WatchGuard Technologies SSL VPN User Manual


The right user manual

Regulations oblige the seller to hand over the user manual for the WatchGuard Technologies SSL VPN to the buyer together with the goods. A missing manual, or incorrect information given to the consumer, is grounds for a complaint on the basis that the device does not conform to the contract. The law permits the manual to be supplied in a form other than paper, which is now used very often: a graphical or electronic manual for the WatchGuard Technologies SSL VPN, or instructional videos for users, may be enclosed. The condition is that its form is legible and comprehensible.

What is a user manual?

The word comes from the Latin "instructio", meaning to arrange. Accordingly, the manual for the WatchGuard Technologies SSL VPN describes the steps of particular procedures. The purpose of the manual is to instruct, to simplify starting and using the device, or to explain how to carry out certain tasks. A manual is a collection of information about an object or a service; a guide.

Unfortunately, few users devote time to the user manual for the WatchGuard Technologies SSL VPN. A good manual not only lets you discover a number of additional functions of the device you bought, it also helps you avoid many mistakes.

So what should an ideal user manual contain?

The user manual for the WatchGuard Technologies SSL VPN should above all contain:
- Information about the technical specifications of the WatchGuard Technologies SSL VPN
- The manufacturer's name and the year of manufacture of the WatchGuard Technologies SSL VPN
- Principles of operation, adjustment and maintenance of the WatchGuard Technologies SSL VPN
- Safety marks and certificates confirming conformity with the relevant standards

Why don't we read user manuals?

The reason is lack of time and overconfidence about the functions of the devices we buy. Unfortunately, simply connecting and starting the WatchGuard Technologies SSL VPN is not enough. A manual contains a series of notes on particular functions, safety principles, kinds of maintenance (even which products to use), possible faults of the WatchGuard Technologies SSL VPN and ways to solve problems that may arise during use. Finally, the manual contains the contact number for WatchGuard Technologies service if the suggested solutions do not work. Currently, manuals in the form of engaging animations or video guides are gaining popularity, since they appeal to users more than a brochure does. This kind of manual makes it more likely that the user watches the whole video without skipping the specific and complicated technical descriptions of the WatchGuard Technologies SSL VPN, as happens with the paper form.

Why should you read user manuals?

In the user manual we find above all answers about the construction and capabilities of the WatchGuard Technologies SSL VPN, about the use of particular accessories, and a range of information that allows you to use all of its functions and conveniences.

After a successful purchase, you should devote some time to getting to know every part of the manual for the WatchGuard Technologies SSL VPN. Today these are prepared or translated carefully so that they are not only understandable to users but also fulfil their basic function of help and information.

Table of contents of the user manual

  • Page 1

    WatchGuard® Firebox® SSL VPN Gateway Administration Guide Firebox SSL VPN Gateway[...]

  • Page 2

    ii Firebox SSL VPN Gateway ADDRESS: 505 Fifth Avenue South Suite 500 Seattle, WA 98104 SUPPORT: www.watchguard.com/support support@watchguard.com U.S. and Canada +877.232.3531 All Other Countries +1.206.613.0456 SALES: U.S. and Canada +1.800.734.9905 All Other Countries +1.206.521.8340 ABOUT WATCHGUARD WatchGuard is a leading provider of ne[...]

  • Page 3

    Admin Guide iii Contents CHAPTER 1 Getting Started with Firebox SSL VPN Gateway ... 1 Audience ... 1 Operating System Requirements ...[...]

  • Page 4

    iv WatchGuard SSL VPN Gateway Disable kiosk mode ... 12 Specify multiple ports and port ranges for network resources ... 12 Voice over IP softphone support ...[...]

  • Page 5

    Admin Guide v Using the Serial Console ... 33 To open the serial console ... 34 Using the Administration Too[...]

  • Page 6

    vi WatchGuard SSL VPN Gateway Allowing ICMP traffic ... 46 To enable ICMP traffic ...[...]

  • Page 7

    Admin Guide vii To disable Firebox SSL VPN Gateway authentication ... 68 SafeWord PremierAccess Authorization ... 68 Using SafeWord for Citrix or SafeWord RemoteAccess for Authenticatio[...]

  • Page 8

    viii WatchGuard SSL VPN Gateway Enabling session time-out ... 92 Configuring Web Session Time-Outs ... 93 Disabling Desktop Sharing ...[...]

  • Page 9

    Admin Guide ix Using the Access Portal ... 118 To connect using the default portal page ... 118 Connecting from a Private Computer ...[...]

  • Page 10

    x WatchGuard SSL VPN Gateway Launching the v5.5 Administration Tool ... 143 Troubleshooting ... 143 Troubleshooting the Web [...]

  • Page 11

    Administration Guide 1 CHAPTER 1 Getting Started with Firebox SSL VPN Gateway This chapter describes who should read the Firebox SSL VPN Gateway Administration Guide, how it is organized, and its document conventions. Audience This user guide is intended for system administrators responsible for installing and configuring the Firebox [...]

  • Page 12

    Document Conventions 2 Firebox SSL VPN Gateway Document Conventions Firebox SSL VPN Gateway documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface: LiveSecurity Service Solutions The number of new security problems and the volume of information about network [...]

  • Page 13

    Administration Guide 3 LiveSecurity Service Broadcasts learn more about your WatchGuard Firebox® and network security, or find a WatchGuard Certified Training Center in your area. LiveSecurity Service Broadcasts The WatchGuard® Rapid Response Team regularly sends messages and software information directly to your computer desk[...]

  • Page 14

    LiveSecurity Service Self Help Tools 4 Firebox SSL VPN Gateway New from WatchGuard When WatchGuard releases a new product, we first tell you — our customers. You can learn about new features and services, product upgrades, hardware releases, and promotions. Activating LiveSecurity Service You can activate LiveSecurity® Service throu[...]

  • Page 15

    Administration Guide 5 WatchGuard Users Forum Advanced FAQs The Advanced FAQs (frequently asked questions) give you important information about configuration options and operation of systems or products. They add to the information you can find in this User Guide and in the Online Help system. Fireware® "How To"s The Firewar[...]

  • Page 16

    Online Help 6 Firebox SSL VPN Gateway This forum has different categories that you can use to look for information. The Technical Support team controls the forum during regular work hours. You do not get special help from Technical Support when you use the forum. To contact Technical Support directly from the web, log in to your LiveS[...]

  • Page 17

    Administration Guide 7 Training and Certification Service time We try for a maximum response time of four hours. Single Incident Priority Response Upgrade (SIPRU) and Single Incident After Hours Upgrade (SIAU) are also available. For more data about these upgrades, refer to the WatchGuard web site at: http://www.watchguard.com/support[...]

  • Page 18

    Training and Certification 8 Firebox SSL VPN Gateway a certification exam. The training materials include links to books and web sites with more information about network security. WatchGuard product training is also available at a location near you through a large group of WatchGuard Certified Training Partners (WCTPs). Traini[...]

  • Page 19

    Administration Guide 9 CHAPTER 2 Introduction to Firebox SSL VPN Gateway WatchGuard Firebox SSL VPN Gateway is a universal Secure Socket Layer (SSL) virtual private network (VPN) appliance that provides a secure single point-of-access to any information resource — both data and voice. Combining the best features of Inte[...]

  • Page 20

    Overview 10 Firebox SSL VPN Gateway As shown in the following illustration, the Firebox SSL VPN Gateway is appropriate for employees accessing the organization remotely and intranet access from restricted LANs such as wireless networks. Network topography showing the Firebox SSL VPN Gateway in the DMZ. The following illustration sho[...]

  • Page 21

    Administration Guide 11 New Features The virtual TCP circuit uses industry-standard Secure Socket Layer (SSL) and Transport Layer Security (TLS) encryption. All packets destined for the private network are transported over the virtual TCP circuit. The Firebox SSL VPN Gateway is essentially acting as a low-level packet filter w[...]

  • Page 22

    New Features 12 Firebox SSL VPN Gateway Secure Access Client connections The Secure Access Client included in this release can connect to earlier versions of the Firebox SSL VPN Gateway. Also, earlier versions of the Secure Access Client can connect to this release of the Firebox SSL VPN Gateway if enabled on the Global Cluster Policies t[...]

  • Page 23

    Administration Guide 13 Features NTLM authentication and authorization support. If your environment includes Windows NT 4.0 domain controllers, the Firebox SSL VPN Gateway can authenticate users against the user domain accounts maintained on the Windows NT server. The Firebox SSL VPN Gateway can also authorize users to access internal[...]

  • Page 24

    Features 14 Firebox SSL VPN Gateway • Date and time configuration • Certificate generation and installation • Restarting and shutting down the Firebox SSL VPN Gateway • Saving and reinstalling configuration settings Note If the Firebox SSL VPN Gateway is upgraded to Version 5.5 from an earlier version, you must uninstall and then rei[...]

  • Page 25

    Administration Guide 15 Features Server Upgrade: VPN Gateway Cluster > Administration; Server Restart: VPN Gateway Cluster > Administration; Server Shut Down: VPN Gateway Cluster > Administration; Server Statistics: VPN Gateway Cluster > Statistics; Licensing: VPN Gateway Cluster > Licensing; Date and Time: VPN Gateway Cluster > D[...]

  • Page 26

    The User Experience 16 Firebox SSL VPN Gateway Feature Summary The following are key Firebox SSL VPN Gateway features: • Universal SSL VPN. Supports all applications and protocols that improve productivity by providing users with access to the applications and resources they need, without the need for customization or converting the conten[...]

  • Page 27

    Administration Guide 17 Deployment and Administration Secure Access Client by typing a secure Web address in a standard Web browser and providing authentication credentials. Because the Firebox SSL VPN Gateway encrypts traffic using standard SSL/TLS, it can traverse firewalls and proxy servers, regardless of the client location. For a [...]

  • Page 28

    Planning your deployment 18 Firebox SSL VPN Gateway Administration Desktop also provides access to the Real-Time Monitor, where you can view a list of current users and close the connection for any user. Planning your deployment This chapter discusses deployment scenarios for the Firebox SSL VPN Gateway. You can deploy the[...]

  • Page 29

    Administration Guide 19 Planning for Security with the Firebox SSL VPN Gateway When a Firebox SSL VPN Gateway is deployed in the secure network, the Secure Access Client or kiosk client connections must traverse the firewall to connect to the Firebox SSL VPN Gateway. By default, both of these clients use the SSL protocol on port 443 to est[...]

  • Page 30

    Installing the Firebox SSL VPN Gateway for the First Time 20 Firebox SSL VPN Gateway Deploying Additional Appliances for Load Balancing and Failover You can install multiple Firebox SSL VPN Gateway appliances into your environment for one or both of these reasons: • Scalability. If you have a large remote user population, install additi[...]

  • Page 31

    Administration Guide 21 Installing the Firebox SSL VPN Gateway for the First Time • The Firebox SSL VPN Gateway FQDN for network address translation (NAT) • The IP address of the default gateway device • The port to be used for connections If connecting the Firebox SSL VPN Gateway to a server load balancer: • The Firebox SSL V[...]

  • Page 32

    Installing the Firebox SSL VPN Gateway for the First Time 22 Firebox SSL VPN Gateway • [4] Display Log displays the Firebox SSL VPN Gateway log • [5] Reset Certificate resets the certificate to the default certificate that comes with the Firebox SSL VPN Gateway • [6] Change Administrative Password allows you to change the defau[...]

  • Page 33

    Administration Guide 23 Installing the Firebox SSL VPN Gateway for the First Time To configure TCP/IP Settings Using Network Cables The Firebox SSL VPN Gateway has two network adapters installed. One network adapter communicates with the Internet and client computers that are not inside the corporate network. The other network adapter commu[...]

  • Page 34

    Using the Firebox SSL VPN Gateway 24 Firebox SSL VPN Gateway For information about the relationship between the Default Gateway and dynamic or static routing, see "Dynamic and Static Routing" on page 51. After you configure your network settings on the Firebox SSL VPN Gateway, you need to restart the appliance. Note: You do not[...]

  • Page 35

    Administration Guide 25 Using the Firebox SSL VPN Gateway • After downloading the Secure Access Client, the user logs on. When the user successfully authenticates, the Firebox SSL VPN Gateway establishes a secure tunnel. • As the remote user attempts to access network resources across the VPN tunnel, the Secure Access Client encrypts al[...]

  • Page 36

    Using the Firebox SSL VPN Gateway 26 Firebox SSL VPN Gateway Establishing the Secure Tunnel After the Secure Access Client is started, it establishes a secure tunnel over port 443 (or any configured port on the Firebox SSL VPN Gateway) and sends authentication information. When the tunnel is established, the Firebox SSL VPN Gateway [...]

  • Page 37

    Administration Guide 27 Using the Firebox SSL VPN Gateway NAT firewalls maintain a table that allows them to route secure packets from the Firebox SSL VPN Gateway back to the client computer. For circuit-oriented connections, the Firebox SSL VPN Gateway maintains a port-mapped, reverse NAT translation table. The reverse NAT transl[...]

  • Page 38

    Using the Firebox SSL VPN Gateway 28 Firebox SSL VPN Gateway work, no attempt is made by either the client or the server applications to regenerate them, so real-time (UDP-like) performance is achieved over a secure TCP-based tunnel. For more information about improving latency with UDP connections and Voice over IP, see "Improving Voice[...]

  • Page 39

    Administration Guide 29 Using the Firebox SSL VPN Gateway public address. The external public address ensures that the redirected client returns to the Firebox SSL VPN Gateway it first encountered, providing session stickiness. The association between a particular request and the Firebox SSL VPN Gateway is broken only when the cli[...]

  • Page 40

    Using the Firebox SSL VPN Gateway 30 Firebox SSL VPN Gateway[...]

  • Page 41

    Administration Guide 31 CHAPTER 3 Configuring Basic Settings This chapter describes Firebox SSL VPN Gateway basic administration, including connecting to the Firebox SSL VPN Gateway, using the Administration Desktop, and using the Administration Tool to configure the Firebox SSL VPN Gateway. Note All submitted configuration changes ar[...]

  • Page 42

    Firebox SSL VPN Gateway Administration Desktop 32 Firebox SSL VPN Gateway Firebox SSL VPN Gateway Administration Desktop The Firebox SSL VPN Gateway Administration Desktop provides Firebox SSL VPN Gateway monitoring tools. The taskbar includes one-click access to a variety of standard Linux monitoring applications as well as the Real-Ti[...]

  • Page 43

    Administration Guide 33 Using the Serial Console • Download a sample email for users Admin Users Tab The Firebox SSL VPN Gateway has a default administrative user account with full access to the Firebox SSL VPN Gateway. To protect the Firebox SSL VPN Gateway from unauthorized access, change the default password during your initial confi[...]

  • Page 44

    Using the Administration Tool 34 Firebox SSL VPN Gateway To open the serial console 1 Connect the RS232 cable to the serial port on the Firebox SSL VPN Gateway and to the serial port on the computer. 2 Make sure that the Firebox SSL VPN Gateway is running. 3 Start a terminal emulation application (such as HyperTerminal or PuTTY) and c[...]

  • Page 45

    Administration Guide 35 Publishing Settings to Multiple Firebox SSL VPN Gateways 7 In Username and Password, type the Firebox SSL VPN Gateway administrator credentials. The default user name and password are root and rootadmin. You can change the administrative password as described in "To change the administrator password" on pag[...]

  • Page 46

    Managing Licenses 36 Firebox SSL VPN Gateway Firebox SSL VPN Gateway Administration Tool. To apply these license files, see "Managing Licenses" on page 36. For future tunnel capacity upgrades, you will follow these same steps to increase the capacity of your Firebox® SSL VPN Gateway. Upgrading the LiveSecurity Renewal and [...]

  • Page 47

    Administration Guide 37 Managing Licenses Do not overwrite any .lic files in the license directory. If another file in that directory has the same name, rename the newly received file. The Firebox SSL VPN Gateway software calculates your licensed features based on all .lic files that are uploaded to the Firebox SSL VPN Gateway. Do not edit [...]

  • Page 48

    Blocking External Access to the Administration Portal 38 Firebox SSL VPN Gateway 5 In a Web browser, type the address of the Firebox SSL VPN Gateway using either the IP address or fully qualified domain name (FQDN) to connect to either the internal or external interface. The format should be either https://ipaddress or https://FQDN. 6 Ty[...]

  • Page 49

    Administration Guide 39 Downloading and Working with Portal Page Templates By default, users see a WatchGuard Firebox SSL VPN Gateway portal page when they open https://Firebox SSL VPN Gateway_IP_or_hostname. For samples of the default portal pages for Windows, Linux, and Java, see "Using the Access Portal" on page 118. Several [...]

  • Page 50

    Downloading and Working with Portal Page Templates 40 Firebox SSL VPN Gateway To download the portal page templates to your local computer 1 In the Firebox SSL VPN Gateway Administration Portal, click Downloads. 2 Under Sample Portal Page Templates, right-click one of the links, click Save Target as, and specify [...]

  • Page 51

    Administration Guide 41 Enabling Portal Page Authentication To install a custom portal page or image on the Firebox SSL VPN Gateway 1 Click the Portal Page Configuration tab. 2 Click Add File. 3 In File Identifier, type a name that is descriptive of the types of users who use the portal page. The file name can help yo[...]

  • Page 52

    Linking to Clients from Your Web Site 42 Firebox SSL VPN Gateway <object id="Net6Launch" type="application/x-oleobject" classid="CLSID:7E0FDFBB-87D4-43a1-9AD4-41F0EA8AFF7B" codebase="net6helper.cab#version=2,1,0,6"> </object> 2 Add the links as follows to the Web page. Multiple Log On Option [...]

  • Page 53

    Administration Guide 43 Connecting Using a Web Address tication policy check fails, the users receive an error message instructing them to contact their system administrator. For more information about pre-authentication policies, see "Global policies" on page 96. Double-source Authentication Portal Page When the Firebox SSL VPN Gatewa[...]

  • Page 54

    Saving and Restoring the Configuration 44 Firebox SSL VPN Gateway Saving and Restoring the Configuration When you upgrade the Firebox SSL VPN Gateway, all of your configuration settings, including uploaded certificates, licenses, and portal pages, are restored automatically. However, if you reinstall the Firebox SSL VPN Gateway softwa[...]

  • Page 55

    Administration Guide 45 Restarting the Firebox SSL VPN Gateway 2 In Upload a Server Upgrade or Saved Config, click Browse. 3 Locate the upgrade file that you want to upload and click Open. The file is uploaded and the Firebox SSL VPN Gateway restarts automatically. When you upgrade the Firebox SSL VPN Gateway, all of your configuration [...]

  • Page 56

    Allowing ICMP traffic 46 Firebox SSL VPN Gateway To change the system date and time 1 In the Administration Tool, click the VPN Gateway Cluster tab, select the appliance, and then click the Date tab. 2 In Time Zone, select a time zone. 3 In Date, type the date and time. 4 Click Submit. Network Time Protocol The Network Time Pro[...]

  • Page 57

    Administration Guide 47 CHAPTER 4 Configuring Firebox SSL VPN Gateway Network Connections The Firebox SSL VPN Gateway has two network adapters that can be configured to work on your network. The VPN Gateway Cluster > General Networking tabs in the Administration Tool are used to configure most network settings. The following topic[...]

  • Page 58

    General Networking 48 Firebox SSL VPN Gateway • The Routes tab is where dynamic and static routes are configured • The Failover Servers tab is where multiple Firebox SSL VPN Gateways are configured General Networking The Firebox SSL VPN Gateway has two network adapters installed. If two network adapters are used, then one network[...]

  • Page 59

    Administration Guide 49 General Networking The Firebox SSL VPN Gateway in the DMZ. For more information, see "Connecting to a Server Load Balancer" on page 28. External Public FQDN The Firebox SSL VPN Gateway uses the external IP address or FQDN to send its response to a request back to the correct network connection. If the external[...]

  • Page 60

    Name Service Providers 50 Firebox SSL VPN Gateway Note IP pooling is configured per group, as described in "Enabling IP Pooling" on page 94. Name Service Providers Name resolution is configured on the Name Service Providers tab. You can specify the following: DNS Server 1, DNS Server 2, DNS Server 3 These are the IP address[...]

  • Page 61

    Administration Guide 51 Dynamic and Static Routing 3 Under Edit the HOSTS file, in IP address, enter the IP address that you want to associate with an FQDN. 4 In FQDN, enter the FQDN you want to associate with the IP address you entered in the previous step. 5 Click Add. The IP address and HOSTS name pair appears in the Host Table. [...]

  • Page 62

    Dynamic and Static Routing 52 Firebox SSL VPN Gateway Configuring Dynamic Routing When dynamic routing is selected, the Firebox SSL VPN Gateway operates as follows: • It listens for route information published through RIP and automatically populates its routing table. • If the Dynamic Gateway option is enabled, the Firebox SSL VPN Gat[...]

  • Page 63

    Administration Guide 53 Dynamic and Static Routing 5 In the text box, type a text string that is an exact, case-sensitive match to the authentication string transmitted by the RIP server. 6 Select the Enable RIP MD5 Authentication for Interface check box if the RIP server protects its updates with keyed MD5 (the guide calls this "encrypted with MD5"; MD5 is a digest, not a cipher, so the shared string itself is never sent on the wire). Do not select [...]
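The keyed-MD5 RIP authentication that steps 5 and 6 above configure is defined in RFC 2082: the "authentication string" is a shared key, and each RIPv2 update carries a 16-byte MD5 digest computed over the packet with the zero-padded key in place of the digest. Why this matters for a VPN gateway is that dynamic routing lets any host on the internal segment advertise routes; with authentication enforced, a rogue RIP speaker cannot redirect traffic the gateway forwards for tunnel users. The following Python is an added example, not code from the WatchGuard guide; it builds and verifies such an update so the check the receiver performs is visible end to end. The route values and key are constructed sample data, the function names are mine, and the packet layout follows RFC 2082 as I read it.

```python
import hashlib
import hmac
import socket
import struct

# RIPv2 constants (RFC 2453) and RFC 2082 keyed-MD5 authentication values
RIP_RESPONSE = 2
RIP_VERSION = 2
AFI_AUTH = 0xFFFF          # address family marker for an authentication entry
AUTH_TYPE_KEYED_MD5 = 3    # RFC 2082 keyed-MD5 authentication
AUTH_TYPE_TRAILER = 1      # marks the 16-byte digest at the end of the packet
DIGEST_LEN = 16
ENTRY_LEN = 20             # every RIPv2 entry (auth or route) is 20 bytes


def _pad_key(key: bytes) -> bytes:
    """RFC 2082 pads the shared secret with zero bytes to 16 bytes."""
    if not key or len(key) > DIGEST_LEN:
        raise ValueError("RIP MD5 key must be 1..16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def _route_entry(prefix: str, mask: str, next_hop: str, metric: int) -> bytes:
    # AFI=2 (IPv4), route tag 0, prefix, mask, next hop, metric
    return struct.pack("!HH4s4s4sI", 2, 0,
                       socket.inet_aton(prefix), socket.inet_aton(mask),
                       socket.inet_aton(next_hop), metric)


def build_rip_md5(routes, key: bytes, key_id: int = 1, seq: int = 1) -> bytes:
    """Build a RIPv2 Response carrying `routes`, authenticated with keyed MD5."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    entries = b"".join(_route_entry(*r) for r in routes)
    # The "RIP-2 packet length" field covers header + auth entry + routes only
    rip_len = 4 + ENTRY_LEN + len(entries)
    auth_entry = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_TYPE_KEYED_MD5,
                             rip_len, key_id, DIGEST_LEN, seq, b"\x00" * 8)
    trailer_hdr = struct.pack("!HH", AFI_AUTH, AUTH_TYPE_TRAILER)
    body = header + auth_entry + entries + trailer_hdr
    # Digest = MD5 over the packet with the padded key sitting in the digest slot
    digest = hashlib.md5(body + _pad_key(key)).digest()
    return body + digest


def verify_rip_md5(packet: bytes, key: bytes) -> bool:
    """Return True only if the packet is well-formed and its digest matches `key`."""
    min_len = 4 + ENTRY_LEN + 4 + DIGEST_LEN
    if len(packet) < min_len or (len(packet) - min_len) % ENTRY_LEN:
        return False
    afi, auth_type, rip_len, _key_id, auth_len = struct.unpack("!HHHBB", packet[4:12])
    if afi != AFI_AUTH or auth_type != AUTH_TYPE_KEYED_MD5 or auth_len != DIGEST_LEN:
        return False
    if rip_len != len(packet) - 4 - DIGEST_LEN:
        return False  # length field must point exactly at the trailer header
    if packet[rip_len:rip_len + 4] != struct.pack("!HH", AFI_AUTH, AUTH_TYPE_TRAILER):
        return False
    expected = hashlib.md5(packet[:-DIGEST_LEN] + _pad_key(key)).digest()
    # constant-time compare: a timing leak would let a peer probe the digest byte by byte
    return hmac.compare_digest(expected, packet[-DIGEST_LEN:])


def routes_in(packet: bytes):
    """Yield (prefix, mask, next_hop, metric) from a packet that verify_rip_md5 accepted."""
    rip_len = struct.unpack("!H", packet[8:10])[0]
    for off in range(4 + ENTRY_LEN, rip_len, ENTRY_LEN):
        afi, _tag, p, m, nh, metric = struct.unpack("!HH4s4s4sI", packet[off:off + ENTRY_LEN])
        if afi == 2:
            yield (socket.inet_ntoa(p), socket.inet_ntoa(m), socket.inet_ntoa(nh), metric)
```

Only routes from packets that pass `verify_rip_md5` should ever reach the routing table; a receiver that installs routes first and checks the digest afterwards gains nothing from the key. Keyed MD5 is authentication only (no confidentiality, and MD5 is a dated primitive), so the key on both sides should still be treated as a secret and rotated via the key ID.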

  • Page 64

    Dynamic and Static Routing 54 Firebox SSL VPN Gateway 8 On the General Networking tab, click Submit. The route name appears in the Static Routes list. To test a static route 1 From the Firebox SSL VPN Gateway serial console, type 1 (ping). 2 Enter the host IP address for the device you want to ping and press Enter. If you are succe[...]

  • Page 65

    Administration Guide 55 Configuring Firebox SSL VPN Gateway Failover To set up the static route, you need to establish the path between the eth1 adapter and IP address 129.6.0.20. To set up the example static route 1 Click the VPN Gateway Cluster tab and then click the Routes tab. 2 In Destination LAN IP Address, set the IP addre[...]

  • Page 66

    Controlling Network Access 56 Firebox SSL VPN Gateway nect to port 9001 when you are logged on from an external connection, configure IP pools and connect to the lowest IP address in the IP pool. Controlling Network Access Configuring Network Access After you configure the appliance to operate in your network environment, the next step is [...]

  • Page 67

    Administration Guide 57 Enabling Split Tunneling You can change the default operation so that user groups are denied network access unless they are allowed access to one or more network resource groups. • You configure ACLs for user groups by specifying which network resources are allowed or denied per user group. By default, all net[...]

  • Page 68

    Denying Access to Groups without an ACL 58 Firebox SSL VPN Gateway When you enable split tunneling, you must enter a list of accessible networks on the Global Cluster Policies tab. The list of accessible networks must include all internal networks and subnetworks that the user may need to access with the Secure Access Client. The Secure Ac[...]
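The accessible-networks list described on page 58 is the whole of the split-tunnel policy: the client sends a destination through the tunnel only when it falls inside one of the listed networks, so an internal subnet missing from the list is reached (or not) via the user's local network, and an entry such as 0.0.0.0/0 quietly turns split tunneling back into full tunneling. The following Python is an added example, not code from the WatchGuard guide or the Secure Access Client; it models that decision and adds two review checks an administrator would want before enabling the setting. The CIDR lists are constructed sample values and the function names are mine; the checks go slightly beyond the guide by also flagging over-broad entries.

```python
import ipaddress

TUNNEL = "tunnel"   # send through the SSL VPN to the gateway
LOCAL = "local"     # hand to the client's own routing table (not inspected by the gateway)


def split_tunnel_decision(destination: str, accessible_networks, split_tunneling: bool = True) -> str:
    """Where a client packet for `destination` goes under the configured policy.

    With split tunneling disabled every packet enters the tunnel; with it enabled
    only destinations inside an accessible-network entry do."""
    dst = ipaddress.ip_address(destination)
    if not split_tunneling:
        return TUNNEL
    for entry in accessible_networks:
        net = ipaddress.ip_network(entry, strict=False)
        if dst.version == net.version and dst in net:
            return TUNNEL
    return LOCAL


def missing_from_accessible(internal_subnets, accessible_networks):
    """Internal subnets that no accessible-network entry fully covers.

    Users on split tunneling cannot reach these over the VPN, and on a hostile
    local network their traffic for them leaves the client in the clear."""
    covered = [ipaddress.ip_network(n, strict=False) for n in accessible_networks]
    gaps = []
    for subnet in internal_subnets:
        s = ipaddress.ip_network(subnet, strict=False)
        if not any(c.version == s.version and s.subnet_of(c) for c in covered):
            gaps.append(subnet)
    return gaps


def overbroad_entries(accessible_networks, min_prefixlen: int = 8):
    """Entries wider than a /8 (for example 0.0.0.0/0) pull practically all
    destinations into the tunnel and defeat the purpose of split tunneling."""
    return [n for n in accessible_networks
            if ipaddress.ip_network(n, strict=False).prefixlen < min_prefixlen]


def review_policy(internal_subnets, accessible_networks):
    """Aggregate the two checks into one report for the Global Cluster Policies review."""
    return {
        "missing": missing_from_accessible(internal_subnets, accessible_networks),
        "overbroad": overbroad_entries(accessible_networks),
    }
```

Run `review_policy` against the list you intend to submit and the authoritative inventory of internal subnets; an empty `missing` list means every internal destination the guide says must be present is covered, and an empty `overbroad` list means split tunneling is actually splitting something.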

  • Seite 69

    Administration Guide 59 Improving V oice over IP Connecti ons T o den y access to user groups without an ACL 1C l i c k t h e Global Cluster Policies tab . 2U n d e r Acce ss O pti ons , selec t Deny Acce ss w ith out A CL . 3C l i c k Submit . Improving V oice over IP Connections Real-time applications, such as v oice and video , ar e implemented [...]

  • Seite 70

    Improving V oice over IP Conn ections 60 Firebox SSL VPN Gatewa y Note If the Improving V oice o ver IP Connections setting is not selected, the UDP traffic is encr ypted using the symmetric encr yption cipher that is specified in the Select encryption type for client connections setting on the Global Cluster P olicies tab. The encryption ciphers a[...]

  • Seite 71

    Administration Guide 61 CHAPTER 5 Configuring Authentication and Authorization The Firebox SSL VPN Gateway supports several authentication types including LDAP, RADIUS, RSA SecurID, NTLM, and Secure Computing's SafeWord products. The following topics describe how to configure Firebox SSL VPN Gateway authentication: • Choosing W[...]

  • Page 72

    Configuring Authentication and Authorization 62 Firebox SSL VPN Gateway Communications between the Firebox SSL VPN Gateway and authentication servers. If a user is not located on an authentication server or fails authentication on that server, the Firebox SSL VPN Gateway checks the user against the local user list, if the check box Use the [...]

  • Page 73

    Administration Guide 63 Configuring Authentication and Authorization Configuring Authentication without Authorization The Firebox SSL VPN Gateway can be configured to authenticate users without requiring authorization. When users are not authorized, the Firebox SSL VPN Gateway does not perform a group authorization check. The settings [...]

  • Page 74

    Configuring Authentication and Authorization 64 Firebox SSL VPN Gateway Configuring Local Users You can create user accounts locally on the Firebox SSL VPN Gateway to supplement the users on authentication servers. For example, you might want to create local user accounts for temporary users, such as consultants or visitors, without creat[...]

  • Page 75

    Administration Guide 65 Changing the Authentication Type of the Default Realm To change a user's password 1 On the Access Policy Manager tab, right-click a user, and click Set Password. 2 Type the password twice and then click OK. Using LDAP Authorization with Local Authentication By default, the Firebox SSL VPN Gateway obtains a[...]

  • Page 76

    Changing the Authentication Type of the Default Realm 66 Firebox SSL VPN Gateway 3 On the Action menu, select Remove Default realm. A warning message appears. Click Yes. 4 Under Add an Authentication Realm, in Realm name, type Default. Note Important: When creating a new Default realm, the word Default is case-sensitive and an upp[...]

  • Page 77

    Administration Guide 67 Using SafeWord for Authentication Removing Realms If you are retiring an authentication server or removing a domain server, you can remove any realm except for the realm named Default. You can remove the Default realm only if you immediately create a new realm named Default. For more information, see “Configuri[...]

  • Page 78

    Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication 68 Firebox SSL VPN Gateway Configure a SafeWord realm to authenticate users. The Firebox SSL VPN Gateway acts as a SafeWord agent authenticating on behalf of users logged on using Secure Access Client. If a user is not located on the SafeWord server or fails authe[...]

  • Page 79

    Administration Guide 69 Using RADIUS Servers for Authentication and Authorization If you are already using SafeWord for Citrix or SafeWord RemoteAccess in your configuration to authenticate using the Web Interface, you need to do the following: • Install and configure the SafeWord IAS Agent • Configure the IAS RADIUS server [...]

  • Page 80

    Using RADIUS Servers for Authentication and Authorization 70 Firebox SSL VPN Gateway • Type is the vendor-assigned attribute number. • Attribute name is the type of attribute name that is defined in IAS. The default name is CTXSUserGroups=. • Separator is defined if multiple user groups are included in the RADIUS co[...]

  • Page 81

    Administration Guide 71 Using RADIUS Servers for Authentication and Authorization 18 In the Add Attributes dialog box, select Vendor-Specific and click Add. 19 In the Vendor-Specific Attribute Information dialog box, choose Select from list and accept the default RADIUS=Standard. The Firebox SSL VPN Gateway needs the Vend[...]

  • Page 82

    Using RADIUS Servers for Authentication and Authorization 72 Firebox SSL VPN Gateway To specify RADIUS server authentication 1 Click the Authentication tab. 2 In Realm Name, type a name for the authentication realm that you will create, select One Source, and then click Add. If your site has multiple authentication realms, use a na[...]

  • Page 83

    Administration Guide 73 Using LDAP Servers for Authentication and Authorization RADIUS authentication. If you synchronize configurations among several Firebox SSL VPN Gateway appliances in a cluster, all the appliances are configured with the same secret. Shared secrets are configured on the Firebox SSL VPN Gateway when a RADIUS rea[...]

  • Page 84

    Using LDAP Servers for Authentication and Authorization 74 Firebox SSL VPN Gateway This table contains examples of the base dn The following table contains examples of bind dn: Note For further information to determine the LDAP server settings, see “Determining Attributes in your LDAP Directory” on page 78. To configure LDAP authentic[...]

  • Page 85

    Administration Guide 75 LDAP Authorization 8 Select Allow Unsecure Traffic to allow unsecure LDAP connections. When this check box is clear, all LDAP connections are secure. 9 In Administrator Bind DN, type the Administrator Bind DN for queries to your LDAP directory. The following are examples of syntax for Bind DN: “domain/user name[...]

  • Page 86

    LDAP Authorization 76 Firebox SSL VPN Gateway Group memberships from group objects working evaluations LDAP servers that evaluate group memberships from group objects indirectly work with Firebox SSL VPN Gateway authorization. Some LDAP servers enable user objects to contain information about groups to which they belong, such as Active [...]

  • Page 87

    Administration Guide 77 LDAP Authorization The LDAP Server port defaults to 389. If you are using an indexed database, such as Microsoft Active Directory with a Global Catalog, changing the LDAP Server port to 3268 significantly increases the speed of the LDAP queries. If your directory is not indexed, use an administrative[...]

  • Page 88

    LDAP Authorization 78 Firebox SSL VPN Gateway For Active Directory, the group name specified as cn=groupname is required. The group name that is defined in the Firebox SSL VPN Gateway must be identical to the group name that is defined on the LDAP server. For other LDAP directories, the group name either is not required or, if required[...]

  • Page 89

    Administration Guide 79 Using RSA SecurID for Authentication Host Host name or IP address of your LDAP server. Port Defaults to 389. Base DN You can leave this field blank. (The information provided by the LDAP Browser will help you determine the Base DN needed for the Authentication tab.) Anonymous Bind Select the check box if the L[...]

  • Page 90

    Using RSA SecurID for Authentication 80 Firebox SSL VPN Gateway The Firebox SSL VPN Gateway supports RSA ACE/Server Version 5.2 and higher. The Firebox SSL VPN Gateway also supports replication servers. Replication server configuration is completed on the RSA ACE/Server and is part of the sdconf.rec file that is uploaded to the Firebox[...]

  • Page 91

    Administration Guide 81 Using RSA SecurID for Authentication 8 To create the configuration file for the new or changed Agent Host, go to Agent Host > Generate Configuration Files. The file that you generate (sdconf.rec) is what you will upload to the Firebox SSL VPN Gateway, as described in the next procedure. Enable RSA SecurID auth[...]

  • Page 92

    Using RSA SecurID for Authentication 82 Firebox SSL VPN Gateway Configuring RSA Settings for a Cluster If you have two or more appliances configured as a cluster, the sdconf.rec file needs to contain the FQDNs of all the appliances. The sdconf.rec file is installed on one Access Gateway and then published. This allows all of the appliances [...]

  • Page 93

    Administration Guide 83 Using RSA SecurID for Authentication Note Note: If you are configuring double-source authentication, click Two Source and then click Add. For more information about configuring double-source authentication, see “Configuring Double-Source Authentication” on page 85. 4 In IP address type the IP address of t[...]

  • Page 94

    Using RSA SecurID for Authentication 84 Firebox SSL VPN Gateway Note Note: When 0 (zero) is entered as the port, the Access Gateway attempts to automatically detect a port number for this connection. 8 In Time-out (in seconds), enter the number of seconds within which the authentication attempt must complete. If the authentication does [...]

  • Page 95

    Administration Guide 85 Configuring Double-Source Authentication You can prevent the storage of one-time passwords in cache, which forces the user to enter their credentials again. To prevent caching of one-time passwords 1 In the Administration Tool, click the Authentication tab. 2 Open the authentication realm that uses the one-time[...]

  • Page 96

    Configuring Double-Source Authentication 86 Firebox SSL VPN Gateway and passcode first and then the LDAP password second. Whatever is typed in the first password field is done last and the second password field is done first. Changing Password Labels You can change the password labels to accurately reflect the authentication type with which t[...]

  • Page 97

    Administration Guide 87 CHAPTER 6 Adding and Configuring Local Users and User Groups User groups define the resources the user has access to when connecting to the corporate network through the Firebox SSL VPN Gateway. Groups are associated with the local users list. After adding local users, you can then define the resources they have acc[...]

  • Page 98

    User Group Overview 88 Firebox SSL VPN Gateway 5 All users are members of the Default resource group. To add a user to another group, under Local Users, click and drag the user to the user group to which you want the user to belong. To delete a user from the Firebox SSL VPN Gateway Right-click the user in the Local Users list and clic[...]

  • Page 99

    Administration Guide 89 Creating User Groups Group resources include: • Network resources that define the networks to which clients can connect. • Application policies that define the applications users can use when connected. In addition to selecting the application, you can further define which networks the application has access to and[...]

  • Page 100

    Configuring Properties for a User Group 90 Firebox SSL VPN Gateway Configuring Properties for a User Group Group properties include configuring access, networking, portal pages, and client certificates. Properties are configured by right-clicking a group and then clicking Properties. Settings for the group are configured on the Gener[...]

  • Page 101

    Administration Guide 91 Configuring Properties for a User Group Note If you want to close a connection and prevent a user or group from reconnecting automatically, you must select the Authenticate after network interruption setting. Otherwise, users immediately reconnect without being prompted for their credentials. For more informa[...]

  • Page 102

    Configuring Properties for a User Group 92 Firebox SSL VPN Gateway supported and do not run. If the domain controller cannot be contacted, the Firebox SSL VPN Gateway connection is completed but the logon scripts are not run. Note Important: The client computer must be a domain member in order to run domain logon scripts. To enable logon sc[...]

  • Page 103

    Administration Guide 93 Configuring Properties for a User Group Configuring Web Session Time-Outs When a user is logged on to the Firebox SSL VPN Gateway and using a Web browser to connect to Web sites in the secure network, cookies are set to determine if a user's Web session is still active on the Firebox SSL VPN Gateway. If the [...]

  • Page 104

    Configuring Properties for a User Group 94 Firebox SSL VPN Gateway 2 On the General tab, under Application Options, select Deny applications without policies. For more information about application policies, see “Application policies” on page 101. For more information about endpoint policies, see “End point resources and polic[...]

  • Page 105

    Administration Guide 95 Configuring Properties for a User Group Choosing a portal page for a group By default, all users log on to the Firebox SSL VPN Gateway using the Secure Access Client from the default portal page or by downloading and installing the Secure Access Client on their computer. You can load custom portal pages on the Fireb[...]

  • Page 106

    Configuring Resources for a User Group 96 Firebox SSL VPN Gateway Note Client certificate configuration is not available for the default user group. To specify client certificate configuration 1 On the Access Policy Manager tab, right-click a group that is not the default group. 2 On the Client Certificates tab, under Client Certificate[...]

  • Page 107

    Administration Guide 97 Configuring Resources for a User Group a network resource specifying the networks to which users can connect. If you have a restricted group for contractors, drag the resource to this group and then deny the default setting. For each user group, you can create an access control list (ACL) by speci[...]

  • Page 108

    Configuring Resources for a User Group 98 Firebox SSL VPN Gateway • Kiosk resources that define how the user can log on and which file shares and applications are accessible to the user when logged on. If the user is allowed to use the Firefox Web browser in kiosk mode, the Web address the user is allowed to use is also defined. • En[...]

  • Page 109

    Administration Guide 99 Configuring Resources for a User Group To configure resource access control for a group 1 Click the Access Policy Manager tab. 2 In the right pane, configure the group resources. 3 When the resource is configured, click the resource and drag it to the group in the left pane. 4 To allow or deny a resource, in the l[...]

  • Page 110

    Configuring Resources for a User Group 100 Firebox SSL VPN Gateway • You can further restrict access by specifying a port and protocol for an IP address/subnet pair. For example, you might specify that a resource can use only port 80 and the TCP protocol. • When you configure resource group access for a user group, you can allow or [...]

  • Page 111

    Administration Guide 101 Configuring Resources for a User Group • Deny rules take precedence over allow rules. This enables you to allow access to a range of resources and to also deny access to selected resources within that range. For example, you might want to allow a group access to a resource group that includes 10.20.10.0[...]

  • Page 112

    Configuring Resources for a User Group 102 Firebox SSL VPN Gateway To add an application policy to a group 1 On the Access Policy Manager tab, in the right pane, under Application Policies, click the resource you want to add and then drag it to the user group in the left pane. 2 To allow or deny access, right-click the network resour[...]

  • Page 113

    Administration Guide 103 Configuring Resources for a User Group To create a file share resource 1 Click the Access Policy Manager tab. 2 In the right pane, right-click File Share Resources, click New File Share Resource, type a name, and click OK. 3 In Share Source, type the path to the share source using the form: //server/sh[...]

  • Page 114

    Configuring Resources for a User Group 104 Firebox SSL VPN Gateway 3 To add a file share, under File Share Resources, drag the resource to Shares under File Shares. 4 Select the applications users are allowed to use in kiosk mode. 5 Click Kiosk Persistence (Save Application Settings) to retain Firefox preferences between sessions.[...]

  • Page 115

    Administration Guide 105 Configuring Resources for a User Group 8 If you selected Process Rule, do the following: - Click Process Rule. - In Process Name, type the name of the process or click Browse to navigate to the file. The MD5 field is automatically completed when a process name is entered. 9 Click OK. Note For information about [...]

  • Page 116

    Setting the Priority of Groups 106 Firebox SSL VPN Gateway 2 In the right pane, right-click End Point Policies and then click New End Point Policy. 3 Type a name and click OK. When the policy is created, create the expression by dragging and dropping the end point resources into the Expression Root. To build an end point policy expressio[...]

  • Page 117

    Administration Guide 107 Setting the Priority of Groups The following two settings are unioned together. For these settings, they are combined among all of the groups of which the user is a member. When these are combined, these are the enforced set of rules applied to the user. For example, if a user is a member of the sales and support[...]

  • Page 118

    Setting the Priority of Groups 108 Firebox SSL VPN Gateway[...]

  • Page 119

    Administration Guide 109 CHAPTER 7 Creating and Installing Secure Certificates The Firebox SSL VPN Gateway uses certificates for authentication. In the Firebox SSL VPN Gateway Administration Tool, you can create a certificate to be signed by a Certificate Authority. Then, when the signed certificate is received, it can be installed on t[...]

  • Page 120

    Digital Certificates and Firebox SSL VPN Gateway Operation 110 Firebox SSL VPN Gateway • Install a PEM certificate and private key from a Windows computer. This method uploads a signed certificate and private key together. The certificate is signed by a CA and it is paired with the private key. Digital Certificates and Firebox SSL VPN[...]

  • Page 121

    Administration Guide 111 Overview of the Certificate Signing Request private key from tampering and it is also required when restoring a saved configuration to the Firebox SSL VPN Gateway. Passwords are used whether the private key is encrypted or unencrypted. Note Caution: When you upgrade to Version 6.0 and save the configuration [...]

  • Page 122

    Overview of the Certificate Signing Request 112 Firebox SSL VPN Gateway Note When you save the Firebox SSL VPN Gateway configuration, any certificates that are already installed are included in the backup. To install a certificate file using the Administration Tool 1 Click the VPN Gateway Cluster tab. 2 On the Administration[...]

  • Page 123

    Administration Guide 113 Overview of the Certificate Signing Request The root certificate that is installed on the Firebox SSL VPN Gateway has to be in PEM format. On Windows, the file extension .cer is sometimes used to indicate that the root certificate is in PEM format. If you are validating certificates on internal connections, the Fi[...]

  • Page 124

    Client Certificates 114 Firebox SSL VPN Gateway Note Note: HyperTerminal is not installed automatically on Windows 2000 Server or Windows Server 2003. To install HyperTerminal, use Add/Remove Programs in Control Panel. 3 Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1 stop bit. Hardware flow control is op[...]

  • Page 125

    Administration Guide 115 Client Certificates Installing Root Certificates Support for most trusted root authorities is already built into the Windows operating system and Internet Explorer. Therefore, there is no need to obtain and install root certificates on the client device if you are using these CAs. However, if you decide to [...]

  • Page 126

    Requiring Certificates from Internal Connections 116 Firebox SSL VPN Gateway 3 Click Submit. Requiring Certificates from Internal Connections To increase security for connections originating from the Firebox SSL VPN Gateway to your internal network, you can require the Firebox SSL VPN Gateway to validate SSL server certifi[...]

  • Page 127

    Administration Guide 117 CHAPTER 8 Working with Client Connections Clients can access resources on the corporate network by connecting through the Firebox SSL VPN Gateway from their own computer or from a public computer. The following topics describe how client connections work: • Using the Access Portal • Connecting fro[...]

  • Page 128

    Using the Access Portal 118 Firebox SSL VPN Gateway If clients are using Mozilla Firefox to connect, pages that require ActiveX, such as the pre-authentication page, are not able to run. If clients are going to connect using the kiosk, they must have Sun Java Runtime Environment (JRE) Version 1.5.0_06 installed on their computer. Using[...]

  • Page 129

    Administration Guide 119 Connecting from a Private Computer the computer is started, users do not have to do anything to create the connection, provided that they have a network connection and can log onto Windows. The connection enables users to work with the connected site just as if they were logged on at the site. Data can be transferred be[...]

  • Page 130

    Connecting from a Private Computer 120 Firebox SSL VPN Gateway • The Firebox SSL VPN Gateway terminates the SSL tunnel, accepts any incoming traffic destined for the private network, and forwards the traffic to the private network. The Firebox SSL VPN Gateway sends traffic back to the remote computer over a secure tunnel. When a remote user [...]

  • Page 131

    Administration Guide 121 Connecting from a Private Computer that remote users can access through the VPN connection. For more information, see “Configuring Resources for a User Group” on page 96. All IP packets, regardless of protocol, are intercepted and transmitted over the secure link. Connections from local applications on the client [...]

  • Page 132

    Connecting from a Private Computer 122 Firebox SSL VPN Gateway sends its known local IP address to the server by means of a custom client-server protocol. For these applications, the Secure Access Client provides the local client application a private IP address representation, which the Firebox SSL VPN Gateway uses on the internal net[...]

  • Page 133

    Administration Guide 123 Connecting from a Private Computer An email template is provided that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. WatchGuard recommends that you customize the text for your site and then send the text in an email to users. Wh[...]

  • Page 134

    Connecting from a Private Computer 124 Firebox SSL VPN Gateway The Secure Access Client dialog box with the pop-up menu showing Advanced Options 4 Under Proxy Settings, select Use Proxy Host and then in Proxy Address and Proxy Host, type the IP address and port. If the proxy server requires authentication, select Proxy server requires au[...]

  • Page 135

    Administration Guide 125 Connecting from a Private Computer To view the Connection Log The Connection Log contains real-time connection information that is particularly useful for troubleshooting connection issues. 1 Right-click the Firebox SSL Secure Access Client icon in the notification area. 2 Choose Connection Log from the menu. [...]

  • Page 136

    Connecting from a Public Computer 126 Firebox SSL VPN Gateway Configuring Secure Access Client to Work with Non-Administrative Users If a user is not logged on as an administrator on a computer running Windows 2000 Professional, the Secure Access Client must be installed locally on the client computer and then started using the [...]

  • Page 137

    Administration Guide 127 Connecting from a Public Computer • Firefox Web browser. You configure by group whether or not to include the Firefox browser and the browser's default Web address. Firefox preferences, such as saved passwords, are retained for the next session. • Shared network drives. Icons that provide access to sha[...]

  • Page 138

    Connecting from a Public Computer 128 Firebox SSL VPN Gateway To create and configure a kiosk resource 1 Click the Access Policy Manager tab. 2 In the right pane, right-click Kiosk Resources and then click New Kiosk Resource. 3 Type a name for the resource and click OK. 4 To add a file share, under File shares, drag the resource to Sha[...]

  • Page 139

    Administration Guide 129 Client Applications 2 Select a file share from File Share Resources and drag it to Shares under File shares in the kiosk resource. 3 Click OK. To remove a file share On the Access Policy Manager tab, in the right pane, right-click the file share and click Remove. You can specify the shared network drives[...]

  • Page 140

    Client Applications 130 Firebox SSL VPN Gateway Firefox Web Browser The Firefox Web browser allows users to connect to the Internet when they are logged on in kiosk mode. They can connect to Web sites as if they were sitting at their own computer. To configure Firefox 1 Click the Access Policy Manager tab. 2 In the right pane, under [...]

  • Page 141

    Administration Guide 131 Client Applications To use the SSH client 1 From the portal page, choose A public computer and log on. 2 In the Web browser, click the SSH icon. 3 Enter the user name and SSH host name or IP address. The SSH window opens. Telnet 3270 Emulator Client The Telnet 3270 Emulator client enables the user to establish a [...]

  • Page 142

    Supporting Secure Access Client 132 Firebox SSL VPN Gateway To use Gaim 1 From the portal page, choose A public computer and log on. 2 In the Web browser, double-click the Gaim icon. 3 If messaging services were not added, an Accounts window opens. Click Add. 4 In the Add Account dialog box, in Protocol, select the instant messen[...]

  • Page 143

    Administration Guide 133 Managing Client Connections An email template is provided that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. Customize the text for your site and then send the text in an email to users. Note To install the Secure Access Clien[...]

  • Page 144

    Managing Client Connections 134 Firebox SSL VPN Gateway Closing a connection to a resource Without disrupting a user's VPN connection, you can temporarily close the user's connection to a particular resource. To prevent the user from connecting to the resource, correct the user's group ACL. To close a connection 1 In the Firebo[...]

  • Page 145

    Administration Guide 135 Managing Client Connections 2 In the left pane, right-click a group and click Properties. 3 On the General tab, under Session options, select one or both of the following: • Authenticate after network interruption. This option forces a user to log on again if the network connection is briefly interrupted. •[...]

  • Page 146

    Managing Client Connections 136 Firebox SSL VPN Gateway[...]

  • Page 147

    Administration Guide 137 APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting The following topics describe how to use Firebox SSL VPN Gateway logs and troubleshoot issues: • Viewing and Downloading System Message Logs • Enabling and Viewing SNMP Logs • Viewing System Statistics • Monitoring Firebox SSL VPN Gateway Oper[...]

  • Page 148

    Viewing and Downloading System Message Logs 138 Firebox SSL VPN Gateway 3 Click Logging/Settings. 4 Under Gateway Log, click Display Logging Window. The log for today's date is displayed. To display the log for a prior date, select the date in the Log Archive list and click View Log. 5 By default, the log displays all entr[...]

  • Page 149

    Administration Guide 139 Enabling and Viewing SNMP Logs To view or download the log, go to the Logging > Configuration tab and click Download W3C Log. Enabling and Viewing SNMP Logs When Simple Network Management Protocol (SNMP) is enabled, the Firebox SSL VPN Gateway reports the MIB-II system group (1.3.6.1.2.1). The Firebox SSL VPN Gat[...]

  • Page 150

    Viewing System Statistics 140 Firebox SSL VPN Gateway To obtain SNMP data for the Firebox SSL VPN Gateway through Multi Router Traffic Grapher (in UNIX) 1 Configure the Firebox SSL VPN Gateway to respond to SNMP queries as discussed in “To enable logging of SNMP messages” on page 139. 2 Create Multi Router Traffic Grapher configurat[...]

  • Page 151

    Administration Guide 141 Recovering from a Failure of the Firebox SSL VPN Gateway bottom right corner, you can view process and network activity levels; mouse over the two graphs to view numeric data. To open the Firebox SSL VPN Gateway Administration Desktop 1 Open a Web browser and type the IP address or FQDN of the Firebox SSL[...]

  • Page 152

    Recovering from a Failure of the Firebox SSL VPN Gateway 142 Firebox SSL VPN Gateway • apply the v 5.5 software update Reinstalling v 4.9 application software To reinstall v 4.9 on your appliance: 1 Find the Firebox® SSL v 4.9.2 Recovery CD that came with your original Firebox® SSL Core appliance. 2 Use the instructions in the v 4.9 [...]

  • Page 153

    Administration Guide 143 Troubleshooting To upgrade to v 5.5. 1 In the v5.0 Administration Tool, click the Firebox® SSL VPN Gateway Cluster tab. 2 On the Administration tab, next to Upload a server upgrade or saved config, click Browse. 3 Navigate to the upgrade file and click Open. 4 Wait for the message Upgrade successful to[...]

  • Page 154

    Troubleshooting 144 Firebox SSL VPN Gateway By default, the Firebox SSL VPN Gateway passes only the user name and password to the Web Interface. To correct this, configure a default domain or a set of domains users can log on to. The Web Interface uses the first one in the list as the default domain. Web Interface Credentials Are Inval[...]

  • Page 155

    Administration Guide 145 Troubleshooting Defining Accessible Networks In the Accessible Networks field on the Global Cluster Policies tab, up to 24 subnets can be defined. If more than 24 subnets are entered, the Firebox SSL VPN Gateway ignores the additional subnets. VMWare If a user logs on to the Secure Access Client from two compu[...]

  • Page 156

    Troubleshooting 146 Firebox SSL VPN Gateway Internal Failover If internal failover is enabled and the administrator is connected to the Firebox SSL VPN Gateway, the Administration Tool cannot be reached over the connection. To fix this problem, enable IP pooling and then connect to the lowest IP address in the pool range on port 9001. F[...]

  • Page 157

    Administration Guide 147 Troubleshooting Devices Cannot Communicate with the Firebox SSL VPN Gateway Verify that the following are correctly set up: • The External Public Address specified on the General Networking tab in the Firebox SSL VPN Gateway Administration Tool is available outside of your firewall • Any changes made in t[...]

  • Page 158

    Troubleshooting 148 Firebox SSL VPN Gateway Client Connections from a Windows Server 2003 If a connection to the Firebox SSL VPN Gateway is made from a Windows Server 2003 computer that is its own DNS server, local and public DNS resolution does not work. To fix this issue, configure the Windows Server 2003 network settings to point t[...]

  • Page 159

    Administration Guide 149 APPENDIX B Using Firewalls with Firebox SSL VPN Gateway If a user cannot establish a connection to the Firebox SSL VPN Gateway or cannot access allowed resources, it is possible that the firewall software on the user's computer is blocking traffic. The Firebox SSL VPN Gateway works with any personal firewall, [...]

  • Page 160

    BlackICE PC Protection 150 Firebox SSL VPN Gateway To view Secure Access Client status properties Double-click the Secure Access Client connection icon in the notification area. Alternatively, right-click the icon and choose Properties from the menu. The Secure Access Client dialog box appears. The properties of the connection provide in[...]

  • Page 161

    Administration Guide 151 Norton Personal Firewall. Norton Personal Firewall If you are using the default Norton Personal Firewall settings, you can simply respond to the Program Control alerts the first time that you attempt to start the Secure Access Client or when you access a blocked location or application. When you respond[...]

  • Page 162

    ZoneAlarm Pro 152 Firebox SSL VPN Gateway To configure the settings, open the Tiny Personal Firewall administration window, click the Advanced button to view the Firewall Configuration window, and then use the Filter Rule dialog box as indicated below. After you apply the above configuration and start the Secure Access Client, Tin[...]

  • Seite 163

    Administration Guide 153 APPENDIX C Installing Windows Certificates The Firebox SSL VPN Gateway includes the Certificate Request Generator to automatically create a certificate request. After the file is returned from the Certificate Authority, it can be uploaded to the Firebox SSL VPN Gateway. When the file is uploaded, it is conver[...]

  • Page 164

    Unencrypting the Private Key 154 Firebox SSL VPN Gateway 12 Click Next to start the installation. After Cygwin installs, you can generate the CSR. These instructions to generate a CSR assume that you are using the Cygwin UNIX environment installed as described in "To install Cygwin" on page 153. To generate a CSR using the Cygwin UN[...]

  • Page 165

    Administration Guide 155 Converting to a PEM-Formatted Certificate For information about downloading OpenSSL for Windows, see the SourceForge Web site at http://sourceforge.net/project/showfiles.php?group_id=23617&release_id=48801. Converting to a PEM-Formatted Certificate The signed certificate file that you receive from the C[...]

  • Page 166

    Generating Trusted Certificates for Multiple Levels 156 Firebox SSL VPN Gateway To combine the private key with the signed certificate 1 Use a text editor to combine the unencrypted private key with the signed certificate in the PEM file format. The file contents should look similar to the following: -----BEGIN RSA PRIVATE KEY----[...]

  • Page 167

    Administration Guide 157 Generating Trusted Certificates for Multiple Levels Intermediate Certificate 0 Intermediate Certificate 1 Intermediate Certificate 2[...]

  • Page 168

    Generating Trusted Certificates for Multiple Levels 158 Firebox SSL VPN Gateway[...]

  • Page 169

    Administration Guide 159 APPENDIX D Examples of Configuring Network Access After the Firebox SSL VPN Gateway is installed and configured to operate in your network environment, use the Administration Tool to configure user access to the servers, applications, and other resources on the internal network. Configuring user access to intern[...]

  • Page 170

    Scenario 1: Configuring LDAP Authentication and Authorization 160 Firebox SSL VPN Gateway Before reading the examples in this chapter, you should become familiar with the settings on three tabs of the Administration Tool. The settings on these tabs control user access to internal network resources: • Global Cluster Policies • Authentic[...]

  • Page 171

    Administration Guide 161 Scenario 1: Configuring LDAP Authentication and Authorization • Determining the Sales and Engineering users who need remote access • Collecting the LDAP directory information Determining the internal networks that include the needed resources Determining the internal networks that include the needed resources is t[...]

  • Page 172

    Scenario 1: Configuring LDAP Authentication and Authorization 162 Firebox SSL VPN Gateway For example, if the Firebox SSL VPN Gateway operates with the Microsoft Active Directory, the Firebox SSL VPN Gateway checks the "memberOf" attribute in the Person entry to determine the groups to which a user belongs. In this example, [...]

  • Page 173

    Administration Guide 163 Scenario 1: Configuring LDAP Authentication and Authorization • LDAP Server port. The port on which the LDAP server listens for connections. The default port for LDAP connections is port 389. • LDAP Administrator Bind DN and LDAP Administrator Password. If the LDAP directory requires applications to authenticat[...]

  • Page 174

    Scenario 1: Configuring LDAP Authentication and Authorization 164 Firebox SSL VPN Gateway This task includes these five procedures: • Configuring accessible networks • Creating an LDAP authentication realm • Creating the appropriate groups on the Firebox SSL VPN Gateway • Creating and assigning network resources to the user groups • C[...]

  • Page 175

    Administration Guide 165 Scenario 1: Configuring LDAP Authentication and Authorization Creating an LDAP Authentication and Authorization Realm Creating an LDAP authentication and authorization realm is the second of five procedures the administrator performs to configure access to the internal network resources in this scenario. In this [...]

  • Page 176

    Scenario 1: Configuring LDAP Authentication and Authorization 166 Firebox SSL VPN Gateway Creating the Appropriate Groups on the Firebox SSL VPN Gateway Creating the appropriate groups on the Firebox SSL VPN Gateway is the third of five procedures the administrator performs to configure access to the internal network resources in the [...]

  • Page 177

    Administration Guide 167 Scenario 1: Configuring LDAP Authentication and Authorization 4 In Network/Subnet, type these two IP address/subnet pairs for the resources. Separate each of these IP address/subnet pairs with a space: 10.10.0.0/24 10.60.10.0/24 5 To simplify this example, the administrator accepts the default values for the other[...]

  • Page 178

    Scenario 1: Configuring LDAP Authentication and Authorization 168 Firebox SSL VPN Gateway the 10.0.20.x resource and allow access to the 10.0.x.x resource. In these cases, configure the policy denying access to 10.0.20.x first and then configure the policy allowing access to the 10.0.x.x network second. Always configure the most restricti[...]

  • Page 179

    Administration Guide 169 Scenario 2: Creating Guest Accounts Using the Local Users List 5 In the left pane, click the "Email server" network resource you just created and drag it to Application Network Policies listed under Application Constraints in the right pane. Click OK. 6 In the left pane, expand both the "Remote Sale[...]

  • Page 180

    Scenario 2: Creating Guest Accounts Using the Local Users List 170 Firebox SSL VPN Gateway An administrator can also create a list of local users on the Firebox SSL VPN Gateway and configure the Firebox SSL VPN Gateway to provide authentication and authorization services for these users. This list of local users is maintained in a database on t[...]

  • Page 181

    Administration Guide 171 Scenario 2: Creating Guest Accounts Using the Local Users List To create a guest authentication realm for the guest users 1 In the Firebox SSL VPN Gateway Administration Tool, click the Authentication tab. 2 In Realm Name, type Guest. 3 Select One Source and click Add. 4 At Select Authentication Type, select L[...]

  • Page 182

    Scenario 3: Configuring Local Authorization for Local Users 172 Firebox SSL VPN Gateway Silvio and Lisa are authorized to access any resource defined in the ACL of the Default user group because No Authorization is specified as the authorization type of the Guest realm. In this example, Silvio and Lisa can access only the Web conference ser[...]

  • Page 183

    Administration Guide 173 APPENDIX E Legal and Copyright Information GNU GENERAL PUBLIC LICENSE FOR LINUX KERNEL AS PROVIDED WITH FIREBOX SSL Firebox SSL VPN Gateway Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim [...]

  • Page 184

    174 Firebox SSL VPN Gateway We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this[...]

  • Page 185

    Administration Guide 175 change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when r[...]

  • Page 186

    176 Firebox SSL VPN Gateway be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you recei[...]

  • Page 187

    Administration Guide 177 If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other propert[...]

  • Page 188

    178 Firebox SSL VPN Gateway 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE[...]

  • Page 189

    Administration Guide 179 This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other t[...]

  • Page 190

    180 Firebox SSL VPN Gateway[...]

  • Page 191

    Administration Guide 181 Index A access control list 56, 97 allow and deny rules 98 deny access 15, 58 deny access without ACL 57, 88 Access Policy Manager tab 15, 87 add network resource 101 Application Policies 16, 101 applications without policies 15 client certificate criteria 16, 95 create network resource 100 create user group 89 end poin[...]

  • Page 192

    182 Firebox SSL VPN Gateway Authentication tab LDAP 74 authorization 15 configuring 61 LDAP 65, 73 LDAP and RSA/ACE Server 81 local users 65 RADIUS 69, 72 B backing up 44 BlackICE PC Protection 150 C certificate 109 512-bit keypairs 147 backing up 44 certificate signing request 14, 110 client 15, 95, 114 combining with private key 155 convert[...]

  • Page 193

    Administration Guide 183 removing 105 Ethereal Network Analyzer 141 unencrypted traffic 27 Ethereal Network Monitor 17 external access 15 F failover 48 appliances 14 DNS servers 50 gateways 55 internal 15, 55 failure recovery 141 FAQs 5 file share configuring 103 mount type 103 source path 103 file share resources 16, 128 finger query 141 F[...]

  • Page 194

    184 Firebox SSL VPN Gateway persistence 104 Remote Desktop Client 130 shared network drives, using 128 SSH client 130 Telnet 3270 Emulator client 131 using FTP to copy files 129 VNC client 131 known issues 5 L LDAP authentication 15, 25 authorization 15, 73 authorization with RSA/ACE Server 81 LDAP authentication 73, 76 LDAP Browser 78 LDAP [...]

  • Page 195

    Administration Guide 185 ping 46 command 33, 145 from xNetTools 141 policies access control lists 56 IP pooling 94 network access 56 portal pages 38, 41 setting priority 106 port for connections 49 scanner 141 portal page client connections 118 client variables 39 configuring 16, 95 customizing 15, 38 disabling 95 double source authenticati[...]

  • Page 196

    186 Firebox SSL VPN Gateway connection to 28 service scanner 141 session timeout 15, 88, 92 settings General Networking 47 shared network drives 128 shared secret 69, 82 shutting down 15, 45 single sign-on 15 single sign-on for client 91 SNMP 139 logs, enabling and viewing 139 MIB groups reported 139 settings 139 software reinstalling 141 [...]

  • Page 197

    Administration Guide 187 failover servers 55 General Networking 14, 47 logging 14, 137 managing licenses 15, 36 Name Service Providers 14, 47 Network Time Protocol 15 restarting 15 restarting appliance 45 restoring configuration 15, 44 routes 14, 48, 52, 54 save configuration 15, 44 shut down 15, 45 SNMP 139 static route 53 statistics 1[...]

  • Page 198

    188 Firebox SSL VPN Gateway[...]