WatchGuard® Firebox® SSL VPN Gateway Administration Guide
Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Contents
CHAPTER 1 Getting Started with Firebox SSL VPN Gateway ... 1
  Audience ... 1
  Operating System Requirements ... 1
  Document Conventions
  Disable kiosk mode ... 12
  Specify multiple ports and port ranges for network resources ... 12
  Voice over IP softphone support ... 12
  Editable HOSTS file
  Using the Serial Console ... 33
  To open the serial console ... 34
  Using the Administration Tool ... 34
  To download and install the Administration Tool
  Allowing ICMP traffic ... 46
  To enable ICMP traffic ... 46
CHAPTER 4 Configuring Firebox SSL VPN Gateway Network Connections ... 47
  Configuring Network Information
  To disable Firebox SSL VPN Gateway authentication ... 68
  SafeWord PremierAccess Authorization ... 68
  Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication ... 68
  To configure the IAS RADIUS realm
  Enabling session time-out ... 92
  Configuring Web Session Time-Outs ... 93
  Disabling Desktop Sharing ... 93
  Setting Application Options
  Using the Access Portal ... 118
  To connect using the default portal page ... 118
  Connecting from a Private Computer ... 119
  Tunneling Private Network Traffic over Secure Connections
  Launching the v 5.5 Administration Tool ... 143
  Troubleshooting ... 143
  Troubleshooting the Web Interface ... 143
  Other Issues
CHAPTER 1 Getting Started with Firebox SSL VPN Gateway This chapter describes who should read the Firebox SSL VPN Gateway Administration Guide, how it is organized, and its document conventions. Audience This user guide is intended for system administrators responsible for installing and configuring the Firebox SSL VPN Gateway. This document assumes that the Firebox SSL VPN Gateway is connected to an existing network and that the administrator has experience configuring that network.
Document Conventions
Firebox SSL VPN Gateway documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:
Convention: Meaning
Boldface: Commands, names of interface items such as text boxes, option buttons, and user input.
Italics: Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file.
learn more about your WatchGuard Firebox® and network security, or find a WatchGuard Certified Training Center in your area.

LiveSecurity Service Broadcasts
The WatchGuard® Rapid Response Team regularly sends messages and software information directly to your computer desktop by e-mail. We divide the messages into categories to help you to identify and make use of incoming information immediately.
Self Help Tools

New from WatchGuard
When WatchGuard releases a new product, we first tell you — our customers. You can learn about new features and services, product upgrades, hardware releases, and promotions.

Activating LiveSecurity Service
You can activate LiveSecurity® Service through the activation section of the LiveSecurity web pages.
Note: To activate LiveSecurity Service, you must enable JavaScript on your browser.
Advanced FAQs
The Advanced FAQs (frequently asked questions) give you important information about configuration options and operation of systems or products. They add to the information you can find in this User Guide and in the Online Help system.

Fireware® How Tos
The Fireware How To documentation helps you to quickly find procedures for configuration tasks specific to Fireware appliance software.
Online Help

WatchGuard Users Forum
This forum has different categories that you can use to look for information. The Technical Support team moderates the forum during regular work hours. You do not get special help from Technical Support when you use the forum. To contact Technical Support directly from the web, log in to your LiveSecurity account. Click on the Incidents link to send a Technical Support incident.

Using the WatchGuard Users Forum
To use the WatchGuard Users Forum you must first create an account.
Service time
We try for a maximum response time of four hours. Single Incident Priority Response Upgrade (SIPRU) and Single Incident After Hours Upgrade (SIAU) are also available. For more information about these upgrades, refer to the WatchGuard web site at: http://www.watchguard.com/support

LiveSecurity Gold
WatchGuard Gold LiveSecurity Technical Support adds to your standard LiveSecurity Service.
a certification exam. The training materials include links to books and web sites with more information about network security. WatchGuard product training is also available at a location near you through a large group of WatchGuard Certified Training Partners (WCTPs). Training partners give training using certified training materials and with WatchGuard hardware. You can install and configure the products with an advanced instructor and system administrator to help you learn.
CHAPTER 2 Introduction to Firebox SSL VPN Gateway
WatchGuard Firebox SSL VPN Gateway is a universal Secure Sockets Layer (SSL) virtual private network (VPN) appliance that provides a secure single point of access to any information resource, both data and voice. Combining the best features of Internet Protocol Security (IPSec) and SSL VPN without the costly and cumbersome implementation and management, Firebox SSL VPN Gateway works through any firewall that permits outbound SSL/TLS and supports all applications and protocols.
Overview
As shown in the following illustration, the Firebox SSL VPN Gateway is appropriate both for employees accessing the organization remotely and for intranet access from restricted LANs such as wireless networks.
[Figure: network topology showing the Firebox SSL VPN Gateway in the DMZ.]
The following illustration shows how the Firebox SSL VPN Gateway creates a secure virtual TCP circuit between the client computer running the Secure Access Client and the Firebox SSL VPN Gateway.
The virtual TCP circuit uses industry-standard Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption. All packets destined for the private network are transported over the virtual TCP circuit. The Firebox SSL VPN Gateway is essentially a low-level packet filter with encryption: it drops traffic that does not belong to an authenticated session, and traffic from a session that is not permitted to reach the particular network it is addressed to.
New Features

Secure Access Client connections
The Secure Access Client included in this release can connect to earlier versions of the Firebox SSL VPN Gateway. Also, earlier versions of the Secure Access Client can connect to this release of the Firebox SSL VPN Gateway if that is enabled on the Global Cluster Policies tab.
Features NTLM authentication and authorization support. If your environment includes Windows NT 4.0 domain controllers, the Firebox SSL VPN Gateway can authenticate users against the user domain accounts maintained on the Windows NT server. The Firebox SSL VPN Gateway can also authorize users to access internal network resources based on a user’s group memberships on the Windows NT 4.0 domain controller.
• Date and time configuration
• Certificate generation and installation
• Restarting and shutting down the Firebox SSL VPN Gateway
• Saving and reinstalling configuration settings
Note: If the Firebox SSL VPN Gateway is upgraded to Version 5.5 from an earlier version, you must uninstall and then reinstall the latest Administration Tool. You can uninstall the earlier version of the Administration Tool using Add/Remove Programs in Control Panel.
Feature: Where to find it in the Firebox SSL VPN Gateway Administration Tool
Server Upgrade: VPN Gateway Cluster > Administration
Server Restart: VPN Gateway Cluster > Administration
Server Shut Down: VPN Gateway Cluster > Administration
Server Statistics: VPN Gateway Cluster > Statistics
Licensing: VPN Gateway Cluster > Licensing
Date and Time: VPN Gateway Cluster > Date
Enable External Administration: VPN Gateway Cluster > Administration
Saving and Restoring Server Configuration: VPN Gateway Cluster > Administration
Enable Split
Feature: Where to find it in the Firebox SSL VPN Gateway Administration Tool
Use SSL/TLS
Local Group Users: Access Policy Manager > User Groups > Properties > Members
Client Certificate Criteria Expression: Access Policy Manager > User Groups > Properties > Client Certificates
Network Resource Groups: Access Policy Manager > Network Resources
Application Policies: Access Policy Manager > Application Policies
File Share Resources: Access Policy Manager > File Share Resources
Kiosk Resources and Policies: Access Policy Manage
Deployment and Administration Secure Access Client by typing a secure Web address in a standard Web browser and providing authentication credentials. Because the Firebox SSL VPN Gateway encrypts traffic using standard SSL/TLS, it can traverse firewalls and proxy servers, regardless of the client location. For a more detailed description of the user experience, see “Connecting from a Private Computer” on page 119. The following illustration shows the Windows version of the Access Portal.
Administration Desktop also provides access to the Real-Time Monitor, where you can view a list of current users and close the connection for any user.

Planning your deployment
This chapter discusses deployment scenarios for the Firebox SSL VPN Gateway.
Planning for Security with the Firebox SSL VPN Gateway
When a Firebox SSL VPN Gateway is deployed in the secure network, the Secure Access Client or kiosk client connections must traverse the firewall to connect to the Firebox SSL VPN Gateway. By default, both of these clients use the SSL protocol on TCP port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall (or the alternative port, if you configure one) for inbound connections to the Firebox SSL VPN Gateway's external address.
Deploying Additional Appliances for Load Balancing and Failover
You can install multiple Firebox SSL VPN Gateway appliances into your environment for one or both of these reasons:
• Scalability. If you have a large remote user population, install additional Firebox SSL VPN Gateway appliances to accommodate the user load.
• High Availability.
• The Firebox SSL VPN Gateway FQDN for network address translation (NAT)
• The IP address of the default gateway device
• The port to be used for connections
If connecting the Firebox SSL VPN Gateway to a server load balancer:
• The Firebox SSL VPN Gateway IP address and subnet mask.
• The settings of the server load balancer as the default gateway device (if required). See the load balancer manufacturer's documentation for more information.
• [4] Display Log displays the Firebox SSL VPN Gateway log
• [5] Reset Certificate resets the certificate to the default certificate that comes with the Firebox SSL VPN Gateway
• [6] Change Administrative Password allows you to change the default administrator password of rootadmin
Important: WatchGuard recommends changing the administrator password before connecting the Firebox SSL VPN Gateway to your network. The default credentials are published in this guide, and the root administrative password can be reset only by reinstalling the server software, so choose a strong password here and record it securely.
To configure TCP/IP Settings

Using Network Cables
The Firebox SSL VPN Gateway has two network adapters installed. One network adapter communicates with the Internet and client computers that are not inside the corporate network. The other network adapter communicates with the internal network. WatchGuard recommends that both network adapters be configured for maximum security.
For information about the relationship between the Default Gateway and dynamic or static routing, see “Dynamic and Static Routing” on page 51. After you configure your network settings on the Firebox SSL VPN Gateway, you need to restart the appliance.
Note: You do not need to restart the Firebox SSL VPN Gateway until you complete all configuration steps. These include configuring network access for the appliance and installing certificates and licenses.
• After downloading the Secure Access Client, the user logs on. When the user successfully authenticates, the Firebox SSL VPN Gateway establishes a secure tunnel.
• As the remote user attempts to access network resources across the VPN tunnel, the Secure Access Client encrypts all network traffic destined for the organization's intranet and forwards the packets to the Firebox SSL VPN Gateway.
Using the Firebox SSL VPN Gateway Establishing the Secure Tunnel After the Secure Access Client is started, it establishes a secure tunnel over port 443 (or any configured port on the Firebox SSL VPN Gateway) and sends authentication information. When the tunnel is established, the Firebox SSL VPN Gateway sends configuration information to the Secure Access Client describing the networks to be secured and containing an IP address if you enabled IP pool visibility.
Using the Firebox SSL VPN Gateway NAT firewalls maintain a table that allows them to route secure packets from the Firebox SSL VPN Gateway back to the client computer. For circuit-oriented connections, the Firebox SSL VPN Gateway maintains a port-mapped, reverse NAT translation table.
work, no attempt is made by either the client or the server applications to regenerate them, so real-time (UDP-like) performance is achieved over a secure TCP-based tunnel. For more information about improving latency with UDP connections and Voice over IP, see “Improving Voice over IP Connections” on page 59.

Using Kiosk Mode
The Firebox SSL VPN Gateway provides secure access to a corporate network from a public computer using kiosk mode.
Using the Firebox SSL VPN Gateway public address. The external public address ensures that the redirected client returns to the Firebox SSL VPN Gateway it first encountered, providing session stickiness. The association between a particular request and the Firebox SSL VPN Gateway is broken only when the client makes a new connection. To configure the Firebox SSL VPN Gateway to connect to the network, see “Configuring Network Information” on page 47.
CHAPTER 3 Configuring Basic Settings This chapter describes Firebox SSL VPN Gateway basic administration, including connecting to the Firebox SSL VPN Gateway, using the Administration Desktop, and using the Administration Tool to configure the Firebox SSL VPN Gateway. Note All submitted configuration changes are applied automatically to the Firebox SSL VPN Gateway and do not cause a disruption for users connected to the Firebox SSL VPN Gateway.
Firebox SSL VPN Gateway Administration Desktop
The Firebox SSL VPN Gateway Administration Desktop provides Firebox SSL VPN Gateway monitoring tools. The taskbar includes one-click access to a variety of standard Linux monitoring applications as well as the Real-Time Monitor, used to view and manage open connections, and the system time and date.
• Download a sample email for users

Admin Users Tab
The Firebox SSL VPN Gateway has a default administrative user account with full access to the Firebox SSL VPN Gateway. To protect the Firebox SSL VPN Gateway from unauthorized access, change the default password during your initial configuration.
Note: To reset the root administrative password to its default, you must reinstall the Firebox SSL VPN Gateway server software.
To open the serial console
1 Connect the RS232 cable to the serial port on the Firebox SSL VPN Gateway and to the serial port on the computer.
2 Make sure that the Firebox SSL VPN Gateway is running.
3 Start a terminal emulation application (such as HyperTerminal or PuTTY) and create the following settings:
If the serial console does not open, check the settings in the terminal emulation application.
7 In Username and Password, type the Firebox SSL VPN Gateway administrator credentials. The default user name and password are root and rootadmin. You can change the administrative password as described in “To change the administrator password” on page 33.
Managing Licenses Firebox SSL VPN Gateway Administration Tool. To apply these license files, see “Managing Licenses” on page 36. For future tunnel capacity upgrades, you will follow these same steps to increase the capacity of your Firebox® SSL VPN Gateway.
Do not overwrite any .lic files in the license directory. If another file in that directory has the same name, rename the newly received file before uploading it. The Firebox SSL VPN Gateway software calculates your licensed features based on all .lic files that are uploaded to the Firebox SSL VPN Gateway. Do not edit a .lic file: the Firebox SSL VPN Gateway software ignores every feature associated with a license file that has been modified. The contents of the file are encrypted and must remain intact.
5 In a Web browser, type the address of the Firebox SSL VPN Gateway, using either the IP address or fully qualified domain name (FQDN), to connect to either the internal or external interface. The format is https://ipaddress or https://FQDN.
6 Type the logon credentials. The WatchGuard Firebox SSL VPN Gateway portal page appears.
7 Click My own computer and then click Connect.
By default, users see a WatchGuard Firebox SSL VPN Gateway portal page when they open https://<Firebox SSL VPN Gateway IP or hostname>. For samples of the default portal pages for Windows, Linux, and Java, see “Using the Access Portal” on page 118. Several portal page templates that can be customized are provided. One of the templates includes links to both the Firebox SSL Secure Access Client and kiosk mode.
To download the portal page templates to your local computer
1 In the Firebox SSL VPN Gateway Administration Portal, click Downloads.
2 Under Sample Portal Page Templates, right-click one of the links, click Save Target as, and specify a location in the dialog box.
To work with the templates for Windows and Linux users
1 Determine how many custom portal pages you need. You can use the same portal page for multiple groups.
To install a custom portal page or image on the Firebox SSL VPN Gateway
1 Click the Portal Page Configuration tab.
2 Click Add File.
3 In File Identifier, type a name that is descriptive of the types of users who use the portal page. The file name can help you later when you need to associate the portal page with a group. For example, you might have a primary portal page used by many groups and a separate portal page used only by guests.
2 Add the links as follows to the Web page:
Firebox SSL Secure Access Client (Windows/Java): https://ipAddress/CitrixSAClient.exe
Kiosk mode (Windows/Java): https://ipAddress/net6javakiosk_applet.html
Firebox SSL Secure Access Client (Linux): https://ipAddress/full_linux_instructions.
Connecting Using a Web Address tication policy check fails, the users receive an error message instructing them to contact their system administrator. For more information about pre-authentication policies, see “Global policies” on page 96.
Saving and Restoring the Configuration
When you upgrade the Firebox SSL VPN Gateway, all of your configuration settings, including uploaded certificates, licenses, and portal pages, are restored automatically. However, if you reinstall the Firebox SSL VPN Gateway software, you must manually restore your configuration settings.
Note: Before using the Recovery CD to reinstall the Firebox SSL VPN Gateway software, save your configuration.
2 In Upload a Server Upgrade or Saved Config, click Browse.
3 Locate the upgrade file that you want to upload and click Open. The file is uploaded and the Firebox SSL VPN Gateway restarts automatically.
When you upgrade the Firebox SSL VPN Gateway, all of your configuration settings are saved. For information about saving and restoring a configuration, see “Saving and Restoring the Configuration” on page 44.
To change the system date and time
1 In the Administration Tool, click the VPN Gateway Cluster tab, select the appliance, and then click the Date tab.
2 In Time Zone, select a time zone.
3 In Date, type the date and time.
4 Click Submit.
Network Time Protocol
The Network Time Protocol (NTP) synchronizes the internal clocks of computers on an IP network to a common time source; it runs over UDP (port 123), not TCP. Keep the Firebox SSL VPN Gateway clock accurate: certificate validity checks, log timestamps, and time-based tokens such as RSA SecurID all depend on it.
CHAPTER 4 Configuring Firebox SSL VPN Gateway Network Connections The Firebox SSL VPN Gateway has two network adapters that can be configured to work on your network. The VPN Gateway Cluster > General Networking tabs in the Administration Tool are used to configure most network settings.
• The Routes tab is where dynamic and static routes are configured
• The Failover Servers tab is where multiple Firebox SSL VPN Gateways are configured

General Networking
The Firebox SSL VPN Gateway has two network adapters installed. If both are used, one network adapter communicates with the Internet and computers that are not inside the corporate network, and the other communicates with the internal network.
General Networking The Firebox SSL VPN Gateway in the DMZ. For more information, see “Connecting to a Server Load Balancer” on page 28. External Public FQDN The Firebox SSL VPN Gateway uses the external IP address or FQDN to send its response to a request back to the correct network connection. If the external IP address is not specified, the Firebox SSL VPN Gateway sends responses out through the interface where the gateway is identified.
Note: IP pooling is configured per group, as described in “Enabling IP Pooling” on page 94.

Name Service Providers
Name resolution is configured on the Name Service Providers tab. You can specify the following:
DNS Server 1, DNS Server 2, DNS Server 3: The IP addresses of the first, second, and third DNS servers.
DNS suffixes: The DNS suffixes of the servers. Separate entries with a space; each entry should follow the format site.com.
3 Under Edit the HOSTS file, in IP address, enter the IP address that you want to associate with an FQDN.
4 In FQDN, enter the FQDN you want to associate with the IP address you entered in the previous step.
5 Click Add. The IP address and HOSTS name pair appears in the Host Table.
To remove an entry from the HOSTS file
1 Under Host Table, click the IP address and HOSTS name pair you want to delete.
2 Click Remove.
Configuring Dynamic Routing
When dynamic routing is selected, the Firebox SSL VPN Gateway operates as follows:
• It listens for route information published through RIP and automatically populates its routing table.
• If the Dynamic Gateway option is enabled, it uses the Default Gateway learned through dynamic routing rather than the value specified on the General Networking tab.
• It disables any static routes created for the Firebox SSL VPN Gateway.
5 In the text box, type the authentication string. It must be an exact, case-sensitive match to the string configured on the RIP server.
6 Select the Enable RIP MD5 Authentication for Interface check box if the RIP server authenticates its RIPv2 updates with a keyed MD5 digest (RIPv2 authentication type 3, RFC 2082). In that mode the shared string is never sent on the wire: each update carries an MD5 digest computed over the packet plus the key, and the receiver recomputes it with its own copy of the key. Do not select this option if the RIP server sends the authentication string in plain text (RIPv2 simple password authentication), which any host on the segment can read.
7 Click Submit.
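The following is an added example, not WatchGuard or router code, that models what the MD5 option checks: a RIPv2 response is built with the RFC 2082 authentication header and trailer, and the receiver verifies the trailing digest with its copy of the key. The key is treated as at most 16 bytes, zero-padded, which is the RFC 2082 key field; the route data and the secret "Secret1" are constructed for the example.

```python
"""RIPv2 keyed MD5 authentication (RFC 2082) modelled as a keyed digest.

Added example (not WatchGuard or RIP router code). It builds a RIP-2 response
carrying the MD5 authentication header and trailer and verifies it with a
shared key, so you can see what "Enable RIP MD5 Authentication" checks and
why the key must match byte for byte.
"""
import hashlib
import hmac
import socket
import struct

KEY_LEN = 16        # RFC 2082: the key occupies a 16-octet field, zero-padded
AUTH_TYPE_MD5 = 3   # Authentication Type in the leading auth entry
TRAILER_TYPE = 1    # Authentication Type in the trailing digest entry
ENTRY_LEN = 20      # every RIP-2 entry (auth header, route, trailer) is 20 bytes


def _pad_key(key: bytes) -> bytes:
    """Zero-pad the shared secret to the 16-octet key field (assumed limit)."""
    if len(key) > KEY_LEN:
        raise ValueError("RIP MD5 key must be at most 16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def build_rip2_md5(routes, key: bytes, key_id: int = 1, seq: int = 0) -> bytes:
    """Build a RIP-2 response (command 2) authenticated with keyed MD5.

    routes: iterable of (network, netmask, next_hop, metric), dotted quads.
    """
    header = struct.pack("!BBH", 2, 2, 0)          # response, version 2, domain 0
    routes = list(routes)
    body_len = 4 + ENTRY_LEN * (1 + len(routes))   # offset of the trailer
    auth = struct.pack("!HHHBBI8x", 0xFFFF, AUTH_TYPE_MD5, body_len,
                       key_id, KEY_LEN, seq)
    entries = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0,            # AFI=2 (IP), route tag 0
                    socket.inet_aton(net), socket.inet_aton(mask),
                    socket.inet_aton(nh), metric)
        for net, mask, nh, metric in routes)
    body = header + auth + entries
    trailer = struct.pack("!HH", 0xFFFF, TRAILER_TYPE)
    # The digest covers the packet with the padded secret standing where the
    # digest will go; only the digest, never the secret, is transmitted.
    digest = hashlib.md5(body + trailer + _pad_key(key)).digest()
    return body + trailer + digest


def verify_rip2_md5(packet: bytes, key: bytes) -> bool:
    """Recompute the trailing digest with our key; True only if it matches."""
    if len(packet) < 4 + 2 * ENTRY_LEN:
        return False
    afi, atype, body_len, _key_id, auth_len = struct.unpack("!HHHBB", packet[4:12])
    # RFC 2082 sets the auth data length to 16; some routers send 20.
    if afi != 0xFFFF or atype != AUTH_TYPE_MD5 or auth_len not in (16, 20):
        return False
    if body_len + ENTRY_LEN != len(packet):
        return False
    if packet[body_len:body_len + 4] != struct.pack("!HH", 0xFFFF, TRAILER_TYPE):
        return False
    expected = hashlib.md5(packet[:body_len + 4] + _pad_key(key)).digest()
    return hmac.compare_digest(expected, packet[body_len + 4:])


if __name__ == "__main__":
    # Constructed sample: one route, secret "Secret1"; a case change breaks it.
    pkt = build_rip2_md5([("10.10.0.0", "255.255.0.0", "0.0.0.0", 1)], b"Secret1", seq=7)
    print(verify_rip2_md5(pkt, b"Secret1"), verify_rip2_md5(pkt, b"secret1"))
```

A digest computed with "secret1", or with a trailing space, does not verify, which is the practical meaning of "exact, case-sensitive match"; and because the digest covers the whole packet, a changed metric or a truncated update fails too, which plain-text authentication cannot detect.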
8 On the General Networking tab, click Submit. The route name appears in the Static Routes list.
To test a static route
1 From the Firebox SSL VPN Gateway serial console, type 1 (ping).
2 Enter the host IP address for the device you want to ping and press Enter. If you are successfully communicating with the other device, messages appear saying that the same number of packets were transmitted and received, and zero packets were lost.
To set up the static route, you need to establish the path between the eth1 adapter and IP address 129.6.0.20.
To set up the example static route
1 Click the VPN Gateway Cluster tab and then click the Routes tab.
2 In Destination LAN IP Address, set the IP address of the destination LAN to 129.6.0.0.
3 In Subnet Mask, set the subnet mask of the destination LAN.
4 In Gateway, set the IP address of the next-hop gateway that forwards traffic to that LAN to 192.168.0.1.
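Before submitting a static route it is worth checking the three things that make one silently useless: a destination that is not a network address for the chosen mask, a gateway that is not on the adapter's own subnet (the appliance cannot ARP for it), and dynamic routing being enabled (which disables static routes, as described above). The following added example, not WatchGuard code, runs those checks on the route from the text and shows which route a packet to 129.6.0.20 would take; the interface addresses are constructed.

```python
"""Pre-submission checks for a static route on a dual-homed appliance.

Added example, not WatchGuard code. It validates the route from the text
(destination 129.6.0.0, gateway 192.168.0.1 via eth1) the way a practitioner
would before clicking Submit, and shows which route carries a given packet.
The interface addresses are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Interface:
    name: str
    address: str          # interface IP with prefix, e.g. "192.168.0.5/24"


@dataclass(frozen=True)
class StaticRoute:
    destination: str      # "Destination LAN IP Address"
    mask: str             # "Subnet Mask" (of the destination LAN)
    gateway: str          # next hop on the local segment
    interface: str        # adapter the next hop is reached through


def check_static_route(route: StaticRoute, interfaces: List[Interface],
                       dynamic_routing: bool = False) -> List[str]:
    """Return the problems found; an empty list means the route is usable."""
    if dynamic_routing:
        # Per the guide, selecting dynamic routing disables every static route.
        return ["dynamic routing is enabled on this appliance, so static routes are ignored"]
    problems = []
    try:
        net = ipaddress.ip_network(f"{route.destination}/{route.mask}", strict=True)
    except ValueError:
        problems.append("destination/mask is not a network address (host bits set?)")
        net = None
    try:
        gw = ipaddress.ip_address(route.gateway)
    except ValueError:
        return problems + [f"gateway {route.gateway!r} is not an IP address"]
    iface = next((i for i in interfaces if i.name == route.interface), None)
    if iface is None:
        return problems + [f"unknown interface {route.interface}"]
    local = ipaddress.ip_interface(iface.address).network
    if gw not in local:
        # The appliance can only ARP for a next hop on the adapter's own subnet.
        problems.append(f"gateway {gw} is not on the {iface.name} subnet {local}")
    if net is not None:
        if gw in net:
            problems.append("gateway lies inside the destination network (loop)")
        if net.subnet_of(local):
            problems.append("destination is directly connected; no route needed")
    return problems


def lookup_route(dest_ip: str, routes: List[StaticRoute]) -> Optional[StaticRoute]:
    """Longest-prefix match over the static routes, or None if nothing matches."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for r in routes:
        try:
            net = ipaddress.ip_network(f"{r.destination}/{r.mask}", strict=False)
        except ValueError:
            continue
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r)
    return None if best is None else best[1]
```

The same checks apply when the route is tested with the serial-console ping: if `check_static_route` reports a gateway off the eth1 subnet, the ping will fail before the packet ever leaves the appliance, so fix the route rather than the remote device.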
nect to port 9001 when you are logged on from an external connection, configure IP pools and connect to the lowest IP address in the IP pool.

Controlling Network Access

Configuring Network Access
After you configure the appliance to operate in your network environment, the next step is to configure network access for the appliance and for groups and users. The steps to configure network access are:
• Step 1: Configuring networks to which clients can connect.
Enabling Split Tunneling You can change the default operation so that user groups are denied network access unless they are allowed access to one or more network resource groups. • You configure ACLs for user groups by specifying which network resources are allowed or denied per user group. By default, all network resource groups are allowed and network access is controlled by the Deny Access without ACL option on the Global Cluster Policies tab.
When you enable split tunneling, you must enter a list of accessible networks on the Global Cluster Policies tab. The list must include every internal network and subnetwork that users may need to reach with the Secure Access Client. The Secure Access Client uses the list as a filter: only packets addressed to a listed network are sent over the tunnel to the Firebox SSL VPN Gateway; packets for any other destination leave the client computer over its local network connection, unencrypted, and never reach the Firebox SSL VPN Gateway. A subnet omitted from the list is therefore unreachable through the VPN even if an ACL allows it.
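The two mechanisms described above, the per-group ACL with the global Deny Access without ACL option and the client-side split-tunnel filter, are easy to misconfigure in opposite directions: one decides whether the gateway forwards a packet, the other decides whether the client ever sends it. The following added example, not WatchGuard code, models both so the effect of a setting can be checked before users hit it. The resource groups, ACLs, accessible-network list and addresses are constructed, and the precedence assumed by the model (an explicit deny beats an allow; a destination with no matching ACL entry falls back to the global default) is an assumption, not a statement about the appliance's internals.

```python
"""Model of the network-access decisions described above.

Added example, not WatchGuard code: it models (1) the per-group ACL with the
global "Deny Access without ACL" option and (2) the Secure Access Client's
split-tunnel filter driven by the accessible-networks list. Resource groups,
ACLs and addresses are constructed; the precedence "explicit deny beats allow,
no matching rule falls back to the global default" is an assumption.
"""
import ipaddress
from typing import Dict, List

# Constructed network resource groups: name -> list of CIDRs
RESOURCE_GROUPS: Dict[str, List[str]] = {
    "corp-web": ["10.1.0.0/16"],
    "finance-db": ["10.2.5.0/24"],
    "lab": ["10.3.0.0/24"],
}


def _contains(cidrs: List[str], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def is_allowed(group_acl: Dict[str, str], dest_ip: str,
               resource_groups: Dict[str, List[str]] = RESOURCE_GROUPS,
               deny_without_acl: bool = False) -> bool:
    """Decide whether a user group may reach dest_ip through the gateway.

    group_acl maps resource-group name -> "allow" | "deny" for this user group.
    """
    matching = [name for name, cidrs in resource_groups.items() if _contains(cidrs, dest_ip)]
    verdicts = {group_acl[name] for name in matching if name in group_acl}
    if "deny" in verdicts:
        return False
    if "allow" in verdicts:
        return True
    # No ACL entry covers this destination: the global default applies.
    return not deny_without_acl


def route_via_tunnel(dest_ip: str, accessible_networks: List[str],
                     split_tunneling: bool) -> bool:
    """Client-side filter: True if the packet is sent to the gateway.

    With split tunneling on, anything outside the accessible list goes out
    the local adapter unencrypted and never reaches the intranet.
    """
    if not split_tunneling:
        return True
    return _contains(accessible_networks, dest_ip)


def unreachable_resources(resource_groups: Dict[str, List[str]],
                          accessible_networks: List[str]) -> List[str]:
    """Resource networks not covered by the accessible-networks list.

    Anything listed here may be allowed by ACL yet is unreachable from the
    client while split tunneling is on.
    """
    acc = [ipaddress.ip_network(a, strict=False) for a in accessible_networks]
    gaps = []
    for name, cidrs in resource_groups.items():
        for c in cidrs:
            net = ipaddress.ip_network(c, strict=False)
            if not any(net.subnet_of(a) for a in acc):
                gaps.append(f"{name}:{c}")
    return gaps
```

Run `unreachable_resources` against the Global Cluster Policies list whenever a network resource group is added; an empty result means every resource a group can be allowed is also inside the split-tunnel filter.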
To deny access to user groups without an ACL
1 Click the Global Cluster Policies tab.
2 Under Access Options, select Deny Access without ACL.
3 Click Submit.

Improving Voice over IP Connections
Real-time applications, such as voice and video, are implemented over UDP. TCP is not appropriate for real-time traffic because of the delay introduced by acknowledgements and retransmission of lost packets.
Note: If the Improving Voice over IP Connections setting is not selected, the UDP traffic is encrypted using the symmetric encryption cipher that is specified in the Select encryption type for client connections setting on the Global Cluster Policies tab. The encryption ciphers are negotiated between the client computer and the Firebox SSL VPN Gateway in the order listed. The first accepted method is the one chosen for the session.
CHAPTER 5 Configuring Authentication and Authorization
The Firebox SSL VPN Gateway supports several authentication types, including LDAP, RADIUS, RSA SecurID, NTLM, and Secure Computing's SafeWord products.
Configuring Authentication and Authorization Communications between the Firebox SSL VPN Gateway and authentication servers. If a user is not located on an authentication server or fails authentication on that server, the Firebox SSL VPN Gateway checks the user against the local user list, if the check box Use the local user database on the Firebox SSL VPN Gateway is selected on the Authentication > Settings tab. Communication between the client, the Firebox SSL VPN Gateway, and the local user account.
Configuring Authentication without Authorization
The Firebox SSL VPN Gateway can be configured to authenticate users without requiring authorization. When users are not authorized, the Firebox SSL VPN Gateway does not perform a group authorization check; the settings from the Default user group are assigned to every authenticated user.
To remove authorization requirements from the Firebox SSL VPN Gateway
1 On the Authentication tab, select an authorization realm.
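The logon behaviour described in this section has one consequence worth testing before enabling the local user database: a user whose password the authentication server rejects is also checked against the local list, so a local account that duplicates a directory username accepts a logon the directory refused. The following added example, not WatchGuard code, models the realm, the local fallback and the "authentication without authorization" option, and lists local accounts that shadow server accounts. All users, passwords and the salt are constructed.

```python
"""Login flow with an authentication realm, local-user fallback and optional
authorization, modelling the behaviour described in this chapter.

Added example, not WatchGuard code. The realm's server is tried first; if the
user is missing there or the password is rejected, the local user list is
consulted only when the realm's "Use the local user database" box is
checked; when authorization is off, every user lands in the Default group.
Users, passwords and the salt are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SALT = b"example-salt"   # constructed; a real store uses a per-user random salt


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


UserDB = Dict[str, Tuple[bytes, List[str]]]   # username -> (password hash, groups)


@dataclass
class Realm:
    name: str
    server_users: UserDB            # stands in for LDAP/RADIUS/SafeWord
    authorize: bool = True          # False = authentication without authorization
    use_local_db: bool = False      # "Use the local user database" check box


def _check(db: UserDB, user: str, password: str) -> Optional[bool]:
    """None if the user is unknown, else whether the password matched."""
    rec = db.get(user)
    if rec is None:
        return None
    return hmac.compare_digest(rec[0], _hash(password))


def login(realm: Realm, local_users: UserDB, user: str, password: str):
    """Return (authenticated, source, groups) for one logon attempt."""
    if _check(realm.server_users, user, password):
        groups = realm.server_users[user][1] if realm.authorize else ["Default"]
        return True, realm.name, list(groups)
    # Unknown on the server, or the server rejected the password: fall back
    # to the local list if enabled. A server rejection still reaches this
    # branch, so a stale local account with an old password would accept a
    # logon the directory refused.
    if realm.use_local_db and _check(local_users, user, password):
        groups = local_users[user][1] if realm.authorize else ["Default"]
        return True, "local", list(groups)
    return False, None, []


def stale_local_accounts(realm: Realm, local_users: UserDB) -> List[str]:
    """Local usernames that also exist on the realm's server (audit these)."""
    return sorted(set(local_users) & set(realm.server_users))


# Constructed sample data
SERVER_USERS: UserDB = {"alice": (_hash("Correct-Horse"), ["staff"])}
LOCAL_USERS: UserDB = {
    "guest1": (_hash("Visitor!2006"), ["guests"]),
    "alice": (_hash("old-pass"), ["staff", "admins"]),   # stale duplicate
}
```

Keep the local list to the temporary accounts the section describes, remove any name that `stale_local_accounts` reports, and remember that with authorization turned off the Default group's resources are what every successfully authenticated user receives.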
Configuring Authentication and Authorization Configuring Local Users You can create user accounts locally on the Firebox SSL VPN Gateway to supplement the users on authentication servers. For example, you might want to create local user accounts for temporary users, such as consultants or visitors, without creating an entry for those users on the authentication server. In that case, you add the user to the Firebox SSL VPN Gateway local user list as described in this section.
To change a user's password
1 On the Access Policy Manager tab, right-click a user, and click Set Password.
2 Type the password twice and then click OK.
Using LDAP Authorization with Local Authentication
By default, the Firebox SSL VPN Gateway obtains an authenticated user's group(s) from the local group file stored on the Firebox SSL VPN Gateway.
Changing the Authentication Type of the Default Realm
3 On the Action menu, select Remove Default realm. A warning message appears. Click Yes.
4 Under Add an Authentication Realm, in Realm name, type Default.
Important: When creating a new Default realm, the word Default is case-sensitive and an uppercase D must be used.
5 Do one of the following:
• If configuring one authentication type, select One Source and click Add.
Removing Realms
If you are retiring an authentication server or removing a domain server, you can remove any realm except for the realm named Default. You can remove the Default realm only if you immediately create a new realm named Default. For more information, see "Configuring the Default Realm" on page 65.
To remove a realm
1 On the Authentication tab, open the realm you want to remove.
2 On the Action menu, click Remove realm name realm, where realm name is the name of that realm. The realm is removed.
Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication
Configure a SafeWord realm to authenticate users. The Firebox SSL VPN Gateway acts as a SafeWord agent, authenticating on behalf of users logged on using the Secure Access Client. If a user is not located on the SafeWord server or fails authentication, the Firebox SSL VPN Gateway checks the user against the local user list if Use the local user database on the Firebox SSL VPN Gateway is selected on the Settings tab.
Using RADIUS Servers for Authentication and Authorization
If you are already using SafeWord for Citrix or SafeWord RemoteAccess in your configuration to authenticate using the Web Interface, you need to do the following:
• Install and configure the SafeWord IAS Agent
• Configure the IAS RADIUS server to recognize the Firebox SSL VPN Gateway as a RADIUS client
• Configure the Firebox SSL VPN Gateway to send RADIUS authentication requests to the IAS RADIUS server
To install and configure the IAS Agent and th
• Type is the vendor-assigned attribute number.
• Attribute name is the attribute name as it is defined in IAS. The default name is CTXSUserGroups=.
• Separator is defined if multiple user groups are included in the RADIUS configuration. A separator can be a space, a period, a semicolon, or a colon.
To configure IAS so the Firebox SSL VPN Gateway can use RADIUS authorization, follow the steps below.
18 In the Add Attributes dialog box, select Vendor-Specific and click Add.
19 In the Vendor-Specific Attribute Information dialog box, choose Select from list and accept the default RADIUS=Standard. The Firebox SSL VPN Gateway needs the Vendor-Specific Attribute to match the users defined in the group on the server with those on the Firebox SSL VPN Gateway.
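What the gateway has to do with the Access-Accept that IAS returns is small but easy to get wrong: check the Response Authenticator against the shared secret before trusting anything in the packet, find the Vendor-Specific Attribute (RADIUS attribute type 26), and split the CTXSUserGroups= string on the configured separator. The following is an added example, not code from the guide or from the appliance; it constructs its own reply packet rather than capturing one. The vendor ID (0 for the IAS "RADIUS Standard" vendor) and the vendor-assigned attribute number (1) are assumptions, as is the attribute layout (RFC 2865, vendor-conformant sub-attribute); put in the values you actually configured in IAS.

```python
"""Verify a RADIUS Access-Accept and extract the CTXSUserGroups= group list from
its Vendor-Specific Attribute. Added example; stdlib only."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26

# Assumed values (not from the guide): vendor ID of the IAS "RADIUS Standard"
# vendor, and the vendor-assigned attribute number entered in IAS.
VENDOR_ID = 0
VENDOR_TYPE = 1


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 VSA: Type(26), Length, Vendor-Id, then Vendor-Type, Vendor-Length, data.
    Both length octets count themselves and the preceding type octet (hence the 2 +)."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was produced by a server holding the same shared secret
    and answers the request whose authenticator we remembered."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def iter_attributes(data: bytes):
    """Yield (type, value) pairs; refuse malformed lengths rather than looping or over-reading."""
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[i + 2:i + alen]
        i += alen


def parse_vsa(value: bytes):
    """Split a VSA value into (vendor_id, vendor_type, data), checking the inner length."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    if vlen < 2 or 4 + vlen != len(value):
        raise ValueError("bad vendor length")
    return vendor_id, vtype, value[6:4 + vlen]


def groups_from_response(packet: bytes, request_auth: bytes, secret: bytes,
                         attr_name: str = "CTXSUserGroups=", separator: str = ";") -> list:
    """Verify the reply first; then return the group names carried in the matching VSA."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if packet[0] != ACCESS_ACCEPT:
        return []
    groups = []
    for atype, value in iter_attributes(packet[20:]):
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        vendor_id, vtype, data = parse_vsa(value)
        if (vendor_id, vtype) != (VENDOR_ID, VENDOR_TYPE):
            continue
        text = data.decode("utf-8")
        if text.startswith(attr_name):
            groups += [g.strip() for g in text[len(attr_name):].split(separator) if g.strip()]
    return groups


def demo() -> list:
    """Constructed exchange: the request authenticator and secret are made up here."""
    request_auth = bytes(range(16))
    secret = b"example-shared-secret"
    vsa = encode_vsa(VENDOR_ID, VENDOR_TYPE, b"CTXSUserGroups=sales;support")
    packet = build_response(ACCESS_ACCEPT, 7, request_auth, vsa, secret)
    return groups_from_response(packet, request_auth, secret)


if __name__ == "__main__":
    print(demo())
```

The verification step is the part that matters for security: without it, anyone who can answer on UDP 1812 before the real server can hand the gateway an Access-Accept with any group list they like, which is exactly why the shared secret must be long and random.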
To specify RADIUS server authentication
1 Click the Authentication tab.
2 In Realm Name, type a name for the authentication realm that you will create, select One Source, and then click Add. If your site has multiple authentication realms, use a name that identifies the RADIUS realm for which you will specify settings. Realm names are case-sensitive and can contain spaces.
RADIUS authentication. If you synchronize configurations among several Firebox SSL VPN Gateway appliances in a cluster, all the appliances are configured with the same secret. Shared secrets are configured on the Firebox SSL VPN Gateway when a RADIUS realm is created. The secret is the only thing that lets the RADIUS server trust requests from the gateway and the gateway trust replies from the server, so choose a long random value and do not reuse it for unrelated RADIUS clients.
Using LDAP Servers for Authentication and Authorization
You can configure the Firebox SSL VPN Gateway to authenticate user access with an LDAP server.
The following table contains examples of the base DN:
Microsoft Active Directory Server: DC=citrix, DC=local
Novell eDirectory: dc=citrix,dc=net
IBM Directory Server:
Lotus Domino: OU=City, O=Citrix, C=US
Sun ONE directory (formerly iPlanet): ou=People,dc=citrix,dc=com
The following table contains examples of bind DN:
Microsoft Active Directory Server: CN=Administrator, CN=Users, DC=citrix, DC=local
Novell eDirectory: cn=admin, dc=citrix, dc=net
IBM Direct
8 Select Allow Unsecure Traffic to allow LDAP connections that are not encrypted. When this check box is clear, all LDAP connections are secure. Leave it clear unless the directory cannot accept secure connections: over an unencrypted connection the Administrator Bind DN and its password are sent to the LDAP server in clear text, along with every user lookup.
In Administrator Bind DN, type the Administrator Bind DN for queries to your LDAP directory. The following are examples of syntax for Bind DN:
"domain/user name"
"ou=administrator,dc=ace,dc=com"
"user@domain.name" (for Active Directory)
"cn=Administrator,cn=Users,dc=ace,dc=com"
For Active Directory, the group name specified as cn=groupname is required.
LDAP Authorization
Group memberships evaluated from group objects
LDAP servers that evaluate group memberships indirectly, from group objects, work with Firebox SSL VPN Gateway authorization. Some LDAP servers, such as Active Directory and eDirectory, store on the user object the groups to which the user belongs. On others, such as IBM Directory Server and Sun ONE Directory Server, a user's group membership can be computed as an attribute of the user object.
The LDAP Server port defaults to 389. If you are using an indexed database, such as Microsoft Active Directory with a Global Catalog, changing the LDAP Server port to 3268 significantly increases the speed of the LDAP queries. Port 3268 is the Global Catalog's unencrypted port; if Allow Unsecure Traffic is cleared, the Global Catalog's SSL port is 3269. If your directory is not indexed, use an administrative connection rather than an anonymous connection from the Firebox SSL VPN Gateway to the database. Download performance improves when you use an administrative connection.
For Active Directory, the group name specified as cn=groupname is required. The group name that is defined in the Firebox SSL VPN Gateway must be identical to the group name that is defined on the LDAP server. For other LDAP directories, the group name either is not required or, if required, is specified as ou=groupname. The Firebox SSL VPN Gateway binds to the LDAP server using the administrator credentials and then searches for the user.
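The bind-then-search sequence above means the logon name a user types ends up inside an LDAP search filter, and the group name configured on the gateway ends up inside another. The following added example (not the appliance's code) shows what correctly built queries look like: the user lookup, an Active Directory style group membership check keyed on cn=groupname, and the user DN, with RFC 4515 filter escaping and RFC 4514 DN escaping applied so that a crafted name such as `*)(objectClass=*` cannot widen the search. The attribute names (sAMAccountName, member) and the container cn=Users,dc=ace,dc=com are assumptions taken from the guide's own Bind DN example, not from the product.

```python
"""Build the LDAP user search and group membership filters with proper escaping.
Added example; attribute names and container DN are assumed."""

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# RFC 4514: these characters are backslash-escaped in a DN attribute value,
# as are a leading '#' or space and a trailing space.
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Make an arbitrary string safe to embed as an assertion value in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Make an arbitrary string safe to use as one attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(logon_name: str, name_attr: str = "sAMAccountName") -> str:
    """Filter the gateway would run under the base DN to locate the user object."""
    return f"(&(objectClass=user)({name_attr}={escape_filter_value(logon_name)}))"


def group_membership_filter(user_dn: str, group_name: str) -> str:
    """Active Directory style authorization check: the group's cn must equal the
    group name configured on the gateway, and the user's DN must be a member."""
    return (f"(&(objectClass=group)(cn={escape_filter_value(group_name)})"
            f"(member={escape_filter_value(user_dn)}))")


def user_dn(logon_name: str, container: str = "cn=Users,dc=ace,dc=com") -> str:
    """Construct a user DN below a known container (assumed container value)."""
    return f"cn={escape_dn_value(logon_name)},{container}"


if __name__ == "__main__":
    # A hostile logon name: without escaping it would turn the user lookup into
    # a match on every user object.
    print(user_search_filter("*)(objectClass=*"))
    print(group_membership_filter(user_dn("Doe, John"), "vpn-users"))
```

Escaping is what makes "the group name must be identical" meaningful: the comparison is done by the directory on an exact, literal value, not on a pattern the user can influence.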
Host: Host name or IP address of your LDAP server.
Port: Defaults to 389.
Base DN: You can leave this field blank. (The information provided by the LDAP Browser will help you determine the Base DN needed for the Authentication tab.)
Anonymous Bind: Select the check box if the LDAP server does not require credentials to connect to it. If the LDAP server requires credentials, leave the check box cleared, click Next, and enter the credentials.
4 Click Finish.
Using RSA SecurID for Authentication The Firebox SSL VPN Gateway supports RSA ACE/Server Version 5.2 and higher. The Firebox SSL VPN Gateway also supports replication servers. Replication server configuration is completed on the RSA ACE/Server and is part of the sdconf.rec file that is uploaded to the Firebox SSL VPN Gateway.
8 To create the configuration file for the new or changed Agent Host, go to Agent Host > Generate Configuration Files. The file that you generate (sdconf.rec) is what you will upload to the Firebox SSL VPN Gateway, as described in the next procedure.
Configuring RSA Settings for a Cluster
If you have two or more appliances configured as a cluster, the sdconf.rec file needs to contain the FQDNs of all the appliances. The sdconf.rec file is installed on one Firebox SSL VPN Gateway and then published. This allows all of the appliances to connect to the RSA server. You can also limit which appliances connect to the RSA server for user connections. For example, you have three appliances in your cluster.
Note: If you are configuring double-source authentication, click Two Source and then click Add. For more information about configuring double-source authentication, see "Configuring Double-Source Authentication" on page 85.
4 5 6 7 In IP address, type the IP address of the RADIUS IAS server. In Port, type the port number. In Server secret, type the node secret of the RADIUS IAS server.
Note: When 0 (zero) is entered as the port, the Firebox SSL VPN Gateway attempts to automatically detect a port number for this connection.
8 In Time-out (in seconds), enter the number of seconds within which the authentication attempt must complete. If the authentication does not complete within this time interval, it fails.
9 Click Submit.
Configuring NTLM Authorization
A Windows NT 4.0 domain controller maintains group accounts.
You can prevent the storage of one-time passwords in cache, which forces the user to enter their credentials again.
To prevent caching of one-time passwords
1 In the Administration Tool, click the Authentication tab.
2 Open the authentication realm that uses the one-time password.
3 Select Use the password one time and click Submit.
Configuring Double-Source Authentication
The Firebox SSL VPN Gateway supports double-source authentication.
and passcode first and then the LDAP password second. Note that the order of checking is the reverse of the order of the fields: what is typed in the first password field is checked last, and what is typed in the second password field is checked first.
Changing Password Labels
You can change the password labels to accurately reflect the authentication type with which the user is logging on and to provide the correct prompt for what the user needs to type.
CHAPTER 6 Adding and Configuring Local Users and User Groups User groups define the resources the user has access to when connecting to the corporate network through the Firebox SSL VPN Gateway. Groups are associated with the local users list. After adding local users, you can then define the resources they have access to on the Access Policy Manager tab.
5 All users are members of the Default resource group. To add a user to another group, under Local Users, click and drag the user to the user group to which you want the user to belong.
To delete a user from the Firebox SSL VPN Gateway
Right-click the user in the Local Users list and click Remove.
User Group Overview
When you enable authorization on the Firebox SSL VPN Gateway, user group information is obtained from the authentication server after a user is authenticated.
Group resources include:
• Network resources that define the networks to which clients can connect.
• Application policies that define the applications users can use when connected. In addition to selecting the application, you can further define which networks the application has access to and if any end point policies need to be met when connecting.
• File share resources that define which file shares the user can connect to when logged on in kiosk mode.
Configuring Properties for a User Group
Group properties include configuring access, networking, portal pages, and client certificates. Properties are configured by right-clicking a group and then clicking Properties. Settings for the group are configured on the General, Networking, Gateway Portal, Members, and Client Certificates tabs.
Note: If you want to close a connection and prevent a user or group from reconnecting automatically, you must select the Authenticate after network interruption setting. Otherwise, users immediately reconnect without being prompted for their credentials. For more information, see "Managing Client Connections" on page 133.
supported and do not run. If the domain controller cannot be contacted, the Firebox SSL VPN Gateway connection is completed but the logon scripts are not run.
Important: The client computer must be a domain member in order to run domain logon scripts.
To enable logon scripts
1 Click the Access Policy Manager tab.
2 In the left pane, right-click a group and click Properties.
3 On the General tab, under Session Options, select Run logon scripts.
4 Click OK.
Configuring Web Session Time-Outs
When a user is logged on to the Firebox SSL VPN Gateway and using a Web browser to connect to Web sites in the secure network, cookies are set to determine if a user's Web session is still active on the Firebox SSL VPN Gateway. If the Firebox SSL VPN Gateway cookie expires and logon page authentication is enabled, the end user is prompted to enter authentication credentials to resume the Web session.
2 On the General tab, under Application Options, select Deny applications without policies. For more information about application policies, see "Application policies" on page 101. For more information about endpoint policies, see "End point resources and policies" on page 104.
Enabling Split DNS
By default, the Firebox SSL VPN Gateway checks a user's remote DNS only. You can allow failover to a user's local DNS by enabling split DNS.
Choosing a portal page for a group
By default, all users log on to the Firebox SSL VPN Gateway using the Secure Access Client from the default portal page or by downloading and installing the Secure Access Client on their computer. You can load custom portal pages on the Firebox SSL VPN Gateway, as described in "Using Portal Pages" on page 38, and then select a portal page for each group.
Note: Client certificate configuration is not available for the default user group.
To specify client certificate configuration
1 On the Access Policy Manager tab, right-click a group that is not the default group.
2 On the Client Certificates tab, under Client Certificate Criteria Expression, type the certificate information.
3 Click OK.
Global policies
Users can be restricted from logging on to the Firebox SSL VPN Gateway using Global Policies.
Configuring Resources for a User Group
a network resource specifying the networks to which users can connect. If you have a restricted group for contractors, drag the resource to this group and then deny the default setting. For each user group, you can create an access control list (ACL) by specifying the resources that are to be allowed or denied for the group. Resource groups are defined as described in "Defining network resources" on page 99.
• Kiosk resources that define how the user can log on and which file shares and applications are accessible to the user when logged on. If the user is allowed to use the Firefox Web browser in kiosk mode, the Web address the user is allowed to use is also defined.
• End point resources and policies that define the required and optional parameters that must be on the user's computer when logging on.
To configure resource access control for a group
1 Click the Access Policy Manager tab.
2 In the right pane, configure the group resources.
3 When the resource is configured, click the resource and drag it to the group in the left pane.
4 To allow or deny a resource, in the left pane, right-click the network resource or application policy and then click Allow or Deny.
To remove a resource from a user group
1 Click the Access Policy Manager tab.
• You can further restrict access by specifying a port and protocol for an IP address/subnet pair. For example, you might specify that a resource can use only port 80 and the TCP protocol.
• When you configure resource group access for a user group, you can allow or deny access to any resource group. This enables you to exclude a portion of an otherwise allowed resource. For example, you might want to allow a user group access to 10.20.10.
• Deny rules take precedence over allow rules. This enables you to allow access to a range of resources and to also deny access to selected resources within that range. For example, you might want to allow a group access to a resource group that includes 10.20.10.0/24, but need to deny that user group access to 10.20.10.30. To handle this, you create two network resources: one that includes the 10.20.10.0/24 subnet and one that includes only 10.20.10.30, and allow the first for the group while denying the second.
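The three rules above (subnet plus optional port/protocol, allow or deny per resource, deny wins) are a small policy engine, and it is worth seeing the evaluation order written down, because "deny takes precedence" also has to cover the case where nothing matches at all. The following added example (this page's illustration, not the appliance's code) models network resources and a group ACL and decides a client flow; the 10.20.10.0/24 subnet, the 10.20.10.30 exception and the "port 80, TCP only" restriction are the guide's own values, while the resource names and the default-deny for unmatched traffic are assumptions about how a practitioner would want it to behave.

```python
"""Group ACL evaluation: network resources with optional port/protocol limits,
allow/deny per resource, deny precedence, default deny. Added example."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NetworkResource:
    name: str
    networks: Tuple[str, ...]                 # CIDR strings or single addresses
    protocol: Optional[str] = None            # "tcp", "udp", or None for any protocol
    ports: Optional[Tuple[int, int]] = None   # inclusive (low, high), or None for any port

    def matches(self, ip: str, protocol: str, port: int) -> bool:
        addr = ipaddress.ip_address(ip)
        if not any(addr in ipaddress.ip_network(n, strict=False) for n in self.networks):
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return True


@dataclass
class GroupAcl:
    """Ordered list of (resource, "allow" | "deny") as dragged onto a group."""
    rules: List[Tuple[NetworkResource, str]] = field(default_factory=list)

    def decide(self, ip: str, protocol: str, port: int) -> str:
        actions = {action for res, action in self.rules if res.matches(ip, protocol, port)}
        if "deny" in actions:      # a matching deny always wins
            return "deny"
        if "allow" in actions:
            return "allow"
        return "deny"              # nothing matched: refuse (assumed default)


def contractor_acl() -> GroupAcl:
    """The guide's scenario: allow 10.20.10.0/24, carve out 10.20.10.30,
    and allow a web-only resource restricted to TCP port 80."""
    lab_subnet = NetworkResource("lab subnet", ("10.20.10.0/24",))
    lab_exception = NetworkResource("lab exception", ("10.20.10.30",))
    web_only = NetworkResource("intranet web", ("10.20.20.0/24",), "tcp", (80, 80))
    return GroupAcl([(lab_subnet, "allow"), (lab_exception, "deny"), (web_only, "allow")])


if __name__ == "__main__":
    acl = contractor_acl()
    for flow in [("10.20.10.31", "tcp", 22), ("10.20.10.30", "tcp", 22),
                 ("10.20.20.9", "tcp", 80), ("10.20.20.9", "tcp", 443)]:
        print(flow, "->", acl.decide(*flow))
```

The point to check in your own configuration is the last branch: a host that is in no allowed resource at all should be unreachable, and a deny resource that is dragged onto a group by itself does nothing unless some allow covers the same address.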
To add an application policy to a group
1 On the Access Policy Manager tab, in the right pane, under Application Policies, click the resource you want to add and then drag it to the user group in the left pane.
2 To allow or deny access, right-click the application policy and then click Allow or Deny.
When an application policy is created and then added to a user group, the application can use only the specified network path and end point policy.
To create a file share resource
1 Click the Access Policy Manager tab.
2 In the right pane, right-click File Share Resources, click New File Share Resource, type a name, and click OK.
3 In Share Source, type the path to the share source using the form: //server/share.
4 In Mount Type, select the file sharing network protocol, either CIFS/SMB or NFS.
4 To add a file share, under File Share Resources, drag the resource to Shares under File Shares.
5 Select the applications users are allowed to use in kiosk mode.
6 Click Kiosk Persistence (Save Application Settings) to retain Firefox preferences between sessions. The preferences are saved on the remote server (hosting the session).
7 Click OK.
To add a kiosk resource to a group, click the resource and drag it to the group or groups to which the policy applies.
8 If you selected Process Rule, do the following:
- Click Process Rule.
- In Process Name, type the name of the process or click Browse to navigate to the file. The MD5 field is automatically completed when a process name is entered.
9 Click OK.
Note: For information about adding an end point policy to a user group, see "Configuring an end point policy for a group" on page 105.
To delete an end point resource
1 Click the Access Policy Manager tab.
2 In the right pane, right-click End Point Policies and then click New End Point Policy.
3 Type a name and click OK. When the policy is created, create the expression by dragging and dropping the end point resources into the Expression Root.
To build an end point policy expression
1 Click the Access Policy Manager tab.
2 In the right pane, right-click an end point policy and click Properties. The property page opens and the resources pane moves to the left.
Setting the Priority of Groups
The following two settings are unioned: each is combined across all of the groups of which the user is a member, and the combined set is the set of rules enforced for the user. For example, if a user is a member of the sales and support groups, and the sales group has notepad.exe and calc.
CHAPTER 7 Creating and Installing Secure Certificates The Firebox SSL VPN Gateway uses certificates for authentication. In the Firebox SSL VPN Gateway Administration Tool, you can create a certificate to be signed by a Certificate Authority. Then, when the signed certificate is received, it can be installed on the Firebox SSL VPN Gateway.
• Install a PEM certificate and private key from a Windows computer. This method uploads a signed certificate and private key together. The certificate is signed by a CA and it is paired with the private key.
Digital Certificates and Firebox SSL VPN Gateway Operation
The Firebox SSL VPN Gateway uses digital certificates to encrypt and authenticate traffic over a connection.
Overview of the Certificate Signing Request
private key from tampering and it is also required when restoring a saved configuration to the Firebox SSL VPN Gateway. Passwords are used whether the private key is encrypted or unencrypted.
Caution: When you upgrade to Version 6.0 and save the configuration file, it cannot be used on earlier versions of the Firebox SSL VPN Gateway. If you attempt to upload the Version 6.
Note: When you save the Firebox SSL VPN Gateway configuration, any certificates that are already installed are included in the backup.
To install a certificate file using the Administration Tool
1 Click the VPN Gateway Cluster tab.
2 On the Administration tab, next to Upload a signed Certificate (.crt), click Browse. This button is used only when you are installing a signed certificate generated on the Certificate Signing Request tab.
The root certificate that is installed on the Firebox SSL VPN Gateway has to be in PEM format. On Windows, the file extension .cer is sometimes used to indicate that the root certificate is in PEM format. If you are validating certificates on internal connections, the Firebox SSL VPN Gateway must have a root certificate installed.
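Because a .cer file exported from Windows can be either PEM (Base64 text between BEGIN/END lines) or DER (raw binary), it is worth checking the file before the upload instead of learning from a failed validation later. The following added example (not the appliance's code) tells the two apart, checks that the DER outer SEQUENCE length agrees with the file size so a truncated download is caught, and converts DER to PEM with 64-column Base64 lines. It uses only the standard library, so it checks the encoding, not the certificate's contents; the five-byte SAMPLE_DER value is a constructed DER SEQUENCE for the self-test, not a real certificate.

```python
"""Detect PEM vs DER for a root certificate file and convert DER to PEM.
Added example; stdlib only; checks framing, not X.509 contents."""
import base64
import re

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed for the self-test: SEQUENCE { INTEGER 5 }. Not a certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def der_length_ok(der: bytes) -> bool:
    """Parse the outer SEQUENCE length (short or long form) and compare it with the file size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: length in one octet
        body_len, header = first, 2
    else:                                  # long form: 0x8n then n length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        body_len, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + body_len == len(der)


def detect_format(data: bytes) -> str:
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if data[:1] == b"\x30":                # every X.509 certificate is a DER SEQUENCE
        return "der"
    return "unknown"


def pem_to_der(pem: bytes) -> bytes:
    """Extract and strictly decode the first CERTIFICATE block."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if not der_length_ok(der):
        raise ValueError("PEM body does not decode to a complete DER SEQUENCE")
    return der


def der_to_pem(der: bytes) -> bytes:
    if not der_length_ok(der):
        raise ValueError("not a complete DER SEQUENCE (truncated or not DER)")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def ensure_pem(data: bytes) -> bytes:
    """Return PEM bytes suitable for upload, whatever encoding the input file used."""
    fmt = detect_format(data)
    if fmt == "pem":
        pem_to_der(data)                   # validate the Base64 body before accepting it
        return data
    if fmt == "der":
        return der_to_pem(data)
    raise ValueError("file is neither PEM nor DER")


if __name__ == "__main__":
    print(ensure_pem(SAMPLE_DER).decode())
```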
Note: HyperTerminal is not installed automatically on Windows 2000 Server or Windows Server 2003. To install HyperTerminal, use Add/Remove Programs in Control Panel.
3 Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1 stop bit. Hardware flow control is optional.
4 Turn on the Firebox SSL VPN Gateway.
5 The serial console appears on the computer terminal after about three minutes.
6 If using HyperTerminal, press the Enter key.
Client Certificates
Installing Root Certificates
Support for most trusted root authorities is already built into the Windows operating system and Internet Explorer. Therefore, there is no need to obtain and install root certificates on the client device if you are using these CAs. However, if you decide to use a different CA, you need to obtain and install the root certificates yourself.
3 Click Submit.
Requiring Certificates from Internal Connections
To increase security for connections originating from the Firebox SSL VPN Gateway to your internal network, you can require the Firebox SSL VPN Gateway to validate SSL server certificates. Previous versions of the Firebox SSL VPN Gateway did not validate the SSL server certificate presented by the Web Interface and the Secure Ticket Authority.
CHAPTER 8 Working with Client Connections Clients can access resources on the corporate network by connecting through the Firebox SSL VPN Gateway from their own computer or from a public computer.
If clients are using Mozilla Firefox to connect, pages that require ActiveX, such as the pre-authentication page, are not able to run. If clients are going to connect using the kiosk, they must have Sun Java Runtime Environment (JRE) Version 1.5.0_06 installed on their computer.
Using the Access Portal
The Access Portal is an HTML page that enables a user to choose the type of connection to be established from a remote computer.
the computer is started, users do not have to do anything to create the connection, provided that they have a network connection and can log onto Windows. The connection enables users to work with the connected site just as if they were logged on at the site. Data can be transferred between the remote computer and the connected site. For more information, see "Connecting from a Private Computer" on page 119. If connecting from a public computer, click A public computer.
Connecting from a Private Computer
• The Firebox SSL VPN Gateway terminates the SSL tunnel, accepts any incoming traffic destined for the private network, and forwards the traffic to the private network. The Firebox SSL VPN Gateway sends traffic back to the remote computer over a secure tunnel.
When a remote user logs on using the Secure Access Client, the Firebox SSL VPN Gateway prompts the user for authentication over HTTP 401 Basic or Digest. This exchange takes place inside the SSL session, which is what protects a Basic credential from being read on the wire.
that remote users can access through the VPN connection. For more information, see "Configuring Resources for a User Group" on page 96. All IP packets, regardless of protocol, are intercepted and transmitted over the secure link. Connections from local applications on the client computer are securely tunneled to the Firebox SSL VPN Gateway, which reestablishes the connections to the target server.
sends its known local IP address to the server by means of a custom client-server protocol. For these applications, the Secure Access Client provides the local client application a private IP address representation, which the Firebox SSL VPN Gateway uses on the internal network. Many real-time voice applications and FTP use this feature.
An email template is provided that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. WatchGuard recommends that you customize the text for your site and then send the text in an email to users. When the Secure Access Client is loaded, users are prompted to log on to the Firebox SSL VPN Gateway to establish the connection.
The Secure Access Client dialog box with the pop-up menu showing Advanced Options
4 Under Proxy Settings, select Use Proxy Host and then in Proxy Address and Proxy Host, type the IP address and port. If the proxy server requires authentication, select Proxy server requires authentication. When users attempt to establish a connection, they are first prompted for their proxy server logon credentials.
To view the Connection Log
The Connection Log contains real-time connection information that is particularly useful for troubleshooting connection issues.
1 Right-click the Firebox SSL Secure Access Client icon in the notification area.
2 Choose Connection Log from the menu. The Connection Log for the session appears.
Note: The Connection Log is written to the computer in %SystemDrive%\Documents and Settings\username\Local Settings\Application Data\NET6\net6vpn.log.
Configuring Secure Access Client to Work with Non-Administrative Users
If a user is not logged on as an administrator on a computer running Windows 2000 Professional, the Secure Access Client must be installed locally on the client computer and then started using the Web address https://FQDN/WatchGuardsaclient.exe, where FQDN is the address of the Firebox SSL VPN Gateway. The ActiveX applet does not have the rights to download and install the file.
Connecting from a Public Computer
• Firefox Web browser. You configure by group whether or not to include the Firefox browser and the browser's default Web address. Firefox preferences, such as saved passwords, are retained for the next session.
• Shared network drives. Icons that provide access to shared network drives. The user can download files from a network share by dragging a file onto the KioskFTP icon, as described in "Configuring File Shares for Kiosk Mode" on page 141.
To create and configure a kiosk resource
1 Click the Access Policy Manager tab.
2 In the right pane, right-click Kiosk Resources and then click New Kiosk Resource.
3 Type a name for the resource and click OK.
4 To add a file share, under File shares, drag the resource to Shares.
5 Select the applications users are allowed to use in kiosk mode.
6 Select Save kiosk application settings to retain Firefox preferences between sessions.
2 Select a file share from File Share Resources and drag it to Shares under File shares in the kiosk resource.
3 Click OK.
To remove a file share
On the Access Policy Manager tab, in the right pane, right-click the file share and click Remove.
You can specify the shared network drives that are accessible for sessions. For each shared drive, you specify whether users have read-only or read/write access.
Client Applications
Firefox Web Browser
The Firefox Web browser allows users to connect to the Internet when they are logged on in kiosk mode. They can connect to Web sites as if they were sitting at their own computer.
To configure Firefox
1 Click the Access Policy Manager tab.
2 In the right pane, under Kiosk Resources, right-click a resource and click Properties.
3 Select Enable Firefox and in the text box, type the Web address for the browser.
To use the SSH client
1 From the portal page, choose A public computer and log on.
2 In the Web browser, click the SSH icon.
3 Enter the user name and SSH host name or IP address. The SSH window opens.
Telnet 3270 Emulator Client
The Telnet 3270 Emulator client enables the user to establish a Telnet 3270 connection to a remote computer.
To use the Telnet 3270 Emulator client
1 From the portal page, choose A public computer and log on.
To use Gaim
1 From the portal page, choose A public computer and log on.
2 In the Web browser, double-click the Gaim icon.
3 If messaging services were not added, an Accounts window opens.
4 Click Add.
5 In the Add Account dialog box, in Protocol, select the instant messaging service to add.
6 Complete the rest of the information and click Save.
7 Repeat, adding instant messaging services for each product.
An email template is provided that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. Customize the text for your site and then send the text in an email to users.
Note: To install the Secure Access Client from inside the firewall, go to the portal page and use the Click here to download the client installer link to download the client.
Managing Client Connections
Closing a connection to a resource
Without disrupting a user's VPN connection, you can temporarily close the user's connection to a particular resource. To prevent the user from connecting to the resource, correct the user's group ACL.
To close a connection
1 In the Firebox SSL VPN Gateway Administration Desktop, click the Real-time Monitor icon.
2 Click the arrow to expand the user's entry.
3 Right-click the connection that you want to close and select Close connection.
2 In the left pane, right-click a group and click Properties.
3 On the General tab, under Session options, select one or both of the following:
• Authenticate after network interruption. This option forces a user to log on again if the network connection is briefly interrupted.
• Authenticate upon system resume. This option forces a user to log on again if the user's computer awakens from standby or hibernation. This option provides additional security for unattended computers.
APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting
The following topics describe how to use Firebox SSL VPN Gateway logs and troubleshoot issues:
• Viewing and Downloading System Message Logs
• Enabling and Viewing SNMP Logs
• Viewing System Statistics
• Monitoring Firebox SSL VPN Gateway Operations
• Recovering from a Failure of the Firebox SSL VPN Gateway
• Troubleshooting
Viewing and Downloading System Message Logs
There are two types of logging for the Firebox SSL VPN Gateway.
3 Click Logging/Settings.
4 Under Gateway Log, click Display Logging Window. The log for today's date is displayed.
5 To display the log for a prior date, select the date in the Log Archive list and click View Log.
6 By default, the log displays all entries. The log can be filtered as described below:
• To filter the log by user or applications, under Log Filter, select Admins, Apps, or Users.
Enabling and Viewing SNMP Logs

Field       Description
sc-status   The Firebox SSL VPN Gateway-to-client request status code. For a description of status codes, refer to http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html.
cs-uri      The client-to-Firebox SSL VPN Gateway request URI.
sc-uri      The Firebox SSL VPN Gateway-to-client request URI.

To view or download the log, go to the Logging > Configuration tab and click Download W3C Log.
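The W3C log downloaded with Download W3C Log is a plain text file: directive lines starting with # (including a #Fields line naming the columns) followed by one whitespace-separated entry per request. The following is an added example, not code from the guide or from WatchGuard, that reads such a file using the sc-status, cs-uri and sc-uri fields described above and flags error responses per client address. The sample entries and the exact field order in the #Fields line are constructed for the example; check the #Fields line of a real download before relying on column positions.

```python
"""Parse a W3C extended-format log and summarize request status codes.

Added example, not from the WatchGuard guide. The sample lines and the
field order in the #Fields directive are constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed sample of a W3C extended log as the Download W3C Log button
# might produce (the field list is an assumption made for the example).
SAMPLE_LOG = """\
#Software: Firebox SSL VPN Gateway
#Version: 1.0
#Fields: date time c-ip cs-username sc-status cs-uri sc-uri
2006-03-01 09:12:01 198.51.100.7 alice 200 /portal/index.html /portal/index.html
2006-03-01 09:12:05 198.51.100.7 alice 200 /apps/mail /apps/mail
2006-03-01 09:13:44 203.0.113.9 - 401 /portal/index.html -
2006-03-01 09:13:51 203.0.113.9 - 401 /portal/index.html -
2006-03-01 09:14:02 203.0.113.9 - 401 /portal/index.html -
2006-03-01 09:20:17 198.51.100.7 alice 403 /apps/admin -
2006-03-01 09:21:00 198.51.100.21 bob 500 /apps/files /apps/files
"""


def parse_w3c_log(text):
    """Yield one dict per entry, keyed by the names given in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date and similar directives carry no entries
        if fields is None:
            raise ValueError("log entry appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def summarize(entries):
    """Count 4xx/5xx responses per client and keep the (status, requested URI) pairs."""
    per_client = Counter()
    failures = defaultdict(list)
    for e in entries:
        status = int(e["sc-status"])
        if status >= 400:
            per_client[e["c-ip"]] += 1
            failures[e["c-ip"]].append((status, e["cs-uri"]))
    return per_client, dict(failures)


def repeated_auth_failures(entries, threshold=3):
    """Return client IPs with at least `threshold` 401 responses, sorted."""
    count = Counter(e["c-ip"] for e in entries if e["sc-status"] == "401")
    return sorted(ip for ip, n in count.items() if n >= threshold)


if __name__ == "__main__":
    entries = list(parse_w3c_log(SAMPLE_LOG))
    per_client, failures = summarize(entries)
    for ip, n in per_client.most_common():
        print(ip, n, failures[ip])
    print("repeated 401s from:", repeated_auth_failures(entries))
```

Run it against a downloaded log by replacing SAMPLE_LOG with the file contents; the 401 threshold is a starting point for spotting repeated failed logons, not a tuned detection rule.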
Viewing System Statistics

To obtain SNMP data for the Firebox SSL VPN Gateway through Multi Router Traffic Grapher (in UNIX)
1 Configure the Firebox SSL VPN Gateway to respond to SNMP queries as discussed in “To enable logging of SNMP messages” on page 139.
2 Create Multi Router Traffic Grapher configuration files in /etc/mrtg. Each configuration file specifies the object identifiers that the grapher daemon is to monitor, specifies the target from which to obtain SNMP data, and defines the grapher output.
Recovering from a Failure of the Firebox SSL VPN Gateway

bottom right corner, you can view process and network activity levels; mouse over the two graphs to view numeric data.

To open the Firebox SSL VPN Gateway Administration Desktop
1 Open a Web browser and type the IP address or FQDN of the Firebox SSL VPN Gateway. The accepted formats are https://IPaddress or https://FQDN.
2 In the Firebox SSL VPN Gateway Administration Portal, click Downloads.
3
• apply the v 5.5 software update

Reinstalling v 4.9 application software
To reinstall v 4.9 on your appliance:
1 Find the Firebox® SSL v 4.9.2 Recovery CD that came with your original Firebox® SSL Core appliance.
2 Use the instructions in the v 4.9 Administration Guide starting on page 153 to reinstall your application software with the system CD.

Backing up your configuration settings
Before starting the v 5.
Troubleshooting

To upgrade to v 5.5
1 In the v5.0 Administration Tool, click the Firebox® SSL VPN Gateway Cluster tab.
2 On the Administration tab, next to Upload a server upgrade or saved config, click Browse.
3 Navigate to the upgrade file and click Open.
4 Wait for the message Upgrade successful to appear and then restart the device.
Note: If the upgrade file has the extension .zip, extract the files before you upgrade the Firebox® SSL VPN Gateway.

Launching the v 5.
By default, the Firebox SSL VPN Gateway passes only the user name and password to the Web Interface. To correct this, configure a default domain or a set of domains users can log on to. The Web Interface uses the first one in the list as the default domain.

Web Interface Credentials Are Invalid
When users log on to the Firebox SSL VPN Gateway, they are sent to the Web Interface but their applications are not displayed. The Message Center states that the users’ credentials are invalid.
Defining Accessible Networks
In the Accessible Networks field on the Global Cluster Policies tab, up to 24 subnets can be defined. If more than 24 subnets are entered, the Firebox SSL VPN Gateway ignores the additional subnets.

VMWare
If a user logs on to the Secure Access Client from two computers that are running VMWare and VMWare uses the same MAC address for the two computers, the Firebox SSL VPN Gateway does not allow both clients to run simultaneously.
Internal Failover
If internal failover is enabled and the administrator is connected to the Firebox SSL VPN Gateway, the Administration Tool cannot be reached over the connection. To fix this problem, enable IP pooling and then connect to the lowest IP address in the pool range on port 9001. For example, if the IP pool range starts at 10.10.3.50, connect to the Administration Tool using 10.10.3.50:9001. For information about configuring IP pools, see “Enabling IP Pooling” on page 94.
Devices Cannot Communicate with the Firebox SSL VPN Gateway
Verify that the following are correctly set up:
• The External Public Address specified on the General Networking tab in the Firebox SSL VPN Gateway Administration Tool is available outside of your firewall
• Any changes made in the Firebox SSL VPN Gateway serial console or Administration Tool were submitted

Using Ctrl-Alt-Delete to Restart the Firebox SSL VPN Gateway Fails
The restart function on the Firebox SSL VPN Gateway is di
Client Connections from a Windows Server 2003
If a connection to the Firebox SSL VPN Gateway is made from a Windows Server 2003 computer that is its own DNS server, local and public DNS resolution does not work. To fix this issue, configure the Windows Server 2003 network settings to point to a different DNS server.

NTLM Authentication
The Secure Access Client does not support NTLM authentication to proxy servers. Only Basic authentication is supported for proxy servers.
APPENDIX B Using Firewalls with Firebox SSL VPN Gateway

If a user cannot establish a connection to the Firebox SSL VPN Gateway or cannot access allowed resources, it is possible that the firewall software on the user’s computer is blocking traffic. The Firebox SSL VPN Gateway works with any personal firewall, provided that the application allows the user to specify a trusted network or IP address for the Firebox SSL VPN Gateway.
BlackICE PC Protection

To view Secure Access Client status properties
Double-click the Secure Access Client connection icon in the notification area. Alternatively, right-click the icon and choose Properties from the menu. The Secure Access Client dialog box appears. The properties of the connection provide information that is helpful for troubleshooting. The properties include:
• The General tab displays connection information.
Norton Personal Firewall

Trusted & Banned IPs   Add the IP address or range of allowed resources as trusted IP addresses.
System Services        In the System Services list, select each service that you plan to use over the VPN connection.

Norton Personal Firewall
If you are using the default Norton Personal Firewall settings, you can simply respond to the Program Control alerts the first time that you attempt to start the Secure Access Client or when you access a blocked location or application.
ZoneAlarm Pro

To configure the settings, open the Tiny Personal Firewall administration window, click the Advanced button to view the Firewall Configuration window, and then use the Filter Rule dialog box as indicated below.
APPENDIX C Installing Windows Certificates

The Firebox SSL VPN Gateway includes the Certificate Request Generator to automatically create a certificate request. After the file is returned from the Certificate Authority, it can be uploaded to the Firebox SSL VPN Gateway. When the file is uploaded, it is converted automatically to the correct format for use. If you do not want to use the Certificate Request Generator to create the signed certificate, use Linux OpenSSL to administer any certificate tasks.
Unencrypting the Private Key

12 Click Next to start the installation. After Cygwin installs, you can generate the CSR.

These instructions to generate a CSR assume that you are using the Cygwin UNIX environment installed as described in “To install Cygwin” on page 153.

To generate a CSR using the Cygwin UNIX environment
1 Double-click the Cygwin icon on the desktop. A command window opens with a UNIX bash environment.
Converting to a PEM-Formatted Certificate

For information about downloading OpenSSL for Windows, see the SourceForge Web site at http://sourceforge.net/project/showfiles.php?group_id=23617&release_id=48801.

Converting to a PEM-Formatted Certificate
The signed certificate file that you receive from the Certificate Authority might not be in a PEM format.
Generating Trusted Certificates for Multiple Levels

To combine the private key with the signed certificate
1 Use a text editor to combine the unencrypted private key with the signed certificate in the PEM file format. The file contents should look similar to the following:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
2 Save and name the PEM file; for example, AccessGateway.pem.
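The combining step above is easy to get wrong by hand: the key must already be unencrypted (see “Unencrypting the Private Key”), the certificate must already be PEM (see “Converting to a PEM-Formatted Certificate”), and the key block must come before the certificate block. The following is an added example, not code from the guide or from WatchGuard, that performs the combination with those checks using only the Python standard library. The PEM bodies it contains are constructed placeholders, not real key or certificate material, and the output file name follows the AccessGateway.pem example in the text.

```python
"""Combine an unencrypted PEM private key with its signed PEM certificate.

Added example, not from the WatchGuard guide. The PEM bodies below are
constructed dummy data, not real keys or certificates.
"""
import re

# One PEM block: BEGIN line, base64 body lines, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n"
    r"(?P<body>(?:[A-Za-z0-9+/=]+\r?\n)+)"
    r"-----END (?P=label)-----"
)

KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}
CERT_LABEL = "CERTIFICATE"


def pem_blocks(text):
    """Return a list of (label, block_text) for every well-formed PEM block in text."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def check_private_key(text):
    """Return the key block if text holds exactly one unencrypted PEM private key."""
    # A traditional encrypted key carries a "Proc-Type: 4,ENCRYPTED" header inside
    # the block; a PKCS#8 encrypted key uses the ENCRYPTED PRIVATE KEY label.
    if "ENCRYPTED" in text:
        raise ValueError("private key is still encrypted; unencrypt it first")
    keys = [blk for label, blk in pem_blocks(text) if label in KEY_LABELS]
    if len(keys) != 1:
        raise ValueError("expected one PEM private key, found %d" % len(keys))
    return keys[0]


def check_certificate(text):
    """Return the first CERTIFICATE block; DER or PKCS#7 input must be converted first."""
    certs = [blk for label, blk in pem_blocks(text) if label == CERT_LABEL]
    if not certs:
        raise ValueError("no PEM certificate found (convert to PEM format first)")
    return certs[0]


def combine_pem(key_text, cert_text):
    """Return the combined file contents: key block first, then the certificate block."""
    return check_private_key(key_text) + "\n" + check_certificate(cert_text) + "\n"


# Constructed placeholder material (dummy base64 bodies).
KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "QUJDREVGR0hJSktMTU5PUA==\n"
    "-----END RSA PRIVATE KEY-----\n"
)
ENCRYPTED_KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n"
    "QUJDREVGR0hJSktMTU5PUA==\n"
    "-----END RSA PRIVATE KEY-----\n"
)
CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "UVJTVFVWV1hZWg==\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    combined = combine_pem(KEY_PEM, CERT_PEM)
    with open("AccessGateway.pem", "w") as fh:  # file name from the guide's example
        fh.write(combined)
    print(combined)
```

In practice the two inputs are read from the key file produced in the CSR step and the certificate file returned by the Certificate Authority; the combined file contains the private key in clear, so protect it with restrictive file permissions until it is uploaded.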
[Figure: certificate chain showing Intermediate Certificate 0, Intermediate Certificate 1 and Intermediate Certificate 2]
APPENDIX D Examples of Configuring Network Access

After the Firebox SSL VPN Gateway is installed and configured to operate in your network environment, use the Administration Tool to configure user access to the servers, applications, and other resources on the internal network.
Scenario 1: Configuring LDAP Authentication and Authorization

Before reading the examples in this chapter, you should become familiar with the settings on three tabs of the Administration Tool. The settings on these tabs control user access to internal network resources:
• Global Cluster Policies
• Authentication
• Access Policy Manager
The three user access configuration examples discussed in this chapter are:
• “Scenario 1: Configuring LDAP Authentication and Authorization” on page 160.
• Determining the Sales and Engineering users who need remote access
• Collecting the LDAP directory information

Determining the internal networks that include the needed resources
Determining the internal networks that include the needed resources is the first of three procedures the administrator performs to prepare for the LDAP authentication and authorization configuration.
For example, if the Firebox SSL VPN Gateway operates with the Microsoft Active Directory, the Firebox SSL VPN Gateway checks the "memberOf" attribute in the Person entry to determine the groups to which a user belongs. In this example, we assume that the group membership attribute indicates that a user is a member of an LDAP directory group named "Remote Sales.
• LDAP Server port. The port on which the LDAP server listens for connections. The default port for LDAP connections is port 389.
• LDAP Administrator Bind DN and LDAP Administrator Password. If the LDAP directory requires applications to authenticate when accessing it, the administrator must know the name of the user account that the Firebox SSL VPN Gateway should use for this authentication and the password associated with this account.
This task includes these five procedures:
• Configuring accessible networks
• Creating an LDAP authentication realm
• Creating the appropriate groups on the Firebox SSL VPN Gateway
• Creating and assigning network resources to the user groups
• Creating an application policy for the email server
Each of these procedures is discussed in detail below.
Creating an LDAP Authentication and Authorization Realm
Creating an LDAP authentication and authorization realm is the second of five procedures the administrator performs to configure access to the internal network resources in this scenario. In this scenario, all of the Sales and Engineering users are listed in a corporate LDAP directory.
Creating the Appropriate Groups on the Firebox SSL VPN Gateway
Creating the appropriate groups on the Firebox SSL VPN Gateway is the third of five procedures the administrator performs to configure access to the internal network resources in the LDAP authentication and authorization scenario.
4 In Network/Subnet, type these two IP address/subnet pairs for the resources. Separate each of these IP address/subnet pairs with a space:
10.10.0.0/24 10.60.10.0/24
5 To simplify this example, the administrator accepts the default values for the other settings on the Network Resource window and clicks OK.
the 10.0.20.x resource and allow access to the 10.0.x.x resource. In these cases, configure the policy denying access to 10.0.20.x first and then configure the policy allowing access to the 10.0.x.x network second. Always configure the most restrictive policy first and the least restrictive policy last.
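The ordering rule above matters because the first policy whose network contains the client's destination decides the outcome. The following is an added example, not code from the guide or from WatchGuard, that models this first-match evaluation for the two networks in the text (10.0.20.x and 10.0.x.x) and shows that reversing the order silently defeats the deny. The first-match model, the default deny when nothing matches (consistent with the guide's "deny access without ACL" setting) and the policy names are assumptions made for the example.

```python
"""First-match evaluation of ordered network access policies.

Added example, not from the WatchGuard guide. The evaluation model and the
policy names are assumptions made for illustration.
"""
import ipaddress


class Policy:
    """One allow or deny rule for a network, matched by address containment."""

    def __init__(self, name, network, allow):
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.allow = allow

    def matches(self, addr):
        return ipaddress.ip_address(addr) in self.network


def evaluate(policies, addr):
    """Return (decision, policy_name) for the first policy whose network contains addr.

    With no matching policy the result is ("deny", None): the assumed default.
    """
    for p in policies:
        if p.matches(addr):
            return ("allow" if p.allow else "deny", p.name)
    return ("deny", None)


def order_most_restrictive_first(policies):
    """Place deny rules before allow rules, and narrower prefixes before wider ones."""
    return sorted(policies, key=lambda p: (p.allow, -p.network.prefixlen))


# Constructed policies for the scenario in the text.
DENY_SUBNET = Policy("deny 10.0.20.x", "10.0.20.0/24", allow=False)
ALLOW_NETWORK = Policy("allow 10.0.x.x", "10.0.0.0/16", allow=True)

CORRECT_ORDER = [DENY_SUBNET, ALLOW_NETWORK]   # most restrictive first
WRONG_ORDER = [ALLOW_NETWORK, DENY_SUBNET]     # the allow shadows the deny


def decisions(policies, addrs=("10.0.20.5", "10.0.31.8", "10.60.10.4")):
    """Map each address to its decision under the given policy order."""
    return {a: evaluate(policies, a)[0] for a in addrs}


if __name__ == "__main__":
    print("correct order:", decisions(CORRECT_ORDER))
    print("wrong order:  ", decisions(WRONG_ORDER))
    print("re-sorted:    ", decisions(order_most_restrictive_first(WRONG_ORDER)))
```

Running the block prints that 10.0.20.5 is denied under the correct order but allowed under the reversed one; order_most_restrictive_first is a convenience for checking a policy list before entering it, and an address outside every policy (for example 10.60.10.4 here) falls through to deny.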
Scenario 2: Creating Guest Accounts Using the Local Users List

5 In the left pane, click the "Email server" network resource you just created and drag it to Application Network Policies listed under Application Constraints in the right pane. Click OK.
6 In the left pane, expand both the "Remote Sales" user group and the "Remote Engineers" user group.
Scenario 2: Creating Guest Accounts Using the Local Users List
An administrator can also create a list of local users on the Firebox SSL VPN Gateway and configure the Firebox SSL VPN Gateway to provide authentication and authorization services for these users. This list of local users is maintained in a database on the Firebox SSL VPN Gateway and not in an external directory.
To create a guest authentication realm for the guest users
1 In the Firebox SSL VPN Gateway Administration Tool, click the Authentication tab.
2 In Realm Name, type Guest.
3 Select One Source and click Add.
4 At Select Authentication Type, select Local authentication only and then click OK.
5 From the Authorization tab, select No authorization.
6 Click Submit.
Scenario 3: Configuring Local Authorization for Local Users

Silvio and Lisa are authorized to access any resource defined in the ACL of the Default user group because No Authorization is specified as the authorization type of the Guest realm. In this example, Silvio and Lisa can access only the Web conference server on the internal network because that is the only network resource defined for the Default user group.
APPENDIX E Legal and Copyright Information

GNU GENERAL PUBLIC LICENSE FOR LINUX KERNEL AS PROVIDED WITH FIREBOX SSL
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble
The licenses for most software are designed to take away your freedom to share and change it.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software.
change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
12.
This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.
Index A access control list 56, 97 allow and deny rules 98 deny access 15, 58 deny access without ACL 57, 88 Access Policy Manager tab 15, 87 add network resource 101 Application Policies 16, 101 applications without policies 15 client certificate criteria 16, 95 create network resource 100 create user group 89 end point policy 16, 105 end point policy expression 106 end point resource 16, 104 end point resource, removing 105 file share resources 16, 103 force authentication 15, 90 global policies 16 group
Authentication tab LDAP 74 authorization 15 configuring 61 LDAP 65, 73 LDAP and RSA/ACE Server 81 local users 65 RADIUS 69, 72 B backing up 44 BlackICE PC Protection 150 C certificate 109 512-bit keypairs 147 backing up 44 certificate signing request 14, 110 client 15, 95, 114 combining with private key 155 converting to PEM format 155 creating signing request 111 generating for multiple levels 156 installing 14 installing Cygwin for 153 internal connection 15 multilevel and SSL version 2 147 private key,
removing 105 Ethereal Network Analyzer 141 unencrypted traffic 27 Ethereal Network Monitor 17 external access 15 F failover 48 appliances 14 DNS servers 50 gateways 55 internal 15, 55 failure recovery 141 FAQs 5 file share configuring 103 mount type 103 source path 103 file share resources 16, 128 finger query 141 Firebox Installation Services 7 Firefox 104 preventing Java access 144 firewall BlackICE PC Protection 150 McAfee Personal Firewall Plus 150 Norton Personal Firewall 151 Sygate Personal Firewall
persistence 104 Remote Desktop Client 130 shared network drives, using 128 SSH client 130 Telnet 3270 Emulator client 131 using FTP to copy files 129 VNC client 131 known issues 5 using 140 Multi Router Traffic Grapher 139 multiple log on options portal page 42 My traceroute tool 141 L name scanner 141 Name Service Providers 14, 50, 148 NetMeeting 147 network 147 access 56 accessible networks 57 activity level graph 140 address translation (NAT) 49 connections overview 47 deny access without access contr
ping 46 command 33, 145 from xNetTools 141 policies access control lists 56 IP pooling 94 network access 56 portal pages 38, 41 setting priority 106 port for connections 49 scanner 141 portal page client connections 118 client variables 39 configuring 16, 95 customizing 15, 38 disabling 95 double source authentication 43, 85 downloading templates 32, 39 enabling authentication 15, 41 installing 40 multiple log on options 42 pre-authentication policy 42 usage 88 user name variables 39 pre-authentication port
connection to 28 service scanner 141 session timeout 15, 88, 92 settings General Networking 47 shared network drives 128 shared secret 69, 82 shutting down 15, 45 single sign-on 15 single sign-on for client 91 SNMP 139 logs, enabling and viewing 139 MIB groups reported 139 settings 139 software reinstalling 141 shutting down 45 upgrades 44 software reinstallation 141 software upgrades and LiveSecurity Service 3 split DNS 15, 94 enabling 50, 88, 124 user override 94, 124 split tunneling 15, 58 SSH client 28,
failover servers 55 General Networking 14, 47 logging 14, 137 managing licenses 15, 36 Name Service Providers 14, 47 Network Time Protocol 15 restarting 15 restarting appliance 45 restoring configuration 15, 44 routes 14, 48, 52, 54 save configuration 15, 44 shut down 15, 45 SNMP 139 static route 53 statistics 15, 140 Syslog settings 138 system date and time 45 upgrading 15, 44 VPN Installation Services 7 W W3C-formatted log 138 WatchGuard Certified Training Partners 8 WatchGuard users forum 5, 6 WCTP 8 We