User guide
User and Group Management
192 Firebox X Edge e-Series
10. Select the Allow remote access with Mobile VPN with PPTP check box to allow the members of this group to establish PPTP connections with the Edge from remote locations.
11. Select the Allow remote access with Mobile VPN with SSL check box to allow the members of this group to establish SSL VPN connections with the Edge.
12. Click Submit.
Set a WebBlocker profile for an LDAP group
A WebBlocker profile is a unique set of restrictions you can apply to users on your network to control access
to external web sites. To apply a WebBlocker profile to a group, click the WebBlocker tab on the Firebox Users
New Group or Edit Group page and select a profile from the drop-down list. You must first create WebBlocker
profiles in the WebBlocker > Profiles area of the Firebox X Edge configuration pages. If no profile is assigned,
the users in this group have full access to all web sites. For more information on WebBlocker profiles, see the Create a WebBlocker profile topic.
LDAP authentication and Mobile VPN with IPSec
Mobile VPN with IPSec access for users that authenticate using LDAP is configured at the group level. A group
must be added to the Firebox X Edge that matches the name of the group assigned to user entries in the LDAP
directory. Click the MOVPN tab for the Firebox group and configure the Mobile VPN with IPSec settings.
On the Edge, there is a built-in default group. The settings of the default group apply to any LDAP user that
does not belong to any group configured on the Edge. You can change the properties of the default group,
but you cannot delete the default group.
About Single Sign-On (SSO)
When users log on to a computer using Active Directory authentication, they must enter a user ID and
password. If you use your Firebox to restrict outgoing network traffic to specified users or groups, users must
log on again to access network resources such as the Internet. You can use Single Sign-On (SSO) so that users
on the trusted or optional networks are automatically authenticated with the Firebox when they log on to
their computer. While SSO offers convenience to your end users, there are access control limitations you must
be aware of.
For SSO to work, you must install SSO agent software. The SSO agent software makes a NetWkstaUserEnum call
to the client computer and uses the information it gets to authenticate a user for Single Sign-On. It is possible
that the SSO agent can get more than one answer from the computer it queries. This can occur if more than
one user logs in to the same computer, or because of service or batch logons that occur on the computer. The
SSO agent uses only the first answer it gets from the computer, and reports that user to the Firebox as the user
that is logged on.
For example, if a service installed on a client computer (such as a centrally administered antivirus client) has been deployed so that it logs on with domain account credentials, the Firebox gives all users on that computer the access rights defined for that service account (and the groups of which that account is a member), and not the rights of the individual users who log on interactively. Also, all log messages generated from those users' activity show the user name of the service account, and not the individual user.
You can find more information about how the Single Sign-On feature works in the presentation What’s New in WSM/Fireware v10.0? available at https://www.watchguard.com/training/courses.asp. You must log in with your LiveSecurity account to see this presentation.
SSO is not recommended for environments where multiple users share a single computer or
IP address, where users log in using Mobile VPN, or on computers with service or batch logons.
When more than one user is associated with an IP address, network permissions may not operate
correctly. This can be a security risk.
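The first-answer behaviour and the service-account case described above, as an added example that is not WatchGuard's agent code: a small Python model of the agent's choice plus an audit check a defender can run over enumeration results before enabling SSO on a host. The record layout, account names and the service-account list are assumptions, and the sample answers are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class WkstaUser:
    """Constructed stand-in for one record (user name and logon domain) of the
    kind the agent receives from its NetWkstaUserEnum call to the client."""
    username: str
    logon_domain: str

    def account(self) -> str:
        return f"{self.logon_domain}\\{self.username}"


def agent_reported_user(answers: List[WkstaUser]) -> Optional[str]:
    """Models the behaviour described in the guide: the agent uses only the
    first answer it gets from the computer and reports that account."""
    return answers[0].account() if answers else None


def sso_risk_check(answers: List[WkstaUser],
                   service_accounts: List[str]) -> Tuple[Optional[str], List[str]]:
    """Pre-deployment audit of one host's enumeration result. Returns the
    account the agent would report plus a warning for each failure mode the
    guide names: several accounts behind one IP, and a service or batch logon
    being the first answer."""
    reported = agent_reported_user(answers)
    warnings: List[str] = []
    distinct = {a.account().lower() for a in answers}
    if len(distinct) > 1:
        warnings.append("more than one account enumerated: every user on this "
                        f"IP receives the rights of {reported}")
    known = {s.lower() for s in service_accounts}
    if reported is not None and reported.lower() in known:
        warnings.append(f"first answer is a service account ({reported}): "
                        "interactive users inherit its rights and log "
                        "messages show its name")
    return reported, warnings


# Constructed sample: an antivirus client logged on with a domain service
# account (hypothetical name), followed by the interactive user on the same PC.
SAMPLE_ANSWERS = [WkstaUser("svc-avclient", "CORP"), WkstaUser("jsmith", "CORP")]
KNOWN_SERVICE_ACCOUNTS = ["CORP\\svc-avclient"]

if __name__ == "__main__":
    user, issues = sso_risk_check(SAMPLE_ANSWERS, KNOWN_SERVICE_ACCOUNTS)
    print("agent would report:", user)
    for issue in issues:
        print("WARNING:", issue)
```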