Controlling Network Access; Configuring Network Access - Watchguard SSL 1000 User Manual

Controlling Network Access

nect to port 9001 when you are logged on from an external connection, configure IP pools and connect
to the lowest IP address in the IP pool.
Controlling Network Access

Configuring Network Access

After you configure the appliance to operate in your network environment, the next step is to configure
network access for the appliance and for groups and users.
The steps to configure network access are:
• Step 1: Configuring networks to which clients can connect. By default, clients cannot connect
to any networks. The first step in configuring network access is to specify the networks that
clients can connect to, using the Global Cluster Policies tab.
• Step 2: Configuring authentication and authorization. Authentication defines how users log
on and is configured using realms. Authentication types include local, NTLM, LDAP, RADIUS, RSA
SecurID, and SafeWord. Authorization types include local, LDAP, RADIUS, NTLM, or no
authorization. For more information about configuring authentication and authorization,
see"Configuring Authentication and Authorization" on page 61.
• Step 3: Configuring user groups. User groups are used in conjunction with authorization. For
example, if your users are connecting using LDAP, create an LDAP authentication realm, and then
create a group. The names of the user group must be the same as that on the LDAP server. In
addition, you can create local users on the Firebox SSL VPN Gateway for local authentication.
Local users are then added to user groups. For information about configuring local users, see
"Adding and Configuring Local Users and User Groups" on page 87.
• Step 4: Configuring network access for groups. After you configure your user groups, you then
configure network access for the groups. This includes the network resources users in the group
are allowed to access, application policies, kiosk connections, and end point policies.
For more information about configuring accessible networks, user groups, and network access for users,
see"Adding and Configuring Local Users and User Groups" on page 87.
By default, the Firebox SSL VPN Gateway is blocked from accessing any networks. You must specify the
networks that the Firebox SSL VPN Gateway can access, referred to as accessible networks. You then con-
trol user access to those networks as follows:
• You create network resource groups.
A network resource group includes one or more network locations. For example, a resource
group might provide access to a single application, a subset of applications, a range of IP
addresses, or an entire intranet. What you include in a network resource group depends largely
on the varying access requirements of your users. You might want to provide some user groups
with access to many resources and other user groups with access to smaller subsets of resources.
By allowing and denying a user group access to network resource groups, you create an access
control list (ACL) for that user group.
• You specify whether or not any user group without an ACL has full access to all of the accessible
networks defined for the Firebox SSL VPN Gateway.
By default, user groups without an ACL have access to all of the accessible networks defined for
the Firebox SSL VPN Gateway. This default operation provides simple configuration if most of
your user groups are to have full network access. By retaining this default operation, you need to
configure an ACL only for the user groups that should have more restricted access. The default
operation can also be useful for initial testing.
56 Firebox SSL VPN Gateway