Watchguard SSL 1000 User Manual

WatchGuard® Firebox® SSL VPN Gateway Administration Guide


Summary of Contents for Watchguard SSL 1000

  • Page 1 WatchGuard® Firebox® SSL VPN Gateway Administration Guide...
  • Page 2 Copyright, Trademark, and Patent Information Use of the product documented in this guide is subject to your prior acceptance of the WatchGuard End User License Agreement applicable to this product. You will be prompted to read and accept the End User License Agreement when you register your Firebox on the WatchGuard website.
  • Page 3: Table Of Contents

    Audience ... 1 Operating System Requirements Document Conventions LiveSecurity Service Solutions LiveSecurity Service Broadcasts Activating LiveSecurity Service LiveSecurity Service Self Help Tools WatchGuard Users Forum ... 5 Online Help ... 6 Product Documentation Technical Support LiveSecurity Service technical support LiveSecurity Gold Firebox Installation Service ...
  • Page 5 Using the Serial Console To open the serial console Using the Administration Tool To download and install the Administration Tool ... 34 Publishing Settings to Multiple Firebox SSL VPN Gateways To publish Firebox SSL VPN Gateway settings ... 35 Product Activation and Licensing Upgrading the tunnel and tunnel upgrade license ...
  • Page 7 To disable Firebox SSL VPN Gateway authentication SafeWord PremierAccess Authorization Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication To configure the IAS RADIUS realm Using RADIUS Servers for Authentication and Authorization ... 69 To configure Microsoft Internet Authentication Service for Windows 2000 Server To specify RADIUS server authentication To configure RADIUS authorization Choosing RADIUS Authentication Protocols...
  • Page 9 Using the Access Portal To connect using the default portal page Connecting from a Private Computer Tunneling Private Network Traffic over Secure Connections Operation through Firewalls and Proxies Terminating the Secure Tunnel and Returning Packets to the Client ActiveX Helper Using the Secure Access Client Window Configuring Proxy Servers for the Secure Access Client Configuring Secure Access Client to Work with Non-Administrative Users...
  • Page 10 Creating and Assigning a Network Resource to the Default User Group; Scenario 3: Configuring Local Authorization for Local Users; APPENDIX E Legal and Copyright Information...
  • Page 11: Chapter 1 Getting Started With Firebox Ssl Vpn Gateway

    CHAPTER 1 Getting Started with Firebox SSL VPN Gateway. This chapter describes who should read the Firebox SSL VPN Gateway Administration Guide, how it is organized, and its document conventions. Audience This user guide is intended for system administrators responsible for installing and configuring the Firebox SSL VPN Gateway.
  • Page 12: Document Conventions

    Threat responses, alerts, and expert advice After a new threat is identified, the WatchGuard Rapid Response Team sends you an e-mail to tell you about the problem. Each message gives full information about the type of security problem and the procedure you must use to make sure that your network is safe from attack.
  • Page 13: Livesecurity Service Broadcasts

    WatchGuard Firebox® and network security, or find a WatchGuard Certified Training Center in your area. LiveSecurity Service Broadcasts The WatchGuard® Rapid Response Team regularly sends messages and software information directly to your computer desktop by e-mail. We divide the messages into categories to help you to identify and make use of incoming information immediately.
  • Page 14: Activating Livesecurity Service

    Complete the LiveSecurity Activation page. Use the TAB key or the mouse to move through the fields on the page. You must complete all the fields to activate correctly. This information helps WatchGuard to send you the information and software updates that are applicable to your products.
  • Page 15: Watchguard Users Forum

    Product Documentation The WatchGuard web site has a copy of each product user guide, including user guides for software versions that are no longer supported. The user guides are in .pdf format. General Firebox X Edge and Firebox SOHO Resources This section of the web site shows basic information and links for Firebox X Edge and Firebox SOHO customers.
  • Page 16: Online Help

    LiveSecurity Service technical support All new Firebox products include the WatchGuard LiveSecurity Technical Support Service. You can speak with a member of the WatchGuard Technical Support team when you have a problem with the installation, management, or configuration of your Firebox.
  • Page 17: Livesecurity Gold

    VPN Installation Service WatchGuard Remote VPN Installation Service helps you through a full VPN installation. You can schedule a two-hour time with one of the WatchGuard Technical Support team. During this time, the technician helps: • Do an analysis of your VPN policy •...
  • Page 18 The training materials include links to books and web sites with more information about network security. WatchGuard product training is also available at a location near you through a large group of WatchGuard Certified Training Partners (WCTPs). Training partners give training using certified training materials and with WatchGuard hardware.
  • Page 19: Chapter 2 Introduction To Firebox Ssl Vpn Gateway

    CHAPTER 2 Introduction to Firebox SSL VPN Gateway. WatchGuard Firebox SSL VPN Gateway is a universal Secure Socket Layer (SSL) virtual private network (VPN) appliance that provides a secure single point-of-access to any information resource — both data and voice. Combining the best features of Internet Protocol Security (IPSec) and SSL VPN, without the costly and cumbersome implementation and management, Firebox SSL VPN Gateway works through any firewall and supports all applications and protocols.
  • Page 20 Overview As shown in the following illustration, the Firebox SSL VPN Gateway is appropriate for employees accessing the organization remotely and intranet access from restricted LANs such as wireless networks. Network topography showing the Firebox SSL VPN Gateway in the DMZ. The following illustration shows how the Firebox SSL VPN Gateway creates a secure virtual TCP circuit between the client computer running the Secure Access Client and the Firebox SSL VPN Gateway.
  • Page 21: New Features

    The virtual TCP circuit uses industry-standard Secure Socket Layer (SSL) and Transport Layer Security (TLS) encryption. All packets destined for the private network are transported over the virtual TCP circuit. The Firebox SSL VPN Gateway is essentially acting as a low-level packet filter with encryption. It drops traffic that is not authenticated or does not have permission for a particular network.
  • Page 22: Secure Access Client Connections

    New Features Secure Access Client connections The Secure Access Client included in this release can connect to earlier versions of the Firebox SSL VPN Gateway. Also, earlier versions of the Secure Access Client can connect to this release of the Firebox SSL VPN Gateway if enabled on the Global Cluster Policies tab.
  • Page 23: Ntlm Authentication And Authorization Support

    NTLM authentication and authorization support. If your environment includes Windows NT 4.0 domain controllers, the Firebox SSL VPN Gateway can authenticate users against the user domain accounts maintained on the Windows NT server. The Firebox SSL VPN Gateway can also authorize users to access internal network resources based on a user’s group memberships on the Windows NT 4.0 domain controller.
  • Page 24: Firebox Ssl Vpn Gateway Settings

    Features • Date and time configuration • Certificate generation and installation • Restarting and shutting down the Firebox SSL VPN Gateway • Saving and reinstalling configuration settings If the Firebox SSL VPN Gateway is upgraded to Version 5.5 from an earlier version, you must uninstall and then reinstall the latest Administration Tool.
  • Page 25 Feature: Server Upgrade; Server Restart; Server Shut Down; Server Statistics; Licensing; Date and Time; Enable External Administration; Saving and Restoring Server Configuration; Enable Split Tunneling; Accessible Networks; Deny Access without ACL; Require SSL Client Certificates; Validate SSL Certificates for Internal Connections; Improve Latency for Voice over IP Traffic; Internal Failover; Enable Portal Page Authentication...
  • Page 26: Feature Summary

    The User Experience. Feature: Use SSL/TLS; Local Group Users; Client Certificate Criteria Expression; Network Resource Groups; Application Policies; File Share Resources; Kiosk Resources and Policies; End Point Resource and Policies; Pre-Authentication Policies; Portal Page Configuration; Group Priority; Publish. Feature Summary The following are key Firebox SSL VPN Gateway features: •...
  • Page 27: Deployment And Administration

    Secure Access Client by typing a secure Web address in a standard Web browser and providing authentication credentials. Because the Firebox SSL VPN Gateway encrypts traffic using standard SSL/TLS, it can traverse firewalls and proxy servers, regardless of the client location. For a more detailed description of the user experience, see “Connecting from a Private Computer”...
  • Page 28: Planning Your Deployment

    Planning your deployment Administration Desktop also provides access to the Real-Time Monitor, where you can view a list of current users and close the connection for any user. Planning your deployment This chapter discusses deployment scenarios for the Firebox SSL VPN Gateway. You can deploy the Firebox SSL VPN Gateway at the perimeter of your organization’s internal network (or intranet) to provide a secure single point-of-access to the servers, applications, and other network resources residing in the internal network.
  • Page 29: Planning For Security With The Firebox Ssl Vpn Gateway

    SSL handshakes. Self-signed certificates are adequate for testing or sample deployments, but are not recommended for production environments. Before you deploy the Firebox SSL VPN Gateway in a production environment, WatchGuard recommends that you request and receive a signed SSL server certificate from a known Certificate Authority and upload it to the Firebox SSL VPN Gateway.
  • Page 30: Deploying Additional Appliances For Load Balancing And Failover

    It works with other networking products such as cache engines, firewalls, routers, and IEEE 802.11 wireless devices. WatchGuard recommends installing the Firebox SSL VPN Gateway in the corporate demilitarized zone (DMZ). When installed in the DMZ, the Firebox SSL VPN Gateway participates on two networks: a private network and a public network with a publicly routable IP address.
  • Page 31: Setting Up The Firebox Ssl Vpn Gateway Hardware

    • The Firebox SSL VPN Gateway FQDN for network address translation (NAT) • The IP address of the default gateway device • The port to be used for connections If connecting the Firebox SSL VPN Gateway to a server load balancer: •...
  • Page 32 • [8] Log Out logs off from the Firebox SSL VPN Gateway WatchGuard recommends using both network adapters on the appliance. After configuring the TCP/IP settings for Interface 0, use the Administration Tool to configure TCP/IP settings for Interface 1.
  • Page 33 Internet and client computers that are not inside the corporate network. The other network adapter communicates with the internal network. WatchGuard recommends that both network adapters be configured for maximum security. If only one network adapter is used, it has to be routable for internal resources using Network Address Translation (NAT).
  • Page 34: Redirecting Connections On Port 80 To A Secure Port

    Using the Firebox SSL VPN Gateway For information about the relationship between the Default Gateway and dynamic or static routing, see “Dynamic and Static Routing” on page 51. After you configure your network settings on the Firebox SSL VPN Gateway, you need to restart the appliance.
  • Page 35: Starting The Secure Access Client

    • After downloading the Secure Access Client, the user logs on. When the user successfully authenticates, the Firebox SSL VPN Gateway establishes a secure tunnel. • As the remote user attempts to access network resources across the VPN tunnel, the Secure Access Client encrypts all network traffic destined for the organization’s intranet and forwards the packets to the Firebox SSL VPN Gateway.
  • Page 36: Establishing The Secure Tunnel

    Using the Firebox SSL VPN Gateway Establishing the Secure Tunnel After the Secure Access Client is started, it establishes a secure tunnel over port 443 (or any configured port on the Firebox SSL VPN Gateway) and sends authentication information. When the tunnel is established, the Firebox SSL VPN Gateway sends configuration information to the Secure Access Client describing the networks to be secured and containing an IP address if you enabled IP pool visibility.
  • Page 37: Terminating The Secure Tunnel And Returning Packets To The Client

    NAT firewalls maintain a table that allows them to route secure packets from the Firebox SSL VPN Gateway back to the client computer. For circuit-oriented connections, the Firebox SSL VPN Gateway maintains a port-mapped, reverse NAT translation table. The reverse NAT translation table enables the Firebox SSL VPN Gateway to match connections and send packets back over the tunnel to the client with the correct port numbers so that the packets return to the correct application.
  • Page 38: Using Kiosk Mode

    Using the Firebox SSL VPN Gateway work, no attempt is made by either the client or the server applications to regenerate them, so real-time (UDP-like) performance is achieved over a secure TCP-based tunnel. For more information about improving latency with UDP connections and Voice over IP, see “Improving Voice over IP Connections”...
  • Page 39 public address. The external public address ensures that the redirected client returns to the Firebox SSL VPN Gateway it first encountered, providing session stickiness. The association between a particular request and the Firebox SSL VPN Gateway is broken only when the client makes a new connection.
  • Page 41: Chapter 3 Configuring Basic Settings

    CHAPTER 3 Configuring Basic Settings. This chapter describes Firebox SSL VPN Gateway basic administration, including connecting to the Firebox SSL VPN Gateway, using the Administration Desktop, and using the Administration Tool to configure the Firebox SSL VPN Gateway. All submitted configuration changes are applied automatically to the Firebox SSL VPN Gateway and do not cause a disruption for users connected to the Firebox SSL VPN Gateway.
  • Page 42: Firebox Ssl Vpn Gateway Administration Desktop

    The Firebox SSL VPN Gateway Administration Portal appears. Click Launch Firebox SSL VPN Gateway Administrative Desktop. In the WatchGuard Firebox SSL Remote Admin Terminal dialog box, type your user name and password. By default, if you configure the Firebox SSL VPN Gateway to use both network adapters, the Administration Portal can be accessed from either adapter.
  • Page 43: Admin Users Tab

    • Download a sample email for users Admin Users Tab The Firebox SSL VPN Gateway has a default administrative user account with full access to the Firebox SSL VPN Gateway. To protect the Firebox SSL VPN Gateway from unauthorized access, change the default password during your initial configuration.
  • Page 44: To Open The Serial Console

    After downloading the file, navigate to the location where it was saved and then double-click the file. To install the Administration Tool, follow the instructions in the wizard. To start the Administration Tool, click Start > Programs > WatchGuard > Firebox SSL VPN Gateway Administration Tool > Firebox SSL VPN Gateway Administration Tool. Note...
  • Page 45: Publishing Settings To Multiple Firebox Ssl Vpn Gateways

    For new product installations, you will need to activate your Firebox SSL VPN Gateway by submitting the included license key codes to your Live Security account. You access your LiveSecurity account by browsing to the WatchGuard website at http://www.watchguard.com, then clicking LiveSecurity® Service on the left.
  • Page 46: Upgrading The Livesecurity Renewal And Tunnel Renewal License

    Managing Licenses Firebox SSL VPN Gateway Administration Tool. To apply these license files, see “Managing Licenses” on page 36. For future tunnel capacity upgrades, you will follow these same steps to increase the capacity of your Firebox® SSL VPN Gateway. Upgrading the LiveSecurity Renewal and Tunnel Renewal license In your Live Security account, under Your Activated Products, you can activate and extend your Live Security support service by submitting the Live Security Renewal and Tunnel Renewal license keys.
  • Page 47: To Install A License File

    Do not overwrite any .lic files in the license directory. If another file in that directory has the same name, rename the newly received file. The Firebox SSL VPN Gateway software calculates your licensed features based on all .lic files that are uploaded to the Firebox SSL VPN Gateway. Do not edit a .lic file or the Firebox SSL VPN Gateway software ignores any features associated with that license file.
  • Page 48: Blocking External Access To The Administration Portal

    (FQDN) to connect to either the internal or external interface. The format should be either https://ipaddress or https://FQDN. Type the logon credentials. The WatchGuard Firebox SSL VPN Gateway portal page appears. Click My own computer and then click Connect.
  • Page 49: Downloading And Working With Portal Page Templates

    By default, users see a WatchGuard Firebox SSL VPN Gateway portal page when they open https://Firebox SSL VPN Gateway_IP_or_hostname. For samples of the default portal pages for Windows, Linux, and Java, see “Using the Access Portal” on page 118. Several portal page templates that can be customized are provided. One of the templates includes links to both the Firebox SSL Secure Access Client and kiosk mode.
  • Page 50: To Download The Portal Page Templates To Your Local Computer

    Make a copy of each template that you will use and name the template, using the extension .html. Open the file in Notepad or an HTML editing application. To replace the WatchGuard image, locate the following line in the template: <img src="citrix-logo.gif"/>...
  • Page 51: Enabling Portal Page Authentication

    To install a custom portal page or image on the Firebox SSL VPN Gateway Click the Portal Page Configuration tab. Click Add File. In File Identifier, type a name that is descriptive of the types of users who use the portal page. The file name can help you later when you need to associate the portal page with a group.
  • Page 52: Multiple Log On Options Using The Portal Page

    Linking to Clients from Your Web Site <object id="Net6Launch" type="application/x-oleobject" classid="CLSID:7E0FDFBB-87D4-43a1-9AD4-41F0EA8AFF7B" codebase="net6helper.cab#version=2,1,0,6"> </object> Add the links as follows to the Web page. Multiple Log On Options using the Portal Page Users can have the option to log on using Secure Access Client, the Web Interface, or kiosk mode from one Web page.
  • Page 53: Double-Source Authentication Portal Page

    tication policy check fails, the users receive an error message instructing them to contact their system administrator. For more information about pre-authentication policies, see “Global policies” on page 96. Double-source Authentication Portal Page When the Firebox SSL VPN Gateway is configured to require users to log on using two types of authentication, such as LDAP and RSA SecurID, they are directed automatically to the Web page or Secure Access Client dialog box and users enter their user name and passwords.
  • Page 54: Saving And Restoring The Configuration

    Saving and Restoring the Configuration Saving and Restoring the Configuration When you upgrade the Firebox SSL VPN Gateway, all of your configuration settings, including uploaded certificates, licenses, and portal pages, are restored automatically. However, if you reinstall the Firebox SSL VPN Gateway software, you must manually restore your configuration settings. Before using the Recovery CD to reinstall the Firebox SSL VPN Gateway software, save your configuration.
  • Page 55: Restarting The Firebox Ssl Vpn Gateway

    In Upload a Server Upgrade or Saved Config, click Browse. Locate the upgrade file that you want to upload and click Open. The file is uploaded and the Firebox SSL VPN Gateway restarts automatically. When you upgrade the Firebox SSL VPN Gateway, all of your configuration settings are saved. For information about saving and restoring a configuration, see “Saving and Restoring the Configuration”...
  • Page 56: To Change The System Date And Time

    Allowing ICMP traffic To change the system date and time In the Administration Tool, click the VPN Gateway Cluster tab, select the appliance, and then click the Date tab. In Time Zone, select a time zone. In Date, type the date and time. Click Submit.
  • Page 57: Chapter 4 Configuring Firebox Ssl Vpn Gateway Network Connections

    CHAPTER 4 Configuring Firebox SSL VPN Gateway Network Connections. The Firebox SSL VPN Gateway has two network adapters that can be configured to work on your network. The VPN Gateway Cluster > General Networking tabs in the Administration Tool are used to configure most network settings.
  • Page 58: General Networking

    General Networking • The Routes tab is where dynamic and static routes are configured • The Failover Servers tab is where multiple Firebox SSL VPN Gateways are configured General Networking The Firebox SSL VPN Gateway has two network adapters installed. If two network adapters are used, then one network adapter communicates with the Internet and computers that are not inside the corporate network.
  • Page 59 For more information, see “Connecting to a Server Load Balancer” on page 28. External Public FQDN The Firebox SSL VPN Gateway uses the external IP address or FQDN to send its response to a request back to the correct network connection. If the external IP address is not specified, the Firebox SSL VPN Gateway sends responses out through the interface where the gateway is identified.
  • Page 60: Name Service Providers

    Name Service Providers IP pooling is configured per group, as described in “Enabling IP Pooling” on page 94. Name Service Providers Name resolution is configured on the Name Service Providers tab. You can specify the following: DNS Server 1, DNS Server 2, DNS Server 3 These are the IP addresses of the first, second, and third DNS servers.
  • Page 61: Dynamic And Static Routing

    Under Edit the HOSTS file, in IP address, enter the IP address that you want to associate with an FQDN. In FQDN, enter the FQDN you want to associate with the IP address you entered in the previous step. Click Add. The IP address and HOSTS name pair appears in the Host Table. To remove an entry from the HOSTS file Under Host Table, click the IP address and HOSTS name pair you want to delete.
  • Page 62: Configuring Dynamic Routing

    Dynamic and Static Routing Configuring Dynamic Routing When dynamic routing is selected, the Firebox SSL VPN Gateway operates as follows: • It listens for route information published through RIP and automatically populates its routing table. • If the Dynamic Gateway option is enabled, the Firebox SSL VPN Gateway uses the Default Gateway provided by dynamic routing, rather than the value specified on the General Networking tab.
  • Page 63: Changing From Dynamic Routing To Static Routing

    In the text box, type a text string that is an exact, case-sensitive match to the authentication string transmitted by the RIP server. Select the Enable RIP MD5 Authentication for Interface check box if the RIP server transmits the authentication string encrypted with MD5. Do not select this option if the RIP server transmits the authentication string using plain text.
  • Page 64: Static Route Example

    Dynamic and Static Routing On the General Networking tab, click Submit. The route name appears in the Static Routes list. To test a static route From the Firebox SSL VPN Gateway serial console, type 1 (ping). Enter the host IP address for the device you want to ping and press Enter. If you are successfully communicating with the other device, messages appear saying that the same number of packets were transmitted and received, and zero packets were lost.
  • Page 65: Configuring Firebox Ssl Vpn Gateway Failover

    To set up the static route, you need to establish the path between the eth1 adapter and IP address 129.6.0.20. To set up the example static route Click the VPN Gateway Cluster tab and then click the Routes tab. In Destination LAN IP Address, set the IP address of the destination LAN to 129.6.0.0. In Subnet Mask, set the subnet mask for the gateway device.
  • Page 66: Controlling Network Access

    Controlling Network Access nect to port 9001 when you are logged on from an external connection, configure IP pools and connect to the lowest IP address in the IP pool. Controlling Network Access Configuring Network Access After you configure the appliance to operate in your network environment, the next step is to configure network access for the appliance and for groups and users.
  • Page 67: Specifying Accessible Networks

    You can change the default operation so that user groups are denied network access unless they are allowed access to one or more network resource groups. • You configure ACLs for user groups by specifying which network resources are allowed or denied per user group.
  • Page 68: To Enable Split Tunneling

    Denying Access to Groups without an ACL When you enable split tunneling, you must enter a list of accessible networks on the Global Cluster Policies tab. The list of accessible networks must include all internal networks and subnetworks that the user may need to access with the Secure Access Client.
  • Page 69: To Deny Access To User Groups Without An Acl

    To deny access to user groups without an ACL Click the Global Cluster Policies tab. Under Access Options, select Deny Access without ACL. Click Submit. Improving Voice over IP Connections Real-time applications, such as voice and video, are implemented over UDP. TCP is not appropriate for real-time traffic due to the delay introduced by acknowledgements and retransmission of lost packets.
  • Page 70: To Improve Latency For Udp Traffic

    Improving Voice over IP Connections If the Improving Voice over IP Connections setting is not selected, the UDP traffic is encrypted using the symmetric encryption cipher that is specified in the Select encryption type for client connections setting on the Global Cluster Policies tab. The encryption ciphers are negotiated between the client computer and the Firebox SSL VPN Gateway in the order listed.
  • Page 71: Chapter 5 Configuring Authentication And Authorization

    CHAPTER 5 Configuring Authentication and Authorization. The Firebox SSL VPN Gateway supports several authentication types including LDAP, RADIUS, RSA SecurID, NTLM, and Secure Computing’s SafeWord products. The following topics describe how to configure Firebox SSL VPN Gateway authentication: • Choosing When to Configure Authentication on the Firebox SSL VPN Gateway •...
  • Page 72 Configuring Authentication and Authorization Communications between the Firebox SSL VPN Gateway and authentication servers. If a user is not located on an authentication server or fails authentication on that server, the Firebox SSL VPN Gateway checks the user against the local user list if Use the local user database on the Firebox SSL VPN Gateway is selected on the Authentication >...
  • Page 73: Configuring Authentication Without Authorization

    Configuring Authentication without Authorization The Firebox SSL VPN Gateway can be configured to authenticate users without requiring authorization. When users are not authorized, the Firebox SSL VPN Gateway does not perform a group authorization check. The settings from the Default user group are assigned to the user. To remove authorization requirements from the Firebox SSL VPN Gateway On the Authentication tab, select an authorization realm.
  • Page 74: Configuring Local Users

    Configuring Authentication and Authorization Configuring Local Users You can create user accounts locally on the Firebox SSL VPN Gateway to supplement the users on authentication servers. For example, you might want to create local user accounts for temporary users, such as consultants or visitors, without creating an entry for those users on the authentication server.
  • Page 75: Using Ldap Authorization With Local Authentication

    To change a user’s password On the Access Policy Manager tab, right-click a user, and click Set Password. Type the password twice and then click OK. Using LDAP Authorization with Local Authentication By default, the Firebox SSL VPN Gateway obtains an authenticated user’s group(s) from the local group file stored on the Firebox SSL VPN Gateway.
  • Page 76: Creating Additional Realms

    Note: Watchguard recommends that realm names map to their corresponding domain names. This enables users to log on using either realm name\user name or user name@realm name.
  • Page 77: Removing Realms

    RemoteAccess, SafeWord for WatchGuard, and SafeWord PremierAccess 4.0. • Install the SafeWord Web Interface Agent to work with the WatchGuard Web Interface. Authentication does not have to be configured on the Firebox SSL VPN Gateway and can be handled by the WatchGuard Web Interface.
  • Page 78: To Disable Firebox Ssl Vpn Gateway Authentication

    Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication Configure a SafeWord realm to authenticate users. The Firebox SSL VPN Gateway acts as a SafeWord agent authenticating on behalf of users logged on using Secure Access Client. If a user is not located on the SafeWord server or fails authentication, the Access Gateway checks the user against the local user list if Use the local user database on the Access Gateway is selected on the Settings tab.
  • Page 79: To Configure The Ias Radius Realm

    If you are already using SafeWord for Citrix or SafeWord RemoteAccess in your configuration to authenticate using the Web Interface, you need to do the following: • Install and configure the SafeWord IAS Agent • Configure the IAS RADIUS server to recognize the Firebox SSL VPN Gateway as a RADIUS client •...
  • Page 80: To Configure Microsoft Internet Authentication Service For Windows 2000 Server

    Using RADIUS Servers for Authentication and Authorization • Type is the vendor-assigned attribute number. • Attribute name is the type of attribute name that is defined in IAS. The default name is CTXSUserGroups=. • Separator is defined if multiple user groups are included in the RADIUS configuration. A separator can be a space, a period, a semicolon, or a colon.
  • Page 81 18 In the Add Attributes dialog box, select Vendor-Specific and click Add. 19 In the Vendor-Specific Attribute Information dialog box, choose Select from list and accept the default RADIUS=Standard. The Firebox SSL VPN Gateway needs the Vendor-Specific Attribute to match the users defined in the group on the server with those on the Firebox SSL VPN Gateway.
  • Page 82: To Specify Radius Server Authentication

    Using RADIUS Servers for Authentication and Authorization To specify RADIUS server authentication Click the Authentication tab. In Realm Name, type a name for the authentication realm that you will create, select One Source, and then click Add. If your site has multiple authentication realms, use a name that identifies the RADIUS realm for which you will specify settings.
  • Page 83: Using Ldap Servers For Authentication And Authorization

    RADIUS authentication. If you synchronize configurations among several Firebox SSL VPN Gateway appliances in a cluster, all the appliances are configured with the same secret. Shared secrets are configured on the Firebox SSL VPN Gateway when a RADIUS realm is created. Using LDAP Servers for Authentication and Authorization You can configure the Firebox SSL VPN Gateway to authenticate user access with an LDAP server.
  • Page 84: To Configure Ldap Authentication

    Using LDAP Servers for Authentication and Authorization This table contains examples of the base dn Microsoft Active Directory Server Novell eDirectory IBM Directory Server Lotus Domino Sun ONE directory (formerly iPlanet) The following table contains examples of bind dn: Microsoft Active Directory Server Novell eDirectory IBM Directory Server Lotus Domino...
  • Page 85: Ldap Authorization

    Select Allow Unsecure Traffic to allow unsecure LDAP connections. When this check box is clear, all LDAP connections are secure. In Administrator Bind DN, type the Administrator Bind DN for queries to your LDAP directory. The following are examples of syntax for Bind DN: “domain/user name”...
  • Page 86: Group Memberships From Group Objects Working Evaluations

    LDAP Authorization Group memberships from group objects working evaluations LDAP servers that evaluate group memberships from group objects indirectly work with Firebox SSL VPN Gateway authorization. Some LDAP servers enable user objects to contain information about groups to which they belong, such as Active Directory or eDirectory.
  • Page 87: To Configure Ldap Authorization

    The LDAP Server port defaults to 389. If you are using an indexed database, such as Microsoft Active Directory with a Global Catalog, changing the LDAP Server port to 3268 significantly increases the speed of the LDAP queries. If your directory is not indexed, use an administrative connection rather than an anonymous connection from the Firebox SSL VPN Gateway to the database.
  • Page 88: Using Certificates For Secure Ldap Connections

    LDAP Authorization For Active Directory, the group name specified as cn=groupname is required. The group name that is defined in the Firebox SSL VPN Gateway must be identical to the group name that is defined on the LDAP server. For other LDAP directories, the group name either is not required or, if required, is specified as ou=groupname.
  • Page 89: Using Rsa Securid For Authentication

    Host Host name or IP address of your LDAP server. Port Defaults to 389. Base DN You can leave this field blank. (The information provided by the LDAP Browser will help you determine the Base DN needed for the Authentication tab.) Anonymous Bind Select the check box if the LDAP server does not require credentials to connect to it.
  • Page 90: To Generate A Sdconf.rec File For The Firebox Ssl Vpn Gateway

    Using RSA SecurID for Authentication The Firebox SSL VPN Gateway supports RSA ACE/Server Version 5.2 and higher. The Firebox SSL VPN Gateway also supports replication servers. Replication server configuration is completed on the RSA ACE/Server and is part of the sdconf.rec file that is uploaded to the Firebox SSL VPN Gateway. If this is configured on the RSA ACE/Server, the Firebox SSL VPN Gateway attempts to connect to the replication servers if there is a failure or network connection loss with the primary server.
  • Page 91: Enable Rsa Securid Authentication For The Firebox Ssl Vpn Gateway

    To create the configuration file for the new or changed Agent Host, go to Agent Host > Generate Configuration Files. The file that you generate (sdconf.rec) is what you will upload to the Firebox SSL VPN Gateway, as described in the next procedure.
  • Page 92: Configuring Rsa Settings For A Cluster

    Using RSA SecurID for Authentication Configuring RSA Settings for a Cluster If you have two or more appliances configured as a cluster, the sdconf.rec file needs to contain the FQDNs of all the appliances. The sdconf.rec file is installed on one Access Gateway and then published. This allows all of the appliances to connect to the RSA server.
  • Page 93: Configuring Ntlm Authentication And Authorization

    Note: If you are configuring double-source authentication, click Two Source and then click Add. For more information about configuring double-source authentication, see “Configuring Double-Source Authentication” on page 85. In IP address type the IP address of the RADIUS IAS server. In Port, type the port number.
  • Page 94: Configuring Ntlm Authorization

    Using RSA SecurID for Authentication Note: When 0 (zero) is entered as the port, the Access Gateway attempts to automatically detect a port number for this connection. In Time-out (in seconds), enter the number of seconds within which the authentication attempt must complete.
  • Page 95: Configuring Double-Source Authentication

    You can prevent the storage of one-time passwords in cache, which forces the user to enter their credentials again. To prevent caching of one-time passwords In the Administration Tool, click the Authentication tab. Open the authentication realm that uses the one-time password. Select Use the password one time and click Submit.
  • Page 96: Changing Password Labels

    Configuring Double-Source Authentication and passcode first and then the LDAP password second. Whatever is typed in the first password field is done last and the second password field is done first. Changing Password Labels You can change the password labels to accurately reflect the authentication type with which the user is logging on and to provide the correct prompt for what the user needs to type.
  • Page 97: Chapter 6 Adding And Configuring Local Users And User Groups

    Adding and Configuring Local Users CHAPTER 6 and User Groups User groups define the resources the user has access to when connecting to the corporate network through the Firebox SSL VPN Gateway. Groups are associated with the local users list. After adding local users, you can then define the resources they have access to on the Access Policy Manager tab.
  • Page 98: To Delete A User From The Firebox Ssl Vpn Gateway

    User Group Overview All users are members of the Default resource group. To add a user to another group, under Local Users, click and drag the user to the user group to which you want the user to belong. To delete a user from the Firebox SSL VPN Gateway Right-click the user in the Local Users list and click Remove.
  • Page 99: Creating User Groups

    Group resources include: • Network resources that define the networks to which clients can connect. • Application policies that define the applications users can use when connected. In addition to selecting the application, you can further define which networks the application has access to and if any end point policies need to be met when connecting.
  • Page 100: Configuring Properties For A User Group

    Configuring Properties for a User Group Configuring Properties for a User Group Group properties include configuring access, networking, portal pages, and client certificates. Properties are configured by right-clicking a group and then clicking Properties. Settings for the group are configured on the General, Networking, Gateway Portal, Members, and Client Certificates tabs.
  • Page 101: Configuring Secure Access Client For Single Sign-On

    If you want to close a connection and prevent a user or group from reconnecting automatically, you must select the Authenticate after network interruption setting. Otherwise, users immediately reconnect without being prompted for their credentials. For more information, see “Managing Client Connections”...
  • Page 102: Enabling Session Time-Out

    Configuring Properties for a User Group supported and do not run. If the domain controller cannot be contacted, the Firebox SSL VPN Gateway connection is completed but the logon scripts are not run. Important: The client computer must be a domain member in order to run domain logon scripts. To enable logon scripts Click the Access Policy Manager tab.
  • Page 103: Configuring Web Session Time-Outs

    Configuring Web Session Time-Outs When a user is logged on to the Firebox SSL VPN Gateway and using a Web browser to connect to Web sites in the secure network, cookies are set to determine if a user’s Web session is still active on the Firebox SSL VPN Gateway.
  • Page 104: Enabling Split Dns

    Configuring Properties for a User Group On the General tab, under Application Options, select Deny applications without policies. For more information about application policies, see “Application policies” on page 101. For more information about endpoint policies, see “End point resources and policies” on page 104. Enabling Split DNS By default, the Firebox SSL VPN Gateway checks a user’s remote DNS only.
  • Page 105: Choosing A Portal Page For A Group

    O attribute of the Subject of the client certificate Values for the client certificate criteria on the User Groups tab require quotation marks around them to work. Correct and incorrect examples are: The Boolean expression client_cert_end_user_subject_common_name=“clients.gateways.watchguard.com” is valid and it works. The Boolean expression client_cert_end_user_subject_common_name=clients.gateways.watchguard.com...
  • Page 106: Global Policies

    Configuring Resources for a User Group Client certificate configuration is not available for the default user group. To specify client certificate configuration On the Access Policy Manager tab, right-click a group that is not the default group. On the Client Certificates tab, under Client Certificate Criteria Expression, type the certificate information.
  • Page 107 • Logon and portal page usage that defines the page the user sees when logging on. The logon page can be a page provided by WatchGuard and can be modified for individual companies. If your company is using WatchGuard Presentation Server, the logon page can be the Web Interface.
  • Page 108: Adding Users To Multiple Groups

    Configuring Resources for a User Group • Kiosk resources that define how the user can log on and which file shares and applications are accessible to the user when logged on. If the user is allowed to use the Firefox Web browser in kiosk mode, the Web address the user is allowed to use is also defined.
  • Page 109: Defining Network Resources

    To configure resource access control for a group Click the Access Policy Manager tab. In the right pane, configure the group resources. When the resource is configured, click the resource and drag it to the group in the left pane. To allow or deny a resource, in the left pane, right-click the network resource or application policy and then click Allow or Deny.
  • Page 110: Allowing And Denying Network Resources And Application Policies

    Configuring Resources for a User Group • You can further restrict access by specifying a port and protocol for an IP address/subnet pair. For example, you might specify that a resource can use only port 80 and the TCP protocol. •...
  • Page 111: Application Policies

    • Deny rules take precedence over allow rules. This enables you to allow access to a range of resources and to also deny access to selected resources within that range. For example, you might want to allow a group access to a resource group that includes 10.20.10.0/24, but need to deny that user group access to 10.20.10.30.
  • Page 112: Configuring File Share Resources

    Configuring Resources for a User Group To add an application policy to a group On the Access Policy Manager tab, in the right-pane, under Application Policies, click the resource you want to add and then drag it to the user group in the left pane. To allow or deny access, right-click the network resource and then click Allow or Deny.
  • Page 113: Configuring Kiosk Mode

    To create a file share resource Click the Access Policy Manager tab. In the right pane, right-click File Share Resources, click New File Share Resource, type a name, and click OK. In Share Source, type the path to the share source using the form: //server/share.
  • Page 114: End Point Resources And Policies

    Configuring Resources for a User Group To add a file share, under File Share Resources, drag the resource to Shares under File Shares. Select the applications users are allowed to use in kiosk mode. Click Kiosk Persistence (Save Application Settings) to retain Firefox preferences between sessions.
  • Page 115: Configuring An End Point Policy For A Group

    If you selected Process Rule, do the following: - Click Process Rule. - In Process Name, type the name of the process or click Browse to navigate to the file. The MD5 field is automatically completed when a process name is entered. Click OK.
  • Page 116: Setting The Priority Of Groups

    Setting the Priority of Groups In the right pane, right-click End Point Policies and then click New End Point Policy. Type a name and click OK. When the policy is created, create the expression by dragging and dropping the end point resources into the Expression Root.
  • Page 117: Configuring Pre-Authentication Policies

    The following two settings are combined (unioned) across all of the groups of which the user is a member; the combined result is the set of rules enforced for the user. For example, if a user is a member of the sales and support groups, the sales group has notepad.exe and calc.exe defined as an end point policy, and the support group has just Internet Explorer defined, all of those policies are enforced for the user.
  • Page 118 Setting the Priority of Groups Firebox SSL VPN Gateway...
  • Page 119: Chapter 7 Creating And Installing Secure Certificates

    Gateway and the certificate is sent to a CA for signing. When the certificate is received back, it is installed on the appliance. During installation it is paired with the password-protected private key. WatchGuard recommends using this method to create and install Administration Guide...
  • Page 120: Digital Certificates And Firebox Ssl Vpn Gateway Operation

    Digital Certificates and Firebox SSL VPN Gateway Operation • Install a PEM certificate and private key from a Windows computer. This method uploads a signed certificate and private key together. The certificate is signed by a CA and it is paired with the private key.
  • Page 121: Creating A Certificate Signing Request

    private key from tampering and it is also required when restoring a saved configuration to the Firebox SSL VPN Gateway. Passwords are used whether the private key is encrypted or unencrypted. Caution: When you upgrade to Version 6.0 and save the configuration file, it cannot be used on earlier versions of the Firebox SSL VPN Gateway.
  • Page 122: Installing A Certificate And Private Key From A Windows Computer

    Overview of the Certificate Signing Request When you save the Firebox SSL VPN Gateway configuration, any certificates that are already installed are included in the backup. To install a certificate file using the Administration Tool Click the VPN Gateway Cluster tab. On the Administration tab, next to Upload a signed Certificate (.crt), click Browse.
  • Page 123: Installing Multiple Root Certificates

    The root certificate that is installed on the Firebox SSL VPN Gateway has to be in PEM format. On Windows, the file extension .cer is sometimes used to indicate that the root certificate is in PEM format. If you are validating certificates on internal connections, the Firebox SSL VPN Gateway must have a root certificate installed.
  • Page 124: Client Certificates

    Client Certificates Note: HyperTerminal is not installed automatically on Windows 2000 Server or Windows Server 2003. To install HyperTerminal, use Add/Remove Programs in Control Panel. Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1 stop bit. Hardware flow control is optional.
  • Page 125: Installing Root Certificates

    Installing Root Certificates Support for most trusted root authorities is already built into the Windows operating system and Internet Explorer. Therefore, there is no need to obtain and install root certificates on the client device if you are using these CAs. However, if you decide to use a different CA, you need to obtain and install the root certificates yourself.
  • Page 126: Requiring Certificates From Internal Connections

    Requiring Certificates from Internal Connections Click Submit. Requiring Certificates from Internal Connections To increase security for connections originating from the Firebox SSL VPN Gateway to your internal network, you can require the Firebox SSL VPN Gateway to validate SSL server certificates. Previous versions of the Firebox SSL VPN Gateway did not validate the SSL server certificate presented by the Web Interface and the Secure Ticket Authority.
  • Page 127: Chapter 8 Working With Client Connections

    Working with Client Connections CHAPTER 8 Clients can access resources on the corporate network by connecting through the Firebox SSL VPN Gateway from their own computer or from a public computer. The following topics describe how client connections work: • Using the Access Portal •...
  • Page 128: Using The Access Portal

    Using the Access Portal If clients are using Mozilla Firefox to connect, pages that require ActiveX, such as the pre-authentication page, are not able to run. If clients are going to connect using the kiosk, they must have Sun Java Runtime Environment (JRE) Version 1.5.0_06 installed on their computer.
  • Page 129: Connecting From A Private Computer

    the computer is started, users do not have to do anything to create the connection, provided that they have a network connection and can log onto Windows. The connection enables users to work with the connected site just as if they were logged on at the site.
  • Page 130: Tunneling Private Network Traffic Over Secure Connections

    Connecting from a Private Computer • The Firebox SSL VPN Gateway terminates the SSL tunnel, accepts any incoming traffic destined for the private network, and forwards the traffic to the private network. The Firebox SSL VPN Gateway sends traffic back to the remote computer over a secure tunnel. When a remote user logs on using the Secure Access Client, the Firebox SSL VPN Gateway prompts the user for authentication over HTTP 401 Basic or Digest.
  • Page 131: Operation Through Firewalls And Proxies

    that remote users can access through the VPN connection. For more information, see “Configuring Resources for a User Group” on page 96. All IP packets, regardless of protocol, are intercepted and transmitted over the secure link. Connections from local applications on the client computer are securely tunneled to the Firebox SSL VPN Gateway, which reestablishes the connections to the target server.
  • Page 132: Activex Helper

    Connecting from a Private Computer sends its known local IP address to the server by means of a custom client-server protocol. For these applications, the Secure Access Client provides the local client application a private IP address representation, which the Firebox SSL VPN Gateway uses on the internal network. Many real-time voice applications and FTP use this feature.
  • Page 133 An email template is provided that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. WatchGuard recommends that you customize the text for your site and then send the text in an email to users.
  • Page 134 Connecting from a Private Computer The Secure Access Client dialog box with the pop-up menu showing Advanced Options Under Proxy Settings, select Use Proxy Host and then in Proxy Address and Proxy Host, type the IP address and port. If the proxy server requires authentication, select Proxy server requires authentication.
  • Page 135: Configuring Proxy Servers For The Secure Access Client

    In IP Address and Port, type the IP address and port number. If authentication is required by the server, select Proxy server requires authentication. The Advanced Options dialog box can also be opened by right-clicking the WatchGuard Secure Access icon on the desktop and then clicking Properties.
  • Page 136: Configuring Secure Access Client To Work With Non-Administrative Users

    The Firebox SSL VPN Gateway provides secure access to a corporate network from a public computer using kiosk mode. When users select A public computer on the WatchGuard portal page, a Web browser opens. The user logs on and then can access applications provided in the browser window.
  • Page 137: Creating A Kiosk Mode Resource

    Use the logon page to connect, as described in “Connecting Using a Web Address”. Click A public computer. The WatchGuard Secure Access logon dialog box appears. Enter your network logon credentials and click Login. Note: Users logged on using kiosk mode can use the FTP protocol to download files from the corporate network.
  • Page 138: Working With File Share Resources

    Connecting from a Public Computer To create and configure a kiosk resource Click the Access Policy Manager tab. In the right pane, right-click Kiosk Resources and then click New Kiosk Resource. Type a name for the resource and click OK. To add a file share, under File shares, drag the resource to Shares.
  • Page 139: Client Applications

    Select a file share from File Share Resources and drag it to Shares under File shares in the kiosk resource. Click OK. To remove a file share On the Access Policy Manager tab, in the right-pane, right-click the file share and click Remove. You can specify the shared network drives that are accessible for sessions.
  • Page 140: Firefox Web Browser

    Client Applications Firefox Web Browser The Firefox Web browser allows users to connect to the Internet when they are logged on in kiosk mode. They can connect to Web sites as if they were sitting at their own computer. To configure Firefox Click the Access Policy Manager tab.
  • Page 141: Telnet 3270 Emulator Client

    To use the SSH client From the portal page, choose A public computer and log on. In the Web browser, click the SSH icon. Enter the user name and SSH host name or IP address. The SSH window opens. Telnet 3270 Emulator Client The Telnet 3270 Emulator client enables the user to establish a Telnet 3270 connection to a remote computer.
  • Page 142: Supporting Secure Access Client

    Supporting Secure Access Client To use Gaim From the portal page, choose A public computer and log on. In the Web browser, double-click the Gaim icon. If messaging services were not added, an Accounts window opens. Click Add. In the Add Account dialog box, in Protocol, select the instant messaging service to add. Complete the rest of the information and click Save.
  • Page 143: Managing Client Connections

    An email template is provided that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. Customize the text for your site and then send the text in an email to users. To install the Secure Access Client from inside the firewall, go to the portal page and use the Click here to download the client installer link to download the client.
  • Page 144: Closing A Connection To A Resource

    Managing Client Connections Closing a connection to a resource Without disrupting a user’s VPN connection, you can temporarily close the user’s connection to a particular resource. To prevent the user from connecting to the resource, correct the user’s group ACL. To close a connection In the Firebox SSL VPN Gateway Administration Desktop, click the Real-time Monitor icon.
  • Page 145 In the left pane, right-click a group and click Properties. On the General tab, under Session options, select one or both of the following: • Authenticate after network interruption. This option forces a user to log on again if the network connection is briefly interrupted.
  • Page 146 Managing Client Connections Firebox SSL VPN Gateway...
  • Page 147: Appendix A Firebox Ssl Vpn Gateway Monitoring And Troubleshooting

    Firebox SSL VPN Gateway APPENDIX A Monitoring and Troubleshooting The following topics describe how to use Firebox SSL VPN Gateway logs and troubleshoot issues: • Viewing and Downloading System Message Logs • Enabling and Viewing SNMP Logs • Viewing System Statistics •...
  • Page 148: Forwarding System Messages To A Syslog Server

    Viewing and Downloading System Message Logs Click Logging/Settings. Under Gateway Log, click Display Logging Window. The log for today’s date is displayed. To display the log for a prior date, select the date in the Log Archive list and click View Log. By default, the log displays all entries.
  • Page 149: Enabling And Viewing Snmp Logs

    Field sc-status cs-uri sc-uri To view or download the log, go to the Logging > Configuration tab and click Download W3C Log. Enabling and Viewing SNMP Logs When Simple Network Management Protocol (SNMP) is enabled, the Firebox SSL VPN Gateway reports the MIB-II system group (1.3.6.1.2.1).
  • Page 150: Viewing System Statistics

    Viewing System Statistics To obtain SNMP data for the Firebox SSL VPN Gateway through Multi Router Traffic Grapher (in UNIX) Configure the Firebox SSL VPN Gateway to respond to SNMP queries as discussed in “To enable logging of SNMP messages” on page 139. Create Multi Router Traffic Grapher configuration files in /etc/mrtg.
  • Page 151: To Open The Firebox Ssl Vpn Gateway Administration Desktop

    bottom right corner, you can view process and network activity levels; mouse over the two graphs to view numeric data. To open the Firebox SSL VPN Gateway Administration Desktop Open a Web browser and type the IP address or FQDN of the Firebox SSL VPN Gateway. The accepted formats are https://IPaddress or https://FQDN.
  • Page 152: Reinstalling V 4.9 Application Software

    To obtain the v 5.0 software update, v 5.0 Administrator’s Guide and v 5.0 Release Notes, go to https://www.watchguard.com/archive/softwarecenter.asp. You must log in with your LiveSecurity user name and passphrase and select the Firebox SSL VPN Gateway support view.
  • Page 153: Launching The V 5.5 Administration Tool

    After the Administration Tool installation is complete, you can launch the new tool from Start > All Programs > WatchGuard. Type the IP address or FQDN of the SSL VPN Gateway device in the Connecting To dialog box. Note that the dialog box does not always appear in the foreground—it may be buried behind other open windows on your desktop.
  • Page 154: Other Issues

    Troubleshooting By default, the Firebox SSL VPN Gateway passes only the user name and password to the Web Interface. To correct this, configure a default domain or a set of domains users can log on to. The Web Interface uses the first one in the list as the default domain. Web Interface Credentials Are Invalid When users log on to the Firebox SSL VPN Gateway, they are sent to the Web Interface but their applications are not displayed.
  • Page 155 Troubleshooting Defining Accessible Networks In the Accessible Networks field on the Global Cluster Policies tab, up to 24 subnets can be defined. If more than 24 subnets are entered, the Firebox SSL VPN Gateway ignores the additional subnets. VMWare If a user logs on to the Secure Access Client from two computers that are running VMWare and VMWare uses the same MAC address for the two computers, the Firebox SSL VPN Gateway does not allow both clients to run simultaneously.
  • Page 156 Troubleshooting Internal Failover If internal failover is enabled and the administrator is connected to the Firebox SSL VPN Gateway, the Administration Tool cannot be reached over the connection. To fix this problem, enable IP pooling and then connect to the lowest IP address in the pool range on port 9001. For example, if the IP pool range starts at 10.10.3.50, connect to the Administration Tool using 10.10.3.50:9001.
  • Page 157 Devices Cannot Communicate with the Firebox SSL VPN Gateway Verify that the following are correctly set up: • The External Public Address specified on the General Networking tab in the Firebox SSL VPN Gateway Administration Tool is available outside of your firewall •...
  • Page 158 Troubleshooting Client Connections from a Windows Server 2003 If a connection to the Firebox SSL VPN Gateway is made from a Windows Server 2003 computer that is its own DNS server, local and public DNS resolution does not work. To fix this issue, configure the Windows Server 2003 network settings to point to a different DNS server.
  • Page 159: Appendix B Using Firewalls With Firebox Ssl Vpn Gateway

    WatchGuard recommends that the user’s personal firewall allow full access for the Secure Access Client. If you do not want to allow full access, the following UDP and UDP/TCP ports need to be open on the client computer: •...
  • Page 160: Blackice Pc Protection

    BlackICE PC Protection To view Secure Access Client status properties Double-click the Secure Access Client connection icon in the notification area. Alternatively, right-click the icon and choose Properties from the menu. The Secure Access Client dialog box appears. The properties of the connection provide information that is helpful for troubleshooting. The properties include: •...
  • Page 161: Norton Personal Firewall

    Trusted &amp; Banned IPs: Add the IP address or range of allowed resources as trusted IP addresses. System Services: In the System Services list, select each service that you plan to use over the VPN connection. Norton Personal Firewall If you are using the default Norton Personal Firewall settings, you can simply respond to the Program Control alerts the first time that you attempt to start the Secure Access Client or when you access a blocked location or application.
  • Page 162: Zonealarm Pro

    ZoneAlarm Pro To configure the settings, open the Tiny Personal Firewall administration window, click the Advanced button to view the Firewall Configuration window, and then use the Filter Rule dialog box as indicated below. To permit the IP address or range of allowed resources, use the following settings: Protocol = TCP and UDP Direction = Both Directions...
  • Page 163: Appendix C Installing Windows Certificates

    Installing Windows Certificates APPENDIX C The Firebox SSL VPN Gateway includes the Certificate Request Generator to automatically create a certificate request. After the file is returned from the Certificate Authority, it can be uploaded to the Firebox SSL VPN Gateway. When the file is uploaded, it is converted automatically to the correct format for use. If you do not want to use the Certificate Request Generator to create the signed certificate, use Linux OpenSSL to administer any certificate tasks.
  • Page 164: Unencrypting The Private Key

    Unencrypting the Private Key 12 Click Next to start the installation. After Cygwin installs, you can generate the CSR. These instructions to generate a CSR assume that you are using the Cygwin UNIX environment installed as described in “To install Cygwin” on page 153. To generate a CSR using the Cygwin UNIX environment Double-click the Cygwin icon on the desktop.
  • Page 165: Converting To A Pem-Formatted Certificate

    For information about downloading OpenSSL for Windows, see the SourceForge Web site at http://sourceforge.net/project/showfiles.php?group_id=23617&release_id=48801. Converting to a PEM-Formatted Certificate The signed certificate file that you receive from the Certificate Authority might not be in a PEM format. If the file is in binary format (DER), convert it to PEM format as follows: openssl x509 -in certFile -inform DER -outform PEM -out convertedCertFile If the certificate is already in a text format, it may be in PKCS format.
  • Page 166: To Combine The Private Key With The Signed Certificate

    Generating Trusted Certificates for Multiple Levels To combine the private key with the signed certificate Use a text editor to combine the unencrypted private key with the signed certificate in the PEM file format. The file contents should look similar to the following: -----BEGIN RSA PRIVATE KEY----- <Unencrypted Private Key>...
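An added example, not part of the WatchGuard guide, that checks the layout of the combined PEM file before it is uploaded: one unencrypted private key block first, then the signed certificate and any intermediate certificates. The sample blocks are constructed placeholder bytes, not real key or certificate material, and the required block order is taken from the guide's description above.

```python
import base64
import binascii
import re

# One PEM block: label (e.g. "RSA PRIVATE KEY", "CERTIFICATE") followed by a base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")


def parse_pem(text):
    """Return [(label, der_bytes)] for every PEM block, decoding the base64 body.
    PEM header lines such as Proc-Type/DEK-Info (they contain ':') are skipped."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(l for l in m.group(2).splitlines() if l and ":" not in l)
        blocks.append((m.group(1), base64.b64decode(body, validate=True)))
    return blocks


def check_combined_pem(text):
    """Structural pre-upload check: exactly one unencrypted private key, placed first,
    then the signed certificate followed by any intermediates. Returns a list of problems."""
    problems = []
    if any(marker in text for marker in ENCRYPTED_MARKERS):
        problems.append("private key is still encrypted; decrypt it before combining")
    try:
        labels = [label for label, _ in parse_pem(text)]
    except (ValueError, binascii.Error) as exc:
        return problems + [f"malformed base64 in a PEM block: {exc}"]
    key_positions = [i for i, label in enumerate(labels) if label in KEY_LABELS]
    if len(key_positions) != 1:
        problems.append(f"expected exactly one private key block, found {len(key_positions)}")
    elif key_positions[0] != 0:
        problems.append("private key block must come before the certificates")
    if labels.count("CERTIFICATE") == 0:
        problems.append("no CERTIFICATE block found")
    problems += [f"unexpected block type: {l}" for l in labels
                 if l != "CERTIFICATE" and l not in KEY_LABELS]
    return problems


def _b64(data):
    return base64.b64encode(data).decode()

# Constructed sample blocks: the bodies are placeholder bytes, not real key or certificate material.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\n" + _b64(b"constructed key") + "\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\n" + _b64(b"constructed server certificate") + "\n-----END CERTIFICATE-----\n"
SAMPLE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\n" + _b64(b"constructed intermediate 0") + "\n-----END CERTIFICATE-----\n"
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n" + _b64(b"constructed") + "\n-----END RSA PRIVATE KEY-----\n")
COMBINED_OK = SAMPLE_KEY + SAMPLE_CERT + SAMPLE_INTERMEDIATE          # check_combined_pem -> []
COMBINED_WRONG_ORDER = SAMPLE_CERT + SAMPLE_KEY                       # key after certificate
```

The check only validates layout and encoding; whether the key matches the certificate is still confirmed by the gateway on upload.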
  • Page 167 Generating Trusted Certificates for Multiple Levels (figure: certificate chain showing Intermediate Certificate 0, Intermediate Certificate 1, Intermediate Certificate 2)
  • Page 169: Appendix D Examples Of Configuring Network Access

    Examples of Configuring Network Access APPENDIX D After the Firebox SSL VPN Gateway is installed and configured to operate in your network environment, use the Administration Tool to configure user access to the servers, applications, and other resources on the internal network. Configuring user access to internal network resources involves defining accessible networks for split tunneling, configuring authentication and authorization, creating user groups, creating local users, and defining the access control lists (ACLs) for user groups.
  • Page 170: Scenario 1: Configuring Ldap Authentication And Authorization

    Scenario 1: Configuring LDAP Authentication and Authorization Before reading the examples in this chapter, you should become familiar with the settings on three tabs of the Administration Tool. The settings on these tabs control user access to internal network resources: •...
  • Page 171 • Determining the Sales and Engineering users who need remote access • Collecting the LDAP directory information Determining the internal networks that include the needed resources Determining the internal networks that include the needed resources is the first of three procedures the administrator performs to prepare for the LDAP authentication and authorization configuration.
  • Page 172 Scenario 1: Configuring LDAP Authentication and Authorization For example, if the Firebox SSL VPN Gateway operates with the Microsoft Active Directory, the Firebox SSL VPN Gateway checks the "memberOf" attribute in the Person entry to determine the groups to which a user belongs. In this example, we assume that the group membership attribute indicates that a user is a member of an LDAP directory group named "Remote Sales."...
  • Page 173: Configuring The Firebox Ssl Vpn Gateway To Support Access To The Internal Network Resources

    • LDAP Server port. The port on which the LDAP server listens for connections. The default port for LDAP connections is port 389. • LDAP Administrator Bind DN and LDAP Administrator Password. If the LDAP directory requires applications to authenticate when accessing it, the administrator must know the name of the user account that the Firebox SSL VPN Gateway should use for this authentication and the password associated with this account.
  • Page 174 Scenario 1: Configuring LDAP Authentication and Authorization This task includes these five procedures: • Configuring accessible networks • Creating an LDAP authentication realm • Creating the appropriate groups on the Firebox SSL VPN Gateway • Creating and assigning network resources to the user groups •...
  • Page 175 Creating an LDAP Authentication and Authorization Realm Creating an LDAP authentication and authorization realm is the second of five procedures the administrator performs to configure access to the internal network resources in this scenario. In this scenario, all of the Sales and Engineering users are listed in a corporate LDAP directory. To authenticate users listed in an LDAP directory, the administrator must create an authentication realm that supports LDAP authentication.
  • Page 176 Scenario 1: Configuring LDAP Authentication and Authorization Creating the Appropriate Groups on the Firebox SSL VPN Gateway Creating the appropriate groups on the Firebox SSL VPN Gateway is the third of five procedures the administrator performs to configure access to the internal network resources in the configuring LDAP authentication and authorization scenario.
  • Page 177 In Network/Subnet, type these two IP address/subnet pairs for the resources. Separate each of these IP address/subnet pairs with a space: 10.10.0.0/24 10.60.10.0/24 To simplify this example, the administrator accepts the default values for the other settings on the Network Resource window and clicks OK. After creating the Network Resource named "Sales Resource,"...
  • Page 178 Scenario 1: Configuring LDAP Authentication and Authorization the 10.0.20.x resource and allow access to the 10.0.x.x resource. In these cases, configure the policy denying access to 10.0.20.x first and then configure the policy allowing access to the 10.0.x.x network second. Always configure the most restrictive policy first and the least restrictive policy last.
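An added example, not from the WatchGuard guide, showing why the deny policy for 10.0.20.x must precede the allow policy for 10.0.x.x. It assumes the ACL is evaluated in order with the first matching policy winning (the behaviour the ordering rule above implies), and adds a small lint that flags a narrower deny shadowed by an earlier, broader allow.

```python
import ipaddress


class Policy:
    """One ACL entry: action ("allow" or "deny") for a CIDR network."""

    def __init__(self, action, network):
        self.action = action
        self.network = ipaddress.ip_network(network)


def evaluate(policies, dest_ip):
    """Return the action of the first policy whose network contains dest_ip.
    Assumption: ordered, first-match evaluation; nothing matching means deny."""
    ip = ipaddress.ip_address(dest_ip)
    for p in policies:
        if ip in p.network:
            return p.action
    return "deny"


def lint_order(policies):
    """Warn when a broader allow precedes a narrower deny it fully contains:
    under first-match evaluation the deny can never fire."""
    warnings = []
    for i, earlier in enumerate(policies):
        for later in policies[i + 1:]:
            if (earlier.action == "allow" and later.action == "deny"
                    and later.network.subnet_of(earlier.network)):
                warnings.append(f"deny {later.network} is shadowed by allow {earlier.network}")
    return warnings


# Constructed from the guide's scenario: deny 10.0.20.x, allow the rest of 10.0.x.x.
CORRECT_ORDER = [Policy("deny", "10.0.20.0/24"), Policy("allow", "10.0.0.0/16")]
WRONG_ORDER = [Policy("allow", "10.0.0.0/16"), Policy("deny", "10.0.20.0/24")]

if __name__ == "__main__":
    print(evaluate(CORRECT_ORDER, "10.0.20.5"))  # deny
    print(evaluate(WRONG_ORDER, "10.0.20.5"))    # allow: the deny is shadowed
    print(lint_order(WRONG_ORDER))
```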
  • Page 179: Scenario 2: Creating Guest Accounts Using The Local Users List

    In the left pane, click the "Email server" network resource you just created and drag it to Application Network Policies listed under Application Constraints in the right pane. Click In the left pane, expand both the "Remote Sales" user group and the "Remote Engineers" user group.
  • Page 180: Creating A Guest User Authentication Realm

    Scenario 2: Creating Guest Accounts Using the Local Users List An administrator can also create a list of local users on the Firebox SSL VPN Gateway and configure the Firebox SSL VPN Gateway to provide authentication and authorization services for these users. This list of local users is maintained in a database on the Firebox SSL VPN Gateway and not in an external directory.
  • Page 181: Creating Local Users

    To create a guest authentication realm for the guest users In the Firebox SSL VPN Gateway Administration Tool, click the Authentication tab. In Realm Name, type Guest. Select One Source and click Add. At Select Authentication Type, select Local authentication only and then click OK. From the Authorization tab, select No authorization.
  • Page 182: Scenario 3: Configuring Local Authorization For Local Users

    Scenario 3: Configuring Local Authorization for Local Users Silvio and Lisa are authorized to access any resource defined in the ACL of the Default user group because No Authorization is specified as the authorization type of the Guest realm. In this example, Silvio and Lisa can access only the Web conference server on the internal network because that is the only network resource defined for the Default user group.
  • Page 183: Appendix E Legal And Copyright Information

    Legal and Copyright Information APPENDIX E GNU GENERAL PUBLIC LICENSE FOR LINUX KERNEL AS PROVIDED WITH FIREBOX SSL Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
  • Page 184 We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software.
  • Page 185 change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
  • Page 186 be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it.
  • Page 187 If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims;...
  • Page 188 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER...
  • Page 189 This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c';...
  • Page 191 Index access control list 56, 97 allow and deny rules deny access 15, 58 deny access without ACL 57, 88 Access Policy Manager tab 15, 87 add network resource Application Policies 16, 101 applications without policies client certificate criteria 16, 95 create network resource create user group end point policy...
  • Page 192 Authentication tab LDAP authorization configuring LDAP 65, 73 LDAP and RSA/ACE Server local users RADIUS 69, 72 backing up BlackICE PC Protection certificate 512-bit keypairs backing up certificate signing request 14, 110 client 15, 95, 114 combining with private key converting to PEM format creating signing request generating for multiple levels...
  • Page 193 removing Ethereal Network Analyzer unencrypted traffic Ethereal Network Monitor external access failover appliances DNS servers gateways internal 15, 55 failure recovery FAQs file share configuring mount type source path file share resources 16, 128 finger query Firebox Installation Services Firefox preventing Java access firewall BlackICE PC Protection...
  • Page 194 persistence Remote Desktop Client shared network drives, using SSH client Telnet 3270 Emulator client using FTP to copy files VNC client known issues LDAP authentication 15, 25 authorization 15, 73 authorization with RSA/ACE Server LDAP authentication 73, 76 LDAP Browser LDAP server finding attributes licenses...
  • Page 195 ping command 33, 145 from xNetTools policies access control lists IP pooling network access portal pages 38, 41 setting priority port for connections scanner portal page client connections client variables configuring 16, 95 customizing 15, 38 disabling double source authentication 43, 85 downloading templates 32, 39...
  • Page 196 connection to service scanner session timeout 15, 88, 92 settings General Networking shared network drives shared secret 69, 82 shutting down 15, 45 single sign-on single sign-on for client SNMP logs, enabling and viewing MIB groups reported settings software reinstalling shutting down upgrades software reinstallation...
  • Page 197 15, 140 Syslog settings system date and time upgrading 15, 44 VPN Installation Services W3C-formatted log WatchGuard Certified Training Partners WatchGuard users forum 5, 6 WCTP Web address of Administration Portal of Java client Web Interface access without credentials...

This manual is also suitable for:

SSL 500, Firebox SSL series