Copyright, Trademark, and Patent Information Use of the product documented in this guide is subject to your prior acceptance of the WatchGuard End User License Agreement applicable to this product. You will be prompted to read and accept the End User License Agreement when you register your Firebox on the WatchGuard website.
Contents (excerpt): Audience; Operating System Requirements; Document Conventions; LiveSecurity Service Solutions; LiveSecurity Service Broadcasts; Activating LiveSecurity Service; LiveSecurity Service Self Help Tools; WatchGuard Users Forum; Online Help; Product Documentation; Technical Support; LiveSecurity Service technical support; LiveSecurity Gold; Firebox Installation Service ...
Using the Serial Console; To open the serial console; Using the Administration Tool; To download and install the Administration Tool; Publishing Settings to Multiple Firebox SSL VPN Gateways; To publish Firebox SSL VPN Gateway settings; Product Activation and Licensing; Upgrading the tunnel and tunnel upgrade license ...
To disable Firebox SSL VPN Gateway authentication; SafeWord PremierAccess Authorization; Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication; To configure the IAS RADIUS realm; Using RADIUS Servers for Authentication and Authorization; To configure Microsoft Internet Authentication Service for Windows 2000 Server; To specify RADIUS server authentication; To configure RADIUS authorization; Choosing RADIUS Authentication Protocols ...
Using the Access Portal; To connect using the default portal page; Connecting from a Private Computer; Tunneling Private Network Traffic over Secure Connections; Operation through Firewalls and Proxies; Terminating the Secure Tunnel and Returning Packets to the Client; ActiveX Helper; Using the Secure Access Client Window; Configuring Proxy Servers for the Secure Access Client; Configuring Secure Access Client to Work with Non-Administrative Users ...
Creating and Assigning a Network Resource to the Default User Group; Scenario 3: Configuring Local Authorization for Local Users; APPENDIX E Legal and Copyright Information ... WatchGuard SSL VPN Gateway ...
CHAPTER 1 Getting Started with Firebox SSL VPN Gateway This chapter describes who should read the Firebox SSL VPN Gateway Administration Guide, how it is organized, and its document conventions. Audience This user guide is intended for system administrators responsible for installing and configuring the Firebox SSL VPN Gateway.
Threat responses, alerts, and expert advice After a new threat is identified, the WatchGuard Rapid Response Team sends you an e-mail to tell you about the problem. Each message gives full information about the type of security problem and the procedure you must use to make sure that your network is safe from attack.
WatchGuard Firebox® and network security, or find a WatchGuard Certified Training Center in your area. LiveSecurity Service Broadcasts The WatchGuard® Rapid Response Team regularly sends messages and software information directly to your computer desktop by e-mail. We divide the messages into categories to help you to identify and make use of incoming information immediately.
Complete the LiveSecurity Activation page. Use the TAB key or the mouse to move through the fields on the page. You must complete all the fields to activate correctly. This information helps WatchGuard to send you the information and software updates that are applicable to your products.
Product Documentation The WatchGuard web site has a copy of each product user guide, including user guides for software versions that are no longer supported. The user guides are in .pdf format. General Firebox X Edge and Firebox SOHO Resources This section of the web site shows basic information and links for Firebox X Edge and Firebox SOHO customers.
LiveSecurity Service technical support All new Firebox products include the WatchGuard LiveSecurity Technical Support Service. You can speak with a member of the WatchGuard Technical Support team when you have a problem with the installation, management, or configuration of your Firebox.
VPN Installation Service WatchGuard Remote VPN Installation Service helps you through a full VPN installation. You can schedule a two-hour session with one of the WatchGuard Technical Support team. During this time, the technician helps: • Do an analysis of your VPN policy •...
The training materials include links to books and web sites with more information about network security. WatchGuard product training is also available at a location near you through a large group of WatchGuard Certified Training Partners (WCTPs). Training partners give training using certified training materials and with WatchGuard hardware.
CHAPTER 2 Gateway WatchGuard Firebox SSL VPN Gateway is a universal Secure Socket Layer (SSL) virtual private network (VPN) appliance that provides a secure single point-of-access to any information resource — both data and voice. Combining the best features of Internet Protocol Security (IPSec) and SSL VPN, without the costly and cumbersome implementation and management, Firebox SSL VPN Gateway works through any firewall and supports all applications and protocols.
Overview As shown in the following illustration, the Firebox SSL VPN Gateway is appropriate for employees accessing the organization remotely and intranet access from restricted LANs such as wireless networks. Network topography showing the Firebox SSL VPN Gateway in the DMZ. The following illustration shows how the Firebox SSL VPN Gateway creates a secure virtual TCP circuit between the client computer running the Secure Access Client and the Firebox SSL VPN Gateway.
The virtual TCP circuit uses industry standard Secure Socket Layer (SSL) and Transport Layer Security (TLS) encryption. All packets destined for the private network are transported over the virtual TCP circuit. The Firebox SSL VPN Gateway is essentially acting as a low-level packet filter with encryption. It drops traffic that is not authenticated or that does not have permission for a particular network.
New Features Secure Access Client connections The Secure Access Client included in this release can connect to earlier versions of the Firebox SSL VPN Gateway. Also, earlier versions of the Secure Access Client can connect to this release of the Firebox SSL VPN Gateway if enabled on the Global Cluster Policies tab.
NTLM authentication and authorization support. If your environment includes Windows NT 4.0 domain controllers, the Firebox SSL VPN Gateway can authenticate users against the user domain accounts maintained on the Windows NT server. The Firebox SSL VPN Gateway can also authorize users to access internal network resources based on a user’s group memberships on the Windows NT 4.0 domain controller.
Features • Date and time configuration • Certificate generation and installation • Restarting and shutting down the Firebox SSL VPN Gateway • Saving and reinstalling configuration settings If the Firebox SSL VPN Gateway is upgraded to Version 5.5 from an earlier version, you must uninstall and then reinstall the latest Administration Tool.
Features (table excerpt): Server Upgrade; Server Restart; Server Shut Down; Server Statistics; Licensing; Date and Time; Enable External Administration; Saving and Restoring Server Configuration; Enable Split Tunneling; Accessible Networks; Deny Access without ACL; Require SSL Client Certificates; Validate SSL Certificates for Internal Connections; Improve Latency for Voice over IP Traffic; Internal Failover; Enable Portal Page Authentication ...
The User Experience (table excerpt): Use SSL/TLS; Local Group Users; Client Certificate Criteria Expression; Network Resource Groups; Application Policies; File Share Resources; Kiosk Resources and Policies; End Point Resource and Policies; Pre-Authentication Policies; Portal Page Configuration; Group Priority; Publish. Feature Summary The following are key Firebox SSL VPN Gateway features: •...
Secure Access Client by typing a secure Web address in a standard Web browser and providing authentication credentials. Because the Firebox SSL VPN Gateway encrypts traffic using standard SSL/TLS, it can traverse firewalls and proxy servers, regardless of the client location. For a more detailed description of the user experience, see “Connecting from a Private Computer”...
Administration Desktop also provides access to the Real-Time Monitor, where you can view a list of current users and close the connection for any user. Planning your deployment This chapter discusses deployment scenarios for the Firebox SSL VPN Gateway. You can deploy the Firebox SSL VPN Gateway at the perimeter of your organization’s internal network (or intranet) to provide a secure single point-of-access to the servers, applications, and other network resources residing in the internal network.
SSL handshakes. Self-signed certificates are adequate for testing or sample deployments, but are not recommended for production environments. Before you deploy the Firebox SSL VPN Gateway in a production environment, WatchGuard recommends that you request and receive a signed SSL server certificate from a known Certificate Authority and upload it to the Firebox SSL VPN Gateway.
It works with other networking products such as cache engines, firewalls, routers, and IEEE 802.11 wireless devices. WatchGuard recommends installing the Firebox SSL VPN Gateway in the corporate demilitarized zone (DMZ). When installed in the DMZ, the Firebox SSL VPN Gateway participates on two networks: a private network and a public network with a publicly routable IP address.
• The Firebox SSL VPN Gateway FQDN for network address translation (NAT) • The IP address of the default gateway device • The port to be used for connections If connecting the Firebox SSL VPN Gateway to a server load balancer: •...
• [8] Log Out logs off from the Firebox SSL VPN Gateway WatchGuard recommends using both network adapters on the appliance. After configuring the TCP/IP settings for Interface 0, use the Administration Tool to configure TCP/IP settings for Interface 1.
Internet and client computers that are not inside the corporate network. The other network adapter communicates with the internal network. WatchGuard recommends that both network adapters be configured for maximum security. If only one network adapter is used, it has to be routable for internal resources using Network Address Translation (NAT).
Using the Firebox SSL VPN Gateway For information about the relationship between the Default Gateway and dynamic or static routing, see “Dynamic and Static Routing” on page 51. After you configure your network settings on the Firebox SSL VPN Gateway, you need to restart the appliance.
• After downloading the Secure Access Client, the user logs on. When the user successfully authenticates, the Firebox SSL VPN Gateway establishes a secure tunnel. • As the remote user attempts to access network resources across the VPN tunnel, the Secure Access Client encrypts all network traffic destined for the organization’s intranet and forwards the packets to the Firebox SSL VPN Gateway.
Establishing the Secure Tunnel After the Secure Access Client is started, it establishes a secure tunnel over port 443 (or any configured port on the Firebox SSL VPN Gateway) and sends authentication information. When the tunnel is established, the Firebox SSL VPN Gateway sends configuration information to the Secure Access Client describing the networks to be secured and containing an IP address if you enabled IP pool visibility.
NAT firewalls maintain a table that allows them to route secure packets from the Firebox SSL VPN Gateway back to the client computer. For circuit-oriented connections, the Firebox SSL VPN Gateway maintains a port-mapped, reverse NAT translation table. The reverse NAT translation table enables the Firebox SSL VPN Gateway to match connections and send packets back over the tunnel to the client with the correct port numbers so that the packets return to the correct application.
work, no attempt is made by either the client or the server applications to regenerate them, so real-time (UDP like) performance is achieved over a secure TCP-based tunnel. For more information about improving latency with UDP connections and Voice over IP, see “Improving Voice over IP Connections”...
public address. The external public address ensures that the redirected client returns to the Firebox SSL VPN Gateway it first encountered, providing session stickiness. The association between a particular request and the Firebox SSL VPN Gateway is broken only when the client makes a new connection.
CHAPTER 3 Configuring Basic Settings This chapter describes Firebox SSL VPN Gateway basic administration, including connecting to the Firebox SSL VPN Gateway, using the Administration Desktop, and using the Administration Tool to configure the Firebox SSL VPN Gateway. All submitted configuration changes are applied automatically to the Firebox SSL VPN Gateway and do not cause a disruption for users connected to the Firebox SSL VPN Gateway.
The Firebox SSL VPN Gateway Administration Portal appears. Click Launch Firebox SSL VPN Gateway Administrative Desktop. In the WatchGuard Firebox SSL Remote Admin Terminal dialog box, type your user name and password. By default, if you configure the Firebox SSL VPN Gateway to use both network adapters, the Administration Portal can be accessed from either adapter.
• Download a sample email for users Admin Users Tab The Firebox SSL VPN Gateway has a default administrative user account with full access to the Firebox SSL VPN Gateway. To protect the Firebox SSL VPN Gateway from unauthorized access, change the default password during your initial configuration.
After downloading the file, navigate to the location where it was saved and then double-click the file. To install the Administration Tool, follow the instructions in the wizard. To start the Administration Tool, click Start > Programs > WatchGuard > Firebox SSL VPN Gateway Administration Tool > Firebox SSL VPN Gateway Administration Tool. Note...
For new product installations, you will need to activate your Firebox SSL VPN Gateway by submitting the included license key codes to your LiveSecurity account. You access your LiveSecurity account by browsing to the WatchGuard website at http://www.watchguard.com, then clicking LiveSecurity® Service on the left.
Firebox SSL VPN Gateway Administration Tool. To apply these license files, see “Managing Licenses” on page 36. For future tunnel capacity upgrades, you will follow these same steps to increase the capacity of your Firebox® SSL VPN Gateway. Upgrading the LiveSecurity Renewal and Tunnel Renewal license In your LiveSecurity account, under Your Activated Products, you can activate and extend your LiveSecurity support service by submitting the LiveSecurity Renewal and Tunnel Renewal license keys.
Do not overwrite any .lic files in the license directory. If another file in that directory has the same name, rename the newly received file. The Firebox SSL VPN Gateway software calculates your licensed features based on all .lic files that are uploaded to the Firebox SSL VPN Gateway. Do not edit a .lic file or the Firebox SSL VPN Gateway software ignores any features associated with that license file.
(FQDN) to connect to either the internal or external interface. The format should be either https://ipaddress or https://FQDN. Type the logon credentials. The WatchGuard Firebox SSL VPN Gateway portal page appears. Click My own computer and then click Connect.
By default, users see a WatchGuard Firebox SSL VPN Gateway portal page when they open https://Firebox_SSL_VPN_Gateway_IP_or_hostname. For samples of the default portal pages for Windows, Linux, and Java, see “Using the Access Portal” on page 118. Several portal page templates that can be customized are provided. One of the templates includes links to both the Firebox SSL Secure Access Client and kiosk mode.
Make a copy of each template that you will use and name the template, using the extension .html. Open the file in Notepad or an HTML editing application. To replace the WatchGuard image, locate the following line in the template: <img src="citrix-logo.gif"/>...
To install a custom portal page or image on the Firebox SSL VPN Gateway Click the Portal Page Configuration tab. Click Add File. In File Identifier, type a name that is descriptive of the types of users who use the portal page. The file name can help you later when you need to associate the portal page with a group.
Linking to Clients from Your Web Site <object id="Net6Launch" type="application/x-oleobject" classid="CLSID:7E0FDFBB-87D4-43a1-9AD4-41F0EA8AFF7B" codebase="net6helper.cab#version=2,1,0,6"> </object> Add the links as follows to the Web page. Multiple Log On Options using the Portal Page Users can have the option to log on using Secure Access Client, the Web Interface, or kiosk mode from one Web page.
tication policy check fails, the users receive an error message instructing them to contact their system administrator. For more information about pre-authentication policies, see “Global policies” on page 96. Double-source Authentication Portal Page When the Firebox SSL VPN Gateway is configured to require users to log on using two types of authentication, such as LDAP and RSA SecurID, they are directed automatically to the Web page or Secure Access Client dialog box, where users enter their user name and passwords.
Saving and Restoring the Configuration When you upgrade the Firebox SSL VPN Gateway, all of your configuration settings, including uploaded certificates, licenses, and portal pages, are restored automatically. However, if you reinstall the Firebox SSL VPN Gateway software, you must manually restore your configuration settings. Before using the Recovery CD to reinstall the Firebox SSL VPN Gateway software, save your configuration.
In Upload a Server Upgrade or Saved Config, click Browse. Locate the upgrade file that you want to upload and click Open. The file is uploaded and the Firebox SSL VPN Gateway restarts automatically. When you upgrade the Firebox SSL VPN Gateway, all of your configuration settings are saved. For information about saving and restoring a configuration, see “Saving and Restoring the Configuration”...
Allowing ICMP traffic To change the system date and time In the Administration Tool, click the VPN Gateway Cluster tab, select the appliance, and then click the Date tab. In Time Zone, select a time zone. In Date, type the date and time. Click Submit.
CHAPTER 4 Configuring Firebox SSL VPN Gateway Network Connections The Firebox SSL VPN Gateway has two network adapters that can be configured to work on your network. The VPN Gateway Cluster > General Networking tabs in the Administration Tool are used to configure most network settings.
• The Routes tab is where dynamic and static routes are configured • The Failover Servers tab is where multiple Firebox SSL VPN Gateways are configured General Networking The Firebox SSL VPN Gateway has two network adapters installed. If two network adapters are used, then one network adapter communicates with the Internet and computers that are not inside the corporate network.
For more information, see “Connecting to a Server Load Balancer” on page 28. External Public FQDN The Firebox SSL VPN Gateway uses the external IP address or FQDN to send its response to a request back to the correct network connection. If the external IP address is not specified, the Firebox SSL VPN Gateway sends responses out through the interface where the gateway is identified.
IP pooling is configured per group, as described in “Enabling IP Pooling” on page 94. Name Service Providers Name resolution is configured on the Name Service Providers tab. You can specify the following: DNS Server 1, DNS Server 2, DNS Server 3 These are the IP addresses of the first, second, and third DNS servers.
Under Edit the HOSTS file, in IP address, enter the IP address that you want to associate with an FQDN. In FQDN, enter the FQDN you want to associate with the IP address you entered in the previous step. Click Add. The IP address and HOSTS name pair appears in the Host Table. To remove an entry from the HOSTS file Under Host Table, click the IP address and HOSTS name pair you want to delete.
Dynamic and Static Routing Configuring Dynamic Routing When dynamic routing is selected, the Firebox SSL VPN Gateway operates as follows: • It listens for route information published through RIP and automatically populates its routing table. • If the Dynamic Gateway option is enabled, the Firebox SSL VPN Gateway uses the Default Gateway provided by dynamic routing, rather than the value specified on the General Networking tab.
In the text box, type a text string that is an exact, case-sensitive match to the authentication string transmitted by the RIP server. Select the Enable RIP MD5 Authentication for Interface check box if the RIP server transmits the authentication string encrypted with MD5. Do not select this option if the RIP server transmits the authentication string using plain text.
On the General Networking tab, click Submit. The route name appears in the Static Routes list. To test a static route From the Firebox SSL VPN Gateway serial console, type 1 (ping). Enter the host IP address for the device you want to ping and press Enter. If you are successfully communicating with the other device, messages appear saying that the same number of packets were transmitted and received, and zero packets were lost.
To set up the static route, you need to establish the path between the eth1 adapter and IP address 129.6.0.20. To set up the example static route Click the VPN Gateway Cluster tab and then click the Routes tab. In Destination LAN IP Address, set the IP address of the destination LAN to 129.6.0.0. In Subnet Mask, set the subnet mask for the gateway device.
nect to port 9001 when you are logged on from an external connection, configure IP pools and connect to the lowest IP address in the IP pool. Controlling Network Access Configuring Network Access After you configure the appliance to operate in your network environment, the next step is to configure network access for the appliance and for groups and users.
You can change the default operation so that user groups are denied network access unless they are allowed access to one or more network resource groups. • You configure ACLs for user groups by specifying which network resources are allowed or denied per user group.
Denying Access to Groups without an ACL When you enable split tunneling, you must enter a list of accessible networks on the Global Cluster Policies tab. The list of accessible networks must include all internal networks and subnetworks that the user may need to access with the Secure Access Client.
To deny access to user groups without an ACL Click the Global Cluster Policies tab. Under Access Options, select Deny Access without ACL. Click Submit. Improving Voice over IP Connections Real-time applications, such as voice and video, are implemented over UDP. TCP is not appropriate for real-time traffic due to the delay introduced by acknowledgements and retransmission of lost packets.
If the Improving Voice over IP Connections setting is not selected, the UDP traffic is encrypted using the symmetric encryption cipher that is specified in the Select encryption type for client connections setting on the Global Cluster Policies tab. The encryption ciphers are negotiated between the client computer and the Firebox SSL VPN Gateway in the order listed.
CHAPTER 5 Configuring Authentication and Authorization The Firebox SSL VPN Gateway supports several authentication types including LDAP, RADIUS, RSA SecurID, NTLM, and Secure Computing’s SafeWord products. The following topics describe how to configure Firebox SSL VPN Gateway authentication: • Choosing When to Configure Authentication on the Firebox SSL VPN Gateway •...
Communications between the Firebox SSL VPN Gateway and authentication servers. If a user is not located on an authentication server or fails authentication on that server, the Firebox SSL VPN Gateway checks the user against the local user list if Use the local user database on the Firebox SSL VPN Gateway is selected on the Authentication >...
Configuring Authentication without Authorization The Firebox SSL VPN Gateway can be configured to authenticate users without requiring authorization. When users are not authorized, the Firebox SSL VPN Gateway does not perform a group authorization check. The settings from the Default user group are assigned to the user. To remove authorization requirements from the Firebox SSL VPN Gateway On the Authentication tab, select an authorization realm.
Configuring Local Users You can create user accounts locally on the Firebox SSL VPN Gateway to supplement the users on authentication servers. For example, you might want to create local user accounts for temporary users, such as consultants or visitors, without creating an entry for those users on the authentication server.
To change a user’s password On the Access Policy Manager tab, right-click a user, and click Set Password. Type the password twice and then click OK. Using LDAP Authorization with Local Authentication By default, the Firebox SSL VPN Gateway obtains an authenticated user’s group(s) from the local group file stored on the Firebox SSL VPN Gateway.
Note: WatchGuard recommends that realm names map to their corresponding domain names. This enables users to log on using either realm name\user name or user name@realm name.
RemoteAccess, SafeWord for WatchGuard, and SafeWord PremierAccess 4.0. • Install the SafeWord Web Interface Agent to work with the WatchGuard Web Interface. Authentication does not have to be configured on the Firebox SSL VPN Gateway and can be handled by the WatchGuard Web Interface.
Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication Configure a SafeWord realm to authenticate users. The Firebox SSL VPN Gateway acts as a SafeWord agent authenticating on behalf of users logged on using Secure Access Client. If a user is not located on the SafeWord server or fails authentication, the Access Gateway checks the user against the local user list if Use the local user database on the Access Gateway is selected on the Settings tab.
If you are already using SafeWord for Citrix or SafeWord RemoteAccess in your configuration to authenticate using the Web Interface, you need to do the following: • Install and configure the SafeWord IAS Agent • Configure the IAS RADIUS server to recognize the Firebox SSL VPN Gateway as a RADIUS client •...
Using RADIUS Servers for Authentication and Authorization
• Type is the vendor-assigned attribute number.
• Attribute name is the type of attribute name that is defined in IAS. The default name is CTXSUserGroups=.
• Separator is defined if multiple user groups are included in the RADIUS configuration. A separator can be a space, a period, a semicolon, or a colon.
18 In the Add Attributes dialog box, select Vendor-Specific and click Add. 19 In the Vendor-Specific Attribute Information dialog box, choose Select from list and accept the default RADIUS=Standard. The Firebox SSL VPN Gateway needs the Vendor-Specific Attribute to match the users defined in the group on the server with those on the Firebox SSL VPN Gateway.
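As an added example (not WatchGuard code) of how the Type, Attribute name and Separator settings above fit together, this Python decoder pulls the group names out of a RADIUS Vendor-Specific Attribute in an Access-Accept. The vendor id and vendor type numbers, the sample reply and the group names are constructed placeholders; the wire layout is the standard RFC 2865 type-26 format.

```python
"""Decode the RADIUS Vendor-Specific Attribute (type 26, RFC 2865 section
5.26) that carries group names for Firebox SSL VPN Gateway authorization.

Added example; not WatchGuard code.  The vendor id, vendor type number and
sample group names below are constructed placeholders for illustration.
"""
import struct

VSA_TYPE = 26                               # RADIUS Vendor-Specific attribute
DEFAULT_ATTRIBUTE_NAME = "CTXSUserGroups="  # default attribute name from the guide
ALLOWED_SEPARATORS = {" ", ".", ";", ":"}   # separators the guide permits


def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list, validating lengths."""
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[offset], payload[offset + 1]
        if attr_len < 2 or offset + attr_len > len(payload):
            raise ValueError("attribute length field out of range")
        yield attr_type, payload[offset + 2:offset + attr_len]
        offset += attr_len


def parse_vsa(value: bytes):
    """Split a type-26 value into (vendor_id, vendor_type, vendor_value)."""
    if len(value) < 6:
        raise ValueError("vendor-specific attribute too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vendor_type, vendor_len = value[4], value[5]
    # vendor_len counts the vendor type, vendor length and value bytes
    if vendor_len < 2 or vendor_len != len(value) - 4:
        raise ValueError("vendor length field does not match attribute")
    return vendor_id, vendor_type, value[6:]


def extract_groups(payload: bytes, vendor_id: int, vendor_type: int,
                   attribute_name: str = DEFAULT_ATTRIBUTE_NAME,
                   separator: str = ";"):
    """Return the group names carried in matching VSAs, in wire order.

    Only attributes whose vendor id and vendor type match are considered,
    so a VSA from another vendor that happens to carry the same text is
    ignored.  Empty fields produced by doubled separators are dropped.
    """
    if separator not in ALLOWED_SEPARATORS:
        raise ValueError("separator must be a space, period, semicolon or colon")
    groups = []
    for attr_type, value in parse_attributes(payload):
        if attr_type != VSA_TYPE:
            continue
        vid, vtype, vvalue = parse_vsa(value)
        if (vid, vtype) != (vendor_id, vendor_type):
            continue
        text = vvalue.decode("utf-8", errors="strict")
        if not text.startswith(attribute_name):
            continue
        groups.extend(g for g in text[len(attribute_name):].split(separator) if g)
    return groups


def build_vsa(vendor_id: int, vendor_type: int, text: str) -> bytes:
    """Encode one type-26 attribute; used here only to construct sample input."""
    body = text.encode("utf-8")
    vendor_part = struct.pack("!IBB", vendor_id, vendor_type, len(body) + 2) + body
    return bytes([VSA_TYPE, len(vendor_part) + 2]) + vendor_part


# Constructed sample Access-Accept attribute list (placeholder vendor numbers).
SAMPLE_VENDOR_ID = 12345
SAMPLE_VENDOR_TYPE = 16
SAMPLE_PAYLOAD = (
    bytes([1, 7]) + b"alice"                                    # User-Name (type 1)
    + build_vsa(SAMPLE_VENDOR_ID, SAMPLE_VENDOR_TYPE,
                "CTXSUserGroups=Sales;Engineering")
    + build_vsa(SAMPLE_VENDOR_ID, 99, "Other=ignored")          # wrong vendor type
    + build_vsa(54321, SAMPLE_VENDOR_TYPE, "CTXSUserGroups=Spoofed")  # wrong vendor id
)

if __name__ == "__main__":
    print(extract_groups(SAMPLE_PAYLOAD, SAMPLE_VENDOR_ID, SAMPLE_VENDOR_TYPE))
```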
To specify RADIUS server authentication Click the Authentication tab. In Realm Name, type a name for the authentication realm that you will create, select One Source, and then click Add. If your site has multiple authentication realms, use a name that identifies the RADIUS realm for which you will specify settings.
RADIUS authentication. If you synchronize configurations among several Firebox SSL VPN Gateway appliances in a cluster, all the appliances are configured with the same secret. Shared secrets are configured on the Firebox SSL VPN Gateway when a RADIUS realm is created. Using LDAP Servers for Authentication and Authorization You can configure the Firebox SSL VPN Gateway to authenticate user access with an LDAP server.
The base DN examples cover the following directories: Microsoft Active Directory Server; Novell eDirectory; IBM Directory Server; Lotus Domino; Sun ONE directory (formerly iPlanet). The bind DN examples cover the following directories: Microsoft Active Directory Server; Novell eDirectory; IBM Directory Server; Lotus Domino...
Select Allow Unsecure Traffic to allow unsecure LDAP connections. When this check box is clear, all LDAP connections are secure. In Administrator Bind DN, type the Administrator Bind DN for queries to your LDAP directory. The following are examples of syntax for Bind DN: “domain/user name”...
LDAP Authorization Group memberships from group objects: working evaluations LDAP servers that evaluate group memberships from group objects indirectly work with Firebox SSL VPN Gateway authorization. Some LDAP servers, such as Active Directory or eDirectory, enable user objects to contain information about the groups to which they belong.
The LDAP Server port defaults to 389. If you are using an indexed database, such as Microsoft Active Directory with a Global Catalog, changing the LDAP Server port to 3268 significantly increases the speed of the LDAP queries. If your directory is not indexed, use an administrative connection rather than an anonymous connection from the Firebox SSL VPN Gateway to the database.
For Active Directory, the group name specified as cn=groupname is required. The group name that is defined in the Firebox SSL VPN Gateway must be identical to the group name that is defined on the LDAP server. For other LDAP directories, the group name either is not required or, if required, is specified as ou=groupname.
Host: Host name or IP address of your LDAP server.
Port: Defaults to 389.
Base DN: You can leave this field blank. (The information provided by the LDAP Browser will help you determine the Base DN needed for the Authentication tab.)
Anonymous Bind: Select the check box if the LDAP server does not require credentials to connect to it.
Using RSA SecurID for Authentication The Firebox SSL VPN Gateway supports RSA ACE/Server Version 5.2 and higher. The Firebox SSL VPN Gateway also supports replication servers. Replication server configuration is completed on the RSA ACE/Server and is part of the sdconf.rec file that is uploaded to the Firebox SSL VPN Gateway. If this is configured on the RSA ACE/Server, the Firebox SSL VPN Gateway attempts to connect to the replication servers if there is a failure or network connection loss with the primary server.
To create the configuration file for the new or changed Agent Host, go to Agent Host > Generate Configuration Files. The file that you generate (sdconf.rec) is what you will upload to the Firebox SSL VPN Gateway, as described in the next procedure.
Configuring RSA Settings for a Cluster If you have two or more appliances configured as a cluster, the sdconf.rec file needs to contain the FQDNs of all the appliances. The sdconf.rec file is installed on one Access Gateway and then published. This allows all of the appliances to connect to the RSA server.
Note: If you are configuring double-source authentication, click Two Source and then click Add. For more information about configuring double-source authentication, see “Configuring Double-Source Authentication” on page 85. In IP address type the IP address of the RADIUS IAS server. In Port, type the port number.
Note: When 0 (zero) is entered as the port, the Access Gateway attempts to automatically detect a port number for this connection. In Time-out (in seconds), enter the number of seconds within which the authentication attempt must complete.
You can prevent the storage of one-time passwords in cache, which forces the user to enter their credentials again. To prevent caching of one-time passwords In the Administration Tool, click the Authentication tab. Open the authentication realm that uses the one-time password. Select Use the password one time and click Submit.
Configuring Double-Source Authentication
and passcode first and then the LDAP password second. Whatever is typed in the first password field is done last and the second password field is done first.
Changing Password Labels You can change the password labels to accurately reflect the authentication type with which the user is logging on and to provide the correct prompt for what the user needs to type.
CHAPTER 6 Adding and Configuring Local Users and User Groups User groups define the resources the user has access to when connecting to the corporate network through the Firebox SSL VPN Gateway. Groups are associated with the local users list. After adding local users, you can then define the resources they have access to on the Access Policy Manager tab.
User Group Overview All users are members of the Default resource group. To add a user to another group, under Local Users, click and drag the user to the user group to which you want the user to belong. To delete a user from the Firebox SSL VPN Gateway Right-click the user in the Local Users list and click Remove.
Group resources include: • Network resources that define the networks to which clients can connect. • Application policies that define the applications users can use when connected. In addition to selecting the application, you can further define which networks the application has access to and if any end point policies need to be met when connecting.
Configuring Properties for a User Group Group properties include configuring access, networking, portal pages, and client certificates. Properties are configured by right-clicking a group and then clicking Properties. Settings for the group are configured on the General, Networking, Gateway Portal, Members, and Client Certificates tabs.
If you want to close a connection and prevent a user or group from reconnecting automatically, you must select the Authenticate after network interruption setting. Otherwise, users immediately reconnect without being prompted for their credentials. For more information, see “Managing Client Connections”...
supported and do not run. If the domain controller cannot be contacted, the Firebox SSL VPN Gateway connection is completed but the logon scripts are not run. Important: The client computer must be a domain member in order to run domain logon scripts. To enable logon scripts Click the Access Policy Manager tab.
Configuring Web Session Time-Outs When a user is logged on to the Firebox SSL VPN Gateway and using a Web browser to connect to Web sites in the secure network, cookies are set to determine if a user’s Web session is still active on the Firebox SSL VPN Gateway.
On the General tab, under Application Options, select Deny applications without policies. For more information about application policies, see “Application policies” on page 101. For more information about endpoint policies, see “End point resources and policies” on page 104. Enabling Split DNS By default, the Firebox SSL VPN Gateway checks a user’s remote DNS only.
O attribute of the Subject of the client certificate Values for the client certificate criteria on the User Groups tab require quotation marks around them to work. Correct and incorrect examples are: The Boolean expression client_cert_end_user_subject_common_name=“clients.gateways.watchguard.com” is valid and it works. The Boolean expression client_cert_end_user_subject_common_name=clients.gateways.watchguard.com...
Configuring Resources for a User Group Client certificate configuration is not available for the default user group. To specify client certificate configuration On the Access Policy Manager tab, right-click a group that is not the default group. On the Client Certificates tab, under Client Certificate Criteria Expression, type the certificate information.
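The quoting rule above is easy to get wrong when an expression is typed by hand. The checker below is an added example written for this guide, not WatchGuard code: it enforces that every value in a client certificate criteria expression is quoted, and then evaluates the expression against a parsed certificate subject. The guide shows only a single term, so the `and`/`or` combinators, the mapping of attribute names to RDN types, the acceptance of typographic quotes, and the sample subject are all assumptions made for the example.

```python
"""Validate and evaluate a client-certificate criteria expression.

Added example, not WatchGuard code. The guide's rule: the value in a term
such as client_cert_end_user_subject_common_name="..." must be quoted or
the expression does not work. Combining terms with 'and'/'or', and the
attribute-to-RDN mapping, are assumptions for the example.
"""
import re
from typing import Dict, List, Tuple

# Attribute names: the common-name one appears in the guide; the O
# (organization) mapping is an assumption for the example.
ATTRIBUTE_TO_RDN = {
    "client_cert_end_user_subject_common_name": "CN",
    "client_cert_end_user_subject_organization": "O",
}

# A term is NAME=QUOTED_VALUE; straight or typographic quotes are accepted
# (assumption: the product may only accept straight quotes).
TERM_RE = re.compile(
    r'^\s*([A-Za-z_]+)\s*=\s*(["\u201c\u201d])([^"\u201c\u201d]*)(["\u201c\u201d])\s*$')
UNQUOTED_RE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*([^"\u201c\u201d\s]+)\s*$')


def validate_term(term: str) -> Tuple[bool, str]:
    """Accept only NAME="value"; name the specific defect otherwise."""
    if TERM_RE.match(term):
        return True, "ok"
    if UNQUOTED_RE.match(term):
        return False, f"value must be quoted: {term.strip()}"
    return False, f"unrecognised term: {term.strip()}"


def validate_expression(expr: str) -> Tuple[bool, List[str]]:
    """Split on ' and ' / ' or ' (assumed combinators) and check each term."""
    problems = []
    for term in re.split(r'\s+(?:and|or)\s+', expr):
        ok, why = validate_term(term)
        if not ok:
            problems.append(why)
            continue
        name = TERM_RE.match(term).group(1)
        if name not in ATTRIBUTE_TO_RDN:
            problems.append(f"unknown attribute: {name}")
    return not problems, problems


def evaluate(expr: str, subject: Dict[str, str]) -> bool:
    """Evaluate a validated expression against a subject keyed by RDN type.
    'and' binds tighter than 'or' (assumption, as in most boolean grammars)."""
    ok, problems = validate_expression(expr)
    if not ok:
        raise ValueError("; ".join(problems))

    def term_true(term: str) -> bool:
        m = TERM_RE.match(term)
        return subject.get(ATTRIBUTE_TO_RDN[m.group(1)]) == m.group(3)

    return any(all(term_true(t) for t in re.split(r'\s+and\s+', clause))
               for clause in re.split(r'\s+or\s+', expr))


# Constructed subject of a client certificate, keyed by RDN type.
SAMPLE_SUBJECT = {"CN": "clients.gateways.watchguard.com", "O": "Example Corp"}

if __name__ == "__main__":
    good = 'client_cert_end_user_subject_common_name="clients.gateways.watchguard.com"'
    bad = 'client_cert_end_user_subject_common_name=clients.gateways.watchguard.com'
    print(validate_term(good), evaluate(good, SAMPLE_SUBJECT))
    print(validate_term(bad))
```

Running the checker before pasting an expression into the Client Certificates tab catches the unquoted form the guide calls invalid, and the evaluator lets you confirm against a known subject that the expression will match the certificates you intend, and only those.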
• Logon and portal page usage that defines the page the user sees when logging on. The logon page can be a page provided by WatchGuard and can be modified for individual companies. If your company is using WatchGuard Presentation Server, the logon page can be the Web Interface.
• Kiosk resources that define how the user can log on and which file shares and applications are accessible to the user when logged on. If the user is allowed to use the Firefox Web browser in kiosk mode, the Web address the user is allowed to use is also defined.
To configure resource access control for a group Click the Access Policy Manager tab. In the right pane, configure the group resources. When the resource is configured, click the resource and drag it to the group in the left pane. To allow or deny a resource, in the left pane, right-click the network resource or application policy and then click Allow or Deny.
• You can further restrict access by specifying a port and protocol for an IP address/subnet pair. For example, you might specify that a resource can use only port 80 and the TCP protocol. •...
• Deny rules take precedence over allow rules. This enables you to allow access to a range of resources and to also deny access to selected resources within that range. For example, you might want to allow a group access to a resource group that includes 10.20.10.0/24, but need to deny that user group access to 10.20.10.30.
To add an application policy to a group On the Access Policy Manager tab, in the right pane, under Application Policies, click the resource you want to add and then drag it to the user group in the left pane. To allow or deny access, right-click the network resource and then click Allow or Deny.
To create a file share resource Click the Access Policy Manager tab. In the right pane, right-click File Share Resources, click New File Share Resource, type a name, and click OK. In Share Source, type the path to the share source using the form: //server/share.
To add a file share, under File Share Resources, drag the resource to Shares under File Shares. Select the applications users are allowed to use in kiosk mode. Click Kiosk Persistence (Save Application Settings) to retain Firefox preferences between sessions.
If you selected Process Rule, do the following: - Click Process Rule. - In Process Name, type the name of the process or click Browse to navigate to the file. The MD5 field is automatically completed when a process name is entered. Click OK.
Setting the Priority of Groups In the right pane, right-click End Point Policies and then click New End Point Policy. Type a name and click OK. When the policy is created, create the expression by dragging and dropping the end point resources into the Expression Root.
The following two settings are unioned: they are combined across all of the groups of which the user is a member, and the combined set is the set of rules enforced for the user. For example, if a user is a member of the sales and support groups, the sales group has notepad.exe and calc.exe defined as an end point policy, and the support group has just Internet Explorer defined, all of these policies are enforced for the user.
Gateway and the certificate is sent to a CA for signing. When the certificate is received back, it is installed on the appliance. During installation it is paired with the password-protected private key. WatchGuard recommends using this method to create and install
Digital Certificates and Firebox SSL VPN Gateway Operation • Install a PEM certificate and private key from a Windows computer. This method uploads a signed certificate and private key together. The certificate is signed by a CA and it is paired with the private key.
private key from tampering and it is also required when restoring a saved configuration to the Firebox SSL VPN Gateway. Passwords are used whether the private key is encrypted or unencrypted. Caution: When you upgrade to Version 6.0 and save the configuration file, it cannot be used on earlier versions of the Firebox SSL VPN Gateway.
Overview of the Certificate Signing Request When you save the Firebox SSL VPN Gateway configuration, any certificates that are already installed are included in the backup. To install a certificate file using the Administration Tool Click the VPN Gateway Cluster tab. On the Administration tab, next to Upload a signed Certificate (.crt), click Browse.
The root certificate that is installed on the Firebox SSL VPN Gateway has to be in PEM format. On Windows, the file extension .cer is sometimes used to indicate that the root certificate is in PEM format. If you are validating certificates on internal connections, the Firebox SSL VPN Gateway must have a root certificate installed.
Client Certificates Note: HyperTerminal is not installed automatically on Windows 2000 Server or Windows Server 2003. To install HyperTerminal, use Add/Remove Programs in Control Panel. Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1 stop bit. Hardware flow control is optional.
Installing Root Certificates Support for most trusted root authorities is already built into the Windows operating system and Internet Explorer. Therefore, there is no need to obtain and install root certificates on the client device if you are using these CAs. However, if you decide to use a different CA, you need to obtain and install the root certificates yourself.
Click Submit. Requiring Certificates from Internal Connections To increase security for connections originating from the Firebox SSL VPN Gateway to your internal network, you can require the Firebox SSL VPN Gateway to validate SSL server certificates. Previous versions of the Firebox SSL VPN Gateway did not validate the SSL server certificate presented by the Web Interface and the Secure Ticket Authority.
CHAPTER 8 Working with Client Connections Clients can access resources on the corporate network by connecting through the Firebox SSL VPN Gateway from their own computer or from a public computer. The following topics describe how client connections work: • Using the Access Portal •...
Using the Access Portal If clients are using Mozilla Firefox to connect, pages that require ActiveX, such as the pre-authentication page, are not able to run. If clients are going to connect using the kiosk, they must have Sun Java Runtime Environment (JRE) Version 1.5.0_06 installed on their computer.
the computer is started, users do not have to do anything to create the connection, provided that they have a network connection and can log onto Windows. The connection enables users to work with the connected site just as if they were logged on at the site.
Connecting from a Private Computer • The Firebox SSL VPN Gateway terminates the SSL tunnel, accepts any incoming traffic destined for the private network, and forwards the traffic to the private network. The Firebox SSL VPN Gateway sends traffic back to the remote computer over a secure tunnel. When a remote user logs on using the Secure Access Client, the Firebox SSL VPN Gateway prompts the user for authentication over HTTP 401 Basic or Digest.
that remote users can access through the VPN connection. For more information, see “Configuring Resources for a User Group” on page 96. All IP packets, regardless of protocol, are intercepted and transmitted over the secure link. Connections from local applications on the client computer are securely tunneled to the Firebox SSL VPN Gateway, which reestablishes the connections to the target server.
sends its known local IP address to the server by means of a custom client-server protocol. For these applications, the Secure Access Client provides the local client application a private IP address representation, which the Firebox SSL VPN Gateway uses on the internal network. Many real-time voice applications and FTP use this feature.
An email template is provided that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. WatchGuard recommends that you customize the text for your site and then send the text in an email to users.
[Figure: The Secure Access Client dialog box with the pop-up menu showing Advanced Options]
Under Proxy Settings, select Use Proxy Host and then in Proxy Address and Proxy Host, type the IP address and port. If the proxy server requires authentication, select Proxy server requires authentication.
In IP Address and Port, type the IP address and port number. If authentication is required by the server, select Proxy server requires authentication. The Advanced Options dialog box can also be opened by right-clicking the WatchGuard Secure Access icon on the desktop and then clicking Properties.
The Firebox SSL VPN Gateway provides secure access to a corporate network from a public computer using kiosk mode. When users select A public computer on the WatchGuard portal page, a Web browser opens. The user logs on and then can access applications provided in the browser window.
Use the logon page to connect, as described in “Connecting Using a Web Address”. Click A public computer. The WatchGuard Secure Access logon dialog box appears. Enter your network logon credentials and click Login. Note: Users logged on using kiosk mode can use the FTP protocol to download files from the corporate network.
Connecting from a Public Computer To create and configure a kiosk resource Click the Access Policy Manager tab. In the right pane, right-click Kiosk Resources and then click New Kiosk Resource. Type a name for the resource and click OK. To add a file share, under File shares, drag the resource to Shares.
Select a file share from File Share Resources and drag it to Shares under File shares in the kiosk resource. Click OK. To remove a file share On the Access Policy Manager tab, in the right pane, right-click the file share and click Remove. You can specify the shared network drives that are accessible for sessions.
Client Applications Firefox Web Browser The Firefox Web browser allows users to connect to the Internet when they are logged on in kiosk mode. They can connect to Web sites as if they were sitting at their own computer. To configure Firefox Click the Access Policy Manager tab.
To use the SSH client From the portal page, choose A public computer and log on. In the Web browser, click the SSH icon. Enter the user name and SSH host name or IP address. The SSH window opens. Telnet 3270 Emulator Client The Telnet 3270 Emulator client enables the user to establish a Telnet 3270 connection to a remote computer.
Supporting Secure Access Client To use Gaim From the portal page, choose A public computer and log on. In the Web browser, double-click the Gaim icon. If messaging services were not added, an Accounts window opens. Click Add. In the Add Account dialog box, in Protocol, select the instant messaging service to add. Complete the rest of the information and click Save.
An email template is provided that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. Customize the text for your site and then send the text in an email to users. To install the Secure Access Client from inside the firewall, go to the portal page and use the Click here to download the client installer link to download the client.
Managing Client Connections Closing a connection to a resource Without disrupting a user’s VPN connection, you can temporarily close the user’s connection to a particular resource. To prevent the user from connecting to the resource, correct the user’s group ACL. To close a connection In the Firebox SSL VPN Gateway Administration Desktop, click the Real-time Monitor icon.
In the left pane, right-click a group and click Properties. On the General tab, under Session options, select one or both of the following: • Authenticate after network interruption. This option forces a user to log on again if the network connection is briefly interrupted.
APPENDIX A Monitoring and Troubleshooting The following topics describe how to use Firebox SSL VPN Gateway logs and troubleshoot issues: • Viewing and Downloading System Message Logs • Enabling and Viewing SNMP Logs • Viewing System Statistics •...
Viewing and Downloading System Message Logs Click Logging/Settings. Under Gateway Log, click Display Logging Window. The log for today’s date is displayed. To display the log for a prior date, select the date in the Log Archive list and click View Log. By default, the log displays all entries.
Fields listed: sc-status, cs-uri, sc-uri
To view or download the log, go to the Logging > Configuration tab and click Download W3C Log.
Enabling and Viewing SNMP Logs When Simple Network Management Protocol (SNMP) is enabled, the Firebox SSL VPN Gateway reports the MIB-II system group (1.3.6.1.2.1).
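A downloaded W3C log is most useful once it is parsed by the names in its `#Fields:` directive rather than by column position. The parser below is an added example for this guide, not WatchGuard code: it reads a W3C extended-format log, keys each record by the field names the file declares, and pulls out the repeated 401 responses on the logon URI that a defender would want to alert on. Only `sc-status` and `cs-uri` are named on this page; the other field names (`date`, `time`, `c-ip`, `cs-username`, `cs-method`) are standard W3C extended-log names assumed for the example, and the log lines themselves are constructed.

```python
"""Parse a W3C extended-format gateway log and flag failed logons.

Added example, not WatchGuard code. The guide names the fields sc-status
and cs-uri; the remaining field names follow the W3C extended log format
and the sample records are constructed for this example.
"""
from collections import Counter
from typing import Dict, List

# Constructed sample log: directives begin with '#', records are
# space-separated in the order given by the '#Fields:' directive.
SAMPLE_W3C_LOG = """\
#Software: constructed sample
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri sc-status
2006-03-01 09:12:01 198.51.100.7 alice GET /portal/default.html 200
2006-03-01 09:12:05 198.51.100.7 alice POST /portal/login 401
2006-03-01 09:12:09 198.51.100.7 alice POST /portal/login 401
2006-03-01 09:12:14 198.51.100.7 alice POST /portal/login 200
2006-03-01 09:13:40 203.0.113.9 - GET /portal/default.html 200
2006-03-01 09:13:41 203.0.113.9 - GET /portal/missing.html 404
2006-03-01 09:13:42 203.0.113.9 - POST /portal/login 401
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the #Fields line.

    Directive lines (#...) are metadata. A record whose field count does
    not match the directive is skipped rather than mis-keyed, and records
    before any #Fields directive are skipped because they cannot be named.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def status_by_client(records: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Count sc-status values per client address."""
    summary: Dict[str, Counter] = {}
    for r in records:
        summary.setdefault(r["c-ip"], Counter())[r["sc-status"]] += 1
    return summary


def failed_logons(records: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Client addresses with at least `threshold` 401 responses on the logon
    URI: repeated authentication failures worth reviewing."""
    fails = Counter(r["c-ip"] for r in records
                    if r["sc-status"] == "401" and r["cs-uri"].endswith("/login"))
    return sorted(ip for ip, n in fails.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_W3C_LOG)
    print(len(recs), "records")
    print(status_by_client(recs))
    print("repeated logon failures:", failed_logons(recs))
```

Because the parser trusts the `#Fields:` directive, a log exported with a different field order still parses correctly; the only thing the alerting function needs is that `c-ip`, `cs-uri` and `sc-status` are present.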
Viewing System Statistics To obtain SNMP data for the Firebox SSL VPN Gateway through Multi Router Traffic Grapher (in UNIX) Configure the Firebox SSL VPN Gateway to respond to SNMP queries as discussed in “To enable logging of SNMP messages” on page 139. Create Multi Router Traffic Grapher configuration files in /etc/mrtg.
bottom right corner, you can view process and network activity levels; mouse over the two graphs to view numeric data. To open the Firebox SSL VPN Gateway Administration Desktop Open a Web browser and type the IP address or FQDN of the Firebox SSL VPN Gateway. The accepted formats are https://IPaddress or https://FQDN.
To obtain the v 5.0 software update, v 5.0 Administrator’s Guide and v 5.0 Release Notes, go to https://www.watchguard.com/archive/softwarecenter.asp. You must log in with your LiveSecurity user name and passphrase and select the Firebox SSL VPN Gateway support view.
After the Administration Tool installation is complete, you can launch the new tool from Start > All Programs > WatchGuard. Type the IP address or FQDN of the SSL VPN Gateway device in the Connecting To dialog box. Note that the dialog box does not always appear in the foreground; it may be buried behind other open windows on your desktop.
Troubleshooting By default, the Firebox SSL VPN Gateway passes only the user name and password to the Web Interface. To correct this, configure a default domain or a set of domains users can log on to. The Web Interface uses the first one in the list as the default domain. Web Interface Credentials Are Invalid When users log on to the Firebox SSL VPN Gateway, they are sent to the Web Interface but their applications are not displayed.
Troubleshooting Defining Accessible Networks In the Accessible Networks field on the Global Cluster Policies tab, up to 24 subnets can be defined. If more than 24 subnets are entered, the Firebox SSL VPN Gateway ignores the additional subnets. VMWare If a user logs on to the Secure Access Client from two computers that are running VMWare and VMWare uses the same MAC address for the two computers, the Firebox SSL VPN Gateway does not allow both clients to run simultaneously.
Troubleshooting Internal Failover If internal failover is enabled and the administrator is connected to the Firebox SSL VPN Gateway, the Administration Tool cannot be reached over the connection. To fix this problem, enable IP pooling and then connect to the lowest IP address in the pool range on port 9001. For example, if the IP pool range starts at 10.10.3.50, connect to the Administration Tool using 10.10.3.50:9001.
Devices Cannot Communicate with the Firebox SSL VPN Gateway Verify that the following are correctly set up: • The External Public Address specified on the General Networking tab in the Firebox SSL VPN Gateway Administration Tool is available outside of your firewall •...
Troubleshooting Client Connections from a Windows Server 2003 If a connection to the Firebox SSL VPN Gateway is made from a Windows Server 2003 computer that is its own DNS server, local and public DNS resolution does not work. To fix this issue, configure the Windows Server 2003 network settings to point to a different DNS server.
WatchGuard recommends that the user’s personal firewall allow full access for the Secure Access Client. If you do not want to allow full access, the following UDP and UDP/TCP ports need to be open on the client computer: •...
BlackICE PC Protection To view Secure Access Client status properties Double-click the Secure Access Client connection icon in the notification area. Alternatively, right-click the icon and choose Properties from the menu. The Secure Access Client dialog box appears. The properties of the connection provide information that is helpful for troubleshooting. The properties include: •...
Trusted & Banned IPs: Add the IP address or range of allowed resources as trusted IP addresses.
System Services: In the System Services list, select each service that you plan to use over the VPN connection.
Norton Personal Firewall If you are using the default Norton Personal Firewall settings, you can simply respond to the Program Control alerts the first time that you attempt to start the Secure Access Client or when you access a blocked location or application.
ZoneAlarm Pro To configure the settings, open the Tiny Personal Firewall administration window, click the Advanced button to view the Firewall Configuration window, and then use the Filter Rule dialog box as indicated below. To permit the IP address or range of allowed resources, use the following settings:
Protocol = TCP and UDP
Direction = Both Directions...
APPENDIX C Installing Windows Certificates The Firebox SSL VPN Gateway includes the Certificate Request Generator to automatically create a certificate request. After the file is returned from the Certificate Authority, it can be uploaded to the Firebox SSL VPN Gateway. When the file is uploaded, it is converted automatically to the correct format for use. If you do not want to use the Certificate Request Generator to create the signed certificate, use Linux OpenSSL to administer any certificate tasks.
Unencrypting the Private Key 12 Click Next to start the installation. After Cygwin installs, you can generate the CSR. These instructions to generate a CSR assume that you are using the Cygwin UNIX environment installed as described in “To install Cygwin” on page 153. To generate a CSR using the Cygwin UNIX environment Double-click the Cygwin icon on the desktop.
For information about downloading OpenSSL for Windows, see the SourceForge Web site at http://sourceforge.net/project/showfiles.php?group_id=23617&release_id=48801.
Converting to a PEM-Formatted Certificate The signed certificate file that you receive from the Certificate Authority might not be in a PEM format. If the file is in binary format (DER), convert it to PEM format as follows:
openssl x509 -in certFile -inform DER -outform PEM -out convertedCertFile
If the certificate is already in a text format, it may be in PKCS format.
Generating Trusted Certificates for Multiple Levels To combine the private key with the signed certificate Use a text editor to combine the unencrypted private key with the signed certificate in the PEM file format. The file contents should look similar to the following:
-----BEGIN RSA PRIVATE KEY-----
<Unencrypted Private Key>...
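The steps in this appendix (check whether the CA returned DER or PEM, convert DER with `openssl x509`, make sure the private key is unencrypted, then paste key and certificate into one PEM file in that order) are easy to get subtly wrong by hand, and a combined file with an encrypted key or a DER body fails only at upload time. The script below is an added example for this guide, not WatchGuard code: it detects the certificate format, converts DER to PEM with the standard library equivalent of the `openssl x509` command, refuses an encrypted key, and assembles the combined file. The same format detection applies to the root certificate, which the guide says must be PEM even when a Windows `.cer` extension is used. All key and certificate bytes below are constructed placeholders, not real cryptographic material.

```python
"""Check and assemble the certificate material the guide describes.

Added example, not WatchGuard code. Detects DER vs PEM, converts DER to PEM
(the equivalent of: openssl x509 -in certFile -inform DER -outform PEM),
refuses an encrypted private key, and writes the combined key-then-
certificate PEM file in the order the guide shows. The key and certificate
bytes used here are constructed placeholders, not real keys.
"""
import base64
import ssl
from typing import Tuple

PEM_CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_KEY_BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
PEM_KEY_END = "-----END RSA PRIVATE KEY-----"


def detect_format(data: bytes) -> str:
    """'pem' if a PEM header is present, 'der' if the file starts with the
    ASN.1 SEQUENCE tag (0x30) that every DER certificate begins with."""
    if b"-----BEGIN " in data:
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def to_pem_certificate(data: bytes) -> str:
    """Return the certificate as PEM text, converting from DER if needed."""
    fmt = detect_format(data)
    if fmt == "pem":
        return data.decode("ascii")
    if fmt == "der":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("neither PEM nor DER; unpack PKCS#7/PKCS#12 bundles with openssl first")


def pem_to_der(pem: str) -> bytes:
    """Inverse conversion, used to confirm a conversion round-trips."""
    return ssl.PEM_cert_to_DER_cert(pem)


def check_private_key(pem: str) -> Tuple[bool, str]:
    """The combined file must hold an unencrypted RSA key. OpenSSL marks a
    traditionally encrypted PEM key with a 'Proc-Type: 4,ENCRYPTED' header;
    an encrypted PKCS#8 key uses a different BEGIN line altogether."""
    if "BEGIN ENCRYPTED PRIVATE KEY" in pem:
        return False, "PKCS#8 encrypted key: decrypt it before combining"
    if PEM_KEY_BEGIN not in pem or PEM_KEY_END not in pem:
        return False, "no RSA PRIVATE KEY block found"
    if "Proc-Type: 4,ENCRYPTED" in pem:
        return False, "encrypted RSA key: remove the passphrase before combining"
    return True, "unencrypted RSA key"


def combine(key_pem: str, cert_pem: str) -> str:
    """Key first, then certificate, each block terminated by a newline."""
    ok, why = check_private_key(key_pem)
    if not ok:
        raise ValueError(why)
    if PEM_CERT_BEGIN not in cert_pem:
        raise ValueError("certificate is not PEM")
    return key_pem.rstrip("\n") + "\n" + cert_pem.rstrip("\n") + "\n"


# Constructed placeholders: not real key or certificate material.
FAKE_DER_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_KEY_PEM = (PEM_KEY_BEGIN + "\n"
                + base64.b64encode(b"placeholder-key-bytes").decode() + "\n"
                + PEM_KEY_END + "\n")
FAKE_ENCRYPTED_KEY_PEM = (PEM_KEY_BEGIN + "\nProc-Type: 4,ENCRYPTED\n"
                          "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                          + base64.b64encode(b"placeholder").decode() + "\n"
                          + PEM_KEY_END + "\n")

if __name__ == "__main__":
    cert_pem = to_pem_certificate(FAKE_DER_CERT)
    print(combine(FAKE_KEY_PEM, cert_pem))
    print(check_private_key(FAKE_ENCRYPTED_KEY_PEM))
```

The format check is deliberately structural rather than cryptographic: it does not validate the certificate, it only tells you which of the guide's conversion steps applies before you upload, and it stops you from combining a key that still carries a passphrase.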
APPENDIX D Examples of Configuring Network Access After the Firebox SSL VPN Gateway is installed and configured to operate in your network environment, use the Administration Tool to configure user access to the servers, applications, and other resources on the internal network. Configuring user access to internal network resources involves defining accessible networks for split tunneling, configuring authentication and authorization, creating user groups, creating local users, and defining the access control lists (ACLs) for user groups.
Scenario 1: Configuring LDAP Authentication and Authorization Before reading the examples in this chapter, you should become familiar with the settings on three tabs of the Administration Tool. The settings on these tabs control user access to internal network resources: •...
• Determining the Sales and Engineering users who need remote access • Collecting the LDAP directory information Determining the internal networks that include the needed resources Determining the internal networks that include the needed resources is the first of three procedures the administrator performs to prepare for the LDAP authentication and authorization configuration.
Scenario 1: Configuring LDAP Authentication and Authorization For example, if the Firebox SSL VPN Gateway operates with the Microsoft Active Directory, the Firebox SSL VPN Gateway checks the "memberOf" attribute in the Person entry to determine the groups to which a user belongs. In this example, we assume that the group membership attribute indicates that a user is a member of an LDAP directory group named "Remote Sales."...
• LDAP Server port. The port on which the LDAP server listens for connections. The default port for LDAP connections is port 389. • LDAP Administrator Bind DN and LDAP Administrator Password. If the LDAP directory requires applications to authenticate when accessing it, the administrator must know the name of the user account that the Firebox SSL VPN Gateway should use for this authentication and the password associated with this account.
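The guide's LDAP authorization rule (the group name configured on the gateway must be identical to the directory's group name, given as cn=groupname for Active Directory and ou=groupname for other directories) and its description of the memberOf attribute above together define how a user's directory groups resolve to gateway groups. The function below is an added example for this guide, not WatchGuard code, that applies that rule to a user's memberOf values: it takes the leading RDN of each group DN, requires the RDN type the directory uses, and compares the value exactly. The DNs and group names are constructed; the exact, case-sensitive comparison follows the guide's "must be identical" wording and is the behaviour to check against your own directory.

```python
"""Map a user's LDAP group DNs to the gateway's configured group names.

Added example, not WatchGuard code. Models the guide's rule: for Active
Directory the gateway group name must match the cn= RDN of the directory
group exactly; other LDAP directories use ou=groupname. Sample DNs and
group names are constructed.
"""
from typing import Dict, List, Optional


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring backslash-escaped commas
    (a group named 'Sales, EMEA' appears in a DN as 'CN=Sales\\, EMEA')."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf).strip())
    return parts


def leading_rdn(dn: str, attr: str) -> Optional[str]:
    """Value of the first RDN if its type is `attr` (attribute types are
    case-insensitive in LDAP, so CN= and cn= are treated alike)."""
    rdns = split_dn(dn)
    if not rdns or "=" not in rdns[0]:
        return None
    typ, value = rdns[0].split("=", 1)
    if typ.strip().lower() != attr.lower():
        return None
    return value.replace("\\,", ",")  # undo the one escape split_dn tracks


def resolve_gateway_groups(member_of: List[str],
                           configured_groups: List[str],
                           directory: str = "ad") -> Dict[str, List[str]]:
    """Return {'matched': [...], 'unmatched': [...]}.

    `directory` selects the RDN type: 'ad' uses cn= (Active Directory);
    anything else uses ou= (the guide's 'other LDAP directories' case).
    The value comparison is exact, including case, because the guide
    requires the gateway group name to be identical to the directory's.
    """
    attr = "cn" if directory == "ad" else "ou"
    matched, unmatched = [], []
    for dn in member_of:
        name = leading_rdn(dn, attr)
        if name is not None and name in configured_groups:
            matched.append(name)
        else:
            unmatched.append(dn)
    return {"matched": matched, "unmatched": unmatched}


# Constructed sample: memberOf values of one Person entry, and the group
# names configured on the gateway.
SAMPLE_MEMBER_OF = [
    "CN=Remote Sales,OU=Groups,DC=example,DC=test",
    "cn=remote sales,OU=Groups,DC=example,DC=test",   # value case differs: no match
    "CN=Sales\\, EMEA,OU=Groups,DC=example,DC=test",  # escaped comma in the name
    "OU=Remote Engineers,DC=example,DC=test",         # ou= RDN, not cn=
]
GATEWAY_GROUPS = ["Remote Sales", "Remote Engineers", "Sales, EMEA"]

if __name__ == "__main__":
    print(resolve_gateway_groups(SAMPLE_MEMBER_OF, GATEWAY_GROUPS))
    print(resolve_gateway_groups(SAMPLE_MEMBER_OF, GATEWAY_GROUPS, directory="other"))
```

The unmatched list is the useful output when a user authenticates but lands only in the Default group: it shows which directory groups were present but did not resolve, typically because of a case or whitespace difference in the configured name or because the directory uses ou= where cn= was expected.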
Scenario 1: Configuring LDAP Authentication and Authorization This task includes these five procedures: • Configuring accessible networks • Creating an LDAP authentication realm • Creating the appropriate groups on the Firebox SSL VPN Gateway • Creating and assigning network resources to the user groups •...
Creating an LDAP Authentication and Authorization Realm Creating an LDAP authentication and authorization realm is the second of five procedures the administrator performs to configure access to the internal network resources in this scenario. In this scenario, all of the Sales and Engineering users are listed in a corporate LDAP directory. To authenticate users listed in an LDAP directory, the administrator must create an authentication realm that supports LDAP authentication.
Scenario 1: Configuring LDAP Authentication and Authorization Creating the Appropriate Groups on the Firebox SSL VPN Gateway Creating the appropriate groups on the Firebox SSL VPN Gateway is the third of five procedures the administrator performs to configure access to the internal network resources in the configuring LDAP authentication and authorization scenario.
In Network/Subnet, type these two IP address/subnet pairs for the resources. Separate each of these IP address/subnet pairs with a space: 10.10.0.0/24 10.60.10.0/24 To simplify this example, the administrator accepts the default values for the other settings on the Network Resource window and clicks OK. After creating the Network Resource named "Sales Resource,"...
Scenario 1: Configuring LDAP Authentication and Authorization the 10.0.20.x resource and allow access to the 10.0.x.x resource. In these cases, configure the policy denying access to 10.0.20.x first and then configure the policy allowing access to the 10.0.x.x network second. Always configure the most restrictive policy first and the least restrictive policy last.
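The ACL rules stated across this guide (network resources as space-separated IP address/subnet pairs, an optional port and protocol restriction per resource, allow and deny rules combined across every group the user belongs to, deny taking precedence over allow, and the 24-subnet limit on the Accessible Networks field beyond which entries are ignored) are easier to reason about when modelled in code. The evaluator below is an added example for this guide, not WatchGuard code, and goes slightly beyond the single case in the text by checking a full (address, port, protocol) triple against the union of several groups. The group names and addresses are constructed, reusing the 10.20.10.0/24 and 10.20.10.30 figures from the deny-precedence example and the port 80/TCP restriction mentioned earlier.

```python
"""Evaluate group ACLs the way the guide describes.

Added example, not WatchGuard code. Models the rules stated in the guide:
network resources are space-separated IP/subnet pairs, optionally limited
to a port and protocol; rules from all of a user's groups are combined;
deny takes precedence over allow; and the Accessible Networks field honours
at most 24 subnets. Sample groups and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_ACCESSIBLE_NETWORKS = 24


def parse_networks(text: str) -> List[ipaddress.IPv4Network]:
    """Parse '10.10.0.0/24 10.60.10.0/24' into network objects; a bare
    address such as 10.20.10.30 becomes a /32."""
    return [ipaddress.ip_network(tok, strict=False) for tok in text.split()]


def accessible_networks(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Networks the gateway will honour, and the tokens it silently drops
    once the 24-subnet limit is exceeded."""
    tokens = text.split()
    kept = [ipaddress.ip_network(t, strict=False) for t in tokens[:MAX_ACCESSIBLE_NETWORKS]]
    return kept, tokens[MAX_ACCESSIBLE_NETWORKS:]


@dataclass
class NetworkResource:
    name: str
    networks: List[ipaddress.IPv4Network]
    port: Optional[int] = None        # None: any port
    protocol: Optional[str] = None    # 'tcp', 'udp' or None for any

    def matches(self, ip: str, port: int, protocol: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in self.networks):
            return False
        if self.port is not None and port != self.port:
            return False
        if self.protocol is not None and protocol.lower() != self.protocol:
            return False
        return True


@dataclass
class Group:
    name: str
    allow: List[NetworkResource] = field(default_factory=list)
    deny: List[NetworkResource] = field(default_factory=list)


def is_permitted(groups: List[Group], ip: str, port: int, protocol: str) -> Tuple[bool, str]:
    """Union the rules of all the user's groups; any matching deny wins,
    regardless of the order in which the rules were configured."""
    for g in groups:
        for res in g.deny:
            if res.matches(ip, port, protocol):
                return False, f"denied by '{res.name}' in group {g.name}"
    for g in groups:
        for res in g.allow:
            if res.matches(ip, port, protocol):
                return True, f"allowed by '{res.name}' in group {g.name}"
    return False, "no allow rule matched"


# Constructed scenario: allow a /24, deny one host inside it, and restrict
# a second resource to port 80 over TCP.
SALES = Group(
    "Sales",
    allow=[NetworkResource("Sales subnet", parse_networks("10.20.10.0/24"))],
    deny=[NetworkResource("Restricted host", parse_networks("10.20.10.30"))],
)
SUPPORT = Group(
    "Support",
    allow=[NetworkResource("Web server", parse_networks("10.60.10.0/24"),
                           port=80, protocol="tcp")],
)

if __name__ == "__main__":
    for probe in [("10.20.10.31", 22, "tcp"), ("10.20.10.30", 22, "tcp"),
                  ("10.60.10.5", 80, "tcp"), ("10.60.10.5", 443, "tcp")]:
        print(probe, is_permitted([SALES, SUPPORT], *probe))
```

The evaluator checks every deny rule before any allow rule, which is the behaviour the guide describes ("deny rules take precedence"); the guide's advice to configure the most restrictive policy first is still worth following on the appliance, but the result should not depend on it.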
In the left pane, click the "Email server" network resource you just created and drag it to Application Network Policies listed under Application Constraints in the right pane. Click In the left pane, expand both the "Remote Sales" user group and the "Remote Engineers" user group.
Scenario 2: Creating Guest Accounts Using the Local Users List An administrator can also create a list of local users on the Firebox SSL VPN Gateway and configure the Firebox SSL VPN Gateway to provide authentication and authorization services for these users. This list of local users is maintained in a database on the Firebox SSL VPN Gateway and not in an external directory.
To create a guest authentication realm for the guest users In the Firebox SSL VPN Gateway Administration Tool, click the Authentication tab. In Realm Name, type Guest. Select One Source and click Add. At Select Authentication Type, select Local authentication only and then click OK. From the Authorization tab, select No authorization.
Scenario 3: Configuring Local Authorization for Local Users Silvio and Lisa are authorized to access any resource defined in the ACL of the Default user group because No Authorization is specified as the authorization type of the Guest realm. In this example, Silvio and Lisa can access only the Web conference server on the internal network because that is the only network resource defined for the Default user group.
APPENDIX E Legal and Copyright Information
GNU GENERAL PUBLIC LICENSE FOR LINUX KERNEL AS PROVIDED WITH FIREBOX SSL
Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software.
change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims;...
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER...
This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c';...