Configure Security Policies For The Vpn Tunnel; How To Configure User-Aware Access Control; Set Up User Accounts - ZyXEL Communications ZYWALL USG 2000 Manual

Unified security gateway

Chapter 6 Tutorials

6.3.4 Configure Security Policies for the VPN Tunnel

You configure security policies based on zones. Assign the new VPN connection to
a zone to be able to apply security policies (firewall rules, IDP, and so on) to the
VPN connection. Make sure all firewalls between the ZyWALL and remote IPSec
router allow UDP port 500 (IKE) and IP protocol 50 (AH) or 51 (ESP). If you enable
NAT traversal, all firewalls between the ZyWALL and remote IPSec router should
also allow UDP port 4500.
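One way to check an intermediate firewall's rule list against the flows listed above before bringing the tunnel up. This is an added example, not part of the ZyWALL manual; the rule format, the addresses and the function names are assumptions made for illustration.

```python
import ipaddress

UDP = 17  # IANA protocol number for UDP

def required_flows(nat_traversal, ipsec_protos=(50, 51)):
    """Flows the text lists: UDP 500, IP protocol 50 or 51, plus UDP 4500 with NAT traversal."""
    flows = [("IKE udp/500", UDP, 500)]
    flows += [(f"IP protocol {p}", p, None) for p in ipsec_protos]
    if nat_traversal:
        flows.append(("NAT-T udp/4500", UDP, 4500))
    return flows

def rule_matches(rule, src, dst, proto, dport):
    """A rule field of None is a wildcard for protocol or destination port."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
            and rule["proto"] in (None, proto)
            and rule["dport"] in (None, dport))

def allowed(rules, src, dst, proto, dport):
    """First matching rule wins; no match at all means implicit deny."""
    for rule in rules:
        if rule_matches(rule, src, dst, proto, dport):
            return rule["action"] == "allow"
    return False

def blocked_flows(rules, zywall, peer, nat_traversal, ipsec_protos=(50, 51)):
    """Return the required flows the rule set drops, checked in both directions."""
    blocked = []
    for name, proto, dport in required_flows(nat_traversal, ipsec_protos):
        for src, dst in ((zywall, peer), (peer, zywall)):
            if not allowed(rules, src, dst, proto, dport):
                blocked.append(f"{name} {src} -> {dst}")
    return blocked

# Constructed sample: documentation addresses and a hypothetical intermediate firewall.
ZYWALL, PEER = "203.0.113.10", "198.51.100.20"
ANY = "0.0.0.0/0"
RULES = [
    {"action": "allow", "src": ANY, "dst": ANY, "proto": UDP, "dport": 500},
    {"action": "allow", "src": ANY, "dst": ANY, "proto": 50, "dport": None},
    {"action": "deny", "src": ANY, "dst": ANY, "proto": None, "dport": None},
]

if __name__ == "__main__":
    for flow in blocked_flows(RULES, ZYWALL, PEER, nat_traversal=True):
        print("blocked:", flow)
```

Pass only the IP protocol number the tunnel actually uses in `ipsec_protos` to avoid reporting a protocol you do not need.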

6.4 How to Configure User-aware Access Control

You can configure many policies and security settings for specific users or groups
of users. This is illustrated in the following example, where you will set up the
following policies. This is a simple example that does not include priorities for
different types of traffic. See Bandwidth Management on page 446 for more on
bandwidth management.

Table 30 User-aware Access Control Example

| GROUP (USER)      | WEB SURFING | WEB BANDWIDTH | MSN                    | LAN-TO-DMZ ACCESS |
|-------------------|-------------|---------------|------------------------|-------------------|
| Finance (Leo)     | Yes         | 200K          | No                     | Yes               |
| Engineer (Steven) | Yes         | 100K          | No                     | No                |
| Sales (Debbie)    | Yes         | 100K          | Yes (M-F, 08:30~18:00) | Yes               |
| Boss (Andy)       | Yes         | 100K          | Yes                    | Yes               |
| Guest (guest)     | Yes         | 50K           | No                     | No                |
| Others            | No          | ---           | No                     | No                |

The users are authenticated by an external RADIUS server at 192.168.1.200.
First, set up the user accounts and user groups in the ZyWALL. Then, set up user
authentication using the RADIUS server. Finally, set up the policies in the table
above.
The ZyWALL has its default settings.

6.4.1 Set Up User Accounts

Set up one user account for each user account in the RADIUS server. If it is
possible to export user names from the RADIUS server to a text file, then you
might create a script to create the user accounts instead. This example uses the
web configurator.
