Contents
Configuring a firewall to work with the FirePass server, 2-2
Overview of the firewall configuration process, 2-3
About the traffic between a remote user’s browser and the FirePass server, 2-5
About the traffic between the FirePass server and network services, 2-6
About the traffic between FirePass server and application services, 2-7
Converting to internal database authentication, 3-23
Setting up RADIUS server authentication, 3-24
Setting up a RADIUS server to work with the FirePass server, 3-25
Setting up Windows domain server authentication, 3-25
Setting up LDAP server authentication, 3-27
Setting Up VASCO DigiPass authentication
Shutting down the FirePass server, 5-17
Restarting the FirePass server or services, 5-17
Stopping and starting the bridge, 5-18
Backing up and restoring the FirePass server, 5-19
Specifying the email server, 5-20
Specifying the FirePass administrator’s email address, 5-20
Granting Administrator privileges to other users
Updating the FirePass server’s firmware, 5-27
Adding definitions for other types of browsers, 5-28
Monitoring the FirePass server, 5-29
Monitoring the load on a FirePass server, 5-29
Displaying FirePass server statistics, 5-30
Capturing network packets to troubleshoot networking problems, 5-30
Customizing the user’s home page
Introducing the FirePass Server
• The FirePass remote access solution
• The FirePass server models
• The FirePass server features
• About this guide
• Finding help and technical support resources...
The FirePass™ server is a network appliance providing remote users with secure access to corporate networks, using any standard Web browser. The FirePass server can be installed in a few hours and it requires no modifications to corporate applications. No configuration or setup is required at the user’s remote location.
The FirePass server features
Overview of features
Security
FirePass server was built from the ground up to adhere to the highest standards of best security practices.
• Encryption—FirePass server offers several strengths of encryption, depending on the capability of the browser in use and on the optional security settings of the FirePass implementation.
FirePass server features
The following features are available on both FirePass server models.
Standard Web browser support
FirePass server can be used with most standard browsers supporting secure HTTP (also known as HTTPS). These include Internet Explorer®, Netscape Navigator®, Opera®, and Mozilla®.
Web conferencing.
High availability
FirePass servers can be configured to fail over to hot standby servers.
Scalability
FirePass server clusters support up to 10,000 users on a single logical server.
About this guide
This FirePass Administrator Guide provides information and step-by-step instructions for installing and administering the FirePass™...
If your superuser password is lost, contact Technical Support.
A Warning describes actions that can cause data loss or problems. For example:
WARNING Do not turn the FirePass server off by using the Power switch on the front panel.
Deploying the FirePass Server
• Overview of deploying the FirePass server
• Configuring a firewall to work with the FirePass server
• Understanding name resolution issues for FirePass servers with a private IP address
• Installing the FirePass server
• Testing network connectivity
•...
Overview of deploying the FirePass server
This section contains an overview of the tasks for deploying the FirePass™ server.
Summary of tasks for installing and deploying the FirePass server
Table 2.1 provides a summary of the tasks for installing and deploying the FirePass server.
80 and 443 for HTTP and HTTPS, on the external firewall between the FirePass server and remote Web browsers. If the FirePass server is installed in a DMZ with an internal firewall separating it from the corporate network, you also have to open other ports as necessary to allow access to network services such as DNS, and to use particular application services such as e-mail.
FirePass server and these services. • If there is a firewall between the FirePass server and the corporate LAN, the firewall must allow traffic on ports 80, 443, and 661.
the FirePass server. To use static NAT, configure a rule that forwards all allowable traffic from the public IP address to the private IP assigned to the FirePass server. However, some firewalls only allow static NAT using a public IP address other than its own public interface.
TCP/IP ports (1025 – 65535). If the number of concurrent My Desktop users is low—less than 5 concurrent users on the FirePass 1000, or less than 20 on the FirePass 4000—then there is no requirement to open the high TCP/IP ports (1025 to 65535).
IP address. This is to ensure that traffic from the same side of the firewall can reach the FirePass server. You can do this on a WINS server or on a DNS server if the DNS server is hosted locally.
• Client/server applications
• SSL VPN
A FirePass server that needs to use any of these application services must be able to communicate with the local LAN on several ports. Most of these ports are listed in Table 2.4 with the default port assignments. (Your network may vary.)
Table 2.4 Traffic between FirePass server and application services (fragment; columns: traffic type, source, source port, destination, destination port, notes)
(Response): Local LAN to FirePass server ports 1025 to 65535. Required for Host Access.
Client/Server applications: FirePass server, source ports 1025 to 65535, to Local LAN, user-defined TCP port. Required for each App tunnel.
About the traffic between the FirePass server and the Desktop Agent To allow traffic from the FirePass server to the corporate LAN using the My Desktop feature, you must open firewall ports as shown in Table 2.5. The FirePass client on the desktop computer on the local LAN uses ports 80 and 81 to initiate communications with the FirePass server during My Desktop sessions.
Table 2.5 Traffic between FirePass server and corporate LAN using My Desktop (fragment; columns: protocol, source, source port, destination, destination port, notes)
...Protocol (HAP) (response): ... server, port range ending at 65535 (row truncated). Required for My Desktop.
HTTPS: FirePass server, source ports 1025 to 65535, to Local LAN.
HTTPS (response): Local LAN to FirePass server ports 1025 to 65535.
Understanding name resolution issues for FirePass servers with a private IP address If the FirePass server is installed on a corporate LAN or in a DMZ that uses private IP addresses, the firewall or gateway performs Network Address Translation (NAT). This means that the FirePass server has two different DNS “identities”—one mapped to the public IP address, and another one to...
• FirePass 1000: the WAN port is clearly labeled on the front panel of the server. • FirePass 4000: the WAN port is on the back of the server. It is the network port in the expansion slot on the right side (see FirePass 4000 port locations, on page 2-13).
WARNING Do not turn the FirePass server off by using the Power switch on the front panel. Data corruption might occur, possibly rendering the FirePass server unavailable. To shut the FirePass server down, always use the Shutdown commands in the Administrative Console or the Maintenance Console.
Performing the initial FirePass IP configuration
The FirePass server comes pre-configured with a default set of networking and server settings. The following table provides important default FirePass settings.
Setting: Factory default value
Admin Console User Name: admin
Admin Console password...
4. DNS name resolution. Navigate to Server/Maintenance/Network Configuration/Hosts. Enter the fully-qualified domain name (FQDN) of your FirePass server and the IP Address of your Domain Name Server. If you have not already done so, make the corresponding entries in your Domain Name Server.
FirePass server’s fully qualified domain name resolves correctly both inside and outside the firewall. To test network connectivity: 1. Test that the FirePass server is accessible from the LAN by entering the following command on a host computer on the LAN: ping x.x.x.x where x.x.x.x is the FirePass server’s private IP address.
If you have trouble accessing the FirePass server by entering the fully qualified domain name on a computer inside the firewall, try entering the internal IP address. This problem is usually caused by DNS reflection, which occurs when an internal host sends a packet to the external interface of the firewall.
5. Click Login. After you log in, the Welcome panel for the FirePass Administrative Console appears. The Administrative Console is composed of several panels where you select options, enter configuration information, and choose commands to configure and administer the FirePass server. Some panels contain status information and reports that you can use to monitor the server.
If the Serial number is shown as unknown, contact Technical Support. When you receive your new FirePass server, you should also have received an email from Technical Support or the entitlement server. If so, follow the directions in the email. If not, contact Support (support@f5.com) to make sure your license is ready.
The Maintenance Console menu appears. Logging out of the Administrative Console If you do not log out of the Administrative Console, the FirePass server automatically times you out after a period of inactivity. This time interval is specified in the Inactivity Timeout option on the Customization panel of the Administrative Console.
Using the Maintenance Console
If you intend to use the Administrative Console web interface (recommended) to configure the FirePass IP address or if your server’s IP address and network mask are already configured correctly, you can skip this section.
4. At the Login prompt, enter the following: maintenance No password is required. 5. Enter to agree to the conditions on the screen. The Maintenance Console menu appears. 6. To change the server name or other network settings, enter 1 for Network Configuration and then press the Enter key.
What’s next?
Now that the FirePass server is installed and accessible on the network, you can use the Administrative Console to finish configuring FirePass. Set up security on the FirePass server by adding groups and user accounts, and then configuring authentication.
Setting Up FirePass Server Security
• Overview of setting up FirePass server security
• Working with groups
• Working with user accounts
• Setting up FirePass server authentication
• Setting up certificates
• Limiting access to the administrative console by IP address
•...
(See Working with groups, on page 3-2.) 2. (Optional) If the FirePass server users are stored in an LDAP or a Windows Domain server, you can set up group mapping. Group mapping automatically keeps the groups on the FirePass server synchronized with the groups on the Windows Domain server or LDAP server.
4. (Optional) If you want to give FirePass server users access to NFS file servers, you can import the NFS permissions for each user that is listed in a UNIX password file. (See Using NFS user permissions from a UNIX password file, on page 3-17.) 5.
Creating groups
To create a group
Use the Group Management screen. 1. Under the Users tab on the left side of the Administrative Console, click the Groups link. The Group Management screen opens. 2. In the New group name box in the Create New Group section, enter a name for the group.
4. Click the Create button. The new group is now accessible from the Group list on the panels for setting up authentication methods, Webifyers, and signup templates.
Deleting groups
To delete a group
1. In the Delete Group section of the Group Management panel, select the group from the Group to Delete drop-down list.
FirePass server’s configured mapping. The FirePass server then dynamically moves the user to the FirePass server group based on a match. Note that the group must already exist on the FirePass server and be mapped before the user logs in.
FirePass server. If the user is moved to an LDAP group that does not exist on the FirePass server, the user remains in the same FirePass server group.
FirePass server group, enter an attribute name in the Attribute Name box, and then enter an attribute value in the Attribute Value box. From the Map to Group list, select the FirePass server group that corresponds to the attribute value, and then click the Add button.
• If you selected the Use Parent DN to Map Group option, enter a DN value in the DN Value box. From the Map to Group list, select the FirePass server group that corresponds to the DN value, and then click the Add button. As necessary, continue mapping DN values to groups by entering DN values, selecting the FirePass server group from the menu, and then clicking Add.
To use this method, you should have a group object in your LDAP schema that may be used to map FirePass groups. This object should have at least two multi-valued attributes to specify users that belong to this group. The first attribute specifies static members and is the list of users’ DNs.
11. In the Filter for Group box, specify an LDAP query. It must be a valid LDAP query expression. For example: OU=Groups,O=MyCompany 12. In the Query Template for Static Members box, specify a query template for static members. Use %logon% in the filter expression to insert a user name.
Working with user accounts
You can add user accounts to each group on the FirePass server by using any of the following methods: • Manually add users to each group. (See Manually adding user accounts, following.)
7. Do one of the following: • If the authentication for the selected group is handled by the FirePass server’s internal database, enter the user’s password in the Password and Validate text boxes. • If the authentication is handled by an external VASCO server, enter the user’s Token ID in the Token ID text box.
9. To generate a key that enables the user to install the My Desktop client software, select the Generate Installation Key option. If you select this option, the FirePass server sends an email message to the user that contains instructions for downloading and installing the My Desktop client software.
This step is necessary because email addresses are not available when querying a Windows domain. 11. Select the users you want to add to the FirePass server. To select all users in the list, click the Select All Users link at the bottom of the panel.
The users with names already in the FirePass server internal database do not have a check box. 13. Select the users you want to add to the FirePass server. To select all users in the list, click the Select All Users link at the bottom of the panel.
RADIUS, LDAP, or Windows Domain server, you can use a signup template to automatically add the users to the internal database when they log in to the FirePass server for the first time. FirePass server displays a dialog box where first-time users enter their user name, password, and other information.
FirePass server adds the user to the first group on the external server that matches the first group in the order specified on the Signup Template panel.
NFS servers. For example, a user with the logon name of tjones on the FirePass server must also have tjones as the logon name on the NFS servers. Note that this procedure does not create any new user accounts on the FirePass server.
Assigning administrative privileges to a user account By default, the FirePass server includes a superuser account with the user name of admin that has a complete set of administrative privileges. You can also assign administrative privileges to an existing user account to allow the user to be a FirePass server administrator.
4. Enter the user’s login name in the text box and then click the Add button. The user’s name is added to the list in the FirePass Administrators panel, but the user does not have administrative privileges until you explicitly assign them.
• To allow access to a subset of panels associated with a tab, click the Edit link next to the tab. For example, click the Edit link next to the Server tab name to specify access to the panels associated with the Server tab in the Administrative Console.
Generating a My Desktop client software installation key, on page 3-21. 4. In the Existing FirePass Installation Keys panel, select the key, right-click, and then choose Copy from the context menu to copy the key to the clipboard. Do not send the key to the user.
Setting up FirePass server authentication
Authentication is set up on a per-group basis on the FirePass server. If you are using the same authentication for all FirePass server users, you can simply add all users to the FirePass server default group and use the same authentication for the default group.
There is no other configuration required for internal database authentication. Setting up RADIUS server authentication If the RADIUS authentication feature is licensed, the FirePass server can authenticate using a RADIUS server. FirePass server fully supports RSA extensions for RADIUS and is RSA-certified.
SecurID authentication. On the RADIUS server, the FirePass server needs to be set up as a client to the RADIUS server. Then, a shared secret needs to be created and added to both the RADIUS server and the FirePass server so the RADIUS server can trust the FirePass server.
If you select this option, each user must log in to the FirePass server using the format of DOMAIN\username. 8. If the FirePass server is able to retrieve Windows Domain groups from the configured Domain, select a group from the User Must Belong to Domain Group drop-down list.
9. If the FirePass server is to become part of the Windows domain and perform native NTLM authentication services, click the Join Windows Domain option. Then specify the Domain Admin Name and Domain Admin Password.
Setting Up VASCO DigiPass authentication
If the VASCO DigiPass authentication feature is licensed, the FirePass server can authenticate using a VASCO server. Each user is issued a security token that generates a unique and dynamically time-limited password. The server has a similar algorithm associated with the token’s serial number.
3-30.) Installing a new certificate You can change the FirePass server name to one that is appropriate for your site, and then generate and install a new server certificate that uses the new server name. It is important to keep your server certificate valid by renewing it as necessary, usually every year.
Changing the FirePass server name
If you have a pilot FirePass server named server-name.FP.com (or some other default name), and you want to generate and install a new server certificate that is specific to your site, you must first change the server name.
Alternatively, valid client certificates can be used to restrict access to particular Webifyers. For example, access to the FirePass server SSL VPN service can be limited to a laptop computer equipped with a valid client certificate. The user then would have access to the SSL VPN service from the laptop, but would not have access from other locations such as public access kiosks.
Whenever necessary, you can also install an optional certificate revocation list (CRL) that contains a list of client certificates for users who you want to deny access to the FirePass server. For example, you can exclude the client certificates for users who have left your company. (See Installing a certificate revocation list, on page 3-34.)
This option configures the FirePass server to request a client certificate as part of the SSL session negotiation which occurs before the client computer attempts to log in to the FirePass server. The server also validates and logs the client’s certificate, but it does not restrict access to the server.
Login Username Must Match Certificate Common Name option.
Installing a certificate revocation list
To install a certificate revocation list (CRL) on the FirePass server
1. Under the Server tab on the left side of the Administrative Console, click the Security link.
Limiting access to the administrative console by IP address To increase the security of the FirePass server, you can limit access to the Administrative Console by source IP address and/or subnets. Your current browser’s source IP address is always allowed in order to protect you from accidentally locking the server.
Configuring the FirePass Webifyers
• Overview of the FirePass Webifyers
• Configuring the My Files Webifyer
• Configuring the My NFS Webifyer
• Configuring the My Intranet Webifyer
• Configuring the My E-mail Webifyer
• Configuring the Terminal Services Webifyer
•...
Overview of the FirePass Webifyers
The FirePass™ Webifyers™ provide remote users with web-based remote access to a wide variety of network applications and resources, including email servers, Intranet servers, file servers, terminal servers, and legacy mainframe, AS/400, Telnet, and X-Windows applications. Each Webifyer renders its respective resource into and out of Web browser formats.
Host Access: Provides remote users with Web-based access to legacy VT100, VT320, Telnet, X-Term, and IBM 3270/5250 applications without any modifications to the applications or application servers. (See Configuring the Host Access Webifyer, on page 4-21.)
SSL VPN: Provides remote users with the functionality of a traditional IPSec VPN client.
Configuring the My Files Webifyer
The My Files Webifyer allows remote users to browse and view files stored on internal LAN file servers. As the FirePass administrator, you can configure the My Files Webifyer to limit access for a particular group to the file shares you specify.
File Upload option.
Configuring advanced settings for the My Files Webifyer
If the FirePass server contains two NICs, it is important to configure a broadcast address for the internal NIC. If there is a WINS server on your network, specify its address to facilitate name resolution of Windows servers using the My Files Webifyer.
FirePass server. Important: The Default Domain/Workgroup setting is required for deployments where the IP address of the FirePass server is not on the target LAN. 4. To have the FirePass server attempt to automatically log into My Files servers and shares using each user’s FirePass login user name...
Note FirePass users cannot access NFS shares until they have been assigned a UNIX-style User ID and Group ID. (See Using NFS user permissions from a UNIX password file, on page 3-17.)
My NFS Webifyer icon on the left side of the user’s Web browser window. (The My NFS favorites are displayed on the right side of the browser window.) The FirePass server queries the NFS server for any exported file systems.
Configuring the My Intranet Webifyer
The My Intranet Webifyer allows remote users to access Web servers on the internal LAN in a unified and secure way. A user can either browse the internal Web sites by the site’s name or internal IP address, or use Intranet Favorites that you define.
Specify the variables in the form: variable1=value1&variable2=value2&variable3=value3 where the %username% and %password% parameters can be used within values. The %username% and %password% parameters are replaced with the user's FirePass login user name and password. For example, suppose you specify this URL: http://server.company.com and these URL variables: show_custom_content=1&user=%username%@company.com...
POP and IMAP mailboxes, and LDAP address books. After configuring a corporate email account, you can specify an LDAP server as a source of email addresses instead of using the default list of FirePass users. Configuring an email account...
Select this option to obtain email information from each user when they login for the first time. • Use FirePass database for display and login information Select this option to obtain each user’s email information from the FirePass server’s internal database.
2. Click the Update button. Obtaining email addresses from an LDAP server By default, the My E-Mail Webifyer uses the FirePass internal database as a source of email addresses. Alternatively, you can specify an LDAP server as a source of email addresses.
8. In the Filter template box, enter a search filter template. For example: (&(objectclass=person)(cn=*%s*)) where %s is replaced with the user’s FirePass logon name. 9. In the Name Attribute box, specify the name attribute, which is typically cn. 10. In the Address Attribute box, enter the email address attribute, which is typically mail.
Configuring the Terminal Services Webifyer
The Terminal Services Webifyer provides remote users with access to internal LAN Microsoft Terminal servers, Windows XP desktop computers, Citrix Metaframe servers, and VNC servers in a unified secure way. Users have the option to either browse the servers by their name or internal IP address, or to use favorites.
Note: You can use a space separated list of IP addresses or host names in the Host field for a Citrix Metaframe Server, a Citrix Metaframe Browser, and VNC. The FirePass server attempts to use the first entry in the list, and if that entry fails, the server proceeds with other entries in the list until a working server is found.
Limiting a group’s access to the Terminal Service Favorites
If you want to limit a group’s access to the Terminal Service Favorites you specified, select the Limit MyNetwork Access to Terminal Service Favorites only option.
Using client certification validation for the Terminal Service...
Web browser and the FirePass server. The AppTunnels Webifyer allows FirePass users to access the client-server applications you specify. Unlike a traditional IPSec VPN client that exposes the entire network, the AppTunnels Webifyer exposes only the specific resources used by the selected applications.
To configure AppTunnel Favorites
1. From the For the group drop-down list, select the group that you want to configure the AppTunnels for. 2. In the Favorite AppTunnels section, click the Add New link. 3. In the Name box, specify a name for the AppTunnel Favorite.
AppTunnels section.
Compressing traffic between the client and the FirePass server
To compress all traffic between the client and the FirePass server using the GZip deflate method, select the Use GZIP compression option.
Limiting a group’s access to the AppTunnels Favorites
If you want to limit a group’s access to the AppTunnels Favorites you...
Configuring the Host Access Webifyer
The Host Access Webifyer allows remote users to access legacy applications using a Web browser. The Host Access Webifyer does not require any application modifications or any third-party software to webify interaction with hosts.
3. In the Name box, specify a name for the host access Favorite. This name is displayed as a label for the Host Access Favorite in each user’s Web browser under the Host Access icon. 4. In the Host box, specify the host’s name or its IP address. 5.
SSL VPN Webifyer does not require any configuration on each remote user’s computer, and no server-side changes are necessary. The FirePass server’s SSL VPN implements PPP over SSL, which is a secure solution that does not have problems with routers, firewalls, or proxies.
For example, use NAPT when you only need to provide Outlook users with complete Exchange access. VPN configuration is completely limited to the FirePass server. The use of a virtual network ensures complete transparency. A disadvantage is that the surrounding infrastructure has to be configured to route IP traffic to the virtual network IP addresses.
Warning: The pool of addresses for the VPN must not contain the FirePass server address. Otherwise, severe routing problems can occur. 5. Click the Apply these rules now button.
Configuring global SSL VPN packet filter rules
You can specify a set of global packet filter rules that are activated whenever a user starts the SSL VPN Webifyer.
Configuring global SSL VPN timeout rules
To configure the global timeout rules
1. On the VPN Settings screen, select the Use packet filter to access LAN option. The Packet Filter Rules section is displayed on the VPN Settings screen.
Configuring the SSL VPN Webifyer for a group
Under the Webifyers tab, click the SSL VPN link to open the SSL VPN Webifyer screen.
To configure the SSL VPN Webifyer for a group
1. From the For the group drop-down list, select the group that you want to configure SSL VPN for.
5. (Optional) To have only the traffic targeted at a specified address space go through the SSL VPN Webifyer, select the Use split tunneling option. All of the remote user’s other Internet activity is handled by the user’s ISP. For example, you might want to enable this option if a company does not want a remote user’s personal Internet activity to be channeled through the company network.
12. To compress all traffic between the SSL VPN client and the FirePass server using the GZip deflate method, select the Use GZIP Compression option.
Configuring group packet filter rules
If you have first enabled global SSL VPN packet filter rules (see...
2. In the Path box, enter a UNC path to the network share. Important: The Administration Console does not verify the path you specify, so be sure to enter it correctly. 3. From the Map To drop-down list, select the preferred drive letter to map the network share to.
My Desktop client software at a user’s computer, on page 3-22.
Configuring the My Desktop server ports
By default, the FirePass server uses port 80 for HTTP, and port 443 for HTTPS for the My Desktop Webifyer. If the My Desktop client software detects that port 80 or 443 is in use, the software automatically uses different ports.
Disabling bridge access to desktops
The bridge is a highly scalable, dynamic port-forwarding mechanism that uses a range of high ports on the FirePass server to tunnel the HTTPS traffic directly to the server. The resulting SSL session is between the Web browser and the desktop computer.
Using client certification validation for the My Desktop Webifyer
You can restrict access to the My Desktop Webifyer to users in a group who have a valid client certificate installed on their computer.
To use client certification validation for the My Desktop Webifyer
1.
1. From the For the group drop-down list, select the group that you want to configure Guest Access for. 2. To enable the Guest Access Webifyer for the selected group, select the Allow Guest Access option. 3. From the drop-down list, select a method for how users send an invitation to their guest users.
Architecturally, FirePass X-Windows Access implements an X-Server on the FirePass server itself. This server acts as a proxy user of a UNIX-based client-server application. In this role, the FirePass server interacts with the application internally in the network, and then renders the X-Server output into encrypted, browser-readable output.
UNIX prompt following logon. This command ordinarily starts a shell or a graphical interface. 12. In the Resolution box, set the screen resolution for the FirePass X-Windows server session. This selection governs the webified X-Windows output sent to the remote browsers. If you are unsure of the resolution of the likely remote systems, the safest choice is the lowest resolution (640 by 480 pixels).
Editing X-Windows host configuration details
You can change the configuration details for a host from the My X Windows Webifyer screen.

To edit an X-Windows host configuration
1. Be sure to select the group for which you want to provide or modify access in the For the group list.
Using client certificate validation for Webifyers
You can restrict Webifyer usage to users in a group who have a valid client certificate installed on their computer, in addition to knowing their user name and password. For example, for a laptop user, you can restrict usage of the My Files Webifyer to the user’s laptop computer where a valid client certificate has been installed.
• Specifying HTTP and SSL proxies
• Configuring an SNMP agent
• Shutting down and restarting FirePass
• Backing up and restoring the FirePass server
• Specifying the email server
• Specifying the FirePass administrator’s email address
• Granting Administrator privileges to other users
• ...
Managing, Monitoring, and Maintaining the FirePass Server

Maintaining the network configuration settings
You can use the Administrative Console to configure the FirePass server’s network settings. These include the network interfaces, IP addresses and netmasks, routing tables and rules, Domain Name Servers (DNS), host names, web services, and desktop-software settings.
Maintenance Console, on page 2-21.

Configuring routing tables and rules
With FirePass you can take advantage of powerful new policy-based routing features in the Linux kernel. With these features, you can choose, for any destination IP address, which device to use and which source IP address to assign.
Adding specific routes

To add a route to the main routing table
1. Select the device, and the Source IP address [Src (IP)] and Netmask [Len] to use. If you are in advanced mode, also select which routing table to use.
Chapter 5
You can specify rules controlling which routing tables to use, and in what order, for particular routes and groups of routes. The route or route group is specified by filling in the destination IP, the source IP, and the device. A blank source or destination IP address acts as a wildcard and signifies “all.”...
Static host names are stored in a local table, and are used only when you need to augment or override your Domain Name Server. FirePass uses the local table to locate an IP Address for a domain name, before consulting the DNS.
• If you use My Desktop, you must have exactly one service configured to allow Desktop Agents to communicate with the FirePass server.
• If you have a clustered or failover configuration, you must have at least one service configured for use by the Synchronization Agent.
Administrative Console, even with a valid Administrator login.
• Desktop: Check this box to define this service as the communication channel between Desktop Agents and the FirePass server. Only one service can be defined as a Desktop service.
• Synchronization: Only visible if you have a Cluster or Failover configuration.
Configuring Desktop services

Bridge ports
When a remote user accesses his own desktop system, FirePass intermediates the sessions using a range of high ports, called bridge ports. To specify what ports to use, navigate to Server/Maintenance/Network Configuration/Desktop. Use this screen to specify which IP address(es) and ports to use as bridge ports.
IP networks. You can use the FirePass server’s IPSec functionality to protect sensitive data that is transmitted between the FirePass server and other servers (such as an internal file server on a remote network) or a security gateway.

To set up a new IPSec connection
1.
14. Click the Apply Configuration and Restart Connections button to have the new or changed IPSec connection take effect. If you do not click this button, the changes do not take effect until the FirePass server restarts. It is not possible to restart connections individually.
Managing FirePass licenses
You can install or upgrade the FirePass server license using the Admin Console. Licenses are managed using the Settings link under the Server tab.

Obtaining a license for the first time
Your server should already have an installation type, serial number, and registration key assigned.
NFS file systems. If you already have a Network Information Service (NIS) server installed to handle UNIX users, you can configure the FirePass server as a client in your NIS domain, and no further configuration is necessary. Note that each FirePass user’s logon name (user name) must be identical to the logon name...
NIS and/or locally defined NFS users can be combined with the anonymous NFS user. The FirePass server uses the anonymous NFS user whenever a FirePass user is not defined as a local NFS user or a NIS user.

To map FirePass users to NFS users
1.
• If the FirePass server has no outbound access to the Internet, the update mechanism for the FirePass server firmware requires a proxy.
• If the FirePass server does not have direct access to Web servers on the internal LAN, the My Intranet Webifyer may require proxy settings.
Configuring an SNMP agent
You can use a Simple Network Management Protocol (SNMP) agent to monitor the FirePass server. For more information on the MIBs that the SNMP agent supports, see the Online Help for the SNMP panel.

To configure an SNMP agent
1.
6. (Optional) In the Contact text box, enter an email address to contact, such as the address for the FirePass server administrator.
7. In the Community Name text boxes in the Rocommunity and Rwcommunity sections, enter the community name that is configured in your SNMP management tool.
Shutting down and restarting FirePass

Important
Do not turn the FirePass server off by using the Power switch. Data corruption can occur as a result, which would render the FirePass server unavailable. To shut the FirePass server down, always use the Shutdown commands in the Administrative Console or the Maintenance Console.
4-31.) The bridge provides a point-to-point, secure connection between the remote user’s Web browser and a desktop computer on the internal LAN. If the bridge is stopped, the FirePass server must constantly encrypt and decrypt the data itself. The bridge greatly improves the scalability of the My Desktop Webifyer.
Backing up and restoring the FirePass server
You can back up and restore the current FirePass server configuration, including user accounts, logs, and FirePass settings.

Note
Your network configuration settings are not preserved; you need to re-enter them after you have restored the configuration.
Send button.

Specifying the FirePass administrator’s email address
You can specify to whom you want the FirePass server to send notifications.

To specify the FirePass administrator’s email address
1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link.
Granting Administrator privileges to other users
Role-Based Administration is a powerful feature allowing you to assign customized subsets of administrative access and privileges, according to the administrative user’s position and requirements. The user name admin is reserved for the Superuser. The Superuser has a complete set of privileges.
Specifying the time, time zone, and NTP server
You can specify a time zone for the FirePass server’s location, and you can specify a Network Time Protocol (NTP) server for the FirePass server to use. You can also manually set the time for the FirePass server.
Configuring client caching and compression settings
You can configure settings that determine caching and compression of files sent from the FirePass server to remote users’ Web browsers, as well as the transmission of cookies and file downloads from the server to users.
Select this option to block file downloads and attachments that consist of .doc and .pdf files.
• Don't block cookies at FirePass, pass them to the browser: Select this option to allow the server to pass cookies to the user’s Web browser.
Managing log files
You can purge and archive FirePass server logs manually or automatically at specified intervals. Periodic purging and archiving of logs is important to manage storage space on the FirePass server.
Expand link.
Note: We recommend that you do not keep the archives on the FirePass server. Delete an archive from the Temporary Archive Storage after you have expanded it.
14. To upload archives from an external computer to the temporary archive storage, click Browse to choose a file, and then click the Upload button.
Updating the FirePass server’s firmware
You can have the FirePass server check and indicate whether an update to the server’s firmware is available. If new firmware is available, you can have the server download the new firmware, install it, and restart itself.
Adding definitions for other types of browsers
You can add and classify definitions for other types of browsers, such as mini-browsers and phones.

To add a definition for a browser
1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link.
Monitoring the FirePass server
You can monitor the FirePass server by displaying various graphs of the real-time load on server components, by displaying statistics, and by capturing network packets to troubleshoot problems. This section contains information on all of these monitoring methods.
5. To delete all data from the monitoring database, click the Zeroinit link at the bottom of the panel.

Displaying FirePass server statistics
You can display statistics and information for the FirePass server, such as average load, performance averages, and number of IPSec connections.

To display server statistics
1.
Administrator and Technical Support. To allow SSH access, you must supply Technical Support with the current passphrase. If you need to give Technical Support access to the FirePass server, you must also provide access on the SSH port (22). If you do not want to provide any SSH access, we recommend that you block inbound SSH traffic at your firewall.
Using FirePass Reports
• Overview of FirePass server reports
• Using the Logon report
• Using the My Desktop Activations report
• Using the Session report
• Using HTTP Log reports
• Using the Application Log report
• Using the Summary report
...
(.xls) file. The following types of FirePass server reports are available:

Logon report
Provides a list of all attempts to log on to the FirePass server, both successful and unsuccessful. For more information, see Using the Logon report, on page 6-2.
Chapter 6

Using the Logon report
The Logon report provides a list of all attempts to log on to the FirePass server, both successful and unsuccessful. You can filter the report for unsuccessful attempts, which quickly provides an audit trail for detecting attacks from unauthorized users. In addition, the FirePass administrator receives a security alert message if 20 consecutive unsuccessful attempts to log on occur within 5 minutes.
Using FirePass Reports

Using the My Desktop Activations report
The My Desktop Activations report provides a list of all activations of the My Desktop Webifyer. You can filter the My Desktop Activations report for all failed activations, and for failed activations that were not the result of an incorrect password.
Using the Session report
The Session report provides a list of all active user sessions and a history of sessions, along with the corresponding user names, logons, times, and status.

To display the Session report
1. Under the Reports tab on the left side of the Administrative Console, click the Sessions link.
• HTTPS server error log
• SSL engine log
The FirePass server stores the logs in the HTTP Log report on a daily basis. You can use an online calendar to choose the day for which you want to display an HTTP Log report.
Using the Application Log report
The Application Log report provides a list of aggregate and per-user application logs.

To display the Application Log report
Under the Reports tab on the left side of the Administrative Console, click the App Logs link to open the Application Log Report.
1.
1. Under the Reports tab on the left side of the Administrative Console, click the Summary Report link.
2. From the For the group drop-down list, select the FirePass server group that you want to create a Summary report for.
Using the Group report
The Group report provides a snapshot of the user-group distribution and group-based averages.

To display the Group report
1. Under the Reports tab on the left side of the Administrative Console, click the Group Report link.
2.
Installing FirePass failover servers
All FirePass servers are licensed initially as standalone servers. If you want to configure a pair of failover servers, you need to obtain new licenses. Contact your sales representative or Technical Support, and provide them...
IP configuration panel for both servers. (For information on accessing the IP configuration panel, see Configuring IPSec for the FirePass server, on page 5-9.) These addresses must be configured for both failover servers:
• One Server IP Address setting in the IP configuration panel must be a virtual IP address for the failover pair.
Configuring FirePass Failover Servers and Cluster Servers

Configuring the failover settings

To configure the failover settings
To configure servers as members of a failover pair, you must configure both:
• Identical virtual IP addresses for their respective NICs
• Reciprocal physical IP addresses for their heartbeat settings
...
Chapter 7
• The Remote IP address must be a physical (not virtual) IP address of the corresponding NIC of the other member of the failover pair.
• The Local IP address is a physical (not virtual) IP address of this NIC on this server.
Using FirePass server clusters
FirePass 4000 servers (or failover pairs of servers) can be clustered to support many concurrent connections on a single logical URL without performance degradation. Load balancing distributes the sessions among the available servers to maximize throughput.
Configuration/Web Services. For more about configuring services, see Configuring services, on page 5-5. You can also configure the method, or algorithm, FirePass uses to distribute sessions. FirePass can assign sessions randomly among the slave servers, or it can maintain an even session count among them.
Configuring clustered servers

Note
Clustering screens and links are visible only if you have a Clustering license installed.

To configure internal synchronization
1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link.
CPU load, and the time of the most recent master-slave synchronization.

To display statistics for a FirePass server cluster
1. Use the Administrative Console to connect to the master FirePass server in the cluster.
2. Under the Clustering tab on the left side of the Administrative Console, click the Stats link.