Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc. Copyright, Trademark, and Patent Information Use of the product documented in this guide is subject to your prior acceptance of the WatchGuard End User License Agreement applicable to this product. You will be prompted to read and accept the End User License Agreement when you register your Firebox on the WatchGuard website. Copyright 2005 Citrix Systems, Inc. All rights reserved. Copyright 2005 WatchGuard Technologies, Inc. All rights reserved WatchGuard, Firebox, LiveSecurity and any other word listed as a trademark in the Terms of Use portion of the WatchGuard website that is used herein are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. Citrix is a registered trademark of Citrix Systems, Inc in the U.S.A. and other countries. Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trade names referred to are the Servicemark, Trademark, or Registered Trademark of the respective manufacturers. The Firebox SSL Access Gateway software is distributed with source code covered under the GNU General Public License (GPL). To obtain source code covered under the GPL, please contact WatchGuard Technical Support at: 877.232.3531 in the United States and Canada +1.206.613.0456 in all other countries
This source code is free to download. There is a $35 charge to ship the CD. See Appendix B, Legal and Copyright Information on page 157 of this guide for the complete text of the GPL. VPN Gateway Software: 4.9 Document Version: 2201-000
ADDRESS:
505 Fifth Avenue South Suite 500 Seattle, WA 98104
ABOUT WATCHGUARD
WatchGuard is a leading provider of network security solutions for small- to midsized enterprises worldwide, delivering integrated products and services that are robust as well as easy to buy, deploy and manage. The company's Firebox X family of expandable integrated security appliances is designed to be fully upgradeable as an organization grows and to deliver the industry's best combination of security, performance, intuitive interface and value. WatchGuard Intelligent Layered Security architecture protects against emerging threats effectively and efficiently and provides the flexibility to integrate additional security functionality and services offered through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity Service subscription to help customers stay on top of the security landscape with vulnerability alerts, software updates, expert security instruction and superior customer care. For more information, please call (206) 521-8340 or visit www.watchguard.com.

SUPPORT:
www.watchguard.com/support
support@watchguard.com
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456

SALES:
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.521.8340
Contents
CHAPTER 1
Overview ..... 2
Feature Summary ..... 4
The User Experience ..... 6
Deployment and Administration ..... 7
Firebox SSL Operation ..... 8
  Starting the Secure Access Client ..... 9
  Establishing the Secure Tunnel ..... 10
  Tunneling Destination Private Address Traffic over SSL or TLS ..... 10
  Terminating the Secure Tunnel and Returning Packets to the Client ..... 12
Kiosk Operation ..... 13
Deployment Options ..... 16
CHAPTER 2
Using the Firebox SSL Remote Admin Terminal Window ..... 18
  To open the Remote Admin Terminal window ..... 19
Using the Administration Tool ..... 21
Using the Serial Console ..... 23
  To open the serial console ..... 23
Upgrading the Firebox SSL Software ..... 23
  To display the version of your installed Firebox SSL ..... 24
  To upgrade your Firebox SSL ..... 24
Supporting Secure Access Users ..... 25
  Configuring Software Firewalls for the Secure Access Client ..... 26
Generating a Secure Certificate for the Firebox SSL ..... 29
  About Digital Certificates and Firebox SSL Operation ..... 31
  Overview of the Certificate Signing Request ..... 32
  Installing the Cygwin UNIX Environment for Windows ..... 33
  Generating a CSR ..... 33
  Unencrypting the Private Key ..... 34
  Converting to a PEM-Formatted Certificate ..... 35
  Combining the Private Key with the Signed Certificate ..... 36
  Generating Trusted Certificates for Multiple Levels ..... 37
  Uploading a Certificate to the Firebox SSL ..... 38
Blocking External Access to the Administration Portal ..... 39
Managing Licenses ..... 40
Viewing and Changing the System Date and Time ..... 41
Managing Administrative Users ..... 42
Saving and Restoring the Configuration ..... 43
Managing VPN Connections ..... 45
  About Connection Handling ..... 46
  Closing a Connection to a Resource ..... 47
  Disabling/Enabling a VPN User ..... 48
Restarting the Firebox SSL ..... 49
Shutting Down the Firebox SSL ..... 49
CHAPTER 3
Using the Access Portal ..... 51
Connecting from a Private Computer ..... 56
  Using the Secure Access Window ..... 56
Connecting from a Public Computer (Kiosk Session) ..... 61
  Working with Shared Network Drives ..... 63
  Using the Citrix Client ..... 65
  Using the Remote Desktop Client ..... 65
  Using the Telnet 3270 Emulator Client ..... 67
  Using the VNC Client ..... 68
    To use the VNC client ..... 68
CHAPTER 4
Configuring Network Interfaces ..... 72
Specifying DNS/WINS Settings ..... 74
Configuring Routes ..... 75
  Configuring Dynamic Routing ..... 75
  Adding, Testing, and Removing a Static Route ..... 77
  Static Route Example ..... 78
Configuring Failover Firebox SSLs ..... 80
CHAPTER 5
Configuring Authentication, Authorization, and Local Users ..... 82
  About the Realm Named Default ..... 84
  Using a Local User List for Authentication ..... 84
  Using LDAP Authorization with Local Authentication ..... 85
  Using RADIUS Servers for Authentication ..... 88
    To specify RADIUS server settings ..... 89
  Using LDAP Servers for Authentication and Authorization ..... 91
    To specify LDAP server settings ..... 92
    Looking Up Attributes in your LDAP Directory ..... 94
  Using RSA SecurID for Authentication ..... 95
    To generate a sdconf.rec file for the Firebox SSL ..... 96
    To enable RSA SecurID authentication for the Firebox SSL ..... 97
    Resetting the Node Secret ..... 99
  Removing an Authentication Realm ..... 100
    To remove an authentication realm ..... 100
Adding Local Users ..... 100
  To create a user on the Firebox SSL ..... 101
  To delete a user from the Firebox SSL ..... 102
Controlling Network Access ..... 102
  Specifying Accessible Networks ..... 103
  Defining Network Resource Groups ..... 104
  Denying Access to Groups with No ACL ..... 107
Customizing VPN Portal Pages ..... 108
  Downloading and Working with Portal Page Templates ..... 110
  Loading Custom Portal Files on the Firebox SSL ..... 113
  Disabling Portal Page Authentication ..... 114
  Linking to the VPN Clients from Your Website ..... 115
Configuring Host Check Rules ..... 116
  Example Host Check Rules ..... 118
Configuring Network Shares for Kiosk Sessions ..... 119
Adding and Configuring User Groups ..... 121
  Configuring Resource ACLs for a User Group ..... 124
  Configuring Kiosk Operation for a Group ..... 126
  Configuring a Host Check Policy for a Group ..... 128
  Choosing a Portal Page for a Group ..... 130
  Enabling IP Pooling ..... 131
  Setting the Priority of Groups ..... 132
Enabling Split Tunneling ..... 134
Enabling Split DNS ..... 135
Enabling Session Timeout ..... 136
Configuring Internal Failover ..... 137
Forcing VPN User Re-login ..... 138
Configuring Secure Access for Single Sign-on ..... 140
APPENDIX A
Viewing and Downloading System Message Logs ..... 143
  Forwarding System Messages to a Syslog Server ..... 145
Enabling and Viewing SNMP Logs ..... 146
  MRTG Example ..... 147
Viewing System Statistics ..... 149
Monitoring Firebox SSL Operations ..... 150
Recovering from a Crash of the Firebox SSL ..... 153
  To reinstall the Firebox SSL server software ..... 154
Troubleshooting ..... 154
APPENDIX B
Legal and Copyright Information ..... 157
CHAPTER 1
The WatchGuard Firebox SSL is a network appliance that provides secure remote access to network resources and all applications, including web, client-server, and peer-to-peer applications such as Instant Messaging (IM), video conferencing, and real-time Voice over IP (VoIP). Combining the advantages of both IP Security (IPSec) and Secure Socket Layer (SSL) Virtual Private Network (VPN) solutions, the Firebox SSL provides full, secure application access without requiring changes to applications or Domain Name Service (DNS). The Firebox SSL gives the remote user seamless, secure access to authorized applications and network resources. Remote users can work with files on network drives, email, Intranet sites, and applications just as if they were working inside of their organization's firewall. The Firebox SSL also provides clientless kiosk operation, which opens a Virtual Network Computing (VNC)-like connection for remote users who access the Firebox SSL from a non-secure computer. Kiosk user access can include shared network drives, a variety of built-in clients, servers running Windows Terminal Services (Remote Desktop), VNC servers, and Citrix ICA. The following topics provide an overview of the Firebox SSL:
Overview on page 2
Firebox SSL VPN Gateway Administration Guide 1
Feature Summary on page 4
The User Experience on page 6
Deployment and Administration on page 7
Firebox SSL Operation on page 8
Kiosk Operation on page 13
Deployment Options on page 16
WatchGuard provides other network appliance products. For information, go to http://www.watchguard.com.
Overview
The Firebox SSL installs into any network infrastructure without requiring changes to the existing hardware or back-end software. The Firebox SSL sits in front of application and web servers and works with other networking products such as firewalls, server load balancers, cache engines, routers, and IEEE 802.11 broadband wireless devices. The Firebox SSL, installed in the corporate DMZ, participates on two networks: a private network and a public network with a publicly routable IP address. The Firebox SSL can also partition local area networks internally in the organization for access control and security between wired/wireless and data/voice networks. As shown in the following illustration, the Firebox SSL is appropriate for employees accessing the organization remotely, Business to Business (B2B) access and transactions, and intranet access from restricted LANs such as wireless networks.
As shown in the following illustration, the Firebox SSL creates a virtual TCP circuit between itself and the client computer running the WatchGuard Secure Access client.
The virtual TCP circuit is encrypted using proven technologies such as SSL and Transport Layer Security (TLS). All packets destined for the private network are transported over the virtual TCP circuit. The Firebox SSL is essentially acting as a low-level packet filter with encryption: it drops traffic that is not authenticated, and traffic from an authenticated user that is not permitted for the particular network it is addressed to.
Feature Summary
Most of the features listed in the following table are implicitly supported through the ability of the Firebox SSL to intercept every network connection initiated on the client computer, whether TCP (connection-oriented applications) or UDP (voice and video applications). The Secure Access client forwards all IP packets over an SSL tunnel to the Firebox SSL based on dynamically determined routing policies that are transparent to the remote user. The Firebox SSL retransmits these IP packets to the intended host.
Application support
  Unlike other VPN solutions, the Firebox SSL is application-agnostic. The Firebox SSL operates more like an IPSec VPN than an SSL VPN. Supports all applications (web, client-server, peer-to-peer, and real-time) without modification to the applications or DNS. Handles real-time traffic, such as voice (RTP/SIP), with minimal loss in performance.

Protocol support
  Supports IP. Supports PPPoE (Point-to-Point Protocol over Ethernet) and PPP. Supports Ethernet, including 802.11, and Remote Access Service (RAS) connections, including TCP, UDP, and Internet Control Message Protocol (ICMP).

Platform support
  Supports computers running Windows 2000, Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows XP Home, Windows XP Professional, and all Linux 2.4 platforms (tested extensively with RedHat). Includes a client that supports computers, such as Macintosh, running Java Virtual Machine (JVM) version 1.4.2 or higher.
Ease of use and deployment
  Automatically updates the Secure Access client when a new version is available on the Firebox SSL. The Secure Access client can go into a suspend state rather than timing out so that the connection is always available and the user does not have to repeatedly log in. The Secure Access client continues to run in memory even when the laptop or PC is disconnected from the network. Because every packet is encrypted inside the tunnel, this protects the client's traffic over 802.11 networks without having to deploy and maintain a WEP environment. The Secure Access client can be configured for single sign-on operation so that it starts automatically after a user logs in to Windows. A user's Windows login credentials are passed to the Firebox SSL for authentication and then the VPN connection is automatically established without user intervention. Windows login scripts run after the VPN connection is established. Includes the option to use the default portal pages (Access Portal), to customize easy-to-use portal page templates, or to include links to the clients directly on your website. Provides access to remote networks that have the same numbering as the local subnet.

VPN operation
  Provides users with a desktop-like network experience. Through the VPN connection, users can map network drives just as they would from their in-office computer, and work with client applications, such as Microsoft Outlook or any other application, in their native user interface. The remote user does not need to do any client application reconfiguration. VPN users can seamlessly access the Firebox SSL even if they are behind another organization's firewall.

Kiosk operation
  Provides, on a group basis, access to a private network from public computers. Sends images, not data, to the kiosk. Because no temporary files or cookies are downloaded to the remote computer, there is no risk of files remaining after the session. (This covers disk artifacts only: the public computer still renders the screen and captures the keystrokes, so a keylogger or screen grabber on it sees everything the user types and views, including the login credentials.) Opens a VNC-like window that is configurable by group. Optional components include a Mozilla browser window with a configurable default URL, network shares, and icons that provide one-click access to Remote Desktop, VNC, Telnet 3270 emulator, SSH, and Citrix ICA clients.

Performance
  Supports up to 205 tunnels. Provides throughput of 75 MB per second.

Authentication, authorization, and access control
  Supports HTTP 401 Basic, Digest, and Windows Domain Authentication and RADIUS, LDAP, and RSA SecurID authentication servers. User accounts can also be defined on the Firebox SSL. Supports realm-based authentication so that a single Firebox SSL can be used with multiple authentication servers. Supports LDAP or local user group authorization. Provides access control through the association of resources to user groups.
Security
  Supports digital certificates in Privacy Enhanced Mail (PEM) format that include a private key. Notifies VPN users if the Firebox SSL to which they connect does not have a certificate that is signed by a Certificate Authority, and therefore is not a trusted device. (Treat that warning as a hard stop rather than something users click through: a user who accepts an unverified certificate cannot tell the real gateway from an impostor. Install a CA-signed certificate before rolling the client out; see Generating a Secure Certificate for the Firebox SSL on page 29.)
  Redirects over a secure tunnel all network traffic (all IP packets) destined for certain private networks.
  Uses SSL and TLS to encrypt every packet, including all header information, so an observer of the encrypted stream cannot reconstruct the tunnelled packets. (The original text names the versions as "SSL (v1 and v2) and TLS SSL (v3)", which muddles the numbering: the protocols of the period are SSL 2.0, SSL 3.0 and TLS 1.0. SSL 2.0 and SSL 3.0 have since been shown to be insecure and should not be relied on.)
  Supports SSL with compression. (Caveat: TLS-level compression was later shown to leak plaintext to an attacker who can inject chosen data into the stream, the CRIME attack of 2012, and current TLS implementations disable it. Leave it off.)
  Supports TLS/SSL encryption at the strength of the negotiated cipher suite, with weaker and stronger suites available. (The original text says "196-bit" and ties the strength to the certificate; no common symmetric cipher uses a 196-bit key, and it is the cipher suite, not the certificate, that sets the symmetric key length. The certificate's key size affects only the handshake.) The guide suggests lowering the encryption strength if performance is more important than security; on an Internet-facing gateway that trade is not one a practitioner should make.
  Supports all OpenSSL ciphers: CAST, CAST5, DES, Triple-DES, IDEA, RC2, RC4, and RC5. (DES, RC2 and RC4 are now considered broken and Triple-DES weak; AES does not appear in the list, which dates the product.)
  Supports the 802.11 optional encryption scheme, Wired Equivalent Privacy (WEP). (WEP is cryptographically broken; the guide's own point in the feature list above is that the tunnel protects wireless traffic without relying on it.)
  Requires only one available port: 443 (by default).
  Makes IP addresses either invisible or visible to accessed network applications, by application or host. When network IP addresses are hidden, the remote user's VPN connection looks like a browser session rather than an IP address: nothing on the private network can open a connection back to the client, which limits worm traversal.
  Does not touch client-side route tables.
  Supports configurable host check rules to ensure that a VPN user's computer meets the requirements of the rule. You can require that a connecting computer has a particular registry path, file, and/or active process. For example, host check rules enable you to enforce real-time checking of the presence of firewall or antivirus software; if a VPN user stops the firewall or anti-virus software, the VPN tunnel is immediately frozen.
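The host check behaviour described in the Security table above, as an added example (not the Firebox SSL's own engine): a rule is a set of registry paths, files and running processes that must all be present, the client reports a fresh snapshot at each interval, and any failure freezes the tunnel rather than tearing it down. The rule shape, the snapshot format, the assumption that a later clean check thaws the tunnel, and all paths and process names are assumptions and constructed data; the appliance's real rule syntax is set in the Administration Tool and is not shown on this page.

```python
"""Host check rule evaluation with the 'freeze the tunnel' behaviour the guide
describes. Added example, not WatchGuard code; rule shape, snapshot format,
thaw-on-pass and every path/process name are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HostCheckRule:
    name: str
    registry_paths: tuple = ()   # registry keys that must exist
    files: tuple = ()            # files that must exist
    processes: tuple = ()        # image names that must be running


@dataclass
class HostSnapshot:
    """What the client reports about itself at one check interval (constructed)."""
    registry_paths: set
    files: set
    processes: set


def _norm(name):
    # Registry keys, Windows paths and image names are case-insensitive.
    return name.lower()


def evaluate(rule, snapshot):
    """Return the requirements the host fails, as 'kind:item' strings.
    An empty list means the rule passes; every listed item is required (AND)."""
    have = {kind: {_norm(x) for x in items} for kind, items in (
        ("registry", snapshot.registry_paths),
        ("file", snapshot.files),
        ("process", snapshot.processes))}
    wanted = (("registry", rule.registry_paths),
              ("file", rule.files),
              ("process", rule.processes))
    return [f"{kind}:{item}" for kind, items in wanted
            for item in items if _norm(item) not in have[kind]]


ESTABLISHED, FROZEN = "established", "frozen"


@dataclass
class Tunnel:
    user: str
    rules: list
    state: str = ESTABLISHED
    history: list = field(default_factory=list)   # (state, failures) per check

    def recheck(self, snapshot):
        """Run every rule against a fresh snapshot. Any failure freezes the
        tunnel (traffic is held, the session is kept); a later clean check
        returns it to ESTABLISHED (assumed behaviour)."""
        failures = {r.name: f for r in self.rules if (f := evaluate(r, snapshot))}
        self.state = FROZEN if failures else ESTABLISHED
        self.history.append((self.state, failures))
        return self.state


if __name__ == "__main__":
    # Constructed rule: a personal firewall must be installed and running.
    fw_rule = HostCheckRule("firewall",
                            registry_paths=("HKLM\\SOFTWARE\\ExampleFW",),
                            files=("C:\\Program Files\\ExampleFW\\fw.exe",),
                            processes=("fw.exe",))
    tunnel = Tunnel("alice", [fw_rule])
    healthy = HostSnapshot({"HKLM\\SOFTWARE\\ExampleFW"},
                           {"C:\\Program Files\\ExampleFW\\fw.exe"},
                           {"FW.EXE", "explorer.exe"})
    stopped = HostSnapshot(healthy.registry_paths, healthy.files, {"explorer.exe"})
    for snap in (healthy, stopped, healthy):
        print(tunnel.recheck(snap), tunnel.history[-1][1])
```

The point worth noticing is the per-interval re-evaluation: a check that runs only at login is satisfied by a user who starts the firewall, logs in, and stops it again, which is exactly the case the guide's "immediately frozen" wording addresses.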
NOTE The portal page is customizable, as described in Customizing VPN Portal Pages on page 108. You can also include a link to the clients on a website, as described in Linking to the VPN Clients from Your Website on page 115.
After a successful login, the user can work with network shares and run applications just as if the user were sitting inside of the organization's firewall. The remote user does not need to do any client application reconfiguration and works with client applications in their native user interface.
are specific to your site, such as the Firebox SSL IP address, netmask, default gateway IP address, and DNS addresses. After you complete the basic connection, you then configure the settings specific to VPN operation, such as the options for authentication, authorization, and group-based access control, kiosk operation, host checking, portal pages, and IP pools. All Firebox SSL administration and monitoring is performed through the Firebox SSL Remote Admin Terminal window, which provides access to the Administration Tool and a variety of standard network monitoring tools, including Ethereal Network Monitor, xNetTools, Traceroute, fnetload, and System Monitor. The Firebox SSL Remote Admin Terminal window also provides access to the Real-time Monitor, where you can view a list of current VPN users and groups and close the VPN connection for any user or group. You will need to provide remote VPN users with the URL of the Firebox SSL and a list of the resources that they can access. Remote users can log in with their usual credentials and do not need to perform any configuration of the Secure Access client or any application clients, resulting in minimal user support.
1. A remote user obtains the Secure Access client by accessing a secure web URL and providing authentication credentials. After a successful login, the Firebox SSL establishes a secure tunnel.
2. As the remote user attempts to access network resources across the VPN tunnel, the Secure Access client encrypts all network traffic destined for the organization's intranet and forwards the packets and user credentials over an HTTPS session to the Firebox SSL.
3. The Firebox SSL terminates the SSL tunnel and accepts any incoming packets destined for the private network. After adjusting the packet addressing (the reverse NAT described under Terminating the Secure Tunnel), the Firebox SSL injects them into the private network. The Firebox SSL sends traffic back to the remote computer over the secure tunnel.

Those steps are detailed in the following sections:
Starting the Secure Access Client on page 9
Establishing the Secure Tunnel on page 10
Tunneling Destination Private Address Traffic over SSL or TLS on page 10
Terminating the Secure Tunnel and Returning Packets to the Client on page 12
SSL for authentication. Enabling single sign-on for the Secure Access client facilitates operations on the remote computer such as installation scripts and automatic drive mapping.
Target servers view connections as originating from the local Firebox SSL on the private network, thus hiding the client IP address (reverse NAT). Hiding IP addresses adds security to source locations in B2B implementations and also secures the wireless network in an organization for its users and visitors, providing a viable alternative to WEP. Locally, on the client computer, all connection-related traffic (such as SYN-ACK, PUSH, ACK and FIN packets) is recreated by the Secure Access client to appear to come from the private server.
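The reverse NAT just described, as an added example that is not WatchGuard's code: a port-mapped translation table of the kind the next paragraph attributes to the Firebox SSL. The gateway rewrites the source of each tunnelled TCP connection to its own private-side address and a port it chooses, remembers the mapping, and uses it to return reply packets over the right client tunnel with the client's original port restored; a reply with no live mapping is dropped, which is what keeps a hidden client unreachable from the inside. The gateway address 10.0.0.5, the port range, the Flow and ReverseNatTable names, and the addresses in the demo are assumptions and constructed data.

```python
"""Port-mapped reverse NAT table for a VPN gateway. Added example, not
WatchGuard code; the gateway address, port range and names are assumptions."""
from dataclasses import dataclass

GATEWAY_PRIVATE_IP = "10.0.0.5"      # assumed private-side address of the gateway
PORT_RANGE = range(40000, 40100)     # assumed pool of gateway-side source ports


@dataclass(frozen=True)
class Flow:
    """TCP 4-tuple as seen on one side of the gateway."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ReverseNatTable:
    def __init__(self):
        self._outbound = {}          # (tunnel_id, client Flow) -> gateway port
        self._inbound = {}           # gateway port -> (tunnel_id, client Flow)
        self._free = list(PORT_RANGE)

    def translate_outbound(self, tunnel_id, flow):
        """Packet arriving from a client tunnel: return the Flow the private
        network sees. The same client connection always gets the same gateway
        port. The key includes tunnel_id, so two clients that happen to use
        the same local address and port (same-numbered home subnets) never
        collide."""
        key = (tunnel_id, flow)
        port = self._outbound.get(key)
        if port is None:
            if not self._free:
                raise RuntimeError("reverse NAT port pool exhausted")
            port = self._free.pop(0)
            self._outbound[key] = port
            self._inbound[port] = key
        return Flow(GATEWAY_PRIVATE_IP, port, flow.dst_ip, flow.dst_port)

    def translate_inbound(self, flow):
        """Packet from the private network addressed to the gateway: return
        (tunnel_id, Flow as the client expects it), or None to drop it. Only
        a reply from the exact peer the client connected to is accepted."""
        if flow.dst_ip != GATEWAY_PRIVATE_IP:
            return None
        key = self._inbound.get(flow.dst_port)
        if key is None:
            return None
        tunnel_id, client = key
        if (flow.src_ip, flow.src_port) != (client.dst_ip, client.dst_port):
            return None              # port in use, but by a different peer
        return tunnel_id, Flow(client.dst_ip, client.dst_port,
                               client.src_ip, client.src_port)

    def close(self, tunnel_id, flow):
        """Connection finished (FIN/RST seen): release the mapping so the
        gateway port can be reused."""
        port = self._outbound.pop((tunnel_id, flow), None)
        if port is not None:
            del self._inbound[port]
            self._free.append(port)


if __name__ == "__main__":
    table = ReverseNatTable()
    # Constructed: a client on a home LAN opening SMB to a private file server.
    client = Flow("192.168.1.20", 51000, "10.0.0.50", 445)
    seen_by_server = table.translate_outbound("tunnel-A", client)
    print("server sees:", seen_by_server)
    reply = Flow("10.0.0.50", 445, GATEWAY_PRIVATE_IP, seen_by_server.src_port)
    print("reply routed to:", table.translate_inbound(reply))
    print("stray packet:", table.translate_inbound(Flow("10.0.0.60", 445, GATEWAY_PRIVATE_IP, 40050)))
```

The mapping is keyed by tunnel as well as by the client's 4-tuple; that is the detail that lets the gateway serve "remote networks that have the same numbering as the local subnet" from the feature list, since two clients on 192.168.1.0/24 would otherwise produce identical keys.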
NAT firewalls maintain a NAT table that allows them to route secure packets from the Firebox SSL back to the client computer. For circuit-oriented connections, the Firebox SSL maintains a port-mapped, reverse NAT translation table. The reverse NAT translation table enables the Firebox SSL to match connections and send packets back over the tunnel to the client with the correct port numbers so that the packets return to the correct application. The Firebox SSL tunnel is established using industry standard connection establishment techniques such as HTTPS, Proxy HTTPS, and SOCKS. This operation makes the Firebox SSL firewall friendly and thus allows remote computers to access private networks from behind other organizations' firewalls without creating any problems. For example, the connection can be made via an intermediate proxy, such as an HTTP proxy, by issuing an HTTP CONNECT request to the intermediate proxy. Any credentials requested by the intermediate proxy are in turn obtained from the remote user (from single sign-on information or by prompting the remote user) and presented to the intermediate proxy server. Once the HTTPS session is established, the payload of the session is encrypted and carries secure packets to the Firebox SSL.
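The CONNECT exchange through an intermediate proxy, including the proxy-authentication round trip, as an added example that is not the Secure Access client's code (the client's own wire behaviour is not documented on this page). It shows the standard HTTP CONNECT request with Basic proxy credentials supplied only after the proxy has challenged for them; the proxy replies are constructed sample data, and the host names, the FakeProxy stand-in and the callback names are assumptions. Once the proxy answers 2xx, the bytes that follow are the client's TLS handshake with the gateway, which this example does not perform.

```python
"""HTTP CONNECT through an authenticating intermediate proxy. Added example,
not WatchGuard code; host names and the FakeProxy stand-in are assumptions."""
import base64


def build_connect(gateway_host, gateway_port=443, proxy_credentials=None):
    """Return the CONNECT request bytes. proxy_credentials is (user, password)
    and is attached only after the proxy has asked for it."""
    target = f"{gateway_host}:{gateway_port}"
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if proxy_credentials is not None:
        user, password = proxy_credentials
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_proxy_reply(raw):
    """Split the proxy's reply into (status_code, headers, leftover_bytes).
    Header names are lower-cased; leftover is whatever followed the blank
    line (normally empty, otherwise the start of the tunnelled stream)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy reply")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, rest


def establish_tunnel(send_and_receive, gateway_host, ask_for_credentials):
    """Drive the exchange. send_and_receive(request) -> reply bytes stands in
    for the proxy socket; ask_for_credentials() -> (user, password) stands in
    for the single sign-on store or a prompt to the user. Returns the bytes
    left over after the proxy's headers."""
    status, headers, rest = parse_proxy_reply(send_and_receive(build_connect(gateway_host)))
    if status == 407:
        challenge = headers.get("proxy-authenticate", "")
        if not challenge.lower().startswith("basic"):
            raise RuntimeError(f"unsupported proxy authentication scheme: {challenge!r}")
        request = build_connect(gateway_host, proxy_credentials=ask_for_credentials())
        status, headers, rest = parse_proxy_reply(send_and_receive(request))
    if not 200 <= status < 300:
        raise RuntimeError(f"proxy refused CONNECT with status {status}")
    return rest


class FakeProxy:
    """Constructed stand-in for an authenticating proxy: answers 407 until it
    sees the expected Basic token, then 200. Records every request."""

    def __init__(self, user, password):
        self.expected = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.requests = []

    def __call__(self, request):
        self.requests.append(request)
        if f"Proxy-Authorization: Basic {self.expected}".encode() in request:
            return b"HTTP/1.1 200 Connection established\r\n\r\n"
        return (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                b'Proxy-Authenticate: Basic realm="corp"\r\n\r\n')


if __name__ == "__main__":
    proxy = FakeProxy("alice", "s3cret")
    establish_tunnel(proxy, "vpn.example.com", lambda: ("alice", "s3cret"))
    for req in proxy.requests:
        print(req.decode(), end="")
```

Two things to keep in mind when this is deployed for real: Basic credentials are only base64-encoded, so the proxy and anything on the client-to-proxy path can read them, and they must therefore be the proxy's credentials and never the VPN user's gateway credentials; and the proxy's 200 says nothing about who is on the far end, so the gateway certificate check during the TLS handshake that follows is still the only thing that authenticates the Firebox SSL.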
the second tunnel's traffic, which appears to be from the Firebox SSL, after the traffic is already decrypted.
When an application client connects to its application server, certain protocols may require that the application server in turn attempt to create a new connection with the client. In this case, the client sends its known local IP address to the server by means of a custom client-server protocol. For these applications, the Secure Access client is able to provide the local client application a private IP address representation, which the Firebox SSL will use on the internal network. Many real-time voice applications and FTP use this feature.
Kiosk Operation
The Firebox SSL also provides secure access to a private network from a public computer through optional kiosk operation. When remote users indicate that they are connecting from a public computer, the Firebox SSL opens a Virtual Network Computing (VNC)-like connection in a window. For computers running Windows 2000 and above, kiosk operation is available through the Access Portal. The kiosk link can be removed from the Access Portal on a group basis.
For computers running a JVM 1.4.2 or higher (such as Macintosh or Windows 95/98 computers), kiosk operation is available through a Java applet. For Macintosh, Safari is the supported browser. During kiosk operation, the Firebox SSL sends images only (no data) over the VPN connection. As a result, there is no risk of leaving temporary files or cookies on the public computer. Both temporary files and cookies are maintained on the Firebox SSL for the session. As shown in the following example, the Firebox SSL kiosk display can include a web browser, several applications, and network shares.
The browser defaults to a URL that is configured per group through the Firebox SSL Administration Tool. The kiosk window can also include one-click access to Citrix ICA, Remote Desktop, SSH, Telnet 3270 emulator, and VNC clients, through icons that display in the bottom-right corner of the window. You specify for each group the applications to be included. The kiosk window also provides one-click access to shared network drives, through icons such as the one labelled ws in the following example. The Firebox SSL administrator configures the permissions granted (read-only or read/write) to each shared network drive. The following example shows the result of opening a shared network drive.
VPN users can copy files from the network share to their computer simply by dragging the file onto the KioskFTP icon and selecting the destination in the File Download dialog box.
Deployment Options
The Firebox SSL Quick Start describes how to install the Firebox SSL with a firewall, the most common configuration. You can also connect the Firebox SSL to other devices such as a server load balancer or router.
CHAPTER 2
The following topics describe how to administer your Firebox SSL:
Using the Firebox SSL Remote Admin Terminal Window on page 18
Using the Administration Tool on page 21
Using the Serial Console on page 23
Upgrading the Firebox SSL Software on page 23
Supporting Secure Access Users on page 25
Generating a Secure Certificate for the Firebox SSL on page 29
Blocking External Access to the Administration Portal on page 39
Managing Licenses on page 40
Viewing and Changing the System Date and Time on page 41
Managing Administrative Users on page 42
Saving and Restoring the Configuration on page 43
Managing VPN Connections on page 45
Restarting the Firebox SSL on page 49
[Figure: the Remote Admin Terminal window, with callouts for the Taskbar, Administration Tool, Monitoring Applications, Real-time Monitor, Workspace Switcher and Taskbar Buttons, Processor Usage, Network Usage, and System Time/Date]
From the Downloads page, you can launch or download the Administration Tool and download documentation, portal page templates, and a sample email that you can customize with instructions for VPN users.
NOTE By default, if you configure the Firebox SSL to use both LAN interfaces, the Administration Portal can be accessed from either interface. To block administration access from the external-facing interface, see Blocking External Access to the Administration Portal on page 39.
Click either Launch Firebox SSL Administration Tool or Download the Firebox SSL Administration Tool. (If you see a Security Warning dialog, click Yes to download the required ActiveX Helper client.)
- If you chose the launch link, skip to step 5.
- If you chose the download link, click Save to save a shortcut to your desktop, enabling you to skip the preceding steps the next time that you want to open the Remote Admin Terminal window.
In the Remote Admin Terminal login dialog, enter the Firebox SSL administrator credentials. Unless you have changed the default administrative account as described in Managing Administrative Users on page 42, enter root in the User Name field and rootadmin in the Password field, and then click Connect. Change that default password before the appliance is reachable from any network you do not control: root/rootadmin is printed in this guide and is therefore known to anyone who can find the Administration Portal.
The Remote Admin Terminal window opens. For information on the applications available from the Remote Admin Terminal window, see the following topics:
Using the Administration Tool on page 21
Monitoring Firebox SSL Operations on page 150
The serial console contains the minimal prompts required to connect the Firebox SSL to your network.
When you open the Remote Admin Terminal window, the Administration Tool window opens inside of the Remote Admin Terminal window. If you close the Administration Tool, you can reopen it by clicking the Administration Tool icon in the taskbar of the Remote Admin Terminal window. The left pane of the Administration Tool window displays Help information for the current tab. In a few cases, making a selection from a drop-down menu displays a new Help topic.
NOTE When working with the Administration Tool, click Submit to apply changes. If you are prompted to restart the Firebox SSL, you can restart it when you have completed your changes.
To close the Administration Tool window, choose Options > Exit or click the close button.
1. Download the upgrade file from the WatchGuard Support site to your local network. Upgrade files are available from https://www.watchguard.com/archive/softwarecenter.asp. If you cannot locate the upgrade file or do not know which upgrade file to use, please contact WatchGuard Support.
2. In the Firebox SSL Administration Tool, go to the Administration > Maintenance tab.
3. Locate the upgrade file that you want to upload and click Open.
4. The file is uploaded and the Firebox SSL restarts automatically.
When you upgrade the Firebox SSL, all of your configuration settings are preserved. For information on saving and restoring a configuration, see Saving and Restoring the Configuration on page 43.
variety of popular firewalls, see Configuring Software Firewalls for the Secure Access Client on page 26. Users who wish to FTP over the Firebox SSL connection must set their FTP application to perform passive transfers. A passive transfer means that the remote computer will establish the data connection to your FTP server, rather than your FTP server establishing the data connection to the remote computer. Users who wish to run X client applications across the VPN connection must run an X Server, such as XManager, on their computer. Because Secure Access users work with files and applications just as if they were local to the organization's network, no retraining of users or reconfiguration of applications is needed. We have provided an email template which includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. We recommend that you customize the text for your site and then send the text in an email to your VPN users.
- BlackICE PC Protection on page 27
- McAfee Personal Firewall Plus on page 27
- Norton Personal Firewall on page 28
- Sygate Personal Firewall (free and Pro versions) on page 28
- Tiny Personal Firewall on page 28
- ZoneAlarm Pro on page 29
BlackICE PC Protection
The following BlackICE settings enable the Secure Access client to reach the Internet and the resources allowed by the Firebox SSL. To configure the settings, open the BlackICE window and choose the following commands.
Tools > Edit BlackICE Settings: On the Firewall tab, make sure that the Protection Level is lower than Paranoid; the Paranoid level prevents you from running applications, such as e-mail, over the VPN connection. On the Intrusion Detection tab, add the IP address of the Firebox SSL as a trusted zone. Also add the IP address or range of allowed resources as trusted zones. When you add an IP address, be sure to select the Add Firewall Entry check box.
To configure the settings, open the Tiny Personal Firewall administration window, click the Advanced button to view the Firewall Configuration window, and then use the Filter Rule dialog box as indicated below.
Add: To permit the IP address or range of allowed resources, use the following settings:
- Protocol = TCP and UDP
- Direction = Both Direction
- Local Endpoint fields = Any
- Remote Endpoint = specify IP address(es)
- Action = Permit
After you apply the above configuration and then start the Secure Access client, Tiny Personal Firewall will display several Incoming Connection Alerts related to the Secure Access client. For each alert, select the Create appropriate filter check box and click Permit.
ZoneAlarm Pro
The following ZoneAlarm settings enable the Secure Access client to reach the Internet and the resources allowed by the Firebox SSL. To configure the settings, choose the tabs indicated in the following table.
Firewall > Zones Define the host name of the Firebox SSL as a trusted zone.
The Firebox SSL accepts a Privacy Enhanced Mail (PEM) format certificate file. PEM is a text format that is the Base-64 encoding of the Distinguished Encoding Rules (DER) binary format. The PEM format specifies the use of text BEGIN and END lines that indicate the type of content that is being encoded.
Before you can upload a certificate to the Firebox SSL, you will need to generate a Certificate Signing Request (CSR) and private key. We recommend using Linux OpenSSL to administer any certificate tasks. If Linux is not available, we recommend the Cygwin UNIX environment for Windows, which includes an OpenSSL module. Instructions for downloading, installing, and using the Cygwin UNIX environment to generate a CSR are included in this section. If you are familiar with certificate manipulation, you can use other tools to create a PEM-formatted file.
The certificate that you upload to the Firebox SSL must have the following characteristics:
- It must be in PEM format and must include a private key.
- The signed certificate and private key must be unencrypted.
The following topics describe how to perform the tasks associated with generating a CSR:
- About Digital Certificates and Firebox SSL Operation on page 31
- Overview of the Certificate Signing Request on page 32
- Installing the Cygwin UNIX Environment for Windows on page 33
- Generating a CSR on page 33
- Unencrypting the Private Key on page 34
- Converting to a PEM-Formatted Certificate on page 35
- Combining the Private Key with the Signed Certificate on page 36
- Generating Trusted Certificates for Multiple Levels on page 37
- Uploading a Certificate to the Firebox SSL on page 38
If the user chooses to establish the connection, the status window and system tray icon appear as follows.
Secure Access users will see security warnings unless you install a certificate that is signed by a Certificate Authority on the Firebox SSL and a corresponding certificate on VPN users' computers. Users can also disable the Security Alert through the Secure Access Connection Properties dialog box.
The general process for generating a CSR and handling the signed certificate is as follows:
1 Generate a CSR (public.csr) and private key (private.key) as described in Generating a CSR on page 33.
2 Send the public.csr file to an authorized certificate provider.
3 If you used a tool other than the Cygwin UNIX environment to generate the CSR, check the format of the private key. If it is in DER format or is encrypted, convert it to PEM format as described in Unencrypting the Private Key on page 34.
4 When you receive the signed certificate file from your SSL certification company, check the file format. If it is not in PEM format, convert it as described in Converting to a PEM-Formatted Certificate on page 35.
5 Combine the PEM-formatted signed certificate with the PEM-formatted private key (private.key) as described in Combining the Private Key with the Signed Certificate on page 36.
6 If your certificate has more than one level, handle the intermediate certificates as described in Generating Trusted Certificates for Multiple Levels on page 37.
7 Upload the certificate to the Firebox SSL as described in Uploading a Certificate to the Firebox SSL on page 38.
2 Follow the on-screen instructions to open the setup installer.
3 In the Cygwin Setup dialog box, click Next.
4 Click Install from Internet and then click Next.
5 Accept the default root installation directory settings and then click Next.
6 Accept the default local package directory setting and then click Next.
7 In the Internet Connection screen, click Use IE5 Settings and then click Next.
8 In the list of Available Download Sites, click ftp://ftp.nas.nasa.gov and then click Next.
9 In the Select Packages screen, click the View button (upper-right corner).
10 Scroll the packages list to locate in the Package column openssl: The OpenSSL runtime environment and openssl-devel: The OpenSSL development environment.
11 In the New column for those two entries, click Skip. The current version number of Cygwin appears.
12 Click Next to start the installation. After Cygwin installs, you can generate the CSR.
Generating a CSR
These instructions to generate a CSR assume that you are using the Cygwin UNIX environment installed as described in Installing the Cygwin UNIX Environment for Windows on page 33.
To generate a CSR using the Cygwin UNIX environment:
1 Double-click the Cygwin icon on the desktop. A command window opens with a UNIX bash environment.
2 To change to a particular drive, use the command: cd driveLetter:
3 At the $ prompt, type the following to generate a CSR. For example:
openssl req -new -nodes -keyout private.key -out public.csr
Status messages about the private key generation appear. You will be prompted for information such as country name.
When prompted for the Common name, enter the DNS name of the Firebox SSL.
The name that you enter will appear in the certificate and must match the name expected by PCs that connect to the Firebox SSL. Thus, if you alias DNS names, you will need to use the alias name instead.
Submit your CSR (public.csr) to an authorized certificate provider such as Verisign. When asked for the type of server that the certificate will be used with, indicate Apache. (If you indicate Microsoft, the certificate might be in PKCS7 format and you will need to follow the procedure in Converting to a PEM-Formatted Certificate on page 35 to convert the certificate to a PEM format.)
The certificate provider will return a Signed Certificate to you by email within several days.
To unencrypt the private key:
1 At the $ prompt, enter the command:
openssl rsa
If you enter this command without arguments, you will be prompted as follows:
Enter the name of the password to be encrypted.
You can enter the openssl rsa command with arguments if you know the name of the private key and the unencrypted PEM file. For example, if the private key filename is my_keytag_key.pvk, and the unencrypted filename is keyout.pem, you would enter:
openssl rsa -in my_keytag_key.pvk -out keyout.pem
For more information, refer to the following URL: http://www.openssl.org/docs/apps/rsa.html#EXAMPLES For information on downloading OpenSSL for Windows, refer to the following URL: http://sourceforge.net/project/showfiles.php?group_id=23617&release_id=48801
If the certificate is already in a text format, it may be in PKCS format. (You will receive a PKCS-formatted certificate if you specified that the certificate will be used with a Microsoft server rather than an Apache server.) The following command will result in an error message if the certificate is not in PEM format. The certFile should not contain the private key when you run this command.
openssl verify -verbose -CApath /tmp certFile
If that command results in the following error message, the file is not in PEM format:
certFile: unable to load certificate file
4840:error:0906D064:PEM routines: PEM_read_bio:bad base64 decode:pem_lib.c:781:
To convert the certificate from PKCS7 to PEM format:
1 Run the command:
openssl pkcs7 -in ./certFile -print_certs
The output looks similar to the following:
subject=...
...
-----BEGIN CERTIFICATE-----
... Server Certificate ...
-----END CERTIFICATE-----
subject=...
...
-----BEGIN CERTIFICATE-----
... Intermediate Cert ...
-----END CERTIFICATE-----
Combine the server certificate data and the intermediate certificate data (if it exists) from the output with the private key as specified in Combining the Private Key with the Signed Certificate on page 36 and Generating Trusted Certificates for Multiple Levels on page 37.
To combine the Private Key with the Signed Certificate:
1 Use a text editor to combine the unencrypted private key with the signed certificate in the PEM file format. The file contents should look similar to the following:
-----BEGIN RSA PRIVATE KEY-----
<Unencrypted Private Key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<Signed Certificate>
-----END CERTIFICATE-----
You must determine whether your certificate has more than one level and, if it does, handle the intermediate certificates properly.
To generate trusted certificates for multiple levels:
1 Open Internet Explorer, and access a page through the Firebox SSL. For example, enter a URL similar to the following: https://ipAddress:httpPort//www.mypage.com where:
- ipAddress is the IP address of your Firebox SSL
- httpPort is the Firebox SSL HTTP port number
2 Double-click the Lock symbol in the bottom right corner of the browser.
3 Switch to the Certificate Path window pane at the top of the screen.
4 Double-click the first path level to bring up the Certificate information for the first level and then go to the Details screen.
5 Click the Copy to File button at the bottom.
6 After the Certificate Export Wizard appears, click Next.
7 Click the format Base-64 encoded and then click Next.
8 Enter a filename. For example, G:\tmp\root.cer.
9 Review the information and note the complete filename. Click Finish.
10 Click OK to close the Certificate information window for the first level.
11 Repeat Steps 4-10 for all levels except the last level.
12 Insert all certificates into one file, and make sure that any intermediate certificates are part of any certificate file you upload. The file to be uploaded should be in the following format:
private key
Server Certificate
Intermediate Certificate 0
Intermediate Certificate 1
Intermediate Certificate 2
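The certificate preparation described in Generating a CSR, Unencrypting the Private Key, Converting to a PEM-Formatted Certificate, Combining the Private Key with the Signed Certificate and Generating Trusted Certificates for Multiple Levels, carried through as one script with pre-upload checks. This is an added example, not code from the guide or from WatchGuard. It assumes openssl on the PATH, a scratch directory WORKDIR, the hypothetical host name vpn.example.com, and a constructed self-signed certificate standing in for the certificate provider's reply so that it runs offline; with a real provider you would use the file it returned in place of cert.pem.

```shell
#!/bin/sh
# Added example; not code from the WatchGuard guide. Builds the single PEM file
# the Firebox SSL accepts (unencrypted private key, then server certificate,
# then intermediates) and checks it before upload. Assumes: openssl on PATH,
# a writable WORKDIR, and the host name passed to make_csr. The "CA reply" is a
# constructed self-signed certificate so the script runs offline.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Unencrypted private key + CSR (the guide's "openssl req -new -nodes ...").
# -newkey rsa:2048 and -subj are additions so the run needs no prompts.
make_csr() {
  openssl req -new -nodes -newkey rsa:2048 \
    -keyout "$WORKDIR/private.key" -out "$WORKDIR/public.csr" \
    -subj "/C=US/ST=WA/L=Seattle/O=Example Inc/CN=$1" >/dev/null 2>&1
}

# Succeeds only if openssl can read a PEM certificate from the file; it fails
# on a PKCS7 bundle, the same signal as the guide's verify step.
is_pem_cert() { openssl x509 -in "$1" -noout >/dev/null 2>&1; }

# An encrypted PEM key carries "Proc-Type: 4,ENCRYPTED" or an
# "ENCRYPTED PRIVATE KEY" block; the appliance accepts neither.
key_is_unencrypted() { ! grep -q 'ENCRYPTED' "$1"; }

# Remove the passphrase (the guide's "openssl rsa -in ... -out ...").
# Args: encrypted-key-file output-file passphrase
decrypt_key() { openssl rsa -in "$1" -out "$2" -passin "pass:$3" >/dev/null 2>&1; }

# Turn a PKCS7 (.p7b) reply into PEM, keeping only the CERTIFICATE blocks
# from "openssl pkcs7 -print_certs" (the subject=/issuer= lines are dropped).
pkcs7_to_pem() {
  openssl pkcs7 -in "$1" -print_certs \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

# Assemble the upload file in the guide's order: key, server cert, then each
# intermediate (Intermediate 0, 1, 2 ...). Args: output-file input-files...
combine() { out="$1"; shift; cat "$@" > "$out"; }

# Pre-upload checks: key is unencrypted, a certificate parses, and the key
# belongs to that certificate (identical RSA modulus). Returns 0 when all pass.
check_upload_file() {
  key_is_unencrypted "$1" || return 1
  is_pem_cert "$1" || return 1
  km=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  cm=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
  [ -n "$km" ] && [ "$km" = "$cm" ]
}

# Number of certificates in a file (server cert + intermediates).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Offline walk-through on constructed data. Returns 0 when the file checks out.
demo() {
  make_csr vpn.example.com
  # Stand-in for the provider's reply: self-sign the CSR (constructed, not a real CA).
  openssl x509 -req -in "$WORKDIR/public.csr" -signkey "$WORKDIR/private.key" \
    -days 30 -out "$WORKDIR/cert.pem" >/dev/null 2>&1
  # Simulate a provider that returned PKCS7 (the "Microsoft" server type in the guide).
  openssl crl2pkcs7 -nocrl -certfile "$WORKDIR/cert.pem" -out "$WORKDIR/cert.p7b"
  pkcs7_to_pem "$WORKDIR/cert.p7b" "$WORKDIR/cert_from_p7.pem"
  combine "$WORKDIR/firebox.pem" "$WORKDIR/private.key" "$WORKDIR/cert_from_p7.pem"
  check_upload_file "$WORKDIR/firebox.pem"
}

# The encrypted-key case: a passphrase-protected key fails the check until it
# is decrypted. Returns 0 when the decrypted copy is accepted.
demo_encrypted_key() {
  make_csr vpn.example.com
  openssl rsa -in "$WORKDIR/private.key" -aes256 -passout pass:constructed \
    -out "$WORKDIR/encrypted.key" >/dev/null 2>&1
  if key_is_unencrypted "$WORKDIR/encrypted.key"; then return 1; fi
  decrypt_key "$WORKDIR/encrypted.key" "$WORKDIR/plain.key" constructed
  key_is_unencrypted "$WORKDIR/plain.key"
}

demo && echo "firebox.pem ready in $WORKDIR"
```

The modulus comparison catches the two mistakes that otherwise surface only after the upload: combining a certificate with a key other than the one that produced its CSR, and leaving a passphrase on the key. Current OpenSSL releases write the key with a BEGIN PRIVATE KEY (PKCS#8) header rather than the BEGIN RSA PRIVATE KEY header shown in the guide's sample; on OpenSSL 3, openssl rsa -traditional rewrites a key with the older header if the appliance requires it.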
2 Across from Upload a Certificate, click Browse.
3 Locate the file you want to upload and click Open.
4 After the upload is complete, go to the Networking > General Networking tab.
5 Set the Interface 0 External Public Address to the DNS name for which the certificate was registered.
To block external access to the Administration Portal:
1 In the Firebox SSL Administration Tool, go to the Administration > Maintenance tab.
2 Clear the check box for Enable External Administration.
3 Click Apply Change.
Managing Licenses
Firebox SSL licensing limits the number of concurrent VPN user sessions to the number of licenses purchased. Thus, if you purchase 100 licenses, you can have 100 concurrent VPN sessions at any time. When a user ends a session, that license is freed for the next VPN user. A user who logs into the Firebox SSL from more than one computer occupies a license for each session. Once all licenses are occupied, no additional VPN connections can be opened until a VPN user ends a session or the administrator has used the Firebox SSL Real-time Monitor to close a connection, thereby freeing a license. For information on using the Real-time Monitor to close connections, see Managing VPN Connections on page 45. When you purchase the Firebox SSL or additional licenses, you will receive an email that contains a link to a download location. After you download the license file(s), we recommend that you manage them as follows.
To manage licenses:
1 On the administrative PC where you run the Firebox SSL Administration Tool, create a license directory.
2 Copy the license file (.lic) that you downloaded to the license directory. We recommend that you retain a local copy of all license files that you receive from WatchGuard. When you save a backup
40 Firebox SSL VPN Gateway Administration Guide
copy of the configuration file, all uploaded license files are included in the backup. If you need to reinstall the Firebox SSL server software and do not have a backup of the configuration, you will need the original license files. Do not overwrite any .lic files in the license directory. If another file in that directory has the same name, you should rename the newly received file. The Firebox SSL software calculates your licensed features based on all .lic files that are uploaded to the Firebox SSL. Do not edit a .lic file or the Firebox SSL software will ignore any features associated with that license file. The contents of the file are encrypted and must remain intact. Should you copy, rename, or insert a license file multiple times, the Firebox SSL will use only the original file and will ignore any duplicate files.
Click Browse and locate the .lic file that you want to upload.
License files should be stored on the administrative PC where you run the Firebox SSL Administration Tool.
To view a calendar, click the system time. Click the system time again to hide the calendar.
To change the system date and time:
1 In the Administration Tool, go to the Administration > Date tab.
2 Select a time zone.
3 Enter the date and time and then click Submit.
NOTE To reset the root administrative password to its default, you must reinstall the Firebox SSL server software.
The Firebox SSL is pre-configured with a default username and password (root/rootadmin). We recommend that you change the root password.
To change the root administrator password:
1 In the Administration Tool, go to the Administration > Admin Users tab.
If you have saved your configuration settings, as described in this section, you can easily restore them.
NOTE You can also save and restore configuration settings from the Maintenance tab of the Administration Portal.
2 Click Save Configuration. The entire Firebox SSL configuration, including system files, uploaded licenses, and uploaded server certificates, is saved to your computer in a file named config.restore.
To restore a saved configuration:
1 In the Administration Tool, go to the Administration > Maintenance tab.
2 Across from Upload a Server Upgrade or Saved Config., click Browse.
3 Locate the file named config.restore and click Open.
After the configuration file is uploaded, the Firebox SSL restarts. All of your configuration settings, licenses, and certificates will be restored.
If you use RSA SecurID authentication, you must reset the node secret on the RSA ACE/Server, as described in Resetting the Node Secret on page 99.
Because the Firebox SSL has been re-imaged, the node secret no longer resides on it and an attempt to authenticate with the RSA ACE/Server will fail.
tion. For example, connections to port 21 are FTP connections and connections to port 23 are Telnet connections.
You can manage connections as follows: You can close a type of connection (TCP, UDP, etc.). For example, suppose that a user has a TCP connection to a Target IP (perhaps a mapped drive) that should be off-limits to the user. You can correct the ACL for the user's group (Configuring Resource ACLs for a User Group on page 124) and then close the TCP connection. If you do not correct the ACL before closing the connection, the user will be able to re-establish the TCP connection.
NOTE The Firebox SSL maintains connections to Target IP 0.0.0.0 that are required for VPN operations. Closing any of those connections will temporarily close a VPN connection.
You can disable a user's connection and prevent subsequent logins from that user at the listed MAC address. The user will be able to log in from a different MAC address. You can re-enable a username/MAC address combination. The following sections describe connection management and use of the Real-time Monitor:
- About Connection Handling on page 46
- Closing a Connection to a Resource on page 47
- Disabling/Enabling a VPN User on page 48
- Monitoring Firebox SSL Operations on page 150
tion to the Firebox SSL is terminated after a maximum wait period of ten minutes. (A shorter wait period would penalize VPN users who use slow connections.) This handling of VPN connections results in the following: The VPN user might continue to appear active in the Firebox SSL Real-time Monitor for about ten minutes, after which the VPN connection is terminated. The inactive VPN user occupies a license until the wait period expires and the VPN connection is closed. Suppose that you have a license for ten users and all ten users have logged into the Firebox SSL, leaving no available licenses. If one of the active users goes into standby mode, that user's license is not available for ten minutes. The wait period does not apply to connections that are terminated through the Real-time Monitor.
To close a connection:
1 In the Remote Admin Terminal window, click the Real-time Monitor icon.
2 Click
3 Right-click the connection that you want to close, and select Close connection.
NOTE The Firebox SSL maintains connections to Target IP 0.0.0.0 that are required for VPN operations. Closing any of those connections will temporarily close a VPN connection.
To disable a user at a particular MAC address:
1 In the Remote Admin Terminal window, click the Real-time Monitor icon.
2 Right-click the main entry for the user and choose Disable User from MAC. The user will be unable to establish a VPN connection from that MAC address until you re-enable the user or restart the Firebox SSL.
To re-enable a user at a particular MAC address:
1 In the Remote Admin Terminal window, click the Real-time Monitor icon.
2 Right-click the user's entry and choose Enable User from MAC.
The user will be able to establish a VPN connection provided that there is an available license.
CHAPTER 3
The following topics describe how to work with a VPN connection: Using the Access Portal on page 51 Connecting from a Private Computer on page 56 Connecting from a Public Computer (Kiosk Session) on page 61
From the portal page, the user either starts the Secure Access or kiosk client. The Secure Access client is intended for VPN connections from a private computer, as data is transferred from the network to which the user is connecting to the user's computer. The kiosk client is useful for VPN connections from a public computer, as no data is written to the VPN user's computer. (However, if you configure network shares, a user can copy files from a shared network drive to the remote computer.)
NOTE You can configure the AG Administration Tool so that VPN users do not have the option to connect from a public computer. For information, see Configuring Kiosk Operation for a Group on page 126.
To use the Access Portal:
1 Use Internet Explorer to access the URL of the AG. For example: https://vpndemo.watchguard.com. If the AG does not have a signed certificate installed, a Security Alert dialog box appears. Click Yes to continue.
2 In the dialog box, enter your network user name and password and then click OK. The portal page opens. This page can be customized for a site, as described in Customizing VPN Portal Pages on page 108.
If you connect from a Linux computer, the following portal page appears.
If connecting from a Windows computer, choose the type of VPN connection:
- If connecting from a secure computer, click My own computer. The first time that you connect to the AG (after clicking My own computer), a terms and conditions of use dialog appears. You must click I Accept to install the driver. When the File Download dialog box appears, click Open. (It is not necessary to save the client to your desktop. A shortcut to the client will be downloaded automatically.) The Secure Access client starts loading. A shortcut will be downloaded to your computer desktop. You can subsequently start the client without going through the portal page. If your administrator has configured the Secure Access client to start automatically, the client will start after you enter your Windows login credentials, which are also used for the Secure Access client. Thus, when you start your computer, you do not have to do anything to have a VPN connection, provided that you have a network connection and can log into Windows. The VPN connection enables you to work with the connected site just as if you were logged in at the site. You can transfer data between your remote computer and the connected site. For more information, see Connecting from a Private Computer on page 56.
- If connecting from a public computer, click A public computer. The kiosk will open in one of two configurable modes, as described in Connecting from a Public Computer (Kiosk Session) on page 61.
- If connecting from a Linux computer, click the Linux download link to start the download and view instructions on how to install the client.
NOTE The Linux tcl and tk packages are required for the Secure Access client.
In addition to the command net6vpn --login, which opens the login dialog for the Secure Access client, you can also enter net6vpn to see a list of other command-line options. The Secure Access client requires a running VPN daemon in order to connect to the Access Gateway. If you lose the VPN connection, the VPN daemon may have stopped. To check the status of the VPN daemon:
/sbin/service net6vpnd status
Then, click Disconnect and reenter your login credentials.
To remove the Linux VPN client:
/sbin/service net6vpnd stop
/sbin/chkconfig --del net6vpnd
NOTE If you are using the Linux client, the connection window will not include the options described in the following procedure.
To log in to the AG:
1 In the WatchGuard VPN - Connect dialog box, enter your login credentials. If the AG is configured with authentication realms and you need to connect to a realm other than the default, enter the realm name before your user name (realmName\userName). Alternatively, to enter the realm name to be used each time that you log in, right-click the dialog box, click Advanced Options, and then enter the realm name. If your site uses RSA SecurID authentication, your password is your PIN plus the RSA SecurID token.
2 If you are behind a proxy server, right-click the dialog box and then click Advanced Options.
3 Select Use Proxy Host and enter the proxy server IP address and port. (The AG information is already filled in.) If the proxy server requires authentication, select the check box. When you attempt to establish a VPN connection, you first will be prompted for your proxy server login credentials.
4 To allow failover to your local DNS, select Enable Split DNS.
5 To allow the Secure Access client to automatically update, without prompts, when a new version is available on the AG, select the Always update client check box.
6 Click Connect.
NOTE If a digital certificate that is signed by a Certificate Authority is not installed on the AG, you will see a Security Alert. For more information, see About Digital Certificates and Firebox SSL Operation on page 31.
After logging in, you will see a Logging In status dialog box, followed by an Applying Network Policy status dialog box. If you have a personal Internet Connection Firewall (ICF) configured on the interface, you will also see an Internet Sharing Configuration dialog box and will need to click Yes to continue.
When the VPN connection is established, a status window briefly appears and the Secure Access window is minimized to the system tray. The icon indicates whether the connection is enabled or disabled and flashes during activity. A shortcut to WatchGuard Secure Access is placed on your desktop.
To use the Secure Access window:
1 To open the window, double-click the icon in the system tray. Alternatively, right-click the icon and choose VPN Properties from the menu. The Secure Access window appears.
2 To view server information and a list of the secured networks, click the Details tab.
3 To view ACLs, click the Access Lists tab. (This tab does not appear for users who are not in a group.)
1 Right-click the WatchGuard Secure Access icon in the system tray.
2 Choose Connection Log from the menu. The Connection Log for the session appears.
NOTE The Connection Log is written to the computer in Documents and Settings\UserName\Local Settings\Application Data\NET6\net6vpn.log. The log is overwritten each time that you establish a new VPN connection.
To support the Java kiosk client, the AG must be configured with a certificate that is signed by a trusted Certificate Authority. After the user clicks the appropriate link and logs in, the kiosk session opens, similar to a Virtual Network Computing (VNC) session.
[Figure: kiosk window icons: Web Browser, Remote Desktop, VNC, Telnet 3270 Emulator, Citrix, SSH, Shared Network Drive, FTP]
The kiosk window can include: A Mozilla browser window. You configure by group whether to include the Mozilla browser and the browser's default URL. Mozilla preferences, such as saved passwords, are retained for the next session.
Icons that provide access to shared network drives. The icon labelled ws in the preceding example is a network share. The user can download files from a network share by dragging a file onto the KioskFTP icon, as described in Working with Shared Network Drives on page 63. Icons that provide access to a Web browser and to VNC, Remote Desktop, Telnet 3270 emulator, SSH, and Citrix ICA clients, as shown in the preceding example. You configure by group the clients to be included in the kiosk window. For information on using the clients, see the following sections:
- Using the Citrix Client on page 65
- Using the Remote Desktop Client on page 65
- Using the SSH Client on page 67
- Using the Telnet 3270 Emulator Client on page 67
- Using the VNC Client on page 68
If the user's browser is configured to use a proxy server, the kiosk client will use the browser's proxy setting. For more background information, see Kiosk Operation on page 13.
To log in to the AG in kiosk mode:
1 Use the portal page to connect, as described in Using the Access Portal on page 51. Be sure to click A public computer. The WatchGuard VPN Login dialog box appears.
To work with a shared network drive:
1 From the kiosk window, double-click a shared network drive icon.
2 To copy a file from the network drive to your computer, drag the file icon over the KioskFTP icon.
3 In the Kiosk File Download dialog box, navigate to the location where you want to copy the file and then click Open. When the FTP is complete, a message window appears.
You cannot FTP folders or copy files back to the shared network drive.
To use the Citrix ICA client:
1 From the portal page, choose A public computer... and log in.
remains on the remote server; no files, only images, are sent to the kiosk users computer.
To use the Remote Desktop client:
1 From the portal page, choose A public computer... and log in.
2 In the kiosk window, click the Remote Desktop icon.
3 Enter your username and the remote host and click Connect. The desktop of the Remote Desktop server displays in a window on your computer. Work with the remote server just as if it were your local computer.
To use the SSH client:
1 From the portal page, choose A public computer... and log in.
To use the Telnet 3270 Emulator client:
1 From the portal page, choose A public computer... and log in.
Left-click Connect and choose Other from the menu. The x3270 Connect window opens.
4 Enter the host name or IP address and click Connect to login and receive a prompt.
5 To view the 3270 keypad, click the keypad icon in the upper-right corner.
Enter the IP address of the VNC host, your password for the server, and click Connect.
Work with the remote server just as if it were your local computer.
NOTE To send a Ctrl-Alt-Delete to the connected server through the VNC server, press Shift-Ctrl-Alt-Delete.
CHAPTER 4
The following topics describe how to configure Firebox SSL network connections: Configuring Network Interfaces on page 72 Specifying DNS/WINS Settings on page 74 Configuring Routes on page 75 Configuring Failover Firebox SSLs on page 80
NOTE When you have a working configuration, we recommend that you back up the configuration, as described in Saving and Restoring the Configuration on page 43.
The configuration instructions throughout those topics assume the following setup: The Firebox SSL is installed. For information on installing the Firebox SSL, refer to the Firebox SSL Quick Start and the Firebox SSL Hardware Installation Guide. The devices to which you are connecting the Firebox SSL, such as a firewall or server load balancer, are already part of a working configuration. This guide does not cover the steps for configuring application or web servers, firewalls, or a server farm with a server load balancer.
If the Firebox SSL straddles the firewall, choose Use Both Interfaces. Use Interface 0 for the DMZ (external) connection and Interface 1 for the LAN (internal) connection.
For more information, see the Firebox SSL Quick Start Guide and Connecting to a Server Load Balancer on page 16, in this guide.
External Public Address: The Firebox SSL uses the External Public Address to send its response to a request back on the correct network connection. If the External Public Address is not specified, the Firebox SSL sends responses out through the Interface where the gateway is identified. If the External Public Address is specified, the Firebox SSL writes all connections to the Interface with the specified host name or IP address.
Duplex mode for each interface: Duplex mode is either auto, full duplex, or half duplex. Use the default setting, auto, unless you need to change it.
Maximum transmission unit (MTU) for each interface: The MTU defines the maximum size of each transmitted packet. The default is 1500. Use the default setting unless you need to change it.
Incoming VPN port: The port on the Firebox SSL to be used for VPN connections.
IP address of the default gateway device: The main router, firewall, or server load balancer, depending on your network configuration. This should be the same as the Default Gateway setting that you would find on computers on the same subnet.
For information on the relationship between the default gateway and dynamic or static routing, see Configuring Routes on page 75.
NOTE IP pooling is configured per group, as described in Enabling IP Pooling on page 131.
By default, the Firebox SSL checks a VPN user's remote DNS only. If you want to allow failover to a user's local DNS, go to the Global Policies tab and select the Enable Split DNS check box. The Firebox SSL fails over to the local DNS only if the specified DNS servers cannot be contacted, not if they return a negative response.
Configuring Routes
You can configure the Firebox SSL to listen for the routes published by your routing server(s) or to use static routes that you specify. The Firebox SSL supports the Routing Information Protocol (RIP and RIP 2). The Default Gateway field on the Networking > General Networking tab is relevant to both dynamic and static routing. If you enable the Dynamic Gateway option (when configuring dynamic routing), the default gateway will be based on the routing table, not on the value entered in the Default Gateway field. If you add a static route, choose the Firebox SSL interface not being used by the default gateway.
If the Dynamic Gateway option is enabled, the Firebox SSL uses the default gateway provided by dynamic routing, rather than the value specified on the Networking > General Networking tab, and disables any static routes created for the Firebox SSL. If you later disable dynamic routing, any previously created static routes reappear in the Firebox SSL routing table.
From the Select Routing Type menu, choose Dynamic Routing (RIP). Selecting that option disables the static routes area. If there are static routes defined, they no longer display in the routing table although they are still available should you wish to switch back to static routing. If you want to use the default gateway provided by the routing server(s), rather than the one specified in the Networking > General Networking tab, select the Enable Dynamic Gateway check box. The use of a dynamic gateway is noted in the Networking > General Networking tab with the message Gateway Provided by Dynamic Routing. Choose the Firebox SSL interface(s) to be used for dynamic routing. Typically, your routing server(s) are inside your firewall, so you would choose an internal-facing interface for this setting.
Click Submit.
Dynamic routes are not displayed in the Firebox SSL routing table.
2 Enter a descriptive name for the route.
3 Enter the IP address of the destination LAN.
4 Enter the subnet mask for the gateway device.
5 Enter the IP address for the default gateway. If you do not specify a gateway, the Firebox SSL can access content only on the local network.
6 Select the Interface for the static route. The default is eth0.
7 Click Add Static Route and then click Submit.
The route name appears in the Static Routes list.
To test a static route:
1 From the Firebox SSL serial console, type 1 (Ping).
2 Enter the host IP address for the device you want to ping and press Enter.
If you are successfully communicating with the other device, messages will appear saying that the same number of packets were transmitted and received, and zero packets were lost. If you are not communicating with the other device, the status messages indicate that zero packets were received and all the packets were lost. Return to Step 1 and recreate the static route.
2 In the Static Route table, select each route that you want to delete.
3 Click Remove Route and then click Submit.
5 Choose eth1 as the gateway device interface.
6 Click Add Static Route and then click Submit.
To specify Firebox SSLs for failover:
1 In the Firebox SSL Administration Tool, go to the Networking > Failover Servers tab.
2 Enter the external IP address or the fully qualified domain name of the Firebox SSL(s) to be used for failover operation. The Firebox SSLs are used for failover in the order listed.
3 Click Submit.
CHAPTER 5
Firebox SSL operation controls include authentication, authorization, network resource, and host check settings. Group-based controls include access control, host checking, portal pages, IP pools, and kiosk operation.
NOTE All submitted configuration changes are automatically applied to the Firebox SSL and will not cause a disruption in Firebox SSL client operation. Policy changes will take effect immediately; if a VPN connection violates a new policy, it will be closed.
The following topics describe how to configure Firebox SSL operation:
Configuring Authentication, Authorization, and Local Users on page 82
Controlling Network Access on page 102
Customizing VPN Portal Pages on page 108
Configuring Host Check Rules on page 116
Configuring Network Shares for Kiosk Sessions on page 119
Adding and Configuring User Groups on page 121
Enabling Split Tunneling on page 134
Enabling Split DNS on page 135
Enabling Session Timeout on page 136
Configuring Internal Failover on page 137
Forcing VPN User Re-login on page 138
Configuring Secure Access for Single Sign-on on page 140
If a user is not located on an authentication server or fails authentication on that server, the Firebox SSL checks the user against the local user list.
After a user is authenticated, the Firebox SSL performs a group authorization check by obtaining the user's group information from either an LDAP server or the local group file (if not available on the LDAP server). If group information is available for the user, the Firebox SSL then checks the network resources allowed for the group. LDAP can be used for authorization regardless of the type(s) of authentication servers being used.
By default, the Firebox SSL obtains an authenticated user's group(s) from the local group file stored on the Firebox SSL. Alternatively, you can configure the Firebox SSL to obtain an authenticated user's group(s) from an LDAP server. If the user is not located on the LDAP server, the Firebox SSL checks its local group file. The group names obtained from the LDAP server are compared to the group names created locally on the Firebox SSL. If the two group names match, the properties of the local group apply to the group obtained from the LDAP server. For more information on groups and group names, see Adding and Configuring User Groups on page 121.
The following topics describe how to configure authentication and authorization for the Firebox SSL:
About the Realm Named Default on page 84
Using a Local User List for Authentication on page 84
Using RADIUS Servers for Authentication on page 88
Using LDAP Servers for Authentication and Authorization on page 91
Using RSA SecurID for Authentication on page 95
Removing an Authentication Realm on page 100
Adding Local Users on page 100
Firebox SSL without having to enter a realm name. You can have only one realm for local authentication. You can use LDAP authorization with local authentication, as described in Using LDAP Authorization with Local Authentication on page 85. If some users will authenticate only against the local user list on the Firebox SSL, you can keep the Default realm set to local authentication. Alternatively, you can create a different realm for local authentication and use the Default realm for another authentication type, as described in Changing the Authentication Type of the Default Realm on page 87.
NOTE Users who authenticate against a realm other than the Default realm must specify a realm name (once in the Secure Access Connection Properties dialog box, or with their user name each time they log in).
If all users authenticate against authentication servers, you do not need a realm for local authentication. The Firebox SSL always checks locally for authentication information if a user fails to authenticate on another authentication server.
To use LDAP authorization with local authentication:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users tab.
Open the window for the realm that is configured for local authentication. You will open the Default realm unless you have changed its authentication type.
See Using LDAP Servers for Authentication and Authorization on page 91 (starting with Step 5) for a description of the LDAP server settings. See Looking Up Attributes in your LDAP Directory on page 94 for information on looking up LDAP server settings.
To change the authentication type of the Default realm:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users tab.
4 Click Yes.
5 Create a new realm named Default, choose an authentication type, and click Add.
6 Complete the window that appears. For information, see:
- Using RADIUS Servers for Authentication on page 88
- Using LDAP Servers for Authentication and Authorization on page 91
- Using RSA SecurID for Authentication on page 95
NOTE If you remove the Default realm and do not immediately replace it as described above, the Firebox SSL retains the Default realm that you attempted to remove.
If a user is not located on the RADIUS servers or fails authentication, the Firebox SSL checks the user against the user information stored locally on the Firebox SSL (for more information, see Adding and Configuring User Groups on page 121).
If your site has multiple authentication realms, use a name that identifies the RADIUS realm for which you will specify settings. Realm names are case-sensitive and can contain spaces.
Click Add.
A window for the authentication realm opens.
5 Enter the IP address and the port (default is 1812) of the RADIUS server.
6 Enter the RADIUS server secret.
7 If you use a secondary RADIUS server, enter its IP address, port, and server secret.
8 To use LDAP for authorization, click the Authorization tab and complete the settings.
See Using LDAP Servers for Authentication and Authorization on page 91 (starting with Step 5) for a description of the LDAP server settings. See Looking Up Attributes in your LDAP Directory on page 94 for information on looking up LDAP server settings.
Click Submit.
NOTE If you are using Microsoft Internet Authentication Service (IAS) as a RADIUS server and receive a bad username or password error when the Firebox SSL sends a request to the configured RADIUS server, check the following IAS setting: In IAS Remote Access Policies, under the applied policy's properties in the Authentication tab, make sure "unencrypted authentication (PAP, SPAP)" is selected.
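The PAP setting in the note above matters because of how RADIUS carries a PAP password. RFC 2865 does not send it in the clear: the client XORs it with an MD5 keystream derived from the shared secret and the 16-octet request authenticator, so the shared secret is the only thing protecting the password between the Firebox SSL and the RADIUS server. The following Python is an added illustration of that RFC 2865 User-Password hiding; it is not code from the Firebox SSL or from WatchGuard, and the secret, authenticator and password are constructed sample values.

```python
import hashlib
import os

MAX_PASSWORD_OCTETS = 128  # RFC 2865 section 5.2 limits User-Password to 128 octets


def _stream_block(secret: bytes, previous: bytes) -> bytes:
    """One 16-octet keystream block: MD5(shared secret + previous block)."""
    return hashlib.md5(secret + previous).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a PAP password the way a RADIUS client fills the User-Password attribute."""
    if len(authenticator) != 16:
        raise ValueError("the request authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= MAX_PASSWORD_OCTETS:
        raise ValueError("password must be 1..128 octets")
    # Pad with NUL octets up to a multiple of 16; the server strips them again.
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    previous = authenticator
    for offset in range(0, len(padded), 16):
        block = padded[offset:offset + 16]
        cipher = bytes(p ^ s for p, s in zip(block, _stream_block(secret, previous)))
        hidden += cipher
        previous = cipher  # chaining: the next block is keyed by this ciphertext block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password as the server does; with a wrong secret the result is garbage."""
    if len(authenticator) != 16 or not hidden or len(hidden) % 16:
        raise ValueError("malformed User-Password value")
    plain = bytearray()
    previous = authenticator
    for offset in range(0, len(hidden), 16):
        cipher = hidden[offset:offset + 16]
        plain += bytes(c ^ s for c, s in zip(cipher, _stream_block(secret, previous)))
        previous = cipher
    return bytes(plain).rstrip(b"\x00")


def user_password_attribute(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS attribute framing: Type 2 (User-Password), Length including the header, Value."""
    value = hide_password(password, secret, authenticator)
    return bytes([2, 2 + len(value)]) + value


if __name__ == "__main__":
    # Constructed sample values; not real credentials.
    secret = b"example-shared-secret"
    authenticator = os.urandom(16)
    hidden = hide_password(b"correct horse battery", secret, authenticator)
    print("hidden value:", hidden.hex())
    print("recovered   :", reveal_password(hidden, secret, authenticator))
```

A long, random shared secret is the whole protection here: anyone who captures the Access-Request and can guess the secret recovers the password offline with reveal_password, and the MD5 keystream provides no integrity. A password that ends in a NUL octet cannot be told apart from its padding, which is a limitation of the RFC scheme rather than of this code.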
Click Add.
A window for the authentication realm opens.
5 Select the Enable LDAP Authorization check box.
6 Enter the IP address and the port of the LDAP server. The LDAP Server Port defaults to 389. If you are using an indexed database, such as Microsoft Active Directory with a Global Catalog, changing the LDAP Server Port to 3268 will significantly speed the LDAP queries. If your directory is not indexed, we recommend that you use an administrative connection, rather than an anonymous connection, from the Firebox SSL to the database. Download performance improves when you use an administrative connection.
7 Enter the Administrator Bind DN and password for queries to your LDAP directory. Examples of syntax for Bind DN:
- "ou=administrator,dc=ace,dc=com"
- "user@domain.name" (for Active Directory)
- "cn=Administrator,cn=Users,dc=ace,dc=com"
For Active Directory, the group name, specified as "cn=groupname", is required. For other LDAP directories, the group name either is not required or, if required, is specified as "ou=groupname". The Firebox SSL binds to the LDAP server using the administrator credentials and then searches for the user. After locating the user, the Firebox SSL unbinds the administrator credentials and rebinds with the user credentials.
8 Enter the Base DN under which users are located. Base DN is usually derived from the Bind DN by removing the user name and specifying the group where users are located. Examples of syntax for Base DN:
- "ou=Users,dc=ace,dc=com"
- "cn=Users,dc=ace,dc=com"
9 Enter the attribute under which the Firebox SSL should look for user login names for the LDAP server that you are configuring. Defaults to "cn". If you use Active Directory, enter the attribute "sAMAccountName".
10 Specify the LDAP Group Attribute, which defaults to "memberOf". This attribute enables the Firebox SSL to obtain the groups associated with a user during authorization.
11 Click Submit.
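The bind, search, unbind and rebind sequence described under the Administrator Bind DN setting, together with the group-name matching described in the authorization overview above, can be followed in code. The following Python is an added example, not Firebox SSL or WatchGuard code: it runs against a small constructed in-memory directory (FAKE_DIRECTORY) that stands in for an Active Directory server, with constructed entries, passwords and local groups (LOCAL_GROUPS). It derives the Base DN from the Bind DN as the guide describes, escapes the typed login name per RFC 4515 before it goes into the search filter so that filter characters in a user name cannot widen the search, and compares the cn= part of each memberOf value with the locally defined group names, case-sensitively.

```python
import re

# Constructed in-memory directory standing in for an Active Directory server.
# Keys are entry DNs; values hold the attributes named in the realm settings above.
FAKE_DIRECTORY = {
    "cn=Administrator,cn=Users,dc=ace,dc=com": {
        "password": "admin-pw", "sAMAccountName": "Administrator", "memberOf": []},
    "cn=Alice Example,cn=Users,dc=ace,dc=com": {
        "password": "alice-pw", "sAMAccountName": "alice",
        "memberOf": ["CN=VPN Users,CN=Groups,DC=ace,DC=com",
                     "CN=Accounting,CN=Groups,DC=ace,DC=com"]},
}

# Constructed local groups as created on the Groups tab. A local group's properties
# apply only when its name matches the LDAP group name exactly, including case.
LOCAL_GROUPS = {"VPN Users": {"portal": "vpnAndKioskClients.html"},
                "accounting": {"portal": "vpnClientOnly.html"}}

_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the typed login name becomes a literal, never filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def bind(dn: str, password: str) -> bool:
    """Simple bind against the constructed directory."""
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password


def search(base_dn: str, ldap_filter: str):
    """Equality search '(attr=value)' below base_dn; returns the matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are modelled here")
    attr, wanted = m.group(1), _unescape(m.group(2))
    return [dn for dn, entry in FAKE_DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and entry.get(attr) == wanted]


def base_dn_from_bind_dn(bind_dn: str) -> str:
    """Base DN = Bind DN with its leading RDN (the administrator) removed."""
    if "," not in bind_dn:
        raise ValueError("a user@domain Bind DN carries no Base DN; enter the Base DN explicitly")
    return bind_dn.split(",", 1)[1].strip()


def group_names_from_member_of(values):
    """memberOf holds group DNs; the group name is the value of the leading cn= RDN."""
    names = []
    for dn in values:
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() == "cn":
            names.append(value.strip())
    return names


def authorize(login, password, bind_dn, bind_pw,
              login_attr="sAMAccountName", group_attr="memberOf"):
    """Return the local groups that apply to the user, or None if LDAP cannot vouch for them."""
    if not bind(bind_dn, bind_pw):
        raise PermissionError("administrator bind failed")
    base_dn = base_dn_from_bind_dn(bind_dn)
    hits = search(base_dn, f"({login_attr}={escape_filter_value(login)})")
    if len(hits) != 1:
        return None  # user not in LDAP (or ambiguous): the Firebox SSL falls back to its local list
    user_dn = hits[0]
    # Unbind the administrator and rebind with the user's own credentials.
    if not bind(user_dn, password):
        return None  # wrong password
    ldap_groups = group_names_from_member_of(FAKE_DIRECTORY[user_dn][group_attr])
    return [name for name in ldap_groups if name in LOCAL_GROUPS]  # case-sensitive match
```

The Accounting versus accounting pair in the sample data shows why the guide insists on exact case: the LDAP group Accounting does not pick up the local group accounting, so only VPN Users applies to alice. A login name such as *)(sAMAccountName=* is searched for literally after escaping and matches nobody.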
To install and set up LDAP Browser:
1 Download the free LDAP Browser application from www.ldapbrowser.com.
2 Install LDAP Browser and open it.
3 From the LDAP Browser window, choose File > New Profile and specify the following settings:
- Host: Host name or IP address of your LDAP server.
- Port: Defaults to 389.
- Base DN: You can leave this field blank. (The information provided by the LDAP Browser will help you determine the Base DN needed for the Authentication tab.)
- Anonymous Bind: Select the check box if the LDAP server does not require credentials to connect to it. If the LDAP server requires credentials, leave the check box cleared, click Next, and enter the credentials.
4 Click Finish.
The LDAP Browser displays the profile name that you just created in the left pane of the LDAP Browser window and connects to the LDAP server.
To look up LDAP attributes:
1 In the left pane of the LDAP Browser, select the profile name that you created.
2 To look up the Base DN, locate in the right pane the namingContexts attribute. The value of that attribute is the Base DN for your site. The Base DN is typically "dc=myDomain,dc=com" (if your directory tree is based on Internet domain names) or "ou=domain,o=myOrg,c=country".
If your site uses an RSA ACE/Server and SecurID for authentication, you can configure the Firebox SSL to authenticate user access with the RSA ACE/Server. The Firebox SSL acts as an RSA Agent Host, authenticating on behalf of the VPN users logging into the VPN client. The Firebox SSL supports the use of one RSA ACE/Server. If a user is not located on the RSA ACE/Server or fails authentication on that server, the Firebox SSL checks the user against the user information stored locally on the Firebox SSL (for more information, see Adding and Configuring User Groups on page 121).
The Firebox SSL supports Next Token Mode. If a user enters three incorrect passwords, the Secure Access client prompts the user to wait until the next token is active before logging in. If a user logs in too many times with an incorrect password, the RSA server might disable the user's account.
To contact the RSA ACE/Server, the Firebox SSL must include a copy of the ACE Agent Host sdconf.rec configuration file that is generated by the RSA ACE/Server. The following procedures describe how to generate and upload that file.
1 On a computer where your RSA ACE/Server Administration interface is installed, go to Start > Programs > RSA ACE Server > Database Administration - Host Mode.
2 In the RSA ACE/Server Administration interface, go to Agent Host > Add Agent Host (or, if you are changing an Agent Host, Edit Agent Host).
3 In the Name field, enter a descriptive name for the Firebox SSL (the Agent Host for which you are creating a configuration file).
4 In the Network address field, enter the Firebox SSL IP address (the internal address).
5 For Agent type, select UNIX Agent.
Note that the Node Secret Created check box is cleared and inactive when you are creating an Agent Host. The RSA ACE/Server will send the Node Secret to the Firebox SSL the first time that it authenticates a request from the Firebox SSL. After that, the Node Secret Created check box will be selected. By deselecting the check box and generating/uploading a new configuration file, you can force the RSA ACE/Server to send a new Node Secret to the Firebox SSL.
6 Indicate which users can be authenticated through the Firebox SSL through one of the following methods:
- To configure the Firebox SSL as an open Agent Host, click Open to All Locally Known Users and then click OK.
- To select the users to be authenticated, click OK, go to Agent Host > Edit Agent Host, select the Firebox SSL host, and then click OK. In the dialog box, click the User Activations button and select the users.
7 To create the configuration file for the new or changed Agent Host, go to Agent Host > Generate Configuration Files.
The file that you generate (sdconf.rec) is what you will upload to the Firebox SSL, as described in the following procedure.
Click Add.
A window for the authentication realm opens.
To upload the sdconf.rec file that you generated in the previous procedure, click Upload sdconf.rec file and use the dialog box to locate and upload the file.
The sdconf.rec file is typically written to ace\data\config_files and to windows\system32.
- The file status message indicates whether an sdconf.rec file has been uploaded. If one has been uploaded and you need to replace it, click Upload sdconf.rec file and use the dialog box to locate and upload the file. - The first time that a client is successfully authenticated, the RSA ACE/Server will write some configuration files to the Firebox SSL. If you subsequently change the IP address of the Firebox SSL, click Remove ACE Configuration Files, reboot when prompted, and then upload a new sdconf.rec file.
6 After the file uploads, click Submit.
7 To use LDAP for authorization, click the Authorization tab and complete the settings.
See Using LDAP Servers for Authentication and Authorization on page 91 (starting with Step 5) for a description of the LDAP server settings. See Looking Up Attributes in your LDAP Directory on page 94 for information on looking up LDAP server settings.
Click Submit.
To reset the node secret on the RSA ACE/Server:
1 On a computer where your RSA ACE/Server Administration interface is installed, go to Start > Programs > RSA ACE Server > Database Administration - Host Mode.
2 In the RSA ACE/Server Administration interface, go to Agent Host > Edit Agent Host.
3 Select the Firebox SSL IP address from the list of agent hosts.
4 Clear the Node Secret Created check box and save the change.
The RSA server will re-send the node secret on the next authentication attempt from the Firebox SSL.
2 Enter a user name. A user will need to enter this name when logging into Secure Access. User names can contain spaces.
3 Enter a password for the user in the two fields. A user will need to enter this password when logging into Secure Access. A password must be six or more characters (checked up to 128 characters).
4 Click Add Local User.
The added user appears in the Local Users list.
5 To change the group membership of a user:
- To add a group to a user, select the group in the Available Groups list and click Add Group to User. For information on creating a group, see Adding and Configuring User Groups on page 121.
- To remove a group from a user, select the group in the Associated Groups list and click Remove Group from User.
By default, all network resource groups are allowed (and network access is controlled by the Deny Access without ACL option). When you allow or deny one resource group, all other resource groups are automatically denied and the network access for the user group is controlled only through its ACL. If a resource group includes a resource that you do not want a user group to access, you can create a separate resource group for just that resource and deny the user group access to it. The options just discussed are summarized in the following table.
ACL set for user group?   Deny access without ACL?   User group can access:
No                        No                         All accessible networks
Yes                       No                         Allowed resource groups
No                        Yes                        Nothing
Yes                       Yes                        Allowed resource groups
For information on controlling network access, see the following topics:
Specifying Accessible Networks on page 103
Defining Network Resource Groups on page 104
Denying Access to Groups with No ACL on page 107
To give the Firebox SSL access to a network:
1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
Suppose that you want to provide a user group with secure access to the following:
- the 10.10.x.x subnet
- the 10.20.10.x subnet
- 10.50.0.60 and 10.60.0.10
To provide that access, you would create a network resource group by specifying the following IP address/netmask pairs:
You can specify the mask in CIDR notation. For example, in the above example, you could specify 10.60.0.10/32 for the last entry.
Additional tips for working with resource groups follow.
- You can further restrict access by specifying a port and protocol for an IP address/netmask pair. For example, you might specify that a resource can use only port 80 and the TCP protocol.
- When you configure resource group access for a user group, you can allow or deny access to any resource group. This enables you to exclude a portion of an otherwise allowed resource. For example, you might want to allow a user group access to 10.20.10.0/24, but deny that user group access to 10.20.10.30. Deny rules take precedence over allow rules.
- The easiest method to provide all VPN user groups with access to all network resources is to not create any resource groups and to disable the Deny Access without ACL option on the Global Policies tab. All user groups will then have access to the accessible networks listed on the Global Policies tab.
- If you have one or more user groups that should have access to all network resources, a shortcut to adding each individual resource group to those user groups is to create a resource group for 0.0.0.0/0.0.0.0 and allow that one resource group for those user groups. For all other user groups, you will need to allow/deny individual resource groups as needed.
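The table in the network access overview above, the tips just given, and the allow/deny interpretation repeated later under Configuring Resource ACLs for a User Group describe one evaluation order: with no ACL a user group gets either nothing or the accessible networks, depending on Deny Access without ACL; once a user group has an ACL, only explicitly allowed resource groups are reachable; deny wins over allow; port 0 means any port. The following Python is an added example of that evaluation, not code from the Firebox SSL or WatchGuard. The protocol vocabulary (tcp, udp, any) and the dict layout of the ACL are assumptions; the subnets reuse the addresses from the example above, and the Subnets field is parsed the way the guide describes it (space-separated pairs, dotted or CIDR mask).

```python
import ipaddress

ANY_PORT = 0  # "Specify 0 to allow any port"


def parse_subnets(field: str):
    """Subnets field: space-separated address/mask pairs; mask dotted, CIDR, or absent (single host)."""
    return [ipaddress.ip_network(item, strict=False) for item in field.split()]


class ResourceGroup:
    """One entry on the Network Resources tab: subnets plus an optional port and protocol."""

    def __init__(self, name: str, subnets: str, port: int = ANY_PORT, protocol: str = "any"):
        self.name = name
        self.subnets = parse_subnets(subnets)
        self.port = port
        self.protocol = protocol.lower()  # assumed vocabulary: tcp, udp, any

    def matches(self, ip: str, port: int, protocol: str) -> bool:
        if self.port != ANY_PORT and port != self.port:
            return False
        if self.protocol != "any" and protocol.lower() != self.protocol:
            return False
        address = ipaddress.ip_address(ip)
        return any(address in net for net in self.subnets)


def is_allowed(acl, resource_groups, accessible_networks: str, deny_without_acl: bool,
               ip: str, port: int, protocol: str) -> bool:
    """acl: {resource group name: "allow" | "deny"} for the user group; empty means no ACL set."""
    if not acl:
        if deny_without_acl:
            return False  # table row: no ACL and Deny Access without ACL -> nothing
        address = ipaddress.ip_address(ip)
        return any(address in net for net in parse_subnets(accessible_networks))
    hits = [rg for rg in resource_groups if rg.name in acl and rg.matches(ip, port, protocol)]
    if any(acl[rg.name] == "deny" for rg in hits):
        return False  # deny rules take precedence over allow rules
    # Once an ACL exists, anything not explicitly allowed is denied.
    return any(acl[rg.name] == "allow" for rg in hits)


# Constructed resource groups built from the addresses in the example above.
RESOURCE_GROUPS = [
    ResourceGroup("Archives", "10.10.0.0/255.255.0.0 10.20.10.0/24 10.50.0.60 10.60.0.10/32"),
    ResourceGroup("Web mail", "10.50.0.60", port=80, protocol="tcp"),
    ResourceGroup("Restricted host", "10.20.10.30"),
    ResourceGroup("Everything", "0.0.0.0/0.0.0.0"),
]
ACCESSIBLE_NETWORKS = "10.0.0.0/8"  # constructed Global Policies accessible-networks list


def demo():
    """Evaluate sample destinations for three constructed user groups and the no-ACL cases."""
    staff = {"Archives": "allow", "Restricted host": "deny"}
    webmail_only = {"Web mail": "allow"}
    admins = {"Everything": "allow"}

    def check(acl, deny_without_acl, ip, port=445, protocol="tcp"):
        return is_allowed(acl, RESOURCE_GROUPS, ACCESSIBLE_NETWORKS, deny_without_acl, ip, port, protocol)

    return {
        "staff -> 10.20.10.5": check(staff, True, "10.20.10.5"),                  # True: in allowed subnet
        "staff -> 10.20.10.30": check(staff, True, "10.20.10.30"),                # False: deny wins
        "webmail -> 10.50.0.60:80": check(webmail_only, True, "10.50.0.60", 80),  # True
        "webmail -> 10.50.0.60:443": check(webmail_only, True, "10.50.0.60", 443),  # False: wrong port
        "admins -> 192.0.2.7": check(admins, True, "192.0.2.7", 22),              # True: 0.0.0.0/0 allowed
        "no ACL, deny without ACL -> 10.10.1.1": check({}, True, "10.10.1.1"),    # False: nothing
        "no ACL -> 10.10.1.1": check({}, False, "10.10.1.1"),                     # True: accessible network
        "no ACL -> 192.0.2.7": check({}, False, "192.0.2.7"),                     # False: not accessible
    }
```

The Restricted host group carved out of Archives is the 10.20.10.30 case from the tips: a single-host deny inside an allowed /24.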
To create a resource group:
1 In the Firebox SSL Administration Tool, go to the Network Resources tab.
2 Enter a resource group name. For example, Archives or Web mail.
3 Click Add.
A window for the resource group appears.
4 Enter the IP address/netmask pair for the resource in the Subnets field. You can use CIDR notation for the mask. Use a space to separate entries.
5 Enter a port for the pairs listed. Specify 0 to allow any port.
6 Select a protocol for the pairs listed.
7 Click Submit.
For information on adding a resource group to a user group, see Adding and Configuring User Groups on page 121.
To remove a resource group:
1 In the Firebox SSL Administration Tool, go to the Network Resources tab.
2 Open the window for the resource group that you want to remove.
3 From the Action menu, choose Remove ... resource.
To deny access to user groups without an ACL:
1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Select the Deny Access without ACL check box.
3 Click Submit.
By default, your VPN users will see a Citrix Access Portal page when they open https://Firebox SSL_IP_or_hostname. For samples of the default portal pages for Windows, Linux, and Java, see Using the Access Portal on page 51. We have also provided portal page templates that you can customize. One of the templates includes links to both the Secure Access and Kiosk clients. The following sample is the portal page that displays on a computer that is running Windows 2000 or higher. Your customization can be as simple as replacing the logo.
[Figure: sample Windows portal page. Callouts: Replacement logo. A variable is used to insert the current user name. A variable is used to insert this portion into the template; the text cannot be changed.]
The following sample is the same portal page when displayed on a computer that is running Linux. Clicking either link displays a page with instructions.
The other two templates include links to just one of those clients. You choose a template based on the access that you want to provide, on a group basis. For example, you might want to provide access to both clients to some VPN users and access only to the Secure Access or kiosk client for other users. You can do that by adding custom portal pages to the Firebox SSL and then specifying for each user group the portal page to be used.
NOTE If you want to add text to a template or make format changes, you will need to consult with someone who is familiar with HTML. Changes to the templates other than those described in this section are not supported.
The portal page templates are available from the Downloads page of the Administration Portal.
The following topics describe how to create portal pages, upload them to the Firebox SSL, and specify the portal page to be used for a user group:
Downloading and Working with Portal Page Templates on page 110
Loading Custom Portal Files on the Firebox SSL on page 113
Disabling Portal Page Authentication on page 114
Linking to the VPN Clients from Your Website on page 115
Choosing a Portal Page for a Group on page 130
appropriate for the connecting computer (Windows 2000 or higher, or Linux). If you also have users on platforms such as Macintosh or Windows 95/98, you can provide them access to the Java-based kiosk client by inserting the appropriate variable in the template(s) used by those groups, as described in this section. The variables that can be used in templates are described in the following table.
Variable                            Content inserted by variable
$citrix_username;                   Name of logged in user
$citrix_portal;                     Links to both the Secure Access and the Kiosk clients (Windows and Linux versions)
$citrix_portal_full_client_only;    Link to the Secure Access client only
$citrix_portal_kiosk_client_only;   Link to the Kiosk client only
A template can include only one of the three variables that start with $citrix_portal.
When choosing a template that is appropriate for a group, you only need to know whether the group should have access to both the Secure Access and kiosk clients or to just one of the clients. The Firebox SSL detects the user's platform (Windows, Linux, Java) and inserts the appropriate links into the templates that you upload to the Firebox SSL.
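What the Firebox SSL does with a template at request time can be seen in a small renderer. The following Python is an added example, not the Firebox SSL's own code or a WatchGuard template: it checks the rules this section states (at most one $citrix_portal variable; images must be GIF or JPG), substitutes a constructed per-platform set of client links for the portal variable, and HTML-escapes the user name before inserting it for $citrix_username;, because a user name is text chosen by whoever created the account and must not become markup in the portal page. The link targets and the sample template are placeholders; the real client links are inserted by the Firebox SSL.

```python
import html
import re

# A template may contain at most one of these three variables.
PORTAL_VARIABLES = ("$citrix_portal;",
                    "$citrix_portal_full_client_only;",
                    "$citrix_portal_kiosk_client_only;")

# Constructed placeholder links per detected platform. The Java entry has no Secure Access
# link because the guide offers only the Java-based kiosk client to other platforms.
CLIENT_LINKS = {
    "windows": {"full": '<a href="PLACEHOLDER-secure-access-win">Secure Access client</a>',
                "kiosk": '<a href="PLACEHOLDER-kiosk-win">Kiosk client</a>'},
    "linux": {"full": '<a href="PLACEHOLDER-secure-access-linux">Secure Access client</a>',
              "kiosk": '<a href="PLACEHOLDER-kiosk-linux">Kiosk client</a>'},
    "java": {"full": "", "kiosk": '<a href="PLACEHOLDER-kiosk-java">Kiosk client (Java)</a>'},
}

_IMG_SRC = re.compile(r'<img\s+src="([^"]*)"', re.IGNORECASE)

# Constructed sample template in the spirit of vpnAndKioskClients.html (not the real file).
SAMPLE_TEMPLATE = """<html><body>
<img src="logo.gif" />
<p>Welcome, $citrix_username;</p>
<div>$citrix_portal;</div>
</body></html>"""


def validate_template(template: str):
    """Return the rule violations found; an empty list means the template is acceptable."""
    problems = []
    present = [v for v in PORTAL_VARIABLES if v in template]
    if len(present) > 1:
        problems.append("only one $citrix_portal variable is allowed; found " + ", ".join(present))
    for src in _IMG_SRC.findall(template):
        if not src.lower().endswith((".gif", ".jpg")):
            problems.append(f"image {src!r} is not a GIF or JPG file")
    return problems


def render_portal(template: str, username: str, platform: str) -> str:
    """Fill the template for one logged-in user on one detected platform."""
    problems = validate_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    try:
        links = CLIENT_LINKS[platform.lower()]
    except KeyError:
        raise ValueError(f"unsupported platform {platform!r}") from None
    both = " ".join(link for link in (links["full"], links["kiosk"]) if link)
    # Escape the user name: it is data, not HTML, and must not alter the page structure.
    page = template.replace("$citrix_username;", html.escape(username, quote=True))
    page = page.replace("$citrix_portal;", both)
    page = page.replace("$citrix_portal_full_client_only;", links["full"])
    page = page.replace("$citrix_portal_kiosk_client_only;", links["kiosk"])
    return page
```

validate_template is what you would run on a customized template before uploading it; render_portal shows why the user-name variable must be escaped rather than pasted in.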
To download the portal page templates to your local computer:
1 In the Firebox SSL Administration Portal, go to the Downloads page.
To download a template to a local computer, right-click the link and specify a location in the dialog box.
To work with the templates for Windows and Linux users:
1 Determine how many custom portal pages you will need. You can use the same portal page for multiple groups.
Use this portal page:       To include links to these clients:
vpnAndKioskClients.html     Secure Access and kiosk
vpnClientOnly.html          Secure Access only
kioskClientOnly.html        Kiosk only
2 Make a copy of each template that you will use and name the template, using the extension .html.
3 To replace the Citrix image:
- Locate the following line in the template: <img src="vpn_logo.gif" />
- Replace vpn_logo.gif with the filename of your image. For example, if your image file is named logo.gif, change the line to: <img src="logo.gif" />
Firebox SSL VPN Gateway Administration Guide
An image file must have a file type of GIF or JPG. Do not change other characters on that line.
To load a custom portal page or image on the Firebox SSL:
1 In the Firebox SSL Administration Tool, go to the Portal Page Configuration tab.
For the File Identifier of portal pages, enter a name that is descriptive of the types of VPN users who will use the portal page. The identifier can help you later when you need to associate the portal page with a group. For example, you might have a primary portal page used by many groups and a separate portal page used only by guests. In that case, you might identify the files as Primary Portal and Guest Portal. Or, you might have several portal pages that correspond to user groups, and use names such as Admin Portal, Student Portal, IT Portal. Select the type from the File Type menu.
Portal pages must be an HTML file. Any images referenced from an HTML page must be either GIF or JPG files.
To disable portal page authentication:
1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Clear the checkbox for Enable Portal Page Authentication.
3 Select the portal page to which all VPN users will be directed.
4 Click Submit.
Add the following code to the HEAD tag of the web page that is to contain the links:
<object id="Net6Launch" type="application/x-oleobject" classid="CLSID:7E0FDFBB-87D4-43a1-9AD4-41F0EA8AFF7B" codebase="net6helper.cab#version=2,1,0,6"></object>
You apply host check rules to each group, by specifying a host check expression, a Boolean expression that uses host check rule names. For more information, see Configuring a Host Check Policy for a Group on page 128.
To create a host check rule:
1 In the Firebox SSL Administration Tool, go to the Host Checks tab.
2 Specify a name for the host check rule.
3 Select the rule type from the drop-down list.
4 Click Add.
5 If you selected Registry Entry Rule, enter the path to the registry key, select a key type, enter the key name, and enter the value to which that key must be set. Click Submit.
If you selected File Rule, enter the path, filename, and creation date of the file. To specify a checksum for the file, select Calculate Checksum and click Upload File to Checksum. Navigate to the file and click Open. Click Submit.
If you selected Process Rule, enter the name of the process that must be running. To specify a checksum for the file, select the Manually Enter Checksum option and enter it, or select Calculate Checksum and click Upload File to Checksum. Navigate to the file and click Open. Click Submit.
NOTE For information on adding a host check expression to a user group, see Configuring a Host Check Policy for a Group on page 128.
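To see how the three rule types and a group's host check expression fit together, here is an added Python example; it is not the Firebox SSL's host checker or WatchGuard code. It assumes the expression syntax is rule names combined with AND, OR, NOT and parentheses (the guide says only that the expression is Boolean over rule names), uses SHA-256 as the checksum because the guide does not name the algorithm, and evaluates process and registry rules against a constructed snapshot of the client instead of a live Windows host. The file rule does read a real file: run_demo creates one in a temporary directory as a stand-in for an antivirus binary.

```python
import hashlib
import os
import re
import tempfile


def file_checksum(path: str) -> str:
    """Assumed algorithm: SHA-256 of the file contents (the guide does not name one)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_rule(path, checksum=None):
    """File Rule: the file must exist and, if a checksum was given, still match it."""
    return lambda host: os.path.isfile(path) and (checksum is None or file_checksum(path) == checksum)


def process_rule(name):
    """Process Rule: a process of that name is running (case-insensitive, as on Windows)."""
    return lambda host: name.lower() in {p.lower() for p in host["processes"]}


def registry_rule(key_path, value_name, required):
    """Registry Entry Rule: the named value under the key holds exactly the required data."""
    return lambda host: host["registry"].get((key_path, value_name)) == required


class _Parser:
    """Recursive-descent evaluator: precedence NOT > AND > OR, parentheses allowed."""

    def __init__(self, expression, rules, host):
        if not re.fullmatch(r"[\w\s().\-]*", expression):
            raise ValueError("unexpected character in host check expression")
        self.tokens = re.findall(r"\(|\)|[\w.\-]+", expression)
        self.pos, self.rules, self.host = 0, rules, host

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        self.pos += 1
        return token

    def parse_or(self):
        result = self.parse_and()
        while self.peek() == "OR":
            self.take()
            result = self.parse_and() or result  # both sides evaluated, no short-circuit
        return result

    def parse_and(self):
        result = self.parse_not()
        while self.peek() == "AND":
            self.take()
            result = self.parse_not() and result
        return result

    def parse_not(self):
        if self.peek() == "NOT":
            self.take()
            return not self.parse_not()
        token = self.take()
        if token == "(":
            result = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return result
        if token in (None, ")", "AND", "OR", "NOT"):
            raise ValueError("malformed host check expression")
        if token not in self.rules:
            raise KeyError(f"unknown host check rule {token!r}")
        return self.rules[token](self.host)


def evaluate(expression, rules, host) -> bool:
    """Evaluate a group's host check expression against one client snapshot."""
    parser = _Parser(expression, rules, host)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in host check expression")
    return result


def run_demo():
    """Create a constructed client snapshot and evaluate several expressions against it."""
    av_binary = os.path.join(tempfile.mkdtemp(), "AVGUARD.EXE")  # constructed stand-in file
    with open(av_binary, "wb") as f:
        f.write(b"constructed stand-in for an antivirus binary")
    rules = {
        "AntiVir": file_rule(av_binary, checksum=file_checksum(av_binary)),
        "Tampered": file_rule(av_binary, checksum="0" * 64),  # expected digest does not match
        "ZoneAlarm": process_rule("zlclient.exe"),
        "Sygate": process_rule("Smc.exe"),
        "AVEnabled": registry_rule(r"HKLM\SOFTWARE\Example\AV", "Enabled", "1"),
    }
    host = {  # constructed snapshot of the connecting client
        "processes": {"AVGUARD.EXE", "zlclient.exe"},
        "registry": {(r"HKLM\SOFTWARE\Example\AV", "Enabled"): "1"},
    }
    expressions = ["AntiVir AND (ZoneAlarm OR Sygate)", "AntiVir AND Sygate",
                   "Tampered", "NOT Sygate AND AVEnabled"]
    return {expr: evaluate(expr, rules, host) for expr in expressions}
```

The checksum is what turns a file rule from "a file by that name exists" into "the expected binary is present"; the Tampered rule shows the check failing when the recorded digest no longer matches the file.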
To delete a host check rule:
1 In the Firebox SSL Administration Tool, go to the Host Checks tab.
2 Open the window for the host check rule that you want to remove.
3 From the Action menu, choose Remove ... host check.
bot applications. The path information provided assumes that the application is installed in the default directory.
Application                     File                                                            Process
Antivirus
AntiVir                         C:\Program Files\AVPersonal\AVWIN.EXE                           AVGUARD.EXE
avast!                          C:\Program Files\Avast\ashAvast.exe                             ashServ.exe
McAfee                          C:\Program Files\McAfee.com\VSO\mcvsshld.exe                    McShield.exe
Norton                          C:\Program Files\Norton AntiVirus\NAVAPSVC.exe
Personal Firewall
McAfee                          C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe    MpfService.exe
Norton                                                                                          ccProxy.exe OR ccSetMgr.exe
Sygate                          C:\Program Files\Sygate\SPF\Smc.exe                             Smc.exe
Tiny                            C:\Program Files\Tiny Personal Firewall\PERSFW.EXE              PERSFW.EXE
Zone Alarm                      C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe               zlclient.exe
Spybot
Ad-aware SE Personal Edition    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe     Ad-Aware.exe
Spybot - Search and Destroy     C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe         SpybotSD.exe
To provide kiosk users access to network shares:
1 In the Firebox SSL Administration Tool, go to the Share Mounts tab.
2 Enter a name for the network share and click Add. The name that you enter will display with the share icon in the kiosk window.
A configuration window appears.
3 Type the path to the share source, using the form //server/share.
4 Choose the type of mount, either CIFS/SMB or NFS.
5 If administrative user credentials are required to mount a CIFS/Samba drive, specify the username and password. Those fields are not enabled for NFS.
All users who access the share will have the rights of this user.
6 Enter the Active Directory domain or the Windows workgroup of the share. This field is not enabled for NFS.
7 Specify whether you want remote users to have read/write or read-only permissions for the share.
NOTE Users can FTP files from the share to the remote computer.
Click Submit.
NOTE To add a share to a user group, see Configuring Kiosk Operation for a Group on page 126.
To remove a share:
Open the window for the share and choose Action > Remove.
In either case, the user will be able to run a kiosk session, but network access within that session will be determined by the Deny Access without ACL setting. You can also add local groups that are not related to LDAP groups. For example, you might create a local group to set up a contractor or visitor to whom you want to provide temporary access without having to create an LDAP entry. For information on creating a local user, see Adding Local Users on page 100. Several aspects of VPN operation are configured at the group level, including access control, host checking, kiosk operation, portal page usage, and IP pooling. If a user belongs to more than one group, group policies are applied to the user based on the group priorities set on the Group Priorities tab, as described in Setting the Priority of Groups on page 132.
To create a local user group on the Firebox SSL:
1 In the Firebox SSL Administration Tool, go to the Groups tab.
2 Type a descriptive name for the group (such as Temp Employees or accounting) and then click Add. If you want the group's properties to be used for a group obtained from LDAP, the group name must match the LDAP group name, including case and use of spaces.
A window for the added group appears.
To configure the group, see the following topics:
- Configuring Resource ACLs for a User Group on page 124
- Configuring Kiosk Operation for a Group on page 126
- Configuring a Host Check Policy for a Group on page 128
- Choosing a Portal Page for a Group on page 130
- Enabling IP Pooling on page 131
To remove a user group:
1 In the Groups tab, open the window for the group.
2 Right-click the group name in the window and choose Remove...group.
For each user group, you can create an ACL by specifying the resources that are to be allowed or denied for the group. Resource groups are defined as described in Defining Network Resource Groups on page 104. Unless you want to provide all VPN users with full access to all accessible networks, you must associate user groups with resource groups. By default, all network resource groups are allowed (and network access is controlled by the Deny Access without ACL option). When you allow or deny one resource group, all other resource groups are automatically denied and the network access for the user group is controlled only through its ACL. The Firebox SSL interprets allow/deny as follows:
- The Firebox SSL denies access to any resource that is not explicitly allowed. Thus, if you want to provide a particular user group with access to only one resource group, you only have to allow access to that resource group.
- Deny rules take precedence over allow rules. This enables you to allow access to a range of resources and to also deny access to selected resources within that range. For example, you might want to allow a group access to a resource group that includes 10.20.10.0/24, but need to deny that user group access to 10.20.10.30. To handle this, you will need to create a resource group that includes 10.20.10.30. Access to that resource will be denied unless you specifically allow it.
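The allow/deny rules above, worked through as a small evaluator so the three cases (no ACL, not explicitly allowed, deny beats allow) can be checked against the 10.20.10.0/24 scenario. This is an added example, not WatchGuard code; the resource group names (corp-lan, db-host), the GroupACL container and the sample addresses are constructed.

```python
"""Resource ACL evaluation with the allow/deny semantics described above.

Added example, not WatchGuard code: resource group names, the ACL
container and the addresses are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class ResourceGroup:
    """A named network resource group (see Defining Network Resource Groups)."""
    name: str
    networks: tuple  # CIDR strings, e.g. ("10.20.10.0/24",)

    def contains(self, addr):
        return any(addr in ipaddress.ip_network(n) for n in self.networks)


@dataclass
class GroupACL:
    """Resource groups a user group has explicitly allowed or denied.

    An empty ACL means the group has made no allow/deny decision at all;
    the page says access is then governed by the global Deny Access
    without ACL option rather than by this ACL.
    """
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()

    def is_empty(self):
        return not self.allow and not self.deny


def evaluate(ip, acl, resource_groups, deny_access_without_acl):
    """Return True if a member of the user group may reach `ip`.

    Rules taken from the text:
      * no ACL at all          -> everything allowed unless the global
                                  Deny Access without ACL option is set
      * not explicitly allowed -> denied
      * deny beats allow       -> an address inside an allowed range that
                                  also falls in a denied (or defined but
                                  unlisted) resource group is denied
    """
    addr = ipaddress.ip_address(ip)
    if acl.is_empty():
        return not deny_access_without_acl
    hits = [rg.name for rg in resource_groups if rg.contains(addr)]
    if not hits:
        return False  # no resource group covers the address at all
    # Every resource group covering the address must be explicitly allowed;
    # a denied or unlisted one wins over the allowed range around it.
    return all(name in acl.allow and name not in acl.deny for name in hits)


# Constructed sample: the page's scenario of a /24 with one host carved out.
RESOURCE_GROUPS = (
    ResourceGroup("corp-lan", ("10.20.10.0/24",)),
    ResourceGroup("db-host", ("10.20.10.30/32",)),
)

# Allow the whole LAN but deny the one host.
SALES_ACL = GroupACL(allow=frozenset({"corp-lan"}), deny=frozenset({"db-host"}))
# Allow the LAN only: db-host is defined but not allowed, so it stays denied.
SUPPORT_ACL = GroupACL(allow=frozenset({"corp-lan"}))
# Allow both: the host is explicitly allowed and becomes reachable again.
ADMIN_ACL = GroupACL(allow=frozenset({"corp-lan", "db-host"}))
NO_ACL = GroupACL()


def demo():
    """Evaluate a few addresses under each ACL; returns {(label, ip): bool}."""
    cases = {"sales": SALES_ACL, "support": SUPPORT_ACL,
             "admin": ADMIN_ACL, "none": NO_ACL}
    results = {}
    for label, acl in cases.items():
        for ip in ("10.20.10.31", "10.20.10.30", "10.30.0.5"):
            results[(label, ip)] = evaluate(
                ip, acl, RESOURCE_GROUPS, deny_access_without_acl=True)
    return results


if __name__ == "__main__":
    for (label, ip), ok in sorted(demo().items()):
        print(f"{label:8} {ip:12} {'allow' if ok else 'deny'}")
```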
To configure resource access control for a group:
1 In the group window, right-click Resource ACLs.
If you allow a resource and later want to deny it, right-click Resource ACLs, choose Add Resource, choose the resource, and then choose Deny.
4 Click Submit.
To remove a resource from a user group:
1 In the group window, right-click the resource that you want to remove.
To remove the kiosk option from the Access Portal for a group:
1 In the group window, clear the check box for Enable Kiosk Mode.
2 Click Submit.
To configure kiosk operation for a group:
1 To add a network share to the group, open the group's window, right-click Network Shares, choose Add Share, choose the share name, and then choose Allow.
To configure network shares, see Configuring Network Shares for Kiosk Sessions on page 119.
To retain Citrix ICA settings and Mozilla preferences between sessions, select Persistent Mode. The Mozilla preferences saved include the passwords saved through the Mozilla Password Manager. The preferences are saved on the remote server (hosting the kiosk session).
If you want a Mozilla browser window to appear in the kiosk window:
- Specify the URL to open in the browser window (such as http://www.mysite.com/index.html, typically an Intranet site). The default is http://www.net6.com.
NOTE If the user has general Internet access before making a Kiosk connection, the user can browse the Internet from the Mozilla browser in the Kiosk window, unless there is a network resource defined that denies access to the Internet.
For the other kiosk applications listed, select each one that you want included in the kiosk window for the group.
To work with any of those applications, the VPN user will need to know the IP addresses of the corresponding servers.
Click Submit.
For users without Administrative privileges, a host check will fail if it includes a file in a restricted zone (such as C:\Documents and Settings\Administrator) or if it includes a restricted registry key. If a user belongs to more than one group, the host check expression applied to the user is the union of the expressions for each of the user's groups. For information on host check rules, see Configuring Host Check Rules on page 116.
To specify a host check expression for a group:
1 In the group window, enter the Boolean expression in the Host Check Expression field.
2 Click Submit.
Enabling IP Pooling
In some situations, the Secure Access client will need a unique IP address from the Firebox SSL. For example, in a Samba environment, each user connecting to a mapped network drive needs to appear to originate from a different IP address. When you enable IP pooling for a group, the Firebox SSL can assign a unique IP address alias to each client. You can specify the gateway device to be used for IP pooling. The gateway device can be the Firebox SSL itself, or some other device. If you do not specify a Gateway, a Firebox SSL interface is used, based on the General Networking settings, as follows: If you have configured only Interface 0 (the Firebox SSL is inside your firewall), the Interface 0 IP address is used as the gateway. If you have configured Interfaces 0 and 1 (the Firebox SSL straddles your firewall), the Interface 1 IP address is used as
To 1 2 3
4 Specify the Gateway IP address. If you leave this field blank, a Firebox SSL interface is used, as described earlier in this section. If you specify some other device as the gateway, the Firebox SSL adds an entry for that route in the Firebox SSL routing table.
5 Click Submit.
priority of groups. For example, suppose that some users belong to both the sales group and the support group. If the sales group appears before the support group in the User Groups list, the sales group policies will apply to the users who belong to both of those groups. If the support group appears before the sales group in the list, the support group policies take precedence. The policies that are affected by the Group Priority setting are as follows:
- Kiosk mode and persistence mode
- Kiosk default URL
- Portal page use
- IP pools
For ACLs and kiosk applications, a user who belongs to multiple groups has access to all resources and applications enabled for each of those groups. For example, suppose that the sales group has access to the Citrix ICA and Mozilla clients and that the support group has access to all clients. Users who belong to both groups will have access to all clients. Host check expressions are applied as described in Configuring a Host Check Policy for a Group on page 128. Groups are initially listed in the order in which they are created.
To set the priority of groups:
1 In the Firebox SSL Administration Tool, go to the Group Priority tab.
2 Select a group that you want to move and use the arrow keys to raise or lower the group in the list.
The group at the top of the list has the highest priority.
3 Click Submit.
To view the group priorities for a user:
In the Remote Admin Terminal window, click the Real-time Monitor icon. The display lists all groups to which the user belongs and the group with the highest priority.
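The precedence-versus-union behaviour described above (priority-decided settings against combined ACLs and kiosk applications), as an added example that is not WatchGuard code; the sales/support settings, the extra client names and the policy keys are constructed for illustration.

```python
"""Effective policy for a user in several groups, following the Group
Priority rules described above.

Added example, not WatchGuard code: group names, their settings and the
policy keys are constructed for illustration.
"""

# Settings the text says are decided by the highest-priority group only.
PRIORITY_SETTINGS = ("kiosk_mode", "persistent_mode", "kiosk_url",
                     "portal_page", "ip_pool")
# Settings the text says are combined across all of the user's groups.
UNION_SETTINGS = ("allowed_resources", "kiosk_apps")

# Constructed group policies modelled on the text's sales/support scenario.
GROUPS = {
    "sales": {
        "kiosk_mode": True,
        "persistent_mode": False,
        "kiosk_url": "http://intranet.example.com/sales",  # constructed
        "portal_page": "sales_portal.html",                # constructed
        "ip_pool": "10.50.1.0/24",                          # constructed
        "allowed_resources": {"corp-lan"},
        "kiosk_apps": {"Citrix ICA", "Mozilla"},
    },
    "support": {
        "kiosk_mode": True,
        "persistent_mode": True,
        "kiosk_url": "http://www.net6.com",
        "portal_page": "support_portal.html",              # constructed
        "ip_pool": None,
        "allowed_resources": {"corp-lan", "ticket-db"},    # constructed
        # "all clients": the extra client names are constructed
        "kiosk_apps": {"Citrix ICA", "Mozilla", "SSH", "Telnet"},
    },
}


def effective_policy(user_groups, priority_order, groups=GROUPS):
    """Resolve the policy applied to a user who belongs to `user_groups`.

    `priority_order` is the Group Priority tab, highest priority first.
    Single-valued settings come from the user's highest-priority group;
    resource ACLs and kiosk applications are the union over all groups.
    """
    unknown = set(user_groups) - set(priority_order)
    if unknown:
        raise ValueError(f"groups missing from the priority list: {sorted(unknown)}")
    ordered = [g for g in priority_order if g in user_groups]
    if not ordered:
        raise ValueError("user belongs to no group")
    winner = groups[ordered[0]]
    policy = {"decided_by": ordered[0]}
    for key in PRIORITY_SETTINGS:
        policy[key] = winner[key]
    for key in UNION_SETTINGS:
        policy[key] = frozenset().union(*(groups[g][key] for g in ordered))
    return policy


if __name__ == "__main__":
    # Same user, two orderings of the Group Priority tab.
    for order in (["sales", "support"], ["support", "sales"]):
        p = effective_policy({"sales", "support"}, order)
        print(order, "->", p["decided_by"], p["persistent_mode"],
              sorted(p["kiosk_apps"]))
```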
To enable split tunneling:
1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Select the check box for Enable Split Tunneling.
3 If there are no Accessible Networks specified, enter the addresses as described in the next section.
4 Click Submit.
To enable session timeout:
1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 3
To enable the Secure Access client to fail over to the Firebox SSL internal IP address:
1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 3
Under Force Relogin after, select options as follows:
Standby/Hibernate: This option forces a user to log in again if the user's computer awakens from a standby or hibernate state. This option provides additional security for unattended computers.
Network Interruption: This option forces a user to log in again if the network connection is briefly interrupted.
NOTE If you want to close a VPN connection and prevent the user or group from reconnecting, you must select the Network Interruption setting. Otherwise, the user(s) will be immediately reconnected without being prompted for credentials. For more information, see Managing VPN Connections on page 45.
Click Submit.
You should enable single sign-on only if VPN users' computers are logging into your organization's domain. If single sign-on is enabled and a user connects from a computer that is not on your domain, the user will be prompted to log in. The user's connection log will note that the Firebox SSL failed to look up the domain controller.
To configure Secure Access for single sign-on:
1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 3
APPENDIX A
The following topics describe how to use Firebox SSL logs and troubleshoot issues:
- Viewing and Downloading System Message Logs on page 143
- Enabling and Viewing SNMP Logs on page 146
- Monitoring Firebox SSL Operations on page 150
- Recovering from a Crash of the Firebox SSL on page 153
- Troubleshooting on page 154
To view and filter the system log:
1 In the Administration Tool, go to the Logging > Local System Log tab.
2 To display the log for a prior date, select the date in the Log Archive list and click View Log.
3 By default, the log displays all entries. Filter the log as follows.
- To filter the log by user or applications, select one or more categories that you want to include.
- To filter the log by priority, select the priorities that you want to include.
- The filters that you select are treated as logical ORs. Thus, for each selected filter, all matches for the filter display.
To download a log:
- Select a log in the Log Archive list and click Download Selected Log File. The log filename defaults to yyyymmdd.log.
- Click Download All Log Files to download all logs listed in the Log Archive list. The filename defaults to log_archive_yyyymmdd.tgz. After you download the file, you can unzip it to access the individual log files.
To forward Firebox SSL system messages to a syslog server:
1 In the Administration Tool, go to the Logging > Syslog tab.
2 Enter the IP address of the syslog server.
3 Select the syslog facility level.
4 Enter a broadcast frequency.
5 Click Submit.
To enable the logging of SNMP messages:
1 In the Administration Tool, go to the Logging > SNMP tab.
2 Enter the SNMP location and contact. These fields are informational only.
3 Enter the SNMP community, which is the password that will be required by a client to obtain data from the SNMP agent. For example, if you use the MRTG monitoring tool, you will need to include this community string as a part of the Target field in the MRTG configuration file.
The SNMP port defaults to 161. If you change this value, you will also need to change it in any tools that you use to monitor SNMP data.
4 Click Submit.
SNMP messages appear on the SNMP tab.
MRTG Example
The Multi Router Traffic Grapher (MRTG) is a tool to monitor SNMP data, such as traffic load. MRTG generates HTML pages containing PNG images which provide a visual representation of the traffic. MRTG works under UNIX and Windows NT.
NOTE The information in this section is intended to provide a general idea of working with MRTG. For information on obtaining and using MRTG, refer to http://people.ee.ethz.ch/~oetiker/webtools/mrtg/.
To obtain SNMP data for the Firebox SSL through MRTG (in UNIX):
1 Configure the Firebox SSL to respond to SNMP queries (Logging > SNMP).
2 Create MRTG configuration files in /etc/mrtg. Each configuration file specifies the OIDs that the MRTG daemon is to monitor, specifies the target from which to obtain SNMP data, and defines the MRTG output.
3 Modify /etc/crontab to perform an SNMP query every five minutes, resulting in graphed data. The various .cfg files listed will generate separate MRTG output.
Firebox SSL Real-time Monitor Shows the open VPN connections. To view details about a connection, click the arrow for the user name. From the monitor, you can temporarily close a connection by connection type (TCP, etc.), disable a user (the user will not be able to connect until you enable the user), and re-enable a user. For more information, see Managing VPN Connections on page 45. Ethereal Network Analyzer Enables you to interactively browse packet data from a live network or from a previously saved capture file. For more information, refer to the Help that is available from the Ethereal Network Analyzer window.
xNetTools A multi-threaded network tool that includes a service scanner, port scanner, ping utility, ping scan, name scan, whois query, and finger query.
My traceroute Combines the functionality of the 'traceroute' and 'ping' programs in one network diagnostic tool. As My traceroute (mtr) starts, it investigates the network connection between the Firebox SSL and the destination host that you specify. After it determines the address of each network hop between the devices, it sends a sequence of ICMP ECHO requests to each one to determine the quality of the link to each device. As it does this, it prints running statistics about each device.
fnetload Provides real-time network interface statistics. It checks /proc/net/dev every second and builds a graphical representation of its values.
System Monitor Shows information about CPU usage and memory/swap usage. For more information, refer to the Help available from the System Monitor window.
be set to the address 10.20.30.40/24, set the PC to an address of 10.20.30.41 (or another available address), set the subnet mask address to 255.255.255.0, and set the default gateway address to 10.20.30.40.
For each Firebox SSL you want to load software on, do these steps:
1 Connect a green (straight-through) network cable from the Windows PC to the Eth1 interface on the Firebox SSL.
2 Connect the blue null modem (serial) cable from the Windows PC to the Firebox SSL serial port.
3 Power on the Firebox SSL.
4 On the Windows PC, click Start > Run and type cmd, then click OK.
5 Change to the CD drive. For example, if the CD drive is D:, type D: and press Enter.
6 Type install ip_address_of_Firebox/netmask.
For example, to install and give the Firebox SSL an IP address of 10.20.30.40 with a subnet mask of 255.255.0.0, type:
install 10.20.30.40/16
To install and give the Firebox SSL an IP address of 10.10.10.1 with a subnet mask of 255.255.255.0, type:
install 10.10.10.1/24
Power off the Firebox SSL when prompted. When prompted by the PC, power the Firebox SSL on.
Installation continues on the Firebox SSL. The Firebox SSL restarts automatically once during this process.
Troubleshooting
The following information explains how to deal with problems you might encounter when setting up and using the Firebox SSL.
The Firebox SSL does not start and the Firebox SSL serial console is blank.
Verify that the following are correctly set up:
- The serial console is using the correct port and the physical and logical ports match.
- The cable is a null-modem cable.
- The COM settings in your serial communication software are set to 115200 bits per second, 8 data bits, no parity, and 1 stop bit.
The Firebox SSL is offline and I cannot reach the Administration Tool.
You can use the Administration Portal to perform tasks such as viewing the system log and restarting the Firebox SSL.
I tried using Ctrl-Alt-Delete to reboot the Firebox SSL, but nothing happened.
The reboot function on the Firebox SSL is disabled. You must use the Firebox SSL Administration Tool to restart and shut down the device.
APPENDIX B
GNU GENERAL PUBLIC LICENSE FOR LINUX KERNEL AS PROVIDED WITH FIREBOX SSL ACCESS GATEWAY
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General
Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made
it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate
works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or
executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. 
Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
Appendix: How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.> Copyright (C) 19yy <name of author> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) 19yy name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
166
This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. <signature of Ty Coon>, 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.
167
168
Index

A
access control, see ACL and user groups
accessible networks 102
  and split tunneling 134
  deny access without ACL 107
  specifying 103
ACL 102
  allow/deny rules 124
  defining for user group 124
  deny access without ACL 107
  listed in Secure Access Client window 60
Admin Terminal window 18
Administration Tool 21
  monitoring tools 150
  opening 19
  Real-time Monitor 150
administration 7
  Admin Terminal window 18
  blocking external access 39
  portal 19
  Tool 21
Administration > Date tab 42
Administration > Licensing tab
  license upload 41
Administration > Maintenance tab
  block external access 39
  certificate upload 38
  restart 49
  restore configuration 45
  save configuration 45
  server upgrade 24
  shut down 49
Administration > Users tab 43
Administration Portal page 19
administrative users
  changing password 43
  resetting to default password 43
adware, host check examples 118
antivirus, host check examples 118
application access, see resource groups
archive of system log 143
authentication 82
  LDAP 91
  local 82
  RADIUS 88
  realm 82
  realm, removing 100
  RSA SecurID 95
Authentication and Local Users tab
  add local user 101
  LDAP authentication/authorization 92
  RADIUS authentication 89
  remove realm 100
  RSA SecurID authentication 97
authorization 82
  LDAP 91
  local 83, 85

B
backing up the configuration 43
BlackICE PC Protection configuration 27

C
certificate 29
  backing up 43
  combining with private key 36
  converting to PEM format 35
  CSR overview 32
  generating for multiple levels 37
  installing Cygwin for 33
  multilevel and SSL V2 155
  private key, unencrypting 34
  Security Alert 31
  signed by Certificate Authority 29
  support 6
  uploading 38
Certificate Authority 29
Certificate Signing Request (CSR)
  generating 33
  overview 32
Citrix client 65
  enabling 126
  saving preferences 128
client variables for portal page 111
client, see Secure Access Client, kiosk
closing VPN connection 45
computer hibernate/suspend, effect on client 138
configuration
  Admin Terminal window 18
  Administration Portal 19
  Administration Tool 21
  restoring 45
  saving 43
  serial console 21
connection
  closing to resource 47
  handling 46
  managing 45
  policy changes 81
CPU usage 153

D
Default Gateway setting 72
  and dynamic gateway 75
Default realm 84
  changing authentication 87
  replacing 87
deployment
  overview 7
  with firewall, see Quick Start
  LDAP server 82
  RADIUS server 82
  RSA ACE/Server 82
  server load balancer 16
digital certificate support 6
  see also certificate
DNS
  client override 58
  enable split 75, 135
  failover to local 74
  in Secure Access Client window 59
  server settings 74
  suffixes 74
Duplex Mode setting 73
dynamic gateway, enabling 75
dynamic routes, configuring 75

E
Ethereal Network Analyzer 151
  unencrypted traffic on client PC 12
External Public Address setting 73

F
failover
  client 137
  DNS servers 74
  gateways 80
  internal 137
finger query 151
firewall 26
  BlackICE PC Protection configuration 27
  host check examples 118
  Internet Connection Firewall 58
  McAfee Personal Firewall Plus configuration 27
  Norton Personal Firewall configuration 28
  Sygate Personal Firewall configuration 28
  Tiny Personal Firewall configuration 28
  ZoneAlarm Pro configuration 29
fnetload tool 152
FTP
  configuring for use with VPN client 26

G
gateway device
  default 73
  dynamic gateway 75
Gateway Interface setting 72
Global Policies tab
  accessible networks 103
  force re-login 138
  internal failover 138
  session timeout 114, 136
  single sign-on 140
  split DNS 75, 135
  split tunneling 135
Group Priority tab 133
groups, see user groups

H
hibernate/suspend 138
host check rules 116
  adding to user group 128
  examples 118
Host Checks tab 116, 118

I
IEEE 802.11 support 2
internal failover for VPN client 137
Internet Connection Firewall 58
IP address
  change impact on SecurID setup 98
  internal/external interfaces 72
  preconfigured 23
IP pooling 131
IPSec functionality 10

J
Java support (client) 25, 61

K
kiosk 13
  browser default URL 128
  Citrix client 65
  configuring for user group 126
  configuring network shares 119
  connecting to 61
  Java applet 25
  link to from website 115
  Mozilla client 128
  Remote Desktop client 65
  removing from portal page 126
  shared network drives, using 63
  SSH client 67
  Telnet 3270 Emulator client 67
  using FTP to copy files 64
  VNC client 68

L
LDAP Browser 94
LDAP server 82
  attribute lookup 94
  authentication 91
  authorization 91
  settings 91
licenses 40
  backing up 43
  backup CD 40
  freeing 45
  managing 40
  uploading 41
Linux support (client) 4, 54
  checking status 55
  command-line options 55
  link to from website 115
  removing client 55
  restarting stopped VPN daemon 55
local users
  authorization 83, 85
  closing connection 45
  creating 100
  for authentication 82
Logging > Local System Log tab 144
Logging > SNMP tab 146
Logging > Statistics tab 149
Logging > Syslog tab 145
logging, see monitoring tools, SNMP, system log
login script support 140

M
Macintosh support (JVM client) 61
McAfee Personal Firewall Plus configuration 27
memory usage 153
monitoring tools 18
  using 150
Mozilla browser in kiosk 126
  configuring 128
  saving preferences 128
MRTG 146
MTU setting 73
My traceroute tool 152

N
name scanner 151
NAT host 73
network
  access 102
  accessible networks 103
  activity level graph 150
  address translation (NAT) 73
  connections overview 71
  drives, shared 63
  interface (NIC) settings 72
  interface traffic load monitor 152
  monitoring 150
  packet data analyzer 151
  resource groups
  route tracing 152
  scanning tools 151
Network Resources tab 105, 106
Networking > DNS/WINS tab 74
Networking > Failover Servers tab 80
Networking > General Networking tab 72
networks
  accessible to Gateway 103
  deny access without ACL 107
  in Secure Access Client window 59
Norton Personal Firewall configuration 28

O
OpenSSL ciphers supported 6

P
packet data, browsing 151
password, administrative user 43
Persistent Mode setting (kiosk) 128
ping
  from serial console 23
  from xNetTools 151
platforms supported by VPN client 4
policies
  ACLs 102
  configuring for groups 121
  host checks 116
  IP pooling 131
  multi-group membership 132
  network access 102
  network shares (kiosk) 119
  portal pages 108, 114
  setting priority 132
  see also global policies
port
  for VPN connections 73
  required 6
  scanner 151
portal
  Administration 19
  VPN client 51
  see Administration Portal, Virtual Network Portal
Portal Page Configuration tab 113
private key
  combining with signed certificate 36
  unencrypting 34
process activity level graph 150
protocols supported 4
proxy server setup for VPN client 57

R
RADIUS server 82
  authentication 88
  settings 88
  using LDAP authorization with 90
realm-based authentication 82
  Default realm 84
  see also authentication
Real-time Monitor 45, 151
reinstalling software 153
remote client, see Secure Access Client
Remote Desktop client 65
  enabling 126
resource groups 102
  adding to user group 124
  defining 104
  removing from user group 126
restarting server 49
restoring a configuration 45
routes
  dynamic 75
  static 75
RSA ACE/Server 82
  configuration file, see sdconf.rec file
  resetting node secret 99
  SecurID authentication 95
  settings 95
  using LDAP authorization with 98

S
sdconf.rec file 95
  generating 96
  replacing 98
  uploading 97
Secure Access Client 6, 140
  ACL list in 60
  assigning IP address from pool 131
  automatic drive mapping support 140
  automatic updates 58
  Connection Log 61
  effect of computer hibernate/suspend 138
  effect of policy changes 81
  forcing re-login 138
  FTP configuration 25
  host check rules 116
  internal failover 137
  link to from website 115
  Linux support 54
  operation 9
  platforms supported 4
  portal (custom) 108
  portal (default) 51
  proxy server setup 57
  single sign-on operation 140
  through firewalls/proxies 11
  use with Internet Connection Firewall 58
  window described 56
SecurID authentication 82
security 6, 8
  authentication/authorization 82
  controlling network access 102
  denying access without ACL 107
  digital certificates 29
  forcing user re-login after interruption 138
  host checking 116
  preventing MITM attacks 31
  Security Alert 31
serial console 23
server
  crash recovery 153
  software reinstallation 153
server load balancer, connection to 16
server software, uploading 24
service scanner 151
session timeout 136
Share Mounts tab 120
shared network drives 63
shutting down 49
single sign-on for VPN client 140
SNMP 146
  logs, enabling and viewing 146
  MIB groups reported 146
  settings 146
software
  firewall, see firewall
  installed version 24
  reinstalling 153
  restarting 49
  shutting down 49
  upgrades 23
  upgrading from a file 24
split DNS
  enabling 75, 135
  overriding at client 58
spyware, host check examples 118
SSH client 67
  enabling 126
SSL, use of 10
static routes
  adding 77
  configuring 75
  example 78
  removing 78
  testing 78
swap space usage 153
Sygate Personal Firewall configuration 28
system configuration
  restoring 45
  saving 43
system date and time
  changing 41
  viewing 41
system log
  archive 143
  downloading 143
  filtering 143
  forwarding to syslog server 145
  viewing 143
System Monitor 153
system statistics 149

T
Telnet 3270 Emulator client 67
  enabling 126
templates (portal), see Virtual Network Portal
time zone, changing 41
Tiny Personal Firewall configuration 28
TLS, use of 10
troubleshooting 154

U
Upload Certificate setting 38
Upload Server Upgrade setting 24
URL
  of Administration Portal 19
  of Java client 61
user groups 121
  authorization 121
  choosing custom portal page 130
  configuring host check expression 128
  configuring kiosk operation 126
  configuring resource ACL 124
  creating 121
  enabling IP pooling 131
  LDAP, obtained from 121
  naming 121
  prioritizing policies 132
User Groups tab 122
user name variable for portal page 111
users, see administrative users, local users, VPN users

V
version of installed software 24
Virtual Network Portal 51
  customizing 108
  disabling authentication 114
  downloading templates 110
  loading custom files 113
  variables 110
VNC client 68
  enabling 126
VPN connection types 53
VPN Gateway Remote Admin Terminal window 8
VPN port setting 73
VPN users
  closing connection 45
  disabling/enabling 48
  enabling single sign-on 140
  forcing re-login 138
  multi-group membership 132
  preventing access through host checks 116
  supporting 25
  viewing groups and priority group 134

W
whois query 151
Windows support (client) 4
Windows Terminal Services, support of 65

X
xNetTools 151

Z
ZoneAlarm Pro configuration 29