WatchGuard Firebox SSL VPN

Gateway Administration Guide

Firebox SSL VPN Gateway

Notice to Users

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright, Trademark, and Patent Information

Use of the product documented in this guide is subject to your prior acceptance of the WatchGuard End User License Agreement applicable to this product. You will be prompted to read and accept the End User License Agreement when you register your Firebox on the WatchGuard website. Copyright 2005 Citrix Systems, Inc. All rights reserved. Copyright 2005 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, Firebox, LiveSecurity and any other word listed as a trademark in the Terms of Use portion of the WatchGuard website that is used herein are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. Citrix is a registered trademark of Citrix Systems, Inc. in the U.S.A. and other countries. Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trade names referred to are the Servicemark, Trademark, or Registered Trademark of the respective manufacturers.

The Firebox SSL Access Gateway software is distributed with source code covered under the GNU General Public License (GPL). To obtain source code covered under the GPL, please contact WatchGuard Technical Support at:
877.232.3531 in the United States and Canada
+1.206.613.0456 in all other countries

This source code is free to download. There is a $35 charge to ship the CD. See Appendix B, Legal and Copyright Information on page 157 of this guide for the complete text of the GPL. VPN Gateway Software: 4.9 Document Version: 2201-000

ADDRESS:
505 Fifth Avenue South Suite 500 Seattle, WA 98104

ABOUT WATCHGUARD

WatchGuard is a leading provider of network security solutions for small- to midsized enterprises worldwide, delivering integrated products and services that are robust as well as easy to buy, deploy and manage. The company's Firebox X family of expandable integrated security appliances is designed to be fully upgradeable as an organization grows and to deliver the industry's best combination of security, performance, intuitive interface and value. WatchGuard Intelligent Layered Security architecture protects against emerging threats effectively and efficiently and provides the flexibility to integrate additional security functionality and services offered through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity Service subscription to help customers stay on top of the security landscape with vulnerability alerts, software updates, expert security instruction and superior customer care. For more information, please call (206) 521-8340 or visit www.watchguard.com.

SUPPORT:
www.watchguard.com/support
support@watchguard.com
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456

SALES:
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.521.8340


Firebox SSL VPN Gateway Administration Guide

Contents

CHAPTER 1  Firebox SSL Overview ........ 1
    Overview ........ 2
    Feature Summary ........ 4
    The User Experience ........ 6
    Deployment and Administration ........ 7
    Firebox SSL Operation ........ 8
    Starting the Secure Access Client ........ 9
    Establishing the Secure Tunnel ........ 10
    Tunneling Destination Private Address Traffic over SSL or TLS ........ 10
    Terminating the Secure Tunnel and Returning Packets to the Client ........ 12
    Kiosk Operation ........ 13
    Deployment Options ........ 16

CHAPTER 2  Administering the Firebox SSL ........ 17
    Using the Firebox SSL Remote Admin Terminal Window ........ 18
    To open the Remote Admin Terminal window: ........ 19
    Using the Administration Tool ........ 21
    Using the Serial Console ........ 23
    To open the serial console: ........ 23
    Upgrading the Firebox SSL Software ........ 23
    To display the version of your installed Firebox SSL: ........ 24
    To upgrade your Firebox SSL ........ 24
    Supporting Secure Access Users ........ 25
    Configuring Software Firewalls for the Secure Access Client ........ 26
    Generating a Secure Certificate for the Firebox SSL ........ 29
    About Digital Certificates and Firebox SSL Operation ........ 31
    Overview of the Certificate Signing Request ........ 32
    Installing the Cygwin UNIX Environment for Windows ........ 33
    Generating a CSR ........ 33
    Unencrypting the Private Key ........ 34
    Converting to a PEM-Formatted Certificate ........ 35
    Combining the Private Key with the Signed Certificate ........ 36
    Generating Trusted Certificates for Multiple Levels ........ 37
    Uploading a Certificate to the Firebox SSL ........ 38
    Blocking External Access to the Administration Portal ........ 39
    Managing Licenses ........ 40
    Viewing and Changing the System Date and Time ........ 41
    Managing Administrative Users ........ 42
    Saving and Restoring the Configuration ........ 43
    Managing VPN Connections ........ 45
    About Connection Handling ........ 46
    Closing a Connection to a Resource ........ 47
    Disabling/Enabling a VPN User ........ 48
    Restarting the Firebox SSL ........ 49
    Shutting Down the Firebox SSL ........ 49

CHAPTER 3  Working with a VPN Connection ........ 51
    Using the Access Portal ........ 51
    Connecting from a Private Computer ........ 56
    Using the Secure Access Window ........ 56
    Connecting from a Public Computer (Kiosk Session) ........ 61
    Working with Shared Network Drives ........ 63
    Using the Citrix Client ........ 65
    Using the Remote Desktop Client ........ 65
    Using the Telnet 3270 Emulator Client ........ 67
    Using the VNC Client ........ 68
    To use the VNC client: ........ 68

CHAPTER 4  Configuring Firebox SSL Network Connections ........ 71
    Configuring Network Interfaces ........ 72
    Specifying DNS/WINS Settings ........ 74
    Configuring Routes ........ 75
    Configuring Dynamic Routing ........ 75
    Adding, Testing, and Removing a Static Route ........ 77
    Static Route Example ........ 78
    Configuring Failover Firebox SSLs ........ 80

CHAPTER 5  Configuring Firebox SSL Operation ........ 81
    Configuring Authentication, Authorization, and Local Users ........ 82
    About the Realm Named Default ........ 84
    Using a Local User List for Authentication ........ 84
    Using LDAP Authorization with Local Authentication ........ 85
    Using RADIUS Servers for Authentication ........ 88
    To specify RADIUS server settings: ........ 89
    Using LDAP Servers for Authentication and Authorization ........ 91
    To specify LDAP server settings: ........ 92
    Looking Up Attributes in your LDAP Directory ........ 94
    Using RSA SecurID for Authentication ........ 95
    To generate a sdconf.rec file for the Firebox SSL: ........ 96
    To enable RSA SecurID authentication for the Firebox SSL: ........ 97
    Resetting the Node Secret ........ 99
    Removing an Authentication Realm ........ 100
    To remove an authentication realm: ........ 100
    Adding Local Users ........ 100
    To create a user on the Firebox SSL: ........ 101
    To delete a user from the Firebox SSL: ........ 102
    Controlling Network Access ........ 102
    Specifying Accessible Networks ........ 103
    Defining Network Resource Groups ........ 104
    Denying Access to Groups with No ACL ........ 107
    Customizing VPN Portal Pages ........ 108
    Downloading and Working with Portal Page Templates ........ 110
    Loading Custom Portal Files on the Firebox SSL ........ 113
    Disabling Portal Page Authentication ........ 114
    Linking to the VPN Clients from Your Website ........ 115
    Configuring Host Check Rules ........ 116
    Example Host Check Rules ........ 118
    Configuring Network Shares for Kiosk Sessions ........ 119
    Adding and Configuring User Groups ........ 121
    Configuring Resource ACLs for a User Group ........ 124
    Configuring Kiosk Operation for a Group ........ 126
    Configuring a Host Check Policy for a Group ........ 128
    Choosing a Portal Page for a Group ........ 130
    Enabling IP Pooling ........ 131
    Setting the Priority of Groups ........ 132
    Enabling Split Tunneling ........ 134
    Enabling Split DNS ........ 135
    Enabling Session Timeout ........ 136
    Configuring Internal Failover ........ 137
    Forcing VPN User Re-login ........ 138
    Configuring Secure Access for Single Sign-on ........ 140

APPENDIX A  Logging, Monitoring, and Troubleshooting Firebox SSL Operations ........ 143
    Viewing and Downloading System Message Logs ........ 143
    Forwarding System Messages to a Syslog Server ........ 145
    Enabling and Viewing SNMP Logs ........ 146
    MRTG Example ........ 147
    Viewing System Statistics ........ 149
    Monitoring Firebox SSL Operations ........ 150
    Recovering from a Crash of the Firebox SSL ........ 153
    To reinstall the Firebox SSL server software: ........ 154
    Troubleshooting ........ 154

APPENDIX B  Legal and Copyright Information ........ 157

CHAPTER 1

Firebox SSL Overview

The WatchGuard Firebox SSL is a network appliance that provides secure remote access to network resources and all applications, including web, client-server, and peer-to-peer applications such as Instant Messaging (IM), video conferencing, and real-time Voice over IP (VoIP). Combining the advantages of both IP Security (IPSec) and Secure Socket Layer (SSL) Virtual Private Network (VPN) solutions, the Firebox SSL provides full, secure application access without requiring changes to applications or Domain Name Service (DNS).

The Firebox SSL gives the remote user seamless, secure access to authorized applications and network resources. Remote users can work with files on network drives, email, Intranet sites, and applications just as if they were working inside of their organization's firewall.

The Firebox SSL also provides clientless kiosk operation, which opens a Virtual Network Computing (VNC)-like connection for remote users who access the Firebox SSL from a non-secure computer. Kiosk user access can include shared network drives, a variety of built-in clients, servers running Windows Terminal Services (Remote Desktop), VNC servers, and Citrix ICA.

The following topics provide an overview of the Firebox SSL:
Overview on page 2
Feature Summary on page 4
The User Experience on page 6
Deployment and Administration on page 7
Firebox SSL Operation on page 8
Kiosk Operation on page 13
Deployment Options on page 16

WatchGuard provides other network appliance products. For information, go to http://www.watchguard.com.

Overview
The Firebox SSL installs into any network infrastructure without requiring changes to the existing hardware or back-end software. The Firebox SSL sits in front of application and web servers and works with other networking products such as firewalls, server load balancers, cache engines, routers, and IEEE 802.11 broadband wireless devices. The Firebox SSL, installed in the corporate DMZ, participates on two networks: a private network and a public network with a publicly routable IP address. The Firebox SSL can also partition local area networks internally in the organization for access control and security between wired/wireless and data/voice networks. As shown in the following illustration, the Firebox SSL is appropriate for employees accessing the organization remotely, Business to Business (B2B) access and transactions, and intranet access from restricted LANs such as wireless networks.


As shown in the following illustration, the Firebox SSL creates a virtual TCP circuit between the client computer running the WatchGuard Secure Access client and itself.

The virtual TCP circuit is encrypted using proven technologies such as SSL and Transport Layer Security (TLS). All packets destined for the private network are transported over the virtual TCP circuit. The Firebox SSL is essentially acting as a low-level packet filter with encryption: it drops traffic that is not authenticated or that does not have permission for a particular network.

Feature Summary
Most of the features listed in the following table are implicitly supported through the ability of the Firebox SSL to intercept every network connection initiated on the client computer, whether TCP (connection-oriented applications) or UDP (voice and video applications). The Secure Access client forwards all IP packets over an SSL tunnel to the Firebox SSL based on dynamically determined routing policies which are transparent to the remote user. The Firebox SSL retransmits these IP packets to the intended host.

Application support
- Unlike other VPN solutions, the Firebox SSL is application-agnostic. The Firebox SSL operates more like an IPSec VPN than an SSL VPN.
- Supports all applications (web, client-server, peer-to-peer, and real-time) without modification to the applications or DNS.
- Handles real-time traffic, such as voice (RTP/SIP), with minimal loss in performance.

Protocol support
- Supports IP.
- Supports PPPoE (Point-to-Point Protocol over Ethernet) and PPP.
- Supports Ethernet, including 802.11, and Remote Access Service (RAS) connections, including TCP, UDP, and Internet Control Message Protocol (ICMP).

Platform support
- Supports computers running Windows 2000, Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows XP Home, Windows XP Professional, and all Linux 2.4 platforms (tested extensively with RedHat).
- Includes a client that supports computers, such as Macintosh, running Java Virtual Machine (JVM) version 1.4.2 or higher.

Ease of use and deployment
- Automatically updates the Secure Access client when a new version is available on the Firebox SSL.
- The Secure Access client can go into a suspend state rather than timing out so that the connection is always available and the user does not have to repeatedly log in. The Secure Access client continues to run in memory even when the laptop or PC is disconnected from the network. This functionality ensures security over 802.11 networks without having to deploy and maintain a WEP environment.
- The Secure Access client can be configured for single sign-on operation so that it starts automatically after a user logs in to Windows. A user's Windows login credentials are passed to the Firebox SSL for authentication and then the VPN connection is automatically established without user intervention. Windows login scripts run after the VPN connection is established.
- Includes the option to use the default portal pages (Access Portal), to customize easy-to-use portal page templates, or to include links to the clients directly on your website.
- Provides access to remote networks that have the same numbering as the local subnet.

VPN operation
- Provides users with a desktop-like network experience. Through the VPN connection, users can:
  - Map network drives just as they would from their in-office computer.
  - Work with client applications, such as Microsoft Outlook or any other application, in their native user interface. The remote user does not need to do any client application reconfiguration.
- VPN users can seamlessly access the Firebox SSL even if they are behind another organization's firewall.

Kiosk operation
- Provides, on a group basis, access to a private network from public computers.
- Sends images, not data, to the kiosk. Because no temporary files or cookies are downloaded to the remote computer, there is no risk of files remaining after the session.
- Opens a VNC-like window that is configurable by group. Optional components include a Mozilla browser window with a configurable default URL, network shares, and icons that provide one-click access to Remote Desktop, VNC, Telnet 3270 emulator, SSH, and Citrix ICA clients.

Performance
- Supports up to 205 tunnels.
- Provides throughput of 75 MB per second.

Authentication, authorization, and access control
- Supports HTTP 401 Basic, Digest, and Windows Domain Authentication and RADIUS, LDAP, and RSA SecurID authentication servers. User accounts can also be defined on the Firebox SSL.
- Supports realm-based authentication so that a single Firebox SSL can be used with multiple authentication servers.
- Supports LDAP or local user group authorization.
- Provides access control through the association of resources to user groups.

Security
- Supports digital certificates in Privacy Enhanced Mail (PEM) format that include a private key.
- Notifies VPN users if the Firebox SSL to which they connect does not have a certificate that is signed by a Certificate Authority, and therefore is not a trusted device.
- Redirects over a secure tunnel all network traffic (all IP packets) destined for certain private networks.
- Uses SSL (v1 and v2) and TLS SSL (v3) to encrypt every packet, including any header information. This provides a very high level of security and does not give anyone who gains access to the secure stream the ability to reconstruct any useful information.
- Supports SSL with compression.
- Supports 196-bit TLS SSL encryption, as well as lower and higher bit values defined in your certificate. You might prefer to lower the encryption if performance is more important than security.
- Supports all OpenSSL ciphers: CAST, CAST5, DES, Triple-DES, IDEA, RC2, RC4, and RC5.
- Supports the 802.11 optional encryption scheme, Wired Equivalent Privacy (WEP).
- Requires only one available port: 443 (by default).
- Makes IP addresses either invisible or visible to accessed network applications, by application or host. When network IP addresses are hidden, the remote user's VPN connection looks like a browser session rather than an IP address and thus blocks worm traversal.
- Does not touch client-side route tables.
- Supports configurable host check rules to ensure that a VPN user's computer meets the requirements of the rule. You can require that a connecting computer has a particular registry path, file, and/or active process. For example, host check rules enable you to enforce real-time checking of the presence of firewall or antivirus software; if a VPN user stops the firewall or anti-virus software, the VPN tunnel is immediately frozen.

The User Experience


The Firebox SSL provides users with the desktop-like network experience that they have with an IPSec VPN, but does so without any need to configure a client. The user starts the Secure Access client by accessing a secure web URL through a standard web browser, and then providing authentication credentials. Because the Firebox SSL traverses all ports of firewalls, remote users can access the Firebox SSL regardless of their location. For a more detailed description of the user experience, see Connecting from a Private Computer on page 56. The following illustration shows the default Windows version of the Access Portal.

NOTE The portal page is customizable, as described in Customizing VPN Portal Pages on page 108. You can also include a link to the clients on a website, as described in Linking to the VPN Clients from Your Website on page 115.

After a successful login, the user can work with network shares and run applications just as if the user were sitting inside of the organization's firewall. The remote user does not need to do any client application reconfiguration and works with client applications in their native user interface.

Deployment and Administration


The Firebox SSL is fast to deploy and simple to administer. You install the Firebox SSL in your organization's DMZ, giving it access to the external and internal networks. The most typical deployment configuration is to locate the Firebox SSL behind your firewall or to straddle the firewall. More complex deployments, such as with a server load balancer, are also supported and described in Deployment Options on page 16.

The first time that you start the Firebox SSL, you use the Firebox SSL Administration Tool to configure the basic settings that are specific to your site, such as the Firebox SSL IP address, netmask, default gateway IP address, and DNS addresses. After you complete the basic connection, you then configure the settings specific to VPN operation, such as the options for authentication, authorization, and group-based access control, kiosk operation, host checking, portal pages, and IP pools.

All Firebox SSL administration and monitoring is performed through the Firebox SSL Remote Admin Terminal window, which provides access to the Administration Tool and a variety of standard network monitoring tools, including Ethereal Network Monitor, xNetTools, Traceroute, fnetload, and System Monitor. The Firebox SSL Remote Admin Terminal window also provides access to the Real-time Monitor, where you can view a list of current VPN users and groups and close the VPN connection for any user or group.

You will need to provide remote VPN users with the URL of the Firebox SSL and a list of the resources that they can access. Remote users can log in with their usual credentials and do not need to perform any configuration of the Secure Access client or any application clients, resulting in minimal user support.

Firebox SSL Operation


The Firebox SSL performs the following functions:
- Authentication
- Termination of encrypted sessions
- Access control (based on permissions)
- Data traffic relay (when the first three functions are met)

The Firebox SSL operates as follows:

1. A remote user obtains the Secure Access client by accessing a secure web URL and providing authentication credentials.
2. After a successful login, the Firebox SSL establishes a secure tunnel.
3. As the remote user attempts to access network resources across the VPN tunnel, the Secure Access client encrypts all network traffic destined for the organization's intranet and forwards the packets and user credentials over an HTTPS session to the Firebox SSL.
4. The Firebox SSL terminates the SSL tunnel and accepts any incoming packets destined for the private network. After fixing the packets, the Firebox SSL injects them into the private network. The Firebox SSL sends traffic back to the remote computer over a secure tunnel.

Those steps are detailed in the following sections:
Starting the Secure Access Client on page 9
Establishing the Secure Tunnel on page 10
Tunneling Destination Private Address Traffic over SSL or TLS on page 10
Terminating the Secure Tunnel and Returning Packets to the Client on page 12

Starting the Secure Access Client


A remote user obtains the Secure Access client by accessing a secure web URL, typically the public host name of the Firebox SSL. The Firebox SSL prompts the user for authentication over HTTP 401 Basic or Digest. The Firebox SSL authenticates the credentials with a corporate logon server (LDAP, RADIUS, RSA ACE) and, if the credentials are correct, finishes the handshake with the client personal computer. This login step is required only when the user initially downloads the Secure Access client. If the user is behind a proxy server, the user can specify the proxy server, and authentication credentials if required, before logging in by right-clicking the login dialog and choosing Advanced Options. The Secure Access client is installed on the remote user's computer and operates at Layer 2 (between Ethernet and IP). After the first connection, the remote user can subsequently use a desktop shortcut to start the Secure Access client, thus bypassing the portal page login step.

Enabling Single Sign-On Operation for the Secure Access Client


If the Secure Access client is configured for single sign-on operation, it automatically starts after the user logs in to Windows. The user's Windows login credentials are passed to the Firebox SSL for authentication. Enabling single sign-on for the Secure Access client facilitates operations on the remote computer such as installation scripts and automatic drive mapping.

Establishing the Secure Tunnel


Once the Secure Access client has been started, it establishes a secure tunnel over HTTPS port 443 (or any configured port on the Firebox SSL) and sends authentication information to validate the tunnel. Once the tunnel is established, the Firebox SSL sends configuration information to the Secure Access client describing the networks to be secured and containing an IP address if you enabled IP address visibility.

Tunneling Destination Private Address Traffic over SSL or TLS


After the Secure Access client is authenticated and started, all network traffic destined for certain private networks is captured and redirected over the secure tunnel to the Firebox SSL. The Secure Access client intercepts all network connections made by the client computer and multiplexes/tunnels them over SSL to the Firebox SSL, where the traffic is de-multiplexed and the connections are forwarded to the correct host and port combination, determined by the client-server application in real time. The Secure Access client streams any dynamic port traffic over SSL to the Firebox SSL, where connections are re-established to the server at its desired dynamic port. On both the Firebox SSL and the Secure Access client, RTP packets are prioritized and processed before any other packets. The connections are subject to flexible administrative security policies which can apply to a single application, a subset of applications, or an entire intranet. You use the Firebox SSL Administration Tool to specify the resources (ranges of IP address/netmask pairs) that remote users can access through the VPN connection. All IP packets, regardless of protocol, are intercepted and transmitted over the secure link. This functionality is what gives the Firebox SSL IPSec-equivalent functionality. Consider TCP connections, for example. Connections from local applications on the client computer are securely tunneled over to the Firebox SSL, which re-establishes the connections to the target server.


Target servers view connections as originating from the local Firebox SSL on the private network, thus hiding the client IP address (reverse NAT). Hiding IP addresses adds security to source locations in B2B implementations and also secures the wireless network in an organization for its users and visitors, providing a viable alternative to WEP. Locally, on the client computer, all connection-related traffic (such as SYN-ACK, PUSH, ACK and FIN packets) is recreated by the Secure Access client to appear to come from the private server.

Operation through NAT Firewalls and Proxies


Users of the Secure Access client will sometimes be located inside of another organization's firewall, as shown in the following illustration.

NAT firewalls maintain a NAT table that allows them to route secure packets from the Firebox SSL back to the client computer. For circuit-oriented connections, the Firebox SSL maintains a port-mapped, reverse NAT translation table. The reverse NAT translation table enables the Firebox SSL to match connections and send packets back over the tunnel to the client with the correct port numbers so that the packets return to the correct application.

The Firebox SSL tunnel is established using industry-standard connection establishment techniques such as HTTPS, Proxy HTTPS, and SOCKS. This operation makes the Firebox SSL firewall friendly and thus allows remote computers to access private networks from behind other organizations' firewalls without creating any problems. For example, the connection can be made via an intermediate proxy, such as an HTTP proxy, by issuing a CONNECT HTTPS command to the intermediate proxy. Any credentials requested by the intermediate proxy will in turn be obtained from the remote user (by using single sign-on information or by requesting the information from the remote user) and presented to the intermediate proxy server. Once the HTTPS session is established, the payload of the session is encrypted and carries secure packets to the Firebox SSL.
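The CONNECT exchange described above, as an added example that is not part of this guide or WatchGuard's code: the client side builds the CONNECT request and answers a 407 challenge with credentials, and a constructed stand-in proxy plays the other side over a socket pair so the exchange runs offline. The gateway host name, the credentials and the proxy realm are constructed values.

```python
"""Added example: the HTTP CONNECT exchange used to bring the tunnel up
through an intermediate proxy. Not WatchGuard code; host, credentials
and proxy realm are constructed values."""
import base64
import socket
import threading

GATEWAY_HOST = "vpn.example.com"   # assumed public host name of the Firebox SSL
GATEWAY_PORT = 443                 # default tunnel port


def build_connect_request(host, port, credentials=None):
    """Raw CONNECT request the client sends to the proxy; credentials is an
    optional (user, password) pair that becomes a Proxy-Authorization header."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if credentials:
        user, password = credentials
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def recv_head(sock):
    """Read until the end of an HTTP head (blank line) or until the peer closes."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def parse_proxy_status(raw):
    """Return (status_code, headers) from the proxy's reply to CONNECT."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: " + status_line)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def open_tunnel(sock, host, port, credentials=None):
    """Issue CONNECT. On a 407 challenge, retry once with credentials, as the
    client does after obtaining them via single sign-on or from the user.
    Returns the final status: 200 means the socket now carries the end-to-end
    stream and the TLS handshake with the gateway can start on it."""
    sock.sendall(build_connect_request(host, port))
    status, headers = parse_proxy_status(recv_head(sock))
    if status == 407 and credentials and "proxy-authenticate" in headers:
        sock.sendall(build_connect_request(host, port, credentials))
        status, headers = parse_proxy_status(recv_head(sock))
    return status


def fake_proxy(conn, expected_token):
    """Constructed stand-in for an authenticating proxy (demo only): challenge
    with 407 until a matching Basic token arrives, then answer 200."""
    for _ in range(2):
        req = recv_head(conn)
        auth = [l for l in req.split(b"\r\n")
                if l.lower().startswith(b"proxy-authorization:")]
        if auth and auth[0].split(b" ", 2)[-1].decode() == expected_token:
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            break
        if not req:
            break
        conn.sendall(b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                     b'Proxy-Authenticate: Basic realm="corp"\r\n\r\n')
    conn.close()


def demo(credentials):
    """Run client and stand-in proxy over a socket pair; return the final status."""
    client, proxy = socket.socketpair()
    token = base64.b64encode(b"alice:s3cret").decode()
    worker = threading.Thread(target=fake_proxy, args=(proxy, token))
    worker.start()
    try:
        return open_tunnel(client, GATEWAY_HOST, GATEWAY_PORT, credentials)
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    print("with credentials:", demo(("alice", "s3cret")))   # 200
    print("without credentials:", demo(None))               # 407
```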

Terminating the Secure Tunnel and Returning Packets to the Client


The Firebox SSL terminates the SSL tunnel and accepts any incoming packets destined for the private network. If the packets meet the authorization and access control criteria, the Firebox SSL regenerates the packet IP headers so that they appear to originate from the Firebox SSLs private network IP address range or the client-assigned private IP address. The Firebox SSL then injects the packets into the network.
NOTE If you run a packet sniffer such as Ethereal on the PC where the Secure Access client is running, you will see unencrypted traffic that appears to be between the client and the Firebox SSL. That unencrypted traffic, however, is not over the tunnel between the client and the Firebox SSL but rather the tunnel to the local applications. The Secure Access client maintains two tunnels: an SSL tunnel over which data is sent to the Firebox SSL (the sniffer also detects this tunnel) and a tunnel between the client and local applications. The encrypted data that arrives over the SSL tunnel is decrypted before being sent to the local application over the second tunnel. The packet sniffer sees the second tunnel's traffic, which appears to be from the Firebox SSL, after the traffic is already decrypted.

When an application client connects to its application server, certain protocols may require that the application server in turn attempt to create a new connection with the client. In this case, the client sends its known local IP address to the server by means of a custom client-server protocol. For these applications, the Secure Access client is able to provide the local client application a private IP address representation, which the Firebox SSL will use on the internal network. Many real-time voice applications and FTP use this feature.

Performance and Real-time Traffic


Real-time applications, such as voice and video, are implemented over UDP, because TCP is not appropriate for real-time traffic due to the delay introduced by acknowledgements and retransmission of lost packets. It is more important to deliver packets in real time than to ensure that all packets are delivered. However, with any tunneling technology over TCP, such real-time performance cannot be achieved. The Firebox SSL overcomes this issue by routing UDP packets over the secure tunnel as special IP packets that do not require TCP acknowledgements. Even if the packets get lost in the network, neither the client nor the server application attempts to regenerate them, so real-time (UDP-like) performance is achieved over a secure TCP-based tunnel.

Kiosk Operation
The Firebox SSL also provides secure access to a private network from a public computer through optional kiosk operation. When remote users indicate that they are connecting from a public computer, the Firebox SSL opens a Virtual Network Computing (VNC)-like connection in a window. For computers running Windows 2000 and above, kiosk operation is available through the Access Portal. The kiosk link can be removed from the Access Portal on a group basis.


For computers running a JVM 1.4.2 or higher (such as Macintosh or Windows 95/98 computers), kiosk operation is available through a Java applet. For Macintosh, Safari is the supported browser. During kiosk operation, the Firebox SSL sends images only (no data) over the VPN connection. As a result, there is no risk of leaving temporary files or cookies on the public computer. Both temporary files and cookies are maintained on the Firebox SSL for the session. As shown in the following example, the Firebox SSL kiosk display can include a web browser, several applications, and network shares.

The browser defaults to a URL that is configured per group through the Firebox SSL Administration Tool. The kiosk window can also include one-click access to Citrix ICA, Remote Desktop, SSH, Telnet 3270 emulator, and VNC clients, through icons that display in the bottom-right corner of the window. You specify for each group the applications to be included. The kiosk window also provides one-click access to shared network drives, through icons such as the one labelled ws in the following example. The Firebox SSL administrator configures the permissions granted (read-only or read/write) to each shared network drive. The following example shows the result of opening a shared network drive.

VPN users can copy files from the network share to their computer simply by dragging the file onto the KioskFTP icon and selecting the destination in the File Download dialog box.


Deployment Options
The Firebox SSL Quick Start describes how to install the Firebox SSL with a firewall, the most common configuration. You can also connect the Firebox SSL to other devices such as a server load balancer or router.

Connecting to a Server Load Balancer


You can connect one or more Firebox SSLs to a server load balancer. Characteristics of this configuration include the following:
- Incoming web traffic is intercepted by the server load balancer and load balanced between the Firebox SSLs (if more than one Firebox SSL is in use).
- For optimal performance, the server load balancer is configured with a virtual IP (VIP). The VIP is used by the Firebox SSL when reestablishing the connection to the server load balancer.
- The Firebox SSL External Public Address is the external-facing (public) VIP address of the server load balancer. The Firebox SSL modifies all requests to include the External Public Address. The External Public Address ensures that the redirected client returns to the Firebox SSL it first encountered, providing session stickiness. The association between a particular request and the Firebox SSL is broken only when the client makes a new connection.
To establish the physical connection, connect the Firebox SSL eth0 interface to the internal network. Use the Firebox SSL Administration Tool to configure network settings. Specify the IP address of the server load balancer as the Default Gateway setting on the Networking > General Networking tab.


CHAPTER 2

Administering the Firebox SSL

The following topics describe how to administer your Firebox SSL:
Using the Firebox SSL Remote Admin Terminal Window on page 18
Using the Administration Tool on page 21
Using the Serial Console on page 23
Upgrading the Firebox SSL Software on page 23
Supporting Secure Access Users on page 25
Generating a Secure Certificate for the Firebox SSL on page 29
Blocking External Access to the Administration Portal on page 39
Managing Licenses on page 40
Viewing and Changing the System Date and Time on page 41
Managing Administrative Users on page 42
Saving and Restoring the Configuration on page 43
Managing VPN Connections on page 45
Restarting the Firebox SSL on page 49
Shutting Down the Firebox SSL on page 49


NOTE This chapter assumes that you have set up the Firebox SSL hardware and performed the initial configuration as described in the Firebox SSL Quick Start.

Using the Firebox SSL Remote Admin Terminal Window


The VNC-like Firebox SSL Remote Admin Terminal window provides access to Firebox SSL configuration and monitoring tools. As shown in the following illustration, the Remote Admin Terminal window includes the Administration Tool, a graphical interface used to configure the Firebox SSL. The Remote Admin Terminal taskbar also includes one-click access to a variety of standard Linux monitoring applications as well as the Real-time Monitor, used to view and manage open VPN connections, and the system time and date.


Illustration: Remote Admin Terminal window. Callouts: Administration Tool (Tabs, Help); Taskbar (Administration Tool, Monitoring Applications, Real-time Monitor, Workspace Switcher and Taskbar Buttons, Processor Usage, Network Usage, System Time/Date).

To open the Remote Admin Terminal window:

1 Make sure that the Firebox SSL is running.
2 From a web browser, connect to the Firebox SSL by entering the URL: https://ipAddress:9001
where:
- ipAddress is the IP address of your Firebox SSL
- 9001 is the administration port of your Firebox SSL
If a Security Alert dialog box appears, click Yes.
The Firebox SSL Administration Portal appears.


From the Downloads page, you can launch or download the Administration Tool and download documentation, portal page templates, and a sample email that you can customize with instructions for VPN users.
NOTE By default, if you configure the Firebox SSL to use both LAN interfaces, the Administration Portal can be accessed from either interface. To block administration access from the external-facing interface, see Blocking External Access to the Administration Portal on page 39.

Click either Launch Firebox SSL Administration Tool or Download the Firebox SSL Administration Tool. (If you see a Security Warning dialog, click Yes to download the required ActiveX Helper client.)
- If you chose the launch link, skip to step 5.
- If you chose the download link, click Save to save a shortcut to your desktop, enabling you to skip the preceding steps the next time that you want to open the Remote Admin Terminal window.

In the Remote Admin Terminal login dialog, enter the Firebox SSL administrator credentials. Unless you have changed the default administrative account as described in Managing Administrative Users on page 42, enter root in the User Name field and rootadmin in the Password field, and then click Connect.

The Remote Admin Terminal window opens. For information on the applications available from the Remote Admin Terminal window, see the following topics: Using the Administration Tool on page 21 Monitoring Firebox SSL Operations on page 150

Using the Administration Tool


The Administration Tool, accessed from the Remote Admin Terminal window, contains all Firebox SSL configuration controls, except for administrative user account management which is available only from the Administration Portal.
NOTE The Firebox SSL also has a command-line interface, the serial console, described in Using the Serial Console on page 23.


The serial console contains the minimal prompts required to connect the Firebox SSL to your network.

When you open the Remote Admin Terminal window, the Administration Tool window opens inside of the Remote Admin Terminal window. If you close the Administration Tool, you can reopen it by clicking the Administration Tool icon in the taskbar of the Remote Admin Terminal window. The left pane of the Administration Tool window displays Help information for the current tab. In a few cases, making a selection from a drop-down menu displays a new Help topic.

Click a tab to view a related help topic.

Choose a main menu option to view a related help topic.

NOTE When working with the Administration Tool, click Submit to apply changes. If you are prompted to restart the Firebox SSL, you can restart it when you have completed your changes.

To close the Administration Tool window, choose Options > Exit or click the close button.


Using the Serial Console


You can use the serial console to set the IP address and netmask of the Firebox SSL Interface 0, as well as the IP address of the default gateway device. All other configuration must be done through the Administration Tool. You can also use the serial console to test a connection with the ping command. If you want to reach the Firebox SSL via the serial console before making any configuration settings, use a serial cable to connect the Firebox SSL to a computer that has terminal emulation software.

To open the serial console:

1 Connect a computer to the Firebox SSL serial port.
2 Make sure that the Firebox SSL is running.
3 Start a terminal emulation application and open a TCP/IP connection to the Firebox SSL using its IP address and administration port number (usually 9001).
If the serial console does not open, check the settings in the terminal emulation application. Set the serial connection to 115200 bits per second, 8 data bits, no parity, and 1 stop bit.
Enter the administrative username (defaults to root) and password (defaults to rootadmin) when prompted.
The serial console menu appears.

Upgrading the Firebox SSL Software


WatchGuard will notify you when server software upgrades are available. Before you upgrade the Firebox SSL, you might need to look up your current Firebox SSL version.


To display the version of your installed Firebox SSL:

In the Administration Tool, go to the About WatchGuard Firebox SSL tab.

As described in the following procedure, you can upgrade the Firebox SSL from the Administration Portal or the Administration Tool.
NOTE When you upload a server upgrade, the Firebox SSL drops the active sessions, so it is best to upgrade the server when you know that traffic is at a minimum.

To upgrade your Firebox SSL:

1 Download the upgrade file from the WatchGuard Support site to your local network. Upgrade files are available from https://www.watchguard.com/archive/softwarecenter.asp. If you cannot locate the upgrade file or do not know which upgrade file to use, please contact WatchGuard Support.
2 In the Firebox SSL Administration Tool, go to the Administration > Maintenance tab.
Alternatively, from the Administration Portal, go to the Maintenance tab.
3 Across from Upload a Server Upgrade or Saved Config., click Browse.
4 Locate the upgrade file that you want to upload and click Open. The file is uploaded and the Firebox SSL restarts automatically.


When you upgrade the Firebox SSL, all of your configuration settings are preserved. For information on saving and restoring a configuration, see Saving and Restoring the Configuration on page 43.

Supporting Secure Access Users


To enable users to connect to and use the Firebox SSL, you need to provide them with the following information:
- Firebox SSL URL. If a user needs VPN access from a computer that is not running Windows 2000 or above or Linux, but is running a Java Virtual Machine (JVM) 1.4.2 or higher, the user can use the Java applet version of the kiosk. The URL for connecting to the Java applet version of the kiosk is: https://Access_Gateway_address/vpn_portal-javaonly.html
- The authentication realm name required for login (if you use realms other than the realm named default).
- Path to any network drives that the users can access (by mapping a network drive on their PC).
- Any system requirements for running the Firebox SSL clients, if you have configured host check rules.
Depending on the configuration of a remote user's system, you might also need to provide additional information:
- To start the Secure Access client, Windows 2000 users must have permission to install programs on their computer. For example, under Windows 2000, a user must be a member of a non-restricted group such as Power Users or Administrators. (The Users group restricts a user from installing programs.) This restriction applies to Windows XP for first-time installation only, not for upgrades.
- If a user runs a firewall on the remote computer, the user might need to change the firewall settings so that it does not block traffic to or from the IP addresses to which you have granted access. The Secure Access client automatically handles the Internet Connection Firewall built in to Microsoft Windows XP. For information about configuring a variety of popular firewalls, see Configuring Software Firewalls for the Secure Access Client on page 26.
- Users who wish to FTP over the Firebox SSL connection must set their FTP application to perform passive transfers. A passive transfer means that the remote computer establishes the data connection to your FTP server, rather than your FTP server establishing the data connection to the remote computer.
- Users who wish to run X client applications across the VPN connection must run an X server, such as XManager, on their computer.
Because Secure Access users work with files and applications just as if they were local to the organization's network, no retraining of users or reconfiguration of applications is needed. We have provided an email template that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. We recommend that you customize the text for your site and then send the text in an email to your VPN users.

Configuring Software Firewalls for the Secure Access Client


If a VPN user is unable to establish a connection to the Firebox SSL or cannot access allowed resources, it is likely that the software firewall on the user's PC is blocking traffic. The Firebox SSL works with any personal firewall, provided that the firewall application allows the user to specify a trusted network or IP for the Firebox SSL. The following sections about some of the more widely used firewall applications are intended as a supplement to the firewall vendor's documentation.
NOTE The recommended source for current information on firewall applications is the firewall vendor's documentation.

BlackICE PC Protection on page 27
McAfee Personal Firewall Plus on page 27
Norton Personal Firewall on page 28
Sygate Personal Firewall (free and Pro versions) on page 28
Tiny Personal Firewall on page 28
ZoneAlarm Pro on page 29

BlackICE PC Protection
The following BlackICE settings enable the Secure Access client to reach the Internet and the resources allowed by the Firebox SSL. To configure the settings, open the BlackICE window and choose the following commands.
Tools > Edit BlackICE Settings
Firewall tab: Make sure that the Protection Level is lower than Paranoid; the Paranoid level prevents you from running applications, such as e-mail, over the VPN connection.
Intrusion Detection tab: Add the IP address of the Firebox SSL as a trusted zone. Also add the IP address or range of allowed resources as trusted zones. When you add an IP address, be sure to select the Add Firewall Entry check box.

McAfee Personal Firewall Plus


The following McAfee Personal Firewall Plus settings enable the Secure Access client to reach the Internet and the resources allowed by the Firebox SSL. To configure the settings, open the McAfee Security Center window, click the Personal Firewall+ tab, and choose the following commands. The following settings assume that you are using the Standard security level. To check your security level, go to the Personal Firewall+ tab, click Utilities, and then click Security Settings.
NOTE By default, when you install the Secure Access client, Personal Firewall+ will prompt you to grant or block access for the application. Choose Grant Access.
Trusted & Banned IPs: Add the IP address or range of allowed resources as trusted IP addresses.
System Services: In the System Services list, select each service that you plan to use over the VPN connection.


Norton Personal Firewall


If you are using the default Norton Personal Firewall settings, you can simply respond to the Program Control alerts the first time that you attempt to start the Secure Access client or when you access a blocked location or application. When you respond to such an alert, choose the Permit action, select Always use this action, and click OK. If you have changed the default firewall settings, you might need to manually configure the following settings in order to reach the Internet and the resources allowed by the Firebox SSL. To configure the settings, open the Norton Personal Firewall window and choose the following tabs.
Networking: You might need to add the following as trusted zones:
- The IP address of the Firebox SSL
- The IP address or range of allowed resources
Click Add and enter the IP address(es).
Programs: You might need to grant access to individual applications. Click Add and then browse for and select the application. When prompted, choose Permit.

Sygate Personal Firewall (free and Pro versions)


Each time that the Sygate Personal Firewall encounters new activity for which it does not have a rule, it displays a prompt. To grant access to the applications and locations that you will access through the Secure Access client, select the Remember my answer check box and click Yes when the prompt appears.

Tiny Personal Firewall


The following Tiny Personal Firewall settings enable the Secure Access client to reach the Internet and the resources allowed by the Firebox SSL.
NOTE One method to configure Tiny Personal Firewall is to respond to the prompts displayed when the firewall encounters new activity for which it does not have a rule. The following information assumes that you do some pre-configuration of the firewall before installing the Secure Access client.


To configure the settings, open the Tiny Personal Firewall administration window, click the Advanced button to view the Firewall Configuration window, and then use the Filter Rule dialog box as indicated below.
Add: To permit the IP address or range of allowed resources, use the following settings:
Protocol = TCP and UDP
Direction = Both Direction
Local Endpoint fields = Any
Remote Endpoint = specify IP address(es)
Action = Permit

After you apply the above configuration and then start the Secure Access client, Tiny Personal Firewall will display several Incoming Connection Alerts related to the Secure Access client. For each alert, select the Create appropriate filter check box and click Permit.

ZoneAlarm Pro
The following ZoneAlarm settings enable the Secure Access client to reach the Internet and the resources allowed by the Firebox SSL. To configure the settings, choose the tabs indicated in the following table.
Firewall > Zones: Define the host name of the Firebox SSL as a trusted zone.

Generating a Secure Certificate for the Firebox SSL


The Firebox SSL includes a digital certificate which is not signed by a Certificate Authority. You should install on the Firebox SSL a digital X.509 certificate that belongs to your company and is signed by a Certificate Authority. Certificates from Verisign and Thawte are supported.
NOTE Operating the Firebox SSL without a digital certificate that is signed by a Certificate Authority can subject VPN connections to malicious attacks, as described in About Digital Certificates and Firebox SSL Operation on page 31.


The Firebox SSL accepts a Privacy Enhanced Mail (PEM) format certificate file. PEM is a text format that is the Base-64 encoding of the Distinguished Encoding Rules (DER) binary format. The PEM format specifies the use of text BEGIN and END lines that indicate the type of content that is being encoded. Before you can upload a certificate to the Firebox SSL, you will need to generate a Certificate Signing Request (CSR) and private key. We recommend using Linux OpenSSL to administer any certificate tasks. If Linux is not available, we recommend the Cygwin UNIX environment for Windows, which includes an OpenSSL module. Instructions for downloading, installing, and using the Cygwin UNIX environment to generate a CSR are included in this section. If you are familiar with certificate manipulation, you can use other tools to create a PEM-formatted file.

The certificate that you upload to the Firebox SSL must have the following characteristics:
- It must be in PEM format and must include a private key.
- The signed certificate and private key must be unencrypted.

The following topics describe how to perform the tasks associated with generating a CSR:
About Digital Certificates and Firebox SSL Operation on page 31
Overview of the Certificate Signing Request on page 32
Installing the Cygwin UNIX Environment for Windows on page 33
Generating a CSR on page 33
Unencrypting the Private Key on page 34
Converting to a PEM-Formatted Certificate on page 35
Combining the Private Key with the Signed Certificate on page 36
Generating Trusted Certificates for Multiple Levels on page 37
Uploading a Certificate to the Firebox SSL on page 38


About Digital Certificates and Firebox SSL Operation


The Firebox SSL uses digital certificates to encrypt and authenticate traffic over a VPN connection. If the digital certificate installed on the Firebox SSL is not signed by a Certificate Authority, the traffic is encrypted but not authenticated. A digital certificate must be signed by a Certificate Authority to also authenticate the traffic. When traffic over a connection is not authenticated, the connection can be compromised through a man-in-the-middle (MITM) attack. In an MITM attack, a third party intercepts the public key sent by the Firebox SSL to the Secure Access client and uses it to impersonate the Firebox SSL. As a result, the VPN user would unknowingly send authentication credentials to the attacker, who could then gain access to the Firebox SSL. A certificate that is signed by a Certificate Authority prevents such attacks. If the certificate installed on the Firebox SSL is not signed by a Certificate Authority, Secure Access and Kiosk users will see the following security alert when attempting to log in.

If the user chooses to establish the connection, the status window and system tray icon appear as follows.


Secure Access users will see security warnings unless you install a certificate that is signed by a Certificate Authority on the Firebox SSL and a corresponding certificate on VPN users computers. Users can also disable the Security Alert through the Secure Access Connection Properties dialog box.

Overview of the Certificate Signing Request


If you are unfamiliar with generating a CSR, review this section for background information.

The general process for generating a CSR and handling the signed certificate is as follows:

1 Generate a CSR (public.csr) and private key (private.key) as described in Generating a CSR on page 33.
2 Send the public.csr file to an authorized certificate provider.
3 If you used a tool other than the Cygwin UNIX environment to generate the CSR, check the format of the private key. If it is in DER format or is encrypted, convert it to PEM format as described in Unencrypting the Private Key on page 34.
4 When you receive the signed certificate file from your SSL certification company, check the file format. If it is not in PEM format, convert it as described in Converting to a PEM-Formatted Certificate on page 35.
5 Combine the PEM-formatted signed certificate with the PEM-formatted private key (private.key) as described in Combining the Private Key with the Signed Certificate on page 36.
6 If your certificate has more than one level, handle the intermediate certificates as described in Generating Trusted Certificates for Multiple Levels on page 37.
7 Upload the certificate to the Firebox SSL as described in Uploading a Certificate to the Firebox SSL on page 38.


Installing the Cygwin UNIX Environment for Windows


If Linux OpenSSL is not available, install the Cygwin UNIX environment for Windows. When you install Cygwin, you must choose the OpenSSL modules as described in the following steps.

To install Cygwin:

1 Use a web browser to navigate to www.cygwin.com and click Install Cygwin Now.
2 Follow the on-screen instructions to open the setup installer.
3 In the Cygwin Setup dialog box, click Next.
4 Click Install from Internet and then click Next.
5 Accept the default root installation directory settings and then click Next.
6 Accept the default local package directory setting and then click Next.
7 In the Internet Connection screen, click Use IE5 Settings and then click Next.
8 In the list of Available Download Sites, click ftp://ftp.nas.nasa.gov and then click Next.
9 In the Select Packages screen, click the View button (upper-right corner).
10 Scroll the packages list to locate in the Package column openssl: The OpenSSL runtime environment and openssl-devel: The OpenSSL development environment.
11 In the New column for those two entries, click Skip.
The current version number of Cygwin appears.
12 Click Next to start the installation.
After Cygwin installs, you can generate the CSR.

Generating a CSR
These instructions to generate a CSR assume that you are using the Cygwin UNIX environment installed as described in Installing the Cygwin UNIX Environment for Windows on page 33.


To generate a CSR using the Cygwin UNIX environment:

1 Double-click the Cygwin icon on the desktop.
A command window opens with a UNIX bash environment.
2 To change to a particular drive, use the command: cd driveLetter:
3 At the $ prompt, type the following to generate a CSR:

openssl req -new -nodes -keyout privateKeyFilename -out certRequestFilename

For example:
openssl req -new -nodes -keyout private.key -out public.csr

Status messages about the private key generation appear. You will be prompted for information such as country name.
4 When prompted for the Common name, enter the DNS name of the Firebox SSL.
The name that you enter will appear in the certificate and must match the name expected by PCs that connect to the Firebox SSL. Thus, if you alias DNS names, you will need to use the alias name instead.
5 Submit your CSR (public.csr) to an authorized certificate provider such as Verisign. When asked for the type of server that the certificate will be used with, indicate Apache. (If you indicate Microsoft, the certificate might be in PKCS7 format and you will need to follow the procedure in Converting to a PEM-Formatted Certificate on page 35 to convert the certificate to a PEM format.)
The certificate provider will return a Signed Certificate to you by email within several days.

Unencrypting the Private Key


The following procedure is not needed if you use the Cygwin UNIX environment to generate the CSR and private key. Follow this procedure only if the method you use to generate the private key results in an encrypted key.


To unencrypt the private key:

1 At the $ prompt, enter the command: openssl rsa
If you enter this command without arguments, you will be prompted as follows:

read RSA key

Enter the name of the password to be encrypted. You can enter the openssl rsa command with arguments if you know the name of the private key and the unencrypted PEM file. For example, if the private key filename is my_keytag_key.pvk, and the unencrypted filename is keyout.pem, you would enter:
openssl rsa -in my_keytag_key.pvk -out keyout.pem

For more information, refer to the following URL: http://www.openssl.org/docs/apps/rsa.html#EXAMPLES For information on downloading OpenSSL for Windows, refer to the following URL: http://sourceforge.net/project/showfiles.php?group_id=23617&release_id=48801

Converting to a PEM-Formatted Certificate


The signed certificate file that you receive from your certificate provider might not be in PEM format. If the file is in binary (DER) format, convert it to PEM as follows:
openssl x509 -in certFile -inform DER -outform PEM -out convertedCertFile

If the certificate is already in a text format, it may be in PKCS7 format. (You will receive a PKCS7-formatted certificate if you specified that the certificate will be used with a Microsoft rather than an Apache server.) The following command results in an error message if the certificate is not in PEM format. The certFile should not contain the private key when you run this command:
openssl verify -verbose -CApath /tmp certFile
Because /tmp contains no CA certificates, this command reports a chain-building error (typically unable to get local issuer certificate) even for a good PEM file; that is expected here. Only the load error shown below means the file is not PEM.


Administering the Firebox SSL

If that command results in the following error message, the file is not in PEM format.
certFile: unable to load certificate file 4840:error:0906D064:PEM routines: PEM_read_bio:bad base64 decode:pem_lib.c:781:

To convert the certificate from PKCS7 to PEM format:
1 Run the command:
openssl pkcs7 -in ./certFile -print_certs
(If the PKCS7 file is binary rather than text, add -inform DER.)

The output will look like this:

subject=...
...
-----BEGIN CERTIFICATE-----
... Server Certificate ...
-----END CERTIFICATE-----
subject=...
...
-----BEGIN CERTIFICATE-----
... Intermediate Cert ...
-----END CERTIFICATE-----

Combine the server certificate data and the intermediate certificate data (if it exists) from the output with the private key as specified in Combining the Private Key with the Signed Certificate on page 36 and Generating Trusted Certificates for Multiple Levels on page 37.

Combining the Private Key with the Signed Certificate


You must combine the signed certificate with the private key before you can upload it to the Firebox SSL.


To combine the Private Key with the Signed Certificate:
1 Use a text editor to combine the unencrypted private key with the signed certificate in the PEM file format. The file contents should look similar to the following:
-----BEGIN RSA PRIVATE KEY-----
<Unencrypted Private Key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<Signed Certificate>
-----END CERTIFICATE-----
Copy the BEGIN and END lines exactly as OpenSSL wrote them; an edited marker (for example, END RSA Private KEY) stops the file from loading.
2 Save and name the PEM file. For example, AccessGateway.pem.

Generating Trusted Certificates for Multiple Levels


NOTE Any certificate that has more than one level (that is, one issued by an intermediate CA rather than directly by a root) must be uploaded together with all of its intermediate certificates, or the system may become unusable.

You must determine whether your certificate has more than one level and, if it does, handle the intermediate certificates properly.

To generate trusted certificates for multiple levels:
1 Open Internet Explorer, and access a page through the Firebox SSL. For example, enter a URL similar to the following:
https://ipAddress:httpPort//www.mypage.com
where:
- ipAddress is the IP address of your Firebox SSL
- httpPort is the Firebox SSL HTTP port number
2 Double-click the Lock symbol in the bottom right corner of the browser.
3 Switch to the Certificate Path window pane at the top of the screen.
4 Double-click the first path level to bring up the Certificate information for the first level and then go to the Details screen.
5 Click the Copy to File button at the bottom.
6 After the Certificate Export Wizard appears, click Next.
7 Click the format Base-64 encoded and then click Next.
8 Enter a filename. For example, G:\tmp\root.cer.
9 Review the information and note the complete filename. Click Finish.
10 Click OK to close the Certificate information window for the first level.
11 Repeat Steps 4 through 10 for all levels except the last level.
12 Insert all certificates into one file, and make sure that any intermediate certificates are part of any certificate file you upload. The file to be uploaded should be in the following format:
private key
Server Certificate
Intermediate Certificate 0
Intermediate Certificate 1
Intermediate Certificate 2
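The four procedures above (unencrypting the key, converting the signed certificate, combining it with the key, and collecting the intermediates) can be done and checked with OpenSSL alone, without exporting certificates from Internet Explorer. The script below is an added example written for this page; it is not part of the WatchGuard guide or product. It assumes an OpenSSL command line (1.1 or 3.x), uses vpn.example.test and Demo Root CA as placeholder names, and builds its own throwaway PKI so that it runs without a real CA.

```shell
#!/bin/sh
# Added example, not from the WatchGuard guide: build the single PEM file the
# Firebox SSL expects (unencrypted key, server certificate, intermediates) from
# whatever the CA returned (PEM, DER or PKCS7) plus a pass-phrase protected key,
# and check it before uploading. demo_upload_bundle constructs a throwaway PKI
# for the demonstration; vpn.example.test is a placeholder.
set -eu

pem_certs_only() {   # keep only the CERTIFICATE blocks from stdin
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# to_pem_certs IN OUT: write every certificate found in IN to OUT as PEM.
to_pem_certs() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        pem_certs_only < "$1" > "$2"                 # already PEM, maybe a chain
    elif grep -q -- '-----BEGIN PKCS7-----' "$1"; then
        openssl pkcs7 -in "$1" -print_certs | pem_certs_only > "$2"
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform DER -out "$2"  # binary certificate
    elif openssl pkcs7 -in "$1" -inform DER -noout 2>/dev/null; then
        openssl pkcs7 -in "$1" -inform DER -print_certs | pem_certs_only > "$2"
    else
        echo "to_pem_certs: $1 is neither an X.509 certificate nor a PKCS7 bundle" >&2; return 1
    fi
}

# decrypt_key IN OUT PASSFILE: strip the pass phrase, read from a file so it never
# shows in the process list. -traditional (OpenSSL 3) keeps the "BEGIN RSA PRIVATE
# KEY" header the guide shows; older OpenSSL rejects the flag but writes it anyway.
decrypt_key() {
    openssl rsa -in "$1" -passin "file:$3" -traditional -out "$2" 2>/dev/null ||
        openssl rsa -in "$1" -passin "file:$3" -out "$2" 2>/dev/null
}

# split_certs IN DIR: one file per certificate, DIR/c01.pem, c02.pem, ... in file order.
split_certs() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/c%02d.pem", d, n) }
                   n > 0 { print > f }' "$1"
}

# build_upload_pem KEY CERTS OUT: OUT = key, the certificate whose public key
# matches KEY (wherever the CA put it in the bundle), then the intermediates.
build_upload_pem() {
    if grep -q ENCRYPTED "$1"; then     # the Firebox SSL cannot load an encrypted key
        echo "build_upload_pem: $1 is still encrypted; run decrypt_key first" >&2; return 1
    fi
    work=$(mktemp -d); split_certs "$2" "$work"
    keypub=$(openssl pkey -in "$1" -pubout 2>/dev/null); leaf=
    for c in "$work"/c*.pem; do
        if [ "$(openssl x509 -in "$c" -noout -pubkey)" = "$keypub" ]; then leaf=$c; fi
    done
    if [ -z "$leaf" ]; then
        echo "build_upload_pem: no certificate in $2 matches the key in $1" >&2; rm -rf "$work"; return 1
    fi
    { cat "$1" "$leaf"; for c in "$work"/c*.pem; do [ "$c" = "$leaf" ] || cat "$c"; done; } > "$3"
    rm -rf "$work"
}

# check_upload_pem BUNDLE CAFILE: the file starts with a private key, the first
# certificate belongs to that key, and the chain verifies up to CAFILE using the
# remaining certificates as untrusted intermediates. (The guide's verify against
# an empty -CApath only proves the file parses as PEM.)
check_upload_pem() {
    work=$(mktemp -d); rc=1
    sed -n '/-----BEGIN.*PRIVATE KEY-----/,/-----END.*PRIVATE KEY-----/p' "$1" > "$work/key.pem"
    split_certs "$1" "$work"
    for c in "$work"/c*.pem; do [ -f "$c" ] && [ "$c" != "$work/c01.pem" ] && cat "$c"; done > "$work/untrusted.pem"
    if [ -s "$work/key.pem" ] && [ -s "$work/c01.pem" ] &&
       [ "$(openssl pkey -in "$work/key.pem" -pubout 2>/dev/null)" = "$(openssl x509 -in "$work/c01.pem" -noout -pubkey)" ]; then
        if [ -s "$work/untrusted.pem" ]; then
            openssl verify -CAfile "$2" -untrusted "$work/untrusted.pem" "$work/c01.pem" 2>/dev/null | grep -q ': OK$' && rc=0
        else
            openssl verify -CAfile "$2" "$work/c01.pem" 2>/dev/null | grep -q ': OK$' && rc=0
        fi
    fi
    rm -rf "$work"; return $rc
}

# demo_upload_bundle DIR: constructed two-level PKI (Demo Root CA -> Demo Intermediate
# CA -> vpn.example.test), a pass-phrase protected server key, and a PKCS7 bundle with
# the intermediate first, as a CA told "Microsoft" might send it. Prints the output path.
demo_upload_bundle() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'demo-passphrase\n' > "$d/pass.txt"; chmod 600 "$d/pass.txt"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -subj "/CN=Demo Root CA" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -subj "/CN=Demo Intermediate CA" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
    openssl genrsa -aes256 -passout "file:$d/pass.txt" -out "$d/server.enc.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.enc.key" -passin "file:$d/pass.txt" -subj "/CN=vpn.example.test" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$d/int.pem" -certfile "$d/server.pem" -out "$d/signed.p7b"
    to_pem_certs "$d/signed.p7b" "$d/certs.pem"
    decrypt_key "$d/server.enc.key" "$d/server.key" "$d/pass.txt"
    build_upload_pem "$d/server.key" "$d/certs.pem" "$d/AccessGateway.pem"
    echo "$d/AccessGateway.pem"
}

if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d); out=$(demo_upload_bundle "$dir")
    if check_upload_pem "$out" "$dir/root.pem"; then echo "ready to upload: $out"; else echo "bundle check FAILED" >&2; exit 1; fi
fi
```

Run it as sh assemble-cert.sh demo to exercise it on the throwaway PKI. For a real certificate, call to_pem_certs on the file the CA returned, decrypt_key on your key, build_upload_pem to produce AccessGateway.pem, and check_upload_pem with the CA's root certificate. After uploading, openssl s_client -connect host:port -showcerts against the Firebox SSL should list the server certificate followed by each intermediate; a single certificate means the intermediates did not make it into the uploaded file.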

Uploading a Certificate to the Firebox SSL


After you have completed the steps to obtain and assemble a properly formatted, signed certificate and private key, you can upload it to the Firebox SSL.
NOTE When you save the Firebox SSL configuration, the uploaded certificates are included in the backup.

To upload a certificate file:
1 In the Administration Tool, go to the Administration > Maintenance tab. Alternatively, go to the Administration Portal and click the Maintenance tab.
2 Across from Upload a Certificate, click Browse.
3 Locate the file you want to upload and click Open.
4 After the upload is complete, go to the Networking > General Networking tab.
5 Set the Interface 0 External Public Address to the DNS name for which the certificate was registered.

Blocking External Access to the Administration Portal


By default, if the Firebox SSL is configured to use both interfaces, the external-facing interface can be used to reach the Administration Portal from outside the firewall. Unless you need to administer the device from the Internet, clear the Enable External Administration check box so that the portal answers only on the internal interface; an administration login exposed to the Internet is a standing target for password guessing.

To block external access to the Administration Portal:
1 In the Firebox SSL Administration Tool, go to the Administration > Maintenance tab.
2 Clear the check box for Enable External Administration.
3 Click Apply Change.

Managing Licenses
Firebox SSL licensing limits the number of concurrent VPN user sessions to the number of licenses purchased. Thus, if you purchase 100 licenses, you can have 100 concurrent VPN sessions at any time. When a user ends a session, that license is freed for the next VPN user. A user who logs into the Firebox SSL from more than one computer occupies a license for each session. Once all licenses are occupied, no additional VPN connections can be opened until a VPN user ends a session or the administrator has used the Firebox SSL Real-time Monitor to close a connection, thereby freeing a license. For information on using the Real-time Monitor to close connections, see Managing VPN Connections on page 45. When you purchase the Firebox SSL or additional licenses, you will receive an email that contains a link to a download location. After you download the license file(s), we recommend that you manage them as follows.

To manage licenses:
1 On the administrative PC where you run the Firebox SSL Administration Tool, create a license directory.
2 Copy the license file (.lic) that you downloaded to the license directory.
We recommend that you retain a local copy of all license files that you receive from WatchGuard. When you save a backup copy of the configuration file, all uploaded license files are included in the backup. If you need to reinstall the Firebox SSL server software and do not have a backup of the configuration, you will need the original license files.
Do not overwrite any .lic files in the license directory. If another file in that directory has the same name, rename the newly received file. The Firebox SSL software calculates your licensed features based on all .lic files that are uploaded to the Firebox SSL.
Do not edit a .lic file, or the Firebox SSL software will ignore any features associated with that license file. The contents of the file are encrypted and must remain intact. Should you copy, rename, or insert a license file multiple times, the Firebox SSL will use only the original file and will ignore any duplicate files.

To upload a license file:
1 In the Administration Tool, go to the Administration > Licensing tab.
2 Click Browse and locate the .lic file that you want to upload. License files should be stored on the administrative PC where you run the Firebox SSL Administration Tool.
3 Click Open to upload the license file.

Viewing and Changing the System Date and Time


The system time displays on the right side of the taskbar in the Remote Admin Terminal window. To view the system date, mouse over the system time.


To view a calendar, click the system time. Click the system time again to hide the calendar.

To change the system date and time:
1 In the Administration Tool, go to the Administration > Date tab.
2 Select a time zone.
3 Enter the date and time and then click Submit.
Keep the clock accurate: certificate validity checks and the timestamps you will rely on when correlating logs during an incident both depend on it.

Managing Administrative Users


The Firebox SSL has a default administrative user account (named root), with full access to the Firebox SSL. To protect the Firebox SSL from unauthorized access, you should change the default password during your initial configuration.


NOTE To reset the root administrative password to its default, you must reinstall the Firebox SSL server software.

The Firebox SSL is pre-configured with a default username and password (root/rootadmin). Because these defaults are printed in this guide and therefore known to anyone, change the root password before you connect the external interface or enable external administration.

To change the root administrator password:
1 In the Administration Tool, go to the Administration > Admin Users tab.
2 Enter the new password and click Change Password.

Saving and Restoring the Configuration


When you upgrade the Firebox SSL, all of your configuration settings, including uploaded certificates, licenses, and portal pages, are automatically restored. However, if you reinstall the Firebox SSL software, you must manually restore your configuration settings.
NOTE Before using the Recovery CD to reinstall the Firebox SSL software, save your configuration. Reinstalling the Firebox SSL software returns the Firebox SSL to its pre-configured state.


If you have saved your configuration settings, as described in this section, you can easily restore them.
NOTE You can also save and restore configuration settings from the Maintenance tab of the Administration Portal.


To save the Firebox SSL configuration:
1 In the Administration Tool, go to the Administration > Maintenance tab.
2 Click Save Configuration. The entire Firebox SSL configuration, including system files, uploaded licenses, and uploaded server certificates, is saved to your computer in a file named config.restore. Because the uploaded certificate file contains the server's private key, protect config.restore as carefully as the key itself.

To restore a saved configuration:
1 In the Administration Tool, go to the Administration > Maintenance tab.
2 Across from Upload a Server Upgrade or Saved Config., click Browse.
3 Locate the file named config.restore and click Open.
After the configuration file is uploaded, the Firebox SSL restarts. All of your configuration settings, licenses, and certificates will be restored.

If you use RSA SecurID authentication, you must reset the node secret on the RSA ACE/Server, as described in Resetting the Node Secret on page 99.
Because the Firebox SSL has been re-imaged, the node secret no longer resides on it and an attempt to authenticate with the RSA ACE/Server will fail.

Managing VPN Connections


The Real-time Monitor lists the open VPN connections by user name and MAC address. For each VPN user, the type of connection by protocol (TCP, UDP, etc.) is also listed. The Target IP and Target Port provide additional information about the connection. For example, connections to port 21 are FTP connections and connections to port 23 are Telnet connections.

You can manage connections as follows:
You can close a type of connection (TCP, UDP, etc.). For example, suppose that a user has a TCP connection to a Target IP (perhaps a mapped drive) that should be off-limits to the user. You can correct the ACL for the user's group (Configuring Resource ACLs for a User Group on page 124) and then close the TCP connection. If you do not correct the ACL before closing the connection, the user will be able to re-establish the TCP connection.
NOTE The Firebox SSL maintains connections to Target IP 0.0.0.0 that are required for VPN operations. Closing any of those connections will temporarily close a VPN connection.

You can disable a user's connection and prevent subsequent logins from that user at the listed MAC address. The user will still be able to log in from a different MAC address, so treat this as a way to drop a misbehaving session rather than as an account lock; to keep a user out entirely, disable the account wherever the Firebox SSL authenticates it. You can re-enable a username/MAC address combination.
The following sections describe connection management and use of the Real-time Monitor:
About Connection Handling on page 46
Closing a Connection to a Resource on page 47
Disabling/Enabling a VPN User on page 48
Monitoring Firebox SSL Operations on page 150

About Connection Handling


If a VPN user abruptly disconnects the network or puts the computer in hibernate or standby mode, the SSL/TCP connection to the Firebox SSL is terminated after a maximum wait period of ten minutes. (A shorter wait period would penalize VPN users who use slow connections.) This handling of VPN connections results in the following:
The VPN user might continue to appear active in the Firebox SSL Real-time Monitor for about ten minutes, after which the VPN connection is terminated.
The inactive VPN user occupies a license until the wait period expires and the VPN connection is closed. Suppose that you have a license for ten users and all ten users have logged into the Firebox SSL, leaving no available licenses. If one of the active users goes into standby mode, that user's license is not available for ten minutes.
The wait period does not apply to connections that are terminated through the Real-time Monitor.

Closing a Connection to a Resource


Without disrupting a user's VPN connection, you can temporarily close the user's connection to a particular resource. To prevent the user from reconnecting to the resource, correct the user's group ACL first.

To close a connection:
1 In the Remote Admin Terminal window, click the Real-time Monitor icon.
2 Click the expand control next to the user's entry.
3 Right-click the connection that you want to close, and select Close connection.

NOTE The Firebox SSL maintains connections to Target IP 0.0.0.0 that are required for VPN operations. Closing any of those connections will temporarily close a VPN connection.

Disabling/Enabling a VPN User


The Firebox SSL tracks user connections by a combination of user name and MAC address, enabling a user to establish simultaneous VPN connections from different computers. You can disable and enable a user/MAC address combination. Disabling a user frees a license.

To disable a user at a particular MAC address:
1 In the Remote Admin Terminal window, click the Real-time Monitor icon.
2 Right-click the main entry for the user and choose Disable User from MAC. The user will be unable to establish a VPN connection from that MAC address until you re-enable the user or restart the Firebox SSL.

To re-enable a user at a particular MAC address:
1 In the Remote Admin Terminal window, click the Real-time Monitor icon.
2 Right-click the user's entry and choose Enable User from MAC. The user will be able to establish a VPN connection provided that there is an available license.

Restarting the Firebox SSL


To restart the Firebox SSL:
From the Administration Tool, go to the Administration > Maintenance tab and click Reboot.
or
From the Administration Portal, go to the Maintenance tab and click Reboot.

Shutting Down the Firebox SSL


Never shut down the Firebox SSL by powering it off. Use the command provided to shut down the device. Use the power switch only to power on the device.

To shut down the Firebox SSL:
From the Administration Tool, go to the Administration > Maintenance tab and click Shut Down.
or
From the Administration Portal, go to the Maintenance tab and click Shut Down.


CHAPTER 3

Working with a VPN Connection

The following topics describe how to work with a VPN connection:
Using the Access Portal on page 51
Connecting from a Private Computer on page 56
Connecting from a Public Computer (Kiosk Session) on page 61

Using the Access Portal


The Access Portal is an HTML page that enables a VPN user to choose the type of VPN connection to be established from a remote computer.
NOTE You can customize the portal page templates provided with the AG and assign them on a group basis, as described in Customizing VPN Portal Pages on page 108 and Choosing a Portal Page for a Group on page 130. You can also include a link to the Access Gateway clients on a website, as described in Linking to the VPN Clients from Your Website on page 115.


From the portal page, the user starts either the Secure Access client or the kiosk client. The Secure Access client is intended for VPN connections from a private computer, because data is transferred from the network to which the user is connecting to the user's computer. The kiosk client is useful for VPN connections from a public computer, because no data is written to the VPN user's computer. (However, if you configure network shares, a user can copy files from a shared network drive to the remote computer.)
NOTE You can configure the AG Administration Tool so that VPN users do not have the option to connect from a public computer. For information, see Configuring Kiosk Operation for a Group on page 126.

To use the Access Portal:
1 Use Internet Explorer to access the URL of the AG. For example: https://vpndemo.watchguard.com.
If the AG does not have a signed certificate installed, a Security Alert dialog box appears. Click Yes to continue. Clicking through this alert means the browser has not verified who is at the other end of the connection, so install a CA-signed certificate on the AG before rolling the portal out to users rather than teaching them to accept the alert.
2 In the dialog box, enter your network user name and password and then click OK. The portal page opens. This page can be customized for a site, as described in Customizing VPN Portal Pages on page 108.


If you connect from a Linux computer, the following portal page appears.

3 If connecting from a Windows computer, choose the type of VPN connection:
If connecting from a secure computer, click My own computer. The first time that you connect to the AG (after clicking My own computer), a terms and conditions of use dialog appears. You must click I Accept to install the driver.
When the File Download dialog box appears, click Open. (It is not necessary to save the client to your desktop. A shortcut to the client will be downloaded automatically.) The Secure Access client starts loading. A shortcut will be downloaded to your computer desktop. You can subsequently start the client without going through the portal page.
If your administrator has configured the Secure Access client to start automatically, the client will start after you enter your Windows login credentials, which are also used for the Secure Access client. Thus, when you start your computer, you do not have to do anything to have a VPN connection, provided that you have a network connection and can log into Windows.
The VPN connection enables you to work with the connected site just as if you were logged in at the site. You can transfer data between your remote computer and the connected site. For more information, see Connecting from a Private Computer on page 56.
If connecting from a public computer, click A public computer. The kiosk will open in one of two configurable modes, as described in Connecting from a Public Computer (Kiosk Session) on page 61.
If connecting from a Linux computer, click the Linux download link to start the download and view instructions on how to install the client.


NOTE The Linux tcl and tk packages are required for the Secure Access client.

In addition to the command net6vpn --login, which opens the login dialog for the Secure Access client, you can enter net6vpn to see a list of other command-line options.
The Secure Access client requires a running VPN daemon in order to connect to the Access Gateway. If you lose the VPN connection, the VPN daemon may have stopped. To check the status of the VPN daemon:
/sbin/service net6vpnd status

To restart a stopped daemon:
/sbin/service net6vpnd start

Then, click Disconnect and reenter your login credentials.

To remove the Linux VPN client:
/sbin/service net6vpnd stop
/sbin/chkconfig --del net6vpnd
rm -rf /etc/net6vpn.conf /etc/init.d/net6vpnd /usr/bin/net6vpn /usr/sbin/net6vpnd /usr/local/net6vpn/

Connecting from a Private Computer


If a user chooses the My own computer option in the Access Portal page, the VPN connection provides full access to the network resources that the user's group(s) can access, as described in Adding and Configuring User Groups on page 121. The access granted by the security policies enables users to work with the remote system just as if they were logged in locally. For example, users might be granted permission to applications, including web, client-server, and peer-to-peer applications such as Instant Messaging (IM), video conferencing, and real-time Voice over IP (VoIP). Users can also map network drives to access allowed network resources, including shared folders and printers.
While connected to an AG, remote users cannot see network information from the site to which they are connected. For example, while connected to the AG, open a Command Prompt window and run the commands ipconfig /all or route print. You will see no network information from the VPN site.
For information on the VPN user experience when using the Secure Access client to connect to the AG, see Using the Secure Access Window on page 56. For information on kiosk operation, see Connecting from a Public Computer (Kiosk Session) on page 61.

Using the Secure Access Window


When Secure Access is loaded, you will be prompted to log in to the AG to establish the VPN connection. The AG administrator determines the authentication used through the Authentication and Local Users tab of the AG Administration Tool, as described in Configuring Authentication, Authorization, and Local Users on page 82.


NOTE If you are using the Linux client, the connection window will not include the options described in the following procedure.

To log in to the AG:
1 In the WatchGuard VPN - Connect dialog box, enter your login credentials. If the AG is configured with authentication realms and you need to connect to a realm other than the default, enter the realm name before your user name (realmName\userName). Alternatively, to enter the realm name to be used each time that you log in, right-click the dialog box, click Advanced Options, and then enter the realm name. If your site uses RSA SecurID authentication, your password is your PIN followed by the tokencode currently displayed on the RSA SecurID token.
2 If you are behind a proxy server, right-click the dialog box and then click Advanced Options.
3 Select Use Proxy Host and enter the proxy server IP address and port. (The AG information is already filled in.) If the proxy server requires authentication, select the check box. When you attempt to establish a VPN connection, you first will be prompted for your proxy server login credentials.
4 To allow name lookups to fall back to your local DNS server, select Enable Split DNS.
5 To allow the Secure Access client to update automatically, without prompts, when a new version is available on the AG, select the Always update client check box. Because this installs code pushed by the AG without asking, enable it only on gateways that present a certificate signed by a trusted Certificate Authority.
6 Click Connect.
NOTE If a digital certificate that is signed by a Certificate Authority is not installed on the AG, you will see a Security Alert. For more information, see About Digital Certificates and Firebox SSL Operation on page 31.

After logging in, you will see a Logging In status dialog box, followed by an Applying Network Policy status dialog box. If you have a personal Internet Connection Firewall (ICF) configured on the interface, you will also see an Internet Sharing Configuration dialog box and will need to click Yes to continue.

When the VPN connection is established, a status window briefly appears and the Secure Access window is minimized to the system tray. The tray icon indicates whether the connection is enabled or disabled and flashes during activity. A shortcut to WatchGuard Secure Access is placed on your desktop.

To use the Secure Access window:
1 To open the window, double-click the icon in the system tray. Alternatively, right-click the icon and choose VPN Properties from the menu. The Secure Access window appears.
2 To view server information and a list of the secured networks, click the Details tab.
3 To view ACLs, click the Access Lists tab. (This tab does not appear for users who are not in a group.)
4 To close the window, click Close.


To view the Connection Log:
The Connection Log contains real-time connection information, which is particularly useful for troubleshooting connection issues.
1 Right-click the WatchGuard Secure Access icon in the system tray.
2 Choose Connection Log from the menu. The Connection Log for the session appears.
NOTE The Connection Log is written to the computer in Documents and Settings\UserName\Local Settings\Application Data\NET6\net6vpn.log. The log is overwritten each time that you establish a new VPN connection, so copy it elsewhere before reconnecting if you need it for troubleshooting.

To end a VPN session:


Right-click the Secure Access icon in the system tray and choose Disconnect from the menu.

Connecting from a Public Computer (Kiosk Session)


Users can connect to the AG from a public computer through a kiosk session. If the computer is running Windows 2000 or above or Linux, the user clicks A public computer in the Access Portal page. If the computer is running JVM 1.4.2 or higher, the user can instead access the kiosk by running the Java kiosk client. This client provides VPN access to users on computers, such as Macintosh and Windows 95/98, that are running a JVM. To access the Java client, enter the following URL in a web browser that supports Java (vpnGateway is the host name of your AG):
https://vpnGateway/vpn_portal-javaonly.html


To support the Java kiosk client, the AG must be configured with a certificate that is signed by a trusted Certificate Authority. After the user clicks the appropriate link and logs in, the kiosk session opens, similar to a Virtual Network Computing (VNC) session.

[Figure: the kiosk window, showing icons for Web Browser, Remote Desktop, VNC, Telnet 3270 Emulator, Citrix, SSH, Shared Network Drive, and FTP]

The kiosk window can include: A Mozilla browser window. You configure by group whether to include the Mozilla browser and the browsers default URL. Mozilla preferences, such as saved passwords, are retained for the next session.


Icons that provide access to shared network drives. The icon labelled ws in the preceding example is a network share. The user can download files from a network share by dragging a file onto the KioskFTP icon, as described in Working with Shared Network Drives on page 63.
Icons that provide access to a Web browser and to VNC, Remote Desktop, Telnet 3270 emulator, SSH, and Citrix ICA clients, as shown in the preceding example. You configure by group the clients to be included in the kiosk window. For information on using the clients, see the following sections:
- Using the Citrix Client on page 65
- Using the Remote Desktop Client on page 65
- Using the SSH Client on page 67
- Using the Telnet 3270 Emulator Client on page 67
- Using the VNC Client on page 68
If the user's browser is configured to use a proxy server, the kiosk client will use the browser's proxy setting. For more background information, see Kiosk Operation on page 13.

To log in to the AG in kiosk mode:
1 Use the portal page to connect, as described in Using the Access Portal on page 51. Be sure to click A public computer. The WatchGuard VPN Login dialog box appears.
2 Enter your network login credentials and click OK.

Working with Shared Network Drives


The AG administrator can specify the shared network drives that will be accessible to any kiosk session. For each shared drive, the administrator specifies whether VPN users will have read-only or read-write access. If VPN users are granted read-write access, a user can change the files on the shared network drive, provided that the user's account has the permissions to do so.


To work with a shared network drive:
1 From the kiosk window, double-click a shared network drive icon. The share window opens inside of the kiosk window.
2 To copy a file from the network drive to your computer, drag the file icon over the KioskFTP icon.
3 In the Kiosk File Download dialog box, navigate to the location where you want to copy the file and then click Open. When the FTP is complete, a message window appears.


You cannot FTP folders or copy files back to the shared network drive.

Using the Citrix Client


The Citrix ICA client enables the kiosk user to run a Citrix session over the VPN connection. During a kiosk session, your ICA settings can be saved so that they will be available to you for the next Citrix session.

To use the Citrix ICA client:
1 From the portal page, choose A public computer... and log in.
2 In the kiosk window, click the Citrix icon. The Citrix ICA Client for Linux window opens.

Using the Remote Desktop Client


The Remote Desktop client enables a kiosk user to remotely access the desktop of a server that is running Windows Terminal Services. The Remote Desktop does not require any configuration on the VPN user's computer. Through Remote Desktop the VPN user has full access to a remote server's resources, including files, applications, and network resources. Thus, the VPN user can remotely control the server, just as if the user were sitting at it. The kiosk user's work remains on the remote server; no files, only images, are sent to the kiosk user's computer.

To use the Remote Desktop client:
1 From the portal page, choose A public computer... and log in.
2 In the kiosk window, click the Remote Desktop icon.
3 Enter your username and the network name of the remote host, and click Connect.
4 Enter your credentials for the remote server. The desktop of the Remote Desktop server displays in a window on your computer. Work with the remote server just as if it were your local computer.


Using the SSH Client


The SSH client enables the kiosk user to establish an SSH connection to a remote computer.

To use the SSH client:
1 From the portal page, choose A public computer... and log in.
2 In the kiosk window, click the SSH icon.
3 Enter your username and the SSH host name or IP address. The ssh window opens.

Using the Telnet 3270 Emulator Client


The Telnet 3270 Emulator client enables the kiosk user to establish a Telnet 3270 connection to a remote computer.

To use the Telnet 3270 Emulator client:
1 From the portal page, choose A public computer... and log in.
2 In the kiosk window, click the Telnet 3270 Emulator icon.
The x3270 window opens.
3 Left-click Connect and choose Other from the menu. The x3270 Connect window opens.
4 Enter the host name or IP address and click Connect to log in and receive a prompt.
5 To view the 3270 keypad, click the keypad icon in the upper-right corner.

Using the VNC Client


The VNC client enables a kiosk user to remotely access the desktop of a VNC server. The kiosk user's work remains on the remote server; no files, only images, are sent to the kiosk user's computer.

To use the VNC client:
1 From the portal page, choose A public computer... and log in.
2 In the kiosk window, click the VNC icon.
3 Enter the IP address of the VNC host and your password for the server, and click Connect.
The desktop of the VNC server displays in a window on your computer.
Work with the remote server just as if it were your local computer.
NOTE To send a Ctrl-Alt-Delete to the connected server through the VNC server, press Shift-Ctrl-Alt-Delete.


CHAPTER 4

Configuring Firebox SSL Network Connections

The following topics describe how to configure Firebox SSL network connections:
- Configuring Network Interfaces on page 72
- Specifying DNS/WINS Settings on page 74
- Configuring Routes on page 75
- Configuring Failover Firebox SSLs on page 80
NOTE When you have a working configuration, we recommend that you back up the configuration, as described in Saving and Restoring the Configuration on page 43.

The configuration instructions throughout those topics assume the following setup:
- The Firebox SSL is installed. For information on installing the Firebox SSL, refer to the Firebox SSL Quick Start and the Firebox SSL Hardware Installation Guide.
- The devices to which you are connecting the Firebox SSL, such as a firewall or server load balancer, are already part of a working configuration. This guide does not cover the steps for configuring application or web servers, firewalls, or a server farm with a server load balancer.


Configuring Network Interfaces


Network interface settings define the connections between the Firebox SSL and your network. To change the network interface settings, go to the Networking > General Networking tab of the Firebox SSL Administration Tool. The Firebox SSL network interface settings are as follows:
- IP address and subnet mask for Interface 0 and, if used, Interface 1
When connecting the Firebox SSL to your network, you typically place it either inside of a firewall, inside of a server load balancer, or straddling a firewall. If the Firebox SSL is inside of a firewall or connected to a server load balancer, choose Use Only Interface 0. If the Firebox SSL straddles the firewall, choose Use Both Interfaces. Use Interface 0 for the DMZ (external) connection and Interface 1 for the LAN (internal) connection. For more information, see the Firebox SSL Quick Start Guide and Connecting to a Server Load Balancer on page 16, in this guide.
- External Public Address
The Firebox SSL uses the External Public Address to send its response to a request back on the correct network connection. If the External Public Address is not specified, the Firebox SSL sends responses out through the Interface where the gateway is identified. If the External Public Address is specified, the Firebox SSL writes all connections to the Interface with the specified host name or IP address.
- Duplex mode for each interface
Duplex mode is either auto, full duplex, or half duplex. Use the default setting, auto, unless you need to change it.
- Maximum transmission unit (MTU) for each interface
The MTU defines the maximum size of each transmitted packet. The default is 1500. Use the default setting unless you need to change it.
- Incoming VPN port (the port on the Firebox SSL to be used for VPN connections)
- IP address of the default gateway device, such as the main router, firewall, or server load balancer, depending on your network configuration. This should be the same as the Default Gateway setting that you would find on computers on the same subnet.


For information on the relationship between the default gateway and dynamic or static routing, see Configuring Routes on page 75.
NOTE IP pooling is configured per group, as described in Enabling IP Pooling on page 131.

Specifying DNS/WINS Settings


If you use name resolution, go to the Networking > DNS/WINS tab of the Administration Tool to specify the following:
- IP address of the first, second, and third DNS servers.
- DNS suffixes. Do not precede a suffix with a dot (.). For example, specify site.com, not .site.com. Entries must be space-separated.
- WINS server IP address.


By default, the Firebox SSL checks a VPN user's remote DNS only. If you want to allow failover to a user's local DNS, go to the Global Policies tab and select the Enable Split DNS check box. The Firebox SSL fails over to the local DNS only if the specified DNS servers cannot be contacted, but not if there is a negative response.

Configuring Routes
You can configure the Firebox SSL to listen for the routes published by your routing server(s) or to use static routes that you specify. The Firebox SSL supports the Routing Information Protocol (RIP and RIP 2). The Default Gateway field on the Networking > General Networking tab is relevant to both dynamic and static routing. If you enable the Dynamic Gateway option (when configuring dynamic routing), the default gateway will be based on the routing table, not on the value entered in the Default Gateway field. If you add a static route, choose the Firebox SSL interface not being used by the default gateway.

Configuring Dynamic Routing


When you choose dynamic routing, the Firebox SSL operates as follows:
- It listens for route information published through RIP and automatically populates its routing table.
- If the Dynamic Gateway option is enabled, the Firebox SSL uses the default gateway provided by dynamic routing, rather than the value specified on the Networking > General Networking tab.
- It disables any static routes created for the Firebox SSL. If you later choose to disable dynamic routing, any previously created static routes will redisplay in the Firebox SSL routing table.

To configure dynamic routing:
1 In the Firebox SSL Administration Tool, go to the Networking > Routes tab.
2 From the Select Routing Type menu, choose Dynamic Routing (RIP). Selecting that option disables the static routes area. If there are static routes defined, they no longer display in the routing table, although they are still available should you wish to switch back to static routing.
3 If you want to use the default gateway provided by the routing server(s), rather than the one specified in the Networking > General Networking tab, select the Enable Dynamic Gateway check box. The use of a dynamic gateway is noted in the Networking > General Networking tab with the message Gateway Provided by Dynamic Routing.
4 Choose the Firebox SSL interface(s) to be used for dynamic routing. Typically, your routing server(s) are inside your firewall, so you would choose an internal-facing interface for this setting.
5 Click Submit.
Dynamic routes are not displayed in the Firebox SSL routing table.

Adding, Testing, and Removing a Static Route


When setting up communication with another host or network, you might need to add a static route from the Firebox SSL to the new destination if you do not use dynamic routing. Set up static routes on the Firebox SSL interface not being used by the default gateway. The default gateway is specified on the Networking > General Networking tab. For an example static route setup, see Static Route Example on page 78.

To add a static route:
1 In the Firebox SSL Administration Tool, go to the Networking > Routes tab.
2 Enter a descriptive name for the route.
3 Enter the IP address of the destination LAN.
4 Enter the subnet mask for the gateway device.
5 Enter the IP address for the default gateway. If you do not specify a gateway, the Firebox SSL can access content only on the local network.
6 Select the Interface for the static route. The default is eth0.
7 Click Add Static Route and then click Submit.
The route name appears in the Static Routes list.

To test a static route:
1 From the Firebox SSL serial console, type 1 (Ping).
2 Enter the host IP address for the device you want to ping and press Enter.
If you are successfully communicating with the other device, messages will appear saying that the same number of packets were transmitted and received, and zero packets were lost. If you are not communicating with the other device, the status messages indicate that zero packets were received and all the packets were lost. Return to Step 1 and recreate the static route.

To remove a static route:
1 In the Firebox SSL Administration Tool, go to the Networking > Routes tab.
2 In the Static Route table, select each route that you want to delete.
3 Click Remove Route and then click Submit.

Static Route Example


Suppose the IP address of the eth0 port on your Firebox SSL is 10.0.16.20 and there has been a request to access information at 129.6.0.20, to which you currently have no path. You can create a static route through the interface that is not set as your Firebox SSL default gateway, and out to the requested network address, as shown in Figure 4, Building a Static Route, on page 79.


Figure 4: Building a Static Route


Figure 4, Building a Static Route, on page 79 shows the following connections:
- The eth0 interface (10.0.16.20) leads to the default gateway (10.0.16.1), which connects to the rest of the 10.0.0.0 network.
- The eth1 interface (192.168.0.20) is set to communicate with the 192.168.0.0 network and its gateway (192.168.0.1). Through this gateway, the eth1 port can communicate with the 129.6.0.0 network, and the server at IP address 129.6.0.20.
To set up this static route, you need to establish the path between the eth1 interface and IP address 129.6.0.20.

To set up the example static route:
1 Go to the Networking > Routes tab.
2 Set the IP address of the destination LAN to 129.6.0.0.
3 Set the subnet mask for the gateway device.
4 Set the IP address of the default gateway to 192.168.0.1.
5 Choose eth1 as the gateway device interface.
6 Click Add Static Route and then click Submit.
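To make the route selection in this example concrete, here is an added Python model (not WatchGuard code) of the Figure 4 routing table: it performs the longest-prefix match a router applies, shows which interface and gateway traffic for 129.6.0.20 leaves by, and checks a candidate static route against the guidance above. The /24 masks of the two attached LANs and the /16 mask of the 129.6.0.0 destination are assumptions, since the example gives addresses but not masks.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One row of the routing table: destination LAN plus subnet mask,
    the gateway to send through (None when the LAN is directly attached)
    and the interface the packet leaves by."""
    name: str
    destination: IPv4Network
    gateway: Optional[IPv4Address]
    interface: str


def build_example_table() -> List[Route]:
    """Routing table for the Figure 4 example. The /24 masks of the two
    attached LANs and the /16 mask of the 129.6.0.0 destination are
    assumptions; the guide gives the addresses but not the masks."""
    return [
        Route("eth0 attached LAN", IPv4Network("10.0.16.0/24"), None, "eth0"),
        Route("eth1 attached LAN", IPv4Network("192.168.0.0/24"), None, "eth1"),
        # The static route from the example: destination LAN 129.6.0.0,
        # gateway 192.168.0.1, on eth1 (the interface the default gateway
        # does not use).
        Route("to 129.6.0.0", IPv4Network("129.6.0.0/16"),
              IPv4Address("192.168.0.1"), "eth1"),
        # Default gateway from Networking > General Networking.
        Route("default", IPv4Network("0.0.0.0/0"),
              IPv4Address("10.0.16.1"), "eth0"),
    ]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: among all routes whose destination contains
    dst, the one with the longest mask wins; the /0 default route only
    applies when nothing more specific matches."""
    addr = IPv4Address(dst)
    matches = [r for r in table if addr in r.destination]
    if not matches:
        return None
    return max(matches, key=lambda r: r.destination.prefixlen)


def next_hop(table: List[Route], dst: str) -> Tuple[str, str]:
    """Return (interface, next hop address). For a directly attached LAN
    the next hop is the destination itself."""
    route = lookup(table, dst)
    if route is None:
        raise ValueError("no route to %s" % dst)
    hop = route.gateway if route.gateway is not None else IPv4Address(dst)
    return route.interface, str(hop)


def check_static_route(table: List[Route], route: Route) -> List[str]:
    """Checks worth making before clicking Add Static Route: the guide says
    to put static routes on the interface the default gateway does not use,
    and the gateway must sit on a LAN attached to the chosen interface or
    the Firebox SSL has no way to reach it. Returns a list of problems."""
    problems = []
    default = next((r for r in table if r.destination.prefixlen == 0), None)
    if default is not None and route.interface == default.interface:
        problems.append("route uses the default gateway's interface %s"
                        % default.interface)
    attached = [r for r in table
                if r.gateway is None and r.interface == route.interface]
    if route.gateway is not None and not any(
            route.gateway in r.destination for r in attached):
        problems.append("gateway %s is not on a LAN attached to %s"
                        % (route.gateway, route.interface))
    return problems


if __name__ == "__main__":
    table = build_example_table()
    for dst in ("129.6.0.20", "10.0.5.5", "192.168.0.77"):
        print(dst, "->", next_hop(table, dst))
```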

Configuring Failover Firebox SSLs


You can configure a Firebox SSL to fail over to multiple Firebox SSLs. Because the Firebox SSL failover is active/active, you can use each Firebox SSL as a primary gateway for a different set of users. During its initial connection to the Secure Access client, the Firebox SSL provides the failover list to the client. If the client loses the connection to its primary Firebox SSL, it iterates through the list of failover Firebox SSLs. The client performs a DNS lookup for the first failover Firebox SSL (listed in the VPN Failover dialog box) and tries to connect to that server. If the first failover Firebox SSL is not available, the client tries the next failover server. When the client successfully connects to a failover Firebox SSL, the client prompts the user to log in.

To specify Firebox SSLs for failover:
1 In the Firebox SSL Administration Tool, go to the Networking > Failover Servers tab.
2 Enter the external IP address or the fully qualified domain name of the Firebox SSL(s) to be used for failover operation. The Firebox SSLs are used for failover in the order listed.
3 Click Submit.


CHAPTER 5

Configuring Firebox SSL Operation

Firebox SSL operation controls include authentication, authorization, network resource, and host check settings. Group-based controls include access control, host checking, portal pages, IP pools, and kiosk operation.
NOTE All submitted configuration changes are automatically applied to the Firebox SSL and will not cause a disruption in Firebox SSL client operation. Policy changes will take effect immediately; if a VPN connection violates a new policy, it will be closed.

The following topics describe how to configure Firebox SSL operation:
- Configuring Authentication, Authorization, and Local Users on page 82
- Controlling Network Access on page 102
- Customizing VPN Portal Pages on page 108
- Configuring Host Check Rules on page 116
- Configuring Network Shares for Kiosk Sessions on page 119
- Adding and Configuring User Groups on page 121
- Enabling Split Tunneling on page 134
- Enabling Split DNS on page 135
- Enabling Session Timeout on page 136
- Configuring Internal Failover on page 137
- Forcing VPN User Re-login on page 138
- Configuring Secure Access for Single Sign-on on page 140

Configuring Authentication, Authorization, and Local Users


By default the Firebox SSL authenticates users against a user list stored locally on the Firebox SSL. You can configure the Firebox SSL to also use LDAP, RADIUS, and/or RSA SecurID authentication servers. The Firebox SSL supports realm-based authentication to accommodate sites with more than one LDAP or RADIUS server or with a combination of LDAP, RADIUS, and/or RSA SecurID authentication servers.

If a user is not located on an authentication server or fails authentication on that server, the Firebox SSL checks the user against the local user list.


After a user is authenticated, the Firebox SSL performs a group authorization check by obtaining the user's group information from either an LDAP server or the local group file (if not available on the LDAP server). If group information is available for the user, the Firebox SSL then checks the network resources allowed for the group. LDAP can be used for authorization regardless of the type(s) of authentication servers being used. By default, the Firebox SSL obtains an authenticated user's group(s) from the local group file stored on the Firebox SSL. Alternatively, you can configure the Firebox SSL to obtain an authenticated user's group(s) from an LDAP server. If the user is not located on the LDAP server, the Firebox SSL checks its local group file. The group names obtained from the LDAP server are compared to the group names created locally on the Firebox SSL. If the two group names match, the properties of the local group apply to the group obtained from the LDAP server. For more information on groups and group names, see Adding and Configuring User Groups on page 121. The following topics describe how to configure authentication and authorization for the Firebox SSL:
- About the Realm Named Default on page 84
- Using a Local User List for Authentication on page 84
- Using RADIUS Servers for Authentication on page 88
- Using LDAP Servers for Authentication and Authorization on page 91
- Using RSA SecurID for Authentication on page 95
- Removing an Authentication Realm on page 100
- Adding Local Users on page 100

About the Realm Named Default


The Firebox SSL has a permanent realm named Default, with the following characteristics:
- For a new installation, the Default realm is configured for local authentication. You can change the authentication type of the Default realm.
- You cannot remove the Default realm unless you immediately replace it with a new Default realm.
- The Default realm is assumed when a user enters only a user name when logging in to the Firebox SSL. When a user logs into any other realm, the user must log in using realmName\userName. Therefore, if all of your users are authenticated against one authentication server, configure the Default realm for that type of authentication so that users will not have to enter a realm name when logging in.
Users who authenticate against a realm other than the Default realm must specify a realm name (once in the Secure Access Connection Properties dialog box, or with their user name each time they log in).

Using a Local User List for Authentication


For a new installation, the Default realm is set to local authentication. If your site does not use a RADIUS, LDAP, or RSA server for authentication, keep the Default realm set to local authentication. This will enable users to log in to the Firebox SSL without having to enter a realm name. You can have only one realm for local authentication. You can use LDAP authorization with local authentication, as described in Using LDAP Authorization with Local Authentication on page 85. If some users will authenticate only against the local user list on the Firebox SSL, you can keep the Default realm set to local authentication. Alternatively, you can create a different realm for local authentication and use the Default realm for another authentication type, as described in Changing the Authentication Type of the Default Realm on page 87.
NOTE Users who authenticate against a realm other than the Default realm must specify a realm name (once in the Secure Access Connection Properties dialog box, or with their user name each time they log in).

If all users authenticate against authentication servers, you do not need a realm for local authentication. The Firebox SSL always checks locally for authentication information if a user fails to authenticate on another authentication server.

Using LDAP Authorization with Local Authentication


By default, the Firebox SSL obtains an authenticated user's group(s) from the local group file stored on the Firebox SSL. Alternatively, you can configure the Firebox SSL to obtain an authenticated user's group(s) from an LDAP server. If the user is not located on the LDAP server, the Firebox SSL checks its local group file.

To use LDAP authorization with local authentication:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users tab.
2 Open the window for the realm that is configured for local authentication. You will open the Default realm unless you have changed its authentication type.
3 Click the Authorization tab and complete the settings.
See Using LDAP Servers for Authentication and Authorization on page 91 (starting with Step 5) for a description of the LDAP server settings. See Looking Up Attributes in your LDAP Directory on page 94 for information on looking up LDAP server settings.


Changing the Authentication Type of the Default Realm


When a VPN user logs in to the Default realm, the user does not have to specify a realm name. For any other realm, the user must specify a realm name when logging in. Thus, if most users will log into a non-local authentication realm, you should change the authentication type of the Default realm. To change the authentication type of the Default realm, remove the Default realm and then immediately create a new Default realm as follows.

To change the authentication type of the Default realm:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users tab.
2 Open the window for the Default realm.
3 From the Action menu, choose Remove Default realm.
A warning message appears.
4 Click Yes.
5 Create a new realm named Default, choose an authentication type, and click Add.
6 Complete the window that appears. For information, see:
- Using RADIUS Servers for Authentication on page 88
- Using LDAP Servers for Authentication and Authorization on page 91
- Using RSA SecurID for Authentication on page 95
NOTE If you remove the Default realm and do not immediately replace it as described above, the Firebox SSL retains the Default realm that you attempted to remove.

Using RADIUS Servers for Authentication


You can configure the Firebox SSL to authenticate user access with one or more RADIUS servers. For each RADIUS realm that you use for authentication, you can configure both the primary and secondary RADIUS servers. If the primary RADIUS server is unavailable, the Firebox SSL will attempt to authenticate against the secondary RADIUS server for that realm.


If a user is not located on the RADIUS servers or fails authentication, the Firebox SSL checks the user against the user information stored locally on the Firebox SSL (for more information, see Adding and Configuring User Groups on page 121).

To specify RADIUS server settings:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users tab.
2 Enter a name for the authentication realm that you will create.
NOTE If you want the Default realm to use RADIUS authentication, remove the Default realm as described in Changing the Authentication Type of the Default Realm on page 87.
If your site has multiple authentication realms, use a name that identifies the RADIUS realm for which you will specify settings. Realm names are case-sensitive and can contain spaces.
3 From the Type menu, choose RADIUS and Local Authentication.
4 Click Add.
A window for the authentication realm opens.
5 Enter the IP address and the port (default is 1812) of the RADIUS server.
6 Enter the RADIUS server secret.
7 If you use a secondary RADIUS server, enter its IP address, port, and server secret.
8 To use LDAP for authorization, click the Authorization tab and complete the settings.
See Using LDAP Servers for Authentication and Authorization on page 91 (starting with Step 5) for a description of the LDAP server settings. See Looking Up Attributes in your LDAP Directory on page 94 for information on looking up LDAP server settings.
9 Click Submit.
NOTE If you are using Microsoft Internet Authentication Service (IAS) as a RADIUS server and receive a bad username or password error when the Firebox SSL sends a request to the configured RADIUS server, check the following IAS setting: In IAS Remote Access Policies, under the applied policy's properties in the Authentication tab, make sure "unencrypted authentication (PAP, SPAP)" is selected.

Using LDAP Servers for Authentication and Authorization


You can configure the Firebox SSL to authenticate user access with one or more LDAP servers. If a user is not located in an LDAP directory or fails authentication on a server, the Firebox SSL checks the user against the user information stored locally on the Firebox SSL (for more information, see Adding and Configuring User Groups on page 121).
NOTE If you need help determining your LDAP server settings, see Looking Up Attributes in your LDAP Directory on page 94.


To specify LDAP server settings:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users tab.
2 Enter a name for the authentication realm that you will create.
NOTE If you want the Default realm to use LDAP authentication, remove the Default realm as described in Changing the Authentication Type of the Default Realm on page 87.
If your site has multiple authentication realms, you might use a name that identifies the LDAP realm for which you will specify settings. Realm names are case-sensitive and can contain spaces.
3 From the Type menu, choose LDAP and Local Authentication.
4 Click Add.
A window for the authentication realm opens.
5 Select the Enable LDAP Authorization check box.
6 Enter the IP address and the port of the LDAP server. The LDAP Server Port defaults to 389. If you are using an indexed database, such as Microsoft Active Directory with a Global Catalog, changing the LDAP Server Port to 3268 will significantly speed the LDAP queries. If your directory is not indexed, we recommend that you use an administrative connection, rather than an anonymous connection, from the Firebox SSL to the database. Download performance improves when you use an administrative connection.
7 Enter the Administrator Bind DN and password for queries to your LDAP directory. Examples of syntax for Bind DN:
- "ou=administrator,dc=ace,dc=com"
- "user@domain.name" (for Active Directory)
- "cn=Administrator,cn=Users,dc=ace,dc=com"
For Active Directory, the group name, specified as "cn=groupname", is required. For other LDAP directories, the group name either is not required or, if required, is specified as "ou=groupname". The Firebox SSL binds to the LDAP server using the administrator credentials and then searches for the user. After locating the user, the Firebox SSL unbinds the administrator credentials and rebinds with the user credentials.
8 Enter the Base DN under which users are located. Base DN is usually derived from the Bind DN by removing the user name and specifying the group where users are located. Examples of syntax for Base DN:
- "ou=Users,dc=ace,dc=com"
- "cn=Users,dc=ace,dc=com"
9 Enter the attribute under which the Firebox SSL should look for user login names for the LDAP server that you are configuring. Defaults to "cn". If you use Active Directory, enter the attribute "sAMAccountName".
10 Specify the LDAP Group Attribute, which defaults to "memberOf". This attribute enables the Firebox SSL to obtain the groups associated with a user during authorization.
11 Click Submit.
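The realm-qualified login described in About the Realm Named Default and the LDAP group matching described in this section, as an added Python example (not WatchGuard code): it splits a realmName\userName login, extracts group names from memberOf values, falls back to the local group file when the user is not located on the LDAP server, and keeps only groups that also exist locally. The group names and memberOf values are constructed sample data, and exact string comparison of group names is an assumption.

```python
from typing import Dict, List, Optional, Tuple

DEFAULT_REALM = "Default"


def split_login(login: str) -> Tuple[str, str]:
    """Split a login typed at the portal into (realm, user).

    Only a login of the form realmName\\userName selects a realm; a bare
    user name means the realm named Default. The split is on the first
    backslash only and the realm is kept exactly as typed, because realm
    names are case-sensitive and may contain spaces."""
    realm, sep, user = login.partition("\\")
    if not sep:
        return DEFAULT_REALM, login
    if not realm or not user:
        raise ValueError("malformed login: %r" % login)
    return realm, user


def rdn_value(dn: str) -> str:
    """Return the value of the leading RDN of an LDAP DN, which for a
    memberOf value is the group name: 'CN=VPN Users,CN=Users,DC=ace,DC=com'
    gives 'VPN Users'. A backslash escapes the next character (RFC 4514),
    so a comma inside a group name does not end the RDN."""
    _attr, sep, rest = dn.partition("=")
    if not sep:
        raise ValueError("not a DN: %r" % dn)
    out: List[str] = []
    i = 0
    while i < len(rest):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):
            out.append(rest[i + 1])
            i += 2
            continue
        if ch == ",":
            break
        out.append(ch)
        i += 1
    return "".join(out).strip()


def resolve_groups(user: str,
                   ldap_member_of: Optional[List[str]],
                   local_groups: Dict[str, dict],
                   local_group_file: Dict[str, List[str]]) -> List[str]:
    """Apply the authorization order this chapter describes: use the LDAP
    Group Attribute when the user was located on the LDAP server, otherwise
    fall back to the local group file; then keep only names that match a
    group defined locally, since only the local group carries properties
    (network resources, host checks, and so on). Exact string comparison
    is assumed here; the guide does not state how names are compared."""
    if ldap_member_of is None:
        candidates = local_group_file.get(user, [])
    else:
        candidates = [rdn_value(dn) for dn in ldap_member_of]
    return [name for name in candidates if name in local_groups]


# Constructed sample data: local groups as created on the Firebox SSL, the
# local group file, and memberOf values for one directory user.
LOCAL_GROUPS = {
    "VPN Users": {"resources": ["10.0.16.0/24"]},
    "Sales, EMEA": {"resources": ["192.168.0.0/24"]},
}
LOCAL_GROUP_FILE = {"jdoe": ["VPN Users"], "contractor": ["Kiosk Only"]}
DIRECTORY_MEMBER_OF = {
    "asmith": ["CN=VPN Users,CN=Users,DC=ace,DC=com",
               "CN=Sales\\, EMEA,OU=Groups,DC=ace,DC=com",
               "CN=Domain Users,CN=Users,DC=ace,DC=com"],
}


def groups_for_login(login: str) -> Tuple[str, str, List[str]]:
    """Resolve (realm, user, effective groups) for a portal login using the
    constructed sample data above. A user missing from DIRECTORY_MEMBER_OF
    stands for one not located on the LDAP server."""
    realm, user = split_login(login)
    member_of = DIRECTORY_MEMBER_OF.get(user)
    return realm, user, resolve_groups(user, member_of,
                                       LOCAL_GROUPS, LOCAL_GROUP_FILE)


if __name__ == "__main__":
    for login in ("Corp LDAP\\asmith", "jdoe", "contractor"):
        print(login, "->", groups_for_login(login))
```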

Looking Up Attributes in your LDAP Directory


If you need help determining your LDAP Directory attributes, you can easily look them up with the free LDAP Browser from Softerra.

To install and set up LDAP Browser:
1 Download the free LDAP Browser application from www.ldapbrowser.com.
2 Install LDAP Browser and open it.
3 From the LDAP Browser window, choose File > New Profile and specify the following settings:
- Host: Host name or IP address of your LDAP server.
- Port: Defaults to 389.
- Base DN: You can leave this field blank. (The information provided by the LDAP Browser will help you determine the Base DN needed for the Authentication tab.)
- Anonymous Bind: Select the check box if the LDAP server does not require credentials to connect to it. If the LDAP server requires credentials, leave the check box cleared, click Next, and enter the credentials.
Click Finish. The LDAP Browser displays the profile name that you just created in the left pane of the LDAP Browser window and connects to the LDAP server.

To look up LDAP attributes:
1 In the left pane of the LDAP Browser, select the profile name that you created.
2 To look up the Base DN, locate in the right pane the namingContexts attribute. The value of that attribute is the Base DN for your site. The Base DN is typically "dc=myDomain,dc=com" (if your directory tree is based on Internet domain names) or "ou=domain,o=myOrg,c=country".
3 Navigate with the browser to locate other attributes.

Using RSA SecurID for Authentication


NOTE If you are running a RADIUS server on an RSA server, configure RADIUS authentication, as described in Using RADIUS Servers for Authentication on page 88.

If your site uses an RSA ACE/Server and SecurID for authentication, you can configure the Firebox SSL to authenticate user access with the RSA ACE/Server. The Firebox SSL acts as an RSA Agent Host, authenticating on behalf of the VPN users logging into the VPN client. The Firebox SSL supports the use of one RSA ACE/Server. If a user is not located on the RSA ACE/Server or fails authentication on that server, the Firebox SSL checks the user against the user information stored locally on the Firebox SSL (for more information, see Adding and Configuring User Groups on page 121). The Firebox SSL supports Next Token Mode. If a user enters three incorrect passwords, the Secure Access client prompts the user to wait until the next token is active before logging in. If a user logs in too many times with an incorrect password, the RSA server might disable the user's account. To contact the RSA ACE/Server, the Firebox SSL must include a copy of the ACE Agent Host sdconf.rec configuration file that is generated by the RSA ACE/Server. The following procedures describe how to generate and upload that file.

To generate an sdconf.rec file for the Firebox SSL:

NOTE The following steps describe the required settings for the Firebox SSL. Your site might have additional requirements. Refer to the RSA ACE/Server documentation for more information. If you have to re-image the Firebox SSL, see Resetting the Node Secret on page 99.

1 On a computer where your RSA ACE/Server Administration interface is installed, go to Start > Programs > RSA ACE Server > Database Administration - Host Mode.
2 In the RSA ACE/Server Administration interface, go to Agent Host > Add Agent Host (or, if you are changing an Agent Host, Edit Agent Host).
3 In the Name field, enter a descriptive name for the Firebox SSL (the Agent Host for which you are creating a configuration file).
4 In the Network address field, enter the Firebox SSL IP address (the internal address).
5 For Agent type, select UNIX Agent.
6 Note that the Node Secret Created check box is cleared and inactive when you are creating an Agent Host. The RSA ACE/Server will send the Node Secret to the Firebox SSL the first time that it authenticates a request from the Firebox SSL. After that, the Node Secret Created check box will be selected. By deselecting the check box and generating/uploading a new configuration file, you can force the RSA ACE/Server to send a new Node Secret to the Firebox SSL.
7 Indicate which users can be authenticated through the Firebox SSL through one of the following methods:
- To configure the Firebox SSL as an open Agent Host, click Open to All Locally Known Users and then click OK.
- To select the users to be authenticated, click OK, go to Agent Host > Edit Agent Host, select the Firebox SSL host, and then click OK. In the dialog box, click the User Activations button and select the users.
8 To create the configuration file for the new or changed Agent Host, go to Agent Host > Generate Configuration Files.
The file that you generate (sdconf.rec) is what you will upload to the Firebox SSL, as described in the following procedure.

To enable RSA SecurID authentication for the Firebox SSL:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users tab.
2 Enter a realm name to identify the RSA ACE/Server.
If you want the Default realm to use RSA authentication, remove the Default realm as described in Changing the Authentication Type of the Default Realm on page 87.
Realm names are case-sensitive and can contain spaces.
3 From the Type menu, choose SecurID and Local Authentication.
4 Click Add.
A window for the authentication realm opens.
5 To upload the sdconf.rec file that you generated in the previous procedure, click Upload sdconf.rec file and use the dialog box to locate and upload the file.
The sdconf.rec file is typically written to ace\data\config_files and to windows\system32.
- The file status message indicates whether an sdconf.rec file has been uploaded. If one has been uploaded and you need to replace it, click Upload sdconf.rec file and use the dialog box to locate and upload the file.
- The first time that a client is successfully authenticated, the RSA ACE/Server will write some configuration files to the Firebox SSL. If you subsequently change the IP address of the Firebox SSL, click Remove ACE Configuration Files, reboot when prompted, and then upload a new sdconf.rec file.
6 After the file uploads, click Submit.
7 To use LDAP for authorization, click the Authorization tab and complete the settings. See Using LDAP Servers for Authentication and Authorization on page 91 (starting with Step 5) for a description of the LDAP server settings. See Looking Up Attributes in your LDAP Directory on page 94 for information on looking up LDAP server settings.
8 Click Submit.

Resetting the Node Secret


If you have re-imaged the Firebox SSL, giving it the same IP address as before, and restored your configuration, you must also reset the node secret on the RSA ACE/Server. (Because the Firebox SSL has been re-imaged, the node secret no longer resides on it and an attempt to authenticate with the RSA ACE/Server will fail.) After you reset the node secret on the RSA ACE/Server, the next authentication attempt will cause the RSA ACE/Server to send a node secret to the Firebox SSL.

To reset the node secret on the RSA ACE/Server:
1 On a computer where your RSA ACE/Server Administration interface is installed, go to Start > Programs > RSA ACE Server > Database Administration - Host Mode.
2 In the RSA ACE/Server Administration interface, go to Agent Host > Edit Agent Host.
3 Select the Firebox SSL IP address from the list of agent hosts.
4 Clear the Node Secret Created check box and save the change.
The RSA server will re-send the node secret on the next authentication attempt from the Firebox SSL.

Removing an Authentication Realm


You can remove any realm except for the realm named Default. (You can remove the Default realm only if you immediately create a new realm named Default. For more information, see Changing the Authentication Type of the Default Realm on page 87.)

To remove an authentication realm:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users tab.
2 Open the window for the authentication realm that you want to remove.
3 From the Action menu, choose Remove ... realm.

Adding Local Users


You can create user accounts locally on the Firebox SSL to supplement the users on authentication servers. For example, you might want to create local user accounts for temporary VPN users, such as consultants or visitors, without creating an entry for those users on the authentication server. In that case, you add the user to the Firebox SSL local user list as described in this section. If you associate more than one group with a user account, the properties of the first group that you select for the user will be used.


To create a user on the Firebox SSL:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users > Local Users tab.
2 Enter a user name. A user will need to enter this name when logging into Secure Access. User names can contain spaces.
3 Enter a password for the user in the two fields. A user will need to enter this password when logging into Secure Access. A password must be six or more characters (checked up to 128 characters).
4 Click Add Local User.
The added user appears in the Local Users list.
5 To change the group membership of a user:
- To add a group to a user, select the group in the Available Groups list and click Add Group to User. For information on creating a group, see Adding and Configuring User Groups on page 121.
- To remove a group from a user, select the group in the Associated Groups list and click Remove Group from User.

To delete a user from the Firebox SSL:
Select the user in the Local Users list and click Remove User.

Controlling Network Access


By default, the Firebox SSL is blocked from accessing any networks. You must specify the networks that the Firebox SSL can access, referred to as accessible networks. You then control VPN user access to those networks as follows:
- You create network resource groups. A network resource group includes one or more network locations. For example, a resource group might provide access to a single application, a subset of applications, a range of IP addresses, or an entire intranet. What you include in a network resource group depends largely on the varying access requirements of your VPN users. You might want to provide some user groups with access to many resources and other user groups with access to smaller subsets of resources. By allowing and denying a user group access to network resource groups, you create an Access Control List (ACL) for that user group.
- You specify whether any user group with no ACL has full access to all of the accessible networks defined for the Firebox SSL. By default, user groups without an ACL have access to all of the accessible networks defined for the Firebox SSL. This default operation provides simple configuration if most of your user groups are to have full network access. By retaining this default operation, you will need to configure an ACL only for the user groups who should have more restricted access. The default operation can also be useful for initial testing. You can change the default operation so that user groups are denied network access unless they have been allowed access to one or more network resource groups.
- You configure ACLs for user groups by specifying which network resources are allowed or denied per user group. By default, all network resource groups are allowed (and network access is controlled by the Deny Access without ACL option). When you allow or deny one resource group, all other resource groups are automatically denied and the network access for the user group is controlled only through its ACL. If a resource group includes a resource that you do not want a user group to access, you can create a separate resource group for just that resource and deny the user group access to it.

The options just discussed are summarized in the following table.

ACL set for user group?   Deny access without ACL?   User group can access:
No                        No                         All accessible networks
Yes                       No                         Allowed resource groups
No                        Yes                        Nothing
Yes                       Yes                        Allowed resource groups

For information on controlling network access, see the following topics:
- Specifying Accessible Networks on page 103
- Defining Network Resource Groups on page 104
- Denying Access to Groups with No ACL on page 107

Specifying Accessible Networks


You must specify which networks the Firebox SSL can access. By default, the Firebox SSL has no network access.

To give the Firebox SSL access to a network:
1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Enter a space-separated list of networks and click Submit.

Defining Network Resource Groups


Network resource groups define the locations that authorized VPN users can access. Resource groups are associated with user groups to form resource access control policies.

Suppose that you want to provide a user group with secure access to the following:
- the 10.10.x.x subnet
- the 10.20.10.x subnet
- 10.50.0.60 and 10.60.0.10

To provide that access, you would create a network resource group by specifying the following IP address/netmask pairs:

10.10.0.0/255.255.0.0
10.20.10.0/255.255.255.0
10.50.0.60/255.255.255.255
10.60.0.10/255.255.255.255

You can specify the mask in CIDR notation. For example, in the above example, you could specify 10.60.0.10/32 for the last entry.

Additional tips for working with resource groups follow.
- You can further restrict access by specifying a port and protocol for an IP address/netmask pair. For example, you might specify that a resource can use only port 80 and the TCP protocol.
- When you configure resource group access for a user group, you can allow or deny access to any resource group. This enables you to exclude a portion of an otherwise allowed resource. For example, you might want to allow a user group access to 10.20.10.0/24, but deny that user group access to 10.20.10.30. Deny rules take precedence over allow rules.
- The easiest method to provide all VPN user groups with access to all network resources is to not create any resource groups and to disable the Deny Access without ACL option on the Global Policies tab. All user groups will then have access to the accessible networks listed on the Global Policies tab.
- If you have one or more user groups that should have access to all network resources, a shortcut to adding each individual resource group to those user groups is to create a resource group for 0.0.0.0/0.0.0.0 and allow that one resource group for those user groups. For all other user groups, you will need to allow/deny individual resource groups as needed.
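The following Python script is an added illustration, not code from the guide or from the Firebox SSL itself. It evaluates one connection attempt the way the table in Controlling Network Access and the resource-group tips above describe: the destination must lie inside an accessible network, a group with no ACL is governed by the Deny Access without ACL option, and within an ACL a deny rule wins over an allow rule while anything not explicitly allowed is denied. The four-entry Intranet group is the guide's own example list; the accessible network 10.0.0.0/8, the single-host Excluded host group and the port-restricted Web mail group are constructed for the example, as are the protocol labels.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    """One IP address/netmask pair of a resource group, optionally limited to a port and protocol.
    As on the Network Resources tab, port 0 means any port."""
    network: ipaddress.IPv4Network
    port: int = 0
    protocol: str = "any"   # "any", "tcp", "udp" (labels assumed for the example)

    def matches(self, addr: ipaddress.IPv4Address, port: int, protocol: str) -> bool:
        return (addr in self.network
                and (self.port == 0 or self.port == port)
                and (self.protocol == "any" or self.protocol == protocol))


def parse_resource(spec: str, port: int = 0, protocol: str = "any") -> Resource:
    """Accept both mask styles the guide allows: 10.10.0.0/255.255.0.0 or 10.60.0.10/32."""
    return Resource(ipaddress.IPv4Network(spec, strict=False), port, protocol)


# Resource groups keyed by name. "Intranet" mirrors the guide's four-entry example;
# the other two groups are constructed for this example.
RESOURCE_GROUPS = {
    "Intranet": (
        parse_resource("10.10.0.0/255.255.0.0"),
        parse_resource("10.20.10.0/255.255.255.0"),
        parse_resource("10.50.0.60/255.255.255.255"),
        parse_resource("10.60.0.10/32"),
    ),
    # a single-host group created only so that it can be denied
    "Excluded host": (parse_resource("10.20.10.30/32"),),
    # a group restricted to one port and protocol
    "Web mail": (parse_resource("10.50.0.60/32", port=80, protocol="tcp"),),
}

# Accessible networks as entered on the Global Policies tab (constructed)
ACCESSIBLE_NETWORKS = (ipaddress.IPv4Network("10.0.0.0/8"),)


@dataclass(frozen=True)
class GroupACL:
    """Allow/deny lists of resource-group names; an empty ACL means none was configured."""
    allowed: tuple = ()
    denied: tuple = ()

    def configured(self) -> bool:
        return bool(self.allowed or self.denied)


def group_matches(name: str, addr: ipaddress.IPv4Address, port: int, protocol: str) -> bool:
    return any(r.matches(addr, port, protocol) for r in RESOURCE_GROUPS[name])


def decide(ip: str, port: int, protocol: str, acl: GroupACL, deny_without_acl: bool) -> str:
    """Return "allow" or "deny" for one connection attempt by a member of a user group.

    Order of evaluation, following the guide:
      1. the destination must lie inside an accessible network;
      2. a group with no ACL gets everything accessible, unless Deny Access without ACL is set;
      3. with an ACL, deny rules take precedence over allow rules, and anything not
         explicitly allowed is denied.
    """
    addr = ipaddress.IPv4Address(ip)
    if not any(addr in net for net in ACCESSIBLE_NETWORKS):
        return "deny"
    if not acl.configured():
        return "deny" if deny_without_acl else "allow"
    if any(group_matches(n, addr, port, protocol) for n in acl.denied):
        return "deny"
    if any(group_matches(n, addr, port, protocol) for n in acl.allowed):
        return "allow"
    return "deny"


if __name__ == "__main__":
    staff = GroupACL(allowed=("Intranet",), denied=("Excluded host",))
    for ip, port in (("10.20.10.5", 80), ("10.20.10.30", 80), ("192.168.1.1", 80)):
        print(ip, port, decide(ip, port, "tcp", staff, deny_without_acl=True))
```

Running the script shows the 10.20.10.30 exclusion taking effect even though the address sits inside the allowed 10.20.10.0/24 entry, and a destination outside every accessible network being refused regardless of ACL. The code encodes only the rules the guide states; it is not a description of the appliance's internal matching order.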

To create a resource group:
1 In the Firebox SSL Administration Tool, go to the Network Resources tab.
2 Enter a resource group name. For example, Archives or Web mail.
3 Click Add.
A window for the resource group appears.
4 Enter the IP address/netmask pair for the resource in the Subnets field. You can use CIDR notation for the mask. Use a space to separate entries.
5 Enter a port for the pairs listed. Specify 0 to allow any port.
6 Select a protocol for the pairs listed.
7 Click Submit.
For information on adding a resource group to a user group, see Adding and Configuring User Groups on page 121.

To remove a resource group:
1 In the Firebox SSL Administration Tool, go to the Network Resources tab.
2 Open the window for the resource group that you want to remove.
3 From the Action menu, choose Remove ... resource.


Denying Access to Groups with No ACL


By default, a user group without an ACL has access to all of the accessible networks defined for the Firebox SSL, as described in Controlling Network Access on page 102. You can deny access to user groups with no ACL as follows.

To deny access to user groups without an ACL:
1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Select the Deny Access without ACL check box.
3 Click Submit.


Customizing VPN Portal Pages


NOTE You can also include links to the Secure Access and kiosk clients on your website, as described in Linking to the VPN Clients from Your Website on page 115.

By default, your VPN users will see a Citrix Access Portal page when they open https://Firebox SSL_IP_or_hostname. For samples of the default portal pages for Windows, Linux, and Java, see Using the Access Portal on page 51. We have also provided portal page templates that you can customize. One of the templates includes links to both the Secure Access and Kiosk clients. The following sample is the portal page that displays on a computer that is running Windows 2000 or higher. Your customization can be as simple as replacing the logo.

[Figure: sample portal page for Windows. Callouts: "Replacement logo"; "A variable is used to insert the current user name"; "A variable is used to insert this portion into the template. The text cannot be changed."]

The following sample is the same portal page when displayed on a computer that is running Linux. Clicking either link displays a page with instructions.


The other two templates include links to just one of those clients. You choose a template based on the access that you want to provide, on a group basis. For example, you might want to provide access to both clients to some VPN users and access only to the Secure Access or kiosk client for other users. You can do that by adding custom portal pages to the Firebox SSL and then specifying for each user group the portal page to be used.
NOTE If you want to add text to a template or make format changes, you will need to consult with someone who is familiar with HTML. Changes to the templates other than those described in this section are not supported.

The portal page templates are available from the Downloads page of the Administration Portal.


[Figure: Administration Portal Downloads page. Callout: "Links to Portal Page Templates"]

The following topics describe how to create portal pages, upload them to the Firebox SSL, and specify the portal page to be used for a user group:
- Downloading and Working with Portal Page Templates on page 110
- Loading Custom Portal Files on the Firebox SSL on page 113
- Disabling Portal Page Authentication on page 114
- Linking to the VPN Clients from Your Website on page 115
- Choosing a Portal Page for a Group on page 130

Downloading and Working with Portal Page Templates


The portal page templates include variables that the Firebox SSL replaces with the current user name and with links that are appropriate for the connecting computer (Windows 2000 or higher, or Linux). If you also have users on platforms such as Macintosh or Windows 95/98, you can provide them access to the Java-based kiosk client by inserting the appropriate variable in the template(s) used by those groups, as described in this section. The variables that can be used in templates are described in the following table.

Variable                            Content inserted by variable
$citrix_username;                   Name of logged in user
$citrix_portal;                     Links to both the Secure Access and the Kiosk clients (shown for Windows and for Linux)
$citrix_portal_full_client_only;    Link to the Secure Access only
$citrix_portal_kiosk_client_only;   Link to the Kiosk client only

A template can include only one of the three variables that start with $citrix_portal.


When choosing a template that is appropriate for a group, you only need to know whether the group should have access to both the Secure Access and kiosk clients or just one of the clients. The Firebox SSL detects the user's platform (Windows, Linux, Java) and inserts the appropriate links into the templates that you upload to the Firebox SSL.

To download the portal page templates to your local computer:
1 In the Firebox SSL Administration Portal, go to the Downloads page.
2 To download a template to a local computer, right-click the link and specify a location in the dialog box.

To work with the templates for Windows and Linux users:
1 Determine how many custom portal pages that you will need. You can use the same portal page for multiple groups.

To include links to these clients:   Use this portal page:
Secure Access and kiosk              vpnAndKioskClients.html
Secure Access only                   vpnClientOnly.html
Kiosk only                           kioskClientOnly.html

2 Make a copy of each template that you will use and name the template, using the extension .html.
3 To replace the Citrix image:
- Locate the following line in the template:
<img src="vpn_logo.gif" />
- Replace vpn_logo.gif with the filename of your image. For example, if your image file is named logo.gif, change the line to:
<img src="logo.gif" />
An image file must have a file type of GIF or JPG. Do not change other characters on that line.
4 Save the file.

Loading Custom Portal Files on the Firebox SSL


You must load on the Firebox SSL any custom portal pages and referenced image files.

To load a custom portal page or image on the Firebox SSL:
1 In the Firebox SSL Administration Tool, go to the Portal Page Configuration tab.
2 Click Add File.
3 For the File Identifier of portal pages, enter a name that is descriptive of the types of VPN users who will use the portal page. The filename can help you later when you need to associate the portal page with a group. For example, you might have a primary portal page used by many groups and a separate portal page used only by guests. In that case, you might identify the files as Primary Portal and Guest Portal. Or, you might have several portal pages that correspond to user groups, and use names such as Admin Portal, Student Portal, IT Portal.
4 Select the type from the File Type menu.
Portal pages must be an HTML file. Any images referenced from an HTML page must be either GIF or JPG files.
5 Click Upload File.
6 Navigate to the file and click Open.
The file will be loaded on the Firebox SSL.

To remove a portal file from the Firebox SSL:
Select the page identifier in the list and click Remove Selected File.

Disabling Portal Page Authentication


By default, a VPN user must log in to the portal page and then again to the Secure Access or kiosk client. You can eliminate the portal page login step using either of the following methods:
- You can set a global policy that disables authentication for the portal page and that specifies the portal page that will display for all VPN users. This global policy overrides any portal page selections for groups.
- You can include links to the Secure Access and kiosk clients directly on your website, as described in Linking to the VPN Clients from Your Website on page 115.

To disable portal page authentication:
1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Clear the checkbox for Enable Portal Page Authentication.
3 Select the portal page to which all VPN users will be directed.
4 Click Submit.

Linking to the VPN Clients from Your Website


You can also provide your VPN users links to the Secure Access and kiosk clients from your website. The links will launch the clients for Windows or will direct the user to a page that explains how to download and install the client for Linux.
To include links to the Secure Access and kiosk client on your website:
1 Add the following code to the HEAD tag of the web page that is to contain the links:
<object id="Net6Launch" type="application/x-oleobject" classid="CLSID:7E0FDFBB-87D4-43a1-9AD4-41F0EA8AFF7B" codebase="net6helper.cab#version=2,1,0,6"></object>
2 Add the links as follows to the web page.

Client:                         Link to:
Secure Access (Windows/Java)    https://ipAddress/CitrixSAClient.exe
Kiosk (Windows/Java)            https://ipAddress/CitrixSAKiosk.exe
Secure Access (Linux)           https://ipAddress/full_linux_instructions.html (this page includes a link to the Linux installer executable)

The ipAddress is the address of your Firebox SSL.

Configuring Host Check Rules


Host check rules provide another layer of security, helping to ensure that the VPN users are connecting to your Firebox SSL on a computer that meets certain criteria. For example, you can require that a connecting computer has particular registry entries, files, and/or active processes. Each host check rule specifies that a computer must have one of the following:
- A registry entry that matches the path, entry type, and value that you specify.
- A file that matches the path, filename, and date that you specify. You can also specify a checksum for the file.
- A running process that you specify. You can also specify a checksum for the file.
NOTE Example Host Check Rules on page 118 contains the file and process names for a variety of personal firewall, antivirus, and spybot applications.

You apply host check rules to each group, by specifying a host check expression, a Boolean expression that uses host check rule names. For more information, see Configuring a Host Check Policy for a Group on page 128.

To create a host check rule:
1 In the Firebox SSL Administration Tool, go to the Host Checks tab.
2 Specify a name for the host check rule.
3 Select the rule type from the drop-down list.
4 Click Add.
5 If you selected Registry Entry Rule, enter the path to the registry key, select a key type, enter the key name, and enter the value to which that key must be set. Click Submit.
If you selected File Rule, enter the path, filename, and creation date of the file. To specify a checksum for the file, select Calculate Checksum and click Upload File to Checksum. Navigate to the file and click Open. Click Submit.
If you selected Process Rule, enter the name of the process that must be running. To specify a checksum for the file, select the Manually Enter Checksum option and enter it, or select Calculate Checksum and click Upload File to Checksum. Navigate to the file and click Open. Click Submit.

NOTE For information on adding a host check expression to a user group, see Configuring a Host Check Policy for a Group on page 128.

To delete a host check rule:
1 In the Firebox SSL Administration Tool, go to the Host Checks tab.
2 Open the window for the host check rule that you want to remove.
3 From the Action menu, choose Remove ... host check.

Example Host Check Rules


This table contains information that you can use to create host check rules for a variety of personal firewall, antivirus, and spybot applications. The path information provided assumes that the application is installed in the default directory.

Application                         Host Check Rules
Antivirus
  AntiVir                           File: C:\Program Files\AVPersonal\AVWIN.EXE
                                    Process: AVGUARD.EXE
  avast!                            File: C:\Program Files\Avast\ashAvast.exe
                                    Process: ashServ.exe
  McAfee                            File: C:\Program Files\McAfee.com\VSO\mcvsshld.exe
                                    Process: McShield.exe
  Norton                            File: C:\Program Files\Norton AntiVirus\NAVAPSVC.exe
Personal Firewall
  McAfee                            File: C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe
                                    Process: MpfService.exe
  Norton                            Process: ccProxy.exe OR ccSetMgr.exe
  Sygate                            File: C:\Program Files\Sygate\SPF\Smc.exe
                                    Process: Smc.exe
  Tiny                              File: C:\Program Files\Tiny Personal Firewall\PERSFW.EXE
                                    Process: PERSFW.EXE
  Zone Alarm                        File: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
                                    Process: zlclient.exe
Spybot
  Ad-aware SE Personal Edition      File: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
                                    Process: Ad-Aware.exe
  Spybot - Search and Destroy       File: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
                                    Process: SpybotSD.exe

Configuring Network Shares for Kiosk Sessions


When a VPN user connects from a public computer (by selecting that option on a portal page), the Firebox SSL opens a kiosk connection. The network shares available to a kiosk user are configured in the Share Mounts tab.


To provide kiosk users access to network shares:
1 In the Firebox SSL Administration Tool, go to the Share Mounts tab.
2 Enter a name for the network share and click Add. The name that you enter will display with the share icon in the kiosk window.
A configuration window appears.
3 Type the path to the share source, using the form: //server/share.
4 Choose the type of mount, either CIFS/SMB or NFS.
5 If administrative user credentials are required to mount a CIFS/Samba drive, specify the username and password. Those fields are not enabled for NFS.
All users who access the share will have the rights of this user.
6 Enter the Active Directory domain or the Windows workgroup of the share. This field is not enabled for NFS.
7 Specify whether you want remote users to have read/write or read-only permissions for the share.
NOTE Users can FTP files from the share to the remote computer.
8 Click Submit.
NOTE To add a share to a user group, see Configuring Kiosk Operation for a Group on page 126.

To remove a share:
Open the window for the share and choose Action > Remove.

Adding and Configuring User Groups


When you enable LDAP authorization on the Firebox SSL, user group information is obtained from the LDAP server after a user is authenticated. If the group name obtained from LDAP matches a group name created locally on the Firebox SSL, the properties of the local group are used for the matching group obtained from LDAP. Each VPN user should belong to at least one group that is defined locally on the Firebox SSL. If a user does not belong to a group, the overall access of the user is determined by the Deny Access without ACL setting on the Global Policies tab, as follows:
- If the Deny Access option is enabled, the user will not be able to establish a VPN connection.
- If the Deny Access option is disabled, the user will have full network access.
In either case, the user will be able to run a kiosk session, but network access within that session will be determined by the Deny Access without ACL setting.

You can also add local groups that are not related to LDAP groups. For example, you might create a local group to set up a contractor or visitor to whom you want to provide temporary access without having to create an LDAP entry. For information on creating a local user, see Adding Local Users on page 100.

Several aspects of VPN operation are configured at the group level, including access control, host checking, kiosk operation, portal page usage, and IP pooling. If a user belongs to more than one group, group policies are applied to the user based on the group priorities set on the Group Priorities tab, as described in Setting the Priority of Groups on page 132.

To create a local user group on the Firebox SSL:
1 In the Firebox SSL Administration Tool, go to the Groups tab.
2 Type a descriptive name for the group (such as Temp Employees or accounting) and then click Add. If you want the group's properties to be used for a group obtained from LDAP, the group name must match the LDAP group name, including case and use of spaces.
A window for the added group appears.
3 To configure the group, see the following topics:
- Configuring Resource ACLs for a User Group on page 124
- Configuring Kiosk Operation for a Group on page 126
- Configuring a Host Check Policy for a Group on page 128
- Choosing a Portal Page for a Group on page 130
- Enabling IP Pooling on page 131

To remove a user group:
1 In the Groups tab, open the window for the group.
2 Right-click the group name in the window and choose Remove...group.
Alternatively, from the group window's Action menu, choose Remove.

Configuring Resource ACLs for a User Group


NOTE For background information on network access, see Controlling Network Access on page 102. You will need to let your users know which resources that they can access. A sample email with instructions that you can customize for your users is available from the Administration Portal Downloads page.

For each user group, you can create an ACL by specifying the resources that are to be allowed or denied for the group. Resource groups are defined as described in Defining Network Resource Groups on page 104. Unless you want to provide all VPN users with full access to all accessible networks, you must associate user groups with resource groups. By default, all network resource groups are allowed (and network access is controlled by the Deny Access without ACL option). When you allow or deny one resource group, all other resource groups are automatically denied and the network access for the user group is controlled only through its ACL. The Firebox SSL interprets allow/deny as follows:
- The Firebox SSL denies access to any resource that is not explicitly allowed. Thus, if you want to provide a particular user group with access to only one resource group, you only have to allow access to that resource group.
- Deny rules take precedence over allow rules. This enables you to allow access to a range of resources and to also deny access to selected resources within that range. For example, you might want to allow a group access to a resource group that includes 10.20.10.0/24, but need to deny that user group access to 10.20.10.30. To handle this, you will need to create a resource group that includes 10.20.10.30. Access to that resource will be denied unless you specifically allow it.

To configure resource access control for a group:
1 In the group window, right-click Resource ACLs.
2 Choose Add Resource, choose a resource, and then choose Allow.
NOTE If you have not allowed a resource, it will be denied.
3 If you allow a resource and later want to deny it, right-click Resource ACLs, choose Add Resource, choose the resource, and then choose Deny.
4 Click Submit.

To remove a resource from a user group:
1 In the group window, right-click the resource that you want to remove.
2 Choose Remove Resource and then click Submit.

Configuring Kiosk Operation for a Group


You can specify whether a group is allowed VPN kiosk access from public computers and, if so, which applications and network shares appear in the kiosk window.

To remove the kiosk option from the Access Portal for a group:
1 In the group window, clear the check box for Enable Kiosk Mode.
2 Click Submit.

To configure kiosk operation for a group:
1 To add a network share to the group, open the group's window, right-click Network Shares, choose Add Share, choose the share name, and then choose Allow.
The share name appears.
To configure network shares, see Configuring Network Shares for Kiosk Sessions on page 119.
2 Verify that the Enable Kiosk Mode option is selected.
3 To retain Citrix ICA settings and Mozilla preferences between sessions, select Persistent Mode. The Mozilla preferences saved include the passwords saved through the Mozilla Password Manager. The preferences are saved on the remote server (hosting the kiosk session).
4 If you want a Mozilla browser window to appear in the kiosk window:
- Specify the URL to open in the browser window (such as http://www.mysite.com/index.html, typically an Intranet site). The default is http://www.net6.com.
NOTE If the user has general Internet access before making a Kiosk connection, the user can browse the Internet from the Mozilla browser in the Kiosk window, unless there is a network resource defined that denies access to the Internet.
- Select the Mozilla option.
5 For the other kiosk applications listed, select each one that you want included in the kiosk window for the group.
To work with any of those applications, the VPN user will need to know the IP addresses of the corresponding servers.
6 Click Submit.

Configuring a Host Check Policy for a Group


To configure a host check policy for a group, you specify a Boolean expression containing the host check rule names that you want to apply to the group. Suppose that you create the following host check rules:

- CorpAssetRegistryEntry
- AntiVirusProcess1
- AntiVirusProcess2

Your host check expression might specify that a registry check must verify that the computer attempting to connect is a corporate asset and that it must have one of the antivirus processes running. That Boolean expression is:

(CorpAssetRegistryEntry & (AntiVirusProcess1 | AntiVirusProcess2))

Valid operators for host check expressions are as follows:

- ( ) used to nest expressions to control their evaluation
- & logical AND
- | logical OR
- ! logical NOT

For users without Administrative privileges, a host check will fail if it includes a file in a restricted zone (such as C:\Documents and Settings\Administrator) or if it includes a restricted registry key. If a user belongs to more than one group, the host check expression applied to the user is the union of the expressions for each of the user's groups. For information on host check rules, see Configuring Host Check Rules on page 116.

To specify a host check expression for a group:

1 In the group window, enter the Boolean expression in the Host Check Expression field.
2 Click Submit.
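The following evaluator is an added example, not the appliance's own host check engine. It parses expressions built from the four operators listed above and rule names made of letters, digits and underscores (an assumption; the guide does not spell out the name syntax), applying the usual precedence of ! over & over |, and evaluates them against per-rule results. A result of None models a check that could not be performed on the client, such as a restricted registry key for a non-administrator, and counts as failed, as the paragraph above says. The expression is the guide's; the three client states are constructed. How expressions from several groups are combined for one user is not shown, because the guide only says they form a union.

```python
import re

# One token per match: a rule name or one of the operators ( ) & | !
_TOKEN = re.compile(r"\s*(?:([A-Za-z_][A-Za-z0-9_]*)|([()&|!]))")


def tokenize(expression):
    """Split a host check expression into rule names and operators."""
    expression = expression.strip()
    tokens, pos = [], 0
    while pos < len(expression):
        m = _TOKEN.match(expression, pos)
        if m is None:
            raise ValueError(f"unexpected character at offset {pos}: {expression[pos:]!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent evaluator. Precedence, tightest first: !, &, |."""

    def __init__(self, tokens, results):
        self.tokens, self.pos, self.results = tokens, 0, results

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def expr(self):                     # expr := term ('|' term)*
        value = self.term()
        while self._peek() == "|":
            self._next()
            rhs = self.term()           # always parsed, so errors are not masked
            value = value or rhs
        return value

    def term(self):                     # term := factor ('&' factor)*
        value = self.factor()
        while self._peek() == "&":
            self._next()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):                   # factor := '!' factor | '(' expr ')' | RULE
        tok = self._next()
        if tok == "!":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self._next() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok is None or tok in "()&|!":
            raise ValueError(f"unexpected token {tok!r}")
        if tok not in self.results:
            raise ValueError(f"unknown host check rule {tok!r}")
        # A rule that could not be evaluated (None) counts as failed.
        return self.results[tok] is True


def host_check_passes(expression, rule_results):
    """Evaluate a group's host check expression against per-rule results.

    rule_results maps rule name -> True (passed), False (failed) or None
    (the check could not be performed on this client).
    """
    parser = _Parser(tokenize(expression), rule_results)
    value = parser.expr()
    if parser._peek() is not None:
        raise ValueError(f"unexpected trailing token {parser._peek()!r}")
    return value


# The expression from the guide and three constructed client states.
GUIDE_EXPR = "(CorpAssetRegistryEntry & (AntiVirusProcess1 | AntiVirusProcess2))"

CLIENTS = {
    "corp laptop, second AV product": {"CorpAssetRegistryEntry": True,
                                       "AntiVirusProcess1": False,
                                       "AntiVirusProcess2": True},
    "corp laptop, no AV running": {"CorpAssetRegistryEntry": True,
                                   "AntiVirusProcess1": False,
                                   "AntiVirusProcess2": False},
    "non-admin, registry key unreadable": {"CorpAssetRegistryEntry": None,
                                           "AntiVirusProcess1": True,
                                           "AntiVirusProcess2": True},
}

if __name__ == "__main__":
    for label, results in CLIENTS.items():
        print(f"{label:40} -> {host_check_passes(GUIDE_EXPR, results)}")
```

Unknown rule names and malformed expressions raise ValueError rather than silently evaluating to false, which is the behaviour you want when checking a newly typed expression: a misspelled rule name in a production expression would otherwise lock out or, with a leading !, admit the wrong users.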

Choosing a Portal Page for a Group


By default, a group uses the Firebox SSL Access Portal page. You can load custom portal pages on the Firebox SSL, as described in Customizing VPN Portal Pages on page 108, and then select a portal page for each group. This enables you to control which of the Firebox SSL clients are available by group.
NOTE Disabling portal page authentication on the Global Policies page, as described in Disabling Portal Page Authentication on page 114, overrides the Portal Page setting for all groups.

To specify a portal page for a group:


In the group window, choose the page name from the Portal Page menu and click Submit.

Enabling IP Pooling
In some situations, the Secure Access client needs a unique IP address assigned by the Firebox SSL. For example, in a Samba environment, each user connecting to a mapped network drive needs to appear to originate from a different IP address. When you enable IP pooling for a group, the Firebox SSL can assign a unique IP address alias to each client.

You can specify the gateway device to be used for IP pooling. The gateway device can be the Firebox SSL itself, or some other device. If you do not specify a Gateway, a Firebox SSL interface is used, based on the General Networking settings, as follows:

- If you have configured only Interface 0 (the Firebox SSL is inside your firewall), the Interface 0 IP address is used as the gateway.
- If you have configured Interfaces 0 and 1 (the Firebox SSL straddles your firewall), the Interface 1 IP address is used as the gateway. (Interface 1 is considered the internal interface in this scenario.)

To configure IP pooling for a group:

1 In the group window, select Enable IP Pools.
2 Specify the starting IP address for the pool.
3 Specify the number of IP address aliases. You can have as many as 2000 IP addresses total in all IP pools.
4 Specify the Gateway IP address. If you leave this field blank, a Firebox SSL interface is used, as described earlier in this section. If you specify some other device as the gateway, the Firebox SSL adds an entry for that route in the Firebox SSL routing table.
5 Click Submit.

Setting the Priority of Groups


For users who belong to more than one group, you can determine which group's policies apply to a user by specifying the priority of groups. For example, suppose that some users belong to both the sales group and the support group. If the sales group appears before the support group in the User Groups list, the sales group policies will apply to the users who belong to both of those groups. If the support group appears before the sales group in the list, the support group policies take precedence.

The policies that are affected by the Group Priority setting are as follows:

- Kiosk mode and persistence mode
- Kiosk default URL
- Portal page use
- IP pools

For ACLs and kiosk applications, a user who belongs to multiple groups has access to all resources and applications enabled for each of those groups. For example, suppose that the sales group has access to the Citrix ICA and Mozilla clients and that the support group has access to all clients. Users who belong to both groups will have access to all clients. Host check expressions are applied as described in Configuring a Host Check Policy for a Group on page 128. Groups are initially listed in the order in which they are created.

To set the priority of groups:

1 In the Firebox SSL Administration Tool, go to the Group Priority tab.
2 Select a group that you want to move and use the arrow keys to raise or lower the group in the list. The group at the top of the list has the highest priority.
3 Click Submit.

To view the group priorities for a user: In the Remote Admin Terminal window, click the Real-time Monitor icon. The display lists all groups to which the user belongs and the group with the highest priority.
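The following Python resolver is an added example of how the two rules above interact for a user in several groups; it is not code from the Firebox SSL, and the group definitions, setting names and resource names are constructed for the illustration (the guide describes no export format). It shows the point a reviewer of group ACLs most easily misses: the highest-priority group decides kiosk, portal and IP pool settings, but resources and kiosk applications are merged from every group, so the top group's ACL alone understates what the user can reach.

```python
# Constructed group definitions (illustrative names). Each group carries the
# settings the guide lists as priority-resolved plus the two it says are
# merged across all of a user's groups.
GROUPS = {
    "sales": {
        "kiosk_mode": True, "persistent_mode": False,
        "kiosk_url": "http://intranet.example/sales",
        "portal_page": "sales_portal",
        "ip_pool": ("10.30.0.1", 50),
        "acl_allow": {"corp-lan"},
        "kiosk_apps": {"Citrix ICA", "Mozilla"},
    },
    "support": {
        "kiosk_mode": True, "persistent_mode": True,
        "kiosk_url": "http://intranet.example/support",
        "portal_page": "default",
        "ip_pool": ("10.30.1.1", 100),
        "acl_allow": {"corp-lan", "db-server"},
        "kiosk_apps": {"Citrix ICA", "Mozilla", "SSH", "RDP", "VNC"},
    },
}

# Settings taken from the highest-priority group only (Group Priority order).
PRIORITY_SETTINGS = ("kiosk_mode", "persistent_mode", "kiosk_url",
                     "portal_page", "ip_pool")
# Settings a multi-group user accumulates from every group they belong to.
MERGED_SETTINGS = ("acl_allow", "kiosk_apps")


def effective_policy(user_groups, priority_order, groups=GROUPS):
    """Resolve the policy a user sees, given the Group Priority list order."""
    unknown = set(user_groups) - set(priority_order)
    if unknown:
        raise ValueError(f"groups missing from priority list: {sorted(unknown)}")
    member = [g for g in priority_order if g in user_groups]
    if not member:
        raise ValueError("user belongs to no group")
    top = member[0]                       # first in the list wins
    policy = {"priority_group": top}
    for key in PRIORITY_SETTINGS:
        policy[key] = groups[top][key]
    for key in MERGED_SETTINGS:
        policy[key] = set().union(*(groups[g][key] for g in member))
    return policy


def access_beyond_priority_group(user_groups, priority_order, groups=GROUPS):
    """Resources and kiosk apps the user gets only through lower-priority
    groups: what reviewing the top group's ACL alone would not show."""
    policy = effective_policy(user_groups, priority_order, groups)
    top = groups[policy["priority_group"]]
    return {key: policy[key] - top[key] for key in MERGED_SETTINGS}


if __name__ == "__main__":
    both = {"sales", "support"}
    for order in (["sales", "support"], ["support", "sales"]):
        p = effective_policy(both, order)
        print(order, "->", p["portal_page"], p["persistent_mode"],
              sorted(p["acl_allow"]))
    print(access_beyond_priority_group(both, ["sales", "support"]))
```

With sales first, a user in both groups lands on the sales portal page without persistent kiosk mode, yet still reaches db-server and the SSH, RDP and VNC kiosk applications that only the support group enables. Reordering the groups changes the portal, persistence and IP pool, not the merged access.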

Enabling Split Tunneling


By default, all traffic goes through the VPN tunnel. You can choose to use split tunneling so that the VPN client sends only the traffic destined for the secured network through the VPN tunnel. The secured network consists of the addresses specified as accessible networks, as described in Specifying Accessible Networks on page 103. When you enable split tunneling, group-based policies apply to the internal NIC only. For connections from inside of the firewall, group-based policies do not apply to traffic to external resources or resources local to the network; that traffic is not encrypted.

To enable split tunneling:

1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Select the check box for Enable Split Tunneling.
3 If there are no Accessible Networks specified, enter the addresses as described in Specifying Accessible Networks on page 103.
4 Click Submit.

Enabling Split DNS


By default, the Firebox SSL checks a VPN user's remote DNS only. You can allow failover to a user's local DNS by enabling split DNS. A VPN user can override this setting from the Connection Properties dialog box (from the login dialog box, select Options > Advanced Options).

To allow failover to a user's local DNS:

Go to the Global Policies tab and select the Enable Split DNS check box. The Firebox SSL fails over to the local DNS only if the specified DNS servers cannot be contacted, not if they return a negative response.

Enabling Session Timeout


By default, a VPN user can keep a VPN connection open indefinitely. You can set a session timeout, which is the maximum VPN session duration allowed, after which a VPN user has to log in again. One minute before a session is due to time out, the VPN user is alerted that a login will be required shortly.

To enable session timeout:

1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Enter the maximum session duration in minutes.
3 Click Submit.

Configuring Internal Failover


The Internal Failover setting enables the Secure Access client to connect to the Firebox SSL from inside of the firewall if the Firebox SSL external IP address cannot be reached from inside the firewall. When the Internal Failover setting is enabled, the VPN client fails over to the internal IP address of the Firebox SSL if the external IP address is unreachable.

NOTE To install the Secure Access client from inside the firewall, go to the portal page and use the "click here to download the client installer" link to download the client. The first time that you run the client from inside the firewall, you will need to point the client to the internal IP address of the Firebox SSL by right-clicking the Secure Access client login dialog box and choosing Advanced Options.

To enable the Secure Access client to fail over to the Firebox SSL internal IP address:

1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Select Enable Internal Failover.
3 Click Submit.

Forcing VPN User Re-login


By default, if a VPN user's network connection is briefly interrupted, the user does not have to log in again once the connection is restored. You can require that users log in after interruptions such as when a computer comes out of a hibernate state, when the user switches to a different wireless network, or when you force close a connection.

To force re-logins:

1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Under Force Relogin after, select options as follows:
- Standby/Hibernate: forces a user to log in again if the user's computer awakens from a standby or hibernate state. This option provides additional security for unattended computers.
- Network Interruption: forces a user to log in again if the network connection is briefly interrupted.

NOTE If you want to close a VPN connection and prevent the user or group from reconnecting, you must select the Network Interruption setting. Otherwise, the user(s) will be immediately reconnected without being prompted for credentials. For more information, see Managing VPN Connections on page 45.

3 Click Submit.

Firebox SSL VPN Gateway Administration Guide

139

Configuring Firebox SSL Operation

Configuring Secure Access for Single Sign-on


By default, Windows users open a VPN connection by launching the Secure Access client from the desktop. You can specify that Secure Access start automatically after the user logs into Windows. The user's Windows login credentials are passed to the Firebox SSL for authentication. After authentication, the Firebox SSL establishes the VPN connection, obtains Windows login scripts from the domain controller, and then runs the login scripts to perform operations such as automatic drive mapping.

NOTE Login script support is restricted to scripts that are executed by the command processor, such as executables and batch files. Visual Basic and JavaScript login scripts are not yet supported.

You should enable single sign-on only if VPN users' computers are logging into your organization's domain. If single sign-on is enabled and a user connects from a computer that is not on your domain, the user will be prompted to log in. The user's connection log will note that the Firebox SSL failed to look up the domain controller.

To configure Secure Access for single sign-on:

1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Select Enable Single Sign-On.
3 Click Submit.


APPENDIX A

Logging, Monitoring, and Troubleshooting Firebox SSL Operations

The following topics describe how to use Firebox SSL logs and troubleshoot issues:

- Viewing and Downloading System Message Logs on page 143
- Enabling and Viewing SNMP Logs on page 146
- Monitoring Firebox SSL Operations on page 150
- Recovering from a Crash of the Firebox SSL on page 153
- Troubleshooting on page 154

Viewing and Downloading System Message Logs


System message logs contain information that can help Firebox SSL support personnel assist with troubleshooting. By reviewing the information provided, you can track unusual changes that can affect the stability and performance of the Firebox SSL. System message logs are archived on the Firebox SSL for 30 days. The oldest log is then replaced with the current log. You can download one or all logs at any time. You can also have system messages forwarded to your syslog server, as described in Forwarding System Messages to a Syslog Server on page 145; because only 30 days are retained on the device, forward them if you need a longer history for incident investigation.

NOTE If you need to view the system log and the Firebox SSL is offline, go to the Administration Portal and click the Logging tab.

To view and filter the system log:

1 In the Administration Tool, go to the Logging > Local System Log tab. The log displayed is for the current date.
2 To display the log for a prior date, select the date in the Log Archive list and click View Log.
3 By default, the log displays all entries. Filter the log as follows.
- To filter the log by user or applications, select one or more categories that you want to include.
- To filter the log by priority, select the priorities that you want to include.
- The filters that you select are treated as logical ORs. Thus, for each selected filter, all matches for the filter display.

To download a log:

- Select a log in the Log Archive list and click Download Selected Log File. The log filename defaults to yyyymmdd.log.
- Click Download All Log Files to download all logs listed in the Log Archive list. The filename defaults to log_archive_yyyymmdd.tgz. After you download the file, you can unzip it to access the individual log files.

Forwarding System Messages to a Syslog Server


The Firebox SSL archives system messages, as described in Viewing and Downloading System Message Logs on page 143. You can also have the Firebox SSL forward system messages to a syslog server.

To forward Firebox SSL system messages to a syslog server:

1 In the Administration Tool, go to the Logging > Syslog tab.
2 Enter the IP address of the syslog server.
3 Select the syslog facility level.
4 Enter a broadcast frequency.
5 Click Submit.

Enabling and Viewing SNMP Logs


When SNMP is enabled, the Firebox SSL responds to queries for the standard MIB-II objects (1.3.6.1.2.1). The Firebox SSL does not support Firebox SSL-specific SNMP data. You can view SNMP messages in the Administration Tool and you can configure an SNMP monitoring tool such as the Multi Router Traffic Grapher (MRTG) to provide a visual representation of the SNMP data reported by the Firebox SSL in response to queries. For a sample of MRTG output, see MRTG Example on page 147.

To enable the logging of SNMP messages:

1 In the Administration Tool, go to the Logging > SNMP tab.
2 Enter the SNMP location and contact. These fields are informational only.
3 Enter the SNMP community, which is the password that will be required by a client to obtain data from the SNMP agent. For example, if you use the MRTG monitoring tool, you will need to include this community string as a part of the Target field in the MRTG configuration file. Because SNMPv1 and SNMPv2c send the community string in clear text with every query, do not reuse another password for it, and restrict which hosts can reach the SNMP port.
4 The SNMP port defaults to 161. If you change this value, you will also need to change it in any tools that you use to monitor SNMP data.
5 Click Submit.

SNMP messages appear on the SNMP tab.

MRTG Example
The Multi Router Traffic Grapher (MRTG) is a tool to monitor SNMP data, such as traffic load. MRTG generates HTML pages containing PNG images which provide a visual representation of the traffic. MRTG works under UNIX and Windows NT.

NOTE The information in this section is intended to provide a general idea of working with MRTG. For information on obtaining and using MRTG, refer to http://people.ee.ethz.ch/~oetiker/webtools/mrtg/.

To obtain SNMP data for the Firebox SSL through MRTG (in UNIX):

1 Configure the Firebox SSL to respond to SNMP queries (Logging > SNMP).
2 Create MRTG configuration files in /etc/mrtg. Each configuration file specifies the OIDs that the MRTG daemon is to monitor, specifies the target from which to obtain SNMP data (the Firebox SSL host name, its SNMP community, and its internal IP address), and defines the MRTG output.

[Figure: a sample MRTG configuration file, with callouts for the Firebox SSL host name, the OIDs to obtain from the Firebox SSL, and the Firebox SSL SNMP community and internal IP address]

3 Modify /etc/crontab to perform an SNMP query every five minutes, resulting in graphed data. The various .cfg files listed will generate separate MRTG output.

[Figure: a sample /etc/crontab entry listing the MRTG configuration files]

4 View the MRTG output in a Web browser. MRTG stores HTML output in the Workdir specified in the configuration file. The output filename that corresponds to the configuration file in Step 2 is vpn.myorg.com.tcpcurrestab.html.
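The following configuration file and crontab line are an added example in standard MRTG syntax, not the file shown in the guide's figure. The target name is chosen so that MRTG writes vpn.myorg.com.tcpcurrestab.html, the output filename Step 4 mentions; it polls tcpCurrEstab (1.3.6.1.2.1.6.9.0), the count of established TCP connections, which is a MIB-II object the Firebox SSL can answer. Everything else is assumed: the WorkDir path, the community string public (replace it with the one entered on the Logging > SNMP tab), and the internal IP address 10.20.30.40 borrowed from the reinstall example later in this appendix.

```text
# /etc/mrtg/vpn.myorg.com.cfg  (added example, not the guide's file)
# Where MRTG writes its HTML and PNG output; serve this directory over HTTP.
WorkDir: /var/www/mrtg

# Target form:  Target[name]: OID_in&OID_out:community@host
# tcpCurrEstab is given twice because MRTG always expects an "in" and an "out"
# value. Append :port after the host if the SNMP port was changed from 161.
Target[vpn.myorg.com.tcpcurrestab]: 1.3.6.1.2.1.6.9.0&1.3.6.1.2.1.6.9.0:public@10.20.30.40
# MaxBytes caps the plotted value; set it above the largest count you expect.
MaxBytes[vpn.myorg.com.tcpcurrestab]: 2000
# gauge: plot the value as read, not as a rate of change of a counter.
Options[vpn.myorg.com.tcpcurrestab]: gauge, nopercent
Title[vpn.myorg.com.tcpcurrestab]: Established TCP connections on vpn.myorg.com
PageTop[vpn.myorg.com.tcpcurrestab]: <H1>Established TCP connections on vpn.myorg.com</H1>
YLegend[vpn.myorg.com.tcpcurrestab]: connections
ShortLegend[vpn.myorg.com.tcpcurrestab]: conn
LegendI[vpn.myorg.com.tcpcurrestab]: Established:
LegendO[vpn.myorg.com.tcpcurrestab]:

# /etc/crontab entry (the system crontab carries a user field): poll every
# five minutes, which is the interval MRTG's graphs are built around.
*/5 * * * *  root  /usr/bin/mrtg /etc/mrtg/vpn.myorg.com.cfg
```

Because the community string sits in this file in clear text, keep the file readable only by root and the user that runs MRTG, and point the Target at the internal interface rather than the external public address so the queries never cross the firewall.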

Viewing System Statistics


General system statistics are provided on the Logging > Statistics tab. The Max. Connections value is the number of licenses installed.

Monitoring Firebox SSL Operations


The Firebox SSL includes a variety of standard Linux monitoring applications so that you can conveniently access the applications from one location. With the exception of the Real-time Monitor, the applications are included in the Firebox SSL under the GNU public license. The icons across the bottom left of the screen provide single-click access to the six monitoring tools. In the bottom right corner, you can view process and network activity levels; mouse over the two graphs to view numeric data. The monitoring applications are as follows.

Firebox SSL Real-time Monitor
Shows the open VPN connections. To view details about a connection, click the arrow for the user name. From the monitor, you can temporarily close a connection by connection type (TCP, etc.), disable a user (the user will not be able to connect until you enable the user), and re-enable a user. For more information, see Managing VPN Connections on page 45.

Ethereal Network Analyzer
Enables you to interactively browse packet data from a live network or from a previously saved capture file. For more information, refer to the Help that is available from the Ethereal Network Analyzer window.

xNetTools
A multi-threaded network tool that includes a service scanner, port scanner, ping utility, ping scan, name scan, whois query, and finger query.

My traceroute
Combines the functionality of the 'traceroute' and 'ping' programs in one network diagnostic tool. As My traceroute (mtr) starts, it investigates the network connection between the Firebox SSL and the destination host that you specify. After it determines the address of each network hop between the devices, it sends a sequence of ICMP ECHO requests to each one to determine the quality of the link to each device. As it does this, it prints running statistics about each device.

fnetload
Provides real-time network interface statistics. It checks /proc/net/dev every second and builds a graphical representation of its values.

System Monitor
Shows information about CPU usage and memory/swap usage. For more information, refer to the Help available from the System Monitor window.

Recovering from a Crash of the Firebox SSL


If the Firebox SSL software crashes, reinstall the Firebox SSL server software from the CD provided with the device. Prepare the PC before you attempt to reinstall the software. Set the PC to have an IP address on the same network as you want to assign to the Firebox SSL. For example, if the Firebox SSL will be set to the address 10.20.30.40/24, set the PC to an address of 10.20.30.41 (or another available address), set the subnet mask address to 255.255.255.0, and set the default gateway address to 10.20.30.40.

To reinstall the Firebox SSL server software:

1 Make sure that a PC capable of hosting terminal emulation software is connected to the Firebox SSL; power on both systems.
2 Insert the Firebox SSL Restore CD into the CD-ROM drive of the PC.

For each Firebox SSL you want to load software on, do these steps:

1 Connect a green (straight-through) network cable from the Windows PC to the Eth1 interface on the Firebox SSL.
2 Connect the blue null modem (serial) cable from the Windows PC to the Firebox SSL serial port.
3 Power on the Firebox SSL.
4 On the Windows PC, click Start > Run and type cmd, then click OK.
5 Change to the CD drive. For example, if the CD drive is D:, type D: and press Enter.
6 Type install ip_address_of_Firebox/netmask. For example, to install and give the Firebox SSL an IP address of 10.20.30.40 with a subnet mask of 255.255.0.0, type:

install 10.20.30.40/16

To install and give the Firebox SSL an IP address of 10.10.10.1 with a subnet mask of 255.255.255.0, type:

install 10.10.10.1/24

7 Power off the Firebox SSL when prompted.
8 When prompted by the PC, power the Firebox SSL on. Installation continues on the Firebox SSL. The Firebox SSL restarts automatically once during this process.

Troubleshooting
The following information explains how to deal with problems you might encounter when setting up and using the Firebox SSL.

The Firebox SSL does not start and the Firebox SSL serial console is blank.
Verify that the following are correctly set up:
- The serial console is using the correct port and the physical and logical ports match.
- The cable is a null-modem cable.
- The COM settings in your serial communication software are set to 115200 bits per second, 8 data bits, no parity, and 1 stop bit.

The Firebox SSL is offline and I cannot reach the Administration Tool.
You can use the Administration Portal to perform tasks such as viewing the system log and restarting the Firebox SSL.

Devices cannot communicate with the Firebox SSL.
Verify that the following are correctly set up:
- The External Public Address specified in the Firebox SSL Administration Tool (Networking > General Networking tab) is available outside of your firewall.
- Any changes made in the Firebox SSL serial console or Administration Tool have been submitted.

I tried using Ctrl-Alt-Delete to reboot the Firebox SSL, but nothing happened.
The reboot function on the Firebox SSL is disabled. You must use the Firebox SSL Administration Tool to restart and shut down the device.

SSLv2 sessions do not work with a multilevel certificate chain.
If intermediate (multilevel) certificates are part of your secure certificate upload, you need to make sure that the intermediate certificates are part of the certificate file you are uploading. SSLv2 does not support certificate chaining. Any certificate that has more than one level must include all intermediate certificates, or the system may become unusable. For information about how to add intermediate certificates to the uploaded certificate file, see Generating a Secure Certificate for the Firebox SSL on page 29.


APPENDIX B

Legal and Copyright Information

GNU GENERAL PUBLIC LICENSE FOR LINUX KERNEL AS PROVIDED WITH FIREBOX SSL ACCESS GATEWAY Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General
Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made
it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate
works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or

Firebox SSL VPN Gateway Administration Guide

161

Legal and Copyright Information

executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

162

Firebox SSL VPN Gateway Administration Guide

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. 
Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

Firebox SSL VPN Gateway Administration Guide

163

Legal and Copyright Information

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY

164

Firebox SSL VPN Gateway Administration Guide

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS Appendix: How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

Firebox SSL VPN Gateway Administration Guide

165

Legal and Copyright Information

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.> Copyright (C) 19yy <name of author> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) 19yy name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.

166

Firebox SSL VPN Gateway Administration Guide

This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. <signature of Ty Coon>, 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.
Index

A

access control, see ACL and user groups
accessible networks 102; and split tunneling 134; deny access without ACL 107; specifying 103
ACL 102; allow/deny rules 124; defining for user group 124; deny access without ACL 107; listed in Secure Access Client window 60
Admin Terminal window 18
Administration Tool 21; monitoring tools 150; opening 19; Real-time Monitor 150
administration 7; Admin Terminal window 18; blocking external access 39; portal 19; Tool 21
Administration > Date tab 42
Administration > Licensing tab; license upload 41
Administration > Maintenance tab; block external access 39; certificate upload 38; restart 49; restore configuration 45; save configuration 45; server upgrade 24; shut down 49
Administration > Users tab 43
Administration Portal page 19
administrative users; changing password 43; resetting to default password 43
adware, host check examples 118
antivirus, host check examples 118
application access, see resource groups
archive of system log 143
authentication 82; LDAP 91; local 82; RADIUS 88; realm 82; realm, removing 100; RSA SecurID 95
Authentication and Local Users tab; add local user 101; LDAP authentication/authorization 92; RADIUS authentication 89; remove realm 100; RSA SecurID authentication 97
authorization 82; LDAP 91; local 83, 85

B

backing up the configuration 43
BlackICE PC Protection configuration 27

C

certificate 29; backing up 43; combining with private key 36; converting to PEM format 35; CSR overview 32; generating for multiple levels 37; installing Cygwin for 33; multilevel and SSL V2 155; private key, unencrypting 34; Security Alert 31; signed by Certificate Authority 29; support 6; uploading 38
Certificate Authority 29
Certificate Signing Request (CSR); generating 33; overview 32
Citrix client 65; enabling 126; saving preferences 128
client variables for portal page 111
client, see Secure Access Client, kiosk
closing VPN connection 45
computer hibernate/suspend, effect on client 138
configuration; Admin Terminal window 18; Administration Portal 19; Administration Tool 21; restoring 45; saving 43; serial console 21
connection; closing to resource 47; handling 46; managing 45; policy changes 81
CPU usage 153

D

Default Gateway setting 72; and dynamic gateway 75
Default realm 84; changing authentication 87; replacing 87
deployment; overview 7; with firewall, see Quick Start; LDAP server 82; RADIUS server 82; RSA ACE/Server 82; server load balancer 16
digital certificate support 6; see also certificate
DNS; client override 58; enable split 75, 135; failover to local 74; in Secure Access Client window 59; server settings 74; suffixes 74
Duplex Mode setting 73
dynamic gateway, enabling 75
dynamic routes, configuring 75

E

Ethereal Network Analyzer 151; unencrypted traffic on client PC 12
External Public Address setting 73

F

failover; client 137; DNS servers 74; gateways 80; internal 137
finger query 151
firewall 26; BlackICE PC Protection configuration 27; host check examples 118; Internet Connection Firewall 58; McAfee Personal Firewall Plus configuration 27; Norton Personal Firewall configuration 28; Sygate Personal Firewall configuration 28; Tiny Personal Firewall configuration 28; using Secure Access Client behind a 11; ZoneAlarm Pro configuration 29
fnetload tool 152
FTP; configuring for use with VPN client 26; using during kiosk session 63

G

gateway device; default 73; dynamic gateway 75
Gateway Interface setting 72
Global Policies tab; accessible networks 103; deny access if no ACL 107; disable portal page authentication 114; force re-login 138; internal failover 138; session timeout 114, 136; single sign-on 140; split DNS 75, 135; split tunneling 135
Group Priority tab 133
groups, see user groups

H

hibernate/suspend 138
host check rules 116; adding to user group 128; examples 118
Host Checks tab 116, 118

I

IEEE 802.11 support 2
internal failover for VPN client 137
Internet Connection Firewall 58
IP address; change impact on SecurID setup 98; internal/external interfaces 72; preconfigured 23
IP pooling 131
IPSec functionality 10

J

Java support (client) 25, 61

K

kiosk 13; browser default URL 128; Citrix client 65; configuring for user group 126; configuring network shares 119; connecting to 61; Java applet 25; link to from website 115; Mozilla client 128; Remote Desktop client 65; removing from portal page 126; shared network drives, using 63; SSH client 67; Telnet 3270 Emulator client 67; using FTP to copy files 64; VNC client 68

L

LDAP Browser 94
LDAP server 82; attribute lookup 94; authentication 91; authorization 91; settings 91
licenses 40; backing up 43; backup CD 40; freeing 45; managing 40; uploading 41
Linux support (client) 4, 54; checking status 55; command-line options 55; link to from website 115; removing client 55; restarting stopped VPN daemon 55
local users; authorization 83, 85; closing connection 45; creating 100; for authentication 82
Logging > Local System Log tab 144
Logging > SNMP tab 146
Logging > Statistics tab 149
Logging > Syslog tab 145
logging, see monitoring tools, SNMP, system log
login script support 140

M

Macintosh support (JVM client) 61
McAfee Personal Firewall Plus configuration 27
memory usage 153
monitoring tools 18; using 150
Mozilla browser in kiosk 126; configuring 128; saving preferences 128
MRTG 146
MTU setting 73
My traceroute tool 152

N

name scanner 151
NAT host 73
network; access 102; accessible networks 103; activity level graph 150; address translation (NAT) 73; connections overview 71; drives, shared 63; interface (NIC) settings 72; interface traffic load monitor 152; monitoring 150; packet data analyzer 151; resource groups; route tracing 152; scanning tools 151
Network Resources tab 105, 106
Networking > DNS/WINS tab 74
Networking > Failover Servers tab 80
Networking > General Networking tab 72
Networking > Routes tab 76, 77
networks; accessible to Gateway 103; deny access without ACL 107; in Secure Access Client window 59
Norton Personal Firewall configuration 28

O

OpenSSL ciphers supported 6

P

packet data, browsing 151
password, administrative user 43
Persistent Mode setting (kiosk) 128
ping; from serial console 23; from xNetTools 151
platforms supported by VPN client 4
policies; ACLs 102; configuring for groups 121; host checks 116; IP pooling 131; multi-group membership 132; network access 102; network shares (kiosk) 119; portal pages 108, 114; setting priority 132; see also global policies
port; for VPN connections 73; required 6; scanner 151
portal; Administration 19; VPN client 51; see Administration Portal, Virtual Network Portal
Portal Page Configuration tab 113
private key; combining with signed certificate 36; unencrypting 34
process activity level graph 150
protocols supported 4
proxy server setup for VPN client 57

R

RADIUS server 82; authentication 88; settings 88; using LDAP authorization with 90
realm-based authentication 82; Default realm 84; see also authentication
Real-time Monitor 45, 151
reinstalling software 153
remote client, see Secure Access Client
Remote Desktop client 65; enabling 126
resource groups 102; adding to user group 124; defining 104; removing from user group 126
restarting server 49
restoring a configuration 45
routes; dynamic 75; static 75
RSA ACE/Server 82; configuration file, see sdconf.rec file; resetting node secret 99; SecurID authentication 95; settings 95
RSA/ACE Server, using LDAP authorization with 98

S

sdconf.rec file 95; generating 96; replacing 98; uploading 97
Secure Access Client 6, 140; ACL list in 60; effect of computer hibernate/suspend 138; effect of policy changes 81; assigning IP address from pool 131; automatic drive mapping support 140; automatic updates 58; Connection Log 61; forcing re-login 138; FTP configuration 25; host check rules 116; internal failover 137; link to from website 115; Linux support 54; operation 9; platforms supported 4; portal (custom) 108; portal (default) 51; proxy server setup 57; single sign-on operation 140; through firewalls/proxies 11; use with Internet Connection Firewall 58; window described 56
SecurID authentication 82
security 6, 8; authentication/authorization 82; controlling network access 102; denying access without ACL 107; digital certificates 29; forcing user re-login after interruption 138; host checking 116; preventing MITM attacks 31; Security Alert 31
serial console 23
server crash recovery 153; software reinstallation 153
server load balancer, connection to 16
server software, uploading 24
service scanner 151
session timeout 136
Share Mounts tab 120
shared network drives 63
shutting down 49
single sign-on for VPN client 140
SNMP 146; logs, enabling and viewing 146; MIB groups reported 146; settings 146
software; firewall, see firewall; installed version 24; reinstalling 153; restarting 49; shutting down 49; upgrades 23; upgrading from a file 24
split DNS; enabling 75, 135; overriding at client 58
spyware, host check examples 118
SSH client 67; enabling 126
SSL, use of 10
static routes; adding 77; configuring 75; example 78; removing 78; testing 78
swap space usage 153
Sygate Personal Firewall configuration 28
syslog server, forwarding system log to 145
system configuration; restoring 45; saving 43
system date and time; changing 41; viewing 41
system log; archive 143; downloading 143; filtering 143; forwarding to syslog server 145; viewing 143
System Monitor 153
system statistics 149

T

Telnet 3270 Emulator client 67; enabling 126
templates (portal), see Virtual Network Portal
time zone, changing 41
Tiny Personal Firewall configuration 28
TLS, use of 10
troubleshooting 154

U

Upload Certificate setting 38
Upload Server Upgrade setting 24
URL; of Administration Portal 19; of Java client 61
user groups 121; authorization 121; choosing custom portal page 130; configuring host check expression 128; configuring kiosk operation 126; configuring resource ACL 124; creating 121; enabling IP pooling 131; LDAP, obtained from 121; naming 121; prioritizing policies 132
User Groups tab 122
user name variable for portal page 111
users, see administrative users, local users, VPN users

V

version of installed software 24
Virtual Network Portal 51; customizing 108; disabling authentication 114; downloading templates 110; loading custom files 113; variables 110
VNC client 68; enabling 126
VPN connection types 53
VPN Gateway Remote Admin Terminal window 8
VPN port setting 73
VPN users; closing connection 45; disabling/enabling 48; enabling single sign-on 140; forcing re-login 138; multi-group membership 132; preventing access through host checks 116; supporting 25; viewing groups and priority group 134; viewing open connections 151; working with shared network drives 63

W

whois query 151
Windows support (client) 4
Windows Terminal Services, support of 65
WINS server; in Secure Access Client window 59; setting 74

X

xNetTools 151

Z

ZoneAlarm Pro configuration 29