F5 FirePass Administrator's Manual

Manual is about: F5 Networks FirePass Server Administrator Guide

Summary of FirePass

  • Page 1

    FirePass™ Server Administrator Guide, version 4.0, MAN-0081-00

  • Page 3

    FirePass™ Server Administrator Guide. Product version: this manual applies to product version 4.0 of the FirePass™ Server Administrator Guide. Legal notices. Copyright © 1999-2003, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be ac...

  • Page 5

    Table of contents.

  • Page 7

    Table of contents. 1 Introducing the FirePass Server: The FirePass remote access solution (1-1); The FirePass server models ...

  • Page 8

    Table of contents (continued): Using signup templates to add user accounts (3-16); Using NFS user permissions from a UNIX password file (3-17); Changing user accounts ...

  • Page 9

    Table of contents (continued): Using client certification validation for the AppTunnels webifyer (4-20); Configuring the Host Access webifyer (4-21); Configuring host acc...

  • Page 10

    Table of contents (continued): Updating the FirePass server's firmware (5-27); Adding definitions for other types of browsers (5-28); Monitoring the FirePass server ...

  • Page 11

    1 Introducing the FirePass Server • The FirePass remote access solution • The FirePass server models • The FirePass server features • About this guide • Finding help and technical support resources.

  • Page 13

    The FirePass remote access solution. The FirePass™ server is a network appliance providing remote users with secure access to corporate networks, using any standard web browser. The FirePass server can be installed in a few h...

  • Page 14

    The FirePass server features. Overview of features: ◆ Security. FirePass server was built from the ground up to adhere to the highest standards of best security practices. • Encryption: FirePass server offers several strengths of encryption, depending on the capability of the browser in ...

  • Page 15

    FirePass server features. The following features are available on both FirePass server models. ◆ Standard web browser support: FirePass server can be used with most standard browsers supporting secure HTTP (also known as HTTPS...

  • Page 16

    ◆ Desktop access: FirePass server offers web-based access to authorized desktops with support for remote control, lightweight email/file access, guest access, and web conferencing. ◆ High availability: FirePass servers can be configured to fail over to hot standby servers. ◆ Scalability...

  • Page 17

    Finding help and technical support resources. You can find additional technical documentation about the FirePass server in the following locations: ◆ Release notes: Release notes containing the latest information for the curre...

  • Page 19

    2 Deploying the FirePass Server • Overview of deploying the FirePass server • Configuring a firewall to work with the FirePass server • Understanding name resolution issues for FirePass servers with a private IP address • Installing the FirePass server • Testing network connectivity • Using the admi...

  • Page 21

    Overview of deploying the FirePass server. This section contains an overview of the tasks for deploying the FirePass™ server. Summary of tasks for installing and deploying the FirePass server: Table 2.1 provides a summary of the...

  • Page 22

    Configuring a firewall to work with the FirePass server. The FirePass server enables remote access by communicating through secure tunnels between remote users at untrusted or unprivileged hosts on the Internet and your corporate LAN. This section describes the firewall ports at your ...

  • Page 23

    Overview of the firewall configuration process. During the process of firewall configuration, you might consider opening the firewall ports in phases. In the initial phase, you could focus on opening the ports that allow access...

  • Page 24

    the FirePass server. To use static NAT, configure a rule that forwards all allowable traffic from the public IP address to the private IP address assigned to the FirePass server. However, some firewalls only allow static NAT using a public IP address other than its own public interface. In t...

  • Page 25

    About the traffic between a remote user's browser and the FirePass server. To allow traffic between a remote user's browser and the FirePass server, you must open the firewall ports as shown in Table 2.2. The FirePass bridge po...

  • Page 26

    About the traffic between the FirePass server and network services. The FirePass server needs access to the network services listed in Table 2.3, some of which are optional and depend on your particular configuration. If the services are hosted across a firewall from the FirePass serv...

  • Page 27

    About the traffic between the FirePass server and application services. To allow traffic between the FirePass server and application services on the corporate LAN, you must open the firewall ports as shown in Table 2.4. The applica...

  • Page 28

    Table 2.4 (continued), as recovered from the flattened page text:

    Traffic type      Protocol  Source address   Source ports    Destination address  Destination ports  ACK bit  Comment
    HTTP              TCP       Local LAN        1025 to 65535   FirePass server      80                          Required
    HTTP (response)   TCP       FirePass server  80              Local LAN            1025 to 65535      Yes      Required
    HTTPS             TCP       Local LAN        1025 to 65535   FirePass server      443
    HTTPS (r...

  • Page 29

    About the traffic between the FirePass server and the desktop agent. To allow traffic from the FirePass server to the corporate LAN using the My Desktop feature, you must open firewall ports as shown in Table 2.5. The FirePass ...

  • Page 30

    Table 2.5 (continued), as recovered from the flattened page text:

    Traffic type      Protocol  Source address   Source ports    Destination address  Destination ports  ACK bit  Comment
    HTTP              TCP       Local LAN        1025 to 65535   FirePass server      80, 81                      Required for My Desktop
    HTTP (response)   TCP       FirePass server  80, 81          Local LAN            1025 to 65535      Yes      Required for My Desktop
    Host activation protoco...

  • Page 31

    Understanding name resolution issues for FirePass servers with a private IP address. If the FirePass server is installed on a corporate LAN or in a DMZ that uses private IP addresses, the firewall or gateway performs network a...

  • Page 32

    Installing the FirePass server. This section describes how to install one or more FirePass servers in an equipment rack, connect them to a network, and power them up. When installing and connecting wiring to the FirePass server, be sure to follow these basic safety precautions to avo...

  • Page 33

    Figure 2.2: FirePass 4000 port locations. 2. If you are connecting two dual-NIC FirePass servers in failover pairs, connect the same corresponding NICs to the same subnet on both servers. For example, connect the internal NIC o...

  • Page 34

    Performing the initial FirePass IP configuration. The FirePass server comes pre-configured with a default set of networking and server settings. The following table provides important default FirePass settings. Perform the initial IP configuration using the web-based FirePass adminis...

  • Page 35

    https://192.168.1.99/stats/ into the web browser (be sure to include the final slash). One or more certificate warning messages may be displayed. Accept these. You should see the FirePass login screen. 2. Log in using the defa...

  • Page 36

    Testing network connectivity. After connecting the FirePass server to your network, powering it up, and performing the initial IP address configuration, test that you can access the server from your network, and that the FirePass server's fully qualified domain name resolves correctl...

  • Page 37

    ◆ If you have trouble accessing the FirePass server by entering the fully qualified domain name on a computer inside the firewall, try entering the internal IP address. This problem is usually caused by DNS reflection, which ...

  • Page 38

    5. Click Login. After you log in, the Welcome panel for the FirePass administrative console appears. The administrative console is composed of several panels where you select options, enter configuration information, and choose commands to configure and administer the FirePass ser...

  • Page 39

    Server/Security/Administrators. For more information about assigning administrator privileges, see Granting administrator privileges to other users, on page 5-21. Important: If your superuser password is lost, contact technica...

  • Page 40

    Using the administrative console to access the maintenance console. You can use a web browser to gain access to the maintenance console. You do this by launching a telnet session within the administrative console. To use the administrative console to run the maintenance console: 1. Un...

  • Page 41

    Using the maintenance console. If you intend to use the administrative console web interface (recommended) to configure the FirePass IP address, or if your server's IP address and network mask are already configured correctly, ...

  • Page 42

    4. At the login prompt, enter the following: maintenance. No password is required. 5. Enter y to agree to the conditions on the screen. The maintenance console menu appears. 6. To change the server name or other network settings, enter 1 for Network Configuration and then press the E...

  • Page 43

    What's next? Now that the FirePass server is installed and accessible on the network, you can use the administrative console to finish configuring FirePass. ◆ Set up security on the FirePass server by adding groups and user a...

  • Page 45

    3 Setting Up FirePass Server Security • Overview of setting up FirePass server security • Working with groups • Working with user accounts • Setting up FirePass server authentication • Setting up certificates • Limiting access to the administrative console by IP address • What's next?

  • Page 47

    Overview of setting up FirePass server security. Here is an overview of the steps for setting up groups, user accounts, authentication, and certificates on the FirePass™ server. 1. (Optional) If you want to use different ...

  • Page 48

    4. (Optional) If you want to give FirePass server users access to NFS file servers, you can import the NFS permissions for each user that is listed in a UNIX password file. (See Using NFS user permissions from a UNIX password file, on page 3-17.) 5. Set up authentication for each gro...

  • Page 49

    Creating groups. To create a group, use the Group Management screen. 1. Under the Users tab on the left side of the administrative console, click the Groups link. The Group Management screen opens. 2. In the New Group Name...

  • Page 50

    4. Click the Create button. The new group is now accessible from the group list on the panels for setting up authentication methods, webifyers, and signup templates. Deleting groups. To delete a group: 1. In the Delete Group section of the Group Management panel, select the group from ...

  • Page 51

    groups to existing FirePass server groups. When a user logs into the FirePass server, FirePass server queries the Windows domain groups for the user's name and attempts to match one of the domain groups to the FirePass s...

  • Page 52

    8. To test which FirePass server group a user would be mapped to, enter a user login name for the Windows domain, and then click the Test Mapping button. Note: If necessary, you can delete a mapping by selecting it and then clicking the Delete link. Using LDAP-based group mapping. LDAP...

  • Page 53

    4. If you want to use SSL, select the Use SSL Connection option. 5. In the User DN box, enter a user DN. For example: cn=administrator,dc=demo,dc=fp,dc=com 6. In the User Password box, enter a password. Note: You can lea...

  • Page 54

    For example, suppose you have an LDAP attribute named department that has three attribute values: financial department, sales department, and marketing department. Suppose you also have three FirePass server groups named financial, marketing, and sales. In that example, you map these ...

  • Page 55

    For example, here are some attributes that are used in a standard LDAP schema. Mapping based on LDAP group object information. To use this method, you should have a group object in your LDAP schema that may be used to m...

  • Page 56

    11. In the Filter for Group box, specify an LDAP query. It must be a valid LDAP query expression. For example: ou=groups,o=mycompany 12. In the Query Template for Static Members box, specify a query template for static members. Use %logon% in the filter expression to insert a user n...

  • Page 57

    Working with user accounts. You can add user accounts to each group on the FirePass server by using any of the following methods: • Manually add users to each group. (See Manually adding user accounts, following.) • Impo...

  • Page 58

    3. If you want to add the user to a group other than the default group, choose the group from the Group drop-down list and then click the Change Group button. 4. In the Logon text box, enter a user name for the user. 5. In the First Name, Last Name, and Middle Initial boxes, enter t...

  • Page 59

    8. (Optional) As necessary, select the options to force the user to change their password on the initial logon, email the password to the user, force periodic password changes, or deactivate the account after a specifie...

  • Page 60

    5. (Optional) In the WINS Server IP Address box, specify the IP address of the WINS server if the domain or PDC is on a different subnet than the FirePass server. 6. If the Windows domain PDC is not configured to accept anonymous access to user and group information, select the Join...

  • Page 61

    Importing user accounts from an LDAP server. To import user accounts from an LDAP server: 1. In the User Management panel, click the LDAP Import button. The LDAP Import screen opens. 2. If you want to add the users to a g...

  • Page 62

    16. Click the Add Users button to import the user accounts. Importing user accounts from a comma- or tab-delimited text file. You can import user accounts from a text file that contains either commas or tabs between each element of information, such as first name, last name, and so on...

  • Page 63

    If you are using an LDAP or Windows domain server and you set up group mapping, the FirePass server also retrieves the user's group information and adds the user to the corresponding mapped group in its internal databas...

  • Page 64

    ID in the user's existing FirePass server account. Note that each FirePass server user's logon name (user name) must be identical to the logon name in the NFS servers. For example, a user with the logon name of tjones on the FirePass server must also have tjones as the logon name on...

  • Page 65

    2. In the NFS Settings section at the bottom of the User's Details panel, enter the NFS user ID in the User ID box. 3. In the Group ID box, enter the NFS group ID. 4. Click the Add button. Changing user accounts. To chan...

  • Page 66

    To assign administrative privileges to a user account: 1. Log into the administrative console as the superuser, or as a user who already has administrative privileges. 2. Under the Server tab on the left side of the administrative console, click the Security link. 3. On the Security ...

  • Page 67

    • To allow access to a subset of panels associated with a tab, click the Edit link next to the tab. For example, click the Edit link next to the Server tab name to specify access to the panels associated with the Server...

  • Page 68

    3. Click the Generate Installation Keys button. The FirePass server generates the keys and displays them on the Existing FirePass Installation Keys panel, which displays the status of generated keys. 4. To send the keys to users, enter each user's email address in the Send To box ne...

  • Page 69

    Setting up FirePass server authentication. Authentication is set up on a per-group basis on the FirePass server. If you are using the same authentication for all FirePass server users, you can simply add all users to the...

  • Page 70

    set up and no other configuration is required. However, if you want to convert a group's authentication from an external server to the internal database, use the following instructions. To convert a group to internal database authentication: 1. Under the Server tab, click the Authent...

  • Page 71

    10. Click the Save Settings button. To test the RADIUS authentication settings: 1. Click the Test button. 2. Enter a user name and password in the RADIUS server, and then click the Test button. Setting up a RADIUS server...

  • Page 72

    authentication on the FirePass server. This allows FirePass server to add a machine account for itself, join the domain, and create a trust relationship with the primary domain controller (PDC). FirePass server can then authenticate users using native NTLM services. ◆ Netlogon share...

  • Page 73

    9. If the FirePass server is to become part of the Windows domain and perform native NTLM authentication services, click the Join Windows Domain option. Then specify the domain admin name and domain admin password. 10. ...

  • Page 74

    Setting up VASCO Digipass authentication. If the VASCO Digipass authentication feature is licensed, the FirePass server can authenticate using a VASCO server. Each user is issued a security token that generates a unique and dynamically time-limited password. The server has a similar ...

  • Page 75

    Setting up certificates. A valid server certificate is very important in establishing a transparent HTTPS connection. The browser running on the user's computer checks the certificate against its built-in list of certifi...

  • Page 76

    Changing the FirePass server name. If you have a pilot FirePass server named server-name.fp.com (or some other default name), and you want to generate and install a new server certificate that is specific to your site, you must first change the server name. To change the FirePass ser...

  • Page 77

    11. Unzip the zip file and send the certificate request file (called newcert.csr) to a known certificate authority to be signed. When asked by the certificate authority, specify the type of the certificate as mod_ssl. I...

  • Page 78

    Here is an overview of the steps for using client certificates to authenticate a user's computer: ◆ Install the client root certificate on the FirePass server. (See Installing a client root certificate, following.) ◆ Enable the validation of client certificates. (See Enabling valida...

  • Page 79

    Enabling validation of client certificates. To enable validation of client certificates: 1. After you have installed a client root certificate, select the Request and Validate Client Certificate option on the Certificates...

  • Page 80

    • Required for access to select webifyers: This option enables client certificate authentication for access to a set of webifyers that you specify. Click the Webifyers Requiring Client Certificate for Access option and then select the webifyers you want to restrict access to. (You ca...

  • Page 81

    Limiting access to the administrative console by IP address. To increase the security of the FirePass server, you can limit access to the administrative console by source IP address and/or subnets. Your current browser's...

  • Page 83

    4 Configuring the FirePass Webifyers • Overview of the FirePass webifyers • Configuring the My Files webifyer • Configuring the My NFS webifyer • Configuring the My Intranet webifyer • Configuring the My E-mail webifyer • Configuring the Terminal Services webifyer • Configuring the AppTunnels webify...

  • Page 85

    Overview of the FirePass webifyers. The FirePass™ Webifyers™ provide remote users with web-based remote access to a wide variety of network applications and resources, including email servers, intranet servers, file server...

  • Page 86

    ◆ Host Access provides remote users with web-based access to legacy VT100, VT320, telnet, X-term, and IBM 3270/5250 applications without any modifications to the applications or application servers. (See Configuring the Host Access webifyer, on page 4-21.) ◆ SSL VPN provides remote u...

  • Page 87

    Configuring the My Files webifyer. The My Files webifyer allows remote users to browse and view files stored on internal LAN file servers. As the FirePass administrator, you can configure the My Files webifyer to limit acc...

  • Page 88

    Enabling virus scanning and file uploading for the My Files webifyer. By default, users can download files with the My Files webifyer. You can also choose to allow users in a group to upload files, and you can enable virus scanning of all downloaded and uploaded files. If the FirePass...

  • Page 89

    Important: The WINS address setting is required for multi-segment networks where the FirePass server and the LAN are on different network segments, or when the LAN has multiple segments. If you do not specify the IP addre...

  • Page 90

    Configuring the My NFS webifyer. Like the My Files webifyer, the My NFS webifyer allows remote users to browse and view files stored on internal UNIX NFS file servers. As the FirePass administrator, you can configure the My NFS webifyer to limit access for a particular group to the NF...

  • Page 91

    3. In the Name box, specify a name for the path that you are defining as a My NFS favorite. This name is displayed as a label for the My NFS favorite in the user's web browser under the My NFS Files icon. For example: leg...

  • Page 92

    Configuring the My Intranet webifyer. The My Intranet webifyer allows remote users to access web servers on the internal LAN in a unified and secure way. A user can either browse the internal web sites by the site's name or internal IP address, or use intranet favorites that you de...

  • Page 93

    3. In the Name box, specify a name for the intranet site that you are defining as a My Intranet favorite. This name is displayed as a label for the My Intranet favorite in each user's web browser under the My Intranet ico...

  • Page 94

    The following table lists several other user-agent strings. Tip: An easy way to enter a user agent string is to copy and paste the string from the Logons report. Click the Logons link under the Reports tab, and copy the user agent string from the User Agent column for various users ...

  • Page 95

    Configuring the My E-mail webifyer. The My E-mail webifyer provides remote users with HTML access to multiple POP and IMAP mailboxes, and LDAP address books. After configuring a corporate email account, you can specify an...

  • Page 96

    5. From the Type drop-down list, select the mail server type (POP or IMAP). 6. If you are using an IMAP mail server, enter a list of folders in the IMAP Folders box that you want displayed. Enter a comma between the folder names in the list. This list prevents the confusion created ...

  • Page 97

    Note: You can leave this text box blank if no authentication is required. 7. In the Search Base box, enter the DN of the entry in the tree to be used for the search. For example: cn=recipients,ou=exchange,o=acme, inc. 8....

  • Page 98

    3. In the Port box, enter an LDAP port, such as 389. 4. If you want to use SSL, select the Use SSL Connection option. 5. In the Bind DN box, enter the relative distinguished name to bind to. Note: You can leave this box blank if you want to use the server default. 6. In the Bind Pas...

  • Page 99

    Configuring the Terminal Services webifyer. The Terminal Services webifyer provides remote users with access to internal LAN Microsoft terminal servers, Windows XP desktop computers, Citrix MetaFrame servers, and VNC serv...

  • Page 100

    To configure screen resolution and terminal services favorites: 1. From the For the Group drop-down list, select the group that you want to configure the terminal services for. 2. To set the initial screen resolution for terminal servers and Citrix MetaFrame for the current group, se...

  • Page 101

    Limiting a group's access to the terminal service favorites. If you want to limit a group's access to the terminal service favorites you specified, select the Limit MyNetwork Access to Terminal Service Favorites Only opti...

  • Page 102

    Configuring the AppTunnels webifyer. The AppTunnels webifyer supports access from client applications on each user's remote computer to TCP/IP application servers. The AppTunnels webifyer enables a native client-side application to communicate back to the corporate application server...

  • Page 103

    To configure AppTunnel favorites: 1. From the For the Group drop-down list, select the group that you want to configure the AppTunnels for. 2. In the Favorite AppTunnels section, click the Add New link. 3. In the Name box...

  • Page 104

    7. If you are creating a custom AppTunnel, you need to specify remote and local ports for the connection. Generally, we recommend that you use the remote value for the local port at the access point, unless there might be a server running on the same port on a potential accessing co...

  • Page 105

    Configuring the Host Access webifyer. The Host Access webifyer allows remote users to access legacy applications using a web browser. The Host Access webifyer does not require any application modifications or any third-pa...

  • Page 106

    3. In the Name box, specify a name for the Host Access favorite. This name is displayed as a label for the Host Access favorite in each user's web browser under the Host Access icon. 4. In the Host box, specify the host's name or its IP address. 5. In the Port box, specify the host'...

  • Page 107

    Configuring SSL VPN. The FirePass server's SSL VPN provides the functionality of a traditional IPsec VPN client, but it is easier to deploy. Unlike a traditional IPsec VPN client, the SSL VPN webifyer does not require any...

  • Page 108

    Configuring global SSL VPN settings. First, configure the global SSL VPN settings that apply to all groups, and then configure the SSL VPN webifyer settings for each group. To configure the global SSL VPN settings: 1. Under the Server tab on the left side of the administrative console...

  • Page 109

    Warning: The pool of addresses for the VPN must not contain the FirePass server address. Otherwise, severe routing problems can occur. 5. Click the Apply These Rules Now button. Configuring global SSL VPN packet filter r...

  • Page 110

    Configuring global SSL VPN timeout rules. To configure the global timeout rules: 1. On the VPN Settings screen, select the Use Packet Filter to Access LAN option. The Packet Filter Rules section is displayed on the VPN Settings screen. 2. In the Timeout Rules section, click the Add Ne...

  • Page 111

    Configuring the SSL VPN webifyer for a group. Under the Webifyers tab, click the SSL VPN link to open the SSL VPN webifyer screen. To configure the SSL VPN webifyer for a group: 1. From the For the Group drop-down list, se...

  • Page 112

    Chapter 4 (page 4-28). 5. (Optional) To have only the traffic targeted at a specified address space go through the SSL VPN Webifyer, select the Use split tunneling option. All of the remote user’s other Internet activity is handled by the user’s ISP. For example, you might want to enable this option if a ...

  • Page 113

    Configuring the FirePass Webifyers (page 4-29). 12. To compress all traffic between the SSL VPN client and the FirePass server using the gzip deflate method, select the Use gzip compression option. Configuring group packet filter rules. If you have first enabled global...

  • Page 114

    Chapter 4 (page 4-30). 2. In the Path box, enter a UNC path to the network share. Important: the administration console does not verify the path you specify, so be sure to enter it correctly. 3. From the Map to drop-down list, select the preferred drive letter to map the network share to. Note: if the driv...

  • Page 115

    Configuring the FirePass Webifyers (page 4-31). Configuring the My Desktop Webifyer. The My Desktop Webifyer provides employees with full remote-control access to their desktop computers on the internal LAN. Employees can also use the My Desktop Webifyer to grant acces...

  • Page 116

    Chapter 4 (page 4-32). To configure the My Desktop ports: 1. Under the Desktop tab on the left side of the administrative console, click the Settings link. The Default Desktop Software Server TCP Ports screen opens. 2. In the HTTP port box and the HTTPS port text box, enter the default port assignments for...

  • Page 117

    Configuring the FirePass Webifyers (page 4-33). Using client certificate validation for the My Desktop Webifyer. You can restrict access to the My Desktop Webifyer to users in a group who have a valid client certificate installed on their computer. To use client cert...

  • Page 118

    Chapter 4 (page 4-34). 1. From the For the group drop-down list, select the group that you want to configure guest access for. 2. To enable the Guest Access Webifyer for the selected group, select the Allow guest access option. 3. From the drop-down list, select a method for how users send an invitation t...

  • Page 119

    Configuring the FirePass Webifyers (page 4-35). Configuring the X-Windows Access Webifyer. FirePass X-Windows Access allows users to connect to UNIX and Linux applications and application servers from any standard web browser (so long as it is either Java or Active-X ...

  • Page 120

    Chapter 4 (page 4-36). 3. Click the Add new favorite link (or the green X button next to it). The screen refreshes to provide input boxes. 4. In the Name box, supply a user-friendly name consisting of any alphanumeric string. You may use spaces, but do not use slashes or special characters. 5. In the scre...

  • Page 121

    Configuring the FirePass Webifyers (page 4-37). Editing X-Windows host configuration details. You can change the configuration details for a host from the My X Windows Webifyer screen. To edit an X-Windows host configuration: 1. Be sure to select the group for which you...

  • Page 122

    Chapter 4 (page 4-38). Using client certificate validation for Webifyers. You can restrict Webifyer usage to users in a group who have a valid client certificate installed on their computer, in addition to knowing their user name and password. For example, for a laptop user, you can restrict usage of the my...

  • Page 123

    5 Managing, Monitoring, and Maintaining the FirePass Server • Maintaining the network configuration settings • Configuring IPsec for the FirePass server • Managing FirePass licenses • Mapping FirePass users to NFS users • Specifying HTTP and SSL proxies • Configuring an SNMP agent • Shutting down an...

  • Page 125

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-1). Maintaining the network configuration settings. You can use the administrative console to configure the FirePass server’s network settings. These include the network interfaces, IP addresses and netm...

  • Page 126

    Chapter 5 (page 5-2). 5. When you are finished entering the IP addresses and making other needed configuration changes, navigate to the Server/Maintenance screen and click the Finalize link to commit your changes. The changes are not applied until you have finalized the configuration and restarted your se...

  • Page 127

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-3). Adding specific routes. To add a route to the main routing table: 1. Select the device, and the source IP address [src (ip)] and netmask [len] to use. If you are in advanced mode, also select which ro...

  • Page 128

    Chapter 5 (page 5-4). You can specify rules controlling which routing tables to use, and in what order, for particular routes and groups of routes. The route or route group is specified by filling in the destination IP, the source IP, and the device. A blank source or destination IP address acts as a wild...

  • Page 129

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-5). Configuring host names. Fully-qualified domain name: to add or change the server’s fully-qualified domain name (FQDN) and add other static host names, navigate to server/maintenance/network configurat...

  • Page 130

    Chapter 5 (page 5-6). • If you use My Desktop, you must have exactly one service configured to allow desktop agents to communicate with the FirePass server. • If you have a clustered or failover configuration, you must have at least one service configured for use by the synchronization agent. To configure ...

  • Page 131

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-7). To configure a service: 1. Click the Configure link on the service’s table row to provide the configuration details. The Web Server Configuration Detail screen appears. Provide these variables: • hos...

  • Page 132

    Chapter 5 (page 5-8). Configuring Desktop Services bridge ports. When a remote user accesses his own desktop system, FirePass intermediates the sessions using a range of high ports, called bridge ports. To specify what ports to use, navigate to server/maintenance/network configuration/desktop. Use this scr...

  • Page 133

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-9). Configuring IPsec for the FirePass server. IPsec (Internet Protocol Security) is a set of security mechanisms for enforcing the confidentiality, integrity, and authenticity of data transmitted over i...

  • Page 134

    Chapter 5 (page 5-10). • If the remote endpoint is a server, select Host as the endpoint type. • If the remote endpoint is a security gateway, select Gateway. 8. If you selected Gateway as the endpoint type, enter the subnet address behind the security gateway in the Remote subnet text box. 9. In the shar...

  • Page 135

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-11). Managing FirePass licenses. You can install or upgrade the FirePass server license using the admin console. Licenses are managed using the Settings link under the Server tab. Obtaining a license for...

  • Page 136

    Chapter 5 (page 5-12). 3. Select the new concurrent sessions capacity limit, enter the number of desktop licenses, and check all the features you want to obtain a license to use. 4. Click the Generate license request button. An encrypted message appears. 5. Copy and paste this request into an email. 6. Se...

  • Page 137

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-13). If you do not have an NIS server but you still want strict access control for the NFS file systems, you must define all NFS users manually on the FirePass server. (For more information, see Using n...

  • Page 138

    Chapter 5 (page 5-14). Specifying HTTP and SSL proxies. You can configure the FirePass server to use HTTP and SSL proxies for web server access. Proxies may be required in the following situations: • If the FirePass server has no outbound access to the Internet, the update mechanism for the FirePass server...

  • Page 139

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-15). Configuring an SNMP agent. You can use a Simple Network Management Protocol (SNMP) agent to monitor the FirePass server. For more information on the MIBs that the SNMP agent supports, see the online...

  • Page 140

    Chapter 5 (page 5-16). 6. (Optional) In the Contact text box, enter an email address to contact, such as the address for the FirePass server administrator. 7. In the Community name text boxes in the rocommunity and rwcommunity sections, enter the community name that is configured in your SNMP management t...

  • Page 141

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-17). Shutting down and restarting FirePass. Important: do not turn the FirePass server off by using the power switch. Data corruption can occur as a result, which would render the FirePass server unavailab...

  • Page 142

    Chapter 5 (page 5-18). • To restart the FirePass server software components, click the Restart service link. To restart the FirePass server hardware using the maintenance console: in the maintenance console, select the Restart server command. Stopping and starting the bridge. You can start and stop the brid...

  • Page 143

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-19). Backing up and restoring the FirePass server. You can back up and restore the current FirePass server configuration, including user accounts, logs, and FirePass settings. Note: your network configura...

  • Page 144

    Chapter 5 (page 5-20). Specifying the email server. To have the FirePass server send email messages to the FirePass administrator and users, you must specify an email server for the FirePass server to use. To specify an email server for the FirePass server to use: 1. Under the Server tab on the left side of...

  • Page 145

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-21). Granting administrator privileges to other users. Role-based administration is a powerful feature allowing you to assign customized subsets of administrative access and privileges, according to the ...

  • Page 146

    Chapter 5 (page 5-22). Specifying the time, time zone, and NTP server. You can specify a time zone for the FirePass server’s location, and you can specify a Network Time Protocol (NTP) server for the FirePass server to use. You can also manually set the time for the FirePass server. To specify a time, time...

  • Page 147

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-23). Configuring client caching and compression settings. You can configure settings that determine caching and compression of files sent from the FirePass server to remote users’ web browsers, as well a...

  • Page 148

    Chapter 5 (page 5-24). • Block non-HTML data: select this option to block file downloads and attachments that consist of .doc and .pdf files. • Don't block cookies at FirePass, pass them to the browser: select this option to allow the server to pass cookies to the user’s web browser. This option might be us...

  • Page 149

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-25). Managing log files. You can purge and archive FirePass server logs manually or automatically at specified intervals. Periodic purging and archiving of logs is important to manage storage space on th...

  • Page 150

    Chapter 5 (page 5-26). 8. To manually start a purge procedure, click the Click to purge logs right now link. 9. To show archived log data in the reports panels, click the Set archive database for reports link. After you click this link, the log information displayed in the reports panels is from the archi...

  • Page 151

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-27). Updating the FirePass server’s firmware. You can have the FirePass server check and indicate whether an update to the server’s firmware is available. If new firmware is available, you can have the serve...

  • Page 152

    Chapter 5 (page 5-28). Adding definitions for other types of browsers. You can add and classify definitions for other types of browsers, such as mini-browsers and phones. To add a definition for a browser: 1. Under the Server tab on the left side of the administrative console, click the Maintenance link. Th...

  • Page 153

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-29). Monitoring the FirePass server. You can monitor the FirePass server by displaying various graphs of the real-time load on server components, by displaying statistics, and by capturing network packet...

  • Page 154

    Chapter 5 (page 5-30). 5. To delete all data from the monitoring database, click the zeroinit link at the bottom of the panel. Displaying FirePass server statistics. You can display statistics and information for the FirePass server, such as average load, performance averages, and number of IPsec connectio...

  • Page 155

    Managing, Monitoring, and Maintaining the FirePass Server (page 5-31). 8. To start capturing, click the link at the bottom of the panel, Please click here to start sniffing the network traffic. A window opens and a line is drawn to indicate that the packets are being capt...

  • Page 157

    6 Using FirePass Reports • Overview of FirePass server reports • Using the Logon report • Using the My Desktop Activations report • Using the Session report • Using HTTP Log reports • Using the Application Log report • Using the Summary report • Using the Group report.

  • Page 159

    Using FirePass Reports (page 6-1). Overview of FirePass server reports. You can display and print reports that describe FirePass server activity and status. You can also download and save a report as a Microsoft® Excel (.xls) file. The following types of FirePass ser...

  • Page 160

    Chapter 6 (page 6-2). Using the Logon report. The Logon report provides a list of all attempts to log on to the FirePass server, both successful and unsuccessful. You can filter the report for unsuccessful attempts, which quickly provides an audit trail for detecting attacks from unauthorized users. In add...

  • Page 161

    Using FirePass Reports (page 6-3). Using the My Desktop Activations report. The My Desktop Activations report provides a list of all activations of the My Desktop Webifyer. You can filter the My Desktop Activations report for all failed activations, and for failed acti...

  • Page 162

    Chapter 6 (page 6-4). Using the Session report. The Session report provides a list of all active user sessions and a history of sessions, along with the corresponding user names, logons, times, and status. To display the Session report: 1. Under the Reports tab on the left side of the administrative console...

  • Page 163

    Using FirePass Reports (page 6-5). Using HTTP Log reports. The HTTP Log report includes the following types of low-level server logs: • HTTP server access log • HTTP server error log • HTTPS server access log • HTTPS server error log • SSL engine log. The FirePass serve...

  • Page 164

    Chapter 6 (page 6-6). Using the Application Log report. The Application Log report provides a list of aggregate and per-user application logs. To display the Application Log report: under the Reports tab on the left side of the administrative console, click the App Logs link to open the Application Log repo...

  • Page 165

    Using FirePass Reports (page 6-7). Using the Summary report. The Summary report provides a summary of global or group-based user activity, including statistics and descriptions of operating system and browser type usage over specified periods of time. You can also display...

  • Page 166

    Chapter 6 (page 6-8). Using the Group report. The Group report provides a snapshot of the user-group distribution and group-based averages. To display the Group report: 1. Under the Reports tab on the left side of the administrative console, click the Group Report link. 2. With the Group report, you can do ...

  • Page 167

    7 Configuring FirePass Failover Servers and Cluster Servers • Using FirePass failover servers • Using FirePass server clusters.

  • Page 169

    Configuring FirePass Failover Servers and Cluster Servers (page 7-1). Using FirePass failover servers. The failover feature provides fault tolerance and guarantees that at least one server in a failover pair is accessible to users in the unlikely event of a server fail...

  • Page 170

    Chapter 7 (page 7-2). To add or change the IP addresses in the failover pair, you specify the IP addresses in the IP Configuration panel for both servers. (For information on accessing the IP Configuration panel, see Configuring IPsec for the FirePass server, on page 5-9.) These addresses must be configur...

  • Page 171

    Configuring FirePass Failover Servers and Cluster Servers (page 7-3). Configuring the failover settings. To configure the failover settings. To configure servers as members of a failover pair, you must configure both: • identical virtual IP addresses for their respectiv...

  • Page 172

    Chapter 7 (page 7-4). • The remote IP address must be a physical (not virtual) IP address of the corresponding NIC of the other member of the failover pair. • The local IP address is a physical (not virtual) IP address of this NIC on this server. Select the address to be used in the heartbeat signal. Note...

  • Page 173

    Configuring FirePass Failover Servers and Cluster Servers (page 7-5). Using FirePass server clusters. FirePass 4000 servers (or failover pairs of servers) can be clustered to support many concurrent connections on a single logical URL without performance degradation. L...

  • Page 174

    Chapter 7 (page 7-6). Configuring FirePass server clusters. A cluster consists of one master node and up to nine optional slave nodes. The master node is responsible for handling incoming connections and redirecting each session to an available slave. The master node is also responsible for maintaining con...

  • Page 175

    Configuring FirePass Failover Servers and Cluster Servers (page 7-7). Configuring clustered servers. Note: clustering screens and links are visible only if you have a clustering license installed. To configure internal synchronization: 1. Under the Server tab on the left...

  • Page 176

    Chapter 7 (page 7-8). Important: these settings do not take effect until you have committed them using the Finalize screen. Accessing a slave server’s configuration while connected to a master server. You can access a slave server’s configuration while you are connected to a master server using the administ...

  • Page 177

    Index.

  • Page 179

    Index (page Index-1). A: access to server, limiting by IP address 3-35; activity, report 6-7; administrative console: access maintenance console from 2-20, using 2-17; administrative privileges, assigning to users 3-19; administrator, e-mail address 5-20; application logs rep...

  • Page 180

    Index (page Index-2). failover servers: changing active server 7-4, configuring settings for 7-3, installing 7-1, IP addresses for 7-1, overview of 7-1, powering up 7-2; features of FirePass 1-2; FirePass: authentication 3-23, client certificates, using 3-31, clusters 7-5, deploying, overview of 2-1, failover servers ...

  • Page 181

    Index (page Index-3). M: maintenance console, access using administrative console 2-20; models of FirePass 1-1; monitoring server 5-29; My Desktop Activations report 6-1, 6-3; My Desktop Webifyer 4-2, 4-31: activations report 6-3, bridge access, disabling 4-32, client certific...

  • Page 182

    Index (page Index-4). SSL VPN Webifyer 4-2, 4-23: benefits 4-23, client certificates 4-30, drive mappings 4-29, global client appearance 4-26, global packet rules 4-25, global timeout rules 4-26, global VPN settings 4-24, group configuration 4-27, group packet rules 4-29, launching applications automatically 4-30, s...