Watchguard SSL 1000 User Manual

Manual is about: Watchguard SSL 1000 Gateway: User Guide

Summary of SSL 1000

  • Page 1

    WatchGuard® Firebox® SSL VPN Gateway Administration Guide. Firebox SSL VPN Gateway.

  • Page 2

    ii Firebox SSL VPN Gateway. Address: 505 Fifth Avenue South, Suite 500, Seattle, WA 98104. Support: www.watchguard.com/support, support@watchguard.com; U.S. and Canada +877.232.3531, all other countries +1.206.613.0456. Sales: U.S. and Canada +1.800.734.9905, all other countries +1.206.521.8340. About WatchGu...

  • Page 3

    Admin Guide iii. Contents: Chapter 1, Getting started with Firebox SSL VPN Gateway, 1; Audience, 1; Oper...

  • Page 4

    iv WatchGuard SSL VPN Gateway. Disable kiosk mode, 12; Specify multiple ports and port ranges for network resources, 12; Voice ov...

  • Page 5

    Admin Guide v. Using the serial console, 33; To open the serial console, ...

  • Page 6

    vi WatchGuard SSL VPN Gateway. Allowing ICMP traffic, 46; To enable ICMP traffic, ...

  • Page 7

    Admin Guide vii. To disable Firebox SSL VPN Gateway authentication, 68; SafeWord PremierAccess authorization, 68; Using SafeWord for Citrix or SafeWo...

  • Page 8

    viii WatchGuard SSL VPN Gateway. Enabling session time-out, 92; Configuring web session time-outs, ...

  • Page 9

    Admin Guide ix. Using the Access Portal, 118; To connect using the default portal page, 118; Connecting ...

  • Page 10

    x WatchGuard SSL VPN Gateway. Launching the v 5.5 Administration Tool, 143; Troubleshooting, ...

  • Page 11

    Administration Guide 1. Chapter 1: Getting started with Firebox SSL VPN Gateway. This chapter describes who should read the Firebox SSL VPN Gateway Administration Guide, how it is organized, and its document conventions. Audience: this user guide is intended for system administrators responsible for ins...

  • Page 12

    Document conventions 2 Firebox SSL VPN Gateway. Document conventions: Firebox SSL VPN Gateway documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface. LiveSecurity Service solutions: the number of new security problems and the vo...

  • Page 13

    Administration Guide 3. LiveSecurity Service broadcasts. Learn more about your WatchGuard Firebox® and network security, or find a WatchGuard Certified Training Center in your area. LiveSecurity Service broadcasts: the WatchGuard® Rapid Response Team regularly sends messages and software information ...

  • Page 14

    LiveSecurity Service self-help tools 4 Firebox SSL VPN Gateway. New from WatchGuard: when WatchGuard releases a new product, we first tell you — our customers. You can learn about new features and services, product upgrades, hardware releases, and promotions. Activating LiveSecurity Service: you can ac...

  • Page 15

    Administration Guide 5. WatchGuard Users Forum. Advanced FAQs: the advanced FAQs (frequently asked questions) give you important information about configuration options and operation of systems or products. They add to the information you can find in this user guide and in the online help system. Firew...

  • Page 16

    Online help 6 Firebox SSL VPN Gateway. This forum has different categories that you can use to look for information. The Technical Support team moderates the forum during regular work hours. You do not get special help from Technical Support when you use the forum. To contact Technical Support directl...

  • Page 17

    Administration Guide 7. Training and certification. Service time: we try for a maximum response time of four hours. Single Incident Priority Response Upgrade (SIPRU) and Single Incident After Hours Upgrade (SIAU) are also available. For more information about these upgrades, refer to the WatchGuard web site a...

  • Page 18

    Training and certification 8 Firebox SSL VPN Gateway. ...a certification exam. The training materials include links to books and web sites with more information about network security. WatchGuard product training is also available at a location near you through a large group of WatchGuard Certified Tr...

  • Page 19

    Administration Guide 9. Chapter 2: Introduction to Firebox SSL VPN Gateway. WatchGuard Firebox SSL VPN Gateway is a universal Secure Sockets Layer (SSL) virtual private network (VPN) appliance that provides a secure single point of access to any information resource — both data and voice. Combining the ...

  • Page 20

    Overview 10 Firebox SSL VPN Gateway. As shown in the following illustration, the Firebox SSL VPN Gateway is appropriate for employees accessing the organization remotely and for intranet access from restricted LANs such as wireless networks. Network topology showing the Firebox SSL VPN Gateway in the d...

  • Page 21

    Administration Guide 11. New features. The virtual TCP circuit uses industry-standard Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption. All packets destined for the private network are transported over the virtual TCP circuit. The Firebox SSL VPN Gateway is essentially act...

  • Page 22

    New features 12 Firebox SSL VPN Gateway. Secure Access Client connections: the Secure Access Client included in this release can connect to earlier versions of the Firebox SSL VPN Gateway. Also, earlier versions of the Secure Access Client can connect to this release of the Firebox SSL VPN Gateway if e...

  • Page 23

    Administration Guide 13. Features. NTLM authentication and authorization support: if your environment includes Windows NT 4.0 domain controllers, the Firebox SSL VPN Gateway can authenticate users against the user domain accounts maintained on the Windows NT server. The Firebox SSL VPN Gateway can a...

  • Page 24

    Features 14 Firebox SSL VPN Gateway. • Date and time configuration • Certificate generation and installation • Restarting and shutting down the Firebox SSL VPN Gateway • Saving and reinstalling configuration settings. Note: if the Firebox SSL VPN Gateway is upgraded to version 5.5 from an earlier versi...

  • Page 25

    Administration Guide 15. Features (feature: location in the Administration Tool). Server upgrade: VPN Gateway Cluster > Administration; Server restart: VPN Gateway Cluster > Administration; Server shut down: VPN Gateway Cluster > Administration; Server statistics: VPN Gateway Cluster > Statistics; Licensing: VPN Gateway Cluster > Licensing; Date and time: VP...

  • Page 26

    The user experience 16 Firebox SSL VPN Gateway. Feature summary: the following are key Firebox SSL VPN Gateway features. • Universal SSL VPN. Supports all applications and protocols, improving productivity by providing users with access to the applications and resources they need, without the need f...

  • Page 27

    Administration Guide 17. Deployment and administration. ...Secure Access Client by typing a secure web address in a standard web browser and providing authentication credentials. Because the Firebox SSL VPN Gateway encrypts traffic using standard SSL/TLS, it can traverse firewalls and proxy servers, re...

  • Page 28

    Planning your deployment 18 Firebox SSL VPN Gateway. ...Administration Desktop also provides access to the Real-Time Monitor, where you can view a list of current users and close the connection for any user. Planning your deployment: this chapter discusses deployment scenarios for the Firebox SSL VPN G...

  • Page 29

    Administration Guide 19. Planning for security with the Firebox SSL VPN Gateway. When a Firebox SSL VPN Gateway is deployed in the secure network, the Secure Access Client or kiosk client connections must traverse the firewall to connect to the Firebox SSL VPN Gateway. By default, both of these clien...

  • Page 30

    Installing the Firebox SSL VPN Gateway for the first time 20 Firebox SSL VPN Gateway. Deploying additional appliances for load balancing and failover: you can install multiple Firebox SSL VPN Gateway appliances in your environment for one or both of these reasons. • Scalability. If you have a large ...

  • Page 31

    Administration Guide 21. Installing the Firebox SSL VPN Gateway for the first time. • The Firebox SSL VPN Gateway FQDN for network address translation (NAT) • The IP address of the default gateway device • The port to be used for connections if connecting the Firebox SSL VPN Gateway to a server load b...

  • Page 32

    Installing the Firebox SSL VPN Gateway for the first time 22 Firebox SSL VPN Gateway. • [4] Display log: displays the Firebox SSL VPN Gateway log • [5] Reset certificate: resets the certificate to the default certificate that comes with the Firebox SSL VPN Gateway • [6] Change administrative password: a...

  • Page 33

    Administration Guide 23. Installing the Firebox SSL VPN Gateway for the first time. To configure TCP/IP settings using network cables: the Firebox SSL VPN Gateway has two network adapters installed. One network adapter communicates with the Internet and client computers that are not inside the corporat...

  • Page 34

    Using the Firebox SSL VPN Gateway 24 Firebox SSL VPN Gateway. For information about the relationship between the default gateway and dynamic or static routing, see “Dynamic and static routing” on page 51. After you configure your network settings on the Firebox SSL VPN Gateway, you need to restart th...

  • Page 35

    Administration Guide 25. Using the Firebox SSL VPN Gateway. • After downloading the Secure Access Client, the user logs on. When the user successfully authenticates, the Firebox SSL VPN Gateway establishes a secure tunnel. • As the remote user attempts to access network resources across the VPN tunnel...

  • Page 36

    Using the Firebox SSL VPN Gateway 26 Firebox SSL VPN Gateway. Establishing the secure tunnel: after the Secure Access Client is started, it establishes a secure tunnel over port 443 (or any configured port on the Firebox SSL VPN Gateway) and sends authentication information. When the tunnel is estab...

  • Page 37

    Administration Guide 27. Using the Firebox SSL VPN Gateway. NAT firewalls maintain a table that allows them to route secure packets from the Firebox SSL VPN Gateway back to the client computer. For circuit-oriented connections, the Firebox SSL VPN Gateway maintains a port-mapped, reverse NAT trans...

  • Page 38

    Using the Firebox SSL VPN Gateway 28 Firebox SSL VPN Gateway. ...work, no attempt is made by either the client or the server applications to regenerate them, so real-time (UDP-like) performance is achieved over a secure TCP-based tunnel. For more information about improving latency with UDP connections ...

  • Page 39

    Administration Guide 29. Using the Firebox SSL VPN Gateway. ...public address. The external public address ensures that the redirected client returns to the Firebox SSL VPN Gateway it first encountered, providing session stickiness. The association between a particular request and the Firebox SSL VPN Gat...

  • Page 40

    Using the Firebox SSL VPN Gateway 30 Firebox SSL VPN Gateway.

  • Page 41

    Administration Guide 31. Chapter 3: Configuring basic settings. This chapter describes Firebox SSL VPN Gateway basic administration, including connecting to the Firebox SSL VPN Gateway, using the Administration Desktop, and using the Administration Tool to configure the Firebox SSL VPN Gateway. Not...

  • Page 42

    Firebox SSL VPN Gateway Administration Desktop 32 Firebox SSL VPN Gateway. Firebox SSL VPN Gateway Administration Desktop: the Firebox SSL VPN Gateway Administration Desktop provides Firebox SSL VPN Gateway monitoring tools. The taskbar includes one-click access to a variety of standard Linux monitori...

  • Page 43

    Administration Guide 33. Using the serial console. • Download a sample email for users. Admin Users tab: the Firebox SSL VPN Gateway has a default administrative user account with full access to the Firebox SSL VPN Gateway. To protect the Firebox SSL VPN Gateway from unauthorized access, change the defa...

  • Page 44

    Using the Administration Tool 34 Firebox SSL VPN Gateway. To open the serial console: 1. Connect the RS-232 cable to the serial port on the Firebox SSL VPN Gateway and to the serial port on the computer. 2. Make sure that the Firebox SSL VPN Gateway is running. 3. Start a terminal emulation application (s...

  • Page 45

    Administration Guide 35. Publishing settings to multiple Firebox SSL VPN Gateways. 7. In Username and Password, type the Firebox SSL VPN Gateway administrator credentials. The default user name and password are root and rootadmin. You can change the administrative password as described in “To change th...

  • Page 46

    Managing licenses 36 Firebox SSL VPN Gateway. ...Firebox SSL VPN Gateway Administration Tool. To apply these license files, see “Managing licenses” on page 36. For future tunnel capacity upgrades, you will follow these same steps to increase the capacity of your Firebox® SSL VPN Gateway. Upgrading the l...

  • Page 47

    Administration Guide 37. Managing licenses. Do not overwrite any .lic files in the license directory. If another file in that directory has the same name, rename the newly received file. The Firebox SSL VPN Gateway software calculates your licensed features based on all .lic files that are uploaded to...

  • Page 48

    Blocking external access to the Administration Portal 38 Firebox SSL VPN Gateway. 5. In a web browser, type the address of the Firebox SSL VPN Gateway using either the IP address or fully qualified domain name (FQDN) to connect to either the internal or external interface. The format should be either ...

  • Page 49

    Administration Guide 39. Downloading and working with portal page templates. By default, users see a WatchGuard Firebox SSL VPN Gateway portal page when they open https://firebox_ssl_vpn_gateway_ip_or_hostname. For samples of the default portal pages for Windows, Linux, and Java, see “Using the Access...

  • Page 50

    Downloading and working with portal page templates 40 Firebox SSL VPN Gateway. To download the portal page templates to your local computer: 1. In the Firebox SSL VPN Gateway Administration Portal, click Downloads. 2. Under Sample portal page templates, right-click one of the links, click Save Target As...

  • Page 51

    Administration Guide 41. Enabling portal page authentication. To install a custom portal page or image on the Firebox SSL VPN Gateway: 1. Click the Portal Page Configuration tab. 2. Click Add File. 3. In File identifier, type a name that is descriptive of the types of users who use the portal page. The fi...

  • Page 52

    Linking to clients from your web site 42 Firebox SSL VPN Gateway. classid="clsid:7e0fdfbb-87d4-43a1-9ad4-41f0ea8aff7b" codebase="net6helper.cab#version=2,1,0,6"> classid="clsid:7e0fdfbb-87d4-43a1-9ad4-41f0ea8aff7b" codebase="net6helper.cab#version=2,1,0,6"> 2. Add the links as follows to the web page....

  • Page 53

    Administration Guide 43. Connecting using a web address. ...tication policy check fails, the users receive an error message instructing them to contact their system administrator. For more information about pre-authentication policies, see “Global policies” on page 96. Double-source authentication portal...

  • Page 54

    Saving and restoring the configuration 44 Firebox SSL VPN Gateway. Saving and restoring the configuration: when you upgrade the Firebox SSL VPN Gateway, all of your configuration settings, including uploaded certificates, licenses, and portal pages, are restored automatically. However, if you reinstall...

  • Page 55

    Administration Guide 45. Restarting the Firebox SSL VPN Gateway. 2. In Upload a Server Upgrade or Saved Config, click Browse. 3. Locate the upgrade file that you want to upload and click Open. The file is uploaded and the Firebox SSL VPN Gateway restarts automatically. When you upgrade the Firebox SSL V...

  • Page 56

    Allowing ICMP traffic 46 Firebox SSL VPN Gateway. To change the system date and time: 1. In the Administration Tool, click the VPN Gateway Cluster tab, select the appliance, and then click the Date tab. 2. In Time zone, select a time zone. 3. In Date, type the date and time. 4. Click Submit. Network Time ...

  • Page 57

    Administration Guide 47. Chapter 4: Configuring Firebox SSL VPN Gateway network connections. The Firebox SSL VPN Gateway has two network adapters that can be configured to work on your network. The VPN Gateway Cluster > General Networking tabs in the Administration Tool are used to configure most net...

  • Page 58

    General networking 48 Firebox SSL VPN Gateway. • The Routes tab is where dynamic and static routes are configured • The Failover Servers tab is where multiple Firebox SSL VPN Gateways are configured. General networking: the Firebox SSL VPN Gateway has two network adapters installed. If two network ada...

  • Page 59

    Administration Guide 49. General networking. ...the Firebox SSL VPN Gateway in the DMZ. For more information, see “Connecting to a server load balancer” on page 28. External public FQDN: the Firebox SSL VPN Gateway uses the external IP address or FQDN to send its response to a request back to the correct ...

  • Page 60

    Name service providers 50 Firebox SSL VPN Gateway. Note: IP pooling is configured per group, as described in “Enabling IP pooling” on page 94. Name service providers: name resolution is configured on the Name Service Providers tab. You can specify the following: DNS server 1, DNS server 2, DNS server ...

  • Page 61

    Administration Guide 51. Dynamic and static routing. 3. Under Edit the HOSTS file, in IP address, enter the IP address that you want to associate with an FQDN. 4. In FQDN, enter the FQDN you want to associate with the IP address you entered in the previous step. 5. Click Add. The IP address and host nam...

  • Page 62

    Dynamic and static routing 52 Firebox SSL VPN Gateway. Configuring dynamic routing: when dynamic routing is selected, the Firebox SSL VPN Gateway operates as follows. • It listens for route information published through RIP and automatically populates its routing table. • If the dynamic gateway option...

  • Page 63

    Administration Guide 53. Dynamic and static routing. 5. In the text box, type a text string that is an exact, case-sensitive match to the authentication string transmitted by the RIP server. 6. Select the Enable RIP MD5 authentication for interface check box if the RIP server transmits the authenticatio...

  • Page 64

    Dynamic and static routing 54 Firebox SSL VPN Gateway. 8. On the General Networking tab, click Submit. The route name appears in the static routes list. To test a static route: 1. From the Firebox SSL VPN Gateway serial console, type 1 (ping). 2. Enter the host IP address for the device you want to ping ...

  • Page 65

    Administration Guide 55. Configuring Firebox SSL VPN Gateway failover. To set up the static route, you need to establish the path between the eth1 adapter and IP address 129.6.0.20. To set up the example static route: 1. Click the VPN Gateway Cluster tab and then click the Routes tab. 2. In Destination L...

  • Page 66

    Controlling network access 56 Firebox SSL VPN Gateway. ...nect to port 9001 when you are logged on from an external connection, configure IP pools and connect to the lowest IP address in the IP pool. Controlling network access. Configuring network access: after you configure the appliance to operate in yo...

  • Page 67

    Administration Guide 57. Enabling split tunneling. You can change the default operation so that user groups are denied network access unless they are allowed access to one or more network resource groups. • You configure ACLs for user groups by specifying which network resources are allowed or denied ...

  • Page 68

    Denying access to groups without an ACL 58 Firebox SSL VPN Gateway. When you enable split tunneling, you must enter a list of accessible networks on the Global Cluster Policies tab. The list of accessible networks must include all internal networks and subnetworks that the user may need to access wit...

  • Page 69

    Administration Guide 59. Improving Voice over IP connections. To deny access to user groups without an ACL: 1. Click the Global Cluster Policies tab. 2. Under Access options, select Deny access without ACL. 3. Click Submit. Improving Voice over IP connections: real-time applications, such as voice and vide...

  • Page 70

    Improving Voice over IP connections 60 Firebox SSL VPN Gateway. Note: if the Improving Voice over IP connections setting is not selected, the UDP traffic is encrypted using the symmetric encryption cipher that is specified in the Select encryption type for client connections setting on the Global Clus...

  • Page 71

    Administration Guide 61. Chapter 5: Configuring authentication and authorization. The Firebox SSL VPN Gateway supports several authentication types including LDAP, RADIUS, RSA SecurID, NTLM, and Secure Computing’s SafeWord products. The following topics describe how to configure Firebox SSL VPN Gatew...

  • Page 72

    Configuring authentication and authorization 62 Firebox SSL VPN Gateway. ...communications between the Firebox SSL VPN Gateway and authentication servers. If a user is not located on an authentication server or fails authentication on that server, the Firebox SSL VPN Gateway checks the user against the ...

  • Page 73

    Administration Guide 63. Configuring authentication and authorization. Configuring authentication without authorization: the Firebox SSL VPN Gateway can be configured to authenticate users without requiring authorization. When users are not authorized, the Firebox SSL VPN Gateway does not perform a gro...

  • Page 74

    Configuring authentication and authorization 64 Firebox SSL VPN Gateway. Configuring local users: you can create user accounts locally on the Firebox SSL VPN Gateway to supplement the users on authentication servers. For example, you might want to create local user accounts for temporary users, such a...

  • Page 75

    Administration Guide 65. Changing the authentication type of the Default realm. To change a user’s password: 1. On the Access Policy Manager tab, right-click a user, and click Set Password. 2. Type the password twice and then click OK. Using LDAP authorization with local authentication: by default, the Fi...

  • Page 76

    Changing the authentication type of the Default realm 66 Firebox SSL VPN Gateway. 3. On the Action menu, select Remove Default Realm. A warning message appears. Click Yes. 4. Under Add an Authentication Realm, in Realm name, type Default. Note, important: when creating a new Default realm, the word Defa...

  • Page 77

    Administration Guide 67. Using SafeWord for authentication. Removing realms: if you are retiring an authentication server or removing a domain server, you can remove any realm except for the realm named Default. You can remove the Default realm only if you immediately create a new realm named Default. ...

  • Page 78

    Using SafeWord for Citrix or SafeWord RemoteAccess for authentication 68 Firebox SSL VPN Gateway. ...configure a SafeWord realm to authenticate users. The Firebox SSL VPN Gateway acts as a SafeWord agent authenticating on behalf of users logged on using the Secure Access Client. If a user is not located on ...

  • Page 79

    Administration Guide 69. Using RADIUS servers for authentication and authorization. If you are already using SafeWord for Citrix or SafeWord RemoteAccess in your configuration to authenticate using the Web Interface, you need to do the following: • Install and configure the SafeWord IAS agent • Conf...

  • Page 80

    Using RADIUS servers for authentication and authorization 70 Firebox SSL VPN Gateway. • Type is the vendor-assigned attribute number. • Attribute name is the type of attribute name that is defined in IAS. The default name is ctxsusergroups=. • Separator is defined if multiple user groups are included...

  • Page 81

    Administration Guide 71. Using RADIUS servers for authentication and authorization. 18. In the Add Attributes dialog box, select Vendor-Specific and click Add. 19. In the Vendor-Specific Attribute Information dialog box, choose Select from list and accept the default RADIUS=Standard. The Firebox SSL VPN...

  • Page 82

    Using RADIUS servers for authentication and authorization 72 Firebox SSL VPN Gateway. To specify RADIUS server authentication: 1. Click the Authentication tab. 2. In Realm name, type a name for the authentication realm that you will create, select One Source, and then click Add. If your site has multipl...

  • Page 83

    Administration Guide 73. Using LDAP servers for authentication and authorization. ...RADIUS authentication. If you synchronize configurations among several Firebox SSL VPN Gateway appliances in a cluster, all the appliances are configured with the same secret. Shared secrets are configured on the Fireb...

  • Page 84

    Using LDAP servers for authentication and authorization 74 Firebox SSL VPN Gateway. This table contains examples of the Base DN. The following table contains examples of Bind DN. Note: for further information on determining the LDAP server settings, see “Determining attributes in your LDAP directory” on ...

  • Page 85

    Administration Guide 75. LDAP authorization. 8. Select Allow unsecure traffic to allow unsecured LDAP connections. When this check box is clear, all LDAP connections are secure. 9. In Administrator Bind DN, type the administrator Bind DN for queries to your LDAP directory. The following are examples of s...

  • Page 86

    LDAP authorization 76 Firebox SSL VPN Gateway. Group memberships from group objects, working evaluations: LDAP servers that evaluate group memberships from group objects indirectly work with Firebox SSL VPN Gateway authorization. Some LDAP servers enable user objects to contain information about groups...

  • Page 87

    Administration Guide 77. LDAP authorization. The LDAP server port defaults to 389. If you are using an indexed database, such as Microsoft Active Directory with a Global Catalog, changing the LDAP server port to 3268 significantly increases the speed of the LDAP queries. If your directory is not index...

  • Page 88

    LDAP authorization 78 Firebox SSL VPN Gateway. For Active Directory, the group name specified as cn=groupname is required. The group name that is defined in the Firebox SSL VPN Gateway must be identical to the group name that is defined on the LDAP server. For other LDAP directories, the group name e...

  • Page 89

    Administration Guide 79. Using RSA SecurID for authentication. Host: host name or IP address of your LDAP server. Port: defaults to 389. Base DN: you can leave this field blank. (The information provided by the LDAP browser will help you determine the Base DN needed for the Authentication tab.) Anonymous...

  • Page 90

    Using RSA SecurID for authentication 80 Firebox SSL VPN Gateway. The Firebox SSL VPN Gateway supports RSA ACE/Server version 5.2 and higher. The Firebox SSL VPN Gateway also supports replication servers. Replication server configuration is completed on the RSA ACE/Server and is part of the sdconf.rec...

  • Page 91

    Administration Guide 81. Using RSA SecurID for authentication. 8. To create the configuration file for the new or changed Agent Host, go to Agent Host > Generate Configuration Files. The file that you generate (sdconf.rec) is what you will upload to the Firebox SSL VPN Gateway, as described in the next...

  • Page 92

    Using RSA SecurID for authentication 82 Firebox SSL VPN Gateway. Configuring RSA settings for a cluster: if you have two or more appliances configured as a cluster, the sdconf.rec file needs to contain the FQDNs of all the appliances. The sdconf.rec file is installed on one Access Gateway and then pub...

  • Page 93

    Administration Guide 83. Using RSA SecurID for authentication. Note: if you are configuring double-source authentication, click Two Source and then click Add. For more information about configuring double-source authentication, see “Configuring double-source authentication” on page 85. 4. In IP ad...

  • Page 94

    Using RSA SecurID for authentication 84 Firebox SSL VPN Gateway. Note: when 0 (zero) is entered as the port, the Access Gateway attempts to automatically detect a port number for this connection. 8. In Time-out (in seconds), enter the number of seconds within which the authentication attempt must...

  • Page 95

    Administration Guide 85. Configuring double-source authentication. You can prevent the storage of one-time passwords in cache, which forces the user to enter their credentials again. To prevent caching of one-time passwords: 1. In the Administration Tool, click the Authentication tab. 2. Open the authe...

  • Page 96

    Configuring double-source authentication 86 Firebox SSL VPN Gateway. ...and passcode first and then the LDAP password second. Whatever is typed in the first password field is checked last, and the second password field is checked first. Changing password labels: you can change the password labels to accurately ...

  • Page 97

    Administration Guide 87. Chapter 6: Adding and configuring local users and user groups. User groups define the resources the user has access to when connecting to the corporate network through the Firebox SSL VPN Gateway. Groups are associated with the local users list. After adding local users, you ca...

  • Page 98

    User group overview 88 Firebox SSL VPN Gateway. 5. All users are members of the Default resource group. To add a user to another group, under Local Users, click and drag the user to the user group to which you want the user to belong. To delete a user from the Firebox SSL VPN Gateway, right-click the u...

  • Page 99

    Administration Guide 89. Creating user groups. Group resources include: • Network resources that define the networks to which clients can connect. • Application policies that define the applications users can use when connected. In addition to selecting the application, you can further define which ne...

  • Page 100

    Configuring properties for a user group 90 Firebox SSL VPN Gateway. Configuring properties for a user group: group properties include configuring access, networking, portal pages, and client certificates. Properties are configured by right-clicking a group and then clicking Properties. Settings for ...

  • Page 101

    Administration Guide 91. Configuring properties for a user group. Note: if you want to close a connection and prevent a user or group from reconnecting automatically, you must select the Authenticate after network interruption setting. Otherwise, users immediately reconnect without being prompted for t...

  • Page 102

    Configuring properties for a user group 92, Firebox SSL VPN Gateway. ...supported and do not run. If the domain controller cannot be contacted, the Firebox SSL VPN Gateway connection is completed but the logon scripts are not run. Note, important: the client computer must be a domain member in order to ru...

  • Page 103

    Administration guide 93, Configuring properties for a user group. Configuring web session time-outs: when a user is logged on to the Firebox SSL VPN Gateway and using a web browser to connect to web sites in the secure network, cookies are set to determine if a user’s web session is still active on the...

  • Page 104

    Configuring properties for a user group 94, Firebox SSL VPN Gateway. 2 On the General tab, under Application Options, select Deny Applications Without Policies. For more information about application policies, see “Application policies” on page 101. For more information about endpoint policies, see “E...

  • Page 105

    Administration guide 95, Configuring properties for a user group. Choosing a portal page for a group: by default, all users log on to the Firebox SSL VPN Gateway using the Secure Access Client from the default portal page or by downloading and installing the Secure Access Client on their computer. You ...

  • Page 106

    Configuring resources for a user group 96, Firebox SSL VPN Gateway. Note: client certificate configuration is not available for the Default user group. To specify client certificate configuration: 1 On the Access Policy Manager tab, right-click a group that is not the Default group. 2 On the Client Cert...

  • Page 107

    Administration guide 97, Configuring resources for a user group. ...a network resource specifying the networks to which users can connect. If you have a restricted group for contractors, drag the resource to this group and then deny the default setting. For each user group, you can create an access contr...

  • Page 108

    Configuring resources for a user group 98, Firebox SSL VPN Gateway. • Kiosk resources that define how the user can log on and which file shares and applications are accessible to the user when logged on. If the user is allowed to use the Firefox web browser in kiosk mode, the web address the user is a...

  • Page 109

    Administration guide 99, Configuring resources for a user group. To configure resource access control for a group: 1 Click the Access Policy Manager tab. 2 In the right pane, configure the group resources. 3 When the resource is configured, click the resource and drag it to the group in the left pane. ...

  • Page 110

    Configuring resources for a user group 100, Firebox SSL VPN Gateway. • You can further restrict access by specifying a port and protocol for an IP address/subnet pair. For example, you might specify that a resource can use only port 80 and the TCP protocol. • When you configure resource group access f...

  • Page 111

    Administration guide 101, Configuring resources for a user group. • Deny rules take precedence over allow rules. This enables you to allow access to a range of resources and to also deny access to selected resources within that range. For example, you might want to allow a group access to a resource g...

  • Page 112

    Configuring resources for a user group 102, Firebox SSL VPN Gateway. To add an application policy to a group: 1 On the Access Policy Manager tab, in the right pane, under Application Policies, click the resource you want to add and then drag it to the user group in the left pane. 2 To allow or deny acc...

  • Page 113

    Administration guide 103, Configuring resources for a user group. To create a file share resource: 1 Click the Access Policy Manager tab. 2 In the right pane, right-click File Share Resources, click New File Share Resource, type a name, and click OK. 3 In Share Source, type the path to the share source...

  • Page 114

    Configuring resources for a user group 104, Firebox SSL VPN Gateway. 3 To add a file share, under File Share Resources, drag the resource to Shares under File Shares. 4 Select the applications users are allowed to use in kiosk mode. 5 Click Kiosk Persistence (Save Application Settings) to retain Firef...

  • Page 115

    Administration guide 105, Configuring resources for a user group. 8 If you selected Process Rule, do the following: - Click Process Rule. - In Process Name, type the name of the process or click Browse to navigate to the file. The MD5 field is automatically completed when a process name is entered. 9 ...

  • Page 116

    Setting the priority of groups 106, Firebox SSL VPN Gateway. 2 In the right pane, right-click End Point Policies and then click New End Point Policy. 3 Type a name and click OK. When the policy is created, create the expression by dragging and dropping the end point resources into the expression root....

  • Page 117

    Administration guide 107, Setting the priority of groups. The following two settings are unioned together: they are combined across all of the groups of which the user is a member, and the combined result is the enforced set of rules applied to the user. For example, if a us...

  • Page 119

    Administration guide 109, Chapter 7: Creating and installing secure certificates. The Firebox SSL VPN Gateway uses certificates for authentication. In the Firebox SSL VPN Gateway Administration Tool, you can create a certificate to be signed by a certificate authority. Then, when the signed certificate...

  • Page 120

    Digital certificates and Firebox SSL VPN Gateway operation 110, Firebox SSL VPN Gateway. • Install a PEM certificate and private key from a Windows computer. This method uploads a signed certificate and private key together. The certificate is signed by a CA and it is paired with the private key. Dig...

  • Page 121

    Administration guide 111, Overview of the certificate signing request. ...private key from tampering and it is also required when restoring a saved configuration to the Firebox SSL VPN Gateway. Passwords are used whether the private key is encrypted or unencrypted. Note, caution: when you upgrade to versi...

  • Page 122

    Overview of the certificate signing request 112, Firebox SSL VPN Gateway. Note: when you save the Firebox SSL VPN Gateway configuration, any certificates that are already installed are included in the backup. To install a certificate file using the Administration Tool: 1 Click the VPN Gateway Cluster ta...

  • Page 123

    Administration guide 113, Overview of the certificate signing request. The root certificate that is installed on the Firebox SSL VPN Gateway has to be in PEM format. On Windows, the file extension .cer is sometimes used to indicate that the root certificate is in PEM format. If you are validating ce...

  • Page 124

    Client certificates 114, Firebox SSL VPN Gateway. Note: HyperTerminal is not installed automatically on Windows 2000 Server or Windows Server 2003. To install HyperTerminal, use Add/Remove Programs in Control Panel. 3 Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1 st...

  • Page 125

    Administration guide 115, Client certificates. Installing root certificates: support for most trusted root authorities is already built into the Windows operating system and Internet Explorer. Therefore, there is no need to obtain and install root certificates on the client device if you are using th...

  • Page 126

    Requiring certificates from internal connections 116, Firebox SSL VPN Gateway. 3 Click Submit. Requiring certificates from internal connections: to increase security for connections originating from the Firebox SSL VPN Gateway to your internal network, you can require the Firebox SSL VPN Gateway to v...

  • Page 127

    Administration guide 117, Chapter 8: Working with client connections. Clients can access resources on the corporate network by connecting through the Firebox SSL VPN Gateway from their own computer or from a public computer. The following topics describe how client connections work: • Using the access ...

  • Page 128

    Using the access portal 118, Firebox SSL VPN Gateway. If clients are using Mozilla Firefox to connect, pages that require ActiveX, such as the pre-authentication page, are not able to run. If clients are going to connect using the kiosk, they must have Sun Java Runtime Environment (JRE) version 1.5....

  • Page 129

    Administration guide 119, Connecting from a private computer. ...the computer is started, users do not have to do anything to create the connection, provided that they have a network connection and can log onto Windows. The connection enables users to work with the connected site just as if they were log...

  • Page 130

    Connecting from a private computer 120, Firebox SSL VPN Gateway. • The Firebox SSL VPN Gateway terminates the SSL tunnel, accepts any incoming traffic destined for the private network, and forwards the traffic to the private network. The Firebox SSL VPN Gateway sends traffic back to the remote compute...

  • Page 131

    Administration guide 121, Connecting from a private computer. ...that remote users can access through the VPN connection. For more information, see “Configuring resources for a user group” on page 96. All IP packets, regardless of protocol, are intercepted and transmitted over the secure link. Connection...

  • Page 132

    Connecting from a private computer 122, Firebox SSL VPN Gateway. ...sends its known local IP address to the server by means of a custom client-server protocol. For these applications, the Secure Access Client provides the local client application a private IP address representation, which the Firebox S...

  • Page 133

    Administration guide 123, Connecting from a private computer. An email template is provided that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. WatchGuard recommends that you customize the text for your site and then ...

  • Page 134

    Connecting from a private computer 124, Firebox SSL VPN Gateway. [Figure caption: the Secure Access Client dialog box with the pop-up menu showing advanced options.] 4 Under Proxy Settings, select Use Proxy Host and then, in Proxy Address and Proxy Host, type the IP address and port. If the proxy server requires authenti...

  • Page 135

    Administration guide 125, Connecting from a private computer. To view the connection log: the connection log contains real-time connection information that is particularly useful for troubleshooting connection issues. 1 Right-click the Firebox SSL Secure Access Client icon in the notification area. 2...

  • Page 136

    Connecting from a public computer 126, Firebox SSL VPN Gateway. Configuring Secure Access Client to work with non-administrative users: if a user is not logged on as an administrator on a computer running Windows 2000 Professional, the Secure Access Client must be installed locally on the client comput...

  • Page 137

    Administration guide 127, Connecting from a public computer. • Firefox web browser. You configure by group whether or not to include the Firefox browser and the browser’s default web address. Firefox preferences, such as saved passwords, are retained for the next session. • Shared network drives. Icon...

  • Page 138

    Connecting from a public computer 128, Firebox SSL VPN Gateway. To create and configure a kiosk resource: 1 Click the Access Policy Manager tab. 2 In the right pane, right-click Kiosk Resources and then click New Kiosk Resource. 3 Type a name for the resource and click OK. 4 To add a file share, under ...

  • Page 139

    Administration guide 129, Client applications. 2 Select a file share from File Share Resources and drag it to Shares under File Shares in the kiosk resource. 3 Click OK. To remove a file share: on the Access Policy Manager tab, in the right pane, right-click the file share and click Remove. You can spe...

  • Page 140

    Client applications 130, Firebox SSL VPN Gateway. Firefox web browser: the Firefox web browser allows users to connect to the Internet when they are logged on in kiosk mode. They can connect to web sites as if they were sitting at their own computer. To configure Firefox: 1 Click the Access Policy Manag...

  • Page 141

    Administration guide 131, Client applications. To use the SSH client: 1 From the portal page, choose a public computer and log on. 2 In the web browser, click the SSH icon. 3 Enter the user name and SSH host name or IP address. The SSH window opens. Telnet 3270 emulator client: the Telnet 3270 emulator ...

  • Page 142

    Supporting Secure Access Client 132, Firebox SSL VPN Gateway. To use Gaim: 1 From the portal page, choose a public computer and log on. 2 In the web browser, double-click the Gaim icon. 3 If messaging services were not added, an Accounts window opens. Click Add. 4 In the Add Account dialog box, in Pro...

  • Page 143

    Administration guide 133, Managing client connections. An email template is provided that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. Customize the text for your site and then send the text in an email to users. No...

  • Page 144

    Managing client connections 134, Firebox SSL VPN Gateway. Closing a connection to a resource: without disrupting a user’s VPN connection, you can temporarily close the user’s connection to a particular resource. To prevent the user from connecting to the resource, correct the user’s group ACL. To clo...

  • Page 145

    Administration guide 135, Managing client connections. 2 In the left pane, right-click a group and click Properties. 3 On the General tab, under Session Options, select one or both of the following: • Authenticate After Network Interruption. This option forces a user to log on again if the network con...

  • Page 147

    Administration guide 137, Appendix A: Firebox SSL VPN Gateway monitoring and troubleshooting. The following topics describe how to use Firebox SSL VPN Gateway logs and troubleshoot issues: • Viewing and downloading system message logs • Enabling and viewing SNMP logs • Viewing system statistics • Monit...

  • Page 148

    Viewing and downloading system message logs 138, Firebox SSL VPN Gateway. 3 Click Logging/Settings. 4 Under Gateway Log, click Display Logging Window. The log for today’s date is displayed. To display the log for a prior date, select the date in the Log Archive list and click View Log. 5 By default, t...

  • Page 149

    Administration guide 139, Enabling and viewing SNMP logs. To view or download the log, go to the Logging > Configuration tab and click Download W3C Log. Enabling and viewing SNMP logs: when Simple Network Management Protocol (SNMP) is enabled, the Firebox SSL VPN Gateway reports the MIB-II system group...

  • Page 150

    Viewing system statistics 140, Firebox SSL VPN Gateway. To obtain SNMP data for the Firebox SSL VPN Gateway through Multi Router Traffic Grapher (in Unix): 1 Configure the Firebox SSL VPN Gateway to respond to SNMP queries as discussed in “To enable logging of SNMP messages” on page 139. 2 Create Multi...

  • Page 151

    Administration guide 141, Recovering from a failure of the Firebox SSL VPN Gateway. ...bottom right corner, you can view process and network activity levels; mouse over the two graphs to view numeric data. To open the Firebox SSL VPN Gateway Administration Desktop: 1 Open a web browser and type the IP add...

  • Page 152

    Recovering from a failure of the Firebox SSL VPN Gateway 142, Firebox SSL VPN Gateway. • Apply the v 5.5 software update. Reinstalling v 4.9 application software: to reinstall v 4.9 on your appliance: 1 Find the Firebox® SSL v 4.9.2 recovery CD that came with your original Firebox® SSL Core appliance. 2...

  • Page 153

    Administration guide 143, Troubleshooting. To upgrade to v 5.5: 1 In the v5.0 Administration Tool, click the Firebox® SSL VPN Gateway Cluster tab. 2 On the Administration tab, next to Upload a Server Upgrade or Saved Config, click Browse. 3 Navigate to the upgrade file and click Open. 4 Wait for the m...

  • Page 154

    Troubleshooting 144, Firebox SSL VPN Gateway. By default, the Firebox SSL VPN Gateway passes only the user name and password to the Web Interface. To correct this, configure a default domain or a set of domains users can log on to. The Web Interface uses the first one in the list as the default domain...

  • Page 155

    Administration guide 145, Troubleshooting. Defining accessible networks: in the Accessible Networks field on the Global Cluster Policies tab, up to 24 subnets can be defined. If more than 24 subnets are entered, the Firebox SSL VPN Gateway ignores the additional subnets. VMware: if a user logs on to the...

  • Page 156

    Troubleshooting 146, Firebox SSL VPN Gateway. Internal failover: if internal failover is enabled and the administrator is connected to the Firebox SSL VPN Gateway, the Administration Tool cannot be reached over the connection. To fix this problem, enable IP pooling and then connect to the lowest IP add...

  • Page 157

    Administration guide 147, Troubleshooting. Devices cannot communicate with the Firebox SSL VPN Gateway: verify that the following are correctly set up: • The external public address specified on the General Networking tab in the Firebox SSL VPN Gateway Administration Tool is available outside of your f...

  • Page 158

    Troubleshooting 148, Firebox SSL VPN Gateway. Client connections from a Windows Server 2003: if a connection to the Firebox SSL VPN Gateway is made from a Windows Server 2003 computer that is its own DNS server, local and public DNS resolution does not work. To fix this issue, configure the Windows s...

  • Page 159

    Administration guide 149, Appendix B: Using firewalls with Firebox SSL VPN Gateway. If a user cannot establish a connection to the Firebox SSL VPN Gateway or cannot access allowed resources, it is possible that the firewall software on the user’s computer is blocking traffic. The Firebox SSL VPN Gatewa...

  • Page 160

    BlackICE PC Protection 150, Firebox SSL VPN Gateway. To view Secure Access Client status properties: double-click the Secure Access Client connection icon in the notification area. Alternatively, right-click the icon and choose Properties from the menu. The Secure Access Client dialog box appears. The ...

  • Page 161

    Administration guide 151, Norton Personal Firewall. Norton Personal Firewall: if you are using the default Norton Personal Firewall settings, you can simply respond to the Program Control alerts the first time that you attempt to start the Secure Access Client or when you access a blocked location or...

  • Page 162

    ZoneAlarm Pro 152, Firebox SSL VPN Gateway. To configure the settings, open the Tiny Personal Firewall Administration window, click the Advanced button to view the Firewall Configuration window, and then use the Filter Rule dialog box as indicated below. After you apply the above configuration and sta...

  • Page 163

    Administration guide 153, Appendix C: Installing Windows certificates. The Firebox SSL VPN Gateway includes the Certificate Request Generator to automatically create a certificate request. After the file is returned from the certificate authority, it can be uploaded to the Firebox SSL VPN Gateway. Wh...

  • Page 164

    Unencrypting the private key 154, Firebox SSL VPN Gateway. 12 Click Next to start the installation. After Cygwin installs, you can generate the CSR. These instructions to generate a CSR assume that you are using the Cygwin Unix environment installed as described in “To install Cygwin” on page 153. To ...

  • Page 165

    Administration guide 155, Converting to a PEM-formatted certificate. For information about downloading OpenSSL for Windows, see the SourceForge web site at http://sourceforge.net/project/showfiles.php?group_id=23617&release_id=48801. Converting to a PEM-formatted certificate: the signed certificate fil...

  • Page 166

    Generating trusted certificates for multiple levels 156, Firebox SSL VPN Gateway. To combine the private key with the signed certificate: 1 Use a text editor to combine the unencrypted private key with the signed certificate in the PEM file format. The file contents should look similar to the following...

  • Page 167

    Administration guide 157, Generating trusted certificates for multiple levels. [Figure: certificate chain diagram showing Intermediate certificate 0, Intermediate certificate 1, Intermediate certificate 2.]

  • Page 169

    Administration guide 159, Appendix D: Examples of configuring network access. After the Firebox SSL VPN Gateway is installed and configured to operate in your network environment, use the Administration Tool to configure user access to the servers, applications, and other resources on the internal netw...

  • Page 170

    Scenario 1: configuring LDAP authentication and authorization 160, Firebox SSL VPN Gateway. Before reading the examples in this chapter, you should become familiar with the settings on three tabs of the Administration Tool. The settings on these tabs control user access to internal network resources: ...

  • Page 171

    Administration guide 161, Scenario 1: configuring LDAP authentication and authorization. • Determining the sales and engineering users who need remote access • Collecting the LDAP directory information. Determining the internal networks that include the needed resources: determining the internal network...

  • Page 172

    Scenario 1: configuring LDAP authentication and authorization 162, Firebox SSL VPN Gateway. For example, if the Firebox SSL VPN Gateway operates with Microsoft Active Directory, the Firebox SSL VPN Gateway checks the "memberOf" attribute in the person entry to determine the groups to which a user ...

  • Page 173

    Administration guide 163, Scenario 1: configuring LDAP authentication and authorization. • LDAP server port. The port on which the LDAP server listens for connections. The default port for LDAP connections is port 389. • LDAP administrator bind DN and LDAP administrator password. If the LDAP directory...

  • Page 174

    Scenario 1: configuring LDAP authentication and authorization 164, Firebox SSL VPN Gateway. This task includes these five procedures: • Configuring accessible networks • Creating an LDAP authentication realm • Creating the appropriate groups on the Firebox SSL VPN Gateway • Creating and assigning netw...

  • Page 175

    Administration guide 165, Scenario 1: configuring LDAP authentication and authorization. Creating an LDAP authentication and authorization realm: creating an LDAP authentication and authorization realm is the second of five procedures the administrator performs to configure access to the internal netwo...

  • Page 176

    Scenario 1: configuring LDAP authentication and authorization 166, Firebox SSL VPN Gateway. Creating the appropriate groups on the Firebox SSL VPN Gateway: creating the appropriate groups on the Firebox SSL VPN Gateway is the third of five procedures the administrator performs to configure access to th...

  • Page 177

    Administration guide 167, Scenario 1: configuring LDAP authentication and authorization. 4 In Network/Subnet, type these two IP address/subnet pairs for the resources. Separate each of these IP address/subnet pairs with a space: 10.10.0.0/24 10.60.10.0/24 5 To simplify this example, the administrator ...

  • Page 178

    Scenario 1: configuring LDAP authentication and authorization 168, Firebox SSL VPN Gateway. ...the 10.0.20.X resource and allow access to the 10.0.X.X resource. In these cases, configure the policy denying access to 10.0.20.X first and then configure the policy allowing access to the 10.0.X.X network sec...

  • Page 179

    Administration guide 169, Scenario 2: creating guest accounts using the local users list. 5 In the left pane, click the "email server" network resource you just created and drag it to Application Network Policies listed under Application Constraints in the right pane. Click OK. 6 In the left pane, exp...

  • Page 180

    Scenario 2: creating guest accounts using the local users list 170, Firebox SSL VPN Gateway. An administrator can also create a list of local users on the Firebox SSL VPN Gateway and configure the Firebox SSL VPN Gateway to provide authentication and authorization services for these users. This list o...

  • Page 181

    Administration guide 171, Scenario 2: creating guest accounts using the local users list. To create a guest authentication realm for the guest users: 1 In the Firebox SSL VPN Gateway Administration Tool, click the Authentication tab. 2 In Realm Name, type guest. 3 Select One Source and click Add. 4 At ...

  • Page 182

    Scenario 3: configuring local authorization for local users 172, Firebox SSL VPN Gateway. Silvio and Lisa are authorized to access any resource defined in the ACL of the Default user group because No Authorization is specified as the authorization type of the guest realm. In this example, Silvio and L...

  • Page 183

    Administration guide 173, Appendix E: Legal and copyright information. GNU General Public License for Linux kernel as provided with Firebox SSL. Firebox SSL VPN Gateway. Version 2, June 1991. Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA. Everyone is permitt...

  • Page 184

    174, Firebox SSL VPN Gateway. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understand...

  • Page 185

    Administration guide 175. ...change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program no...

  • Page 186

    176, Firebox SSL VPN Gateway. ...be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommerci...

  • Page 187

    Administration guide 177. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you ...

  • Page 188

    178, Firebox SSL VPN Gateway. 12. In no event unless required by applicable law or agreed to in writing will any copyright holder, or any other party who may modify and/or redistribute the Program as permitted above, be liable to you for damages, including any general, special, incidental or consequ...

  • Page 189

    Administration guide 179. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called s...

  • Page 191

    Administration guide 181, Index. A: access control list 56, 97; allow and deny rules 98; deny access 15, 58; deny access without ACL 57, 88; Access Policy Manager tab 15, 87; add network resource 101; application policies 16, 101; applications without policies 15; client certificate criteria 16, 95; create netw...

  • Page 192

    182, Firebox SSL VPN Gateway. ...Authentication tab, LDAP 74; authorization 15; configuring 61; LDAP 65, 73; LDAP and RSA/ACE server 81; local users 65; RADIUS 69, 72. B: backing up 44; BlackICE PC Protection 150. C: certificate 109; 512-bit keypairs 147; backing up 44; certificate signing request 14, 110; client 15, 95...

  • Page 193

    Administration guide 183. ...removing 105; Ethereal network analyzer 141; unencrypted traffic 27; Ethereal network monitor 17; external access 15. F: failover 48; appliances 14; DNS servers 50; gateways 55; internal 15, 55; failure recovery 141; FAQs 5; file share, configuring 103; mount type 103; source path 103; file ...

  • Page 194

    184, Firebox SSL VPN Gateway. ...persistence 104; Remote Desktop client 130; shared network drives, using 128; SSH client 130; Telnet 3270 emulator client 131; using FTP to copy files 129; VNC client 131; known issues 5. L: LDAP authentication 15, 25; authorization 15, 73; authorization with RSA/ACE server 81; LDAP ...

  • Page 195

    Administration guide 185. ...ping 46; command 33, 145; from xnettools 141; policies, access control lists 56; IP pooling 94; network access 56; portal pages 38, 41; setting priority 106; port for connections 49; scanner 141; portal page, client connections 118; client variables 39; configuring 16, 95; customizing 15, ...

  • Page 196

    186, Firebox SSL VPN Gateway. ...connection to 28; service scanner 141; session timeout 15, 88, 92; settings, general networking 47; shared network drives 128; shared secret 69, 82; shutting down 15, 45; single sign-on 15; single sign-on for client 91; SNMP 139; logs, enabling and viewing 139; MIB groups reported 13...

  • Page 197

    Administration guide 187. ...failover servers 55; general networking 14, 47; logging 14, 137; managing licenses 15, 36; name service providers 14, 47; Network Time Protocol 15; restarting 15; restarting appliance 45; restoring configuration 15, 44; routes 14, 48, 52, 54; save configuration 15, 44; shut down 15, 45...
