WatchGuard Firebox SSL VPN Gateway Administration Guide



Notice to Users

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright, Trademark, and Patent Information

Use of the product documented in this guide is subject to your prior acceptance of the WatchGuard End User License Agreement applicable to this product. You will be prompted to read and accept the End User License Agreement when you register your Firebox on the WatchGuard website.

Copyright 2005 Citrix Systems, Inc. All rights reserved. Copyright 2005 WatchGuard Technologies, Inc. All rights reserved.

WatchGuard, Firebox, LiveSecurity and any other word listed as a trademark in the Terms of Use portion of the WatchGuard website that is used herein are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. Citrix is a registered trademark of Citrix Systems, Inc. in the U.S.A. and other countries. Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trade names referred to are the Servicemark, Trademark, or Registered Trademark of the respective manufacturers.

The Firebox SSL Access Gateway software is distributed with source code covered under the GNU General Public License (GPL). To obtain source code covered under the GPL, please contact WatchGuard Technical Support at: in the United States and Canada in all other countries. This source code is free to download. There is a $35 charge to ship the CD. See Appendix B, Legal and Copyright Information on page 157 of this guide for the complete text of the GPL.
VPN Gateway Software: 4.9
Document Version:
ADDRESS: 505 Fifth Avenue South, Suite 500, Seattle, WA
SUPPORT: support@watchguard.com (U.S. and Canada; All Other Countries)
SALES: U.S. and Canada; All Other Countries

ABOUT WATCHGUARD

WatchGuard is a leading provider of network security solutions for small- to midsized enterprises worldwide, delivering integrated products and services that are robust as well as easy to buy, deploy and manage. The company's Firebox X family of expandable integrated security appliances is designed to be fully upgradeable as an organization grows and to deliver the industry's best combination of security, performance, intuitive interface and value. WatchGuard Intelligent Layered Security architecture protects against emerging threats effectively and efficiently and provides the flexibility to integrate additional security functionality and services offered through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity Service subscription to help customers stay on top of the security landscape with vulnerability alerts, software updates, expert security instruction and superior customer care. For more information, please call (206) or visit the WatchGuard website.

Contents

CHAPTER 1  Firebox SSL Overview
  Overview
  Feature Summary
  The User Experience
  Deployment and Administration
  Firebox SSL Operation
    Starting the Secure Access Client
    Establishing the Secure Tunnel
    Tunneling Destination Private Address Traffic over SSL or TLS
    Terminating the Secure Tunnel and Returning Packets to the Client
  Kiosk Operation
  Deployment Options

CHAPTER 2  Administering the Firebox SSL
  Using the Firebox SSL Remote Admin Terminal Window
    To open the Remote Admin Terminal window:
  Using the Administration Tool
  Using the Serial Console
    To open the serial console:
  Upgrading the Firebox SSL Software
    To display the version of your installed Firebox SSL:
    To upgrade your Firebox SSL
  Supporting Secure Access Users
    Configuring Software Firewalls for the Secure Access Client
  Generating a Secure Certificate for the Firebox SSL
    About Digital Certificates and Firebox SSL Operation
    Overview of the Certificate Signing Request
    Installing the Cygwin UNIX Environment for Windows
    Generating a CSR
    Unencrypting the Private Key
    Converting to a PEM-Formatted Certificate
    Combining the Private Key with the Signed Certificate
    Generating Trusted Certificates for Multiple Levels
    Uploading a Certificate to the Firebox SSL
  Blocking External Access to the Administration Portal
  Managing Licenses
  Viewing and Changing the System Date and Time
  Managing Administrative Users
  Saving and Restoring the Configuration
  Managing VPN Connections
    About Connection Handling
    Closing a Connection to a Resource
    Disabling/Enabling a VPN User
  Restarting the Firebox SSL
  Shutting Down the Firebox SSL

CHAPTER 3  Working with a VPN Connection
  Using the Access Portal
  Connecting from a Private Computer
    Using the Secure Access Window
  Connecting from a Public Computer (Kiosk Session)
    Working with Shared Network Drives
    Using the Citrix Client
    Using the Remote Desktop Client
    Using the Telnet 3270 Emulator Client
    Using the VNC Client
      To use the VNC client:

CHAPTER 4  Configuring Firebox SSL Network Connections
  Configuring Network Interfaces
  Specifying DNS/WINS Settings
  Configuring Routes
    Configuring Dynamic Routing
    Adding, Testing, and Removing a Static Route
    Static Route Example
  Configuring Failover Firebox SSLs
  Configuring Firebox SSL Operation

CHAPTER 5  Configuring Authentication, Authorization, and Local Users
  About the Realm Named Default
  Using a Local User List for Authentication
  Using LDAP Authorization with Local Authentication
  Using RADIUS Servers for Authentication
    To specify RADIUS server settings:
  Using LDAP Servers for Authentication and Authorization
    To specify LDAP server settings:
    Looking Up Attributes in your LDAP Directory
  Using RSA SecurID for Authentication
    To generate a sdconf.rec file for the Firebox SSL:
    To enable RSA SecurID authentication for the Firebox SSL:
    Resetting the Node Secret
  Removing an Authentication Realm
    To remove an authentication realm:
  Adding Local Users
    To create a user on the Firebox SSL:
    To delete a user from the Firebox SSL:
  Controlling Network Access
    Specifying Accessible Networks
    Defining Network Resource Groups
    Denying Access to Groups with No ACL
  Customizing VPN Portal Pages
    Downloading and Working with Portal Page Templates
    Loading Custom Portal Files on the Firebox SSL
    Disabling Portal Page Authentication
    Linking to the VPN Clients from Your Website
  Configuring Host Check Rules
    Example Host Check Rules
  Configuring Network Shares for Kiosk Sessions
  Adding and Configuring User Groups
    Configuring Resource ACLs for a User Group
    Configuring Kiosk Operation for a Group
    Configuring a Host Check Policy for a Group
    Choosing a Portal Page for a Group
    Enabling IP Pooling
    Setting the Priority of Groups
    Enabling Split Tunneling
    Enabling Split DNS
    Enabling Session Timeout
    Configuring Internal Failover
    Forcing VPN User Re-login
  Configuring Secure Access for Single Sign-on

APPENDIX A  Logging, Monitoring, and Troubleshooting Firebox SSL Operations
  Viewing and Downloading System Message Logs
  Forwarding System Messages to a Syslog Server
  Enabling and Viewing SNMP Logs
    MRTG Example
  Viewing System Statistics
  Monitoring Firebox SSL Operations
  Recovering from a Crash of the Firebox SSL
    To reinstall the Firebox SSL server software:
  Troubleshooting

APPENDIX B  Legal and Copyright Information

CHAPTER 1  Firebox SSL Overview

The WatchGuard Firebox SSL is a network appliance that provides secure remote access to network resources and all applications, including web, client-server, and peer-to-peer applications such as Instant Messaging (IM), video conferencing, and real-time Voice over IP (VoIP). Combining the advantages of both IP Security (IPSec) and Secure Socket Layer (SSL) Virtual Private Network (VPN) solutions, the Firebox SSL provides full, secure application access without requiring changes to applications or to the Domain Name Service (DNS).

The Firebox SSL gives the remote user seamless, secure access to authorized applications and network resources. Remote users can work with files on network drives, intranet sites, and applications just as if they were working inside their organization's firewall.

The Firebox SSL also provides clientless kiosk operation, which opens a Virtual Network Computing (VNC)-like connection for remote users who access the Firebox SSL from a computer that cannot be trusted. Kiosk user access can include shared network drives, a variety of built-in clients, servers running Windows Terminal Services (Remote Desktop), VNC servers, and Citrix ICA.

The following topics provide an overview of the Firebox SSL:

- Overview on page 2

- Feature Summary on page 4
- The User Experience on page 6
- Deployment and Administration on page 7
- Firebox SSL Operation on page 8
- Kiosk Operation on page 13
- Deployment Options on page 16

WatchGuard provides other network appliance products; see the WatchGuard website for information.

Overview

The Firebox SSL installs into any network infrastructure without requiring changes to the existing hardware or back-end software. The Firebox SSL sits in front of application and web servers and works with other networking products such as firewalls, server load balancers, cache engines, routers, and IEEE broadband wireless devices. The Firebox SSL, installed in the corporate DMZ, participates on two networks: a private network and a public network with a publicly routable IP address. The Firebox SSL can also partition local area networks internally in the organization for access control and security between wired/wireless and data/voice networks.

As shown in the following illustration, the Firebox SSL is appropriate for employees accessing the organization remotely, Business to Business (B2B) access and transactions, and intranet access from restricted LANs such as wireless networks.

As shown in the following illustration, the Firebox SSL creates a virtual TCP circuit between itself and the client computer running the WatchGuard Secure Access client. The virtual TCP circuit is encrypted using proven technologies such as SSL and Transport Layer Security (TLS). All packets destined for the private network are transported over the virtual TCP circuit. The Firebox SSL is essentially a low-level packet filter with encryption: it drops traffic from clients that have not authenticated, and traffic to any network that the authenticated user has no permission to reach.

Feature Summary

Most of the features listed in the following table follow from the Secure Access client's ability to intercept every network connection initiated on the client computer, whether TCP (connection-oriented applications) or UDP (voice and video applications). The Secure Access client forwards all IP packets over an SSL tunnel to the Firebox SSL based on dynamically determined routing policies that are transparent to the remote user. The Firebox SSL retransmits these IP packets to the intended host.

Application support
  Unlike other VPN solutions, the Firebox SSL is application-agnostic. The Firebox SSL operates more like an IPSec VPN than an SSL VPN.
  Supports all applications (web, client-server, peer-to-peer, and real-time) without modification to the applications or DNS.
  Handles real-time traffic, such as voice (RTP/SIP), with minimal loss in performance.

Protocol support
  Supports IP.
  Supports PPPoE (Point-to-Point Protocol over Ethernet) and PPP.
  Supports Ethernet and Remote Access Service (RAS) connections, including TCP, UDP, and Internet Control Message Protocol (ICMP).

Platform support
  Supports computers running Windows 2000, Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows XP Home, and Windows XP Professional, and all Linux 2.4 platforms (tested extensively with RedHat).
  Includes a client that supports computers, such as Macintosh, running Java Virtual Machine (JVM) version or higher.

Ease of use and deployment
  Automatically updates the Secure Access client when a new version is available on the Firebox SSL.
  The Secure Access client can go into a suspend state rather than timing out, so that the connection is always available and the user does not have to log in repeatedly. The Secure Access client continues to run in memory even when the laptop or PC is disconnected from the network.
  This functionality ensures security over wireless networks without having to deploy and maintain a WEP environment.
  The Secure Access client can be configured for single sign-on operation so that it starts automatically after a user logs in to Windows. The user's Windows login credentials are passed to the Firebox SSL for authentication, and the VPN connection is then established automatically without user intervention. Windows login scripts run after the VPN connection is established.
  Includes the option to use the default portal pages (Access Portal), to customize easy-to-use portal page templates, or to include links to the clients directly on your website.
  Provides access to remote networks that have the same numbering as the local subnet.

VPN operation
  Provides users with a desktop-like network experience. Through the VPN connection, users can:
    Map network drives just as they would from their in-office computer.
    Work with client applications, such as Microsoft Outlook or any other application, in their native user interface. The remote user does not need to reconfigure any client application.
  VPN users can seamlessly access the Firebox SSL even if they are behind another organization's firewall.

Kiosk operation
  Provides, on a group basis, access to a private network from public computers.
  Sends images, not data, to the kiosk. Because no temporary files or cookies are downloaded to the remote computer, there is no risk of files remaining after the session.
  Opens a VNC-like window that is configurable by group. Optional components include a Mozilla browser window with a configurable default URL, network shares, and icons that provide one-click access to Remote Desktop, VNC, Telnet 3270 emulator, SSH, and Citrix ICA clients.

Performance
  Supports up to 205 tunnels.
  Provides throughput of 75 MB per second.

Authentication, authorization, and access control
  Supports HTTP 401 Basic, Digest, and Windows Domain Authentication, and RADIUS, LDAP, and RSA SecurID authentication servers. User accounts can also be defined on the Firebox SSL.
  Supports realm-based authentication, so that a single Firebox SSL can be used with multiple authentication servers.
  Supports LDAP or local user group authorization.
  Provides access control through the association of resources to user groups.

Security
  Supports digital certificates in Privacy Enhanced Mail (PEM) format that include the private key.
  Notifies VPN users if the Firebox SSL to which they connect does not have a certificate signed by a Certificate Authority and is therefore not a trusted device.
  Redirects over a secure tunnel all network traffic (all IP packets) destined for the configured private networks.
  Uses SSL and TLS to encrypt every packet, including its header information, so an observer of the encrypted stream cannot recover packet contents or the addresses inside the tunnel (traffic volume and timing remain observable, as with any VPN). The SSL protocol versions supported by software of this era have since been deprecated (SSL 2.0 by RFC 6176, SSL 3.0 by RFC 7568); a current deployment should accept TLS only.
  Supports SSL with compression. TLS-level compression was later shown to leak plaintext (the CRIME attack, 2012) and is disabled in current TLS stacks; leave it off.
  Supports 196-bit TLS/SSL encryption, as well as lower and higher strengths. The symmetric cipher strength is negotiated through the cipher suite, not fixed by the key size in your certificate. You might prefer a weaker cipher if performance is more important than security.
  Supports all OpenSSL ciphers: CAST, CAST5, DES, Triple-DES, IDEA, RC2, RC4, and RC5. Of these, DES and RC2 are far too weak to use today, RC4 is prohibited for TLS (RFC 7465), and Triple-DES is weakened by the Sweet32 birthday attack on 64-bit block ciphers; restrict the cipher list to what your clients actually need.
  Can take the place of Wired Equivalent Privacy (WEP) on a wireless network, because the tunnel protects traffic end to end regardless of the link-layer encryption.
  Requires only one available port: 443 (by default).
  Makes client IP addresses either invisible or visible to accessed network applications, by application or host. When client addresses are hidden, the remote user's VPN connection looks to the private network like a session originating at the Firebox SSL rather than a reachable host, so nothing on the private network can open a connection to the client, which blocks worm traversal in that direction.
  Does not touch client-side route tables.
  Supports configurable host check rules to ensure that a VPN user's computer meets the requirements of the rule. You can require that a connecting computer has a particular registry path, file, and/or active process. For example, host check rules enable you to enforce real-time checking of the presence of firewall or antivirus software; if a VPN user stops the firewall or antivirus software, the VPN tunnel is immediately frozen.
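The host check behaviour described in the last row, as an added worked example. This is illustrative Python written for this page, not Firebox SSL or WatchGuard code: the Firebox SSL's own rule syntax is documented in Chapter 5, not here, so the nested "all"/"any" rule groups, the client snapshot format, and the sample policy (a firewall process plus an antivirus indicator) are assumptions. What it shows is the part the guide states: the three rule kinds (registry path, file, active process), case-insensitive matching as Windows does it, and a tunnel that is frozen the moment a periodic re-check fails.

```python
"""Host check evaluation: an added example, not code from the Firebox SSL.

Models the three rule kinds the guide names (registry path, file, active
process) and the effect it describes: when a rule stops passing at a later
check, the tunnel is frozen. Rule syntax, snapshot format and the sample
policy are assumptions made for this example.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """What the client reports about itself at one check interval (constructed data)."""
    registry_paths: frozenset
    files: frozenset
    processes: frozenset


def _norm(s):
    # Windows paths, registry keys and image names are case-insensitive;
    # compare them in one canonical form.
    return s.strip().lower().replace("/", "\\")


def check(rule, snap):
    """Recursively evaluate a rule against a snapshot.

    Leaves are ("registry" | "file" | "process", target).
    Groups are {"all": [...]} or {"any": [...]}, the guide's "and/or".
    """
    if isinstance(rule, dict):
        if "all" in rule:
            return all(check(r, snap) for r in rule["all"])
        if "any" in rule:
            return any(check(r, snap) for r in rule["any"])
        raise ValueError("group must be 'all' or 'any'")
    kind, target = rule
    pool = {"registry": snap.registry_paths,
            "file": snap.files,
            "process": snap.processes}[kind]
    return _norm(target) in {_norm(x) for x in pool}


class Tunnel:
    """Tunnel state driven by periodic re-checks: 'established' while the
    policy holds, 'frozen' as soon as it fails. Resuming when the policy
    passes again is an assumption; the guide only describes the freeze."""

    def __init__(self, policy):
        self.policy = policy
        self.state = "established"

    def recheck(self, snap):
        self.state = "established" if check(self.policy, snap) else "frozen"
        return self.state


# Constructed policy: a firewall process AND an antivirus indicator
# (either a running engine process or its registry key).
POLICY = {"all": [
    ("process", "firewall.exe"),
    {"any": [("process", "avengine.exe"),
             ("registry", r"HKLM\SOFTWARE\ExampleAV")]},
]}


def demo():
    """Three consecutive checks: healthy, firewall stopped, firewall restarted."""
    t = Tunnel(POLICY)
    healthy = Snapshot(frozenset({r"HKLM\SOFTWARE\ExampleAV"}),
                       frozenset(),
                       frozenset({"explorer.exe", "Firewall.EXE"}))
    firewall_stopped = Snapshot(healthy.registry_paths,
                                frozenset(),
                                frozenset({"explorer.exe", "avengine.exe"}))
    return [t.recheck(healthy), t.recheck(firewall_stopped), t.recheck(healthy)]


if __name__ == "__main__":
    print(demo())
```

The second check fails only because firewall.exe disappeared; the antivirus branch still passes through its registry key, which is the "and/or" the guide mentions. Note that a check of this kind trusts the client's own report of its state, so it raises the bar against careless users rather than against a deliberately modified endpoint.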
The User Experience

The Firebox SSL provides users with the desktop-like network experience that they have with an IPSec VPN, but without any need to configure a client. The user starts the Secure Access client by accessing a secure web URL through a standard web browser and then providing authentication credentials. Because the tunnel runs over HTTPS on port 443, which nearly every firewall permits outbound, remote users can reach the Firebox SSL regardless of their location. For a more detailed description of the user experience, see Connecting from a Private Computer on page 56. The following illustration shows the default Windows version of the Access Portal.

NOTE The portal page is customizable, as described in Customizing VPN Portal Pages on page 108. You can also include a link to the clients on a website, as described in Linking to the VPN Clients from Your Website on page 115.

After a successful login, the user can work with network shares and run applications just as if the user were sitting inside the organization's firewall. The remote user does not need to reconfigure any client application and works with client applications in their native user interface.

Deployment and Administration

The Firebox SSL is fast to deploy and simple to administer. You install the Firebox SSL in your organization's DMZ, giving it access to the external and internal networks. The most typical deployment configuration is to locate the Firebox SSL behind your firewall or to straddle the firewall. More complex deployments, such as with a server load balancer, are also supported and described in Deployment Options on page 16.

The first time that you start the Firebox SSL, you use the Firebox SSL Administration Tool to configure the basic settings that

are specific to your site, such as the Firebox SSL IP address, netmask, default gateway IP address, and DNS addresses. After you complete the basic connection, you then configure the settings specific to VPN operation, such as the options for authentication, authorization, and group-based access control, kiosk operation, host checking, portal pages, and IP pools.

All Firebox SSL administration and monitoring is performed through the Firebox SSL Remote Admin Terminal window, which provides access to the Administration Tool and a variety of standard network monitoring tools, including Ethereal Network Monitor, xnettools, Traceroute, fnetload, and System Monitor. The Firebox SSL Remote Admin Terminal window also provides access to the Real-time Monitor, where you can view a list of current VPN users and groups and close the VPN connection for any user or group.

You will need to provide remote VPN users with the URL of the Firebox SSL and a list of the resources that they can access. Remote users can log in with their usual credentials and do not need to perform any configuration of the Secure Access client or any application clients, resulting in minimal user support.

Firebox SSL Operation

The Firebox SSL performs the following functions:

- Authentication
- Termination of encrypted sessions
- Access control (based on permissions)
- Data traffic relay (when the first three functions are met)

The Firebox SSL operates as follows:

1. A remote user obtains the Secure Access client by accessing a secure web URL and providing authentication credentials.
2. After a successful login, the Firebox SSL establishes a secure tunnel.
3. As the remote user attempts to access network resources across the VPN tunnel, the Secure Access client encrypts all network traffic destined for the organization's intranet and forwards

the packets and user credentials over an HTTPS session to the Firebox SSL.
4. The Firebox SSL terminates the SSL tunnel and accepts any incoming packets destined for the private network. After rewriting the packet headers, the Firebox SSL injects them into the private network. The Firebox SSL sends traffic back to the remote computer over the secure tunnel.

Those steps are detailed in the following sections:

- Starting the Secure Access Client on page 9
- Establishing the Secure Tunnel on page 10
- Tunneling Destination Private Address Traffic over SSL or TLS on page 10
- Terminating the Secure Tunnel and Returning Packets to the Client on page 12

Starting the Secure Access Client

A remote user obtains the Secure Access client by accessing a secure web URL, typically the public host name of the Firebox SSL. The Firebox SSL prompts the user for authentication over HTTP 401 Basic or Digest. The Firebox SSL authenticates the credentials with a corporate logon server (LDAP, RADIUS, RSA ACE) and, if the credentials are correct, finishes the handshake with the client personal computer. This login step is required only when the user initially downloads the Secure Access client. If the user is behind a proxy server, the user can specify the proxy server, and authentication credentials if required, before logging in by right-clicking the login dialog and choosing Advanced Options.

The Secure Access client is installed on the remote user's computer and operates between the Ethernet and IP layers, which is what lets it capture every IP packet regardless of application or protocol. After the first connection, the remote user can subsequently use a desktop shortcut to start the Secure Access client, thus bypassing the portal page login step.

Enabling Single Sign-On Operation for the Secure Access Client

If the Secure Access client is configured for single sign-on operation, it automatically starts after the user logs in to Windows. The user's Windows login credentials are passed to the Firebox

SSL for authentication. Enabling single sign-on for the Secure Access client facilitates operations on the remote computer such as installation scripts and automatic drive mapping.

Establishing the Secure Tunnel

Once the Secure Access client has been started, it establishes a secure tunnel over HTTPS port 443 (or any port configured on the Firebox SSL) and sends authentication information to validate the tunnel. Once the tunnel is established, the Firebox SSL sends configuration information to the Secure Access client describing the networks to be secured and, if you enabled IP address visibility, the IP address assigned to the client.

Tunneling Destination Private Address Traffic over SSL or TLS

After the Secure Access client is authenticated and started, all network traffic destined for the configured private networks is captured and redirected over the secure tunnel to the Firebox SSL. The Secure Access client intercepts all network connections made by the client computer and multiplexes them over the SSL tunnel to the Firebox SSL, where the traffic is de-multiplexed and the connections are forwarded to the correct host and port combination, as determined by the client-server application in real time. The Secure Access client streams any dynamic-port traffic over SSL to the Firebox SSL, where connections are re-established to the server on its desired dynamic port. On both the Firebox SSL and the Secure Access client, RTP packets are prioritized and processed before any other packets.

The connections are subject to flexible administrative security policies, which can apply to a single application, a subset of applications, or an entire intranet. You use the Firebox SSL Administration Tool to specify the resources (ranges of IP address/netmask pairs) that remote users can access through the VPN connection. All IP packets, regardless of protocol, are intercepted and transmitted over the secure link.
This is what gives the Firebox SSL IPSec-equivalent functionality. Consider TCP connections, for example. Connections from local applications on the client computer are securely tunneled to the Firebox SSL, which re-establishes the connections to the target server.
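The connection handling just described, together with the access checks and the port-mapped reverse NAT table that the following sections describe, as an added example. This is illustrative Python written for this page, not Firebox SSL or WatchGuard code; the Firebox SSL's real table layout is not documented here. The gateway's private address, the group resource ACLs (ranges of IP address/netmask pairs, as the guide describes them), the user sessions, the pooled address for one user and the port range are all constructed for the example. It shows the two decisions the guide attributes to the Firebox SSL as a packet filter (drop unauthenticated sessions, drop destinations outside the group's ACL), the two source-address choices (the Firebox SSL's own address with a mapped port, or the client's pooled private address), and the reverse lookup that sends a reply back to the right session and client port while dropping unsolicited inbound traffic.

```python
"""Tunnel termination, ACL check and reverse NAT: an added example, not
Firebox SSL code. Addresses, ACLs and sessions below are constructed."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count

GATEWAY_PRIVATE_IP = ip_address("10.0.0.5")   # assumed internal address of the gateway

# Resource ACLs per user group: ranges of IP address/netmask pairs (constructed).
GROUP_ACL = {
    "engineering": [ip_network("10.10.0.0/16"), ip_network("10.20.1.0/24")],
    "partners": [ip_network("10.20.1.0/24")],
}


@dataclass
class Session:
    user: str
    group: str
    authenticated: bool
    pool_ip: object = None   # set when IP pooling has given the user a private address


@dataclass(frozen=True)
class Flow:
    proto: str         # "tcp" or "udp"
    dst: object        # destination address on the private network
    dport: int
    client_port: int   # source port the client application used


class Gateway:
    def __init__(self):
        self._ports = count(40000)   # gateway-side ports handed out for reverse NAT
        # (proto, (src_ip, src_port), dst_ip, dport) -> (session_id, client_port)
        self.reverse_nat = {}

    def permitted(self, sess, dst):
        """Packet filter: the session must be authenticated AND the destination
        must fall inside one of the group's resource networks."""
        if not sess.authenticated:
            return False
        return any(dst in net for net in GROUP_ACL.get(sess.group, []))

    def inject(self, session_id, sess, flow):
        """Return the (ip, port) the private network sees as the source,
        or None if the packet is dropped."""
        if not self.permitted(sess, flow.dst):
            return None
        if sess.pool_ip is not None:
            # Visible address: the pooled IP and the client's own port pass through.
            src = (sess.pool_ip, flow.client_port)
        else:
            # Hidden address: the gateway's IP and a fresh port (port-mapped reverse NAT).
            src = (GATEWAY_PRIVATE_IP, next(self._ports))
        self.reverse_nat[(flow.proto, src, flow.dst, flow.dport)] = (session_id, flow.client_port)
        return src

    def return_packet(self, proto, src, sport, dst, dport):
        """Map a reply from the private network back to (session_id, client_port).
        A packet with no table entry (an unsolicited inbound connection) is dropped."""
        return self.reverse_nat.get((proto, (dst, dport), src, sport))


def demo():
    gw = Gateway()
    sessions = {
        1: Session("alice", "engineering", True),
        2: Session("bob", "partners", True, pool_ip=ip_address("10.99.0.7")),
        3: Session("mallory", "engineering", False),
    }
    r = {}
    # alice -> file server inside her group's range; her address is hidden
    r["alice"] = gw.inject(1, sessions[1], Flow("tcp", ip_address("10.10.3.4"), 445, 51000))
    # bob -> the same host, which is outside the partners ACL: dropped
    r["bob_denied"] = gw.inject(2, sessions[2], Flow("tcp", ip_address("10.10.3.4"), 445, 51001))
    # bob -> a permitted host; his pooled address is visible
    r["bob"] = gw.inject(2, sessions[2], Flow("udp", ip_address("10.20.1.9"), 5060, 5060))
    # unauthenticated session: dropped regardless of destination
    r["mallory"] = gw.inject(3, sessions[3], Flow("tcp", ip_address("10.10.3.4"), 445, 51002))
    # reply from the file server to alice's mapped port
    r["reply_alice"] = gw.return_packet("tcp", ip_address("10.10.3.4"), 445, GATEWAY_PRIVATE_IP, 40000)
    # inbound connection to a gateway port that was never mapped
    r["unsolicited"] = gw.return_packet("tcp", ip_address("10.10.3.4"), 445, GATEWAY_PRIVATE_IP, 40001)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "unsolicited" case is the mechanism behind the guide's claim that hiding client addresses blocks worm traversal: with no table entry, there is no session to deliver the packet to, so nothing on the private network can initiate a connection towards the client.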

Target servers view connections as originating from the Firebox SSL on the private network, which hides the client IP address (reverse NAT). Hiding IP addresses adds security to source locations in B2B implementations and also secures the wireless network in an organization for its users and visitors, providing a viable alternative to WEP. Locally, on the client computer, all connection-related traffic (such as SYN-ACK, PUSH, ACK and FIN packets) is recreated by the Secure Access client to appear to come from the private server.

Operation through NAT Firewalls and Proxies

Users of the Secure Access client will sometimes be located inside another organization's firewall, as shown in the following illustration. NAT firewalls maintain a NAT table that allows them to route secure packets from the Firebox SSL back to the client computer. For circuit-oriented connections, the Firebox SSL maintains a port-mapped, reverse NAT translation table. The reverse NAT translation table enables the Firebox SSL to match connections and send packets back over the tunnel to the client with

the correct port numbers so that the packets return to the correct application.

The Firebox SSL tunnel is established using industry-standard connection establishment techniques such as HTTPS, proxied HTTPS, and SOCKS. This makes the Firebox SSL firewall-friendly and allows remote computers to access private networks from behind other organizations' firewalls without creating any problems. For example, the connection can be made through an intermediate HTTP proxy by issuing an HTTP CONNECT request to the proxy for the Firebox SSL's host and port. Any credentials requested by the intermediate proxy are obtained from the remote user (from single sign-on information or by prompting the user) and presented to the intermediate proxy server. Once the HTTPS session is established, the payload of the session is encrypted and carries secure packets to the Firebox SSL.

Terminating the Secure Tunnel and Returning Packets to the Client

The Firebox SSL terminates the SSL tunnel and accepts any incoming packets destined for the private network. If the packets meet the authorization and access control criteria, the Firebox SSL regenerates the packet IP headers so that they appear to originate from the Firebox SSL's private network IP address range or from the client-assigned private IP address. The Firebox SSL then injects the packets into the network.

NOTE If you run a packet sniffer such as Ethereal on the PC where the Secure Access client is running, you will see unencrypted traffic that appears to be between the client and the Firebox SSL. That unencrypted traffic, however, is not on the tunnel between the client and the Firebox SSL but on the tunnel to the local applications. The Secure Access client maintains two tunnels: an SSL tunnel over which data is sent to the Firebox SSL (the sniffer also detects this tunnel) and a tunnel between the client and the local applications.
The encrypted data that arrives over the SSL tunnel is decrypted before being sent to the local application over the second tunnel. The packet sniffer sees

the second tunnel's traffic, which appears to be from the Firebox SSL, after the traffic is already decrypted.

When an application client connects to its application server, certain protocols may require that the application server in turn attempt to create a new connection back to the client. In this case, the client sends its known local IP address to the server by means of a custom client-server protocol. For these applications, the Secure Access client is able to provide the local client application with a private IP address representation, which the Firebox SSL will use on the internal network. Many real-time voice applications and FTP (in active mode, where the server opens the data connection) use this feature.

Performance and Real-time Traffic

Real-time applications, such as voice and video, are implemented over UDP, since TCP is not appropriate for real-time traffic because of the delay introduced by acknowledgements and retransmission of lost packets. It is more important to deliver packets in real time than to ensure that every packet is delivered. With any tunneling technology carried over TCP, however, such real-time behaviour is hard to achieve. The Firebox SSL addresses this by carrying UDP datagrams over the secure tunnel as distinct messages that carry no acknowledgement or retransmission semantics of their own: if a datagram is lost, neither the client nor the server application attempts to regenerate it, so UDP-like behaviour is preserved over the secure TCP-based tunnel. As a practical caveat, the tunnel's underlying TCP connection still retransmits any lost segment and holds back everything queued behind it (head-of-line blocking), so on a lossy link real-time traffic inside the tunnel can stall in a way that native UDP would not.

Kiosk Operation

The Firebox SSL also provides secure access to a private network from a public computer through optional kiosk operation. When remote users indicate that they are connecting from a public computer, the Firebox SSL opens a VNC-like connection in a window. For computers running Windows 2000 and above, kiosk operation is available through the Access Portal. The kiosk link can be removed from the Access Portal on a group basis.

For computers running a JVM of the required version or higher (such as Macintosh or Windows 95/98 computers), kiosk operation is available through a Java applet. For Macintosh, Safari is the supported browser.

During kiosk operation, the Firebox SSL sends images only (no data) over the VPN connection. As a result, there is no risk of leaving temporary files or cookies on the public computer; both are kept on the Firebox SSL for the session. This protects against residue, not against the public computer itself: whatever the user types or views is still exposed to any software running on that machine, so a kiosk session is not a substitute for a trusted endpoint.

As shown in the following example, the Firebox SSL kiosk display can include a web browser, several applications, and network shares. The browser defaults to a URL that is configured per group through the Firebox SSL Administration Tool. The kiosk window can also include one-click access to Citrix ICA, Remote Desktop,

SSH, Telnet 3270 emulator, and VNC clients, through icons that display in the bottom-right corner of the window. You specify for each group the applications to be included.

The kiosk window also provides one-click access to shared network drives, through icons such as the one labelled ws in the following example. The Firebox SSL administrator configures the permissions granted (read-only or read/write) to each shared network drive. The following example shows the result of opening a shared network drive. VPN users can copy files from the network share to their computer simply by dragging the file onto the KioskFTP icon and selecting the destination in the File Download dialog box.

Deployment Options

The Firebox SSL Quick Start describes how to install the Firebox SSL with a firewall, the most common configuration. You can also connect the Firebox SSL to other devices, such as a server load balancer or a router.

Connecting to a Server Load Balancer

You can connect one or more Firebox SSLs to a server load balancer. This configuration has the following characteristics:

- Incoming web traffic is intercepted by the server load balancer and load balanced between the Firebox SSLs (if more than one Firebox SSL is in use).
- For optimal performance, the server load balancer is configured with a virtual IP (VIP). The Firebox SSL uses the VIP when re-establishing its connection to the server load balancer.
- The Firebox SSL External Public Address is the external-facing (public) VIP address of the server load balancer. The Firebox SSL modifies all requests to include the External Public Address.
- The External Public Address ensures that a redirected client returns to the Firebox SSL it first encountered, providing session stickiness. The association between a particular request and the Firebox SSL is broken only when the client makes a new connection.

Because clients see the VIP rather than the individual appliances, the certificate installed on each Firebox SSL must be issued for the DNS name of the External Public Address (see Generating a Secure Certificate for the Firebox SSL on page 29).

To establish the physical connection, connect the Firebox SSL eth0 interface to the internal network. Use the Firebox SSL Administration Tool to configure network settings. Specify the IP address of the server load balancer as the Default Gateway setting on the Networking > General Networking tab.

CHAPTER 2 Administering the Firebox SSL

The following topics describe how to administer your Firebox SSL:

Using the Firebox SSL Remote Admin Terminal Window on page 18
Using the Administration Tool on page 21
Using the Serial Console on page 23
Upgrading the Firebox SSL Software on page 23
Supporting Secure Access Users on page 25
Generating a Secure Certificate for the Firebox SSL on page 29
Blocking External Access to the Administration Portal on page 39
Managing Licenses on page 40
Viewing and Changing the System Date and Time on page 41
Managing Administrative Users on page 42
Saving and Restoring the Configuration on page 43
Managing VPN Connections on page 45
Restarting the Firebox SSL on page 49
Shutting Down the Firebox SSL on page 49

NOTE This chapter assumes that you have set up the Firebox SSL hardware and performed the initial configuration as described in the Firebox SSL Quick Start.

Using the Firebox SSL Remote Admin Terminal Window

The VNC-like Firebox SSL Remote Admin Terminal window provides access to Firebox SSL configuration and monitoring tools. As shown in the following illustration, the Remote Admin Terminal window includes the Administration Tool, a graphical interface used to configure the Firebox SSL. The Remote Admin Terminal taskbar also includes one-click access to a variety of standard Linux monitoring applications, as well as the Real-time Monitor, used to view and manage open VPN connections, and the system time and date.

[Illustration: the Remote Admin Terminal window, with callouts for the Administration Tool tabs, Help, Taskbar, Administration Tool, Monitoring, Workspace Switcher, Processor Usage, Applications and Taskbar Buttons, Network Usage, Real-time Monitor, and System Time/Date.]

To open the Remote Admin Terminal window:
1 Make sure that the Firebox SSL is running.
2 From a web browser, connect to the Firebox SSL by entering the Administration Portal URL, which is formed from ipaddress, the IP address of your Firebox SSL, and the administration port of your Firebox SSL.
3 If a Security Alert dialog box appears, click Yes. The alert appears because the certificate shipped with the Firebox SSL is not signed by a Certificate Authority; see Generating a Secure Certificate for the Firebox SSL on page 29.
The Firebox SSL Administration Portal appears.

From the Downloads page, you can launch or download the Administration Tool and download documentation, portal page templates, and a sample e-mail that you can customize with instructions for VPN users.

NOTE By default, if you configure the Firebox SSL to use both LAN interfaces, the Administration Portal can be accessed from either interface. To block administration access from the external-facing interface, see Blocking External Access to the Administration Portal on page 39.

4 Click either Launch Firebox SSL Administration Tool or Download the Firebox SSL Administration Tool. (If you see a Security Warning dialog, click Yes to download the required ActiveX Helper client.)
- If you chose the launch link, skip to step 5.
- If you chose the download link, click Save to save a shortcut to your desktop, enabling you to skip the preceding steps the next time that you want to open the Remote Admin Terminal window.
5 In the Remote Admin Terminal login dialog, enter the Firebox SSL administrator credentials. Unless you have changed the default administrative account as described in Managing Administrative Users on page 42, enter root in the User Name field and rootadmin in the Password field, and then click Connect. The Remote Admin Terminal window opens.

Change the default root password before the Firebox SSL is reachable from any untrusted network: the default credentials are printed in this guide and are the first thing anyone will try against an exposed Administration Portal.

For information on the applications available from the Remote Admin Terminal window, see the following topics:
Using the Administration Tool on page 21
Monitoring Firebox SSL Operations on page 150

Using the Administration Tool

The Administration Tool, accessed from the Remote Admin Terminal window, contains all Firebox SSL configuration controls, except for administrative user account management, which is available only from the Administration Portal.

NOTE The Firebox SSL also has a command-line interface, the serial console, described in Using the Serial Console on page 23.

The serial console contains only the minimal prompts required to connect the Firebox SSL to your network.

When you open the Remote Admin Terminal window, the Administration Tool window opens inside it. If you close the Administration Tool, you can reopen it by clicking the Administration Tool icon in the taskbar of the Remote Admin Terminal window.

The left pane of the Administration Tool window displays Help information for the current tab. In a few cases, making a selection from a drop-down menu displays a new Help topic. Click a tab to view a related help topic. Choose a main menu option to view a related help topic.

NOTE When working with the Administration Tool, click Submit to apply changes. If you are prompted to restart the Firebox SSL, you can restart it when you have completed your changes.

To close the Administration Tool window, choose Options > Exit or click the close button.

Using the Serial Console

You can use the serial console to set the IP address and netmask of the Firebox SSL Interface 0, as well as the IP address of the default gateway device. All other configuration must be done through the Administration Tool. You can also use the serial console to test a connection with the ping command.

If you want to reach the Firebox SSL via the serial console before making any configuration settings, use a serial cable to connect the Firebox SSL to a computer that has terminal emulation software. Anyone with physical access to the serial port and the administrator password has the same control as from the Administration Tool, so keep the appliance in a locked rack.

To open the serial console:
1 Connect a computer to the Firebox SSL serial port.
2 Make sure that the Firebox SSL is running.
3 Start a terminal emulation application and open a connection on the serial port to which the Firebox SSL is attached. If the serial console does not open, check the settings in the terminal emulation application: set the serial connection to the required speed in bits per second, 8 data bits, no parity, and 1 stop bit.
4 Enter the administrative username (defaults to root) and password (defaults to rootadmin) when prompted. The serial console menu appears.

Upgrading the Firebox SSL Software

WatchGuard will notify you when server software upgrades are available. Before you upgrade the Firebox SSL, you might need to look up your current Firebox SSL version.

To display the version of your installed Firebox SSL: In the Administration Tool, go to the About WatchGuard Firebox SSL tab.

As described in the following procedure, you can upgrade the Firebox SSL from the Administration Portal or the Administration Tool.

To upgrade your Firebox SSL

NOTE When you upload a server upgrade, the Firebox SSL drops all active sessions, so upgrade when you know that traffic is at a minimum. Save a copy of the configuration first (see Saving and Restoring the Configuration on page 43) so that you can recover if the upgrade fails.

1 Download the upgrade file from the WatchGuard Support site to your local network. If you cannot locate the upgrade file or do not know which upgrade file to use, contact WatchGuard Support.
2 In the Firebox SSL Administration Tool, go to the Administration > Maintenance tab. Alternatively, from the Administration Portal, go to the Maintenance tab.
3 Across from Upload a Server Upgrade or Saved Config., click Browse.
4 Locate the upgrade file that you want to upload and click Open. The file is uploaded and the Firebox SSL restarts automatically.

When you upgrade the Firebox SSL, all of your configuration settings are preserved. For information on saving and restoring a configuration, see Saving and Restoring the Configuration on page 43.

Supporting Secure Access Users

To enable users to connect to and use the Firebox SSL, you need to provide them with the following information:

- The Firebox SSL URL. If a user needs VPN access from a computer that is not running Windows 2000 or above or Linux, but is running a supported Java Virtual Machine (JVM), the user can use the Java applet version of the kiosk, which has its own URL.
- The authentication realm name required for login (if you use realms other than the realm named default).
- The path to any network drives that the users can access (by mapping a network drive on their PC).
- Any system requirements for running the Firebox SSL clients, if you have configured host check rules.

Depending on the configuration of a remote user's system, you might also need to provide additional information:

- To start the Secure Access client, Windows 2000 users must have permission to install programs on their computer. For example, under Windows 2000 a user must be a member of a non-restricted group such as Power Users or Administrators (the Users group prevents a user from installing programs). This restriction applies to Windows XP for first-time installation only, not for upgrades.
- If a user runs a firewall on the remote computer, the user might need to change the firewall settings so that it does not block traffic to or from the IP addresses to which you have granted access. The Secure Access client automatically handles the Internet Connection Firewall built in to Microsoft Windows XP. For information about configuring a variety of popular firewalls, see Configuring Software Firewalls for the Secure Access Client on page 26.
- Users who wish to FTP over the Firebox SSL connection must set their FTP application to perform passive transfers. In a passive transfer the remote computer establishes the data connection to your FTP server, rather than your FTP server establishing the data connection to the remote computer.
- Users who wish to run X client applications across the VPN connection must run an X server, such as XManager, on their computer.

Because Secure Access users work with files and applications just as if they were local to the organization's network, no retraining of users or reconfiguration of applications is needed.

We have provided an e-mail template that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. We recommend that you customize the text for your site and then send it in an e-mail to your VPN users.

Configuring Software Firewalls for the Secure Access Client

If a VPN user is unable to establish a connection to the Firebox SSL or cannot access allowed resources, it is likely that the software firewall on the user's PC is blocking traffic. The Firebox SSL works with any personal firewall, provided that the firewall application allows the user to specify a trusted network or IP for the Firebox SSL. The following sections about some of the more widely-used firewall applications are intended as a supplement to the firewall vendors' documentation. In every case, add only the Firebox SSL address and the resource ranges you actually grant as trusted; do not trust whole networks just to stop the prompts.

NOTE The recommended source for current information on firewall applications is the firewall vendors' documentation.

BlackICE PC Protection on page 27
McAfee Personal Firewall Plus on page 27
Norton Personal Firewall on page 28
Sygate Personal Firewall (free and Pro versions) on page 28
Tiny Personal Firewall on page 28
ZoneAlarm Pro on page 29

BlackICE PC Protection

The following BlackICE settings enable the Secure Access client to reach the Internet and the resources allowed by the Firebox SSL. To configure the settings, open the BlackICE window and choose the following commands.

Tools > Edit BlackICE Settings
- On the Firewall tab, make sure that the Protection Level is lower than Paranoid, which would prevent you from running applications, such as e-mail, over the VPN connection.
- On the Intrusion Detection tab, add the IP address of the Firebox SSL as a trusted zone. Also add the IP address or range of allowed resources as trusted zones. When you add an IP address, be sure to select the Add Firewall Entry check box.

McAfee Personal Firewall Plus

The following McAfee Personal Firewall Plus settings enable the Secure Access client to reach the Internet and the resources allowed by the Firebox SSL. To configure the settings, open the McAfee Security Center window, click the Personal Firewall+ tab, and choose the following commands. The following settings assume that you are using the Standard security level. To check your security level, go to the Personal Firewall+ tab, click Utilities, and then click Security Settings.

NOTE By default, when you install the Secure Access client, Personal Firewall+ will prompt you to grant or block access for the application. Choose Grant Access.

Trusted & Banned IPs: Add the IP address or range of allowed resources as trusted IP addresses.
System Services: In the System Services list, select each service that you plan to use over the VPN connection.

Norton Personal Firewall

If you are using the default Norton Personal Firewall settings, you can simply respond to the Program Control alerts the first time that you attempt to start the Secure Access client or when you access a blocked location or application. When you respond to such an alert, choose the Permit action, select Always use this action, and click OK.

If you have changed the default firewall settings, you might need to manually configure the following settings in order to reach the Internet and the resources allowed by the Firebox SSL. To configure the settings, open the Norton Personal Firewall window and choose the following tabs.

Networking: You might need to add the following as trusted zones: the IP address of the Firebox SSL, and the IP address or range of allowed resources. Click Add and enter the IP address(es).
Programs: You might need to grant access to individual applications. Click Add, then browse for and select the application. When prompted, choose Permit.

Sygate Personal Firewall (free and Pro versions)

Each time that the Sygate Personal Firewall encounters new activity for which it does not have a rule, it displays a prompt. To grant access to the applications and locations that you will access through the Secure Access client, select the Remember my answer check box and click Yes when the prompt appears for the Secure Access client or for a resource you expect to reach.

Tiny Personal Firewall

The following Tiny Personal Firewall settings enable the Secure Access client to reach the Internet and the resources allowed by the Firebox SSL.

NOTE One method to configure Tiny Personal Firewall is to respond to the prompts displayed when the firewall encounters new activity for which it does not have a rule. The following information assumes that you do some pre-configuration of the firewall before installing the Secure Access client.

To configure the settings, open the Tiny Personal Firewall administration window, click the Advanced button to view the Firewall Configuration window, and then use the Filter Rule dialog box as indicated below.

Add: To permit the IP address or range of allowed resources, use the following settings:
- Protocol = TCP and UDP
- Direction = Both Directions
- Local Endpoint fields = Any
- Remote Endpoint = specify IP address(es)
- Action = Permit

After you apply the above configuration and then start the Secure Access client, Tiny Personal Firewall will display several Incoming Connection Alerts related to the Secure Access client. For each alert, select the Create appropriate filter check box and click Permit.

ZoneAlarm Pro

The following ZoneAlarm settings enable the Secure Access client to reach the Internet and the resources allowed by the Firebox SSL. To configure the settings, choose the tabs indicated in the following table.

Firewall > Zones: Define the host name of the Firebox SSL as a trusted zone.

Generating a Secure Certificate for the Firebox SSL

The Firebox SSL ships with a digital certificate that is not signed by a Certificate Authority. You should install on the Firebox SSL an X.509 digital certificate that belongs to your company and is signed by a Certificate Authority. Certificates from Verisign and Thawte are supported.

NOTE Operating the Firebox SSL without a digital certificate that is signed by a Certificate Authority exposes VPN connections to man-in-the-middle attacks, as described in About Digital Certificates and Firebox SSL Operation on page 31.

The Firebox SSL accepts a Privacy Enhanced Mail (PEM) format certificate file. PEM is a text format: the Base-64 encoding of the Distinguished Encoding Rules (DER) binary format, wrapped in BEGIN and END lines that indicate the type of content being encoded.

Before you can upload a certificate to the Firebox SSL, you need to generate a Certificate Signing Request (CSR) and a private key. We recommend using OpenSSL on Linux for all certificate tasks. If Linux is not available, we recommend the Cygwin UNIX environment for Windows, which includes an OpenSSL package. Instructions for downloading, installing, and using the Cygwin UNIX environment to generate a CSR are included in this section. If you are familiar with certificate manipulation, you can use other tools to create a PEM-formatted file.

The certificate file that you upload to the Firebox SSL must have the following characteristics:
- It must be in PEM format and must include the private key.
- The signed certificate and private key must be unencrypted.

Because the uploaded file contains the unencrypted private key, treat it like a password: restrict who can read it on the administrative PC, and delete working copies once the upload has succeeded and the configuration has been backed up.

The following topics describe how to perform the tasks associated with generating a CSR:

About Digital Certificates and Firebox SSL Operation on page 31
Overview of the Certificate Signing Request on page 32
Installing the Cygwin UNIX Environment for Windows on page 33
Generating a CSR on page 33
Unencrypting the Private Key on page 34
Converting to a PEM-Formatted Certificate on page 35
Combining the Private Key with the Signed Certificate on page 36
Generating Trusted Certificates for Multiple Levels on page 37
Uploading a Certificate to the Firebox SSL on page 38

About Digital Certificates and Firebox SSL Operation

The Firebox SSL uses its digital certificate to encrypt and authenticate traffic over a VPN connection. If the certificate installed on the Firebox SSL is not signed by a Certificate Authority, the traffic is encrypted but the Firebox SSL is not authenticated: the client has no way to tell the genuine gateway's certificate from one that an attacker made up. Only a certificate signed by a Certificate Authority that the client trusts provides that authentication.

When the connection is not authenticated, it can be compromised through a man-in-the-middle (MITM) attack. In an MITM attack, a third party positions itself between the Secure Access client and the Firebox SSL and presents its own certificate and public key to the client while impersonating the Firebox SSL. Because the client cannot distinguish the attacker's unsigned certificate from the gateway's unsigned one, the VPN user would unknowingly send authentication credentials to the attacker, who could then use them to gain access to the Firebox SSL. A certificate that is signed by a Certificate Authority prevents such attacks, provided that the client refuses connections whose certificate does not verify.

If the certificate installed on the Firebox SSL is not signed by a Certificate Authority, Secure Access and Kiosk users see the following security alert when attempting to log in. If the user chooses to establish the connection anyway, the status window and system tray icon appear as follows.

Secure Access users will see security warnings unless you install on the Firebox SSL a certificate that is signed by a Certificate Authority and the corresponding CA certificate is trusted on the VPN users' computers. Users can also disable the Security Alert through the Secure Access Connection Properties dialog box, but doing so removes the only signal that a man-in-the-middle attack is in progress; install a properly signed certificate rather than telling users to silence the alert.

Overview of the Certificate Signing Request

If you are unfamiliar with generating a CSR, review this section for background information. The general process for generating a CSR and handling the signed certificate is as follows:

1 Generate a CSR (public.csr) and private key (private.key) as described in Generating a CSR on page 33.
2 Send the public.csr file to an authorized certificate provider.
3 If you used a tool other than the Cygwin UNIX environment to generate the CSR, check the format of the private key. If it is in DER format or is encrypted, convert it to PEM format as described in Unencrypting the Private Key on page 34.
4 When you receive the signed certificate file from your SSL certification company, check the file format. If it is not in PEM format, convert it as described in Converting to a PEM-Formatted Certificate on page 35.
5 Combine the PEM-formatted signed certificate with the PEM-formatted private key (private.key) as described in Combining the Private Key with the Signed Certificate on page 36.
6 If your certificate has more than one level, handle the intermediate certificates as described in Generating Trusted Certificates for Multiple Levels on page 37.
7 Upload the certificate to the Firebox SSL as described in Uploading a Certificate to the Firebox SSL on page 38.

Installing the Cygwin UNIX Environment for Windows

If OpenSSL on Linux is not available, install the Cygwin UNIX environment for Windows. When you install Cygwin, you must select the OpenSSL packages as described in the following steps.

To install Cygwin:
1 Use a web browser to navigate to the Cygwin website and click Install Cygwin Now.
2 Follow the on-screen instructions to open the setup installer.
3 In the Cygwin Setup dialog box, click Next.
4 Click Install from Internet and then click Next.
5 Accept the default root installation directory settings and then click Next.
6 Accept the default local package directory setting and then click Next.
7 In the Internet Connection screen, click Use IE5 Settings and then click Next.
8 In the list of Available Download Sites, click ftp://ftp.nas.nasa.gov and then click Next.
9 In the Select Packages screen, click the View button (upper-right corner).
10 Scroll the package list to locate, in the Package column, openssl: The OpenSSL runtime environment and openssl-devel: The OpenSSL development environment.
11 In the New column for those two entries, click Skip. The current version number appears in place of Skip, which marks the package for installation.
12 Click Next to start the installation.

After Cygwin installs, you can generate the CSR.

Generating a CSR

These instructions to generate a CSR assume that you are using the Cygwin UNIX environment installed as described in Installing the Cygwin UNIX Environment for Windows on page 33.

To generate a CSR using the Cygwin UNIX environment:
1 Double-click the Cygwin icon on the desktop. A command window opens with a UNIX bash environment.
2 To change to a particular drive, use the command: cd driveletter:
3 At the $ prompt, type the following to generate a CSR:
openssl req -new -nodes -keyout privatekeyfilename -out certrequestfilename
For example:
openssl req -new -nodes -keyout private.key -out public.csr
Status messages about the private key generation appear. You will be prompted for information such as country name. The -nodes option writes the private key without a pass phrase, which is what the Firebox SSL requires. The command as shown lets OpenSSL choose its default key size; add -newkey rsa:2048 to generate a 2048-bit key, because older OpenSSL builds default to shorter keys that public Certificate Authorities no longer accept.
4 When prompted for the Common name, enter the DNS name of the Firebox SSL. The name that you enter will appear in the certificate and must match the name that PCs connecting to the Firebox SSL expect. Thus, if you alias DNS names, use the alias name instead.
5 Submit your CSR (public.csr) to an authorized certificate provider such as Verisign. When asked for the type of server the certificate will be used with, indicate Apache. (If you indicate Microsoft, the certificate might be returned in PKCS7 format, and you will need to follow the procedure in Converting to a PEM-Formatted Certificate on page 35 to convert it to PEM format.) The certificate provider will return a signed certificate to you by e-mail within several days.

Unencrypting the Private Key

The following procedure is not needed if you use the Cygwin UNIX environment to generate the CSR and private key, because the -nodes option above leaves the key unencrypted. Follow this procedure only if the method you use to generate the private key results in an encrypted key.

To unencrypt the private key:
1 At the $ prompt enter the command:
openssl rsa
If you enter this command without arguments, OpenSSL reads the key from standard input and prompts as follows:
read RSA key
2 Supply the encrypted key and, when prompted, enter the pass phrase that protects it. The unencrypted key is written to standard output.

You can also enter the openssl rsa command with arguments if you know the name of the private key file and the unencrypted output file. For example, if the private key filename is my_keytag_key.pvk and the unencrypted filename is keyout.pem, enter:
openssl rsa -in my_keytag_key.pvk -out keyout.pem
openssl rsa expects a PEM-encoded key unless you add -inform to say otherwise.

For more information, refer to the OpenSSL documentation for the rsa command. For information on downloading OpenSSL for Windows, refer to the OpenSSL website.

Converting to a PEM-Formatted Certificate

The signed certificate file that you receive from your certificate provider might not be in PEM format. If the file is in binary (DER) format, convert it to PEM format as follows:
openssl x509 -in certfile -inform DER -outform PEM -out convertedcertfile

If the certificate is already in a text format, it may be in PKCS7 format. (You will receive a PKCS7-formatted certificate if you specified that the certificate will be used with a Microsoft rather than an Apache server.) The following command results in an error message if the certificate is not in PEM format. The certfile should not contain the private key when you run this command.
openssl verify -verbose -CApath /tmp certfile
Because /tmp holds no CA certificates, this command is only a format check: a message about being unable to get the local issuer certificate is expected and does not indicate a problem with the file.

If that command results in the following error message, the file is not in PEM format.
certfile: unable to load certificate file
4840:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:781:

To convert the certificate from PKCS7 to PEM format:
1 Run the command:
openssl pkcs7 -in ./certfile -print_certs
(If the PKCS7 file is binary rather than text, add -inform DER.)
The output will look like this:
subject=
-----BEGIN CERTIFICATE-----
<Server Certificate>
-----END CERTIFICATE-----
subject=
-----BEGIN CERTIFICATE-----
<Intermediate Cert>
-----END CERTIFICATE-----
2 Combine the server certificate data and the intermediate certificate data (if it exists) from the output with the private key as described in Combining the Private Key with the Signed Certificate on page 36 and Generating Trusted Certificates for Multiple Levels on page 37.

Combining the Private Key with the Signed Certificate

You must combine the signed certificate with the private key before you can upload it to the Firebox SSL.

To combine the private key with the signed certificate:
1 Use a text editor to combine the unencrypted private key with the signed certificate in the PEM file format. The file contents should look similar to the following:
-----BEGIN RSA PRIVATE KEY-----
<Unencrypted Private Key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<Signed Certificate>
-----END CERTIFICATE-----
2 Save and name the PEM file. For example, AccessGateway.pem.

Generating Trusted Certificates for Multiple Levels

NOTE Any certificate that has more than one level must include all intermediate certificates, or the system may become unusable.

You must determine whether your certificate has more than one level and, if it does, handle the intermediate certificates properly.

To generate trusted certificates for multiple levels:
1 Open Internet Explorer and access a page through the Firebox SSL. For example, enter a URL built from ipaddress, the IP address of your Firebox SSL, and httpport, the Firebox SSL HTTP port number.
2 Double-click the Lock symbol in the bottom right corner of the browser.

3 Switch to the Certification Path pane at the top of the screen.
4 Double-click the first path level to bring up the Certificate information for the first level, and then go to the Details screen.
5 Click the Copy to File button at the bottom.
6 After the Certificate Export Wizard appears, click Next.
7 Click the format Base-64 encoded and then click Next.
8 Enter a filename. For example, G:\tmp\root.cer.
9 Review the information and note the complete filename. Click Finish.
10 Click OK to close the Certificate information window for the first level.
11 Repeat steps 4 to 10 for all levels except the last level.
12 Insert all certificates into one file, and make sure that any intermediate certificates are part of any certificate file you upload. The file to be uploaded should have the following layout, with the intermediate that signed the server certificate listed first:
private key
Server Certificate
Intermediate Certificate 0
Intermediate Certificate 1
Intermediate Certificate 2

Uploading a Certificate to the Firebox SSL

After you have obtained and assembled a properly formatted, signed certificate and private key, you can upload the file to the Firebox SSL.

NOTE When you save the Firebox SSL configuration, the uploaded certificates are included in the backup. The backup therefore contains the private key; protect the backup file accordingly.

To upload a certificate file:
1 In the Administration Tool, go to the Administration > Maintenance tab.
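The certificate procedure above, from an encrypted or oddly formatted key and certificate through to the single PEM file the Firebox SSL accepts, as an added shell example that is not part of this guide or of the WatchGuard product. It covers Unencrypting the Private Key, Converting to a PEM-Formatted Certificate, Combining the Private Key with the Signed Certificate and Generating Trusted Certificates for Multiple Levels using only the OpenSSL command line, as the guide does, and adds the checks worth running before you upload: that the key in the file is unencrypted and really belongs to the server certificate, that the certificate is not self-signed like the factory one, that the chain verifies to the root, and that the name matches the External Public Address. The host name vpn.example.com, the file names, and the throw-away root and intermediate CA that the demo builds are all constructed for the example; the upload itself still happens through the Administration Tool.

```shell
#!/bin/sh
# Added example, not WatchGuard/Citrix code: assemble the single PEM file the
# Firebox SSL expects (unencrypted key, server certificate, intermediates) and
# run the pre-upload checks. Requires the openssl command line tool only.
set -eu

# to_pem IN OUT: accept whatever the CA returned (PEM, binary DER, or a PKCS#7
# .p7b bundle in either encoding) and write plain PEM certificate blocks.
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then
    cp "$1" "$2"
  elif openssl x509 -in "$1" -inform DER -out "$2" 2>/dev/null; then
    :   # binary DER
  elif openssl pkcs7 -in "$1" -inform DER -print_certs -out "$2" 2>/dev/null ||
       openssl pkcs7 -in "$1" -print_certs -out "$2" 2>/dev/null; then
    :   # PKCS#7, what a CA returns when you asked for a "Microsoft" server
  else
    echo "$1: not PEM, DER or PKCS#7" >&2; return 1
  fi
}

# key_to_pem IN OUT: write the key without a pass phrase (set KEYPASS to run
# unattended). OpenSSL 3 writes PKCS#8 "BEGIN PRIVATE KEY" unless told
# -traditional; the guide shows the PKCS#1 "BEGIN RSA PRIVATE KEY" form.
key_to_pem() {
  pw=${KEYPASS:+-passin env:KEYPASS}
  openssl rsa -in "$1" $pw -traditional -out "$2" 2>/dev/null ||
    openssl rsa -in "$1" $pw -out "$2"
}

# build_bundle KEY CERTFILE...: print the key, then every certificate block
# from the given files in order: server certificate first, then intermediates
# from the one that signed it upward. The root is left out (clients hold it).
build_bundle() {
  cat "$1"; shift
  for f in "$@"; do
    awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "$f"   # drops subject= lines
  done
}

# check_bundle BUNDLE ROOTCA HOST: fail on the mistakes that make the uploaded
# file useless or dangerous: encrypted or mismatched key, self-signed
# (factory-style) certificate, broken chain, or a name that is not HOST.
check_bundle() {
  b=$1; root=$2; host=$3; t=$(mktemp -d)
  grep -q 'BEGIN RSA PRIVATE KEY' "$b" || { echo "no PKCS#1 RSA key in $b" >&2; return 1; }
  if grep -q 'ENCRYPTED' "$b"; then echo "key is still encrypted" >&2; return 1; fi
  awk '/BEGIN CERTIFICATE/{n++} n==1' "$b" > "$t/server.pem"
  awk '/BEGIN CERTIFICATE/{n++} n>=2' "$b" > "$t/chain.pem"
  [ "$(openssl pkey -in "$b" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$t/server.pem" -noout -pubkey)" ] ||
    { echo "private key does not belong to the server certificate" >&2; return 1; }
  s=$(openssl x509 -in "$t/server.pem" -noout -subject)
  i=$(openssl x509 -in "$t/server.pem" -noout -issuer)
  [ "${s#subject=}" != "${i#issuer=}" ] ||
    { echo "server certificate is self-signed" >&2; return 1; }
  if [ -s "$t/chain.pem" ]; then u="-untrusted $t/chain.pem"; else u=""; fi
  openssl verify -CAfile "$root" $u -verify_hostname "$host" "$t/server.pem" >/dev/null ||
    { echo "chain does not verify to $root, or name is not $host" >&2; return 1; }
  rm -rf "$t"
}

# make_demo_pki DIR HOST: constructed test material (root -> intermediate ->
# server) so the functions can be exercised offline. Not a real CA.
make_demo_pki() {
  d=$1; h=$2
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$h" > "$d/srv.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Demo Root' -days 2 \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 1 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$h" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 2 -days 2 -extfile "$d/srv.ext" -out "$d/server.pem" 2>/dev/null
}

# demo: the whole flow against the constructed CA; vpn.example.com is assumed.
demo() {
  d=$(mktemp -d); h=vpn.example.com
  make_demo_pki "$d" "$h"
  key_to_pem "$d/server.key" "$d/private.key"
  build_bundle "$d/private.key" "$d/server.pem" "$d/int.pem" > "$d/AccessGateway.pem"
  check_bundle "$d/AccessGateway.pem" "$d/root.pem" "$h" &&
    echo "$d/AccessGateway.pem is ready to upload"
}
case "${1:-}" in demo) demo ;; esac
```

Run the script with the demo argument to watch the whole flow against the constructed CA, or source it and call build_bundle and check_bundle on your own files, passing the CA's root certificate as the second argument to check_bundle. The chain is written server certificate first and then intermediates in signing order; leaving the root out is the example's choice, since clients must already hold it, and not a documented requirement of the appliance. A check_bundle failure is the condition under which the guide says the system "may become unusable", so it is worth running before every upload rather than after.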

45 Blocking External Access to the Administration Portal Alternatively, go to the Administration Portal and click the Maintenance tab. 2 Across from Upload a Certificate, click Browse. 3 Locate the file you want to upload and click Open. 4 After the upload is complete, go to the Networking > General Networking tab. 5 Set the Interface 0 External Public Address to the DNS name for which the certificate was registered. Blocking External Access to the Administration Portal By default, if the Firebox SSL is configured to use both interfaces, the external-facing interface can be used to access the Administration Portal from outside of the firewall. To block access to the Administration Portal from the external-facing interface, clear the check box for this option. To block external access to the Administration Portal: 1 In the Firebox SSL Administration Tool, go to the Administration > Maintenance tab. Firebox SSL VPN Gateway Administration Guide 39

2 Clear the check box for Enable External Administration.
3 Click Apply Change.

Managing Licenses

Firebox SSL licensing limits the number of concurrent VPN user sessions to the number of licenses purchased. Thus, if you purchase 100 licenses, you can have 100 concurrent VPN sessions at any time. When a user ends a session, that license is freed for the next VPN user. A user who logs into the Firebox SSL from more than one computer occupies a license for each session.

Once all licenses are occupied, no additional VPN connections can be opened until a VPN user ends a session or the administrator has used the Firebox SSL Real-time Monitor to close a connection, thereby freeing a license. For information on using the Real-time Monitor to close connections, see Managing VPN Connections on page 45.

When you purchase the Firebox SSL or additional licenses, you will receive an email that contains a link to a download location. After you download the license file(s), we recommend that you manage them as follows.

To manage licenses:
1 On the administrative PC where you run the Firebox SSL Administration Tool, create a license directory.
2 Copy the license file (.lic) that you downloaded to the license directory. We recommend that you retain a local copy of all license files that you receive from WatchGuard. When you save a backup

copy of the configuration file, all uploaded license files are included in the backup. If you need to reinstall the Firebox SSL server software and do not have a backup of the configuration, you will need the original license files.

Do not overwrite any .lic files in the license directory. If another file in that directory has the same name, you should rename the newly received file. The Firebox SSL software calculates your licensed features based on all .lic files that are uploaded to the Firebox SSL.

Do not edit a .lic file or the Firebox SSL software will ignore any features associated with that license file. The contents of the file are encrypted and must remain intact.

Should you copy, rename, or insert a license file multiple times, the Firebox SSL will use only the original file and will ignore any duplicate files.

To upload a license file:
1 In the Administration Tool, go to the Administration > Licensing tab.
2 Click Browse and locate the .lic file that you want to upload. License files should be stored on the administrative PC where you run the Firebox SSL Administration Tool.
3 Click Open to upload the license file.

Viewing and Changing the System Date and Time

The system time displays on the right side of the taskbar in the Remote Admin Terminal window. To view the system date, mouse over the system time.

To view a calendar, click the system time. Click the system time again to hide the calendar.

To change the system date and time:
1 In the Administration Tool, go to the Administration > Date tab.
2 Select a time zone.
3 Enter the date and time and then click Submit.

Managing Administrative Users

The Firebox SSL has a default administrative user account (named root), with full access to the Firebox SSL. To protect the Firebox SSL from unauthorized access, you should change the default password during your initial configuration.

NOTE To reset the root administrative password to its default, you must reinstall the Firebox SSL server software.

The Firebox SSL is pre-configured with a default username and password (root/rootadmin). We recommend that you change the root password.

To change the root administrator password:
1 In the Administration Tool, go to the Administration > Admin Users tab.
2 Enter the new password and click Change Password.

Saving and Restoring the Configuration

When you upgrade the Firebox SSL, all of your configuration settings, including uploaded certificates, licenses, and portal pages, are automatically restored. However, if you reinstall the Firebox SSL software, you must manually restore your configuration settings.

NOTE Before using the Recovery CD to reinstall the Firebox SSL software, save your configuration. Reinstalling the Firebox SSL software returns the Firebox SSL to its pre-configured state.

If you have saved your configuration settings, as described in this section, you can easily restore them.

NOTE You can also save and restore configuration settings from the Maintenance tab of the Administration Portal.

To save the Firebox SSL configuration:
1 In the Administration Tool, go to the Administration > Maintenance tab.
2 Click Save Configuration. The entire Firebox SSL configuration, including system files, uploaded licenses, and uploaded server certificates, is saved to your computer in a file named config.restore.

To restore a saved configuration:
1 In the Administration Tool, go to the Administration > Maintenance tab.
2 Across from Upload a Server Upgrade or Saved Config., click Browse.
3 Locate the file named config.restore and click Open. After the configuration file is uploaded, the Firebox SSL restarts. All of your configuration settings, licenses, and certificates will be restored.
4 If you use RSA SecurID authentication, you must reset the node secret on the RSA ACE/Server, as described in Resetting the Node Secret on page 99. Because the Firebox SSL has been re-imaged, the node secret no longer resides on it and an attempt to authenticate with the RSA ACE/Server will fail.

Managing VPN Connections

The Real-time Monitor lists the open VPN connections by user name and MAC address. For each VPN user, the type of connection by protocol (TCP, UDP, etc.) is also listed. The Target IP and Target Port provide additional information about the connection. For example, connections to port 21 are FTP connections and connections to port 23 are Telnet connections.

You can manage connections as follows:
- You can close a type of connection (TCP, UDP, etc.). For example, suppose that a user has a TCP connection to a Target IP (perhaps a mapped drive) that should be off-limits to the user. You can correct the ACL for the user's group (Configuring Resource ACLs for a User Group on page 124) and then close the TCP connection. If you do not correct the ACL before closing the connection, the user will be able to re-establish the TCP connection.

NOTE The Firebox SSL maintains connections to Target IPs that are required for VPN operations. Closing any of those connections will temporarily close a VPN connection.

- You can disable a user's connection and prevent subsequent logins from that user at the listed MAC address. The user will be able to log in from a different MAC address.
- You can re-enable a username/MAC address combination.

The following sections describe connection management and use of the Real-time Monitor:
- About Connection Handling on page 46
- Closing a Connection to a Resource on page 47
- Disabling/Enabling a VPN User on page 48
- Monitoring Firebox SSL Operations on page 150

About Connection Handling

If a VPN user abruptly disconnects the network or puts the computer in hibernate or standby mode, the SSL/TCP connection to the Firebox SSL is terminated after a maximum wait period of ten minutes. (A shorter wait period would penalize VPN users who use slow connections.)

This handling of VPN connections results in the following:
- The VPN user might continue to appear active in the Firebox SSL Real-time Monitor for about ten minutes, after which the VPN connection is terminated.
- The inactive VPN user occupies a license until the wait period expires and the VPN connection is closed. Suppose that you have a license for ten users and all ten users have logged into the Firebox SSL, leaving no available licenses. If one of the active users goes into standby mode, that user's license is not available for ten minutes.
- The wait period does not apply to connections that are terminated through the Real-time Monitor.

Closing a Connection to a Resource

Without disrupting a user's VPN connection, you can temporarily close the user's connection to a particular resource. To prevent the user from connecting to the resource, correct the user's group ACL.

To close a connection:
1 In the Remote Admin Terminal window, click the Real-time Monitor icon.
2 Click to expand the user's entry.
3 Right-click the connection that you want to close, and select Close connection.

NOTE The Firebox SSL maintains connections to Target IPs that are required for VPN operations. Closing any of those connections will temporarily close a VPN connection.

Disabling/Enabling a VPN User

The Firebox SSL tracks user connections by a combination of user name and MAC address, enabling a user to establish simultaneous VPN connections from different computers. You can disable and enable a user/MAC address combination. Disabling a user frees a license.

To disable a user at a particular MAC address:
1 In the Remote Admin Terminal window, click the Real-time Monitor icon.
2 Right-click the main entry for the user and choose Disable User from MAC. The user will be unable to establish a VPN connection from that MAC address until you re-enable the user or restart the Firebox SSL.

To re-enable a user at a particular MAC address:
1 In the Remote Admin Terminal window, click the Real-time Monitor icon.
2 Right-click the user's entry and choose Enable User from MAC.

The user will be able to establish a VPN connection provided that there is an available license.

Restarting the Firebox SSL

To restart the Firebox SSL:
From the Administration Tool, go to the Administration > Maintenance tab and click Reboot.
or
From the Administration Portal, go to the Maintenance tab and click Reboot.

Shutting Down the Firebox SSL

Never shut down the Firebox SSL by powering it off. Use the command provided to shut down the device. Use the power switch only to power on the device.

To shut down the Firebox SSL:
From the Administration Tool, go to the Administration > Maintenance tab and click Shut Down.
or
From the Administration Portal, go to the Maintenance tab and click Shut Down.
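The rules spread across Managing Licenses, About Connection Handling and Disabling/Enabling a VPN User interact in ways that are easy to misjudge when capacity planning: a user in standby holds a license for the full ten-minute wait period, a Real-time Monitor close or a Disable User from MAC frees it at once, and the block applies only to that user/MAC pair. The following model is an added example, not the gateway's own code; the class, method names and the constructed MAC addresses are assumptions, and the behaviour encoded is exactly what the text above states.

```python
"""Model of the licence and connection-handling rules from Chapter 2.

Added example, not the gateway's own code. It assumes exactly what the
guide states: one licence per open session, sessions keyed by user name
plus MAC address, a ten-minute wait before a session whose client vanished
is torn down, immediate release when the administrator closes or disables
the session in the Real-time Monitor, and that disabling a user/MAC pair
blocks logins from that MAC only.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

GRACE_SECONDS = 10 * 60  # maximum wait period from "About Connection Handling"


@dataclass
class Session:
    user: str
    mac: str
    opened_at: float
    dropped_at: Optional[float] = None  # set when the client vanished without logging off


class LicenseTracker:
    def __init__(self, licenses: int):
        self.licenses = licenses
        self.sessions: Dict[Tuple[str, str], Session] = {}
        self.disabled: Set[Tuple[str, str]] = set()

    def in_use(self) -> int:
        return len(self.sessions)

    def login(self, user: str, mac: str, now: float) -> bool:
        """Open a session; False if this user/MAC is disabled or no licence is free."""
        key = (user, mac)
        if key in self.disabled:
            return False
        if key in self.sessions:
            return True  # already connected from this computer
        if self.in_use() >= self.licenses:
            return False
        self.sessions[key] = Session(user, mac, now)
        return True

    def logoff(self, user: str, mac: str) -> None:
        """Clean logoff frees the licence immediately."""
        self.sessions.pop((user, mac), None)

    def client_vanished(self, user: str, mac: str, now: float) -> None:
        """Standby, hibernate or an abrupt disconnect: the session lingers for the wait period."""
        session = self.sessions.get((user, mac))
        if session is not None and session.dropped_at is None:
            session.dropped_at = now

    def expire(self, now: float):
        """Tear down vanished sessions whose wait period has elapsed; return their keys."""
        expired = [key for key, s in self.sessions.items()
                   if s.dropped_at is not None and now - s.dropped_at >= GRACE_SECONDS]
        for key in expired:
            del self.sessions[key]
        return expired

    def monitor_close(self, user: str, mac: str) -> None:
        """Administrator closes the session in the Real-time Monitor: no wait period."""
        self.sessions.pop((user, mac), None)

    def disable_user_from_mac(self, user: str, mac: str) -> None:
        """Disable User from MAC: frees the licence and blocks that user/MAC pair."""
        self.disabled.add((user, mac))
        self.sessions.pop((user, mac), None)

    def enable_user_from_mac(self, user: str, mac: str) -> None:
        self.disabled.discard((user, mac))


def walkthrough():
    """The guide's scenario: ten licences all in use, then one user goes into standby."""
    tracker = LicenseTracker(licenses=10)
    macs = [f"00:11:22:33:44:{i:02x}" for i in range(10)]  # constructed MAC addresses
    for i in range(10):
        tracker.login(f"user{i}", macs[i], now=0)
    result = {}
    result["eleventh_login_refused"] = not tracker.login("user10", "aa:bb:cc:dd:ee:ff", now=1)
    tracker.client_vanished("user0", macs[0], now=60)
    tracker.expire(now=120)  # still inside the wait period, nothing is freed
    result["licence_held_during_wait"] = not tracker.login("user10", "aa:bb:cc:dd:ee:ff", now=120)
    tracker.expire(now=60 + GRACE_SECONDS)
    result["licence_freed_after_wait"] = tracker.login("user10", "aa:bb:cc:dd:ee:ff", now=60 + GRACE_SECONDS)
    tracker.disable_user_from_mac("user1", macs[1])  # frees a licence immediately
    result["disabled_mac_refused"] = not tracker.login("user1", macs[1], now=700)
    result["same_user_other_mac_allowed"] = tracker.login("user1", "de:ad:be:ef:00:01", now=700)
    return result


if __name__ == "__main__":
    for check, ok in walkthrough().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The point of the model is the gap between "user appears active" and "license is free": an administrator who needs a license back during the wait period has to close the session in the Real-time Monitor rather than wait for the timeout, and disabling a user at one MAC does not stop the same user from consuming another license from a second computer.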


CHAPTER 3 Working with a VPN Connection

The following topics describe how to work with a VPN connection:
- Using the Access Portal on page 51
- Connecting from a Private Computer on page 56
- Connecting from a Public Computer (Kiosk Session) on page 61

Using the Access Portal

The Access Portal is an HTML page that enables a VPN user to choose the type of VPN connection to be established from a remote computer.

NOTE You can customize the portal page templates provided with the AG and assign them on a group basis, as described in Customizing VPN Portal Pages on page 108 and Choosing a Portal Page for a Group on page 130. You can also include a link to the Access Gateway clients on a website, as described in Linking to the VPN Clients from Your Website on page 115.

From the portal page, the user either starts the Secure Access or kiosk client. The Secure Access client is intended for VPN connections from a private computer, as data is transferred from the network to which the user is connecting to the user's computer. The kiosk client is useful for VPN connections from a public computer, as no data is written to the VPN user's computer. (However, if you configure network shares, a user can copy files from a shared network drive to the remote computer.)

NOTE You can configure the AG Administration Tool so that VPN users do not have the option to connect from a public computer. For information, see Configuring Kiosk Operation for a Group on page 126.

To use the Access Portal:
1 Use Internet Explorer to access the URL of the AG. For example: If the AG does not have a signed certificate installed, a Security Alert dialog box appears. Click Yes to continue.
2 In the dialog box, enter your network user name and password and then click OK. The portal page opens. This page can be customized for a site, as described in Customizing VPN Portal Pages on page 108.

If you connect from a Linux computer, the following portal page appears.

3 If connecting from a Windows computer, choose the type of VPN connection:
- If connecting from a secure computer, click My own computer. The first time that you connect to the AG (after clicking My own computer), a terms and conditions of use dialog appears. You must click I Accept to install the driver.

When the File Download dialog box appears, click Open. (It is not necessary to save the client to your desktop. A shortcut to the client will be downloaded automatically.) The Secure Access client starts loading. A shortcut will be downloaded to your computer desktop. You can subsequently start the client without going through the portal page.

If your administrator has configured the Secure Access client to start automatically, the client will start after you enter your Windows login credentials, which are also used for the Secure Access client. Thus, when you start your computer, you do not have to do anything to have a VPN connection, provided that you have a network connection and can log into Windows.

The VPN connection enables you to work with the connected site just as if you were logged in at the site. You can transfer data between your remote computer and the connected site. For more information, see Connecting from a Private Computer on page 56.

- If connecting from a public computer, click A public computer. The kiosk will open in one of two configurable modes, as described in Connecting from a Public Computer (Kiosk Session) on page 61.
4 If connecting from a Linux computer, click the Linux download link to start the download and view instructions on how to install the client.

NOTE The Linux tcl and tk packages are required for the Secure Access client.

In addition to the command net6vpn --login, which opens the login dialog for the Secure Access client, you can also enter net6vpn to see a list of other command-line options.

The Secure Access client requires a running VPN daemon in order to connect to the Access Gateway. If you lose the VPN connection, the VPN daemon may have stopped.

To check the status of the VPN daemon:
/sbin/service net6vpnd status

To restart a stopped daemon:
/sbin/service net6vpnd start
Then, click Disconnect and reenter your login credentials.

To remove the Linux VPN client:
/sbin/service net6vpnd stop
/sbin/chkconfig --del net6vpnd

rm -rf /etc/net6vpn.conf /etc/init.d/net6vpnd /usr/bin/net6vpn /usr/sbin/net6vpnd /usr/local/net6vpn/

Connecting from a Private Computer

If a user chooses the My own computer option in the Access Portal page, the VPN connection provides full access to the network resources that the user's group(s) can access, as described in Adding and Configuring User Groups on page 121. The access granted by the security policies enables users to work with the remote system just as if they were logged in locally. For example, users might be granted permission to applications, including web, client-server, and peer-to-peer such as Instant Messaging (IM), video conferencing, and real-time Voice over IP (VoIP) applications. Users can also map network drives to access allowed network resources, including shared folders and printers.

While connected to an AG, remote users cannot see network information from the site to which they are connected. For example, while connected to the AG, open a Command Prompt window and run the commands ipconfig /all or route print. You will see no network information from the VPN site.

For information on the VPN user experience when using the Secure Access client to connect to the AG, see Using the Secure Access Window on page 56. For information on kiosk operation, see Connecting from a Public Computer (Kiosk Session) on page 61.

Using the Secure Access Window

When Secure Access is loaded, you will be prompted to log in to the AG to establish the VPN connection. The AG administrator determines the authentication used through the Authentication and Local Users tab of the AG Administration Tool, as described in Configuring Authentication, Authorization, and Local Users.

NOTE If you are using the Linux client, the connection window will not include the options described in the following procedure.

To log in to the AG:
1 In the WatchGuard VPN - Connect dialog box, enter your login credentials. If the AG is configured with authentication realms and you need to connect to a realm other than the default, enter the realm name before your user name (realmname\username). Alternatively, to enter the realm name to be used each time that you log in, right-click the dialog box, click Advanced Options, and then enter the realm name. If your site uses RSA SecurID authentication, your password is your PIN plus the RSA SecurID token.
2 If you are behind a proxy server, right-click the dialog box and then click Advanced Options.

3 Select Use Proxy Host and enter the proxy server IP address and port. (The AG information is already filled in.) If the proxy server requires authentication, select the check box. When you attempt to establish a VPN connection, you first will be prompted for your proxy server login credentials.
4 To allow failover to your local DNS, select Enable Split DNS.
5 To allow the Secure Access client to automatically update, without prompts, when a new version is available on the AG, select the Always update client check box.
6 Click Connect.

NOTE If a digital certificate that is signed by a Certificate Authority is not installed on the AG, you will see a Security Alert. For more information, see About Digital Certificates and Firebox SSL Operation on page 31.

After logging in, you will see a Logging In status dialog box, followed by an Applying Network Policy status dialog box. If you have a personal Internet Connection Firewall (ICF) configured on the interface, you will also see an

Internet Sharing Configuration dialog box and will need to click Yes to continue.

When the VPN connection is established, a status window briefly appears and the Secure Access window is minimized to the system tray. The icon indicates whether the connection is enabled or disabled and flashes during activity. A shortcut to WatchGuard Secure Access is placed on your desktop.

To use the Secure Access window:
1 To open the window, double-click the icon in the system tray. Alternatively, right-click the icon and choose VPN Properties from the menu. The Secure Access window appears.
2 To view server information and a list of the secured networks, click the Details tab.

3 To view ACLs, click the Access Lists tab. (This tab does not appear for users who are not in a group.)

To close the window, click Close.

To view the Connection Log:
The Connection Log contains real-time connection information, which is particularly useful for troubleshooting connection issues.
1 Right-click the WatchGuard Secure Access icon in the system tray.
2 Choose Connection Log from the menu. The Connection Log for the session appears.

NOTE The Connection Log is written to the computer in Documents and Settings\UserName\Local Settings\Application Data\NET6\net6vpn.log. The log is overwritten each time that you establish a new VPN connection.

To end a VPN session:
Right-click the Secure Access icon in the system tray and choose Disconnect from the menu.

Connecting from a Public Computer (Kiosk Session)

Users can connect to the AG from a public computer through a kiosk session. If the computer is running Windows 2000 or above or Linux, the user clicks A public computer in the Access Portal page. If the computer is running JVM or higher, the user accesses the kiosk by running a Java kiosk client. This client provides VPN access to users on computers, such as Macintosh and Windows 95/98, that are running JVM. To access the Java client, enter the following URL in a web browser that supports Java:

To support the Java kiosk client, the AG must be configured with a certificate that is signed by a trusted Certificate Authority.

After the user clicks the appropriate link and logs in, the kiosk session opens, similar to a Virtual Network Computing (VNC) session.

[Figure: kiosk window with icons for Web Browser, Remote Desktop, VNC, Telnet 3270 Emulator, SSH, Citrix, Shared Network Drive, and FTP]

The kiosk window can include:
- A Mozilla browser window. You configure by group whether to include the Mozilla browser and the browser's default URL. Mozilla preferences, such as saved passwords, are retained for the next session.

- Icons that provide access to shared network drives. The icon labelled ws in the preceding example is a network share. The user can download files from a network share by dragging a file onto the KioskFTP icon, as described in Working with Shared Network Drives on page 63.
- Icons that provide access to a Web browser and to VNC, Remote Desktop, Telnet 3270 emulator, SSH, and Citrix ICA clients, as shown in the preceding example. You configure by group the clients to be included in the kiosk window. For information on using the clients, see the following sections:
  - Using the Citrix Client on page 65
  - Using the Remote Desktop Client on page 65
  - Using the SSH Client on page 67
  - Using the Telnet 3270 Emulator Client on page 67
  - Using the VNC Client on page 68

If the user's browser is configured to use a proxy server, the kiosk client will use the browser's proxy setting. For more background information, see Kiosk Operation on page 13.

To log in to the AG in kiosk mode:
1 Use the portal page to connect, as described in Using the Access Portal on page 51. Be sure to click A public computer. The WatchGuard VPN Login dialog box appears.
2 Enter your network login credentials and click OK.

Working with Shared Network Drives

The AG administrator can specify the shared network drives that will be accessible to any kiosk session. For each shared drive, the administrator specifies whether VPN users will have read-only or read-write access. If VPN users are granted read-write access, a user can change the files on the shared network drive, provided that the user's account has the permissions to do so.

To work with a shared network drive:
1 From the kiosk window, double-click a shared network drive icon.
2 The share window opens inside of the kiosk window.
3 To copy a file from the network drive to your computer, drag the file icon over the KioskFTP icon.
4 In the Kiosk File Download dialog box, navigate to the location where you want to copy the file and then click Open. When the FTP is complete, a message window appears.

You cannot FTP folders or copy files back to the shared network drive.

Using the Citrix Client

The Citrix ICA client enables the kiosk user to run a Citrix session over the VPN connection. During a kiosk session, your ICA settings can be saved so that they will be available to you for the next Citrix session.

To use the Citrix ICA client:
1 From the portal page, choose A public computer... and log in.
2 In the kiosk window, click the Citrix icon. The Citrix ICA Client for Linux window opens.

Using the Remote Desktop Client

The Remote Desktop client enables a kiosk user to remotely access the desktop of a server that is running Windows Terminal Services. The Remote Desktop does not require any configuration on the VPN user's computer. Through Remote Desktop the VPN user has full access to a remote server's resources, including files, applications, and network resources. Thus, the VPN user can remotely control the server, just as if the user were sitting at it. The kiosk user's work

remains on the remote server; no files, only images, are sent to the kiosk user's computer.

To use the Remote Desktop client:
1 From the portal page, choose A public computer... and log in.
2 In the kiosk window, click the Remote Desktop icon.
3 Enter your username and the remote host and click Connect.
4 Enter the credentials and network name of the remote server. The desktop of the Remote Desktop server displays in a window on your computer.
5 Work with the remote server just as if it were your local computer.

Using the SSH Client

The SSH client enables the kiosk user to establish an SSH connection to a remote computer.

To use the SSH client:
1 From the portal page, choose A public computer... and log in.
2 In the kiosk window, click the SSH icon.
3 Enter your username and SSH host name or IP address. The ssh window opens.

Using the Telnet 3270 Emulator Client

The Telnet 3270 Emulator client enables the kiosk user to establish a Telnet 3270 connection to a remote computer.

To use the Telnet 3270 Emulator client:
1 From the portal page, choose A public computer... and log in.
2 In the kiosk window, click the Telnet 3270 Emulator icon. The x3270 window opens.

3 Left-click Connect and choose Other from the menu. The x3270 Connect window opens.
4 Enter the host name or IP address and click Connect to log in and receive a prompt.
5 To view the 3270 keypad, click the keypad icon in the upper-right corner.

Using the VNC Client

The VNC client enables a kiosk user to remotely access the desktop of a VNC server. The kiosk user's work remains on the remote server; no files, only images, are sent to the kiosk user's computer.

To use the VNC client:
1 From the portal page, choose A public computer... and log in.
2 In the kiosk window, click the VNC icon.
3 Enter the IP address of the VNC host, your password for the server, and click Connect.

The desktop of the VNC server displays in a window on your computer.
4 Work with the remote server just as if it were your local computer.

NOTE To send a Ctrl-Alt-Delete to the connected server through the VNC server, press Shift-Ctrl-Alt-Delete.


CHAPTER 4 Configuring Firebox SSL Network Connections

The following topics describe how to configure Firebox SSL network connections:
- Configuring Network Interfaces on page 72
- Specifying DNS/WINS Settings on page 74
- Configuring Routes on page 75
- Configuring Failover Firebox SSLs on page 80

NOTE When you have a working configuration, we recommend that you back up the configuration, as described in Saving and Restoring the Configuration on page 43.

The configuration instructions throughout those topics assume the following setup:
- The Firebox SSL is installed. For information on installing the Firebox SSL, refer to the Firebox SSL Quick Start and the Firebox SSL Hardware Installation Guide.
- The devices to which you are connecting the Firebox SSL, such as a firewall or server load balancer, are already part of a working configuration. This guide does not cover the steps for configuring application or web servers, firewalls, or a server farm with a server load balancer.

Configuring Network Interfaces

Network interface settings define the connections between the Firebox SSL and your network. To change the network interface settings, go to the Networking > General Networking tab of the Firebox SSL Administration Tool.

The Firebox SSL network interface settings are as follows:
- IP address and subnet mask for Interface 0 and, if used, Interface 1. When connecting the Firebox SSL to your network, you typically place it either inside of a firewall, inside of a server load balancer, or straddling a firewall. If the Firebox SSL is inside of a firewall or connected to a server load balancer, choose Use Only Interface 0. If the Firebox SSL straddles the firewall, choose Use Both Interfaces. Use Interface 0 for the DMZ (external) connection and Interface 1 for the LAN (internal) connection.

For more information, see the Firebox SSL Quick Start Guide and Connecting to a Server Load Balancer on page 16, in this guide.
- External Public Address. The Firebox SSL uses the External Public Address to send its response to a request back on the correct network connection. If the External Public Address is not specified, the Firebox SSL sends responses out through the interface where the gateway is identified. If the External Public Address is specified, the Firebox SSL writes all connections to the interface with the specified host name or IP address.
- Duplex mode for each interface. Duplex mode is either auto, full duplex, or half duplex. Use the default setting, auto, unless you need to change it.
- Maximum transmission unit (MTU) for each interface. The MTU defines the maximum size of each transmitted packet. Use the default setting unless you need to change it.
- Incoming VPN port (the port on the Firebox SSL to be used for VPN connections).
- IP address of the default gateway device, such as the main router, firewall, or server load balancer, depending on your network configuration. This should be the same as the Default Gateway setting that you would find on computers on the same subnet.

For information on the relationship between the default gateway and dynamic or static routing, see Configuring Routes on page 75.

NOTE IP pooling is configured per group, as described in Enabling IP Pooling on page 131.

Specifying DNS/WINS Settings

If you use name resolution, go to the Networking > DNS/WINS tab of the Administration Tool to specify the following:
- IP address of the first, second, and third DNS servers.
- DNS suffixes. Do not precede a suffix with a dot (.). For example, specify site.com, not .site.com. Entries must be space-separated.
- WINS server IP address.
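The interface and default gateway values listed under Configuring Network Interfaces above can be checked for consistency before they are applied: the gateway must sit on the subnet of one interface, the two interfaces must not overlap, and (as Configuring Routes goes on to say) static routes belong on the interface the default gateway does not use. The following is an added example, not code from the guide or the product; the function name, the address/prefix input form and the sample addresses are assumptions for the demonstration.

```python
"""Consistency check for the Networking > General Networking values.

Added example, not the Firebox SSL's own code. It assumes the settings the
guide lists: Interface 0 (and, with Use Both Interfaces, Interface 1) each
given as address/prefix, the default gateway address, and the interface
mode. It reports the interface the default gateway sits on, so that static
routes can be placed on the other interface as "Configuring Routes" advises.
"""
import ipaddress


def check_interfaces(iface0, iface1, default_gateway, use_both):
    """iface0/iface1 are 'address/prefix' strings (iface1 may be None). Returns a result dict."""
    errors, warnings, nets = [], [], {}
    for name, spec in (("Interface 0", iface0), ("Interface 1", iface1)):
        if spec is None:
            continue
        try:
            nets[name] = ipaddress.ip_interface(spec)
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
    if use_both and "Interface 1" not in nets:
        errors.append("Use Both Interfaces is selected but Interface 1 has no address")
    if not use_both and "Interface 1" in nets:
        warnings.append("Use Only Interface 0 is selected; the Interface 1 address is ignored")
    if len(nets) == 2 and nets["Interface 0"].network.overlaps(nets["Interface 1"].network):
        errors.append("Interface 0 and Interface 1 are on overlapping subnets")

    gateway_iface = None
    try:
        gw = ipaddress.ip_address(default_gateway)
    except ValueError as exc:
        errors.append(f"default gateway: {exc}")
    else:
        on = [name for name, net in nets.items() if gw in net.network]
        if any(gw == net.ip for net in nets.values()):
            errors.append("default gateway is the same as an interface address")
        elif not on:
            errors.append("default gateway is not on the subnet of any interface")
        else:
            gateway_iface = on[0]

    # Static routes belong on the interface the default gateway does not use.
    static_route_iface = None
    if gateway_iface is not None and len(nets) == 2:
        static_route_iface = "Interface 1" if gateway_iface == "Interface 0" else "Interface 0"
    return {"errors": errors, "warnings": warnings,
            "gateway_interface": gateway_iface, "static_route_interface": static_route_iface}


if __name__ == "__main__":
    # Constructed example: Interface 0 in the DMZ, Interface 1 on the LAN.
    print(check_interfaces("203.0.113.10/24", "10.0.0.10/24", "203.0.113.1", use_both=True))
```

In the straddling-firewall layout the guide describes, the default gateway is normally the firewall or router reached through Interface 0, so the check reports Interface 1 (the LAN side) as the place for any static routes to internal networks.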

By default, the Firebox SSL checks a VPN user's remote DNS only. If you want to allow failover to a user's local DNS, go to the Global Policies tab and select the Enable Split DNS check box. The Firebox SSL fails over to the local DNS only if the specified DNS servers cannot be contacted, but not if there is a negative response.

Configuring Routes

You can configure the Firebox SSL to listen for the routes published by your routing server(s) or to use static routes that you specify. The Firebox SSL supports the Routing Information Protocol (RIP and RIP 2).

The Default Gateway field on the Networking > General Networking tab is relevant to both dynamic and static routing. If you enable the Dynamic Gateway option (when configuring dynamic routing), the default gateway will be based on the routing table, not on the value entered in the Default Gateway field. If you add a static route, choose the Firebox SSL interface not being used by the default gateway.

Configuring Dynamic Routing

When you choose dynamic routing, the Firebox SSL operates as follows:
- It listens for route information published through RIP and automatically populates its routing table.

- If the Dynamic Gateway option is enabled, the Firebox SSL uses the default gateway provided by dynamic routing, rather than the value specified on the Networking > General Networking tab.
- It disables any static routes created for the Firebox SSL. If you later choose to disable dynamic routing, any previously created static routes will redisplay in the Firebox SSL routing table.

To configure dynamic routing:
1 In the Firebox SSL Administration Tool, go to the Networking > Routes tab.
2 From the Select Routing Type menu, choose Dynamic Routing (RIP). Selecting that option disables the static routes area. If there are static routes defined, they no longer display in the routing table, although they are still available should you wish to switch back to static routing.
3 If you want to use the default gateway provided by the routing server(s), rather than the one specified in the Networking > General Networking tab, select the Enable Dynamic Gateway check box. The use of a dynamic gateway is noted in the Networking > General Networking tab with the message Gateway Provided by Dynamic Routing.
4 Choose the Firebox SSL interface(s) to be used for dynamic routing. Typically, your routing server(s) are inside your firewall, so you would choose an internal-facing interface for this setting.

5 Click Submit. Dynamic routes are not displayed in the Firebox SSL routing table.

Adding, Testing, and Removing a Static Route

When setting up communication with another host or network, you might need to add a static route from the Firebox SSL to the new destination if you do not use dynamic routing. Set up static routes on the Firebox SSL interface not being used by the default gateway. The default gateway is specified on the Networking > General Networking tab. For an example static route setup, see Static Route Example on page 78.

To add a static route:
1 In the Firebox SSL Administration Tool, go to the Networking > Routes tab.
2 Enter a descriptive name for the route.
3 Enter the IP address of the destination LAN.
4 Enter the subnet mask for the gateway device.

5 Enter the IP address for the default gateway. If you do not specify a gateway, the Firebox SSL can access content only on the local network.
6 Select the Interface for the static route. The default is eth0.
7 Click Add Static Route and then click Submit. The route name appears in the Static Routes list.

To test a static route:
1 From the Firebox SSL serial console, type 1 (Ping). Enter the host IP address for the device you want to ping and press Enter. If you are successfully communicating with the other device, messages will appear saying that the same number of packets were transmitted and received, and zero packets were lost. If you are not communicating with the other device, the status messages indicate that zero packets were received and all the packets were lost. Return to Step 1 and recreate the static route.

To remove a static route:
1 In the Firebox SSL Administration Tool, go to the Networking > Routes tab.
2 In the Static Route table, select each route that you want to delete.
3 Click Remove Route and then click Submit.

Static Route Example

Suppose the IP address of the eth0 port on your Firebox SSL is and there has been a request to access information at , to which you currently have no path. You can create a static route through the interface that is not set as your Firebox SSL default gateway, and out to the requested network address, as shown in Figure 4, Building a Static Route, on page 79.

Figure 4: Building a Static Route

Figure 4, Building a Static Route, on page 79 shows the following connections:
- The eth0 interface ( ) leads to the default gateway ( ), which connects to the rest of the network.
- The eth1 interface ( ) is set to communicate with the network and its gateway ( ). Through this gateway, the eth1 port can communicate with the network, and the server at IP address

To set up this static route, you need to establish the path between the eth1 interface and IP address

To set up the example static route:
1 Go to the Networking > Routes tab.
2 Set the IP address of the destination LAN to
3 Set the subnet mask for the gateway device.
4 Set the IP address of the default gateway to

5 Choose eth1 as the gateway device interface.
6 Click Add Static Route and then click Submit.

Configuring Failover Firebox SSLs

You can configure a Firebox SSL to fail over to multiple Firebox SSLs. Because the Firebox SSL failover is active/active, you can use each Firebox SSL as a primary gateway for a different set of users.

During its initial connection to the Secure Access client, the Firebox SSL provides the failover list to the client. If the client loses the connection to its primary Firebox SSL, it iterates through the list of failover Firebox SSLs. The client performs a DNS lookup for the first failover Firebox SSL (listed in the VPN Failover dialog box) and tries to connect to that server. If the first failover Firebox SSL is not available, the client tries the next failover server. When the client successfully connects to a failover Firebox SSL, the client prompts the user to log in.

To specify Firebox SSLs for failover:
1 In the Firebox SSL Administration Tool, go to the Networking > Failover Servers tab.
2 Enter the external IP address or the fully qualified domain name of the Firebox SSL(s) to be used for failover operation. The Firebox SSLs are used for failover in the order listed.
3 Click Submit.

CHAPTER 5
Configuring Firebox SSL Operation

Firebox SSL operation controls include authentication, authorization, network resource, and host check settings. Group-based controls include access control, host checking, portal pages, IP pools, and kiosk operation.

NOTE
All submitted configuration changes are automatically applied to the Firebox SSL and will not cause a disruption in Firebox SSL client operation. Policy changes will take effect immediately; if a VPN connection violates a new policy, it will be closed.

The following topics describe how to configure Firebox SSL operation:
- Configuring Authentication, Authorization, and Local Users on page 82
- Controlling Network Access on page 102
- Customizing VPN Portal Pages on page 108
- Configuring Host Check Rules on page 116
- Configuring Network Shares for Kiosk Sessions on page 119
- Adding and Configuring User Groups on page 121

- Enabling Split Tunneling on page 134
- Enabling Split DNS on page 135
- Enabling Session Timeout on page 136
- Configuring Internal Failover on page 137
- Forcing VPN User Re-login on page 138
- Configuring Secure Access for Single Sign-on on page 140

Configuring Authentication, Authorization, and Local Users

By default, the Firebox SSL authenticates users against a user list stored locally on the Firebox SSL. You can configure the Firebox SSL to also use LDAP, RADIUS, and/or RSA SecurID authentication servers. The Firebox SSL supports realm-based authentication to accommodate sites with more than one LDAP or RADIUS server or with a combination of LDAP, RADIUS, and/or RSA SecurID authentication servers. If a user is not located on an authentication server or fails authentication on that server, the Firebox SSL checks the user against the local user list.

After a user is authenticated, the Firebox SSL performs a group authorization check by obtaining the user's group information from either an LDAP server or the local group file (if not available on the LDAP server). If group information is available for the user, the Firebox SSL then checks the network resources allowed for the group. LDAP can be used for authorization regardless of the type(s) of authentication servers being used.

By default, the Firebox SSL obtains an authenticated user's group(s) from the local group file stored on the Firebox SSL. Alternatively, you can configure the Firebox SSL to obtain an authenticated user's group(s) from an LDAP server. If the user is not located on the LDAP server, the Firebox SSL checks its local group file. The group names obtained from the LDAP server are compared to the group names created locally on the Firebox SSL. If the two group names match, the properties of the local group apply to the group obtained from the LDAP server. For more information on groups and group names, see Adding and Configuring User Groups on page 121.

The following topics describe how to configure authentication and authorization for the Firebox SSL:
- About the Realm Named Default on page 84

- Using a Local User List for Authentication on page 84
- Using RADIUS Servers for Authentication on page 88
- Using LDAP Servers for Authentication and Authorization on page 91
- Using RSA SecurID for Authentication on page 95
- Removing an Authentication Realm on page 100
- Adding Local Users on page 100

About the Realm Named Default

The Firebox SSL has a permanent realm named Default, with the following characteristics:
- For a new installation, the Default realm is configured for local authentication.
- You can change the authentication type of the Default realm.
- You cannot remove the Default realm unless you immediately replace it with a new Default realm.
- The Default realm is assumed when a user enters only a user name when logging in to the Firebox SSL. When a user logs into any other realm, the user must log in using realmname\username. Therefore, if all of your users are authenticated against one authentication server, configure the Default realm for that type of authentication so that users will not have to enter a realm name when logging in.
- Users who authenticate against a realm other than the Default realm must specify a realm name (once in the Secure Access Connection Properties dialog box, or with their user name each time they log in).

Using a Local User List for Authentication

For a new installation, the Default realm is set to local authentication. If your site does not use a RADIUS, LDAP, or RSA server for authentication, keep the Default realm set to local authentication. This will enable users to log in to the Firebox SSL without having to enter a realm name. You can have only one realm for local authentication. You can use LDAP authorization with local authentication, as described in Using LDAP Authorization with Local Authentication on page 85.

If some users will authenticate only against the local user list on the Firebox SSL, you can keep the Default realm set to local authentication. Alternatively, you can create a different realm for local authentication and use the Default realm for another authentication type, as described in Changing the Authentication Type of the Default Realm on page 87.

NOTE
Users who authenticate against a realm other than the Default realm must specify a realm name (once in the Secure Access Connection Properties dialog box, or with their user name each time they log in).

If all users authenticate against authentication servers, you do not need a realm for local authentication. The Firebox SSL always checks locally for authentication information if a user fails to authenticate on another authentication server.

Using LDAP Authorization with Local Authentication

By default, the Firebox SSL obtains an authenticated user's group(s) from the local group file stored on the Firebox SSL. Alternatively, you can configure the Firebox SSL to obtain an authenticated user's group(s) from an LDAP server. If the user is not located on the LDAP server, the Firebox SSL checks its local group file.

To use LDAP authorization with local authentication:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users tab.

2 Open the window for the realm that is configured for local authentication. You will open the Default realm unless you have changed its authentication type.
3 Click the Authorization tab and complete the settings. See Using LDAP Servers for Authentication and Authorization on page 91 (starting with Step 5) for a description of the LDAP server settings. See Looking Up Attributes in your LDAP Directory on page 94 for information on looking up LDAP server settings.

Changing the Authentication Type of the Default Realm

When a VPN user logs in to the Default realm, the user does not have to specify a realm name. For any other realm, the user must specify a realm name when logging in. Thus, if most users will log into a non-local authentication realm, you should change the authentication type of the Default realm. To change the authentication type of the Default realm, remove the Default realm and then immediately create a new Default realm as follows.

To change the authentication type of the Default realm:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users tab.
2 Open the window for the Default realm.
3 From the Action menu, choose Remove Default realm. A warning message appears.

4 Click Yes.
5 Create a new realm named Default, choose an authentication type, and click Add.
6 Complete the window that appears. For information, see:
- Using RADIUS Servers for Authentication on page 88
- Using LDAP Servers for Authentication and Authorization on page 91
- Using RSA SecurID for Authentication on page 95

NOTE
If you remove the Default realm and do not immediately replace it as described above, the Firebox SSL retains the Default realm that you attempted to remove.

Using RADIUS Servers for Authentication

You can configure the Firebox SSL to authenticate user access with one or more RADIUS servers. For each RADIUS realm that you use for authentication, you can configure both the primary and secondary RADIUS servers. If the primary RADIUS server is unavailable, the Firebox SSL will attempt to authenticate against the secondary RADIUS server for that realm.

If a user is not located on the RADIUS servers or fails authentication, the Firebox SSL checks the user against the user information stored locally on the Firebox SSL (for more information, see Adding and Configuring User Groups on page 121).

To specify RADIUS server settings:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users tab.
2 Enter a name for the authentication realm that you will create.
NOTE
If you want the Default realm to use RADIUS authentication, remove the Default realm as described in Changing the Authentication Type of the Default Realm on page 87.
If your site has multiple authentication realms, use a name that identifies the RADIUS realm for which you will specify settings. Realm names are case-sensitive and can contain spaces.
3 From the Type menu, choose RADIUS and Local Authentication.
4 Click Add. A window for the authentication realm opens.

5 Enter the IP address and the port (default is 1812) of the RADIUS server.
6 Enter the RADIUS server secret.
7 If you use a secondary RADIUS server, enter its IP address, port, and server secret.
8 To use LDAP for authorization, click the Authorization tab and complete the settings. See Using LDAP Servers for Authentication and Authorization on page 91 (starting with Step 5) for a description of the LDAP server settings. See Looking Up Attributes in your LDAP Directory on page 94 for information on looking up LDAP server settings.

9 Click Submit.

NOTE
If you are using Microsoft Internet Authentication Service (IAS) as a RADIUS server and receive a bad username or password error when the Firebox SSL sends a request to the configured RADIUS server, check the following IAS setting: In IAS Remote Access Policies, under the applied policy's properties in the Authentication tab, make sure "unencrypted authentication (PAP, SPAP)" is selected.

Using LDAP Servers for Authentication and Authorization

You can configure the Firebox SSL to authenticate user access with one or more LDAP servers. If a user is not located in an LDAP directory or fails authentication on a server, the Firebox SSL checks the user against the user information stored locally on the Firebox SSL (for more information, see Adding and Configuring User Groups on page 121).

NOTE
If you need help determining your LDAP server settings, see Looking Up Attributes in your LDAP Directory on page 94.

To specify LDAP server settings:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users tab.
2 Enter a name for the authentication realm that you will create.
NOTE
If you want the Default realm to use LDAP authentication, remove the Default realm as described in Changing the Authentication Type of the Default Realm on page 87.
If your site has multiple authentication realms, you might use a name that identifies the LDAP realm for which you will specify settings. Realm names are case-sensitive and can contain spaces.
3 From the Type menu, choose LDAP and Local Authentication.
4 Click Add. A window for the authentication realm opens.

5 Select the Enable LDAP Authorization check box.
6 Enter the IP address and the port of the LDAP server. The LDAP Server Port defaults to 389. If you are using an indexed database, such as Microsoft Active Directory with a Global Catalog, changing the LDAP Server Port to 3268 will significantly speed the LDAP queries. If your directory is not indexed, we recommend that you use an administrative connection, rather than an anonymous connection, from the Firebox SSL to the database. Download performance improves when you use an administrative connection.
7 Enter the Administrator Bind DN and password for queries to your LDAP directory. Examples of syntax for Bind DN:
- "ou=administrator,dc=ace,dc=com"
- "user@domain.name" (for Active Directory)
- "cn=administrator,cn=users,dc=ace,dc=com"
For Active Directory, the group name, specified as "cn=groupname", is required. For other LDAP directories, the group name either is not required or, if required, is specified as "ou=groupname". The Firebox SSL binds to the LDAP server using the administrator credentials and then searches for the user. After locating the user, the Firebox SSL unbinds the administrator credentials and rebinds with the user credentials.
8 Enter the Base DN under which users are located. Base DN is usually derived from the Bind DN by removing the user name and specifying the group where users are located. Examples of syntax for Base DN:
- "ou=users,dc=ace,dc=com"
- "cn=users,dc=ace,dc=com"
9 Enter the attribute under which the Firebox SSL should look for user login names for the LDAP server that you are configuring. Defaults to "cn". If you use Active Directory, enter the attribute "samaccountname".

10 Specify the LDAP Group Attribute, which defaults to "memberof". This attribute enables the Firebox SSL to obtain the groups associated with a user during authorization.
11 Click Submit.

Looking Up Attributes in your LDAP Directory

If you need help determining your LDAP Directory attributes, you can easily look them up with the free LDAP Browser from Softerra.

To install and set up LDAP Browser:
1 Download the free LDAP Browser application from
2 Install LDAP Browser and open it.
3 From the LDAP Browser window, choose File > New Profile and specify the following settings:
- Host: Host name or IP address of your LDAP server.
- Port: Defaults to
- Base DN: You can leave this field blank. (The information provided by the LDAP Browser will help you determine the Base DN needed for the Authentication tab.)
- Anonymous Bind: Select the check box if the LDAP server does not require credentials to connect to it. If the LDAP server requires credentials, leave the check box cleared, click Next, and enter the credentials.
4 Click Finish. The LDAP Browser displays the profile name that you just created in the left pane of the LDAP Browser window and connects to the LDAP server.

To look up LDAP attributes:
1 In the left pane of the LDAP Browser, select the profile name that you created.
2 To look up the Base DN, locate in the right pane the namingcontexts attribute. The value of that attribute is the Base DN for your site. The Base DN is typically "dc=mydomain,dc=com" (if your directory tree is based on Internet domain names) or "ou=domain,o=myorg,c=country".
3 Navigate with the browser to locate other attributes.

Using RSA SecurID for Authentication

NOTE
If you are running a RADIUS server on an RSA server, configure RADIUS authentication, as described in Using RADIUS Servers for Authentication on page 88.

If your site uses an RSA ACE/Server and SecurID for authentication, you can configure the Firebox SSL to authenticate user access with the RSA ACE/Server. The Firebox SSL acts as an RSA Agent Host, authenticating on behalf of the VPN users logging into the VPN client. The Firebox SSL supports the use of one RSA ACE/Server. If a user is not located on the RSA ACE/Server or fails authentication on that server, the Firebox SSL checks the user against the user information stored locally on the Firebox SSL (for more information, see Adding and Configuring User Groups on page 121).

The Firebox SSL supports Next Token Mode. If a user enters three incorrect passwords, the Secure Access client prompts the user to wait until the next token is active before logging in. If a user logs in too many times with an incorrect password, the RSA server might disable the user's account.

To contact the RSA ACE/Server, the Firebox SSL must include a copy of the ACE Agent Host sdconf.rec configuration file that is generated by the RSA ACE/Server. The following procedures describe how to generate and upload that file.

To generate a sdconf.rec file for the Firebox SSL:
NOTE
The following steps describe the required settings for the Firebox SSL. Your site might have additional requirements. Refer to the RSA ACE/Server documentation for more information. If you have to re-image the Firebox SSL, see Resetting the Node Secret on page 99.
1 On a computer where your RSA ACE/Server Administration interface is installed, go to Start > Programs > RSA ACE Server > Database Administration - Host Mode.
2 In the RSA ACE/Server Administration interface, go to Agent Host > Add Agent Host (or, if you are changing an Agent Host, Edit Agent Host).
3 In the Name field, enter a descriptive name for the Firebox SSL (the Agent Host for which you are creating a configuration file).
4 In the Network address field, enter the Firebox SSL IP address (the internal address).
5 For Agent type, select UNIX Agent.
6 Note that the Node Secret Created check box is cleared and inactive when you are creating an Agent Host. The RSA ACE/Server will send the Node Secret to the Firebox SSL the first time that it authenticates a request from the Firebox SSL. After that, the Node Secret Created check box will be selected. By deselecting the check box and generating/uploading a new configuration file, you can force the RSA ACE/Server to send a new Node Secret to the Firebox SSL.
7 Indicate which users can be authenticated through the Firebox SSL through one of the following methods:
- To configure the Firebox SSL as an open Agent Host, click Open to All Locally Known Users and then click OK.
- To select the users to be authenticated, click OK, go to Agent Host > Edit Agent Host, select the Firebox SSL host, and then click OK. In the dialog box, click the User Activations button and select the users.
8 To create the configuration file for the new or changed Agent Host, go to Agent Host > Generate Configuration Files. The file that you generate (sdconf.rec) is what you will upload to the Firebox SSL, as described in the following procedure.

To enable RSA SecurID authentication for the Firebox SSL:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users tab.
2 Enter a realm name to identify the RSA ACE/Server. If you want the Default realm to use RSA authentication, remove the Default realm as described in Changing the Authentication Type of the Default Realm on page 87. Realm names are case-sensitive and can contain spaces.
3 From the Type menu, choose SecurID and Local Authentication.
4 Click Add. A window for the authentication realm opens.

5 To upload the sdconf.rec file that you generated in the previous procedure, click Upload sdconf.rec file and use the dialog box to locate and upload the file. The sdconf.rec file is typically written to ace\data\config_files and to windows\system32.
- The file status message indicates whether an sdconf.rec file has been uploaded. If one has been uploaded and you need to replace it, click Upload sdconf.rec file and use the dialog box to locate and upload the file.
- The first time that a client is successfully authenticated, the RSA ACE/Server will write some configuration files to the Firebox SSL. If you subsequently change the IP address of the Firebox SSL, click Remove ACE Configuration Files, reboot when prompted, and then upload a new sdconf.rec file.
6 After the file uploads, click Submit.
7 To use LDAP for authorization, click the Authorization tab and complete the settings. See Using LDAP Servers for Authentication and Authorization on page 91 (starting with Step 5) for a description of the LDAP server settings. See Looking Up Attributes in your LDAP Directory on page 94 for information on looking up LDAP server settings.
8 Click Submit.

Resetting the Node Secret

If you have re-imaged the Firebox SSL, giving it the same IP address as before, and restored your configuration, you must also reset the node secret on the RSA ACE/Server. (Because the Firebox SSL has been re-imaged, the node secret no longer resides on it and an attempt to authenticate with the RSA ACE/Server will fail.) After you reset the node secret on the RSA ACE/Server, the next authentication attempt will cause the RSA ACE/Server to send a node secret to the Firebox SSL.

To reset the node secret on the RSA ACE/Server:
1 On a computer where your RSA ACE/Server Administration interface is installed, go to Start > Programs > RSA ACE Server > Database Administration - Host Mode.
2 In the RSA ACE/Server Administration interface, go to Agent Host > Edit Agent Host.
3 Select the Firebox SSL IP address from the list of agent hosts.

4 Clear the Node Secret Created check box and save the change. The RSA server will re-send the node secret on the next authentication attempt from the Firebox SSL.

Removing an Authentication Realm

You can remove any realm except for the realm named Default. (You can remove the Default realm only if you immediately create a new realm named Default. For more information, see Changing the Authentication Type of the Default Realm on page 87.)

To remove an authentication realm:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users tab.
2 Open the window for the authentication realm that you want to remove.
3 From the Action menu, choose Remove... realm.

Adding Local Users

You can create user accounts locally on the Firebox SSL to supplement the users on authentication servers. For example, you might want to create local user accounts for temporary VPN users, such as consultants or visitors, without creating an entry for those users on the authentication server. In that case, you add the user to the Firebox SSL local user list as described in this section. If you associate more than one group with a user account, the properties of the first group that you select for the user will be used.
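The login and group-resolution rules of this chapter put together (realm name parsing, the LDAP administrator bind, search under the Base DN and rebind as the user, the fall-back to the local user list, and matching of LDAP group names against local groups), as an added Python example that is not WatchGuard code. The directory is an in-memory stand-in with constructed entries; the FakeDirectory, Gateway and LdapRealm names are this example's own.

```python
"""Realm login and group lookup of the Firebox SSL, modelled on this chapter.
Added example, not WatchGuard code: FakeDirectory stands in for an LDAP server
(constructed entries); the bind/search/rebind order and fallbacks follow the guide."""
from dataclasses import dataclass

# RFC 4515 escaping for a value placed in a search filter, so a login name such
# as 'jdoe)(cn=*' cannot alter the filter the gateway sends to the directory.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_cn(group_dn):
    """memberof holds group DNs; the gateway compares the group name (its CN)."""
    first = group_dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


class FakeDirectory:
    """Minimal LDAP server stand-in: DN -> attributes (constructed data)."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def search(self, base_dn, ldap_filter):
        """Supports only the equality filter "(attr=value)" the gateway issues."""
        attr, _, value = ldap_filter[1:-1].partition("=")
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and str(e.get(attr, "")).lower() == value.lower()]


@dataclass
class LdapRealm:
    directory: FakeDirectory
    bind_dn: str                       # step 7: Administrator Bind DN
    bind_password: str
    base_dn: str                       # step 8: Base DN under which users are located
    login_attribute: str = "cn"        # step 9: "samaccountname" for Active Directory
    group_attribute: str = "memberof"  # step 10: LDAP Group Attribute


@dataclass
class Gateway:
    realms: dict        # realm name -> LdapRealm, or None for local authentication
    local_users: dict   # user -> (password, [associated groups, in the order selected])
    local_groups: dict  # local group file: group name -> properties

    @staticmethod
    def split_login(login):
        # "realmname\username" selects a realm; a bare user name means Default.
        return tuple(login.split("\\", 1)) if "\\" in login else ("Default", login)

    def _ldap_login(self, realm, user, password):
        """Bind as administrator, search for the user, then rebind with the user's
        own credentials (the administrator binding is dropped). LDAP group names or None."""
        d = realm.directory
        if not d.bind(realm.bind_dn, realm.bind_password):
            return None
        hits = d.search(realm.base_dn,
                        f"({realm.login_attribute}={escape_filter_value(user)})")
        if len(hits) != 1 or not d.bind(hits[0], password):
            return None
        return [group_cn(g) for g in d.entries[hits[0]].get(realm.group_attribute, [])]

    def authenticate(self, login, password):
        """Returns (user, effective group) on success, or None when login fails."""
        realm_name, user = self.split_login(login)
        realm = self.realms.get(realm_name)
        groups = self._ldap_login(realm, user, password) if realm else None
        if groups is None:
            # Not found on the server, or failed there: check the local user list.
            local = self.local_users.get(user)
            if local is None or local[0] != password:
                return None
            groups = local[1]
        # Only names that also exist in the local group file carry properties; the first applies.
        return user, next((g for g in groups if g in self.local_groups), None)


# Constructed sample directory and gateway configuration.
DIRECTORY = FakeDirectory({
    "cn=administrator,cn=users,dc=ace,dc=com": {"userPassword": "adm-secret"},
    "cn=Jane Doe,cn=users,dc=ace,dc=com": {
        "samaccountname": "jdoe", "userPassword": "jd-pw",
        "memberof": ["cn=Engineering,cn=users,dc=ace,dc=com",
                     "cn=VPN Users,cn=users,dc=ace,dc=com"]}})
GATEWAY = Gateway(
    realms={"Default": LdapRealm(DIRECTORY, "cn=administrator,cn=users,dc=ace,dc=com",
                                 "adm-secret", "cn=users,dc=ace,dc=com", "samaccountname"),
            "Local": None},
    local_users={"visitor": ("guest-pw-123", ["Contractors", "VPN Users"])},
    local_groups={"VPN Users": {"split_tunnel": False}, "Contractors": {"split_tunnel": False}})
```

A user not present in the directory (visitor) is checked against the local user list even when logging in to the Default realm, and a directory group with no matching local group (Engineering) carries no properties.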

To create a user on the Firebox SSL:
1 In the Firebox SSL Administration Tool, go to the Authentication and Local Users > Local Users tab.
2 Enter a user name. A user will need to enter this name when logging into Secure Access. User names can contain spaces.
3 Enter a password for the user in the two fields. A user will need to enter this password when logging into Secure Access. A password must be six or more characters (checked up to 128 characters).
4 Click Add Local User. The added user appears in the Local Users list.
5 To change the group membership of a user:
- To add a group to a user, select the group in the Available Groups list and click Add Group to User. For information on creating a group, see Adding and Configuring User Groups on page 121.
- To remove a group from a user, select the group in the Associated Groups list and click Remove Group from User.

To delete a user from the Firebox SSL: Select the user in the Local Users list and click Remove User.

Controlling Network Access

By default, the Firebox SSL is blocked from accessing any networks. You must specify the networks that the Firebox SSL can access, referred to as accessible networks. You then control VPN user access to those networks as follows:
- You create network resource groups. A network resource group includes one or more network locations. For example, a resource group might provide access to a single application, a subset of applications, a range of IP addresses, or an entire intranet. What you include in a network resource group depends largely on the varying access requirements of your VPN users. You might want to provide some user groups with access to many resources and other user groups with access to smaller subsets of resources. By allowing and denying a user group access to network resource groups, you create an Access Control List (ACL) for that user group.
- You specify whether any user group with no ACL has full access to all of the accessible networks defined for the Firebox SSL. By default, user groups without an ACL have access to all of the accessible networks defined for the Firebox SSL. This default operation provides simple configuration if most of your user groups are to have full network access. By retaining this default operation, you will need to configure an ACL only for the user groups who should have more restricted access. The default operation can also be useful for initial testing. You can change the default operation so that user groups are denied network access unless they have been allowed access to one or more network resource groups.
- You configure ACLs for user groups by specifying which network resources are allowed or denied per user group.
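The access decision these rules produce, as an added Python example that is not WatchGuard code. It evaluates accessible networks, the Deny Access without ACL option, per-user-group allow and deny lists of resource groups, and the address/mask, CIDR, protocol and port forms of a resource, with deny taking precedence over allow as described further on under Defining Network Resource Groups; all addresses, group names and the Policy/ResourceGroup/Resource names are constructed for the example.

```python
"""Network access decision for a VPN user group, after the rules under
Controlling Network Access and Defining Network Resource Groups. Added example,
not WatchGuard code; resource groups, the Deny Access without ACL option and
deny-over-allow precedence follow the guide; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Resource:
    network: ipaddress.IPv4Network
    protocol: Optional[str] = None   # e.g. "tcp"; None means any protocol
    port: Optional[int] = None       # None means any port

    @classmethod
    def parse(cls, spec, protocol=None, port=None):
        """Accepts "10.20.1.0/255.255.255.0", CIDR "10.20.1.0/24" or a bare host (/32)."""
        addr, _, mask = spec.partition("/")
        net = ipaddress.IPv4Network(f"{addr}/{mask or 32}", strict=False)
        return cls(net, protocol.lower() if protocol else None, port)

    def matches(self, ip, protocol, port):
        return (ipaddress.IPv4Address(ip) in self.network
                and (self.protocol is None or self.protocol == protocol.lower())
                and (self.port is None or self.port == port))


@dataclass
class ResourceGroup:
    name: str
    resources: list

    def matches(self, ip, protocol, port):
        return any(r.matches(ip, protocol, port) for r in self.resources)


@dataclass
class Policy:
    accessible_networks: list               # Global Policies tab: networks the gateway may reach
    deny_access_without_acl: bool = False   # Global Policies tab option; off by default
    acls: dict = field(default_factory=dict)             # user group -> {"allow": [...], "deny": [...]}
    resource_groups: dict = field(default_factory=dict)  # resource group name -> ResourceGroup

    def reachable(self, ip):
        return any(ipaddress.IPv4Address(ip) in n for n in self.accessible_networks)

    def allowed(self, user_group, ip, protocol="tcp", port=None):
        """True if a member of user_group may reach ip:port over protocol."""
        if not self.reachable(ip):
            return False   # outside the accessible networks: the gateway cannot get there
        acl = self.acls.get(user_group)
        if acl is None:
            # No ACL: full access to the accessible networks unless the global option is on.
            return not self.deny_access_without_acl
        # Once any resource group is allowed or denied, every unlisted group is denied,
        # and deny rules take precedence over allow rules.
        if any(self.resource_groups[n].matches(ip, protocol, port) for n in acl.get("deny", [])):
            return False
        return any(self.resource_groups[n].matches(ip, protocol, port) for n in acl.get("allow", []))


# Constructed configuration: a /16 the gateway may reach, three resource groups and
# one user group whose ACL excludes a single host from an otherwise allowed subnet.
POLICY = Policy(
    accessible_networks=[ipaddress.IPv4Network("10.20.0.0/16")],
    resource_groups={
        "intranet": ResourceGroup("intranet", [Resource.parse("10.20.1.0/255.255.255.0")]),
        "web-only": ResourceGroup("web-only", [Resource.parse("10.20.2.10", "tcp", 80)]),
        "hr-server": ResourceGroup("hr-server", [Resource.parse("10.20.1.50/32")]),
    },
    acls={"Contractors": {"allow": ["intranet", "web-only"], "deny": ["hr-server"]}},
)
```

A user group with no ACL (Engineering below) reaches everything in the accessible networks until Deny Access without ACL is turned on, while Contractors keep their allowed groups under either setting.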

By default, all network resource groups are allowed (and network access is controlled by the Deny Access without ACL option). When you allow or deny one resource group, all other resource groups are automatically denied and the network access for the user group is controlled only through its ACL. If a resource group includes a resource that you do not want a user group to access, you can create a separate resource group for just that resource and deny the user group access to it.

The options just discussed are summarized in the following table.

ACL set for user group?   Deny access without ACL?   User group can access:
No                        No                         All accessible networks
Yes                       No                         Allowed resource groups
No                        Yes                        Nothing
Yes                       Yes                        Allowed resource groups

For information on controlling network access, see the following topics:
- Specifying Accessible Networks on page 103
- Defining Network Resource Groups on page 104
- Denying Access to Groups with No ACL on page 107

Specifying Accessible Networks

You must specify which networks the Firebox SSL can access. By default, the Firebox SSL has no network access.

To give the Firebox SSL access to a network:

1 In the Firebox SSL Administration Tool, go to the Global Policies tab.

2 Enter a space-separated list of networks and click Submit.

Defining Network Resource Groups

Network resource groups define the locations that authorized VPN users can access. Resource groups are associated with user groups to form resource access control policies.

Suppose that you want to provide a user group with secure access to the following:
- the x.x subnet
- the x subnet
- and

To provide that access, you would create a network resource group by specifying the following IP address/netmask pairs:

/ / / /

You can specify the mask in CIDR notation. For example, in the above example, you could specify /32 for the last entry.

Additional tips for working with resource groups follow.

- You can further restrict access by specifying a port and protocol for an IP address/netmask pair. For example, you might specify that a resource can use only port 80 and the TCP protocol.
- When you configure resource group access for a user group, you can allow or deny access to any resource group. This enables you to exclude a portion of an otherwise allowed resource. For example, you might want to allow a user group access to /24, but deny that user group access to . Deny rules take precedence over allow rules.
- The easiest method to provide all VPN user groups with access to all network resources is to not create any resource groups and to disable the Deny Access without ACL option on the Global Policies tab. All user groups will then have access to the accessible networks listed on the Global Policies tab.
- If you have one or more user groups that should have access to all network resources, a shortcut to adding each individual resource group to those user groups is to create a resource group for / and allow that one resource group for those user groups. For all other user groups, you will need to allow/deny individual resource groups as needed.

To create a resource group:

1 In the Firebox SSL Administration Tool, go to the Network Resources tab.

2 Enter a resource group name. For example, Archives or Web mail.
3 Click Add. A window for the resource group appears.
4 Enter the IP address/netmask pair for the resource in the Subnets field. You can use CIDR notation for the mask. Use a space to separate entries.
5 Enter a port for the pairs listed. Specify 0 to allow any port.
6 Select a protocol for the pairs listed.
7 Click Submit.

For information on adding a resource group to a user group, see Adding and Configuring User Groups on page 121.

To remove a resource group:

1 In the Firebox SSL Administration Tool, go to the Network Resources tab.
2 Open the window for the resource group that you want to remove.
3 From the Action menu, choose Remove... resource.

Denying Access to Groups with No ACL

By default, a user group without an ACL has access to all of the accessible networks defined for the Firebox SSL, as described in Controlling Network Access on page 102. You can deny access to user groups with no ACL as follows.

To deny access to user groups without an ACL:

1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Select the Deny Access without ACL check box.
3 Click Submit.
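The access model described above (accessible networks, resource groups with optional port and protocol, per-group allow/deny ACLs, the Deny Access without ACL option, and deny taking precedence over allow) can be checked offline before it is configured. The following is an added example written for this guide, not code from the Firebox SSL or from WatchGuard; the networks, resource group names and user groups in it are constructed, and the decision function only models the rules stated in this section.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    """One IP address/netmask pair of a resource group, optionally narrowed to a port and protocol."""
    network: ipaddress.IPv4Network
    port: int = 0            # 0 means any port, as on the Network Resources tab
    protocol: str = "any"    # "tcp", "udp" or "any"

    def matches(self, ip, port, protocol):
        return (ipaddress.IPv4Address(ip) in self.network
                and (self.port == 0 or self.port == port)
                and (self.protocol == "any" or self.protocol == protocol))


@dataclass
class GroupACL:
    """Resource ACL of one user group: resource group names explicitly allowed or denied."""
    allowed: set = field(default_factory=set)
    denied: set = field(default_factory=set)

    def is_set(self):
        return bool(self.allowed or self.denied)


def group_matches(resource_groups, name, ip, port, protocol):
    return any(r.matches(ip, port, protocol) for r in resource_groups[name])


def access_allowed(ip, port, protocol, accessible_networks, resource_groups, acl, deny_without_acl):
    """Decide whether a member of a user group may reach ip:port over protocol.

    Models the guide's rules: the Firebox SSL can only reach its accessible networks;
    a group with no ACL gets everything or nothing depending on Deny Access without ACL;
    once an ACL exists, deny rules win, then only explicitly allowed resource groups pass.
    """
    addr = ipaddress.IPv4Address(ip)
    if not any(addr in net for net in accessible_networks):
        return False
    if not acl.is_set():
        return not deny_without_acl
    if any(group_matches(resource_groups, name, ip, port, protocol) for name in acl.denied):
        return False
    return any(group_matches(resource_groups, name, ip, port, protocol) for name in acl.allowed)


# Constructed sample configuration (addresses and names are illustrative, not from the guide).
ACCESSIBLE_NETWORKS = [ipaddress.IPv4Network("10.0.0.0/8")]

RESOURCE_GROUPS = {
    "Intranet": [Resource(ipaddress.IPv4Network("10.1.0.0/16"))],
    "WebMail": [Resource(ipaddress.IPv4Network("10.1.5.20/32"), port=443, protocol="tcp")],
    "HRServer": [Resource(ipaddress.IPv4Network("10.1.9.9/32"))],
}

SALES_ACL = GroupACL(allowed={"Intranet"}, denied={"HRServer"})   # whole subnet except one host
GUEST_ACL = GroupACL(allowed={"WebMail"})                          # one service on one host only
NO_ACL = GroupACL()                                                 # falls back to the global option


def decide(ip, port, protocol, acl, deny_without_acl=True):
    return access_allowed(ip, port, protocol, ACCESSIBLE_NETWORKS, RESOURCE_GROUPS, acl, deny_without_acl)


if __name__ == "__main__":
    for args in [("10.1.3.4", 80, "tcp", SALES_ACL), ("10.1.9.9", 445, "tcp", SALES_ACL),
                 ("10.1.5.20", 443, "tcp", GUEST_ACL), ("10.1.5.20", 80, "tcp", GUEST_ACL),
                 ("10.2.0.1", 22, "tcp", NO_ACL)]:
        print(args[:3], "allowed" if decide(*args) else "denied")
```

The HRServer case shows the pattern the section recommends: put the host you want to exclude in its own resource group and deny it, which keeps the rest of the Intranet subnet reachable. The NO_ACL case is the row of the summary table that changes when Deny Access without ACL is toggled.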

Customizing VPN Portal Pages

NOTE
You can also include links to the Secure Access and kiosk clients on your website, as described in Linking to the VPN Clients from Your Website on page 115.

By default, your VPN users will see a Citrix Access Portal page when they open SSL_IP_or_hostname. For samples of the default portal pages for Windows, Linux, and Java, see Using the Access Portal on page 51.

We have also provided portal page templates that you can customize. One of the templates includes links to both the Secure Access and Kiosk clients. The following sample is the portal page that displays on a computer that is running Windows 2000 or higher. Your customization can be as simple as replacing the logo.

[Figure: sample Windows portal page. Callouts: Replacement logo; A variable is used to insert the current user name; A variable is used to insert this portion into the template. The text cannot be changed.]

The following sample is the same portal page when displayed on a computer that is running Linux. Clicking either link displays a page with instructions.

[Figure: sample Linux portal page.]

The other two templates include links to just one of those clients. You choose a template based on the access that you want to provide, on a group basis. For example, you might want to provide access to both clients to some VPN users and access only to the Secure Access or kiosk client for other users. You can do that by adding custom portal pages to the Firebox SSL and then specifying for each user group the portal page to be used.

NOTE
If you want to add text to a template or make format changes, you will need to consult with someone who is familiar with HTML. Changes to the templates other than those described in this section are not supported.

The portal page templates are available from the Downloads page of the Administration Portal.

[Figure: Links to Portal Page Templates on the Downloads page.]

The following topics describe how to create portal pages, upload them to the Firebox SSL, and specify the portal page to be used for a user group:
- Downloading and Working with Portal Page Templates on page 110
- Loading Custom Portal Files on the Firebox SSL on page 113
- Disabling Portal Page Authentication on page 114
- Linking to the VPN Clients from Your Website on page 115
- Choosing a Portal Page for a Group on page 130

Downloading and Working with Portal Page Templates

The portal page templates include variables that the Firebox SSL replaces with the current user name and with links that are

appropriate for the connecting computer (Windows 2000 or higher, or Linux). If you also have users on platforms such as Macintosh or Windows 95/98, you can provide them access to the Java-based kiosk client by inserting the appropriate variable in the template(s) used by those groups, as described in this section.

The variables that can be used in templates are described in the following table.

Variable                            Content inserted by variable
$citrix_username;                   Name of logged in user
$citrix_portal;                     Links to both the Secure Access and the Kiosk clients (Windows and Linux)
$citrix_portal_full_client_only;    Link to the Secure Access only
$citrix_portal_kiosk_client_only;   Link to the Kiosk client only

A template can include only one of the three variables that start with $citrix_portal.
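Because the templates are edited by hand and then uploaded, a small pre-upload check catches the mistakes this section warns about: more than one $citrix_portal variable, a variable name the Firebox SSL does not recognize, an image that is not GIF or JPG, or a page not saved with the .html extension. The following validator is an added example written for this guide, not a WatchGuard tool; the two templates it checks are constructed, and treating a page with no $citrix_portal variable at all as a problem is this example's assumption (the guide only says a template may include one of the three).

```python
import re
from pathlib import PurePosixPath

PORTAL_VARIABLES = {
    "$citrix_portal;",                     # links to both clients
    "$citrix_portal_full_client_only;",    # Secure Access only
    "$citrix_portal_kiosk_client_only;",   # kiosk client only
}
KNOWN_VARIABLES = PORTAL_VARIABLES | {"$citrix_username;"}
IMAGE_TYPES = {".gif", ".jpg"}

_VARIABLE = re.compile(r"\$citrix_[A-Za-z_]+;")
_IMG_SRC = re.compile(r'<img\s+src="([^"]*)"')


def validate_portal_page(filename, html):
    """Return a list of problems; an empty list means the page follows the template rules in the guide."""
    problems = []
    if not filename.lower().endswith(".html"):
        problems.append(f"{filename}: portal pages must use the .html extension")

    found = set(_VARIABLE.findall(html))
    for name in sorted(found - KNOWN_VARIABLES):
        problems.append(f"unknown variable {name}: the Firebox SSL will not replace it")

    portal_vars = sorted(found & PORTAL_VARIABLES)
    if len(portal_vars) > 1:
        problems.append("only one $citrix_portal variable is allowed, found: " + ", ".join(portal_vars))
    elif not portal_vars:
        # Assumption of this example: a page with no client links is almost certainly a mistake.
        problems.append("no $citrix_portal variable, so the page will show no client links")

    for src in _IMG_SRC.findall(html):
        if PurePosixPath(src).suffix.lower() not in IMAGE_TYPES:
            problems.append(f"image {src}: referenced images must be GIF or JPG files")
    return problems


# Constructed templates, standing in for copies of vpnclientonly.html with the logo replaced.
GOOD_TEMPLATE = """<html><body>
<img src="logo.gif" />
<p>Welcome, $citrix_username;</p>
$citrix_portal_full_client_only;
</body></html>"""

BAD_TEMPLATE = """<html><body>
<img src="logo.png" />
<p>Welcome, $citrix_username; ($citrix_groupname;)</p>
$citrix_portal_full_client_only;
$citrix_portal_kiosk_client_only;
</body></html>"""


if __name__ == "__main__":
    for name, html in [("guest-portal.html", GOOD_TEMPLATE), ("guest-portal.htm", BAD_TEMPLATE)]:
        print(name, validate_portal_page(name, html) or "OK")
```

Run it over every custom page before uploading it on the Portal Page Configuration tab; the image check only looks at the double-quoted <img src="..."> form used in the templates, which is the one line this section says you may change.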

NOTE
If you want to add text to a template or make format changes, you will need to consult with someone who is familiar with HTML. Changes to the templates other than those described in this section are not supported.

When choosing a template that is appropriate for a group, you only need to know whether the group should have access to both the Secure Access and kiosk clients or just one of the clients. The Firebox SSL detects the user's platform (Windows, Linux, Java) and inserts the appropriate links into the templates that you upload to the Firebox SSL.

To download the portal page templates to your local computer:

1 In the Firebox SSL Administration Portal, go to the Downloads page.
2 To download a template to a local computer, right-click the link and specify a location in the dialog box.

To work with the templates for Windows and Linux users:

1 Determine how many custom portal pages you will need. You can use the same portal page for multiple groups.

   To include links to these clients:   Use this portal page:
   Secure Access and kiosk              vpnandkioskclients.html
   Secure Access only                   vpnclientonly.html
   Kiosk only                           kioskclientonly.html

2 Make a copy of each template that you will use and name the template, using the extension .html.
3 To replace the Citrix image:
   - Locate the following line in the template:
     <img src="vpn_logo.gif" />
   - Replace vpn_logo.gif with the filename of your image. For example, if your image file is named logo.gif, change the line to:
     <img src="logo.gif" />

     An image file must have a file type of GIF or JPG. Do not change other characters on that line.
4 Save the file.

Loading Custom Portal Files on the Firebox SSL

You must load on the Firebox SSL any custom portal pages and referenced image files.

To load a custom portal page or image on the Firebox SSL:

1 In the Firebox SSL Administration Tool, go to the Portal Page Configuration tab.
2 Click Add File.

3 For the File Identifier of portal pages, enter a name that is descriptive of the types of VPN users who will use the portal page. The filename can help you later when you need to associate the portal page with a group. For example, you might have a primary portal page used by many groups and a separate portal page used only by guests. In that case, you might identify the files as Primary Portal and Guest Portal. Or, you might have several portal pages that correspond to user groups, and use names such as Admin Portal, Student Portal, IT Portal.
4 Select the type from the File Type menu. Portal pages must be an HTML file. Any images referenced from an HTML page must be either GIF or JPG files.
5 Click Upload File.
6 Navigate to the file and click Open. The file will be loaded on the Firebox SSL.

To remove a portal file from the Firebox SSL: Select the page identifier in the list and click Remove Selected File.

Disabling Portal Page Authentication

By default, a VPN user must log in to the portal page and then again to the Secure Access or kiosk client. You can eliminate the portal page login step using either of the following methods:
- You can set a global policy that disables authentication for the portal page and that specifies the portal page that will display for all VPN users. This global policy overrides any portal page selections for groups.
- You can include links to the Secure Access and kiosk clients directly on your website, as described in Linking to the VPN Clients from Your Website on page 115.

To disable portal page authentication:

1 In the Firebox SSL Administration Tool, go to the Global Policies tab.

2 Clear the checkbox for Enable Portal Page Authentication.
3 Select the portal page to which all VPN users will be directed.
4 Click Submit.

Linking to the VPN Clients from Your Website

You can also provide your VPN users links to the Secure Access and kiosk clients from your website. The links will launch the clients for Windows or will direct the user to a page that explains how to download and install the client for Linux.

To include links to the Secure Access and kiosk client on your website:

1 Add the following code to the HEAD tag of the web page that is to contain the links:

   <object id="net6launch" type="application/x-oleobject"
     classid="clsid:7e0fdfbb-87d4-43a1-9ad4-41f0ea8aff7b"
     codebase="net6helper.cab#version=2,1,0,6"></object>

2 Add the links as follows to the web page.

   Client:                          Link to:
   Secure Access (Windows/Java)
   Kiosk (Windows/Java)
   Secure Access (Linux)            This page includes a link to the Linux installer executable.

   The ipaddress is the address of your Firebox SSL.

Configuring Host Check Rules

Host check rules provide another layer of security, helping to ensure that the VPN users are connecting to your Firebox SSL on a computer that meets certain criteria. For example, you can require that a connecting computer has particular registry entries, files, and/or active processes. Each host check rule specifies that a computer must have one of the following:
- A registry entry that matches the path, entry type, and value that you specify.
- A file that matches the path, filename, and date that you specify. You can also specify a checksum for the file.
- A running process that you specify. You can also specify a checksum for the file.

NOTE
Example Host Check Rules on page 118 contains the file and process names for a variety of personal firewall, antivirus, and spybot applications.

You apply host check rules to each group by specifying a host check expression, a Boolean expression that uses host check rule names. For more information, see Configuring a Host Check Policy for a Group on page 128.

To create a host check rule:

1 In the Firebox SSL Administration Tool, go to the Host Checks tab.

2 Specify a name for the host check rule.
3 Select the rule type from the drop-down list.
4 Click Add.
5 If you selected Registry Entry Rule, enter the path to the registry key, select a key type, enter the key name, and enter the value to which that key must be set. Click Submit.
6 If you selected File Rule, enter the path, filename, and creation date of the file. To specify a checksum for the file, select Calculate Checksum and click Upload File to Checksum. Navigate to the file and click Open. Click Submit.
7 If you selected Process Rule: Enter the name of the process that must be running. To specify a checksum for the file,

select the Manually Enter Checksum option and enter it, or select Calculate Checksum and click Upload File to Checksum. Navigate to the file and click Open. Click Submit.

NOTE
For information on adding a host check expression to a user group, see Configuring a Host Check Policy for a Group on page 128.

To delete a host check rule:

1 In the Firebox SSL Administration Tool, go to the Host Checks tab.
2 Open the window for the host check rule that you want to remove.
3 From the Action menu, choose Remove... host check.

Example Host Check Rules

This table contains information that you can use to create host check rules for a variety of personal firewall, antivirus, and spybot applications. The path information provided assumes that the application is installed in the default directory.

Applications                       Host Check Rules
Antivirus
  AntiVir                          File: C:\Program Files\AVPersonal\AVWIN.EXE
                                   Process: AVGUARD.EXE
  avast!                           File: C:\Program Files\Avast\ashAvast.exe
                                   Process: ashserv.exe
  McAfee                           File: C:\Program Files\McAfee.com\VSO\mcvsshld.exe
                                   Process: McShield.exe
  Norton                           File: C:\Program Files\Norton AntiVirus\NAVAPSVC.exe
Personal Firewall
  McAfee                           File: C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe
                                   Process: MpfService.exe
  Norton                           Process: ccproxy.exe OR ccsetmgr.exe
  Sygate                           File: C:\Program Files\Sygate\SPF\Smc.exe
                                   Process: Smc.exe
  Tiny                             File: C:\Program Files\Tiny Personal Firewall\PERSFW.EXE
                                   Process: PERSFW.EXE
  Zone Alarm                       File: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
                                   Process: zlclient.exe
Spybot
  Ad-aware SE Personal Edition     File: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
                                   Process: Ad-Aware.exe
  Spybot - Search and Destroy      File: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
                                   Process: SpybotSD.exe

Configuring Network Shares for Kiosk Sessions

When a VPN user connects from a public computer (by selecting that option on a portal page), the Firebox SSL opens a kiosk connection. The network shares available to a kiosk user are configured in the Share Mounts tab.

To provide kiosk users access to network shares:

1 In the Firebox SSL Administration Tool, go to the Share Mounts tab.
2 Enter a name for the network share and click Add. The name that you enter will display with the share icon in the kiosk window. A configuration window appears.
3 Type the path to the share source, using the form //server/share.
4 Choose the type of mount, either CIFS/SMB or NFS.
5 If administrative user credentials are required to mount a CIFS/Samba drive, specify the username and password. Those fields are not enabled for NFS. All users who access the share will have the rights of this user.
6 Enter the Active Directory domain or the Windows workgroup of the share. This field is not enabled for NFS.
7 Specify whether you want remote users to have read/write or read-only permissions for the share.

NOTE
Users can FTP files from the share to the remote computer.

8 Click Submit.

NOTE
To add a share to a user group, see Configuring Kiosk Operation for a Group on page 126.

To remove a share: Open the window for the share and choose Action > Remove.

Adding and Configuring User Groups

When you enable LDAP authorization on the Firebox SSL, user group information is obtained from the LDAP server after a user is authenticated. If the group name obtained from LDAP matches a group name created locally on the Firebox SSL, the properties of the local group are used for the matching group obtained from LDAP.

Each VPN user should belong to at least one group that is defined locally on the Firebox SSL. If a user does not belong to a group, the overall access of the user is determined by the Deny Access without ACL setting on the Global Policies tab, as follows:
- If the Deny Access option is enabled, the user will not be able to establish a VPN connection.
- If the Deny Access option is disabled, the user will have full network access.

In either case, the user will be able to run a kiosk session, but network access within that session will be determined by the Deny Access without ACL setting.

You can also add local groups that are not related to LDAP groups. For example, you might create a local group to set up a contractor or visitor to whom you want to provide temporary access without having to create an LDAP entry. For information on creating a local user, see Adding Local Users on page 100.

Several aspects of VPN operation are configured at the group level, including access control, host checking, kiosk operation, portal page usage, and IP pooling. If a user belongs to more than one group, group policies are applied to the user based on the group priorities set on the Group Priorities tab, as described in Setting the Priority of Groups on page 132.

To create a local user group on the Firebox SSL:

1 In the Firebox SSL Administration Tool, go to the Groups tab.
2 Type a descriptive name for the group (such as Temp Employees or accounting) and then click Add. If you want the group's properties to be used for a group obtained from LDAP, the group name must match the LDAP group name, including case and use of spaces. A window for the added group appears.

3 To configure the group, see the following topics:
   - Configuring Resource ACLs for a User Group
   - Configuring Kiosk Operation for a Group on page 126
   - Configuring a Host Check Policy for a Group on page 128
   - Choosing a Portal Page for a Group on page 130
   - Enabling IP Pooling on page 131

To remove a user group:

1 In the Groups tab, open the window for the group.
2 Right-click the group name in the window and choose Remove...group.

   Alternatively, from the group window's Action menu, choose Remove.

Configuring Resource ACLs for a User Group

NOTE
For background information on network access, see Controlling Network Access on page 102. You will need to let your users know which resources they can access. A sample with instructions that you can customize for your users is available from the Administration Portal Downloads page.

For each user group, you can create an ACL by specifying the resources that are to be allowed or denied for the group. Resource groups are defined as described in Defining Network Resource Groups on page 104.

Unless you want to provide all VPN users with full access to all accessible networks, you must associate user groups with resource groups. By default, all network resource groups are allowed (and network access is controlled by the Deny Access without ACL option). When you allow or deny one resource group, all other resource groups are automatically denied and the network access for the user group is controlled only through its ACL.

The Firebox SSL interprets allow/deny as follows:
- The Firebox SSL denies access to any resource that is not explicitly allowed. Thus, if you want to provide a particular user group with access to only one resource group, you only have to allow access to that resource group.
- Deny rules take precedence over allow rules. This enables you to allow access to a range of resources and to also deny access to selected resources within that range. For example, you might want to allow a group access to a resource group

  that includes /24, but need to deny that user group access to . To handle this, you will need to create a resource group that includes . Access to that resource will be denied unless you specifically allow it.

To configure resource access control for a group:

1 In the group window, right-click Resource ACLs.
2 Choose Add Resource, choose a resource, and then choose Allow.

   NOTE
   If you have not allowed a resource, it will be denied.

3 If you allow a resource and later want to deny it, right-click Resource ACLs, choose Add Resource, choose the resource, and then choose Deny.

4 Click Submit.

To remove a resource from a user group:

1 In the group window, right-click the resource that you want to remove.
2 Choose Remove Resource and then click Submit.

Configuring Kiosk Operation for a Group

You can specify whether a group is allowed VPN kiosk access from public computers and, if so, which applications and network shares appear in the kiosk window.

To remove the kiosk option from the Access Portal for a group:

1 In the group window, clear the check box for Enable Kiosk Mode.
2 Click Submit.

To configure kiosk operation for a group:

1 To add a network share to the group, open the group's window, right-click Network Shares, choose Add Share, choose the share name, and then choose Allow.

   The share name appears. To configure network shares, see Configuring Network Shares for Kiosk Sessions.
2 Verify that the Enable Kiosk Mode option is selected.

3 To retain Citrix ICA settings and Mozilla preferences between sessions, select Persistent Mode. The Mozilla preferences saved include the passwords saved through the Mozilla Password Manager. The preferences are saved on the remote server (hosting the kiosk session).
4 If you want a Mozilla browser window to appear in the kiosk window:
   - Specify the URL to open in the browser window (typically an Intranet site). The default is

   NOTE
   If the user has general Internet access before making a Kiosk connection, the user can browse the Internet from the Mozilla browser in the Kiosk window, unless there is a network resource defined that denies access to the Internet.

   - Select the Mozilla option.
5 For the other kiosk applications listed, select each one that you want included in the kiosk window for the group. To work with any of those applications, the VPN user will need to know the IP addresses of the corresponding servers.
6 Click Submit.

Configuring a Host Check Policy for a Group

To configure a host check policy for a group, you specify a Boolean expression containing the host check rule names that you want to apply to the group. Suppose that you create the following host check rules:
- CorpAssetRegistryEntry
- AntiVirusProcess1
- AntiVirusProcess2

Your host check expression might specify that a registry check must verify that the resource attempting to connect is a corporate asset and that the resource must have one of the antivirus processes running. That Boolean expression is:

   (CorpAssetRegistryEntry & (AntiVirusProcess1 AntiVirusProcess2))

Valid operators for host check expressions are as follows:

   ( )   used to nest expressions to control their evaluation
   &     logical AND
         logical OR
   !     logical NOT

For users without Administrative privileges, a host check will fail if it includes a file in a restricted zone (such as C:\Documents and Settings\Administrator) or if it includes a restricted registry key.

If a user belongs to more than one group, the host check expression applied to the user is the union of the expression for each of the user's groups.

For information on host check rules, see Configuring Host Check Rules on page 116.

To specify a host check expression for a group:

1 In the group window, enter the Boolean expression in the Host Check Expression field.

2 Click Submit.

Choosing a Portal Page for a Group

By default, a group uses the Firebox SSL Access Portal page. You can load custom portal pages on the Firebox SSL, as described in Customizing VPN Portal Pages on page 108, and then select a portal page for each group. This enables you to control which of the Firebox SSL clients are available by group.

NOTE
Disabling portal page authentication on the Global Policies page, as described in Disabling Portal Page Authentication on page 114, overrides the Portal Page setting for all groups.

To specify a portal page for a group: In the group window, choose the page name from the Portal Page menu and click Submit.
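The host check expression syntax described under Configuring a Host Check Policy for a Group (rule names combined with AND, OR, NOT and parentheses) and the three rule types from Configuring Host Check Rules can be exercised offline to confirm that an expression admits the computers you expect. The following evaluator is an added example written for this guide, not Firebox SSL code, and it models rather than reproduces the client's checks. Assumptions: the OR symbol, which did not survive extraction on this page, is taken to be `|`; file and process checksums are computed as SHA-256 (the guide does not state the algorithm); the host snapshots, the registry path and the file contents are constructed, while the process names come from the guide's example table.

```python
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class HostSnapshot:
    """Constructed stand-in for what the client reports about the connecting computer."""
    registry: dict = field(default_factory=dict)   # registry key path -> (key type, value)
    files: dict = field(default_factory=dict)      # file path -> file contents (bytes)
    processes: dict = field(default_factory=dict)  # running process name (lowercase) -> image bytes


def registry_rule(path, key_type, value):
    """Registry Entry Rule: path, key type and value must all match."""
    return lambda host: host.registry.get(path) == (key_type, value)


def file_rule(path, sha256=None):
    """File Rule: the file must exist and, if a checksum was set, match it (SHA-256 assumed)."""
    def check(host):
        data = host.files.get(path)
        return data is not None and (sha256 is None or hashlib.sha256(data).hexdigest() == sha256)
    return check


def process_rule(name, sha256=None):
    """Process Rule: the process must be running and, if a checksum was set, its image must match."""
    def check(host):
        data = host.processes.get(name.lower())
        return data is not None and (sha256 is None or hashlib.sha256(data).hexdigest() == sha256)
    return check


# Tokens: rule names, the operators & | ! and parentheses ("|" for OR is this example's assumption).
_TOKEN = re.compile(r"\s*(?:([A-Za-z_][A-Za-z0-9_]*)|([&|!()]))")


def tokenize(expression):
    tokens, pos, text = [], 0, expression.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"invalid character in host check expression at offset {pos}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent: expr := term ('|' term)*; term := factor ('&' factor)*;
    factor := '!' factor | '(' expr ')' | RULE_NAME.  Every rule named is evaluated
    (no short-circuit), so a misspelled rule name is always reported."""

    def __init__(self, tokens, rules, host):
        self.tokens, self.rules, self.host, self.i = tokens, rules, host, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() == "|":
            self.take()
            rhs = self.term()
            value = value or rhs
        return value

    def term(self):
        value = self.factor()
        while self.peek() == "&":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):
        tok = self.take()
        if tok == "!":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok is None or tok in ("&", "|", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        if tok not in self.rules:
            raise ValueError(f"unknown host check rule {tok!r}")
        return bool(self.rules[tok](self.host))


def evaluate(expression, rules, host):
    """True if the host satisfies the group's host check expression."""
    parser = _Parser(tokenize(expression), rules, host)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r} after expression")
    return result


# Constructed rules and hosts (registry path, values and image bytes are made up).
AVGUARD_IMAGE = b"constructed stand-in for the AVGUARD.EXE image"
RULES = {
    "CorpAssetRegistryEntry": registry_rule(r"HKLM\SOFTWARE\ExampleCorp\Asset", "REG_SZ", "managed"),
    "AntiVirusProcess1": process_rule("AVGUARD.EXE", hashlib.sha256(AVGUARD_IMAGE).hexdigest()),
    "AntiVirusProcess2": process_rule("ashserv.exe"),
}
EXPRESSION = "(CorpAssetRegistryEntry & (AntiVirusProcess1 | AntiVirusProcess2))"

CORP_LAPTOP = HostSnapshot(registry={r"HKLM\SOFTWARE\ExampleCorp\Asset": ("REG_SZ", "managed")},
                           processes={"avguard.exe": AVGUARD_IMAGE})
HOME_PC = HostSnapshot(processes={"ashserv.exe": b"constructed ashserv.exe image"})
TAMPERED_LAPTOP = HostSnapshot(registry={r"HKLM\SOFTWARE\ExampleCorp\Asset": ("REG_SZ", "managed")},
                               processes={"avguard.exe": b"not the expected image"})
```

The tampered laptop case is why the checksum option matters: a process with the right name but the wrong image fails AntiVirusProcess1, and because no second antivirus process is running the whole expression fails even though the registry check passes.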

Enabling IP Pooling

In some situations, the Secure Access client will need a unique IP address for the Firebox SSL. For example, in a Samba environment, each user connecting to a mapped network drive needs to appear to originate from a different IP address. When you enable IP pooling for a group, the Firebox SSL can assign a unique IP address alias to each client.

You can specify the gateway device to be used for IP pooling. The gateway device can be the Firebox SSL itself, or some other device. If you do not specify a Gateway, a Firebox SSL interface is used, based on the General Networking settings, as follows:
- If you have configured only Interface 0 (the Firebox SSL is inside your firewall), the Interface 0 IP address is used as the gateway.
- If you have configured Interfaces 0 and 1 (the Firebox SSL straddles your firewall), the Interface 1 IP address is used as

  the gateway. (Interface 1 is considered the internal interface in this scenario.)

To configure IP pooling for a group:

1 In the group window, select Enable IP Pools.
2 Specify the starting IP address for the pool.
3 Specify the number of IP address aliases. You can have as many as 2000 IP addresses total in all IP pools.
4 Specify the Gateway IP address. If you leave this field blank, a Firebox SSL interface is used, as described earlier in this section. If you specify some other device as the gateway, the Firebox SSL adds an entry for that route in the Firebox SSL routing table.
5 Click Submit.

Setting the Priority of Groups

For users who belong to more than one group, you can determine which group's policies apply to a user by specifying the

priority of groups. For example, suppose that some users belong to both the sales group and the support group. If the sales group appears before the support group in the User Groups list, the sales group policies will apply to the users who belong to both of those groups. If the support group appears before the sales group in the list, the support group policies take precedence.

The policies that are affected by the Group Priority setting are as follows:
- Kiosk mode and persistence mode
- Kiosk default URL
- Portal page use
- IP pools

For ACLs and kiosk applications, a user who belongs to multiple groups has access to all resources and applications enabled for each of those groups. For example, suppose that the sales group has access to the Citrix ICA and Mozilla clients and that the support group has access to all clients. Users who belong to both groups will have access to all clients. Host check expressions are applied as described in Configuring a Host Check Policy for a Group on page 128.

Groups are initially listed in the order in which they are created.

To set the priority of groups:

1 In the Firebox SSL Administration Tool, go to the Group Priority tab.

2 Select a group that you want to move and use the arrow keys to raise or lower the group in the list. The group at the top of the list has the highest priority.
3 Click Submit.

To view the group priorities for a user: In the Remote Admin Terminal window, click the Real-time Monitor icon. The display lists all groups to which the user belongs and the group with the highest priority.

Enabling Split Tunneling

By default, all traffic goes through the VPN tunnel. You can choose to use split tunneling so that the VPN client sends only the traffic destined for the secured network through the VPN tunnel. The secured network consists of the addresses specified as accessible networks, as described in Specifying Accessible Networks on page 103.

When you enable split tunneling, group-based policies apply to the internal NIC only. For connections from inside of the firewall, group-based policies do not apply to traffic to external resources or resources local to the network; that traffic is not encrypted.

To enable split tunneling:

1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Select the check box for Enable Split Tunneling.
3 If there are no Accessible Networks specified, enter the addresses as described in the next section.
4 Click Submit.

Enabling Split DNS

By default, the Firebox SSL checks a VPN user's remote DNS only. You can allow failover to a user's local DNS by enabling split DNS. A VPN user can override this setting from the Connection Properties dialog box (from the login dialog box, select Options > Advanced Options).

To allow failover to a user's local DNS: Go to the Global Policies tab and select the Enable Split DNS check box. The Firebox SSL fails over to the local DNS only if the specified DNS servers cannot be contacted, but not if there is a negative response.
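The rules in Setting the Priority of Groups above combine group settings in two different ways: kiosk mode and persistence, the kiosk default URL, the portal page and IP pools come from the user's highest-priority group, whereas ACL resources and kiosk applications are the union over every group the user belongs to. The following function is an added example written for this guide, not Firebox SSL code, that applies those rules to a constructed sales and support pair so that the effect of reordering the Group Priority tab can be checked before it is changed. The group names, resource names, application labels and IP pool notation are constructed; host check expressions are only collected here, since their combination is described separately in Configuring a Host Check Policy for a Group.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GroupPolicy:
    """Constructed model of the group-level settings named in the guide."""
    name: str
    kiosk_enabled: bool = False
    persistent_mode: bool = False
    kiosk_default_url: str = ""
    portal_page: str = "Access Portal"          # the default page, per the guide
    ip_pool: Optional[str] = None                # e.g. "10.9.0.1 x 50" (constructed notation)
    allowed_resources: frozenset = frozenset()   # resource groups allowed in the group's ACL
    kiosk_apps: frozenset = frozenset()          # applications shown in the kiosk window
    host_check: str = ""                         # host check expression, if any


@dataclass(frozen=True)
class EffectivePolicy:
    governing_group: str
    kiosk_enabled: bool
    persistent_mode: bool
    kiosk_default_url: str
    portal_page: str
    ip_pool: Optional[str]
    allowed_resources: frozenset
    kiosk_apps: frozenset
    host_checks: tuple


def effective_policy(user_groups, priority_order):
    """Apply the Group Priority rules to the groups a user belongs to.

    priority_order lists group names from the top of the Group Priority tab (highest priority)
    to the bottom.  Single-valued settings come from the user's highest-priority group; ACL
    resources and kiosk applications are the union over all of the user's groups.
    """
    if not user_groups:
        raise ValueError("user belongs to no group; the Deny Access without ACL option decides")
    rank = {name: i for i, name in enumerate(priority_order)}
    # Groups missing from the priority list sort last (assumption of this example).
    ordered = sorted(user_groups, key=lambda g: rank.get(g.name, len(rank)))
    top = ordered[0]
    return EffectivePolicy(
        governing_group=top.name,
        kiosk_enabled=top.kiosk_enabled,
        persistent_mode=top.persistent_mode,
        kiosk_default_url=top.kiosk_default_url,
        portal_page=top.portal_page,
        ip_pool=top.ip_pool,
        allowed_resources=frozenset().union(*(g.allowed_resources for g in ordered)),
        kiosk_apps=frozenset().union(*(g.kiosk_apps for g in ordered)),
        host_checks=tuple(g.host_check for g in ordered if g.host_check),
    )


# Constructed groups mirroring the guide's sales/support example.
SALES = GroupPolicy("sales", kiosk_enabled=True, portal_page="Sales Portal",
                    allowed_resources=frozenset({"Intranet"}),
                    kiosk_apps=frozenset({"Citrix ICA", "Mozilla"}),
                    host_check="CorpAssetRegistryEntry")
SUPPORT = GroupPolicy("support", kiosk_enabled=True, persistent_mode=True,
                      kiosk_default_url="http://intranet.example.invalid/",
                      portal_page="Support Portal", ip_pool="10.9.0.1 x 50",
                      allowed_resources=frozenset({"Intranet", "TicketSystem"}),
                      kiosk_apps=frozenset({"Citrix ICA", "Mozilla", "VNC", "Telnet"}))


if __name__ == "__main__":
    for order in (["sales", "support"], ["support", "sales"]):
        p = effective_policy([SALES, SUPPORT], order)
        print(order, "->", p.governing_group, p.portal_page, p.persistent_mode, sorted(p.kiosk_apps))
```

Moving support above sales changes the portal page, persistence mode and IP pool a shared user gets, but not the set of resources or kiosk applications, which stays the union either way.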

Enabling Session Timeout

By default, a VPN user can keep a VPN connection open indefinitely. You can set a session timeout, which is the maximum VPN session duration allowed, after which a VPN user has to log in again. One minute before a session is due to time out, the VPN user is alerted that a login will be required shortly.

To enable session timeout:
1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Enter the maximum session duration in minutes.
3 Click Submit.

Configuring Internal Failover

The Internal Failover setting enables the Secure Access client to connect to the Firebox SSL from inside of the firewall if the Firebox SSL external IP address cannot be reached from inside the firewall. When the Internal Failover setting is enabled, the VPN client fails over to the internal IP address of the Firebox SSL if the external IP address is unreachable.

NOTE
To install the Secure Access client from inside the firewall, go to the portal page and use the "click here to download the client installer" link to download the client. The first time that you run the client from inside the firewall, you will need to point the client to the internal IP address of the Firebox SSL by right-clicking the Secure Access client login dialog box and choosing Advanced Options.

To enable the Secure Access client to fail over to the Firebox SSL internal IP address:
1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Select Enable Internal Failover.
3 Click Submit.

Forcing VPN User Re-login

By default, if a VPN user's network connection is briefly interrupted, the user does not have to log in again once the connection is restored. You can require that users log in again after interruptions such as when a computer comes out of a hibernate state, when the user switches to a different wireless network, or when you force close a connection.

To force re-logins:
1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Under Force Relogin after, select options as follows:
- Standby/Hibernate: forces a user to log in again if the user's computer awakens from a standby or hibernate state. This option provides additional security for unattended computers.
- Network Interruption: forces a user to log in again if the network connection is briefly interrupted.

NOTE
If you want to close a VPN connection and prevent the user or group from reconnecting, you must select the Network Interruption setting. Otherwise, the user(s) will be immediately reconnected without being prompted for credentials. For more information, see Managing VPN Connections on page 45.

3 Click Submit.

Configuring Secure Access for Single Sign-on

By default, Windows users open a VPN connection by launching the Secure Access client from the desktop. You can specify that Secure Access start automatically after the user logs into Windows. The user's Windows login credentials are passed to the Firebox SSL for authentication. After authentication, the Firebox SSL establishes the VPN connection, obtains Windows login scripts from the domain controller, and then runs the login scripts to perform operations such as automatic drive mapping.

NOTE
Login script support is restricted to scripts that are executed by the command processor, such as executables and batch files. Visual Basic and JavaScript login scripts are not yet supported.

You should enable single sign-on only if VPN users' computers are logging into your organization's domain. If single sign-on is enabled and a user connects from a computer that is not on your domain, the user will be prompted to log in. The user's connection log will note that the Firebox SSL failed to look up the domain controller.

To configure Secure Access for single sign-on:
1 In the Firebox SSL Administration Tool, go to the Global Policies tab.
2 Select Enable Single Sign-On.
3 Click Submit.


APPENDIX A
Logging, Monitoring, and Troubleshooting Firebox SSL Operations

The following topics describe how to use Firebox SSL logs and troubleshoot issues:
- Viewing and Downloading System Message Logs on page 143
- Enabling and Viewing SNMP Logs on page 146
- Monitoring Firebox SSL Operations on page 150
- Recovering from a Crash of the Firebox SSL on page 153
- Troubleshooting on page 154

Viewing and Downloading System Message Logs

System message logs contain information that can help Firebox SSL support personnel assist with troubleshooting. By reviewing the information provided, you can track unusual changes that can affect the stability and performance of the Firebox SSL.

System message logs are archived on the Firebox SSL for 30 days. The oldest log is then replaced with the current log. You can download one or all logs at any time. You can also have system messages forwarded to your syslog server, as described in Forwarding System Messages to a Syslog Server on page 145.

NOTE
If you need to view the system log and the Firebox SSL is offline, go to the Administration Portal and click the Logging tab.

To view and filter the system log:
1 In the Administration Tool, go to the Logging > Local System Log tab. The log displayed is for the current date.
2 To display the log for a prior date, select the date in the Log Archive list and click View Log.
3 By default, the log displays all entries. Filter the log as follows:
- To filter the log by user or application, select one or more categories that you want to include.
- To filter the log by priority, select the priorities that you want to include.
- The filters that you select are combined with a logical OR: an entry is displayed if it matches any selected filter.
4 To download a log:
- Select a log in the Log Archive list and click Download Selected Log File. The log filename defaults to yyyymmdd.log.
- Click Download All Log Files to download all logs listed in the Log Archive list. The filename defaults to log_archive_yyyymmdd.tgz. After you download the file, you can extract it to access the individual log files.

Forwarding System Messages to a Syslog Server

The Firebox SSL archives system messages, as described in Viewing and Downloading System Message Logs on page 143. You can also have the Firebox SSL forward system messages to a syslog server.

To forward Firebox SSL system messages to a syslog server:
1 In the Administration Tool, go to the Logging > Syslog tab.
2 Enter the IP address of the syslog server.
3 Select the syslog facility level.
4 Enter a broadcast frequency.
5 Click Submit.

Enabling and Viewing SNMP Logs

When SNMP is enabled, the Firebox SSL reports the MIB-II system group ( ). The Firebox SSL does not support Firebox SSL-specific SNMP data. You can view SNMP messages in the Administration Tool, and you can configure an SNMP monitoring tool such as the Multi Router Traffic Grapher (MRTG) to provide a visual representation of the SNMP data reported by the Firebox SSL in response to queries. For a sample of MRTG output, see MRTG Example on page 147.

To enable the logging of SNMP messages:
1 In the Administration Tool, go to the Logging > SNMP tab.
2 Enter the SNMP location and contact. These fields are informational only.
3 Enter the SNMP community, which is the password that a client must present to obtain data from the SNMP agent. For example, if you use the MRTG monitoring tool, you will need to include this community string as part of the Target field in the MRTG configuration file.
4 The SNMP port defaults to 161. If you change this value, you will also need to change it in any tools that you use to monitor SNMP data.
5 Click Submit.
SNMP messages appear on the SNMP tab.

MRTG Example

The Multi Router Traffic Grapher (MRTG) is a tool to monitor SNMP data, such as traffic load. MRTG generates HTML pages containing PNG images which provide a visual representation of the traffic. MRTG works under UNIX and Windows NT.

NOTE
The information in this section is intended to provide a general idea of working with MRTG. For information on obtaining and using MRTG, refer to ~oetiker/webtools/mrtg/.

To obtain SNMP data for the Firebox SSL through MRTG (in UNIX):
1 Configure the Firebox SSL to respond to SNMP queries (Logging > SNMP).
2 Create MRTG configuration files in /etc/mrtg. Each configuration file specifies the OIDs that the MRTG daemon is to monitor, specifies the target from which to obtain SNMP data, and defines the MRTG output.
[Figure: sample MRTG configuration file, with callouts for the AG host name, the OIDs to obtain from the AG, the AG SNMP community, the AG internal IP address, and the MRTG configuration files]
3 Modify /etc/crontab to perform an SNMP query every five minutes, resulting in graphed data. The various .cfg files listed will generate separate MRTG output.
4 View the MRTG output in a Web browser. MRTG stores HTML output in the Workdir specified in the configuration file. The output filename that corresponds to the configuration file in Step 2 is vpn.myorg.com.tcpcurrestab.html.
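The community string entered in step 3 of Enabling and Viewing SNMP Logs is the only credential protecting the SNMP data, and with the SNMPv1/v2c queries that a poller such as MRTG sends it crosses the network in cleartext. The following Python is an added example, not code from this guide, from MRTG or from the Firebox SSL software: it builds the SNMPv1 GetRequest for one OID exactly as a poller would, then reads the community string back out of the packet. The community "public", the host and the port are constructed values; the OID 1.3.6.1.2.1.6.9.0 (tcpCurrEstab.0 in the MIB-II tcp group) is an assumption about what the vpn.myorg.com.tcpcurrestab target above polls.

```python
"""Added example (not from the guide, MRTG or the Firebox SSL software): build
the SNMPv1 GetRequest that a poller sends for one OID, then show that the
community string travels in the clear and can be recovered from the packet.
Host, port and community "public" are constructed values; the OID is assumed."""
import socket
from typing import Tuple


def encode_length(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_int(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    if n < 0:
        raise ValueError("negative values are not needed here")
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def encode_oid(oid: str) -> bytes:
    """Dotted OID to BER: first two arcs packed as 40*a+b, the rest base-128 big-endian."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] > 39:
        raise ValueError("invalid OID prefix")
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)   # continuation bit on all but the last byte
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(body)) + body


def snmp_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU [A0] }."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))   # { OID, NULL }
    pdu = tlv(0xA0, tlv(0x02, encode_int(request_id))
              + tlv(0x02, encode_int(0))          # error-status
              + tlv(0x02, encode_int(0))          # error-index
              + tlv(0x30, varbind))               # VarBindList
    return tlv(0x30, tlv(0x02, encode_int(0)) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one BER element at pos; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet: bytes) -> str:
    """What anyone on the path sees: the community is the second field of the message."""
    tag, message, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, pos = read_tlv(message, 0)
    if tag != 0x02 or version not in (b"\x00", b"\x01"):
        raise ValueError("not SNMPv1/v2c")
    tag, community, _ = read_tlv(message, pos)
    if tag != 0x04:
        raise ValueError("community string missing")
    return community.decode()


def send_get(host: str, community: str, oid: str, port: int = 161, timeout: float = 2.0) -> bytes:
    """Send one GetRequest over UDP and return the raw response (network I/O, not run by tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(snmp_get_request(community, oid), (host, port))
        data, _ = sock.recvfrom(4096)
    return data


if __name__ == "__main__":
    pkt = snmp_get_request("public", "1.3.6.1.2.1.6.9.0")
    print(pkt.hex())
    print("community recovered from the wire:", extract_community(pkt))
```

Because the string is readable by anything that can see the UDP datagram, treat the community like a password: choose something other than public, and restrict access to the SNMP port (step 4 above) to the monitoring host rather than relying on the community alone. If you changed the port in step 4, pass the same value to send_get.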

Viewing System Statistics

General system statistics are provided on the Logging > Statistics tab. The Max. Connections value is the number of licenses installed.

Monitoring Firebox SSL Operations

The Firebox SSL includes a variety of standard Linux monitoring applications so that you can conveniently access the applications from one location. With the exception of the Real-time Monitor, the applications are included in the Firebox SSL under the GNU General Public License. The icons across the bottom left of the screen provide single-click access to the six monitoring tools. In the bottom right corner, you can view process and network activity levels; mouse over the two graphs to view numeric data.

The monitoring applications are as follows.

Firebox SSL Real-time Monitor
Shows the open VPN connections. To view details about a connection, click the arrow next to the user name. From the monitor, you can temporarily close a connection by connection type (TCP, etc.), disable a user (the user will not be able to connect until you enable the user), and re-enable a user. For more information, see Managing VPN Connections on page 45.

Ethereal Network Analyzer
Enables you to interactively browse packet data from a live network or from a previously saved capture file. For more information, refer to the Help that is available from the Ethereal Network Analyzer window.

xnettools
A multi-threaded network tool that includes a service scanner, port scanner, ping utility, ping scan, name scan, whois query, and finger query.

My traceroute
Combines the functionality of the traceroute and ping programs in one network diagnostic tool. As My traceroute (mtr) starts, it investigates the network connection between the Firebox SSL and the destination host that you specify. After it determines the address of each network hop between the devices, it sends a sequence of ICMP ECHO requests to each one to determine the quality of the link to each device. As it does this, it prints running statistics about each device.

fnetload
Provides real-time network interface statistics. It checks /proc/net/dev every second and builds a graphical representation of its values.

System Monitor
Shows information about CPU usage and memory/swap usage. For more information, refer to the Help available from the System Monitor window.

Recovering from a Crash of the Firebox SSL

If the Firebox SSL software crashes, reinstall the Firebox SSL server software from the CD provided with the device. Prepare the PC before you attempt to reinstall the software. Set the PC to have an IP address on the same network as you want to assign to the Firebox SSL. For example, if the Firebox SSL will


More information

RealPresence Access Director System Administrator s Guide

RealPresence Access Director System Administrator s Guide [Type the document title] Polycom RealPresence Access Director System Administrator s Guide 2.1.0 March 2013 3725-78703-001A Polycom Document Title 1 Trademark Information POLYCOM and the names and marks

More information

Cisco Passguide Exam Questions & Answers

Cisco Passguide Exam Questions & Answers Cisco Passguide 642-648 Exam Questions & Answers Number: 642-648 Passing Score: 800 Time Limit: 120 min File Version: 61.8 http://www.gratisexam.com/ Cisco 642-648 Exam Questions & Answers Exam Name: Deploying

More information

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005 Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks

More information

PMS 138 C Moto Black spine width spine width 100% 100%

PMS 138 C Moto Black spine width spine width 100% 100% Series MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. 2009 Motorola, Inc. Table of

More information

How to Configure a Remote Management Tunnel for an F-Series Firewall

How to Configure a Remote Management Tunnel for an F-Series Firewall How to Configure a Remote Management Tunnel for an F-Series Firewall If the managed NextGen Firewall F-Series cannot directly reach the NextGen Control Center, it must connect via a remote management tunnel.

More information

Link Platform Manual. Version 5.0 Release Jan 2017

Link Platform Manual. Version 5.0 Release Jan 2017 Version 5.0 Release 4.1.1 Jan 2017 Link Platform Manual Copyright 2017 NetLinkz. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system,

More information

TECHNOLOGY Introduction The Difference Protection at the End Points Security made Simple

TECHNOLOGY Introduction The Difference Protection at the End Points Security made Simple APPGATE TECHNOLOGY UNIFIED TECHNOLOGY Introduction The AppGate solution truly delivers holistic security and access control where other approaches fall short. It is designed to address the security and

More information

Configuring NAT for IP Address Conservation

Configuring NAT for IP Address Conservation This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about

More information

Security in Bomgar Remote Support

Security in Bomgar Remote Support Security in Bomgar Remote Support 2018 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their

More information

Finding Feature Information

Finding Feature Information This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about

More information

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003 ZyWALL 70 Internet Security Appliance Quick Start Guide Version 3.62 December 2003 Introducing the ZyWALL The ZyWALL 70 is the ideal secure gateway for all data passing between the Internet and the LAN.

More information

Configuring SSL. SSL Overview CHAPTER

Configuring SSL. SSL Overview CHAPTER 7 CHAPTER This topic describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section are:

More information

ForeScout CounterACT. Configuration Guide. Version 4.1

ForeScout CounterACT. Configuration Guide. Version 4.1 ForeScout CounterACT Network Module: VPN Concentrator Plugin Version 4.1 Table of Contents About the VPN Concentrator Plugin... 3 What to Do... 3 Requirements... 3 CounterACT Requirements... 3 Supported

More information

Installation Procedure Windows NT with Netscape 4.x

Installation Procedure Windows NT with Netscape 4.x Installation Procedure Windows NT with Netscape 4.x Printer Friendly Version [ PDF 232K ] Before You Begin Before proceeding with the installation of a SOHO 6 appliance, you must have the following: A

More information

Vendor: Citrix. Exam Code: 1Y Exam Name: Implementing Citrix NetScaler 10 for App and Desktop Solutions. Version: Demo

Vendor: Citrix. Exam Code: 1Y Exam Name: Implementing Citrix NetScaler 10 for App and Desktop Solutions. Version: Demo Vendor: Citrix Exam Code: 1Y0-250 Exam Name: Implementing Citrix NetScaler 10 for App and Desktop Solutions Version: Demo QUESTION NO: 1 Citrix 1Y0-250 Exam A company uses various pre-approved user devices

More information

Cisco Expressway with Jabber Guest

Cisco Expressway with Jabber Guest Cisco Expressway with Jabber Guest Deployment Guide First Published: Decemeber 2016 Cisco Expressway X8.9 Cisco Jabber Guest Server 10.6.9 (or later) Cisco Systems, Inc. www.cisco.com Contents Preface

More information

LevelOne FBR User s Manual. 1W, 4L 10/100 Mbps ADSL Router. Ver

LevelOne FBR User s Manual. 1W, 4L 10/100 Mbps ADSL Router. Ver LevelOne FBR-1416 1W, 4L 10/100 Mbps ADSL Router User s Manual Ver 1.00-0510 Table of Contents CHAPTER 1 INTRODUCTION... 1 FBR-1416 Features... 1 Package Contents... 3 Physical Details... 3 CHAPTER 2

More information

BIG-IP Access Policy Manager : Portal Access. Version 13.0

BIG-IP Access Policy Manager : Portal Access. Version 13.0 BIG-IP Access Policy Manager : Portal Access Version 13.0 Table of Contents Table of Contents Overview of Portal Access...7 Overview: What is portal access?...7 About portal access configuration elements...

More information

Remote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN

Remote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN Remote Access virtual private network (VPN) allows individual users to connect to your network from a remote location using a laptop or desktop computer connected to the Internet. This allows mobile workers

More information

VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources

VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources Workspace ONE UEM v9.6 Have documentation feedback? Submit a Documentation Feedback

More information

AccessEnforcer Version 4.0 Features List

AccessEnforcer Version 4.0 Features List AccessEnforcer Version 4.0 Features List AccessEnforcer UTM Firewall is the simple way to secure and manage your small business network. You can choose from six hardware models, each designed to protect

More information

Configuration Guide. BlackBerry UEM Cloud

Configuration Guide. BlackBerry UEM Cloud Configuration Guide BlackBerry UEM Cloud Published: 2018-04-18 SWD-20180411125526296 Contents About this guide... 7 Getting started... 8 Configuring BlackBerry UEM Cloud for the first time... 8 Administrator

More information

Security SSID Selection: Broadcast SSID:

Security SSID Selection: Broadcast SSID: 69 Security SSID Selection: Broadcast SSID: WMM: Encryption: Select the SSID that the security settings will apply to. If Disabled, then the device will not be broadcasting the SSID. Therefore it will

More information

How to Configure Authentication and Access Control (AAA)

How to Configure Authentication and Access Control (AAA) How to Configure Authentication and Access Control (AAA) Overview The Barracuda Web Application Firewall provides features to implement user authentication and access control. You can create a virtual

More information

CloudLink SecureVM. Administration Guide. Version 4.0 P/N REV 01

CloudLink SecureVM. Administration Guide. Version 4.0 P/N REV 01 CloudLink SecureVM Version 4.0 Administration Guide P/N 302-002-056 REV 01 Copyright 2015 EMC Corporation. All rights reserved. Published June 2015 EMC believes the information in this publication is accurate

More information

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client. WatchGuard SSL v3.2 Update 2 Release Notes Supported Devices SSL 100 and 560 WatchGuard SSL OS Build 452330 Revision Date 11 November 2014 Introduction WatchGuard is pleased to announce the release of

More information

Citrix Exam 1Y0-253 Implementing Citrix NetScaler 10.5 for App and Desktop Solutions Version: 6.0 [ Total Questions: 186 ]

Citrix Exam 1Y0-253 Implementing Citrix NetScaler 10.5 for App and Desktop Solutions Version: 6.0 [ Total Questions: 186 ] s@lm@n Citrix Exam 1Y0-253 Implementing Citrix NetScaler 10.5 for App and Desktop Solutions Version: 6.0 [ Total Questions: 186 ] Question No : 1 Scenario: An administrator needs to deliver production

More information

Gigabit SSL VPN Security Router

Gigabit SSL VPN Security Router As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is the ideal to help the SMBs increase the

More information

CYAN SECURE WEB Installing on Windows

CYAN SECURE WEB Installing on Windows CYAN SECURE WEB September 2009 Applies to: 1.7 and above Table of Contents 1 Introduction... 2 2 Preparation... 2 3 Network Integration... 3 3.1 Out-of-line Deployment... 3 3.2 DMZ Deployment... 3 4 Proxy

More information

Aventail Connect Client with Smart Tunneling

Aventail Connect Client with Smart Tunneling Aventail Connect Client with Smart Tunneling User s Guide Windows v8.9.0 1996-2007 Aventail Corporation. All rights reserved. Aventail, Aventail Cache Control, Aventail Connect, Aventail Connect Mobile,

More information

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3 Deploying VMware Identity Manager in the DMZ SEPT 2018 VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication You can use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user

More information

Installation Procedure Windows 2000 with Internet Explorer 5.x & 6.0

Installation Procedure Windows 2000 with Internet Explorer 5.x & 6.0 Installation Procedure Windows 2000 with Internet Explorer 5.x & 6.0 Printer Friendly Version [ PDF 266K ] Before You Begin Before proceeding with the installation of a SOHO 6 appliance, you must have

More information

Aventail WorkPlace. User s Guide Version 8.7.0

Aventail WorkPlace. User s Guide Version 8.7.0 Aventail WorkPlace User s Guide Version 8.7.0 1996-2006 Aventail Corporation. All rights reserved. Aventail, Aventail Cache Control, Aventail Connect, Aventail Connect Mobile, Aventail Connect Tunnel,

More information

Deploying F5 with Microsoft Active Directory Federation Services

Deploying F5 with Microsoft Active Directory Federation Services F5 Deployment Guide Deploying F5 with Microsoft Active Directory Federation Services This F5 deployment guide provides detailed information on how to deploy Microsoft Active Directory Federation Services

More information

vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5

vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5 vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this

More information

Novell Access Manager

Novell Access Manager SSL VPN User Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.0 SP4 September 16, 2008 www.novell.com Novell Access Manager 3.0 SP4 VPN User Guide Legal Notices Novell, Inc., makes no representations

More information

ASACAMP - ASA Lab Camp (5316)

ASACAMP - ASA Lab Camp (5316) ASACAMP - ASA Lab Camp (5316) Price: $4,595 Cisco Course v1.0 Cisco Security Appliance Software v8.0 Based on our enhanced FIREWALL and VPN courses, this exclusive, lab-based course is designed to provide

More information

Wireless LAN Controller Web Authentication Configuration Example

Wireless LAN Controller Web Authentication Configuration Example Wireless LAN Controller Web Authentication Configuration Example Document ID: 69340 Contents Introduction Prerequisites Requirements Components Used Conventions Web Authentication Web Authentication Process

More information