REMOTE ACCESS SSL BROWSER & CLIENT


Slide 1: REMOTE ACCESS SSL BROWSER & CLIENT (Course 4001)

Slide 2: SSL
SSL remote access is comprised of two components:
- SSL Browser (clientless access)
- SSL Client

Slide 3: SSL Remote Access Key Features
- Part of GTA's remote access solutions, which include Mobile IPSec VPNs (with XAuth support), PPTP and L2TP.
- Granular network access and authorization based on groups and policies.
- Clientless access via the SSL Browser.
- Customizable SSL login portal.
- Customized Browser interface based on groups.
- Base licenses of 2 SSL Client or Browser connections are standard.
- Windows, Linux and Mac client support.
- Client installer and configuration files are downloaded from the Remote Access Portal.
- Currently only supports IPv4 connections.

Slide 4: Requirements
- GB-OS 5.3 or above.
- Signed certificates: a firewall VPN certificate and a certificate for each SSL Client user.
- The SSL Client user must have permission to run the client on the host.
- Firewall with the VPN option or built-in VPN support.
- Additional Remote Access licenses for more than 2 concurrent connections.

Slide 5: Steps, Browser Configuration
- Configure certificates if needed.
- Configure the Remote Access Portal.
- Configure bookmarks for groups.
- Configure groups.
- Configure users (or LDAP/RADIUS).

Slide 6: Certificates (Briefly)
- SSL Client connections require that both the firewall and the client have signed certificates.
- GB-OS 5.3 and above supports the creation of signed certificates using a CA created on the firewall.
- All firewalls updated to GB-OS 5.3 will have a CA created automatically. If no CA exists, it can be created in the Certificates section and used to create VPN and user certificates.
- For more information on certificate management, see the GB-OS Guide and the VPN Option Guide. You can also import certificates from an external CA for use in the browser.

Slide 7: SSL Vulnerabilities
- Always keep up to date!
- Recent vulnerabilities in SSL:
  - CVE-2013-0169 / VU#720951: SSL, TLS and DTLS plaintext recovery attack
  - CVE-2014-0160: OpenSSL Heartbeat / Heartbleed vulnerability
  - VU#864643: BEAST

Slide 8: SSL Browser Configuration
- Remote Access Portal configuration: [Configure -> VPN -> Remote Access -> Browser].
- Allows users to remotely access network services and to download the SSL Client.
- Steps:
  1. Enable the service on an alternate port. This is optional, but recommended.
  2. Create bookmarks for users.
  3. Define a group allowing access, with SSL Browser enabled.
  4. Define users on the firewall and place them in the SSL group. If using LDAP or RADIUS, local users are not required.

Slide 9: SSL Browser Preferences, Browser Configuration

Field          Value      Description
Alternate Port
  Enable       Unchecked  Starts the service on the alternate port.
  Port         1443       Specifies the alternate port the service runs on; otherwise the administration port is used.
Authentication
  LDAP         Unchecked  Enables LDAP user access.
  Radius       Unchecked  Enables RADIUS user access.

Slide 10: SSL Browser Preferences, Advanced Configuration

Field               Value       Description
Encryption          High        Level of encryption to use for browsers.
FIPS                Disabled    Forces use of FIPS compliant algorithms.
Timeout Sessions    10 minutes  Inactivity timeout; valid from 5 to 1440 minutes.
Virtual Keyboard    Required    Requires users to log in with the virtual keyboard.
Automatic Policies
  Enable            Enabled     Allows the firewall to create an automatic policy based on the firewall configuration.
  Zone              ANY         Specifies the interface the connection is allowed on.
  Source Address    ANY_IP      Specifies the networks allowed to connect.

Slide 11: SSL Browser Preferences, Advanced Configuration (Customization)

Field                 Value         Description
Login Title           User defined
Logo                  User defined  Allows upload of a 32x32 pixel JPEG, PNG or GIF file of 100 KB or less.
Disclaimer
  Enable              Unchecked     Enables the disclaimer to be displayed.
  Message             User defined  Allows a message of up to 4095 characters.
  Characters remaining  Not editable  Remaining characters available in the disclaimer.

Slide 12: Bookmarks
Shortcuts for users to access common protected sites.
- Bookmark Object: used to reference other bookmarks.
- Icons: Browser, Document, Email, Folder, Network, Web.
- Label: what is displayed to the user in the SSL Browser.
- Types: http/https, ftp/ftps, CIFS (SMB).
- URL: link to the internal resource.

Slide 13: Groups
SSL access is based on a user's group.

Field           Description
Enable          Allows SSL access.
Bookmarks Only  User can only see bookmarks.
Read Only       May only download files.
Bookmarks       Bookmark object for users.
Client          Enables the SSL Client for the user.

Slide 14: Users
- When defining or editing a user, select the group that has SSL enabled.
- Groups determine the user's permissions.
- Note: if using LDAP or RADIUS this step is not required. However, the LDAP group on the Active Directory server will need to be defined in the Groups section with SSL enabled.

Slide 15: Logging into the Remote Access Portal
Log in using the host name or IP address of the firewall on the specified port. The user's bookmarks and browser configuration will be displayed:
- Browser: all predefined links, and network browsing if enabled.
- Client: downloads for installers and the configuration policy.

Slide 16: Example of SSL Page
- Browser toolbar: allows the user to easily and quickly return to the SSL Browser page.
- Easy-to-use file toolbar: allows easy navigation and uploading and downloading of files.

Slide 17: SSL Client Configuration
- Configures properties for SSL Client connections.
- Steps:
  1. Enable the SSL Browser service on an alternate port. This is optional, but recommended. The Remote Access Portal is used to download client installers and configuration.
  2. Create bookmarks for users, if required.
  3. Define groups allowing access, with SSL enabled for browser and clients.
  4. Define users on the firewall and place them in the SSL group.
  5. Configure the SSL Client: [Configure -> VPN -> Remote Access -> SSL -> Client].
  6. Configure SSL security policies: [Configure -> Security Policies -> Policy Editor -> SSL Client].

Slide 18: SSL Client Configuration

Field                 Value                                   Description
Enable                Disabled                                Starts the SSL Client service.
Port                  1194                                    Port the service listens on.
Accessible Networks   Default is object <FW Networks Local>   Local networks reachable through the SSL VPN.
Client DHCP Networks  Default is <Pool SSL>; default network  IP address ranges assigned to clients when connecting.
                      is 192.168.72.0/24
Domain                User defined                            Domain assigned to the client.
Name Servers          IP address, user defined                DNS servers assigned to the client.
WINS Server           IP address, user defined                WINS servers assigned to the client.

Slide 19: SSL Client Configuration, Advanced

Field                   Value                  Description
Automatic Policies      Enabled                Allows the firewall to create the security policies needed to allow client connections.
Encryption Object       AES-192, SHA-1, grp2   Encryption for the VPN.
FIPS                    Unchecked              Forces use of FIPS compliant algorithms.
Lifetime                480 minutes            Re-key time.
Allow Duplicate CN      Unchecked              Allows duplicate certificates.
Override host name      blank                  Uses the host name from [Network -> Interfaces -> Settings]; used when an alias on the firewall is used for the SSL Client.
Redirect Client Gateway Unchecked              Forces all remote connections via the VPN.
UDP                     Unchecked              Uses UDP instead of TCP for the client.
Compression             Checked                Enables or disables compression.
Verbose Logging         Unchecked              Increases SSL logging for debugging.

Slide 20: TUN Adapter & Routing Table
When the SSL Client service is started, it automatically adds a tun0 interface and IP address on the firewall.

Slide 21: SSL Security Policies
SSL security policies control access for the client through the firewall. Filter on:
- Source and destination IP
- Time
- Service
- Group
Configure these policies according to corporate security.

Slide 22: Downloading the Client
- The client configuration file and installers are downloaded via the firewall's SSL Browser interface.
- Installers: Windows: GTA SSL Client. Mac: Tunnelblick SSL client. Linux: OpenVPN.
- The SSL VPN client installation guide is also available via the firewall.

Slide 23: Install Instructions
- Run the installer for your specific OS.
- Unzip or uncompress the configuration files into the directory in which you installed the client.

Slide 24: Connecting with the Client
Open the client using the method described for your OS and authenticate.
- Windows: select the SSL Client icon on the desktop.
- Mac: run Tunnelblick. Once Tunnelblick is started, an icon will appear at the top of the screen.
- Linux: use either the command line or Network Manager (if installed) to open the connection.
- See the client installation guides for detailed instructions.

Slide 25: Windows Client (screenshot)

Slide 26: Using the Client
- Once the client is open and connected, the firewall assigns an IP address from the SSL pool to the client and pushes routes for the local networks to the client.
- After the client is completely connected it works very similarly to the IPSec VPN: access is based on policies.

Slide 27: Active Sessions, Log Files
Example session log line:
Mar 31 15:58:15 pri=5 msg="close inbound, SSL" type=ssl proto=53/udp src=192.168.211.2 srcport=49957 user="david Brooks" dst=10.10.1.9 dstport=53 rule=4 duration=22 sent=71 rcvd=136 pkts_sent=1 pkts_rcvd=1

Slide 28: Remote Access Solutions

Option                   GB-250 10 User  GB-250e or 25  GB-300        GB-850/820    GB-2100       GB-2500       GB-Ware
IPSEC Tunnels            Optional        Included       Included      Included      Included      Included      Included
Mobile IPSec/PPTP/L2TP   Optional        Included - 2   Included - 2  Included - 2  Included - 2  Included - 2  Included - 2
SSL Browser              Optional        Included - 2   Included - 2  Included - 2  Included - 2  Included - 2  Included - 2
SSL Client               Optional        Included - 2   Included - 2  Included - 2  Included - 2  Included - 2  Included - 2

The number of IPSec tunnels and connected mobile users depends on each product. The SSL Browser portal is customizable with a corporate logo, greeting and disclaimer.

Slide 29: Licenses
- Remote Access licenses (5.3 and above): any firewall with the VPN option will have the SSL Browser and Client, IPSec client, L2TP client and PPTP client enabled.
- SSL Browser: the default SSL license is 2 concurrent Browser connections; these are not counted against the SSL Client or other VPN connections.
- SSL Client: the default SSL license is 2 concurrent Client connections; these are not counted against Browser or other VPN connections.
- IPSec, PPTP and L2TP (note: L2TP and PPTP are supported in v5.4): the default license is 2 concurrent connections. Any combination of IPSec, PPTP or L2TP counts toward the concurrent user licenses.
  Example: a firewall has the base 2 concurrent connections.
  - IPsec client connects (1 connection) + L2TP client connects (1 connection): total 2 connections
  - IPsec client connects (1 connection) + PPTP client connects (1 connection): total 2 connections
  - L2TP client connects (1 connection) + PPTP client connects (1 connection): total 2 connections

Slide 30: Troubleshooting / Logs
- After updating certificates, restart the SSL service.
- Compromised address attempt:
  Feb 12 10:26:00 pri=4 msg="ssl: 217.170.99.174:42942 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1560 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attemping restart...]" type=mgmt
- User missing SSL certificate:
  Error: Unable to create SSL Client configuration bundle
- Client login failure (client side):
  Wed Sep 16 15:59:53 2009 AUTH: Received AUTH_FAILED control message
- Firewall log for login failure:
  Jan 20 09:12:08 pri=3 msg="ssl: 199.120.225.20:5369 Authentication failure, user(fwadmin)" type=mgmt
  Jan 20 09:12:08 pri=6 msg="ssl: 199.120.225.20:5369 Authentication attempt, user(fwadmin)" type=mgmt
  Jan 20 09:11:53 pri=5 msg="auth: Remote user login" user="fwadmin" src=199.120.225.20 srcport=5077 dst=199.120.225.75 dstport=1443
- Host locked out:
  May 9 09:01:04 pri=4 msg="wwwadmin: Locked out, remote access denied" type=mgmt src=199.120.225.20 srcport=49373 dst=199.120.225.80 dstport=1443
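The log lines on slides 27 and 30 share one key=value layout (a timestamp, then pri=, msg="...", type=, src=, srcport=, ...), and the messages from the SSL service carry the peer address and user name inside msg. The following is an added example, not GTA's code or part of the course: a small Python parser for that layout with the defender-side checks a syslog collector would run on it. It uses the page's own log lines plus two extra "Authentication failure" lines that are constructed here (the extra lines, the chronological ordering and the failure threshold of 3 are assumptions for the demonstration). It reports repeated authentication failures from one source, the lockout message, and the "Bad encapsulated packet length" warning, which the slide notes can mean an MTU mismatch or an active attack on the TCP link.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the lines shown on slides 27 and 30, put in time order,
# plus two extra "Authentication failure" lines (constructed, not from the
# course) so that the repeated-failure check below has something to trip on.
SAMPLE_LOG = """\
Mar 31 15:58:15 pri=5 msg="close inbound, SSL" type=ssl proto=53/udp src=192.168.211.2 srcport=49957 user="david Brooks" dst=10.10.1.9 dstport=53 rule=4 duration=22 sent=71 rcvd=136 pkts_sent=1 pkts_rcvd=1
Feb 12 10:26:00 pri=4 msg="ssl: 217.170.99.174:42942 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1560 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attemping restart...]" type=mgmt
Jan 20 09:11:53 pri=5 msg="auth: Remote user login" user="fwadmin" src=199.120.225.20 srcport=5077 dst=199.120.225.75 dstport=1443
Jan 20 09:12:08 pri=6 msg="ssl: 199.120.225.20:5369 Authentication attempt, user(fwadmin)" type=mgmt
Jan 20 09:12:08 pri=3 msg="ssl: 199.120.225.20:5369 Authentication failure, user(fwadmin)" type=mgmt
Jan 20 09:12:21 pri=3 msg="ssl: 199.120.225.20:5370 Authentication failure, user(fwadmin)" type=mgmt
Jan 20 09:12:35 pri=3 msg="ssl: 199.120.225.20:5371 Authentication failure, user(fwadmin)" type=mgmt
May 9 09:01:04 pri=4 msg="wwwadmin: Locked out, remote access denied" type=mgmt src=199.120.225.20 srcport=49373 dst=199.120.225.80 dstport=1443
"""

# "Mon DD HH:MM:SS" timestamp, then a run of key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
# key=value, where the value is either "quoted text" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# msg values from the SSL service start with "ssl: <peer-ip>:<peer-port> <text>".
PEER_RE = re.compile(r"^ssl: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<text>.*)$")
USER_RE = re.compile(r"user\((?P<user>[^)]*)\)")


def parse_line(line):
    """Return a dict of fields for one GB-OS log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    return rec


def classify(rec):
    """Map a parsed record to (event kind, source address, user)."""
    msg = rec.get("msg", "")
    peer = PEER_RE.match(msg)
    if peer:
        text = peer.group("text")
        u = USER_RE.search(text)
        user = u.group("user") if u else None
        if "Authentication failure" in text:
            return ("auth_failure", peer.group("ip"), user)
        if "Authentication attempt" in text:
            return ("auth_attempt", peer.group("ip"), user)
        if "Bad encapsulated packet length" in text:
            return ("bad_packet_length", peer.group("ip"), None)
        return ("ssl_other", peer.group("ip"), user)
    if "Locked out" in msg:
        return ("lockout", rec.get("src"), None)
    if msg.startswith("auth:"):
        return ("login", rec.get("src"), rec.get("user"))
    if rec.get("type") == "ssl":
        return ("session", rec.get("src"), rec.get("user"))
    return ("other", rec.get("src"), None)


def analyze(log_text, failure_threshold=3):
    """Count event kinds and build alerts; the threshold is an assumed tuning value."""
    counts = Counter()
    failures_by_src = defaultdict(Counter)  # source ip -> Counter of user names
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        kind, src, user = classify(rec)
        counts[kind] += 1
        if kind == "auth_failure":
            failures_by_src[src][user] += 1
        elif kind == "lockout":
            alerts.append(f"{rec['ts']}: remote access from {src} is locked out")
        elif kind == "bad_packet_length":
            alerts.append(f"{rec['ts']}: malformed TCP framing from {src}; "
                          "check --tun-mtu/--link-mtu on both peers or treat as a possible active attack")
    for src, users in failures_by_src.items():
        total = sum(users.values())
        if total >= failure_threshold:
            alerts.append(f"{total} authentication failures from {src} for users {sorted(users)}")
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = analyze(SAMPLE_LOG)
    for kind, n in sorted(counts.items()):
        print(f"{kind:18s} {n}")
    for a in alerts:
        print("ALERT:", a)
```

Run as a script it prints the per-kind counts and three alerts for the sample; to use it on a real export, pass the text of the syslog file to analyze() and tune failure_threshold to the lockout policy in use. The parser deliberately keeps the quoted msg text intact, because the peer address and user name for SSL-service events live only there, not in separate src= or user= fields.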

Slide 31: Best Practices
General:
- Set up a syslog service to log all SSL and firewall activity.
- Keep GB-OS up to date with the latest patch releases. GTA incorporates the latest SSL updates in GB-OS releases.
- Require all hosts connecting to the firewall to have the latest OS patches as well as anti-virus, malware and spyware protection.
SSL Browser:
- Use bookmarks in all cases. Only allow network browsing when absolutely necessary, and restrict it to administrative users if possible.
- Force use of the virtual keyboard for all SSL Browser logins.
- When possible, use GBAuth to authenticate before connecting to the SSL Browser.
- Change the SSL Browser default port to a different port number.
- When possible, do not reference external non-trusted sites in the SSL Browser or on internal web sites reached via the SSL Browser.
SSL Client:
- Use the Redirect Client Gateway option when all clients connect. This prevents connections to other sites while the SSL Client is connected.
- When possible, use GBAuth to authenticate before allowing access with the SSL Client.
- Change the SSL Client default port to a different port number.
SSL Client security policies should use:
- Source and destination networks in policies.
- Restricted access to required ports and services.
- Group-based policies for access.

Slide 32: Additional Information
- Tunnelblick: http://code.google.com/p/tunnelblick/
- OpenVPN: http://openvpn.net/
- GTA Documentation: http://www.gta.com/support/documents/
- FIPS: http://www.openssl.org/docs/fips/fipsnotes.html
- FIPS 140-2 information: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

Slide 33: If you require additional assistance or have additional questions, please contact GTA Technical Support.
Email: support@gta.com
Phone: 1.407.482.6925
Skype: gta_support
Free user support: http://forum.gta.com