How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

Table of Contents
Background
Configuration Steps
  Create SSL VPN Portal Services
  Configure an SSL VPN Portal Policy
  Configure the SSL VPN Portal
  Configure Engine-Specific SSL VPN Portal Settings
  Checking the Configuration
  Monitoring and Logging

Background

This document provides a Forcepoint NGFW SSL VPN Portal configuration example. The SSL VPN Portal was enhanced recently and provides the following benefits for users and NGFW administrators:
- Quick setup of the portal, and access for users without a client installation;
- External access to a wider set of intranet URLs without individual client configuration;
- Support for JavaScript and common web applications such as SharePoint and Office 365;
- Self-signed certificates for easy initial setup.

The main use case for SSL VPN is remote access with a standard browser such as Firefox or Chrome. The SSL VPN Portal proxies end-user connections to HTTP-based services in the protected network; the end user is never directly connected to the back-end services.

The following versions were used when writing this document:
- Security Management Center (SMC) 6.2.0;
- Next Generation Firewall (NGFW) 6.2.0;
- Windows Server 2012 R2;
- A web browser for client access.

We assume that the integration between SMC and Microsoft AD is up and running for user authentication purposes.

Configuration Steps

CREATE SSL VPN PORTAL SERVICES

SSL VPN Portal Services map external URLs to HTTP-based services in the protected network. In the SMC, use the path Configuration > VPN > SSL VPN Portal > SSL VPN Portal Services, then right-click and select New SSL VPN Portal Service to create a new SSL VPN Portal Service.

In the General tab, enter a Name for the new Portal Service. There are three methods available for Link Translation:
- URL Rewrite: a URL prefix that corresponds to a service in the protected network is added to the URL. This option does not require additional DNS entries;
- DNS Mapping: incoming connections to the SSL VPN Portal are translated to an internal host running on a specific port. This option requires additional DNS entries;
- Freeform URL: users can manually enter a URL in the SSL VPN Portal in addition to selecting a predefined service.

We are going to use URL Rewrite in this document.

The Profile contains settings for SSO/Authentication and cookie protection. Authentication can be based on HTTP (Basic, Digest, NT LAN Manager (NTLM) or NTLMv2) or on a Form (the web browser is redirected to a custom logon web page that has a customizable logon form). Define your profile before configuring the SSL VPN Portal Services, or use one of the default ones. We are going to use Full Cookie Protection.

External URL Prefix determines the URL prefix seen by the user when accessing this portal; the Internal URL specifies the URL of the service in the protected network. Alternative Hosts specifies additional host names or IP addresses at which the web server (Internal URL) can be contacted.

For a given Portal Services setup, users can use SSO for all services that share credentials as part of the same SSO Domain. If you plan to use an SSO Domain, configure it before the Portal Service setup.

Client Trust specifies which certificate authorities (CAs) are trusted for client connections to the service. Clients trust the CA that you select from the drop-down list; to allow the client to trust any CA, select Trust All CAs.

Client-Side Rewrite improves compatibility when JavaScript is used to dynamically construct URLs. Client-side URL rewrite must be enabled to connect to some services, such as SharePoint and Office 365, through the SSL VPN Portal.
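To make the URL Rewrite method concrete, here is an added Python illustration (not Forcepoint's implementation) of the two translations a portal must perform with this method: mapping a requested portal path to the Internal URL, and rewriting links in the back-end response so they stay behind the External URL Prefix. The service table, host names and the fixed set of link attributes are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample Portal Services: External URL Prefix -> Internal URL.
# Only these prefixes are proxied; anything else is refused, which is the
# difference between URL Rewrite and the Freeform URL option.
SERVICES = {
    "/app1": "http://app1.intranet.example/",
    "/smc": "https://smc.intranet.example:8085/",
}

# href/src/action attributes in a back-end HTML response (assumed set)
LINK_ATTR = re.compile(r'\b(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)


def to_internal(portal_path):
    """Map a path requested on the portal (e.g. /app1/docs/x.html?v=2) to the
    back-end URL, or return None when no External URL Prefix matches."""
    p = urlsplit(portal_path)
    for prefix, internal in SERVICES.items():
        if p.path == prefix or p.path.startswith(prefix + "/"):
            rest = p.path[len(prefix):].lstrip("/")
            return internal + rest + ("?" + p.query if p.query else "")
    return None


def rewrite_link(link, current_prefix):
    """Translate one link from a back-end response into a portal link.
    Absolute (or protocol-relative) links to a known internal origin get that
    service's prefix; root-relative links stay inside the service being
    proxied; links to unknown hosts are left alone and are not proxied."""
    p = urlsplit(link)
    if p.netloc:
        for prefix, internal in SERVICES.items():
            i = urlsplit(internal)
            if p.netloc.lower() == i.netloc.lower() and p.scheme in ("", i.scheme):
                return urlunsplit(("", "", prefix + (p.path or "/"), p.query, p.fragment))
        return link
    if p.path.startswith("/"):
        return current_prefix + link
    return link  # relative link or fragment: resolves under the rewritten page URL


def rewrite_html(html, current_prefix):
    """Rewrite every link attribute in an HTML body. URLs that JavaScript
    builds at run time are invisible to a server-side pass like this one,
    which is what the portal's Client-Side Rewrite option is for."""
    return LINK_ATTR.sub(
        lambda m: "%s=%s%s%s" % (m.group(1), m.group(2),
                                 rewrite_link(m.group(3), current_prefix), m.group(2)),
        html)
```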
Go to the Look & Feel tab of the SSL VPN Portal Service.

A link to the service appears on the SSL VPN Portal web page when Visible in Portal is selected. The Title field specifies the title displayed for the service (the link the user clicks) on the SSL VPN Portal web page, and Start Page specifies the path to the initial page that the user sees when clicking the icon to connect to the service. Optionally, the Icon can be replaced by another .png file. The Description determines the text the user sees when hovering the mouse over the icon.

For each service in the protected network that you want to make available to users, you can configure a separate Portal Service with its own parameters (link translation method, authentication, icons, etc.). Click OK.

CONFIGURE AN SSL VPN PORTAL POLICY

The SSL VPN Portal Policy defines which services are available in the SSL VPN Portal and which users can access them. The Policy can provide access to many different services configured as SSL VPN Portal Services. In our case we are going to include the two services already configured. To configure a new policy, use the path Configuration > VPN > SSL VPN Portal. When editing the new policy you can add the SSL VPN Portal Services and the users (or groups) who will be able to access them:
- Select the Services to be applied to the Policy;
- Select the Groups;
- Save your configuration.

CONFIGURE THE SSL VPN PORTAL

Create and enable the SSL VPN Portal to make it available through one or more security engines. Use the path Configuration > VPN > SSL VPN Portals, then right-click and select New SSL VPN Portal. On the General tab enter a Name for this portal and select the SSL VPN Portal Policy (already configured) associated with it; under Hostnames enter the domain name or IP address that the user enters in their web browser to access the SSL VPN Portal. In this case we are going to use a self-signed certificate.

The Look & Feel tab determines how the screen is presented to the user just after login. It is possible to customize the portal (colours, logos, etc.) and see a preview. Change the Look & Feel to Forcepoint. In the Target Engine tab, choose the NGFW engines that will accept the SSL VPN Portal access requests, as well as the TCP port.

In the Advanced tab, enter the Timeout parameters (Idle and Session timeouts) and the log level associated with the SSL VPN Portal Services. If Allow Persistent User Sessions is selected, users remain logged on to the SSL VPN Portal even after closing the browser, until the defined session timeout is reached. When Allow Empty Referrer in HTTP Headers is selected, web browsers are not required to include referrer information in HTTP headers. The referrer indicates the last page the user was on (the one where they clicked the link).
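As an added illustration (not Forcepoint code) of the decision the referrer check makes and of what Allow Empty Referrer relaxes, here is a Python version of that check. The portal hostnames and the sample request headers are constructed assumptions, and consulting the Origin header first goes beyond the page: browsers send it on cross-site form posts even when the Referer has been stripped.

```python
from urllib.parse import urlsplit

# Constructed portal hostnames, corresponding to the Hostnames field of the
# SSL VPN Portal (what the user types into the browser).
PORTAL_HOSTNAMES = {"vpn.example.com", "198.51.100.10"}


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent or blank."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip() or None
    return None


def referrer_allowed(headers, allow_empty_referrer=False):
    """Decide whether a request to the portal passes the referrer check.
    Returns (allowed, reason). Origin is consulted before Referer because a
    cross-site POST carries Origin even when the Referer has been stripped."""
    source = _header(headers, "Origin") or _header(headers, "Referer")
    if source is None:
        # Browsers omit the referrer for typed or bookmarked URLs and under
        # Referrer-Policy: no-referrer; accepting that is the setting's trade-off.
        if allow_empty_referrer:
            return True, "no referrer: accepted because Allow Empty Referrer is on"
        return False, "no referrer: rejected because Allow Empty Referrer is off"
    # hostname is lower-cased and has the port removed; an opaque "null"
    # Origin yields None and is therefore treated as cross-site.
    host = urlsplit(source).hostname
    if host in PORTAL_HOSTNAMES:
        return True, "referrer host %s matches a portal hostname" % host
    return False, "cross-site referrer host %r rejected" % host


# Constructed sample requests of the kinds the check must distinguish.
SAMPLE_REQUESTS = {
    "same_origin": {"Referer": "https://VPN.EXAMPLE.COM:443/portal/"},
    "cross_site": {"referer": "https://evil.example.net/lure.html"},
    "no_referrer": {"User-Agent": "Mozilla/5.0"},
    "null_origin": {"Origin": "null"},
    "origin_wins": {"Origin": "https://attacker.example",
                    "Referer": "https://vpn.example.com/"},
}


def classify_samples(allow_empty_referrer=False):
    """Run every sample through the check; returns {name: allowed}."""
    return {name: referrer_allowed(h, allow_empty_referrer)[0]
            for name, h in SAMPLE_REQUESTS.items()}
```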

CONFIGURE ENGINE-SPECIFIC SSL VPN PORTAL SETTINGS

In the engine-specific configuration, click SSL VPN Portal under VPN settings. In the SSL VPN Portal field, select the Portal already configured on the Management Server, as well as the TCP port that will accept user connections. Select the SSL/TLS versions that will be available to users and the TLS Cryptography Suite Set that will be used. Save the configuration.

CHECKING THE CONFIGURATION

From a browser installed on a host in the external network, enter the IP address of the external firewall interface (the same IP address configured in the Hostnames field of the SSL VPN Portal configuration page). Enter the user credentials, using an account already configured in AD. The browser then shows the page defined in the Look & Feel tab of the SSL VPN Portal.

By clicking Access to App1 it is possible to see the following screen (a basic HTML page hosted on an Apache web server) and the parameters configured earlier in the SSL VPN Portal Services settings. In this specific case the SMC is installed on the internal network, so you should also be able to browse to the SMC Management Client.

MONITORING AND LOGGING

It is possible to monitor logged-in users on a single engine via Server Management. To check them, go to Configuration, right-click the target engine and select Monitoring > SSL VPN. If additional information is needed for troubleshooting, you can use diagnostics logging: right-click the security engine and select Options > Diagnostics. Additional logging can be enabled for SSL VPN Portal, SSL VPN Session Manager and SSL VPN Tunnel, which makes it possible to track SSL VPN Portal HTTP transactions.