Firebox SSL VPN Gateway Administration Guide - WatchGuard ...

More documents

Recommendations

Info

Firebox SSL Overviewtined for the private network are transported over the virtualTCP circuit. The Firebox SSL is essentially acting as a low-levelpacket filter with encryption. It drops traffic which does nothave authentication or does not have permission for a particularnetwork.Feature SummaryMost of the features listed in the following table are implicitlysupported through the ability of the Firebox SSL to interceptevery network connection initiated on the client computer,whether TCP (connection-oriented applications) or UDP (voiceand video applications). The Secure Access client forwards all IPpackets over an SSL tunnel to the Firebox SSL based on dynamicallydetermined routing policies which are transparent to theremote user. The Firebox SSL retransmits these IP packets to theintended host.ApplicationsupportProtocolsupportPlatformsupportUnlike other VPN solutions, the Firebox SSL is applicationagnostic.The Firebox SSL operates more like an IPSec VPN thanan SSL VPN.Supports all applications (web, client-server, peer-to-peer, and realtime)without modification to the applications or DNS.Handles real-time traffic, such as voice (RTP/SIP), with minimalloss in performance.Supports IP.Supports PPPoE (Point-to-Point Protocol over Ethernet) and PPP.Supports Ethernet, including 802.11, and Remote Access Service(RAS) connections, including TCP, UDP, and Internet ControlMessage Protocol (ICMP).Supports computers running Windows 2000, Windows 2000Professional, Windows 2000 Server, Windows XP, Windows XPHome, Windows XP Professional, and all Linux 2.4 platforms(tested extensively with RedHat). Includes a client that supportscomputers, such as Macintosh, running Java Virtual Machine (JVM)version 1.4.2 or higher.4 Firebox SSL VPN Gateway Administration Guide
OverviewEase of use anddeploymentEase of use anddeployment(continued)VPN operationKiosk operationPerformanceAuthentication,authorization,and accesscontrolAutomatically updates the Secure Access client when a newversion is available on the Firebox SSL.The Secure Access client can go into a suspend state rather thantiming out so that the connection is always available and the userdoes not have to repeatedly log in. The Secure Access clientcontinues to run in memory even when the laptop or PC isdisconnected from the network. This functionality ensures securityover 802.11 networks without having to deploy and maintain aWEP environment.The Secure Access client can be configured for single sign-onoperation so that it starts automatically after a user logs in toWindows. A user’s Windows login credentials are passed to theFirebox SSL for authentication and then the VPN connection isautomatically established without user intervention. Windows loginscripts run after the VPN connection is established.Includes the option to use the default portal pages (Access Portal),to customize easy-to-use portal page templates, or to include linksto the clients directly on your website.Provides access to remote networks that have the samenumbering as the local subnet.Provides users with a desktop-like network experience. Throughthe VPN connection, users can:Map network drives just as they would from their in-officecomputer.Work with client applications, such as Microsoft Outlook or anyother application, in their native user interface. The remote userdoes not need to do any client application reconfiguration.VPN users can seamlessly access the Firebox SSL even if they arebehind another organization’s firewall.Provides, on a group basis, access to a private network from publiccomputers.Sends images, not data, to the kiosk. Because no temporary filesor cookies are downloaded to the remote computer, there is norisk of files remaining after the session.Opens a VNC-like window that is configurable by group. Optionalcomponents include a Mozilla browser window with a configurabledefault URL, network shares, and icons that provide one-clickaccess to Remote Desktop, VNC, Telnet 3270 emulator, SSH, andCitrix ICA clients.Supports up to 205 tunnelsProvides throughput of 75 MB per second.Supports HTTP 401 Basic, Digest, and Windows DomainAuthentication and RADIUS, LDAP, and RSA SecurID authenticationservers. User accounts can also be defined on the Firebox SSL.Supports realm-based authentication so that a single Firebox SSLcan be used with multiple authentication servers.Supports LDAP or local user group authorization.Provides access control through the association of resources touser groups.Firebox SSL VPN Gateway Administration Guide 5
Page 1 and 2: WatchGuard ® Firebox SSL VPNGatewa
Page 5 and 6: Using the Telnet 3270 Emulator Clie
Page 7 and 8: CHAPTER 1Firebox SSL OverviewThe Wa
Page 9: OverviewAs shown in the following i
Page 13 and 14: OverviewNOTEThe portal page is cust
Page 15 and 16: Firebox SSL Operationthe packets an
Page 17 and 18: Firebox SSL OperationTarget servers
Page 19 and 20: Kiosk Operationthe second tunnel’
Page 21 and 22: Kiosk OperationSSH, Telnet 3270 emu
Page 23 and 24: CHAPTER 2Administering theFirebox S
Page 25 and 26: Using the Firebox SSL Remote Admin
Page 27 and 28: Using the Administration Toolpreced
Page 29 and 30: Using the Serial ConsoleUsing the S
Page 31 and 32: Supporting Secure Access UsersWhen
Page 33 and 34: Supporting Secure Access Users•
Page 35 and 36: Generating a Secure Certificate for
Page 41 and 42: Unencrypting the Private KeyTo unen
Page 43 and 44: Unencrypting the Private KeyTo comb
Page 45 and 46: Blocking External Access to the Adm
Page 47 and 48: Viewing and Changing the System Dat
Page 49 and 50: Saving and Restoring the Configurat
Page 51 and 52: Managing VPN ConnectionsTo save the
Page 53 and 54: Managing VPN Connectionstion to the
Page 55 and 56: Restarting the Firebox SSLThe user
Page 57 and 58: CHAPTER 3Working with a VPNConnecti
Page 59 and 60: Using the Access PortalIf you conne
Page 61 and 62:
Using the Access PortalNOTEThe Linu
Page 63 and 64:
Connecting from a Private ComputerN
Page 65 and 66:
Connecting from a Private ComputerI
Page 67 and 68:
Connecting from a Public Computer (
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
CHAPTER 4Configuring FireboxSSL Net
Page 79 and 80:
Configuring Network InterfacesFor m
Page 81 and 82:
Configuring RoutesBy default, the F
Page 83 and 84:
Configuring Routes5 Click Submit.Dy
Page 85 and 86:
Configuring RoutesFigure 4: Buildin
Page 87 and 88:
CHAPTER 5Configuring FireboxSSL Ope
Page 89 and 90:
Configuring Authentication, Authori
Page 91 and 92:
Using a Local User List for Authent
Page 93 and 94:
Using a Local User List for Authent
Page 95 and 96:
Using RADIUS Servers for Authentica
Page 97 and 98:
Using LDAP Servers for Authenticati
Page 99 and 100:
Using LDAP Servers for Authenticati
Page 101 and 102:
Using RSA SecurID for Authenticatio
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Adding Local UsersTo create a user
Page 109 and 110:
Controlling Network AccessBy defaul
Page 111 and 112:
Controlling Network Access10.10.0.0
Page 113 and 114:
Controlling Network AccessDenying A
Page 115 and 116:
Customizing VPN Portal PagesThe oth
Page 117 and 118:
Customizing VPN Portal Pagesappropr
Page 119 and 120:
Customizing VPN Portal PagesAn imag
Page 121 and 122:
Customizing VPN Portal Pages2 Clear
Page 123 and 124:
Configuring Host Check Rules2 Speci
Page 125 and 126:
Configuring Network Shares for Kios
Page 127 and 128:
Adding and Configuring User GroupsN
Page 129 and 130:
Adding and Configuring User Groups3
Page 131 and 132:
Adding and Configuring User Groupst
Page 133 and 134:
Adding and Configuring User GroupsT
Page 135 and 136:
Adding and Configuring User GroupsV
Page 137 and 138:
Adding and Configuring User GroupsE
Page 139 and 140:
Adding and Configuring User Groupsp
Page 141 and 142:
Enabling Split DNSTo enable split t
Page 143 and 144:
Configuring Internal Failover2 Ente
Page 145 and 146:
Forcing VPN User Re-login2 Under Fo
Page 147 and 148:
Configuring Secure Access for Singl
Page 149 and 150:
APPENDIX ALogging, Monitoring,and T
Page 151 and 152:
Viewing and Downloading System Mess
Page 153 and 154:
Enabling and Viewing SNMP Logs2 Ent
Page 155 and 156:
Viewing System StatisticsViewing Sy
Page 157 and 158:
Monitoring Firebox SSL OperationsFi
Page 159 and 160:
Recovering from a Crash of the Fire
Page 161 and 162:
TroubleshootingThe Firebox SSL does
Page 163 and 164:
APPENDIX BLegal and CopyrightInform
Page 165 and 166:
it clear that any patent must be li
Page 167 and 168:
works. But when you distribute the
Page 169 and 170:
6. Each time you redistribute the P
Page 171 and 172:
11. BECAUSE THE PROGRAM IS LICENSED
Page 173 and 174:
This is free software, and you are
Page 175 and 176:
IndexAaccess control, see ACL and u
Page 177 and 178:
EEthereal Network Analyzer 151Ether
Page 179 and 180:
networks accessible to Gateway 103d
Page 181 and 182:
TTelnet 3270 Emulator client 67enab
show all

Firebox SSL VPN Gateway Administration Guide - WatchGuard ...

Create successful ePaper yourself

Delete template?

Save as template?