Information in this guide is subject to change without notice. Companies, names, and data used in examples
herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the express written permission of
WatchGuard Technologies, Inc.
the WatchGuard website that is used herein are registered trademarks or trademarks of WatchGuard
Technologies, Inc. in the United States and/or other countries.
Citrix is a registered trademark of Citrix Systems, Inc in the U.S.A. and other countries.
Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
All other trade names referred to are the Servicemark, Trademark, or Registered Trademark of the respective
manufacturers.
The Firebox SSL VPN Gateway software is distributed with source code covered under the GNU
General Public License (GPL). To obtain source code covered under the GPL, please contact WatchGuard
Technical Support at:
877.232.3531 in the United States and Canada
+1.206.613.0456 in all other countries
This source code is free to download. There is a $35 charge to ship the CD.
See Appendix E, “Legal and Copyright Information” on page 173 of this guide for the complete text of the
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
SUPPORT:
www.watchguard.com/support
support@watchguard.com
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
SALES:
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.521.8340
ABOUT WATCHGUARD
WatchGuard is a leading provider of network security solutions for small- to midsized enterprises worldwide, delivering integrated products and services that are
robust as well as easy to buy, deploy and manage. The company’s Firebox X family of
expandable integrated security appliances is designed to be fully upgradeable as an
organization grows and to deliver the industry’s best combination of security,
performance, intuitive interface and value. WatchGuard Intelligent Layered Security
architecture protects against emerging threats effectively and efficiently and provides
the flexibility to integrate additional security functionality and services offered
through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity
Service subscription to help customers stay on top of the security landscape with
vulnerability alerts, software updates, expert security instruction and superior
customer care. For more information, please call (206) 521-8340 or visit
www.watchguard.com.
ii Firebox SSL VPN Gateway
Contents
CHAPTER 1 Getting Started with Firebox SSL VPN Gateway .................................................... 1
LiveSecurity Service Solutions ............................................................................................................ 2
LiveSecurity Service Broadcasts ......................................................................................................... 3
Activating LiveSecurity Service .......................................................................................................... 4
LiveSecurity Service Self Help Tools ................................................................................................. 4
WatchGuard Users Forum ..................................................................................................................... 5
Online Help ................................................................................................................................................ 6
Technical Support ................................................................................................................................... 6
LiveSecurity Service technical support ............................................................................................. 6
New Features .......................................................................................................................................... 11
Authentication and one-time passwords ......................................................................................11
New versions of the Secure Access Client ....................................................................................... 11
Features .....................................................................................................................................................13
Global policies .....................................................................................................................................96
Configuring Resources for a User Group ....................................................................................... 96
Adding Users to Multiple Groups .....................................................................................................98
Allowing and denying network resources and application policies .........................................98
Troubleshooting the Web Interface ...............................................................................................143
Other Issues ........................................................................................................................................144
APPENDIX B Using Firewalls with Firebox SSL VPN Gateway ...............................................149
BlackICE PC Protection ......................................................................................................................150
McAfee Personal Firewall Plus .........................................................................................................150
Norton Personal Firewall ...................................................................................................................151
Sygate Personal Firewall (Free and Pro Versions) .....................................................................151
Tiny Personal Firewall .........................................................................................................................151
ZoneAlarm Pro ......................................................................................................................................152
APPENDIX C Installing Windows Certificates ...............................................................................153
To install Cygwin ...............................................................................................................................153
Unencrypting the Private Key .........................................................................................................154
To unencrypt the private key ..........................................................................................................154
Converting to a PEM-Formatted Certificate ...............................................................................155
To convert the certificate from PKCS7 to PEM format ...............................................................155
Combining the Private Key with the Signed Certificate ........................................................155
To combine the private key with the signed certificate .............................................................156
Generating Trusted Certificates for Multiple Levels ................................................................156
To generate trusted certificates for multiple levels .....................................................................156
APPENDIX D Examples of Configuring Network Access .........................................................159
Scenario 1: Configuring LDAP Authentication and Authorization ....................................160
Preparing for the LDAP Authentication and Authorization Configuration ..........................160
Configuring the Firebox SSL VPN Gateway to Support Access to the Internal Network
Scenario 2: Creating Guest Accounts Using the Local Users List ........................................169
Creating a Guest User Authentication Realm .............................................................................170
Creating Local Users .........................................................................................................................171
Creating and Assigning a Network Resource to the Default User Group ..............................171
Scenario 3: Configuring Local Authorization for Local Users ..............................................172
APPENDIX E Legal and Copyright Information ............................................................................173
CHAPTER 1 Getting Started with Firebox SSL VPN Gateway
This chapter describes who should read the Firebox SSL VPN Gateway Administration Guide, how it is
organized, and its document conventions.
Audience
This user guide is intended for system administrators responsible for installing and configuring the Firebox SSL VPN Gateway. This document assumes that the Firebox SSL VPN Gateway is connected to an
existing network and that the administrator has experience configuring that network.
Operating System Requirements
The Firebox SSL VPN Gateway Administration Tool and Secure Access Client software can run on the following operating systems:
• Windows 2000 Professional
• Windows 2000 Server
• Windows XP Home Edition
• Windows XP Professional
• Windows Server 2003
• Windows Vista 32-bit
• Linux 2.4 platforms (all distributions)
Document Conventions
Firebox SSL VPN Gateway documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:
Convention: Meaning
Boldface: Commands, names of interface items such as text boxes, option buttons, and user input.
Italics: Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics also are used for new terms and the titles of books.
%SystemRoot%: The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or other name you specify when you install Windows.
Monospace: Text displayed in a text file.
{ braces }: A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.
[ brackets ]: Optional items in command statements. For example, [/ping] means that you can type /ping with the command. Do not type the brackets themselves.
| (vertical bar): A separator between items in braces or brackets in command statements. For example, { /hold | /release | /delete } means you type /hold or /release or /delete.
… (ellipsis): You can repeat the previous item or items in command statements. For example, /route:devicename[,…] means you can type additional devicenames separated by commas.
LiveSecurity Service Solutions
The number of new security problems and the volume of information about network security continue
to increase. We know that a firewall is only the first component in a full security solution. The WatchGuard® Rapid Response Team is a dedicated group of network security personnel who can help you to
control the problem of too much security information. They monitor the Internet security web sites to
identify new security problems.
Threat responses, alerts, and expert advice
After a new threat is identified, the WatchGuard Rapid Response Team sends you an e-mail to tell you
about the problem. Each message gives full information about the type of security problem and the
procedure you must use to make sure that your network is safe from attack.
Easy software updates
LiveSecurity® Service saves you time because you receive an e-mail when we release a new version of
your software. These continued updates make sure that you do not have to use your time to find new
software.
Access to technical support and training
You can find information about your WatchGuard products quickly with our many online resources. You
can also speak directly to one of the WatchGuard technical support personnel. Use our online training to
learn more about your WatchGuard Firebox® and network security, or find a WatchGuard Certified Training Center in your area.
LiveSecurity Service Broadcasts
The WatchGuard® Rapid Response Team regularly sends messages and software information directly to
your computer desktop by e-mail. We divide the messages into categories to help you to identify and
make use of incoming information immediately.
Information Alert
Information Alerts give you a fast view of the newest information and threats to Internet
security. The WatchGuard Rapid Response Team frequently recommends that you make a
security policy change to protect against the new threat. When necessary, the Information Alert
includes instructions on the procedure.
Threat Response
If a new security threat makes it necessary, the WatchGuard Rapid Response Team transmits a
software update for your Firebox®. The Threat Response includes information about the security
threat and instructions on how to download a software update and install it on your Firebox
and management station.
Software Update
When necessary, WatchGuard updates the WatchGuard System Manager software. Product
upgrades can include new features and patches. When we release a software update, you get
an e-mail with instructions on how to download and install your upgrade.
Editorial
Each week, top network security personnel come together with the WatchGuard Rapid
Response Team to write about network security. This continuous supply of information can help
your network be safe and secure.
Foundations
The WatchGuard Rapid Response Team also writes information specially for security
administrators, employees, and other personnel that are new to this technology.
Loopback
At the end of each month LiveSecurity® Service sends you an e-mail with a summary of the
information sent that month.
Support Flash
These short training messages can help you to operate WatchGuard products. They are an
added resource to the other online resources:
• Online Help
• FAQs
• Known Issues pages on the Technical Support web site
Virus Alert
WatchGuard has come together with antivirus vendor McAfee to give you the most current
information about computer viruses. Each week, we send you a message with a summary of the
virus traffic on the Internet. When a hacker releases a dangerous virus on the Internet, we send
a special virus alert to help you protect your network.
New from WatchGuard
When WatchGuard releases a new product, we first tell you — our customers. You can learn
about new features and services, product upgrades, hardware releases, and promotions.
Activating LiveSecurity Service
You can activate LiveSecurity® Service through the activation section of the LiveSecurity web pages.
To activate LiveSecurity Service, you must enable JavaScript on your browser.
To activate LiveSecurity Service through the Internet:
1 Make sure that you have your Firebox® serial number. This is necessary during the LiveSecurity
activation procedure.
• You can find the Firebox serial number on a label on the rear side of the Firebox below the
Universal Product Code (UPC), or on a label on the bottom of the Firebox.
• The license key numbers for LiveSecurity and LiveSecurity Tunnel Renewals are on the
WatchGuard LiveSecurity License Key certificate. Make sure that you enter the license key in
all capital letters and include hyphens.
2 Use your web browser to go to:
www.watchguard.com/account/register.asp
The Account page appears.
3 Complete the LiveSecurity Activation page. Use the TAB key or the mouse to move through the
fields on the page.
You must complete all the fields to activate correctly. This information helps WatchGuard to send you the
information and software updates that are applicable to your products.
4 Make sure that your e-mail address is correct. Your LiveSecurity e-mails about product updates and
threat responses come to this address. After you complete the procedure, you get an e-mail
message that tells you that you activated LiveSecurity Service successfully.
5 Click Register.
Note
LiveSecurity Service Self Help Tools
Online Self Help Tools enable you to get the best performance from your WatchGuard® products.
Note
You must activate LiveSecurity® Service before you can access online resources.
Instant Answers
Instant Answers is a guided Help tool designed to give solutions to product questions very
quickly. Instant Answers asks you questions and then gives you the best solution based on
the answers you give.
Basic FAQs
The Basic FAQs (frequently asked questions) give you general information about the Firebox®
and the WatchGuard System Manager software. They are written for the customer who is new
to network security and to WatchGuard products.
Advanced FAQs
The Advanced FAQs (frequently asked questions) give you important information about
configuration options and operation of systems or products. They add to the information you
can find in this User Guide and in the Online Help system.
Fireware® “How To”’s
The Fireware How To documentation helps you to quickly find procedures for configuration
tasks specific to Fireware appliance software.
Known Issues
This Known Issues tool monitors WatchGuard product problems and software updates.
WatchGuard Users Forum
The WatchGuard Technical Support team operates a web site where customers can help each
other with WatchGuard products. Technical Support monitors this forum to make sure you get
accurate information.
Online Training
Browse to the online training section to learn more about network security and WatchGuard
products. You can read training materials and get a certification in WatchGuard products. The
training includes links to a wide range of documents and web sites about network security. The
training is divided into parts, which lets you use only the materials you feel necessary. To learn
more about online training, browse to:
www.watchguard.com/training/courses_online.asp
Learn About
Learn About is a list of all resources available for a specified product or feature. It is a site map
for the feature.
Product Documentation
The WatchGuard web site has a copy of each product user guide, including user guides for
software versions that are no longer supported. The user guides are in .pdf format.
General Firebox X Edge and Firebox SOHO Resources
This section of the web site shows basic information and links for Firebox X Edge and Firebox
SOHO customers. It can help you to install and use the Firebox X Edge and SOHO hardware.
To get access to the LiveSecurity Service Self Help Tools:
1 Start your web browser. In the address bar, type:
http://www.watchguard.com/support
2 Click Self Help Tools.
You must log in.
3 Click your selection.
WatchGuard Users Forum
The WatchGuard® Users Forum is an online group. It lets users of WatchGuard products interchange
product information about:
• Configuration
• Connecting WatchGuard products and those of other companies
• Network policies
This forum has different categories that you can use to look for information. The Technical Support team
controls the forum during regular work hours. You do not get special help from Technical Support when
you use the forum. To contact Technical Support directly from the web, log in to your LiveSecurity
account. Click on the Incidents link to send a Technical Support incident.
Using the WatchGuard Users Forum
To use the WatchGuard Users Forum you must first create an account. Browse to http://www.watchguard.com/forum for instructions.
Online Help
Online Help for the Firebox SSL VPN Gateway is included in the application software. It is available in the
pane on the left side of your application window.
Product Documentation
We copy all user guides to the web site at http://www.watchguard.com/help/documentation.
Technical Support
Your LiveSecurity® Service subscription includes technical support for the WatchGuard® System Manager software and Firebox® hardware. To learn more about WatchGuard Technical Support, browse to
the WatchGuard web site at:
http://www.watchguard.com/support
You must activate LiveSecurity Service before you can get technical support.
LiveSecurity Service technical support
All new Firebox products include the WatchGuard LiveSecurity Technical Support Service. You can speak
with a member of the WatchGuard Technical Support team when you have a problem with the installation, management, or configuration of your Firebox.
Hours
WatchGuard LiveSecurity Technical Support operates from 6:00 AM to 6:00 PM in your local
time zone, Monday through Friday.
Note
Telephone number
877.232.3531 (select option #2) in United States and Canada
+1.206.613.0456 in all other countries
Web site
http://www.watchguard.com/support
Service time
We try for a maximum response time of four hours.
Single Incident Priority Response Upgrade (SIPRU) and Single Incident After Hours Upgrade (SIAU) are
also available. For more data about these upgrades, refer to the WatchGuard web site at:
http://www.watchguard.com/support
LiveSecurity Gold
WatchGuard Gold LiveSecurity Technical Support adds to your standard LiveSecurity Service. We recommend that you get this upgrade if you use the Internet or VPN tunnels for most of your work.
With WatchGuard Gold LiveSecurity Technical Support you get:
• Technical support 24 hours a day, seven days a week, including holidays.
• The Technical Support Team operates the support center from 7 PM Sunday to 7 PM Friday
(Pacific Time). For weekend support for critical problems, use the on-call paging system.
• We try for a maximum response time of one hour.
• To create a support incident, call WatchGuard LiveSecurity Technical Support. A Customer Care
representative records the problem and gives you an incident number. A Priority Support
technician calls you as quickly as possible. If you have a critical problem when the support center
is not open, use the LiveSecurity Technical Support phone number to page a technician.
You can also send an incident on the web site at: http://www.watchguard.com/support/
incidents/newincident.asp.
Firebox Installation Service
WatchGuard Remote Firebox Installation Service helps you to install and configure your Firebox. You can
schedule two hours with a WatchGuard Technical Support team member. The technician helps you to:
• Do an analysis of your network and security policy
• Install the WatchGuard System Manager software and Firebox hardware
• Align your configuration with your company security policy
This service does not include VPN installation.
VPN Installation Service
WatchGuard Remote VPN Installation Service helps you through a full VPN installation. You can schedule a two-hour time with one of the WatchGuard Technical Support team. During this time, the technician helps:
• Do an analysis of your VPN policy
• Configure your VPN tunnels
• Do a test of your VPN configuration
You can use this service after you correctly install and configure your Firebox devices.
Training and Certification
WatchGuard® product training is available online to help you learn more about network security and
WatchGuard products. You can find training materials on the Technical Support web site and prepare for
a certification exam. The training materials include links to books and web sites with more information
about network security.
WatchGuard product training is also available at a location near you through a large group of WatchGuard Certified Training Partners (WCTPs). Training partners give training using certified training materials and with WatchGuard hardware. You can install and configure the products with an advanced
instructor and system administrator to help you learn. To find a training partner, go to
WatchGuard Firebox SSL VPN Gateway is a universal Secure Socket Layer (SSL) virtual private network
(VPN) appliance that provides a secure single point-of-access to any information resource — both data
and voice. Combining the best features of Internet Protocol Security (IPSec) and SSL VPN, without the
costly and cumbersome implementation and management, Firebox SSL VPN Gateway works through
any firewall and supports all applications and protocols. It is fast, simple, and cost-effective to deploy
and maintain with a Web-deployed and automatically updating client. Users receive a consistent desk-like user experience with “always-on” connectivity, an integrated worm-blocking client, and integrated
end-point scanning. With the Firebox SSL VPN Gateway, organizations can quickly and easily deploy one
product for all of their secure remote access needs.
The Firebox SSL VPN Gateway gives the remote user seamless, secure access to authorized applications
and network resources. Remote users can work with files on network drives, email, intranet sites, and
applications just as if they are working inside of their organization’s firewall.
The Firebox SSL VPN Gateway also provides kiosk mode, which opens a virtual network computing-like
connection to the Firebox SSL VPN Gateway. Kiosk mode can include shared network drives, a variety of
built-in clients, servers running Windows Terminal Services (Remote Desktop), and client applications.
The following topics provide an overview to the Firebox SSL VPN Gateway:
• Overview
• New Features
• The User Experience
• Deployment and Administration
• Using the Firebox SSL VPN Gateway
• Using Kiosk Mode
Overview
The Firebox SSL VPN Gateway is typically installed in the network demilitarized zone (DMZ) between the
public and private networks. Placing the Firebox SSL VPN Gateway in front of the private network protects internal server and IT resources. The Firebox SSL VPN Gateway can also partition internal local area
networks for access control and security between any two networks, such as wired/wireless and data/
voice networks.
As shown in the following illustration, the Firebox SSL VPN Gateway is appropriate for employees
accessing the organization remotely and intranet access from restricted LANs such as wireless networks.
Network topography showing the Firebox SSL VPN Gateway in the DMZ.
The following illustration shows how the Firebox SSL VPN Gateway creates a secure virtual TCP circuit
between the client computer running the Secure Access Client and the Firebox SSL VPN Gateway.
Network topology showing the TCP circuit.
The virtual TCP circuit uses industry-standard Secure Socket Layer (SSL) and Transport Layer Security
(TLS) encryption. All packets destined for the private network are transported over the virtual TCP circuit. The Firebox SSL VPN Gateway essentially acts as a low-level packet filter with encryption: it
drops traffic that is not authenticated or that does not have permission for a particular network.
The Firebox SSL VPN Gateway opens up the following ports:
• Port 443 is opened for VPN network traffic
• Ports 9001 and 9002 are opened for administrator traffic for the Administration Portal and
Administration Tool
The first time the Firebox SSL VPN Gateway is started, use the Firebox SSL VPN Gateway Administration
Tool to configure the basic settings that are specific to your corporate network, such as the IP address,
subnet mask, default gateway IP address, and DNS address. After you complete the basic connection,
you then configure the settings specific to Firebox SSL VPN Gateway operation, such as the options for
authentication, authorization, and group-based access control, kiosk mode, end point resources and
policies, portal pages, and IP pools.
New Features
The v5.5 software update for the Firebox SSL Core VPN Gateway includes the following new features:
Authentication and one-time passwords
You can configure the Firebox SSL VPN Gateway to prevent caching of one-time passwords, such as
those used by RSA SecurID. When this feature is enabled, it prevents users from being locked out of
their accounts in the event of a network interruption.
New versions of the Secure Access Client
There is a new version of the Secure Access Client for Windows Vista. This version of the Secure Access
Client is installed with the same ease-of-use as other versions of the Secure Access Client.
Configurable symmetric encryption ciphers
You can select the specific cipher that the Firebox SSL VPN Gateway uses for symmetric data encryption
on an SSL connection. You can select one of these three encryption ciphers:
In this release, the Secure Access Client automatically detects the proxy server settings specified in the
operating system and when users are using Internet Explorer. Proxy server settings specified in proxy
autoconfiguration files are not supported.
Secure Access Client connections
The Secure Access Client included in this release can connect to earlier versions of the Firebox SSL VPN
Gateway. Also, earlier versions of the Secure Access Client can connect to this release of the Firebox SSL
VPN Gateway if enabled on the Global Cluster Policies tab.
Automatic port redirection
You can configure the Firebox SSL VPN Gateway so that any insecure HTTP connection attempt on port
80 is automatically redirected by the Firebox SSL VPN Gateway to a secure HTTPS connection attempt
on port 443 (or other administrator-specified port).
Disable desktop sharing
You can disable the desktop sharing feature of the Secure Access Client for a user group. The Secure
Access Client desktop sharing feature allows a user to view a list of all other users who are logged on. If
this capability causes privacy concerns for your organization, you can disable the desktop sharing feature to prevent a specific group of users from viewing the list of online users.
Additional control over Secure Access Client connections
You can configure the Secure Access Client to disconnect from the Firebox SSL VPN Gateway if there is
no user activity on the connection for a specific time interval. You can also force a client disconnection if
the connection remains active for a specific time interval or if the Firebox SSL VPN Gateway does not
detect keyboard or mouse activity.
Disable kiosk mode
In this release, you can disable kiosk mode for client connections. When kiosk mode is disabled, users do
not see the kiosk link on the Web portal page. Users are only allowed to log on using the full Secure
Access Client.
Specify multiple ports and port ranges for network resources
This release allows you to configure port ranges. You have four options when configuring the ports the
Firebox SSL VPN Gateway uses to connect to internal network resources. You can specify a single port,
multiple individual ports, a range of ports, or all ports.
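The port options above, together with the packet-filter behaviour described in the Overview (unauthenticated traffic and traffic to networks a user has no permission for is dropped), can be modelled as a small reference policy evaluator. This is an added example, not WatchGuard code: the port-specification syntax ("80", "80,443", "3389-3390", "*"), the resource and group names, and the rule that a deny entry wins over an allow entry are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# Inclusive port range used for the "all ports" option.
ALL_PORTS: Tuple[int, int] = (1, 65535)


def parse_port_spec(spec: str) -> List[Tuple[int, int]]:
    """Parse a resource port specification into inclusive (low, high) ranges.

    Accepted forms (assumed syntax for this example): a single port "80",
    several ports "80,443", a range "3389-3390", any comma-separated mix of
    those, or "*" for all ports.
    """
    spec = spec.strip()
    if spec == "*":
        return [ALL_PORTS]
    ranges: List[Tuple[int, int]] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty item in port specification {spec!r}")
        low_s, _, high_s = item.partition("-")
        low = int(low_s)
        high = int(high_s) if high_s else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port range {item!r}")
        ranges.append((low, high))
    return ranges


def port_allowed(spec: str, port: int) -> bool:
    """True if the port falls inside any range of the specification."""
    return any(low <= port <= high for low, high in parse_port_spec(spec))


@dataclass(frozen=True)
class NetworkResource:
    """An internal network resource: a subnet plus the ports reachable on it."""
    name: str
    network: str   # CIDR notation, e.g. "10.0.5.0/24"
    ports: str     # port specification, see parse_port_spec()
    protocol: str = "tcp"

    def matches(self, dst_ip: str, dst_port: int, protocol: str) -> bool:
        if protocol != self.protocol:
            return False
        if ip_address(dst_ip) not in ip_network(self.network):
            return False
        return port_allowed(self.ports, dst_port)


@dataclass
class GroupPolicy:
    """Per-group resource policy: each resource is allowed or denied for a group."""
    resources: Dict[str, NetworkResource]
    allowed: Dict[str, List[str]]   # group name -> resource names allowed
    denied: Dict[str, List[str]]    # group name -> resource names denied

    def decide(self, groups: Iterable[str], dst_ip: str, dst_port: int,
               protocol: str = "tcp", authenticated: bool = True) -> Tuple[str, str]:
        """Return ("accept" | "drop", reason) for one packet on the circuit.

        Unauthenticated traffic is dropped, as is traffic to a destination no
        resource in the user's groups permits (default deny). A deny entry in
        any of the user's groups wins over an allow entry (assumption).
        """
        if not authenticated:
            return ("drop", "connection not authenticated")
        verdict = ("drop", "no resource permits this destination")
        for group in groups:
            for name in self.denied.get(group, []):
                if self.resources[name].matches(dst_ip, dst_port, protocol):
                    return ("drop", f"resource {name!r} denied for group {group!r}")
            for name in self.allowed.get(group, []):
                if self.resources[name].matches(dst_ip, dst_port, protocol):
                    verdict = ("accept", f"resource {name!r} allowed for group {group!r}")
        return verdict


# Constructed sample policy (not taken from the guide): three groups, three resources.
SAMPLE_POLICY = GroupPolicy(
    resources={
        "intranet-web": NetworkResource("intranet-web", "10.0.5.0/24", "80,443"),
        "rdp-farm": NetworkResource("rdp-farm", "10.0.7.0/24", "3389-3390"),
        "file-servers": NetworkResource("file-servers", "10.0.9.0/24", "*"),
    },
    allowed={"Default": ["intranet-web"], "Helpdesk": ["rdp-farm", "file-servers"]},
    denied={"Contractors": ["file-servers"]},
)


if __name__ == "__main__":
    for groups, ip, port in [(["Default"], "10.0.5.10", 443),
                             (["Default"], "10.0.7.20", 3389),
                             (["Helpdesk", "Contractors"], "10.0.9.3", 445)]:
        print(groups, ip, port, "->", SAMPLE_POLICY.decide(groups, ip, port))
```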
Voice over IP softphone support
The Firebox SSL VPN Gateway supports voice over IP softphones from Avaya, Nortel, and Cisco.
Editable HOSTS file
You can edit the HOSTS file on the Firebox SSL VPN Gateway from the user interface of the Administration Tool. The Firebox SSL VPN Gateway uses the HOSTS file in conjunction with DNS servers to force
DNS resolution to translate host names to IP addresses.
NTLM authentication and authorization support
If your environment includes Windows NT 4.0 domain controllers, the Firebox SSL VPN Gateway can
authenticate users against the user domain accounts maintained on the Windows NT server. The Firebox SSL VPN Gateway can also authorize users to access internal network resources based on a user’s
group memberships on the Windows NT 4.0 domain controller.
Added challenge-response to RADIUS user authentication
The Access Gateway now supports challenge-response token authentication with new PIN and next
token modes when RSA SecurID authentication is used with RADIUS.
SafeWord PremierAccess changed to support standards-based RADIUS token user authentication
The proprietary PremierAccess configuration file has been removed and replaced with RADIUS server
support. Legacy SafeWord PremierAccess realms are converted when the Firebox SSL VPN Gateway is
upgraded to Version 5.5. SafeWord authentication is configured using RADIUS-style parameters.
Updated serial console menu
There are new menu items on the serial console allowing you to change the Firebox SSL VPN Gateway
administrator password, set the duplex mode and network adapter speed, and revert to the default certificate that comes with the Firebox SSL VPN Gateway.
Enhanced End-point and application access policies
Features
Administration Tool
The Firebox SSL VPN Gateway provides the Administration Tool to configure all of the settings for one or
more Firebox SSL VPN Gateway appliances. If you have more than one Firebox SSL VPN Gateway
installed, you can configure the settings once and then publish them to all of the appliances.
The Administration Tool is downloaded from the Firebox SSL VPN Gateway Administration Portal and
installed on a Windows computer that is located in the secure network. A desktop icon allows you to
start the Administration Tool without going to the Administration Portal.
The following sections describe the Administration Tool and where to configure the settings.
Networking, Logging, and Administration
Whether you deploy one or more appliances, basic administration of each Firebox SSL VPN Gateway is
done using the VPN Gateway Cluster tab. This includes:
• Network configuration
• Logging
• Administration
• Statistics
• Licensing
• Date and time configuration
• Certificate generation and installation
• Restarting and shutting down the Firebox SSL VPN Gateway
• Saving and reinstalling configuration settings
Note
If the Firebox SSL VPN Gateway is upgraded to Version 5.5 from an earlier version, you must uninstall
and then reinstall the latest Administration Tool. You can uninstall the earlier version of the
Administration Tool using Add/Remove Programs in Control Panel.
User Groups, Local Users, and Resources
User groups, local users, and policies are configured on the Access Policy Manager tab. On this tab, you
can configure the following:
• Network resources
• Application policies
• File sharing
• Kiosk resources
• End point resources and policies
• Local users
Authentication and Authorization
Authentication and authorization are configured on the Authentication tab.
Double-source authentication (also known as two-factor authentication) is new for this release of the
Firebox SSL VPN Gateway.
Firebox SSL VPN Gateway Settings
The following table maps the Firebox SSL VPN Gateway settings.
Note
To configure group settings on the Access Policy Manager tab, right-click a group and then click

Feature                                    Firebox SSL VPN Gateway
(not on this page)                         Access Policy Manager > User Groups > Properties > General
(not on this page)                         Access Policy Manager > User Groups > Properties > General
(not on this page)                         Access Policy Manager > User Groups > Properties > General
(not on this page)                         Access Policy Manager > User Groups > Properties > General
(not on this page)                         Access Policy Manager > User Groups > Properties > General
(not on this page)                         Access Policy Manager > User Groups > Properties > General
(not on this page)                         Access Policy Manager > User Groups > Properties > Networking
(not on this page)                         Access Policy Manager > User Groups > Properties > Networking
(not on this page)                         Access Policy Manager > User Groups > Properties > Gateway Portal
(not on this page)                         Access Policy Manager > User Groups > Properties > Gateway Portal
(not on this page)                         Access Policy Manager > User Groups > Properties > Gateway Portal
Use SSL/TLS                                (not on this page)
Local Group Users                          Access Policy Manager > User Groups > Properties > Members
Client Certificate Criteria Expression     Access Policy Manager > User Groups > Properties > Client Certificates
Network Resource Groups                    Access Policy Manager > Network Resources
Application Policies                       Access Policy Manager > Application Policies
File Share Resources                       Access Policy Manager > File Share Resources
Kiosk Resources and Policies               Access Policy Manager > Kiosk Resources
End Point Resource and Policies            Access Policy Manager > End Point Resources
                                           Access Policy Manager > End Point Policies
Pre-Authentication Policies                Access Policy Manager > Global Policies
Portal Page Configuration                  Portal Page Configuration
Group Priority                             Group Priority
Publish                                    Publish

Feature Summary
The following are key Firebox SSL VPN Gateway features:
• Universal SSL VPN. Supports all applications and protocols that improve productivity by
providing users with access to the applications and resources they need, without the need for
customization or converting the content for Web access.
• Standards-based security. Information is kept private and protected using industry standard SSL/
TLS encryption. Users are authenticated using standards such as LDAP, RADIUS, double-source
authentication, and client and server certificates.
• Web-deployed client. There is no need to preinstall or manage complex client software, reducing
the cost of ownership. (Note that a user must have Administrator access on the Windows
computer to install the client from the Web.)
• Desk-like access. Users receive the same network experience and application access as if
physically connected to the corporate network.
• Always-on access. Automatically reconnects users to the appliance as soon as the network
connection is restored. Reduces user frustration when using public networks, such as wireless
connections in hotels or airports.
• Integrated end-point scanning. Ensures that the computer meets corporate standards to connect
and remains safe for connection to the network.
• Hides internal IP addresses. There is no IP stack or routing table entry, so internal IP addresses are
hidden, reducing the threat of worms propagating.
The User Experience
The Firebox SSL VPN Gateway provides users with the desk-like network experience that they have with
an IPSec VPN, but does so without any need to pre-install or configure a client. The user starts the
Secure Access Client by typing a secure Web address in a standard Web browser and providing authentication credentials.
Because the Firebox SSL VPN Gateway encrypts traffic using standard SSL/TLS, it can traverse firewalls
and proxy servers, regardless of the client location. For a more detailed description of the user experience, see “Connecting from a Private Computer” on page 119.
The following illustration shows the Windows version of the Access Portal.
[Figure: Connecting to the Firebox SSL Access Portal.]
The Firebox SSL Access Portal can be customized. For more information, see “Using Portal Pages” on
page 38. You can also include a link to the clients on a Web site. For more information, see “Linking to
Clients from Your Web Site” on page 41.
After a successful logon, the user can work with network shares and use applications just as if the user
were sitting in the office.
Deployment and Administration
The Firebox SSL VPN Gateway is quick and easy to deploy and simple to administer. The most typical
deployment configuration is to locate the Firebox SSL VPN Gateway behind your firewall or in the demilitarized zone (DMZ). More complex deployments, such as with a server load balancer, are also supported and described in this chapter.
The first time the Firebox SSL VPN Gateway is started, use the Firebox SSL VPN Gateway Administration
Tool to configure the basic settings that are specific to your corporate network, such as the Firebox SSL
VPN Gateway IP address, subnet mask, default gateway IP address, and DNS address. After you complete
the basic connection, you then configure the settings specific to Firebox SSL VPN Gateway operation,
such as the options for authentication, authorization, and group-based access control; kiosk mode; end
point resources and policies; portal pages; and IP pools.
Firebox SSL VPN Gateway monitoring is performed through the Firebox SSL VPN Gateway Administration Desktop, providing access to a variety of standard network monitoring tools, including Ethereal
Network Monitor, xNetTools, Traceroute, fnetload, and System Monitor. The Firebox SSL VPN Gateway
Administration Desktop also provides access to the Real-Time Monitor, where you can view a list of current users and close the connection for any user.
Planning your deployment
This chapter discusses deployment scenarios for the Firebox SSL VPN Gateway. You can deploy the Firebox SSL VPN Gateway at the perimeter of your organization’s internal network (or intranet) to provide a
secure single point-of-access to the servers, applications, and other network resources residing in the
internal network. All remote users must connect to the Firebox SSL VPN Gateway before they can access
any resources on the internal network.
This section discusses the following Firebox SSL VPN Gateway deployments:
• Deploying the Firebox SSL VPN Gateway in the network demilitarized zone (DMZ)
• Deploying the Firebox SSL VPN Gateway in a secure network that does not have a DMZ
Deploying the Firebox SSL VPN Gateway in the Network DMZ
Many organizations protect their internal network with a DMZ. A DMZ is a subnet that lies between an
organization’s secure internal network and the Internet (or any external network). When the Firebox SSL
VPN Gateway is deployed in the DMZ, users access it using the Secure Access Client or the kiosk client.
In this configuration, you install the Firebox SSL VPN Gateway in the DMZ and configure it to connect to
both the Internet and the internal network. When you deploy the Firebox SSL VPN Gateway in the DMZ,
client connections must traverse the first firewall to connect to the Firebox SSL VPN Gateway. By default,
clients use Secure Sockets Layer (SSL) on port 443 to establish this connection. To support this connectivity, you must allow SSL on port 443 through the first firewall.
Note
You can change the port clients use to connect to the Firebox SSL VPN Gateway by altering the port
setting in the Administration Tool. This port setting is discussed in “Configuring TCP/IP Settings Using
Network Cables”.
The Firebox SSL VPN Gateway decrypts the SSL connections from the client and establishes a connection on behalf of the client to the network resources behind the second firewall. The ports that must be
open through the second firewall are dependent on the network resources that you authorize external
users to access.
For example, if you authorize external users to access a Web server in the internal network, and this
server listens for HTTP connections on port 80, you must allow HTTP on port 80 through the second firewall. The Firebox SSL VPN Gateway establishes the connection through the second firewall to the HTTP
server on the internal network on behalf of the external clients.
The Firebox SSL VPN Gateway administrative tools available on the Firebox SSL VPN Gateway also listen
for connections on these ports:
• Port 9001 - Connections to the Administration Portal occur on this port.
• Port 9002 - Connections to the Administration Tool occur on this port.
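As an added example (not from this guide or from WatchGuard), the following Python derives the second-firewall allow list from the network resources you authorize, using the single-port, multiple-port, range and all-ports forms described under "Specify multiple ports and port ranges", and flags any port the first firewall admits beyond 443, in particular the administrative ports 9001 and 9002. The resource names, hosts and port specifications are constructed sample values.

```python
"""Firewall allow-list check for a DMZ deployment of the gateway.

Constructed example, not WatchGuard code. Resource names, hosts and port
specifications are made up; 443, 9001 and 9002 are the ports the guide
names for client and administrative connections.
"""
from dataclasses import dataclass

CLIENT_PORT = 443            # SSL connections from Secure Access and kiosk clients
ADMIN_PORTS = {9001, 9002}   # Administration Portal and Administration Tool
ALL_PORTS = (1, 65535)


@dataclass(frozen=True)
class Resource:
    """A network resource that remote users are authorized to reach."""
    name: str
    host: str
    ports: str   # "80", "80,8080", "3389-3390" or "*" for all ports


def parse_ports(spec):
    """Expand a port specification into sorted (low, high) ranges.

    Accepts the four forms allowed for a network resource: one port,
    several ports, a range, or all ports ("*").
    """
    spec = spec.strip()
    if spec == "*":
        return [ALL_PORTS]
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
        else:
            low = high = int(part)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port specification: {part!r}")
        ranges.append((low, high))
    return sorted(ranges)


def internal_firewall_rules(resources):
    """Second firewall: allow gateway -> host:ports for authorized resources only."""
    rules = set()
    for r in resources:
        for low, high in parse_ports(r.ports):
            rules.add((r.host, low, high))
    return sorted(rules)


def external_firewall_findings(inbound_ports):
    """First firewall: any port besides 443 reaching the gateway is a finding;
    an administrative port reachable from the Internet is the serious one."""
    findings = []
    for port in sorted(inbound_ports):
        if port in ADMIN_PORTS:
            findings.append(f"port {port}: administration interface reachable from the Internet")
        elif port != CLIENT_PORT:
            findings.append(f"port {port}: not needed for client SSL connections")
    return findings
```

Feed `internal_firewall_rules` the resources you have authorized and compare its output against the second firewall's actual rules; anything open beyond that list is not required by the gateway.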
Deploying the Firebox SSL VPN Gateway in a Secure Network
You can install the Firebox SSL VPN Gateway in the secure network. In this scenario, there is typically one
firewall between the Internet and the secure network. The Firebox SSL VPN Gateway resides inside the
firewall to control access to the network resources.
When a Firebox SSL VPN Gateway is deployed in the secure network, the Secure Access Client or kiosk
client connections must traverse the firewall to connect to the Firebox SSL VPN Gateway. By default,
both of these clients use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall.
Note
You can change the port on which clients connect to the Firebox SSL VPN Gateway by altering the port
setting in the Administration Tool. This port setting is discussed in “Configuring TCP/IP Settings Using
Network Cables”.
Planning for Security with the Firebox SSL VPN Gateway
When planning any type of Firebox SSL VPN Gateway deployment, there are basic security issues associated with certificates, authentication, and authorization that you should understand.
Configuring Secure Certificate Management
By default, the Firebox SSL VPN Gateway includes a self-signed SSL server certificate that enables it to
complete SSL handshakes. Self-signed certificates are adequate for testing or sample deployments, but
are not recommended for production environments.
Before you deploy the Firebox SSL VPN Gateway in a production environment, WatchGuard recommends that you request and receive a signed SSL server certificate from a known Certificate Authority
and upload it to the Firebox SSL VPN Gateway.
If you deploy the Firebox SSL VPN Gateway in any environment where the Firebox SSL VPN Gateway
must operate as the client in an SSL handshake (initiate encrypted connections with another server),
you must also install a trusted root certificate on the Firebox SSL VPN Gateway. For more information
about root certificates, see “Installing Root Certificates on the Firebox SSL VPN Gateway” on page 112.
For more information about certificates, see “Creating and Installing Secure Certificates” on page 109.
Authentication Support
You can configure the Firebox SSL VPN Gateway to authenticate users and control the level of access (or
authorization) that users have to the network resources on the internal network.
Before deploying the Firebox SSL VPN Gateway, your network environment should have the corporate
directories and authentication servers in place to support one of these authentication types:
• LDAP
• RADIUS
• RSA SecurID
• NTLM
• Secure Computing SafeWord products
If your environment supports none of the authentication types listed above, or you have a small population of remote users, you can create a list of local users on the Firebox SSL VPN Gateway and configure
the Firebox SSL VPN Gateway to authenticate users against this local list. With this configuration, it is not
necessary to maintain user accounts in a separate, external directory.
For more information about authentication and authorization, see “Configuring Authentication and
Authorization” on page 61.
Deploying Additional Appliances for Load Balancing and Failover
You can install multiple Firebox SSL VPN Gateway appliances into your environment for one or both of
these reasons:
• Scalability. If you have a large remote user population, install additional Firebox SSL VPN
Gateway appliances to accommodate the user load.
• High Availability. If a Firebox SSL VPN Gateway fails, you can install an additional Firebox SSL
VPN Gateway to ensure that the internal network remains available to remote users.
Note
To support only high availability, you can configure one Firebox SSL VPN Gateway as the primary
Firebox SSL VPN Gateway and one (or more) Firebox SSL VPN Gateway appliances as a failover device. If
the primary Firebox SSL VPN Gateway fails, client connections are directed to the failover Firebox SSL
VPN Gateway. For more information about this configuration, see “Configuring Firebox SSL VPN
Gateway Failover” on page 55.
To support both scalability and high availability, you can install a load balancer and then install multiple
Firebox SSL VPN Gateway appliances behind the load balancer. Deploying multiple appliances behind a
load balancer enables you to support a large population of remote users and maintain high availability
of the internal network to the users.
Installing the Firebox SSL VPN Gateway for the First Time
The Firebox SSL VPN Gateway installs in any network infrastructure without requiring changes to the
existing hardware or back-end software. It works with other networking products such as cache
engines, firewalls, routers, and IEEE 802.11 wireless devices.
WatchGuard recommends installing the Firebox SSL VPN Gateway in the corporate demilitarized zone
(DMZ). When installed in the DMZ, the Firebox SSL VPN Gateway participates on two networks: a private
network and a public network with a publicly routable IP address. Typically, the private network is the
corporate network and the public one is the Internet. You can also use the Firebox SSL VPN Gateway to
partition local area networks internally in the organization for access control and security. You can create partitions between wired or wireless networks and data and voice networks.
Getting Ready to Install the Firebox SSL VPN Gateway
Before installing the Firebox SSL VPN Gateway, collect materials for the initial configuration and for the
connection to your network.
For initial configuration, use one of the following setups:
• A cross-over cable and a Windows computer
• Two network cables, a network switch, and a Windows computer
• A serial cable and a computer with terminal emulation software
For a connection to a local area network, use the following items:
• One network cable to connect the Firebox SSL VPN Gateway inside of a firewall
• Two network cables to connect the Firebox SSL VPN Gateway located in the demilitarized zone
(DMZ) to the Internet and private networks
Collect the following network information for appliances:
• The Firebox SSL VPN Gateway internal IP address and subnet mask
• The Firebox SSL VPN Gateway external IP address and subnet mask