Zyxel ZYWALL SSL 10 Support Notes

ZyWALL SSL 10 Support Notes
ZyWALL SSL 10
Integrated SSL-VPN Appliance
Support Notes
Revision 2.01
April 2007
All contents copyright (c) 2006 ZyXEL Communications Corporation.
INDEX
1. Deployment
1.1 DMZ Zone
1.1.1 Deploy ZYWALL SSL 10 in DMZ zone
1.2 NAT Mode
1.2.1 Deploy ZYWALL SSL 10 at the gateway
2. Integrated Application
2.1 External Authentication
2.1.1 External Authentication configuration
2.1.2 User/Group configuration
2.2 Objects Configuration
2.2.1 SSL Application Object
2.2.2 VPN Network Object
2.2.3 Endpoint Security Object
2.2.4 Private IP Pool Object
2.3 SSL Policy Configuration
3. SSL VPN Solution
3.1 UTM Integration: ZyWALL UTM+ZyWALL SSL10
3.2 Seamlessly integrate SSL VPN into your existing IPSec VPN
3.3 Integration: SonicWALL+ZyWALL SSL10
3.4 Integration: Netscreen+ZyWALL SSL10
3.5 Integration with NSA-2400 for file sharing
4. Best Practice: Stronger Password Security
4.1 Using a two-factor authentication solution to provide stronger (FIPS 140 compliant) security: SSL10+Authenex
5. FAQ
A. ZyWALL General FAQ
A01. How do I access the ZyWALL SSL10 web GUI?
A02. What do I need to use the ZyWALL?
A03. What is PPPoE?
A05. Does the ZyWALL support PPPoE?
A06. How do I know I am using PPPoE?
A07. Why does my Internet Service Provider use PPPoE?
A08. How can I configure the ZyWALL?
A09. What can we do with the ZyWALL?
A10. Does the ZyWALL support dynamic IP addressing?
A11. What is the difference between the internal IP and the real IP from my ISP?
A12. How does e-mail work through the ZyWALL?
A13. What DHCP capability does the ZyWALL support?
A14. How do I use the reset button, and which parameters does the reset button reset?
A15. My ZyWALL cannot get an IP address from the ISP to connect to the Internet, what can I do?
A16. What is BOOTP/DHCP?
B. Firmware Upgrade FAQ
B01. How do I perform the firmware upgrade on the ZyWALL SSL10?
C. Registration for Service Activation FAQ
C01. Why do I have to register?
C02. In addition to registration, what can I do with myZyXEL.com?
C03. How do I activate the SSL-VPN license?
D. SSL VPN FAQ
D01. Matrix table for the SSL VPN terms
D02. Why are some web pages not displayed correctly?
D03. SSL VPN vs. PPTP VPN?
D04. What is the order of user authentication?
E. EPC (End Point Check) FAQ
E1. What is EPC on the ZyWALL SSL10?
E2. What are the checking items of EPC on the ZyWALL SSL 10?
1. Deployment
An SSL VPN encapsulates sensitive data in the SSL protocol to secure the communication between the SSL client and the SSL server using encryption, authentication and key exchange. The ZyWALL SSL 10 acts as the SSL server and integrates easily with an existing firewall (for example a ZyWALL or a third-party firewall) to provide an SSL VPN solution. Depending on your current network topology, we have two suggested deployments for the ZyWALL SSL 10.
1.1 DMZ Zone
1.1.1 Deploy ZYWALL SSL 10 in DMZ zone
When deploying the ZyWALL SSL 10, the first question is usually where to place the device in the existing network. If the environment matches the following two criteria, placing the SSL 10 in the DMZ zone is recommended:
- You already have a ZyWALL or a third-party firewall installed, such as a SonicWALL TZ170 or a Juniper 5GT.
- The ZyWALL UTM or third-party firewall provides security inspection such as Anti-Virus, IDP and firewall.
The following figure shows an example topology.
The network topology above illustrates this application. One ZyWALL is the main office's gateway and is connected to the branch office's ZyWALL by an IPSec VPN tunnel. The ZyWALL SSL 10 sits behind the main office's gateway in the DMZ zone. After passing SSL authentication, remote users can access either the main office's LAN resources or, via the IPSec VPN tunnel, the branch office's LAN resources.
Because the SSL VPN traffic is decrypted by the ZyWALL SSL 10 before it leaves the DMZ, the ZyWALL UTM or third-party firewall can inspect it in cleartext with its firewall, Anti-Virus, IDP and similar features. A remote PC that passed SSL authentication is therefore not implicitly trusted: if it is infected or hostile, the UTM still gets a chance to stop viruses or attacks before they reach the internal network, which relieves the MIS administrator of that worry.
Configuration information in this example:

ZyWALL UTM
WAN Address: 172.120.1.10
DMZ Address: 192.168.3.1
LAN Address: 192.168.1.1

ZyWALL SSL 10
WAN Address: 192.168.3.2
VPN Network: 192.168.1.0/24
Remote Users IP Address Pool: 192.168.10.200 ~ 192.168.10.250

To achieve this, we have to complete the following tasks:
- Check the ZyWALL UTM or 3rd-party firewall's settings:
1. Configure the proper IP address for the WAN, LAN and DMZ interfaces.
2. Configure port 443 forwarding to the ZyWALL SSL 10 for SSL traffic.
3. Change the system management port for HTTPS from 443 to another port to avoid a conflict with the SSL VPN port forwarding.
- On the ZyWALL SSL 10, use the Wizard to set up the initial SSL VPN access network.
See the following step-by-step configuration.
Configuration on ZyWALL UTM
Step1. Check that the WAN, LAN and DMZ IP addresses have been properly configured.
1) Go to the GUI > Network > DMZ, configure the DMZ IP address as 192.168.3.1.
2) Go to the GUI > Network > DMZ > Port Roles, define the port 4 belongs to DMZ zone.
3) Go to the GUI > Network > WAN > WAN1, configure a proper WAN IP address (ex. 172.120.1.10 in this example).
4) Go to the GUI > Network > LAN, configure the LAN IP address as 192.168.1.1.
Step2. Check that Internet access is available from both the LAN and the DMZ network by pinging from a LAN host and from a DMZ host.
Step3. Check that the UTM functions (ex. Firewall, Anti-Virus and IDP) are enabled and that they do not block the SSL traffic from the WAN to the DMZ.
Step4. Setup the port forwarding for SSL traffic.
1) Go to the GUI > ADVANCED > NAT > Port Forwarding, add one rule to forward port 443 traffic to the ZyWALL SSL 10 (192.168.3.2).
Step5. Go to the GUI > ADVANCED > REMOTE MGMT > WWW and change the ZyWALL UTM's HTTPS management port number from 443 to another port number (ex. 10443). This makes sure all HTTPS traffic arriving on port 443 is forwarded to the ZyWALL SSL 10 instead of being answered by the UTM's own management page. If IT staff need to access the ZyWALL UTM by HTTPS, they can use
https://IP_address:10443
(where IP_address can be the ZyWALL's LAN, DMZ or WAN IP address, depending on your remote management setting). Moving the port does not restrict who can reach the management interface; keep the remote management access settings limited to the interfaces and client addresses the IT staff actually use.
Note: If you have already configured a port-forwarding rule for port 443 to a web server, we suggest using another WAN IP address of the ZyWALL UTM for access to the ZyWALL SSL 10, since one WAN IP address can forward port 443 to only one host.
For example, if WAN1 already forwards port 443 to another web server (ex. 192.168.3.10), use the WAN2 interface (ex. IP address 10.59.1.30) to forward port 443 to the ZyWALL SSL 10, as shown in the following figure.
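Steps 3 to 5 above, together with the note on a second WAN address, describe three ZyWALL UTM settings that must agree before the SSL 10 is reachable on port 443: the port-forwarding rule, the HTTPS management port, and the WAN-to-DMZ firewall rule. The following Python script is an added example, not ZyXEL code and not the ZyWALL's configuration format: it models those settings as plain data structures of this example's own design and reports every conflict for a given WAN IP. The zone names, the first-match/default-deny firewall semantics, and the configurations built by example_utm() and two_wan_utm() are assumptions derived from the values in this section.

```python
"""Static check of the ZyWALL UTM settings that publish the ZyWALL SSL 10 on port 443.

Added example for sections 1.1.1 Step 3 to Step 5 and the two-WAN note; the
data model below is this example's own, not the ZyWALL configuration format.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PortForward:
    wan_ip: str      # WAN address the rule listens on
    port: int        # TCP port (same outside and inside in this example)
    server_ip: str   # DMZ or LAN host that receives the traffic


@dataclass(frozen=True)
class FirewallRule:
    src_zone: str         # "WAN", "DMZ" or "LAN"
    dst_zone: str
    dst_net: str          # CIDR the rule applies to
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"


@dataclass
class UtmConfig:
    https_mgmt_port: int                  # REMOTE MGMT > WWW, HTTPS server port
    zone_nets: Dict[str, str]             # zone name -> CIDR for the DMZ and LAN
    forwards: List[PortForward] = field(default_factory=list)
    firewall: List[FirewallRule] = field(default_factory=list)


def zone_of(cfg: UtmConfig, ip: str) -> str:
    """Zone an address belongs to; anything outside the DMZ/LAN nets counts as WAN."""
    for zone, net in cfg.zone_nets.items():
        if ip_address(ip) in ip_network(net):
            return zone
    return "WAN"


def firewall_verdict(cfg: UtmConfig, src_zone: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; no match means deny (assumed default policy)."""
    for r in cfg.firewall:
        if (r.src_zone == src_zone and r.dst_zone == zone_of(cfg, dst_ip)
                and ip_address(dst_ip) in ip_network(r.dst_net)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"


def check_ssl_publication(cfg: UtmConfig, ssl10_ip: str, wan_ip: str, port: int = 443) -> List[str]:
    """Findings for publishing ssl10_ip behind wan_ip:port; an empty list means consistent."""
    findings: List[str] = []
    hits = [f for f in cfg.forwards if f.wan_ip == wan_ip and f.port == port]
    if not hits:
        findings.append(f"no port-forwarding rule for {wan_ip}:{port}")
    elif len(hits) > 1:
        targets = ", ".join(f.server_ip for f in hits)
        findings.append(f"{len(hits)} rules compete for {wan_ip}:{port} ({targets})")
    elif hits[0].server_ip != ssl10_ip:
        findings.append(f"{wan_ip}:{port} is forwarded to {hits[0].server_ip}, not the SSL 10 at "
                        f"{ssl10_ip}; publish one of them on another WAN IP")
    if cfg.https_mgmt_port == port:
        findings.append(f"HTTPS management still listens on {port}; move it to another port such as 10443")
    if zone_of(cfg, ssl10_ip) != "DMZ":
        findings.append(f"{ssl10_ip} is not in the DMZ zone")
    if firewall_verdict(cfg, "WAN", ssl10_ip, port) != "allow":
        findings.append(f"firewall does not allow WAN -> {ssl10_ip}:{port}")
    return findings


def example_utm(https_mgmt_port: int = 10443) -> UtmConfig:
    """The section 1.1.1 example: WAN 172.120.1.10, DMZ 192.168.3.0/24, LAN 192.168.1.0/24 (assumed)."""
    return UtmConfig(
        https_mgmt_port=https_mgmt_port,
        zone_nets={"DMZ": "192.168.3.0/24", "LAN": "192.168.1.0/24"},
        forwards=[PortForward("172.120.1.10", 443, "192.168.3.2")],
        firewall=[FirewallRule("WAN", "DMZ", "192.168.3.2/32", 443, "allow")],
    )


def two_wan_utm() -> UtmConfig:
    """The Note case: WAN1 443 already goes to a web server, so the SSL 10 is published on WAN2."""
    cfg = example_utm()
    cfg.forwards = [PortForward("172.120.1.10", 443, "192.168.3.10"),
                    PortForward("10.59.1.30", 443, "192.168.3.2")]
    cfg.firewall = [FirewallRule("WAN", "DMZ", "192.168.3.0/24", 443, "allow")]
    return cfg


if __name__ == "__main__":
    cases = [("management still on 443", example_utm(443), "172.120.1.10"),
             ("after Step 5", example_utm(), "172.120.1.10"),
             ("two WAN, checking WAN1", two_wan_utm(), "172.120.1.10"),
             ("two WAN, checking WAN2", two_wan_utm(), "10.59.1.30")]
    for label, cfg, wan in cases:
        print(label, "->", check_ssl_publication(cfg, "192.168.3.2", wan) or "OK")
```

Run it as a script to see the four cases: the configuration with the management port still on 443 and the WAN1 case of the two-WAN note each produce one finding, the other two pass. The same function can be pointed at a firewall whose rule list was left empty, which reproduces the Step 3 failure (UTM blocking WAN to DMZ on 443).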
Configuration on ZyWALL SSL 10
1) Access the ZyWALL SSL 10 via https://192.168.1.1 (the default address) and log in by entering the username and password (default admin/1234). Press the Login button. Change the default admin password once the initial setup is complete: after port 443 is forwarded, this login page is reachable from the Internet.
Note1: The login page asks whether the browser cache should be cleaned after you finish. If you configure the ZyWALL SSL 10 from your own PC and have no security concern, leave the default 'I am connecting via my own computer'. From a shared or public machine choose 'I am connecting via Public computer' instead, so the cached pages are removed when you log out.
Note2: Please ensure JavaScript and the ActiveX control setting are turned on in your browser.
2) Then press the Yes button to accept the system alert.
3) If this is the first time you configure the ZyWALL SSL 10, the following page will be shown. Choose the Setup Wizard button to enter the wizard.
If this is not the first time you configure the ZyWALL SSL 10, the system will open the Advanced Setup page after login. Click the Wizard icon at the top right of the page.
4) Choose the default "Install on Gateway's DMZ Port" and press the Next button.
5) Then choose "Static" for the device's WAN IP assignment in this example. Configure the IP address setting as shown below. Press the Next button.
6) We create one SSL VPN user for this example. Enter the username and password. Press the Next button.
7) Then configure the VPN network and the remote users IP address pool as below.
Note1: In this example we use the IP arrangement shown in the picture below. The "VPN network" (marked in blue on the right) is the destination network that SSL VPN users are allowed to access (the "LAN zone"). The "Remote users IP address pool" holds the addresses the device assigns to remote SSL VPN users in full tunnel mode.
Note2: The remote users IP address pool must be different from the VPN network. In this example we use 192.168.1.0/24 for the VPN network and a remote users IP pool ranging from 192.168.10.200 to 192.168.10.250.
8) The system will then remind you to configure the firewall and UTM settings on the ZyWALL UTM or 3rd-party UTM firewall. Press the Next button.
9) It will give you a summary of the ZyWALL SSL 10's WAN IP setting. Press the Activate SSL-VPN License button to register the device's information with myZyXEL.com. If you want to activate the SSL-VPN license later, press the Finish button instead.
Note: Please make sure Internet access is available before pressing Activate SSL-VPN License, since the system will send the registration information to http://www.myZyXEL.com.
10) Enter the necessary information to register your user account and the device; ten SSL-VPN node licenses are granted after successful registration. Press the Finished button to submit the information.
This completes the registration and initial setup.
Simulate an Internet host accessing the ZyWALL SSL 10 through the ZyWALL
Step1: Assume PC_A is an Internet host on the ZyWALL's WAN side. Open the IE browser and access the ZyWALL's WAN IP address by HTTPS (ex. https://172.120.1.10). The ZyWALL SSL 10 login page will be shown; if the ZyWALL UTM's own management page appears instead, Step 4 or Step 5 of the UTM configuration was not applied. Enter the username/password we just created (ex. sharno/1234 in this example).
PC_A is now allowed to access internal resources. After a successful login, however, the remote user will see an empty Application and File Sharing list, as below.
The user will also find that his PC received a PPP IP address from the remote users IP address pool (192.168.10.200 ~ 192.168.10.250) in the PC's network connections after the successful login.
The user can open an application tool to access an internal application server if he knows how to reach it. For example, if an FTP server's IP is 192.168.1.240, he can open an FTP tool (ex. CuteFTP) to access the server.
If IT staff would like to pre-configure access links for the remote user's quick view, further configuration is needed. Please refer to chapter 2 for the details.
1.2 NAT Mode
1.2.1 Deploy ZYWALL SSL 10 at the gateway
If your company's environment does not yet have a ZyWALL or another firewall providing a security checking mechanism, it is suggested that you put the ZyWALL SSL 10 at the network gateway and also have it perform NAT to translate the private IP addresses to the public one.
The following figure shows an example topology.
The network topology illustrates this application. In this deployment the ZyWALL SSL 10 itself is the main office's gateway, so SSL VPN traffic is decrypted at the network edge and no separate UTM inspects it. Remote users can access the main office's LAN resources after passing SSL authentication.
SSL VPN configuration table

ZyWALL SSL 10
WAN Address: 172.120.1.10
LAN Address: 192.168.1.1
VPN Network: 192.168.1.0/24
Remote Users IP Address Pool: 192.168.10.200 ~ 192.168.10.250

To achieve this, we have to complete the following task:
- On the ZyWALL SSL 10, use the Wizard to set up the initial SSL VPN access network.
See the following step-by-step configuration.
Configuration on ZyWALL SSL 10
1) Log in to the ZyWALL SSL 10 GUI (default username admin, password 1234). Press the Login button. Change the default admin password once the initial setup is complete, since in this deployment the device's WAN interface faces the Internet directly.
Note1: The login page asks whether the browser cache should be cleaned after you finish. If you configure the ZyWALL SSL 10 from your own PC and have no security concern, leave the default 'I am connecting via my own computer'. From a shared or public machine choose 'I am connecting via Public computer' instead, so the cached pages are removed when you log out.
Note2: Please ensure you turn on JavaScript and ActiveX control setting on your browser.
2) Then press Yes button to accept the system alert.
3) If this is the first time you configure the ZyWALL SSL 10, the following page will be shown. Choose the Setup Wizard button to enter the wizard.
If this is not the first time you configure the ZyWALL SSL 10, the system will open the Advanced Setup page after login. Click the Wizard icon at the top right of the page.
4) Choose "Install as New Gateway" and press the Next button.
5) In this example we choose "Static" for the device's WAN IP assignment. Configure the IP address setting as shown below. Press the Next button.
6) Configure the LAN IP assignment and the DHCP setting. Press the Next button. A warning message will pop up to remind you that the LAN IP address will be changed; your LAN PC needs to release and renew its IP address from DHCP.
7) In this example we create one SSL VPN user, as shown in the figure below. Press the Next button.
8) Then configure the VPN network and the remote users IP address pool as in the following figure. Press the Next button.
Note1: In this example we use the IP arrangement shown in the picture below. The "VPN network" (marked in blue on the right) is the destination network that SSL VPN users are allowed to access (the "LAN zone"). The "Remote users IP address pool" holds the addresses the device assigns to remote SSL VPN users in Full Tunneling mode.
Note2: The remote users IP pool must be different from the VPN network.
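Note2 here and Note2 in section 1.1.1 both require the remote users IP pool to be separate from the VPN network. The following Python function is an added example, not ZyXEL code: it checks a pool given the way the wizard shows it ("first ~ last") against one or more VPN networks, against device addresses that must never be leased to a remote user, and against the number of node licenses. The function name, its parameters, the private-range check and the sample values are this example's own, built from the addresses used in sections 1.1.1 and 1.2.1.

```python
"""Consistency checks for the wizard's 'VPN network' and 'Remote users IP address pool' fields.

Added example for Note2 in sections 1.1.1 and 1.2.1; the checks beyond
"pool must differ from the VPN network" are this example's own.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple


def address_range(first: str, last: str) -> Tuple[int, int]:
    """Inclusive pool bounds as integers; rejects a reversed or mixed-version range."""
    lo, hi = ip_address(first), ip_address(last)
    if lo.version != hi.version:
        raise ValueError("pool start and end must be the same IP version")
    if lo > hi:
        raise ValueError(f"pool start {first} is after pool end {last}")
    return int(lo), int(hi)


def check_remote_user_pool(pool_first: str, pool_last: str,
                           vpn_networks: Iterable[str],
                           device_ips: Iterable[str] = (),
                           node_licenses: Optional[int] = None) -> List[str]:
    """Findings for the wizard's pool fields; an empty list means the values are consistent.

    pool_first/pool_last : the 'Remote users IP address pool' range
    vpn_networks         : the 'VPN network' CIDRs that remote users may reach
    device_ips           : addresses that must never be leased to a remote user
                           (the SSL 10's own interfaces, the gateway)
    node_licenses        : activated SSL-VPN node licenses; the pool should hold
                           at least that many addresses
    """
    findings: List[str] = []
    lo, hi = address_range(pool_first, pool_last)
    pool = f"{pool_first} ~ {pool_last}"

    for cidr in vpn_networks:
        net = ip_network(cidr, strict=False)
        # Two inclusive ranges overlap when neither one ends before the other starts.
        if lo <= int(net.broadcast_address) and int(net.network_address) <= hi:
            findings.append(f"pool {pool} overlaps VPN network {cidr}")

    for ip in device_ips:
        if lo <= int(ip_address(ip)) <= hi:
            findings.append(f"pool {pool} contains the device address {ip}")

    if not (ip_address(pool_first).is_private and ip_address(pool_last).is_private):
        findings.append(f"pool {pool} is not in a private address range")

    size = hi - lo + 1
    if node_licenses is not None and size < node_licenses:
        findings.append(f"pool holds {size} addresses but {node_licenses} node licenses were activated")
    return findings


if __name__ == "__main__":
    # The values from sections 1.1.1 and 1.2.1: pool in 192.168.10.0/24, VPN network 192.168.1.0/24
    print(check_remote_user_pool("192.168.10.200", "192.168.10.250",
                                 ["192.168.1.0/24"], ["192.168.1.1", "192.168.3.2"], 10) or "OK")
    # A pool carved out of the VPN network itself, which is what Note2 warns against
    print(check_remote_user_pool("192.168.1.200", "192.168.1.250",
                                 ["192.168.1.0/24"], ["192.168.1.1"]))
```

The first call returns no findings; the second reports the overlap with 192.168.1.0/24. When the deployment of section 3.2 later adds a branch office network behind the IPSec tunnel, pass it as a second entry in vpn_networks so the pool is checked against both.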
9) It will give you a summary of the ZyWALL SSL 10's LAN and WAN IP settings. Press the Activate SSL-VPN License button to register the device's information with myZyXEL.com. If you want to activate the SSL-VPN license later, press the Finish button instead.
Note: Please make sure Internet access is available before pressing Activate SSL-VPN License, since the system will send the registration information to http://www.myZyXEL.com.
10) Enter the necessary information to register your user account and the device and get 10 SSL-VPN node licenses on myZyXEL.com. Press the Finish button to submit the information.
This completes the registration and initial setup. A remote user can now use 'test/1234' to connect to the internal network. When the remote user logs in successfully, however, he will see an empty Application and File Sharing list, since that needs further configuration.
To configure more users or groups and to specify which applications remote users may access, please refer to the additional configuration in chapter 2.
2. Integrated Application
Authentication, policy and endpoint security requirements are the three essential elements for building up the SSL connection and giving different privileges to different users and groups, so that the varying access requirements of each application can be met.
Application Diagram:
Background:
A company's daily operation involves travelling employees, sales staff and outside partners. They use SSL VPN to access the internal systems and gather the information needed for business operation. The company has already deployed a Microsoft AD server for user management and authentication, and the ZyWALL SSL10 also uses this server for user authentication. Three user groups are pre-configured in the AD: RD, sales and outsider.
Different access resources are available: a web server and web-based applications let partners check new product information or place orders online. Sales staff travel around the globe and use SSL VPN to connect back to the head office to check internal information and the latest price list. The RD group may remotely access their office PCs from home in urgent cases, and also check or update files on the internal network for development and sharing. With the ZyWALL SSL 10's object-based configuration design, the IT engineer can plan and deploy this application more effectively.
2.1 External Authentication
The ZyWALL SSL10 can be deployed smoothly in a network environment that already has a central user database such as Microsoft Active Directory, RADIUS or LDAP. The same user information does not need to be re-entered in the ZyWALL SSL10 local database. The ZyWALL SSL10 provides a user-friendly interface for configuring the external database connection.
2.1.1 External Authentication configuration
Please log in to the ZyWALL SSL10 web GUI and switch to System > AAA Server.