FirePass™ Server Administrator Guide
version 4.1
MAN-0081-01

Product Version
This manual applies to product version 4.1 of the FirePass™ server.
Legal Notices Copyright Copyright © 1999-2004, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5. F5 reserves the right to change specifications at any time without notice.
Trademarks F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, iControl, GLOBAL-SITE, SEE-IT, EDGE-FX, FireGuard, Internet Control Architecture, IP Application Switch, Packet Velocity, iRules, SYN Check, FirePass, and uRoam are registered trademarks or trademarks of F5 Networks, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. F5 Networks' trademarks may not be used in connection with any product or service except as permitted in writing by F5.
Export Regulation Notice This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.
Export Warning This is a Class A product. In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures.
FCC Compliance This equipment generates, uses, and may emit radio frequency energy. The equipment has been type tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules, which are designed to provide reasonable protection against such radio frequency interference. Operation of this equipment in a residential area may cause interference, in which case the user at his own expense will be required to take whatever measures may be required to correct the interference. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.
Canadian Regulatory Compliance This Class A digital apparatus complies with Canadian ICES-003.
Standards Compliance The product conforms to ANSI/UL Std 1950 and Certified to CAN/CSA Std. C22.2 No. 950.
Table of Contents

Chapter 1 Introducing the FirePass Server
  The FirePass remote access solution  1-1
  The FirePass server models  1-1
  The FirePass server features  1-2
    Overview of features  1-2
    FirePass server features  1-3
  About this guide  1-4
    Audience  1-4
  Finding help and technical support resources  1-5

Chapter 2 Deploying the FirePass Server
  Overview of deploying the FirePass server  2-1
    Summary of tasks for installing and deploying the FirePass server  2-1
  Configuring a firewall to work with the FirePass server  2-2
    Overview of the firewall configuration process  2-3
    About the traffic between a remote user’s browser and the FirePass server  2-5
    About the traffic between the FirePass server and network services  2-6
    About the traffic between the FirePass server and application services  2-7
    About the traffic between the FirePass server and the Desktop Agent  2-9
  Understanding name resolution issues for FirePass servers with a private IP address  2-11
  Installing the FirePass server  2-12
    Unpacking the FirePass server  2-12
    Installing the FirePass server in an equipment rack  2-12
    Connecting the FirePass server to a network and powering up  2-12
    Performing the initial FirePass IP configuration  2-14
  Testing network connectivity  2-16
  Using the Administrative Console to configure the FirePass server  2-17
    Logging into the Administrative Console  2-17
    Changing the superuser password  2-18
    Installing your license  2-19
    Displaying a list of current settings and licensed features  2-19
    Using the Administrative Console to access the Maintenance Console  2-20
    Logging out of the Administrative Console  2-20
  Using the Maintenance Console  2-21
  What’s next?  2-23

Chapter 3 Setting Up FirePass Server Security
  Overview of setting up FirePass server security  3-1
  Working with groups  3-2
    Creating groups  3-3
    Deleting groups  3-4
    Moving users to a different group  3-4
    Showing a list of all users in a group  3-4
    Using Windows domain-based group mapping  3-4
    Using LDAP-based group mapping  3-6
  Working with user accounts  3-11
    Manually adding user accounts  3-11
    Importing user accounts from a Windows domain server  3-13
    Importing user accounts from an LDAP server  3-15
    Importing user accounts from a comma or tab delimited text file  3-16
    Using signup templates to add user accounts  3-16
    Using NFS user permissions from a UNIX password file  3-17
    Changing user accounts  3-19
    Activating, deactivating, or deleting user accounts  3-19
    Assigning administrative privileges to a user account  3-19
    Searching for user accounts  3-21
    Generating a My Desktop client software installation key  3-21
    Installing My Desktop client software at a user’s computer  3-22
  Setting up FirePass server authentication  3-23
    Converting to internal database authentication  3-23
    Setting up RADIUS server authentication  3-24
    Setting up a RADIUS server to work with the FirePass server  3-25
    Setting up Windows domain server authentication  3-25
    Setting up LDAP server authentication  3-27
    Setting up VASCO DigiPass authentication  3-28
  Setting up certificates  3-29
    Changing the FirePass server name  3-30
    Generating a server certificate request  3-30
    Installing or renewing a server certificate  3-31
    Using client certificates to authenticate a user’s computer  3-31
  Limiting access to the administrative console by IP address  3-35
  What’s next?  3-35

Chapter 4 Configuring the FirePass Webifyers
  Overview of the FirePass Webifyers  4-1
  Configuring the My Files Webifyer  4-3
    Defining Network Folder Favorites for the My Files Webifyer  4-3
    Limiting a group’s access to the Network Folder Favorites  4-3
    Enabling virus scanning and file uploading for the My Files Webifyer  4-4
    Configuring advanced settings for the My Files Webifyer  4-4
    Using client certification validation for the My Files Webifyer  4-5
  Configuring the My NFS Webifyer  4-6
    Defining favorites for the My NFS Webifyer  4-6
    Defining NFS shared folders for the My NFS Webifyer  4-7
    Limiting a group’s access to the NFS Favorites  4-7
    Using client certification validation for the My NFS Webifyer  4-7
  Configuring the My Intranet Webifyer  4-8
    Defining intranet favorites for the My Intranet Webifyer  4-8
    Limiting a group’s access to the Intranet Favorites  4-10
    Using client certification validation for the My Intranet Webifyer  4-10
  Configuring the My E-mail Webifyer  4-11
    Configuring an email account  4-11
    Obtaining each user’s email information based on an LDAP query  4-12
    Disabling email attachment downloads  4-13
    Obtaining email addresses from an LDAP server  4-13
    Using client certification validation for the My E-mail Webifyer  4-14
  Configuring the Terminal Services Webifyer  4-15
    Configuring screen resolution and Terminal Services Favorites  4-15
    Limiting a group’s access to the Terminal Service Favorites  4-17
    Using client certification validation for the Terminal Service Webifyer  4-17
  Configuring the AppTunnels Webifyer  4-18
    Configuring AppTunnel Favorites  4-18
    Compressing traffic between the client and the FirePass server  4-20
    Limiting a group’s access to the AppTunnels Favorites  4-20
    Using client certification validation for the AppTunnels Webifyer  4-20
  Configuring the Host Access Webifyer  4-21
    Configuring Host Access Favorites  4-21
    Displaying active host access sessions  4-22
    Limiting a group’s access to the host access favorites  4-22
    Using client certification validation for the Host Access Webifyer  4-22
  Configuring SSL-VPN  4-23
    Configuring global SSL VPN settings  4-24
    Configuring global SSL VPN packet filter rules  4-25
    Configuring global SSL VPN timeout rules  4-26
    Configuring global SSL VPN client appearance  4-26
    Configuring the SSL VPN Webifyer for a group  4-27
    Configuring group packet filter rules  4-29
    Configuring drive mappings for the SSL VPN Webifyer  4-29
    Launching applications automatically with the SSL VPN Webifyer  4-30
    Using client certification validation for the SSL VPN Webifyer  4-30
  Configuring the My Desktop Webifyer  4-31
    Configuring the My Desktop server ports  4-31
    Configuring My Desktop Webifyer for cluster servers  4-32
    Disabling bridge access to desktops  4-32
    Using client certification validation for the My Desktop Webifyer  4-33
    Configuring the Guest Access Webifyer  4-33
  Configuring the X-Windows Access Webifyer  4-35
    Configuring X-Windows hosts for remote access  4-35
  Using client certificate validation for Webifyers  4-38

Chapter 5 Managing, Monitoring, and Maintaining the FirePass Server
  Maintaining the network configuration settings  5-1
    Configuring IP addresses and subnets  5-1
    Configuring routing tables and rules  5-2
    Configuring Domain Name Servers (DNS)  5-4
    Configuring host names  5-5
    Configuring services  5-5
    Configuring Desktop services  5-8
    Other network settings  5-8
  Configuring IPSec for the FirePass server  5-9
  Managing FirePass licenses  5-11
    Obtaining a license for the first time  5-11
    Installing your license  5-11
    Adding capacity or features to your license  5-11
  Mapping FirePass users to NFS users  5-12
  Specifying HTTP and SSL proxies  5-14
  Configuring an SNMP agent  5-15
  Shutting down and restarting FirePass  5-17
    Shutting down the FirePass server  5-17
    Restarting the FirePass server or services  5-17
    Stopping and starting the bridge  5-18
  Backing up and restoring the FirePass server  5-19
  Specifying the email server  5-20
  Specifying the FirePass administrator’s email address  5-20
  Granting Administrator privileges to other users  5-21
  Specifying the time, time zone, and NTP server  5-22
  Configuring client caching and compression settings  5-23
  Managing log files  5-25
  Updating the FirePass server’s firmware  5-27
  Adding definitions for other types of browsers  5-28
  Monitoring the FirePass server  5-29
    Monitoring the load on a FirePass server  5-29
    Displaying FirePass server statistics  5-30
    Capturing network packets to troubleshoot networking problems  5-30
  Customizing the user’s home page  5-31
  Providing SSH access for Technical Support  5-31

Chapter 6 Using FirePass Reports
  Overview of FirePass server reports  6-1
  Using the Logon report  6-2
  Using the My Desktop Activations report  6-3
  Using the Session report  6-4
  Using HTTP Log reports  6-5
  Using the Application Log report  6-6
  Using the Summary report  6-7
  Using the Group report  6-8

Chapter 7 Configuring FirePass Failover Servers and Cluster Servers
  Using FirePass failover servers  7-1
    Installing FirePass failover servers  7-1
    Configuring the IP addresses for failover servers  7-1
    Powering up failover servers  7-2
    Configuring the failover settings  7-3
    Making a standby server the active server  7-4
  Using FirePass server clusters  7-5
    Installing multiple FirePass servers as a cluster  7-5
    Powering up FirePass server clusters  7-5
    Configuring FirePass server clusters  7-6
    Preliminary configuration  7-6
    Configuring clustered servers  7-7
    Accessing a slave server’s configuration while connected to a master server  7-8
    Displaying statistics for a FirePass server cluster  7-8

Index
1 Introducing the FirePass Server
• The FirePass remote access solution
• The FirePass server models
• The FirePass server features
• About this guide
• Finding help and technical support resources
The FirePass remote access solution

The FirePass™ server is a network appliance that provides remote users with secure access to corporate networks using any standard Web browser. The FirePass server can be installed in a few hours and requires no modifications to corporate applications. No configuration or setup is required at the user’s remote location: if the user’s Web browser can connect to Web sites on the Internet, that browser can connect to the FirePass server.

The FirePass server provides a web-based alternative to traditional remote-access technologies such as modem pools, RAS servers, and IPSec-layer Virtual Private Networks (VPNs). By using the browser as a standard “thin client,” the FirePass server enables a corporation or organization to extend secure remote access easily and cost-effectively to anyone connected to the Internet, with no special software or configuration on the remote device. No additions or changes are necessary to the back-end resources being accessed. This approach eliminates the IPSec VPN support burden and adds application functionality well beyond mere connectivity.

The FirePass server provides full access to network and desktop resources, including:
• File servers
• Email
• Intranet
• Terminal servers
• Legacy mainframe, AS/400, and Telnet applications
• Client/server applications
• All desktop PC applications
The FirePass server models

The FirePass server is available in two models:

◆ FirePass 1000:
  • Supports up to 100 concurrent users
  • 1U rackmount chassis
  • Includes one 10/100 Ethernet port and supports an option for a second 10/100 Ethernet port
  • 200 watt power supply

◆ FirePass 4000:
  • Supports up to 1000 concurrent users
  • 2U rackmount chassis
  • Includes two 10/100 Ethernet ports
  • 480 watt power supply
The FirePass server features

Overview of features

◆ Security
FirePass server was built from the ground up to adhere to the highest standards of best security practices.
• Encryption: FirePass server offers several strengths of encryption, depending on the capability of the browser in use and on the optional security settings of the FirePass implementation. FirePass server offers encryption keys up to 1024 bits.
• Authentication: FirePass server includes an internal user database for password authentication, and it can use existing RADIUS, LDAP, and Windows domain servers for authentication. Administrators can require different authentication methods for different groups. If you want to use two-factor authentication, FirePass server supports RSA SecurID® token-based authentication and also offers an optional, built-in implementation of VASCO Digipass®.
• Access Control: FirePass server grants access to specific applications to individuals or to groups of users. With FirePass server’s access controls, you can restrict individuals and groups to particular resources. For example, partners can have access restricted to an extranet server only, while sales staff can connect to email, the company intranet, and the CRM system.

◆ Availability
Unlike IPSec VPNs, Web-based remote access works over all ISP connections and from behind other firewalls. Because FirePass sessions are ordinary HTTPS connections, an ISP or intermediate firewall that blocks or filters IPSec traffic passes them as it would any other HTTPS session. Failover and clustering options provide high availability and high capacity. FirePass servers can be clustered to support up to 10,000 concurrent connections on a single logical URL without performance degradation.

◆ Ease of use, deployment, maintenance, and management
FirePass server installs in a few hours. Users are presented with an intuitive, browser-based interface and require minimal training after a brief introduction. FirePass server can be upgraded in the field over the Web. Automatic release update notifications prompt the FirePass server administrator to download new versions when they become available. Features and capacity can also be added over the Web.
FirePass server features

The following features are available on both FirePass server models.

◆ Standard Web browser support
FirePass server can be used with most standard browsers that support secure HTTP (HTTPS). These include Internet Explorer®, Netscape Navigator®, Opera®, and Mozilla®.

◆ WAN security
FirePass server supports common encryption technologies, including RC4 and 3DES, using standard SSL encryption from the client browser to the FirePass server. (Both RC4 and 3DES have since been deprecated for use in SSL/TLS; prefer the strongest cipher suite that the server and your browsers share.)

◆ Authentication
FirePass server performs basic authentication using an internal database. It also supports two-factor (token-based) authentication methods such as RSA SecurID® and VASCO Digipass. FirePass server authenticates devices using signed digital (client) certificates, and it can be integrated with LDAP directories and Windows domain servers.

◆ Application access using standard Webifyers
FirePass server provides access to virtually all corporate and desktop applications, including email, file, and intranet access; client-server application access; legacy host application access (mainframe, AS/400, X-Windows, and Telnet); and Terminal Services/Citrix® application access.

◆ Mobile device access
FirePass server provides email, file, and intranet access from mini-browsers on mobile devices. These include Internet-enabled (WAP and i-mode) telephones, PDAs (PalmOS® and Pocket PC), and RIM BlackBerry™ devices.

◆ Administration
FirePass server provides a web-based Administrative Console. The Console includes tools for installing and managing the FirePass server, including user and group enrollment and management, clustering and failover configuration, certificate generation and installation, and user interface customization.

◆ Audit trail
FirePass server provides audit tools including full-session audit trails, drill-down session queries, and customizable reports and queries.

◆ Client/Server application support
FirePass server offers a Client-Server Connector™ that provides application-specific tunnels for client-server applications such as Microsoft® Outlook®, ERP package applications, and custom TCP/IP applications. FirePass server also provides a VPN Connector™ that gives full network access comparable to that of a traditional IPSec VPN connection.

◆ Desktop Access
FirePass server offers web-based access to authorized desktops, with support for remote control, lightweight email/file access, guest access, and Web conferencing.

◆ High availability
FirePass servers can be configured to fail over to hot standby servers.

◆ Scalability
FirePass server clusters support up to 10,000 users on a single logical server.
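Both the Security overview and the Authentication feature above state that the FirePass server can hand password authentication to an existing RADIUS server. The following Python script is an added example, not F5 code and not part of this guide; it builds the Access-Request / Access-Accept exchange defined in RFC 2865 (PAP password hiding and the Response Authenticator), so an administrator can see exactly what crosses the wire between a NAS such as the FirePass server and a RADIUS server, and how the client verifies that a reply came from a server holding the shared secret. The user name, password, NAS identifier, shared secret and the toy server's user table are all constructed test values.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865, PAP).

Added example; not part of the FirePass guide or F5 software. All user
names, passwords, NAS identifiers and the shared secret are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: NUL-pad to a 16-byte multiple, XOR each block with MD5(secret + previous)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    out = b""
    for kind, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes((kind, len(value) + 2)) + value
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = HEADER.unpack(pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("Length field inconsistent with datagram")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def build_access_request(ident, secret, username, password, nas_id, authenticator=None):
    """What the NAS (here, the FirePass server) sends to the RADIUS server."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    if len(ra) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, ra)),
                         (NAS_IDENTIFIER, nas_id)])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def build_response(code, request, secret, attrs=()):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    body = encode_attrs(list(attrs))
    head = HEADER.pack(code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body


def verify_response(response, request, secret):
    """Client-side check: identifier matches our request and the MAC proves the shared secret."""
    code, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    if ident != req_ident or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    length = HEADER.unpack(response[:4])[2]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def radius_server_decide(request, secret, user_db):
    """Toy RADIUS server: PAP check against a constructed {username: password} table."""
    code, _, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    user, hidden = fields.get(USER_NAME), fields.get(USER_PASSWORD)
    if user is None or hidden is None:
        return build_response(ACCESS_REJECT, request, secret)
    expected = user_db.get(user)
    ok = expected is not None and hmac.compare_digest(expected, reveal_password(hidden, secret, req_auth))
    if ok:
        return build_response(ACCESS_ACCEPT, request, secret, [(REPLY_MESSAGE, b"Welcome")])
    return build_response(ACCESS_REJECT, request, secret)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    req = build_access_request(7, SECRET, b"alice", b"correct horse", b"firepass-1")
    resp = radius_server_decide(req, SECRET, {b"alice": b"correct horse"})
    print("accepted" if parse_packet(resp)[0] == ACCESS_ACCEPT else "rejected",
          "authentic" if verify_response(resp, req, SECRET) else "forged")
```

Two points worth noticing in the exchange: the Access-Request itself carries no integrity protection in RFC 2865 (only the reply is authenticated by the shared secret), so the shared secret should be long and random and the RADIUS traffic confined to a trusted network or an IPSec tunnel; and the password hiding is an MD5-based stream, which is why a RADIUS server behind a remote-access gateway is no stronger than the secrecy of that shared secret.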
About this guide This FirePass Administrator Guide provides information and step-by-step instructions for installing and administering the FirePass™ 1000 and 4000 servers. This guide is available as an Adobe Acrobat file (.pdf). (To install a free version of Adobe Acrobat Reader, see http://www.adobe.com.)
Audience This guide is for system and network administrators who install and configure IT equipment and software. This guide assumes that administrators have experience installing software and working with network configurations.
Finding help and technical support resources

You can find additional technical documentation about the FirePass server in the following locations:

◆ Release notes
Release notes containing the latest information for the current version of FirePass server are available from the Administrative Console. Click the Maintenance tab and then click the Online Update link. Release notes include a list of new features and enhancements, a list of fixes, and a list of known issues.

◆ Online help for FirePass features
You can find help online for virtually all screens on the Administrative Console. Click the Help Page button in the upper right of the panel.

◆ Technical support through the World Wide Web
The F5® Networks Technical Support web site, http://tech.f5.com, provides the latest technical notes, answers to frequently asked questions, updates for the Administrator Kit (in PDF format), updates for the release notes, and the Ask F5 natural language question and answer engine.
Conventions used in this manual
Information that you type appears in a bold, monospace font. For example: admin
A Tip suggests ways to make administration easier or faster. For example:
Tip: An easy way to enter a user agent string is to copy and paste the string from the Logons report.
A Note or Important contains important information. For example:
Note: If you are powering up a server cluster, always power up the master server first.
Important: If your superuser password is lost, contact Technical Support.
A Warning describes actions that can cause data loss or problems. For example:
WARNING: Do not turn the FirePass server off by using the Power switch on the front panel.
2 Deploying the FirePass Server
• Overview of deploying the FirePass server
• Configuring a firewall to work with the FirePass server
• Understanding name resolution issues for FirePass servers with a private IP address
• Installing the FirePass server
• Testing network connectivity
• Using the Administrative Console to configure the FirePass server
• Using the Maintenance Console
• What’s next?
Deploying the FirePass Server
Overview of deploying the FirePass server This section contains an overview of the tasks for deploying the FirePass™ server.
Summary of tasks for installing and deploying the FirePass server
Table 2.1 provides a summary of the tasks for installing and deploying the FirePass server.

Task | For more information, see
Configure the firewalls at your site to allow traffic to and from the FirePass server. | Configuring a firewall to work with the FirePass server, on page 2-2
If the FirePass server has a private IP address, set up name resolution for internal users and client software. | Understanding name resolution issues for FirePass servers with a private IP address, on page 2-11
Install the FirePass server, and power it up. Using the WAN port, create an isolated network to reach the FirePass server using its factory default IP address. | Installing the FirePass server, on page 2-12
Enter basic configuration information using either the Administrative Console (recommended) or the Maintenance Console (available as a backup). | Using the Administrative Console to configure the FirePass server, on page 2-17
Connect the FirePass server to the network. Test that the FirePass server is accessible on the network, and test DNS resolution of the FirePass server’s host name inside and outside the firewall. | Testing network connectivity, on page 2-16
After the FirePass server is up and running and the network connections are working, use the Administrative Console to finish configuring the server from a Web browser. | Using the Administrative Console to configure the FirePass server, on page 2-17
(Recommended) Change the superuser password. | Changing the superuser password, on page 2-18
Configure one or more authentication methods for FirePass users. Then add groups and user accounts. | Chapter 3, Setting Up FirePass Server Security
Configure the FirePass server’s Webifyers that you want to make available to users. For example, configure the SSL VPN Webifyer, if necessary. | Chapter 4, Configuring the FirePass Webifyers
Install a new SSL certificate. | Setting up certificates, on page 3-29
(Optional) If necessary, customize the appearance of the user’s home panel, such as the logo and terms used for logging in. | Customizing the user’s home page, on page 5-31
Table 2.1 Overview of FirePass Deployment Tasks
Configuring a firewall to work with the FirePass server
The FirePass server enables remote access by communicating through secure tunnels between remote users on untrusted or unprivileged hosts on the Internet and your corporate LAN. This section describes the firewall ports at your site that must be opened to allow traffic to and from the FirePass server so that it can operate correctly. The particular firewall ports that you must open depend on where you install the FirePass server relative to the firewalls, and on which network and application services the server must access. Some ports must be open in all situations, such as ports 80 and 443 for HTTP and HTTPS on the external firewall between the FirePass server and remote Web browsers. If the FirePass server is installed in a DMZ with an internal firewall separating it from the corporate network, you also have to open other ports as necessary to allow access to network services such as DNS, and to use particular application services such as e-mail. The illustration in Figure 2.1 shows the services and ports used by the FirePass server.
Figure 2.1 Allowing traffic on firewall ports for a FirePass server
For more information on configuring the firewall ports, see the following section and the tables on pages 2-6 through 2-10.
Overview of the firewall configuration process
During the process of firewall configuration, consider opening the firewall ports in phases. In the initial phase, focus on opening the ports that allow access to the FirePass server from both inside and outside the firewall when you specify the server’s host name in a Web browser. In this initial phase, you might also open the ports for SMTP so that the FirePass server can send email messages to the FirePass administrator. For this initial phase, the following ports need to be opened:
• Assuming there is a firewall between the Internet and the FirePass server, the firewall must allow inbound traffic on ports 80 (HTTP) and 443 (HTTPS) as a base configuration, with a destination address of the publicly accessible FirePass address.
• The firewall must also allow the FirePass server access to network services such as NTP, DNS, and SMTP (on ports 123, 53, and 25). The network services might be located on an external network (Internet), or on the internal corporate network. The location of the network services and your particular deployment scenario determine which firewall’s ports must be open, assuming there is a firewall between the FirePass server and these services.
• If there is a firewall between the FirePass server and the corporate LAN, the firewall must allow traffic on ports 80, 443, and 661.
To verify that the FirePass server has access to DNS and SMTP services after you have opened the ports and installed the FirePass server, use the instructions in Testing network connectivity, on page 2-16. After you have verified that the FirePass server has access to DNS and SMTP services and that you can access the server from a Web browser from either side of the firewall, open the specific ports that are necessary for your particular deployment. See the tables in this section that describe the ports and services. Open only the ports that the Webifyers you actually enable need: every additional port opened from the DMZ into the corporate LAN widens what an attacker who compromises the FirePass server can reach.
For example, if you are using LDAP for authentication, you must open ports 389 and 636. Here are some other examples of application services you might need to support:
• To support My Files, the FirePass server needs access to Windows file servers using Microsoft Networking (ports 135, 137, 138, 139).
• To support My Email, the FirePass server needs access to POP/IMAP and LDAP (ports 110, 143, 389, 636).
• To support Host Access, the FirePass server needs access to Telnet (port 23).
The services are sometimes hosted locally behind a firewall, and sometimes hosted remotely. If the services are hosted remotely, the external firewall must allow the FirePass server to make connections to those services on specific TCP/IP ports. Telnet, POP and IMAP carry user credentials in the clear, so if any of these services is reached across an untrusted network rather than the local LAN, use an encrypted variant or a dedicated tunnel.
To allow access to the FirePass server from the Internet, you can create either Network Address Translation (NAT) rules or port forwarding rules on the firewall to forward inbound packets to the server. The advantage of static NAT is that it does not require you to forward each individual port to the FirePass server. To use static NAT, configure a rule that forwards all allowable traffic from the public IP address to the private IP address assigned to the FirePass server. However, some firewalls only allow static NAT using a public IP address other than the address of their own public interface. In this case, you must use port forwarding by setting up rules to forward the appropriate ports to the private IP address assigned to the FirePass server.
Firewalls can be classified as stateful and non-stateful. Stateful firewalls allow bi-directional communication (that is, they create a return rule for an allowed service). Older firewalls, especially ones based on Linux ipchains, are often non-stateful; they do not track connections and so do not allow bi-directional communication on their own. If you have a stateful firewall (most newer commercial firewalls are stateful), you only need to define rules for the actual traffic; the replies are automatically allowed to pass. If you have a non-stateful firewall, you must also define rules for the replies, matching packets with the ACK (acknowledgement) bit set for the TCP protocols. Such an ACK-only rule admits any packet carrying the ACK flag from the listed source port, not just genuine replies, which is one reason to prefer a stateful firewall in front of a remote access gateway.
For completeness, the following tables list the types of traffic (in pairs of request and response) that must be allowed through the firewalls for each category of FirePass server functionality. All traffic associated with the FirePass server falls into one of these categories:
• Traffic between the remote user’s browser and the FirePass server. (See About the traffic between a remote user’s browser and the FirePass server, on page 2-5.)
• Traffic between the FirePass server and network services, such as LDAP, RADIUS, and DNS. (See About the traffic between the FirePass server and network services, on page 2-6.)
• Traffic between the FirePass server and application services, such as file servers, email servers, and the Intranet. (See About the traffic between FirePass server and application services, on page 2-7.)
• Traffic between the FirePass server and corporate LAN using My Desktop.
(See About the traffic between the FirePass server and the Desktop Agent, on page 2-9.) Note
A particular type of traffic shown in the tables is only required if Required appears in the Comment column for the traffic, or, as stated previously, if you are enabling an application service that requires the port to be opened.
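The phased approach and the stateful versus non-stateful distinction above translate directly into rule sets. The following Python script is an added example and is not part of the F5 guide: it encodes a subset of the request rows from Tables 2.2 to 2.4 (request direction only), selects the rows for the features you enable, and renders iptables FORWARD rules, generating the explicit ACK-matching reply rule for TCP on a non-stateful firewall and a single conntrack rule on a stateful one. The addresses 192.0.2.10 (FirePass server) and 10.0.0.0/8 (corporate LAN) are assumed placeholders; the feature names (base, ldap, radius, my_files, my_email, host_access) are labels chosen for this example.

```python
"""Derive firewall rules for a FirePass deployment from the port tables in this chapter.

Added example, not part of the F5 guide. The addresses are assumptions:
192.0.2.10 stands in for the FirePass server's private address and
10.0.0.0/8 for the corporate LAN. FLOWS is a subset of Tables 2.2 to 2.4
(request direction only); the reply direction is derived the way the
overview describes.
"""
from dataclasses import dataclass
from typing import Iterable, List

FIREPASS = "192.0.2.10"      # assumed private IP of the FirePass server
INTERNET = "0.0.0.0/0"       # remote browsers anywhere
LAN = "10.0.0.0/8"           # assumed corporate LAN
HIGH = "1025:65535"          # the "1025 to 65535" client port range used in the tables


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str       # "tcp" or "udp"
    src: str         # initiator
    dst: str         # responder
    dport: str       # port(s) on the responder
    feature: str     # deployment phase or Webifyer that needs the flow (labels chosen here)


# Request direction only; the response rule is generated below.
FLOWS = [
    Flow("HTTP", "tcp", INTERNET, FIREPASS, "80", "base"),
    Flow("HTTPS", "tcp", INTERNET, FIREPASS, "443", "base"),
    Flow("DNS", "udp", FIREPASS, LAN, "53", "base"),
    Flow("NTP", "udp", FIREPASS, LAN, "123", "base"),
    Flow("SMTP", "tcp", FIREPASS, LAN, "25", "base"),
    Flow("LDAP", "tcp", FIREPASS, LAN, "389", "ldap"),
    Flow("LDAPS", "tcp", FIREPASS, LAN, "636", "ldap"),
    Flow("RADIUS", "udp", FIREPASS, LAN, "1645:1646", "radius"),
    Flow("MS-RPC", "tcp", FIREPASS, LAN, "135", "my_files"),
    Flow("NetBIOS session", "tcp", FIREPASS, LAN, "139", "my_files"),
    Flow("NetBIOS name/datagram", "udp", FIREPASS, LAN, "137:138", "my_files"),
    Flow("POP3", "tcp", FIREPASS, LAN, "110", "my_email"),
    Flow("IMAP", "tcp", FIREPASS, LAN, "143", "my_email"),
    Flow("Telnet/3270", "tcp", FIREPASS, LAN, "23", "host_access"),
]


def required_flows(features: Iterable[str]) -> List[Flow]:
    """Phased opening: the base set is always needed, the rest only per enabled feature."""
    wanted = set(features) | {"base"}
    return [f for f in FLOWS if f.feature in wanted]


def iptables_rules(flows: Iterable[Flow], stateful: bool) -> List[str]:
    """Render iptables FORWARD rules.

    Stateful: one conntrack rule admits all replies, so only requests are listed.
    Non-stateful: every request needs an explicit reply rule; for TCP the reply
    rule matches only packets carrying ACK, for UDP there is nothing to match on
    beyond the port pair, so the reply rule is simply the mirror image.
    """
    rules = []
    if stateful:
        rules.append("iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    for f in flows:
        rules.append(
            f"iptables -A FORWARD -p {f.proto} -s {f.src} --sport {HIGH} "
            f"-d {f.dst} --dport {f.dport} -j ACCEPT  # {f.name}"
        )
        if not stateful:
            ack = " --tcp-flags ACK ACK" if f.proto == "tcp" else ""
            rules.append(
                f"iptables -A FORWARD -p {f.proto} -s {f.dst} --sport {f.dport} "
                f"-d {f.src} --dport {HIGH}{ack} -j ACCEPT  # {f.name} (response)"
            )
    rules.append("iptables -P FORWARD DROP")
    return rules


if __name__ == "__main__":
    import sys
    feats = sys.argv[1:]            # e.g.  python firewall_rules.py ldap my_files
    for stateful in (True, False):
        print(f"# {'stateful' if stateful else 'non-stateful'} firewall, features: {feats or ['base']}")
        print("\n".join(iptables_rules(required_flows(feats), stateful)))
```

Running it with no arguments prints the base rule set twice, once for each firewall type; the non-stateful listing is roughly twice as long, and the UDP reply rules (DNS, NTP) have no flag to match on at all, which is the weakness the overview alludes to. Extend FLOWS with the remaining table rows for your own deployment, and keep the default policy DROP at the end.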
About the traffic between a remote user’s browser and the FirePass server To allow traffic between a remote user’s browser and the FirePass server, you must open the firewall ports as shown in Table 2.2. The FirePass bridge ports (10000-10100) are optional ports in the external firewall that are used to distribute sessions to ensure that port 443 is open for new requests. These ports are configurable, and can be set to any of the high TCP/IP ports (1025 – 65535). If the number of concurrent My Desktop users is low—less than 5 concurrent users on the FirePass 1000, or less than 20 on the FirePass 4000—then there is no requirement to open the high TCP/IP ports (1025 to 65535). The server uses the high ports if they are available, otherwise it uses port 443. During installation, or in case of severe malfunction, you may need to give Technical Support access to your Maintenance Console using Secure Shell (SSH). To allow this access while blocking routine SSH access, the FirePass server provides temporary, encrypted keys, further protected by a passphrase. For more information about providing SSH access to Technical Support, see Providing SSH access for Technical Support, on page 5-31.
In this and the following tables, Yes in the Ack bit column means that on a non-stateful firewall the reply rule must match only packets with the ACK bit set; a stateful firewall admits the replies automatically.

Traffic type | Protocol | Source address | Source ports | Destination address | Destination ports | Ack bit | Comment
HTTP | TCP | Remote browser | 1025 to 65535 | FirePass server | 80 | | Required
HTTP (response) | TCP | FirePass server | 80 | Remote browser | 1025 to 65535 | Yes | Required
HTTPS | TCP | Remote browser | 1025 to 65535 | FirePass server | 443 | | Required
HTTPS (response) | TCP | FirePass server | 443 | Remote browser | 1025 to 65535 | Yes | Required
FirePass bridge | TCP | Remote browser | 1025 to 65535 | FirePass server | 10000 to 10100 | | Optional for My Desktop
FirePass bridge (response) | TCP | FirePass server | 10000 to 10100 | Remote browser | 1025 to 65535 | Yes | Optional for My Desktop
SSH | TCP | Local LAN | 1025 to 65535 | FirePass server | 22 | | Optional
SSH (response) | TCP | FirePass server | 22 | Local LAN | 1025 to 65535 | Yes | Optional
Table 2.2 Traffic between a remote user’s browser and the FirePass server
About the traffic between the FirePass server and network services The FirePass server needs access to the network services listed in Table 2.3, some of which are optional and depend on your particular configuration. If the services are hosted across a firewall from the FirePass server, you must open the firewall ports to allow the FirePass server to access these services. Important
Configure your internal DNS server such that your FirePass server host name resolves to the server’s local IP address. This is to ensure that traffic from the same side of the firewall can reach the FirePass server. You can do this on a WINS server or on a DNS server if the DNS server is hosted locally. (See Understanding name resolution issues for FirePass servers with a private IP address, on page 2-11.)

Traffic type | Protocol | Source address | Source ports | Destination address | Destination ports | Ack bit | Comment
DNS | UDP (TCP for large responses) | FirePass server | 1025 to 65535 | Local LAN | 53 | |
DNS (response) | UDP (TCP for large responses) | Local LAN | 53 | FirePass server | 1025 to 65535 | Yes (TCP only) |
NTP | UDP | FirePass server | 1025 to 65535 | Local LAN | 123 | | Optional
NTP (response) | UDP | Local LAN | 123 | FirePass server | 1025 to 65535 | n/a | Optional
SSH | TCP | Local LAN | 1025 to 65535 | FirePass server | 22 | | Optional
SSH (response) | TCP | FirePass server | 22 | Local LAN | 1025 to 65535 | Yes | Optional
SecurID authentication | UDP | FirePass server | 1025 to 65535 | Local LAN | 1645, 1646 | | Required for SecurID authentication
SecurID authentication (response) | UDP | Local LAN | 1645, 1646 | FirePass server | 1025 to 65535 | n/a | Required for SecurID authentication
LDAP | TCP | FirePass server | 1025 to 65535 | Local LAN | 389, 636 | | Required for LDAP authentication
LDAP (response) | TCP | Local LAN | 389, 636 | FirePass server | 1025 to 65535 | Yes | Required for LDAP authentication
RADIUS | UDP | FirePass server | 1025 to 65535 | Local LAN | 1645, 1646 | | Required for RADIUS authentication
RADIUS (response) | UDP | Local LAN | 1645, 1646 | FirePass server | 1025 to 65535 | n/a | Required for RADIUS authentication
SMTP | TCP | FirePass server | 1025 to 65535 | Local LAN | 25 | |
SMTP (response) | TCP | Local LAN | 25 | FirePass server | 1025 to 65535 | Yes |
Table 2.3 Traffic between FirePass server and network services

The FirePass server is the client for DNS, NTP, SMTP, LDAP and RADIUS, so each of those requests leaves the server from a high port and the response returns to that port. RADIUS (and SecurID when it is reached on the RADIUS ports shown) is a UDP protocol, so the ACK bit does not apply; 1645 and 1646 are the older RADIUS port numbers, and a RADIUS server may instead listen on 1812 and 1813, so match the rule to the port your server is actually configured to use. Use port 636 (LDAP over SSL) rather than 389 wherever the directory supports it: a simple LDAP bind over port 389 sends the password in clear text, and that password is the one the FirePass server has just collected from the remote user.
About the traffic between FirePass server and application services
To allow traffic between the FirePass server and application services on the corporate LAN, you must open the firewall ports as shown in Table 2.4. The application services include the following, some of which are optional and depend on your particular configuration:
• File servers
• Email servers
• Intranet
• Terminal servers
• Legacy mainframe and AS/400 applications
• Client/server applications
• SSL VPN
A FirePass server that needs to use any of these application services must be able to communicate with the local LAN on several ports. Most of these ports are listed in Table 2.4 with the default port assignments. (Your network may vary.) Microsoft Networking requires four ports, two TCP ports and two UDP ports. Port 135 is the RPC port, port 139 is the NetBIOS session service, port 137 is the NetBIOS name service, and port 138 is the NetBIOS datagram service. These ports must be open for users to view network file shares with the My Files Webifyer. A WINS server is needed for NetBIOS name to IP address resolution to work properly. Open these four ports only on the internal firewall, from the FirePass server toward the file servers; they are never needed on the Internet-facing side.
Traffic type | Protocol | Source address | Source ports | Destination address | Destination ports | Ack bit | Comment
HTTP | TCP | Local LAN | 1025 to 65535 | FirePass server | 80 | | Required
HTTP (response) | TCP | FirePass server | 80 | Local LAN | 1025 to 65535 | Yes | Required
HTTPS | TCP | Local LAN | 1025 to 65535 | FirePass server | 443 | | Required
HTTPS (response) | TCP | FirePass server | 443 | Local LAN | 1025 to 65535 | Yes | Required
IMAP | TCP | FirePass server | 1025 to 65535 | Local LAN | 143 | | Required for email
IMAP (response) | TCP | Local LAN | 143 | FirePass server | 1025 to 65535 | Yes | Required for email
POP | TCP | FirePass server | 1025 to 65535 | Local LAN | 110 | | Required for email
POP (response) | TCP | Local LAN | 110 | FirePass server | 1025 to 65535 | Yes | Required for email
Microsoft Networking | TCP | FirePass server | 1025 to 65535 | Local LAN | 135, 139 | | Required for File services
Microsoft Networking (response) | TCP | Local LAN | 135, 139 | FirePass server | 1025 to 65535 | Yes | Required for File services
Microsoft Networking | UDP | FirePass server | 1025 to 65535 | Local LAN | 137, 138 | | Required for File services
Microsoft Networking (response) | UDP | Local LAN | 137, 138 | FirePass server | 1025 to 65535 | n/a | Required for File services
Telnet/3270 | TCP | FirePass server | 1025 to 65535 | Local LAN | 23 | | Required for Host Access
Telnet/3270 (response) | TCP | Local LAN | 23 | FirePass server | 1025 to 65535 | Yes | Required for Host Access
Client/Server applications | TCP | FirePass server | 1025 to 65535 | Local LAN | User-defined TCP | | Required for each App tunnel
Client/Server applications (response) | TCP | Local LAN | User-defined TCP | FirePass server | 1025 to 65535 | Yes | Required for each App tunnel
SSL VPN Connector | TCP, UDP, ICMP | FirePass server | 1025 to 65535 | Local LAN | Any ports as needed | | Required for SSL VPN as needed
SSL VPN Connector (response) | TCP, UDP, ICMP | Local LAN | Any ports as needed | FirePass server | 1025 to 65535 | Yes | Required for SSL VPN as needed
Table 2.4 Traffic between FirePass server and application services

"Any ports as needed" for the SSL VPN Connector means the ports and subnets that VPN users genuinely require, not the whole LAN: the SSL VPN Connector gives full network access, so this internal firewall rule is where you limit what a remote user, or an attacker holding a remote user's credentials, can reach.
About the traffic between the FirePass server and the Desktop Agent
To allow traffic from the FirePass server to the corporate LAN using the My Desktop feature, you must open firewall ports as shown in Table 2.5. The FirePass client (Desktop Agent) on the desktop computer on the local LAN uses ports 80 and 81 on the FirePass server to initiate communications during My Desktop sessions. The sequence is as follows: the FirePass server “wakes” the Agent using the Host Activation Protocol (HAP), a registered port (661), then communicates with it on port 443; the Agent then initiates a new connection on port 81 back to the FirePass server.
Note
The port numbers in the following table are default values which you can change. For more information, see Configuring the My Desktop Webifyer, on page 4-31.
Traffic type | Protocol | Source address | Source ports | Destination address | Destination ports | Ack bit | Comment
HTTP | TCP | Local LAN | 1025 to 65535 | FirePass server | 80, 81 | | Required for My Desktop
HTTP (response) | TCP | FirePass server | 80, 81 | Local LAN | 1025 to 65535 | Yes | Required for My Desktop
Host Activation Protocol (HAP) | TCP | FirePass server | 1025 to 65535 | Local LAN | 661 | | Required for My Desktop
Host Activation Protocol (HAP) (response) | TCP | Local LAN | 661 | FirePass server | 1025 to 65535 | Yes | Required for My Desktop
HTTPS | TCP | FirePass server | 1025 to 65535 | Local LAN | 443 | | Required for My Desktop
HTTPS (response) | TCP | Local LAN | 443 | FirePass server | 1025 to 65535 | Yes | Required for My Desktop
Table 2.5 Traffic between FirePass server and corporate LAN using My Desktop

The HAP and HTTPS rules let the FirePass server open connections into the LAN. Where the firewall allows it, restrict the destination of these rules to the address range of the desktops on which the Agent is installed rather than the entire corporate LAN.
Understanding name resolution issues for FirePass servers with a private IP address
If the FirePass server is installed on a corporate LAN or in a DMZ that uses private IP addresses, the firewall or gateway performs Network Address Translation (NAT). This means that the FirePass server has two different DNS “identities”: one mapped to the public IP address, and another to the NATed private IP address. External users outside the firewall do not have name resolution problems because the FirePass server’s name resolves to the public address of the firewall or gateway. The firewall or gateway then forwards the user’s traffic to the FirePass server. However, internal users on the corporate LAN and the My Desktop client software can be affected by internal name resolution problems unless you prevent them. You can prevent name resolution problems by doing any of the following:
◆
If you have an internal DNS server, set up a zone with a fully qualified domain name (such as server-name.company.com), and then add an A record to that zone that resolves to the FirePass server’s private address (such as 10.0.0.8). Make sure this internal zone is served only to internal clients; the public zone must continue to publish the public address.
◆
If you have a WINS server, add a static entry for the FirePass server name.
◆
If you have a firewall that supports a DNS alias feature (such as the Cisco PIX), set up the firewall to redirect internal FirePass server traffic originating from the corporate LAN to the FirePass server’s private IP address.
◆
If there is no internal DNS server, WINS server, or suitable firewall, you must use a local hosts file on each corporate LAN computer that must connect to the FirePass server.
Note
This name resolution problem does not apply to a FirePass server that has a public IP address because internal and external users can both use a name that resolves to the same IP address for the server.
Important
To support the FirePass server’s application tunnels for clustered or load balanced applications such as Oracle®, Citrix®, or SAP®, you must specify the fully qualified domain names of the servers running the applications. Those applications must also support the use of fully qualified domain names when passing server address information to the client side application. Single server applications may use the server IP address if the remote client is also configured to do so.
Installing the FirePass server
This section describes how to install one or more FirePass servers in an equipment rack, connect them to a network, and power them up. When installing and connecting wiring to the FirePass server, be sure to follow these basic safety precautions to avoid injury to you or damage to the server:
• Read and understand all instructions.
• Do not disassemble the FirePass server.
• Do not restrict airflow through the fans or vents of the FirePass server.
• Connect the unit to a properly grounded and rated power supply circuit that meets the provisions of the current edition of the National Electrical Code, or other wiring rules that may apply to your location.
Unpacking the FirePass server
After unpacking the FirePass server, you should have the following items:
• FirePass server
• 120 VAC power cord
• Network cable
Installing the FirePass server in an equipment rack Install a FirePass 1000 server in a standard 1U equipment rack, and a FirePass 4000 server in a standard 2U equipment rack. Make sure that the rack has adequate ventilation and power. We strongly recommend using an Uninterruptible Power Supply (UPS).
Connecting the FirePass server to a network and powering up
To connect a FirePass server to a network and power up:
1. Connect an Ethernet cable from your network to the 10/100 Base-T (RJ-45) WAN connector on the FirePass server.
• FirePass 1000: the WAN port is clearly labeled on the front panel of the server.
• FirePass 4000: the WAN port is on the back of the server. It is the network port in the expansion slot on the right side (see FirePass 4000 port locations, on page 2-13).
Figure 2.2 FirePass 4000 port locations
2. If you are connecting two dual-NIC FirePass servers in failover pairs, connect the same corresponding NICs to the same subnet on both servers. For example, connect the internal NIC on both servers to the same subnet. For information on configuring FirePass failover servers, see Chapter 7, Configuring FirePass Failover Servers and Cluster Servers.
3. If you are connecting several FirePass servers as a cluster, connect the primary NICs to the same subnet unless they are installed in different geographic locations. For information on configuring FirePass server clusters, see Using FirePass server clusters, on page 7-5.
4. Plug the power cable into a 120 VAC wall outlet and into the Power connector on the rear panel of the FirePass server.
5. Turn on the Power switch on the front panel of the FirePass server.
Note
If you are powering up a server cluster, always power up the Master server first. If the Master server is not available when the slave servers power up, the cluster does not work properly.
WARNING
Do not turn the FirePass server off by using the Power switch on the front panel. Data corruption might occur, possibly rendering the FirePass server unavailable. To shut the FirePass server down, always use the Shutdown commands in the Administrative Console or the Maintenance Console. For more information, see Shutting down and restarting FirePass, on page 5-17.
Performing the initial FirePass IP configuration
The FirePass server comes pre-configured with a default set of networking and server settings. The following table provides the important default FirePass settings.

Setting | Factory default value
Admin Console user name | admin
Admin Console password | admin
Maintenance Console user name | maintenance
Maintenance Console password |
Server name | firepass.company.xyz
Server IP address/mask | 192.168.1.99 / 255.255.255.0
DNS server IP address | 192.168.1.1
Gateway IP address | 192.168.1.1
Domain suffix | company.xyz
SSL VPN network subnet | 192.168.192.0 / 255.255.255.0
SSL certificate | firepass.company.xyz
Administrator’s email address | [email protected]
SMTP server | mail.company.xyz
NTP server | ntp.nasa.gov
Table 2.6 FirePass default network settings

These defaults are published in this guide, so anyone who can reach the server knows them. Change the admin password before the server is connected to a routable network, replace the firepass.company.xyz certificate with one issued for the server’s real name (see Setting up certificates, on page 3-29), and point the NTP setting at your own time source; the factory NTP server is on the Internet, which otherwise means opening port 123 outbound through the external firewall.

Perform the initial IP configuration using the web-based FirePass Administrative Console interface (recommended) or the terminal-based FirePass Maintenance Console.
To use the web-based Administrative Console for initial configuration (recommended)
1. Create an isolated network that includes the FirePass server and another machine with a web browser. Connect them directly using a cross-over Ethernet cable, or indirectly with a standard Ethernet cable and an isolated hub or switch. Enter the default URL, https://192.168.1.99/stats/, into the web browser (be sure to include the final slash). One or more certificate warning messages may be displayed: the server is still presenting the factory self-signed certificate for firepass.company.xyz, which is acceptable only on this isolated network. Accept them. You should see the FirePass login screen.
2. Log in using the default administrator name admin and password admin.
3. Set up the IP configuration. Navigate to Server/Maintenance/Network Configuration. Specify the IP address, subnet, and port settings. For more information see Maintaining the network configuration settings, on page 5-1.
4. DNS name resolution. Navigate to Server/Maintenance/Network Configuration/Hosts. Enter the fully qualified domain name (FQDN) of your FirePass server and the IP address of your Domain Name Server. If you have not already done so, make the corresponding entries in your Domain Name Server.
5. Shutdown/restart. Now shut down and restart FirePass. For more information see Shutting down and restarting FirePass, on page 5-17.
6. Connect to your network. Disconnect the FirePass server from the isolated network and reconnect it to your network. Test the network connections by following the instructions in Testing network connectivity, on page 2-16.
7. Finish configuring your FirePass server following the steps in What’s next?, on page 2-23.

To use the terminal-based Maintenance Console for initial IP configuration
First see To use the Maintenance Console to configure the FirePass server, on page 2-21.
1. Configure the appropriate network settings for your environment.
2. Shut down and restart the FirePass server.
3. Log in to the Administrative Console, and then finish configuring the FirePass server following the steps in What’s next?, on page 2-23.
Note
You can also access the Maintenance Console using a Telnet session in the Administration Console. For more information, see Using the Administrative Console to configure the FirePass server, on page 2-17.
Testing network connectivity
After connecting the FirePass server to your network, powering it up, and performing the initial IP address configuration, test that you can access the server from your network, and that the FirePass server’s fully qualified domain name resolves correctly both inside and outside the firewall.

To test network connectivity:
1. Test that the FirePass server is accessible from the LAN by entering the following command on a host computer on the LAN:
ping x.x.x.x
where x.x.x.x is the FirePass server’s private IP address.
2. Test DNS resolution of the FirePass server’s name and address inside the firewall. On a host computer inside the firewall, enter the following command:
ping host-name
where host-name is the fully qualified domain name assigned to the FirePass server. Inside the firewall, this name should resolve to the FirePass server’s private IP address.
3. Test DNS resolution of the FirePass server’s name and address outside the firewall. On a host computer outside the firewall, enter the same command:
ping host-name
Outside the firewall, this name should resolve to the FirePass server’s public IP address.
Note: You may not receive ping replies from outside the firewall if the firewall is not configured to pass ICMP packets. The address that ping prints for the name is still a valid resolution result even when no reply arrives.
4. Test accessing the server from a Web browser by entering the URL for the FirePass server on computers both inside and outside the firewall. For example, enter:
https://host-name/stats/
where host-name is the host name assigned to the FirePass server. For example, enter:
https://server-name.company.com/stats/
The FirePass server’s login screen should appear when you enter this URL.

Use the following information to troubleshoot problems accessing the server:
◆
If you have trouble accessing the FirePass server with a Web browser on a computer outside the firewall, the problem is usually caused by a misconfigured firewall, or a firewall that does not allow packets to travel in both directions. Non-stateful firewalls do not keep a connection state table and cannot identify packets returning from an open connection unless a matching rule that looks for the ACK bit is configured to allow traffic in the opposite direction.
◆
If you have trouble accessing the FirePass server by entering the fully qualified domain name on a computer inside the firewall, try entering the internal IP address. This problem is usually caused by DNS reflection, which occurs when an internal host resolves the name to the public address and sends its packet to the external interface of the firewall. The firewall forwards the packet to the FirePass server, but the reply does not return along the same path, so the internal host never sees a usable answer. Some routers have a work-around for this problem; the reliable fix is the internal A record described in Understanding name resolution issues for FirePass servers with a private IP address, on page 2-11.
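The steps above, and the two DNS identities described in the name resolution section, can be checked with a small script run once from a host inside the firewall and once from a host outside. The following Python program is an added example and is not part of the F5 guide: it resolves the server name, classifies the answer against the expected private or public identity for the vantage point, tests the HTTPS port with a TCP connect (ping is unreliable through a firewall that drops ICMP), and reports whether the presented certificate is one the client trusts for that name, so that a factory self-signed certificate, or a name mismatch after a certificate change, shows up as a finding rather than a silently accepted warning. The host name server-name.company.com and the addresses 10.0.0.8 and 203.0.113.5 are placeholders; the resolver and connector are passed as parameters so the decision logic runs offline against constructed answers.

```python
"""Post-deployment checks for a FirePass server: name resolution from each
side of the firewall, reachability of the HTTPS port, and whether the
certificate presented is one a browser will trust for the server's name.

Added example, not from the F5 guide. The host name and addresses used when
running it are placeholders; the /stats/ path is the console URL from the
procedure above. Resolver and connector are injectable so the logic can be
exercised offline with constructed answers.
"""
import socket
import ssl
from typing import Callable, Dict, Iterable, Set


def resolve(name: str) -> Set[str]:
    """All IPv4 addresses the local resolver returns for name (empty if none)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def classify_resolution(answers: Iterable[str], private_ip: str, public_ip: str) -> str:
    """Which of the NATed server's two identities did the resolver hand out?"""
    got = set(answers)
    if not got:
        return "no-answer"
    if got == {private_ip}:
        return "private"
    if got == {public_ip}:
        return "public"
    if got <= {private_ip, public_ip}:
        return "mixed"        # both records published: some clients will hairpin through the firewall
    return "unexpected"       # stale record, typo, or a hijacked name


def expected_identity(vantage: str) -> str:
    """Inside the firewall the name must give the private address, outside the public one."""
    if vantage not in ("inside", "outside"):
        raise ValueError("vantage must be 'inside' or 'outside'")
    return "private" if vantage == "inside" else "public"


def tcp_open(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """TCP connect instead of ping: ICMP is often dropped by the firewall, 443 must not be."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_trust(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """'trusted' if the certificate chains to a local root and matches host,
    'untrusted: <reason>' for the factory self-signed certificate or a name
    mismatch, 'unreachable' if no TLS connection could be made."""
    ctx = ssl.create_default_context()   # verifies the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError as exc:
        return f"untrusted: {exc.verify_message}"
    except (ssl.SSLError, OSError):
        return "unreachable"


def run_checks(fqdn: str, vantage: str, private_ip: str, public_ip: str,
               resolver: Callable[[str], Set[str]] = resolve,
               connector: Callable[[str, int], bool] = tcp_open) -> Dict[str, object]:
    """One report per vantage point; run it once inside and once outside the firewall."""
    answers = resolver(fqdn)
    identity = classify_resolution(answers, private_ip, public_ip)
    want = expected_identity(vantage)
    report = {
        "vantage": vantage,
        "answers": sorted(answers),
        "resolution": identity,
        "resolution_ok": identity == want,
        "https_reachable": bool(answers) and connector(fqdn, 443),
    }
    if identity == "public" and vantage == "inside":
        report["hint"] = "internal clients hairpin via the firewall (DNS reflection); add an internal A record"
    return report


if __name__ == "__main__":
    import json
    import sys
    # usage: python firepass_checks.py server-name.company.com inside 10.0.0.8 203.0.113.5
    fqdn, vantage, priv, pub = sys.argv[1:5]
    rep = run_checks(fqdn, vantage, priv, pub)
    rep["tls"] = tls_trust(fqdn) if rep["https_reachable"] else "skipped"
    print(json.dumps(rep, indent=2))
```

Run it from both sides with the same arguments except the vantage word. A report with resolution_ok false and the hint present is the DNS reflection case from the troubleshooting list; an "untrusted" TLS result after you have installed your own certificate means the name on the certificate does not match the name users type, which is exactly the warning you do not want them trained to click through.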
Using the Administrative Console to configure the FirePass server After verifying that the FirePass server is accessible on your network, you can use the Administrative Console in a Web browser to administer the server and change configuration settings as necessary. You can run the Administrative Console on any computer that can access the FirePass server over the network.
Logging into the Administrative Console
To log into the Administrative Console:
1. Enter the following URL in a Web browser on a computer that can access the FirePass server over a network or the Internet:
https://host-name/stats/
where host-name is the host name assigned to the FirePass server. For example, enter:
https://server-name.company.com/stats/
2. If a Security alert appears, click Yes to accept the SSL certificate. The FirePass login screen appears. (See below.) Expect this alert only while the factory certificate for firepass.company.xyz is still installed; once you have installed a certificate for the server’s own name (see Setting up certificates, on page 3-29), the browser should connect without a warning, and a warning at that point means the client is not talking to your server.
3. Enter the following superuser user name: admin.
4. Enter the default superuser password: admin.
Note: The user name and password are case sensitive. If the FirePass server rejects the user name and password, contact Technical Support.
FirePass™ Server Administrator Guide
2 - 17
Chapter 2
5. Click Login. .
After you log in, the Welcome panel for the FirePass Administrative Console appears. The Administrative Console is composed of several panels where you select options, enter configuration information, and choose commands to configure and administer the FirePass server. Some panels contain status information and reports that you can use to monitor the server. Click the tabs and links on the left side of the display to load each screen on the right side.
Changing the superuser password
One of the first tasks you should do is change the default password for the preconfigured Administrator (“superuser”) account.
To change the superuser password
1. Under the Server tab on the left side of the Administrative Console, click the Security link.
2. Click the Password link. The Change Superuser Password screen opens.
3. In the Old Password text box, type the current password.
4. In the Password and Confirm Password text boxes, type the new password, and then click Go.
Important
You also see an option to disable the Superuser account. Do not check this option before you have given comprehensive Administrator privileges, including access to all links on the Server tab, to other named accounts. You can assign Administrator privileges to other users by navigating to Server/Security/Administrators. For more information about assigning Administrator privileges, see Granting Administrator privileges to other users, on page 5-21.
Important
If your superuser password is lost, contact Technical Support.
Installing your license
Getting your first license
Your server should already have an installation type, serial number and registration key assigned. These show as the first three items in the Settings table display. If the Serial number is shown as unknown, contact Technical Support. When you receive your new FirePass server, you should also have received an email from Technical Support or the entitlement server. If so, follow the directions in the email. If not, contact Support ([email protected]) to make sure your license is ready. Licenses are time-limited, for security reasons. Install your license as soon as you receive it. Make sure that your firewall allows outbound Internet connections to port 443. Navigate to Server/Settings. Then click on the Pick up new license... link. If your license is ready and the server can contact the licensing server, your new license is installed.
Adding capacity or features to your license To add session capacity or features, see Adding capacity or features to your license, on page 5-11.
Displaying a list of current settings and licensed features You can display a list of the current configuration settings and licensed features. To display a list of current settings and licensed features click the Settings link under the Server tab. These are read-only, and are offered to assist in troubleshooting.
Using the Administrative Console to access the Maintenance Console You can use a web browser to gain access to the Maintenance Console. You do this by launching a Telnet session within the Administrative Console.
To use the Administrative Console to run the Maintenance Console 1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens. 2. Click the Low-level link. 3. Under Telnet access, click the Telnet Session to the Maintenance Account link. 4. At the Login prompt, enter the following: maintenance. No password is required. 5. Enter Y to agree to the conditions on the screen. The Maintenance Console menu appears.
Logging out of the Administrative Console If you do not log out of the Administrative Console, the FirePass server automatically times you out after a period of inactivity. This time interval is specified in the Inactivity Timeout option on the Customization panel of the Administrative Console.
To log out of the Administrative Console Use either option: • Click the Logout link on the left side of the Administrative Console. • Close your Web browser.
Using the Maintenance Console If you intend to use the Administrative Console web interface (recommended) to configure the FirePass IP address or if your server’s IP address and network mask are already configured correctly, you can skip this section. However, if your server’s IP address and network mask are not configured correctly, or if you are unable to connect to the server using a Web browser on the network, you can use the Maintenance Console to make configuration changes according to the instructions in this section. You can also use the Maintenance Console to perform basic connectivity diagnostics. Use one of the following methods to access the server and run the Maintenance Console: • Connect another computer’s serial port to the FirePass server’s serial port, and then use a terminal emulation program. • Connect a monitor and keyboard directly to the FirePass server (FirePass 4000 only).
To use the Maintenance Console to configure the FirePass server
1. Use a 9-pin D-style, null modem cable to connect the serial port on a serial terminal or on a computer to the FirePass server’s serial console port on the server’s rear panel.
2. If necessary, turn on the FirePass server’s Power switch.
3. Do one of the following:
• If you connected a serial terminal, press Enter on the terminal’s keyboard to start the Maintenance Console.
• If you connected a computer to the serial port, start a serial terminal emulation application (such as HyperTerminal on Windows® or Minicom on Linux) on the computer. Use the terminal emulation application to connect to the FirePass server with the following communications settings:
Setting            Value
Bits per second    9600
Data bits          8
Parity             None
Stop bits          1
Flow control       Xon/Xoff
4. At the Login prompt, enter the following: maintenance
No password is required.
5. Enter Y to agree to the conditions on the screen. The Maintenance Console menu appears.
6. To change the server name or other network settings, enter 1 for Network Configuration and then press the Enter key.
Tip
The IP Address and Network Mask are the only settings that you must configure to enable access to the server using the Administrative Console running in a Web browser on the network. But you can also use the other Maintenance Console commands at a later time to configure other settings.
7. At the Network Configuration prompts, enter the appropriate information or press the Enter key to accept the current setting.
8. After you finish entering the settings, enter Y at the confirmation prompt.
9. For some configuration changes, the server prompts you to restart.
• To restart the server, enter 6 for Restart Server on the command menu, and then press the Enter key.
• Otherwise, enter 8 for Exit, and then press the Enter key to exit the Maintenance Console.
10. Disconnect the serial cable.
What’s next?
Now that the FirePass server is installed and accessible on the network, you can use the Administrative Console to finish configuring FirePass.
◆ Set up security on the FirePass server by adding groups and user accounts, and then configuring authentication. For more information, see Chapter 3, Setting Up FirePass Server Security.
◆ (Optional) If necessary, change the FirePass server host name to a name that is appropriate for your site. For more information, see Changing the FirePass server name, on page 3-30.
◆ Install a new SSL certificate. For more information, see Setting up certificates, on page 3-29.
◆ Configure the SMTP Server, Administrator’s password and email, proxies, and SSL Server Certificate. See Chapter 5, Managing, Monitoring, and Maintaining the FirePass Server, for directions.
◆ Install the license signature. You may have received an email from the F5 entitlement server describing how to install your license. If so, use those directions. If not, contact technical support ([email protected]) to make sure your license is ready. Then navigate to Server/Settings/License and click on the link to pick up your new license signature.
◆ Configure the Webifyers that you want to make available to users. For example, configure the SSL VPN Webifyer, if necessary. For more information, see Chapter 4, Configuring the FirePass Webifyers.
◆ (Optional) If necessary, customize the appearance of the user’s home page, such as the logo and terms used for logging in. For more information, see Customizing the user’s home page, on page 5-31.
Note
After you use the superuser account to create user accounts, you can assign administrative privileges to one or more user accounts. For more information, see Assigning administrative privileges to a user account, on page 3-19.
3 Setting Up FirePass Server Security
• Overview of setting up FirePass server security
• Working with groups
• Working with user accounts
• Setting up FirePass server authentication
• Setting up certificates
• Limiting access to the administrative console by IP address
• What’s next?
Overview of setting up FirePass server security
Here is an overview of the steps for setting up groups, user accounts, authentication, and certificates on the FirePass™ server.
1. (Optional) If you want to use different settings for different users, create one or more additional groups on the FirePass server. Otherwise, use the default group for all users. Authentication, Webifyers, and many other features are set up on a per group basis on the FirePass server. If you are using the same authentication and Webifyer settings for all FirePass server users, you can simply add all users to the preexisting default group and use the default group for all settings. But if you want to use different authentication and Webifyer settings for different users, you must create one or more additional groups on the FirePass server before adding users or setting up authentication. (See Working with groups, on page 3-2.)
2. (Optional) If the FirePass server users are stored in an LDAP or a Windows Domain server, you can set up group mapping. Group mapping automatically keeps the groups on the FirePass server synchronized with the groups on the Windows Domain server or LDAP server. That is, if a user is moved to a different group on the Windows Domain or LDAP server, FirePass server automatically moves the user to the corresponding mapped group in its internal database the next time the user logs into FirePass server. If you also choose to use a signup template for new FirePass server users, group mapping can also have FirePass server query a Windows Domain or LDAP server for each user’s group membership, and automatically add the new user to the mapped group in the FirePass server’s internal database. (See Using Windows domain-based group mapping, on page 3-4 and Using LDAP-based group mapping, on page 3-6.)
3. Add user accounts to each group on the FirePass server by using any of the following methods:
• Manually add users to each group. (See Manually adding user accounts, on page 3-11.)
• Import users into each group from a Windows Domain server, an LDAP server, or a text file. (See page 3-13 through page 3-16.)
• Enable a signup template for each group to automatically add users when they log in for the first time if the users have an existing account in a RADIUS, LDAP, or Windows Domain server. (See Using signup templates to add user accounts, on page 3-16.)
All of these methods create user accounts in the FirePass server’s internal database.
4. (Optional) If you want to give FirePass server users access to NFS file servers, you can import the NFS permissions for each user that is listed in a UNIX password file. (See Using NFS user permissions from a UNIX password file, on page 3-17.)
5. Set up authentication for each group on the FirePass server. You can have the FirePass server use its own internal database for authentication, or you can have it use an external RADIUS, Windows Domain, LDAP, or VASCO server for authentication. (See Setting up FirePass server authentication, on page 3-23.)
6. (Optional) Set up server certificates specifically for your site, and set up client certificates to validate clients. If the FirePass server is a pilot deployment, we preinstalled a server certificate that contains a server-name.FP.com URL. You can change the FirePass server name to one that is appropriate for your site, and then generate and install a new server certificate that uses the new server name. You can also install an optional client root certificate and optional certificate revocation list (CRL), and configure the FirePass server to validate client certificates installed at each user’s computer. You can use the client certificates as part of a two-factor authentication system, or to limit access to particular FirePass Webifyers. For more information on changing the server name and setting up server and client certificates, see Setting up certificates, on page 3-29.
Working with groups
Users, authentication methods, Webifyers, and other features are set up separately for each Group defined in FirePass server. If you are using the same authentication and Webifyer settings for all FirePass server users, you can simply add all users to the preexisting FirePass server default group and use the default group for all settings. But if you want to use different authentication and Webifyer settings for different users, you must create groups on the FirePass server before adding users or setting up authentication requirements. For example, you can create one group of users that uses RADIUS server authentication, and another group that uses LDAP authentication.
Note
Group IDs for NFS users are not related to FirePass server groups. For more information, see Using NFS user permissions from a UNIX password file, on page 3-17.
Creating groups
To create a group
Use the Group Management screen.
1. Under the Users tab on the left side of the Administrative Console, click the Groups link. The Group Management screen opens.
2. In the New group name box in the Create New Group section, enter a name for the group. Only alphanumeric symbols are allowed.
3. From the Copy settings from list, select the group whose settings you want to copy to the new group. All settings for authentication methods, Webifyers, and signup templates are copied from the selected group to the new group.
4. Click the Create button. The new group is now accessible from the Group list on the panels for setting up authentication methods, Webifyers, and signup templates.
Deleting groups
To delete a group
1. In the Delete Group section of the Group Management panel, select the group from the Group to Delete drop-down list.
2. From the Reassign Users to drop-down list, choose the group to which you want to reassign the users from the deleted group.
3. Click the Delete button.
Moving users to a different group
If you are not using group mapping for a group, you can move users to a different group.
To move users to a different group
1. In the Move Users section of the Group Management panel, select the group from the Move Users to Group drop-down list to which you want to move users.
2. Click the Select Users button.
3. In the Move Users panel, select the users you want to move by clicking the check box next to each name.
4. Click the Move To Group button.
Showing a list of all users in a group
To show a list of all users in a group
1. In the Show Users section of the Group Management panel, select the group from the Show All Users in a Group drop-down list.
2. Click the Go button.
Using Windows domain-based group mapping
Typically, there are multiple groups defined within a Windows domain and users belong to one or more of these groups. To use the group membership information from the Windows domain, you can map the Windows domain groups to existing FirePass server groups. When a user logs into the FirePass server, FirePass server queries the Windows domain groups for the user’s name and attempts to match one of the domain groups to the FirePass server’s configured mapping. The FirePass server then dynamically moves the user to the FirePass server group based on a match. Note that the group must already exist on the FirePass server and be mapped before the user logs in. If the user is moved to a Windows domain group that does not exist on the FirePass server, the user remains in the same FirePass server group. Because a user can belong to more than one group within a Windows domain, the first group mapping match is used to determine which FirePass server group to move the user into. FirePass server uses the order in which you create mappings to determine the order in which to check for matches. That is, the first mapping you create is checked first. Keep this in mind when mapping groups to make sure domain users are mapped properly.
To use Windows domain-based group mapping
1. In the LDAP and Windows Domain Based Grouping section of the Group Management panel, select the Use Windows Domain Group to Map Group option.
2. In the Domain Name box, specify the name of the Windows domain you want to map users against.
3. (Optional) In the PDC Server Name box, specify the name of the Primary Domain Controller (PDC) server if the domain or PDC is on a different subnet than the FirePass server.
4. (Optional) In the WINS Server IP Address box, specify the IP address of the WINS server if the domain or PDC is on a different subnet than the FirePass server.
5. If the Windows domain PDC is not configured to accept anonymous access to user and group information, click the Join Windows Domain option. Then specify the Domain Admin Name and Domain Admin Password.
6. Click the Retrieve Windows Domain Groups button to retrieve the available domain groups from the Windows domain. If an error message is displayed or the list under Windows Domain Group is empty, verify the domain settings you specified.
7. To add mappings between domain groups and FirePass server groups, select domain group entries under the Windows Domain Group heading. Then select FirePass server groups from the drop-down list under the Map to Group heading and click the Add Mapping button.
8. To test which FirePass server group a user would be mapped to, enter a user login name for the Windows domain, and then click the Test Mapping button.
Note
If necessary, you can delete a mapping by selecting it and then clicking the Delete link.
Using LDAP-based group mapping
LDAP-based group mapping automatically keeps the groups on the FirePass server synchronized with the groups on an LDAP server. That is, if a user is moved to a different group on the LDAP server, FirePass server automatically moves the user to the new group in its internal database the next time the user logs into FirePass server. If the user is moved to an LDAP group that does not exist on the FirePass server, the user remains in the same FirePass server group. If you use a signup template for new FirePass server users, group mapping can also have FirePass server query an LDAP or Windows Domain server for each user’s group membership, and automatically add the new user to the mapped group in FirePass server’s internal database. (For more information on LDAP configuration, see Setting up LDAP server authentication, on page 3-27.)
There are two methods you can use to map LDAP groups:
• Based on LDAP user object information such as DN or any attribute. (See Mapping based on LDAP user object information, following.)
• Based on LDAP group object information. (See Using Windows domain-based group mapping, on page 3-4.)
Note
See your LDAP administrator for more specific information about your site’s LDAP configuration.
4. If you want to use SSL, select the Use SSL Connection option.
5. In the User DN box, enter a User DN. For example: CN=Administrator,DC=demo,DC=FP,DC=com
6. In the User Password box, enter a password.
Note: You can leave the User DN and User Password text boxes blank if your server allows anonymous access to perform a query.
7. In the Search Base DN box, enter a Search Base DN to specify where DN searches start from. For example: DC=demo,DC=FP works,DC=com
8. In the Filter Template box, enter a filter template to look up a user. The filter template must be a valid LDAP query expression. Use %s in the filter expression to insert a user name. For example, suppose you enter the following filter template: (&(objectclass=person)(cn=%s))
If the user name is george, the query when the user logs on is: (&(objectclass=person)(cn=george))
9. Do one of the following:
• Select the Use Attribute to Map Group option if your LDAP schema has an attribute that corresponds to a FirePass server group.
• Select the Use Parent DN to Map Group option if the user’s parent DN corresponds to a FirePass server group.
10. Click Update to display the appropriate mapping table next to the Mapping option you just selected.
11. Do one of the following:
• If you selected the Use Attribute to Map Group option, and if the attribute’s value corresponds verbatim to the name of a FirePass server group, select the Map Query Result into Group Name Verbatim option. Enter the LDAP attribute name in the Attribute Name box.
• If you selected the Use Attribute to Map Group option, and the attribute’s value does not correspond verbatim to the name of a FirePass server group, enter an attribute name in the Attribute Name box, and then enter an attribute value in the Attribute Value box. From the Map to Group list, select the FirePass server group that corresponds to the attribute value, and then click the Add button. As necessary, continue mapping attribute values to groups by entering attribute values, selecting the FirePass server group from the list, and then clicking Add.
For example, suppose you have an LDAP attribute named Department that has three attribute values Financial department, Sales department, and Marketing department. Suppose you also have three FirePass server groups named Financial, Marketing, and Sales. In that example, you map these attributes to these groups as follows.
Enter this attribute value    Choose this FirePass server group from the menu
Financial department          Financial
Marketing department          Marketing
Sales department              Sales
• If you selected the Use Parent DN to Map Group option, enter a DN value in the DN Value box. From the Map to Group list, select the FirePass server group that corresponds to the DN value, and then click the Add button. As necessary, continue mapping DN values to groups by entering DN values, selecting the FirePass server group from the menu, and then clicking Add. For example, suppose you have these three container objects in your LDAP schema to store users for each department:
ou=Financial,o=MyCompany
ou=Marketing,o=MyCompany
ou=Sales,o=MyCompany
In that example, you map these DN values to groups as follows.
Enter this DN value         Choose this FirePass server group from the menu
ou=Financial,o=MyCompany    Financial
ou=Marketing,o=MyCompany    Marketing
ou=Sales,o=MyCompany        Sales
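The three mapping rules described in this section and in Using Windows domain-based group mapping (first-match ordering of Windows domain group mappings, LDAP attribute mapping either verbatim or through a value table, and LDAP parent-DN mapping) share one fallback: a user who matches nothing stays in the FirePass server group they already have. The following is an added example, not FirePass code, that models those rules on the guide's own example tables so the ordering and fallback behaviour can be checked; the user entries and the function names are constructed for the example, and the DN handling is a simplified form of RFC 4514 that only honours backslash-escaped commas.

```python
"""Group-mapping rules from this chapter, modelled as plain functions.

Added example, not FirePass code: it reproduces the three mapping rules the
guide describes (Windows domain groups with first-match ordering, LDAP user
attribute mapping, LDAP parent-DN mapping) so the fallback behaviour can be
checked on sample data. Group names and DNs are the guide's own examples;
the user entries below are constructed.
"""
from typing import Dict, List, Optional, Sequence, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings on unescaped commas.

    Simplified RFC 4514 handling: a backslash escapes the next character, so
    'cn=Smith\\, Jane,ou=Sales,o=MyCompany' yields three RDNs, not four.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: trimmed, lower-cased RDNs."""
    return ",".join(rdn.lower() for rdn in split_dn(dn))


def parent_dn(dn: str) -> str:
    """The DN with its leftmost RDN removed, i.e. the container holding the entry."""
    return ",".join(split_dn(dn)[1:])


def map_windows_groups(user_domain_groups: Sequence[str],
                       mappings: Sequence[Tuple[str, str]],
                       current_group: str) -> str:
    """Windows domain-based mapping.

    'mappings' is in creation order; the first domain group the user belongs
    to decides the FirePass group. A user in no mapped domain group keeps the
    FirePass group they are already in.
    """
    member_of = set(user_domain_groups)
    for domain_group, firepass_group in mappings:
        if domain_group in member_of:
            return firepass_group
    return current_group


def map_by_attribute(entry: Dict[str, List[str]], attribute: str,
                     firepass_groups: Sequence[str],
                     value_map: Optional[Dict[str, str]],
                     current_group: str) -> str:
    """LDAP user-object mapping by attribute.

    With value_map=None the attribute value is used verbatim and must equal a
    FirePass group name; otherwise the explicit value-to-group table applies.
    """
    for value in entry.get(attribute, []):
        if value_map is None:
            if value in firepass_groups:
                return value
        elif value in value_map:
            return value_map[value]
    return current_group


def map_by_parent_dn(user_dn: str, dn_map: Dict[str, str],
                     current_group: str) -> str:
    """LDAP user-object mapping by the user's parent DN."""
    wanted = normalize_dn(parent_dn(user_dn))
    for dn_value, firepass_group in dn_map.items():
        if normalize_dn(dn_value) == wanted:
            return firepass_group
    return current_group


# The guide's example tables.
FIREPASS_GROUPS = ["Financial", "Marketing", "Sales"]
DEPARTMENT_MAP = {"Financial department": "Financial",
                  "Marketing department": "Marketing",
                  "Sales department": "Sales"}
PARENT_DN_MAP = {"ou=Financial,o=MyCompany": "Financial",
                 "ou=Marketing,o=MyCompany": "Marketing",
                 "ou=Sales,o=MyCompany": "Sales"}
```

The Windows domain case is where ordering matters in practice: a mapping for a broad group such as the domain's default user group, created before the departmental mappings, captures everyone and the later mappings never apply, which is the situation the guide warns about when it says the first mapping you create is checked first.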
12. In the text boxes in the LDAP Attributes to Obtain Personal Information section, enter the LDAP attributes for first name, last name, and email address.
For example, here are some attributes that are used in a standard LDAP schema.
Enter one of these attribute values    In this text box
Firstname, fn, name                    Attribute for First Name
surname, sn                            Attribute for Last Name
email, uid, mailto                     Attribute for email
Mapping based on LDAP group object information
To use this method, you should have a group object in your LDAP schema that may be used to map FirePass groups. This object should have at least two multi-valued attributes to specify users that belong to this group. The first attribute specifies static members and is the list of users’ DNs. The second attribute specifies dynamic members and is presented as a list of LDAP URLs or LDAP queries that define the criteria of the group’s membership.
To map based on LDAP group object information
1. In the LDAP and Windows Domain Based Grouping section of the Group Management panel, select the Use LDAP Group Object to Map Group option. A new set of options appears.
2. From the For the group drop-down list, choose the FirePass server group that you want to map to.
3. Click the Add to List button to add the selected group to the mapping list.
4. Click Edit next to the group you added to set up mapping parameters for that group. A new set of options appears.
5. In the LDAP Server box, enter the name of an LDAP server.
6. In the LDAP Port box, enter an LDAP port such as 389.
7. If you want to use SSL, select the Use SSL Connection option.
8. In the User DN box, enter a user DN. For example: CN=Administrator,DC=demo,DC=FP works,DC=com
9. In the User Password box, enter a password.
Note: You can leave the User DN and User Password boxes blank if your server allows anonymous access to perform a query.
10. In the Search Base DN box, enter a Search Base DN to specify where DN searches start from. For example: DC=demo,DC=FP works,Dc=com
11. In the Filter for Group box, specify an LDAP query. It must be a valid LDAP query expression. For example: OU=Groups,O=MyCompany
12. In the Query Template for Static Members box, specify a query template for static members. Use %logon% in the filter expression to insert a user name. For example: (&(CN=Marketing)(uniqueMember=UID=%logon%,OU=People, O=MyCompany))
13. In the Attribute for Dynamic Members box, specify an attribute for dynamic members.
14. In the Search Base DN for User box, specify a Search Base DN. For example: OU=People,O=MyCompany
15. Click the Update button to store the mapping parameters for the selected group.
16. (Optional) To test the mapping parameters, enter an LDAP user name in the Test Logon box, and then click the Test Mapping button.
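Both the Filter Template in Mapping based on LDAP user object information (which inserts the user name at %s) and the Query Template for Static Members above (which inserts it at %logon%) take a logon name typed by the user and place it inside an LDAP filter. The following is an added example, not FirePass code, showing what any component that performs such a substitution must do: hex-escape the filter metacharacters listed in RFC 4515 before inserting the value, so that the filter keeps the meaning the administrator wrote. The function names are this example's own, and the sample templates are the guide's.

```python
"""Safe filling of the guide's LDAP filter templates, as an added example.

Not FirePass code. The guide's templates carry the logon name as %s
(user-object lookup) or %logon% (static-member query). Whatever performs
that substitution must escape the value as RFC 4515 requires; otherwise a
logon name containing filter metacharacters changes the meaning of the
query. escape_filter_value() and fill_template() are this example's own names.
"""
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The two placeholder spellings used in this chapter's templates.
_PLACEHOLDER = re.compile(r"%logon%|%s")


def escape_filter_value(value: str) -> str:
    """Hex-escape the filter metacharacters in a value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def fill_template(template: str, logon: str) -> str:
    """Substitute the escaped logon name for every %s / %logon% placeholder.

    A template without a placeholder is rejected: such a filter would match
    the same entry for every user instead of looking up the one logging in.
    """
    if _PLACEHOLDER.search(template) is None:
        raise ValueError("filter template has no %s or %logon% placeholder")
    escaped = escape_filter_value(logon)
    # A callable replacement avoids backslash processing in the substituted text.
    return _PLACEHOLDER.sub(lambda _m: escaped, template)


def parentheses_balanced(flt: str) -> bool:
    """Cheap sanity check that a filled filter still nests correctly.

    Parentheses inside an escaped value no longer count, because they were
    turned into the \\28 and \\29 sequences above.
    """
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    print(fill_template("(&(objectclass=person)(cn=%s))", "george"))
    print(fill_template("(&(CN=Marketing)(uniqueMember=UID=%logon%,OU=People,O=MyCompany))", "george"))
```

For the plain logon name george the result is exactly the query the guide shows, (&(objectclass=person)(cn=george)); a logon name containing * or parentheses is inserted as data rather than as filter syntax, and the filter still has balanced parentheses afterwards.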
Working with user accounts
You can add user accounts to each group on the FirePass server by using any of the following methods:
• Manually add users to each group. (See Manually adding user accounts, following.)
• Import users into each group from a Windows Domain server. (See Importing user accounts from a Windows domain server, on page 3-13.)
• Import users into each group from an LDAP server. (See Importing user accounts from an LDAP server, on page 3-15.)
• Import users into each group from a text file. (See Importing user accounts from a comma or tab delimited text file, on page 3-16.)
• Allow a signup template for each group to automatically add users when they log in for the first time, if the user has an existing account in a RADIUS, LDAP, or Windows Domain server. (See Using signup templates to add user accounts, on page 3-16.)
All of these methods create user accounts in the FirePass server’s internal database.
Manually adding user accounts
To manually add a user account
1. Under the Users tab on the left side of the Administrative Console, click the User Management link. The User Management screen opens.
2. Click the New User button. The User Details screen opens.
3. If you want to add the user to a group other than the default group, choose the group from the Group drop-down list and then click the Change Group button.
4. In the Logon text box, enter a user name for the user.
5. In the First Name, Last Name, and Middle Initial boxes, enter the user’s first and last names, and middle initial.
6. In the Email box, enter the user’s email address.
7. Do one of the following:
• If the authentication for the selected group is handled by the FirePass server’s internal database, enter the user’s password in the Password and Validate text boxes.
• If the authentication is handled by an external VASCO server, enter the user’s Token ID in the Token ID text box. (See Setting Up VASCO DigiPass authentication, on page 3-28.)
• If the authentication is handled by an external RADIUS, LDAP, or Windows Domain server, skip this step. The passwords for these three servers are stored in the external server instead of in the FirePass server.
8. (Optional) As necessary, select the options to force the user to change their password on the initial logon, email the password to the user, force periodic password changes, or deactivate the account after a specified period of time.
9. To generate a key that enables the user to install the My Desktop client software, select the Generate Installation Key option. If you select this option, the FirePass server sends an email message to the user that contains instructions for downloading and installing the My Desktop client software. You can also generate the installation key at another time. (See Generating a My Desktop client software installation key, on page 3-21.)
10. Select a User mode option for the user. A Manager can view the FirePass server system statistics. A User cannot view statistics.
11. To grant access permissions for the user, select the MyDesktop Access option and/or the MyNetwork Access option.
12. Click the Add User button.
13. If you chose the option to generate a key, click the Click to Pick Up the Key button in the next panel that appears. The installation key for the user is listed in the Existing FirePass server Installation Keys panel.
14. Do one of the following:
• Write down the installation key so you or the user can use it later for installing the My Desktop client software. (See Installing My Desktop client software at a user’s computer, on page 3-22.)
• Email the key to the user by clicking the Send button.
Importing user accounts from a Windows domain server
To import user accounts from a Windows domain server
1. In the User Management panel, click the Windows Domain Import button. The Windows Domain Import screen opens.
2. If you want to add the users to a group other than the default group, select the group from the For the group drop-down list.
3. In the Domain Name box, specify the name of the Windows domain you want to import users from.
4. (Optional) In the PDC Server Name box, specify the name of the Primary Domain Controller (PDC) server if the domain or PDC is on a different subnet than the FirePass server.
5. (Optional) In the WINS Server IP Address box, specify the IP address of the WINS server if the domain or PDC is on a different subnet than the FirePass server.
6. If the Windows domain PDC is not configured to accept anonymous access to user and group information, select the Join Windows Domain option. Then specify the Domain Admin Name and Domain Admin Password.
7. Click the Query Domain button. The FirePass server performs a query in the Windows domain for all users and user groups, and displays the results. If no results are displayed, or you see an error message displayed, verify the domain settings you specified.
8. To restrict the list to users from a particular domain group, choose the group from the Domain Group Filtering drop-down list and then click the Filter Results button.
9. To store the user’s Domain as part of his FirePass server logon user name, select the FirePass Logon Formatted as DOMAIN\Username option.
Note: This option is only necessary if there are FirePass server users with identical user login names belonging to different domains. If you select this option during an import process, each imported user must log in to the FirePass server using the format of DOMAIN\username.
10. To automatically generate appropriate email addresses for users, select an option from the Email Formatting drop-down list and then click the Update Results button. This step is necessary because email addresses are not available when querying a Windows domain.
11. Select the users you want to add to the FirePass server. To select all users in the list, click the Select All Users link at the bottom of the panel.
12. As necessary, select the MyNetwork Access option and the MyDesktop Access option to grant the users these access privileges.
13. Select the Send Email to Users option if you want to notify new users of their accounts.
14. Click the Add Users button to import the user accounts.
Setting Up FirePass Server Security
Importing user accounts from an LDAP server

To import user accounts from an LDAP server
1. In the User Management panel, click the LDAP Import button. The LDAP import screen opens.
2. If you want to add the users to a group other than the default group, select the group from the Group list.
3. In the Host box, type the name or IP address of an LDAP server.
4. In the Port box, enter an LDAP port such as 389.
5. If you want to use SSL, select the Use SSL connection option.
6. In the User DN box, enter a user DN. For example: CN=Administrator,CN=Users,DC=demo,DC=FP,DC=com
7. In the User Password box, enter a password.
Note: You can leave the User DN and User Password boxes blank if your server allows anonymous access to perform a query.
8. In the Search Base DN box, enter a search base DN to specify where DN searches start from. For example: DC=demo,DC=FP,DC=com
9. In the Search Query box, enter a query that produces a draft user list, which is basically the list of matching DNs. The search query must be a valid LDAP query expression.
10. Click the Query button. The LDAP import screen opens.
11. Choose entries from the drop-down menus under the LDAP Attribute heading to map the LDAP attributes into FirePass server values, such as user name, first and last names, and email address. Note that the first and last names can be extracted from a compound attribute (such as cn). To avoid this, select the first empty item from the Full Name drop-down list.
12. Click the Map Attributes button. The query returns the list of matching users. Only the user records that have attributes corresponding to user name have a check box in front of them. The users with names already in the FirePass server internal database do not have a check box.
13. Select the users you want to add to the FirePass server. To select all users in the list, click the Select All Users link at the bottom of the panel.
14. As necessary, select the MyNetwork Access option and the MyDesktop Access option to grant the users these access privileges.
15. Select the Send Email to Users option if you want to notify new users of their accounts.
16. Click the Add Users button to import the user accounts.
Importing user accounts from a comma or tab delimited text file
You can import user accounts from a text file that contains either commas or tabs between each element of information, such as first name, last name, and so on.

To import user accounts from a comma or tab delimited text file
1. In the User Management panel, click the Import from File button. The Import Users From Comma or Tab Separated List screen opens.
2. Enter or browse to the text file and then click the Load List button.
3. In the next panel, specify the order of the information fields in the text file by choosing a field name from each drop-down menu.
4. Select one of the options to import all of the list, or a subset based on logons or names, and then click the Process List button.
5. If you want to add the users to a group other than the default group, choose the group from the Group drop-down list.
6. (Optional) If you selected an option to import a subset of users, select the users you want to import by clicking the check box next to their logon or name.
7. (Optional) As necessary, select the options to force the user to change their password on the initial logon, email the password to the user, force periodic password changes, or deactivate the account after a specified period of time.
8. To grant access permissions for the user, select the MyDesktop Access option and/or the MyNetwork Access option.
9. Select an option to overwrite or skip users that already exist in the FirePass server internal database.
10. Click the Import Users button or the Import Selected button.
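The field-order choice in step 3, the all-or-subset choice in step 4, and the overwrite-or-skip choice in step 9 together form a small import pipeline. The following Python is an added example, not FirePass code, showing what that pipeline does on a constructed sample list: it detects whether the file is comma or tab separated, applies an administrator-chosen field order, rejects rows whose column count does not match, keeps only a chosen subset of logons, and separates new accounts from accounts that already exist in the internal database. The field names (logon, first_name, last_name, email) and the sample rows are constructed; how FirePass itself parses the file is not documented on this page.

```python
"""Added example (not FirePass code): parse a comma- or tab-delimited user
list, apply a chosen field order, optionally keep a subset of logons, and
decide per record whether to overwrite or skip an existing account.
Field names and sample rows are constructed for this example."""
import csv
import io

# Constructed sample file in both delimiter variants. The column order is
# whatever the administrator chooses in step 3 of the procedure.
SAMPLE_CSV = (
    "tjones,Tom,Jones,tjones@example.com\n"
    "asmith,Ann,Smith,asmith@example.com\n"
    "bwong,Bo,Wong,bwong@example.com\n"
)
SAMPLE_TSV = SAMPLE_CSV.replace(",", "\t")

FIELD_ORDER = ["logon", "first_name", "last_name", "email"]  # step 3 choice


def detect_delimiter(text):
    """Use tab if the first line contains one, otherwise comma."""
    first_line = text.splitlines()[0] if text else ""
    return "\t" if "\t" in first_line else ","


def load_list(text, field_order):
    """Turn the raw file into dicts keyed by the chosen field names.
    Rows whose column count does not match the field order are reported
    (with their line number) instead of being imported with shifted data."""
    delimiter = detect_delimiter(text)
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    records, rejected = [], []
    for lineno, row in enumerate(reader, start=1):
        if not row:
            continue
        if len(row) != len(field_order):
            rejected.append((lineno, row))
            continue
        records.append(dict(zip(field_order, (v.strip() for v in row))))
    return records, rejected


def process_list(records, existing_logons, overwrite_existing,
                 selected_logons=None):
    """Apply the options from steps 4, 6 and 9.
    selected_logons: None imports the whole list; a set imports that subset.
    overwrite_existing: True overwrites accounts already in the internal
    database, False skips them. Returns (to_create, to_overwrite, skipped)."""
    to_create, to_overwrite, skipped = [], [], []
    for rec in records:
        if selected_logons is not None and rec["logon"] not in selected_logons:
            continue
        if rec["logon"] in existing_logons:
            (to_overwrite if overwrite_existing else skipped).append(rec)
        else:
            to_create.append(rec)
    return to_create, to_overwrite, skipped


def import_users(text, existing_logons, overwrite_existing=False,
                 selected_logons=None, field_order=FIELD_ORDER):
    """Full flow: load the list, then process it. Returns a summary."""
    records, rejected = load_list(text, field_order)
    created, overwritten, skipped = process_list(
        records, existing_logons, overwrite_existing, selected_logons)
    return {
        "created": [r["logon"] for r in created],
        "overwritten": [r["logon"] for r in overwritten],
        "skipped": [r["logon"] for r in skipped],
        "rejected_lines": [n for n, _ in rejected],
    }


if __name__ == "__main__":
    # asmith already exists, so with the default "skip" option it is skipped.
    print(import_users(SAMPLE_TSV, existing_logons={"asmith"}))
```

Reporting rejected line numbers matters more than it looks: a row with one field too few or too many would otherwise land in the wrong columns, and a shifted email or logon field is the kind of import error that is only noticed when notification mail goes to the wrong address.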
Using signup templates to add user accounts
If some or all users at your site have an existing account in an external RADIUS, LDAP, or Windows Domain server, you can use a signup template to automatically add the users to the internal database when they log in to the FirePass server for the first time. FirePass server displays a dialog box where first-time users enter their user name, password, and other information. The FirePass server retrieves the user’s login and account information (except for password) from the external server and automatically adds a user account to its internal database.
If you are using an LDAP or Windows Domain server and you set up group mapping, the FirePass server also retrieves the user’s group information and adds the user to the corresponding mapped group in its internal database. (See Using Windows domain-based group mapping, on page 3-4 and Using LDAP-based group mapping, on page 3-6.)

Note
The FirePass server adds users to the first group specified on the Signup Template panel that matches the first group where it locates the user in an external server. That is, if a user is a member of several groups in the external server and you have mapped all of the groups to groups in the internal database, the FirePass server adds the user to the first group on the external server that matches the first group in the order specified on the Signup Template panel. If necessary, you can move users to different groups in the internal database if the groups are not mapped. (See Moving users to a different group, on page 3-4.)
To use a signup template
1. Under the Server tab, click the Signup templates link.
2. From the For the group drop-down list, select the group that you want to use a signup template with. The group must use RADIUS, LDAP, or Windows Domain authentication.
3. Select the Allow Authenticated Signup by Template option.
4. Select a user mode option for the user.
• A Manager can view the FirePass server system statistics.
• A User cannot view statistics.
5. To grant access permissions for the user, select the MyNetwork Access option and/or the MyDesktop Access option.
6. To generate and email a key that enables the user to install the My Desktop client software, select the Generate and email installation key option. You can also generate the installation key later. (See Generating a My Desktop client software installation key, on page 3-21.)
7. Click the Update Template button.
Using NFS user permissions from a UNIX password file
If you want to give FirePass server users the ability to access NFS file servers using the FirePass server My NFS Webifyer (see Configuring the My NFS Webifyer, on page 4-6), you must assign NFS user permissions to the users. You can either assign the permissions manually for each individual user, or you can import a list of users’ NFS user permissions from a UNIX password file. FirePass server stores each user’s User ID and Group ID in the user’s existing FirePass server account. Note that each FirePass server user’s logon name (user name) must be identical to the logon name in the NFS servers. For example, a user with the logon name of tjones on the FirePass server must also have tjones as the logon name on the NFS servers. Note that this procedure does not create any new user accounts on the FirePass server. It simply imports the NFS user permissions for existing FirePass server users so that they can access NFS file servers.
Importing NFS user permissions from a UNIX password file

To import NFS User Permissions from a UNIX password file
1. If you have not already done so, create the user accounts in the FirePass server and make sure the logon name in the FirePass server account is identical to the logon name in the UNIX password file.
2. Under the Users tab on the left side of the Administrative Console, click the Import NFS users link. The Import NFS Settings screen opens.
3. Copy the contents of a UNIX password file that contains the user IDs and group IDs you want to import.
4. Paste the contents of a UNIX password file into the text box on the Import NFS Settings panel.
5. Click the Import button. The NFS user permissions are listed on the next panel next to each FirePass server user’s logon name.

Note
User IDs below 100 are ignored because they are reserved for system services.
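The import described above has three rules worth seeing together: the UID and GID come from the third and fourth colon-separated fields of each password-file line, UIDs below 100 are ignored, and a permission is only attached where the login matches an existing FirePass logon name exactly. The following Python is an added example, not FirePass code, that applies those rules to a constructed password-file excerpt and a constructed set of FirePass logon names, and reports what was ignored or left unmatched so the administrator can see why a user did not receive NFS permissions.

```python
"""Added example (not FirePass code): read pasted UNIX password-file lines,
take the UID and GID for each login, drop UIDs below 100 as the guide says
they are reserved for system services, and attach the IDs to FirePass users
whose logon name matches exactly. All sample data is constructed."""

# Constructed /etc/passwd excerpt; real files have the same 7 fields.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tjones:x:1001:100:Tom Jones:/home/tjones:/bin/bash
asmith:x:1002:100:Ann Smith:/home/asmith:/bin/bash
svcbackup:x:99:99:backup service:/var/backups:/usr/sbin/nologin
broken line without fields
"""

# Constructed logon names that already exist on the FirePass server.
# "ASmith" differs from "asmith" in case, which the exact match rejects.
FIREPASS_USERS = {"tjones", "ASmith", "bwong"}

MIN_IMPORTABLE_UID = 100  # the guide: UIDs below 100 are ignored


def parse_passwd(text):
    """Return ([(login, uid, gid), ...], [bad line numbers]).
    Lines without exactly 7 fields or with non-numeric ids are reported,
    not guessed at."""
    entries, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            bad_lines.append(lineno)
            continue
        login, uid, gid = fields[0], fields[2], fields[3]
        if not (uid.isdigit() and gid.isdigit()):
            bad_lines.append(lineno)
            continue
        entries.append((login, int(uid), int(gid)))
    return entries, bad_lines


def import_nfs_permissions(passwd_text, firepass_logons):
    """Map logon -> (uid, gid) for matched users and report everything
    else. Matching is exact and case-sensitive because the guide requires
    the FirePass logon name to be identical to the NFS logon name."""
    entries, bad_lines = parse_passwd(passwd_text)
    assigned, ignored_system, unmatched = {}, [], []
    for login, uid, gid in entries:
        if uid < MIN_IMPORTABLE_UID:
            ignored_system.append(login)
        elif login in firepass_logons:
            assigned[login] = (uid, gid)
        else:
            unmatched.append(login)
    return {
        "assigned": assigned,
        "ignored_system": ignored_system,
        "unmatched": unmatched,
        "bad_lines": bad_lines,
    }


if __name__ == "__main__":
    for key, value in import_nfs_permissions(SAMPLE_PASSWD, FIREPASS_USERS).items():
        print(key, value)
```

In the sample, asmith ends up in the unmatched list because the FirePass account is spelled ASmith; that is exactly the mismatch the guide warns about when it says the logon names must be identical, and listing unmatched logins is how an administrator would catch it before users report missing NFS access.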
Manually assigning NFS user permissions to a FirePass server user
You can manually assign NFS user permissions to a FirePass server user when you first create the account, or at any time later.
To manually assign NFS user permissions to a FirePass server user
1. Do either of the following:
• Create a new FirePass server user with a login name that is identical to the logon name in the NFS servers. (See Manually adding user accounts, on page 3-11.)
• If the user account already exists, click the Edit button in the User Management panel next to the user account you want to assign NFS permissions to. Make sure the FirePass server login name is identical to the logon name in the NFS servers.
2. In the NFS Settings section at the bottom of the User's Details panel, enter the NFS user ID in the User ID box.
3. In the Group ID box, enter the NFS group ID.
4. Click the Add button.
Changing user accounts

To change a user account
1. In the User Management panel, click the Edit button next to the user account you want to change. The User group screen opens.
2. To change the user’s group membership, select a different group from the Group list, and then click the Change group button.
3. Change the other user’s properties as necessary, and then click the Update user details button.
Activating, deactivating, or deleting user accounts

To activate, deactivate, or delete a user account
1. In the User Management panel, select one or more user accounts that you want to activate, deactivate, or delete.
2. Do one of the following:
• To activate or deactivate the users, click the Activate/Deactivate Selected button. A lock icon is placed next to user accounts that are deactivated.
• Click the Delete Selected button, and then click the Delete button to confirm the deletion.
Assigning administrative privileges to a user account
By default, the FirePass server includes a superuser account with the user name of admin that has a complete set of administrative privileges. You can also assign administrative privileges to an existing user account to allow the user to be a FirePass server administrator. To assign the administrative privileges, you must either be logged in as the superuser, or logged in as a user who already has administrative privileges. There is a range of administrative privileges that you can assign, such as access to some or all of the tabs and panels in the Administration Console, and to various groups of users. The activities of a user with administrative privileges are logged in Application Logs.
To assign administrative privileges to a user account
1. Log into the Administrative Console as the superuser, or as a user who already has administrative privileges.
2. Under the Server tab on the left side of the Administrative Console, click the Security link.
3. On the Security screen, click the Administrators link.
4. Enter the user’s login name in the text box and then click the Add button. The user’s name is added to the list in the FirePass Administrators panel, but the user does not have administrative privileges until you explicitly assign them.
5. To assign administrative privileges for features in the Administration Console, click the Edit link in the Feature Access column next to the user’s name. The Feature Access screen opens.
[Figure: Feature Access screen. Callouts: "Click these Edit links to allow access to a subset of the panels for a particular tab." and "Select these tab names to allow the user access to the tabs in the Administrative Console."]
6. Do any of the following:
• To allow access to all tabs, panels, and features in the Administrative Console, select the Allow Access to All Features option, and then click the Save button.
• To allow access to a subset of the tabs in the Administrative Console, select the tab names on the Feature Access panel, and then click the Save button.
• To allow access to a subset of panels associated with a tab, click the Edit link next to the tab. For example, click the Edit link next to the Server tab name to specify access to the panels associated with the Server tab in the Administrative Console. Then, click the Save button.
7. To assign administrative privileges for user groups, click the Edit link in the Group Access column next to the user’s name in the FirePass Administrators panel.
8. To allow access to all groups, select the Allow Access to All Group option.
9. Click the Save button.
10. After you are finished assigning the administrative privilege, the user can log into Administrative Console by using the URL, https://server-name.company.com/, and then clicking Admin Console in the left panel. Or, the user can log into Administrative Console directly by using the URL, https://server-name.company.com/stats/.
Searching for user accounts
You can limit the scope and the size of the list of users on the User Management panel by searching for logon, name, email, or group.

To search for user accounts
1. In the User Management panel, choose Logon, Name, email, or Group from the Search By drop-down list.
2. In the text box next to the Search By drop-down list, enter the logon, name, email, or group you want to find.
3. Click the magnifying button next to the text box.
4. To display the entire list of users, click the Show All Records link.
Generating a My Desktop client software installation key
To install the My Desktop client software, each user needs a unique installation key. If you did not select the option to generate the installation key when you added a user, or if you need additional keys, you can generate the installation key.

To generate a My Desktop installation key
1. Under the Users tab, click the New Key link. The Create New Installation Keys screen opens.
2. Enter your name, description of the user’s system, and the number of keys.
3. Click the Generate Installation Keys button. The FirePass server generates the keys and displays them on the Existing FirePass Installation Keys panel, which displays the status of generated keys.
4. To send the keys to users, enter each user’s email address in the Send To box next to each key, and then click the Send button.
5. To drop a key so that you can generate a new one within your license limits, click the Drop link next to the key.
Installing My Desktop client software at a user’s computer
You can install the My Desktop client software at a user’s computer on the user’s behalf.

To install the My Desktop client software at a user’s computer
1. If you are not at the user’s computer when you add the user’s account, do not select the option to generate an installation key.
2. Using the user’s computer, log into the Administration Console.
3. Generate a new key by following the instructions in the previous section, Generating a My Desktop client software installation key, on page 3-21.
4. In the Existing FirePass Installation Keys panel, select the key, right click, and then choose Copy from the context menu to copy the key to the clipboard. Do not send the key to the user.
5. Under the Desktop tab, click the Download link.
6. In the panel that appears, click the Download Desktop Software link.
7. Click Install from Current Location. The download takes a few minutes (depending on the speed of the computer). The installation program prompts you for an installation (activation) key.
8. Right click in the installation program window, and then choose Paste from the context menu to insert the key.
9. Enter the user name and password for the user.
Setting up FirePass server authentication
Authentication is set up on a per group basis on the FirePass server. If you are using the same authentication for all FirePass server users, you can simply add all users to the FirePass server default group and use the same authentication for the default group. But, if you want to use different authentication for different users, you must create groups on the FirePass server before setting up authentication. (See Working with groups, on page 3-2.) You can either set up authentication using the FirePass server’s internal database, or you can use an external server. The advantage of using an external server is that you can use the same server to authenticate FirePass server users as you use to authenticate network users. You can set up FirePass server authentication using any combination of the following methods for different groups:
◆ FirePass server’s internal database
  This is the default authentication method. (See Converting to internal database authentication, following.)
◆ RADIUS server
  You can use a RADIUS server at your site that supports RSA’s SecurID technology. Each user is issued a SecurID token. (See Setting up RADIUS server authentication, on page 3-24.)
◆ Windows domain server
  You can use a Windows domain server for authentication. (See Setting up Windows domain server authentication, on page 3-25.)
◆ LDAP server
  You can use an LDAP server for authentication. (See Setting up LDAP server authentication, on page 3-27.)
◆ VASCO DigiPass
  This is a two-factor authentication that uses a combination of a dynamic password and a digital signature to grant access to the FirePass server. (See Setting Up VASCO DigiPass authentication, on page 3-28.)
If authentication is handled by the FirePass server, then strong hashes of each user’s password are stored in the internal database. If the authentication is handled by an external server, then each user’s password is stored in the external server.
Converting to internal database authentication
In most cases when you first set up the FirePass server, the default group uses the internal database. If you then create new groups by copying settings from the default group, the authentication for the new groups also uses the internal database. In these cases, internal database authentication is already set up and no other configuration is required. However, if you want to convert a group’s authentication from an external server to the internal database, use the following instructions.
To convert a group to internal database authentication
1. Under the Server tab, click the Authentication link. The Authentication Scheme panel for the current authentication type appears.
2. From the For the group drop-down list, select the group that you want to set up authentication for.
3. Click the Internal User Database Authentication option link toward the bottom of the panel.

Note
There is no other configuration required for internal database authentication.
Setting up RADIUS server authentication
If the RADIUS authentication feature is licensed, the FirePass server can authenticate using a RADIUS server. FirePass server fully supports RSA extensions for RADIUS and is RSA-certified.

To set up RADIUS server authentication
1. Under the Server tab, click the Authentication link.
2. From the For the group drop-down list, select the group that you want to set up authentication for.
3. Click the RADIUS authentication link from the list of options toward the bottom of the panel.
4. In the Timeout box, enter the number of seconds before timing out the authentication process. Five seconds is recommended.
5. In the Retries box, enter the number of authentication retries. Five retries is recommended.
6. In the Server box, enter the server’s name or IP address.
7. In the Port box, enter the server’s port. By default, the port is 1645. If a different port is being used on the RADIUS server, set the FirePass server to match.
8. In the Shared Secret box, enter the shared secret for the RADIUS server.
9. (Optional) If you want to use a backup RADIUS server, select the Use a Backup RADIUS Server option and enter the backup server’s name or IP address, port number, and shared secret.
10. Click the Save Settings button.
To test the RADIUS authentication settings
1. Click the Test button.
2. Enter a user name and password in the RADIUS server, and then click the Test button.
Setting up a RADIUS server to work with the FirePass server
To use SecurID, make sure that the SecurID RADIUS service is running. The FirePass server does not authenticate to the native SecurID protocol. Even if the RADIUS service has been started from the SecurID options window on an NT SecurID server, the service may not be active. In the Windows Services Manager, make sure that the service is set to start each time the server boots and is currently running. The RADIUS authentication takes place on a different port than native SecurID authentication. On the RADIUS server, the FirePass server needs to be set up as a client to the RADIUS server. Then, a shared secret needs to be created and added to both the RADIUS server and the FirePass server so the RADIUS server can trust the FirePass server. On all SecurID servers, the SecurID server needs to be made a client of itself to make the RADIUS server function. The RADIUS service functions as a standalone process, and if the SecurID server is not set up as a client of itself, it rejects the authentication request and does not store anything in the logs, making this problem difficult at best to diagnose. The FirePass server merely reports that the authentication has failed.

Note
The FirePass server uses the RADIUS protocol when communicating with the RSA RADIUS or ACE server. If you are using an RSA ACE server, you must add support for the RADIUS protocol in order for the FirePass server to communicate with it. You can do this by adding a “Radius Agent Host” to the RSA server configuration. For more information, see the documentation for your RSA server.
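The shared secret entered in step 8 above, and again on the RADIUS server when the FirePass server is added as a client, is what makes the two sides trust each other: in RFC 2865 the client hides the User-Password attribute with MD5 of the shared secret and a fresh Request Authenticator, and the server can only recover the password if it holds the same secret. The following Python is an added example, not FirePass code or RSA code, that builds an Access-Request packet, hides a password the way the RFC specifies, and reverses the operation as a server would. The user name, password, secret and NAS-Identifier values are constructed; it does not describe FirePass's actual RADIUS client implementation, only the protocol step the shared secret participates in.

```python
"""Added example (not FirePass code): build a RADIUS Access-Request per
RFC 2865 and hide/reveal the User-Password attribute with the shared
secret. Shows why the secret configured on the FirePass server and on the
RADIUS server must match. All values below are constructed."""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def _attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value (max 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((attr_type, len(value) + 2)) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to 16-byte blocks, then XOR
    each block with MD5(secret + previous block), seeded with the 16-byte
    Request Authenticator. The first XOR uses the authenticator itself."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:  # an empty password still occupies one block
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(block, mask))
        out += cipher
        prev = cipher  # next mask keys on this ciphertext block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; strips the NUL padding.
    With the wrong secret the result is garbage, not an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret,
                         nas_identifier, authenticator=None):
    """Return (packet, authenticator). The Request Authenticator must be
    fresh and unpredictable per request; os.urandom is used here."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_identifier))
    length = 20 + len(attrs)  # Code(1) Identifier(1) Length(2) Authenticator(16)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, length) + authenticator
    return header + attrs, authenticator


def parse_attributes(packet):
    """Return {type: value} after checking the length field and each
    attribute's length against the packet, as a server must before use."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt, _auth = build_access_request(7, b"tjones", b"123456pin", secret, b"firepass")
    attrs = parse_attributes(pkt)
    # The authenticator travels in bytes 4..20 of the packet.
    print(reveal_password(attrs[ATTR_USER_PASSWORD], secret, pkt[4:20]))
```

Two practical consequences follow from this construction. First, a mismatched shared secret does not produce a protocol error; the server simply decodes a wrong password and returns Access-Reject, which is consistent with the guide's remark that the FirePass server merely reports that authentication failed. Second, the hiding is only as strong as the secret and the freshness of the Request Authenticator, which is why the secret should be long and random and why the Timeout and Retries values above should not be turned into a reason to reuse a request.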
Setting up Windows domain server authentication
If the Windows Domain authentication feature is licensed, you can use Windows Domain authentication to authenticate users against an internal Windows NT/2000/2003 based server. The following two authentication modes are supported:
◆ Native NTLM authentication
  Native NTLM authentication is supported if you specify domain administrative credentials when you set up Windows Domain authentication on the FirePass server. This allows FirePass server to add a machine account for itself, join the domain, and create a trust relationship with the Primary Domain Controller (PDC). FirePass server can then authenticate users using native NTLM services.
◆ Netlogon Share
  If you do not specify domain administrative credentials when you set up Windows Domain authentication on the FirePass server, then FirePass server uses a more basic method for authenticating users. FirePass server connects to the Primary Domain Controller netlogon share using the authenticating user’s credentials to determine whether the user has a valid account within the domain.
To set up Windows domain server authentication
1. Under the Server tab, click the Authentication link. The Authentication Scheme screen opens.
2. From the For the group drop-down list, select the group that you want to set up authentication for.
3. Click the Windows Domain Authentication link at the bottom of the panel. The Windows Domain Authentication Scheme screen opens.
4. In the Domain Name box, enter the name of the Windows domain.
5. (Optional) In the PDC Server Name box, specify the name of the Primary Domain Controller (PDC) server if you want to use a particular PDC when joining the Windows domain, or if the PDC is on a different subnet than the FirePass server.
6. (Optional) In the WINS Server IP Address box, specify the IP address of the WINS server to aid in name resolution of the configured domain or PDC.
Note: The WINS server IP address is usually only necessary if the domain and PDC are on a different subnet than the FirePass server.
7. If there are FirePass server users with identical user names belonging to different Domains, select the FirePass Logon Formatted as DOMAIN\Username option to store the user’s Domain as part of their FirePass server logon user name.
Note: This option is only necessary if there are FirePass server users with identical user login names belonging to different domains. If you select this option, each user must log in to the FirePass server using the format of DOMAIN\username.
8. If the FirePass server is able to retrieve Windows Domain groups from the configured Domain, select a group from the User Must Belong to Domain Group drop-down list. This option restricts authentication to users within that domain group.
9. If the FirePass server is to become part of the Windows domain and perform native NTLM authentication services, click the Join Windows Domain option. Then specify the Domain Admin Name and Domain Admin Password.
10. Click the Save Settings button.
To test the Windows Domain authentication settings
1. Click the Test Saved Settings button.
2. Enter a user name and password in the Windows domain, and then click the Test Domain Authentication button.
Setting up LDAP server authentication
If the LDAP authentication feature is licensed, the FirePass server can authenticate using any LDAP database, including a Windows Active Directory.
To set up LDAP server authentication
1. Under the Server tab, click the Authentication link. The Authentication Scheme screen opens.
2. From the For the group drop-down list, select the group that you want to set up authentication for.
3. Click the LDAP Authentication link in the list of options.
4. In the Host box, enter the name or IP address of an LDAP server.
5. In the Port box, enter an LDAP port such as 389.
6. If you want to use SSL, select the Use SSL Connection option.
7. Do either of the following:
• Select the Lookup User's DN Using Template option. Then, in the User DN Template box, enter a User DN template. Use %logon% in the expression to insert a user name. For example: uid=%logon%,ou=People,o=acme
• Select the Lookup User's DN Using Query option. In the User DN For Query box, enter a User DN query. In the Password box, enter a password. In the Search Base DN box, enter a Search Base DN to specify where DN searches start from. For example: ou=People,o=acme
  In the Search Query Template box, specify a search query template. Use %logon% in the expression to insert a user name. For example: (&(uid=%logon%))
8. Click the Update button.
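Both templates in step 7 substitute the logon a user types into a string that the LDAP server then parses, once as a distinguished name and once as a search filter. A user name that contains DN or filter metacharacters must therefore be escaped at the point of substitution, or it changes the shape of the DN or the filter instead of staying a literal value. The following Python is an added example, not FirePass code, that renders the two templates from the guide with RFC 4514 (DN) and RFC 4515 (filter) escaping and checks that the filter keeps the structure the template had. The guide does not state how FirePass itself performs the %logon% substitution; the escaping shown is what any implementation of this step should do, and the sample logon values are constructed.

```python
"""Added example (not FirePass code): render the %logon% DN template and
search filter template from the LDAP procedure with the escaping that
RFC 4514 (distinguished names) and RFC 4515 (search filters) require, so
the substituted logon stays a literal value. Sample logons are constructed."""

DN_TEMPLATE = "uid=%logon%,ou=People,o=acme"  # example from the guide
FILTER_TEMPLATE = "(&(uid=%logon%))"          # example from the guide


def escape_dn_value(value):
    """RFC 4514 section 2.4: backslash-escape the special characters in an
    attribute value; a leading '#' or space and a trailing space also need
    escaping; NUL is written as \\00."""
    specials = ',+"\\<>;='
    out = []
    for ch in value:
        if ch in specials:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if s.startswith("#") or s.startswith(" "):
        s = "\\" + s
    if s.endswith(" ") and not s.endswith("\\ "):
        s = s[:-1] + "\\ "
    return s


def escape_filter_value(value):
    """RFC 4515 section 3: in an assertion value, *, (, ), backslash and
    NUL become a backslash followed by two hex digits."""
    table = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def render_dn_template(template, logon):
    """Lookup User's DN Using Template: substitute an escaped logon."""
    return template.replace("%logon%", escape_dn_value(logon))


def render_filter_template(template, logon):
    """Lookup User's DN Using Query: substitute an escaped logon."""
    return template.replace("%logon%", escape_filter_value(logon))


def filter_components(rendered):
    """Return the number of '(' in a rendered filter after checking that the
    parentheses balance. A correctly escaped logon never changes this count
    relative to the template, whatever the logon contains."""
    depth, opened = 0, 0
    for ch in rendered:
        if ch == "(":
            depth += 1
            opened += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter")
    if depth != 0:
        raise ValueError("unbalanced filter")
    return opened


if __name__ == "__main__":
    for logon in ("tjones", "jones, tom", "t*jones", "smith (contractor)"):
        dn = render_dn_template(DN_TEMPLATE, logon)
        flt = render_filter_template(FILTER_TEMPLATE, logon)
        print(dn, "|", flt, "| components:", filter_components(flt))
```

The template the guide gives, (&(uid=%logon%)), has two opening parentheses; filter_components returns 2 for every rendered value above, which is the property an administrator wants from this step: the logon selects one uid, and nothing a user types can widen or restructure the search.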
Setting Up VASCO DigiPass authentication
If the VASCO DigiPass authentication feature is licensed, the FirePass server can authenticate using a VASCO server. Each user is issued a security token that generates a unique and dynamically time-limited password. The server has a similar algorithm associated with the token’s serial number. When logging in, the user enters a static password and a dynamic password generated by the token. Typically, the FirePass server comes preconfigured with the VASCO token keys. If necessary, you can import new tokens into the server from a VASCO file.

To set up VASCO DigiPass authentication
1. Under the Server tab, click the Authentication link. The Authentication Scheme screen opens.
2. From the Group drop-down list, choose the group that you want to set up authentication for.
3. Click the VASCO DigiPass Authentication link at the bottom of the panel. The VASCO DigiPass Authentication Scheme screen opens. The tokens are listed in the Tokens section.
4. (Optional) To import additional tokens from a VASCO file, click the Browse button and select the file. Then, in the Encryption box, enter the encryption key and click the Import button.
Note: To assign a token to a user, enter the token ID in the User Details panel when you add or edit a user’s properties. (See Manually adding user accounts, on page 3-11, or Changing user accounts, on page 3-19.)
5. (Optional) To delete a token, select it in the Tokens section and click the Delete Selected button.
Setting up certificates
A valid server certificate is very important in establishing a transparent HTTPS connection. The browser running on the user’s computer checks the certificate against its built-in list of Certificate Authorities and verifies that it has not expired and that the name in the certificate matches the FirePass server’s DNS name. If there is an error or a mismatch, some browsers display security warnings; other browsers, notably wireless ones, may refuse a connection. If the FirePass server is a pilot deployment, it comes with a preinstalled server certificate that contains a server-name.FP.com URL. If not, the FirePass server now comes pre-configured with a default SSL server digital certificate of firepass.company.xyz, signed by a FirePass root Certificate Authority. This certificate may be used for initial FirePass server configuration, testing, and licensing, but must not be used in a production FirePass server. You receive warning messages from your web browser when using this default certificate, indicating that the certificate signing authority is unknown and that the certificate name does not match that of your server.
Generating a new certificate request
When you deploy the FirePass server into production, you must purchase and install a digital certificate matching the FirePass server’s configured host name. You can use the FirePass Administrative Console to generate a request to a Certificate Authority for a valid certificate. (See Generating a server certificate request, on page 3-30.)

Installing a new certificate
You can change the FirePass server name to one that is appropriate for your site, and then generate and install a new server certificate that uses the new server name. It is important to keep your server certificate valid by renewing it as necessary, usually every year. You can check the expiration date of the server certificate on the Certificates panel. (See Installing or renewing a server certificate, on page 3-31.)

Using certificates to authenticate client computers
You can also install an optional client root certificate and optional certificate revocation list (CRL), and configure the FirePass server to validate client certificates installed at each user’s computer. You can use the client certificates as part of a two-factor authentication system, or to limit access to particular FirePass server Webifyers. (See Using client certificates to authenticate a user’s computer, on page 3-31.)
Changing the FirePass server name
If you have a pilot FirePass server named server-name.FP.com (or some other default name), and you want to generate and install a new server certificate that is specific to your site, you must first change the server name.

To change the FirePass server name
1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link.
2. Click the Network Configuration link.
3. Click the Hosts link. Enter the new fully-qualified domain name (FQDN). Be sure to make a corresponding entry in your domain name server.
4. Generate and install a new server certificate, as below.
Generating a server certificate request
To obtain a server certificate, you must first generate a certificate request. Then you must submit the request to a Certificate Authority.

To generate a server certificate request
1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens.
2. Click the Network Configuration link.
3. Click the Web Services link at the top of the screen.
4. Click the Configure link for the host name you intend to use.
5. On the configuration screen, check the Use SSL box.
6. Two new links now appear below this box: Edit certificates, and Generate new certificate request. Click the Generate... link.
7. Enter the correct information in the certificate request. All the information in the certificate request must be valid. If this is your first certificate request, the issuer may require additional information to verify your identity and validity of the data you have submitted.
8. (Optional) If you want to generate a new private key, select the Private Key option and enter an encryption password.
9. Click the Generate Certificate Request button.
10. On the following screen, click the Here link at the bottom of the panel to download a Zip file that contains a certificate request.
11. Unzip the zip file and send the certificate request file (called newcert.csr) to a known Certificate Authority to be signed. When asked by the Certificate authority, specify the type of the certificate as mod_ssl.
Installing or renewing a server certificate
When you receive a new signed certificate from the Certificate Authority, you must install the certificate and, if you requested one, the new private key.
To install or renew a server certificate
1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link.
2. Navigate to Network Configuration/Web Services. Click the Configure SSL Certificates link.
3. Select the certificate you want to renew and click the Edit link, or click the Add New Certificate button.
4. Copy the new signed certificate to the clipboard and then paste it into the upper text box.
5. If you generated a new key, paste it into the middle text box, and then enter the encryption password you specified when you generated the certificate request.
6. If your certificate comes from a chained Certificate Authority, paste the intermediate certificate chain into the lower text box.
7. Click the Go button.
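The three pieces pasted into this panel (certificate, key, intermediate chain) are not checked against each other by the procedure above, and a mismatch only shows up as browser errors after the Go button. The following script is an added example, not F5 code, that runs the checks a practitioner would want beforehand with the openssl command-line tool: key matches certificate, certificate verifies through the intermediates to the CA root, certificate not expired, and subject CN equal to the FQDN entered under Hosts. File names (cert.pem, key.pem, root.pem, chain.pem) and the function names are assumptions of the example; root.pem is the CA's root certificate, which you obtain from the CA separately since the chain you paste holds only intermediates.

```shell
#!/bin/sh
# Sanity checks to run with the openssl CLI on the three pieces before pasting
# them into the Configure SSL Certificates panel: the signed certificate, the
# private key and the intermediate chain. Added example, not F5 code.
# Assumed inputs: cert.pem (signed certificate), key.pem (private key),
# root.pem (the CA's root certificate, downloaded from the CA),
# chain.pem (intermediates, the same text you paste into the lower box),
# and the FQDN entered under Hosts.

# Check 1: the private key belongs to the certificate. The public key carried
# in the certificate must equal the one derived from the private key.
cert_key_match() {   # cert_key_match CERT KEY [KEY_PASSWORD]
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  if [ -n "$3" ]; then
    key_pub=$(openssl pkey -in "$2" -pubout -passin "pass:$3" 2>/dev/null)
  else
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  fi
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check 2: the certificate chains to the CA's root through the intermediates.
# A self-signed test certificate verifies against itself (ROOT = CERT).
chain_verifies() {   # chain_verifies CERT ROOT [INTERMEDIATES]
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# Check 3: the certificate has not already expired.
cert_not_expired() { # cert_not_expired CERT
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Check 4: the subject CN is the FQDN configured under Hosts. Works with both
# the "CN = name" and the "/CN=name" subject formats that openssl prints.
# (Browsers also look at subjectAltName; this is only the quick CN check.)
cert_cn() {          # cert_cn CERT
  openssl x509 -in "$1" -noout -subject 2>/dev/null | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}
cn_matches() {       # cn_matches CERT FQDN
  [ "$(cert_cn "$1")" = "$2" ]
}

# All four checks; the first failure is reported and the status is non-zero.
check_all() {        # check_all CERT KEY ROOT FQDN [INTERMEDIATES] [KEY_PASSWORD]
  cert_key_match "$1" "$2" "$6" || { echo "private key does not match certificate"; return 1; }
  chain_verifies "$1" "$3" "$5" || { echo "certificate does not verify against the CA chain"; return 1; }
  cert_not_expired "$1"         || { echo "certificate has expired"; return 1; }
  cn_matches "$1" "$4"          || { echo "CN is '$(cert_cn "$1")', expected '$4'"; return 1; }
  echo "certificate, key and chain are consistent for $4"
}

# Usage: sh check_server_cert.sh --run cert.pem key.pem root.pem firepass.example.com chain.pem
if [ "${1:-}" = "--run" ]; then
  shift
  check_all "$@"
fi
```

If the key was generated with an encryption password (step 8 of the request procedure), pass that password as the sixth argument; it is the same password the panel asks for in step 5 above.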
Using client certificates to authenticate a user’s computer
The server certificate verifies the server’s identity to a user’s computer. You can also require client certificates, verifying the identity of a user’s computer to the server or limiting access to particular FirePass Webifyers.
Client certificates can be used as part of a two-factor authentication system, where users must have a valid client certificate installed on their computer in addition to knowing their user name and password. Alternatively, valid client certificates can be used to restrict access to particular Webifyers. For example, access to the FirePass server SSL VPN service can be limited to a laptop computer equipped with a valid client certificate. The user then would have access to the SSL VPN service from the laptop, but would not have access from other locations such as public access kiosks.
To use client certificates, you must have a server configured as a Certificate Authority (CA) that can generate a client root certificate and the client certificates based on the client root certificate. Or, you can purchase the client root certificate and client certificates from an external CA.
Here is an overview of the steps for using client certificates to authenticate a user’s computer:
◆ Install the client root certificate on the FirePass server. (See Installing a client root certificate, following.)
◆ Enable the validation of client certificates. (See Enabling validation of client certificates, on page 3-33.)
◆ Configure client certificate validation as part of the authentication for a group. (See Configuring client certificate authentication, on page 3-33.)
◆ Instruct users how to download and install the client certificate on their computer. (You can also email the client certificates to users.)
The FirePass server can then request and validate the computer’s client certificate against its installed client root certificate as part of the authentication process.
Whenever necessary, you can also install an optional certificate revocation list (CRL) that contains a list of client certificates for users who you want to deny access to the FirePass server. For example, you can exclude the client certificates for users who have left your company. (See Installing a certificate revocation list, on page 3-34.)
Installing a client root certificate
To install a client root certificate on the FirePass server
1. Under the Server tab on the left side of the Administrative Console, click the Security link.
2. Click the Certificates link. The Certificates screen opens.
3. In the Configure SSL Client Certificate Validation section, click the Install Cert link.
4. Do one of the following:
• Click the Browse button and select the client root certificate file.
• Copy the contents of the client root certificate and paste it into the text box.
5. Click the Install Certificate button.
Note: You can only have one client root certificate installed at any one time. If a client root certificate is already installed, it is overwritten when you install the new one. You can also delete the existing client root certificate by clicking the Delete Certificate button if you do not want any root certificate installed.
Enabling validation of client certificates
To enable validation of client certificates
1. After you have installed a client root certificate, select the Request and Validate Client Certificate option on the Certificates panel to enable validation of client certificates. This option configures the FirePass server to request a client certificate as part of the SSL session negotiation, which occurs before the client computer attempts to log in to the FirePass server. The server also validates and logs the client’s certificate, but it does not restrict access to the server. For information on restricting access using client certificates, see Configuring client certificate authentication, following.
2. (Optional) To have the server automatically enter the user name on the Login panel with the common name (CN) of the client certificate, select the Auto-fill Login Username with Certificate Common Name option. This is useful if the client certificate common name is the same as the user’s login name. The user must still enter a valid password to gain access to the FirePass server.
Configuring client certificate authentication
After installing the client root certificate and enabling the validation of client certificates, you can configure client certificate validation as part of the authentication for a group.
To configure client certificate authentication
1. Under the Server tab, click the Authentication link. From the For the group drop-down list, select the group that you want to set up authentication for.
2. In the Configure Client-Side SSL Certificate Validation section, choose one of the following options from the Client Certificate drop-down menu:
• Not Required. This option disables client certificate authentication. The FirePass server requests and logs a client certificate, but users without client certificates are given access to the server.
• Required for User Login. This option enables client certificate authentication for user login and requires a valid client certificate for two-factor authentication of users. For example, you can configure a combination of internal database authentication with client certificate validation. To require that the user name on the Login panel must match the common name (CN) of the client certificate, select the Login Username Must Match Certificate Common Name option.
• Required for Access to Select Webifyers. This option enables client certificate authentication for access to a set of Webifyers that you specify. Click the Webifyers Requiring Client Certificate for Access option and then select the Webifyers you want to restrict access to. (You can also restrict access to these Webifyers by choosing the Limit option in the Client Certificate Validation section of each Webifyer management panel.) To require that the user name on the Login panel must match the common name (CN) of the client certificate, select the Login Username Must Match Certificate Common Name option.
Installing a certificate revocation list
To install a certificate revocation list (CRL) on the FirePass server
1. Under the Server tab on the left side of the Administrative Console, click the Security link.
2. Click the Certificates link. The Certificates screen opens.
3. In the Configure SSL Client Certificate Validation section, click the Install CRL link.
4. Do one of the following:
• Click the Browse button and select the CRL file.
• Copy the contents of the CRL and paste it into the text box.
5. Click the Install CRL button.
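The three Client Certificate settings, the Login Username Must Match Certificate Common Name option and the CRL interact in ways that are easy to misread: in Not Required mode a certificate is still requested and logged but never blocks anyone, and a revoked certificate is treated the same as no certificate. The following model is an added example, not FirePass code; it encodes the rules stated in the sections above as two decision functions so that the outcome for a given group setting, certificate and login name can be checked on constructed inputs. The class names, the representation of the CRL as a set of serial numbers and the "chains to the installed root" flag are assumptions of the example.

```python
"""Model of the client certificate decisions this section describes.

Added example, not FirePass code: it folds the three Client Certificate
settings, the Login Username Must Match Certificate Common Name option
and the installed CRL into two decision functions so the outcomes can be
checked against sample inputs. Class and function names are assumptions
of this example, as is representing the CRL as a set of serial numbers.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

NOT_REQUIRED = "Not Required"
REQUIRED_FOR_LOGIN = "Required for User Login"
REQUIRED_FOR_WEBIFYERS = "Required for Access to Select Webifyers"


@dataclass
class ClientCert:
    """What the server learns about the client certificate in the SSL handshake."""
    common_name: str
    serial: int
    chains_to_root: bool   # signed by the one installed client root certificate


@dataclass
class GroupPolicy:
    mode: str = NOT_REQUIRED
    username_must_match_cn: bool = False
    restricted_webifyers: Set[str] = field(default_factory=set)


def cert_is_valid(cert: Optional[ClientCert], crl: Set[int]) -> bool:
    """Valid means: presented, chains to the installed root, not on the CRL."""
    return cert is not None and cert.chains_to_root and cert.serial not in crl


def autofill_username(cert: Optional[ClientCert]) -> str:
    """Auto-fill Login Username with Certificate Common Name: what the Login
    panel is pre-filled with (the user still has to type the password)."""
    return cert.common_name if cert is not None else ""


def decide_login(policy: GroupPolicy, cert: Optional[ClientCert], crl: Set[int],
                 login_name: str, password_ok: bool) -> Tuple[bool, str]:
    """Login decision. The password check always applies; the certificate is
    a second factor only in Required for User Login mode."""
    if not password_ok:
        return False, "password rejected"
    if policy.mode != REQUIRED_FOR_LOGIN:
        return True, "certificate requested and logged, not required for login"
    if not cert_is_valid(cert, crl):
        return False, "a valid client certificate is required for login"
    if policy.username_must_match_cn and cert.common_name != login_name:
        return False, "login name does not match the certificate CN"
    return True, "password and client certificate accepted"


def decide_webifyer(policy: GroupPolicy, cert: Optional[ClientCert], crl: Set[int],
                    login_name: str, webifyer: str) -> Tuple[bool, str]:
    """Access to one Webifyer for an already logged-in user."""
    if policy.mode != REQUIRED_FOR_WEBIFYERS or webifyer not in policy.restricted_webifyers:
        return True, f"{webifyer} is not restricted by client certificate"
    if not cert_is_valid(cert, crl):
        return False, f"{webifyer} requires a valid client certificate"
    if policy.username_must_match_cn and cert.common_name != login_name:
        return False, "login name does not match the certificate CN"
    return True, f"{webifyer} allowed by client certificate"


if __name__ == "__main__":
    # Constructed sample data: a laptop certificate, a revoked one, and a CRL.
    crl = {1002}
    laptop = ClientCert("jdoe", 1001, True)
    revoked = ClientCert("jdoe", 1002, True)
    vpn_only = GroupPolicy(REQUIRED_FOR_WEBIFYERS, True, {"SSL VPN"})
    print(decide_webifyer(vpn_only, laptop, crl, "jdoe", "SSL VPN"))    # allowed
    print(decide_webifyer(vpn_only, revoked, crl, "jdoe", "SSL VPN"))   # denied, revoked
    print(decide_webifyer(vpn_only, None, crl, "jdoe", "My Files"))     # allowed, not restricted
```

The sample at the bottom is the laptop scenario from the overview: the SSL VPN Webifyer is restricted to holders of a valid certificate, a user with a revoked certificate is turned away from it, and the same user still reaches an unrestricted Webifyer with nothing but the password.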
Limiting access to the administrative console by IP address
To increase the security of the FirePass server, you can limit access to the Administrative Console by source IP address and/or subnets. Your current browser’s source IP address is always allowed, in order to protect you from accidentally locking yourself out of the server.
To limit access to the Administrative Console by IP address
1. Under the Server tab on the left side of the Administrative Console, click the Security link.
2. Click the Access by IP link. The Limit IP Access screen opens.
3. In the Option 1 text box, enter the IP addresses or subnets you want to allow access to. Separate addresses in the list with a blank space. Use the format xxx.yyy.zzz.www for an explicit address, or xxx.yyy.zzz.www/vv for an address/mask. You can also use this alternative form for a subnet: xxx.yyy.zzz. For example:
192.168.2.1 192.168.2.3 192.168.2.1/16 192.168.2
4. Click the Go button next to the Option 1 text box.
5. If you want to allow unlimited access to all IP addresses again, click the Go button next to the Option 2 text box.
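The list format above has one pitfall worth checking before clicking Go: an address/mask entry such as the example's 192.168.2.1/16 has host bits set, so it means the whole 192.168.0.0/16, and the three-octet shorthand 192.168.2 admits every address in 192.168.2.0/24. The following parser is an added example, not FirePass code, written with Python's standard ipaddress module; it assumes the three forms the page lists, treats the shorthand as the containing /24, and lets you test which addresses a proposed list would admit, since the server only guarantees that your own browser's address stays allowed.

```python
"""Parser for the Limit IP Access list format described above, with a
check that a list admits the addresses it is supposed to. Added example,
not FirePass code; it assumes the three forms the page lists
(xxx.yyy.zzz.www, xxx.yyy.zzz.www/vv and the xxx.yyy.zzz shorthand) and
treats the three-octet shorthand as the /24 that contains it.
"""
import ipaddress
from typing import List


def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Turn one space-separated list element into a network object."""
    if "/" not in entry and entry.count(".") == 2:
        # xxx.yyy.zzz shorthand: every address whose first three octets match
        return ipaddress.IPv4Network(entry + ".0/24")
    # strict=False accepts an address with host bits set under a mask, so the
    # page's own example 192.168.2.1/16 becomes 192.168.0.0/16 instead of a
    # ValueError; a bare address becomes a /32
    return ipaddress.IPv4Network(entry, strict=False)


def parse_allow_list(text: str) -> List[ipaddress.IPv4Network]:
    """Entries are separated by blank space, exactly as in the Option 1 box."""
    return [parse_entry(e) for e in text.split()]


def invalid_entries(text: str) -> List[str]:
    """Entries that would not parse; worth checking before clicking Go."""
    bad = []
    for e in text.split():
        try:
            parse_entry(e)
        except ValueError:
            bad.append(e)
    return bad


def is_allowed(source_ip: str, allow_list: List[ipaddress.IPv4Network]) -> bool:
    """Would a connection from source_ip reach the Administrative Console?"""
    ip = ipaddress.IPv4Address(source_ip)
    return any(ip in net for net in allow_list)


def excluded_admins(text: str, admin_ips: List[str]) -> List[str]:
    """Administrator addresses the proposed list would shut out. Your own
    browser's address is always allowed by the server, so only the other
    administrators' addresses need this check."""
    nets = parse_allow_list(text)
    return [ip for ip in admin_ips if not is_allowed(ip, nets)]
```

Run excluded_admins with the list you intend to enter and the addresses every administrator connects from; anything it returns would be locked out as soon as the list takes effect.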
What’s next?
Now that FirePass server security is set up, you are ready to use the Administrative Console to finish the remaining configuration tasks:
• Configure the Webifyers that you want to make available to users. For example, configure the SSL VPN Webifyer, if necessary. For more information, see Chapter 4, Configuring the FirePass Webifyers.
• (Optional) If necessary, customize the appearance of the user’s home panel, such as the logo and terms used for logging in. For more information, see Customizing the user’s home page, on page 5-31.
4 Configuring the FirePass Webifyers
• Overview of the FirePass Webifyers
• Configuring the My Files Webifyer
• Configuring the My NFS Webifyer
• Configuring the My Intranet Webifyer
• Configuring the My E-mail Webifyer
• Configuring the Terminal Services Webifyer
• Configuring the AppTunnels Webifyer
• Configuring the Host Access Webifyer
• Configuring SSL-VPN
• Configuring the My Desktop Webifyer
• Configuring the X-Windows Access Webifyer
• Using client certificate validation for Webifyers
Overview of the FirePass Webifyers
The FirePass™ Webifyers™ provide remote users with web-based remote access to a wide variety of network applications and resources, including email servers, Intranet servers, file servers, terminal servers, and legacy mainframe, AS/400, Telnet, and X-Windows applications. Each Webifyer renders its respective resource into and out of Web browser formats. The Webifyer’s particular tasks are dictated by the application being accessed and the protocol being supported. Webifyers are separately licensed. These Webifyers are available with Release 4.0:
◆ My Files. Allows remote users to browse, upload, download, move, copy, or delete files on shared directories. Supports SMB Shares, Windows Workgroups, Windows NT 4.0 and Windows 2000 domains, and Novell 5.1/6.0 with Native File System pack. (See Configuring the My Files Webifyer, on page 4-3.)
◆ My NFS. Allows remote users to browse, upload, download, move, copy, or delete files on UNIX NFS servers. (See Configuring the My NFS Webifyer, on page 4-6.)
◆ My Intranet. Allows remote users access to internal Web servers, including Outlook Web Access email servers. (See Configuring the My Intranet Webifyer, on page 4-8.)
◆ My E-mail. Allows remote users access to POP/IMAP/SMTP email servers and LDAP address books using a Web browser. Users can send and receive messages, download attachments, and attach files stored on the internal LAN to send email messages. (See Configuring the My E-mail Webifyer, on page 4-11.)
◆ Terminal Services. Provides remote users with Web-based access to Microsoft Terminal Servers, Windows XP network-access-enabled desktops, Citrix® MetaFrame applications, and VNC servers. No additional enabling software is required on the Terminal Servers or Windows XP computers being accessed. (See Configuring the Terminal Services Webifyer, on page 4-15.)
◆ AppTunnels. Provides access from client applications on remote users’ computers to TCP/IP application servers. The AppTunnels Webifyer enables a client-side application to communicate back to the corporate application server using a secure tunnel between the user’s Web browser and the FirePass server. (See Configuring the AppTunnels Webifyer, on page 4-18.)
◆ Host Access. Provides remote users with Web-based access to legacy VT100, VT320, Telnet, X-Term, and IBM 3270/5250 applications without any modifications to the applications or application servers. (See Configuring the Host Access Webifyer, on page 4-21.)
◆ SSL VPN. Provides remote users with the functionality of a traditional IPSec VPN client. Unlike an IPSec VPN client, the SSL VPN Webifyer does not require any pre-installed software or configuration on the remote user’s computer, and no server-side changes are required. (See Configuring SSL-VPN, on page 4-23.)
◆ My Desktop. Provides employees with full remote control access to their desktop computers on the internal LAN. (See Configuring the My Desktop Webifyer, on page 4-31.)
◆ X-Windows Access. Provides remote users with access to X-Windows applications hosted on UNIX and Linux servers.
Because you configure Webifyers separately for each group, you can allow different types of access to different groups of users. For example, you can allow one group of users to use SSL VPN, and prevent another group from using it.
Configuring the My Files Webifyer
The My Files Webifyer allows remote users to browse and view files stored on internal LAN file servers. As the FirePass administrator, you can configure the My Files Webifyer to limit access for a particular group to the file shares you specify. The FirePass server does not allow unrestricted browsing, or browsing folders above the level of the share you specify.
Defining Network Folder Favorites for the My Files Webifyer
To define a network folder favorite for the My Files Webifyer
1. Under the Webifyers tab, click the My Files link.
2. From the For the group drop-down list, select the group that you want to configure the My Files Webifyer for.
3. In the Edit Network Folder Favorites section, click the Add New link.
4. In the Name box that appears, specify a name for the file share that you are defining as a My Files Favorite. This name is displayed as a label for the My Files Favorite in each user’s Web browser under the My Network Files icon. For example: Company Literature.
Important: The Administration Console does not verify the path you specify, so be sure to enter it correctly.
5. In the Path box, specify a path for the file share in Microsoft UNC format. For example:
\\server-name\share_name
You can also use the variables %username% or %group% in the path to insert the user’s login name or group in the path. For example, you might define a path for a favorite to each user’s folder that is named the same as the user’s login name. That is, the path \\server-name\%username% links to \\server-name\john_doe for the user with the login name of john_doe.
6. Click the Add New button.
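Because the Administration Console does not verify the Path box, and because %username% is substituted from whatever the user's login name happens to be, it is worth checking the expanded path rather than only the template. The following is an added example, not FirePass code: it expands %username% and %group% exactly as the page describes and then checks that the result still has the \\server-name\share_name shape with no empty, relative or illegally named components. The rule that a component may not contain the characters \ / : * ? " < > | or be . or .. is an assumption of the example, taken from the usual Windows naming rules rather than from the guide.

```python
"""Expands and sanity-checks a My Files Network Folder Favorite path.

Added example, not FirePass code. The Administration Console does not
verify the path, so this checks the Microsoft UNC shape before you enter
it and shows what %username% and %group% expand to for a given user. The
rule that a component may not contain \\ / : * ? " < > | or be . or .. is
an assumption of this example, taken from the usual Windows naming rules.
"""
from typing import List, Tuple

FORBIDDEN_CHARS = set('/:*?"<>|')


def expand_path(template: str, username: str, group: str) -> str:
    """Substitute the two variables the page documents."""
    return template.replace("%username%", username).replace("%group%", group)


def unc_problems(path: str) -> List[str]:
    """Return the problems found; an empty list means the path looks usable."""
    problems = []
    if not path.startswith("\\\\"):
        return ["path must start with \\\\server-name"]
    parts = path[2:].split("\\")
    if len(parts) < 2:
        problems.append("path must name a share: \\\\server-name\\share_name")
    for part in parts:
        if part == "":
            problems.append("empty component (double backslash inside the path)")
        elif part in (".", ".."):
            problems.append(f"relative component {part!r} is not allowed")
        elif any(c in FORBIDDEN_CHARS for c in part):
            problems.append(f"component {part!r} contains a character not allowed in UNC names")
    return problems


def favorite_for_user(template: str, username: str, group: str) -> Tuple[str, List[str]]:
    """Expand the template for one user and validate the result, not just the
    template: a login name containing a backslash or '..' would otherwise turn
    a per-user favorite into a path outside the intended tree."""
    path = expand_path(template, username, group)
    return path, unc_problems(path)
```

A practical use is to run favorite_for_user over the template and every login name in the group before entering the favorite; any non-empty problem list points at a name that needs attention.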
Limiting a group’s access to the Network Folder Favorites
If you want to limit a group’s access to the Network Folder Favorites you specified, select the Limit MyNetwork Access to Folder Favorites Only option.
Enabling virus scanning and file uploading for the My Files Webifyer
By default, users can download files with the My Files Webifyer. You can also choose to allow users in a group to upload files, and you can enable virus scanning of all downloaded and uploaded files. If the FirePass server detects a virus in the files, it terminates the download or upload process and notes the termination in the session log.
Note: The FirePass server virus scanner is based on the open source virus signatures. For information on the latest virus signatures, see www.openantivirus.org.
To enable virus scanning for the My Files Webifyer
1. In the File Upload section of the My Files screen, select the Enable Virus Scanner option.
To update the virus signatures for the My Files Webifyer
1. In the File Upload section of the My Files screen, click the Browse button, select the VirusSignatures.credo file, and then click the Upload button.
To enable file uploading for the My Files Webifyer
1. In the File Upload section of the My Files screen, select the Enable File Upload option.
Configuring advanced settings for the My Files Webifyer
If the FirePass server contains two NICs, it is important to configure a broadcast address for the internal NIC. If there is a WINS server on your network, specify its address to facilitate name resolution of Windows servers using the My Files Webifyer.
To configure advanced settings for the My Files Webifyer
1. In the Broadcast Address box in the Advanced My Network Files Settings section, enter the broadcast address you want the FirePass server to use for network broadcasts. If the FirePass server contains one NIC, enter the server’s IP address if the address is not already entered by default. If the FirePass server contains two NICs, enter the IP address of the internal NIC (that is, the NIC connected to the internal LAN).
2. In the WINS Address box, enter the IP address of the WINS server.
Important: The WINS Address setting is required for multi-segment networks where the FirePass server and the LAN are on different network segments, or when the LAN has multiple segments. If you do not specify the IP address of the WINS server in a multi-segment LAN environment, the My Files Webifyer does not work properly.
3. In the Default Domain/Workgroup box, enter the default domain and workgroup for the FirePass server.
Important: The Default Domain/Workgroup setting is required for deployments where the IP address of the FirePass server is not on the target LAN.
4. To have the FirePass server attempt to automatically log into My Files servers and shares using each user’s FirePass login user name and password, select the Auto-login to My Network shares using FirePass user login credentials option.
Using client certificate validation for the My Files Webifyer
You can restrict access to the My Files Webifyer to users in a group who have a valid client certificate installed on their computer. For more information, see Using client certificate validation for Webifyers, on page 4-38.
Configuring the My NFS Webifyer
Like the My Files Webifyer, the My NFS Webifyer allows remote users to browse and view files stored on internal UNIX NFS file servers. As the FirePass administrator, you can configure the My NFS Webifyer to limit access for a particular group to the NFS file shares you specify. The FirePass server does not allow unrestricted browsing, or browsing directories above the level of the specified server share.
Note: FirePass users cannot access NFS shares until they have been assigned a UNIX-style User ID and Group ID. (See Using NFS user permissions from a UNIX password file, on page 3-17.)
Defining favorites for the My NFS Webifyer
To define an NFS favorite for the My NFS Webifyer
Under the Webifyers tab, click the My NFS link to open the My NFS Webifyer screen.
1. From the For the group drop-down list, select the group that you want to configure the My NFS Webifyer for.
2. In the NFS Favorites section, click the Add New link.
3. In the Name box, specify a name for the path that you are defining as a My NFS Favorite. This name is displayed as a label for the My NFS Favorite in the user’s Web browser under the My NFS Files icon. For example: Legal Documents.
4. In the Path box, specify a path for the NFS file share. For example:
server-name.company.com:/directory_name
Important: The Administration Console does not verify the path you specify, so be sure to enter it correctly.
5. Click the Add New button.
Defining NFS shared folders for the My NFS Webifyer
You can specify NFS shared folders that you want to allow remote users to browse with the My NFS Webifyer icon on the left side of the user’s Web browser window. (The My NFS favorites are displayed on the right side of the browser window.) The FirePass server queries the NFS server for any exported file systems.
To define an NFS shared folder for the My NFS Webifyer
1. In the NFS Shared Folders section of the My NFS screen, click the Add New link.
2. In the Name box, enter the name for the path that you are defining as a My NFS shared folder. This name is displayed as a label for the NFS shared folder in the user’s Web browser. For example: Public
3. In the Path box, specify a path for the NFS shared folder. For example:
server-name.company.com:/directory_name/public
Important: The Administration Console does not verify the path you specify, so be sure to enter it correctly.
4. Click the Add New button.
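Both NFS procedures above take a host:/directory path that the console does not verify, and both sections state that users cannot browse directories above the share. The following is an added example, not FirePass code; it parses the server-name.company.com:/directory_name form into its host and normalised directory, rejecting anything that is not host:/absolute/path, and models the "no browsing above the share" rule as a containment check built on Python's posixpath. How the FirePass server itself enforces that rule is not described in the guide, so the function names and the modelling are assumptions of the example.

```python
"""Parses an NFS favorite or shared-folder path (server-name.company.com:/directory_name)
and checks that a directory a user wants to browse stays inside the share.

Added example, not FirePass code: the server's own enforcement of "no browsing
above the share" is not shown in the guide, so this models the check with
posixpath normalisation; the function names are assumptions of this example.
"""
import posixpath
from typing import Tuple


def parse_nfs_path(spec: str) -> Tuple[str, str]:
    """Split 'host:/exported/dir' into (host, normalised absolute directory).
    The Administration Console does not verify this field, so reject anything
    that is not host:/absolute/path up front."""
    host, sep, directory = spec.partition(":")
    if not sep or not host or not directory.startswith("/"):
        raise ValueError(f"expected host:/absolute/path, got {spec!r}")
    if "/" in host or " " in host:
        raise ValueError(f"host part {host!r} is not a host name")
    return host, posixpath.normpath(directory)


def resolve_in_share(share_dir: str, requested: str) -> str:
    """Absolute path that a browse request for `requested` (relative to the
    share) resolves to, with . and .. components folded in."""
    return posixpath.normpath(posixpath.join(share_dir, requested.lstrip("/")))


def within_share(share_dir: str, requested: str) -> bool:
    """True only if the resolved path is the share itself or lies below it.
    This is the rule that stops 'directory above the share' browsing. The
    trailing slash in the prefix test keeps /export/docs2 from passing as
    a child of /export/docs."""
    root = posixpath.normpath(share_dir)
    target = resolve_in_share(root, requested)
    return target == root or target.startswith(root.rstrip("/") + "/")
```

The prefix comparison in within_share is the part most often got wrong in hand-written checks: comparing on the bare root string would accept a sibling directory whose name merely begins with the share name.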
Limiting a group’s access to the NFS Favorites
If you want to limit a group’s access to the NFS Favorites you specified, select the Limit NFS Access to Folder Favorites Only option.
Using client certificate validation for the My NFS Webifyer
You can restrict access to the My NFS Webifyer to users in a group who have a valid client certificate installed on their computer. For more information, see Using client certificate validation for Webifyers, on page 4-38.
Configuring the My Intranet Webifyer
The My Intranet Webifyer allows remote users to access Web servers on the internal LAN in a unified and secure way. A user can either browse the internal Web sites by the site’s name or internal IP address, or use Intranet Favorites that you define.
Defining intranet favorites for the My Intranet Webifyer
For each group, you can create a set of links to internal Web sites and URLs. You can set any of these links or the Favorites screen as the default screen that users see when displaying My Intranet for the first time during a session. You can also specify whether you want a Web site to open inside the existing browser window or in a separate window.
To define an Intranet favorite for the My Intranet Webifyer
Under the Webifyers tab, click the My Intranet link to open the My Intranet Webifyer screen.
1. From the For the group drop-down list, select the group that you want to configure the My Intranet Webifyer for.
2. In the Edit Intranet Favorites section, click the Add New link.
3. In the Name box, specify a name for the Intranet site that you are defining as a My Intranet Favorite. This name is displayed as a label for the My Intranet Favorite in each user’s Web browser under the My Intranet icon. For example: Project XYZ Web Site
In the URL text box, specify the URL for an Intranet Web server. For example: http://server-name.company.com/index.html
4. (Optional) In the URL Variables box, specify variables to be either appended or POSTed (see step 5) to the URL you specified in the URL box. URL variables are useful in supporting automatic user login to Intranet web sites or for customizing Intranet content for a user. Specify the variables in the form:
variable1=value1&variable2=value2&variable3=value3
where the %username% and %password% parameters can be used within values. The %username% and %password% parameters are replaced with the user's FirePass login user name and password. For example, suppose you specify this URL:
http://server.company.com
and these URL variables:
show_custom_content=1&user=%username%@company.com
For a FirePass user named johndoe, these variables would result in an actual Favorite link of:
http://server.company.com?show_custom_content=1&user=johndoe@company.com
5. (Optional) If you want the URL variables you specified to be POSTed instead of appended to the URL, select the Post URL Variables option. POSTing the variables is a more secure way to use a user name and password for logging into an Intranet site, because the variables are POSTed to the site instead of being included as part of the URL. For more information on URL variables, see the Online Help for the My Intranet Webifyer screen.
6. (Optional) In the Enforce User-agent box, specify a User-Agent string that the FirePass server presents to the internal Web server instead of the actual browser's User-Agent. This option is useful in situations where you need to simplify the FirePass content if errors are occurring.
Note: For Exchange 2000 OWA, it is necessary to simplify the content by specifying the following User-Agent string: Mozilla/4.7 [en] (Windows NT 4.0; U)
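The difference between appending the URL variables and POSTing them is easiest to see on a concrete favorite. The following is an added example, not FirePass code: it expands the variable1=value1&... string for one user exactly as the johndoe example above, builds the appended-form link, builds the equivalent POST request, and checks whether the password ended up in the URL, which is the exposure the Post URL Variables option avoids. It assumes that %username% and %password% are the only substituted parameters and that the variable string uses the syntax shown in step 4; the function names are the example's own.

```python
"""Builds the My Intranet favorite link for one user from a URL and a URL
Variables string, and contrasts appending the variables with POSTing them.

Added example, not FirePass code: it assumes the variable1=value1&... syntax
shown above and that %username% and %password% are the only parameters
substituted. The point it makes is the one the page makes: appended
variables end up in the URL, POSTed ones travel in the request body.
"""
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlencode, urlsplit, urlunsplit


def substitute(value: str, username: str, password: str) -> str:
    return value.replace("%username%", username).replace("%password%", password)


def expand_variables(variables: str, username: str, password: str) -> List[Tuple[str, str]]:
    """'a=1&user=%username%@company.com' -> [('a', '1'), ('user', 'johndoe@company.com')]"""
    pairs = []
    for item in variables.split("&"):
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((name, substitute(value, username, password)))
    return pairs


def favorite_link(url: str, variables: str, username: str, password: str) -> str:
    """Appended form: the variables become the query string of the link.
    Whatever is in them, the password included, is then visible in browser
    history, proxy logs and Referer headers."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += expand_variables(variables, username, password)
    # urlencode percent-encodes characters such as & and = inside values;
    # '@' is kept literal so the link reads as in the guide's example
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query, safe="@"), parts.fragment))


def post_request(url: str, variables: str, username: str, password: str) -> Dict[str, str]:
    """Post URL Variables form: the URL stays as entered and the expanded
    variables go into a form-encoded body."""
    return {
        "method": "POST",
        "url": url,
        "content_type": "application/x-www-form-urlencoded",
        "body": urlencode(expand_variables(variables, username, password)),
    }


def password_in_url(link: str, password: str) -> bool:
    """Quick check for a favorite definition: does the password land in the URL?"""
    return password in unquote_plus(urlsplit(link).query)
```

Note that a value containing & or = is percent-encoded in both forms; the FirePass screen's own encoding behaviour is not documented here, which is one more reason to test a login favorite against the target site before rolling it out to a group.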
The following table lists several other User-Agent strings.
Browser                      User-Agent String
IE 6.0                       Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)
IE 5.5                       Mozilla/4.0 (compatible; MSIE 5.5; MSN 2.5; Windows 98)
IE 5.0                       Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; CPT-IE401SP1; DigExt)
IE 4.5                       Mozilla/4.0 (compatible; MSIE 4.5; Windows NT)
IE 4.01                      Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)
Netscape 4.5                 Mozilla/4.5 [en] (Win98; U)
Netscape 3.04                Mozilla/3.04Gold (Win95; U)
Opera 5                      Opera/5.12 (Windows 2000; U) [en]
Opera 5 mimicking Netscape   Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) Opera 5.01 [en]
Tip: An easy way to enter a user agent string is to copy and paste the string from the Logons report. Click the Logons link under the Reports tab, and copy the user agent string from the User Agent column for various users in the group. Then paste the string into the Enforce User-agent box in the My Intranet Webifyer screen.
7. To open the Intranet resource in a separate window on the user’s screen, select the Open in New Window option.
8. Click the Add New button. The Intranet Favorite is added to the Default drop-down list.
9. (Optional) To specify a default My Intranet Favorite that is accessed automatically when users in the group open their My Intranet Favorites, select a favorite from the Default drop-down list.
Limiting a group’s access to the Intranet Favorites
If you want to limit a group’s access to the Intranet Favorites you specified, select the Limit MyNetwork Access to Intranet Favorites Only option.
Using client certificate validation for the My Intranet Webifyer
You can restrict access to the My Intranet Webifyer to users in a group who have a valid client certificate installed on their computer. See Using client certificate validation for Webifyers, on page 4-38.
Configuring the My E-mail Webifyer
The My E-mail Webifyer provides remote users with HTML access to multiple POP and IMAP mailboxes, and LDAP address books. After configuring a corporate email account, you can specify an LDAP server as a source of email addresses instead of using the default list of FirePass users.
Configuring an email account
To configure an email account
Under the Webifyers tab, click the My E-mail link to open the My E-mail Webifyer screen.
1. From the For the group drop-down list, select the group that you want to configure the My E-mail Webifyer for.
2. Select the Enable corporate mail account option.
3. In the Account name box, enter a name, such as Corporate Account, to identify the mail account.
4. In the Mail server box, enter the mail server’s host name or IP address, such as f22.company.com.
5. From the Type drop-down list, select the mail server type (POP or IMAP).
6. If you are using an IMAP mail server, enter a list of folders in the IMAP Folders box that you want displayed. Enter a comma between the folder names in the list. This list prevents the confusion created by mail servers that display items that are not email messages, such as contacts or calendars, as empty email messages. Users can also add to the list themselves.
7. From the Login Information drop-down list, select one of the following options:
• User supplies display and login information during first login. Select this option to obtain email information from each user when they log in for the first time.
• Use FirePass database for display and login information. Select this option to obtain each user’s email information from the FirePass server’s internal database.
• Use LDAP query for mail server, display, and login information. Select this option to obtain each user’s email information based on an LDAP query. (See Obtaining email addresses from an LDAP server, on page 4-13.)
8. Click the Update button.
Obtaining each user’s email information based on an LDAP query
You can dynamically obtain the mail server name, display name, and login information for each user based on an LDAP query.
To obtain each user’s email information based on an LDAP query
1. From the Login Information drop-down list on the My E-mail Webifyer screen, select Use LDAP query for mail server, display, and login information. A group of LDAP options appears.
2. In the LDAP server address box, enter the LDAP server name.
3. In the Port box, enter an LDAP port, such as 389.
4. If you want to use SSL, select the Use SSL Connection option.
5. In the Bind DN text box, enter the relative distinguished name to bind to.
Note: You can leave this text box blank if you want to use the server default.
6. In the Bind password box, enter a valid password.
Note: You can leave this text box blank if no authentication is required.
7. In the Search Base box, enter the DN of the entry in the tree to be used for the search. For example:
cn=Recipients,ou=Exchange,o=Acme, Inc.
8. In the Filter template box, enter a search filter. For example:
(&(uid=%s))
where %s is substituted by each user’s FirePass logon name.
9. In the Attribute for mail server box, enter the attribute in the LDAP schema that contains the mail server name.
10. In the Attribute for user’s display name box, enter the attribute in the LDAP schema that contains the user’s display name.
11. In the Attribute for user’s email address box, enter the attribute in the LDAP schema that contains the user’s email address.
12. In the Attribute for user’s logon box, enter the attribute in the LDAP schema that contains the user’s logon.
13. Click the Update button.
Disabling email attachment downloads
By default, email attachment downloads are enabled. If necessary, you can disable attachment downloads.
To disable email attachment downloads
1. In the Message Settings section of the My E-mail Webifyer screen, select the Disable attachment download option.
2. Click the Update button.
Obtaining email addresses from an LDAP server
By default, the My E-Mail Webifyer uses the FirePass internal database as a source of email addresses. Alternatively, you can specify an LDAP server as a source of email addresses.
To obtain email addresses from an LDAP server 1. In the Source for Address List section of the My E-mail Webifyer screen, select the Use LDAP server to obtain addresses option from the Address List drop-down list. A group of LDAP options appear. 2. In the LDAP Server box, enter the LDAP server’s name or IP address.
FirePass™ Server Administrator Guide
4 - 13
Chapter 4
3. In the Port box, enter an LDAP port, such as 389.
4. If you want to use SSL, select the Use SSL connection option.
5. In the Bind DN box, enter the relative distinguished name to bind to. Note: You can leave this box blank if you want to use the server default.
6. In the Bind password box, enter a valid password. Note: You can leave this box blank if no authentication is required.
7. In the Search Base box, enter the DN of the entry in the tree to be used for the search. For example:
   cn=Recipients,ou=Exchange,o=FirePass server
8. In the Filter template box, enter a search filter template. For example:
   (&(objectclass=person)(cn=*%s*))
   where %s is substituted by the user’s FirePass logon name.
9. In the Name Attribute box, specify the name attribute, which is typically cn.
10. In the Address Attribute box, enter the email address attribute, which is typically mail.
11. Click the Update button.
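The filter template in step 8 is completed by substituting each user’s logon name for %s. The Python below is an added illustration, not FirePass code and not a description of how the FirePass server performs the substitution internally: it shows how any server doing this kind of substitution should hex-escape the logon name per RFC 4515 before inserting it, and it includes a check that the resulting filter has the same number of components as the template regardless of what the name contains. The template is the one from step 8; the logon names are constructed.

```python
"""Filling in an LDAP filter template of the form used by the My E-mail
Webifyer (%s replaced by the logon name). Illustrative code, not FirePass's
own; the escaping follows RFC 4515 section 3."""

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, logon_name: str) -> str:
    """Substitute the escaped logon name for %s. The wildcards the administrator
    typed into the template (as in cn=*%s*) are kept; only the user-supplied
    part is escaped, so the name cannot add or close filter components."""
    if "%s" not in template:
        raise ValueError("filter template must contain %s")
    return template.replace("%s", escape_filter_value(logon_name))


def assertion_count(ldap_filter: str) -> int:
    """Count unescaped '(' characters, i.e. the number of filter components.
    A correctly built filter has the same count as its template."""
    count, i = 0, 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3          # skip a \xx hex escape
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count


# Template taken from the guide; the logon names below are constructed examples.
TEMPLATE = "(&(objectclass=person)(cn=*%s*))"

if __name__ == "__main__":
    for name in ["jsmith", "o'brien", "a(b)c"]:
        safe = build_filter(TEMPLATE, name)
        naive = TEMPLATE.replace("%s", name)
        print(f"{name!r}: {safe} components={assertion_count(safe)} "
              f"(unescaped substitution would give {assertion_count(naive)})")
```

The component count is a cheap invariant to test in a deployment: for the template above it is always 3 after a correct substitution, and a different value means the logon name changed the filter’s structure rather than just its search value.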
Using client certification validation for the My E-mail Webifyer
You can restrict access to the My E-mail Webifyer to users in a group who have a valid client certificate installed on their computer. For more information, see Using client certificate validation for Webifyers, on page 4-38.
Configuring the Terminal Services Webifyer
The Terminal Services Webifyer provides remote users with access to internal LAN Microsoft Terminal servers, Windows XP desktop computers, Citrix Metaframe servers, and VNC servers in a unified secure way. Users have the option to either browse the servers by their name or internal IP address, or to use favorites.
The Terminal Services Webifyer includes:
• Support for native Terminal Server-hosted applications
• Support for Citrix® MetaFrame applications
• Automatic download and installation of the correct Terminal Services or Citrix remote-platform client component, if it is needed but has not yet been installed
For each user group, you can assign options and create a set of favorite links to appropriate servers. You can also specify whether you want the terminal services to open inside the existing browser window or in a separate window.
Configuring screen resolution and Terminal Services Favorites
Under the Webifyers tab, click the Terminal Services link to open the Terminal Services Webifyer screen.
To configure screen resolution and Terminal Services Favorites
1. From the For the group drop-down list, select the group that you want to configure the Terminal Services for.
2. To set the initial screen resolution for Terminal Servers and Citrix Metaframe for the current group, select a resolution from the drop-down list in the Screen Resolution section. Users can also override this setting on an individual basis.
3. In the Edit Terminal Service Favorites section, click the Add New link.
4. In the Name box, specify a name for the terminal service that you are defining as a Terminal Service Favorite. This name is displayed as a label for the Terminal Services Favorite in each user’s Web browser under the My Terminal Services icon. For example: Citrix XYZ Application.
5. In the Host box, enter the host name or IP address of the server running the terminal service. Note: You can use a space-separated list of IP addresses or host names in the Host field for a Citrix Metaframe Server, a Citrix Metaframe Browser, and VNC. The FirePass server attempts to use the first entry in the list, and if that entry fails, the server proceeds with the other entries in the list until a working server is found.
6. From the drop-down list next to the Port box, select a server type. After you select the server type, the appropriate default value for the port is automatically entered in the Port text box. If necessary, you can enter a different server port number. Note: The Citrix Metaframe Browser type relies upon the Citrix HTTPonTCP protocol, which must be enabled on the target server. This type is useful in accessing Citrix server farms and resolving application names to an IP address and port.
7. In the Select a Program box, enter the complete path and file name of the program you want to run on the remote server, such as c:\programs\notepad.exe.
8. In the Working Dir box, enter the directory where you want to run the program, such as C:\temp.
9. To open the Terminal Service application in a separate window on the user’s screen, select the Open in new window option.
10. To allow users access to the local drives on the remote server during a terminal service session, select the Allow access to local drives option.
11. Click the Add New button.
Limiting a group’s access to the Terminal Service Favorites
If you want to limit a group’s access to the Terminal Service Favorites you specified, select the Limit MyNetwork Access to Terminal Service Favorites only option.
Using client certification validation for the Terminal Service Webifyer
You can restrict access to the Terminal Services Webifyer to users in a group who have a valid client certificate installed on their computer. For more information, see Using client certificate validation for Webifyers, on page 4-38.
Configuring the AppTunnels Webifyer
The AppTunnels Webifyer supports access from client applications on each user’s remote computer to TCP/IP application servers. The AppTunnels Webifyer enables a native client-side application to communicate back to the corporate application server using a secure tunnel between the user’s Web browser and the FirePass server.
The AppTunnels Webifyer allows FirePass users to access the client-server applications you specify. Unlike a traditional IPSec VPN client that exposes the entire network, the AppTunnels Webifyer exposes only the specific resources used by the selected applications. You can also restrict users to the particular applications they need to use.
The AppTunnels Webifyer uses the standard HTTPS protocol with SSL as the transport. As a result, the AppTunnels Webifyer works through all HTTP proxies, including public access points and private LANs, and over networks and ISPs that do not support traditional IPSec VPN clients.
The first time users access the AppTunnels Webifyer, an ActiveX control is automatically installed in their Internet Explorer browser, or a plug-in is automatically installed in their Netscape or Mozilla browsers on Windows.
You can use the AppTunnels Webifyer with the following types of applications:
• Microsoft® Outlook, PeopleSoft®, SAP®, or Oracle®
• Terminal emulators
• SSH
• Internet Mail (POP/IMAP/SMTP)
• LDAP
• Intranet web sites that rely on networked ActiveX or Java
• WEBDAV publishing
• Network drive mapping
In general, most TCP/IP-based client-server applications that do not require dynamic ports work with the AppTunnels Webifyer.
Configuring AppTunnel Favorites
Under the Webifyers tab, click the AppTunnels link to open the AppTunnels Webifyer screen.
To configure AppTunnel Favorites
1. From the For the group drop-down list, select the group that you want to configure the AppTunnels for.
2. In the Favorite AppTunnels section, click the Add New link.
3. In the Name box, specify a name for the AppTunnel Favorite. This name is displayed as a label for the AppTunnels Favorite in each user’s Web browser under the AppTunnels icon. For example: XYZ Application.
4. From the drop-down list, select an application class.
5. In the text box next to the drop-down list, enter the remote host IP address or the host name, as appropriate. Note: If you specify a host name, the HOSTS file at the access point is temporarily patched for the duration of access. This temporary patch allows the AppTunnels Webifyer to temporarily override the port settings while preserving the usual LAN settings for the applications. The original HOSTS file is restored when the AppTunnels session is terminated. Also note that on NT platforms, either a user has to have local administrative rights to modify the HOSTS file, or the attributes of the HOSTS file have to be changed by the administrator.
6. Click the Add New icon. On the next screen, the template for the AppTunnel appears.
7. If you are creating a custom AppTunnel, you need to specify remote and local ports for the connection. Generally, we recommend that you use the remote value for the local port at the access point, unless there might be a server running on the same port on a potential accessing computer. The IP address of the loopback adapter is generated automatically.
8. In the Command Line box, enter a command to start an application transparently for the user. For example:
   iexplore http://127.3.54.34/sales/automation.pl
   or
   telnet 127.3.54.34
9. Click the Save button.
10. To add a subtunnel, choose an application class from the drop-down list below the tunnel you just saved. In the text box next to the drop-down list, enter the remote host IP address or the host name. Click the Add New button next to the subtunnel’s information.
11. To rearrange the order in which the tunnels are activated, click the Move Up or Move Down buttons next to the tunnels in the Favorite AppTunnels section.
Compressing traffic between the client and the FirePass server
To compress all traffic between the client and the FirePass server using the GZip deflate method, select the Use GZIP compression option.
Limiting a group’s access to the AppTunnels Favorites
If you want to limit a group’s access to the AppTunnels Favorites you specified, select the Limit MyNetwork Access to AppTunnels Favorites only option.
Using client certification validation for the AppTunnels Webifyer
You can restrict access to the AppTunnels Webifyer to users in a group who have a valid client certificate installed on their computer. For more information, see Using client certificate validation for Webifyers, on page 4-38.
Configuring the Host Access Webifyer
The Host Access Webifyer allows remote users to access legacy applications using a Web browser. The Host Access Webifyer does not require any application modifications or any third-party software to webify interaction with hosts. There is nothing to install on the host system or server.
The following formats are supported:
• VT320 Telnet in Java
• VT320 Telnet in HTML
• TN3270, 80x24 in Java
• TN3270, 80x32 in Java
• TN3270, 132x27 in Java
• TN5250, 80x32 as ActiveX control/self-installed plug-in
You can also use a password-based SSH connection.
Configuring Host Access Favorites
Under the Webifyers tab, click the Host Access link to open the Host Access Webifyer screen.
To configure Host Access Favorites
1. From the For the group drop-down list, select the group that you want to configure Host Access for.
2. Click the Add New link.
3. In the Name box, specify a name for the host access Favorite. This name is displayed as a label for the Host Access Favorite in each user’s Web browser under the Host Access icon.
4. In the Host box, specify the host’s name or its IP address.
5. In the Port box, specify the host’s port number. In most cases, use the default 23 for host access, or use 22 if you are using SSH.
6. If you want to use SSH when accessing the host, select the Use SSH option.
7. From the Term-type drop-down list, select a type of terminal.
8. Click the Add New button.
Displaying active host access sessions
In the Host Access Server section of the Host Webifyer screen, the Administration Console displays the number of host sessions that are currently in progress. If necessary, you can restart the host access server by clicking the Restart The Host Access Server button.
Limiting a group’s access to the host access favorites
If you want to limit a group’s access to the host access favorites you specified, select the Limit MyNetwork Access to Host Access Favorites only option. Group members then are not allowed to access hosts by manually entering an IP address and port number.
Using client certification validation for the Host Access Webifyer
You can restrict access to the Host Access Webifyer to users in a group who have a valid client certificate installed on their computer. For more information, see Using client certificate validation for Webifyers, on page 4-38.
Configuring SSL-VPN
The FirePass server’s SSL VPN provides the functionality of a traditional IPSec VPN client, but it is easier to deploy. Unlike a traditional IPSec VPN client, the SSL VPN Webifyer does not require any configuration on each remote user’s computer, and no server-side changes are necessary. The FirePass server’s SSL VPN implements PPP over SSL, which is a secure solution that does not have problems with routers, firewalls, or proxies.
Whereas the AppTunnels Webifyer provides remote users with access to particular applications on a specific server and port, the SSL VPN Webifyer provides access to all applications and network resources, unless you configure restrictions. As with the AppTunnels Webifyer, the SSL VPN Webifyer uses the standard HTTPS protocol, works through all HTTP proxies, and leverages all of the setup, security, availability, and management features of the FirePass server.
The SSL VPN Webifyer provides these benefits:
◆ Browser-based access to client-server applications. The self-configuring SSL VPN Webifyer does not require any pre-installed, pre-configured software on the remote system. Field staff and travelers can access their applications without needing any individual setup or configuration of their computers. The SSL VPN Webifyer supports UDP and TCP applications.
◆ Simple maintenance. Upgrades or replacement of field computers do not require any additional VPN-related maintenance, and changes to the host network or IP address can be made without reconfiguring each remote user’s computer.
◆ Split tunneling. If this option is enabled, only traffic intended for the target LAN goes through the SSL VPN Webifyer. All of the user’s other Internet activity is unchanged, and is handled by the ISP as though the SSL VPN Webifyer were not deployed.
◆ Packet-based, group-based firewall. Groups of users can be restricted to particular ports and addresses within the LAN. This feature allows full client-server application support without opening the entire network up to each user.
In addition, the FirePass server’s SSL VPN has global and group-based packet filters, so that you can define groups of users with different access rights.
Note: The first time users access the AppTunnels Webifyer, an ActiveX control is automatically installed in their Internet Explorer browser, or a plug-in is automatically installed in their Netscape or Mozilla browsers on Windows.
Configuring global SSL VPN settings
First, configure the global SSL VPN settings that apply to all groups, and then configure the SSL VPN Webifyer settings for each group.
To configure the global SSL VPN settings
1. Under the Server tab on the left side of the Administrative Console, click the Security link.
2. Click the SSL VPN link.
3. In the Network Address and Mask boxes, enter the network address and network mask for the subnet you want VPN users to use. In other words, a user who uses VPN to access the server is assigned an IP address in this subnet. Note that it is a network and not a single host IP address. (The address ends with .0.)
4. Do one of the following:
• To use NAPT to access the LAN, enable the Use NAPT to Access LAN option.
• To use a virtual subnet, disable the Use NAPT to Access LAN option.
Here is a comparison of the two methods of using the Use NAPT to Access LAN option to configure a VPN back end.

                                                        | Virtual Subnet             | NAPT
Does not require infrastructure changes on the network  | No                         | Yes
IP addresses used                                       | Pool of virtual subnet IPs | Single FirePass IP address
Supports Microsoft Networking                           | Yes                        | No
Works with most client-server applications              | Yes                        | Yes
Works with more demanding networking applications       | Yes                        | No

For example, use NAPT when you only need to provide Outlook users with complete Exchange access. VPN configuration is completely limited to the FirePass server. The use of a virtual network ensures complete transparency. A disadvantage is that the surrounding infrastructure has to be configured to route IP traffic to the virtual network IP addresses.
Note: The pool of addresses is used in both cases to issue addresses to the remote endpoints.
Warning: The pool of addresses for the VPN must not contain the FirePass server address. Otherwise, severe routing problems can occur.
5. Click the Apply these rules now button.
Configuring global SSL VPN packet filter rules
You can specify a set of global packet filter rules that are activated whenever a user starts the SSL VPN Webifyer. Each packet coming from a VPN client is first checked against an optional group rule set (see Configuring group packet filter rules, on page 4-29), and if no group rule is matched the packet is checked against the global rules. If there is no match, the packet is rejected. If a matching rule is found, the packet is accepted or rejected depending on the action you assigned to the rule. The rules are applied top to bottom in the order you create them on the VPN Settings screen.
Warning: If you enable the packet filter, but no rules are defined, all traffic is rejected.
To configure the global packet filter rules
1. On the VPN Settings screen, select the Use packet filter to access LAN option. The VPN Settings screen displays the Packet Filter Rules section.
2. In the Packet Filter Rules section, click the Add New Rule link.
3. From the Proto drop-down list, select a single protocol or all protocols.
4. In the Port box, enter a port number or a port range in the first:last format. To specify any port, enter 0:65535.
5. In the Address/Masks text box, enter a destination IP address:
• For a host, such as 192.168.2.1
• For a subnet/mask, such as 192.168.2.0/24 or 192.168.2.0/255.255.255.0
• For any address and mask, use 0/0
6. From the Action drop-down list, select an action for the rule (Accept or Reject).
7. Click the Save button to save the rule.
8. Click the Apply these rules now button to apply the rules.
Configuring global SSL VPN timeout rules
To configure the global timeout rules
1. On the VPN Settings screen, select the Use packet filter to access LAN option. The Packet Filter Rules section is displayed on the VPN Settings screen.
2. In the Timeout Rules section, click the Add New Timeout Rule link.
3. From the Proto drop-down list, select a single protocol or all protocols.
4. In the Port box, enter a port number or a port range in the first:last format. To specify any port, enter 0:65535.
5. In the Address/Masks box, enter a destination IP address:
• For a host, such as 192.168.2.1
• For a subnet/mask, such as 192.168.2.0/24 or 192.168.2.0/255.255.255.0
• For any address and mask, use 0/0
6. From the Action drop-down list, select an action for the rule (Accept or Reject).
7. Click the Save button to save the rule.
8. Click the Apply these rules now button to apply the rules.
Configuring global SSL VPN client appearance
You can configure global settings that determine how the SSL VPN client appears on each remote user’s computer.
To configure the global SSL VPN client appearance
1. In the Client Appearance section of the VPN Settings screen, select the Do not display tray icon for connection option to hide the status monitor in the tray area. Note: This setting works on Windows 2000 and XP computer systems only.
2. In the Displayed bandwidth B/Sec box, enter a bandwidth value to display in the status window of the VPN adapter on Windows.
3. Click the Save button.
Configuring the SSL VPN Webifyer for a group
Under the Webifyers tab, click the SSL VPN link to open the SSL VPN Webifyer screen.
To configure the SSL VPN Webifyer for a group
1. From the For the group drop-down list, select the group that you want to configure SSL VPN for.
2. In the Connection name box, enter a name for the SSL VPN Favorite. This name is displayed as a label for the SSL VPN Favorite in each user’s Web browser under the SSL VPN icon.
3. In the DNS address box, enter a space-separated list of IP addresses for the internal company DNS servers. These are conveyed to the remote user’s access point.
4. In the WINS address box, enter a space-separated list of IP addresses for the internal company WINS servers. These are conveyed to the remote access point. Important: The WINS addresses are required for Microsoft Networking to operate properly. Note: Microsoft network browsing does not work in a configuration using network address translation (NAT).
5. (Optional) To have only the traffic targeted at a specified address space go through the SSL VPN Webifyer, select the Use split tunneling option. All of the remote user’s other Internet activity is handled by the user’s ISP. For example, you might want to enable this option if a company does not want a remote user’s personal Internet activity to be channeled through the company network. Alternatively, you might want to disable this option if your company’s security policy is to perform a virus scan on all files a remote user accesses.
6. Click the Update button to update the screen.
7. If you selected the split tunneling option, the LAN Address Space box appears. Enter a space-separated list of addresses or address/mask pairs describing the target LAN to use for split tunneling. Only the traffic to these addresses and network segments goes through the SSL VPN.
8. To have the SSL VPN client work through a proxy server on the target network, select the Client proxy settings option. Note: The Client Proxy Settings option requires Internet Explorer 5.0 or later to be installed on the user’s computer or access point.
9. Click the Update button to update the screen.
10. If you selected the Client proxy settings option, do the following:
a) In the Address box and the Port box, enter the IP address and port number of the proxy server you want the SSL VPN client to use to connect to the Internet.
b) To use the proxy server for all local (Intranet) addresses, select the Bypass proxy for local addresses option.
c) In the Proxy exclusion list box, enter the Web addresses that do not need to be accessed through the proxy server. You can use wild cards to match domain and host names or addresses. For example:
   www.*.com; 128.*, 240.*, *.mygroup.*, *x*
11. (Optional) To prevent all network configuration changes on the client computer during an SSL VPN client session, select the Prohibit routing table changes during SSL VPN connection option, further down the screen. When this option is selected, the SSL VPN connection terminates if any network configuration changes are made on the client computer. For example, if a user has an SSL VPN connection established, and then starts a new dial-up connection or inserts a new network card, the SSL VPN connection terminates. This option is useful for security reasons.
12. To compress all traffic between the SSL VPN client and the FirePass server using the GZip deflate method, select the Use GZIP Compression option.
Configuring group packet filter rules
If you have first enabled global SSL VPN packet filter rules (see Configuring global SSL VPN packet filter rules, on page 4-25), you can then specify a set of optional group rules that are activated whenever a user starts the SSL VPN client. Each packet coming from a VPN client is first checked against the group rule set, and if no group rule is matched, the packet is checked against the global rules. If there is no match, the packet is rejected. If a matching rule is found, the packet is accepted or rejected depending on the action you assigned to the rule. The rules are applied top to bottom in the order you create them on the SSL VPN Settings screen.
To configure the group packet filter rules
1. If you have not already done so, select the Use Packet Filter to Access LAN option on the SSL VPN Settings screen (under the Server tab, click the Security link, then click the SSL VPN option). (See Configuring global SSL VPN packet filter rules, on page 4-25.)
2. In the Group Packet Filter section of the SSL VPN Webifyer screen, click the Add new rule link.
3. From the Proto drop-down list, select a single protocol or all protocols.
4. In the Port box, enter a port number or a port range in the first:last format. To specify any port, enter 0:65535.
5. In the Address/Masks box, enter a destination IP address for a host (such as 192.168.2.1) or a subnet/mask (such as 192.168.2.0/24 or 192.168.2.0/255.255.255.0). To specify any address and mask, enter 0/0.
6. From the Action drop-down list, select an action for the rule (Accept or Reject).
7. Click the Save button to save the rule.
8. Click the Apply these rules now button to apply the rules.
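The group and global packet filter rules described above, and the split-tunnel LAN Address Space entered in the previous procedure, all use the same address and port formats. The Python below is an added model of that behaviour, not FirePass code: it implements the evaluation order the guide describes (group rules first, then global rules, top to bottom, first match decides, no match means Reject) and parses the three address forms the Address/Masks box accepts plus the 0/0 shorthand. The rule sets, addresses and ports are constructed examples; running it with empty rule sets reproduces the warning that an enabled filter with no rules rejects everything.

```python
"""Evaluation model for the FirePass SSL VPN packet filter (group rules, then
global rules, default Reject) and the split-tunnel LAN Address Space list.
Illustrative re-implementation, not FirePass code."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One row of a Packet Filter Rules table, in the formats the console accepts."""
    proto: str      # "tcp", "udp", "icmp" or "all" (the Proto drop-down)
    ports: str      # "first:last" as typed in the Port box; "0:65535" means any port
    address: str    # host, net/prefix, net/dotted-mask or "0/0" (the Address/Masks box)
    action: str     # "Accept" or "Reject" (the Action drop-down)


def parse_ports(spec: str) -> Tuple[int, int]:
    """Parse "first:last"; a bare number is treated as a single port."""
    first, sep, last = spec.partition(":")
    lo = int(first)
    hi = int(last) if sep else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return lo, hi


def parse_address(spec: str) -> ipaddress.IPv4Network:
    """Accept the forms the guide lists: a host (192.168.2.1), a prefix length
    (192.168.2.0/24) or a dotted mask (192.168.2.0/255.255.255.0).
    "0/0" is the console's shorthand for any address and mask."""
    if spec == "0/0":
        return ipaddress.IPv4Network("0.0.0.0/0")
    # IPv4Network understands both prefix-length and dotted-mask notation;
    # strict=False tolerates host bits set in the network part.
    return ipaddress.IPv4Network(spec, strict=False)


def rule_matches(rule: Rule, proto: str, dst_ip: str, dst_port: int) -> bool:
    """A rule matches when protocol, destination port and destination address all match."""
    if rule.proto != "all" and rule.proto != proto:
        return False
    lo, hi = parse_ports(rule.ports)
    if not lo <= dst_port <= hi:
        return False
    return ipaddress.IPv4Address(dst_ip) in parse_address(rule.address)


def filter_packet(group_rules: Iterable[Rule], global_rules: Iterable[Rule],
                  proto: str, dst_ip: str, dst_port: int) -> str:
    """Group rules are tried first, top to bottom, then the global rules. The first
    matching rule decides; a packet that matches nothing is rejected, so an enabled
    filter with no rules at all rejects every packet."""
    for rule in list(group_rules) + list(global_rules):
        if rule_matches(rule, proto, dst_ip, dst_port):
            return rule.action
    return "Reject"


def goes_through_vpn(dst_ip: str, lan_address_space: str) -> bool:
    """Split tunneling: the LAN Address Space box holds a space-separated list of
    addresses or address/mask pairs; only traffic to those enters the SSL VPN."""
    dst = ipaddress.IPv4Address(dst_ip)
    return any(dst in parse_address(spec) for spec in lan_address_space.split())


# Constructed sample rule sets; the addresses are illustrative, not from the guide.
GROUP_RULES: List[Rule] = [
    Rule("tcp", "3389:3389", "192.168.2.0/24", "Reject"),           # this group may not reach RDP
]
GLOBAL_RULES: List[Rule] = [
    Rule("tcp", "0:65535", "192.168.2.0/255.255.255.0", "Accept"),  # dotted-mask form
    Rule("udp", "53:53", "192.168.2.53", "Accept"),                  # host form
]

if __name__ == "__main__":
    for pkt in [("tcp", "192.168.2.10", 3389), ("tcp", "192.168.2.10", 443),
                ("udp", "192.168.2.53", 53), ("udp", "10.0.0.1", 53)]:
        print(pkt, "->", filter_packet(GROUP_RULES, GLOBAL_RULES, *pkt))
    print("no rules at all ->", filter_packet([], [], "tcp", "192.168.2.10", 443))
    print("split tunnel 192.168.2.10 ->",
          goes_through_vpn("192.168.2.10", "192.168.2.0/24 10.1.0.0/255.255.0.0"))
```

Because the group rule for port 3389 is evaluated before the broad global Accept for the whole subnet, the order of the two tables matters as much as their contents; reversing them in this model would let the RDP packet through, which is the behaviour to keep in mind when a group rule is meant to carve an exception out of a global rule.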
Configuring drive mappings for the SSL VPN Webifyer
You can preconfigure the network shares that are automatically mapped at the access point computer after the SSL VPN connection is established.
To configure drive mappings
1. In the Name box in the Drive Mappings section of the SSL VPN Webifyer screen, enter a name for the mapping.
2. In the Path box, enter a UNC path to the network share. Important: The Administration Console does not verify the path you specify, so be sure to enter it correctly.
3. From the Map To drop-down list, select the preferred drive letter to map the network share to.
Note: If the drive letter is taken, another letter is chosen at connection time.
Launching applications automatically with the SSL VPN Webifyer
You can have applications launch automatically whenever users in a group use the SSL VPN Webifyer. Under the Webifyers tab, click the SSL VPN link to open the VPN client settings screen.
To launch applications automatically
1. In the App Path box of the Launch Applications section of the SSL VPN screen, enter the complete path and file name of the application you want to launch. For example:
   iexplore http://127.3.54.34/sales/automation.pl
2. In the Parameters box, enter any required parameters for the application.
3. Click the Add button.
4. To display a message before launching the application, select the Display message box before launching applications option.
Using client certification validation for the SSL VPN Webifyer
You can restrict access to the SSL VPN Webifyer to users in a group who have a valid client certificate installed on their computer. For more information, see Using client certificate validation for Webifyers, on page 4-38.
Configuring the My Desktop Webifyer
The My Desktop Webifyer provides employees with full remote control access to their desktop computers on the internal LAN. Employees can also use the My Desktop Webifyer to grant access to their desktop computers to guest users.
The My Desktop Webifyer features include:
◆ Screen Sharing. Users can remotely access and control their desktop computers from any full Web browser.
◆ Guest Access. Users can invite remote guests to view their computer’s screen or files in real time, and optionally share cursor and keyboard control. This feature can be used for Web conferences that include up to 10 guests.
◆ My Outlook and Lotus Notes Webifyers. Users have access to Outlook and Notes desktop clients with rich functionality over slow connections or small-format remote devices.
◆ My Explorer and Internet Favorites. Users can use their desktop computers to access Intranet/Internet sites and desktop Internet shortcuts.
Note: For information on downloading the My Desktop software, see Installing My Desktop client software at a user’s computer, on page 3-22.
Configuring the My Desktop server ports
By default, the FirePass server uses port 80 for HTTP, and port 443 for HTTPS for the My Desktop Webifyer. If the My Desktop client software detects that port 80 or 443 is in use, the software automatically uses different ports. If those ports are or might be in use, you can also manually configure a different set of default ports. Any firewalls between the server and the desktop computer must be configured appropriately to allow traffic on the ports you configure.
Note: The HTTPS port on the desktop computer must be accessible from the FirePass server.
To configure the My Desktop ports
1. Under the Desktop tab on the left side of the Administrative Console, click the Settings link. The Default Desktop Software Server TCP Ports screen opens.
2. In the HTTP port box and the HTTPS port text box, enter the default port assignments for the My Desktop Webifyer.
Configuring My Desktop Webifyer for cluster servers
If you are using a cluster of FirePass servers, select the Disable Desktop Key Refresh option on the Default Desktop Software Server TCP Ports screen. Key Refresh is an extra security precaution that must be disabled for a cluster configuration. For more information on clusters, see Using FirePass server clusters, on page 7-5.
Disabling bridge access to desktops
The bridge is a highly scalable, dynamic port-forwarding mechanism that uses a range of high ports on the FirePass server to tunnel the HTTPS traffic directly to the server. The resulting SSL session is between the Web browser and the desktop computer. The bridge is a secure mechanism. Any non-authenticated request that comes from the same access IP address to the same port on the bridge is redirected back to the logon screen. Only authenticated traffic is accepted by the My Desktop software running on the desktop computer. If you select the Disable Bridge Access to Desktop option, all traffic goes through port 443, which results in slight performance degradation.
Using client certification validation for the My Desktop Webifyer
You can restrict access to the My Desktop Webifyer to users in a group who have a valid client certificate installed on their computer.
To use client certification validation for the My Desktop Webifyer
1. Under the Server tab, click the Authentication link. The Authentication Scheme screen opens.
2. From the For the group drop-down list, select the group that you want to use client certification validation for.
3. From the Client Certificate drop-down list in the Configure Client-Side SSL Certificate Validation section, select Required for access to select webifyers.
4. Click the Webifyers requiring client certificate for access option.
5. Select the My Desktop Webifyer.
6. To require that the user name on the Login screen must match the common name (CN) of the client certificate, select the Login username must match certificate common name option.
Configuring the Guest Access Webifyer
The Guest Access Webifyer provides users with collaborative features for the My Desktop Webifyer. For example, when users are using the My Desktop Webifyer, they can use the Guest Access Webifyer to invite a person outside of the corporate network to share files and to view and control their desktop computer screen. As the administrator, you can choose to enable or disable the Guest Access Webifyer for a group of users. You can also set a default method for how users send an invitation to their guest users.
To configure the Guest Access Webifyer
Under the Webifyers tab, click the Guest Access link to open the Guest Access Webifyer screen.
1. From the For the group drop-down list, select the group that you want to configure Guest Access for.
2. To enable the Guest Access Webifyer for the selected group, select the Allow Guest Access option.
3. From the drop-down list, select a method for how users send an invitation to their guest users.
4. If you chose Internet mail, enter the name or IP address of the SMTP mail server for the desktop computer.
5. Click the Apply button.
Configuring the X-Windows Access Webifyer FirePass X-Windows Access allows users to connect to UNIX and Linux applications and application servers, from any standard web browser (so long as it is either Java or Active-X enabled). FirePass X-Windows Access supports any network application making use of the X protocol specification. Architecturally, FirePass X-Windows Access implements an X-Server on the FirePass server itself. This server acts as a proxy user of a UNIX-based client-server application. In this role, the FirePass server interacts with the application internally in the network, and then renders the X-Server output into encrypted, browser-readable output. The FirePass Systems Administrator can configure target UNIX and Linux hosts to be made available to remote users. For each group, he also can specify whether group members can add their own favorite hosts not already on their group's collective list of favorites. If group members are permitted to add their own individual favorites, they configure them in the same way an administrator configures favorites for the group, using an identical interface.
Configuring X-Windows hosts for remote access You can configure or add an X-Windows application host for FirePass remote access. Remember that each Group needs to be separately configured.
To configure an X-Windows host
1. From the Webifyers tab, click the X Windows link. The My X Windows Webifyer screen opens.
2. In the For the group list, select the group for which you want to provide or modify access.
3. Check the Limit access to... favorites only box to restrict the group you are configuring to only the hosts you set up for the group. If your policy allows members of this group to configure their own host sessions, leave this box unchecked.
4. Use the buttons available for each host, and click the appropriate one to edit, add, or delete one or more hosts for this group.
To add a host
1. From the Webifyers tab, click the X Windows link. The My X Windows Webifyer screen opens.
2. In the For the group list, select the group for which you want to provide or modify access.
3. Click the Add New Favorite link (or the green X button next to it). The screen refreshes to provide input boxes.
4. In the Name box, supply a user-friendly name consisting of any alphanumeric string. You may use spaces, but do not use slashes or special characters.
5. In the Screen Access box, select one option:
• If all the users in the group access this application only from Windows-based systems, select Advanced Real-Time. Advanced Real-Time uses ActiveX controls, available only on Windows.
• Otherwise, or if you are not sure, select Java Real-Time.
6. In the Terminal Type box, select Telnet or SSH, depending on which access method the target host supports. Telnet carries the logon credentials and the whole session between the FirePass server and the host in clear text, so use SSH wherever the host supports it.
7. In the Host box, enter the IP address or host name of the target host. You can specify any system using the X interface here.
8. Check the Remember login/password box to have the FirePass server log on to the host automatically, using the credentials supplied in the Login/Password boxes (below). If this box is unchecked, the FirePass server presents a signon screen to the user at the time of access. A stored credential is shared by every member of the group, so the target host sees all of them as the same UNIX account; leave the box unchecked where you need per-user accountability on the host.
9. In the Login / Password boxes, provide the default logon and password to be used. These credentials are used only if the Remember login/password box (above) is checked.
10. In the Xwindow type box, select an option:
• If the host system uses a KDE, Gnome, Open Look, or TWM graphical interface, select it here. The FirePass server launches the selected program automatically.
• Otherwise select Custom command, and enter the user's initial command below.
11. In the Custom command box, enter the first command to be executed from the UNIX prompt following logon. This command ordinarily starts a shell or a graphical interface.
12. In the Resolution box, set the screen resolution for the FirePass X-Windows server session. This selection governs the webified X-Windows output sent to the remote browsers.
If you are unsure of the resolution of the likely remote systems, the safest choice is the lowest resolution (640 by 480 pixels).
Editing X-Windows host configuration details You can change the configuration details for a host from the My X Windows Webifyer screen.
To edit an X-Windows host configuration
1. Be sure to select the group for which you want to provide or modify access in the For the group list.
2. To modify the configuration details, click one of the following:
• The server name
• The green X icon to the left of the server name
• The edit icon to the right of the server name
3. Edit the host or logon details as needed.
Deleting a host You can use the My X Windows Webifyer screen to remove a host from the Favorites list.
To delete a host from the Favorites list
1. Click the delete icon (the X) to the right of the host name. The host is removed from the group's X-Windows Favorites list.
Using client certificate validation for Webifyers
You can restrict Webifyer usage to users in a group who have a valid client certificate installed on their computer in addition to knowing their user name and password. For example, for a laptop user, you can restrict usage of the My Files Webifyer to the user's laptop computer where a valid client certificate has been installed. The laptop user is not allowed to use the My Files Webifyer from other computers in other locations, such as a public access kiosk. You can restrict the following Webifyers:
• My Files
• My Intranet
• My E-Mail
• Terminal Services
• AppTunnels
• Host Access
• My Desktop
• SSL VPN
To use client certificate validation for a Webifyer
1. Install and enable client certification for Webifyers for the selected group. (See Using client certificates to authenticate a user's computer, on page 3-31.)
2. Under the Webifyers tab, click the link for the Webifyer you want to restrict access to. Note: For information on using client certification for the My Desktop Webifyer, see Using client certification validation for the My Desktop Webifyer, on page 4-33.
3. On the Webifyer screen that appears, under the Client Certification Validation section, select the Limit access to users with valid client certificates option. Important: This option displays only if you have first configured client certification for the selected group.
5 Managing, Monitoring, and Maintaining the FirePass Server
• Maintaining the network configuration settings
• Configuring IPSec for the FirePass server
• Managing FirePass licenses
• Mapping FirePass users to NFS users
• Specifying HTTP and SSL proxies
• Configuring an SNMP agent
• Shutting down and restarting FirePass
• Backing up and restoring the FirePass server
• Specifying the email server
• Specifying the FirePass administrator's email address
• Granting Administrator privileges to other users
• Specifying the time, time zone, and NTP server
• Configuring client caching and compression settings
• Managing log files
• Updating the FirePass server's firmware
• Adding definitions for other types of browsers
• Monitoring the FirePass server
• Customizing the user's home page
• Providing SSH access for Technical Support
Managing, Monitoring, and Maintaining the FirePass Server
Maintaining the network configuration settings
You can use the Administrative Console to configure the FirePass server's network settings. These include the network interfaces, IP addresses and netmasks, routing tables and rules, Domain Name Servers (DNS), host names, web services, and desktop-software settings.
Note: Whenever you change any network configuration setting, you must commit the change using the Server/Maintenance/Network Configuration/Finalize screen before the new setting takes effect.
Note: If you are configuring IP settings for failover or cluster servers, also see Chapter 7, Configuring FirePass Failover Servers and Cluster Servers.
Configuring IP addresses and subnets
To add, change, or delete the FirePass server's IP address and subnet settings
1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link.
2. Click the Network Configuration link.
3. Click the IP Config link at the top of the screen.
4. Add additional IP addresses in the Add New IP region of the panel. Edit or delete any existing IP addresses displayed in the IP Configuration table. For each IP address, you can specify or edit the following values:
• IP Address/Netmask. Enter the IP address in dotted-decimal notation, and the subnet mask in bits notation, that is, as the prefix length: the number of leading one bits in the mask. For example, a bits count of 17 corresponds to a mask of 255.255.128.0 in dotted-decimal notation, and a bits count of 25 corresponds to 255.255.255.128. See the help screen for a table mapping dotted-decimal and hexadecimal notation to bits notation.
• Interface. Indicate the Ethernet interface associated with the IP address.
• Broadcast (optional). Enter the IP address to which the server is to send broadcast messages. If you do not specify a broadcast IP address, FirePass calculates a default broadcast address from the IP address and mask.
Chapter 5
5. When you are finished entering the IP addresses and making other needed configuration changes, navigate to the Server/Maintenance screen and click the Finalize link to commit your changes. The changes are not applied until you have finalized the configuration and restarted your server.
Warning: Be extremely careful when changing the server's IP configuration settings. If you enter incorrect settings, the server may become inaccessible from the network. If the server becomes inaccessible, use the Maintenance console to reconfigure the IP settings. For more information, see Using the Maintenance Console, on page 2-21.
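The bits notation used on the IP Config screen, as an added worked example that is not part of the FirePass guide: a short Python script (the function names are assumptions made for this example, not FirePass tools) that converts a prefix length to the dotted-decimal mask the help table lists, validates a mask typed the other way round, and derives the default broadcast address the server computes when you leave the Broadcast box empty.

```python
# Added example, not part of the FirePass guide: helpers for the "bits"
# netmask notation used on the IP Config and Routing screens. Function names
# are assumptions made for this example; they are not FirePass tools.

def ip_to_int(addr: str) -> int:
    """Parse a dotted-decimal IPv4 address into a 32-bit integer."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    return int.from_bytes(bytes(int(o) for o in octets), "big")


def int_to_ip(n: int) -> str:
    """Render a 32-bit integer as a dotted-decimal IPv4 address."""
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def mask_from_bits(bits: int) -> str:
    """Dotted-decimal mask for a prefix length (number of leading one bits)."""
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_ip((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF)


def is_contiguous_mask(mask: str) -> bool:
    """True if mask is a run of one bits followed by zeros (a valid netmask)."""
    m = ip_to_int(mask)
    return mask_from_bits(bin(m).count("1")) == mask


def bits_from_mask(mask: str) -> int:
    """Prefix length for a dotted-decimal mask; rejects non-contiguous masks."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"{mask} is not a contiguous netmask")
    return bin(ip_to_int(mask)).count("1")


def network_address(addr: str, bits: int) -> str:
    """Network part of addr under a /bits mask (host bits cleared)."""
    mask = ip_to_int(mask_from_bits(bits))
    return int_to_ip(ip_to_int(addr) & mask)


def default_broadcast(addr: str, bits: int) -> str:
    """Directed broadcast the server derives when the Broadcast box is empty:
    network bits taken from addr, all host bits set to one."""
    mask = ip_to_int(mask_from_bits(bits))
    return int_to_ip((ip_to_int(addr) & mask) | (~mask & 0xFFFFFFFF))


if __name__ == "__main__":
    # /17 is 255.255.128.0; 255.255.255.128 is /25.
    for bits in (8, 16, 17, 24, 25, 30):
        print(f"/{bits:<2} -> {mask_from_bits(bits)}")
    # 192.0.2.77/25 sits in 192.0.2.0/25, so its broadcast is 192.0.2.127.
    print(network_address("192.0.2.77", 25), default_broadcast("192.0.2.77", 25))
```

Before committing an IP change, run the address and bits count you intend to enter through these helpers; a wrong prefix length silently changes the network the server believes it is on and is the usual cause of the lock-out the warning above describes.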
Configuring routing tables and rules
With FirePass you can take advantage of the policy-based routing features in the Linux kernel. With these features, you can choose, for any destination IP address, which device to use and which source IP address to assign. You can also create rules applying to particular addresses. These rules specify which routing table to use, and the priority of the rule itself. Use the Maintenance/Network Configuration/Routing screen to add entries to the FirePass routing table. The Routing screen has two modes:
• light, where you can maintain the main routing table
• advanced, where you can also maintain routing rules, and add and maintain additional routing tables
The Netmask (Len) is always expressed in bits notation, that is, as the prefix length: the number of leading one bits in the mask. For example, a bits count of 17 corresponds to a mask of 255.255.128.0 in dotted-decimal notation, and a bits count of 25 corresponds to 255.255.255.128. See the help screen for this page for a table mapping dotted-decimal and hexadecimal notation to bits notation. The new configuration does not take effect until you have committed it using the Finalize screen.
To add and maintain routing tables and rules
1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link.
2. Click the Network Configuration link.
3. Click the Routing link at the top of the screen.
Adding specific routes
To add a route to the main routing table
1. Select the device, and the source IP address [Src (IP)] and netmask [Len] to use. If you are in advanced mode, also select which routing table to use.
2. Specify the destination IP address and gateway IP address [Via (IP)].
3. (optional) Specify the metric (from 1 to 16), MTU, and Window values.
4. Click the Add route button.
For convenience, you can add any number of blank lines to a routing table and then edit them as a group. To do so, specify the table name and the number of new lines to add, and click the Add many empty routes button. Then edit the table rows as above, and click the Update button. To add entries to other tables, you must be in advanced mode. In advanced mode you can also specify which table to modify.
Note: A route with all zeros in the destination IP field (the default route) is applied to any packet whose destination does not match that of another route.
Editing and deleting routes (advanced mode only)
If you are in light mode, switch to advanced mode by clicking the link toggle. Click the link to display the routing tables. To edit a route, change the value in the table and click the Update button. To delete a route from the table, check the box at the left of the route's row, and click the Delete Selected button at the bottom of the table.
Adding and deleting routing tables (advanced mode only) If you are in light mode, switch to advanced mode by clicking the link toggle. You can define up to 254 routing tables. To delete a table, click the X button to the right of the table name. To add a new routing table, go to the Add new routing table section at the bottom of the screen, and enter a new table name and number (1 to 254).
Adding routing rules (advanced mode only) If you are in light mode, switch to advanced mode by clicking the link toggle.
You can specify rules controlling which routing tables to use, and in what order, for particular routes and groups of routes. The route or route group is specified by filling in the destination IP, the Source IP, and the device. A blank source or destination IP address acts as a wildcard and signifies “all.” The Priority field controls the order in which the rules are to be applied. This must be a value from 0 to 64k, with lower values indicating higher priority.
Editing and deleting routing rules (advanced mode only)
If you are in light mode, switch to advanced mode by clicking the link toggle. Click the link to display the routing rules. To edit a rule, change the value in the table and click the Update button. To delete a rule from the table, click the check box to the left of the rule, and click the Delete Selected button at the bottom of the table.
Note: You cannot delete the two predefined rules (identifiable by their priorities of 32766 and 32767, which select the main and default tables); no check box appears next to those rules.
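As an added example, not part of the FirePass guide: a Python model of the lookup that the rules and tables described above perform. Rules are consulted in ascending priority, a blank source or destination acts as a wildcard, a matching rule hands the packet to its table, and a table with no matching route falls through to the next rule. The table names, addresses and interface names are constructed sample data, the predefined rules 32766 and 32767 are modelled as the Linux main and default tables, and every function and record name is an assumption for this illustration.

```python
# Added example, not part of the FirePass guide: a model of the Linux
# policy-routing lookup that the Routing screen's tables and rules drive.
# Rules are consulted in ascending priority; each matching rule names a
# table, and the first table holding a route for the destination (longest
# prefix first, lower metric breaking ties) decides the next hop. If a
# table has no matching route, the lookup falls through to the next rule.
# All names, addresses and interfaces below are constructed sample data.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def ip_to_int(addr: str) -> int:
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def in_prefix(addr: str, prefix: str, length: int) -> bool:
    """True if addr lies inside prefix/length; length 0 matches everything."""
    mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    return (ip_to_int(addr) & mask) == (ip_to_int(prefix) & mask)


@dataclass
class Route:
    dst: str                    # destination prefix; "0.0.0.0"/0 is the default route
    length: int                 # Netmask (Len) in bits notation
    via: Optional[str] = None   # gateway [Via (IP)]; None if directly connected
    dev: str = "eth0"
    metric: int = 1


@dataclass
class Rule:
    priority: int               # lower value is consulted first
    table: str
    src: Optional[str] = None   # None (blank on the screen) means "any"
    src_len: int = 32
    dst: Optional[str] = None
    dst_len: int = 32
    dev: Optional[str] = None

    def matches(self, src: str, dst: str, dev: Optional[str]) -> bool:
        if self.src is not None and not in_prefix(src, self.src, self.src_len):
            return False
        if self.dst is not None and not in_prefix(dst, self.dst, self.dst_len):
            return False
        if self.dev is not None and self.dev != dev:
            return False
        return True


def lookup_table(table: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match within one table; lowest metric breaks ties."""
    best = None
    for r in table:
        if in_prefix(dst, r.dst, r.length):
            if best is None or (r.length, -r.metric) > (best.length, -best.metric):
                best = r
    return best


def resolve(tables: dict[str, list[Route]], rules: list[Rule],
            src: str, dst: str, dev: Optional[str] = None) -> Optional[tuple[str, Route]]:
    """Return (table name, route) used for a packet src -> dst, or None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(src, dst, dev):
            continue
        route = lookup_table(tables.get(rule.table, []), dst)
        if route is not None:
            return rule.table, route
    return None                 # no rule/table produced a route: unreachable


# Sample configuration. "mgmt" stands for an extra table (say, number 100
# on the Routing screen) that sends management traffic out of eth1.
TABLES = {
    "main": [
        Route("192.0.2.0", 24, dev="eth0"),
        Route("10.0.0.0", 8, via="192.0.2.1"),
        Route("172.16.0.0", 12, via="192.0.2.2", metric=5),
        Route("172.16.0.0", 12, via="192.0.2.3", metric=2),
        Route("0.0.0.0", 0, via="192.0.2.1"),
    ],
    "mgmt": [
        Route("203.0.113.0", 24, via="198.51.100.1", dev="eth1"),
    ],
}
RULES = [
    Rule(priority=100, table="mgmt", src="198.51.100.10"),
    Rule(priority=32766, table="main"),     # predefined: main table
    Rule(priority=32767, table="default"),  # predefined: default table (empty here)
]

if __name__ == "__main__":
    for src, dst in (("192.0.2.50", "10.1.2.3"), ("198.51.100.10", "203.0.113.7"),
                     ("198.51.100.10", "10.1.2.3"), ("192.0.2.50", "8.8.8.8")):
        print(src, "->", dst, resolve(TABLES, RULES, src, dst))
```

The third sample packet is the case worth checking before you add a rule: its source matches the priority-100 rule, but the mgmt table has no route for 10.1.2.3, so the packet silently falls through to main and leaves via eth0. If management traffic must never take that path, give the extra table its own default route (or an explicit drop) rather than relying on the rule alone.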
Configuring Domain Name Servers (DNS) You can change the IP addresses of the Domain Name Server(s) (DNS) you want the server to use. You also can specify the server's default domain suffixes.
To configure the DNS
1. Navigate to Server/Maintenance/Network Configuration.
2. Click the DNS link at the top of the page.
3. Specify the IP addresses of up to three Domain Name Servers and up to six domain suffixes.
Configuring host names
Fully-qualified domain name
To add or change the server's fully-qualified domain name (FQDN) and add other static host names, navigate to Server/Maintenance/Network Configuration and click the Hosts link at the top of the page. Enter the FQDN.
Warning: The FQDN must match the server certificate that is installed on the server. If you change the name, you must replace the certificate with one issued for the new name, and if you replace the certificate, the FQDN must match the new certificate; otherwise browsers report a name mismatch on every connection. For more information, see Setting up certificates, on page 3-29.
Static host names
You can also use this screen to add, edit, and delete static host names. If a local host name cannot be resolved using a DNS server, enter the host name's IP address and host name in the Add New Static Hostname section. Click the Add New Hostname button to add the local host name to the list in the Static HostNames section. Static host names are stored in a local table, and are used only when you need to augment or override your Domain Name Server. FirePass consults the local table to locate an IP address for a host name before consulting the DNS.
Configuring services
Your server provides four distinct classes of operations:
• User login and functionality
• Administrator login and functionality
• Communication with Desktop Agents
• Synchronization among clusters and failover pairs
These can be configured to use different rules and different ports, although they may also share rules and ports. A service consists of any distinct combination of rules, functionality, and IP address/port assignment. This screen allows you to configure services. Note that:
• You must have at least one service configured to allow Administrator access.
• You must have at least one service configured to allow User access.
• If you use MyDesktop, you must have exactly one service configured to allow Desktop Agents to communicate with the FirePass server.
• If you have a clustered or failover configuration, you must have at least one service configured for use by the Synchronization Agent.
To configure Web Services
To configure services, navigate to Server/Maintenance/Network Configuration/Web services. The currently configured services are presented there in a read-only table. For each service, you can see all of the configuration details. Most are self-explanatory. The Services column contains one or more of the codes listed in Table 5.1.

Code   Meaning                                    You must have
U      Configured to allow user access            At least one
A      Configured to allow administrator access   At least one
D      Configured as the Desktop agent port       Exactly one
S      Configured as a synchronization port       At least one, if you have failover or clustering configured

Table 5.1 Web services codes and rules
To add a service
To add a new service, start at the Add new service region below the table.
1. Select the service's IP address from the list of addresses configured for this server, and specify the port to use for this service in the Port box.
2. Assign a name to the service, or specify the fully-qualified domain name of an Apache server listening on this port.
3. Check the SSL check box to specify encrypted communications (imperative for services involving access from outside the firewall; optional elsewhere).
4. Click the Add New button.
The new service now appears in the Configured Services table. Configure it according to the following instructions.
To configure a service
1. Click the Configure link on the service's table row to provide the configuration details. The Web Server Configuration detail screen appears. Provide these variables:
• Host. An IP address configured for this server. If you need to add a service using a new IP address, you must first add it to the IP Configuration using the Maintenance/Network Configuration screen.
• Port. Enter the port number for this service.
• Use SSL. Check this box to use Secure Sockets Layer (encrypted) communications (imperative for endpoints outside of your network; optional elsewhere). To use SSL, you must have an SSL certificate for this IP and host name. Select an installed certificate, or add a new certificate using the certificate links.
• Allow HTTP connections. Check this box if you want to permit access to browsers that do not support Secure Sockets Layer communication, for example, mini-browsers on some internet phones and PDAs. A logon over such a connection sends the user's credentials across the network in clear text, so leave this box unchecked unless you need it.
• Redirect. To redirect sessions to another service, specify the name of a server or service to which to forward the session. You can leave this field blank.
• User Login. Check this box to allow an end user to log in using this IP address/name. If this box is not checked, the user is redirected to the administrator user interface and must have a valid Administrator login.
• Admin Login. Check this box to allow administrators to log in using this IP address/name. If this box is not checked, the user is redirected to the standard end-user interface and does not have access to the Administrative Console, even with a valid Administrator login.
• Desktop. Check this box to define this service as the communication channel between Desktop Agents and the FirePass server. Only one service can be defined as a Desktop service.
• Synchronization. Only visible if you have a Cluster or Failover configuration. Check this box to configure this port for use by the Synchronization Agent. For more information see Chapter 7, Configuring FirePass Failover Servers and Cluster Servers.
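As an added example, not FirePass code: a Python check that a proposed set of services satisfies the rules in Table 5.1 and flags any user or administrator login service that would accept clear-text connections. The Service record, the function and the sample table are constructed for this example.

```python
# Added example, not part of the FirePass guide: a pre-change check of a
# proposed Web services table against the rules in Table 5.1, plus a warning
# for any login service that would accept clear-text connections. The
# Service record and the sample table below are constructed for this example.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Service:
    name: str
    host: str
    port: int
    codes: str                # any combination of U, A, D, S from Table 5.1
    ssl: bool = True          # "Use SSL" checked
    allow_http: bool = False  # "Allow HTTP connections" checked


def validate_services(services: list[Service], clustered: bool = False) -> dict[str, list[str]]:
    """Return {"errors": [...], "warnings": [...]} for a proposed service table.

    errors   - the at-least-one / exactly-one rules from Table 5.1 are broken
    warnings - a user or admin login service is reachable without SSL
    """
    errors, warnings = [], []
    count = {c: sum(1 for s in services if c in s.codes) for c in "UADS"}

    for s in services:
        unknown = set(s.codes) - set("UADS")
        if unknown:
            errors.append(f"{s.name}: unknown service code(s) {''.join(sorted(unknown))}")

    if count["U"] < 1:
        errors.append("no service allows user access (at least one U required)")
    if count["A"] < 1:
        errors.append("no service allows administrator access (at least one A required)")
    if count["D"] != 1:
        errors.append(f"exactly one Desktop agent service (D) is required, found {count['D']}")
    if clustered and count["S"] < 1:
        errors.append("failover/cluster configured but no synchronization service (S)")

    for s in services:
        if ("U" in s.codes or "A" in s.codes) and (not s.ssl or s.allow_http):
            warnings.append(f"{s.name} ({s.host}:{s.port}): login service reachable without "
                            "SSL; credentials would cross the network in clear text")
    return {"errors": errors, "warnings": warnings}


# Sample table: a public user service, a management-only admin service and
# the single Desktop agent service, all on SSL.
SAMPLE = [
    Service("users", "192.0.2.10", 443, "U"),
    Service("admin", "10.0.0.5", 443, "A"),
    Service("desktop", "192.0.2.10", 8443, "D"),
]

if __name__ == "__main__":
    print(validate_services(SAMPLE))
    weak = SAMPLE + [Service("legacy", "192.0.2.10", 80, "UA", ssl=False)]
    print(validate_services(weak, clustered=True))
```

Keeping the admin service on an internal address, as in the sample, is the configuration the warning is meant to protect: an Admin Login service that is reachable from outside and accepts plain HTTP exposes the Administrative Console password to anyone on the path.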
Configuring Desktop services
Bridge ports
When a remote user accesses his own desktop system, FirePass intermediates the session using a range of high ports, called bridge ports. To specify what ports to use, navigate to Server/Maintenance/Network Configuration/Desktop. Use this screen to specify which IP address(es) and ports to use as bridge ports. It is usually not necessary to change the default port assignments. If you have many MyDesktop users and are experiencing performance problems, however, try increasing the size of the range. Be sure the ports you use are accessible from outside your firewall.
Desktop agent host To specify a host for the Desktop Agent software and online help, and to select which server-side certificate to use on behalf of the desktop system, click the Server tab on the left of the Administrative Console, and navigate to Maintenance/Network Configuration/Desktop.
Desktop Agent ports By default, the Desktop Agent server (resident on the user’s PC) uses the standard TCP ports 80 and 443. If some other software competes for these ports, you can change the port assignment. To reconfigure those port assignments, click the Desktop tab.
Other network settings
To view or change these network settings, navigate to Server/Maintenance/Network Configuration/Misc:
• The IP address to use for the X-Windows server
• The IP address to use for SSL-VPN traffic
• The IP address to use for network broadcast
Configuring IPSec for the FirePass server IPSec (Internet Protocol Security) is a set of security mechanisms for enforcing the confidentiality, integrity, and authenticity of data transmitted over IP networks. You can use the FirePass server’s IPSec functionality to protect sensitive data that is transmitted between the FirePass server and other servers (such as an internal file server on a remote network) or a security gateway.
To set up a new IPSec connection
1. Under the Server tab on the left side of the Administrative Console, click the Security link.
2. Click the IPSec Configuration link.
3. Click the New Connection button to create a new IPSec connection. The IPSec Configuration screen opens.
4. In the Connection Name text box, enter the name to identify the IPSec connection. The name cannot contain any blank spaces.
5. In the Local Endpoint text box, enter the IP address of the local network interface from which the IPSec connection is initiated.
6. In the Remote Endpoint text box, enter the IP address of the remote server or security gateway to which the IPSec connection should be established.
7. From the Remote Endpoint drop-down list, select a type of remote endpoint.
• If the remote endpoint is a server, select Host as the endpoint type.
• If the remote endpoint is a security gateway, select Gateway.
8. If you selected Gateway as the endpoint type, enter the subnet address behind the security gateway in the Remote Subnet text box.
9. In the Shared Secret text box, enter the secret that the local and remote endpoints use to authenticate each other when they negotiate the initial set of encryption keys. Note: The shared secret authenticates the peers; it is never used directly as a data encryption key. Use a long, random value, and give each remote endpoint its own secret where the peer allows it.
10. In the Key Lifetime text box, enter the number of minutes after which a new set of data encryption keys is negotiated for this connection.
11. Select the Perfect Forward Secrecy option to perform a fresh Diffie-Hellman exchange each time the data encryption keys are renegotiated, so that the compromise of one set of keys does not expose the keys of earlier or later lifetimes. Note: If the remote endpoint supports this feature, we recommend enabling this option.
12. Do one of the following:
• If the endpoint IDs are the same as the endpoint IP addresses (which is the default setting), leave the Remote Endpoint ID text box blank.
• If the security gateway lets you specify a different endpoint ID, enter this endpoint ID in the Remote Endpoint ID text box.
13. Click the Save button.
14. Click the Apply Configuration and Restart Connections button to have the new or changed IPSec connection take effect. If you do not click this button, the changes do not take effect until the FirePass server restarts. It is not possible to restart connections individually.
Note: To check the current status of the IPSec connections, click the Stats link under the Server tab to display the Server Stats panel.
Managing FirePass licenses You can install or upgrade the FirePass server license using the Admin Console. Licenses are managed using the Settings link under the Server tab.
Obtaining a license for the first time Your server should already have an installation type, serial number and registration key assigned. These show as the first three items in the Settings table display. If the Serial number is shown as unknown, contact Technical Support. When you receive your new FirePass server, you should also have received an email from Technical Support or the entitlement server. If so, follow the directions in the email. If not, contact Technical Support to make sure your license is ready. Licenses are time-limited, for security reasons. Install your license as soon as you receive it.
Installing your license
To install a new or replacement license
1. Make sure that your firewall allows outbound Internet connections to port 443.
2. Navigate to Server/Settings on the Administrative Console.
3. Click the Pick up new license... link.
If your license is ready and your server can contact the licensing server, your configuration is upgraded.
Note: If you restore your server software onto new hardware, you must obtain and install a new license. Contact Technical Support to prepare your new license for pickup.
Adding capacity or features to your license
You can automatically generate an encrypted license request to add concurrent session capacity, access features, and Desktop seats.
1. Navigate to Server/Settings on the Administrative Console.
2. Click the Request a license for new options link. The Configuration Options panel appears.
3. Select the new concurrent sessions capacity limit, enter the number of Desktop licenses, and check all the features you want to obtain a license to use.
4. Click the Generate license request button. An encrypted message appears.
5. Copy and paste this request into an email.
6. Send it to your sales representative or customer support contact.
When you are notified that your new license is ready, follow the installation directions above to install it. You must restart your server to activate the new license.
Note: If you have a clustering or failover configuration, be sure to generate the upgrade request on each server, and include all the requests together in the same email.
Mapping FirePass users to NFS users
The FirePass server can provide FirePass users with access to NFS (that is, UNIX or Linux) file systems using the My NFS Webifyer. To do so, you must do the following two tasks:
◆ Define NFS servers. To allow users to browse an NFS server using the My NFS Webifyer, you must specify the host name or the IP address of the NFS server. The FirePass server can then query the NFS server for any exported file systems. For information on how to define NFS servers using the My NFS Webifyer, see Configuring the My NFS Webifyer, on page 4-6.
◆ Map FirePass users to NFS users. Mapping FirePass users to NFS users is important in order to have the FirePass server correctly obey and preserve the file permissions of the NFS file systems.
If you already have a Network Information Service (NIS) server installed to handle UNIX users, you can configure the FirePass server as a client in your NIS domain, and no further configuration is necessary. Note that each FirePass user's logon name (user name) must be identical to the logon name on the NFS servers. For example, a user with the logon name tjones on the FirePass server must also have tjones as the logon name on the NFS servers. In some situations (for example, for read-only NFS servers), it is sufficient to define an Anonymous User ID for NFS access. If the Anonymous User ID is enabled, all user access to the NFS servers through the FirePass server appears to come from that single UNIX user, so the NFS servers can no longer tell one FirePass user from another in their permission checks or logs.
If you do not have an NIS server but you still want strict access control for the NFS file systems, you must define all NFS users manually on the FirePass server. (For more information, see Using NFS user permissions from a UNIX password file, on page 3-17.) NIS and/or locally defined NFS users can be combined with the anonymous NFS user. The FirePass server uses the anonymous NFS user whenever a FirePass user is not defined as a local NFS user or a NIS user.
To map FirePass users to NFS users
1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens.
2. Click the NFS Configuration link. The NFS Configuration screen opens.
3. To use an NIS server, select the Enable NIS option in the NIS Settings section.
4. In the NIS Domain box, enter the NIS domain, such as company.com.
5. In the NIS server box, enter the NIS server name, such as NIS_server-name.company.com.
6. Click the Apply NIS Settings button.
7. To use an anonymous NFS user, select the Enable option. Fill in the User ID and Group ID text boxes, and then click the Update button.
Specifying HTTP and SSL proxies You can configure the FirePass server to use HTTP and SSL proxies for Web server access. Proxies may be required in the following situations: • If the FirePass server has no outbound access to the Internet, the update mechanism for the FirePass server firmware requires a proxy. • If the FirePass server does not have direct access to Web servers on the internal LAN, the My Intranet Webifyer may require proxy settings.
To specify HTTP or SSL proxies
1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens.
2. Click the Proxies link. The HTTP and SSL Proxies screen opens.
3. Do one or both of the following:
• To enable an HTTP proxy, select the Enable HTTP Proxy option. In the Address text box, enter the HTTP proxy's IP address, and in the Port text box, enter the HTTP proxy's port number.
• To enable an SSL proxy, select the Enable SSL Proxy option. In the Address text box, enter the SSL proxy's IP address, and in the Port text box, enter the SSL proxy's port number.
4. In the text box at the bottom of the screen, list the IP addresses and/or subnets that should be reached directly rather than through a proxy. Separate each entry with a comma.
5. Click the Update and Test button. The FirePass server verifies that it can connect to the proxies you specified before committing the settings.
Note: If the settings are incorrect, the test may take a significant amount of time to complete.
Configuring an SNMP agent
You can use a Simple Network Management Protocol (SNMP) agent to monitor the FirePass server. For more information on the MIBs that the SNMP agent supports, see the Online Help for the SNMP panel.
To configure an SNMP agent
1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens.
2. Click the SNMP link. The SNMP screen opens.
3. Select the Run SNMP Agent on Port option and enter a port number in the text box. The standard SNMP port is 161. Important: If you use a non-standard port, make sure that your SNMP management tool is configured appropriately. We strongly recommend making sure this port is reachable only from the internal LAN.
4. In the System Name text box, enter a name to identify the SNMP agent for this FirePass server, such as the FirePass server's name.
5. (Optional) In the Location text box, enter the FirePass server's location.
6. (Optional) In the Contact text box, enter an email address to contact, such as the address for the FirePass server administrator.
7. In the Community Name text boxes in the Rocommunity and Rwcommunity sections, enter the community name that is configured in your SNMP management tool. This is the standard SNMP access token. It travels in clear text with every request and is the only credential the agent checks, so do not use a default or guessable name, and use a different name for read-write access than for read-only access.
8. In the Accessed From text boxes in the Rocommunity and Rwcommunity sections, enter one of the following to indicate the access location:
• The string: anywhere
• The string: nowhere
• A list of space-separated host names, IP addresses, or IP address/netmask pairs
Important: We recommend restricting the access location to that of your SNMP management tool. If you only monitor the server and never change settings over SNMP, set the Rwcommunity access location to nowhere.
9. In the Community Name text box in the Traps Configuration section, enter the community name that is configured in your SNMP management tool. This is a standard SNMP access token.
10. In the text boxes in the Hosts section, enter a list of space-separated host names, each optionally followed by a colon and the port number (for example: my.trap.host:162). The hosts should correspond to your SNMP management tool configuration.
11. Click the Submit button.
Managing, Monitoring, and Maintaining the FirePass Server
Shutting down and restarting FirePass

Important: Do not turn the FirePass server off by using the Power switch. Data corruption can occur as a result, which would render the FirePass server unavailable. To shut the FirePass server down, always use the Shutdown commands in the Administrative Console or the Maintenance Console.
Shutting down the FirePass server

You can shut down the FirePass server using the Administrative Console or the Maintenance Console.

To shut the FirePass server down using the Administrative Console

1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens.
2. Click the Restart Services link. The Restart Services screen opens.
3. Click the Shutdown Server link.

To shut the FirePass server down using the Maintenance Console

In the Maintenance Console, select the Shutdown Server command.

Restarting the FirePass server or services

You can restart the FirePass server hardware using the Administrative Console or the Maintenance Console. You can also restart all FirePass server software components by using the Administrative Console.
To restart the FirePass server or services using the Administrative Console

1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link.
2. Click the Restart Services link. The Restart Services screen opens.
3. Do one of the following:
   • To restart the FirePass server hardware, click the Restart Server link.
   • To restart the FirePass server software components, click the Restart Service link.
To restart the FirePass server hardware using the Maintenance Console

In the Maintenance Console, select the Restart Server command.
Stopping and starting the bridge

You can start and stop the bridge, which is the port-forwarding mechanism for the My Desktop Webifyer. (See Configuring the My Desktop Webifyer, on page 4-31.) The bridge provides a point-to-point, secure connection between the remote user’s Web browser and a desktop computer on the internal LAN. If the bridge is stopped, the FirePass server constantly encrypts and decrypts the data itself. The bridge greatly improves the scalability of the My Desktop Webifyer.
To stop and start the bridge

1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens.
2. Click the Restart Services link. The Restart Services screen opens.
3. Click the Stop/Start Bridge link.
Backing up and restoring the FirePass server

You can back up and restore the current FirePass server configuration, including user accounts, logs, and FirePass settings.

Note: Your network configuration settings are not preserved; you need to re-enter them after you have restored the configuration.

You can transfer the FirePass server configuration information to a replacement server if a hardware failure occurs in the current server. You can also transfer the FirePass server configuration information when you are migrating from a FirePass 1000 server to a higher-capacity FirePass 4000 server.

Note: If you restore to new hardware, you must obtain a new license. For more information, see Managing FirePass licenses, on page 5-11.
To back up and restore FirePass server configuration information

1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens.
2. Click the Backup/Restore link. The Backup / Restore screen opens.
3. Do one of the following:
   • To back up the current configuration excluding user and group accounts, Webifyer settings, and favorites, click the Backup Your Current Configuration link. When the backup zip file is created, click Save and browse to a location where you want to store the backup file.
   • To create a full backup of your server including user and group accounts, Webifyer settings, and favorites, click the Create Full Backup of your Current Configuration link. When the backup zip file is created, click Save and browse to a location where you want to store the backup file.
   • To restore a configuration, click the Browse button in the Restore section and select the configuration file. Then, click the Restore Your Saved Configuration link.
Specifying the email server

To have the FirePass server send email messages to the FirePass administrator and users, you must specify an email server for the FirePass server to use.

To specify an email server for the FirePass server to use

1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens.
2. Click the SMTP Server link. The FirePass global SMTP Server Address screen opens.
3. In the text box at the top of the screen, enter the name of the mail server, such as mailserver.company.com.
4. Click the Go button.
5. To test the email server connection, enter an email address in the lower text box on the screen, and then click the Send button.

Specifying the FirePass administrator’s email address

You can specify to whom you want the FirePass server to send notifications.

To specify the FirePass administrator’s email address

1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens.
2. Click the Admin Email link. The Administrator's Email Address screen opens.
3. In the To field, enter the FirePass administrator’s email address.
4. (Optional) In the From field, specify a return address.
5. Click the Go button.
Granting Administrator privileges to other users

Role-Based Administration is a powerful feature allowing you to assign customized subsets of administrative access and privileges, according to the administrative user's position and requirements. The user name admin is reserved for the Superuser. The Superuser has a complete set of privileges. But you can also assign highly customizable subsets of administrative privileges to particular users, allowing them to perform specific administrative roles. Their rights can be restricted to operating on particular groups as well; for example, the SalesAdmin user might be allowed to enroll users and customize Webifyers only for the Sales group. You can also create aliases serving as proxies for particular sets of privileges, or roles; for example, a user named HR-Admin might be allowed to add users, create new groups, and issue Desktop licenses, but would not be given access to Server maintenance functions.

To create an administrator alias

Create a new user login name, for example Sales-Admin, on the User Management screen.

To add administrative privileges

1. Enter the name of a user, or the role-based user alias, in the Enter existing username to assign administrative privileges link. Click Add. You see a list of user IDs with administrator privileges.
2. Add access to administrative functions by clicking the Edit link in the Feature Access column, and granting access to particular tabs on the Admin Console and particular functions within each tab.
3. Add rights to operate on Groups by clicking the Edit link in the Groups Access column, and then either checking one or more groups, or choosing the Allow Access to All Groups check box.

Only an administrative user given access to the Server/Maintenance/Administrators interface can perform this function on behalf of other users or user aliases. Activities of a user with administrative privileges are logged in Application Logs.

Important: Do not disable the Superuser account unless you have given full administrative privileges, including access to all links on the Server and Users tabs, to another user.
Specifying the time, time zone, and NTP server

You can specify a time zone for the FirePass server’s location, and you can specify a Network Time Protocol (NTP) server for the FirePass server to use. You can also manually set the time for the FirePass server.

To specify a time, time zone, and NTP server for the FirePass server

1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens.
2. Click the Time Server link. The Time Settings screen opens.
3. To specify a time zone for the FirePass server, choose a time zone from the list box and then click the Apply button.
4. To specify an NTP server, enter the server name in the New NTP Server text box, and then click the Apply button.
5. To specify the time manually, enter the time in the Enter New Date text box in the format MMDDhhmm[[CC]YY][.ss], and then click the Apply button.
Configuring client caching and compression settings

You can configure settings that determine caching and compression of files sent from the FirePass server to remote users’ Web browsers, as well as the transmission of cookies and file downloads from the server to users.
To configure client caching and compression settings

1. Under the Server tab on the left side of the Administrative Console, click the Security link.
2. Click the Caching and Compression link. The Client Caching and Compression Settings screen opens.
3. To enable gzip compression, select the Enable Compression option. Note: If you select this gzip compression option, the size of Web panels generated by the FirePass server is substantially reduced. However, compression also consumes server resources, which may affect the server’s scalability. This option requires a server restart.
4. To remove the temporary Internet files related to the FirePass server session from the user’s Web browser when users log out, select the Inject ActiveX to Force Cache Cleanup in Logout panel option.
5. Select the cache option you want from the following. Each option is a trade-off of performance versus security.
   • Don't cache anything, except Style Sheets and JavaScript includes: Good compromise between security and performance. By default, the My Intranet Webifyer marks every panel as non-cacheable with the exception of JavaScript and Style Sheet includes. The reason is that typically these sizeable includes are designed with caching in mind. When caching is turned off, a large percentage of the traffic consists of these includes. Given that the content of these includes is rarely confidential, they are not marked as non-cacheable by default.
   • Don't cache anything, except for images, style sheets and JavaScript includes: Better performance than the first option, but less security.
   • Cache nothing at the remote browser: Less performance than the first two options, but better security.
   • Don't enforce no-cache: Best performance of all options, but the least amount of security. Only use this option with trusted terminals such as home computers. This option caches everything according to the Web browser settings.
6. Select the following options, as necessary:
   • Block non-HTML data: Select this option to block file downloads and attachments that consist of .doc and .pdf files.
   • Don't block cookies at FirePass, pass them to the browser: Select this option to allow the server to pass cookies to the user’s Web browser. This option might be useful to support some Web applications that use JavaScript in the browser to manipulate cookies.
   • Block Content-Disposition headers: Select this option to block content-disposition headers. This option might be useful to force in-line handling of attachments as opposed to saving them at the remote end.
   • Translate hidden form parameters if they look like URLs: Select this option to translate hidden form parameters if they appear as a URL, such as http://XXX. This option, which requires a server restart, is useful when these parameters are manipulated by JavaScript.
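On the wire, the cache options and block options above are decisions about which response headers reach the remote browser. The following Python function is an added example, not FirePass code: it models those decisions as header rewriting on responses relayed to the browser. The four policy names stand for the four cache options listed above and the two flags for the Block non-HTML data and Block Content-Disposition headers options; the header values (the standard HTTP/1.1 Cache-Control, Pragma and Expires directives), the content types treated as .doc and .pdf, and the sample responses are this example's own choices.

```python
"""Header rewriting that models the cache and download options above.

Added example, not FirePass code. The policy names stand for the four cache
options in the guide and the two block options; the exact header values are
this example's own choice (standard HTTP/1.1 Cache-Control and Pragma
directives), as are the content types treated as .doc and .pdf.
"""

# Content types each policy lets the remote browser cache; everything else gets
# the no-cache headers. 'dont_enforce' is absent on purpose: it never rewrites.
CACHEABLE = {
    "css_js_only": {"text/css", "text/javascript", "application/javascript"},
    "images_css_js": {"text/css", "text/javascript", "application/javascript",
                      "image/png", "image/gif", "image/jpeg"},
    "cache_nothing": set(),
}
NO_CACHE = {
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",       # for HTTP/1.0 caches
    "Expires": "0",
}
BLOCKED_TYPES = {"application/msword", "application/pdf"}
BLOCKED_SUFFIXES = (".doc", ".pdf")


def _filename(headers):
    """Extract filename="..." from a Content-Disposition header, if any."""
    disp = headers.get("Content-Disposition", "")
    for part in disp.split(";"):
        key, _, value = part.strip().partition("=")
        if key.lower() == "filename":
            return value.strip('"').lower()
    return ""


def rewrite_response(policy, headers, block_non_html=False, block_disposition=False):
    """Return (status, headers) as the proxy should deliver them to the browser.

    `headers` is the origin server's response header dict; it is not modified.
    """
    out = dict(headers)
    ctype = out.get("Content-Type", "").split(";")[0].strip().lower()
    if block_non_html and (ctype in BLOCKED_TYPES or _filename(out).endswith(BLOCKED_SUFFIXES)):
        # Download/attachment blocked; serve a small HTML notice instead.
        return 403, {"Content-Type": "text/html", **NO_CACHE}
    if block_disposition:
        # Without the header the browser handles the body inline.
        out.pop("Content-Disposition", None)
    if policy != "dont_enforce" and ctype not in CACHEABLE[policy]:
        out.update(NO_CACHE)
    return 200, out


if __name__ == "__main__":
    # Constructed origin responses.
    page = {"Content-Type": "text/html; charset=utf-8"}
    style = {"Content-Type": "text/css", "Cache-Control": "max-age=3600"}
    report = {"Content-Type": "application/pdf",
              "Content-Disposition": 'attachment; filename="q1.pdf"'}
    print(rewrite_response("css_js_only", page))
    print(rewrite_response("css_js_only", style))
    print(rewrite_response("cache_nothing", report, block_non_html=True))
    print(rewrite_response("dont_enforce", report, block_disposition=True))
```

Note that for a cacheable type the origin's own Cache-Control value is passed through unchanged, which is exactly the trade-off the first two options make: the proxy trusts the origin's caching decision for style sheets, scripts and (in the second option) images, and overrides it for everything else.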
Managing log files

You can purge and archive FirePass server logs manually or automatically at specified intervals. Periodic purging and archiving of logs is important to manage storage space on the FirePass server.

To manage log files

1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens.
2. Click the Logs link. The Logs screen opens.
3. To enable a periodic and automatic purge of the log files, select the Enable to Purge Logs option.
4. Click the Update button. A new set of Log options appears on the Logs screen.
5. Set the frequency of the purge process by selecting a time period from the Keep Logs For drop-down list.
6. To create an archive of the purged log files, select the Create Archive option. Note: If this option is not selected, the purged data is permanently deleted.
7. To email the archived logs, select the Send archive, using email option, and then enter the recipient’s email address in the text box. Note: If this option is not selected, the archived logs are kept temporarily in the temporary archive storage. (See step 11.)
8. To manually start a purge procedure, click the Click to Purge Logs Right Now link.
9. To show archived log data in the reports panels, click the Set Archive Database for Reports link. After you click this link, the log information displayed in the Reports panels is from the archived logs. When the archived data is displayed, the label “Archive database is on” is displayed on the Logs panel and the reports panels.
10. To hide the archived log data in the reports panels, click the Set Current Database for Reports link.
11. If you do not select the Send archive, using email option, you can download the log file in the server’s temporary archive storage by clicking the Download link and storing the log file on an external computer.
12. To remove the log file from the temporary archive storage, click the Delete link.
13. To expand the archive into the archive database, and replace the previous archive database, click the Expand link. Note: We recommend that you do not keep the archives on the FirePass server. Delete an archive from the Temporary Archive Storage after you have expanded it.
14. To upload archives from an external computer to the temporary archive storage, click Browse to choose a file, and then click the Upload button.
Updating the FirePass server’s firmware

You can have the FirePass server check and indicate whether an update to the server’s firmware is available. If new firmware is available, you can have the server download the new firmware, install it, and restart itself.

Important: Whenever you upgrade the firmware, you must update all clustered and failover servers to the new version at the same time.
To update the FirePass server’s firmware

1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens.
2. Click the Update link. The list of currently available firmware updates appears.
3. To download and install a new firmware package, click the link for the firmware version you want to install.
Adding definitions for other types of browsers

You can add and classify definitions for other types of browsers, such as mini-browsers and phones.

To add a definition for a browser

1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens.
2. Click the New Browsers link. The Classify New Browser Type screen opens.
3. In the User Agent text box, enter the user agent string for the new browser type.
4. From the Type drop-down list, select a browser type.
5. To support images in the browser, select the Supports Images option.
6. To support colors in the browser, select the Supports Color option.
7. Click the Add button. The browser definition is added to the list on the Force New Browser Type panel.
Monitoring the FirePass server

You can monitor the FirePass server by displaying various graphs of the real-time load on server components, by displaying statistics, and by capturing network packets to troubleshoot problems. This section contains information on all of these monitoring methods. You can also use the information in the FirePass reports. For more information on reports, see Chapter 6, Using FirePass Reports.

Monitoring the load on a FirePass server

You can display the real-time load on the FirePass server.

To monitor the load on the FirePass server

1. Under the Server tab on the left side of the Administrative Console, click the Load Monitor link. The Load Monitor screen opens.
2. Scroll down to see more graphs of information.
3. To select the reporting period, click one of the links near the top of the panel (Last 3 Hours, Last Day, Last Week, and Last Month).
4. To refresh the display, click the Load Monitor link at the top of the panel.
5. To delete all data from the monitoring database, click the Zeroinit link at the bottom of the panel.
Displaying FirePass server statistics

You can display statistics and information for the FirePass server, such as average load, performance averages, and number of IPSec connections.

To display server statistics

1. Under the Server tab on the left side of the Administrative Console, click the Stats link. The Server Stats screen opens.

Capturing network packets to troubleshoot networking problems

You can troubleshoot networking problems by capturing the network packets coming to and from the FirePass server.

To capture network packets to and from the FirePass server

1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link. The Maintenance screen opens.
2. Click the Low-level link.
3. From the Packet type drop-down list in the Network Packet Dump section, select whether you want to capture all types of packets, UDP packets only, or TCP packets only.
4. Do either of the following:
   • To capture traffic that has a particular destination IP address, enter the destination IP address in the Destination IP Address text box.
   • To capture all traffic, leave the Destination IP Address text box blank.
5. To exclude the traffic to your current Web browser, select the Exclude Your Browser Address option. Note: This option is useful when you do not specify the destination IP address.
6. From the Interface drop-down list, select the network interface if the FirePass server has two NICs installed. For a one-NIC server, only eth0 is applicable.
7. From the Max Packet Count drop-down menu, choose the maximum number of packets you want to capture.
8. To start capturing, click the link at the bottom of the panel, Please Click Here to Start Sniffing the Network Traffic. A window opens and a line is drawn to indicate that the packets are being captured.
9. You can wait until the maximum packet count is reached, or click the Stop link to stop the capturing. A description of the captured packets appears in the window.
10. To download the entire packet dump file, click the download link at the top of the window.

Note: Use Ethereal or tcpdump to view the packet dump file offline.

Customizing the user’s home page

You can customize the appearance (logos, colors, and text) of the user’s home page. You can also specify which Webifyers are available and the order in which they appear.

To customize the user’s home page

1. Under the Server tab on the left side of the Administrative Console, click the Customization link.
2. For more information about the customization options, see Online Help for the Customization panel.

Providing SSH access for Technical Support

A Secure Shell (SSH) session can only be initiated with the collaboration of the Administrator and Technical Support. To allow SSH access, you must supply Technical Support with the current passphrase. If you need to give Technical Support access to the FirePass server, you must also provide access on the SSH port (22). If you do not want to provide any SSH access, we recommend that you block inbound SSH traffic at your firewall. Alternatively, you may block SSH access from the Admin Console, but we strongly recommend against that.
6 Using FirePass Reports

• Overview of FirePass server reports
• Using the Logon report
• Using the My Desktop Activations report
• Using the Session report
• Using HTTP Log reports
• Using the Application Log report
• Using the Summary report
• Using the Group report
Overview of FirePass server reports

You can display and print reports that describe FirePass server activity and status. You can also download and save a report as a Microsoft® Excel (.xls) file. The following types of FirePass server reports are available:

◆ Logon report: Provides a list of all attempts to log on to the FirePass server, both successful and unsuccessful. For more information, see Using the Logon report, on page 6-2.
◆ My Desktop Activation report: Provides a list of all activations of the My Desktop Webifyer. For more information, see Using the My Desktop Activations report, on page 6-3.
◆ Session report: Provides a list of all active user sessions and a history of sessions, along with the corresponding user names, logons, times, and status. For more information, see Using the Session report, on page 6-4.
◆ HTTP Log report: Provides various types of low-level server logs, such as an HTTP server access log, HTTP server error log, and an SSL engine log. For more information, see Using HTTP Log reports, on page 6-5.
◆ Application Log report: Provides aggregate and per-user application logs. For more information, see Using the Application Log report, on page 6-6.
◆ Summary report: Provides a summary of global or group-based user activity, including statistics, and descriptions of browser-type usage over specified periods of time. For more information, see Using the Summary report, on page 6-7.
◆ Group report: Provides a snapshot of the user-group distribution and group-based averages. For more information, see Using the Group report, on page 6-8.
Using the Logon report

The Logon report provides a list of all attempts to log on to the FirePass server, both successful and unsuccessful. You can filter the report for unsuccessful attempts, which quickly provides an audit trail for detecting attacks from unauthorized users. In addition, the FirePass administrator receives a security alert message if 20 consecutive unsuccessful attempts to log on occur within 5 minutes.

To display the Logon report

1. Under the Reports tab on the left side of the Administrative Console, click the Logons link to open the Logons Report.
2. You can do any of the following:
   • To filter the report for unsuccessful attempts, click the Show Failures link.
   • To show all attempts again, click the Show All link.
   • To display details about a user, click the link for the user’s name.
   • To display additional records in the report, click the arrow buttons at the top of the screen for Previous, Next, First, and Last.
   • To download and save the report as a Microsoft® Excel (.xls) file, click the Download report data link, click the Save button, and then enter a file name.
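The alert rule stated above (20 consecutive unsuccessful logons within 5 minutes) can also be checked offline against downloaded report data, for instance when reviewing archived logs. The following Python code is an added example, not part of this guide or of the product: it reproduces the Show Failures filter and the alert rule over constructed logon records. The record format (timestamp, user, source address, OK or FAIL) and the choice that any successful logon ends a run of failures are this example's own assumptions, as is the sample log it builds.

```python
"""The Logon-report failure rule as detection logic over sample records.

Added example, not FirePass code. The threshold (20 consecutive failures
within 5 minutes) is the one the guide states for the administrator's
security alert; the record format below and the decision to treat any
successful logon as ending a run are this example's own assumptions.
"""
from datetime import datetime, timedelta

THRESHOLD = 20
WINDOW = timedelta(minutes=5)


def parse_record(line):
    """Parse a constructed record: '<ISO timestamp> <user> <source IP> <OK|FAIL>'."""
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result == "OK"


def failed_logons(lines):
    """The 'Show Failures' view: only unsuccessful attempts, in time order."""
    return sorted(r for r in map(parse_record, lines) if not r[3])


def consecutive_failure_alerts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return (time, count) for every run of `threshold` consecutive failures
    that all fall within `window`. A success ends the run; failures older
    than the window drop out of it; raising an alert resets it."""
    alerts = []
    run = []  # timestamps of the current unbroken run of failures
    for ts, _user, _src, ok in sorted(map(parse_record, lines)):
        if ok:
            run = []
            continue
        run.append(ts)
        while run and ts - run[0] > window:
            run.pop(0)
        if len(run) >= threshold:
            alerts.append((ts, len(run)))
            run = []
    return alerts


def make_sample(start="2004-03-01T09:00:00", gap_seconds=10):
    """Constructed log: 25 rapid failures, one success, then 19 more failures."""
    t = datetime.fromisoformat(start)
    gap = timedelta(seconds=gap_seconds)
    lines = []
    for i in range(25):
        lines.append("%s guest 192.0.2.10 FAIL" % (t + i * gap).isoformat())
    lines.append("%s alice 10.4.10.50 OK" % (t + 25 * gap).isoformat())
    for i in range(26, 45):
        lines.append("%s guest 192.0.2.10 FAIL" % (t + i * gap).isoformat())
    return lines


if __name__ == "__main__":
    sample = make_sample()
    print(len(failed_logons(sample)), "failures")
    for when, count in consecutive_failure_alerts(sample):
        print("ALERT", when.isoformat(), count, "consecutive failures")
```

With the default sample the rule fires once, on the twentieth failure; the same 44 failures spread 20 seconds apart never fire, because a run of 20 can no longer fit inside the 5-minute window, which is why the Show Failures view remains worth reading even when no alert was sent.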
Using the My Desktop Activations report

The My Desktop Activations report provides a list of all activations of the My Desktop Webifyer. You can filter the My Desktop Activations report for all failed activations, and for failed activations that were not the result of an incorrect password.

To display the My Desktop Activations report

1. Under the Reports tab on the left side of the Administrative Console, click the Activations link.
2. Do any of the following:
   • To filter the report for any type of My Desktop failed activation, click the Show Failures link.
   • To filter the report for failed activations of My Desktop that were not the result of an incorrect password, click the Show non-password Failures link.
   • To show all attempts again, click the Show All link.
   • To display additional records in the report, click the arrow buttons at the top of the screen for Previous, Next, First, and Last.
   • To download and save the report as a Microsoft® Excel (.xls) file, click the Download Report Data link, click the Save button, and then enter a file name.
Using the Session report

The Session report provides a list of all active user sessions and a history of sessions, along with the corresponding user names, logons, times, and status.

To display the Session report

1. Under the Reports tab on the left side of the Administrative Console, click the Sessions link.
2. With the Sessions report, you can do any of the following:
   • To filter the list for a particular user, enter a user’s login name in the Show sessions for box, and then click the magnifying glass button. To show all users, clear the Show Sessions For box, and then click the magnifying glass button.
   • To show a list of today’s sessions, click the Today’s Sessions link.
   • To show the history of sessions, click the Complete History link.
   • To show a list of currently active sessions, click the Currently Active link.
   • To show daily aggregate session counts, click the Daily Averages link.
   • To show monthly aggregates, click the Monthly Averages link.
   • To display details about a particular user’s session (such as browser type or IP address), click the date in the Start column next to the user’s name.
   • To display details about a user, click the link for the user’s name.
   • To terminate a session for a user, click the Kill link in the user’s row.
   • To display additional records in the report, click the arrow buttons at the top or bottom of the screen for Previous, Next, First, and Last record.
   • To download and save the report as a Microsoft® Excel (.xls) file, click the Download Report Data link, click the Save button, and then enter a file name.
Using HTTP Log reports

The HTTP Log report includes the following types of low-level server logs:
• HTTP server access log
• HTTP server error log
• HTTPS server access log
• HTTPS server error log
• SSL engine log

The FirePass server stores the logs in the HTTP Log report on a daily basis. You can use an online calendar to choose the day for which you want to display an HTTP Log report.

To display the HTTP Log report

1. Under the Reports tab on the left side of the Administrative Console, click the HTTP Logs link. To change the type of log in the report, select a log type from the Select Log File drop-down list, and then click the Go button or the icon.
2. Click the icon to display the calendar. Then do any of the following:
   • To display a particular page, enter the page number in the Select Page box, and then click the Go button.
   • To specify the number of records per page, enter the number of records in the Records Per Page box, and then click the Go button.
3. To display additional records in the report, click the arrow buttons at the top or bottom of the screen for Previous, Next, First, and Last record.
4. To download and save the report as a Microsoft® Excel (.xls) file, click the Download link, click the Save button, and then enter a file name.
Using the Application Log report

The Application Log report provides a list of aggregate and per-user application logs.

To display the Application Log report

1. Under the Reports tab on the left side of the Administrative Console, click the App Logs link to open the Application Log Report.
2. With the Application Log Report, you can do any of the following:
   • To filter the report for a particular user, click the link in the Logon column for the user’s name.
   • To show all users again, click the Show all records link at the top of the report.
   • To display details about a particular session, click the link in the Session ID column for the session.
   • To display additional records in the report, click the arrow buttons at the top of the screen for Previous, Next, First, and Last.
   • To download and save the report as a Microsoft® Excel (.xls) file, click the Download Report Data link, click the Save button, and then enter a file name.
Using the Summary report

The Summary report provides a summary of global or group-based user activity, including statistics and descriptions of operating system and browser type usage over specified periods of time. You can also display optional bar graphs in the report.

To display the Summary report

1. Under the Reports tab on the left side of the Administrative Console, click the Summary Report link.
2. From the For the group drop-down list, select the FirePass server group that you want to create a Summary report for.
3. Do any of the following:
   • To specify a particular date range for the Summary report, select starting and ending dates from the Reporting period from and To (inclusive) drop-down lists. Then click the icon. You can also click the Last Week, Last 2 Weeks, Last Month, or Last Year links.
   • To include bar graphs in the report, click the Show graphs check box.
   • To download and save the report as a Microsoft® Excel (.xls) file, click the Download Report Data link, click the Save button, and then enter a file name.
Using the Group report

The Group report provides a snapshot of the user-group distribution and group-based averages.

To display the Group report

1. Under the Reports tab on the left side of the Administrative Console, click the Group Report link.
2. With the Group report, you can do any of the following:
   • To specify a particular date range for the Group report, select starting and ending dates from the Reporting period from and To (inclusive) drop-down lists. Then click the icon. You can also click the Last Week, Last 2 Weeks, Last Month, or Last Year links.
   • To download and save the report as a Microsoft® Excel (.xls) file, click the Download Report Data link, click the Save button, and then enter a file name.
7 Configuring FirePass Failover Servers and Cluster Servers

• Using FirePass failover servers
• Using FirePass server clusters
Using FirePass failover servers

The Failover feature provides fault tolerance and guarantees that at least one server in a failover pair is accessible to users in the unlikely event of a server failure. The failover pair (an active server and a standby server) provides hot, stateful failover without session interruption or termination. If the active server has a failure, all session data is automatically preserved. The failover transfer process to the standby server is usually transparent to users, although occasionally a new session initiated since the most recent synchronization update may need to be restarted. The active and standby servers communicate with each other using a heartbeat. Each server can detect when the other server fails, and in case of failure it automatically restarts applications on the operating server. The standby server uses IP takeover to take over sessions if the active server has a failure.
Installing FirePass failover servers

All FirePass servers are licensed initially as standalone servers. If you want to configure a pair of failover servers, you need to obtain new licenses. Contact your sales representative or Technical Support, and provide them with the serial numbers of the servers to be configured as a failover pair, or request a new license for each server by navigating to Server/Settings and clicking the link to request a new license. For more information, see Managing FirePass licenses, on page 5-11. If you are installing two single-NIC FirePass servers in failover pairs, simply connect the servers to the network. If you are connecting two dual-NIC FirePass servers in failover pairs, connect the same corresponding NICs to the same subnet on both servers. For example, connect the internal NIC on both servers to the same subnet.

Note: For dual-NIC servers, the public subnet should always be associated with the NIC configured as eth0, and the private subnet should always be associated with the NIC configured as eth1. For more information, see Maintaining the network configuration settings, on page 5-1.
Configuring the IP addresses for failover servers
For two single-NIC failover servers, you need at least three static IP addresses: one IP address for the NIC in each server, and a “virtual” IP address for the failover pair itself. For two dual-NIC failover servers, you need at least five static IP addresses: two IP addresses for each server’s NICs, and a virtual IP address for the failover pair itself.
To add or change the IP addresses in the failover pair, you specify the IP addresses in the IP configuration panel for both servers. (For information on accessing the IP configuration panel, see Configuring IPSec for the FirePass server, on page 5-9.) These addresses must be configured for both failover servers:
• One Server IP Address setting in the IP configuration panel must be a virtual IP address for the failover pair. The same Server IP Address must be set in both failover servers. For example, the Server IP address might be set to 10.4.10.190/24 in both failover servers.
• Configure your DNS server to map a fully qualified domain name to the virtual IP address. For example, you might configure the DNS server to map the fully qualified domain name, server-name.company.com, to the virtual IP address, 10.4.10.190/24. The active server in the failover pair is the one that responds to requests that resolve to the Server IP Address.
• Configure the Local Name:Port setting in both computers. The Local Name:Port setting in the Failover configuration panel is the IP address and port of the NIC in each server. This address must be unique in each server in the failover pair. Note that the Local Name IP addresses for the two failover servers must be on the same subnet. For example, the Local Name IP address might be set to 10.4.10.191/24 in one of the failover servers, and the Local Name IP address might be set to 10.4.10.192/24 in the other failover server.
Important
If you change the Local Name IP address for either server, you must specify the same Local Name IP address for the server in the Configure Failover Pair panel. For more information, see Configuring the failover settings, on page 7-3.
Powering up failover servers
When you power up failover servers for the first time, the first server you start automatically becomes the active server and uses the virtual IP address. The other server becomes the standby server. The two servers remain in this state until either the active server fails and the standby server takes over, or until you restart the active server and the standby server becomes the active server. If both servers are powered up simultaneously, the server with the lexically-lower name is the Active server. For example, Prowler1 has precedence over Prowler2.
Configuring the failover settings
To configure the failover settings
To configure servers as members of a failover pair, you must configure both:
• Identical virtual IP addresses for their respective NICs
• Reciprocal physical IP addresses for their heartbeat settings
Failover virtual IP configuration
To serve as a member of a failover pair, the server must have a virtual IP address configured for each NIC. This virtual address must be shared with the corresponding NIC of the other member of the failover pair. This is what links them as members of a failover pair. If you have not already done so, add a virtual IP address for each NIC, using the Server/Maintenance/Network Configuration/IP Config screen on each server. A failover pair must also have reciprocal settings for their respective heartbeat configurations.
Failover heartbeat configuration
The current active member of a failover pair sends regular “I am alive” signals, or heartbeats, to the standby member of the pair. Heartbeat settings tell this server what IP address and port to use for the heartbeat while it is the active member of the pair. The destination of the signal must be the other member of the failover pair. Ordinarily you provide heartbeat settings for each NIC on one server, and then you make corresponding, reciprocal entries for each corresponding NIC on the other server member of this failover pair.
Note
Failover screens and links are visible only if you have a Failover license installed.
To configure the heartbeat settings
1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link.
2. Click the Network Configuration link.
3. Click the Failover link at the top of the screen.
4. Use this screen to configure the heartbeat settings for this server to use when it is serving as the active member of the pair. Specify the Device (the Ethernet interface, or NIC) you are configuring and the UDP port to use for sending the active-node heartbeat.
• The Remote IP address must be a physical (not virtual) IP address of the corresponding NIC of the other member of the failover pair.
• The Local IP address is a physical (not virtual) IP address of this NIC on this server. Select the address to be used in the heartbeat signal.
Note
Your changes do not take effect until you commit them using the Finalize screen.
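As an added example (not part of the F5 guide), the following Python script models the failover settings described in this section and flags the inconsistencies the text warns about: a virtual Server IP that differs between the two servers, Local Name IPs that are not unique or not on one subnet, and a heartbeat Remote IP that points at the virtual address rather than the peer's physical NIC. The field names, the Prowler host names and UDP port 694 are this example's own assumptions; the 10.4.10.x addresses are the ones used in the examples above.

```python
"""Consistency check for a FirePass failover pair (added example, not F5 code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class FailoverNode:
    name: str              # host name, e.g. Prowler1 (constructed)
    server_ip: str         # virtual Server IP of the pair, CIDR form (IP configuration panel)
    local_name_ip: str     # physical IP of this server's NIC, CIDR form (Local Name setting)
    heartbeat_local: str   # heartbeat Local IP: must be this NIC's physical address
    heartbeat_remote: str  # heartbeat Remote IP: must be the peer NIC's physical address
    heartbeat_port: int    # UDP port used for the active-node heartbeat (assumed equal on both)


def check_failover_pair(a: FailoverNode, b: FailoverNode) -> list[str]:
    """Return the list of configuration problems; an empty list means the pair is consistent."""
    problems: list[str] = []

    # The same virtual Server IP must be set on both servers.
    if ipaddress.ip_interface(a.server_ip) != ipaddress.ip_interface(b.server_ip):
        problems.append("Server IP (virtual address) must be identical on both servers")

    # Local Name IPs must be unique per server but on the same subnet.
    phys_a = ipaddress.ip_interface(a.local_name_ip)
    phys_b = ipaddress.ip_interface(b.local_name_ip)
    if phys_a.ip == phys_b.ip:
        problems.append("Local Name IP must be unique on each server")
    if phys_a.network != phys_b.network:
        problems.append("Local Name IPs must be on the same subnet")

    # Heartbeat entries must be reciprocal and use physical, not virtual, addresses.
    for node, peer in ((a, b), (b, a)):
        node_phys = str(ipaddress.ip_interface(node.local_name_ip).ip)
        peer_phys = str(ipaddress.ip_interface(peer.local_name_ip).ip)
        vip = str(ipaddress.ip_interface(node.server_ip).ip)
        if node.heartbeat_local != node_phys:
            problems.append(f"{node.name}: heartbeat Local IP must be this NIC's physical address")
        if node.heartbeat_remote in (vip, node_phys):
            problems.append(f"{node.name}: heartbeat Remote IP must be the peer's physical "
                            "address, not the virtual or local address")
        elif node.heartbeat_remote != peer_phys:
            problems.append(f"{node.name}: heartbeat Remote IP does not match "
                            f"{peer.name}'s Local Name IP")
    if a.heartbeat_port != b.heartbeat_port:
        problems.append("heartbeat UDP port differs between the two servers")
    return problems


def initial_active(a: FailoverNode, b: FailoverNode) -> str:
    """Server that becomes active when both are powered up at once: the lexically lower name."""
    return min(a.name, b.name)


# Constructed sample pair using the addresses from the guide's examples.
PROWLER1 = FailoverNode("Prowler1", "10.4.10.190/24", "10.4.10.191/24",
                        "10.4.10.191", "10.4.10.192", 694)
PROWLER2 = FailoverNode("Prowler2", "10.4.10.190/24", "10.4.10.192/24",
                        "10.4.10.192", "10.4.10.191", 694)

if __name__ == "__main__":
    print("problems:", check_failover_pair(PROWLER1, PROWLER2) or "none")
    print("active on simultaneous power-up:", initial_active(PROWLER1, PROWLER2))
```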
Making a standby server the active server
To make a standby server the active server
1. Using a Web browser, enter the fully qualified domain name for the failover server pair and log in as Administrator. The active server responds to the request.
2. Under the Failover tab on the left side of the Administrative Console, click the Settings link.
3. Click the Restart This Node button. The current server restarts as the standby server, and the standby server takes over as the active server.
Using FirePass server clusters
FirePass 4000 servers (or failover pairs of servers) can be clustered to support many concurrent connections on a single logical URL without performance degradation. Load balancing distributes the sessions among the available servers to maximize throughput. Each server (or failover pair) in the cluster must have a valid certificate and be publicly accessible from outside the LAN using its own unique fully-qualified domain name.
The master node distributes configuration updates (for example, available system resources, new authorized users, and current user access rights) to the slaves, once per minute. This synchronization allows any slave to service any user session. Clustered servers do not share session information. Each session is established with a single server. The master server in a cluster balances the load among slaves by redirecting sessions to slaves. To make this possible, the slaves report their number of currently active sessions as a part of the synchronization process.
You cannot change some configuration settings on slave servers. These changes must be made on the master, so they are replicated across all slaves during synchronization. When you use the Administration Console to connect to a slave server, the configuration options that you cannot change in slave servers are not available. For example, you cannot change user and group account information in the slave servers, and consequently the Users tab is not displayed when you connect to a slave server. To make global configuration changes to a cluster, always connect to the master server. The configuration information flows from the master to the slaves.
Installing multiple FirePass servers as a cluster
To connect several FirePass servers as a cluster, connect the primary NICs to the same subnet unless they are installed in different geographic locations.
Powering up FirePass server clusters
Whenever you power up the server cluster, always power up the master server first. If the master server is not available when the slave servers power up, then the cluster does not work properly.
Configuring FirePass server clusters
A cluster consists of one master node and up to nine optional slave nodes. The master node is responsible for handling incoming connections and redirecting each session to an available slave. The master node is also responsible for maintaining configuration information on itself and all slave nodes. The master itself can also function as an available slave.
Preliminary configuration
Clustering licenses
To configure this server as a member of a cluster, you must first have installed a license that enables clustering, and that indicates the role of this server (as a master or slave). Go to Server/Settings and click the Request a new license link, or contact your sales representative or technical support contact for assistance. For more information about licensing, see Managing FirePass licenses, on page 5-11.
Synchronization services
To allow your clustered servers to remain synchronized, you must also have configured at least one Synchronization service on each server in the cluster. To configure a service for synchronization, navigate to Server/Network Configuration/Web Services. For more about configuring services, see Configuring services, on page 5-5.
Load balancing
To configure Load Balancing, you must also have defined at least one User service allowing HTTP access -- that is, a service available for user access from outside the network -- on each server node of the cluster. To configure an available User service, navigate to Maintenance/Network Configuration/Web Services. For more about configuring services, see Configuring services, on page 5-5.
You also can configure the method, or algorithm, FirePass uses to distribute sessions. FirePass can assign sessions randomly among the slave servers, or it can maintain an even session count among them. To change the load balancing algorithm, go to the Clustering tab at the left of the Administrative Console, and click Settings. Choose Random for random assignment of sessions. Choose Off for even distribution of session counts.
Configuring clustered servers
Note
Clustering screens and links are visible only if you have a Clustering license installed.
To configure internal synchronization
1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link.
2. Click the Network Configuration link.
3. Click the Clustering link at the top of the screen.
4. Configure the Service on master by selecting the Synchronization service to use from the pick list.
5. Configure the slave n services by entering the name and ports of Synchronization services configured on the corresponding slave servers, for each listed service on the master.
To configure Load Balancing
1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link.
2. Click the Network Configuration link.
3. Click the Clustering link at the top of the screen.
4. Complete the Load Balancing table, as follows:
• If this is the master in a cluster, the screen displays a table with a column for each node in the cluster, beginning with the master. Each row corresponds to an HTTP-enabled User service on the master. In each cell of each slave column, enter the host name and port of a User Service on the respective slave.
• If this is a slave in a cluster, the screen displays a table with two columns: the first column for this server, and the second for the master node. Each row corresponds to one HTTP-enabled User service on this server. Use the second column to associate this service with a service on the master. For each listed service on the slave, enter the host name and port of an HTTP-enabled User service configured on the master.
Note
All of these entries should be reciprocal between each node pair. That is, the configuration on this server should match the corresponding entries on the other member of each master/slave pair of services.
Important
These settings do not take effect until you have committed them using the Finalize screen.
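The following Python model is an added example, not F5 code. It checks that a master's Load Balancing table and the slaves' tables are reciprocal in the sense of the note above (each master cell points at a slave service whose own row points back at that master service), and it simulates how a master would redirect new sessions under the Random and Off settings described under Load balancing earlier. The host names, the nested-dictionary table layout, and the reading of Off as "send the session to the least-loaded node" are assumptions of this example.

```python
"""Reciprocity check for a FirePass cluster Load Balancing table and a model of
session distribution (added example, not F5 code)."""
import random

# Master's table (constructed sample): one row per HTTP-enabled User service on the
# master, keyed by the master's host:port; each cell is the host:port of the
# matching User service on that slave.
MASTER_TABLE = {
    "fp-master.company.com:443": {"slave1": "fp-slave1.company.com:443",
                                  "slave2": "fp-slave2.company.com:443"},
    "fp-master.company.com:80":  {"slave1": "fp-slave1.company.com:80",
                                  "slave2": "fp-slave2.company.com:80"},
}

# Each slave's table (constructed sample): one row per HTTP-enabled User service
# on that slave, mapping it to the master service it belongs to.
SLAVE_TABLES = {
    "slave1": {"fp-slave1.company.com:443": "fp-master.company.com:443",
               "fp-slave1.company.com:80":  "fp-master.company.com:80"},
    "slave2": {"fp-slave2.company.com:443": "fp-master.company.com:443",
               "fp-slave2.company.com:80":  "fp-master.company.com:80"},
}


def check_reciprocal(master_table: dict, slave_tables: dict) -> list[str]:
    """Return every master/slave entry pair that does not match in both directions."""
    problems: list[str] = []
    # Master -> slave: the slave's row for the named service must point back at this row.
    for master_svc, cells in master_table.items():
        for slave, slave_svc in cells.items():
            found = slave_tables.get(slave, {}).get(slave_svc)
            if found != master_svc:
                problems.append(f"{slave}: {slave_svc} maps to {found!r}, expected {master_svc}")
    # Slave -> master: the master's row must carry this slave service in the slave's column.
    for slave, table in slave_tables.items():
        for slave_svc, master_svc in table.items():
            found = master_table.get(master_svc, {}).get(slave)
            if found != slave_svc:
                problems.append(f"master row {master_svc}, column {slave}: holds {found!r}, "
                                f"expected {slave_svc}")
    return problems


def pick_node(session_counts: dict[str, int], algorithm: str, rng: random.Random) -> str:
    """Node a master would redirect a new session to. Nodes are the slaves reporting
    their active session counts during synchronization; the master may be listed too,
    since the guide says it can serve as a slave itself."""
    nodes = sorted(session_counts)  # deterministic tie-breaking by name
    if algorithm == "Random":
        return rng.choice(nodes)
    if algorithm == "Off":           # keep session counts even: least-loaded node first
        return min(nodes, key=session_counts.__getitem__)
    raise ValueError(f"unknown load balancing algorithm: {algorithm}")


def simulate(session_counts: dict[str, int], algorithm: str,
             new_sessions: int, seed: int = 0) -> dict[str, int]:
    """Assign new_sessions sessions one at a time and return the resulting counts."""
    counts = dict(session_counts)
    rng = random.Random(seed)
    for _ in range(new_sessions):
        counts[pick_node(counts, algorithm, rng)] += 1
    return counts


if __name__ == "__main__":
    print("reciprocity problems:", check_reciprocal(MASTER_TABLE, SLAVE_TABLES) or "none")
    start = {"master": 5, "slave1": 0, "slave2": 2}
    print("Off   :", simulate(start, "Off", 8))
    print("Random:", simulate(start, "Random", 8))
```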
Accessing a slave server’s configuration while connected to a master server
You can access a slave server’s configuration while you are connected to a master server using the Administrative Console.
To access a slave server’s configuration while connected to a master server
1. Use the Administrative Console to connect to the master server in the cluster.
2. Under the Clustering tab on the left side of the Administrative Console, click the slave Admin link.
3. Click the link for the slave server that you want to access. The Administrative Console accesses the slave server and displays the slave server’s settings within the console window.
4. Under the Clustering tab on the left side of the Administrative Console, click the Settings link. The slave Settings panel for the master server appears.
Note
To return to the master server, enter the fully qualified domain name for the master server in your Web browser and then log in.
Displaying statistics for a FirePass server cluster
You can display operational statistics for a server cluster in near-real time. The statistics include the number of sessions active on the servers, the average bitrate and CPU load, and the time of the most recent master-slave synchronization.
To display statistics for a FirePass server cluster
1. Use the Administrative Console to connect to the master FirePass server in the cluster.
2. Under the Clustering tab on the left side of the Administrative Console, click the Stats link.
Index
A
access to server, limiting by IP address 3-35
activity, report 6-7
Administrative Console
  access Maintenance Console from 2-20
  using 2-17
administrative privileges, assigning to users 3-19
administrator, e-mail address 5-20
Application Logs report 6-1, 6-6
AppTunnels webifyer 4-1, 4-18
  client certificates 4-20
  compressing traffic 4-20
  favorites 4-18
  limiting access 4-20
attempts to log on, report 6-2
authentication
  internal database 3-23
  LDAP server 3-27
  overview of 3-23
  RADIUS server 3-24
  VASCO 3-28
  Windows domain server 3-25
averages, reports 6-4
B
backing up configuration 5-19
bridge 4-32
  disabling access 4-32
  starting and stopping 5-18
bridge ports 5-8
browser definitions, adding 5-28
C
caching, specifying 5-23
certificates for servers
  changing server name for 3-30
  generating server certificate request 3-30
  installing and renewing server certificates 3-31
  overview of 3-29
client certificates
  AppTunnels webifyer 4-20
  authentication of user’s computer 3-31
  Host Access webifyer 4-22
  My Desktop webifyer 4-33
  My E-mail webifyer 4-14
  My Files 4-5
  My Intranet 4-10
  My NFS 4-7
  SSL VPN webifyer 4-30
  Terminal Services webifyer 4-17
  webifyers, using 4-38
Clustered servers
  accessing Slave from Master 7-8
  certificates 7-5
  configuration changes 7-5
  configuring synchronization 7-7
  domain names 7-5
  installing 7-5
  operational statistics 7-8
  starting 7-5
  Synchronization 7-6
  synchronization 7-5
  using 7-5
clusters
  configuring 7-6
  installing 7-5
  overview of 7-5
  powering up 7-5
  statistics for, displaying 7-8
compression, specifying 5-23
configuration, backing up and restoring 5-19
D
default group 3-1
definitions for browsers, adding 5-28
Deleting a host 4-37
deploying FirePass
  overview 2-1
  summary of tasks 2-1
Desktop Agent server TCP ports 5-8
Disable Bridge Access to Desktop 4-32
Domain Name Server
  configuring 5-4
E
Editing X-Windows host configuration details 4-37
e-mail address of administrator 5-20
e-mail server, specifying 5-20
Ethernet cable 2-12
F
Failover
  dual-NIC configuration 7-1
  fault tolerance 7-1
  heartbeat 7-1
  heartbeat configuration 7-3
  IP addresses 7-1
  IP configuration 7-3
  licensing 7-1
  standby server 7-4
failover servers
  changing active server 7-4
  configuring settings for 7-3
  installing 7-1
  IP addresses for 7-1
  overview of 7-1
  powering up 7-2
features of FirePass 1-2
FirePass
  authentication 3-23
  client certificates, using 3-31
  clusters 7-5
  deploying, overview of 2-1
  failover servers 7-1
  features 1-2
  groups 3-2
  installing 2-12
  introduction 1-1
  IP configuration 5-1
  models 1-1
  monitoring 5-29
  name resolution, solving problems with 2-11
  reports 6-1
  security, overview of 3-1
  server certificates for 3-29
  testing network connectivity 2-16
  user accounts 3-11
  webifyers 4-1
Firewall
  stateful and non-stateful 2-4
firewall configuration
  between FirePass and application services 2-7
  between FirePass and LAN via My Desktop 2-9
  between FirePass and network services 2-6
  between remote user and FirePass 2-5
  overview of 2-2, 2-3
firmware, updating server 5-27
FQDN
  specifying 5-5
G
Group report 6-1, 6-8
groups
  creating 3-3
  default 3-1
  deleting 3-4
  distribution report 6-8
  LDAP-based mapping 3-6
  moving users to 3-4
  overview of 3-2
  showing users in 3-4
  Windows domain-based mapping 3-4
Guest webifyer, configuring 4-33
H
heartbeat
  failover 7-1
home page appearance, customizing 5-31
Host Access webifyer 4-2, 4-21
  active host sessions, displaying 4-22
  client certificates 4-22
  favorites 4-21
  limiting access 4-22
HTTP Logs report 6-1, 6-5
HTTP proxies, using 5-14
I
importing
  NFS permissions 3-18
  users from a text file 3-16
  users from a Windows domain server 3-13
  users from an LDAP server 3-15
installing FirePass
  procedures for 2-12
  summary of tasks 2-1
introduction to FirePass 1-1
IP configuration for server, setting 5-1
IPSec
  configuring new connection 5-9
  definition 5-9
IPSec configuration, server 5-9
K
keys for My Desktop webifyer, generating 3-21
L
LDAP
  group mapping 3-6
  group object mapping 3-9
  user object mapping 3-6
  using for authentication 3-27
license
  installing new 5-11
license request
  generating 5-11
licensed features, displaying 2-19
limiting server access by IP address 3-35
Load Balancing
  algorithm 7-6
  configuring 7-7
  Off 7-6
  Random 7-6
load on server, monitoring 5-29
log files, managing 5-25
logging into FirePass 2-17
Logons report 6-1, 6-2
M
Maintenance Console
  access using Administrative Console 2-20
models of FirePass 1-1
monitoring server 5-29
My Desktop Activations report 6-1, 6-3
My Desktop webifyer 4-2, 4-31
  activations report 6-3
  bridge access, disabling 4-32
  client certificates 4-33
  cluster configuration 4-32
  desktop ports 4-31
  generating keys for 3-21
  Guest webifyer 4-33
  installing 3-22
My E-mail webifyer 4-1, 4-11
  client certificates 4-14
  e-mail account, configuring 4-11
  e-mail addresses, obtaining from LDAP server 4-13
  e-mail attachments, disabling 4-13
  LDAP query, using 4-12
My Files webifyer 4-1, 4-3
  client certification 4-5
  defining favorites 4-3
  file uploads, enabling 4-4
  limiting access 4-3
  virus scanning, enabling 4-4
My Intranet webifyer 4-1, 4-8
  client certification 4-10
  defining favorites 4-8
  limiting access 4-10
  user agent strings 4-9
My NFS webifyer 4-1, 4-6
  client certification 4-7
  defining favorites 4-6
  limiting access 4-7
N
name resolution
  solving problems with resolving server name 2-11
network broadcast IP address to use 5-8
network packets, capturing 5-30
NFS
  user mapping 5-13
NFS permissions
  manually assigning 3-18
  mapping users from NFS servers 5-12
  using 3-17
NIS server, using 5-12
NTP server, specifying 5-22
null modem cable 2-21
O
overview of FirePass 1-1
P
password
  superuser, changing 2-18
  users 3-12
Power switch 2-13
proxies, HTTP and SSL 5-14
R
RADIUS server
  setting up 3-24
  using SecurID 3-25
release notes 1-5
reports
  Application Logs report 6-1, 6-6
  Group report 6-1, 6-8
  HTTP Logs report 6-1, 6-5
  Logons report 6-1, 6-2
  My Desktop Activations report 6-1, 6-3
  overview of 6-1
  saving 6-1
  Sessions report 6-1, 6-4
  Summary report 6-1, 6-7
restart
  bridge 5-18
  server 5-17
restoring configuration 5-19
Role-Based Administration 5-21
routing rules
  adding and editing 5-4
routing table
  adding a route 5-3
  adding new 5-3
S
saving reports 6-1
SecurID, using 3-25
security
  groups 3-2
  overview of 3-1
  user accounts 3-11
server certificates. See certificates for servers.
server name, changing 3-30
services, FirePass configuration 5-8
Sessions report 6-1, 6-4
settings and licensed features, displaying 2-19
signup templates, using to add users 3-16
SNMP agent, using 5-15
SSL proxies, using 5-14
SSL VPN webifyer 4-2, 4-23
  benefits 4-23
  client certificates 4-30
  drive mappings 4-29
  global client appearance 4-26
  global packet rules 4-25
  global timeout rules 4-26
  global VPN settings 4-24
  group configuration 4-27
  group packet rules 4-29
  launching applications automatically 4-30
SSL-VPN traffic IP address to use 5-8
static host names 5-5
statistics for server, displaying 5-30
summary of tasks for installing and deploying 2-1
Summary report 6-1, 6-7
superuser
  name, entering 2-17
  password, changing 2-18
Synchronization
  configuring 5-7
  configuring addresses and ports 5-5
Synchronization Agent
  configuring 5-6
  configuring ports for 5-7
T
technical support 1-5
templates, signup 3-16
terminal emulation application 2-21
Terminal Services webifyer 4-1, 4-15
  client certificates 4-17
  favorites 4-15
  limiting access 4-17
  screen resolution 4-15
testing FirePass network connectivity 2-16
time and time zone, specifying 5-22
Timeout
  inactivity 2-20
troubleshooting using network packets 5-30
U
unsuccessful attempts to log on, reports 6-2
updating server firmware 5-27
user accounts
  activating and deactivating 3-19
  administrative privileges, assigning 3-19
  changing 3-19
  generating keys for My Desktop webifyer 3-21
  importing from an LDAP server 3-15
  importing from Windows domain server 3-13
  importing permissions from NFS 3-18
  importing users from a text file 3-16
  manually adding 3-11
  NFS permissions, using 3-17
  overview of 3-11
  searching for 3-21
  signup templates 3-16
user activity report 6-7
user sessions, report 6-4
V
VASCO, using for authentication 3-28
virtual IP address
  failover configuration 7-2
VPN, see SSL VPN webifyer.
W
Web browser definitions, adding 5-28
web services
  configuring 5-6
webifyers
  AppTunnels 4-1, 4-18
  customizing available features 5-31
  Host Access 4-2, 4-21
  My Desktop 4-2, 4-31
  My E-mail 4-1, 4-11
  My Files 4-1, 4-3
  My Intranet 4-1, 4-8
  My NFS 4-1, 4-6
  overview of 4-1
  SSL VPN 4-2, 4-23
  Terminal Services 4-1, 4-15
Windows domain
  domain server, using 3-25
  group mapping 3-4
X
X-Windows Access 4-35
X-Windows server IP address to use 5-8