Watchguard Firebox SSL VPN Gateway Administration Guide

WatchGuard

®

Firebox SSL VPN

Gateway Administration Guide

Firebox SSL VPN Gateway

ii Firebox SSL VPN Gateway Administration Guide

ADDRESS:

505 Fifth Avenue South

Suite 500

Seattle, WA 98104

SUPPORT:

www.watchguard.com/support

support@watchguard.com

U.S. and Canada +877.232.3531

All Other Countries +1.206.613.0456

SALES:

U.S. and Canada +1.800.734.9905

All Other Countries +1.206.521.8340

ABOUT WATCHGUARD

WatchGuard is a leading provider of network security solutions for small- to mid-

sized enterprises worldwide, delivering integrated products and services that are

robust as well as easy to buy, deploy and manage. The company’s Firebox X family of

expandable integrated security appliances is designed to be fully upgradeable as an

organization grows and to deliver the industry’s best combination of security,

performance, intuitive interface and value. WatchGuard Intelligent Layered Security

architecture protects against emerging threats effectively and efficiently and provides

the flexibility to integrate additional security functionality and services offered

through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity

Service subscription to help customers stay on top of the security landscape with

vulnerability alerts, software updates, expert security instruction and superior

customer care. For more information, please call (206) 521-8340 or visit

www.watchguard.com

.

Notice to Users

Information in this guide is subject to change without notice. Companies, names, and data used in examples

herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any

form or by any means, electronic or mechanical, for any purpose, without the express written permission of

WatchGuard Technologies, Inc.

Copyright, Trademark, and Patent Information

Use of the product documented in this guide is subject to your prior acceptance of the WatchGuard End User

License Agreement applicable to this product. You will be prompted to read and accept the End User License

Agreement when you register your Firebox on the WatchGuard website.

WatchGuard, Firebox, LiveSecurity and any other word listed as a trademark in the “Terms of Use” portion of

the WatchGuard website that is used herein are registered trademarks or trademarks of WatchGuard

Technologies, Inc. in the United States and/or other countries.

Citrix is a registered trademark of Citrix Systems, Inc in the U.S.A. and other countries.

Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft

Corporation in the United States and/or other countries.

All other trade names referred to are the Servicemark, Trademark, or Registered Trademark of the respective

manufacturers.

The Firebox SSL Access Gateway software is distributed with source code covered under the GNU General

Public License (GPL). To obtain source code covered under the GPL, please contact WatchGuard Technical

Support at:

877.232.3531 in the United States and Canada

+1.206.613.0456 in all other countries

This source code is free to download. There is a $35 charge to ship the CD.

See Appendix B, “Legal and Copyright Information” on page 157 of this guide for the complete text of the

GPL.

VPN Gateway Software: 4.9

Document Version: 2201-000

Firebox SSL VPN Gateway Administration Guide

Contents

CHAPTER 1 Firebox SSL Overview .......................................1

Overview .........................................................................2

Feature Summary ................................................................ 4

The User Experience ............................................................ 6

Deployment and Administration ......................................... 7

Firebox SSL Operation .....................................................8

Starting the Secure Access Client ...................................... 9

Establishing the Secure Tunnel ........................................10

Tunneling Destination Private Address Traffic over SSL or

TLS .................................................................................10

Terminating the Secure Tunnel and Returning Packets to the

Client ..............................................................................12

Kiosk Operation ............................................................13

Deployment Options ......................................................16

CHAPTER 2 Administering the Firebox SSL.........................17

Using the Firebox SSL Remote Admin Terminal Window ....18

To open the Remote Admin Terminal window: ................19

Using the Administration Tool .........................................21

Using the Serial Console ................................................23

To open the serial console: ...............................................23

iv Firebox SSL VPN Gateway Administration Guide

Upgrading the Firebox SSL Software ................................23

To display the version of your installed Firebox SSL: .....24

To upgrade your Firebox SSL ............................................24

Supporting Secure Access Users ....................................25

Configuring Software Firewalls for the Secure Access

Client ..............................................................................26

Generating a Secure Certificate for the Firebox SSL .........29

About Digital Certificates and Firebox SSL Operation ...31

Overview of the Certificate Signing Request ...................32

Installing the Cygwin UNIX Environment for Windows ....33

Generating a CSR ..............................................................33

Unencrypting the Private Key ..........................................34

Converting to a PEM-Formatted Certificate .....................35

Combining the Private Key with the Signed Certificate ..36

Generating Trusted Certificates for Multiple Levels .......37

Uploading a Certificate to the Firebox SSL .....................38

Blocking External Access to the Administration Portal ......39

Managing Licenses ........................................................40

Viewing and Changing the System Date and Time ............41

Managing Administrative Users .......................................42

Saving and Restoring the Configuration ...........................43

Managing VPN Connections ............................................45

About Connection Handling ..............................................46

Closing a Connection to a Resource ................................47

Disabling/Enabling a VPN User ........................................48

Restarting the Firebox SSL .............................................49

Shutting Down the Firebox SSL .......................................49

CHAPTER 3 Working with a VPN Connection .......................51

Using the Access Portal .................................................51

Connecting from a Private Computer ...............................56

Using the Secure Access Window ....................................56

Connecting from a Public Computer (Kiosk Session) ........61

Working with Shared Network Drives ...............................63

Using the Citrix Client ........................................................65

Using the Remote Desktop Client ....................................65

Firebox SSL VPN Gateway Administration Guide

Using the Telnet 3270 Emulator Client ...........................67

Using the VNC Client ..........................................................68

To use the VNC client: .......................................................68

CHAPTER 4 Configuring Firebox SSL Network Connections ..71

Configuring Network Interfaces .......................................72

Specifying DNS/WINS Settings .......................................74

Configuring Routes ........................................................75

Configuring Dynamic Routing ...........................................75

Adding, Testing, and Removing a Static Route ...............77

Static Route Example ........................................................78

Configuring Failover Firebox SSLs ....................................80

CHAPTER 5 Configuring Firebox SSL Operation...................81

Configuring Authentication, Authorization, and Local Users ...

82

About the Realm Named Default .....................................84

Using a Local User List for Authentication .......................84

Using LDAP Authorization with Local Authentication .....85

Using RADIUS Servers for Authentication ........................88

To specify RADIUS server settings: ..................................89

Using LDAP Servers for Authentication and Authorization ..91

To specify LDAP server settings: ......................................92

Looking Up Attributes in your LDAP Directory .................94

Using RSA SecurID for Authentication .............................95

To generate a sdconf.rec file for the Firebox SSL: ..........96

To enable RSA SecurID authentication for the Firebox

SSL: ................................................................................97

Resetting the Node Secret ................................................99

Removing an Authentication Realm ...............................100

To remove an authentication realm: ..............................100

Adding Local Users ......................................................100

To create a user on the Firebox SSL: .............................101

To delete a user from the Firebox SSL: .........................102

Controlling Network Access ..........................................102

Specifying Accessible Networks .....................................103

Defining Network Resource Groups ...............................104

vi Firebox SSL VPN Gateway Administration Guide

Denying Access to Groups with No ACL .........................107

Customizing VPN Portal Pages ......................................108

Downloading and Working with Portal Page Templates ......

110

Loading Custom Portal Files on the Firebox SSL .........113

Disabling Portal Page Authentication .............................114

Linking to the VPN Clients from Your Website ..............115

Configuring Host Check Rules ......................................116

Example Host Check Rules .............................................118

Configuring Network Shares for Kiosk Sessions .............119

Adding and Configuring User Groups .............................121

Configuring Resource ACLs for a User Group ...............124

Configuring Kiosk Operation for a Group ......................126

Configuring a Host Check Policy for a Group ................128

Choosing a Portal Page for a Group ...............................130

Enabling IP Pooling ..........................................................131

Setting the Priority of Groups .........................................132

Enabling Split Tunneling ...............................................134

Enabling Split DNS ......................................................135

Enabling Session Timeout ............................................136

Configuring Internal Failover .........................................137

Forcing VPN User Re-login ............................................138

Configuring Secure Access for Single Sign-on ................140

APPENDIX A Logging, Monitoring, and Troubleshooting Firebox

SSL Operations143

Viewing and Downloading System Message Logs ...........143

Forwarding System Messages to a Syslog Server ........145

Enabling and Viewing SNMP Logs .................................146

MRTG Example .................................................................147

Viewing System Statistics ............................................149

Monitoring Firebox SSL Operations ...............................150

Recovering from a Crash of the Firebox SSL ..................153

To reinstall the Firebox SSL server software: ................154

Troubleshooting ...........................................................154

APPENDIX B Legal and Copyright Information ....................157

Firebox SSL VPN Gateway Administration Guide 1

CHAPTER 1 Firebox SSL Overview

The WatchGuard Firebox SSL is a network appliance that pro-

vides secure remote access to network resources and all appli-

cations, including web, client-server, and peer-to-peer such as

Instant Messaging (IM), video conferencing, and real-time

Voice over IP (VoIP) applications. Combining the advantages of

both IP Security (IPSec) and Secure Socket Layer (SSL) Virtual

Private Network (VPN) solutions, the Firebox SSL provides full,

secure application access without requiring changes to applica-

tions or Domain Name Service (DNS).

The Firebox SSL gives the remote user seamless, secure access

to authorized applications and network resources. Remote

users can work with files on network drives, email, Intranet

sites, and applications just as if they were working inside of

their organization’s firewall.

The Firebox SSL also provides clientless kiosk operation, which

opens a Virtual Network Computing (VNC) like connection for

remote users who access the Firebox SSL from a non-secure

computer. Kiosk user access can include shared network drives,

a variety of built-in clients, servers running Windows Terminal

Services (Remote Desktop), VNC servers, and Citrix ICA.

The following topics provide an overview to the Firebox SSL:

• “Overview” on page 2

Firebox SSL Overview

2 Firebox SSL VPN Gateway Administration Guide

• “Feature Summary” on page 4

• “The User Experience” on page 6

• “Deployment and Administration” on page 7

• “Firebox SSL Operation” on page 8

• “Kiosk Operation” on page 13

• “Deployment Options” on page 16

WatchGuard provides other network appliance products. For

information, go to http://www.watchguard.com.

Overview

The Firebox SSL installs into any network infrastructure without

requiring changes to the existing hardware or back-end soft-

ware. The Firebox SSL sits in front of application and web serv-

ers and works with other networking products such as firewalls,

server load balancers, cache engines, routers, and IEEE 802.11

broadband wireless devices.

The Firebox SSL, installed in the corporate DMZ, participates on

two networks: a private network and a public network with a

publicly routable IP address. The Firebox SSL can also partition

local area networks internally in the organization for access

control and security between wired/wireless and data/voice net-

works.

As shown in the following illustration, the Firebox SSL is appro-

priate for employees accessing the organization remotely, Busi-

ness to Business (B2B) access and transactions, and intranet

access from restricted LANs such as wireless networks.

Overview

Firebox SSL VPN Gateway Administration Guide 3

As shown in the following illustration, the Firebox SSL creates a

virtual TCP circuit between the client computer running the

WatchGuard Secure Access client and itself.

The virtual TCP circuit is encrypted using proven technologies

such as SSL and Transport Layer Security (TLS). All packets des-

Firebox SSL Overview

4 Firebox SSL VPN Gateway Administration Guide

tined for the private network are transported over the virtual

TCP circuit. The Firebox SSL is essentially acting as a low-level

packet filter with encryption. It drops traffic which does not

have authentication or does not have permission for a particular

network.

Feature Summary

Most of the features listed in the following table are implicitly

supported through the ability of the Firebox SSL to intercept

every network connection initiated on the client computer,

whether TCP (connection-oriented applications) or UDP (voice

and video applications). The Secure Access client forwards all IP

packets over an SSL tunnel to the Firebox SSL based on dynam-

ically determined routing policies which are transparent to the

remote user. The Firebox SSL retransmits these IP packets to the

intended host.

Application

support

Unlike other VPN solutions, the Firebox SSL is application-

agnostic. The Firebox SSL operates more like an IPSec VPN than

an SSL VPN.

Supports all applications (web, client-server, peer-to-peer, and real-

time) without modification to the applications or DNS.

Handles real-time traffic, such as voice (RTP/SIP), with minimal

loss in performance.

Protocol

support

Supports IP.

Supports PPPoE (Point-to-Point Protocol over Ethernet) and PPP.

Supports Ethernet, including 802.11, and Remote Access Service

(RAS) connections, including TCP, UDP, and Internet Control

Message Protocol (ICMP).

Platform

support

Supports computers running Windows 2000, Windows 2000

Professional, Windows 2000 Server, Windows XP, Windows XP

Home, Windows XP Professional, and all Linux 2.4 platforms

(tested extensively with RedHat). Includes a client that supports

computers, such as Macintosh, running Java Virtual Machine (JVM)

version 1.4.2 or higher.

Overview

Firebox SSL VPN Gateway Administration Guide 5

Ease of use and

deployment

Automatically updates the Secure Access client when a new

version is available on the Firebox SSL.

The Secure Access client can go into a suspend state rather than

timing out so that the connection is always available and the user

does not have to repeatedly log in. The Secure Access client

continues to run in memory even when the laptop or PC is

disconnected from the network. This functionality ensures security

over 802.11 networks without having to deploy and maintain a

WEP environment.

The Secure Access client can be configured for single sign-on

operation so that it starts automatically after a user logs in to

Windows. A user’s Windows login credentials are passed to the

Firebox SSL for authentication and then the VPN connection is

automatically established without user intervention. Windows login

scripts run after the VPN connection is established.

Ease of use and

deployment

(continued)

Includes the option to use the default portal pages (Access Portal),

to customize easy-to-use portal page templates, or to include links

to the clients directly on your website.

Provides access to remote networks that have the same

numbering as the local subnet.

VPN operation Provides users with a desktop-like network experience. Through

the VPN connection, users can:

Map network drives just as they would from their in-office

computer.

Work with client applications, such as Microsoft Outlook or any

other application, in their native user interface. The remote user

does not need to do any client application reconfiguration.

VPN users can seamlessly access the Firebox SSL even if they are

behind another organization’s firewall.

Kiosk operation Provides, on a group basis, access to a private network from public

computers.

Sends images, not data, to the kiosk. Because no temporary files

or cookies are downloaded to the remote computer, there is no

risk of files remaining after the session.

Opens a VNC-like window that is configurable by group. Optional

components include a Mozilla browser window with a configurable

default URL, network shares, and icons that provide one-click

access to Remote Desktop, VNC, Telnet 3270 emulator, SSH, and

Citrix ICA clients.

Performance Supports up to 205 tunnels

Provides throughput of 75 MB per second.

Authentication,

authorization,

and access

control

Supports HTTP 401 Basic, Digest, and Windows Domain

Authentication and RADIUS, LDAP, and RSA SecurID authentication

servers. User accounts can also be defined on the Firebox SSL.

Supports realm-based authentication so that a single Firebox SSL

can be used with multiple authentication servers.

Supports LDAP or local user group authorization.

Provides access control through the association of resources to

user groups.

Firebox SSL Overview

6 Firebox SSL VPN Gateway Administration Guide

The User Experience

The Firebox SSL provides users with the desk-like network expe-

rience that they have with an IPSec VPN, but does so without

any need to configure a client. The user starts the Secure Access

client by accessing a secure web URL through a standard web

browser, and then providing authentication credentials.

Because the Firebox SSL traverses all ports of firewalls, remote

users can access the Firebox SSL regardless of their location. For

a more detailed description of the user experience, see “Con-

necting from a Private Computer” on page 56.

The following illustration shows the default Windows version of

the Access Portal.

Security Supports digital certificates in Privacy Enhanced Mail (PEM) format

that include a private key. Notifies VPN users if the Firebox SSL to

which they connect does not have a certificate that is signed by a

Certificate Authority, and therefore is not a trusted device.

Redirects over a secure tunnel all network traffic (all IP packets)

destined for certain private networks. Uses SSL (v1 and v2) and

TLS SSL (v3) to encrypt every packet, including any header

information. This provides a very high level of security and does

not provide anyone who gets access to the secure stream the

ability to reconstruct any useful information. Supports SSL with

compression.

Supports 196-bit TLS SSL encryption, as well as lower and higher

bit values defined in your certificate. You might prefer to lower the

encryption if performance is more important than security.

Supports all OpenSSL ciphers: CAST, CAST5, DES, Triple-DES,

IDEA, RC2, RC4, and RC5.

Supports the 802.11 optional encryption scheme, Wired

Equivalent Privacy (WEP).

Requires only one available port: 443 (by default).

Makes IP addresses either invisible or visible to accessed network

applications, by application or host. When network IP addresses

are hidden, the remote user’s VPN connection looks like a browser

session rather than an IP address and thus blocks worm traversal.

Does not touch client-side route tables.

Security

(continued)

Supports configurable host check rules to ensure that a VPN

user’s computer meets the requirements of the rule. You can

require that a connecting computer has a particular registry path,

file, and/or active process. For example, host check rules enable

you to enforce real-time checking of the presence of firewall or anti-

virus software; if a VPN user stops the firewall or anti-virus

software, the VPN tunnel is immediately frozen.

Overview

Firebox SSL VPN Gateway Administration Guide 7

N

OTE

The portal page is customizable, as described in “Customizing

VPN Portal Pages” on page 108. You can also include a link to

the clients on a website, as described in “Linking to the VPN

Clients from Your Website” on page 115.

After a successful login, the user can work with network shares

and run applications just as if the user were sitting inside of the

organization’s firewall.

The remote user does not need to do any client application

reconfiguration and works with client applications in their

native user interface.

Deployment and Administration

The Firebox SSL is fast to deploy and simple to administer. You

install the Firebox SSL in your organization’s DMZ, giving it

access to the external and internal networks. The most typical

deployment configuration is to locate the Firebox SSL behind

your firewall or to straddle the firewall. More complex deploy-

ments, such as with a server load balancer, are also supported

and described in “Deployment Options” on page 16.

The first-time that you start the Firebox SSL, you use the Fire-

box SSL Administration Tool to configure the basic settings that

Firebox SSL Overview

8 Firebox SSL VPN Gateway Administration Guide

are specific to your site, such as the Firebox SSL IP address, net-

mask, default gateway IP address, and DNS addresses. After you

complete the basic connection, you then configure the settings

specific to VPN operation, such as the options for authentica-

tion, authorization, and group-based access control, kiosk oper-

ation, host checking, portal pages, and IP pools.

All Firebox SSL administration and monitoring is performed

through the Firebox SSL Remote Admin Terminal window,

which provides access to the Administration Tool and a variety

of standard network monitoring tools, including Ethereal Net-

work Monitor, xNetTools, Traceroute, fnetload, and System

Monitor. The Firebox SSL Remote Admin Terminal window also

provides access to the Real-time Monitor, where you can view a

list of current VPN users and groups and close the VPN connec-

tion for any user or group

You will need to provide remote VPN users with the URL of the

Firebox SSL and a list of the resources that they can access.

Remote users can log in with their usual credentials and do not

need to perform any configuration of the Secure Access client or

any application clients, resulting in minimal user support.

Firebox SSL Operation

The Firebox SSL performs the following functions:

• Authentication

• Termination of encrypted sessions

• Access control (based on permissions)

• Data traffic relay (when the first three functions are met)

The Firebox SSL operates as follows:

1 A remote user obtains the Secure Access client by accessing

a secure web URL and providing authentication credentials.

2 After a successful login, the Firebox SSL establishes a secure

tunnel.

3 As the remote user attempts to access network resources

across the VPN tunnel, the Firebox SSL encrypts all network

traffic destined for the organization’s intranet and forwards

Firebox SSL Operation

Firebox SSL VPN Gateway Administration Guide 9

the packets and user credentials over an HTTPS session to

the Firebox SSL.

4 The Firebox SSL terminates the SSL tunnel and accepts any

incoming packets destined for the private network. After

fixing the packets, the Firebox SSL injects them into the

private network. The Firebox SSL sends traffic back to the

remote computer over a secure tunnel.

Those steps are detailed in the following sections:

• “Starting the Secure Access Client” on page 9

• “Establishing the Secure Tunnel” on page 10

• “Tunneling Destination Private Address Traffic over SSL or

TLS” on page 10

• “Terminating the Secure Tunnel and Returning Packets to

the Client” on page 12

Starting the Secure Access Client

A remote user obtains the Secure Access client by accessing a

secure web URL, typically the public host name of the Firebox

SSL. The Firebox SSL prompts the user for authentication over

HTTP 401 Basic or Digest. The Firebox SSL authenticates the

credentials with a corporate logon server (LDAP, RADIUS, RSA

ACE) and if the credentials are correct, finishes the handshake

with the client personal computer. This login step is required

only when the user initially downloads the Secure Access client.

If the user is behind a proxy server, the user can specify the

proxy server, and authentication credentials if required, before

logging in by right-clicking the login dialog and choosing

Advanced Options.

The Secure Access client is installed on the remote user’s com-

puter and operates at Layer 2 (between Ethernet and IP). After

the first connection, the remote user can subsequently use a

desktop shortcut to start the Secure Access client, thus bypass-

ing the portal page login step.

Enabling Single Sign-On Operation for the Secure

Access Client

If the Secure Access client is configured for single sign-on oper-

ation, it automatically starts after the user logs in to Windows.

The user’s Windows login credentials are passed to the Firebox

Firebox SSL Overview

10 Firebox SSL VPN Gateway Administration Guide

SSL for authentication. Enabling single sign-on for the Secure

Access client facilitates operations on the remote computer such

as installation scripts and automatic drive mapping.

Establishing the Secure Tunnel

Once the Secure Access client has been started, it establishes a

secure tunnel over HTTPS port 443 (or any configured port on

the Firebox SSL) and sends authentication information to vali-

date the tunnel. Once the tunnel is established, the Firebox SSL

sends configuration information to the Secure Access client

describing the networks to be secured and containing an IP

address if you enabled IP address visibility.

Tunneling Destination Private Address Traffic over

SSL or TLS

After the Secure Access client is authenticated and started, all

network traffic destined for certain private networks is captured

and redirected over the secure tunnel to the Firebox SSL.

The Firebox SSL intercepts all network connections made by the

client computer and multiplexes/tunnels them over SSL to the

Firebox SSL, where the traffic is de-multiplexed and the connec-

tions are forwarded to the correct host and port combination,

determined by the client-server application in real time. The

Secure Access client streams any dynamic port traffic over SSL

to the Firebox SSL where connections are re-established to the

server at its desired dynamic port. On both the Firebox SSL and

the Secure Access client, RTP packets are prioritized and pro-

cessed before any other packets.

The connections are subject to flexible administrative security

policies which can apply to a single application, a subset of

applications, or an entire intranet. You use the Firebox SSL

Administration Tool to specify the resources (ranges of IP

address/netmask pairs) that remote users can access through the

VPN connection.

All IP packets, regardless of protocol, are intercepted and trans-

mitted over the secure link. This functionality is what provides

IPSec equivalent functionality to the Firebox SSL. Consider TCP

connections, for example. Connections from local applications

on the client computer are securely tunneled over to the Firebox

SSL, which re-establishes the connections to the target server.

Firebox SSL Operation

Firebox SSL VPN Gateway Administration Guide 11

Target servers view connections as originating from the local

Firebox SSL on the private network, thus hiding client IP address

(reverse NAT). Hiding IP addresses adds security to source loca-

tions in B2B implementations and also secures the wireless net-

work in an organization for its users and visitors, providing a

viable alternative to WEP.

Locally, on the client computer, all connection-related traffic

(such as SYN-ACK, PUSH, ACK and FIN packets) are recreated by

the Secure Access client to appear from the private server.

Operation through NAT Firewalls and Proxies

Users of the Secure Access client will sometimes be located

inside of another organization’s firewall, as shown in the fol-

lowing illustration.

NAT firewalls maintain a NAT table that allows them to route

secure packets from the Firebox SSL back to the client com-

puter. For circuit-oriented connections, the Firebox SSL main-

tains a port-mapped, reverse NAT translation table. The reverse

NAT translation table enables the Firebox SSL to match connec-

tions and send packets back over the tunnel to the client with

Firebox SSL Overview

12 Firebox SSL VPN Gateway Administration Guide

the correct port numbers so that the packets return to the cor-

rect application.

The Firebox SSL tunnel is established using industry standard

connection establishment techniques such as HTTPS, Proxy

HTTPS, and SOCKS. This operation makes the Firebox SSL fire-

wall friendly and thus allows remote computers to access private

networks from behind other organization firewalls without cre-

ating any problems.

For example, the connection can be made via an intermediate

proxy, such as an HTTP proxy, by issuing a CONNECT HTTPS

command to the intermediate proxy. Any credentials requested

by the intermediate proxy, will be in turn obtained from the

remote user (by using single signon information or by request-

ing the information from the remote user) and presented to the

intermediate proxy server. Once the HTTPS session is estab-

lished, the payload of the session is encrypted and carries secure

packets to the Firebox SSL.

Terminating the Secure Tunnel and Returning

Packets to the Client

The Firebox SSL terminates the SSL tunnel and accepts any

incoming packets destined for the private network. If the pack-

ets meet the authorization and access control criteria, the Fire-

box SSL regenerates the packet IP headers so that they appear

to originate from the Firebox SSL’s private network IP address

range or the client-assigned private IP address. The Firebox SSL

then injects the packets into the network.

N

OTE

If you run a packet sniffer such as Ethereal on the PC where

the Secure Access client is running, you will see unencrypted

traffic that appears to be between the client and the Firebox

SSL. That unencrypted traffic, however, is not over the tunnel

between the client and the Firebox SSL but rather the tunnel

to the local applications.

The Secure Access client maintains two tunnels: an SSL

tunnel over which data is sent to the Firebox SSL (the sniffer

also detects this tunnel) and a tunnel between the client and

local applications. The encrypted data that arrives over the

SSL tunnel is then decrypted before being sent to the local

application over the second tunnel. The packet sniffer sees

Kiosk Operation

Firebox SSL VPN Gateway Administration Guide 13

the second tunnel’s traffic, which appears to be from the

Firebox SSL, after the traffic is already decrypted.

When an application client connects to its application server,

certain protocols may require that the application server in turn

attempt to create a new connection with the client. In this case,

the client sends its known local IP address to the server by

means of a custom client-server protocol. For these applications,

the Secure Access client is able to provide the local client appli-

cation a private IP address representation, which the Firebox SSL

will use on the internal network. Many real-time voice applica-

tions and FTP use this feature.

Performance and Real-time Traffic

Real-time applications, such as voice and video, are imple-

mented over UDP (since TCP is not appropriate for real-time

traffic due to the delay introduced by acknowledgements and

retransmission of lost packets). It is more important to deliver

packets in real time than to ensure that all packets are delivered.

However, with any tunneling technology over TCP, such real-

time performances cannot be met.

The Firebox SSL overcomes this issue by routing UDP packets

over the secure tunnel as special IP packets that do not require

TCP acknowledgements. Even if the packets get lost in the net-

work, there is no attempt made by either the client or the server

applications to regenerate them, so real-time (UDP like) perfor-

mance is achieved over a secure TCP-based tunnel.

Kiosk Operation

The Firebox SSL also provides secure access to a private network

from a public computer through optional kiosk operation. When

remote users indicate that they are connecting from a public

computer, the Firebox SSL opens a Virtual Network Computing

(VNC) like connection in a window.

• For computers running Windows 2000 and above, kiosk

operation is available through the Access Portal. The kiosk

link can be removed from the Access Portal on a group

basis.

Firebox SSL Overview

14 Firebox SSL VPN Gateway Administration Guide

• For computers running a JVM 1.4.2 or higher (such as

Macintosh or Windows 95/98 computers), kiosk operation is

available through a Java applet. For Macintosh, Safari is the

supported browser.

During kiosk operation, the Firebox SSL sends images only (no

data) over the VPN connection. As a result, there is no risk of

leaving temporary files or cookies on the public computer. Both

temporary files and cookies are maintained on the Firebox SSL

for the session.

As shown in the following example, the Firebox SSL kiosk dis-

play can include a web browser, several applications, and net-

work shares.

The browser defaults to a URL that is configured per group

through the Firebox SSL Administration Tool. The kiosk window

can also include one-click access to Citrix ICA, Remote Desktop,

Page is loading ...

Watchguard Firebox SSL VPN Gateway Administration Guide

Watchguard Firebox SSL VPN Gateway Administration Guide

Related papers

Other documents