Watchguard Firebox SSL VPN Gateway Administration Guide

WatchGuard® Firebox SSL VPN Gateway Administration Guide
ii Firebox SSL VPN Gateway Administration Guide
ADDRESS:
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
SUPPORT:
www.watchguard.com/support
support@watchguard.com
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
SALES:
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.521.8340
ABOUT WATCHGUARD
WatchGuard is a leading provider of network security solutions for small- to mid-sized enterprises worldwide, delivering integrated products and services that are robust as well as easy to buy, deploy and manage. The company’s Firebox X family of expandable integrated security appliances is designed to be fully upgradeable as an organization grows and to deliver the industry’s best combination of security, performance, intuitive interface and value. WatchGuard Intelligent Layered Security architecture protects against emerging threats effectively and efficiently and provides the flexibility to integrate additional security functionality and services offered through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity Service subscription to help customers stay on top of the security landscape with vulnerability alerts, software updates, expert security instruction and superior customer care. For more information, please call (206) 521-8340 or visit www.watchguard.com.
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples
herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the express written permission of
WatchGuard Technologies, Inc.
Copyright, Trademark, and Patent Information
Use of the product documented in this guide is subject to your prior acceptance of the WatchGuard End User
License Agreement applicable to this product. You will be prompted to read and accept the End User License
Agreement when you register your Firebox on the WatchGuard website.
Copyright© 2005 Citrix Systems, Inc. All rights reserved.
Copyright© 2005 WatchGuard Technologies, Inc. All rights reserved
WatchGuard, Firebox, LiveSecurity and any other word listed as a trademark in the “Terms of Use” portion of
the WatchGuard website that is used herein are registered trademarks or trademarks of WatchGuard
Technologies, Inc. in the United States and/or other countries.
Citrix is a registered trademark of Citrix Systems, Inc in the U.S.A. and other countries.
Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
All other trade names referred to are the Servicemark, Trademark, or Registered Trademark of the respective
manufacturers.
The Firebox SSL Access Gateway software is distributed with source code covered under the GNU General
Public License (GPL). To obtain source code covered under the GPL, please contact WatchGuard Technical
Support at:
877.232.3531 in the United States and Canada
+1.206.613.0456 in all other countries
This source code is free to download. There is a $35 charge to ship the CD.
See Appendix B, “Legal and Copyright Information” on page 157 of this guide for the complete text of the
GPL.
VPN Gateway Software: 4.9
Document Version: 2201-000
Contents
CHAPTER 1 Firebox SSL Overview .......................................1
Overview .........................................................................2
Feature Summary ................................................................ 4
The User Experience ............................................................ 6
Deployment and Administration ......................................... 7
Firebox SSL Operation .....................................................8
Starting the Secure Access Client ...................................... 9
Establishing the Secure Tunnel ........................................10
Tunneling Destination Private Address Traffic over SSL or TLS ..........10
Terminating the Secure Tunnel and Returning Packets to the Client ..........12
Kiosk Operation ............................................................13
Deployment Options ......................................................16
CHAPTER 2 Administering the Firebox SSL.........................17
Using the Firebox SSL Remote Admin Terminal Window ....18
To open the Remote Admin Terminal window: ................19
Using the Administration Tool .........................................21
Using the Serial Console ................................................23
To open the serial console: ...............................................23
Upgrading the Firebox SSL Software ................................23
To display the version of your installed Firebox SSL: .....24
To upgrade your Firebox SSL ............................................24
Supporting Secure Access Users ....................................25
Configuring Software Firewalls for the Secure Access Client ..........26
Generating a Secure Certificate for the Firebox SSL .........29
About Digital Certificates and Firebox SSL Operation ...31
Overview of the Certificate Signing Request ...................32
Installing the Cygwin UNIX Environment for Windows ....33
Generating a CSR ..............................................................33
Unencrypting the Private Key ..........................................34
Converting to a PEM-Formatted Certificate .....................35
Combining the Private Key with the Signed Certificate ..36
Generating Trusted Certificates for Multiple Levels .......37
Uploading a Certificate to the Firebox SSL .....................38
Blocking External Access to the Administration Portal ......39
Managing Licenses ........................................................40
Viewing and Changing the System Date and Time ............41
Managing Administrative Users .......................................42
Saving and Restoring the Configuration ...........................43
Managing VPN Connections ............................................45
About Connection Handling ..............................................46
Closing a Connection to a Resource ................................47
Disabling/Enabling a VPN User ........................................48
Restarting the Firebox SSL .............................................49
Shutting Down the Firebox SSL .......................................49
CHAPTER 3 Working with a VPN Connection .......................51
Using the Access Portal .................................................51
Connecting from a Private Computer ...............................56
Using the Secure Access Window ....................................56
Connecting from a Public Computer (Kiosk Session) ........61
Working with Shared Network Drives ...............................63
Using the Citrix Client ........................................................65
Using the Remote Desktop Client ....................................65
Using the Telnet 3270 Emulator Client ...........................67
Using the VNC Client ..........................................................68
To use the VNC client: .......................................................68
CHAPTER 4 Configuring Firebox SSL Network Connections ..71
Configuring Network Interfaces .......................................72
Specifying DNS/WINS Settings .......................................74
Configuring Routes ........................................................75
Configuring Dynamic Routing ...........................................75
Adding, Testing, and Removing a Static Route ...............77
Static Route Example ........................................................78
Configuring Failover Firebox SSLs ....................................80
CHAPTER 5 Configuring Firebox SSL Operation...................81
Configuring Authentication, Authorization, and Local Users ..........82
About the Realm Named Default .....................................84
Using a Local User List for Authentication .......................84
Using LDAP Authorization with Local Authentication .....85
Using RADIUS Servers for Authentication ........................88
To specify RADIUS server settings: ..................................89
Using LDAP Servers for Authentication and Authorization ..91
To specify LDAP server settings: ......................................92
Looking Up Attributes in your LDAP Directory .................94
Using RSA SecurID for Authentication .............................95
To generate a sdconf.rec file for the Firebox SSL: ..........96
To enable RSA SecurID authentication for the Firebox SSL: ..........97
Resetting the Node Secret ................................................99
Removing an Authentication Realm ...............................100
To remove an authentication realm: ..............................100
Adding Local Users ......................................................100
To create a user on the Firebox SSL: .............................101
To delete a user from the Firebox SSL: .........................102
Controlling Network Access ..........................................102
Specifying Accessible Networks .....................................103
Defining Network Resource Groups ...............................104
Denying Access to Groups with No ACL .........................107
Customizing VPN Portal Pages ......................................108
Downloading and Working with Portal Page Templates ..........110
Loading Custom Portal Files on the Firebox SSL .........113
Disabling Portal Page Authentication .............................114
Linking to the VPN Clients from Your Website ..............115
Configuring Host Check Rules ......................................116
Example Host Check Rules .............................................118
Configuring Network Shares for Kiosk Sessions .............119
Adding and Configuring User Groups .............................121
Configuring Resource ACLs for a User Group ...............124
Configuring Kiosk Operation for a Group ......................126
Configuring a Host Check Policy for a Group ................128
Choosing a Portal Page for a Group ...............................130
Enabling IP Pooling ..........................................................131
Setting the Priority of Groups .........................................132
Enabling Split Tunneling ...............................................134
Enabling Split DNS ......................................................135
Enabling Session Timeout ............................................136
Configuring Internal Failover .........................................137
Forcing VPN User Re-login ............................................138
Configuring Secure Access for Single Sign-on ................140
APPENDIX A Logging, Monitoring, and Troubleshooting Firebox SSL Operations ..........143
Viewing and Downloading System Message Logs ...........143
Forwarding System Messages to a Syslog Server ........145
Enabling and Viewing SNMP Logs .................................146
MRTG Example .................................................................147
Viewing System Statistics ............................................149
Monitoring Firebox SSL Operations ...............................150
Recovering from a Crash of the Firebox SSL ..................153
To reinstall the Firebox SSL server software: ................154
Troubleshooting ...........................................................154
APPENDIX B Legal and Copyright Information ....................157
CHAPTER 1 Firebox SSL Overview
The WatchGuard Firebox SSL is a network appliance that provides secure remote access to network resources and all applications, including web, client-server, and peer-to-peer such as Instant Messaging (IM), video conferencing, and real-time Voice over IP (VoIP) applications. Combining the advantages of both IP Security (IPSec) and Secure Socket Layer (SSL) Virtual Private Network (VPN) solutions, the Firebox SSL provides full, secure application access without requiring changes to applications or Domain Name Service (DNS).
The Firebox SSL gives the remote user seamless, secure access
to authorized applications and network resources. Remote
users can work with files on network drives, email, Intranet
sites, and applications just as if they were working inside of
their organization’s firewall.
The Firebox SSL also provides clientless kiosk operation, which
opens a Virtual Network Computing (VNC) like connection for
remote users who access the Firebox SSL from a non-secure
computer. Kiosk user access can include shared network drives,
a variety of built-in clients, servers running Windows Terminal
Services (Remote Desktop), VNC servers, and Citrix ICA.
The following topics provide an overview to the Firebox SSL:
“Overview” on page 2
“Feature Summary” on page 4
“The User Experience” on page 6
“Deployment and Administration” on page 7
“Firebox SSL Operation” on page 8
“Kiosk Operation” on page 13
“Deployment Options” on page 16
WatchGuard provides other network appliance products. For
information, go to http://www.watchguard.com.
Overview
The Firebox SSL installs into any network infrastructure without requiring changes to the existing hardware or back-end software. The Firebox SSL sits in front of application and web servers and works with other networking products such as firewalls, server load balancers, cache engines, routers, and IEEE 802.11 broadband wireless devices.
The Firebox SSL, installed in the corporate DMZ, participates on two networks: a private network and a public network with a publicly routable IP address. The Firebox SSL can also partition local area networks internally in the organization for access control and security between wired/wireless and data/voice networks.
As shown in the following illustration, the Firebox SSL is appropriate for employees accessing the organization remotely, Business to Business (B2B) access and transactions, and intranet access from restricted LANs such as wireless networks.
As shown in the following illustration, the Firebox SSL creates a
virtual TCP circuit between the client computer running the
WatchGuard Secure Access client and itself.
The virtual TCP circuit is encrypted using proven technologies such as SSL and Transport Layer Security (TLS). All packets destined for the private network are transported over the virtual TCP circuit. The Firebox SSL is essentially acting as a low-level packet filter with encryption. It drops traffic which does not have authentication or does not have permission for a particular network.
Feature Summary
Most of the features listed in the following table are implicitly supported through the ability of the Firebox SSL to intercept every network connection initiated on the client computer, whether TCP (connection-oriented applications) or UDP (voice and video applications). The Secure Access client forwards all IP packets over an SSL tunnel to the Firebox SSL based on dynamically determined routing policies which are transparent to the remote user. The Firebox SSL retransmits these IP packets to the intended host.
Application support
Unlike other VPN solutions, the Firebox SSL is application-agnostic. The Firebox SSL operates more like an IPSec VPN than an SSL VPN.
Supports all applications (web, client-server, peer-to-peer, and real-time) without modification to the applications or DNS.
Handles real-time traffic, such as voice (RTP/SIP), with minimal loss in performance.

Protocol support
Supports IP.
Supports PPPoE (Point-to-Point Protocol over Ethernet) and PPP.
Supports Ethernet, including 802.11, and Remote Access Service (RAS) connections, including TCP, UDP, and Internet Control Message Protocol (ICMP).

Platform support
Supports computers running Windows 2000, Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows XP Home, Windows XP Professional, and all Linux 2.4 platforms (tested extensively with RedHat). Includes a client that supports computers, such as Macintosh, running Java Virtual Machine (JVM) version 1.4.2 or higher.

Ease of use and deployment
Automatically updates the Secure Access client when a new version is available on the Firebox SSL.
The Secure Access client can go into a suspend state rather than timing out so that the connection is always available and the user does not have to repeatedly log in. The Secure Access client continues to run in memory even when the laptop or PC is disconnected from the network. This functionality ensures security over 802.11 networks without having to deploy and maintain a WEP environment.
The Secure Access client can be configured for single sign-on operation so that it starts automatically after a user logs in to Windows. A user’s Windows login credentials are passed to the Firebox SSL for authentication and then the VPN connection is automatically established without user intervention. Windows login scripts run after the VPN connection is established.
Includes the option to use the default portal pages (Access Portal), to customize easy-to-use portal page templates, or to include links to the clients directly on your website.
Provides access to remote networks that have the same numbering as the local subnet.

VPN operation
Provides users with a desktop-like network experience. Through the VPN connection, users can:
Map network drives just as they would from their in-office computer.
Work with client applications, such as Microsoft Outlook or any other application, in their native user interface. The remote user does not need to do any client application reconfiguration.
VPN users can seamlessly access the Firebox SSL even if they are behind another organization’s firewall.

Kiosk operation
Provides, on a group basis, access to a private network from public computers.
Sends images, not data, to the kiosk. Because no temporary files or cookies are downloaded to the remote computer, there is no risk of files remaining after the session.
Opens a VNC-like window that is configurable by group. Optional components include a Mozilla browser window with a configurable default URL, network shares, and icons that provide one-click access to Remote Desktop, VNC, Telnet 3270 emulator, SSH, and Citrix ICA clients.

Performance
Supports up to 205 tunnels.
Provides throughput of 75 MB per second.

Authentication, authorization, and access control
Supports HTTP 401 Basic, Digest, and Windows Domain Authentication and RADIUS, LDAP, and RSA SecurID authentication servers. User accounts can also be defined on the Firebox SSL.
Supports realm-based authentication so that a single Firebox SSL can be used with multiple authentication servers.
Supports LDAP or local user group authorization.
Provides access control through the association of resources to user groups.
Security
Supports digital certificates in Privacy Enhanced Mail (PEM) format that include a private key. Notifies VPN users if the Firebox SSL to which they connect does not have a certificate that is signed by a Certificate Authority, and therefore is not a trusted device.
Redirects over a secure tunnel all network traffic (all IP packets) destined for certain private networks. Uses SSL (v1 and v2) and TLS SSL (v3) to encrypt every packet, including any header information. This provides a very high level of security and does not provide anyone who gets access to the secure stream the ability to reconstruct any useful information. Supports SSL with compression.
Supports 196-bit TLS SSL encryption, as well as lower and higher bit values defined in your certificate. You might prefer to lower the encryption if performance is more important than security.
Supports all OpenSSL ciphers: CAST, CAST5, DES, Triple-DES, IDEA, RC2, RC4, and RC5.
Supports the 802.11 optional encryption scheme, Wired Equivalent Privacy (WEP).
Requires only one available port: 443 (by default).
Makes IP addresses either invisible or visible to accessed network applications, by application or host. When network IP addresses are hidden, the remote user’s VPN connection looks like a browser session rather than an IP address and thus blocks worm traversal.
Does not touch client-side route tables.
Supports configurable host check rules to ensure that a VPN user’s computer meets the requirements of the rule. You can require that a connecting computer has a particular registry path, file, and/or active process. For example, host check rules enable you to enforce real-time checking of the presence of firewall or anti-virus software; if a VPN user stops the firewall or anti-virus software, the VPN tunnel is immediately frozen.

The User Experience
The Firebox SSL provides users with the desktop-like network experience that they have with an IPSec VPN, but does so without any need to configure a client. The user starts the Secure Access client by accessing a secure web URL through a standard web browser, and then providing authentication credentials.
Because the Firebox SSL traverses all ports of firewalls, remote users can access the Firebox SSL regardless of their location. For a more detailed description of the user experience, see “Connecting from a Private Computer” on page 56.
The following illustration shows the default Windows version of the Access Portal.
NOTE
The portal page is customizable, as described in “Customizing VPN Portal Pages” on page 108. You can also include a link to the clients on a website, as described in “Linking to the VPN Clients from Your Website” on page 115.
After a successful login, the user can work with network shares and run applications just as if the user were sitting inside of the organization’s firewall.
The remote user does not need to do any client application reconfiguration and works with client applications in their native user interface.
Deployment and Administration
The Firebox SSL is fast to deploy and simple to administer. You install the Firebox SSL in your organization’s DMZ, giving it access to the external and internal networks. The most typical deployment configuration is to locate the Firebox SSL behind your firewall or to straddle the firewall. More complex deployments, such as with a server load balancer, are also supported and described in “Deployment Options” on page 16.
The first time that you start the Firebox SSL, you use the Firebox SSL Administration Tool to configure the basic settings that are specific to your site, such as the Firebox SSL IP address, netmask, default gateway IP address, and DNS addresses. After you complete the basic connection, you then configure the settings specific to VPN operation, such as the options for authentication, authorization, and group-based access control, kiosk operation, host checking, portal pages, and IP pools.
All Firebox SSL administration and monitoring is performed through the Firebox SSL Remote Admin Terminal window, which provides access to the Administration Tool and a variety of standard network monitoring tools, including Ethereal Network Monitor, xNetTools, Traceroute, fnetload, and System Monitor. The Firebox SSL Remote Admin Terminal window also provides access to the Real-time Monitor, where you can view a list of current VPN users and groups and close the VPN connection for any user or group.
You will need to provide remote VPN users with the URL of the
Firebox SSL and a list of the resources that they can access.
Remote users can log in with their usual credentials and do not
need to perform any configuration of the Secure Access client or
any application clients, resulting in minimal user support.
Firebox SSL Operation
The Firebox SSL performs the following functions:
Authentication
Termination of encrypted sessions
Access control (based on permissions)
Data traffic relay (when the first three functions are met)
The Firebox SSL operates as follows:
1 A remote user obtains the Secure Access client by accessing
a secure web URL and providing authentication credentials.
2 After a successful login, the Firebox SSL establishes a secure
tunnel.
3 As the remote user attempts to access network resources across the VPN tunnel, the Firebox SSL encrypts all network traffic destined for the organization’s intranet and forwards the packets and user credentials over an HTTPS session to the Firebox SSL.
4 The Firebox SSL terminates the SSL tunnel and accepts any
incoming packets destined for the private network. After
fixing the packets, the Firebox SSL injects them into the
private network. The Firebox SSL sends traffic back to the
remote computer over a secure tunnel.
Those steps are detailed in the following sections:
“Starting the Secure Access Client” on page 9
“Establishing the Secure Tunnel” on page 10
“Tunneling Destination Private Address Traffic over SSL or TLS” on page 10
“Terminating the Secure Tunnel and Returning Packets to the Client” on page 12
Starting the Secure Access Client
A remote user obtains the Secure Access client by accessing a
secure web URL, typically the public host name of the Firebox
SSL. The Firebox SSL prompts the user for authentication over
HTTP 401 Basic or Digest. The Firebox SSL authenticates the
credentials with a corporate logon server (LDAP, RADIUS, RSA
ACE) and if the credentials are correct, finishes the handshake
with the client personal computer. This login step is required
only when the user initially downloads the Secure Access client.
If the user is behind a proxy server, the user can specify the
proxy server, and authentication credentials if required, before
logging in by right-clicking the login dialog and choosing
Advanced Options.
The Secure Access client is installed on the remote user’s computer and operates at Layer 2 (between Ethernet and IP). After the first connection, the remote user can subsequently use a desktop shortcut to start the Secure Access client, thus bypassing the portal page login step.
Enabling Single Sign-On Operation for the Secure Access Client
If the Secure Access client is configured for single sign-on operation, it automatically starts after the user logs in to Windows. The user’s Windows login credentials are passed to the Firebox SSL for authentication. Enabling single sign-on for the Secure Access client facilitates operations on the remote computer such as installation scripts and automatic drive mapping.
Establishing the Secure Tunnel
Once the Secure Access client has been started, it establishes a secure tunnel over HTTPS port 443 (or any configured port on the Firebox SSL) and sends authentication information to validate the tunnel. Once the tunnel is established, the Firebox SSL sends configuration information to the Secure Access client describing the networks to be secured and containing an IP address if you enabled IP address visibility.
Tunneling Destination Private Address Traffic over SSL or TLS
After the Secure Access client is authenticated and started, all network traffic destined for certain private networks is captured and redirected over the secure tunnel to the Firebox SSL.
The Firebox SSL intercepts all network connections made by the client computer and multiplexes/tunnels them over SSL to the Firebox SSL, where the traffic is de-multiplexed and the connections are forwarded to the correct host and port combination, determined by the client-server application in real time. The Secure Access client streams any dynamic port traffic over SSL to the Firebox SSL where connections are re-established to the server at its desired dynamic port. On both the Firebox SSL and the Secure Access client, RTP packets are prioritized and processed before any other packets.
The connections are subject to flexible administrative security
policies which can apply to a single application, a subset of
applications, or an entire intranet. You use the Firebox SSL
Administration Tool to specify the resources (ranges of IP
address/netmask pairs) that remote users can access through the
VPN connection.
All IP packets, regardless of protocol, are intercepted and transmitted over the secure link. This functionality is what provides IPSec equivalent functionality to the Firebox SSL. Consider TCP connections, for example. Connections from local applications on the client computer are securely tunneled over to the Firebox SSL, which re-establishes the connections to the target server. Target servers view connections as originating from the local Firebox SSL on the private network, thus hiding the client IP address (reverse NAT). Hiding IP addresses adds security to source locations in B2B implementations and also secures the wireless network in an organization for its users and visitors, providing a viable alternative to WEP.
Locally, on the client computer, all connection-related traffic (such as SYN-ACK, PUSH, ACK and FIN packets) is recreated by the Secure Access client to appear to come from the private server.
Operation through NAT Firewalls and Proxies
Users of the Secure Access client will sometimes be located inside of another organization’s firewall, as shown in the following illustration.
NAT firewalls maintain a NAT table that allows them to route secure packets from the Firebox SSL back to the client computer. For circuit-oriented connections, the Firebox SSL maintains a port-mapped, reverse NAT translation table. The reverse NAT translation table enables the Firebox SSL to match connections and send packets back over the tunnel to the client with the correct port numbers so that the packets return to the correct application.
The Firebox SSL tunnel is established using industry standard connection establishment techniques such as HTTPS, Proxy HTTPS, and SOCKS. This operation makes the Firebox SSL firewall friendly and thus allows remote computers to access private networks from behind other organization firewalls without creating any problems.
For example, the connection can be made via an intermediate proxy, such as an HTTP proxy, by issuing a CONNECT HTTPS command to the intermediate proxy. Any credentials requested by the intermediate proxy are in turn obtained from the remote user (by using single sign-on information or by requesting the information from the remote user) and presented to the intermediate proxy server. Once the HTTPS session is established, the payload of the session is encrypted and carries secure packets to the Firebox SSL.
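The CONNECT exchange just described, as an added example that is not part of this guide or of WatchGuard’s software: the client’s first attempt, the proxy’s 407 challenge, and the retry carrying the credentials obtained from the remote user. The proxy here is a constructed stand-in that accepts Basic credentials, and the gateway host name is assumed.

```python
"""Message-level walk-through of the CONNECT exchange described above.
A stand-in proxy that demands Basic credentials (constructed for this
example) is driven through the client's two attempts; the request and
response bytes are the ones that would cross the wire to a real proxy."""
import base64

GATEWAY = "vpn.example.com"   # assumed public host name of the Firebox SSL
PORT = 443                    # the one port the gateway needs, per the text


def connect_request(host, port, credentials=None):
    """Build the CONNECT request the client sends to the intermediate proxy.
    credentials is a (user, password) pair obtained from the remote user,
    or None on the first attempt."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if credentials is not None:
        token = base64.b64encode(f"{credentials[0]}:{credentials[1]}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_headers(header_lines):
    """Header names are case-insensitive; normalise them to lower case."""
    headers = {}
    for line in header_lines:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_response(raw):
    """Return (status code, headers) from the proxy's response bytes."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode().split("\r\n")
    code = int(status_line.split(" ", 2)[1])
    return code, parse_headers(header_lines)


class StandInProxy:
    """Constructed proxy: opens a tunnel only for CONNECT requests that
    carry valid Basic credentials, otherwise answers 407 with a challenge."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # user -> password

    def handle(self, raw):
        request_line, *header_lines = raw.decode().split("\r\n")
        method = request_line.split(" ")[0]
        if method != "CONNECT":
            return b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
        auth = parse_headers(header_lines).get("proxy-authorization", "")
        if auth.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            except ValueError:      # malformed token (binascii.Error is a ValueError)
                user, pw = None, None
            if user in self.users and self.users[user] == pw:
                return b"HTTP/1.1 200 Connection established\r\n\r\n"
        return (f"HTTP/1.1 407 Proxy Authentication Required\r\n"
                f'Proxy-Authenticate: Basic realm="{self.realm}"\r\n\r\n').encode()


def establish_through_proxy(proxy, ask_user):
    """Client side: first try without credentials; if the proxy challenges,
    obtain credentials once (ask_user stands in for single sign-on data or
    a prompt) and retry. Returns ([(request bytes, status), ...], success)."""
    transcript, creds = [], None
    for _ in range(2):
        req = connect_request(GATEWAY, PORT, creds)
        code, headers = parse_response(proxy.handle(req))
        transcript.append((req, code))
        if code == 200:
            return transcript, True
        challenge = headers.get("proxy-authenticate", "")
        if code == 407 and creds is None and challenge.startswith("Basic"):
            creds = ask_user()
            continue
        break
    return transcript, False


def demo(password):
    """Run the exchange against a constructed proxy that knows user/pass."""
    proxy = StandInProxy("corp-proxy", {"user": "pass"})
    transcript, ok = establish_through_proxy(proxy, lambda: ("user", password))
    return [code for _, code in transcript], ok, transcript[-1][0]


if __name__ == "__main__":
    print(demo("pass"))       # ([407, 200], True, <retry carrying Proxy-Authorization>)
    print(demo("wrong"))      # ([407, 407], False, ...)
```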
Terminating the Secure Tunnel and Returning
Packets to the Client
The Firebox SSL terminates the SSL tunnel and accepts any incoming packets destined for the private network. If the packets meet the authorization and access control criteria, the Firebox SSL regenerates the packet IP headers so that they appear to originate from the Firebox SSL's private network IP address range or the client-assigned private IP address. The Firebox SSL then injects the packets into the network.
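A port-mapped reverse NAT translation table of the kind described in the two passages above (matching connections so replies return to the right client port, and rewriting headers to the gateway's private address after an access control check), as an added illustration that is not WatchGuard's code. The packet layout, the per-group allowed-destination policy, the port range and all sample addresses are constructed assumptions.

```python
"""Port-mapped reverse NAT table: tunnel side -> private network and back.
Constructed illustration; addresses, policy and names are assumptions."""
import ipaddress
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ReverseNatTable:
    """Maps (client, client port, destination) to a gateway port and back."""

    def __init__(self, gateway_ip, allowed_dst_nets, first_port=40000):
        self.gateway_ip = gateway_ip
        self.allowed = [ipaddress.ip_network(n) for n in allowed_dst_nets]
        self._ports = itertools.count(first_port)   # assumed port pool
        self.outbound = {}   # (client, src_port, dst_ip, dst_port) -> gw_port
        self.inbound = {}    # gw_port -> (client, src_ip, src_port, dst_ip, dst_port)

    def from_tunnel(self, client_id, pkt):
        """Packet decrypted from a client's SSL tunnel. Returns the packet to
        inject into the private network, or None if access control rejects it."""
        if not any(ipaddress.ip_address(pkt.dst_ip) in n for n in self.allowed):
            return None                                  # policy: drop
        key = (client_id, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        gw_port = self.outbound.get(key)
        if gw_port is None:                              # new connection
            gw_port = next(self._ports)
            self.outbound[key] = gw_port
            self.inbound[gw_port] = (client_id, pkt.src_ip, pkt.src_port,
                                     pkt.dst_ip, pkt.dst_port)
        # header regenerated: source becomes the gateway's private address
        return replace(pkt, src_ip=self.gateway_ip, src_port=gw_port)

    def from_private_net(self, pkt):
        """Reply from a private server. Returns (client_id, packet restored to
        the client's own address and port) or None if nothing matches. The
        reply must come from the server the mapping was created for."""
        if pkt.dst_ip != self.gateway_ip:
            return None
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None
        client_id, client_ip, client_port, server_ip, server_port = entry
        if (pkt.src_ip, pkt.src_port) != (server_ip, server_port):
            return None                                  # stray or spoofed
        return client_id, replace(pkt, dst_ip=client_ip, dst_port=client_port)
```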
NOTE
If you run a packet sniffer such as Ethereal on the PC where the Secure Access client is running, you will see unencrypted traffic that appears to be between the client and the Firebox SSL. That unencrypted traffic, however, is not over the tunnel between the client and the Firebox SSL but rather the tunnel to the local applications.
The Secure Access client maintains two tunnels: an SSL tunnel over which data is sent to the Firebox SSL (the sniffer also detects this tunnel) and a tunnel between the client and local applications. The encrypted data that arrives over the SSL tunnel is then decrypted before being sent to the local application over the second tunnel. The packet sniffer sees the second tunnel's traffic, which appears to be from the Firebox SSL, after the traffic is already decrypted.
When an application client connects to its application server, certain protocols may require that the application server in turn attempt to create a new connection with the client. In this case, the client sends its known local IP address to the server by means of a custom client-server protocol. For these applications, the Secure Access client is able to provide the local client application a private IP address representation, which the Firebox SSL will use on the internal network. Many real-time voice applications and FTP use this feature.
Performance and Real-time Traffic
Real-time applications, such as voice and video, are implemented over UDP, since TCP is not appropriate for real-time traffic due to the delay introduced by acknowledgements and retransmission of lost packets. It is more important to deliver packets in real time than to ensure that all packets are delivered. However, with any tunneling technology over TCP, such real-time performance cannot be achieved.
The Firebox SSL overcomes this issue by routing UDP packets over the secure tunnel as special IP packets that do not require TCP acknowledgements. Even if the packets get lost in the network, there is no attempt made by either the client or the server applications to regenerate them, so real-time (UDP-like) performance is achieved over a secure TCP-based tunnel.
Kiosk Operation
The Firebox SSL also provides secure access to a private network from a public computer through optional kiosk operation. When remote users indicate that they are connecting from a public computer, the Firebox SSL opens a Virtual Network Computing (VNC)-like connection in a window.
For computers running Windows 2000 and above, kiosk operation is available through the Access Portal. The kiosk link can be removed from the Access Portal on a group basis.
For computers running a JVM 1.4.2 or higher (such as Macintosh or Windows 95/98 computers), kiosk operation is available through a Java applet. For Macintosh, Safari is the supported browser.
During kiosk operation, the Firebox SSL sends images only (no data) over the VPN connection. As a result, there is no risk of leaving temporary files or cookies on the public computer. Both temporary files and cookies are maintained on the Firebox SSL for the session.
As shown in the following example, the Firebox SSL kiosk display can include a web browser, several applications, and network shares.
The browser defaults to a URL that is configured per group through the Firebox SSL Administration Tool. The kiosk window can also include one-click access to Citrix ICA, Remote Desktop,