Chapter 7: Managing Users, Authentication, and Certificates | 121
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
2. Click Add. The Add User screen is displayed.
3. Configure the following fields:
   a. User Name. Enter a unique identifier, using any alphanumeric characters.
   b. User Type. Select either Administrator, SSL VPN User, or IPsec VPN User.
   c. Select Group. Select from a list of configured groups. The user will be associated with the domain that is associated with that group.
   d. Password/Confirm Password. The password can contain alphanumeric characters, dash, and underscore.
   e. Idle Timeout. For an Administrator, this is the period after which an idle user will be automatically logged out of the Web Configuration Manager.
4. Click Apply to save and apply your entries. The new user appears in the List of Users table.
Setting User Login Policies

You can restrict the ability of defined users to log into the Web Configuration Manager. You can also require or prohibit logging in from certain IP addresses or using particular browsers.

To configure user login policies:

1. In the Action column in the List of Users table, click Policies adjacent to the user policy you want to configure. The Login Policies screen is displayed.
2. To prohibit this user from logging in to the VPN firewall, select the Disable Login checkbox.
3. To prohibit this user from logging in from the WAN interface, select the Deny Login from WAN Interface checkbox. In this case, the user can log in only from the LAN interface.

   Note: For security reasons, Deny Login from WAN Interface is checked by default for admin and guest.

4. Click Apply to save your settings.
To restrict logging in based on IP address:

1. In the Action column of the List of Users table, click Policies adjacent to the user policy you want to configure. The Login Policies screen is displayed.
2. Select the by Source IP Address tab. The by Source IP Address screen is displayed.
3. In the Defined Addresses Status section, select one of the following radio boxes:
   - The Deny Login from Defined Addresses radio box to deny logging in from the IP addresses that you will specify.
   - The Allow Login only from Defined Addresses radio box to allow logging in from the IP addresses that you will specify.
4. Click Apply.
5. To specify a single IP address, select IP Address from the Source Address Type drop-down list and enter the IP address in the Network Address/IP address field.
6. To specify a subnet of IP addresses, select IP Network from the Source Address Type drop-down list. Enter the network address and netmask length in the Network Address/IP address field.
7. Click Add to move the defined address to the Defined Addresses table.
8. Repeat these steps to add additional addresses or subnets.
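The semantics of the login policy settings described in the two procedures above (Disable Login, Deny Login from WAN Interface, and the deny-list versus allow-only modes of the Defined Addresses table) are easy to get backwards. The following is an added example, not NETGEAR code; the LoginPolicy class and its field names are a hypothetical model of those settings, and the addresses are constructed sample data.

```python
# Added example (not NETGEAR's code): evaluate a user's login policy as the manual
# describes it. Disable Login refuses every login; Deny Login from WAN Interface
# leaves only the LAN interface; the Defined Addresses table acts as a deny list
# (default allow) or, in allow-only mode, as an allow list (default deny).
import ipaddress

class LoginPolicy:
    """Hypothetical model of one user's Login Policies screen."""

    def __init__(self, disable_login=False, deny_from_wan=True,
                 allow_only_defined=False, defined=()):
        self.disable_login = disable_login
        self.deny_from_wan = deny_from_wan  # checked by default for admin and guest
        # False = "Deny Login from Defined Addresses", True = "Allow Login only from ..."
        self.allow_only_defined = allow_only_defined
        # Entries are an IP Address ("192.0.2.10") or an IP Network ("192.0.2.0/24").
        self.defined = [ipaddress.ip_network(d, strict=False) for d in defined]

    def _is_defined(self, src):
        return any(src in net for net in self.defined)

    def permits(self, source_ip, interface):
        """Return (allowed, reason) for a login from source_ip via 'LAN' or 'WAN'."""
        if self.disable_login:
            return False, "Disable Login is set"
        if interface == "WAN" and self.deny_from_wan:
            return False, "Deny Login from WAN Interface is set"
        src = ipaddress.ip_address(source_ip)
        defined = self._is_defined(src)
        if self.allow_only_defined and not defined:
            return False, "source not in Defined Addresses (allow-only mode)"
        if not self.allow_only_defined and defined:
            return False, "source is in Defined Addresses (deny mode)"
        return True, "permitted"

# Constructed sample: an admin allowed only from the management subnet and one host.
ADMIN_POLICY = LoginPolicy(allow_only_defined=True,
                           defined=["192.0.2.0/24", "198.51.100.7"])
```

Note that in allow-only mode an empty Defined Addresses table denies every login, while in deny mode an empty table permits every login.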
To restrict logging in based on the user’s browser:

1. In the Action column of the List of Users table, click Policies adjacent to the user policy you want to configure. The Login Policies screen is displayed.
2. Select the by Client Browser tab. The by Client Browser screen is displayed.
3. In the Defined Browsers Status section, select one of the following radio boxes:
   - The Deny Login from Defined Browsers radio box to deny logging in from browsers that you will specify.
   - The Allow Login only from Defined Browsers radio box to allow logging in from browsers that you will specify.
4. In the Add Defined Browser section, select a browser from the Client Browser drop-down list and click Add to move the defined browser to the Defined Browsers table.
5. Repeat these steps to add additional browsers, then click Apply to save your changes.
Changing Passwords and Other User Settings

For any user, you can change the password, user type, and idle timeout settings. Only administrators have read/write access. All other users have read-only access. The default password for the VPN firewall’s Web Configuration Manager is password.

To modify user settings, including administrative user settings:

1. Select Users > Users from the menu. The Users screen is displayed (see Figure 2 on page 118).
2. In the Action column of the List of Users table, click Edit for the user whose settings you want to modify. The Edit User screen is displayed.
3. Configure the following fields:
   a. Select User Type. From the drop-down list, select one of the pre-defined user types that determines the access credentials:
      - Administrator. User who has full access and the capacity to change the VPN firewall’s configuration (that is, read/write access).
      - SSL VPN User. User who can only log in to the SSL VPN portal.
      - IPsec VPN User. User who can only make an IPsec VPN connection via a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see “Configuring Extended Authentication (XAUTH)” on page 86).
      - Guest User. User who can only view the VPN firewall’s configuration (that is, read-only access).
   b. Check to Edit Password. Select this checkbox to make the password fields accessible so that you can modify the password. Change the password by first entering the old password, and then entering the new password twice.
   c. Idle Timeout. Change the idle logout time to the number of minutes you require. The default is 5 minutes.
4. Click Apply to save your settings or Cancel to return to your previous settings.

   Note: The password and time-out value you enter will be changed back to password and 10 minutes, respectively, after a factory defaults reset.
Managing Certificates

The VPN firewall uses Digital Certificates (also known as X509 Certificates) during the Internet Key Exchange (IKE) authentication phase to authenticate connecting VPN gateways or clients, or to be authenticated by remote entities. The same Digital Certificates are extended for secure web access connections over HTTPS.

Digital Certificates can be either self signed or issued by Certification Authorities (CA), such as an in-house Windows server or an external organization such as Verisign or Thawte.

However, if a Digital Certificate contains the extKeyUsage extension, then the certificate must be used for one of the purposes defined by the extension. For example, if the Digital Certificate contains the extKeyUsage extension defined to SNMPV2, then the same certificate cannot be used for secure web management.

The extKeyUsage governs the certificate acceptance criteria in the VPN firewall when the same digital certificate is being used for secure web management.

In the VPN firewall, the uploaded digital certificate is checked for validity, and the purpose of the certificate is also verified. Upon passing the validity test, and if the purpose matches its use (it has to be SSL and VPN), the digital certificate is accepted. The additional check on the purpose of the uploaded digital certificate requires that it correspond to use for VPN and secure web remote management via HTTPS. If the purpose defined is for VPN and HTTPS, then the certificate is uploaded to the HTTPS certificate repository as well as to the VPN certificate repository. If the purpose defined is only for VPN, then the certificate is uploaded only to the VPN certificate repository. Thus, the certificates used by HTTPS and IPsec will be different if their purpose is not defined to be both VPN and HTTPS.
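The purpose check above turns on the key-purpose identifiers carried in the extKeyUsage extension. The following added example (not NETGEAR code, and not the firewall's actual upload logic) decodes the DER-encoded extension value and applies the repository rule the manual describes; the key-purpose OIDs are the standard ones from RFC 5280 and RFC 4945, and the sample extension values are constructed.

```python
# Added example (not NETGEAR's code): decode an X.509 extKeyUsage value and apply the
# manual's rule: serverAuth admits a certificate to the HTTPS repository, an IPsec/IKE
# purpose admits it to the VPN repository; no extension means unrestricted (RFC 5280/4945 OIDs).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
IPSEC_PURPOSES = {"1.3.6.1.5.5.7.3.5", "1.3.6.1.5.5.7.3.6",   # ipsecEndSystem, ipsecTunnel
                  "1.3.6.1.5.5.7.3.7", "1.3.6.1.5.5.7.3.17"}  # ipsecUser, ipsecIKE

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Convert OBJECT IDENTIFIER content octets to dotted-decimal text."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last base-128 octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def parse_ext_key_usage(der):
    """Decode ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId into a list of OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(_decode_oid(value))
    return oids

def accepted_repositories(eku_der):
    """Repositories ('HTTPS', 'VPN') that accept the certificate; None = no EKU present."""
    if eku_der is None:
        return {"HTTPS", "VPN"}
    purposes = set(parse_ext_key_usage(eku_der))
    repos = {"HTTPS"} if SERVER_AUTH in purposes else set()
    if purposes & IPSEC_PURPOSES:
        repos.add("VPN")
    return repos

# Constructed sample extKeyUsage values (DER), not captured from a real device.
EKU_HTTPS_AND_VPN = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070311")
EKU_VPN_ONLY = bytes.fromhex("300a" "06082b06010505070311")
```

A certificate whose extKeyUsage lists a purpose outside both sets (the manual's SNMP example) yields an empty result and is accepted into neither repository.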
The VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities. A certificate that authenticates a server, for example, is a file that contains:

- A public encryption key to be used by clients for encrypting messages to the server.
- Information identifying the operator of the server.
- A digital signature confirming the identity of the operator of the server. Ideally, the signature is from a trusted third party whose identity can be verified absolutely.

You can obtain a certificate from a well-known commercial Certificate Authority (CA) such as Verisign or Thawte, or you can generate and sign your own certificate. Because a commercial CA takes steps to verify the identity of an applicant, a certificate from a commercial CA provides a strong assurance of the server’s identity. A self-signed certificate will trigger a warning from most browsers as it provides no protection against identity theft of the server.

Your VPN firewall contains a self-signed certificate from NETGEAR. We recommend that you replace this certificate prior to deploying the VPN firewall in your network.

From the Certificates screen, you can view the currently loaded certificates, upload a new certificate, and generate a Certificate Signing Request (CSR). Your VPN firewall will typically hold two types of certificates:

- CA certificate. Each CA issues its own CA identity certificate in order to validate communication with the CA and to verify the validity of certificates signed by the CA.
- Self certificate. The certificate issued to you by a CA identifying your device.