Manage Users, Authentication, and VPN Certificates (page 316)
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
Figure 209.
5. In the Defined Addresses Status section of the screen, select one of the following radio buttons:
   - Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table.
   - Allow Login only from Defined Addresses. Allow logging in only from the IP addresses in the Defined Addresses table.
6. Click Apply to save your settings.
7. In the Add Defined Addresses section of the screen, add an address to the Defined Addresses table by entering the settings as described in the following table.
8. Click the Add table button. The address is added to the Defined Addresses table.
9. Repeat Step 7 and Step 8 for any other addresses that you want to add to the Defined Addresses table.
Table 80. Defined addresses settings for IPv6

Setting                        Description
Source Address Type            Select the type of address from the drop-down list:
                               - IP Address. A single IPv6 address.
                               - IP Network. A subnet of IPv6 addresses. You need to enter a prefix length in the Prefix Length field.
Network Address / IP Address   Depending on your selection from the Source Address Type drop-down list, enter the IP address or the network address.
Prefix Length                  For a network address, enter the prefix length (0–64).
                               Note: By default, a single IPv6 address is assigned a prefix length of 64. A prefix length of 64 matches every address in that /64 subnet, not only the single host, so check the entry in the Defined Addresses table after you add it.
To delete one or more IPv6 addresses:
1. In the Defined Addresses table, select the check box to the left of each address that you want to delete, or click the Select All table button to select all addresses.
2. Click the Delete table button.
Configure Login Restrictions Based on Web Browser

To restrict logging in based on the user's browser:
1. Select Users > Users. The Users screen displays (see Figure 205 on page 311).
2. In the Action column of the List of Users table, click the Policies table button for the user for which you want to set login policies. The policies submenu tabs display, with the Login Policies screen in view.
3. Click the By Client Browser submenu tab. The By Client Browser screen displays. (The following figure shows a browser in the Defined Browsers table as an example.)
Figure 210.
4. In the Defined Browsers Status section of the screen, select one of the following radio buttons:
   - Deny Login from Defined Browsers. Deny logging in from the browsers in the Defined Browsers table.
   - Allow Login only from Defined Browsers. Allow logging in only from the browsers in the Defined Browsers table.
5. Click Apply to save your settings.
6. In the Add Defined Browser section of the screen, add a browser to the Defined Browsers table by selecting one of the following browsers from the drop-down list:
   - Internet Explorer.
   - Opera.
   - Netscape Navigator.
   - Firefox. Mozilla Firefox.
   - Mozilla. Other Mozilla browsers.
7. Click the Add table button. The browser is added to the Defined Browsers table.
8. Repeat Step 6 and Step 7 for any other browsers that you want to add to the Defined Browsers table.
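The two login policies described above (By Client IPv6 Address, Table 80, and By Client Browser) are easiest to reason about as code. The following is an added example, not NETGEAR firmware code: it applies the Deny / Allow-only radio-button semantics to a client's IPv6 address and to its browser family. It assumes the browser check keys on the User-Agent request header (the page does not say how the firewall identifies the browser), and it uses a constructed Defined Addresses table and Defined Browsers table.

```python
"""Login-policy evaluation, added example (not NETGEAR code).

Models the By Client IPv6 Address policy (Table 80) and the By Client Browser
policy. The browser policy is assumed to key on the User-Agent header; the
firewall's internal matching rules are not documented on this page.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed Defined Addresses rows: (Source Address Type, address, prefix length).
# "IP Address" rows carry no prefix length; "IP Network" rows do (Table 80).
DEFINED_ADDRESSES = [
    ("IP Address", "2001:db8:10::25", None),
    ("IP Network", "2001:db8:20::", 48),
]

# Constructed Defined Browsers table.
DEFINED_BROWSERS = ["Firefox", "Internet Explorer"]

DENY_FROM_DEFINED = "deny"          # "Deny Login from Defined ..."
ALLOW_ONLY_FROM_DEFINED = "allow"   # "Allow Login only from Defined ..."


def defined_networks(entries, single_address_prefix=128):
    """Turn table rows into ip_network objects.

    single_address_prefix models the note under Table 80 that a single IPv6
    address is assigned a prefix length of 64 by default: pass 64 to see how
    such an entry matches every host on that /64, or 128 to match one host.
    """
    nets = []
    for kind, addr, plen in entries:
        if kind == "IP Address":
            plen = single_address_prefix
        elif kind != "IP Network":
            raise ValueError(f"unknown Source Address Type: {kind}")
        # strict=False clears host bits: "2001:db8:10::25/64" -> 2001:db8:10::/64
        nets.append(ip_network(f"{addr}/{plen}", strict=False))
    return nets


def _decide(listed, mode):
    """Apply the radio-button semantics to an 'is the client in the table' result."""
    if mode == DENY_FROM_DEFINED:
        return not listed
    if mode == ALLOW_ONLY_FROM_DEFINED:
        return listed
    raise ValueError(f"unknown mode: {mode}")


def login_allowed_by_address(client_ip, entries, mode, single_address_prefix=128):
    ip = ip_address(client_ip)
    if ip.version != 6:
        raise ValueError("this policy screen holds IPv6 entries only")
    listed = any(ip in net for net in defined_networks(entries, single_address_prefix))
    return _decide(listed, mode)


# Order matters: older Opera builds advertised "MSIE", and almost every modern
# User-Agent begins with "Mozilla/", so the generic Mozilla family goes last.
BROWSER_PATTERNS = [
    ("Opera", re.compile(r"\bOpera\b|\bOPR/")),
    ("Internet Explorer", re.compile(r"\bMSIE\b|\bTrident/")),
    ("Netscape Navigator", re.compile(r"\bNetscape\b")),
    ("Firefox", re.compile(r"\bFirefox/")),
    ("Mozilla", re.compile(r"^Mozilla/")),
]


def classify_browser(user_agent):
    """Map a User-Agent string onto the drop-down list's browser families."""
    for name, pattern in BROWSER_PATTERNS:
        if pattern.search(user_agent):
            return name
    return "Unknown"


def login_allowed_by_browser(user_agent, defined_browsers, mode):
    listed = classify_browser(user_agent) in set(defined_browsers)
    return _decide(listed, mode)


if __name__ == "__main__":
    ua_firefox = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"
    ua_curl = "curl/8.4.0"
    print(login_allowed_by_address("2001:db8:10::26", DEFINED_ADDRESSES, ALLOW_ONLY_FROM_DEFINED))
    print(login_allowed_by_address("2001:db8:10::26", DEFINED_ADDRESSES, ALLOW_ONLY_FROM_DEFINED, 64))
    print(login_allowed_by_browser(ua_firefox, DEFINED_BROWSERS, DENY_FROM_DEFINED))
    print(login_allowed_by_browser(ua_curl, DEFINED_BROWSERS, DENY_FROM_DEFINED))
```

Two points the run makes visible. With a single address stored at prefix length 64 (the default noted under Table 80), 2001:db8:10::26 passes an Allow-only policy that was meant for 2001:db8:10::25 alone. And a client that sends no recognizable User-Agent, or copies Firefox's, is not held back by a browser deny list, because the header is chosen by the client. Treat the browser policy as a convenience control and rely on the address policy, the VPN, and strong passwords for access control.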
To delete one or more browsers:
1. In the Defined Browsers table, select the check box to the left of each browser that you want to delete, or click the Select All table button to select all browsers.
2. Click the Delete table button.
Change Passwords and Other User Settings

For any user, you can change the password, user type, and idle time-out settings. Only administrators have read/write access. All other users have read-only access.

Note: The default administrator and default guest passwords for the web management interface are both password. NETGEAR recommends that you change the password for the administrator account to a more secure password, and that you configure a separate secure password for the guest account.

Note: A strong password contains no dictionary words from any language and mixes uppercase and lowercase letters, numbers, and symbols. Your password can be up to 32 characters.

Note: After a factory defaults reset, the password and time-out value are changed back to password and 5 minutes, respectively, so set new passwords for both accounts again after any reset.
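The password guidance in the notes above, written out as a check that can be run over a candidate before it is entered on the Edit User screen. This is an added example, not NETGEAR code, and the firewall's own enforcement rules are not documented on this page: the 32-character limit and the factory default come from the notes, while the minimum length and the small word list are assumptions for illustration.

```python
"""Password check following the notes above (added example, not NETGEAR code)."""
import re

MAX_LENGTH = 32                  # "Your password can be up to 32 characters"
MIN_LENGTH = 12                  # assumption: the page states only the maximum
FACTORY_DEFAULT = "password"     # default for both the administrator and guest accounts

# Constructed word list standing in for a real multi-language dictionary (assumption).
DICTIONARY = {"password", "admin", "netgear", "firewall", "welcome", "summer", "dragon"}

CHARACTER_CLASSES = {
    "lowercase letter": re.compile(r"[a-z]"),
    "uppercase letter": re.compile(r"[A-Z]"),
    "number": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def password_problems(candidate):
    """Return the reasons the candidate falls short; an empty list means acceptable."""
    problems = []
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() == FACTORY_DEFAULT:
        problems.append("is the factory default password")
    for name, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(candidate):
            problems.append(f"missing a {name}")
    lowered = candidate.lower()          # dictionary match is case-insensitive
    for word in sorted(DICTIONARY):
        if word in lowered:
            problems.append(f"contains the dictionary word '{word}'")
    return problems


def password_acceptable(candidate):
    return not password_problems(candidate)


if __name__ == "__main__":
    for candidate in ("password", "Summer2024!", "x7$Kq2!mRt9#Lw"):
        print(candidate, password_problems(candidate))
```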
To modify user settings, including passwords:
1. Select Users > Users. The Users screen displays (see Figure 205 on page 311).
2. In the Action column of the List of Users table, click the Edit table button for the user for which you want to modify the settings. The Edit Users screen displays:
Figure 211.
3. Change the settings as described in the following table.
   Note: Once established, you cannot change the user name or the group. If you need to change the user name or the group, delete the user account and recreate it with the correct name or group.
4. Click Apply to save your settings.
Table 81. Edit User screen settings

Setting                  Description
Select User Type         From the drop-down list, select one of the predefined user types, which determines the user's access rights:
                         - SSL VPN User. User who can log in only to the SSL VPN portal.
                         - Administrator. User who has full access and the capacity to change the VPN firewall configuration (that is, read/write access).
                         - Guest (readonly). User who can only view the VPN firewall configuration (that is, read-only access).
                         - IPSEC VPN User. You cannot change an existing user from the IPSEC VPN User type to another type or from another type to the IPSEC VPN User type.
                         - L2TP User. You cannot change an existing user from the L2TP User type to another type or from another type to the L2TP User type.
                         - PPTP User. You cannot change an existing user from the PPTP User type to another type or from another type to the PPTP User type.
Check to Edit Password   Select this check box to make the password fields accessible so that you can modify the password.
Enter Your Password      Enter the password with which you have logged in.
New Password             Enter the new password.
Confirm New Password     Reenter the new password for confirmation.
Idle Timeout             The period after which an idle user is automatically logged out of the web management interface. The default idle time-out period is 5 minutes.
Manage Digital Certificates for VPN Connections

- VPN Certificates Screen
- Manage VPN CA Certificates
- Manage VPN Self-Signed Certificates
- Manage the VPN Certificate Revocation List
The VPN firewall uses digital certificates (also known as X.509 certificates) during the Internet Key Exchange (IKE) authentication phase to authenticate connecting IPSec VPN gateways or clients, or to be authenticated by remote entities:
- On the VPN firewall, you can enter a digital certificate on the IKE Policies screen, on which the certificate is referred to as an RSA signature (see Figure 159 on page 233 and Authentication Method on page 236).
- On the VPN Client, you can enter a digital certificate on the Authentication pane in the Configuration Panel screen (see Figure 146 on page 222).
Digital certificates are also used for secure web management access over HTTPS (that is, SSL connections).
Digital certificates either can be self-signed or can be issued by certification authorities (CAs) such as an internal Windows server or an external organization such as Verisign or Thawte. However, if the digital certificate contains the extKeyUsage extension, the certificate can be used only for the purposes defined by that extension. For example, if the digital certificate contains an extKeyUsage extension that is defined for SNMPv2, the same certificate cannot be used for secure web management. The extKeyUsage extension governs the acceptance criteria on the VPN firewall when the same digital certificate is used for secure web management.

On the VPN firewall, an uploaded digital certificate is checked for validity and purpose. The digital certificate is accepted when it passes the validity test and its purpose matches its intended use: IPSec VPN, SSL VPN, or both. If the defined purpose covers both IPSec VPN and SSL VPN, the digital certificate is uploaded to both the IPSec VPN certificate repository and the SSL VPN certificate repository. However, if the defined purpose is for IPSec VPN only, the certificate is uploaded only to the IPSec VPN certificate repository.
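The validity-and-purpose check described in the two paragraphs above, as an added example that is not NETGEAR code. It decodes the DER value of an extKeyUsage extension with a small hand-written parser (standard library only) and decides which certificate repository, IPSec VPN, SSL VPN, or both, a certificate may enter. The mapping from repository to extended key usage names is an assumption for illustration; the page does not list the OIDs the firewall accepts, and the sample extension values are constructed, not taken from real certificates.

```python
"""Validity-and-purpose check for an uploaded certificate (added example, not
NETGEAR code). Parses a DER-encoded extKeyUsage value and maps it onto the
IPSec VPN and SSL VPN repositories; the purpose mapping is an assumption.
"""
from datetime import datetime, timezone

# Extended key usage OIDs from RFC 5280 and RFC 4945.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.5": "ipsecEndSystem",
    "1.3.6.1.5.5.7.3.6": "ipsecTunnel",
    "1.3.6.1.5.5.7.3.7": "ipsecUser",
    "1.3.6.1.5.5.7.3.17": "ipsecIKE",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}

# Assumed policy: which EKU names satisfy each repository's purpose.
PURPOSE_EKUS = {
    "ssl_vpn": {"serverAuth", "anyExtendedKeyUsage"},
    "ipsec_vpn": {"ipsecIKE", "ipsecEndSystem", "ipsecTunnel", "ipsecUser", "anyExtendedKeyUsage"},
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length overruns buffer")
    return tag, buf[pos:end], end


def decode_oid(body):
    """Decode OID contents: first byte packs arcs 1 and 2, then base-128 arcs."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (an OID)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extKeyUsage value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, oid_body, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId is not an OID")
        oids.append(decode_oid(oid_body))
    if not oids:
        raise ValueError("empty extKeyUsage")
    return oids


def accept_certificate(eku_der, not_before, not_after, requested_purposes, now=None):
    """Return the set of repositories the certificate is accepted into.

    eku_der is the DER value of the extKeyUsage extension, or None when the
    certificate carries no such extension (RFC 5280: then no purpose is excluded).
    """
    now = now or datetime.now(timezone.utc)
    if not not_before <= now <= not_after:
        return set()                      # fails the validity test outright
    if eku_der is None:
        return set(requested_purposes)
    names = {EKU_NAMES.get(oid, oid) for oid in parse_eku(eku_der)}
    return {p for p in requested_purposes if names & PURPOSE_EKUS[p]}


# Constructed DER extension values (not real certificates).
EKU_SERVER_AND_IKE = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070311")
EKU_IKE_ONLY = bytes.fromhex("300a" "06082b06010505070311")
EKU_ANY = bytes.fromhex("3006" "0604551d2500")

NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2026, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
EXPIRED_NOW = datetime(2027, 1, 1, tzinfo=timezone.utc)
BOTH = {"ipsec_vpn", "ssl_vpn"}

if __name__ == "__main__":
    print(accept_certificate(EKU_SERVER_AND_IKE, NOT_BEFORE, NOT_AFTER, BOTH, SAMPLE_NOW))
    print(accept_certificate(EKU_IKE_ONLY, NOT_BEFORE, NOT_AFTER, BOTH, SAMPLE_NOW))
```

A certificate whose extKeyUsage lists only ipsecIKE lands in the IPSec VPN repository alone, one that lists serverAuth as well lands in both, and an expired certificate is rejected before its purpose is even examined. Absence of the extension is treated as unrestricted, which is the RFC 5280 reading; a stricter deployment may prefer to refuse such certificates for web management.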
The VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities. A digital certificate that authenticates a server, for example, is a file that contains the following elements:
- The server's public key, which clients use to verify the server's signatures and, depending on the protocol, to encrypt messages to the server.
- Information identifying the operator of the server.
- A digital signature by the issuer over the certificate contents, which binds the identity to the public key. Ideally, the signature is from a trusted third party whose identity can be verified.
You can obtain a digital certificate from a well-known commercial certification authority (CA) such as Verisign or Thawte, or you can generate and sign your own digital certificate.