NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

3-12

Authenticating Users

v1.1, November 2006

8.

Click Apply to update the configuration. Once the domain has been added, the domain

displays in the table on the Domains screen

Troubleshooting Active Directory Authentication

If your users are unable to connect via Active Directory, verify the following:

1.

The time settings between the Active Directory server and the SSL VPN Concentrator must be

synchronized. Kerberos authentication, used by Active Directory to authenticate clients,

permits a maximum of a 15-minute time difference between the Windows server and the client

(the SSL VPN Concentrator). The easiest way to solve this issue is to configure Network Time

Protocol on the

Date and Time

screen and check that the server's time settings are also

correct.

2.

Confirm that your Windows server is configured for Active Directory authentication. If you

are using a Window NT 4.0 server, then your server only supports NT Domain authentication.

Typically, Windows 2000 and 2003 servers are also configured for NT Domain authentication

to support legacy Windows clients.

Deleting a Domain

To delete a domain, click the Delete link in the Domains table for the domain you wish to remove.

Once the SSL VPN Concentrator has been updated, the deleted domain will no longer appear in

the table in the Domains table.

Note:

The SSL VPN Concentrator

“geardomain” domain cannot be deleted.

4-1

v1.1, November 2006

Chapter 4

Setting Up User and Group Access Policies

This chapter describes how to define users and groups and how to configure SSL VPN

Concentrator access policies and bookmarks for the users and groups. This chapter includes the

following topics:

•

Determine Your Requirements

•

Users, Groups and Global Policies

•

Global Policies

•

Groups Configuration

•

Users Configuration

•

Using Network Resource Objects to Simplify Policies

Determine Your Requirements

The ProSafe SSL VPN Concentrator 25 provides an extremely flexible and granular architecture

for managing users and groups. Depending on your requirements, you can implement a simple or

complex policy structure. Some general guidelines are:

•

If you have a small number of users, all with the same privileges, and no central authentication

server, you can just add your users to the SSL VPN Concentrator’s local user database, using

the default group and domain.

•

If you use a RADIUS, LDAP, NT or Active Directory authentication server, you do not need

to add individual users into the SSL VPN Concentrator unless you wish to define specific

policies or bookmarks per user. Configure groups using the same group names as defined in

your authentication server.

•

To create complex policies involving groups of host names, IP addresses or IP address ranges,

you can define these groups as network objects using Network Resources as described in

“Using Network Resource Objects to Simplify Policies” on page 4-20

.

•

To present different portal content to different users (for example, external suppliers), create

the new portal layout, then add a new domain, selecting the new portal layout.

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

4-2

Setting Up User and Group Access Policies

v1.1, November 2006

Users, Groups and Global Policies

An administrator can define and apply user, group and global policies to predefined network

resource objects, IP addresses, address ranges, or all IP addresses and to different SSL VPN

services. A specific hierarchy is invoked over which policies take precedence. The SSL VPN

Concentrator policy hierarchy is defined as:

1.

User Policies take precedence over all Group Policies.

2.

Group Policies take precedence over all Global Policies.

3.

If two or more user, group or global policies are configured,

the most specific policy

takes

precedence.

For example, a policy configured for a single IP address takes precedence over a policy configured

for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over

a policy applied to all IP addresses. If two or more IP address ranges are configured, then the

smallest address range takes precedence. Hostnames are treated the same as individual IP

addresses.

Network Resources are prioritized just like other address ranges. However, the prioritization is

based on the individual address or address range, not the entire Network Resource.

For example, let’s assume the following global policy configuration:

•

Policy 1: A Deny rule has been configured to block all services to the IP address range

10.0.0.0 - 10.0.0.255

.

•

Policy 2: A Deny rule has been configured to block FTP access to

10.0.1.2 -

10.0.1.10

.

•

Policy 3: A Permit rule has been configured to allow FTP access to the predefined network

resource, FTP Servers. The FTP Servers

network resource includes the following

addresses:

10.0.0.5 - 10.0.0.20

and

ftp.company.com

, which resolves to

10.0.1.3

.

Assuming that no conflicting user or group policies have been configured, if a user attempted to

access:

•

An FTP server at

10.0.0.1

, the user would be blocked by Policy 1.

•

An FTP server at

10.0.1.5

, the user would be blocked by Policy 2.

•

An FTP server at

10.0.0.10

, the user would be granted access by Policy 3. The IP address

range

10.0.0.5 - 10.0.0.20

is more specific than the IP address range defined in

Policy 1.

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

Setting Up User and Group Access Policies

4-3

v1.1, November 2006

•

An FTP server at

ftp.company.com

, the user would be granted access by Policy 3. A single

host name is more specific than the IP address range configured in Policy 2.

Global Policies

You can view and configure the SSL VPN Concentrator Global Policies, Groups and Users by

selecting

Users and Groups

under the Access Administration menu in the left navigation pane.

Editing Global Policy Settings

To edit global settings:

1.

In the Global Policies table, click the Edit Global Policies link. The Global Settings screen

displays.

Note:

The user would not be able to access

ftp.company.com

using its IP address

10.0.1.3

. The SSL VPN Concentrator policy engine does not perform

reverse DNS lookups.

Figure 4-1

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

4-4

Setting Up User and Group Access Policies

v1.1, November 2006

2.

In the Inactivity Timeout field, enter the number of minutes of inactivity to allow.

3.

Click Apply to save the configuration changes.

You can set the inactivity timeout at the user, group and global level. If one or more timeouts

are configured for an individual user, the user timeout setting will take precedence over the

group timeout and the group timeout will take precedence over the global timeout.

Setting the global settings timeout to 0 disables the inactivity timeout for users that do not

have a group or user timeout configured.

Adding and Editing Global Policies

To define global access policies:

1.

In the Global Policies section, click Add Policy. An Add Policy window displays.

Figure 4-2

Note:

User and group access policies will take precedence over global policies.