NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
3-12
Authenticating Users
v1.1, November 2006
8. Click Apply to update the configuration. Once the domain has been added, the domain displays in the table on the Domains screen.
Troubleshooting Active Directory Authentication
If your users are unable to connect via Active Directory, verify the following:
1. The time settings between the Active Directory server and the SSL VPN Concentrator must be synchronized. Kerberos authentication, used by Active Directory to authenticate clients, permits a maximum of a 15-minute time difference between the Windows server and the client (the SSL VPN Concentrator). The easiest way to solve this issue is to configure Network Time Protocol on the Date and Time screen and check that the server's time settings are also correct.
2. Confirm that your Windows server is configured for Active Directory authentication. If you are using a Windows NT 4.0 server, then your server only supports NT Domain authentication. Typically, Windows 2000 and 2003 servers are also configured for NT Domain authentication to support legacy Windows clients.
Deleting a Domain
To delete a domain, click the Delete link in the Domains table for the domain you wish to remove. Once the SSL VPN Concentrator has been updated, the deleted domain will no longer appear in the Domains table.
Note: The SSL VPN Concentrator “geardomain” domain cannot be deleted.
4-1
Chapter 4
Setting Up User and Group Access Policies
This chapter describes how to define users and groups and how to configure SSL VPN
Concentrator access policies and bookmarks for the users and groups. This chapter includes the
following topics:
Determine Your Requirements
Users, Groups and Global Policies
Global Policies
Groups Configuration
Users Configuration
Using Network Resource Objects to Simplify Policies
Determine Your Requirements
The ProSafe SSL VPN Concentrator 25 provides an extremely flexible and granular architecture
for managing users and groups. Depending on your requirements, you can implement a simple or
complex policy structure. Some general guidelines are:
If you have a small number of users, all with the same privileges, and no central authentication
server, you can just add your users to the SSL VPN Concentrator’s local user database, using
the default group and domain.
If you use a RADIUS, LDAP, NT or Active Directory authentication server, you do not need
to add individual users into the SSL VPN Concentrator unless you wish to define specific
policies or bookmarks per user. Configure groups using the same group names as defined in
your authentication server.
To create complex policies involving groups of host names, IP addresses or IP address ranges, you can define these groups as network objects using Network Resources as described in “Using Network Resource Objects to Simplify Policies” on page 4-20.
To present different portal content to different users (for example, external suppliers), create
the new portal layout, then add a new domain, selecting the new portal layout.
4-2
Users, Groups and Global Policies
An administrator can define and apply user, group and global policies to predefined network
resource objects, IP addresses, address ranges, or all IP addresses and to different SSL VPN
services. A specific hierarchy is invoked over which policies take precedence. The SSL VPN
Concentrator policy hierarchy is defined as:
1. User Policies take precedence over all Group Policies.
2. Group Policies take precedence over all Global Policies.
3. If two or more user, group or global policies are configured, the most specific policy takes precedence.
For example, a policy configured for a single IP address takes precedence over a policy configured
for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over
a policy applied to all IP addresses. If two or more IP address ranges are configured, then the
smallest address range takes precedence. Hostnames are treated the same as individual IP
addresses.
Network Resources are prioritized just like other address ranges. However, the prioritization is
based on the individual address or address range, not the entire Network Resource.
For example, let’s assume the following global policy configuration:
Policy 1: A Deny rule has been configured to block all services to the IP address range 10.0.0.0 - 10.0.0.255.
Policy 2: A Deny rule has been configured to block FTP access to 10.0.1.2 - 10.0.1.10.
Policy 3: A Permit rule has been configured to allow FTP access to the predefined network resource, FTP Servers. The FTP Servers network resource includes the following addresses: 10.0.0.5 - 10.0.0.20 and ftp.company.com, which resolves to 10.0.1.3.
Assuming that no conflicting user or group policies have been configured, if a user attempted to access:
An FTP server at 10.0.0.1, the user would be blocked by Policy 1.
An FTP server at 10.0.1.5, the user would be blocked by Policy 2.
An FTP server at 10.0.0.10, the user would be granted access by Policy 3. The IP address range 10.0.0.5 - 10.0.0.20 is more specific than the IP address range defined in Policy 1.
4-3
An FTP server at ftp.company.com, the user would be granted access by Policy 3. A single host name is more specific than the IP address range configured in Policy 2.
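The precedence rules above (user over group over global, then the smallest address set, with network resources ranked entry by entry and hostnames matched only by name because the policy engine performs no reverse DNS lookup) can be modelled in a few dozen lines. The following Python is an added example, not NETGEAR code and not the concentrator's actual implementation; the Policy data model, the tie-break that prefers a service-specific rule over an all-services rule when the address sets are the same size, and the choice to return None (leaving the default action to the caller, since this chapter does not state one) are assumptions. The sample policies and network resource reproduce the manual's worked example.

```python
"""Model of the SSL VPN Concentrator policy precedence described in the manual.

Added example, not NETGEAR code. Assumed: the data model, the service tie-break,
and returning None when no policy matches (the manual excerpt states no default).
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

LEVEL_RANK = {"user": 0, "group": 1, "global": 2}   # lower rank wins
ANY = "*"                                            # all services / all addresses
ALL_ADDRESSES_SIZE = 2 ** 32                         # rank used for "all IP addresses"


@dataclass(frozen=True)
class Policy:
    name: str
    level: str     # "user", "group" or "global"
    action: str    # "permit" or "deny"
    service: str   # e.g. "FTP", or ANY for all services
    target: str    # single IP, "lo - hi" range, hostname, network resource name, or ANY


def _ip(text: str) -> Optional[IPv4Address]:
    try:
        return IPv4Address(text.strip())
    except ValueError:
        return None


def parse_target(target: str) -> Tuple[str, object]:
    """Classify a target as ("all", None), ("range", (lo, hi)), ("ip", addr) or ("host", name)."""
    if target == ANY:
        return "all", None
    if "-" in target:
        lo_text, _, hi_text = target.partition("-")
        lo, hi = _ip(lo_text), _ip(hi_text)
        if lo is not None and hi is not None and lo <= hi:
            return "range", (lo, hi)
    addr = _ip(target)
    if addr is not None:
        return "ip", addr
    return "host", target.strip().lower()   # a hostname counts as a single address


def target_size(target: str) -> int:
    """Number of addresses covered; smaller is more specific."""
    kind, value = parse_target(target)
    if kind == "all":
        return ALL_ADDRESSES_SIZE
    if kind == "range":
        lo, hi = value
        return int(hi) - int(lo) + 1
    return 1


def target_matches(target: str, dest: str) -> bool:
    """A hostname matches only the same hostname: no reverse DNS lookup is performed."""
    kind, value = parse_target(target)
    dest_ip = _ip(dest)
    if kind == "all":
        return True
    if kind == "range":
        lo, hi = value
        return dest_ip is not None and lo <= dest_ip <= hi
    if kind == "ip":
        return dest_ip is not None and dest_ip == value
    return dest_ip is None and dest.strip().lower() == value


def expand(policies: List[Policy], resources: Dict[str, List[str]]) -> List[Policy]:
    """Split a policy on a network resource into one policy per address entry, so each
    entry is prioritised on its own size rather than on the whole resource."""
    out: List[Policy] = []
    for p in policies:
        if p.target in resources:
            out.extend(replace(p, target=entry) for entry in resources[p.target])
        else:
            out.append(p)
    return out


def decide(policies: List[Policy], resources: Dict[str, List[str]],
           dest: str, service: str) -> Optional[Tuple[str, str]]:
    """Return (action, policy name) of the winning policy, or None if nothing matches."""
    matches = [p for p in expand(policies, resources)
               if p.service in (ANY, service) and target_matches(p.target, dest)]
    if not matches:
        return None
    # user > group > global, then smallest address set, then (assumed) service-specific first
    best = min(matches, key=lambda p: (LEVEL_RANK[p.level], target_size(p.target), p.service == ANY))
    return best.action, best.name


# Constructed sample data mirroring the manual's worked example.
RESOURCES = {"FTP Servers": ["10.0.0.5 - 10.0.0.20", "ftp.company.com"]}
GLOBAL_POLICIES = [
    Policy("Policy 1", "global", "deny", ANY, "10.0.0.0 - 10.0.0.255"),
    Policy("Policy 2", "global", "deny", "FTP", "10.0.1.2 - 10.0.1.10"),
    Policy("Policy 3", "global", "permit", "FTP", "FTP Servers"),
]

if __name__ == "__main__":
    for dest in ["10.0.0.1", "10.0.1.5", "10.0.0.10", "ftp.company.com", "10.0.1.3"]:
        print(dest, "->", decide(GLOBAL_POLICIES, RESOURCES, dest, "FTP"))
```

Running it reproduces the four outcomes listed above and also shows the case from the note later in this chapter: 10.0.1.3 is denied by Policy 2, because the ftp.company.com entry of the FTP Servers resource is compared by name only. Adding a user-level policy for the same range as Policy 1 overrides it regardless of specificity, which is the hierarchy rule 1 in action.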
Global Policies
You can view and configure the SSL VPN Concentrator Global Policies, Groups and Users by selecting Users and Groups under the Access Administration menu in the left navigation pane.
Editing Global Policy Settings
To edit global settings:
1. In the Global Policies table, click the Edit Global Policies link. The Global Settings screen displays.
Note: The user would not be able to access ftp.company.com using its IP address 10.0.1.3. The SSL VPN Concentrator policy engine does not perform reverse DNS lookups.
Figure 4-1
4-4
2. In the Inactivity Timeout field, enter the number of minutes of inactivity to allow.
3. Click Apply to save the configuration changes.
You can set the inactivity timeout at the user, group and global level. If one or more timeouts are configured for an individual user, the user timeout setting will take precedence over the group timeout and the group timeout will take precedence over the global timeout.
Setting the global settings timeout to 0 disables the inactivity timeout for users that do not have a group or user timeout configured.
Adding and Editing Global Policies
To define global access policies:
1. In the Global Policies section, click Add Policy. An Add Policy window displays.
Figure 4-2
Note: User and group access policies will take precedence over global policies.