NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

Setting Up User and Group Access Policies

4-5

v1.1, November 2006

2.

From the Apply Policy To pull-down menu, select whether the policy will be applied to a

predefined network resource, an individual host, a network, or all addresses.

3.

In the Policy Name field, enter a name for the policy.

•

If your policy applies to a predefined network resource, select the name of the resource

from the Defined Resource menu. For information about creating network resources, refer

to

“Using Network Resource Objects to Simplify Policies” on page 4-20

.

•

If your policy applies to a specific host, enter the IP address of the local host machine in

the IP Address field.

•

If your policy applies to a network, enter the network address in the Network Address

field and the subnet mask in the Subnet Mask field.

4.

From the Service pull-down menu, select the service type. If you are applying a policy to a

network resource, the service type is defined in the network resource.

5.

From the Status pull-down menu, select PERMIT or DENY to either permit or deny SSL VPN

connections for the specified service and host machine.

6.

Click Apply to update the configuration. Once the configuration has been updated, the new

policy appears in the Global Policies table on the Global Settings screen.

The Global Policies will be displayed in the order of priority, from the highest priority policy

to the lowest priority policy.

Figure 4-3

Note:

SSL VPN Concentrator policies apply to the destination address(es) of the SSL

VPN connection, not the source address. You cannot permit or block a specific

IP address on the Internet from authenticating to the SSL VPN Concentrator

through the policy engine.

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

4-6

Setting Up User and Group Access Policies

v1.1, November 2006

Defining and Editing Global Bookmarks

To define global bookmarks:

1.

In the Global Bookmarks section, click Add Bookmark. An Add Bookmark window displays.

When global bookmarks are defined, all members will see the defined bookmarks from the

SSL VPN portal. Individual users will not be able to delete or modify global bookmarks.

2.

In the Bookmark Name field, enter a descriptive name.

3.

In the Name or IP Address field, enter the domain name or the IP address of a host machine on

the LAN.

4.

From the Service pull-down menu, select the service type.

5.

If Terminal Services (RDP5) is selected, select the screen size that the bookmark will use from

the Screen Size drop-down menu.)

6.

Click Apply to update the configuration. Once the configuration has been updated, the new

global bookmark appears in the Global Bookmarks table on the Global Settings screen.

Groups Configuration

When configuring Groups, remember that user policies take precedence over all group policies

and group policies take precedence over all global policies, regardless of the policy definition. (A

user policy that allows access to all IP addresses will take precedence over a group policy that

denies access to a single IP address).

Figure 4-4

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

Setting Up User and Group Access Policies

4-7

v1.1, November 2006

SSL VPN Concentrator Groups are also defined from the Users and Groups menu. Under the

Access and Administration menu in the left navigation pane, select the Users and Groups option.

The Users and Groups menu displays

Adding a New Group

To create a new group:

1.

In the Users and Groups menu, click Add Group. The Add Group menu displays.

Figure 4-5

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

4-8

Setting Up User and Group Access Policies

v1.1, November 2006

.

2.

In the Group Name field., enter a descriptive name for the group.

3.

In the Domain menu, select the appropriate domain. The domain will determine the

authentication method for the group.

4.

Click Apply to update the configuration. Once the group has been added, the new group

appears in the Groups table on the User and Groups menu.

All of the configured groups are displayed in the table in the Users and Groups menu. The

Groups are listed in alphabetical order.

Editing Group Settings

To edit group settings:

1.

In the Groups table, click the name of the group. The Edit Group Settings menu displays. The

general group information, including the Group Name, Domain Name, and Inactivity Timeout

are displayed. The Group Name and Domain Name are not configurable.

2.

In the Inactivity Timeout field, enter the number of minutes of inactivity to allow for users in

the group.

3.

Click Apply to save the configuration changes.

Figure 4-6

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

Setting Up User and Group Access Policies

4-9

v1.1, November 2006

You can set the inactivity timeout at the user, group and global level. Set the timeout as 0 in the

user and group configuration to use the global timeout setting. If multiple timeout settings are

configured, the user timeout setting will take precedence over the group timeout and the group

timeout will take precedence over the global timeout.

The maximum timeout setting is 2

32

or over 100,000 minutes, although setting the timeout to

0

on the Global Settings page disables the inactivity timeout (if 0 is also configured as the

inactivity timeout for the user and group).

Defining and Editing Group Policies

With group access policies, all traffic is allowed by default. You can create additional allow and

deny policies by destination address or address range and by service type.

Figure 4-7