Chapter 7 Tutorials
ZyWALL USG 50 User’s Guide
121
4 Enable the VPN connection and name it (“VPN_CONN_EXAMPLE”). Under VPN Gateway select Site-to-site and the VPN gateway (VPN_GW_EXAMPLE). Under Policy, select LAN1_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote. Click OK.
Figure 70 Configuration > VPN > IPSec VPN > VPN Connection > Add
5 Now set up the VPN settings on the peer IPSec router and try to establish the VPN tunnel. To trigger the VPN, either try to connect to a device on the peer IPSec router’s LAN or click Configuration > VPN > IPSec VPN > VPN Connection and use the VPN connection screen’s Connect icon.
7.4.3 Configure Security Policies for the VPN Tunnel
You configure security policies based on zones. The new VPN connection was
assigned to the IPSec_VPN zone. By default, there are no security restrictions on
the IPSec_VPN zone, so, next, you should set up security policies (firewall rules,
IDP, and so on) that apply to the IPSec_VPN zone. Make sure all firewalls between
the ZyWALL and remote IPSec router allow UDP port 500 (IKE) and IP protocol 50
(AH) or 51 (ESP). If you enable NAT traversal, all firewalls between the ZyWALL
and remote IPSec router should also allow UDP port 4500.
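The firewall requirements above can be checked mechanically before the tunnel is brought up. The following is an added example (not from the ZyWALL guide): it models a simple first-match, default-deny rule base and reports which of the flows an IPsec tunnel needs are not permitted. The rule format, the addresses and the sample rule base are constructed for the example; the protocol numbers follow the IANA registry, where 50 is ESP (RFC 4303) and 51 is AH (RFC 4302).

```python
# Added example (not from the ZyWALL guide): check that a firewall rule base
# between the ZyWALL and the peer IPsec router permits the flows the tunnel
# needs. Rules, addresses and the first-match/default-deny model are constructed
# for this example; adapt them to the actual firewall in the path.
from dataclasses import dataclass
from typing import Optional

PROTO_UDP = 17
PROTO_ESP = 50   # IP protocol number registered for ESP (RFC 4303)
PROTO_AH = 51    # IP protocol number registered for AH (RFC 4302)
IKE_PORT = 500
NAT_T_PORT = 4500


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # IPv4 address or "any"
    dst: str                     # IPv4 address or "any"
    proto: int                   # IP protocol number
    dport: Optional[int] = None  # destination port for UDP/TCP; None = any port


def permits(rules, src, dst, proto, dport=None):
    """First matching rule decides; no match means deny (the usual default)."""
    for r in rules:
        if (r.src in ("any", src) and r.dst in ("any", dst)
                and r.proto == proto and r.dport in (None, dport)):
            return r.action == "allow"
    return False


def required_flows(zywall, peer, encapsulation="ESP", nat_traversal=False):
    """Flows an IPsec tunnel needs, in both directions, between the two gateways."""
    ipsec_proto = PROTO_ESP if encapsulation == "ESP" else PROTO_AH
    flows = []
    for a, b in ((zywall, peer), (peer, zywall)):
        flows.append((f"IKE {a}->{b}", a, b, PROTO_UDP, IKE_PORT))
        flows.append((f"{encapsulation} {a}->{b}", a, b, ipsec_proto, None))
        if nat_traversal:
            flows.append((f"NAT-T {a}->{b}", a, b, PROTO_UDP, NAT_T_PORT))
    return flows


def missing_flows(rules, zywall, peer, encapsulation="ESP", nat_traversal=False):
    """Names of required flows the rule base does not permit (empty list = OK)."""
    return [name for name, s, d, p, port in
            required_flows(zywall, peer, encapsulation, nat_traversal)
            if not permits(rules, s, d, p, port)]


# Constructed rule base for an intermediate firewall: IKE and ESP are open in
# both directions, but UDP 4500 for NAT traversal was forgotten.
SAMPLE_RULES = [
    Rule("allow", "any", "any", PROTO_UDP, IKE_PORT),
    Rule("allow", "any", "any", PROTO_ESP),
    Rule("deny", "any", "any", PROTO_UDP),
]

if __name__ == "__main__":
    # Prints the two NAT-T flows as missing once NAT traversal is enabled.
    print(missing_flows(SAMPLE_RULES, "203.0.113.1", "198.51.100.1", nat_traversal=True))
```

Run it against a transcription of each firewall in the path; an empty list for the encapsulation and NAT-traversal setting you actually configured is what you want to see before troubleshooting the tunnel itself.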
7.5 How to Configure User-aware Access Control
You can configure many policies and security settings for specific users or groups of users. This is illustrated in the following example, where you will set up the following policies. This is a simple example that does not include priorities for different types of traffic. See Bandwidth Management on page 439 for more on bandwidth management.
The users are authenticated by an external RADIUS server at 192.168.1.200.
First, set up the user accounts and user groups in the ZyWALL. Then, set up user
authentication using the RADIUS server. Finally, set up the policies in the table
above.
The ZyWALL has its default settings.
7.5.1 Set Up User Accounts
Set up one user account for each user account in the RADIUS server. If it is
possible to export user names from the RADIUS server to a text file, then you
might create a script to create the user accounts instead. This example uses the
Web Configurator.
1 Click Configuration > Object > User/Group > User. Click the Add icon.
Table 18 User-aware Access Control Example
GROUP (USER)        WEB SURFING   WEB BANDWIDTH   MSN                       LAN1-TO-DMZ ACCESS
Finance (Leo)       Yes           200K            No                        Yes
Engineer (Steven)   Yes           100K            No                        No
Sales (Debbie)      Yes           100K            Yes (M-F, 08:30~18:00)    Yes
Boss (Andy)         Yes           100K            Yes                       Yes
Guest (guest)       Yes           50K             No                        No
Others              No            ---             No                        No
2 Enter the same user name that is used in the RADIUS server, and set the User Type to ext-user because this user account is authenticated by an external server. Click OK.
Figure 71 Configuration > Object > User/Group > User > Add
3 Repeat this process to set up the remaining user accounts.
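Section 7.5.1 suggests scripting the account creation when the user names can be exported from the RADIUS server. The following is an added example (not from the ZyWALL guide) of such a script: it reads a one-name-per-line export, validates and de-duplicates the names, and emits one CLI command per account. The export format is assumed; the command template is my recollection of the ZLD CLI form “username <name> user-type ext-user” and should be checked against the CLI Reference Guide before the output is applied. The validation step matters because text taken from an external system is about to be pasted into a command batch.

```python
# Added example (not from the ZyWALL guide): turn a user-name export from the
# RADIUS server into a batch of CLI commands that create ext-user accounts.
# Assumptions: the export is one name per line with "#" comments; the command
# template follows the ZLD CLI form as recalled (verify it before use).
import re

# Constructed export, as a RADIUS server might dump its user list.
SAMPLE_EXPORT = """\
# users exported from radius 192.168.1.200
leo
steven
debbie
andy
guest
leo
Bad Name!
"""

# Conservative character set and length; the limit is an assumption, not the
# ZyWALL's documented maximum. Anything else is rejected rather than emitted.
VALID_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,31}$")

DEFAULT_TEMPLATE = "username {name} user-type ext-user"  # assumed ZLD syntax


def parse_export(text):
    """Return (valid_names, rejected_lines): de-duplicated, comments and blanks skipped."""
    seen, names, rejected = set(), [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not VALID_NAME.match(line):
            rejected.append(line)  # never pass unvalidated text into a CLI batch
            continue
        if line in seen:
            continue
        seen.add(line)
        names.append(line)
    return names, rejected


def build_commands(names, template=DEFAULT_TEMPLATE):
    """One command per validated name; the template is the only place syntax lives."""
    return [template.format(name=n) for n in names]


if __name__ == "__main__":
    names, rejected = parse_export(SAMPLE_EXPORT)
    for cmd in build_commands(names):
        print(cmd)
    if rejected:
        print("# rejected (create by hand):", rejected)
```

Review the printed batch, and in particular the rejected list, before pasting it into the CLI; the names created here must match the RADIUS user names exactly or the ext-user lookup will not succeed.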
7.5.2 Set Up User Groups
Set up the user groups and assign the users to the user groups.
1 Click Configuration > Object > User/Group > Group. Click the Add icon.
2 Enter the name of the group that is used in the example in Table 18 on page 122. In this example, it is “Finance”. Then, select User/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add more members later.
Figure 72 Configuration > Object > User/Group > Group > Add
3 Repeat this process to set up the remaining user groups.
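With the users and groups in place, the per-group policies of Table 18 can be written down as data and checked before they are turned into firewall and bandwidth rules. The following is an added example (not from the ZyWALL guide): it maps users to groups, encodes the table including the Sales MSN schedule (Mon-Fri, 08:30 to 18:00), and answers whether a given user may do a given thing at a given time. Users in no group fall through to the “Others” row, which is the deny-by-default behaviour the table intends. Group names and user names are the ones from this section; the function names are mine.

```python
# Added example (not from the ZyWALL guide): Table 18 as data plus a decision
# function. This models the policy so it can be sanity-checked; the ZyWALL
# itself enforces it through its own firewall/bandwidth rules per group.
from datetime import datetime, time

# Group membership from 7.5.2; users are authenticated by the RADIUS server.
GROUPS = {"Finance": {"leo"}, "Engineer": {"steven"}, "Sales": {"debbie"},
          "Boss": {"andy"}, "Guest": {"guest"}}


def business_hours(now):
    """Mon-Fri (weekday 0-4), 08:30 inclusive to 18:00 exclusive."""
    return now.weekday() < 5 and time(8, 30) <= now.time() < time(18, 0)


# Table 18. "msn" is a bool or a schedule predicate; bandwidth in kbps.
POLICY = {
    "Finance":  {"web": True, "bandwidth_k": 200, "msn": False,          "lan1_to_dmz": True},
    "Engineer": {"web": True, "bandwidth_k": 100, "msn": False,          "lan1_to_dmz": False},
    "Sales":    {"web": True, "bandwidth_k": 100, "msn": business_hours, "lan1_to_dmz": True},
    "Boss":     {"web": True, "bandwidth_k": 100, "msn": True,           "lan1_to_dmz": True},
    "Guest":    {"web": True, "bandwidth_k": 50,  "msn": False,          "lan1_to_dmz": False},
}
# The "Others" row: anyone not in a group gets nothing.
OTHERS = {"web": False, "bandwidth_k": None, "msn": False, "lan1_to_dmz": False}


def group_of(user):
    for name, members in GROUPS.items():
        if user in members:
            return name
    return None  # unknown or unauthenticated user -> "Others"


def allowed(user, action, now=None):
    """True if the table permits `action` for `user` at `now` (default: current time)."""
    now = now or datetime.now()
    value = POLICY.get(group_of(user), OTHERS)[action]
    return value(now) if callable(value) else bool(value)


def bandwidth_k(user):
    """Web bandwidth limit in kbps, or None for the "---" entry of "Others"."""
    return POLICY.get(group_of(user), OTHERS)["bandwidth_k"]


def when(stamp):
    """Parse 'YYYY-MM-DD HH:MM' into a datetime, for testing schedule edges."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


if __name__ == "__main__":
    for user in ("leo", "debbie", "mallory"):
        print(user, group_of(user), allowed(user, "msn", when("2024-01-10 09:00")),
              bandwidth_k(user))
```

The schedule edge cases (just before 08:30, at 18:00, on a Saturday) are the ones worth probing, since that is where a misconfigured schedule object on the ZyWALL usually shows up.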
7.5.3 Set Up User Authentication Using the RADIUS Server
This step sets up user authentication using the RADIUS server. First, configure the
settings for the RADIUS server. Then, set up the authentication method, and
configure the ZyWALL to use the authentication method. Finally, force users to log
in to the ZyWALL before it routes traffic for them.
1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server’s address, authentication port (1812 if you were not told otherwise), and key, and click Apply.
Figure 73 Configuration > Object > AAA Server > RADIUS > Add
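The key entered in step 1 is the RADIUS shared secret, and it has to match the server's entry for the ZyWALL exactly. The following is an added example (not from the ZyWALL guide) showing what that key is used for on the wire per RFC 2865: hiding a PAP password inside an Access-Request, and computing and checking the Response Authenticator of the server's reply so that a reply made without the same key is rejected. The packets are built locally and nothing is sent; the user name, password, key and identifier are constructed values.

```python
# Added example (not from the ZyWALL guide): how the RADIUS shared key is used
# (RFC 2865). Builds an Access-Request with a PAP password hidden under the key
# and verifies the Response Authenticator of a reply. All values are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR 16-byte password blocks with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)          # pad to a multiple of 16
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(pw[i:i + 16], block))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """The server-side inverse of hide_password; only works with the same key."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(type_, value):
    """Type-Length-Value attribute; length counts the two header bytes."""
    return struct.pack("!BB", type_, len(value) + 2) + value


def access_request(ident, username, password, secret, request_auth=None):
    """Code(1) Identifier(1) Length(2) RequestAuthenticator(16) Attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    length = 20 + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attrs + secret).digest()


def access_accept(ident, request_auth, secret, attrs=b""):
    """What a server holding the same key would send back (constructed here)."""
    return (struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
            + response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
            + attrs)


def reply_is_authentic(reply, request_auth, secret):
    """Client-side check: discard replies whose authenticator was not made with our key."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


if __name__ == "__main__":
    ra = os.urandom(16)
    req = access_request(7, "leo", "example-password", b"sharedkey", ra)
    rep = access_accept(7, ra, b"sharedkey")
    print(len(req), reply_is_authentic(rep, ra, b"sharedkey"),
          reply_is_authentic(rep, ra, b"wrongkey"))
```

Two practical consequences follow from the construction: a key mismatch shows up as replies that fail this check (or as a server that cannot recover the password), and because the password hiding is MD5-based rather than real encryption, the path between the ZyWALL and the RADIUS server at 192.168.1.200 should be a trusted network segment.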
2 Click Configuration > Object > Auth. method. Double-click the default entry. Click the Add icon. Select group radius because the ZyWALL should use the specified RADIUS server for authentication. Click OK.
Figure 74 Configuration > Object > Auth. method > Add
3 Click Configuration > Auth. Policy. In the Authentication Policy Summary section, click the Add icon.
4 Set up a default policy that forces every user to log in to the ZyWALL before the ZyWALL routes traffic for them. Select Enable. Set the Authentication field to required, and make sure Force User Authentication is selected. Keep the rest of the default settings, and click OK.
