GB-OS Version 5.3. GTA SSL Sentinel. Tel: Fax Web:

Transcription

1 GB-OS Version 5.3 GTA SSL Sentinel SSL Global Technology Associates 3505 Lake Lynda Drive Suite 109 Orlando, FL Tel: Fax Web:

2 Table of Contents Introduction...3 Requirements 3 Firewall Configuration... 4 Creating a Certificate Authority (CA) Certificate 4 Defining Bookmarks 4 Defining a Group for the SSL Sentinel Client 5 Defining a User on the Firewall 6 Enabling the SSL Sentinel Browser 7 Enabling the SSL Sentinel Client 9 Creating Security Policies for SSL Sentinel Client Access 10 Log Messages SSL Sentinel 11 SSL Sentinel Client 12 Troubleshooting...13 SSL Sentinel Browser Requirements 14 Connecting to the SSL Sentinel Browser 14 SSL Sentinel Browser Interface 15 Bookmarks 15 Bookmarks Only 15 Bookmarks and Browser 15 Password Prompts 16 Using the Browser 16 URL Access 16 Web Browser Toolbar 16 File Browser Toolbar 17 Auto Logout 17 Logout 17 Installing the SSL Sentinel Client Windows SSL Sentinel Client Installation 18 Requirements 18 Accessing the GTA Firewall SSL Sentinel Browser Interface for Download 18 Downloading the SSL Sentinel Client, Certificates and Configuration Files 19 SSL Sentinel Client Installation 19 Client Installation Warning 20 Configuring the SSL Sentinel Client 21 Using the SSL Sentinel Client 21 Linux SSL Sentinel Client Installation 23 Requirements 23 Accessing the GTA Firewall SSL Sentinel Browser Interface for Download 23 Download the SSL Sentinel Certificates and Configuration Files 23 Install OpenVPN 24 Opening the Tunnel Using Command Line 24 Install Network Manager Plug-In 25 Configure OpenVPN using Network Manager 25 Open the Tunnel using Network Manager 27 Mac SSL Sentinel Client Installation 28 Requirements 28 Accessing the GTA Firewall SSL Sentinel Browser Interface for Download 28 Downloading the SSL Sentinel Client, Certificates and Configuration Files 28 SSL Sentinel Client Installation 29 Appendix A: Best Practice SSL Sentinel Browser 31 SSL Sentinel Client 31 2 Table of Contents

3 Introduction The purpose of this document is to assist GB-OS users in the installation, configuration and use of the GTA Firewalls SSL Sentinel Service. GTA s SSL Sentinel Service has two components: Browser The SSL Sentinel Browser provides client-less remote network access. Using a standard Web browser, users launch a customized Web portal (the SSL Sentinel Browser) for access to files, applications and internal and external web sites. Supported protocols include http, https, ftp, ftps, and cifs. Client The SSL Sentinel Client is a remote access VPN client that uses SSL to establish a secure, encrypted connection to the network firewall. Via the SSL Browser, the SSL Client is downloaded and installed to the authorized remote user s machine. Browser access for SSL Sentinel users is determined by their group privileges. Some users may only have access to browse files and only use bookmarks. While other users may have access to browse any internal host using http, https, CIFS or ftp. In addition, users may be restricted to read only access for browsing or have upload and download access. Client access is also determined by group privileges. A user must have SSL Sentinel Browser capability in order to have Client access. The SSL Sentinel Client is downloaded via the SSL Sentinel Browser Interface for each user. Requirements GB-OS version or higher Introduction 3

4 Firewall Configuration SSL Sentinel has seven (7) configuration sections: 1. Creating a Certificate Authority (CA) Certificate 2. Defining Bookmarks 3. Defining Groups 4. Defining Users 5. Enabling the SSL Sentinel Browser 6. Enabling the SSL Sentinel Client 7. Creating Security Policies for SSL Sentinel Client Access Creating a Certificate Authority (CA) Certificate Create a Certificate Authority (CA) Certificate to sign all other Certificates. 1. Navigate to Configure>System>Certificates. 2. Set the section to default. The firewall will automatically generate a new CA and Local Certificate, and assign them as CA, Local, and VPN Certificate. Below is an example of the CA, Local, and VPN Certificate. Figure 1: Creating Certificates Note See the GB-OS Users Guide for more information on creating firewall certificates. Defining Bookmarks Bookmarks are shortcuts for users when logged in to the SSL Sentinel Browser. 1. Navigate to Configure>Objects>Bookmark Objects. 2. Edit an existing bookmark or create a new one. Figure 2: Defining Bookmarks Field Default Description Table 1: Bookmarks Disable Unchecked Disables bookmarks. Name Blank Object name referenced in groups section and in other bookmarks. Description Blank Brief description of the bookmark object s purpose. Label Blank Bookmark label displayed to the user when logged into the SSL Sentinel Browser interface. 4 Firewall Configuration

5 Field Default Description Bookmarks Table 1: Bookmarks Object User Defined Set to <user define> to define the bookmark or reference other bookmarks. Icon None Select an icon to represent the bookmark object. Options include None, Browser, Document, , Folder, Network and Web. Label Blank Link label as displayed to the user in the SSL Sentinel Browser. Type cifs Select the protocol to be used to connect to the URL. Specify http, https, ftp, or cifs. URL Blank IP address or host name. Description Blank User defined. Briefly description of the bookmark s purpose. Defining a Group for the SSL Sentinel Client Navigate to Configure>Accounts>Groups. 1. Create a New group, or edit an existing group. 2. Enable SSL Sentinel. 3. Enable Bookmarks Only and Read Only as applicable. Bookmarks Only will authorize users to only access configured bookmarks and will not allow browsing of internal networks. Read Only will only allow users to download files, disabling the upload feature. 4. Select the group bookmarks authorized for the user in the Bookmarks pulldown. 5. Enable the Client to authorize SSL Sentinel Client access for the configured group. Figure 3: Defining a Group Field Default Description Table 2: Defining Groups Disable Unchecked Disables the group. Name User Defined Name used to reference the group for permissions. Administrator Enable Unchecked Enables the group with Administrator privledges. Read Only Checked Enables Administrator read only access. SSL Sentinel Browser Enable Unchecked Enables SSL Sentinel Browser access. Bookmarks Only Checked Dispalys only Bookmarks for SSL Sentinel Browser access. Read Only Checked Read only access. Users can only download files via the browser. Bookmarks Not Selected Displays the defined bookmarks for the group. Client Enable Unchecked Allows SSL Sentinel Client access. Firewall Configuration 5

6 Defining a User on the Firewall 1. Navigate to Configure>Accounts>Users 2. Select the SSL Sentinel group previously configured. 3. Assign the SSL certificate previously defined or generate a new certificate. 4. Enter the password the user will use to login to both SSL Sentinel Browser, and SSL Sentinel Client. Figure 4: Defining a User Note User certificates used for the SSL Sentinel Client MUST be signed by a CA. Field Default Description Table 3: Defining Users Disable Unchecked Disables the user. Identity Blank The name used to authenticate the connecting user. This must be a unique name. Minimum of 3 characters. Full Name Blank Name to identify the user. Minimum of three (3) characters. Description Blank User defined description for the user. Primary Group Users Primary group for specifying the type of access allowed for SSL Sentinel. Also used in security policies for authentication. Certificate Generate Generate automatically creates a user certificate based on user definition, or select a predefined certificate. Authentication Password Blank Password for user to authenticate with the firewall. Minimum of four (4) characters. 6 Firewall Configuration

7 Enabling the SSL Sentinel Browser GTA SSL Sentinel 1. Navigate to Configure>VPN>SSL Sentinel>Browser. 2. Enable the SSL Sentinel Browser. (SSL Sentinel Client downloads require SSL Sentinel Browser access to be enabled.) 3. By default, the SSL Sentinel Browser is listening on TCP port 443. Administrators may choose to allow browser access on an alternate port and restrict 443 to firewall administrators only, or change the Administrator port. 4. Select the encryption level to be used. 5. Define the timeout range for the SSL Sentinel Browser. Valid timeout range is minutes. 6. Select the desired use of the virtual keyboard for logins. The virtual keyboard can be required, enabled to use or not use, or disabled and turned off. 7. Enable automatic policies as desired and select the one and source address for connections. 8. Optionally, create a customized login screen for the SSL Sentinel Browser displaying a title, logo and disclaimer message which will appear upon login. Figure 5: Enabling the SSL Sentinel Browser Field Default Description SSL Sentinel Alternative Port Table 4: SSL Sentinel Browser Enable Unchecked Starts the SSL Sentinel Browser service. Port 443 Port through which browser access will be allowed. Default is TCP port Encryption High Level of encryption to be used. See table below for more information. Timeout Sessions 10 minutes Define the timeout range. Valid range is minutes. Virtual Keyboard Require Require: requires users to use the virtual keyboard for logins to the browser interface; Enable: allows users to use or not use the virtual keyboard; Disable: turn off the virtual keyboard Authentication LDAP Unchecked Enables LDAP users. RADIUS Unchecked Enables RADIUS users. Firewall Configuration 7

8 Field Default Description Automatic Policies Table 4: SSL Sentinel Browser Enable Checked Allows the firewall to automatically create policies for SSL Sentinel Browser access. Zone ANY Specifies the Zone which will be allowed to connect. Options are External, Protected, and PSN. Source Address ANY_IP Specifies the source address allowed to connect. Customization Login Title User Define Enter a customized title for the SSL Sentinel Browser. Logo User Define Upload a logo to be displayed on the SSL Sentinel login. Images must be 32 x 32 pixels and 100 KB or less. JPEG, PNG, or GIF formats are accepted. Disclaimer Enable Unchecked Enable the disclaimer message to appear upon login. Message User Define Enter a disclaimer, note or welcome to appear when users login to the SSL Sentinel Browser. Characters Remaing Uneditable Level Key Strength Description Character count field detailing the number of characters remaining for the disclaimer message. Maximum characters is Table 5: Encryption Levels None N/A Disables SSL encryption All N/A Accepts low, medium and high levels of encryption Low 40-, 56-, 64-bit A low level SSL encryption Medium 128-bit A medium level SSL encryption High 168-bit A high level SSL encryption 8 Firewall Configuration

9 Enabling the SSL Sentinel Client Note GTA SSL Sentinel 1. Navigate to Configure>VPN>SSL Sentinel>Client 2. Check the Enable check box to enable the SSL Sentinel Client Service 3. For Accessible Network, select an object or enter a user defined address for the networks accessible through the SSL Sentinel Client Tunnel 4. For Client DHCP Network, select an object or enter a user defined address for the network that will be used as the Client DHCP Address Pool. The first address in the range will be reserved and assigned to the firewall as tun0 interface. 5. Configure domain, DNS servers and WINS servers that will be assigned to the client. Figure 6: Enabling the SSL Sentinel Client Table 6: SSL Sentinel Client Field Default Description Enable Enabled Starts the SSL Sentinel Client Service. Port 1194 Port for SSL Sentinel Client access. Accessible Networks FW Network - Local Default Local Protected Networks. Client DHCP Network Pool - SSL Sentinel Default DHCP range of /24 Domain User Define Domain assigned to SSL Sentinel Client. Name Server IP Address User Define DNS server(s) pushed to SSL Sentinel Client. WINS Server IP Address User Define WINS server pushed to SSL Sentinel Client. Automatic Policies Enabled Creates an auto policy based on SSL port. Encryption Objects AES-192, sha1, grp2 Encryption used for SSL Sentinel. Lifetime 480 minutes Re-key time, in minutes. Allow Duplicate CN Unchecked Allows duplicate certificates. Override Host Name Blank Allows an administrtor to override default firewall host name, which is configured in Network Settings. Entry can be an IP address or a fully qualified host name. Redirect Client Gateway Unchecked Force all client connections via VPN. UDP Unchecked Use UDP instead of TCP for SSL connection. Use Compression Checked Disable to not use compression. Verbose Logging Unchecked Increase SSL logging for debug purposes. Firewall Configuration 9

10 Note Changes to the SSL Sentinel Client configuration for port, encryption, override host name, and compression will require new client downloads. Creating Security Policies for SSL Sentinel Client Access 1. Navigate to Configure>Security Policies>Policy Editor>SSL Sentnel Client. 2. By default, all in and out is allowed and access to the firewall administration interface using https is denied. Pings to the firewall are also allowed. 3. The default SSL Sentinel Client policies are displayed below. It is recommended that SSL Sentinel policies are configured based on your corporate secruity policy. Figure 7: Creating Security Policies 10 Firewall Configuration

11 Log Messages SSL Sentinel Licenses Exceeded messages OpenVPN client connections. Default user licenses is 2 users, additional user licenses may be requested via GTA sales. Sep 16 14:33:27 pri=3 msg= OpenVPN: MULTI: new incoming connection would exceed maximum number of clients (2) type=mgmt,vpn Close Tunnel OpenVPN: Sep 16 14:33:20 pri=5 msg= Close inbound, openvpn proto=53/udp src= srcport=48517 dst= dstport=53 rule=4 duration=22 sent=59 rcvd=130 pkts _ sent=1 pkts _ rcvd=1 Block Message Remote Access (Interface tun0 is SSL Sentinel Client interface): Sep 16 14:23:17 pri=4 pol _ type=rap pol _ action=block count=12 msg= Block RAP duration=30 rule=6 proto=443/tcp src= srcport= (3), (3), (3), (3) dst= dstport=443 interface= tun0 attribute= alarm flags=0x2 User Login Failure: Sep 16 15:59:50 pri=3 msg= OpenVPN: :55642 TLS Auth Error: Auth Username/ Password verification failed for peer type=mgmt,vpn Compression is disabled on firewall and not in the client configuration. Compression is enabled or disabled in Configure>VPN>SSL Sentinel>Client>Advanced in firewall interface. The use compression option comp-lzo sets compression for the client. Sep 16 16:32:27 pri=4 msg= OpenVPN: :59205 WARNING: comp-lzo is present in remote config but missing in local config, remote= comp-lzo type=mgmt,vpn Compression is enabled on firewall and not in the client configuration. Compression is enabled or disabled in Configure>VPN>SSL Sentinel>Client>Advanced in firewall interface. The use compression option comp-lzo sets compression for the client. Sep 16 16:40:21 pri=4 msg= OpenVPN: :60094 WARNING: comp-lzo is present in local config but missing in remote config, local= comp-lzo type=mgmt,vpn Firewall and client have mis matched configuration options for Encryption. This is configured in Configure>VPN>SSL Sentinel>Client>Advanced, or by setting cipher option on the client. Sep 16 16:47:52 pri=4 msg= OpenVPN: :60939 WARNING: cipher is used inconsistently, local= cipher AES-128-CBC, remote= cipher AES-192-CBC type=mgmt,vpn Sep 16 16:47:52 pri=4 msg= OpenVPN: :60939 WARNING: keysize is used inconsistently, local= keysize 128, remote= keysize 192 type=mgmt,vpn Remote server the proxy is attempting to connect to has an invalid certificate. Sep 21 15:21:41 pri=3 msg= SSL: SSL certificate problem, verify that the CA cert is OK. Details:\\0Aerror: :SSL routines:ssl3 _ GET _ SERVER _ CERTIFICATE:certificate verify failed type=mgmt proto=http/tcp user= support@ gta.com src= srcport=4869 dst= dstport=1443 duration=26 Log Messages 11

12 SSL Sentinel Client User Login Failure: Verify the login credentials. Wed Sep 16 15:59: AUTH: Received AUTH _ FAILED control message Compression is enabled on firewall and not in the client configuration. Compression is enabled or disabled in Configure>VPN>SSL Sentinel>Client>Advanced in firewall interface. The use compression option comp-lzo sets compression for the client. Wed Sep 16 16:40: WARNING: comp-lzo is present in remote config but missing in local config, remote= comp-lzo Compression is disabled on firewall and not in the client configuration. Compression is enabled or disabled in Configure>VPN>SSL Sentinel>Client>Advanced in firewall interface. The use compression option comp-lzo sets compression for the client. Wed Sep 16 16:46: WARNING: comp-lzo is present in local config but missing in remote config, local= comp-lzo Firewall and client have mis matched configuration options for Encryption. This is configured in Configure>VPN>SSL Sentinel>Client>Advanced, or by setting cipher option on the client. Wed Sep 16 16:50: WARNING: cipher is used inconsistently, local= cipher AES-192-CBC, remote= cipher DES-EDE3-CBC Client is unable to resolve the address of the firewall. Confirm firewall has fully qualified host name configured in Network>Interface Settings>Host name field. The host name resolves correctly. Fri Sep 18 08:24: RESOLVE: Cannot resolve host address: dbtest.gta.com: [HOST _ NOT _ FOUND] The specified host is unknown. SSL Sentinel Client is unable to use the Self Signed Certificates. To resolve this issue you will need to make sure that both the Client and Firewall VPN Certificates have been signed by a CA. Certificates can be managed in Configure>System>Certificates. Wed Nov 18 14:43: VERIFY ERROR: depth=0, error=self signed certificate: / address=support@gta.com/o=gta/c=us/cn=fw _ VPN _ CERTIFICATE 12 Log Messages

13 Troubleshooting If your question is not answered below, please contact GTA Support for more information. Q: When attempting to download the client I get the message, Error: Unable to create SSL Sentinel Client configuration bundle. Check that the Override Host Name in Configure>VPN>SSL Sentinel>Client is a single IP or name and not a network. Figure 1: Client Error Message Troubleshooting 13

14 SSL Sentinel Browser This section will assist users in connecting to the SSL Sentinel Browser and navigating the interface. Requirements GB-OS version or higher An IP Address assigned to the firewall External Interface, resolvable in DNS Connecting to the SSL Sentinel Browser To access the SSL Sentinel Browser, open a Web browser and enter the IP address or host name of the connecting firewall. If the browser is configured for a port other than 443, enter the host name or IP address followed by a colon and port number. Example: Figure 1: URL The Login screen for the SSL Sentinel Browser will display. Enter your user login credentials to access the browser. If the virtual keyboard force use is enabled, you will have to use the virtual keyboard to enter passwords. Use the shift key to access special characters. Note Figure 2: Login Administrators with SSL privileges logging in on the administration port will see the normal firewall administration interface and the SSL Sentinel Browser. 14 Connecting to and Navigating the SSL Sentinel Browser

15 SSL Sentinel Browser Interface There are two sections in the SSL Sentinel Browser interface: 1. Browser Displays for all users allowed access. Allows for quick, and secure access to protected resources. 2. Client - Only displays for users who are allowed SSL Sentinel Client access. Bookmarks 1. Labels are used to describe the group of bookmarks. Top level Labels are not clickable URL s and a Browser may have several Label and URL combinations. 2. There are four types of Bookmarks available a. http b. https c. ftp d. cifs (smb) 3. To access a URL, click on a Label link indicated by a bullet or icon. Example: Staff Site FTP Server 4. Password protected sites will prompt a user for a password, in case of ftp and cifs, before connection is completed. Bookmarks Only 1. A user with Bookmarks Only access will only have access to predefined URL s. 2. Access to an undefined URL will be denied. A user should contact their firewall administrator for access to undefined URLs. Figure 3: Browser access only Bookmarks and Browser 1. Users have the same access rights as a Bookmark Only user, with the addition of a Browser bar. 2. The Browser Bar allows users to enter URLs that are not predefined by selecting the Protocol (http. https, ftp, or cifs) and entering the URL. Figure 4: Bookmarks and Browser access Connecting to and Navigating the SSL Sentinel Browser 15

16 Password Prompts Links to URLs requiring a password such as a ftp server, file shares, or basic authentication will prompt users for a login. 1. Example of a FTP server login. The virtual keyboard is available for password entry. Figure 5: Login Prompt 2. Example of Outlook Web Access Basic Authentication login window: Figure 6: OWA Login Using the Browser URL Access URL s are accessed via predefined links or by entering the URL directly in the browser bar as shown below. Enter a URL and click on the refresh icon to open the URL. Figure 5: URL Browser Bar Web Browser Toolbar Navigation and http and https use is accomplished using the SSL Sentinel Browser toolbar. The SSL Sentinel Browser toolbar allows for quick and convenient access to bookmarks, the SSL Sentinel page and for closing the client. Figure 6: SSL Sentinel Browser Toolbar 1. Move - Allows the user to move the toolbar to the upper left, middle or upper right of their browser. 2. Bookmarks - Allows quick access to configured bookmarks. 3. Home - Returns the user to the SSL Sentinel Browser page. 4. Close - Close browser session. 5. Minimize/Maximize - Allows the user to minimize or maximize the SSL Sentinel toolbar. 16 Connecting to and Navigating the SSL Sentinel Browser

17 File Browser Toolbar The file browser toolbar will display differently based on user group permissions and protocol. It will only display when the protocol is ftp(s) or cifs (smb). Select a folder to browse it s contents. To rename a folder, select the edit icon beside the folder. A dialog box will appear. To download a file, select and double-click the file. Figure 7: File Browser Toolbar Table 1: File Browser Toolbar Icon Value Description Shares/SMB (cifs) FTP Read Only Up Move up one directory level. Yes Yes Yes Bookmarks Return browser to SSL Sentinel Browser page. Yes Yes Yes New Folder Creates a new folder. Yes Yes No Delete Deletes selected folder(s). To select multiple files or folder select the check mark next to the file or folder. Note: Folders cannot be deleted unless the contents of the folder are empty. Yes Yes No Copy Copies a file or folder. Yes No No Cut Cuts a file or folder. Yes No No Paste Pastes the object of a copy or cut. Yes No No Upload Upload a file. Yes Yes No Auto Logout When a browser has been inactive for a specified period of time, the user will be automatically logged out. A prompt will allow the user to remain logged in. If the idle period is too low, contact your firewall administrator to increase this time period. Logout Figure 8: Auto logout When logging out, it is recommended that you use the logout option and clear the cache on any untrusted hosts. The SSL Sentinel Browser will attempt to clear cache if the log out button is used. Figure 9: Logout Connecting to and Navigating the SSL Sentinel Browser 17

18 Installing the SSL Sentinel Client This section will assist users in the download, installation, and configuration of the SSL Sentinel Client. Please select your platform for appropriate instructions: Windows SSL Sentinel Client Installation Linux SSL Sentinel Client Installation Mac SSL Sentinel Client Installation Windows SSL Sentinel Client Installation Requirements GB-OS or higher SSL Sentinel Client User access permissions for the SSL Sentinel Browser and Client on the firewall The host name or an IP Address assigned to the firewall s External Interface Downloaded client and configuration files. All required files may be downloaded via the firewall Web interface. Accessing the GTA Firewall SSL Sentinel Browser Interface for Download To access the SSL Sentinel Browser, open a Web browser and enter the IP address or host name of your firewall. If the firewall s SSL Sentinel browser is configured for a port other than 443, append with a colon and port number. Example: Figure 1: Location Bar with Non Standard Port The Login screen for the SSL Sentinel Browser will display. Enter your user login credentials to access the browser. If the virtual keyboard is required, you will have to use the virtual keyboard to enter your password. Use the shift key to access special characters. Figure 2: SSL Sentinel Login Note Administrators with SSL privileges logging in on the administration port will see the normal firewall administration interface and the SSL Sentinel Browser. 18 Installing the SSL Sentinel Client: Windows

19 Downloading the SSL Sentinel Client, Certificates and Configuration Files 1. Navigate to SSL Sentinel>Client for all files needed for download. 2. Click on the Windows Installer Download. This will download the Windows Installer. 3. Click on the Client Configuration Bundle to download the ZIP file containing the required certificates and configuration file. GTA SSL Sentinel Figure 3: Windows Installer, Certificates and Configuration files. SSL Sentinel Client Installation 1. Run the SSL Sentinel Client Installer and select the language. Figure 4: Select the Language for the Installer Figure 5: SSL Sentinel Client Setup Wizard 2. Accept the licenses for the SSL Sentinel Client. Figure 6: Accept SSL Sentinel Client License Installing the SSL Sentinel Client: Windows 19

20 3. Use the default installation path. 4. Click NEXT. Figure 7: Default SSL Sentinel Client Installation Path 5. Click FINISHED. Figure 8: SSL Sentinel Client Installation Complete Client Installation Warning Figure 9: Finished SSL Sentinel Client Install Some user may see the Windows Hardware Installation warning. Click CONTINUE ANYWAY. Figure 10: Windows Hardware Installation warning 20 Installing the SSL Sentinel Client: Windows

21 Configuring the SSL Sentinel Client 1. Client files include the following zipped or compressed files in a folder with the firewall host name. a. User key file b. User configuration c. User Certificate d. Firewall Certificate Figure 11: Zipped Directory Figure 12: Certificates and Configuration Files 2. Unzip the configuration files and certificates to C:\Program Files\GTA\SSL Sentinel Client Users accessing multiple files will have a directory for each firewall. Using the SSL Sentinel Client 1. To launch the client, select the SSL Sentinel Client icon on your desktop or navigate to the SSL Sentinel folder and click on SSL Sentinel Client. Figure 13: Desktop Icon Figure 14: Launching the Client 2. The SSL Sentinel Client icon will now display in the task bar. Below is an example of an unconnected client icon. Note the icon is BLACK. This indicates the client is NOT connected to SSL Sentinel. Figure 15: Unconnected Client Icon 3. Right click on the SSL Sentinel Client icon and select CONNECT. a. Figure 15 displays a connection panel for a user with a single SSL Sentinel Client configuration. b. Figure 16 displays a connection panel for a user with multiple SSL Sentinel Client configuration. Figure 17: Multiple Firewalls Figure 16: Single Firewall Installing the SSL Sentinel Client: Windows 21

22 4. Enter the username and password configured on the firewall and click OK. Figure 18: SSL Sentinel Client Login 5. The SSL Sentinel Client will connect to the remote firewall, establishing a secure VPN connection. The client, when connected, will display GREEN. Figure 19: Connected Client Icon 6. When the SSL Sentinel Client is connected to the remote firewall: a. It will automatically be assigned an IP Address, and DNS and Wins servers if configured to do so. b. Host routing tables will be updated for the remote networks reachable via the SSL VPN. c. Internal Access is controlled via the Accessible Networks defined by the firewall administrator, and by security polices defined to allow or access. 7. To close the VPN client connection, right click on the SSL Sentinel Client icon and select Disconnect. Figure 20: Disconnecting the Client 22 Installing the SSL Sentinel Client: Windows

23 Linux SSL Sentinel Client Installation Requirements GB-OS or higher Linux system with Tun/Tap support enabled in kernal (avaialble with Linux 2.4 and higher) Root access on the Linux system SSL Sentinel Client User access permissions for the SSL Sentinel Browser and Client on the firewall The host name or an IP Address assigned to the firewall s External Interface Downloaded client and configuration files. All required files may be downloaded via the firewall Web interface. Accessing the GTA Firewall SSL Sentinel Browser Interface for Download To access the SSL Sentinel Browser, open a Web browser and enter the IP address or host name of your firewall. If the firewall s SSL Sentinel browser is configured for a port other than 443, append with a colon and port number. Example: Figure 1: Location Bar with Non Standard Port The Login screen for the SSL Sentinel Browser will display. Enter your user login credentials to access the browser. If the virtual keyboard is required, you will have to use the virtual keyboard to enter your password. Use the shift key to access special characters. Figure 2: SSL Sentinel Login Note Administrators with SSL privileges logging in on the administration port will see the normal firewall administration interface and the SSL Sentinel Browser. Download the SSL Sentinel Certificates and Configuration Files All needed files can be downloaded from the Web interface at SSL Sentinel>Client. 1. Click on the LINUX/UNIX CLIENT CONFIGURATION BUNDLE DOWNLOAD. a. The users client configuration file and certificates will be downloaded in a zip file (including the CA certificate). b. The configuration file should be downloaded to your home directory (example: /home/user or /home/user/download). Figure 3: Linux/Unix Install Files Installing the SSL Sentinel Client: Linux 23

24 Note 2. Unzip the Client Configuration Bundle. > unzip client.zip This will create a folder with the firewall s host name. Note 3. For systems running selinux in enforcing mode, please perform the following steps: a. Enable OpenVPN Home Directory Permissions. > setsebool P openvpn _ enable _ homedirs 1 To temporarily (change will no longer be present after system reboot) set the selinux Boolean do not use the -P option. b. Restore Conetext of all of the Certificates and Key files that will be used. > restorecon v /home/user/download/firewall.example/user.crt > restorecon v /home/user/download/firewall.example/user.key > restorecon v /home/user/download/firewall.example/ca.crt Install OpenVPN 1. Using package manager (requires root privileges). a. Ubuntu/Debian > apt-get openvpn b. Fedora/Red Hat > yum install openvpn 2. Source code from the firewall (requires c++ compiler). a. Login to SSL Sentinel Interface. b. Navigate to SSL Sentinel>Client. c. Click on Linux / Unix Source download. This will download the source code. d. Extract the source code. > tar -xzf openvpn.tar.gz f. Change directories to the top-level of the extracted folder. g. Make and Install the Package. >./configure > make > make install 3. Download and Install from OpenVPN. a. Download - b. Install Instructions - howto.html#install Opening the Tunnel Using Command Line 1. Open a terminal. 2. Change directory to the location the downloaded zip file was extracted. > cd /home/user/download/ 3. Execute Open VPN with the Configuration File (requires root privilege). > openvpn -config firewall.example.ovpn 4. Enter User Credentials (open VPN will prompt your SSL Sentinel User Credentials). > Enter Auth Username: user > Enter Auth Password: 24 Installing the SSL Sentinel Client: Linux

25 Install Network Manager Plug-In Not required if using OpenVPN command line. 1. Using package manager. a. Ubuntu/Debian > apt-get NetworkManager-openvpn b. Fedora/Red Hat > yum install NetworkManager-openvpn Configure OpenVPN using Network Manager 1. Right click on the NETWORK MANAGER icon. 2. Select EDIT CONNECTIONS. 3. Select the VPN tab and click ADD. Figure 4: Network Manager Options Figure 5: VPN Tab 4. Select the connection type OPENVPN and click CREATE Figure 6: Select Connection Type Installing the SSL Sentinel Client: Linux 25

26 5. Enter a Connection Name. 6. Enter Gateway. This will be the IP address of the firewall that you are connecting. Figure7: Connection Name and Gateway 7. Select Type: Password with Certificates (TLS). 8. Enter the Username and Password configured for your user on the firewall. 9. Select the User Certificate. This is the user certificate included in the install bundle. 10. Select the CA Certificate. This is the firewall s CA certificate included in the install bundle. 11. Select the User Key. This is the private key associated with the User Certificate included in the install bundle. Figure 8: Configure the Connection 12. Click ADVANCED 13. Select the GENERAL tab. 14. Enable Use LZO data compression and Use a TCP connection. Figure 9: General Tab 26 Installing the SSL Sentinel Client: Linux

27 15. Select the SECURITY tab. 16. Select AES-192-CBC from the Cipher drop down. 17. Select SHA-1 from the HMAC Authentication drop down. The Default is SHA Click OK. 19. Select the IPV4 SETTINGS tab. Figure 10: Security Figure 11: IPV4 Settings 20. Click on ROUTES. 21. Check the option Use this connection only for resources on its network (without this option the routes will be such that all traffic will be forced through the OpenVPN client). 22. Click OK. 23. Click APPLY. Figure 12: Routes Open the Tunnel using Network Manager 1. Left click on the NETWORK MANAGER icon. 2. Go to VPN CONNECTIONS and select the name of the tunnel you just created. Figure 13: Opening the Tunnel Installing the SSL Sentinel Client: Linux 27

28 Mac SSL Sentinel Client Installation Requirements GB-OS or higher SSL Sentinel Client User access permissions for the SSL Sentinel Browser and Client on the firewall The host name or an IP Address assigned to the firewall s External Interface. Downloaded Client and configuration files. The SSL Sentinel Client and configurations files can be downloaded via the firewall Web interface. Accessing the GTA Firewall SSL Sentinel Browser Interface for Download To access the SSL Sentinel Browser, open a Web browser and enter the IP address or host name of your firewall. If the firewall s SSL Sentinel browser is configured for a port other than 443, append with a colon and port number. Example: Figure 1: Location Bar with Non Standard Port The Login screen for the SSL Sentinel Browser will display. Enter your user login credentials to access the browser. If the virtual keyboard is required, you will have to use the virtual keyboard to enter your password. Use the shift key to access special characters. Figure 2: SSL Sentinel Login Note Administrators with SSL privileges logging in on the administration port will see the normal firewall administration interface and the SSL Sentinel Browser. Downloading the SSL Sentinel Client, Certificates and Configuration Files 1. Navigate to SSL Sentinel>Client for all files needed for download. 2. Click on the Mac os x Installer Download. This will download the Mac OS installer. 3. Click on the Client Configuration Bundle to download the ZIP file containing the required certificates and configuration file. Figure 3: Mac OS Installer, Certificates and Configuration files. 28 Installing the SSL Sentinel Client: Mac

29 SSL Sentinel Client Installation GTA SSL Sentinel 1. Drag and drop the Tunnelblick application onto the shortcut to the Applications folder. This will copy the Tunnelblick application from the disk image to the user s Applications folder. Figure 4: Drag and Drop Tunnelblick to the Applications Folder 2. Unzip the Client Configuration Bundle to ~/Library/openvpn 3. Next, run Tunnelblick. The first time Tunnelblick is run after installation, an administrator s login is required. This is the administrator login for the Mac OS, not the configured firewall login. Figure 5: Enter System Login 4. Tunnelblick will then ask whether updates should be checked for automatically. Figure 6: Select Automatic Updates as Preferred 5. Once Tunnelblick has been started, an icon will appear at the top of the screen in the Status bar. 6. Click the Tunnelblick icon and select Connect. Figure 7: Connect to Tunnelblick Installing the SSL Sentinel Client: Mac 29

30 7. Enter the username and password configured on the firewall and click OK. Figure 8: Enter Username and Password 8. To disconnect, select the Tunnelblick icon and click Disconnect. Select Quit to close Tunnelblick completely. Figure 9: Disconnect from Tunnelblick 30 Installing the SSL Sentinel Client: Mac

31 Appendix A: Best Practice The follwing are GTA s recommended best practices for configuring and using the SSL Sentinel Browser and SSL Sentinel Client. Set up a Syslog service to log all SSL Sentinel and firewall activity. Keep GB-OS up to date with the latest patch releases. GTA incorporates the latest SSL Sentinel updates in firewall GB-OS releases. Require all hosts connecting to the firewall to have the latest OS patches as well as anti-virus, malware and spyware protection. SSL Sentinel Browser Use bookmarks in all cases. Only allow network browsing when absolutely necessary and restrict to administrative users if possible. Force Use of the virtual keyboards for all SSL Browser logins. When possible, use GBAuth to authenticate users before connecting to the SSL Sentinel Browser. Change the SSL Sentinel Browser default port to a different port number. When possible, do not reference external non-trusted sites in SSL Sentinel Browser or on internal web sites connected to via the SSL Sentinel Browser. SSL Sentinel Client Use the options for Redirect Client Gateway when all clients connect. This prevents connections to other sites when the SSL Sentinel Client is connected. When possible, use GBAuth to authenticate users before allowing access with SSL Sentinel Client. Change SSL Sentinel Client default port to a different port number. SSL Sentinel Client Security Polices should use: Source and destination networks in policies. Restricted access to required ports and services. Group based policies for access. Appendix A: Best Practices 31

32 Copyright , Global Technology Associates, Incorporated (GTA). All rights reserved. Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated. Technical Support GTA includes 30 days up and running installation support from the date of purchase. See GTA s Web site for more information. GTA s direct customers in the USA should call or GTA using the telephone and address below. International customers should contact a local Authorized GTA Channel Partner. Tel: support@gta.com Disclaimer Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation, including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications of the program and contents of the manual without obligation to notify any person or organization of such changes. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products. Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors. Trademarks & Copyrights GB-OS, Surf Sentinel, Mail Sentinel and GB-Ware are registered trademarks of Global Technology Associates, Incorporated. GB Commander is a trademark of Global Technology Associates, Incorporated. Global Technology Associates and GTA are service marks of Global Technology Associates, Incorporated. Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. UNIX is a registered trademark of The Open Group. Linux is a registered trademark of Linus Torvalds. BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley. WELF and WebTrends are trademarks of NetIQ. Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. Java software may include software licensed from RSA Security, Inc. Some products contain software licensed from IBM are available at Some products include software developed by the OpenSSL Project ( Mailshell and Mailshell Anti-Spam is a trademark of Mailshell Incorporated. Some products contain technology licensed from Mailshell Incorporated. All other products are trademarks of their respective companies. Global Technology Associates, Inc Lake Lynda Drive, Suite 109 Orlando, FL USA Tel: Fax: Web: info@gta.com 32 Copyright