StoneGate Administrator's Guide SSL VPN 1.1

Transcription

1 StoneGate Administrator's Guide SSL VPN 1.1

2 Legal Information End-User License Agreement The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website: General Terms and Conditions of Support and Maintenance Services The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website: Replacement Service The instructions for replacement service can be found at the Stonesoft website: index.html Hardware Warranty The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website: Trademarks and Patents The products described in these materials are protected by one or more of the following European and US patents: European Patent s , , , , , , , , , , and and US Patent s. 6,650,621; ; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737, 7,234,166, 7,260,843, and 7,280,540 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate, are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners. SSL VPN Powered by PortWise Disclaimer Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only. Copyright 2008 Stonesoft Corporation. All rights reserved. All specifications are subject to change. Revision: SGSVAG_

3 Table of Contents OVERVIEW 11 Introduction 13 StoneGate SSL VPN Documentation 14 Other Resources 14 Release tes 14 Online Help 14 Technical tes 14 Conventions Used in this Publication 14 Special Fonts 14 Types of tes 15 Structure of the Guide 15 Contact Information 16 Licensing Issues 16 Technical Support 16 Your Comments 16 Other Queries 16 What s New? 17 New Features in StoneGate SSL VPN Adaptive Single Sign-on 18 Application Single Sign-on 18 BankID Renamed to E-ID 18 Mirroring for High Availability and Load-Balancing 18 New Standard resources 18 Reworked SMS tification Channel Configuration 18 System Time Setting in Web Console 18 Support for vell edirectory for Password Management 18 Support for OCSP 19 Windows Vista Support for Access Client 19 New Features in StoneGate SSL VPN Backup and Restore Scripts 19 Support for IBM Tivoli and RACF for Password Management 19 Documentation Changes 19 How-To Content in the Administrator s Guide 19 Technical te on ActiveSync 19 System Overview 21 Product Overview 22 Assessment 22 How Does It Work? 23 Authentication 23 Authorization 24 Access 24 How Does It Work? 24 Add a user account 24 Add access rules 24 Add a resource protected by the access rules 25 Auditing 25 How Does It Work? 25 Abolishment 25 How Does It Work? 26 System Services 27 Introduction to System Services 28 Administration Service 28 Access Point 29 Advanced Access Point Features 29 Mirroring 29 Trusted Gateways 29 Cipher Suites 29 Link Translation and DNS Mapping 29 Policy Service 30 3

4 Resources 30 Standard Resources 31 Access Rules 32 Single Sign-On 32 Cookie-based Authentication 32 Text-based Authentication 33 Authentication Service 33 StoneGate Authentication 33 Planning 35 Define the Deployment Goals 36 Initial Questions 36 Security Audit/Planning 36 System Architecture Review 36 Public Key Infrastructure 36 User Management Strategy 37 Analyzing Your Environment 38 Directory Service Requirements 38 Password Management 38 Use of Foreign Characters 39 Securing Microsoft Active Directory 39 Recommendations for DNS Management 39 Recommendations for the Active Directory Installation 40 Recommendations for Domain and OU Management 40 Recommendations for Tree and Forest Management 40 Recommendations for Object Access Control Management 40 Recommendations for Replication Management 41 Recommendations for Operations Masters 41 Recommendations for Auditing 41 Resource Access 41 Access Strategies 41 Using Groups 42 Naming Conventions 42 Select Authentication Methods 42 Pre-Installation Check List 43 The StoneGate Network 44 Services 44 Default Listening Ports 44 Administration 47 About StoneGate SSL VPN Administrator 48 Top Menu 48 Online Help 49 Getting Started 49 StoneGate SSL VPN Administrator 49 How To 49 Navigate in StoneGate SSL VPN Administrator 50 Monitor System 50 System Status 50 User Sessions 50 Log Viewer 50 Logging 50 License 50 Alerts 50 Reports 50 Manage Accounts and Storage 50 User Accounts 51 User Linking 51 User Link Repair 51 User Import 51 User Groups 51 User Storage 51 Global User Account Settings 51 Manage Resource Access 51 Standard Resources 51 Web Resources 51 Tunnel Resources 52 Tunnel Sets 52 Client Firewalls 52 Customized Resources 52 Access Rules 52 Application Portal 52 SSO Domains 52 Identity Federation 52 Global Resource Settings 52 Manage System 53 Authentication Methods 53 Abolishment 53 Assessment 53 RADIUS Configuration 53 tification Settings 53 Device Definitions 53 Delegated Management 53 Access Points 54 4

5 Policy Services 54 Authentication Services 54 Administration Service 54 Directory Service 54 CONFIGURATION 55 Basic Configuration 57 Overview to Basic Configuration 58 Adding User Accounts 58 Adding Access Rules 59 Configuring Resource Access 60 Adding Web Resources 60 Adding Tunnel Resources 61 Configuring End-Point Security 62 End-Point Security Configuration 62 Configure End-Point Security Client Scan 63 Add Access Rule of the type End-Point Security 64 Add Authentication Method End-Point Security 65 Add Application Portal as a Resource 65 Setting the System Time 66 Advanced Configuration 69 Connecting to the Command Line Interface 70 Working With Backups 71 Backing up StoneGate SSL VPN 71 Restoring a StoneGate SSL VPN Backup 72 Configuring Mirroring 73 Configuration Overview 73 Preparing for Mirroring 74 Configuring Basic System Services for Mirroring 74 Configuring Administrator Web Resources for Mirroring 76 Setting up the Administrator Service for Mirroring 76 Setting up Appliances as Primary and Secondary 77 Adding SSO Domains 77 Add Resource to SSO Domain 78 Changing the Default Length of Mobile ID Password 78 Configuring WPA Authentication 79 Import CA Certificate 79 Import server certificate 79 Set server certificate for the Authentication Service 80 Configure Appliance as a RADIUS Client for the Authentication Service 80 Setting up Authentication Using RADIUS Groups 80 Create Authentication Method of the type General RADIUS 80 Create User Property Group 81 Setting up Form-based SSO with Citrix MetaFrame 81 Add Standard Resource of the Type Citrix MetaFrame Presentation Server 82 Edit Advanced Resource Settings 82 Add SSO Domain 83 Add Resource Path 83 Setting up Terminal Services in Web Browser 84 Download Remote Desktop Web Connection from Microsoft 84 Create the Tunnel Resource 84 Create the Tunnel Set 85 Allowing Users to Change Their Password in Directory Service 86 Using for OTP Authentication 87 Configure SMTP Channel 87 Configure SMS Setting Per User Account 87 Change Directory Mapping Attribute for tification SMS 88 Upgrading 89 Upgrading from 1.0 to To upgrade from 1.0 to Checking User Links After the Upgrade from 1.0 to Upgrading (From Version 1.1) 91 SETTINGS 93 Monitor System 95 About Monitor System 96 Status Overview 96 5

6 Event Overview 96 Manage Monitor System 96 Status Overview 96 Users 96 Resources 97 System information 97 Administrators 97 Event Overview 97 Manage Settings 98 Settings 98 System Status 99 General Status 99 Access Points 99 Policy Services 99 Authentication Services 99 User Sessions 99 Settings 100 Log Viewer 100 Diagnostics File 101 Log Viewer Settings 101 Logging 102 Manage Logging 103 Log Level Filter 104 Log File Rotation 104 Syslog 104 Manage Global Logging Settings 104 Settings 105 License 106 View License Details 106 Upload New License 107 Settings 107 Alerts 107 Alert Events 108 Manage Alerts 108 Alert Settings 108 Alert Event Settings 108 Alert tification Receivers 109 Settings 110 Manage Global Alert Settings 112 Settings 113 Reports 114 Time Range 115 Filters 115 Graphics 116 Statistics 117 Data Retrieval 117 About Report Database 117 Limitations 117 Backup and Restore 118 Scheduled Cleanup 118 Forced Cleanup 118 Database Growth 118 Manage Reports 119 Set Time Range 119 Assessment Report Settings 120 Abolishment Report Settings 121 Access Report Settings 121 Authentication Report Settings 122 Authorization Report Settings 122 Account Statistics Report Settings 123 Session Trend Report Settings 123 Communication Report Settings 124 Alert Report Settings 124 System Report Settings 124 Performance Report Settings 125 Tunnel Report Settings 125 Settings 126 Manage Accounts and Storage 127 About Accounts and Storage 128 User Accounts 128 User Import and Linking 128 User Groups 128 User Storage 129 Global User Account Settings 129 About User Linking 129 About User Link Repair 130 Manage Global User Account Settings 130 General Settings 130 Manage User Linking 131 Settings 133 General Settings 133 6

7 Auto Repair 135 User Linking 135 User Accounts 138 User Account Search Result List 139 Add User Account 139 User Linking 140 User Import 141 StoneGate Authentication 141 Single Sign-On Domain Settings 141 User Certificate 141 Manage User Accounts 142 Manage User Accounts 142 General Settings 142 Manage Authentication Settings 143 Manage SSO Settings 144 User Certificate 144 Settings 145 User Linking 155 Manage User Linking 155 Manage User Link Repair 155 Settings 156 User Import 156 Manage User Import 157 Settings 160 User Groups 160 About User Location Group 160 About User Property Group 160 About User Groups in Directory Service 160 Manage User Groups 161 Manage User Property Groups 161 Manage User Location Groups 161 Settings 162 User Storage 163 Search Rules 163 Directory Mapping 163 Manage User Storage 163 General Settings 163 Manage Search Rules 164 Search Scope 164 Settings 165 Manage Directory Mapping 166 Settings 166 Self Service 167 Self Service Example 167 Manage Self Service 168 Manage System Challenges 168 Add Challenges to Functions 169 Settings 171 Enabling Authentication Methods for Self Service 172 Manage Resource Access 173 About Resource Access 174 Access Rules 174 Standard Resources 174 Global Resource Settings 174 About Internal Proxy 174 About DNS Name Pool 175 About Filters 175 About Link Translation 176 URL Mapping 177 Pooled DNS mapping 177 Reserved DNS Mapping 177 Manage Global Resource Settings 178 General Settings 178 Filters 178 Path 178 Content Type 179 Link Translation 179 DNS Name Pool 180 DNS Name Pool 180 Settings 181 Standard Resources 184 Manage Standard Resources 184 Common Standard Resource Settings 185 Special Settings 185 Application Portal Settings 185 Access Rules 185 Standard Resources Settings 185 Citrix MetaFrame Presentation Server 185 Terminal Server 2000 and Outlook Web Access 2000/Outlook Web Access 2003/Outlook Web Access 2007/Outlook Web Access Microsoft Outlook Client 2000/2003/

8 POP3/SMTP 188 IMAP/SMTP 188 Windows File Share 188 Access to Home Directory 189 StoneGate SSL VPN Administrator 189 SalesForce 190 Settings 190 Web Resources 193 Single Sign-On 194 Manage Web Resource Hosts 194 General Settings 194 Access Rules 198 Advanced Settings 199 Access Settings 199 Authorization Settings 199 Settings 200 Manage Web Resource Paths 203 General Settings 203 Settings 204 Access Rules 205 Advanced Settings 206 Settings 207 Tunnel Resources 208 Manage Tunnel Resources 208 Tunnel Resource Settings 209 Alternative Hosts 209 Access Rules 209 Advanced Settings 210 Settings 210 Tunnel Resource Networks 212 Manage Tunnel Resource Networks 212 Tunnel Resource Network Settings 212 Access Rules 212 Advanced Settings 213 Settings 214 Tunnel Sets 215 Access Client 216 Manage Tunnel Sets 216 Tunnel Set Settings 216 Application Portal Settings 216 Static Tunnel Settings 217 Dynamic Tunnel Settings 219 Startup Settings 220 Advanced Settings 220 Additional Client Configuration 222 Fallback Tunnel Set 222 Access Rules 225 Manage Global Tunnel Set Settings 225 External DHCP Settings 225 Use External DHCP 225 DHCP Server 226 IP Address Pool 226 DNS Server 226 Settings 226 Client Firewalls 228 Prevent Other Network Connections to be routed 228 Check the Integrity of Connecting Application 228 How Does It Work? 229 Incoming Rules 229 Outgoing Rules 229 Exceptions 230 Firewall Rules Based on Device 230 Manage Client Firewalls 231 Settings 231 Incoming Firewall Rules 231 Settings 232 Outgoing Firewall Rules 232 Settings 233 Customized Resources 234 Manage Customized Resource Hosts 234 Customized Resource Host Settings 234 Manage Customized Resource Paths 236 Customized Resource Path Settings 236 Access Rules 237 Advanced Settings 237 Access Rules 239 Access Rule Types 239 Authentication Method 239 User Group Membership 239 IP Address of Incoming Client 240 Client Devices 240 Date, Day, and/or Time 240 User Storage 240 Assessment 240 Abolishment 240 Access Point 241 Identity Provider 241 Custom-defined Access Rule 241 8

9 Managing Access Rules 241 Manage Access Rules 241 Manage Global Access Rule 242 Selecting Registered Access Rules 242 Creating New Access Rules 243 Manage Access Rules for Resource or SSO Domain 243 Selecting Registered Access rules 243 Creating New Access Rules 243 Global Access Rule 244 Access Rule Settings 244 Authentication Method 244 User Group Membership 244 IP Address 245 Client Device 245 Date, Day, and/or Time 245 User Storage 245 Assessment 245 Microsoft Windows 246 Abolishment 249 Access Point 250 Identity provider 250 Custom-defined 250 Manage Global Access Rule 250 Settings 250 Application Portal 255 Access Client 256 Manage Application Portal 256 Application Portal Item Settings 256 Settings 257 SSO Domains 259 Access Rules 260 Domain Types 260 Manage SSO Domains 261 SSO Domain Settings 261 Domain Attributes 262 Access Rules 263 Settings 264 Identity Federation 266 SAML ADFS 266 Identity Management 266 Assertions 267 Preconditions 267 Service Provider 267 Identity Provider 267 Manage Identity Federation Settings 267 Global Identity Federation Settings 267 Settings 268 Manage SAML 2.0 Identity Federation Settings 268 Service Providers 268 Identity Providers 268 Settings 269 Manage ADFS Identity Federation Settings 270 Service Providers 270 Identity Providers 271 Settings 271 Manage System 275 About Manage System 276 Abolishment 276 Manage Abolishment 276 General Settings 277 Cache Cleaner 278 Advanced 278 Access Points 280 Web and WAP Access 280 Internet Channels 280 Authentication 281 Access Control 281 Encryption 281 Digital Signatures 281 Session Handling 281 The Access Client 281 Manage Access Points 282 Access Point Settings 282 Additional Listeners 282 Settings 283 Manage Global Access Point Settings 284 Advanced Settings 284 Cipher Suites 286 Client Access 286 Performance 286 Trusted Gateways 287 Load-Balancing 287 Settings 288 Administration Service 295 Configuration 295 Manage Administration Service 296 9

10 Administration Service Settings 296 Settings 296 Assessment 297 Manage Assessment 297 General Settings 297 Advanced Settings 301 Plug-ins 301 Authentication Methods 302 StoneGate Authentication Methods 303 Additional Authentication Methods 305 Manage Authentication Methods 307 General Settings 307 Settings 308 Authentication Method Server 313 Settings 313 RADIUS Replies 323 Settings 323 Extended Properties 324 User attribute 325 User name may not change during session 325 Allow user not listed in any User Storage 325 User account required prior authentication 326 Save credentials for SSO domain 326 Lock User ID to Session 326 Settings 326 Authentication Services 332 Manage Authentication Services 333 Authentication Service Settings 333 Settings 335 Manage Global Authentication Service Settings 336 RADIUS Authentication 336 Password/PIN 337 Messages 343 SMS/Screen Messages 347 Certificates 351 Registered Server Certificates 352 Registered Client Certificate 352 Manage Certificates 352 Certificate Authority Settings 352 Server Certificate Settings 353 Client Certificate Settings 354 Settings 354 Device Definitions 356 Manage Device Definitions 356 Settings 357 Delegated Management 357 Manage Delegated Management 357 Role Settings 358 Settings 359 Directory Services 361 Manage Directory Services 361 General Settings 361 Communication Settings 362 Advanced Settings 362 Settings 363 tification Settings 365 Manage tification Settings 365 Channel Settings 365 SMS Channel Settings 366 Policy Services 373 Manage Policy Services 374 General Settings 374 XPI: Web Services 375 Settings 375 Manage Global Policy Service Settings 376 Communication Settings 376 Settings 377 RADIUS Configuration 377 RADIUS Back-end Servers 378 Manage RADIUS Configuration 378 RADIUS Client Settings 378 Manage RADIUS Back-End Servers 379 Settings 380 APPENDICES 381 Legal Information 383 Glossary

11 Overview

12

13 CHAPTER 1 Introduction This chapter provides you an overview to this guide and other information resources available to you. It also contains the contact information for reaching Stonesoft. The following sections are included: StoneGate SSL VPN Documentation, on page 14 Structure of the Guide, on page 15 Contact Information, on page 16 13

14 StoneGate SSL VPN Documentation Welcome to StoneGate SSL VPN Administrator s Guide your reference guide to a secure and flexible solution for safe access to any and all of your internal and external resources and applications. This manual covers all aspects of StoneGate SSL VPN and is intended for both administrators and system integrators. Most sections in this guide begin with an overview to the subject at hand and continues with a Managing... section that explains the configuration options in detail. Other Resources Most documents referenced in this book, such as technical notes, can be accessed directly from the StoneGate SSL VPN Administrator Dashboard. Release tes Contains important information about the release. Available at the Stonesoft Web site. Online Help Contains context sensitive help and in-depth conceptual information. Available in the StoneGate SSL VPN Administrator. Technical tes Available on the StoneGate SSL VPN Administrator Dashboard. Conventions Used in this Publication This publication uses various conventions to present information. Words that require special treatment appear in specific fonts or font styles. Certain information, such as command-line options, uses special formats so that you can scan it quickly. Special Fonts This publication uses several typographical conventions. All code listings, reserved words, and the names of actual data structures, constants, fields, parameters, and routines are shown in monospaced font (this is monospace). Words that appear in boldface are menu items and/or settings in the StoneGate SSL VPN Administrator. 14 Chapter 1: Introduction

15 Types of tes This publication uses two types of notes. te A note like this contains information that is interesting but possibly not essential to an understanding of the main text. Caution A note like this contains information that is essential for an understanding of the main text. Structure of the Guide The StoneGate SSL VPN Administrator s Guide covers all areas related to StoneGate SSL VPN Administrator. The initial setup and configuration tasks are explained in the Appliance Installation Guide delivered with the appliance. Below is an outline of the main parts in this book and what each part covers. 1. Introduction, on page 13 The chapter you are reading now. 2. What s New?, on page 17 Information on changes done to the StoneGate SSL VPN software since the previous release. 3. System Overview, on page 21 General overview to the features and benefits offered by StoneGate SSL VPN. 4. System Services, on page 27 Introduction to the system and its parts. 5. Planning, on page 35 This chapter deals with preparations to perform before installing. It also contains recommendations for a successful deployment. 6. Administration, on page 47 This chapter is a general introductory overview of how to navigate in StoneGate SSL VPN Administrator. 7. Basic Configuration, on page 57 This chapter explains the basics of setting up your system step-by-step. 8. Advanced Configuration, on page 69 This chapter explains configuration steps for some common tasks that go beyond the basic seting up of the system. 9. Upgrading, on page 89 This chapter explains how you can upgrade the software on your StoneGate SSL VPN appliance. 10.Monitor System, on page 95 This chapter covers all aspect of the Monitor System section in the StoneGate SSL VPN Administrator. 11.Manage Accounts and Storage, on page 127 Structure of the Guide 15

16 This chapter covers all aspects of the Manage Accounts and Storage section in the StoneGate SSL VPN Administrator. 12.Manage Resource Access, on page 173 This chapter covers all aspects of the Manage Resource Access section in the StoneGate SSL VPN Administrator. 13.Manage System, on page 275 This chapter covers all aspects of the Manage System section in the StoneGate SSL VPN Administrator. 14.Glossary, on page 411 Contact Information For street addresses, phone numbers, and general information about StoneGate and Stonesoft Corporation, visit our Web site at Licensing Issues You can view your current licenses at the License Center section of the Stonesoft Web site at For license-related queries, Technical Support Stonesoft offers global technical support services for Stonesoft s product families. For more information on technical support, visit the Support section at the Stonesoft Web site at Your Comments We want to make our products suit your needs as well as possible. We are always pleased to receive any suggestions you may have for improvements. To comment on software and hardware products, feedback@stonesoft.com. To comment on the documentation, documentation@stonesoft.com. Other Queries For queries regarding other matters, info@stonesoft.com. 16 Chapter 1: Introduction

17 CHAPTER 2 What s New? This section lists major changes since the previous release. Most new or reworked features in the software are listed here. Changes that do not significantly affect the way StoneGate is configured are not listed. For a full list of changes in the software, consult the Release tes. The following sections are included: New Features in StoneGate SSL VPN 1.1, on page 18 New Features in StoneGate SSL VPN 1.0.2, on page 19 Documentation Changes, on page 19 17

18 New Features in StoneGate SSL VPN 1.1 Adaptive Single Sign-on Adaptive SSO is a form-based SSO that does not need to be configured, but learns its configuration automatically. For more information, see Adaptive Single-Sign On, on page 195. Application Single Sign-on In addition to Web applications, application SSO now supports also Windows fileshares and Microsoft Terminal Services. BankID Renamed to E-ID The BankID authentication method has been renamed to the more general term E-ID. The use of this method is not affected by this change. Mirroring for High Availability and Load-Balancing You can set up a pair of access points so that the configuration is automatically copied from a designated primary appliance to a secondary appliance. An external load-balancer can then balance the incoming traffic to either appliance to share the load and to provide a backup for the primary appliance, for example, during scheduled maintenance. For more information, see Configuring Mirroring, on page 73. New Standard resources Additional wizards have been added for easy access control to more services. For more information, see Standard Resources, on page 184. Reworked SMS tification Channel Configuration Setting up the SMS notification channel is now simpler. For more information, see tification Settings, on page 365 System Time Setting in Web Console You can now set the system time in the Web console. We recommend that you make sure the time and time zone are set correctly to ensure correct operation. Setting the System Time, on page 66. Support for vell edirectory for Password Management vell edirectory servers are now supported for password management. For more information, see Authentication Methods, on page Chapter 2: What s New?

19 Support for OCSP Support for OCSP (Online Certificate Status Protocol) has been added. It is superior to revocation lists in large-scale PKI implementations. For more information, see Manage Authentication Methods, on page 307. Windows Vista Support for Access Client The Access Client now supports Windows Vista. For more information, see the StoneGate SSL VPN Technical te 2082 (Deploying Access Clients). New Features in StoneGate SSL VPN Exceptionally, also the minor release introduced new features. Backup and Restore Scripts Since StoneGate SSL VPN 1.0.2, backup creation and restoration can be done simply by running a script. The backup is stored in a single archive file. For more information, see Working With Backups, on page 71. Support for IBM Tivoli and RACF for Password Management IBM Tivoli and RACF are now supported for password management. For more information, see Authentication Methods, on page 302. Documentation Changes How-To Content in the Administrator s Guide This Administrator s Guide has been divided in sections, and step-by-step configuration instructions have been added to the book (starting from Configuration, on page 55). Technical te on ActiveSync The technical note TN2086 Setting up ActiveSync has been added to the StoneGate SSL VPN technical library. It is available through the administration portal and at the technical documentation library at the Stonesoft Web site. The document covers how you can enable secure push mail from a Microsoft Exchange environment to any ActiveSync-enabled handheld device and explains the device lock mechanism that can disable access from lost or stolen devices. New Features in StoneGate SSL VPN

20 20 Chapter 2: What s New?

21 CHAPTER 3 System Overview This chapter provides an overview to the benefits you gain from the StoneGate SSL VPN solution. The following sections are included: Product Overview, on page 22 Assessment, on page 22 Authentication, on page 23 Authorization, on page 24 Access, on page 24 Auditing, on page 25 Abolishment, on page 25 21

22 Product Overview Users today rely on access to applications and information from any location using any device, for maximum business productivity and return-on-investment. By implementing a security strategy immediately, organizations can ensure that customer trust is kept, profits are not lost, and the brand image is not damaged by malicious attacks. StoneGate SSL VPN covers entry-to-exit security by following the six core principles of security, also known as the six A s. The six A s follows a holistic approach to security to ensure that users and organizations are completely protected using best of breed technologies: Assess: Inspect user devices to ensure they comply with the corporate security policy Authenticate: Identify that users are who they claim to be Authorize: Determine which applications users gain access to Access: Create a secure encrypted network link between users devices and the desired application or information Audit: Audit who accessed which application, when did they do it, and what did they download Abolish: Remove all traces of access to the corporate network from user devices on completion of the session Assessment StoneGate SSL VPN inspects, or assesses, client devices to ensure compliance with your corporate security policy. Requirements may include assessment of: Firewall and anti-virus software Operating systems and patches Spyware checking Device type Network configuration n-compliant devices may be refused entry, or be referred to software update sites. 22 Chapter 3: System Overview

23 How Does It Work? When activated, Assessment inspects the client computer and makes a security assessment before the user is granted access to a resource. This step complements the proceeding user authorization by verifying that the client computer is actually an authorized computer and has been properly protected. You create access rules on which the actual security assessment and policy verification is based. The security assessment can be configured and extended to support your security policy. The communication and data from the client computer is protected and an intruder cannot modify any evidence collected from the client computer. Please refer to the Online Help and Manage Assessment, on page 297, for detailed information on how to setup Assessment Client Scans. Authentication Authentication in StoneGate SSL VPN is made easy for the user. All requests flow through a web of specialized services, some of which may run on external servers: the Access Point, the Policy Service, the Authentication Service, and back again. But for the user, the single point of contact is a Web browser when accessing resources. To put it simply, the Access Point service verifies the identity of the user by forwarding the user credentials via the Policy Service to the Authentication Service, which in turn compares the information with credentials stored in the user storage. When the control is completed, a Request Accept is sent to the Access Point which allows the user to enter. The Authentication Service supports five authentication methods relying on the RADIUS protocol: StoneGate Mobile Text StoneGate Web PortWise Challenge StoneGate Password PortWise Synchronized Also supported are other RADIUS authentication methods such as SafeWord and SecurID. One feature in StoneGate SSL VPN is the management of Certificate Authorities. It provides, among other things, the opportunity to specify several parameters concerning certificate revocation: Certificate Authority Revocation List and Certificate Revocation List retrieval. Access control is specified by means of roles that link user groups with resources. A number of authentication methods can be set for each resource and it is also possible to specify multiple authentication methods for a specific resource. Examples of Authentication 23

24 authentication methods are client certificates, business rules, and RADIUS compliant methods. All authentication methods can be used in combination. Authorization Access rules are defined to allow users access to resources. All resources are associated with at least one access rule, consisting of requirements such as authentication methods, date or time restrictions, or user-group memberships. StoneGate SSL VPN also provides access control in conjunction with firewalls and access control in the internal systems. The firewall access control is performed when users interact with the system. The access control is performed on the same level of security as the firewall, which is on both IP and port level. Behind the scene, a complex chain of events verifies the identity of the user, secure the protection of the resource, and log all activities surrounding its access. Resources are typically applications, either Web-enabled applications or files accessible from the Web, or client-server applications accessed through tunnels. Access Any kind of resource, usually an application, can be accessed through the Application Portal and the Access Client. Resources include Web, Client Server, Terminal Server, and File Server applications. By using the Application Portal the complexity of how access is granted is hidden from the user. The Access Client creates a secure encrypted network tunnel between the user device and the application. You may define possible limitations for user access. StoneGate SSL VPN is designed for 24/7 access. How Does It Work? We recommend that systems administrators use the workflow outlined below to ensure secure application access. Add a user account When creating StoneGate user accounts, you can define specific levels of security for a group of or individual users regarding password management or authentication methods, and so on. See User Management Strategy, on page 37 for recommendations regarding user management. Add access rules Access rules protect resources by allowing or denying access, and specify the requirements for a particular user, resource group, or communication channel. 24 Chapter 3: System Overview

25 Add a resource protected by the access rules With your user management strategy and access rules defined and in place, you simply add the applications your users will access. Resource hosts and specific paths are defined, and you choose how the application is presented in the Application Portal. Please refer to the Online Help and Manage User Accounts, on page 142, for detailed information on how to add user accounts, and Managing Access Rules, on page 241 and Manage Standard Resources, on page 184 for information on access rules, and resources. Auditing Auditing in StoneGate SSL VPN provides: Central capture of all access to corporate applications Real-time and historical reports covering all of the six A s, plus system and performance reports Permanent record of application access The advanced auditing features in StoneGate SSL VPN provide organizations with the tools to meet strict industry, government, and corporate compliance regulations. How Does It Work? The StoneGate SSL VPN Log Viewer is used to filter and display the log messages. The Report Generator then stores these messages in the report database. You then use different filters to create reports using different presentation formats, which also are configurable. Please refer to the Online Help and Manage Logging, on page 103, for detailed information on how to search logs using special characters and quoted searches. Also see Manage Alerts, on page 108 and Manage Reports, on page 119 for information on how logs are used in these features. Abolishment With StoneGate SSL VPN all traces of access to the corporate network on completion of the session can be removed. Browsers are renowned for creating a snail trail of information during an access session, including: Cookies URL history Cached Pages Registry Entries Downloadable Components All these objects can be eradicated. Auditing 25

26 26 Chapter 3: System Overview How Does It Work? When Abolishment is enabled, secure cleanup of a client computer removes all traces of the user session. For example, you could define: Cleaning of relevant Microsoft Internet Explorer cache entries - all cache information is deleted after the session is ended. Cleaning of MS Internet Explorer History entries - all contents in the History folder is deleted. Cleaning of downloaded files - all files created and saved during the session are deleted. Please refer to the Online Help and Manage Abolishment, on page 276, for detailed information.

27 CHAPTER 4 System Services This chapter introduces the services that comprise the StoneGate SSL VPN system. The following sections are included: Introduction to System Services, on page 28 Administration Service, on page 28 Access Point, on page 29 Advanced Access Point Features, on page 29 Policy Service, on page 30 Authentication Service, on page 33 27

28 Introduction to System Services Illustration 4.1 StoneGate Network Administration Service From a systems administrator s point of view, the Web user interface StoneGate SSL VPN Administrator is StoneGate SSL VPN, but as the illustration above demonstrates, that is not the case. StoneGate SSL VPN is a complete network of services, with the Administration Service as the natural connecting point, or hub, and the StoneGate SSL VPN Administrator its interface. All these services work together as a selfcontained unit in each StoneGate SSL VPN appliance. Optionally, authentication and user storage may be handled by external servers. You publish all updates in the StoneGate SSL VPN Administrator to the different services, and monitor and manage all user activity in real-time. Please refer to the Online Help for detailed information on how to configure and manage the different services, directory services, and resources. te Regular backups of the Administration Service are strongly recommended. 28 Chapter 4: System Services

29 Access Point As the gatekeeper for all resource and access requests, the Access Point is on constant alert, listening for incoming communication. Illustration 4.2 Default Listening Ports for the Access Point All requests are logged, filtered, encrypted, and forwarded to the Policy Service or a resource host depending on the type of request. Advanced Access Point Features Mirroring You can set up a pair of access points so that the configuration is automatically copied from a designated primary appliance to a secondary appliance. An external load-balancer can then balance the incoming traffic to either appliance to share the load and to provide a backup for the primary appliance, for example, during scheduled maintenance. The user sessions are shared between the appliances, so that requests can be processed correctly no matter which appliance receives the request. Trusted Gateways A client connecting to the Access Point may not have a secure connection, but incoming traffic from the trusted gateway (a specified IP address and port) is assumed to have a specified level of security. Cipher Suites When an SSL connection is initialized, the client and server determine a common cipher value to be used for key exchange and encryption. Various cipher values offer different types of encryption algorithms and levels of security. Link Translation and DNS Mapping Link translation is used to ensure that all traffic to registered Web resource hosts are routed through the Access Point, which in turn enables the use of SSL and a secure connection. With link translation, Web resource hosts are as secure as tunnel resource hosts. Access Point 29

30 A link can sometimes be divided into subsets, for example by protocol, host, and path, and then dynamically put together by the browser to form a link. In that case, the Access Point cannot interpret the link and consequently cannot translate it. To solve this, DNS mapping is used. A DNS name or an IP address pointing to the Access Point is mapped to an internal host and protocol: a mapped DNS name. All mapped DNS names are added to a DNS name pool. From there, you map Web hosts to DNS names using one of two methods: 1. Reserved DNS mapping - the Web resource is mapped to a specific DNS name in the DNS name pool. 2. Pooled DNS mapping - the Web resource is assigned the first available DNS name from the DNS name pool. Policy Service An important part of StoneGate SSL VPN is the authentication, authorization, and auditing service - the Policy Service. It provides policy management, authentication, authorization, and log services regardless of service or communication channel. All authentication methods are configured in the Policy Service, so when a request comes in, the Policy Service evaluates the appropriate access rules and forwards the request to its destination. Resources In StoneGate SSL VPN, applications, folders and files, and URLs are registered as Web or tunnel resources. Web-enabled applications are registered as Web resources, and client-server applications that are not Web enabled are registered as tunnel resources. You then protect the resources with access rules, authorization settings, and encryption levels to create seamless, secure access control. Users access the resources through the Web-based Application Portal, the Access Client, or directly in a Web browser using shortcuts. For users to be able to access a resource, you need to configure a resource host and specify if it will be available in the Application Portal or not. A resource host can have one or several paths. There are three different types of resource hosts: Web Resources Tunnel Resources Customized Resources Tunnel Resources are collected into Tunnel Sets where each tunnel in the set points to a tunnel resource. 30 Chapter 4: System Services

31 Standard Resources We have collected several of the most frequently used resources as Standard Resources. The purpose of this is to minimize your configuration time. File Sharing Resources Microsoft Windows File Share Access to Home Directory Mail IMAP/SMTP POP3/SMTP Outlook Web Access 5.5 Outlook Web Access 2000 Outlook Web Access 2003 Outlook Web Access 2007 MS Outlook Client 2000/2003/2007 Portal Resources Citrix Metaframe Presentation Server Microsoft Sharepoint Portal Server 2003 Administration Resources StoneGate SSL VPN Administrator Remote Controlling Resources Microsoft Terminal Server 2000 Microsoft Terminal Server 2003 Other Web Resources SalesForce The standard resources are: Outlook Web Access 2003 Outlook Web Access 2000 Domino Web Access 6.5 Citrix MetaFrame Presentation Server Terminal Server 2003 Terminal Server 2000 MS Outlook Client 2000/2003 File Sharing Access to Home Directory You can edit the standard resource settings just as easily as any other type of resource. For more information, see the Online Help and Manage Standard Resources, on page 184. Policy Service 31

32 Access Rules StoneGate SSL VPN authorization makes the access decisions using access rules. These rules rely on: who wants access what resource or service is requested what communication channel (or device) is used which authentication methods are most suitable Access rules protect resources by allowing or denying access, and specify the requirements for a particular user, resource group, or communication channel. Additionally, business related conditions can be customized for services. For example, only customers who are allowed credit are able to use the ordering function. Access Control Lists (ACLs) stored in existing systems such as mainframes and databases can be reused in StoneGate SSL VPN. ACL is a list of security protections that apply to an entire object, a set of the object s properties, or an individual property of an object. In Microsoft Active Directory for example, there are two types of ACLs: discretionary and system. See the Online Help and Managing Access Rules, on page 241, for detailed information on how to add and use Access Rules. Single Sign-On Single Sign-On (SSO) permits users to enter their credentials once, which then gives them access to several resources without the need to re-authenticate when accessing each resource. All resources using the same user credentials can be defined in a SSO domain. When user credentials are modified, the changes apply to all resources in the SSO domain. When using the system for the first time, users are prompted for SSO credentials (user ID and password). The SSO credentials are stored per user account and retrieved whenever the user accesses resources registered in a SSO domain. If credentials are changed, the user will be prompted for authentication. SSO domains are divided into two domain types: Text Cookie Depending on which type you choose, different domain attributes can be associated with the SSO domain. Both types can be protected by access rules. To use form based logon for an SSO domain, you need to design a Web form for access to each resource in the SSO domain. Cookie-based Authentication Cookie-based authentication is used to send authentication information in HTTP headers. A common use of cookie SSO is when back-end applications only want to read the authentication information at the very first request. 32 Chapter 4: System Services

33 Text-based Authentication Text-based authentication is used to send authentication information as text, with different attributes defining the information needed. When adding all domain attributes for the domain type text (user name, password, and domain), the Microsoft authentication method NTLM is used. When the attributes user name and password are added, the Basic authentication method is used. It is the most commonly used authentication method for Web environments. Authentication Service The Authentication Service provides mobile users with strong authentication methods that can be used regardless of device and location. Illustration 4.3 Authentication Service as RADIUS proxy The Authentication Service can act as a RADIUS proxy, that is, proxy the authentication request to another RADIUS server. StoneGate Authentication StoneGate authentication refers to the Authentication Service using the StoneGate authentication methods Mobile Text, Web, Challenge, Password, and Synchronized. All methods can be used on your laptop or desktop computer. When using the Synchronized or Challenge methods, users install Mobile ID client applications on the device being used. When using the Web authentication method, the client is either an ActiveX component or a Java applet. All supported authentication methods are described in Manage Authentication Methods, on page 307. To choose the authentication method, you need to consider your users needs: mobility, device flexibility, and level of security. Refer to each authentication method for more detailed information. All StoneGate authentication methods can be used in combination or singularly to access any type of resource. See the Online Help and Manage Authentication Methods, on page 307 for detailed information on how to configure and use the different authentication methods. Authentication Service 33

34 34 Chapter 4: System Services

35 CHAPTER 5 Planning In this section, a few general security recommendations that should be considered are presented. The following sections are included: Define the Deployment Goals, on page 36 Security Audit/Planning, on page 36 User Management Strategy, on page 37 Resource Access, on page 41 Pre-Installation Check List, on page 43 The StoneGate Network, on page 44 35

36 Define the Deployment Goals The major goals of the planning phase are to make sure that: User and administrator needs are addressed by the services you deploy Service prerequisites that affect installation and initial setup are identified Initial Questions What are the day-to-day requirements StoneGate SSL VPN needs to address? What are the user management requirements StoneGate SSL VPN needs to meet? What shape is your existing network in? Do you need to upgrade power supplies, switches, and other network components? Make sure the required hardware is available in time for the deployment. Security Audit/Planning You need to make decisions about your security architecture. This involves creating accounts, organizing your users into groups, and planning for access control. These are the phases in the security planning process: 1. Define your security goals 2. Make some preliminary decisions about your security architecture 3. Determine which users need which permissions to which resources, and develop a strategy for creating access rules System Architecture Review Find potential security problems related to the system architecture. This includes going through existing design documentation and high-level descriptions of the system. Typical areas of investigation are: Where and how sensitive information is stored Identify trusted components Communication paths and their protection Identify single-points of failure and components likely to hit Denial Of Service (DOS) attacks Public Key Infrastructure A well-defined public key infrastructure (PKI) enables your organization to secure critical internal and external processes. Deploying a PKI allows you to perform tasks such as: Digitally signing files such as documents and applications Securing from unintended viewers Enabling secure connections between computers, even if they are connected over the public Internet or through a wireless network Enhancing user authentication through the use of smart cards 36 Chapter 5: Planning

37 If your organization does not currently have a public key infrastructure, begin the process of designing a new PKI by identifying the certificate requirements for your organization. If your organization already uses a PKI, you can manage all of your internal security requirements, as well as security requirements for business exchanges with external customers or business partners. Designing a PKI for your organization involves defining your certificate requirements, creating a design for your infrastructure, creating a certificate management plan, and deploying your PKI solution. A PKI consists of the following basic components: Digital certificates Electronic credentials, consisting of public keys, which are used to sign and encrypt data. Digital certificates provide the foundation of a PKI. One or more certification authorities (CAs) Trusted entities or services that issue digital certificates. When multiple CAs are used, they are typically arranged in a carefully prescribed order and perform specialized tasks, such as issuing certificates to subordinate CAs or issuing certificates to users. Certificate policy and practice statements Two documents that outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on. Certificate repositories A directory service or other location where certificates are stored and published. In a Windows Server 2003 domain environment, the Active Directory service is the most likely publication point for certificates issued by Windows Server 2003 based CAs. Certificate Revocation Lists (CRL) Lists of certificates that have been revoked before reaching the scheduled expiration date. User Management Strategy The best security plans and designs cannot protect an organization if security is not an essential part of their operating procedures. In this section, a few general security recommendations regarding user management that should be considered are presented. The Securing Microsoft Active Directory section contains specific recommendations for environments using Microsoft Active Directory. User Management Strategy 37