Securepoint Network Access Controller (NAC)

Transcription

1 Securepoint Network Access Controller (NAC) Administration Guide Business Class Secure Mobility Version 1

2 2 Securepoint NAC Administration Guide 1 Table of contents 1 Table of contents Table of figures Introduction Launching the administration tool Administering user profiles Displaying user profiles Adding a user profile Defining a profile s validity dates Deleting a user profile Changing a user profile Administering user accounts Displaying user accounts Adding a user account Delete a user account Change a user account Suspending a user account Administering services Displaying services Adding a service Deleting a service Changing a service Activating/deactivating a service Administering zones Administering delegate administrator accounts Adding a Delegate Administrator account Deleting or modifying a Delegate Administrator account Administering delegate administrator accounts Adding an administrator account Deleting or modifying an administrator account Monitoring Monitoring Monitoring connected users Monitoring user sessions Monitoring user traffic Monitoring controller status Searching the logs Searching the session log Searching the activity log Statistics Update Graphs Reports Domain Top Top 10 URLs... 56

3 3 Securepoint NAC Administration Guide 12 Operations Backing up / Restoring the configuration Log file management Securepoint NAC Update Securepoint NAC manual update Securepoint NAC automatic update Updating the SECUREPOINT license Changing the administrator password Maintenance Appendix: Preconfigured services... 69

4 4 Securepoint NAC Administration Guide 2 Table of figures Figure 1: Securepoint NAC architecture... 6 Figure 2: Logging in to the SECUREPOINT administration tool... 7 Figure 3: Securepoint NAC homepage... 8 Figure 4: SECUREPOINT Administration homepage... 9 Figure 5: Displaying user profiles Figure 6: guest profile displayed Figure 7: Creating a user profile Figure 8: Example of creating a user profile: stage Figure 9: Example of creating a user profile: stage Figure 10: Example of creating a user profile: stage Figure 11: Example of creating a user profile: stage Figure 12: Example of creating a user profile: stage Figure 13: Example of creating a user profile: stage Figure 14: Displaying user profiles Figure 15: Example of a profile valid once created Figure 16: Example of a profile valid from the first connection Figure 17: Example of a profile valid for a date range Figure 18: Changing a user profile Figure 19: Administering user accounts Figure 20: Display showing an account created by a delegate administrator Figure 21: Displaying the user account guest Figure 22: Configuring automatic purging of user accounts Figure 23: Creating a user account Figure 24: Example of creating a user account: stage Figure 25: Example of creating a user account: stage Figure 26: Examples of authentication using MAC address Figure 27: Displaying user accounts Figure 28: Changing a user account Figure 29: Suspending a user account Figure 30: Displaying services Figure 31: Creating a service Figure 32: Displaying settings for a service Figure 33: Changing a service Figure 34: Disabling a service Figure 35: Administering zones Figure 36: Administering delegate administrator accounts Figure 37: Adding additional fields Figure 38: Customized delegated administration tool (adding fields) Figure 39: Creating a Delegate Administrator account Figure 40: Example of creating a Delegate Administrator account Figure 41: Configuring Delegate Administrator rights Figure 42: Selecting the profiles seen in the Administration tool Figure 43: Administering administrator accounts Figure 44: Adding an administrator account Figure 45: Securepoint NAC monitoring homepage Figure 46: Items in the Monitoring menu Figure 47: Monitoring connected users Figure 48: Monitoring user sessions... 41

5 5 Securepoint NAC Administration Guide Figure 49: Monitoring (service) traffic Figure 50: Monitoring controller status Figure 51: Items in the Search menu Figure 52: Form for searching the session log Figure 53: Selecting a database backup Figure 54: Results of searching the session log Figure 55: Form for searching the activity log Figure 56: Results of a URL search Figure 57: Results of searching the activity log Figure 58: Search results showing a user s traffic relating to a service Figure 59: Search results showing a user s traffic for a particular IP address Figure 60: Items in the Statistics menu Figure 61: Updating the statistics Figure 62: Statistics displayed graphically Figure 63: Compiling statistics for a time period Figure 64: Compiling statistics for a time period Figure 65: Statistics for the total number of user sessions Figure 66: Statistics on the length of user sessions Figure 67: Statistics showing the maximum number of simultaneous user sessions Figure 68: Statistics showing connection time by user profile Figure 69: Statistics showing connection time by authentication type Figure 70: Statistics on service usage Figure 71: Generating statistics reports Figure 72: Example of generating a statistics report Figure 73: Top 10 domains visited Figure 74: Top 10 URLs visited Figure 75: Operations homepage for Securepoint NAC Figure 76: Backing up / Restoring the configuration Figure 77: Saving the backup file Figure 78: Managing backup log files Figure 79: Example of configuring backup log files Figure 80: Export a backup file Figure 81: Import a backup file Figure 82: Instant purge of logs Figure 83: Securepoint NAC Update Figure 84: Manual update confirmation for the SECUREPOINT box Figure 85: Example of automatic update for the SECUREPOINT box Figure 86: Changing the administrator password Figure 87: Configuring a maintenance tunnel Figure 88: Maintenance tunnel activated... 68

6 6 Securepoint NAC Administration Guide 3 Introduction This guide is intended for system and/or network administrators responsible for managing Securepoint NAC. Securepoint NAC is an appliance located between the user s access infrastructure (Wi-Fi and/or wired) and the company s local network. Figure 1: Securepoint NAC architecture See the Securepoint NAC Installation Guide documentation for more information on installing and configuring the product. Securepoint NAC provides the following major functions: User authentication Access rights management via user profile based on location and time; Data confidentiality Zero configuration access for users Provision of accounts by delegation and/or self-registration Monitoring and logging Integration with legacy network Securepoint NAC uses simple Web interfaces for administration. There are two Administration tools: one is intended for Securepoint NAC administrators and gives access to the full set of administrator

7 7 Securepoint NAC Administration Guide functions; the other is intended for authorized non-specialists. They can carry out some administration tasks such as creating a guest account. This guide describes both tools and the full set of administration procedures. Note: We will be using the terms box or controller indiscriminately in this guide to refer to Securepoint NAC. The term controller is in particular used by the graphical interface of SECUREPOINT administration tools. 4 Launching the administration tool Logging in to the administration console requires access to the SECUREPOINT controller. The controller can be found through the UPnP announcements that it broadcasts over the network at regular intervals across all its network interfaces. See the Securepoint NAC Installation Guide documentation for more details. Once connected to the SECUREPOINT controller and administration console, the login page is displayed: Figure 2: Logging in to the SECUREPOINT administration tool

8 8 Securepoint NAC Administration Guide Enter your login and password to authenticate. By default, the login is admin and the password is insecure. The welcome page is displayed: Figure 3: Securepoint NAC homepage Note: The homepage shows the class of the Securepoint NAC system and the Version and Release numbers. Note: To change the Administrator password, see the Securepoint NAC Installation Guide, Operation section.

9 9 Securepoint NAC Administration Guide Then click on the Administration option in the menu bar, to display the administration page below: Figure 4: SECUREPOINT Administration homepage Administration operations are sorted into classes, of which there are six: Users This class is used to create a user account by linking it to a profile. An account may be modified dynamically, or temporarily suspended to stop the user logging on. Profiles This class is used to create profiles. A profile may be used to define access rights to services, validity dates, time slots, a time credit, and input and output zones. Services This class provides an overall definition of all the services that may be used with the SECUREPOINT box. Each service may be associated with a Quality of Service. Access rights to these services are defined at the same time as the user profile. Delegation This class is used to define Delegate Administrator accounts. Such accounts can access the Delegated Administration Tool (to manage guests). Zones This last class defines zones, divided into input and output zones. Zones represent locations (e.g. reception, offices or the library) and are associated to user profiles, either

10 10 Securepoint NAC Administration Guide as input zones (to authorize or ban connection from the zone) or output (to define the network policies - NAT or routing). Administrators This category is used to set up administrator accounts with their login and password. It is also possible to limit administrators permissions to stop them from viewing user logs. 5 Administering user profiles The first stage in Securepoint NAC administrator is to define user profiles. These profiles describe the access rights to services, input and output zones and the profile s period of validity. 5.1 Displaying user profiles To display all the available profiles, click on the Profiles item in the sub-menu on the left-hand side of the window. The following page is displayed: Figure 5: Displaying user profiles The profile table summarizes all the existing profiles.

11 11 Securepoint NAC Administration Guide To display the full profile description, click on the profile name. Its characteristics are then displayed in the panel below the profile table. For instance, for the predefined guest profile, the following is displayed: Figure 6: guest profile displayed

12 12 Securepoint NAC Administration Guide 5.2 Adding a user profile To add a new profile, click the Add button in the profile table. The following page is displayed: The profile is created in the stages below: Figure 7: Creating a user profile 1. Profile information panel. Enter the profile name in the field Profile ID (this is a mandatory field). Example: a Guest profile. Figure 8: Example of creating a user profile: stage 1 2. Access rights panel. Associate the profile to the services it can access. The list of services available is displayed in the panel on the right. To authorise the use of the service by the profile, select the service to add, and click the <<< Add button. Example: adding Mail and Web services.

13 13 Securepoint NAC Administration Guide Figure 9: Example of creating a user profile: stage 2 3. Validity panel. Define the time for which the profile is valid. There are various options (see Section 5.3). Example: valid for one year Figure 10: Example of creating a user profile: stage 3 Note: By default, a profile is permanently valid. 4. Validity panel. You can restrict the use of a profile to particular days and times. Choose the days and times when users with this profile are authorized to login. You can also define a time credit. This is an overall connection time, which may be used up over several sessions. You have the option to top up the credit every n days. Example: connection is authorized for Tuesdays between 10am and 12pm and Thursday between 2pm and 6pm. There is no time credit.

14 14 Securepoint NAC Administration Guide Figure 11: Example of creating a user profile: stage 4 5. Zones panel. Choose the input and output zones associated with the profile. If an input zone is authorized, this means that the user may connect from the zone (see Section 8 for a description of how zones work). Example: the Guest user may connect from the Reception zone, but not from the Offices zone. Figure 12: Example of creating a user profile: stage 5 6. Advanced authentication options panel. If users have this profile, you can configure some of their authentication options. Figure 13: Example of creating a user profile: stage 6

15 15 Securepoint NAC Administration Guide Option 1: If users login in portal mode, then the portal s automated re-authentication mechanism may conflict with VPNs they use from the user workstation. The first option is to disable this mechanism. To do so, uncheck the corresponding checkbox. Option 2: Users HTTP traffic is redirected by default to the SECUREPOINT Web proxy. You can deactivate this mechanism. Some user populations may already be using a valid proxy, and if so, you won t want to redirect them to the SECUREPOINT proxy. Option 3: By default, SECUREPOINT does not permit simultaneous connections with the same login/password pair. It is possible to allow this to happen. In this case, the desired maximum number of simultaneous connections must be specified. Validate the profile by clicking the Confirm button. Once you have validated the profile you have created, it will appear in the profile list: 5.3 Defining a profile s validity dates Figure 14: Displaying user profiles The dates when a profile is valid can be expressed in various ways. Always valid The profile is permanently valid.

16 16 Securepoint NAC Administration Guide Valid at creation Validity starts when the account is created, and lasts for the defined time, either for n days after midnight on the creation day, or for n days (plus hours and minutes). In the following example, the profile is valid for 3 days. Valid from first connection Figure 15: Example of a profile valid once created Validity starts to run the first time the user connects and lasts for a specified time, or up to midnight (on the day of first connection) plus n days; or for n days (plus hours and minutes). In the following example, the profile s validity will begin the first time the user connects and will last up to midnight on that day. Valid in date range Figure 16: Example of a profile valid from the first connection Connection is valid during an interval defined using a calendar.

17 17 Securepoint NAC Administration Guide 5.4 Deleting a user profile Figure 17: Example of a profile valid for a date range To delete a user profile, click on the Profiles item in the sub-menu on the left-hand side of the window. In the profile table, select the checkbox corresponding to the profile you want to remove, and click the Delete button. Attention: You cannot delete a profile if any users still have that profile. Note: To delete all the profiles at once, select the checkbox in the profile table s title row, and click on Delete.

18 18 Securepoint NAC Administration Guide 5.5 Changing a user profile To modify an existing user profile, click on the Profiles item in the sub-menu on the left-hand side of the window. In the profile table, select the checkbox corresponding to the profile you want to change, and click the Modify button. The following page is displayed: Figure 18: Changing a user profile You can change all the fields except the profile name. You can add conditions to the profile at this stage (see the following Section). 6 Administering user accounts Once user profiles are defined, the Securepoint NAC administrator can define users and associate them to profiles.

19 19 Securepoint NAC Administration Guide 6.1 Displaying user accounts To display all existing user accounts, click on the Users item in the sub-menu on the left-hand side of the window. The following page is displayed: Figure 19: Administering user accounts The user-accounts table summarizes all the accounts created. The column Status indicates if the account is active (green) or suspended (red). See Section 6.5. The Delegation column shows who created the account. If this field is empty, the account was created by the Administrator using this tool. If the account was created using the delegated administration tool, the delegate administrator s login is shown in the field. Example: the user jbrown was created by the delegate administrator Reception. Figure 20: Display showing an account created by a delegate administrator

20 20 Securepoint NAC Administration Guide To display the user account s full description, click on Last name. Its characteristics are then displayed in the panel below the user-accounts table. For instance, for the predefined guest1 account, the following is displayed: Figure 21: Displaying the user account guest1 Attention: Once a user account s validity period has expired, then by default, the account is automatically deleted. It is however possible to keep accounts after their expiry date, using the configuration below. Automatic purging of user accounts can be configured as follows: Figure 22: Configuring automatic purging of user accounts Deselect the first checkbox to disable the automatic deletion of accounts where validity has expired. This deletion is enabled by default. Select the second box if you would like to automatically delete permanent accounts where the creation date falls before a given number of days ago. Select the third checkbox if you would like to automatically delete accounts where the validity date starts when the user first logs in, which have never been used and which were created a given number of days ago.

21 21 Securepoint NAC Administration Guide 6.2 Adding a user account To add a user, click on the User item in the sub-menu on the left-hand side of the window, then click the Add button in the user-account table. The following page is displayed: The user account is created in the stages below. Figure 23: Creating a user account 1. User identity panel. Enter the login name in the Login field (this is a mandatory field). Enter the password associated with the account in the Password field (this is a mandatory field). Fill in the fields for the user s Last name and First name. Example: Figure 24: Example of creating a user account: stage 1 2. Profile panel. Select a user profile from the Available profiles list. When the selected profile is displayed, the Related services list shows you information about the services authorized by the profile.

22 22 Securepoint NAC Administration Guide Example: Figure 25: Example of creating a user account: stage 2 The user inherits the properties of his or her profile, so the account creation may be complete at this stage. You can however overwrite some inherited properties (Validity panel), namely the validity period, and timeslots (see the Creating a user profile section for further information). 3. Advanced options panel. In this panel, we find the option of defining authentication for a given user based on their MAC or IP address. In this case, the user or IP equipment connecting to SECUREPOINT will be authenticated automatically if its MAC and/or IP addresses matches that configured. Figure 26: Examples of authentication using MAC address Attention: This authentication method blocks any other authentication method (Web portal, 802.1x). Validate the profile by clicking the Confirm button. The new user now appears in the list of accounts.

23 23 Securepoint NAC Administration Guide 6.3 Delete a user account Figure 27: Displaying user accounts To delete a user account, click on the Users item in the sub-menu on the left-hand side of the window. In the user accounts table, select the checkbox corresponding to the account you want to remove, and click the Delete button. Note: To delete all the accounts at once, select the checkbox in the table s title line, and click on Delete.

24 24 Securepoint NAC Administration Guide 6.4 Change a user account To modify a user account, click on the Users item in the sub-menu on the left-hand side of the window. In the accounts table, select the checkbox corresponding to the account you want to change, and click the Modify button. The following page is displayed: Figure 28: Changing a user account The page displayed is identical to that for creating an account. You can change all the fields, except the Login field. 6.5 Suspending a user account A user account may be suspended at any time to prevent a user logging on. To do so, select the user you want to suspend, and click the Suspend button. To reactivate a user account, click the Unsuspend button. The Status column shows the account s current status: green means the account is active, and red means it is suspended. Example: the account jbrown is suspended. Attention: Suspending a user account also has the effect of disconnecting the user in real time.

25 25 Securepoint NAC Administration Guide 7 Administering services Figure 29: Suspending a user account A set of services is preconfigured (see the Appendix for a detailed description of the preconfigured services). However, you can add a new service or delete/change an existing service. 7.1 Displaying services To display all the available services, click on the Services item in the sub-menu on the left-hand side of the window. The following page is displayed: Figure 30: Displaying services The service table summarizes all available services.

26 26 Securepoint NAC Administration Guide The Settings column indicates the number of sets of parameters associated with the service (see next Section). The Status column indicates if the service is active (green) or suspended (red). See Section Adding a service To create a service, click on the Services item in the sub-menu on the left-hand side. Click the Add button in the service table. The following page is displayed: Figure 31: Creating a service A service is configured by following the steps below: Service panel. The first stage is to name the service (Service name). Setting panel. Each service has any number of associated parameter sets. These are parameters that describe the protocol, the server IP addresses, the open ports, etc. The first parameter is defined on this page. In this panel you define the name of the parameter set (Setting name) and describe the protocol used (Protocol type). The protocol type may be any of TCP/UDP, TCP, UDP, AH, ESP, L2TP, GRE, ICMP, IGMP.

27 27 Securepoint NAC Administration Guide Ports panel. This is used to specify the open ports for this parameter. You can define them in several ways: by defining either all port numbers as open (All) or a specific port number (Port number), or a range of port numbers (Port range). Quality of Service panel. This is used to associate a parameter with an appropriate quality of service. You may define three QoS parameters: the reserved bandwidth (Reserved bandwidth), upper limit on bandwidth (Maximum bandwidth) and type of service - priority or normal - (Priority traffic). The first two parameters are given in kilobytes per second. Addressing panel. Click on Confirm. This is used to specify the server IP address used for the parameter. You need not define a particular address (All), or you can enter a specific address (Server IP address) or a subnet address (Network address). If you define a subnet address (Network IP address), you must enter the mask as well (Netmask). To define a local service to Securepoint NAC, simply select Local. The service is then created with its first parameter. For instance, a Web service has two parameters: HTTP and HTTPS. The service is not a priority service. A bandwidth of 1000 KBps is reserved for each parameter. Figure 32: Displaying settings for a service To add another parameter to the service, click the Add button in the settings table. 7.3 Deleting a service To delete a service, click on the Services item in the sub-menu on the left-hand side. In the service table, select the checkbox corresponding to the service you want to remove, and click the Delete button.

28 28 Securepoint NAC Administration Guide 7.4 Changing a service To modify a service, click on the Services item in the sub-menu on the left-hand side. In the service table, select the checkbox corresponding to the service you want to change, and click the Modify button. The page showing the list of service parameters is displayed. Take the Web service as an example. Figure 33: Changing a service Select the parameter to change, and click on Modify. You change a parameter in the same way that you created it. 7.5 Activating/deactivating a service A service may be completely disabled. It is then no longer accessible to any user. The Status column in the service table indicates if the service is active (green) or suspended (red). By default, all services are active. To disable a service, select the checkbox for the service you want to disable, and click the Disable button.

29 29 Securepoint NAC Administration Guide In the following example, the SSH service is disabled: Figure 34: Disabling a service To reactivate the service, select the service and click the Enable button. 8 Administering zones Zones may describe a location, for instance in a business: a reception area or offices; in a university: the library or lecture theatres. In a multi-site architecture with centralized administration, a zone is a global concept, and is interpreted in the same way by all the SECUREPOINT boxes at all the sites. On the other hand, the way in which zones are set up is specific to each box. As regards the network, zones correspond to VLANs. The link between zone and VLAN is established when each box is configured. Not all zones are necessarily defined for each box. You can define input and output zones for a user profile. One user profile may be associated with several input zones. When the user is in one of these zones, he or she is then authorized to login. The output zone is unique. It represents both a VLAN and also the addressing policy for traffic leaving the SECUREPOINT box (NAT or routing).

30 30 Securepoint NAC Administration Guide To administer zones, click on the Zones item in the sub-menu on the left-hand side of the window. The following window appears: Figure 35: Administering zones Use the Add and Delete buttons to create or delete input and output zones. Once created, zones will be visible when you create or change user profiles. Attention: Zones can only be used with profiles if they are associated to existing VLANs (see the Securepoint NAC Installation Guide, Configuring incoming VLANs section). 9 Administering delegate administrator accounts Before a user can use the Delegated Administration tool, the Securepoint NAC Administrator must first create a Delegate Administrator account. 9.1 Adding a Delegate Administrator account The SECUREPOINT administrator may create Delegate Administrator accounts with varying powers. The Delegated Administration tool then functions according to the powers its user has. For instance, in the simplest case, the tool may be reduced to its most basic level, generating a connection ticket based just on the user s last name and first name. For more complex tasks, the delegate administrator can be authorized to create an account by allocating a profile and a time slot. He/she could even change the account after it has been created.

31 31 Securepoint NAC Administration Guide To create a Delegate Administrator account, click on the Administration item in the menu bar, then on the Delegation item in the sub-menu on the left-hand side of the window. The following page is displayed: Figure 36: Administering delegate administrator accounts Note: The account deleg is preconfigured by default. The account password is also deleg. The first panel is used to select the languages that will be used in the delegated administration tool. The second panel will be used to add fields to the delegated administration tool that will then appear during creation of a user account. These will be added to the three mandatory fields, namely the user s login, last name and first name. Each field added needs to be marked as mandatory or otherwise and given a field label in each of the languages available. Example: Adding an optional Room number field and a mandatory Identity Card field.

32 32 Securepoint NAC Administration Guide Figure 37: Adding additional fields Note: The default language can be selected. It is therefore not necessary to enter the field name in all languages. Fields not filled in will take the field value matching the default language.

33 33 Securepoint NAC Administration Guide In the case of that example, the delegated administration application page used to enter the user s personal details will be displayed as follows: Figure 38: Customized delegated administration tool (adding fields)

34 34 Securepoint NAC Administration Guide To add a delegate administrator, click the Add button in the table. The following page is displayed: Figure 39: Creating a Delegate Administrator account Use the Identification settings panel to add personal information about the Delegate Administrator. Login (mandatory field): the Delegate Administrator s ID; Password (mandatory field): the Delegate Administrator s password; Last name and First name of the delegate administrator. Example: Creating a Reception account. Figure 40: Example of creating a Delegate Administrator account

35 35 Securepoint NAC Administration Guide Use the Usage parameters panel to define the Delegate Administrator s rights. You have the following options. Select the checkbox corresponding to each selection: Authorize multiple account creation in delegation tool This option enables the delegate administrator to create multiple accounts, rather than individually, which is the default. Either the logins are assigned randomly, or they are supplied from a CSV file. By default, only the individual account creation is authorised. Authorize the creation of individual accounts with a random login By default, the Administrator must choose the user s login. This option generates the login randomly. Authorize the connection ticket to be printed as a badge By default, connection tickets are generated in A4 format. This option enables you to print them as a badge. Authorize sending connection ticket by SMS This option allows sending the connection ticket by SMS. To do so, an SMS account must be defined beforehand. Authorize sending connection ticket by This option allows sending the connection ticket by . To do so, an account must be defined beforehand. Authorize modification of validity settings The validity settings are inherited from the profile. The default does not allow the Delegate Administrator to change them: this option authorizes him/her to do so. Note: If this option is not configured, the Delegated Administration tool does not display the page for changing the validity settings. Authorize user administration This option allows user accounts to be administered, i.e. a previously created user account may be displayed/changed/removed. All the following are enabled: o o o Generate a new password Modify user account Delete user account These actions may apply just to user accounts that the Delegate Administrator has created, or to all user accounts (and thus possibly to accounts created by other Delegate Administrators). The screenshot below shows the menu used to set these options:

36 36 Securepoint NAC Administration Guide Figure 41: Configuring Delegate Administrator rights Select the profiles visible to the Delegate Administrator You can select the profiles that the Delegate Administrator can assign when he/she creates an account. By default, all the profiles are visible. Example: Only the guest and VIP profiles will appear on the Delegate Administrator s profile selection page. Figure 42: Selecting the profiles seen in the Administration tool Note: If just one profile is selected, the Delegate Administration tool does not display the page for selecting a profile. All user accounts will be created with the same profile (the one defined by the SECUREPOINT Administrator). 9.2 Deleting or modifying a Delegate Administrator account To delete a Delegate Administrator account, click on the Delegation item in the menu on the lefthand side of the window. In the table of Delegate Administrator accounts, select the checkbox corresponding to the account you want to remove, and click the Delete or Modify buttons.

37 37 Securepoint NAC Administration Guide 10 Administering delegate administrator accounts 10.1 Adding an administrator account To create an administrator account, click on the Administration item in the menu bar, then on the Administrators item in the sub-menu on the left-hand side of the window. The following page is displayed: Figure 43: Administering administrator accounts

38 38 Securepoint NAC Administration Guide To add a new administrator, click the Add button. The following page is displayed: Figure 44: Adding an administrator account Entering the administrator s login information (login and password) is mandatory. It is possible to limit the administrator s permissions to stop them from viewing logs (to do so, select the Forbid to consult logs checkbox). For this administrator, the log search menu will not be available. The administrator will however continue to see SECUREPOINT controller usage statistics. Click on Confirm Deleting or modifying an administrator account To delete an administrator account, click on the Administrators item in the menu on the left-hand side of the window. In the table of administrator accounts, select the checkbox corresponding to the account you want to remove, and click the Delete or Modify buttons. 11 Monitoring The purpose of monitoring is firstly to display current information about the users connected to Securepoint NAC, and secondly to log and display all the user sessions and user traffic. The logs are stored in a database. The database may be purged, totally or in part, based on criteria that you set (see Securepoint NAC Installation Guide, Configuring logging mechanism section).

39 39 Securepoint NAC Administration Guide Click on the Monitoring item in the menu bar to display this monitoring page: Figure 45: Securepoint NAC monitoring homepage The monitoring options are sorted into classes, of which there are three: Monitoring Use this class to view users connected to the SECUREPOINT controller, to view the sessions and traffic logs, and lastly to see information about the status of the controller (CPU, memory, upstream and downstream bandwidth). Search Use this class to search the session and traffic logs using various criteria (login, first name, last name, profile, IP address, port number, URL, etc.). Searches are carried out for a specified time interval. Statistics This class provides a set of ready-to-use statistics, including the average and maximum number of sessions, the average and maximum number of simultaneous sessions, etc. Results are displayed graphically as histograms or pie charts. You can also generate reports in PDF format.

40 40 Securepoint NAC Administration Guide 11.1 Monitoring Click on the Monitoring item shown on the left-hand side of the window. The following sub-menu is displayed with the options shown: Monitoring connected users Figure 46: Items in the Monitoring menu To display the list of currently connected users, click on the Connected users item in the sub-menu on the left-hand side of the window. The following information is displayed for each connected user: User ID: ID of the user Last name: User s last name First name: User s first name Profile: User profile Condition: Conditional profiles Authentication: Authentication protocol (Portal, PDA, Windows portal, 802.1x/EAP) Connected: Time connection established This information is presented in a table, as shown in the following example: Figure 47: Monitoring connected users

41 41 Securepoint NAC Administration Guide Other fields may be displayed, for instance the user s IP address or the MAC address of his/her machine. In addition, if extra fields were defined (using the Delegated Administration tool) when the user account was created (like identity-card number or company address, etc.), they can also be displayed. To display all available fields, click on the full screen link to display the complete table. Note: The information is refreshed automatically every 10 seconds. To disconnect a user immediately, select the user and click the Disconnect button Monitoring user sessions A user session is defined essentially by connection start and end times. To display all user sessions, click on the Sessions item in the sub-menu on the left-hand side of the window. The following table is displayed: Figure 48: Monitoring user sessions A Disconnected field indicates the time when the user was disconnected. To display all available fields, click on the full screen link Monitoring user traffic You can display the services used and the ones requested most often. To display the services used, click on the Traffic item in the sub-menu on the left-hand side of the window.

42 42 Securepoint NAC Administration Guide The following table is displayed: Figure 49: Monitoring (service) traffic You can display information about dropped packets. To do so, select Dropped packets in the dropdown menu at the top of the window Monitoring controller status To display the load of the controller, click on the Controller status item in the menu on the left-hand side of the window.

43 43 Securepoint NAC Administration Guide The following page is displayed: Figure 50: Monitoring controller status The Global Information panel provides current information about the status of the SECUREPOINT controller, including the time since it was last restarted, the load of the controller, CPU usage, free memory and number of connected users. The Bandwidth panel shows the upstream and downstream rates in Bps or KBps for each interface configured Searching the logs To search the logs, click on the Search item shown on the left-hand side of the window. The following sub-menu is displayed with the options shown: Searching the session log Figure 51: Items in the Search menu To search the logs and display information about user sessions, click on the Session search item in the sub-menu on the left-hand side of the window.

44 44 Securepoint NAC Administration Guide The following page is displayed: Figure 52: Form for searching the session log You can search the current database (default) or database backups. To select a backup database, use the Search in option menu (a database corresponds to a file). Example: Figure 53: Selecting a database backup You can also restrict the search to records in a particular time interval. To do so, use the Restrict search to the period from button and enter the search start and end dates. You can use other search criteria apart from time interval, such as User ID, First name, Last name, Profile, Authentication method, MAC address, and IP address. Search result sample that will open in a separate window: Figure 54: Results of searching the session log

45 45 Securepoint NAC Administration Guide Searching the activity log To search the logs and display information about user traffic, click on the Traffic Search item in the sub-menu on the left-hand side of the window. The following page is displayed: Figure 55: Form for searching the activity log The search result may be displayed either by user ID (using the form on the left) or by traffic (using the form on the right). You can select the (backup) database for your search as you did for the session-log search (see previous Section). Search as user IDs You can use this type of search to identify a particular user s traffic: for instance, a URL accessed during a particular time slot. You can use different search criteria (such as source or destination IP address, URL, port or protocol). Result sample of a URL search (

46 46 Securepoint NAC Administration Guide Search as traffic Figure 56: Results of a URL search You can use this type of search to obtain information and statistics about all user traffic. You can narrow the search using various criteria (user ID, first name, last name and profile). Search results sample based on user name: Figure 57: Results of searching the activity log To obtain details of the traffic associated with a particular service, click on the row corresponding to the service. Example showing the traffic for the Web service:

47 47 Securepoint NAC Administration Guide Figure 58: Search results showing a user s traffic relating to a service You can obtain more information about a particular destination IP address. To do so, click on that particular IP address. Example: Figure 59: Search results showing a user s traffic for a particular IP address

48 48 Securepoint NAC Administration Guide If you want to resolve the destination IP addresses, click the Enable/Disable DNS resolution button. Attention: The address resolution mechanism may slow down your search significantly Statistics To update and display logging statistics, click on the Statistics item shown on the left-hand side of the window. The following sub-menu is displayed with the options shown: Update Figure 60: Items in the Statistics menu The statistics referred to in the Statistics menu are compiled automatically every night at 4.00am, and are stored in a database separate from the log database. They can be updated on demand. To do so, click on the Update item in the menu on the left-hand side of the window. The following page is displayed: Figure 61: Updating the statistics

49 49 Securepoint NAC Administration Guide To update the statistics manually, click the Update button. The message Update successful indicates that the update has completed successfully Graphs To display the statistics graphically, click on the Graphs item in the menu on the left-hand side of the window. The following page is displayed: Figure 62: Statistics displayed graphically Statistics are compiled for a particular period of time. You must first select the date, which you can do in three ways: No restriction on the date: select All. In this case, the statistics will be those compiled since the SECUREPOINT box was initiated. A time period for which the statistics will be compiled. This period can be a year, a month or a day, as shown in the example below: Figure 63: Compiling statistics for a time period

50 50 Securepoint NAC Administration Guide The time interval between two dates. For instance: Figure 64: Compiling statistics for a time period You can narrow down the search interval by defining a time slot. To do so, select Time slot. Various statistics are available: Total number of sessions Example: Figure 65: Statistics for the total number of user sessions These statistics may be compiled by profile and by authentication type. Average and maximum duration of sessions Example:

51 51 Securepoint NAC Administration Guide Figure 66: Statistics on the length of user sessions These statistics may be compiled by profile and by authentication type. Maximum number of simultaneous sessions Example: Figure 67: Statistics showing the maximum number of simultaneous user sessions

52 52 Securepoint NAC Administration Guide Connection time by user profile Example: Figure 68: Statistics showing connection time by user profile Connection time by authentication type Two authentication methods are distinguished: portal mode and 802.1x/EAP mode. Example: Service usage Example: Figure 69: Statistics showing connection time by authentication type

53 53 Securepoint NAC Administration Guide Reports Figure 70: Statistics on service usage You can produce statistics reports in PDF format. To do so, click on the Reports item in the menu on the left-hand side of the window. The following page is displayed: Select the reporting parameters: Figure 71: Generating statistics reports 1. the period (year or month) for which you want to compile the statistics; 2. the controller(s) for which statistics will be compiled (only for a multi-controller environment); 3. the statistics to be displayed. Click the Display the report button. The report appears in your Internet browser window.

54 54 Securepoint NAC Administration Guide Example: Figure 72: Example of generating a statistics report To generate the file in PDF format, click on Generate the report in PDF format in the menu on the left-hand side of the navigator window.

55 55 Securepoint NAC Administration Guide Domain Top 10 To see the domains that are most visited, click on the Domain Top 10 item in the menu on the lefthand side of the window. The following page is displayed: Figure 73: Top 10 domains visited

56 56 Securepoint NAC Administration Guide Top 10 URLs To see the URLs that are most visited, click on the URL Top 10 item in the menu on the left-hand side of the window. The following page is displayed: Figure 74: Top 10 URLs visited

57 57 Securepoint NAC Administration Guide 12 Operations To carry out all the management operations on the Securepoint NAC box, click on the Operations item in the menu bar. The following page is displayed: Figure 75: Operations homepage for Securepoint NAC The operation options are sorted into classes, of which there are six: Back up/restore This class lets you backup or restore a SECUREPOINT configuration. The entire configuration is backed up (network, user profiles, user accounts and services, etc.). Restore may be partial or full. Log file management You can import or export log backups manually. The database may also be purged manually. Update This class lets you compile statistics manually. License You can use this to change the license, for instance if you want to increase the number of simultaneous connections, or to move from the NAC to the NAC series, or to enable/disable specific functionality (such as redundancy or multi-sites). Password This class lets you change the password for the SECUREPOINT Administrator.

58 58 Securepoint NAC Administration Guide Maintenance This last class opens an SSH tunnel from the SECUREPOINT controller to the SECUREPOINT maintenance servers Backing up / Restoring the configuration You can back up or restore the entire Securepoint NAC configuration. Backup includes all the configurations defined using the Administration tool. The process also backs up the internal SECUREPOINT database (containing users, profiles, etc.). Click on the Back Up/Restore item shown on the left-hand side of the window. The following page is displayed: Figure 76: Backing up / Restoring the configuration

59 59 Securepoint NAC Administration Guide To backup the configuration, click the Save button. A window asks you to save the backup file in your file system: Figure 77: Saving the backup file Attention: Do not open the file. Do not change the filename extension (.bz2) when saving the file. To restore the configuration, select the backup file using the Browse... button and click on Confirm Log file management To see all the backup files available in Securepoint NAC, click on Log file management in the submenu shown on the left-hand side of the window.

60 60 Securepoint NAC Administration Guide The following page is displayed: Figure 78: Managing backup log files

61 61 Securepoint NAC Administration Guide Example: Figure 79: Example of configuring backup log files The table displays the list of all the log backups. If the dot in the Local column is coloured green, this means that the backup is on the SECUREPOINT appliance s hard drive. If the dot in the External column is coloured green, this means that the backup has been exported onto an external FTP server. Note: The FTP server will be that configured by the log export mechanism. See the Securepoint NAC Installation Guide, Automatic export of backup files section. : This icon indicates that the backup file is compressed. You can do various things with these backups: Delete a backup file

62 62 Securepoint NAC Administration Guide To delete one or more files, select the files by selecting the checkboxes, and click the Delete button. This action applies only to local backups. Synchronisation of backup files Synchronisation is carried out between local and external backups. If any local backups are not found on the FTP machine, they are exported from the SECUREPOINT box to the FTP server, and vice versa if any backups are not found on the SECUREPOINT box, they are retrieved from the FTP server. To synchronise files, click the Synchronise button. Backup file compression To compress one or more files, select the files by selecting the checkboxes, and click the Compress button. Backup files are compressed to optimise disk space. This action applies only to local backups. Decompressing a backup file To decompress one or more files, select the files by selecting the checkboxes, and click the Decompress button. This action applies only to local backups. Attention: Compression and decompression may take several minutes, depending on the size of the backup files. Export a backup file If you want to export a backup file to another machine, select the file by selecting the checkboxes and click the Export button. The following window appears: Figure 80: Export a backup file Import a backup file If you want to restore a file from a machine to the SECUREPOINT box, click the Browse button to select the file, and then click on Import to restore it to the SECUREPOINT box.

63 63 Securepoint NAC Administration Guide Figure 81: Import a backup file Attention: Deletion, compression, decompression and export can only be carried out on local backups. You can also initiate an immediate purge of the logs. To do so, click the Confirm button of the panel that summarizes the configured criteria for log purge Securepoint NAC Update Figure 82: Instant purge of logs To benefit from enhancements to Securepoint NAC, you can update your SECUREPOINT box with new software releases. Such releases may include bug fixes, enhancements and new functionality. Attention: You must have a maintenance contract before you can access updates.

64 64 Securepoint NAC Administration Guide Click on the Update item in the sub-menu shown on the left-hand side of the window. The following page is displayed: Securepoint NAC manual update Figure 83: Securepoint NAC Update The first step is to download the update file from the SECUREPOINT servers. Contact SECUREPOINT Communications who will explain the procedure. The update is in the form of an archive (*.tar) file, which you save on your computer. Use the Browse button to find the file for the new version to be installed. Click on Confirm to start the installation. The version number is shown, e.g. NAC version The release number is incremented for each update.

65 65 Securepoint NAC Administration Guide If the update is successful, the following message is displayed: Figure 84: Manual update confirmation for the SECUREPOINT box Securepoint NAC automatic update You can configure the SECUREPOINT box to automatically download updates from the SECUREPOINT maintenance servers. Two types of update are offered as automatic downloads: critical updates, meaning corrections or certificate updates, etc. standard updates which are new releases or versions. You can enable automatic downloads for each of these types of update. To do so, click on the Enable link corresponding to the desired upgrade. Attention: While standard updates are downloaded automatically, they are not installed. Installation is the administrator s responsibility. Note: Downloads are run daily at 1:30 a.m., but it is possible to force a download by clicking the Confirm button for each update type. Users are prompted to install automatically downloaded standard updates (or patches). To install a patch, click the appropriate Apply patch button. To see the patch contents, click its icon. Figure 85: Example of automatic update for the SECUREPOINT box If the patch is carried out correctly, it will appear in the Upgrade description box. Note: The Securepoint NAC update retains the existing configuration settings (profiles, users, etc.).

66 66 Securepoint NAC Administration Guide 12.4 Updating the SECUREPOINT license You may need to update the SECUREPOINT license if, for instance, you change from NAC 100 to NAC 400 configuration. The operations to be carried out are similar to those needed when first installing the licence. See the Securepoint NAC Installation Guide, SECUREPOINT license installation section. Attention: You must agree any change to the license in NAC with SECUREPOINT s sales department Changing the administrator password Click on the Password item in the sub-menu shown on the left-hand side of the window. The following page is displayed: Figure 86: Changing the administrator password Enter your old password, then your new password, twice. Click on Confirm to make the change. Attention: The default password is insecure

67 67 Securepoint NAC Administration Guide 12.6 Maintenance If you are having problems, you can open a maintenance tunnel from your SECUREPOINT controller to the SECUREPOINT maintenance servers. Click on the Maintenance item in the sub-menu shown on the left-hand side of the window. The following page is displayed: Figure 87: Configuring a maintenance tunnel Attention: To make use of this service, you must have a maintenance contract, and you must contact SECUREPOINT technical support before you start. By default, the tunnel will be automatically enabled when needed. Use the Test button to test communication links. If you wish to retain opening of the maintenance tunnel manual, click on the Disable link. When the SECUREPOINT maintenance tunnel is opened manually, the tunnel must be enabled by clicking the Enable button.

68 68 Securepoint NAC Administration Guide If connection is successful, the following message is displayed: To deactivate the tunnel, click on the Disable link. Figure 88: Maintenance tunnel activated Attention: If traffic from the SECUREPOINT box is filtered by a firewall, you will have to authorize traffic on SSH port 22 from the box s IP address to the outside.

69 69 Securepoint NAC Administration Guide 13 Appendix: Preconfigured services This Appendix shows the configurations for services preconfigured in Securepoint NAC. Services Sub-services Open ports Protocol Comments File Transfer FTP_ActiveMode 20 TCP File transfer in active mode FTP_PassiveMode TCP and UDP File transfer in passive mode FTP_Control 21 TCP Traffic control FTPS TCP and UDP Full Access All All TCP and UDP All open service Instant_Messaging MSNMessenger 1863 TCP MSN Messenger client MSNFileTransfer TCP File transfer via MSN Messenger MSNVoice 6901 TCP and UDP Voice via MSN Messenger YahooVoiceChat1 YahooVoiceChat2 Yahoo! Chat Yahoo! Chat YahooMessenger 5050 TCP Yahoo Messenger client YahooWebcam 5100 TCP Webcam via Yahoo Messenger ICQ 4000 UDP ICQ client AIM_AOL 5190 TCP and UDP AOL Messenger client IRC TCP and UDP IRC chat client NetmeetingLDAP 389 TCP LDAP for MS NetMeeting Netmeeting TCP Use of MS NetMeeting Netmeeting TCP Use of MS NetMeeting Netmeeting TCP Use of MS NetMeeting Netmeeting TCP Use of MS NetMeeting Mail POP3 110 TCP Message reception via POP3 POP3S 995 TCP and UDP Secured POP3 IMAP 143 TCP Message reception via IMAP IMAPS 993 TCP and UDP Secured IMAP SMTP 25 TCP Message reception

70 70 Securepoint NAC Administration Guide SMTPS 465 TCP Secured SMTP LotusNotes 1352 TCP and UDP Message reception via a Lotus Notes client IMAP3 220 TCP Message reception via an IMAP3 server Microsoft Network WINS 1512 TCP and UDP Netbios name server Netbios TCP and UDP Search protocol for Windows printers Samba 445 TCP and UDP Print sharing server Microsoft Access PcAnywhere TCP Remote administration via pcanywhere PcAnywhere UDP Remote administration via pcanywhere VNC TCP Remote administration via VNC VNC TCP Remote administration via VNC MSTerminalServer 3389 TCP SSH 22 TCP Telnet Telnet 23 TCP and UDP Telnets 992 TCP Secure telnet Securepoint_Administration SecurepointFullAccess Local (all ports) TCP and UDP Full local access to the controller (INPUT and OUTPUT only) Web HTTP 80 TCP HTTPS 443 TCP Secured HTTP PN IKE 500 UDP IPsec key negotiation NAT_T 4500 UDP Cisco VPN on UDP port 4500 Cisco TCP Cisco VPN on TCP port Cisco UDP Cisco VPN on TCP port CheckPoint 2746 UDP CheckPoint VPN OpenVPN 1194 UDP VPN connection via OpenVPN