axsguard Gatekeeper System Administration How To v1.7


Legal Notice

VASCO Products

VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as 'VASCO'. VASCO Products comprise Hardware, Software, Services and Documentation. This document addresses potential and existing VASCO customers and has been provided to you and your organization for the sole purpose of helping you to use and evaluate VASCO Products. As such, it does not constitute a license to use VASCO Software or a contractual agreement to use VASCO Products.

Disclaimer of Warranties and Limitations of Liabilities

VASCO Products are provided as is without warranty or conditions of any kind, whether implied, statutory, or related to trade use or dealership, including but not limited to implied warranties of satisfactory quality, merchantability, title, non-infringement or fitness for a particular purpose.

VASCO, VASCO DISTRIBUTORS, RESELLERS AND SUPPLIERS HAVE NO LIABILITY UNDER ANY CIRCUMSTANCES FOR ANY LOSS, DAMAGE OR EXPENSE INCURRED BY YOU, YOUR ORGANIZATION OR ANY THIRD PARTY (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF DATA) ARISING DIRECTLY OR INDIRECTLY FROM THE USE, OR INABILITY TO USE VASCO SOFTWARE, HARDWARE, SERVICES OR DOCUMENTATION, REGARDLESS OF THE CAUSE OF THE LOSS, INCLUDING NEGLIGENCE, EVEN IF VASCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR IF THEY WERE FORESEEABLE. OUR MAXIMUM AGGREGATE LIABILITY TO YOU, AND THAT OF OUR DISTRIBUTORS, RESELLERS AND SUPPLIERS SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE PRODUCT. THE LIMITATIONS IN THIS SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR DEFAULT IS A BREACH OF A FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH. THIS SECTION WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS.

Intellectual Property and Copyright

VASCO Products contain proprietary and confidential information. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights. No part of these Products may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted by VASCO or its authorized licensee in writing.

This document is protected under US and international copyright law as an unpublished work of authorship. No part of it may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted in writing by VASCO or its authorized licensee.

Trademarks

VASCO, VACMAN, IDENTIKEY, axsguard, DIGIPASS, and are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. Other company brand or product names or other designations, denominations, labels and/or other tags, titles, as well as all URLs (Internet addresses) linked to such designations or communications (irrespective of whether protected by intellectual property law or not), mentioned in VASCO Products may be the trademarks or registered trademarks or be part of any other entitlement of their respective owners.

Radius Disclaimer

Information on the RADIUS server provided in this document relates to its operation in the axsguard Gatekeeper environment. We recommend that you contact your NAS/RAS vendor for further information.

Copyright 2009 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved.

Table of Contents

1 Introduction: Audience and Purpose of this document; What is the axsguard Gatekeeper?; About VASCO
2 Accessing the Administrator Tool: Overview; Address for Accessing the Administrator Tool; Accessing the Administrator Tool
3 Quick Navigation Reference: Overview; System Information and Permanently On-Screen Buttons; Menu; Tables and Configuration Screens; Table View; Configuration Screens
4 System Configuration: Overview; General Menu; Customer Menu; Feature Activation Menu; UPS Settings Menu; Administrator Tool Menu; Tools Menu; Overview; Actions; Automatic Reboot; Returning to Factory Default Settings
5 Activating New Modules: Overview; Activating a New Module; Overview of Installed Modules (Activated Features)
6 Backup and Restore: Overview; Backing up the axsguard Gatekeeper Configuration; Backup Download; Weekly Backup; Daily Backup on Network Share; Backups on VASCO Servers; Restoring an axsguard Gatekeeper Configuration; Restoring a Backup on a Spare Unit
7 Update System: Overview; Notification of Available Updates; Manual or Automatic Updating; Version Updates; Overview; Version Testing and Approval; Installing the New Version; Accepting the New Version; Revision Updates; Reverting to a Previous Version
8 Security Levels and Policies: Overview; Security Policies; Security Levels with Authentication; User Level; Group Level; Security Levels without Authentication; Computer Level; System Level; Example Configurations
9 User and Group Management: Overview; axsguard Gatekeeper Users; axsguard Gatekeeper Groups; User and Group Level Security; Users & Groups: General Settings; 9.6 Creating and Modifying Users; Creating a User; General Settings; Module-Specific Settings; Administration Settings; Overview; Access to the Administrator Tool; Access to FTP files; Modifying a User; Creating and Modifying Groups; Creating a Group; Modifying a Group; Templates; Group Template Settings; User Template Settings
10 Computer Management: Overview; When to register a computer on the axsguard Gatekeeper; Computer Level Security; Registering a Computer on the axsguard Gatekeeper
11 Network Settings: Overview; Devices; Ethernet Network Device; Modifying an Ethernet Network Device; General Settings; Interface Types; Connection Settings; IP Settings; Account Settings; Connectivity Check; Virtual Local Area Networks (VLANs); What is a Virtual Local Area Network device?; Adding a VLAN Device; VLAN-Identifiers; PSTN Network Device; Modifying a PSTN Network Device; Settings; 11.3 Domain Name Server; What is DNS?; Domain Concept; Fully Qualified Domain Names (FQDN); Unqualified Domain Names (UQDN); axsguard Gatekeeper Internal DNS; axsguard Gatekeeper Internal DNS Flow; axsguard Gatekeeper Internal DNS Zone Transfers (Secondary DNS); Examples of axsguard Gatekeeper Internal DNS Setups; With Microsoft Active Directory Domain; Without Microsoft Active Directory Domain; With a Secondary DNS Server (DNS Zone Transfers); axsguard Gatekeeper as an Authentication Server with Active Directory; DNS Domain Forwarding; aXsGUARD Gatekeeper Public DNS; aXsGUARD Gatekeeper Dynamic DNS; DHCP Service; What is DHCP?; Data received from the axsguard Gatekeeper DHCP Server; axsguard Gatekeeper DHCP Ranges; axsguard Gatekeeper Static DHCP Leases; Configuring the axsguard Gatekeeper DHCP Server; Enabling the DHCP Service; Specifying DHCP IP Ranges; Adding a DHCP Static Lease; DHCP Used Leases; Routing; What is Routing?; Routing Table Entries; Default Gateway; Routing Mechanism; Adding a Route on the axsguard Gatekeeper; Consulting the Route Table; NAT (Network Address Translation); What is NAT?; Masquerading; Masquerading Principle; Pre-defined Masquerading; Adding Masquerading Rules on the axsguard Gatekeeper; SNAT (Source Network Address Translation); SNAT Principle; Adding SNAT Rules on the axsguard Gatekeeper; Port Forwarding; Port Forwarding Principle; Adding Port Forwarding Rules on the axsguard Gatekeeper; DNAT (Destination Network Address Translation); DNAT Principle; Adding DNAT Rules on the axsguard Gatekeeper; Port Redirection; Port Redirection Principle; Pre-defined Port Redirection; Adding Port Redirection Rules on the axsguard Gatekeeper; NAT Helpers; What are NAT helpers?; Enabling NAT Helpers
12 axsguard Gatekeeper and NTP: What is an NTP Server; Synchronizing the axsguard Gatekeeper with a Time Server; Checking the axsguard Gatekeeper System Time
13 System Status: Overview; System Info; Health Status; Access; Message Priorities; Run time Messages; Configuration Warnings; Services Status; Hard Drive, UPS and Kernel Status; High System Load Warning Messages
14 System Logs: Overview; Update History Log; Test Update History Log; Administrator Tool Log; Boot Log; Full Event Log; 14.7 Other Log
15 Troubleshooting
16 Support: Overview; If you encounter a problem; Return procedure if you have a hardware failure

Illustration Index

Image 1: axsguard Gatekeeper as a Proxy Server
Image 2: Certificate Screen
Image 3: Login Screen
Image 4: Changing the System Administrator Password
Image 5: Administrator Tool Layout
Image 6: Permanently On-Screen Buttons
Image 7: Menu and Sub Menu (left) Selection
Image 8: User Table View
Image 9: Deletion Warning
Image 10: Table Search Filters
Image 11: Selectable Tabs
Image 12: Example Screen with Drop Down Menu, Checkbox and Entry Field Configuration Methods
Image 13: Configuration Screen Buttons for Modifying Records (top row) or Creating a New Record (bottom row)
Image 14: System > General: Modify System Parameters
Image 15: System > Customer
Image 16: Selecting mail types to receive from VASCO
Image 17: System > Feature Activation
Image 18: System > UPS
Image 19: System > Administrator Tool
Image 20: System > Tools > Actions
Image 21: System > Tools > Automatic Reboot
Image 22: Activating a New Module
Image 23: System > Tools > Backup: Backup Download
Image 24: System > Tools > Backup: Weekly Backup by Mail
Image 25: System > Tools > Backup: Daily Backup on Network Share
Image 26: Windows Share Name
Image 27: System > Tools > Restore
Image 28: System > Software Updates > Update Packages: Update Change Log
Image 29: System > Software Updates > General: Automatic Revision Update Fields
Image 30: System > Software Updates > Update Packages: Manual Installation
Image 31: System > Software Updates > General: Accepting a New Version
Image 32: Revision Installation Notification
Image 33: System > Software Updates > General: Reverting to a previous Version
Image 34: Security Levels
Image 35: Security Policies and Levels
Image 36: Users & Groups > General
Image 37: Users & Groups > Users > Add User
Image 38: User & Groups > User > Add User: Module-Specific Fields
Image 39: User & Groups > User > Add User: axsguard Gatekeeper Administration
Image 40: Add User > axsguard Gatekeeper Administration: Mailing Settings
Image 41: Users & Groups > Groups > Add Group
Image 42: Group Template
Image 43: User & Groups > Groups > Template
Image 44: User Template
Image 45: Users & Groups > User > Template
Image 46: Computers > Add Computer
Image 47: Network > Devices > Eth > Modify Ethernet Device
Image 48: Authentication Only Use of axsguard Gatekeeper
Image 49: Gateway Use of axsguard Gatekeeper
Image 50: Network > Device > Eth > Modify Ethernet Device: Interface Types
Image 51: Network > Device > Eth > Modify Ethernet Device: Connection Settings
Image 52: Network > Device > Eth > Modify Ethernet Device: IP Settings
Image 53: Network > Device > Eth > Modify Ethernet Device: Account Settings
Image 54: Network > Device > Eth > Modify Ethernet Device: Connectivity Check
Image 55: Adding a Virtual LAN to an Ethernet Interface
Image 56: VLAN Identifiers
Image 57: Network > Devices > PSTN > Modify PSTN Device
Image 58: Domain Name Concept
Image 59: axsguard Gatekeeper Internal DNS Flow
Image 60: System > General: System Domain Name
Image 61: Network > DNS > Forwarding > Add Forwarding DNS Service
Image 62: Network > General: ISP Domain Name Server Fields
Image 63: Network > General: DNS Zone Transfer Fields
Image 64: DNS Requests Forwarded from Microsoft AD to axsguard Gatekeeper
Image 65: DNS Requests Forwarded from axsguard Gatekeeper to ISP
Image 66: axsguard Gatekeeper with Secondary DNS Server (DNS Zone Transfers)
Image 67: axsguard Gatekeeper as an Authentication Appliance
Image 68: Network > DNS > Forwarding > Add Forwarding DNS Service
Image 69: System > Feature Activation > Network: Activating Dynamic DNS Feature
Image 70: DHCP Validation Warning
Image 71: System > Feature Activation > Network: Activating DHCP Feature
Image 72: Network > DHCP Server > DHCP Subnets > Add DHCP Server Subnet
Image 73: Network > DHCP Server > DHCP Subnets > Add DHCP Server Subnet: Adding Additional IP Ranges
Image 74: Network > DHCP Server > Static Leases > Add Static DHCP Lease
Image 75: Network > DHCP Server > Used Leases
Image 76: axsguard Gatekeeper Routing Mechanism
Image 77: Network > Routing > Add Static Route Definition
Image 78: Main Routing Table
Image 79: NAT Masquerading
Image 80: Predefined Masquerading Rules
Image 81: Exception to Predefined Masquerading Rules
Image 82: Network > NAT > Masquerading > Add Masquerade
Image 83: Example with SNAT: DMZ with Private IPs
Image 84: Network > NAT > SNAT/DNAT > Add Network Address Translation (SNAT)
Image 85: Example of Port Forwarding towards a Web Server in the DMZ
Image 86: Network > NAT > Port Forwarding > Add Port Forwarding
Image 87: Example of DNAT towards a Web Server in the DMZ
Image 88: Network > NAT > SNAT/DNAT > Add Network Address Translation (DNAT)
Image 89: Example Port Redirection on the axsguard Gatekeeper
Image 90: Network > NAT > Port Redirection: Pre-defined Rules
Image 91: Network > NAT > Port Redirection > Add Port Redirection
Image 92: Network > NAT > General
Image 93: axsguard Gatekeeper Time Server
Image 94: Network > General
Image 95: System Time (right)
Image 96: System > Status > System Info
Image 97: System > Status > Health
Image 98: Health Message Types
Image 99: Health Message with link to where action is needed
Image 100: Health Messages with information only
Image 101: System > Status > Health > Start Configuration Check Manually
Image 102: System > Status > Services
Image 103: System > Logs > Update History
Image 104: Update History Log Entries
Image 105: System > Logs > Test Update History
Image 106: System > Logs > Admin Tool
Image 107: Admin Tool Log Entries
Image 108: System > Logs > Boot Log
Image 109: System > Logs > Full Event Log
Image 110: Full Event Log Entries
Image 111: Full Event Log Search
Image 112: System > Logs > Other
Image 113: Other Log Search

Index of Tables

Table 1: Addresses for Accessing the Administrator Tool
Table 2: System Information and Permanently On-screen Buttons
Table 3: axsguard Gatekeeper Main Menus
Table 4: axsguard Gatekeeper Generic Sub Menu Items
Table 5: Table Buttons and Functionality
Table 6: Table Search Filter Buttons
Table 7: Configuration Screen Buttons and Functionality
Table 8: System > General Fields
Table 9: System > Customer Screen: Mailing Preferences
Table 10: System > Administrator Tool Fields
Table 11: System > Tools > Actions: Actions and Descriptions
Table 12: System > Tools > Backup Fields
Table 13: System > Tools > Backup: Daily Backup on Network Share Fields
Table 14: Users and Groups > General Fields
Table 15: User & Groups > User > Add User Fields
Table 16: User & Groups > Users > Add User > axsguard Gatekeeper Administration: Tool Access Types
Table 17: User & Groups > Users > Add User > axsguard Gatekeeper Administration: Mailing Preferences
Table 18: User & Groups > Users > Add User > axsguard Gatekeeper Administration: FTP Access Fields
Table 19: Computers > Add Computer Fields
Table 20: Network > Device > Eth > Modify Ethernet Device General Fields
Table 21: Network > Device > Eth > Modify Ethernet Device: Interface Types
Table 22: Network > Device > Eth > Modify Ethernet Device: Connection Settings
Table 23: Network > Device > Eth > Modify Ethernet Device: IP Settings
Table 24: Network > Device > Eth > Modify Ethernet Device: Account Settings
Table 25: Network > Device > Eth > Modify Ethernet Device: Connectivity Check
Table 26: Network > Devices > PSTN > Modify PSTN Device Fields
Table 27: Network > General Screen: DNS Zone Transfer Fields
Table 28: Network > DNS > Forwarding > Add Forwarding DNS Service Fields
Table 29: Network > DHCP Server > DHCP Subnets > Add DHCP Server Subnet Fields
Table 30: Network > DHCP Server > Static Lease > Add DHCP Static Lease Fields
Table 31: Network > DHCP Server > Used Leases: DHCP Leases Fields
Table 32: Network > Routing Table Fields
Table 33: Example Routing Table based on image
Table 34: Network > Add Static Route Definition Fields
Table 35: axsguard Gatekeeper Predefined Masquerading Rules
Table 36: Network > NAT > Masquerading > Add Masquerade Rule Fields
Table 37: Network > NAT > SNAT/DNAT > Add Network Address Translation (SNAT) Fields
Table 38: Network > NAT > Port Forwarding > Add Port Forwarding Fields
Table 39: Network > NAT > SNAT/DNAT > Add Network Address Translation (DNAT) Fields
Table 40: Network > NAT > Port Redirection > Add Port Redirection Fields
Table 41: Network > NAT > General Fields
Table 42: Health Status Message Priorities
Table 43: System > Status > Services Fields

1 Introduction

1.1 Audience and Purpose of this document

This guide serves as a reference source for technical personnel and/or system administrators. Explanations of concepts, e.g. axsguard Gatekeeper User and Groups, are provided together with instructions on how to configure relevant settings.

- In sections 1.1 and 1.2, we introduce the axsguard Gatekeeper and VASCO.
- In section 2, we explain how to access the axsguard Gatekeeper Administrator Tool.
- In section 3, we provide a quick reference guide to navigating the Administrator Tool.
- In section 4, we describe how to configure settings in the axsguard Gatekeeper System Menu.
- In section 5, we explain how to activate axsguard Gatekeeper modules.
- In section 6, we describe the axsguard Gatekeeper backup and restore functions and the possibility to maintain a spare axsguard Gatekeeper unit for swift replacement, in case of the unlikely event of a system failure.
- In section 7, we describe how to update the axsguard Gatekeeper.
- In section 8, we explain the concepts of Security Levels and Policies. Understanding these concepts will help you to configure your organization's security policy with the axsguard Gatekeeper.
- In section 9, we explain how to register and manage Users and Groups on the axsguard Gatekeeper.
- In section 10, we explain how to register computers on the axsguard Gatekeeper.
- In section 11, we describe critical axsguard Gatekeeper network settings (Network Devices, DNS, DHCP, Routing, NAT, etc.).
- In section 12, we describe the axsguard Gatekeeper NTP settings.
- In section 13, we explain the System (health) Status information.
- In section 14, we explain the types of logs available.
- In section 15, some solutions are offered to solve difficulties.
- In section 16, we explain how to request support, and return hardware for replacement.

An index at the end of the document will help you to find specific information you are searching for.

Other documents in the set of axsguard Gatekeeper documentation include:

- axsguard Gatekeeper Installation Guide, which explains how to set up the axsguard Gatekeeper, and is intended for technical personnel and/or system administrators.
- 'How to guides', which provide detailed information on configuration of each of the features available as 'add-on' modules (explained in the next section). These guides cover specific features such as:
  - axsguard Gatekeeper Authentication
  - axsguard Gatekeeper Firewall
  - axsguard Gatekeeper Single Sign-On
  - axsguard Gatekeeper VPN
  - axsguard Gatekeeper Reverse Proxy
  - axsguard Gatekeeper Directory Services

Access to axsguard Gatekeeper guides is provided through the permanently on-screen Documentation button in the axsguard Gatekeeper Administrator Tool.

Further resources available include:

- Context-sensitive help, which is accessible in the axsguard Gatekeeper Administrator Tool through the Help button. This button is permanently available and displays information related to the current screen.
- Training courses covering features in detail can be organized on demand. These courses address all levels of expertise. Please see for further information.

Welcome to axsguard Gatekeeper security.

1.1 What is the axsguard Gatekeeper?

The axsguard Gatekeeper is an authentication appliance, intended for small and medium sized enterprises. In addition to strong authentication, the axsguard Gatekeeper has the potential to manage all of your Internet security needs. Its modular design means that optional features can be purchased at any time to support, for example, , Web access and VPN management.

The axsguard Gatekeeper can easily be integrated into existing IT infrastructures as a stand-alone authentication appliance or as a gateway providing both authentication services and Internet Security.

Authentication and other features such as firewall, and Web access, are managed by security policies, which implement a combination of rules, for example, whether a user must use a Digipass One-Time Password in combination with a static password for authentication. Security Policies are applied to specific users or groups of users and can also be applied to specific computers and the entire system.

1.2 About VASCO

VASCO is a leading supplier of strong authentication and Electronic Signature solutions and services specializing in Internet Security applications and transactions. VASCO has positioned itself as a global software company for Internet Security serving customers in more than 100 countries, including many international financial institutions. VASCO's prime markets are the financial sector, enterprise security, e-commerce and e-government.

Over 50 of VASCO's client authentication technologies, products and services are based on VASCO's one and unique core authentication platform: VACMAN. VASCO solutions comprise combinations of the VACMAN core authentication platform, IDENTIKEY, authentication server, axsguard authentication appliances, DIGIPASS client Password and Electronic Signature software and DIGIPASS PLUS authentication services.

For further information on these security solutions, please see

2 Accessing the Administrator Tool

2.1 Overview

The Administrator Tool is the interface used for configuring the axsguard Gatekeeper. Once the axsguard Gatekeeper has been connected to your network, you can access the Administrator Tool by logging on from any workstation in the same network using a standard Web browser, provided the browser does not have a proxy configured in its settings. Access is secured by SSL (Secure Socket Layer) encryption over the HTTPS protocol.

For instructions on how to connect the axsguard Gatekeeper to your network, please refer to the axsguard Gatekeeper Installation Guide, supplied with the axsguard Gatekeeper. Instructions on accessing the Administrator Tool are explained in this section.

2.2 Address for Accessing the Administrator Tool

The address for accessing the Administrator Tool depends on whether the axsguard Gatekeeper is used as the browser's proxy.

Table 1: Addresses for Accessing the Administrator Tool

Used as a Proxy Server? | Address to browse to:
Not used as a Proxy Server | e.g.
Used as a Proxy Server | Enter the secure LAN IP address of your axsguard Gatekeeper as the browser's proxy and 3128 as the port number (see image 1 below). Type tool in the browser's URL field.

Tips

- If the connection fails, check your browser's proxy settings. Remove any previous settings and try again.
- If Single Sign-On (SSO) is used, the browser's proxy settings are set automatically. For more information, please refer to the document, axsguard Gatekeeper Single Sign-On How To, available through the permanently on-screen Documentation button in the Administrator Tool.
- Using the axsguard Gatekeeper as a Proxy Server is only possible if the Content Scanning Module is purchased. For more information on Content Scanning, please refer to the document, axsguard Gatekeeper Web Access How To, available through the permanently on-screen Documentation button in the Administrator Tool.

Image 1: axsguard Gatekeeper as a Proxy Server

2.3 Accessing the Administrator Tool

As you are accessing a website secured with a self-signed certificate, the browser presents a warning asking you to accept the certificate (see image below). The procedure for accepting a certificate varies between browsers. After accepting the certificate, the axsguard Gatekeeper login screen appears (see image 3).

Image 2: Certificate Screen

Image 3: Login Screen

axsguard Gatekeeper administrators can be configured with different access privileges. Creating user and administrator accounts is explained in section 9. The default sysadmin account can only:

- Create and modify new axsguard Gatekeeper users (such as administrators, see section 9).
- Assign rights to the new axsguard Gatekeeper users (set the administrator type, see section 9.6.4).
- Access a spare axsguard Gatekeeper unit (see section 6.4).

If no other administrator account is available or you are accessing the Administrator Tool for the first time, enter the default system administrator's User name and Password (use lower case only):

User name: sysadmin
Password: sysadmin

Press Enter or click on the Log in button to proceed (see image above).

Caution

Changing the default System Administrator (sysadmin) password is critical for security. It should be changed as soon as you log on, otherwise the axsguard Gatekeeper can be accessed by non-authorized users. The sysadmin account cannot be removed; only the password can be changed.

After a successful login, the status screen is shown, with a warning including a link to the screen where you can modify the default system administrator's (sysadmin) password (see image below).

Image 4: Changing the System Administrator Password
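Section 2.3 has the administrator accept a self-signed certificate in the browser; the same trust decision can be made explicit by recording the certificate's SHA-256 fingerprint on first contact and comparing it on every later connection. The following Python code is an added example, not part of the VASCO documentation: the pin file name, the host and port arguments and the out-of-band reference fingerprint are assumptions, and the sample certificates in `demo()` are constructed bytes, not real certificates.

```python
"""Trust-on-first-use (TOFU) pinning for a self-signed HTTPS certificate."""
import base64
import hashlib
import hmac
import json
import ssl
import sys
import tempfile
from pathlib import Path
from typing import Optional


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER certificate as colon-separated upper-case hex,
    the form most browsers display in their certificate viewer."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Strip separators and case so differently formatted fingerprints compare."""
    return fp.replace(":", "").replace(" ", "").upper()


def fetch_pem(host: str, port: int) -> str:
    """Fetch the server certificate. No CA file is passed, so the chain is not
    validated here; trust comes only from the pin comparison in check_pin()."""
    return ssl.get_server_certificate((host, port))


def check_pin(store: Path, endpoint: str, pem: str,
              expected: Optional[str] = None) -> str:
    """Return 'pinned' (first contact, recorded), 'match' or 'MISMATCH'.

    expected is an optional reference fingerprint obtained out of band
    (assumption: e.g. read from the unit over a trusted connection). On first
    contact a certificate that differs from it is rejected and not pinned.
    """
    seen = fingerprint(pem)
    pins = json.loads(store.read_text()) if store.exists() else {}
    known = pins.get(endpoint)
    if known is None:
        if expected is not None and not hmac.compare_digest(
                normalise(expected), normalise(seen)):
            return "MISMATCH"
        pins[endpoint] = seen
        store.write_text(json.dumps(pins, indent=2))
        return "pinned"
    same = hmac.compare_digest(normalise(known), normalise(seen))
    return "match" if same else "MISMATCH"


def constructed_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour. CONSTRUCTED sample input only."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def demo() -> list:
    """Offline walk-through with constructed certificates and a temporary store."""
    appliance = constructed_pem(b"constructed appliance certificate")
    substitute = constructed_pem(b"constructed substitute certificate")
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "pins.json"
        first = "192.0.2.10:443"   # documentation-range placeholder endpoints
        second = "192.0.2.11:443"
        return [
            # First contact, certificate agrees with the out-of-band reference.
            check_pin(store, first, appliance, expected=fingerprint(appliance)),
            # Later connection, same certificate.
            check_pin(store, first, appliance),
            # Later connection, a different certificate is presented.
            check_pin(store, first, substitute),
            # First contact elsewhere, certificate differs from the reference.
            check_pin(store, second, substitute, expected=fingerprint(appliance)),
        ]


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(demo())
    else:
        # Usage: script.py HOST PORT [REFERENCE_FINGERPRINT]
        host, port = sys.argv[1], int(sys.argv[2])
        reference = sys.argv[3] if len(sys.argv) > 3 else None
        status = check_pin(Path("admin_tool_pins.json"), f"{host}:{port}",
                           fetch_pem(host, port), reference)
        print(f"{host}:{port} {status}")
        sys.exit(1 if status == "MISMATCH" else 0)
```

A MISMATCH after a restore, factory reset or unit replacement is expected, since the certificate may have been regenerated; any other MISMATCH should be investigated before logging in.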

3 Quick Navigation Reference

3.1 Overview

The Administrator Tool interface has three panes (highlighted orange in the image below): the pane across the top is permanently visible; the left pane displays the menu and the right pane displays configuration settings for viewing and modifying. The functionality offered in each pane is explained in the following sections.

Image 5: Administrator Tool Layout

Note

The number of menu items and options in the panes depends on the number of purchased/activated modules. Most of the menu items displayed above are not available on spare units (see section 6.4).

System Information and Permanently On-Screen Buttons

The system information (version number, revision number, etc.) and standard buttons Help, Status, Documentation and Logout are permanently available in the top pane of the Administrator Tool interface, while you are logged on (see image 6). The functionality provided through the buttons is described in the table below.

Image 6: Permanently On-Screen Buttons

Table 2: System Information and Permanently On-screen Buttons

Info/Button | Description
Version / Rev | axsguard Gatekeeper version and revision numbers
Administrator Name and Level | The name of the administrator currently logged into the Administrator Tool and their access level (see section 9.6.4)
System Time | The current axsguard Gatekeeper system time (see section 12)
Help | Provides help related to the currently selected menu item
Status | Shows the current axsguard Gatekeeper system status (see section 13)
Documentation | Provides access to all available documentation (PDF files and external links)
Logout | Logs the user out of the axsguard Gatekeeper

Menu

The axsguard Gatekeeper Administrator Tool has a tree menu structure, which is displayed in the left pane. Selecting a menu or sub menu item displays the corresponding configuration pane to the right (see image 7). Navigating the tree menu structure is possible using the following buttons:

- Clicking on the Collapse button closes all sub menus, returning the menu to its original state.
- Clicking on the plus sign displays (expands) the sub menu of the selected item. Clicking on the menu item while the sub menu is collapsed also displays the sub menu.
- Clicking on the minus sign closes (collapses) the sub menu of the selected item. Clicking on the menu item while the sub menu is displayed also closes the sub menu.

Tip

In the Administrator Tool, a selectable item can be identified by moving the cursor over it. The cursor changes to a hand-pointing symbol:

Some menu items, such as Computers, do not have sub menus. Some sub menu items are generic and some are module-specific. Module-specific sub menu items are explained separately in the relevant axsguard Gatekeeper How To guides available through the permanently on-screen Documentation button. Main menus and the generic sub menus are described in the tables below.

Image 7: Menu and Sub Menu (left) Selection

Table 3: axsguard Gatekeeper Main Menus

Main Menu Item | Description
System | This menu displays several system-critical tools, system settings and system logs. Examples are: the axsguard Gatekeeper Feature Activation tool, the axsguard Gatekeeper DNS name, Domain name, System Update Settings, System Backup and Restore functions, and System Status, etc.
Users and Groups | This menu displays axsguard Gatekeeper user and group settings for viewing or modification, e.g. Web access rights, firewall rights, etc.
Computers | This menu displays computer-specific settings for viewing or modification, e.g. firewall rights assigned to a specific server in the network.
Authentication | This menu displays authentication-related settings for viewing or modification. All available authentication methods, such as two-factor authentication (VASCO DIGIPASS), RADIUS authentication and other authentication methods are configured through this menu.
Module-related | Additional axsguard Gatekeeper features can be licensed on a modular basis. Once activated on the axsguard Gatekeeper, module-specific sub menus are available through the main menu in the Administrator Tool (see section 4.4). Examples are: advanced mail filtering, VPN solutions, HTTP Proxy and Reverse Proxy, Intrusion Prevention (IPS), Firewall, Directory Services, Bandwidth Management (QoS), Advanced Monitoring and Reporting, etc.
Add-ons | This menu supports installation of add-on programs, such as the axsguard Gatekeeper Single Sign-On Tool (for more information, please refer to the document axsguard Gatekeeper Single Sign-On How To available through the permanently on-screen Documentation button).

Table 4: axsguard Gatekeeper Generic Sub Menu Items

Sub Menu Item | Description
General | Main configuration settings for a module can be viewed or modified in the General sub menu. Special syntax may be required for some modules, e.g. the Directory Services module requires LDAP syntax. Module-specific settings and syntax are explained in the respective axsguard Gatekeeper How To guides, available through the permanently on-screen Documentation button.
Status | This sub menu displays the module-specific status information (see note below). This is useful if a problem occurs, for example a synchronization error with a Directory Server. The format of the status information is also module-specific, and is explained in the respective axsguard Gatekeeper How To guides, available through the permanently on-screen Documentation button.
Tools | Tools may be module-specific or system-specific. The Tools sub menu allows new setups to be tested, and the system to be shut down for maintenance, etc. (see section 4.7.2).
Logs | Logs are records of system or module-specific events, which help administrators to track and solve problems. Filters support searching for specific records within a given log file (see Search Filters p27).

Note

The axsguard Gatekeeper system status button (top right of the screen) remains permanently accessible and should not be confused with the Status sub menu of a module.

Tables and Configuration Screens

Clicking on a menu or sub menu topic displays the corresponding information or configuration settings in the right pane of the Administrator Tool interface. Information or settings are presented in one of two ways:
- tables provide an overview of settings for a particular type of object, e.g. Groups, Users, or DIGIPASS
- configuration screens present the settings for a particular object, for viewing or modification.

Note: Settings can only be added or modified if an administrator is logged on with the appropriate rights (see section 9).

Table View

Clicking on some menu items, e.g. Users & Groups > Users (see image 8), displays a table in the right pane.

Image 8: User Table View

Table buttons

Caution: Deleted objects (e.g. a user, a configuration setting, etc.) cannot be recovered. For example, deleting a user irrevocably deletes the user mailbox and settings!

Two groups of controls are displayed on screen above the table: the search filter controls (explained below) and buttons for various operations: Items per page, Template, Add New, Delete, Export and Refresh (see image 8). These buttons are explained in the table below.

Table 5: Table Buttons and Functionality

Button: Functionality
Add New: Adds a new (sub)menu-specific object, e.g. a user, a group, a client, a firewall rule, etc.
Delete: Deletes a (sub)menu-specific object, e.g. a user, a group, a client, a firewall policy, etc. Deleting an object with references is not allowed and generates a warning message. For example, deleting a group which still contains users generates a message as shown in image 9.
Export: Exports the configuration data (e.g. User records) to a CSV file (Comma Separated Values).
Refresh: Refreshes the screen with the most current information. This is useful for checking that recent modifications have been applied (e.g. when synchronizing users and groups with a Directory Server).
Column Toggle: Inverts the selections in a column of records.
Row Toggle (top): Enables/disables the record in a selected row.
Items per Page: This drop-down menu allows you to select the number of objects (e.g. users, groups, log files etc.) to be displayed on screen.

Image 9: Deletion Warning

Search Filters

Tables may contain large numbers of records. Search filters help administrators to restrict viewing specifically to relevant records. Entering a search string in the available field (see image 10) displays only the records which match the search string. Search filter buttons are described in the table below.

Image 10: Table Search Filters

Table 6: Table Search Filter Buttons

Button functionality:
- Navigates to first page
- Navigates to previous page
- Navigates to next page
- Navigates to last page
- Filters out all records except those with the matching search string
- Clears the entered search string
- Switches case sensitivity for the search string on/off
- Field for entering search string

Tip: A tool tip pops up when the cursor is positioned over the buttons.

Configuration Screens

Clicking on an object in a table (e.g. a user name) displays the configuration settings. Multiple settings may be grouped and accessible through separate tabs (see image 11). The number of tabs varies depending on the number of activated axsguard Gatekeeper modules.

Image 11: Selectable Tabs

Configuration Settings

Some settings can be selected from drop-down lists, some need to be entered manually in data fields using a special syntax, and some require a checkbox to be selected (examples are shown in the image below).

Image 12: Example Screen with Drop Down Menu, Checkbox and Entry Field Configuration Methods

Tip: Labels for mandatory fields are bold (e.g. Server IP Address in image 12).

Configuration Screen Buttons

The configuration screen buttons vary depending on whether an existing record is being modified (top row in the image below) or a new record is being entered (bottom row). Buttons are explained in the table below.

Image 13: Configuration Screen Buttons for Modifying Records (top row) or Creating a New Record (bottom row).

Table 7: Configuration Screen Buttons and Functionality

Button: Functionality
Add New: Adds a new (sub)menu-specific object, e.g. a user, a group, a client, a firewall rule, etc.
Cancel: Prevents new or modified settings from being stored and cancels the current operation, returning to the previous screen.
Delete: Deletes a (sub)menu-specific object, e.g. a user, a group, a client, a firewall policy, etc. Deleting an object with references is not allowed and generates a warning message. For example, deleting a group which still contains users generates a message as shown in image 9.
Edit as New: Creates a copy of the selected record, keeping the same configurations.
Save: Stores any new objects, e.g. a new firewall rule. The Save button is only available on screens where saving is required.
Update: Submits any modifications to axsguard Gatekeeper settings. Modifications are lost if the Update button is not clicked.

4 System Configuration

4.1 Overview

This section covers the axsguard Gatekeeper's System menu, explaining configuration in detail for the following sub menus:
- General
- Customer
- Feature Activation
- UPS
- Administrator Tool
- Tools
- Returning to Factory Default settings

4.2 General Menu

Caution: The Domain Name set on the System > General screen is not necessarily the Windows Domain Name. Please see the table below for more information.

Navigate to System > General. A screen similar to image 14 is displayed. Fields and their settings are explained in the table below.

Image 14: System > General: Modify System Parameters

Table 8: System > General Fields

Field: Description
Host name: This is the internal (DNS) name of the axsguard Gatekeeper. The name axsguard is used by default. VASCO recommends not changing this name unless absolutely necessary, in which case no upper case, special characters or spaces may be used. Changing the host name requires Advanced Administrator access (see section 2).
Domain Name: Enter your organization's domain name. No upper case, special characters or spaces may be used. If more than one domain name exists, enter the main Domain Name. This domain becomes the primary domain for the internal DNS server and is used whenever the axsguard Gatekeeper sends an e-mail to the administrator or to the outside world. See section 11.3 for information about the internal DNS server. (See Caution below).
Time zone: Select the applicable Time Zone from the drop-down list. This is the local axsguard Gatekeeper time zone which is used by the system processes. NTP is explained in section 12.
System Administrator address: This field is used to enter the system administrator's address(es). Use the add button to enter additional addresses. System-critical information, such as important updates and system alerts, is sent to the specified address(es). Important mails about new modules, new axsguard Gatekeeper software upgrades, important system reports (such as from the IPS module) and axsguard Gatekeeper system backup information are also sent to the specified addresses.
System Administrator Password: These fields are used to enter the sysadmin password. The password should be entered twice for verification. Passwords must comply with complexity rules (see section Secure Password Checker p59).
Country: Select the applicable country from the drop-down list.

4.3 Customer Menu

Navigate to System > Customer. A screen similar to image 15 is displayed. This screen is used to enter customer information, which is uploaded to the VASCO customer database in order to keep system administrators informed about new system features and product updates, and to facilitate customer support and remote assistance.

Note: Keeping this information up-to-date optimizes and facilitates VASCO customer support.

Image 15: System > Customer

System administrators can choose the type of mailings which are sent by VASCO to the address supplied on this screen. How to configure preferences is explained in the table below.

Table 9: System > Customer Screen: Mailing Preferences

Preference: Boxes to check/uncheck
To receive all mailings: Check: I herewith allow Able NV to send me all relevant axsguard Gatekeeper & VASCO informational and technical mailings.
To receive selective mailings: Uncheck the: I herewith allow Able NV to send me all relevant axsguard Gatekeeper & VASCO informational and technical mailings option. A list of mailing types is offered. Check the mailings you prefer to receive.
To receive no mailings: Uncheck the: I herewith allow Able NV to send me all relevant axsguard Gatekeeper & VASCO informational and technical mailings option. A list of mailing types is offered. Leave all further mailing options unchecked.

Image 16: Selecting mail types to receive from VASCO

4.4 Feature Activation Menu

VASCO differentiates between Modules and Features as follows:
- Modules are software packages combining several features, such as the Firewall and IPS Module.
- Feature is the term used in the Administrator Tool for a specific feature such as the Firewall.
- Special features required by country specific legislation, e.g. obfuscating user names in Web Access and Mail reports. The special features can only be enabled or disabled by VASCO Support. More information is available in the axsguard Gatekeeper Web Access and Relay How To.

When new modules are activated, the corresponding features are activated automatically. How to activate new modules is described in section 5.

Standard features which are enabled by default in the axsguard Gatekeeper and new features activated automatically when a module is activated may not all be required. Disabling unused features optimizes system performance. We explain here how to activate or deactivate axsguard Gatekeeper features.

To activate a feature:
1. Navigate to System > Feature Activation
2. In the right pane, expand the sub menu for the feature you wish to enable
3. Check or uncheck the boxes to activate or deactivate features respectively (see image 17)
4. Click on Update

After activating a feature, the configuration menu becomes available in the left pane.

Image 17: System > Feature Activation

Notes:
- See section 5 for information about activating newly purchased axsguard Gatekeeper Software Packages.
- A feature is only accessible for activation when purchased.
- Some special features can only be enabled or disabled by VASCO Support (see above).

4.5 UPS Settings Menu

A UPS (uninterruptible power supply) is a device which allows a server to continue running for a while if the primary power source is lost. It also provides protection against power surges. The axsguard Gatekeeper only supports the APC Smart-UPS and Back-UPS Pro. The UPS is connected to the axsguard Gatekeeper with a serial cable and uses a PSTN device for communication. If power is lost, the UPS notifies the axsguard Gatekeeper before its battery is depleted. This ensures that the axsguard Gatekeeper shuts down properly and prevents data corruption.

To configure the settings of the connected UPS:
1. Navigate to System > UPS
2. Enter the requested data
3. Click on Update to finish

The PSTN device configuration settings (Network > Devices > PSTN) are explained in section

Image 18: System > UPS

Note: Make sure the UPS feature is activated. See section

Administrator Tool Menu

General settings for the Administrator Tool are configured on the System > Administrator Tool screen.
1. Navigate to System > Administrator Tool. A screen similar to image 19 appears.
2. Modify the settings as required. Fields are explained in the table below.
3. Click on Update to finish.

Image 19: System > Administrator Tool

Table 10: System > Administrator Tool Fields

Field: Description
Administrator Tool Time-Out: Enter the time in minutes for the period of inactivity after which the axsguard Gatekeeper Administrator Tool is automatically disconnected. The system default is 15 minutes. This is an extra security precaution in case an administrator forgets to log off. Setting the value to 0 disables the time-out.
Name to go to the axsguard Gatekeeper Administrator Tool: The name specified in this field automatically resolves to the axsguard Gatekeeper Administrator Tool if the axsguard Gatekeeper is configured as your browser's proxy server (see section 2). The system default is tool. This name is added to the axsguard Gatekeeper's internal DNS (see section ).

4.7 Tools Menu

Overview

Caution: Never disconnect the power supply (power cord) while the axsguard Gatekeeper is booting up or active, as this may cause system or hardware damage. Always use the Tools > Actions menu to reboot or switch off the axsguard Gatekeeper.

Four system tools are grouped under the Tools menu:
- Actions
- Backup
- Restore
- Automatic Reboot

The Backup and Restore functions are explained separately in section 6. Below we describe Actions and Automatic Reboot.

Actions

Navigate to System > Tools > Actions. A screen similar to the image below appears. Actions are described in the table below.

Image 20: System > Tools > Actions

Table 11: System > Tools > Actions: Actions and Descriptions

Button/Action: Description
Reboot: Click this button to reboot the axsguard Gatekeeper.
Shut Down: Click this button to shut down the axsguard Gatekeeper.
Rebuild (Empty) Proxy Cache: This function is only available with the Content Scanning Module and is explained in the document axsguard Gatekeeper Web Access How To, available through the permanently on-screen Documentation button.

Automatic Reboot

Navigate to System > Tools > Automatic Reboot. A screen similar to the image below appears.

Image 21: System > Tools > Automatic Reboot

The fields on the Modify Automatic Reboot screen are self-explanatory. Automatic reboot can be enabled/disabled, the day, time and frequency for automatic reboot can be specified and the date and time of the next reboot is indicated (see image 21).

Reboots are useful to check the axsguard Gatekeeper hard drive(s) for integrity. Generally, this occurs automatically at boot time, if the system detects that a file system is inconsistent, indicating failure to shut down properly, such as a crash or power failure. The system hard drives are additionally checked for consistency by default every 33 reboots or every 6 months.

4.8 Returning to Factory Default Settings

You can reset the axsguard Gatekeeper to its factory default settings via the axsguard Gatekeeper console tool. The console tool is a text-based command line interface (CLI) to edit and display critical axsguard Gatekeeper settings and variables via menus. It also allows commands to be executed for advanced troubleshooting, such as network traffic analysis.

In this section, we explain how to enable access to the axsguard Gatekeeper console. Details about using the console tool and resetting the axsguard Gatekeeper to its factory default settings are available in the axsguard Gatekeeper Command Line Interface How To, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool.

Caution: Make sure to back up all your configuration and user data before restoring the axsguard Gatekeeper to its factory default settings. Details about backing up your axsguard Gatekeeper configuration and user data are available in section

5 Activating New Modules

5.1 Overview

VASCO differentiates between Modules and Features as follows:
- Modules are software packages combining several features, such as the Firewall and IPS Module.
- Feature is the term used in the Administrator Tool for a specific feature such as Firewall.

How to activate features has been explained in section 4.4. Here we explain how to activate newly purchased axsguard Gatekeeper modules. When modules are activated, the corresponding features are activated automatically.

5.2 Activating a New Module

System administrator(s) are automatically notified by e-mail if a new module has been purchased. Activation of the new module requires two steps:
1. Log on to the axsguard Gatekeeper as a Full or Advanced Administrator (administrator levels are explained in section 9.6.4). An on-screen message indicates that there are inactivated modules (see image 22).
2. Click the link (here) to activate the module and follow the on-screen instructions.

Image 22: Activating a New Module

5.3 Overview of Installed Modules (Activated Features)

An overview of purchased modules is available. How to access this overview is explained in section

6 Backup and Restore

6.1 Overview

Backup and Restore functionalities allow the axsguard Gatekeeper's configuration to be saved, and recovered later if necessary. They also allow you to restore a backup on a spare axsguard Gatekeeper unit, in case of a hardware failure. An axsguard Gatekeeper spare unit has reduced menu options (factory defaults), which are expanded as soon as the restore procedure, explained further in this chapter, has been completed. The Backup and Restore screens are accessible through the System > Tools sub menu. Available options on these screens are explained in the following sections.

6.2 Backing up the axsguard Gatekeeper Configuration

Navigate to System > Tools > Backup to display the Modify Backup screen with tabs (explained below) for:
- Backup Download
- Weekly Backup
- Daily Backup on Network Share

These and a fourth backup option, backup on VASCO Servers, are described in the following sections.

Backup Download

Caution: Backup Download does not back up e-mails, log files or any other user data. Daily Backup on Network Share creates these backups (see section 6.2.3).

Backup Download allows you to save the current axsguard Gatekeeper configuration settings. The backup file(s) created can later be restored to the axsguard Gatekeeper if a configuration error occurs (see section 6.3). Configuration settings are saved in a compressed '.tgz' file.

To create a backup:
1. Navigate to System > Tools > Backup
2. Click on Save as (see image 23)
3. Browse to select the location for storing the backup.

Image 23: System > Tools > Backup: Backup Download

Weekly Backup

Caution: Weekly Backup does not back up e-mails, log files or any other user data. Daily Backup on Network Share creates these backups (see section 6.2.3).

Weekly Backup allows a backup of the axsguard Gatekeeper configuration to be sent to one or more addresses.

To configure a weekly backup:
1. Navigate to System > Tools > Backup
2. Click on the Weekly Backup tab (see image below)
3. Configure the settings as required. Fields are explained in the table below.
4. Click on Update

Image 24: System > Tools > Backup: Weekly Backup by Mail

Table 12: System > Tools > Backup Fields

Field: Description
address for backup: A copy of the weekly axsguard Gatekeeper backup configuration is sent to the specified address(es).
Reporting Frequency: Two options are available:
- Test configuration now: Immediately sends a configuration backup to the specified address(es). This option can be used to test whether the system is operating correctly or to create a real-time backup at any given moment. The option automatically reverts to weekly once the backup file has been sent.
- Weekly: is the system default option and sends a weekly configuration backup to the specified address(es).

Daily Backup on Network Share

Tip: Daily Backup on Network Share allows you to make a backup of axsguard Gatekeeper user data, such as e-mail, logs, etc. VASCO recommends that you enable this option as shown in image 25.

Daily Backup on Network Share allows you to make a backup of the axsguard Gatekeeper configuration and critical user data, such as e-mails and log files, to a network share. System administrators receive a report via e-mail when the backup has been completed. The report is sent to the address(es) specified on the System > General screen. If an error occurs during the backup process, the type of error is also reported.

To configure the Daily Backup on Network Share:
1. Navigate to System > Tools > Backup
2. Click on the Daily Backup on Network Share tab (see image below).
3. Enter the Server settings and select the data to be backed up (fields are explained in the table below).
4. Click on Update. A 'Create Now' button appears at the bottom of the screen, which can be used to create a backup immediately, to test the settings.

Image 25: System > Tools > Backup: Daily Backup on Network Share

Table 13: System > Tools > Backup: Daily Backup on Network Share Fields

Server Setting: Description
Do automatic daily backup at (hh:mm): Enter the time for the daily backup to be made in hh:mm format. The time is referenced from the axsguard Gatekeeper system time.
Remote Server Name: Enter the DNS name or IP address of the remote server on which the daily backup should be stored.
Share on Remote Server: Enter the name of the remote server's network share to be used for the daily backup. This is not the path used on the remote server, but the actual share name (label, see image 26). For instance, a share can be labeled as 'axsguard' while actually pointing to c:/data/backups.
Directory on Share: Enter the directory within the remote server's share where the daily backup should be stored. Leave this field empty if you do not wish to specify a subdirectory or if the remote server share does not contain any subdirectories. Specified subdirectories should be separated by \, for instance axsguard\axsbackup. Single subfolders cannot be preceded or followed by '\' (as shown in image 25).
User: Enter a user account with adequate write permissions for the specified network share (optional).
Password: Enter the password for the user account above. The password should be entered twice for verification (optional).

Backup Contents: Check the boxes for the data to be backed up. Including the date in file names prevents previous backup files from being overwritten. You can choose to back up:
- axsguard Gatekeeper configuration
- logs
- e-mails
- faxes (only available in Belgium), and
- SSL VPN settings

Image 26: Windows Share Name

Backups on VASCO Servers

Caution: Backups to VASCO Servers do not include e-mails, log files or any other user data. Daily Backup on Network Share creates these backups (see section 6.2.3).

For customers who subscribe to a Managed Services contract, VASCO provides an axsguard Gatekeeper configuration backup service for disaster recovery. Backups to VASCO Servers are updated every 3 hours for subscribing customers. Only the latest backup is stored on the VASCO Servers: previous (older) backups are removed.

6.3 Restoring an axsguard Gatekeeper Configuration

Caution:
1) Restoring a backup of a different axsguard Gatekeeper license erases all e-mails, logs and other files stored on the axsguard Gatekeeper.
2) The revision and version numbers of a backup file should be older or equal to the version and revision numbers of the current system.

Restore allows you to restore an earlier axsguard Gatekeeper configuration. To restore an earlier configuration:
1. Navigate to System > Tools > Restore
2. Click on the Browse button to locate the appropriate backup file (see image 27). Backup files have the extension '.tgz' (see section 6.2).
3. Reboot the axsguard Gatekeeper to load the new settings (see section 4.7.2).

Image 27: System > Tools > Restore

6.4 Restoring a Backup on a Spare Unit

The spare axsguard Gatekeeper unit can only be accessed with the sysadmin account (for more information about the sysadmin user, see section 2). Detailed information about maintaining a spare axsguard Gatekeeper unit is available in the axsguard Gatekeeper Replacement How To, which can be accessed by clicking on the permanently on-screen Documentation button in the Administrator Tool.

7 Update System

7.1 Overview

Caution: VASCO strongly advises that you enable automatic updates: without regular updates, the axsguard Gatekeeper may become vulnerable to attacks.

As the Internet is evolving continuously, new attacks and ways of exploiting networks are frequently discovered, which may pose a security threat to your network. It is therefore essential to keep the axsguard Gatekeeper updated. Two types of updates exist:
- Version updates, which include major axsguard Gatekeeper improvements
- Revision updates, which correct small errors

Notifications of available updates, configuration for manual or automatic installation, and the updating processes are explained in the following sections.

7.2 Notification of Available Updates

Administrators are automatically notified by e-mail when an update is available. The e-mail provides detailed information about the software improvements and changes (changelog) and should be read thoroughly before installation.

Tip: The information which is provided in the update notification is also available in a changelog which can be accessed by navigating to System > Software Updates > Update Packages. Click on the Package Name to view the changelog information (see image 28).

Image 28: System > Software Updates > Update Packages: Update Change Log

7.3 Manual or Automatic Updating

System updates (Revisions and Versions) can be installed manually or automatically. A system reboot is required with both methods. Navigate to System > Software Updates > General and select the appropriate tab (Revision or Version). A screen similar to image 29 is displayed.

To configure for manual installation:
- uncheck the Automatic Updates option
- click the Update button

To configure for automatic installation:
- check the Automatic Updates option
- specify the time for the installation of the new version or revision update
- click the Update button

The axsguard Gatekeeper will be rebooted at the specified time and automatically install the new update.

Caution: Automatic updating of Versions always requires system administrator intervention to approve the test upgrade report and to accept the new Version permanently (see section 7.4 below).

Image 29: System > Software Updates > General: Automatic Revision Update Fields

7.4 Version Updates

Overview

Version updates include major axsguard Gatekeeper improvements. Given the scale and impact of Version updates, they are tested automatically before installation. The test simulates the update without actually activating it. System administrator interaction is always required before a Version update can be definitively installed on the axsguard Gatekeeper.

Version updating has three phases:
1. Version testing and approval of the test report
2. Installation of the Version (manually or automatically)
3. Confirmation to definitively accept the new Version

These are explained in the following sections.

7.4.2 Version Testing and Approval

Version updates are tested automatically. The automatic testing functionality counters risks associated with Version updates. While the Version update is being tested (simulated), the axsguard Gatekeeper continues running with the current Version. A test report is automatically generated and indicates the actions required prior to installing the Version. This phase allows system administrators to assess any errors which may occur in a live environment and take the necessary preventive measures.

To access and approve the test report, navigate to System > Software Updates > Test Upgrade. To rerun a test, click on Start Test Upgrade. The last ten test reports remain available for reference (please see section 14.3).

Installing the New Version

A new Version cannot be installed until it has been approved (see previous section). After approval of the Version test (see previous section):

With Automatic Updates checked for Versions on the System > Software Updates > General screen, the new Version will be installed automatically at the specified time (see section 7.3).

With Automatic Updates unchecked for Versions on the System > Software Updates > General screen, the Version can be manually installed as follows:
1. Navigate to System > Software Updates > Update Packages
2. Click on the Version update package
3. Check the Activated? checkbox
4. Click Update (see image 30). An installation notification is displayed.
5. Navigate to System > Tools > Actions and reboot the axsguard Gatekeeper. The new Version will be installed during the reboot process.

Image 30: System > Software Updates > Update Packages: Manual Installation

7.4.4 Accepting the New Version

Caution:
1. The new version should only be accepted if everything is functional. If not, reboot the axsguard Gatekeeper to revert to the previous version.
2. If this action is skipped, the axsguard Gatekeeper will revert to the previous version when rebooted.

After the system has rebooted, to install the new version definitively:
1. Navigate to System > Status > Health
2. Check that all services are working correctly
3. If all services are working correctly, navigate to System > Software Updates > General
4. Check the Keep the current version permanently option (see image 31)
5. Click the Update button to finish

Image 31: System > Software Updates > General: Accepting a New Version

7.5 Revision Updates

Revision updates correct small errors and are downloaded automatically. Installation of downloaded Revisions can be manual or automatic.

With Automatic Updates checked for Revisions on the System > Software Updates > General screen, no action is required and the new Revision will be installed automatically at the specified time (see section 7.3).

With Automatic Updates unchecked for Revisions on the System > Software Updates > General screen, the Revision can be manually installed as follows:
1. Navigate to System > Software Updates > Update Packages
2. Click on the Revision name

3. Check the Activated? field
4. Click on Update. An installation notification is displayed (see image 32).
5. Navigate to System > Tools > Actions and reboot the axsguard Gatekeeper. The new Revision will be installed during the reboot process.

Image 32: Revision Installation Notification

7.6 Reverting to a Previous Version

Caution:
1. VASCO recommends not reverting to a previous version if a new version has been in place for an extensive period (more than 2 weeks).
2. In the unlikely event of upgrade difficulties, administrators should revert to a previous version immediately.

In the unlikely event of upgrade difficulties, it is possible to revert to a previous axsguard Gatekeeper version. To revert to a previous version:
1. Navigate to System > Software Updates > General
2. Select the version to be restored from the Available Versions to Restore drop-down list (see image 33).

Image 33: System > Software Updates > General: Reverting to a previous Version

Note: Reverting to a previous version is only possible if it is still available on the system. Old versions are automatically removed from the system after a certain period of time to save disk space.
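The Version update sequence from sections 7.3 and 7.4 (test, approve, install on reboot, then accept or fall back), modelled as a small state machine. This is an added Python illustration, not VASCO code; the class, method and phase names are hypothetical and the version strings are constructed.

```python
# Added model of the Version update lifecycle in sections 7.3 and 7.4.
# Hypothetical names throughout; this is not an axsguard Gatekeeper API.
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class Phase(Enum):
    IDLE = auto()       # current Version is permanent, nothing pending
    TESTED = auto()     # test upgrade simulated, report awaits approval
    APPROVED = auto()   # test report approved by an administrator
    ACTIVATED = auto()  # package set to install during the next reboot
    TRIAL = auto()      # new Version running but not yet kept permanently


class UpdateError(Exception):
    """Raised when a step is attempted out of the documented order."""


@dataclass
class Appliance:
    running: str                      # Version currently in use
    automatic_updates: bool = False   # "Automatic Updates" box for Versions
    candidate: Optional[str] = None   # Version being tested or installed
    fallback: Optional[str] = None    # Version to return to while on trial
    phase: Phase = Phase.IDLE
    history: List[str] = field(default_factory=list)

    def _require(self, *allowed: Phase) -> None:
        if self.phase not in allowed:
            raise UpdateError(f"step not allowed in phase {self.phase.name}")

    def run_test_upgrade(self, version: str) -> None:
        # The test only simulates the update; the running Version is untouched.
        self._require(Phase.IDLE, Phase.TESTED)
        self.candidate, self.phase = version, Phase.TESTED
        self.history.append(f"tested {version}")

    def approve_test_report(self) -> None:
        self._require(Phase.TESTED)
        # Automatic Updates skips the manual "Activated?" step, not approval.
        self.phase = Phase.ACTIVATED if self.automatic_updates else Phase.APPROVED
        self.history.append(f"approved {self.candidate}")

    def activate_package(self) -> None:
        # Manual path: check "Activated?" on the package, then Update.
        self._require(Phase.APPROVED)
        self.phase = Phase.ACTIVATED
        self.history.append(f"activated {self.candidate}")

    def reboot(self) -> None:
        if self.phase is Phase.ACTIVATED:
            # The new Version is installed during the reboot process.
            self.fallback, self.running = self.running, self.candidate
            self.phase = Phase.TRIAL
            self.history.append(f"installed {self.running} on trial")
        elif self.phase is Phase.TRIAL:
            # Acceptance was skipped: the system reverts on reboot.
            self.history.append(f"reverted {self.running} -> {self.fallback}")
            self.running = self.fallback
            self.candidate = self.fallback = None
            self.phase = Phase.IDLE

    def keep_permanently(self, all_services_ok: bool) -> None:
        # "Keep the current version permanently", after checking Status > Health.
        self._require(Phase.TRIAL)
        if not all_services_ok:
            raise UpdateError("services failing: reboot to revert instead")
        self.candidate = self.fallback = None
        self.phase = Phase.IDLE
        self.history.append(f"accepted {self.running}")


def skipped_acceptance(old: str, new: str) -> Appliance:
    """Walk the manual path but reboot again without accepting."""
    box = Appliance(running=old)
    box.run_test_upgrade(new)
    box.approve_test_report()
    box.activate_package()
    box.reboot()   # new Version now on trial
    box.reboot()   # any further reboot before acceptance reverts
    return box


def accepted(old: str, new: str) -> Appliance:
    """Walk the automatic path and accept once services check out."""
    box = Appliance(running=old, automatic_updates=True)
    box.run_test_upgrade(new)
    box.approve_test_report()
    box.reboot()   # scheduled reboot installs the approved Version
    box.keep_permanently(all_services_ok=True)
    box.reboot()   # later reboots no longer revert
    return box


if __name__ == "__main__":
    for box in (skipped_acceptance("old-version", "new-version"),
                accepted("old-version", "new-version")):
        print(box.running, box.phase.name, box.history)
```

The model makes the operational consequence explicit: an unplanned reboot (power loss, Automatic Reboot schedule) during the trial phase silently returns the appliance to the previous Version, so acceptance should follow the health check promptly.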

8 Security Levels and Policies

8.1 Overview

An organization's security policy is configured in the axsguard Gatekeeper using two concepts: axsguard Gatekeeper Security Policies and axsguard Gatekeeper Security Levels.

axsguard Gatekeeper Security Policies manage authentication and other features such as firewall, e-mail and Web access through a combination of rules, for example, whether a user must use a DIGIPASS One-Time Password in combination with a static password for authentication.

axsguard Gatekeeper Security Policies are assigned at four Security Levels: user, group, computer and system levels. Assigning Security Policies at the user and group levels requires user authentication. Assigning Security Policies at the computer and system levels does not require user authentication. As no user credentials are provided for the computer and system levels, they are implicitly less secure. VASCO therefore recommends enforcing user authentication whenever possible.

In the following sections, we describe the concepts of Security Policies and Security Levels in more detail, and provide examples to illustrate how they simplify implementation of your organization's security policy.

Image 34: Security Levels

8.2 Security Policies

Security Policies define rights for authentication and for data transmission related to e-mail, Web access and the firewall: e-mail policies are based on the sender's and the receiver's addresses. Web access and firewall policies can be assigned at the system level, the computer level (based on the IP address), or after authentication at the user level.

Authentication allows the configured group or user specific policies to be assigned. Without authentication, the axsguard Gatekeeper cannot identify the user, and will assign either computer or system based policies for Web and firewall access.

Image 35 explains the concept of security policies, the rules they contain and their relation to the axsguard Gatekeeper security levels. In order to link individual rules, which are the smallest configuration element of an axsguard Gatekeeper feature, to security levels, three simple steps are required:
1. Create the rule.
2. Add the rule to a policy.
3. Assign the policy to a security level.

Image 35: Security Policies and Levels

Tip
It is imperative to enforce user authentication wherever possible. A Single Sign-On Tool is available for the axsguard Gatekeeper to implement Firewall and Web access authentication. This tool allows users to automatically sign on with the axsguard Gatekeeper after logging on to their client PC. For more information, please refer to the documents axsguard Gatekeeper Single Sign-On Utility (SSO) and axsguard Gatekeeper Authentication How To, available through the permanently on-screen Documentation button.

8.3 Security Levels with Authentication

User Level

Settings defined at the user level are specific to a single user and determine special access rights or restrictions for a user on the network (i.e. exceptions). The axsguard Gatekeeper retrieves the Security Policy defining a user's rights based on the user's credentials submitted during authentication.

To change user-specific policy settings on the axsguard Gatekeeper:
1. Navigate to Users & Groups > Users.
2. Select the appropriate user from the list.
3. Adjust the settings as appropriate (user and group management is explained in section 9).

Group Level

An axsguard Gatekeeper group is a unit of users who need the same access rights or restrictions on the network. The purpose of using groups is to simplify access control configuration and management. The axsguard Gatekeeper retrieves the Security Policy defining a group's rights based on the user's credentials submitted during authentication and their group membership.

To change group-specific policy settings on the axsguard Gatekeeper:
1. Navigate to Users & Groups > Groups.
2. Select the appropriate group from the list.
3. Adjust the settings as appropriate (user and group management is explained in section 9).

8.4 Security Levels without Authentication

Computer Level

Caution
VASCO recommends enforcing user authentication whenever possible, as this is the most secure option.

Registering a computer on the axsguard Gatekeeper allows a policy to be applied to the computer, e.g. firewall rights or the right to use the axsguard Gatekeeper RADIUS authentication service (for more information about RADIUS authentication, please refer to the document axsguard Gatekeeper Authentication How To available through the permanently on-screen Documentation button).

An unauthenticated user on a registered computer is assigned computer-level Web access and firewall policies, based on the computer's IP address. Assigning rights at the computer level (based on the host's IP address) is therefore less secure than assigning them at user level, because unauthorized users with physical access to the computer could access the network.

Computer registration for computer level assignment of security policies should only be used for servers with a fixed IP address needing specific access to services on the Internet, e.g. for necessary system updates.

To change computer-specific policy settings on the axsguard Gatekeeper:
1. Navigate to Computers.
2. Select the appropriate computer from the list.
3. Adjust the settings as appropriate (computer management is explained in section 10).

System Level

Caution
VASCO recommends enforcing user authentication whenever possible, as this is the most secure option.

A security policy is applied by default at the system level if a policy has not been assigned at any other level. The system level should enforce the tightest security, as the policies defined at this level are valid for all computers which are physically connected to your network. A user who is physically connected to your network and who does not authenticate is automatically assigned system-level access rights if his/her computer is not registered on the axsguard Gatekeeper.

System-specific policy settings are configured separately for each feature, e.g. for the firewall, Web access etc. For further information, please refer to the relevant axsguard Gatekeeper How To guide available through the permanently on-screen Documentation button.

8.5 Example Configurations

The following two examples demonstrate respectively a user-specific configuration and the efficiency of configuration using groups and Security Policies.

Example 1

A company has a group defined for its Accounts department of 5 users. All users of the group are subject to the same Firewall Policy. However, one user needs special access to an Internet server which is not permitted by the Group Policy. This can be achieved by:
1. Creating a new firewall rule(s) allowing access to the specific server.
2. Adding the rule to a security policy.
3. Selecting Add to Group Firewall Policies for the user's Firewall Policy Mode.
4. Adding the new security policy for the user. This combines the group and the new policies for the user.

The result is that the user has access to the specific server, while still subject to the 'Accounts' Group Firewall Policy. For further information on creating firewall rules and policies, please refer to the document axsguard Gatekeeper Firewall How To available through the permanently on-screen Documentation button.

Example 2

An office of 500 users divided into 6 groups needs access to the axsguard Gatekeeper system. This implies the creation of 1 axsguard Gatekeeper firewall rule per service, i.e. POP, IMAP, SMTP, LDAP (for the address book), giving a total of 4 rules.

Without Firewall Policies: creating 4 rules, and adding them to 500 users would require 2004 configurations.

With Firewall Policies at the group level: creating 4 rules, adding them to 1 Firewall Policy and subsequently assigning the Policy to 6 groups requires only 11 configurations.
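The lookup order described in sections 8.2 to 8.4 and the user exception from Example 1, modelled as an added Python example. This is not axsguard Gatekeeper code: the class names, mode constants, rule labels and the sample users, passwords and IP addresses are constructed for illustration, and the model assumes that the four levels are exclusive fallbacks, except for the Add to Group Firewall Policies mode.

```python
import hmac
from dataclasses import dataclass, field

# Mode names are assumptions for this sketch; the manual only names the
# "Add to Group Firewall Policies" option.
USE_GROUP = "use_group"
ADD_TO_GROUP = "add_to_group"


@dataclass(frozen=True)
class Policy:
    name: str
    rules: frozenset  # rule labels, constructed for the example


@dataclass
class Group:
    name: str
    policies: list


@dataclass
class User:
    name: str
    password: str  # constructed sample credential (static password only)
    group: Group
    mode: str = USE_GROUP
    policies: list = field(default_factory=list)


def rules_of(policies):
    """Union of the rules contained in a list of policies."""
    return frozenset().union(*(p.rules for p in policies))


@dataclass
class Gatekeeper:
    system_policies: list                           # used when nothing else applies
    computers: dict = field(default_factory=dict)   # registered IP -> policies
    users: dict = field(default_factory=dict)       # user name -> User

    def authenticate(self, name, password):
        user = self.users.get(name)
        if user and hmac.compare_digest(user.password, password or ""):
            return user
        return None

    def resolve(self, src_ip, name=None, password=None):
        """Return (security level, effective rules) for one connection."""
        user = self.authenticate(name, password) if name else None
        if user:  # valid credentials: user/group level, whatever the source IP
            level, policies = "group", list(user.group.policies)
            if user.mode == ADD_TO_GROUP:
                level, policies = "user+group", policies + user.policies
        elif src_ip in self.computers:  # no identity, registered computer
            level, policies = "computer", self.computers[src_ip]
        else:  # no identity, unregistered computer
            level, policies = "system", self.system_policies
        return level, rules_of(policies)

    def unauthenticated_exposure(self):
        """Rules each registered IP grants to anyone at that machine,
        beyond what the system level already allows."""
        base = rules_of(self.system_policies)
        extra = {ip: rules_of(p) - base for ip, p in self.computers.items()}
        return {ip: r for ip, r in extra.items() if r}


def build_example():
    """Example 1 of section 8.5 plus one registered update server."""
    mail = Policy("accounts", frozenset({"pop", "imap", "smtp", "ldap"}))
    extra = Policy("special-server", frozenset({"https to server.example"}))
    updates = Policy("server-updates", frozenset({"https to updates.example"}))
    system = Policy("system-default", frozenset({"dns"}))
    accounts = Group("accounts", [mail])
    gk = Gatekeeper(system_policies=[system])
    for n in ("ann", "bob", "cem", "dee"):
        gk.users[n] = User(n, n + "-Passw0rd", accounts)
    gk.users["eve"] = User("eve", "eve-Passw0rd", accounts, ADD_TO_GROUP, [extra])
    gk.computers["192.0.2.10"] = [updates]
    return gk


if __name__ == "__main__":
    gk = build_example()
    for args in [("10.0.0.5", "eve", "eve-Passw0rd"), ("10.0.0.5", "ann", "ann-Passw0rd"),
                 ("192.0.2.10",), ("192.0.2.10", "eve", "wrong"), ("10.0.0.5",)]:
        level, rules = gk.resolve(*args)
        print(args[:2], "->", level, sorted(rules))
    print("unauthenticated exposure:", gk.unauthenticated_exposure())
```

The last line of output is the part worth reviewing on a real configuration: every rule listed there is available to anyone who can reach the registered machine, with no credentials involved.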

9 User and Group Management

9.1 Overview

In this section we:
- define axsguard Gatekeeper users and groups
- list the advantages of assigning security policies at the user and group security levels
- explain the general settings for users
- explain how to create and modify users and groups on the axsguard Gatekeeper
- explain how user and group templates can speed up configuration

For settings specifically related to axsguard Gatekeeper modules such as e-mail or Web access, please refer to the relevant axsguard Gatekeeper How To guide available through the permanently on-screen Documentation button.

9.2 axsguard Gatekeeper Users

An axsguard Gatekeeper user is a person who:
- May authenticate with the axsguard Gatekeeper (is registered as a legitimate user on the system).
- Has certain access rights (firewall, Web access, etc.) depending on the individual user settings and/or group settings.
- Has an axsguard Gatekeeper mailbox (if the server module is activated).

Users can be created using the axsguard Gatekeeper Administrator Tool or can be imported and synchronized with a Directory Server. For more information on user synchronization, please refer to the document, axsguard Gatekeeper Directory Services How To, available through the permanently on-screen Documentation button.

User templates, in which access rights and other user-specific settings are specified, allow administrators to easily configure common user settings. User and group templates are explained further in section 9.8.

axsguard Gatekeeper Groups

An axsguard Gatekeeper group is:
- A set of users (a group can also contain a single user).
- A unit, based on the location, department, access rights or position within an organization, e.g. accountants, the HR division, the legal department, management, etc.
- Linked to a set of permissions or restrictions which apply to its members.
Groups can be created using the axsguard Gatekeeper Administrator Tool or can be imported and synchronized with a Directory Server. For more information on group synchronization, please refer to the document, axsguard Gatekeeper Directory Services How To, available through the permanently on-screen Documentation button.

Group templates, in which access rights and other group-specific settings are specified, allow administrators to easily configure common group settings. User and group templates are explained further in section 9.8.

The relationship between user and group level policies is module-specific. For example, for firewall access, group level policies can be overruled, used, or an additional policy can be appended at the user level (see Example 1 in section 8.5). For Web and e-mail access, group level policies can be used or overruled at the user level, but policies cannot be appended. For more information, please refer to the relevant axsguard Gatekeeper How To guides, available through the permanently on-screen Documentation button.

9.4 User and Group Level Security

VASCO recommends assigning security policies at the user or group levels and enforcing authentication (see section 8). Assigning security policies at the computer level is insecure (see section 10.3).

Advantages inherent to user and group level security are:
- The authentication process (identification of the user) is enforced, which is the most secure option.
- Strong user authentication (VASCO DIGIPASS) can easily be implemented.
- Physical access to a computer is insufficient to obtain network access, e.g. for unauthorized access to network resources or to abuse the network's public IP address. With user or group level security, credentials always have to be provided before access is granted.
- A list of users and/or groups is easier to maintain than a list of computers (especially with large networks).
- Users sharing a computer, e.g. at a reception desk, can be assigned different user-specific rights. Assigning a computer level security policy assigns the same rights to all (unauthenticated) users of the computer.

9.5 Users & Groups: General Settings

In this section, the General Settings sub menu is explained in detail. Navigate to Users & Groups > General. A screen similar to image 36 is displayed. Options are described in the table below and can be turned on/off using the checkboxes.

Image 36: Users & Groups > General

Table 14: Users and Groups > General Fields

Field: Description

Secure Password Checker: Click on this checkbox to activate the secure static password checker for users. This allows the system to reject static passwords which can easily be guessed. Static passwords should:
- comprise at least 6 characters
- differ from the account (user) name
- differ from a word in the dictionary (to prevent dictionary password attacks)
- not be too simple, e.g
- not include a # symbol
VASCO strongly recommends using DIGIPASS authentication (see Tip below).

Users may change static passwords: Click this checkbox to permit users to change their static password. Users are only able to change their passwords if their access rights on the axsguard Gatekeeper have been set to User (see section 9.6.4).

Users may change auto-response settings: This option is only available with the axsguard Gatekeeper module activated and allows users to change their auto-response settings. With auto-response, correspondents can be notified automatically if a recipient is unavailable. For more information, please refer to the document axsguard Gatekeeper How To, available through the permanently on-screen Documentation button.

Users may change their forwarding: This option is only available with the axsguard Gatekeeper module activated and allows a user's e-mails to be forwarded to one or more address(es). A copy of the forwarded message(s) can also be kept in the recipient's mailbox. For more information, please refer to the document axsguard Gatekeeper How To, available through the permanently on-screen Documentation button.

Tip
VASCO strongly recommends using DIGIPASS authentication. VASCO DIGIPASS authentication is the most secure authentication method, because a one-time password is generated by the DIGIPASS every time a user logs on.
For more information about DIGIPASS authentication, please refer to the document, axsguard Gatekeeper Authentication How To, available through the permanently on-screen Documentation button.

9.6 Creating and Modifying Users

Creating a User

To create a new user:
1. Navigate to Users & Groups > Users.
2. Click Add New. Three types of settings need to be configured, as explained in the following sections:
   - general settings
   - module-specific settings and
   - axsguard Gatekeeper Administration settings.
3. After you have configured the settings in point 2 above as required, click on Save.

Tip
You can define a user template, based on commonly used settings, to speed up the creation of new users (see section 9.8).

General Settings

The top part of the Add User screen displays the general user settings (see image below). Settings are explained in the table below.

Image 37: Users & Groups > Users > Add User

Table 15: User & Groups > User > Add User Fields

Field: Description

Mailbox / User Name: Enter a name for the user and their mailbox.

User's Full Name: Enter the Full Name of the user (optional).

User Login Enabled: Uncheck to disable the user. Check to enable the user. If unchecked, the user can no longer authenticate with the axsguard Gatekeeper, but the user's data, e.g. e-mails and user policies, are preserved. Note that the user's mailbox can still receive mail, although this mail is no longer accessible to the user when the User Login is disabled.

Password: Enter and confirm a static password. This may not be identical to the user name and must comprise at least 6 characters and be sufficiently complex (see Secure Password Checker in section 9.5).

Member of a Group: Assign the user to a group using the select button.

Has VASCO DIGIPASS: Check this option if the user has a VASCO DIGIPASS. Select the appropriate DIGIPASS from the list. For more information on DIGIPASS management and strong authentication, please refer to the document axsguard Gatekeeper Authentication How To, available through the permanently on-screen Documentation button.

Tip
The system generates an error message if password validation fails or the password is insecure (see Secure Password Checker in section 9.5).

Module-Specific Settings

Tabs on the lower part of the Add User screen may vary according to which modules are activated on your axsguard Gatekeeper (see image 38). Module-specific settings are explained in the relevant axsguard Gatekeeper How To guides, available through the permanently on-screen Documentation button.

Image 38: User & Groups > User > Add User: Module-Specific Fields

Administration Settings

Overview

The axsguard Gatekeeper Administration tab on the lower part of the Add User screen (see image below) presents:
- Tool Access Type settings. These settings define the user's access rights to the Administrator Tool, i.e. whether they are a user or system administrator. With the Tool Access Type configured for a system administrator, further options are displayed for Console Tool Access and mailing preferences (all these settings are explained in the following section).
- Access to FTP files settings (explained in section )

Access to the Administrator Tool

Image 39: User & Groups > User > Add User: axsguard Gatekeeper Administration

To create a user:
1. Select User for the Tool Access Type (Tool Access Types are explained in the table below).
2. Click on Save to finish.

To create a System Administrator:
1. For Tool Access Type, select Basic Administration or higher. Additional checkboxes are presented for configuring Console Tool Access and mailing preferences.
2. For Console Tool Access, select whether the administrator may access the axsguard Gatekeeper Console Tool. This allows administrators to use the command line for advanced troubleshooting purposes. For more information please refer to the document axsguard Gatekeeper Command Line Interface How To, available through the permanently on-screen Documentation button.
3. For mailing preferences (see image below), select whether the administrator should receive no mailings, all mailings or selective mailings. How to configure each of these options is explained in the table below. Technical mailings contain critical axsguard Gatekeeper update information, current technical issues, tips and other important axsguard Gatekeeper-related information.
4. Click on Save to finish.

Caution
Advanced Administrator Tool access should only be assigned to expert administrators. This access type allows system-critical modifications and should only be used with extreme caution.

Table 16: User & Groups > Users > Add User > axsguard Gatekeeper Administration: Tool Access Types

Administrator Tool Access Type: Description

None: The user has no access to the Administrator Tool.

User: The user can only modify his/her Full Name, auto-response settings, password and forwarding settings, if allowed by the system administrator (see section 9.5).

Reporting User: A reporting user has the same access as a regular user and additionally has access to statistics relating to Web access and axsguard Gatekeeper hardware performance.

Distribution List Administration: This option is only available with the axsguard Gatekeeper module activated. This user has the same access rights as a reporting user and additionally has access to (and can manage) the distribution lists.

Basic Administration: This user has only restricted administrator access. Only non-critical system settings may be modified, e.g. user and group settings.

Full Administrator: This is the default administrator type. All standard system settings can be modified or viewed.

Advanced Administrator: Caution: Only expert administrators should be assigned this access type. Advanced administrators can view and/or modify system-critical settings, which should normally never be modified, e.g. DNS forwarding.

Image 40: Add User > axsguard Gatekeeper Administration: Mailing Settings

Table 17: User & Groups > Users > Add User > axsguard Gatekeeper Administration: Mailing Preferences

Preference: Boxes to check/uncheck

To receive no mailings: Uncheck the Receive axsguard Gatekeeper & VASCO informational and technical mailings option.

To receive all mailings: Check both Receive axsguard Gatekeeper & VASCO informational and technical mailings, and I herewith allow Able NV to send me all relevant axsguard Gatekeeper & VASCO informational and technical mailings.

To receive selected mailings: Check the Receive axsguard Gatekeeper & VASCO informational and technical mailings option, and uncheck the I herewith allow Able NV to send me all relevant axsguard Gatekeeper & VASCO informational and technical mailings option. A list of mailing types is offered. Check the mailings you prefer to receive.

Note
Technical e-mails are only sent to the axsguard Gatekeeper system administrator(s) and customer contacts (see section 4.3).

Access to FTP files

FTP access can be used to download axsguard Gatekeeper log files, e.g. firewall logs. FTP access towards the axsguard Gatekeeper is only possible if allowed in the appropriate firewall policies. For more information, please refer to the document axsguard Gatekeeper Firewall How To, available through the permanently on-screen Documentation button.

Options for FTP access are displayed under the axsguard Gatekeeper Administration tab in the lower part of the Add User screen.

Table 18: User & Groups > Users > Add User > axsguard Gatekeeper Administration: FTP Access Fields

FTP Access Options: Description

No FTP Access: Access to FTP is denied.

Unrestricted FTP Access: Provides access to the axsguard Gatekeeper logs and the IMAP mail directories (only applicable with the axsguard Gatekeeper module activated).

Intranet-Extranet FTP access: Only permits uploading and downloading of files to/from the axsguard Gatekeeper Intranet and Extranet area. This option is obsolete.

Modifying a User

To modify the settings of an existing user:
1. Navigate to Users & Groups > Users.
2. Click on the Mailbox/User Name.
3. Modify the user's settings (see sections to ).
4. Click on the Update button.

9.7 Creating and Modifying Groups

Creating a Group

To create a new group:
1. Navigate to Users & Groups > Groups.
2. Click the Add new button. A screen similar to image 41 appears.
3. Enter the group name and a description (optional).
4. Tabs on the Add Group screen may vary according to which modules are activated on your axsguard Gatekeeper. For more information on the necessary module-specific settings, please refer to the relevant axsguard Gatekeeper How To guides available through the permanently on-screen Documentation button.

5. Click on Save to finish. The system may display a validation warning to counter potentially dangerous configurations, which require modification.

Image 41: Users & Groups > Groups > Add Group

Tip
You can define a group template, based on commonly used settings, to speed up the creation of new groups (see section 9.8).

Modifying a Group

To modify the settings of an existing group:
1. Navigate to Users & Groups > Groups.
2. Click on the group name.
3. Modify the group's settings (see section 9.7.1).
4. Click on the Update button.

Templates

A group template and a user template can be created and modified in the axsguard Gatekeeper. Templates allow administrators to easily configure common user or group settings. Examples of common settings are firewall access rights, Web access rights and policies. Templates prevent the need to repeatedly define similar settings, thus simplifying configuration.

Settings in templates are automatically applied each time a new group or user is created or synchronized with a Directory Server. The template system is particularly useful for synchronizing a large number of users and groups with a Directory Server, such as Active Directory. For more information on user and group synchronization, please refer to the document axsguard Gatekeeper Directory Services How To, available through the permanently on-screen Documentation button.

For maximum efficiency, the system administrator(s) needs to ascertain the lowest common denominator (common permissions and restrictions) for a group of axsguard Gatekeeper users. If a certain user or group needs special access (or needs to be denied access) to a specific resource, it is easier to define and assign the exception(s) afterwards. The following sections explain how to configure user and group templates.

Group Template Settings

Caution
Modification of the group template does not affect existing axsguard Gatekeeper groups. The group template is only applied to new groups.

Image 42: Group Template

To modify the group template:
1. Navigate to Users & Groups > Groups.
2. Click on the Template button. A screen similar to image 42 appears.
3. Configure the group settings as required.
4. Click Update to finish. (The system may display a validation warning to counter potentially dangerous configurations, which need to be modified.)

New groups created are automatically assigned the group template settings.

Image 43: User & Groups > Groups > Template

Note
Tabs on the Modify Group Template screen may vary according to which modules are activated on your axsguard Gatekeeper.

User Template Settings

Caution
Modification of the user template does not affect existing axsguard Gatekeeper users. The user template is only applied to new users.

Image 44: User Template

To modify the user template:
1. Navigate to Users & Groups > Users.
2. Click on the Template button. A screen similar to image 44 appears.
3. Configure the user settings as required. Tabs on the Modify User Template screen may vary according to which modules are activated on your axsguard Gatekeeper. For more information on the necessary module-specific settings, please refer to the relevant axsguard Gatekeeper How To guides available through the permanently on-screen Documentation button.
4. Click Update to finish. (The system may display validation warnings to counter potentially dangerous configurations, which need to be modified.)

New users created are automatically assigned the user template settings.

Image 45: Users & Groups > User > Template

Note
Tabs on the Modify User Template screen may vary according to which modules are activated on your axsguard Gatekeeper.

10 Computer Management

10.1 Overview

In this section, we explain:
- when computers need to be registered on the axsguard Gatekeeper
- the disadvantages of assigning security policies at the computer level, and
- how to register a computer on the axsguard Gatekeeper.

For settings specifically related to axsguard Gatekeeper modules such as e-mail or Web access, please refer to the relevant axsguard Gatekeeper How To guide, available through the permanently on-screen Documentation button.

When to register a computer on the axsguard Gatekeeper

Caution
VASCO strongly recommends enforcing user authentication whenever possible rather than assigning security policies at the computer level.

Registering computers on the axsguard Gatekeeper allows rights and restrictions to be assigned through security policies. Security policies control network access from the computers, such as the firewall rights or the right to use the axsguard Gatekeeper RADIUS authentication service. (For more information on RADIUS authentication please refer to the document axsguard Gatekeeper Authentication How To, available through the permanently on-screen Documentation button.)

Assigning security policies at the computer level is only appropriate for servers (with a static IP address) which need specific access, e.g. for the use of the RADIUS service on the axsguard Gatekeeper. In all other instances, VASCO recommends assigning security policies at user and group levels and enforcing user authentication (see section 8).

It is not necessary to register computers from which users authenticate, as access rights in this case are determined based on the user credentials provided (see section 8).

Computer Level Security

Disadvantages inherent to computer level security are:
- The authentication process (identification of the user) is bypassed, which is insecure.
- Physical access to a computer is sufficient to acquire possibly more rights than normally permitted with user authentication and could lead to unauthorized access to network resources or to abuse of the network's public IP address.

- A computer list may lead to errors and is difficult to maintain (DHCP), while a user list is not (especially for large networks).
- It is not possible to assign different rights to multiple users who use the same computer, e.g. a reception desk. This is only possible with user authentication.
- Troubleshooting is more difficult and cumbersome, since access rights can be configured at the user, group and computer level.

Tip
It is imperative to enforce user authentication wherever possible. A Single Sign-On Tool is available for the axsguard Gatekeeper to implement Firewall and Web access authentication. This tool allows users to automatically sign on with the axsguard Gatekeeper after logging on to their client PC. For more information, please refer to the documents axsguard Gatekeeper Single Sign-On Utility (SSO) and axsguard Gatekeeper Authentication How To, available through the permanently on-screen Documentation button.

Registering a Computer on the axsguard Gatekeeper

Caution
Only servers (with a static IP address) should be registered on the axsguard Gatekeeper. For computers from which users authenticate, access rights are determined based on the user credentials provided. VASCO strongly recommends assigning Security Policies at the user and group levels (see section 8) and enforcing user authentication.

To register a computer on the axsguard Gatekeeper:
1. Navigate to Computers.
2. Click on Add new. A screen similar to image 46 appears.
3. Configure the settings as appropriate. The general fields are explained in the table below. Tabs on the Add Computer screen may vary according to which modules are activated on your axsguard Gatekeeper. For more information on the module-specific settings, please refer to the relevant axsguard Gatekeeper How To guides available through the permanently on-screen Documentation button.
4. Click on Save.

Image 46: Computers > Add Computer

Table 19: Computers > Add Computer Fields

Field/Tab: Description

Computer Name: Enter a name for the computer, using lower case without spaces, starting with an alphabetic character, followed by any number of alphanumeric characters and/or the special characters hyphen (-) and full stop (.). If possible, use the name of your computer, as defined in your Network / Properties / Identification tab (where the computer name is listed), since this is usually unique. The entered computer names and aliases are added to the internal DNS system of the axsguard Gatekeeper (see section ).

Alias Names: You can add more than one additional name for a computer, providing the names adhere to the same specifications as for the Computer Name (see above). All aliases are added to the axsguard Gatekeeper DNS server. Computer names, computer aliases, device names and device aliases need to be unique in the network.

IP address: Enter the IP address of the computer to be added. IP addresses of computers need to be unique. If you want a certain IP address to be known under a different name(s), the name(s) can be added in Alias Names as described above.

This computer can receive SMTP mail: Enable this option if the computer is running an SMTP mail server. This may be the case, for example, if the mailboxes on the axsguard Gatekeeper aren't used, but mail is forwarded from the axsguard Gatekeeper to the specified computer. For more information, please refer to the document axsguard Gatekeeper Content Scanning How To, available through the permanently on-screen Documentation button.

Use system mail policy when no other policy can be found: This option is only visible if the This computer can receive SMTP mail option (see above) is enabled. Enable the option if the computer is a mail server where each user can control his/her own forwarding. For more information, please refer to the document axsguard Gatekeeper Content Scanning How To, available through the permanently on-screen Documentation button.
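A pre-flight check for a list of servers that is about to be registered, applying the Computer Name, Alias Names and IP address rules from Table 19. This is an added Python example, not part of the axsguard Gatekeeper. The entry layout, the function name, the reserved device name and all sample hosts are constructed for illustration.

```python
import ipaddress
import re

# Table 19: lower case, no spaces, first character alphabetic, then any
# number of alphanumeric characters, hyphens or full stops.
NAME_RE = re.compile(r"[a-z][a-z0-9.-]*")


def check_registrations(entries, reserved=()):
    """Return a list of (computer name, problem) for a planned registration.

    entries  -- dicts with "name", optional "aliases" and "ip"
    reserved -- names already taken in the network, e.g. device names and
                device aliases, which share one namespace with computers
    """
    problems = []
    names = {label: "an existing device" for label in reserved}
    ips = {}
    for entry in entries:
        owner = entry["name"]
        # The computer name and every alias follow the same format rule
        # and must be unique across computers and devices.
        for label in [owner, *entry.get("aliases", [])]:
            if not NAME_RE.fullmatch(label):
                problems.append((owner, f"invalid name {label!r}"))
            if label in names:
                problems.append(
                    (owner, f"name {label!r} already used by {names[label]}"))
            else:
                names[label] = owner
        # Parse the address so that equal addresses written differently
        # still collide; each IP address may be registered only once.
        try:
            ip = ipaddress.ip_address(entry["ip"])
        except ValueError:
            problems.append((owner, f"invalid IP address {entry['ip']!r}"))
            continue
        if ip in ips:
            problems.append((owner, f"IP address {ip} already used by {ips[ip]}"))
        else:
            ips[ip] = owner
    return problems


# Constructed sample input (documentation address range 192.0.2.0/24).
RESERVED = ("gw-lan",)
SAMPLE = [
    {"name": "updatesrv", "aliases": ["patch.lan"], "ip": "192.0.2.10"},
    {"name": "Radius-1", "aliases": [], "ip": "192.0.2.11"},
    {"name": "mailrelay", "aliases": ["updatesrv", "gw-lan"], "ip": "192.0.2.10"},
    {"name": "9backup", "aliases": ["back up"], "ip": "192.0.2.300"},
]

if __name__ == "__main__":
    for owner, problem in check_registrations(SAMPLE, RESERVED):
        print(f"{owner}: {problem}")
```

A duplicate IP address deserves particular attention here, because computer-level policies are assigned by IP address: two entries sharing an address would make it unclear which policy an unauthenticated connection receives.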

11 Network Settings

11.1 Overview

This section explains network settings on the axsguard Gatekeeper covering the following main topics:
- Devices, including Ethernet, Virtual Local Area Networks and PSTN network devices. (The number of network devices depends on the axsguard Gatekeeper model purchased. Each axsguard Gatekeeper is equipped with at least two Ethernet network devices and one or more PSTN devices.)
- DNS (Domain Name System) for resolving domain names to IP addresses and vice versa.
- DHCP (Dynamic Host Configuration Protocol) for assigning IP addresses to devices on a network.
- Routing of packets on a network.
- NAT (Network Address Translation)

Devices

Ethernet Network Device

Modifying an Ethernet Network Device

To modify an axsguard Gatekeeper Ethernet network device:
1. Navigate to Network > Devices > Eth.
2. Click on a logical device in the list. A screen similar to image 47 appears.
3. Configure the settings as explained in the following sections on:
   - general settings
   - interface types
   - connection settings
   - IP settings
   - account settings
   - connectivity checks
4. Click on Update.

Image 47: Network > Devices > Eth > Modify Ethernet Device

General Settings

Fields for configuration on the Modify Ethernet Device screen are explained in the table below.

Table 20: Network > Device > Eth > Modify Ethernet Device General Fields

Field | Description
DNS Name | The DNS name cannot be modified. This name is added to the axsguard Gatekeeper's Internal DNS repository (see section ).
Description | Enter a description for the device. The description is not mandatory.
Alias Names | Enter any alias DNS names for the device in this field. Multiple alias names can be entered, using the Add button. DNS names are explained in section

Interface Types

Image 48: Authentication Only Use of axsguard Gatekeeper

If the axsguard Gatekeeper is only used as an authentication server in your network, only one secure interface is present (see image 48). Interface settings for the Internet and DMZ interfaces are not relevant in this situation. For more information on using the axsguard Gatekeeper authentication services, please refer to the document axsguard Gatekeeper Authentication How To available through the permanently on-screen Documentation button.

Image 49: Gateway Use of axsguard Gatekeeper

If the axsguard Gatekeeper sits at the gate of your network (see image 49), several interface types are available depending on the network to which they are connected (Internet, Secure LAN and DMZ: see image below). Options presented for the Interface Type on the Modify Ethernet Device screen are explained in the table below.

Image 50: Network > Device > Eth > Modify Ethernet Device: Interface Types

Table 21: Network > Device > Eth > Modify Ethernet Device: Interface Types

Field | Description
Not in use | Select this option to disable the network device.
Internet | An insecure zone in your network. This is the axsguard Gatekeeper network device which is connected to the Internet. This device has a public IP address. (Multiple Ethernet devices of the type Internet are only possible if the Advanced Network Module has been purchased, which includes the Multiple Internet Connection feature.)
Secure | A secure zone in your network. This is generally the network device to which all your company PCs are connected, shielded from hackers by the axsguard Gatekeeper firewall. This device has an IP address in the private range.
DMZ | An insecure zone in your network. This network device can either be assigned a public or private IP address. The DMZ is an area where you would install a public server, in case the axsguard Gatekeeper Application Firewall (Reverse Proxy) cannot be used.

Connection Settings

The Connection Settings are always visible on the Modify Ethernet Device screen (see image below). These settings are explained in the table below.

Image 51: Network > Device > Eth > Modify Ethernet Device: Connection Settings

Table 22: Network > Device > Eth > Modify Ethernet Device: Connection Settings

Field/Connection Mode | Description
Upstream bandwidth | This setting is only relevant if the Advanced Network Module has been purchased, which includes the Bandwidth feature. Upstream bandwidth is the maximum restriction (in Kilobits per second) for outgoing data which can travel through the device at a given time. Setting the value to 0 (default) means there is no restriction.
Downstream bandwidth | This setting is only relevant if the Advanced Network Module has been purchased, which includes the Bandwidth feature. Downstream bandwidth is the maximum restriction (in Kilobits per second) for incoming data which can travel through the device at a given time. Setting the value to 0 (default) means there is no restriction.
Connection Mode | Select the appropriate connection mode for the interface from: Fixed IP Configuration, DHCP Client, PPTP Client and PPP over Ethernet (explained immediately below). The available tabs displayed on screen vary with the mode selected.
Fixed IP Configuration | Select this option if the selected axsguard Gatekeeper network interface should be assigned a fixed IP address. Selecting this option displays the IP Settings tab.
DHCP Client | DHCP is an Internet protocol through which IP addresses are assigned dynamically by a DHCP server to clients when they start up (defined per RFC 2131). Select this option if the selected axsguard Gatekeeper interface receives its IP address from a DHCP server. Even though IP addresses assigned using DHCP may stay the same for long periods of time, they can change.
PPTP Client (Internet Only) | In some countries, Internet Service Providers use PPTP to connect their customers to the Internet. Selecting this option displays the IP and Account Settings tabs. Enter the correct IP and Account settings. Contact your Internet Service Provider to obtain the correct settings, if necessary.
PPP over Ethernet (Internet Only) | PPPoE is a network protocol for encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly with ADSL services where individual users connect to the ADSL transceiver (modem) over Ethernet (defined per RFC 2516). Select this option if the selected axsguard Gatekeeper interface connects to the ISP using the PPPoE protocol. Selecting this option displays the Account Settings tab. Enter the correct Account settings. Contact your ISP to obtain the correct settings if necessary.

IP Settings

The IP Settings Tab is only visible when the following connection modes are selected: Fixed IP Configuration and PPTP Client (see section ). Fields are explained in the table below.

Image 52: Network > Device > Eth > Modify Ethernet Device: IP Settings

Table 23: Network > Device > Eth > Modify Ethernet Device: IP Settings

Field | Description
IP Address/Netmask | This is the axsguard Gatekeeper's IP address as seen by a network segment (zone) connected to the Ethernet device. The CIDR notation is used to specify the subnet mask. If the CIDR notation is not used when specifying an address, /24 is used as the default netmask, for instance /
IP Aliases | Use this field to add more than one IP address to the network interface. This option is used to connect several subnets (network segments) to the same Ethernet interface. Use the CIDR notation to specify the subnet. If the CIDR notation is not used, /24 is used as the default netmask. This option is only available when using the Fixed IP Connection mode (see section ).
Gateway | If the Interface Type is Internet: enter the IP address of the gateway provided by your Internet Service Provider (ISP). Contact your ISP if necessary. If the Interface Type is not Internet: where the axsguard Gatekeeper is used as a gateway, leave this field empty; where the axsguard Gatekeeper is used for authentication only (i.e. not as a gateway), enter the default gateway for your network.

Account Settings

The Account Settings tab (see image below) is only visible when the following Connection modes have been selected: PPTP Client and PPPoE (see section ). Fields are explained in the table below.

Image 53: Network > Device > Eth > Modify Ethernet Device: Account Settings

Table 24: Network > Device > Eth > Modify Ethernet Device: Account Settings

Field | Description
ISP Account Name | Enter the account name provided by your ISP.
Password | Enter the password provided by your ISP (twice for verification).

Connectivity Check

The Connectivity Check tab is always visible on the Modify Ethernet Device screen (see image below). Fields are explained in the table below.

Image 54: Network > Device > Eth > Modify Ethernet Device: Connectivity Check

Table 25: Network > Device > Eth > Modify Ethernet Device: Connectivity Check

Field | Description
Connectivity Check | Activates / Deactivates the connectivity check. If enabled, the axsguard Gatekeeper periodically sends ICMP (ping) messages to the IP address(es) specified in the field below. This enables system administrator(s) to be notified if an axsguard Gatekeeper network device is failing.
Connectivity Check IPs | Specify the IP address(es) to which ICMP (ping) messages should be sent (see Caution below).

Caution: If the Connectivity Check option is disabled and the network interface type is set to Internet (see section ), ICMP traffic is still sent to the Internet Root servers. If the option is enabled and IP addresses are specified, ICMP traffic is only sent to the specified IP addresses, not the Internet Root servers.

Virtual Local Area Networks (VLANs)

What is a Virtual Local Area Network device?

A Virtual Local Area Network (VLAN) device is an independent network interface, with its own configuration parameters. VLANs are used to add one or more segments to your network without the need to add an additional physical network interface. A Virtual LAN device is always added to a physical LAN device, for instance eth0. VLAN devices use their own identifiers for communication, e.g. eth0.10. Some identifiers are reserved and should not be used (see section ).

Note: Check the manual of your network switch to verify whether it supports VLANs.

Adding a VLAN Device

To add a VLAN device:

1. Navigate to Network > Devices > Eth
2. Select the device in the list to which the VLAN should be added, e.g. eth0
3. Click on the Add Virtual LAN button (see image 55).
4. A VLAN device requires the same configuration parameters as described in section Only the Virtual LAN identifier is VLAN-specific. Some VLAN identifiers are reserved and should not be used, e.g. eth0.0 (see section below).
5. After configuring the relevant settings, click on Save.

Image 55: Adding a Virtual LAN to an Ethernet Interface

VLAN-Identifiers

A VLAN identifier is a unique number to identify a VLAN device in a network (see image 56). Always use a VLAN identifier equal to or greater than 10, e.g. eth0.11. VLAN identifiers 0 to 9 are reserved by some manufacturers and could cause the VLAN to malfunction if used. The Physical Device shown in image 56, for instance eth0.11, is the device name as recognized by the axsguard Gatekeeper Operating System.

Image 56: VLAN Identifiers

PSTN Network Device

Modifying a PSTN Network Device

axsguard Gatekeeper PSTN devices are used to allow communication with an uninterruptible power supply (UPS, see section 4.5).

To modify a PSTN device:

1. Navigate to Network > Devices > PSTN
2. Click on a logical device in the list. A screen similar to image 57 appears.
3. Configure the general and interface type settings (explained in the table below)
4. Click on Update.

Image 57: Network > Devices > PSTN > Modify PSTN Device

Settings

Settings for modification of a PSTN device are explained in the table below.

Table 26: Network > Devices > PSTN > Modify PSTN Device Fields

Field | Description
Description | Enter a description for the device. This is not mandatory.
Interface Type | The Interface Type options are: Not in use: selecting this option disables the device. UPS: An APC Smart UPS can be connected to shut down the axsguard Gatekeeper automatically if the battery of the UPS is nearly depleted. The axsguard Gatekeeper PSTN interface communicates with the UPS. (See also section 4.5)

Domain Name Server

What is DNS?

This section explains the concept and configuration of the axsguard Gatekeeper Internal Domain Name Server (DNS). First the general concept and terminology of DNS is explained, followed by the distinction between the axsguard Gatekeeper's Internal and Public DNS server.

Internet Protocol (IP) addresses are dot-separated numbers which are not easy to remember, for instance They are therefore mapped to more intuitive names such as The Domain Name System (DNS) translates these more user friendly names into the corresponding IP addresses and vice versa. Two naming infrastructures exist, one for each translation direction. The protocol used by the DNS system is an application protocol of the TCP/IP protocol suite. Requests for translations to this system use the UDP and TCP protocols on port

Domain Concept

Domains group networked (sub)structures and use intuitive identifiers (domain suffixes, such as vasco.com). The substructures can either be sub-domains, computers, other hosts (for instance routers and printers) or even services (see image 58).

Image 58: Domain Name Concept

The use of domains (domain names) offers the following advantages:

- Name Grouping: Names of individual hosts and services used within an organization can be grouped into a single domain (using the same domain suffix) for name to IP address mapping purposes and vice versa. For instance, all computers (hosts) within VASCO have names ending in vasco.com, i.e. mail.vasco.com, etc.
- Intuitive names: An IP address by itself doesn't represent any characteristics of the host or service. The intuitive naming of a domain and its hosts identifies the purpose and characteristics of a host, such as the country of origin, the name of the company, the service provided by the host, etc. The following information can be deduced from the name mail.vasco.com:
  - The com suffix indicates that the server belongs to a company
  - VASCO is the name of the company which owns the server
  - mail indicates that the host is a mail server
- More efficient and reliable name resolution: Without the name grouping concept, no hierarchical resolution of addresses would be possible, meaning all requests for domain name resolution would be directed to one physical place (a single root server on the Internet). This would not only slow down the entire name resolution process, but would also make the Internet less reliable, since there would be no redundant servers to take over if the single root server crashed. The domain concept allows domain names to pin-point a particular address of a host and the resolution of each part of the domain name occurs at different levels and is handled by different DNS (and DNS backup) servers. This distributed system thus improves the speed, reliability and efficiency of the Internet.

Note: For more detailed information about DNS, please consult chapter 7.1 in Computer Networks, Andrew S. Tanenbaum, 4th edition.

Fully Qualified Domain Names (FQDN)

A Fully Qualified Domain Name or FQDN is the human-readable name which includes a hostname and its associated domain name. It is the top leaf in the DNS tree. For example, given a hostname of www and a domain name of vasco.com, the FQDN would be

Unqualified Domain Names (UQDN)

The unqualified domain name or UQDN is the leaf name without the domain name. Whenever a UQDN is used, the domain name of the host which issues the UQDN is appended to the UQDN. The result is an FQDN. For instance, www and mail are UQDNs, vasco.com is the domain. Joined together they form FQDNs: and mail.vasco.com

axsguard Gatekeeper Internal DNS

The axsguard Gatekeeper DNS server resolves names to IP addresses and vice versa. It is configured to serve the local network (the DMZ and the secure LAN). A second axsguard Gatekeeper DNS server can be used to handle conversions outside the local network. This is briefly explained in section

The axsguard Gatekeeper's internal DNS automatically collects DNS records. The following information is collected by the axsguard Gatekeeper's internal DNS:

- Names given to network devices, e.g. axsguard (see section 11.2).
- Names given to computers in the LAN (see section 10.4).
- General names, such as tool, login, logout, etc (see section 4.6).

axsguard Gatekeeper Internal DNS Flow

The axsguard Gatekeeper's internal DNS flow is shown in image 59 and explained below.

Image 59: axsguard Gatekeeper Internal DNS Flow

Stage 1: Interrogating a DNS Cache

The DNS cache on the axsguard Gatekeeper is where previous DNS lookups are temporarily stored and is the first place where host names are resolved. If the host name can be resolved by the axsguard Gatekeeper's DNS cache, i.e. if a response is immediately available, the response is returned without proceeding to stage 2.

Example

Assume the DNS entry is not present in the DNS cache. User 1 requests The axsguard Gatekeeper performs a DNS lookup for on the Internet. The result is returned to the user and stored in the DNS cache. User 2 also requests Since the entry for is already present in the DNS cache, this entry is returned rather than performing a new lookup on the Internet. This process accelerates DNS lookups and saves Internet bandwidth.

Stage 2: Interrogating a DNS Server

If no record is available in the DNS cache, depending entirely on the host name to be resolved, the DNS request is handled by one of the following:

A) axsguard Gatekeeper's internal DNS: if the DNS request (e.g. host.vasco.com) is related to a host within the system domain as entered on the System > General screen (see image 60), the request is translated by the axsguard Gatekeeper's internal DNS.

Image 60: System > General: System Domain Name

B) Forwarded DNS Server: if the DNS request is related to a host within a specific forwarded domain (not the system domain specified in A), the forwarded DNS server is contacted to provide a response. These DNS servers are specified on the Network > DNS > Forwarding screen (see image 61 and section ). In this example, all requests for hosts within 'somedomain.com' are forwarded to the DNS server with IP

Caution: Only Advanced Administrators can add/modify DNS Forwarding settings (see section 9.6.4).

Image 61: Network > DNS > Forwarding > Add Forwarding DNS Service

C) Other DNS Server: if the DNS request is for a host which cannot be resolved by the axsguard Gatekeeper system domain DNS (A) or a forwarded domain DNS server (B), the request is forwarded to another DNS server. If the axsguard Gatekeeper is used only as an authentication server, the network DNS server is used (see section ). If the axsguard Gatekeeper is used as a gateway, the ISP DNS server is used. DNS servers can be configured under Network > General (see image 62). The configured DNS server(s) contacts other DNS servers as necessary until a correct response is obtained.

Caution: If no DNS servers are specified on the Network > General screen, DNS Root servers are used. This has a negative impact on DNS lookup performance. VASCO therefore recommends specifying DNS servers.

Image 62: Network > General: ISP Domain Name Server Fields

axsguard Gatekeeper Internal DNS Zone Transfers (Secondary DNS)

A backup DNS server, commonly known as a Secondary DNS server, handles DNS requests if the Primary DNS server is rebooted or fails. Zone transfers enable the synchronization of data between the axsguard Gatekeeper DNS and secondary DNS servers in your LAN. When the DNS repository of the axsguard Gatekeeper is updated, the repositories of the secondary DNS server (and any additional configured DNS servers) are updated accordingly.

To configure DNS Zone Transfer for a secondary DNS:

1. Navigate to Network > General.
2. Click the checkbox to enable DNS Zone Transfers in the Secure LAN. A screen similar to image 63 appears.
3. Enter the settings as described in Table
4. Click on Update to finish.

Image 63: Network > General: DNS Zone Transfer Fields

Table 27: Network > General Screen: DNS Zone Transfer Fields

Field | Description
Alias IP Address for Zone Transfers | Enter the IP alias of the axsguard Gatekeeper network device from which DNS transfers should be received. Zone transfers on a secure LAN require a new alias axsguard Gatekeeper IP address. The secondary DNS server requests zone transfers from the alias IP address, rather than from the primary secure LAN IP address. IP aliases are explained in section
Secondary Name Servers | Enter the IP address(es) of the backup (secondary) DNS server(s) in your network. The IP address of the secondary secure LAN DNS server must be registered on the axsguard Gatekeeper for DNS Zone transfers to occur. Click to Add the Secondary Name Server

Examples of axsguard Gatekeeper Internal DNS Setups

With Microsoft Active Directory Domain

DNS requests for the domain specified on the Active Directory (AD) Server are handled by the AD server, while requests for other domains are handled by the axsguard Gatekeeper. The DNS requests for other domains are forwarded to the axsguard Gatekeeper by the AD server, thereby shielding the secure LAN. This setup is shown in image 64.

Tip: Enter the IP addresses of your ISP DNS servers as explained in Stage 2: Interrogating a DNS Server (C). This optimizes DNS requests towards the Internet. If no parameters are entered, the Internet Root Servers are used.

Image 64: DNS Requests Forwarded from Microsoft AD to axsguard Gatekeeper

Without Microsoft Active Directory Domain

DNS requests for the domain specified on the axsguard Gatekeeper are handled by the axsguard Gatekeeper, while requests for other domains are handled by the ISP DNS servers. This setup is shown in image 65.

Tip: Enter the IP addresses of your ISP DNS servers as explained in Stage 2: Interrogating a DNS Server (C) p87. This optimizes DNS requests towards the Internet. If no parameters are entered, the Internet Root Servers are used.

Image 65: DNS Requests Forwarded from axsguard Gatekeeper to ISP

With a Secondary DNS Server (DNS Zone Transfers)

All DNS requests are forwarded to the axsguard Gatekeeper, which is the Primary DNS server. The DNS zones are transferred to a secondary (backup) DNS server. The backup DNS server temporarily handles all DNS requests while the axsguard Gatekeeper is rebooted for maintenance. This setup is shown in image 66.

Tip: Enter the IP addresses of your ISP DNS servers as explained in section Stage 2: Interrogating a DNS Server (C) p87. This optimizes DNS requests towards the Internet. If no parameters are entered, the Internet Root Servers are used.

Image 66: axsguard Gatekeeper with Secondary DNS Server (DNS Zone Transfers)

Note: Without a Secondary DNS in your network, internal DNS services are temporarily unavailable during axsguard Gatekeeper maintenance, while the system is down or rebooted.

axsguard Gatekeeper as an Authentication Server with Active Directory DNS

DNS requests for the corporate domain are handled by the Active Directory (AD) Server. The DNS requests for other domains are forwarded to the ISP DNS server by the Active Directory server. The axsguard Gatekeeper is set up as an authentication server in this example (image 67).

Tip: Enter the IP address of your Active Directory DNS server as explained in section Stage 2: Interrogating a DNS Server (C) p87, as the Active Directory handles all DNS requests in this situation, not the axsguard Gatekeeper.

Image 67: axsguard Gatekeeper as an Authentication Appliance
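The lookup order from the Internal DNS Flow section (cache, system domain, forwarded domain, then the configured or root servers) decides which server answers in each of the setups above. The following is an added example that models that order; it is not the appliance's code, the class and field names are hypothetical, and all domains and addresses are constructed sample values.

```python
"""Model of the Stage 1 / Stage 2 lookup order (added example, constructed data)."""
from dataclasses import dataclass, field

ROOT_SERVERS = "internet-root-servers"   # placeholder label, not an address


def normalise(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def in_domain(name: str, domain: str) -> bool:
    """True if name is the domain itself or a host below it.

    Matching is done on label boundaries, so 'notexample.test' is not
    treated as part of 'example.test'.
    """
    return name == domain or name.endswith("." + domain)


@dataclass
class Forwarder:
    domain: str            # "Forward Requests for Domain"
    servers: list          # "Forward to DNS server(s)"
    enabled: bool = True   # "Enabled" checkbox


@dataclass
class InternalDNS:
    system_domain: str                               # System > General
    forwarders: list = field(default_factory=list)   # Network > DNS > Forwarding
    upstream: list = field(default_factory=list)     # Network > General
    cache: dict = field(default_factory=dict)        # FQDN -> stored answer

    def qualify(self, name: str) -> str:
        """Append the system domain to an unqualified name (UQDN -> FQDN).

        Simplification: any name containing a dot is taken as already qualified.
        """
        name = normalise(name)
        return name if "." in name else f"{name}.{normalise(self.system_domain)}"

    def route(self, name: str):
        """Return (stage, target) for a query, following stages 1 and 2."""
        fqdn = self.qualify(name)
        if fqdn in self.cache:                                # Stage 1
            return ("cache", self.cache[fqdn])
        if in_domain(fqdn, normalise(self.system_domain)):    # Stage 2 (A)
            return ("internal", "gatekeeper")
        matches = [f for f in self.forwarders
                   if f.enabled and in_domain(fqdn, normalise(f.domain))]
        if matches:                                           # Stage 2 (B)
            # Assumption of this model: the most specific forwarded domain wins.
            best = max(matches, key=lambda f: len(normalise(f.domain)))
            return ("forwarded", list(best.servers))
        if self.upstream:                                     # Stage 2 (C)
            return ("upstream", list(self.upstream))
        return ("root", ROOT_SERVERS)   # the Caution case: no servers configured

    def store(self, name: str, answer: str) -> None:
        """Record an answer so the next identical query stops at stage 1."""
        self.cache[self.qualify(name)] = answer


# Constructed gateway configuration (documentation address ranges).
GATEWAY = InternalDNS(
    system_domain="example.test",
    forwarders=[
        Forwarder("partner.test", ["192.0.2.53"]),
        Forwarder("lab.partner.test", ["192.0.2.54"]),
        Forwarder("old.test", ["192.0.2.55"], enabled=False),
    ],
    upstream=["198.51.100.1", "198.51.100.2"],
)

if __name__ == "__main__":
    for query in ("mail", "host.example.test.", "www.notexample.test",
                  "a.lab.partner.test", "x.old.test"):
        print(f"{query:22} -> {GATEWAY.route(query)}")
```

A lookalike name such as www.notexample.test is sent upstream rather than answered from the internal zone, and a disabled forwarding entry falls through to stage (C).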

Domain Forwarding

The axsguard Gatekeeper can be configured to forward requests for a specific DNS domain to a server as explained in the axsguard Gatekeeper internal DNS flow described in section

To forward requests to a specified DNS server:

1. Navigate to Network > DNS > Forwarding. A screen similar to the image below is displayed.
2. Configure the settings as required (fields are described in the table below).
3. Click on Save to finish.

Image 68: Network > DNS > Forwarding > Add Forwarding DNS Service

Table 28: Network > DNS > Forwarding > Add Forwarding DNS Service Fields

Field | Description
Forward Requests for Domain | Enter the domain for which requests should be forwarded.
Description | Enter (optionally) a description.
Enabled | Check the box to enable forwarding for the specified domain.
Forward to DNS server(s) | Enter the IP address of the DNS server to which the requests should be forwarded for the specified domain.

axsguard Gatekeeper Public DNS

The axsguard Gatekeeper's public DNS enables you to regulate which FQDNs from a domain can be used on the Internet. For more information on the use and configuration of the axsguard Gatekeeper's Public DNS Feature, please refer to the document axsguard Gatekeeper Public DNS How To, available through the permanently on-screen Documentation button.

axsguard Gatekeeper Dynamic DNS

With Dynamic DNS, you can assign a static hostname to an axsguard Gatekeeper with a dynamically assigned IP address, allowing the axsguard Gatekeeper to be more easily accessible from the Internet. This allows VPN users to easily connect to the corporate network, since a static hostname (for instance vpn.mycompany.dyndns.org) is more user-friendly than a dynamic IP address. You must register with a Dynamic DNS service provider to use this feature. Two Dynamic DNS providers are supported by the axsguard Gatekeeper: DynDNS and EasyDNS.

Configuration

To enable Dynamic DNS:

1. Register with either DynDNS or EasyDNS via the websites: or Keep a record of the account settings received from your Dynamic DNS provider.
2. In the axsguard Gatekeeper, navigate to System > Feature Activation > Network
3. Check the box for dynamic DNS updating (see image 69).
4. Navigate to Network > DNS > Dynamic DNS and enter the account settings received from your Dynamic DNS provider.
5. Click Update to finish.

The axsguard Gatekeeper sends its Public IP address to EasyDNS or DynDNS at boot time and whenever the Public IP address changes.

Image 69: System > Feature Activation > Network: Activating Dynamic DNS Feature

11.4 DHCP Service

What is DHCP?

Dynamic Host Configuration Protocol (DHCP) is an application protocol of the TCP/IP protocol suite used for assigning dynamic IP addresses to devices on a network. It operates on UDP port 67. With dynamic addressing, different IP addresses may be assigned whenever a device connects to the network. Using DHCP simplifies network administration because software automatically keeps track of IP addresses so that administrators don't need to. New computers can be added to a network without unique IP addresses needing to be assigned. Many Internet Service Providers (ISPs) use dynamic IP addressing for dial-up users.

Note: How long dynamically assigned IP addresses remain valid depends on the configured DHCP lease time.

Data received from the axsguard Gatekeeper DHCP Server

A computer connecting to the network receives the following parameters from the axsguard Gatekeeper DHCP server:

- an Internet Protocol (IP) address
- a default gateway address
- one or more Domain Name Server (DNS) address(es)
- a Windows Internet Name Server (WINS) address, if present in your network
- a Network Time Protocol (NTP) server address

axsguard Gatekeeper DHCP Ranges

A DHCP range is a valid range of IP addresses available for assignment or lease to clients in a particular subnet. The available ranges need to be registered on the axsguard Gatekeeper DHCP server. IP addresses from this pool are then supplied by the axsguard Gatekeeper to its DHCP clients. Each specified range is automatically assigned to the correct axsguard Gatekeeper network interface. IP ranges can be assigned to either hosts in the DMZ or the secure LAN. The axsguard Gatekeeper also allows IP addresses to be reserved within a subnet for dedicated hosts, e.g. for servers and printers, called static leasing (explained in the next section).

Tip: If an attempt is made to assign an invalid IP range (not associated with an existing axsguard Gatekeeper DMZ or LAN network interface), the axsguard Gatekeeper displays a validation warning (see image 70). Invalid ranges are ignored by the axsguard Gatekeeper.

Image 70: DHCP Validation Warning

axsguard Gatekeeper Static DHCP Leases

Caution: Always use static IP addresses on Windows Servers rather than static DHCP leases. Windows Servers may malfunction when the axsguard Gatekeeper's DHCP lease settings are changed.

A static DHCP lease forces the axsguard Gatekeeper's DHCP server to always assign the same IP address to a specific host in the LAN. axsguard Gatekeeper Static DHCP leases allow:

- Automatic assignment of static IP addresses to servers and central management of the IP addresses.
- Settings defined in the configured DHCP range (e.g. DNS servers) to be overruled. This feature is required for certain programs to function properly.

Configuring the axsguard Gatekeeper DHCP Server

Enabling the DHCP Service

Caution: Using multiple DHCP servers in a subnet causes conflicts.

Before DHCP options can be configured, the axsguard Gatekeeper's DHCP server should be enabled. To enable the DHCP Server:

1. Navigate to System > Feature Activation > Network
2. Check the option to use the DHCP Server (see image 71)
3. Click on Update to finish

Image 71: System > Feature Activation > Network: Activating DHCP Feature

Specifying DHCP IP Ranges

Image 72: Network > DHCP Server > DHCP Subnets > Add DHCP Server Subnet

Image 73: Network > DHCP Server > DHCP Subnets > Add DHCP Server Subnet: Adding Additional IP Ranges

To configure the DHCP IP Ranges on the axsguard Gatekeeper:

1. Navigate to Network > DHCP Server > DHCP Subnets
2. Click on the Add New button to add a DHCP subnet to an axsguard Gatekeeper network device (Secure LAN or DMZ). A screen similar to image 72 appears.
3. Configure the settings for the following (fields are explained in the table below):
   - Enter the first range in the general settings.
   - Configure the DHCP options.
   - Add additional ranges on the Additional IP ranges sub-screen (see image 73). All specified ranges are equally assigned.
4. Click on Save to finish.

Table 29: Network > DHCP Server > DHCP Subnets > Add DHCP Server Subnet Fields

Field | Description

General Settings
Name | Enter a name for the IP range, e.g. LAN.
First IP address | The axsguard Gatekeeper DHCP server has a range of IP addresses it can issue (see section ). Specify the first IP address of the range which may be issued by the axsguard Gatekeeper's DHCP server, e.g The axsguard Gatekeeper DHCP server remembers the MAC addresses for each DHCP lease and attempts to preserve previous IP address/MAC address combinations. This means that clients have the same IP address (DHCP lease), although dynamically assigned. (This may not be possible if the axsguard Gatekeeper runs out of IP addresses to issue). The IP address must belong to the same network segment (subnet) as one of the axsguard Gatekeeper DMZ or LAN network devices.
Last IP address | Enter the last IP address of the DHCP range, e.g
Netmask | Enter the subnet mask assigned to the clients, e.g

DHCP Options
Routers | The router is also known as the default gateway. Enter the DNS name or the IP address of the default gateway in your network, e.g For more information on the default gateway, see section
Domain Name Servers | Enter the primary DNS server which is used by the clients. Enter secondary DNS servers using the Add button, e.g More information about DNS is available in section
Time Servers | Enter the DNS name or the IP address of the Time Server in your network, for instance Additional Time servers may be entered using the Add button.
WINS | Enter the IP addresses of any primary and secondary WINS (Windows Internet Name Server) servers in your network. WINS is Microsoft's implementation of the NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names. WINS is to NetBIOS names what DNS is to domain names, a central mapping of host names to network addresses.
TFTP Server | Enter the IP address of a TFTP (Trivial File Transfer Protocol) server in your network to support booting from the network (i.e. for VoIP phones).
Lease Time | This is the duration of a DHCP lease (measured in seconds). The DHCP lease time is the period during which an assigned IP address remains valid for a host, for instance seconds.

Additional IP Addresses within this Subnet
First IP address in range | Enter the first IP address of the additional range to be issued by the axsguard Gatekeeper, e.g. The IP address must belong to the same network segment (subnet) as specified in the General Parameters (see image 72).
Last IP address in range | Enter the last IP address of the additional range to be issued by the axsguard Gatekeeper, for instance Make sure that the entered IP address belongs to the same network segment (subnet) as specified in the General Parameters (see image 72).

Tip: IP addresses assigned by Static Leases are automatically excluded from configured DHCP ranges.

Example

Consider the following subnet: /24. The first range is specified under the general settings: Additional ranges are specified on the Additional IP Ranges subscreen: and The available IP addresses which fall within all specified ranges are assigned equally by the DHCP server i.e. there is no priority in the assignment.

Adding a DHCP Static Lease

To configure a static lease:

1. Navigate to Network > DHCP Server > Static Leases. A list of the hosts with static leases is displayed.
2. Click on the Add New button to add a new lease (a screen similar to image 74 appears) or click on a name to modify an existing static lease.
3. Configure the settings as explained in the table below.
4. Click on Save to finish.

Image 74: Network > DHCP Server > Static Leases > Add Static DHCP Lease

Tip: IP addresses assigned by Static Leases are automatically excluded from configured DHCP ranges.

Table 30: Network > DHCP Server > Static Lease > Add DHCP Static Lease Fields

| Field | Description |
| --- | --- |
| Name | Enter a name (ID) for the host which should receive a static lease. |
| Description | Provide a description of the host (not mandatory), e.g. file server 1. |
| Hardware Address | Enter the host's MAC address, for instance 00:12:d8:60:90:48. |
| IP Address | Enter the IP address you wish to statically assign to the host, e.g |
| Router | Router is also known as the default gateway. Enter the DNS name or the IP address of the default gateway in your network, e.g For more information on the default gateway, see section |
| Domain Name Servers | Enter the primary DNS server which is used by the clients. Enter secondary DNS servers using the Add button, e.g More information about DNS is available in section |
| Time Servers | Enter the DNS name or the IP address of the Time Server in your network, e.g Additional Time servers may be entered using the Add button. |
| WINS | Enter the IP addresses of any primary and secondary WINS (Windows Internet Name Server) servers in your network. WINS is Microsoft's implementation of the NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names. WINS is a central mapping of host names to network addresses for NetBIOS. |
| Lease Time | This is the duration of a DHCP lease (measured in seconds). The DHCP lease time is the period during which an assigned IP address remains valid for a host, for instance seconds. |

Note: The TFTP server option is not available for Static Leases.

DHCP Used Leases

To view a Used Leases list of the clients which have been issued an IP address by the axsguard Gatekeeper DHCP server:

Navigate to Network > DHCP Server > Used Leases. A screen similar to image 75 appears. Fields are explained in the table below.

Image 75: Network > DHCP Server > Used Leases

Table 31: Network > DHCP Server > Used Leases: DHCP Leases Fields

| Field | Description |
| --- | --- |
| IP | The IP address which has been assigned from the specified IP range. |
| Start | The moment when a certain IP address was issued (Start of the lease). |
| Stop | The moment when an IP lease ceased to exist (or will cease to exist). Past leases are also listed. |
| MAC | The MAC address of the client which received (or has) a dynamically assigned IP address. |
| Hostname | The computer name of the host which received (or has) a dynamically assigned IP address. |
| Abandoned | The lease is no longer in use. |
| Make Static | Click this link to make the lease static (see section ). |
| Delete | Releases the IP address, which can then be reassigned. |

Note: Clients with a static DHCP lease are not listed on the DHCP Used Leases list.

Routing

What is Routing?

The decision process by which packets are moved from one network to another is defined as routing. Entries in routing tables specify the interface or gateway through which a packet must leave a network to reach another. Checks in the routing table are processed from the top down for all incoming packets.

Whether an IP packet can be sent directly to a destination (communicating with a computer in the same LAN or subnet) or needs to be sent to the computer's default gateway (attempting to communicate with a computer in another network segment or subnet) is first checked by the sending host. The axsguard Gatekeeper uses the same principle to send and receive network packets.

Routing Table Entries

The data types recorded in a routing table are defined in the table below.

Table 32: Network > Routing Table Fields

| Field | Description |
| --- | --- |
| Destination | This is the destination network of a packet. This is required to match the packet with an entry in the routing table, for instance |
| Netmask | This entry, for instance , is checked against the destination entries in the routing table. |
| Gateway | This entry designates a specific host (by its IP address) to which a packet should be forwarded if the destination cannot be reached directly by the axsguard Gatekeeper. |
| Interface / Device | This field specifies the network interface through which a packet destined for a network - which can be reached directly by the axsguard Gatekeeper - must be sent, e.g. eth0. |
| Default Gateway | The default gateway is the IP address of a host which is used to send packets with destination addresses that do not match any routing table entries. The gateway uses its own routing tables to forward traffic to the destination, e.g. to a server on the Internet using ISP infrastructure. The default gateway is generally represented by a network address and netmask value of |

Routing Mechanism

Arriving network packets always traverse the routing table. If the destination network is within reach of one of the axsguard Gatekeeper network interfaces (i.e. it is a subnet of the axsguard Gatekeeper), routing entries are automatically added by the axsguard Gatekeeper and the packets are delivered.

If the destination network cannot be reached directly by the axsguard Gatekeeper (i.e. it is not a subnet of the axsguard Gatekeeper), the routing system looks for a matching entry in the routing table. If a matching entry is found in the routing table, the network packets are delivered to the specified gateway for the destination network. If no matching entry is found for the destination network, the network packets are delivered to the default gateway.

The routing system discards packets if no gateway or default gateway is specified in the routing table. In this case, a message is generated notifying the sending application that the destination network is unreachable, e.g. if pinging a host which is unreachable. Most systems using TCP/IP have a routing table entry in which the default gateway is specified.

The routing mechanism can be summarized as follows (see image 76):

Table 33: Example Routing Table based on image 76

Case Destination Netmask Gateway Network Interface * Eth * Eth Default Gateway Eth1 Eth2

Case 1

If the network packet is destined for a network which can be reached directly by the axsguard Gatekeeper (i.e. for a subnet of the axsguard Gatekeeper), the packet is immediately delivered to this network, e.g. a packet traveling from towards (see image below).

Case 2

If the network packet is destined for a network which cannot be reached directly by the axsguard Gatekeeper, the packet is sent to the gateway of this network, if specified in the routing table, e.g. a packet traveling from towards (see image below).

Case 3

If there is no specific gateway routing entry in the routing table for the destination network, the packet is sent to the default gateway, for instance a packet traveling from towards (see image below).

Image 76: axsguard Gatekeeper Routing Mechanism
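The three cases above can be traced with a small route-lookup model. This is an added example, not code from the axsguard Gatekeeper: all addresses, device names and the most-specific-first ordering of the table are assumptions chosen for illustration, and the last function flags static routes whose gateway is not on a directly connected subnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    device: str
    gateway: Optional[ipaddress.IPv4Address] = None  # None: directly connected


def make_route(cidr: str, device: str, gateway: Optional[str] = None) -> Route:
    gw = ipaddress.IPv4Address(gateway) if gateway else None
    return Route(ipaddress.IPv4Network(cidr), device, gw)


def order_table(routes: List[Route]) -> List[Route]:
    # Assumption: most specific prefix first, so 0.0.0.0/0 is checked last
    # when the table is scanned from the top down.
    return sorted(routes, key=lambda r: r.network.prefixlen, reverse=True)


def lookup(table: List[Route], destination: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (decision, next_hop, device) for one destination address."""
    dst = ipaddress.IPv4Address(destination)
    for route in table:  # top-down scan of the ordered table
        if dst not in route.network:
            continue
        if route.gateway is None:
            return ("case 1: direct delivery", str(dst), route.device)
        if route.network.prefixlen == 0:
            return ("case 3: default gateway", str(route.gateway), route.device)
        return ("case 2: static gateway", str(route.gateway), route.device)
    # No gateway and no default gateway: the packet is discarded and the
    # sender is told the destination network is unreachable.
    return ("discard: network unreachable", None, None)


def misplaced_gateways(table: List[Route]) -> List[Route]:
    """Routes whose gateway is not on a connected subnet of the same device."""
    connected = [r for r in table if r.gateway is None]
    return [
        r for r in table
        if r.gateway is not None
        and not any(r.gateway in c.network and c.device == r.device for c in connected)
    ]


# Constructed sample table (documentation and private address ranges).
TABLE = order_table([
    make_route("0.0.0.0/0", "eth2", "203.0.113.1"),   # default gateway
    make_route("10.0.1.0/24", "eth0"),                # connected
    make_route("10.0.2.0/24", "eth1"),                # connected
    make_route("203.0.113.0/24", "eth2"),             # connected
    make_route("10.0.3.0/24", "eth1", "10.0.2.254"),  # static route
])

if __name__ == "__main__":
    for dst in ("10.0.1.20", "10.0.3.7", "198.51.100.9"):
        print(dst, lookup(TABLE, dst))
    print("misplaced gateways:", misplaced_gateways(TABLE))
```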

Adding a Route on the axsguard Gatekeeper

To add a route to the axsguard Gatekeeper's routing table:

1. Navigate to Network > Routing.
2. Click on the Add New button. A screen similar to image 77 is displayed.
3. Configure the settings as explained in the table below.
4. Click on Save to finish.

Image 77: Network > Routing > Add Static Route Definition

Table 34: Network > Add Static Route Definition Fields

| Field | Description |
| --- | --- |
| Name | Enter an identifier for the route, using only lower case without spaces, starting with an alphabetic character followed by any number of alphanumeric characters and/or the special characters: back slash (\), hyphen (-), underscore (_), full stop (.), and the "at" sign (@), e.g. some_network. |
| Description | Enter a description for the route (optional), e.g. Route To Some_Network. |
| Enabled | Check the box to enable the defined route. |
| Network | Enter the network segment's IP address using the CIDR notation, e.g /24. The netmask may also be specified as / |
| Destination | Select the Destination option: Gateway IP, Device or etunnel (explained next). |
| Gateway IP (Case 2 p105) | Select this option if you wish to add a Gateway to the axsguard Gatekeeper routing table, e.g |
| Device (Case 1 p105) | Select a device (from the drop-down menu) through which traffic must be routed, e.g. eth1. The axsguard Gatekeeper automatically selects a device for the route if no device is selected. |
| E-tunnel (special case) | Select this option if you have several axsguard Gatekeepers connected in a VPN setup. For more information, please refer to the document axsguard Gatekeeper VPN How To, available through the permanently on-screen Documentation button. |

Consulting the Route Table

When a route has been added to the axsguard Gatekeeper's route table and enabled, it can be viewed. To view the route table:

Navigate to Network > Status > Route Table (see image 78).

Image 78: Main Routing Table

Note: In this section we have described the main route table (see image above). Other route tables fall outside the scope of this guide.

NAT (Network Address Translation)

Caution: NAT only needs to be configured when the axsguard Gatekeeper is used as a router or a gateway. If you are using the axsguard Gatekeeper solely for authentication on your network, configuring NAT is not necessary and this section may be skipped.

What is NAT?

While network packets travel from a source to a destination, routers which use NAT (Network Address Translation) alter the source or destination headers of the IP packets. If the UDP or TCP protocol is used, the source or destination port is also altered. Five NAT types are explained in the following sections. They are defined based on the altered header information:

1. Masquerading
2. SNAT (Source Network Address Translation)
3. Port Forwarding
4. DNAT (Destination Network Address Translation)
5. Port Redirection

Masquerading

Masquerading Principle

Masquerading is a NAT type which is used to change a packet's source IP address. For all new connections, the source IP address is looked up, based on the outgoing interface of the packet, and subsequently altered (masqueraded). Reply packets are automatically demasqueraded and returned to the original source IP addresses. Masquerading allows private IP addresses to be hidden behind a public and dynamically assigned IP address (by the ISP), so that requests from within a LAN can be correctly answered by hosts on the Internet.

In addition to masquerading of a packet's source IP address, the axsguard Gatekeeper also auto masquerades source ports, if a port is already in use. The automatic mapping mechanism on the axsguard Gatekeeper stores the data accordingly so that reply packets are correctly handled (demasqueraded).

Note: Port numbers are assigned based on those which are already in use. The range of available port numbers is pre-configured on the axsguard Gatekeeper and cannot be changed.

Image 79: NAT Masquerading

Examples

IP Address Masquerading

Image 79 shows that all computers in the LAN connect to the Internet via the same axsguard Gatekeeper Internet connection. The computers in the LAN have a private IP address in the /24 segment. PC1 sends a packet to the outside world (the Internet). The source IP address of this packet is , which is a private IP address. Since IP addresses in the private range cannot be used on the Internet, the Private IP address is masqueraded to the public IP address of the axsguard Gatekeeper, , so that a response can be given by the receiving computer. Receiving computers reply to , which is the axsguard Gatekeeper. Once the answer is received by the axsguard Gatekeeper, the address is rewritten (demasquerading) to , which is the address of the sending host.

IP Address and Source Port Masquerading

In image 79, assume that PC1 makes a connection with an external Web server using source port 2000, which is chosen randomly. The source IP address is and the destination is port 80 (i.e. a connection to a Web server). The axsguard Gatekeeper masquerades the private source IP address with its Internet interface IP address, which is The source port remains unchanged. The Web server identifies an incoming connection from source IP address , with source port 2000 and responds accordingly. When the response is received, the axsguard Gatekeeper automatically rewrites (demasquerades) the reply packet so that it contains the private source IP address of PC1, i.e , leaving the port (2000) unchanged.

Assume that PC2 simultaneously connects to the same Web server and also uses source port The axsguard Gatekeeper identifies an incoming packet with source IP address , using port Since port 2000 is already in use for PC1, both the source IP address and port number need to be automatically masqueraded to allow demasquerading. Packets sent by PC2 are therefore masqueraded by the axsguard Gatekeeper to source IP address , using a different source port, e.g. source port The automatic mapping mechanism on the axsguard Gatekeeper stores the data accordingly so that reply packets are correctly handled (demasqueraded).

Pre-defined Masquerading

Caution: When private IP addresses are used in the DMZ, Masquerading rules should be defined on the axsguard Gatekeeper to enable traffic from the DMZ towards the Internet.

The axsguard Gatekeeper applies pre-defined masquerading in the following order by default:

Table 35: axsguard Gatekeeper Predefined Masquerading Rules

| In Interface | Out Interface | Result |
| --- | --- | --- |
| DMZ | Internet | The packet is not masqueraded |
| Secure LAN | DMZ | The packet is masqueraded |
| Secure LAN | Internet | The packet is masqueraded |

If none of the above combinations (see image 80) match, the packet is either not masqueraded or blocked (providing the Firewall and IPS modules are activated).
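The PC1/PC2 source-port example above, as an added sketch that is not part of the axsguard Gatekeeper: a masquerading table that keeps the source port when it is free, remaps it on a clash, and drops replies that match no stored mapping. The addresses and the port pool are constructed; the product's real pool is pre-configured and not given in this guide.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


class PortPoolExhausted(Exception):
    """No free public port is left for a new connection to this remote host."""


class Masquerader:
    def __init__(self, public_ip: str, port_pool: range):
        self.public_ip = public_ip
        self.port_pool = port_pool  # assumption: constructed pool for the demo
        # (public port, remote endpoint) -> private endpoint, used for replies
        self._by_reply: Dict[Tuple[int, Endpoint], Endpoint] = {}
        # (private endpoint, remote endpoint) -> public port, so later packets
        # of the same connection reuse the same mapping
        self._by_flow: Dict[Tuple[Endpoint, Endpoint], int] = {}

    def outbound(self, private: Endpoint, remote: Endpoint) -> Endpoint:
        """Masquerade an outgoing packet; return the (public IP, port) it leaves with."""
        flow = (private, remote)
        if flow in self._by_flow:
            return (self.public_ip, self._by_flow[flow])
        # Prefer the original source port; fall back to the pool on a clash.
        candidates = [private[1]] + [p for p in self.port_pool if p != private[1]]
        for port in candidates:
            if (port, remote) not in self._by_reply:
                self._by_reply[(port, remote)] = private
                self._by_flow[flow] = port
                return (self.public_ip, port)
        raise PortPoolExhausted(f"no free port towards {remote}")

    def inbound(self, remote: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Demasquerade a reply; None means no mapping exists and the packet is dropped."""
        return self._by_reply.get((public_port, remote))


# Constructed endpoints for the demo.
WEB = ("198.51.100.80", 80)
PC1 = ("192.168.1.11", 2000)
PC2 = ("192.168.1.12", 2000)

if __name__ == "__main__":
    nat = Masquerader("203.0.113.10", range(61000, 61003))
    print("PC1 leaves as", nat.outbound(PC1, WEB))   # port 2000 kept
    print("PC2 leaves as", nat.outbound(PC2, WEB))   # port remapped
    print("reply to 2000 goes to", nat.inbound(WEB, 2000))
    print("reply to 61000 goes to", nat.inbound(WEB, 61000))
    print("unsolicited packet:", nat.inbound(("198.51.100.99", 80), 2000))
```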

Image 80: Predefined Masquerading Rules

In some situations the predefined masquerading rules described above do not suffice. Image 81 shows such a situation. In this case, private IP addresses are used in the DMZ. Therefore packets from the DMZ arriving on the Internet without being masqueraded are discarded, since IP addresses in the private range cannot be used on the Internet. This problem can be solved by adding an explicit masquerade rule for the DMZ subnet.

Image 81: Exception to Predefined Masquerading Rules

Example

See image 81: packets destined for the Internet with a source IP address of the /24 DMZ subnet are not masqueraded by default, e.g. packets originating from server

Adding Masquerading Rules on the axsguard Gatekeeper

To add a masquerading rule to the axsguard Gatekeeper:

1. Navigate to Network > NAT > Masquerading.
2. Click on the Add New button. A screen similar to image 82 appears.
3. Configure the settings as explained in the table below.
4. Click on Save to finish.

Image 82: Network > NAT > Masquerading > Add Masquerade

Table 36: Network > NAT > Masquerading > Add Masquerade Rule Fields

| Field | Description |
| --- | --- |
| Name | Enter an identifier for the rule, using only lower case without spaces, starting with an alphabetic character, followed by any number of alphanumeric characters and/or the special characters: back slash (\), hyphen (-), underscore (_), full stop (.), and the "at" sign (@), e.g. internet_access_for_dmz. |
| Description | Enter (optionally) a description for the rule, e.g. Access to the Internet from DMZ /24. |
| Enabled | Check to enable the defined rule. |
| Source IP | Enter the IP range to be masqueraded. Use the CIDR notation, e.g /24. If this field is left blank, the masquerade rule operates on all source IP addresses. |
| Destination IP | Enter the destination network for which the rule is intended. Use the CIDR notation. If this field is left blank, the masquerade rule operates on all destination IP addresses. |
| Device Out | Enter the device from which the packets are leaving the axsguard Gatekeeper, e.g. eth1-internet. |
| Target | Select the target from the drop-down list. Selecting Accept defines this masquerade entry as an exception to masquerading, i.e. no masquerading is performed for the defined source network (source IP). Masq performs masquerading for the specified source network. |

SNAT (Source Network Address Translation)

SNAT Principle

Source Network Address Translation (SNAT) is a type of NAT used to change the source IP address of packets. Unlike masquerading, the public IP address is not looked up for new connections (see section ). The Public source IP address can be fixed for all future connections. Therefore SNAT cannot be used with dynamically assigned public IP addresses. Similar to masquerading, the reverse de-SNAT process is automatic.

Example

This example has the same setup as used in the example in section (see image 83). The difference is that the Public IP address of the axsguard Gatekeeper is now fixed (not dynamically assigned by the ISP).

Image 83: Example with SNAT: DMZ with Private IPs

Adding SNAT Rules on the axsguard Gatekeeper

To add a SNAT rule on the axsguard Gatekeeper:

1. Navigate to Network > NAT > SNAT/DNAT.
2. Click on the Add New button. A screen similar to image 84 appears.
3. Configure the settings as explained in the table below.
4. Click on Save to finish.

Image 84: Network > NAT > SNAT/DNAT > Add Network Address Translation (SNAT)

Table 37: Network > NAT > SNAT/DNAT > Add Network Address Translation (SNAT) Fields

| Field | Description |
| --- | --- |
| Name | Enter an identifier for the rule, using only lower case without spaces, starting with an alphabetic character, followed by any number of alphanumeric characters and/or the special characters: back slash (\), hyphen (-), underscore (_), full stop (.), and the "at" sign (@), e.g. internet_access_for_dmz. |
| Description | Enter (optionally) a description for the rule, e.g. Access to the Internet from DMZ /24. |
| Enabled | Check the box to enable the defined rule. |
| Action | Select Source Address Translation. |
| Coming from IP or network | Enter the IP range (network) to which the SNAT rule applies. Use the CIDR notation, e.g /24. |
| Translate to IP | Enter the IP address to be used for the translation, e.g |
| Going to IP or network | Specify a destination network for which the packets should be translated. Use the CIDR notation. If left empty, translations occur for all destination networks. |
| Going through device | Enter the device through which the packets to be translated are leaving the axsguard Gatekeeper, e.g. eth1 Internet. |

Tip: Select Don't Translate for the Action field if you wish to define exceptions.

Port Forwarding

Port Forwarding Principle

Port forwarding is a NAT type used to change the destination IP address and/or destination port of packets. As with masquerading and SNAT, the reverse Port Forwarding operation occurs automatically on reply packets.

Example

Port forwarding can be used to forward incoming traffic on the axsguard Gatekeeper to a server in the DMZ (configured with a private IP address). Whenever a connection is made from the Internet to the Internet IP address of the axsguard Gatekeeper, i.e , on port 800, the connection can be forwarded to the server in the DMZ on port 805 (see image 85).

Based on image 85, a connection to on port 800, is mapped to on port 805. The server receives the packet and sends a reply packet with its private IP address. To avoid this packet being dropped immediately on the Internet as it leaves the LAN, this private IP address is automatically translated to the public IP address of the axsguard Gatekeeper i.e ; thus De-NAT is automatic with port forwarding.

In this example, private IP addresses are used in the DMZ. It is also possible to use public IP addresses for servers in the DMZ. In such a case no Port Forwarding is required, since direct external connections can be made to any public IP address.

Image 85: Example of Port Forwarding towards a Web Server in the DMZ

Note: For web servers, it is recommended to use the axsguard Gatekeeper Reverse Proxy Module. This is an application firewall which services the requests of Internet clients by forwarding them to the appropriate servers in the LAN, while providing access control, auditing and content monitoring, which cannot be accomplished with a DMZ setup. For more information, please refer to the document axsguard Gatekeeper Reverse Proxy Module How To, available through the permanently on-screen Documentation button.

Adding Port Forwarding Rules on the axsguard Gatekeeper

To add a port forwarding rule on the axsguard Gatekeeper:

1. Navigate to Network > NAT > Port Forwarding.
2. Click the Add New button. A screen similar to image 86 appears.
3. Configure the settings as described in the table below.
4. Click on Save to finish.

Image 86: Network > NAT > Port Forwarding > Add Port Forwarding

Table 38: Network > NAT > Port Forwarding > Add Port Forwarding Fields

| Field | Description |
| --- | --- |
| Name | Enter an identifier for the rule, using only lower case without spaces, starting with an alphabetic character, followed by any number of alphanumeric characters and/or the special characters: back slash (\), hyphen (-), underscore (_), full stop (.), and the "at" sign (@), e.g. fwd_to_dmz_webserver. |
| Description | Enter (optionally) a description for the rule, e.g. Port Forwarding to DMZ Web Server. |
| Enabled | Check the box to enable the defined rule. |
| Source IP/Net | Specify the Source IP address or source subnet which can use the port forwarding rule. Use the CIDR notation. If this field is left empty, all IP addresses are permitted access by default. |
| Protocol | Select the protocol from the drop-down list (TCP or UDP). |
| Entering via Device | Select the device through which traffic to be forwarded is entering, e.g. eth1 - Internet. You can either select a network zone (e.g. Internet) or a specific device connected to that zone (e.g. eth1 - Internet). |
| Coming to IP address | Enter the IP address for which the port forwarding rule is applied, e.g |
| Port | Enter the port number for which the port forwarding rule is applied, e.g |
| Destination IP | Specify the IP address of the host to which the port is forwarded. Only one IP address may be entered, e.g |
| Destination Port | Enter the port number to which traffic should be forwarded, e.g If this parameter is left empty, traffic is automatically forwarded to the port as specified in the port field (see above), i.e. the destination port remains unchanged. |

DNAT (Destination Network Address Translation)

Caution: VASCO recommends the use of Port Forwarding rather than DNAT, as it provides control over the specific ports to be forwarded. Forwarding all ports constitutes a serious security risk.

DNAT Principle

Destination Network Address Translation (DNAT) is a special case of port forwarding. With DNAT all ports for a specific destination IP address are forwarded to another destination IP address. As with SNAT and masquerading, the reverse NAT mapping occurs automatically. This NAT type is almost never used as port forwarding accommodates most possible requirements.

Example

This example has the same setup as used in the Port Forwarding Example p114, except that the axsguard Gatekeeper has two public IP addresses (two Internet Interfaces), as shown in image 87.

Based on image 87, a connection to on any port, is mapped to on any port (the same port initially used in the connection to ). The server receives the packet and sends a reply packet with its private IP address, To avoid this packet from being dropped immediately on the Internet as it leaves the LAN, this private IP address is automatically translated to the correct public IP address of the axsguard Gatekeeper i.e ; thus De-NAT is automatic with DNAT. The server in the DMZ cannot be contacted when making a connection to the axsguard Gatekeeper on IP
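Why the caution above prefers Port Forwarding: the added example below (not VASCO code) models the two rule types with field names taken from Tables 38 and 39 and lists which services on a DMZ server become reachable under each. The IP addresses and the server's listening services are constructed; ports 800 and 805 come from the Port Forwarding example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Service = Tuple[str, int]  # (protocol, port)


@dataclass(frozen=True)
class PortForward:
    protocol: str                            # "tcp" or "udp"
    coming_to_ip: str                        # public IP the rule applies to
    port: int                                # public port
    destination_ip: str                      # internal host
    destination_port: Optional[int] = None   # empty: port stays unchanged
    source_net: Optional[str] = None         # empty: any source is permitted


@dataclass(frozen=True)
class Dnat:
    coming_to_ip: str
    translate_to_ip: str
    coming_from_net: Optional[str] = None    # empty: all originating networks


Rule = Union[PortForward, Dnat]


def _source_allowed(net: Optional[str], src_ip: str) -> bool:
    return net is None or ipaddress.ip_address(src_ip) in ipaddress.ip_network(net)


def translate(rules: List[Rule], src_ip: str, protocol: str,
              dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return the rewritten (IP, port) for the first matching rule, else None."""
    for rule in rules:
        if isinstance(rule, PortForward):
            if (rule.protocol == protocol and rule.coming_to_ip == dst_ip
                    and rule.port == dst_port
                    and _source_allowed(rule.source_net, src_ip)):
                return (rule.destination_ip, rule.destination_port or dst_port)
        elif (rule.coming_to_ip == dst_ip
              and _source_allowed(rule.coming_from_net, src_ip)):
            return (rule.translate_to_ip, dst_port)  # every port is forwarded
    return None


def exposed_services(rules: List[Rule], public_ip: str, server_ip: str,
                     listening: Dict[Service, str], src_ip: str) -> Dict[Service, str]:
    """Map each public (protocol, port) that reaches a listening service to its name."""
    exposed: Dict[Service, str] = {}
    for protocol in ("tcp", "udp"):
        for public_port in range(1, 65536):
            target = translate(rules, src_ip, protocol, public_ip, public_port)
            if target and target[0] == server_ip and (protocol, target[1]) in listening:
                exposed[(protocol, public_port)] = listening[(protocol, target[1])]
    return exposed


# Constructed DMZ server: what it listens on, whether meant to be public or not.
LISTENING = {("tcp", 805): "web", ("tcp", 22): "ssh", ("tcp", 3306): "database"}
SERVER = "10.0.0.5"
OUTSIDE = "198.51.100.7"

PORT_FORWARD_RULES = [PortForward("tcp", "203.0.113.10", 800, SERVER, 805)]
DNAT_RULES = [Dnat("203.0.113.11", SERVER)]

if __name__ == "__main__":
    print("port forwarding exposes:",
          exposed_services(PORT_FORWARD_RULES, "203.0.113.10", SERVER, LISTENING, OUTSIDE))
    print("DNAT exposes:",
          exposed_services(DNAT_RULES, "203.0.113.11", SERVER, LISTENING, OUTSIDE))
```

With the single port forwarding rule only the web service is reachable from outside; the DNAT rule also exposes the SSH and database ports that were never meant to be public.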

Image 87: Example of DNAT towards a Web Server in the DMZ

Adding DNAT Rules on the axsguard Gatekeeper

To add a DNAT rule on the axsguard Gatekeeper:

1. Navigate to Network > NAT > SNAT/DNAT.
2. Click on the Add New button. A screen similar to image 88 appears.
3. Configure the settings as described in the table below.
4. Click on Save to finish.

Image 88: Network > NAT > SNAT/DNAT > Add Network Address Translation (DNAT)

Table 39: Network > NAT > SNAT/DNAT > Add Network Address Translation (DNAT) Fields

| Field | Description |
| --- | --- |
| Name | Enter an identifier for the rule, using only lower case without spaces, starting with an alphabetic character, followed by any number of alphanumeric characters and/or the special characters: back slash (\), hyphen (-), underscore (_), full stop (.), and the "at" sign (@), e.g. dnat_to_dmz_server. |
| Description | Enter (optionally) a description for the rule. |
| Enabled | Check the box to enable the defined rule. |
| Action | Select Destination Address Translation. |
| Coming to IP or Network | Enter the IP address for which the DNAT rule is applied, e.g |
| Translate to IP | Enter the IP address to be used for the translation, e.g |
| Coming from IP or Network | Specify an originating network for which the translation should be executed. Use the CIDR notation, e.g /24. If left empty, translations occur for all originating networks. |
| Coming through Device | Select (from the drop-down list) the device through which the packets to be translated are entering the axsguard Gatekeeper, e.g. eth1 Internet. |

Tip: Select Don't Translate for the Action field if you wish to define exceptions.

Port Redirection

Port Redirection Principle

Port Redirection is a NAT type which is used to redirect incoming network traffic for a specific port and/or IP address to a service running on a specific port on the axsguard Gatekeeper. In other words, the destination IP and port number in the network packets are altered to point to a service on the axsguard Gatekeeper.

Example

A good example of port redirection is the redirection of proxy network traffic from within the LAN (see image below). If the browser's proxy settings of your network clients are set to port 80, it is possible to activate a single port redirection rule on the axsguard Gatekeeper so that all traffic destined for port 80 on the axsguard Gatekeeper is redirected to port 3128 on the axsguard Gatekeeper. Port 3128 is the default port number of the axsguard Gatekeeper Proxy Server. This method is more efficient than modifying the proxy configuration settings on each client individually (on the condition that the IP address of the proxy server remains the same).

For more information on proxy use, please refer to the document axsguard Gatekeeper Web Access How To, available through the permanently on-screen Documentation button.

Image 89: Example Port Redirection on the axsguard Gatekeeper

Pre-defined Port Redirection

Caution: Disabling pre-defined Port Redirection rules may prevent VASCO from being able to provide remote support.

To view pre-defined port redirection rules on the axsguard Gatekeeper:

Navigate to Network > NAT > Port Redirection. A list similar to image 90 appears.

To view the configuration of a particular pre-defined port redirection rule:

Click on the rule name in the Overview of Port Redirection table (see image 90).

Image 90: Network > NAT > Port Redirection: Pre-defined Rules

Note: The axsguard Gatekeeper pre-defined port redirection rules can be disabled, but cannot be removed or altered.

Adding Port Redirection Rules on the axsguard Gatekeeper

To add a port redirection rule on the axsguard Gatekeeper:

1. Navigate to Network > NAT > Port Redirection.
2. Click on the Add New button. A screen similar to image 91 appears.
3. Configure the settings as described in the table below.
4. Click on Save to finish.

Image 91: Network > NAT > Port Redirection > Add Port Redirection

Table 40: Network > NAT > Port Redirection > Add Port Redirection Fields

| Field | Description |
| --- | --- |
| Name | Enter an identifier for the rule, using only lower case without spaces, starting with an alphabetic character, followed by any number of alphanumeric characters and/or the special characters: back slash (\), hyphen (-), underscore (_), full stop (.), and the "at" sign (@), e.g. http_proxy. |
| Description | Enter (optionally) a description for the rule, e.g. Secure Port 80 to |
| Enabled | Check the box to enable the defined rule. |
| Source IP/Net | Specify the Source IP address or source subnet which is subject to the port redirection rule. Use the CIDR notation, e.g /24. If this field is left empty, all source IP addresses are subject to the rule. |
| Protocol | Select the protocol from the drop-down list (TCP or UDP). |
| Entering via Device | Select the device through which traffic to be redirected is entering, e.g. SEC - Secure. |
| Coming to IP or Network | Enter the destination IP address to which the port redirection rule is applied, e.g /32. Use the CIDR notation. If an IP address is specified, traffic is only redirected if the destination IP matches headers in the outgoing packets (exception). If no IP address is entered, the rule is applied to all destination addresses. |
| Port | Enter the port number to which the port forwarding rule is applied, e.g. 80. Traffic is redirected when a packet header matches the specified port number. |
| Destination Port | Enter the port number to which traffic should be redirected, e.g Traffic is redirected towards the specified port number, if the incoming network traffic matches. |

NAT Helpers

What are NAT helpers?

axsguard Gatekeeper connection tracking allows the automatic de-NAT explained in the previous sections. Connection tracking refers to the ability to keep records of connection information, such as the source and destination IP address, port number pairs (also known as socket pairs), protocol types, connection states, timeouts, etc. in tables. NAT helpers (if enabled) automatically add to these tables the necessary connection information for a specific protocol. The listed protocols all use associated connections (control channels). The NAT helpers ensure that the associated connections are also properly NATed.

For more information on Connection Tracking, please refer to the document axsguard Gatekeeper Firewall How To, available through the permanently on-screen Documentation button.

Enabling NAT Helpers

To enable NAT helpers:

1. Navigate to Network > NAT > General. A screen similar to image 92 appears.
2. Check the appropriate boxes for the helpers required in your network (helper types are explained in the table below).
3. Click on Update to finish.

Image 92: Network > NAT > General

Table 41: Network > NAT > General Fields

| Field | Description |
| --- | --- |
| FTP Helper | This is the NAT helper for the FTP protocol to track active FTP connections. If enabled, the necessary entry for the related FTP data channel is automatically added to the connection table, so that the FTP data channel is correctly NATed. |
| VPN PPTP Helper | This is the NAT helper for the VPN PPTP protocol, which tracks connection on TCP port 1723 with the associated data tunnel which uses the GRE protocol. |
| IRC Helper | This is the NAT helper for IRC, which tracks IRC connections on TCP port |
| H.323 Helper | This is the NAT helper for the H.323 protocol (VoIP). It supports RAS, Fast Start, H.245 Tunnelling, Call Forwarding, RTP/RTCP and T.120 based data and applications including audio, video, fax, chat, whiteboard, file transfer, etc. |
| SIP Helper | This is the NAT helper for the SIP protocol (VoIP). |
| SNMP Helper | This is the NAT helper for the SNMP protocol. This is the 'basic' form of SNMP-ALG, as described in RFC It modifies IP addresses inside SNMP payloads to match IP-layer NAT mapping. |
| TFTP Helper | This is the NAT helper for the TFTP protocol, which tracks TFTP connections on UDP port 69. |
| Amanda Helper | This is the NAT helper for the Amanda backup tool protocol. |

12 axsguard Gatekeeper and NTP

12.1 What is an NTP Server

NTP (Network Time Protocol) is a protocol designed to synchronize the clocks of hosts over a network. The axsguard Gatekeeper can be used as a time server for your LAN (see image 93). The axsguard Gatekeeper's internal time server is active by default and cannot be turned off. Clients on your network need to be configured accordingly to make use of this service. For instructions on how to do this, please refer to the appropriate documentation for your Operating System.

Image 93: axsguard Gatekeeper Time Server

12.2 Synchronizing the axsguard Gatekeeper with a Time Server

The axsguard Gatekeeper can be synchronized with a Time Server on the Internet or in your network. To specify the server with which the axsguard Gatekeeper should be synchronized:

1. Navigate to Network > General.
2. Enter the FQDN or IP address of the time server, e.g. ntp.vasco.com
3. Click on Update (see image 94).

Image 94: Network > General

Checking the axsguard Gatekeeper System Time

The system time of your axsguard Gatekeeper is displayed permanently in the top pane of the Administrator Tool (see image 95).

Image 95: System Time (right)

13 System Status

13.1 Overview

The System Status menu provides general information about the axsguard Gatekeeper system and specific information about the system's health, services, hardware and system kernel. This section explains how to access and use the system status information.

System Info

To view the System Information: Navigate to System > Status > System Info (see image below).

This screen displays the license information, type of maintenance contract, Version and Revision numbers, the model (Type), VASCO DIGIPASS and axsguard Gatekeeper hardware and software modules.

Image 96: System > Status > System Info

13.3 Health Status

Access

The system health screen provides information about the system up time, health status (OK or Not OK) and health status messages (see image 97). To access the axsguard Gatekeeper's health status screen:

Click on the permanently on-screen Status button
OR
Navigate to System > Status > Health.

Image 97: System > Status > Health

Message Priorities

Health status messages are either run time messages or messages generated following routine self-checks, and are prioritized into four levels explained in the table below.

Table 42: Health Status Message Priorities

Field: Description
Fatal Errors: Errors which prevent the correct operation of the axsguard Gatekeeper or one of its services, e.g. the failure of a network device.
Errors: Errors which do not necessarily prevent the correct operation of the axsguard Gatekeeper, but which need immediate attention as they could affect the future operation and efficiency of the axsguard Gatekeeper or its services if left unattended, e.g. failure of the Antivirus updates or failure of Public DNS, etc.
Warnings: Messages regarding an error or omission in certain configuration settings, e.g. when the default sysadmin password remains unchanged (see section 2.3).
Notice: Information about a running process, e.g. anti-virus update is running.

Image 98: Health Message Types

Run time Messages

Run time health messages either offer a link to the configuration page where action needs to be taken (see image 99) or offer information about a configuration problem and/or the action required to resolve it (see image 100).

Image 99: Health Message with link to where action is needed

Image 100: Health Messages with information only

Configuration Warnings

axsguard Gatekeeper self-checks occur automatically each night, taking a couple of minutes to complete. Configuration warnings are generated after the self-checks, and are refreshed every 24 hours after each self-check. This means that a configuration warning remains visible until the next self-check. These messages can also either offer links to directly resolve problems, or explain configuration problems and/or actions needed to resolve them.

To access a list of the axsguard Gatekeeper configuration warnings:

1. Navigate to System > Status > Health
2. Click on the link under There are configuration problems! (see image 98).

To test your configuration settings manually and force the configuration warnings to be refreshed immediately:

1. Navigate to System > Status > Health
2. Click on the Start Configuration Check button (see image 101). Please note that the configuration check takes a few minutes to complete.

Image 101: System > Status > Health > Start Configuration Check Manually

For more information on module-specific health messages and problems, please refer to the relevant axsguard Gatekeeper How To guides, available through the permanently on-screen Documentation button.

Services Status

The Services screen displays the status of the axsguard Gatekeeper services. A stopped service can be (re)started on this screen. To access the Services screen: Navigate to System > Status > Services. A screen similar to image 102 is displayed. The fields are explained in the table below.

Image 102: System > Status > Services

Table 43: System > Status > Services Fields

Field: Description
Service: The name of the service.
Color: Green means the service is running correctly. Red means the service is no longer running or there is a problem with the service and it needs to be restarted. Grey means the service is available on the axsguard Gatekeeper, but not enabled under System > Feature Activation (see section 4.4).
Status: Indicates whether the service is stopped, enabled or disabled.
Action: Click this link to restart an axsguard Gatekeeper service.
Extra Information: Provides extra information about an axsguard Gatekeeper service.

13.5 Hard Drive, UPS and Kernel Status

Three further status screens offer information on the axsguard Gatekeeper's:

- hard drive(s), e.g. partition information, remaining disk space, etc.
- connected UPS (if any). Only APC UPS appliances are supported (see section 4.5).
- running Kernel modules, such as the amount of memory which is used per module.

To access these three screens respectively, navigate to:

- System > Status > Hard-Disk
- System > Status > UPS
- System > Status > Kernel Modules

13.6 High System Load Warning Messages

The axsguard Gatekeeper will automatically send an e-mail to the system administrator if it detects a high system load during 5 consecutive days. The e-mail is sent to the address(es) entered under System > General. A high load average can be due to a task monopolizing a lot of CPU time. A hardware update may be required. Contact the VASCO Sales Department for additional information.

14 System Logs

14.1 Overview

This section explains how to access and use the system logs of the axsguard Gatekeeper. System logs provide detailed information about all system activities. Several types of system logs help administrators to search for particular events:

- Update history log
- Test update history log
- Admin Tool log
- Boot log
- Full event log
- Other log

Logs are organized in tables and ordered chronologically by default. Log files are labeled using the YYYY-MM-DD format and the log size is measured in Kilobytes (KB).

Update History Log

The axsguard Gatekeeper Update System manages the installation of new axsguard Gatekeeper Revisions and Versions, and is explained in detail in section 7. Logs of update events can be viewed on the Update History Log screen. To access a particular Update History Log:

1. Navigate to System > Logs > Update History. A screen similar to image 103 is displayed.
2. Click on a date (log file) to view its details. A screen similar to image 104 is displayed.

Image 103: System > Logs > Update History

Image 104: Update History Log Entries

The log entry above indicates that the axsguard Gatekeeper has mailed the system administrator at a certain time to notify him/her that system updates were available. Another entry shows that the update (revision-005) has been activated.

Test Update History Log

The axsguard Gatekeeper Update System manages the installation of new axsguard Gatekeeper Revisions and Versions, and is explained in detail in section 7. Logs of Version tests can be viewed on the Test Update History Log screen. To access a particular Test Update History Log:

1. Navigate to System > Logs > Test Update History. A screen similar to image 105 is displayed.
2. Click on a date (log file) to view its details.

Image 105: System > Logs > Test Update History

14.4 Administrator Tool Log

All actions performed by system administrators on the axsguard Gatekeeper are registered in the Admin Tool Log. To access a particular Admin Tool Log:

1. Navigate to System > Logs > Admin Tool. A screen similar to image 106 is displayed.
2. Click on a date (log file) to view its details. A screen similar to image 107 is displayed.

Image 106: System > Logs > Admin Tool

Image 107: Admin Tool Log Entries

The log entry above is self-explanatory, indicating the following:

- Times the axsguard Gatekeeper Administrator Tool has been accessed (login).
- The user account used to access the Administrator Tool.
- Times when the Administrator Tool has been exited (logout).
- Automatic Redirection of the administrator to the axsguard Gatekeeper customer page for completion.
- Modification of NTP server settings.

14.5 Boot Log

The Boot Log contains chronologically ordered entries of axsguard Gatekeeper system startups and shutdowns. To access the Boot Log: Navigate to System > Logs > Boot. A screen similar to image 108 is displayed.

Image 108: System > Logs > Boot Log

Note: Ideally, the boot entries should alternate between Down and Up. If two Up entries appear together as shown in image 108, the axsguard Gatekeeper has not been shut down properly (see section 4.7.2).
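The alternation rule from the note above, written as a check over exported boot entries. This is an added example, not part of the original guide or the product: the one-entry-per-line layout ("YYYY-MM-DD HH:MM:SS Up|Down"), the sample entries and the function names are assumptions, since the guide does not show the log's text format.

```python
from datetime import datetime

# Constructed sample entries (assumed layout, not copied from a real appliance).
SAMPLE_BOOT_LOG = """\
2011-03-01 08:00:12 Up
2011-03-04 18:30:45 Down
2011-03-04 18:33:02 Up
2011-03-09 07:15:40 Up
2011-03-12 22:01:00 Down
2011-03-12 22:04:10 Up
"""


def parse_boot_log(text):
    """Parse 'date time state' lines into a chronologically sorted list."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            date, time, state = line.split()
            stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
            if state not in ("Up", "Down"):
                raise ValueError(state)
        except ValueError:
            raise ValueError(f"line {lineno}: unparseable entry {line!r}")
        entries.append((stamp, state))
    return sorted(entries)


def find_unclean_shutdowns(entries):
    """Return (last_up, next_up) pairs where two Up entries follow each other.

    The appliance went down without logging a Down entry somewhere inside
    each returned window, which is the period to review in the other logs.
    """
    windows = []
    previous = None
    for stamp, state in entries:
        if previous is not None and previous[1] == "Up" and state == "Up":
            windows.append((previous[0], stamp))
        previous = (stamp, state)
    return windows


if __name__ == "__main__":
    for start, end in find_unclean_shutdowns(parse_boot_log(SAMPLE_BOOT_LOG)):
        print(f"No clean shutdown recorded between {start} and {end}")
```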

14.6 Full Event Log

The Full Event Log is a compilation of all the individual logs which are available on the axsguard Gatekeeper, including module-related logs. To view a particular log from the Full Event Log:

1. Navigate to System > Logs > Full Event. A screen similar to image 109 is displayed.
2. Click on a date (log file) to view its details. A screen similar to image 110 is displayed.

Image 109: System > Logs > Full Event Log

Image 110: Full Event Log Entries

Search Example

How to search for records has been explained earlier (see Search Filters p27). To search for particular records, enter a (case sensitive) search string, e.g. INPUT DROP, and press enter (see image 110). This displays in chronological order all connection attempts which have been dropped by the axsguard Gatekeeper firewall (see image 111). Adjust the Items to be displayed per page as necessary.

Image 111: Full Event Log Search

14.7 Other Log

The Other Log is a reduced version of the Full Event Log, with module-related logs filtered out. To access the Other Log:

1. Navigate to System > Logs > Other. A screen similar to image 112 is displayed.
2. Click on a date (log file) to view its details.

Image 112: System > Logs > Other

Search Example

Enter a search string, for instance fping, and press enter (see image 113). This displays all test ICMP connections as specified in the connectivity check tab of a network device (as explained in section ).

Image 113: Other Log Search

Note: Search strings are case sensitive by default.


More information

First Installation Guide

First Installation Guide Getting started with gateprotect First Installation Guide Installation and First Configuration of Next Generation UTM and Firewall Appliances May 2013 Thank you for choosing a gateprotect Next Generation

More information

Contents Notice to Users

Contents  Notice to Users Web Remote Access Contents Web Remote Access Overview... 1 Setting Up Web Remote Access... 2 Editing Web Remote Access Settings... 5 Web Remote Access Log... 7 Accessing Your Home Network Using Web Remote

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6

Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6 INTEGRATION GUIDE May 2014 3725-75304-001 Rev B Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6 Polycom, Inc. 0 Copyright 2014, Polycom, Inc. All rights reserved.

More information

Dell One Identity Cloud Access Manager 8.0.1 - How to Configure for SSO to SAP NetWeaver using SAML 2.0

Dell One Identity Cloud Access Manager 8.0.1 - How to Configure for SSO to SAP NetWeaver using SAML 2.0 Dell One Identity Cloud Access Manager 8.0.1 - How to Configure for SSO to SAP NetWeaver using SAML 2.0 May 2015 About this guide Prerequisites and requirements NetWeaver configuration Legal notices About

More information

USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION. www.pesa.com August 2014 Phone: 256.726.9200. Publication: 81-9059-0703-0, Rev. C

USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION. www.pesa.com August 2014 Phone: 256.726.9200. Publication: 81-9059-0703-0, Rev. C USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION Publication: 81-9059-0703-0, Rev. C www.pesa.com Phone: 256.726.9200 Thank You for Choosing PESA!! We appreciate your confidence in our products. PESA produces

More information

DIGIPASS Authentication for Windows Logon Product Guide 1.1

DIGIPASS Authentication for Windows Logon Product Guide 1.1 DIGIPASS Authentication for Windows Logon Product Guide 1.1 Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis, without any other warranties, or conditions,

More information

Trustwave SEG Cloud Customer Guide

Trustwave SEG Cloud Customer Guide Trustwave SEG Cloud Customer Guide Legal Notice Copyright 2015 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation

More information

Radius Integration Guide Version 9

Radius Integration Guide Version 9 Radius Integration Guide Version 9 Document version 9402-1.0-18/10/2006 2 IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but

More information

Application Notes for the Ingate SIParator with Avaya Converged Communication Server (CCS) - Issue 1.0

Application Notes for the Ingate SIParator with Avaya Converged Communication Server (CCS) - Issue 1.0 Avaya Solution & Interoperability Test Lab Application Notes for the Ingate SIParator with Avaya Converged Communication Server (CCS) - Issue 1.0 Abstract These Application Notes describe the configuration

More information

Chapter 6 Using Network Monitoring Tools

Chapter 6 Using Network Monitoring Tools Chapter 6 Using Network Monitoring Tools This chapter describes how to use the maintenance features of your RangeMax Wireless-N Gigabit Router WNR3500. You can access these features by selecting the items

More information

GWA501 package contains: 1 Wireless-G Broadband Gateway 1 Power Adapter 1 Ethernet Cable 1 Manual CD 1 Quick Start Guide 1 Warranty/Registration Card

GWA501 package contains: 1 Wireless-G Broadband Gateway 1 Power Adapter 1 Ethernet Cable 1 Manual CD 1 Quick Start Guide 1 Warranty/Registration Card Wireless-G Broadband Gateway GWA501 Quick Start Guide Read this guide thoroughly and follow the installation and operation procedures carefully to prevent any damage to the unit and/or any of the devices

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.0.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Barracuda IM Firewall Administrator s Guide

Barracuda IM Firewall Administrator s Guide Barracuda IM Firewall Administrator s Guide Version 3.0 Barracuda Networks Inc. 3175 S. Winchester Blvd Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2007, Barracuda Networks www.barracuda.com

More information

Chapter 1 Configuring Basic Connectivity

Chapter 1 Configuring Basic Connectivity Chapter 1 Configuring Basic Connectivity This chapter describes the settings for your Internet connection and your wireless local area network (LAN) connection. When you perform the initial configuration

More information

SonicWALL SSL VPN 3.5: Virtual Assist

SonicWALL SSL VPN 3.5: Virtual Assist SonicWALL SSL VPN 3.5: Virtual Assist Document Scope This document describes how to use the SonicWALL Virtual Assist add-on for SonicWALL SSL VPN security appliances. This document contains the following

More information

READYNAS INSTANT STORAGE. Quick Installation Guide

READYNAS INSTANT STORAGE. Quick Installation Guide READYNAS INSTANT STORAGE Quick Installation Guide Table of Contents Step 1 Connect to FrontView Setup Wizard 3 Installing RAIDar on Windows 3 Installing RAIDar on Mac OS X 3 Installing RAIDar on Linux

More information

DIGIPASS CertiID. Getting Started 3.1.0

DIGIPASS CertiID. Getting Started 3.1.0 DIGIPASS CertiID Getting Started 3.1.0 Disclaimer Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis, without any other warranties, or conditions, express

More information

How To Check If Your Router Is Working Properly On A Nr854T Router (Wnr854) On A Pc Or Mac) On Your Computer Or Ipad (Netbook) On An Ipad Or Ipa (Networking

How To Check If Your Router Is Working Properly On A Nr854T Router (Wnr854) On A Pc Or Mac) On Your Computer Or Ipad (Netbook) On An Ipad Or Ipa (Networking Chapter 7 Using Network Monitoring Tools This chapter describes how to use the maintenance features of your RangeMax NEXT Wireless Router WNR854T. These features can be found by clicking on the Maintenance

More information

GWA502 package contains: 1 Wireless-G Broadband Router 1 Power Adapter 1 Ethernet Cable 1 Manual CD 1 Quick Start Guide 1 Warranty/Registration Card

GWA502 package contains: 1 Wireless-G Broadband Router 1 Power Adapter 1 Ethernet Cable 1 Manual CD 1 Quick Start Guide 1 Warranty/Registration Card Wireless-G Broadband Router GWA502 Quick Start Guide Read this guide thoroughly and follow the installation and operation procedures carefully to prevent any damage to the unit and/or any of the devices

More information

Chapter 2 Connecting the FVX538 to the Internet

Chapter 2 Connecting the FVX538 to the Internet Chapter 2 Connecting the FVX538 to the Internet Typically, six steps are required to complete the basic connection of your firewall. Setting up VPN tunnels are covered in Chapter 5, Virtual Private Networking.

More information

IDENTIKEY Server Windows Installation Guide 3.2

IDENTIKEY Server Windows Installation Guide 3.2 IDENTIKEY Server Windows Installation Guide 3.2 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis,

More information

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide Digipass Plug-In for IAS IAS Plug-In IAS Microsoft's Internet Authentication Service Installation Guide Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations

More information

Network Storage System with 2 Bays

Network Storage System with 2 Bays USER GUIDE Network Storage System with 2 Bays Model: NAS200 About This Guide About This Guide Icon Descriptions While reading through the User Guide you may see various icons that call attention to specific

More information

VMware Mirage Web Manager Guide

VMware Mirage Web Manager Guide Mirage 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

Using Cisco UC320W with Windows Small Business Server

Using Cisco UC320W with Windows Small Business Server Using Cisco UC320W with Windows Small Business Server This application note explains how to deploy the Cisco UC320W in a Windows Small Business Server environment. Contents This document includes the following

More information

CyberGuard Firewall Version 6.2 Quick Start Guide

CyberGuard Firewall Version 6.2 Quick Start Guide CyberGuard Firewall Version 6.2 Quick Start Guide FW006-000 August 2005 Copyright 2005 by CyberGuard Corporation. All rights reserved. This publication or any part thereof may not be reproduced for any

More information

ReadyNAS Duo Setup Manual

ReadyNAS Duo Setup Manual ReadyNAS Duo Setup Manual NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA February 2008 208-10215-01 v1.0 2008 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR, the NETGEAR logo,

More information

Secure Web Appliance. Reverse Proxy

Secure Web Appliance. Reverse Proxy Secure Web Appliance Reverse Proxy Table of Contents 1. Introduction... 1 1.1. About CYAN Secure Web Appliance... 1 1.2. About Reverse Proxy... 1 1.3. About this Manual... 1 1.3.1. Document Conventions...

More information

Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide

Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide Legal Notice Copyright 2006 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government

More information

Broadband Phone Gateway BPG510 Technical Users Guide

Broadband Phone Gateway BPG510 Technical Users Guide Broadband Phone Gateway BPG510 Technical Users Guide (Firmware version 0.14.1 and later) Revision 1.0 2006, 8x8 Inc. Table of Contents About your Broadband Phone Gateway (BPG510)... 4 Opening the BPG510's

More information