Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client




1. Introduction

This guide supplements the Administration Guide and the Online Help. If you are not sure whether you have the current version of this guide, you can download it from the following Internet address: http://www.astaro.com/kb

If you have questions or find errors in the guide, please contact us at the following e-mail address: documentation@astaro.com

For further help, use our support forum at http://www.astaro.org or the Astaro Support offerings at http://www.astaro.com/support

2. Remote Access via SSL

This guide describes step by step how to configure remote access to the Astaro Security Gateway using the Secure Sockets Layer (SSL) protocol. The SSL remote access feature in Astaro Security Gateway provides security by a double authentication using X.509 certificates and username/password. Astaro's SSL VPN feature reuses TCP port 443 to establish an encrypted tunnel to your company, allowing you to access internal resources.

The Astaro User Portal offers the Astaro SSL VPN Client software, the configuration files, the necessary keys and configuration guides. You should get the log-in data for the user portal from your system administrator.

2.1. Configuration of the Astaro Security Gateway

The Astaro Security Gateway is configured via the web-based WebAdmin configuration tool from the administration PC. Opening and using this configuration tool is described extensively in the Astaro Security Gateway V8 administration guide.

1. Define the user account for the remote host:

Open the Users >> Users page. Define a new user account for the remote client. With remote access via SSL, this user account is necessary for accessing the Astaro User Portal and for VPN.

More detailed information on the configuration of a User Account and detailed explanations of the individual settings can be found in the Astaro Security Gateway V8 administration guide in chapter 5.

Make the following settings:

Username: Enter a specific user name (e.g. gforeman). Remember that the remote user will need this username later to log in to the Astaro User Portal.
Real name: Enter the full name of the remote user (e.g. George Foreman).
Email address: Enter the e-mail address of the user. When you specify an e-mail address, an X.509 certificate for this user will be generated automatically while creating the user account, using the e-mail address as the certificate's VPN ID. The certificate will be displayed on the Remote Access >> Certificate Management >> Certificates tab.
Authentication: With the Local authentication method, the following two entry fields will be displayed for the definition of the password. Remember that the remote user will also need this user name later to log in to the Astaro User Portal.
Password: Enter the password for the user. Remember that the remote user will need this password later to log in to the Astaro User Portal.
Repeat: Confirm the password.
Use static remote access IP: With remote access via SSL it is not possible to assign a static IP address to the user. Leave this option deactivated if the user uses only the remote access via SSL.
Comment (optional): Enter a description or additional information on the user.

Save your settings by clicking on the Save button.

2. Configure the SSL remote access:

Open the Remote Access >> SSL >> Global page. On the Global tab, enable the SSL remote access by clicking Enable. The status light shows amber and the page becomes editable.

More detailed information on the configuration of an SSL Remote Access and detailed explanations of the individual settings can be found in the Astaro Security Gateway V8 administration guide in chapter 13.

Remote access settings

Use the Remote access settings section to select the authorized users and assign the access conditions.

Users and groups: Select the users and user groups that should be able to use SSL remote access (in this example: gforeman).
Local networks: Select the local networks that should be reachable to SSL clients (in this example: Internal (Network)).

Note: If you wish the SSL-connected users to be allowed to access the Internet, you need to select Any in the Local networks dialog box. Additionally, you need to define appropriate Masquerading or NAT rules.

Automatic packet filter rules: Once the SSL VPN tunnel is successfully established, the packet filter rules for the data traffic will automatically be added. When the connection ends, the packet filter rules will be removed.

3. Configure the SSL settings:

Open the Remote Access >> SSL >> Settings tab.

Server settings

Interface address: Select the interface address that all SSL VPN clients must use. By default, Any is selected. When using the web application firewall you need to give a specific interface address for the service to listen for SSL connections.
Protocol: Select the network protocol that all SSL VPN clients must use. By default, this is set to TCP.
Port: Select the port that all SSL VPN clients must use. By default, this is set to 443.
Override hostname: Leave this field empty if you want the gateway's hostname to be the target hostname for client VPN connections. Only enter another hostname if the gateway's hostname is not reachable via the Internet.

Virtual IP pool

Pool network: The default settings assign addresses from the private IP space 10.242.2.x/24. This network is called the VPN Pool (SSL). If you wish to use a different network, simply change the definition of the VPN Pool (SSL) on the Definitions >> Networks page.
Local certificate: In order to authenticate itself to VPN clients, the SSL server needs a local certificate (in this example: Local X.509 Cert; this certificate is automatically preset).

Confirm your settings by clicking on Apply. The status light shows green and the remote access is activated.

4. Configure the advanced SSL remote access settings:

Open the Remote Access >> SSL >> Advanced tab.

Cryptographic settings

This section controls the encryption parameters for all SSL VPN remote access clients.

Encryption algorithm: Supported algorithms are (all in Cipher Block Chaining (CBC) mode): DES-EDE3 168bit (3DES), AES (Rijndael) 128bit/192bit/256bit and Blowfish (BF).
Authentication algorithm: Supported algorithms are MD5 128bit and SHA1 160bit.
Key size: The key size (key length) is the length of the Diffie-Hellman key exchange. The longer this key is, the more secure the symmetric keys are. The length is specified in bits. You can choose between a key size of 1024 or 2048 bits.
Server certificate: Select a local SSL certificate to be used by the SSL VPN server to identify itself to the clients.
Key Lifetime: Enter a time period after which the key will expire. The default is 28,800 seconds.

Save your settings by clicking on the Apply button.

Network settings

Use data compression: All data sent through the SSL VPN tunnel will be compressed prior to encryption.

Save your settings by clicking on Apply.

Debug settings

Enable Debug mode: This option controls how much debug output is generated in the log file. Select this option if you encounter connection problems and need detailed information about the negotiation of client parameters.

Save your settings by clicking on the Apply button.

5. Configure the advanced remote access settings:

Open the Remote Access >> Advanced page. This page allows you to define name servers (DNS and WINS) and the name service domain, which should be assigned to hosts during the connection establishment.

6. Define the packet filter rule (optional):

You must define this packet filter rule if you have disabled the Automatic packet filter rule function during the configuration of the SSL remote access in step 2.

Open the Network Security >> Packet Filter >> Rules tab. After clicking on the New rule button, the dialog box for new rules will appear. Create a new rule for the access to the local internal network.

Source: Remote host or user (in this example: gforeman).
Service: Set the service.
Destination: The allowed internal network (in this example: Internal (Network)).
Action: Allow.

Confirm your settings by clicking on Save.

New rules will be added at the end of the list and remain disabled (status light shows red) until they are explicitly enabled by clicking on the status light.

Active rules are processed in the order of the numbers (next to the status light) until the first matching rule. The rules that follow are then ignored, so the sequence of the rules is very important. Never place a rule such as Any Any Any Allow at the beginning of the rules, since all traffic will be allowed through and the following rules ignored!

More detailed information on the definition of Packet Filter Rules and detailed explanations of the individual settings can be found in the Astaro Security Gateway V8 administration guide.

7. Define the masquerading rule (optional):

Masquerading is used to mask the IP addresses of one network (in this example: gforeman) with the IP address of a second network (in this example: External). Thus remote users who have only private IP addresses can surf the Internet with an official IP address.

More detailed information on the definition of Masquerading Rules and detailed explanations of the individual settings can be found in the Astaro Security Gateway V8 administration guide.

Open the Network Security >> NAT >> Masquerading tab. Make the following settings:

Network: Select the network of the remote endpoint (in this example: gforeman).
Interface: Select the interface that shall be used to mask the clients (in this example: External).

Then confirm your settings by clicking on Save.

New masquerading rules will be added at the end of the list and remain disabled (status light shows red) until they are explicitly enabled by clicking on the status light.

8. Activate the proxies (optional):

If the remote employees are to access URL services via the remote access, you may configure the required proxies on the Astaro Security Gateway (for example, the DNS and HTTP proxies).

More detailed information on the configuration of Proxies and detailed explanations of the individual settings can be found in the Astaro Security Gateway V8 administration guide.

After configuring the VPN server (Headquarters) you must configure the road warrior. Depending on the security policy of your organization and the requirements of your network you might have to make additional settings.
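The first-match processing described in step 6 can be checked offline before rules are enabled. The following is an added example, not part of the original guide or of Astaro's software: it models rules as source/service/destination/action tuples, evaluates traffic against them in order, and reports rules that can never be reached. The `Rule` class, the function names and the sample service "SMTP" are assumptions made for illustration.

```python
from dataclasses import dataclass

ANY = "Any"

@dataclass(frozen=True)
class Rule:
    source: str
    service: str
    destination: str
    action: str            # "Allow" or "Drop"
    enabled: bool = True   # status light: green = True, red = False

    def fields(self):
        return (self.source, self.service, self.destination)

def covers(rule_field, value):
    """A rule field matches a value if it is Any or identical to it."""
    return rule_field == ANY or rule_field == value

def first_match(rules, source, service, destination):
    """Return (position, action) of the first enabled rule matching the
    traffic, or (None, None) if no rule matches. Positions start at 1."""
    traffic = (source, service, destination)
    for pos, rule in enumerate(rules, start=1):
        if rule.enabled and all(covers(f, v) for f, v in zip(rule.fields(), traffic)):
            return pos, rule.action
    return None, None

def shadowed_rules(rules):
    """Return (position, shadowed_by) pairs for enabled rules that can never
    be reached because an earlier enabled rule matches all of their traffic."""
    found = []
    for pos, rule in enumerate(rules, start=1):
        if not rule.enabled:
            continue
        for earlier_pos, earlier in enumerate(rules[:pos - 1], start=1):
            if earlier.enabled and all(
                covers(e, f) for e, f in zip(earlier.fields(), rule.fields())
            ):
                found.append((pos, earlier_pos))
                break
    return found

# Constructed rule sets. "SMTP" is a sample service; the other names are the guide's.
ALLOW_ALL = Rule(ANY, ANY, ANY, "Allow")
DROP_SMTP = Rule("gforeman", "SMTP", "Internal (Network)", "Drop")
ALLOW_USER = Rule("gforeman", ANY, "Internal (Network)", "Allow")

BROAD_FIRST = [ALLOW_ALL, DROP_SMTP, ALLOW_USER]     # the ordering the guide warns against
SPECIFIC_FIRST = [DROP_SMTP, ALLOW_USER, ALLOW_ALL]  # specific rules are evaluated first

if __name__ == "__main__":
    for name, rules in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name, first_match(rules, "gforeman", "SMTP", "Internal (Network)"),
              shadowed_rules(rules))
```

With the broad rule first, the SMTP drop rule is reported as shadowed and the sample traffic is allowed by rule 1; with the specific rules first, no rule is shadowed.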

2.2 Configuration of the Remote Client

2.2.1 Astaro User Portal: Getting Software and Certificates

The Astaro User Portal is available for the remote access users. You can use this portal to download guides and tools for the configuration of your client. For SSL remote access in particular, the user portal offers a configuration guide and a customized SSL VPN client software package, which already includes software, certificates and configuration and is set up by a simple installation procedure. This client supports most business applications such as native Outlook, native Windows Filesharing and many more.

You should get the following log-in data for the Astaro User Portal from your system administrator: IP address, user name and password.

1. Start your browser and open the Astaro User Portal:

Start your browser and enter the management address of the Astaro User Portal as follows: https://IP address (example: https://218.93.117.220). A security notice will appear. Accept the security notice by clicking OK (Mozilla Firefox) or Yes (Internet Explorer).

2. Log in to the Astaro User Portal:

Username: Your username, which you received from the administrator.
Password: Your password, which you received from the administrator. Please note that passwords are case-sensitive!

Click Login.

3. Load the tools for the SSL Remote Access to your client:

The SSL VPN tab contains the software and keys for your client. You have two options: either you download a complete software package with the pertinent key for a new installation, or you update an already installed SSL VPN client with new keys. The SSL VPN Client is available for Microsoft Windows 2000/XP/Vista and 7. Start the download process by clicking on Download.

For the configuration of SSL VPN on Linux, MacOS X, BSD and Solaris, please see the installation instructions on http://openvpn.net (all necessary files are available over the Astaro User Portal).

Close the Astaro User Portal session by clicking on Logout.

The rest of the configuration takes place on the remote user client. This will require the IP address or hostname of the server, as well as a valid username and password. These should be supplied by the security system administrator.
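The cryptographic and compression settings chosen in step 4 of section 2.1 end up in the client configuration downloaded from the User Portal, so they can be reviewed on the client side. The following is an added example, not part of the original guide or of the Astaro client: it assumes the downloaded configuration file uses standard OpenVPN directives (`cipher`, `auth`, `comp-lzo`), that the guide's algorithm names map to the OpenVPN values shown, and it runs on constructed sample configurations.

```python
# Assumed mapping of the guide's algorithm names to OpenVPN option values.
WEAK_CIPHERS = {
    "DES-EDE3-CBC": "3DES uses a 64-bit block; prefer AES",
    "BF-CBC": "Blowfish uses a 64-bit block; prefer AES",
}
WEAK_AUTH = {"MD5": "MD5 is the weaker of the two offered digests; prefer SHA1"}

def parse_ovpn(text):
    """Return {directive: [argument lists]}; comments and the contents of
    inline blocks such as <ca>...</ca> are skipped."""
    opts, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                       # inside <ca>, <cert>, <key>, ...
            if line == "</%s>" % block:
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts

def audit(text):
    """Return (directive, value, reason) findings for a client configuration."""
    opts, findings = parse_ovpn(text), []
    for directive, table in (("cipher", WEAK_CIPHERS), ("auth", WEAK_AUTH)):
        for args in opts.get(directive, []):
            value = args[0].upper() if args else ""
            if value in table:
                findings.append((directive, value, table[value]))
    for args in opts.get("comp-lzo", []):
        if args[:1] != ["no"]:          # bare "comp-lzo" enables compression
            findings.append(("comp-lzo", " ".join(args) or "(default)",
                             "data is compressed before encryption"))
    return findings

# Constructed sample configurations (hostname and certificate body are placeholders).
WEAK_CONFIG = """\
client
dev tun
proto tcp
remote vpn.example.com 443
cipher BF-CBC
auth MD5
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
"""
STRONGER_CONFIG = WEAK_CONFIG.replace("BF-CBC", "AES-256-CBC") \
                             .replace("auth MD5", "auth SHA1") \
                             .replace("comp-lzo\n", "comp-lzo no\n")

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("%-8s %-12s %s" % finding)
```

The Diffie-Hellman key size from step 4 is a server-side setting and does not appear in the client file, so it has to be checked in WebAdmin.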

2.2.2 SSL VPN Client: Installing the Software

The first part of the installation uses the Installation Menu to configure basic settings. The setup program will check the hardware of the system, and then install the necessary software on your PC.

Unpack the installation package (for example by using WinZip) if you have received it as a .zip file. Open a file browser and go to the appropriate directory. Launch the file setup.exe from this directory.

You should see the installation wizard now. Click on Next to proceed.

You will see the software license. If you agree to the terms of the license, click on I Agree.

Choose the install location. Click on Install to proceed.

The installation process will then start. The installation wizard will copy the necessary files to your system. A virtual network card will be installed during the installation process. Since the relevant driver is not certified by Microsoft, a corresponding caution message will appear during the installation process. You can ignore this message. Click on Continue Installation.

When the installation process is finished, you are asked to complete it. Click on Next to do so. You are then asked to close the installation wizard. Click on Finish to do so.

After the software installation the client is started automatically. The SSL VPN icon will then be displayed in your task bar. A double click on this icon opens the User Authentication dialogue box.

Log in with the Username and Password that you also use for the Astaro User Portal, and then start the connection by clicking OK. The connection status is indicated by the SSL VPN icon: disconnected, connecting and connected.

The Connection dialogue box allows you to monitor the set-up of the connection. The SSL VPN Remote Access can be disconnected by clicking Disconnect.

Further information is usually available from the network administrator.

The basic settings for the remote access via SSL are now finished. Depending on the security policy of your organization and the requirements of your network you might have to make additional settings.

Copyright 2012. Sophos Ltd. All rights reserved. All trademarks are the property of their respective owners.