Manual Chapter: FirePass Administrator Guide 4.0: Configuring the FirePass Webifyers


Configuring the FirePass Webifyers


Overview of the FirePass Webifyers

The FirePass Webifyers provide remote users with Web-based access to a wide variety of network applications and resources, including email servers, Intranet servers, file servers, terminal servers, and legacy mainframe, AS/400, Telnet, and X-Windows applications. Each Webifyer renders its resource into, and accepts input from, Web browser formats. What a particular Webifyer does is dictated by the application being accessed and the protocol being supported.

Webifyers are separately licensed. These Webifyers are available with Release 4.0:

  • My Files
    Allows remote users to browse, upload, download, move, copy, or delete files on shared directories. Supports SMB Shares, Windows Workgroups, Windows NT 4.0 and Windows 2000 domains, and Novell 5.1/6.0 with Native File System pack. (See Configuring the My Files Webifyer.)

  • My NFS
    Allows remote users to browse, upload, download, move, copy, or delete files on UNIX NFS servers. (See Configuring the My NFS Webifyer.)

  • My Intranet
    Allows remote users access to internal Web servers, including Outlook Web Access email servers. (See Configuring the My Intranet Webifyer.)

  • My E-mail
    Allows remote users access to POP/IMAP/SMTP email servers and LDAP address books using a Web browser. Users can send and receive messages, download attachments, and attach files stored on the internal LAN to send email messages. (See Configuring the My E-mail Webifyer.)

  • Terminal Services
    Provides remote users with Web-based access to Microsoft Terminal Servers, Windows XP network-access-enabled desktops, Citrix® MetaFrame applications, and VNC servers. No additional enabling software is required on the Terminal Servers or Windows XP computers being accessed. (See Configuring the Terminal Services Webifyer.)

  • AppTunnels
    Provides access from client applications on remote user's computers to TCP/IP application servers. The AppTunnels Webifyer enables a client-side application to communicate back to the corporate application server using a secure tunnel between the user's Web browser and the FirePass server. (See Configuring the AppTunnels Webifyer.)

  • Host Access
    Provides remote users with Web-based access to legacy VT100, VT320, Telnet, X-Term, and IBM 3270/5250 applications without any modifications to the applications or application servers. (See Configuring the Host Access Webifyer.)

  • SSL VPN
    Provides remote users with the functionality of a traditional IPSec VPN client. Unlike an IPSec VPN client, the SSL VPN Webifyer does not require any pre-installed software or configuration on the remote user's computer, and no server-side changes are required. (See Configuring SSL-VPN.)

  • My Desktop
    Provides employees with full remote control access to their desktop computers on the internal LAN. (See Configuring the My Desktop Webifyer.)

  • X-Windows Access
    Provides remote users with access to X-Windows applications hosted on UNIX and Linux servers.

Because you configure Webifyers separately for each group, you can allow different types of access to different groups of users. For example, you can allow one group of users to use SSL VPN, and prevent another group from using it.

Configuring the My Files Webifyer

The My Files Webifyer allows remote users to browse and view files stored on internal LAN file servers. As the FirePass administrator, you can configure the My Files Webifyer to limit access for a particular group to the file shares you specify. The FirePass server does not allow unrestricted browsing, or browsing folders above the level of the share you specify.

Defining Network Folder Favorites for the My Files Webifyer

To define a network folder favorite for the My Files Webifyer
  1. Under the Webifyers tab, click the My Files link.

  2. From the For the group drop-down list, select the group that you want to configure the My Files Webifyer for.

  3. In the Edit Network Folder Favorites section, click the Add New link.

  4. In the Name box that appears, specify a name for the file share that you are defining as a My Files Favorite.
    This name is displayed as a label for the My Files Favorite in each user's Web browser under the My Network Files icon. For example: Company Literature.

  5. In the Path box, specify a path for the file share in Microsoft UNC format. For example:

    \\server-name\share_name

    Important: The Administration Console does not verify the path you specify, so be sure to enter it correctly. A mistyped path is not detected until a user tries to open the favorite.

    You can also use the variables %username% or %group% in the path to insert the user's login name or group name. For example, you might define one favorite that points to each user's own folder, named after the user's login name: the path \\server-name\%username% resolves to \\server-name\john_doe for the user whose login name is john_doe. Because the substituted value is the FirePass login name, such a favorite only works if the folder names on the server match the FirePass login names exactly.

  6. Click the Add New button.
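Because the console does not check the path, a favorite that uses %username% or %group% is only as correct as its expansion for every member of the group. The following Python script is an added example and not part of FirePass or this guide: it expands a path template for a constructed group (the user and group names are made up) and rejects any result that is not a plain \\server\share path, still contains an unexpanded %variable%, or carries a '.' or '..' component that would try to step outside the share.

```python
import re

# Accepts \\server\share, optionally followed by sub-folders and a trailing
# backslash. Neither the share nor a sub-folder may contain a backslash.
UNC_RE = re.compile(
    r"^\\\\(?P<server>[A-Za-z0-9._-]+)\\(?P<share>[^\\]+)(?P<rest>(?:\\[^\\]+)*)\\?$"
)

# Constructed group membership: FirePass login name -> group name.
SAMPLE_GROUP = {"john_doe": "Sales", "jane_roe": "Sales"}


def expand_path(template, username, group):
    r"""Substitute %username% and %group% the way the My Files screen does."""
    return template.replace("%username%", username).replace("%group%", group)


def check_unc(path):
    r"""Return (ok, reason) for one expanded path.

    Rejects paths that are not in \\server\share form, that still contain an
    unexpanded %variable%, or that carry a '.' or '..' component."""
    if "%" in path:
        return False, "unexpanded variable"
    m = UNC_RE.match(path)
    if m is None:
        return False, "not in \\\\server\\share form"
    components = [m.group("share")]
    components += [c for c in m.group("rest").split("\\") if c]
    if any(c in (".", "..") for c in components):
        return False, "relative path component"
    return True, "ok"


def check_favorite(template, members=SAMPLE_GROUP):
    r"""Expand a favorite's path template for every group member and validate
    each result. Returns {username: (expanded_path, ok, reason)}."""
    report = {}
    for username, group in members.items():
        path = expand_path(template, username, group)
        ok, reason = check_unc(path)
        report[username] = (path, ok, reason)
    return report


if __name__ == "__main__":
    # Constructed templates: two good ones, a typo (%dept%) and a traversal.
    for tmpl in (r"\\server-name\share_name", r"\\server-name\%username%",
                 r"\\server-name\%dept%", r"\\server-name\share\..\other"):
        for user, (path, ok, reason) in check_favorite(tmpl).items():
            verdict = "OK" if ok else "REJECT: " + reason
            print(f"{tmpl:32} {user:10} {path:36} {verdict}")
```

Run it before you paste a template into the Path box; every line it prints as REJECT would have gone unnoticed by the console. The regular expression is deliberately strict about server names; widen it if your servers use characters outside letters, digits, '.', '_' and '-'.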

Limiting a group's access to the Network Folder Favorites

If you want to limit a group's access to the Network Folder Favorites you specified, select the Limit MyNetwork Access to Folder Favorites Only option. Group members are then restricted to the favorites you defined and cannot open other shares on their own.

Enabling virus scanning and file uploading for the My Files Webifyer

By default, users can download files with the My Files Webifyer. You can also choose to allow users in a group to upload files, and you can enable virus scanning of all downloaded and uploaded files. If the FirePass server detects a virus in a file, it terminates the download or upload and records the termination in the session log.

Note: The FirePass server virus scanner is based on the open source virus signatures. For information on the latest virus signatures, see www.openantivirus.org. Signature updates are applied by uploading a new signature file manually (see To update the virus signatures for the My Files Webifyer), so schedule regular updates; a scanner with stale signatures offers little protection.

To enable virus scanning for the My Files Webifyer

In the File Upload section of the My Files screen, select the Enable Virus Scanner option.

To update the virus signatures for the My Files Webifyer

In the File Upload section of the My Files screen, click the Browse button, select the VirusSignatures.credo file, and then click the Upload button.

To enable file uploading for the My Files Webifyer

In the File Upload section of the My Files screen, select the Enable File Upload option.

Configuring advanced settings for the My Files Webifyer

If the FirePass server contains two NICs, it is important to configure a broadcast address for the internal NIC. If there is a WINS server on your network, specify its address to facilitate name resolution of Windows servers using the My Files Webifyer.

To configure advanced settings for the My Files Webifyer
  1. In the Broadcast Address box in the Advanced My Network Files Settings section, enter the broadcast address you want the FirePass server to use for network broadcasts.

    If the FirePass server contains one NIC, enter the server's IP address if the address is not already entered by default. If the FirePass server contains two NICs, enter the IP address of the internal NIC (that is, the NIC connected to the internal LAN).

  2. In the WINS Address box, enter the IP address of the WINS server.

    Important: The WINS Address setting is required for multi-segment networks where the FirePass server and the LAN are on different network segments, or when the LAN has multiple segments. If you do not specify the IP address of the WINS server in a multi-segment LAN environment, the My Files Webifyer does not work properly.

  3. In the Default Domain/Workgroup box, enter the default domain and workgroup for the FirePass server.

    Important: The Default Domain/Workgroup setting is required for deployments where the IP address of the FirePass server is not on the target LAN.

  4. To have the FirePass server attempt to log into My Files servers and shares automatically using each user's FirePass login user name and password, select the Auto-login to My Network shares using FirePass user login credentials option. This only succeeds when the FirePass login credentials are also valid for the file servers (for example, when both authenticate against the same Windows domain).

Using client certificate validation for the My Files Webifyer

You can restrict access to the My Files Webifyer to users in a group who have a valid client certificate installed on their computer. For more information, see Using client certificate validation for Webifyers.

Configuring the My NFS Webifyer

Like the My Files Webifyer, the My NFS Webifyer allows remote users to browse and view files stored on internal UNIX NFS file servers. As the FirePass administrator, you can configure the My NFS Webifyer to limit access for a particular group to the NFS file shares you specify. The FirePass server does not allow unrestricted browsing, or browsing directories above the level of the specified server share.

Note: FirePass users cannot access NFS shares until they have been assigned a UNIX-style User ID and Group ID. (See Using NFS user permissions from a UNIX password file.)

Defining favorites for the My NFS Webifyer

To define a NFS favorite for the My NFS Webifyer

Under the Webifyers tab, click the My NFS link to open the My NFS Webifyer screen.

  1. From the For the group drop-down list, select the group that you want to configure the My NFS Webifyer for.

  2. In the NFS Favorites section, click the Add New link.

  3. In the Name box, specify a name for the path that you are defining as a My NFS Favorite.

    This name is displayed as a label for the My NFS Favorite in the user's Web browser under the My NFS Files icon. For example: Legal Documents.

  4. In the Path box, specify a path for the NFS file share. For example:

    server-name.company.com:/directory_name

    Important: The Administration Console does not verify the path you specify, so be sure to enter it correctly.

  5. Click the Add New button.

Defining NFS shared folders for the My NFS Webifyer

You can specify NFS shared folders that remote users can browse from the My NFS Files icon on the left side of their Web browser window. (The NFS favorites are displayed on the right side of the window.) The FirePass server queries the NFS server for its exported file systems.

To define a NFS shared folder for the My NFS Webifyer
  1. In the NFS Shared Folders section of the My NFS screen, click the Add New link.

  2. In the Name box, enter the name for the path that you are defining as a My NFS shared folder. This name is displayed as a label for the NFS shared folder in the user's Web browser. For example: Public

  3. In the Path box, specify a path for the NFS shared folder. For example:

    server-name.company.com:/directory_name/public

    Important: The Administration Console does not verify the path you specify, so be sure to enter it correctly.

  4. Click the Add New button.

Limiting a group's access to the NFS Favorites

If you want to limit a group's access to the NFS Favorites you specified, select the Limit NFS Access to Folder Favorites Only option.

Using client certificate validation for the My NFS Webifyer

You can restrict access to the My NFS Webifyer to users in a group who have a valid client certificate installed on their computer. For more information, see Using client certificate validation for Webifyers.

Configuring the My Intranet Webifyer

The My Intranet Webifyer allows remote users to access Web servers on the internal LAN in a unified and secure way. Users can either browse internal Web sites by the site's name or internal IP address, or use the Intranet Favorites that you define.

Defining intranet favorites for the My Intranet Webifyer

For each group, you can create a set of links to internal Web sites and URLs. You can set any of these links or the Favorites screen as the default screen that users see when displaying My Intranet for the first time during a session. You can also specify whether you want a Web site to open inside the existing browser window or in a separate window.

To define an Intranet favorite for the My Intranet Webifyer

Under the Webifyers tab, click the My Intranet link to open the My Intranet Webifyer screen.

  1. From the For the group drop-down list, select the group that you want to configure the My Intranet Webifyer for.

  2. In the Edit Intranet Favorites section, click the Add New link.

  3. In the Name box, specify a name for the Intranet site that you are defining as a My Intranet Favorite. This name is displayed as a label for the My Intranet Favorite in each user's Web browser under the My Intranet icon. For example: Project XYZ Web Site

    In the URL text box, specify the URL for an Intranet Web server. For example:

    http://server-name.company.com/index.html

  4. (Optional) In the URL Variables box, specify variables to be either appended to the URL you specified in the URL box or POSTed to it (see step 5). URL variables are useful for logging users into Intranet Web sites automatically or for customizing Intranet content for a user. Specify the variables in the form:

    variable1=value1&variable2=value2&variable3=value3

    where the %username% and %password% parameters can be used within values. The %username% and %password% parameters are replaced with the user's FirePass login user name and password.

    For example, suppose you specify this URL:

    http://server.company.com

    and these URL variables:

    show_custom_content=1&user=%username%@company.com

    For a FirePass user named johndoe, these variables result in an actual Favorite link of:

    http://server.company.com?show_custom_content=1&user=johndoe@company.com

  5. (Optional) If you want the URL variables you specified to be POSTed instead of appended to the URL, select the Post URL Variables option.

    POSTing the variables is a more secure way to use a user name and password for logging into an Intranet site, because the values travel in the request body instead of the URL. A URL is recorded in Web server and proxy logs and in the browser history, and can be sent to other sites in the Referer header, so a %password% variable appended to the URL is exposed in all of those places. For more information on URL variables, see the Online Help for the My Intranet Webifyer screen.

  6. (Optional) In the Enforce User-agent box, specify a User-Agent string which the FirePass server presents to the internal Web server instead of the actual browser's User-Agent.

    This option is useful in situations where you need to simplify the FirePass content if errors are occurring.

    Note: For Exchange 2000 OWA, it is necessary to simplify the content by specifying the following User-Agent string: Mozilla/4.7 [en] (Windows NT 4.0; U)

    The following table lists several other User-Agent strings.

    Browser                        User-Agent String
    IE 6.0                         Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)
    IE 5.5                         Mozilla/4.0 (compatible; MSIE 5.5; MSN 2.5; Windows 98)
    IE 5.0                         Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; CPT-IE401SP1; DigExt)
    IE 4.5                         Mozilla/4.0 (compatible; MSIE 4.5; Windows NT)
    IE 4.01                        Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)
    Netscape 4.5                   Mozilla/4.5 [en] (Win98; U)
    Netscape 3.04                  Mozilla/3.04Gold (Win95; U)
    Opera 5                        Opera/5.12 (Windows 2000; U) [en]
    Opera 5 identifying as IE 5.0  Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) Opera 5.01 [en]


    Tip: An easy way to enter a user agent string is to copy and paste the string from the Logons report. Click the Logons link under the Reports tab, and copy the user agent string from the User Agent column for various users in the group. Then paste the string into the Enforce User-agent box in the My Intranet Webifyer screen.

  7. To open the Intranet resource in a separate window on the user's screen, select the Open in New Window option.

  8. Click the Add New button.
    The Intranet Favorite is added to the Default drop-down list.

  9. (Optional) To specify a default My Intranet Favorite that is accessed automatically when users in the group open their My Intranet Favorites, select a favorite from the Default drop-down list.

Limiting a group's access to the Intranet Favorites

If you want to limit a group's access to the Intranet Favorites you specified, select the Limit MyNetwork Access to Intranet Favorites Only option.

Using client certificate validation for the My Intranet Webifyer

You can restrict access to the My Intranet Webifyer to users in a group who have a valid client certificate installed on their computer. See Using client certificate validation for Webifyers.

Configuring the My E-mail Webifyer

The My E-mail Webifyer provides remote users with HTML access to multiple POP and IMAP mailboxes, and LDAP address books. After configuring a corporate email account, you can specify an LDAP server as a source of email addresses instead of using the default list of FirePass users.

Configuring an email account

To configure an email account

Under the Webifyers tab, click the My E-mail link to open the My E-mail Webifyer screen.

  1. From the For the group drop-down list, select the group that you want to configure the My E-mail Webifyer for.

  2. Select the Enable corporate mail account option.

  3. In the Account name box, enter a name, such as Corporate Account, to identify the mail account.

  4. In the Mail server box, enter the mail server's host name or IP address, such as f22.company.com.

  5. From the Type drop-down list, select the mail server type (POP or IMAP).

  6. If you are using an IMAP mail server, enter a list of folders in the IMAP Folders box that you want displayed. Enter a comma between the folder names in the list.

    This list prevents the confusion created by mail servers that display items that are not email messages, such as contacts or calendars, as empty email messages. Users can also add to the list themselves.

  7. From the Login Information drop-down list, select one of the following options:

    • User supplies display and login information during first login
      Select this option to obtain email information from each user when they login for the first time.

    • Use FirePass database for display and login information
      Select this option to obtain each user's email information from the FirePass server's internal database.

    • Use LDAP query for mail server, display, and login information
      Select this option to obtain each user's email information based on an LDAP query. (See Obtaining email addresses from an LDAP server.)

  8. Click the Update button.

Obtaining each user's email information based on an LDAP query

You can dynamically obtain the mail server name, display name, and login information for each user based on an LDAP query.

To obtain each user's email information based on an LDAP query
  1. From the Login Information drop-down list on the My E-mail Webifyer screen, select Use LDAP query for mail server, display, and login information.
    A group of LDAP options appears.

  2. In the LDAP server address box, enter the LDAP server name.

  3. In the Port box, enter an LDAP port, such as 389.

  4. If you want to use SSL, select the Use SSL Connection option.

  5. In the Bind DN text box, enter the distinguished name of the account that the FirePass server binds as when it queries the LDAP server.

    Note: You can leave this text box blank if you want to use the server default (normally an anonymous bind, which works only if the server allows anonymous reads of the attributes configured below).

  6. In the Bind password box, enter a valid password.

    Note: You can leave this text box blank if no authentication is required.

  7. In the Search Base box, enter the DN of the entry in the tree to be used for the search. For example:

    cn=Recipients,ou=Exchange,o=Acme\, Inc.

    Note: A comma inside a DN component value, as in the organization name above, must be escaped with a backslash; an unescaped comma is read as the start of the next component.

  8. In the Filter template box, enter a search filter. For example:

    (&(uid=%s))

    where %s is substituted by each user's FirePass logon name. The filter should match exactly one entry per user; if FirePass logon names can contain characters that are special in LDAP filters, such as * ( ) or \, check that the substituted filter still matches only the intended entry.

  9. In the Attribute for mail server box, enter the attribute in the LDAP schema that contains the mail server name.

  10. In the Attribute for user's display name box, enter the attribute in the LDAP schema that contains the user's display name.

  11. In the Attribute for user's email address box, enter the attribute in the LDAP schema that contains the user's email address.

  12. In the Attribute for user's logon box, enter the attribute in the LDAP schema that contains the user's logon.

  13. Click the Update button.

Disabling email attachment downloads

By default, email attachment downloads are enabled. If necessary, you can disable attachment downloads.

To disable email attachment downloads
  1. In the Message Settings section of the My E-mail Webifyer screen, select the Disable attachment download option.

  2. Click the Update button.

Obtaining email addresses from an LDAP server

By default, the My E-Mail Webifyer uses the FirePass internal database as a source of email addresses. Alternatively, you can specify an LDAP server as a source of email addresses.

To obtain email addresses from an LDAP server
  1. In the Source for Address List section of the My E-mail Webifyer screen, select the Use LDAP server to obtain addresses option from the Address List drop-down list.
    A group of LDAP options appears.

  2. In the LDAP Server box, enter the LDAP server's name or IP address.

  3. In the Port box, enter an LDAP port, such as 389.

  4. If you want to use SSL, select the Use SSL connection option.

  5. In the Bind DN box, enter the distinguished name of the account that the FirePass server binds as when it queries the LDAP server.

    Note: You can leave this box blank if you want to use the server default (normally an anonymous bind, which works only if the server allows anonymous reads of the address list attributes).

  6. In the Bind password box, enter a valid password.

    Note: You can leave this box blank if no authentication is required.

  7. In the Search Base box, enter the DN of the entry in the tree to be used for the search. For example:

    cn=Recipients,ou=Exchange,o=FirePass server

  8. In the Filter template box, enter a search filter template. For example:

    (&(objectclass=person)(cn=*%s*))

    where %s is substituted by the user's FirePass logon name. The surrounding asterisks make this a substring match, so it can return several entries; keep the object class restriction, as in the example, so that only person entries are listed.

  9. In the Name Attribute box, specify the name attribute, which is typically cn.

  10. In the Address Attribute box, enter the email address attribute, which is typically mail.

  11. Click the Update button.
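Both Filter template boxes on this screen (step 8 under Obtaining each user's email information based on an LDAP query and step 8 above) paste a value into an LDAP search filter. The following Python script is an added example, not FirePass code: it expands a template with the value escaped per RFC 4515, evaluates the resulting filter against a small constructed directory, and shows what an unescaped wildcard does to the lookup. The evaluator handles only the (&...), (|...), (!...) and (attr=value) forms used on this page; the directory entries and attribute names are made up.

```python
import re

# RFC 4515 escaping for assertion values inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, logon, escape=True):
    """Substitute %s in a Filter template. With escape=False the logon name is
    pasted in raw, which is the unsafe behaviour the demo below exercises."""
    return template.replace("%s", escape_filter_value(logon) if escape else logon)


def _pattern_to_regex(pattern):
    """Turn an assertion value into a regex: '*' is a wildcard, a backslash
    followed by two hex digits is a literal character, all else is literal."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            parts.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def _evaluate(filt, i, entry):
    """Recursive-descent evaluation of a filter against one entry
    (dict of lower-case attribute -> list of values). Returns (bool, next_i)."""
    assert filt[i] == "(", "filter must start with '('"
    i += 1
    if filt[i] in "&|!":
        op, i, results = filt[i], i + 1, []
        while filt[i] == "(":
            r, i = _evaluate(filt, i, entry)
            results.append(r)
        assert filt[i] == ")"
        if op == "&":
            return all(results), i + 1
        if op == "|":
            return any(results), i + 1
        return not results[0], i + 1
    end = filt.index(")", i)           # a literal ')' in a value is escaped as \29
    attr, _, pattern = filt[i:end].partition("=")
    regex = _pattern_to_regex(pattern)
    return any(regex.match(v) for v in entry.get(attr.lower(), [])), end + 1


def matches(filt, entry):
    return _evaluate(filt, 0, entry)[0]


# Constructed directory entries standing in for the LDAP server's answers.
SAMPLE_DIRECTORY = [
    {"uid": ["johndoe"], "cn": ["John Doe"], "objectclass": ["person"],
     "mail": ["johndoe@company.com"], "mailhost": ["f22.company.com"]},
    {"uid": ["janeroe"], "cn": ["Jane Roe"], "objectclass": ["person"],
     "mail": ["janeroe@company.com"], "mailhost": ["f22.company.com"]},
    {"uid": ["svc-backup"], "cn": ["Backup Service"], "objectclass": ["person"],
     "mail": ["backup@company.com"], "mailhost": ["f23.company.com"]},
]


def search(template, logon, escape=True, directory=SAMPLE_DIRECTORY):
    """Return the uid of every entry the expanded filter matches."""
    filt = build_filter(template, logon, escape)
    return [e["uid"][0] for e in directory if matches(filt, e)]


if __name__ == "__main__":
    print(search("(&(uid=%s))", "johndoe"))                    # ['johndoe']
    print(search("(&(uid=%s))", "*", escape=False))            # every entry
    print(search("(&(uid=%s))", "*"))                          # []
    print(search("(&(objectclass=person)(cn=*%s*))", "doe"))   # ['johndoe']
```

The per-user filter (&(uid=%s)) is meant to select one mailbox; an unescaped * as the logon name selects every entry, and the first entry returned would decide whose mail server and logon the user gets. Escaping turns the same input into a literal that matches nothing, which is the failure you want.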

Using client certificate validation for the My E-mail Webifyer

You can restrict access to the My E-mail Webifyer to users in a group who have a valid client certificate installed on their computer. For more information, see Using client certificate validation for Webifyers.

Configuring the Terminal Services Webifyer

The Terminal Services Webifyer provides remote users with access to internal LAN Microsoft Terminal servers, Windows XP desktop computers, Citrix Metaframe servers, and VNC servers in a unified secure way. Users have the option to either browse the servers by their name or internal IP address, or to use favorites.

The Terminal Services Webifyer includes:

  • Support for native Terminal Server-hosted applications

  • Support for Citrix® MetaFrame applications

  • Automatic download and installation of the correct Terminal Services or Citrix remote-platform client component, if it is needed but has not yet been installed

For each user group, you can assign options and create a set of favorite links to appropriate servers. You can also specify whether you want the terminal services to open inside the existing browser window or in a separate window.

Configuring screen resolution and Terminal Services Favorites

Under the Webifyers tab, click the Terminal Services link to open the Terminal Services Webifyer screen.

To configure screen resolution and Terminal Services Favorites
  1. From the For the group drop-down list, select the group that you want to configure the Terminal Services for.

  2. To set the initial screen resolution for Terminal Servers and Citrix Metaframe for the current group, select a resolution from the drop-down list in the Screen Resolution section. Users can also override this setting on an individual basis.

  3. In the Edit Terminal Service Favorites section, click the Add New link.

  4. In the Name box, specify a name for the terminal service that you are defining as a Terminal Service Favorite. This name is displayed as a label for the Terminal Services Favorite in each user's Web browser under the My Terminal Services icon. For example: Citrix XYZ Application.

  5. In the Host box, enter the host name or IP address of the server running the terminal service.

    Note: You can use a space separated list of IP addresses or host names in the Host field for a Citrix Metaframe Server, a Citrix Metaframe Browser, and VNC. The FirePass server attempts to use the first entry in the list, and if that entry fails, the server proceeds with other entries in the list until a working server is found.

  6. From the drop-down list next to the Port box, select a server type.

    After you select the server type, the appropriate default value for the port is automatically entered in the Port text box. If necessary, you can enter a different server port number.

    Note: The Citrix Metaframe Browser type relies upon the Citrix HTTPonTCP protocol, which must be enabled on the target server. This type is useful in accessing Citrix server farms and resolving application names to an IP address and port.

  7. In the Select a Program box, enter the complete path and file name of the program you want to run on the remote server, such as c:\programs\notepad.exe.

  8. In the Working Dir box, enter the directory in which you want to run the program, such as C:\temp.

  9. To open the Terminal Service application in a separate window on the user's screen, select the Open in new window option.

  10. To allow users access to the local drives on the remote server during a terminal service session, select the Allow access to local drives option.

  11. Click the Add New button.

Limiting a group's access to the Terminal Service Favorites

If you want to limit a group's access to the Terminal Service Favorites you specified, select the Limit MyNetwork Access to Terminal Service Favorites only option.

Using client certificate validation for the Terminal Services Webifyer

You can restrict access to the Terminal Services Webifyer to users in a group who have a valid client certificate installed on their computer. For more information, see Using client certificate validation for Webifyers.

Configuring the AppTunnels Webifyer

The AppTunnels Webifyer supports access from client applications on each user's remote computer to TCP/IP application servers. The AppTunnels Webifyer enables a native client-side application to communicate back to the corporate application server using a secure tunnel between the user's Web browser and the FirePass server.

The AppTunnels Webifyer allows FirePass users to access the client-server applications you specify. Unlike a traditional IPSec VPN client that exposes the entire network, the AppTunnels Webifyer exposes only the specific resources used by the selected applications. You can also restrict users to the particular applications they need to use.

The AppTunnels Webifyer uses the standard HTTPS protocol with SSL as the transport. As a result, the AppTunnels Webifyer works through all HTTP proxies, including public access points and private LANs, and over networks and ISPs that do not support traditional IPSec VPN clients.

The first time users access the AppTunnels Webifyer, an ActiveX control is automatically installed in their Internet Explorer browser, or a plug-in is automatically installed in their Netscape or Mozilla browsers on Windows.

You can use the AppTunnels Webifyer with the following types of applications:

  • Microsoft® Outlook, PeopleSoft®, SAP®, or Oracle®

  • Terminal emulators

  • SSH

  • Internet Mail (POP/IMAP/SMTP)

  • LDAP

  • Intranet web sites that rely on networked ActiveX or Java

  • WEBDAV publishing

  • Network drive mapping

In general, most TCP/IP-based client-server applications that do not require dynamic ports work with the AppTunnels Webifyer.

Configuring AppTunnel Favorites

Under the Webifyers tab, click the AppTunnels link to open the AppTunnels Webifyer screen.

To configure AppTunnel Favorites
  1. From the For the group drop-down list, select the group that you want to configure the AppTunnels for.

  2. In the Favorite AppTunnels section, click the Add New link.

  3. In the Name box, specify a name for the AppTunnel Favorite.

    This name is displayed as a label for the AppTunnels Favorite in each user's Web browser under the AppTunnels icon. For example: XYZ Application.

  4. From the drop-down list, select an application class.

  5. In the text box next to the drop-down list, enter the remote host IP address or the host name, as appropriate.

    Note: If you specify a host name, the HOSTS file on the user's computer (the access point) is temporarily patched for the duration of the session so that the name resolves to the tunnel's loopback address. This lets the AppTunnels Webifyer redirect the application's connections while preserving the user's usual LAN settings. The original HOSTS file is restored when the AppTunnels session is terminated. Also note that on Windows NT-based platforms, either the user must have local administrative rights to modify the HOSTS file, or the administrator must change the attributes of the HOSTS file so that the user can write it. Whoever can write the HOSTS file can redirect any host name on that computer, so limit this to the computers that need AppTunnels.

  6. Click the Add New icon.
    On the next screen, the template for the AppTunnel appears.

  7. If you are creating a custom AppTunnel, you need to specify remote and local ports for the connection.

    Generally, use the same number for the local port at the access point as for the remote port, unless a server might already be listening on that port on a user's computer.

    The IP address of the loopback adapter is generated automatically.

  8. In the Command Line box, enter a command to start an application transparently for the user. For example:

    iexplore http://127.3.54.34/sales/automation.pl

    or

    telnet 127.3.54.34

  9. Click the Save button.

  10. To add a subtunnel, choose an application class from the drop-down list below the tunnel you just saved. In the text box next to the drop-down list, enter the remote host IP address or the host name. Click the Add New button next to the subtunnel's information.

  11. To rearrange the order in which the tunnels are activated, click the Move Up or Move Down buttons next to the tunnels in the Favorite AppTunnels section.
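The note in step 5 describes a temporary HOSTS patch that is undone when the session ends. The following Python script is an added example, not the AppTunnels client's code, that shows the shape of such a patch on in-memory HOSTS text: a marked block is placed ahead of the existing entries (common resolvers use the first matching line, so appending would not override an existing LAN entry for the same name), the saved original is put back when the session block exits for any reason, and a separate routine strips a leftover block if the saved copy is gone. The host names and addresses are constructed; the loopback address is the one from the command-line examples above.

```python
from contextlib import contextmanager

MARK_BEGIN = "# BEGIN AppTunnels session (added example)"
MARK_END = "# END AppTunnels session (added example)"


def patch_hosts(original, mappings):
    """Return HOSTS text with a marked block of host -> loopback lines placed
    ahead of the existing entries. The original lines are kept verbatim so
    every other LAN name keeps resolving as before."""
    block = [MARK_BEGIN]
    block += [f"{ip}\t{host}" for host, ip in mappings.items()]
    block.append(MARK_END)
    return "\n".join(block) + "\n" + original


def strip_patch(text):
    """Remove a marked block from HOSTS text. Fallback for when the saved
    original is gone, for example after a crash left the patch in place."""
    kept, skipping = [], False
    for line in text.splitlines(keepends=True):
        stripped = line.rstrip("\r\n")
        if stripped == MARK_BEGIN:
            skipping = True
        elif stripped == MARK_END:
            skipping = False
        elif not skipping:
            kept.append(line)
    return "".join(kept)


def resolves_to(text, host):
    """Return the address that HOSTS text maps `host` to (first matching
    line wins, as in common resolvers), or None if it is not listed."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and host.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None


@contextmanager
def apptunnel_session(store, mappings):
    """Patch the HOSTS text held in store["hosts"] for the duration of the
    with-block and put the saved original back afterwards, even if the body
    raises. `store` is a dict standing in for the real file."""
    original = store["hosts"]
    store["hosts"] = patch_hosts(original, mappings)
    try:
        yield store
    finally:
        store["hosts"] = original


if __name__ == "__main__":
    # Constructed HOSTS content with a LAN entry for the same name the tunnel uses.
    store = {"hosts": "127.0.0.1\tlocalhost\n10.1.2.9\tmail.company.com\n"}
    with apptunnel_session(store, {"mail.company.com": "127.3.54.34"}) as s:
        print("during session:", resolves_to(s["hosts"], "mail.company.com"))
    print("after session: ", resolves_to(store["hosts"], "mail.company.com"))
```

Writing the real file needs the rights the note mentions; the example keeps everything in memory so it runs anywhere. The restore-in-finally pattern is the property to look for in any tool that edits HOSTS: a patch that survives an abnormal exit silently redirects the name for every later program on that computer.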

Compressing traffic between the client and the FirePass server

To compress all traffic between the client and the FirePass server using the GZip deflate method, select the Use GZIP compression option.

Limiting a group's access to the AppTunnels Favorites

If you want to limit a group's access to the AppTunnels Favorites you specified, select the Limit MyNetwork Access to AppTunnels Favorites only option.

Using client certificate validation for the AppTunnels Webifyer

You can restrict access to the AppTunnels Webifyer to users in a group who have a valid client certificate installed on their computer. For more information, see Using client certificate validation for Webifyers.

Configuring the Host Access Webifyer

The Host Access Webifyer allows remote users to access legacy applications using a Web browser. The Host Access Webifyer does not require any application modifications or any third-party software to webify interaction with hosts. There is nothing to install on the host system or server.

The following formats are supported:

  • VT320 Telnet in Java

  • VT320 Telnet in HTML

  • TN3270, 80x24 in Java

  • TN3270, 80x32 in Java

  • TN3270, 132x27 in Java

  • TN5250, 80x32 as ActiveX control/self-installed plug-in

You can also use a password-based SSH connection.

Configuring Host Access Favorites

Under the Webifyers tab, click the Host Access link to open the Host Access Webifyer screen.

To configure Host Access Favorites
  1. From the For the group drop-down list, select the group that you want to configure Host Access for.

  2. Click the Add New link.

  3. In the Name box, specify a name for the host access Favorite.
    This name is displayed as a label for the Host Access Favorite in each user's Web browser under the Host Access icon.

  4. In the Host box, specify the host's name or its IP address.

  5. In the Port box, specify the host's port number.
    In most cases, use the default 23 (Telnet) for host access, or 22 if you are using SSH.

  6. If you want to use SSH when accessing the host, select the Use SSH option.

  7. From the Term-type drop-down list, select a type of terminal.

  8. Click the Add New button.

Displaying active host access sessions

In the Host Access Server section of the Host Access Webifyer screen, the Administration Console displays the number of host sessions that are currently in progress.

If necessary, you can restart the host access server by clicking the Restart The Host Access Server button.

Limiting a group's access to the host access favorites

If you want to limit a group's access to the host access favorites you specified, select the Limit MyNetwork Access to Host Access Favorites only option. Group members then are not allowed to access hosts by manually entering an IP address and port number.

Using client certificate validation for the Host Access Webifyer

You can restrict access to the Host Access Webifyer to users in a group who have a valid client certificate installed on their computer. For more information, see Using client certificate validation for Webifyers.

Configuring SSL-VPN

The FirePass server's SSL VPN provides the functionality of a traditional IPSec VPN client, but it is easier to deploy. Unlike a traditional IPSec VPN client, the SSL VPN Webifyer does not require any configuration on each remote user's computer, and no server-side changes are necessary. The FirePass server's SSL VPN implements PPP over SSL; because the tunnel is carried inside an ordinary HTTPS session, it traverses routers, firewalls, and proxies without special handling.

Whereas the AppTunnels Webifyer provides remote users with access to particular applications on a specific server and port, the SSL VPN Webifyer provides access to all applications and network resources, unless you configure restrictions.

As with the AppTunnels Webifyer, the SSL VPN Webifyer uses the standard HTTPS protocol, works through all HTTP proxies, and leverages all of the setup, security, availability, and management features of the FirePass server.

The SSL VPN Webifyer provides these benefits:

  • Browser-based access to client-server applications.
    The self-configuring SSL VPN Webifyer does not require any pre-installed, pre-configured software on the remote system. Field staff and travelers can access their applications without needing any individual setup or configuration of their computers. The SSL VPN Webifyer supports UDP and TCP applications.

  • Simple maintenance.
    Upgrades or replacement of field computers do not require any additional VPN-related maintenance, and changes to the host network or IP address can be made without reconfiguring each remote user's computers.

  • Split tunneling.
    If this option is enabled, only traffic intended for the target LAN goes through the SSL VPN Webifyer. All of the user's other Internet activity is unchanged, and is handled by the ISP as though the SSL VPN Webifyer was not deployed.

  • Packet-based, group-based firewall.
    Groups of users can be restricted to particular ports and addresses within the LAN. This feature allows full client-server application support without opening the entire network up to each user.

    In addition, the FirePass server's SSL VPN has global and group-based packet filters, so that you can define groups of users with different access rights.

    Note: The first time users access the SSL VPN Webifyer, an ActiveX control is automatically installed in their Internet Explorer browser, or a plug-in is automatically installed in their Netscape or Mozilla browser on Windows.

Configuring global SSL VPN settings

First, configure the global SSL VPN settings that apply to all groups, and then configure the SSL VPN Webifyer settings for each group.

To configure the global SSL VPN settings
  1. Under the Server tab on the left side of the Administrative Console, click the Security link.

  2. Click the SSL VPN link.

  3. In the Network Address and Mask boxes, enter the network address and network mask of the subnet you want VPN users to use.

    A user who connects through the VPN is assigned an IP address from this subnet. Enter a network address, not a single host address: all host bits must be zero, so with a 255.255.255.0 mask the address ends in .0.

  4. Do one of the following:

    • To use NAPT to access the LAN, enable the Use NAPT to Access LAN option.

    • To use a virtual subnet, disable the Use NAPT to Access LAN option.

      Here is a comparison of the two methods of configuring the VPN back end with the Use NAPT to Access LAN option.

      Feature                                                  Virtual Subnet               NAPT
      Does not require infrastructure changes on the network   No                           Yes
      IP addresses used                                        Pool of virtual subnet IPs   Single FirePass IP address
      Supports Microsoft Networking                            Yes                          No
      Works with most client-server applications               Yes                          Yes
      Works with more demanding networking applications        Yes                          No

      For example, use NAPT when you only need to provide Outlook users with complete Exchange access; the VPN configuration is then limited entirely to the FirePass server.

      A virtual subnet ensures complete transparency. Its disadvantage is that the surrounding infrastructure has to be configured to route IP traffic for the virtual subnet addresses back to the FirePass server.

      Note: The pool of addresses is used in both cases to issue addresses to the remote endpoints.

      Warning: The pool of addresses for the VPN must not contain the FirePass server address. Otherwise, severe routing problems can occur.

  5. Click the Apply these rules now button.
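The two constraints in the procedure above (the Network Address and Mask pair must describe a network rather than a host, and the pool must not contain the FirePass server's own address) are easy to get wrong by hand. The following Python is an added example, not FirePass code; the addresses are constructed for illustration. It accepts the mask either as a prefix length or in dotted form, the two ways an administrator is likely to have it written down.

```python
from __future__ import annotations

import ipaddress


def validate_vpn_pool(network: str, mask: str, firepass_ip: str) -> list[str]:
    """Check a proposed SSL VPN address pool before entering it in the console.

    Returns a list of problems (empty when the pool is acceptable). The checks
    are the two constraints the guide states for the Network Address and Mask
    boxes: the pair must describe a network, not a single host, and the pool
    must not contain the FirePass server's own address.
    """
    problems = []
    try:
        # strict=True rejects an address with host bits set, e.g. 10.1.1.5/24.
        # Both "24" and "255.255.255.0" are accepted as the mask.
        pool = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    except ValueError as exc:
        return [f"{network}/{mask} is not a network address: {exc}"]

    if pool.prefixlen == 32:
        problems.append(f"{pool} is a single host, not a network")

    # The Warning in the guide: the server address inside the pool causes
    # severe routing problems, so refuse that combination outright.
    server = ipaddress.ip_address(firepass_ip)
    if server in pool:
        problems.append(f"FirePass server address {server} falls inside the pool {pool}")

    return problems


if __name__ == "__main__":
    # Constructed sample values, not from the guide.
    for args in [
        ("10.10.10.0", "255.255.255.0", "192.168.1.20"),  # acceptable
        ("10.10.10.5", "24", "192.168.1.20"),             # host bits set
        ("10.10.10.0", "24", "10.10.10.1"),               # server inside pool
    ]:
        print(args, "->", validate_vpn_pool(*args) or "OK")
```

Run it with the values you intend to type into the console; an empty result means both constraints hold.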

Configuring global SSL VPN packet filter rules

You can specify a set of global packet filter rules that are activated whenever a user starts the SSL VPN Webifyer. Each packet coming from a VPN client is first checked against an optional group rule set (see Configuring group packet filter rules); if no group rule matches, the packet is checked against the global rules. If a matching rule is found, the packet is accepted or rejected according to the action you assigned to that rule. If nothing matches, the packet is rejected. The rules are applied top to bottom in the order you create them on the VPN Settings screen.

Warning: If you enable the packet filter but define no rules, all traffic is rejected.

To configure the global packet filter rules
  1. On the VPN Settings screen, select the Use packet filter to access LAN option.
    The VPN Settings screen displays the Packet Filter Rules section.

  2. In the Packet Filter Rules section, click the Add New Rule link.

  3. From the Proto drop-down list, select a single protocol or all protocols.

  4. In the Port box, enter a port number or a port range in the first:last format. To specify any port, enter 0:65535.

  5. In the Address/Masks text box, enter a destination IP address:

    • For a host, such as 192.168.2.1

    • For a subnet/mask, such as 192.168.2.0/24 or 192.168.2.0/255.255.255.0

    • For any address and mask, use 0/0

  6. From the Action drop-down list, select an action for the rule (Accept or Reject).

  7. Click the Save button to save the rule.

  8. Click the Apply these rules now button to apply the rules.

Configuring global SSL VPN timeout rules

To configure the global timeout rules
  1. On the VPN Settings screen, select the Use packet filter to access LAN option.
    The Packet Filter Rules section is displayed on the VPN Settings screen.

  2. In the Timeout Rules section, click the Add New Timeout Rule link.

  3. From the Proto drop-down list, select a single protocol or all protocols.

  4. In the Port box, enter a port number or a port range in the first:last format. To specify any port, enter 0:65535.

  5. In the Address/Masks box, enter a destination IP address:

    • For a host, such as 192.168.2.1

    • For a subnet/mask, such as 192.168.2.0/24 or 192.168.2.0/255.255.255.0

    • For any address and mask, use 0/0

  6. From the Action drop-down list, select an action for the rule (Accept or Reject).

  7. Click the Save button to save the rule.

  8. Click the Apply these rules now button to apply the rules.

Configuring global SSL VPN client appearance

You can configure global settings that determine how the SSL VPN client appears on each remote user's computer.

To configure the global SSL VPN client appearance
  1. In the Client Appearance section of the VPN Settings screen, select the Do not display tray icon for connection option to hide the status monitor in the tray area.

    Note: This setting works on Windows 2000 and XP computer systems only.

  2. In the Displayed bandwidth B/Sec box, enter the bandwidth value to display in the status window of the VPN adapter on Windows.

  3. Click the Save button.

Configuring the SSL VPN Webifyer for a group

Under the Webifyers tab, click the SSL VPN link to open the SSL VPN Webifyer screen.

To configure the SSL VPN Webifyer for a group
  1. From the For the group drop-down list, select the group that you want to configure SSL VPN for.

  2. In the Connection name box, enter a name for the SSL VPN Favorite.

    This name is displayed as a label for the SSL VPN Favorite in each user's Web browser under the SSL VPN icon.

  3. In the DNS address box, enter a space-separated list of IP addresses for the internal company DNS servers. These are conveyed to the remote user's access point.

  4. In the WINS address box, enter a space-separated list of IP addresses for the internal company WINS servers. These are conveyed to the remote access point.

    Important: The WINS addresses are required for Microsoft Networking to operate properly.

    Note: Microsoft network browsing does not work in a configuration using network address translation (NAT).

  5. (Optional) To have only the traffic targeted at a specified address space go through the SSL VPN Webifyer, select the Use split tunneling option. All of the remote user's other Internet activity is handled by the user's ISP.

    For example, enable this option if the company does not want a remote user's personal Internet activity to be channeled through the company network. Disable it if the company's security policy requires all of the remote user's traffic, including the files the user downloads, to pass through the company network for virus scanning. Note that with split tunneling enabled, the remote computer is connected to the Internet and to the internal network at the same time.

  6. Click the Update button to update the screen.

  7. If you selected the split tunneling option, the LAN Address Space box appears. Enter a space-separated list of addresses or address/mask pairs describing the target LAN to use for split tunneling.

    Only the traffic to these addresses and network segments goes through the SSL VPN.

  8. To have the SSL VPN client work through a proxy server on the target network, select the Client proxy settings option.

    Note: The Client Proxy Settings option requires Internet Explorer 5.0 or later to be installed on the user's computer or access point.

  9. Click the Update button to update the screen.

  10. If you selected the Client proxy settings option, do the following:

    1. In the Address box and the Port box, enter the IP address and port number of the proxy server that the SSL VPN client uses to connect to the Internet.

    2. To have the client connect to local (Intranet) addresses directly instead of sending them to the proxy server, select the Bypass proxy for local addresses option.

    3. In the Proxy exclusion list box, enter the Web addresses that do not need to be accessed through the proxy server. You can use wildcards to match domain names, host names, or addresses. For example:

       www.*.com; 128.*; 240.*; *.mygroup.*; *x*

  11. (Optional) To prevent all network configuration changes on the client computer during an SSL VPN client session, select the Prohibit routing table changes during SSL VPN connection option, further down the screen.

    When this option is selected, the SSL VPN connection terminates if any network configuration change is made on the client computer. For example, if a user has an SSL VPN connection established and then starts a new dial-up connection or inserts a new network card, the SSL VPN connection terminates. This is a security measure: it prevents routes from being added or changed underneath an established tunnel.

  12. To compress all traffic between the SSL VPN client and the FirePass server using the GZip deflate method, select the Use GZIP Compression option.

Configuring group packet filter rules

If you have first enabled global SSL VPN packet filter rules (see Configuring global SSL VPN packet filter rules), you can then specify an optional set of group rules that are activated whenever a user in the group starts the SSL VPN client. Each packet coming from a VPN client is first checked against the group rule set; if no group rule matches, the packet is checked against the global rules. If a matching rule is found, the packet is accepted or rejected according to the action you assigned to that rule. If nothing matches, the packet is rejected. The rules are applied top to bottom in the order you create them on the SSL VPN Settings screen.

To configure the group packet filter rules
  1. If you have not already done so, select the Use Packet Filter to Access LAN option on SSL VPN Settings screen (under the Server tab, click the Security link, then click the SSL VPN option). (See Configuring global SSL VPN packet filter rules.)

  2. In the Group Packet Filter section of the SSL VPN Webifyer screen, click the Add new rule link.

  3. From the Proto drop-down list, select a single protocol or all protocols.

  4. In the Port box, enter a port number or a port range in the first:last format. To specify any port, enter 0:65535.

  5. In the Address/Masks box, enter a destination IP address for a host (such as 192.168.2.1), a subnet/mask (such as 192.168.2.0/24 or 192.168.2.0/255.255.255.0). To specify any address and mask, enter 0/0.

  6. From the Action drop-down list, select an action for the rule (Accept or Reject).

  7. Click the Save button to save the rule.

  8. Click the Apply these rules now button to apply the rules.
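The evaluation order described for the global and group packet filters (group rules first, then global rules, first match wins, reject if nothing matches), the Port and Address/Masks formats those rules accept, and the space-separated LAN Address Space list used for split tunneling can all be modelled in a few lines. The following Python is an added example, not FirePass code. The group name, rule set and addresses are constructed for illustration, and matching a rule's port against the packet's destination port is an assumption (the guide names the field but not which port it is compared with).

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY_ADDRESS = ipaddress.ip_network("0.0.0.0/0")


def parse_address(spec: str) -> ipaddress.IPv4Network:
    """Parse the Address/Masks forms the guide lists: a host (192.168.2.1),
    a subnet with a prefix (192.168.2.0/24) or a dotted mask
    (192.168.2.0/255.255.255.0), or 0/0 for any address."""
    if spec == "0/0":
        return ANY_ADDRESS  # not valid ipaddress syntax, so special-case it
    return ipaddress.ip_network(spec, strict=False)


def parse_port(spec: str) -> tuple[int, int]:
    """Parse a single port or a first:last range; 0:65535 means any port."""
    first, _, last = spec.partition(":")
    lo, hi = int(first), int(last or first)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port specification {spec!r}")
    return lo, hi


@dataclass(frozen=True)
class Rule:
    proto: str    # "tcp", "udp", "icmp", or "any"
    port: str     # single port or first:last
    address: str  # destination host, subnet/mask, or 0/0
    action: str   # "accept" or "reject"

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        lo, hi = parse_port(self.port)
        if not lo <= dst_port <= hi:
            return False
        return ipaddress.ip_address(dst_ip) in parse_address(self.address)


def filter_packet(group_rules: list[Rule], global_rules: list[Rule],
                  proto: str, dst_ip: str, dst_port: int) -> str:
    """Decide a packet's fate as the guide describes: the group rules are tried
    first, top to bottom, then the global rules; the first match decides; a
    packet that matches nothing is rejected."""
    for rule in [*group_rules, *global_rules]:
        if rule.matches(proto, dst_ip, dst_port):
            return rule.action
    return "reject"  # implicit default, which is why an empty rule set blocks everything


def goes_through_tunnel(lan_address_space: str, dst_ip: str) -> bool:
    """Split tunneling: the LAN Address Space box holds a space-separated list
    of addresses or address/mask pairs, and only traffic to those goes through
    the SSL VPN; everything else stays with the user's ISP."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in parse_address(spec) for spec in lan_address_space.split())


# Constructed sample policy (hypothetical group and addresses, not from the guide).
GLOBAL_RULES = [
    Rule("tcp", "0:65535", "192.168.2.0/24", "accept"),  # any TCP into the LAN
    Rule("udp", "53", "192.168.2.10", "accept"),         # DNS to one server only
    Rule("any", "0:65535", "0/0", "reject"),             # explicit catch-all
]
CONTRACTOR_RULES = [
    Rule("tcp", "3389", "192.168.2.0/255.255.255.0", "reject"),  # no RDP for this group
]
LAN_ADDRESS_SPACE = "192.168.2.0/24 10.0.0.0/255.0.0.0 172.16.5.7"


if __name__ == "__main__":
    # The group reject is hit before the global accept for the same destination.
    print(filter_packet(CONTRACTOR_RULES, GLOBAL_RULES, "tcp", "192.168.2.20", 3389))
    print(filter_packet([], GLOBAL_RULES, "tcp", "192.168.2.20", 3389))
    # Filter enabled with no rules at all: everything is rejected.
    print(filter_packet(CONTRACTOR_RULES, [], "tcp", "192.168.2.20", 443))
    print(goes_through_tunnel(LAN_ADDRESS_SPACE, "10.20.30.40"),
          goes_through_tunnel(LAN_ADDRESS_SPACE, "8.8.8.8"))
```

Because group rules are consulted before global ones, a group-level Reject is the right place to carve an exception out of a broad global Accept, as the RDP rule above does; putting the catch-all Reject at the top of either list would silently block everything below it.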

Configuring drive mappings for the SSL VPN Webifyer

You can preconfigure the network shares that are automatically mapped at the access point computer after the SSL VPN connection is established.

To configure drive mappings
  1. In the Name box in the Drive Mappings section of the SSL VPN Webifyer screen, enter a name for the mapping.

  2. In the Path box, enter a UNC path to the network share.

    Important: The Administration Console does not verify the path you specify, so be sure to enter it correctly.

  3. From the Map To drop-down list, select the preferred drive letter to map the network share to.

    Note: If the drive letter is already taken, another letter is chosen at connection time.

Launching applications automatically with the SSL VPN Webifyer

You can have applications launch automatically whenever users in a group use the SSL VPN Webifyer. Under the Webifyers tab, click the SSL VPN link to open the VPN client settings screen.

To launch applications automatically
  1. In the App Path box of the Launch Applications section of the SSL VPN screen, enter the complete path and file name of the application you want to launch. For example:

    iexplore http://127.3.54.34/sales/automation.pl

  2. In the Parameters box, enter any required parameters for the application.

  3. Click the Add button.

  4. To display a message before launching the application, select the Display message box before launching applications option.

Using client certificate validation for the SSL VPN Webifyer

You can restrict access to the SSL VPN Webifyer to users in a group who have a valid client certificate installed on their computer. For more information, see Using client certificate validation for Webifyers.

Configuring the My Desktop Webifyer

The My Desktop Webifyer provides employees with full remote control access to their desktop computers on the internal LAN. Employees can also use the My Desktop Webifyer to grant access to their desktop computers to guest users.

The My Desktop Webifyer features include:

  • Screen Sharing
    Users can remotely access and control their desktop computers from any full Web browser.

  • Guest Access
    Users can invite remote guests to view their computer's screen or files in real time, and optionally share cursor and keyboard control. This feature can be used for Web conferences that include up to 10 guests.

  • My Outlook and Lotus Notes Webifyers
    Users have access to Outlook and Notes desktop clients with rich functionality over slow connections or small-format remote devices.

  • My Explorer and Internet Favorites
    Users can use their desktop computers to access Intranet/Internet sites and desktop Internet shortcuts.

    Note: For information on downloading the My Desktop software, see Installing My Desktop client software at a user's computer.

Configuring the My Desktop server ports

By default, the My Desktop software on the desktop computer uses port 80 for HTTP and port 443 for HTTPS. If the My Desktop client software detects that port 80 or 443 is already in use, it automatically selects different ports. If those ports are or might be in use, you can also configure a different set of default ports manually. Any firewalls between the FirePass server and the desktop computer must allow traffic on the ports you configure.

Note: The HTTPS port on the desktop computer must be accessible from the FirePass server.

To configure the My Desktop ports
  1. Under the Desktop tab on the left side of the Administrative Console, click the Settings link.
    The Default Desktop Software Server TCP Ports screen opens.

  2. In the HTTP port box and the HTTPS port box, enter the default port assignments for the My Desktop Webifyer.

Configuring My Desktop Webifyer for cluster servers

If you are using a cluster of FirePass servers, select the Disable Desktop Key Refresh option on the Default Desktop Software Server TCP Ports screen. Key Refresh is an extra security precaution that must be disabled for a cluster configuration. For more information on clusters, see Using FirePass server clusters.

Disabling bridge access to desktops

The bridge is a highly scalable, dynamic port-forwarding mechanism that uses a range of high ports on the FirePass server to tunnel HTTPS traffic directly to the desktop computer. The resulting SSL session is between the Web browser and the desktop computer rather than terminating on the FirePass server.

The bridge does not weaken access control. Any unauthenticated request that arrives from the same client IP address at a bridge port is redirected back to the logon screen; only authenticated traffic is accepted by the My Desktop software running on the desktop computer.

If you select the Disable Bridge Access to Desktop option, all My Desktop traffic goes through port 443 on the FirePass server instead, at a slight cost in performance.

Using client certificate validation for the My Desktop Webifyer

You can restrict access to the My Desktop Webifyer to users in a group who have a valid client certificate installed on their computer.

To use client certificate validation for the My Desktop Webifyer
  1. Under the Server tab, click the Authentication link.
    The Authentication Scheme screen opens.

  2. From the For the group drop-down list, select the group that you want to use client certificate validation for.

  3. From the Client Certificate drop-down list in the Configure Client-Side SSL Certificate Validation section, select Required for access to select webifyers.

  4. Click the Webifyers requiring client certificate for access option.

  5. Select the My Desktop Webifyer.

  6. To require that the user name on the Login screen must match the common name (CN) of the client certificate, select the Login username must match certificate common name option.

Configuring the Guest Access Webifyer

The Guest Access Webifyer provides users with collaborative features for the My Desktop Webifyer. For example, when users are using the My Desktop Webifyer, they can use the Guest Access Webifyer to invite a person outside of the corporate network to share files and to view and control their desktop computer screen.

As the administrator, you can choose to enable or disable the Guest Access Webifyer for a group of users. You can also set a default method for how users send an invitation to their guest users.

To configure the Guest Access Webifyer

Under the Webifyers tab, click the Guest Access link to open the Guest Access Webifyer screen.

  1. From the For the group drop-down list, select the group that you want to configure Guest Access for.

  2. To enable the Guest Access Webifyer for the selected group, select the Allow Guest Access option.

  3. From the drop-down list, select a method for how users send an invitation to their guest users.

  4. If you chose Internet mail, enter the name or IP address of the SMTP mail server for the desktop computer.

  5. Click the Apply button.

Configuring the X-Windows Access Webifyer

FirePass X-Windows Access allows users to connect to UNIX and Linux applications and application servers from any standard Web browser that is Java- or ActiveX-enabled. FirePass X-Windows Access supports any network application that uses the X protocol.

Architecturally, FirePass X-Windows Access implements an X-Server on the FirePass server itself. This server acts as a proxy user of a UNIX-based client-server application. In this role, the FirePass server interacts with the application internally in the network, and then renders the X-Server output into encrypted, browser-readable output.

The FirePass administrator configures the target UNIX and Linux hosts that are made available to remote users. For each group, the administrator can also specify whether group members may add their own favorite hosts beyond the group's collective list of favorites. If group members are permitted to add individual favorites, they configure them in the same way an administrator configures favorites for the group, using an identical interface.

Configuring X-Windows hosts for remote access

You can configure or add an X-Windows application host for FirePass remote access. Remember that each Group needs to be separately configured.

To configure an X-Windows host
  1. From the Webifyers tab, click the X Windows link.
    The My X Windows Webifyer screen opens.

  2. In the For the group list, select the group for which you want to provide or modify access.

  3. Check the Limit access to... favorites only box to restrict the group you are configuring to only the hosts you set up for the group.
    If your policy allows members of this group to configure their own host sessions, leave this box unchecked.

  4. Use the buttons available for each host, and click the appropriate one to edit, add, or delete one or more hosts for this group.

To add a host
  1. From the Webifyers tab, click the X Windows link.
    The My X Windows Webifyer screen opens.

  2. In the For the group list, select the group for which you want to provide or modify access.

  3. Click the Add New Favorite link (or the green X button next to it).
    The screen refreshes to provide input boxes.

  4. In the Name box, supply a user-friendly name consisting of any alphanumeric string. You may use spaces, but do not use slashes or special characters.

  5. In the Screen Access box, select one option:

    • If all the users in the group access this application only from Windows-based systems, select Advanced Real-Time. Advanced Real-Time uses ActiveX controls, available only on Windows.

    • Otherwise, or if you are not sure, select Java Real-Time.

  6. In the Terminal Type box, select Telnet or SSH, depending on which access method is supported by the target host.

  7. In the Host box, enter the IP address or host name of the target host. You can specify any system using the X interface here.

  8. Click the Remember login/password check box to have the FirePass server log on to the host automatically, using the credentials supplied in the Login/Password box (below).
    If this box is unchecked, the FirePass server presents a signon screen to the user at the time of access.

  9. In the Login / Password boxes, provide the default logon and password to be used. These credentials are used only if the Remember login/password box (above) is checked. Because every member of the group then logs on to the host with the same stored credentials, the host's own logs cannot distinguish individual users; leave the box unchecked where per-user accountability on the host matters.

  10. In the Xwindow type box, select an option:

    • If the host system uses a KDE, Gnome, Open Look, or TWM graphical interface, select it here. The FirePass server launches the selected program automatically.

    • Otherwise select Custom command, and enter the user's initial command below.

  11. In the Custom command box, enter the first command to be executed from the UNIX prompt following logon. This command ordinarily starts a shell or a graphical interface.

  12. In the Resolution box, set the screen resolution for the FirePass X-Windows server session. This selection governs the webified X-Windows output sent to the remote browsers. If you are unsure of the resolution of the likely remote systems, the safest choice is the lowest resolution (640 by 480 pixels).

Editing X-Windows host configuration details

You can change the configuration details for a host from the My X Windows Webifyer screen.

To edit an X-Windows host configuration
  1. Be sure to select the group for which you want to provide or modify access in the For the group list.

  2. To modify the configuration details, click:

    • The server name

    • The green X icon to the left of the server name

    • The edit icon (I) to the right of the server name

  3. Edit the host or logon details as needed.

Deleting a host

You can use the My X Windows Webifyer screen to remove a host from the Favorites list.

To delete a host from the Favorites list

Click the delete icon (the X) to the right of the host name.

The host is removed from the group's X-Windows Favorites list.

Using client certificate validation for Webifyers

You can restrict Webifyer usage to users in a group who have a valid client certificate installed on their computer in addition to knowing their user name and password. For example, for a laptop user, you can restrict usage of the My Files Webifyer to the user's laptop computer where a valid client certificate has been installed. The laptop user is not allowed to use the My Files Webifyer from other computers in other locations, such as a public access kiosk.

You can restrict the following Webifyers:

  • My Files

  • My Intranet

  • My E-Mail

  • Terminal Services

  • AppTunnels

  • Host Access

  • My Desktop

  • SSL VPN

To use client certificate validation for a Webifyer
  1. Install and enable client certificate validation for the selected group. (See Using client certificates to authenticate a user's computer.)

  2. Under the Webifyers tab, click the link for the Webifyer you want to restrict access to.

    Note: For information on using client certificate validation for the My Desktop Webifyer, see Using client certificate validation for the My Desktop Webifyer.

  3. On the Webifyer screen that appears, under the Client Certification Validation section, select the Limit access to users with valid client certificates option.

    Important: This option appears only if you have first configured client certificate validation for the selected group.

