Manual Chapter: FirePass 5.2 Handbook: Configuring Network Access
Chapter 3: Configuring Network Access



Overview of Network Access

Network Access (previously called SSL VPN) provides remote users with the functionality of a traditional IPSec VPN client. However, unlike an IPSec VPN, Network Access does not require any pre-installed software or configuration on the remote user's computer.


FirePass Network Access

The FirePass controller's Network Access feature implements PPP (Point-to-Point Protocol) over SSL, a secure solution that works well with routers, firewalls, and proxy servers. Network Access gives remote users access to all applications and network resources you choose. It uses standard HTTPS protocol and works through all HTTP proxy servers.

Network Access provides these benefits:

  • Browser-based access to client-server applications
    Network Access does not require any pre-installed, preconfigured software on the remote system. Remote users can access their applications without needing individual setup or configuration of their computers. Network Access supports UDP and TCP applications.


  • Simple maintenance
    Upgrading or replacement of remote computers does not require any VPN-related maintenance. Changes to the host network can be made without reconfiguring each remote computer.


  • Split tunneling
    If you enable this option, you can split traffic into two groups, with traffic intended for the host network going through Network Access, while all other traffic is untouched.


  • Packet-based, group-based firewall
    You can restrict groups of users to particular ports and addresses within the host network. The feature provides full client-server application support without opening up the entire network to each user.

Configuring Network Access settings

You need to configure global settings, resource settings, and master group settings in order to make Network Access available to remote users. Global settings apply to all groups and must be configured first. Resources apply to specific resource groups. Master group settings apply to specific master groups.

Note: You also have the option to open the FirePass controller standalone VPN screen from the Network Access menu. For more information about the standalone VPN client, see Overview of the standalone VPN client for Windows.


Configuring global Network Access settings

Network Access global settings specify the addresses used by a client computer's PPP adapter and by the FirePass controller. The client computer opens an SSL connection to the FirePass controller using its NIC (Network Interface Card) address. Once the connection is open, the client uses its configured PPP address to communicate with the FirePass controller. Traffic from the PPP address is encrypted and sent through the Network Access connection, and the FirePass controller opens a proxy connection to the target server. You configure whether all client traffic, or only traffic destined for specific destinations, uses the Network Access connection.

You also use the global settings to specify the address or addresses the FirePass controller will use to communicate with servers inside the network. If you choose to use NAPT (network address and port translation), communication between the FirePass controller and internal servers on your network uses the FirePass controller address. If you do not use NAPT, an IP address from the VPN is used between the FirePass controller and internal network servers. If you are not using NAPT, you must make sure that your internal network is configured to route IP traffic to the virtual network IP addresses.

Note: You must configure global settings before Network Access is available to a group.

Note: The IP addresses of the FirePass controller cannot fall within the VPN address range.


To configure global Network Access settings
  1. On the navigation pane, click Network Access, and then click Global Settings.
    The Global Settings screen displays.


  2. In the IP Address box and the Mask box, type the network address and mask that define the network to be used for VPN client addresses. Type a network address rather than a single host IP address. Each client's PPP adapter is assigned an address in this range.


  3. To update the client IP address range, click Update.

While on this screen, you can also configure proxy connections, a bitrate threshold, and the global appearance of the Network Access client. If you choose to do any of these, continue with the procedures following.


To configure the FirePass controller address for proxy connections
  1. If you want to enable NAPT, on the Global Settings screen check the Use NAPT to access LAN box.


  2. To enable NAPT, click Apply these rules now.

If you are configuring other settings, continue.


To configure the FirePass controller to use packet filter rules
  1. If you want to enable packet filter rules, on the Global Settings screen check the Use packet filter to access LAN box.
    The Packet Filter Rules area opens.


  2. To add a rule, click Add New Rule.


  3. Type a name for the rule in the Rulename box.


  4. Select the protocol from the Proto list.


  5. Type a port in the Port box.


  6. Type an IP address and subnet mask in the Address/Mask box.


  7. Select an action from the Action list.


  8. To save the rule, click Save.


  9. To apply the rule, click Apply these rules now.

For more information about packet filter rules, see the online help for the Network Access : Global Settings screen.

If you are configuring other settings, continue.
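The following is an added illustration, not FirePass code, of how a rule set built from the fields on the Global Settings screen (Rulename, Proto, Port, Address/Mask, Action) restricts a group to particular ports and addresses. First-match-wins ordering and an implicit deny when no rule matches are assumptions of this model; the sample rules are constructed.

```python
"""Model of a FirePass-style packet filter rule set (added example, not F5 code).

Each rule carries the fields the Global Settings screen asks for. The matching
semantics (first match wins, implicit deny when nothing matches) are an
assumption of this model, not something the manual documents.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str            # Rulename box
    proto: str           # Proto list: "tcp", "udp", "icmp" or "any"
    port: Optional[int]  # Port box; None means any destination port
    network: str         # Address/Mask box, e.g. "10.1.0.0/255.255.0.0"
    action: str          # Action list: "allow" or "deny"

    def matches(self, proto: str, dst: str, port: Optional[int]) -> bool:
        if self.proto != "any" and self.proto != proto.lower():
            return False
        if self.port is not None and self.port != port:
            return False
        # strict=False accepts an address/mask pair whose host bits are set
        return ip_address(dst) in ip_network(self.network, strict=False)


def decide(rules, proto: str, dst: str, port: Optional[int] = None) -> str:
    """Return the action of the first matching rule, or 'deny' if none match."""
    for rule in rules:
        if rule.matches(proto, dst, port):
            return rule.action
    return "deny"


# Constructed sample rule set: the group may reach one HTTPS server and the
# internal DNS servers, but nothing else on the 10.0.0.0/8 LAN.
SALES_RULES = [
    Rule("web-app", "tcp", 443, "10.1.2.10/255.255.255.255", "allow"),
    Rule("dns", "udp", 53, "10.1.0.0/255.255.0.0", "allow"),
    Rule("lan-deny", "any", None, "10.0.0.0/8", "deny"),
]
```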


To configure a bitrate threshold for updating the Network Access session

The bitrate threshold specifies a traffic limit, in bytes per second, over which Network Access will update a client session. You can use this option to distinguish between real application traffic and keepalive requests from clients. The timing window defines the period (in seconds) over which the bitrate is averaged. For more information, see the online help.

  1. If you want to specify a bitrate threshold for updating a session, on the Global Settings screen scroll down to the Specify bitrate evaluator parameters area, and type a numeric value in the Bitrate threshold (Bytes/sec) box.


  2. If you specify a bitrate threshold, also select a value from the Timing window list.


  3. To configure the bitrate threshold, click Apply these rules now.

If you are configuring other settings, continue.
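As an added illustration of why the bitrate threshold and timing window matter (not FirePass code), the model below only refreshes a session's last-activity time when the average bytes per second over the timing window exceeds the threshold, so periodic keepalives cannot hold an idle session open. That refresh rule is an assumption about how the setting behaves; the traffic samples are constructed.

```python
"""Sliding-window bitrate evaluator (added example, not FirePass code).

Models the Bitrate threshold (Bytes/sec) and Timing window settings: traffic is
averaged over the window, and the session is only refreshed when that average
exceeds the threshold. The refresh semantics are an assumption of this model.
"""
from collections import deque


class BitrateEvaluator:
    def __init__(self, threshold_bps: float, window_sec: int):
        self.threshold = threshold_bps
        self.window = window_sec
        self.samples = deque()    # (timestamp, bytes) pairs still inside the window
        self.last_activity = 0.0  # last time real traffic refreshed the session

    def _average(self, now: float) -> float:
        # drop samples that have aged out of the timing window
        while self.samples and now - self.samples[0][0] > self.window:
            self.samples.popleft()
        # average over the whole window, so a lone small packet counts little
        return sum(b for _, b in self.samples) / self.window

    def observe(self, now: float, nbytes: int) -> bool:
        """Record traffic; return True if the session activity time was refreshed."""
        self.samples.append((now, nbytes))
        if self._average(now) > self.threshold:
            self.last_activity = now
            return True
        return False

    def idle_for(self, now: float) -> float:
        return now - self.last_activity


def simulate(events, threshold_bps: float, window_sec: int):
    """events: list of (time, bytes). Returns (refresh_count, idle seconds at the end)."""
    ev = BitrateEvaluator(threshold_bps, window_sec)
    refreshes = sum(ev.observe(t, b) for t, b in events)
    return refreshes, ev.idle_for(events[-1][0])


# Constructed traffic: 64-byte keepalives every 10 s for a minute, then a 5 KB burst.
KEEPALIVES = [(t, 64) for t in range(0, 61, 10)]
BURST = [(61.0, 5000)]
```

With a threshold of 100 B/s and a 10 s window, the keepalives alone never refresh the session (it stays idle for the full 60 s), while the burst does.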

To configure global Network Access client appearance

A status monitor displays in the system tray on Microsoft® Windows® client computers. You can suppress the status monitor display on Windows® 2000 and Windows® XP client computers, using the FirePass Global Settings screen.

The bandwidth value is required by Windows but does not represent the actual bandwidth. You can control the value that displays on the client computers. See the online help for more information.

  1. On the Global Settings screen, scroll down to the Client appearance area and check the Do not display tray icon for connection box.


  2. To change the bandwidth value displayed in the status window of the Network Access client on Windows systems, type a value in the Displayed bandwidth B/Sec box.


  3. To save the settings, click Save.

Configuring Network Access resource settings

After configuring global Network Access settings, the next step is to configure resource settings. Resource settings specify the Network Access name and DNS server (Domain Name Service server) that each resource group will use. You can use the settings to configure client machines in a resource group to use split tunneling. Split tunneling allows you to specify what client traffic is to be directed through an SSL VPN tunnel. Only network traffic that you specify is routed through the Network Access tunnel. A tunnel is a secure connection between computers or networks over a public network.

Note: You must configure resource settings before Network Access is available to any user.


To configure Network Access for a resource group
  1. On the navigation pane, click Network Access.
    The Resources screen displays with the Client Settings tab selected.

  2. From the Resource Group list at the top of the screen, select the resource group for which you are configuring Network Access resource settings.
    The screen refreshes to display the information for the group you selected.
    Note: The group must already exist in order for you to configure Network Access for that group. For information on creating groups, see Chapter 4, Using Groups with FirePass Controllers.

  3. In the Connection name box, type a name for the Network Access session.
    Client machines will display this name under the Network Access icon.

  4. In the DNS address box, type the IP address for your internal DNS server. If you have more than one DNS server, separate multiple addresses with a space.

  5. In the WINS address box, type the IP address for your internal WINS server. If you have more than one WINS server, separate multiple addresses with a space.
    Note: The WINS address is required for Microsoft® Networking to work properly.

  6. If you want to use split tunneling:

    1. Select the Use split tunneling box.
      The screen expands and displays the LAN address space box and the DNS address space box.

    2. Type one or more addresses or address/mask pairs in the LAN address space box. This list specifies the target LAN(s) for traffic directed through the Network Access tunnel. Separate multiple addresses or address/mask pairs with a space, comma, or semicolon. Only traffic to the addresses or subnets you enter here will go through Network Access.

    3. Type one or more names in the DNS address space box. This list specifies the target LAN DNS names for traffic directed through the Network Access tunnel. Separate multiple names with a space, comma, or semicolon. Only traffic to the names you enter here will go through the Network Access tunnel.

  7. If you want to use a proxy server:

    1. Check the Client proxy settings box.
      The screen displays additional fields.

    2. In the Autoconfig script box, type the URL of the proxy-autoconfiguration script.

    3. In the Address and Port boxes, type the IP address and port for the proxy server that Network Access clients will use to connect to the Internet.

    4. If you do not want to use the proxy server for all local (intranet) addresses, check the Bypass proxy for local addresses box.

    5. If there are Web addresses that do not need to be accessed through the proxy server, type the addresses in the Proxy exclusion list box. Separate addresses with a space, comma, or semicolon.

  8. If you want to compress traffic between the client computers and the FirePass controller, check the Use gzip compression box.
    Note: Using gzip compression improves connection speed, but some browsers may have problems with the compression.

  9. Click Update to update the client settings.
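The following is an added illustration, not FirePass code, of the split tunneling decision described in the split tunneling step above: it parses the LAN address space and DNS address space boxes exactly as they are typed (items separated by a space, comma, or semicolon; addresses or address/mask pairs) and reports whether a destination is sent through the Network Access tunnel or left untouched. Matching a listed DNS name against itself and any host beneath it is an assumption of this model; the configuration values are constructed.

```python
"""Model of FirePass split-tunneling route selection (added example, not F5 code).

Parses the LAN address space and DNS address space lists in the format the
Resources screen accepts and decides whether a destination is tunneled. The
suffix rule used for DNS names is an assumption of this model.
"""
import re
from ipaddress import ip_address, ip_network

# The screen accepts a space, comma, or semicolon between items.
SEPARATORS = re.compile(r"[ ,;]+")


def parse_list(text: str) -> list:
    """Split a box value on space, comma or semicolon, ignoring empty items."""
    return [item for item in SEPARATORS.split(text.strip()) if item]


class SplitTunnel:
    def __init__(self, lan_address_space: str, dns_address_space: str):
        # strict=False accepts "10.1.0.0/255.255.0.0" as well as bare hosts ("172.16.0.9")
        self.lan = [ip_network(item, strict=False) for item in parse_list(lan_address_space)]
        self.dns = [name.lower().strip(".") for name in parse_list(dns_address_space)]

    def tunnels_address(self, dst: str) -> bool:
        """True if traffic to this IP address goes through the Network Access tunnel."""
        addr = ip_address(dst)
        return any(addr in net for net in self.lan)

    def tunnels_name(self, hostname: str) -> bool:
        """True if a name lookup for this host is directed through the tunnel."""
        host = hostname.lower().rstrip(".")
        # a listed name matches itself and any host beneath it (assumption)
        return any(host == suffix or host.endswith("." + suffix) for suffix in self.dns)


# Constructed configuration, as it would be typed into the two boxes.
LAN_SPACE = "10.1.0.0/255.255.0.0, 192.168.50.0/24; 172.16.0.9"
DNS_SPACE = "corp.example.com intranet.example.net"
TUNNEL = SplitTunnel(LAN_SPACE, DNS_SPACE)
```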

Note: Microsoft Network browsing does not work in a configuration using network address translation (NAT).


Additional Network Access resources configuration options

You can configure additional Network Access resources options including drive mappings, automatic application launches, policy checks, customization, and host settings.


Configuring network share drive mappings

You can configure drive mappings for network shares that the system automatically maps on the remote client computer when it establishes the Network Access session.


To configure network shares
  1. On the Network Access : Resources screen, click the Drive Mappings tab.
    The Drive Mappings screen displays.

  2. In the Name box, type a name for the drive mapping.

  3. In the Path box, type a UNC path to the network share.
    Note: The path you enter is not verified by the FirePass controller.

  4. From the Map to list, select a preferred drive letter for the mapping.
    If the preferred drive letter is already taken on the client computer, another drive letter is substituted at connection.

  5. Click Add to add the drive mapping.

Configuring automatic application launches

You can have applications start automatically, whenever a remote user in a resource group makes a connection using Network Access.


To configure automatic application launches
  1. On the navigation pane, click Network Access.
    The Resources screen opens.

  2. Click the Launch Application tab.
    The Launch Applications screen displays.

  3. In the App Path box, type a complete path and file name for the application you want started. For example:
    iexplore http://127.3.54.34/sales/automation.pl

  4. In the Parameters box, type any necessary parameters for the application.

  5. Select the correct client operating system from the OS list.

  6. Click Add to add the application configuration.

Configuring policy checks

With policy checks you can monitor whether client systems are observing security policies. You have the option to prevent changes to the network settings or routing settings on the client computer while a connection through the Network Access client is active. You can also require specific applications like virus-checking software to be running on the client computers. You can prohibit other applications like known viruses from running on client computers.

Note: Policy checks are not supported on Macintosh and Linux remote clients.

To configure policy checks with Network Access
  1. On the navigation pane, click Network Access.
    The Resources screen opens.

  2. Click the Policy Checks tab.
    The Policy Checks screen displays.

  3. If you want to prohibit any changes to the network settings or routing table of the client computers, check the Prohibit routing table changes during Network Access connection box.
    When you select this option, the FirePass controller terminates the Network Access connection if there are any changes to the network or routing on a client computer during the connection.

  4. If you want to specify programs that must be running on the client computer, enter the application names in the Processes to be present box. Use a space to separate multiple applications.
    You can use Boolean operators (AND, OR, NOT) to specify combinations of applications that must be present. For example, (nisum.exe OR blackd.exe) AND navapsvc.exe means that a Network Access connection is only made if the client computer is running Norton Antivirus® (navapsvc.exe) and either Norton Personal Firewall™ (nisum.exe) or BlackIce Firewall™ (blackd.exe).

  5. If you want to specify programs that must not be running on the client computer, type the application names in the Processes to be absent box. Use a space to separate multiple applications.

  6. If you want to specify a particular HKEY value that must be in the registry on a Windows client computer, type the value in the Check system registry box. For more information, see the online help.

  7. To specify system service packs that must be present on the client computer, type the service packs in the Operating system service packs box.

  8. To specify Internet Explorer service packs that must be present on the client computer, type the service pack names in the Internet Explorer service packs box.

  9. When you are ready to update the group policy check settings, click Update.
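As an added illustration, not FirePass code, the evaluator below checks a Processes to be present expression such as the manual's (nisum.exe OR blackd.exe) AND navapsvc.exe against the list of processes running on a client. Operator precedence (NOT binds tightest, then AND, then OR) and case-insensitive process names are assumptions of this model.

```python
"""Evaluator for the Boolean process expressions accepted by the Processes to be
present box (added example, not FirePass code). Precedence NOT > AND > OR and
case-insensitive process names are assumptions of this model.
"""
import re

# a token is a parenthesis or any run of non-space, non-parenthesis characters
TOKEN = re.compile(r"\(|\)|[^\s()]+")


def tokenize(expr: str) -> list:
    return TOKEN.findall(expr)


class ProcessPolicy:
    """Recursive-descent evaluator: or_expr := and_expr (OR and_expr)* and so on."""

    def __init__(self, expression: str):
        self.tokens = tokenize(expression)

    def evaluate(self, running) -> bool:
        """True when the expression holds for the given running process names."""
        self.running = {p.lower() for p in running}
        self.pos = 0
        result = self._or()
        if self.pos != len(self.tokens):
            raise ValueError("unexpected token %r" % self.tokens[self.pos])
        return result

    def _peek(self):
        return self.tokens[self.pos].upper() if self.pos < len(self.tokens) else None

    def _or(self) -> bool:
        value = self._and()
        while self._peek() == "OR":
            self.pos += 1
            value = self._and() or value  # right side parsed first, so no short circuit
        return value

    def _and(self) -> bool:
        value = self._not()
        while self._peek() == "AND":
            self.pos += 1
            value = self._not() and value
        return value

    def _not(self) -> bool:
        if self._peek() == "NOT":
            self.pos += 1
            return not self._not()
        return self._atom()

    def _atom(self) -> bool:
        tok = self.tokens[self.pos] if self.pos < len(self.tokens) else None
        if tok == "(":
            self.pos += 1
            value = self._or()
            if self._peek() != ")":
                raise ValueError("missing closing parenthesis")
            self.pos += 1
            return value
        if tok is None or tok.upper() in ("AND", "OR", "NOT", ")"):
            raise ValueError("expected a process name, got %r" % tok)
        self.pos += 1
        return tok.lower() in self.running


# The manual's own example: antivirus plus one of two personal firewalls.
REQUIRED = ProcessPolicy("(nisum.exe OR blackd.exe) AND navapsvc.exe")
```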

Customizing the Network Access client

You can customize the behavior and appearance of the Network Access client for remote users. Use the customization configuration options to control what remote users see when they connect or disconnect, what messages display in the event of a connection error, and how the Network Access client behaves if Windows goes into power management mode.


To customize the Network Access client appearance and behavior
  1. On the navigation pane, click Network Access.
    The Resources screen opens.


  2. Click the Customization tab.
    The Customization screen displays.


  3. To configure Network Access client behavior after making a connection, under the Customization area, select the options you want:


    1. To have the remote user see a message after successfully connecting to the Network Access client, check the box for Present the user with a message box after successfully connecting Network Access client.


    2. To have the Network Access client window minimize after a successful connection is made, check the box for Minimize window after successfully connecting Network Access client.


  4. Click the Update button to update the Network Access configuration.

To configure Windows power management

You have several options on how the Network Access client behaves when Windows power management on a client computer takes effect.

  1. On the Resources screen, click the Customization tab.


  2. Under the Power Management area, select one of the options:


    • Do nothing. Ignore Power Management Events.


    • Prevent Windows from going into Standby/Hibernate mode during connection.


    • Terminate Network Access connection if Windows is going into Standby/Hibernate mode.


  3. Click the Update button to update the Network Access configuration.

To configure custom messages for the Network Access client to display

You can configure the Network Access client to display custom policy check messages when specific events occur.

  1. On the Resources screen, click the Customization tab near the top of the screen.
    The Customization screen displays.


  2. In the Custom Messages area, type the message you want the user to see, in the appropriate box. The options and their results are:


    • Connection Established--displays the message when the connection is established.


    • Connection Established using Fallback Configuration--displays the message when a connection is made using a fallback configuration.


    • Disconnect due to Routing Table Changes--displays the message when a connection is terminated because a change was made to the remote client's routing table.


    • Disconnect due to Configuration Error--displays the message when a connection is terminated because there was a configuration error.


    • Check for Processes Failed--displays the message when the check for processes fails.


    • Registry Check Failed--displays the message when the registry check fails.


    • System Patch Level Check Failed--displays the message when the system patch level check fails.


    • Internet Explorer Patch Level Check Failed--displays the message when the patch level check for Internet Explorer fails.


    • Personal Firewall/Antivirus Check Failed--displays the message when the check for a personal firewall and/or antivirus fails.


  3. When you have added the custom messages you want, click the Update button to update the custom messages configuration.

Configuring static host options

You can configure a list of static hosts for the Network Access client to use temporarily. The static hosts you configure temporarily modify a client computer's local hosts table and override your DNS server.


To configure static hosts
  1. On the Resources screen, click the Hosts tab.
    The Hosts screen displays.


  2. In the Hostname box, type a fully qualified host name.


  3. In the IP box, type the IP address of the host.


  4. To add the static host, click Add New.

Configuring Network Access master group settings

After configuring global and resource Network Access settings, the next step is to configure master group settings. Master group settings specify security policies for client workstations, and the appearance of the FirePass webtop. The security policies, or far-end policies, are security settings that apply to the remote workstations and include whether to require a client certificate, or to require a Protected Workspace on the workstations.

Note: You can also configure Network Access master group settings when you configure your master groups. For more information, see Understanding master groups.

To configure Network Access master group settings
  1. On the navigation pane, click Network Access, then click Master Group Settings.
    The Master Group Settings screen displays.

  2. From the Master Group list, select the master group for which you are configuring master group Network Access settings.
    The screen refreshes to display the information for the group you selected.
    Note: The group must already exist in order for you to configure Network Access for that group. For information on creating groups, see Chapter 4, Using Groups with FirePass Controllers.

  3. To change client certificate or Protected Workspace settings, in the Far End Policy area, click Click to change the client certificate or Protected Workspace validation settings.
    The tabbed Master Group configuration screen displays, with the Far-End Policy tab selected.

  4. Select the policy you want from the Select policy list. The default is to not apply any far-end policies to the group. Each choice refreshes the screen and displays additional configuration options.
    For detailed information on how to configure far-end policies, see Configuring far-end policies for a master group.

  5. To return to the Master Group Settings screen, click Master Group Settings on the left navigation pane.

  6. To change the Network Access webifyer appearance, click Click to change the status and/or webifyer position on the webtop.
    The master group Configuration screen displays, with the User Experience tab selected.

When you are done, click Update to update the master group settings. For detailed information on configuring the user experience, see Configuring the user experience for a master group.

Note: When you configure Network Access master group settings, you do so on the tabbed Master Group configuration screen. To return to the Network Access Master Group Settings screen, click Master Group Settings on the left navigation pane.

Installing the standalone VPN client

The FirePass controller standalone VPN client provides secure remote access without a browser session for Windows 2000 and Windows XP computers. For details on the standalone VPN client and how to install it, see Overview of the standalone VPN client for Windows.

