Manual Chapter: FirePass 5.2.2 Handbook: Configuring Network Access

Configuring Network Access


Overview of Network Access

Network Access provides remote users with the functionality of a traditional IPsec VPN client. However, unlike an IPsec VPN, Network Access does not require any pre-installed software or configuration on the remote user's computer.

FirePass Network Access

The FirePass controller's Network Access feature implements PPP (Point-to-Point Protocol) over SSL, a secure solution that works well with routers, firewalls, and proxy servers. Network Access gives remote users access to the applications and network resources you choose. Because it uses the standard HTTPS protocol, it works through HTTP proxy servers.

Network Access provides these benefits:

  • Browser-based access to client-server applications
    Network Access does not require any pre-installed, preconfigured software on the remote system. Remote users can access their applications without needing individual setup or configuration of their computers. Network Access supports UDP and TCP applications.


  • Simple maintenance
    Upgrading or replacement of remote computers does not require any VPN-related maintenance. Changes to the host network can be made without reconfiguring each remote computer.


  • Split tunneling
    If you enable this option, client traffic is split into two groups: traffic intended for the host network goes through Network Access, while all other traffic leaves the client directly and is untouched. Note that a split-tunneled client is connected to the host network and to its local network or the Internet at the same time.


  • Packet-based, group-based firewall
    You can restrict groups of users to particular ports and addresses within the host network. The feature provides full client-server application support without opening up the entire network to each user.


Configuring Network Access settings

You need to configure global settings and resource settings in order to make Network Access available to remote users. You must configure global settings first.

Note


You also have the option to open the Windows Network Access Client (standalone VPN client) screen from the Network Access menu by clicking Client Downloads. For more information about the standalone VPN client, see Overview of the standalone VPN client for Windows.

 

Configuring global Network Access settings

Network Access global settings specify the addresses used by a client computer's PPP adapter and by the FirePass controller. The client computer opens an SSL connection to the FirePass controller using its NIC (Network Interface Card) address. Once the connection is open, the client uses its assigned PPP address to communicate with the FirePass controller. Traffic from the PPP address is encrypted and sent through the Network Access connection, and the FirePass controller opens a proxy connection to the target server. You configure whether all client traffic or only traffic destined for specific networks uses the Network Access connection.

You also use the global settings to specify the address or addresses the FirePass controller uses to communicate with servers inside the network. If you choose to use NAPT (network address and port translation), communication between the FirePass controller and internal servers on your network uses the FirePass controller's own address. If you do not use NAPT, the client's VPN (PPP) address is used between the FirePass controller and internal network servers, so you must make sure that your internal network routes traffic for the VPN address range back to the FirePass controller.

Note


You must configure global settings before Network Access is available to a group.

 

Note


The IP addresses of the FirePass controller cannot fall within the VPN address range.

 

To configure global Network Access settings
  1. On the navigation pane, click Network Access, and then click Global Settings.
    The Global Settings screen displays.


  2. In the IP Address box and the Mask box, type the network address and mask that define the network to be used for VPN client addresses. Type a network address rather than a single host IP address. Each client's PPP adapter is assigned an address in this range.


  3. To update the client IP address range, click Update.


  4. While on this screen, you can also configure proxy connections, packet filter rules, and the global appearance of the Network Access client. If you choose to do any of these, continue with the procedures that follow.

To configure the FirePass controller address for proxy connections
  1. If you want to enable NAPT, on the Global Settings screen check the Use NAPT to access LAN box.


  2. To enable NAPT, click Apply these rules now.


If you are configuring other settings, continue.

To configure the FirePass controller to use packet filter rules
  1. If you want to enable packet filter rules, on the Global Settings screen check the Use packet filter to access LAN box.
    The Packet Filter Rules area opens.


  2. To add a rule, click Add New Rule.


  3. Type a name for the rule in the Rulename box.


  4. Select the protocol from the Proto list.


  5. Type a port in the Port box.


  6. Type an IP address and subnet mask in the Address/Mask box.


  7. Select an action from the Action list.


  8. To save the rule, click Save.


  9. To apply the rule, click Apply these rules now.


  10. For more information about packet filter rules, see the online help for the Network Access : Global Settings screen.

If you are configuring other settings, continue.
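The following is an added example, not FirePass code, that models the two global settings described above: the VPN client address pool (which must be entered as a network address and must not contain any of the controller's own addresses) and the packet filter rules, each made of a name, protocol, port, address/mask and action. First-match-wins ordering, a default deny when no rule matches, and the protocol names "tcp", "udp" and "any" are assumptions of this example; the page does not state how the controller orders or defaults its rules.

```python
"""Added example (not FirePass code): a model of the global Network Access
settings.  Checks the documented constraints on the VPN client pool and
evaluates packet filter rules (name / proto / port / address-mask / action).
First-match-wins, default deny and the proto names are this example's
assumptions, not something the FirePass page specifies."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


def vpn_pool(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Build the client pool from the IP Address and Mask boxes.
    strict=True raises ValueError for a host address such as
    10.200.0.5 / 255.255.255.0, which the page says not to enter."""
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=True)


def controller_addresses_in_pool(pool: ipaddress.IPv4Network,
                                 controller_ips: List[str]) -> List[str]:
    """Return any controller address that falls inside the VPN pool
    (the page says there must be none)."""
    return [a for a in controller_ips if ipaddress.IPv4Address(a) in pool]


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                       # "tcp", "udp" or "any" (assumed names)
    port: Optional[int]              # None means any port
    network: ipaddress.IPv4Network   # from the Address/Mask box
    action: str                      # "allow" or "deny"


def parse_rule(name: str, proto: str, port: str, address_mask: str,
               action: str) -> Rule:
    """Turn the five fields of one packet filter rule into a Rule.
    Address/Mask accepts 10.1.20.0/24, 10.1.20.0/255.255.255.0 or a bare
    host address (treated as /32)."""
    net = ipaddress.IPv4Network(address_mask, strict=True)
    p = None if port.strip() in ("", "any", "*") else int(port)
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return Rule(name, proto.lower(), p, net, action)


def evaluate(rules: List[Rule], proto: str, dst_ip: str,
             dst_port: Optional[int] = None) -> str:
    """Return the action of the first rule matching the packet, or "deny"
    when none matches (default deny is this example's assumption)."""
    dst = ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if r.proto not in ("any", proto.lower()):
            continue
        if r.port is not None and r.port != dst_port:
            continue
        if dst not in r.network:
            continue
        return r.action
    return "deny"


# Constructed sample configuration for a group that may only reach the
# web tier on 443 and the internal resolver on 53, nothing else on 10.1/16.
SAMPLE_RULES = [
    parse_rule("web-tier", "tcp", "443", "10.1.20.0/24", "allow"),
    parse_rule("dns", "udp", "53", "10.1.1.10", "allow"),
    parse_rule("lan-deny", "any", "", "10.1.0.0/255.255.0.0", "deny"),
]


def check_sample_config() -> dict:
    """Run the checks above on a constructed configuration."""
    pool = vpn_pool("10.200.0.0", "255.255.255.0")
    return {
        "pool_size": pool.num_addresses,
        "bad_controller_ips": controller_addresses_in_pool(
            pool, ["10.1.0.2", "10.200.0.1"]),
        "https_to_web": evaluate(SAMPLE_RULES, "tcp", "10.1.20.7", 443),
        "ssh_to_web": evaluate(SAMPLE_RULES, "tcp", "10.1.20.7", 22),
        "dns_query": evaluate(SAMPLE_RULES, "udp", "10.1.1.10", 53),
        "off_lan": evaluate(SAMPLE_RULES, "tcp", "192.168.5.5", 443),
    }


if __name__ == "__main__":
    print(check_sample_config())
```

The point of the explicit "lan-deny" rule is that a group-based filter should end with a deny covering the whole host network, so that anything you did not list (here, SSH to the web tier) is rejected whatever the controller's own default turns out to be.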

To configure global Network Access client appearance

A status monitor displays in the system tray on Microsoft® Windows® client computers. You can suppress the status monitor display on Windows® 2000 and Windows® XP client computers, using the FirePass Global Settings screen.

The bandwidth value is required by Windows but does not represent the actual bandwidth. You can control the value that displays on the client computers. See the online help for more information.

  1. On the Global Settings screen, scroll down to the Client appearance area and check the Do not display tray icon for connection box.


  2. To change the bandwidth value displayed in the status window of the Network Access client on Windows systems, type a value in the Displayed bandwidth B/Sec box.


  3. To save the settings, click Save.


Configuring Network Access resource settings

After configuring global Network Access settings, the next step is to configure resource settings. Resource settings specify the Network Access connection name and the DNS (Domain Name System) server that each group uses. You can also use these settings to configure the client machines in a group for split tunneling. With split tunneling you specify which client traffic is directed through the SSL VPN tunnel; only the network traffic you specify is routed through the Network Access tunnel. A tunnel is a secure connection between computers or networks over a public network.

Note


You must configure resource settings before Network Access is available to any user.

 

To configure Network Access resource settings
  1. On the navigation pane, click Network Access.
    The Resources screen displays with the Client Settings tab selected.

  2. In the Connection name box, type a name for the Network Access session.
    Client machines display this name under the Network Access icon.

  3. In the DNS address box, type the IP address of your internal DNS server. If you have more than one DNS server, separate the addresses with a space.

  4. In the WINS address box, type the IP address of your internal WINS server. If you have more than one WINS server, separate the addresses with a space.
    Note: The WINS address is required for Microsoft® Networking to work properly.

  5. If you want to use split tunneling:

    1. Check the Use split tunneling box.
      The screen expands and displays the LAN address space box and the DNS address space box.

    2. Type one or more addresses or address/mask pairs in the LAN address space box. This list specifies the target LAN(s) for traffic directed through the Network Access tunnel. Separate multiple addresses or address/mask pairs with a space, comma, or semicolon. Only traffic to the addresses or subnets you enter here goes through Network Access.

    3. Type one or more domain names in the DNS address space box. This list specifies the DNS names on the target LAN for which traffic is directed through the Network Access tunnel. Separate multiple names with a space, comma, or semicolon. Only traffic to the names you enter here goes through the Network Access tunnel.

  6. If you want to use a proxy server:

    1. Check the Client proxy settings box.
      The screen displays additional fields.

    2. In the Autoconfig script box, type the URL of the proxy autoconfiguration (PAC) script.

    3. In the Address box, type the IP address and port of the proxy server that Network Access clients use to connect to the Internet.

    4. If you do not want to use the proxy server for local (intranet) addresses, check the Bypass proxy for local addresses box.

    5. If there are Web addresses that do not need to be accessed through the proxy server, type them in the Proxy exclusion list box. Separate addresses with a space, comma, or semicolon.

  7. If you want to compress traffic between the client computers and the FirePass controller, check the Use gzip compression box.
    Note: gzip compression improves connection speed, but some browsers have problems with it.

  8. Click Update to update the client settings.

Note

Microsoft Network browsing does not work in a configuration that uses network address translation (NAT), such as the Use NAPT to access LAN global setting.
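The following is an added example, not FirePass code, of the split tunneling decision the LAN address space and DNS address space boxes describe. It splits the two lists on the separators the page allows (space, comma, semicolon), treats a bare address as a single host (/32), and decides whether a destination IP address or DNS name is sent through the Network Access tunnel. Suffix matching for names (mail.corp.example matches an entry of corp.example) is this example's assumption about how the DNS address space is applied; the page only says that traffic to the listed names is tunneled.

```python
"""Added example (not FirePass code): split tunneling decisions for the
LAN address space and DNS address space lists.  Suffix matching of DNS
names is an assumption of this example."""
from typing import List
import ipaddress
import re

# The page allows space, comma or semicolon between entries.
SEPARATORS = re.compile(r"[\s,;]+")


def parse_lan_address_space(text: str) -> List[ipaddress.IPv4Network]:
    """Parse the LAN address space box into networks.  A bare address
    becomes a /32.  strict=True rejects an entry with host bits set under
    its mask (e.g. 10.1.20.5/24) so a typo cannot silently widen the
    tunneled range."""
    return [ipaddress.IPv4Network(tok, strict=True)
            for tok in SEPARATORS.split(text.strip()) if tok]


def parse_dns_address_space(text: str) -> List[str]:
    """Parse the DNS address space box into normalized domain names."""
    return [tok.lower().strip(".")
            for tok in SEPARATORS.split(text.strip()) if tok]


def ip_is_tunneled(lan: List[ipaddress.IPv4Network], dst_ip: str) -> bool:
    """Only traffic to the listed addresses or subnets uses the tunnel."""
    dst = ipaddress.IPv4Address(dst_ip)
    return any(dst in net for net in lan)


def name_is_tunneled(dns_space: List[str], hostname: str) -> bool:
    """A name is tunneled when it equals a listed domain or sits under it
    (assumed suffix semantics)."""
    host = hostname.lower().strip(".")
    return any(host == d or host.endswith("." + d) for d in dns_space)


def route_for(lan: List[ipaddress.IPv4Network], dns_space: List[str],
              destination: str) -> str:
    """Return "tunnel" or "direct" for an IPv4 literal or a host name."""
    try:
        tunneled = ip_is_tunneled(lan, destination)
    except ValueError:              # not an IPv4 literal: treat as a name
        tunneled = name_is_tunneled(dns_space, destination)
    return "tunnel" if tunneled else "direct"


# Constructed sample of what an administrator might type into the two boxes.
LAN_SPACE = "10.1.0.0/16, 192.168.50.0/255.255.255.0; 172.16.9.4"
DNS_SPACE = "corp.example internal.example"


def sample_decisions() -> dict:
    """Route a handful of constructed destinations with the sample lists."""
    lan = parse_lan_address_space(LAN_SPACE)
    dns = parse_dns_address_space(DNS_SPACE)
    return {
        "entries": len(lan),
        "10.1.20.7": route_for(lan, dns, "10.1.20.7"),
        "172.16.9.4": route_for(lan, dns, "172.16.9.4"),
        "172.16.9.5": route_for(lan, dns, "172.16.9.5"),
        "8.8.8.8": route_for(lan, dns, "8.8.8.8"),
        "mail.corp.example": route_for(lan, dns, "mail.corp.example"),
        "notcorp.example": route_for(lan, dns, "notcorp.example"),
        "www.example.com": route_for(lan, dns, "www.example.com"),
    }


if __name__ == "__main__":
    for dest, decision in sample_decisions().items():
        print(f"{dest:20} {decision}")
```

Note that "notcorp.example" is routed directly even though it ends in "corp.example": the match is on a label boundary, so an external domain that merely shares a trailing string with an internal one does not get pulled into the tunnel.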

     

Additional Network Access resources configuration options

You can configure additional Network Access resources options including drive mappings, automatic application launches, policy checks, customization, and host settings.

Configuring network share drive mappings

You can configure drive mappings for network shares that the system automatically maps on the remote client computer when it establishes the Network Access session.

To configure network shares

Warning


Enabling auto-login (in step 6) causes the user's logon name and password to be sent over the SSL session to the client. If the client machine has been compromised, those credentials can be captured there.

 

  1. On the Network Access : Resources screen, click the Drive Mappings tab.
    The Drive Mappings screen displays.

  2. In the Name box, type a name for the drive mapping.

  3. In the Path box, type a UNC path to the network share.
    Note: The FirePass controller does not verify the path you enter.

  4. From the Map to list, select a preferred drive letter for the mapping.
    If the preferred drive letter is already taken on the client computer, another drive letter is substituted at connection time.

  5. Click Add to add the drive mapping.

  6. To log in automatically using FirePass login information, check the Auto-login to drive mappings using FirePass user login credentials box.

  7. Type the domain or workgroup name in the Domain/Workgroup box, or leave it blank to use the default.

  8. Click Update to accept the settings.


Configuring automatic application launches

You can have applications start automatically, whenever a remote user makes a connection using Network Access.

To configure automatic application launches
  1. On the navigation pane, click Network Access.
    The Resources screen opens.

  2. Click the Launch Application tab.
    The Launch Applications screen displays.

  3. In the App Path box, type the complete path and file name of the application you want started. For example:
    iexplore http://127.3.54.34/sales/automation.pl

  4. In the Parameters box, type any parameters the application needs.

  5. Select the client operating system from the OS list.

  6. To display a confirmation message before the launch occurs, check the Display message box before launching applications box, or leave the box cleared to have applications launch without intervention.

  7. Click Add to add the application configuration.


Configuring policy checks

With policy checks you can verify that client systems observe your security policies. You can prevent changes to the network settings or routing table on the client computer while a connection through the Network Access client is active. You can also require specific applications, such as virus-checking software, to be running on the client computers, and prohibit other applications, such as known viruses, from running.

Note


Policy checks are not supported on Macintosh® and Linux® remote clients.

 

To configure policy checks with Network Access
  1. On the navigation pane, click Network Access.
    The Resources screen opens.

  2. Click the Policy Checks tab.
    The Policy Checks screen displays.

  3. If you want to prohibit any changes to the network settings or routing table of the client computers, check the Prohibit routing table changes during Network Access connection box.
    When you select this option, the FirePass controller terminates the Network Access connection if the network or routing configuration on a client computer changes during the connection.

  4. If you want to specify programs that must be running on the client computer, type the process names in the Processes to be present box. Use a space to separate multiple names.
    You can use Boolean operators (AND, OR, NOT) to specify combinations of applications that must be present. For example, (nisum.exe OR blackd.exe) AND navapsvc.exe means that a Network Access connection is made only if the client computer is running Norton Antivirus® (navapsvc.exe) and either Norton Personal Firewall™ (nisum.exe) or BlackIce Firewall™ (blackd.exe).
    Note: Process checks match on the process name only; they do not verify what the executable behind that name actually is.

  5. If you want to specify programs that must not be running on the client computer, type the process names in the Processes to be absent box. Use a space to separate multiple names.

  6. If you want to specify a particular HKEY value that must be in the registry on a Windows client computer, type the value in the Check system registry box. For more information, see the online help.

  7. To specify operating system service packs that must be present on the client computer, type them in the Operating system service packs box.

  8. To specify Internet Explorer service packs that must be present on the client computer, type them in the Internet Explorer service packs box.

  9. When you are ready to update the policy check settings, click Update.

  10. To specify additional firewall and antivirus checking, check the McAfee VirusScan box.

  11. In the Scan Engine Version box, type the version number you want to require.

  12. In the Last Signature Update box, type the last signature update you want to require.

  13. When you are ready to update the Personal Firewalls/AntiVirus Checks settings, click Update.
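The following is an added example, not FirePass code, showing how the Boolean syntax of the Processes to be present box and the plain list of the Processes to be absent box can be evaluated against a client's process list. It uses a small recursive-descent parser for the page's (nisum.exe OR blackd.exe) AND navapsvc.exe form. Operator precedence (NOT binds tighter than AND, AND tighter than OR), case-insensitive name comparison, and the rejection of a malformed expression rather than silently passing the check are assumptions of this example; the process names in the sample list are constructed.

```python
"""Added example (not FirePass code): evaluator for the Processes to be
present (Boolean expression) and Processes to be absent (space-separated)
policy checks.  Precedence and case-insensitivity are assumptions."""
import re
from typing import List, Set, Tuple

# Tokens: parentheses, or any run of non-space, non-paren characters.
TOKEN = re.compile(r"\(|\)|[^\s()]+")


class _Parser:
    """Recursive descent: or_expr := and_expr (OR and_expr)*
                          and_expr := not_expr (AND not_expr)*
                          not_expr := NOT not_expr | ( or_expr ) | name"""

    def __init__(self, text: str):
        self.toks = TOKEN.findall(text)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() and self.peek().upper() == "OR":
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() and self.peek().upper() == "AND":
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok.upper() == "NOT":
            self.take()
            return ("not", self.parse_not())
        if tok == "(":
            self.take()
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok == ")" or tok.upper() in ("AND", "OR"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("proc", self.take().lower())


def _evaluate(node, running: Set[str]) -> bool:
    kind = node[0]
    if kind == "proc":
        return node[1] in running
    if kind == "not":
        return not _evaluate(node[1], running)
    if kind == "and":
        return _evaluate(node[1], running) and _evaluate(node[2], running)
    return _evaluate(node[1], running) or _evaluate(node[2], running)


def processes_present(expr: str, process_list: List[str]) -> bool:
    """True when the Boolean expression holds for the running processes."""
    running = {p.lower() for p in process_list}
    return _evaluate(_Parser(expr).parse(), running)


def processes_absent_violations(names: str, process_list: List[str]) -> List[str]:
    """Return the prohibited names (space-separated box) that are running."""
    running = {p.lower() for p in process_list}
    return [n for n in names.split() if n.lower() in running]


def policy_check(present_expr: str, absent_names: str,
                 process_list: List[str]) -> Tuple[bool, str]:
    """Apply both boxes and return (passed, reason)."""
    if present_expr.strip() and not processes_present(present_expr, process_list):
        return False, "Check for Processes Failed"
    bad = processes_absent_violations(absent_names, process_list)
    if bad:
        return False, "prohibited process running: " + ", ".join(bad)
    return True, "ok"


# Constructed process lists; the expression is the page's own example.
PRESENT = "(nisum.exe OR blackd.exe) AND navapsvc.exe"
ABSENT = "kazaa.exe netbus.exe"

if __name__ == "__main__":
    print(policy_check(PRESENT, ABSENT, ["explorer.exe", "blackd.exe", "NavApSvc.exe"]))
    print(policy_check(PRESENT, ABSENT, ["explorer.exe", "navapsvc.exe"]))
    print(policy_check(PRESENT, ABSENT, ["nisum.exe", "navapsvc.exe", "netbus.exe"]))
```

Because the comparison is on the process name alone, any executable renamed to navapsvc.exe satisfies the first box; treat this check as a hygiene gate for cooperating clients, not as proof that a particular product is installed and running.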


Customizing the Network Access client

You can customize the behavior and appearance of the Network Access client for remote users. Use the customization configuration options to control what remote users see when they connect or disconnect, what messages display in the event of a connection error, and how the Network Access client behaves if Windows goes into power management mode.

To customize the Network Access client appearance and behavior
  1. On the navigation pane, click Network Access.
    The Resources screen opens.


  2. Click the Customization tab.
    The Customization screen displays.


  3. To configure Network Access client behavior after making a connection, under the Customization area, select the options you want:


    1. To have the remote user see a message after successfully connecting to the Network Access client, check the box for Present the user with a message box after successfully connecting Network Access client.


    2. To have the Network Access client window minimize after a successful connection is made, check the box for Minimize window after successfully connecting Network Access client.


  4. Click the Update button to update the Network Access configuration.


To configure Windows power management

You have several options on how the Network Access client behaves when Windows power management on a client computer takes effect.

  1. On the Resources screen, click the Customization tab.


  2. Under the Power Management area, select one of the options:


    • Do nothing. Ignore power management events


    • Prevent Windows from going into standby/hibernate during connection


    • Terminate Network Access connection if Windows is going into standby/hibernate


  3. Click the Update button to update the Network Access configuration.


To configure custom messages for the Network Access client to display

You can configure the Network Access client to display custom messages when specific events occur, such as a successful connection or a failed policy check.

  1. On the Resources screen, click the Customization tab near the top of the screen.
    The Customization screen displays.


  2. In the Custom Messages area, type the message you want the user to see, in the appropriate box. The options and their results are:


    • Connection Established--displays the message when the connection is established.


    • Disconnect due to Routing Table Changes--displays the message when a connection is terminated because a change was made to the remote client's routing table.


    • Disconnect due to Configuration Error--displays the message when a connection is terminated because there was a configuration error.


    • Check for Processes Failed--displays the message when the check for processes fails.


    • Registry Check Failed--displays the message when the registry check fails.


    • System Patch Level Check Failed--displays the message when the system patch level check fails.


    • Internet Explorer Patch Level Check Failed--displays the message when the patch level check for Internet Explorer fails.


    • Personal Firewall/Antivirus Check Failed--displays the message when the check for a personal firewall and/or antivirus fails.


  3. When you have added the custom messages you want, click the Update button to update the custom messages configuration.


Configuring static host options

You can configure a list of static hosts for the Network Access client to use while it is connected. The static hosts you configure temporarily modify the client computer's local hosts table, so those names resolve to the addresses you specify instead of being looked up through your DNS server.

To configure static hosts
  1. On the Resources screen, click the Hosts tab.
    The Hosts screen displays.


  2. In the Hostname box, type a fully qualified host name.


  3. In the IP box, type the IP address of the host.


  4. To add the static host, click Add New.


Installing the standalone VPN client

The FirePass controller standalone VPN client provides secure remote access without a browser session for Windows 2000 and Windows XP computers. For details on the standalone VPN client and how to install it, see Overview of the standalone VPN client for Windows.

