Manual: FirePass® Controller Administrator Guide, version 5.5

Original Publication Date: 11/22/2005

Table of Contents

Legal Notices

Introducing the FirePass Controller

Introducing the FirePass controller

Introducing FirePass controller features

Reviewing the FirePass controller models

Finding the FirePass controller software version number

Understanding the FirePass controller

Getting started with the FirePass controller

The recommended path

Possible configuration scenarios

Using this guide

Stylistic conventions in this document

Finding help and technical support resources

Managing Users and Configuring Groups

Introducing master groups and resource groups

Understanding master groups

Understanding resource groups

Understanding how master groups and resource groups work together

Working with user accounts

Configuring authentication for users

Creating internal users on the FirePass controller

Managing user information in an external data store

Managing users in the FirePass controller data store

Setting up master groups and users

Configuring a master group

Populating master groups with users

Understanding entries in the User Management list

Understanding dynamic group mapping

Finding procedures for dynamic group mapping

Understanding the group mapping process

Using dynamic group mapping

Setting and changing mapping priority

Specifying the request configuration

Configuring user information mapping updates

Setting up authentication

Choosing an authentication scheme

Setting up internal authentication

Setting up RADIUS server authentication

Setting up LDAP server authentication

Setting up HTTP basic authentication to external server

Setting up initial signup on LDAP with subsequent strong internal password

Setting up Windows domain server authentication

Setting up Active Directory authentication (Kerberos authentication)

Setting up HTTP form-based authentication

Setting up client-certificate-based authentication

Setting up RSA SecurID authentication

Working with resource groups

Creating favorites in resource groups

Associating resource groups with users

Configuring resource group favorites

Introducing realms

Configuring the Full Access realm

Configuring the FirePass controller for realms

Assigning administrative privileges to a user account

Upgrading with administrators configured in versions previous to FirePass 5.4

Using reports inside realms

Configuring Endpoint Security

Understanding endpoint security

Collecting information

Performing remediation

Protecting resources

Understanding protection options

Understanding protection limitations

Using pre-logon sequences

Understanding pre-logon sequence flow

Understanding the visual policy editor

Understanding pre-logon sequence elements

Implementing client system checking

Creating pre-logon sequences to protect resources

Creating a pre-logon sequence

Using data gathered by pre-logon sequences

Assigning a protected configuration

Using actions in pre-logon sequences

Defining rules for actions in pre-logon sequences

Browser requirements for endpoint security

Creating protected configurations

Protecting resources

Understanding protection assignment

Configuring post-logon protection

Using other kinds of protection

Using Server Certificates

Understanding SSL server certificates

Using server certificates on the FirePass controller

Using Certificate Authority-signed SSL server certificates

Using self-signed SSL server certificates

Managing certificates on the FirePass controller

Displaying information on installed certificates

Generating a Certificate Signing Request or self-signed certificate

Submitting the CSR

Understanding the files generated for the self-signed certificate

Installing a server certificate

Associating an SSL server certificate with a web service

Installing a self-signed certificate on client computers

Updating installed server certificates

Deleting installed certificates

Installing and configuring client root certificates

Using CRLs and OCSP

Using OCSP to validate client certificates

Configuring Network Access

Introducing Network Access

Understanding Network Access features

Understanding FirePass controller Network Access

Using client applications with Network Access

Configuring global Network Access settings

Understanding routing

Configuring global packet filter rules

Using overlapping IP address pools

Configuring bitrate evaluator parameters

Configuring Network Access resource group settings

Understanding Client Settings options

Understanding DNS options

Understanding Hosts options

Understanding Drive Mappings options

Understanding Launch Application options

Understanding IP Group Filters options

Understanding Policy Checks options

Understanding Customization options

Configuring Network Access master group settings

Downloading client components

Installing the F5 Networks VPN Client for Windows

Installing the Networks Client API

Establishing client connections

Configuring Portal Access

Introducing Portal Access

Introducing Portal Access features and operation

Introducing Portal Access application support

Configuring web applications on the FirePass controller

Understanding proxy and cache functionality

Defining favorites for Portal Access Web Applications access

Configuring web applications for minimal rewriting

Configuring NTLM and basic authentication proxy

Configuring split tunneling for Portal Access

Configuring accessibility scope

Preserving host names

Configuring content processing for web applications

Configuring caching and compression

Configuring intranet webtop options

Preserving page content

Configuring proxy options

Configuring Windows files

Configuring Windows Files favorites

Configuring Windows Files master group settings

Configuring Mobile E-Mail

Configuring the LDAP query

Configuring LDAP as the email address source

Disabling email attachments

Changing where Mobile E-Mail links appear on the webtop

Configuring content inspection

Configuring cross site scripting security

Configuring SQL injection scanning

Configuring buffer overflow protection

Configuring anti-virus scanning of uploaded files

Configuring Application Access

Introducing Application Access

Understanding App Tunnels

Defining App Tunnel favorites

Configuring App Tunnel auto-open

Creating App Tunnels to network file shares

Configuring master group settings for App Tunnels

Understanding Legacy Host connections

Defining legacy host favorites

Configuring legacy hosts keyboard mapping

Configuring master group settings for legacy hosts connections

Configuring terminal server favorites

Configuring master group settings for terminal server connections

Configuring global settings for Application Access

Handling Windows power-management events

Configuring client messages for Windows loopback

Managing and Monitoring the FirePass Controller

Configuring global FirePass controller settings

Maintaining the network configuration settings

Understanding the finalize process

Understanding the Interfaces tab settings

Configuring VLAN settings

Configuring IP addresses and subnets

Configuring routing tables and rules

Configuring DNS

Configuring host names

Configuring web services

Other network settings

Other configuration activities

Configuring Admin Email

Adding definitions for other types of browsers

Configuring a new RSA SecurID authentication server (for Native RSA authentication)

Specifying the SMTP email server

Configuring an SNMP agent

Specifying HTTP and SSL proxies

Specifying the time, time zone, and NTP server

Performing maintenance

Managing FirePass controller licenses

Backing up and restoring the FirePass controller

Upgrading controller software

Managing log files

Configuring for RADIUS accounting

Shutting down and restarting the FirePass controller

Using the troubleshooting tools

Monitoring the FirePass controller

Displaying FirePass controller statistics

Displaying FirePass controller system health

Monitoring the load on a FirePass controller

Customizing the users' webtop

Using FirePass Controller Reports

Overview of FirePass controller reports

Using the App Logs report

Working with the App Logs report

Understanding entries in the App Logs report

Using the Group report

Working with the Group report

Understanding entries in the Group report

Using HTTP Log reports

Working with the HTTP Log report

Understanding entries in the HTTP Logs report

Using the Logons report

Working with the Logons report

Understanding entries in the Logons report

Using the Sessions report

Working with the Sessions report

Understanding entries in the Sessions report

Using the Summary report

Working with the Summary report

Understanding entries in the Summary report

Using the System Logs report

Working with the System Logs report

Understanding entries in the System Logs report

Using FirePass Controllers for Failover

Understanding FirePass controller high availability

Introducing failover configuration

Reviewing the configuration process

Introducing a failover member into a production environment

Configuring the active FirePass controller

Enabling failover on the active controller

Configuring the active controller with a self IP address

Configuring the active controller with a shared IP address

Configuring web services for the shared IP address of the active controller

Configuring the active controller's heartbeat, synchronization, and miscellaneous settings

Configuring the standby FirePass controller

Enabling failover on the standby controller

Configuring the standby controller with a self IP address

Configuring a shared IP address

Checking the FQDN

Configuring DNS server entries

Adding and configuring web services, and specifying a synchronization service

Configuring the heartbeat

Finalizing and restarting the active controller

Accessing a standby controller that is already in production

Post-configuration tasks

Starting failover controllers

Verifying the failover configuration

Verifying controller identity

Triggering manual failover

Using Macintosh or Linux clients with FirePass Controller

Using Macintosh and Linux clients with FirePass controller

Introducing supported Network Access features

Using Macintosh clients

Using Linux clients

Configuring the starting of applications on Macintosh or Linux clients

Installing the client on Macintosh and Linux systems

Understanding Network Access error messages on Macintosh or Linux clients

Using FirePass Controllers in Clusters

Understanding FirePass controller clusters

Understanding synchronization in clusters

Installing FirePass controllers as a cluster

Configuring FirePass controller clusters

Making configuration changes in clusters

Understanding the configuration process

Enabling clustering

Configuring clustering synchronization

Configuring a synchronization service

Verifying the cluster configuration

Configuring load balancing

Configuring load balancing on the primary node

Configuring load balancing on the secondary node

Activating load balancing

Verifying the load balancing configuration

Managing a cluster configuration

Accessing a secondary controller's configuration

Displaying statistics for a FirePass controller cluster

Using Web Applications Engine Trace

Understanding Web Applications engine trace

Using the Web Applications engine trace feature

Understanding trace files

Analyzing Web Applications engine traces

Fixing common problems

How-To Examples

Introducing how-to scenarios

Denying access to users running Google Desktop Search

Creating the Google Desktop Check pre-logon sequence

Adding the Google Desktop Check action to the pre-logon sequence

Customizing the Google Desktop Check logon-denied message

Denying and allowing logons from specific operating systems and requiring certificates

Rule 1 - Deny Windows 95, Windows 98, and Windows Me connections

Rule 2 - Require Windows NT and Windows 2000 clients to log on using the virtual keyboard

Rule 3 - Allow logons only from Windows XP, Linux, Pocket PC, and Macintosh computers that have a valid certificate