Applies To:

Show Versions Show Versions

Manual: FirePass Controller Administrator Guide, version 6.0

Original Publication Date: 06/23/2006

FirePass® Controller
version 6.0
Administrator Guide

Table of Contents

Legal Notices

1. Introducing the FirePass Controller

Introducing the FirePass controller

Introducing FirePass controller features

Reviewing the FirePass controller models

Finding the FirePass controller software version number

Understanding the FirePass controller

Getting started with the FirePass controller

The recommended path

Possible configuration scenarios

Using this guide


Stylistic conventions in this document

Finding help and technical support resources

2. Managing Users and Configuring Groups

Introducing master groups and resource groups

Understanding master groups

Understanding resource groups

Understanding how master groups and resource groups work together

Understanding user account management options

Configuring authentication for users

Creating internal users on the FirePass controller

Managing user information in an external data store

Managing users in the FirePass controller data store

Setting up master groups and users

Configuring a master group

Populating master groups with users

Understanding entries in the User Management list

Understanding dynamic group mapping

Finding procedures for dynamic group mapping

Understanding dynamic master group mapping

Understanding how a user is authenticated

Understanding dynamic resource group mapping

Understanding how resource groups are assigned

Using dynamic group mapping

Setting and changing mapping priority

Setting up authentication

Choosing an authentication scheme

Setting up internal authentication

Setting up RADIUS server authentication

Setting up LDAP server authentication

Setting up HTTP basic authentication to external server

Setting up initial signup on LDAP with subsequent strong internal password

Setting up Windows domain server authentication

Setting up Active Directory authentication (Kerberos authentication)

Setting up HTTP form-based authentication

Setting up client-certificate-based authentication

Setting up RSA SecurID authentication

Working with resource groups

Creating favorites in resource groups

Associating resource groups with users

Configuring resource group favorites

Impersonating a user

3. Configuring Endpoint Security

Understanding endpoint security

Collecting information

Using the inspectors

Using session variables

Performing remediation

Protecting resources

Understanding protection options

Understanding protection limitations

Using pre-logon sequences

Understanding pre-logon sequence flow

Understanding the visual policy editor

Understanding pre-logon sequence elements

Implementing client system checking

Creating pre-logon sequences to protect resources

Creating a pre-logon sequence

Using data gathered by pre-logon sequences

Assigning a protected configuration

Using actions in pre-logon sequences

Defining rules for actions in pre-logon sequences

Browser requirements for endpoint security

User rights requirements for protected workspace and pre-logon inspectors

Creating protected configurations

Protecting resources

Understanding protection assignment

Configuring post-logon protection

Using other kinds of protection

4. Using Server Certificates

Understanding SSL server certificates

Using server certificates on the FirePass controller

Using Certificate Authority-signed SSL server certificates

Using self-signed SSL server certificates

Managing certificates on the FirePass controller

Displaying information on installed certificates

Generating a Certificate Signing Request or self-signed certificate

Submitting the CSR

Understanding the files generated for the self-signed certificate

Installing a server certificate

Associating an SSL server certificate with a web service

Installing a self-signed certificate on client computers

Updating installed server certificates

Deleting installed certificates

Installing and configuring client root certificates

Using CRLs and OSCP

Using OCSP to validate client certificates

5. Configuring Network Access

Introducing Network Access

Understanding Network Access features

Understanding FirePass controller Network Access

Using client applications with Network Access

Configuring global Network Access settings

Understanding routing

Configuring global packet filter rules

Using overlapping IP address pools

Configuring bitrate evaluator parameters

Configuring Network Access resource group settings

Understanding Client Settings options

Understanding DNS options

Understanding Hosts options

Understanding Drive Mappings options

Understanding Launch Application options

Understanding IP Group Filters options

Understanding Policy Checks options

Understanding Customization options

Configuring Network Access master group settings

Customizing the user experience for Network Access connections

6. Configuring Application Access

Introducing Application Access

Understanding App Tunnels

Choosing a static or dynamic App Tunnel

Defining a web application tunnel

Understanding access restrictions for App Tunnels

Defining App Tunnel favorites

Creating web application App Tunnel favorites

Configuring Remote Host and Local Host settings: important considerations

Creating custom App Tunnels

Configuring App Tunnels that open automatically

Creating static App Tunnels to network file shares

Restricting access to App Tunnels

Configuring master group settings for App Tunnels

Understanding common master group settings for all App Tunnels

Understanding master group settings for dynamic and web application tunnels

Understanding Legacy Host connections

Defining legacy host favorites

Configuring legacy hosts keyboard mapping

Configuring master group settings for legacy hosts connections

Configuring terminal server favorites

Configuring master group settings for terminal server connections

Configuring global settings for Application Access

Handling Windows power-management events

Configuring client messages for Windows loopback

7. Configuring Portal Access

Introducing Portal Access

Introducing Portal Access features and operation

Introducing Portal Access application support

Configuring web applications on the FirePass controller

Understanding proxy and cache functionality

Defining favorites for Portal Access Web Applications access

Configuring web applications for minimal rewriting

Configuring NTLM and basic authentication proxy

Configuring split tunneling for Portal Access

Understanding access control lists for Portal Access

Preserving host names

Configuring content processing for web applications

Configuring caching and compression

Configuring intranet webtop options

Preserving page content

Configuring proxy options

Configuring Windows files

Configuring Windows Files favorites

Configuring Windows Files master group settings

Configuring Mobile E-Mail

Configuring the LDAP query

Configuring LDAP as the email address source

Disabling email attachments

Changing where Mobile E-Mail links appear on the webtop

Configuring content inspection

Configuring cross site scripting security

Configuring SQL injection scanning

Configuring buffer overflow protection

Configuring anti-virus scanning of uploaded files

8. Managing and Monitoring the FirePass Controller

Configuring global FirePass controller settings

Maintaining the network configuration settings

Understanding the finalize process

Understanding the Interfaces tab settings

Configuring VLAN settings

Configuring IP addresses and subnets

Configuring routing tables and rules

Configuring DNS

Configuring host names

Configuring web services

Configuring other network settings

Configuring access scope

Introducing realms

Configuring the Full Access realm

Configuring the FirePass controller for realms

Assigning administrative privileges to a user account

Upgrading with administrators configured in versions previous to FirePass 5.4

Using reports inside realms

Completing other configuration activities

Configuring Admin Email

Adding definitions for other types of browsers

Configuring a new RSA SecurID authentication server (for Native RSA authentication)

Specifying the SMTP email server

Configuring an SNMP agent

Specifying HTTP and SSL proxies

Specifying the time, time zone, and NTP server

Performing maintenance

Managing FirePass controller licenses

Backing up and restoring the FirePass controller

Upgrading controller software

Managing log files

Configuring for RADIUS accounting

Shutting down and restarting the FirePass controller

Using the troubleshooting tools

Monitoring the FirePass controller

Displaying FirePass controller statistics

Displaying FirePass controller system health

Monitoring the load on a FirePass controller

Customizing the user's webtop

Configuring for multiple languages

9. Using FirePass Controller Client Components

Downloading client components

Using Windows clients with the FirePass controller

Installing client components on Windows systems

Using MSI to preinstall client components

Using the Component Installer

Installing the F5 Networks VPN Client for Windows

Installing the Networks Client API

Using Macintosh and Linux clients with the FirePass controller

Introducing supported Network Access features

Using Macintosh clients

Using Linux clients

Configuring the starting of applications on Macintosh or Linux clients

Installing the client on Macintosh and Linux systems

Establishing client connections

Understanding Network Access error messages on Macintosh or Linux clients

Controlling the client using the command-line interface

Using the -start command

Using the -stop command

Using the -info command

Using the -profile command

Using the -help command

Using the command-line interface on the client

10. Using FirePass Controller Reports

Overview of FirePass controller reports

Using the App Logs report

Working with the App Logs report

Understanding entries in the App Logs report

Using the Group report

Working with the Group report

Understanding entries in the Group report

Using HTTP Log reports

Working with the HTTP Log report

Understanding entries in the HTTP Logs report

Using the Logons report

Working with the Logons report

Understanding entries in the Logons report

Using the Sessions report

Working with the Sessions report

Understanding entries in the Sessions report

Using the Summary report

Working with the Summary report

Understanding entries in the Summary report

Using the System Logs report

Working with the System Logs report

Understanding entries in the System Logs report

11. Using FirePass Controllers for Failover

Understanding FirePass controller high availability

Introducing failover configuration

Reviewing the configuration process

Introducing a failover member into a production environment

Configuring the active FirePass controller

Enabling failover on the active controller

Configuring the active controller with a self IP address

Configuring the active controller with a shared IP address

Configuring web services for the IP addresses of the active controller

Configuring the active controller's heartbeat, synchronization, and miscellaneous settings

Configuring the standby FirePass controller

Enabling failover on the standby controller

Configuring the standby controller with a self IP address

Configuring a shared IP address

Checking the FQDN

Configuring DNS server entries

Adding and configuring web services, and specify a synchronization service

Configuring the heartbeat

Finalizing and restarting the active controller

Accessing a standby controller

Post-configuration tasks

Starting failover controllers

Verifying the failover configuration

Verifying controller identity

Triggering manual failover

12. sing FirePass Controllers in Clusters

Understanding FirePass controller clusters

Understanding synchronization in clusters

Installing FirePass controllers as a cluster

Configuring FirePass controller clusters

Making configuration changes in clusters

Understanding the configuration process

Consolidating logs

Enabling clustering

Configuring the primary node

Configuring the secondary nodes

Configuring clustering synchronization

Configuring a synchronization service

Configuring load balancing

Configuring load balancing on the primary node

Configuring load balancing on the secondary node

Activating load balancing

Verifying the cluster configuration

Verifying the load balancing configuration

Managing a cluster configuration

Accessing a secondary controller's configuration

Displaying statistics for a FirePass controller cluster

13. Using Web Applications Engine Trace

Understanding Web Applications engine trace

Using the Web Applications engine trace feature

Understanding trace files

Analyzing Web Applications engine traces

Fixing common problems

Appendix A. How-To Examples

Introducing how-to scenarios

Denying access to users running Google Desktop Search

Creating the Google Desktop Check pre-logon sequence

Adding the Google Desktop Check action to the pre-logon sequence

Customizing the Google Desktop Check logon-denied message

Denying and allowing logons from specific operating systems and requiring certificates

Rule 1 - Deny Windows 95, Windows 98, and Windows Me connections

Rule 2 - Require Windows NT and Windows 2000 clients to log on using the virtual keyboard

Rule 3 - Allow logons only from Windows XP, Linux, Pocket PC, and Macintosh computers that have a valid certificate