If you want to use Users and User Groups from an integrated Active Directory server as the source and destination of rules, you must install the User Agent software on a Windows server that communicates with the Active Directory Domain Controllers. You define the information about the Domain Controllers in the properties of the Active Directory Server element. You define the information about the User Agent as a User Agent element, and specify which User Agent each firewall communicates with in the properties of the firewall.
Examples of Directory Servers
The examples in this section illustrate some common uses for Directory Servers in StoneGate and general steps on how each scenario is configured.
Using the Internal User Database
Company A has a general office network and a separate HR network for servers that contain HR information, such as employee records and payroll information. The servers restrict which users have access, but for auditing reasons, the administrators want to separate the users into groups and require authentication to access the HR network. The administrators:
1. Create a User Group “HR Users” in the InternalDomain and assign one of the default internal authentication methods.
2. Create User elements for each person with access rights under the HR Users group.
3. Define Access rules for user authentication on the firewall.
Using StoneGate with a Microsoft Active Directory Server
This example provides an overview to the configuration. For more information on configuring IAS, consult Microsoft’s documentation at http://technet.microsoft.com/.
Company B has an existing Microsoft Active Directory server that stores user information. They decide to use this existing server’s directory services in StoneGate.
The administrators:
1. Define an Active Directory Server element.
2. Add the StoneGate-specific classes and attributes into the Active Directory server’s configuration to be able to fully manage the user accounts through the Management Client.
3. Define StoneGate as an LDAP client for the Active Directory server.
4. Define StoneGate as an authentication client for the IAS.
5. Add a new LDAP Domain element for the Active Directory server in the Management Client.
C HA PT E R 22
U SER A UTHENTICATION ON THE F IREWALL
User authentication means requiring the users of services in your network to authenticate themselves before they are given access to some resources. User authentication on the firewall means that the firewall checks user credentials against its own replica of the user database.
The following sections are included:
Overview to User Authentication on the Firewall (page 188)
Configuration of User Authentication on the Firewall (page 188)
Example of User Authentication on the Firewall (page 191)
Overview to User Authentication on the Firewall
User authentication means requiring the users to prove their identity before giving access to a network resource. User authentication is mandatory with client-to-gateway VPNs, but you can require it for non-VPN connections as well. User authentication on the firewall is only supported for IPv4 traffic.
User authentication requires creating user accounts. See Directory Servers (page 181) for more information about user accounts. Different users can use different authentication methods.
Storing the user information and authenticating the users are two separate concepts with separate options.
User authentication proceeds as follows:
1. The user opens an authentication connection to the firewall.
2. The firewall checks if the user exists and which authentication method the user should use.
3. The user-supplied credentials are verified.
If authentication succeeds, the firewall lists the user as an authenticated user, taking note of both username and authentication method.
When the user opens new connections, IPv4 Access rules that contain an authentication requirement may now match (in addition to other rules). The username and authentication method are both separately considered as matching criteria.
When the configured timeout is reached, the authentication expires and the user is removed from the list of authenticated users. Access rules that require authentication no longer match the user’s connections.
Configuration of User Authentication on the Firewall
Authentication methods define the authentication method used by particular users and user groups. The illustration below shows how elements are configured for user authentication on the firewall:
Illustration 22.1 Configuring User Authentication
Authentication Methods define the allowed authentication methods for IPv4 Access rules and for the Users and User Groups. Both User and User Group elements can be used in IPv4 Access rules to define rules that only match connections from specific, successfully authenticated
Firewall Policy User
Groups
Users Authentication
Methods
users. A specific Authentication Method definition is needed in each IPv4 Access rule especially when the Users and User Groups have several allowed Authentication Methods. Otherwise, the rules can allow any defined Authentication Method that is allowed for the included users.
Default Elements
There are three predefined Authentication Methods for user authentication on the firewall:
•IPsec Certificate is for IPsec VPN client certificate-based authentication.
•Pre-Shared Key Method is for use with some third-party VPN clients.
•User Password is for simple password authentication against the internal LDAP database (including user authentication in IPsec VPN client hybrid authentication).
To use the firewall for user authentication, you must use one of the predefined Authentication Methods.
Configuration Workflow
The following sections provide an overview of the configuration tasks. Detailed step-by-step instructions can be found in the Online Help of the Management Client and the Administrator’s Guide PDF.