version 7.0
MAN-0211-03
Product Version
This manual applies to product version 7.0 of the FirePass® product.
Publication Date
This manual was published on May 26, 2010.
Legal Notices
Copyright
Copyright 1999-2010, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5
assumes no responsibility for the use of this information, nor any infringement of patents or other rights of
third parties which may result from its use. No license is granted by implication or otherwise under any
patent, copyright, or other intellectual property right of F5 except as specifically described by applicable
user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, Acopia, Acopia Networks, Application Accelerator, Ask
F5, Application Security Manager, ASM, ARX, Data Guard, Enterprise Manager, EM, FirePass,
FreedomFabric, Global Traffic Manager, GTM, iControl, Intelligent Browser Referencing, Internet
Control Architecture, IP Application Switch, iRules, Link Controller, LC, Local Traffic Manager, LTM,
Message Security Module, MSM, NetCelera, OneConnect, Packet Velocity, SSL Accelerator, SYN Check,
Traffic Management Operating System, TMOS, TrafficShield, Transparent Data Reduction, uRoam,
VIPRION, WANJet, WebAccelerator, and ZoneRunner are trademarks or service marks of F5 Networks,
Inc., in the U.S. and other countries, and may not be used without F5's express written consent.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which
case the user may be required to take adequate measures.
FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant
to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful
interference when the equipment is operated in a commercial environment. This unit generates, uses, and
can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual,
may cause harmful interference to radio communications. Operation of this equipment in a residential area
is likely to cause harmful interference, in which case the user, at his own expense, will be required to take
whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's
authority to operate this equipment under part 15 of the FCC rules.
Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to
Information Technology products at the time of manufacture.
Table of Contents
1 Introducing the FirePass Controller
Introducing the FirePass controller ............................................................................................1-1
Introducing FirePass controller features ..........................................................................1-1
Reviewing the FirePass controller models .......................................................................1-3
Finding the FirePass controller software version number ...........................................1-4
Understanding the FirePass controller .............................................................................1-5
Getting started with the FirePass controller ............................................................................1-9
The recommended path .......................................................................................................1-9
Possible configuration scenarios ...................................................................................... 1-10
Using this guide ............................................................................................................................. 1-12
Audience ............................................................................................................................... 1-12
Stylistic conventions in this document ........................................................................... 1-12
Finding help and technical support resources ....................................................................... 1-15
2 Managing Users and Configuring Groups
Introducing master groups and resource groups ....................................................................2-1
Understanding master groups .............................................................................................2-1
Understanding resource groups .........................................................................................2-1
Understanding how master groups and resource groups work together ...............2-2
Understanding user account management options ........................................................2-3
Configuring authentication for users .................................................................................2-4
Creating internal users on the FirePass controller ........................................................2-4
Managing user information in an external data store .............................................................2-6
Managing users in the FirePass controller data store .............................................................2-8
Setting up master groups and users ...........................................................................................2-9
Configuring a master group .............................................................................................. 2-11
Populating master groups with users ............................................................................. 2-13
Understanding entries in the User Management list .................................................. 2-15
Setting up dynamic group mapping .......................................................................................... 2-16
Finding procedures for dynamic group mapping ......................................................... 2-16
Understanding dynamic master group mapping ........................................................... 2-17
Understanding how a user is authenticated ................................................................. 2-17
Understanding dynamic resource group mapping ....................................................... 2-18
Understanding how resource groups are assigned ..................................................... 2-19
Using dynamic group mapping ......................................................................................... 2-22
Using enhanced session variables created from RADIUS attributes ...................... 2-48
Customizing landing URI or virtual host logon ............................................................ 2-48
Customizing domain and password order .................................................................... 2-51
Setting and changing mapping priority ........................................................................... 2-52
Customizing virtual host and URI ................................................................................... 2-52
Using WebDAV for advanced customization .............................................................. 2-53
Using dynamic resource group mapping in master groups ....................................... 2-64
Setting up authentication ............................................................................................................ 2-67
Choosing an authentication method .............................................................................. 2-67
Setting up internal authentication ................................................................................... 2-72
Setting up RADIUS server authentication ..................................................................... 2-72
Setting up LDAP server authentication ........................................................................ 2-74
Setting up two-factor authentication with a Client Certificate and LDAP ........... 2-76
Setting up HTTP basic authentication to external server ......................................... 2-81
Setting up initial signup on LDAP with subsequent strong internal password ..... 2-81
Setting up Windows domain server authentication ................................................... 2-82
Setting up Active Directory authentication (Kerberos authentication) ................. 2-82
Configuring a flexible query for a client certificate with Active Directory ........... 2-83
Setting up HTTP form-based authentication ................................................................ 2-85
Setting up client-certificate-based authentication ....................................................... 2-85
Understanding VHOST client certificate request ....................................................... 2-91
Setting up RSA SecurID authentication ......................................................................... 2-92
Working with resource groups ................................................................................................ 2-94
Creating favorites in resource groups ........................................................................... 2-94
Associating resource groups with users ........................................................................ 2-96
Configuring resource group favorites ............................................................................ 2-97
Impersonating a user .......................................................................................................... 2-98
3 Configuring Endpoint Security
Understanding endpoint security ................................................................................................3-1
Collecting information ..........................................................................................................3-1
Using the inspectors ..............................................................................................................3-2
Using session variables ..........................................................................................................3-5
Performing remediation .......................................................................................................3-6
Protecting resources .............................................................................................................3-7
Understanding protection options .....................................................................................3-8
Understanding protection limitations ...............................................................................3-9
Using pre-logon sequences ........................................................................................................ 3-10
Understanding pre-logon sequence flow ................................................................................ 3-11
Understanding the visual policy editor .......................................................................... 3-11
Understanding pre-logon sequence elements .............................................................. 3-12
Implementing client system checking ...................................................................................... 3-14
Creating pre-logon sequences to protect resources .......................................................... 3-15
Understanding protected workspace ............................................................................. 3-15
Creating a pre-logon sequence ........................................................................................ 3-15
Using data gathered by pre-logon sequences ............................................................... 3-17
Assigning a protected configuration ............................................................................... 3-18
Using actions in pre-logon sequences ............................................................................ 3-19
Defining rules for actions in pre-logon sequences ...................................................... 3-23
Browser requirements for endpoint security .............................................................. 3-25
User rights requirements for protected workspace and pre-logon inspectors ... 3-26
Creating protected configurations ........................................................................................... 3-27
Protecting resources ................................................................................................................... 3-31
Configuring endpoint protection for a resource group ............................................. 3-32
Understanding protection assignment ........................................................................... 3-32
Configuring post-logon protection .......................................................................................... 3-33
Using other kinds of protection ............................................................................................... 3-34
4 Using Server Certificates
Understanding SSL server certificates ........................................................................................4-1
Using server certificates on the FirePass controller ....................................................4-1
Using Certificate Authority-signed SSL server certificates ..........................................4-2
Using self-signed SSL server certificates ...........................................................................4-2
Understanding reverse proxy backend server certificate verification ......................4-2
Managing certificates on the FirePass controller .....................................................................4-5
Displaying information on installed certificates ..............................................................4-5
Generating a Certificate Signing Request or self-signed certificate ....................................4-6
Submitting the CSR ...............................................................................................................4-7
Understanding the files generated for the self-signed certificate ...............................4-8
5 Configuring Network Access
Introducing Network Access .......................................................................................................5-1
Understanding Network Access features ........................................................................5-1
Understanding FirePass controller Network Access ....................................................5-3
Using client applications with Network Access .............................................................5-4
Configuring global Network Access settings ............................................................................5-6
Using NAPT or a virtual subnet .........................................................................................5-6
Understanding routing ..........................................................................................................5-9
Keeping connections open when the webtop is closed ............................................ 5-10
Configuring global packet filter rules ............................................................................. 5-10
Using overlapping IP address pools ................................................................................ 5-12
Configuring bitrate evaluator parameters ..................................................................... 5-18
Configuring Network Access resource group settings ....................................................... 5-19
Understanding Client Settings options .......................................................................... 5-19
Understanding DNS options ............................................................................................ 5-23
Understanding Hosts options .......................................................................................... 5-24
Understanding Drive Mappings options ........................................................................ 5-24
Understanding Launch Application options .................................................................. 5-25
Understanding IP Group Filters options ....................................................................... 5-26
Understanding Policy Checks options ........................................................................... 5-28
Understanding Customization options .......................................................................... 5-31
Configuring Network Access master group settings .......................................................... 5-39
Customizing the user experience for Network Access connections ..................... 5-39
Auto-launching web applications ..................................................................................... 5-40
6 Configuring Application Access
Introducing Application Access ...................................................................................................6-1
Understanding App Tunnels .........................................................................................................6-2
Choosing a static or dynamic App Tunnel .......................................................................6-3
Defining a web application tunnel ......................................................................................6-5
Understanding access restrictions for App Tunnels ......................................................6-6
Defining App Tunnel favorites .....................................................................................................6-7
Creating web application App Tunnel favorites .......................................................... 6-12
Configuring remote host and local host settings: important considerations ........ 6-15
Creating custom App Tunnels ......................................................................................... 6-16
Configuring App Tunnels that open automatically ...................................................... 6-17
Creating static App Tunnels to network file shares ................................................... 6-18
Restricting access to App Tunnels .................................................................................. 6-19
Configuring master group settings for App Tunnels ........................................................... 6-23
Understanding common master group settings for all App Tunnels ...................... 6-23
Understanding master group settings for dynamic and web application tunnels . 6-24
Understanding Legacy Host connections ............................................................................... 6-26
Defining legacy host favorites .......................................................................................... 6-27
Starting preconfigured legacy host favorites from a Web application page or webtop ... 6-29
Configuring legacy hosts keyboard mapping ................................................................ 6-30
Configuring master group settings for legacy hosts connections ............................ 6-31
Configuring terminal server favorites ..................................................................................... 6-33
Configuring master group settings for terminal server connections ...................... 6-36
Using Citrix session reliability .......................................................................................... 6-39
Using terminal servers screen resolution ..................................................................... 6-40
Configuring global settings for Application Access .............................................................. 6-43
Handling Windows power-management events .......................................................... 6-43
Configuring client messages for Windows loopback ................................................. 6-43
7 Configuring Portal Access
Introducing Portal Access .............................................................................................................7-1
Introducing Portal Access features and operation .........................................................7-1
Introducing Portal Access application support ...............................................................7-2
Configuring web applications on the FirePass controller ......................................................7-4
Understanding proxy and cache functionality .................................................................7-4
Defining favorites for Portal Access Web Applications access ...................................7-6
Configuring web applications for minimal rewriting ................................................... 7-10
Configuring NTLM and basic authentication proxy .................................................... 7-14
Using NTLM version 2 ...................................................................................................... 7-15
Configuring split tunneling for Portal Access ............................................................... 7-15
Understanding access control lists for Portal Access ................................................ 7-16
Understanding Java sockets support .............................................................................. 7-18
Preserving host names ....................................................................................................... 7-18
Configuring content processing for web applications ................................................ 7-19
Configuring caching and compression ............................................................................ 7-31
Configuring intranet webtop options ............................................................................. 7-33
Preserving page content .................................................................................................... 7-34
Configuring proxy options ................................................................................................ 7-34
Configuring Windows files ......................................................................................................... 7-36
Configuring Windows Files favorites ............................................................................. 7-36
Configuring Windows Files master group settings ..................................................... 7-37
Configuring Mobile E-Mail .......................................................................................................... 7-39
Configuring the LDAP query ............................................................................................ 7-40
Configuring LDAP as the email address source .......................................................... 7-41
Disabling email attachments ............................................................................................. 7-42
Changing where Mobile E-Mail links appear on the webtop .................................... 7-42
Configuring content inspection ................................................................................................ 7-43
Configuring cross site scripting security ....................................................................... 7-43
Configuring SQL injection scanning ................................................................................ 7-45
Configuring buffer overflow protection ........................................................................ 7-47
Configuring anti-virus scanning of uploaded files ........................................................ 7-48
Using the FirePass controller reverse proxy ......................................................................... 7-51
Understanding client-server implementations ............................................................. 7-51
Understanding the reverse proxy ................................................................................... 7-52
Understanding the reverse proxy and Flash ................................................................. 7-53
Configuring the reverse proxy dynamic cache ............................................................ 7-53
Troubleshooting reverse proxy issues .......................................................................... 7-54
Using the reverse proxy and SED script support ....................................................... 7-59
8 Managing and Monitoring the FirePass Controller
Maintaining the FirePass Controller ...........................................................................................8-1
Configuring global FirePass controller settings ........................................................................8-2
Maintaining the network configuration settings .....................................................................8-3
Understanding the finalization process .............................................................................8-4
Understanding the Interfaces tab settings ........................................................................8-6
Configuring VLAN settings ..................................................................................................8-9
Configuring IP addresses and subnets ...............................................................................8-9
Configuring routing tables and rules .............................................................................. 8-11
Configuring DNS ................................................................................................................. 8-18
Configuring host names ..................................................................................................... 8-19
Configuring web services .................................................................................................. 8-20
Configuring other network settings ............................................................................... 8-25
Configuring access scope .................................................................................................. 8-26
Using realms .................................................................................................................................. 8-29
Configuring the Full Access realm .................................................................................. 8-29
Configuring the FirePass controller for realms ........................................................... 8-30
Assigning administrative privileges to a user account ................................................ 8-32
Upgrading with administrators configured in versions previous to FirePass software version 5.4 ... 8-33
Using reports inside realms .............................................................................................. 8-33
Completing other configuration activities .............................................................................. 8-34
Configuring Admin E-mail ................................................................................................. 8-34
Adding definitions for other types of browsers .......................................................... 8-35
Configuring a new RSA SecurID authentication server (for native RSA authentication) ... 8-36
Specifying the SMTP email server ................................................................................... 8-40
Configuring an SNMP agent .............................................................................................. 8-41
Specifying HTTP and SSL proxies ................................................................................... 8-42
Specifying the time, time zone, and NTP server ........................................................ 8-43
Performing maintenance ............................................................................................................. 8-45
Managing FirePass controller licenses ............................................................................ 8-45
Backing up and restoring the FirePass controller ....................................................... 8-47
Cavium RoHS FIPS card support .................................................................................... 8-48
Upgrading controller software ........................................................................................ 8-48
Managing log files ................................................................................................................ 8-51
Configuring for RADIUS accounting .............................................................................. 8-58
Shutting down and restarting the FirePass controller ................................................ 8-59
Using the troubleshooting tools ...................................................................................... 8-61
Monitoring the FirePass controller ......................................................................................... 8-66
Displaying FirePass controller statistics ......................................................................... 8-66
Displaying FirePass controller system health ............................................................... 8-67
Monitoring the load on a FirePass controller .............................................................. 8-67
Using load statistics ............................................................................................................ 8-69
Customizing the user’s webtop ................................................................................................ 8-70
Configuring for multiple languages ........................................................................................... 8-71
9 Using FirePass Controller Client Components
Downloading client components .................................................................................................9-1
Using Windows clients with the FirePass controller .............................................................9-2
Installing client components on Windows systems .......................................................9-2
Using MSI to preinstall client components ......................................................................9-4
10 Using FirePass Controller Reports
Overview of FirePass controller reports ............................................................................... 10-1
Using the App Logs report ........................................................................................................ 10-2
Working with the App Logs report ............................................................................... 10-2
Understanding entries in the App Logs report ............................................................ 10-2
Using the Group report ............................................................................................................. 10-4
Working with the Group report .................................................................................... 10-4
Understanding entries in the Group report ................................................................. 10-4
Using HTTP Logs reports .......................................................................................................... 10-6
Working with the HTTP Logs report ............................................................................ 10-6
Understanding entries in the HTTP Logs report ........................................................ 10-7
Using the Logons report .......................................................................................................... 10-10
Working with the Logons report ................................................................................. 10-10
Understanding entries in the Logons report .............................................................. 10-10
Using the Sessions report ........................................................................................................ 10-12
Working with the Sessions report ............................................................................... 10-12
Understanding entries in the Sessions report ............................................................ 10-13
Using the Summary report ...................................................................................................... 10-16
Working with the Summary report .............................................................................. 10-16
Understanding entries in the Summary report .......................................................... 10-16
Using the System Logs report ................................................................................................. 10-18
Working with the System Logs report ........................................................................ 10-18
Understanding entries in the System Logs report .................................................... 10-18
Understanding logging options ................................................................................................ 10-20
11
Using FirePass Controllers for Failover
Understanding FirePass controller high availability .............................................................. 11-1
Introducing failover configuration ................................................................................... 11-1
Reviewing the configuration process ............................................................................. 11-2
Introducing a failover member into a production environment .............................. 11-5
Configuring the active FirePass controller ............................................................................. 11-7
Enabling failover on the active controller ..................................................................... 11-7
Configuring the active controller with a self IP address ............................................ 11-9
Configuring the active controller with a shared IP address .................................... 11-10
Configuring web services for the IP addresses of the active controller .............. 11-10
Configuring the active controller’s heartbeat, synchronization, and miscellaneous settings ........... 11-13
Configuring the standby FirePass controller ....................................................................... 11-15
Synchronizing re-signed client components between cluster/failover nodes ..... 11-16
Enabling failover on the standby controller ................................................................ 11-16
Configuring the standby controller with a self IP address ...................................... 11-17
Configuring a shared IP address .................................................................................... 11-17
Checking the FQDN ........................................................................................................ 11-17
Configuring DNS server entries .................................................................................... 11-17
Adding and configuring web services, and specifying a synchronization service ..... 11-18
Configuring the heartbeat ............................................................................................... 11-18
Finalizing and restarting the active controller ............................................................ 11-18
Accessing a standby controller ...................................................................................... 11-18
Configuring multiple external addresses for availability testing ............................. 11-19
Post-configuration tasks ........................................................................................................... 11-20
Starting failover controllers ............................................................................................ 11-20
Verifying the failover configuration ............................................................................... 11-20
Verifying controller identity ........................................................................................... 11-21
Triggering manual failover ............................................................................................... 11-21
12
Using FirePass Controllers in Clusters
Understanding FirePass controller clusters ........................................................................... 12-1
Understanding synchronization in clusters ................................................................... 12-1
Installing FirePass controllers as a cluster ..................................................................... 12-2
Configuring FirePass controller clusters ................................................................................ 12-3
Making configuration changes in clusters ...................................................................... 12-3
Understanding the configuration process ..................................................................... 12-4
Consolidating logs ............................................................................................................... 12-5
Enabling clustering ........................................................................................................................ 12-6
Configuring the primary node .......................................................................................... 12-6
Configuring the secondary nodes ................................................................................... 12-7
Configuring clustering synchronization ................................................................................... 12-8
Configuring a synchronization service ........................................................................... 12-8
Configuring load balancing ....................................................................................................... 12-12
Configuring load balancing on the primary node ...................................................... 12-12
Configuring load balancing on the secondary node .................................................. 12-13
Activating load balancing ................................................................................................. 12-13
Verifying the cluster configuration ................................................................................ 12-14
Verifying the load balancing configuration ............................................................................ 12-15
Managing a cluster configuration ............................................................................................ 12-16
Accessing a secondary controller’s configuration ..................................................... 12-16
Displaying statistics for a FirePass controller cluster ............................................... 12-16
13
Using Web Applications Engine Trace
Understanding Web Applications engine trace .................................................................... 13-1
Using the Web Applications engine trace feature ............................................................... 13-2
Understanding trace files .................................................................................................. 13-3
Analyzing Web Applications engine traces ............................................................................ 13-5
Fixing common problems .................................................................................................. 13-6
A
How-To Examples
Introducing how-to scenarios .....................................................................................................A-1
Denying access to users running Google Desktop Search ..................................................A-2
Creating the Google Desktop Check pre-logon sequence ........................................A-2
Adding the Google Desktop Check action to the pre-logon sequence ..................A-5
Customizing the Google Desktop Check logon-denied message .............................A-8
Denying and allowing logons from specific operating systems and requiring certificates ...... A-11
Rule 1: Deny Windows 95, Windows 98, and Windows Me connections ...........A-11
Rule 2: Require Windows NT and Windows 2000 clients to log on using the virtual keyboard ...... A-15
Rule 3: Allow logons only from Windows XP, Linux, Pocket PC, and Macintosh computers that have a valid certificate ...... A-17
Glossary
Index
1
Introducing the FirePass Controller
The FirePass 4100 and 4300 controllers also support clustering, which
provides increased numbers of connections and load balancing. For more
information, see Chapter 12, Using FirePass Controllers in Clusters.
Availability
Unlike IPsec VPNs, the web-based remote access of the FirePass controller
works over any ISP connection that permits outbound HTTPS, and from behind
other firewalls. Because FirePass controller traffic is ordinary SSL,
intermediaries cannot readily distinguish it from other HTTPS traffic and
block it, as they can with IPsec traffic. Failover and clustering options
provide high availability and high capacity. You can cluster FirePass
controllers to support up to 20,000 concurrent connections on a single
logical URL without performance degradation.
Security
The FirePass controller provides the following security features.
◆ Endpoint security
The FirePass controller provides a broad set of endpoint security features
such as a protected workspace, client integrity checking, browser cache
cleaner, secure virtual keyboard, and support for 100+ versions of
antivirus and firewall software. Configurable remediation helps
end-users that fail compliance checks to automatically download the
needed client software to meet endpoint security requirements, for
example, the latest antivirus signature files, operating system updates,
and others. The FirePass controller can display a custom message
containing a download link, so end-users can perform their own
remediation, meet compliance requirements, and get access without
having to call the IT help desk.
◆ Encryption
You can get several levels of encryption, depending on the capability of
the client browser and the configuration of FirePass controller security
settings. The controller supports high encryption standards such as Triple
DES and AES, as well as FIPS and hardware encryption accelerator
options.
◆ Authentication
The FirePass controller supports a number of authentication methods.
• An internal user database for user name and password authentication
• Basic HTTP and forms-based authentication methods
• Authentication based on client certificates
• Authentication based on your existing Active Directory, RADIUS,
LDAP, and Windows domain servers
Accessibility
The FirePass controller provides a range of accessibility options.
◆ Full network access
Full network access provides a connection that is always available,
assuming the client machine supports it. Full network access virtually
puts the client machine inside the company network, so that clients
perform operations exactly as if they sat at their corporate computers.
Typically, an administrator would choose full network access as the
deployment method for client computers that are from a well-known or
trusted source, such as company-provided laptops.
◆ Application tunnel access
Application tunnel access (also called App Tunnels) provides access to
TCP applications that support fixed ports or a range of ports. The client
experience is similar to full network access, but it exposes only the
specific applications and ports that you configure, not the whole network.
Typically, an administrator would choose application tunnel access as the
deployment method for client computers that are from a somewhat
trusted source, such as employee-owned equipment.
◆ Specialized application access
Specialized application access provides browser-based interaction with a
set of commonly used functions:
• Mobile email
• Legacy hosts
• Windows files
• Terminal Servers
Audience
This guide is intended for system and network administrators who configure
and maintain IT equipment and software. This guide assumes that
administrators have experience working with network configurations.
For example, you can find information about various FirePass controller
models in the FirePass Controller Getting Started Guide, Chapter 1,
Getting Started with the FirePass Controller.
Symbol      Meaning
\           Continue to the next line without typing a line break.
< >         You enter text for the enclosed item. For example, if the command
            has <your name>, type your name.
|           Separates parts of a command.
[ ]         Syntax inside the brackets is optional.
...         Indicates that you can type a series of items.
Additional conventions
We use a conspicuous note format for a variety of information, ranging from
supplemental to critical.
A Tip suggests ways to make administration easier or faster. For example:
Tip
An easy way to enter a user agent string is to copy and paste the string from
the Logons report.
Note
If you want users to be able to define their own personal webtop favorites or
preferences, then you must use internal user management.
Important
If you are starting up a controller cluster, always start the primary
controller first, and then the remaining secondary cluster controllers
thereafter. Otherwise, the controllers will not start properly.
A Warning describes actions that can cause data loss or problems. For
example:
WARNING
If you are configuring failover in a production environment, the order in
which the pair of controllers restart is very important, and can result in data
loss if the two controllers do not restart in the correct order. For more
information, see Introducing failover configuration, on page 11-1.
2
Managing Users and Configuring Groups
• Setting up authentication
Figure 2.1 Association between users, master groups, resource groups, and favorites categories
Note
If you want users to be able to define their own personal webtop favorites or
preferences, you must manage users internally on the FirePass controller.
All of these methods create user accounts in the FirePass controller internal
database. For specific procedures for each of these operations, see the online
help.
Tip
If you already have an authentication mechanism in place (for example, you
are using the Active Directory service), you can use that mechanism to
manage users of the FirePass controller. Using external user authentication
reduces administration time, and is the simplest client-authentication
method.
For example, if your network uses the Active Directory service, you can
configure the FirePass controller to map to that structure. In this case, the
FirePass controller queries the directory to get user information, and uses
the results to associate each user with a master group as they log on.
Tip
You can create new master groups that use settings from existing master
groups by selecting the group from the Copy settings from list when you
create a new group.
To configure master groups for local users, follow the same steps as needed
for configuring a master group with external users, as described in the
procedure To configure master groups for external users, on page 2-6.
Note
The FirePass controller has a default master group called Default. You can
use this master group without creating any other master groups, or you can
create master groups to use instead of, or in addition to, the default group.
Tip
On many configuration screens, you can switch to a different master group
by selecting a group from the Group list box at the upper left. This is an
easy way to change the master group you are configuring, without returning
to the Master Groups list screen.
◆ Authentication
Lists the type of authentication the group uses. You can click the
authentication method to open the Master Group configuration screen
containing options such as authentication-specific settings
(Authentication tab).
◆ Resource Groups
Lists the number of resource groups assigned to the master group, and
whether dynamic resource assignment is enabled. You can click an entry
to open the Master Group configuration screen containing options for
adding or removing resource groups for the associated master group.
◆ Signup Template
Shows whether signup templates are enabled (options are: N/A, No, and
Yes). The N/A entry indicates master groups of internally managed users,
to which signup templates do not apply. You can click a No or Yes entry
to open the Master Group configuration screen containing options such as
whether to allow automatic sign-up by template and others.
Note: You can specify a signup template as an optional parameter only for
master groups of externally managed users.
◆ Max concurrent sessions
Contains the number representing the maximum number of sessions
configured for that master group. The default varies depending on the
number of licenses you have for the FirePass controller. You can specify
a different number on the General tab by clicking the associated link,
checking Limit the number of concurrent sessions for this group, and
specifying the number you want. In no case can you specify a number
greater than the number of licenses you have.
◆ Users
Contains an indication of whether the group’s users are maintained
internally (Local) or externally (External). In any group containing
locally managed users, you can click the Local link to display the users.
Note: You cannot view the list of users from master groups with
externally managed users.
◆ Routing Table
Contains an indication of which routing table governs the associated
master group. You can click the link in the column to open the Select
Routing Table screen to select a different table to associate with a master
group. The FirePass controller routes the traffic from users in the master
group according to the routes in the associated routing table.
◆ Delete
Provides links for deleting the associated master group. You cannot
delete the Default master group.
You can use the Back to Users : Groups : Master Groups page link at the
top of the screen to return to the Master Groups list screen. You can also
return to the Master Groups list screen by clicking Master Groups in the
navigation pane.
Important
If you move internal users from externally authenticated groups to internally
authenticated groups, you must manually specify each user’s password and
any other user information requested on the User Management screen.
If you want different settings for sets of users, you can either manage this
through use of multiple master groups (with resource groups statically
assigned to each master group), or with a single master group (and enabling
dynamic group mapping to map individual resource groups to users).
Tip
If you plan to use the same authentication and settings for all users, you can
simply add all users to the existing default master group and just change the
authentication type.
Tip
You can switch to a different master group by selecting the group from the
Master Group list at the upper left of any Master Group configuration
screen. This is an easy way to change the master group you are configuring.
If you also use group mapping, the FirePass controller retrieves the user’s
group information and adds the user to the corresponding internal mapped
group, and then presents the signup template as needed. If a user is a
member of several groups on the external server and you have set up
mapping for each group, the FirePass controller adds the user to the first
group it finds that matches a group specified for signup templates.
For more information about group mapping, see Setting up dynamic group
mapping, on page 2-16.
Note
We recommend that you optimize your mapping table using the fewest
number of mappings to accomplish what you want. The trade-off is
performance-based. Because the FirePass controller retrieves group
mapping information at logon time for every user, a large number of groups
and mappings might slow logon times.
For information about one of the specific group mapping methods, see one
or more of the following sections.
• Mapping based on Active Directory or Windows domain controllers,
on page 2-27
• Mapping based on LDAP information, on page 2-32
• Mapping based on client certificates, on page 2-38
• Mapping based on RADIUS groups, on page 2-40
• Mapping based on landing URI, on page 2-43
• Mapping based on virtual hosts, on page 2-45
• Mapping based on session variables, on page 2-47
The Dynamic Group Mapping screen contains text that describes the process
illustrated in Figure 2.2. To access the Dynamic Group Mapping screen, in
the navigation pane, click Users, expand Groups, and click Dynamic
Group Mapping.
When you enable dynamic resource group mapping, and the user logs on to
the FirePass controller, the FirePass controller completes the following
sequence of events to map a user to available resources:
◆ First, the FirePass controller attempts to use dynamic resource group
mapping to determine which resource groups are assigned to the user. If
the system finds assigned resource groups, the FirePass controller
presents to the user the resources from those groups.
◆ Next, the FirePass controller attempts to determine which resource
groups are statically assigned to a user’s master group. If the system
finds resource groups, the FirePass controller allows the user access to
the resources associated with that master group.
◆ The FirePass controller then determines which resource groups are
statically assigned to the user. If it finds any, the FirePass controller
permits the user access to those statically assigned resources as well.
◆ Finally, the FirePass controller presents to the user all resource groups
received from this sequence.
Figure 2.2 illustrates the dynamic master group mapping process. You can
find sample mapping procedures in Specifying a group mapping method, on
page 2-26.
Next, you configure the dynamic resource group mapping table to map your
staff group to the FirePass controller Staff group, and your managers group
to the FirePass controller Managers group.
Here is what happens for Joe, a new staff member at your company.
When Joe starts at your company, you create user account information for
him in the staff group. When Joe tries to log on to the FirePass controller,
the FirePass controller retrieves the group value staff from your corporate
policy server. Based on the configured dynamic resource group mapping
entries, the FirePass controller maps the value staff to the FirePass controller
Staff resource group.
Now, Joe can access all of the resources configured for the Staff resource
group.
In this scenario, 12 months later, Joe is doing such good work that he is
promoted to a managerial position. To provide Joe access to the resources
that all managers see, the only thing you need to do is to change Joe’s group
from Staff to Managers on your corporate policy server.
The next time Joe tries to log on, the FirePass controller retrieves the group
value managers from your corporate policy server. Based on the configured
dynamic resource group mapping entries, the FirePass controller maps the
value managers to the FirePass controller Managers resource group, and
gives Joe access to all of the resources available to the Managers resource
group.
This example shows that dynamic resource group mapping allows you to
keep your group-based or role-based policies on your corporate policy
server. You can then configure the FirePass controller to apply these
policies dynamically when the user logs on. If a policy changes, you do not
have to reconfigure the FirePass controller, you can just move the user to a
different group on your corporate server. Because you have defined the
mapping entries, the FirePass controller automatically provides access
correctly, based on the user’s changing role.
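The resolution sequence described above (dynamic resource group mapping first, then the resource groups statically assigned to the master group, then the user's own static assignments, all combined) together with the first-match rule for master group mapping, as an added Python example. This is illustrative code written for this page, not FirePass code. The mapping tables, group names, the fallback master group and the user joe's static assignment are all constructed for the example, and the assumption that master mapping entries are tested in table order is mine, not something the manual states.

```python
"""Added example (not FirePass code): a model of FirePass-style group mapping.
All tables and user records below are constructed for illustration."""

# Master mapping table: (external group value, FirePass master group).
# Assumption: entries are tested in table order and the first match wins.
MASTER_MAPPING = [
    ("managers", "Managers"),
    ("staff", "Staff"),
]

# Fallback master groups, tried in order when no mapping entry matches.
FALLBACK_MASTER_GROUPS = ["Default"]

# Resource mapping table: (external group value, FirePass resource group).
# Every matching entry contributes a resource group.
RESOURCE_MAPPING = [
    ("managers", "Managers"),
    ("staff", "Staff"),
    ("vpn-users", "FullNetworkAccess"),
]

# Static assignments (constructed): resource groups attached to each master
# group, and resource groups attached directly to individual users.
MASTER_STATIC_RESOURCES = {
    "Managers": ["Intranet"],
    "Staff": ["Intranet"],
    "Default": [],
}
USER_STATIC_RESOURCES = {
    "joe": ["LegacyHost"],
}


def resolve_master_group(external_groups):
    """Return the master group for a user.

    The first master mapping entry whose external value appears among the
    user's groups wins; if none matches, the first fallback master group is
    used; if there is no fallback either, the user cannot be mapped (None).
    """
    groups = set(external_groups)
    for external_value, master_group in MASTER_MAPPING:
        if external_value in groups:
            return master_group
    return FALLBACK_MASTER_GROUPS[0] if FALLBACK_MASTER_GROUPS else None


def resolve_resource_groups(username, external_groups, master_group):
    """Apply the three-step sequence and return the combined resource groups,
    in the order they were found and without duplicates."""
    found = []

    def add(names):
        for name in names:
            if name not in found:
                found.append(name)

    groups = set(external_groups)
    # Step 1: dynamic resource group mapping from the user's external groups.
    add(rg for ev, rg in RESOURCE_MAPPING if ev in groups)
    # Step 2: resource groups statically assigned to the user's master group.
    add(MASTER_STATIC_RESOURCES.get(master_group, []))
    # Step 3: resource groups statically assigned to the user directly.
    add(USER_STATIC_RESOURCES.get(username, []))
    return found


def logon(username, external_groups):
    """Simulate the mapping performed at logon; returns (master, resources)."""
    master_group = resolve_master_group(external_groups)
    return master_group, resolve_resource_groups(username, external_groups, master_group)


if __name__ == "__main__":
    # Joe as a staff member, then after promotion: only the external group
    # value changes; the FirePass tables stay exactly the same.
    print(logon("joe", ["staff", "vpn-users"]))
    print(logon("joe", ["managers", "vpn-users"]))
    print(logon("ann", ["contractors"]))
```

The promotion case is the point of the scenario: changing joe's group on the corporate policy server changes the master group and the mapped resource group on the next logon, while the static assignments (Intranet via the master group, LegacyHost via the user) are unaffected. A user with no matching mapping entry lands in the fallback master group with whatever that group carries statically.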
12. Specify the mappings you want, and then click Add.
The Master mapping table screen opens, showing the mapping you
added.
This is where you add master mapping entries. For more
information, see the section that describes configuring mappings
based on the method you are using. For example, if you are mapping
using the LDAP (user object) method, see To add the LDAP user
object mapping method, on page 2-33.
13. Click the Resource mapping table tab.
The Resource mapping table screen opens.
14. From Mapping Method, select the type of mapping table you want
to create, and then click Add.
The Resource mapping table screen opens for the mapping method
you added.
15. Specify the mappings you want, and then click Add.
The Resource mapping table screen opens, showing the mapping
you added.
This is where you add resource mapping entries. For more
information, see the section that describes mappings based on the
method you are using.
2. Check or clear the options you want to create the mapping sequence.
3. If you plan to have fallback groups for mapping users, in the Step 3
area of the screen, add and order master groups to the Fallback
master groups list.
4. If you plan to have dynamic resource group mapping, check the
option in the Resource Groups Mapping Sequence section.
5. Click the Group mapping methods tab.
The Group mapping methods screen opens.
6. From the mapping methods list, select Active Directory, and click
Add mapping method.
The new method is added to the table. If the table already contains a
mapping method of this type, the list contains no Active Directory
item.
7. Click the Configure link to the right of the entry in the Mapping
methods table.
The Mapping methods configuration screen opens.
8. In Domain name, type the domain name for the Active Directory to
use for mapping users.
You must use the Fully Qualified Domain Name (FQDN) in
Domain name. Domain name is a required parameter.
9. In Kerberos server name, type the Kerberos server name or IP
address.
Kerberos server name is an optional parameter.
10. In WINS server IP address, type the WINS server IP address.
WINS server IP address is an optional parameter.
11. In Domain admin name and Domain admin password, type a user
name and password that has Active Directory administrative
permissions.
Domain admin name and Domain admin password are required
parameters. The controller stores these credentials and uses them for
the group lookup at every logon, so protect them as you would any other
administrative credentials.
12. To use a second Active Directory server, check Use a secondary
AD server.
The screen changes to reveal additional options.
13. In Kerberos server name, type the Kerberos server name or IP
address.
14. In WINS server IP address, type the WINS server IP address.
15. To use a third Active Directory server, check Use a tertiary AD
server.
The screen changes to reveal additional options.
16. In Kerberos server name, type the Kerberos server name or IP
address.
17. In WINS server IP address, type the WINS server IP address.
Note
If you use Windows domain for your user database, you can configure the
FirePass controller to map users based on Windows domain groups.
Configuring Windows domain-based mapping involves three procedures:
adding the Windows domain mapping method, mapping the Windows
domain groups to FirePass controller master groups in the master group
mapping table, and mapping the Windows domain groups to FirePass
controller resource groups in the resource group mapping table.
Important
In the request configuration, you can specify an LDAP port and configure
the FirePass controller to use SSL for the query operation. If you use LDAP
authentication over SSL, be sure that the host name you specify exactly
matches the host name on your LDAP server's certificate.
When you specify a query template for the request to use when searching for
a user, it must be a valid LDAP query expression.
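The query template is rendered with the user's logon name before it is sent to the directory, so a logon name that contains filter metacharacters can change the meaning of the query unless it is escaped. As an added example (not FirePass code), the following Python renders a user-lookup template with the logon name escaped as RFC 4515 requires, and contrasts it with the unescaped result. The %username% placeholder and the template string are assumptions made for this illustration, not FirePass's own template syntax.

```python
"""Added example (not FirePass code): rendering an LDAP user-lookup query
template with the logon name escaped per RFC 4515. The %username% placeholder
and the template below are assumptions made for this illustration."""

# Characters with special meaning inside an LDAP filter assertion value
# (RFC 4515). Each is replaced by a backslash and its two-digit hex code.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value):
    """Escape a value that will be substituted into a filter assertion."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template, username):
    """Render the query template with the escaped logon name."""
    return template.replace("%username%", escape_ldap_filter_value(username))


def build_user_filter_unsafe(template, username):
    """Same substitution without escaping, shown only to contrast results."""
    return template.replace("%username%", username)


def top_level_expressions(filter_text):
    """Count top-level parenthesised expressions in a filter string.

    A well-formed search filter is exactly one expression; a count above one
    (or -1 for unbalanced parentheses) means the substituted value changed
    the structure of the filter instead of staying inside the assertion.
    """
    depth = 0
    count = 0
    for ch in filter_text:
        if ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return -1
    return count if depth == 0 else -1


if __name__ == "__main__":
    TEMPLATE = "(sAMAccountName=%username%)"       # assumed template syntax
    for name in ("joe", "*)(objectClass=*"):        # constructed logon names
        safe = build_user_filter(TEMPLATE, name)
        unsafe = build_user_filter_unsafe(TEMPLATE, name)
        print(safe, top_level_expressions(safe))
        print(unsafe, top_level_expressions(unsafe))
```

With the crafted logon name, the unescaped filter becomes two expressions, the second of which matches every object, while the escaped filter remains a single assertion that simply fails to match any real account. The same check applies to any other value you substitute into a template, such as a group name retrieved from a session variable.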
OU attributes are tested in the order in which they appear in the
certificate's subject or issuer DN field, from left to right, using normal
group mapping prioritization. All matches are used to select the master
group or resource groups.
7. When the results are what you want, click the Finish button to
return to the Group Information section.
Important
You cannot simultaneously use virtual-host based dynamic group mapping
and landing URI-based dynamic group mapping.
Important
You cannot simultaneously use virtual-host based dynamic group mapping
and landing URI-based dynamic group mapping.
For virtual servers, you can define one customization for a single IP address.
URI-based customization takes precedence over virtual host customization.
Virtual host customization takes precedence over the default, global
customization.
2. From the Mapping Methods list, select Session Variable, and click
Add.
Note: If there is no Session Variable item, click the Group mapping
methods tab, and add the Session Variable mapping method first.
3. In the Session variable column, define the session variable you want
to map to, making sure to enclose the session variable within
percent ( % ) characters.
4. In the Value column, specify the string for the FirePass controller to
use for mapping.
Note: You can instead map the Session Variable value directly to a
FirePass controller master group name by checking the Map
verbatim box. In this case, the FirePass controller removes the
settings in the Value and FirePass Group columns.
5. From each list in the FirePass group column, select a group for
mapping to the session variable.
6. Click Add to save your mappings.
From the For Landing URI or Virtual Host list, you can select the URI or
virtual host to configure. The list contains all the configured landing URIs
and virtual hosts, and the default URI value (which applies when no landing
URI or virtual host is selected during the logon process). To appear on the
list, a landing URI must first be created on the Device Management :
Customization screen, with the option Virtual Host must have host based
customization enabled.
Note
When no landing URIs exist and no Virtual Hosts are enabled, only the
default URI selector is available.
Tip
If the administrator does not specify an extra domain password, the logon
screen displays the domain password prompt.
When a user fails to authenticate during logon through any URI or virtual
host, the FirePass controller returns the user to the initial Landing URI or
virtual host logon screen.
On the Master Group authentication tab, the screen displays the Verify
domain password against Active Directory server option only when
Extra domain password is enabled for the default URI, or another enabled
landing URI or virtual host.
When a user accesses the logon screen without the domain password prompt
and is mapped to a group where verification of that password is required,
authentication fails. This also happens when domain password is disabled
everywhere, but a group has the Verification option enabled. In this case,
you can find the reason for the authentication failure in the Logon Report
details.
For logon screen customization on a per URI/VHOST basis, the
configuration setting is stored in the file
/usr/local/uroam/firepass/images/custom/$subdir/uroam.conf
where $subdir is either the landing URI name or the virtual host IP address.
Default URI settings are stored in the file
/usr/local/uroam/etc/uroam.conf
◆ Display extra input field at logon for user defined session variable
On the logon screen, presents the user with a box in which to type text.
This value is then converted to a session variable named
%session.userdef.logon_extra_field%. You can specify a label to help
the user know what to type in the box.
For example, you can map users to different master groups by specifying
the label Type your master group name in the following box, and then
mapping the session variable %session.userdef.logon_extra_field% to
that master group in the master mapping table. For a procedure to guide
you through this process, see the online help for the Users : Global
Settings screen.
◆ Specifying an additional domain password
Indicates that the system provides a second password prompt on the
logon screen. The FirePass controller passes the content of this prompt to
the functions that enable access to Windows Files, Web Applications,
Terminal Servers, and so on. If this option is disabled, the system
presents only one password prompt on the logon screen.
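The following is an added example, not FirePass code: it shows how a session-variable mapping table of the kind configured in the procedure above (Session Variable mapping method, Value column, Map verbatim box) can be evaluated against a session, and how the percent-delimited variable convention expands, which is the same convention the Logger inspector uses in Chapter 3. The master group names, the table rows and the session values are constructed for illustration.

```javascript
// Added example, not FirePass code: evaluate a session-variable mapping table,
// including the Map verbatim option, and expand %...% tokens.
// The group names, rows and session values below are constructed.
'use strict';

// Replace every %name% token with the named session variable; unset variables become ''.
function expandVariables(template, session) {
  return template.replace(/%([A-Za-z0-9_.]+)%/g, (m, name) =>
    Object.prototype.hasOwnProperty.call(session, name) ? String(session[name]) : '');
}

// rows: [{ variable, value, group, verbatim }] in table order; the first match wins.
// knownGroups: the master groups that exist. A verbatim row takes the variable's value
// itself as the group name; because that value can come from the user-typed extra logon
// field, this example accepts it only when such a group actually exists.
function mapMasterGroup(session, rows, knownGroups) {
  for (const row of rows) {
    const actual = expandVariables(row.variable, session);
    if (actual === '') continue;                 // variable unset: this row cannot match
    if (row.verbatim) {
      if (knownGroups.has(actual)) return actual;
      continue;
    }
    if (actual === row.value) return row.group;
  }
  return null;                                   // nothing in the table matched
}

const KNOWN_GROUPS = new Set(['Sales', 'Engineering', 'Contractors']);
const MAPPING_ROWS = [
  // explicit row: the text "sales-team" typed in the extra field maps to the Sales group
  { variable: '%session.userdef.logon_extra_field%', value: 'sales-team', group: 'Sales', verbatim: false },
  // verbatim row: the typed text is taken as the group name (subject to the check above)
  { variable: '%session.userdef.logon_extra_field%', verbatim: true },
];

function demo() {
  const s1 = { 'session.userdef.logon_extra_field': 'sales-team', 'session.network.client.ip': '203.0.113.7' };
  const s2 = { 'session.userdef.logon_extra_field': 'Engineering' };
  const s3 = { 'session.userdef.logon_extra_field': 'Administrators' }; // typed by the user; no such group
  return {
    explicit: mapMasterGroup(s1, MAPPING_ROWS, KNOWN_GROUPS),   // 'Sales'
    verbatim: mapMasterGroup(s2, MAPPING_ROWS, KNOWN_GROUPS),   // 'Engineering'
    rejected: mapMasterGroup(s3, MAPPING_ROWS, KNOWN_GROUPS),   // null
    logLine:  expandVariables('Logon from %session.network.client.ip%', s1),
  };
}
```

The point worth noticing is the verbatim row: when the variable is the user-defined logon field, the person logging on is choosing the master group name, so the allow-list check in mapMasterGroup (the example's own guard, not a documented controller behaviour) is what keeps an arbitrary typed name from selecting a group you did not intend to hand out this way.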
Understanding precedence
URI-based customization takes precedence over virtual host customization.
Virtual host customization takes precedence over the default, global
customization.
From a user standpoint, URI-based customization is sticky. It is maintained
by a cookie. This means that once a user has established a session using
URI-based customization, then all subsequent FirePass controller sessions
started from within the same browser session use the URI-based
customization, even if the user later enters either the domain name alone (for
example, www.siterequest.com), or even the domain name qualified by the
usual redirect screen (for example, www.siterequest.com/my.logon.php3).
Once the user has established a URI-based custom session, then the user
must start a new browser session to switch back to the global customization
(or a virtual host-based customization, if there is one). This is by design.
You access the WebDAV sandbox using HTTP at the URI /sandbox as the
user webdav. For example, if you configured the FirePass controller with a
HTTP web service at 192.168.0.99, you access the WebDAV sandbox at the
URL http://192.168.0.99/sandbox/.
function OnLoad()
{
try
{
// URI and IP-host customization support
var allcookies = document.cookie;
var pos = allcookies.indexOf("VHOST=");
if (pos != -1)
{
var start = pos + 6; // Start of cookie value, 6 = length of 'VHOST='
var end = allcookies.indexOf(";", start); // End of cookie value
if (end == -1) end = allcookies.length;
var vhostvalue = allcookies.substring(start, end); // Extract the value
vhostvalue = unescape(vhostvalue); // Decode it
document.forms[0].vhost.value = vhostvalue; // Assign VHOST cookie value to corresponding form field
}
}
catch (e)
{
}
}
</script>
</head>
<body onload="OnLoad();">
<form name="e1" method="post" action="/my.activation.php3">
<input type="hidden" name="vhost" value=""> <!-- field that OnLoad() fills from the VHOST cookie -->
</form>
</body>
</html>
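The following is an added example, not FirePass code or the sample page above: it resolves which customization applies to a logon request, following the precedence stated under Understanding precedence (landing URI, then virtual host, then the global default) together with the sticky VHOST cookie that the sample logon page copies into its form, and it maps the result to the uroam.conf path named earlier in this section. One assumption is not stated on the page: that the VHOST cookie carries the landing URI name. The URI names, addresses and cookie strings are constructed.

```javascript
// Added example, not FirePass code: customization precedence plus the sticky VHOST cookie.
// Assumed (not stated on the page): the VHOST cookie holds the landing URI name.
// The URI names, addresses and cookie strings below are constructed.
'use strict';

// Read one cookie by exact name from a document.cookie-style string. Splitting on ';'
// and comparing the whole name avoids the indexOf("VHOST=") shortcut, which would also
// accept a cookie named XVHOST (or any other name that ends in VHOST).
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) return decodeURIComponent(part.slice(eq + 1).trim());
  }
  return null;
}

// customizations: { uris: Set of landing URI names, vhosts: Set of virtual host addresses }
// request:        { landingUri, vhostIp, cookie }
function resolveCustomization(request, customizations) {
  // Sticky URI customization: a VHOST cookie left by an earlier URI-based session wins
  // even when the user now arrives via the bare domain name or the redirect page.
  const sticky = getCookie(request.cookie || '', 'VHOST');
  if (sticky !== null && customizations.uris.has(sticky)) return { kind: 'uri', name: sticky };
  if (request.landingUri && customizations.uris.has(request.landingUri)) {
    return { kind: 'uri', name: request.landingUri };
  }
  if (request.vhostIp && customizations.vhosts.has(request.vhostIp)) {
    return { kind: 'vhost', name: request.vhostIp };
  }
  return { kind: 'global', name: 'default' };
}

// Where this section says the matching settings are stored.
function configPath(resolved) {
  return resolved.kind === 'global'
    ? '/usr/local/uroam/etc/uroam.conf'
    : '/usr/local/uroam/firepass/images/custom/' + resolved.name + '/uroam.conf';
}

function demo() {
  const custom = { uris: new Set(['partners', 'staff']), vhosts: new Set(['192.168.0.99']) };
  return {
    byUri:   resolveCustomization({ landingUri: 'partners', vhostIp: '192.168.0.99', cookie: '' }, custom),
    byVhost: resolveCustomization({ landingUri: null, vhostIp: '192.168.0.99', cookie: 'lang=en' }, custom),
    sticky:  resolveCustomization({ landingUri: null, vhostIp: null, cookie: 'XVHOST=staff; VHOST=partners' }, custom),
    // indexOf("VHOST=") would have picked "partners" out of XVHOST here; exact-name matching does not
    global:  resolveCustomization({ landingUri: null, vhostIp: '10.0.0.1', cookie: 'XVHOST=partners' }, custom),
  };
}
```

The last case in demo() is the one to compare against the page's own snippet: with indexOf("VHOST="), the XVHOST cookie would be read as a VHOST value, so a cookie set by something else in the same browser could steer the user to a customization they never selected.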
<body>
<FP_DO_NOT_TOUCH>
<script>
// Replace NAME_OF_RESOURCE_GROUP with name from one of your configured resource groups.
// Replace FAVORITE_NAME with the text you want your user to see.
screenW = Math.round(screenW/100*perc);
screenH = Math.round(screenH/100*perc);
dimension = "WIDTH="+(screenW+2)+",HEIGHT="+(screenH+26);
params = params+"&width="+(screenW+2)+"&height="+screenH;
}
}
if(bNewWindow) {
params = params+"&bNewWindow=1";
window.open(url+params,"_blank",dimension+",status=no,toolbar=no,menubar=no,location=no");
} else {
window.open(url+params,"_self");
}
}
'name='+w_name+',resizable=0,scrollbars=0,statusbar=0,menubar=0,width=320,height=240');
}
'name='+w_name+',resizable=0,scrollbars=0,statusbar=0,menubar=0,width=320,height=240');
}
'name='+w_name+',resizable=0,scrollbars=0,statusbar=0,menubar=0,width=320,height=240');
childWindow.focus();
}
</script>
<a href='javascript:createAppTunnelConnection("NAME_OF_RESOURCE_GROUP","FAVORITE_NAME")'>App Tunnel</a>
</font></strong></p>
<p>This link connects you to office resources from a computer on an external site
such as at an internet cafe or a client location. You will not need to download
or install any software.</p>
</td>
</tr>
<tr>
<td>
<p style="text-align: center;"><strong><font size="3">
<a href='javascript:createTSConnection("NAME_OF_RESOURCE_GROUP","FAVORITE_NAME",false)'>Terminal Services</a>
</font></strong></p>
<p>This link connects you to your terminal services applications.</p>
</td>
</tr>
<tr>
<td>
<p style="text-align: center;"><strong><font size="3">
<a href="/vdesk/intranets/provision.php3?res_group=NAME_OF_RESOURCE_GROUP&res_name=FAVORITE_NAME">Web Applications</a>
</font></strong></p>
<p>This link opens a portal page through Web Applications.</p>
</td>
</tr>
<tr>
<td>
<p style="text-align: center;"><strong><font size="3">
<a
href='javascript:createDirectAppTunnelConnection("telnetserver.company.xyz", 23,
"127.173.191.252", 23, "telnet 127.173.191.252", 1)'>Direct App Tunnel</a>
</font></strong></p>
<p>This link opens a direct AppTunnel connection (by passing parameters). The
<b>Limit AppTunnels Access
to Favorites only</b> option must be disabled.</p>
</td>
</tr>
<tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</FP_DO_NOT_TOUCH>
</body>
</html>
<html>
<!-- An example for launching FirePass controller Windows Files -->
<!-- The "dir" argument to directory.php3 is used for starting with a particular share. -->
<!-- Do not include the "dir" argument to start at My Network Places. -->
<FP_DO_NOT_TOUCH>
<frameset cols="200,*">
<frame name="contents" target="main"
src="/vdesk/filemanager/directory.php3?dir=%5C%5Ccompany_server%5Cpublic%5C"
marginwidth=10 marginheight=10>
<frame name="main" src="/vdesk/filemanager/view.php3" marginwidth=10 marginheight=10>
</frameset>
</FP_DO_NOT_TOUCH>
Note
You can use any software that supports the WebDAV protocol.
You can enable the option Determine the user’s master groups
dynamically using resource group mapping table in user’s master
group to globally enable or disable resource group mapping that is
configured individually in the master groups. When this option is disabled,
this resource group mapping step is not performed even if it is configured in
master groups.
Additionally, on the Users : Groups : Master Groups screen for a selected
master group, you can enable the option Allow resource groups to be
assigned using dynamic group mapping configured in this master
group, as shown in Figure 2.5.
Setting up authentication
Authentication is the process of verifying the identity of a user logging on
to a network. In a typical authentication process, a system requires that users
provide logon information such as user name and password. The system
then checks those credentials against information maintained remotely or
locally on a server or in a database.
Note
The authentication mechanism you use for the FirePass controller should be
as stringent as the one you use on your local network. That is, you should
hold FirePass controller authentication to the same standards as you apply
to your local network.
Important
To use a specific authentication method, you must have a server at your site
that supports the method.
native protocol, use the RSA SecurID method instead. For more
information on this method, see Setting up RADIUS server
authentication, on page 2-72.
◆ LDAP server
Uses the server at your site that supports authentication using LDAP. For
more information on this method, see Setting up LDAP server
authentication, on page 2-74.
◆ Basic HTTP authentication to external server
Uses external, web-based authentication servers such as Oracle®
COREid®, eTrust™ SiteMinder®, and others to validate user logons and
passwords, and to control user access to specific network resources. For
more information on this method, see Setting up HTTP basic
authentication to external server, on page 2-81.
◆ Initial signup on LDAP with subsequent strong password
Authenticates first-time users against an LDAP directory, but at the first
use also presents a form that requires them to enter a strong password.
Subsequently, the user is authenticated using the internal FirePass
controller database. This method allows you to use strong passwords not
supported by your LDAP directory, while providing most of the
convenience of LDAP authentication. For more information on this
method, see Setting up initial signup on LDAP with subsequent strong
internal password, on page 2-81.
◆ Windows domain server
Uses the Windows domain server at your site that supports NTLM
authentication against a pre-Windows 2000 domain controller. For more
information on this method, see Setting up Windows domain server
authentication, on page 2-82.
◆ Windows Active Directory
Uses the server at your site that supports Kerberos authentication against
a Windows 2000 or later server. For more information on this method,
see Setting up Active Directory authentication (Kerberos authentication),
on page 2-82.
◆ HTTP form-based
Integrates with single sign-on systems such as Oracle COREid, and
eTrust SiteMinder. For more information on this method, see Setting up
HTTP form-based authentication, on page 2-85.
◆ Client certificate passwordless
Requires no name or password at logon for users who have the installed
client certificate. For more information on this method, see Setting up
client-certificate-based authentication, on page 2-85.
◆ RSA SecurID
Uses the server at your site that supports RSA’s SecurID technology over
its native protocol. RSA SecurID represents a two-factor authentication
method that uses a combination of a known password and a digitally
generated string to grant access to the FirePass controller. The FirePass
Important
The SSO settings on the User Management screen do not affect the Single
Sign On mechanism based on cookies received from an external web server
during HTTP Basic or Form-Based authentication methods.
Tip
An SSO password defined on the User Management screen overrides an
SSO password configured in a RADIUS authentication method. To use the
SSO password configured in a RADIUS authentication method, leave the
SSO password and regular expression boxes blank on the User Management
screen.
Important
Depending on the conversion, you might be required to configure additional
settings. For example, if you convert to the internal authentication method,
you must make sure to specify passwords as well as add any missing data so
all of the boxes are filled on the associated user information screen. For
more information on converting to an authentication type, see the section
associated with the specific method. For example, if you are converting to
the RADIUS authentication method, see Setting up RADIUS server
authentication, on page 2-72.
Important
Be sure that the RADIUS server is configured to recognize the FirePass
controller as a client. Use the same shared secret in both the RADIUS
server configuration, and in the FirePass controller configuration.
Tip
You can specify up to three RADIUS servers for redundancy. The FirePass
controller tries to authenticate using the first configured server. If there is
no response, it falls back to the secondary server. If the secondary server
does not respond, the FirePass controller tries with the tertiary server.
In the Windows Services Manager, make sure that the service is set to
start each time the server starts, and is currently running. RSA SecurID
authentication using RADIUS takes place on a different port than does
native SecurID authentication.
◆ The SecurID server is configured correctly for RADIUS
authentication.
While using RSA SecurID over RADIUS, the SecurID server is a client
of itself. The RADIUS service functions as a standalone process, and if
the SecurID server is not set up as a client of itself, it rejects the FirePass
controller authentication request and does not store anything in the logs.
In this case, the FirePass controller reports that authentication has failed,
and with no log information, the failure is difficult to diagnose. To
troubleshoot, check that:
• You have enabled support for the RADIUS protocol for the RSA
SecurID server.
• You have configured the FirePass controller as a client of the RSA
SecurID server.
Note
Your schema may vary considerably from the examples presented in the
following list. The user object class user is different on some LDAP servers,
and your structure might have more layers of names defined between the
root and the leaves.
After the FirePass controller runs the query, if it finds a matching user entry,
it uses the returned DN value and the user-entered password to bind to the
LDAP directory. If the second bind succeeds, the authentication succeeds
(that is, the user is validated). If either bind fails, the authentication fails.
• Regular expression
This option appears only when one of the last two settings (regex
extraction) is selected for the previous option and defines a regular
expression used to extract certificate data for comparison and to fill the
%certfield% variable.
• Verification method
This option defines the criteria for successful secondary authentication,
that is, what is considered a successful verification of certificate data
against LDAP. The following choices are available:
• User DN found in LDAP
Specifies that the authentication attempt is successful when the user
record is retrieved from the LDAP database using the configuration
defined in the Configure LDAP settings section; no attribute check is
performed.
• Direct match of client certificate field to LDAP attribute
Specifies that the user record must be retrieved from LDAP, and
LDAP attribute value must match extracted certificate data exactly.
• Match client certificate field within LDAP attribute (substring)
Specifies that the user record must be found, and extracted certificate
data must be a substring of LDAP attribute value.
• Match LDAP attribute within client certificate field (substring)
Specifies that the user record must be found, and LDAP attribute
value must be a substring of the extracted certificate data.
• Configure LDAP Settings
This section specifies the LDAP server configuration, and the criteria
used to retrieve the user record from the LDAP database.
• LDAP server
Specifies the IP address or host name of the LDAP server
• LDAP port
Specifies the TCP port number for connecting to the LDAP server.
• Use SSL connection
Specifies whether the connection must use SSL.
• Protocol version
Specifies the LDAP protocol version. The default value is 3; the
FirePass controller supports versions 2 and 3.
• Bind DN
Specifies the DN for binding to the LDAP server. This is usually the
DN of the administrative account, or another account with LDAP read
access.
• Bind password
Specifies the password for the Bind DN.
• Get user DN using
Specifies the method the FirePass controller uses to retrieve the user
record from the LDAP database. The options are template and query.
• When the template method is selected, the User DN template box
appears. It specifies the template for the user record DN, for example
CN=%certfield%,CN=Users,DC=domain,DC=com or
CN=%logon%,OU=Sales,O=Company.
Variables in the template are replaced with their values at the time of
user authentication, and the resulting DN is retrieved from LDAP: the
FirePass controller performs an LDAP search using that DN as the base
DN, with the search filter objectClass=*, which returns the object with
that base DN, if it exists.
• When the query method is selected, the following boxes appear:
Query template - the template for an LDAP search filter; except for
%certdn%, all other variables described are supported
LDAP Verification
The FirePass controller performs LDAP verification in a specific order:
• Prerequisites are checked.
• If the User DN found in LDAP verification method is selected, there
are no prerequisites.
• Otherwise, if you use an attribute check, the Client certificate
subject setting used for verification must be configured, and the
LDAP attribute used for verification must not be empty.
• If prerequisites are not met, LDAP verification fails.
• The FirePass controller extracts certificate data according to the
configuration options in the first section, and places them in a temporary
%certfield% variable. This field is automatically used in the user DN
template or query template when the FirePass controller retrieves the
user from the LDAP directory in the next step.
• When you select the User DN found in LDAP verification method:
• The user record is retrieved from the LDAP directory, according to
the configuration options specified.
• If the FirePass controller has a communication problem with the
LDAP directory, an error is reported (Connect Failed, Bind Failed,
or Request to LDAP server Failed) and verification fails.
• If the FirePass controller does not find the user record, errors are
logged (LDAP search result - User not found, Client certificate
match against LDAP - Failed, Client certificate validation -
Failed) and verification fails.
• If the FirePass controller finds the user in the database, a message is
logged (LDAP search result - User found, and Client certificate
validation - Succeeded) and verification succeeds.
• If you have selected an attribute check method:
• If no data was extracted from the certificate in the previous step (that
is, the %certfield% value is empty), errors are logged (LDAP query
results - No client cert setting and Client certificate validation -
Failed) and verification fails.
• If there is no error, the FirePass controller retrieves the user from the
LDAP directory according to the configuration.
• If the FirePass controller has a communication problem with the
LDAP directory, an error is reported (Connect Failed, Bind Failed,
or Request to LDAP server Failed) and verification fails.
• If the FirePass controller does not find the user record, errors are
logged (Client certificate match against LDAP attribute - Failed,
Client certificate validation - Failed) and verification fails.
• If the FirePass controller finds the user record, the extracted
certificate data is matched against LDAP attribute. If the FirePass
controller matches the fields successfully, a message is logged (Client
certificate setting match within LDAP attribute - Succeeded, or
LDAP attribute match within certificate setting - Succeeded, or
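The following is an added example, not FirePass code: it writes out the client-certificate-against-LDAP check described in this section as plain functions, so the three stages can be read in the order the controller applies them: extracting %certfield% with the Regular expression option (using the e-mail pattern |email:.*, email:(.*)| that appears later in this chapter), rendering the User DN template or Query template, and applying the selected Verification method to the attribute value found. It also shows the step the page does not spell out, escaping the substituted values (RFC 4514 for a DN, RFC 4515 for a filter), without which a certificate field containing ",OU=Admins" would change which entry the base-DN search returns. No directory is contacted; the directory is an in-memory map of constructed entries, and jsmith / example.com are made-up names.

```javascript
// Added example, not FirePass code: certificate-field extraction, DN/filter template
// rendering with escaping, and the verification-method decision, over constructed data.
'use strict';

// Step 1: the Regular expression option; capture group 1 becomes %certfield%.
function extractCertField(fieldValue, pattern) {
  const m = new RegExp(pattern).exec(fieldValue);
  return m && m[1] !== undefined ? m[1] : '';
}

// Step 2a: RFC 4514 escaping for a value placed in a DN template such as
// CN=%certfield%,CN=Users,DC=domain,DC=com.
function escapeDnValue(v) {
  let out = v.replace(/([\\,+"<>;=])/g, '\\$1');
  if (out.startsWith(' ') || out.startsWith('#')) out = '\\' + out;
  if (out.endsWith(' ')) out = out.slice(0, -1) + '\\ ';
  return out;
}

// Step 2b: RFC 4515 escaping for a value placed in a Query template (search filter).
function escapeFilterValue(v) {
  return v.replace(/[\\*()\0]/g, c => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Substitute %name% tokens with escaped values; unknown variables become empty.
function renderTemplate(template, vars, escape) {
  return template.replace(/%([A-Za-z0-9_.]+)%/g, (m, name) => (name in vars ? escape(vars[name]) : ''));
}

// Step 3: the Verification method. `record` is the entry found (null if none), `attr` the
// LDAP attribute used for verification. `log` is one of the messages the page lists.
function verifyCertificate(method, certfield, record, attr) {
  if (method === 'dn_found') {                 // User DN found in LDAP: no attribute check
    return record ? { ok: true, log: 'LDAP search result - User found' }
                  : { ok: false, log: 'LDAP search result - User not found' };
  }
  if (certfield === '') {                      // prerequisite: something was extracted
    return { ok: false, log: 'LDAP query results - No client cert setting' };
  }
  const value = record ? record[attr] : undefined;
  if (value === undefined || value === '') {   // prerequisite: attribute must not be empty
    return { ok: false, log: 'Client certificate match against LDAP attribute - Failed' };
  }
  let matched;
  switch (method) {
    case 'direct':       matched = value === certfield;       break; // exact match
    case 'cert_in_attr': matched = value.includes(certfield); break; // cert data inside attribute
    case 'attr_in_cert': matched = certfield.includes(value); break; // attribute inside cert data
    default: throw new Error('unknown verification method: ' + method);
  }
  return matched ? { ok: true, log: 'Client certificate validation - Succeeded' }
                 : { ok: false, log: 'Client certificate validation - Failed' };
}

// Constructed directory: DN -> attributes.
const SAMPLE_DIRECTORY = {
  'CN=jsmith,CN=Users,DC=example,DC=com': {
    mail: 'jsmith@example.com',
    otherMailbox: 'email:jsmith@example.com, email:john.smith@example.com',
  },
};

function demo() {
  const certEmails = 'email:jsmith@example.com, email:john.smith@example.com'; // constructed cert field
  const certfield = extractCertField(certEmails, 'email:.*, email:(.*)');     // the second address
  const dnTemplate = 'CN=%logon%,CN=Users,DC=example,DC=com';
  const dn = renderTemplate(dnTemplate, { logon: 'jsmith' }, escapeDnValue);
  const hostileDn = renderTemplate(dnTemplate, { logon: 'jsmith,OU=Admins' }, escapeDnValue);
  const filter = renderTemplate('(mail=%certfield%)', { certfield: 'a*b' }, escapeFilterValue);
  const record = SAMPLE_DIRECTORY[dn] || null;
  return {
    certfield, dn, hostileDn, filter,
    direct:      verifyCertificate('direct', 'jsmith@example.com', record, 'mail').ok,        // true
    certInAttr:  verifyCertificate('cert_in_attr', certfield, record, 'otherMailbox').ok,     // true
    attrInCert:  verifyCertificate('attr_in_cert', certEmails, record, 'mail').ok,            // true
    mismatch:    verifyCertificate('direct', certfield, record, 'mail').ok,                   // false
    emptyField:  verifyCertificate('direct', '', record, 'mail').log,
    unknownUser: verifyCertificate('dn_found', '', SAMPLE_DIRECTORY[hostileDn] || null, 'mail').ok, // false
  };
}
```

Two things the demo makes visible: the escaped hostileDn is a DN that simply does not exist in the directory, rather than a lookup of a different entry, and an empty %certfield% fails before any directory access, which is the prerequisite check the page describes.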
Note
You can test the URL by logging on with valid and invalid credentials, to
make sure your external authentication server issues a challenge when
invalid credentials are tendered, and that it does not send a redirect.
Note
In a strong password, neither the number nor the special character may be
in the last character position.
Use the variable (certfield or username) that is most appropriate for your
configuration.
Note
To use this feature, you must install the client root CA certificate on the
FirePass controller, and configure user name extraction from the client
certificate. Additionally, you must configure the master group with the client
certificate authentication method, and set the option Perform additional
client certificate check using to Active Directory.
You select the secondary Active Directory authentication option from the
list Perform additional client certificate check using, then specify the
secondary authentication option.
to extract the second e-mail address from this attribute using a regular
expression, you can use the following expression
|email:.*, email:(.*)|
◆ Passwordless auto-logon
The presentation of a valid user client certificate, where the common
name (CN) matches the user logon name, enables either a zero-click or
one-click automatic logon. You can configure a passwordless automatic
logon mechanism on the Authentication screen. To access the screen,
click Users, expand Groups, click Master Groups, and click the link in
the Authentication column for the master group you want to configure.
For information about this feature, see Configuring passwordless
authentication, on page 2-89.
◆ Dynamic group mapping
The existence of a valid user client certificate allows use of options
within the client certificate to enable dynamic mapping of users into
particular FirePass controller master authentication groups or to
particular resource groups. This allows use of extensive resource policy
management based on the existence of settings within a client certificate.
You can configure the dynamic group mapping mechanism on the
Dynamic Group Mapping screen. To access the screen, click Users,
expand Endpoint Security, and click Dynamic Group Mapping. For
information about dynamic group mapping, see Setting up dynamic
group mapping, on page 2-16.
◆ Pre-logon sequence processing
The existence or nonexistence of a valid user client certificate controls
whether the FirePass controller performs the defined pre-logon actions,
such as loading the protected workspace or denying access to the
FirePass controller logon screen. You can configure a pre-logon
sequence that requires client certificates on the Pre-Logon Sequence
screen. To access the screen, click Users, expand Endpoint Security,
and click Pre-Logon Sequence. For information about pre-logon
sequences and inspectors, see Creating pre-logon sequences to protect
resources, on page 3-15.
◆ Resource protection
You can use client certificates to control access to resources by assigning
a previously defined and named endpoint configuration (created using
the New Protected Configuration link on the Users : Endpoint Security
: Protected Configurations screen) to a resource on the Protect Resources
screen. To access the screen, click Users, expand Endpoint Security,
and click Protect Resources, and then click the Select link for each
service you want to protect. For information about protected
configurations, see Creating protected configurations, on page 3-27.
◆ Install the client root certificate on the FirePass controller. You can
install a client root certificate using the Certificates screen. To access the
screen, click Device Management, expand Security, and click
Certificates.
◆ Enable the validation of client certificates.
◆ Configure client certificate validation as part of the authentication for a
group.
◆ Instruct users how to download and install the client certificate on their
computers. You can also email the client certificates to users.
◆ Install a certificate revocation list (CRL) that contains a list of client
certificates for users who you want to deny access to the FirePass
controller, for example, the revoked client certificates of users who have
left your company.
The FirePass controller can then request and validate the computer’s
client certificate against its installed client root certificate as part of the
authentication process.
If you have more than one client root certificate installed, you can select a
client certificate issuer to restrict authentication to certificates issued by that
specific client root certificate. For more information on functionality with
more than one client root certificate installed, see Installing and configuring
client root certificates, on page 4-13.
Note
To use this feature, you must install the client root CA certificate on the
FirePass controller, and configure user name extraction from the client
certificate. Additionally, you must configure the master group with the client
certificate authentication method, and configure the option Perform
additional client certificate check using to use Active Directory.
Important
In all cases, the source IP address must match the SourceIP address in the
IP packets received by the RSA SecurID server.
For specific procedures for each of these operations, see the online help for
the Device Management : Configuration : RSA SecurID screen.
If you have already configured one or more RSA SecurID servers on the
FirePass controller, you can select from the list of RSA SecurID servers on
the Users : Groups : Master Groups screen, using the Authentication tab.
◆ Portal Access
Provides a web-based application that gives users access to POP or
IMAP email, network shares, and proprietary corporate applications. For
more information about portal access, see Introducing Portal Access, on
page 7-1.
◆ Network Access
Connects users to the network just as if they were using a traditional
IPsec Virtual Private Network connection. Then users can access any
applications that use IP networking between their remote computer and
the corporate intranet structure, enabling full network access through an
SSL-VPN tunnel. For more information about network access, see
Introducing Network Access, on page 5-1.
◆ Application Access
Provides users access in the following ways:
• App Tunnels, connections to a server on a corporate LAN that uses an
HTTPS-based, encrypted tunnel through the FirePass controller.
• Terminal Servers, connections to Microsoft Terminal Servers,
Windows XP® desktops, MetaFrame® servers, and VNC servers.
• Legacy Hosts, connections to legacy green-screen systems (for
example, VT100, VT320, TN3270, and others) on mainframes,
AS/400s, and UNIX hosts.
Note
Portal access, network access, and application access all have master group
settings. When you configure favorites for a resource group, you should also
check the master group settings. Master group settings apply to all favorites
in a category. To find a category’s master group setting, from the
navigation pane, click Network Access, Portal Access, or Application
Access, and then click Master Group Settings. You can find more
information about master group settings in the online help for the associated
screen.
4. From the Available list, select the resource group or groups you
want to make accessible to users in the master group.
You can use the Shift and Ctrl keys to select multiple resource
groups.
5. Click the Add button to add the resource groups to the Selected list.
See Figure 2.1, on page 2-2, for a visual representation of the relationship
between users, master groups, resource groups, and favorites categories.
Tip
You can switch to a different resource group by selecting a group from the
Resource Group list. This is an easy way to switch from one resource group
to another, without returning to the Resource groups list screen.
Impersonating a user
You can use the Impersonate User feature to log on as if you were a user.
This feature can help you troubleshoot configuration once everything is
configured. You can find Impersonate User on the Users item in the
navigation pane. This feature is useful for checking favorites that you create
and for troubleshooting other connection issues.
Important
When you impersonate a user, the system ends your administrative session.
The impersonation process skips the step of authenticating the user. In order
to skip authentication, the FirePass controller must have sufficient
information about those users to treat them appropriately. Therefore, you
can impersonate only those users whose information is maintained in
FirePass controller data store.
When you log on using the Impersonate User feature, the system behaves as
if the user were authenticated, even if that user cannot pass the normal
logon procedure. While impersonating a user, you do not have access to any
network resources that require logging on.
While you are impersonating a user, the system records the actions of the
impersonated user in the Sessions report, available in Reports : Sessions.
Because the user did not actually log on, the system does not record an entry
in the Logon report.
Note
Although you can impersonate deactivated users, you do not have access to
any of the users’ assigned resources.
3
Configuring Endpoint Security
• Protecting resources
Collecting information
The FirePass controller collects various types of information about the client
system using browser add-ons. In clientless mode, that is, when the
inspection process does not download any controls or plug-ins, the endpoint
security process inspects the HTTP headers to gather the information.
The FirePass controller provides checking primarily for Windows-based
systems, and some of the checking is not supported on Mac OS X or Linux
systems. The FirePass controller does support file checking on Mac OS X
and Linux systems. Table 3.1, following, shows the complete list of
inspectors.
◆ Decision
The decision box allows you to present the user with options to select from
a list. You can use a rule containing the variable
session.user_decision.last.check==1 to match the first option selected by
the user. The default options are Yes and No, but you can modify these
options, and you can add other options from which the user can select.
◆ Define custom variable
Defines a new variable, or assigns a value to an existing one. For more
information about custom variables, see the section Using variables
generated by inspectors for Action Rule expressions in the online help for
the Pre-Logon Sequence screen.
◆ Extended Windows information
Gets version information about the Windows operating system, such as
version and hotfix information, from the remote system. This inspector sets
the session.win_info.os_version, session.win_info.hotfixes.count, and
session.win_info.hotfixes.hf_<hotfixname> variables, which you can then
use to define a rule for a specific action in a sequence.
◆ Far-End Security Integration
Provides integration with third-party endpoint security products using the
session.external_security_check.result session variable. A match to
session.external_security_check.result == 1 indicates that the check
completed successfully.
You can use this inspector to detect WholeSecurity's Confidence Online™
Server, which automatically identifies and eliminates both known and
unknown threats without requiring users to install or update signatures. For
more information about how to use this feature, see the deployment guides
for FirePass controller integration with Whole Security, available on the F5
Networks Solution Center at http://www.f5.com/solutions/.
◆ Google Desktop Search Inspector
Checks for the presence of Google Desktop Search software using the
session.google_desktop_check.result session variable. A match to
session.google_desktop_check.result != 1 indicates that Google Desktop
Search is running.
Configuring Endpoint Security
Internet Explorer information Collects version information about the Internet Explorer software, such as
version and hotfix information, from the remote system. This inspector
generates the variables session.ie_info.version,
session.ie_info.hotfixes.count, and
session.ie_info.hotfixes.hf_<hotfixname>, which you can then use to define
a rule for a specific action in a sequence.
Linux file checker Checks for the presence of certain Linux files and uses an MD5 hash of the file
contents to verify them. This inspector uses the session.file_check_linux.<filename>.result
session variable. A match to
session.file_check_linux.<filename>.result == 1 indicates the presence of the
file with all associated parameters. Note that MD5 is not collision resistant, so
treat a matching hash as evidence that the expected file is present, not as proof
that the file has not been tampered with.
Logger Writes user-defined information to the logon and system logs. For the string,
you can use a session variable name enclosed in percent symbols (%) to have
the system substitute the appropriate information. For example, typing Logon
from %session.network.client.ip% creates an entry containing the IP address
for the client system where the logon operation originated.
Mac OS X file checker Checks for the presence of certain Mac OS X files and uses MD5 to
verify files. This inspector uses the
session.file_check_macosx.<filename>.result session variable. A match to
session.file_check_macosx.<filename>.result == 1 indicates the presence of
the file with all associated parameters.
Mailer (Sending email action) Sends email to the specified address during the pre-logon operation. For the
string, you can use a session variable name enclosed in percent symbols (%) to
have the system substitute the appropriate information.
For example, you can type the following message text:
Antivirus: %session.detected_av.av_1.name%,
%session.detected_av.av_1.engine_version%,
%session.detected_av.av_1.monitor%,
%session.detected_av.av_1.database_time%,
%session.detected_av.av_1.last_scan%
The following is a sample message constructed using these session variables.
pre-logon: Antivirus: McAfeeAV, 4400, enabled, 2005.08.01.00.00,
2005.07.29.00.00
For a list of session variables, see Using variables generated by inspectors for
Action Rule expressions in the online help for the Pre-Logon Sequence screen.
Important: A busy or incorrectly configured email server can cause an
extended delay in a pre-logon process. You can configure the email server on
the Device Management : Configuration : SMTP Server screen.
Message Presents a message to the user during the pre-logon check and prompts the
user to click the Continue button to continue with the pre-logon check. This
inspector does not return any session variables.
You can use the Endpoint Inspector Details screen to create the message you
want to present. In addition to the content you enter, you can select left
alignment, center alignment, or right alignment of the message text.
Protected Workspace inspector Controls various aspects of switching Windows 2000 and Windows XP users to
run inside the F5 Networks protected workspace (PWS). Running inside the
PWS, you can restrict users from printing, saving files, or storing information on
a Windows file share. Placing users inside the PWS is especially useful when
your users are working on devices that are outside of company control.
Running inside the PWS only reduces the risk of unintentional or accidental
information leaks, but does not eliminate that risk.
Virtual keyboard enabler Toggles use of the virtual keyboard for client logon operations. Activating this
inspector presents a graphical representation of a keyboard and requires users
to enter their password by clicking keys on the graphical keyboard with the mouse.
This helps prevent keystroke loggers from harvesting users' logon names and
passwords. In addition to presenting the virtual keyboard, you can elect to have
the keyboard graphic reposition itself randomly with each mouse click.
Random repositioning prevents captured mouse coordinates from revealing the
password.
Windows antivirus checker Enforces antivirus protection and performs endpoint checks for viruses.
Using one instance of this inspector, you can check for up to three antivirus
packages. To find the list of supported antivirus packages, see the online help
for the Windows antivirus checker.
Windows file checker Checks for the presence of certain Windows files using the
session.file_check.<filename>.result session variable. A match to
session.file_check.<filename>.result == 1 indicates the presence of the file
with all associated parameters.
Windows firewall checker Checks for the presence of a firewall on the remote system. This inspector uses
the following rules:
running: session.fw.summary.enabled == 1
installed: session.fw.summary.count > 0
You can enable the Windows firewall if other firewalls are not enabled. To find
the list of supported firewalls, see the online help for the Windows firewall
checker.
Windows machine certificate checker Checks for the presence of a machine certificate on Windows clients.
Windows process checker Collects information about running Windows processes using the
session.process_check.<process>.result session variable. A match to
session.process_check.<process>.result == 1 indicates that the process is
running.
Windows registry checker Collects information about Windows registry keys using the
session.process_check.<registry_check_ID>.result session variable. A
match to session.process_check.<registry_check_ID>.result == 1 indicates
the presence of the registry item specified on the details page for this inspector.
Windows Group Policy Inspector Delivers and applies Group Policy settings to endpoint systems.
WARNING
If logging is enabled on the FirePass controller, expect a reduction in
performance as a result.
Performing remediation
When the endpoint security process is inspecting the client systems, it can
take several actions to correct the state or condition of the client computer.
◆ Present information to the user
If the inspection process requires the download of certain controls or
plug-ins, and the user does not have sufficient privileges for the
download operation, the system can inform the user and present
recommendations for making the changes necessary, or prompt the user
to download and install a security update. You can present information to
the user using the Information box inspector.
◆ Perform the action needed
If the protection configuration needs a specific condition to be met, and it
is possible to perform the action, the system takes the remediative action
necessary. The following items describe some actions that the system can
take to remediate the situation.
Protecting resources
The final task of the pre-logon sequence is to protect resources. Protected
configurations use information that the inspectors gather to protect the
resource you assign them to. Protected configurations use the values that the
pre-logon sequence returns in its session variables to determine how to
respond to requests for resource access.
Important
If you plan to use protected configurations to grant or deny access to
resources, you must construct and activate a pre-logon sequence that
collects all necessary information. If you assign protected configurations to
your resources, but you do not activate a sequence, users receive the
following message: Endpoint check is not activated or pre-logon inspection
failed.
• Antivirus vendor
Represents the maker of the antivirus software.
• Engine version
Represents the number assigned to a specific release of the software.
• Database signature
Represents an electronic, encryption-based, secure stamp of
authentication provided by the antivirus vendor by which you can
determine the authenticity of the software.
You can find database signature information by searching the Internet
or checking for the value on a specific product's web site.
• Database update time
Represents the timestamp of the antivirus signature database on the user's
computer.
◆ Custom inspector usage
Gathers data related to the custom variable defined.
For more information, see the Endpoint Inspector Details online help for
the Define custom variable inspector.
Figure 3.2 Corporate Access Check pre-logon sequence with open CHANGE SEQUENCE pane
As you construct pre-logon sequences, you can use the elements described
in Table 3.2.
Element Description
Action Represents one or more inspectors associated with one or more rules. Actions provide the
context for the inspectors. In the visual policy editor, actions appear inside a rectangle.
Rule Contains one or more Boolean expressions that describe a specific condition. Rules
evaluate what information the inspector collects. Each action has a fallback rule that
evaluates to true so you can specify the action to take if the result is not acceptable. For
example, the predefined action Check client certificate contains two rules: yes and
fallback. The yes rule defines the action to take if the result returned is acceptable. The
fallback rule defines the action to take if the result is not acceptable. In the visual policy
editor, rules appear along connecting lines as underlined words.
Ending Indicates the final outcome of the pre-logon inspection. The FirePass controller provides the
following endings: Logon Allowed, Logon Denied, External Logon Page (Client data
posted), Redirect (No client data posted), and Subsequence. In the visual policy editor,
endings appear in a rectangle with a cut-out right edge.
External Logon Page and Redirect perform essentially the same function, except that
Redirect uses an HTTP GET for the redirection and does not post any client data to the
external server.
Subsequence Represents a collection of actions, rules, and endings that branch off from the main
sequence path. In the visual policy editor, subsequences appear in the lower portion of the
screen, under the heading Subsequences. In the visual policy editor, a subsequence
appears in a rectangle with a pointed-out right edge when it occurs in the sequence.
The subsequence appears in a shaded rectangle with a pointed-out right edge when it
occurs in the subsequence.
Important
You must create the pre-logon sequence to gather the information that the
protected configurations need. Otherwise, protected configurations block
access.
Note
actions, see Using actions in pre-logon sequences, on page 3-19, and for
more information about rules, see Defining rules for actions in pre-logon
sequences, on page 3-23.
For example, you might want to require that all users operate inside a
protected workspace while they access a specific resource. To do so, you
create a new sequence, and add the action that switches the user to the
protected workspace.
Figure 3.3 The completed sequence containing the Switch to PWS action
Next, you use the data the pre-logon sequence gathered in a protected
configuration. For more information, see Using data gathered by pre-logon
sequences, following.
The active pre-logon sequence runs when a user tries to log on to the
FirePass controller. Only one pre-logon sequence is active at any one time.
A selected button next to the sequence name on the Users : Endpoint
Security : Pre-Logon Sequence screen indicates the active pre-logon
sequence.
6. Click the Protection Criteria tab along the top of the table.
The Protected Configurations screen opens with the Protection
Criteria tab selected.
7. Click the Information Leaks link.
The screen refreshes to reveal the safety measures or checks
associated with information leaks.
8. From the list, select Protected Workspace, and then click Add.
The Required safety measures or checks area refreshes to contain
the Protected Workspace criterion.
9. Click Save.
The Protected Configurations screen opens, with the protected
configuration you created shown at the bottom of the list.
10. Next, you assign the protected configuration to a resource. For more
information, see Assigning a protected configuration, following.
You can see an example of the action pane for the Check for Antiviruses
action in Figure 3.5, on page 3-22, available when you have a license for the
Anti-Virus / FireWall Checker inspector. Table 3.3 shows the rules and
definitions for the Check for Antiviruses action.
Rule: AV installed
Definition: (session.av.summary.count > 0) AND
(NOT (EXIST(session.av_scan.infected) AND
(session.av_scan.infected != 0)))
Table 3.3 Rules and definitions for the Check for Antiviruses action
The action pane is where you can type a description for the action, add and
modify the action's inspectors, and define rules for the action to use. Figure
3.5 shows the action pane for the Check for Antiviruses action with its rules.
Figure 3.5 The action pane for the Check for Antiviruses action
For additional information, see the help for each inspector, and review the
rules of the predefined actions shipped with the FirePass controller.
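The rule in Table 3.3 reads naturally once you see how the operators combine: the antivirus count must be positive, and the av_scan.infected variable must either be absent or be zero. The following Python, added here as an illustration and not part of the FirePass product or this manual, evaluates rule expressions of that form against a dictionary of session variables and then selects the first matching rule of an action in editor order, with the always-true fallback rule last, as the visual policy editor does. The grammar (AND, OR, NOT, EXIST(), the six comparison operators and parentheses) is assumed from the examples on this page; the session values are constructed, and how the real controller treats an unset variable in a comparison (here: the comparison never matches) is an assumption.

```python
import operator
import re

# Added example, not F5 code.  Grammar assumed from the rule expressions on this
# page; an unset session variable makes a comparison false (assumption).
_TOKEN = re.compile(
    r"\s*(?:(?P<num>\d+)|(?P<op>==|!=|>=|<=|>|<)|(?P<paren>[()])"
    r"|(?P<word>[A-Za-z_][A-Za-z0-9_.]*))"
)
_KEYWORDS = {"AND", "OR", "NOT", "EXIST"}
_OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
        "<": operator.lt, ">=": operator.ge, "<=": operator.le}


def tokenize(text):
    """Split a rule expression into (kind, value) tokens; keywords are case-insensitive."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {text[pos:pos + 12]!r}")
        pos, kind, val = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind == "word" and val.upper() in _KEYWORDS:
            tokens.append(("kw", val.upper()))
        elif kind == "num":
            tokens.append(("num", int(val)))
        else:
            tokens.append((kind, val))
    return tokens


class _Parser:
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*;
    factor := NOT factor | EXIST '(' name ')' | '(' expr ')' | operand [op operand]."""

    def __init__(self, tokens, session):
        self.toks, self.i, self.session = tokens, 0, session

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, val=None):
        tok = self.peek()
        if (kind and tok[0] != kind) or (val is not None and tok[1] != val):
            raise ValueError(f"expected {val or kind}, got {tok}")
        self.i += 1
        return tok

    def parse(self):
        result = self.expr()
        if self.peek() != (None, None):
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return result

    def expr(self):
        left = self.term()
        while self.peek() == ("kw", "OR"):
            self.take()
            right = self.term()          # both sides are parsed and evaluated
            left = left or right
        return left

    def term(self):
        left = self.factor()
        while self.peek() == ("kw", "AND"):
            self.take()
            right = self.factor()
            left = left and right
        return left

    def factor(self):
        tok = self.peek()
        if tok == ("kw", "NOT"):
            self.take()
            return not self.factor()
        if tok == ("kw", "EXIST"):       # EXIST(name): true only if an inspector set it
            self.take()
            self.take("paren", "(")
            name = self.take("word")[1]
            self.take("paren", ")")
            return name in self.session
        if tok == ("paren", "("):
            self.take()
            value = self.expr()
            self.take("paren", ")")
            return value
        left = self.operand()
        if self.peek()[0] == "op":
            op, right = self.take()[1], self.operand()
            if left is None or right is None:   # unset variable never matches (assumption)
                return False
            try:
                return _OPS[op](left, right)
            except TypeError:            # e.g. a version string compared with a number
                return False
        return bool(left)

    def operand(self):
        kind, val = self.take()
        if kind == "num":
            return val
        if kind == "word":               # numeric strings from inspectors compare as numbers
            val = self.session.get(val)
            return int(val) if isinstance(val, str) and val.isdigit() else val
        raise ValueError(f"unexpected token {kind} {val!r}")


def evaluate_rule(expression, session):
    """Evaluate one rule expression against the session variables the inspectors produced."""
    return _Parser(tokenize(expression), session).parse()


def select_branch(rules, session):
    """Name of the first rule (in editor order) whose expression is true; the fallback
    rule is last and always true, so every session leaves the action on some branch."""
    for name, expression in rules:
        if evaluate_rule(expression, session):
            return name
    raise RuntimeError("no rule matched; an action must end with a fallback rule")


# The Check for Antiviruses action from Table 3.3, followed by its fallback rule.
CHECK_FOR_ANTIVIRUSES = [
    ("AV installed", "(session.av.summary.count>0)AND"
                     "(NOT(EXIST(session.av_scan.infected) AND (session.av_scan.infected != 0)))"),
    ("fallback", "1"),
]

if __name__ == "__main__":
    # Constructed session states; on the controller the inspectors populate these.
    for label, session in (("clean", {"session.av.summary.count": 1}),
                           ("infected", {"session.av.summary.count": 1, "session.av_scan.infected": 2}),
                           ("no antivirus", {"session.av.summary.count": 0})):
        print(f"{label:>13}: {select_branch(CHECK_FOR_ANTIVIRUSES, session)}")
```

The same evaluate_rule call covers the firewall checker rules above (session.fw.summary.enabled == 1 and session.fw.summary.count>0); the point to take from the example is that a variable an inspector never set (for instance av_scan.infected on a client without a scan result) must not, on its own, push the user onto the fallback branch, which is exactly what the EXIST() guard in Table 3.3 arranges.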
To create a rule
1. In the navigation pane, click Users, expand Endpoint Security, and
click Pre-Logon Sequence.
The Pre-Logon Sequence screen opens.
2. Open an existing sequence, or create a new one.
The visual policy editor opens.
3. Add an action as described in Creating a pre-logon sequence, on
page 3-15.
The action pane opens in the visual policy editor.
4. From the Using list in the action pane, select New action.
5. Click Apply changes.
The sequence refreshes to contain the action New action.
6. In the Name box in the action pane, change the name to a
meaningful title for the action, and add some descriptive text in
Description, if you like.
7. Click Update details.
The visual policy editor refreshes to show the title you specified.
8. Position the cursor along the connecting line between the action you
added and the fallback rule, until you see the Add Action button.
For a list of the session information returned by specific inspectors, see the
online help for the Pre-Logon Inspection screen.
Figure 3.6 The subsequence certificate check from the Corporate Access
Check sequence
Important
Protected configurations use the result of the pre-logon and post-logon
operations to determine how to respond to requests for resource access. To
take advantage of protected configurations, you must define and activate a
pre-logon sequence. If you assign a protected configuration without
properly configuring a pre-logon sequence, you lock out all access to that
resource.
Unauthorized Access The following protection criteria are available for preventing unauthorized access:
Client Certificate
Requires that the client certificate meet criteria specified in properties. For this type of
protection, you must enable a pre-logon sequence.
Trusted Network
Specifies that logon is restricted to traffic arriving from the networks specified in properties.
Time Interval
Restricts access to the days and hours specified in properties. This protection requires no
pre-logon sequence.
Custom Check
Checks variables collected by the pre-logon sequences (or a variable set by the define
custom variable inspector). For this type of protection, you must enable a pre-logon
sequence.
Note: Only the Custom Check protection can use the data returned by the user-defined
variable in a pre-logon sequence. For more information, see the online help for the Endpoint
Inspector Details screen for the Define custom variable inspector.
Logon Allowed
Checks that pre-logon inspection ran and that logon was allowed. For this type of protection,
you must enable a pre-logon sequence.
Information Leaks In addition to Client Certificate, No Measure or Check Required, and Trusted Network,
described above, the following protection criteria are available for preventing information
leaks:
Protected Workspace
Requires a user workspace that prevents external access, and deletes any files created
before leaving the protected area. When you add the Protected Workspace protection, the
user is placed into the protected workspace after logging on successfully. Operating inside
the protected workspace restricts access to specific folders, and deletes all files created
when the user logs out. You can read more about using the protected workspace inspector
in the Endpoint Security : Pre-Logon Sequence online help. For this type of protection, you
must use the Protected Workspace inspector in an enabled pre-logon sequence.
Cache Cleaner
Removes content from the cache when users log out. For this type of protection, you must
enable Inject ActiveX/Plugin to clean-up client browser web cache on the Users :
Endpoint Security : Post-Logon Actions screen.
Trusted Browser
Requires use of a browser specified in properties. If you specify Trusted Browser, make sure
also to configure the browsers you want to accept in properties. For this type of protection,
you must use the Internet Explorer information inspector in an enabled pre-logon sequence.
Virtual Keyboard
Specifies that passwords be entered using mouse clicks on a screen representation of a
keyboard. For this type of protection, you must use the Virtual Keyboard Enabler inspector in
an enabled pre-logon sequence.
Registry Control
Associates a result with the name of a specific check defined in a Windows registry checker
inspector in the pre-logon sequence. For this type of protection, you must use the Windows
registry checker inspector in an enabled pre-logon sequence.
Process Control
Associates a result with the name of a specific check defined in a Windows process checker
inspector in the pre-logon sequence. For this type of protection, you must use the Windows
process checker inspector in an enabled pre-logon sequence.
File Control
Associates a result with the name of a specific check defined in a Windows file checker
inspector in the pre-logon sequence. For this type of protection, you must use the Windows
file checker inspector in an enabled pre-logon sequence.
Firewall
Requires the presence of specific firewall software. You specify the firewall software in the
properties for this type of protection. For this type of protection, you must use the Windows
firewall checker inspector in an enabled pre-logon sequence.
Note: You must have an Anti-Virus/Firewall/Inspector license on the FirePass controller to
inspect the client system for antivirus and firewall software. If you do not have a license,
contact your sales representative to get one.
Protecting resources
Once you have created the protected configurations you want, you protect
resources, a process of assigning protected configurations to resources,
applications, and file stores. The FirePass controller uses protected
configurations to control access to network resources.
For example, you may have a general configuration for all Network Access
favorites, which require only that the logon arrive from a computer with
installed and running antivirus software. In this case, you would create a
pre-logon sequence that requires company-provided antivirus software,
define a protected configuration that uses the information from the
pre-logon sequence, and assign the protected configuration to all Network
Access favorites. This prevents access to network resources from computers
that are possibly infected, thus protecting your corporate intranet.
A protected configuration is a definition of criteria that users' systems must
meet in order to be granted access to specific resources.
Once you define a protected configuration, you must assign it. You can
assign resource protection at the following levels:
• Webtop
Protects all types of resource favorites.
• Resource type
Protects a class of resource favorites (for example, Web Applications or
Network Access favorites).
• Resource group
Protects all elements defined in resource group including favorites and
access control lists.
• Individual
Protects a single resource (for example, the Sales Intranet).
Important
Protected configurations use the result of pre-logon and post-logon
operations to determine how to respond to requests for resource access. To
take advantage of protected configurations, you must define and activate a
pre-logon sequence. If you assign a protected configuration without
properly configuring a pre-logon sequence, you lock out all access to that
resource.
Note
You can specify different post-logon protection for each master group.
For more information on each of these options, see the help for the
Post-Logon Actions screen, available under Users : EndPoint Security.
4 Using Server Certificates
Note
When a signed certificate expires and you do not plan to update it, you
should delete it from the FirePass controller. For information on how to
delete a certificate, see Deleting installed certificates, on page 4-12.
Important
Before you make the FirePass controller available to external users, you
should replace the default server certificate with a permanent certificate
that is appropriate for your environment.
The system verifies the certificate during the TLS handshake. If it detects any
error in the certificate chain, it terminates the connection to the backend
server and presents an error notification screen to the user.
The certificate must begin and end with the following lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
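Most upload failures at this step are paste errors: a missing marker line, a line lost from the base64 body, or the private key (new.key) pasted into the certificate field by mistake. The following Python, added here as an illustration and not part of the FirePass product or this manual, checks pasted PEM text for the marker lines the page requires and, beyond what the page states, checks that every block is well-formed base64 wrapping a complete DER SEQUENCE, so a truncated paste is caught before it reaches the controller. The pem_block helper and the minimal DER placeholder it wraps are constructed test input, not a real certificate.

```python
import base64
import re

# Added example, not F5 code.  The marker requirement is from the manual; the
# base64 and DER-length checks are additional sanity checks for mangled pastes.
CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
CERT_END = "-----END CERTIFICATE-----"
_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S)


def der_total_length(blob):
    """Length the outer DER SEQUENCE claims: tag byte + length bytes + content."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("block is not a DER SEQUENCE (an X.509 certificate starts with 0x30)")
    first = blob[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def parse_certificate_text(text):
    """Return the DER bytes of every CERTIFICATE block in text, in the order pasted.

    Raises ValueError if the text does not start and end with the certificate
    markers, if a non-certificate block (for example new.key) was pasted in, or
    if a block is not complete base64 wrapping a complete DER SEQUENCE."""
    stripped = text.strip()
    if not stripped.startswith(CERT_BEGIN) or not stripped.endswith(CERT_END):
        raise ValueError(f"text must begin with {CERT_BEGIN} and end with {CERT_END}")
    certs = []
    for m in _BLOCK.finditer(stripped):
        label, body, end_label = m.group(1), m.group(2), m.group(3)
        if label != end_label:
            raise ValueError(f"BEGIN {label} is closed by END {end_label}")
        if label != "CERTIFICATE":
            raise ValueError(f"found a {label} block; only certificates belong here (keep new.key private)")
        try:                                # validate=True rejects stray characters
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:           # binascii.Error is a ValueError
            raise ValueError(f"certificate {len(certs) + 1}: invalid base64 ({exc})") from None
        if der_total_length(der) != len(der):
            raise ValueError(f"certificate {len(certs) + 1}: DER length mismatch, paste is truncated")
        certs.append(der)
    if not certs:
        raise ValueError("no certificate block found")
    return certs


def rejection_reason(text):
    """None if the text would be accepted, otherwise the reason it is rejected."""
    try:
        parse_certificate_text(text)
    except ValueError as exc:
        return str(exc)
    return None


def pem_block(label, der, width=64):
    """Wrap DER bytes as a PEM block (used here only to build constructed input)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed placeholder: SEQUENCE { INTEGER 1, INTEGER 2 }, not a real certificate.
_FAKE_DER = bytes.fromhex("3006020101020102")

if __name__ == "__main__":
    leaf, intermediate = pem_block("CERTIFICATE", _FAKE_DER), pem_block("CERTIFICATE", _FAKE_DER)
    print(len(parse_certificate_text(leaf + intermediate)), "certificate blocks accepted")
    for bad in (leaf + pem_block("RSA PRIVATE KEY", b"\x30\x00") + intermediate,
                pem_block("CERTIFICATE", _FAKE_DER[:-1]),
                (leaf + intermediate)[:-40]):
        print("rejected:", rejection_reason(bad))
```

When you install a CA-signed certificate together with its intermediate, paste the server certificate first and the intermediate after it; the parser above preserves that order so you can confirm which block is which before uploading.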
Important
The FirePass controller does not save the CSR. You need to click the here
link to download the ZIP file to a safe location.
• README.html
Contains instructions for submitting the CSR to a known CA. You can
view this file using any browser.
• newcert.csr
Contains the content for the CSR.
• new.key
Contains the private key that corresponds to the certificate (encrypted
with the password you specified). Keep this file in a safe place. You need
it when you install your CA-signed certificate.
Submit your CSR to a known, trusted CA. Typically, certificate vendors
provide a web form in which you can paste the contents of the CSR file.
Alternatively, you can submit your CSR as an email attachment; the CSR
contains only the subject information and the public key, so sending it by
email is safe, but never send new.key. If the vendor requests a certificate
type, specify mod_ssl (Apache). As part of the verification process, the CA
might contact you to verify details you submitted in the CSR.
◆ An intermediate certificate
If you are using a CA-signed intermediate certificate (also known as a
chaining certificate), install the intermediate certificate when you install
your signed certificate.
You need the private key associated with the certificate, as well as the
encryption password. If you are generating a CSR using the FirePass
controller, the key (new.key) is in the zipped file that you saved.
Note
You should not configure CRL updates if you are using the FirePass
controller to generate and issue client certificates to users (using either a
self-signed client root CA certificate, or a client root CA certificate from a
trusted CA). In this case the FirePass controller manages CRLs internally.
Note
Do not use Client Certificate OCSP if you are using the FirePass controller
to generate/issue client certificates to users (using either a self-signed client
root CA certificate, or a client root CA certificate issued by a trusted CA). In
this case, the FirePass controller is managing CRLs internally.
5 Configuring Network Access
Table 5.1, following, briefly shows the trade-off criteria for each method.
Figure 5.2 illustrates the differences between configuring virtual subnets and
configuring using NAPT.
Figure 5.2 Sample server addresses for virtual subnet configuration compared with NAPT enabled
Both with and without NAPT, the FirePass controller uses the IP address
pools to issue addresses to the remote client machines.
You can enable NAPT on the Network Access : Global Settings screen.
You also use the Network Access global settings screen to configure the IP
address pools from which the FirePass controller assigns addresses to clients.
You configure these settings in IP Address and Mask, by specifying the network
to be used for Network Access client addresses. The FirePass controller then
assigns each client an address in this range.
Important
Make sure that the IP address of the FirePass controller itself does not fall
within the subnets you specify on the Network Access : Global Settings
screen.
Understanding routing
When incorporating the FirePass controller into your network, if you do not
use NAPT, you must make some routing changes to support Network
Access clients. Routing changes are required because existing hosts, routers,
or firewalls need to know how to route packets to the virtual subnet that the
Network Access connections use. If users establish a Network Access
connection, but then cannot communicate with systems on your internal
network, the most common solution is to add the needed routing
configuration.
The specific routing configuration changes you must make depend on the
way you deploy the FirePass controller in your network, typically in one of
the following ways:
• FirePass controller interface connected to the internal LAN
• FirePass controller placed in a separate network from the LAN
rules that the Network Access applies to all Network Access client traffic
that comes into the FirePass controller as well as the client’s outgoing
traffic. Network Access activates these rules on service startup, and applies
changes when you click the adjacent Apply these rules now button.
Without packet filtering enabled, Network Access accepts all packets. When
you enable packet filtering, Network Access creates a default Drop ALL
rule that runs after all other global rules run. Network Access also creates a
Drop ALL rule that runs at the end of each group’s rules. Once you enable
packet filtering, you must add filtering rules to allow the traffic you want to
pass through. If you want to accept all packets not otherwise filtered out,
you should precede this default rule with an accept-all rule. To create an
accept-all rule, select ALL from the Proto box and Accept from the Action
box.
Note
When configuring global rules, you typically select the Continue action in
the global rule and then specify more granular packet filtering under the IP
Group Filter tab on the Network Access : Resources screen. For information
about configuring IP group filters, see Understanding IP Group Filters
options, on page 5-26.
Network Access checks each packet coming from the user’s Network
Access client against the common, global rules. The packet might be
explicitly accepted, dropped, or rejected. However, if the packet matches
settings from a global rule with a Continue action, the packet is also
evaluated against the more granular, resource group-level rules. The group’s
rules must then explicitly accept, reject, or drop the packet.
Network Access applies the global rules, then the group rules, from top to
bottom. At each stage, Network Access uses the first-found matching rule to
process the packet. For more information about group-level rules, see
Understanding IP Group Filters options, on page 5-26.
While working in the Packet Filter Rules area on the Global Settings screen,
when you click the Add New Rule link, the screen presents options for
specifying several settings.
◆ Rulename
Contains the name for the global packet rule.
◆ Protocol
Contains the options TCP, UDP, ICMP or All, which specify the protocol that
the rule matches.
◆ Dst Port
Represents the port number or port range that the client uses as a
destination port while accessing various resources on the internal LAN.
You specify a port number or range of port numbers using the following
format
first_port_number:last_port_number, for example, 1:65535, which
means any port. An empty box also means any port. Network Access
does not use Dst Port for processing packets over ICMP.
◆ Dst Address/Mask
Represents the destination IP address used by the client when it tries to
access various resources on the internal LAN. For example, 192.168.2.1,
or subnet/mask, for example 192.168.2.0/24 or
192.168.2.0/255.255.255.0. You can specify 0/0 to mean any IP address.
◆ Action
• Accept: Ends filtering and forwards the packet to its destination.
• Continue: Passes the packet to the resource group rules.
• Drop: Does not pass the packet, and does not notify the sender.
• Reject: Drops the packet and notifies the sender. Depending on the
specific reject action type, Network Access sends the sender the
ICMP message code you select, or a TCP packet with the RST bit set.
◆ Src Address/Mask
Represents the source address and mask used by the client while
accessing resources on the internal LAN. You can use Src
Address/Mask to configure packet rules for a specific IP address pool.
◆ Log all matches
Writes to the system log all of the packets that match conditions in any
global packet rule. You can view log entries on the Reports : System
Logs screen by selecting Packet Filter from the Source list. For more
information about system logs, see Using the System Logs report, on
page 10-18.
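The evaluation order described above (global rules top to bottom, first match wins, Continue handing the packet to the resource group's rules, and an implicit Drop ALL at the end of both lists once packet filtering is enabled) is easy to get wrong when a rule is placed one line too low. The following Python, added here as an illustration and not part of the FirePass product or this manual, models that evaluation against a constructed global policy and one constructed group policy, using the Dst Port and Address/Mask formats the page documents. The rule sets, the addresses and the client pool address are assumptions made for the example; the real controller's filter is not shown on this page.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not F5 code.  Models the documented order: global rules first,
# first match wins, Continue defers to the group rules, implicit Drop ALL at the
# end of each list.  Sample policy and addresses are constructed.
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def parse_ports(spec):
    """Dst Port: empty means any port; '1:65535' is an inclusive range; '22' a single port."""
    spec = (spec or "").strip()
    if not spec:
        return (1, 65535)
    first, _, last = spec.partition(":")
    lo, hi = int(first), int(last or first)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return (lo, hi)


def parse_network(spec):
    """Address/Mask: '0/0' or empty means any; 'a.b.c.d', 'a.b.c.d/24' or 'a.b.c.d/255.255.255.0'."""
    spec = (spec or "").strip()
    if not spec or spec == "0/0":
        return ANY_NET
    return ipaddress.ip_network(spec, strict=False)   # strict=False tolerates host bits


@dataclass
class Packet:
    proto: str                 # TCP, UDP or ICMP
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int = 0


@dataclass
class Rule:
    name: str
    proto: str = "ALL"         # TCP, UDP, ICMP or ALL
    dst_port: str = ""         # empty means any port
    dst: str = "0/0"
    src: str = "0/0"
    action: str = "Drop"       # Accept, Continue, Drop or Reject

    def matches(self, pkt):
        if self.proto != "ALL" and self.proto != pkt.proto:
            return False
        if pkt.src not in parse_network(self.src) or pkt.dst not in parse_network(self.dst):
            return False
        if pkt.proto == "ICMP":            # Dst Port is not consulted for ICMP
            return True
        lo, hi = parse_ports(self.dst_port)
        return lo <= pkt.dport <= hi


DROP_ALL = Rule("Drop ALL", action="Drop")   # created automatically once filtering is enabled


def first_match(rules, pkt):
    """Top to bottom, first matching rule wins; the implicit Drop ALL catches the rest."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return DROP_ALL


def filter_packet(global_rules, group_rules, pkt):
    """Return (action, rule name) for pkt: Accept, Drop or Reject."""
    rule = first_match(global_rules, pkt)
    if rule.action == "Continue":          # defer to the resource group's own list
        rule = first_match(group_rules, pkt)
        if rule.action == "Continue":
            raise ValueError(f"group rule {rule.name!r} must Accept, Drop or Reject")
    return rule.action, rule.name


# Constructed sample policy: global rules accept DNS to one server and hand all other
# intranet (10.0.0.0/8) traffic to the group rules; anything else hits Drop ALL.
GLOBAL_RULES = [
    Rule("dns", proto="UDP", dst_port="53", dst="10.0.0.53", action="Accept"),
    Rule("intranet", dst="10.0.0.0/8", action="Continue"),
]
SALES_GROUP_RULES = [
    Rule("ssh", proto="TCP", dst_port="22", dst="10.1.0.0/255.255.0.0", action="Accept"),
    Rule("web", proto="TCP", dst_port="80:443", dst="10.1.5.0/24", action="Accept"),
    Rule("no-rdp", proto="TCP", dst_port="3389", action="Reject"),
]


def decide(proto, dst, dport=0, src="10.200.0.10"):
    """Run one packet through the sample policy; src is a constructed client pool address."""
    pkt = Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)
    return filter_packet(GLOBAL_RULES, SALES_GROUP_RULES, pkt)


if __name__ == "__main__":
    for args in (("UDP", "10.0.0.53", 53), ("TCP", "10.1.0.7", 22), ("TCP", "10.1.5.9", 443),
                 ("TCP", "10.1.5.9", 8080), ("TCP", "10.1.0.7", 3389), ("ICMP", "10.1.0.7"),
                 ("TCP", "192.168.1.1", 80)):
        print(args, "->", decide(*args))
```

Two behaviours worth noticing in the output: the DNS packet is accepted by the global list and never reaches the group rules, because Accept ends filtering; and the ICMP packet to the intranet is dropped even though the Continue rule passed it down, because none of the group rules names ICMP and the group's own Drop ALL runs last.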
Note
Because the defined ranges for P1 and P2 overlap, more than one user can be
assigned the same IP address, though never within the same resource group.
Overlapping IP address pooling provides the option of having more than one
user with the same IP address.
WARNING
VLANs 2011, 2012, 2013, 2014, 2021, and 2022 are reserved VLAN tags,
and should not be used.
4. From the Routing Table list, select TABLE1 from the list of
routing tables.
5. Click Create.
The Master Groups screen opens, with the General tab selected.
6. Click the Back to Users : Groups : Master Groups page link in
the upper right of the screen.
The Master Groups screen opens, showing the M1 master group. In
addition, TABLE1 appears in the Routing Table column for the M1
master group.
7. Repeat these steps to create the M2 master group and associate it
with TABLE2.
Important
If you decide to disable overlapping IP address pools, check to make sure
that you redefine any overlapping IP address pools or statically defined
mappings. The FirePass controller does not automatically redefine address
pools. The presence of overlapping IP addresses along with a disabled
overlapping address pools setting can cause connectivity problems.
the FirePass controller directs all other traffic out of the local network
connection. You can configure both of the following options when you
enable the Use split tunneling for traffic option.
• LAN address space
Provides a list of addresses or address/mask pairs describing the target
LAN. When using split tunneling, only the traffic to these addresses
and network segments goes through the tunnel configured for
Network Access. You can use the following format to configure this
option:
10.0.0.0/255.0.0.0
10.0.0.0/8
10.0.0.0/8,10.1.0.0/8
You can use spaces, commas, or semi-colons to separate list items.
You can also use a session variable to specify a LAN address space.
When you specify a session variable, the system resolves the address
by substituting the value received during user authentication. For
example, you can have the system substitute the value from the user’s
LDAP attribute SubnetAddress when you specify the session variable
%session.ldap.auth.SubnetAddress% in LAN address space.
• DNS address space
Provides a list of names describing the target LAN DNS addresses.
You can use spaces, commas, or semi-colons to separate list items.
For example, enter *.sales.siterequest.com
*.engineering.siterequest.com to help the browser resolve which
DNS server to use for resolving a host name. For example, Internet
Explorer uses the VPN DNS server settings for hosts in the DNS
address space, and the local client DNS for others.
◆ Force all traffic except local subnet traffic
Routes all traffic (except traffic to the local subnet) through the tunnel.
Use this option if you expect your users to connect from well-known
networks, such as their home computers, and you want to allow them
access to local resources, such as their printers at home, while using
Network Access.
◆ Force all traffic through tunnel
Routes all traffic (including traffic to the local subnet) through the
tunnel. In this case, there is no local subnet. Users cannot access local
resources, such as their printers at home, until they disconnect from
Network Access.
• Allow local subnet access
Provides the option, when checked, to add the VPN interface as a
default gateway on the client computer. Use this option to permit local
subnet access and local access to any host or subnet in routes that you
have specified in the client routing table. However, if the option to
Use split tunneling is enabled, the client computer cannot remove
conflicting routes from the client routing table. VPN routes are added
using a metric that allows existing local routes to take precedence.
• Exclude subnets
Provides the option, when checked, to add routes to excluded subnets
using local interfaces to allow public local access to these subnets.
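The LAN address space syntax described above (address/mask or address/prefix items separated by spaces, commas or semicolons, with optional session variable substitution) can be parsed and checked mechanically. The following Python is an added example written for this page, not code from F5 or the FirePass product; the SESSION dictionary is a constructed stand-in for the attributes received during authentication, and treating an unresolved session variable as an error is an assumption about what a safe implementation should do.

```python
import ipaddress
import re

# Constructed session attributes standing in for the values the controller
# receives at authentication time (an assumption, not the FirePass data model).
SESSION = {"session.ldap.auth.SubnetAddress": "10.20.0.0/16"}

_SEPARATORS = re.compile(r"[ ,;]+")            # spaces, commas or semicolons
_SESSION_VAR = re.compile(r"%([A-Za-z0-9_.]+)%")


def substitute_session_vars(text, session):
    """Replace %session.x.y% tokens with the value captured during logon.
    An unknown variable raises so that a typo cannot silently widen or
    narrow the set of networks sent through the tunnel."""
    def repl(match):
        key = match.group(1)
        if key not in session:
            raise KeyError("unresolved session variable: " + key)
        return session[key]
    return _SESSION_VAR.sub(repl, text)


def parse_lan_address_space(text, session=None):
    """Turn a LAN address space string into a list of IPv4 networks.
    Both address/mask (10.0.0.0/255.0.0.0) and address/prefix (10.0.0.0/8)
    forms are accepted, in any mix, separated by spaces, commas or semicolons."""
    if session is not None:
        text = substitute_session_vars(text, session)
    networks = []
    for item in _SEPARATORS.split(text.strip()):
        if not item:
            continue
        # strict=False tolerates host bits in the address part, e.g. 10.1.0.0/8
        networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def routes_through_tunnel(destination, networks):
    """True if traffic to destination is sent through the Network Access tunnel;
    False means it leaves via the client's local network connection."""
    address = ipaddress.ip_address(destination)
    return any(address in network for network in networks)


def tunnel_decisions(text, destinations, session=None):
    """Map each destination to a 'tunnel' or 'local' decision for one
    LAN address space setting."""
    networks = parse_lan_address_space(text, session)
    return {d: ("tunnel" if routes_through_tunnel(d, networks) else "local")
            for d in destinations}
```

Note that 10.1.0.0/8 from the manual's third example normalises to 10.0.0.0/8, so that entry adds nothing beyond the first; listing the decision per destination is a quick way to review what a split-tunnel setting actually sends over the VPN before rolling it out.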
• Use static IP address per user from mapping table (1st priority)
Assigns IP addresses on a per-user basis. You must configure the
static IP address to be assigned to the user in the User to IP address
mapping table. When you enable this option, a new section appears,
Configure User To IP Address Mapping Table, containing Logon and
IP Address settings you can specify to create user-to-IP address
maps.
• Retrieve IP Address from designated DHCP Server (2nd priority)
Retrieve IP address from a designated DHCP server, with the FirePass
controller acting as the DHCP relay agent. DHCP client support on
the FirePass controller allows IP network access pools, per resource
group, to be managed by an external DHCP server.
• Assign IP address using session variables (3rd priority)
Assigns an IP address to the user using a specified session variable. If
you select this option, type the session variable to use for IP address
assignment in the Session Variable field below this option. The IP
address is retrieved at the time of authentication.
• Retrieve IP address from an external RADIUS server (4th
priority)
Retrieves IP addresses from an external RADIUS server using RADIUS
attribute 8 (Framed-IP-Address). The FirePass controller retrieves the
IP address at the time of authentication. This option requires the use
of RADIUS as the authentication method for any master group
associated with this resource. This option is not supported in clustered
environments.
• Assign IP address dynamically using IP address pool (lowest
priority: Enabled by Default)
Assigns IP addresses dynamically from an internally configured pool
of IP addresses. When you enable this option, a new area appears,
Select IP Address Pool, containing a list of the IP address pools
defined on the Network Access : Global Settings screen.
Important
For this file-change operation, users on Windows platforms must have local
administrative rights to modify the hosts file during the connection, or the
administrator must change the attributes of the hosts file to allow
non-administrative modification.
During this time, the drive-mapping operation can fail and provide the
message: The network resource type is not correct. If the UNC path is
configured with the NetBIOS name, you may get the message: The
network path was not found.
If drive mapping fails, try the following corrections:
• Use IP addresses instead of NetBIOS names
For example, specify \\192.168.191.1\share instead of \\server\share.
• Use fully qualified DNS names
For example, specify \\server.domain.com\share instead of
\\server\share.
• Check the default domain suffix
Make sure that the FirePass controller is configured with the proper DNS
suffixes.
• Try the operation again
Advise users to retry mapping. Subsequent mapping attempts usually
succeed after a 30- to 40-second delay. To retry, have the user click the
Relaunch button in the user's Network Access popup window.
• Check the Windows version
Some older Windows systems (mostly Windows 95 systems) cannot use
IP addresses in Windows Networking.
Note
To make the IP Group Filters tab available, you must check the Use packet
filter to access LAN box on the Network Access : Global Settings screen.
For information about the global packet filtering options, see Configuring
global Network Access settings, on page 5-6.
Network Access applies the global rules, then the resource group rules, from
top to bottom, as they appear in the list of configured rules. At each stage,
Network Access uses the first-found matching mechanism to process the
packet.
Network Access checks each packet coming from the user’s Network
Access client against the global rules first. There, the packet is accepted,
dropped, or rejected, depending on which rule it matches. However, if the
packet matches settings from a global rule with a Continue action, the
packet is also evaluated against the resource group-level rules that you
configure on the IP Group Filters tab.
Without packet filtering enabled, Network Access forwards all packets that
the global rules pass through. When you enable packet filtering on the
Network Access : Global Settings screen, Network Access defaults to a drop
policy. This means that unless you create a rule to explicitly let traffic in, it
is denied.
Note
The default drop rule runs after all other group-based rules, and you cannot
delete the default drop rule. If you want to allow traffic not otherwise
filtered out, you must precede this default rule with a rule that accepts
traffic.
• Drop: Does not pass the packet, and does not notify the sender.
• Reject: Drops the packet and notifies the sender. Depending on the
specific reject action type, Network Access sends the sender the
ICMP message destination unreachable or a TCP packet with the
RST bit set.
◆ Log all matches
Writes to the system log all of the packets that match conditions in any
global packet rule. You can view log entries on the Reports : System
Logs screen by selecting Packet Filter from the Source list. For more
information about system logs, see Using the System Logs report, on
page 10-18.
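The evaluation order described above (global rules first, first match wins, Continue hands the packet to the resource group rules, and an undeletable default drop when packet filtering is enabled) is easy to get wrong when reasoning about a rule set by hand. The following Python is an added example, not F5 code: the rule condition shape (source network, destination network, protocol) and the treatment of a packet that no global rule matches as an implicit Continue are assumptions for the example, and the rule sets are constructed.

```python
import ipaddress
from collections import namedtuple

# Rule conditions here are a source network, a destination network and a
# protocol ("any", "tcp", "udp", "icmp"); this condition shape is an
# assumption for the example, not the controller's full rule editor.
Rule = namedtuple("Rule", "name src dst proto action")
Packet = namedtuple("Packet", "src dst proto")

# Constructed sample rule sets.
GLOBAL_RULES = [
    Rule("deny-mgmt-net", "0.0.0.0/0", "10.0.0.0/24", "any", "reject"),
    Rule("lan-to-groups", "0.0.0.0/0", "10.0.0.0/8", "any", "continue"),
]
GROUP_RULES = [
    Rule("sales-web", "0.0.0.0/0", "10.1.1.0/24", "tcp", "accept"),
]


def _matches(rule, packet):
    return (ipaddress.ip_address(packet.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(packet.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", packet.proto))


def evaluate(packet, global_rules, group_rules, packet_filter_enabled, log=None):
    """Return accept, drop or reject for one packet from the client.

    Global rules are walked top to bottom and the first match decides,
    unless its action is continue, in which case the resource group rules
    (IP Group Filters tab) are walked the same way.  With packet filtering
    enabled the undeletable last rule is drop; with it disabled, whatever
    the global rules pass through is forwarded.  A packet that no global
    rule matches is treated like a continue (assumption)."""
    for rule in global_rules:
        if _matches(rule, packet):
            if log is not None:             # "Log all matches" behaviour
                log.append("global %s matched %s" % (rule.name, packet))
            if rule.action != "continue":
                return rule.action
            break
    if not packet_filter_enabled:
        return "accept"
    for rule in group_rules:
        if _matches(rule, packet):
            if log is not None:
                log.append("group %s matched %s" % (rule.name, packet))
            return rule.action
    return "drop"                           # default drop rule, always last
```

Running a handful of representative packets through a rule set like this, with the same packets evaluated both with and without packet filtering enabled, shows which destinations are only reachable because of the implicit accept that applies when filtering is off.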
Important
The policy checks that you configure here are completely independent of any
Endpoint Security checks configured on the Users : Endpoint Security
screens. These checks are simple, recurring checks run on the client for
Network Access only. You can use them in conjunction with any Endpoint
Security checks you have configured. For information about pre-logon
sequences, see Using pre-logon sequences, on page 3-10.
Note
Policy checks are not supported on MacOS, Linux, or PDA remote clients.
Important
Use the Allow access to local DHCP server option along with Prohibit
routing table changes during Network Access connection to restore the
client routing table after a DHCP refresh. Otherwise, after DHCP renewal,
the client system restores the default gateway and possibly the local routes,
which could disrupt access to VPN hosts.
◆ Processes to be present/absent
Represents a Boolean expression containing strings that specify
executable process names that must be present or absent on the client
system during an active Network Access connection. You can use the
following conventions to specify the string:
• Wildcard characters asterisk ( * ), which represents many characters,
and question mark ( ? ), which represents a single character
• The logical operators AND, OR, and NOT.
• The characters open parenthesis ( and close parenthesis )
For examples and additional information, see the online help for Network
Access : Resources on the Policy Checks tab.
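The process presence/absence expression above combines wildcard process names with AND, OR, NOT and parentheses. The following Python evaluator is an added example, not F5 code: it assumes NOT binds tightest, then AND, then OR (the manual does not state precedence), compares process names case-insensitively as Windows does, and uses a constructed running-process list.

```python
import fnmatch
import re

_TOKEN = re.compile(r"\s*(\(|\)|[^\s()]+)")
_OPERATORS = ("AND", "OR", "NOT")


def tokenize(expression):
    """Split the expression into process-name patterns, operators and parentheses."""
    tokens, pos, expression = [], 0, expression.strip()
    while pos < len(expression):
        match = _TOKEN.match(expression, pos)
        if match is None:
            raise ValueError("cannot tokenize at offset %d" % pos)
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


class _Parser:
    """Recursive-descent evaluator: NOT binds tightest, then AND, then OR
    (an assumption; the manual does not state operator precedence)."""

    def __init__(self, tokens, running):
        self.tokens = tokens
        self.pos = 0
        self.running = [name.lower() for name in running]

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        token = self._peek()
        self.pos += 1
        return token

    def expr(self):
        value = self.term()
        while self._peek() == "OR":
            self._take()
            rhs = self.term()       # always parsed, so its tokens are consumed
            value = value or rhs
        return value

    def term(self):
        value = self.factor()
        while self._peek() == "AND":
            self._take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):
        token = self._take()
        if token is None:
            raise ValueError("unexpected end of expression")
        if token == "NOT":
            return not self.factor()
        if token == "(":
            value = self.expr()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if token == ")" or token in _OPERATORS:
            raise ValueError("unexpected token %r" % token)
        # A process-name pattern: * matches any run of characters, ? exactly one.
        return any(fnmatch.fnmatchcase(name, token.lower()) for name in self.running)


def process_check_passes(expression, running_processes):
    """True when the Boolean expression holds for the given process list."""
    parser = _Parser(tokenize(expression), running_processes)
    result = parser.expr()
    if parser._peek() is not None:
        raise ValueError("unexpected trailing tokens: %r" % parser.tokens[parser.pos:])
    return result
```

Because the check is recurring, an expression should be tested against both the expected compliant process list and a list missing the required agent, to confirm the connection would actually be affected in the second case rather than silently passing.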
[protocol://]host[:port][/landinguri]
Note: You can use http or https as the protocol.
4. Click Add Controller.
The new entry appears in the list.
You can use the up, down, and delete buttons to operate on items in the list.
The client component accesses the FirePass controllers in the order they
appear in the list. When the client component finds an available controller, it
stops looking.
Note
When you create a new favorite, the user must log out and log on again to
have the favorite available.
6
Configuring Application Access
Figure 6.1 Comparison of application data flow without and with the FirePass controller
Note
You can configure a combination of dynamic and static tunnels for a single
App Tunnel definition.
• Windows file sharing (because this application uses the operating system
kernel, not the Windows socket API, for its network communication)
• Terminal emulators, including SSH
Important
Running dynamic App Tunnels requires that the user has power user rights.
Note
If you have legacy App Tunnels that are working for you, there is no need
for reconfiguration. The system automatically uses static App Tunnels.
Note
Although you can configure the same application using a dynamic App
Tunnel, the process for configuring web application App Tunnels is simpler.
Web applications are perfect candidates for using dynamic App Tunnels as
long as they do not use reverse proxy. If an application uses reverse proxy,
you can still try configuring it for dynamic App Tunnels. If the application
does not work through dynamic App Tunnels, you should use Portal Access
instead to configure the connection.
Web App Tunnels require a browser that supports multiple instances.
Windows Internet Explorer supports multiple instances. Mozilla and
Firefox support multiple processes within the same instance, but not
multiple instances. Therefore, even if the user’s default browser is not
Internet Explorer, all dynamic App Tunnels start an instance of Internet
Explorer or a custom minibrowser developed specifically to support
dynamic App Tunnels.
Use of the minibrowser provides additional security in that users cannot
copy text from the minibrowser window, print when the minibrowser is the
active application, or drag and drop to the minibrowser window. In addition,
the minibrowser does not allow the running of plug-ins or extensions.
Tip
You can configure this additional security for Internet Explorer users as
well by enabling the Locked Browser option when you create a Web
Application Tunnel favorite.
Important
For dynamic App Tunnels, if you do not specifically allow access, the system
disallows it.
6. To add a static App Tunnel, click the Add button to the left of
the Static Tunnels heading, and continue with the procedure To
complete the static App Tunnel definition, on page 6-10.
Note: The system searches the path for the application, so you do
not have to specify the complete path if the path is already set. If you
do not specify a path, the FirePass controller searches the Windows
registry. If an application registers itself in the Windows registry,
like Microsoft Outlook does, for example, the FirePass controller
can run it.
4. Check or clear the Terminate Existing box, if the application you
are starting does not support multiple instances, or when you want
the system to prompt the user for confirmation in halting the
existing instance.
5. Click the Add New Dynamic Tunnel button.
You can modify any existing setting by changing it and clicking the
Update All button.
Note
When you create a new favorite, a logged-in user must refresh the webtop to
have the favorite available.
When you select one of the options in the list of clients, the FirePass
controller populates the associated boxes with common values, as described
in Table 6.1.
◆ Custom
When you select Custom, you can specify the application name and path,
including any environment variables in the format %envvarname%,
enclosing the string in quotation marks when the path contains spaces. The
variables resolve to the value of the environment variable on the client
computer. For example, to configure the Microsoft Terminal Services client,
specify the following string in Application:
"%SystemRoot%\system32\mstsc.exe" /v:mysite
For more information about creating custom App Tunnels, see Creating
custom App Tunnels, on page 6-16.
◆ Citrix Neighborhood Agent
When you select Citrix Neighborhood Agent, the system populates the
Name box with the value Citrix Neighborhood Agent, places the value
"%ProgramFiles%/Citrix/ICA Client/pnagent.exe" in the Application
box, and enables the Terminate Existing box. These are default values
that you can change.
◆ Microsoft Outlook
When you select Microsoft Outlook, the system populates the Name box
with the value Microsoft Outlook, places the value outlook.exe in the
Application box, and enables the Terminate Existing box. These are
default values that you can change.
◆ Microsoft Outlook Express
When you select Microsoft Outlook Express, the system populates the
Name box with the value Microsoft Outlook Express, places the value
msimn.exe in the Application box, and enables the Terminate Existing
box. These are default values that you can change.
◆ Microsoft Telnet client
When you select Microsoft Telnet client, the system populates the Name
box with the value Microsoft Telnet client, and places the value
"%SYSTEMROOT%/SYSTEM32/telnet.exe" in the Application box.
These are default values that you can change.
◆ Microsoft Terminal Server Client
When you select Microsoft Terminal Server Client, the system populates
the Name box with the value Microsoft Terminal Server Client, and
places the value "%SYSTEMROOT%/SYSTEM32/mstsc.exe" in the
Application box. These are default values that you can change.
◆ PuTTY
When you select PuTTY, the system populates the Name box with the
value PuTTY, and places the value "%ProgramFiles%/PuTTY/putty.exe"
in the Application box. These are default values that you can change.
◆ SecureCRT
When you select SecureCRT, the system populates the Name box with the
value SecureCRT, and places the value
"%ProgramFiles%/SecureCRT/SecureCRT.exe" in the Application box.
These are default values that you can change.
◆ Private Shell
When you select Private Shell, the system populates the Name box with
the value Private Shell, and places the value "%ProgramFiles%/Private
Shell/pshell.exe" in the Application box. These are default values that
you can change.
• MS Terminal Services
• Citrix
• RPC port mapper
• FTP (Passive)
• MS File Shares
• Exchange Client/Server Comm.
When you select an option, the system adds boxes, if necessary, and
populates those boxes with common settings. For more information,
see Example of system response, following.
2. In the Application box, specify a string that starts an application
transparently for the user. For example:
iexplore http://127.10.10.80/sales/automation.pl
telnet 127.10.10.10
putty -ssh 127.10.10.10
Note
When you create a new favorite, the user must log out and log on again to
have the favorite available.
Note
When you configure multiple alternate webtops (for example, one for App
Tunnels, and another for Network Access), the FirePass controller starts
and displays them in a small browser window. Applications like Telnet or
Terminal Services are automatically started and displayed in additional
small browser windows because they require additional input from the user.
Note
When you enable these options, the users can end their App Tunnel
connection and their session by right-clicking the tray icon and selecting the
Terminate connections option.
Important
For this file-change operation, users on Windows platforms must have local
administrative rights to modify the hosts file during the connection, or the
administrator must change the attributes of the hosts file to allow
non-administrative modification.
The Static App Tunnels feature supports forwarding ranges of TCP ports.
To do this, specify the range in the Remote Host : Port or Range and
Local Host : Port or Range boxes as port1-port2,port3,port4-port5, and
so on. The App Tunnels feature limits the maximum number of port settings
to 50. If you use port ranges, the range you specify in the local and remote
settings must match.
Important
For this file-change operation, users on Windows platforms must have local
administrative rights to modify the hosts file during the connection, or the
administrator must change the attributes of the hosts file to allow
non-administrative modification.
6 - 16
Configuring Application Access
The system also supports the following variables for mapping Microsoft
Windows network shares.
• %envvarname%
Represents the value of the environment variable on the client computer.
• %password%
Resolves to the user’s password when you enable the master group
option Auto-logon TO applicable AppTunnels using FirePass user
logon credentials.
• %host%
Represents the host address, which the system resolves to the loopback
host address.
• %port%
Indicates the loopback port.
The %port% variable is useful when the original local port changes because
of conflicts with other software.
The following entries illustrate valid strings for various App Tunnels.
iexplore http://%host%:%port%/sales/automation.pl?u=%username%
telnet 127.3.54.34
%SystemRoot%\System32\mstsc.exe /v:127.107.93.167 /f
Now, when users who log on have the endpoint protection you require, the
FirePass controller automatically opens the associated App Tunnel and
provides the user access.
For example, if you want to map the H drive on the client computer
to the sales share, which is located on the corporate_presentations
computer, type:
mount H: \\corporate_presentations\sales
mount H: \\127.31.21.233\sales
Note: You can use the syntax specified in the second example when
the client operating system is Windows NT, Windows 2000,
Windows XP, or Windows Me.
For drive mapping to work, the FirePass controller must have a valid
certificate signed by a Certificate Authority accepted by the client’s
browser. Otherwise, a security warning could prevent the drive from being
mapped successfully.
Tip
When you configure App Tunnels for mapping drives, you can have clients
use their FirePass controller logon credentials by selecting the option
Auto-logon to applicable AppTunnels using FirePass controller user
logon credentials on the Application Access : App Tunnels : Master Group
Settings screen. This option applies only to App Tunnels configured to map
a network drive. If you select this option, you can also provide a domain or
workgroup name to be used when logging on to the mapped drive.
One FirePass controller session for a user shares all ACLs you define for the
master group that contains the resource groups, those for all static and
dynamic App Tunnels and web application App Tunnels in a specific
resource group, and ACLs you specify for favorites or aliases within a
resource group. For a description of ACLs, see Understanding access
restrictions for App Tunnels, on page 6-6.
Important
For App Tunnels, if you do not specifically allow access, the system
disallows it.
Specifying ACLs
When you specify an ACL, you use a specific format, consisting of various
elements. This section describes each element of an ACL and presents
specific examples of how to define an ACL entry in the list.
When you specify an ACL, use the following format:
hostname:port | :port_range
ip_address/mask:port | :port_range
Separate each entry with a return. Separate multiple ports and port ranges
with a comma. If you do not specify a port or range of ports, the system
allows access from every port.
◆ hostname or ip_address
Represents the host name or IP address that you want the user to have
access to, for example:
siterequest.com
192.168.200.216:80-8080
You can use the asterisk when specifying hostname. The asterisk
matches any number of characters, for example:
*.siterequest.com:80
*.site*quest.com:23,80,443
*.siterequest*:23-25
◆ port or port_range
Represents one or more port numbers, ranges of ports, or a combination
of individual ports and port ranges, specified in accordance with the
following guidelines:
• Every port number or range is a number from 1 through 65535.
• The port range is represented by a dash between two ascending
numbers, for example, 1-10 or 500-600.
• Each instance of a port or port range is separated by commas.
• No instance of a port or port range overlaps another, that is, one
specified port or port range cannot be contained in another port range,
so it is not valid to specify 24,22-25.
• You must specify port numbers in ascending order, for example:
www.siterequest.com:22-25,80,443
• If you do not specify a port, the system substitutes a port range of
1-65535, which represents all ports.
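The ACL grammar above (hostname or address/mask, optional port list, wildcards in hostnames, ascending non-overlapping port ranges, default deny) and the port1-port2,port3 range form used for static App Tunnels on page 6-16 share the same port syntax and can be validated mechanically. The following Python is an added example, not F5 code: the sample ACL is constructed from the manual's own entries plus one address/mask line, hostname matching is a literal wildcard comparison with no DNS lookup (consistent with the FQDN rule below), and the question mark is honoured in hostname patterns as an assumption beyond the asterisk the manual names.

```python
import fnmatch
import ipaddress

ALL_PORTS = (1, 65535)

# Constructed sample ACL text, one entry per line as the manual requires.
ACL_TEXT = """siterequest.com
192.168.200.216:80-8080
*.site*quest.com:23,80,443
*.siterequest*:23-25
10.10.0.0/16:22
"""


def parse_ports(spec):
    """Parse '22-25,80,443' into [(22, 25), (80, 80), (443, 443)], enforcing
    the rules: 1..65535, ranges ascending, comma separated, listed in
    ascending order with no overlap.  An empty spec means all ports."""
    if not spec:
        return [ALL_PORTS]
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
        else:
            low = high = int(item)
        if not (1 <= low <= high <= 65535):
            raise ValueError("invalid port or range: " + item)
        if ranges and low <= ranges[-1][1]:
            # rejects both out-of-order lists and overlaps, e.g. 24,22-25
            raise ValueError("ports must be ascending and non-overlapping: " + spec)
        ranges.append((low, high))
    return ranges


def ports_valid(spec):
    """True if the port specification satisfies the rules above."""
    try:
        parse_ports(spec)
        return True
    except ValueError:
        return False


def parse_acl_entry(line):
    """Split one ACL line into (host_part, port_ranges).  The port part is
    whatever follows the last colon; IPv6 literals are not handled."""
    line = line.strip()
    host, sep, ports = line.rpartition(":")
    if not sep:
        host, ports = line, ""
    return host, parse_ports(ports)


def parse_acl(text):
    return [parse_acl_entry(line) for line in text.splitlines() if line.strip()]


def _host_matches(acl_host, target):
    if "/" in acl_host:                        # ip_address/mask entry
        try:
            return ipaddress.ip_address(target) in ipaddress.ip_network(acl_host, strict=False)
        except ValueError:
            return False                       # a hostname never matches a network entry
    try:                                       # plain IP address entry
        return ipaddress.ip_address(target) == ipaddress.ip_address(acl_host)
    except ValueError:
        pass
    # Hostname entry: literal wildcard comparison, no DNS resolution, so an
    # FQDN entry only matches a target given as that FQDN.
    return fnmatch.fnmatchcase(target.lower(), acl_host.lower())


def acl_allows(acl, target_host, port):
    """Default deny: access is allowed only if some entry matches both the
    host and the port."""
    for acl_host, ranges in acl:
        if _host_matches(acl_host, target_host) and any(low <= port <= high for low, high in ranges):
            return True
    return False
```

A useful check before saving an ACL is to run the exact host names and ports the favorites use through acl_allows; anything the favorite needs that comes back False is blocked, since App Tunnels deny whatever is not explicitly listed.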
Important
If you specify a fully qualified domain name (FQDN) as the host name in the
ACL, the user must specify the FQDN to access the host.
*.siterequest.com:80
Important
Make sure that you click Update to save your ACLs. If you select a different
master group before you click Update, the system discards any ACLs you
have specified.
ACLs specified at the resource-group level are combined with those set at
the master-group level. You can specify additional ACLs in the favorite or
alias itself.
Important
Make sure you click Update to save your ACLs. If you select a different
master group before you click Update, the system discards any ACLs you
have specified.
ACLs specified at the favorite or alias level are combined with those set at
the resource-group level and the master-group level.
For general information about master groups, see Introducing master groups
and resource groups, on page 2-1.
Important
When you finish specifying entries in DNS address space and LAN address
space, make sure you click the Update button. If you make changes, and
then select a different master group from the Master Group list before
clicking the Update button, the system discards the changes.
12. Check the Keep Alive check box to prevent the session from
ending, or leave the box empty to permit the sessions to end.
Note: Session name is available for 5250 sessions only.
13. From the Column separators list, select the type of column
separators for 5250 terminals.
14. From the Default charset list, select the character set to use for the
session. The FirePass controller provides several choices:
• DEC Supplemental Graphic Set
• MS-DOS Codepage 850 (Multilingual Latin 1)
• IBM Codepage 850
• ISO 8859-1 (Latin-1)
• Unicode
15. From the 3270 language list, select the language supported by the
3270 terminal.
16. From the Default font size list, select the default font size to use for
Java-based terminals.
17. From the Unicode encoding list, select the encoding. The FirePass
controller provides several choices:
• UTF-8
• UTF-16 little-endian
• UTF-16 big-endian
• UTF-32 little-endian
• UTF-32 big-endian
18. If you want to restrict access based on a defined protected
configuration, from the Endpoint protection required list, select
the protected configuration.
For more information about protected configurations, see Creating
protected configurations, on page 3-27.
19. Click the Add New button.
You can change any of these settings by clicking the link representing the
favorite, modifying the setting, and clicking the Update button.
<script type="text/javascript">
// Opens the legacy host session in a new, fixed-size pop-up window.
// The window name is randomised so that repeated clicks do not reuse one window.
function createTermConnection(params)
{
var w_name = 'TERM_CONNECTION' + (Math.random()).toString().substring(2, 16);
var childWindow = window.open('https:/vdesk/h3270/connect.php' + params, w_name,
'name=' + w_name + ',resizable=1,scrollbars=0,statusbar=0,menubar=0,width=512,height=300',
false);
return childWindow;
}
</script>
<a href='javascript:createTermConnection("?res_group=Default_resource&res_name=aaaa")'>
Auto Launch Legacy Host</a>
Specify the resource group and resource name that the user can access, using
the res_group variable for the resource group, and the resource name with
the variable res_name. In the above example, the resource group is
Default_resource, and the resource name is aaaa.
Commands are specific to one application or terminal type. You can supply
command arguments within the parentheses. A command with no arguments
ends with a pair of empty parentheses.
The default keyboard mapping contains default commands for standard
terminal types. You can add commands that act as application shortcuts.
These shortcuts can send commonly-used strings to your host applications
using the Send("String") command.
For example, if you want a specific key combination to send a text
command plus a program function key whenever the user presses Ctrl and
Alt and Shift and F12, the mapping rule might look like this:
Ctrl+Alt+Shift F12 Send("MY COMMAND"); PF1();
You can map the number pad keys divide ( / ), multiply ( * ), and minus ( - )
differently from the keyboard keys slash ( / ), asterisk ( * ), and hyphen ( - ).
In addition, you can map the Num Lock key to a command.
You can find additional information in the online help for the Application
Access : Legacy Hosts : Resources screen.
14. If you want to use a custom port for Citrix session reliability, type
the port number in the Session reliability port (Citrix only) box.
The default port is 2598.
15. From the Window Type list, select the method for displaying the
terminal server window.
• The default is to display the terminal window embedded in the
current browser window.
• To open the terminal window in a new browser window, select
New browser window.
• For Citrix applications, you can choose to open a separate
window with a menu, or a Citrix seamless window. The seamless
window makes the Citrix client window appear in an application
window, and not a browser window, as specified by the Citrix
server.
• The option Separate window with menu displays a window
similar to a seamless window, with a title bar that provides a
Citrix client menu.
16. Check the Redirect local resources (drives, printers, COM ports)
check box to have the target server’s local resources available to the
client after the application starts, or leave the box clear to have users
retain the resources on their computers.
17. Several options are available only for Microsoft Terminal Services
users. Check the boxes for the options you wish to enable.
• Show desktop wallpaper
• Show contents of window while dragging
• Menu and window animation
• Themes
• Server authentication
18. In Encryption (Citrix-only), select the encryption level for Citrix
MetaFrame connections.
This setting specifies an internal Citrix parameter, which must
match the MetaFrame server setting. Connection from the client to
the FirePass controller is made using SSL, regardless of this setting.
• Basic
This is the default.
• RC5 128 bit logon only
• RC5 40 bit
• RC5 56 bit
• RC5 128 bit
You can change any of these settings by clicking the link representing the
favorite, modifying the setting, and clicking the Update button.
Note
Do not rename the .cab file before uploading it to the FirePass controller.
Make sure the .cab file name matches the name of the .inf file inside the package.
Specifying the ICA Citrix client version to download and install on to end user’s PC
The default setting is the minimally required version of the ICA Citrix client
version that the FirePass controller supports. If you want to upgrade your
client, select a later version in the Version box.
Important
Do not specify a version later than the one located on the FirePass
controller or web server; otherwise the client PC downloads and reinstalls
the Citrix client package each time it connects to the terminal servers.
clsid={238F6F83-B8B4-11CF-8771-00A024541EE3}
FileVersion=8,00,24737,0
Note
For information about where to obtain the ICA Citrix JAVA client, refer to
the Citrix documentation.
When you enable the Session Reliability feature, Citrix ICA client version 8
and later tries to establish a connection on the specified port (the default is
port 2598). If a TCP connection cannot be established on that port, the ICA
client automatically switches to the ICA protocol on a different port (the
default in this case is TCP port 1494).
Alt+Insert Cycles through the programs in the order they were started.
7
Configuring Portal Access
Portal Access relays the internal resource into, and the user's requests out
of, the end user's web browser. The application being accessed and the
protocol in use (HTTP or HTTPS) dictate how Portal Access operates.
Figure 7.1 shows the process that Portal Access follows.
Some of your custom web applications will work with Portal Access without
you having to make changes to the applications. However, some of your
web applications, particularly those that make extensive use of JavaScript,
Java applets, ActiveX controls, and Flash components, might require that
you use content processing scripts or other configuration changes to enable
the user to access them using Portal Access connections.
If you have a specific web application that requires additional configuration
to work through Portal Access, you can generally use Application Tunnels
or Network Access. These access methods provide a direct connection to the
internal network, and do not require proxy-based changes or modification of
web application content.
If you cannot use Application Tunnels or Network Access to solve access
issues, you can try the proxy feature's minimal content-rewriting bypass.
For more information about this feature, see Configuring web applications
for minimal rewriting, on page 7-10.
You can use SED scripts to rewrite output instead of preventing rewriting by
configuring bypass. For information about Web application content
processing using SED scripts, see Configuring content processing for web
applications, on page 7-19.
Note
When you create a new favorite, the user must log out and log on again to
have the favorite available.
Once you have configured all of the necessary parameters for your
application, click the Add New button to add the favorite. When you have
configured at least one favorite, you can specify which link serves as the
default by selecting it from the Default box, and clicking Update.
The default favorite starts automatically when users of the resource group
open their web application favorites. With more than one default favorite
defined, for example, when a user has multiple resource groups assigned,
the FirePass controller starts only one of the defaults.
http://server.siterequest.com/index.html?show_custom_content=1&user=johndoe&password=johndoepassword
Alternately, you can specify that the FirePass controller send the variables in
a POST request to the configured URL. This is a more secure way to
provide a user name and password for logging on to an intranet site, because
the variables are not visible on the URL line of the browser for someone to
see.
For example, if you have the following form contents on an intranet logon
page:
<form action=logon.php method=POST>
<input type=TEXT name=user>
<input type=PASSWORD name=password>
<input type=HIDDEN name=do_logon value=1>
<input type=SUBMIT value=Logon>
</form>
First, you specify the string in the URL box:
http://server.siterequest.com/logon.php
Then you specify the variables you want to use in the Url variables box:
user=%username%&password=%password%&do_logon=1
Browser: User-agent string
Mozilla 1.7.8 on Windows: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
Mozilla 2.0.0.15 on Windows: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15
Netscape 7.2 on Windows: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
Opera 5 mimicking Netscape on Windows: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) Opera 5.01 [en]
Safari 2.0 for Macintosh OS X: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412
Safari 3.1 for Macintosh OS X: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) AppleWebKit/525.13 (KHTML, like Gecko) Version/3.1 Safari/525.13
FireFox 1.0.4 on the Macintosh: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
FireFox 1.0.6 on Windows: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
FireFox 1.0.1 on Linux: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.6) Gecko/20050222 Firefox/1.0.1
Tip
An easy way to enter a user-agent string is to copy and paste the string from
the Logons report into the Enforce user-agent box. You can find the string
on the Reports : Logons screen in the User Agent column.
You can configure the minimal content-rewriting bypass feature in only one
of two modes:
◆ Pattern-based
Provides a pattern-matching mechanism for URLs. You specify a
protocol, host, and path for the FirePass controller to match. If the
FirePass controller encounters a URL that has a defined Pattern-based
bypass rule, the FirePass controller does not modify URLs on the
returned page.
Implementing Pattern-based bypass requires no network changes, but
you must specify the protocol, host, and path that the application uses so
that the FirePass controller can match the incoming URLs.
◆ Alternative Host/Port-based
Provides a dedicated IP address and TCP port through which the FirePass
controller proxies connections to the application server. When
configuring the FirePass controller in Alternative Host/Port-based mode,
you must configure one FirePass controller port for each port the
application server uses. If your application uses SSL encryption, you
must also install on the FirePass controller the same SSL certificate and
private key that is installed on the application server.
searches are case-sensitive, so you might have to specify the same pattern in
upper- and lowercase. Patterns must be unique within the intranet to prevent
interference with other web applications.
When you use this feature, the FirePass controller replaces all references to
the target server’s protocol://address:port with the FirePass controller’s
protocol://address:port. For example, if a Web application consists of
URLs starting with /myapp/ and /myimages/, you would associate the
patterns /myapp/*,/myimages/* with the server. You must specify the
target server in the following form:
protocol://servername[:optional port]
An example target server is http://myserver
Important
The root directory of the server cannot be used as the pattern for the
pattern-based bypass mode, for example, you cannot specify http://, /, or /*.
You can find pattern-based bypass settings on the Master Group Settings
screen. To access the screen, in the navigation pane, click Portal Access,
expand Web Applications, and click Master Group Settings.
When you configure settings, first select from Master Group the master
group you want to have access to the application.
In the Minimal Content-Rewriting Bypass section, you can configure the
following options:
◆ Comma separated list of patterns
Contains a list of match patterns for the web application. In this box,
specify the application paths that you do not want the FirePass controller
to translate. Separate each directory with a comma.
For example, if you do not want the FirePass controller to translate a set
of URLs, including all pages in the location:
https://tech.siterequest.com/appdir1/
https://tech.siterequest.com/appdir2/
https://tech.siterequest.com/appdir3/text.html
◆ http[s]://<IP Address/Name>[:Port]
Contains the target server. In this box, specify the protocol and host
portion of the URL for the application.
For example, if you do not want the FirePass controller to translate the
URL:
https://tech.siterequest.com/appdir1/
You can specify a pattern using the wildcard characters asterisk ( * ), which
represents many characters, and question mark ( ? ), which represents a
single character. The patterns must be unique. When you specify a pattern,
you must include at least one subdirectory for each application.
Note
Depending on how your firewall is configured, if you specify a new port, you
might need to configure your firewall to allow communication on that port.
You might need to specify a new port if you have one internal side that
allows traffic through, or if you use servers outside the company on another
network (also known as one-armed configuration).
You can use the wildcard characters asterisk ( * ), which represents many
characters, and question mark ( ? ), which represents a single character, in
both the Rewrite and Bypass boxes. The FirePass controller first processes
all patterns in the Rewrite box, and then all patterns in the Bypass box.
Example: http://*.siterequest.com/*
The format requires a slash separator ( / ) between the host information and
the path. For example, you must specify: http://server.siterequest.com/*
instead of http://server.siterequest.com* or http://www.*/*.com* instead
of http://www.*.com* for the filter to work.
The split tunneling filters apply to favorites, to direct browsing, and to the
links within a rewritten page. If you enable split tunneling, the FirePass
controller presents only web pages that satisfy one of these filters. The
FirePass controller applies the specified default action to the others
(although a public site might still be available outside the webtop). If you do
not use split tunneling, the FirePass controller processes all URLs through
the reverse-proxy engine.
Split tunneling patterns ignore any part of the URL after the first pound sign
( # ) or question mark ( ? ) symbol; that is, anchors and URL variables are
ignored.
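The wildcard rules above (asterisk for many characters, question mark for one, case-sensitive matching, a required slash between host and path, Rewrite patterns evaluated before Bypass patterns, and anchors and query strings ignored) are enough to model how a URL is classified. The following Python is an added example written for this section; it is not FirePass code, and the exact matching engine the controller uses is not documented here. The function names, the "block" default action, and the two-slash check used to encode the "at least one subdirectory" rule for bypass patterns are this example's own conventions.

```python
import re


def wildcard_to_regex(pattern):
    """Translate a FirePass-style pattern into an anchored, case-sensitive regex.
    '*' stands for any run of characters and '?' for exactly one character;
    everything else is literal (the manual states searches are case-sensitive)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def strip_anchor_and_query(url):
    """Split tunneling ignores anything after the first '#' or '?'."""
    cuts = [i for i in (url.find("#"), url.find("?")) if i >= 0]
    return url[:min(cuts)] if cuts else url


def filter_is_well_formed(pattern):
    """A split-tunneling filter needs a '/' between the host part and the path:
    http://host.example/* is valid, http://host.example* is not."""
    scheme, sep, rest = pattern.partition("://")
    return bool(scheme) and bool(sep) and "/" in rest


def bypass_path_is_valid(path_pattern):
    """Pattern-based bypass may not use the server root ('/', '/*', 'http://').
    Requiring two slashes is this example's encoding of the manual's
    'at least one subdirectory' rule."""
    return path_pattern.startswith("/") and path_pattern.count("/") >= 2


def classify_url(url, rewrite_patterns, bypass_patterns, default_action="block"):
    """Apply split-tunneling filters in the documented order: every Rewrite
    pattern first, then every Bypass pattern; anything else gets the default."""
    target = strip_anchor_and_query(url)
    for pat in rewrite_patterns:
        if not filter_is_well_formed(pat):
            raise ValueError(f"malformed filter: {pat}")
        if wildcard_to_regex(pat).match(target):
            return "rewrite"
    for pat in bypass_patterns:
        if not filter_is_well_formed(pat):
            raise ValueError(f"malformed filter: {pat}")
        if wildcard_to_regex(pat).match(target):
            return "bypass"
    return default_action
```

Because the match is case-sensitive, a pattern such as http://*.siterequest.com/* will not catch a link written as HTTP://..., which is why the manual suggests entering both cases when an application mixes them.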
names. This prevents the FirePass controller from using an IP address as the
first part of a website address. For example, if this check box is not selected,
an address like 192.168.1.2 can be used erroneously as
192.168.1.2.siterequest.com in some instances.
Select the check box Path is case insensitive if you are writing ACL rules
to detect Windows-based Web server addresses, which might use uppercase
and lowercase characters.
You can find more information about using SED scripts on the Ask F5 web
site by searching the FirePass-controller-related Solutions.
Note
The FirePass controller patches Java applets (when the option is enabled),
even those that use sockets, so this example is for illustrative purposes only.
To search for certain types of pages, you can specify a match pattern in
URL match pattern, for example */pathnet/XSLTS/*. Then in the SED
processing script box, you can use a SED script, such as s|/f5-w-[^/]*|//|g. In
this case, the FirePass controller should process content after performing its
patching, so from the Processing list on the Preprocessing Scripts screen,
select Post-process response.
This script removes the f5-w- information that the reverse proxy adds. In
general, the page works correctly after post-processing as long as the
links on the page point to the same host (or are relative links).
Note
You can use the Minimal Content Rewriting Bypass feature to avoid the full
content rewrite typically needed with Web Applications. Configuring this
feature helps deal with complex portal and web application content. For
more information, see Configuring the Alternative Host/Port-based type of
bypass, on page 7-12.
Note
You can specify a list of URLs under Web Applications Content Cleaning
on the Preprocessing Scripts screen. To access the screen, in the navigation
pane, click Portal Access, expand Web Applications, click Content
Processing, and then click the Preprocessing Scripts tab.
In the box under Web Applications Content Cleaning, you can use the
wildcard characters asterisk ( * ), which represents many characters, and
question mark ( ? ), which represents a single character, to specify URLs
that you want the FirePass controller to process for content cleaning. An
empty list means that the FirePass controller does not reformat content from
any URL.
Note
To access the Global Settings screen, in the navigation pane, click Portal
Access, expand Web Applications, click Content Processing, and then
click the Global Settings tab.
In the list, you can use the wildcard characters asterisk ( * ), which
represents many characters, and question mark ( ? ), which represents a
single character, to specify URLs that should not update the FirePass
controller session. An empty list means all URLs update a session.
If your web site includes JavaScript that does any client-side cookie
manipulation, you must specify a pattern that allows the cookie to pass
through to the client browser. For security reasons, cookies are not passed
through by default. When troubleshooting or testing initial support for a web
portal or application, check the Do not block cookies at FirePass, pass
them to the browser for specified URL patterns check box, and type an
asterisk ( * ) in the box. This configuration instructs the FirePass controller
to pass all cookies through to the client browser. Then after testing, you can
restrict the cookies being passed.
Configuring Content Processing Global Settings requires a service restart,
and also provides the following options:
• Enable HTTP/1.1 support for back-end requests
Allows the FirePass controller to support HTTP requests that originate
from an HTTP/1.1 version server.
• Automatically patch Java Applets
Intercepts the Java applet and unwraps it if it is a .jar, .cab, or a .zip
archive. Next, each class is searched, and when the applet-rewrite
functionality finds an Applet, JApplet, Socket, URL, or InetAddress
class, it rewrites it accordingly, along with rewriting its inheritance
definitions. Then, the applet is repacked and resigned, if necessary, using
the F5 signing certificate. The FirePass controller then passes the
transformed applets to the web client, and caches them, if the dynamic
cache option is set.
By specifying URLs under Java Byte Code Rewriting on the Content
Processing Global Settings screen, you can suspend rewriting for specific
URLs. For more information, see Preventing Java byte code rewriting,
on page 7-27 and Configuring the Alternative Host/Port-based type of
bypass, on page 7-12.
• Automatic MIME type recognition
Examines the content associated with a site to determine its Multipurpose
Internet Mail Extensions (MIME) type so that the application can present
the information correctly.
Note
You should not enable dynamic cache when you are using group-based
VLAN to access hosts with the same host name or IP address on different
VLANs.
• Enabled
Indicates whether the web application serves the specified page as the
webtop for users in the associated group. For additional information on
how to use a page as a customized webtop and run FirePass controller
favorites, see the online help on the Device Management : Customization
screen.
Proxy settings consist of an address and port number. You can also specify a
comma-separated list of addresses or subnets to which the FirePass
controller should allow direct access, that is, not through the proxy server.
When you check Enable HTTP proxy or Enable SSL proxy and click
Update and Test, the FirePass controller presents Address and Port boxes
for each type of proxy. You can also specify a list of the IP addresses to
which the FirePass controller should allow direct access rather than through
the proxy.
Note
In the No proxy for the following addresses (comma separated) box, you
can specify the leading digits for IP addresses for resources to which you
want the FirePass controller to allow direct access. Use commas to separate
these addresses. You can use the X[.Y[.Z]] format for IP address templates,
for example, 19 or 192 or 192.168 or 192.168.200 or 192.168.200.12. If
there is no list of addresses, the FirePass controller uses a proxy for all
resource access.
Note
The FirePass controller does not support specifying a subnet mask using
24-bit (CIDR) addresses for the proxy exclusion list.
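The proxy exclusion box accepts leading-digit templates rather than subnet masks, and the manual gives 19, 192, 192.168 and 192.168.200 as examples. The Python below is an added example, not FirePass code; it reads "leading digits" literally as a textual prefix of the dotted-decimal address, which is this example's interpretation of the X[.Y[.Z]] format, and it rejects the CIDR notation the manual says is unsupported instead of silently ignoring it. Function names are the example's own.

```python
import ipaddress


def parse_exclusion_list(text):
    """Split the comma-separated 'No proxy for the following addresses' box into
    X[.Y[.Z]] templates. CIDR notation is rejected because the manual says the
    controller does not support it; a template must be one to four octets."""
    templates = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "/" in item:
            raise ValueError(f"CIDR notation is not supported here: {item}")
        octets = item.split(".")
        if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            raise ValueError(f"not an X[.Y[.Z]] template: {item}")
        templates.append(item)
    return templates


def exclusion_list_is_valid(text):
    """Convenience wrapper for validating the box before saving it."""
    try:
        parse_exclusion_list(text)
        return True
    except ValueError:
        return False


def uses_direct_access(ip, exclusion_text):
    """True when the resource address should be reached directly rather than
    through the configured proxy. With an empty list everything goes through
    the proxy, as the manual states. Matching is a textual prefix comparison
    against the normalised dotted-decimal form (this example's reading)."""
    addr = str(ipaddress.IPv4Address(ip))  # validates and normalises the address
    templates = parse_exclusion_list(exclusion_text)
    if not templates:
        return False
    return any(addr.startswith(t) for t in templates)
```

Under this reading the template 19 matches 19.0.0.1 as well as 192.168.200.12 and 198.51.100.7, since all three start with the digits 19; if only one network should bypass the proxy, give enough octets (for example 192.168.200) to pin it down.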
Important
The FirePass controller does not verify paths, so make sure the path is
specified correctly.
Users can use any web browser to access the mailbox. In particular, users
who are away from the office can use browsers on mobile devices to quickly
browse through emails.
A user can configure any number of email accounts, but you can limit access
to only the corporate account you create, by checking the Limit E-Mail
Access to Corporate mail account only (for Extranets, partner and
customer access, etc.) check box. This limitation is useful for users logging
on from extranets, and for partner and customer access. You can also disable
the downloading of attachments, which can help prevent introduction of
untrusted material onto the client’s machine.
Configuring Mobile E-Mail includes the following options:
◆ Master Group
Presents a list of all master groups. Select the one you want to configure.
◆ Enable corporate mail account
Provides access to the user’s corporate email account.
◆ Account name
Represents the string users see as the name of the link on their webtop.
Corporate Mail is the default.
◆ Mail server
Represents the mail server name or IP address. For example,
mailserver.siterequest.com.
◆ Type
Presents the support options: POP and IMAP. Select the one you want.
◆ IMAP Folders
Represents the comma-separated list of folders that you want users to
see, if you are using an IMAP mail server. This list prevents the
confusion created by mail servers that display items that are not email
messages, such as contacts or calendars, as empty email folders. Users
can also add to the list themselves.
◆ Logon Information
Presents a list of options for logging on to Mobile E-Mail.
When you finish configuring all of the options, click the Update button.
Important
If you use LDAP authentication over SSL, specify a host name, and be sure
that the host name exactly matches the name on your LDAP server’s
certificate.
• Search base
Indicates the level of the entry in the tree to be used for the search, for
example:
cn=Recipients,ou=Exchange,o=FirePass
• Filter template
Contains the string to use when searching for the user. You can use %s
in the filter expression to have the FirePass controller insert a user logon,
for example:
(&(objectclass=person)(cn=*%s*))
• Attribute for mail server
Contains the attribute in the LDAP schema that stores the mail server
name.
• Attributes for user's display name, email address, and logon
Contains the attributes in the LDAP schema that store the associated
information.
• Attribute for mail server
Represents the attribute in the LDAP schema that stores the mail server
name.
• Attribute for user’s display name
Represents the attribute in the LDAP schema that stores the name that
indicates who sent the email.
• Attribute for user’s email address
Represents the attribute in the LDAP schema that stores the originating
address of the email.
• Attribute for user’s logon
Represents the attribute in the LDAP schema that stores the name the
user types when logging on to the email server.
When you finish configuring all of the options, click the Update button.
• Bind DN
Represents the distinguished name the FirePass controller should use to
bind to the LDAP directory.
• Bind password
Represents the password for the BIND DN. You can leave the box empty
to require no authentication.
• Search base
Indicates the level of the entry in the tree to be used for the search, for
example:
cn=Recipients,ou=Exchange,o=FirePass
• Filter template
Contains the string to use when searching for the user. You can use %s
in the filter expression to have the FirePass controller insert a user logon,
for example:
(&(objectclass=person)(cn=*%s*))
• Name attribute
Represents the attribute in the LDAP schema that stores the user’s name.
• Address attribute
Represents the attribute in the LDAP schema that stores the user’s email
address, which is typically mail.
When you finish configuring all of the options, click the Update button.
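Both option lists above take a filter template in which %s is replaced by the user's logon, with (&(objectclass=person)(cn=*%s*)) as the documented example. The manual does not say whether the controller escapes the logon before substituting it, so the Python below, an added example rather than FirePass code, shows the defensive rendering a practitioner would expect: the RFC 4515 special characters in the logon are hex-escaped before substitution, so the template's own wildcards stay in effect while characters typed by the user cannot change the filter's structure. Function names are the example's own.

```python
# Documented example template; the %s marker receives the user logon.
FILTER_TEMPLATE = "(&(objectclass=person)(cn=*%s*))"


def escape_ldap_filter_value(value):
    """Escape the characters RFC 4515 treats specially inside an assertion
    value: backslash, asterisk, parentheses and NUL become \\xx hex escapes."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template, logon):
    """Substitute the escaped logon for every %s in the template."""
    if "%s" not in template:
        raise ValueError("filter template must contain %s")
    return template.replace("%s", escape_ldap_filter_value(logon))


def filter_is_balanced(ldap_filter):
    """Cheap sanity check that a rendered filter still has matching parentheses
    (escaped ones no longer count, which is the point of escaping)."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0
```

With the documented template, an ordinary logon renders as (&(objectclass=person)(cn=*jdoe*)); a logon containing parentheses or asterisks renders with those characters escaped, so the search still looks for a cn containing that literal text instead of a different filter.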
The FirePass controller provides the following options for scanning for
embedded code:
• Scan URL parameters for embedded script code
Inspects user input data for active elements such as scripts within URL
arguments.
• Scan form POST data for embedded script code
Inspects user input data within URL-encoded form POST data for active
elements, such as scripts.
• User defined script search elements (advanced)
Provides an area for defining your own search elements. For example,
you can modify the active element set of strings used for scanning of
URL arguments and form POST data. Checking this option opens a box
containing the default list of elements. You can modify this value or
define your own.
<script <object <applet <embed <form javascript: vbscript: mocha: livescript: about:
onload= onmouseover= text/javascript script> &{ url( expression(
You can:
• Filter input URL parameters and form POST data for suspicious
characters
• Block requests with suspicious extended content.
Note
This technique can prevent many attacks, but it also can result in many false
positives, and could alter valid input. For example, the name O'Hara would
be changed to OHara, and fail to match a valid record.
You can view and customize the default pattern by checking the User
defined block match regular expression (advanced) check box. You can
then modify the text using standard regular expression (regex) syntax. You
can restore the default match pattern by clearing the check box.
Web applications, web servers, and the services they use all can contain
buffer overflow vulnerabilities. The best defense is to restrict the length of
any attempted input string to the appropriate maximum for the application.
While it is the responsibility of the application to parse input, you can
specify maximum levels for your environment, providing an outer perimeter
of defense against exploits such as these.
The FirePass controller provides the following options for applying buffer
overflow protection:
• Restrict maximum upload size (32-1024 Mb)
Constrains files that the user uploads to a specific size. The default value
is 32 MB.
• Restrict maximum length of a GET query string
Constrains the request string to the maximum specified. The default
value is 2048 bytes.
If you check the Restrict maximum length of a GET query string check
box or the Restrict maximum length of POST data check box, you can
also specify a comma-separated list of URLs to exclude from buffer
overflow checks. In the web site exceptions box, you can use the wildcard
characters asterisk ( * ), which represents many characters, and question
mark ( ? ), which represents a single character. If you specify buffer
overflow options and you leave this list empty, it means that the FirePass
controller checks input to all sites accessed through Portal Access.
You specify the path and port of the ICAP server using the following
format:
[icap://]<domain-name>[:<port>][/<path>]
Following are some examples of how to specify the path and port of the
ICAP server:
• siterequest_domain.siterequest.com: Specifies the domain name.
• siterequest_domain.siterequest.com:1345: Specifies the domain name
and port.
• siterequest_domain.siterequest.com:1345/avscan: Specifies the
domain name, port, and path.
• siterequest_domain.siterequest.com/avscan: Specifies the domain
name and path.
• icap://siterequest_domain.siterequest.com:1345/avscan: Specifies the
ICAP protocol, domain name, port, and path.
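The five forms listed above all reduce to a host, an optional port and an optional path. The parser below is an added example, not FirePass code; it accepts exactly those forms and rejects anything else, so a mistyped scheme fails loudly instead of being scanned against a wrong server. The manual gives no default port, so 1344 (the ICAP port registered by RFC 3507) is an assumption of this example, and the function and field names are its own.

```python
import re

ICAP_DEFAULT_PORT = 1344  # RFC 3507 port; the manual does not state a default

_ICAP_SPEC = re.compile(
    r"^(?:icap://)?"                # optional scheme
    r"(?P<host>[A-Za-z0-9_.-]+)"    # domain name (the manual's examples contain '_')
    r"(?::(?P<port>\d{1,5}))?"      # optional :port
    r"(?P<path>/[^\s]*)?$"          # optional /path
)


def parse_icap_server(spec, default_port=ICAP_DEFAULT_PORT):
    """Parse '[icap://]<domain-name>[:<port>][/<path>]' into its parts and a
    canonical icap:// URL. Raises ValueError for anything outside that shape."""
    match = _ICAP_SPEC.match(spec.strip())
    if not match:
        raise ValueError(f"malformed ICAP server specification: {spec!r}")
    port = int(match.group("port")) if match.group("port") else default_port
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    host = match.group("host")
    path = match.group("path") or ""
    return {"host": host, "port": port, "path": path, "url": f"icap://{host}:{port}{path}"}


def icap_spec_is_valid(spec):
    """True when parse_icap_server would accept the specification."""
    try:
        parse_icap_server(spec)
        return True
    except ValueError:
        return False
```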
The update process uses the HTTP protocol. You can specify the frequency
of updates (as the number of Updates per day), number of Retry attempts
to download an update, and, if you use an HTTP proxy, any needed proxy
parameters.
Note
The Clam AntiVirus feature is valid only for Portal Access connections.
Note
Flash patcher cannot patch Flash version 4. With version 4 Flash, the Flash
file is returned unpatched. Flash patcher cannot patch ABCScript, which
can exist in Flash version 9 or later. Version 9 and later Flash files with
ABCScript are returned unpatched.
Note
The X-Cache header is not set for an HTTP 304 Not Modified response.
• Use the Test Content Processing Settings link from the Portal Access :
Web Applications : Content Processing screen to fetch source material
directly for a particular page. This option also displays the source, and
displays any source changes made by applicable content processing
scripts.
• Use HttpWatch from Simtec to capture HTTP and HTTPS traffic through
Internet Explorer. You can then compare traces made through My Intranet
with traces made directly through an Application Tunnel or an SSL VPN
tunnel.
• Use the Web Applications Engine Trace tool from the Device
Management : Maintenance : Debugging Tools screen to perform a
debug trace of the reverse-proxy that can be uploaded and viewed by
technical support.
It is common to use two sessions to troubleshoot a reverse proxy issue:
• one user session for which a problem exists
• a second administrator session to control the user session
• In the middle, the request log displays the events that took place
during the reverse proxy session.
• At the bottom left, the front-end request/response for the
client-FirePass controller side displays. The request headers and
body appear, if present, and the response headers and body for
requests between the client and the FirePass controller also
appear.
• At the bottom right, the back-end request/response for the
FirePass controller-remote server side appears. This table
displays the request headers and body, if present, and the
response headers and body for requests between the server and
the FirePass controller.
}
# Decodes a string of hexadecimal digit pairs into the bytes they represent.
# Every pair of hex digits anywhere in the input is converted, so call it
# only on data that is entirely hex-encoded.
sub HexDecode {
my $res = shift;
$res =~ s/([\da-fA-F]{2})/pack("C", hex($1))/ge;
$res;
}
One advantage of this special mode of operation is that cookie processing
is greatly simplified, although cookie pass-through must still be enabled
explicitly where a site needs it. This must be done manually when using
bypass mode for a site, because automatic cookie pass-through is not
supported with bypass mode.
Another advantage is that there is no longer a need to prefix every HTML
link or dynamic URL with a mangled string to encode the internal
destination host and port. Since there is less mangling (only the host name
and port are re-written), there is less chance for incompatibilities.
• New lines may appear in the regexp using the two-character sequence \n.
The s command attempts to match the pattern space against the supplied
regexp. If the match is successful, the portion of the pattern space
that was matched is replaced with the replacement. The replacement can
contain \n references (where n is a number from 1 to 9, inclusive), each
of which refers to the portion of the match contained between the nth
\( and its matching \). The replacement can also contain unescaped &
characters, which reference the whole matched portion of the pattern space.
To include a literal \, &, or newline in the final replacement, precede
the desired \, &, or newline in the replacement with a \. The s command
can be followed by zero or more of the following flags:
• g - applies the replacement to all matches of the regexp, not just the
first instance.
• number - replaces only the number-th match of the regexp.
For more information about SED scripts, refer to the following resources:
• http://www.dbnet.ece.ntua.gr/~george/sed/sedfaq.html
• http://www.ptug.org/sed/sedfaq.htm
• http://www.wollery.demon.co.uk/sedtut10.txt
8
Managing and Monitoring the FirePass
Controller
• Using realms
• Performing maintenance
8-2
Managing and Monitoring the FirePass Controller
If you are configuring a failover pair or a cluster member, you also need to
configure an HTTP service for the synchronization agent. For more
information about failover configuration, see Understanding FirePass
controller high availability, on page 11-1. For more information about
clustering configuration, see Configuring FirePass controller clusters, on
page 12-3.
Important
If there is a web service running on the interface or VLAN, then you must
restart the system. If there is no web service associated with the IP address
being changed, then you do not need to restart it.
You can make some other IP configuration changes without restarting the
FirePass controller, but some of the changes require one. For changes that
require a restart, the FirePass controller posts a prompt. For more
information, see Changing network configuration settings that require
restart, following.
Important
Any additions, deletions, or configuration changes you make do not take
effect until you commit them using the Finalize tab. Some configuration
changes require that you restart the FirePass controller for them to take
effect. For more information, see Changing network configuration settings
that require restart, on page 8-5.
Important
If you deploy a FirePass platform that uses a shared MAC address, and you
do not use physical or virtual separation to segment traffic, you may
experience packet loss when accessing the FirePass controller.
Table 8.1 lists MAC address assignment information for each FirePass
controller.
Note
There are two additional ports available on the FirePass 4300 platform.
These fiber ports are labeled 2.1 and 2.2 on the controller chassis, and
eth 1.21 and eth 1.22 in the configuration interface. These ports provide
direct connections to a LAN, or to additional services such as dedicated
clustering, failover synchronization, or DMZ use. Additionally, you can also
run primary user and administrative servers on these ports. You must install
a small-form-factor pluggable (SFP) into the ports to enable them.
WARNING
Be extremely careful when changing the FirePass controller’s IP
configuration settings. If you enter incorrect settings, the FirePass
controller might become inaccessible from the network. If the FirePass
• Another route for the failover (or standby) unit, using the unit’s
device-specific, self IP address. For this configuration, select one
of the self IP addresses as the Src IP and Standby Only as the
mode. This causes the standby FirePass controller to use the self
IP address as the source IP address for all outgoing packets.
For more information about configuring web services for failover,
see Understanding FirePass controller high availability, on page
11-1.
9. In MTU and Window (Bytes), specify the size of the largest packet
to transmit.
The Maximum Transmission Unit (MTU) is the largest packet size, in
bytes, allowed in a single transmission. Window (Bytes) is the number of
bytes a sender can transmit without receiving an acknowledgement; it is
related to the size of the receiving buffer. This step is optional.
10. Click the Add route button.
4. In the Name box, type the string to use to identify the routing table.
Routing table names can contain up to 512 alphanumeric and
underscore ( _ ) characters. The string you specify cannot match the
name of an existing table.
5. In the Number box, specify a number from 1 to 252.
6. Click Add New.
To delete a table
1. In the navigation pane, click Device Management, expand
Configuration, click Network Configuration, and click the
Routing tab.
The Routing screen opens in light mode.
2. Click the Switch to advanced mode link to switch to the advanced
routing mode.
The Advanced Routing Mode screen opens.
3. Click the link to display the routing tables.
WARNING
Routing table deletion occurs immediately, without a confirmation alert, so
be sure you are ready to delete the table when you click the Delete button.
To add a rule
1. In the navigation pane, click Device Management, expand
Configuration, click Network Configuration, and click the
Routing tab.
The Routing screen opens in light mode.
2. Click the Switch to advanced mode link to switch to the advanced
routing mode.
The Advanced Routing Mode screen opens.
3. In the From box, type the source IP address and netmask.
The FirePass controller applies the rule to incoming IP packets
matching the address and netmask specified.
4. In the To box, type the destination IP address and netmask.
The FirePass controller applies the rule to outgoing IP packets
matching the address and netmask specified.
5. From the Interfaces list, select the interface you want the FirePass
controller to apply the rule to.
Available interfaces include all of the physical interfaces and any
defined VLANs.
6. In Table, specify the target routing table for this rule.
When an incoming IP packet matches this rule, it is routed as
specified in this table.
7. In Priority, specify a number from 0 to 32765, with lower numbers
representing higher priority for this rule. The FirePass controller
assigns the main table the number 32766, and assigns the default
table the number 32767.
The value in the Priority box controls the order in which the
FirePass controller applies the rules. The lower the number, the
higher the priority, and the earlier the rule is evaluated during the
routing operation. The FirePass controller routes the traffic
according to the first match in the table.
8. Click Add New.
4. Directly in the list, change the value for To, From, Interface,
Table, and Priority, as described in To add a rule, preceding.
The presence of an asterisk ( * ) denotes a required value.
5. Click Update Table.
Configuring DNS
You can configure the IP addresses of the DNS you want the FirePass
controller to use. You also can specify the FirePass controller’s default
domain suffixes.
4. In the DNS Cache area of the screen, check the Enable DNS cache
box.
The FirePass controller uses this setting to cache the results of
DNS requests, which improves controller performance.
5. Click Update.
Important
Any additions, deletions, or configuration changes you make do not take
effect until you commit them using the Finalize tab.
You can configure services to use different roles and different ports,
although they might also share roles and ports. A service consists of any
distinct combination of roles, functionality, and IP address/port assignment.
The Services column of the table of web services contains one or more of
the codes described in Table 8.2.
Note
To add a service
1. In the navigation pane, click Device Management, expand
Configuration, and click Network Configuration.
The Network Configuration screen opens.
2. Click the Web Services tab.
The Web Services screen opens.
3. Scroll to the Add new service area.
4. From the list of IP addresses configured for the FirePass controller,
select the IP address to use for the new service.
You can add IP addresses using options on the IP Config tab. For
more information, see Configuring IP addresses and subnets, on
page 8-9.
5. In Port, specify the port to use for this service.
6. In Name, assign a name to the service, or specify the fully-qualified
domain name of the service listening on this port.
7. Check the SSL check box to specify encrypted communications.
F5 Networks recommends enabling SSL for all services other than
those that provide redirect, offload, or synchronization support, or
those that must provide access to devices that do not support SSL.
To configure a service
1. In the navigation pane, click Device Management, expand
Configuration, and click Network Configuration.
The Network Configuration screen opens.
2. Click the Web Services tab.
The Web Services screen opens.
3. Click the Configure link in the row next to the service you want to
modify.
The configuration detail screen opens.
4. In Hostname, specify the FQDN of the service.
This step is optional, depending on the IP address you are
configuring, and whether you have entries in your DNS
corresponding to the IP address.
For example, if you are configuring the self IP address on a failover
pair, you might not want to specify FQDN, but if you are
configuring the shared IP address on a failover pair, you do. For
more information about IP addresses for failover pairs, see
Configuring the active controller with a self IP address, on page
11-9, and Configuring the active controller with a shared IP
address, on page 11-10.
Note: The CN on the certificate should match the hostname of the
web service that the certificate is assigned to. You could have
multiple hostnames if you have multiple IP addresses configured.
5. In IP Address, select the IP address configured for the FirePass
controller.
You can add a new IP address using options on the IP Config tab.
For more information, see Configuring IP addresses and subnets, on
page 8-9.
6. In Port, modify the port number for this service.
7. Check Use SSL, to enable secure communication for this service.
The screen refreshes, revealing the following options:
• From the Certificate list, select an installed certificate.
To use SSL, you must have an SSL certificate installed on the
computer.
• You can also edit existing certificates, generate a request for a
new certificate, or generate a self-signed certificate using the
links provided.
Note: The FirePass controller includes a preconfigured, default SSL
server certificate for firepass.company.xyz. You can use this
certificate while configuring and testing a FirePass controller, but
the certificate is not unique, and the certificate’s server name will
not match the name you give to the FirePass controller, so anyone
connecting to the FirePass controller sees warning messages from
their web browser. Before you make the FirePass controller
available to external users, you should replace the default server
certificate with a signed certificate. For more information, see
Installing a server certificate, on page 4-8.
8. If you do not check Use SSL, you can also configure the following
options:
• In HTTPS URL to redirect to, specify the name of a server or
service to which to forward the session. You can leave this box
blank.
• Check the Do not redirect to HTTPS check box to permit access
to browsers that do not support SSL communication, for
example, mini-browsers on some Internet-enabled mobile phones
and PDAs.
9. Check the Synchronization Agent check box to indicate that you
want the synchronization agent to use this service for cluster or
failover configuration synchronization. A synchronization service:
• Must allow HTTP connections, without redirecting to an HTTPS
service.
• Must not be on a shared IP address if it is to be used for
synchronizing failover pairs for high availability.
• Must be on a virtual IP address if it is to be used for
synchronizing clusters of failover pairs.
Note: The Synchronization Agent option is visible only when
clustering or failover is configured. For more information, see
Chapter 11, Using FirePass Controllers for Failover, and Chapter
12, Using FirePass Controllers in Clusters.
10. Check User Logon to allow an end-user to log on using this web
service.
11. Check Admin Logon to allow administrators to log on using this
web service.
If this box is not checked, the FirePass controller redirects a logon
request to the standard end-utility, so that even with a valid
administrator logon, the user does not have access to the
administrative functions.
12. Check WebAccess Bypass to restrict the service to web application
favorites that are configured to use the minimal content rewriting
bypass feature.
For more information about configuring for minimal content
rewriting, see Configuring the Alternative Host/Port-based type of
bypass, on page 7-12.
13. Check Offload SSL processing to a BIG-IP Local Traffic
Manager to use the BIG-IP Local Traffic Manager to handle the
SSL processing that the FirePass controller normally performs as
If you plan to offload SSL processing, see the following topics:
• Understanding the BIG-IP system, following
• Using virtual servers on BIG-IP systems, on page 8-25
• Configuring offloading of SSL processing, on page 8-25
Important
Any changes you make do not take effect until you commit them using the
Finalize tab.
• hostname
Represents the host name or IP address to which you want to allow the
user access. You can use the wildcard characters asterisk ( * ), which
represents many characters, and question mark ( ? ), which represents a
single character. For example:
*.site*quest.com:23,80,443
*.siterequest*:23-25
• port
Represents a port number or a range of ports. If you do not specify a port,
the system allows connections on all ports. For example:
www.siterequest.com:80
www.siterequest.com:23-25
www.siterequest.com:23-25,80,4
172.30.11.0/24:8
172.30.11.0/255.255.255.0:0-65535
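To make the host:port syntax above concrete, here is an added checker (example code, not F5's) that parses rules written in that form and tests whether a rule permits a given host and port. It assumes that * matches any run of characters including none, that ? matches exactly one, that a rule with no port part allows every port, and that a CIDR or dotted-netmask rule matches only when the target host is an IP address inside that network.

```python
import ipaddress
import re

# Added example (not F5's code): evaluates rules in the hostname:port syntax
# documented above. Assumptions: '*' matches any run of characters (including
# none), '?' exactly one; no port part means all ports; IP rules may use CIDR
# or a dotted netmask and match only when the target host is an IP address.


def parse_ports(spec):
    """'23-25,80,443' -> [(23, 25), (80, 80), (443, 443)]; '' -> None (all ports)."""
    if not spec:
        return None
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range: %s" % part)
        ranges.append((lo, hi))
    return ranges


def parse_rule(rule):
    """Split 'host:ports' into (network or compiled host pattern, port ranges)."""
    host, sep, ports = rule.rpartition(":")
    if not sep:                       # no ':' at all -> the whole string is the host
        host, ports = rule, ""
    try:
        # 172.30.11.0/24 or 172.30.11.0/255.255.255.0
        target = ipaddress.ip_network(host, strict=False)
    except ValueError:
        # translate the wildcard host pattern into an anchored, case-insensitive regex
        pattern = re.escape(host).replace(r"\*", ".*").replace(r"\?", ".")
        target = re.compile("^%s$" % pattern, re.IGNORECASE)
    return target, parse_ports(ports)


def rule_allows(rule, host, port):
    """True if the rule permits a connection to host on port."""
    target, ranges = parse_rule(rule)
    if isinstance(target, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        try:
            host_ok = ipaddress.ip_address(host) in target
        except ValueError:            # a host name never matches an IP network rule
            host_ok = False
    else:
        host_ok = target.match(host) is not None
    port_ok = ranges is None or any(lo <= port <= hi for lo, hi in ranges)
    return host_ok and port_ok


def first_allowing_rule(rules, host, port):
    """Return the first rule that permits host:port, or None (deny by default)."""
    for rule in rules:
        if rule_allows(rule, host, port):
            return rule
    return None
```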
Using realms
An administrative realm is a complete set of roles, master groups, and
resource groups. The concept of realms extends the existing role-based
administration and simplifies FirePass controller administration by
providing an organizational structure for master groups and their associated
resource groups.
A FirePass controller realm consists of a set of defined master and resource
groups and realm administrators, with feature access delegated to them by a
superuser. Superusers are users who have cross-realm access to all groups
and features. A superuser creates realm administrators by upgrading them from
FirePass controller users and delegating full or restricted access to FirePass
controller functionality or groups. Realm administrators are users who can
create their own hierarchy of access to the groups and resources inside their
realm. In a typical setup, the master and resource groups of one realm are
not accessible to administrators of another realm, although superusers or
realm administrators can grant access across realms.
The FirePass controller provides a default realm named Full Access
containing a default superuser account named administrator. Full Access
gives superusers complete access to realm configuration. Everyone serving
as administrator in the Full Access realm is considered a superuser.
Superusers have a realm list in the menu bar of the Administrative Console
that enables navigation to other realms.
Superusers can grant users administrative access to the Full Access realm.
Realm administrators can grant users administrative access only to their own
realm. An administrator in one realm cannot be an administrator in any other
realm, including the Full Access realm.
Tip
Realms are particularly useful for managing groups with clear functional or
geographic divisions and in the service-provider scenario.
Realms. Realm administrators or superusers can use the Edit link in the
Administrators column associated with the specific realm to add and delete
administrators for the realm.
WARNING
All delete operations occur immediately, without a confirmation alert, so be
sure you are ready to delete a realm or an administrator before you click
Delete.
Note
If the groups link is not present, it means that the realm is not configured to
have access to any groups.
Note
If the features link is not present, it means that the realm is not configured
to have access to any features.
Important
Because superusers have cross-realm access and because they can add
other superusers, you should make sure to add only trusted sources as
administrators of the Full Access realm.
The FirePass controller logs all activities of any user with administrative
privileges in Application Logs. You can find Application Logs on the
Reports : App Logs screen.
WARNING
Realm delete occurs immediately, without a confirmation alert, so be sure
you are ready to delete an administrator before you click Delete.
2. In the User Agent text box, type or paste the user-agent string
exactly as it appears in the HTTP header the browser sends in the
HTTP request.
For example, for Mozilla 1.7.8, the User-Agent is
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
You can find other user-agent strings by referring to your browser’s
documentation, and by inspecting the user-agent HTTP header that
the browser sends.
3. From the Type list, select a browser type:
• Desktop Browser
• Minibrowser
• i-mode phone
• HDML, or early WAP phone
• WAP 1.1+ phone
• Pocket PC browser
4. Check the Supports images and Supports color options according
to the capabilities of the browser.
5. Check the Supports UTF-8 option to enable UTF-8 support for
browsers that support UTF-8.
Note: The Desktop browser and Pocket PC browser provide built-in
support for UTF-8, so the system keeps this option selected for these
browsers.
6. Click Add.
The browser definition is added to the list on the Force New
Browser Type panel.
◆ On the RSA SecurID authentication server, identify the users who are
authorized to use the FirePass controller.
For more information, see Step 2: On the RSA SecurID authentication
server, identify the users who are authorized to use the FirePass
controller, on page 8-38.
◆ On the FirePass controller, import the server configuration file.
For more information, see Step 3: Configure the FirePass controller to
use the RSA SecurID authentication server, on page 8-38.
For more information about how to use the RSA SecurID authentication
method, see Setting up RSA SecurID authentication, on page 2-92.
You can also find information about setting up the RSA SecurID
authentication server on the Solution Center at
http://www.f5.com/solutions/.
Important
Host names within the RSA Authentication Manager / RSA SecurID
Appliance must resolve to valid IP addresses on the local network.
Step 2: On the RSA SecurID authentication server, identify the users who
are authorized to use the FirePass controller
See your RSA SecurID Server administrator guide for information on how
to activate users on the agent host you created for the FirePass controller.
Note
The FirePass controller does not support email sent using an SMTP server
that requires authentication.
Important
When configuring the systems described in the following procedure, F5
Networks strongly recommends making sure that only the internal LAN has
access to the port configured in the Run SNMP agent on port setting. In
addition, we recommend restricting the location specified in the
Accessed from setting to that of your SNMP Manager.
You can find settings for these features on the Proxies screen. To access the
screen, click Device Management, expand Configuration, and click
Proxies. For more information about proxies settings, see Configuring
proxy options, on page 7-34.
Note
If the settings are incorrect, the test may take some time to complete.
2. To specify an NTP server, specify the server name in the New NTP
Server box, and then click the Apply button.
When the operation completes, the new time appears at the top of
the screen.
Note
Notes
• Brackets indicate optional values.
• If you do not specify CC and YY values, the FirePass controller uses the
current century and year. If the date you specify has not yet occurred in
the year, the FirePass controller uses the previous year.
• Type a period before the last two digits, if you want to set seconds.
Example
To set the time to 11:30:45 AM on September 24, 2004, type the following
string: 092411302004.45
Performing maintenance
Maintenance for the FirePass controller includes the following activities:
• Activate License
For more information, see Managing FirePass controller licenses,
following.
• Backup/Restore
For more information, see Backing up and restoring the FirePass
controller, on page 8-47.
• Local Update
For more information, see Upgrading controller software, on page 8-48.
• Logs
For more information, see Managing log files, on page 8-51.
• Accounting
For more information, see Configuring for RADIUS accounting, on page
8-58.
• Online Update
For more information, see Updating the software online, on page 8-51.
• Restart Services
For more information, see Shutting down and restarting the FirePass
controller, on page 8-59.
• Troubleshooting Tools
For more information, see Using the troubleshooting tools, on page 8-61.
• User Session Lockout
For more information, see Locking out user sessions, on page 8-49.
Important
If your license includes a FIPS or SSL-accelerator option, you must restart
the FirePass controller after activating the license.
Important
Both the platform you use for backing up and the one you use for restoring
must run the same version of the FirePass controller software, including all
hotfixes.
When the process posts the dialog box, click Save it to disk,
browse to a location where you want to store the backup file, and
click OK.
• To create a full backup of the configuration, including user and
group accounts, global and master-group access settings, and
favorites, click the Create backup of your current
configuration and log messages link. When the process posts
the dialog box, click Save it to disk, browse to a location where
you want to store the backup file, and click OK.
• To configure automated backups, check the Perform nightly
backups check box, check SCP or FTP, click Save, specify the
information requested, and click the Save or Backup Now
button.
• To restore a backed up configuration, click the Browse button in
the restore section, and select the backed up file. Then, click the
Restore your saved configuration link.
A FirePass controller backup file name appears similar to the
following:
backup-bip025328s-URM-5_5-20051021233816.zip, for a
partial backup, and
backup-full-bip025328s-URM-5_5-20051021235036.zip, for a
full backup.
The backed up files are protected with strong encryption, and are checked
for integrity prior to being restored.
WARNING
Backing up and restoring across FIPS-compliant systems restores only the
user accounts and groups configuration. It does not restore network settings
and certificates. This is a FIPS requirement.
members to the new version as well. When you update clusters and failover
pairs, make sure to apply the update to the primary or active member first;
otherwise, synchronization wipes out all upgrade activity.
Important
Always back up the FirePass controller before an upgrade. Additionally,
since you cannot downgrade between FirePass software versions, we
recommend that you create a snapshot to back up your system. For more
information about the snapshot feature, see Backing up and restoring the
FirePass controller, on page 8-47.
Note
If you do upgrade your system, we recommend that you extend the idle
time-out period to avoid the system timing out before the upgrade
completes.
Note
Although some browsers allow you to include passwords as part of the URL,
F5 Networks recommends that you do not do so because of the possibility of
someone intercepting the password.
9. Click Submit.
The update screen displays progress indicators that show the
progress of the download, install, and restart processes.
10. After restart completes, you can verify that the update completed
successfully by navigating to the Device Management : Current
Settings screen. The Current Settings screen displays the version
and build number, and all hotfixes that have been applied.
Note
F5 Networks recommends that you do not keep the archives on the FirePass
controller. Delete the archive from the Temporary Archive Storage after you
have externally archived it.
When you configure the FirePass controller to transfer these files over a
network to a remote system, the system compresses these files into a single
archive (a .zip file). The FirePass controller names files using a specific
format, as shown in the following example.
logs-bipnnnnnns-URM-5_5-yyyymmddhhmmss.zip
Log names follow these conventions:
• bipnnnnnns - serial number, typically with bip as the first three
characters, followed by six digits and a final character of s.
• yyyy - year, in four-digit representation.
• mm - month, in two-digit representation, from 01 to 12.
Format
IP_address--[mm/dd/yyyy hh:mm:ss]"var1=value1;var2=value2"
Example
192.168.200.170--[08/24/2005 22:19:51]
"sid=347cb5ea4ee9a4f6bf184ff56b97ed28;logon=access;group=Default;
message=Entered Admin Console
Variables
◆ Shared variables, as described in Variables shared by all logs, preceding.
◆ message
Describes the action occurring in the FirePass controller session.
Other messages typical of administrator-related activity include:
• Access menu Welcome, param a = welcome, param click = 1
• Access menu Network Configuration, param a = ipconf
Other messages typical of client-related activity include:
• Network Access: dialing Click to connect to Network Access
• Network Access: dialing Connection to SA server
• Open Network Access Connection using remote IP address
192.168.192.6
• Network Access Connection terminated, Logged out
Format
IP_address--[mm/dd/yyyy hh:mm:ss] [mm/dd/yyyy hh:mm:ss]
"var1=value1;var2=value2"
Example
192.168.200.170--[08/24/2005 22:19:51][08/24/2005 22:22:20]
"sid=347cb5ea4ee9a4f6bf184ff56b97ed28;logon=access;group=Default;
agent_OS=WinXP;user_agent=Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1)
For this item, the second timestamp indicates the ending time of the logged
activity.
Variables
◆ Shared variables, as described in Variables shared by all logs, on page
8-54.
◆ agent_OS
Indicates the operating system information of the client, taken from the
HTTP header user agent setting.
◆ user_agent
Indicates the browser information of the client, taken from the HTTP
header user agent setting.
Format
IP_address--[mm/dd/yyyy hh:mm:ss]"var1=value1;var2=value2"
Example
192.168.200.170--[08/24/2005 21:13:40]
logon=access;valid=yes;passed=yes;User-Agent=Mozilla/5.0 (Windows;
U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Variables
◆ Shared variables, as described in Variables shared by all logs, on page
8-54.
◆ valid
Indicates whether the computer of the user logging on presented a valid
client certificate. Possible values are yes and no.
◆ passed
Indicates whether the computer of the user logging on passed the active
pre-logon check. Possible values are yes and no.
◆ user_agent
Indicates the browser information of the client, taken from the HTTP
header user agent setting.
Format
IP_address--[mm/dd/yyyy hh:mm:ss] [mm/dd/yyyy hh:mm:ss]
"var1=value1;var2=value2"N
Example
192.168.200.170--[08/24/2005 22:19:51][08/24/2005 22:22:20]
"sid=347cb5ea4ee9a4f6bf184ff56b97ed28;logon=access;group=Default;
home_address=;protocol=HTTPS;nonstandard_port=0;content_type=
HTML;desktop_dns=;desktop_dns=;finish=:0;"0
For this item, the second timestamp indicates the ending time of the logged
activity.
Variables
◆ Shared variables, as described in Variables shared by all logs, on page
8-54.
◆ home_address
Represents the IP address of the remote desktop using Desktop Access.
An empty value indicates no Desktop Access connection.
◆ protocol
Represents the protocol used to access the FirePass controller, either
HTTPS (typical) or HTTP (unsecured).
◆ nonstandard_port
Represents the port number used to access the remote desktop for
Desktop Access connections. An empty value indicates no Desktop
Access connection.
◆ content_type
Represents the content form used to communicate with the standalone
VPN client. For a Windows-based browser, the value is typically HTML;
it could be WML in the case of a wireless hand-held device (PDA, cell
phone), for example.
◆ desktop_dns
Indicates the IP address of the remote DNS used by the remote desktop
for Desktop Access connections. An empty value indicates no Desktop
Access connection.
◆ desktop_finish
Indicates the length of the session, in seconds (integer) for Desktop
Access connections. An empty value indicates no Desktop Access
connection.
◆ server_addr
Indicates a reserved value.
Additional values
◆ N
Represents the status code of the FirePass controller session, as indicated by
the following values.
• 0 - Server session in progress.
• 1 - Logged out from server
• 2 - Server session timed out
• 3 - Redirecting to desktop
• 4 - Desktop session in progress
• 5 - Logged out from desktop
• 6 - Desktop session timed out
• 7 - Session handed off to failover box
Format
[mm/dd/yyyy hh:mm:ss]
[internal_function]"var1=value1;var2=value2"
Example
[08/23/2005 19:32:10] [uroam_admin]
"sid=35351d251f1b7bda0c427ff2a0d65a10;logon=access;group=Default
;time=3549;
Variables
◆ Shared variables, as described in Variables shared by all logs, on page
8-54.
◆ time
Indicates the length of session, in seconds (integer), for the FirePass
controller connection.
◆ internal_function
Indicates the functionality used during the FirePass controller session, as
indicated by the following values.
• uroam_admin - Admin Console
• uroam_mnemail - Mobile E-Mail
• uroam_mnfilemanager - Windows Files
• uroam_geekster - AppTunnels
• uroam_helppages - Help
• uroam_mnintranets - Web Applications
• uroam_mydesktop - Desktop Access
• uroam_nfs - UNIX Files
• uroam_terminal - Terminal Servers
• uroam_vault - Tools
• uroam_mnoptions - Account Details
• uroam_mndesktopupdate - Desktop Software Download
• uroam_look - Webtop settings
• uroam_mnsessions - View Current Sessions
• uroam_mnstats - System Statistics
• uroam_vpn - Network Access
• uroam_x11 - X Window System (X11) Access
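As an added example (not F5's code), the following parser reads lines in the log formats documented above, handling the end-timestamp and internal_function variants, the status code N after the closing quote, and semicolons inside user_agent values, and then flags the records a reviewer would want to look at. The sample lines are constructed from the page's examples joined onto single lines, with the logon line changed to passed=no and the session line changed to protocol=HTTP.

```python
import re
from datetime import datetime

# Added example (not F5's code): a parser for the FirePass application-log line
# formats documented above. SAMPLE_LOG is constructed from the page's examples,
# joined onto single lines; the sid values are the page's own.
TS_FMT = "%m/%d/%Y %H:%M:%S"

LINE_RE = re.compile(
    r"^(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})--)?"  # client IP; absent in the [ts] [internal_function] format
    r"\[(?P<first>[^\]]+)\]"                    # start timestamp
    r"(?:\s*\[(?P<second>[^\]]+)\])?"           # end timestamp or internal_function
    r'\s*"?(?P<vars>[^"]*)"?'                   # var1=value1;var2=value2 (closing quote may be missing)
    r"(?P<status>\d)?\s*$"                      # session status code N, only after a closing quote
)

# Status codes for the N suffix, as listed under "Additional values" above.
STATUS_CODES = {
    0: "Server session in progress",
    1: "Logged out from server",
    2: "Server session timed out",
    3: "Redirecting to desktop",
    4: "Desktop session in progress",
    5: "Logged out from desktop",
    6: "Desktop session timed out",
    7: "Session handed off to failover box",
}

def parse_vars(text):
    """Split var1=value1;var2=value2 pairs. A semicolon separates pairs only when a
    'name=' follows it, so semicolons inside a user_agent value stay in the value."""
    out = {}
    for item in re.split(r";(?=[A-Za-z_-]+=)", text.strip().rstrip(";")):
        if item:
            name, _, value = item.partition("=")
            out[name] = value
    return out

def parse_line(line):
    """Parse one log line into a dict, or return None if it matches no format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    status = int(m.group("status")) if m.group("status") else None
    rec = {
        "ip": m.group("ip"),
        "start": datetime.strptime(m.group("first"), TS_FMT),
        "end": None,
        "internal_function": None,
        "vars": parse_vars(m.group("vars")),
        "status": status,
        "status_text": STATUS_CODES.get(status) if status is not None else None,
    }
    second = m.group("second")
    if second:
        try:                  # the second bracket is an end timestamp ...
            rec["end"] = datetime.strptime(second, TS_FMT)
        except ValueError:    # ... or an internal_function such as uroam_admin
            rec["internal_function"] = second
    return rec

def parse_log(text):
    """Parse every non-blank line; lines matching none of the formats are skipped."""
    records = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [rec for rec in records if rec is not None]

def session_seconds(rec):
    """Session length: the time variable if logged, otherwise end minus start."""
    if rec["vars"].get("time", "").isdigit():
        return int(rec["vars"]["time"])
    if rec["end"] is not None:
        return int((rec["end"] - rec["start"]).total_seconds())
    return None

def flag_records(records):
    """(record number, reason) pairs a reviewer would want to see: sessions over
    unsecured HTTP, invalid client certificates and failed pre-logon checks."""
    flagged = []
    for n, rec in enumerate(records, 1):
        v = rec["vars"]
        if v.get("protocol", "").upper() == "HTTP":
            flagged.append((n, "session over unsecured HTTP"))
        if v.get("valid") == "no":
            flagged.append((n, "client certificate not valid"))
        if v.get("passed") == "no":
            flagged.append((n, "pre-logon check failed"))
    return flagged

# Constructed sample: the page's examples on single lines, with the logon line
# changed to passed=no and the session line changed to protocol=HTTP.
SAMPLE_LOG = """\
192.168.200.170--[08/24/2005 22:19:51]"sid=347cb5ea4ee9a4f6bf184ff56b97ed28;logon=access;group=Default;message=Entered Admin Console"
192.168.200.170--[08/24/2005 22:19:51][08/24/2005 22:22:20]"sid=347cb5ea4ee9a4f6bf184ff56b97ed28;logon=access;group=Default;agent_OS=WinXP;user_agent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.168.200.170--[08/24/2005 21:13:40] logon=access;valid=yes;passed=no;User-Agent=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
192.168.200.170--[08/24/2005 22:19:51][08/24/2005 22:22:20]"sid=347cb5ea4ee9a4f6bf184ff56b97ed28;logon=access;group=Default;home_address=;protocol=HTTP;nonstandard_port=0;content_type=HTML;desktop_dns=;finish=:0;"1
[08/23/2005 19:32:10] [uroam_admin]"sid=35351d251f1b7bda0c427ff2a0d65a10;logon=access;group=Default;time=3549;"
"""
```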
Important
Be sure that the RADIUS accounting server is configured to recognize the
FirePass controller as a client.
Important
After shutting down, you must have physical access to the FirePass
controller device to start up the controller again. You cannot use the
browser interface to start up the FirePass controller.
Important
Although you can access the Maintenance Console from the
Troubleshooting Tools screen, operations you initiate there can make the
FirePass controller unreachable over the network. For example,
when you initiate a Snapshot operation, the system boots into Maintenance
mode, and you cannot access the FirePass controller from the browser. To
continue, you must access the controller using the serial console connected
directly to the physical device. Therefore, we recommend using caution
when initiating operations through the Maintenance Console. For more
information, see the FirePass® Controller Getting Started Guide, available
as a separate document on the F5 Networks Technical Support Web site,
https://support.F5.com.
Note
You can click the Email existing dataset to F5 Support link to email the
collected data directly from the FirePass controller to F5 Support. The
screen refreshes, and a confirmation of the sent message appears, or
notification of any error. The SMTP options, available on the Device
Management : Configuration : SMTP Server screen, must be configured
correctly for this option to work. In addition, your company might place
firewall restrictions on external emails originating from within your
network. In that case, you can download the dataset and email it directly.
You can delete a dataset to conserve storage. Before deleting a dataset,
confirm with F5 Support that they have received the files. Then click the
Delete existing dataset link to delete the dataset. The screen refreshes and
the options to download, email, and delete the dataset no longer appear.
Note
You can use a protocol analyzer that supports reading network traces in
libpcap format to view the packet dump file offline.
Situations when you would use the Web Applications engine trace feature
include the following:
• When a user has trouble connecting to a Web site using a FirePass
controller Web Applications session.
• If a web page is not displaying properly on a client computer.
• If Java or JavaScript is not working on a client computer.
• When the web page contains non-HTML elements, such as XML, Flash,
or ActiveX components, and a client computer cannot access the page.
For more information about using the Web Applications engine trace
feature, see Understanding Web Applications engine trace, on page 13-1.
Figure 8.1 A typical Statistics screen for a FirePass 4100 or 4300 platform
Figure 8.2 A typical System Health screen for a FirePass 4100 or 4300 platform
Figure 8.3 A typical System Load screen for a FirePass 4100 or 4300 platform
Note
The FirePass controller initially inserts the key word all in the IP Address
box as a default value to indicate that all IP addresses are allowed to access
the Load Status screen. If you replace this keyword with an IP address, you
cannot later reenter the keyword all in this box. Alternatively, you can
limit the Load Status Access Security IP address range to a specific set
of IP addresses and subnet masks. Enter the IP addresses and masks on the
Load Status Access Security screen, separated by commas. When this box is
empty, however, access is denied to all addresses by default.
When a user submits the wrong credentials to access the load status screen,
the controller prompts the user to resubmit the credentials. When the
FirePass controller denies a user access to the load status screen because the
IP address is not specified in the Load Status Access Security screen, the
FirePass controller displays the following message in the user’s browser:
403 Forbidden. You do not have permission to access the above URL on
this server.
The following URL is provided to retrieve load status reports:
https://firepassnamorip/load_reports.php?reporttype=[summary|group]&group=master_group_name&output=output_type&from=date_start&to=date_end
where:
reporttype= is summary or group
group= is the name of the master group; if the group value is not set, a
combined summary report for all master groups is generated
output= is represented by xls, html, txt (comma-separated text)
from= is represented by lastweek, last2weeks, lastmonth, lastyear,
ISO-8601 formatted date (YYYY-MM-DD); if this value is not set,
lastweek is used as the default
to= is represented by ISO-8601 formatted date (YYYY-MM-DD)
Note
Users can switch the webtop to English by clicking the Eng link at the top of
the webtop.
Note
Users can switch the webtop to English by clicking the Eng link at the top of
the webtop, but the localized favorite name is not affected by the switch.
9
Using FirePass Controller Client Components
Check Time                OK               OK               OK               OK
UI mode                   OK               OK               OK               OK
Check OS                  OK               OK               OK               OK
9-2
Using FirePass Controller Client Components
Send mail                 OK               OK               OK               OK
External Far-end check    Varies based on  Varies based on  Varies based on  Varies based on
                          check required   check required   check required   check required
For client systems that have the inspector component pre-installed using the
MSI package, the requirements are the same. In cases in which user rights
are insufficient, although the system cannot download the update, the
previously installed component still works.
For the Java-based client adapters listed in the Table 9.2, Sun Java or
Microsoft Java must be installed on the user workstation.
FirePass controller component       User rights              Power User rights        Admin rights
Cache cleanup                       OK                       OK                       OK
VNC                                 OK                       OK                       OK
Application connector (host name)   OK, but system cannot    OK, but system cannot    OK
                                    modify Hosts file        modify Hosts file
Application connector (IP address)  OK                       OK                       OK
Table 9.2 User rights requirements for installing and running other FirePass controller components
For client systems that have the components pre-installed using the MSI
package, the requirements are the same. In cases in which user rights are
insufficient, although the system cannot download the update, the
previously installed component still works.
Note
The Component Installer Service will likely not install the VPN driver on
Windows Vista because the driver is not signed. As a result, pop-ups may
appear that the FirePass controller does not respond to.
Note
If a client application does not use the Connection Manager API for
networking, users must establish the SSL VPN connection manually using
the provided Connection Manager interface.
On the BIG-IP Edge Client™ screen, the client can configure the following
connection options:
• Auto-Connect
Starts a secure access connection as it is needed. This option uses the
DNS suffix information defined on the Device Management : Client
Downloads page, on the BIG-IP Edge Client™ tab, to determine when
the computer is on a defined local network. When the computer is not on
a defined local network, the remote access connection starts. When the
computer is on a local network, the client disconnects, but remains active
in the system tray. When you open the disconnected client, the message
Disconnected - LAN detected appears in the top pane of the client
window, as shown in Figure 9.1.
• Connect
Starts and maintains a secure access connection at all times, regardless of
your computer’s network location.
• Disconnect
Stops an active remote access connection, and prevents the client from
connecting again. After you click this option, a remote access connection
does not start again until you click one of the previous two options.
In addition, the client can click the Change Server button to change the
FirePass server.
Figure 9.2 BIG-IP Edge Client™ screen with traffic graph expanded
The Details screen provides four tabs that contain information relevant to
the operation of the BIG-IP Edge client. Click each tab to view the
information for that feature. The tabs are:
• Connection Details - Shows details of the current connection,
including status, server, tunnel details, and the amount of traffic sent and
received.
• Routing Table - Shows the current routing table for the client system.
• IP Configuration - Shows the current IP configuration for the client
system. The information in this tab is the same information you see when
you issue the command ipconfig /all at the Windows command
prompt.
• Miscellaneous - Shows version information for the client software, the
servers defined in the client, and the DNS suffixes used for network
location awareness.
You can use the Client Downloads screen to download the following
components:
◆ F5 Networks VPN Client for Windows
The F5 Networks VPN Client for Windows is a program that allows a
user to initiate and use Network Access, App Tunnel, and Terminal
Services sessions outside the context of an Internet browser. The F5
Networks VPN Client for Windows uses the FirePass controller API.
◆ F5 Networks Client COM API library
The F5 Networks Client COM API library is a set of routines that you
can use to construct standalone applications that allow the user to access
FirePass controller services. The API is provided as a C++ library. The
F5 Networks VPN Client for Windows uses the FirePass controller API
to provide the following functionality:
• Log on to the FirePass controller
• Get a list of authorized, preconfigured favorites
• Select a favorite
• Show parameters of the selected favorite
• Establish a connection to one or more favorites
• Mark a selected favorite to be connected automatically in subsequent
sessions
• Close favorites
• Log off of the FirePass controller
You can find descriptions of optional settings in the online help for the
FirePass Legacy Client screen. To access the screen, on the navigation pane,
expand Device Management, click Client Downloads, and select the
FirePass Legacy Client tab.
Note
You can type typically forbidden characters such as : * ? < > | in the
Network Access connection name box. However, use of these characters
prevents Windows Vista connections, although they are not a problem for
other Windows platforms.
Note
If you do not select an option under Use Custom Proxy Settings, the system
tries to connect directly.
To configure ICAP
1. In the navigation pane, expand Portal Access, click Content
Inspection, and select the Antivirus tab.
2. Select the Enable ICAP Client option.
3. Click Update.
The ICAP settings appear.
You must configure the starting of remote client applications based on the
operating system on the remote computers. You can configure all other
features independent of the remote client operating systems. For details, see
Configuring the starting of applications on Macintosh or Linux clients,
following.
Important
The remote user must have superuser authority, or must be able to supply an
administrative password in order to successfully install the Network Access
client.
Both Macintosh and Linux systems must also include PPP support (this is
most often the case). When the user runs the Network Access client and
makes a connection for the first time, the client detects the presence of pppd
(the point-to-point protocol daemon), and determines whether the user has
the necessary permissions to run it. If pppd is not present, or if the user does
not have permissions needed to run the daemon, the connection fails.
After installation, the Macintosh client must restart the browser before
launching Network Access.
Note
If you have a firewall enabled on your Linux system, you need to enable
access on IP address 127.0.0.1 port 44444.
Important
When the user clicks a configured Network Access link, a small window
opens. It must remain open for the whole duration of the Network Access
session. If the user closes the window, it terminates the connection.
Note
On Microsoft Windows platforms, the user might also see a new network
connection icon in the system tray.
Error code   Meaning
32           Signal caught
/config, /c (String)
    Specifies the configuration profile file name. Uses the default program profile, if /conf is not specified.
/user, /u (String)
    Indicates the user name. If no value is specified, uses the default value from the program profile or presents a dialog box.
/userhex, /uh (String)
    Indicates the user name in hex-encoded format. If no value is specified, uses the default value from the program profile or presents a dialog box.
/passwordhex, /ph (String)
    Indicates the password in hex-encoded format. If no value is specified, uses the default value from the program profile or presents a dialog box.
/fid, /f (String)
    Represents the favorite's unique ID. You can use the -info command to get the /fid value.
/fname, /n (name[:{vpn|apptunnel|terminal}])
    Indicates the name of the favorite to affect. You can also specify a type if the name is not unique. You can use the -info command to get the /fname value.
Note
You can get session and favorite ID values using the -info command.
Description
Runs the standalone client in simple mode and does not send a return value
until the system authenticates the user and establishes the session.
Command
f5fpc -start /h firepass.com:443 /u joe
Output
session id: 15
Description
Establishes a session named corp and starts the favorite named sales in
nonblocking mode.
Command
f5fpc -start /nb /h firepass.com /u joe /p password /m advanced /n corp:vpn /n sales:apptunnel
Output
session id: 15
Description
Starts the favorite named sales in the already established session with a
session ID of 15.
Command
f5fpc -start /s 15 /n sales:vpn
Description
Starts the favorite whose favorite ID is 1 in the already established session
with a session ID of 345.
Command
f5fpc -start /s 345 /f 1
Note
You can get session and favorite ID values using the -info command.
/sid, /s (string)
    Indicates the session ID. Halts the session as well as all established favorites running in the session. /sid is a required parameter. All other parameters are optional. You can use the -info command to get the /sid value.
/fid, /f (string)
    Represents the favorite's unique ID. You must also include the /sid. You can use the -info command to get the /fid value.
/fname, /n (name[:{vpn|apptunnel|terminal}])
    Indicates the name of the favorite to affect. You must also include the /sid. You can also specify a type if the name is not unique. You can use the -info command to get the /fname value.
Note
You can get session and favorite ID values using the -info command.
Description
Closes the Network Access connection whose session ID is 15, and halts all
running favorites.
Command
f5fpc -stop /s 15
Description
Closes the Network Access connection whose name is corp, and halts all
running favorites.
Command
f5fpc -stop /s 15 /n corp:vpn
Description
Stops the favorite whose unique ID is 1 running in the session whose ID is
345.
Command
f5fpc -stop /s 345 /f 1
The following example illustrates a sample of the output that the -info
command returns.
15 1 vpn EMPLOYEE 0 available
Table 9.8 contains a list of the arguments that the -info command supports.
/sid, /s (string)
    Indicates the session ID. For -info commands that do not contain a value for /sid, the operation returns a list of all sessions and statuses. For -info commands that contain a value for /sid, the operation returns a list of favorites and their status codes. For -info commands that do not contain a value for /fid or /fname, the operation returns a list of all favorites and status codes. For -info commands that contain a value for /fid or /fname, the operation returns information about that favorite only.
/fid, /f (string)
    Represents the favorite's unique ID. You must also include the /sid.
/fname, /n (name[:{vpn|apptunnel|terminal}])
    Indicates the name of the favorite to affect. You must also include the /sid. You can also specify a type if the name is not unique.
Description
Returns all active sessions.
Command
f5fpc -info
Output
there are 2 active sessions
session code status
15 1 session established
345 4 user should select host from presented list
Note
The code value returned represents the session status. For information
about session status codes, see Session status codes, on page 9-30.
Description
Returns the status and list of favorites for session whose ID is 15.
Command
f5fpc -info /s 15
Return
session code status
15 1 session established
session favorite type name code status
15 1 vpn network1 1 established
15 2 apptunnel AS400 0 available
15 3 apptunnel SALES 0 available
Description
Returns information about the favorite whose unique ID is 1, which is
running in the session whose ID is 15.
Command
f5fpc -info /s 15 /f 1
Return
session favorite type name code status
15 1 vpn network1 1 established
Note
The code value returned represents the favorite status. For information
about favorite status codes, see Session status codes, following.
Description
Returns information about the favorite whose name is sales, which is
running in the session whose ID is 15.
Command
f5fpc -info /s 15 /n SALES:apptunnel
Return
session favorite type name code status
15 3 apptunnel SALES 0 available
Note
The code value returned represents the favorite status. For information
about favorite status codes, see Favorite status codes, on page 9-31.
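The -info output shown in the examples above is plain text with a variable-length status column, which is awkward to check by eye when scripting the standalone client (for instance to confirm that a session is really closed). The following parser is an added example, not code from the FirePass manual or the f5fpc tool; its sample output is constructed to match the shape of the manual's examples, and its status tables contain only the codes those examples print.

```python
"""Parse the text that `f5fpc -info` prints into session and favorite records.

Added example; it is not part of the FirePass manual or the f5fpc tool. The
sample output below is constructed to match the shape of the manual's -info
examples, and the status tables hold only the codes those examples show.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Status meanings exactly as the manual's -info examples print them.
SESSION_STATUS = {1: "session established",
                  4: "user should select host from presented list"}
FAVORITE_STATUS = {0: "available", 1: "established"}
FAVORITE_TYPES = {"vpn", "apptunnel", "terminal"}

# Constructed sample output, shaped like `f5fpc -info` and `f5fpc -info /s 15`.
INFO_ALL = """there are 2 active sessions
session code status
15 1 session established
345 4 user should select host from presented list
"""
INFO_SESSION_15 = """session code status
15 1 session established
session favorite type name code status
15 1 vpn network1 1 established
15 2 apptunnel AS400 0 available
15 3 apptunnel SALES 0 available
"""


@dataclass
class Session:
    session_id: int
    code: int
    status: str


@dataclass
class Favorite:
    session_id: int
    favorite_id: int
    kind: str          # vpn, apptunnel or terminal
    name: str
    code: int
    status: str


def _is_favorite_row(tokens: List[str]) -> bool:
    # Favorite rows carry the type in column 3; a session status never does.
    return len(tokens) >= 6 and tokens[2] in FAVORITE_TYPES


def parse_info(text: str) -> Tuple[List[Session], List[Favorite]]:
    """Return (sessions, favorites). Header lines select the row format; a
    bare row with no header (the manual shows one) is classified by column 3."""
    sessions: List[Session] = []
    favorites: List[Favorite] = []
    mode = ""
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[:2] == ["there", "are"]:
            continue                      # blank line or the "there are N" banner
        if tokens == ["session", "code", "status"]:
            mode = "session"
            continue
        if tokens == ["session", "favorite", "type", "name", "code", "status"]:
            mode = "favorite"
            continue
        kind = mode or ("favorite" if _is_favorite_row(tokens) else "session")
        if kind == "favorite":
            # the status may contain spaces, so only the first five columns split
            sid, fid, ftype, name, code, status = raw.split(maxsplit=5)
            favorites.append(Favorite(int(sid), int(fid), ftype, name, int(code), status.strip()))
        else:
            sid, code, status = raw.split(maxsplit=2)
            sessions.append(Session(int(sid), int(code), status.strip()))
    return sessions, favorites


def established_favorites(text: str) -> List[str]:
    """Names of favorites whose code is 1 (established), in output order."""
    return [f.name for f in parse_info(text)[1] if f.code == 1]


def session_closed(text: str, session_id: int) -> bool:
    """True when the session no longer appears in a full -info listing."""
    return all(s.session_id != session_id for s in parse_info(text)[0])


def code_mismatches(text: str) -> List[str]:
    """Rows whose printed status disagrees with the code tables above, so an
    unknown or unexpected state is reported rather than silently accepted."""
    sessions, favorites = parse_info(text)
    problems = [f"session {s.session_id}: code {s.code} printed as {s.status!r}"
                for s in sessions if SESSION_STATUS.get(s.code) != s.status]
    problems += [f"favorite {f.favorite_id}: code {f.code} printed as {f.status!r}"
                 for f in favorites if FAVORITE_STATUS.get(f.code) != f.status]
    return problems
```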
/conf, /c (string)
    Represents the configuration profile file name. If no /conf value is specified, the operation uses the default current program profile.
Description
Returns information about the FirePass controllers configured in the default
profile file.
Command
f5fpc -profile
Return
Name Address Port Description
Main 44.58.251.1 443 The main gateway
Asia 28.45.13.22 443 Asia gateway
Description
Returns a list of all standalone client command line interface commands.
Command
f5fpc -help
f5fpc /?
Description
Returns help about the -start command.
Command
f5fpc -start /?
Description
Returns help about the -stop command.
Command
f5fpc -stop -help
4. Run a command.
The following are examples of commands you can run.
f5fpc -help        List all FirePass controller Windows Client command line interface commands
f5fpc -info /?     List all options for the -info command
f5fpc -info        Get information about the current Network Access session
f5fpc -info        Get the session information again, and confirm that the session has been closed
With the Enable logs option on the Tools menu, you can raise the F5 log
level so that the client writes more detailed logs.
Use the Network Access Diagnostics option on the Tools menu to troubleshoot
Network Access problems. The Network Access Diagnostics function scans the
user system to gather information about the client environment.
The Network Access Diagnostics feature performs three tests:
• Installation test
Checks installation integrity: determines whether the SSL VPN Driver
(urvpndrv.sys) and IP Filter Driver (urfltw2k.sys) are installed
correctly, and checks DLL registration for urxhost.dll, urxdialer.dll,
and F5NAHelper.dll.
• Ping test
Performs an ICMP echo to several hosts: an external host by name and by
IP address, the loopback address (127.0.0.1), the default gateway, and
the DNS server. The test expects all of these pings to succeed.
• Operating system network services test
Checks the status of the Windows network services: DNS Client, Network
Connections, DNS Client, Remote Access Connection Manager, and the
VPN driver as the urvpndrv service. Network Access requires that all
these services are in the running state.
10
Using FirePass Controller Reports
For information about archiving and purging logs, see the online help for the
Device Management : Maintenance : Logs screen.
• Time
Represents the start date and time of the associated session. A typical
Time value looks similar to the following example: 10/25/2005 0:28.
• Source IP
Represents the IP address where the session originated. A typical Source
IP looks similar to the following example: 192.168.12.10.
• Logon
Represents the name for the logged on user who originated the session. A
typical Logon looks similar to the following example: joeu
• Session ID
Represents the unique identifier assigned to the session. A typical
Session ID looks similar to the following example: f8e63
• Record
Represents a single action recorded for the associated user. A typical
Record looks similar to the following example: [594330] Access menu
App Logs.
• User agent string
Represents the string the browser returns to identify itself. A typical User
agent string looks similar to the following example: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1).
• Users
Represents two variables: the number of user accounts in the master
group shown in the Group value, and the percentage of the total users in
all master groups. A typical Users entry looks similar to the following
examples: for user accounts: 9, and for percent of total: 67%.
• Sessions
Represents the two variables: the total number of logons by users in the
master group shown in the Group value, and a percentage of the total
logons for users in all groups. A typical Sessions entry looks similar to
the following examples: total: 15, and for percent of total: 92%.
• Avg. Time at
Shows a calculated average of time spent on the FirePass controller
webtop. The entry is a number representing the average number of
seconds in each mode during the reporting period.
• Favorite webifyer
Represents the unique identifier assigned to the session. Some possible
values include Windows Files, Terminal Servers, and Web Applications.
• Class
Represents the class of event associated with the entry in the log. A
typical Class value looks similar to the following example: notice.
• IP
Represents the IP address where the session originated. A typical IP
looks similar to the following example: 192.168.12.10.
• ID
Represents the unique identifier assigned to the log entry. A typical ID
value looks similar to the following example: 400.
• Text
Represents the HTTP command that the FirePass controller processed. A
typical Text value looks similar to the following example: "CONNECT
10.4.10.10:81 HTTP/1.0" 200 0.
• Date
Represents the start date and time of the associated session. A typical
Date value looks similar to the following example:
[24/Oct/2005:00:17:48 -0700].
• Class
Represents the class of event associated with the entry in the log. A
typical Class value looks similar to the following example: notice.
• IP
Represents the IP address where the session originated. The Server error
log (https) does not show any IP values.
• ID
Represents the unique identifier assigned to the log entry. The Server
error log (https) does not show any ID values.
• Text
Represents the HTTPS command that the FirePass controller processed.
A typical Text value looks similar to the following example: Apache
configured -- resuming normal operations.
• To show a list of all sessions that have occurred, click the Complete
History tab.
On the Complete History tab, you can get details about a specific session
(such as browser type or IP address) by clicking a date link in the Start
column.
• To show daily aggregate session counts, click the Session Summary tab.
On the Session Summary tab, you can get details about a specific session
by clicking a link in the Date column.
• Duration
Represents the length of the session, in the format HH:MM:SS, where
HH represents the hour, in 24-hour format, MM represents the minutes,
from 1 through 60, and SS represents the seconds, from 1 through 60. A
typical Duration value looks similar to the following example: 00 24 43.
• From
Represents the IP address where the session originated. A typical From
value looks similar to the following example: 192.168.12.10.
• To
Indicates the type of connection requested. A typical To value looks
similar to the following example: MyNetwork.
• Status
Indicates the status of the session. A typical Status value looks similar to
the following example: Logged out from server.
• Stats
Provides various activity measurements, such as total sessions, average
FirePass controller session, and average number of sessions per week.
• Daily Activation
Shows the breakdown of logon activity by day of the week, from Sunday
through Saturday.
• User Activity Totals
Shows the breakdown of user activity, from high activity to inactive,
including the number of users and the percentage of total users they
represent.
• Browser Type
Indicates the type of browser used to log on and the number of users who
used each type.
• OS Type
Indicates the type of operating system used to log on and the number of
users who used each type.
• Session terminations
Indicates the number of sessions that ended for each method of ending.
• Feature Access
Indicates how the users used the sessions with the FirePass controller. A
typical value in the Feature Access table is Administrative Console.
• Source
Indicates the origin of the logged entry. A typical Source value looks
similar to the following example: firepass.
• Message
Indicates the type of activity the logged entry represents. A typical
Message value looks similar to the following example:
[-] FirePass service started on firepass.siterequest.com.
11
Using FirePass Controllers for Failover
Important
If you plan to introduce a failover configuration into your environment, and
your configuration is already in production, you should review Introducing
a failover member into a production environment, on page 11-5 before
continuing.
For organizations with larger sites and multiple locations with FirePass
controllers, a cluster of FirePass controllers can provide additional
scalability of a high-availability configuration. For more information about
clustering, see Understanding FirePass controller clusters, on page 12-1.
• You must have two FirePass 1000, 1200, 4000, 4100, or 4300 systems
available.
• Each member of the redundant system must be running the same
software version.
• Either both systems have identical features licensed, or one of the two
units is licensed as a failover-only FirePass controller.
Important
If you have a failover-only controller, you must configure it second. For
more information, see Configuring the standby FirePass controller, on
page 11-15.
WARNING
If you are configuring failover in a production environment, the order in
which the pair of controllers restart is very important: restarting them in
the wrong order can result in data loss. For more information, see
Introducing a failover member into a production environment, following.
Note
Once you enable failover and configure the IP addresses for the active and
standby controllers, restarting one controller automatically fails over to
the other one. Failover configuration requires a system restart.
A good strategy to follow when deploying a FirePass controller high
availability configuration has three parts:
• Configure one FirePass controller for failover, typically, the existing one
you have in production, and then shut it down.
• Configure the second FirePass controller, and then shut it down.
• Restart the controller that you want to serve as the active failover
member, and then start the standby controller.
You can use the backup and restore feature to set up a redundant system.
Backup and restore transfers settings to one or more FirePass controllers.
Even though you transfer settings, you must still complete other
configuration tasks. For more information, see Reviewing the configuration
process, on page 11-2.
Important
When you restore the backup, do not restore the network settings to the
standby controller.
Note
For more information on using the backup and restore feature, see Backing
up and restoring the FirePass controller, on page 8-47. For more
information about using the backup and restore feature to transfer identical
settings to a number of FirePass controllers, see the Configuring the
BIG-IP System with FirePass Controllers for Load Balancing and SSL
Offload document on the Solution Center at the F5 corporate web site,
http://www.f5.com/solutions/.
Important
If you are configuring failover in a production environment, or on an
existing FirePass controller, make a full backup of the controller before
making any configuration changes. For information about backing up a
FirePass controller, see Backing up and restoring the FirePass controller,
on page 8-47.
Note
If the screen does not show the Failover tab or other failover-related menu
items after you enable failover, refresh the view in your web browser.
WARNING
Be extremely careful when changing the FirePass controller’s IP
configuration settings. If you enter incorrect settings, the FirePass
controller might become inaccessible from the network. If that happens, you
must have physical access to the FirePass controller device to start up the
controller again. You cannot use the browser interface to start up the
FirePass controller; you must use the Maintenance Console connected to
the device.
Configuring secure web services on port 443 for the active controller
The secure web service on port 443 is the one users log on to. In a typical
configuration, you configure web services on port 443 using SSL. Because
this unit represents one member of a redundant system, you configure web
services on the shared IP address.
Note
You can configure synchronization for any port, not just port 81.
3. From the IP list, in the Add new service area, select a self IP address
of the active controller.
4. In the Port box, type 81.
You can configure synchronization for any port, not just port 81.
5. In the Name box, type the FQDN of the FirePass controller.
You can leave Name blank if the self IP address does not have a
domain name specified in DNS, or if you want to use the self IP
address as the name.
6. From the For Mode list, select Always.
This setting causes the controller to keep a web service active on the
self IP and port specified. You must select Always for the
synchronization service.
7. To add the new service, click Add New.
The Web Service Configuration for <hostname> screen opens for
the new service.
8. Check the Do not redirect to HTTPS check box.
9. Check the Synchronization Agent check box.
For Synchronization Agent to be active, you must check Enable
Failover Configuration on the Device Management : Configuration :
Clustering and Failover screen.
10. Leave all other options unchecked.
11. To commit the settings, click Update.
12. Finalize the changes, and restart if necessary.
For specific steps, see Finalizing the configuration, on page 11-8,
and Restarting the controller or services after configuration, on
page 11-8.
The configuration process is similar to the one you followed when you
configured the active controller, with two exceptions.
◆ Configure standby settings on the Clustering and Failover Settings
screen.
For more information, see To configure standby settings on the
Clustering and Failover Settings screen, on page 11-16.
◆ Specify the self IP address for the standby controller.
For more information, see To specify the self IP address for the standby
controller, on page 11-17.
Important
Use this function at your own risk. F5 does not provide assistance with
signing the controls. Please refer to the appropriate developer's
documentation on Java and ActiveX. This procedure must be repeated after
each firmware upgrade.
On the standby member of a redundant system, you cannot use the link
Please click here to start a console session to the Maintenance Account
on the Device Management : Maintenance : Troubleshooting Tools screen.
This is to help prevent changes to the standby controller of a redundant
system.
Post-configuration tasks
After you have configured both FirePass controllers for failover, confirm
that the failover configuration is working.
12
Using FirePass Controllers in Clusters
Once a user is logged on, the secondary node reports its updates to the
primary node as an input to the primary node’s load-balancing decision.
Because users can perform operations that change user-specific data, the
FirePass controller synchronizes some data from the secondary nodes back
to the primary node. These updates include password changes, additions and
changes to personal favorites, and modifications to other account settings.
For more information about synchronizing web services, see Configuring
clustering synchronization, on page 12-8.
Important
Always back up any FirePass controller before configuring clustering. For
more information on backup operations, see Backing up and restoring the
FirePass controller, on page 8-47.
To ensure the highest level of availability, you should use multiple pairs of
FirePass controllers as cluster nodes. If this is not possible, F5 Networks
recommends, at a minimum, that you make the primary node a redundant
system.
Note
When you connect to a secondary node, you are limited to changing network
settings and clustering configuration options that the primary node does not
control. For example, because you cannot change user and group account
information on secondary nodes, the secondary node presents no user or
group options. These options are not available on any secondary node to
prevent conflicts during synchronization.
Note
As an alternative, you can use a BIG-IP Local Traffic Manager for load
balancing a cluster. For more information, see the associated deployment
guide on the F5 Solution Center at http://www.f5.com/solutions/.
Consolidating logs
You can use log consolidation settings to view information about all cluster
members in a single location on the primary node. Consolidating logs
simplifies the monitoring process for cluster node members. In order to have
the primary node receive log information from the secondary nodes, you
must enable log-consolidation settings on the Device Management :
Configuration : Clustering and Failover screen. For procedures containing
these steps, see Enabling clustering, following.
You can view consolidated logs on the primary node in Reports. Logs that
contain consolidated data include a Cluster Node column in the report. The
report contains data for each cluster node, including the primary node.
You can get node-specific statistics on the Device Management :
Monitoring : System Load screen by selecting an IP address from the
Cluster Node list.
Enabling clustering
Enabling clustering involves specifying the number of nodes in the cluster,
designating one as the primary node, and standardizing the Cluster ID and
Clustering/Failover Global ID on each of the nodes to be used in the cluster.
After you have enabled clustering and restarted the controller, you can make
additional configuration changes on newly available clustering screens.
Tip
If you are enabling clustering on a pair of controllers in a failover
configuration, set up clustering on the active controller.
Important
Whenever you activate a cluster member, always start the primary node
first. If the primary node is not available when the remaining cluster
members start up, the cluster cannot function properly. For this reason, F5
recommends that the primary node be a redundant system.
Important
Although the settings do not take effect until you complete the finalize
operation and restart the controller, the FirePass controller cannot complete
the finalize operation until all clustering settings are fully configured.
Tip
You can use a single web service for both cluster synchronization and
failover synchronization. For more information about configuring a web
service for failover, see Configuring a web service as a synchronization
agent for the active controller’s self IP address, on page 11-12.
Configuring synchronization
After you configure a synchronization service, you must associate that
service on the primary node with the corresponding service on each
secondary node.
Note
As an alternative, you can use a BIG-IP Local Traffic Manager for load
balancing a cluster. For more information, see the associated deployment
guide on the F5 Solution Center at http://www.f5.com/solutions/.
Tip
To update values on the Stats screen, click Stats in the navigation pane.
Tip
To return to the primary controller, type the FQDN for the primary
controller in your web browser's address bar, and then log on.
Once you log on to a secondary node, you can check the system logs and the
logon reports for entries that can help you troubleshoot problems. To access
the reports, in the navigation screen, click Reports.
13
Using Web Applications Engine Trace
Note
If you plan to send the logs to F5 Networks Technical Support, open the logs
in a text editor, review them, and delete passwords and sensitive
information. For more information about reviewing Web Applications
engine trace logs, see Analyzing Web Applications engine traces, on page
13-5.
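As an added example (not code from the F5 manual), the following POSIX shell function redacts the most common secrets from an extracted trace file before it is shared with support: Authorization and Cookie headers in the frontend_ and backend_ exchanges, and password-style fields in form bodies. The sample input is constructed. Real traces may carry credentials elsewhere (custom headers, JSON bodies, query strings), so still open the scrubbed files in a text editor and review them, as the note says, rather than relying on these patterns alone.

```shell
#!/bin/sh
# Added example, not from the FirePass manual: redact credentials from a
# Web Applications engine trace before sending it to support.
# Assumes the trace files are plain HTTP request/response text, as the
# backend_<nnnn>.html and frontend_<nnnn>.html files are described.

# Redact header values and password-style form fields on stdin.
scrub_trace() {
  sed -E \
    -e 's/^(([Pp]roxy-)?[Aa]uthorization:|[Cc]ookie:|[Ss]et-[Cc]ookie:)[[:space:]]*.*/\1 [REDACTED]/' \
    -e 's/([Pp]ass(word|wd)?=|[Pp]wd=)[^&[:space:]"]*/\1[REDACTED]/g'
}

# Constructed sample trace fragment (not a real capture).
SAMPLE_TRACE='GET /owa/ HTTP/1.1
Authorization: Basic dXNlcjpzM2NyM3Q=
Cookie: MRHSession=9f2a1b; ASPSESSIONID=ABC123
POST /login.asp HTTP/1.1
user=jdoe&password=Hunter2&submit=Login'

# Usage on an extracted trace directory, keeping the originals:
#   for f in trace/*/backend_*.html trace/*/frontend_*.html; do
#     scrub_trace < "$f" > "$f.scrubbed"
#   done
printf '%s\n' "$SAMPLE_TRACE" | scrub_trace
```

The header rule replaces the whole value so that nothing after the header name survives; the form-field rule stops at the next `&`, whitespace or quote so the surrounding request stays readable for whoever analyzes the trace.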
Important
Dynamic caching on the FirePass controller must be disabled when using
the Web Applications engine trace, unless you are troubleshooting a
problem with the dynamic cache. If dynamic caching is not disabled, items
that are served out of the cache are not included in the backend trace and
you will be unable to compare the response received from the backend to the
response sent to the client. You should also ask the user to clear the browser
cache first, unless the problem occurs only when content is already cached
by the browser.
Note: If the web page does not fully load, the trace file may be
empty. To capture content, be sure to connect to the user session,
then have the user perform the actions you want to trace, and wait
for the user’s browser to finish loading the content or time out.
You can alternatively click Get user sessions again and browse the
trace log files within the current Administrative console window
using the Browse link.
Table 13.1 Contents of the Web Applications engine trace .zip file

<nnn>.log
Messages from the web applications modules on the FirePass controller itself.
Content in these files is intended for use by F5 Networks Technical Support, and
probably is of limited value for non-F5 personnel.

backend_<nnnn>.html
Messages representing the request and response exchange between the FirePass
controller and the web server, containing the request for the page and the
content before the Web Applications engine parses it.

backend_<nnnn>.(gif | jpg | ...)
Images referenced in the associated backend_<nnnn>.html file, received by the
FirePass controller from the application's web server.

frontend_<nnnn>.html
Messages representing the request and response exchange between the FirePass
controller and the client requesting the page. This is the data from the
application's web server accessed by the user session, after the FirePass
controller has processed it and added state-change information.

frontend_<nnnn>.(gif | jpg | ...)
Images referenced in the associated frontend_<nnnn>.html file, sent to the client
by the FirePass controller.

https.extra-error_log
Messages from the web applications modules on the FirePass controller itself.
Content in these files is intended for use by F5 Networks Technical Support, and
probably is of limited value for non-F5 personnel.

index.html
Content that formats the data for presentation in a browser window. Each file
represents one specific client request. The .zip file contains one summary
index.html, and one index.html file representing each client request in the
trace. After extraction, you can find the summary file in the root extraction
directory, and each client-request specific file in its associated directory.

log.html
Data that the content processing engine and content processing scripts changed.
This is a commented list of the reverse-proxy actions the FirePass controller
performed on the associated client request.
Each of the files in the client request directory is associated with one
specific client request.
The browser loads these files into different frames in the window,
depending on how you open the files. For more information, see Analyzing
Web Applications engine traces, on page 13-5.
For more information about the extracted Web Applications engine trace
files, see Understanding trace files, on page 13-3.
You can also open these files in any text editor.
Tip
We recommend using Internet Explorer as the browser because it shows
data with additional highlighting that can help you as you debug the
problem.
Once you have made this comparison, and located the point where controller
processing stops, you can use this information to find and fix several types
of problems.
Using the Web Applications content cleaning feature to fix HTML syntax errors
If you cannot correct the syntax error on the source HTML page, you can
use the FirePass controller content cleaning feature to fix the syntax error.
The content cleaning feature only works on HTML and plain text.
Tip
For a faster way to test content cleaning, type the complete URL of the web
application page into the text box under Test Content Processing Settings,
and click the Test button. This runs content cleaning on the page, and
returns four pieces of data: original URL source, content cleaning warnings
and errors, modified URL source, and modified URL source difference.
Using Web Applications content processing scripts to fix HTML syntax errors
If the problem continues after you use the content cleaning feature, you can
create a SED script to fix specific HTML errors dynamically. SED is a
scripting language that you can use to locate a pattern in an incoming web
page, and modify the match before sending the web page to the client. For
Note
The web applications module processes the list of content processing scripts
until it finds a match. After that, it stops examining scripts. To replace
several things on one page, you must replace all content in a single content
processing script.
JavaScript restrictions
Web pages can have JavaScript programs embedded in them. Sometimes
JavaScript programs have requirements that do not work inside a FirePass
controller Web Application connection.
For example, if a JavaScript program tests URLs to verify that they begin
with http://, this can cause a problem for a Web Application connection
because every URL that goes through the connection goes over a secure
connection, and a secure connection requires that URLs start with https://.
If you identify a JavaScript problem caused by a requirement such as this,
you can use a SED script to modify the JavaScript. Or, you can use
Application Access (App Tunnels) or Network Access instead of a Portal
Access connection.
For more information about Java script issues, see Scanning for embedded
script code, on page 7-44.
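As an added example (not code from the F5 manual), the following shell wrapper applies a sed content-processing script of the kind described above to a constructed page fragment. It rewrites two common JavaScript scheme checks so that they accept https:// as well as http://, which is what every Portal Access URL uses. Both substitutions sit in one script because, as the note above says, the engine stops at the first matching content-processing script. The variable and method names in the sample are assumptions about typical application code; adapt the patterns to what your trace shows.

```shell
#!/bin/sh
# Added example, not from the FirePass manual: a sed content-processing
# script that relaxes JavaScript "must start with http://" checks so they
# also accept https://, which every Portal Access URL uses.
# The JavaScript patterns matched below are assumptions about typical
# application code; adapt them to what the trace shows.

# Apply both rewrites in a single script (the engine stops after the
# first matching content-processing script).
fix_scheme_checks() {
  sed \
    -e 's/\([A-Za-z_][A-Za-z0-9_.]*\)\.indexOf("http:\/\/") *!= *0/!\/^https?:\\\/\\\/\/.test(\1)/g' \
    -e 's/\([A-Za-z_][A-Za-z0-9_.]*\)\.substring(0, *7) *== *"http:\/\/"/\/^https?:\\\/\\\/\/.test(\1)/g'
}

# Constructed sample of the JavaScript a traced page might contain.
SAMPLE_JS='if (url.indexOf("http://") != 0) { alert("Only http URLs are supported"); }
if (link.href.substring(0, 7) == "http://") { open(link.href); }'

printf '%s\n' "$SAMPLE_JS" | fix_scheme_checks
```

Each substitution captures the expression being tested (`url`, `link.href`) and replaces the whole comparison with a regular-expression test, so the rewritten page keeps its control flow and only the scheme assumption changes.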
For detailed instructions on how to identify and respond to specific
problems you encounter, see Solution SOL3084 on the Ask F5 technical
support site.
A
How-To Examples
Note
Although each section can stand alone, the more complex scenarios might
require existing knowledge. In that case, the content points you to either the
appropriate sections in this guide, or pages in the FirePass controller
online help.
3. In the New Sequence section in the Create new sequence box, type
Google Desktop Check.
4. From the Based on list, select template: Empty.
The screen should look similar to Figure A.2, on page A-4.
5. Click Create.
6. Under Select Sequence to Use, click the edit link for Google
Desktop Check.
The visual policy editor opens, as shown in Figure A.3.
Figure A.3 The visual policy editor, for creating pre-logon sequences
Figure A.4 Cursor positioned on the connecting line, with Add Action
button visible
Figure A.5 The visual policy editor after adding the Check for Google Desktop action.
The Check for Google Desktop action contains a predefined rule that, by
default, prevents access to users running Google Desktop Search. The rule
uses the value returned from the check operation to determine access. To
open the rule, click the link named Click here to show rules. The Edit rules
area opens, as shown in Figure A.6.
Figure A.6 The visual policy editor with the Edit rules section open
Tip
You can force Google Desktop Search to close but still allow logon by
changing the end page to Logon Allowed Page.
You can click the Inspector Details button next to Checks for presence
of Google Desktop Search product under Inspectors in the Edit Action
panel to open the details page, as shown in Figure A.7.
Informing users of the reason that they are prevented from logging on helps
them correct the condition and try logging on again. The next step guides
you through the process of creating a logon-denied message.
Figure A.8 The End Page Properties panel open in the visual policy editor
2. Into the Message for failed logons box, type the following text for
the message:
The FirePass controller cannot log you on because you
have Google Desktop Search running. Halt the software and
try logging on again.
Figure A.9 Pre-Logon Sequence screen with Google Desktop Check selected and applied
You have created a pre-logon sequence that checks for and prevents logon
by users running Google Desktop Search. As long as you keep the Google
Desktop Check pre-logon sequence selected, users who are running Google
Desktop Search cannot log on to the associated FirePass controller.
3. Under the New Sequence section, in the Create new sequence box,
type Corporate Access Check.
4. From the Based on list, select template : Empty.
5. Click Create.
6. Under Select Sequence to Use, click the edit link for Corporate
Access Check.
The visual policy editor opens, as shown in Figure A.11.
Figure A.11 The visual policy editor, for creating pre-logon sequences
Figure A.12 Cursor positioned on the connecting line, with Add Action
button visible
Figure A.13 The visual policy editor after adding the Check OS action
The default Check OS action denies access to users logging on using the
associated operating systems.
Informing users of the reason that they are prevented from logging on helps
them correct the condition and try logging on again. The next step guides
you through the process of creating a logon-denied message.
Figure A.14 The END PAGE PROPERTIES panel with the logon-denied message for Windows 9.x users
Figure A.15 The UPDATE RULE panel for the Windows NT Based action
You can find a complete set of the session variables generated by inspectors
for action rule expressions in the online help for Users : Endpoint Security :
Pre-Logon Sequence.
Figure A.16 Cursor positioned on the connecting line, with Add Action
button visible
Figure A.17 The visual policy editor after adding the Show Virtual Keyboard action
Now, any users who are running Windows NT or Windows 2000 must use
the virtual keyboard to enter their password when they log on to the FirePass
controller.
Rule 3: Allow logons only from Windows XP, Linux, Pocket PC,
and Macintosh computers that have a valid certificate
Next, we want to allow logon only when the connecting client runs one of a
specified set of operating systems and presents the required client
certificate. To accomplish that, we use the subsequence feature in the visual
policy editor.
Figure A.18 The visual policy editor with the SUBSEQUENCES panel open
Figure A.19 The visual policy editor after adding the certificate check subsequence
Note
You must configure and enable client certificate checking before the
FirePass controller can request and check users’ client certificates. For
more information, see Setting up client-certificate-based authentication, on
page 2-85.
Figure A.20 Cursor positioned on the connecting line, with Add Action
button visible
Figure A.21 The visual policy after adding the Check client certificate action to the subsequence
Figure A.22 The subsequence after changing the final action to Logon Allowed Page.
Informing users of the reason that they are prevented from logging on helps
them correct the condition and try logging on again. The next step guides
you through the process of creating a logon-denied message.
Figure A.23 The END PAGE PROPERTIES panel with the logon-denied message for users without valid
certificates
Figure A.24 Cursor positioned on the connecting line, with Add Rule
button visible
Next, we map the Windows XP, Linux, Pocket PC, and Mac OS rules to the
Certificate Check subsequence, starting with Windows XP.
Figure A.26 Cursor positioned on the connecting line, with Add Action
button visible
7. Repeat the steps in this procedure to map Linux, Pocket PC, and
Mac OS to the subsequence.
The final Corporate Access Check pre-logon sequence screen
should appear similar to Figure A.28, on page A-26.
Figure A.28 The final visual policy editor for the Corporate Access Check pre-logon sequence
Figure A.29 The Pre-Logon Sequence screen with Corporate Access Check selected and applied
You have now completed creating a pre-logon sequence that checks for and
prevents logon by users running Windows 95, Windows 98, and Windows
Me, requires virtual keyboard for logon from Windows NT- and Windows
2000-based clients, and requires a valid certificate for logon from Windows
XP, Linux, Pocket PC and Macintosh computers.
Tip
You can modify any pre-logon sequence to contain different functionality. If
you do, you should also change the sequence name to reflect any changes
you make. You can change the name by selecting the sequence from the
Rename sequence box, typing the new name, and clicking the Rename
button.
Glossary
action
In the pre-logon sequence editor, an action, depicted by a rectangle, is an
ordered set of rules for evaluating a remote system. Each action invokes one
or more inspectors. The action then uses rules to test the inspectors’
findings.
action pane
The action pane is the pane in the visual policy editor where you can type a
description for the action, add and modify the action’s inspectors, and define
rules for the action to use.
Active Directory
The Active Directory is a network structure supported by Windows® 2000,
or later, that provides support for tracking and locating any object on a
network.
Administrative Console
The Administrative Console is the browser-based application that you use to
configure the FirePass controller.
Application Access
Application Access is a FirePass controller feature that provides remote
users with web-based remote access to email servers, intranet servers, file
servers, terminal services, and legacy mainframe, character-based, terminal
applications. See also Network Access and Portal Access.
App Tunnel
An App Tunnel is a secure, application-level TCP/IP connection from the
client to a specific set of IP addresses and ports on the network.
authentication
Authentication is the process of verifying the identity of a user logging on to
a network.
authorization
Authorization is the process of determining which resources, applications,
and network shares an authenticated user is permitted to access.
certificate
A certificate is an online credential signed by a trusted certificate authority
and used for SSL network traffic as a method of authentication.
client certificate
A client certificate enables the FirePass controller to verify the identity of a
user’s computer, and to control access to specific resources, applications,
and files.
client components
A client component is a control downloaded from the FirePass controller
that enables the various features of FirePass controller functionality.
clientless mode
Clientless mode is an endpoint security mode that the FirePass controller
uses, when the inspection process for a client does not download any
controls or plug-ins. In clientless mode, the endpoint security process
inspects HTTP headers to gather information.
cluster
A cluster is a group of FirePass controller nodes that provide common user
services, and can distribute the load of active sessions across all controllers
in the cluster. See also cluster node, primary node, and secondary node.
cluster node
A cluster node represents one station in a cluster, and can consist of a single
FirePass controller, or a redundant system. See also cluster, primary node,
redundant system, and secondary node.
domain name
A domain name is a unique name that is associated with one or more IP
addresses. Domain names are used in URLs to identify particular Web
pages. For example, in the URL http://www.siterequest.com/index.html,
the domain name is siterequest.com.
dynamic tunnel
A dynamic tunnel is a connection that the FirePass controller establishes to a
set of dynamically determined IP addresses and ports, in response to an
application request. See also tunnel and static tunnel.
endpoint security
Endpoint security is a centrally managed method of monitoring and
maintaining client-system security. See also pre-logon sequence, protected
configuration, and resource protection.
failover
Failover is the process whereby a standby unit in a redundant system takes
over when a software failure or a hardware failure is detected on the active
unit. See also active controller/active unit and standby controller/standby
unit.
failover pair
See redundant system.
favorite
A favorite is a webtop link defined by the FirePass controller administrator
or the user that contains all of the information needed for the client
computer to access a location, file share, or application on the company
network. See also webtop.
FIPS compliant
Federal Information Processing Standards (FIPS) are publicly announced
standards developed by the U.S. Federal government for use by all
(non-military) government agencies and by government contractors. The
FirePass controller can be configured with FIPS 140-compliant encryption
hardware, which stores all certificates and private keys in the FIPS hardware
so that the keys never leave it in clear form.
FQDN
See fully qualified domain name.
Full Access
Full Access is the realm that gives superusers complete access to
realm-configuration. See also realm administrator and superuser.
group mapping
See dynamic group mapping.
heartbeat
The heartbeat is an activity-indicator signal that the active controller sends
to notify the standby controller that the active controller is running. See
also active controller/active unit and standby controller/standby unit.
high availability
High availability is the process of ensuring access to resources despite any
failures or loss of service in the setup. For hardware, high availability is
ensured by the presence of a redundant system. See also redundant system.
inspector
An inspector is an ActiveX control or Java plug-in that gathers information
about the user’s computer, evaluating factors such as the presence of viruses
or antivirus software, operating system version, running processes, and
others.
interface
A physical port on an F5 system is called an interface.
IP address
An IP address (Internet Protocol address) is a unique number that identifies
a single device and enables it to use the Internet Protocol standard to
communicate with another device on a network. See also self IP address and
virtual IP address.
IPsec
IPsec (Internet Protocol Security) is a communications protocol that
provides security for the network layer of the Internet without imposing
requirements on applications running above it.
load balancing
The process the primary node uses to distribute user sessions among all the
nodes in the cluster is called load balancing. See also cluster and primary
node.
Maintenance Console
The Maintenance Console is a utility that provides administrative access to
the FirePass controller. You can access the Maintenance Console from the
Administrative Console or from a workstation that is directly connected to
the FirePass controller.
Management interface
The Management interface is a port on the FirePass 4100 and 4300 models
that is intended solely for administrative operations performed from a
workstation that is directly connected to the FirePass controller.
master group
A master group is a collection of users that contains authentication settings,
overall security configuration settings for groups of users, network access
filtering policies, user experience, and user accounts.
name resolution
Name resolution is the process by which a name server matches a domain
name request to an IP address, and sends the information to the client
requesting the resolution.
Network Access
Network Access is a FirePass controller feature that provides secure access
to corporate applications and data using a standard web browser. See also
Portal Access and Application Access.
network configuration
Network configuration is the process of setting up the FirePass controller’s
web services on network interfaces. See also web service.
port
A port is a number that is associated with a specific service supported by a
host.
Portal Access
Portal Access is a FirePass controller feature that provides users access to
network resources without requiring the download of any controls to the
client machine. See also Network Access and Application Access.
pre-logon sequence
A pre-logon sequence defines a set of actions that need to be taken in order
to evaluate the client system or device.
primary node
The primary node in a cluster (also known as the master) first handles
incoming connections, and then redirects each session to an available
secondary node, or services the connection itself. The primary node
maintains configurations for all user groups and user resources the cluster
supports. See also cluster, cluster node, load balancing, and secondary
node.
protected configuration
A protected configuration is a collection of safety measures or checks that
guard the connection and client system against various kinds of attacks or
threats. The protected configuration takes information gathered by the
pre-logon sequence and instructs the system to respond based on the result.
protected workspace
The protected workspace is a temporary user environment, containing a new
temporary folder, Desktop folder, My documents folder, and some
temporary registry keys. When the user returns from the protected
workspace, the system deletes all temporary files and keys.
Quick Setup
The Quick Setup wizard is a program that you can run from the
Administrative Console that guides you through the initial configuration
tasks for the FirePass controller.
realm
A realm is a complete set of roles, master groups, and resource groups.
realm administrator
Realm administrators are users who can create their own hierarchy of access
to the groups and resources inside their realm. In a typical setup, the master
and resource groups of one realm are not accessible to administrators of
another realm, although superusers or realm administrators can grant access
across realms. See also superuser.
redundant system
Redundant system refers to a pair of units that are configured for failover. In
a redundant system, there are two units, one running as the active unit and
one running as the standby unit. If the active unit fails, the standby unit takes
over and manages connection requests.
resource
A resource is an application, a file, or a server on your network to which you
want users to have secure access.
resource group
A resource group is a collection of resources, access control lists, and
protection criteria, which includes your company intranet servers,
applications, and network shares.
resource protection
Resource protection is the process of using a defined protected configuration
to protect a set of resources. See also protected configuration.
rule
Rules test the inspectors’ findings about a client system. The order of rules
in a pre-logon sequence determines the flow of action.
sandbox
The WebDAV sandbox is a directory you can enable on the FirePass
controller. In this directory you can place any content that you want to
reference on user screens, and you can create specific files to modify the
user experience.
secondary node
Each secondary node in a cluster (also known as a slave) services user
sessions as requested by the primary node, and independently maintains its
own network configuration. See also cluster, cluster node, load balancing,
and primary node.
self IP address
A self IP address is an IP address that uniquely identifies each FirePass
controller interface or VLAN interface. See also IP address and virtual IP
address.
sequence
See pre-logon sequence.
server certificate
A server certificate verifies the server's identity to a user's computer.
session variable
A session variable contains a number or string that represents a specific
piece of information about the client system, the FirePass controller, or
another piece of information.
signup template
A signup template is a form that the FirePass controller presents to users at
initial logon time that automatically adds the user to the group on the
external server.
snapshot
A snapshot is a compressed set of files that represent the FirePass
controller’s system settings. You can create and restore a snapshot using the
Maintenance Console. See also Maintenance Console.
split tunneling
Split tunneling is a configuration that sends through the Network Access
tunnel or App Tunnel only the traffic destined for the specified addresses;
all other client traffic goes directly to its destination and bypasses the
tunnel. Traffic that bypasses the tunnel is not inspected or protected by the
FirePass controller.
static tunnel
A static tunnel is a connection that the FirePass controller establishes to a
specific set of IP addresses and ports on the network when the user clicks a
favorite, before the application starts. See also tunnel and dynamic tunnel.
strong password
A strong password is one that is difficult for both humans and computer
programs to guess, and so effectively protects data from unauthorized
access. A strong password typically consists of a minimum number of
alphanumeric characters of differing case as well as certain punctuation
characters.
subsequence
Subsequences are defined sets of actions that run when processing
encounters a branch in the pre-logon sequence. See also pre-logon sequence.
superuser
Superusers are users who have cross-realm access to all groups and features.
A superuser creates realm administrators, upgrading them from FirePass
controller users, and delegating full or restricted access to FirePass
controller functionality or groups. See also realm administrator.
synchronization
Synchronization is the process used by the primary node to synchronize data
with the secondary nodes of a cluster. See also cluster, primary node, and
secondary node.
terminal server
A terminal server is a connection to a Microsoft Terminal Server, Windows
XP® desktop, Citrix MetaFrame® server, or VNC server.
trace
The trace feature provides an easy way for you to capture logs of user
sessions through the Web Applications feature of Portal Access.
tunnel
A tunnel is a secure connection between computers or networks over a
public network.
virtual host
In the FirePass controller context, a virtual host means the domain name or
IP address that users specify when logging on to a web service you create on
a virtual IP. See also virtual IP address.
virtual IP address
A virtual IP address is an IP address that identifies a virtual (that is,
non-physical) network location. The FirePass controller uses virtual IP
addresses for redundant systems. See also IP address, redundant system,
and self IP address.
webifyer
A webifyer is a FirePass controller feature that uses a browser to provide
nonbrowser-based application functionality. The FirePass controller uses
webifyers to present the Portal Access applications Windows Files and
Mobile E-Mail, as well as the Application Access applications Legacy
Hosts, Terminal Servers, and more.
web service
In the FirePass controller context, a web service is a configured listener
(an IP address, a port, and the associated server certificate) on a network
interface, through which users and administrators connect to the controller
and through which cluster and failover synchronization traffic is carried.
See also network configuration and virtual host.
webtop
The webtop is the user’s home page, which contains links that are
configured as favorites for that user’s master group. Along the left side of
the webtop are icons representing various functionality. Depending on how
the webtop is configured, users may be able to add their own favorites by
clicking an icon and adding links.
Index
Z
zero-click logon 2-89