This chapter provides configuration tasks specific to the Portal tab on the SonicWALL SSL VPN Web-based management interface, including configuring portals, assigning portals, and defining authentication domains, such as RADIUS, NT Domain, LDAP, and Active Directory.
This chapter contains the following sections:
This section provides information about the configuration tasks in the Portals > Portals page. The Portals > Portals page allows the administrator to add and configure portals by specifying the layout and home page. This section contains the following configuration tasks:
The administrator can customize a portal that appears as a customized landing page to users when they are redirected to the SonicWALL SSL VPN for authentication.
The network administrator may define individual layouts for the portal. The layout configuration includes the menu layout, the portal pages to display, the portal application icons to display, and Web cache control options.
A default portal is the LocalDomain portal. Additional portals can be added and modified.
Table 14 provides a description of the fields you may configure in the Portal - Layout tab. Refer to “Configuring General Portal Settings” section for the specific steps required to configure a custom portal.
There are two main options for configuring a portal:
To configure a new portal, perform the following steps:
Step 1. Enter a descriptive name for the portal in the Portal Name field. This name will be part of the path of the SonicWALL SSL VPN appliance portal URL. For example, if your SonicWALL SSL VPN portal is hosted at https://vpn.company.com, and you created a portal named sales, then users will be able to access the sub-site at https://vpn.company.com/portal/sales.
Step 5. The Portal URL field is automatically populated based on your SSL VPN network address and Portal Name.
Step 7. Check the box next to Enable HTTP meta tags for cache control to apply HTTP meta tag cache control directives to the portal. Cache control directives include:
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">
These directives help prevent client browsers from caching SonicWALL SSL VPN portal pages and other Web content.
Step 8. Check the box next to Enable ActiveX Web cache cleaner to load an ActiveX cache control when users log in to the SonicWALL SSL VPN appliance. The Web cache cleaner will prompt the user to delete all session temporary Internet files, cookies and browser history when the user logs out or closes the Web browser window. The ActiveX Web cache control is ignored by Web browsers that don’t support ActiveX.
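A way to verify that a portal page really carries the three cache-control directives from Step 7 above, as an added example (not SonicWALL code): it parses the meta http-equiv tags and, because such tags only govern the HTML page itself, also accepts the equivalent HTTP response headers. The sample pages are constructed; the real page body and headers would come from whatever HTTP client you fetch the portal with.

```python
"""Check a portal page for the cache-control directives described in Step 7.
Added example, not SonicWALL code; sample pages below are constructed."""
from html.parser import HTMLParser

# The three (http-equiv, content) pairs the portal emits when the option is on.
REQUIRED = {
    ("pragma", "no-cache"),
    ("cache-control", "no-cache"),
    ("cache-control", "must-revalidate"),
}


class MetaCollector(HTMLParser):
    """Collect (http-equiv, token) pairs from <meta> tags in the document."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {name: (value or "") for name, value in attrs}
        if "http-equiv" not in a:
            return
        key = a["http-equiv"].strip().lower()
        # A content value may carry several tokens: "no-cache, must-revalidate".
        for token in a.get("content", "").split(","):
            self.directives.add((key, token.strip().lower()))


def meta_directives(html):
    parser = MetaCollector()
    parser.feed(html)
    return parser.directives


def header_directives(headers):
    """Same normalisation for real HTTP response headers (names are case-insensitive)."""
    found = set()
    for name, value in headers.items():
        key = name.strip().lower()
        if key in ("pragma", "cache-control"):
            for token in value.split(","):
                found.add((key, token.strip().lower()))
    return found


def missing_directives(html, headers=None):
    """Return the REQUIRED directives found in neither the meta tags nor the headers."""
    present = meta_directives(html) | header_directives(headers or {})
    return sorted(REQUIRED - present)


# Constructed sample: a portal page with the option enabled ...
GOOD_PAGE = """<html><head>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">
<title>Portal</title></head><body>Welcome</body></html>"""
# ... and one with it disabled.
BAD_PAGE = "<html><head><title>Portal</title></head><body>Welcome</body></html>"
```

An empty list from missing_directives means the page (or its headers) carries all three directives; anything returned is what the browser is still free to cache.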
Login uniqueness, when enforced, restricts each account to a single session at a time. When login uniqueness is not enforced, each account can have multiple, simultaneous, sessions. To enforce login uniqueness, perform the following steps:
The home page is an optional starting page for the SonicWALL SSL VPN appliance portal. The home page enables you to create a custom page that mobile users will see when they log into the portal. Because the home page can be customized, it provides the ideal way to communicate remote access instructions, support information, technical contact information or SSL VPN-related updates to remote users.
The home page is well-suited as a starting page for restricted users. If mobile users or business partners are only permitted to access a few files or Web URLs, the home page can be customized to show only those links.
You can edit the title of the page, create a home page message that is displayed at the top of the page, show all applicable bookmarks (user, group, and global) for each user, and optionally upload an HTML file.
To configure the home page, perform the following tasks:
Step 4. Table 15 provides a description of the configurable options in the Portal - Home Page tab.
Note: Some ActiveX applications, such as the ActiveX Terminal Services client, will only work when connecting to a server with a certificate from a trusted root authority. If you are using the test SSL certificate that is included with the SonicWALL SSL VPN appliance, then you can check the Display Import self-signed certificate links check box to allow Windows users to easily import a self-signed certificate.
It is strongly recommended that you upload a valid SSL certificate from a trusted root authority such as Verisign or Thawte. If you have a valid SSL certificate, don’t check the box next to Display Import self-signed certificate links.
Step 5. Click OK to update the home page content.
Creating a virtual host allows users to log in using a different hostname than your default URL. For example, sales members can access https://sales.company.com instead of the default domain, https://vpn.company.com, that you use for administration. The Portal URL (for example, https://vpn.company.com/portal/sales) will still exist even if you define a virtual host name. Virtual host names enable administrators to give separate and distinct login URLs to different groups of users. This option is only available on the SonicWALL SSL VPN 2000 and 4000 platforms.
To create a Virtual Host Domain Name, perform the following tasks:
Step 5. Select a specific Virtual Host Interface for this portal if using IP-based virtual hosting.
The Custom Logo Settings section allows the administrator to upload a custom portal logo and to toggle between the default SonicWALL logo and a custom uploaded logo.
To add a custom portal logo, perform the following steps:
Step 4. Click the Browse... button next to the Upload Logo field. The file browser window displays.
Step 6. Click the Upload button to transfer the logo to the SSL VPN appliance.
NetExtender can be configured to start automatically when a user logs into the user portal. To enable NetExtender to launch automatically, perform the following tasks:
Step 3. In the Portal page, select the Home Page tab.
The Java File Shares Applet option provides users with additional functionality not available in standard HTML-based file sharing, including:
To create a Virtual Host Domain Name, perform the following tasks:
Step 5. Check the Use Applet as Default check box.
For most SonicWALL SSL VPN administrators, a plain text home page message and a list of links to network resources is sufficient. For administrators who want to display additional content on the user portal, review the following information:
This section provides information about the configuration tasks in the Portal > Domains page. The Portal > Domains page allows the administrator to add and configure a domain by selecting:
This section contains the following configuration tasks:
In order to create access policies, you must first create authentication domains. By default, the LocalDomain authentication domain is already defined. The LocalDomain domain is the internal user database. Additional domains may be created that require authentication to remote authentication servers. SonicWALL SSL VPN supports RADIUS, LDAP, NT Domain, and Active Directory authentication in addition to internal user database authentication.
You may create multiple domains that authenticate users with user names and passwords stored on the SonicWALL SSL VPN appliance to display different portals (such as a SonicWALL SSL VPN portal page) to different users.
To add a new authentication domain, perform the following steps:
Step 2. Click Add Domain. The Add Domain dialog box displays. Select Local User Database from the Authentication Type pull-down menu.
Step 5. Optionally, check the Allow password changes checkbox. This allows users to change their own passwords after their account is set up.
Step 6. Optionally check the check box next to Require client digital certificates to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication.
Step 8. Click Submit to update the configuration. The domain is then added to the Domain Settings table.
To create a domain with RADIUS authentication, perform the following steps:
Step 1. On the Portal > Domains page, click Add Domain to display the Add Domain dialog box.
Step 2. Select RADIUS from the Authentication Type menu. The RADIUS configuration fields are displayed. Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users will select in order to log into the SonicWALL SSL VPN appliance portal.
Step 3. Select the proper Authentication Protocol for your RADIUS server. Choose from PAP, CHAP, MSCHAP, or MSCHAPV2.
Step 4. Under Primary Radius Server, enter the IP address or domain name of the RADIUS server in the RADIUS Server Address field.
Step 9. Under Backup Radius Server, enter the IP address or domain name of the backup RADIUS server in the RADIUS Server Address field.
Step 14. Optionally check the box next to Require client digital certificates to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication.
Step 16. Click Add to update the configuration. The domain will be added to the Domain Settings table.
Step 19. Click Test. SonicWALL SSL VPN will connect to your RADIUS server.
Step 20. If you receive the message Server not responding, check your user ID and password and click the General tab to verify your RADIUS settings. Try running the test again.
Note: The SonicWALL SSL VPN appliance will attempt to authenticate against the specified RADIUS server using PAP authentication. It is generally required that the RADIUS server be configured to accept RADIUS client connections from the SonicWALL SSL VPN appliance. Typically, these connections will appear to come from the SonicWALL SSL VPN’s X0 interface IP address. Refer to your RADIUS server documentation for configuration instructions.
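Since the Test button uses PAP, this added example (not SonicWALL code) shows what a RADIUS client such as the appliance puts on the wire: the User-Password attribute is hidden with the MD5 keystream of RFC 2865 section 5.2 and wrapped in an Access-Request, and the server-side reversal is included so the round trip can be checked. The shared secret, user name and password are constructed values.

```python
"""RADIUS PAP User-Password hiding (RFC 2865 section 5.2) and a minimal
Access-Request. Added example, not SonicWALL code; values are constructed."""
import hashlib
import os
import struct


def hide_password(secret, authenticator, password):
    """Hide the PAP password: each 16-byte block is XORed with an MD5 keystream.

    The first block uses MD5(secret + Request Authenticator); every following
    block uses MD5(secret + previous ciphertext block)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16n with NULs
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(secret, authenticator, hidden):
    """Server side: undo the hiding and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(secret, username, password, ident=1, authenticator=None):
    """Build an Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    authenticator = authenticator or os.urandom(16)  # fresh random 16 bytes per request
    attrs = b""
    for attr_type, value in ((1, username), (2, hide_password(secret, authenticator, password))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    # Header: code, identifier, total length, then the Request Authenticator.
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    pkt = access_request(SECRET, b"alice", b"correct horse battery")
    print(len(pkt), "byte Access-Request:", pkt.hex())
```

Because anyone holding the shared secret can reverse this hiding from a captured packet, PAP domains depend on a strong secret and a trusted path between the appliance's X0 interface and the RADIUS server; this is also why the RADIUS server is configured to accept only known client addresses.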
To configure NT Domain authentication, perform the following steps:
Step 1. On the Portal > Domains page, click Add Domain to display the Add Domain dialog box.
Step 2. Select NT Domain from the Authentication Type menu. The NT Domain configuration fields will be displayed. Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name selected by users when they authenticate to the SonicWALL SSL VPN appliance portal. It may be the same value as the NT Domain Name.
Step 6. Click Add to update the configuration. The domain is then added to the Domain Settings table.
To configure LDAP authentication, perform the following steps:
Step 1. Click Add Domain to display the Add New Domain dialog box.
Step 2. Select LDAP from the Authentication Type menu. The LDAP domain configuration fields are displayed. Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users will select in order to log into the SonicWALL SSL VPN appliance user portal. It can be the same value as the Server Address field.
Note: When entering Login Username and Login Password, remember that the SSL VPN appliance binds to the LDAP tree with these credentials and users can log in with their sAMAccountName.
Step 7. Optionally check the box next to Allow password changes (if allowed by LDAP server). This option, if allowed by your LDAP server, will enable users to change their LDAP password during an SSL VPN session.
Step 8. Optionally check the box next to Require client digital certificates if you want to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication.
Step 9. Optionally check the box next to One-time passwords to enable the One-time password feature. A pull-down menu will appear, in which you can select if configured, required for all users, or using domain name. The LDAP e-mail attribute pull-down menu will appear, in which you can select mail, userPrincipalName, or custom. For more information about configuring the One-time password feature using LDAP, refer to “Configuring One-time Passwords” section.
Step 10. Click Submit to update the configuration and add the domain to the Domain Settings table.
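The Note above describes the usual two-step LDAP pattern: bind with the service credentials, then look the user up by the sAMAccountName they typed at the portal. This added example (not SonicWALL code) shows the one part of that lookup that matters for security, building the search filter with the user-supplied value escaped per RFC 4515 and rejected when it cannot be a valid sAMAccountName; the bind and search call against a real server are left to the caller.

```python
"""Build the LDAP search filter that maps a portal login name to a directory
entry, with RFC 4515 escaping of the user-supplied value.
Added example, not SonicWALL code."""

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Characters Microsoft does not allow in a sAMAccountName (pre-Windows 2000 logon name).
_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(login_name, attribute="sAMAccountName"):
    """Return the filter that selects the user account for a portal login name.

    The value is validated against sAMAccountName rules (1..20 characters, no
    forbidden or control characters) and then escaped, so a login such as
    'jdoe)(cn=x' can never alter the filter's structure."""
    if not login_name or len(login_name) > 20:
        raise ValueError("login name must be 1..20 characters")
    if any(c in _FORBIDDEN or ord(c) < 32 for c in login_name):
        raise ValueError("login name contains characters not allowed in a sAMAccountName")
    return "(&(objectClass=user)(%s=%s))" % (attribute, escape_filter_value(login_name))


if __name__ == "__main__":
    # Constructed login names: a plain one and one containing parentheses.
    for name in ("jdoe", "j(doe)"):
        print(name, "->", user_search_filter(name))
```

The attribute parameter covers the userPrincipalName case the One-time password settings mention; the escaping is the same for any attribute.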
To configure Windows Active Directory authentication, perform the following steps:
Step 1. Click Add Domain to display the Add Domain dialog box.
Note: Of all types of authentication, Active Directory authentication is the most sensitive to clock skew, that is, differences in time between the SonicWALL SSL VPN appliance and the Active Directory server against which it is authenticating. If you are unable to authenticate using Active Directory, refer to “Active Directory Troubleshooting” section.
Step 2. Select Active Directory from the Authentication type pull-down menu. The Active Directory configuration fields will be displayed. Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users will select in order to log into the SonicWALL SSL VPN appliance portal. It can be the same value as the Server Address field or the Active Directory Domain field, depending on your network configuration.
Step 6. You may optionally check the box next to Require client digital certificates if you want to require the use of client certificates for login. By checking this check box, you require the client to present a client certificate for strong mutual authentication. The CNAME of the client certificate must match the user name that the user supplies to log in, and the certificate must be generated by a certificate authority (CA) that is trusted by the SonicWALL SSL VPN appliance.
Step 8. Click Apply to update the configuration. The domain is then added to the Domain Settings table.
If your users are unable to connect using Active Directory, verify the following configurations:
• The time settings on the Active Directory server and the SonicWALL SSL VPN appliance must be synchronized. Kerberos authentication, used by Active Directory to authenticate clients, permits a maximum 15-minute time difference between the Windows server and the client (the SonicWALL SSL VPN appliance). The easiest way to solve this issue is to configure Network Time Protocol on the System > Time page of the SonicWALL SSL VPN Web-based management interface and check that the Active Directory server has the correct time settings.
All of the configured domains are listed in the Domain Settings table in the Portal > Domains window. The domains are listed in the order in which they were created.
To delete a domain, click the trash can icon next to the domain to delete from the Domain Settings table. Once the SonicWALL SSL VPN appliance has been updated, the deleted domain will no longer be displayed in the Domain Settings table.
(Supported only on the SonicWALL SSL VPN 2000 and 4000 appliances.) Two-factor authentication is an authentication method that requires two independent pieces of information to establish identity and privileges. Two-factor authentication is stronger and more rigorous than traditional password authentication that only requires one factor (the user’s password).
For more information on how two-factor authentication works see “Two-Factor Authentication Overview” section.
SonicWALL’s implementation of two-factor authentication partners with two of the leaders in advanced user authentication: RSA and VASCO. If you are using RSA, you must have the RSA Authentication Manager and RSA SecurID tokens. If you are using VASCO, you must have the VASCO VACMAN Middleware and Digipass tokens.
To configure two-factor authentication, you must first configure a RADIUS domain. For information see “Configuring RADIUS Authentication” section.
The following sections describe how to configure the supported third-party authentication servers:
The following sections describe how to configure the RSA Authentication Manager version 6.1 to perform two-factor authentication with your SonicWALL SSL VPN appliance:
If you will be using VASCO instead of RSA, see “Configuring the VASCO VACMAN Middleware”.
To establish a connection between the SSL VPN appliance and the RSA Authentication Manager, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the SSL VPN appliance within that database and contains information about communication and encryption.
To create the Agent Host record for the SSL VPN appliance, perform the following steps:
Step 2. On the Agent Host menu, select Add Agent Host.
Step 5. Select Communication Server in the Agent type window.
Step 6. By default, the Enable Offline Authentication and Enable Windows Password Integration options are enabled. SonicWALL recommends disabling all of these options except for Open to All Locally Known Users.
After you have created the Agent Host record, you must add the SonicWALL SSL VPN to the RSA Authentication Manager as a RADIUS client. To do so, perform the following steps:
Step 2. Expand the RSA RADIUS Server Administration tree and select RADIUS Clients.
Step 3. Click Add. The Add RADIUS Client window displays.
Step 7. Click OK and close the RSA RADIUS Manager.
Because two-factor authentication depends on time synchronization, it is important that the internal clocks of the RSA Authentication Manager and the SSL VPN appliance are set correctly.
After you have configured the RSA Authentication Manager to communicate with the SonicWALL SSL VPN appliance, you must import tokens and add users to the RSA Authentication Manager. To do so, perform the following steps.
Step 3. The Import Status window displays information on the number of tokens imported to the RSA Authentication Manager.
Step 7. Select either Allowed to Create a PIN or Required to Create a PIN. Allowed to Create a PIN gives users the option of either creating their own PIN or having the system generate a random PIN. Required to Create a PIN requires the user to create a PIN.
Step 10. Click OK in the Edit User window. The user is added to the RSA Authentication Manager.
The following sections describe how to configure two-factor authentication using VASCO’s VACMAN Middleware Administration version 2.3:
If you will be using RSA instead of VASCO, see “Configuring the RSA Authentication Manager”.
To create a connection between the SonicWALL SSL VPN appliance and the VASCO server, you must create a component record for the external RADIUS server. VASCO servers do not have an internal RADIUS component, so they must use an external RADIUS server. To create a component record for the RADIUS server, perform the following steps:
Step 2. Expand the VACMAN Middleware Administration tree and the VACMAN Server tree.
To add the SonicWALL SSL VPN appliance to VACMAN Middleware Administrator as a RADIUS client, perform the following steps.
Step 3. Enter the IP Address of the SSL VPN appliance.
The DIGIPASS token is based on time synchronization. All tokens are created with their internal real-time clocks set to GMT. As such, it is important to set the date and time zone of the server running the VACMAN Middleware correctly, so that GMT can be derived correctly from the server's local time.
Before Digipass tokens can be assigned to a user, their application records must be imported to the VACMAN middleware. To do this, perform the following steps.
Step 2. Click Import Digipass.
Step 3. Click Browse, navigate to the location of the Digipass import file, and click Open.
Step 5. Click Import All Applications to import all records in the file. Alternatively, to choose which records to import, click Show Applications, select the records, and click Import Selected Applications.
To add users to the VACMAN Middleware Administration, perform the following steps.
Step 1. Expand the VACMAN Server tree and right-click on Users.
After you have imported the Digipass tokens and created the users, you need to assign the Digipass tokens to the users. To do so, perform the following steps.
Step 1. Expand the VACMAN Server tree and click on Digipass.
When the username is displayed in the Search Results window, select the username and click OK to assign the Digipass token.
Beginning with the SSL VPN 2.5 release, portal logos are no longer configured globally from the Portal > Custom Logos page. Custom logos are uploaded on a per-portal basis from the Logo tab in the Portal Logo Settings dialog. For information related to Custom Portal Logos, refer to the “Portals > Portals” section.