F5 FirePass Service manual

FirePass™ Server Administrator Guide
version 4.0
MAN-0081-00


Product Version
This manual applies to product version 4.0 of the FirePass™ Server Administrator Guide.
Legal Notices
Copyright
Copyright © 1999-2003, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5
assumes no responsibility for the use of this information, nor any infringement of patents or other rights of
third parties which may result from its use. No license is granted by implication or otherwise under any
patent, copyright, or other intellectual property right of F5. F5 reserves the right to change specifications at
any time without notice.
Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, iControl, GLOBAL-SITE, SEE-IT, EDGE-FX, FireGuard,
Internet Control Architecture, IP Application Switch, Packet Velocity, iRules, SYN Check, FirePass, and
Webifyer are registered trademarks or trademarks of F5 Networks, Inc. in the U.S. and certain other
countries. All other trademarks mentioned in this document are the property of their respective owners. F5
Networks' trademarks may not be used in connection with any product or service except as permitted in
writing by F5.
Export Regulation Notice
This product may include cryptographic software. Under the Export Administration Act, the United States
government may consider it a criminal offense to export this product from the United States.
Export Warning
This is a Class A product. In a domestic environment this product may cause radio interference in which
case the user may be required to take adequate measures.
FCC Compliance
This equipment generates, uses, and may emit radio frequency energy. The equipment has been type tested
and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules, which
are designed to provide reasonable protection against such radio frequency interference.
Operation of this equipment in a residential area may cause interference, in which case the user at his own
expense will be required to take whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's
authority to operate this equipment under part 15 of the FCC rules.
Canadian Regulatory Compliance
This class A digital apparatus complies with Canadian ICES-003.
Standards Compliance
The product conforms to ANSI/UL Std 1950 and Certified to CAN/CSA Std. C22.2 No. 950.


Table of Contents


1 Introducing the FirePass Server
The FirePass remote access solution
The FirePass server models
The FirePass server features
Overview of features
FirePass server features
About this guide
Audience
Finding help and technical support resources
2 Deploying the FirePass Server
Overview of deploying the FirePass server
Summary of tasks for installing and deploying the FirePass server
Configuring a firewall to work with the FirePass server
Overview of the firewall configuration process
About the traffic between a remote user’s browser and the FirePass server
About the traffic between the FirePass server and network services
About the traffic between FirePass server and application services
About the traffic between the FirePass server and the Desktop Agent
Understanding name resolution issues for FirePass servers with a private IP address
Installing the FirePass server
Unpacking the FirePass server
Installing the FirePass server in an equipment rack
Connecting the FirePass server to a network and powering up
Performing the initial FirePass IP configuration
Testing network connectivity
Using the Administrative Console to configure the FirePass server
Logging Into the Administrative Console
Changing the superuser password
Installing your license
Displaying a list of current settings and licensed features
Using the Administrative Console to access the Maintenance Console
Logging out of the Administrative Console
Using the Maintenance Console
What’s next?
3 Setting Up FirePass Server Security
Overview of setting up FirePass server security
Working with groups
Creating groups
Deleting groups
Moving users to a different group
Showing a list of all users in a group
Using Windows domain-based group mapping
Using LDAP-based group mapping
Working with user accounts
Manually adding user accounts
Importing user accounts from a Windows domain server
Importing user accounts from an LDAP server
Importing user accounts from a comma or tab delimited text file
Using signup templates to add user accounts
Using NFS user permissions from a UNIX password file
Changing user accounts
Activating, deactivating, or deleting user accounts
Assigning administrative privileges to a user account
Searching for user accounts
Generating a My Desktop client software installation key
Installing My Desktop client software at a user’s computer
Setting up FirePass server authentication
Converting to internal database authentication
Setting up RADIUS server authentication
Setting up a RADIUS server to work with the FirePass server
Setting up Windows domain server authentication
Setting up LDAP server authentication
Setting Up VASCO DigiPass authentication
Setting up certificates
Changing the FirePass server name
Generating a server certificate request
Installing or renewing a server certificate
Using client certificates to authenticate a user’s computer
Limiting access to the administrative console by IP address
What’s next?
4 Configuring the FirePass Webifyers
Overview of the FirePass Webifyers
Configuring the My Files Webifyer
Defining Network Folder Favorites for the My Files Webifyer
Limiting a group’s access to the Network Folder Favorites
Enabling virus scanning and file uploading for the My Files Webifyer
Configuring advanced settings for the My Files Webifyer
Using client certification validation for the My Files Webifyer
Configuring the My NFS Webifyer
Defining favorites for the My NFS Webifyer
Defining NFS shared folders for the My NFS Webifyer
Limiting a group’s access to the NFS Favorites
Using client certification validation for the My NFS Webifyer
Configuring the My Intranet Webifyer
Defining intranet favorites for the My Intranet Webifyer
Limiting a group’s access to the Intranet Favorites
Using client certification validation for the My Intranet Webifyer
Configuring the My E-mail Webifyer
Configuring an email account
Obtaining each user’s email information based on an LDAP query
Disabling email attachment downloads
Obtaining email addresses from an LDAP server
Using client certification validation for the My E-mail Webifyer
Configuring the Terminal Services Webifyer
Configuring screen resolution and Terminal Services Favorites
Limiting a group’s access to the Terminal Service Favorites
Using client certification validation for the Terminal Service Webifyer
Configuring the AppTunnels Webifyer
Configuring AppTunnel Favorites
Compressing traffic between the client and the FirePass server
Limiting a group’s access to the AppTunnels Favorites
Using client certification validation for the AppTunnels Webifyer
Configuring the Host Access Webifyer
Configuring Host Access Favorites
Displaying active host access sessions
Limiting a group’s access to the host access favorites
Using client certification validation for the Host Access Webifyer
Configuring SSL-VPN
Configuring global SSL VPN settings
Configuring global SSL VPN packet filter rules
Configuring global SSL VPN timeout rules
Configuring global SSL VPN client appearance
Configuring the SSL VPN Webifyer for a group
Configuring group packet filter rules
Configuring drive mappings for the SSL VPN Webifyer
Launching applications automatically with the SSL VPN Webifyer
Using client certification validation for the SSL VPN Webifyer
Configuring the My Desktop Webifyer
Configuring the My Desktop server ports
Configuring My Desktop Webifyer for cluster servers
Disabling bridge access to desktops
Using client certification validation for the My Desktop Webifyer
Configuring the Guest Access Webifyer
Configuring the X-Windows Access Webifyer
Configuring X-Windows hosts for remote access
Using client certificate validation for Webifyers
5 Managing, Monitoring, and Maintaining the FirePass Server
Maintaining the network configuration settings
Configuring IP addresses and subnets
Configuring routing tables and rules
Configuring Domain Name Servers (DNS)
Configuring host names
Configuring services
Configuring Desktop services
Other network settings
Configuring IPSec for the FirePass server
Managing FirePass licenses
Obtaining a license for the first time
Installing your license
Adding capacity or features to your license
Mapping FirePass users to NFS users
Specifying HTTP and SSL proxies
Configuring an SNMP agent
Shutting down and restarting FirePass
Shutting down the FirePass server
Restarting the FirePass server or services
Stopping and starting the bridge
Backing up and restoring the FirePass server
Specifying the email server
Specifying the FirePass administrator’s email address
Granting Administrator privileges to other users
Specifying the time, time zone, and NTP server
Configuring client caching and compression settings
Managing log files
Updating the FirePass server’s firmware
Adding definitions for other types of browsers
Monitoring the FirePass server
Monitoring the load on a FirePass server
Displaying FirePass server statistics
Capturing network packets to troubleshoot networking problems
Customizing the user’s home page
Providing SSH access for Technical Support
6 Using FirePass Reports
Overview of FirePass server reports
Using the Logon report
Using the My Desktop Activations report
Using the Session report
Using HTTP Log reports
Using the Application Log report
Using the Summary report
Using the Group report
7 Configuring FirePass Failover Servers and Cluster Servers
Using FirePass failover servers
Installing FirePass failover servers
Configuring the IP addresses for failover servers
Powering up failover servers
Configuring the failover settings
Making a standby server the active server
Using FirePass server clusters
Installing multiple FirePass servers as a cluster
Powering up FirePass server clusters
Configuring FirePass server clusters
Preliminary configuration
Configuring clustered servers
Accessing a slave server’s configuration while connected to a master server
Displaying statistics for a FirePass server cluster
Index

1
Introducing the FirePass Server
• The FirePass remote access solution
• The FirePass server models
• The FirePass server features
• About this guide
• Finding help and technical support resources


The FirePass remote access solution
The FirePass™ server is a network appliance providing remote users with
secure access to corporate networks, using any standard Web browser. The
FirePass server can be installed in a few hours and it requires no
modifications to corporate applications. No configuration or setup is
required at the user’s remote location. If the user’s Web browser can
connect to Web sites on the Internet, then that browser can connect to the
FirePass server.
The FirePass server provides a web-based alternative to traditional
remote-access technologies such as modem pools, RAS servers, and
IPSec-layer Virtual Private Networks (VPNs). By leveraging the browser as
a standard “thin client,” FirePass server enables a corporation or
organization to extend secure remote access easily and cost-effectively to
anyone connected to the Internet with no special software or configuration
on the remote device. Also, no additions or changes are necessary to the
back-end resources being accessed. This approach eliminates the IPSec
VPN support burden and adds application functionality well beyond mere
connectivity.
The FirePass server provides full access to network and desktop resources,
including:
• File servers
• Email
• Intranet
• Terminal servers
• Legacy mainframe, AS/400, and Telnet applications
• Client/server applications
• All desktop PC applications
The FirePass server models
The FirePass server is available in two models:
◆ FirePass 1000:
• Supports up to 100 concurrent users
• 1U rackmount chassis
• Includes one 10/100 Ethernet port and supports an option for a second
10/100 Ethernet port
• 200 watt power supply
◆ FirePass 4000:
• Supports up to 1000 concurrent users
• 2U rackmount chassis
• Includes two 10/100 Ethernet ports
• 480 watt power supply

The FirePass server features
Overview of features
◆ Security
FirePass server was built from the ground up to adhere to the highest
standards of best security practices.
• Encryption: FirePass server offers several strengths of encryption,
depending on the capability of the browser in use and on the optional
security settings of the FirePass implementation. FirePass server
offers encryption keys up to 1024 bits.
• Authentication: FirePass server includes an internal user database for
password authentication, and it can use existing RADIUS, LDAP, and
Windows domain servers for authentication. Administrators can
require different authentication methods for different groups. If you
want to use two-factor authentication, FirePass server supports RSA
SecurID® token-based authentication, and also offers an optional,
built-in implementation of VASCO Digipass®.
• Access Control: FirePass server grants access to specific
applications to individuals or to groups of users. With FirePass
server’s access controls, you can restrict individuals and groups to
particular resources. For example, partners can have restricted
access to an extranet server only, while sales staff can connect to
email, the company Intranet, and the CRM system.
◆ Availability
Unlike IPSec VPNs, Web-based remote access works over all ISP
connections and works from behind other firewalls. ISPs cannot detect
and block FirePass server conversations as they might with detected
IPSec traffic. Failover and clustering options provide high availability
and high capacity. FirePass servers can be clustered to support up to
10,000 concurrent connections on a single logical URL without
performance degradation.
◆ Ease of use, deployment, maintenance, and management
FirePass server installs in a few hours. Users are presented with an
intuitive, browser-based interface and they require minimal training after
a brief introduction. FirePass server can be upgraded in the field over the
Web. Automatic release update notifications prompt the FirePass server
administrator to download new versions when they become available.
Features and capacity can also be added over the Web.

FirePass server features
The following features are available on both FirePass server models.
◆ Standard Web browser support
FirePass server can be used with most standard browsers supporting
secure HTTP (also known as HTTPS). These include Internet Explorer®,
Netscape Navigator®, Opera®, and Mozilla®.
◆ WAN security
FirePass server supports common encryption technologies, including
RC4 and 3DES. It uses standard SSL encryption from the client browser
to the FirePass server.
◆ Authentication
FirePass server performs basic authentication using an internal database.
It also supports two-factor (token-based) authentication methods like
RSA SecurID® and VASCO Digipass.
FirePass server authenticates devices using signed digital certificates.
FirePass server can be integrated with LDAP directories and Windows
Domain Servers.
◆ Application access using standard Webifyers
FirePass server provides access to virtually all corporate and desktop
applications, including email, file, and Intranet access, client-server
application access, legacy host application access (mainframe, AS/400,
X-Windows, and Telnet), and Terminal Services/Citrix® application
access.
◆ Mobile device access
FirePass server provides email, file, and Intranet access from
mini-browsers on mobile devices. These include Internet-enabled (WAP
and iMode) telephones, PDAs (PalmOS® and Pocket PC), and RIM
Blackberries™.
◆ Administration
FirePass server provides a web-based Administrator Console. The
Console includes tools for installing and managing the FirePass server,
including user and group enrollment and management, clustering and
failover configuration, certificate generation and installation, and user
interface customization.
◆ Audit trail
FirePass server provides audit tools including full-session audit trails,
drill-down session queries, and customizable reports and queries.
◆ Client/Server application support
FirePass server offers a Client-Server Connector™ providing
application-specific tunnels for client-server applications like
Microsoft® Outlook®, ERP package applications, and custom TCP/IP
applications.
FirePass server also provides a VPN Connector™ giving full network
access comparable to that offered by a traditional IPSec VPN connection.
◆ Desktop Access
FirePass server offers web-based access to authorized desktops with
support for remote control, lightweight email/file access, guest access,
and Web conferencing.
◆ High availability
FirePass servers can be configured to fail over to hot standby servers.
◆ Scalability
FirePass server clusters support up to 10,000 users on a single logical
server.
About this guide
This FirePass Administrator Guide provides information and step-by-step
instructions for installing and administering the FirePass™ 1000 and 4000
servers.
This guide is available as an Adobe Acrobat file (.pdf). (To install a free
version of Adobe Acrobat Reader, see http://www.adobe.com.)
Audience
This guide is for system and network administrators who install and
configure IT equipment and software. This guide assumes that
administrators have experience installing software and working with
network configurations.

Finding help and technical support resources
You can find additional technical documentation about the FirePass server
in the following locations:
◆ Release notes
Release notes containing the latest information for the current version of
FirePass server are available from the Administrative Console. Click the
Maintenance tab and then click the Online Update link. Release notes
include a list of new features and enhancements, a list of fixes, and a list
of known issues.
◆ Online help for FirePass features
You can find help online for virtually all screens on the Administrative
Console. Click the Help Page button in the upper right of the panel.
◆ Technical support through the World Wide Web
The F5® Networks Technical Support web site, http://tech.f5.com,
provides the latest technical notes, answers to frequently asked questions,
updates for the Administrator Kit (in PDF format), updates for the
release notes, and the Ask F5 natural language question and answer
engine.
Conventions used in this manual
Information that you type appears in a bold, monospace font. For example:
admin
A Tip suggests ways to make administration easier or faster. For example:
Tip
An easy way to enter a user agent string is to copy and paste the string from
the Logons report.
A Note or Important contains important information. For example:
Note
If you are powering up a server cluster, always power up the master server
first.
Important
If your superuser password is lost, contact Technical Support.
A Warning describes actions that can cause data loss or problems. For
example:
WARNING
Do not turn the FirePass server off by using the Power switch on the front
panel.


2
Deploying the FirePass Server
• Overview of deploying the FirePass server
• Configuring a firewall to work with the FirePass
server
• Understanding name resolution issues for FirePass
servers with a private IP address
• Installing the FirePass server
• Testing network connectivity
• Using the Administrative Console to configure the
FirePass server
• Using the Maintenance Console
• What’s next?
