Vasco Personal aXsGUARD Operator's manual

Personal aXsGUARD
Installation and Configuration Guide
7.7.1

Personal aXsGUARD - 7.7.1
© VASCO Data Security 2013 ii
Table of Contents
1. Introduction ...................................................................................................................... 1
1.1. About this Document ................................................................................................ 1
1.2. Examples used in this Guide ...................................................................................... 1
1.3. Documentation Sources ............................................................................................. 1
1.4. About the Personal aXsGUARD .................................................................................. 2
1.5. About the aXsGUARD Gatekeeper .............................................................................. 2
1.5.1. What is it? .................................................................................................... 2
1.5.2. Spare Units .................................................................................................. 2
1.5.3. Licensed Units .............................................................................................. 3
1.5.4. Configuration Wizards ..................................................................................... 3
1.6. About VASCO ......................................................................................................... 3
2. Before You Begin .............................................................................................................. 4
2.1. PAX Models ............................................................................................................ 4
2.2. AG-1296 Warranty Notice .......................................................................................... 4
2.3. Hardware and Environmental Specifications .................................................................. 4
3. Features and Concepts ...................................................................................................... 6
3.1. Documentation You May Need ................................................................................... 6
3.2. Central Management and PKI ..................................................................................... 6
3.3. Security Recommendations ........................................................................................ 7
3.4. NAT Traversal ......................................................................................................... 8
3.4.1. Purpose and Definition .................................................................................... 8
3.4.2. UPnP and NAT-PMP ...................................................................................... 8
3.4.3. DNAT and Port Forwarding .............................................................................. 8
3.4.4. SNAT and Masquerading ................................................................................ 9
3.5. VPN Failover ......................................................................................................... 10
3.6. Wireless Access Point ............................................................................................. 11
3.7. TCP or UDP? ........................................................................................................ 11
3.8. Remote Administration ............................................................................................. 12
3.8.1. HTTPS ....................................................................................................... 12
3.8.2. Administration User Levels ............................................................................. 12
3.8.3. Remote Support ........................................................................................... 12
3.9. Embedded Help ..................................................................................................... 12
4. Server-Side Configuration ................................................................................................ 13
4.1. Overview ............................................................................................................... 13
4.2. Feature Activation ................................................................................................... 13
4.3. Server and Client Certificates .................................................................................... 13
4.4. Client Options ........................................................................................................ 14
4.5. General Settings ..................................................................................................... 15
4.6. Network Settings .................................................................................................... 15
4.7. DHCP Settings ....................................................................................................... 17
4.8. Wireless Access Settings ......................................................................................... 17
4.9. Firewall Settings ..................................................................................................... 18
4.10. NAT Traversal ...................................................................................................... 19
4.10.1. Activating NAT ........................................................................................... 19

4.10.2. Automated NAT ......................................................................................... 20
4.10.3. DNAT and Port Forwarding .......................................................................... 20
4.10.4. SNAT and Masquerading ............................................................................. 21
5. Client-Side Configuration ................................................................................................. 23
5.1. Overview ............................................................................................................... 23
5.2. Factory Default Settings ........................................................................................... 23
5.3. Administrator Tool Access Levels .............................................................................. 23
5.4. Installation Instructions ............................................................................................ 24
5.5. Reboot Procedure ................................................................................................... 26
6. Status, Logging and Diagnostics ...................................................................................... 27
6.1. Overview ............................................................................................................... 27
6.2. Checking the Status ................................................................................................ 27
6.2.1. On the aXsGUARD Gatekeeper ...................................................................... 27
6.2.2. On the Personal aXsGUARD .......................................................................... 27
6.3. Checking the Logs .................................................................................................. 27
6.3.1. On the aXsGUARD Gatekeeper ...................................................................... 27
6.3.2. On the Personal aXsGUARD .......................................................................... 28
6.4. Using the Diagnostic Tool ........................................................................................ 28
6.5. Initiating a Remote Support Connection ...................................................................... 29
7. Troubleshooting .............................................................................................................. 30
8. Support .......................................................................................................................... 31
8.1. Overview ............................................................................................................... 31
8.2. If you encounter a problem ....................................................................................... 31
8.3. Return procedure if you have a hardware failure ........................................................... 31
Alphabetical Index ................................................................................................................ 35

VASCO Products
VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document
as ‘VASCO’. VASCO Products comprise Hardware, Software, Services and Documentation. This document
addresses potential and existing VASCO customers and has been provided to you and your organization for
the sole purpose of helping you to use and evaluate VASCO Products. As such, it does not constitute a license
to use VASCO Software or a contractual agreement to use VASCO Products.
Disclaimer of Warranties and Limitations of Liabilities
VASCO Products are provided ‘as is’ without warranty or conditions of any kind, whether implied, statutory,
or related to trade use or dealership, including but not limited to implied warranties of satisfactory quality,
merchantability, title, non-infringement or fitness for a particular purpose.
VASCO, VASCO DISTRIBUTORS, RESELLERS AND SUPPLIERS HAVE NO LIABILITY UNDER
ANY CIRCUMSTANCES FOR ANY LOSS, DAMAGE OR EXPENSE INCURRED BY YOU, YOUR
ORGANIZATION OR ANY THIRD PARTY (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF
PROFITS, BUSINESS INTERRUPTION OR LOSS OF DATA) ARISING DIRECTLY OR INDIRECTLY FROM
THE USE, OR INABILITY TO USE VASCO SOFTWARE, HARDWARE, SERVICES OR DOCUMENTATION,
REGARDLESS OF THE CAUSE OF THE LOSS, INCLUDING NEGLIGENCE, EVEN IF VASCO HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR IF THEY WERE FORESEEABLE. OUR
MAXIMUM AGGREGATE LIABILITY TO YOU, AND THAT OF OUR DISTRIBUTORS, RESELLERS AND
SUPPLIERS SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE PRODUCT. THE LIMITATIONS
IN THIS SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR DEFAULT IS A
BREACH OF A FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH. THIS SECTION
WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY
REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS.
Intellectual Property and Copyright
VASCO Products contain proprietary and confidential information. VASCO Data Security, Inc. and/or VASCO
Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products,
updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights,
database rights and all other intellectual and industrial property rights. No part of these Products may be
transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or
otherwise, for any purpose, except as expressly permitted by VASCO or its authorized licensee in writing.
This document is protected under US and international copyright law as an unpublished work of authorship.
No part of it may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic,
mechanical or otherwise, for any purpose, except as expressly permitted in writing by VASCO or its authorized
licensee.
VASCO Trademarks
VASCO®, VACMAN®, IDENTIKEY®, aXsGUARD®, DIGIPASS®, DIGIPASS as a Service™,
MYDIGIPASS.COM™ and the ® logo are registered or unregistered trademarks of VASCO Data
Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. Other company
brand or product names or other designations, denominations, labels and/or other tags, titles, as well as all
URLs (Internet addresses) linked to such designations or communications (irrespective of whether protected
by intellectual property law or not), mentioned in VASCO Products may be the trademarks or registered
trademarks or be part of any other entitlement of their respective owners.
Other Trademarks
Citrix® and XenServer® are trademarks or registered trademarks of Citrix Systems, Inc. VMware® and
vSphere® are registered trademarks or trademarks of VMware, Inc. Hyper-V™ is a registered trademark of
Microsoft Corporation.
Copyright
© 2013 VASCO Data Security, VASCO Data Security International GmbH. All rights reserved.

Chapter 1. Introduction
1.1. About this Document
• This document has been written for aXsGUARD Gatekeeper version 7.7.1 and is based on changes and
features that have been implemented since version 7.7.0.
• This document was last updated on 22 Nov 2013.
This guide serves as a reference source for technical personnel and / or system administrators. It explains
how to set up and configure the Personal aXsGUARD VPN client.
In Chapter 1, Introduction, we introduce the aXsGUARD Gatekeeper and explain the difference between
licensed and spare units.
In Chapter 2, Before You Begin, we cover the product warranty and hardware specifications.
In Chapter 3, Features and Concepts, we explain the main features of the Personal aXsGUARD and how its
configuration is managed centrally on a corporate aXsGUARD Gatekeeper. We also provide some important
security-related guidelines.
In Chapter 4, Server-Side Configuration, we explain the server-side configuration, such as the initialization of
the CA, the generation of server and client certificates and the Personal aXsGUARD configuration settings,
which are downloaded from the VPN server.
In Chapter 5, Client-Side Configuration, we explain how to configure and connect the Personal aXsGUARD
with the corporate aXsGUARD Gatekeeper, starting with the factory default settings.
In Chapter 6, Status, Logging and Diagnostics, we explain how to access the Personal aXsGUARD logs and
status information and how to initiate a remote support connection.
In Chapter 7, Troubleshooting, we offer some solutions to solve potential difficulties.
In Chapter 8, Support, we explain how to request support and how to return hardware for replacement.
1.2. Examples used in this Guide
All setups and configuration examples in this guide are executed as an advanced administrator. Some options
are not available if you log on as a full administrator or a user with lower privileges.
The administrator levels are explained in the system administration guide.
As software development and documentation are ongoing processes, screens shown in this guide may
slightly vary from the software version installed on your appliance.
1.3. Documentation Sources
Other documents in the set of aXsGUARD Gatekeeper documentation include:
• aXsGUARD Gatekeeper Installation Guide, which explains how to set up the aXsGUARD Gatekeeper, and
is intended for technical personnel or system administrators.
• How to guides, which provide detailed information on the configuration of each of the features available as
add-on modules (explained in Section 1.5.1, “What is it?”). These guides cover specific features such as:
• aXsGUARD Gatekeeper Authentication

• aXsGUARD Gatekeeper Firewall
• aXsGUARD Gatekeeper Single Sign-On
• aXsGUARD Gatekeeper VPN
• aXsGUARD Gatekeeper Reverse Proxy
• aXsGUARD Gatekeeper Directory Services
Access to aXsGUARD Gatekeeper guides is provided through the permanently on-screen Documentation
button in the aXsGUARD Gatekeeper Administrator Tool.
Further resources available include:
• Context-sensitive help, which is accessible in the aXsGUARD Gatekeeper Administrator Tool through the
Help button. This button is permanently available and displays information related to the current screen.
• Training courses covering features in detail can be organized on demand. These courses address all levels
of expertise. Please see http://www.vasco.com for further information.
1.4. About the Personal aXsGUARD
The Personal aXsGUARD is a small plug and play OpenVPN appliance designed specifically for use
with the aXsGUARD Gatekeeper. Its integration with home networks is easy and allows telecommuters to
safely connect to corporate network resources and the Internet. All PAX settings are centrally managed on
and pushed by the corporate aXsGUARD Gatekeeper appliance, which makes deploying PAX systems a
convenient and straightforward process.
1.5. About the aXsGUARD Gatekeeper
1.5.1. What is it?
The aXsGUARD Gatekeeper is an authentication appliance, intended for small and medium sized enterprises.
In addition to strong authentication, the aXsGUARD Gatekeeper has the potential to manage all of your Internet
security needs. Its modular design means that optional features can be purchased at any time to support, for
example, e-mail and Web access control. The aXsGUARD Gatekeeper can easily be integrated into existing
IT infrastructures as a stand-alone authentication appliance or as a gateway providing both authentication
services and Internet Security.
Authentication and other features such as firewall, e-mail and Web access, are managed by security policies,
which implement a combination of rules, for example, whether a user must use a DIGIPASS One-Time
Password in combination with a static password for authentication. Security Policies are applied to specific
users or groups of users and can also be applied to specific computers and the entire system.
1.5.2. Spare Units
A Spare Unit is an unlicensed appliance with limited configuration possibilities that allows you to swiftly replace
a defective appliance. It can also be licensed as a new appliance. In fact, all appliances can be considered
spare units until they are licensed.
Restoring to a Spare Unit is restricted to:
• the same hardware version (e.g. AG-3XXX, AG-5XXX or AG-7XXX) as the unit being replaced.
• the same software version as the appliance being replaced (or a higher version on which data migration is
Once a backup is restored on a Spare Unit, full functionality is available. The configuration tool of the appliance
can then be accessed by any user with administrative privileges (see the aXsGUARD Gatekeeper System
Administration How To).
The license from the backup is also restored on the Spare Unit. However, an appliance with a restored license
only remains operational for a grace period of 30 days, during which the System Administrator needs to acquire

a new license. If a new license has not been issued after this grace period, all services on the appliance will
be stopped. Only the Administrator Tool will remain accessible.
Contact VASCO support ([email protected]) to release the restored license of the original appliance. To
relicense the appliance, follow the same procedure as used during first-time licensing.
1.5.3. Licensed Units
With a licensed appliance, a user with full administrative privileges has access to all the configuration options
on the aXsGUARD Gatekeeper. Use the sysadmin account to create a user with administrative privileges.
Since the sysadmin user can create new administrators, you should change the default password of this
account when you log in to the appliance for the first time.
Licensing and accessing a fully operational in-service appliance requires the following steps:
1. Logging on to the aXsGUARD Gatekeeper as the default sysadmin user and changing the sysadmin
password
2. Creating a new user with full administration rights, which is required to configure the aXsGUARD
Gatekeeper
3. Licensing the appliance
1.5.4. Configuration Wizards
As of version 7.6.5, configuration wizards are available. They allow you to configure the system
essentials more easily and quickly. You can, of course, also configure your system manually.
1.6. About VASCO
VASCO is a world leader in strong authentication and e-signature solutions, specializing in online accounts,
identities and transactions. As a global software company, VASCO serves a customer base of approximately
10,000 companies in over 100 countries, including approximately 1,500 international financial institutions. In
addition to the financial sector, VASCO’s technologies secure sensitive information and transactions for the
enterprise security, e-commerce and e-government industries.
For further information, please visit http://www.vasco.com.

Chapter 2. Before You Begin
2.1. PAX Models
There are two hardware models:
• The AG-1296: This model is still supported, but has been discontinued. Please see prior documentation
for reference.
• The AG-1497: See Section 2.3, “Hardware and Environmental Specifications”.
2.2. AG-1296 Warranty Notice
Do not press the reset button on the back panel of the AG-1296 model. Removal of the protective seal
automatically voids the product warranty and will necessitate a replacement.
Figure 2.1. AG-1296 Front and Back Panel
2.3. Hardware and Environmental Specifications
Figure 2.2. AG-1497 Front and Back Panel
Hardware Features
Interface:
• 4 10/100/1000 Mbps LAN ports
• 1 10/100/1000 Mbps WAN port
• 2 USB 2.0 ports
Buttons:
• WPS/Reset button
• Wireless On/Off switch
• Power On/Off button
External Power Supply: 12 VDC / 1.5 A

Dimensions (W x D x H): 9.6 x 6.4 x 1.3 in. (243 x 160.6 x 32.5 mm)
Antenna: 3 external detachable dual band antennas (RP-SMA)
Wireless Features
Wireless Standards: IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n
Frequency: 2.4 GHz & 5 GHz
Signal Rate:
• 5 GHz: up to 450 Mbps
• 2.4 GHz: up to 300 Mbps
EIRP: < 20 dBm
Reception Sensitivity:
• 300M_2.4G: -70 dBm
• 270M_2.4G: -70 dBm
• 195M_2.4G: -71 dBm
• 130M_2.4G: -74 dBm
• 54M_2.4G: -79 dBm
• 6M_2.4G: -94 dBm
• 450M_5G: -64 dBm
• 405M_5G: -64 dBm
• 270M_5G: -67 dBm
• 195M_5G: -70 dBm
• 130M_5G: -73 dBm
• 54M_5G: -79 dBm
• 6M_5G: -92 dBm
Guest Network:
• 2.4 GHz guest network × 1
• 5 GHz guest network × 1
Others
Environment:
• Operating Temperature: 0°C - 40°C (32°F - 104°F)
• Storage Temperature: -40°C - 70°C (-40°F - 158°F)
• Operating Humidity: 10% ~ 90% non-condensing
• Storage Humidity: 5% ~ 90% non-condensing

Chapter 3. Features and Concepts
3.1. Documentation You May Need
The concepts mentioned in this guide, i.e. certificates, IP address ranges, DHCP, NAT, routing, DNS and
firewall settings, are fully explained in separate guides which can be accessed by clicking on the permanently
available Documentation button in the aXsGUARD Gatekeeper Administrator Tool. Guides you may need
include:
• The aXsGUARD Gatekeeper System Administration How To, which explains important concepts, such as
IP address ranges, DNS, DHCP, NAT and routing.
• The aXsGUARD Gatekeeper Firewall How To, which explains the concepts and configuration of Firewall
Rules and Policies.
• The aXsGUARD Gatekeeper PKI How To, which explains the concepts of the Public Key Infrastructure and
how to configure it.
• The aXsGUARD Gatekeeper OpenVPN How To, which explains the concepts of OpenVPN. The PAX is
actually a hardware OpenVPN client.
3.2. Central Management and PKI
The hosts (client and server) involved in an SSL VPN connection use digital certificates for identification and
encryption purposes.
In terms of certificate types, there are client and server certificates. Each type has its purpose and
characteristics. System administrators must use the aXsGUARD Gatekeeper Administrator Tool to create,
manage and distribute valid PAX (client) certificates. The aXsGUARD Gatekeeper at your corporate HQ is the
certificate authority (CA), as shown in Figure 3.1, “Relationship between PAX and aXsGUARD Gatekeeper”.
Only a PAX that was issued a valid client certificate is allowed to connect to the corporate network.
Any PAX configuration starts on the aXsGUARD Gatekeeper, which is explained in Chapter 4, Server-Side
Configuration.
Figure 3.1. Relationship between PAX and aXsGUARD Gatekeeper
Besides client certificates, the following PAX settings are also managed on the aXsGUARD Gatekeeper (see
Chapter 4, Server-Side Configuration):
• The password to access the web-based Administrator Tool of a registered PAX system.

• PAX Network settings, such as routing, NAT and DNS servers.
• PAX DHCP server settings.
• Wireless Access settings, in case you are connecting to the PAX from a PC equipped with a wireless network
device.
• Firewall Policies which regulate traffic through the VPN tunnel, as well as traffic towards the Internet.
3.3. Security Recommendations
There are two possible firewall scenarios:
• The VPN connection is up: the aXsGUARD Gatekeeper pushes the configured Firewall policies onto the
PAX. These policies regulate traffic from the PAX’s LAN towards the Internet, as well as traffic going through
the VPN tunnel (towards or through the aXsGUARD Gatekeeper). The system default Firewall policies only
accept ICMP traffic and VASCO remote support connections.
• The VPN connection is down: the PAX protects your network from incoming connections. In this state,
the PAX behaves like a home network router. All traffic towards the Internet is allowed; traffic coming from
the Internet is dropped, except for ICMP traffic and VASCO remote support connections.
Figure 3.2. PAX Firewall Scenarios
The stat-sec Firewall Policy and dynamic policies configured for PPTP, L2TP or OpenVPN do not
apply to the PAX. All PAX Firewall rights must be configured separately on the corporate aXsGUARD
Gatekeeper. The PAX downloads its Firewall configuration when it connects to the aXsGUARD
Gatekeeper VPN server. Configure the Firewall settings as explained below.
• Restrict Firewall Access of the PAX to the corporate network resources which are specifically needed by
the client(s). This improves security in case a client is hijacked or compromised, e.g. if a client is infected
with a trojan virus.
• The pre-configured aXsGUARD Gatekeeper Firewall policy (fwd-access-lan) can be used to provide the
appropriate security for VPN clients and for system administrators who do not wish to configure their own
Firewall Policies. However, we strongly encourage system administrators to implement their own Firewall
Policies, install a client-side firewall and anti-malware software.
• VASCO recommends a setup where potentially dangerous or infected client computers connect directly to
the Internet using an existing installation. Only computers that need remote access to the corporate LAN

should be connected to the PAX. A secure option is to connect the Internet Interface of the PAX to the
user’s LAN and only connect the client computers that actually need access to corporate resources to the
PAX LAN (double NAT).
For additional information about aXsGUARD Gatekeeper Firewall Rules and Policies, see the
aXsGUARD Gatekeeper Firewall How To, which can be accessed via the Documentation button in the
Administration Tool.
3.4. NAT Traversal
3.4.1. Purpose and Definition
The PAX makes it easy to connect peers that are located on a network address translated (NAT’d) network
segment behind a gateway.
NAT traversal is a general term for techniques that establish and maintain TCP/IP and/or UDP connections
across network address translation (NAT) gateways. For detailed information
about NAT, see the aXsGUARD Gatekeeper System Administration How To, which can be accessed via the
Documentation button in the Administrator Tool.
As of PAX version 1.1, you can configure custom NAT rules on the aXsGUARD Gatekeeper. The rules are
downloaded by the PAX when it connects to the aXsGUARD Gatekeeper VPN server. By default, the NAT
rules apply to the PAX’s WAN interface; they are comparable to port forwarding rules on the aXsGUARD
Gatekeeper.
3.4.2. UPnP and NAT-PMP
Universal Plug and Play and NAT-PMP:
UPnP (Universal Plug and Play) enables programs running on a host to automatically configure port forwarding
on the PAX. UPnP basically allows a program to open ports that are necessary for its operation, without any
warning or intervention from the system administrator. For this reason, there is a security risk associated with
enabling UPnP on the PAX. Technically, a worm or malware could use this function to compromise your LAN’s
security.
It is therefore recommended to manually configure port forwarding whenever possible and disable UPnP.
However, in some cases dynamic port forwarding may be required if manual port forwarding becomes
impractical.
NAT-PMP (NAT Port Mapping Protocol) is a protocol similar to UPnP that is supported by a number of Windows and Linux applications.
3.4.3. DNAT and Port Forwarding
Destination network address translation (DNAT) is a technique for transparently changing the destination IP
address of an en route packet and performing the inverse function for any replies. DNAT is commonly used
to publish a service located in a private network on a publicly accessible IP address. This use of DNAT is
also called port forwarding.
In most cases the WAN interface of the PAX is connected directly to the Internet and is assigned a public IP
address. In that case, network packets leaving the WAN interface are masqueraded. (For information about
masquerading, see the aXsGUARD Gatekeeper System Administration How To, which can be accessed
via the Documentation button in the Administrator Tool). By default, the PAX firewall blocks all connections
originating from the Internet.
If the WAN interface of the PAX is connected to a NAT’d network in a private range (the WAN interface is
connected to the LAN, as shown in Figure 3.3, “WAN to LAN Option in NAT Environment”), you can enable
access to its LAN from the network connected to its WAN interface.

With the option enabled (see Section 4.6, “Network Settings”), hosts in the NAT’d network connected to the
PAX’s WAN interface can connect seamlessly to machines in the PAX’s LAN, as if they were a part of the
same network segment. In this case, packets leaving the PAX’s WAN interface are not masqueraded. In short,
this option allows traffic from the NAT’d WAN to traverse the PAX’s firewall, while incoming Internet traffic
remains blocked.
Figure 3.3. WAN to LAN Option in NAT Environment
3.4.4. SNAT and Masquerading
Source Network Address Translation (SNAT) is a NAT type used to change the source IP address of packets.
Masquerading is a form of SNAT in which the new source address is not fixed: for every new connection,
the source IP address is looked up based on the outgoing interface of the packet, and the packets are altered
(masqueraded) accordingly. Reply packets are automatically "demasqueraded" and returned to the original
source IP addresses.
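As an added illustration (not code from the Personal aXsGUARD or VASCO), the following Python model simulates the behaviour described in Sections 3.4.3 and 3.4.4: masquerading of LAN traffic leaving the WAN interface, demasquerading of the replies, DNAT port forwarding with the inverse rewrite on replies, the default drop of unsolicited Internet connections, and the WAN-to-LAN option for a WAN interface in a NAT’d private range. The class and method names, addresses and ports are constructed for the example.

```python
"""Toy model of the NAT behaviour described in Sections 3.4.3 and 3.4.4.

Constructed example, not the appliance's own code: masquerading of LAN
traffic leaving the WAN interface, automatic "demasquerading" of replies,
DNAT port forwarding with the inverse rewrite on replies, the default drop
of unsolicited Internet traffic, and the WAN-to-LAN option for a WAN
interface in a NAT'd private range. All addresses and ports are made up.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class PaxNat:
    def __init__(self, wan_ip: str, lan_net: str, wan_net: str,
                 wan_to_lan: bool = False):
        self.wan_ip = wan_ip
        self.lan_net = ip_network(lan_net)
        self.wan_net = ip_network(wan_net)   # segment the WAN interface sits in
        self.wan_to_lan = wan_to_lan         # "WAN to LAN" option of Section 3.4.3
        self.port_forwards = {}   # (proto, wan_port) -> (lan_ip, lan_port)
        self.masq = {}            # (proto, masq_port, peer_ip, peer_port) -> (lan_ip, lan_port)
        self.dnat_sessions = {}   # (proto, lan_ip, lan_port, peer_ip, peer_port) -> wan_port
        self._next_port = 40000   # first masquerade source port handed out

    def add_port_forward(self, proto: str, wan_port: int, lan_ip: str, lan_port: int) -> None:
        """DNAT rule: publish lan_ip:lan_port on the WAN address at wan_port."""
        self.port_forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def from_lan(self, pkt: Packet) -> Packet:
        """A packet from the LAN about to leave via the WAN interface."""
        # Reply of a port-forwarded session: undo the DNAT so the peer sees
        # the WAN address and port it originally connected to.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.dnat_sessions:
            return replace(pkt, src=self.wan_ip, sport=self.dnat_sessions[key])
        if self.wan_to_lan:
            return pkt   # WAN-to-LAN option enabled: not masqueraded
        # Masquerade: source becomes the WAN address plus a fresh port, and
        # the mapping is remembered so the reply can be reversed.
        mport = self._next_port
        self._next_port += 1
        self.masq[(pkt.proto, mport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.wan_ip, sport=mport)

    def from_wan(self, pkt: Packet) -> Optional[Packet]:
        """A packet arriving on the WAN interface; None means it is dropped."""
        if pkt.dst == self.wan_ip:
            orig = self.masq.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
            if orig is not None:   # reply to a masqueraded connection
                return replace(pkt, dst=orig[0], dport=orig[1])
            fwd = self.port_forwards.get((pkt.proto, pkt.dport))
            if fwd is not None:    # DNAT: rewrite to the published LAN service
                self.dnat_sessions[(pkt.proto, fwd[0], fwd[1], pkt.src, pkt.sport)] = pkt.dport
                return replace(pkt, dst=fwd[0], dport=fwd[1])
        # WAN-to-LAN option: hosts on the NAT'd WAN segment may reach the LAN.
        if (self.wan_to_lan and ip_address(pkt.src) in self.wan_net
                and ip_address(pkt.dst) in self.lan_net):
            return pkt
        return None   # default firewall: connections from the Internet are dropped


def demo() -> dict:
    """Run the scenarios of Sections 3.4.3 and 3.4.4 and return the outcomes."""
    # Scenario A: WAN directly on the Internet with a public address.
    pax = PaxNat("203.0.113.10", "192.168.1.0/24", "203.0.113.0/24")
    pax.add_port_forward("tcp", 8443, "192.168.1.20", 443)
    out = pax.from_lan(Packet("tcp", "192.168.1.50", 51000, "198.51.100.5", 80))
    back = pax.from_wan(Packet("tcp", "198.51.100.5", 80, "203.0.113.10", out.sport))
    unsolicited = pax.from_wan(Packet("tcp", "198.51.100.9", 4444, "203.0.113.10", 22))
    fwd_in = pax.from_wan(Packet("tcp", "198.51.100.7", 33000, "203.0.113.10", 8443))
    fwd_reply = pax.from_lan(Packet("tcp", "192.168.1.20", 443, "198.51.100.7", 33000))
    # Scenario B: WAN in a NAT'd private range with the WAN-to-LAN option on.
    pax_b = PaxNat("10.0.0.2", "192.168.1.0/24", "10.0.0.0/24", wan_to_lan=True)
    wan_host_in = pax_b.from_wan(Packet("tcp", "10.0.0.50", 40500, "192.168.1.20", 445))
    internet_in = pax_b.from_wan(Packet("tcp", "198.51.100.9", 5555, "192.168.1.20", 445))
    lan_out_b = pax_b.from_lan(Packet("tcp", "192.168.1.50", 51001, "10.0.0.50", 80))
    return {"masqueraded": out, "demasqueraded": back, "unsolicited": unsolicited,
            "dnat_in": fwd_in, "dnat_reply": fwd_reply, "wan_host_to_lan": wan_host_in,
            "internet_to_lan": internet_in, "lan_out_not_masqueraded": lan_out_b}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:24s} {pkt}")
```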

Figure 3.4. SNAT and Masquerading
3.5. VPN Failover
In computing, failover is the capability to switch over automatically to a redundant or secondary computer
server, system, or a network upon the failure or abnormal termination of the primary server, system, or network.
Failover occurs automatically and is generally a seamless process.
If you have a site with 2 aXsGUARD Gatekeeper appliances in a high availability (HA) configuration or a single
aXsGUARD Gatekeeper appliance equipped with multiple Internet devices (Internet Redundancy system),
you can configure the PAX to automatically try an alternate IP address in case the primary VPN connection
fails.
Failover can also be applied at the protocol level, since the PAX supports UDP and TCP (see Section 3.7,
“TCP or UDP?”). The default behavior is set to auto, which means that a UDP connection will be attempted
first. If it fails, the PAX will automatically try to establish a TCP connection. If alternate IP addresses have
been configured and the VPN protocol type is set to auto, the PAX will try to establish a VPN connection in
the following order:
1. IP address 1 on UDP
2. IP address 1 on TCP
3. IP address 2 on UDP
4. IP address 2 on TCP
5. IP address X on UDP
6. IP address X on TCP
This provides the flexibility to use UDP on one VPN server and TCP on another. However, the PAX will take
longer to recover from a failing VPN connection; if the UDP connection towards the first server fails, the PAX
will first try to establish a TCP connection with the same server, before it switches to the second server. If
a connection is made to the second server, UDP will be attempted first. In case a specific VPN protocol is
selected, the failover occurs without delay, as only the selected protocol is used.
Example 3.1. Maintenance of master in HA cluster
Assume that you have a HA cluster and that the master is down for maintenance. If configured, the PAX
will automatically try to establish a VPN connection with the slave system, which is listening on a different
IP address.
Example 3.2. Selecting UDP as the VPN protocol
Assume you have configured the PAX to use UDP only. The PAX will connect to the first IP using UDP. If the
connection fails, it will immediately switch to the second IP, without attempting to establish a TCP connection
with the first IP.
For details about Internet Redundancy, see the aXsGUARD Gatekeeper Internet Redundancy How To
guide, which can be accessed via the Documentation button in the Administrator Tool.
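The attempt order described above, worked through as an added example in Python (this is not VASCO code): failover_order builds the list of (IP address, protocol) pairs the PAX would try for a given server list and protocol setting, and connect walks that list against a constructed set of reachable endpoints, reproducing Examples 3.1 and 3.2. The 192.0.2.x addresses are constructed documentation addresses.

```python
# Added example, not VASCO code: models the PAX VPN failover order of Section 3.5.
from typing import List, Optional, Set, Tuple

Endpoint = Tuple[str, str]  # (aXsGUARD Gatekeeper IP address, "udp" or "tcp")


def failover_order(servers: List[str], protocol: str = "auto") -> List[Endpoint]:
    """Return the (IP, protocol) pairs in the order the PAX tries them.

    "auto": UDP then TCP on each server before moving on to the next one.
    "udp" / "tcp": only that protocol, so the next server is tried immediately.
    """
    if protocol == "auto":
        protocols = ["udp", "tcp"]
    elif protocol in ("udp", "tcp"):
        protocols = [protocol]
    else:
        raise ValueError(f"unknown VPN protocol setting: {protocol!r}")
    return [(ip, proto) for ip in servers for proto in protocols]


def connect(servers: List[str], protocol: str,
            reachable: Set[Endpoint]) -> Tuple[List[Endpoint], Optional[Endpoint]]:
    """Walk the failover order until an endpoint accepts the connection.

    `reachable` is a constructed stand-in for the (IP, protocol) combinations on
    which a VPN server currently answers. Returns (attempts made, endpoint used);
    the endpoint is None when every attempt failed.
    """
    attempts: List[Endpoint] = []
    for endpoint in failover_order(servers, protocol):
        attempts.append(endpoint)
        if endpoint in reachable:
            return attempts, endpoint
    return attempts, None


if __name__ == "__main__":
    # Constructed HA cluster: master 192.0.2.10 is down for maintenance (Example 3.1),
    # the slave 192.0.2.11 listens on both protocols.
    servers = ["192.0.2.10", "192.0.2.11"]
    slave_up = {("192.0.2.11", "udp"), ("192.0.2.11", "tcp")}
    print(connect(servers, "auto", slave_up))  # three attempts: TCP is tried on the master first
    # Example 3.2: with "udp" selected the master's TCP attempt is skipped.
    print(connect(servers, "udp", slave_up))   # two attempts
```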
3.6. Wireless Access Point
It is possible to enable wireless mode on the PAX (this option must be configured on the aXsGUARD
Gatekeeper). As such, your PAX becomes a secured wireless access point for your corporate network. This
requires some minor configuration on the client side. Consult the documentation of the client’s operating
system if necessary.
The following encryption types are supported:
• WPA2 Enterprise CCMP Encryption
• WPA2 PSK CCMP Encryption
• WPA/WPA2 Enterprise AES Encryption
• WPA/WPA2 PSK AES Encryption
• WPA/WPA2 Enterprise TKIP+AES Encryption
• WPA/WPA2 PSK TKIP+AES Encryption
• WEP 128 bit Encryption
The encryption types are listed from strongest to weakest.
3.7. TCP or UDP?
The PAX is in fact a hardware OpenVPN client and uses UDP Port 1194 to establish a VPN connection with
the aXsGUARD Gatekeeper VPN server. UDP port 1194 is the port number that is officially assigned by the
IANA for OpenVPN.
Although UDP is the standard protocol, TCP is also supported. The PAX can be configured to automatically
detect the configured VPN protocol type (UDP or TCP) of the remote aXsGUARD Gatekeeper.
TCP is the preferred option if your PAX client is located in a remote area and is likely to have an Internet
connection of inferior quality. TCP offers error detection and retransmission mechanisms and is therefore more
reliable and suitable for unstable Internet connections, but produces more overhead. UDP is a faster protocol,
but offers neither error control mechanisms nor guaranteed delivery. UDP is more suitable for stable Internet
connections.
3.8. Remote Administration
3.8.1. HTTPS
The PAX is administered via a web-based Administration Tool. HTTP is the default protocol, but you also
have the option to switch to HTTPS. The benefit of HTTPS is that any sensitive information that needs to be
transferred to the appliance is transmitted securely, since the link is encrypted.
3.8.2. Administration User Levels
There are two user levels: the admin level and the user level.
• The admin level is required to configure system-critical settings, such as certificates and the IP address(es) of
aXsGUARD Gatekeeper VPN server(s) on the Internet.
• The user level is limited to stopping and starting the VPN connection, initiating a remote support connection
and rebooting the PAX.
3.8.3. Remote Support
Users can request remote support via the web interface of the PAX system. This action initiates a secure
connection towards the VASCO support center, which enables our support engineers to access the PAX
for troubleshooting. As an alternative, VASCO can configure any PAX so that it has a permanent secured
connection to the VASCO service center.
3.9. Embedded Help
If you get stuck, the aXsGUARD Gatekeeper offers help text that is permanently embedded in the interface.
Just click on "Help" at the top-right corner of the PAX configuration screen.
Figure 3.5. Embedded Help

Chapter 4. Server-Side Configuration
4.1. Overview
In this chapter, we explain how to configure the corporate aXsGUARD Gatekeeper VPN server so that a PAX
can download its settings and establish a VPN connection. The configuration steps must be executed in the
order given. The instructions that follow assume that no CA or PAX has been initialized or configured on
the aXsGUARD Gatekeeper yet. If you are already familiar with these topics, you may skip to Chapter 5, Client-
Side Configuration, which explains how to configure your PAX.
Topics covered in this chapter include:
• PAX Feature Activation
• Initialization of the aXsGUARD Gatekeeper CA
• Creating an aXsGUARD Gatekeeper VPN (SSL) server certificate
• Creating a PAX client certificate
• Configuring the aXsGUARD Gatekeeper SSL VPN certificate settings
• Configuration of the PAX settings on the server side
4.2. Feature Activation
Before you can access the menu to configure your PAX settings, you need to activate the feature on the
aXsGUARD Gatekeeper.
1. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration
How To, which can be accessed via the Documentation button in the Administrator Tool.
2. Navigate to System ⇒Feature Activation
3. Expand the VPN & RAS tree.
4. Check the Do you use the Personal aXsGUARD Gatekeeper? option.
5. Click on Update.
Figure 4.1. PAX Feature Activation
4.3. Server and Client Certificates
You must use the aXsGUARD Gatekeeper CA to create the appropriate PAX client and server certificates.
The concept and use of the aXsGUARD Gatekeeper PKI are fully explained in the PKI How To, which can
be downloaded by clicking on the Documentation button in the administrator tool. What follows is an overview
of what is covered in this manual.
• How to initialize the CA
• How to generate certificates
• How to import, export and revoke certificates
• How to configure automatic notifications
4.4. Client Options
Any PAX in the field must be configured on the aXsGUARD Gatekeeper VPN server before it can be used to
successfully establish a VPN connection (see Section 3.2, “Central Management and PKI”). A PAX downloads
its configuration settings directly from the corporate aXsGUARD Gatekeeper.
Certain configuration tabs only appear when the corresponding options are enabled.
1. Navigate to VPN & RAS ⇒Personal aXsGUARD ⇒Client.
2. Click on Add New.
3. Enter the common settings as explained in the table below.
4. Enter the settings per tab. Each tab is explained separately (Section 4.5, “General Settings” to
Section 4.10.3, “DNAT and Port Forwarding”).
5. Click on Save for a new configuration. Click on Update to store the settings of an existing configuration.
Figure 4.2. PAX Client Settings
Parameter: Description
Distinguished Name: Enter a unique name for the PAX unit.
Enabled: Check this option to allow incoming connections from the PAX unit. Uncheck to disable the unit / access to your network.
Description (optional): Provide an optional description for the unit, e.g. the name or the location of the PAX user.
Hardware Model: Select the model that applies to you.
Enable DHCP Server: Check this option to enable the DHCP server on the PAX unit. If enabled, the PAX will assign IP addresses to its DHCP clients in the specified range (see Section 4.7, “DHCP Settings”).
Enable Wireless LAN: Check this option to allow clients to connect to the corporate network and the Internet via a wireless connection.
Activate NAT (only PAX v1.1 or higher): Check this option if you want to forward incoming traffic to certain ports / IP addresses in the LAN of the PAX (see Section 4.10.3, “DNAT and Port Forwarding”).
Table 4.1. PAX Client Settings
4.5. General Settings
Parameter: Description
Enable HTTPS: Check if you want to administer the PAX over a secure connection rather than standard HTTP.
Automatically start VPN connection: If checked, the VPN connection is automatically initiated after the PAX has completed its boot procedure. If the option is unchecked, the VPN must be started manually by accessing the Administrator Tool of the PAX.
PAX admin password: The password required to access the web-based administrator tool of the PAX.
PAX user password: The password required for end-users to connect, reconnect or disconnect the VPN (also see Section 3.8.2, “Administration User Levels” and Chapter 5, Client-Side Configuration).
Notes about this system: General information about the PAX system that may be useful to administrators, e.g. the location, additional user information, etc. This field is optional.
Table 4.2. Client Settings - General Tab
The user password to access the web-based PAX administration tool is configured on the aXsGUARD
Gatekeeper. If you do not want users to access the web-based Administrator Tool of the PAX, simply
don’t specify a password.
4.6. Network Settings
In this section, we explain the configurable network settings of the PAX (the Network tab). Via this tab, you
can configure, among other things, the LAN IP address to be assigned to the PAX. The table below covers each
setting in detail.
Figure 4.3. PAX Network Settings
Parameter: Description
Remote LAN IP Address / Netmask: This is the LAN IP address and subnet mask to be assigned to the PAX. Use the CIDR notation, e.g. 10.0.0.1/24. Use the IP address specified here to access the web-based Administrator Tool of the PAX (explained in Chapter 5, Client-Side Configuration).
Do not use the aXsGUARD DNS Servers: (See note below) Leave this option unchecked if you want to use the aXsGUARD Gatekeeper DNS server while the VPN tunnel is up. Check this option if you are using another DNS server (not the aXsGUARD Gatekeeper), e.g. an Active Directory DNS server. You can specify one or multiple DNS servers using the Add button.
DNS Server IP list: (See note below) If the Do not use the aXsGUARD DNS Servers option is selected, this field becomes available so you can enter the IP address(es) of the DNS server(s) to be used while the VPN tunnel is up, i.e. DNS servers other than the aXsGUARD Gatekeeper. Use the Add button to enter the IP address(es).
Route all traffic through Tunnel: If this option is selected, all traffic leaving the PAX’s client is routed via the VPN tunnel, including traffic towards the Internet. As a result, the corporate aXsGUARD Gatekeeper acts as an Internet / network gateway. If this option is unchecked, traffic towards the Internet is routed via the default gateway of the PAX’s client.
Routing towards the following networks: Specify the networks which must be accessible via the VPN connection. By default, the IP address of the aXsGUARD Gatekeeper’s primary LAN interface is already provided. You must manually add the network address of any other networks that must be accessible via the VPN connection. Use the CIDR notation, e.g. 192.168.230.0/24. Use the Add button to enter the network address(es).
Enable WAN to LAN in NAT setup: Check this option if the WAN interface of your PAX is connected to a NAT’d network segment and you wish to grant access to the PAX’s LAN from hosts of this NAT’d segment, as explained in Section 3.4, “NAT Traversal”.
Allow access from these networks to LAN: If the option Enable LAN access from WAN is enabled, you must specify the network address of the NAT’d network segment which is allowed to connect to the PAX’s LAN (see Section 3.4, “NAT Traversal” for more details). Use the CIDR notation to specify the network, e.g. 172.16.0.0/24. Use the Add button to enter the network addresses.
Table 4.3. PAX Client Settings - Network Tab
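The access and masquerading decisions that the Enable WAN to LAN in NAT setup and Allow access from these networks to LAN settings control (Section 3.4.3 and the table above), worked through as an added Python example that is not VASCO code, together with a check that flags allowed networks outside the RFC 1918 ranges. The dataclass field names, the RFC 1918 restriction and the sample addresses are assumptions of this example; 10.0.0.1/24 and 172.16.0.0/24 are the values quoted in the table.

```python
# Added example, not VASCO code: models the WAN-to-LAN access decision of Section 3.4.3
# and Table 4.3. Field names and the RFC 1918 check are assumptions of this example.
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List

# A "NAT'd network segment" is expected to use one of these private blocks.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse_cidr(text: str) -> IPv4Network:
    """Accept the table's notation, i.e. a host address plus prefix such as 10.0.0.1/24."""
    return ip_network(text, strict=False)


@dataclass
class NetworkTab:
    remote_lan: IPv4Network                          # Remote LAN IP Address / Netmask
    wan_to_lan_in_nat: bool = False                  # Enable WAN to LAN in NAT setup
    allowed_networks: List[IPv4Network] = field(default_factory=list)  # Allow access from these networks to LAN


def wan_to_lan_allowed(tab: NetworkTab, src_ip: str, dst_ip: str) -> bool:
    """A packet arriving on the WAN interface may traverse the firewall into the PAX's LAN
    only if the option is enabled, the source lies in one of the configured NAT'd networks
    and the destination is inside the remote LAN. Anything else (e.g. Internet traffic)
    stays blocked."""
    if not tab.wan_to_lan_in_nat:
        return False
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    return dst in tab.remote_lan and any(src in net for net in tab.allowed_networks)


def masquerade_on_wan(tab: NetworkTab, dst_ip: str) -> bool:
    """Section 3.4.3: traffic towards a permitted NAT'd host leaves the WAN interface
    unmasqueraded; every other packet leaving the WAN interface is masqueraded."""
    dst = ip_address(dst_ip)
    permitted = tab.wan_to_lan_in_nat and any(dst in net for net in tab.allowed_networks)
    return not permitted


def config_warnings(tab: NetworkTab) -> List[str]:
    """Sanity check on the allowed list: a network outside RFC 1918 (such as 0.0.0.0/0)
    would no longer limit LAN access to a NAT'd segment."""
    return [f"{net} is not an RFC 1918 network; LAN access is not limited to a NAT'd segment"
            for net in tab.allowed_networks
            if not any(net.subnet_of(block) for block in RFC1918)]


if __name__ == "__main__":
    tab = NetworkTab(parse_cidr("10.0.0.1/24"), True, [parse_cidr("172.16.0.0/24")])  # constructed
    print(wan_to_lan_allowed(tab, "172.16.0.5", "10.0.0.20"))    # True
    print(wan_to_lan_allowed(tab, "172.16.1.5", "10.0.0.20"))    # False: not in the allowed /24
    print(masquerade_on_wan(tab, "172.16.0.5"), masquerade_on_wan(tab, "192.0.2.8"))  # False True
    print(config_warnings(NetworkTab(parse_cidr("10.0.0.1/24"), True, [parse_cidr("0.0.0.0/0")])))
```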