Netgear VPN Firewall FVS336Gv2 Reference Manual
Set Up Virtual Private Networking with SSL Connections
ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

9. Enter the settings as described in the following table.

Setting    Description

Policy For
    Select the type of SSL VPN policy:
    • Global. The new policy is global and includes all groups and users.
    • Group. The new policy must be limited to a single group. From the menu, select a group name. For information about how to create groups, see Manage Authentication Groups on page 494.
    • User. The new policy must be limited to a single user. From the menu, select a user name. For information about how to create user accounts, see Manage User Accounts on page 498.

Add SSL VPN Policies

Apply Policy to?
    Select the IP Address radio button. The policy applies to a single IP address. The screen adjusts to make the associated fields and menus available; fields and menus that do not apply are masked out.
Policy Name
    A descriptive name of the SSL VPN policy for identification and management purposes.
IP Address
    The IPv4 or IPv6 address to which the SSL VPN policy applies.
Port Range / Port Number
    A port (complete the Begin field) or a range of ports (complete the Begin and End fields) to which the SSL VPN policy applies. Ports can be 0 through 65535. The policy applies to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic.
Service
    From the menu, select the service to which the SSL VPN policy applies:
    • VPN Tunnel. The policy applies only to a VPN tunnel.
    • Port Forwarding. The policy applies only to port forwarding.
    • All. The policy applies both to a VPN tunnel and to port forwarding.
Permission
    From the menu, select Permit or Deny to specify whether the policy permits or denies access.

10. Click the Apply button.
    Your settings are saved. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect immediately.

Add an IPv4 or IPv6 SSL VPN Policy for an IP Network

The following procedure describes how to add an SSL policy for an IP network.

To add an SSL policy for an IP network:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > SSL VPN.
   The SSL VPN submenu tabs display with the Policies screen in view.
7. Under the List of SSL VPN Policies table, click the Add button.
   The Add SSL VPN Policy screen displays the IPv4 settings.
8. To add an IPv6 SSL policy instead of an IPv4 SSL policy, in the upper right, select the IPv6 radio button.
   The Add SSL VPN Policy screen displays the IPv6 settings. Except for the IPv6 Prefix Length field, which is the Subnet Mask field on the screen for IPv4, the IPv6 screen is identical to the IPv4 screen.
9. Enter the settings as described in the following table.

Setting    Description

Policy For
    Select the type of SSL VPN policy:
    • Global. The new policy is global and includes all groups and users.
    • Group. The new policy must be limited to a single group. From the menu, select a group name. For information about how to create groups, see Manage Authentication Groups on page 494.
    • User. The new policy must be limited to a single user. From the menu, select a user name. For information about how to create user accounts, see Manage User Accounts on page 498.

Add SSL VPN Policies

Apply Policy to?
    Select the IP Network radio button. The policy applies to a network address. The screen adjusts to make the associated fields and menus available; fields and menus that do not apply are masked out.
Policy Name
    A descriptive name of the SSL VPN policy for identification and management purposes.
IP Address
    The IPv4 or IPv6 network address to which the SSL VPN policy applies.
Subnet Mask (IPv4 screen) or IPv6 Prefix Length (IPv6 screen)
    The IPv4 subnet mask that applies to the network to which the SSL VPN policy applies.
    The IPv6 prefix length that applies to the network to which the SSL VPN policy applies.
Port Range / Port Number
    A port (complete the Begin field) or a range of ports (complete the Begin and End fields) to which the SSL VPN policy applies. Ports can be 0 through 65535. The policy applies to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic.
Service
    From the menu, select the service to which the SSL VPN policy applies:
    • VPN Tunnel. The policy applies only to a VPN tunnel.
    • Port Forwarding. The policy applies only to port forwarding.
    • All. The policy applies both to a VPN tunnel and to port forwarding.
Permission
    From the menu, select Permit or Deny to specify whether the policy permits or denies access.

10. Click the Apply button.
    Your settings are saved. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect immediately.

Add an IPv4 or IPv6 SSL VPN Policy for All Addresses

The following procedure describes how to add an SSL policy for all IP addresses.

To add an SSL policy for all IP addresses:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > SSL VPN.
   The SSL VPN submenu tabs display with the Policies screen in view.
7. Under the List of SSL VPN Policies table, click the Add button.
   The Add SSL VPN Policy screen displays the IPv4 settings.
8. To add an IPv6 SSL policy instead of an IPv4 SSL policy, in the upper right, select the IPv6 radio button.
   The Add SSL VPN Policy screen displays the IPv6 settings. Except for the IPv6 Prefix Length field, which is the Subnet Mask field on the screen for IPv4, the IPv6 screen is identical to the IPv4 screen.
9. Enter the settings as described in the following table.

Setting    Description

Policy For
    Select the type of SSL VPN policy:
    • Global. The new policy is global and includes all groups and users.
    • Group. The new policy must be limited to a single group. From the menu, select a group name. For information about how to create groups, see Manage Authentication Groups on page 494.
    • User. The new policy must be limited to a single user. From the menu, select a user name. For information about how to create user accounts, see Manage User Accounts on page 498.

Add SSL VPN Policies

Apply Policy to?
    Select the All Addresses radio button. The policy applies to all addresses. The screen adjusts to make the associated fields and menus available; fields and menus that do not apply are masked out.
Policy Name
    A descriptive name of the SSL VPN policy for identification and management purposes.
Port Range / Port Number
    A port (complete the Begin field) or a range of ports (complete the Begin and End fields) to which the SSL VPN policy applies. Ports can be 0 through 65535. The policy applies to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic.
Service
    From the menu, select the service to which the SSL VPN policy applies:
    • VPN Tunnel. The policy applies only to a VPN tunnel.
    • Port Forwarding. The policy applies only to port forwarding.
    • All. The policy applies both to a VPN tunnel and to port forwarding.
Permission
    From the menu, select Permit or Deny to specify whether the policy permits or denies access.

10. Click the Apply button.
    Your settings are saved. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect immediately.

Change an IPv4 or IPv6 SSL VPN Policy

The following procedure describes how to change an existing SSL policy.

To change an SSL VPN policy:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > SSL VPN.
   The SSL VPN submenu tabs display with the Policies screen in view.
7. In the Query section, select a radio button:
   • Global. View all global policies.
   • Group. To view group policies:
     a. Select the Group radio button.
     b. From the menu, select a user group.
   • User. To view user policies:
     a. Select the User radio button.
     b. From the menu, select a user.
8. Click the Display action button.
   The List of SSL VPN Policies table displays the list for your selected Query option.
9. In the List of SSL VPN Policies table, click the Edit button for the SSL policy that you want to change.
   The Edit SSL VPN Policy screen displays the IPv4 settings.
10. To change an IPv6 SSL policy instead of an IPv4 SSL policy, in the upper right, select the IPv6 radio button.
    The Edit SSL VPN Policy screen displays the IPv6 settings.
11. Change the settings.
    For more information about the settings, see one of the following sections that relates to the type of SSL policy that you are changing:
    • Add an IPv4 or IPv6 SSL VPN Policy for a Network Resource on page 475
    • Add an IPv4 or IPv6 SSL VPN Policy for a Single IP Address on page 477
    • Add an IPv4 or IPv6 SSL VPN Policy for an IP Network on page 479
    • Add an IPv4 or IPv6 SSL VPN Policy for All Addresses on page 481
12. Click the Apply button.
    Your settings are saved. The modified policy displays in the List of SSL VPN Policies table on the Policies screen.
Remove One or More IPv4 or IPv6 SSL VPN Policies

The following procedure describes how to remove an SSL policy that you no longer need.

To remove one or more VPN policies:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > SSL VPN.
   The SSL VPN submenu tabs display with the Policies screen in view.
7. In the Query section, select a radio button:
   • Global. View all global policies.
   • Group. To view group policies:
     a. Select the Group radio button.
     b. From the menu, select a user group.
   • User. To view user policies:
     a. Select the User radio button.
     b. From the menu, select a user.
8. Click the Display action button.
   The List of SSL VPN Policies table displays the list for your selected Query option.
9. In the List of SSL VPN Policies table, select the check box to the left of each SSL policy that you want to remove or click the Select All button to select all policies.
10. Click the Delete button.
    The selected policies are removed from the List of SSL VPN Policies table.
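The settings tables in the Add procedures above define an SSL VPN policy by scope, destination, port range, service, and permission. The following added example (not NETGEAR's code and not the firewall's own evaluation logic) models those fields in Python to validate a planned policy, test which traffic it covers, and flag Permit policies that have no address or port restriction. The class and function names and the sample policies are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

SCOPES = ("Global", "Group", "User")                 # "Policy For"
SERVICES = ("VPN Tunnel", "Port Forwarding", "All")  # "Service"

@dataclass
class SslVpnPolicy:
    name: str
    scope: str = "Global"
    network: Optional[str] = None     # None = All Addresses, else address or network/prefix
    port_begin: Optional[int] = None  # Begin and End both blank = all traffic
    port_end: Optional[int] = None    # End blank = the single port in Begin
    service: str = "All"
    permission: str = "Deny"          # "Permit" or "Deny"

    def ports(self):
        """Inclusive (low, high) port range the policy covers."""
        if self.port_begin is None:
            return (0, 65535)
        return (self.port_begin, self.port_begin if self.port_end is None else self.port_end)

    def validate(self):
        """Raise ValueError if a field is outside what the settings table allows."""
        if (self.scope not in SCOPES or self.service not in SERVICES
                or self.permission not in ("Permit", "Deny")):
            raise ValueError(f"{self.name}: unknown scope, service or permission")
        low, high = self.ports()
        if (self.port_begin is None and self.port_end is not None) or not 0 <= low <= high <= 65535:
            raise ValueError(f"{self.name}: invalid port range")
        if self.network is not None:
            # strict=True rejects host bits such as 192.168.50.7/24 (this example's choice)
            ipaddress.ip_network(self.network, strict=True)

    def matches(self, dest, port, service):
        """True if traffic to dest:port over the given service falls under this policy."""
        low, high = self.ports()
        in_net = self.network is None or (
            ipaddress.ip_address(dest) in ipaddress.ip_network(self.network))
        return in_net and low <= port <= high and self.service in ("All", service)

def broad_permits(policies):
    """Names of Permit policies with neither an address nor a port restriction."""
    return [p.name for p in policies
            if p.permission == "Permit" and p.network is None and p.port_begin is None]

# Constructed sample policies: names and addresses are made up for illustration.
SAMPLE = [
    SslVpnPolicy("mail-only", "Group", "192.168.50.0/24", 25, None, "VPN Tunnel", "Permit"),
    SslVpnPolicy("v6-web", "User", "2001:db8:10::/64", 80, 443, "All", "Permit"),
    SslVpnPolicy("everything", "Global", permission="Permit"),
]
```

Running `broad_permits` over a planned rule set before entering it on the Policies screen points out the entries that permit all addresses on all ports.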
10. Manage Users, Authentication, and VPN Certificates

This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. The chapter contains the following sections:

• VPN Firewall’s Authentication
• Configure Authentication Domains, Groups, and User Accounts
• Manage Digital Certificates for VPN Connections
VPN Firewall’s Authentication

Users are assigned to a group, and a group is assigned to a domain. Therefore, first create any domains, then groups, then user accounts.

Note: Do not confuse the authentication groups with the LAN groups that are described in Manage IPv4 LAN Groups and Hosts on page 132.

You must create name and password accounts for all users who must be able to connect to the VPN firewall. This includes administrators, guests, and SSL VPN clients. Accounts for IPSec VPN clients are required only if you have enabled extended authentication (XAUTH) in your IPSec VPN configuration.

Users connecting to the VPN firewall must be authenticated before being allowed to access the VPN firewall or the VPN-protected network. The login screen that is presented to the user requires three items: a user name, a password, and a domain selection. The domain determines the authentication method that is used and, for SSL connections, the portal layout that is presented.

Note: IPSec VPN, L2TP, and PPTP users do not belong to a domain and are not assigned to a group.

Except in the case of IPSec VPN users, when you create a user account, you must specify a group. When you create a group, you must specify a domain.

The following table summarizes the external authentication protocols and methods that the VPN firewall supports.

Table 9. External authentication protocols and methods

Authentication Protocol or Method    Description

PAP
    Password Authentication Protocol (PAP) is a simple protocol in which the client sends a password in clear text.
CHAP
    Challenge Handshake Authentication Protocol (CHAP) executes a three-way handshake in which the client and server trade challenge messages, each responding with a hash of the other’s challenge message, which is calculated using a shared secret value.
RADIUS
    A network-validated PAP or CHAP password-based authentication method that functions with Remote Authentication Dial In User Service (RADIUS).
MIAS
    A network-validated PAP or CHAP password-based authentication method that functions with Microsoft Internet Authentication Service (MIAS), which is a component of Microsoft Windows 2003 Server.
WiKID
    WiKID Systems is a PAP or CHAP key-based two-factor authentication method that functions with public key cryptography. The client sends an encrypted PIN to the WiKID server and receives a one-time passcode with a short expiration period. The client logs in with the passcode. See Appendix C, Two-Factor Authentication, for more information about WiKID authentication.
NT Domain
    A network-validated domain-based authentication method that functions with a Microsoft Windows NT Domain authentication server. This authentication method is superseded by Microsoft Active Directory authentication but is supported to authenticate legacy Windows clients.
Active Directory
    A network-validated domain-based authentication method that functions with a Microsoft Active Directory authentication server. Microsoft Active Directory authentication servers support a group and user structure. Because the Active Directory supports a multilevel hierarchy (for example, groups or organizational units), this information can be queried to provide specific group policies or bookmarks based on Active Directory attributes.
    Note: A Microsoft Active Directory database uses an LDAP organization schema.
LDAP
    A network-validated domain-based authentication method that functions with a Lightweight Directory Access Protocol (LDAP) authentication server. LDAP is a standard for querying and updating a directory. Because LDAP supports a multilevel hierarchy (for example, groups or organizational units), this information can be queried to provide specific group policies or bookmarks based on LDAP attributes.

Configure Authentication Domains, Groups, and User Accounts

The following sections provide information about configuring authentication domains, groups, and user accounts:

• Manage Authentication Domains
• Manage Authentication Groups
• Manage User Accounts
• Manage User Login Policies
• Change Passwords and Automatic Logout Period

Manage Authentication Domains

The following sections provide information about managing authentication domains:

• Authentication Domains Overview
• Add an Authentication Domain
• Change an Authentication Domain