Netgear VPN Firewall FVS336Gv2 Reference Manual
Manage Users, Authentication, and VPN Certificates 499
ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

User Accounts Overview

When you create a user account, you must assign the user to a user group. When you create a group, you must assign the group to a domain that specifies the authentication method. Therefore, first create any domains, then groups, and then user accounts.

Note: IPSec VPN, L2TP, and PPTP users do not belong to a domain and are not assigned to a group.

The VPN firewall provides two default (preconfigured) user accounts:

• A user with the name admin and the password password. This is a user who has read/write access, is associated with the domain geardomain, and is denied login from the WAN interface by default. The user name is appended by an asterisk. You cannot remove this user account.
• A user with the name guest and the password password. This is a user who has read-only access, is associated with the domain geardomain, and is denied login from the WAN interface by default. The user name is appended by an asterisk. You cannot remove this user account.

Note: For information about allowing user access from the WAN interface, see Configure Login Policies on page 504.

You can create different types of user accounts by applying one of the predefined user types:

• SSL VPN user. A user who can log in only to the SSL VPN portal.
• Administrator. A user who has full access and the capacity to change the VPN firewall configuration (that is, read/write access).
• Guest user. A user who can only view the VPN firewall configuration (that is, read-only access).
• IPSec VPN user. A user who can make an IPSec VPN connection only through a NETGEAR ProSAFE VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 388).
• L2TP user. A user who can connect over an L2TP connection to an L2TP client that is located behind the VPN firewall.
• PPTP user. A user who can connect over a PPTP connection to a PPTP client that is located behind the VPN firewall.

Add a User Account

The following procedure describes how to manually add a user account.

To add a user account:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select Users > Users.
   The Users screen displays. The following figure shows the VPN firewall’s default users—admin and guest—and, as an example, several other users in the List of Users table.

   The List of Users table lists the following information:

   • Check box. Allows you to select the user in the table.
   • Name. The name of the user. If the user name is appended by an asterisk, the user is a default user that is preconfigured on the VPN firewall and you cannot remove the user.
   • Group. The group to which the user is assigned.
   • Type. The type of access credentials that are assigned to the user.
   • Authentication Domain. The authentication domain to which the user is assigned.
   • Action. The Edit button, which provides access to the Edit User screen, and the Policies button, which provides access to the policy screens.
7. Under the List of Users table, click the Add button.
   The Add Users screen displays.
8. Enter the settings as described in the following table.

   Setting / Description

   User Name
       A descriptive (alphanumeric) name of the user for identification and management purposes.

   User Type
       From the menu, select a predefined user type, which determines the access credentials:
       • SSL VPN User. A user who can log in only to the SSL VPN portal.
       • Administrator. A user who has full access and the capacity to change the VPN firewall configuration (that is, read/write access).
       • Guest (readonly). A user who can only view the VPN firewall configuration (that is, read-only access).
       • IPSEC VPN User. A user who can make an IPSec VPN connection only through a NETGEAR ProSAFE VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 388).
       • L2TP User. A user who can connect over an L2TP connection to an L2TP client that is located behind the VPN firewall.
       • PPTP User. A user who can connect over a PPTP connection to a PPTP client that is located behind the VPN firewall.

   Select Group
       The menu shows the groups that are listed on the Groups screen. From the menu, select the group to which you want to assign the user. For information about how to configure groups, see Manage Authentication Groups on page 494.
       Note: The user is assigned automatically to the domain that is associated with the selected group.

   Password
       The password that the user must enter to gain access to the VPN firewall.

   Confirm Password
       The password that you enter in this field must be identical to the password that you enter in the Password field.

   Idle Timeout
       The period after which an idle user is automatically logged out of the web management interface. The default idle time-out period is 5 minutes.

9. Click the Apply button.
   Your settings are saved. The user is added to the List of Users table.

Change a User Account

The following procedure describes how to change an existing user account. However, you cannot change the user name or the group to which the user is assigned.

To change a user account:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select Users > Users.
   The Users screen displays.
7. In the List of Users table, click the Edit button for the user that you want to change.
   The Edit Users screen displays.
8. Change the settings. For more information about the settings, see Add a User Account on page 500.
9. To change the password, select the Check to Edit Password check box.
   The password fields become accessible.
10. Change the password.
11. Click the Apply button.
    Your settings are saved. The modified user account displays in the List of Users table on the Users screen.

Remove One or More User Accounts

The following procedure describes how to remove one or more user accounts that you no longer need.

Note: You cannot remove the default admin or guest user account.

To remove one or more user accounts:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select Users > Groups.
   The Groups screen displays.
7. In the List of Users table, select the check box to the left of each user that you want to remove or click the Select All button to select all users.
8. Click the Delete button.
   The selected users are removed from the List of Users table.

Manage User Login Policies

You can restrict the ability of defined users to log in to the VPN firewall’s web management interface. You can also require or prohibit logging in from certain IP addresses or from particular browsers.

The following sections provide information about managing user login policies:

• Configure Login Policies
• Configure Login Restrictions Based on IP Addresses
• Remove One or More IP Addresses for Login Restrictions
• Configure Login Restrictions Based on Web Browsers
• Remove One or More Web Browsers for Login Restrictions

Configure Login Policies

The following procedure describes how to configure user login policies.

To configure user login policies:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select Users > Users.
   The Users screen displays.
7. In the List of Users table, to the right of the user for which you want to set login policies, click the corresponding Policies button.
   The policies submenu tabs display, with the Login Policies screen in view.
8. Select one or both check boxes:
   • Disable Login. Prohibits the user from logging in to the VPN firewall.
   • Deny Login from WAN Interface. Prohibits the user from logging in from the WAN interface. In this case, the user can log in only from the LAN interface.

   Note: For security reasons, the Deny Login from WAN Interface check box is selected by default for guests and administrators. The Disable Login check box is disabled (masked out) for administrators.
9. Click the Apply button.
   Your settings are saved.

Configure Login Restrictions Based on IP Addresses

The following procedure describes how to restrict logging in based on IP addresses.

To restrict logging in based on IP addresses:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select Users > Users.
   The Users screen displays.
7. In the List of Users table, to the right of the user for which you want to set login policies, click the corresponding Policies button.
   The policies submenu tabs display, with the Login Policies screen in view.
8. Click the By Source IP Address submenu tab.
   The By Source IP Address screen displays the IPv4 settings. The following figure shows an IP address in the Defined Addresses table as an example.
9. To restrict logging in based on IPv6 addresses, in the upper right, select the IPv6 radio button.
   The By Source IP Address screen displays the IPv6 settings. Except for the Prefix Length field, which is the Subnet Mask field on the screen for IPv4, the IPv6 screen is identical to the IPv4 screen.
10. In the Defined Addresses Status section, select a radio button:
    • Deny Login from Defined Addresses. Denies logging in from the IP addresses in the Defined Addresses table.
    • Allow Login only from Defined Addresses. Allows logging in from the IP addresses in the Defined Addresses table.
11. Click the Apply button.
    Your settings are saved.
12. In the Add Defined Addresses section, add an address to the Defined Addresses table by entering the settings as described in the following table.

    Setting / Description

    Source Address Type
        Select the type of address from the menu:
        • IP Address. A single IPv4 or IPv6 address.
        • IP Network. A network of IPv4 or IPv6 addresses. For IPv4, you must enter a netmask length in the Mask Length field. For IPv6, you must enter a prefix length in the Prefix Length field.

    Network Address / IP Address
        Depending on your selection from the Source Address Type menu, enter the IP address or the network address.

    Subnet Mask (IPv4 screen) or Prefix Length (IPv6 screen)
        For IPv4, and only for a network address, enter the netmask length (0–32). By default, a single IPv4 address is assigned a netmask length of 32.
        For IPv6, and only for a network address, enter the prefix length (0–64). By default, a single IPv6 address is assigned a prefix length of 64.

    WARNING: If you allow login only from the defined IP addresses, add your own IP address to the Defined Addresses table; otherwise, you are locked out.
13. Click the Add button.
    The address is added to the Defined Addresses table.
14. Repeat Step 12 and Step 13 for any other addresses that you want to add to the Defined Addresses table.

Remove One or More IP Addresses for Login Restrictions

The following procedure describes how to remove one or more IP addresses that you no longer need for login restrictions.

To remove one or more IP addresses for login restrictions:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select Users > Users.
   The Users screen displays.
7. In the List of Users table, to the right of the user for which you want to change login policies, click the corresponding Policies button.
   The policies submenu tabs display, with the Login Policies screen in view.
8. Click the By Source IP Address submenu tab.
   The By Source IP Address screen displays the IPv4 settings.
9. To remove IPv6 addresses, in the upper right, select the IPv6 radio button.
   The By Source IP Address screen displays the IPv6 settings.
10. In the Defined Addresses table, select the check box to the left of each address that you want to remove or click the Select All button to select all addresses.
11. Click the Delete button.
    The selected addresses are removed from the Defined Addresses table.

Configure Login Restrictions Based on Web Browsers

The following procedure describes how to configure login restrictions based on web browsers.

To restrict logging in based on the user’s browsers:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
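
For the By Source IP Address restrictions described earlier on this page, the following added Python example (not NETGEAR code and not part of the manual) models the two Defined Addresses Status modes and checks the lockout case from the WARNING before a policy is applied. The row tuples, function names and sample addresses are constructed for illustration, and the matching semantics (exact match for an IP Address row, no match against an empty table) are assumptions about the firmware.

```python
import ipaddress

# The two radio buttons in the Defined Addresses Status section.
DENY_DEFINED = "Deny Login from Defined Addresses"
ALLOW_ONLY_DEFINED = "Allow Login only from Defined Addresses"
# Upper bounds the manual gives for an IP Network row's length field.
MAX_LENGTH = {4: 32, 6: 64}


def row_to_network(row):
    """Convert one table row (type, address, length) to an ip_network.

    Assumption: an "IP Address" row matches exactly that one address; how the
    firmware uses the default length it assigns to single addresses is not modeled.
    """
    kind, address, length = row
    ip = ipaddress.ip_address(address)
    if kind == "IP Address":
        return ipaddress.ip_network(str(ip))  # host network: /32 or /128
    if kind != "IP Network":
        raise ValueError(f"unknown Source Address Type: {kind!r}")
    if length is None or not 0 <= length <= MAX_LENGTH[ip.version]:
        raise ValueError(f"length {length!r} out of range for IPv{ip.version}")
    # strict=False tolerates host bits in the entry, e.g. 192.0.2.10 with length 24
    return ipaddress.ip_network(f"{ip}/{length}", strict=False)


def login_permitted(client, mode, rows):
    """Assumed decision for one client address under the selected mode."""
    ip = ipaddress.ip_address(client)
    listed = any(n.version == ip.version and ip in n for n in map(row_to_network, rows))
    if mode == ALLOW_ONLY_DEFINED:
        return listed  # an empty table therefore admits nobody
    if mode == DENY_DEFINED:
        return not listed
    raise ValueError(f"unknown mode: {mode!r}")


def would_lock_out(own_address, mode, rows):
    """Pre-apply check for the manual's WARNING about your own IP address."""
    return not login_permitted(own_address, mode, rows)


# Constructed sample table using documentation address ranges.
SAMPLE_ROWS = [
    ("IP Network", "192.0.2.0", 24),
    ("IP Address", "198.51.100.7", None),
    ("IP Network", "2001:db8:0:1::", 64),
]

if __name__ == "__main__":
    for c in ("192.0.2.55", "198.51.100.8", "2001:db8:0:1::20"):
        print(c, login_permitted(c, ALLOW_ONLY_DEFINED, SAMPLE_ROWS))
    print(would_lock_out("192.168.1.10", ALLOW_ONLY_DEFINED, []))
```

In the procedure above, the mode is applied in step 11 before the first address is added in step 12, which is the state the last call models.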