Netgear VPN Firewall FVS336Gv2 Reference Manual
Manage Users, Authentication, and VPN Certificates 509 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

The Router Status screen displays.
6. Select Users > Users.
The Users screen displays.
7. In the List of Users table, to the right of the user for which you want to set login policies, click the corresponding Policies button.
The policies submenu tabs display, with the Login Policies screen in view.
8. Click the By Client Browser submenu tab.
The By Client Browser screen displays. The following figure shows a browser in the Defined Browsers table as an example.
9. In the Defined Browsers Status section, select a radio button:
• Deny Login from Defined Browsers. Deny logging in from the browsers in the Defined Browsers table.
• Allow Login only from Defined Browsers. Allow logging in from the browsers in the Defined Browsers table.
10. Click the Apply button.
Your settings are saved.
11. In the Add Defined Browser section, add a browser to the Defined Browsers table by selecting one of the following browsers from the menu:
• Internet Explorer.
• Opera.
• Netscape Navigator.
• Firefox. Mozilla Firefox.
• Mozilla. Other Mozilla browsers.
12. Click the Add button.
The browser is added to the Defined Browsers table.
13. Repeat Step 11 and Step 12 for any other browsers that you want to add to the Defined Browsers table.

Remove One or More Web Browsers for Login Restrictions

The following procedure describes how to remove one or more web browsers that you no longer need for login restrictions.

To remove one or more web browsers for login restrictions:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
The Router Status screen displays.
6. Select Users > Users.
The Users screen displays.
7. In the List of Users table, to the right of the user for which you want to change login policies, click the corresponding Policies button.
The policies submenu tabs display, with the Login Policies screen in view.
8. Click the By Client Browser submenu tab.
The By Client Browser screen displays.
9. In the Defined Browsers table, select the check box to the left of each browser that you want to remove or click the Select All button to select all browsers.
10. Click the Delete button.
The selected browsers are removed from the Defined Browsers table.
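The By Client Browser policy above has two modes (deny the listed browsers, or allow only the listed browsers) and five browser categories. The following Python program is an added example, not NETGEAR code, that models that policy against the HTTP User-Agent header so the two modes can be compared on sample clients. The manual does not say how the firewall identifies a browser, so the User-Agent substrings used for classification, the helper names, and the sample User-Agent strings are this example's own assumptions.

```python
"""By Client Browser login policy, modelled on the FVS336Gv2 screen described above.

Added example; not NETGEAR code. The five browser categories are the ones the
manual's Add Defined Browser menu offers. The User-Agent substrings used to
recognise them are an assumption of this example; the manual does not say how
the firewall identifies a browser.
"""
from typing import Optional, Set

DEFINED_BROWSER_CHOICES = (
    "Internet Explorer", "Opera", "Netscape Navigator", "Firefox", "Mozilla",
)


def classify_browser(user_agent: str) -> Optional[str]:
    """Map a User-Agent header to one of the manual's browser categories.

    Order matters: Opera and Internet Explorer historically advertised
    themselves as "Mozilla/..." as well, so they are tested first. Anything
    else that starts with "Mozilla/" falls into the manual's catch-all
    "Mozilla. Other Mozilla browsers" entry. Non-browser clients return None.
    """
    if "Opera" in user_agent or "OPR/" in user_agent:
        return "Opera"
    if "MSIE" in user_agent or "Trident/" in user_agent:
        return "Internet Explorer"
    if "Netscape" in user_agent:
        return "Netscape Navigator"
    if "Firefox/" in user_agent:
        return "Firefox"
    if user_agent.startswith("Mozilla/"):
        return "Mozilla"
    return None


def login_allowed(user_agent: str, defined: Set[str], status: str) -> bool:
    """Apply the Defined Browsers Status radio button to one login attempt.

    status is "deny"  for "Deny Login from Defined Browsers" or
              "allow" for "Allow Login only from Defined Browsers".
    """
    unknown = set(defined) - set(DEFINED_BROWSER_CHOICES)
    if unknown:
        raise ValueError("not a menu choice: %s" % ", ".join(sorted(unknown)))
    listed = classify_browser(user_agent) in defined
    if status == "deny":
        return not listed
    if status == "allow":
        return listed
    raise ValueError("status must be 'deny' or 'allow'")


# Constructed sample User-Agent strings for a local check (not captured traffic).
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
UA_IE11 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
UA_SCRIPT = "curl/8.4.0"

if __name__ == "__main__":
    policy = {"Firefox"}
    for ua in (UA_FIREFOX, UA_IE11, UA_CHROME, UA_SCRIPT):
        print("%-18s deny=%-5s allow_only=%s" % (
            classify_browser(ua), login_allowed(ua, policy, "deny"),
            login_allowed(ua, policy, "allow")))
```

Note that "Allow Login only from Defined Browsers" is the stricter mode: a client that matches no category (a script, for instance) is refused, whereas under "Deny Login from Defined Browsers" it is let through. The User-Agent header is chosen by the client, so this policy is a hygiene control that narrows which clients reach the login screen; it does not replace a strong administrator password or review of the login attempts the firewall records.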
Change Passwords and Automatic Logout Period

For any user, you can change the password and automatic logout period. Only administrators have read/write access and can change these settings. All other users have read-only access.

IMPORTANT: The default administrator passwords for the web management interface are both password. NETGEAR recommends that you change the password for the administrator account to a more secure password and that you configure a separate secure password for the guest account. The most secure password does not contain dictionary words from any language and is a mixture of letters (both uppercase and lowercase), numbers, and selected special characters. The password can be up to 32 characters in length. However, the password cannot contain a space or any of the following special characters:
` ~ ! # $ & * ( ) - + | ; : < >
After a factory defaults reset, the password and time-out value are changed back to password and 5 minutes, respectively.

To change a password:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
The Router Status screen displays.
6. Select Users > Users.
The Users screen displays.
7. In the List of Users table, to the right of the user for which you want to change the settings, click the corresponding Edit button.
The Edit Users screen displays.
8. Change the password and logout period settings as described in the following table.

Setting                  Description
Check to Edit Password   Select this check box to make the password fields accessible.
Enter Your Password      Enter the password with which you have logged in.
New Password             Enter the new password.
Confirm New Password     Reenter the new password for confirmation. The password that you enter in this field must be identical to the password that you enter in the Password field.
Idle Timeout             The period after which an idle user is automatically logged out of the web management interface. The default idle time-out period is 5 minutes.

9. Click the Apply button.
Your settings are saved.

Manage Digital Certificates for VPN Connections

The following sections provide information about managing digital certificates:
• VPN Certificates Overview
• Manage VPN CA Certificates
• Manage VPN Self-Signed Certificates
• Manage the VPN Certificate Revocation List
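The password rules in Change Passwords and Automatic Logout Period above are precise enough to check before a new password is typed into the Edit Users screen: at most 32 characters, no space, none of the sixteen listed special characters, plus the recommendation of mixed case, digits, special characters and no dictionary words. The following Python program is an added example, not NETGEAR code, that separates the rules the firewall enforces (the password would be refused) from the recommendations (the password is accepted but weak). The short word list is constructed for the example and stands in for a real dictionary.

```python
"""Password rules for the FVS336Gv2 web management interface.

Added example; not NETGEAR code. The hard rules (at most 32 characters, no
space, none of ` ~ ! # $ & * ( ) - + | ; : < >) and the strength advice
(mixed case, digits, special characters, no dictionary words, not the
factory default "password") are taken from the manual text above. The tiny
word list is constructed for this example; a real check would load a full
dictionary.
"""
import string
from typing import List

MAX_LENGTH = 32
FACTORY_DEFAULT = "password"
FORBIDDEN = set("`~!#$&*()-+|;:<>") | {" "}
# Special characters the firewall does accept: ASCII punctuation minus the forbidden set.
ALLOWED_SPECIAL = set(string.punctuation) - FORBIDDEN
# Constructed, deliberately short stand-in for a dictionary.
DICTIONARY_WORDS = {"password", "netgear", "admin", "firewall", "welcome", "secret"}


def violations(password: str) -> List[str]:
    """Rules the firewall enforces; a non-empty result means it would reject the password."""
    problems = []
    if not password:
        problems.append("password is empty")
    if len(password) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    bad = sorted(set(password) & FORBIDDEN)
    if bad:
        problems.append("contains disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


def weaknesses(password: str) -> List[str]:
    """Manual's recommendations; a non-empty result means the password is accepted but weak."""
    notes = []
    if password == FACTORY_DEFAULT:
        notes.append("is the factory default")
    if not any(c.islower() for c in password):
        notes.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        notes.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        notes.append("no digit")
    if not any(c in ALLOWED_SPECIAL for c in password):
        notes.append("no special character")
    lowered = password.lower()
    hits = sorted(w for w in DICTIONARY_WORDS if w in lowered)
    if hits:
        notes.append("contains dictionary word(s): " + ", ".join(hits))
    return notes


def assess(password: str) -> str:
    """One-word verdict: 'rejected' (firewall refuses it), 'weak' (accepted, advice not met) or 'ok'."""
    if violations(password):
        return "rejected"
    return "weak" if weaknesses(password) else "ok"


if __name__ == "__main__":
    for pw in ("password", "Netgear#2024", "Tr0ub4dor@v3.Zx", "x" * 40):
        print("%-20r %-8s %s" % (pw, assess(pw), violations(pw) + weaknesses(pw)))
```

The split matters in practice: "Netgear#2024" looks strong but is refused outright because # is on the forbidden list, while the factory default "password" passes every hard rule and is only caught by the recommendations, which is why the manual's note on changing it after a factory reset deserves a place in the deployment checklist.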
VPN Certificates Overview

The VPN firewall uses digital certificates (also known as X.509 certificates) during the Internet Key Exchange (IKE) authentication phase to authenticate connecting IPSec VPN gateways or clients, or to be authenticated by remote entities:
• On the VPN firewall, you can enter a digital certificate when you manually configure an IKE policy. For an IKE policy, the digital certificate is referred to as an RSA signature (see Authentication Method on page 372).
• On the VPN client, you can enter a digital certificate when you configure authentication.

Digital certificates are also used for secure web access connections over HTTPS (that is, SSL connections). Digital certificates either can be self-signed or can be issued by certification authorities (CAs) such as an internal Windows server or an external organization such as Verisign or Thawte. However, if the digital certificate contains the extKeyUsage extension, the certificate must be used for one of the purposes defined by the extension. For example, if the digital certificate contains the extKeyUsage extension that is defined for SNMPv2, the same certificate cannot be used for secure web management. The extKeyUsage would govern the certificate acceptance criteria on the VPN firewall when the same digital certificate is being used for secure web management.

When you upload a digital certificate, the VPN firewall checks the validity and purpose of the certificate. If the certificate passes the validity test and the purpose matches its use, the VPN firewall accepts the certificate. The check for the purpose must correspond to its use for IPSec VPN, SSL VPN, or both. If the defined purpose is for IPSec VPN and SSL VPN, the digital certificate is uploaded to both the IPSec VPN certificate repository and the SSL VPN certificate repository. However, if the defined purpose is for IPSec VPN only, the certificate is uploaded only to the IPSec VPN certificate repository.

The VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients and to be authenticated by remote entities. A digital certificate that authenticates a server, for example, is a file that contains the following elements:
• A public encryption key to be used by clients for encrypting messages to the server.
• Information identifying the operator of the server.
• A digital signature confirming the identity of the operator of the server. Ideally, the signature is from a trusted third party whose identity can be verified.

You can obtain a digital certificate from a well-known commercial certification authority (CA) such as Verisign or Thawte or you can generate and sign your own digital certificate. Because a commercial CA takes steps to verify the identity of an applicant, a digital certificate from a commercial CA provides a strong assurance of the server’s identity. A self-signed digital certificate triggers a warning from most browsers because it provides no protection against identity theft of the server.

The VPN firewall contains a self-signed digital certificate from NETGEAR. However, NETGEAR recommends that you replace this digital certificate with a digital certificate from a well-known commercial CA before you deploy the VPN firewall in your network.
You can view loaded digital certificates, upload a new digital certificate, and generate a certificate signing request (CSR). The VPN firewall typically holds two types of digital certificates:
• CA certificates. Each CA issues its own digital certificate to validate communication with the CA and to verify the validity of digital certificates that are signed by the CA.
• Self-signed certificates. The digital certificates that are issued to you by a CA to identify your device.

On the VPN firewall, you can manage certificates through four tables:
• Trusted Certificates (CA Certificate) table. Contains the trusted digital certificates that were issued by CAs and that you uploaded (see Manage VPN CA Certificates on page 514).
• Active Self Certificates table. Contains the self-signed certificates that were issued by CAs and that you uploaded (see Manage VPN Self-Signed Certificates on page 516).
• Self Certificate Requests table. Contains the self-signed certificate requests that you generated. You might or might not have submitted these requests to CAs, and CAs might or might not have issued digital certificates for these requests. Only the self-signed certificates in the Active Self Certificates table are active on the VPN firewall (see Manage VPN Self-Signed Certificates on page 516).
• Certificate Revocation Lists (CRL) table. Contains the lists with digital certificates that are revoked and no longer valid, that were issued by CAs, and that you uploaded. Note, however, that the table displays only the active CAs and their critical release dates (see Manage the VPN Certificate Revocation List on page 522).
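The overview above states that the firewall checks a certificate's purpose on upload and places it in the IPSec VPN repository, the SSL VPN repository, or both, and that the extKeyUsage extension is what restricts a certificate to a purpose. The following Python program is an added example, not NETGEAR code and not the firewall's actual acceptance logic: it decodes an extKeyUsage extension value from DER with a small stand-alone parser (a SEQUENCE OF OBJECT IDENTIFIER) and reports which repositories a certificate is eligible for. The manual does not say which OIDs the firewall maps to which repository, so the mapping used here (the IKE and IPsec id-kp purposes to IPSec VPN, serverAuth to SSL VPN) is an assumption, and the three extension values are constructed for the example.

```python
"""Which repository a certificate may enter, decided from its extKeyUsage.

Added example; not NETGEAR code. The manual says the firewall checks a
certificate's purpose and loads it into the IPSec VPN repository, the SSL VPN
repository, or both. It does not say which extKeyUsage OIDs it maps to which
repository, so the mapping below is this example's assumption. The DER
decoding is a minimal stand-alone parser for the extension value only.
"""
from typing import List, Optional, Set, Tuple

# Well-known id-kp OIDs (RFC 5280, RFC 4945); the mapping to repositories below is assumed.
OID_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.5": "ipsecEndSystem",
    "1.3.6.1.5.5.7.3.6": "ipsecTunnel",
    "1.3.6.1.5.5.7.3.7": "ipsecUser",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
    "1.3.6.1.5.5.7.3.17": "ipsecIKE",
}
IPSEC_VPN_PURPOSES = {"ipsecIKE", "ipsecEndSystem", "ipsecTunnel", "ipsecUser"}  # assumed
SSL_VPN_PURPOSES = {"serverAuth"}                                                # assumed
ALL_REPOSITORIES = {"IPSec VPN", "SSL VPN"}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    if not content:
        raise ValueError("empty OID")
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128; high bit set on all but the last byte
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("unterminated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_ext_key_usage(der: bytes) -> List[str]:
    """Decode an extKeyUsage extension value (SEQUENCE OF OBJECT IDENTIFIER) into OID strings."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage must be a SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extKeyUsage")
        oids.append(decode_oid(content))
    return oids


def repositories_for(eku_der: Optional[bytes]) -> Set[str]:
    """Repositories the certificate is eligible for; an empty set means it fits neither use."""
    if eku_der is None:                  # no extKeyUsage: not restricted to any purpose
        return set(ALL_REPOSITORIES)
    purposes = {OID_NAMES.get(oid, oid) for oid in parse_ext_key_usage(eku_der)}
    eligible = set()
    if purposes & IPSEC_VPN_PURPOSES:
        eligible.add("IPSec VPN")
    if purposes & SSL_VPN_PURPOSES:
        eligible.add("SSL VPN")
    return eligible


# Constructed extension values (DER, hex) for a local check.
EKU_SERVER_AND_IKE = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070311")
EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")
EKU_OCSP_ONLY = bytes.fromhex("300a" "06082b06010505070309")

if __name__ == "__main__":
    for label, der in (("serverAuth+ipsecIKE", EKU_SERVER_AND_IKE),
                       ("serverAuth only", EKU_SERVER_ONLY),
                       ("OCSPSigning only", EKU_OCSP_ONLY),
                       ("no extKeyUsage", None)):
        print("%-20s -> %s" % (label, sorted(repositories_for(der)) or "fits neither repository"))
```

Under this model a certificate carrying only OCSPSigning fits neither repository, which is the situation the manual describes with its SNMPv2 example: the extension names a purpose, and the firewall refuses to use the certificate for anything else. A certificate without extKeyUsage is treated as unrestricted, matching the manual's "if the digital certificate contains the extKeyUsage extension" wording. Reading the Extended Key Usage field of a candidate certificate in any X.509 viewer before upload therefore tells you in advance which of the two repositories it can land in.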
Manage VPN CA Certificates

The following sections provide information about managing VPN certification authority (CA) certificates:
• Upload a CA Certificate
• Remove a CA Certificate

Upload a CA Certificate

The following procedure describes how to upload a CA certificate of a trusted CA on the VPN firewall.

To upload a CA certificate of a trusted CA on the VPN firewall:
1. Download a digital certificate file from a trusted CA and store it on your computer.
2. On your computer, launch an Internet browser.
3. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
The NETGEAR Configuration Manager Login screen displays.
4. In the Username field, type your user name and in the Password / Passcode field, type your password.
For the default administrative account, the default user name is admin and the default password is password.
5. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
6. Click the Login button.
The Router Status screen displays.
7. Select VPN > Certificates.
The Certificates screen displays. The following figure shows the top section with the trusted certificate information and a sample certificate in the Trusted Certificates (CA Certificate) table.
The Trusted Certificates (CA Certificate) table lists the digital certificates of CAs and contains the following fields:
• CA Identity (Subject Name). The organization or person to whom the digital certificate is issued.
• Issuer Name. The name of the CA that issued the digital certificate.
• Expiry Time. The date after which the digital certificate becomes invalid.
8. In the Upload Trusted Certificates section, click the Browse button and navigate to the trusted digital certificate file that you downloaded on your computer.
9. Click the Upload button.
The VPN firewall verifies the certificate for validity and purpose. If the VPN firewall approves the certificate, it is added to the Trusted Certificates (CA Certificates) table.
Remove a CA Certificate

The following procedure describes how to remove one or more CA certificates that you no longer need.

To remove one or more CA certificates:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
The Router Status screen displays.
6. Select VPN > Certificates.
The Certificates screen displays.
7. In the Trusted Certificates (CA Certificate) table, select the check box to the left of each digital certificate that you want to remove or click the Select All button to select all digital certificates.
8. Click the Delete button.
The selected certificates are removed from the Trusted Certificates (CA Certificate) table.

Manage VPN Self-Signed Certificates

Instead of obtaining a digital certificate from a CA, you can generate and sign your own digital certificate. The following sections provide information about managing VPN self-signed certificates:
• Generate a Certificate Signing Request and Obtain a Self-Signed Certificate from a CA
• View Self-Signed Certificates
• Remove One or More Self-Signed Certificates
• Remove One or More Certificate Signing Requests
Generate a Certificate Signing Request and Obtain a Self-Signed Certificate from a CA

To use a self-signed certificate, you first must request the digital certificate from a CA and then download and activate the digital certificate on the VPN firewall. To request a self-signed certificate from a CA, you must generate a certificate signing request (CSR) for and on the VPN firewall. The CSR is a file that contains information about your company and about the device that holds the certificate. Refer to the CA for guidelines about the information that you must include in your CSR.

To generate a new CSR, obtain a digital certificate from a CA, and upload the digital certificate to the VPN firewall:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
The Router Status screen displays.
6. Select VPN > Certificates.
The Certificates screen displays. The following figure shows the middle section with the Active Self Certificates section, Generate Self Certificate Request section, and Self Certificate Requests section. The Self Certificate Requests table shows a sample certificate.
7. In the Generate Self Certificate Request section, enter the settings as described in the following table.

Setting                Description
Name                   A descriptive name of the domain for identification and management purposes.
Subject                The name that other organizations see as the holder (owner) of the certificate. In general, use your registered business name or official company name for this purpose.
                       Note: Generally, all of your certificates must have the same value in the Subject field.
Hash Algorithm         From the menu, select a hash algorithm:
                       • MD5. A 128-bit (16-byte) message digest, slightly faster than SHA-1.
                       • SHA-1. A 160-bit (20-byte) message digest, slightly stronger than MD5.
Signature Algorithm    Although this seems to be a menu, the only possible selection is RSA. That is, RSA is the default setting for generating a CSR.
Signature Key Length   From the menu, select one of the following signature key lengths in bits:
                       • 512
                       • 1024
                       • 2048
                       Note: Larger key sizes might improve security but might also decrease performance.
IP Address             (Optional) Enter your fixed (static) IP address. If your IP address is dynamic, leave this field blank.