WSM User Guide - WatchGuard Technologies
Configuring LDAP Authentication

3. In the IP Address box, type the IP address of the primary LDAP server for the Firebox to contact with authentication requests.
   The LDAP server can be located on any Firebox interface or available through a VPN tunnel.

4. From the Port drop-down list, select the TCP port number for the Firebox to use to connect to the LDAP server. The default port number is 389.
   We do not support SSL binds on port 636.

5. Type the Search Base. The standard format for the search base setting is: ou=organizational unit,dc=first part of distinguished server name,dc=any part of the distinguished server name appearing after the dot.
   For example, if your user accounts are in an OU (organizational unit) you refer to as "accounts" and your domain name is kunstlerandsons.com, your search base is: "ou=accounts,dc=kunstlerandsons,dc=com".
   You set a search base to limit the directories on the authentication server that the Firebox searches for an authentication match.

6. Type the Group String.
   This is the attribute string that is used to hold user group information on the LDAP server. On many LDAP servers, the default group string is "uniqueMember"; on other servers it is "member".

7. If necessary, change the time-out value. This is how long the Firebox waits for a response from the authentication server.

8. Add information for a backup LDAP server, if you have one.

9. To configure MUVPN users to get configuration information from the LDAP server, you can change your directory schema and use the settings available through the Optional Settings button. You can enter MUVPN client information in the user properties of your LDAP server, which includes the IP address, subnet mask, or DNS and WINS servers. Then, you can map these fields to the fields that appear in Optional Settings. When the MUVPN user starts a VPN tunnel through the Firebox, the Firebox sets the IP address, subnet mask, or DNS and WINS servers for the user with the information contained in the LDAP user properties.

   IP Attribute String: Type the name of the LDAP user property field that contains the assigned IP address.

   Netmask Attribute String: Type the name of the LDAP user property field that contains the assigned subnet mask.

   DNS Attribute String: Type the name of the LDAP user property field that contains the DNS server IP address.

   WINS Attribute String: Type the name of the LDAP user property field that contains the WINS server IP address.

   Lease Time Attribute String: Type the name of the LDAP user property field that contains the total time allowed for the MUVPN connection session.

   Idle Timeout Attribute String: Type the name of the LDAP user property field that contains the assigned idle time-out.

130 WatchGuard System Manager
Configuring Active Directory Authentication

You can use an Active Directory authentication server to authenticate your users to the Firebox. You must configure the Firebox® and configure the Active Directory server.

1. From Policy Manager, select Setup > Authentication Servers. Select the Active Directory tab.

2. Select the Enable Active Directory Server check box.

3. Type the IP address of the primary Active Directory server.
   The Active Directory server can be located on any Firebox interface or available through a VPN tunnel.

4. Select the TCP port number for the Firebox to use to connect to the Active Directory server. The default port number is 389.
   If your Active Directory server is a global catalog server, it can be useful to change the default port. For more information, see https://www.watchguard.com/support/Fireware_Howto/HowTo_UseGlobalCatalogPort.pdf.

5. Type the Search Base. The standard format for the search base setting is: ou=organizational unit,dc=first part of distinguished server name,dc=any part of the distinguished server name appearing after the dot.
   For example, if your user accounts are in an OU (organizational unit) you refer to as "accounts" and your domain name is HQ_main.com, your search base is: "ou=accounts,dc=HQ_main,dc=com".
   You set a search base to limit the directories on the authentication server that the Firebox searches for an authentication match.

6. Type the Group String.
   This is the attribute string that is used to hold user group information on the Active Directory server. If you have not changed your Active Directory schema, the group string is always "memberOf".

7. If necessary, change the time-out value. This is the time the Firebox waits for a response from the authentication server.

8. Add information for a backup Active Directory server, if you have one.

9. To configure MUVPN users to get configuration information from the Active Directory server, you can change your directory schema and use the settings available through the Optional Settings

User Guide 131
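The following is an added example, not WatchGuard's code, that models the three settings the LDAP and Active Directory sections above have in common: it builds a search base from an OU and a domain name in the format the guide gives, resolves a user's groups under the two group-string models the guide names (group-held "uniqueMember"/"member" on generic LDAP servers, user-held "memberOf" on Active Directory), and reads the MUVPN Optional Settings mappings from a user entry. The directory entries, the `muvpn*` attribute names and the function names are constructed for this example; a real deployment would issue the same lookups over an LDAP connection.

```python
"""Added example (not WatchGuard's code): search base construction, group
resolution under both group-string models, and MUVPN attribute mapping.
Directory data and attribute names below are constructed for the example."""
import ipaddress


def escape_dn_value(value: str) -> str:
    """Escape the characters RFC 4514 reserves inside a DN attribute value."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def search_base(ou: str, domain: str) -> str:
    """ou=<ou>,dc=<label>,... built the way the guide's format describes."""
    labels = [l for l in domain.strip(".").split(".") if l]
    if not ou or not labels:
        raise ValueError("an OU and a dotted domain name are required")
    return ",".join([f"ou={escape_dn_value(ou)}"]
                    + [f"dc={escape_dn_value(l)}" for l in labels])


# Constructed directory: DN -> attributes, list-valued as LDAP returns them.
# One generic LDAP tree (groupOfUniqueNames) and one AD-style tree (memberOf).
DIRECTORY = {
    "uid=jdoe,ou=accounts,dc=kunstlerandsons,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"],
        "muvpnIP": ["10.0.5.21"], "muvpnMask": ["255.255.255.0"],
        "muvpnDNS": ["not-an-ip"]},          # deliberately malformed value
    "cn=vpn-users,ou=groups,dc=kunstlerandsons,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=jdoe,ou=accounts,dc=kunstlerandsons,dc=com"]},
    "cn=admins,ou=groups,dc=kunstlerandsons,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=asmith,ou=accounts,dc=kunstlerandsons,dc=com"]},
    "CN=jdoe,OU=accounts,DC=HQ_main,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["jdoe"],
        "memberOf": ["CN=vpn-users,OU=groups,DC=HQ_main,DC=com"]},
}


def in_base(dn: str, base: str) -> bool:
    """True if dn is the base or lies below it (RDN-boundary aware, case-folded)."""
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)


def groups_for(user_dn: str, group_string: str, base: str,
               directory: dict = DIRECTORY) -> list:
    """Group DNs for user_dn, read through the configured group string.

    The search base limits what is examined: a user outside it never matches.
    "memberOf" is read from the user entry (AD model); any other group string
    is looked for on group entries under the base (generic LDAP model)."""
    if not in_base(user_dn, base):
        return []
    if group_string.lower() == "memberof":
        return sorted(directory.get(user_dn, {}).get("memberOf", []))
    return sorted(dn for dn, attrs in directory.items()
                  if in_base(dn, base) and user_dn in attrs.get(group_string, []))


# Optional Settings fields -> constructed attribute-string names.
MUVPN_ATTRIBUTE_MAP = {"ip": "muvpnIP", "netmask": "muvpnMask",
                       "dns": "muvpnDNS", "wins": "muvpnWINS"}


def muvpn_settings(user_dn: str, attribute_map: dict = MUVPN_ATTRIBUTE_MAP,
                   directory: dict = DIRECTORY) -> dict:
    """MUVPN client settings found on the user entry.

    Only values that parse as IPv4 addresses are returned; an absent attribute
    or a non-address value is dropped rather than handed to the client."""
    entry = directory.get(user_dn, {})
    settings = {}
    for field, attr in attribute_map.items():
        values = entry.get(attr, [])
        if not values:
            continue
        try:
            settings[field] = str(ipaddress.IPv4Address(values[0]))
        except ipaddress.AddressValueError:
            continue
    return settings
```

Two points the code makes concrete: a group string that does not match the attribute the server actually uses ("member" against a groupOfUniqueNames tree) yields no groups, so the user silently fails group-based policies, and a search base that does not contain the user's entry yields no match at all even when the credentials are right.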