User manual / service manual for the SSL VPN from manufacturer WatchGuard Technologies
WatchGuard® Firebox® SSL VPN Gateway Administration Guide Firebox SSL VPN Gateway.
ADDRESS: 505 Fifth Avenue South Suite 500 Seattle, WA 98104 SUPPORT: www.watchguard.com/support support@watchguard.com U.S. and Canada +877.232.3531 All Other Countries +1.206.613.0456 SALES: U.S. and Canada +1.800.734.
Contents: CHAPTER 1 Getting Started with Firebox SSL VPN Gateway; Audience
Disable kiosk mode; Specify multiple ports and port ranges for network resources
Using the Serial Console; To open the serial console
Allowing ICMP traffic; To enable ICMP traffic
To disable Firebox SSL VPN Gateway authentication; SafeWord PremierAccess Authorization
Enabling session time-out; Configuring Web Session Time-Outs
Using the Access Portal; To connect using the default portal page
Launching the v 5.5 Administration Tool; Troubleshooting
CHAPTER 1 Getting Started with Firebox SSL VPN Gateway This chapter describes who should read the Firebox SSL VPN Gateway Administration Guide, how it is organized, and its document conventions.
Document Conventions Firebox SSL VPN Gateway documentation uses the following typographic conventions for menus, commands, keyboard keys, and i.
LiveSecurity Service Broadcasts learn more about your WatchGuard Firebox® and network security, or find a WatchGuard Certified Training Center in your area.
LiveSecurity Service Self Help Tools New from WatchGuard When WatchGuard releases a new product, we first tell you — our customers. You can learn about new features and services, product upgrades, hardware releases, and promotions.
WatchGuard Users Forum Advanced FAQs The Advanced FAQs (frequently asked questions) give you important information about configuration options and operation of systems or products. They add to the information you can find in this User Guide and in the Online Help system.
Online Help This forum has different categories that you can use to look for information. The Technical Support team controls the forum during regular work hours. You do not get special help from Technical Support when you use the forum.
Training and Certification Service time We try for a maximum response time of four hours. Single Incident Priority Response Upgrade (SIPRU) and Single Incident After Hours Upgrade (SIAU) are also available. For more data about these upgrades, refer to the WatchGuard web site at: http://www.
a certification exam. The training materials include links to books and web sites with more information about network security. WatchGuard product training is also available at a location near you through a large group of WatchGuard Certified Training Partners (WCTPs).
CHAPTER 2 Introduction to Firebox SSL VPN Gateway WatchGuard Firebox SSL VPN Gateway is a universal Secure Socket Layer (SSL) virtual private network (VPN) appliance that provides a secure single point-of-access to any information resource — both data and voice.
Overview As shown in the following illustration, the Firebox SSL VPN Gateway is appropriate for employees accessing the organization remotely and intranet access from restricted LANs such as wireless networks.
New Features The virtual TCP circuit is using industry standard Secure Socket Layer (SSL) and Transport Layer Security (TLS) encryption. All packets destined for the private network are transported over the virtual TCP circuit.
Secure Access Client connections The Secure Access Client included in this release can connect to earlier versions of the Firebox SSL VPN Gateway.
Features NTLM authentication and authorization support. If your environment includes Windows NT 4.0 domain controllers, the Firebox SSL VPN Gateway can authenticate users against the user domain accounts maintained on the Windows NT server.
• Date and time configuration • Certificate generation and installation • Restarting and shutting down the Firebox SSL VPN Gateway • Saving and reinstalling configuration settings Note If the Firebox SSL VPN Gateway is upgraded to Version 5.
Server Upgrade: VPN Gateway Cluster > Administration
Server Restart: VPN Gateway Cluster > Administration
Server Shut Down: VPN Gateway Cluster > Adminis.
The User Experience Feature Summary The following are key Firebox SSL VPN Gateway features: • Universal SSL VPN. Supports all applications and protocols that improve pr.
Deployment and Administration Secure Access Client by typing a secure Web address in a standard Web browser and providing authentication credentials. Because the Firebox SSL VPN Gateway encrypts traffic using standard SSL/TLS, it can traverse firewalls and proxy servers, regardless of the client location.
Administration Desktop also provides access to the Real-Time Monitor, where you can view a list of current users and close the connection for any user. Planning your deployment This chapter discusses deployment scenarios for the Firebox SSL VPN Gateway.
Planning for Security with the Firebox SSL VPN Gateway When a Firebox SSL VPN Gateway is deployed in the secure network, the Secure Access Client or kiosk client connections must traverse the firewall to connect to the Firebox SSL VPN Gateway.
Installing the Firebox SSL VPN Gateway for the First Time Deploying Additional Appliances for Load Balancing and Failover You can install multiple Firebox SSL VPN Gateway appliances into your environment for one or both of these reasons: • Scalability.
• The Firebox SSL VPN Gateway FQDN for network address translation (NAT) • The IP address of the default .
• [4] Display Log displays the Firebox SSL VPN Gateway log • [5] Reset Certificate resets the certificate.
To configure TCP/IP Settings Using Network Cables The Firebox SSL VPN Gateway has two network adapters installed. One network adapter communicates with the Internet and client computers that are not inside the corporate network.
Using the Firebox SSL VPN Gateway For information about the relationship between the Default Gateway and dynamic or static routing, see “Dynamic and Static Routing” on page 51. After you configure your network settings on the Firebox SSL VPN Gateway, you need to restart the appliance.
• After downloading the Secure Access Client, the user logs on. When the user successfully authenticates, the Firebox SSL VPN Gateway establishes a secure tunnel.
Establishing the Secure Tunnel After the Secure Access Client is started, it establishes a secure tunnel over port 443 (or any configured port on the Firebox SSL VPN Gateway) and sends authentication information.
NAT firewalls maintain a table that allows them to route secure packets from the Firebox SSL VPN Gateway back to the client computer. For circuit-oriented connections, the Firebox SSL VPN Gateway maintains a port-mapped, reverse NAT translation table.
work, no attempt is made by either the client or the server applications to regenerate them, so real-time (UDP like) performance is achieved over a secure TCP-based tunnel.
public address. The external public address ensures that the redirected client returns to the Firebox SSL VPN Gateway it first encountered, providing session stickiness.
CHAPTER 3 Configuring Basic Settings This chapter describes Firebox SSL VPN Gateway basic administration, including connecting to the Firebox SSL VPN Gateway, using the Administration Desktop, and using the Administration Tool to configure the Firebox SSL VPN Gateway.
Firebox SSL VPN Gateway Administration Desktop The Firebox SSL VPN Gateway Administration Desktop provides Firebox SSL VPN Gateway monitoring tools.
Using the Serial Console • Download a sample email for users Admin Users Tab The Firebox SSL VPN Gateway has a default administrative user account with full access to the Firebox SSL VPN Gateway.
Using the Administration Tool To open the serial console 1 Connect the RS232 cable to the serial port on the Firebox SSL VPN Gateway and to the serial port on the computer. 2 Make sure that the Firebox SSL VPN Gateway is running.
Publishing Settings to Multiple Firebox SSL VPN Gateways 7 In Username and Password, type the Firebox SSL VPN Gateway administrator credentials.
Managing Licenses Firebox SSL VPN Gateway Administration Tool. To apply these license files, see “Managing Licenses” on page 36. For future tunnel capacity upgrades, you will follow these same steps to increase the capacity of your Firebox® SSL VPN Gateway.
Do not overwrite any .lic files in the license directory. If another file in that directory has the same name, rename the newly received file. The Firebox SSL VPN Gateway software calculates your licensed features based on all .
Blocking External Access to the Administration Portal 5 In a Web browser, type the address of the Firebox SSL VPN Gateway using either the IP address or fully qualified domain name (FQDN) to connect to either the internal or external interface.
Downloading and Working with Portal Page Templates By default, users see a WatchGuard Firebox SSL VPN Gateway portal page when they open https://Firebox SSL VPN Gateway_IP_or_hostname. For samples of the default portal pages for Windows, Linux, and Java, see “Using the Access Portal” on page 118.
To download the portal page templates to your local computer 1 In the Firebox SSL VPN Gateway Administration Portal, click Downloads.
Enabling Portal Page Authentication To install a custom portal page or image on the Firebox SSL VPN Gateway 1 Click the Portal Page Configuration tab. 2 Click Add File. 3 In File Identifier, type a name that is descriptive of the types of users who use the portal page.
Linking to Clients from Your Web Site
<object id="Net6Launch" type="application/x-oleobject" classid="CLSID:7E0FDFBB-87D4-43a1-9AD4-41F0EA8AFF7B" codebase="net6helper.cab#version=2,1,0,6"> </object>
2 Add the links as follows to the Web page.
Connecting Using a Web Address tication policy check fails, the users receive an error message instructing them to contact their system administrator. For more information about pre-authentication policies, see “Global policies” on page 96.
Saving and Restoring the Configuration When you upgrade the Firebox SSL VPN Gateway, all of your configuration settings, including uploaded certificates, licenses, and portal pages, are restored automatically.
Restarting the Firebox SSL VPN Gateway 2 In Upload a Server Upgrade or Saved Config, click Browse. 3 Locate the upgrade file that you want to upload and click Open. The file is uploaded and the Firebox SSL VPN Gateway restarts automatically.
Allowing ICMP traffic To change the system date and time 1 In the Administration Tool, click the VPN Gateway Cluster tab, select the appliance, and then click the Date tab. 2 In Time Zone, select a time zone. 3 In Date, type the date and time.
CHAPTER 4 Configuring Firebox SSL VPN Gateway Network Connections The Firebox SSL VPN Gateway has two network adapters that can be configured to work on your network. The VPN Gateway Cluster > General Networking tabs in the Administration Tool are used to configure most network settings.
• The Routes tab is where dynamic and static routes are configured • The Failover Servers tab is where multiple Firebox SSL VPN Gateway’s are configured General Networking The Firebox SSL VPN Gateway has two network adapters installed.
The Firebox SSL VPN Gateway in the DMZ. For more information, see “Connecting to a Server Load Balancer” on page 28. External Public FQDN The Firebox SSL VPN Gateway uses the external IP address or FQDN to send its response to a request back to the correct network connection.
Name Service Providers Note IP pooling is configured per groups, as described in “Enabling IP Pooling” on page 94.
Dynamic and Static Routing 3 Under Edit the HOSTS file, in IP address, enter the IP address that you want to associate with an FQDN. 4 In FQDN, enter the FQDN you want to associate with the IP address you entered in the previous step.
Configuring Dynamic Routing When dynamic routing is selected, the Firebox SSL VPN Gateway operates as follows: • It listens for route information published through RIP and automatically populates its routing table.
5 In the text box, type a text string that is an exact, case-sensitive match to the authentication string transmitted by the RIP server. 6 Select the Enable RIP MD5 Authentication for Interface check box if the RIP server transmits the authentication string encrypted with MD5.
8 On the General Networking tab, click Submit. The route name appears in the Static Routes list. To test a static route 1 From the Firebox SSL VPN Gateway serial console, type 1 (ping).
Configuring Firebox SSL VPN Gateway Failover To set up the static route, you need to establish the path between the eth1 adapter and IP address 129.6.0.20. To set up the example static route 1 Click the VPN Gateway Cluster tab and then click the Routes tab.
Controlling Network Access nect to port 9001 when you are logged on from an external connection, configure IP pools and connect to the lowest IP address in the IP pool.
Enabling Split Tunneling You can change the default operation so that user groups are denied network access unless they are allowed access to one or more network resource groups. • You configure ACLs for user groups by specifying which network resources are allowed or denied per user group.
Denying Access to Groups without an ACL When you enable split tunneling, you must enter a list of accessible networks on the Global Cluster Policies tab. The list of accessible networks must include all internal networks and subnetworks that the user may need to access with the Secure Access Client.
Improving Voice over IP Connections To deny access to user groups without an ACL 1 Click the Global Cluster Policies tab.
Note If the Improving Voice over IP Connections setting is not selected, the UDP traffic is encrypted using the symmetric encryption cipher that is specified in the Select encryption type for client connections setting on the Global Cluster Policies tab.
CHAPTER 5 Configuring Authentication and Authorization The Firebox SSL VPN Gateway supports several authentication types including LDAP, RADIUS, RSA SecurID, NTLM, and Secure Computing’s SafeWord products.
Communications between the Firebox SSL VPN Gateway and authentication servers.
Configuring Authentication without Authorization The Firebox SSL VPN Gateway can be configured to authenticate users without requiring authorization. When users are not authorized, the Firebox SSL VPN Gateway does not perform a group authorization check.
Configuring Local Users You can create user accounts locally on the Firebox SSL VPN Gateway to supplement the users on authentication servers.
Changing the Authentication Type of the Default Realm To change a user’s password 1 On the Access Policy Manager tab, right-click a user, and click Set Password.
3 On the Action menu, select Remove Default realm. A warning message appears.
Using SafeWord for Authentication Removing Realms If you are retiring an authentication server or removing a domain server, you can remove any realm except for the realm named Default. You can remove the Default realm only if you immediately create a new realm named Default.
Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication Configure a SafeWord realm to authenticate users. The Firebox SSL VPN Gateway acts as a SafeWord agent authenticating on behalf of users logged on using Secure Access Client.
Using RADIUS Servers for Authentication and Authorization If you are already using SafeWord for Citrix or SafeWord RemoteAccess in your configuration to authentic.
• Type is the vendor-assigned attribute number. • Attribute name is the type of attribute name that is defined in IAS. The default name is CTXSUserGroups= .
18 In the Add Attributes dialog box, select Vendor-Specific and click Add. 19 In the Vendor-Specific Attribute Information dialog box, choose Select from list and accept the default RADIUS=Standard.
To specify RADIUS server authentication 1 Click the Authentication tab. 2 In Realm Name, type a name for the authentication realm that you will create, select One Source, and then click Add.
Using LDAP Servers for Authentication and Authorization RADIUS authentication. If you synchronize configurations among several Firebox SSL VPN Gateway appliances in a cluster, all the appliances are configured with the same secret.
This table contains examples of the base dn The following table contains examples of bind dn: Note For further information to determine the LDAP server settings, see “Determining Attributes in your LDAP Directory” on page 78.
LDAP Authorization 8 Select Allow Unsecure Traffic to allow unsecure LDAP connections. When this check box is clear, all LDAP connections are secure. 9 In Administrator Bind DN, type the Administrator Bind DN for queries to your LDAP directory.
Group memberships from group objects working evaluations LDAP servers that evaluate group memberships from group objects indirectly work with Firebox SSL VPN Gateway authorization.
The LDAP Server port defaults to 389. If you are using an indexed database, such as Microsoft Active Directory with a Global Catalog, changing the LDAP Server port to 3268 significantly increases the speed of the LDAP queries.
For Active Directory, the group name specified as cn=groupname is required. The group name that is defined in the Firebox SSL VPN Gateway must be identical to the group name that is defined on the LDAP server.
Using RSA SecurID for Authentication
Host: Host name or IP address of your LDAP server.
Port: Defaults to 389.
Base DN: You can leave this field blank. (The information provided by the LDAP Browser will help you determine the Base DN needed for the Authentication tab.
The Firebox SSL VPN Gateway supports RSA ACE/Server Version 5.2 and higher. The Firebox SSL VPN Gateway also supports replication servers. Replication server configuration is completed on the RSA ACE/Server and is part of the sdconf .
8 To create the configuration file for the new or changed Agent Host, go to Agent Host > Generate Configuration Files. The file that you generate (sdconf.rec) is what you will upload to the Firebox SSL VPN Gateway, as described in the next procedure.
Configuring RSA Settings for a Cluster If you have two or more appliances configured as a cluster, the sdconf.rec file needs to contain the FQDNs of all the appliances. The sdconf .
Note: If you are configuring double-source authentication, click Two Source and then click Add. For more information about configuring double-source authentication, see “Configuring Double-Source Authentication” on page 85.
Note: When 0 (zero) is entered as the port, the Access Gateway attempts to automatically detect a port number for this connection. 8 In Time-out (in seconds), enter the number of seconds within which the authentication attempt must complete.
Configuring Double-Source Authentication You can prevent the storage of one-time passwords in cache, which forces the user to enter their credentials again. To prevent caching of one-time passwords 1 In the Administration Tool, click the Authentication tab.
and passcode first and then the LDAP password second. Whatever is typed in the first password field is done last and the second password field is done first.
CHAPTER 6 Adding and Configuring Local Users and User Groups User groups define the resources the user has access to when connecting to the corporate network through the Firebox SSL VPN Gateway. Groups are associated with the local users list.
User Group Overview 5 All users are members of the Default resource group. To add a user to another group, under Local Users, click and drag the user to the user group to which you want the user to belong.
Creating User Groups Group resources include: • Network resources that define the networks to which clients can connect. • Application policies that define the applications users can use when connected.
Configuring Properties for a User Group Group properties include configuring access, networking, portal pages, and client certificates. Properties are configured by right-clicking a group and then clicking Properties.
Note If you want to close a connection and prevent a user or group from reconnecting automatically, you must select the Authenticate after network interruption setting. Otherwise, users immediately reconnect without being prompted for their credentials.
supported and do not run. If the domain controller cannot be contacted, the Firebox SSL VPN Gateway connection is completed but the logon scripts are not run. Note Important: The client computer must be a domain member in order to run domain logon scripts.
Configuring Web Session Time-Outs When a user is logged on to the Firebox SSL VPN Gateway and using a Web browser to connect to Web sites in the secure network, cookies are set to determine if a user’s Web session is still active on the Firebox SSL VPN Gateway.
2 On the General tab, under Application Options, select Deny applications without policies. For more information about application policies, see “Application policies” on page 101.
Choosing a portal page for a group By default, all users log on to the Firebox SSL VPN Gateway using the Secure Access Client from the default portal page or by downloading and installing the Secure Access Client on their computer.
Configuring Resources for a User Group Note Client certificate configuration is not available for the default user group. To specify client certificate configuration 1 On the Access Policy Manager tab, right-click a group that is not the default group.
a network resource specifying the networks to which users can connect. If you have a restricted group for contractors, drag the resource to this group and then deny the default setting.
• Kiosk resources that define how the user can log on and which file shares and applications are accessible to the user when logged on. If the user is allowed to use the Firefox Web browser in kiosk mode, the Web address the user is allowed to use is also defined.
To configure resource access control for a group 1 Click the Access Policy Manager tab. 2 In the right pane, configure the group resources. 3 When the resource is configured, click the resource and drag it to the group in the left pane.
• You can further restrict access by specifying a port and protocol for an IP address/subnet pair. For example, you might specify that a resource can use only port 80 and the TCP protocol.
• Deny rules take precedence over allow rules. This enables you to allow access to a range of resources and to also deny access to selected resources within that range. For example, you might want to allow a group access to a resource group that includes 10.
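The rule semantics described above (a subnet with an optional port and protocol, and deny taking precedence over allow), modelled as an added Python example that is not code from the guide or from WatchGuard. Resource names and addresses are constructed; the `deny_without_acl` flag and the implicit deny for a destination that matches no resource in a group that has an ACL are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NetworkResource:
    """One network resource attached to a user group (hypothetical model)."""
    name: str
    subnet: str                               # IP address/subnet pair, CIDR form
    action: str                               # "allow" or "deny"
    ports: Optional[Tuple[int, int]] = None   # inclusive range; None = any port
    protocol: Optional[str] = None            # "tcp", "udp"; None = any protocol

    def __post_init__(self):
        if self.action not in ("allow", "deny"):
            raise ValueError(f"{self.name}: action must be allow or deny")
        ipaddress.ip_network(self.subnet)     # raises ValueError if malformed

    def matches(self, dst_ip: str, port: int, protocol: str) -> bool:
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.subnet):
            return False
        if self.ports is not None and not self.ports[0] <= port <= self.ports[1]:
            return False
        if self.protocol is not None and self.protocol != protocol.lower():
            return False
        return True


def evaluate(resources: List[NetworkResource], dst_ip: str, port: int,
             protocol: str, deny_without_acl: bool = False) -> Tuple[str, str]:
    """Return (decision, reason) for one connection attempt.

    deny_without_acl is a hypothetical name for the option that denies
    access to groups that have no ACL at all.
    """
    if not resources:
        return ("deny" if deny_without_acl else "allow", "no ACL configured")

    matched = [r for r in resources if r.matches(dst_ip, port, protocol)]

    # Deny wins regardless of the order in which resources were added.
    for r in matched:
        if r.action == "deny":
            return "deny", r.name
    for r in matched:
        if r.action == "allow":
            return "allow", r.name

    # Assumption: a group with an ACL gets nothing outside its resources.
    return "deny", "no matching resource"


# Constructed sample ACL for a restricted group.
CONTRACTOR_ACL = [
    NetworkResource("intranet", "10.20.0.0/16", "allow"),
    NetworkResource("finance-subnet", "10.20.10.0/24", "deny"),
    NetworkResource("web-only", "10.30.5.10/32", "allow", (80, 80), "tcp"),
]

if __name__ == "__main__":
    for ip, port, proto in [("10.20.3.4", 443, "tcp"),
                            ("10.20.10.7", 443, "tcp"),
                            ("10.30.5.10", 80, "tcp"),
                            ("10.30.5.10", 22, "tcp")]:
        print(ip, port, proto, evaluate(CONTRACTOR_ACL, ip, port, proto))
```

Running the same table of test connections against an exported ACL is a quick way to confirm that a narrow deny inside a broad allow behaves as intended before the policy is assigned to a group.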
To add an application policy to a group 1 On the Access Policy Manager tab, in the right-pane, under Application Policies, click the resource you want to add and then drag it to the user group in the left pane.
To create a file share resource 1 Click the Access Policy Manager tab. 2 In the right pane, right-click File Share Resources, click New File Share Resource, type a name, and click OK.
3 To add a file share, under File Share Resources, drag the resource to Shares under File Shares. 4 Select the applications users are allowed to use in kiosk mode. 5 Click Kiosk Persistence (Save Application Settings) to retain Firefox preferences between sessions.
8 If you selected Process Rule, do the following: - Click Process Rule. - In Process Name, type the name of the process or click Browse to navigate to the file. The MD5 field is automatically completed when a process name is entered.
Setting the Priority of Groups 2 In the right pane, right-click End Point Policies and then click New End Point Policy. 3 Type a name and click OK. When the policy is created, create the expression by dragging and dropping the end point resources into the Expression Root.
The following two settings are unioned together. For these settings, they are combined among all of the groups of which the user is a member. When these are combined, these are the enforced set of rules applied to the user.
CHAPTER 7 Creating and Installing Secure Certificates The Firebox SSL VPN Gateway uses certificates for authentication. In the Firebox SSL VPN Gateway Administration Tool, you can create a certificate to be signed by a Certificate Authority.
Digital Certificates and Firebox SSL VPN Gateway Operation • Install a PEM certificate and private key from a Windows computer. This method uploads a signed certificate and private key together. The certificate is signed by a CA and it is paired with the private key.
Administration Guide 111 Overview of the Certificate Signing Request private key from tampering and it is also required when restoring a saved configuration to the Firebox SSL VPN Gateway. Passwords are used whether the private key is encrypted or unencrypted.
Overview of the Certificate Signing Request 112 Firebox SSL VPN Gateway Note When you save the Firebox SSL VPN Gateway configuration, any certificates that are already installed are included in the backup. To install a certificate file using the Administration Tool 1 Click the VPN Gateway Cluster tab.
Administration Guide 113 Overview of the Certificate Signing Request The root certificate that is installed on the Firebox SSL VPN Gateway has to be in PEM format. On Windows, the file extension .cer is sometimes used to indicate that the root certificate is in PEM format.
Client Certificates 114 Firebox SSL VPN Gateway Note: HyperTerminal is not installed automatically on Windows 2000 Server or Windows Server 2003. To install HyperTerminal, use Add/Remove Programs in Control Panel. 3 Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1 stop bit.
Administration Guide 115 Client Certificates Installing Root Certificates Support for most trusted root authorities is already built into the Windows operating system and Internet Explorer. Therefore, there is no need to obtain and install root certificates on the client device if you are using these CAs.
Requiring Certificates from Internal Connections 116 Firebox SSL VPN Gateway 3 Click Submit. Requiring Certificates from Internal Connections To increase security for connections originating f.
Administration Guide 117 CHAPTER 8 Working with Client Connections Clients can access resources on the corporate network by connecting through the Firebox SSL VPN Gateway from their own computer or from a public computer.
Using the Access Portal 118 Firebox SSL VPN Gateway If clients are using Mozilla Firefox to connect, pages that require ActiveX, such as the pre-authentication page, are not able to run. If clients are going to connect using the kiosk, they must have Sun Java Runtime Environment (JRE) Version 1.
Administration Guide 119 Connecting from a Private Computer the computer is started, users do not have to do anything to create the connection, provided that they have a network connection and can log onto Windows. The connection enables users to work with the connected site just as if they were logged on at the site.
Connecting from a Private Computer 120 Firebox SSL VPN Gateway • The Firebox SSL VPN Gateway terminates the SSL tunnel, accepts any incoming traffic destined for the private network, and forwards the traffic to the private network. The Firebox SSL VPN Gateway sends traffic back to the remote computer over a secure tunnel.
Administration Guide 121 Connecting from a Private Computer that remote users can access through the VPN connection. For more information, see “Configuring Resources for a User Group” on page 96. All IP packets, regardless of protocol, are intercepted and transmitted over the secure link.
Connecting from a Private Computer 122 Firebox SSL VPN Gateway sends its known local IP address to the server by means of a custom client-server protocol.
Administration Guide 123 Connecting from a Private Computer An email template is provided that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. WatchGuard recommends that you customize the text for your site and then send the text in an email to users.
Connecting from a Private Computer 124 Firebox SSL VPN Gateway The Secure Access Client dialog box with the pop-up menu showing Advanced Options 4 Under Proxy Settings, select Use Proxy Host and then in Proxy Address and Proxy Host, type the IP address and port.
Administration Guide 125 Connecting from a Private Computer To view the Connection Log The Connection Log contains real-time connection information that is particularly useful for troubleshooting connection issues. 1 Right-click the Firebox SSL Secure Access Client icon in the notification area.
Connecting from a Public Computer 126 Firebox SSL VPN Gateway Configuring Secure Access Client to Work with Non-Administrative Users If a user is not logged on as an administrator on a .
Administration Guide 127 Connecting from a Public Computer • Firefox Web browser. You configure by group whether or not to include the Firefox browser and the browser’s default Web address. Firefox preferences, such as saved passwords, are retained for the next session.
Connecting from a Public Computer 128 Firebox SSL VPN Gateway To create and configure a kiosk resource 1 Click the Access Policy Manager tab. 2 In the right pane, right-click Kiosk Resources and then click New Kiosk Resource. 3 Type a name for the resource and click OK.
Administration Guide 129 Client Applications 2 Select a file share from File Share Resources and drag it to Shares under File shares in the kiosk resource. 3 Click OK. To remove a file share On the Access Policy Manager tab, in the right pane, right-click the file share and click Remove.
Client Applications 130 Firebox SSL VPN Gateway Firefox Web Browser The Firefox Web browser allows users to connect to the Internet when they are logged on in kiosk mode. They can connect to Web sites as if they were sitting at their own computer.
Administration Guide 131 Client Applications To use the SSH client 1 From the portal page, choose A public computer and log on. 2 In the Web browser, click the SSH icon. 3 Enter the user name and SSH host name or IP address. The SSH window opens.
Supporting Secure Access Client 132 Firebox SSL VPN Gateway To use Gaim 1 From the portal page, choose A public computer and log on. 2 In the Web browser, double-click the Gaim icon. 3 If messaging services were not added, an Accounts window opens.
Administration Guide 133 Managing Client Connections An email template is provided that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. Customize the text for your site and then send the text in an email to users.
Managing Client Connections 134 Firebox SSL VPN Gateway Closing a connection to a resource Without disrupting a user’s VPN connection, you can temporarily close the user’s connection to a particular resource. To prevent the user from connecting to the resource, correct the user’s group ACL.
Administration Guide 135 Managing Client Connections 2 In the left pane, right-click a group and click Properties. 3 On the General tab, under Session options, select one or both of the following: • Authenticate after network interruption.
Administration Guide 137 APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting The following topics describe how to use Firebox SSL VPN Gateway logs and troubleshoot issues: • View.
Viewing and Downloading System Message Logs 138 Firebox SSL VPN Gateway 3 Click Logging/Settings. 4 Under Gateway Log, click Display Logging Window. The log for today’s date is displayed. To display the log for a prior date, select the date in the Log Archive list and click View Log.
Administration Guide 139 Enabling and Viewing SNMP Logs To view or download the log, go to the Logging > Configuration tab and click Download W3C Log. Enabling and Viewing SNMP Logs When Simple Network Management Protocol (SNMP) is enabled, the Firebox SSL VPN Gateway reports the MIB-II system group (1.
Viewing System Statistics 140 Firebox SSL VPN Gateway To obtain SNMP data for the Firebox SSL VPN Gateway through Multi Router Traffic Grapher (in UNIX) 1 Configure the Firebox SSL VPN Gateway to respond to SNMP queries as discussed in “To enable logging of SNMP messages” on page 139.
Administration Guide 141 Recovering from a Failure of the Firebox SSL VPN Gateway bottom right corner, you can view process and network activity levels; mouse over the two graphs to view numeric data.
Recovering from a Failure of the Firebox SSL VPN Gateway 142 Firebox SSL VPN Gateway • apply the v5.5 software update Reinstalling v4.9 application software To reinstall v4.9 on your appliance: 1 Find the Firebox® SSL v4.9.2 Recovery CD that came with your original Firebox® SSL Core appliance.
Administration Guide 143 Troubleshooting To upgrade to v5.5. 1 In the v5.0 Administration Tool, click the Firebox® SSL VPN Gateway Cluster tab. 2 On the Administration tab, next to Upload a server upgrade or saved config, click Browse.
Troubleshooting 144 Firebox SSL VPN Gateway By default, the Firebox SSL VPN Gateway passes only the user name and password to the Web Interface. To correct this, configure a default domain or a set of domains users can log on to. The Web Interface uses the first one in the list as the default domain.
Administration Guide 145 Troubleshooting Defining Accessible Networks In the Accessible Networks field on the Global Cluster Policies tab, up to 24 subnets can be defined. If more than 24 subnets are entered, the Firebox SSL VPN Gateway ignores the additional subnets.
Troubleshooting 146 Firebox SSL VPN Gateway Internal Failover If internal failover is enabled and the administrator is connected to the Firebox SSL VPN Gateway, the Administration Tool cannot be reached over the connection. To fix this problem, enable IP pooling and then connect to the lowest IP address in the pool range on port 9001.
Administration Guide 147 Troubleshooting Devices Cannot Communicate with the Firebox SSL VPN Gateway Verify that the following are correctly set up: • The External Public Address specified .
Troubleshooting 148 Firebox SSL VPN Gateway Client Connections from a Windows Server 2003 If a connection to the Firebox SSL VPN Gateway is made from a Windows Server 2003 computer that is its own DNS server, local and public DNS resolution does not work.
Administration Guide 149 APPENDIX B Using Firewalls with Firebox SSL VPN Gateway If a user cannot establish a connection to the Firebox SSL VPN Gateway or cannot access allowed resources, it is possible that the firewall software on the user’s computer is blocking traffic.
BlackICE PC Protection 150 Firebox SSL VPN Gateway To view Secure Access Client status properties Double-click the Secure Access Client connection icon in the notification area. Alternatively, right-click the icon and choose Properties from the menu.
Administration Guide 151 Norton Personal Firewall. Norton Personal Firewall If you are using the default Norton Personal Firewall settings, you can simply respond to the Program Control alerts the first time that you attempt to start the Secure Access Client or when you access a blocked location or application.
ZoneAlarm Pro 152 Firebox SSL VPN Gateway To configure the settings, open the Tiny Personal Firewall administration window, click the Advanced button to view the Firewall Configuration window, and then use the Filter Rule dialog box as indicated below.
Administration Guide 153 APPENDIX C Installing Windows Certificates The Firebox SSL VPN Gateway includes the Certificate Request Generator to automatically create a certificate request. After the file is returned from the Certificate Authority, it can be uploaded to the Firebox SSL VPN Gateway.
Unencrypting the Private Key 154 Firebox SSL VPN Gateway 12 Click Next to start the installation. After Cygwin installs, you can generate the CSR. These instructions to generate a CSR assume that you are using the Cygwin UNIX environment installed as described in “To install Cygwin” on page 153.
Administration Guide 155 Converting to a PEM-Formatted Certificate For information about downloading OpenSSL for Windows, see the SourceForge Web site at http://sourceforge.
Generating Trusted Certificates for Multiple Levels 156 Firebox SSL VPN Gateway To combine the private key with the signed certificate 1 Use a text editor to combine the unencrypted private key with the signed certificate in the PEM file format.
Administration Guide 157 Generating Trusted Certificates for Multiple Levels Intermediate Certificate 0 Intermediate Certificate 1 Intermediate Certificate 2.
Administration Guide 159 APPENDIX D Examples of Configuring Network Access After the Firebox SSL VPN Gateway is installed and configured to operate in your network environment, use the Administration Tool to configure user access to the servers, applications, and other resources on the internal network.
Scenario 1: Configuring LDAP Authentication and Authorization 160 Firebox SSL VPN Gateway Before reading the examples in this chapter, you should become familiar with the settings on three tabs of the Administration Tool.
Administration Guide 161 Scenario 1: Configuring LDAP Authentication and Authorization • Determining the Sales and Engineering users who need remote access • Collecting the LDAP directory info.
Scenario 1: Configuring LDAP Authentication and Authorization 162 Firebox SSL VPN Gateway For example, if the Firebox SSL VPN Gateway operates with the Microsoft Active Directory, the Firebox SSL VPN Gateway checks the "memberOf" attribute in the Person entry to determine the groups to which a user belongs.
Administration Guide 163 Scenario 1: Configuring LDAP Authentication and Authorization • LDAP Server port. The port on which the LDAP server listens for connections. The default port for LDAP connections is port 389. • LDAP Administrator Bind DN and LDAP Administrator Password.
Scenario 1: Configuring LDAP Authentication and Authorization 164 Firebox SSL VPN Gateway This task includes these five procedures: • Configuring accessible networks • Creating an LDAP authenti.
Administration Guide 165 Scenario 1: Configuring LDAP Authentication and Authorization Creating an LDAP Authentication and Authorization Realm Creating an LDAP authentication and authorization realm is the second of five procedures the administrator performs to configure access to the internal network resources in this scenario.
Scenario 1: Configuring LDAP Authentication and Authorization 166 Firebox SSL VPN Gateway Creating the Appropriate Groups on the Firebox SSL VPN Gateway Creating the appropriate groups on the F .
Administration Guide 167 Scenario 1: Configuring LDAP Authentication and Authorization 4 In Network/Subnet, type these two IP address/subnet pairs for the resources. Separate each of these IP address/subnet pairs with a space: 10.10.0.0/24 10.60.
Scenario 1: Configuring LDAP Authentication and Authorization 168 Firebox SSL VPN Gateway the 10.0.20.x resource and allow access to the 10.0.x.x resource. In these cases, configure the policy denying access to 10.0.20.x first and then configure the policy allowing access to the 10.
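The ordering advice on page 168 (deny 10.0.20.x before allowing 10.0.x.x) can be checked mechanically. The following is an added example, not code from the guide or from WatchGuard: it assumes first-match evaluation and a default of deny, maps 10.0.20.x and 10.0.x.x to 10.0.20.0/24 and 10.0.0.0/16, and uses hypothetical helper names `evaluate` and `shadowed_rules`.

```python
import ipaddress

# Constructed rule lists (not exported from a real appliance). Each rule is
# (action, network). 10.0.20.0/24 stands for the guide's 10.0.20.x resource
# and 10.0.0.0/16 for its 10.0.x.x resource.
DENY_FIRST = [("deny", "10.0.20.0/24"), ("allow", "10.0.0.0/16")]
ALLOW_FIRST = [("allow", "10.0.0.0/16"), ("deny", "10.0.20.0/24")]


def evaluate(rules, address, default="deny"):
    """Return the action of the first rule whose network contains address.

    First-match semantics and the default action are assumptions made for
    this example; the guide only states the order in which to configure
    the two policies.
    """
    ip = ipaddress.ip_address(address)
    for action, cidr in rules:
        if ip in ipaddress.ip_network(cidr):
            return action
    return default


def shadowed_rules(rules):
    """List (rule_index, earlier_index) pairs where a rule can never match.

    A rule is shadowed when an earlier rule's network contains its whole
    network, so under first-match evaluation the later rule is dead. A
    shadowed deny is the dangerous case: the access it was meant to block
    is granted by the broader rule above it.
    """
    findings = []
    for i, (_, cidr) in enumerate(rules):
        net = ipaddress.ip_network(cidr)
        for j in range(i):
            earlier = ipaddress.ip_network(rules[j][1])
            if net.version == earlier.version and net.subnet_of(earlier):
                findings.append((i, j))
                break
    return findings


if __name__ == "__main__":
    for name, rules in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(name)
        for host in ("10.0.20.5", "10.0.7.9", "192.168.1.1"):
            print(f"  {host:<12} -> {evaluate(rules, host)}")
        for idx, by in shadowed_rules(rules):
            print(f"  rule {idx} {rules[idx]} is shadowed by rule {by} {rules[by]}")
```

Running the check over an exported rule list before applying it catches the misordered case, where the narrower deny is placed after the broader allow and never takes effect.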
Administration Guide 169 Scenario 2: Creating Guest Accounts Using the Local Users List 5 In the left pane, click the "Email server" network resource you just created and drag it to Application Network Policies listed under Application Constraints in the right pane.
Scenario 2: Creating Guest Accounts Using the Local Users List 170 Firebox SSL VPN Gateway An administrator can also create a list of local users on the Firebox SSL VPN Gateway and configure the Firebox SSL VPN Gateway to provide authentication and authorization services for these users.
Administration Guide 171 Scenario 2: Creating Guest Accounts Using the Local Users List To create a guest authentication realm for the guest users 1 In the Firebox SSL VPN Gateway Administration Tool, click the Authentication tab. 2 In Realm Name, type Guest.
Scenario 3: Configuring Local Authorization for Local Users 172 Firebox SSL VPN Gateway Silvio and Lisa are authorized to access any resource defined in the ACL of the Default user group because No Authorization is specified as the authorization type of the Guest realm.
Administration Guide 173 APPENDIX E Legal and Copyright Information GNU GENERAL PUBLIC LICENSE FOR LINUX KERNEL AS PROVIDED WITH FIREBOX SSL Firebox SSL VPN Gateway Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
174 Firebox SSL VPN Gateway We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.
Administration Guide 175 change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
176 Firebox SSL VPN Gateway be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code.
Administration Guide 177 If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
178 Firebox SSL VPN Gateway 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PR.
Administration Guide 179 This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License.
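After purchasing the WatchGuard Technologies SSL VPN device (or even before purchasing it), the important point is to read the manual carefully. There are several simple reasons for this:
If you have not yet purchased the WatchGuard Technologies SSL VPN, this is a good opportunity to understand the basic information about the product. Start by looking at the first pages of the manual above. They should contain an overview of the technical information for the WatchGuard Technologies SSL VPN. This is where you can check whether the device meets your needs. By carefully reading the following pages of the WatchGuard Technologies SSL VPN manual, you can learn about all of the product's functions and how to handle it. The information you obtain about the WatchGuard Technologies SSL VPN will surely help you with your purchasing decision.
If you already own the WatchGuard Technologies SSL VPN but have not yet read the manual, you should do so for the reasons above. By doing so, you can find out whether you are using its functions properly, or whether you are running the risk of shortening its life through improper handling of the WatchGuard Technologies SSL VPN.
However, one of the important roles a user guide plays is to help solve problems with the WatchGuard Technologies SSL VPN. In most cases you should be able to find troubleshooting there, that is, advice on the failures and defects most likely to occur with the WatchGuard Technologies SSL VPN device and how to deal with them. Even if you cannot solve the problem, the manual should contain instructions on the next steps, such as contact details for the customer service center or the nearest service center.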