WatchGuard Technologies SSL VPN Benutzerhandbuch
Denying Access to Groups without an ACL
58
Firebox SSL VPN Gateway
When you enable split tunneling, you must enter a list of accessible networks on the Global Cluster
Policies tab. The list of accessible networks must include all internal networks and subnetworks that the
user may need to access with the Secure Access Client.
The Secure Access Client uses the list of accessible networks as a filter to determine whether or not
packets transmitted from the client computer should be sent to the Firebox SSL VPN Gateway.
When the Secure Access Client starts, it obtains the list of accessible networks from the Firebox SSL
VPN Gateway. The Secure Access Client examines all packets transmitted on the network from the cli-
ent computer and compares the addresses within the packets to the list of accessible networks. If the
destination address in the packet is within one of the accessible networks, the Secure Access Client
sends the packet through the VPN tunnel to the Firebox SSL VPN Gateway. If the destination address
is not in an accessible network, the packet is not encrypted and the client routes the packet appropri-
ately.
Policies tab. The list of accessible networks must include all internal networks and subnetworks that the
user may need to access with the Secure Access Client.
The Secure Access Client uses the list of accessible networks as a filter to determine whether or not
packets transmitted from the client computer should be sent to the Firebox SSL VPN Gateway.
When the Secure Access Client starts, it obtains the list of accessible networks from the Firebox SSL
VPN Gateway. The Secure Access Client examines all packets transmitted on the network from the cli-
ent computer and compares the addresses within the packets to the list of accessible networks. If the
destination address in the packet is within one of the accessible networks, the Secure Access Client
sends the packet through the VPN tunnel to the Firebox SSL VPN Gateway. If the destination address
is not in an accessible network, the packet is not encrypted and the client routes the packet appropri-
ately.
To enable split tunneling
1
Click the Global Cluster Policies tab.
2
Under Access Options, click Enable Split Tunneling.
3
In Accessible Networks, type the IP addresses. Use a space or carriage return to separate the list of
networks.
networks.
4
Click Submit.
Configuring User Groups
User groups define the resources the user has access to when connecting to the corporate network
through the Firebox SSL VPN Gateway. Groups are associated with the local users list. After adding local
users to a group, you can then define the resources they have access to on the Access Policy Manager
tab. For more information about configuring local users, see “Configuring Properties for a User Group”
on page 90.
When you enable authorization on the Firebox SSL VPN Gateway, user group information is obtained
from the authentication server after a user is authenticated. If the group name that is obtained from the
authentication server matches a group name created locally on the Firebox SSL VPN Gateway, the prop-
erties of the local group are used for the matching group obtained from the authentication servers.
through the Firebox SSL VPN Gateway. Groups are associated with the local users list. After adding local
users to a group, you can then define the resources they have access to on the Access Policy Manager
tab. For more information about configuring local users, see “Configuring Properties for a User Group”
on page 90.
When you enable authorization on the Firebox SSL VPN Gateway, user group information is obtained
from the authentication server after a user is authenticated. If the group name that is obtained from the
authentication server matches a group name created locally on the Firebox SSL VPN Gateway, the prop-
erties of the local group are used for the matching group obtained from the authentication servers.
Note
Important: Group names on authentication servers and on the Firebox SSL VPN Gateway must be
identical and they are case-sensitive
identical and they are case-sensitive
Denying Access to Groups without an ACL
Each user should belong to at least one group that is defined locally on the Firebox SSL VPN Gateway. If
a user does not belong to a group, the overall access of the user is determined by using access control
lists (ACLs) that are defined by the Deny access without access control list (ACL) setting as follows:
If the Deny Access option is enabled, the user cannot establish a connection
If the Deny Access option is disabled, the user has full network access
In either case, the user can use kiosk mode, but network access within that session is determined by the
Deny access without access control list (ACL) setting.
a user does not belong to a group, the overall access of the user is determined by using access control
lists (ACLs) that are defined by the Deny access without access control list (ACL) setting as follows:
If the Deny Access option is enabled, the user cannot establish a connection
If the Deny Access option is disabled, the user has full network access
In either case, the user can use kiosk mode, but network access within that session is determined by the
Deny access without access control list (ACL) setting.