WatchGuard Technologies SSL VPN Benutzerhandbuch
Administration Guide
73
Using LDAP Servers for Authentication and Authorization
RADIUS authentication. If you synchronize configurations among several Firebox SSL VPN Gateway
appliances in a cluster, all the appliances are configured with the same secret. Shared secrets are config-
ured on the Firebox SSL VPN Gateway when a RADIUS realm is created.
appliances in a cluster, all the appliances are configured with the same secret. Shared secrets are config-
ured on the Firebox SSL VPN Gateway when a RADIUS realm is created.
Using LDAP Servers for Authentication and Authorization
You can configure the Firebox SSL VPN Gateway to authenticate user access with an LDAP server. If a
user is not located in an LDAP directory or fails authentication on a server, the Firebox SSL VPN Gateway
checks the user against the user information stored locally on the Firebox SSL VPN Gateway.
LDAP authorization requires identical group names in Active Directory, on the LDAP server, and on the
Firebox SSL VPN Gateway. The characters and case must also be the same.
user is not located in an LDAP directory or fails authentication on a server, the Firebox SSL VPN Gateway
checks the user against the user information stored locally on the Firebox SSL VPN Gateway.
LDAP authorization requires identical group names in Active Directory, on the LDAP server, and on the
Firebox SSL VPN Gateway. The characters and case must also be the same.
LDAP authentication
Starting with Version 5.0 of the Firebox SSL VPN Gateway, LDAP authentication, by default, is secure
using SSL/TLS. There are two types of secure LDAP connections. With one type, the LDAP server accepts
the SSL/TLS connection on a port separate from the port used to accept clear LDAP connections. After a
client establishes the SSL/TLS connection, LDAP traffic can be sent over the connection. The second
type allows both unsecure and secure LDAP connections and is handled by a single port on the server.
In this scenario, to create a secure connection, the client first establishes a clear LDAP connection. Then,
the LDAP command StartTLS is sent to the server over the connection. If the LDAP server supports Start-
TLS, the connection is converted to a secure LDAP connection using TLS.
The standard port numbers for unsecure LDAP connections is 389. The port number for secure LDAP
connections with SSL/TLS is 636. LDAP connections that use the StartTLS command use port number
389. The Microsoft port numbers for unsecure and secure LDAP connections are 3268 and 3269. If port
numbers 389 or 3268 are configured on the Firebox SSL VPN Gateway, it tries to use StartTLS to make
the connection. If any other port number is used, connection attempts are made using SSL/TLS.
When configuring the Firebox SSL VPN Gateway to use LDAP authentication and the check box Allow
Unsecure Traffic is selected, LDAP connections are unsecure.
using SSL/TLS. There are two types of secure LDAP connections. With one type, the LDAP server accepts
the SSL/TLS connection on a port separate from the port used to accept clear LDAP connections. After a
client establishes the SSL/TLS connection, LDAP traffic can be sent over the connection. The second
type allows both unsecure and secure LDAP connections and is handled by a single port on the server.
In this scenario, to create a secure connection, the client first establishes a clear LDAP connection. Then,
the LDAP command StartTLS is sent to the server over the connection. If the LDAP server supports Start-
TLS, the connection is converted to a secure LDAP connection using TLS.
The standard port numbers for unsecure LDAP connections is 389. The port number for secure LDAP
connections with SSL/TLS is 636. LDAP connections that use the StartTLS command use port number
389. The Microsoft port numbers for unsecure and secure LDAP connections are 3268 and 3269. If port
numbers 389 or 3268 are configured on the Firebox SSL VPN Gateway, it tries to use StartTLS to make
the connection. If any other port number is used, connection attempts are made using SSL/TLS.
When configuring the Firebox SSL VPN Gateway to use LDAP authentication and the check box Allow
Unsecure Traffic is selected, LDAP connections are unsecure.
Note
When upgrading the Firebox SSL VPN Gateway from an earlier version, and an LDAP realm is already
configured, LDAP connections are unsecure by default. If this is a new installation of the Firebox SSL VPN
Gateway, or you are creating a new LDAP realm, LDAP connections are secure by default.
configured, LDAP connections are unsecure by default. If this is a new installation of the Firebox SSL VPN
Gateway, or you are creating a new LDAP realm, LDAP connections are secure by default.
When configuring the LDAP server, the letter case must match what is on the server and what is on the
Firebox SSL VPN Gateway. If the root directory of the LDAP server is specified, all of the subdirectories
are also searched to find the user attribute. In large directories, this can affect performance; we recom-
mend that you use a specific organizational unit (OU).
The following table contains examples of user attribute fields for LDAP servers.
Firebox SSL VPN Gateway. If the root directory of the LDAP server is specified, all of the subdirectories
are also searched to find the user attribute. In large directories, this can affect performance; we recom-
mend that you use a specific organizational unit (OU).
The following table contains examples of user attribute fields for LDAP servers.
LDAP Server
User Attribute
Case Sensitive
Microsoft Active Directory Server
sAMAccountName
No
Novell eDirectory
cn
Yes
IBM Directory Server
uid
Lotus Domino
CN
Sun ONE directory (formerly iPlanet)
uid or cn
Yes