
Virtual Segmentation Platform Manual

Version 5.0 | Release 4.0.14 | Aug 2016

Copyright © 2016 iWebGate. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of iWebGate.

Basic Rights of Use

Thank you for choosing iWebGate. Licencing a single product entitles you to begin using the product for the specific purposes of the product. Additional licencing might be required to use additional features. For more information about iWebGate, visit us at http://www.iwebgate.com.

Trademarks

Microsoft, Windows, Windows NT, and Vista are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.

Statement of Conditions

To ensure proper operational function and/or reliability of the product is maintained, iWebGate reserves the right to make changes to the product described within this document, via electronic means or otherwise, without notice. iWebGate does not assume any liability that may occur due to the use, or application of, the product described herein.

Table of Contents

Introduction
  Port Forwarding Requirements
Logging In
Main Menu
Administration Features
  Network LinkUp
    Adding and Editing a LinkUp
    Configuring a LinkUp
    LinkUp Nodes
  User Manager
    Adding and Editing Users
    Creating Groups
    Assigning Users to Groups
    Directory Services Users and Groups
  Certificate Manager
    Uploading SSL Certificates
    Removing SSL Certificates
  Network Settings
  Licencing
    Activating a Licence
    Viewing a Licence
  Directory Services
    Directory Service Management
    Adding or Editing Directory Service
    Directory Service Authentication
  Authentication
    Google Authenticator
  SSH Management
    Adding or Editing a SSH Key
  Log Archive
    Log Archive Settings
  Backup
    Secure Copy Key
    Backup Settings
    Backup Schedule
  Restore
    Upload Backup
  Importing Users
VPN LP
  Adding and Editing a VPN
  Configuring a VPN
  VPN Nodes
    Adding and Editing Nodes
    Configuring a Machine or User Account Node
Desktop LP
  Configuring Remote Connections
    RDP Connection Options
    VNC Connection Options
    SSH Connection Options
Proxy LP
  Creating Reverse Proxies
    Backends
    Frontends
    Authentication
  Establishing Email Proxies
Release Notes
  What's New for 4.0.14

Introduction

The Virtual Segmentation Platform (VSP) is the configuration and administration interface for iWebGate's features, such as VPN LP, Proxy LP and Desktop LP. This manual covers navigating the VSP and all the features available.

Port Forwarding Requirements

Each feature of the VSP requires certain ports to be forwarded to it in order to function. Ports do not need to be opened for any feature not in use, so open only the rows below for the features you have configured. The VSP Web Services ports are required for normal functioning of the product. If you intend to run the VSP in an isolated environment, contact your installation technician.

Service                      | TCP Ingress                                     | TCP Egress                                      | UDP Ingress | UDP Egress
Administration & Maintenance | 443                                             | 25, 80, 443                                     |             | 123
Desktop LP                   | 443, 7717                                       |                                                 |             |
Email Proxy IMAP             | 143, 993                                        |                                                 |             |
Email Proxy POP3             | 110, 995                                        |                                                 |             |
Email Proxy SMTP             | 25, 587                                         |                                                 |             |
Network LinkUp/VPN LP        | 443                                             |                                                 | 7718, 7719  | 7718, 7719
Reverse Proxy                | 80, 443 or other port configured for HTTP/HTTPS | 80, 443 or other port configured for HTTP/HTTPS |             |
VSP Email Alerts             |                                                 | 25                                              |             |
VSP Web Services             | 443                                             | 80, 443                                         |             | 123

You may need to open more egress ports if your VSP is accessing external resources for services such as Email Proxy or Reverse Proxy.

Logging In

An Administrator account is required to make any configuration changes in the VSP. Change the password the first time you log in: the default credentials are printed in this manual and are therefore known to anyone who can reach the login page.

After a default installation, the username is admin and the password is password. After a custom installation, the username is admin and the password is the unique passcode configured during the custom installation.

1. Login: Enter your credentials here to log into the VSP.

2. Forgot Password: A password can be reset if the username and the account's email address are known.

Main Menu

The landing page of the VSP shows quick start links for each service along with access to the logged-in user's details.

1. Sidebar: Links to all the VSP's administrative content.

2. Quick Launch: Fast access links to the most commonly used sections.

3. User Details: A shortcut to view the logged-in user's profile.

Administration Features

The Administration menu provides access to a variety of features for modifying the VSP. The options available vary depending on your VSP licence. For example, Network Settings may not be available in some cloud-deployed instances.

Network LinkUp

Network LinkUp creates a Virtual Invisible Network (VIN) using iWebGate's patented broker and peer technology to securely connect the VSP to remote computers.

Use Network LinkUp to pass through services such as Desktop LP or Proxy LP when the VSP and the target computer are not on the same private network.

Adding and Editing a LinkUp

Click Add LinkUp on the Network LinkUp screen to create a new network, or click a LinkUp in the list to edit it.

Configuring a LinkUp

1. Address: Enter a unique Name for the network and choose a Network address.

2. Platform: Strict Checks sets whether clients connecting to this network must validate the SSL certificate of the VSP; Broker Server and Broker Port are displayed for reference. With Strict Checks off a client accepts whatever certificate it is shown, including one presented by a host sitting between the client and the broker, so leave it on and install a certificate the clients can verify (see Certificate Manager).

3. Encryption Cipher: The Cipher Type used for encryption on this network, either AES or Blowfish. Prefer AES: Blowfish has a 64-bit block size, which limits how much traffic can safely be encrypted under a single key.

4. Encryption: The Phrase is the encryption key for this network. You can keep the auto-generated one, generate a new one or type your own. A typed phrase is only as strong as its length and randomness; treat it as a shared secret and distribute it to node owners out of band.

LinkUp Nodes

In a LinkUp, nodes are the computers visible to the VSP while connected. A new LinkUp comes with two nodes: one linking to the VSP and one for a connecting computer.

If the VSP linking node is removed, the VSP disconnects from the VIN and the LinkUp converts to a VPN LP.

Adding and Editing Nodes

When editing a LinkUp, click Add Machine or Add User in the Nodes section to create a new node, or click a node in the list to edit its settings.

Configuring a Machine or User Account Node

Machine accounts are single-use nodes, which are deleted automatically when removed from the network. A Machine account can be a member of only one network, whereas a User account can be used in multiple networks.

When adding a node, either type an existing User account name, or provide a unique name for a new Machine account.

1. Account Details: Type a unique Account name to create a new Machine account, or, when adding a User account, select an existing User's account to give that User access to this network. The Password field is only available for Machine accounts and is mandatory when creating a new one; the controls beside it show the password or automatically generate a hidden one.

2. Additional Node Settings:

   Never Direct: When on, the node routes all traffic via the broker server rather than attempting to communicate peer to peer.

   Persistent: Whether the node automatically connects to this network. Administrators can also use it to make a node reconnect after a reboot.

   Enable Routing: Allows the node computer to route traffic between this network and its other network connection(s). This does not automatically create any routes. Because it turns the node into a gateway between the VIN and whatever else that computer can reach, enable it only where that bridging is intended.

When a node is marked as persistent, its configuration files can be downloaded manually.

When configuring a User account node, select the account from the drop-down list and configure node settings if applicable.

For authentication onto a Network LinkUp network, the size of the certificate key installed and activated on the VSP determines the maximum length of any user's UPN:

- A 2048-bit certificate key allows UPNs of up to 196 bytes.
- A 4096-bit certificate key allows UPNs of up to 386 bytes.

User Manager

User accounts provide access to the VSP and its features, such as Desktop LP and VPN LP. There are two classes of users:

- Administrators: have the rights to set up and configure the VSP platform and to administer users' access.
- General Users: can only access the features (VPN LP, Desktop LP) assigned to them by an Administrator.

There is no limit to the number of groups that can be created.

1. Add User: Creates a new User account.

2. Add Group Button: Creates a new group for categorizing users.

3. Group Drop Down List: Shows the entire list of users ("All Users") or filters by the selected group.

4. Enable Button: Enables all users listed in the currently selected group.

5. Add Button: Adds a new user into the currently selected group.

Adding and Editing Users

Add users to the VSP by clicking the Add User link, or select a user in the list to edit it.

1. Username: Type a unique name for the User that isn't already in the VSP.

2. Email: Provide the user's email address. This is required for a user to be able to reset a password and to receive alerts from the VSP.

3. Password: Type a password for the User account. This grants access to the VSP.

4. Other Options:

   Full Name: Optional and only used for reference.

   Cell Phone: Optional, but may be required by some integrated features.

   Enable Account: Controls whether the user can log in and access features provided by the VSP.

   Global Administrator: Controls whether the user is an Administrator with complete control over the VSP. Grant it only to accounts that must administer the platform; everyone else should be a General User with features assigned individually.

Creating Groups

User groups can be used to organize users and help when assigning permissions.

To create a new user group, click Add in the Group header. Name the group and provide a brief description for future reference.

Assigning Users to Groups

Group membership can be managed on a per-user basis or on a per-group basis. In either case, use the drop-down list to select users. Typing in the drop-down searches or filters to a specific user.

Directory Services Users and Groups

If the VSP has been configured to synchronize users and groups from an Active Directory server, those users and groups are visible in the User Manager. There are, however, a few notes on what an Administrator can do with them:

- A Directory Service is configured through the Directory Services administration feature. Once configured, an admin can synchronize now or wait for the scheduled time to trigger.
- By default, user accounts imported from a Directory Service are initially disabled, to safeguard against accidental account exposure.
- An Administrator is not permitted to delete or edit a user or group managed by a Directory Service; all such management should be performed through the Directory Service's own tools, such as Active Directory.

Certificate Manager

Secure Socket Layer (SSL) certificates are used to create a secure encrypted link between a server and a user's application, such as a browser or email client. SSL certificates are critical when protecting the transfer of sensitive data such as login credentials and personal information.

Uploading SSL Certificates

Click Upload Signed Certificate in Certificate Manager.

The default SSL certificate installed on the VSP is self-signed. Replace it with a certificate issued by a CA that your users' browsers and LinkUp clients trust before the VSP goes into production: a self-signed certificate gives clients no way to tell the VSP apart from an impostor, and users who learn to click through the browser warning will do the same during a real attack.

1. Certificate Details: Type a Certificate Name to identify the new certificate.

2. Choose File: Opens a file dialog to select the PFX file to upload.

3. Password: If your private key is password protected, provide it here.

The PFX file should contain your certificate, its private key and the intermediate certificates. Because the file carries the private key, transfer it only over a trusted channel and delete local copies once the upload succeeds. An uploaded certificate can then be made active on the VSP from Certificate Manager.

Removing SSL Certificates

As certificates expire or become obsolete, remove them from the VSP. Currently assigned certificates, or any in use by a Reverse Proxy, cannot be removed.

To delete a certificate, select it in Certificate Manager and click Delete.

Network Settings

The Network Settings page controls various aspects of your VSP's physical network adapters.

1. General Settings: Sets which adapter to use as the Gateway Device.

2. Override Settings: Overrides any static or DHCP-defined values with these settings. Host Name should match your assigned SSL certificate.

3. Active Settings: Displays the current values reported by the system.

4. Adapter List: Shows the physical adapters. Click one to edit its settings.

Incorrect settings may inhibit normal functioning of the VSP.

Select any field to edit the address. DHCP and On Boot may also be turned on.

Entering incorrect values will stop the VSP from working correctly.

Licencing

The VSP keeps track of licence data for Proxy LP servers, VPN LP nodes and Desktop LP hosts. This includes the total number of licences acquired, the number already in use, validity dates and the key number.

Activating a Licence

To enter or change the licence key, click Activate New Licence. Enter the licence key and click Activate.

Viewing a Licence

Once the licence is activated, its details are displayed on the main Licencing screen.

1. Update: The VSP automatically checks for updates to your licence, but you can click Update to check immediately.

2. Period of Validity: Indicates the dates of your licence period.

3. Entitled to Use: Displays the Total licences available and the Number in use.

Directory Services

The VSP can be integrated with one or more Directory Service servers for authenticating users and managing authorized access to features of the VSP. Microsoft Active Directory (AD) is currently the supported Directory Service.

Directory Service Management

An Administrator can configure the VSP to synchronize user and group information from one or more AD servers. Synchronization can cover the entire directory or be limited to a subtree by assigning a base name. The Directory Services screen provides a general overview.

1. Sync Now: Forces an immediate synchronization of user and group information from the server providing the Directory Service.

2. Add: Creates additional Directory Service synchronization settings.

Adding or Editing Directory Service

Add Directory Service synchronization settings to the VSP by clicking Add, or select an existing Directory Service setting in the list to edit it.

1. Directory Service Name: A descriptive name for these settings.

2. Server: The Directory Server's IPv4 address.

3. Port: The port on the server that provides access to the Directory Service.

4. Encryption Type: The type of encryption used between the VSP and the Directory Service.

   TLS: The default option for Active Directory. The default ports are 389 (domain) or 3268 (global catalog); these are the plain LDAP ports, so the connection is opened unencrypted and then upgraded to TLS. Verify afterwards that the connection really did upgrade, since a server that refuses the upgrade can otherwise leave you on the clear-text port.

   SSL: Active Directory can be accessed over Secure Socket Layer (SSL), with the connection encrypted from the start. The default ports are 636 (domain) or 3269 (global catalog).

   Insecure: An Administrator may choose to connect using no encryption. This is not recommended for production systems: the service account's bind credentials, and the password of every user the VSP authenticates by LDAP bind, then cross the network in clear text. It is available for Active Directory servers on which no SSL certificate is deployed.

5. Base DN: The distinguished name of the path within the directory tree from which user and group information is synchronized. An example base is CN=users, OU=sales, DC=domain, DC=local.

6. Service Authentication: The login credentials of the account that authenticates to the Directory Service to synchronize user and group information to the VSP.

   It is recommended to create a specific user in the Directory Service for this purpose. For Active Directory, the account should:

   - have read-only access to the directory tree (the VSP never writes to the directory);
   - be configured with a password that does not expire;
   - it may reside outside the subtree represented by the Base DN from which user accounts are synchronized.

7. Sync Frequency: Controls how often the VSP synchronizes the Directory Service.

After configuring, all users and groups contained under the specified Base Distinguished Name (Base DN) are imported into the VSP and available for management through User Manager.

By default, all users imported from a Directory Service are initially disabled on the VSP. An administrator must enable each user before they can access features on the VSP.

Directory Service: Encryption

A Directory Service should have suitable encryption between the VSP and the server. The VSP supports SSL and TLS encrypted communications. If encryption cannot be enabled because of the Directory Service's configuration, it is strongly recommended to connect the Directory Service to the VSP through the Network LinkUp feature, so that the clear-text LDAP traffic only ever travels inside the VIN.

Directory Service: Read Only Access

The VSP has no ability to make changes to the Directory Service. It can only read user and group information and authenticate a user via an LDAP bind to the Directory Service.

Directory Service Authentication

When a Directory Service has been configured and synchronized to the VSP, and users have been enabled by an administrator, those users can log in with their Directory Service credentials. The username they provide to the VSP is the User Principal Name (UPN) assigned to their account in Active Directory, in the form <user_name>@<domain_name>. The password for the account is managed entirely through the management tools provided with your Directory Service.

Directory Service: Passwords

User passwords are not cached or synchronized to the VSP. When the password for an account is changed through the Directory Service, the change takes effect immediately.

User accounts in Active Directory that require access to the features of the VSP must be configured with a User Principal Name.

The built-in Microsoft accounts, and User accounts created on the Windows Server before the Active Directory Domain Services role was applied, do not have a User Principal Name assigned and do not appear as users on the VSP. It is recommended not to give the built-in accounts a UPN unless you understand the risks involved: doing so makes highly privileged domain accounts eligible to be enabled for login on the VSP.

Any User account disabled through Active Directory will have its corresponding VSP account disabled during the next synchronization performed by the VSP; use Sync Now to apply the change without waiting for the schedule. Any User account re-enabled through Active Directory will not have its VSP account re-enabled automatically. Administrators must grant access again through the VSP.

Where a firewall exists between the VSP and an Active Directory Domain Controller, it is recommended that a Network LinkUp be constructed with only the VSP and the Domain Controllers as participants. This isolates access to Directory Services from users or nodes assigned to other VIN networks managed on your VSP.

It is recommended that the VSP be configured to synchronize from the global catalog of the Active Directory Domain Controller. If accessing the global catalog is not possible, ensure that the DNS settings for the VSP point to the DNS service on your Active Directory Domain Controllers.
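
The following is an added example and not code from this manual or from iWebGate. It models the synchronization rules stated in the Directory Services sections (an account needs a UPN to be seen at all, imported accounts start disabled, an AD-side disable propagates at the next sync, an AD-side re-enable does not, passwords are never copied) together with the UPN length limits from the LinkUp Nodes section. The AD records, UPNs and the userAccountControl handling are constructed for the example; the VSP's own import code is not public, so this shows the documented behaviour, not the implementation.

```python
"""Added example, not iWebGate code: a model of the Directory Service rules the
manual states for Active Directory users on the VSP. AD records are constructed."""
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002      # userAccountControl bit set when an AD account is disabled
NORMAL_ACCOUNT = 0x0200      # userAccountControl bit for an ordinary user account

# Maximum UPN length in bytes for Network LinkUp authentication, keyed by the
# size of the certificate key active on the VSP (LinkUp Nodes section).
UPN_LIMIT_BY_KEY_BITS = {2048: 196, 4096: 386}


@dataclass
class VspUser:
    upn: str
    enabled: bool = False               # imported accounts start disabled
    managed_by_directory: bool = True   # admins may not edit or delete these on the VSP


def visible_upns(ad_accounts):
    """UPNs the VSP would import. Accounts without a userPrincipalName (built-in
    accounts, accounts created before the AD DS role) are not seen at all."""
    return {a["userPrincipalName"] for a in ad_accounts if a.get("userPrincipalName")}


def sync(vsp_users, ad_accounts):
    """One synchronization pass (scheduled or Sync Now). Returns vsp_users."""
    for acct in ad_accounts:
        upn = acct.get("userPrincipalName")
        if not upn:
            continue
        user = vsp_users.get(upn)
        if user is None:
            vsp_users[upn] = VspUser(upn=upn)        # new: disabled until an admin enables it
        elif acct["userAccountControl"] & ACCOUNTDISABLE:
            user.enabled = False                    # AD disable propagates at next sync
        # An account re-enabled in AD is deliberately left as it is: the manual
        # requires an administrator to grant access again on the VSP.
    return vsp_users


def admin_enable(vsp_users, upn):
    """What the Enable control in User Manager does for one account."""
    vsp_users[upn].enabled = True


def linkup_upn_ok(upn, cert_key_bits):
    """True if this UPN (<user_name>@<domain_name>) fits the limit for the
    certificate key size active on the VSP."""
    limit = UPN_LIMIT_BY_KEY_BITS[cert_key_bits]
    name, sep, domain = upn.partition("@")
    return bool(name and sep and domain) and len(upn.encode("utf-8")) <= limit


if __name__ == "__main__":
    # Constructed AD records: one normal user and one built-in account with no UPN.
    ad = [
        {"sAMAccountName": "alice", "userPrincipalName": "alice@domain.local",
         "userAccountControl": NORMAL_ACCOUNT},
        {"sAMAccountName": "Administrator", "userPrincipalName": "",
         "userAccountControl": NORMAL_ACCOUNT},
    ]
    users = sync({}, ad)
    print(sorted(users))                            # only alice@domain.local
    admin_enable(users, "alice@domain.local")
    ad[0]["userAccountControl"] |= ACCOUNTDISABLE    # disabled in AD ...
    sync(users, ad)
    ad[0]["userAccountControl"] &= ~ACCOUNTDISABLE   # ... then re-enabled in AD
    sync(users, ad)
    print(users["alice@domain.local"].enabled)      # still False: an admin must re-enable
```

The point of the model is the asymmetry: disabling in AD is enough to lock a user out of the VSP at the next sync, but re-enabling in AD is not enough to let them back in, so an operator who re-enables an account in AD and expects VSP access to return will be waiting indefinitely.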

Authentication

The VSP can use multi-factor authentication (MFA) to enhance security. MFA applies to VSP logins automatically and can optionally be turned on for Reverse Proxies.

Google Authenticator

Google Authenticator uses a Time-based One-Time Password (TOTP) algorithm. Users need to install the Google Authenticator app on their mobile device and synchronize it with the VSP.

Toggle the switch to turn on Google Authenticator.

After enabling, all users are asked to enroll a device when they next log into the VSP. They are presented with a code to enter into the Google Authenticator app.

Once enrolled, users cannot log in without Google Authenticator: after logging in with their username and password they are prompted to enter a TOTP code.
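
The following is an added example, not code from this manual or from iWebGate. It shows the TOTP scheme (RFC 6238 over HOTP, RFC 4226) that the VSP and the Google Authenticator app must share, from the server's side: issuing the enrolment secret, and verifying a submitted six-digit code with a small clock-skew window and a replay check. The issuer label, the account name and the secret length are assumptions; the test vectors come from RFC 6238.

```python
"""Added example, not iWebGate code: server-side TOTP as used by Google Authenticator."""
import base64
import hashlib
import hmac
import os
import struct
import time
from urllib.parse import quote

STEP = 30     # seconds per code; Google Authenticator's fixed period
DIGITS = 6    # Google Authenticator's fixed code length


def new_secret(nbytes=20):
    """Random shared secret, base32-encoded as Google Authenticator expects."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii")


def otpauth_uri(secret_b32, account, issuer="VSP"):
    """The string encoded in the enrolment QR code (issuer label is an assumption)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


def hotp(key, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(key, at=None, step=STEP, digits=DIGITS):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(key, int(at) // step, digits)


def verify(secret_b32, submitted, at=None, window=1, last_counter=-1):
    """Check a submitted code against the current step and +/- `window` steps.

    Returns the counter that matched, so the caller can persist it and pass it
    back as `last_counter` to refuse a replay of the same code, or None.
    The comparison is constant-time.
    """
    key = base64.b32decode(secret_b32, casefold=True)
    at = time.time() if at is None else at
    now = int(at) // STEP
    submitted = submitted.strip().replace(" ", "")
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue                      # already consumed: a TOTP code is single-use
        if hmac.compare_digest(hotp(key, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    secret = new_secret()
    print(otpauth_uri(secret, "admin@vsp.example"))
    code = totp(base64.b32decode(secret))
    print("code:", code, "matched step:", verify(secret, code))
```

Two details matter operationally: the window of one step either side tolerates up to about thirty seconds of clock drift between the phone and the VSP, which is why the VSP's NTP egress (UDP 123 in the port table) must work; and storing the last accepted counter is what stops an attacker who shoulder-surfs a code from reusing it within the same thirty-second step.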

Administrators can reset a user's enrolment from a button on the User Manager, available when Google Authenticator is enabled.

SSH Management

SSH access to the root user account on the VSP can be configured to allow password-based logins (the default) or SSH key-based authentication. Password login for root on a host reachable from the Internet is an easy target for password guessing: register an SSH key, confirm that key-based login works, then turn off Allow SSH logons so that only the registered keys can open a session.

1. Allow SSH logons: Toggles whether password authentication is allowed for SSH connections to the VSP.

2. Add: Registers a new SSH key for the root account.

3. Authorised Key for Root Account: Lists each SSH key authorized to log into the VSP through SSH and whether it is currently enabled or disabled. Click a listed key to edit it.

Adding or Editing a SSH Key

1. Public SSH Key: The pasted public key must be in OpenSSH protocol 2 format and may be either an RSA or a DSA public key. Use RSA keys of at least 2048 bits: OpenSSH DSA keys are fixed at 1024 bits and OpenSSH has refused them by default since version 7.0, so a DSA key registered here may not be usable from a current client.

2. Enabled: Toggles the key on or off. If disabled, authentication with this key is rejected.
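
The following is an added example, not code from this manual or from iWebGate, showing the checks worth applying to a key before pasting it into the form above: that the line is well-formed OpenSSH protocol 2 format, that the declared type matches the encoded key body, and that the key meets a size policy (RSA of at least 2048 bits, DSA refused). The 2048-bit threshold is a policy choice, not a VSP requirement, and the test keys are constructed with synthetic numbers purely to exercise the parser.

```python
"""Added example, not iWebGate code: policy checks for a public key destined for
the root account. Accepts RSA >= 2048 bits, refuses DSA and malformed input."""
import base64
import binascii
import struct

MIN_RSA_BITS = 2048   # policy threshold, an assumption of this example


def _read_string(blob, pos):
    """Read one SSH wire-format string (uint32 length, then bytes) at pos."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + length], pos + length


def _string(data):
    """Encode bytes as an SSH wire-format string."""
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    """Encode a positive integer as an SSH mpint (big-endian, leading 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def parse_public_key(line):
    """Return (key_type, bits, comment) for an OpenSSH public key line, or raise ValueError."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key body is not valid base64") from exc
    wire_type, pos = _read_string(blob, 0)
    if wire_type != declared.encode("ascii", "replace"):
        raise ValueError("declared key type does not match the key body")
    if declared == "ssh-rsa":
        _e, pos = _read_string(blob, pos)       # public exponent e
        n, pos = _read_string(blob, pos)        # modulus n
        bits = int.from_bytes(n, "big").bit_length()
    elif declared == "ssh-dss":
        p, pos = _read_string(blob, pos)        # DSA prime p; OpenSSH only generates 1024-bit
        bits = int.from_bytes(p, "big").bit_length()
    else:
        raise ValueError(f"unsupported key type {declared!r}")
    return declared, bits, comment


def acceptable(line):
    """Policy decision for the Add SSH Key form: (ok, reason)."""
    try:
        key_type, bits, _ = parse_public_key(line)
    except ValueError as exc:
        return False, str(exc)
    if key_type == "ssh-dss":
        return False, "DSA keys are 1024-bit and refused by default since OpenSSH 7.0"
    if bits < MIN_RSA_BITS:
        return False, f"RSA key is {bits} bits; at least {MIN_RSA_BITS} required"
    return True, f"{key_type} {bits} bits"


def make_test_line(key_type, bits, comment="constructed"):
    """Constructed key line for exercising the parser: correct wire format, but
    synthetic numbers, so it is NOT a usable key."""
    value = (1 << (bits - 1)) | 1              # odd and exactly `bits` bits long
    if key_type == "ssh-rsa":
        blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(value)
    else:
        blob = _string(b"ssh-dss") + _mpint(value)   # p only; q, g, y omitted
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"


if __name__ == "__main__":
    for sample in (make_test_line("ssh-rsa", 4096), make_test_line("ssh-rsa", 1024),
                   make_test_line("ssh-dss", 1024), "ssh-ed25519 AAAA nobody"):
        print(acceptable(sample))
```

The type check against the encoded body is the one most often skipped: the form only sees text, and a line that says ssh-rsa in front of a different key body would otherwise be accepted as an RSA key.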

Log Archive

Log Archive allows log data to be transferred to a remote file server for offsite storage. When configured, log files are automatically archived and transferred at midnight. A manual archive can be performed at any time.

Log Archive Settings

The remote server settings can be entered once the Secure Copy key (see Backup) has been saved to the remote server.

1. Hostname: The host name or IP address of the remote server running SSH.

2. Port: The port of the SSH service (default 22).

3. Username: The username of the shell account into which the Secure Copy Key has been deployed.

4. Path: The location on the destination server where the log files are stored. The location must end with a trailing / and may be either an absolute path (e.g. /path/to/backups/) or a path relative to the home directory of the specified username (e.g. path/to/backups/).

Backup

The configuration of the VSP can be backed up offsite to a remote location. The backup can be scheduled to occur at chosen times of the day or initiated manually.

Secure Copy Key

The first step in configuring remote backups or Log Archive is to copy the Secure Copy public key into a shell account on the destination server. Typically, the public key is pasted as a line into the file /home/<username>/.ssh/authorized_keys on the destination server. That account then accepts logins from whoever holds the VSP's private key, so use a dedicated account with no more access than the backup path needs.

1. Copy: Copies the public key to your clipboard.

2. Re-Generate: Creates a new key pair. The previously deployed public key no longer matches and must be replaced on every destination server.
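
The following is an added example, not code from this manual or from iWebGate. It deploys the VSP's Secure Copy public key into the destination account's authorized_keys with the options that restrict what the key can do (only from the VSP's address, no terminal, no port, agent or X11 forwarding), and does so idempotently with the file and directory permissions sshd requires. The key line, the address 203.0.113.10 and the paths are constructed for the example; the option names are standard OpenSSH authorized_keys options.

```python
"""Added example, not iWebGate code: install the VSP's Secure Copy public key with
least-privilege authorized_keys options on the backup / log archive server."""
import base64
import binascii
import os

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Options understood by every OpenSSH release: no terminal, no forwarding of any kind.
RESTRICTIONS = ("no-pty", "no-agent-forwarding", "no-port-forwarding", "no-X11-forwarding")


def key_identity(line):
    """(type, base64 body) of an authorized_keys or public key line, ignoring any
    leading options and trailing comment. Options containing spaces are not handled."""
    fields = line.strip().split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            try:
                base64.b64decode(fields[i + 1], validate=True)
            except binascii.Error as exc:
                raise ValueError("key body is not valid base64") from exc
            return field, fields[i + 1]
    raise ValueError("not an OpenSSH public key line")


def restricted_entry(pubkey_line, allowed_from, comment="vsp-secure-copy"):
    """authorized_keys line for the VSP key, usable only from `allowed_from`
    (host names, addresses or CIDR patterns as accepted by the from= option)."""
    if not allowed_from:
        raise ValueError("restrict the key to the VSP's address(es)")
    key_type, body = key_identity(pubkey_line)
    parts = pubkey_line.strip().split(None, 2)
    if len(parts) == 3 and parts[0] in KEY_TYPES:
        comment = parts[2]                      # keep the comment the VSP supplied
    options = f'from="{",".join(allowed_from)}",' + ",".join(RESTRICTIONS)
    return f"{options} {key_type} {body} {comment}"


def install(authorized_keys, entry):
    """Append entry unless a line for the same key already exists. Creates the
    directory as 0700 and the file as 0600, which sshd insists on. Returns True if written."""
    ssh_dir = os.path.dirname(authorized_keys)
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    wanted = key_identity(entry)
    if os.path.exists(authorized_keys):
        with open(authorized_keys) as fh:
            for line in fh:
                try:
                    if key_identity(line) == wanted:
                        return False          # same key already present (options may differ)
                except ValueError:
                    continue                  # comment or blank line
    with open(authorized_keys, "a") as fh:
        fh.write(entry + "\n")
    os.chmod(authorized_keys, 0o600)
    return True


if __name__ == "__main__":
    # Constructed: only the "ssh-rsa" type prefix of a key body, not a real key.
    vsp_key = "ssh-rsa AAAAB3NzaC1yc2E= vsp-backup"
    print(restricted_entry(vsp_key, ["203.0.113.10"]))
```

If the destination server is new enough (OpenSSH 7.2 or later) the single option restrict covers all of the no-* options above and any added later; the explicit list is used here because it also works on older servers.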

Backup Settings

This configures the offsite location to which the VSP transfers backup files. The VSP identifies itself to the remote server using the private key corresponding to the Secure Copy key that has been deployed to the remote server.

1. Hostname: The host name or IP address of the remote server running SSH.

2. Port: The port of the SSH service (default 22).

3. Username: The username of the shell account into which the Secure Copy Key has been deployed.

4. Path: The location on the destination server where the backup files are stored. The location must end with a trailing / and may be either an absolute path (e.g. /path/to/backups/) or a path relative to the home directory of the specified username (e.g. path/to/backups/).

Backup Schedule

Specific times can be selected for the daily VSP backup.

When a scheduled backup occurs, a backup file is transferred from the VSP to the location on the backup server specified in the Path field. The backup file name has the form <hostname>-<timestamp>.tar.bz2.

This backup file can restore the VSP to its state at the time the backup was performed. Because it is sufficient to rebuild the VSP in full, it carries the VSP's configuration and must be protected at rest as carefully as the VSP itself.

A backup can only be started, manually or on schedule, once an offsite location has been configured.

Restore

To restore a backup, a user must first have a copy of the backup file on their local computer. The backup file name has the form <hostname>-<timestamp>.tar.bz2.

A valid email address must be set on the user account used to perform the restore.

When started, the restore process temporarily stops all services on the VSP. An email notification is sent when the restore is complete and all services have been restarted.

For services to be fully operational, the restored VSP instance must be licensed either before the restore or immediately afterwards.


Upload Backup

Backup files made from an older VSP release can be uploaded to a more recent version.

1. Backup File: Displays the backup file to restore.

2. Reset Google Authentication Enrolments: Forces all users who have been restored from the backup to re-enroll their account with Google Authenticator.

3. Restore: Begins the restore process.


Importing Users

Rather than adding users manually through User Manager, many users can be imported using a CSV (comma-separated values) file.

From the Import Users screen, click Choose File to select a CSV file.

Import Summary displays the outcome of each import along with any possible issues for each user.


VPN LP

VPN LP creates Virtual Invisible Networks (VIN) using iWebGate's patented broker and peer technology. Use VPN LP to easily create individual virtual networks to securely connect devices or networks to each other.

Because each VIN can operate independently of the others, multi-layered networks can be created without any additional hardware.

Adding and Editing a VPN

Click Add VPN on the VPN LP screen to create a new network, or select a VPN from the list to edit it.

The VSP broker facilitates connectivity between your devices, but does not join the network or decrypt any of the traffic.


Configuring a VPN

1. Address: Enter a unique Name for the network, and choose a Network address.

2. Platform: Strict Checks sets whether clients connecting to this network should validate the SSL certificate of the VSP; Broker Server and Broker Port are displayed for reference.

3. Encryption Cipher: The Cipher Type to use for the encryption on this network. This can be AES or Blowfish.

4. Encryption: The Phrase is the encryption key for this network. You can keep the auto-generated one, generate a new one, or type your own.


VPN Nodes

Nodes in a VPN are the computers that will be visible to each other when they are connected.

Adding and Editing Nodes

When editing a VPN, click Add Machine or Add User in the Nodes section to create a new node, or click a node in the list to edit the settings for it.

Configuring a Machine or User Account Node

Machine accounts are single-use nodes and are deleted automatically if removed from the network. These accounts can only be a member of a single network, but User accounts can be used in multiple networks.

When adding a node, either type an existing User account name, or provide a unique name for a new Machine account.

(Screenshot callouts: (1) an icon that shows the password; (2) an icon that automatically generates a hidden password.)


1. Account Details: Type a unique Account name to create a new Machine account, or, in the case of adding a User account, select an existing User's account to provide that User access to this network. The Password field is only available for Machine accounts and is mandatory when creating a new one.

2. Additional Node Settings:

Never Direct: When this is on, the node is instructed to route all traffic via the broker server rather than trying to communicate peer to peer.

Persistent: Instructs the node whether or not to automatically connect to this network. Can also be used by administrators to set a node to reconnect after a reboot.

Enable Routing: Allows the node computer to route traffic between this network and its other network connection(s). This does not automatically create any routing.

When a node is marked as persistent, the configuration files can be manually downloaded.


When configuring a User account node, select the account from the drop-down list and configure node settings if applicable.

For authentication onto a VPN LP network, the certificate key size installed and activated on the VSP determines the maximum length of any user's UPN:

A certificate key size of 2048 bits allows UPN usernames of up to 196 bytes.

A certificate key size of 4096 bits allows UPN usernames of up to 386 bytes.

Desktop LP

Desktop LP provides secure access to remote computers by tunneling VNC, SSH or RDP services. Access is IP restricted at the time a user tries to connect, and incoming connections must be established within 20 seconds.

Standard RDP and VNC configuration options can be configured and sent to users connecting through the VSP.

Before using Desktop LP, the remote computer needs to be accessible to the VSP either by being on the same network or as a Network LinkUp node.


Configuring Remote Connections

To add remote connections to Desktop LP, click Add Host Computer. Name the new connection, and choose a connection type from the drop-down list.


RDP Connection Options

Creating an RDP connection will send an RDP6 configuration file when users connect, which can be used with a compatible RDP client.

In the General tab, provide the Remote Computer name or IP address and the internal RDP Port used. Username and Domain Name are optional fields and will pre-fill for the user when they connect.

The Display tab allows you to change the appearance settings of the RDP file.


In the Resources tab, set the peripheral device options.

In the Program tab, configure any applications that are to start on the remote computer after the connection is established.

The Experience tab provides adjustments to connection performance options.


In the Advanced tab, set the authentication level for the RDP connection.

Use the Access tab to specify which users or groups can access and see a remote connection. Only users marked in the access list will be able to use this connection. Check a group to add all users in that group, or expand the All Users group with the icon to select individual users.


VNC Connection Options

Creating a VNC connection will send a VNC configuration file when users connect, which can be used with a compatible VNC client.

In the General tab, provide the Remote Computer name or IP address and the internal VNC Port used. Username is an optional field and will pre-fill for the user when they connect.

The Display tab allows you to change the appearance settings of the VNC file.


In the Resources tab, change any control options or device mappings.

The Experience tab adjusts connection performance options.


Use the Access tab to specify which users or groups can access and see a remote connection. Only users marked in the access list will be able to use this connection. Check a group to add all users in that group, or expand the All Users group with the icon to select individual users.

SSH Connection Options

Creating an SSH connection will allow users to connect with a compatible SSH client. Users will need to manage their own SSH client, as no configuration file is sent.

In the General tab, provide the Remote Computer name or IP address and the internal SSH Port used.

Use the Access tab to specify which users or groups can access and see a remote connection. Only users marked in the access list will be able to use this connection. Check a group to add all users in that group, or expand the All Users group with the icon to select individual users.


Proxy LP

Proxy LP protects web and mail servers by enhancing their SSL security and preventing direct access to the computers. Proxy LP includes a number of proxy management tools, including web proxy integration with Multi-factor Authentication (MFA).

Creating Reverse Proxies

A reverse proxy provides an additional level of control and security to ensure the smooth flow of network traffic between client and server.

After clicking Proxy LP on the sidebar, click Reverse Proxy from the list.

Backends

A proxy Backend is a group that will contain information about your internal server or servers. You should only group together servers that are hosting identical content.

In Proxy LP's Reverse Proxy main menu, click Add next to Backends.

Configure your DNS (Domain Name System) to direct domains to proxy to the IP address of the VSP.


Type a name for the Backend and whether your internal servers are using SSL. The Load Balancing options take effect if there is more than one server in this backend group.

The options for load balancing are:

Round-Robin: Forwards each request to the next server in the pool and treats all servers as equals.

Least Connected: Directs connections to the server with the fewest connections in use. This is effective in smoothing distribution when a server becomes bogged down.

IP-Hash: Ensures that user sessions from the same IP address are sticky to a single backend server.
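A small model of the three load-balancing modes, added here as an example and not the VSP's or iWebGate's own code: it runs Round-Robin, Least Connected and IP-Hash over a constructed pool of identical backends and shows how the chosen server differs once some connections stay open. The hash used for IP-Hash is an assumption of this model, not the VSP's algorithm.

```python
"""Added example (not the VSP's or iWebGate's own code): a model of the three
Backend load-balancing modes described above, run over a constructed server pool."""
import hashlib
import itertools


class Pool:
    """A backend group; `active` tracks open connections per server."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.active = {s: 0 for s in self.servers}
        self._cycle = itertools.cycle(self.servers)

    def round_robin(self):
        """Forward each request to the next server; current load is ignored."""
        return next(self._cycle)

    def least_connected(self):
        """Pick the server with the fewest open connections (first wins ties)."""
        return min(self.servers, key=lambda s: self.active[s])

    def ip_hash(self, client_ip):
        """Map a client IP to a fixed server so its session stays sticky for as
        long as pool membership does not change. SHA-256 is an assumption of
        this model, not the VSP's hashing scheme."""
        digest = hashlib.sha256(client_ip.encode()).digest()
        return self.servers[int.from_bytes(digest[:4], "big") % len(self.servers)]


def simulate(mode, requests, servers):
    """requests: list of (client_ip, keep_open). Returns the server chosen for
    each request; connections flagged keep_open stay open for later picks, which
    is what makes least_connected diverge from round_robin."""
    pool = Pool(servers)
    chosen = []
    for client_ip, keep_open in requests:
        if mode == "round_robin":
            server = pool.round_robin()
        elif mode == "least_connected":
            server = pool.least_connected()
        elif mode == "ip_hash":
            server = pool.ip_hash(client_ip)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        if keep_open:
            pool.active[server] += 1
        chosen.append(server)
    return chosen


if __name__ == "__main__":
    # Constructed sample: three identical backends and four client requests.
    pool_servers = ["10.0.0.11:80", "10.0.0.12:80", "10.0.0.13:80"]
    reqs = [("203.0.113.5", True), ("203.0.113.6", False),
            ("203.0.113.7", False), ("203.0.113.8", True)]
    for mode in ("round_robin", "least_connected", "ip_hash"):
        print(mode, simulate(mode, reqs, pool_servers))
```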

In the Server section of Backends, click Add to input information on a new internal web server.


Type the server's IP address and port; select any additional options, such as making the backend act as a backup server, before clicking OK.

When finished adding servers, click Save to return to the Reverse Proxy main screen.

Frontends

A proxy Frontend configures host-level or folder-level proxy services. This is where the domain names or URLs are set for the VSP to respond to and connect to a backend server group.

Configure a Host proxy when all traffic will be directed to your backend servers, for example www.yourdomain.com. Host proxies require a Fully Qualified Domain Name (FQDN) and appropriate DNS entries to operate.

Configure a Folder proxy when only specific paths will be directed to your backend server, for example www.yourvsp.com/owa. Folder proxies use the VSP hostname, and do not require additional FQDN or DNS entries to operate.

At least one backend should be configured before proceeding.


In Proxy LP's Reverse Proxy main menu, click Add next to Frontends.

If adding a host proxy, click the Host Proxy option.

1. Name: Enter a reference Name for the new proxy.

2. Hostname: Provide the Hostname the proxy will respond to.


3. Port: Set the external Port you will forward to the VSP for this service.

4. Backend: Select a Backend server group.

5. Certificate: If using SSL, choose a Certificate.

6. MFA: Turn on MFA if needed.

To add a new folder map, click the Folder Proxy option in the Add Proxy module.

1. Name: Enter a reference Name for the new proxy.

2. Hostname: The Hostname is automatically set to your VSP hostname for folder proxies.

3. Port: Set the external Port to forward to the VSP for this service.

4. Backend: Select a Backend server group.

5. Certificate: If using SSL, choose your VSP Certificate. Leave this as No certificate if using the standard port 443 for SSL.

6. MFA: This turns MFA on or off for all folders in this proxy. Use the individual folder settings to determine the final MFA setup.


Choose a pre-configured set of folders from the Folder Maps list and click Add; or type the web folder in the space provided and click Add.

Authentication

Reverse proxies can use the MFA configured in the Authentication section of the VSP administration.

To configure proxy authentication, click Configure MFA in the main Reverse Proxy module.

Select the desired 1st Factor Type. This is the authentication users must first pass to get through to the backend proxy servers.


Establishing Email Proxies

Email proxy services allow secure access to email servers through the VSP along with email virus scanning and spam filtering.

If adjusting existing email DNS or MX to point to your VSP, no client changes are required. Otherwise, you may need to update client settings to include your VSP hostname.

To add a new mail server, click Email Proxy from the Proxy LP menu. Click Add Mail server in Email Proxy. Enter the Mail Server hostname or IP address.

Email proxy supports all protocols, including SMTP, POP3 and IMAP4, without individual configurations.


Add any email domains that your VSP will receive SMTP for to the Delivery section. Add domains for user emails in the Collection section.

Choosing to authenticate unqualified usernames allows users to attempt authentication against this mail server without using a login domain specified in the list.

Release Notes

The VSP has been updated with new capabilities in many different service areas.

What’s New for 4.0.14

Administration Menu:

New user interface menu layout

New Administration features:

SSH key management

Backup and Restore

Offsite log file archive

Login and logout audit logging


Desktop LP:

Fixes for various memory leaks when bridging RDP, VNC, and SSH connections

VPN LP and Network LinkUp:

Fixed packet fragmentation performance issue

Proxy LP:

Security improvement to mitigate HTTPoxy vulnerability
