This utility helps you configure VPN client-to-site services on your network. You can modify or delete the existing client-to-site services. You can also configure a new client-to-site service.
On this page you can view the configured client-to-site services. A default client-to-site service is created when you configure a server as a VPN Server.
Figure 47
Use the Context list to select the Novell eDirectory context in which you want to view the already configured VPN client-to-site services. Select Subtree Level for a detailed context check. The Subtree Level search shows all VPN servers residing in all subcontexts. To change the context, click the Browse button and select the context. After selecting the context, click Update List.
Click New to add a new client-to-site service.
Click OK to go back to the main configuration page.
You can configure any one of the following parameters:
These are the general properties of the client-to-site service. Make sure to click the Apply button if you have made any modifications to the general parameters.
The following illustration reflects the default values.
Figure 48
Choose the Trusted Root Container for the client-to-site service. You can configure one or more of the following:
Inactivity Timeout: Specifies amount of time that a connection to a VPN client remains up if no encrypted data is received by the server from the client. The default value is 15 minutes.
Keep Alive Automatically: A connection from a VPN client remains up indefinitely even if no data is sent or received. The default is Disabled. Enable this if you want to keep the connection alive indefinitely.
Address Pool: This is used to assign a private address to the VPN client. The administrator must assign an address pool in the client-to-site service, and this address pool must not fall within any protected network behind this server or include the tunnel IP assigned to the server. This avoids an IP address conflict between two different clients that have the same IP address while residing behind two different NATs. During a session, after the IP address assignment is done, the client can access resources beyond the VPN server if these resources have the VPN server's IP address as their default gateway. At least one address pool entry needs to be configured. The default client-to-site service is associated with the network range 1.0.0.0 - 255.0.0.0. This does not work if the address pool is assigned on the same subnet as the VPN server interface.
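The address pool constraints above (no overlap with protected networks, must not contain the server's tunnel IP, must not sit on the server interface subnet) are easy to get wrong by hand. The following added check is not part of the Novell documentation or product; the protected networks, tunnel IP and interface address are constructed sample values for a hypothetical server.

```python
"""Validate a proposed client-to-site address pool against the stated rules."""
import ipaddress

# Constructed sample configuration for a hypothetical VPN server.
PROTECTED_NETWORKS = [ipaddress.ip_network("10.10.0.0/16"),
                      ipaddress.ip_network("192.168.50.0/24")]
TUNNEL_IP = ipaddress.ip_address("172.16.0.1")
SERVER_INTERFACE = ipaddress.ip_interface("203.0.113.10/24")  # public side


def pool_from_range(first, last):
    """Turn a 'first - last' pool entry into the covering CIDR subnets."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def check_address_pool(first, last, protected=PROTECTED_NETWORKS,
                       tunnel_ip=TUNNEL_IP, iface=SERVER_INTERFACE):
    """Return a list of problems with the pool; an empty list means it is usable."""
    problems = []
    for net in pool_from_range(first, last):
        # The pool must not fall within any protected network behind the server.
        for p in protected:
            if net.overlaps(p):
                problems.append(f"{net} overlaps protected network {p}")
        # The pool must not include the tunnel IP assigned to the server.
        if tunnel_ip in net:
            problems.append(f"{net} contains the server tunnel IP {tunnel_ip}")
        # A pool on the server interface's own subnet does not work.
        if net.overlaps(iface.network):
            problems.append(
                f"{net} is on the server interface subnet {iface.network}")
    return problems


if __name__ == "__main__":
    for rng in [("172.16.1.0", "172.16.1.255"), ("10.10.5.0", "10.10.5.255")]:
        print(rng, check_address_pool(*rng) or "OK")
```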
Specify the client-to-site service name, then click Apply if you have made any changes to the general parameters. Click OK if you want to save and exit this configuration.
Traffic Rules are policies that govern accessibility for a user through a VPN connection. You can add, modify, or delete traffic rules for the client-to-site service. You can also change the priority of a traffic rule by moving it up or down the list. The traffic rule at the top of the list has the highest priority.
HINT: A default traffic rule is automatically created. The default action of this traffic rule is to deny all packets. You need to modify the action of this default traffic rule.
Figure 49
Click New to add a new traffic rule.
You can configure any one of the following in a traffic rule.
Define Destination: Destinations to which the rule will apply. These are the protected networks that can be reached.
HINT: The service provides the facility to configure and store your entries as profiles that can be used later when you log in to the service.
On entering the name and expanding the up or down button, the following view is available.
On expanding each of the rules, the following can be configured.
Use this page to define the users to whom this rule will apply. Click Define User to see this page. The values shown on the page are the default values. You can modify them.
You can apply this rule to any user, or you can specify a list of users or certificate users.
If you want to select a user list to which you want to apply this rule, select the Only User List option button. You can create a list of users or certificate users. To add users, click Add. To add certificate users, click Add Certificate User. This service also provides for selection of user groups or a group of users with a shared context.
The following two kinds of users can be selected here:
Click Add and select the user from the page. It should be one of the underlined items.
Click Browse to find the User. The User might be in a context. Click the Context down-arrow to search for a User within a context.
The page displays the user list after an Administrator user is selected from the list.
NOTE: This is for the NMAS-NDS user.
Click Add Certificate User to open the dialog box.
HINT: Specify the Certificate Subject Name of the user. Subject Alternative Names can also be specified. Specify the same Certificate Subject Name that you provided while creating User Certificates in ConsoleOne.
The certificate subject name should be in the format cn=admin.o=novell or o=novell.cn=admin. For the exact subject name, view the certificate subject name from the user certificate.
To view the certificate subject name go to ConsoleOne and right-click the User Object > Properties > Security > Certificate. Select the certificate from the list, then click Details.
Select the Add Another One check box if you want to add another Certificate User. Click OK. If you have selected the Add Another One check box, the same dialog box will appear again; if not, the next page is displayed.
The LDAP Group or User name allows the administrator to specify the user or group identities that are allowed to use the LDAP form of authentication for VPN. When the user authenticates using the LDAP mode, the LDAP NMAS method associates one of the configured user or group names from this list as the user's identity. The list is unordered. If both the user's own name and the name of a group he belongs to are present in the list, the username is selected as the identity. Otherwise, if the user belongs to any of the groups in the list, that group name is chosen as the user's authenticating identity. Later, the authenticating identity is compared against the traffic rules to match the policy to be applied for this client-to-site connection.
For example:
The client-to-site LDAP group or username list contains the following LDAP distinguished names:
cn=group1,o=xyz
cn=group2,o=xyz
cn=user1,o=xyz
The client-to-site traffic rules contains the following LDAP identity-based rules, in the following priority order:
Rule1: cn=group2,o=xyz - Encrypt
Rule2: cn=user1,o=xyz - Bypass
Rule3: cn=group1,o=xyz - Deny
If a user cn=user1,o=xyz (who is also a member of group1 and group2) authenticates, the identity is assigned as cn=user1,o=xyz, and Rule2 is applied for traffic.
If a user cn=user2,o=novell (who is also a member of group1 and group2) authenticates, the identity is ascertained by comparing the user's groups with the LDAP group or user list during authentication. The one that matches is assigned as the identity. The same identity (either group1 or group2) is later used to select the traffic rule to be applied. If a user belongs to multiple groups, the identity might match the traffic rules based on any one of the groups.
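The identity selection and priority-ordered traffic rule matching described above, worked through in code on the page's own example. This is an added model of the described behaviour, not BorderManager code; group membership is passed in directly, and DNs are compared after lowercasing and trimming whitespace around commas.

```python
"""Model of LDAP identity selection followed by traffic rule lookup."""


def normalize_dn(dn):
    """Canonical form so 'cn=group2, o=xyz' and 'cn=group2,o=xyz' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def select_identity(user_dn, user_groups, identity_list):
    """Pick the authenticating identity from the configured LDAP user/group list.

    The user's own DN wins if it is listed. Otherwise any listed group the user
    belongs to is chosen; the real list is unordered, so which group wins is not
    deterministic in the product. Here the first listed group in user_groups wins.
    Returns None if neither the user nor any of the groups is listed.
    """
    listed = {normalize_dn(d) for d in identity_list}
    if normalize_dn(user_dn) in listed:
        return normalize_dn(user_dn)
    for group in user_groups:
        if normalize_dn(group) in listed:
            return normalize_dn(group)
    return None


def match_traffic_rule(identity, rules, default_action="Deny"):
    """Rules are (identity_dn, action) pairs, highest priority first.

    The automatically created default rule denies all packets, so Deny is the
    fallback when no identity-based rule matches (or no identity was assigned).
    """
    for rule_dn, action in rules:
        if identity is not None and normalize_dn(rule_dn) == identity:
            return action
    return default_action


# The example configuration from the text above.
IDENTITY_LIST = ["cn=group1,o=xyz", "cn=group2,o=xyz", "cn=user1,o=xyz"]
TRAFFIC_RULES = [("cn=group2, o=xyz", "Encrypt"),   # Rule1
                 ("cn=user1,o=xyz", "Bypass"),      # Rule2
                 ("cn=group1,o=xyz", "Deny")]       # Rule3
GROUPS = ["cn=group1,o=xyz", "cn=group2,o=xyz"]     # both users belong to both


def action_for(user_dn, groups=GROUPS):
    """Return (assigned identity, traffic action) for an authenticating user."""
    identity = select_identity(user_dn, groups, IDENTITY_LIST)
    return identity, match_traffic_rule(identity, TRAFFIC_RULES)
```

Because group order decides the identity for user2, the same user can end up under Rule1 (Encrypt) or Rule3 (Deny), which is the ambiguity the text warns about.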
Use this page to define destinations to which the rule will apply. Click Define Destination to see this page. The values shown on the page are the default values. You can modify them.
Figure 51
NOTE: You can specify only one address range or network entry per rule.
Use this page to define the services to which the rule is applied.
Click Define Service to see this page. The values shown on the page are the default values. You can modify them.
Figure 52
The default service is Any Protocol. You can select the protocol to which the traffic rule is applied. For TCP protocols less than 1024, you can also specify the service port.
NOTE: You can specify one port at a time. If you want to set up more ports, specify new traffic rules for each port.
Use this page to define the action that has to be performed.
Click Define Action to see this page. The values shown on the page are the default values. You can modify them.
Figure 53
You can choose to discard, bypass (allow unencrypted), or encrypt the packets that match this traffic rule. If the action is Encrypt, you can also configure the encryption and authentication algorithms and the IKE lifetime.
Authentication Rules are policies that govern authentication of a user to a VPN server.
You can add, modify, or delete authentication rules for the client-to-site service. You can also change the priority of an authentication rule by moving it up or down the list. The authentication rule at the top of the list has the highest priority.
HINT: A default authentication rule is automatically created. The default action of this authentication rule is to deny all users. The default authentication rule always has the lowest priority in the authentication rule list.
Figure 54
You can configure any of the following in an authentication rule:
HINT: The service provides the facility to configure and store your entries as profiles that can be used later when you log in to the service.
Specify the name of the traffic rule. The following are discussed here:
Use this page to define the users to whom this rule will apply. Click Define User to see this page. The values shown on the page are the default values. You can modify them.
You can apply this rule to any user, or you can specify a list of users or certificate users. See Traffic Rules > Define User for details on this page.
Use this page to define the type of authentication to be performed. Click Authentication Condition to see this page. In Novell BorderManager 3.7, you could use vpncfg to verify the authentication data of the server shown during VPN client login. With Novell BorderManager 3.8, the authentication data of the server for the NMAS mode of authentication cannot be checked on the server side. Checking authentication data works only for the backward compatibility mode. There are no default values for this condition.
To define an authentication type:
You can select either Certificate Authentication or NMAS Authentication. If you select Certificate Authentication, you must configure one or more trusted roots. For NMAS Authentication, you can also configure the clearance level (Minimum Allowed Authentication Grade). For more details refer to the NMAS documentation.
Select Allow Certificate Authentication, then click Add to open the next page.
Select Trusted Root Object from the list.
If you selected Allow NMAS Authentication, you can configure the clearance level as shown in the illustration above. In this page, Password has been selected as the clearance level.
NOTE: Unless you have already configured a default security clearance for the users to a clearance level other than the one available at login, keep the minimum allowed authentication grade at Logged In (the default).
Log into the iManager server.
Choose the VPN client-to-site configuration on the VPN server under NBM VPN Configuration.
Select the client-to-site service on the service list.
Go to Authentication Rules > Click New.
Provide the Rule Name.
Select Define User, and click the All Users radio button.
Select Authentication Condition; the following screen is displayed.
Figure 55
Check Allow NMAS Authentication as shown in the figure.
Select Allow/Deny Users, and check the Allow check box.
Click Apply, then click OK.
Configure LDAP to enable a remote authoritative directory for NMAS authentication using LDAP methods.
IMPORTANT: LDAP authentication uses SSL connections for authenticating the user from the Novell BorderManager server to the LDAP server. This requires the administrator to specify the trusted root container containing the Trusted Root object of the LDAP server.
The LDAP trusted root container configured for this purpose should contain only valid LDAP trusted root certificates, because the LDAP SSL client will fail to read certificates that are not valid LDAP trusted root certificates. Sometimes the LDAP SSL client fails to read some third-party certificates. We recommend that you create a separate trusted root container for storing LDAP trusted root certificates, and use it in the client-to-site LDAP configuration.
Figure 56
Remote LDAP Server Name: The name or IP address of the remote LDAP server to which the VPN server will talk for LDAP authentication.
LDAP Port: The LDAP secured port used by the VPN server to establish an SSL connection. The default value is 636.
LDAP Trusted Root Container: This should contain the remote LDAP server's issuer certificate. The certificate can be created from the remote LDAP server certificate.
LDAP Remote User or Group Name: The User or Group name of the remote LDAP user from the local Novell eDirectory. The names should have complete information, such as cn=admin, o=novell.
Use this page to configure the DNS/SLP settings to be applied on the Windows workstation during a VPN session.
Figure 57
DNS Configuration Address List: The address list of the DNS servers applied in the client during the VPN session. After a connection ends, the client gets back its original DNS information.
SLP Configuration Address List: The address list of the directory agents applied in the client during the VPN session. This is applicable if Novell authentication is taking place during the VPN session. After a connection ends, the client will get back its original SLP information.