WatchGuard Technologies SSL VPN Water Heater User Manual


 
Administration Guide 95
Configuring Properties for a User Group
Choosing a portal page for a group
By default, all users log on to the Firebox SSL VPN Gateway using the Secure Access Client from the
default portal page or by downloading and installing the Secure Access Client on their computer. You
can load custom portal pages on the Firebox SSL VPN Gateway, as described in “Using Portal Pages” on
page 38, and then select a portal page for each group. This enables you to control which of the Firebox
SSL VPN Gateway clients are available by group.
Note
Disabling portal page authentication on the Global Policies page overrides the Portal Page setting for all
groups. For more information, see “Enabling Portal Page Authentication” on page 41.
To specify a portal page for a group
1 On the Access Policy Manager tab, under User Groups, right-click a group and click Properties.
2 On the Gateway Portal tab, under Portal Configuration, click Use Custom Portal Page.
3 In Use this custom portal page, select the page.
4 Click OK.
Client certificate criteria configuration
To specify criteria that client certificates must meet, use a Boolean expression. To belong to a group, the
user must meet the certificate criteria in addition to passing all other authentication rules that are
configured for that group. For example, the following criteria require that the subject field of the client
certificate provided by a user has the Organizational Unit (OU) set to Accounting and the Common Name
(CN) attribute set to a value matching the user's local user name on the Firebox SSL VPN Gateway:
client_cert_end_user_subject_organizational_unit="Accounting" and username=client_cert_end_user_subject_common_name
Valid operators for the client certificate are as follows:
and    logical AND
=      equality test
Valid constants for the criteria are:
true   logical TRUE
Valid variables for the criteria are:
username                                            local user name on the Firebox SSL VPN Gateway
client_cert_end_user_subject_common_name            CN attribute of the Subject of the client certificate
client_cert_end_user_subject_organizational_unit    OU attribute of the Subject of the client certificate
client_cert_end_user_subject_organization           O attribute of the Subject of the client certificate
Values for the client certificate criteria on the User Groups tab require quotation marks around them to
work. Correct and incorrect examples are:
The Boolean expression
client_cert_end_user_subject_common_name="clients.gateways.watchguard.com"
is valid and it works.
The Boolean expression
client_cert_end_user_subject_common_name=clients.gateways.watchguard.com
is not valid and does not work.
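A small model of the criteria language documented above (the `and` and `=` operators, the `true` constant, the four variables, and quoted constant values), added here as an illustration; it is not WatchGuard's parser or code from the guide. It assumes ASCII double quotes, exact case-sensitive string comparison, and that a missing certificate attribute fails its term; the names `evaluate`, `ALICE` and `CRITERIA` and the sample user are constructed for this example.

```python
import re

PREFIX = "client_cert_end_user_subject_"
# Variables the manual lists as valid in client certificate criteria.
VARIABLES = {"username", PREFIX + "common_name", PREFIX + "organizational_unit", PREFIX + "organization"}
# One token: quoted constant, bare word (variable, 'and', 'true'), '=', or a stray character.
TOKEN = re.compile(r'"([^"]*)"|([A-Za-z_]+)|(=)|(\S)')

def tokenize(expr):
    """Split an expression into (kind, text) tokens; reject any other text."""
    tokens = []
    for m in TOKEN.finditer(expr):
        if m.lastindex == 4:  # stray character such as '.' or an unbalanced quote
            raise ValueError(f"unexpected {m.group(4)!r} at offset {m.start()}")
        tokens.append((("const", "word", "eq")[m.lastindex - 1], m.group(m.lastindex)))
    return tokens

def operand(kind, text, ctx):
    """Resolve a token to a string: quoted constant as-is, variable from ctx."""
    if kind == "const":
        return text
    if kind == "word" and text in VARIABLES:
        return ctx.get(text)
    raise ValueError(f"{text!r} is not a variable; constant values must be quoted")

def evaluate(expr, ctx):
    """True only if every 'and'-joined term holds for this user and certificate."""
    tokens, result, i = tokenize(expr), True, 0
    while True:
        if tokens[i:i + 1] == [("word", "true")]:
            i += 1
        elif len(tokens) >= i + 3 and tokens[i + 1][0] == "eq":
            left, right = operand(*tokens[i], ctx), operand(*tokens[i + 2], ctx)
            # Assumption: a missing attribute (None) never satisfies a term.
            result = result and left is not None and left == right
            i += 3
        else:
            raise ValueError("expected 'true' or <operand>=<operand>")
        if i == len(tokens):
            return result
        if tokens[i] != ("word", "and"):
            raise ValueError("terms must be joined with 'and'")
        i += 1

# Constructed sample: subject attributes as extracted from a client certificate.
ALICE = {"username": "alice", PREFIX + "common_name": "alice",
         PREFIX + "organizational_unit": "Accounting", PREFIX + "organization": "Example Corp"}
CRITERIA = ('client_cert_end_user_subject_organizational_unit="Accounting" '
            "and username=client_cert_end_user_subject_common_name")
```

`evaluate(CRITERIA, ALICE)` holds for the sample user; the same certificate presented under a different local user name, or with another OU, does not satisfy the criteria, and an unquoted constant raises `ValueError` instead of being compared.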