Filter
Top Products
Administration Guide 97
Configuring Resources for a User Group
a network resource specifying the networks to which users can connect. If you have a restricted group
for contractors, drag the resource to this group and then deny the default setting.
For each user group, you can create an access control list (ACL) by specifying the resources that are to be
allowed or denied for the group. Resource groups are defined as described in “Defining network
resources” on page 99. ACLs for all groups that users are a part of are combined and applied to the user.
Unless you want to provide all users with full access to all accessible networks, you must associate user
groups with resource groups.
Several aspects of Firebox SSL VPN Gateway operation are configured at the group level. These are sep-
arated between group properties and group resources.
Group properties include:
• Groups that inherit properties from the Default group.
• Requiring users to log on again if there is a network interruption or if the computer is coming out
of standby or hibernate.
• Enabling single sign-on to Windows.
• Enabling single sign-on to the Web Interface.
• Running logon scripts when a user logs on using domain credentials.
• Denying application access to the network that does not have a defined application policy.
• Disable the desktop sharing feature of the Secure Access Client.
• Access configuration to specify the length of time a session is active. There are three types of
session time-outs:
-
User session time-out, which specifies the length of time a user can stay logged on, whether there
is activity or not. The specified time is absolute. If the user has a 60 minute session time-out, the
session ends at 60 minutes. Users are given a one minute warning that their session is about to
end.
- Network activity time-out where the user is logged off after a specified amount of time, during
which network activity from the client device over the VPN tunnel is not detected. Network activity
from the local area network is not considered.
- Idle session time-out where network activity is detected, but user activity is not detected. User
activities are keyboard strokes or mouse movement.
• Enabling split DNS where the client sends only the traffic destined for the secured network
through the VPN tunnel.
• IP pooling where a unique IP address is assigned to each client.
• Logon and portal page usage that defines the page the user sees when logging on. The logon
page can be a page provided by WatchGuard and can be modified for individual companies. If
your company is using WatchGuard Presentation Server, the logon page can be the Web
Interface. If you want to give the user options of how to log on, use the multiple logon option
page. For more information, see “Configuring a Portal Page with Multiple Logon Options”
Group resources include:
• Network resources that define the networks to which clients can connect.
• Application policies that define the applications users can use when connected. In addition to
selecting the application, you can further define which networks the application has access to
and if any end point policies need to be met when connecting.
• File share resources that define which file shares the user can connect to when logged on in kiosk
mode.