Administration Guide 161
Scenario 1: Configuring LDAP Authentication and Authorization
• Determining the Sales and Engineering users who need remote access
• Collecting the LDAP directory information
Determining the internal networks that include the needed resources
Determining the internal networks that include the needed resources is the first of three procedures
the administrator performs to prepare for the LDAP authentication and authorization configuration.
In this procedure, the administrator determines the network locations of the resources that the
remote users must access. As noted earlier:
• Remote users working for the Sales department must have access to an email server, a Web
conference server, a Sales Web application, and several file servers residing on the internal
network
• Remote users working for the Engineering department must have access to an email server, a
Web conference server, and several file servers residing on the internal network
• Three email servers are operating in the internal network, but the administrator wants remote
users to access only one of these email servers
To complete this procedure in this example, we assume the administrator collects the following
information:
• The Web conference server, email servers, and file servers that the remote Sales and
Engineering users must access all reside in the network 10.10.0.0/24
• The server containing the Sales Web application resides in the network 10.60.10.0/24
• The single email server that remote users must access has the IP address 10.10.25.50
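The following script is an added example and is not part of the WatchGuard guide. It takes the information collected in this procedure, checks that every resource address actually falls inside one of the recorded networks, and derives the list of networks each department's remote users need. Hostnames, the addresses of the Web conference and file servers, and the rule format are assumptions; the two network prefixes and the email server address are the ones listed above. Running the check shows that 10.10.25.50 lies outside 10.10.0.0/24 (that prefix covers only 10.10.0.0 through 10.10.0.255), so the script emits a per-host rule for it, which is what the "only one email server" restriction needs anyway; the recorded prefix should still be re-verified before the gateway is configured.

```python
"""Added example, not from the WatchGuard guide: sanity-checks the resource
inventory collected in this procedure and derives the network list each
department's remote users need."""
import ipaddress

# Constructed inventory: name -> (address, departments that need it).
# Only the email server address comes from the guide; the rest are assumed.
RESOURCES = {
    "mail-1":     ("10.10.25.50", ("Sales", "Engineering")),  # from the guide
    "webconf-1":  ("10.10.0.20",  ("Sales", "Engineering")),  # assumed address
    "files-1":    ("10.10.0.31",  ("Sales", "Engineering")),  # assumed address
    "files-2":    ("10.10.0.32",  ("Sales", "Engineering")),  # assumed address
    "salesapp-1": ("10.60.10.15", ("Sales",)),                # assumed address
}

# Internal networks the administrator recorded for these resources.
INTERNAL_NETWORKS = ["10.10.0.0/24", "10.60.10.0/24"]


def containing_network(address, networks):
    """Return the CIDR string of the first network that holds address, else None."""
    ip = ipaddress.ip_address(address)
    for cidr in networks:
        if ip in ipaddress.ip_network(cidr, strict=True):
            return cidr
    return None


def unplaced_resources(resources, networks):
    """Names of resources whose address is in none of the recorded networks."""
    return sorted(name for name, (addr, _) in resources.items()
                  if containing_network(addr, networks) is None)


def access_rules(department, resources, networks):
    """CIDR list a department's remote users need.

    Placed resources contribute their whole recorded network; a resource the
    recorded networks miss contributes a /32 host rule, so an inventory error
    surfaces as an extra, visible rule instead of a silently unreachable host.
    """
    rules = set()
    for addr, departments in resources.values():
        if department not in departments:
            continue
        net = containing_network(addr, networks)
        rules.add(net if net else f"{addr}/32")
    return sorted(rules, key=ipaddress.ip_network)


if __name__ == "__main__":
    print("not in any recorded network:",
          unplaced_resources(RESOURCES, INTERNAL_NETWORKS))
    for dept in ("Sales", "Engineering"):
        print(dept, access_rules(dept, RESOURCES, INTERNAL_NETWORKS))
```

The per-department lists are what the later authorization steps turn into group network access rules; keeping the single email server as a host rule rather than widening the prefix is the safer choice, because the other two email servers must stay unreachable to remote users.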
Determining the Sales and Engineering Users Who Need Remote Access
Determining the Sales and Engineering users who need remote access is the second of three
procedures the administrator performs to prepare for LDAP authentication and authorization
configuration.
Before an administrator can configure the Firebox SSL VPN Gateway to support authorization with
an LDAP directory, the administrator must understand how the Firebox SSL VPN Gateway uses
groups to perform the authorization process.
Specifically, the administrator must understand the relationship between a user's group
membership in the LDAP directory and a user's group membership on the Firebox SSL VPN
Gateway.
Note
The Firebox SSL VPN Gateway also relies on user groups in a similar way to support authorization types
such as RADIUS.
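The group relationship described above, worked through as an added example (not code from the WatchGuard guide and not the gateway's own implementation). A constructed LDAP Person entry in LDIF form is parsed, the user's directory groups are read from its memberOf values, and those names are matched against groups defined on the gateway to find the networks the user may reach. The choice of memberOf as the group attribute, matching on the group's name (the value of the DN's first RDN) without regard to case, and the gateway group table are all assumptions for illustration; the guide's later steps say which attribute and names the gateway actually uses.

```python
"""Added example, not from the WatchGuard guide: maps a user's LDAP group
membership to gateway groups and the networks those groups grant."""

# Constructed Person entry, as an LDAP search might return it (LDIF form).
PERSON_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jane Doe
uid: jdoe
memberOf: cn=Sales,ou=Groups,dc=example,dc=com
memberOf: cn=All-Staff,ou=Groups,dc=example,dc=com
"""

# Constructed entry for a user in no group the gateway knows about.
CONTRACTOR_LDIF = """\
dn: uid=contractor1,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Con Tractor
uid: contractor1
memberOf: cn=Contractors,ou=Groups,dc=example,dc=com
"""

# Assumed groups configured on the gateway and the networks each grants.
GATEWAY_GROUPS = {
    "Sales": ["10.10.0.0/24", "10.60.10.0/24"],
    "Engineering": ["10.10.0.0/24"],
}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lowercased): [values]}.

    Handles folded continuation lines (leading space); base64 '::' values
    are not needed for this example and are left untouched.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def rdn_value(dn):
    """'cn=Sales,ou=Groups,dc=example,dc=com' -> 'Sales' (first RDN value).

    Assumes no escaped commas in the RDN value, which holds for these entries.
    """
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.partition("=")[2].strip()


def directory_groups(entry, attribute="memberOf"):
    """Group names from the entry's group attribute (memberOf is an assumption)."""
    return [rdn_value(dn) for dn in entry.get(attribute.lower(), [])]


def gateway_groups_for(entry, gateway_groups):
    """Gateway groups whose name matches one of the user's directory groups."""
    names = {g.lower() for g in directory_groups(entry)}
    return [g for g in gateway_groups if g.lower() in names]


def allowed_networks(entry, gateway_groups):
    """Union of the networks granted by the user's matching gateway groups."""
    nets = set()
    for group in gateway_groups_for(entry, gateway_groups):
        nets.update(gateway_groups[group])
    return sorted(nets)


if __name__ == "__main__":
    for ldif in (PERSON_LDIF, CONTRACTOR_LDIF):
        entry = parse_ldif_entry(ldif)
        print(entry["uid"][0], gateway_groups_for(entry, GATEWAY_GROUPS),
              allowed_networks(entry, GATEWAY_GROUPS))
```

The second entry shows the case worth testing before rollout: a user whose credentials are valid but whose directory groups match no gateway group authenticates successfully and is then authorized to nothing, so every department that needs remote access must have a gateway group whose name matches its directory group exactly.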
When a user in an LDAP directory connects to the Firebox SSL VPN Gateway, the following basic
authentication and authorization sequence occurs:
• After a user enters the credentials held for that user in the LDAP directory, the Firebox SSL VPN
Gateway looks the user up in the LDAP directory, verifies the credentials, and logs the
user on.
• After a user successfully authenticates, the Firebox SSL VPN Gateway examines an attribute in
the user's LDAP directory Person entry to determine the LDAP directory groups to which the
user belongs.