Scenario 1: Configuring LDAP Authentication and Authorization
162 Firebox SSL VPN Gateway
For example, if the Firebox SSL VPN Gateway operates with the Microsoft Active Directory, the
Firebox SSL VPN Gateway checks the "memberOf" attribute in the Person entry to determine the
groups to which a user belongs.
In this example, we assume that the group membership attribute indicates that a user is a member
of an LDAP directory group named "Remote Sales."
The Firebox SSL VPN Gateway then looks for a user group configured on the Access Policy Manager
tab of the Administration Tool that has a name that matches the name of an LDAP directory group
to which the user belongs.
In this example, the Firebox SSL VPN Gateway looks for a user group named "Remote Sales"
configured on the Firebox SSL VPN Gateway.
If the Firebox SSL VPN Gateway finds a user group configured on the Firebox SSL VPN Gateway that
has the same name as an LDAP directory group to which the user belongs, the Firebox SSL VPN
Gateway grants the user the access privileges (authorization) assigned to that user group on
the Firebox SSL VPN Gateway. Matching is by group name only, so any directory group whose name
coincides with a configured user group confers that group's privileges.
In this example, the Firebox SSL VPN Gateway provides the user with the access levels associated
with the "Remote Sales" user group on the Access Policy Manager tab of the Administration Tool.
Therefore, before the administrator can authorize the Sales and Engineering users to access internal
network resources through the Firebox SSL VPN Gateway, the administrator must know the LDAP
directory groups to which these users belong.
At this point in this user access scenario, the administrator must accomplish one of two things
regarding the group membership of the users:
• Identify groups on the LDAP directory that contain all of the members who need remote
access to the internal networks
• If there are no existing groups that contain all of the appropriate members, the administrator
can create new groups in the LDAP directory and add the appropriate members to these
groups
In this example, we assume that the administrator creates groups named "Remote Sales" and
"Remote Engineers" in the LDAP directory and populates these groups with the Sales and
Engineering users that need remote access to the internal network resources.
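The two steps described above, the gateway's name match between a user's "memberOf" values and its configured user groups, and the administrator's choice between reusing an existing directory group and creating a new one, can be modelled in a few lines. The following is an added example written for this page, not WatchGuard code and not the gateway's actual implementation; the directory entries, group names and resource lists are constructed for illustration, and case-insensitive name matching is an assumption of the model. It also shows the check a practitioner wants before reusing an existing group: any member of that group who does not need remote access would be granted it.

```python
"""Added example (not WatchGuard's code): models how a VPN gateway maps a
user's LDAP 'memberOf' values to locally configured user groups, and checks
whether an existing directory group is a safe choice for remote access.
All directory data below is constructed for the example."""

from typing import Dict, List, Set, Tuple


def first_rdn(dn: str) -> str:
    """Return the first RDN of a DN, honouring backslash-escaped commas.

    A naive dn.split(',') breaks on group names such as 'Sales, East',
    which LDAP stores as 'CN=Sales\\, East,OU=Groups,...'.
    """
    out, i = [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep literal
            out.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":  # first unescaped comma ends the RDN
            break
        out.append(ch)
        i += 1
    return "".join(out)


def group_cns_from_member_of(member_of: List[str]) -> Set[str]:
    """Extract the group name (CN) from each 'memberOf' DN.

    Active Directory stores memberOf as full DNs; the gateway compares the CN
    against its configured user group names. Note (AD behaviour, stated here
    as a caveat of the model): memberOf lists direct memberships only, so
    nested groups and the user's primary group do not appear.
    """
    names = set()
    for dn in member_of:
        attr, _, value = first_rdn(dn).partition("=")
        if attr.strip().upper() == "CN" and value.strip():
            names.add(value.strip())
    return names


def authorize(member_of: List[str],
              gateway_groups: Dict[str, List[str]]) -> Tuple[List[str], Set[str]]:
    """Return (matched gateway groups, union of their permitted resources).

    gateway_groups maps a user group name configured on the gateway to the
    resources it may reach. Names are compared case-insensitively (assumption).
    A user in no matching group authenticates but is authorized for nothing.
    """
    configured = {name.casefold(): name for name in gateway_groups}
    matched, resources = [], set()
    for cn in sorted(group_cns_from_member_of(member_of)):
        name = configured.get(cn.casefold())
        if name is not None:
            matched.append(name)
            resources |= set(gateway_groups[name])
    return matched, resources


def assess_directory_group(group_members: List[str],
                           required_users: List[str]) -> Tuple[bool, List[str], List[str]]:
    """Check an existing directory group as a candidate for remote access.

    group_members: DNs from the group's 'member' attribute.
    required_users: DNs of the users who need remote access.
    Returns (covers_all, missing, extra). 'extra' members would gain remote
    access they do not need if this group's name were configured on the
    gateway; in that case create a dedicated group instead.
    """
    members = {m.casefold(): m for m in group_members}
    required = {u.casefold(): u for u in required_users}
    missing = sorted(required[k] for k in required.keys() - members.keys())
    extra = sorted(members[k] for k in members.keys() - required.keys())
    return (not missing, missing, extra)


# Constructed sample data (hypothetical names and hosts).
GATEWAY_GROUPS = {
    "Remote Sales": ["crm.example.com:443", "fileserver.example.com:445"],
    "Remote Engineers": ["git.example.com:22", "build.example.com:443"],
}
ALICE_MEMBER_OF = [
    "CN=Remote Sales,OU=Groups,DC=example,DC=com",
    "CN=Sales\\, East,OU=Groups,DC=example,DC=com",
    "CN=Domain Users,CN=Users,DC=example,DC=com",
]
SALES_GROUP_MEMBERS = [
    "CN=Alice,OU=People,DC=example,DC=com",
    "CN=Bob,OU=People,DC=example,DC=com",
    "CN=Carol,OU=People,DC=example,DC=com",
]
NEED_REMOTE = SALES_GROUP_MEMBERS[:2]  # Carol does not need remote access

if __name__ == "__main__":
    print(authorize(ALICE_MEMBER_OF, GATEWAY_GROUPS))
    print(assess_directory_group(SALES_GROUP_MEMBERS, NEED_REMOTE))
```

Running the block shows Alice authorized only through "Remote Sales" (her other groups have no gateway counterpart), and shows that reusing the existing Sales group would hand remote access to Carol as well, which is the case where the administrator should create "Remote Sales" rather than reuse an existing group.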
Collecting the LDAP Directory Information
Collecting the LDAP directory information is the last of three procedures the administrator performs
to prepare for the LDAP authentication and authorization configuration.
In this example scenario, the organization uses a single LDAP directory as its user repository.
Before the administrator can configure the Firebox SSL VPN Gateway to support authentication and
authorization with an LDAP directory, the administrator must collect information about the LDAP
directory. This information is used in a later procedure to configure the Firebox SSL VPN Gateway to
connect to the LDAP directory to perform user and group name lookups.
Note
To determine the information needed to configure a particular authentication or authorization type,
click the Authentication tab in the Administration Tool and create a test authentication realm that
includes the authentication and authorization types that you must support. Collect the information
needed to complete the fields shown for the selected authentication and authorization types.
In this procedure, the administrator collects the following information about the LDAP directory.
• LDAP Server IP address. The IP address of the computer running the LDAP server.