Active Directory

This scenario describes the configuration of Gibraltar in combination with a Microsoft Windows Active Directory. Selected Active Directory users should be able to use particular services with their usual Windows username and password; access to those services is managed through groups in an Active Directory organisational unit. The scenario also covers the configuration of OpenVPN for remote access. The services are:

HTTP-Proxy to secure HTTP traffic
SMTP authentication to allow external users to send e-mails through the Gibraltar firewall
OpenVPN for secure remote access to the LAN

The Active Directory domain is configured as follows:

Domain name: "company.local"
Organisational unit of the user account Gibraltar uses to communicate with the AD: company.local/company/Users
Login name of that AD user: "gibuser"
OU of the groups that control access to the individual services: company.local/company/Groups
Domain local group "dl_http" in the OU "company.local/company/Groups", controlling access to the HTTP proxy.
Domain local group "dl_smtp" in the OU "company.local/company/Groups", controlling access to the SMTP authentication.
Domain local group "dl_vpn" in the OU "company.local/company/Groups", controlling access to the VPN.
Internal network: 192.168.0.0/24
External IP: 1.1.1.1

Note: All stated values are only examples. Adapt them to your own environment.

System Requirements

Computer with two compatible network interfaces or a Gibraltar Security Gateway.

Installation of Gibraltar

Install Gibraltar as described in the chapter Installation.

System configuration

System configuration as described in Scenario 1.

Network settings - Network interface cards

Network and routing configuration as described in Scenario 2.

ATTENTION: Changing the IP address of the network card through which you access Gibraltar interrupts the connection. Adapt the IP address of your workstation accordingly.

Firewall rules

Firewall rules as described in Scenario 2.

NAT rules

NAT rules as described in Scenario 2.

Integration into Microsoft's Active Directory

The Gibraltar firewall must be joined to the Active Directory so that users can authenticate with their usual Windows logins. Follow the steps below:

1. Choose User in the main menu.
2. You are forwarded automatically to the tab LDAP Settings.
3. Server: Choose "Active Directory".
4. IP Domaincontroller: Enter the IP address of the domain controller.
5. AD user: Enter the name of the AD user ("gibuser"). This account does not need administrator privileges; it is used only for the communication with the AD.
6. AD user password: Enter the password of the user "gibuser" and confirm it in the next text field.
7. Organizational Unit AD users: Enter the OU of the AD user ("ou=users,ou=company").
8. Organizational Unit AD Groups: Enter the OU of the AD groups ("ou=groups,ou=company").
9. Domain: Enter the FQDN of the internal Windows domain ("company.local").
10. Save: Confirm your changes by clicking the button Save.
11. Enter Domain: Click this button to join the Active Directory domain.
12. Domain Administrator: Enter the name of a Windows domain administrator to join the domain.
13. Password: Enter the password of the domain administrator.
14. Enter Domain: Click this button to join the Active Directory domain.
15. Select AD groups: Click this button to select the Active Directory groups that control access to the individual services. All groups within the OU "ou=groups,ou=company" are listed.
16. VPN Group: Choose the group "dl_vpn".
17. HTTP-Proxy Group: Choose the group "dl_http".
18. Mail Group: Choose the group "dl_smtp".
19. Save: Confirm your changes by clicking the button Save.
20. Add the users to the respective groups with the Active Directory snap-in on the Windows domain controller.

HTTP-Proxy

1. Choose Proxy Server in the main menu.
2. Choose HTTP Proxy in the sub menu.
3. Choose the tab Proxy Cache.
4. RAM for proxy (in MB): This value defines how much RAM is used for caching objects. Do not change it unless you know the consequences: the RAM reserved for proxy caching cannot be used by other services.
5. Maximum size of an object (in KB): This value limits the size of the objects stored in the cache.
6. Use disk cache: Activate this checkbox if the system has a hard disk and you want to use the disk cache.
7. Size of disk cache (in MB): Enter the disk space you want to reserve for caching objects.
8. Save: Confirm your changes by clicking the button Save.
9. Choose the tab Authentication.
10. Authentication method: Choose the value "Authentication via LDAP".
11. Save: Confirm your changes by clicking the button Save.
12. Choose the tab Content Filter.
13. Kaspersky Anti-Virus: Activate this checkbox if you want your HTTP traffic scanned and you have bought a Kaspersky licence key.
14. Save: Confirm your changes by clicking the button Save.
15. Add a new firewall rule that allows traffic on TCP port 3128 from incoming int to outgoing LOCAL.
16. Start the service HTTP-Proxy in the module Services and, if you wish, set it to start automatically.

Note: The HTTP-Proxy must be configured in the web browsers of the clients; otherwise it is not used. Group policies are the best way to distribute these settings. The users can then connect to the Internet with their usual login credentials.
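The following PowerShell script is an added example for checking the proxy from a Windows client; it is not part of the Gibraltar documentation. It verifies the two properties that matter after the steps above: an anonymous request must be refused with 407 (Proxy Authentication Required), and a request with the Active Directory credentials of a member of "dl_http" must succeed. The firewall's internal address 192.168.0.1 is an assumption (the scenario only gives the network 192.168.0.0/24); port 3128 comes from the firewall rule above, and "user1" is a constructed example account.

```powershell
# Added example, not from the Gibraltar documentation.
# Assumed: Gibraltar's internal address is 192.168.0.1 (only the network
# 192.168.0.0/24 is given in the scenario); proxy port 3128 from step 15.
$proxy = "http://192.168.0.1:3128"
$url   = "http://www.example.com/"

function Test-ProxyAccess {
    # Returns the HTTP status code seen through the proxy, with or without credentials.
    param([string]$Proxy, [string]$Url, [pscredential]$Credential)
    try {
        $params = @{ Uri = $Url; Proxy = $Proxy; UseBasicParsing = $true }
        if ($Credential) { $params.ProxyCredential = $Credential }
        $resp = Invoke-WebRequest @params
        return [int]$resp.StatusCode
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; the response object still carries the code
        # (WebException in Windows PowerShell 5.1, HttpResponseException in PowerShell 7).
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

# 1. Anonymous request: with "Authentication via LDAP" enabled the proxy must
#    answer 407 and never 200.
$anon = Test-ProxyAccess -Proxy $proxy -Url $url
if ($anon -eq 407)     { "OK: proxy demands authentication" }
elseif ($anon -eq 200) { Write-Warning "Proxy served an anonymous request - check the Authentication tab" }
else                   { "Unexpected status $anon for the anonymous request" }

# 2. Request with a user's AD credentials (prompted, never stored in the script).
#    "user1" is a constructed example account that is a member of dl_http.
$cred = Get-Credential -UserName "company\user1" -Message "AD password for the proxy test"
$auth = Test-ProxyAccess -Proxy $proxy -Url $url -Credential $cred
if ($auth -eq 200) {
    "OK: $($cred.UserName) is allowed through the proxy"
} elseif ($auth -eq 407 -or $auth -eq 403) {
    # Either a wrong password or the user is not (yet) in dl_http; group lookups are
    # cached on the firewall for up to an hour, see the note in the Active Directory Groups section.
    Write-Warning "$($cred.UserName) was refused with status $auth"
}
```

Run it from a client in the internal network; the anonymous check is the one worth repeating after every change to the Authentication tab, since a proxy that answers 200 there is usable by anyone on the LAN without a Windows login.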


Mail Authentication

1. Choose Mail in the main menu.
2. Choose the tab SMTP user authentication.
3. Use Authentication: Activate the checkbox to enable the authentication.
4. Save: Confirm your changes by clicking the button Save.
5. Add a new firewall rule that allows traffic on TCP port 25 from incoming ext to outgoing LOCAL. This rule allows sending mails from the outside to the mail relay on the firewall.
6. Start the service Mailserver to activate the settings and set the automatic start method to "On" if the service should start after a reboot.

Now configure the mail clients of your users to send mails through the Gibraltar SMTP service. Since the users authenticate with their Active Directory credentials, you must configure a secure connection (SSL), for example under "Extended account options" in MS Outlook Express.

Creating a Client Certificate

OpenVPN uses client certificates for user authentication. These certificates are stored in the Active Directory, so the user "gibuser" needs the corresponding rights on the schema attribute that holds them. Log in to the domain controller as Schema Administrator and enter the following line:

dsacls ou=Users,ou=company,dc=company,dc=local /I:S /G "company\gibuser:RPWP;userPKCS12;user"
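The dsacls line grants "gibuser" only Read Property and Write Property (RPWP) on the single attribute userPKCS12, inherited to objects of class user below the OU (/I:S). The PowerShell script below is an added example, not part of the Gibraltar documentation, that reads the OU's ACL back and confirms the grant has exactly that scope, warning if an ACE for gibuser is broader (for instance applies to all properties). It assumes the ActiveDirectory module (RSAT) on the domain controller and the example names of this scenario; the function name Get-SchemaGuid is the example's own.

```powershell
# Added example, not from the Gibraltar documentation.
# Verifies the ACE created by the dsacls command above on the example OU.
Import-Module ActiveDirectory

$ouDn      = "OU=Users,OU=company,DC=company,DC=local"   # example OU from the scenario
$account   = "company\gibuser"                            # example service account
$attribute = "userPKCS12"   # attribute the client certificates are written to
$class     = "user"         # object class the right is inherited to

# dsacls accepts names, but the ACE itself stores schema GUIDs, so resolve them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$attrGuid  = Get-SchemaGuid $attribute
$classGuid = Get-SchemaGuid $class

# The module's AD: drive exposes the security descriptor of any directory object.
$acl  = Get-Acl -Path "AD:\$ouDn"
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -ieq $account }

if (-not $aces) {
    Write-Warning "No ACE for $account on $ouDn - the dsacls command has not been applied"
} else {
    $rp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $wp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    foreach ($ace in $aces) {
        $expected = ($ace.AccessControlType -eq 'Allow') -and
                    ($ace.ObjectType -eq $attrGuid) -and
                    ($ace.InheritedObjectType -eq $classGuid) -and
                    $ace.ActiveDirectoryRights.HasFlag($rp) -and
                    $ace.ActiveDirectoryRights.HasFlag($wp)
        # An empty ObjectType means the right applies to every property of the object.
        $allProperties = ($ace.ObjectType -eq [guid]::Empty)
        if ($expected) {
            "OK: $account may read/write $attribute on $class objects below $ouDn"
        } elseif ($allProperties) {
            Write-Warning "ACE for $account is not limited to $attribute ($($ace.ActiveDirectoryRights)) - broader than this scenario needs"
        } else {
            "Other ACE for $account: $($ace.ActiveDirectoryRights), ObjectType $($ace.ObjectType)"
        }
    }
}
```

Keeping the grant this narrow matters because gibuser's password is stored on the firewall: an attribute-scoped write right limits what could be changed in the directory if that account were ever misused, whereas a grant without the `;userPKCS12;user` qualifiers would let it write any attribute of any user in the OU.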


Follow the steps below to create a client certificate:

1. Choose VPN in the main menu.
2. Choose Certificate in the sub menu.
3. Generate client cert: Click this button to generate a new client certificate.
4. Fill reasonable values into the text fields and choose the owner from the drop-down list of Active Directory users. Note the password, because the user needs it to start the remote connection via OpenVPN.
5. Save the new certificate to your desktop.

Configuring the OpenVPN service

1. Choose VPN in the main menu.
2. Choose OpenVPN in the sub menu.
3. Listen on IP: Choose your public IP address from the list ("1.1.1.1").
4. Routed networks: Enter the address of the internal network(s) that should be reachable through the VPN tunnel ("192.168.0.0/24").
5. Save: Confirm your changes by clicking the button Save.
6. Add a new firewall rule that allows traffic from incoming tun+ (the virtual interface used by OpenVPN) to outgoing int.
7. Start the service OpenVPN in the module Services.

Installing the Windows Client

To use OpenVPN with Microsoft Windows clients you must install the client software, which can be downloaded from http://openvpn.se/.

After Windows has started you see a small icon in the task bar next to the clock. Follow the steps below to configure your OpenVPN client software correctly.

1. Copy the downloaded certificate to the directory "C:\Program files\openvpn\config".
2. Choose VPN in the main menu.
3. Choose OpenVPN in the sub menu.
4. Download client config: Click this button to download the client configuration file client.ovpn and save it to the same directory as the certificate.
5. Start the OpenVPN connection with the right mouse button on the icon and enter the password you chose when creating your certificate.

Once the connection is established, the remote user can access the resources in the local area network.

Active Directory Groups

Now you can add users to the specific groups to grant them access to the services. For example, add "user1" to the group "dl_http" to allow use of the HTTP-Proxy.


NOTE: To improve performance, the authentication data is cached on the Gibraltar firewall. If you remove a user from a group, the user therefore keeps access until the new settings become active after an hour. Restart the HTTP Proxy service to apply the change sooner.
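As an added example (not part of the Gibraltar documentation), the same group maintenance can be done on the domain controller with the ActiveDirectory PowerShell module instead of the snap-in. The script checks that the three access groups exist as domain local groups in the example group OU, grants "user1" the HTTP-Proxy as in the paragraph above, and prints a per-service membership report for access reviews. It assumes the scenario's example OU "OU=Groups,OU=company,DC=company,DC=local" and group names; "user1" is a constructed account and Get-ServiceAccessReport is the example's own function name.

```powershell
# Added example, not from the Gibraltar documentation.
Import-Module ActiveDirectory

$groupOu  = "OU=Groups,OU=company,DC=company,DC=local"   # example OU from the scenario
$services = @{ "dl_http" = "HTTP-Proxy"; "dl_smtp" = "SMTP authentication"; "dl_vpn" = "OpenVPN" }

# Every group Gibraltar selects in "Select AD groups" must exist in the group OU;
# the scenario defines them as domain local groups.
foreach ($name in $services.Keys) {
    $g = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $groupOu
    if (-not $g) { Write-Warning "Group $name is missing in $groupOu"; continue }
    if ($g.GroupScope -ne 'DomainLocal') { Write-Warning "$name is $($g.GroupScope); the scenario expects DomainLocal" }
}

# Grant the constructed example user "user1" the HTTP-Proxy, as in the text above.
Add-ADGroupMember -Identity "dl_http" -Members "user1"

function Get-ServiceAccessReport {
    # One row per access group: which service it unlocks and who is in it (nested groups resolved).
    foreach ($name in $services.Keys) {
        $members = Get-ADGroupMember -Identity $name -Recursive | Select-Object -ExpandProperty SamAccountName
        [pscustomobject]@{ Group = $name; Service = $services[$name]; Members = ($members -join ', ') }
    }
}
Get-ServiceAccessReport | Format-Table -AutoSize

# Withdrawing access works the same way; because the firewall caches group lookups
# for up to an hour, restart the HTTP Proxy service afterwards as the note above says.
# Remove-ADGroupMember -Identity "dl_http" -Members "user1" -Confirm:$false
```

Running the report regularly is a cheap way to review who can reach the proxy, the mail relay and the VPN, since on this setup the three groups are the only place where that access is decided.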


Saving configuration


1. Save the configuration to your default storage destination and save a backup to a USB stick.