aXs GUARD® How to use the Personal aXs GUARD
Able NV – Dellingstraat 28b – 2800 Mechelen – Belgium
tel: +32 15 50 44 00 fax: +32 15 50 44 09 [email protected]
Contents
1 Contents
2 Copyrights and Conditions of Use
3 About this document
4 Background
5 On the HQ aXs GUARD
5.1 Overview
5.2 Instructions
5.2.1 Enable Personal aXs GUARD Option
5.2.2 Initializing the Certificate Authority
5.2.3 Creating an SSL Server Certificate
5.2.4 Attaching a Certificate to the aXs GUARD SSL Server
5.2.5 Configuring the Personal aXs GUARD
5.2.6 Creating an SSL Personal aXs GUARD Certificate
5.2.7 Exporting the Certificate to the Personal aXs GUARD
6 On the Personal aXs GUARD
6.1 Overview
6.2 Personal aXs GUARD Defaults
6.3 Administrator's Tool Access Levels
6.4 Installation Instructions
7 Personal aXs GUARD Status
7.1 HQ aXs GUARD Administrator's Tool
7.2 Personal aXs GUARD Administrator's Tool
8 Troubleshooting
8.1 UDP port 1194
8.2 No wireless AES encryption on Windows XP client
8.3 Logging onto the HQ aXs GUARD
8.4 Logging onto the Personal aXs GUARD
9 About Able
10 About VASCO
aXs GUARD How to use Personal aXs GUARD
AG-70-MNTE-Personal_aXs_GUARD_howto20.odt
Page 2 of 21
12. July 2007
 2007 Able NV
2 Copyrights and Conditions of Use
Able Software and Documents contain proprietary and confidential
information. Able may have or may be applying for patents, trademarks,
copyrights or other intellectual property rights for Software and
Documentation. aXs GUARD®, aXs GUARD à la Carte™ and UNI-box™ are
trademarks of Able. Other company, brand or product names mentioned
herein may be the trademarks or registered trademarks of their respective
owners.
Able Software and Documentation are provided “as is” without warranty or
conditions of any kind, whether implied or statutory, including but not
limited to implied warranties of marketability, merchantability or fitness for a
particular purpose. Able has no liability under any circumstances for any
loss, damage or expense incurred by you, your company or any third party
arising from the use, or inability to use Able Software or Documentation,
regardless of the cause of the loss, including negligence.
This document is protected under US, European and international copyright
law as an unpublished work of authorship. No part of it may be transferred,
disclosed, reproduced or transmitted in any form or by any means,
electronic, mechanical or otherwise, for any purpose, except as expressly
permitted by Able in writing.
All title, rights and interest in the aXs GUARD, updates and upgrades
thereof, including software rights, copyrights, patent rights, trade secret
rights, mask work rights, sui generis database rights and all other
intellectual and industrial property rights, shall vest exclusively in Able or,
pursuant to the terms of a separate license agreement, its licensors. No part
of Able Products may be transferred, disclosed, reproduced or transmitted in
any form or by any means, electronic, mechanical or otherwise, for any
purpose, except as expressly permitted by Able in writing.
Copyright © 2007 Able NV. All rights reserved.
3 About this document
This document describes how to configure a Personal aXs GUARD from the
central aXs GUARD. Certain actions are required on both units and are
explained in this “hands on” guide to help you get everything up-and-running as quickly as possible.
4 Background
The Personal aXs GUARD is connected securely to an aXs GUARD over a
Secure Sockets Layer (SSL) VPN connection. The aXs GUARD manages
everything centrally for all connected Personal aXs GUARD units, from IP
addresses and passwords to complex firewall settings. An SSL VPN
connection is authenticated with certificates at both ends, and valid
certificates can only be issued by a certificate authority (CA). The aXs GUARD
is therefore equipped with its own CA, which must be initialized first. How to
complete each of the necessary steps is explained in detail in the following
sections.
5 On the HQ aXs GUARD
5.1 Overview
This section explains how to configure the aXs GUARD to allow connection
and central management of Personal aXs GUARDs.
5.2 Instructions
5.2.1 Enable Personal aXs GUARD Option
Under the System > Feature Activation menu (shown in the screen shot
below) locate and switch on the option:
• “Do you use the Personal aXs GUARD?”
5.2.2 Initializing the Certificate Authority
A CA allows you to create valid certificates for the SSL VPN connection
between aXs GUARD and the Personal aXs GUARD.
1. Go to the Public Key Infrastructure > Certificate Authority screen.
2. Select a country, and enter the organization name and locality. This
information will be included in all certificates created by the aXs GUARD
CA.
3. Enter a unique name to identify the aXs GUARD CA, for example caaxsguard.yourdomain.be.
4. Enter an email address for any notifications regarding this certificate.
5. Enter a CA Passphrase. This phrase is needed to issue new certificates
and therefore prevents unauthorized certificate issue from the CA.
6. Specify the number of days the CA may remain valid. Every certificate
issued by this CA inherits this limit: a certificate is only accepted while
the CA that signed it is still valid, so choose the CA lifetime with the
longest-lived Personal aXs GUARD certificate in mind. Once this date has
passed you need to reinitialize the CA and issue new certificates.
Warning: Remember the CA passphrase, as no certificates can be issued
without it. Able cannot retrieve a lost passphrase. The only solution for a
forgotten CA passphrase is to reinitialize the CA, which renders all previously
issued certificates invalid.
7. Press the Initialize button and a confirmation of the CA initialization will
appear.
5.2.3 Creating an SSL Server Certificate
Both sides of an SSL VPN connection need a certificate; first we need to
create a certificate for the aXs GUARD SSL server.
1. On the PKI > Certificates screen (see below), click on the Issue new
certificate button.
2. Select Server for Certificate usage.
3. Enter a unique Hostname for the certificate, for example
sslserver.yourdomain.be.
4. Enter the CA passphrase, to use the CA.
5. Click Sign (top right) to create the new server certificate.
5.2.4 Attaching a Certificate to the aXs GUARD SSL Server
1. Go to the VPN & RAS > Personal aXs GUARD > General screen.
2. Enable the Personal aXs GUARD connection. Disabling blocks all logon
attempts from Personal aXs GUARDs.
3. Select the newly created server certificate.
4. The specified IP range will be used for creating the SSL tunnel between
the aXs GUARD and the Personal aXs GUARDs. Check that this range is not
in use anywhere on your network (HQ or remote sites) and, if necessary,
change it to an unused one. Routing problems occur if the range isn't unique.
Note: Checking the Enabled option automatically allows SSL connection
attempts from Personal aXs GUARDs by adding the int-sslvpn firewall rule to
the stat-int static firewall policy. Deselecting this option removes this rule
from the stat-int static firewall policy, so that all connections from Personal
aXs GUARDs are rejected.
5.2.5 Configuring the Personal aXs GUARD
Name & Enabling options
Each Personal aXs GUARD used on the network needs to be configured in
the central or Head Quarter (HQ) aXs GUARD.
1. Go to the VPN & RAS > Personal aXs GUARD > Client screen and click on
the Add new button.
Warning: Modifications made to the settings of a Personal aXs GUARD are
only active on reboot of the Personal aXs GUARD or restart of the VPN tunnel
(wait at least 10 seconds before reactivating). Doing a remote reboot of a
Personal aXs GUARD is possible using the VPN & RAS > Status > Personal
aXs GUARD screen.
2. Choose a unique (Distinguished) name for the Personal aXs GUARD.
3. Enable the remote LAN DHCP server and wireless settings, if needed.
General Tab
1. If the VPN tunnel should not be started automatically when the Personal
aXs GUARD boots, deselect Start this VPN automatically.
2. Enter an administrator and user password.
3. Add a description and extra remarks, if needed.
Network Tab
1. Click on the Network tab
2. Enter the Personal aXs GUARD secure LAN IP address and netmask.
3. By default the DNS servers of the HQ aXs GUARD are used whenever the
VPN tunnel is connected; otherwise the ISP's DNS servers are used. In
some cases it is preferable to use another DNS server, for example the
Active Directory DNS server. If so, select the Do not use the aXs GUARD
DNS Servers option and enter the IP address(es) of the preferred DNS
server(s).
4. Add all networks which should be routed through the VPN tunnel to the
Routing towards following networks field. Otherwise, traffic towards these
networks is routed to the Internet. Normally the secure LAN range of the
HQ aXs GUARD should be added here too.
DHCP Tab
1. Click the DHCP tab or skip this (DHCP) section, if the DHCP server has
been disabled.
2. Add the DNS suffix used in your network; this will be used whenever an
incomplete DNS query is used (e.g. “www” will be expanded to
“www.mydomain.be”).
3. Enter the DHCP IP range and netmask.
4. Force the DHCP server to give certain clients in the Personal aXs GUARD
secure LAN a specific IP address, by adding the Ethernet MAC address
and preferred IP address in the MAC to IP mappings field.
Wireless Tab
1. Click the Wireless tab or skip this (Wireless) section, if the wireless option
has been disabled.
2. Enter in the SSID field a name for identifying the Personal aXs GUARD to
wireless clients in the Personal aXs GUARD's secure LAN.
3. Select the appropriate wireless encryption for your network. Of the
options offered, WPA PSK with AES is the strongest and is the recommended
choice; WEP is cryptographically broken and should only be kept for legacy
clients that support nothing else.
4. Choose a password (Wireless Secret Key) to protect access to the wireless
network of the Personal aXs GUARD. For WPA PSK the key is derived from
the passphrase and the SSID, so a short or dictionary passphrase can be
recovered offline by anyone who captures a client joining the network;
use a long random passphrase.
Warning: The Wireless Secret Key for WEP encryption must be exactly 26
characters long, comprising only the characters 0-9 and/or A-F.
Firewall Tab
Click the Firewall tab.
The Personal aXs GUARD firewall settings depend on the VPN tunnel state:
When the VPN tunnel is not connected:
• only ICMP packets and support connections from Able are allowed to
connect to the Personal aXs GUARD;
• everything is allowed from the secure LAN towards the Internet.
When the VPN tunnel is connected:
• ICMP packets and support connections from Able may connect to the
Personal aXs GUARD;
• the firewall settings as shown in the screen above are active.
Warning: Unlike the VPN PPTP and VPN L2TP connections, the stat-sec
firewall rights and the user and group special VPN firewall policies do NOT
apply to the Personal aXs GUARD. All access rights are administered in the
Personal aXs GUARD settings, i.e. once access has been granted to the VPN
tunnel at the Personal aXs GUARD side, everything is allowed. Access must
therefore be controlled at the Personal aXs GUARD side as follows:
• Access rights added in the Firewall Policies field provide access
outside the tunnel, i.e. directly to the Internet.
• Access rights added in the Tunnel Firewall policies field provide
access through the VPN tunnel.
The same firewall policies as in the HQ aXs GUARD are available, although
some restrictions apply:
• Firewall policies: only fwd- dynamic policies (i.e. dynamic policies
with the rule type “Rules through the aXs GUARD”) are valid.
These policies allow access to services on the Internet without
using the VPN tunnel;
• Tunnel Firewall policies: fwd- dynamic policies and sec- dynamic
policies are valid. The fwd- policies grant access through the HQ
aXs GUARD towards its secure LAN, DMZ zone and possibly the
Internet. The sec- dynamic policies allow access to services
running on the HQ aXs GUARD.
• All other dynamic firewall policies are unusable for configuring the
Personal aXs GUARD.
Note: Incoming and outgoing devices specified in fwd- dynamic policies are
ignored on the Personal aXs GUARD.
Access rights can be restricted to a specific IP address or range of addresses
by specification in the Source IP field. This allows strict administration of
firewall access rights. Additionally an IP address can be assigned to a
specific client PC on the secure LAN of the Personal aXs GUARD, based on
the MAC address and the Personal aXs GUARD DHCP server (see the section
on DHCP server settings above).
Security Recommendations
Depending on the setup of the Personal aXs GUARD secure LAN, firewall
requirements may differ. The fwd-access-lan as a tunnel Firewall policy may
be effective for setups where the Personal aXs GUARD secure LAN consists
of only laptops and/or desktops controlled by the company (e.g. a Microsoft
domain with restricted user access). However it is good practice to restrict
access through the VPN tunnel and to the Internet, if other potentially
dangerous client computers exist on the network.
We recommend a setup which ensures that potentially dangerous or infected
client computers connect directly to the Internet using an existing
installation, while computers needing access to the HQ secure LAN are
connected safely behind the Personal aXs GUARD. A protective option is to
connect the Personal aXs GUARD Internet Interface to an existing secure
LAN switch, and connect client computers which need access to the HQ
secure LAN in the secure LAN of the Personal aXs GUARD. This setup
supports physically separate HQ and remote secure LANs.
5.2.6 Creating an SSL Personal aXs GUARD Certificate
Certificates are needed for both ends of an SSL VPN connection. This section
describes how to create the Personal aXs GUARD certificate.
1. On the PKI > Certificates screen (see below), click on the Issue new
certificate button.
2. Select Personal aXs GUARD in the Certificate Usage field.
3. Select the name of the newly created Personal aXs GUARD in the
Personal aXs GUARD field.
4. Specify the number of days the certificate will be valid. A value beyond
the remaining lifetime of the CA is of no use, because the certificate is
only accepted while the CA is valid (see 5.2.2).
5. Enter the CA passphrase to allow use of the CA.
6. Click on Sign (top right) to create the certificate.
5.2.7 Exporting the Certificate to the Personal aXs GUARD
1. On the PKI > Certificates screen (see below), click on the Export icon in
the row for the Personal aXs GUARD certificate. A screen for entering a
password appears.
2. The Personal aXs GUARD certificate and some extra information need to
be password protected during transport. Enter and confirm a password to
be used. When importing the certificate into the Personal aXs GUARD
tool, the password needs to be entered.
3. Click on Export (top right) to save the certificate (a PKCS#12 file with
“.p12” extension) on a portable medium for transporting to the Personal aXs
GUARD. The file carries the Personal aXs GUARD's private key together with
its certificate, so treat the medium and the export password as secrets and
delete the file from the medium once it has been imported.
6 On the Personal aXs GUARD
6.1 Overview
The following steps describe how to configure the Personal aXs GUARD to
connect with the HQ aXs GUARD using a secure SSL VPN connection. You will
need the Personal aXs GUARD certificate (explained in the previous section)
and the password for these steps.
6.2 Personal aXs GUARD Defaults
Central aXs GUARD settings for the Personal aXs GUARD are only
operational after a successful VPN connection to the HQ aXs GUARD. Before
this point, defaults are active:
• secure LAN IP address: 192.168.1.1
• net mask: 255.255.255.0
• DHCP server enabled
• admin password: admin
• user password: user
Access the Personal aXs GUARD administrator's tool using the following URL:
http://192.168.1.1
These default passwords are the same on every unit and the administrator's
tool is reached over plain HTTP, so perform the initial configuration from a
PC connected directly to the secure LAN port, not across a shared or untrusted
network. The passwords set in the HQ aXs GUARD (section 5.2.5, General tab)
replace the defaults once the tunnel has come up.
Warning : It is not recommended to use the reset button at the back of the
Personal aXs GUARD as it can cause hardware failure.
6.3 Administrator's Tool Access Levels
Two logon accounts exist. The admin account allows full access to all
settings. With the user account, local settings cannot be modified. A user
account can only reboot the Personal aXs GUARD and disconnect or start up
the VPN tunnel.
This allows administrators to control whether homeworkers can disconnect
or reconnect VPN tunnels (through assignment of user access to
homeworkers). Homeworkers may also be assigned no access to the
administrator's tool, if preferred.
6.4 Installation Instructions
1. Configure your network interface to use the DHCP server of the Personal
aXs GUARD.
2. Check that the Personal aXs GUARD is reachable by pinging its IP address
(open the command prompt by clicking on Start, select the run command
and enter ping 192.168.1.1; this should result in a number of replies.)
3. Open a browser and enter the following URL: http://192.168.1.1
Note: Check that no proxy server is configured in your browser; if one is
configured, the Personal aXs GUARD tool may not be accessible.
4. Enter the admin username and admin as the password.
5. Select the Settings screen.
6. Select the type of Internet connection and enter the settings supplied by
your ISP.
7. Enter the public IP address of the HQ aXs GUARD (the Personal aXs
GUARD needs this to make contact with HQ aXs GUARD).
8. Enter the password specified when creating and exporting the certificate
from the HQ aXs GUARD.
9. Click the Browse button and select the certificate exported from the HQ
aXs GUARD.
10. Click Update.
11. Go to the Home screen and click Now to reboot the Personal aXs
GUARD.
Warning: The DMZ LED at the front of the Personal aXs GUARD indicates
booting status. Wait until the LED is unlit before proceeding.
12. The Personal aXs GUARD will now connect to the HQ aXs GUARD to
retrieve the configurations.
7 Personal aXs GUARD Status
7.1 HQ aXs GUARD Administrator's Tool
The VPN & RAS > Status > Personal aXs GUARD screen in the HQ aXs
GUARD administrator's tool provides an overview of all Personal aXs GUARDs
currently connected. It is also possible to remotely reboot a Personal aXs
GUARD from this screen. This is useful when modifications to the Personal
aXs GUARD's settings need to be activated immediately.
7.2 Personal aXs GUARD Administrator's Tool
Several status screens are available in the Personal aXs GUARD
administrator's tool, for example DHCP, VPN, WAN, LAN etc.
8 Troubleshooting
8.1 UDP port 1194
Make sure that UDP port 1194 on the Internet interface of the HQ aXs
GUARD is reachable from the Internet, and that the Personal aXs GUARD can
send UDP traffic to port 1194 on the Internet (any router or firewall in
front of it must allow this). Without it the SSL tunnel cannot be set up.
8.2 No wireless AES encryption on Windows XP client
A special Microsoft Windows XP update package is available, which supports
AES encryption. For more information visit:
http://support.microsoft.com/?id=893357
8.3 Logging onto the HQ aXs GUARD
Go to VPN & RAS > Logs > Personal aXs GUARD and select the current
log file (or use the Live log viewer).
Verify that packets from the Personal aXs GUARD arrive at the HQ aXs
GUARD. Text lines with the public IP address of the Personal aXs GUARD
should be visible.
8.4 Logging onto the Personal aXs GUARD
The Personal aXs GUARD has limited disk space. Therefore only the last 20
logs are stored. You can view them in the Personal aXs GUARD
administrator's tool under Logging.
9 About Able
Able NV, a Belgian company based in Mechelen, designs, develops and
markets aXs GUARD. Able developed aXs GUARD to meet ever-growing
Internet risks with a dynamic security and communications product. Since
October 2006 Able has been part of the VASCO group.
aXs GUARD is a total (All-in-1) solution to meet all your Internet
communication and security needs, and comprises hardware, software and
support. Customers design their own aXs GUARD à la Carte, paying only for
the modules they need today, making it an affordable solution to SMEs and
large organizations alike.
Since the first aXs GUARD prototype in 1996, 97% of Able clients have
remained loyal aXs GUARD users. The long term reliability of this dynamic
solution has won their trust. While aXs GUARD protects their Internet
communications, they can focus on business.
aXs GUARD is distributed worldwide through a network of dealers based in
the Benelux, England, Portugal, Scandinavia and the Middle East.
Able NV
Dellingstraat 28b
2800 Mechelen
Belgium
Tel +32 15 50 44 00
Fax +32 15 50 44 09
www.able.be
www.axsguard.com
[email protected]
10 About VASCO
VASCO is the number one supplier of strong authentication and e-signature
solutions and services. VASCO has established itself as the world's leading
software company specialized in Internet Security, with a customer base of
over 4,800 companies in more than 100 countries, including close to 750
international financial institutions. VASCO's prime markets are the financial
sector, enterprise security, e-commerce and e-government.
VASCO Belgium (Brussels)
Koningin Astridlaan 164
B-1780 Wemmel
phone: +32 2 609 97 00
www.vasco.com
[email protected]