Use Cases

Importing CA Certificates on Windows

Creating Unique Access Policies for AD Groups

Importing CA Certificates on Windows

Two certificates are imported in this use case, a goDaddy certificate and a server certificate. See the following sections:

Importing a goDaddy Certificate on Windows

Importing a Server Certificate on Windows

Importing a goDaddy Certificate on Windows

In this use case, we format a goDaddy Root CA Certificate on a Windows system and then import it to our SRA appliance.

1. Double-click on the goDaddy.p7b file to open the Certificates window, and navigate to the goDaddy certificate.
The .p7b format is a PKCS#7 format certificate file, a very common certificate format.

2. Double-click the certificate file and select the Details tab.

cert_goDaddy1.jpg

 

3. Click Copy to File. The Certificate Export Wizard launches.

4. In the Certificate Export Wizard, click Next.

5. Select Base-64 encoded X.509 (.CER) and then click Next.

cert_goDaddy_base64.jpg

 

6. In the File to Export screen, type the file name in as goDaddy.cer and then click Next.

7. In the Completing the Certificate Export Wizard screen, verify the path and format and then click Finish.

8. Click OK in the confirmation dialog box.

The certificate is exported in base-64 encoded format. You can view it in a text editor.

cert_goDaddy_binary.jpg

 

9. In the SRA management interface, navigate to System > Certificates.

cert_goDaddy_sys_cert.jpg

 

10. In the Additional CA Certificates section, click Import CA Certificate. The Import Certificate window appears.

cert_goDaddy_import_cert.jpg

 

11. In the Import Certificate window, click Browse and navigate to the goDaddy.cer file on your Windows system and double-click it.

12. Click Upload. The certificate will be listed in the Additional CA Certificates table.

cert_goDaddy_imported.jpg

 

13. Navigate to System > Restart and restart the SRA appliance for the CA certificate to take effect.

Importing a Server Certificate on Windows

In this use case, we import a Microsoft CA server certificate to a Windows system. In this case, the purpose is to use an SSL certificate for application offloading to a mail server.

The server certificate is mail.chaoslabs.nl. This certificate needs to be exported in base-64 format as the server.crt file that is put in a .zip file and uploaded as a Server Certificate.

The private key is not included in the .p7b file. The private key needs to be exported from wherever it is and saved in a base-64 format and included in a server.key file in the .zip file.

1. Double-click on the mail.chaoslabs.nl.pb7 file and navigate to the certificate.

cert_chaos.jpg

 

2. Double-click the certificate file and select the Details tab.

3. Click Copy to File.

4. In the Certificate Export Wizard, select Base-64 encoded X.509 (.CER).

5. Click Next and save the file as server.crt on your Windows system.

The certificate is exported in base-64 encoded format.

6. Add the server.crt file to a .zip file.

7. Separately save the private key in base-64 format as server.key.

8. Add the server.key file to the .zip file that contains server.crt.

9. Upload the .zip file to the server as a Server Certificate.

Creating Unique Access Policies for AD Groups

In this use case, we add Outlook Web Access (OWA) resources to the SRA appliance, and need to configure the access policies for users in multiple Active Directory (AD) groups. We will create a local group for each AD group and apply separate access policies to each local group.

While Active Directory allows users to be members in multiple groups, the SRA appliance only allows each user to belong to a single group. It is this group that determines the access policies assigned to the user.

When importing a user from AD, the user will be placed into the local SRA group with which they have the most AD groups in common. For example: Bob belongs to the Users, Administrators, and Engineering AD groups. If one SRA group is associated with Users, and another is associated with both Administrators and Engineering, Bob will be assigned to the SRA group with both Administrators and Engineering because it matches more of his own AD groups.

The goal of this use case is to show that Dell SonicWALL SRA firmware supports group-based access policies by configuring the following:

• Allow Acme Group in Active Directory to access the 10.200.1.102 server using SSH

• Allow Mega Group in Active Directory to access Outlook Web Access (OWA) at 10.200.1.10

• Allow IT Group in Active Directory to access both SSH and OWA resources defined above

• Deny access to these resources to all other groups

This example configuration is provided courtesy of Vincent Cai, June 2008.

Figure C:29 Network Topology

AD_groups_topology.jpg

 

Perform the tasks in order of the following sections:

Creating the Active Directory Domain

Adding a Global Deny All Policy

Creating Local Groups

Adding the SSHv2 PERMIT Policy

Adding the OWA PERMIT Policies

Verifying the Access Policy Configuration

Creating the Active Directory Domain

This section describes how to create the SRA Local Domain, SNWL_AD. SNWL_AD is associated with the Active Directory domain of the OWA server.

1. Log in to the SRA management interface and navigate to the Portals > Domains page.

2. Click Add Domain. The Add Domain window appears.

AD_groups_addADdomain.jpg

 

3. In the Authentication type drop-down list, select Active Directory.

4. In the Domain name field, type SNWL_AD.

5. In the Active Directory domain field, type the AD domain name, in.loraxmfg.com.

6. In the Server address field, type the IP address of the OWA server, 10.200.1.10.

7. Click Add.

8. View the new domain in the Portals > Domains page.

AD_groups_ADdomain_added.jpg

 

Adding a Global Deny All Policy

This procedure creates a policy that denies access to the OWA resources to all groups, except groups configured with an explicit Permit policy.

The SRA default policy is Allow All. In order to have more granular control, we add a Deny All policy here. Later, we can add Permit policies for each group, one at a time.

1. Navigate to the Users > Local Users page.

AD_groups_LocalUsers.jpg

 

2. Click the Configure button icon_edit.jpg in the Global Policies row. The Edit Global Policies window appears.

3. In the Edit Global Policies window, click the Policies tab.

4. Click Add Policy. The Add Policy window appears.

AD_groups_AddPolicy.jpg

 

5. Select IP Address Range from the Apply Policy To drop-down list.

6. In the Policy Name field, type the descriptive name Deny All.

7. In the IP Network Address field, type the network address, 10.200.1.0.

8. In the Subnet Mask field, type the mask in decimal format, 255.255.255.0.

9. In the Service drop-down list, select All Services.

10. In the Status drop-down list, select DENY.

11. Click Add.

12. In the Edit Global Policies window, verify the Deny All policy settings and then click OK.

AD_groups_GlobalDenyAll.jpg

 

Creating Local Groups

This procedure creates Local Groups that belong to the SNWL_AD domain on the SRA appliance. We create one local group for each Active Directory group.

Adding the Local Groups

1. Navigate to the Users > Local Groups page and click Add Group. The Add Local Group window appears. We will add three local groups, corresponding to our Active Directory groups.

AD_groups_AddLocalGroup.jpg

 

2. In the Add Local Group window, type Acme_Group into the Group Name field.

3. Select SNWL_AD from the Domain drop-down list.

4. Click Add.

5. On the Users > Local Groups page, click Add Group to add the second local group.

6. In the Add Local Group window, type Mega_Group into the Group Name field.

7. Select SNWL_AD from the Domain drop-down list.

8. Click Add.

9. On the Users > Local Groups page, click Add Group to add the second local group.

10. In the Add Local Group window, type IT_Group into the Group Name field.

11. Select SNWL_AD from the Domain drop-down list.

12. Click Add.

13. View the added groups on the Users > Local Groups page.

AD_groups_LocalGroups.jpg

 

Configuring the Local Groups

In this procedure we will edit each new local group and associate it with the corresponding Active Directory Group.

1. Click the Configure button in the Acme_Group row. The Edit Group Settings window appears.

AD_groups_EditAcmeGroup.jpg

 

2. In the Edit Group Settings window, click the AD Groups tab.

3. On the AD Groups tab, click the Add Group button.

4. In the Edit Active Directory Group window, select Acme Group from the Active Directory Group drop-down list.

AD_groups_setADgroup.jpg

 

5. Click Edit.
Acme Group is listed in the Active Directory Groups table on the AD Groups tab.

AD_groups_Acme_Group_added.jpg

 

6. In the Edit Group Settings window, click OK.

7. On the Users > Local Groups page, click the Configure button in the Mega_Group row. The Edit Group Settings window appears.

8. In the Edit Group Settings window, click the AD Groups tab and then click the Add Group button.

9. In the Edit Active Directory Group window, select Mega Group from the Active Directory Group drop-down list and then click Edit.
Mega Group is listed in the Active Directory Groups table on the AD Groups tab.

10. In the Edit Group Settings window, click OK.

11. On the Users > Local Groups page, click the Configure button in the IT_Group row. The Edit Group Settings window appears.

12. In the Edit Group Settings window, click the AD Groups tab and then click the Add Group button.

13. In the Edit Active Directory Group window, select IT Group from the Active Directory Group drop-down list and then click Edit.
IT Group is listed in the Active Directory Groups table on the AD Groups tab.

14. In the Edit Group Settings window, click OK.

At this point, we have created the three Local Groups and associated each with its Active Directory Group.

Adding the SSHv2 PERMIT Policy

In this section, we will add the SSHv2 PERMIT policy for both Acme_Group and IT_Group to access the 10.200.1.102 server using SSH.

This procedure creates a policy for the SRA Local Group, Acme_Group, and results in SSH access for members of the Active Directory group, Acme Group.

Repeat this procedure for IT_Group to provide SSH access to the server for members of the Active Directory group, IT Group.

1. On the Users > Local Groups page, click the Configure button in the Acme_Group row. The Edit Group Settings window appears.

2. In the Edit Group Settings window, click the Policies tab.

3. On the Policies tab, click Add Policy.

4. In the Add Policy window, select IP Address in the Apply Policy To drop-down list.

AD_groups_AddSSHPolicy.jpg

 

5. In the Policy Name field, enter the descriptive name, Allow SSH.

6. In the IP Address field, enter the IP address of the target server, 10.202.1.102.

7. In the Services drop-down list, select Secure Shell Version 2 (SSHv2).

8. In the Status drop-down list, select PERMIT, and then click Add.

9. In the Edit Group Settings window, click OK.

Adding the OWA PERMIT Policies

In this section, we will add two OWA PERMIT policies for both Mega_Group and IT_Group to access the OWA service using Secure Web (HTTPS).

This procedure creates a policy for the SRA Local Group, Mega_Group, and results in OWA access for members of the Active Directory group, Mega Group.

To access the Exchange server, adding a PERMIT policy to the 10.200.1.10/exchange URL Object itself is not enough. Another URL Object policy is needed that permits access to 10.200.1.10/exchweb, because some OWA Web contents are located in the exchweb directory.

Repeat this procedure for IT_Group to provide OWA access for members of the Active Directory group, IT Group.

Note In this configuration, members of IT_Group and Mega_Group are denied access to the https://owa-server/public folder, because these groups have access only to the /exchange and /exchweb subfolders.

The OWA policies are applied to Exchange server URL Objects rather than server IP addresses since OWA is a Web service.

1. In the Users > Local Groups page, click the Configure button in the Mega_Group row. We will create two PERMIT policies for Mega_Group to allow access to the OWA Exchange server.

2. In the Edit Group Settings window, click the Policies tab, and then click Add Policy.

3. In the Add Policy window, select URL Object in the Apply Policy To drop-down list.

AD_groups_AddOWAPolicy.jpg

 

4. In the Policy Name field, enter the descriptive name, OWA.

5. In the Service drop-down list, select Secure Web (HTTPS).

6. In the URL field, enter the URL of the target application, 10.200.1.10/exchange.

7. In the Status drop-down list, select PERMIT, and then click Add.

8. In the Edit Group Settings window on the Policies tab, click Add Policy.

9. In the Add Policy window, select URL Object in the Apply Policy To drop-down list.

AD_groups_OWAexchwebPolicy.jpg

 

10. In the Policy Name field, enter the descriptive name, OWA exchweb.

11. In the Service drop-down list, select Secure Web (HTTPS).

12. In the URL field, enter the URL of the target application, 10.200.1.10/exchweb.

13. In the Status drop-down list, select PERMIT, and then click Add.

14. In the Edit Group Settings window, click OK. We are finished with the policies for Mega_Group. Repeat this procedure for IT_Group to provide OWA access for members of the Active Directory group, IT Group.

AD_groups_OWA_Policies.jpg

 

Verifying the Access Policy Configuration

At this point:

• Acme_Group users are allowed to access SSH to 10.200.1.102

• Mega_Group users are allowed to access OWA at 10.200.1.10

• IT_Groups users are allowed to access both SSH and OWA as defined above

The configuration can be verified by logging in as different AD group members to the SNWL_AD domain on the SRA appliance, and attempting to access the resources.

Test Result: Try Acmeuser Access

Acmeuser logs into the SNWL_AD domain.

AD_groups_acmeuser1.jpg

 

The Users > Status page shows that acmeuser is a member of the local group, Acme_Group.

AD_groups_acmeuser0.jpg

 

Acmeuser can access SSH, as expected.

AD_groups_acmeuser2.jpg

 

Acmeuser tries to access to other resources like OWA 10.200.1.10, but is denied, as expected.

AD_groups_acmeuser3.jpg

 

Test Result: Try Megauser Access

Megauser logs into the SNWL_AD domain.

AD_groups_megauser1.jpg

 

The Users > Status page shows that megauser is a member of the local group, Mega_Group.

AD_groups_megauser0.jpg

 

Megauser can access OWA resources, as expected.

AD_groups_megauser2.jpg

 

Megauser tries to access SSH, but is denied, as expected.

AD_groups_megauser3.jpg

 

Test Result: Try Ituser Access

Ituser logs into the SNWL_AD domain. The Users > Status page shows that ituser is a member of the local group, IT_Group.

AD_groups_ITuser0.jpg

 

Ituser can access SSH to 10.200.1.102, as expected.

AD_groups_ITuser1.jpg

 

Ituser can access OWA resources, as expected.

owa_access.jpg