Home » Netgear Manuals » Bridges & Routers » Netgear FVS336G » Manual Viewer

Netgear FVS336G FVS336G Reference Manual - Page 149

Viewing and Loading CA Certificates, CA Identity Subject Name, Issuer Name, Expiry Time

UPC - 606449052015

Add to My Manuals
Save this manual to your list of manuals

Page 149 highlights

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual In the FVS336G, the uploaded digital certificate is checked for validity and also the purpose of the certificate is verified. Upon passing the validity test and the purpose matches its use (has to be SSL and VPN) the digital certificate is accepted. The additional check for the purpose of the uploaded digital certificate must correspond to use for VPN and secure web remote management via HTTPS. If the purpose defined is for VPN & HTTPS then the certificate is uploaded to the HTTPS certificate repository and as well in the VPN certificate repository. If the purpose defined is ONLY for VPN then the certificate is only uploaded to the VPN certificate repository. Thus, certificates used by HTTPS and IPSec will be different if their purpose is not defined to be VPN and HTTPS. The VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities. A certificate that authenticates a server, for example, is a file that contains: • A public encryption key to be used by clients for encrypting messages to the server. • Information identifying the operator of the server. • A digital signature confirming the identity of the operator of the server. Ideally, the signature is from a trusted third party whose identity can be verified absolutely. You can obtain a certificate from a well-known commercial Certificate Authority (CA) such as Verisign or Thawte, or you can generate and sign your own certificate. Because a commercial CA takes steps to verify the identity of an applicant, a certificate from a commercial CA provides a strong assurance of the server's identity. A self-signed certificate will trigger a warning from most browsers as it provides no protection against identity theft of the server. Your VPN firewall contains a self-signed certificate from NETGEAR. We recommend that you replace this certificate prior to deploying the VPN firewall in your network. From the VPN > Certificates menu, you can view the currently loaded certificates, upload a new certificate and generate a Certificate Signing Request (CSR). Your VPN firewall will typically hold two types of certificates: • CA certificate. Each CA issues its own CA identity certificate in order to validate communication with the CA and to verify the validity of certificates signed by the CA. • Self certificate. The certificate issued to you by a CA identifying your device. Viewing and Loading CA Certificates The Trusted Certificates (CA Certificates) table lists the certificates of CAs and contains the following data: • CA Identity (Subject Name). The organization or person to whom the certificate is issued. • Issuer Name. The name of the CA that issued the certificate. • Expiry Time. The date after which the certificate becomes invalid. Managing Users, Authentication, and Certificates v1.0, March 2009 7-11

Section	Page
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual	1
Contents	7
About This Manual	13
Conventions, Formats, and Scope	13
Revision History	14
Chapter 1 Introduction	15
Key Features	15
Dual WAN Ports for Increased Reliability or Outbound Load Balancing	16
Advanced VPN Support for Both IPsec and SSL	16
A Powerful, True Firewall with Content Filtering	17
Autosensing Ethernet Connections with Auto Uplink	17
Extensive Protocol Support	18
Easy Installation and Management	18
Maintenance and Support	19
Package Contents	19
Front Panel Features	20
Rear Panel Features	21
Default IP Address, Login Name, and Password Location	22
Qualified Web Browsers	22
Chapter 2 Connecting the FVS336G to the Internet	23
Understanding the Connection Steps	23
Logging into the VPN Firewall Router	24
Navigating the Menus	25
Configuring the Internet Connections	26
Automatically Detecting and Connecting	27
Manually Configuring the Internet Connection	29
Configuring the WAN Mode (Required for Dual WAN)	32
Network Address Translation	33
Classical Routing	34
Configuring Auto-Rollover Mode	34
Configuring Load Balancing	36
Configuring Dynamic DNS (Optional)	38
Configuring the Advanced WAN Options (Optional)	40
Additional WAN Related Configuration	42
Chapter 3 LAN Configuration	43
Choosing the Firewall DHCP Options	43
Configuring the LAN Setup Options	44
Managing Groups and Hosts (LAN Groups)	47
Viewing the LAN Groups Database	48
Changing Group Names in the LAN Groups Database	49
Configuring DHCP Address Reservation	50
Configuring Multi Home LAN IP Addresses	51
Configuring Static Routes	52
Configuring Static Routes	52
Configuring Routing Information Protocol (RIP)	54
Chapter 4 Firewall Protection and Content Filtering	57
About Firewall Protection and Content Filtering	57
Using Rules to Block or Allow Specific Kinds of Traffic	58
About Services-Based Rules	59
Viewing the Rules	64
Order of Precedence for Rules	64
Setting the Default Outbound Policy	64
Creating a LAN WAN Outbound Services Rule	65
Creating a LAN WAN Inbound Services Rule	66
Inbound Rules Examples	67
Outbound Rules Example	70
Adding Customized Services	70
Setting Quality of Service (QoS) Priorities	72
Attack Checks	73
Blocking Internet Sites (Content Filtering)	74
Configuring Source MAC Filtering	77
Configuring IP/MAC Address Binding Alerts	79
Configuring Port Triggering	80
Setting a Schedule to Block or Allow Specific Traffic	82
Configuring a Bandwidth Profile	82
Configuring Session Limits	84
E-Mail Notifications of Event Logs and Alerts	85
Administrator Tips	85
Chapter 5 Virtual Private Networking Using IPsec	87
Considerations for Dual WAN Port Systems	87
Using the VPN Wizard for Client and Gateway Configurations	89
Creating Gateway to Gateway VPN Tunnels with the Wizard	89
Creating a Client to Gateway VPN Tunnel	92
Testing the Connections and Viewing Status Information	98
NETGEAR VPN Client Status and Log Information	98
FVS336G VPN Connection Status and Logs	100
Managing VPN Policies	101
Managing IKE Policies	101
Managing VPN Policies	103
Configuring Extended Authentication (XAUTH)	104
Configuring XAUTH for VPN Clients	105
User Database Configuration	106
RADIUS Client Configuration	106
Assigning IP Addresses to Remote Users (ModeConfig)	108
Mode Config Operation	109
Configuring the VPN Firewall	109
Configuring the ProSafe VPN Client for ModeConfig	112
Configuring Keepalives and Dead Peer Detection	114
Configuring Keepalive	114
Configuring NetBIOS Bridging with VPN	116
Chapter 6 Virtual Private Networking Using SSL Connections	119
Understanding the Portal Options	119
Planning for SSL VPN	120
Creating the Portal Layout	121
Configuring Domains, Groups, and Users	125
Configuring Applications for Port Forwarding	125
Adding Servers	126
Adding A New Host Name	127
Configuring the SSL VPN Client	128
Configuring the Client IP Address Range	129
Adding Routes for VPN Tunnel Clients	130
Replacing and Deleting Client Routes	130
Using Network Resource Objects to Simplify Policies	131
Adding New Network Resources	131
Configuring User, Group, and Global Policies	133
Viewing Policies	134
Adding a Policy	135
Chapter 7 Managing Users, Authentication, and Certificates	139
Adding Authentication Domains, Groups, and Users	139
Creating a Domain	139
Creating a Group	141
Creating a New User Account	142
Setting User Login Policies	143
Changing Passwords and Settings	145
RADIUS Server External Authentication	147
Managing Certificates	148
Viewing and Loading CA Certificates	149
Viewing Active Self Certificates	150
Obtaining a Self Certificate from a Certificate Authority	151
Managing your Certificate Revocation List (CRL)	153
Chapter 8 Router and Network Management	155
Performance Management	155
Bandwidth Capacity	155
Features That Reduce Traffic	156
Features That Increase Traffic	159
Using QoS to Shift the Traffic Mix	162
Tools for Traffic Management	162
Changing Passwords and Administrator Settings	162
Enabling Remote Management Access	164
Using the Command Line Interface	166
Using an SNMP Manager	167
Configuration File Management	169
Upgrading the Firmware	171
Configuring Date and Time Service	172
Chapter 9 Monitoring System Performance	175
Enabling the Traffic Meter	175
Activating Notification of Events and Alerts	178
Viewing Firewall Logs	180
Viewing Router Configuration and System Status	181
Monitoring the Status of WAN Ports	183
Monitoring Attached Devices	184
Reviewing the DHCP Log	186
Monitoring Active Users	186
Viewing Port Triggering Status	187
Monitoring VPN Tunnel Connection Status	188
Reviewing the VPN Logs	189
Chapter 10 Troubleshooting	191
Basic Functions	191
Power LED Not On	192
LEDs Never Turn Off	192
LAN or WAN Port LEDs Not On	192
Troubleshooting the Web Configuration Interface	193
Troubleshooting the ISP Connection	194
Troubleshooting a TCP/IP Network Using a Ping Utility	195
Testing the LAN Path to Your VPN Firewall	195
Testing the Path from Your PC to a Remote Device	196
Restoring the Default Configuration and Password	197
Problems with Date and Time	197
Using the Diagnostics Utilities	198
Appendix A Default Settings and Technical Specifications	201
Appendix B Related Documents	205
Appendix C Network Planning for Dual WAN Ports	207
What You Will Need to Do Before You Begin	207
Cabling and Computer Hardware Requirements	209
Computer Network Configuration Requirements	209
Internet Configuration Requirements	209
Where Do I Get the Internet Configuration Parameters?	210
Internet Connection Information Form	211
Overview of the Planning Process	212
Inbound Traffic	212
Virtual Private Networks (VPNs)	212
The Roll-over Case for Firewalls With Dual WAN Ports	213
The Load Balancing Case for Firewalls With Dual WAN Ports	213
Inbound Traffic	214
Inbound Traffic to Single WAN Port (Reference Case)	214
Inbound Traffic to Dual WAN Port Systems	214
Virtual Private Networks (VPNs)	216
VPN Road Warrior (Client-to-Gateway)	217
VPN Gateway-to-Gateway	220
VPN Telecommuter (Client-to-Gateway Through a NAT Router)	223
Appendix D Two Factor Authentication	227
Why do I need Two-Factor Authentication?	227
What are the benefits of Two-Factor Authentication?	227
What is Two-Factor Authentication	228
NETGEAR Two-Factor Authentication Solutions	228

Match case Limit results 1 per page

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual

Managing Users, Authentication, and Certificates

7-11

v1.0, March 2009

In the FVS336G, the uploaded digital certificate is checked for validity and also the purpose of the

certificate is verified. Upon passing the validity test and the purpose matches its use (has to be SSL

and VPN) the digital certificate is accepted. The additional check for the purpose of the uploaded

digital certificate must correspond to use for VPN and secure web remote management via

HTTPS. If the purpose defined is for VPN & HTTPS then the certificate is uploaded to the HTTPS

certificate repository and as well in the VPN certificate repository. If the purpose defined is ONLY

for VPN then the certificate is only uploaded to the VPN certificate repository. Thus, certificates

used by HTTPS and IPSec will be different if their purpose is not defined to be VPN and HTTPS.

The VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients, and

to be authenticated by remote entities. A certificate that authenticates a server, for example, is a

file that contains:

•

A public encryption key to be used by clients for encrypting messages to the server.

•

Information identifying the operator of the server.

•

A digital signature confirming the identity of the operator of the server. Ideally, the signature is

from a trusted third party whose identity can be verified absolutely.

You can obtain a certificate from a well-known commercial Certificate Authority (CA) such as

Verisign or Thawte, or you can generate and sign your own certificate. Because a commercial CA

takes steps to verify the identity of an applicant, a certificate from a commercial CA provides a

strong assurance of the server’s identity. A self-signed certificate will trigger a warning from most

browsers as it provides no protection against identity theft of the server.

Your VPN firewall contains a self-signed certificate from NETGEAR. We recommend that you

replace this certificate prior to deploying the VPN firewall in your network.

From the VPN > Certificates menu, you can view the currently loaded certificates, upload a new

certificate and generate a Certificate Signing Request (CSR). Your VPN firewall will typically

hold two types of certificates:

•

CA certificate. Each CA issues its own CA identity certificate in order to validate

communication with the CA and to verify the validity of certificates signed by the CA.

•

Self certificate. The certificate issued to you by a CA identifying your device.

Viewing and Loading CA Certificates

The Trusted Certificates (CA Certificates) table lists the certificates of CAs and contains the

following data:

•

CA Identity (Subject Name)

. The organization or person to whom the certificate is issued.

•

Issuer Name

. The name of the CA that issued the certificate.

•

Expiry Time

. The date after which the certificate becomes invalid.