In this page, all users that have an account on the Panda GateDefender Appliance's VPN
server are displayed in the table, and for each of them the following
information is shown:
- Name. The name of the user.
- Remark. A comment.
- Authentication server. The server used for the user authentication,
which is either local (the Panda GateDefender Appliance itself) or LDAP (an
external LDAP server, configurable in the Settings
tab).
- Actions. The available operations that can be carried out on the
account. For LDAP users they are Enable/Disable and Edit; for
local users there is also the possibility to Delete. Editing an
LDAP user only allows its local options to be modified, not other data
such as username or password, which are entirely managed by the LDAP
server.
Click on Add new local user above the table to add a new
local account. In the form that will show up, the following options
can be specified for each user.
- Username
- The login name of the user
- Remark
- An additional comment.
- Password, Confirm password
- The password for the user, to be entered twice. The passwords are
hidden while typed: to see them, tick the two checkboxes on their
right.
- Certificate configuration
- Select the mode to assign a certificate to the user. The available
modes are selectable from the drop-down menu: Generate a new
certificate, Upload a certificate, and Upload a Certificate
signing request. Upon selection, below the drop-down menu appear
the available options for each mode, which are described in the
Certificates page.
- Organizational unit name
- The Organisational Unit to which the user belongs, i.e., the
company, enterprise, or institution department identified by the
certificate.
- Organization name
- The organisation to which the user belongs.
- City
- The city (L) in which the organisation is located.
- State or province
- The state or province (ST) in which the organisation is located.
- Country
- The Country (C) in which the organisation is located, chosen from
those in the selection menu. By typing one or more letters,
matching countries are searched for and displayed.
- Email address
- The e-mail address of the user.
- Group membership
- In this part of the panel it is possible to assign the user membership
of one or more groups. The search widget filters the existing groups
to find matching ones. Group membership is added by clicking on the +
on the right of the group name. Groups to which the user belongs are
shown in the textfield below. There are also shortcuts to Add all and
to Remove all group memberships at once.
- Override OpenVPN options
- Tick this checkbox to allow the OpenVPN protocol to be used. This
option reveals a box in which to specify custom options for the
account, described below.
- Override L2TP options
- Tick this checkbox to show a box in which to choose the L2TP tunnel
to be used.
Note
This option cannot be selected if no L2TP tunnel has yet
been configured. In that case, an informative message
appears as a hyperlink: clicking on it opens the IPsec
connection editor. Once a tunnel has been created, it will be
possible to allow a VPN user to connect using the L2TP protocol.
Hint
If the OpenVPN options are also overridden, the box for L2TP
options appears below the OpenVPN options box.
- Enabled
- Tick the checkbox to enable the user, i.e., to allow her to connect
to the OpenVPN server on the Panda GateDefender Appliance.
- direct all client traffic through the VPN server
- If this option is checked, all the traffic from the connecting
client, regardless of the destination, is routed through the uplink
of the Panda GateDefender Appliance. The default is to route all the traffic whose
destination is outside any of the internal zones (such as Internet
hosts) through the client’s uplink.
- Push only global options to this client
- For advanced users only. Normally, when a client connects,
tunnelled routes to the networks reachable via VPN are added to the
client's routing table, so that it can reach the various local
networks behind the Panda GateDefender Appliance. Enable this option
when that behaviour is not wanted and the client's routing tables
(especially those for the internal zones) are to be maintained
manually instead.
- Push route to GREEN [BLUE, ORANGE] zone
- When this option is active, the client will have access to the
GREEN, BLUE, or ORANGE zone. These options have no effect if the
corresponding zones are not enabled.
- Networks behind client
- This option is only needed if this account is used as a client in a
Gateway-to-Gateway setup. Enter in the box the networks lying behind
this client that should be pushed to the other clients; in other words,
these networks will become reachable by the other clients.
- Static IP addresses
- Dynamic IP addresses are assigned to clients, but a static IP
address provided here will be assigned to the client whenever it
connects.
Note
If the client connects to a multicore VPN server running
on the Panda GateDefender Appliance, this assignment will not be taken into
account.
- Push these nameservers
- Assign custom nameservers on a per-client basis here. This setting
(and the next one) can be defined, but enabled or disabled at will.
- Push these domains
- Assign custom search domains on a per-client basis here.
Note
When planning to have two or more branch offices connected
through a Gateway-to-Gateway VPN, it is good practice to choose
different subnets for the LANs in the different branches. For
example, one branch might have a GREEN zone with the
192.168.1.0/24 subnet while the other branch uses
192.168.2.0/24. Using this solution, several possible sources
for errors and conflicts will be avoided. Indeed, several
advantages come for free, including: The automatic assignment of
correct routes, without the need for pushing custom routes, no
warning messages about possibly conflicting routes, correct local
name resolution, and easier WAN network setup.
- IPsec Tunnel
- This drop-down menu allows choosing, among those already defined, the
tunnel that the user will employ.
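The per-client options above map naturally onto an OpenVPN client-config-dir (CCD) entry, and seeing that mapping makes clear what each checkbox actually pushes to the client. The following is an added example, not the appliance's own code or generated output: it assumes the options correspond to the standard OpenVPN directives ifconfig-push, push "route", iroute, push "redirect-gateway" and push "dhcp-option", that the server uses topology subnet with a /24 tunnel, and that the zone subnets are constructed sample values (192.168.1.0/24 for GREEN as in the note above; BLUE and ORANGE are made up). Every address is validated before it is written into a directive, so a malformed static IP, network or search domain is rejected instead of silently producing a broken configuration.

```python
"""Render an OpenVPN client-config-dir (CCD) entry from the per-user options
described above.

Added example, not the appliance's own code. It assumes those options map onto
the standard OpenVPN directives ifconfig-push, push "route", iroute,
push "redirect-gateway" and push "dhcp-option", that the server runs with
"topology subnet" and a /24 tunnel, and that the zone subnets below are
constructed sample values.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample subnets for the three zones (assumption, not from the page).
ZONE_SUBNETS = {
    "GREEN": "192.168.1.0/24",
    "BLUE": "192.168.2.0/24",
    "ORANGE": "192.168.3.0/24",
}
TUNNEL_NETMASK = "255.255.255.0"  # assumed tunnel netmask used by ifconfig-push
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")


@dataclass
class ClientOptions:
    """One user's per-client settings, named after the options on the page."""
    direct_all_traffic: bool = False        # "direct all client traffic through the VPN server"
    push_only_global_options: bool = False  # "Push only global options to this client"
    push_zones: List[str] = field(default_factory=list)              # "Push route to ... zone"
    networks_behind_client: List[str] = field(default_factory=list)  # CIDR strings
    static_ip: Optional[str] = None         # "Static IP addresses"
    nameservers: List[str] = field(default_factory=list)             # "Push these nameservers"
    search_domains: List[str] = field(default_factory=list)          # "Push these domains"
    enabled_zones: List[str] = field(default_factory=lambda: list(ZONE_SUBNETS))
    multicore_server: bool = False          # static IP is ignored on a multicore server


def _network(cidr: str) -> ipaddress.IPv4Network:
    # strict=True rejects host bits inside a network, e.g. 192.168.1.5/24
    return ipaddress.IPv4Network(cidr, strict=True)


def render_ccd(opts: ClientOptions) -> List[str]:
    """Return the CCD lines for this client; raises ValueError on malformed input."""
    lines: List[str] = []
    if opts.static_ip and not opts.multicore_server:
        addr = ipaddress.IPv4Address(opts.static_ip)
        lines.append(f"ifconfig-push {addr} {TUNNEL_NETMASK}")
    if not opts.push_only_global_options:
        # Per-client zone routes; a zone that is not enabled has no effect.
        for zone in opts.push_zones:
            if zone not in ZONE_SUBNETS:
                raise ValueError(f"unknown zone: {zone!r}")
            if zone in opts.enabled_zones:
                net = _network(ZONE_SUBNETS[zone])
                lines.append(f'push "route {net.network_address} {net.netmask}"')
    # Gateway-to-Gateway: networks behind this client, routed back through it.
    for cidr in opts.networks_behind_client:
        net = _network(cidr)
        lines.append(f"iroute {net.network_address} {net.netmask}")
    if opts.direct_all_traffic:
        lines.append('push "redirect-gateway def1"')
    for ns in opts.nameservers:
        lines.append(f'push "dhcp-option DNS {ipaddress.IPv4Address(ns)}"')
    for domain in opts.search_domains:
        # Only hostname characters: a quote or space here would corrupt the push line.
        if not _DOMAIN_RE.match(domain):
            raise ValueError(f"invalid search domain: {domain!r}")
        lines.append(f'push "dhcp-option DOMAIN {domain}"')
    return lines


if __name__ == "__main__":
    sample = ClientOptions(static_ip="10.8.0.10", push_zones=["GREEN", "ORANGE"],
                           enabled_zones=["GREEN", "BLUE"], direct_all_traffic=True,
                           networks_behind_client=["172.16.5.0/24"],
                           nameservers=["192.168.1.1"], search_domains=["branch.example"])
    print("\n".join(render_ccd(sample)))
```

An iroute line only takes effect when the server configuration also carries a matching route directive for that network, and, as the note on static IP addresses says, the ifconfig-push line is skipped when the multicore flag is set.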
In this page a table is displayed which shows all the groups that are
defined either on the Panda GateDefender Appliance or on an external LDAP server. For
each group the following information is shown:
- Groupname. The name of the group.
- Remark. A comment.
- Authentication server. The server used for the user authentication,
which is either local (the Panda GateDefender Appliance itself) or LDAP (an external
LDAP server, configurable in the Settings tab).
- Actions. The available operations that can be carried out on the
group. For groups defined on an LDAP server the only action is to Edit
the local properties, while for local groups there is also the
possibility to Delete the group.
Click on Add new local groups above the table to add a new
local group. In the form that will show up, the following options
can be specified for each group.
- Group Name
- The name given to the group.
- Remark
- A comment.
- Users
- In this part of the panel it is possible to assign users to the
group. The search widget filters the existing local users to find
matching ones. Users are added to the group by clicking on the + on the
right of the username. Users in the group are shown in the textfield
below. There are also shortcuts to Add all and to Remove all users
to/from the group.
- Override OpenVPN options
- Tick this checkbox to allow the OpenVPN protocol to be used. This
option reveals a box in which to specify custom options for the
account, which are the same as those specified for local users.
- Override L2TP options
- Tick this checkbox to show a box in which to choose the L2TP tunnel
to be used from a drop-down menu.
Note
This option cannot be selected if no L2TP tunnel has yet
been configured. In that case, an informative message
appears as a hyperlink: clicking on it opens the IPsec
connection editor. Once a new L2TP tunnel has been created,
it will be possible to associate it with a user.
Hint
If the OpenVPN options are also overridden, the box for L2TP
options appears below the OpenVPN options box.
- Enabled
- Tick the checkbox to enable the user, i.e., to allow her to connect
to the OpenVPN server on the Panda GateDefender Appliance.
Warning
While the same user can legitimately be a member of one or more
groups, care must be taken that the groups the user belongs to do
not define conflicting override options. As an example, consider
a user who is a member of two groups, one allowing access only to
the GREEN zone and the other only to the BLUE zone. In this case,
it is not easy to predict whether that user will be granted access
to the BLUE or to the GREEN zone. The management of these issues
is left to the administrator of the OpenVPN server.
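One way to catch the situation the warning describes before a user ever connects is to compare the override options of every group the user belongs to and refuse to merge them when two groups disagree, instead of letting the outcome depend on evaluation order. The code below is an added example and not part of the appliance; the option names, the group definitions and the merge order are constructed for illustration, and the appliance's actual behaviour when groups conflict is, as the warning says, not defined on this page.

```python
"""Detect conflicting override options between the groups a VPN user belongs to.

Added example, not part of the appliance. The option names and the group
definitions below are constructed to illustrate the warning above; the
appliance's real merge behaviour is not documented on this page.
"""
from typing import Any, Dict, List, Tuple

# Each group lists only the options it overrides; an absent key means
# "not overridden by this group".
GroupOverrides = Dict[str, Dict[str, Any]]


def _normalize(value: Any) -> Any:
    # Lists of routes or nameservers compare equal regardless of order.
    if isinstance(value, (list, tuple, set)):
        return tuple(sorted(map(str, value)))
    return value


def find_conflicts(user_groups: List[str],
                   overrides: GroupOverrides) -> List[Tuple[str, Dict[str, Any]]]:
    """Return (option, {group: value}) for every option on which two of the
    user's groups set different values."""
    per_option: Dict[str, Dict[str, Any]] = {}
    for group in user_groups:
        for option, value in overrides.get(group, {}).items():
            per_option.setdefault(option, {})[group] = value
    conflicts = []
    for option, by_group in sorted(per_option.items()):
        if len({_normalize(v) for v in by_group.values()}) > 1:
            conflicts.append((option, by_group))
    return conflicts


def effective_options(user_groups: List[str], overrides: GroupOverrides,
                      defaults: Dict[str, Any]) -> Dict[str, Any]:
    """Merge the user's group overrides over the global defaults, refusing to
    guess when the groups disagree."""
    conflicts = find_conflicts(user_groups, overrides)
    if conflicts:
        names = ", ".join(option for option, _ in conflicts)
        raise ValueError(f"conflicting group overrides for: {names}")
    merged = dict(defaults)
    for group in user_groups:
        merged.update(overrides.get(group, {}))
    return merged


# Constructed sample data mirroring the example in the warning.
SAMPLE_OVERRIDES: GroupOverrides = {
    "green-only": {"push_route_green": True, "push_route_blue": False},
    "blue-only": {"push_route_green": False, "push_route_blue": True},
    "branch-dns": {"nameservers": ["192.168.1.1", "192.168.1.2"]},
}
SAMPLE_DEFAULTS = {"push_route_green": False, "push_route_blue": False,
                   "push_route_orange": False, "nameservers": []}

if __name__ == "__main__":
    for option, by_group in find_conflicts(["green-only", "blue-only"], SAMPLE_OVERRIDES):
        print(f"conflict on {option}: {by_group}")
    print(effective_options(["green-only", "branch-dns"], SAMPLE_OVERRIDES, SAMPLE_DEFAULTS))
```

Running such a check whenever a user's group membership or a group's override box is saved turns the warning's "not easy to predict" case into an explicit error that the administrator sees at configuration time.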
This page contains the current configuration of the authentication
servers on which the Panda GateDefender Appliance relies and allows for their
management. Currently, only local and LDAP / Active Directory are
supported, though in future releases additional types of authentication
server might be added, such as RADIUS servers.
There are two tables in this page, one displaying information about
Authentication servers, and one showing Authentication server
mappings. In the former, the following information is shown:
- Name. The name given to the server
- Type. Whether the server is a local or an external LDAP one.
- Service. Which authentication is available for that server.
- Actions. For local authentication, it is possible to
enable/disable the server, to edit it, or to delete it. For LDAP
servers there is also the ability to refresh the connection, which
synchronises the users and groups.
The table at the bottom shows the correspondences between a service
(IPsec XAuth, OpenVPN, and L2TP) and the type of authentication
allowed. The only action available for the mappings is to Edit them.
Clicking on Edit opens a form in which a selector allows choosing
which authentication backends will be used for that service.
A click on the Add new authentication server link above
the tables opens a form in which to supply all data to set up a new
authentication server.
This form replaces the tables displaying the already defined
authentication servers and allows configuring a new one by
specifying appropriate values for the following configuration options.
- Name
- The name given to the authentication server.
- Enabled
- Tick the checkbox to enable the server.
- Type
- Select from the drop-down menu whether the server shall be LDAP /
Active Directory or local. All the following options, except for the
last one, are available only for the configuration of LDAP servers.
- LDAP server URI
- The URI of the LDAP server.
- LDAP server type
- This drop-down menu allows the choice of the type of the
authentication server among Generic, Active Directory, Novell
eDirectory, or OpenLDAP.
- LDAP bind DN username
- The full distinguished name of the bind DN user, which must have
permission to read user attributes.
- LDAP bind DN password
- The password of the bind DN user.
The following options depend on the server's setup and are used to
identify which users and groups shall be granted access to the Panda
GateDefender Appliance's OpenVPN server: LDAP user base DN, LDAP user
search filter, LDAP user unique ID attribute, LDAP group base DN,
LDAP group unique ID attribute, LDAP group member attribute, and
LDAP group search filter.
- Limit to specified groups
- This option allows selecting which groups on the LDAP server are
allowed to connect to the Panda GateDefender Appliance's OpenVPN server.
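The LDAP settings above name the pieces from which the user and group lookups are built: a user search filter combined with the user unique ID attribute to find the account that is logging in, and a group search filter combined with the group unique ID and group member attributes to find the groups that account belongs to, optionally limited to the selected groups. The following added example (not the appliance's own code; the attribute names, the sample DN and the exact shape of the combined filters are assumptions) shows how such filters are assembled with every externally supplied value escaped as RFC 4515 requires, so that a username containing parentheses or a wildcard cannot change the meaning of the filter and widen the set of matching accounts.

```python
"""Build the LDAP search filters that the settings above describe (user search
filter, user unique ID attribute, group search filter, group unique ID
attribute, group member attribute, limit to specified groups), escaping every
value that comes from outside the directory.

Added example, not the appliance's own code; the attribute names and the
sample DN are constructed, and the exact filters the appliance issues are not
shown on the page.
"""
from typing import List, Optional

# RFC 4515 escaping: these characters must not appear raw inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _and(*parts: Optional[str]) -> str:
    # Combine the non-empty parts with an LDAP AND; a single part stands alone.
    terms = [p for p in parts if p]
    if len(terms) == 1:
        return terms[0]
    return "(&" + "".join(terms) + ")"


def _check_filter(filter_text: str) -> str:
    # A configured search filter must be a complete parenthesised filter;
    # this stops a stray fragment from being glued onto the generated one.
    if filter_text and not (filter_text.startswith("(") and filter_text.endswith(")")):
        raise ValueError(f"search filter must be parenthesised: {filter_text!r}")
    return filter_text


def build_user_filter(user_search_filter: str, uid_attr: str, username: str) -> str:
    """Filter that locates exactly the user logging in, under the user base DN."""
    return _and(_check_filter(user_search_filter),
                f"({uid_attr}={escape_filter_value(username)})")


def build_group_filter(group_search_filter: str, group_uid_attr: str,
                       member_attr: str, user_dn: str,
                       allowed_groups: List[str]) -> str:
    """Filter that finds the groups the user belongs to, under the group base DN,
    optionally restricted to the groups chosen under "Limit to specified groups"."""
    limit = None
    if allowed_groups:
        alternatives = "".join(f"({group_uid_attr}={escape_filter_value(g)})"
                               for g in allowed_groups)
        limit = alternatives if len(allowed_groups) == 1 else f"(|{alternatives})"
    return _and(_check_filter(group_search_filter), limit,
                f"({member_attr}={escape_filter_value(user_dn)})")


if __name__ == "__main__":
    # Constructed sample values: an Active Directory style schema and a hostile username.
    print(build_user_filter("(objectClass=person)", "sAMAccountName", "alice)(objectClass=*"))
    print(build_group_filter("(objectClass=group)", "cn", "member",
                             "CN=alice,OU=Users,DC=example,DC=test",
                             ["vpn-users", "vpn-admins"]))
```

The user filter is evaluated under the LDAP user base DN and the group filter under the LDAP group base DN; the bind DN user only needs read access to the attributes these filters reference, which is the permission the setting above calls for.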