WebUI Handbook
Declaration of Conformity
We, Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, CA. 95035, 1-866-692-7729, declare under our sole responsibility that the product(s) Array Networks, Inc. Array Appliance complies with Part 15 of FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
WARNING: This is a Class "A" digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. In a residential area, operation of this equipment is likely to cause harmful interference, in which case the user may be required to take adequate measures. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

Copyright 2009/2010 Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, CA. 95035, USA. All rights reserved. This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and compilation. No part of this document may be reproduced in any form by any means without prior written authorization of Array Networks, Inc. Documentation is provided as is without warranty of any kind, either expressed or implied, including any kind of implied or expressed warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose. Array Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Array Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Array Networks, Inc. The use and purchase of this product does not convey a license to any patent, copyright, or trademark rights, or any other intellectual property rights of Array Networks, Inc.
2009/2010 Array Networks All Rights Reserved
Contents
Contacting Array Networks ... 7
Web Users Interface Introduction ... 7
Setting up the SPX ... 7
Web Users Interface Setup Configuration ... 8
Browser Basics ... 10
Accessing the SPX WebUI ... 10
Understanding the Array Pilot WebUI ... 11
The Array Top Bar ... 12
The Array Side Bar ... 12
The Array Configuration Window ... 13
Using the SPX WebUI ... 14
Configuring with the WebUI ... 15
The Global Home Page ... 16
Quick Start ... 17
System Configuration ... 23
General Settings ... 23
Basic Networking ... 24
Interfaces ... 24
ARP Entries ... 25
Routing ... 26
Name Resolution Host ... 27
Advanced Networking ... 30
NAT ... 30
TCP/UDP ... 31
Port Forwarding ... 31
Transparent Port Forwarding ... 32
Multicast IP Forwarding ... 33
TCP IP ... 34
SSL ... 35
DNS ... 36
DHCP Settings ... 37
HTTP Compression Settings ... 38
HTTP Settings ... 39
Clustering ... 41
Clustering Environments ... 42
Active Standby with Stateful Failover ... 44
Active Active ... 45
Webwall ... 47
Global Admin ... 48
Site Admin ... 49
Admin Roles ... 50
Admin Authentication ... 51
Global Resources ... 54
Local Databases ... 54
SecurID Servers ... 55
SSL Backend ... 56
Thin Client Support ... 57
Admin Tools ... 60
System Management ... 60
Config Management ... 63
Synchronization for Peer SPX ... 67
Monitoring ... 70
SNMP ... 74
Monitoring Statistics ... 76
Troubleshooting ... 78
Change Password ... 79
Service Management ... 80
Network Separation ... 80
Session Limits ... 81
Site Access ... 82
Static VLAN ... 83
Virtual Sites ... 84
Creating a Virtual Site ... 84
Creating the Shared Virtual Site ... 85
The Shared Virtual Site Home ... 86
The Shared Virtual Site Home ... 87
Creating the Aliased Virtual Site ... 88
The Exclusive Virtual Site ... 89
Domain Forwarding ... 90
QuickLink ... 90
The Virtual Site Navigation ... 91
Sidebar ... 92
Home Page ... 93
Quick Tasks ... 94
Site Configuration ... 95
SSL Certificates ... 95
AAA ... 97
AAA Authorization ... 104
Group Mapping ... 106
AAA Accounting ... 107
Portal ... 108
Security Settings ... 113
Site Configuration ... 120
Advanced Networking: DNS ... 120
Advanced Networking: WINS ... 121
Site2Site ... 122
Local Users & Groups ... 129
Local Users ... 129
Login Authorization ... 132
Access Methods ... 136
Web Access ... 136
QuickLink ... 137
LinkDirect ... 138
Web Resource Mapping: Custom Rewrite ... 140
Web SSH ... 143
NFS Fileshare ... 149
Mail Services ... 150
Thin Client Support ... 152
TCP Applications ... 157
L3VPN ... 162
ATF ... 168
Access Policies ... 169
Access Control Lists ... 169
ACL Resources ... 170
URL Filtering ... 174
Admin Tools ... 177
Session Management ... 177
Config Management ... 178
Monitoring ... 182
Troubleshooting ... 183
Change Password ... 184
System Configuration Help ... 185
General Settings ... 185
Basic Networking ... 185
Interface ... 186
ARP ... 186
Routing ... 186
Name Resolution ... 187
Advanced Networking ... 187
NAT ... 188
Port Forwarding ... 188
Clustering ... 188
Webwall ... 189
Administrators Help ... 190
Global/Site Admin/Admin Roles ... 190
Admin Authentication ... 191
Global Resources Help ... 191
Local Databases ... 191
SecurID Import ... 192
NFS Fileshare ... 192
Thin Client Support ... 192
Admin Tools Help ... 193
Access Control ... 193
Update ... 193
Shutting Down/Restarting the SPX ... 193
System License ... 193
Config Management ... 194
Synchronization ... 194
Monitoring ... 195
Logging ... 195
SNMP ... 195
Troubleshooting ... 196
Change Password ... 196
Virtual Sites Help ... 197
Setting Up a Virtual Site ... 197
Site Configuration Help ... 198
Site2Site ... 199
AAA ... 200
AAA Methods ... 201
Authentication and Authentication Servers ... 202
Authorization Servers ... 203
Accounting ... 203
Portal Themes ... 204
Creating Portal Themes ... 205
Importing the Portal Themes ... 209
Portal Themes FAQ ... 210
Security Settings ... 216
SSL Settings ... 217
Local Users & Groups Help ... 218
Login Authorization ... 219
Access Methods Help ... 219
Web Access ... 219
Advanced ... 221
Server Access ... 222
URL Policies ... 223
File Access ... 224
Mail Services ... 225
Thin Client Support ... 225
TCP Application Support ... 225
L3VPN ... 227
Access Policies Help ... 228
ACLs ... 228
URL Filtering ... 230
Admin Tools Help ... 231
Session Management ... 231
Config Management ... 231
Monitoring ... 231
Troubleshooting ... 231
Change Password ... 232
Appendix A: Captive Portal Setup ... 232
Appendix B: QuickLink Deployment ... 236
Appendix C: Syslog Messages ... 238
Appendix D: The Array Pilot ... 239
First Time Boot with DesktopDirect License ... 239
Switching from Traditional Management Interface to the Array Pilot ... 240
Switching from Array Pilot to Traditional Management Interface ... 240
Appendix E: HardwareID Authorization ... 241
Contacting Array Networks
Telephone access to Array Networks, Inc. is available Monday through Friday, 9 to 5 PST.
Address: Array Networks, Inc., 1371 McCarthy Blvd., Milpitas, California 95035
[7] Turn WebUI on.
webui on

Example:
AN>enable
AN#config terminal
AN(config)#ip address outside 10.10.0.2 255.255.255.0
AN(config)#ip address inside 192.168.10.1 255.255.255.0
AN(config)#ip route default 10.10.0.1
AN(config)#system date 2007 6 10
AN(config)#system time 14 48 00
AN(config)#webui on
AN(config)#quit
[Figure: SPX interface port layouts by model. The Outside, Inside, DMZ and ENG interfaces map to ports em0, em1, em2, em3, ix0 and ix1 depending on the model.]
Browser Basics
The Array SPX WebUI supports the following browsers:
IE (version 6.0 or later)
Netscape (version 7.0 or later)
Firefox (version 1.5)
Browser resolution should be set to 1024x768 or higher.
Quick Start
The first time you log into the SPX via the WebUI, the Global home page will have an additional action link, Begin Quick Start Wizard [a]. The Quick Start Wizard is designed to lead you through five (5) short steps to get the basic configuration up and running. Along the way the wizard will also give you the opportunity to test and apply the configuration. To complete these quick start steps you will need some generic networking information available for quick reference, including:
Inside Interface IP and Netmask
Outside Interface IP and Netmask
Default Route
DNS Server IP and Search Domain (if applicable)
WINS Server IP (if applicable)
WINS Broadcast Subnet IP and Netmask (if applicable)
Virtual Site Host Name
Virtual Site IP and Port
At least one User and Password
At least one destination Web Link (e.g. google.com)
Each of the above settings may be changed later if necessary.
Click on the action link Begin Quick Start Wizard [a]. The configuration window will display the first page of the wizard. On this page you will see general outlines [b] [c] [d] of the steps to follow, as well as two buttons toward the bottom of the window [e]. Click the Next button [e] to continue.
Step 1
Set a given name to identify or differentiate this specific SPX [a]. A name may be entered as a single set of continuous alphanumeric characters up to 64 characters in length. To reach this wizard you will have already entered the Outside Interface and Netmask [b]. It is not recommended that you change this setting at this time. You may have also already configured the Inside Interface and Netmask; if not, do so now by entering the values in the respective text fields [c]. The Default Route should have been already configured [d]. Proceed by clicking on the Next button [e].
Step 2
Supply the DNS Server IP and Search Domain (if applicable) in the respective fields [f] (the search domain is the search path used to resolve non-qualified host names). Supply the WINS Server IP (if applicable) [g]. You may also supply the WINS Broadcast IP and Subnet Netmask [h] (if applicable). Click on the Next button [i] to continue.
Step 3
A virtual site provides a single interface for external users to access internal content. Each virtual site is associated with a domain name and listens on a specified virtual IP address (VIP) and port. Establish a Virtual Site by supplying the Virtual Site Host Name (fully qualified domain name) [a]. Supply the Virtual Site IP (VIP) and Port [b]. Proceed by clicking on the Next button [c].
Testing the Virtual Site
After setting up the first Virtual Site, the wizard will allow you to test its availability by presenting a direct link. By clicking this link your browser will present to you the portal login page (just as you navigated through to get to this WebUI). You may close the new window. Click on the Next button [d] to continue.
Step 4
You will now be asked to create a User Account complete with access password [a]. This user account may be deleted later if you are simply creating an account for testing purposes. Assign users to the database (the number of users is product and license specific). The user name and password are case sensitive. Proceed by clicking on the Next button [b].
Testing the Virtual Site with New User
After setting up the first Virtual Site, the wizard will allow you to test its availability by presenting a direct link [c]. By clicking this link your browser will present to you the portal login page (just as you navigated through to get to this WebUI). Now enter the new user's name and password to gain access to the default portal. You may close the new window once login has completed. Click on the Next button [d] to continue.
Step 5
You will now be asked to set up a web link as a content link for your portal page. To complete this task, use the selector [a] to set the URL protocol to either HTTP or HTTPS. Next enter the domain name for the URL in text field [b]. You may also add a description for the entered URL within the Link Description text field [c]. Proceed by clicking on the Next button [d].
Testing the Virtual Site with New User and Web Access Link
After setting up the first Virtual Site, the wizard will allow you to test its availability by presenting a direct link [e]. By clicking this link your browser will present to you the portal login page (just as you navigated through to get to this WebUI). Now enter the new user's name and password to gain access to the default portal. On the default portal page you should see the newly created Web Link. You may close the new window once login has completed. Click on the Next button [f] to continue.
Finish
You have reached the final procedure of the Quick Start Wizard. Take a moment to verify the Virtual Host Name and IP [a]. Click the Finish button to complete the process [b].
After clicking on Finish the SPX will return you to the Global Home Page for you to continue configuring specific features for your network needs.
System Configuration
General Settings
Make certain that you are in Config Mode and have clicked on the feature link General Settings. Enter the Host Name for the SPX in the field provided [a]. Don't forget to click on the Save button when it appears. Click on the Date/Time tab [b]. Enter the date and time as desired [c]. The SPX has the default time zone set to GMT. To change this zone, un-select the time zone box [d]. The time zone check box will be replaced with three pull-down menus [e] to configure the proper zone. Don't forget to click on the Save button when it appears.
Basic Networking
Interfaces
Make certain that you are in Config Mode and have clicked on the feature link Basic Networking. The configuration window will default to the Interface > Outside configuration screen. Configure interfaces and IP addresses for each interface. Select the desired interface [a] (including DMZ or ENG if applicable). Set MTU and port speed [b]. Decide whether this interface will be Non-VLAN [c]. Set the static IP and netmask [d] in dotted format. If you wish to add an MNET entry, click [e]. Remember to click Save Changes. If you select VLAN [c], then configuration buttons [e] will change from MNET to VLAN. To add either an MNET or VLAN entry, click on button [e]. A new page will appear for you to configure MNET/VLAN names, IP and netmask [f]. Once the configuration is completed, click the desired action link [g]. The newly configured interface mode will appear in the table seen on the first interface page [i]. Repeat the configuration steps for the Inside, DMZ or ENG interfaces. You may view the current setup by clicking on the Summary sub-tab [j].
ARP Entries
Click on the ARP Table tab and the main window will display the ARP table. The displayed ARP table contains sort-ready columns [b]. To add an ARP Table entry, click on the Add ARP Entry link [a]. A new configuration window will appear. Enter the appropriate IP and hardware addresses in the fields [c]. Click on the desired action link [d]. To remove an ARP entry, select the desired entry from the displayed list [e] and click on the Delete ARP Entry action link [f]. Click OK to complete the deletion.
Enter the correct search path [e] and click on the desired action link [f]. Enter the DNS IP address in dotted format [g] and click on the desired action link [h].
Enter the WINS IP address in dotted format [e] and click on the desired action link [f]. Enter the WINS broadcast address [g] and netmask [h]. Complete the configuration by clicking on the desired action link [i].
Advanced Networking
NAT
NAT converts the addresses behind the SPX into one IP address for the Internet and vice versa. NAT also keeps individual IP addresses hidden from the outside world. Make certain you selected Advanced Networking from the sidebar, are in Config Mode and have selected the NAT tab (when clicking on Advanced Networking, the NAT page is the default page). The configuration window displays the sort-enabled table of previously set up NATs, if applicable. To create a NAT, click on the Add NAT Entry action link [a]. The configuration window will present text fields [b]; supply the virtual IP address, network IP and netmask. The optional timeout length should be entered in seconds. Choose the appropriate action link [c].
HTTP Settings
Persistence: You may employ this feature to use persistent connections (HTTP/1.1) to the backend. Default is on.
TCP Reset: The SPX will immediately send a TCP reset for non-persistent connections (HTTP/1.0) from the backend after receiving the complete response. If this is disengaged, then the SPX will wait for a TCP FIN. Default is off.
X-Forwarded-For: Enabling this option will cause the SPX to insert an "X-Forwarded-For" header into every request that it sends to the backend servers. You must also configure the X-Forwarded-For rule by selecting the X-Forwarded-For subtab, selecting a configured virtual portal and then setting up the rule.
Single Sign On: When single sign-on is enabled, the SPX will automatically negotiate Basic or NTLM authentication with the backend server for most requests. However, for very large requests exceeding a threshold size, you will need to manually authenticate with the backend server. The "system tune sso" command sets this threshold to <max_size> (note that <max_size> is specified in MB); by default the threshold is set to 10 MB. It is recommended that default settings not be changed without contacting Array Support. The default status is ON.
Clustering
The SPX Clustering Technology allows you to maintain high availability with local sites. Virtual clustering provides high availability to SSL VIPs for the outside interface and for redundant gateways via the inside interface. Make certain you selected Clustering from the sidebar and are in Config Mode. Select the action link Add Virtual Cluster [a]. The configuration window will present a new screen. Give the virtual cluster an ID (1-255) [b]. Now assign the cluster to an interface via the selector [c]. Finish the creation of the virtual cluster by clicking on the action link [d]. Once you've added a virtual cluster, it will be displayed in the sort-ready table. Select the virtual cluster from the table and double click [e]. The configuration window will present a new series of tabs for the completion of the clustering configuration. You may select from created virtual clusters by using the selector [g]. Tabs [h] are for navigating through the configuration steps for Clustering. Use check boxes [i] to enable the individual cluster and/or enable preemption. Use text field [j] to adjust the advertisement interval (in seconds). Use the radio buttons [k] to require the use of an authentication code. Remember to click the Save Changes button after changing the settings.
Make certain you selected the Virtual IP (VIP) tab [l]. Previously configured VIPs will be displayed in the sort-ready table. Select the action link Add VIP Entry [m]. The configuration window will present a new screen. Supply the VIP in dotted IP format in text field [o]. Next, click on the desired action link [p]. To set PRIORITY XXX X X X X X X X. Click on the Back to top menu link [s] to be taken to the original Clustering page. Once you've added a virtual cluster, it will be displayed in the sort-ready table [t]. Use either of the two buttons [u] to universally enable or disable the clusters.
Clustering Environments
Clustering environments allow the administrator to set the manner in which clustering will operate within the network deployment. There are three standard modes for clustering: Active Standby without Stateful Failover (default), Active Standby with Stateful Failover and Active Active. Select the Clustering Environment tab. The SPX will display a table of all currently configured SPX peers. By default the clustering environment is Active Standby without Stateful Failover. In Active Standby mode, one SPX in the cluster will be the Master of the VIP and is designated as active. The other SPX in the cluster will be in standby mode. If the active SPX fails, then the second SPX will take over the VIP and be designated the Master. Any changes to this configuration need to be made on the virtual cluster page as described earlier [a]. Use the mode selector to change the environment between Active Standby without Stateful Failover, Active Standby with Stateful Failover and Active Active.
Active Active
Active-Active clustering enables high throughput by hosting identical virtual services with different unique private IP addresses on an individual cluster of peers, represented collectively by a single VIP for public service. It is this virtual site (along with the configured port) that receives the requests and in turn dispatches them to the internal virtual services hosted on local or remote clusters. Administrators may establish as many virtual active-active groups of peers as permitted by the licensed number of virtual sites. Select Active-Active from the mode selector. The first step is to define the virtual cluster's domain. Administrators will name the cluster (up to 32 characters), supply a secret key (up to 20 characters) for encryption purposes between peers within the cluster, and supply an IP, netmask and port for the peers to share session-related data [a]. The default port is 443. When this feature is in use, administrators will not be required to use any other synchronization features to bring the peers into proper synchronization. This command will need to be executed on each SPX peer. Click on Save Changes when complete [b]. Configuration information for each configured peer will be displayed in the table [c]. The configured virtual cluster domain information will be displayed at the bottom of the configuration window [d]. To add additional clustered IP groups to the active-active cluster, click the action link [e].
From the selector [e] select the desired local virtual site. Now select the dispatcher IP, set the port and assign the dispatcher policy (persistent IP or round-robin) [f]. The synchronized peer SPXs with IPs should be listed [g]; assign a unique IP to another peer in the cluster in the last field. Click action link [h] to complete the setup.
Webwall
The SPX allows you to create permit/deny rules to filter packets passing through the network infrastructure. The Webwall supports the filtering of TCP, UDP, ICMP and GRE packets. Access lists define the permit and deny rules, which are applied to access groups; once the ACLs are configured, administrators bind a group to an interface within the network. Before binding a group to the interface you manage the SPX through, make sure its entries permit that management traffic, or you can lock yourself out.
1 Make certain you have selected Webwall from the sidebar and are in Config Mode.
2 Select the action link Add Access Group Entry [a]. The configuration window will present a new screen.
3 Assign the access group an ID (1-1000) [b] and assign this group to an interface [c]. Complete this portion by selecting the desired action link [d].
4 After creating access groups, click on the action link Add Access List Entry [f] to set Permit/Deny rules for the access groups. The configuration window will change.
5 Supply the access group ID [g], permission setting [h], protocol (ICMP, TCP, UDP or GRE) [i], source IP with netmask and source port [j], destination IP with netmask and destination port [k] and ICMP Type [l]. Complete this portion by selecting the desired action link [m].
6 Configured access groups are displayed in the sort ready table and may be enabled on a per-interface basis [e].
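The following is an added example, not Array Networks code: a small model of Webwall access groups and access list entries with the fields listed in step 5, so that a rule set can be exercised against sample packets before it is bound to an interface. The SPX's own match order and default policy are not stated on this page; the model assumes that entries are evaluated in the order they were added, that the first matching entry decides, that a group with no matching entry denies the packet, and that an interface with no group bound is not filtered. The group ID, interface name, VIP and subnets are constructed for the demo.

```python
# Added example (not Array Networks code): model of Webwall access groups and
# access list entries. Assumptions not stated on the page: ordered evaluation,
# first match wins, implicit deny at the end of a group, unbound = unfiltered.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PROTOCOLS = ("icmp", "tcp", "udp", "gre")

@dataclass
class AclEntry:
    group_id: int                 # access group ID, 1-1000
    action: str                   # "permit" or "deny"
    proto: str                    # one of PROTOCOLS
    src: str                      # source network, e.g. "10.1.1.0/24"; "0.0.0.0/0" = any
    dst: str                      # destination network
    sport: Optional[int] = None   # None = any source port
    dport: Optional[int] = None   # None = any destination port
    icmp_type: Optional[int] = None

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

class Webwall:
    def __init__(self) -> None:
        self.groups: Dict[int, List[AclEntry]] = {}
        self.bindings: Dict[str, int] = {}      # interface name -> access group ID

    def add_group(self, group_id: int, interface: str) -> None:
        if not 1 <= group_id <= 1000:
            raise ValueError("access group ID must be in 1-1000")
        self.groups.setdefault(group_id, [])
        self.bindings[interface] = group_id

    def add_entry(self, entry: AclEntry) -> None:
        if entry.group_id not in self.groups:
            raise ValueError("create the access group before adding list entries")
        if entry.action not in ("permit", "deny") or entry.proto not in PROTOCOLS:
            raise ValueError("bad action or protocol")
        ipaddress.ip_network(entry.src, strict=False)   # fail early on a bad prefix
        ipaddress.ip_network(entry.dst, strict=False)
        self.groups[entry.group_id].append(entry)

    @staticmethod
    def _matches(e: AclEntry, p: Packet) -> bool:
        if e.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(e.src, strict=False):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(e.dst, strict=False):
            return False
        if e.sport is not None and e.sport != p.sport:
            return False
        if e.dport is not None and e.dport != p.dport:
            return False
        return e.icmp_type is None or e.icmp_type == p.icmp_type

    def evaluate(self, interface: str, p: Packet) -> str:
        group_id = self.bindings.get(interface)
        if group_id is None:
            return "permit"                      # assumed: no group bound, no filtering
        for e in self.groups[group_id]:
            if self._matches(e, p):
                return e.action                  # assumed: first match decides
        return "deny"                            # assumed implicit deny

def build_demo() -> Webwall:
    """Constructed rule set: HTTPS to the VIP from anywhere, SSH only from the
    management subnet, ICMP echo requests, and an explicit deny for other TCP."""
    ww = Webwall()
    ww.add_group(10, "port1")
    vip = "203.0.113.10/32"
    ww.add_entry(AclEntry(10, "permit", "tcp", "0.0.0.0/0", vip, dport=443))
    ww.add_entry(AclEntry(10, "permit", "tcp", "10.1.1.0/24", vip, dport=22))
    ww.add_entry(AclEntry(10, "permit", "icmp", "0.0.0.0/0", vip, icmp_type=8))
    ww.add_entry(AclEntry(10, "deny", "tcp", "0.0.0.0/0", "0.0.0.0/0"))
    return ww

if __name__ == "__main__":
    ww = build_demo()
    for pkt in (Packet("tcp", "198.51.100.5", "203.0.113.10", 40000, 443),
                Packet("tcp", "198.51.100.5", "203.0.113.10", 40000, 22),
                Packet("tcp", "10.1.1.7", "203.0.113.10", 40000, 22)):
        print(pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, ww.evaluate("port1", pkt))
```

Because the model assumes ordered, first-match evaluation, swapping the final deny entry to the front would block everything; that ordering sensitivity is exactly what is worth checking against the real appliance with a test packet before the group goes live on a production interface.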
After selecting the methods and ranking them, you will have to set up the authentication servers to match the methods configured in the previous step.
5 ACTIVE DIRECTORY: To configure Active Directory, click on the action link [f] to add an AD server. Supply the AD server IP, Port and Mail Domain in fields [g]. Complete the task by selecting the desired action link [h].
6 LDAP: To configure LDAP, click on the LDAP tab and then on the action link [i] to add an LDAP server. Supply the LDAP server IP, Port, User Name, Password, Base and Timeout values in the fields supplied [j]. To use SSL/TLS, check box [k]. Complete the task by selecting the desired action link [l]. To configure the LDAP search filter that retrieves authorization records, define the search filter as a single string [n], e.g. "cn=<USER>", where <USER> is replaced by the login username. By default, a filter of "uid=<USER>" is used. Note that "<USER>" is the only token allowed in the filter and must occur at least once in it. To clear the search filter, click on action link [m].
7 RADIUS: To configure a RADIUS authentication server, click on the RADIUS tab and then on the action link [p] to add the RADIUS server. Supply the RADIUS server IP, Port, Secret Password, Timeout period and Number of Retries in fields [q]. Complete the task by selecting the desired action link [r].
Global Resources
Local Databases
The SPX allows you to create specific groups of users and authorize only specified content points on the network for these groups. In this way, for example, administrators may set up separate, specific network destinations for the sales department and the marketing group, while granting executive staff access to both.
1 To set up or edit local databases, make certain you are in Config Mode and have selected Local Databases from the sidebar. The configuration window displays a sort ready table of previously set up databases (if applicable) and a Global Resource Limit Summary [a]. To add or create a new database, click on the action link [b] and proceed to step 2. To delete a database, select the database from the table [c] and click the action link Delete [d]. You may also edit an existing database by double-clicking the database in the table [c]; the edit page looks virtually the same as the Add configuration page described in step 2.
2 Supply the database name in the field provided [e] and configure the database's limits for data, users and groups [f]. Check box [g] to enable the strong password feature for this database. Select the virtual sites with which the newly created/edited database is to be associated [h]. Complete the setup with the action links [i].
Global Resources
4 After selecting the module and double clicking on it, the configuration window presents the next configuration page, including new tabs (General Settings, Configurator* and Resource Files), a TCS Module Selector [g] and a special action link (Back to top menu) [h]. Make sure you are configuring the desired module via the selector [g]. (*The pubapp module comes standard with the SPX and therefore does not require the Configurator.) You may customize specific aspects of the TC window, including the description [j] and the width and height of the pop-up module [k] and [l] respectively. You may also set the Resource File (citrix.jar or CVS) via the selector [m] as well as the Resource Type (Java App (jar), Java App (cab) or ActiveX) via the selector [n]. Click on the Resource Files tab to import or delete the resource files that appear in the selector [m]. After importing any resource file, return to this screen to complete the import configuration.
Import the global resources (TerminalSvcsTCS.cab, TerminalSvcsTCSConfig.cab and msrdp.cab) by selecting the Resource Files tab. The SPX will display a sort ready table of all existing resource files. Click on the Import action link to continue the configuration. Supply the source URL or file name for each imported file in the text field [o] and make certain the resource is assigned as global via the radio buttons [p]. These resource files are delivered to and executed on user endpoints, so import them only from a source you trust. Assign each resource and click the necessary action link [q].
After importing all of the necessary files, verify the imported status of the files via the sort ready table. Return to step 6 (General Settings) to complete the configuration of the imported resource files.
Click on the Configurator tab. On this screen, use the Resource File selector [a] to choose the imported application file to deploy. This step assigns the application (make certain to verify the version [b]) and verifies the configurator GUI settings that will be used as the configurator interface in the following steps. Once the setup is complete, click the red save button [c] to continue.
Admin Tools
System Management
This section will discuss various configuration management functions available for the SPX. SYSTEM INFO/ Version: 1 Make certain you are in Config Mode and have selected System Management from the sidebar. The configuration window will present a page with navigational tabs for System Information, Access Control, Update, Shutdown/Reboot and License [a]. There are also three (3) sub tabs for the System Info page; Version [b], Memory [c] and Statistics [d]. The remainder of the window displays the current running version of the ArrayOS powering the SPX [e].
SYSTEM INFO/ Memory: 2 By selecting the Memory sub tab [f] the SPX will display all current memory usage data.
SYSTEM INFO/ Statistics: 3 By selecting the Statistics sub tab [g] the SPX will display all current relevant technical running information.
ACCESS CONTROL/ WebUI: 2 To disable the WebUI, uncheck box [a]. Note that this ends web-based management of the SPX; make sure another management path, such as SSH (step 4), is enabled before doing so. To change the current WebUI IP or port settings, make those changes in text fields [b] and [c] respectively.
ACCESS CONTROL/ XMLRPC: 3 Enable XMLRPC by selecting checkbox [d] and supply port value [e].
ACCESS CONTROL/ SSH: 4 Use checkbox [f] to enable/disable SSH access to the SPX. Use action link [g] to regenerate the SSH host key. After regeneration, SSH clients that cached the old key will warn that the host key has changed; distribute the new key fingerprint to administrators so they can tell this from a man-in-the-middle attempt.
ACCESS CONTROL/ Config Mode: 5 You may reset the value before Config Mode times out [h] or reset the Config Mode immediately [i]. Resetting Config Mode will terminate the current WebUI session.
SHUTDOWN/REBOOT 3 By selecting the Shutdown/Reboot tab [h] the configuration window will present a system reboot button [i], a system shutdown button [j] as well as the option to fallback to a previous software version [k]. If you check box [k] for fallback, remember to click on the red save button when it appears.
LICENSE 4 By selecting the License tab [l], administrators may import a new license by entering the value in the text field [m] and clicking the Import link [n]. Administrators may also click the Flex License sub tab [o], enter the Flex License value in the text field and click on the Import link. The Flex License allows temporary session usage to exceed the base license allotment of user sessions.
VIEW/ Startup Config: 2 By selecting the Startup Config sub tab [h] the SPX will display the startup configuration data.
VIEW/ Saved File: 3 By selecting the Saved File sub tab [i] the SPX will display all currently saved configuration files. Double click on a file name [j] to view the details of the configuration file.
SYNCHRONIZATION
Continued from previous page. The configuration window will display all configured peers in two sort ready tables: one for Configuration Synchronization, where all individual SPXs share the same configuration, and one for Synchronization Rollback, a feature for pulling a specific SPX back out of a clustered group and reverting its configuration to the pre-synchronized configuration (see step 6).
5 Configuration Synchronization: This feature allows you either to push a configuration onto other SPXs in the network via the Synchronization Direction To button [o], or to pull a configuration from a specific SPX and place that configuration on the SPX being set up. Note: You may push a configuration onto all existing SPXs, but you may only pull a configuration from one SPX at a time. Once you have selected the SPXs to synchronize, click on the action link [q].
6 Synchronization Rollback: To reset to a previously synchronized configuration that was received from another SPX peer on the network, leave the radio button [r] set to Local, select the SPX peer that originated the configuration from the list and click on the Rollback action link [s]. To reset a peer that received the configuration from the current SPX, select Remote [r], select the destination SPX from the list and click [s].
The final three sub tabs allow you to check various elements of the synchronized configuration against other SPX peers and configurations elsewhere on the network.
7 RESULTS: The Results sub tab [t] displays the configured peers in a sort ready table. Double click on any peer to view the synchronization results for that peer, or use the action links View Synch Summary [u] or View All Results [v].
DIFFERENCES: The Differences sub tab [w] displays all configured peers in a sort ready table. Double click on the desired peer to view the configuration differences between the selected remote peer SPX's configuration and the SPX you are currently synchronizing from.
HISTORY: The History sub tab [x] displays all synchronization events related to the SPX currently being configured.
Monitoring
This section discusses the monitoring and logging functions available for the SPX.
LOGGING/ Syslog Servers: 5 By selecting the Syslog Servers sub tab [k] the SPX will display all currently configured servers. To add a server, click on the action link Add Server Entry [l]. The configuration window will present text fields for configuration. Supply the server host IP [m], logging protocol (UDP or TCP) via selector [n], host port [o] and source port [p]. The log host is the remote Syslog server receiving messages. Up to three servers may be configured (all messages are sent to all servers). The Source Port default setting is 514. Click on the desired action link [q] to complete the configuration.
LOGGING/ HTTP Logging: 6 By selecting the HTTP Logging sub tab [r] the SPX will display a configuration page allowing you to enable HTTP logging and set the format via radio buttons [s], as well as optional selections to include the VIP and Host in log reports [t]. Click on the Apply action link [u] to complete the configuration.
LOGGING/ L3VPN Logging: By selecting the sub tab L3VPN Logging, administrators may enable the logging feature [v] and set a timeout for the logging function related to L3 VPN traffic. This timeout parameter [w] is measured in seconds and the default setting is 300 seconds (five minutes). Logging for a connection stops once the timeout expires, even though the L3 VPN connection itself may remain open.
SNMP
SNMP, Simple Network Management Protocol, is a widely used network monitoring and control protocol. Data are passed from SNMP agents, which are hardware and/or software processes reporting activity in each network device, to the workstation console used to oversee the network. Up to three SNMP hosts may be configured. NOTE: SNMP traps must be enabled to view graphs on the Array Flight Deck.
SNMP/ General: 1 By selecting the feature tab SNMP [a] the configuration window will present a configuration page where you may enable the SNMP feature via checkbox [b]. Define a community string (up to 32 characters long) to act as a password limiting or controlling access from the NMS to the agent [c]. Treat the community string as a credential: choose a value that cannot be guessed, and since community-based SNMP (v1/v2c) sends it in cleartext, expose the agent only to your management hosts. Now enter the contact person [d] and the SPX location [e] in the fields provided (up to 128 characters each). Make certain to click on the red save button when complete.
SNMP/ Traps: 2 Administrators may enable individual traps by selecting the Traps sub tab [f] and selecting the desired traps from the list [g]. Make certain to click the red save button [h] when changes are made.
SNMP/ SNMP Servers: 1 By selecting the SNMP Servers sub tab [a] the configuration window will present a list of any configured SNMP servers. To add a new entry, click on the action link Add Server Entry [b]. In the fields provided supply the SNMP server IP address [c] and community string [d]. Complete the task by clicking on the desired action link [e].
SNMP/ MIB File: 3 Users may view the active MIB file by selecting the MIB File sub tab [f]. The configuration window will display the user's MIB file, if applicable.
Statistics/IP: 2 Select the IP sub tab [d] to view and enable IP statistic gathering [e].
Statistics/SSL: 3 Select the SSL sub tab [f] to view statistics. Clear statistics for SSL via action link [g].
Statistics/System CPU: 4 Select the System/CPU sub tab [h] to view statistics.
Service Management
Network Separation
1 Make certain you are in Config Mode and have selected Service Management from the sidebar. The configuration window will present four tabs (Network Separation, Session Limits, Site Access and Static VLAN) as well as a checkbox for enabling the network separation feature [a]. Also on this page are two edit ready tables, for Global Level Permit and Site Level Permit. To edit a previously configured interface or VLAN, simply double click the entry. To add an interface or VLAN, click on action link [b] to add a global level permit (proceed to step 2) or [c] to add a site level permitted interface or VLAN (proceed to step 3).
2 Use the selector [d] to add the configured interface or VLAN and click on the desired action link [e] to continue.
3 Use the selector [f] to choose the virtual site to be added and specify the configured interface or VLAN with selector [g]. Click on the desired action link [h] to continue.
Session Limits
1 By selecting the Session Limits tab [a] the configuration window will display two edit ready tables, for Group Session Limits [b] and Site Session Limits [c]. The group session feature allows the global administrator to define a named group of virtual sites that share specific session resources. A virtual site that belongs to a session group may not have an individual site session limit assigned. Administrators may create up to 128 session limit groups. To add a group, click on the action link [d] and proceed to step 2. To set session limits for an individual site, click on the action link Add [e] and proceed to step 4.
2 Before sites can share a pool of session resources, the group must be created. Supply the group name in text field [f] and click on the desired action link [g]. The newly entered group will appear in the Group Session Limits table [1b]. To set a limit for the group, double click the entry in the table [b] and proceed to step 3.
3 Set the maximum number of concurrent active sessions for the group in the text field [h]. All members of this group are displayed in table [i]. To add members to the group, click on the Add link [j]; the next page presents a selector for choosing configured sites to add to the group.
4 To assign session limits to an individual site, use the selector [k] to specify the site and supply the maximum session value in text field [l]. Complete by clicking on the desired link [m].
Site Access
1 By selecting the Site Access tab [a] the configuration window will display a Global Level Lock configuration option [b] and a Site Level Lock table [c]. To deny all access to all sites, or to deny configuration mode access to all sites, simply choose the desired button [d]. To restrict a specific site, double click on the site as listed in the table [c] and proceed to step 2.
2 To limit access to a specific site, choose the site from the selector list of configured sites [e] and set the type of lock (access or configuration) [f]. Complete the setup by clicking on the action link [g].
Static VLAN
1 By selecting the Static VLAN tab [a] the configuration window will display the Static VLAN Routing table [b] for all configured VLANs. Click on the Add action link [c] to add a new VLAN static route to the configuration.
2 Use the selector [d] to specify the VLAN interface name. Supply the destination IP address, netmask and gateway IP in the text fields [e]. Complete the setup by clicking on the desired action link [f].
Once static routes are entered into the table [1b] they may be edited by double clicking on the table entry directly.
Virtual Sites
Creating a Virtual Site
The SPX provides secure remote access to internal resources through one or more virtual sites (up to 256). A virtual site provides a single interface for external users to access internal content. Each virtual site is associated with a domain name and listens on a specified virtual IP address (VIP) and port. Virtual sites are designed to be independently configured, such that each site has its own portal, SSL settings, AAA methods and servers, file sharing configuration and TCP application services, or to be part of a shared virtual network. All created virtual site domain names (FQDNs) must have a valid A record in DNS or a corresponding hosts file entry.
1 Click on the Virtual Sites link. The configuration window will display any current virtual sites. Tabs [a] allow navigation to other configuration pages for this feature.
2 Select from the configuration links [b] to add a virtual site. The following pages show how to set up each type of virtual site. Newly created sites will be displayed in the main configuration window and may be accessed for further configuration by selecting the site via the pull down menu or by double clicking the virtual site name in the sort ready table. It is recommended that you complete the global configuration before continuing the virtual site setup. To continue the virtual site configuration process, see CONFIGURING VIRTUAL SITES.
By selecting the Portal tab, the configuration window will display the configuration elements for setting up the main shared portal page. This main shared portal page is the site users first come to before departing for the specific portals. The individual aliased pages may set their own portal look and feel independent of the main shared portal (see Portal). Users enter their credentials at the individual aliased site. Set the main shared portal page's language and greeting message [a]. Set the main shared portal page's logo by specifying the file path or URL [b] and clicking the Import action link. You may also enable the HTML encoding feature via the checkbox [c], or set the SPX to redirect the main Shared Portal to a specified HTML or WML location [d].
Domain Forwarding
The Domain Forwarding feature (also referred to as IP Forwarding, as pictured here) allows administrators to establish multiple IP/Port pairs that are directed to a configured, exclusive virtual site.
1 Select the tab IP Forwarding (or Domain Forwarding) [a]. The SPX will show previously configured IP/Port pairs and the corresponding virtual site in the sort ready table [b]. To add a new rule, click on the Add action link [c]. To edit an existing entry, double click on the desired rule in the table.
2 Supply the rule ID (integer) as well as the listening IP and port in the text fields [d]. Use the selector [e] to assign the IP/Port pair to the desired virtual site. Click on the appropriate action link [f] to complete the configuration.
QuickLink
QuickLink is a clientless access method that gives SPX users instant access to web content originating from the internal network, usually from servers that are not exposed to access from the outside. Rather than doing full content parsing and rewriting, QuickLink uses a unique hostname or a unique port to represent the backend web server.
3 Select the tab QuickLink. The SPX will show previously configured QuickLink settings in the sort ready table [g]. To add a new rule, click on the Add action link [h]. To edit an existing entry, double click on the desired rule in the table.
4 Supply the QuickLink settings in the fields provided [i]. Click on the appropriate action link [j] to complete the configuration.
CSR/Key
2 To generate a CSR/Key, make certain you are on the CSR page from the selection of configuration page tabs [c]. Supply the country code for the CSR [d].
3 Fill out the remainder of the CSR by supplying the requested information [e]. Finally, select whether this private key will be exportable (Y/N) [f]. A non-exportable key cannot later be copied off the SPX; choose exportable only if you need to move the key elsewhere, since every exported copy is one more copy to protect.
Certificates (Importing)
4 To import an existing certificate and key pair, select the Certificate tab [h] and the method for importing the pair (import or import via TFTP) [i]. For TFTP import skip to step 6.
5 Paste your existing certificate into text field [j] and the existing key into field [k]. Supply the password (if necessary) in field [l]. Complete the task by clicking the submit link [m].
6 To import a cert/key pair via TFTP, supply the server for the certificate [n], key [o] and password [p]. Complete the task by clicking the submit link [m]. TFTP transfers the private key in cleartext with no authentication, so use this method only over a trusted management network.
Trusted CA (Importing)
9 To import an existing certificate from a Trusted Certificate Authority, select the Trusted CA tab [f]. You will see a list of existing certificates (if applicable) [g]. Click the action link Import [h] and proceed to step 10.
10 Paste the Trusted root CA into field [i] and click on the desired action link [j] to complete/continue the configuration.
CRL CA (Importing) For importing CRL CA certificates, the process is the same as outlined above. Click the Import link, paste the certificate into the field and click on the Submit link.
Active Directory
AAA Authentication
LDAP
3 Select the sub tab LDAP [g] to configure LDAP authentication. Any configured servers will be listed in a sort ready table. Click on the action link Add LDAP Server [h] (skip to step 4). Some proprietary LDAP implementations, including NDS, do not publish password hash information. For these servers, the SPX must identify the user's Distinguished Name (DN) before the user can be authenticated. The SPX provides the administrator with a choice of two ways to construct the user's DN. If all users are direct descendants of a single node in the LDAP directory tree (i.e. the users' DNs are identical except for the username portion), the DN can be statically constructed by concatenating the strings <dn_prefix><USER_NAME><dn_suffix>, where <USER_NAME> is the username used to log into the SPX. For example, if the DNs are cn=joe, ou=Eng, o=example.com and cn=john, ou=Eng, o=example.com, then the administrator should configure <dn_prefix>=cn= and <dn_suffix>=, ou=Eng, o=example.com. Enter the search path in text field [i] and set this path to be static or dynamic [j]. You may clear the search path with action link [k].
4 The configuration window presents six text fields [l] & [m] for you to enter the LDAP server IP address, port, user name, password, base and timeout. The user name and password are the credentials the SPX binds with to run its searches; use a dedicated, read-only directory account for this. You may configure up to three LDAP servers. Complete the task by clicking on the desired action link [n].
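The following is an added example, not Array Networks code, covering both the search filter template from the authentication servers section ("uid=<USER>" by default, with <USER> the only permitted token) and the static DN construction <dn_prefix><USER_NAME><dn_suffix> described in step 3 above. The page does not say how the SPX treats special characters in the login name; this example escapes the username per RFC 4515 before it goes into a filter and per RFC 4514 before it goes into a DN, so that a login name such as joe)(uid=* cannot change what the directory is asked. The template validation rules are the ones stated on this page; the escaping is this example's own addition.

```python
# Added example, not Array Networks code: <USER> filter templates and
# <dn_prefix><USER_NAME><dn_suffix> DNs, with RFC 4515 / RFC 4514 escaping
# of the username (the escaping is an assumption, not documented SPX behaviour).
import re

TOKEN = "<USER>"
DEFAULT_FILTER = "uid=<USER>"          # the default stated on the page

def escape_filter_value(value: str) -> str:
    """RFC 4515: backslash, parentheses, asterisk and NUL become \\xx hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514: escape the characters that are special inside one DN attribute value."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c == "\0":
            out.append("\\00")
        elif c in ',+"\\<>;' or (c == "#" and i == 0) or (c == " " and i in (0, last)):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)

def validate_filter_template(template: str) -> str:
    """<USER> must occur at least once and is the only token permitted."""
    if TOKEN not in template:
        raise ValueError("search filter must contain <USER> at least once")
    for tok in re.findall(r"<[^<>]*>", template):
        if tok != TOKEN:
            raise ValueError("<USER> is the only token allowed; found " + tok)
    return template

def build_search_filter(username: str, template: str = DEFAULT_FILTER) -> str:
    """Substitute the login name into the template, escaped for use in a filter."""
    return validate_filter_template(template).replace(TOKEN, escape_filter_value(username))

def build_static_dn(dn_prefix: str, username: str, dn_suffix: str) -> str:
    """Static DN construction: <dn_prefix><USER_NAME><dn_suffix>."""
    return dn_prefix + escape_dn_value(username) + dn_suffix

if __name__ == "__main__":
    # The page's own example: prefix "cn=", suffix ", ou=Eng, o=example.com"
    print(build_static_dn("cn=", "joe", ", ou=Eng, o=example.com"))
    print(build_search_filter("joe", "cn=<USER>"))
    # A hostile login name is neutralised rather than rewriting the filter
    print(build_search_filter("joe)(uid=*", "(&(objectClass=person)(cn=<USER>))"))
```

With escaping in place the hostile name above becomes a literal search for a user whose cn contains the parentheses and asterisk, which matches nobody; without it the same input would turn a lookup for one user into a filter that matches every uid.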
Multiple Domain LDAP Support
5 Select the sub tab Multi-Domain LDAP [g] to configure LDAP authentication across multiple domains/servers. Any configured servers will be accessible by selecting the desired domain from the selector [o] and sort ready table. Click on the action link Add LDAP Server [p] (skip to step 6). Administrators may also configure custom search filters and group attributes [q] and [r] (see step 3 on the previous page for related filter and attribute information).
6 The configuration window presents a text field [s] for administrators to add or associate a new domain (previously configured domains appear in the sort ready table), as well as six text fields [t] & [u] for you to enter the LDAP server IP address, port, user name, password, base and timeout. You may configure up to three LDAP servers. Complete the task by clicking on the desired action link [v].
LDAP 2 By default the configuration window will present the LDAP information page. On this page you will see any previously configured LDAP authorization servers displayed in a sort ready table [c]. To add an LDAP server click on the action link [d]. The configuration window will present a screen for you to supply the necessary LDAP data including the server IP, port, user name, user password, LDAP base and timeout [e]. Complete the setup by selecting the desired action link [f].
Group Mapping
1 By selecting the Group Mapping sub tab [a] the configuration window will present the configuration elements for completion. In the text fields supplied [b], supply the LDAP attribute name, as a searchable string, that identifies the group. Also supply the attribute to use as the identifier for the desired external RADIUS group. This attribute is given as an integer identifying the attribute in the user profile stored on the server; for example, use 25 for the "Class" attribute. Numbers for other attributes are listed in the RADIUS RFC (RFC 2865). Assign a default group from the list of previously configured local or LDAP groups [c]. The table displays all existing group mapping configurations [d]. To add a new configuration, click on the action link Add [e] and follow the steps as outlined.
AAA Accounting
RADIUS has a well-defined accounting mechanism built into the protocol. RADIUS accounting on the SPX tracks all logins and logouts through RADIUS servers. The SPX logs a START and a STOP record for each session. The START record is sent once the user has been authenticated; the new session does not begin until the RADIUS server confirms that it has received the START record from the SPX. Because the session waits for that confirmation, an unreachable accounting server delays or blocks logins, so set the timeout and retry values in step 2 with this in mind. The STOP record is sent when the session is terminated. Session termination includes user logout, timeout (lifetime or session) or the explicit termination of the session by administrators via the session kill command. RADIUS accounting tracks only the START and STOP records; other session activity is handled through the standard logging feature of the SPX.
RADIUS Accounting
1 Begin by clicking on the Accounting tab [a]; the configuration window will display a list of previously configured RADIUS accounting servers in a sort ready table [b]. Enable RADIUS accounting by clicking on the enable checkbox [c]. When enabling RADIUS accounting you must also select Login/Logout, VPN Tunneling or both for proper accounting results [d]. To add a RADIUS server, click the action link [e].
2 The configuration window will present a configuration page with text fields [f] for you to supply the RADIUS server's IP, port, secret password, timeout period and number of retries. Select the desired action link [g] to complete the setup.
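The following is an added example, not Array Networks code: the START/STOP accounting exchange described above, built and verified with the packet rules of RFC 2866 (Accounting-Request code 4, Accounting-Response code 5, and the MD5-based Request and Response Authenticators keyed with the shared secret). It also carries the Class attribute (type 25) that the Group Mapping section keys on; per RFC 2865 a client echoes Class back exactly as the server sent it in Access-Accept. The shared secret, NAS IP address, session ID and Class value are constructed for the demo.

```python
# Added example, not Array Networks code: RADIUS Accounting-Request START/STOP
# records and the Accounting-Response, per RFC 2866. Secret, NAS IP, session
# ID and Class value are constructed demo values.
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS, CLASS = 1, 4, 25                        # RFC 2865 types
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46   # RFC 2866 types
START, STOP = 1, 2                                                  # Acct-Status-Type

SECRET = b"demo-shared-secret"        # constructed; the per-server secret password
NAS_IP = bytes([192, 0, 2, 10])       # constructed SPX address

def attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(attrs: bytes) -> list:
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        out.append((atype, attrs[i + 2:i + alen]))
        i += alen
    return out

def build_acct_request(ident: int, attrs: bytes, secret: bytes = SECRET) -> bytes:
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def verify_acct_request(packet: bytes, secret: bytes = SECRET) -> bool:
    """The accounting server's check before it acknowledges a record."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def build_acct_response(request: bytes, secret: bytes = SECRET) -> bytes:
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_acct_response(response: bytes, request: bytes, secret: bytes = SECRET) -> bool:
    """The SPX side: the session is not started until this passes for the START record."""
    if len(response) != 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)

def session_attrs(user: str, session_id: str, class_value: bytes) -> bytes:
    # Class is echoed unmodified from Access-Accept (RFC 2865); with the Group
    # Mapping attribute set to 25 this is the value the SPX maps to a group.
    return (attr(USER_NAME, user.encode()) + attr(NAS_IP_ADDRESS, NAS_IP)
            + attr(ACCT_SESSION_ID, session_id.encode()) + attr(CLASS, class_value))

def start_record(ident: int, user: str, session_id: str, class_value: bytes) -> bytes:
    attrs = attr(ACCT_STATUS_TYPE, struct.pack("!I", START)) + session_attrs(user, session_id, class_value)
    return build_acct_request(ident, attrs)

def stop_record(ident: int, user: str, session_id: str, class_value: bytes, seconds: int) -> bytes:
    attrs = (attr(ACCT_STATUS_TYPE, struct.pack("!I", STOP))
             + session_attrs(user, session_id, class_value)
             + attr(ACCT_SESSION_TIME, struct.pack("!I", seconds)))
    return build_acct_request(ident, attrs)

def status_type(packet: bytes) -> int:
    for atype, value in parse_attrs(packet[20:]):
        if atype == ACCT_STATUS_TYPE:
            return struct.unpack("!I", value)[0]
    raise ValueError("no Acct-Status-Type attribute")

if __name__ == "__main__":
    start = start_record(1, "joe", "0001a2b3", b"OU=Eng")
    ack = build_acct_response(start)              # what the server sends back
    print("START acknowledged:", verify_acct_response(ack, start))
    stop = stop_record(2, "joe", "0001a2b3", b"OU=Eng", 3600)
    print("STOP valid at server:", verify_acct_request(stop), "status", status_type(stop))
```

The authenticators are the only integrity protection RADIUS accounting has, and they depend entirely on the shared secret, so the secret password configured in step 2 should be long, unique per server and carried over a management network rather than a user-reachable one.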
Portal
The SPX provides a portal page that allows your users to easily, securely access protected content. After users authenticate using the SPX login page, they are presented with a portal page that serves as a "jumping off" point for accessing all of the internal content available through the SPX. The appearance of the portal page can be customized in several ways. Each virtual site may have its own independent portal page. 1 Make certain are in Config Mode [a], selected the desired virtual site [b] and have selected the Portal feature [c]. The configuration window will present the General Settings configuration page with of three tabs; General Settings, Theme and External Pages [d] and two sub tabs; Common Settings and Portal Pages [e].
General Settings/Common Settings 2 Select the desired language for your portals from the selector [f]. If you intend to use a specific logo on the portal page, furnish the URL location or file path of the logo [g] and click the Import action link. Select whether users may change their passwords via the web portal [h] (the SPX does not natively support the ability for users to change their passwords, so this URL must refer to a page on a machine other than the SPX). Select the desired format for the portal (HTML or WML) [i]. You may configure a specific character set to override the portal language configuration [j]. Enable the HTML Encoding feature [k]. 3 Click the desired finishing link [l].
2007-2011 Array Networks All Rights Reserved
General Settings/Portal Pages 4 5 By selecting the sub tab Portal Pages [m] you will be able to set up specific messages for your users. The first message is the Login Message; supply the text for the message in field [n]. To have the SPX remember the user, select checkbox [o] (remembering places the user's name within the message). Supply the title and message for the custom welcome page in text fields [p].
Theme
You may create/import specialty themes for portal pages. 7 Click on the tab Theme [q]. The configuration window will display a list of all previously entered themes in a sort ready table (if no themes have been entered, only two action links will appear [r]). Once themes have been added, this screen will change slightly (see step 10). To add a theme, click the action link [r]. 8 To add a theme, supply the name in the text field [s] and click on the action link of choice [t]. 9 To import a theme, supply the theme's zip file location (file or URL) [u] and name the imported theme [v]. If you choose to import a theme via the URL setting, make certain the URL resource file is HTML. If you are importing a file, the file is required to be a Portal Theme Object Archive: a .zip file with its contents extractable only into the same directory as the .zip file. Essentially, when the archive is extracted, all the files inside the archive should be extracted to the same directory where the archive .zip file resides, without creating any sub-directories. There should be only one object file in the archive, and this object file should be one of the following file types: html, css, js, htc, xml, .text or binary. The URL sources listed in the object file should always be relative and should correspond to the current directory, as the assets will be in the current directory. The name of the .zip archive file should equal the name of the object file inside the archive, including the file extension. For example, if the object file is obj1.html, then the portal theme object archive will have to be obj1.html.zip.
10 You may add or import a portal theme by selecting the desired link [a] and then furnishing the specific URL or theme name as required. On this page you will see a listing of all deployed portal themes displayed in a table [b].
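The archive rules above (a .zip named after its single object file, every entry in the archive root with no sub-directories, an object file of an allowed type, and only relative URL references) can be checked before a theme is imported. The following Python validator is an added example and is not the handbook's or the SPX's own import code; the sample archives it builds in memory, and their file names and contents, are constructed for the example. Beyond what the handbook states, it also rejects entries whose names contain a path separator of either kind, which keeps an archive from writing outside its own directory when extracted.

```python
"""Validate a Portal Theme Object Archive before importing it.

Added example (not from the handbook or Array Networks): encodes the archive
rules the handbook states and exercises them on constructed in-memory zips.
"""
import io
import re
import zipfile
from typing import Dict, List, Union

# Object file types the handbook lists (binary is any other single object file,
# which this check does not attempt to recognise).
ALLOWED_OBJECT_SUFFIXES = {".html", ".css", ".js", ".htc", ".xml", ".text"}

# src= / href= attribute values inside an HTML object file.
_URL_ATTR = re.compile(r'\b(?:src|href)\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
_ABSOLUTE_URL = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)


def validate_theme_archive(archive_name: str, data: bytes) -> List[str]:
    """Return the list of rule violations; an empty list means the archive is acceptable."""
    problems: List[str] = []
    if not archive_name.lower().endswith(".zip"):
        return ["archive name must end with .zip"]
    object_name = archive_name[:-4]  # obj1.html.zip -> obj1.html
    suffix = object_name[object_name.rfind("."):] if "." in object_name else ""
    if suffix.lower() not in ALLOWED_OBJECT_SUFFIXES:
        problems.append(f"object file type {suffix!r} is not an allowed type")

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]

    names = zf.namelist()
    for name in names:
        # Any separator means a sub-directory (or a path that escapes the
        # directory), which the handbook forbids: everything extracts in place.
        if "/" in name or "\\" in name:
            problems.append(f"entry {name!r} is not in the archive root")
    if object_name not in names:
        problems.append(f"object file {object_name!r} missing from archive")
    elif suffix.lower() == ".html":
        html = zf.read(object_name).decode("utf-8", errors="replace")
        for url in _URL_ATTR.findall(html):
            if _ABSOLUTE_URL.match(url) or url.startswith("/"):
                problems.append(f"object file references non-relative URL {url!r}")
    return problems


def build_sample_archive(entries: Dict[str, Union[str, bytes]]) -> bytes:
    """Constructed helper: build an in-memory zip from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives.
GOOD_ARCHIVE = build_sample_archive({
    "obj1.html": '<html><head><link href="style.css"></head><body><img src="logo.png"></body></html>',
    "style.css": "body { color: #333; }",
    "logo.png": b"\x89PNG constructed placeholder",
})
BAD_ARCHIVE = build_sample_archive({
    "obj1.html": '<html><script src="http://example.invalid/x.js"></script></html>',
    "assets/style.css": "body {}",
})

if __name__ == "__main__":
    print(validate_theme_archive("obj1.html.zip", GOOD_ARCHIVE))
    print(validate_theme_archive("obj1.html.zip", BAD_ARCHIVE))
    print(validate_theme_archive("theme.exe.zip", GOOD_ARCHIVE))
```

The non-relative URL check matters because a theme is served to every user of the virtual site: an object file that pulls a script from another host makes the portal's login page depend on that host.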
When Host Integrity is enabled, Client Security will first perform all the necessary inspections. If any of the inspections fails, the user will be denied access to the Virtual Portal. Once the Host Integrity inspection is complete, Client Security will enable Cache Cleaner if needed. Host Integrity includes 5 inspection categories that can be performed:
Anti-Virus: checking whether a specific anti-virus product (multiple products may be specified) is installed and how old its virus definition database is.
Personal Firewall: checking whether a specific personal firewall (multiple products may be specified) is installed.
Service Pack: checking what service pack is installed on the PC (supported packs include Windows XP SP1, Windows XP SP2, Windows XP SP3, Windows Vista SP1, Windows Vista SP2, Windows Server 2003 SP1 and Windows Server 2003 SP1).
Anti-Spyware: checking whether a specific anti-spyware product (multiple products may be specified) is installed.
Custom: allowing the administrator to check a Registry value, the existence of a file, the existence of an application (and whether it is running), the OS version of the PC and whether the user is an administrator on the PC. Multiple conditions can be specified to create comprehensive custom rules.
When the Cache Cleaner is enabled, it will monitor the virtual portal's domain name, and once the user leaves the virtual site, Cache Cleaner is triggered to delete the related cache.
SSL Settings
Here you may further customize the SSL security settings of the SPX for a specific virtual site.
SSL Settings/General
1 Make certain you have selected the SSL Settings tab and General sub tab [a].
2 To enable SSL for the virtual site, select checkbox [b].
3 Select the SSL version to deploy on this virtual site [c]. SSLv3 and TLSv1 are supported protocol versions.
4 Select checkbox [d] to enable the session reuse feature.
5 Select checkbox [e] to enable the Accept Certificate Chain from Peer feature.
6 Make certain to click the red Save Changes button [f] once the changes are complete.
SSL Settings/Client Authentication 7 Select the Client Authentication sub tab [g]. You may specify a CRL to be used with client authentication. These lists can be downloaded from the specified CRL Distribution Point at the desired time interval (1-24 hours). To enable this feature, select checkbox [h]. The window will display any currently configured CRLs in the sort ready table [i]. To add a new list, click on the action link [j] and go on to step 8. 8 Supply the CRL distribution point URL, CRL distribution point name and refresh rate [k] and click on action link [l] to complete.
Site2Site
With the Site2Site solution, application access may be bidirectional: either end can initiate the connection, with SSL tunneling on demand or always enabled as a configurable option. Resources (application, host, or network) to be published are configured on the SPX on the server side network. The server side SPX informs the client side SPX of the resources to be published. The client side SPX provisions an available IP address range for the published resource on the client side network to prevent any network conflicts. 1 Make certain you are in Config Mode and have selected the Site2site feature. The configuration window will present the Site2Site configuration page as well as tabs for Peer, Publishing, Provisioning and Policy [a]. Also on this page are a series of direct links for expediting the site2site configuration. Enable this feature by selecting the checkbox. Supply the site ID in the field provided [b]. The site ID may be up to 20 characters in length. Each side of the site2site tunnel must have a unique site ID. Click on the Peer tab [c]. The configuration window will display a table of previously configured peers. Action links allow you to disconnect all connections, connect/disconnect peers and add/delete peers. Click on the link Add Peer [d]. Define the peer by supplying the name (must match the remote SPX S2S site ID), network IP or host name and port [e]. Select the tunnel preference as being always on or on demand [f] and whether the opening of the tunnel requires additional authentication. Click action link [g] to continue.
Select the Publishing tab [a] to configure resources that will be made accessible to the remote SPX peers. Two configuration tables are displayed on this page: one for individual resources [c] and the other for grouped resources [b]. To add a resource, click on the action link [d] Add Resource. To add a group, click link [e] and skip to step 7.
6 Assign resources to be shared among the sites. You may define shared site2site resources as host names that need to be resolved by the network's DNS, an entire subnet of the network, or a specific service with a defined UDP, ICMP or TCP protocol [f]. Supply the host name and network IP [g] with port ranges [h]. Also specify the published host name that remote users will see [i]. Click the desired action link [j] to continue.
7 Configured resources may be grouped together. Create a group name and enter it in the text field/selector [k]. Now assign individual, previously configured resources (see step 6) via the selector [l]. Complete the group setup by clicking on the desired action link [m].
8 Once the resources have been defined, click on the sub-tab Local Address Translation [a]. It is on these configuration pages that you will set up the IPs that will be used to manage incoming requests for services and to allocate network IPs to avoid conflicts. The configuration page displays two tables: one for configured DHCP servers and associated peers [b] and one for dedicated service IP ranges [c]. You may assign peers or add/delete DHCP servers (step 9) and IP ranges (step 10) by selecting the desired action links [d, e]. Once IP ranges are set, or mapped, they may be used as the default address when assigned using the selector [f].
9 Supply the DHCP server name and IP in the fields provided [g]. Assign or associate the desired peer to this configured DHCP server with selector [h]. Complete the setup by clicking action link [i].
10 Configure IP ranges for imported resources and remote clients (users) so that site2site can map connection requests and service responses. These dedicated ranges will be used to avoid IP conflicts when sharing resources. Name the mapped IPs and specify the starting and ending addresses within the range, inclusive [j]. Associate the dedicated IPs to a configured cluster [k] and specified peers [l]. Select the desired action from links [m].
11 Select the Published Resources sub tab [a]. The configuration window will display all configured resources. You may limit the resources that are displayed by using the selector [b]. The display table shows the configured services/groups [c], the peers associated with those resources [d], and the mapping method, category and status [e]. To make these resources available to remote peers on the site2site network, click action link [f].
12 To publish (or stop publishing) resources, indicate Resource Name or Group Name and specify the resource via the selector [g]. Use the selectors [h] to specify the remote peer being granted access to the resource and whether this access is transparent. Complete setup by selecting the desired action [i].
13 By selecting the Provisioning tab you will be able to view those remote resources that have been made available to the local SPX. The provisions refer to the users on the client side of the site2site tunnel. There are additional sub tabs for Resource Address Assignment, DNS, Resource Statistics and Connection Statistics. Specify the desired resource by selecting it from the table [j] and clicking the desired action link [k]. To assign a static address to a resource, see step 14.
14 If you wish to add a static IP for a network resource you will need to supply the information called for by screen [l]; for all other resources you will see screen [m].
14 Very similar to the establishment of resources, you will now have to provision client IPs to avoid internal network conflicts. Click on the sub-tab Resource Address Assignment (sometimes referred to as Remote Address Translation) [a]. It is on these configuration pages that you will set up the IPs that will be used to manage outbound requests for services. The configuration page displays two tables: one for configured DHCP servers and associated peers [b] and one for dedicated client IP ranges [c]. You may assign peers or add/delete DHCP servers (step 15) and IP ranges (step 16) by selecting the desired action links [d, e]. Once client IP ranges are set, or mapped, they may be used as the default address when assigned using the selector [f].
15 Supply the DHCP server name and IP in the fields provided and assign or associate the desired peer to this configured DHCP server with selector [g]. Complete the setup by clicking action link [h].
16 Configure client IP ranges for imported resources and remote clients (users) so that site2site can map connection requests and service responses. These dedicated ranges will be used to avoid IP conflicts when sharing resources. Name the mapped IPs and specify the starting and ending addresses within the range, inclusive [i]. Associate the dedicated IPs to a configured cluster [j] and specified peers [k]. Select the desired action from links [l].
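Steps 10 and 16 both rely on dedicated IP ranges that must not collide with each other or with the networks behind the local SPX. The following Python check is an added example, not part of the handbook or of the SPX, that takes the ranges an administrator intends to configure (start and end address, inclusive, as typed into the WebUI) together with the local subnets and reports every overlapping pair before anything is mapped. All names, ranges and subnets in it are constructed.

```python
"""Check Site2Site mapped IP ranges for overlaps before provisioning them.

Added example (not the handbook's or Array Networks' code): resource-side and
client-side dedicated ranges are compared with each other and with the local
subnets, since a collision with either would defeat the purpose of the ranges.
"""
import ipaddress
from typing import Dict, List, Tuple

IPRange = Tuple[str, str]  # (start, end) inclusive, as entered in the WebUI


def range_to_networks(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Expand an inclusive start..end range into the CIDR blocks that cover it."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return list(ipaddress.summarize_address_range(first, last))


def find_conflicts(mapped: Dict[str, IPRange], local_subnets: List[str]) -> List[Tuple[str, str]]:
    """Return sorted (name, name) pairs whose address space overlaps.

    `mapped` holds the named dedicated ranges (resource-side and client-side
    alike); `local_subnets` holds CIDR strings for the networks behind this SPX.
    """
    blocks: Dict[str, List[ipaddress.IPv4Network]] = {
        name: range_to_networks(*rng) for name, rng in mapped.items()
    }
    for cidr in local_subnets:
        blocks[f"local:{cidr}"] = [ipaddress.ip_network(cidr, strict=False)]

    names = sorted(blocks)
    conflicts: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if a.startswith("local:") and b.startswith("local:"):
                continue  # two local subnets overlapping is not a site2site problem
            if any(x.overlaps(y) for x in blocks[a] for y in blocks[b]):
                conflicts.append((a, b))
    return conflicts


# Constructed configuration: two resource ranges, one client range, two local subnets.
MAPPED_RANGES: Dict[str, IPRange] = {
    "peer-hq-resources": ("10.250.1.1", "10.250.1.254"),
    "peer-branch-resources": ("10.250.2.1", "10.250.2.100"),
    "peer-hq-clients": ("10.250.1.200", "10.250.1.220"),  # collides with peer-hq-resources
}
LOCAL_SUBNETS = ["192.168.10.0/24", "10.250.2.0/25"]  # second collides with peer-branch-resources

if __name__ == "__main__":
    for a, b in find_conflicts(MAPPED_RANGES, LOCAL_SUBNETS):
        print(f"CONFLICT: {a} overlaps {b}")
```

Run the check with every range from both the Local Address Translation and Resource Address Assignment pages, since the two tables are configured separately but share the same address space on the local network.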
17 By selecting the DNS sub tab [a] you will be able to view a table of existing DNS suffixes that are combined with the hostnames supplied by the peer SPX to create the site2site hostname. To add or remove a domain suffix, click on the desired action link [b].
18 Enter the new domain suffix that is to be added to the hostname received from the peer to form the provisioned hostname for that resource [c], and assign it to the desired peer via the selector. The publishing site specifies the hostname and the provisioning site supplies the domain; together these create the final site2site hostname. Click on the desired action link [d] to complete or continue the configuration.
19 Click on the tab Policy to set up the rules regarding the access to configured resources. The configuration page will display all currently set policies in a standard table. You may use the selector [e] to choose a specific rule to display. Click on the action link Add Policy [f] to continue the configuration.
20 Supply the rule name [g] with associated IP, netmask and port range in text fields [h]. Complete setup by clicking on desired action link [i].
21 Select the Policy Config sub tab [a] to continue. The configuration window will display two tables; one for policy groups [b] and the other for individual policies [c]. To configure policy groups, click on the Add Group action link [d] and skip to step 23. For individual policy configuration, click on the action link Add Policy [e] and proceed to step 22.
22 Set the policy name [f] and use the selectors [g] to set this policy's source and destination, respectively. Set the protocol and permission action with selectors [h]. Configure a priority value [i] (the lower the number, the higher the priority) and use the checkbox to indicate that an alert message should be sent when the policy is used. Finally, associate this policy with a specific SPX peer via the selector [j]. Complete the policy configuration with action link [k].
23 Supply a name for the policy grouping [l] and use the selector [m] to assign policies to the created group. Use selector [n] to associate this group to a specific SPX peer. Complete the setup by clicking on the desired action link [o].
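Steps 20 and 22 together define how the SPX decides whether a connection across the tunnel is allowed: named IP/netmask/port-range rules are bound into policies with a protocol, a permit or deny action, a numeric priority where a lower number wins, an alert flag and a peer. The following Python model is an added example, not the SPX's own policy engine, that applies those policies to sample connections so an administrator can predict the outcome before saving. The default action when no policy matches is assumed to be deny, since the handbook does not state it, and all rules, policies and addresses are constructed.

```python
"""Evaluate Site2Site access policies for a connection.

Added example (not the handbook's or Array Networks' code). Models the step 20
address rules and step 22 policies and picks the matching policy with the
lowest priority value; no match falls through to an assumed default of deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AddressRule:
    """A step 20 rule: name, IP, netmask and inclusive port range."""
    name: str
    ip: str
    netmask: str
    ports: Tuple[int, int]

    def matches(self, address: str, port: int) -> bool:
        network = ipaddress.ip_network(f"{self.ip}/{self.netmask}", strict=False)
        return ipaddress.ip_address(address) in network and self.ports[0] <= port <= self.ports[1]


@dataclass(frozen=True)
class Policy:
    """A step 22 policy bound to one peer."""
    name: str
    source: AddressRule
    destination: AddressRule
    protocol: str   # "tcp", "udp", "icmp" or "any"
    action: str     # "permit" or "deny"
    priority: int   # lower number = higher priority
    alert: bool
    peer: str


@dataclass(frozen=True)
class Connection:
    peer: str
    protocol: str
    src_ip: str
    src_port: int   # use 0 for ICMP
    dst_ip: str
    dst_port: int


def evaluate(policies: List[Policy], conn: Connection) -> Tuple[str, Optional[Policy]]:
    """Return (action, winning policy); with no matching policy the assumed default is deny."""
    matching = [
        p for p in policies
        if p.peer == conn.peer
        and p.protocol in ("any", conn.protocol)
        and p.source.matches(conn.src_ip, conn.src_port)
        and p.destination.matches(conn.dst_ip, conn.dst_port)
    ]
    if not matching:
        return "deny", None
    winner = min(matching, key=lambda p: p.priority)
    return winner.action, winner


def should_alert(policies: List[Policy], conn: Connection) -> bool:
    """True when the policy that decided this connection has its alert flag set."""
    _, winner = evaluate(policies, conn)
    return winner is not None and winner.alert


# Constructed rules and policies for a branch peer reaching HQ resources.
ANY_PORT = (0, 65535)
BRANCH_LAN = AddressRule("branch-lan", "10.20.0.0", "255.255.0.0", ANY_PORT)
HQ_ALL = AddressRule("hq-all", "10.10.0.0", "255.255.0.0", ANY_PORT)
HQ_DB = AddressRule("hq-db", "10.10.5.10", "255.255.255.255", (1433, 1433))
HQ_WEB = AddressRule("hq-web", "10.10.5.20", "255.255.255.255", (80, 443))

POLICIES = [
    Policy("deny-all-hq", BRANCH_LAN, HQ_ALL, "any", "deny", 100, False, "hq"),
    Policy("allow-db", BRANCH_LAN, HQ_DB, "tcp", "permit", 10, True, "hq"),
    Policy("allow-web", BRANCH_LAN, HQ_WEB, "tcp", "permit", 20, False, "hq"),
]

if __name__ == "__main__":
    for c in [
        Connection("hq", "tcp", "10.20.1.5", 40000, "10.10.5.10", 1433),
        Connection("hq", "tcp", "10.20.1.5", 40001, "10.10.5.10", 22),
        Connection("hq", "udp", "10.20.1.5", 40002, "10.10.5.20", 443),
        Connection("hq", "tcp", "10.30.1.1", 40003, "10.10.5.20", 443),
    ]:
        action, policy = evaluate(POLICIES, c)
        print(c.protocol, c.dst_ip, c.dst_port, "->", action, policy.name if policy else "(no match)")
```

The broad deny at priority 100 with narrow permits at 10 and 20 is the usual way to read the handbook's "lower number, higher priority" rule: the specific permits win, and anything they do not cover falls to the deny.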
Local Users
4 To add a user, supply the following information: user name [a], user password with confirmation [b] and whether to force a password change [c] upon the user's first visit (forcing the user to set their own custom password). All previously configured GROUPS will be listed in the sort ready table [d]. If groups are listed here, you may assign the newly created user to those listed groups. If you have not created any groups, you will be instructed how to create groups and assign users to the groups on the next page. There are four optional fields for granting your users file sharing preferences (see step 5). Click on the desired action link [e] to complete user setup. 5 OPTIONAL: To assign the newly created user to a work group with a static IP, supply the user ID [f], Group ID [g], the static internal IP address [h] and netmask [i]. Click on the desired action link [e] to complete user setup.
The newly added group will appear in the sort ready table described in step 2 above. To make edits to this newly created group simply double click the group name to be returned to the edit page.
If this is the first time configuring this feature, the configuration window will display the screen described in step 2; otherwise the screen will appear as described in step 3. 2 The configuration window for adding or editing a MAC authorization rule has a selector for choosing a specific user [b] as well as three large data fields for entering the user's specific MAC addresses [c], Hard Drive ID (serial number) [d] and any specific executable path for ActiveX to obtain the necessary IDs [e]. Complete the setup by clicking the desired action link [f]. Users must match one rule for authorization. 3 The configuration window will display a sort ready table with all configured MAC based rules [g]. Double click any entry to edit (see step 2). To enable this feature, click on the enable checkbox [j]. Any changes to this screen require you to click on the red save button for the changes to take effect. To set the default action for users without configured rules to Permit or Deny, choose the desired button [k]. Enable the SPX to authorize the user's MAC address and/or hard drive ID by selecting [l].
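The decision described above has three parts: a user must match one rule, users with no rule receive the configured default action, and the check can apply to the MAC address and/or the hard drive ID. The following Python function is an added example, not the SPX's own authorization code, that implements that decision and normalises MAC addresses before comparing them, since the same address is often written as AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff or aabb.ccdd.eeff. All users, addresses and drive serial numbers are constructed. Because these identifiers are read on the client by the ActiveX component, the check works as an additional factor alongside user authentication rather than as a replacement for it.

```python
"""Apply MAC address / hard drive ID authorization rules.

Added example (not the handbook's or Array Networks' code). A login attempt
is permitted only if the user's rule lists the presented MAC address (when MAC
checking is on) and hard drive ID (when drive checking is on); users without a
rule receive the configured default action.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set


def normalize_mac(mac: str) -> str:
    """Canonical lower-case 12-hex-digit form; raises ValueError on malformed input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


@dataclass
class MacRule:
    """One rule: a user plus the MAC addresses and hard drive IDs allowed for that user."""
    user: str
    macs: Set[str] = field(default_factory=set)
    hdd_ids: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        self.macs = {normalize_mac(m) for m in self.macs}
        self.hdd_ids = {h.strip().upper() for h in self.hdd_ids}


@dataclass
class MacAuthConfig:
    enabled: bool
    default_action: str  # "permit" or "deny" for users that have no rule
    check_mac: bool
    check_hdd: bool
    rules: Dict[str, MacRule]


def build_config(rules: List[MacRule], default_action: str = "deny",
                 check_mac: bool = True, check_hdd: bool = True) -> MacAuthConfig:
    return MacAuthConfig(True, default_action, check_mac, check_hdd, {r.user: r for r in rules})


def authorize(cfg: MacAuthConfig, user: str, mac: str, hdd_id: str) -> str:
    """Return "permit" or "deny" for the given login attempt."""
    if not cfg.enabled:
        return "permit"
    rule = cfg.rules.get(user)
    if rule is None:
        return cfg.default_action
    if cfg.check_mac:
        try:
            presented = normalize_mac(mac)
        except ValueError:
            return "deny"  # a malformed or missing address never matches a rule
        if presented not in rule.macs:
            return "deny"
    if cfg.check_hdd and hdd_id.strip().upper() not in rule.hdd_ids:
        return "deny"
    return "permit"


# Constructed rules.
SAMPLE_RULES = [
    MacRule("alice", {"AA-BB-CC-DD-EE-01", "aa:bb:cc:dd:ee:02"}, {"WD-WCC4E1234567"}),
    MacRule("bob", {"00:11:22:33:44:55"}, set()),
]

if __name__ == "__main__":
    cfg = build_config(SAMPLE_RULES)
    print(authorize(cfg, "alice", "aabb.ccdd.ee01", "wd-wcc4e1234567"))
    print(authorize(cfg, "alice", "aabb.ccdd.ee03", "WD-WCC4E1234567"))
    print(authorize(cfg, "mallory", "00:00:00:00:00:00", ""))
```

Note that bob's rule lists no hard drive IDs, so with drive checking enabled he can never be permitted; that is the configuration mistake the check_hdd flag exists to surface before users start calling.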
Access Methods
Web Access
The SPX provides a portal page that allows your users to access protected content easily and securely. After users authenticate using the SPX login page, they are presented with a portal page that serves as a "jumping off" point for accessing all of the internal content available through the SPX. The appearance of the portal page can be customized in several ways. Each virtual site may have its own independent portal page.
Basic Settings
1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link Web Access. The configuration window will display configuration tabs [b] (the default landing page is Basic Settings). Any previously configured web links will be listed in the sort ready table [c]. 2 To add a web link for your users, click on the Add Weblink link [d] and go to step 3. The bottom of the configuration page has four settings that set browsing rules for the virtual site portal [e]. These settings include displaying a URL bar on the portal homepage, displaying the navigational tool (with or without a URL bar), whether to open accessed links in a new window and whether to allow bookmarking from the virtual site. 3 Supply the web link's URL in field [f] and description [g]. Now assign the link's position on the portal homepage [h] in ascending order. If no position is given, links will be displayed in the order configured/created. Complete the task by selecting the desired action link [i].
QuickLink
QuickLink is a clientless access method that allows SPX users instant access to web content originating from the internal network, most often from servers that are not exposed to access from the outside. Rather than doing full content parsing and rewriting, QuickLink uses a unique hostname or a unique port to represent the backend web server. This way parsing and rewriting are greatly simplified and streamlined. When backend web content passes through the SPX, only absolute paths with hostnames are rewritten to the configured unique hostname or port. This feature is a pure web based SSL VPN solution requiring no plug-in and no client, making QuickLink platform and browser neutral. 1 Click on the tab QuickLink [a]. A sort ready table will be displayed showing all previously configured QuickLinks; double click on an entry to edit. To add a new QuickLink, click the Add link [b]. Configure the link's destination ID, mode (path, port or hostname), the URL, the destination path, link description and link position (optional) in the fields provided [c]. Click on the desired action link to complete setup [e]. Supported features with QuickLink include [d]: ACL Support, SSO, Client-Auth Authentication, HTTP Client Certfield, Custom Rewrite, Book Marking, Portal Theme Configuration and SharePoint. Note: URL Masking is NOT supported with QuickLinks. Rewrite must be enabled for QuickLink to work (CLI: rewrite on).
LinkDirect
1 Click on the tab LinkDirect [a]. Near the center of the display is a checkbox to enable client DNS, where the DNS request will go to the client's DNS system first and only be sent to the SPX if the local system cannot resolve it [b]. The configuration window will display two sort ready tables: one for configured links and the other for configured rules (IP/port designations for L4 tunnels) [c]. To add a link location, click on action link Add [d]. To configure a new rule, click on action link Add [e]. To edit existing entries in either table, double click on the entry. 2 Create a L4/Web Resource Mapping link on the portal page of the virtual site. Note: these links only apply if a custom portal page has not already been specified with the "portal custom" operation. Specify the destination URL, description and optional link_position [f]. If no values are given for link positions, the links will be placed after all of the previously configured links. Click on the action link [g] to complete the setup. 3 Configure 0 to 10 IP/Port rules. When the portal linkdirect connection request falls within a rule, the connection will be tunneled through L4. This operation should only be used when embedded objects (ActiveX, Java or Flash) need to open connections to backend servers other than the main web server. Enter the IP and port range [h]. Complete by selecting [i].
Server Access: General Settings
2 In this configuration window there are four enable/disable choices relating to the backend servers and web access. Enable Single Sign On (SSO) [c]. By enabling this option, the SPX will attempt to authenticate with backend servers using the end user's login username and password. This feature only works with backend servers that require NTLM or Basic HTTP authentication (or no authentication at all). Various features (including header insertions, redirections and cookie management) may be enabled via checkboxes [d]. Administrators may wish to insert an x-client-certificate header into the request if the SSL client certificate is given, or to insert the X-SSO-USER header, which inserts into every request made from the SPX to the backend server an X-SSO-USER HTTP header carrying the username. This includes requests generated from portal pages. Pass Session Cookie to Origin Server: by default, the SPX strips its session cookie out of every request before it forwards the request to the backend server. Enabling this feature causes the SPX to leave session cookies in proxied requests. Administrators can let users access multiple backend applications without re-entering their credentials. There is an SSO POST table displaying the current SSO POST configuration settings. To add an SSO user, click the Add link [f].
Administrators may configure multiple pages per virtual site. The <hostname> parameter indicates the host name of the backend server; <login url> refers to the login page (the pair of <hostname> and <login url> should be unique per virtual site); the <username field> and <password field> are required for user authentication. The optional [post host] setting refers to the POST target and should be entered as the hostname if the target is indeed the same location as the value entered for the <hostname> parameter; if the POST target is different, administrators should enter the specific target with this optional setting, including the port designation if needed, e.g. www.testhost.com:8888. The optional parameter [post url] refers to the URL to direct the POST to if different from the <login url>. The optional parameter [other post fields] refers to a set of fixed attributes that are sent with the POST; e.g. if a fixed domain and department are to be sent along with the POST credential, this would be entered as domain=arraynetworks.net&deptname=eng. The option [bookmark enable] instructs the SPX to resend the POST so that end users will not be prompted to supply credentials to visit multiple locations on the backend; e.g. if a user times out while using OWA in the middle of a new message, enabling this feature will allow the user to re-login and return directly to the new message instead of going to the traditional starting point [g]. Select and click the desired action link [h]. Make certain to click the red save button when finished.
Web SSH
4 To configure a portal link to a web based SSH resource, click on SSH and enable the feature [i], then supply the hostname, port and link position [j].
Server Access: Compression Settings
URL policies for HTTP compression allow the administrator to disable compression on a per URL basis. Please note that the keyword parameter is limited to 200 bytes. 1 Existing policies are displayed in the sort ready table [a]. To edit or delete an entry, double click on the entry to edit, or single click and select the action link Delete [b]. To add a policy, click on the action link Add [b]. Assign the policy's priority from 0 to 65535; the lower the value, the higher the priority. Supply the priority for the policy and the keyword in fields [c]. Click on action link [d] to complete the setup.
Server Access: Application Redirect
When a redirect rule is configured, the SPX will redirect all requests that have the "external host" in the Host header to the configured host of the virtual site. 4 Select the sub tab Application Redirect [e] to see a table of configured redirection policies. Click the Add link [f] to create a new policy, or double click on the desired table entry to change an existing policy. Supply the external host name [g], choose the access type (web or L4) [h] and the application identifier with IP and Port values [i]. For access type "L4", the SPX will open an L4 tunnel to the redirect target server. Note: for an HTTP redirect application to work properly, the site should have rewrite off and http statefulredirect enabled. Click the desired action link [j] to complete the configuration.
Server Access: Certificate Forwarding X-Client-Certificates
This feature allows you to forward specific certificate field(s) to the backend server as well as customize the field name that will be accepted by the backend server. The Header method passes the specific field, with the customized name if one is defined, in an HTTP header to the backend server. If the customized name is NULL, the system will use the default value. The URL method passes the specific field, with the customized name if one is defined, in the URL request to the backend server. The Field Name is the standard name for the certificate section. The SPX supports the following options: subject, issuer, subject_rev, issuer_rev, serial, notbefore, notafter, common name. The Customized Name specifies the field name that replaces the standard name defined in the previous parameter. 1 Click the sub tab Certificate Forward [a] and the SPX will display a table of previously configured forwarding policies [b]. Click the Add action link [c]. Set the method for the policy [d]. Supply the backend server's URL [e]. You may customize the policy [f]. Complete the configuration by clicking on the desired action link [g]. Click the sub tab X Client Certificate and the SPX will display a table of previously configured Object IDs (OID). Specify (reset/display) the RDN separator character for the client certificate DN transferred to the backend server, and the <position> of the separator character, pre or post. Click the Add action link to name the OID. Customize the OID name of the client certificate field transferred to the backend server.
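The following Python code is an added example, not the SPX's own implementation, of what a backend server receives from the certificate forwarding feature described above: it formats the fields the handbook lists (subject, issuer, subject_rev, issuer_rev, serial, notbefore, notafter, common name) with the RDN separator in the pre or post position, applies a customized field name where one is given, and produces either the HTTP headers of the Header method or the query parameters of the URL method. The default header names (X-Client-Cert-<field>) and the sample certificate values are assumptions constructed for the example; a real deployment would fill `cert` from the client certificate presented in the TLS handshake.

```python
"""Build the forwarded certificate fields a backend would receive.

Added example (not the handbook's or Array Networks' code). The certificate is
represented as a dict of already-parsed fields; the DN fields are ordered lists
of (attribute, value) RDN pairs.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

RDN = Tuple[str, str]  # e.g. ("CN", "alice")
ForwardPolicy = Tuple[str, Optional[str]]  # (field name, customized name or None)

SUPPORTED_FIELDS = {"subject", "issuer", "subject_rev", "issuer_rev",
                    "serial", "notbefore", "notafter", "common name"}


def format_dn(rdns: List[RDN], separator: str = "/", position: str = "pre",
              reverse: bool = False) -> str:
    """Join RDNs with the separator placed before ('pre') or after ('post') each one."""
    ordered = list(reversed(rdns)) if reverse else list(rdns)
    parts = [f"{attr}={value}" for attr, value in ordered]
    if position == "pre":
        return "".join(separator + p for p in parts)
    if position == "post":
        return "".join(p + separator for p in parts)
    raise ValueError("position must be 'pre' or 'post'")


def certificate_field(cert: dict, field_name: str, separator: str, position: str) -> str:
    """Render one of the supported fields as the string that would be forwarded."""
    if field_name not in SUPPORTED_FIELDS:
        raise ValueError(f"unsupported field {field_name!r}")
    if field_name in ("subject", "subject_rev"):
        return format_dn(cert["subject"], separator, position, reverse=field_name.endswith("_rev"))
    if field_name in ("issuer", "issuer_rev"):
        return format_dn(cert["issuer"], separator, position, reverse=field_name.endswith("_rev"))
    if field_name == "common name":
        return next(value for attr, value in cert["subject"] if attr == "CN")
    return cert[field_name]  # serial, notbefore, notafter


def forwarding_headers(cert: dict, policies: List[ForwardPolicy],
                       separator: str = "/", position: str = "pre") -> Dict[str, str]:
    """Header method: header name -> value. Default names are an assumption."""
    headers: Dict[str, str] = {}
    for field_name, custom in policies:
        name = custom or "X-Client-Cert-" + field_name.replace(" ", "-").title()
        headers[name] = certificate_field(cert, field_name, separator, position)
    return headers


def forwarding_query(cert: dict, policies: List[ForwardPolicy], url: str,
                     separator: str = "/", position: str = "pre") -> str:
    """URL method: the backend URL with the fields appended as query parameters."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for field_name, custom in policies:
        params.append((custom or field_name, certificate_field(cert, field_name, separator, position)))
    return urlunsplit(parts._replace(query=urlencode(params)))


# Constructed sample certificate fields.
SAMPLE_CERT = {
    "subject": [("C", "US"), ("O", "Example Corp"), ("CN", "alice")],
    "issuer": [("C", "US"), ("O", "Example Corp"), ("CN", "Example Issuing CA")],
    "serial": "0A1B2C",
    "notbefore": "2011-01-01T00:00:00Z",
    "notafter": "2012-01-01T00:00:00Z",
}

if __name__ == "__main__":
    print(forwarding_headers(SAMPLE_CERT, [("subject", None), ("serial", "X-Cert-Serial")]))
    print(forwarding_headers(SAMPLE_CERT, [("subject_rev", None)], separator=",", position="post"))
    print(forwarding_query(SAMPLE_CERT, [("common name", "user")], "https://backend.example.invalid/app"))
```

Because any HTTP client can send a header with the same name, the backend should accept these values only on connections that arrive from the SPX and ignore the header from any other source; the same applies to the query parameters produced by the URL method.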
NFS Fileshare
The NFS Fileshare feature allows you to create a link to an NFS/Unix shared directory. On systems deploying WINS, the hostname and the NetBIOS server name must be the same. 5 Select the NFS Fileshare tab [a]. Previously configured services will be displayed in table [b]. To edit an entry, double click on the desired link label to enter the screen (same as the Add screen described below). To add a file share link to resources, click on the action link Add NFS Link [c]. To add (or edit) an entry, supply data in fields [d]. Finish by selecting action link [e]. The <remote_host> and <path> parameters specify the location of the shared directory.
Published Applications
The Published Applications thin client provides simple access to applications published on Microsoft Terminal Services using the SPX. By enabling the TCS feature and the module PubApps (Published Applications), you are ready to continue to the Configurator by double-clicking on the desired module in the displayed list. 4 The Configurator configuration page for PubApp displays tabs and sub tabs for General Settings, Applications & Servers and Folders [e]. On this first page you may set Terminal Services, the URL to a Microsoft Web RDP client cab file, and Verify At Startup, which instructs the SPX to verify the existence of the Microsoft Web RDP client component on the end user's host when the user starts the thin client. If the component is not found, the SPX will download the component from the URL specified in the Terminal Services property [f].
Single Sign-On. The logon settings area includes the following parameters: Enabled (when enabled, the SPX will not prompt the user for credentials upon startup; rather it will extract the user information from the single sign-on information provided by the Array SPX) and Default Domain (the default value that will be used as the domain) [g]. Click the red SAVE CHANGES button to commit these changes to the running configuration.
Applications & Servers 7 By selecting the Applications & Servers sub tab you may now configure the specific applications to be supported and their locations [h]. Click the action link Add [i] to add applications (proceed to step 8, next page) or click on action link Add [j] to add application servers to the setup (proceed to step 11, next page).
To add applications through the Configurator: 8 Click the enable box to make certain the added application will be active [a]. Supply the application information [b], including the application's name, description, location, folder, application window dimensions in pixels (-1 x -1 opens the application window full screen) and color depth (default, 256 colors, high color 16-bit or true color 24-bit). You may also associate an icon with this application. Set the redirection controls for which client resources this remote application may be mapped to: drives, ports, printers or smart cards [c]. Redirect only the resources the application actually needs; drive and port redirection expose the client's local devices to the remote session.
10 Complete this portion of the configuration by clicking the desired action link [d].
To add servers through the Configurator: 11 Supply the application host server's IP, type and port [e]. 12 Enable this server so that it can be called by users wishing to access the configured application [f]. 13 Complete this portion of the configuration by clicking the desired action link [g].
Folders
Folders are used to create logical groups of applications. Each application can be assigned to one folder (by default all applications are assigned to the root folder). 1 By selecting the Folders sub tab you may add and name folders to better organize the TCS applications. Any previously configured folders are displayed beneath the My Applications icon [a]. To add a new folder, click the My Applications icon [a] and then click the action link Add [b]. Supply the name of the new folder in the text field [c] and click action link [d]. The new folder appears within the My Applications master folder [e]. Folders can be nested inside the new folder in the same manner; note the icon change when folders are enclosed within other folders [f]. Use the action buttons [g] to open or close all folders contained within the master folder.
TCS Configurator
The TCS Configurator provides simple access to applications published on Microsoft Terminal Services through the SPX. Once the TCS feature and the TCS module are enabled, continue to the Configurator by double-clicking the desired module in the displayed list. The Configurator page presents the same General Settings, Applications & Servers and Folders tabs, including the Terminal Services URL and Verify At Startup settings, as described under Published Applications above.
TCP Applications
The SPX provides secure remote access to legacy application servers within the network. This feature supports most fixed-port TCP applications, including common mail applications. Once configured, users may securely access applications from most Windows and recent Macintosh clients running a current Web browser (IE or Netscape) with Java support.
General Settings 1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link TCP Applications [a]. The configuration window displays five configuration tabs [b] (the default landing page is General Settings). Enable TCP application support by selecting checkbox [c]. The Application Manager listens for TCP traffic from applications running on the client machine, encrypts the packets, and forwards them to the SPX over SSL connections [d]. Set an optional dedicated control port [e]. Select the software support (Java|ActiveX) [f]. Enable Windows Redirector to allow applications to resolve and connect to hostnames on the internal network [g]. By default WinRedir has the non-user process feature enabled [h], which sends traffic from all processes not running under the user's own privileges (such as SYSTEM, NETWORK, etc.) through the SPX proxy. To tunnel both WinRedir and the Secure Desktop (WinRedir is not L3VPN), select box [i]; when this feature is enabled, both applications are tunneled. Enable client DNS so that DNS requests go to the client's own DNS first and are sent to the SPX only if the local system cannot resolve them [j].
Host Mapping 3 Select the Host Mapping tab [a]. The configuration window displays existing host entries in the sort-ready table [b] (double-click a table entry to edit it). To add a host, click the action link Add [c] and proceed to step 4. To have the SPX automatically update the user's hosts file, select [d]; the client user must have full read, write and modify privileges on that file, otherwise the update is blocked even when it is enabled on the SPX side. 4 Supply the hostname in field [e] and the local host IP [f], then click the desired action link [g] to complete the setup.
Services You may specify which TCP services are made available to users through the legacy application proxy. TCP services may only be configured for hosts mapped to local IP addresses (an IP in the form 127.0.0.X where X = 1-254). 5 Select the Services tab [h]. Existing services are displayed in table [i]. 6 Click Add Service [j]. Configure a new service by supplying a description [k], attaching the service to a host [l] and furnishing the needed IPs and ports [m-p]. Complete by selecting the desired action [q].
Windows Redirector 1 Select the Windows Redirector tab [a]. The configuration window displays three sub tabs [b]. Existing redirection entries are displayed in the sort-ready table [c] (double-click a table entry to edit it). To add a redirection entry, click the action link Add [d] and proceed to step 2. 2 Supply the description [e], executable name [f] and MD5 hash value [g]; a hash value of "0" redirects all traffic from every executable with that name, regardless of its contents. Complete the task by selecting the desired action link [h]. Pinning the hash restricts redirection to one known build of the executable, so each patched build needs a new entry; the "0" wildcard is more convenient but lets any binary carrying that file name use the redirector.
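The executable-name plus MD5 match described above, modeled in Python as an added example for this page (this is illustrative code, not Array Networks' implementation of the redirector). The entry layout, the case-insensitive name comparison, the lowercase hex digest and the constructed sample executables are assumptions; the only behaviour taken from the page is that a hash value of "0" matches every executable with that name.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class RedirectEntry:
    """One Windows Redirector entry: description, executable name, MD5 hash.
    md5 is a lowercase hex digest, or "0" to match any file with that name."""
    description: str
    executable: str
    md5: str


def md5_of_bytes(data: bytes) -> str:
    """Hex MD5 digest of an in-memory image."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hex MD5 digest of a file on disk, read in chunks so large binaries fit."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def find_redirect(entries: Iterable[RedirectEntry], exe_name: str,
                  exe_md5: str) -> Optional[RedirectEntry]:
    """Return the first entry that applies to this process, or None.
    Names are compared case-insensitively (Windows file names are); the hash
    must match exactly unless the entry uses the "0" wildcard."""
    name = exe_name.lower()
    wanted = exe_md5.lower()
    for entry in entries:
        if entry.executable.lower() != name:
            continue
        if entry.md5 == "0" or entry.md5.lower() == wanted:
            return entry
    return None


# Constructed sample data (not real binaries): two builds of the same program.
BUILD_A = b"MZ" + b"constructed-mailclient-build-A" * 8
BUILD_B = b"MZ" + b"constructed-mailclient-build-B" * 8

SAMPLE_ENTRIES = [
    # Pinned: only this exact build of mailclient.exe is redirected.
    RedirectEntry("Mail client, approved build", "mailclient.exe", md5_of_bytes(BUILD_A)),
    # Wildcard: any binary named legacyapp.exe is redirected.
    RedirectEntry("Legacy ERP client", "legacyapp.exe", "0"),
]


if __name__ == "__main__":
    for exe, image in (("MailClient.exe", BUILD_A),
                       ("mailclient.exe", BUILD_B),
                       ("legacyapp.exe", BUILD_B)):
        hit = find_redirect(SAMPLE_ENTRIES, exe, md5_of_bytes(image))
        print(exe, "->", hit.description if hit else "not redirected")
```

Running the block shows the trade-off in the paragraph above: the patched build B of the mail client is not redirected because its hash no longer matches the pinned entry, while the wildcard entry accepts anything named legacyapp.exe.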
Windows Redirector: IP Based Redirect For clients running IE on Windows machines, configure an IP and port range for which all traffic will be tunneled through the SPX. 3 Select the Windows Redirector tab [a] and the IP Based Redirection sub tab [b]. Existing redirection entries are displayed in the sort-ready table [c] (double-click a table entry to edit it). To add a redirection entry, click the action link Add [d] and proceed to step 4. You may also map external and internal IPs in much the same manner. 4 Supply the description [e], IP address [f] and port range (first port & last port) [g] for all traffic to be tunneled. Complete the task by selecting the desired action link [h].
IP Mapping (External IP to Internal IP) Use this feature to add a rule mapping an external IP and port pair to an internal IP and port pair. The pair of <external ip> and [external port] must be unique per virtual site. The default value of [external port] and [internal port] is 0, which indicates a one-to-one IP redirection for all ports. 5 Select the Windows Redirector tab (as above) and the IP Based Redirection sub tab (as above). Existing redirection entries are displayed in the sort-ready table (double-click a table entry to edit it). To add a mapping rule, click the action link Add Mapping [i]. Supply the external IP and port in fields [j] and the destination internal IP and port in fields [k]. Complete by selecting action link [l].
Windows Redirector: Network Based Redirect Establishes a specific tunneled network for clients running IE on Windows. If no last port is configured, the default is the first port setting. 5 Select the Windows Redirector tab [i] and the Network Based Redirection sub tab [j]. Existing redirection entries are displayed in the sort-ready table [k] (double-click a table entry to edit it). To add a redirection entry, click the action link Add [l] and proceed to step 6. 6 Supply the entry fields and the port range (first port & last port) [o] for all traffic to be tunneled. Complete the task by selecting the desired action link [p].
ALP This feature notifies the clientapp function to treat connections destined for the configured backend IP and port as HTTP protocol traffic. These connections can then benefit from SSO rules and have HTTP ACLs applied to the requests. 1 Select the ALP tab [a]; the SPX displays a table of any previously configured processing rules [b]. To add a new rule, click the Add action link [c]. Set the destination IP and port of the backend [d] and complete the setup by clicking the desired action link [e].
L3VPN
When the VPN feature is activated, a VPN client is automatically installed on the client machine from a Web browser. This VPN client intercepts all network traffic destined for the internal network and securely tunnels it to the SPX. All tunnel data is protected by SSL encryption. Since all IP traffic to the destination networks is tunneled, all IP-based applications should work transparently through the tunnel, including those that use dynamic-port TCP and UDP protocols, NetBIOS, or ICMP.
L3VPN General Settings 1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link L3VPN [a]. Enable the L3VPN feature [b] (this requires AAA to be enabled as well). Enable other L3 features such as autolaunch, pre-install of the client, Client Isolate, etc. [c].
Netpools 3 Any existing netpools are displayed in the sort-ready table [d]. To add a netpool for the VPN, click the action link Add Netpool [e] and proceed to step 5. Links are provided at the bottom of this page to download the Array VPN standalone client software [f]. Configure a netpool by supplying a name [h] and the tunneling choice [i]: with split tunneling, only traffic destined for accessible network zones is tunneled, while all other traffic continues to be routed normally and the client keeps access to local network resources. You may enable the IPSec and StayConnected features [j] (Stay Connected is disabled when users deploy Secure Desktop). Complete the setup [k]. Split tunneling is the more convenient choice but leaves the client attached to its local network and to yours at the same time; choose full tunneling where that bridging is unacceptable.
Netpool Configuration - Basic Tunneling 1 Double-clicking a Netpool Name in the sort-ready table (previous page) opens a configuration window with more options for the VPN. The top of the window has a selector to switch between configured netpools or return to the L3VPN General Settings page [a]. This configuration page has four tabs and two sub tabs [b] and a table [c] that lists any configured network zones (the IP subnets reachable through the VPN). You may change the current tunnel setting for the netpool if necessary [d]. To add a new network zone, click [e] and proceed to step 3. 3 Supply the network IP and netmask [f] for the network to be accessible via the VPN and click the desired action [g].
Netpool Configuration - DHCP Server 6 Supply the appropriate address [j] and choose the next action [k].
Netpool Configuration - Drive Mapping 7 You may enable automatic drive mapping for the configured VPN netpool by selecting the Drive Mapping tab [a]. Configured drives are displayed in table [b]. To add a drive, click action link [c]. Assign the desired drive via selector [d] and furnish the resource path [e]. Complete the setup [f].
Netpool Configuration - Launch Command 9 You may configure an application or other executable to be launched on successful establishment of a Layer 3 connection or on termination of a Layer 3 connection. Select the Launch Command tab. Double quotes are required around the whole command string, and the command string must contain the full path of the command plus any necessary arguments. If there are spaces in the command itself or in an argument, enclose that element in single quotes, for example:
"'c:\program files\mycompany\my command.exe' myarg1"
Enter the command [g] or [i]. You may have the SPX stop the L3 VPN on any launch error [h] or [j]. The command is executed on the client host, so point it only at an executable you trust.
Netpool Configuration - Advanced: General 1 Select the Advanced tab [a] to continue the netpool setup. 2 You may enable the Stay Connected feature (whether the VPN stays connected if the client browser is closed) and/or IPSec Tunneling over SSL VPN [b]. This is disabled if the user is deploying the Secure Desktop. 3 Source-based routes for VPN tunneled traffic can be separated on a per-netpool basis [c]. If the default flag is specified, the route is used for tunnel traffic whose destination does not match a globally configured "ip route static". If the all flag is specified, all tunnel traffic for this netpool uses this route, regardless of globally configured static routes. 4 IP broadcast traffic may be forwarded between the remote clients and the internal network; enabled is the default behavior [d]. Enable multicast IP traffic forwarding with [e]. To enable local DNS services, select checkbox [f]. Note: if you enable the Client Local DNS Services feature, make certain that all SPXs and virtual portal hostnames have been added to the local DNS files. 5 To allow L3VPN users to access resources on their local subnet regardless of whether full or split tunneling is used, select [i]. To force L3VPN users to log out or terminate the session from the L3VPN client directly, select [j].
5 To set up a Windows Administrator, select sub tab [a]. The configuration window displays a sort-ready table listing any previous administrator accounts [b]. You may edit these entries by double-clicking the account directly. Click the action link [c] to add an entry. At the bottom of the page is a link [d] for administrators to download standalone VPN clients to distribute to their users, if necessary. When adding an administrator account, the SPX presents text fields for account ID, username, password and confirm password. The fields <username> and <password> refer to the Windows machine's local Admin username and password [e]. They can be at most 255 characters in length. The password is displayed in a scrambled format (not base64). Complete the entry by clicking the desired action link [f]. Please note that by Windows convention the username is case insensitive and the password is case sensitive; however, this depends on the individual Windows system. Because this entry holds a local Administrator password, treat any configuration export containing it as sensitive.
Inside Proxy 6 Assigns a proxy to the remote client after the client has connected to the L3VPN. This proxy setting is applied to the IE browser via the Internet Options LAN settings.
ATF
Authorized Traffic Forwarding (ATF) is a clientless access method used to authorize traffic and to secure intranet and Internet access. In this clientless access mode, the SPX acts as a gateway, forwarding packets to and from destinations based on authentication and authorization rules. When an end user logs in, that user's attribute values are retrieved from the AAA server. Unauthenticated users are directed to a portal page: DNS queries are answered so that the request is sent to the portal (similar to a Captive Portal), and HTTP is intercepted so that if any other URL is requested the user is sent to the login portal. After login, the user's source IP/MAC address pair is stored in the session table to identify authenticated users, and the configured authorization ACLs are assigned to that user. These rules define the resources the user may access. Outgoing packets from the user pass through the SPX and are checked against the IP/MAC session table and the ACLs: if permitted, the packets are forwarded, otherwise they are dropped. Because the session is keyed on the source IP/MAC pair, deploy ATF only on segments where another host cannot simply adopt an authenticated user's addresses.
ATF General Settings 1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link ATF. 2 Enable this feature [a], set the authentication method [b], enable the status/connection indicator on the client's page [c], and enable logging of ATF traffic and set the timeout period [d]. Any changes require you to click the Save Changes button. Select the Traffic Statistics tab [e] to display the statistics.
Access Policies
Access Control Lists
The SPX controls access to Web, file and legacy application resources by enforcing restrictions defined by ACLs. When a user attempts to log into a virtual site, the SPX authenticates that user against the configured AAA server and retrieves all ACL and sourcenet attributes for any groups the user belongs to. The SPX enforces the ACL restrictions on web and file requests for that session, except for requests that match an external URL policy.
ACL Rules 1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link ACLs. The configuration window displays two tabs [a] and two subtabs. Any previously configured ACL Rules are listed in the sort-ready table [b]. Double-click a table entry to change the ACL in edit mode. To add a new ACL Rule, click the Add link [c]. 2 To add an ACL Rule, supply the ACL target (individual user account or group) [d], select the assigned user, set whether the rule is permit or deny and assign the priority [e]. Next, set the resource group to New or Existing [f] and name the resource group with a description [g] (select any existing resources from the pull-down menu). Finally, assign the resource a type of Network, Web or Fileshare [h].
ACL Resources
1 Click the subtab ACL Resources [a]. Displayed here are the configured resource destinations, listed by group or resource [b], in the sort-ready table [c]. To add a new group or resource, click the desired action link [d]. If adding a group, proceed to step 3 (next page). 2 Selecting the Add Resource link opens a configuration page for setting the resource type and entering a list of resource destinations. To assist with entering destinations, to the right of the Resource List there is a clickable list of example destinations [e]. Clicking an example adds it to the Resource List field, where you can modify the value as necessary (the Examples list changes depending on which Resource Type is selected). The Assign To Resource Group(s) table [f] also changes with the selected Resource Type; it shows all existing resource groups of that type. Once the resources are configured, select the desired action link [g] to continue.
3 This configuration page allows you to name and describe the resource group [a]. Next, select the resource type and enter a list of resource destinations [b]. To assist with entering destinations, to the right of the Resource List there is a clickable list of example destinations; clicking an example adds it to the Resource List field, where you can modify the value as necessary. The Examples list changes depending on which Resource Type is selected. Once the resource group is configured, select the desired action link [c] to continue.
Advanced Options 1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link Advanced Options [a]. The configuration window displays two tabs [b] (the default landing page is ACLs). Any previously configured ACLs are listed in the sort-ready table [c]. Double-click a table entry to change the ACL in edit mode. 2 You may search existing ACLs using the selector and filter fields [d] and [e]. To add an ACL, click the Add link [f] and go to step 3. 3 Define the list as applying to a single user or a group of users [g]. Create the new ACL by assigning it to an existing group, assigning its priority (the smaller the value, the higher the precedence), setting the type to PERMIT or DENY and assigning the list to a virtual site [h]. Define the scheme or protocol via the selector, and supply the host IP and resource path [i]. Complete by clicking the desired action link [j].
If the user's session has no ACLs that apply to a particular virtual site, the user is allowed unrestricted access to all Web, file and TCP application resources through that virtual site. If the user's session contains one or more ACLs applicable to a particular virtual site and scheme, the SPX denies access to any resource of that scheme that is not specifically permitted by an ACL. This default behavior can be adjusted by configuring an ACL for the appropriate scheme with a <host><path> of */ and the largest priority value (i.e. the lowest precedence): a PERMIT on that catch-all rule returns the scheme to default-allow once any other ACL for the scheme exists. Note that if any keyword or value in an ACL is not recognized (i.e. anything other than http, file, tcp or the other listed forms for the scheme, or a non-numeric value for the priority), the Security Manager rejects the ACL and rejects the login request. This is intended to prevent security breaches in the event that DENY ACLs are incorrectly formatted. The administrator should NOT configure conflicting ACLs with the same priority; assign different priorities to indicate which ACL takes precedence over another.
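The precedence and fail-closed rules in the paragraph above, modeled in Python as an added example for this page (illustrative code, not the SPX Security Manager). The one-line rule syntax, the glob matching on host, the prefix matching on paths ending in "/", the https scheme and the constructed session rules are all assumptions; what is taken from the page is that a scheme with no ACLs is unrestricted, a scheme with ACLs denies anything not explicitly permitted, lower priority values win, a catch-all */ rule with the largest priority changes the default, and any unrecognized scheme or non-numeric priority rejects the login.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List

# The page names http, file and tcp; https stands in for "the other listed forms".
KNOWN_SCHEMES = {"http", "https", "file", "tcp"}


class AclError(ValueError):
    """A malformed ACL: the login carrying it must be rejected (fail closed)."""


@dataclass(frozen=True)
class Acl:
    action: str     # "PERMIT" or "DENY"
    scheme: str
    host: str       # glob such as "*.example.com" or "*"
    path: str       # prefix match when it ends in "/", otherwise a glob
    priority: int   # smaller value = higher precedence


def parse_acl(text: str) -> Acl:
    """Parse 'PERMIT http://host/path 10'; any unrecognised piece raises AclError."""
    parts = text.split()
    if len(parts) != 3:
        raise AclError(f"expected 'ACTION scheme://host/path priority': {text!r}")
    action, target, priority = parts
    if action not in ("PERMIT", "DENY"):
        raise AclError(f"unknown action {action!r}")
    if not priority.isdigit():
        raise AclError(f"non-numeric priority {priority!r}")
    scheme, sep, rest = target.partition("://")
    if not sep or scheme not in KNOWN_SCHEMES:
        raise AclError(f"unknown scheme in {target!r}")
    host, _, path = rest.partition("/")
    return Acl(action, scheme, host, "/" + path, int(priority))


def load_session_acls(lines: Iterable[str]) -> List[Acl]:
    """Build the session's ACL set at login. Raises AclError on any bad rule or
    on two rules sharing a priority, in which case the login is refused."""
    acls = [parse_acl(line) for line in lines]
    seen = set()
    for acl in acls:
        if acl.priority in seen:
            raise AclError(f"conflicting ACLs with priority {acl.priority}")
        seen.add(acl.priority)
    return sorted(acls, key=lambda a: a.priority)


def _matches(acl: Acl, host: str, path: str) -> bool:
    if not fnmatchcase(host, acl.host):
        return False
    if acl.path.endswith("/"):
        return path.startswith(acl.path)
    return fnmatchcase(path, acl.path)


def decide(acls: List[Acl], scheme: str, host: str, path: str) -> str:
    """No ACL for the scheme means unrestricted; otherwise the highest-precedence
    matching rule wins, and anything not explicitly permitted is denied."""
    applicable = [a for a in acls if a.scheme == scheme]
    if not applicable:
        return "PERMIT"
    for acl in sorted(applicable, key=lambda a: a.priority):
        if _matches(acl, host, path):
            return acl.action
    return "DENY"


# Constructed example policy for one session.
SESSION_RULES = [
    "DENY   http://intranet.example.com/admin/ 5",
    "PERMIT http://intranet.example.com/ 10",
]

if __name__ == "__main__":
    acls = load_session_acls(SESSION_RULES)
    for req in (("http", "intranet.example.com", "/admin/users"),
                ("http", "intranet.example.com", "/docs/index.html"),
                ("http", "other.example.com", "/"),
                ("file", "fileserver", "/share")):
        print(req, "->", decide(acls, *req))
```

With these two rules, file-scheme requests remain unrestricted because no file ACL exists, while every http host other than the intranet is denied. Appending "PERMIT http://*/ 1000" is the catch-all described above: it is consulted last and turns the http scheme back into default-allow without disturbing the higher-precedence DENY on /admin/.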
General Settings 2 Enable the URL filtering feature [c]. Assign the default filtering policy as permit or deny [d]. Set the behavior mode for filtering as active or passive [e]. Enable or disable the filtering of %-encoded control characters in URLs [f] (control characters are those in the range %00 to %1F, and %7F).
Email Alerts 3 Configure the destination email address [g] for filter-related alerts and the threshold for the number of dropped requests before an alert is issued [h].
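The control-character check, default policy and dropped-request alert threshold from steps 2 and 3, modeled in Python as an added example for this page (illustrative code, not the appliance's filter). The %00-%1F and %7F range is the page's definition; the decode_rounds option, which re-checks the URL after one round of %-decoding so that a double-encoded %2500 is also caught, goes beyond the page and is an assumption, as is the alert message text.

```python
import re
from typing import List
from urllib.parse import unquote

# %00-%1F and %7F, as the page defines control characters; case-insensitive so
# that %0a and %0A are both caught.
_ENCODED_CONTROL = re.compile(r"%(?:[01][0-9a-f]|7f)", re.IGNORECASE)


class UrlFilter:
    """Decision model for the URL filter: control-character check, default
    policy, and a dropped-request counter feeding the e-mail alert threshold."""

    def __init__(self, default_policy: str = "permit", filter_control_chars: bool = True,
                 alert_threshold: int = 10, decode_rounds: int = 1) -> None:
        if default_policy not in ("permit", "deny"):
            raise ValueError("default policy must be permit or deny")
        self.default_policy = default_policy
        self.filter_control_chars = filter_control_chars
        self.alert_threshold = alert_threshold
        self.decode_rounds = decode_rounds  # assumption: extra decoding passes
        self.dropped = 0
        self.alerts: List[str] = []

    def has_encoded_control(self, url: str) -> bool:
        """True if a %-encoded control character appears in the URL as sent or
        after up to decode_rounds of %-decoding (so %2500 is caught as %00)."""
        current = url
        for _ in range(self.decode_rounds + 1):
            if _ENCODED_CONTROL.search(current):
                return True
            decoded = unquote(current)
            if decoded == current:
                break  # nothing left to decode
            current = decoded
        return False

    def check(self, url: str) -> str:
        """Return "permit" or "deny"; each drop counts toward the alert threshold."""
        if self.filter_control_chars and self.has_encoded_control(url):
            decision = "deny"
        else:
            decision = self.default_policy
        if decision == "deny":
            self.dropped += 1
            if self.dropped % self.alert_threshold == 0:
                self.alerts.append(f"{self.dropped} requests dropped; last: {url!r}")
        return decision


if __name__ == "__main__":
    f = UrlFilter(alert_threshold=2)
    for url in ("/index.html", "/search?q=a%0Ab", "/a%2500b", "/a%7fb"):
        print(url, "->", f.check(url))
    print(f.alerts)
```

A filter in passive mode would log the same decisions without dropping the request; this model only computes the decision, which is what both modes share.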
Admin Tools
Session Management
Active Sessions 1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link Session Management [a]. The configuration window displays two tabs (Active Sessions and User Lockout) [b]. If you wish to lock out a specific user, click the User Lockout tab and proceed to step 3. This page also lists all active sessions [c] in a sort-ready table. Use the session user search field [d] to quickly locate or investigate a current session by name [e]. To terminate a specific user's session, select the name from the table and click the action tab [f]; you may select multiple sessions for termination. Once more than one user is logged in, a second action link, Terminate All Sessions, becomes available.
User Lockout 3 This feature allows you to add one or more individuals to an active list of locked-out users. Any active sessions belonging to a locked-out user are terminated and no new sessions are allowed until the user is removed from the locked-out list. All locked-out users are listed in a sort-enabled table [g]. To add a user to this list, click the action link Add Lockout User [h]. The configuration window changes to present a text field for the user's name [i]. Complete by clicking the desired action link [j].
VIEW/ Startup Config: 2 By selecting the Startup Config sub tab the SPX will display the startup configuration data.
VIEW/ Saved File: 3 By selecting the Saved File sub tab the SPX will display all currently saved configuration files. Double click on a file name to view the details of the configuration file.
Change Password
1 Make certain you are in Config Mode and have selected Change Password from the sidebar [a]. The configuration window displays a list of all administrators established so far. To change an administrator's password, select the name from the list [c] and supply the new password in the text fields [b].
Interface Names: The specific interface names, being inside, outside, DMZ or ENG. The interface name may also be entered as a configurable alphanumeric string naming a specific VLAN or MNET network interface.
Interface IP: In dotted IP format.
Gateway IP: In dotted IP format.
VLAN Name: The specified name for a given VLAN.
VLAN Tag: A numeric value inserted in VLAN traffic. This may be any number between 0 and 4095 inclusive. Note that each tag number is exclusive per interface. It is recommended that the VLAN tag ID not be set to 1.
MNET Name: A unique name that will be used to identify the MNET interface.
Interface: Allows you to set interface IP addresses and netmask. If you plan to use VLAN or MNET functionality, select the appropriate mnet or vlan button. For VLAN ID purposes you will need to furnish an integer between 0 and 4095 as the VLAN tag. It is recommended that the VLAN tag ID not be set to 1.
DNS/WINS IP: In dotted IP format.
Network IP/netmask: The NAT IP address and netmask.
VIP: The IP address to use when translating incoming traffic from the NAT network. In dotted IP format.
NTP Server IP: If the network relies on an NTP server, its IP address will be needed. Make certain the server is available on the desired subnet.
Node ID: For networks deploying more than one SPX in a real cluster, an optional specific identifier is given to each SPX to accompany the host name. For a single SPX or basic setup, this is an optional parameter.
ARP: This operation allows you to create an ARP entry in the ArrayOS. The IP address and MAC address (XX:XX:XX:XX:XX:XX) are required. Once an ARP entry is resolved, it is valid for five (5) minutes. Great care should be taken when modifying the ARP table: a wrong static entry sends traffic for that IP to the wrong host.
Routing Interface
Port Speed: Set to 10half (10 Mbps Ethernet half duplex), 100half (100 Mbps Ethernet half duplex), 100full (100 Mbps full duplex), 1000full (1000 Mbps Ethernet full duplex) or auto.
MTU: Allows the user to set the maximum transmission unit size and bind this definition to the specified interface.
Default Route IP: Allows the user to set a gateway IP address in the configuration of the Array SPX. The gateway IP must be entered in dotted IP format.
Global Static Route: Used to modify the network routing table used by the Array SPX. Typically the destination parameter is the network IP address. If you will be using VLANs, you will also have to create a static route for the VLAN.
Name Resolution
Network Host: Allows the user to preset a DNS hostname and corresponding IP address in the Array's DNS. The Array SPX can only resolve DNS queries of 128 bytes or smaller.
DNS IP Addresses: The user may establish up to three Name Servers. Only one Name Server IP address, in standard dotted format, may be entered at a time. If a user attempts to enter a fourth Name Server, the Array appliance instructs the user to delete one of the previously entered Name Server addresses before accepting the new data.
DNS Search Path: Allows the administrator to set a search path used to resolve queries for non-qualified hostnames. Up to six domains may be configured.
DNS Cache: Enables or disables the DNS cache functionality of the SPX. Administrators may set how long DNS data is cached.
WINS Addresses: Allows the user to establish up to three (3) WINS servers. This feature is designed for customers with Windows-based environments where DNS is not or cannot be configured. NOTE: It is strongly recommended that the user reboot the client machine after upgrading, downgrading or uninstalling the Windows redirector feature of clientapp.
WINS Broadcast: Allows the user to define up to three (3) subnets for WINS broadcast resolution; ideally this will be the same as the subnet of the Inside interface, unless the network configuration allows cross-subnet broadcast packets.
WINS Cache: Allows the user to enable or disable caching of WINS resolutions.
WINS Cache Expire: Allows the user to configure the expiration time for items stored within the WINS cache. The time parameter is in minutes and can be from 1 to 525,600 (365 days).
Advanced Networking
What you need about your network: Network IP/Netmask: The NAT network IP address and netmask. In dotted IP format. VIP (virtual IP : The IP address to use when translating incoming traffic from the NAT network. In dotted IP format. The name on the certificate associated with an IP/port for SSL traffic. This host will specify the certificate/key pair and other SSL attributes used for decrypting traffic. This should be the FQDN if you are implementing the private key as
SSL Host:
187
2007-2011 Array Networks All Rights Reserved
WebUI Handbook
supplied by the SPX. Forward Service Name: The name given to the port forwarding setup, could be the user specified name of the VIP. Local IP/Port: This is the IP/Port address received by the SPX that will be forwarded to the remote location.
Clustering
The SPX Clustering Technology allows you to maintain high availability with local sites. Virtual clustering provides high availability to SSL VIPs for the outside interface and for redundant gateways via the inside interface.
Remote IP/Port: This is the destination IP/Port location for traffic forwarded by the SPX. What you need to know about your network: Interface Names: The specific interfaces being an inside or outside for virtual clustering. Virtual Cluster ID: The virtual cluster ID is a unique identifier between 1 and 255. Peer Name: Each SPX will require a unique ASCII string in framed in quotes. This may be the DNS name, but doesnt have to be. This name will only be used for the synchronization process. VIP_IP: A Virtual IP address may be any IP address on the Internet in IP dot format, excluding 0.0.0.0 and 255.255.255.255. Each virtual IP address entered must be unique. All IPs are valid barring reserved IP addresses such as loop back, multicast, and other commonly known specialized ranges.
NAT
NAT converts the addresses behind the SPX into one IP address for the Internet and vice versa. NAT also keeps individual IP addresses hidden from the outside world. To create the NAT, supply the addresses and netmask. The optional timeout length should be entered in seconds.
Port Forwarding
Port Forwarding allows the SPX to transparently forward traffic destined for one IP and port to another elsewhere on the network. All related network servers should point to the SPX for their gateway routes to take full advantage of port forwarding. Set the local IP/port to be forwarded and the remote IP/port (the destination IP) for either TCP or UDP packets. There is an optional parameter to set the timeout for the request (in seconds).
Webwall
The SPX allows you to create permit/deny rules to filter packets passing through the network infrastructure. The Webwall supports the filtering of TCP, UDP, GRE and ICMP packets. Access lists define these permit and deny rules, and the lists are applied to access groups. Once the ACLs are configured, administrators may apply or bind the group to an interface within the network.
The Webwall is a default-deny firewall. Default-deny means that if the access control lists contain no permit rules, no packets will be allowed to pass through the SPX. During the initial installation of the SPX, leave the Webwall off until the total configuration is complete. Note: by default the Webwall is turned off.
The steps in configuring the Webwall are to create access groups with access lists within those groups. It is suggested that you create separate groups for different uses, i.e. one group for administrators and support, a different group for service permission (such as those using ports 80, 443, etc.), then configure permit/deny rules (which allow access to the network or deny it) based on the protocol (ICMP, TCP, GRE or UDP), and then bind the rule to a destination IP address.
What you need to know about your network:
Interface Names: The specific interface being an inside, outside, DMZ or ENG interface. The interface name may also be entered as a configurable alphanumeric string for naming VLAN or MNET network interfaces.
Source IP: In dotted IP format.
Source Netmask: In dotted IP format.
Destination IP: In dotted IP format.
Destination Netmask: In dotted IP format.
Accesslist ID: The identification number (1-1000) assigned to this grouping of members. This value should match the value established for the access list member created with the access list command.
Access Control
To form an access group, assign an interface to an access list ID. Then, under the Access List Configuration section, set the permit/deny rules for the new group by configuring rules for a specific IP address and port numbers.
Preemption
Assign priority between the peers. The priority range is 1-255, where 255 has the highest priority. A priority assignment of zero (0) is used to bring a running cluster to an inactive state (the outside interface requires the priority to be zero before updating any of its attributes, excluding priority). For the inside interface(s), all attributes may be updated without altering the priority. Assign the advertisement interval time (1-60 seconds) before a peer is designated as down and the secondary SPX assumes the Master status (default is 5 seconds). Specify the authentication options for the cluster. The password may be up to 8 alphanumeric characters (8 bytes) long.
Priority
The priority can be from 1-255, where 255 is the highest. A priority assignment of zero (0) is used to bring a running VCID to an inactive state. This is done to change one or more attributes before bringing the VCID back into the cluster. The outside interface requires the VCID priority to be zero before updating any of its attributes (excluding priority). For the inside interface(s), all attributes may be updated without altering the priority.
Administrators Help
The SPX supports Administrator Roles for network management by grouping features and then assigning them to a specific administrator for configuration control access (config mode) or viewing access (enable mode). For example, an administrator may assign File Share configuration updates and management to one individual for a specific virtual site, which is a configure mode operation, while limiting this same individual from other configure mode operations such as Webwall. This is similar to file sharing insofar as groups are created, files are specified and permissions granted. Multiple administrators may be configured for global or virtual sites.
What you need to know about your network:
AAA Method: Depending on the AAA method selected for administrative authorization, you will need IPs, ports, etc. AAA methods include RADIUS, LDAP and Active Directory.
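As an added example (not Array Networks code), the following model shows how the Webwall's access lists, access groups and default-deny behaviour described above fit together: rules live in numbered access lists, an access group binds list IDs to an interface, and a packet that matches no permit rule is dropped. The constructed policy, first-match ordering and the sample addresses are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    protocol: str                   # "tcp", "udp", "gre" or "icmp" (the Webwall's four)
    src: IPv4Network
    dst: IPv4Network
    dst_port: Optional[int] = None  # None matches any port; ICMP and GRE carry none


@dataclass(frozen=True)
class Packet:
    interface: str                  # ingress interface the access group is bound to
    protocol: str
    src: IPv4Address
    dst: IPv4Address
    dst_port: Optional[int] = None


def make_packet(interface: str, protocol: str, src: str, dst: str,
                dst_port: Optional[int] = None) -> Packet:
    """Convenience constructor taking dotted-decimal strings."""
    return Packet(interface, protocol, IPv4Address(src), IPv4Address(dst), dst_port)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.protocol == pkt.protocol
            and pkt.src in rule.src
            and pkt.dst in rule.dst
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def webwall_decision(access_lists: Dict[int, List[Rule]],
                     access_groups: Dict[str, List[int]],
                     pkt: Packet, webwall_on: bool = True) -> str:
    """Return "permit" or "deny" for one packet.

    Webwall off (the shipped default): everything passes.  Webwall on: the
    lists bound to the ingress interface are walked in order and the first
    matching rule decides (first-match is an assumption of this model); a
    packet that matches nothing is denied, which is the default-deny
    behaviour the handbook describes.
    """
    if not webwall_on:
        return "permit"
    for list_id in access_groups.get(pkt.interface, []):
        for rule in access_lists.get(list_id, []):
            if rule_matches(rule, pkt):
                return rule.action
    return "deny"


def sample_policy() -> Tuple[Dict[int, List[Rule]], Dict[str, List[int]]]:
    """Constructed policy following the handbook's suggestion of separate groups:
    list 10 for a public service (HTTPS to the SSL VIP), list 20 for admin/support."""
    services = [
        Rule("permit", "tcp", ANY, IPv4Network("203.0.113.10/32"), 443),
    ]
    admin = [
        # an explicit deny for one workstation placed before the subnet permit
        Rule("deny", "tcp", IPv4Network("10.0.1.99/32"), ANY, 22),
        Rule("permit", "tcp", IPv4Network("10.0.1.0/24"), IPv4Network("10.0.0.0/24"), 22),
        Rule("permit", "icmp", IPv4Network("10.0.1.0/24"), IPv4Network("10.0.0.0/24")),
    ]
    access_lists = {10: services, 20: admin}
    access_groups = {"outside": [10], "inside": [20]}  # group = interface -> list IDs
    return access_lists, access_groups
```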
admin, appfilter, clientapp, network, fileshare, TCS, localdb, SSL, URL, VPN, portal, site, client and service. Administrators may enter all for the feature setting to enable the complete list for the specified Role Name.
Local Databases
Administrators use this feature to create a virtual LocalDB database. The name cannot include the characters space, single quotes (forward and backward), $, (, ), |, \, ;, <, >, ?, /, *, &, or +. The global administrator may allocate resources for the virtual databases (up to 128 databases). The maximum data limit is 8 MB for the SPX. Users may set various limits for various virtual sites as long as cumulative totals remain at or below the stated maximums.
Administrators may want to enforce a stringent set of password rules (Strong Password). When this feature is enabled, users are required to create a custom password that must be at least eight characters in length (maximum length is thirty-two characters), contain at least two classes of character (upper case, lower case, digit and non-alphanumeric) and a minimum number of unique characters (based on the overall password length).
Strong Password Requirements:
Length (in characters) No. of Classes Unique Characters
2 2 3 4
8 16 6 5
Here are examples of suitable passwords based on the previous table:
MNmSdstgdArh (12 characters, 2 classes, 8 unique)
AlMnMwqgQTEWPpohGbxaQLMehw (26 characters, 2 classes, 21 unique)
mN2A3me4t (9 characters, 3 classes, 8 unique)
Q%4h*wI9 (8 characters, 4 classes, 8 unique)
Admin Authentication
Within some organizations, where there may be many administrators, it may be important to ensure that the correct set of administrators have access to the corresponding set of functionality or destination sites. Administrators, like other users, need to be monitored and controlled. Before an administrator is granted access to the network, the user name and password, or token, is verified against RADIUS, LDAP or Active Directory. Individual method configuration is similar to the AAA methods discussed earlier. Define and rank the AAA method for administrator authentication. Rankings must be 1-3 with 1 being the highest ranking/preference. Configure the AAA host server for the configured method. If the selected method is LDAP, these configuration options are also available. Enable the feature. Default is off. This must be enabled for L3VPN operations.
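As an added example (not Array Networks code), this checker applies the Strong Password rules given under Local Databases above: 8 to 32 characters, at least two of the four character classes (upper case, lower case, digit, non-alphanumeric) and a length-dependent minimum of unique characters. The per-length unique-character thresholds in `assumed_min_unique` are a constructed stand-in for the handbook's table, not its real values, and can be swapped for any callable.

```python
from typing import Callable, List


def character_classes(pw: str) -> set:
    """Classes present in pw, using the handbook's four: upper case, lower case,
    digit and non-alphanumeric."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("nonalnum")
    return classes


def assumed_min_unique(length: int) -> int:
    """Constructed stand-in for the handbook's per-length table (not its real
    values): require 6 unique characters below 12 characters, 8 at 12 or more."""
    return 6 if length < 12 else 8


def check_strong_password(pw: str,
                          min_unique: Callable[[int], int] = assumed_min_unique) -> List[str]:
    """Return the rules the password breaks; an empty list means it is accepted."""
    problems = []
    n = len(pw)
    if n < 8:
        problems.append("shorter than 8 characters")
    if n > 32:
        problems.append("longer than 32 characters")
    if len(character_classes(pw)) < 2:
        problems.append("fewer than 2 character classes")
    unique = len(set(pw))           # distinct characters, case-sensitive
    if unique < min_unique(n):
        problems.append(f"only {unique} unique characters, {min_unique(n)} required")
    return problems


def is_strong(pw: str) -> bool:
    return not check_strong_password(pw)
```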
SecurID Import
Supply the configuration file's path (file or URL) so that the SPX may import the global SecurID configuration file and clean up the local state accordingly.
NFS Fileshare
Enables or disables the NFS file sharing protocol for the specified virtual site. The administrator may create a link to an NFS/Unix shared directory. Configure the link label, the remote host and path to specify the location of the shared directory. This feature adds the link to every virtual site. On systems deploying WINS, the hostname and the NetBIOS server name must be the same.
Access Control
WebUI Settings
Sets the IP address from which the SPX will accept Web User Interface commands. It is recommended that a management IP and port are used for configuring the WebUI address. The port must be greater than 1024. The default port is 8888.
XMLRPC Settings
This feature allows the user to enable the XMLRPC function, allowing administrators to access and configure the ArrayOS from remote locations. The default port is 9999.
System License
The system and software license can be changed and updated by entering the correct license code as supplied by Array Networks. It is recommended that users change or alter the current license only when so directed by a Customer Satisfaction specialist from Array Networks.
Update
You may update the entire ArrayOS package or just a specific component by supplying the URL destination where the file is located.
Config Management
Running Config/Startup Config
These selections allow administrators to see the entire running configuration (or simply the startup configuration) for the desired SPX. The configuration specifics are broken out by feature.
Nodes/Peers
Define each peer's unique name and IP address.
Tasks/Configuration Synchronization
Define which SPX will send configuration information and which SPX will receive configuration information. Enter the peer name of the sending SPX/peer. Manually synchronize one or all peers on the network and have the configuration written to memory on the receiving peer(s) with this command. To export this configuration to all recognized peers on the network, enter all for the peer name. The related IP settings that are not affected include system IP addresses, IP route, hostname, mnet, vlan, Webwall, accesslist, accessgroup and WebUI IP address. At the end of the synchronization, the running configuration for the newly synchronized node is written to the disk as the current configuration. This preserves the configuration across reboots.
Saved File
Allows the viewing of configuration specifics from a separate configuration file.
Backup/Load/Clear
Caution should be taken when clearing configurations from the SPX. Make certain that you only clear those configurations you wish to. These operations will clear entire configurations, not specific functions or configuration elements. If you have any questions about clearing a running or saved configuration, please contact Array Networks Customer Support. You may load and save files to and from SCP, TFTP and local file locations on your network.
Synchronization
The synchronization feature allows you to transfer configuration information among separate SPXs on the same network. Using configuration synchronization, you can also setup an Active-Standby configuration for failover support. The basic configuration must be completed before configuring the virtual clustering functionality.
Differences
This feature will highlight configuration differences between the SPX you are currently logged into and the peer you select from the table.
Email
Configure an alert email for reporting issues. Set the log ID, a message of importance, the recipient's email address, the interval between sending reports, and either a data report or a number-of-incidents report. For certain message-specific tasks, such as URL Filtering alerts, you may want to set up a specific email strategy for notification.
History
To display the last 50 events for a specific peer, you must be logged into the desired peer for this information.
Monitoring
The current logging mechanism used by the SPX is syslog compliant. See Appendix A for a complete list of Syslog Messages.
SNMP
SNMP, Simple Network Management Protocol, is a widely used network monitoring and control protocol. Data are passed from SNMP agents, which are hardware and/or software processes reporting activity in each network device, to the workstation console used to oversee the network. Up to three SNMP hosts may be configured. NOTE: SNMP traps must be enabled to view graphs on the Array Flight Deck. Enable the feature and define the community string. This string acts as a password to control or limit access from the NMS to the agent. The string for this command may be anywhere from 0 to 32 characters in length. The default string is public. Configure the SNMP contact and location names for each SPX. These strings may be up to 128 ASCII characters long.
Logging
Enable the feature and enable time stamp.
Syslog Servers
Set the log host IP, port and protocol (optional: UDP or TCP). The log host is the remote Syslog server receiving messages. Up to three servers may be configured (all messages will be sent to all servers). Also set the source port (514 is default).
Buffer
Set the log buffer to display the last 100 messages.
Traps
To enable individual traps, choose the desired trap: castop, coldstart, warmstart, linkdown, linkup, syslog, cpuoverheat, fanfail, sslfail, compressionfail, redundancy.
Change Password
To set or change enable level passwords. A password string may be up to 8 characters long. Setting the password to empty string is equivalent to having no password.
SNMP Server
Assign the SNMP server IP, port and community string.
Troubleshooting
Ping
This operation generates a network connectivity echo request directed toward the specified IP address. Results will be displayed in the given table.
Traceroute
This operation allows the user to trace the route that a packet, or the request for that packet, travels. When the user supplies the IP address in dotted format, the Array SPX will display the devices and network locations used to process the request for that IP address. Results will be displayed in the given table.
What you need to know about your network:
Type of Virtual Site: You may create an exclusive or shared virtual site (license required for shared sites). Default is exclusive.
SSL Host: The name on the certificate associated with an IP/port for SSL traffic. This host will specify the certificate/key pair and other SSL attributes used for decrypting traffic. This should be the FQDN if you are implementing the private key as supplied by the SPX.
Domain Names: All FQDNs for virtual sites.
VIP IP/Port: The virtual site address and port in dotted IP format. Default port is 443.
Virtual Site ID: An identifying name for the virtual site. This name will be used to refer to the virtual site in other CLI commands. Note: If the assigned name begins with a numeric character, then the string needs to be framed in double quotes. The name cannot include the characters space, single quotes (forward and backward), $, (, ), |, \, ;, <, >, ?, /, *, &, or +.
Local Database
Assign or create a virtual LocalDB database. The name cannot include the characters space, single quotes (forward and backward), $, (, ), |, \, ;, <, >, ?, /, *, &, or +. Assign users to the database (the number of users is product and license specific). The user name is case sensitive.
SSL Certificate
This operation allows you to input a certificate to ArrayOS from a TFTP server. The parameter that is required with every command is the host name, while the TFTP server IP is required only if certificates are being imported via TFTP. Once the user has received the certificate via email, the user simply needs to "cut and paste" the certificate supplied by the certification authority into the window provided, if the certificate is in PEM format. ArrayOS has the capability of importing certificate formats used by IIS 5, IIS 4, Netscape iPlanet and Apache web servers via TFTP. To import the certificate using TFTP, the optional parameter (TFTP server IP) should be specified and the certificate should be available for TFTP with the filename <hostname>.crt on the TFTP server. If the option default is entered, this certificate will become the default certificate.
CSR
To generate a Certificate Signing Request for the specified host. Administrators will have the option to make this key exportable and to protect this exportable key with an encryption password for future use. In addition, this operation generates a test certificate for the host. Once this information has been furnished, the SPX will supply the user with a data message that should be copied into an email message to be sent to a certifying body. WARNING: The test certificate generated by the ssl csr command should not be used for production systems, rather only for testing purposes.
SSL Key
This operation allows you to input a key to ArrayOS from a TFTP server. The parameter that is required with every command is the virtual host name, while the TFTP server IP is required only if keys are being imported via TFTP. Once the user has received the key via email, the user simply needs to "cut and paste" the key supplied by the certification authority into the CLI. ArrayOS has the capability of importing key formats used by IIS 5, IIS 4, Netscape iPlanet and Apache web servers via TFTP. To import the key using TFTP, the optional parameter (TFTP server IP) should be specified and the key should be available for TFTP with the filename <hostname>.key on the TFTP server. Note that this operation can also import unencrypted private keys in PEM format by TFTP, but this can be very insecure and should be avoided.
Certificates
Paste certificate and key data in the appropriate windows.
Site2Site
Site2Site SSL VPN connectivity is a more secure and flexible alternative to IPSec VPNs. This Site2Site solution gives administrators ease of deployment, no change in their internal networks and fine-grained access control at the application level. With the Site2Site solution, application access may be bi-directional, where either end can initiate the connection, with SSL tunneling on demand or always enabled as a configurable option. Resources (application, host, or network) to be published are configured on the SPX on the server-side network. The server-side SPX informs the client-side SPX of the resources to be published. The client-side SPX provisions an available IP address range for the published resource on the client-side network to prevent any network conflicts. The client-side SPX provisions a fully qualified domain name for the resources and resolves these names to provisioned IP addresses. Client machines on the remote network are not allowed access to the server-side network; all they see is a virtual application server at the provisioned IP address. By default, an SSL tunnel is established on demand: when the SPX receives traffic destined to a published resource, a secure tunnel is dynamically established. Site2Site provides an option to maintain a persistent connection. In this case, an SSL tunnel is established once SPX devices on both sites are up, and the tunnel remains open. The range of applications supported in both cases is the same.
Steps
[1] Assign the name ID (up to 20 alphanumeric characters) to the SPX, framing the ID in double quotation marks. Each site2site location (SPX) within this configuration requires a unique site ID.
[2] Assign resources to be shared among the sites. Administrators may define shared site2site resources: host names that need to be resolved by the network's DNS, an entire subnet of the network, or a specific service with a defined UDP, ICMP or TCP protocol. For multiple resources on the same internal network, administrators may group these resources.
[3] Establish the peer (or peers) to share the configured resources with. All peer names must match the name ID within the remote SPXs within the site2site configuration. Supply the peer's IP and port to connect to, as well as whether the tunnel connection is always active (alwayson) or opened on demand (ondemand) for a specific time period (1-1440 minutes, default of 5).
[4] Set those resources to be exported to each peer site location by supplying the local resource (as set with the resource host command(s) above), the remote peer's site ID and whether the mapped connection is transparent or NATted for the end user accessing the exported resource.
[5] Configure IP ranges for imported resources and clients (users) for site2site to map connection requests and service responses. These dedicated ranges will be used to avoid IP conflicts when sharing resources.
[6] Set the mapping directives for the clients and servers with respect to the configured ranges from above.
[6.5] To require the remote clients to log in in order to be successfully connected to the site2site resources, administrators will need to have AAA enabled. Within the context of site2site, the exporting location responds as a backend server with respect to the client, insofar as the client's user name and password (RADIUS, LDAP or LocalDB) will be used as authentication to gain access to the remote resources, just as if they were logging in to the local network.
[7] Set the timeout threshold for closing the site2site connection in seconds (default is 300 seconds (5 minutes)). Administrators may choose to add additional access rules to the Site2Site configuration for tighter control over the sharing of resources between peers.
[8] Define the rule to be applied and assign the rule to the specific resources and to the specific clients.
[9] Now assign the IP rule with the desired protocol (TCP, UDP or ICMP), priority (the lower the value, the higher the priority), the executed action of the rule (permit, deny or drop), the destination and source rules for association and an optional alert log message for when a rule match occurs.
[10] Create policy groups as needed and apply the configured rule to the desired peers.
AAA
The SPX supports authentication with external LDAP, RADIUS, Microsoft Active Directory, and RSA SecurID servers. The SPX also provides a local authentication/authorization database (LocalDB) for small to medium-sized installations. Once a virtual site is created, AAA is enabled by default. You do have the option of disabling AAA on a per-virtual-site basis. If AAA is disabled, users will not be required to log in, but will instead be redirected to the portal page where the user connects to the virtual site when Web Resource Mapping is enabled. AAA methods, servers, and settings are configured on a per-virtual-site basis. In most cases it is only necessary to configure one AAA method for each virtual site. However, the SPX allows you to configure multiple AAA methods for a single virtual site. This provides added flexibility in cases where different users are authenticated with different AAA systems (for example, a small subset of users might have LocalDB accounts while records for other users are stored on an LDAP server). AAA methods must be ranked in order of decreasing precedence; the method with rank 1 has the highest precedence, and a maximum of 4 methods may be ranked. The SPX will attempt to authenticate each user login with each ranked method in turn, until authentication is successful or all methods have been exhausted. This is transparent to the end user. Note that if SecurID is configured as an AAA method it must have rank 1, since the token codes used by SecurID are time-sensitive.
Use two fields for SecurID credentials
The login page will display a two-field interface for SecurID users.
Use default local group as fallback for LocalDB Authorization
When this feature is enabled and LocalDB is used as an authorization method, the SPX will fall back to the default group (if one is configured) when it does not find an account to pull authorization data from.
AAA Methods
RADIUS
This setting allows the user to establish RADIUS as the authentication method for the specified virtual site. Rank the AAA methods for the virtual site in order of decreasing preference. Rankings must be 1-4 with 1 being the highest ranking/preference. If users do not deploy the authorization method, the SPX will use the same RADIUS server for authorization as well as for authentication.
Active Directory
This setting allows the user to establish AD (Active Directory) as the authentication method for the specified virtual site. Rank the AAA methods for the virtual site in order of decreasing preference. Rankings must be 1-4 with 1 being the highest ranking/preference. If no authorization method is selected, the SPX will not use any form of authorization, whereas employing LocalDB or LDAP will instruct the SPX to seek authorization from the specified second server.
LDAP
This setting allows the user to establish LDAP as the authentication method for the specified virtual site. Rank the AAA methods for the virtual site in order of decreasing preference. Rankings must be 1-4 with 1 being the highest ranking/preference. If no authorization method is selected, the SPX will use the same LDAP server for authorization as well as for authentication, whereas employing LocalDB, LDAP or RADIUS will instruct the SPX to seek authorization from the specified second server.
SecurID
This setting allows the user to establish SecurID as the authentication method for the specified virtual site. If no authorization method is selected, no authorization will be performed. If localdb or ldap is specified, the selected mechanism will be used for authorization.
SecurID LDAP
This setting allows the user to establish SecurID, with the LDAP password also presented, as the authentication method for the specified virtual site. If no authorization method is selected, no authorization will be performed. If localdb or ldap is specified, the selected mechanism will be used for authorization. LDAP and SecurID user names and passwords need to be exactly the same.
LocalDB
This setting allows the user to establish LocalDB as the authentication method for the specified virtual site. Rank the AAA methods for the virtual site in order of decreasing preference. Rankings must be 1-4 with 1 being the highest ranking/preference. If users do not deploy the authorization method, the SPX will use LocalDB for authorization as well as for authentication.
Certificate Anonymous
This setting instructs the SPX to authenticate users by validating their client certificates against an AAA database. The user is not required to log in with a username and password. The selected method must be the first ranked method for authorization.
Certificate Challenge
This setting allows administrators to deploy a two-factor authentication scheme for an additional layer of security. The SPX will authenticate users by validating both their client certificates and login passwords against an AAA database. The selected method must be the first ranked method for authorization.
Authorize Only
This setting allows the administrator to use an AAA method that will skip authentication and apply the authorization policies defined for the default LocalDB group to all users. No login page will be presented to the end user, and all sessions will be anonymous. This method must be the only ranked method configured. Session reuse must be disabled when this method is configured.
LDAP
To configure the SPX for LDAP, enter the IP address of the LDAP server (if applicable) with the port, base (LDAP server parameter), user name and password. Administrators may configure up to three LDAP servers per virtual site for redundancy. The exact mechanism for authenticating users varies among LDAP server implementations. Most standard LDAP servers, including iPlanet and OpenLDAP, return the user's password as a cryptographic one-way hash when this attribute is requested. (Note: Certain LDAP servers, e.g. iPlanet, will not return the user's password attribute when queried anonymously. The user name and password in LDAP may be empty strings if anonymous bind is permitted.) Some proprietary LDAP implementations, including DNS, do not publish this password hash information. For these servers, the SPX must identify the user's Distinguished Name (DN) before the user can be authenticated. The SPX provides the administrator with a choice of two different ways to construct the user's DN. If all users are direct descendants of a single node in the LDAP directory tree (i.e. if users' DNs are identical except for the username portions), the DN can be statically constructed by concatenating the strings <dn_prefix> <USER_NAME> <dn_suffix>, where <USER_NAME> is the username used to log into the SPX. For example, if the DNs are cn=joe, ou=Eng, o=example.com and cn=john, ou=Eng, o=example.com, then the administrator should configure <dn_prefix>=cn= and <dn_suffix>=, ou=Eng, o=example.com.
Authorization Servers
The SPX allows you to define policies for restricting any user's access to internal network resources. For example, these policies may restrict the internal URLs that users can browse, the internal IP addresses and ports they can connect to, and the client IP addresses they can log in from.
RADIUS
The SPX is compatible with common RADIUS servers such as Microsoft RADIUS Server and Cistron. Enter the RADIUS server's IP address, port (default is set to 1812), number of retries, timeout period (default is 5 seconds) as well as the shared secret. The secret string must match the shared secret configured on the RADIUS server for the SPX's IP address as seen by the RADIUS server. Up to three RADIUS servers may be configured for redundancy. If the SPX fails to receive a response from a server after exhausting the configured number of retries, it will attempt to authenticate with the next configured RADIUS server. If the SPX fails to authenticate with the server(s), it will select the next method of AAA when configured. This is transparent to the end user. It is the responsibility of the administrator to ensure that user accounts and attributes are synchronized across multiple redundant servers.
LDAP
To configure an SPX for LDAP authorization, enter the IP address of the LDAP server (if applicable) with the port, base (LDAP server parameter), user name and password. The LDAP search filter can be configured to retrieve authorization records only. The <filter> argument is a single string, e.g. "cn=<USER>" where <USER> matches the login username. By default, a filter of "uid=<USER>" will be used. Please note that "<USER>" is the only token allowed in the filter and must occur at least once in the filter.
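As an added example (not Array Networks code), this shows the two substitutions the LDAP sections above describe: the static DN built from <dn_prefix> <USER_NAME> <dn_suffix>, and the authorization search filter with every <USER> token replaced by the login name. The escaping of the user-supplied name (RFC 4514 rules for DN values, RFC 4515 rules for filter values) is an added hardening step that the handbook does not mention; the function names and the sample names are this example's own.

```python
DN_SPECIAL = set(',+"\\<>;')  # RFC 4514 characters that must be escaped inside a DN value


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514 section 2.4):
    special characters, a leading '#' or space, and a trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(dn_prefix: str, user_name: str, dn_suffix: str) -> str:
    """Static DN construction from the handbook: <dn_prefix> <USER_NAME> <dn_suffix>,
    with the login name escaped so it cannot add or alter DN components."""
    return dn_prefix + escape_dn_value(user_name) + dn_suffix


# RFC 4515 section 3: characters that must be hex-escaped inside a filter value
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


DEFAULT_FILTER = "uid=<USER>"   # the handbook's default authorization filter


def filter_template_ok(filter_template: str) -> bool:
    """The handbook requires the <USER> token to occur at least once."""
    return "<USER>" in filter_template


def build_auth_filter(filter_template: str, user_name: str) -> str:
    """Substitute the escaped login name for every <USER> token."""
    if not filter_template_ok(filter_template):
        raise ValueError("the filter must contain <USER> at least once")
    return filter_template.replace("<USER>", escape_filter_value(user_name))
```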
RADIUS
Configuring the SPX for separate RADIUS authorization is very similar to configuring the SPX for RADIUS authentication. Input the necessary IP address and port, as well as the RADIUS secret string, timeout period and the number of retries that are to be performed.
Accounting
This feature enables or disables the RADIUS account functionality. With this feature enabled, an authenticated session will begin once the RADIUS server confirms reception of the START record.
Portal Themes
The SPX provides portal pages that allow your users to access protected content easily and securely. After users authenticate using the SPX login page, they are presented with a welcome page that serves as a "jumping off" point for accessing all of the internal content available through the SPX. The appearance of the portal page can be customized in several ways. Each virtual site may have its own independent portal page. The SPX also allows custom portal page themes to be imported and served directly from the SPX itself.
The Portal Theme feature presents a method for web developers to include dynamic SPX data in a static HTML page. By including special tags in the developed webpage content, the developer is able to instruct the SPX to replace those tags with various dynamic contents. By using these tags, customers may now design their own custom portal pages while still taking advantage of SPX security capabilities. The developer of the HTML content for the custom portal pages inserts tags, such as Web Links or L3VPN Client, and when the SPX encounters these tags it replaces them with the actual referenced content. Where previously the SPX only supported custom login, logout and error portal pages, Portal Themes allows the customer the flexibility to completely customize their portal pages. (Note: The SPX imports HTML pages and supports dynamic tags. The actual HTML coding and deployment of these tags is to be completed separately from the SPX configuration.)
The portal theme creation process has little to do with the SPX itself. The custom HTML page(s) need to be created. Once each HTML page has been created, it will need to be imported to the SPX. Once these HTML files have been imported they will be preserved across reboots and protected/copied during system upgrades. Since the SPX is not a full web server there are certain limitations, including:
Foreign Language Support: The SPX supports a fixed set of languages: English, Chinese, Japanese, and Korean. Non-English languages are encoded using a variety of character sets, e.g. UTF-8 and ShiftJIS. If the portal language is set to one of these languages and encodings, the imported content must also be of that same encoding. The HTTP response for non-binary portal theme pages will carry the Content-Language and Content-Type headers; these character set values are automatically inserted. If the actual portal theme page content is of a different encoding the browser may not display the page properly.
HTML: For parsing the custom portal content to find all embedded objects, the SPX requires that all code conform strictly to the standard W3C syntax.
JavaScript: Any JavaScript included on or in the custom portal pages must not dynamically generate additional embedded content. Dynamically generated links may be allowed because they will be handled by the JavaScript rewrite feature of the SPX.
HTML Components (HTC): The SPX requires that HTC files not generate or contain embedded content themselves.
Flash/ActiveX/Java Applets: This category of embedded content is allowed as long as they do not contain internal references to additional files. Flash files must not reference additional Flash resources, ActiveX objects must not download additional objects and Java Applets must contain all required class files inside the JAR/CAB archive. In the event that an ActiveX object or Java Applet needs to make connections to internal servers, the relevant hostnames and URLs must be stored using PARAM tags. See the rewrite param command in the CLI Handbook for configuration use to properly rewrite these values and allow the object to work through the SPX.
The following is a list of SPX-specific tags to be used within the HTML code for the custom portal page, together with the corresponding feature and/or CLI command on the SPX that needs to be configured to support the custom page. When a tag supports attributes, those values are placed inside the tag brackets. For example, the tag <_AN_web_links cols=2> is included in the HTML code to present the configured web links in two columns; additionally, on the SPX, the CLI command portal link <URL> <link_text> <position> is used for each link to be listed on the custom page. The illustration shows three web links added to the custom page as called for by the web link tag: (1) represents the tag location before SPX configuration and (2) shows the populated links.

[Illustration: custom portal page before (1) and after (2) expansion of the web link tag]

Supported HTML Tags and Related SPX Configuration Requirements

<_AN_browse>
The browse input/button from the default portal page, used for browsing to an arbitrary URL through the SPX.
Attributes: class=class: Specify a style sheet class for the button/input text.

<_AN_web_links>
The ACL-filtered list of configured portal links.
Attributes (all optional and may be omitted):
    rows=# or cols=#: How many rows or columns to organize the links into. Only one can be specified. The default portal page is equivalent to cols=2.
    class=class: Specify a style sheet class for the links.
    bullet=url: Specify an image to use as a bullet icon.
    denied=text: Specify text to be used if no links are configured or permitted.
Related SPX configuration: portal link <URL> <link_text> <position> for each link.

<_AN_fileshare_links>
Presents a list of the shared files.
Attributes (all optional): rows=# or cols=#, class=class, bullet=url and denied=text, with the same meanings as for <_AN_web_links>. The default portal page is equivalent to cols=2.

<_AN_clientapp_list>
The ACL-filtered list of configured clientapp services.
Attributes (all optional): rows=# or cols=#, class=class, bullet=url and denied=text, as for <_AN_web_links>.

<_AN_winredir_list>
The ACL-filtered list of configured clientapp winredir ip/exe entries.
Attributes (all optional): rows=# or cols=#, class=class, bullet=url and denied=text, as for <_AN_web_links>.

<_AN_tcs_links>
The ACL-filtered list of configured TCS modules.
Attributes (all optional): rows=# or cols=#: How many rows or columns to organize the links into. Only one can be specified. The default portal page is equivalent to cols=2.

<_AN_fileshare_content>
The relevant fileshare content will be inserted. This tag is only valid for the page configured using the keyword fileshare.
Attributes: There are no options for this tag.
Related SPX feature: The fileshare feature needs to be enabled.

<_AN_autolaunch>
The HTML and JavaScript needed to initiate the Autolaunch for L3VPN or Clientapp.
Related SPX feature: The desired Autolaunch needs to be enabled.

<_AN_clientapp_object>
Displays the relevant Clientapp object (ActiveX or Java Applet).
Related SPX feature: The clientapp feature must be enabled.

<_AN_l3vpn_activex>
The L3VPN ActiveX object.
Related SPX feature: The VPN feature must be enabled.

<_AN_tcs_module>
Embeds a TCS module.
Attributes: The name attribute is required for this tag. name=name: Specify the specific TCS module to insert.
Related SPX feature: The TCS feature must be enabled.

<_AN_title>
Inserts a context-sensitive title for some pages. Only valid for the pages labeled info, login, tcs_page and autolaunch.

<_AN_heading>
Inserts a context-sensitive header for some pages. Only valid for the pages labeled info, tcs_page and autolaunch.

<_AN_message>
Inserts a context-sensitive message for some pages. Only valid for the pages labeled info, login and autolaunch.

In addition, the following JavaScript tags are supported in the same manner as the HTML tags described above:

<_AN_web_links_var>
An array of ACL-filtered web link objects containing the text and URL for each link.

<_AN_fileshare_links_var>
An array of ACL-filtered fileshare link objects containing the text and URL for each link.

<_AN_tcs_links_var>
An array of ACL-filtered TCS link objects containing the text and URL for each link.

<_AN_clientapp_list_var>
An array of ACL-filtered clientapp services.

<_AN_winredir_list_var>
An array of ACL-filtered clientapp winredir ip/exe entries.

<_AN_clientapp_launch_script>
The required JavaScript functions for clientapp operations.
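As an added illustration, not the SPX's own implementation, the following Python models how a custom portal page's <_AN_web_links> tag is expanded: the attributes are read from inside the tag brackets, the ACL-filtered links are laid out in the requested rows or cols (default cols=2), and every configured string is HTML-escaped so that a link description cannot inject markup into the portal page. The sample links, the permitted() callback standing in for the ACL check, and ordering by a position field are constructed assumptions.

```python
import html
import re

# Constructed sample of configured portal links, as "portal link <URL> <link_text> <position>"
# would define them; not real SPX data. position gives the ascending display order.
PORTAL_LINKS = [
    {"href": "https://hr.example.test/", "description": "HR portal", "position": 30},
    {"href": "https://intranet.example.test/", "description": "Intranet home", "position": 10},
    {"href": "https://mail.example.test/owa/", "description": "Webmail <OWA>", "position": 20},
]

# The SPX tag with whatever sits inside its brackets, e.g. <_AN_web_links cols=2 class="nav">
TAG_RE = re.compile(r"<_AN_web_links\b([^>]*)>")
# name=value attributes, bare (cols=2) or quoted (bullet="dot.gif"), as the handbook writes them
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')


def parse_attrs(attr_text):
    """Return the tag's attributes as a dict; rows and cols are mutually exclusive."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    if "rows" in attrs and "cols" in attrs:
        raise ValueError("only one of rows= or cols= may be specified")
    return attrs


def render_web_links(links, attrs):
    """Render the table the tag expands to. Every configured value is HTML-escaped, so a
    link description or URL containing markup cannot inject script into the portal page."""
    if not links:
        return html.escape(attrs.get("denied", "No links available."))
    ordered = sorted(links, key=lambda link: link["position"])
    if "rows" in attrs:
        rows = max(1, int(attrs["rows"]))
        cols = -(-len(ordered) // rows)             # ceiling division: links per row
    else:
        cols = max(1, int(attrs.get("cols", "2")))  # default portal page is cols=2
    cls = f' class="{html.escape(attrs["class"], quote=True)}"' if "class" in attrs else ""
    bullet = ""
    if "bullet" in attrs:
        bullet = f'<img src="{html.escape(attrs["bullet"], quote=True)}" alt=""> '
    cells = [
        f'<td>{bullet}<a{cls} href="{html.escape(link["href"], quote=True)}">'
        f'{html.escape(link["description"])}</a></td>'
        for link in ordered
    ]
    trs = ["<tr>" + "".join(cells[i:i + cols]) + "</tr>" for i in range(0, len(cells), cols)]
    return "<table>" + "".join(trs) + "</table>"


def expand_web_links(page, links, permitted=lambda link: True):
    """Replace each <_AN_web_links ...> tag in a custom page with the ACL-filtered link list.
    permitted() stands in for the per-user ACL check (an assumed interface)."""
    visible = [link for link in links if permitted(link)]
    return TAG_RE.sub(lambda m: render_web_links(visible, parse_attrs(m.group(1))), page)


if __name__ == "__main__":
    # Constructed fragment of a custom portal page containing the tag
    sample_page = '<div id="links"><_AN_web_links cols=2 class="nav" bullet="dot.gif"></div>'
    print(expand_web_links(sample_page, PORTAL_LINKS))
```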
document.write(AN_tcs_module_list["pubapp"].embedStr); will embed the TCS module named "pubapp" in the page.

AN_weblinks_list
JavaScript array containing all the configured web links. Each entry has two fields:
    href: the URL of the link
    description: the description of the link

AN_fileshare_links_list
JavaScript array containing all the configured fileshare links. Each entry has two fields:
    href: the URL of the fileshare page
    description: the description of the fileshare
<keyword> <object name>/<filename> <file_type>

These fields correspond to the fields in the portal theme object command (discussed in the Configuration section below). The directory layout for the files must correspond to this listing, i.e. there must be a subdirectory named <object name> containing <filename> and all associated resources. All filenames and path names must be standard ASCII characters; multi-byte characters are not supported. Make sure the links point to the appropriate directories.

Keywords and the portal pages they replace:
    autolaunch      The page for auto launching the Application Manager and L3VPN.
    choose_site     The root page for shared virtual sites.
    clientapp       The Application Manager template page.
    fileshare       The template page for fileshare operation pages.
    fshare_auth     The user credential page for authenticating to fileservers.
    info            The template page for information and error pages.
    hostcheck       A default page for Host Integrity check failures.
    antivirus       Host Check antivirus rule failure page.
    personalfw      Host Check personal firewall rule failure page.
    servicepack     Host Check service pack rule failure page.
    customrule      Host Check custom rule failure page.
    login           The login page.
    logout          The logout page.
    (keyword not legible in this copy)   The page for SecurID new pin selection.
    (keyword not legible in this copy)   The page for SecurID next token mode.
    passchange      The page for changing a user's LocalDB password.
    tcs_page        The Thin Client template page.
    welcome         The welcome portal page.
    custom          An arbitrary resource not associated with any default portal page.

The valid file types for the <file_type> parameter are: html, css, js, htc, xml, text and binary. Each <theme name> and <object name> may be at most 20 characters long and may contain only the ASCII characters a-z, A-Z, 0-9, ., - and _. All other characters are restricted. Any portal page not assigned a custom object will remain the default page.

Q: I want to dynamically load a resource (for example, an image file) through JavaScript, but when I import the object, the external resource is not being imported by the SPX.
A: The SPX will only import statically defined resources. You can work around this in one of two ways:
1. Create a theme zip package and put all necessary resources into the appropriate directory.
2. Define a hidden element in your HTML file containing the external resources you need. For example,
    <div style="display:none;"> <img src="up.gif"> <img src="down.gif"> </div>
   may be used to force the SPX to import the files "up.gif" and "down.gif".
Q: Why is the custom bullet icon I specified for an SPX-generated table not showing up?
A: If you specify a tag with a custom icon, add an invisible div to force the SPX to import the image file:
    <_AN_web_links bullet="image.gif">
    <div style="display:none;"> <img src="image.gif"> </div>

Q: How do I apply a CSS style to an HTML DOM element generated by the SPX if it doesn't have a unique class or id?
A: You can enclose the SPX tag (such as <_AN_web_links>) inside a div with a unique id, and then apply the CSS style to the HTML element by referencing the unique id. For example:
    <html>
    <head>
    <style type="text/css">
    #invisible_links table { display:none; }
    </style>
    </head>
    <body>
    <div id="invisible_links">
    <_AN_web_links cols="2">
    </div>
    <hr>
    </body>
    </html>
This will apply the specified style (which makes the table invisible) to the table generated by the <_AN_web_links> tag.

Q: How do I include the configured portal logo in my custom page?
A: <img src="http://localhost/images/lock_logo.gif">

Q: Why doesn't the <_AN_autolaunch> tag work as expected on the autolaunch page?
A: You need to explicitly call the JavaScript function start_everything_up() to start the client. For the autolaunch page, the following code works:
    <body onload="start_everything_up();">
Q: Why does the <_AN_l3vpn_activex> tag immediately launch the L3VPN client without waiting for the user to start it manually?
A: The tag embeds the ActiveX control directly into the page. If you do not want it to start automatically, you may use JavaScript to delay loading it until the user performs some action.

Q: Why does the "Open links in new window" option not take effect with the <_AN_web_links> tag?
A: That option is only valid for the default web links in the non-customized page. If you wish to have that option take effect for portal theme pages, query the AN_links_open_in_new_windows variable and then use the AN_weblinks_list array provided in arrayinclude.js to access the links with JavaScript and build the links manually.

Q: How do I make the choose_site page work?
A: Your form must submit the "site_id" option to "/choose_site". The following form is an example:
    <form action="/choose_site" method="POST">
    <table cellspacing=10>
    <tr>
    <td align="right" class="usermessage">Virtual Site Name:</td>
    <td> <input type="text" name="site_id" size="20" maxlength="40"> </td>
    <td> <input class="usermessage" name="option" type=submit value="Go"> </td>
    </tr>
    </table>
    </form>

Q: How do I make the <_AN_clientapp_object> work the same as on the default Array VPN Portal?
A: The following code is required:
    <body onload="object_init(); self.blur();" onbeforeunload="return do_ms_alert();" onunload="do_cleanup();">

Q: How do I make the fshare_auth page work?
A: You must manually include the following JavaScript function in your page:
    function AN_inserturlvalue(formid) {
        var myform = document.getElementById(formid);
        if (myform == null) return;
        // the backend file server URL arrives as ?url=http... on the query string
        var result = location.search.match(/^\?url=(http.+)$/);
        if (result == null) return;
        // pass it back to the SPX as a hidden form field named backend_info
        var myinput = document.createElement('input');
        myinput.setAttribute('type', 'hidden');
        myinput.setAttribute('name', 'backend_info');
        myinput.setAttribute('value', unescape(result[1]));
        myform.appendChild(myinput);
    }
You must then call this function and pass it the HTML DOM element id of the authorization form on the page. For example, if the login form is:
    <form id="authform" method="post" action="http://localhost/fshare_auth">
    <table>
    <tr> <td>Username:</td> <td><input type="text" name="uname"></td> </tr>
    <tr> <td>Password:</td> <td><input type="password" name="pwd"></td> </tr>
    <tr> <td>Workgroup/Domain:</td> <td><input type="text" name="domain"></td> </tr>
    <tr> <td> <input type="submit" name="option" value="Sign In"> <input type="submit" name="option" value="Cancel"> </td> </tr>
    </table>
    </form>
then the relevant id is 'authform', and you have to call AN_inserturlvalue('authform'). You must call this function only after the page has fully loaded. The easiest way to do that is to call it from the onload handler of the body tag. Here is a full example:
    <html>
    <head>
    <script>
    function AN_inserturlvalue(formid) {
        var myform = document.getElementById(formid);
        if (myform == null) return;
        var result = location.search.match(/^\?url=(http.+)$/);
        if (result == null) return;
        var myinput = document.createElement('input');
        myinput.setAttribute('type', 'hidden');
        myinput.setAttribute('name', 'backend_info');
        myinput.setAttribute('value', unescape(result[1]));
        myform.appendChild(myinput);
    }
    </script>
    </head>
    <body onload="AN_inserturlvalue('authform');">
    <form id="authform" method="post" action="http://localhost/fshare_auth">
    <table>
    <tr> <td>Username:</td> <td><input type="text" name="uname"></td> </tr>
    <tr> <td>Password:</td> <td><input type="password" name="pwd"></td> </tr>
    <tr> <td>Workgroup/Domain:</td> <td><input type="text" name="domain"></td> </tr>
    <tr> <td> <input type="submit" name="option" value="Sign In"> <input type="submit" name="option" value="Cancel"> </td> </tr>
    </table>
    </form>
    </body>
    </html>

Q: Why do I sometimes see an unexpected host check page (for example, the antivirus page when a customrule page was expected)?
A: The Symantec On-Demand agent may sometimes redirect the browser to a failure page that does not exactly correspond to the actual rule that failed. As long as you have configured each of the host check pages (hostcheck, antivirus, personalfw, servicepack, customrule), one of them is guaranteed to trigger on host check failure.

Q: Why do I sometimes see "Permission denied" errors for custom pages when I import a theme in SPX 8.0?
A: Make sure that the file permissions in the theme zip file allow the file to be world-readable. If you are on a Unix system, run chmod -R a+r * in the topmost theme files directory before creating the zip file.

Q: How can I include the appropriate Thin Client on the custom tcs_page?
A: You will need to parse the URL value in order to get the TCS module name and then include it in the page. In the <head> section of your HTML file, do the following:
    <script src="/prx/000/http/localhost/arrayinclude.js"></script>
    <script>
    function AN_insertTCS() {
        // the module name arrives as ?module=<name> on the query string
        var result = location.search.match(/^\?module=(.+)$/);
        if (result == null) return;
        // only embed modules that are actually configured; an unknown name has no embedStr
        if (!AN_tcs_module_list.hasOwnProperty(result[1])) return;
        document.write(AN_tcs_module_list[result[1]].embedStr);
    }
    </script>
Then call the function AN_insertTCS() where you want the thin client module to be placed. Here is a complete example:
    <html>
    <head>
    <script src="/prx/000/http/localhost/arrayinclude.js"></script>
    <script>
    function AN_insertTCS() {
        var result = location.search.match(/^\?module=(.+)$/);
        if (result == null) return;
        if (!AN_tcs_module_list.hasOwnProperty(result[1])) return;
        document.write(AN_tcs_module_list[result[1]].embedStr);
    }
    </script>
    </head>
    <body>
    <script> AN_insertTCS(); </script>
    </body>
    </html>

Q: I imported arrayinclude.js, but it's not working. What do I do?
A: If <script src="http://localhost/arrayinclude.js"></script> isn't working, try
Security Settings
Session Limit per User
This operation allows site administrators to limit the number of concurrent sessions per unique login username, if the global administrator has disabled session reuse for the site.

Idle Session Timeout
This operation allows administrators to set the time that may pass before the SPX terminates an idle connection. The default is 36,000 seconds.

Maximum Session Lifetime
The session lifetime is the cumulative time that a session is allowed to stay open. The default is 86,400 seconds (24 hours).

Enable Twostage Security
Enable or disable fallback to the default location when host integrity fails on the primary location.

Expiration Timer
This operation allows the user to set the expiration timer for Persistent Desktop.

Enable Background Color
This operation allows the user to enable customization of the background color. Color selection is made through the virtual desktop WebUI.

Background Image
This operation allows the user to import a custom background image for Virtual Desktop. Only the .BMP image format is supported.

Access Levels and Locations
Configure client locations and security level (none, low, medium or high). An Access Level of none restricts all access of the remote user. An Access Level of low allows the remote user to access the web locations (WRM) as configured. An Access Level of medium permits remote users to access web locations (WRM), file sharing privileges, TCP Applications based on the administrator's existing configuration, and Thin Client Support (TCS). The Access Level of high allows remote users to access web locations (WRM) with arbitrary URL browsing, file sharing privileges with arbitrary browsing, TCP Applications, Thin Client Support (TCS) and VPN access. (Note: The location name entered here needs to correspond to those configured using the Sygate On-Demand Manager GUI.)

Security Privileges
When an administrator creates a custom access level via the client security level command, use this operation to assign the specific privileges to be associated with the access level created. With the "browse" option, the administrator may specify whether clients are allowed to browse to non-configured Web sites and file shares using the SPX navigation bars. By default the browse option is disabled.

Import/Export Settings
Configure the Security Manager export settings, either TFTP or SCP. When users log in, the AESA will be imported by the client from this specific location and protocol.

SSL Settings

SSL Protocol Support
This selection allows the user to change or set the SSL version supported by the appliance. SSLv3 and TLSv1 are supported. Users may enter either of these versions, or all of them by entering ALL in the parameter field. NOTE: The user cannot make changes to an SSL Host (host) while SSL is engaged.

Client Authentication
When enabled for SSL port forwarding, the SPX will present a certificate to the server when requested. The certificate to be presented may be imported through the Import Cert/Key page. You may also specify a subject filter so that client authentication succeeds only when the subject of the client certificate matches the configured filter rule. Subject filtering is optional. The subject filter must contain one or more entries of the form field = value. Spaces on either side of = are ignored. Multiple entries are separated by blank space, comma or both. Each field may optionally begin with /. Supported fields include C, ST, L, O, OU, CN, T and E (or email); these field names are not case sensitive.

Certificate Revocation Lists
Users may specify a CRL to be used with client authentication. These lists can be downloaded from the specified CRL Distribution Point (based on the configured name and URL) at the desired time interval (1-24 hours). This time interval is specified in the CRL Refresh parameter. HTTP and FTP are the supported protocols for fetching CRL files. This operation is not available for SSL Backend.

Cipher Suites
This operation sets the minimum key size. If a browser connecting to this host does not support the required encryption strength, it will be redirected to the specified URL. Starting with the 8.0 release, cipher suites using a key length of less than 128 bits are disabled by default. Supported ciphers include: AES256-SHA, AES128-SHA, RC4-MD5, RC4-SHA and DES-CBC3-SHA. On FIPS-enabled SPX systems, supported ciphers include: AES256-SHA, AES128-SHA, RC4-MD5, RC4-SHA and DES-CBC3-SHA. SPX cipher suite names with the standard name and description:

    SPX Cipher Name    Standard Name                                 Description
    AES256-SHA         TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)         256-bit AES with SHA
    AES128-SHA         TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)         128-bit AES with SHA
    RC4-MD5            TLS_RSA_WITH_RC4_128_MD5 (0x0004)             128-bit RC4 with MD5
    RC4-SHA            TLS_RSA_WITH_RC4_128_SHA (0x0005)             128-bit RC4 with SHA
    DES-CBC3-SHA       TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)        168-bit Triple-DES with SHA
    DES-CBC-SHA        TLS_RSA_WITH_DES_CBC_SHA (0x0009)             56-bit DES with SHA *
    EXP-RC4-MD5        TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)       40-bit RC4 with MD5 *
    EXP-DES-CBC-SHA    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)    40-bit DES with SHA *

    * Key length below 128 bits; disabled by default starting with the 8.0 release.
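The client certificate subject filter grammar described under Client Authentication, worked through in added Python that is not Array's code: it accepts field = value entries with an optional leading /, blank and/or comma separators and case-insensitive field names (with email as an alias for E), then checks a certificate subject against the filter. The OpenSSL-style one-line subject input, the emailAddress alias, AND semantics across entries and exact value comparison are assumptions.

```python
import re

# Subject fields the handbook lists for the filter; "email" is accepted as an alias for E.
SUPPORTED_FIELDS = {"C", "ST", "L", "O", "OU", "CN", "T", "E"}
FIELD_ALIASES = {"EMAIL": "E", "EMAILADDRESS": "E"}   # emailAddress = OpenSSL long name (assumption)

# One entry after whitespace normalisation: optional leading '/', field name, '=', value.
ENTRY_RE = re.compile(r"^/?([A-Za-z]+)=(.+)$")


def normalise_field(name, strict=True):
    """Field names are case-insensitive; unknown fields are rejected in a filter but kept
    (so they can simply be ignored) when they come from a certificate subject."""
    name = FIELD_ALIASES.get(name.upper(), name.upper())
    if strict and name not in SUPPORTED_FIELDS:
        raise ValueError(f"unsupported subject filter field: {name}")
    return name


def parse_subject_filter(text):
    """Parse 'O=Example, /OU = VPN cn=alice' into [('O','Example'), ('OU','VPN'), ('CN','alice')].
    Spaces around '=' are ignored; entries are separated by blanks, commas or both, which also
    means a value itself cannot contain a blank or a comma under this grammar."""
    compact = re.sub(r"\s*=\s*", "=", text.strip())
    entries = []
    for token in re.split(r"[\s,]+", compact):
        if not token:
            continue
        m = ENTRY_RE.match(token)
        if m is None:
            raise ValueError(f"malformed subject filter entry: {token!r}")
        entries.append((normalise_field(m.group(1)), m.group(2)))
    if not entries:
        raise ValueError("subject filter must contain at least one field=value entry")
    return entries


def parse_subject(subject):
    """Parse an OpenSSL-style one-line subject ('/C=US/O=Example/CN=alice') into (field, value)
    pairs. This input form is a constructed convenience; a deployment would take the fields
    from the parsed X.509 certificate. Values are assumed not to contain '/'."""
    pairs = []
    for part in subject.strip("/").split("/"):
        field, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed subject component: {part!r}")
        pairs.append((normalise_field(field, strict=False), value))
    return pairs


def subject_matches(filter_entries, subject_pairs):
    """Every filter entry must be satisfied by some subject attribute of the same field
    (AND semantics, assumed). Values are compared exactly; only field names are folded."""
    return all(
        any(cert_field == want_field and cert_value == want_value
            for cert_field, cert_value in subject_pairs)
        for want_field, want_value in filter_entries
    )


def client_auth_allowed(filter_text, subject):
    """Decide whether a presented certificate subject passes the configured filter."""
    return subject_matches(parse_subject_filter(filter_text), parse_subject(subject))


if __name__ == "__main__":
    # Constructed subjects; example.test is a reserved name, not a real site.
    rule = "/O = Example, OU=VPN"
    for subj in ("/C=US/O=Example/OU=VPN/CN=alice", "/C=US/O=Example/OU=Sales/CN=bob"):
        print(subj, "->", "allowed" if client_auth_allowed(rule, subj) else "denied")
```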
Login Authorization

Account Client Networks
This operation allows the administrator to create and/or manage sourcenet restrictions for individual users. The account name parameter is case sensitive.

Group Client Networks
This operation allows the administrator to create and manage LocalDB sourcenet restrictions for a specific group of users.

MAC Address
This feature only supports browsers using ActiveX (IE) on Windows 2000 and XP editions. All MAC addresses must be current or login will fail.

Login Failure Lockout
This feature turns on LocalDB account lockout for the virtual site's local database. When an account uses LocalDB as the authentication method and the number of failed login attempts exceeds the lockout threshold (values are between 1 and 999, with a default value of 10), the account is locked out for a configured duration (equal to or greater than 5 seconds; the default is to hold the record until the SPX is rebooted). A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for that account expires.

addresses and netmasks to specific accounts.

Local Groups
This operation allows the user to establish a group of accounts. You need to have a group created before you can assign accounts to the group.

Netpools
This option allows administrators to assign/map local DB groups to net pools. Administrators may only assign one net pool to a specified group. If you will be deploying VPN and net pools, then you will need to assign the group to a netpool.

Web Access

Web Links
Configure any active links on the portal page with text and a URL destination. Optionally you may enter a value for the link position, in ascending order. If no order is specified, links will be listed in the order they were created. Note that any given user will only see those links that are permitted by their ACLs. Up to 1,000 portal links can be defined for each virtual site.

Portal Page URL Bar
This feature option is for a URL bar to be displayed on the SPX-generated portal page for the specified virtual site. This allows users to navigate to any arbitrary internal URL. This operation is not applicable if a custom portal page is configured for the virtual site. Note that the URL bar cannot be enabled if URL masking is enabled.

Portal Navigational Tool
This feature allows the user to set a navigation tool to appear at the top of every Web page browsed through the SPX (except for the SPX-generated pages). This
navigation tool provides a convenient interface for the end user to log out, return to the portal page, or navigate to an arbitrary internal URL (the latter functionality is provided by a button on the navigation tool that expands into a URL bar). If this option is configured without the "URL bar" option, the URL bar will not be shown. Note that the navigation tool is not displayed on some older browsers (Netscape 4.X and below, IE 4.X and below). Web Resource Mapping must also be enabled for the virtual site. Note that if URL masking is enabled, the portal navtool must be enabled.

Browser Bookmarking
The SPX may remember or otherwise bookmark/tag visited pages once this feature is enabled. If a user visits a site inside or outside of the SPX-controlled network, the user may set a bookmark that will be retained by the SPX. This feature also allows SPX users to continue browsing if one of the SPX machines in a cluster goes down: the user will be asked to re-login, and after successful login the user will be presented with the HTML page they last visited. The maximum URL length that may be remembered by the SPX and used for later redirects is 2 KB. Web Resource Mapping must be enabled to deploy this feature.

Web Resource Mapping
When objects such as Java Applets or ActiveX objects are embedded in a web page, they may be passed parameters that are specified via the <PARAM> or <EMBED> HTML tags. These parameters may contain arbitrary values, and in some cases specify URLs or host names. Because this information (URLs or host names) is relative to the backend server from which the content was downloaded, the SPX needs to rewrite these parameters so that they are relative to the SPX. The first configuration option allows the administrator to set whether the SPX will match the exact parameter name or merely a substring of it. This setting applies to all rewritten parameters for the virtual site (separate virtual sites may be set differently). The second option allows the administrator to establish a specific rule for rewriting the content and parameters. The administrator is required to set a rule value, supply the name of the HTML parameter to rewrite, and set the parameter type as either URL or host.

Rewrite Parameter Rules
This feature enables the rewriting of custom embedded object parameters. When objects such as Java Applets or ActiveX objects are embedded in a web page, they can be passed parameters that are specified via the <PARAM> or <EMBED> HTML tags. Since these URLs or host names are relative to the backend server from which the web page was downloaded, the Array SPX needs to rewrite the parameters so that they are relative to the Array SPX. The arguments for this command are:

rule_id
This value identifies a configured rule.

param_name
This value specifies a substring of the name of the HTML parameter to rewrite. The Array SPX will search for the object parameter whose name contains <param_name> as a substring, and will rewrite that parameter's value.

param_type
This value may be either "url" or "host". If "url" is specified, the HTML parameter value will be rewritten as a URL. If "host" is specified, the value of the HTML parameter will be replaced with the host name of the Array SPX virtual site.
separator
This optional parameter is a string that specifies a list separator. In some cases, an HTML parameter value may consist of a list of URLs or host names; in this case, the Array SPX must rewrite each element of the list. The separator argument can be up to 10 characters long and specifies how the elements of the list are separated from each other. If no separator is specified, then the HTML parameter value is assumed to be a single URL or host name.

index
The <index> parameter allows the administrator to rewrite only certain items in a list of values separated by <list_separator>. This parameter is optional. If no <index> is given, then the rule applies to all values in the list.
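An added Python model, not the SPX implementation, of how a rewrite parameter rule is applied to the <PARAM> tags of an embedded object: param_name is matched as a substring or exactly according to the virtual site setting, "url" values are rewritten to the /prx/000/<scheme>/<host>/<path> form that the arrayinclude.js examples in the Portal Themes section show, "host" values are replaced by the virtual site hostname, and separator/index restrict the rewrite to selected list items. The sample applet markup, the vpn.example.test site name, the fixed "000" path component and a 0-based index are assumptions.

```python
import re
from urllib.parse import urljoin, urlsplit

SPX_SITE = "vpn.example.test"   # constructed virtual site hostname used for "host" rules

# Constructed rules shaped like the handbook's rule_id / param_name / param_type /
# separator / index arguments; separator and index are optional (None).
# index is taken to count list items from 0 (an assumption; the handbook does not say).
RULES = [
    {"rule_id": 1, "param_name": "codebase", "param_type": "url", "separator": None, "index": None},
    {"rule_id": 2, "param_name": "server", "param_type": "host", "separator": None, "index": None},
    {"rule_id": 3, "param_name": "jarlist", "param_type": "url", "separator": ";", "index": 1},
]

# <param name="..." value="..."> as written inside <applet>/<object>; attribute order assumed
PARAM_RE = re.compile(r'<param\s+name\s*=\s*"([^"]*)"\s+value\s*=\s*"([^"]*)"\s*/?>', re.I)


def check_rule(rule):
    """Apply the constraints the handbook states for a rule."""
    if rule["param_type"] not in ("url", "host"):
        raise ValueError(f"rule {rule['rule_id']}: param_type must be 'url' or 'host'")
    sep = rule["separator"]
    if sep is not None and not 1 <= len(sep) <= 10:
        raise ValueError(f"rule {rule['rule_id']}: separator must be 1-10 characters")
    if rule["index"] is not None and sep is None:
        raise ValueError(f"rule {rule['rule_id']}: index requires a separator")


def to_spx_url(value, page_base):
    """Rewrite one backend URL into the /prx/000/<scheme>/<host>/<path> form that the
    arrayinclude.js examples show for http://localhost/arrayinclude.js. The '000' component
    is reproduced verbatim as an assumption; the handbook does not document its meaning.
    Relative values are resolved against the page that embedded the object."""
    parts = urlsplit(urljoin(page_base, value))
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return value                       # not a backend URL (javascript:, data:, ...)
    tail = parts.path or "/"
    if parts.query:
        tail += "?" + parts.query
    return f"/prx/000/{parts.scheme}/{parts.netloc}{tail}"


def rewrite_value(value, rule, page_base):
    """Rewrite a parameter value, or only the indexed item of a separated list."""
    if rule["param_type"] == "host":
        def convert(item):
            return SPX_SITE            # host rules substitute the virtual site's hostname
    else:
        def convert(item):
            return to_spx_url(item, page_base)
    sep, idx = rule["separator"], rule["index"]
    if sep is None:
        return convert(value)
    items = value.split(sep)
    return sep.join(convert(item) if idx is None or i == idx else item
                    for i, item in enumerate(items))


def rule_applies(rule, param_name, exact_match):
    """The virtual site setting decides between exact-name and substring matching."""
    name, wanted = param_name.lower(), rule["param_name"].lower()
    return name == wanted if exact_match else wanted in name


def rewrite_params(markup, page_base, rules=RULES, exact_match=False):
    """Rewrite every <param> whose name matches a rule; the first matching rule wins."""
    for rule in rules:
        check_rule(rule)

    def replace(m):
        name, value = m.group(1), m.group(2)
        for rule in rules:
            if rule_applies(rule, name, exact_match):
                return f'<param name="{name}" value="{rewrite_value(value, rule, page_base)}">'
        return m.group(0)

    return PARAM_RE.sub(replace, markup)


# Constructed applet markup as a backend page at PAGE_BASE might embed it
PAGE_BASE = "http://app.internal/portal/index.html"
SAMPLE = (
    '<applet code="App.class">'
    '<param name="codebase" value="http://app.internal/java/">'
    '<param name="ServerHost" value="app.internal">'
    '<param name="jarlist" value="a.jar;http://app.internal/lib/b.jar;c.jar">'
    '<param name="color" value="blue">'
    '</applet>'
)

if __name__ == "__main__":
    print(rewrite_params(SAMPLE, PAGE_BASE))
```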
URL Mask
Enabling this option causes the SPX to apply a hash to the host and path portion of URLs that it translates as rewritable content, instead of leaving the backend server and path in their original form. If the optional Mask Filename option is also selected, the SPX masks the backend server's hostname, path, and the name of the file being requested. Note that Rewrite Relative URLs must not be disabled when URL masking is enabled for a virtual site. Note that the URL input field on the welcome page must be disabled before URL masking can be enabled; see the "portal urlbar" command. Also note that the portal navigation tool must be enabled without a URL input field before URL masking can be enabled; see the "portal navtool" command.

Wrap Event Handlers
This feature allows the administrator to handle a specific situation in IE: if a page contains a <script src="file.js"> tag outside the <body> section (for example, in the <head>), and the page contains script (VBScript or JavaScript) which defines a function with the same name as a built-in event handler (for example, "onmouseover()"), and that function is assigned as the event handler for that event (onmouseover), IE will call its built-in event handler function instead of the custom function. This results in an infinite loop, which throws a "Stack Overflow" error. Since the ArraySP WRM functionality inserts a <script src=> tag into the <head> section of all web pages (for JavaScript wrapper libraries), it is possible for the SPX to trigger this condition. Enabling this feature allows the SPX to detect this situation and wrap the call to the event handler function in an Array function that in turn calls the original function. Default is disabled.
Advanced
Disabling this feature turns off URL translation for rewritable content. When Web Resource Mapping is off, OWA (Outlook Web Access) will not work through the SPX unless this option is specifically configured. Note that when Web Resource Mapping is enabled, OWA works without special consideration. Also, Web Resource Mapping does not rewrite embedded URLs within PDF or Microsoft Office files (including Word, Excel, PowerPoint, etc.), and therefore it is recommended that relative URLs be used within these types of documents whenever possible.

Rewrite URLs
Enable/disable the rewriting of relative links. Default status is enabled.
221
2007-2011 Array Networks All Rights Reserved
WebUI Handbook
Cookie Expiration Passthrough
Enable/disable pass-through of expires clauses in cookies set by backend Web servers. Default status is disabled.
Disabling Browser Caching
This feature allows administrators to prevent browsers from storing information for the specified virtual site in the browser's cache.
Enable OWA Support
This feature allows a backend OWA server to be accessed through the given virtual service on the Array SPX using HTTPS. This configuration is not relevant when Web Resource Mapping is enabled.
URL Property Mask WRM
This feature allows the administrator to select a URL that will NOT be rewritten. Using the no version of the command returns the specified URL to the setting where it is rewritten by the SPX. It is recommended that the URL be framed in double quotes.
URL Property Mask Accept Encoding
Deploying this feature creates a configurable policy to disable the insertion of the Accept-Encoding header on a per-URL basis. This is used primarily for Web servers that are not compliant with the HTTP RFC standards.
Server Access
Single Sign On
By enabling this option, the SPX will attempt to authenticate with backend servers using the end user's login username and password. This feature only works with backend servers that require NTLM or Basic HTTP authentication (or no authentication at all).
Insert X-Client-Cert Header
This operation instructs the Array to insert an x-clientcertificate header into the request if an SSL client certificate is given. This operation works in conjunction with the SSL settings clientauth command.
Insert X-SSO-User Header
This feature allows the administrator to insert an X-SSO-USER HTTP header, carrying the username, into every request made from the SPX to the backend server. This includes requests generated from portal pages.
Pass Session Cookie to Origin Server
By default, the SPX strips its session cookie out of every request before it forwards the request to the backend server, and no pass-session-cookie strategy is active. When this feature is enabled, the SPX leaves the session cookie of the user in every proxied request to the backend servers.
Proxy Settings
You may use the SPX to communicate with HTTP servers through a non-transparent HTTP proxy. When this feature is in use, the SPX sends all HTTP and HTTPS requests to the configured proxy, which in turn contacts the appropriate content servers (or the next proxy in the chain). When a proxy is in use, the SPX does not resolve the DNS names of backend servers. This affects the operation of the configured ACLs: if a given ACL matches the host name of a backend server but not its IP address, the SPX will not enforce the ACL when the backend server is accessed via its IP address. Suppose the content is on the server "server.example.com", whose IP address is 10.1.2.3. If the administrator has configured an ACL of "0 http:server.example.com/ deny", then users will be prevented from accessing the server using its host name. When a proxy server is not in use, access will be denied even if users try to access the server using "10.1.2.3", because the SPX reverse-resolves "10.1.2.3" to "server.example.com" before applying the ACLs. When a proxy is used between the SPX and the backend server, the SPX does not perform this reverse resolution, and requests for "10.1.2.3" will be allowed. The solution is to create two ACLs:
"0 http:server.example.com/ deny"
"1 http:10.1.2.3/ deny"
This produces the desired behavior even when a proxy server is in use. Set the proxy for HTTP or HTTPS and configure the proxy IP (or name) and port. You may also set the SPX to automatically detect forward proxy settings using a script. The SPX will fetch the URL specified and execute the script for every request received by the virtual site. It will use the script results to decide which forward proxy to use. If the requested scheme has a static forward proxy defined using "server site proxy manual <scheme>", the static proxy will be used instead of the script.
URL Policies
URL Policies allow administrators to control what web content the SPX will serve. It is usually not desirable for clients to use the SPX to access publicly available Internet content. By setting up URL policies, administrators can ensure that the SPX is used only for its intended purpose: secure access to private content. URL Policies are matched against the URLs in all requests that the SPX receives. If a URL is classified as external according to the URL Policies, the SPX redirects the end user's browser to the publicly available web content instead of proxying the request to a backend server. The SPX also provides public URL policies. If a request URL matches a public policy, it will be proxied by the SPX, but a session cookie is not required for that request. Public URL policies should be used with care, for the obvious reason that they provide unrestricted access to internal content. The common use for public URL policies is to provide public access to content embedded in custom login pages, logout pages, and error pages.
Note that it is not possible to make the default policy public.
Configure the SPX to proxy requests that match the desired policy. The SPX will not require a session cookie in requests that match a "public" policy. Assign the policy's priority from 0 to 65535; the lower the value, the higher the priority. If a URL matches two policies, the matching policy with the highest precedence (a lower priority value means higher precedence) is used to determine whether the requested URL is internal, external, or public. Configure any keywords to be used to specify what URLs the policy will match. If the requested URL contains the keyword as a substring, then the policy matches.
Enable the SPX's special navigational field for end users accessing shared files through the custom portal file sharing pages. The navigational tool allows users either to use a dropdown menu populated with the configured file share links for the virtual site or to enter an arbitrary path (formatted //<server>/<service>/<path>) for CIFS links to the files.
Configure a CIFS Link
The proper format for the service parameter is "//<server>/<workgroup>", where <service> is the name or IP address of a CIFS server and <workgroup/domain> is the name of a shared folder on that server. Note that the server name required is NOT necessarily the IP (DNS) hostname of the server. The name required is a NetBIOS server name, which may or may not be the same as the IP hostname of the machine running the server. On systems deploying WINS, the hostname and the NetBIOS server name must be the same. Depending on the specific requirements of the deployed file server, the Workgroup parameter for the SPX will have to contain either the file server's domain name or the file server's workgroup name. If the file server does not require the client to supply a workgroup/domain name for access, then the <workgroup> SPX parameter is optional and may be left blank.
URL Policy
When the SPX receives a request for a web resource, the SPX will decide whether to proxy that request, or redirect the client to an external server. The SPX will proxy requests that match an "internal" or "public" policy. It will redirect requests that match an "external" URL policy. The SPX will not require a session cookie in requests that match a "public" policy. The "urlpolicy default" command tells the SPX what to do if it receives a request that doesn't match any established policies.
precedence: A value between 0 and 65535 inclusive.
keyword: Sub-string from the URL.
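A model of the matching order described above, as an added example that is not Array Networks code; the policy table, keywords and URLs are constructed, and the only behaviour modelled is what the section states (precedence order, substring keyword match, internal/external/public verdicts, no public default):

```python
"""Added example (not Array Networks code): how URL policies classify a request.

Models the rules in the URL Policies section: policies are tried in order of
precedence (0 is highest, 65535 lowest), a policy matches when its keyword is a
substring of the request URL, the first match decides whether the URL is
internal, external or public, and the default policy may not be public.
The policy table and URLs below are constructed.
"""
from dataclasses import dataclass

INTERNAL, EXTERNAL, PUBLIC = "internal", "external", "public"


@dataclass(frozen=True)
class UrlPolicy:
    precedence: int   # 0..65535, lower value = higher precedence
    keyword: str      # substring that must appear in the request URL
    kind: str         # INTERNAL, EXTERNAL or PUBLIC

    def __post_init__(self):
        if not 0 <= self.precedence <= 65535:
            raise ValueError(f"precedence out of range: {self.precedence}")
        if self.kind not in (INTERNAL, EXTERNAL, PUBLIC):
            raise ValueError(f"unknown policy type: {self.kind}")


class UrlPolicyTable:
    def __init__(self, policies, default=INTERNAL):
        if default == PUBLIC:
            raise ValueError("the default policy cannot be public")
        self.default = default
        # Stable sort: policies with equal precedence keep configuration order.
        self.policies = sorted(policies, key=lambda p: p.precedence)

    def classify(self, url):
        """Return INTERNAL, EXTERNAL or PUBLIC for a request URL."""
        for policy in self.policies:
            if policy.keyword in url:
                return policy.kind
        return self.default

    def decide(self, url):
        """Return (action, session_cookie_required) as the SPX would apply it."""
        kind = self.classify(url)
        if kind == EXTERNAL:
            return ("redirect", False)      # browser fetches the public site itself
        return ("proxy", kind != PUBLIC)    # internal content needs the session cookie


# Constructed table: the login-page artwork is public, the intranet is proxied
# for logged-in users, and anything on the public web is redirected.
TABLE = UrlPolicyTable([
    UrlPolicy(100, "intranet.example.com", INTERNAL),
    UrlPolicy(10, "intranet.example.com/login/images/", PUBLIC),
    UrlPolicy(5000, "www.", EXTERNAL),
])
```

The login artwork URL matches both the precedence-10 and the precedence-100 policy; the lower value wins, so it is served without a session cookie while the rest of the intranet still requires one.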
File Access
The SPX provides secure remote access to Windows (SMB/CIFS) file servers using a Web-based interface. This allows you to browse, download, upload, rename and delete files and folders from any client machine on the Internet with an SPX-compatible browser (upload/download up to 500 MB). In order to access shared Windows files, the user must have the appropriate permissions on the file server. The file server enforces permissions based on the Windows username and password provided by the SPX. The SPX initially assumes that the Windows file server uses the same credentials that were used to log into the SPX. If the Windows file server rejects these credentials, the SPX prompts the user for the appropriate credentials for the file server.
Mail Services
The SPX can support native email clients that use SSL-based IMAP and SMTP to gain access to email via the SSL VPN. You need to configure the desired server (SMTPS or IMAPS) ports and IP address. The use of this feature requires that AAA be enabled. Assign one protocol service (IMAPS or SMTPS) from the virtual site to the backend only when the virtual site host is EXCLUSIVE. The listen port is the port used by the SPX to listen for the IMAPS or SMTPS protocol (typically IMAPS=993, SMTPS=465); server ip is the IP address of the mail server; server port indicates the port used by the mail server for IMAP or SMTP (typically IMAP=143 (IMAP3=220), SMTP=25). For very large deployments, you may add additional IPs to be used as sourcenets for the backend server connections. This is done by adding alias IPs via the Advanced tab.
You may add as many TCP services as required. Please note that each service must have a unique port per hostname; otherwise conflicts would occur on the end user's machine when they attempt to use the legacy application proxy. In order to access non-Web applications through the SPX, you must establish a network environment that allows outbound TCP connections to the SPX via the configured control port. Services with a range of server ports can be used to provide access to some dynamic-port TCP applications (e.g. passive mode FTP) with limited port ranges. However, if an application requires a large range of dynamic ports (several hundred ports or more) or requires server-initiated connections, it will be necessary to use the SPX's VPN capabilities.
Use Dedicated Control Port
This optional command sets the port that the legacy application proxy will use to securely tunnel TCP connections through the SPX. This port should be opened on any firewalls between the SPX and end users.
Host Mapping
Configure the 'local host' to be mapped, and an IP that the hostname will be mapped to. If not specified, the default value of 127.0.0.1 will be used. A host must first be configured using this command before it can be used as part of a 'clientapp service' command. In addition, a hostname can only be mapped to one IP; attempts to map the same hostname to multiple local IPs will be rejected.
Services
This operation allows you to specify which TCP services are made available to end users through the legacy application proxy. TCP services may only be configured for hosts mapped to local IP addresses (an IP in the form 127.0.0.X where X=1-254). You may choose to use the optional port parameters to establish a range of accepted ports.
Windows Redirector
Besides tunneling connections based on the configured rules (IP, EXE), Windows Redirector will also tunnel any DNS or WINS requests that the client cannot resolve natively. Requests are resolved by the SPX whenever possible and the responses are returned to the client. This allows applications to resolve and connect to hostnames on the internal network.
Executable Name and MD5 Hash Value
Use this option for clients running IE on Windows machines to configure an application whose traffic will all be tunneled through the SPX. To secure the application, administrators specify the executable name (for example "telnet.exe") and optionally the MD5 hash value of the exe. Specifying a hash value allows the administrator to restrict redirection to specified versions of the application, and to ensure that "telnet.exe" really is Telnet, and not a renamed hacking utility. Setting the value to "0" means to redirect all traffic from all executables with that name.
IP Redirect
Use this operation for clients running IE on Windows machines to configure an IP and port range where all traffic will be tunneled through the SPX. When port ranges are used, it is advisable to limit the range of ports used by each service to 100 ports or fewer. It is recommended that the Windows redirector feature be enabled when providing access to dynamic-port TCP applications. Note that Administrator privileges on the client machine are required. The Microsoft JVM must be installed on the client machine in order to use the Array Windows Redirector.
L3VPN
When the VPN feature is activated, a VPN client is automatically installed on the client machine from a Web browser. This VPN client intercepts all network traffic destined for the internal network and securely tunnels it to the SPX. All tunnel data is protected by SSL encryption. Since all IP traffic to the destination networks is tunneled, all IP-based applications should work transparently through the tunnel, including those that use dynamic port TCP and UDP protocols, NetBIOS, or ICMP. For example, users will have transparent access to FTP, Outlook, and native Windows file sharing when connected to the VPN. Installation of the VPN client is a one-time process; the client is not removed unless explicitly uninstalled by the user.
Note: The user must have Administrator privileges on the client machine in order to initially install the VPN client. Once the VPN client has been installed, Administrator privileges are not required to launch or upgrade the client.
netpool_name
A string to identify/specify the netpool. This string is used as the identifier of the netpool in other CLI commands that relate to configured netpools.
split|nosplit
If split is enabled, only packets whose destinations belong to a configured zone are tunneled. If split is disabled, all traffic leaving the user's machine is tunneled. Please note that with full tunneling the client will not have access to its local network.
Network Zone
Administrators deploy this feature to define one or more IP subnets, or zones, to which VPN users will have access.
Dynamic IP Addresses and Ranges
Assign one or more contiguous IP address ranges from those external IP addresses that may be assigned. With configurations where clustering is used, each configured dynamic IP range can optionally be associated with a particular synconfig node. IP ranges on different nodes can be the same or can be different. However, if a stateful failover clustering configuration in active-active mode is deployed, then administrators must configure disjoint IP ranges for each node to guarantee that unique IP addresses are assigned to the L3 VPN clients from different nodes.
IP Range DHCP
Allows the administrator to deploy dynamic IP address assignment using DHCP. The <leasetime> parameter refers to the time that the allotted IP address may be used (5 minutes through 43,200 minutes (one month)). The <Request> parameter refers to the network containing the DHCP server.
Autolaunch
The administrator may choose to have the VPN client automatically launched upon a successful login for the specified virtual site. This feature is disabled by default.
Netpools
Assign resources for the VPN (netpool name and description). For each netpool, the administrator may select either split tunneling or full tunneling. If split tunneling is selected, only traffic destined for configured, accessible network zones will be tunneled. All other traffic will continue to be routed normally, and the client will continue to have access to local network resources.
Launch Command
This feature allows the administrator to configure an application or other executable to be launched upon successful L3 connection. The parameter <command> is the actual command to be launched upon successful L3 connection. Double quotes are required around the command string, and the command string should contain the full path of the command and the necessary arguments. If there are spaces in the command itself or in an argument itself, use single quotes, for example: c:\program files\mycompany\my command.exe myarg1. The optional argument [stop_err] allows the administrator to specify whether L3 should abort connecting if an error happens while launching the command.
Network Pool Routing
This feature configures a separate source-based route for VPN tunnel traffic, on a per-netpool basis. If the default flag is specified, the route will be used for tunnel traffic whose destination does not match a globally configured "ip route static". If the all flag is specified, all tunnel traffic for this netpool will use this route, regardless of globally configured static routes.
Windows Administrator
This feature allows the user to enable or disable the creation of an L3 VPN for a restricted user. The parameters <username> and <password> refer to the Windows machine's local Admin username and password. They can be a maximum of 255 characters in length. The password will be displayed in scrambled format (not base64, though). Please note that, according to Windows convention, the username is case insensitive and the password is case sensitive; however, this depends on the individual Windows system.
Inside Proxy
This operation assigns a proxy to the remote client after the client has a connection to the L3VPN. This proxy setting is applied to the IE browser via the Internet Options LAN settings. The parameter <proxy_type> can only be one of two values: "script" and "manual". The setting "script" means using an auto-configuration script; "manual" means using a manually configured proxy. When configuring "script", the parameter <proxy_server> is the URL or path of the script, for example "c:\windows\system\autorun.pac". When configuring "manual", <proxy_server> is the proxy server address and port, for example "10.1.1.1:8080"; the HTTP, HTTPS, FTP, Gopher and Socks protocols all use the same proxy server.
ACLs
The SPX controls access to Web, file and legacy application resources by enforcing restrictions defined by ACLs. When any user attempts to log into a virtual site, the SPX authenticates that user against the configured AAA server and retrieves all ACL and sourcenet attributes for any groups that the user belongs to. The SPX will enforce the ACL restrictions on web and file requests for that session, except for requests that match an external URL policy. There are two forms of the ACL: the first is for VPN and Clientapp and is discussed below; the second pertains to HTTP traffic and Filesharing configurations and is discussed in those sections. The SPX will accept ACLs that conform to a well-defined format. The same ACL format applies regardless of the AAA method used or the AAA server model. The format is as follows:
<priority> ip <protocol>:<host_ip>[/<netmask>][:port] [AND <virtual_site_id>] {PERMIT|DENY}
Priority
This is a positive (including zero) numerical value indicating the precedence of the ACL. The lower the numeric value, the higher the ACL precedence. The first ACL that matches is used to decide whether the request will be permitted or denied.
Protocol
http, tcp, file, ip, udp, gre, icmp, as well as any other IP-based protocols.
Host IP
The IP address of the host (or network) to which the ACL applies.
Netmask
This specifies the netmask of the network to which the ACL applies.
Virtual Site ID
This portion of the ACL is used to control which virtual site(s) the ACL is associated with. If the "AND <virtual_site_id>" portion of the ACL is omitted, or if "all" is given as the virtual site name, the ACL is assumed to apply to all virtual sites defined on the SPX. Otherwise, the virtual site name given in the ACL dictates which virtual site the ACL is associated with.
PERMIT
Denotes that if a packet matches the ACL, the SPX will allow the packet to be processed by the backend server.
DENY
Denotes that if a packet matches the ACL, the SPX will drop the packet and return an error instead of sending the packet to the backend server.
If the user's session has no ACLs that apply to a particular virtual service, the user will be allowed unrestricted access to all Web, file and TCP application resources through the virtual site. If the user's session contains one or more ACLs that are applicable to a particular virtual site and scheme, the SPX will deny access to any resources of that scheme that are not specifically permitted by an ACL. The default behavior of the SPX can be adjusted by configuring an ACL with the appropriate scheme, with a <host><path> of */ and the largest priority value (i.e. lowest precedence). Note that if any keyword or value in the ACL is not recognized (i.e. anything other than http, file, tcp or the other listed forms for the scheme, or a non-numeric value for the priority), the Security Manager will reject the ACL and reject the login request. This is intended to prevent security breaches in the event that DENY ACLs are incorrectly formatted. The administrator should NOT configure conflicting ACLs with the same priorities. The administrator must assign different priorities to indicate that one ACL should take precedence over another.
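The following is an added example, not Array Networks code, modelling the ACL format and precedence rules above together with the reverse-resolution case from the Proxy Settings section. The host names, addresses and site ids are constructed, and the catch-all "65535 http:*/ permit" ACL is an assumption so that other web content stays reachable while the host-name DENY is tested:

```python
"""Added example (not Array Networks code): a model of how the SPX evaluates ACLs.

It implements the rules stated in the ACLs section and in the Proxy Settings note:
  * the lowest priority value wins and the first matching ACL decides;
  * an unrecognised keyword in any ACL rejects the whole login (fail closed);
  * once any ACL applies to a site and scheme, anything not permitted is denied;
  * with a forward proxy the SPX does not reverse-resolve IP literals, so a
    host-name DENY must be paired with an IP DENY.
Both ACL shapes are the page's own; host names, addresses and site ids are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

SCHEMES = {"http", "https", "file", "tcp", "ip"}
_IP_FORM = re.compile(r"^(?P<proto>[a-z]+):(?P<ip>[0-9.]+)(?:/(?P<mask>[0-9.]+))?(?::(?P<port>\d+))?$")


class AclFormatError(ValueError):
    """Any malformed ACL: the Security Manager rejects the ACL and the login."""


@dataclass(frozen=True)
class Acl:
    priority: int
    scheme: str   # http, file, tcp, ... or "ip"
    target: str   # "<host>/<path>" for web/file/tcp, "<proto>:<ip>[/<mask>][:port]" for ip
    site: str     # virtual site id, or "all"
    permit: bool


def parse_acl(line):
    tokens = line.split()
    if len(tokens) >= 3 and tokens[1].lower() == "ip":       # "<prio> ip <proto>:<ip>..." form
        tokens = [tokens[0], "ip:" + tokens[2]] + tokens[3:]
    if len(tokens) == 5 and tokens[2].upper() == "AND":
        site = tokens[3]
    elif len(tokens) == 3:
        site = "all"
    else:
        raise AclFormatError(line)
    prio, target, verdict = tokens[0], tokens[1], tokens[-1].upper()
    scheme, _, rest = target.partition(":")
    scheme = scheme.lower()
    if not prio.isdigit() or verdict not in ("PERMIT", "DENY") or scheme not in SCHEMES or not rest:
        raise AclFormatError(line)
    if scheme == "ip" and not _IP_FORM.match(rest):
        raise AclFormatError(line)
    return Acl(int(prio), scheme, rest, site, verdict == "PERMIT")


def _matches(acl, req):
    """req is a dict: scheme/host/path for web and file, scheme/proto/ip/port for ip."""
    if acl.scheme == "ip":
        m = _IP_FORM.match(acl.target)
        net = ipaddress.ip_network(f"{m['ip']}/{m['mask'] or '255.255.255.255'}", strict=False)
        return (m["proto"] in ("ip", req["proto"])
                and ipaddress.ip_address(req["ip"]) in net
                and (m["port"] is None or int(m["port"]) == req["port"]))
    host, _, path = acl.target.partition("/")
    host_ok = host == "*" or host.lower() == req["host"].lower()
    return host_ok and req["path"].startswith("/" + path)


def authorize(acl_lines, site, req, reverse_dns=None):
    """Return True (PERMIT) or False (DENY) for one request of a logged-in session.

    reverse_dns maps IP literal -> host name and models the reverse resolution the
    SPX performs when no forward proxy is configured; pass None for the proxy case.
    """
    acls = [parse_acl(line) for line in acl_lines]      # AclFormatError here = login rejected
    req = dict(req)
    if req["scheme"] != "ip" and reverse_dns is not None:
        req["host"] = reverse_dns.get(req["host"], req["host"])
    applicable = [a for a in acls if a.scheme == req["scheme"] and a.site in ("all", site)]
    if not applicable:
        return True                                     # no ACLs for this scheme: unrestricted
    for acl in sorted(applicable, key=lambda a: a.priority):
        if _matches(acl, req):
            return acl.permit
    return False                                        # ACLs exist, none permitted it: deny


# Constructed scenario from the Proxy Settings note, plus an assumed catch-all
# PERMIT so that web content other than the denied server stays reachable.
HOST_ONLY = ["0 http:server.example.com/ deny", "65535 http:*/ permit"]
HOST_AND_IP = HOST_ONLY[:1] + ["1 http:10.1.2.3/ deny"] + HOST_ONLY[1:]
RDNS = {"10.1.2.3": "server.example.com"}
BY_IP = {"scheme": "http", "host": "10.1.2.3", "path": "/index.html"}

if __name__ == "__main__":
    print("no proxy, request by IP :", authorize(HOST_ONLY, "vs1", BY_IP, RDNS))   # False
    print("proxy, request by IP    :", authorize(HOST_ONLY, "vs1", BY_IP))         # True
    print("proxy, with the IP ACL  :", authorize(HOST_AND_IP, "vs1", BY_IP))       # False
```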
URL Filtering
You may set up restrictions or limitations on queries made to your network based on header length, request length, URL and query length, as well as ASCII character ranges and keyword matches. All configurations can be made to respond passively or actively.
Default Filtering Policy
This operation allows the administrator to set the filter mode to deny by default or permit by default on the specified VIP.
Filtering Mode
Set the filter mode. The passive setting allows the request to pass through the appliance while keeping a transaction record of the violation. The active setting instructs the appliance to drop any request that violates the URL filtering rules as configured by the user. By default, the Array is in active mode.
Email Alerts
Configure the destination email address, in quotation marks, for filter-related alerts, and the threshold for the number of dropped requests before issuing the alert.
Length Based
Configure the filter length parameters for requests coming into the network.
Character Based
Configure the filter character parameters for requests coming into the network. To deny specific requests based on URL character ranges (ASCII values), enter the starting and ending values.
Keyword Based
Configure keyword filtering. Here you may enter a word or string for the SPX to look for, either to allow the request through to the backend or to stop the request directly.
Type Based
You may set up whether the filtering is integer or character string based.
Filtering Encoded Control Characters
Enable or disable the filtering of %-encoded control characters in URLs. Control characters are those in the range %00 to %1F, and %7F. For example: https://array.sp.com/prx/000/http/10.1.1.5/file%02name.html. If "filter control codes" is enabled, this request will be rejected. If "no filter control codes" is used, this request will be permitted.
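A model of the checks in this section (length limits, character ranges, keywords, encoded control characters) with the passive and active modes, as an added example that is not Array Networks code; the limits, keyword and the extra sample URLs are constructed, while the URL containing %02 is the one given above:

```python
"""Added example (not Array Networks code): a model of the URL Filtering checks.

Implements the checks listed in the URL Filtering section (length limits, denied
ASCII character ranges, keyword matches, %-encoded control characters %00-%1F
and %7F) together with the passive and active modes. The limits, keyword and
extra sample requests are constructed; the URL containing %02 is the page's own.
"""
import re
from dataclasses import dataclass, field

# %00-%1F and %7F, as the page defines control characters; %2F, %70 etc. do not match.
ENCODED_CONTROL = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")


@dataclass
class UrlFilter:
    mode: str = "active"                 # "active" drops violators, "passive" only records them
    max_url_len: int = 2048              # constructed limit for the whole URL
    max_query_len: int = 1024            # constructed limit for the query string
    denied_ranges: list = field(default_factory=list)    # [(lo, hi)] ASCII codes rejected in a URL
    denied_keywords: list = field(default_factory=list)  # substrings that stop a request
    filter_control_codes: bool = True    # the "filter control codes" setting
    record: list = field(default_factory=list)           # transaction record of violations

    def violations(self, url):
        """Return the names of every rule the URL violates (empty list = clean)."""
        hits = []
        query = url.partition("?")[2]
        if len(url) > self.max_url_len:
            hits.append("url-length")
        if len(query) > self.max_query_len:
            hits.append("query-length")
        for lo, hi in self.denied_ranges:
            if any(lo <= ord(ch) <= hi for ch in url):
                hits.append(f"char-range {lo}-{hi}")
        for keyword in self.denied_keywords:
            if keyword.lower() in url.lower():
                hits.append(f"keyword {keyword}")
        if self.filter_control_codes and ENCODED_CONTROL.search(url):
            hits.append("encoded-control-char")
        return hits

    def handle(self, url):
        """Return "drop" or "pass"; a passive filter passes but records the violation."""
        hits = self.violations(url)
        if not hits:
            return "pass"
        self.record.append((url, hits))  # what the transaction record would hold
        return "drop" if self.mode == "active" else "pass"


# The page's own example request, proxied through the SPX, plus constructed ones.
CONTROL_CHAR_URL = "https://array.sp.com/prx/000/http/10.1.1.5/file%02name.html"
CLEAN_URL = "https://array.sp.com/prx/000/http/10.1.1.5/report.html?year=2011"
ADMIN_URL = "https://array.sp.com/prx/000/http/10.1.1.5/admin/config"

if __name__ == "__main__":
    f = UrlFilter(denied_keywords=["/admin/"], denied_ranges=[(0x7F, 0xFF)])
    for url in (CONTROL_CHAR_URL, CLEAN_URL, ADMIN_URL):
        print(f.handle(url), url, f.violations(url))
```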
If you have any questions about clearing a running or saved configuration, please contact Array Networks Customer Support. You may load and save files to and from SCP, TFTP and local file locations on your network.
Monitoring
Select the desired feature to view relevant statistics concerning the SPX.
Troubleshooting
Ping
This operation generates a network connectivity echo request directed toward the specified IP address. Results will be displayed in the given table.
Config Management
Running Config/Startup Config
These selections allow administrators to see the entire running configuration (or simply the startup configuration) for the desired SPX. The configuration specifics are broken out by feature.
Traceroute
This operation allows the user to trace the route that a packet of information, or the request for that packet, travels. When the user supplies the IP address in dotted-decimal format, the Array SPX displays the devices and network locations used to process the request for that IP address. Results will be displayed in the given table.
Saved File
Allows the viewing of configuration specifics from a separate configuration file.
Backup/Load/Clear
Caution should be taken when clearing configurations from the SPX. Make certain that you clear only those configurations you wish to. These operations will clear entire configurations, not specific functions or configuration elements.
Change Password
To set or change enable level passwords. A password string may be up to 8 characters long. Setting the password to empty string is equivalent to having no password.
Captive Portal
The Array SPX provides comprehensive secure remote access. However, many user intranets may still be vulnerable because access to resources from users who connect to the LAN directly is not properly secured. For example, a local visitor may gain virtually unrestricted access to sensitive resources by simply plugging a laptop into an open Ethernet port. In other instances, corporate networks have open wireless access points for on-site guests and do not have a proper network access control solution to secure their resources. The SPX provides remote and local, secure intranet and Internet access. The SPX controls network access for users who may already have access to the physical network. Rather than being located on the edge of the intranet, the SPX is located inside the LAN. Clients using Ethernet or WAP hotspots are supported while keeping the network secure. The captive portal feature (when licensed) gives the SPX the ability to automatically present the login page to unauthenticated users signing onto a wireless hotspot or a wired Ethernet network. Administrators configure the DHCP server to designate the SPX as the DNS server (the DHCP server may be an external server or the SPX's integrated DHCP server). Then configure the SPX to redirect all DNS requests arriving on a chosen DNS service to a specific virtual site for authorization and authentication. This forces any outside user to connect through the SPX regardless of the URL entered into the browser.
NOTE: For extra security, we recommend administrators filter out all outgoing traffic on their routers unless it is originating from the SPX. This way, users who have not been authenticated by the SPX will not have access to Internet resources.
NOTE: Users will be able to access WRM links, if present, but will not be able to access any Internet resources directly. If the administrator wants to provide authenticated users with Internet access, use L3 VPN.
Captive Portal may be enabled for any Exclusive or Shared Virtual Site from the Virtual Site Table. In Enable mode, the administrator can only see whether a virtual site is designated as a Captive Portal or not. The administrator needs to switch to Config mode to enable Captive Portal for a specific Virtual Site. The Captive Portal column only shows when the Captive Portal feature is licensed on the SPX.
The following page shows up with the default selection of Internal DHCP Server. The Virtual Site name, the Name server IP address and the Default Gateway IP addresses are pre-determined. The administrator will have to provide the IP Range and optionally supply a Domain name. Click Save to set the specified Virtual Site as the Captive Portal that uses Internal DHCP Server.
Click on Enable link corresponding to the Virtual Site to be made as the Captive Portal.
Notice that the Virtual Site exclusive1 has Edit instead of Enable (in the illustration below), as that Virtual Site has already been set as the Captive Portal that uses the Internal DHCP Server. Administrators may click the Edit link to edit the configuration of the Captive Portal or to clear the Captive Portal configuration on the corresponding Virtual Site.
To edit a captive portal configuration, click the Edit link in the Captive Portal column of the corresponding Virtual Site. Notice the Clear link button in the top right portion, which only shows when the corresponding Virtual Site is configured as a Captive Portal. You can change a Captive Portal with Internal DHCP Server into a Captive Portal with External DHCP Server by selecting the radio button for External DHCP Server. Once selected, the input fields for IP Range Start, IP Range End and the Domain name disappear. The values for IP Range Start and IP Range End are deleted when the configuration is saved in order to change to an External DHCP Server based Captive Portal.
To clear the Captive Portal configuration for a specific Virtual Site, click the Edit link in the Captive Portal column of the corresponding Virtual Site and click the Clear link button. A dialogue window will then notify the user that clearing the Captive Portal configuration will also delete the associated local DNS and local DHCP settings. When the user clicks OK, the configuration for that Virtual Site is cleared and the administrator is redirected to the Virtual Site table. If a Virtual Site was configured as an Internal DHCP Server based Captive Portal, no other Virtual Site on the same interface as that Virtual Site can be made an Internal DHCP Server based Captive Portal. In this case, when you click the Enable link in the Captive Portal column of the Virtual Site table for a Virtual Site which lies on the same interface as the Internal DHCP Server based Captive Portal, the Internal DHCP Server radio button will be disabled, so that the user can only make the Virtual Site an External DHCP Server based Captive Portal.
Editing a Captive Portal Configuration from the Local DHCP table. When the user double-clicks to edit a local DHCP entry that is associated with the Captive Portal from the Local DHCP table under the Advanced Networking menu item, a notification is displayed telling the user that the page will be redirected to the Captive Portal Configuration page for that associated local DHCP entry. Also, the Local DHCP table has a Captive Portal column in which the corresponding Virtual Site name is shown. When the user clicks the OK button, the Captive Portal Configuration page shows up with the appropriate values pre-populated.
Editing a Captive Portal Configuration from the Local DNS table. When the user double-clicks to edit a local DNS entry that is associated with the Captive Portal from the Local DNS table under the Advanced Networking menu item, a notification is displayed telling the user that the page will be redirected to the Captive Portal Configuration page for that associated local DNS entry. Also, the Local DNS table has a Captive Portal column in which the corresponding Virtual Site name is shown. When the user clicks the OK button, the Captive Portal Configuration page shows up with the appropriate values pre-populated.
webserver1.company.com. In this example, the administrator may choose vpnwebserver1.company.com to be mapped to webserver1.company.com. The link on the vpn.company.com portal page will be configured as http://vpnwebserver1.company.com. DNS needs to be configured so that vpnwebserver1.company.com resolves to the vpn.company.com virtual portal's IP address. When the user clicks that link, the request is sent to the SPX (vpn.company.com) and is mapped and forwarded to the backend server webserver1.company.com. Some web applications may have embedded binary objects, for example an applet, Flash or ActiveX. If the binary has hard-coded URLs such as "/dir/file.html", QuickLink can support it; however, hard-coded absolute URLs such as http://webmail1.company.com/dir/file.html are not supported by QuickLink. Note: It is to be expected that QuickLink might not be able to handle certain cases due to non-standard Web programming, application security flaws, new technology, etc.; therefore it is recommended that customers test their applications with QuickLink before deploying them. As described above, each published internal web server or resource needs its own unique hostname or port. When using a unique hostname, users will need to make sure that the hostname resolves to the SPX's virtual portal IP address. It is recommended that administrators deploy a domain wildcard certificate (or add the alternative names to the virtual portal certificate) to avoid certificate alerts. When using unique ports, firewalls must be set to allow the traffic through.
Supported Features with QuickLink include:
ACL Support
SSO
Client-Auth Authentication
HTTP Client Certfield
Custom Rewrite
Book Marking
Portal Theme Configuration
SharePoint (need to configure session cookie expire)
To add a new resource, select the Add a new one radio button. Name the resource (Resource ID). Set the Mode to either Hostname or Port. If using the Hostname mode, supply the actual hostname, URL path, a description of the resource and the link position (for example, a link position of 1 will put that resource at the top of the list). If no link position is specified, the resources are listed in the order they were configured. If using the Port mode, supply the actual port, URL path, a description of the resource and the link position (for example, a link position of 1 will put that resource at the top of the list). If no link position is specified, the resources are listed in the order they were configured.
WebUI Configuration
Make certain you are in Configure Mode for the desired virtual portal and have selected Web Access. Click on the second tab, QuickLink. On this first page, there are two sort-enabled tables of existing configured links and aliases (if applicable). To edit any existing link or alias, simply double-click on the desired entry. To add a new QuickLink resource, click on the Add link.
Click on the desired finishing link (Cancel, Save & Add Another or Save) when complete.
NOTICE: Administrator actions and failures and errors involving individual requests
1. Administrator logins and configuration changes
2. Authentication failures (AAA and SSL client certificate verification)
3. Authorization failures (ACLs and backend file servers)
4. URL filtering hits
5. Traffic denied by Webwall
6. Bad HTTP requests and responses
7. Name resolution failures
INFO: Normal system usage
1. Successful logins, successful logouts, and session timeouts
2. Successful requests and connections
DEBUG: Troubleshooting information used for debugging by Array engineers only.
Audit Logs
All accesses to internal network resources through the Array SPX are logged. A single log entry is generated for each attempted access to the internal network resources. These log entries conform to the WebTrends Extended Log Format (WELF), which includes the following fields:
id       Array SPX
time     Time of event
fw       Hostname of the Array SPX
pri      Log level
vpn      Virtual site ID
user     Username for the user generating the event
proto    Network protocol (HTTP, File, TCP, GRE, UDP or ICMP)
src      IP address for the host that had sent the request
dst      IP address for the server that had sent the response
dstname  Host name for the server that had sent the response
arg      URL or file path of the request
op       HTTP or file access method
result   HTTP or file access result code
rcvd     Number of bytes received from the server that handled the request
sent     Number of bytes sent to the server that handled the request
type     Type of event
msg      Description of event
Example:
id=Array SPX time=2003-10-20 05:17:22 fw=shakedown pri=6 vpn=example.com user=arraymann src=10.10.0.96 type=vpn msg="Authentication failed - credentials rejected"
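As an added example (not from the handbook or from Array Networks), a small Python parser for entries in the WELF layout described above, run over constructed sample lines. It handles the unquoted time value that contains a space and the quoted msg value, then tallies the NOTICE-level authentication failures per source address, which is the first check an operator would run on these logs. The function names, sample field values and the alert threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample entries in the WELF layout the handbook documents.
# Hostnames, users, addresses and counters are made up for illustration.
SAMPLE_LOG = """\
id=Array SPX time=2003-10-20 05:17:22 fw=shakedown pri=6 vpn=example.com user=arraymann src=10.10.0.96 type=vpn msg="Authentication failed - credentials rejected"
id=Array SPX time=2003-10-20 05:17:40 fw=shakedown pri=6 vpn=example.com user=arraymann src=10.10.0.96 type=vpn msg="Authentication failed - credentials rejected"
id=Array SPX time=2003-10-20 05:18:01 fw=shakedown pri=6 vpn=example.com user=bob src=10.10.0.96 type=vpn msg="Authentication failed - credentials rejected"
id=Array SPX time=2003-10-20 05:18:30 fw=shakedown pri=6 vpn=example.com user=alice src=10.10.0.97 proto=HTTP dst=10.1.1.5 dstname=webserver1.company.com arg=/dir/file.html op=GET result=200 rcvd=5120 sent=412 type=vpn msg="Request completed"
"""

# A token is key=value. A value is either a double-quoted string or runs
# until the next " key=" token, so the space inside the time value and the
# space in "Array SPX" are kept with their field instead of splitting it.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|.*?)(?=\s+\w+=|$)')


def parse_welf(line):
    """Parse one WELF entry into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line.strip()):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def auth_failures_by_source(log_text, threshold=2):
    """Count authentication failures per src and return sources at or over threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_welf(line)
        if entry.get("msg", "").startswith("Authentication failed"):
            counts[entry.get("src", "?")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```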
If you choose to proceed to the Array Pilot, the SPX will prompt you whether you'd prefer to have the Array Pilot be the default WebUI each time you log in. Selecting OK will set the Array Pilot as the default, whereas selecting Cancel will still direct you to the Array Pilot for the active session; the next time you log in you will be taken to the Traditional Management Interface.
Switching from Array Pilot to Traditional Management Interface
To exit the Array Pilot and return to the traditional management interface is a five-step process.
(1) Use the Options Selector to access the Troubleshooting Tools page.
(3) Click the Go to Advanced Management mode link at the bottom of the page.
(4) When prompted, "Are you sure you want to go to Advanced Management?", click OK.
Switching from Traditional Management Interface to the Array Pilot
When users wish to leave the traditional management interface, for example to configure DesktopDirect, simply click on the Go to Array Pilot link on the global configuration home page. Once you have made this selection, the SPX will prompt you as to whether or not you would like to save the Array Pilot as your default WebUI. By selecting Cancel or closing the dialogue box, you will be switched to the Array Pilot for this session only.
the Login Authorization feature link and select the Hardware ID tab.
From this page you may enable the HardwareID feature; set the administrator email address, set the limit for how many machines a client may use as well as manage individual groups.
By selecting the Authorization Requests sub-tab, you manage individual users, approving or denying their access requests, or assign a single Machine ID to an entire group.
Supported Browsers
OS\Browser list (rows): WinXP(32b), Vista(32b), Win7(32b), Win7(64b), Win2003(32b), MacOS 10.4, MacOS 10.5, MacOS 10.6(32b), MacOS 10.6(64b), RedHat, SUSE, Fedora, Ubuntu, RedHat(64b), Fedora(64b), SUSE(64b), Ubuntu(64b)
Browser columns: IE 6, IE 7, IE 8, FF 3.6, Safari, Standalone
[Support matrix: the per-cell "Y" marks of the original table are not recoverable from this copy.]