Create and configure users and groups (permissions)

Last adaptation to the version: 14.1.1 (11.2025)

New: This article refers to a Beta version.

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g. https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: Authentication / User


Introduction

The users entered here are stored in a local database on the appliance.
The authentication configured at this point is also performed against the local database.
In addition, local user groups can be assigned to an AD/LDAP group.




User overview

User administration

Name: admin
    Login name of the user
Groups: Administrator
    Group membership of the respective user
Permissions: Firewall administrator
    Authorizations, configured under Groups
Active functions (new as of v14.1.0): Application: SSL VPN, Configured by: User
    Shows which user options are configured.
    Hovering over an icon displays the name of the function and whether the right is assigned via the group or directly. Icons exist for:
    • L2TP is configured
    • An SSL VPN connection is configured
    • A WireGuard connection is configured
    • An IPSec connection is configured
    • The login password may be changed
    • The mail filter is configured
    • Wake on LAN (WOL) is configured
    • The use of OTP is configured/possible
Notes: Expires in 9 hours
    After expiration the user can no longer log in.
Edit / Delete (icons)
    Edit or delete the user
Search
    Searches across all displayed values, including notes and authorizations.
Add user
    Creates a new user (see Add / edit user below).
Delete all expired users
    Does exactly that. Support users are automatically removed 24 hours after the expiry date at the latest.
OTP Codes
    Generates a PDF document with OTP codes in QR format and plain text for all users except the user admin. One OTP code is displayed per page.
Refresh (icon)
    Updates the table.
Full screen (icon)
    Enlarges the display area for the table to the height of the screen.


Support User

The support user is a temporary administrator who can be activated, for example, to be supported by Securepoint support.

• Multiple support users cannot be created at the same time. If a support user already exists, you will be asked whether the existing user should be deleted!

Add Support User

Create new support user: click the Add Support User button to create a new support user. A new dialog opens.

Login name: support-XLP-QHY-EE5
    Arbitrary name beginning with support-. Manual entry is not possible; the button generates a new login name at random.
Password: •••••••••••••••••••
    The Password tab defines the strength of the password and whether the password can be changed by the user.
    Buttons: Show password / Generate new random password
Expiration date: 2023-10-20 12:00:00
    After expiration the user can no longer log in. However, the expiration date can be extended again. (It cannot be set in the past in the web interface!)
Groups: administrator
    By default, the first user group with the authorization Firewall Administrator is entered. You can select other groups that also have this permission.
Root permission: No
    When activated, the user is given additional root privileges. When connecting with SSH, the login is then done directly on the root console!
Download support information (new as of v14.0.0)
    The downloadable support information contains log messages and system information. These may be necessary to solve a support case. It is recommended to download them and attach them to a support ticket.
Copy credentials
    Username and password are copied to the clipboard. The content of the clipboard then looks like this:
    Username: support-NII-Z53-Yk2
    Password: UMC-DP6-FSK-F46-ULD

Before saving, the login name and the password must be noted!
The password can no longer be displayed after saving.

Save
    Clicking the button creates and saves the support user.

CLI command

    user support new name support-4711 password insecure-ChangeTh1s groups administrator expirydate 2024-10-20 12:00 flags ROOT

The support user can also be created via the CLI if required.
The value for the expiration date can be specified either as Unix time (time in seconds since 1.1.1970 00:00) or in the format YYYY-MM-DD HH:MM.

New command: information on the support user can then be retrieved using the command view supportuser (see the wiki article).



General User

Add / edit user

The dialog Add user opens. This dialog contains several tabs. There is no need to make entries in all tabs. The entries are accepted when the dialog is saved.


General

Enter user login data

Login name: admin-user
    Login name of the user
root
    • A user with the name root must also be a member of a group with administrator privileges.
      • This user will then automatically get root permission.
      • After logging on to the appliance via SSH, this user does not end up on the CLI but immediately in the Linux console.
      • This user has extensive diagnostic tools available there, e.g. tcpdump.
      • The root user reaches the Command Line Interface (CLI) with the command spcli and leaves it with exit.
    • The root user should definitely be given a short-term expiration date or be removed immediately after the diagnostic work!
Password: ••••••••
Confirm password: ••••••••
    A strength indicator is shown (here: Very strong).

Passwords must meet the following criteria:
• at least 8 characters length
• at least 3 of the following categories:
  • Upper case
  • Lower case
  • Special characters
  • Digits
Expiration date: 2023-11-01 00:00:00
    After expiration the user can no longer log in. However, the expiration date can be extended again. (It cannot be set in the past in the web interface!)

    The expiration date can also be changed via the CLI:
    user attribute set name testnutzer attribute expirydate value 2023-11-01 00:00

    The value is given as Unix time (time in seconds since 1.1.1970 00:00) or as YYYY-MM-DD HH:MM.
Groups: administrator
    Group membership and therefore authorizations of this user
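As an added example (not Securepoint's or the UTM's own code) of the two expiry formats the CLI accepts for the support user and for the user attribute expirydate, Unix time or YYYY-MM-DD HH:MM, and of the rule that an expiry cannot lie in the past, the following Python helper parses both forms, rejects anything else, renders a value back into the textual CLI form, and computes the derived deadlines this page mentions (the 24-hour shift of the captive-portal +/- buttons and the 24 hours after which an expired support user is removed). The assumption that textual dates are interpreted as UTC is mine; the appliance uses its own configured time zone.

```python
"""Expiry-date helpers for UTM user attributes (added example, not
Securepoint code). The CLI accepts the expiry either as Unix time (seconds
since 1.1.1970 00:00) or as the string YYYY-MM-DD HH:MM; the web interface
refuses dates in the past."""
from datetime import datetime, timedelta, timezone

EXPIRY_FORMAT = "%Y-%m-%d %H:%M"            # textual form documented on the page
SUPPORT_USER_GRACE = timedelta(hours=24)    # expired support users are removed within 24 h


def parse_expiry(value, now=None):
    """Return the expiry as an aware UTC datetime.

    `value` is an int/str of Unix seconds or a 'YYYY-MM-DD HH:MM' string.
    `now` may be None (current UTC time), an aware datetime, or Unix seconds.
    Assumption: textual values are read as UTC (the appliance uses its own
    time zone). Raises ValueError for malformed input or for a date that is
    not strictly in the future relative to `now`.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, int):
        now = datetime.fromtimestamp(now, tz=timezone.utc)
    text = str(value).strip()
    if text.isdigit():                       # Unix time form
        expiry = datetime.fromtimestamp(int(text), tz=timezone.utc)
    else:                                    # YYYY-MM-DD HH:MM form
        try:
            expiry = datetime.strptime(text, EXPIRY_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            raise ValueError(
                f"expiry must be Unix time or YYYY-MM-DD HH:MM, got {text!r}") from None
    if expiry <= now:
        raise ValueError(f"expiry {expiry:%Y-%m-%d %H:%M} is not in the future")
    return expiry


def to_cli_value(expiry):
    """Render an expiry in the textual form accepted by the CLI."""
    return expiry.strftime(EXPIRY_FORMAT)


def shift_expiry(expiry, hours):
    """Shorten (negative) or extend (positive) an expiry by whole hours,
    like the -/+ 24 h buttons of the captive-portal dialog."""
    return expiry + timedelta(hours=hours)


def support_user_removal_deadline(expiry):
    """Latest time at which an expired support user is removed automatically."""
    return expiry + SUPPORT_USER_GRACE


if __name__ == "__main__":
    ref = datetime(2023, 10, 1, tzinfo=timezone.utc)     # constructed "now"
    exp = parse_expiry("2023-11-01 00:00", now=ref)
    print("user attribute set name testnutzer attribute expirydate value", to_cli_value(exp))
    print("same instant as Unix time:", int(exp.timestamp()))
    print("support user removed by:", to_cli_value(support_user_removal_deadline(exp)))
```

Run it before pasting a date into the CLI: a value that raises here would also be refused by the web interface, and the Unix-time output lets you cross-check the two notations against each other.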


VPN

Here fixed tunnel IP addresses can be assigned to the users.

L2TP
Define IP tunnel addresses
L2TP IP Address:
    The tunnel IP address for L2TP

SSL-VPN
IPv4 Address:
    The tunnel IPv4 address for SSL-VPN
IPv6 Address:
    The tunnel IPv6 address for SSL-VPN

WIREGUARD
IPv4 Peer Address:
    The tunnel IPv4 address for WireGuard.
    This option configures WireGuard's AllowedIPs for the user's client; the IPs of the peers are stored in the UTM as allowed IPs.
IPv6 Peer Address:
    The tunnel IPv6 address for WireGuard.
    This option configures WireGuard's AllowedIPs; the IPs of the peers are stored in the UTM as allowed IPs.
Private key:
    Private key to be used for a user-related WireGuard connection.
    By clicking the button, the key management can be opened and a key can be created.

IPSEC
EAP-MSCHAPV2 Password:
    The password for EAP-MSCHAPV2.
    For security reasons, the EAP password should differ from the user's general password.

    This HowTo describes the configuration of IPSec EAP.

• PPTP is no longer available because it has been proven to be an insecure protocol.

WireGuard

WireGuard settings for user
Use settings from the group: Off (default)
    When enabled, the WireGuard settings from the group are used.
Configuration downloadable in the user interface: On
    The configuration can be downloaded in the user interface.
WireGuard connection: wg_roadwarrior
    WireGuard connection that this user should use.
Endpoint: 192.168.175.1
    IP address or host name of the UTM. Must only be set if the UTM is not accessible via the firewall name.
Endpoint port: 51820
    The port of the associated endpoint. This must be between 49152 and 65535.
Pre-Shared Key: **************
    Enter the pre-shared key of the WireGuard connection.
    Generate: generates a very strong pre-shared key.
    Copy to clipboard: copies the pre-shared key to the clipboard.
Keepalive: On, 25 sec
    When activated, the keepalive interval can be set in seconds.


SSL-VPN

SSL-VPN settings for users

Use group settings: No
    If the user is a member of a group, the settings can be adopted from there. The following settings are then greyed out here and are to be configured in the menu Authentication / Users, area Groups.
Client downloadable in the user interface: Yes
    The Securepoint VPN Windows client can be downloaded from the user web interface (accessible via port 1443 by default). The port is configurable under Network / Server settings, tab Server settings, button Webserver, User Webinterface Port: 1443.
SSL VPN connection: RW-Securepoint
    Selection of a connection created in the VPN / SSL-VPN menu.
Client certificate: CC Roadwarrior
    A certificate must be specified that the client uses to authenticate itself to the UTM. It is also possible to use ACME certificates.
Remote Gateway: 192.168.175.1 (example IP)
    External IP address or DNS-resolvable address of the gateway to which the connection is to be established.
Redirect Gateway:
    by Default-Route-Splitting (new as of v14.1.1)
        All data traffic is routed through the tunnel. The VPN tunnel acts as the primary default gateway. If the tunnel does not respond, the regular default gateway is used.
    by replacing the default gateway (deprecated)
        All data traffic is routed through the tunnel. Completely replaces the default gateway (without fallback).
    Off
        Only destinations behind the VPN are routed through the tunnel. The default gateway is used for all other destinations.
Installer (new as of v14.1.1)
    • ARM-64 version available
    • Portable x64 and ARM-64 version available
    • Windows client available
    • The buttons are only displayed for users that have already been created.
    • Downloads an installer with which one can either
      • install the current Windows VPN client, or alternatively
      • download and use the Windows VPN client as a portable version (without installation).
    The installed client updates itself automatically when new updates are released, independently of the UTM version.
Configuration
    Downloads the configuration files for any VPN client. The file contains the necessary configuration files and certificates in the folder local_firewall.securepoint.local.tblk.
Configuration with certificate (new as of v14.0.1)
    Downloads the configuration file for any VPN client. The certificates are written directly to the ovpn file.
    The file name contains the user name and (as of v14.1.1) the type of file (installer, portable, config, or inline).



Password

The Password tab defines the strength of the password and whether the password can be changed by the user.

Setting the password properties
Password change allowed: Off
    Determines whether the user can change his or her password in the user interface.
Minimum password length: 8
    The minimum password length can be set to more than 8 characters.

Passwords must meet the following criteria:
• at least 8 characters length
• at least 3 of the following categories:
  • Upper case
  • Lower case
  • Special characters
  • Digits
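The password criteria above (stated for the General tab and again here, with the minimum length configurable upwards in this tab) can be checked before a password is handed to a user or typed into the CLI. The following Python check is an added example, not Securepoint code and not the appliance's own validator; it reports every violated criterion rather than a bare yes/no. The reading of "special characters" as any character that is neither a letter nor a digit is my assumption, since the page does not define the category.

```python
"""Password-policy check mirroring the criteria documented on this page
(added example, not Securepoint code): at least `min_length` characters
(8 by default, configurable upwards in the Password tab) and characters
from at least 3 of the 4 categories upper case, lower case, digits and
special characters."""
import string

MIN_LENGTH_DEFAULT = 8
MIN_CATEGORIES = 3
ALL_CATEGORIES = ("upper case", "lower case", "digits", "special characters")

# Assumption: "special characters" means anything that is not a letter or a digit.
_UPPER = set(string.ascii_uppercase)
_LOWER = set(string.ascii_lowercase)
_DIGIT = set(string.digits)


def categories_present(password):
    """Return the set of category names that occur in `password`."""
    found = set()
    for ch in password:
        if ch in _UPPER:
            found.add("upper case")
        elif ch in _LOWER:
            found.add("lower case")
        elif ch in _DIGIT:
            found.add("digits")
        else:
            found.add("special characters")
    return found


def check_password(password, min_length=MIN_LENGTH_DEFAULT):
    """Return a list of violated criteria; an empty list means the password passes.

    `min_length` may only be raised above the default, as in the Password tab.
    """
    if min_length < MIN_LENGTH_DEFAULT:
        raise ValueError("the minimum length can only be raised above 8, not lowered")
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = categories_present(password)
    if len(present) < MIN_CATEGORIES:
        missing = [name for name in ALL_CATEGORIES if name not in present]
        problems.append(
            f"only {len(present)} of 4 character categories used (missing: {', '.join(missing)})")
    return problems


def password_ok(password, min_length=MIN_LENGTH_DEFAULT):
    """True when `password` satisfies every criterion."""
    return not check_password(password, min_length)


if __name__ == "__main__":
    # constructed sample passwords, including the generated one shown on this page
    for candidate in ("password", "Abcdefg1", "UMC-DP6-FSK-F46-ULD"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The returned list is what you would surface to a user or log when a candidate password is rejected; the minimum-length argument corresponds to the Minimum password length setting of this tab.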


Mailfilter

Use group settings: No
    If the user is a member of a group, the settings can be applied from there. The following settings are then hidden here and can be configured in the menu Authentication / Users / Groups.
Allow downloads of following attachments: None (default)
    In the user interface, the user can download attachments of mails that meet certain criteria.
    • None
    • Filtered but not quarantined
      This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
    • Quarantined but not filtered
      This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
    • Quarantined and/or filtered
      This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
Allow forwarding of the following e-mails: Quarantined but not filtered (default)
    In the user interface, the user can forward attachments of mails that meet certain criteria.
    • None
    • Filtered but not quarantined
    • Quarantined but not filtered (default)
      This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
    • Quarantined and/or filtered
      This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
    The permission Mailfilter Administrator overrides this configuration with the default value (updated).
Reports E-Mail Address
    If several mail addresses for a user are stored in an AD, the entry configured there as Primary SMTP address is used as the default address.
Report language: Default
    Language of reports. Default is the setting under Network / Server settings / Firewall. It can be specifically selected: German or English.
Email Addresses
    Adding an email address to the list, e.g. user@ttt-point.de: email accounts that can be viewed by this user to control the mail filter. Entries are removed with the delete button.


WOL

WOL stands for Wake on LAN and switches on a computer via the network card. In order to start the computer via a data packet, the computer must also support this. This is usually configured in the BIOS or UEFI.

• After logging into the user interface, the user can trigger a WOL for devices entered here.
• 2 magic packets are sent via UDP to destination ports 7 and 9.
• The magic packets can also be sent in VLANs (new as of v12.7.0).

Configure Wake on Lan
Description:
    Free text
MAC address: __:__:__:__:__:__
    MAC address of the computer to be activated via Wake on Lan.
Interface: LAN1
    Interface of the appliance via which the WOL packet must be sent.
Buttons: add another device for WOL, call the entry for editing, delete the item.

    OTP

    There is a separate page in the wiki for the OTP settings.



Groups

Some settings described in the Users section can also be set for the entire group. However, the settings for the individual user replace the group settings.


Permissions

Add group
Group Name:
    Choose the name freely.
Permissions
Firewall administrator
    Members of this group can call the admin interface (by default accessible on port 11115).
    There must always be at least one firewall administrator.
Spamreport
    Members of this group can receive a spam report.
VPN-L2TP
    Members of this group can establish a VPN-L2TP connection.
Mailrelay User
    Members of this group can use the Mailrelay.
    • TLS/SSL encryption is required for authentication.
    • This permission is NOT required to access the quarantined emails.
HTTP-Proxy
    Members of this group can use the HTTP proxy.
IPSEC XAUTH
    Members of this group can authenticate themselves with IPSEC.
IPSEC EAP
    Members of this group can authenticate for IPSec connections with IKEv2 using Microsoft CHAPv2.
Userinterface
    Members of this group have access to the user interface (including mailfilter).
Clientless VPN
    Members of this group can use clientless VPN.
Mailfilter Administrator
    Members of this group, in combination with the Userinterface right, have access to all emails that are temporarily stored in the UTM's mail archive, regardless of whether they are legitimate recipients or senders of these emails.
    • Overwrites the manually set value of "Allow forwarding of the following emails:" with the value Quarantined but not filtered for this group (updated).
SSL-VPN
    Members of this group can establish an SSL VPN connection.
WireGuard
    Members of this group can establish a WireGuard connection.
User interface administrator
    Members of this group can access the Captive Portal user administration via the user interface.


Clientless VPN

Connections created under VPN / Clientless VPN are displayed here.
Open clientless VPN administration: here you can configure and add connections.

Name
    Name of the connection
Access: Off
    If activated, members of this group can use this connection.

Further information in the article on Clientless VPN.


WireGuard

WireGuard settings for group
Configuration downloadable in the user interface: On
    The configuration can be downloaded in the user interface.
WireGuard connection: wg_roadwarrior
    WireGuard connection that the members of this group should use.
Endpoint: 10.0.0.1
    IP address or host name of the UTM. Must only be set if the UTM is not accessible via the firewall name.
Endpoint port: 51820
    The port of the associated endpoint. This must be between 49152 and 65535.
Pre-Shared Key: **************
    Enter the pre-shared key of the WireGuard connection.
    Generate: generates a very strong pre-shared key.
Keepalive: On, 25 sec
    When activated, the keepalive interval can be set in seconds.


SSL-VPN

This is where settings for the SSL VPN are configured for an entire group.
All users share the same certificate when using the group settings!
SSL VPN settings of individual users override the group settings.

SSL VPN group settings
Client downloadable in the user interface: No
    If enabled, the VPN client can be downloaded in the user interface.
SSL VPN connection: RW-Securepoint
    Select the preferred connection (created under VPN / SSL-VPN).
Client certificate: cs-sslvpn-rw
    Select the certificate for this group (created under Authentication / Certificates, area Certificates). It is also possible to use ACME certificates.
Remote Gateway: 203.0.113.0
    IP address of the gateway on which the SSL VPN clients dial in. Free input or selection via drop-down menu.
Redirect Gateway: Off
    Requests to destinations outside the local network (and thus also outside the VPN) are usually routed directly to the Internet by the VPN user's gateway. When set to On, the local gateway is redirected to the UTM, so these packets also benefit from the protection of the UTM.
    This setting changes the configuration file for the VPN client.
Use in packet filter: No
    When set to Yes, rules for this group can be created in the packet filter. This can be used to control access for users who are members of this group and are connected via SSL VPN.



Directory Service

AD/LDAP group assignment

Here you can specify which directory service group the members of this user group should belong to.
In order for a group to be selected here, a corresponding connection must be configured under Authentication / AD/LDAP Authentication.
AD/LDAP group:
    Selection of an AD/LDAP group



Mailfilter

Configuring mail filters for groups

The authorization Userinterface must be set to On.

Allow downloads of following attachments: None (default)
    Members of this group can download attachments from mails in the user interface that meet certain criteria.
    • None
    • Filtered but not quarantined
      This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
    • Quarantined but not filtered
      This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
    • Quarantined and/or filtered
      This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
Allow forwarding of following emails: Quarantined but not filtered (default)
    Members of this group can forward emails in the user interface that meet certain criteria.
    • None
    • Filtered but not quarantined
    • Quarantined but not filtered (default)
      This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
    • Quarantined and/or filtered
      This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
    The permission Mailfilter Administrator overrides this configuration with the default value (updated).
Report email address:
    Email address to which a spam report is sent. If no entry is made here, the spam report is sent to the first email address in the list.
    If several mail addresses for a user are stored in an AD, the entry configured there as Primary SMTP address is used as the default address.
Report language: Default
    Language of reports. Default is the setting under Network / Server settings / Firewall. It can be specifically selected: German or English.
Email address
    Adding a mail address to the list, e.g. support@ttt-point.de: email accounts that can be viewed by members of this group to control the mail filter. Entries are removed with the delete button.


WOL

WOL stands for Wake on LAN and switches on a computer via the network card. In order to start the computer via a data packet, the computer must also support this. This is usually configured in the BIOS or UEFI.

• After logging into the user interface, the user can trigger a WOL for devices entered here.
• 2 magic packets are sent via UDP to destination ports 7 and 9.
• The magic packets can also be sent in VLANs (new as of v12.7.0).

Configure Wake on Lan
Description:
    Free text
MAC address: __:__:__:__:__:__
    MAC address of the computer to be activated via Wake on Lan.
Interface: LAN1
    Interface of the appliance via which the WOL packet must be sent.
Buttons: add another device for WOL, call the entry for editing, delete the item.
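Both WOL tabs (per user above and per group here) state only that two magic packets go out via UDP to destination ports 7 and 9. The following Python code is an added example, not Securepoint code and not what the appliance itself runs: it builds the standard magic packet (six 0xFF bytes followed by the target MAC repeated 16 times), rejects the unfilled __:__:__:__:__:__ placeholder of the MAC address field, and includes a verifier that a capture on the selected interface can be run through to confirm the appliance emitted a well-formed packet for the configured MAC. The broadcast address and the optional sending function are my assumptions for a stand-alone test; the ports come from the page.

```python
"""Wake-on-LAN magic packet construction and verification (added example,
not Securepoint code). The page states that the UTM sends two magic packets
via UDP to destination ports 7 and 9; the payload layout used here
(6 x 0xFF followed by the target MAC 16 times) is the standard WOL format."""
import re
import socket

WOL_PORTS = (7, 9)             # destination ports named on the page
MAGIC_PACKET_LEN = 6 + 16 * 6  # 102 bytes


def parse_mac(text):
    """Return the 6 raw bytes of a MAC written as aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff
    or aabbccddeeff. Raises ValueError for the form placeholder or any malformed value."""
    clean = re.sub(r"[:-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", clean):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(clean)


def build_magic_packet(mac):
    """Build the 102-byte magic packet for `mac`: 6 x 0xFF + MAC x 16."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def is_magic_packet(data, mac=None):
    """True if `data` is a well-formed magic packet (for `mac`, when given).

    Intended for checking captured UDP payloads on the WOL interface, e.g. to
    confirm the appliance sent what the WOL tab configured."""
    if len(data) != MAGIC_PACKET_LEN or data[:6] != b"\xff" * 6:
        return False
    target = data[6:12]
    if data[6:] != target * 16:
        return False
    return mac is None or target == parse_mac(mac)


def send_wol(mac, broadcast="255.255.255.255", ports=WOL_PORTS):
    """Send one magic packet per port as a UDP broadcast and return the count sent.
    Needs network access and is deliberately not called at import time."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        for port in ports:
            sock.sendto(packet, (broadcast, port))
    return len(ports)


if __name__ == "__main__":
    pkt = build_magic_packet("00:11:22:33:44:55")   # constructed sample MAC
    print(len(pkt), pkt[:6].hex(), is_magic_packet(pkt, "00-11-22-33-44-55"))
```

To check the appliance's behaviour rather than this script's, capture UDP traffic to ports 7 and 9 on the interface chosen in the WOL tab, trigger the WOL from the user interface, and feed each captured payload to is_magic_packet with the configured MAC; two matching packets are expected per trigger.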

Captive Portal User

Captive Portal users must authenticate themselves and agree to the terms of use when they connect to an appropriately configured network. Only then is network access released, according to the port filter rules.

Firewall users who are members of a group with the permission Userinterface Administrator set to On (Authentication / User, area Groups) can access the Captive Portal user management via the user interface (by default on port 443).


Add user

Captive Portal users can be managed by:

• Administrators
• Users who are members of a group with the permission Userinterface Administrator.
  They reach the user administration via the user interface.

Add Captive Portal User
Login name: user-DGS-6UM
    Randomly generated login name. Once generated, login names cannot be changed after saving.
Password: IH3-FF5-BSP-APZ-USC
    Randomly generated password. The login name and password can be regenerated with the button. Once saved, passwords cannot be displayed again.
Expiry date: yyyy-mm-dd hh:mm:ss
    Limits the validity of the credentials. The - and + buttons shorten or extend the expiry date by 24 hours from the current time.
Print and save
    Saves and closes the dialogue, creates an HTML page with the username and password and opens the print dialogue.
Save (icon)
    Saves the information and closes the dialogue.
    • The password can then no longer be displayed. However, a new password can be created at any time.
Cancel (icon)
    Closes the dialogue without saving changes.