User administration

From Securepoint Wiki

Creating and Configuring Users and Groups (Authorizations)

Last adaptation to the version: 11.8.6 (11.2019)


Previous versions: 11.7 | 11.8.5


Preamble

Open the user configuration in the navigation bar under → Authentication → Users.

The users entered here are stored in a local database on the appliance, and the authentication configured at this point is performed against that local database.
In addition, local user groups can be assigned to an AD/LDAP group.

Users

User administration
Caption | Value | Description
Name | admin | Login name of the user
Groups | administrator | Group membership of the respective user
Permissions | Firewall Administrator | Authorizations; configured under Groups
Notes | | 
Expires in | 8 hours | After expiration the user can no longer log in.
Edit / delete icons | | Edit or delete the user



Support user

Creating a Support User

The support user is a temporary administrator who can be activated, for example, so that Securepoint support can assist.

The button for creating a support user is located in the upper right corner of the dashboard (headset icon).

Multiple support users cannot be created at the same time. If a support user already exists, you will be asked whether the existing user should be deleted!


Caption | Value | Description
Login name: | support-N3e-oDt | A random name that begins with support-. It can only be changed via the icon next to the field; manual input is not possible.
Password: | red-SZZ-sIa-dCB | A random password. It can only be changed via the icon next to the field; manual input is not possible.
Expiration date: | 2019-08-20 11:11:11 | By default, the access for the support user expires after 24 hours. This value can be extended up to 30 days. For support users, it cannot be changed afterwards.
Groups: | administrator | By default, the first user group with the Firewall Administrator permission is entered. Other groups that also have this permission can be selected.
Root permission: | No | With Yes, the user is additionally given root privileges. When connecting with SSH, the login then goes directly to the root console!
Administration (new since 11.8.6)
Enable access for the Securepoint support: | Yes | To enable access to the admin interface via the external interface, the entry support.de.securepoint.de is added under → Network → Server Settings → Administration. If the entry already exists, the button is active but cannot be disabled.


 
Before saving, the login name must be noted, and the password should be noted as well!
The password can no longer be displayed after saving.

Both values can be copied to the clipboard.

Expired user accounts are automatically removed after a certain period of time.




Add user

+ Add user

The dialog Add user opens. This dialog contains several tabs. There is no need to make entries in all tabs. With Save the entries are accepted.

General

Enter user login data
Caption | Value | Description
Login name | admin-user | Login name of the user
Password / Confirm Password | •••••••• (Strong) | Passwords must meet the following criteria:
  • at least 8 characters in length
  • at least 3 of the following 4 categories:
    • uppercase letters
    • lowercase letters
    • special characters
    • numerals
Expiry date | 2020-08-21 00:00:00 | After expiration the user can no longer log in. The expiration date can be extended again. (It cannot be set in the past in the web interface!)

The expiration date can also be changed via the CLI:
  user attribute set name testnutzer attribute expirydate value 1576553166

The value is given as Unixtime (seconds since 1970-01-01 00:00 UTC).
Groups | administrator | Group membership and therefore authorizations of this user
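The CLI command above takes the expiry date as Unixtime, while the web interface shows it as a date and refuses values in the past. As an added illustration (not part of the Securepoint documentation and not UTM code), the following Python helpers convert between the two representations, re-apply the "not in the past" check before a command is generated, and assemble the command line shown on the page. The user name testnutzer and the timestamp 1576553166 are the page's own example values; the function names, the UTC interpretation of the date and the constructed "now" values are my assumptions.

```python
from datetime import datetime, timezone
from typing import Optional

# Format of the Expiry date field in the web interface. The date is interpreted
# as UTC here (assumption: appliance clock in UTC; adjust tzinfo otherwise).
DATE_FMT = "%Y-%m-%d %H:%M:%S"


def unixtime_to_iso(ts: int) -> str:
    """Render a Unixtime value the way the web interface displays expiry dates."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime(DATE_FMT)


def expiry_to_unixtime(expiry: str, now_unixtime: Optional[int] = None) -> int:
    """Convert 'YYYY-MM-DD HH:MM:SS' to Unixtime, refusing dates that are not in the future.

    now_unixtime lets a caller (or a test) pin the reference time; by default the
    current UTC time is used.
    """
    if now_unixtime is None:
        now_unixtime = int(datetime.now(timezone.utc).timestamp())
    dt = datetime.strptime(expiry, DATE_FMT).replace(tzinfo=timezone.utc)
    ts = int(dt.timestamp())
    if ts <= now_unixtime:
        # Mirrors the web interface rule: an expiry in the past would lock the user out at once.
        raise ValueError(f"expiry {expiry} is not in the future")
    return ts


def is_valid_expiry(expiry: str, now_unixtime: Optional[int] = None) -> bool:
    """True if the expiry parses and lies in the future, False otherwise."""
    try:
        expiry_to_unixtime(expiry, now_unixtime)
        return True
    except ValueError:
        return False


def expiry_cli_command(user: str, ts: int) -> str:
    """Build the CLI command from the page for the given user and Unixtime."""
    return f"user attribute set name {user} attribute expirydate value {ts}"


if __name__ == "__main__":
    # The page's example value 1576553166 corresponds to 2019-12-17 03:26:06 UTC.
    print(unixtime_to_iso(1576553166))
    # Constructed reference time: 2019-11-01 00:00:00 UTC = 1572566400
    ts = expiry_to_unixtime("2020-08-21 00:00:00", now_unixtime=1572566400)
    print(expiry_cli_command("testnutzer", ts))
```

Because the web-interface check does not apply to the CLI path, any script that produces the command should keep the future check rather than trusting its input.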



VPN

Define IP Tunnel Addresses

Fixed IP tunnel addresses can be assigned to the user here:
  • L2TP IP Address:
  • SSL-VPN IPv4 Address:
  • SSL-VPN IPv6 Address:

PPTP is no longer available because it has been proven to be an insecure protocol.


SSL-VPN

SSL VPN Settings for Users

Caption | Value | Description
Use settings from the group: | No | If the user is a member of a group, the settings can be applied from there. The following settings are then hidden here and are configured under → Authentication → Users / Groups.
Client can be downloaded in the user interface: | Yes | The Securepoint VPN Windows client can be downloaded from the user web interface (accessible via port 1443 by default). The port can be configured under → Network → Server Settings / Server Settings / Web Server / User Web Interface Port: 1443.
SSL-VPN connection: | RW-SSL VPN Connection | Selection of a connection created in the → VPN → SSL-VPN menu.
Client certificate: | RW-SSL-VPN Certificate | A certificate must be specified with which the client authenticates itself to the UTM.
Remote Gateway: | 192.168.175.1 (example IP) | External IP address or DNS-resolvable address of the gateway to which the connection is established.
Redirect Gateway: | No | When enabled, all network traffic from the client is sent through the selected gateway.

After Save and Edit, the following downloads are also available:
Installer | Downloads the Securepoint VPN Windows client. A zip file named after the respective user (user.zip) is created. It contains the installation program for the Securepoint VPN Windows client together with the associated configuration files and certificates.
Portable Client | Downloads a portable version of the Securepoint VPN Windows client. A zip file named after the user (user.zip) is created. It contains Start-SSL-VPN-Client.exe with the corresponding configuration files and certificates.
Configuration of the | Downloads the configuration files for any VPN client. A zip file named after the respective user (user.zip) is created. It contains the necessary configuration files and certificates in the folder local_firewall.securepoint.local.tblk.


Password

Setting the Password Properties

The Password tab defines the required password strength and whether the user may change the password.

Caption | Default | Description
Password change allowed: | Off | Determines whether the user can change his or her password in the user interface.
Minimum password length: | 8 | The minimum password length can be set to more than 8 characters.

Passwords must meet the following criteria:
  • at least 8 characters in length
  • at least 3 of the following 4 categories:
    • uppercase letters
    • lowercase letters
    • special characters
    • numerals
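The password rules above (the General tab's criteria list and the configurable minimum length of the Password tab) are simple enough to encode, which is useful when passwords are provisioned from a script rather than typed into the dialog. The following Python checker is an added example, not Securepoint code, and implements exactly those two rules: a configurable minimum length (8 by default) and at least 3 of the 4 character categories. The function names and the choice to treat every non-ASCII-alphanumeric character as a "special character" are my assumptions; the appliance's own classification of non-ASCII letters is not documented on the page.

```python
import string

# The three alphanumeric categories from the page; "special characters" is
# derived below as "anything else" (assumption: non-ASCII letters count as special).
CATEGORIES = {
    "uppercase letters": frozenset(string.ascii_uppercase),
    "lowercase letters": frozenset(string.ascii_lowercase),
    "numerals": frozenset(string.digits),
}
ALNUM = frozenset(string.ascii_letters + string.digits)


def categories_present(password: str) -> list:
    """Return the names of the character categories that occur in the password."""
    found = [name for name, chars in CATEGORIES.items() if any(c in chars for c in password)]
    if any(c not in ALNUM for c in password):
        found.append("special characters")
    return found


def check_password(password: str, min_length: int = 8, min_categories: int = 3) -> list:
    """Return a list of policy violations; an empty list means the password is accepted.

    min_length mirrors the Password tab's 'Minimum password length' (8, or higher if configured);
    min_categories mirrors the '3 of 4 categories' rule.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = categories_present(password)
    if len(present) < min_categories:
        problems.append(f"only {len(present)} of 4 character categories; {min_categories} required")
    return problems


def is_acceptable(password: str, min_length: int = 8) -> bool:
    """Convenience wrapper: True when the policy is met."""
    return not check_password(password, min_length)


if __name__ == "__main__":
    # Constructed sample passwords (not from the page)
    for candidate in ["Password1", "password", "Pa$1", "Tr0ub4dor&"]:
        print(candidate, check_password(candidate) or "ok")
```

Raising min_length in the checker is the scripted counterpart of raising "Minimum password length" in the Password tab; the category rule stays fixed, as on the appliance.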


Mailfilter

Caption | Default | Description
Use group settings: | No | If the user is a member of a group, the settings can be applied from there. The following settings are then hidden here and are configured under → Authentication → Users / Groups.
Email address | user@ttt-point.de | Email accounts that this user can view in order to control the mail filter. Entries are deleted with the delete icon.
Email address + | | Adds an email address to the list.
Allow downloads of following attachments: | No (Default) | New since 11.8.6. In the user interface, the user can download attachments from emails that meet certain criteria.
Allow forwarding of following emails: | Quarantined, but not filtered | New since 11.8.6. In the user interface, the user can forward emails that meet certain criteria. Possible values:
  • No
  • Filtered but not quarantined (Default)
  • Quarantined but not filtered (this function should only be allowed for experienced users!)
  • Quarantined and/or filtered (this function should only be allowed for experienced users!)
Report email address: | | Email address to which a spam report is sent. If no entry is made here, the spam report is sent to the first email address in the list.
Report language: | Default | Default is taken from → Network → Server settings → Firewall → Language of reports. German or English can be selected specifically.



WOL

Configure Wake on LAN

WOL stands for Wake on LAN and switches on a computer via its network card. For the computer to be started by a data packet, the computer itself must support this; this is usually configured in the BIOS or UEFI.

For a user to be able to use WOL, the host must be configured here!

Caption | Default | Description
Description: | | Free text
MAC address: | __:__:__:__:__:__ | MAC address of the computer to be switched on via Wake on LAN.
Interface: | eth0 | Interface of the appliance via which the WOL packet is sent.

Edit icon: calls the entry for editing.
Delete icon: deletes the entry.


Groups

Add groups

Some settings described in the Users section can also be set for the entire group. However, the settings for the individual user replace the group settings.

Permissions

Caption | Description
Group Name: | Freely definable name
Permissions |
Firewall Admin | Members of this group can call the admin interface (by default accessible on port 11115). There must always be at least one firewall administrator.
Spamreport | Members of this group can receive a spam report.
VPN-L2TP | Members of this group can establish a VPN-L2TP connection.
Mailrelay User | Members of this group can use the mail relay.
HTTP Proxy | Members of this group can use the HTTP proxy.
IPSEC XAUTH | Members of this group can authenticate themselves with IPsec XAUTH.
Userinterface | Members of this group have access to the user interface.
Clientless VPN | Members of this group can use Clientless VPN.
Mailfilter Administrator | Members of this group can make settings for the mail filter.
SSL-VPN | Members of this group can establish an SSL VPN connection.



Clientless VPN

This tab is only displayed if the Clientless VPN permission has been switched On in the Permissions tab.

Connections created under → VPN → Clientless VPN are displayed here.

Clientless VPN
Name | | Name of the connection
Access | No | If set to Yes, members of this group can use this connection.

Open Clientless VPN Administration: here connections can be configured and added.
Alternatively via → VPN → Clientless VPN.

Further information in the article on Clientless VPN.

SSL-VPN

SSL VPN group settings

Here you can configure SSL VPN settings for the entire group.
All users use the same certificate when the group settings are used!
SSL-VPN settings of individual users overwrite the group settings.

Caption | Default | Description
Client downloadable from Userinterface: | No |
SSL-VPN connection: | | Selection of the desired connection (created under → VPN → SSL-VPN)
Client certificate: | | Selection of the certificate for this group (created under → Authentication → Certificates / Certificates)
Remote Gateway: | | External IP address of the gateway on which the SSL VPN clients dial in. Free entry or selection via drop-down menu.
Redirect Gateway: | Off | Requests to destinations outside the local network (and thus also outside the VPN) are usually routed directly to the Internet via the VPN user's own gateway. If the button is set to On, the client's default gateway is redirected to the UTM, so that these packets also benefit from the UTM's protection. This setting changes the configuration file for the VPN client.
Available in port filter: | No | By activating Yes, rules for this group can be created in the port filter. This controls access for users connected via SSL-VPN who are members of this group. Further information in the article on Identity Based Firewall (IBF).

Directory Service

AD/LDAP group assignment

Here you can specify which directory service group the members of this user group belong to.
For a group to be selectable here, a corresponding connection must be configured under → Authentication → AD/LDAP Authentication.

Selection of an AD/LDAP group


Mailfilter

Configuring mail filters for groups

The Userinterface permission (On) is required.

Caption | Default | Description
Email address | support@ttt-point.de | Email accounts that members of this group can view in order to control the mail filter. Entries are deleted with the delete icon.
Email address + | | Adds a mail address to the list.
Allow downloads of following attachments: | No (Default) | Members of this group can download attachments from mails in the user interface that meet certain criteria.
Allow forwarding of following emails: | Quarantined, but not filtered | Members of this group can forward emails in the user interface that meet certain criteria. Possible values:
  • No
  • Filtered but not quarantined (Default)
  • Quarantined but not filtered (this function should only be allowed for experienced users!)
  • Quarantined and/or filtered (this function should only be allowed for experienced users!)
Report email address: | | New since 11.8.5. Email address to which a spam report is sent. If no entry is made here, the spam report is sent to the first email address in the list.
Report language: | Default | Default is taken from → Network → Server settings → Firewall → Language of reports. German or English can be selected specifically.


WOL

Configuring Wake on LAN

WOL stands for Wake on LAN and switches on a computer via its network card. For the computer to be started by a data packet, the computer itself must support this; this is usually configured in the BIOS or UEFI.

Members of this group may switch on the hosts entered here by WOL.

Caption | Default | Description
Description: | | Free text
MAC address: | __:__:__:__:__:__ | MAC address of the computer to be switched on via Wake on LAN.
Interface: | eth0 | Interface of the appliance via which the WOL packet is sent.

Edit icon: calls the entry for editing.
Delete icon: deletes the entry.
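Both WOL sections (the per-user one and this group one) only ask for a MAC address and the appliance interface, without saying what the appliance actually sends. The standard Wake-on-LAN "magic packet" is 6 bytes of 0xFF followed by the target MAC address repeated 16 times, usually carried in a UDP broadcast; this is general WOL knowledge, not something the page documents about the UTM. The following Python block is an added example (not Securepoint code) that validates a MAC address in the form the dialog's input mask suggests and builds such a packet; sending is left as a separate function so that the packet can be inspected offline. The MAC address 00:11:22:33:44:55, the function names and the source-address binding (the script's stand-in for the "Interface" field) are constructed assumptions.

```python
import re
import socket
from typing import Optional

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_mac(text: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 bytes; reject anything else."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(HEX_PAIR.match(p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def is_valid_mac(text: str) -> bool:
    """True if parse_mac accepts the string."""
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False


def magic_packet(mac: str) -> bytes:
    """Standard WOL magic packet: 6 x 0xFF, then the MAC address repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9,
                      source_ip: Optional[str] = None) -> int:
    """Send the packet as a UDP broadcast and return the number of bytes sent.

    source_ip (assumption) binds the socket to one interface's address, which is how a
    plain script chooses the outgoing interface; the UTM dialog does this via 'Interface'.
    """
    packet = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        if source_ip:
            sock.bind((source_ip, 0))
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    # Constructed example MAC; nothing is sent here, the packet is only shown.
    pkt = magic_packet("00:11:22:33:44:55")
    print(len(pkt), pkt.hex())
```

The validation is the part worth keeping in any provisioning script: a MAC with five groups (as the page's input mask literally shows) or with stray characters silently produces a packet no host answers to, so rejecting it up front is cheaper than debugging a machine that never wakes.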