Creating and Configuring Users and Groups (Authorizations)

Last adaptation to the version: 11.8.8 (04.2020)


New:

  • Description: root user
  • New in 11.8.8 Default address for spam report from AD
  • Expiration date for user accounts
  • Preconfigured Support user can be created as required


Previous versions: 11.7 | 11.8.5


Preamble

Open the user configuration in the navigation bar under → Authentication → Users.

The users entered here are stored in a local database on the appliance.
The authentication configured here is also performed against that local database.
In addition, local user groups can be mapped to an AD/LDAP group.

Users

User administration
Caption | Value | Description
Name | admin | Login name of the user
Groups | administrator | Group membership of the respective user
Permissions | Firewall Administrator | Authorizations; configured under Groups
Notes | |
Expires in (new from 11.8.5) | 8 hours | After expiration the user can no longer log in.
Edit or delete the user



Support user

Creating a Support User

New function as of 11.8.5

The support user is a temporary administrator that can be created, for example, so that Securepoint support can access the appliance.

The button for creating a support user is located in the upper right corner of the dashboard (headset icon).

Only one support user can exist at a time. If a support user already exists, you are asked whether the existing user should be deleted!


Caption | Value | Description
Login name | support-N3e-oDt | A generated name beginning with support-. It cannot be entered manually; it can only be changed by generating a new one in the dialog.
Password | red-SZZ-sIa-dCB | A generated password. Like the login name it cannot be entered manually; it can only be replaced by generating a new one.
Expiration date | 2019-08-20 11:11:11 | By default the support user's access expires after 24 hours. The value can be extended to at most 30 days. For support users it cannot be changed afterwards.
Groups | administrator | By default the first user group with the Firewall Administrator permission is entered. Other groups that also have this permission can be selected.
Root permission | No | Yes additionally grants the user root privileges. An SSH login then lands directly on the root console (Linux shell) instead of the CLI! Enable this only if the support case actually requires it.

Administration
Enable access for the Securepoint support | Yes | To allow access to the admin interface via the external interface, the entry support.de.securepoint.de is added under → Network → Server Settings → Administration. If the entry already exists, the button is shown as active and cannot be disabled.


Before saving, the login name must be noted and the password should be noted, because the password cannot be displayed again after saving.
Both values can be copied to the clipboard.

Expired user accounts are automatically removed after a certain period of time.




Add user

Add user

The Add user dialog opens. It contains several tabs; entries are not required in every tab. Save accepts the entries.

User General

General

Enter user login data
Caption | Value | Description
Login name | admin-user | Login name of the user

root user

A user with the name root must also be a member of a group with administrator privileges.
Such a user automatically receives root permission. After logging on to the appliance via SSH, this user does not land on the CLI but directly in the Linux console.
Extensive diagnostic tools are available there, e.g. tcpdump.
The root user reaches the Command Line Interface (CLI) with the command spcli and leaves it with exit.
The root user should always be given a short-term expiration date or be removed immediately after the diagnostic work!

Password | •••••••• |
Confirm Password | •••••••• | A strength indicator (here: Strong) is displayed. New since 11.8.
Passwords must meet the following criteria:
  • at least 8 characters length
  • at least 3 of the following categories:
    • Upper case
    • Lower case
    • Special characters
    • Digits
Expiry date (new since 11.8.5) | 2020-08-21 00:00:00 | After expiration the user can no longer log in. The expiration date can be extended again. (It cannot be set in the past in the web interface!)

The expiration date can also be changed via the CLI:
user attribute set name testnutzer attribute expirydate value 1576553166

The value is given as Unix time (seconds since 1970-01-01 00:00 UTC).
Groups | administrator | Group membership and therefore authorizations of this user
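The CLI takes the expiry date as a raw Unix timestamp, so it is easy to set a wrong value by hand. The following added example (not part of the Securepoint documentation or CLI) converts a date in the format the web interface shows into that timestamp, checks that it lies in the future (the web interface enforces this; the CLI value is passed through as given) and builds the command line. The login name testnutzer is the page's own example; the "now" parameter and the optional max_hours cap (a local policy, e.g. a few hours for a root user) are assumptions of this example, as is the appliance clock being in UTC.

```python
"""Added example (not Securepoint code): derive the Unix timestamp that the
'user attribute set ... expirydate' CLI command expects from a date in the
format the web interface shows, and refuse dates that lie in the past."""
from datetime import datetime, timezone
from typing import Optional

DATE_FMT = "%Y-%m-%d %H:%M:%S"   # the format the web interface displays
CLI_TEMPLATE = "user attribute set name {user} attribute expirydate value {ts}"


def expiry_timestamp(when: str) -> int:
    """Parse 'YYYY-MM-DD HH:MM:SS' and return Unix time. Assumption: the
    appliance clock runs in UTC; for another zone adjust the tzinfo."""
    dt = datetime.strptime(when, DATE_FMT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def timestamp_to_display(ts: int) -> str:
    """Inverse of expiry_timestamp: double-check a value before setting it."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime(DATE_FMT)


def expiry_problems(when: str, now: str, max_hours: Optional[int] = None) -> list:
    """Return the reasons an expiry date is unacceptable (empty list = fine).
    'now' is passed explicitly so the check is reproducible; max_hours is a
    local policy cap (assumption, e.g. 8 for a root user), not an appliance limit."""
    ts, now_ts = expiry_timestamp(when), expiry_timestamp(now)
    problems = []
    if ts <= now_ts:
        problems.append("expiry date is not in the future")
    if max_hours is not None and ts - now_ts > max_hours * 3600:
        problems.append(f"expiry date is more than {max_hours} h ahead")
    return problems


def expiry_command(user: str, when: str, now: str,
                   max_hours: Optional[int] = None) -> str:
    """Build the CLI command; raise ValueError instead of emitting a bad command."""
    if not user or any(c.isspace() for c in user):
        raise ValueError("login name must be a single non-empty token")
    problems = expiry_problems(when, now, max_hours)
    if problems:
        raise ValueError("; ".join(problems))
    return CLI_TEMPLATE.format(user=user, ts=expiry_timestamp(when))


if __name__ == "__main__":
    # Reproduces the page's example value 1576553166 (2019-12-17 03:26:06 UTC).
    print(expiry_command("testnutzer", "2019-12-17 03:26:06", now="2019-12-16 12:00:00"))
```

Always decode a timestamp back with timestamp_to_display before pasting the command: the CLI accepts any integer, and a typo there silently yields an account that never expires or one that has already expired.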



VPN

Define IP Tunnel Addresses

Here fixed IP tunnel addresses can be assigned to the users.

  • L2TP IP Address:

  • SSL-VPN IPv4 Address:

  • SSL-VPN IPv6 Address:

PPTP is no longer available because it has been proven to be an insecure protocol.


SSL-VPN

SSL-VPN settings for the user

Caption | Value | Description
Use settings from the group | No | If the user is a member of a group, the settings can be taken over from there. The following settings are then hidden here and are configured under → Authentication → Users / Groups.
Client downloadable in the user interface | Yes | The Securepoint VPN Windows client can be downloaded from the user web interface (reachable by default on port 1443). The port is configurable under → Network → Server Settings / Server Settings / Webserver / User Webinterface Port: 1443.
SSL-VPN connection | RW-SSL-VPN-Verbindung | Selection of a connection created under → VPN → SSL-VPN.
Client certificate | RW-SSL-VPN Zertifikat | A certificate with which the client authenticates itself to the UTM must be specified.
Remote Gateway | 192.168.175.1 (example IP) | IP address or DNS-resolvable name of the gateway to which the connection is established.
Redirect Gateway | | When enabled, all of the client's network traffic is sent via the selected gateway.

After saving and re-opening the entry, the following downloads are also available:
Installer | Downloads the Securepoint VPN Windows client. A zip file named after the respective user is created. It contains an installer for the Securepoint VPN Windows client together with the matching configuration files and certificates.
Portable Client | Downloads a portable version of the Securepoint VPN Windows client. A zip file named after the respective user is created. It contains Start-SSL-VPN-Client.exe together with the matching configuration files and certificates.
Configuration | Downloads the configuration files for any VPN client. A zip file named after the respective user is created. The folder local_firewall.securepoint.local.tblk inside it contains the required configuration files and certificates.

Since these archives contain the certificate material with which the client authenticates to the UTM, hand them to the user over a protected channel and do not leave them on shared storage.


Password

Setting the password properties

The Password tab defines the required password strength and whether the user may change the password.

Caption | Default | Description
Password change allowed | Off | Determines whether the user can change his or her password in the user interface.
Minimum password length | 8 | The minimum password length can be raised above 8 characters.
Passwords must meet the following criteria:
  • at least 8 characters length
  • at least 3 of the following categories:
    • Upper case
    • Lower case
    • Special characters
    • Digits
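The policy above (and the identical one under the General tab) is simple enough to check offline before handing out credentials or bulk-creating users. The following added example, which is not Securepoint code, implements exactly that rule set together with the configurable minimum length from the Password tab. Assumptions of this example: "special characters" means ASCII punctuation, and characters that belong to none of the four classes (spaces, umlauts) count toward the length but toward no class; the appliance's actual classification of such characters is not documented on this page.

```python
"""Added example (not Securepoint code): checker for the page's password policy
(at least 8 characters, at least 3 of 4 character classes) with the configurable
minimum length of the Password tab."""
import string

# Assumption: "special characters" = ASCII punctuation. Characters in no class
# (space, umlauts, ...) count toward the length only.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_present(password: str) -> set:
    """Names of the character classes that occur at least once in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_password(password: str, min_length: int = 8) -> list:
    """Return a list of policy violations; an empty list means the password is accepted.
    min_length mirrors the tab setting, which can only be raised above 8."""
    if min_length < 8:
        raise ValueError("minimum length cannot be lowered below 8")
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = classes_present(password)
    if len(present) < 3:
        missing = sorted(set(CLASSES) - present)
        problems.append(
            f"only {len(present)} of 4 character classes used (missing: {', '.join(missing)})"
        )
    return problems


def is_acceptable(password: str, min_length: int = 8) -> bool:
    return not check_password(password, min_length)


if __name__ == "__main__":
    # Constructed sample inputs, including the generated support-user password from this page.
    for candidate in ["password", "Passwort", "Passw0rd", "red-SZZ-sIa-dCB"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Note what the policy does and does not guarantee: "Passw0rd" satisfies it (three classes, eight characters) but is a dictionary password that any online guessing attack tries early. The minimum length is the only knob the appliance offers; raising it well above 8 for administrator accounts is the cheapest improvement.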


Mailfilter


Caption | Default | Description
Use group settings | No | If the user is a member of a group, the settings can be taken over from there. The following settings are then hidden here and are configured under → Authentication → Users / Groups.
Email address | user@ttt-point.de | Email accounts whose mail-filter results this user may view. An entry is removed from the list with the delete icon.
Email address (input field) | | Adds an email address to the list.
Allow download of the following attachments | None (default) | In the user interface, the user may download attachments of mails that match the selected category:
  • Filtered but not quarantined
  • Quarantined but not filtered: may allow viruses to be downloaded and should therefore only be enabled for experienced users!
  • Quarantined and/or filtered: may allow viruses to be downloaded and should therefore only be enabled for experienced users!
Allow forwarding of the following emails | None (default) | In the user interface, the user may forward mails that match the selected category:
  • Filtered but not quarantined
  • Quarantined but not filtered: may allow viruses to be forwarded and should therefore only be enabled for experienced users!
  • Quarantined and/or filtered: may allow viruses to be forwarded and should therefore only be enabled for experienced users!
Report email address | | Email address to which the spam report is sent. If nothing is entered here, the spam report is sent to the first email address in the list. New in 11.8.8: if several mail addresses for a user are stored in AD, the entry configured there as the Primary SMTP address is used as the default address.
Report language | Default | The default is set under → Network → Server settings → Firewall → Language of reports. German or English can also be selected explicitly.



WOL

Configure Wake on LAN

WOL (Wake on LAN) switches on a computer via its network card. The computer must support being started by such a packet; this is usually enabled in the BIOS or UEFI.

For a user to be able to use WOL, the target must be configured here!

Caption | Default | Description
Description | | Free text
MAC address | __:__:__:__:__:__ | MAC address of the computer to be woken via Wake on LAN.
Interface | eth0 | Interface of the appliance through which the WOL packet is sent.


Edit icon: Opens the entry for editing.

Delete icon: Deletes the entry.


Groups

Some settings described in the Users section can also be made for the entire group. Settings made for an individual user override the group settings.

Permissions

Caption | Description
Group Name | Freely definable name
Permissions:
Firewall Admin | Members of this group can open the admin interface (by default reachable on port 11115). There must always be at least one firewall administrator.
Spamreport | Members of this group can receive a spam report.
VPN-L2TP | Members of this group can establish an L2TP VPN connection.
Mailrelay User | Members of this group can use the mail relay.
HTTP Proxy | Members of this group can use the HTTP proxy.
IPSEC XAUTH | Members of this group can authenticate to IPsec with XAUTH.
Userinterface | Members of this group have access to the user interface.
Clientless VPN | Members of this group can use Clientless VPN.
Mailfilter Administrator | Members of this group can configure the mail filter.
SSL-VPN | Members of this group can establish an SSL VPN connection.



Clientless VPN

This tab is only displayed if the Clientless VPN permission has been enabled (On) in the Permissions tab.

Connections created under → VPN → Clientless VPN are displayed here.

Clientless VPN
Name | Name of the connection
Access | No | If set to Yes, members of this group can use this connection.

Open Clientless VPN Administration: connections can be configured and added here.

Alternatively via → VPN → Clientless VPN.

Further information in the article on Clientless VPN.

SSL-VPN

SSL-VPN settings of the group

SSL-VPN settings for the entire group can be configured here.
All users use the same certificate when the group settings are used! A shared certificate cannot be revoked for a single member, so use per-user SSL-VPN settings where individual revocation is required.
SSL-VPN settings of individual users override the group settings.

Caption | Default | Description
Client downloadable in the user interface | No |
SSL-VPN connection | | Selection of the desired connection (created under → VPN → SSL-VPN)
Client certificate | | Selection of the certificate for this group (created under → Authentication → Certificates / Certificates)
Remote Gateway | | IP address of the gateway on which the SSL-VPN clients dial in. Free entry or selection from the drop-down menu.
Redirect Gateway | Off | Requests to destinations outside the local network (and therefore also outside the VPN) are normally routed by the VPN user's own gateway directly to the Internet. When this option is enabled (On), the local gateway is redirected to the UTM, so these packets also benefit from the UTM's protection. This setting changes the configuration file for the VPN client.
Available in port filter (new function in 11.8) | No | Enabling this option (Yes) allows port-filter rules to be created for this group. This controls access for users who are members of this group and are connected via SSL-VPN. Further information in the article on Identity Based Firewall (IBF).

Directory Service

AD/LDAP group assignment

Here you can specify which directory service group the members of this user group should belong to.
In order for a group to be selected here, a corresponding connection must be configured under → Authentication →AD/LDAP Authentication .

Selection of an AD/LDAP group


Mailfilter

The Userinterface permission must be enabled (On).


Caption | Default | Description
Email address | support@ttt-point.de | Email accounts whose mail-filter results members of this group may view. An entry is removed from the list with the delete icon.
Email address (input field) | | Adds an email address to the list.
Allow download of the following attachments | None (default) | Members of this group may download attachments in the user interface from mails that match the selected category:
  • Filtered but not quarantined
  • Quarantined but not filtered: may allow viruses to be downloaded and should therefore only be enabled for experienced users!
  • Quarantined and/or filtered: may allow viruses to be downloaded and should therefore only be enabled for experienced users!
Allow forwarding of the following emails | None (default) | Members of this group may forward mails in the user interface that match the selected category:
  • Filtered but not quarantined
  • Quarantined but not filtered: may allow viruses to be forwarded and should therefore only be enabled for experienced users!
  • Quarantined and/or filtered: may allow viruses to be forwarded and should therefore only be enabled for experienced users!
Report email address | | Email address to which the spam report is sent. If nothing is entered here, the spam report is sent to the first email address in the list. New in 11.8.8: if several mail addresses for a user are stored in AD, the entry configured there as the Primary SMTP address is used as the default address.
Report language | Default | The default is set under → Network → Server settings → Firewall → Language of reports. German or English can also be selected explicitly.
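Both the user and the group Mailfilter tabs describe the 11.8.8 behaviour of taking the Primary SMTP address from AD as the default report address. In Active Directory that information lives in the multi-valued proxyAddresses attribute, where entries look like "SMTP:user@example.com": the entry with the upper-case "SMTP" prefix is the primary address and entries with lower-case "smtp" are secondary aliases. The following added example (not Securepoint code) applies that rule and the precedence the page describes. Assumptions of this example: the sample proxyAddresses values are constructed, and an AD primary address is taken to rank above the first address of the local list when no explicit report address is set, which is how the "used as the default address" wording is read here.

```python
"""Added example (not Securepoint code): derive the default spam-report address
from an AD user's proxyAddresses attribute as described for 11.8.8."""
from typing import List, Optional, Tuple

# Constructed sample value of the AD attribute proxyAddresses for one user.
SAMPLE_PROXY_ADDRESSES = [
    "smtp:alias@ttt-point.de",           # secondary alias (lower-case prefix)
    "SMTP:user@ttt-point.de",            # primary SMTP address (upper-case prefix)
    "X500:/o=ExampleOrg/ou=Users/cn=user",  # not a mail address; ignored
]


def smtp_addresses(proxy_addresses: List[str]) -> Tuple[Optional[str], List[str]]:
    """Return (primary, secondaries). Exactly one upper-case 'SMTP:' entry is
    expected; more than one is a data error and raises ValueError."""
    primary = None
    secondaries = []
    for entry in proxy_addresses:
        prefix, sep, addr = entry.partition(":")
        if not sep or not addr:
            continue                       # ignore malformed entries
        if prefix == "SMTP":
            if primary is not None:
                raise ValueError(f"more than one primary SMTP address: {primary}, {addr}")
            primary = addr
        elif prefix == "smtp":
            secondaries.append(addr)
        # other prefixes (X500:, sip:, ...) are not mail addresses for this purpose
    return primary, secondaries


def default_report_address(report_address: str, proxy_addresses: List[str],
                           listed_addresses: List[str]) -> Optional[str]:
    """Precedence as read from the page: an explicitly configured report
    address wins; otherwise the AD primary SMTP address (11.8.8); otherwise
    the first address of the user's or group's own list; None if none exist."""
    if report_address:
        return report_address
    primary, _ = smtp_addresses(proxy_addresses)
    if primary:
        return primary
    return listed_addresses[0] if listed_addresses else None


if __name__ == "__main__":
    print(smtp_addresses(SAMPLE_PROXY_ADDRESSES))
    print(default_report_address("", SAMPLE_PROXY_ADDRESSES, ["alias@ttt-point.de"]))
```

The case distinction matters: treating the prefix case-insensitively would make every alias a candidate and, depending on attribute order, could send a user's spam report to a mailbox that is not theirs.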


WOL

Configuring Wake on LAN

WOL (Wake on LAN) switches on a computer via its network card. The computer must support being started by such a packet; this is usually enabled in the BIOS or UEFI.

Members of this group may switch on the hosts entered here via WOL.

Caption | Default | Description
Description | | Free text
MAC address | __:__:__:__:__:__ | MAC address of the computer to be woken via Wake on LAN.
Interface | eth0 | Interface of the appliance through which the WOL packet is sent.


Edit icon: Opens the entry for editing.

Delete icon: Deletes the entry.
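The user and group WOL tabs both ask for a MAC address and a sending interface. The following added example (not Securepoint code; how the appliance itself constructs and emits its packet is not documented on this page) shows the standard Wake-on-LAN "magic packet" for a stored MAC address, validates the address first so a typo in the form cannot turn into a garbage frame, and sends it as a broadcast bound to one interface. It illustrates why the interface field matters: the packet is a Layer-2 broadcast and is only seen on the segment it is emitted on. The MAC address, interface name and UDP port 9 are assumptions of this example; the send function is Linux-specific and needs root or CAP_NET_RAW.

```python
"""Added example (not Securepoint code): build, validate and send a
Wake-on-LAN magic packet for a MAC address as entered in the WOL tab."""
import re
import socket

# Accept the two common notations, e.g. 00:11:22:33:44:55 or 00-11-22-33-44-55.
_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}([:-])(?:[0-9a-fA-F]{2}\1){4}[0-9a-fA-F]{2}$")


def is_valid_mac(mac: str) -> bool:
    """True for six hex pairs separated consistently by ':' or '-'."""
    return _MAC_RE.match(mac.strip()) is not None


def parse_mac(mac: str) -> bytes:
    """Return the six raw bytes of a MAC address; reject anything malformed."""
    if not is_valid_mac(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", mac.strip()))


def magic_packet(mac: str) -> bytes:
    """A magic packet is six 0xFF bytes followed by the target MAC repeated
    16 times, 102 bytes in total. The NIC matches on this pattern anywhere
    in the frame payload, so the UDP port is a convention, not a requirement."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def send_magic_packet(mac: str, interface: str = "eth0",
                      broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Send the packet as a UDP broadcast out of one interface. Broadcasts are
    not routed, which is why the WOL tab needs the interface facing the target.
    SO_BINDTODEVICE exists on Linux only and requires root or CAP_NET_RAW
    (assumption: interface name and port 9 are placeholders for this example)."""
    packet = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        if hasattr(socket, "SO_BINDTODEVICE"):
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, interface.encode())
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    # Constructed sample MAC; prints the 102-byte packet as hex without sending it.
    print(magic_packet("00:11:22:33:44:55").hex())
```

Because the packet carries no authentication, anyone who can emit a broadcast on that segment can wake the host; restricting the WOL permission to the users and groups that need it is the only control the appliance offers here.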