This article refers to a version that is no longer current!

The article for the latest version is here.

There is already a newer version of this article, but it refers to a Reseller preview.
Create and configure users and groups (permissions)
Last adaptation to the version: 12.2.3


Preamble

Open the user configuration in the navigation bar under → Authentication → Users

The users entered here are stored in a local database on the appliance, and the authentication configured here is performed against that local database.
In addition, local user groups can be mapped to an AD/LDAP group (see Directory Service under Groups below).


User overview

User

User administration
Caption | Value | Description
Name | admin | Login name of the user
Groups | administrator | Group membership of the respective user
Permissions | Firewall Administrator | Permissions; configured under Groups
Notes | Expires in 8 hours | After expiry the user can no longer log in.
(edit / delete icons) | | Edit or delete the user
OTP Codes | | Generates a PDF document with the OTP codes as QR code and in plain text for all users except the user admin. The PDF contains the OTP secrets; handle it like a credential.
Add user | | Creates a new user (see Add / edit user below).
Delete all expired users | | Does exactly that.
Support users are automatically removed 24 hours after the expiry date at the latest.




Support user

Creating a Support User

The support user is a temporary administrator who can be enabled, for example, so that Securepoint support can work on the appliance.

The button for creating a support user is located in the upper right corner of the dashboard (headset icon).

  • Only one support user can exist at a time. If a support user already exists, you will be asked whether the existing user should be deleted!

Caption | Value | Description
Login name: | support-N3e-oDt | A randomly generated name beginning with support-. It can only be regenerated with the button; manual input is not possible.
Password: | red-SZZ-sIa-dCB | A randomly generated password. It can only be regenerated with the button; manual input is not possible.
Expiration date: | 2019-08-20 11:11:11 | By default, access for the support user expires after 24 hours. The value can be extended up to a maximum of 30 days. For support users, the value cannot be changed afterwards.
Groups: | ×administrator | By default, the first user group with the permission Firewall Administrator is entered. Other groups that also hold this permission can be selected.
Root permission: | No | With Yes, the user additionally receives root privileges. When connecting via SSH, the login then lands directly on the root console (see the notes on the root user below).
Administration
Enable access for the Securepoint support: | Yes | To allow access to the admin interface via the external interface, the entry support.de.securepoint.de is added under → Network → Server Settings → Administration. If the entry already exists, the button is shown as active and cannot be disabled here.
Copy credentials | | New as of 12.2.3. Username and password are copied to the clipboard, whose content then looks like this:
    Username: support-NII-Z53-Yk2
    Password: UMC-DP6-FSK-F46-ULD
The clipboard can be read by other applications on the workstation; paste the credentials into a password manager and clear the clipboard afterwards.

Before saving, the login name must be noted and the password should be noted! The password cannot be displayed again after saving.
Save | | Creates and saves the support user.
Close | | Cancels the process and closes the support user dialogue.

CLI command
The support user can also be created via the CLI if required:
user support new name support-4711 password Insecure.123 groups administrator expirydate 1566650891 flags ROOT

The value for expirydate can be given either as Unix time (seconds since 1970-01-01 00:00 UTC) or in the format YYYY-MM-DD HH:MM.





    General User

    Add / edit user

    Add user / Edit user

    The dialogue Add user opens. It contains several tabs; entries are not required in every tab. Save accepts the entries.

    User General

    General

    root user

    Caption | Value | Description
    Enter user login data
    Login name | admin-user | Login name of the user
    root
  • A user with the login name root must also be a member of a group with administrator privileges.
    • This user then automatically receives root permission.
    • After logging on to the appliance via SSH, this user does not land on the CLI but directly in the Linux console.
    • Extensive diagnostic tools are available there, e.g. tcpdump.
    • From the Linux console, the root user reaches the Command Line Interface (CLI) with the command spcli and leaves it with exit.
  • The root user should always be given a short-term expiry date or be removed immediately after the diagnostic work!
  • Password / Confirm password | •••••••• Very strong | The strength indicator rates the entered password.
    Passwords must meet the following criteria:
    • at least 8 characters
    • characters from at least 3 of the following 4 categories:
      • upper case
      • lower case
      • special characters
      • digits
    Expiry date | 2020-08-21 00:00:00 | After expiry the user can no longer log in. The expiry date can be extended again later. (In the web interface it cannot be set in the past!)

    The expiry date can also be changed via the CLI:
    user attribute set name testnutzer attribute expirydate value 1576553166

    The value is given as Unix time (seconds since 1970-01-01 00:00 UTC) or in the format YYYY-MM-DD HH:MM.
    Groups | ×administrator | Group membership and therefore the permissions of this user
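The two CLI commands in this article (user support new ... and user attribute set ... expirydate ...) take the expiry as Unix time, and the password must satisfy the policy stated above. The following added example (not Securepoint's code, not part of the original article) builds both commands from a readable expiry date, converts the YYYY-MM-DD HH:MM form, refuses an expiry in the past and, for support users, one more than 30 days ahead, and checks the password policy before anything is pasted into the CLI. Assumptions not taken from the article: the YYYY-MM-DD HH:MM form is interpreted as UTC; the 24-hour default and 30-day maximum apply to support users only; passwords are passed to the CLI unquoted, so whitespace is rejected.

```python
"""Added example (not Securepoint's code): build the CLI commands shown in
the article and check the stated password policy before pasting them.

Assumptions not taken from the article: 'YYYY-MM-DD HH:MM' is interpreted
as UTC; the 24 h default and 30-day maximum apply to support users only;
passwords reach the CLI unquoted, so whitespace is rejected."""
from __future__ import annotations

import re
import time
from datetime import datetime, timezone

# The four character classes of the article's password policy.
CATEGORIES = (re.compile(r"[A-Z]"), re.compile(r"[a-z]"),
              re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]"))


def password_ok(pw: str, min_len: int = 8) -> bool:
    """Policy from the article: at least min_len characters and characters
    from at least 3 of the 4 categories.  Whitespace is rejected because the
    password is placed unquoted on the CLI line (assumption)."""
    if len(pw) < min_len or re.search(r"\s", pw):
        return False
    return sum(1 for rx in CATEGORIES if rx.search(pw)) >= 3


def to_unixtime(expiry: str | int, now: int | None = None) -> int:
    """Accept Unix time or 'YYYY-MM-DD HH:MM' (the two forms the CLI takes)
    and return Unix time.  Refuses a date in the past, which the article says
    the web interface refuses; nothing is assumed about the CLI itself."""
    now = int(time.time()) if now is None else now
    if isinstance(expiry, int):
        ts = expiry
    else:
        dt = datetime.strptime(expiry, "%Y-%m-%d %H:%M")
        ts = int(dt.replace(tzinfo=timezone.utc).timestamp())  # assumption: UTC
    if ts <= now:
        raise ValueError("expiry date lies in the past")
    return ts


def support_user_cmd(name: str, password: str, expiry: str | int | None = None,
                     groups: str = "administrator", root: bool = False,
                     now: int | None = None) -> str:
    """'user support new ...' as in the article.  Default expiry is 24 h;
    more than 30 days ahead is refused (the limits the article gives)."""
    now = int(time.time()) if now is None else now
    if not name.startswith("support-"):
        raise ValueError("support user names must begin with 'support-'")
    if not password_ok(password):
        raise ValueError("password does not meet the policy")
    ts = now + 24 * 3600 if expiry is None else to_unixtime(expiry, now)
    if ts - now > 30 * 86400:
        raise ValueError("support user access cannot exceed 30 days")
    cmd = (f"user support new name {name} password {password} "
           f"groups {groups} expirydate {ts}")
    return cmd + " flags ROOT" if root else cmd


def expiry_cmd(name: str, expiry: str | int, now: int | None = None) -> str:
    """'user attribute set ... expirydate ...' as in the article."""
    return (f"user attribute set name {name} attribute expirydate "
            f"value {to_unixtime(expiry, now)}")


if __name__ == "__main__":
    # Constructed reference time: 2019-08-19 11:11:11 UTC.
    ref = 1566213071
    print(support_user_cmd("support-4711", "Insecure.123", 1566650891,
                           root=True, now=ref))
    print(expiry_cmd("testnutzer", "2020-08-21 00:00", now=ref))
```

Run it on the appliance's administration workstation and paste the printed line into the CLI; the `flags ROOT` suffix appears only when root permission is requested, matching the article's example. Pass `now` explicitly only in tests; in normal use the helpers take the current clock.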



    VPN

    Define IP Tunnel Addresses

    Here fixed IP tunnel addresses can be assigned to the users.

    • L2TP IP Address:

    • SSL-VPN IPv4 Address:

    • SSL-VPN IPv6 Address:

    PPTP is no longer available because it has been proven to be an insecure protocol.


    SSL-VPN

    UTM/AUTH/Benutzerverwaltung SSL-VPN v12.2.3



    Password:

    Setting the password properties

    The Password tab defines the required password strength and whether the user may change the password.

    Caption | Default | Description
    Password change allowed: | Off | Determines whether the user can change his or her own password in the user interface.
    Minimum password length: | 8 | The minimum password length can be raised above 8 characters.
    Passwords must meet the following criteria:
    • at least 8 characters
    • characters from at least 3 of the following 4 categories:
      • upper case
      • lower case
      • special characters
      • digits


    Mailfilter

    Caption | Default | Description
    Use group settings: | No | If the user is a member of a group, the settings can be taken from there. The following settings are then hidden here and are configured under → Authentication → Users / Groups.
    Email address | user@ttt-point.de | Email accounts whose mail filter can be viewed and controlled by this user. The delete icon next to an address removes it from the list.
    Email address | | Adds an email address to the list.
    Allow downloads of following attachments: | None (default) | In the user interface, the user can download attachments of mails that meet the selected criteria.
    Filtered but not quarantined
    Quarantined but not filtered | | This option can allow the download of viruses and should therefore only be granted to experienced users!
    Quarantined and/or filtered | | This option can allow the download of viruses and should therefore only be granted to experienced users!
    Allow forwarding of following emails: | None (default) | In the user interface, the user can forward emails that meet the selected criteria.
    Filtered but not quarantined
    Quarantined but not filtered | | This option can allow the forwarding of viruses and should therefore only be granted to experienced users!
    Quarantined and/or filtered | | This option can allow the forwarding of viruses and should therefore only be granted to experienced users!
    Report email address: | | Email address to which the spam report is sent. If left empty, the spam report is sent to the first email address in the list.
    New in 11.8.8: if several mail addresses for a user are stored in an AD, the address configured there as Primary SMTP address (proxyAddresses) is used as the default.

    Report language: | Default | Default is taken from → Network → Server settings → Firewall → Language of reports. German or English can be selected explicitly.



    WOL

    Configure Wake on LAN

    WOL stands for Wake on LAN and switches on a computer via its network card. The computer must support being started by a data packet; this is usually enabled in the BIOS or UEFI.

    After logging into the user interface, the user can trigger a WOL for the devices entered here.

    Caption | Default | Description
    Description: | | Free text
    MAC address: | __:__:__:__:__:__ | MAC address of the computer to be switched on via Wake on LAN.
    Interface: | eth0 | Interface of the appliance through which the WOL packet is sent.

    (edit icon) Calls the entry for editing.

    (delete icon) Deletes the entry.


    Groups

    Add groups

    Some settings described in the Users section can also be set for the entire group. Settings made for an individual user take precedence over the group settings.

    Permissions

    Caption | Description
    Group Name: | Freely definable name
    Permissions
    Firewall Admin | Members of this group can open the admin interface (by default reachable on port 11115). There must always be at least one firewall administrator.
    Spamreport | Members of this group can receive a spam report.
    VPN-L2TP | Members of this group can establish a VPN-L2TP connection.
    Mailrelay User | Members of this group can use the mail relay.
    HTTP Proxy | Members of this group can use the HTTP proxy.
    IPSEC XAUTH | Members of this group can authenticate against IPsec with XAUTH.
    Userinterface | Members of this group have access to the user interface.
    Clientless VPN | Members of this group can use Clientless VPN.
    Mailfilter Administrator | Members of this group, in combination with the Userinterface permission, have access to all emails temporarily stored in the UTM's mail archive, regardless of whether they are legitimate recipients or senders of these emails. Grant this permission to as few accounts as possible.
    SSL-VPN | Members of this group can establish an SSL-VPN connection.
    Userinterface Administrator (as of v12) | Members of this group can access the Captive Portal user administration via the user interface.



    Clientless VPN

    This tab is only displayed if the permission Clientless VPN has been set to On in the Permissions tab.

    Connections created under → VPN → Clientless VPN are listed here.

    Clientless VPN
    Name | Name of the connection
    Access | No | If set to Yes, members of this group can use this connection.

    Open Clientless VPN Administration | Here connections can be configured and added.

    Alternatively reachable via → VPN → Clientless VPN

    Further information in the article on Clientless VPN.

    SSL-VPN

    UTM/AUTH/Benutzerverwaltung-Gruppen-SSL-VPN v12.2.3


    Directory Service

    AD/LDAP group assignment

    Here you can specify which directory service group the members of this user group should belong to.
    In order for a group to be selected here, a corresponding connection must be configured under → Authentication →AD/LDAP Authentication.

    Selection of an AD/LDAP group


    Mailfilter

    Configuring mail filters for groups

    The permission Userinterface On is required.

    Caption | Default | Description
    Email address | support@ttt-point.de | Email accounts whose mail filter can be viewed and controlled by members of this group. The delete icon next to an address removes it from the list.
    Email address | | Adds a mail address to the list.
    Allow downloads of following attachments: | None (default) | Members of this group can download attachments of mails in the user interface that meet the selected criteria.
    Filtered but not quarantined
    Quarantined but not filtered | | This option can allow the download of viruses and should therefore only be granted to experienced users!
    Quarantined and/or filtered | | This option can allow the download of viruses and should therefore only be granted to experienced users!
    Allow forwarding of following emails: | None (default) | Members of this group can forward emails in the user interface that meet the selected criteria.
    Filtered but not quarantined
    Quarantined but not filtered | | This option can allow the forwarding of viruses and should therefore only be granted to experienced users!
    Quarantined and/or filtered | | This option can allow the forwarding of viruses and should therefore only be granted to experienced users!
    Report email address: | | Email address to which the spam report is sent. If left empty, the spam report is sent to the first email address in the list. If several mail addresses for a user are stored in an AD, the address configured there as Primary SMTP address (proxyAddresses) is used as the default.

    Report language: | Default | Default is taken from → Network → Server settings → Firewall → Language of reports. German or English can be selected explicitly.


    WOL

    Configuring Wake on LAN

    WOL stands for Wake on LAN and switches on a computer via its network card. The computer must support being started by a data packet; this is usually enabled in the BIOS or UEFI.

    After logging into the user interface, members of this group can switch on the hosts entered here via WOL.

    Caption | Default | Description
    Description | | Free text
    MAC address: | __:__:__:__:__:__ | MAC address of the computer to be switched on via Wake on LAN.
    Interface: | eth0 | Interface of the appliance through which the WOL packet is sent.

    (edit icon) Calls the entry for editing.

    (delete icon) Deletes the entry.
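The WOL tabs (for users above and for groups here) only ask for a MAC address and the interface the packet leaves on. The following added example (not Securepoint's code, not part of the original article) shows what the appliance puts on the wire for such an entry and how to verify a packet captured on the selected interface. The packet layout is the standard Wake-on-LAN magic packet, which the article does not describe: 6 bytes of 0xFF followed by the target MAC repeated 16 times, sent as a UDP broadcast. UDP port 9 and the omission of the optional SecureOn password suffix are assumptions; the MAC 00:11:22:33:44:55 is a constructed sample.

```python
"""Added example (not Securepoint's code): build a Wake-on-LAN magic packet
for a host from the WOL tab and recognise one in a capture.

Packet layout (standard WOL, not from the article): 6 x 0xFF, then the
target MAC 16 times = 102 bytes.  Assumptions: UDP broadcast to port 9,
no SecureOn password suffix."""
import re
import socket


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = re.sub(r"[:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def magic_packet(mac: str) -> bytes:
    """Synchronisation stream followed by the MAC repeated 16 times."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def target_of(payload: bytes):
    """Return the target MAC (colon form) if payload is a well-formed magic
    packet, otherwise None.  Run this over a capture taken on the interface
    chosen in the WOL tab to confirm the packet leaves on the right network."""
    if len(payload) != 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255",
                      port: int = 9) -> int:
    """Send the packet as a UDP broadcast; returns the number of bytes sent."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


if __name__ == "__main__":
    # Constructed sample MAC; no packet is sent here.
    sample = magic_packet("00:11:22:33:44:55")
    print(len(sample), target_of(sample))
```

A magic packet carries no authentication: any host on the broadcast segment can wake any other by sending one. The permission model of the user interface therefore decides who may trigger a WOL, not the packet itself, which is why the WOL tab is restricted to logged-in users or group members.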

    Captive Portal User

    Captive Portal User

    Captive Portal users must authenticate and accept the terms of use when they connect to a network configured accordingly. Only then is network access released, subject to the port filter rules.

  • Firewall users who are members of a group with the permission Userinterface Administrator On (→ Authentication → Users, tab Groups) can reach the Captive Portal user management via the user interface (by default on port 443).

  • Add user

    Add user

    Captive Portal users can be managed by:

    • administrators
    • users who are members of a group with the permission Userinterface Administrator; they reach the user administration via the user interface.

    Caption | Value | Description
    Login name: | user-DIW-ATS-K5C | Randomly generated login name. Once saved, login names cannot be changed.
    Password: | FWF-II7-4NB-GXQ-URC | Randomly generated password. Login name and password can be regenerated with the button. Once saved, the password cannot be displayed again.
    Expiry date: | yyyy-mm-dd hh:mm:ss | Limits the validity of the credentials.
    - / + | | New as of v12.2.2: these buttons shorten (-) or extend (+) the expiry date by 24 hours, counted from the current time.
    Print and save | | Saves and closes the dialogue, creates an HTML page with username and password and opens the print dialogue. The printout contains the credentials in clear text; hand it over directly and do not leave it lying around.
    Save | | Saves the entries and closes the dialogue. The password can then no longer be displayed, but a new password can be generated at any time.
    Close | | Closes the dialogue without saving changes.