Vasco Personal aXsGUARD Installation And Configuration Manual


Personal aXsGUARD
Installation and Configuration Guide
7.7.1


Summary of Contents for Vasco Personal aXsGUARD

  • Page 1 Personal aXsGUARD Installation and Configuration Guide 7.7.1...
  • Page 2: Table Of Contents

    1.1. About this Document (p. 1); 1.2. Examples used in this Guide (p. 1); 1.3. Documentation Sources (p. 1); 1.4. About the Personal aXsGUARD (p. 2); 1.5. About the aXsGUARD Gatekeeper (p. 2); 1.5.1. What is it? (p. 2); 1.5.2. Spare Units (p. 2); 1.5.3.
  • Page 3 6.1. Overview (p. 27); 6.2. Checking the Status (p. 27); 6.2.1. On the aXsGUARD Gatekeeper (p. 27); 6.2.2. On the Personal aXsGUARD (p. 27); 6.3. Checking the Logs (p. 27); 6.3.1. On the aXsGUARD Gatekeeper (p. 27); 6.3.2. On the Personal aXsGUARD (p. 28); 6.4.
  • Page 4 VASCO customers and has been provided to you and your organization for the sole purpose of helping you to use and evaluate VASCO Products. As such, it does not constitute a license to use VASCO Software or a contractual agreement to use VASCO Products.
  • Page 5: Introduction

    Chapter 4, Server-Side Configuration, we explain the server-side configuration, such as the initialization of the CA, the generation of server and client certificates and the Personal aXsGUARD configuration settings, which are downloaded from the VPN server. Chapter 5, Client-Side Configuration, we explain how to configure and connect the Personal aXsGUARD with the corporate aXsGUARD Gatekeeper, starting with the factory default settings.
  • Page 6: About The Personal aXsGUARD

    1.4. About the Personal aXsGUARD The Personal aXsGUARD is a small plug and play OpenVPN appliance designed specifically for use with the aXsGUARD Gatekeeper. Its integration with home networks is easy and allows telecommuters to safely connect to corporate network resources and the Internet. All PAX settings are centrally managed on and pushed by the corporate aXsGUARD Gatekeeper appliance, which makes deploying PAX systems a convenient and straightforward process.
  • Page 7: Licensed Units

    You can, of course, also configure your system manually. 1.6. About VASCO VASCO is a world leader in strong authentication and e-signature solutions, specializing in online accounts, identities and transactions. As a global software company, VASCO serves a customer base of approximately 10,000 companies in over 100 countries, including approximately 1,500 international financial institutions.
  • Page 8: Before You Begin

    Personal aXsGUARD - 7.7.1 Chapter 2. Before You Begin 2.1. PAX Models There are two hardware models: • The AG-1296: This model is still supported, but has been discontinued. Please see prior documentation for reference. • The AG-1497: See Section 2.3, “Hardware and Environmental Specifications”.
  • Page 9 Hardware Features: Dimensions (W X D X H): 9.6x6.4x1.3 in. (243x160.6x32.5mm); Antenna: 3 external detachable dual band antennas (RP-SMA). Wireless Features: Wireless Standards: IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n; Frequency: 2.4GHz &...
  • Page 10: Features And Concepts

    Chapter 3. Features and Concepts 3.1. Documentation You May Need The concepts mentioned in this guide, i.e. certificates, IP address ranges, DHCP, NAT, routing, DNS and firewall settings, are fully explained in separate guides which can be accessed by clicking on the permanently available Documentation button in the aXsGUARD Gatekeeper Administrator Tool.
  • Page 11: Security Recommendations

    Firewall Policies. However, we strongly encourage system administrators to implement their own Firewall Policies, install a client-side firewall and anti-malware software. • VASCO recommends a setup where potentially dangerous or infected client computers connect directly to the Internet using an existing installation. Only computers that need remote access to the corporate LAN...
  • Page 12: NAT Traversal

    should be connected to the PAX. A secure option is to connect the Internet Interface of the PAX to the user’s LAN and only connect the client computers that actually need access to corporate resources to the PAX LAN (double NAT).
  • Page 13: SNAT And Masquerading

    With the option enabled (see Section 4.6, “Network Settings”), hosts in the NAT’d network connected to the PAX’s WAN interface can connect seamlessly to machines in the PAX’s LAN, as if they were a part of the same network segment.
  • Page 14: VPN Failover

    Figure 3.4. SNAT and Masquerading 3.5. VPN Failover In computing, failover is the capability to switch over automatically to a redundant or secondary computer server, system, or a network upon the failure or abnormal termination of the primary server, system, or network.
  • Page 15: Wireless Access Point

    will first try to establish a TCP connection with the same server, before it switches to the second server. If a connection is made to the second server, UDP will be attempted first. In case a specific VPN protocol is selected, the failover occurs without delay, as only the selected protocol is used.
  • Page 16: Remote Administration

    Users can request remote support via the web interface of the PAX system. This action initiates a secure connection towards the VASCO support center, which enables our support engineers to access the PAX for troubleshooting. As an alternative, VASCO can configure any PAX so that it has a permanent secured connection to the VASCO service center.
  • Page 17: Server-Side Configuration

    How To, which can be accessed via the Documentation button in the Administrator Tool.
    2. Navigate to System ⇒ Feature Activation.
    3. Expand the VPN & RAS tree.
    4. Check the Do you use the Personal aXsGUARD Gatekeeper? option.
    5. Click on Update.
    Figure 4.1. PAX Feature Activation
    4.3.
  • Page 18: Client Options

    Gatekeeper. Certain configuration tabs only appear when the corresponding options are enabled.
    1. Navigate to VPN & RAS ⇒ Personal aXsGUARD ⇒ Client.
    2. Click on Add New.
    3. Enter the common settings as explained in the table below.
  • Page 19: General Settings

    Parameters: • Hardware Model: Select the model that applies to you. • Enable DHCP Server: Check this option to enable the DHCP server on the PAX unit. If enabled, the PAX will assign IP addresses to its DHCP clients in the specified range (see Section 4.7, “DHCP...
  • Page 20: PAX Network Settings

    Figure 4.3. PAX Network Settings. Parameters: • Remote LAN IP – Address Netmask: This is the LAN IP address and subnet mask to be assigned to the PAX. Use the CIDR notation, e.g. 10.0.0.1/24. Use the IP address specified...
  • Page 21: DHCP Settings

    When the VPN tunnel is down, the client will use its ISP’s DNS server(s). 4.7. DHCP Settings In this section, we provide a table explaining the DHCP settings of the PAX (the DHCP tab). Via this tab you can configure the IP range to be assigned to the PAX client(s) and restrict VPN access based on a client’s...
  • Page 22: Firewall Settings

    Scenarios”, there are two firewall scenarios depending on the state of the VPN tunnel. Even though pre-configured VPN Firewall Policies exist (fwd-access-lan), VASCO highly recommends that system administrators implement their own Firewall Policies to serve their specific needs (see Section 3.3,...
  • Page 23: NAT Traversal

    “Security Recommendations”). Use the Add Policy button to select a firewall policy. The difference between regular and Tunnel Firewall Policies is explained in the table below. Figure 4.6. PAX Firewall Configuration Firewall Policy...
  • Page 24: Automated NAT

    Figure 4.7. Activating NAT 4.10.2. Automated NAT In this section, we explain how to enable UPnP and NAT-PMP (see Section 3.4.2, “UPnP and NAT-PMP”). These options are only available if you checked "Activate NAT" (see Section 4.10.1, “Activating...
  • Page 25: SNAT And Masquerading

    Parameters: • Description: A description for the new NAT rule, e.g. mail. • Source IP: Specify the Source IP address (range) to which the port forwarding rule must be applied. Use the CIDR notation to specify a range. If left empty, the rule applies to any source IP address.
  • Page 26 Parameters: • Destination IP: Specify the destination IP address or network for which SNAT must be performed. Use the CIDR notation to specify a network, e.g. 192.168.0.1/24. If left empty, the rule applies to any destination IP address.
  • Page 27: Client-Side Configuration

    Chapter 5. Client-Side Configuration 5.1. Overview In this chapter, we explain how to configure your PAX, once the server-side configuration has been completed (see Chapter 4, Server-Side Configuration). Topics covered in this chapter include: • The Factory Default Settings of the PAX.
  • Page 28: Installation Instructions

    • Choose a complex user password and keep it secret if you want to prevent users from rebooting the PAX or controlling the VPN Tunnel (see Section 4.5, “General Settings”). • The default passwords (see Table 5.1, “PAX Factory Default...
  • Page 29 Figure 5.2. Internet Connection and NTP Settings. Parameters: • Network Time Server: The IP address or FQDN of an Internet Time Server. • Internet Type: Select the appropriate method to connect to the Internet. See the information provided by your ISP.
  • Page 30: Reboot Procedure

    Figure 5.3. PAX Status Overview The VPN tunnel will start automatically after importing the PAX certificate (PKCS12). Rebooting is allowed, but not required. The PAX automatically checks whether a valid client certificate is present.
  • Page 31: Status, Logging And Diagnostics

    1. Log on to the aXsGUARD Gatekeeper, as explained in the aXsGUARD Gatekeeper System Administration How To, which is accessible via the Documentation button in the Administrator Tool.
    2. Navigate to VPN & RAS ⇒ Status ⇒ Personal aXsGUARD.
    Figure 6.1. Status Information Screen
    aXsGUARD Gatekeeper administrators can easily reboot any connected PAX by clicking on the reboot button.
  • Page 32: On The Personal aXsGUARD

    2. Navigate to VPN & RAS ⇒ Logs ⇒ Personal aXsGUARD.
    3. Select the appropriate logs (Server or Clients).
    4. Click on the appropriate log date to view the corresponding log file.
  • Page 33: Initiating A Remote Support Connection

    Figure 6.4. Example of a PAX Diagnostics Result If your VPN Tunnel disconnects and reconnects frequently, check the load averages in the status screen. If the load is persistently high, try rebooting the PAX. If rebooting doesn’t solve the problem, contact VASCO Support.
  • Page 34: Troubleshooting

    My VPN Tunnel disconnects and reconnects frequently • Check the load averages of the PAX, as explained in Section 6.4, “Using the Diagnostic Tool” and reboot it. • If the high load persists after rebooting, contact VASCO Support. © VASCO Data Security 2013...
  • Page 35: Support

    2. If there is no solution in the Knowledge Base, please contact the company which supplied you with the VASCO product. 3. If your supplier is unable to solve your problem, they will automatically contact the appropriate VASCO expert. For details about support capabilities by user, visit: http://www.vasco.com/support/support_services/...
  • Page 36 List of Figures: 2.1. AG-1296 Front and Back Panel (p. 4); 2.2. AG-1497 Front and Back Panel (p. 4); 3.1. Relationship between PAX and aXsGUARD Gatekeeper (p. 6); 3.2. PAX Firewall Scenarios (p. 7); 3.3. WAN to LAN Option in NAT Environment (p. 9); 3.4.
  • Page 37 List of Tables: 4.1. PAX Client Settings (p. 14); 4.2. Client Settings - General Tab (p. 15); 4.3. PAX Client Settings - Network Tab (p. 16); 4.4. PAX Client - DHCP Tab (p. 17); 4.5. PAX Wireless Settings Tab (p. 18); 4.6.
  • Page 38 List of Examples: 3.1. Maintenance of master in HA cluster (p. 11); 3.2. Selecting UDP as the VPN protocol (p. 11)...
  • Page 39: Alphabetical Index

    Alphabetical Index: AES, 11; aXsGUARD Gatekeeper, 2; CA, 6; Certificate authority, 6; DHCP, 17; Digital certificate, 6; Documentation, 1; Failover, 10; Firewall, 7; fwd-access-lan, 7, 18; Licensed appliance, 3; Logging, 27; Masquerading, 21; NAT, 8, 21; ...; UPnP, 8; WEP, 11; Wireless, 18; Wireless access, 11; WPA, 11; WPA2, 11
