4.4. Managing access to the UserGate console

You can manage access to the UserGate web console using additional accounts for network administrators, roles, password management policies and zone-based access permissions. As an additional security measure, it is possible to authenticate to the web console with administrators' certificates.

Important! During the initial configuration, UserGate creates the superuser called Admin.

To create additional network administrator accounts for the device, perform the following:

Step 1. Create a new administrator's profile

In the Device management section, go to Administrator profiles, click Add and set the required permissions.

Step 2. Create a new administrator account and assign it one of the profiles created earlier

Go to Administrators, click Add and select one of the following options:

  • Add a local administrator - create a local user, set an access password and assign them the previously created access profile

  • Add an LDAP user - add a user from an existing domain. This requires a valid LDAP connector set up in Authentication servers. To access the administration console, the credentials must be entered in the user@domain format. Assign the administrator profile created earlier.

  • Add an LDAP group - add a user group from an existing domain. This requires a valid LDAP connector set up in Authentication servers. To access the administration console, the credentials must be entered in the user@domain format. Assign the administrator profile created earlier.

Provide the following parameters when creating a new access profile for administrators:

  • Name - name of the profile

  • Description - description of the profile

  • API permissions - the list of objects that are available for access delegation through the application programming interface (API); these objects are described in the API documentation

  • Web console permissions - the list of web console tree objects that are available for delegation

  • CLI permissions - grants access to the CLI

For each of the three permission sets, the available access options are No access, Read only and Read and write.

An administrator can set additional security parameters for the accounts of other network administrators, such as password complexity requirements and account lockout after multiple failed attempts to log in to the system.

To set up these parameters, perform the following:

Step 1. Configure the password policy

In the Device management section, go to Administrators and click Configure.

Step 2. Fill in the necessary fields

Fill in the following mandatory fields:

  • Strong password - enables additional password complexity requirements, such as the number of uppercase and lowercase characters, digits and special characters, and the minimum total password length

  • Number of invalid auth attempts - the number of unsuccessful attempts to log in to the administrator account after which the account is blocked for the Block time

  • Block time - the period for which the account remains blocked

The administrator can also specify the zones from which the web console is accessible (on TCP port 8001).

Important! It is not recommended that you permit access to the web console from zones connected to untrusted networks or to the Internet.

To enable access to the web console for a certain zone, go to the zone properties and enable the Administration console in the access control section. For more details on how to set up the access control for zones, please refer to the Configuring zones section.

An additional security measure is authentication to the web console using administrator certificates. To enable this mode, perform the following steps (the openssl commands are shown as an example):

Step 1. Create a new administrator's account

Create an account as described above in this chapter, e.g., an account for Administrator54.

Step 2. Create or import an existing certificate of the type of "Web console auth CA"

Create or import an existing certificate (only the public key is required) of the type "Web console auth CA", following the instructions in the Managing certificates section.

To create the CA certificate with openssl, use the following commands (the second command rewrites the private key as an unencrypted PEM file):
openssl req -x509 -subj '/C=UK/ST=London/O=MyCompany/CN=ca.mycompany.com' -newkey rsa:2048 -keyout ca-key.pem -out ca.pem -nodes
openssl rsa -in ca-key.pem -out ca-key.pem

The file ca-key.pem contains the private key and ca.pem the certificate with the public key. Import only ca.pem into UserGate, and keep ca-key.pem offline and protected: whoever holds it can issue certificates that log in as any administrator.

Step 3. Create certificates for administrators

Create certificates for administrators using third-party utilities. The Common Name (CN) field must exactly match the name of the administrator account as it was created in UserGate in step 1.

Example for openssl and the user Administrator54:
openssl req -subj '/C=UK/ST=London/O=MyCompany/CN=Administrator54' -out admin.csr -newkey rsa:2048 -keyout admin-key.pem -nodes

Step 4. Sign administrators' certificates using the web console auth CA certificate created in step 2

Using third-party utilities, sign the administrators' certificates with the web console auth CA certificate created in step 2.

Example for openssl and the user Administrator54:
openssl x509 -req -days 9999 -CA ca.pem -CAkey ca-key.pem -set_serial 1 -in admin.csr -out admin.pem
openssl pkcs12 -export -in admin.pem -inkey admin-key.pem -out admin.p12 -name 'Administrator54 client certificate'

The file admin.p12 contains the signed certificate of Administrator54 together with its private key, protected by the export password that openssl prompts for. When issuing certificates for several administrators, give each one a distinct serial number (change the -set_serial value, or use -CAcreateserial instead): certificates from one issuer must not share a serial, and a browser may refuse to import a certificate that repeats an issuer and serial pair.

Step 5. Add signed certificates to OS which will be used by administrators to login to web console

Add the signed certificates to the operating system (or to the Firefox browser, if it will be used to manage UserGate) that administrators will use to log in to the web console. For details, refer to the documentation for your OS.

Step 6. Switch web console authentication mode to X.509 Certificate

In General settings change Web console authentication mode to X.509 Certificate.

Important! You can switch the web console authentication mode using the CLI commands.
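The certificate steps above, worked end to end as an added shell example that is not part of the UserGate manual: it builds the CA, issues a client certificate whose CN is the account name, and then checks the two properties the procedure depends on, that the certificate chains to the CA and that its CN equals the account name. The working directory, validity periods, organisation values and the empty PKCS#12 export password are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the UserGate manual: issue a "Web console auth CA" and an
# administrator certificate with openssl, then verify what matters for X.509 console
# login: the certificate chains to the CA and its CN equals the account name.
set -eu

# Create the CA in directory $1. ca.pem (public part) is what is imported into
# UserGate; ca-key.pem stays offline with whoever issues administrator certificates.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -days 3650 -subj '/C=UK/ST=London/O=MyCompany/CN=ca.mycompany.com' \
    -newkey rsa:2048 -keyout "$1/ca-key.pem" -out "$1/ca.pem" -nodes 2>/dev/null
}

# Issue a client certificate for administrator account $2 under the CA in $1.
# The CN is the account name verbatim; -CAcreateserial keeps a serial file (ca.srl)
# so that each administrator gets a distinct serial under the same issuer.
issue_admin_cert() {
  dir=$1; admin=$2
  openssl req -subj "/C=UK/ST=London/O=MyCompany/CN=$admin" -out "$dir/$admin.csr" \
    -newkey rsa:2048 -keyout "$dir/$admin-key.pem" -nodes 2>/dev/null
  openssl x509 -req -days 365 -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -in "$dir/$admin.csr" -out "$dir/$admin.pem" 2>/dev/null
  # PKCS#12 bundle for import into the administrator's OS or browser; the empty
  # export password is for this demo only, use a real one when handing the file over.
  openssl pkcs12 -export -in "$dir/$admin.pem" -inkey "$dir/$admin-key.pem" \
    -out "$dir/$admin.p12" -name "$admin client certificate" -passout pass: 2>/dev/null
}

# Print the CN of certificate $1 (the value matched against the administrator account).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN *= *//p'
}

# Return 0 only if certificate $2 chains to CA $1 and its CN equals account name $3.
check_admin_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  [ "$(cert_cn "$2")" = "$3" ]
}
```

Run make_ca and issue_admin_cert once per administrator account; check_admin_cert is the pre-import sanity check for the CN mismatch that otherwise only shows up as a failed console login.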

In Administrators --> Administrator sessions, you can view all administrators currently logged in to the UserGate administration web console and terminate (close) any session when necessary.