You can manage access to the UserGate web console using additional network administrator accounts, roles, password management policies and zone-based access permissions. As an additional security measure, web console authentication can be based on administrators' certificates.
Important! During the initial configuration, UserGate creates the superuser called Admin.
To create additional accounts of network administrators for the device, perform the following:
Name | Description |
---|---|
Step 1. Create a new administrator's profile | In the Device management section, go to Administrator profiles, click Add and set the required permissions. |
Step 2. Create a new administrator account and assign it to one of the profiles created earlier | Go to Administrators, click Add and select one of the following options: |
Provide the following parameters when creating a new access profile for administrators:
Name | Description |
---|---|
Name | Name of the profile |
Description | Description of the profile |
API permissions | The list of objects that are available for access delegation through an application programming interface (API). These objects are described in the API documentation. The following access options are available: |
Web console permissions | The list of web console tree objects that are available for delegation. The following access options are available: |
CLI permissions | Grants access to the CLI. The following access options are available: |
An administrator can set up additional security parameters for the accounts of other network administrators, such as password complexity and blocking of accounts after multiple failed attempts to log in to the system.
To set up these parameters, perform the following:
Name | Description |
---|---|
Step 1. Configure the password policy | In the Device management section, go to Administrators and click Configure. |
Step 2. Fill in the necessary fields | Fill in the following mandatory fields: |
The administrator can also specify the zones from which the web console will be accessible (via TCP port 8001).
Important! It is not recommended that you permit access to the web console from zones connected to untrusted networks or to the Internet.
To enable access to the web console for a certain zone, go to the zone properties and enable the Administration console in the access control section. For more details on how to set up the access control for zones, please refer to the Configuring zones section.
An additional security measure is to enable authentication to the web console using administrator certificates. To enable this mode, perform the following steps (openssl utility commands are shown as an example):
Name | Description |
---|---|
Step 1. Create a new administrator's account | Create the account as described earlier in this chapter, e.g., create an account for Administrator54. |
Step 2. Create or import an existing certificate of the "Web console auth CA" type | Create or import an existing certificate (only the public key is required) of the "Web console auth CA" type in accordance with the instructions in the Managing certificates section. To create a certificate with openssl, use the following commands:<br>`openssl req -x509 -subj '/C=UK/ST=London/O=MyCompany/CN=ca.mycompany.com' -newkey rsa:2048 -keyout ca-key.pem -out ca.pem -nodes`<br>`openssl rsa -in ca-key.pem -out ca-key.pem`<br>The file ca-key.pem contains the private key, and ca.pem contains the public key. Import the public key into UserGate. |
Step 3. Create certificates for administrators | Create certificates for administrators using third-party utilities. The Common Name field must exactly match the name of the administrator's account as it was created in UserGate in step 1. Example for openssl and user Administrator54:<br>`openssl req -subj '/C=UK/ST=London/O=MyCompany/CN=Administrator54' -out admin.csr -newkey rsa:2048 -keyout admin-key.pem -nodes` |
Step 4. Sign administrators' certificates using the web console auth CA certificate created in step 2 | Using third-party utilities, sign the administrators' certificates with the web console auth CA certificate created in step 2. Example for openssl and user Administrator54:<br>`openssl x509 -req -days 9999 -CA ca.pem -CAkey ca-key.pem -set_serial 1 -in admin.csr -out admin.pem`<br>`openssl pkcs12 -export -in admin.pem -inkey admin-key.pem -out admin.p12 -name 'Administrator54 client certificate'`<br>The file admin.p12 contains the signed certificate for Administrator54. |
Step 5. Add signed certificates to the OS that administrators will use to log in to the web console | Add the signed certificates to the operating system (or to the Firefox browser if it will be used to manage UserGate) that administrators will use to log in to the web console. For details, refer to the manual for your OS. |
Step 6. Switch web console authentication mode to X.509 Certificate | In General settings, change Web console authentication mode to X.509 Certificate. |
Important! You can switch the web console authentication mode using the CLI commands.
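A pre-flight check for steps 2 to 4, added here as an example and not part of the UserGate documentation: it confirms that an administrator certificate chains to the web console auth CA and that its Common Name equals the account name exactly, before the authentication mode is switched in step 6. The function names and the throwaway demo PKI are assumptions; the file names follow the commands above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, file names follow the page.

# Print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= //p'
}

# check_admin_cert CA_CERT ADMIN_CERT ACCOUNT
# Returns 0 only if ADMIN_CERT chains to CA_CERT and its CN equals ACCOUNT
# exactly; 1 on a chain failure, 2 on a name mismatch.
check_admin_cert() {
    ca=$1 cert=$2 account=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not chain to $ca" >&2; return 1; }
    cn=$(cert_cn "$cert")
    [ "$cn" = "$account" ] || {
        echo "FAIL: CN '$cn' does not match account '$account'" >&2; return 2; }
    echo "OK: $cert is valid for account $account"
}

# make_demo_pki DIR ACCOUNT
# Builds a throwaway CA and admin certificate (constructed sample data) with
# the same openssl steps as the page, so the check can be run offline.
make_demo_pki() {
    dir=$1 account=$2
    openssl req -x509 -subj '/C=UK/ST=London/O=MyCompany/CN=ca.mycompany.com' \
        -newkey rsa:2048 -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" \
        -nodes 2>/dev/null &&
    openssl req -subj "/C=UK/ST=London/O=MyCompany/CN=$account" \
        -newkey rsa:2048 -keyout "$dir/admin-key.pem" -out "$dir/admin.csr" \
        -nodes 2>/dev/null &&
    openssl x509 -req -days 30 -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -set_serial 1 -in "$dir/admin.csr" -out "$dir/admin.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo" Administrator54
check_admin_cert "$demo/ca.pem" "$demo/admin.pem" Administrator54
# A differently cased account name is rejected: the match must be exact.
check_admin_cert "$demo/ca.pem" "$demo/admin.pem" administrator54 || true
rm -rf "$demo"
```

Against real files, call `check_admin_cert ca.pem admin.pem Administrator54` for each administrator before changing the authentication mode.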
In Administrators --> Administrator sessions, you can view all administrators who are currently logged in to the administration web console of UserGate. You can terminate (close) any session when necessary.