
User Management

An Administrator must register the users who need to access applications securely over the network. zGateway supports multiple user roles and permission grouping. The security privilege of users depends on the role they perform. The different user roles are:
 Security Officer (SO): The most privileged of all zGateway users. A Security Officer can create, delete, and modify other SOs, Administrators, High Security, and Low Security Users. An SO can also manage the Access Control Lists (ACL) for User Groups, as well as manage applications. Only a Security Officer can change the Server State, Database Password, and Basic Authentication Method and Enable/Disable SSH.
 Administrator (Admin): An Administrator can create, delete, and modify other Administrators, High Security, and Low Security Users. They can also administer Applications, User Groups, and Application Groups, and manage the Access Control Lists (ACLs) for User Groups. Admin users cannot create, modify, or delete a Security Officer.
 High Security Users: High Security Users are Power Users who are authenticated with the stronger Certificate-based authentication mechanism. Security Officers and Administrators are Power Users by default.
 Low Security Users: Low Security Users can be Native, LDAP/ADS, or RADIUS users who are authenticated with the weaker Basic Authentication mechanism. If you wish to have users log in with their Active Directory credentials, you do not have to create an account for them on the zGateway server. See configuring Authentication Servers for more information.
 Machine Class Users: Machine Class Users are created only in the context of configuring chained VPN.
NB: Security Officers, Administrators, and High Security Users can also log on to the server with Basic Authentication, but they will NOT have the Power User privileges when they log on with Login ID and Password.
You can integrate zGateway with LDAP, ADS or RADIUS authentication servers. This allows the users registered with these servers to log on to VPN with their LDAP, ADS, or RADIUS user accounts. There is no need to create user accounts in the zGateway server (Native Database) for these users. However, the LDAP, ADS, or RADIUS users have only Low Security User privileges. For High Security User privileges, you must create an account for the user in the zGateway database.
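The role rules above can be written down as a small model, which is useful when reviewing who can actually administer whom. This is an added illustration, not zGateway code: the `Session` type and function names are hypothetical, and treating a password logon by a privileged account as a Low Security User session is an assumption (the page only says Power User privileges are not granted).

```python
from dataclasses import dataclass

# Roles as named on this page, most privileged first.
SO = "Security Officer"
ADMIN = "Administrator"
HIGH = "High Security User"
LOW = "Low Security User"

# Roles each administrative role may create, modify, or delete.
MANAGEABLE = {
    SO: {SO, ADMIN, HIGH, LOW},
    ADMIN: {ADMIN, HIGH, LOW},  # Admins cannot touch Security Officers
}


@dataclass(frozen=True)
class Session:
    assigned_role: str  # role stored on the account
    source: str         # "native", "ldap", "ads", or "radius"
    auth: str           # "certificate" or "basic"


def effective_role(s: Session) -> str:
    """Return the role a logged-on session actually carries."""
    # LDAP, ADS, and RADIUS users have only Low Security User privileges.
    if s.source != "native":
        return LOW
    # Privileged accounts lose Power User privileges on a Login ID and
    # Password logon. Assumption: the session is then Low Security.
    if s.auth != "certificate":
        return LOW
    return s.assigned_role


def can_manage(actor: Session, target_role: str) -> bool:
    """True if the actor's session may create/modify/delete target_role."""
    return target_role in MANAGEABLE.get(effective_role(actor), set())


if __name__ == "__main__":
    # Constructed sessions for illustration.
    for actor in (
        Session(SO, "native", "certificate"),
        Session(SO, "native", "basic"),
        Session(ADMIN, "native", "certificate"),
        Session(HIGH, "ldap", "basic"),
    ):
        allowed = [r for r in (SO, ADMIN, HIGH, LOW) if can_manage(actor, r)]
        print(actor, "->", effective_role(actor), "| manages:", allowed)
```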

ADD USERS
 In the Administration menu on the left side of the VPN console, click to expand Access Management, and then click Local Users and Add.

 Username: Enter user’s full name.
 User E-mail Address: Enter user’s email address.
 Administrator E-mail Address: Enter Administrator’s email Address.
 Mobile number: Enter the user’s mobile number, used for sending SMS messages.
 Class: From the Class drop-down menu select the user’s class from the list. Select User, if creating a user. Machine Class is relevant only for Site-to-Site configuration (Chained VPN).
 Role: On the Role drop-down menu select the user’s role from the list. Choose from Security Officer, Administrator, High Security User, or Low Security User. The default role is Low Security User.
 Hostname: Hostname of the zGateway server (for Site-to-Site Connections).
 User must change password at next logon: Check if the user wants to change the password at login; otherwise keep it unchecked.
 Password never expires: Set for password to not expire.
 Send details via email: Send authentication details via email.
 Send details on mobile: Send authentication details via SMS.
 Account is disabled: Administrators can keep an account in disabled state for a time period. Check or uncheck the box and change the account status as necessary.
 Account expires on: Administrator can set a date when the account will automatically expire. After the given date the user account is set to “disabled”. This option is applicable only for basic authentication and certificate users. This option is not applicable to security officers and administrators.
 User ID: Enter username (this will be used by the user to login as Basic Authenticated User). This field is available to all types of users except Machine Class User.
 Password: Type the user’s password in the Password field.
 Subscribed User Groups: Assign the user to local user groups. (Refer to the Add User to User Group section for more information.)
 Click Submit to create user or click Reset to clear the data entered in the fields. A success message confirms that the user has been created.
NB: All High Security Users must enroll in order to access VPN. All users must download the root certificate (cacert.cer) and import it to the browser, in the list of Trusted Root Certification Authorities.
EDIT/MODIFY USERS
 In the zGateway management console, click Access Management and choose Local Users.
 Type the user name you want to edit in the Search Users field. If entering multiple names, separate names with a comma.
 Click Show to display the search results.
 Click on the check box for the user you want to edit and click Modify. The Modify User screen appears. Modify the values you want to edit and click the Submit button to save the changes.

DELETE USER
 On the Local Users screen, check the boxes for the user(s) you want to delete. To select all users in the table, click on the Check all box below the table.
 Click Delete to delete the selected user(s).
 When prompted for deletion confirmation, click OK to delete user(s) or click Cancel to abort.
NB: Security Officers and Administrators cannot delete their own accounts.

RESET PASSPHRASE
This option allows the administrator to reissue a certificate passphrase to users. The new passphrase will be sent to the user’s registered email ID.
NB: Passphrase recovery is available only for Certificate users.
 On the Local Users screen, click on the check box for the user who needs passphrase recovery.
 Click Reset Passphrase.

 Click OK in the confirmation window to reset the passphrase, or click Cancel to exit.
 A success message confirms that a new Passphrase has been emailed to the specified user.
 While re-enrolling into zGateway, the user must use the newly e-mailed Passphrase and enter a new password to generate a new Certificate.
 The user can now log in to zGateway, using the new certificate and password.

LOCAL GROUPS
User Groups allow you to organize Users on the basis of function, logistics or any criteria that suits your organization.
zGateway has three default User Groups:
 SYSTEM
 DEFAULT_USER_GROUP
 DEFAULT_BA_USER_GROUP
The Security Officers and Administrators belong to the SYSTEM group. The other Certificate-based users (High Security Users) belong to DEFAULT_USER_GROUP, and the Native Basic Authentication Users (Low Security Users) belong to DEFAULT_BA_USER_GROUP.
A zGateway Administrator can create other User Groups of the following types:
 High Security (HS) User Group
 Basic Authentication (BA) User Group
The Native Basic Authentication Users can be subscribed to BA User Groups, while the High Security Users can be subscribed to both HS and BA User Groups.
NB: The User Groups for the LDAP/ADS users are obtained from the LDAP/ADS servers. The RADIUS users belong to DEFAULT_RADIUS_USER_GROUP group.

CREATE USER GROUP
 In the Administration menu on the left side of the management console, click Access Management > Local Groups. Choose to Add Local Group.
 Type the group name in the User Group Name field.
 Type the group description in the User Group Description field.
 To create a High Security User Group, click on the check box for High Security Level. To create a Basic Authentication User Group, leave it empty.
 Click Submit to create the User Group or click Reset to clear all data in this screen.
 A success message confirms that the User Group has been created.

DELETE USER GROUP
 In the Local Groups screen, click on the box for the User Group(s) you want to delete. To select all groups, click on the Check all box below the table.
 Click Delete to delete the selected group(s).
 When prompted for deletion confirmation, click OK to delete the group(s) or click Cancel to abort.

ADD LOW SECURITY USERS TO USER GROUPS
While in the Create User screen or Modify User screen, click on the Subscribe User to User Group link. The Add/Delete user group screen appears.

 Select the User group(s) in the Basic Security User Groups table to which this user should be subscribed, and click Add. The selected user group(s) move from Basic Security User groups table to the User Groups table on the opposite side of the screen.
 Click Submit to subscribe the user to the selected user groups or click Cancel to abort.
 The group name(s) will be listed in the Subscribed User Group list on the user’s account screen.

ADD HIGH SECURITY USERS TO USER GROUPS
 While in the Create User screen or Modify User screen, click on the Subscribe User to User Group link. The Add/Delete user group screen appears.

 Select the High Security User Group(s) to which this user should be subscribed, and click Add. The selected user group(s) move from High Security User groups table to the User Groups table on the opposite side of the screen.
 Select the Basic Security User Group(s) to which this user should be subscribed, and click Add. The selected user group(s) move from Basic Security User Groups table to the User Groups table on the opposite side of the screen.
 Click Submit to subscribe the user to the selected user groups or click Cancel to abort.
 The group name(s) will be listed in the Subscribed User Group list on the user’s account screen.

NB: Subscription to user groups is not applied until after you have completely saved the User data.

MODIFY SUBSCRIPTION TO USER GROUP
 In the Modify User screen, click on the Subscribe User to User Group link. The Add/Delete user group screen appears (this screen varies, depending on the user type).
 To remove the user from any User Groups, select the subscribed User group(s) from which the user should be removed in the User Groups table and click Delete.
 The selected group(s) move from the User groups table to the Basic Security User Groups or High Security User Groups table on the opposite side of the screen.
 Click Submit to update the list of selected user groups or click Cancel to abort.
 The changes will be listed in the Subscribed User Group list on this user’s Modify User screen.

LOCAL GROUPS
The Administrator can specify a list of native/local groups that are not allowed to log in to the zGateway server. This feature can be used when the external authentication server cannot provide any role information and local groups need to be used to put users into particular roles. In that case, specific local groups can be blocked from logging in to zGateway.
