Wednesday, November 16, 2016

AD Integration with Cyberoam

In this post I would like to talk about the integration between AD and Cyberoam.

What is the need for the integration?

First of all, Cyberoam can have as many users as you want configured on it. Let's say that you would like LAN-to-WAN traffic to be controlled per user instead of per machine MAC address.

Another case could be VPN policies. Let's say that you want one group of employees to have a certain SSL VPN policy and another group to have a different one. The easiest and most efficient way to achieve this is to import the users from AD and assign the desired policy through AD, instead of logging into Cyberoam and changing it manually yourself.

There are many cases I could talk about, but for now let's get to the point.

Steps for integrating Active Directory Domain Service Server with Cyberoam are simple, as follows:

1. Configure AD server on Cyberoam and create a successful connection.

2. Make the configured AD server the primary authentication server on Cyberoam instead of the local database (the users configured manually on Cyberoam).

3. Change the local policy on the AD so that it records users' logins through the event viewer.

4. Install the CTA agent (Cyberoam Transparent Authentication agent), a small exe file that captures users' logins via the events generated on the AD itself. This agent in turn communicates with Cyberoam, so Cyberoam can tell that a user has logged in from a specific machine, and records this user in the live users list.

5. Create security groups on AD that represent internet-access policies.

6. Add users to the desired security group from AD.

7. Import these security groups into Cyberoam through the import-groups wizard.

8. Give each imported group the desired web filter, application filter, etc. on Cyberoam.

9. Create a LAN-WAN rule that is attached to the user identity.

That's it!

Now each time a user opens a browser, Cyberoam notes the user's username, checks which group that user is a member of, and then applies the appropriate policy, the user's group policy.
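As an added example (not part of the original post or of Cyberoam's own tooling), the AD-side steps 3, 5 and 6 above can be scripted in PowerShell on the domain controller. The OU path, group names and user names are placeholders; the script assumes the ActiveDirectory module (RSAT) is installed and that it runs with rights to create groups and change the audit policy.

```powershell
# Added example, not from the original post: prepares the AD side of the
# Cyberoam integration. OU path, group names and members are placeholders.
Import-Module ActiveDirectory

$ouPath = 'OU=Cyberoam Policies,DC=example,DC=local'   # placeholder OU

# Step 3: make the domain controller record logon events in the Security
# log, which is what the CTA agent reads. Failure auditing is not needed
# by the agent but is useful for the SOC, so it is enabled as well.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable

# Step 5: one security group per internet-access policy. Placeholder names
# and placeholder sAMAccountNames as members.
$policyGroups = @{
    'CR-Web-Standard'   = @('jdoe', 'asmith')
    'CR-Web-Restricted' = @('contractor1')
}

foreach ($groupName in $policyGroups.Keys) {
    # Idempotent: only create the group if it does not exist yet.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -GroupScope Global `
            -GroupCategory Security -Path $ouPath -PassThru `
            -Description 'Cyberoam internet-access policy group'
    }

    # Step 6: add the users, skipping anyone who is already a member.
    $current = Get-ADGroupMember -Identity $group |
        Select-Object -ExpandProperty SamAccountName
    $missing = $policyGroups[$groupName] | Where-Object { $_ -notin $current }
    if ($missing) {
        Add-ADGroupMember -Identity $group -Members $missing
    }
}

# Check: each group gets its own filter policy in step 8, so a user that
# sits in two policy groups is ambiguous. Warn before importing into Cyberoam.
$allUsers = $policyGroups.Values | ForEach-Object { $_ }
$dupes = $allUsers | Group-Object | Where-Object Count -gt 1
if ($dupes) {
    Write-Warning ("Users in more than one policy group: " + ($dupes.Name -join ', '))
}
```

Run it once before the import-groups wizard (step 7); rerunning it is safe because groups and memberships are only added when missing.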

I know that this post needs more details and screenshots; I just wrote it on my way home. I will talk about it in more detail in future posts.

Best regards

Abed Jaber

Monday, September 26, 2016

Appliance Access - SSH

Secure Shell (SSH) is the best and recommended way to communicate with Cyberoam, or any device on a network, using the CLI.

SSH provides a secure communication channel between the client and the SSH server: the information exchanged between them is encrypted, thus preventing man-in-the-middle intrusion. SSH is used to execute predefined commands on Cyberoam.

More about SSH can be found at this Wikipedia page here:

You, as the SSH client, can connect to Cyberoam, the SSH server, using many applications, but the easiest and best known is PuTTY. Download.

PuTTY is a lightweight application that can be used not only for SSH, but also for other connections, such as serial connections over a serial cable.

Just download PuTTY, double-click on it, and the window below will appear:

As you can see, SSH operates over port number 22. Do not change any other field; just enter Cyberoam's IP, or the IP of any Cyberoam sub-interface, in the (Host Name) field. Let's say the IP is 10.10.10.1: type it in and then hit Open. A separate CLI window will appear; enter (admin) as the username and the admin's password. Cyberoam will not accept any other credentials. Hit Enter as below:

After entering the correct credentials, Cyberoam will take you to the main menu, which is actually the same window that appears when you connect to Cyberoam using Telnet; this time, however, your connection is over a secure channel, as in the image below:

That's it. You can start modifying the settings as you wish.

Best Regards
Abed Jaber

Sunday, September 18, 2016

Appliance Access - Telnet

Telnet is a great way to communicate with Cyberoam if you don't have access to the appliance GUI. The bad side of Telnet, however, is that everything between you and Cyberoam is sent in clear text, including the password you type to log on (there is no encryption involved). That is not good if there is a sniffer on your network, so Telnet is not recommended in most cases.

More about telnet can be found at this Wikipedia page:


To establish a connection, just open a CMD window and type the following command to access Cyberoam CLI:

telnet (Cyberoam IP or the sub-interface IP)

Cyberoam will ask for the (admin) user's password. The default password for the admin user is (admin). If you authenticate successfully, the following menu will appear (depending on the firmware you have):

You can see from the image above that the CLI provides the major operations on the appliance, such as resetting the firewall to its factory defaults (5 > 2), changing the interface configuration (1 > 1), access to the Cyberoam console (5), shutting down or rebooting the device (7), and many other important sub-commands which you can explore. I will not go through all the available options, but I would like to point out some important quick notes to get started:

  • To access Cyberoam through Telnet, you have to change the settings on Cyberoam to allow Telnet connections from the zone(s) you want. Please check my previous post: Appliance Access.

  • You must have the Telnet client enabled on your operating system in order to connect to the Cyberoam CLI. On Windows 7, 8 or 10, you can install the Telnet client from Control Panel, Programs and Features, by clicking (Turn Windows features on or off); on Windows Server, you can add the Telnet client as a feature through Server Manager.

  • If you fail to provide the correct password once, Cyberoam will close the connection and you have to telnet to the appliance again.

  • Cyberoam only accepts the admin user's password; it will not accept other users' passwords, even if you have added users to Cyberoam.

Thank you
Abed Jaber

Friday, September 16, 2016

Appliance Access - HTTPS

Cyberoam offers a great way of controlling how the device is accessed: from which zone, with what type of access, which services it offers, etc.

To access the (Appliance Access) page, simply go to: System, Administration, Appliance Access.

Let's take a look at the picture below as an example. The client has two VLANs (Vlan 10 and Vlan 20); the other zones are pre-configured in Cyberoam. Let's say that you want to allow Cyberoam to be accessed from the zone (Vlan20) using the HTTPS access mode only: simply tick the box next to the Vlan20 zone, under HTTPS (Admin Services). If you leave the other zones unticked, then whenever you try to access Cyberoam from Vlan10 or any other zone, the browser will keep searching for the entered URL and nothing will be displayed.

From my humble experience in network security and Cyberoam, I recommend allowing access to Cyberoam from the LAN zone using the HTTPS access mode only. To be able to access Cyberoam when you are out of the office, you can also allow HTTPS access for the VPN zone. This means that when you connect to your company's network over the SSL VPN connection, you can log in to Cyberoam and carry out any modifications or upgrades needed, such as a firmware upgrade (which hopefully is not carried out during working hours); I will cover this topic in a future post.

I recommend not ticking HTTP access for any zone.

I will cover each service separately in a different post with more screenshots.

Thank you

Best Regards
Abed Jaber


Wednesday, September 14, 2016

Modifying SSL Connection Settings

When creating multiple SSL VPN policies on Cyberoam, you may want to assign different hosts to each SSL VPN policy. Hosts may represent server(s), AP(s), switches, DVR(s), etc.

For example, let's say that you have an outsourcing company that requires an SSL connection in order to work remotely, and its work is limited to a host named Failover Cluster. They do not need access to all of your network hosts. When creating the SSL policy for the outsourcing company, you need to define the (Tunnel Access Settings) for that SSL policy.

To do so: log in to Cyberoam, go to: VPN, SSL, click on the (Policy) tab, then choose the policy which you created for that outsourcing company (e.g. ABC Outsourcing Co.), as below:


In the Tunnel Access Settings section, from the Available Hosts/Networks list, choose the host(s) that can be accessed by the users to whom you have assigned this SSL VPN policy in their account. Each host you choose is automatically moved to the (Selected Hosts/Networks) list. You can remove a selected host, if you want, by simply clicking the small (x) mark next to it. Click OK and that's it!

Now, any user who has been assigned the SSL VPN policy (ABC Outsourcing Co.) in their account on Cyberoam can access only the host named Failover Cluster!

Of course, you can add as many hosts as you want in Cyberoam by clicking on Objects, Hosts and then Add.

Best Regards
Abed Jaber


Tuesday, September 13, 2016

Cyberoam HTTPS Port

Sometimes, for security reasons, you would like to change the default port you use to access Cyberoam.

I recommend changing the settings on Cyberoam so that the portal is accessible only over SSL (HTTPS), and changing the default SSL port (443) to a different port.

To do so, log in to Cyberoam, go to: System, Administration, and click on the (Settings) tab, as below:

Enter a value in the (HTTPS Port) field, such as 8988. From then on, you can access the portal only using that port. Let's say that the Cyberoam IP is 10.10.10.1; then you have to enter the address below in order to access the portal:

https://10.10.10.1:8988