4.2. Setup - Users

User tree


In the SafeUTM management interface, users are displayed as a tree.


Users can be organized into trees. The group nesting level is not limited.
The user account tree is available in Users -> User & Group.

SafeUTM implements the principle of inheritance, which makes it easy to set and change parameters common for users, defining them for the parent group, for example, quotas or remote VPN access. The principle of inheritance is very convenient for performing management operations related to all users in the group.

An example of a user tree can be seen below:
[Screenshot: 1. User tree.png]

The user’s icon can be colored differently. The table below describes each color of the user’s icon:

User Account Status (icon)   | Description
2. User tree.png             | The user has completed the authorization procedure and has been granted internet access.
3. User tree.png             | Authorization restriction has been set in the User Settings.
4. User tree.png             | The user has not completed the authorization procedure and has not been granted internet access.


User & Group

Creating, deleting, and moving user accounts.


General

To manage groups and accounts in the user tree, there are corresponding buttons on each group:

Symbol                   | Description
1. User Management.png   | Create user account
2. User Management.png   | Create group
3. User Management.png   | Delete user account or group


Creating User Account

To create an account in a certain group, click Create User Account in it. The control element symbols are illustrated in the table above.

The second way to create a user in a group is to select the designated group and click Create User in the right part of the window in the General tab.
[Screenshot: 4. User Management.png]

Next, you will see a window for creating a user account, where you need to define a number of parameters. The form for creating a user account is shown below.
[Screenshot: 5. User Management.png]

Login must be entered in lowercase Latin characters, for example, j.smith.

Password complexity recommendations: minimum length of 10 characters; use of lowercase and uppercase Latin characters; use of numbers and special characters. You can also generate a password.

When you fill in the Additional settings, a corresponding rule is created in the user card in the IP and MAC authorization tab and in the Authorization -> IP and MAC authorization section.
If this IP address or MAC address is also used in DHCP server rules, the DHCP server rule takes priority.

For accounts imported from MS Active Directory (AD), password verification is carried out by means of AD. Active Directory user authorization is configured in the corresponding section.

You cannot create a user in the Active Directory group from SafeUTM. If you need to add an additional user to the Active Directory group, you must do so in the user tree on the domain controller.

The account password cannot be viewed or recovered; it can only be changed.

After you have entered all required parameters, click Save. The created account automatically inherits the values of a number of parameters from the group in which it was created.


Creating Group

To create a group, you need to click on the corresponding control symbol to the right of the group name (you can create both a tree root group and a child group).

A window will open, in which you will need to type in the name of the new group and click Save. An example of adding a group can be seen below:
[Screenshot: 6. User Management.png]


Mass Creation of Users with Authorization by IP

Mass creation of users for authorization by IP is possible. You can find out more in the article about this kind of authorization.

Alternatively, you can use Netscan to create such users automatically when their devices try to access the internet.


Deleting Group or User Account

To delete a user account, select the user and click on the corresponding symbol. You can also select the user and click Delete in the General tab.
[Screenshot: 7. User Management.png]

Deleting a group is done the same way.


Moving User Account or Group

To move a user account to another group, select the user, open the General tab and find the Found in a group field. From the drop-down list, select the group to move the user into and click Save.
[Screenshot: 8. User Management.png]


Configuring Users

Configuring user account settings.


Categories

Users are configured in Users -> User & Group. To view or edit the user account settings, select the account in the user tree by left-clicking on it. The parameters of the selected account appear on the right side of the screen. All configurable parameters are divided into categories: General, Quota, IP and MAC authorization, and Sessions. If you want to change the parameters of all users in a group, select the corresponding group in the user tree.


General category

The section of main settings includes many parameters determining the user account status.
The basic parameters are:

For users imported from Active Directory, there is a corresponding line above the user settings. For such users, it is impossible to edit the name or login, or to move them to another group, in the General tab.


Quota category

This section allows you to view and increase the user quota in case of using traffic limits.
[Screenshot: 3. Configuring Users.png]

To increase the quota, use the Increase traffic for the current period field.
Example: A user is assigned a quota of 1000 MB for a week (Monday to Sunday). By Thursday, the amount of traffic exceeded the value set by the quota. It is required to provide the user with additional traffic once.
To do this, enter the required value in the Increase traffic for the current period field and click Increase. The Remaining line will reflect all available traffic, taking into account the added one.

You can find the information about how to set up traffic quotas in the User Quotas section.


IP and MAC Authorization category

This category contains authorization rules by IP and MAC created for a specific user in two sections:

The IP and MAC authorization rules also create a similar binding in the SafeUTM DHCP server. But if the same IP and MAC addresses are used in enabled DHCP server rules, then the DHCP server rules will be executed first.


Sessions category

Contains a table with information about all active user sessions:
[Screenshot: 6. Configuring Users.png]
When you click on "X" in the Operations column, UTM terminates the user's session.
A similar table is located in the Monitoring -> Authorized users section.


Terminal Server Users

A terminal server is used for remote work, providing a separate desktop for each user, and can serve dozens or even hundreds of users.


Terminal Server Authorization

If the admin does not need the separate authorization of terminal server users, and the same access settings (content filtering and user firewall) can be applied to them, the server can be authenticated as a single user.

The best option is authorization by IP address.

Please note that when the number of users on the terminal server is large, it may be necessary to increase the number of simultaneous sessions from one address in advanced security settings.


Authorization of Terminal Server Users

Separate authorization of terminal server users (running under Windows Server 2008 R2 and Windows Server 2012 OS) is possible using SSO (NTLM). In such a case server authorization by IP is not necessary.

For separate authorization of terminal server users, Remote Desktop IP Virtualization must be configured on the terminal server, and user authorization via web authorization (SSO or NTLM) must be configured on the SafeUTM server. Authorization of terminal server users based on logs of the AD domain controller has not yet been implemented.


Configuring Remote Desktop IP Virtualization on Windows Server 2012

For Remote Desktop IP Virtualization to work on a Windows server, the DHCP Server role must be added to it (this function may not work correctly with other DHCP servers) and an IP address range must be allocated for terminal server users.

In Group Policy Management Editor, navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> App Compatibility.

Enable the option Turn on Remote Desktop IP Virtualization in group policy with the option Per Sessions:
[Screenshot: 1. Terminal Server Users.png]

It is also recommended to enable the option Do not use the IP address of the remote desktop session host server if the virtual IP address is unavailable.

Use the command gpupdate /force to update all policies.

You can check that the settings have been applied using the following PowerShell command:

Get-WmiObject -Namespace root\cimv2\TerminalServices -Query "select * from Win32_TSVirtualIP"

The values must be: VirtualIPActive = 1 (virtualization on) and VirtualIPMode = 0 (per session).
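The following PowerShell function, added here as an example and not part of the SafeUTM documentation, automates the two checks described above: that the DHCP Server role is installed on the host and that Win32_TSVirtualIP reports VirtualIPActive = 1 and VirtualIPMode = 0. The function name Test-RdIpVirtualization and the shape of the returned object are assumptions; the WMI namespace, class and property names are those the documentation queries.

```powershell
# Added example (not from the SafeUTM documentation). Verifies the Remote Desktop
# IP Virtualization prerequisites on a Windows Server terminal server.
# The function name and result layout are hypothetical; Win32_TSVirtualIP with its
# VirtualIPActive / VirtualIPMode properties is the class the documentation cites.

function Test-RdIpVirtualization {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        DhcpRoleInstalled    = $false
        VirtualIPActive      = $null
        VirtualIPMode        = $null
        ConfiguredAsExpected = $false
        Problems             = @()
    }

    # 1. The DHCP Server role must be installed on this host. Get-WindowsFeature
    #    comes from the ServerManager module, which exists only on Windows Server,
    #    so check for the cmdlet before calling it.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $dhcp = Get-WindowsFeature -Name DHCP -ErrorAction SilentlyContinue
        if ($dhcp -and $dhcp.Installed) {
            $result.DhcpRoleInstalled = $true
        } else {
            $result.Problems += 'DHCP Server role is not installed on this server.'
        }
    } else {
        $result.Problems += 'Get-WindowsFeature is unavailable; this does not look like Windows Server.'
    }

    # 2. Read the IP virtualization state from the same WMI class that the
    #    documentation queries with Get-WmiObject.
    $vip = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                           -ClassName 'Win32_TSVirtualIP' `
                           -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $vip) {
        $result.Problems += 'Win32_TSVirtualIP not found; is the Remote Desktop Session Host role installed?'
        return [pscustomobject]$result
    }

    $result.VirtualIPActive = [int]$vip.VirtualIPActive
    $result.VirtualIPMode   = [int]$vip.VirtualIPMode

    # Expected values per the documentation: VirtualIPActive = 1 (enabled),
    # VirtualIPMode = 0 (per session).
    if ($result.VirtualIPActive -ne 1) {
        $result.Problems += 'IP virtualization is off (VirtualIPActive <> 1); enable the policy and run gpupdate /force.'
    }
    if ($result.VirtualIPMode -ne 0) {
        $result.Problems += "VirtualIPMode is $($result.VirtualIPMode); the documented setting is 0 (per session)."
    }

    $result.ConfiguredAsExpected = ($result.Problems.Count -eq 0)
    return [pscustomobject]$result
}

# Usage: run in an elevated PowerShell session on the terminal server after gpupdate /force.
Test-RdIpVirtualization | Format-List
```

Run it after gpupdate /force; if ConfiguredAsExpected is False, the Problems list says which of the documented prerequisites is missing.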

User Authorization


Authorization is a necessary condition for users to access the internet.


General Information

There are several authorization methods that you can find in this subsection.

All types of authorizations on SafeUTM are IP-based (based on the host IP address) and any authorization session is bound to the IP of the host from which it was installed. Simultaneous authorization of up to five devices is possible under one user account (by dynamic authorization methods, web, Kerberos/NTLM, security logs of Active Directory domain controllers, and VPN).

The user is automatically logged out when inactive (no internet connections) for 15 minutes (except connections via VPN).

Keep in mind that the operating system itself can also generate traffic (for example Windows telemetry) without user intervention. Because of this, the inactivity timeout for the user is constantly reset and cannot work correctly.

You can change the time of automatic logout using the settings Disconnection timeout by going to Users -> Authorization:
[Screenshot: 1. User Authorization.png]

For the new timeout to be applied, you need to reboot SafeUTM.

You can also authenticate users connecting via VPN using IPSec IKEv2, SSTP, L2TP IPSec, PPTP, and PowerShell scripts.


Web Authorization

Supported browsers:
- Google Chrome, version >= 76
- Firefox, version >= 71
- Safari, version >= 13

In this type of authorization, any request from an unauthenticated user sent via a web browser is redirected to a special authorization page of SafeUTM. After successful authorization, the user is redirected to the originally requested address.

For this type of authorization, the IP address of the SafeUTM local network interface must be specified on the user's network card as the gateway (directly or through a chain of gateways), or the user must connect directly to the proxy. Also, DNS name resolution must work before connecting to the Internet; otherwise, the browser request to an address such as example.com will not be redirected to the gateway and the username and password prompt will not appear in the browser.

You can check name resolution in Windows using the command: nslookup google.com. The output of this command must contain IP addresses.

To configure authorization via the web interface, go to Users -> Authorization and select Web authentication and Authentication through web Interface, as shown in the screenshot below:
[Screenshot: 1. Web Authorization.png]

After filling in the Domain name field and saving the settings, a Let’s Encrypt certificate will be issued and the user will be redirected to the authorization window, bypassing the security exception page:
[Screenshot: 2. Web Authorization.png]

If a certificate for such a domain has already been loaded in the Certificates section, then it will be used and a new certificate will not be issued.

Next, try to access the internet via a web browser. An authorization window should appear where you need to type in the account’s login and password of the user created on SafeUTM. The authorization window can be seen in the screenshot below:
[Screenshot: 3. Web Authorization.png]
When the user is authenticated via the web, access to the internet is provided until the authorization is forcibly canceled or terminated due to the user’s inactivity.

When opening an HTTPS website, the user must confirm that the SafeUTM certificate is trusted. Alternatively, the certificate can be added to the trusted root certification authorities on the device (for example, through domain policies).

You can learn more about the authorization of Active Directory (SSO-authentication) users by clicking on this link.


Authorization by IP and MAC address

General Information

The IP and MAC authorization rules also create a similar binding in the SafeUTM DHCP server. However, if the same IP and MAC addresses will be used in the enabled rules of the DHCP server, then the DHCP server rules will be executed first.

To configure IP and MAC authorization, you must:

  1. In section Authorization -> IP and MAC authorization click Add.
  2. Create an IP and MAC authorization binding rule:

    [Screenshot: 1. Authorization by IP and MAC address.png]

Set the flag Permanently authorized to provide unlimited internet connection even if the user is not active.
The rules created in this section are reflected in the user card.
Find out more about user authorization by IP address only or by MAC address only in the articles Authorization by IP address and Authorization by MAC address.


Authorization by IP address

Configuring Authorization by IP

Authorization by IP implies that an authorized user will gain access to Internet resources without entering a username and password, but simply by initiating a connection to these resources.

You can also authorize network devices (such as CCTV cameras, network printers, etc.) that are located in broadcast domains other than SafeUTM, and that require Internet access.

If the device is a router and SNAT is enabled on it, then when its external IP is authorized in UTM, all users behind this router will gain Internet access.
Users who are behind a router in the local UTM network cannot be authorized using an IP address <--> MAC address binding, since the router does not pass L2-level traffic.
If authorization by IP address is configured, this IP will not be issued by DHCP.

To authorize a user by IP address:

1. Create a user that will be authorized by IP in SafeUTM or import a user from Active Directory.
2. Go to Users -> Authorization -> IP and MAC authorization.
3. Create a binding rule IP address <--> User, as shown in the screenshot.
[Screenshot: 1. Authorization by IP address.png]

The IP address specified in the rule is used when creating the session, so the computer/device's actual IP address must match the one specified in the rule.

If the user is network equipment (video cameras, servers, etc.), it is recommended to select Permanently Authorized, in which case the user session will be created after the UTM is turned on, and the network equipment does not need to make a web request. For such equipment, it is recommended to configure a static IP address or DHCP with an IP address binding.
This is required, for example, for resources published via DNAT.

After the user makes a web request, a session with the IP authorization type will automatically be created on UTM in Monitoring -> Authorized Users.
[Screenshot: 2. Authorization by IP address.png]

For sessions with the IP authorization type, the MAC address field is not filled in, because with this type of authorization the IP address alone is sufficient to create the authorization session.

You can use device search to automatically create users when they try to access the Internet. To do this, see the Netscan article.

Only one device can be authorized under one user by IP address (simultaneously with this type of authorization, two more devices can be authorized under one user by any other authorization method).


Adding Group of Devices with Authorization by IP

You can add users from a range of IP addresses (for example, a network distributed by access points to wireless devices over Wi-Fi). To do this, you need to follow these steps:

  1. Create a new group in the user tree.
  2. Select a group from the user tree to which you want to add devices.
  3. In the General tab, click Create Users.

A window opens with the settings of the users created. Fill in the following fields:

  1. Name Prefix. Users will be created with names of the type "User <IP address>".
  2. Login prefix. Users will be created with logins of the type "user_<ip-address>".
  3. IP addresses of the first and last users.
    [Screenshot: 3. Authorization by IP address.png]
    [Screenshot: 4. Authorization by IP address.png]
    [Screenshot: 5. Authorization by IP address.png]

If some IP addresses from the range are already used by other SafeUTM users, they will be skipped during creation, and as a result, fewer users will be created than addresses in the range.

Users will be created with the settings of the created group and an IP address from the range. In addition to the user tree, in the section Users -> Authorization -> IP and MAC authorization for each user, a binding rule IP address <--> User will be created automatically, as shown in the screenshot:
[Screenshot: 6. Authorization by IP address.png]

If you use IP authorization with static binding in DHCP, it is preferable to transfer such rules to authorization by MAC address.


Authorization by MAC address

This type of authorization is suitable for those devices whose location changes from time to time between local networks within the organization (for example, employees' work laptops) or network devices that are issued an IP address via DHCP, on which IP+MAC binding is not configured.

In order for a device to be authorized on UTM by MAC address, the device and UTM must be in the same broadcast domain, and UTM must serve as the gateway for the device.

Users who are behind the router in the local UTM network cannot authorize by MAC address, since the router breaks broadcast domains and does not process L2-level traffic. Such users can authorize only by IP address.


Configuring MAC Authorization

To authorize a user by MAC address, you need to do the following:

1. You need to find out the MAC address of the device. To do this, in the Windows command prompt, type the command: ipconfig /all | findstr Address
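As an added example that is not part of the SafeUTM documentation, the PowerShell function below lists the MAC addresses of the physical network adapters on a Windows host, an alternative to the ipconfig /all | findstr Address command in step 1 (which also matches IPv4/IPv6 address lines, so the physical address has to be picked out by eye). The function name Get-DeviceMacAddress is hypothetical; the separator format SafeUTM expects for MAC addresses is not stated on this page, so both the dash and colon forms are returned.

```powershell
# Added example (not from the SafeUTM documentation). Lists MAC addresses of
# physical adapters so the right one can be entered in the MAC authorization rule.
# Function name is hypothetical; Get-NetAdapter / Get-NetIPAddress are the
# standard NetAdapter and NetTCPIP module cmdlets on Windows 8 / Server 2012 and later.

function Get-DeviceMacAddress {
    [CmdletBinding()]
    param(
        # Also list adapters that are currently disconnected (default: only "Up").
        [switch]$IncludeDisconnected
    )

    # -Physical excludes virtual adapters (VPN, Hyper-V switches, loopback),
    # whose MACs would never be seen by UTM on the LAN segment.
    $adapters = Get-NetAdapter -Physical
    if (-not $IncludeDisconnected) {
        $adapters = $adapters | Where-Object Status -eq 'Up'
    }

    foreach ($a in $adapters) {
        # The IPv4 address on the same interface helps match the adapter against
        # the address UTM shows in Monitoring -> Authorized users.
        $ipv4 = Get-NetIPAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4 `
                                 -ErrorAction SilentlyContinue | Select-Object -First 1

        # Get-NetAdapter reports MACs as AA-BB-CC-DD-EE-FF; a colon-separated
        # lowercase form is also provided (which form SafeUTM expects is an assumption).
        [pscustomobject]@{
            Name         = $a.Name
            Description  = $a.InterfaceDescription
            Status       = $a.Status
            MacAddress   = $a.MacAddress
            MacColonForm = ($a.MacAddress -replace '-', ':').ToLower()
            IPv4Address  = if ($ipv4) { $ipv4.IPAddress } else { $null }
        }
    }
}

# Usage: run on the device that will be authorized by MAC address.
Get-DeviceMacAddress | Format-Table -AutoSize
```

Use -IncludeDisconnected when the device is not yet connected to the UTM network segment, for example when preparing rules for laptops in advance.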