Users
This page lists, in a table, all users that have an account on the UTM; for each user the following information is shown.
Name. The name of the user.
Provider. The provider where this user is located (e.g. Local, LDAP, etc).
Additional Comment. Any remarks or descriptions for this user.
2FA. Status of 2-factor authentication (on/off) for this user.
Actions. The available operation that can be carried out on the account.
Note
Editing an LDAP user only allows the local options to be modified; the username, password and other account data are managed entirely by the LDAP server.
Click on New User above the table to add a new local account. In the form that appears, the following options can be specified for each user.
- Username
The login name of the user.
- Enabled
Checkbox to enable/disable this user account.
Authentication
- Use external password provider
This checkbox is only visible if at least one external authentication server has been configured. Once it is selected, the password input fields below disappear and the user is authenticated against the configured external authentication servers.
- Password, Confirm password
The password for the user, to be entered twice. The passwords are masked while typed; click the eye icon on the right side of the input field to reveal them.
- Email Address
Enter the email address to be used for this user account.
- Additional Comment
An additional comment.
Additional User Info
- Organizational Unit Name
The organisational unit (OU in the certificate) to which the user belongs, i.e., the company, enterprise, or institution department.
- Organization Name
The organisation (O in the certificate) to which the user belongs.
- City
The city (L in the certificate) in which the organisation is located.
- State
The state or province (ST in the certificate) in which the organisation is located.
- Country
The Country (C in the certificate) in which the organisation is located, chosen from those in the selection menu. By typing one or more letters, matching countries are searched for and displayed.
Group Membership
- Edit members
In this part of the panel the user can be made a member of one or more groups. Click Edit members to list the existing groups; the list can be filtered to find matching groups. Membership is added by clicking the + on the right of the group name, after which the action shown for that group changes to Delete. Once groups have been added, the Edit members button label shows the number of selected groups in parentheses.
Enable this user for the following VPN Services:
- Enabled services
By default, a user can use all services, i.e., OpenVPN, XAuth (IPsec), and L2TP. For any new authentication server defined, additional checkboxes appear. Tick or untick a checkbox to enable or disable the corresponding service for the user.
Changed in version 5.1.
- One Time Password secret
This field contains the TOTP secret for the specific user. Because of the constraints on how these secrets are created, they cannot be typed in manually; generate one by clicking the Generate new secret button. A QR code representation of the secret is displayed automatically next to the button.
One-Time Passwords
There are many different one-time password algorithms. UTM systems implement the Time-based One-Time Password (TOTP) algorithm as described in RFC 6238. Since this is an open standard, authenticator applications exist for almost all devices (Android, iOS and Windows smartphones, PCs, etc.). Before a device can be used it must be initialised with the One Time Password secret, either by entering the secret manually or by scanning the QR code. The QR code and the secret are equivalent: anyone who captures either can generate valid codes, so treat both as credentials and do not leave the QR code on screen longer than needed.
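As an added example (not code from the Endian UTM or its documentation), the following Python implements the RFC 6238 TOTP computation over HMAC-SHA1 with the defaults most authenticator apps use (30-second time step, 6 digits), generates a random base32 secret of the kind the UTM shows in the QR code, builds the otpauth:// provisioning URI that such QR codes conventionally encode, and verifies a submitted code with a one-step tolerance window for clock drift. The issuer name, account label and tolerance window are assumptions; the known-answer secret comes from the RFC 6238 Appendix B test vectors, so the results can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

TIME_STEP = 30   # seconds per TOTP step (RFC 6238 default)
DIGITS = 6       # code length used by most authenticator apps

# Secret from RFC 6238 Appendix B ("12345678901234567890" as ASCII), base32-encoded.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Return a fresh random secret, base32-encoded as authenticator apps expect.
    20 bytes (160 bits) matches the HMAC-SHA1 output size recommended by RFC 4226."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore base32 padding
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = TIME_STEP,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    t = int(time.time()) if at is None else at
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps
    (assumed tolerance for clock drift); compare in constant time."""
    t = int(time.time()) if at is None else at
    counter = t // TIME_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + delta), code):
            return True
    return False


def provisioning_uri(secret_b32: str, account: str, issuer: str = "UTM") -> str:
    """Build the otpauth:// URI conventionally embedded in the enrolment QR code.
    Issuer and account label are assumptions for the example."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


if __name__ == "__main__":
    secret = generate_secret()
    print("secret:", secret)
    print("enrol:", provisioning_uri(secret, "alice"))
    print("current code:", totp(secret))
```

Checking `totp(RFC6238_SECRET_B32, at=59)` against the RFC yields the last six digits of the published 8-digit value 94287082, which is how the 6-digit and 8-digit variants relate (the truncated integer is reduced modulo 10^digits).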
Select the OpenVPN User Type
- Remote Access
Select this option to use this account for OpenVPN remote access, i.e., for a user who connects to this appliance from the Connect App (or a standard OpenVPN client) to reach internal network resources.
- Net2Net
Select this option to use this account for a Net2Net OpenVPN connection, which links two Endian gateways so that each can reach the other's internal networks.
- Accessible Remote Networks Through this Connection
When setting up a Net2Net connection, enter the subnets behind the remote gateway that connects to this UTM, so that this UTM knows which routes to add for this specific Net2Net connection.
- Override the global OpenVPN configuration for this user
Tick this checkbox to override the global OpenVPN settings for this account. A panel with the per-user options described below is then revealed.
Override OpenVPN Options
Custom Client Routing
- Direct all client traffic through the VPN (full tunnel)
If this option is checked, all traffic from the connecting client, regardless of destination, is routed through the VPN and out via the uplink of the UTM. By default only the client traffic destined to the internal networks is routed through the VPN (see the next options).
Hint
If this is selected, the routing options below are hidden, since full tunnel mode and selective route pushing cannot be combined.
- Or push the following routes
When full tunnel mode is not used, the GREEN, BLUE, or ORANGE zones can be selected so that routes to them are pushed to the client. Selecting a zone that is not enabled has no effect.
- Push only these networks
If any networks are listed here (one per line, in CIDR notation), only routes to these networks are sent to the client, regardless of the zones selected above.
Push Other Client Settings
- Static IP addresses
By default, clients receive a dynamic IP address; a static IP address entered here is assigned to the client each time it connects.
Note
If the client connects to a multicore VPN server running on the UTM, this assignment will not be taken into account.
- Push these nameservers
Assign custom nameservers on a per-client basis here.
- Push these domains
Assign custom search domains on a per-client basis here.
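To make the per-user options above concrete, here is an added example (not the UTM's own code, whose implementation is not shown on this page) that renders them as the per-client OpenVPN directives a server would hand to a client: `push "redirect-gateway def1"` for full tunnel, `push "route NET MASK"` lines for selected zones or for an explicit network list, `ifconfig-push` for a static address, and `push "dhcp-option DNS|DOMAIN ..."` for nameservers and search domains. It enforces the exclusivity between full tunnel and selective routes, skips zones that are not enabled, and rejects malformed CIDR input. The zone table and the /24 tunnel netmask are assumptions constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed zone table for the example (not read from an appliance):
# only enabled zones are present, so an absent zone is "not enabled".
ENABLED_ZONES: Dict[str, str] = {
    "GREEN": "192.168.1.0/24",
    "BLUE": "192.168.20.0/24",
    "ORANGE": "10.10.10.0/24",
}

# Assumed tunnel netmask for ifconfig-push (subnet topology, /24 tunnel network).
TUNNEL_NETMASK = "255.255.255.0"


def route_line(cidr: str) -> str:
    """Turn one CIDR entry into an OpenVPN route push.
    strict=True makes ipaddress reject host bits set (e.g. 192.168.1.5/24)
    as well as malformed input, so typos never reach the client config."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return f'push "route {net.network_address} {net.netmask}"'


def client_config(
    full_tunnel: bool = False,
    zones: Optional[List[str]] = None,
    only_networks: Optional[List[str]] = None,
    static_ip: Optional[str] = None,
    nameservers: Optional[List[str]] = None,
    domains: Optional[List[str]] = None,
) -> List[str]:
    """Render the per-user override options as client-specific OpenVPN directives."""
    lines: List[str] = []

    if static_ip:
        # Static address assigned on every connect; validated as an IPv4 address.
        lines.append(f"ifconfig-push {ipaddress.IPv4Address(static_ip)} {TUNNEL_NETMASK}")

    if full_tunnel:
        # Full tunnel and selective routes cannot be used simultaneously.
        if zones or only_networks:
            raise ValueError("full tunnel cannot be combined with pushed routes")
        lines.append('push "redirect-gateway def1"')
    elif only_networks:
        # An explicit network list replaces the zone selection entirely.
        lines.extend(route_line(n) for n in only_networks)
    else:
        for zone in zones or []:
            if zone not in ENABLED_ZONES:
                continue  # selecting a zone that is not enabled has no effect
            lines.append(route_line(ENABLED_ZONES[zone]))

    for ns in nameservers or []:
        lines.append(f'push "dhcp-option DNS {ipaddress.IPv4Address(ns)}"')
    for domain in domains or []:
        lines.append(f'push "dhcp-option DOMAIN {domain}"')
    return lines


if __name__ == "__main__":
    print("\n".join(client_config(zones=["GREEN", "ORANGE"], static_ip="10.8.0.50",
                                  nameservers=["192.168.1.1"], domains=["corp.example"])))
```

The directives are standard OpenVPN server-side options; on a real deployment they would live in a client-config-dir file named after the user's certificate common name, which is what lets them apply per account rather than globally.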
Note
When planning to connect two or more branch offices through a Gateway-to-Gateway VPN, it is good practice to choose different subnets for the LANs in the different branches. For example, one branch might have a GREEN zone with the 192.168.1.0/24 subnet while the other branch uses 192.168.2.0/24. This avoids several possible sources of errors and conflicts and brings several advantages: correct routes are assigned automatically without the need for pushing custom routes, no warnings about possibly conflicting routes appear, local name resolution works correctly, and the WAN network setup is easier.