WatchGuard SSL 100 User Guide. WatchGuard SSL Web UI v3.0 WatchGuard SSL 100
Notice to Users

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revision: June 26, 2009

Copyright, Trademark, and Patent Information

Copyright WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners. This product is for indoor use only.

WatchGuard, the WatchGuard logo, LiveSecurity, and any other mark listed as a trademark in the Terms of Use portion of the WatchGuard Web site that is used herein are either registered trademarks or trademarks of WatchGuard Technologies, Inc. and/or its subsidiaries in the United States and/or other countries. All other trademarks are the property of their respective owners.

Microsoft, Internet Explorer, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All rights reserved.

OpenVPN is a trademark of OpenVPN Solutions LLC.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online:

ii WatchGuard SSL 100
Table of Contents

Chapter 1 Getting Started ... 1
  Before you begin ... 1
  Use the Quick Setup Wizard to set up a basic configuration ... 2
  Next steps after installation ... 3
  Get a feature key ... 5
  Restore the factory default settings ... 6
  About the WatchGuard SSL Web UI ... 7
  Customize your Application Portal ... 9
  Customize and brand the WatchGuard SSL Web UI and Application Portal ... 9
  Add the Access Client installer link in the Application Portal
  About WatchGuard LiveSecurity Service
  Support Information

Chapter 2 Monitor System
  About Monitor System
  About the System Status page
  System overview
  Network status
  Authentication status
  Events status
  Device status
  Network tools
  Manage Settings
  View administrator activities
  About user sessions
  Manage search and display settings
  About Alerts
  Add an alert
  Edit and delete alerts
  Manage global alert settings
  Manage Logging
  Manage global logging settings
  Use Log Viewer
  About Reports
  Abolishment report
  Assessment report
  Session Trend report
  Access report
  Authentication report
  Authorization report
  Account Statistics report
  Communication report
  Performance report
  Tunnel report
  System Report
  Alerts report
  Complete report
  Manage report database settings
  About the diagnostics file
  About the feature key
  Upload a new feature key
  Live Update

Chapter 3 User Management
  About User Management
  User accounts
  User groups
  External Directory Service
  Self Service
  About user accounts
  Manually add a user account
  Import user accounts
  Link to a user account
  Repair a linked user account
  Edit user accounts
  Manage Global User Account Settings
  About user groups
  Add a user group
  Search, edit, or delete user groups
  About the External Directory Service
  Add an External Directory Service location
  Edit an External Directory Service Location
  About Self Service
  Manage Self Service Settings
  Modify System Challenges

Chapter 4 Resource Access
  About Resource Access
  Resources
  Client firewall
  Access rules
  Application Portal
  SSO domains
  About Resources
  Manage Standard Resources
  Manage Tunnel Resource Hosts
  Manage Tunnel Sets
  Manage Global Tunnel Set Settings
  Manage Tunnel Resource Networks
  Manage Web Resource Hosts
  Manage Global Resource Settings
  About client firewalls
  Manage Internet Firewall Configurations
  About access rules
  Manage Access Rules
  Manage Global Access Rules
  About the Application Portal
  Manage Application Portal Items
  About SSO domains
  Manage SSO Domains

Chapter 5 Manage System
  About Manage System
  About authentication methods
  About WatchGuard SSL authentication methods
  About other authentication methods
  Add an authentication method
  Manage an Authentication Method
  Manage global authentication service settings
  Manage RADIUS configuration
  About certificates
  Add a Certificate Authority
  Add a server certificate
  Edit or delete a Server Certificate
  Manage client certificate settings
  About Abolishment
  Configure General Settings
  Configure Cache Cleaner settings
  Configure Advanced settings
  About Assessment
  General Settings
  Advanced Settings
  About notification settings
  Configure the notification channel
  Configure the SMS notification channel
  Add or remove SMS plug-ins
  Manage Client Definitions
  Add a client definition
  Edit or delete a client definition
  About delegated management
  About administrative privileges
  Manage administrative roles
  About the Administration Service
  Manage Global Service Settings
  Restart the Administration service
  Manage Device settings
  General settings for the application portal
  Performance settings
  Cipher Suite settings
  Advanced settings
  Update the Device
  Update the OS
  Configure the system time and set the time zone
  Restore factory default settings
  Reinitialize the Local User Database
  Reboot the device
  Network Configuration
  Configure network routes
  Restore a saved configuration
  Manage saved configuration settings
  Import or export the configuration

Chapter 6 Access Client
  About the Access Client
  Launch the Access Client
  About the Access Client menu
  Edit Access Client preferences
  Manage Access Client favorites
  Check Access Client status
  End your SSL VPN session
  Install the Access Client
  Use ESSP to link directly to a resource
Chapter 1 Getting Started

Before you begin

Before you install your WatchGuard SSL device, make sure you verify the basic components and get a feature key, as described in the subsequent sections.

Verify basic components

Make sure that you have these items:
- A computer with a 10/100BaseT Ethernet network interface card and a web browser installed
- WatchGuard SSL 100 device
- Ethernet cable
- Power cable

Get a WatchGuard device feature key

To enable all of the features on your WatchGuard SSL device, you must activate the device on the WatchGuard LiveSecurity web site and retrieve your feature key file. You can upload your feature key in the Quick Setup Wizard if you register your device before you start the wizard. Or, you can complete the wizard without a feature key. The SSL device only allows one authenticated user until you upload a feature key to the device. For instructions, see Get a feature key on page 5.
Use the Quick Setup Wizard to set up a basic configuration

The Quick Setup Wizard helps you set up a basic network configuration for your WatchGuard SSL 100. Use the Quick Setup Wizard to set up the device for the first time, or after you reset the device to factory default settings.

Before you start the Quick Setup Wizard, make sure you:
- Register your WatchGuard SSL 100 with LiveSecurity Service
- Save a copy of your feature key file from the LiveSecurity web site to your computer and extract the feature key from the compressed file

For more information, see Getting Started on page 1.

Run the Quick Setup Wizard

1. Make sure your computer is configured to use a static IP address on the same /24 network as the default IP address of the WatchGuard SSL 100. Do not use the default IP address of the device on your own computer.
2. Connect the Ethernet interface on your computer to Eth1 on the WatchGuard SSL device.
3. Plug the power cord into the WatchGuard device power input and into a power source.
4. Power on the WatchGuard SSL device.
5. Open a web browser and type the address of the device. The Quick Setup Wizard begins. Because the WatchGuard SSL 100 uses a self-signed certificate, you may see a certificate warning in your browser. It is safe to ignore the warning (Internet Explorer) or add a certificate exception (Mozilla Firefox).
6. Upload your feature key file, if you have it. If you do not upload a feature key file, only one authenticated user can get access to the device. If you do not have a feature key, you can continue with the wizard, and then upload a feature key from the Web UI after you finish the wizard.
7. Set the time zone and system time settings.
8. Create the Super Administrator credentials. These credentials do not have to correspond to an existing user in a directory service. The Super Administrator password must meet these password policy requirements:
   - The password must be at least six characters long
   - The password must include characters from at least three of the following four categories:
     o English uppercase characters (from A through Z)
     o English lowercase characters (from a through z)
     o Base-10 digits (from 0 through 9)
     o Non-alphanumeric characters (for example: !, $, #, or %)
9. Select the network configuration mode. The choices are:
   - Single Interface mode (default): Select this mode if you want to connect the WatchGuard SSL device to one network DMZ. In single interface mode, only the Eth0 interface is active.
   - Dual Interface mode: Select this mode if you want to connect the WatchGuard SSL device to two separate networks (for example, two different DMZ networks). In dual interface mode, both the Eth0 and Eth1 interfaces are active.
10. Type the network address information for each interface you enabled.

After you complete the wizard, the device restarts with the settings you configured.

Connect the WatchGuard SSL device to your network

After you complete the Quick Setup Wizard, connect the WatchGuard SSL device to your network.
1. Connect the WatchGuard SSL device to your network. If you selected single interface mode, connect the WatchGuard SSL 100 to your network with Eth0. If you selected dual interface mode, connect the WatchGuard SSL 100 to your network with both Eth0 and Eth1.
2. Reset the IP address on your computer back to its original IP address and connect your computer to the network.

You can now use the WatchGuard SSL Web UI to continue configuration, management, and monitoring tasks. For more information, see Next steps after installation on page 3.

Next steps after installation

After you complete basic configuration, you can use the WatchGuard SSL Web UI to continue configuration, management, and monitoring tasks. Before you get started, make sure that you have:
- Connected the WatchGuard SSL device to your network
- Connected your computer to the network
- Reset the IP address of your computer

Connect to the WatchGuard SSL Web UI

The interface that you use to connect to the WatchGuard SSL Web UI is different for each network type. The WatchGuard SSL Web UI uses port 8443 by default for both network types.

If you configured your device in single interface mode, you must connect to the Eth0 interface for management.
1. Connect your computer to the Eth0 network.
2. In a web browser, type the IP address of the Eth0 interface followed by the management port (8443 by default).
3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.

If you configured your device in dual interface mode, you must connect to the Eth1 interface for management.
1. Connect your computer to the Eth1 network.
2. In a web browser, type the IP address of the Eth1 interface followed by the management port (8443 by default).
3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.
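The Super Administrator password policy from step 8 of the Quick Setup Wizard, as a check that can be run on a candidate password before the credentials are created. This is an added example, not part of the WatchGuard guide or product; it reads the policy literally, so only A through Z and a through z count for the two letter categories and every other character counts as non-alphanumeric.

```python
import string

# The two rules stated in the Quick Setup Wizard for the Super Administrator password.
MIN_LENGTH = 6
MIN_CATEGORIES = 3

UPPER = frozenset(string.ascii_uppercase)   # English uppercase A through Z
LOWER = frozenset(string.ascii_lowercase)   # English lowercase a through z
DIGITS = frozenset(string.digits)           # base-10 digits 0 through 9


def password_categories(password: str) -> set:
    """Return which of the four policy categories the password draws from.

    Anything that is not an ASCII letter or digit is counted as
    'non-alphanumeric', which is how the guide's fourth category reads.
    """
    found = set()
    for ch in password:
        if ch in UPPER:
            found.add("uppercase")
        elif ch in LOWER:
            found.add("lowercase")
        elif ch in DIGITS:
            found.add("digit")
        else:
            found.add("non-alphanumeric")
    return found


def check_super_admin_password(password: str) -> tuple:
    """Evaluate a candidate password against the policy.

    Returns (accepted, reasons); reasons is empty when the password is accepted.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("must be at least %d characters long" % MIN_LENGTH)
    categories = password_categories(password)
    if len(categories) < MIN_CATEGORIES:
        reasons.append(
            "uses %d of 4 character categories (%s); at least %d are required"
            % (len(categories), ", ".join(sorted(categories)), MIN_CATEGORIES)
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed candidates, not credentials from the guide.
    for candidate in ("Abc123", "abc123", "Ab1!", "Guard#2009"):
        accepted, reasons = check_super_admin_password(candidate)
        print(candidate, "accepted" if accepted else "rejected: " + "; ".join(reasons))
```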
Upload the feature key file

If you did not upload your feature key file when you ran the Quick Setup Wizard, we recommend that you upload it now.
1. Get your feature key file from LiveSecurity. For instructions, see Get a feature key on page 5.
2. In the WatchGuard SSL Web UI, select Monitor System > Feature Key to upload the feature key file to the device. For more information, see Upload a new feature key on page 66.

Download and install the latest software

A newer version of operating system software for your WatchGuard SSL 100 could be available. To update your software:
1. Go to the Software Downloads section of the WatchGuard web site.
2. Find and download the latest version of WatchGuard SSL OS.
3. From the Web UI, go to Manage System > Device Update.
Get a feature key

A feature key is a file that enables licensed features on your WatchGuard SSL device. You must get a feature key when you first install the device, and when you renew the LiveSecurity service.

To activate your device and get the device feature key:
1. Open a web browser and go to the LiveSecurity web site. If you have not already logged in to LiveSecurity, the LiveSecurity Log In page appears. If you are new to WatchGuard, follow the instructions to create a LiveSecurity profile.
2. Type your LiveSecurity user name and password. The Activate Products page appears.
3. Type the serial number of the device, including the hyphens.
4. Follow the instructions to register your device.
5. Save the feature key file to a location on your computer and extract the feature key from the compressed file.

After you download the feature key, you can use the Quick Setup Wizard or the Web UI to browse to the location of the feature key on your computer and upload it to the WatchGuard SSL device. For more information, see:
- Use the Quick Setup Wizard to set up a basic configuration on page 2
- Upload a new feature key on page 66
Restore the factory default settings

There are two ways to reset your WatchGuard SSL device to the factory default settings:

Use the WatchGuard SSL Web UI
If you can log in to the WatchGuard SSL Web UI, you can restore the device to factory default settings from the Web UI. This is the easiest method to restore the factory default settings. For more information, see Restore factory default settings on page 218.

Use recovery mode
If you cannot log in to the WatchGuard SSL Web UI, you can start the device in recovery mode. When the device is in recovery mode, you can reinstall the software image and restart the device with factory default settings.

Before you begin

Before you start the recovery process, you must download and save a copy of the WatchGuard SSL OS on your computer. The file has an extension of .sysa-dl. You can download the file from the Software Downloads section of the WatchGuard web site.

Start the WatchGuard SSL device in recovery mode

1. Turn the WatchGuard SSL power off.
2. Press and hold the up arrow button on the front panel while you turn the power on.
3. Continue to hold the up arrow button until you see the words "Executing SysB" on the LCD display.
4. When you see the words "Recovery Mode Ready" on the LCD display, the device is in recovery mode.

In recovery mode, the Eth1 address of the device is set to a fixed recovery address.

Upload a new software image

You must use a command line FTP program to upload the WatchGuard SSL OS software image. Many common FTP commands are disabled on the WatchGuard SSL device for security reasons. For example, you cannot change directories (cd) or show the remote working directory (pwd). Other FTP programs rely on these commands to show you a list of files in the remote directory, and do not operate correctly when these commands are disabled.

Use these steps to upload a new software image to your WatchGuard SSL device.
1. Connect an Ethernet network cable between your computer and the Eth1 interface on the WatchGuard SSL device.
2. Change the IP address of your computer to an address on the same network as the recovery address of the device.
3. Open the command line interface of your computer. For example, select All Programs > Accessories > Command Prompt from the Windows Start Menu if you use Windows XP.
4. Change your working directory to the location where you saved the .sysa-dl file.
5. At the command prompt, type ftp followed by the recovery address of the device to connect to your WatchGuard SSL.
6. When requested, type admin for both the user and the password.
7. Type bin to change the transfer type to binary mode.
8. Type put <filename>. Use the filename of the .sysa-dl file you downloaded from the WatchGuard Software Downloads page. The upload process can take several minutes to complete. Do not close the window or type more commands until another command prompt appears.
9. Type quit to close the FTP connection. Exit the command line interface program.
After the software image upload completes, the WatchGuard SSL device installs the software and resets the configuration to the default settings. When the reset process completes, the device automatically restarts. The installation and reset process can take up to 10 minutes. Do not turn off the device during this process.

Next Steps

After you restore the software image and the device restarts with factory default settings, you can use the Quick Setup Wizard to set up your configuration again. After the reboot, the IP address of the Eth1 interface changes to the factory default address. You must change the IP address on your computer before you launch the Quick Setup Wizard. For more information, see Use the Quick Setup Wizard to set up a basic configuration on page 2.

About the WatchGuard SSL Web UI

The WatchGuard SSL Web UI is a web-based administration application with a task-oriented approach. You can use the Web UI to monitor your WatchGuard SSL system, add user accounts, manage resource access, and manage your system settings.

The WatchGuard SSL Web UI has two levels of menus:
- Main menu: Includes the Monitor System, User Management, Resource Access, and Manage System sections.
- Left menu: Includes options to manage your configuration in the sections of the main menu.

Context-sensitive online help is integrated with the WatchGuard SSL Web UI. Click the question mark icon on any page to get help for that task.

WatchGuard SSL Web UI Wizards

All common tasks use wizards to guide you through the steps to complete your task. This includes procedures to add user accounts, resources, and many others.
- To start a wizard, click an Add button.
- To cancel a wizard at any time, select a different menu item or close your browser window or tab.
- To return to the previous page in a wizard, click Previous.
- To save your changes, click Finish Wizard or Save.

Publish your configuration

After you add or edit a setting in your configuration, you must save the changes to the WatchGuard SSL device and services before they can take effect. The Publish button changes from white to blue when you make changes that must be saved.

To save your configuration changes to the system, click Publish at the top of the Web UI.

You can later review or restore a configuration. For more information about configurations, see Restore a saved configuration on page 222.

System Messages

When you use a wizard or make a change to your configuration, feedback messages appear in the WatchGuard SSL Web UI at the top of the current page. If the message text is red, you have made an error in your configuration selection. If the message text is green, your configuration change was successful.

Use the File Browser

You can use the WatchGuard SSL Web UI file browser to find files on your WatchGuard SSL device. This is helpful when you want to find a file name or path to include in your settings, for example with a script.

To use the file browser:
1. At the top of the Web UI, click Browse. The file browser opens in a separate window or tab.
2. Select a folder from the navigation tree on the left.
3. To change a current file, select a file to edit, download, delete, or rename.
   - To edit the file, click the edit icon. Make changes to the file contents, then click Save.
   - To download the file, click the download icon. Select to Open or Save the file.
   - To delete the file, click the delete icon. In the Warning dialog box, click OK.
   - To rename the file, click the rename icon. In the Rename File field, type a new name. Click Rename.
4. To upload a new file, adjacent to the Upload File field, click Browse and select a file. Click Upload.
Customize your Application Portal

You can customize your WatchGuard SSL Web UI and WatchGuard SSL Application Portal with your corporate brand. You can also add a link to the Access Client installer in your Application Portal. For more information, see:
- Customize and brand the WatchGuard SSL Web UI and Application Portal on page 9
- Add the Access Client installer link in the Application Portal on page 19

Customize and brand the WatchGuard SSL Web UI and Application Portal

You can customize and apply your own corporate brand to the WatchGuard SSL Web UI and Application Portal to fit the needs of your organization. You can apply your corporate brand to these parts of the WatchGuard SSL Web UI:
- WatchGuard SSL Web UI
- WatchGuard SSL Application Portal Authentication page
- WatchGuard SSL Application Portal page
- WatchGuard SSL Application Portal Online Help

To apply your own corporate brand, you do not edit the original WatchGuard SSL Web UI files. Instead, you add a new set of files, with the same names as the files in the original location, to a folder specifically created for the branded files. The files in this custom folder override the files in the original location. After you finish all your changes, make sure you publish your changes.

Do not change the files in the access-point\built-in-files\ directory. Upload updated versions of these files to the access-point\custom-files\ directory instead.

Apply your brand to text files

1. At the top of the WatchGuard SSL Web UI, click Browse. The File Browser appears.
2. Select the access-point\built-in-files\wwwroot\branding\ folder.
3. Save the files you want to change to a location on your computer.
4. Update the saved files with your branding changes.
5. In the File Browser, select the access-point\custom-files\wwwroot\branding\ folder.
6. Upload your customized files.

For information about the specific files you can change, see WatchGuard SSL files to customize and brand on page 11.

Apply your brand to images, style sheets, and templates

You can customize images, style sheets, and template files. The template files specify the text used on the Application Portal Authentication page. The heading of each Authentication page is defined by the display name that you give the authentication method. Current image files are found in the access-point\built-in-files\wwwroot\wa\img folder. All other files are found in the folders in the access-point\built-in-files\wwwroot\wa directory.

To apply your corporate brand to files:
1. Select the access-point\built-in-files\wwwroot\wa\ directory.
2. Select the folder in the directory with the files you want to change.
3. Save the files you want to change to a location on your computer.
4. Update the saved files with your branding changes.
5. In the File Browser, select the access-point\custom-files\wwwroot\wa\ directory.
6. Select the folder with the same name as the one from which you downloaded the files in the built-in-files directory.
7. Upload your customized files.

Upload all branded files at one time

If you branded many files, you can upload them all at one time in a ZIP file rather than one at a time. Make sure that the files you updated are in the correct folder that matches the original directory structure.
1. Download the files you want to change from the access-point\built-in-files\wwwroot directory.
2. Update the files and add them to a ZIP file with the correct directory structure.
3. In the File Browser, select the access-point\custom-files\wwwroot folder.
4. Click Browse and select the ZIP file.
5. Click Upload. The file is automatically unzipped and the files are added to the directory structure from the ZIP file.

Publish your changes

When you have uploaded all the changed files, you must publish your changes before they appear in the Web UI and Application Portal.
1. Connect to the WatchGuard SSL Web UI. If you made changes, the Publish button is blue.
2. Click Publish. Your branding changes appear in the Web UI and Application Portal.
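The override mechanism and the ZIP upload described above, as a check an administrator can run on the archive before uploading it. This is an added example, not part of the WatchGuard guide or product: it confirms that every archive member would land under custom-files\wwwroot, tells you which members actually shadow a built-in file (a custom file with no same-named built-in counterpart changes nothing), and mirrors the custom-over-built-in lookup order. The built-in file list is a constructed subset of the files this guide names under WatchGuard SSL files to customize and brand.

```python
import io
import zipfile
from typing import Dict, List, Optional, Set

# Built-in files named in this guide (constructed subset), stored under
# access-point\built-in-files\wwwroot\ and written here with forward slashes.
# A customized file only takes effect when a file of the same name sits at the
# same relative path under access-point\custom-files\wwwroot\.
BUILT_IN_FILES: Set[str] = {
    "branding/company.txt",
    "branding/copyright.txt",
    "branding/portal.txt",
    "wa/access_portal.css",
    "wa/common.css",
    "wa/img/logo.gif",
    "wa/img/background_img.gif",
    "wa/help/default.css",
    "wa/help/access_portal_help.html",
}

CUSTOM_ROOT = "access-point\\custom-files\\wwwroot\\"
BUILT_IN_ROOT = "access-point\\built-in-files\\wwwroot\\"


def normalize_entry(name: str) -> Optional[str]:
    """Map an archive member name to its path relative to wwwroot, or None if unusable.

    The device unpacks the ZIP straight into custom-files\\wwwroot, so a member must be
    a plain relative path: no absolute path, no drive letter, no '..' component. An
    archive zipped with a top-level wwwroot folder is accepted as well.
    """
    path = name.replace("\\", "/")
    if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
        return None
    parts = [p for p in path.split("/") if p not in ("", ".")]
    if ".." in parts:
        return None
    if parts and parts[0] == "wwwroot":
        parts = parts[1:]
    return "/".join(parts)


def check_branding_zip(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Classify each file in the archive before it is uploaded.

    override: shadows a built-in file and will change the portal or Web UI.
    orphan:   has no built-in counterpart, so it will never be served.
    rejected: would land outside custom-files\\wwwroot.
    """
    report: Dict[str, List[str]] = {"override": [], "orphan": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            rel = normalize_entry(info.filename)
            if rel is None:
                report["rejected"].append(info.filename)
            elif rel in BUILT_IN_FILES:
                report["override"].append(rel)
            else:
                report["orphan"].append(rel)
    return report


def resolve(rel: str, custom_files: Set[str]) -> Optional[str]:
    """Mirror the lookup order the guide describes: custom-files wins over built-in-files."""
    device_path = rel.replace("/", "\\")
    if rel in custom_files:
        return CUSTOM_ROOT + device_path
    if rel in BUILT_IN_FILES:
        return BUILT_IN_ROOT + device_path
    return None


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed helper: build an archive in memory from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_zip({
        "wa/img/logo.gif": b"GIF89a",                 # replaces the portal logotype
        "wwwroot/wa/help/default.css": b"body{}",     # zipped with a wwwroot top folder
        "wa/img/logo_new.gif": b"GIF89a",             # nothing to shadow: never served
        "../outside.txt": b"",                        # would escape custom-files\wwwroot
    })
    print(check_branding_zip(sample))
    print(resolve("wa/img/logo.gif", {"wa/img/logo.gif"}))
```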
WatchGuard SSL files to customize and brand

You can copy these files and upload updated versions of them to customize and apply your own corporate brand to the WatchGuard SSL Web UI and Application Portal. Do not change the files in the access-point\built-in-files\ directory. Upload updated versions of these files to the access-point\custom-files\ directory instead.

Text String Files

These files are in the access-point\built-in-files\wwwroot\branding folder:
- authad.txt: This file contains the heading for the Active Directory authentication page. This text appears on every Active Directory template. Other authentication methods do not need a branding text file.
- authselect.txt: This file contains the heading for the Select Authentication Method page.
- authweb.txt: This file contains the name of the WatchGuard SSL Web UI that appears in the JavaScript dialog boxes to accept the ActiveX or Java Applet loader.
- company.txt: This file contains the name of the company that appears in the application portal.
- company_about_url.txt: This file contains the URL for information about the company.
- company_contact_url.txt: This file contains the URL for company contact information.
- copyright.txt: This file contains the company copyright notice.
- portal.txt: This file contains the name of the Application Portal that appears on the Application Portal Help page.
- product.txt: This file contains the name of the product that appears in the title of each page.
- tunnel.txt: This file contains the name of the Access Client that appears in the JavaScript dialog boxes to accept the ActiveX or Java Applet loader.

Authentication page style sheets, images, and template files

The template files specify the text used on the Application Portal Authentication pages. The heading on each Authentication page is defined by the display name that you give the authentication method in the WatchGuard SSL Web UI. The existing files are in the folders in the access-point\built-in-files\wwwroot\wa\ directory.
Make sure you upload your changed files to the folder in the custom-files directory with the same name as the folder you downloaded them from in the built-in-files directory.

To customize | Change | File name
The WatchGuard SSL Web UI | The current skin | WebSkin.zip
Graphics on logon pages | The background image | background_img.gif
Colors and fonts on authentication pages | The style sheet for authentication pages | common.css
Text strings or buttons on authentication pages | The individual template files | See the Template files section
Application Portal logotype | The logotype | logo.gif
Application Portal resource icons | The images | [symbol_color].gif
Colors and fonts in the Application Portal | The Application Portal style sheet | access_portal.css
Colors and fonts in the Application Portal Online Help | The Application Portal Online Help style sheet | default.css
Contents in the Application Portal Online Help | The Online Help HTML page | access_portal_help.html

Application Portal style sheets, images, and template files

You can customize the style sheets (.css files), images, and template files used in the Application Portal and associated authentication pages. These files are located in these folders:
- access-point\built-in-files\wwwroot\wa\
- access-point\built-in-files\wwwroot\wa\authmech
- access-point\built-in-files\wwwroot\wa\authmech\base
- access-point\built-in-files\wwwroot\wa\img
- access-point\built-in-files\wwwroot\wa\help

Style sheets

You can customize style sheets to change the colors and fonts for the Application Portal, the Application Portal authentication pages, and the Application Portal Online Help.

Directory Location | File Name | Description
\built-in-files\wwwroot\wa | access_portal.css | Controls colors, fonts, and the location and size of different page objects (for example, the logotype) in the WatchGuard SSL Application Portal (_menu.html\wml and _welcome.html\wml)
\built-in-files\wwwroot\wa | common.css | Controls colors and fonts in the Application Portal authentication pages
\built-in-files\wwwroot\wa\help | default.css | Controls colors and fonts in the Application Portal Online Help
Images

You can replace or edit images to customize the WatchGuard SSL Web UI skin, the logotype or icons in the Application Portal, or graphics for the authentication pages. Images are GIF or JPEG format. The down.jpg and up.jpg web images can be in JPEG or GIF format. The mask.gif image must be in GIF format (indexed palette). All three files must have the same dimensions in pixels.

Directory Location | File Name | Description
\built-in-files\wwwroot\wa\img | background_img.gif | Background image for authentication pages
\built-in-files\wwwroot\wa\img | logo.gif | Logotype
\built-in-files\wwwroot\wa\img\icons | (Example) _orange.gif | Icons for resources (applications) in the Application Portal
\built-in-files\wwwroot\wa\authmech\webskin.zip | mask.gif | The mask that controls the placement of buttons and labels in the WatchGuard SSL Web UI
\built-in-files\wwwroot\wa\authmech\webskin.zip | down.jpg | WatchGuard SSL Web UI skin without background; buttons appear as selected
\built-in-files\wwwroot\wa\authmech\webskin.zip | up.jpg | WatchGuard SSL Web UI skin with background; buttons appear as not selected

Template files

You can edit template files to customize text strings and buttons on individual authentication pages. The templates are available as HTML and WML files. Web authentication pages are HTML files and WAP authentication pages are WML files. All template files for the WatchGuard SSL Application Portal and associated authentication pages are located in these folders:
- access-point\built-in-files\wwwroot\wa\
- access-point\built-in-files\wwwroot\wa\authmech
- access-point\built-in-files\wwwroot\wa\authmech\base
20 Getting Started A list of some of the template files (with the folder location, description, and user variables) appears in the subsequent table. Folder Name File Name Description User variables access-point\built-infiles\wwwroot\wa _auto_reauthmessag e _chooseauthmech _closedown_messag e _deletelogoncred The page that appears when a user logs off and must authenticate again. The page that appears when a user must select an authentication method. The page that appears when a user session times out. The page that appears when the password database has been cleared. _error The error message users see. errmsg _InternalAuthenticati on _logoutpage _menu _no_session _popup_msg _reauthmessage _refresh_top _securitywarning _TimedoutPage _webclient.html _webclientjavaobj.ht ml _webclientobj.html Internal Authentication form. The page that appears when a user logs off. The template for the WatchGuard SSL Application Portal page. This is the menu page that is called from the welcome.html file. The page that appears when a session times out. The popup message that appears to users. The timeout message that appears to users. The page that appears when a user must refresh the browser. The page that appears for security warnings. The page that appears when a user is temporarily locked until a specific timeout occurs (SecurID only). The page that appears when the user selects a tunnel set in the Application Portal. Contains the Access Client Java applet. Contains the Access Client ActiveX. name displayname ihost iuid idom location errmsg errmsg auth_timeout 14 WatchGuard SSL 100
21 Getting Started Folder Name File Name Description User variables _welcome The page that appears when a user authenticates successfully. 302 A redirect page that appears when a page has moved. 302_top A redirect page that appears when a page has moved. 400 The page that appears after a bad request. 401E The page that appears after an external authentication failure because of incorrect credentials, when the selected authentication method is Basic Authentication. 401I The page that appears after an internal authentication failure because of incorrect credentials, when the selected authentication method is Basic Authentication. 401WIL The page that appears when a user fails to authenticate with a Windows Integrated Login. 403 The page that appears when a client requests a forbidden resource. 404 The page that appears when a requested file is not on the device. 405 The page that appears when client request uses a prohibited HTTP method. 500 The page that appears when a server error occurs. pocketclient Starts the Access Client for Pocket PC installation. location location authmech location eprot ehost uri eprot ehost file eprot ehost uri method allow errmsg User Guide 15
File name            Description
TestLogonLoginPage   The Authentication page that appears for TestLogon, for example when a user requests a URL that ends in /wa/auth?authmech=TestLogon.

Folder: access-point\built-in-files\wwwroot\wa\authmech\base

File name     Description
GenericForm   The template for authentication forms used with GenericForm template specifications. The user variables in the template specifications manage the appearance of the authentication page. User variables: heading, errmsg, explanation, message, authmech, texttext, textname, textvalue, readonlytext, readonlyname, readonlyvalue, passwordtext, passwordname, checkboxtext, checkboxname, checkboxvalue
Dialog        The template used with Dialog template specifications. User variables: heading, errmsg, explanation, message, authmech, buttontext, hiddenname, hiddenvalue
Applet        The template used with Applet template specifications. Only used by the WatchGuard SSL Web UI. User variables: heading, errmsg, explanation, message, authmech, buttontext, hiddenname, hiddenvalue, username, vendorbase64, arg1, arg2
Apply your corporate brand to the WatchGuard SSL Web UI
The parameters required by the WatchGuard SSL Web UI are defined in the access-point\built-in-files\wwwroot\wa\authmech\base\web.js file. Their values are all set in JavaScript from values supplied by the server.

Parameter name   Function
UserName         User ID of the user who requested to authenticate
Config           Configuration parameters
Challenge        Challenge from WatchGuard SSL
Modulus          Encryption modulus
PostURL          URL where the results are posted

User variables
When an HTML or WML page appears, user variables in the template file are replaced with the related content. The content that each user variable is replaced with is described in the subsequent table.

User variable    Description
allow            A comma-separated list of allowed HTTP methods for the current host and URI.
auth_timeout     The number of seconds that remain in the period of time a user is locked out and cannot authenticate to the WatchGuard SSL device (used with SecurID authentication).
authmech         The authentication method for an authenticated user.
authmech         The variable used in the template specification for the authentication method.
authtimeout      The number of seconds that remain before an authenticated user is logged off. Used in the timeout warning page.
do               The template specification parameter for the input data.
ehost            The external host name, such as the HTTP Host in the client request to the WatchGuard SSL device. This is a general variable that can be used in all templates.
eprot            The external protocol, such as the protocol between the client and the WatchGuard SSL device (HTTP or HTTPS). This is a general variable that can be used in all templates.
errmsg           The error message from the WatchGuard SSL device.
explanation      The explanatory text in a template specification.
final_timeout    The number of minutes that remain before the maximum lifetime of the current session is reached and the session ends.
heading          The main heading text in a template specification.
idom             A variable for the internal domain.
ihost            The internal host (alias) by which the user is currently connected. This is not necessarily the same as the HTTP "Host" header in the WatchGuard SSL device request to the internal host.
input-heading    The heading text for an input field in a template specification.
iprot            The internal protocol by which the user is currently connected: HTTP or HTTPS.
iuid             The internal UserID (uid filtered through NameMapper.wascr). This is a general variable that can be used in all templates.
User variable       Description
iuri                The internal URI, requested from the WatchGuard SSL device by the host.
location            A URI or a URL that specifies where users are redirected when they authenticate.
maxsessiontimeout   The maximum number of minutes for a user session. You specify this value when you set up your configuration.
message             An authentication message from the WatchGuard SSL device.
method              The HTTP method in a GET request.
ntdomain            The NT domain name.
pin                 The PIN for authentication.
protocol            The URL parameter used for the Access Client that describes the protocol that the tunnel uses: EESSP or SSL.
reauth_uid          The User ID for RADIUS pages.
redirect            The URL parameter for the Access Client.
replymsg            A variable in RADIUS pages.
servernumber        The authentication challenge number from the WatchGuard SSL device.
title               A variable in a template specification.
tunnelcipheriv      The Base64 encoded cipher IV parameter that the system generates dynamically.
tunnelcipherkey     The Base64 encoded cipher key parameter that the system generates dynamically.
upd                 The value of the UPD cookie used for session handling in a load-balanced environment that the system generates dynamically.
uid                 The UserID for an authenticated user. This is a general variable that can be used in all templates.
uri                 The URI request sent from the client to the WatchGuard SSL device.
waak                A parameter configured in the Web UI that is used in session handling.
warningtimeout      The number of seconds that remain before a warning message or another authentication page appears.
wasid               The user WASID parameter that is configured in the Web UI to manage sessions.
Add the Access Client installer link in the Application Portal
To give your users the installed Access Client, you can add the Access Client installer to the WatchGuard SSL device, and then edit the Application Portal page to add a link to the installer.
1. Save the AccessClientInstall.exe file to a location on your computer.
2. In the WatchGuard SSL Web UI, click Browse. The File Browser appears.
3. In the File Browser, select the access-point\built-in-files\wwwroot\wa\includes folder.
4. In the Upload File text box, type or browse to the location of the AccessClientInstall.exe file.
5. Click Upload.
6. Adjacent to the portaltext.txt file, click the edit icon. The Edit File page appears.
7. Type or paste this text in the file where you want the link to appear. The file name in the link must match the name of the uploaded file exactly, including case:
To install the Access Client on your Windows computer, click here: <a href="/wa/includes/AccessClientInstall.exe">WatchGuard SSL Client</a>
8. Click Save.
9. Click Publish to save your configuration changes.
About WatchGuard LiveSecurity Service
WatchGuard knows just how important support is when you must secure your network with limited resources. Our customers require greater knowledge and assistance in a world where secure access is critical. LiveSecurity Service gives you the backup you need, with a subscription that supports you as soon as you register your WatchGuard SSL device.
LiveSecurity Service
Your WatchGuard SSL device includes a subscription to our ground-breaking LiveSecurity Service, which you activate online when you register your product. As soon as you activate, your LiveSecurity Service subscription gives you access to a support and maintenance program unmatched in the industry. LiveSecurity Service comes with the following benefits:
Hardware Warranty with Advance Hardware Replacement
An active LiveSecurity subscription extends the one-year hardware warranty that is included with each WatchGuard SSL device. Your subscription also provides advance hardware replacement to minimize downtime in case of a hardware failure. If you have a hardware failure, WatchGuard will ship a replacement unit to you before you have to ship back the original hardware.
Software Updates
Your LiveSecurity Service subscription gives you access to updates to current software and functional enhancements for your WatchGuard products.
Technical Support
When you need assistance, our expert teams are ready to help.
Representatives available 12 hours a day, 5 days a week in your local time zone*
Four-hour targeted maximum initial response time
Access to online user forums moderated by senior support engineers
Support Resources and Alerts
Your LiveSecurity Service subscription gives you access to a variety of professionally produced instructional videos, interactive online training courses, and online tools specifically designed to answer questions you may have about network security in general or the technical aspects of installation, configuration, and maintenance of your WatchGuard products.
Our Rapid Response Team, a dedicated group of network security experts, monitors the Internet to identify emerging threats. They then deliver LiveSecurity Broadcasts to tell you specifically what you can do to address each new menace. You can customize your alert preferences to fine-tune the kind of advice and alerts the LiveSecurity Service sends you.
LiveSecurity Service Gold
LiveSecurity Service Gold is available for companies that require 24-hour availability. This premium support service gives expanded hours of coverage and faster response times for around-the-clock remote support assistance. LiveSecurity Service Gold is required on each unit in your organization for full coverage.

Service Features                                      LiveSecurity Service              LiveSecurity Service Gold
Technical Support hours                               6AM to 6PM, Monday to Friday*     24/7
Number of support incidents (online or by phone)      5 per year                        Unlimited
Targeted initial response time                        4 hours                           1 hour
Interactive support forum                             Yes                               Yes
Software updates                                      Yes                               Yes
Online self-help and training tools                   Yes                               Yes
LiveSecurity broadcasts                               Yes                               Yes
Installation Assistance                               Optional                          Optional
Three-incident support package                        Optional                          N/A
One-hour, single incident priority response upgrade   Optional                          N/A
Single incident after-hours upgrade                   Optional                          N/A

* In the Asia Pacific region, standard support hours are 9AM to 9PM, Monday to Friday (GMT +8).

Service expiration
We recommend that you keep your subscription active to secure your organization. When your LiveSecurity subscription expires, you lose access to up-to-the-minute security warnings and regular software updates, which can put your network at risk. Damage to your network is much more expensive than a LiveSecurity Service subscription renewal. If you renew within 30 days, there is no reinstatement fee.
Support Information
WatchGuard offers a variety of technical support services for your purchased products and services. For more information, see the WatchGuard support web site.
Online Resources
Product documentation
Knowledge Base
Training and courseware
WatchGuard Forum
Telephone Numbers
US & Canada
International
Before you call
When you create an incident, make sure you include all information required. Ask yourself the following questions to help you find what you must include:
1. What are you trying to do?
2. Were you able to perform this action previously without problems?
3. What behavior do you see?
4. What behavior would you expect to see if the problem was not occurring?
5. How often do the symptoms occur?
6. What troubleshooting steps, if any, have you taken?
Relevant information
When you contact technical support, you are often asked for basic information about your WatchGuard SSL device and LiveSecurity account. It is helpful to save this information when you create your configuration in case your device does not operate correctly. If possible, include the following additional items when you call so that your technician can promptly resolve your issue:
Logs
Log messages are important. If you have access to the Log Viewer at the time of the error, include a snippet of the logs.
Network diagrams
Not all problems start from one device. Sometimes, a problem that appears to be related to the SSL device is actually caused by something else in the network. A diagram of your network is a valuable resource; we recommend that you make one and keep it updated.
Chapter 2 Monitor System
About Monitor System
You can use the WatchGuard SSL Web UI to see information about system status, user sessions, log files, reports, licenses, and alerts.
1. Connect to the WatchGuard SSL Web UI.
2. Select Monitor System.
The Monitor System menu includes:
System Status
You can see status information about your device, including the system, network, authentication, events, and devices. You can also manage monitoring settings and monitor administrator activities. For more information, see About the System Status page on page 25.
User Sessions
You can see a list of the current user sessions, and you can search sessions by User ID. For more information, see About user sessions on page 36.
Alerts
You can manage administrator alerts. For more information, see About Alerts on page 39.
Logging
You can manage logging settings for all registered servers. For more information, see Manage Logging on page 48.
Log Viewer
You can search and see entries in the log files. For more information, see Use Log Viewer on page 53.
Reports
You can generate reports and manage report settings. For more information, see About Reports on page 55.
Diagnostics File
You can create a compressed diagnostics file that contains configuration and log files for all services for a selected period. For more information, see About the diagnostics file on page 63.
Feature Key
You can see information about the installed feature key. You can also upload a new feature key. For more information, see About the feature key on page 64.
Live Update
You can change the update settings for the End-Point Security definition file that is used for client scans to support Assessment access rules. For more information, see Live Update.
About the System Status page
To monitor the status of the WatchGuard SSL system, select Monitor System > System Status.
View status information
From the System Status page, click one of the tabs to get different types of status information. For more information about each tab, see:
System overview on page 26
Network status on page 28
Authentication status on page 29
Events status on page 30
Device status on page 31
Network tools on page 32
Manage settings
At the bottom of the System Status page, click Manage Settings to go to the settings page. You can enable event monitoring and change the super administrator password from this page. For more information, see Manage Settings on page 34.
View administrator activities
At the bottom of the System Status page, click View Administrator Activities to view the recent activities of administrators. For more information, see View administrator activities on page 35.
System overview
To see basic information about your WatchGuard SSL system:
1. Select Monitor System > System Status.
2. Click the System Overview tab. This tab is selected by default.
The System Overview tab is divided into the sections described below.
System Information
The System Information section shows information about the installed software and feature keys.
Software version
The version and build number for the installed operating system software.
Feature Key Version
The version number in the feature key.
Feature Key Type
The type of feature key. The possible types are Production or Evaluation. The Evaluation key allows only one authenticated user to get access through the SSL device.
Current Server Time
The date and time on the WatchGuard SSL device.
System Services
The System Services section shows the services that are enabled on your SSL device.
External Host
Shows the IP address and port number configured for communication between the WatchGuard SSL Web UI and the client.
Internal Host
Shows the IP addresses and port numbers used for communication between services on the device.
Administrators
The Administrators section shows information about administrative users.
Administrator
The user name for the administrator account.
Logged on Administrators
The number of administrators currently logged in.
Users
The Users section shows status information about users and user accounts.
Concurrent Users
The number of users currently connected to the SSL device. The maximum number allowed by the feature key appears in parentheses.
Registered User Accounts
The number of registered user accounts. The maximum number allowed by the feature key appears in parentheses.
Logged-on Users
The number of users currently logged in.
Active Users
The number of active users currently logged in.
Resources
Registered Resources
The number of registered resources on the Resource Access tab.
Registered SSO domains
The number of registered Single Sign-On domains.
Network status
To see the status of the network interface configuration:
1. Select Monitor System > System Status.
2. Click the Network Status tab.
The Network Status tab shows configuration and statistics for the enabled network interfaces.
Eth0
Shows configuration information and traffic statistics for the Eth0 network interface.
Eth1
Shows configuration information and traffic statistics for the Eth1 interface. Eth1 is disabled in single interface mode.
Routing Table
Shows the routing table for the device.
For more information about network configuration and interface modes, see Network Configuration.
Authentication status
To see the status of the authentication configuration:
1. Select Monitor System > System Status.
2. Click the Authentication tab.
The Authentication tab shows the configuration status of:
Authentication Methods
Shows a list of authentication methods, and the IP address and port configured for each method.
RADIUS clients
Shows the number of registered RADIUS clients.
Email Notification
If email notification is enabled, this section shows the host.
SMS Distribution
If SMS distribution is configured, this section shows the primary and secondary SMS channels.
Local User Database
Shows the host IP address and account for the local user database.
External Directory Service
Shows the IP address and account for configured external directory services.
Events status
To see recent system events:
1. Select Monitor System > System Status.
2. Click the Events tab.
The Events tab shows a list of events related to the status of connections and services. For each event the Events tab shows:
The date and time of the event
Which service or policy the event involves
A brief description of the event
If you enable Event Monitoring on the Manage Settings page, the Events tab also shows events related to connectivity to the local user database and external directory services. For more information about the Manage Settings page, see Manage Settings on page 34.
Device status
To see statistics and configuration information for your WatchGuard SSL device:
1. Select Monitor System > System Status. The System Status page appears.
2. Click the Device Status tab.
Device Overview
The Device Overview section shows information about the device software, connections, and resource use.
Host
The IP address the device uses to communicate with itself. This value is fixed and cannot be changed.
Current Server Time
Shows the current date and time for the SSL device.
Server Started
Shows the date and time the device was last started.
Version
The software version and build number.
Client Connections
The current number of client connections.
Server Connections
The current number of device connections.
Queued Connections
The current number of queued connections.
Active Worker Threads
The number of active threads is shown first. The maximum number of active threads is shown in parentheses.
Available Memory
The amount of available memory, in megabytes.
OpenSSL Version
The version of OpenSSL used by the WatchGuard SSL device.
SSL Status for <IP address:port>
The SSL Status section shows statistics about the SSL listener. By default, there is just one SSL listener. If you add additional listeners, this page displays the status for each listener.
SSL Sessions in Cache
SSL Accepts
Finished SSL Accepts
Renegotiates
Session Cache Hits
Session Cache Misses
Session Cache Timeouts
Callback Cache Hits
Cache Full Overflows
Cache Size
For information about how to add a listener, see General settings for the application portal on page 208.
Network tools
You can use network tools to run some basic network commands from the WatchGuard SSL Web UI. This can be useful for network troubleshooting. The network tools available in the WatchGuard SSL Web UI are:
ping
A command to detect whether a connection to a specified hostname or IP address is possible
tcpdump
A program to intercept and examine TCP/IP packets for diagnostic purposes
traceroute
A command to show the routing path taken from the device to a hostname or IP address
nslookup
A program that shows the information from the DNS records of a domain or hostname
To use the network tools:
1. Select Monitor System > System Status.
2. Click the Network Tools tab.
3. From the Command Type drop-down list, select the command you want to use. The command appears in the Prepared Command text box.
4. In the Extended Parameters field, type the command line parameters for this command. The parameters appear in the Prepared Command text box, after the command.
5. From the Max Run Time drop-down list, select the maximum amount of time you want the command to run.
6. To run the command shown in the Prepared Command dialog, click Run. The result of the command appears in the Result area of the page.
7. To stop the command, click Stop.
8. To clear the Result area, click Clear.
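The guide does not say how the device assembles the Prepared Command from the command type and the Extended Parameters, or how the Max Run Time is enforced. The following is an added example, not WatchGuard's code, of one safe way to build such a tool: the command comes only from the fixed list of four, the free-text parameters are split into arguments but never passed to a shell, and the run time is a hard deadline. The list of Max Run Time values is an assumption for this example.

```python
"""Build a prepared command the way the Network Tools tab does (command
type plus extended parameters, bounded by a maximum run time) and run it.
Added example of one safe way to do this; the page does not describe how
the device itself builds or runs the command."""
import shlex
import subprocess
import sys

# The command types offered by the Network Tools tab.
COMMAND_TYPES = {
    "ping": ["ping"],
    "tcpdump": ["tcpdump"],
    "traceroute": ["traceroute"],
    "nslookup": ["nslookup"],
}

# Choices for the Max Run Time list, in seconds (an assumption for this example).
MAX_RUN_TIMES = (5, 10, 30, 60)

PYTHON = sys.executable  # used below to demonstrate the deadline with a harmless process


def prepare_command(command_type, extended_parameters, max_run_time):
    """Return (argv, timeout_seconds) for the Prepared Command box.

    The command comes only from the fixed list. The extended parameters are
    split with shell quoting rules but are never passed to a shell, so text
    such as "10.0.0.1; reboot" is one literal argument to ping, not a second
    command."""
    if command_type not in COMMAND_TYPES:
        raise ValueError("unknown command type: %r" % (command_type,))
    if max_run_time not in MAX_RUN_TIMES:
        raise ValueError("unsupported max run time: %r" % (max_run_time,))
    argv = list(COMMAND_TYPES[command_type]) + shlex.split(extended_parameters)
    return argv, max_run_time


def _as_text(data):
    """Normalize captured output, which may be bytes or None after a timeout."""
    if data is None:
        return ""
    return data.decode("utf-8", "replace") if isinstance(data, bytes) else data


def run_prepared(argv, timeout_seconds):
    """Run argv without a shell and kill it when the run time elapses.

    Returns (exit_code, output). An exit code of None means the deadline hit
    and the process was killed, which is what the Stop button does by hand."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout_seconds)
    except subprocess.TimeoutExpired as exc:
        return None, _as_text(exc.stdout) + _as_text(exc.stderr)
    return proc.returncode, proc.stdout + proc.stderr


if __name__ == "__main__":
    argv, limit = prepare_command("ping", "-c 3 '10.0.0.1; reboot'", 10)
    print("prepared:", argv, "max run time:", limit)
    code, out = run_prepared([PYTHON, "-c", "import time; time.sleep(60)"], 1)
    print("deadline demo exit code:", code)
```

With the quoted parameter above, ping receives the single argument "10.0.0.1; reboot" and fails to resolve it; nothing after the semicolon is ever executed. The stand-alone run ends by launching a sleeping Python process under a one-second deadline to show the timeout path.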
Manage Settings
You can manage the settings for event monitoring or change the Super Administrator password.
Event monitoring settings
You can monitor the connections to the Local User Database and External Directory Service. When you enable event monitoring, the connection is examined every 15 seconds and a log message is recorded in the service log. The log messages appear on the Events tab in the System Status page. This option is selected by default. To increase the performance of your system, disable this option.
To enable event monitoring:
1. Select Monitor System > System Status.
2. Click Manage Settings. The Settings page appears.
3. Select the Monitor connections to the local user database and external directory service check box.
4. Click Save.
Change the Super Administrator password
When you complete the Quick Setup Wizard, you set the Super Administrator password. You can change this password at any time. You can also enable or disable the WatchGuard SSL password policy, which requires that the Super Administrator password meet these specific standards:
The password must be at least six characters long
The password must include characters from at least three of the following four categories:
o English uppercase characters (from A through Z)
o English lowercase characters (from a through z)
o Base-10 digits (from 0 through 9)
o Non-alphanumeric characters (for example: !, $, #, or %)
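The policy above is easy to state and easy to get subtly wrong (counting categories rather than characters, for instance). The following is an added example, not WatchGuard's implementation, that checks a candidate password against exactly those rules before you type it into the Settings page. How accented letters or whitespace are categorized is not stated on the page; this example treats anything that is not an English letter or digit as non-alphanumeric, and that is an assumption.

```python
"""Check a password against the WatchGuard SSL password policy described
above: at least six characters drawn from at least three of four character
categories. Added example; not the device's own implementation."""
import string

MIN_LENGTH = 6
MIN_CATEGORIES = 3

UPPER = set(string.ascii_uppercase)   # English uppercase, A through Z
LOWER = set(string.ascii_lowercase)   # English lowercase, a through z
DIGITS = set(string.digits)           # base-10 digits, 0 through 9


def category_of(ch):
    """Map one character to its policy category. Anything that is not an
    English letter or a digit counts as non-alphanumeric, which is how this
    example reads the policy wording (an assumption for accented letters
    and whitespace, which the page does not address)."""
    if ch in UPPER:
        return "uppercase"
    if ch in LOWER:
        return "lowercase"
    if ch in DIGITS:
        return "digit"
    return "non-alphanumeric"


def check_password(password):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("must be at least %d characters long" % MIN_LENGTH)
    found = {category_of(ch) for ch in password}
    if len(found) < MIN_CATEGORIES:
        problems.append("uses %d character categories (%s); needs at least %d"
                        % (len(found), ", ".join(sorted(found)) or "none",
                           MIN_CATEGORIES))
    return problems


def policy_allows(password):
    """True when the password meets every rule of the policy."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("Abc123", "abc123", "Ab1!", "abc!23"):
        print("%-8s %s" % (candidate, check_password(candidate) or "OK"))
```

Treat the policy as a floor, not a target: six characters from three categories is a low bar for the account that administers the device, and the check only tells you what the UI will accept.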
To enable or disable the password policy or change the password:
1. Select Monitor System > System Status.
2. Click Manage Settings. The Settings page appears.
3. Select or clear the Enable password policy check box.
4. To change the password, type the Current Password.
5. Type the new password twice in the New Password and Verify New Password text boxes.
6. Click Save.
View administrator activities
You can use the WatchGuard SSL Web UI to see a list of all the administrators logged on to the Web UI, as well as the date and time of recent actions for each administrator.
1. Select Monitor System > System Status.
2. Click View Administrator Activities. The Administrator Activities page appears.
About user sessions
You can search for and manage all current user sessions to see which users are active in the system and information about their sessions. You can also stop active user sessions.
To see a list of user sessions:
1. Select Monitor System. The System Status page appears.
2. Select User Sessions. The User Sessions page appears.
Search for User Sessions
By default, the User Sessions page shows a list of all active user sessions. You can use the search fields at the top of the page to search for a session by User ID and authentication method.
To search for current sessions:
1. Select Monitor System > User Sessions. The User Sessions page appears.
2. In the Search by User ID text box, type a user name. To see all users, type only the * wildcard character. To search for partial user names, type the * wildcard character with the other characters. For example, Wil* or *am can be used to find the user name "William".
3. From the adjacent drop-down list, select an authentication method. Select All to include all authentication methods in your search.
4. Click Search. The user names that match your search parameters appear in the User Sessions list.
The User Sessions list shows summary information for each active session:
Session ID
The unique ID number assigned to the user session.
User ID
The user name assigned to the user in the directory service.
Authentication Method
The authentication method used to log in.
Client IP Address
The IP address of the client computer.
Life Time
The number of minutes the user session has been active.
View a User Session
1. In the search results list, click a Session ID to see details about that user session. The View User Session page appears, with this information for each session:
Session ID
The unique ID number assigned to the user session.
User ID
The user name assigned to the user in the directory service.
Display Name
The display name assigned to the user.
Authentication Method
The authentication method used to log in to the Authentication Portal.
Client IP Address
The IP address of the client computer.
Login time
The date and time the user session began.
Life Time
The number of minutes the user session has been active.
Last Access
The date and time of the last user session for this user.
Time to session timeout
The number of minutes until the user session timeout limit is reached.
2. Click Previous to return to the User Sessions page.
Stop User Sessions
You can stop or close an active user session at any time. On the User Sessions page:
1. Select the Delete check box for each user session you want to end.
2. Click Delete at the bottom of the Delete column.
The selected user sessions are stopped, but the user accounts are not deleted. The users can log on to the application portal again.
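The search and the per-session fields above can be exercised offline. The following is an added example, not part of the guide or the device, that applies the User ID wildcard search (with * as the only wildcard, exactly as the search page describes it) and an authentication-method filter to a constructed list of sessions, then computes Life Time and Time to session timeout from the login time and the configured maximum session length. Whether the device compares User IDs case-insensitively is not stated; this example does, and that is an assumption.

```python
"""Search and inspect user sessions the way the User Sessions page does:
a User ID pattern in which * is the wildcard, an optional authentication
method filter, and the minutes elapsed and remaining for each session.
Added example over a constructed session list; not the device's own code."""
import re
from datetime import datetime

# Constructed sample sessions, shaped like rows of the User Sessions list.
SESSIONS = [
    {"session_id": 1001, "user_id": "William", "auth_method": "Password",
     "client_ip": "192.0.2.10", "login_time": datetime(2009, 6, 26, 9, 0)},
    {"session_id": 1002, "user_id": "Sam", "auth_method": "RADIUS",
     "client_ip": "192.0.2.11", "login_time": datetime(2009, 6, 26, 9, 30)},
    {"session_id": 1003, "user_id": "Wilma", "auth_method": "RADIUS",
     "client_ip": "198.51.100.5", "login_time": datetime(2009, 6, 26, 8, 45)},
]

# A fixed "now" so the figures below are repeatable (constructed).
NOW = datetime(2009, 6, 26, 10, 0)


def user_id_matches(user_id, pattern):
    """True when user_id matches pattern. Only * is a wildcard (any run of
    characters); every other character is literal, so a User ID that happens
    to contain ? or [ is not misread. Matching ignores case, which is an
    assumption of this example; the page does not say."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, user_id, re.IGNORECASE) is not None


def search_sessions(sessions, user_pattern="*", auth_method="All"):
    """Sessions whose User ID matches user_pattern and, unless auth_method
    is "All", whose authentication method equals auth_method."""
    return [s for s in sessions
            if user_id_matches(s["user_id"], user_pattern)
            and (auth_method == "All" or s["auth_method"] == auth_method)]


def session_times(session, now, max_session_minutes):
    """(Life Time, Time to session timeout) in whole minutes, where the
    maximum lifetime is the maxsessiontimeout value set in the configuration."""
    life = int((now - session["login_time"]).total_seconds() // 60)
    return life, max(0, max_session_minutes - life)


def expired_session_ids(sessions, now, max_session_minutes):
    """IDs of sessions whose maximum lifetime has elapsed; the Delete column
    on the User Sessions page is the manual way to end these."""
    return [s["session_id"] for s in sessions
            if session_times(s, now, max_session_minutes)[1] == 0]


if __name__ == "__main__":
    for s in search_sessions(SESSIONS, "Wil*"):
        life, left = session_times(s, NOW, 480)
        print(s["session_id"], s["user_id"], s["auth_method"],
              s["client_ip"], "life:", life, "left:", left)
```

Against the constructed list, Wil* returns William and Wilma, *am returns William and Sam, and adding the RADIUS filter to *am leaves only Sam, which is the behaviour the search page describes.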
Manage search and display settings
By default, the User Sessions search results include a maximum of 200 results, and show 20 results per page. To change these settings:
1. Select Monitor System > User Sessions. The User Sessions page appears.
2. Click Manage Search and Display Settings. The Manage User Sessions Settings page appears.
3. In the Search Limit text box, type the maximum number of user sessions you want to appear in the User Sessions search results.
4. In the Results Per Page text box, type the number of user sessions to display on each page of the User Sessions search results.
5. Click Save. The User Settings page appears.
About Alerts
Alerts are messages the system can send to notify administrators when specified events occur. Alert events include lost and restored connections between services, lost and restored connections to the local user database, or user account activity. You can configure alerts to be sent by email or as an SMS message.
Alert messages contain event-specific information. For example, you can configure an alert to be sent if the Administration service cannot communicate with the local user database. The alert message is sent to the selected recipients through the method you specify.
Manage Alerts
You can add, edit, and delete alerts from the Manage Alerts page.
1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. Configure alerts:
Add an alert
Edit and delete alerts
Manage global alert settings
Predefined Alert Event Types
You can use these predefined alert events to configure Registered Alerts:
User Accounts
Resource Host
Services
Local User Database
Authentication Servers
For more information about alert event types, see About alert event types on page 43.
Add an alert
When you configure an alert, you must select which types of events trigger the alert, configure which notification methods to use for the alert notification messages, and configure the recipients of those notifications.
You can send an alert as an email message, an SMS message, or both. You must configure the email and SMS notification channels before you can use them in an alert. For more information about notification channel configuration, see General settings for the application portal on page 208.
You can configure alert notification messages to be sent to delegated administrative roles, or directly to email addresses or cell phone numbers that you specify. When you send an alert message to a delegated role, the alert message is sent to the email address or SMS number of each administrator assigned to that role. For information about delegated roles, see General settings for the application portal.
To add an alert:
1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. Click Add Alert. The Add Alert page appears.
3. In the Display Name text box, type a name for the alert.
4. In the Description text box, type the description that you want to appear with the alert in the Registered Alerts list.
5. Make sure the Enable Alert check box is selected.
6. In the Notification section, use the check boxes to select the notification method. You can select Email, SMS, or both.
7. Click Next. The Alert Events Types page appears.
8. Select the check box for each alert event type you want to trigger this alert. For more information about the alert event types, see About alert event types on page 43.
9. Click Next.
10. To send the alert message to a set of people for which you have defined a delegated role, click the role in the Available Roles list. To select more than one role to receive this alert, hold down the Ctrl key while you click each role name.
11. Click Add. The selected roles appear in the Selected Roles list.
12. If you selected Email as a notification channel in Step 6, you can send the alert to a specific email address. Click Add Email Address. Type the email address and click Next. The address appears in the Registered Email Addresses list.
13. If you selected the SMS notification channel in Step 6, you can send the alert as an SMS message to a specific cell phone number. Click Add Cell Phone Number. Type the cell phone number and click Next. The cell phone number appears in the Registered Cell Phone Numbers list.
14. After you add all recipients for this alert, click Finish Wizard. The Manage Alerts page appears. The alert you added appears in the list of registered alerts.
About alert event types
When you define an alert, you can select from these pre-defined alert event types:
User Accounts event types
Locked for Access
Access is locked for a user.
Unlocked for Access
The administrator unlocks access for a user.
Locked for Authentication
Authentication is locked for a user.
Unlocked for Authentication
The administrator unlocks authentication for a user.
Time-lock Locked
A time-lock is activated for a user.
Time-lock Unlocked
The administrator disables a time-lock for a user.
Resource Host event types
Lost Connection
The connection to a resource host is unavailable.
Restored Connection
The connection to a resource host is restored.
Services event types
Lost Connection
The connection to a service is unavailable.
Restored Connection
The connection to a service is restored.
Local User Database event types
Lost Connection
The connection to the local user database is unavailable.
Restored Connection
The connection to the local user database is restored.
Authentication Service event types
Lost Connection
The connection to the authentication method service is unavailable.
Restored Connection
The connection to the authentication method service is restored.
Edit and delete alerts

You can see, edit, and delete current alerts in the Registered Alerts list. You can select an alert to see its settings, change any of the settings, or delete an alert that you no longer want to use.

See and edit registered alerts
1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. Select a Display Name in the Registered Alerts list to see the details of that alert. The Edit Alerts page appears.
3. On the General Settings tab, you can change the Display Name, Description, and Notification channel.
4. On the Alert Events tab, you can edit the types of alert events to include in this alert.
5. On the Alert Receivers tab, you can change who receives notifications from this alert.
6. Click Save.
Delete registered alerts
1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. Select a Display Name in the Registered Alerts list to see the details of that alert. The Edit Alerts page appears.
3. Click Delete. The Delete Alert page appears.
4. Click Yes to delete the alert. The Manage Alerts page appears with a message that the alert was deleted.

Manage global alert settings

You can customize the alert message sent for each alert event type.

Edit the alert messages
1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. On the Manage Alerts page, click Manage Global Alert Settings. The Manage Global Alert Settings page appears.
3. In the Subject field, edit the subject that you want to appear for all alert messages.
4. For each alert event type, you can edit the alert message. The default alert messages and a description of the variables used in them are described below.
5. Click Save.

If you use SMS as your notification channel for alerts, we recommend you keep the alert messages short. SMS messages are limited to 160 characters on most mobile networks.
Alert message variables

The alert messages use the positional variables {0} and {1}; the Time-lock Locked message also uses {2}.

{0} is replaced by the exact date and time of the event. The format of the date and time depends on the locale settings for your browser.
{1} is replaced by the specific event trigger. This can be a user account, a WatchGuard SSL service, or a resource.
{2} is used only in the Time-lock Locked message and is replaced by the time at which the time-lock expires.

Here is an example alert message:

{0}: User {1} has been locked for authentication.

When this alert is sent, the alert message substitutes the date and time for {0} and the user name for {1}:

:11:31: User Joe Smith has been locked for authentication.

Alert message defaults

User Accounts
  Alert Event Type             Default alert message
  Locked for Access            {0}: User {1} has been locked for access
  Unlocked for Access          {0}: User {1} has been unlocked for access
  Locked for Authentication    {0}: User {1} has been locked for authentication
  Time-lock Locked             {0}: User {1} has been Time-lock locked until {2}
  Time-lock Unlocked           {0}: User {1} has been Time-lock unlocked

Resource Host
  Alert Event Type             Default alert message
  Lost Connection              {0}: Lost connection to Resource Host {1}
  Restored Connection          {0}: Restored connection to Resource Host {1}

Services
  Alert Event Type             Default alert message
  Lost Connection              {0}: Lost connection to {1}
  Restored Connection          {0}: Restored connection to {1}

Local User Database
  Alert Event Type             Default alert message
  Lost Connection              {0}: Lost connection to Local User Database{1}
  Restored Connection          {0}: Restored connection to Local User Database{1}

Authentication Method Servers
  Alert Event Type             Default alert message
  Lost Connection              {0}: Lost connection to Authentication Method Server used by Authentication Method {1}
  Restored Connection          {0}: Restored connection to Authentication Method Server used by Authentication Method {1}
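The following Python script is an added example for this section; it is not part of this guide and not WatchGuard code. It models the {0}, {1} and {2} substitution with Python's str.format, which uses the same positional placeholder syntax, and performs the two checks an administrator wants before saving a customized message: that the message references only placeholders the event type supplies ({2} is available only for Time-lock Locked), and that the rendered text fits in one 160-character SMS. The event time is passed in as a preformatted string because on the device its format follows the browser locale; the function and constant names are this example's own.

```python
"""Validate customized alert messages against the placeholder rules in the guide.

Added example, not WatchGuard code. Placeholder semantics: {0} event time,
{1} trigger (user, service or resource), {2} time-lock expiry (Time-lock
Locked only). Rendering is modelled with str.format, which uses the same
positional placeholder syntax.
"""
from string import Formatter

SMS_LIMIT = 160  # practical single-SMS budget, as the guide notes

# Placeholders each event type supplies, taken from the default message table.
SUPPLIED = {"Time-lock Locked": {0, 1, 2}}
DEFAULT_SUPPLIED = {0, 1}

# Default messages from the guide, keyed by event type (subset, for illustration).
DEFAULTS = {
    "Locked for Access": "{0}: User {1} has been locked for access",
    "Locked for Authentication": "{0}: User {1} has been locked for authentication",
    "Time-lock Locked": "{0}: User {1} has been Time-lock locked until {2}",
    "Lost Connection (Authentication Method Server)": (
        "{0}: Lost connection to Authentication Method Server "
        "used by Authentication Method {1}"
    ),
}


def placeholders_used(template):
    """Return the set of positional indexes ({0}, {1}, {2}) a template references."""
    return {
        int(field)
        for _, field, _, _ in Formatter().parse(template)
        if field is not None and field.isdigit()
    }


def template_problems(event_type, template):
    """List the placeholders a customized message uses that this event does not supply."""
    supplied = SUPPLIED.get(event_type, DEFAULT_SUPPLIED)
    unsupplied = placeholders_used(template) - supplied
    return [f"{{{index}}} is not supplied for {event_type}" for index in sorted(unsupplied)]


def render(template, event_time, trigger, until=None):
    """Substitute the event time, the trigger and, if given, the time-lock expiry.

    event_time and until are preformatted strings in this example; on the
    device the date and time format follows the browser locale.
    """
    args = [event_time, trigger] + ([until] if until is not None else [])
    return template.format(*args)


def fits_sms(message):
    """True if the rendered message fits in a single SMS."""
    return len(message) <= SMS_LIMIT


if __name__ == "__main__":
    # Constructed sample values, not output from a real device.
    for event, template in DEFAULTS.items():
        problems = template_problems(event, template)
        sample = render(template, "2009-06-26 11:11:31", "Joe Smith", "2009-06-27 08:00:00")
        print(f"{event}: problems={problems} sms_ok={fits_sms(sample)} -> {sample}")
```

Run the script after editing a message to see whether the rendered text still fits an SMS; long trigger names such as a full authentication method name can push the Authentication Method Server messages over the limit even when the template itself looks short.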
Manage Logging

You can configure logging settings, such as log level, log file rotation, and the types of information to log for each registered service.

Edit logging settings
1. Select Monitor System > Logging. The Manage Logging page appears.
2. Click the Display Name of a registered service to edit the log settings. The Edit Logging Settings page for the service appears, with a separate tab for each log type.
3. Click a tab to configure the settings for each log type. The available settings that you can configure on each tab include Log Level Filter, Log File Rotation, Debug Logs, and Syslog. Debug logs and syslog settings are only available after you enable them on the Manage Global Logging Settings page. For more information about these settings, see the subsequent sections. For more information about global logging settings, see Manage global logging settings on page 51.
4. For the accesspoint service, on the Audit Log tab, select the check box for each Log File Information type to include in the audit log file.
5. Click Save.
Set the Log Level Filter

For each service, you can configure a log level for each type of log file. You can use the Log Level Filter controls to ignore log messages that do not meet the severity requirements you specify. In the Log Level Filter drop-down list, select a log level filter. Available log level filters include:

Off: Disables logging for that service.
Fatal: Logs only fatal messages.
Warning: Logs only fatal and warning messages.
Info: Logs all levels of messages. This is the default setting.

Configure log file rotation

For each service, you can configure log file rotation for each type of log file. In the Log File Rotation section, select the radio button for the rotation schedule you want. Options include:

Create a new log file every day: The service creates a new log file every day.
Disable log file rotation. Save all log messages in the same file: The service logs all messages to the same file. Without rotation the file grows until you delete it or the disk fills, so use this option only where something else limits the log volume.
Rotate log files based on size: The service creates a new log file when the current file reaches the Max File Size you type. In the Max Files in Rotation field, you must select the maximum number of concurrent log files. When the maximum number of log files is reached, the system removes the oldest log file and creates a new log file.

Debug Logs

If you enabled debug logs on the Manage Global Logging Settings page, you can specify the IP address for the HTTP traffic you want to include in the Diagnostics File.

Client IP Address: Type the IP address for HTTP traffic.

Log File Information

These settings are only available for the accesspoint service. Select the check box for each type of information you want to include in your HTTP log file. The available options depend on the type of log you selected.
Syslog

To configure syslog settings, you must first enable syslog on the Manage Global Logging Settings page. In the Log Level Filter drop-down list, select a log level filter for logging to a remote syslog server. Available log level filters include:

Off: Disables logging for that service.
Fatal: Logs only fatal messages.
Warning: Logs only fatal and warning messages.
Info: Logs all levels of messages. This is the default setting.

If you set the syslog log level filter to Fatal, Warning, or Info, make sure that you configure the syslog server IP address on the Manage Global Logging Settings page. For more information, see Manage global logging settings on page 51.
Manage global logging settings

Global logging settings apply to all log files created by all services. To manage global logging settings:

1. Select Monitor System > Logging.
2. Click Manage Global Logging Settings.
3. In the Time Zone section, you can change the time zone used in log file messages. You can select Local Time or GMT. The default setting is Local Time. If you correlate device logs with logs from other systems, use the same time zone on all of them.
4. In the Log collection interval field, type the number of seconds between collections of log messages. The log collection interval controls how often the Administration service collects log messages from the other services. The default setting is 5 seconds.
5. Click Save.

Alerts and reports both depend on log collection. If you set the log collection interval too high, you reduce your ability to see real-time report data and you delay the delivery of alerts.
Enable debug logging

To troubleshoot a problem with your WatchGuard SSL device, you can enable an additional level of logging. Select the Enable debug logging check box to enable debug logging. When you enable debug logging, several debug log files are created for the accesspoint service:

Raw External log file
Raw Internal log file
Raw Proxy Interchange log file
Hyper Links log file
Form Based log file

For the Administrator service, an additional debug log file is created.

You cannot see the debug log files in the WatchGuard SSL Web UI. To see the debug log files, you must download the diagnostics zip file that contains all log files. For information about the diagnostics file, see About the diagnostics file on page 63. Because the raw log files record the traffic the accesspoint service handles, enable debug logging only for as long as you need it and disable it after you have created the diagnostics file.

Enable logging to a remote syslog server

You can also send log messages to a remote syslog server. When you enable syslog, the syslog messages from each service are sent to the syslog server at the IP address you specify. To enable syslog logging:

1. On the Manage Global Logging Settings page, select the Enable Syslog check box.
2. In the Syslog Server IP field, type the IP address of your syslog server.

For information about how to set the syslog log level for each type of log file, see Manage Logging on page 48.
Use Log Viewer

You can use the Log Viewer to see log messages from the configured services. You can specify search criteria to filter the results. The Log Viewer System Log only includes the severity levels INFO, WARNING, and FATAL.

To search for log events:
1. Select Monitor System > Log Viewer. The Log Viewer page appears.
2. From the Log Type drop-down list, select the log type.
3. From the Services list, select the services whose log files to search. To select more than one service, hold down the Ctrl key while you click each service.
4. In the Search Criteria field, type the criteria to filter the log entries. By default, the search function finds all log entries that contain all the words in the search criteria anywhere in the log entry. For more information about how to use the Search Criteria field, see the subsequent section.
5. In the Time Range section, select the time range to search. To search recent log events, select the top radio button, then select the number of hours or days to view. To search for log events in a date range, select the second radio button, then type dates in the From and To fields.
6. Click View Log to search for log messages that meet your criteria. The search results appear in a separate browser window.

If you search through log files for a large number of services, the search can take a long time to complete.
About Log Viewer Search Criteria

You can use Search Criteria to trace specific log events, such as user activity, through your services. Searches are not case sensitive and search criteria can include multiple text strings. You can combine all of these methods to define a very specific search.

Exact Match
To find log file messages that contain an exact match, type quotation marks before and after the text exactly as it must appear in the log entry. For example:

"server start"
Search results include all log file entries that contain the exact phrase "server start".

" info "
When you include spaces between the quotation marks and the text, the search results include all log entries with a space before and after the text info.

Find log file events that contain all the search terms (AND)
To find all log file messages that contain several search terms, type and between the terms in the search criteria. For example:

warning and authentication
Search results include all log file entries that contain both the words "warning" and "authentication".

Find log file events that contain any of the search terms (OR)
To find all log file entries that contain any of the search terms, type or between the terms in the search criteria. The OR keyword takes precedence over the AND keyword. For example:

fatal or warning
Search results include all log entries that contain the severity level FATAL or WARNING.

fatal or warning and sql
Search results include log entries with the severity level FATAL or WARNING that also include the text "sql".

Exclude terms from the search results (-)
To exclude terms from a search, type a minus sign (-) before the term to exclude. For example:

-info
Search results include all severity levels except the INFO level.

fatal or warning -sql
Search results include all log entries with the FATAL or WARNING severity level, except for entries that include the text "sql".

fatal or warning -lcp -"tc5 system"
Search results include all log entries with the severity level FATAL or WARNING, but not log entries that include the text LCP or the exact phrase "tc5 system".

Use wildcards
To search for part of a term, you can use the wildcard characters * and ?. Type * in the place of any number of characters, and ? in the place of exactly one character. For example:

load*
Search results include all log entries with the text load followed by any other characters, such as loaded or loading.

loade?
Search results include all log entries with the text loade followed by exactly one other character, such as loaded or loader.
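The following Python script is an added example, not part of this guide and not WatchGuard code. It implements the search-criteria rules described above as a small query engine and runs each of the guide's example queries over a handful of constructed log entries, so you can see exactly which lines each rule keeps or drops. The tokenizer, the translation of * and ? into regular expressions, and the sample entries are this example's own assumptions; the guide does not describe the device's parser.

```python
"""Matcher for Log Viewer search criteria (added example, not WatchGuard code).

Rules implemented as the guide describes them: whitespace-separated terms,
implicit AND, the keyword "or" binding tighter than "and", -term and
-"phrase" exclusions, quoted phrases matched literally (spaces included),
wildcards * and ? in unquoted terms, and case-insensitive matching
anywhere in the entry.
"""
import re

# Constructed sample log entries; not output from a real device.
SAMPLE_LOG = [
    "2009-06-26 11:11:31 WARNING accesspoint: authentication failed for user jsmith",
    "2009-06-26 11:12:02 INFO administration: server start",
    "2009-06-26 11:12:05 FATAL accesspoint: lost connection to sql database",
    "2009-06-26 11:13:40 INFO accesspoint: policy loaded",
    "2009-06-26 11:14:00 WARNING accesspoint: lcp negotiation failed",
]

# Either a (possibly negated) quoted phrase or a run of non-space characters.
TOKEN_RE = re.compile(r'(-?)"([^"]*)"|(\S+)')


def tokenize(criteria):
    """Split criteria into (negated, text, quoted) triples; quotes keep inner spaces."""
    tokens = []
    for match in TOKEN_RE.finditer(criteria):
        word = match.group(3)
        if word is not None:
            negated = word.startswith("-") and len(word) > 1
            tokens.append((negated, word[1:] if negated else word, False))
        else:
            tokens.append((match.group(1) == "-", match.group(2), True))
    return tokens


def term_to_regex(text, quoted):
    """Quoted phrases are literal; unquoted terms may contain * and ? wildcards."""
    if quoted:
        return re.compile(re.escape(text), re.IGNORECASE)
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in text)
    return re.compile(pattern, re.IGNORECASE)


def compile_criteria(criteria):
    """Return (and_groups, excludes).

    Each AND group is a list of alternatives: an entry must match at least one
    regex in every group (OR binds tighter than AND) and none of the excludes.
    """
    groups, excludes, pending_or = [], [], False
    for negated, text, quoted in tokenize(criteria):
        if negated:
            excludes.append(term_to_regex(text, quoted))
        elif not quoted and text.lower() == "and":
            pending_or = False  # the next term starts a new AND group
        elif not quoted and text.lower() == "or":
            pending_or = True  # the next term joins the current group
        else:
            regex = term_to_regex(text, quoted)
            if pending_or and groups:
                groups[-1].append(regex)
            else:
                groups.append([regex])
            pending_or = False
    return groups, excludes


def search_log(criteria, entries=SAMPLE_LOG):
    """Return the 1-based numbers of the entries that satisfy the criteria."""
    groups, excludes = compile_criteria(criteria)
    hits = []
    for number, entry in enumerate(entries, start=1):
        required = all(any(r.search(entry) for r in group) for group in groups)
        excluded = any(r.search(entry) for r in excludes)
        if required and not excluded:
            hits.append(number)
    return hits


if __name__ == "__main__":
    for query in ['"server start"', "warning and authentication", "fatal or warning",
                  "fatal or warning and sql", "-info", "fatal or warning -sql",
                  'fatal or warning -lcp -"tc5 system"', "load*", "loade?", '" info "']:
        print(f"{query!r:40} -> lines {search_log(query)}")
```

The useful thing to notice when you run it is the precedence rule: fatal or warning and sql keeps only line 3, because the OR group is evaluated first and sql must also appear, whereas an engine that bound AND tighter would also return the WARNING lines.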
About Reports

You can generate reports in the WatchGuard SSL Web UI to see information from the log files. You can generate a report that shows the current status of the device or service, or you can select a time range. Report information is also stored in a database for later use. After you generate a report, you can save it in PDF, plain text, or PNG image format so you can examine the data with third-party programs at another time.

Available Reports

You can generate any of these twelve reports, or select Complete Report to generate all of the reports at the same time.

Report name                 Report description
Abolishment report          Contains information about abolishment attempts over a selected time range.
Assessment report           Contains information about assessment attempts over a selected time range.
Session Trend report        Contains information about the number of concurrent sessions over a selected time range.
Access report               Contains information about access requests over a selected time range.
Authentication report       Contains information about failed and successful authentication attempts over a selected time range.
Authorization report        Contains information about failed and successful authorization attempts over a selected time range.
Account Statistics report   Contains information about the number of users per resource host over a selected time range.
Communication report        Contains information about lost connections over a selected time range.
Performance report          Contains information about system performance over a selected time range.
Tunnel report               Contains information about tunnel transfer rate over a selected time range.
System report               Contains information about connections and system resource usage over a selected time period.
Alerts report               Contains information about alerts triggered over a selected time range.
Complete report             Contains information from all the reports.

Generate a report
1. Select Monitor System > Reports. The Manage Reports page appears.
2. In the Generate Report column, click the name of the report you want to generate. The Generate Report page for the report you selected appears.
3. On the Time Range tab, select the time range for the report.
4. Click the Filter tab. A list of filters for the selected report appears.
5. Click a filter to change filter settings. By default, all filters are set to All.
6. Click the Graphics tab. The Graphics tab contains a list of charts you can generate.
7. Select the check box adjacent to each chart type that you want to include in the report.
8. For each chart you select, use the adjacent drop-down list to select the chart style.
9. Click Generate Report. The View Report page appears for the current report.
10. Click each tab on the View Report page to see each chart.
11. Click Refresh Charts to refresh the report data.

Save a report

To save a copy of a report to a local file:
1. Use the steps above to generate the report.
2. On the View Report page, click Save Report.
3. Select whether to save this as a PDF file, data file, or image file. The PDF contains all pages of the report. Data files are stored as plain text, one text file per report tab. Image files are stored as PNG image files, one file per chart.
4. Click Download. A file is generated. If you selected more than one file type, the files are in a ZIP file.
5. Click the file name to download the file.

Abolishment report

The Abolishment report contains information about abolishment attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Abolishment report:
User ID
Client
Client IP
By default, all filters are set to All.

Graphics
You can select one or more of these chart types:
Failed Attempts over Time
Succeeded Attempts by User
Succeeded Attempts over Time
By default, the style for these charts is set to Bar.

For more information about how to generate a report, see About Reports on page 55.
Assessment report

The Assessment report contains information about assessment attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Assessment report:
Assessment Rule
User ID
Client
Client IP
By default, all filters are set to All.

Graphics
You can select one or more of these chart types:
Failed assessment attempts over time
Failed assessment attempts by reason
Failed assessment attempts by user
Succeeded assessment attempts over time
By default, the style for these chart types is set to Bar.

For more information about how to generate a report, see About Reports on page 55.

Session Trend report

The Session Trend report contains information about sessions over a selected time range. You can set filters and select chart types to customize the report.

Filters
The available filter for the Session Trend report is User ID. By default, the User ID filter is set to All.

Graphics
You can select one, several, or all of the following chart types:
Maximum concurrent sessions over time
Ongoing sessions by user
Average session duration over time
Ended sessions by type

For more information about how to generate a report, see About Reports on page 55.
Access report

The Access report contains information about access requests over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Access report:
Web Resource Host
User ID
Client
Client IP
Tunnel Resource
Tunnel Protocol
Tunnel IP
Tunnel Port
By default, all filters are set to All.

Graphics
You can select one or more of these chart types:
Access Requests over Time
Access Requests by User
Access Requests by Web Resource Host
Access Requests by Tunnel Resource Host

For more information about how to generate a report, see About Reports on page 55.

Authentication report

The Authentication report contains information about failed and successful authentication attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Authentication report:
Authentication Method
User ID
Client
Client IP
By default, all filters are set to All.

Graphics
You can select one or more of these chart types:
Failed Attempts over Time
Failed Attempts by Reason
Failed Attempts by User
Authentication method usage
Average Attempts by Hour
Succeeded Attempts over Time
By default, the style for these charts is set to Bar.

For more information about how to generate a report, see About Reports on page 55.

Authorization report

The Authorization report contains information about failed and successful authorization attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Authorization report:
Client IP
Client
Web Resource Host
User ID
Tunnel Resource
Tunnel Protocol
Tunnel IP
Tunnel Port
By default, all filters are set to All.

Graphics
You can select one, several, or all of the following chart types:
Failed Attempts over Time
Failed Attempts by Reason
Failed Attempts by User
Average Attempts by Hour
Succeeded Attempts over Time
By default, the style for these charts is set to Bar.

For more information about how to generate a report, see About Reports on page 55.

Account Statistics report

The Account Statistics report contains information about the number of users per resource host over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Account Statistics report:
User ID
Web Resource Host
Tunnel Resource
Tunnel Protocol
Tunnel IP
Tunnel Port
By default, all filters are set to All.
Graphics
You can select one or more of these chart types:
Users by Web Resource Host
Users by Tunnel Resource Host
By default, the style for these charts is set to Pie.

For more information about how to generate a report, see About Reports on page 55.

Communication report

The Communication report contains information about lost connections over a selected time range. You can change the chart style to customize the report.

Filters
There are no filters for the Communication report.

Graphics
You can select this chart type:
Lost Connections over Time
By default, the style for this chart is set to Bar.

For more information about how to generate a report, see About Reports on page 55.

Performance report

The Performance report contains information about system performance over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify this filter for the Performance report:
Web Resource Host
By default, the filter is set to All.

Graphics
The Performance report includes these chart types:
Average request rate over time
Average response time by web resource host
Transfer rate - device to web resource host
Transfer rate - web resource host to device
Failed responses over time

For more information about how to generate a report, see About Reports on page 55.
Tunnel report

The Tunnel report contains information about tunnel transfer rate over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Tunnel report:
Tunnel Resource
Tunnel Protocol
Tunnel IP
Tunnel Port

Graphics
The Tunnel report includes these chart types:
Transfer Rate - Client to Tunnel Resource Host
Transfer Rate - Tunnel Resource Host to Client
By default, the style for these charts is set to Line.

For more information about how to generate a report, see About Reports on page 55.

System report

The System report contains information about connections and system resource use over a selected time period. You can select chart types and styles to customize the report.

Filters
There are no filters for the System report.

Graphics
The System report includes these chart types:
Maximum Client and Server Connections over Time
Maximum SSL Sessions over Time
Available Memory by WatchGuard Service
Available Disk Space by WatchGuard Service
By default, the style for these charts is set to Line.

For more information about how to generate a report, see About Reports on page 55.

Alerts report

The Alerts report contains information about alerts triggered over a selected time range. You can set filters and select chart types to customize the report.

Filters
There are no filters for the Alerts report.
Graphics
The Alerts report includes this chart type:
Alerts by Type
By default, the style for this chart is set to Pie.

For more information about how to generate a report, see About Reports on page 55.

Complete report

The Complete report contains statistics from all available report types. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for a Complete report:
User ID
Client
Client IP
Web Resource Host
Tunnel Resource
Tunnel Protocol
Tunnel IP
Tunnel Port
Assessment Rule
Authentication Method
By default, all filters are set to All.

Graphics
You can select one or more of the chart types. The Complete report includes the chart types of all the other reports. By default, all chart types are selected.

For more information about how to generate a report, see About Reports on page 55.

Manage report database settings

All of the information used to generate reports is stored in a database. Use the Manage Report Database Settings page to configure whether the information is stored, and for how long. To change the report database settings:

1. Select Monitor System > Reports.
2. Click Manage Report Database Settings.
3. Select the Store report information check box to enable storage of report information in the database. This is enabled by default. Clear this check box only if you do not want to store data for reports.
4. Select the Delete events older than check box.
5. In the days field, type a number of days. When you confirm your changes, data older than the specified number of days is deleted from the report database.
About the diagnostics file

You can create a diagnostics file to download all of your log files at one time. The diagnostics file is a compressed (ZIP) file that includes all of the System, Audit, Billing, HTTP, and RADIUS debug logs, configuration files, and message log entries for all servers. WatchGuard technical support may ask you to generate this file to help troubleshoot your system and resolve issues with your configuration. Because the file contains your configuration files and complete logs, treat it as confidential and share it only with the people who need it to troubleshoot the device.

To create a diagnostics file:
1. Select Monitor System > Diagnostics File. The Diagnostics File page appears.
2. Select a date range in the Time Range fields. You can select the most recent data for a number of days or specify a specific date range.
3. Click Create Diagnostics File. The Download Diagnostics File page appears, with a download link. It can take a long time to create the diagnostics file if you select a long time range.
4. Click Download diagnostic-yyyymmdd-xxxx.zip to download the file. The browser download page appears. yyyymmdd-xxxx in the file name represents the date and a sequence number for each diagnostics file you create.
5. Select whether to open the file or save it, and click OK.

It is a good idea to enable debug logging for a period of time before you generate the diagnostics file. When you enable debug logging, the diagnostics file contains additional debug log files that can help WatchGuard technical support. For information about debug logging, see Manage global logging settings on page 51.
About the feature key

The Feature Key page shows information about the feature key, and includes a section where you can upload a new feature key. To see the content of your feature key:

1. Select Monitor System. The System Status page appears.
2. Select Feature Key. The Feature Key page appears.

The feature key information includes:

Serial Number: The unique serial number that identifies the feature key for this WatchGuard SSL device. If you use the default feature key, you cannot see the device serial number in the feature key.
Version: The installed software version.
Type: The type of the feature key. The type can be Evaluation or Production.
Issued: The date the feature key was issued by WatchGuard.
Issued To: The name, company, and address of the person to whom the feature key was issued.
Issued By: The name, company, and address of the organization that issued the feature key.
Effective Dates: The start and end date of the period for which the feature key is valid.
Max Concurrent Users: The maximum number of users allowed to use the system simultaneously. The number of users currently logged in to the system appears in parentheses.
Max Named Users: The maximum number of named users allowed to use the system. The current number of registered named users appears in parentheses.
Max WatchGuard Authentication Users: The maximum number of named users who can use WatchGuard authentication methods. The current number of registered users who can use WatchGuard authentication methods appears in parentheses. If the wildcard character * is used, the number of named users is unlimited.
Max RADIUS Clients: The maximum number of RADIUS clients allowed. If the wildcard character * is used, the number of RADIUS clients is unlimited.
Max Resources: The maximum number of registered resources. If the wildcard character * is used, the number of resources is unlimited. The current number of registered resources appears in parentheses.
Max Authentication Methods: The maximum number of authentication methods that you can configure.
LiveSecurity Effective Dates: The start and end date of the period for which the LiveSecurity subscription is valid.

For information about how to get a feature key for your device, see Get a feature key on page 5. For information about how to upload the new feature key to the WatchGuard SSL device, see Upload a new feature key on page 66.
Upload a new feature key

A feature key is a file that enables licensed features on your WatchGuard SSL device. When you register your WatchGuard SSL device on the WatchGuard web site, you download a feature key file that enables all the licensed features. If you do not have your feature key, you can use the default feature key, which allows a maximum of one authenticated user. The default feature key is intended for evaluation purposes. The default feature key does not include LiveSecurity, so you cannot update the software or use the Live Update feature. For more information about how to get a feature key for your device, see Get a feature key on page 5.

To upload the feature key file to the WatchGuard SSL device:
1. Select Monitor System > Feature Key. The Feature Key page appears.
2. In the Upload a new feature key section, select Upload a new feature key.
3. Click Browse. Locate and select the feature key file.
4. Click Upload New Feature Key to replace the current feature key.

To use the default feature key:
1. Select Use the default feature key.
2. Click Upload New Feature Key to replace the current feature key with the default feature key.
Live Update

Your WatchGuard SSL device uses an End-Point Security definition file to support the client scans used for assessment access rules. By default, the device automatically updates the engine and definition file. You can check the status of the last update, or change the frequency of updates to the engine and definition file, on the Live Update page. You must have a valid LiveSecurity subscription to get these updates.

Live Update settings are preconfigured to the recommended settings. WatchGuard recommends you do not change these settings unless instructed to do so by WatchGuard Technical Support.

Configure Live Update settings
1. Select Monitor System > Live Update. The Live Update page appears.
2. Check the Live Update status. At the top of the page is a message that shows the status of Live Updates.
3. Configure the Live Update Server URL. This is automatically set to the WatchGuard Live Update server.
4. In the Max Connection Retries field, specify the number of retries for each attempt to connect to the Live Update Server. The default setting is 5 retries.
5. In the Engine Update Interval field, you can specify how often the device checks for engine updates. The default engine update interval is 1 month.
6. In the Definition File Update Interval field, you can specify how often the device checks for updates to the End-Point Security definition file. The default update interval is every 20 minutes.
7. Select an option to update the engine and definition file:
   Select Automatic Update to automatically check for updates to the engine and definition file based on the configured update intervals.
   Select Manual Update to disable automatic updates.
8. Click Save.

Update immediately

To immediately download any available engine and definition file updates from the WatchGuard Live Update server, click Download and Upgrade. You can do this regardless of whether you selected Automatic Update or Manual Update.
Reboot after engine updates After the WatchGuard SSL device downloads an engine update from the WatchGuard Live Update server, you must reboot the WatchGuard SSL device for the new engine update to take effect. If a new engine update has been downloaded with either the automatic or manual process, the status message on the Live Update page notifies you that you must reboot the device for the engine update to take effect. You do not have to reboot the device for definition file updates to take effect. User Guide 67
3 User Management

About User Management

You can use the WatchGuard SSL Web UI to manage user accounts and user groups, and to configure the SSL device to use an External Directory Service. You can import user accounts from an external file, and create or repair a link to a user account in an existing authentication directory. If you use an External Directory Service, you can also enable Self Service, which allows your users to activate an account and find a forgotten password or user name.

1. Select User Management. The User Accounts page appears.
2. Select a left menu item to manage settings for your user accounts.

For more information about these menu items, see the subsequent sections.
User accounts
WatchGuard SSL user accounts are linked to user information already stored in your directory service. An External Directory Service link establishes a connection to your local user information.

Global User Account Settings
Configure default global settings for authentication, timeouts, and user linking, and set up automatic user link repair.

Manage All User Accounts
See all of the current user accounts and user groups. You can also disable or delete an account.

Import User Account
Use this method to create user accounts instead of the Add User Account wizard. To create a number of user accounts simultaneously, you can import a file with user information. The file must be formatted correctly. User accounts are added according to the default settings you configure in the Global User Account Settings section.

Create User Account by Linking
Use this method to create user accounts by linking to an External Directory Service. User accounts are added according to the default settings you configure in the Global User Account Settings section.

User groups
WatchGuard SSL includes three types of user groups:
   User groups in your External Directory Service
   User location groups
   User property groups
The main User Groups page includes a list of all existing user groups. You can add a user group, or search the list to find an existing group.

External Directory Service
The External Directory Service is the external location where user accounts are stored. When you configure the SSL device to use an external directory service, you can use the existing user accounts in the directory service instead of creating new accounts for your users. You specify the computer on which the directory service is installed and define a set of search rules to find users and user groups.

Self Service
If you use an External Directory Service, you can use Self Service to allow your users to get their own user information, such as a forgotten password or user name. You can also allow your users to activate their accounts. When you enable and configure Self Service, you can use the wizard to configure the settings, or you can manually configure the settings. To get information from Self Service, users must answer a series of challenge questions that you specify to verify their credentials.
About user accounts

You can use the WatchGuard SSL Web UI to create user accounts in your Local User Database with one of these methods:
   Add User Account
   User Linking
   User Import
Each of these methods gives you a different level of detail in the account settings. When you edit an account, you can change all account settings, regardless of the method you used to create the user account.

Add User Account
To manually add a user account to the Local User Database, select this method. It gives you the most flexibility in account configuration. For more information, see Manually add a user account on page 72.

User Linking
To create a basic user account based on an existing user in your External Directory Service, select this method. Basic information for the user account is automatically copied from the directory service and is added to the Local User Database. For more information, see Link to a user account on page 75.

User Import
To create multiple user accounts at one time, select this method to import a file with all the information for the user accounts you want to add. For more information, see Import user accounts on page 74.

User Account Search Result List
You can search for, disable, and delete user accounts on the Manage All User Accounts page.
1. Select User Management. The Manage All User Accounts page appears.
2. To search for a user, in the Search by User ID field, type a User ID. You can use the * wildcard character to expand your search results.
3. From the Search by User ID drop-down list, select the search parameters.
4. Click Search.
5. To disable a user account, select the Disabled check box for the user account you want to disable, and click Save. The user can no longer connect to the Application Portal or network resources, but the account is not removed.
6. To delete a user account, select the Delete check box for the user account you want to delete, and click Delete. The user account is removed.
Manually add a user account

You can add user accounts to the Local User Database one at a time. This method gives you the most configuration options when you first create the account.

When you add a user account, you can define custom attributes to add specific details to an account. For example, you can add an attribute that you use when you add the user to a user group.

To add a user account:
1. Select User Management. The User Accounts page appears.
2. From the User Accounts table, select Add User. The Add User Account page appears.
3. Type a User ID for the user.
4. To get user account information from your External Directory Service, click Link User. The User Location in Directory and Display Name fields are populated with information from the External Directory Service account for the user.
5. If necessary, type a new Display Name for the user.
6. To add specific name=value information for the user, click Add Custom Attribute. The Add Custom Attribute page appears.
7. Type the Name and Value information for the attribute. Click Next. The Add User Account page appears. The new attribute appears in the Custom Attributes list.
8. (Optional) You can add more attributes before you continue.
9. Click Next. The Add User Account page appears.
10. Select the check box for the WatchGuard authentication methods you want to enable for the user.
11. (Optional) Type the e-mail address or SMS notification information for the user. Click Next. The SSO Settings page appears.
12. If you want to define Single Sign-On (SSO) domains for this user, select and configure one or more SSO domains.
13. Click Finish Wizard. The new user account is created. The Manage All User Accounts page appears, with the new user account in the User Accounts table.
Import user accounts

You can import user accounts from a file to add many user accounts to your Local User Database at the same time. The file you import must be a text (.txt) file with this information:
   The first row contains the column headings that specify the fields in the import file. Headings do not contain any spaces and are not case-sensitive.
   Each row contains data for only one user.
   If a row does not contain data, or begins with the comment sign, the row is ignored.
For more information about the user import file, see the subsequent section.

To import user accounts:
1. Select User Management. The User Accounts page appears.
2. Click Import User Account. The Manage User Import page appears.
3. From the Separator in File drop-down list, select the type of separator used in the file. The default separator is Comma.
4. Click Browse and select the file.
5. Click Import Users. The file is imported and the user information is added to your Local User Database.

About the User Import File
The file you use to import user accounts must be a text file with information separated by commas, semicolons, or tabs, and must have only one user account per line. To create a user account, the import file must include at least the user ID and display name for each user account.

When you import the file, the following information is automatically created for each user account, if it is not specified in the import file:
   WatchGuard Access Number of Retries
   WatchGuard Authentication Number of Retries
   User Account Effective Dates
For these settings, the default value is set to the value specified in the Global User Account Settings. The authentication methods you enable on the Global User Account Settings page are not applied to the user accounts you add when you import them in a file.
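Checking an import file against the rules above before uploading it avoids partial imports; the following validator is an added example, not WatchGuard code, and the heading names UserID and DisplayName, the '#' comment sign, and the duplicate-ID check are assumptions the guide does not state.

```python
"""Parser and validator for a user import file in the format the guide describes.

Added example, not WatchGuard's own code. It models the documented rules:
a text file with one user per row, a first row of column headings with no
spaces (compared case-insensitively), fields separated by a comma, semicolon
or tab, blank rows and comment rows ignored, and at least a user ID and a
display name for every account. The heading names "UserID"/"DisplayName" and
the '#' comment sign are assumptions; the guide does not spell them out.
"""
from dataclasses import dataclass, field

SEPARATORS = {"comma": ",", "semicolon": ";", "tab": "\t"}
REQUIRED = ("userid", "displayname")   # assumed heading names, lower-cased for comparison
COMMENT_SIGN = "#"                      # assumed; the guide only says "the comment sign"


@dataclass
class ImportResult:
    users: list = field(default_factory=list)   # one dict per accepted row, keyed by heading
    errors: list = field(default_factory=list)  # (line number, message) for rejected rows


def parse_import_file(text: str, separator: str = "comma") -> ImportResult:
    """Validate the import file and return the accepted users plus per-line errors."""
    sep = SEPARATORS[separator]
    result = ImportResult()
    headings = None
    seen_ids = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Rows with no data, or that begin with the comment sign, are ignored.
        if not raw.strip() or raw.lstrip().startswith(COMMENT_SIGN):
            continue
        fields = [f.strip() for f in raw.split(sep)]
        if headings is None:
            # The first data row carries the column headings (case-insensitive, no spaces).
            headings = [h.lower() for h in fields]
            bad = [h for h in headings if not h or " " in h]
            if bad:
                result.errors.append((lineno, f"headings must not be empty or contain spaces: {bad}"))
            missing = [r for r in REQUIRED if r not in headings]
            if missing:
                result.errors.append((lineno, f"missing required heading(s): {missing}"))
            if bad or missing:
                return result   # no row below can be mapped reliably
            continue
        if len(fields) != len(headings):
            result.errors.append((lineno, f"expected {len(headings)} fields, got {len(fields)}"))
            continue
        user = dict(zip(headings, fields))
        empty = [r for r in REQUIRED if not user[r]]
        if empty:
            result.errors.append((lineno, f"empty required field(s): {empty}"))
            continue
        uid = user["userid"].lower()
        if uid in seen_ids:
            # Added check: a repeated user ID is rejected here; the guide does not say
            # how the device itself treats duplicates.
            result.errors.append((lineno, f"duplicate user ID: {user['userid']}"))
            continue
        seen_ids.add(uid)
        result.users.append(user)
    if headings is None:
        result.errors.append((0, "file contains no heading row"))
    return result


# Constructed sample input (not from the guide): comma-separated, one user per row.
SAMPLE_IMPORT = """# constructed sample import file
UserID,DisplayName,Email
jdoe,Jane Doe,jdoe@example.com

# the next row has no display name and is rejected
bsmith,,bsmith@example.com
jdoe,Duplicate Doe,dup@example.com
"""

if __name__ == "__main__":
    r = parse_import_file(SAMPLE_IMPORT)
    print("accepted:", [u["userid"] for u in r.users])
    for lineno, msg in r.errors:
        print(f"line {lineno}: {msg}")
```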
Link to a user account

You can link to an existing user account in your External Directory Service to create a basic user account in your Local User Database. Linked user accounts are added according to your default settings on the Manage Global User Account Settings page.

To link to a user account:
1. Select User Management. The User Accounts page appears.
2. Click Create User Account by Linking. The Manage User Linking page appears.
3. Type the User ID for the user you want to add.
4. Select a Notification method and Message Set for the user.
5. Click Link User. The user account is added to your Local User Database and appears in the Manage All User Accounts table.

Repair a linked user account
If a user account is moved in the External Directory Service, the link is broken between the Local User Database and the External Directory Service. You can use the Link Repair wizard to repair or delete the broken account.

To repair a link for a user account:
1. Select User Management. The User Accounts page appears.
2. Click Repair Linked User Account. The User Link Repair page appears.
3. Click Start User Link Repair Wizard. The Overview page appears, with information about the first broken link.
4. Select an action.
5. Click Next. The user link is repaired.
Edit user accounts

You can edit or delete information and settings for each user account, regardless of which method you used to add the account.

To edit a user account:
1. Select User Management. The User Accounts page appears.
2. In the User Accounts table, click the User ID for the account you want to edit. The Edit User Account page appears for the user you selected.
3. Select a tab and edit the information and settings for the user as necessary.
4. Click Save. The user account is updated with the changes and the Manage All User Accounts page appears.

To delete a user account:
1. Select User Management. The User Accounts page appears.
2. In the User Accounts table, click the User ID for the account you want to delete. The Edit User Account page appears for the user you selected.
3. Click Delete. The Delete User Account page appears.
4. Click Yes to delete the account. The user account is deleted and the Manage All User Accounts page appears.

Manage Global User Account Settings

The Global User Account Settings are the default settings that apply to all user accounts. These settings are divided into three sections:

General Settings
Includes default settings for user account access, WatchGuard authentication, and timeouts.

User Linking
Includes options to enable WatchGuard Authentication methods for user accounts created by a linking method, and to set notification methods.

Auto Repair
Includes the option to enable the system to automatically repair user links.

To configure default user account settings:
1. Select User Management. The User Accounts page appears.
2. Click Global User Account Settings. The Manage Global User Account Settings page appears.
3. Configure the default settings on each tab as necessary. For more information about the settings on each tab, see the subsequent sections.
4. When you have completed the settings, click Save.
General Settings

Default Account Settings

Max Logon Retries
Set the maximum number of times users can try to log on with invalid credentials before the account is disabled. When set to 0, the user account is never disabled.

Account Expires In
Set the number of days the user account is active. When set to 0, the user account never expires.

Default Account Settings for WatchGuard Authentication

Max Logon Retries
Set the maximum number of times users can try to log on with invalid credentials for WatchGuard Authentication methods before the account is disabled. When set to 0, the user account is never disabled.

Account Settings for WatchGuard Authentication

Use groups
Select this option if you want to use group names when you manage user accounts. Group information is sent to the RADIUS client. The RADIUS client can then be configured to use this attribute for authorization.

Use framed IP address
Select this option to send the configured framed IP address to the system when a user authenticates.

Time Lock Timeout
Set the number of minutes before users can try to log on again after an account is disabled when the Time Lock Interval settings are reached.

Time Lock Interval
Set the number of times a user can try to log on with invalid credentials before the account is disabled.

Change Password/PIN Notification
Set the number of days before users are notified to change their passwords/PINs.

Timeout Settings
Configure timeout settings for inactivity, sessions, warnings, and active users.

Search Limit Settings
Configure the maximum number of results to include and display in search results.

User Linking

Select an option to enable WatchGuard Authentication methods when you manually or automatically create a user account by linking.

Notification
Select whether to send user notification messages by e-mail or SMS.

Authentication Methods Settings
Select the authentication methods you want to automatically enable for linked user accounts.

Repair User Links

Select Automatically repair user links to automatically repair broken user account links when users authenticate.
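The Max Logon Retries, Time Lock Interval and Time Lock Timeout settings above interact, and the guide does not spell out how; the model below is an added example (not WatchGuard code) that lets an administrator reason about a candidate policy before saving it, under the stated assumptions that both counters track consecutive failures, a successful logon resets them, and attempts during a lock are rejected without being counted.

```python
"""Model of the account lockout settings described under General Settings.

Added example, not WatchGuard code. It simulates how the documented settings
combine: Max Logon Retries (invalid attempts before the account is disabled;
0 means never), Time Lock Interval (invalid attempts before a temporary lock)
and Time Lock Timeout (minutes the lock lasts). The guide does not say how the
two counters interact, so this model assumes both count consecutive failures,
a successful logon resets them, and attempts made during a lock are rejected
without being counted. Times are minutes on a simple monotonic clock.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    max_logon_retries: int      # 0 = the account is never disabled (as the guide states)
    time_lock_interval: int     # 0 = no temporary lock (assumption)
    time_lock_timeout_min: int  # minutes a temporary lock lasts


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[int] = None
    disabled: bool = False


class LogonGuard:
    """Tracks per-account consecutive failures and applies the policy."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def check(self, user: str, now: int) -> str:
        """Return 'ok', 'locked' or 'disabled' without recording an attempt."""
        st = self._state(user)
        if st.disabled:
            return "disabled"
        if st.locked_until is not None and now < st.locked_until:
            return "locked"
        return "ok"

    def attempt(self, user: str, credentials_valid: bool, now: int) -> str:
        """Record one logon attempt and return the resulting status."""
        status = self.check(user, now)
        if status != "ok":
            return status            # rejected while locked or disabled; not counted
        st = self._state(user)
        if credentials_valid:
            st.failures = 0          # a good logon clears the consecutive-failure count
            st.locked_until = None
            return "success"
        st.failures += 1
        p = self.policy
        if p.max_logon_retries and st.failures >= p.max_logon_retries:
            st.disabled = True       # stays disabled until an administrator re-enables it
            return "disabled"
        if p.time_lock_interval and st.failures % p.time_lock_interval == 0:
            st.locked_until = now + p.time_lock_timeout_min
            return "locked"
        return "failed"


if __name__ == "__main__":
    guard = LogonGuard(LockoutPolicy(max_logon_retries=5, time_lock_interval=3, time_lock_timeout_min=15))
    for minute in range(6):
        print(minute, guard.attempt("alice", False, minute))
```

With Max Logon Retries set to 0 the model confirms what the guide says: the account is never disabled, so only the time lock slows repeated invalid attempts.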
About user groups

When you add your users to user groups, you can control the resources the users can select, or the actions users must take before they can select a resource.

User location groups
Select a user location group for all users in a specified location in the Local User Database. For example: ou=administrators,dc=watchguard,dc=com
When you add a user to a user location group, authentication performance increases because no other authentication checks are performed. This can decrease flexibility for authentication.

About user property groups
Select a user property group for user accounts with similar properties, such as job function. WatchGuard SSL manages these properties as attributes that contain a source, name, and value. Available attribute sources are: External directory service, Custom-defined, and RADIUS session. The attribute value you select must match the attribute name returned from the specified source type. When you select Custom-defined, you can use the user attributes specified on the General Settings page for user accounts. You can define user property groups to help increase the performance of your WatchGuard SSL device.

About user location groups
User location groups contain all users who belong to a certain user group that is defined in your External Directory Service. You can use this group type to integrate your existing local user groups. The advantage of this approach is high flexibility with low administration; however, this can decrease performance. This type cannot be added or modified.

Add a user group
You can add a user location or user property group to categorize your user accounts.

To add a user group:
1. Select User Management. The User Accounts page appears.
2. Select User Groups in the left navigation menu. The Manage User Groups page appears.
3. Click Add User Group. The Add User Group page appears.
4. Select a user group type. Click Next.
5. Configure the settings for the user group.
6. To see all user accounts that match the settings you selected, click View Users.
7. Click Finish Wizard.

Search, edit, or delete user groups
You can search the user group list to filter the groups you see in the list. You can also edit or delete the user groups you created. Default system user groups cannot be edited or deleted; you can only see information about the user group.

Search the user group list
1. Select User Management. The User Accounts page appears.
2. Select User Groups in the left navigation menu. The Manage User Groups page appears.
3. Type the value you want to search on in the Search Display Name field. To expand your search, you can use the * wildcard character.
4. Select the type of user group to search for in the drop-down list.
5. Click Search. The user groups that match your search parameters appear.

Edit user group information
1. Select User Management. The User Accounts page appears.
2. Select User Groups in the left navigation menu. The Manage User Groups page appears.
3. Click the Display Name for the user group you want to edit. The Edit User Group page appears.
4. Change the settings for the user group.
5. Click Save.

Delete a user group
1. Select User Management. The User Accounts page appears.
2. Select User Groups in the left navigation menu. The Manage User Groups page appears.
3. Click the Display Name for the user group you want to delete. The Edit User Group page appears.
4. Click Delete. The Delete User Group page appears.
5. Click Yes. The user group is deleted.
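A user location group is defined by a directory location such as ou=administrators,dc=watchguard,dc=com, and deciding whether a given user account falls inside it is a distinguished-name comparison, not a plain string suffix test; the code below is an added example (not WatchGuard code) that normalises case, spacing and escaped commas before matching the trailing RDN components, and treats any entry below the location's subtree as a match.

```python
"""Match a user's directory location against a user location group such as
ou=administrators,dc=watchguard,dc=com (the example the guide gives).

Added example, not WatchGuard code. It compares LDAP distinguished names
component by component after normalising them (attribute types and the
ou/dc/cn values lower-cased, whitespace around separators removed, backslash-
escaped commas kept inside a value), so that a user anywhere in the group's
subtree matches while differences in case or spacing do not cause a mismatch.
"""
from typing import List


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings on commas that are not backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair as part of the value
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def normalize_rdn(rdn: str) -> str:
    """Lower-case the attribute type and value and trim surrounding whitespace."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def normalize_dn(dn: str) -> List[str]:
    return [normalize_rdn(r) for r in split_dn(dn)]


def in_location(user_dn: str, location_dn: str) -> bool:
    """True when user_dn lies strictly below location_dn in the directory tree."""
    user, loc = normalize_dn(user_dn), normalize_dn(location_dn)
    return len(user) > len(loc) and user[-len(loc):] == loc


if __name__ == "__main__":
    location = "ou=administrators,dc=watchguard,dc=com"
    for dn in ("cn=Jane Doe,ou=Administrators,DC=WatchGuard,DC=com",
               "cn=bob,ou=users,dc=watchguard,dc=com"):
        print(dn, "->", in_location(dn, location))
```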
About the External Directory Service

The External Directory Service is the external location where you can store user account information, for example, an Active Directory or LDAP server. You can select one or more directory service locations of different brands and types. When you link the user accounts in your Local User Database to the External Directory Service, you can reuse the existing information for your user accounts. Linked user accounts have references to existing users and user groups that you can use for user authentication.

You must specify the host for the External Directory Service and define the search rules the system uses to find users and user groups. You can then link the accounts on your External Directory Service to the Local User Database.

About search rules
Your Local User Database uses search rules to match users and user groups. When you configure search rules, make sure you define them based on the directory structure of your organization and the user objects you want to use in your rules.

About directory mapping
Directory mapping enables you to use specified attributes to get the existing information from your External Directory Service so you can reuse this information in your Local User Database. For example, you can get passwords or e-mail addresses so you do not have to specify them in the WatchGuard SSL Web UI when you create or link user accounts.

Add an External Directory Service location
When you add an External Directory Service location, you can link your Local User Database user accounts to your existing directory service. This enables you to reuse existing user account information and simplify user account creation.

To add an External Directory Service location:
1. Select User Management. The User Accounts page appears.
2. Select External Directory Service. The Manage External Directory Service page appears.
3. Click Add External Directory Service Location. The Add External Directory Service Location page appears.
4. Select the type of directory service. Click Next. The Add External Directory Service Location page appears.
5. Configure the settings for this External Directory Service location. Click Next. The Add External Directory Service Location page appears.
6. To add search rules for your users, click Add User Search Rule. Configure the search rule. Click Next. The External Directory Service Location Search Rules page appears.
7. To add search rules for your user groups, click Add User Group Search Rule. Configure the search rule. Click Next. The External Directory Service Location Search Rules page appears.
8. To verify that the connection to your External Directory Service is active, click Test Connection.
9. Click Finish Wizard. The directory service is added and appears in the Registered External Directory Service Location list.

Edit an External Directory Service Location
You can edit an existing External Directory Service configuration to change the general and search rules settings, and to configure directory mapping settings. You can also delete an existing External Directory Service Location.

To edit an External Directory Service location:
1. Select User Management. The User Accounts page appears.
2. Select External Directory Service. The Manage External Directory Service page appears.
3. In the Registered External Directory Service Location list, click the Display Name of the directory service you want to change. The Edit Directory Service Location page appears.
4. Select a tab and edit the information and settings for the directory service as necessary.
5. Click Save.

To configure Directory Mapping settings:
1. Select User Management. The User Accounts page appears.
2. Select External Directory Service. The Manage External Directory Service page appears.
3. Click the Display Name of the directory service to which you want to add Directory Mapping attributes. The Edit Directory Service Location page appears.
4. Select the Directory Mapping tab.
5. Specify the attributes you want to use to get existing user account information from your External Directory Service.
6. Click Save.

To delete an External Directory Service location:
1. Select User Management. The User Accounts page appears.
2. Select External Directory Service. The Manage External Directory Service page appears.
3. In the Registered External Directory Service Location list, click the Display Name of the directory service you want to delete. The Edit Directory Service Location page appears.
4. Click Delete. The Delete External Directory Service Location page appears.
5. Click Yes to delete the location. The External Directory Service Location is deleted and the Manage External Directory Service page appears.

About Self Service

You can use Self Service to allow your users to get their own user information, such as a forgotten password or user name. You can also allow your users to activate their accounts. To get information from Self Service, users must answer a series of questions to verify their credentials before they get their information.

You must have an External Directory Service configured to use Self Service. You cannot use Self Service if you have only a Local User Database.

Before you can use Self Service, you must enable and configure it. You can use the wizard to enable it and configure the settings, or you can manually enable it and configure the settings. You can also disable Self Service. If you enable and then disable Self Service, you do not have to use the wizard to enable Self Service again.

Use the wizard to enable Self Service
You can use the WatchGuard SSL Self Service wizard to enable Self Service and configure the basic settings for you. This wizard is only available the first time you enable Self Service.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Yes - help me with the settings. The Manage Self Service page appears. Self Service is enabled by the system and partially configured.
3. To change the settings for Self Service, click Self Service Settings. The Manage Self Service Settings page appears. For more information, see Manage Self Service Settings on page .
4. To complete the configuration, click the Modify System Challenges link and add or edit a System Challenge. The Manage System Challenges page appears. For more information, see Modify System Challenges on page .
5. Click Save.
Manually enable and configure Self Service
You can choose to enable Self Service and configure the basic settings manually.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click No - I will do the configuration myself. The Manage Self Service page appears. The Self Service Enabled check box is selected, but settings are not configured.
3. To configure the settings for Self Service, click Self Service Settings. The Manage Self Service Settings page appears. For more information, see Manage Self Service Settings on page .
4. To complete the configuration, click the Modify System Challenges link and add or edit a System Challenge. The Manage System Challenges page appears. For more information, see Modify System Challenges on page .
5. Click Save.

Disable and restore Self Service
You can choose to disable Self Service after it is enabled and configured. When you disable Self Service, all your configuration settings are saved, so you can enable it again later.

To disable Self Service:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Clear the Self Service Enabled check box. Self Service is disabled and all your configuration settings are saved.

To restore Self Service:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Select the Self Service Enabled check box. Self Service is enabled and all your configuration settings are restored.

Manage Self Service Settings

You can configure the settings for Self Service that allow your users to activate their accounts and get their user names or passwords if they lose them. You can add one or more challenges to each type of setting. When you add more than one challenge to a setting, the challenges are applied in the order you specify.

Self Service Settings types include:

Auto Activation Settings
Enable users to automatically activate their accounts.

Forgotten Password Settings
Enable users to find their forgotten passwords. You can choose to send a message to a secondary channel when the password is sent to the user.

Forgotten User Name Settings
Enable users to find their forgotten user names. You can configure the message that is sent to the user.

Advanced Settings
Set the amount of time users must wait between Self Service requests.

Before you can edit the setting type, you must have at least one system challenge. If there is not an available challenge, you can add one. For more information, see Modify System Challenges on page 91.
Add or delete a challenge

To add a challenge:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Self Service Settings. The Manage Self Service Settings page appears.
3. Click the Add link for the setting you want to modify. For example, Add Auto Activate Challenge.
4. Select a System Challenge from the drop-down list.
5. Click Add Challenge. The challenge appears in the Registered Challenges list.
6. Click Up or Down to change the order that each challenge is applied.
7. Click Save.

To delete a challenge:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Self Service Settings. The Manage Self Service Settings page appears.
3. In the Registered Challenges list for the setting you want to change, click Remove for the challenge you want to delete.
4. Click Yes to delete the challenge.
5. Click Save.

Configure Advanced Settings
You can set the amount of time users must wait after they have submitted one Self Service request before they can submit another request.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Self Service Settings. The Manage Self Service Settings page appears.
3. Find the Advanced Settings section.
4. In the Minimum time between requests field, type the number of hours users must wait between Self Service requests.
5. Click Save.
Modify System Challenges

System Challenges are used to confirm the identities of your users when they use Self Service. When users connect to Self Service, before they can get their account information, they must correctly answer a set of challenge questions that you select. You can add, edit, or delete System Challenges.

Add a System Challenge
To add a System Challenge:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Modify System Challenges. The Manage System Challenges page appears.
3. Click Add System Challenge. The Add System Challenge page appears.
4. Type the Display Name, Challenge Question, and Attribute Name. You can use the * wildcard character.
5. Click Finish Wizard. The system challenge appears in the Registered System Challenges list.

Edit a System Challenge
You can edit any of the fields for the System Challenges you add. For the default System Challenges, you can only edit the Display Name and Challenge Question fields.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Modify System Challenges. The Manage System Challenges page appears.
3. In the Registered System Challenges list, click the challenge you want to change. The Edit System Challenge page appears.
4. Update the settings for the system challenge.
5. Click Save.

Delete a System Challenge
You can only delete System Challenges that you add. You cannot delete the default System Challenges.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Modify System Challenges. The Manage System Challenges page appears.
3. In the Registered System Challenges list, click the challenge you want to delete. The Edit System Challenge page appears.
4. Click Delete.
5. Click Yes to delete the challenge.
6. Click Save.
Chapter 4 Resource Access

About Resource Access
The WatchGuard SSL Application Portal enables you to give your users secure access to your network resources. You can create Application Portal items for access to applications, folders and files, and URLs as web or tunnel resources. Create a web resource to give your users access to an online application. Create a tunnel resource to give your users access to a client-server application.
To protect your resources, you configure access rules, authorization settings, and encryption levels to create seamless, secure access control. Users get access to resources through the WatchGuard SSL Application Portal.
You can collect resources that share logon credentials in Single Sign-On (SSO) domains. This allows users to submit their credentials once to get access to several resources. For added security, you can add access rules for your SSO settings.
Access rules are also used to enforce the End-Point Security feature Abolishment, which deletes Internet Explorer session files, the client cache, and the browser history when the user session ends.

Resources
You can add and manage standard resources, tunnel resource hosts, tunnel resource networks, tunnel sets, web resource hosts, and the global settings for tunnels that enable your users to use your network resources. For more information, see About Resources on page 94.

Client firewall
You can configure client firewall configurations to control traffic to and from the WatchGuard SSL Access Client. For more information, see About client firewalls on page 128 and About the Access Client on page 227.

Access rules
Access rules are detailed requirements that users must meet to connect to resources. Available access rules include authentication methods, user group membership, date period, client IP address, client assessment, and client device. You can specify general access rules available for all resources or SSO domains, access rules that apply to individual resources, and global access rules that apply to all resources and SSO domains. For more information, see About access rules on page 134.
Application Portal
The Application Portal is the WatchGuard SSL web portal that your users can log on to and use to connect to your corporate applications and resources from remote locations. In the Application Portal, the applications and resources appear as icons with link text and are called Application Portal items. For more information, see About the Application Portal on page 139.

SSO domains
WatchGuard SSL SSO domains are configured to enable SSO for resources with the same user credentials. The SSO domain specifies how SSO is used for the resources included in the domain. When user credentials are modified, the changes are automatically applied to all resources in the SSO domain. For more information, see About SSO domains on page 142.

About Resources
You can add, edit, and delete standard resources, tunnel resource hosts, tunnel resource networks, tunnel sets, web resource hosts, and the global settings for tunnels that enable your users to use your network resources. You can add restrictions to allow only specified users to see certain resources in the Application Portal.
For more information about resources, see:
Manage Standard Resources on page 94
Manage Tunnel Resource Hosts on page 99
Manage Tunnel Sets on page 103
Manage Global Tunnel Set Settings on page 110
Manage Tunnel Resource Networks on page 112
Manage Web Resource Hosts on page 114
Manage Global Resource Settings on page 120

Manage Standard Resources
You can add, edit, or delete Standard Resources for commonly used applications in your configuration. These resources are partially configured so you can set them up quickly. When you add a standard resource, you use the wizard to configure and create the resource in the Application Portal. When you edit a standard resource after you add it, you use the configuration pages to make any changes.
Standard resources are available for these applications:
Mail Resources
IMAP/SMTP
POP3/SMTP
Microsoft Outlook Web Access 2003
Microsoft Outlook Web Access 2007
Microsoft Outlook Client 2003/2007
WatchGuard Resources
Secure Remote Access to the Web UI
Portal Resources
Citrix MetaFrame Presentation Server
Microsoft SharePoint Portal Server 2003
Microsoft SharePoint Portal Server 2007
Remote Control Resources
Microsoft Terminal Server 2003
Microsoft Terminal Server 2008
File Sharing Resources
Microsoft Windows File Share
Access to Home Directory

Add a Standard Resource
1. Select Resource Access. The Resources page appears.
2. Click Add Standard Resource. The Add Standard Resource page appears.
3. In the Standard Resources list, expand the group for the resource you want to add.
4. Click the standard resource. Information about the standard resource appears in the right column.
5. Click Add this Standard Resource. The Add Standard Resource page appears.
6. Type a Display Name and (optional) a Description.
7. Configure the Special Settings.
8. Configure the Application Portal Settings.
9. Click Next. The Manage Access Rules page appears.
10. Configure the access rules for this resource. For more information about Access Rules, see About access rules on page 134.
11. Click Next. The Add Standard Resource Summary page appears.
12. Click Finish Wizard.
Edit a Standard Resource
1. Select Resource Access. The Resources page appears.
2. Select the resource you want to edit. Different buttons appear for the type of resource you selected.
3. Click the Edit option for the resource you selected.
4. Update the standard resource settings.
5. Click Save.

Delete a Standard Resource
1. Select Resource Access. The Resources page appears.
2. Select the resource you want to delete. Different buttons appear for the type of resource you selected.
3. Click the Edit option for the resource you selected.
4. Click Delete.
5. Click Yes. The standard resource is removed from the Resources list.
Manage Tunnel Resource Hosts
You can add, edit, or delete tunnel resource hosts for client-server applications that are not web-enabled, such as Remote Desktop. Tunnels route TCP/UDP traffic between the client and the server over a protected SSL connection. An active tunnel is not part of the HTTP communication, even if the tunnel was initiated by an HTTP request. The tunnel closes when both ends of the connection are closed.
To add a tunnel resource to the Application Portal, you configure a tunnel set with static and/or dynamic tunnels for the resource. You can set security levels with access rules for specific client applications and servers.
If you add a tunnel resource with web-based authentication, the WatchGuard SSL Access Client is not used. Instead, users must authenticate to the Application Portal with the WatchGuard SSL Web authentication method.

Add a Tunnel Resource Host
1. Select Resource Access. The Resources page appears.
2. Click Add Tunnel Resource Host. The Add Tunnel Resource Host page appears.
3. Type a Display Name and (optional) a Description.
4. Type the Host address.
5. Type the TCP Port and/or UDP Port.
6. To add another host address, click Add Alternative Host. Click Add.
7. To use SSO with this tunnel, select an SSO check box and domain.
8. Click Next. The Add Tunnel Resource Host page appears.
9. Configure the access rules for this resource. For more information, see About access rules on page 134.
10. Click Next. The Add Tunnel Resource Host Summary page appears.
11. To configure Access Settings or Authorization Settings for this resource, click Advanced Settings. For more information, see Tunnel Resource Hosts Advanced Settings on page 102.
12. Click Next. The Add Tunnel Resource Host Summary page appears.
13. Click Finish Wizard.

Edit a Tunnel Resource Host
1. Select Resource Access. The Resources page appears.
2. Select the Resource Name for the resource you want to edit.
3. Click Edit Resource Host.
4. Update the tunnel resource host settings.
5. Click Save.

Delete a Tunnel Resource Host
1. Select Resource Access. The Resources page appears.
2. Select the Resource Name for the resource you want to delete.
3. Click Edit Resource Host.
4. Click Delete.
5. Click Yes. The Tunnel Resource Host is removed from the Resources list.

Tunnel Resource Hosts Advanced Settings
You can configure the Advanced Settings for this Tunnel Resource Host to set the access and authorization settings.
Access Settings
Connect via proxy
Select this check box to use a proxy server to connect to this resource.
Authorization Settings
Use these settings to specify how users can connect to this resource.
Automatic Access
Select this check box to enable users to automatically access this resource. When Automatic Access is enabled, user session timeouts are not affected.
Max Inactivity Time
Select this check box and specify the number of minutes a user session can be inactive before the user session times out.
Absolute Timeout
Select this check box and specify the maximum number of minutes a user can be connected before the user session times out.
The Session Time-Out setting (on the Global User Account Settings page) controls the validity time for a session.

Manage Tunnel Sets
Tunnel Sets can include one or more tunnel resources, with one or more static and/or dynamic tunnels for each resource in the set. You can add these tunnel sets to your Application Portal for each tunnel resource that you configure. Your users can click an icon in the Application Portal and use the WatchGuard SSL Access Client to connect to the tunnel resources in that tunnel set.
The Access Client is available in two application formats: Win32 (ActiveX Web loader) or Java (Java Applet Web loader). You must have administrator privileges on the client the first time you use the ActiveX loader. If your configuration includes local lookups and DNS forwarding, the on-demand Access Client requires administrator privileges on the client each time they are used. Administrator privileges are not required for local lookups if the Access Client is installed on the client rather than loaded on demand.
Advanced settings for the tunnel set include mapped drives, client configuration, and local lookups. The local lookups define the host addresses that resolve on the client if no external DNS record is found. Local lookups are checked before any external DNS, so the external DNS can be overridden.
Static tunnels
Static tunnels are configured to tunnel resources on the local interface with a single port, and can be used on all platforms.
Dynamic tunnels
Dynamic tunnels are configured to tunnel resources with any IP address on one or a range of ports, and can only be used on Windows platforms.
Access rules
The tunnel resources you collect in a tunnel set are protected by access rules. You can also apply access rules to the tunnel set itself, to control how and when users can get access to the tunnel set.
You can include the same tunnel resource in several tunnel sets. This enables you to associate tunnel sets with different levels of access control, for example for different user groups. Access control of a specific tunnel resource is always done using the access rules configured for that tunnel resource. The only use of access rules on a tunnel set is to make the associated icon in the Application Portal subject to access control as well.
Access client
When a user clicks an icon for a tunnel set in the Application Portal, the Access Client loads the tunnel with either an ActiveX Web loader or a Java Applet loader.
Add a Tunnel Set
1. Select Resource Access. The Resources page appears.
2. Click Add Tunnel Set. The Add Tunnel Set page appears.
3. Type a Display Name.
4. Select the Icon and Link Text to appear in the Application Portal.
5. Click Next. The Add Tunnel Set page appears.
6. To add a tunnel, click Add Static Tunnel or Add Dynamic Tunnel.
7. Configure the settings for the tunnel. Click Next. The tunnel appears in the Static Tunnels or Dynamic Tunnels list.
8. Click Next. The Manage Startup Settings page appears.
9. (Optional) Configure Startup Command and Redirect URL settings.
10. Click Next.
11. Configure the access rules for this resource. For more information about Access Rules, see About access rules on page 134.
12. Click Next. The Add Tunnel Set Summary page appears.
13. To configure settings for lookups, drives, or clients, click Advanced Settings. The Advanced Settings page appears.
14. Configure any advanced settings. Click Next.
15. Click Finish Wizard.

Edit a Tunnel Set
1. Select Resource Access. The Resources page appears.
2. Select the tunnel set you want to edit.
3. Click Edit Tunnel Set.
4. Update the settings for the tunnel set.
5. Click Save.

Delete a Tunnel Set
1. Select Resource Access. The Resources page appears.
2. Select the tunnel set you want to delete.
3. Click Edit Tunnel Set.
4. Click Delete.
5. Click Yes. The Tunnel Set is removed from the Resources list.

Tunnel Set Advanced Settings
You can configure the settings for local lookups, mapped drives, clients, DNS and WINS forwarding, and Internet firewall configurations. For instructions to configure these settings for the Tunnel Set, see Manage Tunnel Sets on page 103.
Local Lookups
You can add local lookups to define the host addresses to resolve on the client if no external DNS record is found. Local lookups and DNS forwarding require the user to always have administrator rights on the client. If your users install the Access Client rather than use the on-demand Access Client, they do not have to have administrator rights.
To specify lookups, you add a fully qualified domain name, or a domain name with the * wildcard character, and an IP address. If the tunnel is dynamic, use the virtual IP address for the dynamic tunnel. If the tunnel is static, use
Domain Name
A fully qualified domain name. You can also use the * wildcard character with a partial domain name. For example, mailserver.*.
IP Address
The domain name is translated to the IP address you specify.
Mapped Drives
You can add mapped drives to the Tunnel Set to map your network resources (printers or drives) to drive letters on the client. When you add a mapped drive, you specify the path to a mapped network resource. You can also specify a drive letter for the drive or printer to which the resource host is mapped. If the drive letter you select is already in use, the next available drive letter is used. You can specify a drive letter here and combine it with a Startup Command that you defined. You can also use cached credentials.
Supported path variables include:
[$ehost] The WatchGuard SSL device server name and port number.
[$eprot] The HTTP or HTTPS protocol.
[$uid] The external user name.
[$iuid] The internal user name, usually [$uid].
To add a Tunnel Set Mapped Drive, configure these General Settings:
Network Resource
The path to the mapped network resource. For example, \\ \[$uid].
Drive Letter
The drive letter to which the resource host is mapped. For example, M:. This can be a drive or a printer.
Use cached credentials
Select this option to automatically use cached credentials (Windows domain credentials) to map a drive. This option is selected by default.
Access Client Loader
Specify the client loader method you want to use for the Access Client. Loader options include:
ActiveX / Java Applet The system tries the ActiveX loader first. If it does not work, the Java Applet is used.
ActiveX The system only uses the ActiveX loader.
Java Applet The system only uses the Java Applet loader.
If you select an option that includes the Java Applet, you can also run the client in Java rather than as the Java Applet.
Run VPN client in Java
Select this check box to use Java, not the Java Applet.
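The local lookup behaviour described under Local Lookups above (entries are consulted before external DNS, and a wildcard such as mailserver.* matches a whole family of names) as an added example. This is not WatchGuard code: the lookup entries and the stand-in external DNS table are constructed, a real client would fall back to the operating system resolver, and the assumption that * matches any run of characters follows the mailserver.* example. The validation step goes beyond the text: because local lookups win, an over-broad pattern silently pulls every matching name into the tunnel, which is worth catching before the tunnel set is saved.

```python
"""Local lookups as the Access Client applies them, plus a sanity check.

Added example, not WatchGuard code. Entries and the external DNS table
below are constructed; the '*' wildcard is assumed to match any run of
characters, as in the mailserver.* example in the guide.
"""
import ipaddress
from fnmatch import fnmatchcase


def normalize(name):
    """Lower-case and strip a trailing dot so comparisons are consistent."""
    return name.rstrip(".").lower()


def validate_lookups(lookups):
    """Return a list of problems with a local lookup table.

    Local lookups are checked before external DNS, so a pattern such as
    '*' or '*.com' redirects every matching name into the tunnel. Each
    entry must map to an IP address (the virtual IP of a dynamic tunnel,
    or the address a static tunnel listens on).
    """
    problems = []
    for pattern, ip in lookups:
        labels = normalize(pattern).split(".")
        if all(label in ("", "*") for label in labels):
            problems.append(f"{pattern}: matches every name")
        elif labels[0] == "*" and len(labels) == 2:
            problems.append(f"{pattern}: matches an entire top-level domain")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{pattern}: {ip!r} is not an IP address")
    return problems


def resolve(name, lookups, external_dns):
    """Resolve one host name: local lookups first, then external DNS.

    Returns (ip, source) so the caller can log which table answered; that
    is the quickest way to spot a lookup entry shadowing a public name.
    """
    n = normalize(name)
    for pattern, ip in lookups:            # first matching entry wins
        if fnmatchcase(n, normalize(pattern)):
            return ip, "local-lookup"
    if n in external_dns:
        return external_dns[n], "external-dns"
    return None, "unresolved"


if __name__ == "__main__":
    lookups = [("mailserver.*", "10.8.0.5"), ("intranet.corp.example", "10.8.0.20")]
    dns = {"mailserver.corp.example": "203.0.113.7", "www.example.com": "93.184.216.34"}
    for host in ("mailserver.corp.example", "www.example.com", "nothing.invalid"):
        print(host, "->", resolve(host, lookups, dns))
    print(validate_lookups([("*", "10.8.0.1"), ("*.com", "10.8.0.2"), ("a.b", "bad")]))
```

Note that mailserver.* also overrides the public record for mailserver.corp.example in the constructed table; that is the intended use, but the same precedence means a typo in a pattern can redirect traffic the user expected to reach the Internet.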
Additional Client Configuration
You can configure your clients to run shutdown commands that automate actions on the client, for example to close a mapped drive or shut down a Tunnel Set for a user. You can configure these options:
Shutdown Command
Define the commands you want to run automatically when this tunnel is shut down. You can define more than one command for each Tunnel Set. Some commands require users to confirm or deny the action before the command runs. These default trusted commands run automatically:
outlook
explorer
explorer /e
explorer /e, A: to Z:
Supported command variables include:
[$ehost] The WatchGuard SSL device server name and the port number
[$eprot] HTTP or HTTPS
[$uid] External user name
[$iuid] Internal user name, usually [$uid]
Error Codes to Suppress
You can configure a list of specific error codes to suppress pop-up messages. Type the error codes as a comma-separated list of 7-digit error codes.
Fallback Tunnel Set
Select the fallback tunnel set to use if the client computer is not able to load the ActiveX component or the Windows native client (with dynamic tunnels).
Specific Settings
If you include Microsoft Outlook in the applications for this tunnel set, we recommend that you enable support for the MS Outlook patch. This patch solves a problem with Windows 2000 client authentication.
Support MS Outlook patch for Windows 2000
Select this check box to enable support for the MS Outlook patch. The patch is supported when the client is on a Windows 2000 platform and is part of a domain.
Provide IP Address
You can select to specify a unique IP address for the client from the IP address pool. When you enable this option, if you add IP addresses from the IP address pool to a tunnel resource, the clients that use those IP addresses can connect to each other when they are connected to the network.
Provide the client with an IP address from the IP address pool or an external DHCP server
Select this check box to use an IP address from the IP address pool or an external DHCP server for the client.
DNS Forwarding
Enable DNS Forwarding
Select this check box to temporarily redirect the DNS server for the client to the DNS server you specify in the global tunnel set settings. This option is only available if you specified a DNS server for the client.
WINS Forwarding
Enable WINS Forwarding
Select this check box to temporarily redirect the WINS server for the client to the WINS server you specify in the global tunnel set settings. This option is only available if you specified a WINS server for the client.
Client Firewall
Internet Firewall Configuration
Select an available firewall configuration to use for this tunnel set. To select a configuration, you must first Add an Internet Firewall Configuration.
Restrict User Editable Preferences
Restrict User Editable Preferences
Select this check box to disable the Preferences and Favorites options in the Access Client menu.
Manage Global Tunnel Set Settings
You can configure connection settings for the WatchGuard SSL Access Client that apply to all your tunnel sets.
1. Select Resource Access. The Resources page appears.
2. Click Manage Global Tunnel Set Settings. The Manage Global Tunnel Set Settings page appears.
3. Configure the settings for your tunnel sets.
Use External DHCP
Select this check box to use an existing external DHCP server to assign IP addresses to the Access Client from the network. To use this setting, you must select the Provide IP Address check box in the tunnel set that uses DHCP.
DHCP Server
Specify the host address of the DHCP Server you want to use.
IP Address Pool
Specify a range of IP addresses for the IP address pool. The IP address pool is used to define a set of IP addresses to assign to clients. This enables the WatchGuard SSL device to route traffic from the system to the clients. This option is disabled if External DHCP is defined.
Timeout
(Optional) Specify how long the Access Client waits for a response when it fails to get an IP address from the IP address pool, and when it detects possible IP address conflicts on the internal network. This timeout is set to 100 milliseconds by default.
DNS Server
Specify the IP address or DNS name of the DNS server used for DNS forwarding. When you enable DNS forwarding for a tunnel set, the client's DNS server is temporarily redirected to the DNS Server you specify. Local lookups take precedence, and can override any external DNS.
WINS Server
Specify the IP address or name of the WINS server used for WINS forwarding. When you enable WINS forwarding for a tunnel set, the client's WINS server is temporarily redirected to the WINS server you specify. Local lookups take precedence, and can override any external WINS.
4. Click Save.
Manage Tunnel Resource Networks
Tunnel resource networks are a range or collection of IP addresses and ports that include tunnel resource hosts. When you add a tunnel resource host with an IP address inside a tunnel resource network, it is automatically included in the network. You can also add tunnel resource hosts outside the tunnel resource network.
You can use access rules to set the security levels for specific client applications and servers in your tunnel resource networks. You can also specify exceptions, which are tunnel resources that have different access controls than the network.

Add a Tunnel Resource Network
1. Select Resource Access. The Resources page appears.
2. Click Add Tunnel Resource Network. The Add Tunnel Resource Network page appears. The resource is enabled by default.
3. If you want to add the tunnel resource network, but not enable it, clear the Enable resource check box.
4. Type a Display Name for this resource.
5. (Optional) Type a Description for this resource to identify it in the Resources list.
6. Type the IP Address Range for this resource.
7. Type the TCP Port Set and/or the UDP Port Set for this resource.
8. If you want to use SSO (Single Sign-On) for a file share or remote desktop connections, select the related check box and select a domain from the drop-down list.
9. Click Next. The Add Tunnel Resource Network page appears.
10. Configure the access rules for this resource. For more information about Access Rules, see About access rules on page 134.
11. Click Next. The Add Tunnel Resource Network Summary page appears.
12. To configure settings for lookups, drives, or clients, click Advanced Settings. The Advanced Settings page appears.
13. Configure the advanced settings. Click Next. The Add Tunnel Resource Network Summary page appears.
14. Click Finish Wizard.

Edit a Tunnel Resource Network
1. Select Resource Access. The Resources page appears.
2. Select the Tunnel Resource Network you want to edit.
3. Click Edit Tunnel Resource Network. The Edit Tunnel Resource Network page appears.
4. Update the settings for the Tunnel Resource Network.
5. Click Save.

Delete a Tunnel Resource Network
1. Select Resource Access. The Resources page appears.
2. Select the Tunnel Resource Network you want to delete.
3. Click Edit Tunnel Resource Network.
4. Click Delete.
5. Click Yes. The Tunnel Resource Network is removed from the Resources list.

Manage Web Resource Hosts
Web resource hosts are applications with a web interface, or files accessible with a web browser. A Web resource has a resource host, or root, that may have one or more resource paths connected to it. The resource host defines an HTTP or HTTPS server based on a URI (Uniform Resource Identifier). The resource path defines a subset of a web server, so you can restrict user access to only that subset. For example:
Host
Path
When you use Web resource paths, you can set your own security levels with access rules for specific applications and files. You can also choose to allow Web resource paths to get authorization settings (access rules and advanced settings) from the parent Web resource host or path.
Single Sign-On
When SSO is enabled and used, it performs a POST or a GET request to a URL. The form data usually includes a user name and a password together with some static fields. The variables [$username], [$password], and [$domain] are replaced by the stored user name, password, and NTLM domain from the SSO database.
If the back-end server requires the logon request to include specific headers, you can add them as additional headers. For example:
User-Agent: Mozilla/4.6 Enterprise Edition (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR )
Accept: */*
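The SSO logon request described above, built step by step, as an added example. This is not WatchGuard code: it only reproduces the variable substitution ([$username], [$password], [$domain]), the static form fields and the additional headers the text describes. The form field names, the OWA-style URL and the credentials are constructed placeholders, and the exact encoding the device uses is not stated in the guide, so standard application/x-www-form-urlencoded is assumed.

```python
"""Build the back-end logon request an SSO domain performs for a web resource.

Added example, not WatchGuard code. Form field names, the URL and the
credentials in the demo are constructed placeholders.
"""
from urllib.parse import quote_plus, urlencode, urlsplit

# Variables the SSO engine fills from the stored SSO record.
SSO_VARIABLES = {"[$username]": "username", "[$password]": "password", "[$domain]": "domain"}


def expand(template, record):
    """Replace the SSO variables in one form-field value."""
    out = template
    for var, key in SSO_VARIABLES.items():
        out = out.replace(var, record[key])
    return out


def build_sso_request(method, url, form_fields, extra_headers, record):
    """Return (request_line, headers, body) for the logon request.

    form_fields: ordered (name, value template) pairs; static fields such as
    a hidden 'action' value pass through unchanged, variable fields are
    filled from `record`. extra_headers are the additional headers the
    back end may require (User-Agent, Accept, ...).
    """
    method = method.upper()
    if method not in ("POST", "GET"):
        raise ValueError("an SSO logon is either a POST or a GET request")
    encoded = urlencode([(name, expand(value, record)) for name, value in form_fields])
    parts = urlsplit(url)
    headers = {"Host": parts.netloc}
    headers.update(extra_headers)
    path = parts.path or "/"
    if method == "POST":
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        headers["Content-Length"] = str(len(encoded))
        return f"POST {path} HTTP/1.1", headers, encoded
    # GET: the form data is appended to any query string already in the URL.
    query = f"{parts.query}&{encoded}" if parts.query else encoded
    return f"GET {path}?{query} HTTP/1.1", headers, ""


def serialize(request_line, headers, body):
    """Render the request as it goes on the wire (inside the SSL connection)."""
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers.items()])
    return f"{head}\r\n\r\n{body}"


def redact(text, record):
    """Mask the password, raw and form-encoded, before a request is logged."""
    for secret in (record["password"], quote_plus(record["password"])):
        text = text.replace(secret, "***")
    return text


if __name__ == "__main__":
    record = {"username": "alice", "password": "s3cr&t pass", "domain": "CORP"}
    fields = [("user", "[$domain]\\[$username]"), ("pass", "[$password]"), ("action", "login")]
    headers = {"User-Agent": "Mozilla/4.6 Enterprise Edition", "Accept": "*/*"}
    req = build_sso_request("POST", "http://owa.internal.example/owa/auth.owa", fields, headers, record)
    print(redact(serialize(*req), record))
```

Prefer the POST form where the back end accepts it: with a GET logon the password becomes part of the URL, which proxy, web server and browser history logs record. The redact step shows why a request log needs the encoded form of the secret masked as well as the raw one.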
Add a Web Resource Host
1. Select Resource Access. The Resources page appears.
2. Click Add Web Resource Host. The Add Web Resource Host page appears.
3. Configure the settings for the Web Resource Host.
General Settings
Set the Display Name, Description, Host, HTTP Port, and HTTPS Port information.
Alternative Hosts
Add, edit, or delete alternative hosts for this resource. Click Automatically Generate Alternative Hosts to generate alternative hosts from the host and port information you set. To add, edit, or delete alternative hosts yourself, select the Manually configure alternative hosts check box. You can then select the alternative hosts the system generated and edit or delete them, or add more alternative hosts.
Single Sign-On
To enable this feature, select the Enable Single Sign-On check box. Select the Single Sign-On Type and SSO Domain.
Application Portal Settings
To add this resource to the Application Portal, select the Make resource available in Application Portal check box. Select the Icon and Link Text that appear in the Application Portal for this resource.
4. Click Next. The Add Web Resource Host page appears.
5. Configure the access rules for this resource. For more information, see About access rules on page 134.
6. Click Next. The Add Web Resource Host Summary page appears.
7. To configure settings for access, authorization, and encryption, click Advanced Settings. The Advanced Settings page appears.
8. Configure the Advanced Settings.
9. Click Next.
10. Click Finish Wizard.
Edit a Web Resource Host
1. Select Resource Access. The Resources page appears.
2. Select the web resource host you want to edit.
3. Click Edit Resource Host.
4. Update the settings for the Web Resource Host.
5. Click Save.

Delete a Web Resource Host
1. Select Resource Access. The Resources page appears.
2. Select the web resource host you want to delete.
3. Click Edit Resource Host.
4. Click Delete.
5. Click Yes. The Web Resource Host is removed from the Resources list.

Web Resource Host Advanced Settings
You can configure the Advanced Settings for a Web Resource Host to set the Access Settings, Authorization Settings, and Encryption Level.
Access Settings
Link Translation Type
Select the link translation type: URL Mapping, Pooled DNS Mapping, or Reserved DNS Mapping. The default setting is URL Mapping. If you select Pooled DNS Mapping, the resource is automatically assigned a DNS name when it is used. If you select Reserved DNS Mapping, the Mapped DNS Name for HTTP list appears. Choose a DNS name in the list to specify a DNS name for the resource. You can only assign reserved mapped DNS names that are not used for any other Web resource.
Server DNS Name
Type the DNS name of the internal server to use for communication with that server. If you do not specify a DNS name, the host address is used.
Connect via proxy
Select this check box to connect to this resource through a proxy server.
Forward cookies between client and resource
Select this check box to forward cookies between the client and the resource.
Cookies to check
Type the names of the cookies you want to allow or block. You can use the * wildcard character. Select whether to Allow or Block the cookies you specified.
Use NTLM v2
Select this check box to use NTLM v2 when possible.
Authorization Settings
Require exact path match
Select this check box to apply the access rules for this Web Resource Host to only this path. To apply the access rules for this resource to this path and all paths that begin with this path, clear this check box.
Automatic access
Select this check box to enable automatic access to the web resource path. When automatic access is enabled, user session timeouts are not affected.
Cache MIME Types
Type the MIME types that you want the client browser to cache, in type/subtype format, for example text/html.
Use Expression of Will
Select this option to require users to authenticate for each resource they select in the Application Portal.
Use Timeout
Select this option to use timeout settings to set when users must authenticate again.
Max Inactivity Time
Select this check box to set the maximum amount of time user connections can be inactive before their sessions are disconnected. Type the timeout in minutes.
Absolute Timeout
Select this check box to disconnect user sessions after a specified amount of time, regardless of their activity. Type the timeout in minutes.
Encryption Level
Require SSL
Select this check box to require your users to use SSL to connect to resources.
Encryption Level
Select the level of encryption to use with SSL.

Manage Global Resource Settings
Global resource settings apply to all resources in the WatchGuard SSL system. The global settings are grouped in these categories:
Internal proxy
DNS name and DNS name pool
Filters
Link translation
Client access
Trusted gateways
Cookies and cache control
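The three request-time decisions that the Web Resource Host Advanced Settings above describe (Require exact path match, Cookies to check with Allow or Block, and the Max Inactivity Time and Absolute Timeout pair), as an added example. This is not WatchGuard code: it follows the setting descriptions only, and the paths, cookie names and timing values are constructed. Automatic access has no branch here because the text says it does not change the timeout behaviour.

```python
"""Request-time checks implied by a Web Resource Host's Advanced Settings.

Added example, not WatchGuard code. Paths, cookie names and the timing
values used in the demo are constructed.
"""
from fnmatch import fnmatchcase


def path_matches(rule_path, request_path, require_exact_match):
    """Decide whether a resource path's access rules apply to a request.

    Require exact path match on: only the path itself.
    Off: the path and every path that begins with it. That is a plain
    string prefix, so a rule on /owa also covers /owaadmin; order path
    rules from most to least specific when that matters.
    """
    if require_exact_match:
        return request_path == rule_path
    return request_path.startswith(rule_path)


def filter_cookies(cookie_header, patterns, mode):
    """Apply 'Cookies to check' to the Cookie header forwarded to the resource.

    mode 'allow': only cookies matching a pattern are forwarded.
    mode 'block': cookies matching a pattern are dropped, the rest forwarded.
    Patterns may use the * wildcard. Returns the Cookie header to forward.
    """
    if mode not in ("allow", "block"):
        raise ValueError("mode must be 'allow' or 'block'")
    kept = []
    for item in cookie_header.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        hit = any(fnmatchcase(name, p) for p in patterns)
        if hit == (mode == "allow"):       # allow keeps hits, block keeps misses
            kept.append(f"{name}={value}")
    return "; ".join(kept)


def session_expired(minutes_since_start, minutes_since_activity,
                    max_inactivity_min=None, absolute_timeout_min=None):
    """Max Inactivity Time and Absolute Timeout; either may be unset (None).

    The absolute limit counts from session start and applies even while the
    user is active, so a stolen session that is kept busy still ends.
    """
    if max_inactivity_min is not None and minutes_since_activity > max_inactivity_min:
        return True
    if absolute_timeout_min is not None and minutes_since_start > absolute_timeout_min:
        return True
    return False


if __name__ == "__main__":
    hdr = "SESSIONID=abc; wg_portal=1; _ga=GA1.2"
    print(filter_cookies(hdr, ["_ga*"], "block"))
    print(path_matches("/owa", "/owa/auth.owa", False), path_matches("/owa", "/owa/auth.owa", True))
    print(session_expired(541, 1, 15, 540))   # active user, but past the absolute limit
```

The block mode is the one to reach for when the internal application sets tracking or analytics cookies that must not leave the device; the allow mode is the safer default when you know exactly which session cookie the application needs.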
Configure settings for global resources
1. Select Resource Access. The Resources page appears.
2. Click Manage Global Resource Settings. The Manage Global Resource Settings page appears.
3. Click a tab to configure the settings for that category. For more information about the settings, see the topic for each category.
4. Click Save.
Make sure you save your changes before you leave a page. If you do not save your changes before you leave a page, all your changes are lost.
General Settings
You can specify addresses for internal proxies on the General Settings tab. The addresses are used when a resource is accessed through a cache or an ordinary proxy server. You can select to use NTLM v2 for HTTP and HTTPS proxies. If you have authentication problems, disable NTLM v2. Because NTLM v1 is cryptographically weaker than NTLM v2, treat this as a troubleshooting step rather than a permanent setting.
You can configure settings for these internal proxies:
HTTP
HTTPS
TCP
The TCP proxy is used for the WatchGuard SSL Access Client.
You can also configure Internal Host Access to specify which addresses are used for resources reached through a cache or ordinary proxy server.
To configure proxy settings:
1. Select the General Settings tab.
2. For each proxy, type a Host and Port, and select whether to Use NTLM v2.
3. In the Internal Host Access section, select whether to Validate the server certificate.
4. If you select to validate the certificate, select a CA Certificate from the drop-down list.
5. Click Save.

DNS name pool
To improve link translation and to use multiple DNS domains, you can configure the DNS name pool. Multiple DNS domains allow several customers to be hosted on the same WatchGuard SSL device, each with its own logon page design and Application Portal. The registered DNS names define the pool of available DNS names.
To use multiple DNS domains, you define several DNS names for the device. All DNS names must also be registered with a public DNS server, or written to the hosts file on the client computer that uses the system. When a user makes a request using a registered mapped DNS name, the device looks up which server to connect to and which protocol to use, and sends the request to this server.
WatchGuard SSL has three methods of DNS mapping:
URL mapping
The resource is mapped to a path instead of a mapped DNS name.
Reserved DNS mapping
The resource is mapped to a specific DNS name.
Pooled DNS mapping
The resource is assigned a DNS name on the first device request to an internal server.
When you add or edit a resource, you can specify which method of DNS mapping you want to use.
A DNS name for the device is defined by a host name and a relative file path to the content of the wwwroot that appears when you use the corresponding DNS name. For example, if the host name is myexample.com, the wwwroot is wwwroot/myexample. We recommend that you define the host name as a DNS name, but you can also use an IP address.
The default DNS Name and WWW ROOT for each device are (default) and wwwroot. You cannot edit or delete the default DNS name.
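The DNS name pool rules and the three DNS mapping methods described above, together with the link translation that Web resource hosts use (the Link Translation Type setting), as an added example. This is not WatchGuard code. The device name, pool entries, mapping assignments and the sample HTML are constructed. Two details the guide does not spell out are assumptions here: with URL mapping the original protocol and server are carried in the translated path as /<scheme>/<host>/<path>, and a pooled DNS name is leased for one session. The last part of the block also shows the limit the guide describes: a link the page assembles from subsets (protocol, host and URI joined in script) is not recognised and is left untranslated.

```python
"""DNS name pool checks, the three DNS mapping methods, and link translation.

Added example, not WatchGuard code. Names, pool entries and the sample
page are constructed; the /<scheme>/<host>/<path> layout for URL mapping
and per-session pooled leases are assumptions.
"""
import re
from urllib.parse import urlsplit, urlunsplit


class DnsNamePool:
    def __init__(self, device_dns_names, pool_entries):
        self.device_names = [d.lower() for d in device_dns_names]
        self.pool = []
        self.reserved = {}   # pool name -> internal host (Reserved DNS mapping)
        self.leases = {}     # (session id, internal host) -> pool name (Pooled DNS mapping)
        for entry in pool_entries:
            self.add_pool_entry(entry)

    def add_pool_entry(self, entry):
        """A pool entry must end with a registered DNS name for the device;
        otherwise browsers would never send requests for it to this device."""
        e = entry.lower()
        if not any(e == d or e.endswith("." + d) for d in self.device_names):
            raise ValueError(f"{entry}: does not end with a registered device DNS name")
        self.pool.append(e)

    def reserve(self, pool_name, internal_host):
        """Reserved DNS mapping: one pool name for one web resource, never shared."""
        name = pool_name.lower()
        if name not in self.pool:
            raise ValueError(f"{pool_name}: not in the DNS name pool")
        owner = self.reserved.get(name)
        if owner is not None and owner != internal_host:
            raise ValueError(f"{pool_name}: already reserved for {owner}")
        self.reserved[name] = internal_host

    def reserved_name_for(self, internal_host):
        for name, host in self.reserved.items():
            if host == internal_host:
                return name
        raise KeyError(f"{internal_host}: no reserved DNS name")

    def pooled_name_for(self, session_id, internal_host):
        """Pooled DNS mapping: first available name at first use in a session."""
        key = (session_id, internal_host)
        if key in self.leases:
            return self.leases[key]
        in_use = set(self.reserved) | {n for (s, _), n in self.leases.items() if s == session_id}
        for name in self.pool:
            if name not in in_use:
                self.leases[key] = name
                return name
        raise RuntimeError("DNS name pool exhausted for this session")


def translate_url(url, device, pool, session_id, mapping_for_host):
    """Rewrite one absolute URL so the browser sends the request to the device."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    method = mapping_for_host.get(host)
    if method is None:
        return url                       # not a registered web resource host: untouched
    if method == "url":
        path = f"/{parts.scheme}/{parts.netloc}{parts.path or '/'}"
        return urlunsplit(("https", device, path, parts.query, parts.fragment))
    if method == "reserved":
        name = pool.reserved_name_for(host)
    elif method == "pooled":
        name = pool.pooled_name_for(session_id, host)
    else:
        raise ValueError(f"{method}: unknown mapping method")
    # With a mapped DNS name the name itself tells the device which internal
    # host and protocol to use, so the original path survives unchanged.
    return urlunsplit(("https", name, parts.path, parts.query, parts.fragment))


# Only a complete URL inside a link attribute is recognised. A URL the page
# assembles from subsets in script (protocol + host + URI) is not seen as a
# link and is left alone; such resources need DNS mapping instead.
ABSOLUTE_LINK = re.compile(r'(href|src|action)=(["\'])(https?://[^"\']+)\2', re.IGNORECASE)


def translate_page(html, device, pool, session_id, mapping_for_host):
    def repl(m):
        attr, quote, url = m.group(1), m.group(2), m.group(3)
        new = translate_url(url, device, pool, session_id, mapping_for_host)
        return f"{attr}={quote}{new}{quote}"
    return ABSOLUTE_LINK.sub(repl, html)


if __name__ == "__main__":
    pool = DnsNamePool(["ssl.example.com"], ["app1.ssl.example.com", "app2.ssl.example.com"])
    pool.reserve("app2.ssl.example.com", "owa.internal.example")
    mapping = {"owa.internal.example": "reserved", "portal.internal.example": "pooled",
               "files.internal.example": "url"}
    page = ('<a href="http://owa.internal.example/owa/">Mail</a>'
            '<img src="http://portal.internal.example/logo.png">'
            '<script>var u = "http://" + "owa.internal.example" + "/owa/";</script>')
    print(translate_page(page, "ssl.example.com", pool, "sess1", mapping))
```

Reserved names are the predictable choice for resources users bookmark, since a pooled name can be handed to a different internal host in another session. Links to hosts that are not registered web resources are deliberately left as they are; if such a link should also be protected, register the host rather than widening the rewrite.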
129 Resource Access DNS Name Pool entries must end with the same string as an entry in the Registered DNS Names for Device list. For example, if the DNS Name for a device is my.example.com, the DNS Name Pool entry is Add a DNS name for a device 1. Select the DNS Name Pool tab. 2. Click Add DNS Name for Device. The Add DNS Name for Device page appears. 3. Type a DNS Name for the device. 4. Type the path to the WWW Root folder. 5. Click Add. The DNS name appears in the Registered DNS Names for Device list. Edit a DNS name for a device 1. Select the DNS Name Pool tab. 2. Click a device in the Registered DNS Names for Device list. The Edit DNS Name for Device page appears. 3. Update the DNS Name and the WWW Root details. 4. Click Save. The DNS name appears in the Registered DNS Names for Device list. Delete a DNS name for a device 1. Select the DNS Name Pool tab. 2. Click a device in theregistered DNS Names for Device list. The Edit DNS Name for Device page appears. 3. Click Delete. 4. Click Yes. 5. Click Save. The DNS name is removed from the Registered DNS Names for Device list. Add a DNS name to the pool 1. Select the DNS Name Pool tab. 2. Click Add DNS Name to Pool. The Add DNS Name to DNS Name Pool page appears. 3. Type a DNS Name that you want to add to the pool. 4. Click Add. The DNS name appears in the DNS Name Pool list. Edit a DNS name in the pool 1. Select the DNS Name Pool tab. 2. Click a name in the DNS Name Pool list. The Edit DNS Name in DNS Name Pool page appears. 3. Type a new DNS Name. 4. Click Update. The DNS name appears in the DNS Name Pool list. User Guide 123
Delete a DNS name in the pool
1. Select the DNS Name Pool tab.
2. Click a name in the DNS Name Pool list. The Edit DNS Name in DNS Name Pool page appears.
3. Click Delete.
4. Click Yes.
5. Click Save. The DNS name is removed from the DNS Name Pool list.

Filters

Filters determine the content that your users see when they request a resource or a specific page. You can apply a filter to one or more resource hosts, to requests or responses, and to content or headers. For general filters, you can use variables with name-value pairs instead of hard-coded values. You can add one or more variables to each filter. In the Content Type field, you can specify the file types or formats, images, and specific content to filter. Scripts are located in <WatchGuard installation folder>\access-point\built-in-files\scripts\ and have the file suffix .wascr.

Add a filter
1. Select the Filters tab.
2. Click Add Filter. The Add Filter page appears.
3. Type the Script Name for the filter.
4. From the Type of Filter drop-down list, select Request or Response.
5. Select the Resource Host for this filter from the drop-down list.
6. Type the Path to the files to be filtered. You can use the * wildcard character.
7. From the Apply Filter To drop-down list, select Headers or Content.
8. Type the Content Type you want to filter. You can use the * wildcard character.
9. To add a variable, click Add Variable. Type the Name and Value. Click Add. The variable appears in the Registered Variables list.
10. Click Add. The Filter appears in the Registered Filters list.
11. Click Save.

Edit a filter
1. Select the Filters tab.
2. Click a filter in the Registered Filters list. The Edit Filter page appears.
3. Update the settings or variables for the filter.
4. Click Update.
5. Click Save.

Delete a filter
1. Select the Filters tab.
2. Click a filter in the Registered Filters list. The Edit Filter page appears.
3. Click Delete.
4. Click Yes.
5. Click Save.
Link translation

Link translation is used to make sure that all traffic to registered Web resource hosts goes through the WatchGuard SSL device. With link translation, Web resource hosts are as secure as tunnel resource hosts. When a user connects to a page on a server through the WatchGuard SSL device, all links to other servers are changed to point to the WatchGuard SSL device. Translated links contain information about the original server and what protocol to use. For example, when users enter the URL of a registered Web resource, the device recognizes the link and automatically translates the URL to <WatchGuard SSL Device>/ followed by the information about the original server.

A link can be divided into subsets that the browser then puts together dynamically to form the link. Examples of subsets are the protocol, the host, and the URI. If a page uses subsets, the WatchGuard SSL device cannot establish that the pieces form a link and cannot translate it. If you want to use subsets, you can use DNS mapping instead. A DNS name or an IP address that points to the WatchGuard SSL device is mapped to an internal host and protocol (a mapped DNS name). All mapped DNS names are added to a DNS name pool. You then map the web hosts to DNS names with one of these methods:

Reserved DNS mapping: The Web resource is mapped to a specific DNS name in the DNS name pool.
Pooled DNS mapping: At the start of each session, the Web resource is assigned the first available DNS name from the DNS name pool.

You can configure the headers and content types to filter. Headers must be single-valued.
1. On the Manage Global Resource Settings page, select the Link Translation tab.
2. In the headers and content types fields, add, edit, or delete entries.
3. Click Save.

Client Access

You can specify the paths for the Application Portal and Welcome pages, and the clients that users can select from to connect to your network.

Specify the paths for client access pages
To configure Client Access Settings:
1. Select the Client Access tab.
2. Type the path to the Default Page for the Application Portal.
3. Type the path to the Welcome Page.

Client Control settings
You can add, edit, and delete Client Control settings.
To add Client Control settings:
1. On the Client Access tab, click Add Client Settings. The Add Client Settings page appears.
2. In the Client drop-down list, select a client.
3. Select a check box to define the Session Settings.
4. Type a File Extension.
5. Type the path and file name to the Default Page for this client.
6. Type the path and file name to the Welcome Page for this client.
7. (Optional) Type the GUI Constant and GUI Constant Value.
8. Click Add. The Client appears in the Registered Client Settings list.

To edit Client Control settings:
1. In the Registered Client Settings list, click a Client. The Edit Client Settings page appears.
2. Update the settings.
3. Click Update.

To delete a client in the Registered Client Settings list:
1. In the Registered Client Settings list, click a Client. The Edit Client Settings page appears.
2. Click Delete.
3. Click Yes. The client is removed from the Registered Client Settings list.
4. Click Save.

Client Access Restrictions
You can add, edit, and delete client access restrictions.
To add Client Access restrictions:
1. On the Client Access tab, click Add Client Access Restriction. The Add Client Access Restriction page appears.
2. From the Client drop-down list, select a client.
3. From the Permission drop-down list, select a permission level for this client: Accept, Deny, or Warn.
4. If you set the permission to Deny or Warn, select the HTTP code, Feedback page, and Feedback message that users see.
5. Click Add. The Client appears in the Registered Client Access Restrictions list.

To edit Client Access restrictions:
1. In the Registered Client Access Restrictions list, click a client. The Edit Registered Client Access Restrictions page appears.
2. Update the settings.
3. Click Update.

To delete a client in the Registered Client Access Restrictions list:
1. In the Registered Client Access Restrictions list, click a client. The Edit Registered Client Access Restrictions page appears.
2. Click Delete.
3. Click Yes. The client is removed from the Registered Client Access Restrictions list.
4. Click Save.
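The link translation and DNS mapping behaviour described in the Link translation section above, worked through in Python as an added example (not WatchGuard code). The device name, the registered hosts, the layout of a translated URL, and the per-session pool bookkeeping are assumptions made for the example; the sample page is constructed.

```python
"""Link translation and DNS mapping, modelled on the behaviour described
in the Link translation section. Added illustration, not WatchGuard code:
the device name, registered hosts, translated-URL layout and pool
bookkeeping are assumptions of this example."""
import re
from urllib.parse import urlsplit

DEVICE = "ssl.example.com"                        # constructed device name
REGISTERED_HOSTS = {"intranet.example.local", "mail.example.local"}


def translate_url(url):
    """Point a complete absolute URL for a registered Web resource host at the
    device. The original scheme and host are kept in the path so the device
    knows which server and protocol to use (layout assumed for this example).
    Links to hosts that are not registered Web resources are left unchanged."""
    parts = urlsplit(url)
    if parts.hostname not in REGISTERED_HOSTS:
        return url
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"https://{DEVICE}/{parts.scheme}/{parts.hostname}{path}"


# Only whole, literal URLs in markup attributes can be recognised as links.
LINK_ATTR_RE = re.compile(r'(href|src|action)=(["\'])(https?://[^"\']+)\2', re.I)
TRANSLATED_RE = re.compile(rf"https://{re.escape(DEVICE)}/https?/[^\s\"'<>]*")


def translate_html(html):
    """Rewrite every literal absolute link in a page served through the device."""
    return LINK_ATTR_RE.sub(
        lambda m: f"{m.group(1)}={m.group(2)}{translate_url(m.group(3))}{m.group(2)}",
        html)


def untranslated_references(html):
    """Registered host names that survive translation. They come from links
    assembled in subsets (scheme + host + URI joined by script), which the
    device cannot recognise as links; such hosts need DNS mapping instead."""
    without_translated = TRANSLATED_RE.sub("", html)
    return {h for h in REGISTERED_HOSTS if h in without_translated}


class DnsNamePool:
    """DNS name pool with reserved and pooled mapping of Web resource hosts."""

    def __init__(self, registered_device_names):
        self.registered = set(registered_device_names)  # Registered DNS Names for Device
        self.pool = []        # DNS Name Pool entries, in configuration order
        self.reserved = {}    # web host -> DNS name (reserved DNS mapping)
        self.leases = {}      # session id -> {web host: DNS name} (pooled mapping)

    def add_pool_entry(self, name):
        """A pool entry must end with one of the registered DNS names for the device."""
        if not any(name.endswith("." + r) for r in self.registered):
            raise ValueError(f"{name} does not end with a registered DNS name")
        self.pool.append(name)

    def reserve(self, web_host, dns_name):
        """Reserved DNS mapping: tie a Web resource host to one pool name."""
        if dns_name not in self.pool or dns_name in self.reserved.values():
            raise ValueError(f"{dns_name} is not a free pool entry")
        self.reserved[web_host] = dns_name

    def assign(self, session, web_host):
        """Pooled DNS mapping: at the start of a session the host gets the first
        pool name that is neither reserved nor already leased in this session
        (per-session bookkeeping is an assumption of this example)."""
        leases = self.leases.setdefault(session, {})
        if web_host in leases:
            return leases[web_host]
        in_use = set(self.reserved.values()) | set(leases.values())
        for name in self.pool:
            if name not in in_use:
                leases[web_host] = name
                return name
        return None   # pool exhausted for this session

    def end_session(self, session):
        """Pooled names are released when the session ends."""
        self.leases.pop(session, None)


# Constructed sample page: one literal link, one external image, one link
# assembled from subsets in script.
SAMPLE_PAGE = """<a href="http://intranet.example.local/app/index.html?x=1">App</a>
<img src="https://www.example.com/logo.png">
<script>var api = "http://" + "intranet.example.local" + "/api";</script>"""

if __name__ == "__main__":
    translated = translate_html(SAMPLE_PAGE)
    print(translated)
    print("hosts that still need DNS mapping:", untranslated_references(translated))
```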
Trusted Gateways

You can add, edit, and delete the trusted gateways for your network.

Add trusted gateways
1. Click the Trusted Gateways tab. The Manage Trusted Gateways page appears.
2. Click Add Trusted Gateway. The Add Trusted Gateway page appears.
3. Type the IP Address of the trusted gateway.
4. Type the Port for the trusted gateway.
5. Click Add. The IP Address appears in the Registered Trusted Gateways list.

Edit a trusted gateway
1. In the Registered Trusted Gateways list, click an IP Address. The Edit Registered Trusted Gateways page appears.
2. Update the settings.
3. Click Update.

Delete a trusted gateway
1. In the Registered Trusted Gateways list, click an IP Address. The Edit Trusted Gateway page appears.
2. Click Delete.
3. Click Yes. The trusted gateway is removed from the Registered Trusted Gateways list.
4. Click Save.

Cookies and Cache Control

On the Manage Global Resource Settings Advanced tab, you can configure the settings for Internal Cookies and Internet Explorer Cache Control. You can choose which information types to include in cookie requests. You can also set whether Internet Explorer caches data and allows these file types:
  .doc
  .xls
  .ppt
  .pdf

To configure cookie and cache control settings:
1. Click the Advanced tab.
2. In the Internal Cookies section, select the check box for each information type for which you want to allow cookies.
3. If you want to cache data in Internet Explorer, clear the Do not cache data for Internet Explorer users check box. This also allows users to download the file types shown above.
4. Click Save.
About client firewalls

Client firewalls are Internet firewall configurations. An Internet firewall configuration is a collection of rules that control traffic to and from the WatchGuard SSL Access Client. Each configuration is connected to a tunnel set.

The WatchGuard SSL Access Client has two tasks related to your firewall configuration:
  Disable routes for other network connections
  Check the integrity of application connections

You can configure rules based on these parameters:
  Network
  Incoming or outgoing traffic
  Ports
  Allow or block traffic

These rules are downloaded to the client computer with the tunnel set. The rules are then applied to network traffic at the client. When you add a new Internet firewall configuration, the rule lists have default entries that block all connections. You must add a rule above the default rule to accept specific connections. The order of the rules is significant because the firewall starts at the top of the list and stops as soon as it finds a match between a rule and the connection.

Disable routes for other network connections
You can choose to disable routes for other network connections. Apply the rules you configure to disable specific routes.

Check the integrity of application connections
For each connection that goes through the WatchGuard SSL Access Client, information about the application path and checksum is added. The authorization process uses this information when it determines whether the client can connect to your resources.

How does the client firewall work?
When your users connect to the WatchGuard SSL device with the Access Client, the client firewall runs locally on their computers. Firewall rules are configured on the server and cannot be overridden by the user. You can use only one Internet firewall configuration per tunnel set.

The firewall is activated when a user clicks an Application Portal icon that connects to a tunnel set configured to use the client firewall. The firewall is deactivated as soon as the user closes the Access Client or logs off the portal. The firewall is active as long as the associated Tunnel Set is used. If several Tunnel Sets are used at the same time by the same user, the firewall configurations of all the Tunnel Sets are active and the most restrictive rules are applied.

When active, the firewall checks that each connection to and from the client computer matches the client firewall configuration. You can add incoming and outgoing rules, and exceptions to those rules, to your client firewall configuration.
Incoming Rules
When a connection comes in to the computer, the firewall goes through the list of Incoming Firewall Rules. Each rule is checked to see if it matches the incoming connection. If it does not match, the firewall looks at the next rule in the list. If it does match, the connection is accepted or denied based on the rule configuration, and the firewall does not check any more rules in the list. If the rule denies the connection, it is dropped. If the rule accepts the connection, it is connected to the client computer.

Outgoing Rules
When an application on the client computer tries to connect to the Internet, the firewall goes through the list of Outgoing Firewall Rules. Each rule is checked to see if it matches the outgoing connection. If it does not match, the firewall looks at the next rule in the list. If it does match, the connection is accepted or denied based on the rule configuration. If the rule denies the connection, it is rejected. If the rule accepts the connection, it connects to the Internet.

Exceptions
The client firewall checks all TCP and UDP connections except:
  Incoming connections from an IP address of a configured resource on the intranet (a connection through the tunnel).
  Connections to the WatchGuard SSL device.
  Connections to an IP address of a configured resource on the intranet through the tunnel.
For these connections, the access rules of the configured resource are applied instead of the firewall rules.

Configure client definitions
You can configure the definitions for the clients used with your firewall configuration. For more information, see Manage Client Definitions on page 195.

Firewall rules based on a device
The client firewall can be used to specify rules based on the path or checksum of the process that tries to connect to the Internet. To enable this option, you must first add a client definition that specifies the path and/or checksum of the process. You can use one of these client firewall variables in the Client Definitions:
  clientfirewall-path
  clientfirewall-checksum
Only client definitions that use these variables can be used in the Client Firewall Rules.

To add Internet Explorer as a client definition, add a Client Definition with these settings:
  Display Name: Internet Explorer
  Process Definition: clientfirewall-path=%ProgramFiles%\Internet Explorer\iexplore.exe

%ProgramFiles% is a variable that is expanded on the Access Client, which enables the client definition on all clients regardless of the language of the operating system.

You can also use a stricter rule that is based on the MD5 checksum of the executable. To define a client based on the checksum, use the hexadecimal representation of the MD5 checksum.
For example:
  Display Name: Internet Explorer
  Process Definition: clientfirewall-checksum=<MD5 checksum of iexplore.exe>

When you use clientfirewall-checksum, the client definition is only valid for the specific version of Internet Explorer that the checksum was taken from. It is also possible to combine checksum and path with AND/OR between expressions. For example, you can create a list of valid checksums with the pipe character (OR) between the entries. All entries joined by the (OR) operator must be on the same line. For example:
  clientfirewall-checksum=<checksum1> | clientfirewall-checksum=<checksum2> | clientfirewall-checksum=<checksum3>

You can also use the Client Definitions for client firewalls in Access Rules for tunnel resources.

Incoming Firewall Rules
For Incoming Firewall Rules, you specify a remote IP address or range of IP addresses that are allowed for incoming traffic. You can also specify the port set, with a single port, several ports, and/or a range of ports. Use a comma to separate port numbers. In your rules, you also select whether to use TCP or UDP, and whether the firewall rule accepts or denies incoming traffic from the IP addresses and ports you specified. You can also choose whether the rule applies to a specific client or to any client. When you select Any Client, the rule is applied to all connected clients. A client can be a hardware device or an application.

Outgoing Firewall Rules
For Outgoing Firewall Rules, you specify a remote IP address or range of IP addresses that are allowed for outgoing traffic. You can also specify the port set, with a single port, several ports, and/or a range of ports. Use a comma to separate port numbers. In your rules, you also select whether to use TCP or UDP, and whether the firewall rule accepts or denies outgoing traffic to the IP addresses and ports you specified. You can also choose whether the rule applies to a specific client or to any client. When you select Any Client, the rule is applied to all connected clients. A client can be a hardware device or an application.

Manage Internet Firewall Configurations

You can add, edit, and delete Internet firewall configurations for your client firewall. After you change the configuration, make sure you click Publish to commit your changes.
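The client definitions and the first-match evaluation of incoming and outgoing rules described in the client firewall sections above, as an added Python example (not WatchGuard code). The rule fields follow the Web UI (Remote IP, Local Port, Protocol, Accept/Deny, Client); the function names, the sample processes, checksums and addresses are constructed, and only the pipe (OR) form of a combined process definition is implemented.

```python
"""First-match evaluation of client firewall rules and client definitions,
modelled on the behaviour described above. Added illustration, not WatchGuard
code: rule fields follow the Web UI; names and sample values are assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field

FIREWALL_VARIABLES = ("clientfirewall-path", "clientfirewall-checksum")


def parse_port_set(text):
    """'80, 443, 8000-8002' -> {80, 443, 8000, 8001, 8002}. Entries are
    comma-separated; each is a single port or a lo-hi range."""
    ports = set()
    for item in filter(None, text.replace(" ", "").split(",")):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port entry: {item}")
        ports.update(range(lo, hi + 1))
    return ports


def parse_process_definition(text):
    """'clientfirewall-checksum=<a> | clientfirewall-checksum=<b>' -> list of
    (variable, value) alternatives. The pipe character means OR; only the two
    client firewall variables are accepted in a firewall client definition."""
    alternatives = []
    for entry in text.split("|"):
        name, sep, value = entry.strip().partition("=")
        if not sep or name not in FIREWALL_VARIABLES:
            raise ValueError(f"not a client firewall variable: {entry.strip()}")
        alternatives.append((name, value.strip()))
    return alternatives


@dataclass
class Process:
    path: str
    md5: str            # hex MD5 of the executable (constructed sample values)


def client_matches(definition, process, program_files=r"C:\Program Files"):
    """True if any alternative matches the process. %ProgramFiles% is expanded
    as the Access Client does, so one path covers every OS language; an MD5
    value only matches the exact executable build it was taken from."""
    for name, value in definition:
        if name == "clientfirewall-path":
            expected = re.sub("%programfiles%", lambda _: program_files, value, flags=re.I)
            if expected.lower() == process.path.lower():
                return True
        elif value.lower() == process.md5.lower():
            return True
    return False


@dataclass
class Connection:
    direction: str      # "in" (to the client computer) or "out" (to the Internet)
    remote_ip: str
    local_port: int
    protocol: str       # "TCP" or "UDP"
    process: Process = None


@dataclass
class Rule:
    remote: str         # Remote IP address or CIDR range
    ports: str          # Local Port set
    protocol: str
    action: str         # "Accept" or "Deny"
    client: list = None  # None = Any Client, else a parsed process definition

    def matches(self, conn):
        if self.protocol != conn.protocol or conn.local_port not in parse_port_set(self.ports):
            return False
        if ipaddress.ip_address(conn.remote_ip) not in ipaddress.ip_network(self.remote, strict=False):
            return False
        return self.client is None or (conn.process is not None
                                       and client_matches(self.client, conn.process))


@dataclass
class FirewallConfig:
    name: str
    incoming: list = field(default_factory=list)
    outgoing: list = field(default_factory=list)

    def decide(self, conn):
        """Walk the list from the top and stop at the first matching rule. The
        default entry at the bottom blocks everything, so a rule that accepts
        a connection must be added above it."""
        for rule in (self.incoming if conn.direction == "in" else self.outgoing):
            if rule.matches(conn):
                return rule.action
        return "Deny"


def client_firewall_decision(conn, active_configs, device_ip, resource_ips):
    """Exceptions first: connections to the device and tunnelled connections to
    or from configured resource IPs are left to the resource's access rules.
    Otherwise every active tunnel set's configuration is evaluated and the
    most restrictive result applies (a Deny from any configuration wins)."""
    if conn.remote_ip == device_ip or conn.remote_ip in resource_ips:
        return "Exempt"
    if not active_configs:
        return "Accept"     # no tunnel set with a client firewall is in use
    return "Deny" if any(c.decide(conn) == "Deny" for c in active_configs) else "Accept"
```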
Add an Internet Firewall Configuration
1. Select Resource Access. The Resources page appears.
2. Select Client Firewall. The Client Firewall page appears.
3. Click Add Internet Firewall Configuration. The Add Internet Firewall Configuration page appears.
4. Type a Display Name.
5. (Optional) Add an incoming firewall rule.
6. (Optional) Add an outgoing firewall rule. For information about how to add firewall rules, see the subsequent sections.
7. Click Add. The configuration appears in the Registered Internet Firewall Configurations list.
Edit an Internet Firewall Configuration
You can edit your Internet firewall configurations on the Client Firewall page.
1. In the Registered Internet Firewall Configurations list, click the configuration you want to change. The Edit Internet Firewall Configuration page appears.
2. Update the settings or rules in the configuration.
3. Click Save.

Delete an Internet Firewall Configuration
You can delete your Internet firewall configurations on the Client Firewall page.
1. In the Registered Internet Firewall Configurations list, click the configuration you want to delete. The Edit Internet Firewall Configuration page appears.
2. Click Delete.
3. Click Yes.
4. Click Save.

Add an incoming firewall rule
You can add incoming firewall rules on the Add Internet Firewall Configuration page.
1. Click Add Incoming Firewall Rule. The Add Incoming Firewall Rule page appears.
2. Type the range for the Remote IP address.
3. Type the Local Port.
4. Select a Protocol.
5. Set the rule to Accept or Deny connection attempts from the selected IP address.
6. In the Clients drop-down list, select Any Client or a specific client to which the rule applies.
7. (Optional) Add a Comment to include a description of the rule.
8. Click Add. The rule appears in the Registered Incoming Firewall Rules list.

Add an outgoing firewall rule
You can add outgoing firewall rules on the Add Internet Firewall Configuration page.
1. Click Add Outgoing Firewall Rule. The Add Outgoing Firewall Rule page appears.
2. Type the range for the Remote IP address.
3. Type the Local Port.
4. Select a Protocol.
5. Set the rule to Accept or Deny connection attempts to the selected IP address.
6. In the Clients drop-down list, select Any Client or a specific client to which the rule applies.
7. (Optional) Add a Comment to include a description of the rule.
8. Click Add. The rule appears in the Registered Outgoing Firewall Rules list.
Edit an incoming or outgoing firewall rule
You can make changes to any incoming or outgoing firewall rule in the corresponding Registered Firewall Rules list.
1. Click the rule that you want to change. The Edit Firewall Rule page appears.
2. Update the settings for the rule.
3. Click Update.

Delete an incoming or outgoing firewall rule
You can delete any incoming or outgoing firewall rule that you added. You cannot delete the default rules.
1. Click the rule that you want to delete. The Edit Firewall Rule page appears.
2. Click Delete.
3. Click Yes.
4. Click Save.

About access rules

Access rules define the specific requirements for access control that you apply to a resource or SSO domain in the WatchGuard SSL Web UI. You can add general access rules that can be applied to any resource or SSO domain, or specific access rules that are applied only to certain resources or SSO domains. You can also define global access rules that are applied to all resources and SSO domains.

The WatchGuard SSL Web UI includes many different types of access rules that you can use alone or combine to increase the strength of your access control. When you add access rules to a resource, you can use the AND operator to combine general access rules with resource- and SSO domain-specific access rules. You can only use the OR operator for resource- and SSO domain-specific access rules.

For more information about access rules, see:
  Manage Access Rules on page 134
  Manage Global Access Rules on page 138

Manage Access Rules

You can add, edit, and delete the access rules to use with specific resources and Single Sign-On (SSO) domains. When you create an access rule, you add rules to define user access to your network. You can add one or more rules to each access rule. If you add more than one rule to an access rule, an OR operator is applied to the rules. If you want the rules to be applied with an AND operator, you can combine them.
Add an Access Rule
1. Select Resource Access. The Resources page appears.
2. Select Access Rules. The Manage Access Rules page appears.
3. Click Add Access Rule. The Add Access Rule page appears.
4. Type a Display Name.
5. Click Add Rule. The Select Type of Access Rule page appears.
6. Select an access rule type for this rule. Click Next. The subsequent pages that you see depend on the type of access rule that you selected.
7. Complete the subsequent pages for the access rule type you selected. Click Next.
8. On the Summary page, confirm the settings for your access rule. Click Next.
9. To add another rule, repeat Steps 5 through 8.
10. If you have more than one rule and you want to combine them, select the Select Rule check box for the rules you want to combine and click Combine.
11. Click Next. The Confirm Access Rule Summary page appears.
12. Click Finish Wizard. The new Access Rule appears in the Registered Access Rules list.

Edit an Access Rule
1. Select Resource Access. The Resources page appears.
2. Select Access Rules. The Manage Access Rules page appears.
3. In the Registered Access Rules list, click the access rule you want to change. The Edit Access Rule page appears.
4. Update the settings for the rule.
5. Click Save.

Delete an Access Rule
1. Select Resource Access. The Resources page appears.
2. Select Access Rules. The Manage Access Rules page appears.
3. In the Registered Access Rules list, click the access rule you want to delete. The Edit Access Rule page appears.
4. Click Delete.
5. Click Yes.
6. Click Save.
Manage Global Access Rules

You can manage the global access rules that apply to all of your resources and SSO domains. You can select the Registered Access Rules that you have already created, or you can add a new access rule.
1. Select Resource Access. The Resources page appears.
2. Click Manage Global Access Rule. The Manage Global Access Rule page appears.
3. To select an existing rule, in the Available Access Rules list, select an access rule. Click Add. The rule appears in the Selected Access Rules list.
4. To add a new access rule, click Add Access Rule. The Add Access Rule, Select Type of Access Rule page appears.
5. Select an access rule type. Click Next. The subsequent pages that you see depend on the type of access rule that you selected.
6. Complete the subsequent pages for the access rule type you selected. Click Next. The access rule appears on the Manage Global Access Rule page in the Allow user access when list.
7. To add more access rules, repeat Steps 4 through 6.
8. Click Save. The global access rules are saved and the Manage Access Rules page appears.

About the Application Portal

The Application Portal is a web site on the WatchGuard SSL device where clients can connect to your corporate applications and resources from remote locations. In the Application Portal, the applications and resources appear as icons that your users can click; these are called Application Portal items. You can create Application Portal items for these resource types:
  Web resources
  Tunnel sets
  External sites

All Web resources and tunnel sets that you add to the Application Portal are automatically associated with an Application Portal item. You can also manually add Application Portal items for Web resources or tunnel sets. For Web resources, you can also configure shortcuts. These shortcuts allow your users to connect directly to a resource with a web browser rather than through the Application Portal. You can also add Application Portal items for external sites, such as external URIs that are not registered as Web resources.

About the Access Client

The WatchGuard SSL Access Client allows users to securely connect to your tunnel resources in the Application Portal. When users authenticate to the Application Portal and select a resource other than a Web resource, the on-demand Access Client launches to load the tunnel. You can choose to load the Access Client with an ActiveX loader or a Java Applet, or to run the VPN client in Java. When the user session ends, the on-demand Access Client closes and is not accessible to the user.

Your users can also choose to install the Access Client on their client computers. The installed Access Client is available when users are not authenticated to the Application Portal and can be configured separately.
Manage Application Portal Items

You can add, edit, and delete the resources that appear in the Application Portal.

Add an Application Portal Item
1. Select Resource Access. The Resources page appears.
2. Select Application Portal. The Manage Application Portal page appears.
3. Click Add Application Portal Item. The Application Portal Item page appears.
4. Select the resource type for this portal item. Click Next. The subsequent pages that you see depend on the resource type that you selected.
5. Complete the subsequent pages for the resource type you selected.
6. To enable the resource in the Application Portal, select the Make resource available in Application Portal check box. If you want to add the Application Portal item but not enable it, clear this check box.
7. Select an Icon for the resource.
8. Type the Link Text for the resource.
9. Click Finish Wizard. The resource appears in the Registered Application Portal Items list.
Edit an Application Portal item
1. Select Resource Access. The Resources page appears.
2. Select Application Portal. The Manage Application Portal page appears.
3. In the Registered Application Portal Items list, click the item you want to edit. The Edit Application Portal Item page appears.
4. Update the settings for the item.
5. Click Save.

Delete an Application Portal item
1. Select Resource Access. The Resources page appears.
2. Select Application Portal. The Manage Application Portal page appears.
3. In the Registered Application Portal Items list, click the item you want to delete. The Edit Application Portal Item page appears.
4. Click Delete.
5. Click Yes. The Application Portal item is removed from the Registered Application Portal Items list.
About SSO domains

Single Sign-On (SSO) is a session/user authentication process that allows users to authenticate with their user credentials one time to get access to several resources. When users authenticate with SSO, they have instant access to Application Portal items, and they do not have to authenticate again if they select a different item.

WatchGuard SSL SSO domains are configured to enable SSO for resources that share the same user credentials. The SSO domain specifies how SSO is used for the resources included in the domain. When user credentials are modified, the changes are automatically applied to all resources in the SSO domain.

When users first log on to the Application Portal with SSO, they are prompted for their credentials once for each SSO domain, when they select a resource that is in that SSO domain. The user credentials are then stored indefinitely on the WatchGuard SSL user account in the Local User Database. You can also choose to cache user credentials, in which case they are only valid during the user session. After users authenticate successfully, they can select different internal applications that are part of the SSO domain. They do not have to authenticate again each time they select a resource in the Application Portal.

Access rules
You add Access Rules to the SSO domain to define how and when Single Sign-On is used. The access rules you specify for the SSO domain apply only to the SSO functionality, not to the resources in the SSO domain. For example, if a user successfully connects to a resource in the SSO domain but the SSO access rule fails, the user can still select resources in the domain. However, the user must authenticate again for each resource.

Domain types
WatchGuard SSL SSO domains are available in these domain types:
  Text (default)
  Cookie
You can associate different domain attributes with the SSO domain for each domain type.

Text
This domain type is used to send user credentials as text, with different attributes that define the authentication information. Available domain attributes for this domain type:
  User name
  Password
  Domain

The domain attributes you add to the domain type depend on the authentication method you select. Standard domain attributes for the authentication methods are:

NTLM: All domain attributes for the domain type Text (user name, password, and domain) are added to the domain type.

Basic: The user name and password attributes are added to the domain type. Basic is the most commonly used authentication method for web environments.

Form-based: The user name and password attributes are added to the domain type. To use form-based logon for an SSO domain, you must design a web form for access to each resource in the SSO domain. You do this when you add or edit a resource.
Cookie
Cookie authentication is used to send authentication information in HTTP headers. When the domain type Cookie is used, a cookie is set on the device before it sends the proxy request to the back-end server. Use Cookie SSO for back-end applications that only read the authentication information at the first request. Available attributes are:
  Cookie name
  Cookie value
  Cookie secure
  Cookie domain

Manage SSO Domains

You can add, edit, and delete the Single Sign-On (SSO) domains that are available for resource access with SSO.

Add an SSO domain
1. Select Resource Access. The Resources page appears.
2. Select SSO Domains. The Manage SSO Domains page appears.
3. Click Add SSO Domain. The Add SSO Domain page appears.
4. Type a Display Name.
5. Select a Domain Type from the drop-down list.
6. Configure the settings for SSO Restrictions. If you select Cache on session only, SSO credentials are kept in memory only during the user session. If you do not select this option, SSO credentials are stored in the user account.
7. Click Next. The Domain Attributes page appears.
8. To add an attribute, click Add Domain Attribute. The Add Domain Attribute page appears.
9. Configure the settings for the attribute. If you set Referenced By to User Input, do not add a setting in the Attribute Value field. The attribute appears in the Registered Domain Attributes list.
10. Click Next. The Manage Access Rules page appears.
11. Select the access rules for this SSO domain. To add a new access rule, click Add Access Rule.
12. Click Next. The Add SSO Domain Summary page appears.
13. Click Finish Wizard. The SSO Domain appears in the Registered SSO Domains list.
Edit an SSO domain
1. Select Resource Access. The Resources page appears.
2. Select SSO Domains. The Manage SSO Domains page appears.
3. In the Registered SSO Domains list, click the domain you want to change. The Edit SSO Domains page appears.
4. Update the rule settings.
5. Click Save.

Delete an SSO domain
1. Select Resource Access. The Resources page appears.
2. Select SSO Domains. The Manage SSO Domains page appears.
3. In the Registered SSO Domains list, click the domain you want to delete. The Edit SSO Domains page appears.
4. Click Delete.
5. Click Yes. The SSO Domain is deleted and is removed from the Registered SSO Domains list.
Chapter 5 Manage System

About Manage System

To see and manage the overall configuration of your WatchGuard SSL system, from the WatchGuard SSL Web UI top menu, select Manage System. The Manage System submenu items are:

Authentication: Configure and manage the authentication methods and global authentication settings. For more information, see About authentication methods on page 149.

Certificates: Manage Certificate Authorities (CAs), Server Certificates, and Client Certificates. For more information, see About certificates on page 171.

Abolishment: Configure the settings for Abolishment (file removal, and Internet Explorer history and cache deletion). For more information, see About Abolishment on page 176.

Assessment: Configure settings for the client scans performed on clients that access a resource protected by an Assessment access rule. You can also configure other Assessment settings. For more information, see About Assessment on page 181.

Notification Settings: Configure the settings for e-mail and SMS notifications. For more information, see About notification settings on page 186.

Client Definitions: Configure the clients that can access resources. For more information, see Manage Client Definitions on page 195.

Delegated Management: Create and edit administrative roles with different configuration and monitoring responsibilities. For more information, see About delegated management on page 198.

Administration Service: Configure all settings for the Administration Service, including the port, certificate, and other settings. You can also restart the Administration Service. For more information, see About the Administration Service on page 203.

Device Settings: Configure settings for the Application Portal, performance, cipher suites, security, and session control. For more information, see Manage Device settings on page 207.

Device Update: Configure settings for the WatchGuard SSL device. From this page you can change time settings, upgrade the system software, reset the device to the factory default settings, and reboot the device. For more information, see Update the Device on page 216.

Network Configuration: Configure the network type (single or dual interface mode), the network settings for the Eth0 interface, and the network routes. For more information, see Network Configuration on page 219.

Restore Configuration: Restore the most recently published system configuration, or a configuration from an earlier date. For more information, see Restore a saved configuration on page 222.

Import/Export Configuration: Import and export the configuration data to or from an archive file. For more information, see Import or export the configuration.
About authentication methods

To configure supported authentication methods:

1. Select Manage System > Authentication. The Authentication page appears.
2. Complete these tasks:
   Add an authentication method on page 152
   Manage an Authentication Method on page 154
   Manage global authentication service settings on page 161
   Manage RADIUS configuration on page 166

Supported authentication methods

When you create an authentication method access rule, you add one or more authentication methods to the access rule. There are 16 supported authentication methods.

WatchGuard authentication methods:
  WatchGuard SSL Mobile Text
  WatchGuard SSL Web
  WatchGuard SSL Challenge
  WatchGuard SSL Password
  WatchGuard SSL Synchronized
For more information, see About WatchGuard SSL authentication methods on page 150.

Additional authentication methods:
  General RADIUS
  SecurID
  LDAP
  Active Directory
  Novell eDirectory
  Windows Integrated Login
  NTLM
  Basic
  User Certificate
  Form-Based Authentication
  Confidence Online
For more information, see About other authentication methods on page 151.
About WatchGuard SSL authentication methods

The WatchGuard SSL authentication methods are Web, Challenge, Synchronized, Mobile Text, and Password. All of these methods use the RADIUS protocol.

WatchGuard SSL Web
  You can use this method for authentication in a web browser. Users type their user IDs and a Java applet or ActiveX component is launched. The client prompts the user to enter a password or PIN. The password or PIN is then hashed and encrypted before it is returned to the server.

WatchGuard SSL Challenge
  You can use this method for authentication in a web browser, WAP client, or with a PDA. Users type their user IDs, and are prompted (challenged) to provide private information (the response) before they are allowed access. The challenge-response technique is most often used with a hardware token that generates the response. In WatchGuard SSL Challenge, the Mobile ID software client generates the response. Users type their PINs in the Mobile ID Challenge client and the Mobile ID software generates a one-time password (OTP). You can install the Mobile ID client on a mobile device such as a handheld PC or a cell phone, or on a laptop or desktop computer.

WatchGuard SSL Synchronized
  You can use this method for authentication in a web browser, WAP client, or with a PDA. Users type their user IDs and are prompted for a one-time password (OTP). In WatchGuard SSL Synchronized, an integrated software client (Mobile ID) generates the OTP. Users type their PINs in the Mobile ID Challenge client and the Mobile ID software generates the OTP. You can install the Mobile ID client on a mobile device, such as a handheld PC or a cell phone, or on your laptop or desktop computer.

WatchGuard SSL Mobile Text
  This method is based on a combination of a PIN and a one-time password (OTP) distributed through an SMS channel. For this method, users type the PIN on the web login page while an OTP is generated and distributed to the user's cell phone. All authentication and notification messages are sent through mobile text to the cell phone number or email address registered to that specific user account. You can use the WatchGuard SSL Mobile Text authentication method on a mobile device such as a handheld PC or a cell phone, as well as on a desktop PC or Macintosh computer. When you select Allow Two-step Authentication in the authentication method configuration, authentication is distributed over two sessions: the server sends the OTP to the mobile phone, and then the user logs on with the OTP.

WatchGuard SSL Password
  The WatchGuard SSL Password authentication method is based on static password authentication. A static password is created and maintained to authenticate remote access with a RADIUS client.

Download Mobile ID clients

The WatchGuard SSL authentication methods Challenge and Synchronized use the Mobile ID client to generate the OTP response that these methods use. The Mobile ID client is available on the WatchGuard web site software downloads page as a separate file. You can download this file and distribute the Mobile ID clients to your users to install on their mobile devices.
About other authentication methods

In addition to the WatchGuard SSL authentication methods, WatchGuard SSL supports these authentication methods.

General RADIUS
  This authentication method can be used with any RADIUS-compliant authentication server.

SecurID
  This method supports RSA SecurID tokens that generate a one-time password (OTP).

LDAP
  This method performs an LDAP bind.

Active Directory
  This method is an LDAP bind authentication method with the ability to allow users to change their passwords. This functionality is only supported with Microsoft Active Directory (AD) servers. The External Directory Service (your AD server) must be configured for SSL communication, since password changes are only allowed over SSL.

Novell eDirectory
  This method is an LDAP bind authentication method with the ability to allow users to change their passwords.

Windows Integrated Login
  This method allows the Windows domain credentials to be used automatically for authentication. When the Application Portal is protected by Windows Integrated Login authentication, Windows users do not have to type their credentials to log on to the Application Portal. Instead, the system gets the user credentials from the client.

NTLM
  The NTLM authentication method uses the NTLM authentication protocol used in various Microsoft network protocol implementations.

Basic
  This method performs basic authentication according to RFC 2617, HTTP Authentication: Basic and Digest Access Authentication.

User Certificate
  This method uses attribute mapping. The user is authenticated only if there is an exact match between the configured User Attribute and the Certificate Attribute.

Form-Based Authentication
  This authentication method uses HTML forms that you can edit. You can also add new HTML forms. The credentials submitted to the device are posted in the form for authentication. When the credentials are accepted, the user is authenticated and allowed access to the network.

Confidence Online
  This method uses the Confidence Online client for authentication.
Add an authentication method

You can add, edit, and delete authentication methods. By default, the five WatchGuard SSL authentication methods are enabled. You can add other supported authentication methods to the Registered Authentication Methods list.

To add an authentication method:

1. Select Manage System > Authentication. The Authentication page appears.
2. Select Add Authentication Method. The Add Authentication Method page appears.
3. Select an authentication method in the list. Click Next.
4. Configure the settings for the selected authentication method. Some of these settings do not apply to all authentication methods.

   Enable Authentication Method
     Select this check box to enable the new authentication method. To add this method but not enable it, clear this check box.

   Display Name
     The Display Name is the name that appears in the Application Portal for this authentication method.

   Template Name
     The Template Name is the name of the template that defines the appearance of the logon page when users log on with this authentication method. The name of the default template is filled in automatically.

   Template Specification
     For most authentication methods, you can select Manage Default Template Specification to customize the appearance of the Application Portal authentication page.

   Authentication Method Server
     For most authentication methods, you must specify an authentication method server to use for the authentication method.

   RADIUS replies
     The authentication methods that use RADIUS include some pre-defined RADIUS replies. You can edit these replies or add new ones. Each RADIUS reply consists of a Name, a RADIUS Reply Matching String, and a RADIUS Template Specification. The template specification controls how the reply appears to the user.

   Extended Properties
     You can define extended properties for some authentication methods to customize what happens when a user authenticates. You can edit the extended properties or add new ones. Each extended property includes a Key and a Value.

5. Click Finish Wizard to save the new authentication method.
Manage an Authentication Method

You can edit or delete the registered authentication methods.

To edit an authentication method:

1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Methods list, click the authentication method you want to edit. The Edit Authentication Method page appears.
3. Click the tabs to edit the authentication method configuration settings. For more information about the settings on each tab, see:
   Edit general settings on page 155
   Manage RADIUS replies on page 156
   Manage extended properties on page 159
4. Click Save.

To delete an authentication method:

1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Methods list, click the authentication method you want to delete. The Edit Authentication Method page appears.
3. Click Delete.
4. Click Yes. The authentication method is removed from the Registered Authentication Methods list.

Edit general settings

To edit the general settings for an authentication method:

1. On the Authentication page, click an authentication method to edit it. The Edit Authentication Method page appears.
2. Click the General Settings tab.
3. To disable the authentication method, clear the Enable Authentication Method check box.
4. Update the settings:

   Display Name
     The name that appears in the Application Portal for this authentication method.

   Template Name
     The name of the template that defines the appearance of the logon page when users log on with this authentication method.

   Template Specification
     For most authentication methods, you can click Manage Default Template Specification to customize the appearance of the login page.

   Authentication Method Server
     For most authentication methods, you must specify an authentication method server to use for the authentication method.

5. Click Save.
Manage RADIUS replies

The authentication methods that use RADIUS include some pre-defined RADIUS replies. You can add, edit, or delete RADIUS replies. Each RADIUS reply consists of a Name, a RADIUS Reply Matching String, and a Template Specification.

Add a RADIUS reply

1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Method list, click the method you want to edit. If the authentication method uses RADIUS replies, there is a RADIUS Replies tab.
3. Click the RADIUS Replies tab. The list of configured RADIUS replies appears.
4. Click Add RADIUS Reply. The Add RADIUS Reply page appears.
5. In the Display Name field, type the name of the RADIUS reply.
6. In the RADIUS Reply Matching String field, type the message to show the user for this RADIUS reply.
7. In the RADIUS Template Specification text box, type or paste the template for this RADIUS reply.
8. Click Add. The reply appears in the Registered RADIUS Replies list.
9. Click Save.

Edit a RADIUS reply

1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Method list, click the method you want to edit. If the authentication method uses RADIUS replies, there is a RADIUS Replies tab.
3. Click the RADIUS Replies tab. The list of configured RADIUS replies appears.
4. In the Registered RADIUS Replies list, click the reply you want to edit. The Edit RADIUS Reply page appears.
5. Edit the reply information.
6. Click Update. The updated reply appears in the Registered RADIUS Replies list.
7. Click Save.

Delete a RADIUS reply

1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Method list, click the method you want to edit. If the authentication method uses RADIUS replies, there is a RADIUS Replies tab.
3. Click the RADIUS Replies tab. The list of configured RADIUS replies appears.
4. In the Registered RADIUS Replies list, click the reply you want to delete. The Edit RADIUS Reply page appears.
5. Edit the reply information.
6. Click Update. The updated reply appears in the Registered RADIUS Replies list.
7. Click Save.
Manage extended properties

You can add, edit, or delete extended properties for some authentication methods. Extended properties define what happens when a user authenticates with each method. When you add an authentication method, you can specify settings with extended properties. These include, for example, Save credentials for SSO domain, Allow unknown user ID, Lock user ID for session, and many more, depending on the authentication method you choose.

Each extended property consists of a Key and a Value. When you edit an extended property, you can only change the Value field. If you want to change the Key field, you must delete the extended property and add a new one with the correct Key and Value pair.

Add an extended property

1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Methods list, click the authentication method you want to edit. The Edit Authentication Method page appears.
3. Click the Extended Properties tab.
4. Click Add Extended Property. The Add Extended Property page appears.
5. Select a Key in the drop-down list.
6. In the Value drop-down list, select whether the Key is true or false.
7. Click Add. The extended property appears in the Registered Extended Properties list.
8. Click Save.

Edit an extended property

1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Methods list, click the authentication method you want to edit. The Edit Authentication Method page appears.
3. Click the Extended Properties tab. The list of registered extended properties appears.
4. In the Registered Extended Properties list, click the extended property you want to edit. The Edit Extended Property page appears.
5. Update the Value.
6. Click Update.
7. Click Save.

Delete an extended property

1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Methods list, click the authentication method you want to edit. The Edit Authentication Method page appears.
3. Click the Extended Properties tab.
4. In the Registered Extended Properties list, click the extended property you want to delete. The Edit Extended Property page appears.
5. Click Delete.
6. Click Yes.
7. Click Save.
Manage global authentication service settings

You can manage the authentication settings that apply to all authentication methods.

1. Select Manage System > Authentication. The Registered Authentication Methods page appears.
2. Click Manage Global Authentication Settings. The Global Authentication Service Settings page appears.
3. Click a tab to configure the settings:
   Manage global RADIUS authentication settings on page 162
   Manage password and PIN requirements on page 163
   Manage email authentication settings on page 164
   Manage SMS and screen message settings on page 164
4. Click Save.
Manage global RADIUS authentication settings

You can configure the settings for RADIUS authentication.

1. Select Manage System > Authentication. The Registered Authentication Methods page appears.
2. Click Manage Global Authentication Settings. The Global Authentication Service Settings page appears.
3. Click the RADIUS Authentication tab and configure the settings. The RADIUS Authentication page appears. For more information about the settings, see the subsequent sections.
4. Click Save.

RADIUS Authentication settings

Drop unknown sessions
  When selected, access requests by unknown RADIUS sessions are dropped without notification. If this option is not selected, the server sends the reply Access Denied.

Drop unknown users
  When selected, access requests by unknown users are dropped without notification. If this option is not selected, the request is accepted, but the authentication fails and the server sends an access reject message. This setting can be useful for chained authentication.

Proxy unknown users
  When selected, unknown users are authenticated with another RADIUS server: the server tries to proxy the request to the configured RADIUS back-end server. If the request is not serviced, the server responds with the action set for Drop unknown users. Proxy unknown users takes precedence over Drop unknown users if both are selected.

Reveal reject reason
  When selected, the reason why a request is rejected is sent to the RADIUS client.

Session Timeout
  The number of seconds before the RADIUS session times out. If a RADIUS session is not used before this amount of time passes, the session ends and this value is reset. The default value is 180 seconds.

RADIUS Encoding
  When the system receives a RADIUS packet, it converts the data to strings that match the UTF-8 standard. Some RADIUS clients do not support UTF-8. For these RADIUS clients, you can specify another encoding. The default value is UTF-8.
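How the unknown-session and unknown-user options above combine, including the precedence of Proxy unknown users over Drop unknown users and the 180-second session timeout, as an added example that is not WatchGuard code; the session table, session ids and outcome labels are constructed for illustration.

```python
from dataclasses import dataclass, field

DEFAULT_SESSION_TIMEOUT = 180   # seconds, the guide's default Session Timeout


@dataclass
class RadiusSettings:
    drop_unknown_sessions: bool = False
    drop_unknown_users: bool = False
    proxy_unknown_users: bool = False
    reveal_reject_reason: bool = False
    session_timeout: int = DEFAULT_SESSION_TIMEOUT


@dataclass
class SessionTable:
    """When each RADIUS session (keyed by a constructed session id) was last used."""
    timeout: int = DEFAULT_SESSION_TIMEOUT
    last_used: dict = field(default_factory=dict)

    def touch(self, session_id, now):
        self.last_used[session_id] = now

    def is_known(self, session_id, now):
        """A session not used within the timeout has ended; using it resets the timer."""
        last = self.last_used.get(session_id)
        if last is None or now - last > self.timeout:
            self.last_used.pop(session_id, None)
            return False
        self.last_used[session_id] = now
        return True


def handle_access_request(settings, sessions, session_id, user_known, now,
                          proxy_serviced=False):
    """Decide what the server does with one Access-Request.

    Returns (outcome, reason). outcome is one of:
      'drop'           discarded silently, no reply is sent
      'access-denied'  reply for an unknown session when dropping is off
      'access-reject'  reply for an unknown user when dropping is off
      'proxied'        forwarded to and serviced by a RADIUS back-end server
      'authenticate'   known session and user; normal authentication continues
    reason is attached to a reject only when 'Reveal reject reason' is on.
    """
    def reject(outcome, why):
        # Revealing the reason also tells the client whether a user id exists,
        # so keep this off unless the RADIUS client needs the detail.
        return outcome, (why if settings.reveal_reject_reason else None)

    if not sessions.is_known(session_id, now):
        if settings.drop_unknown_sessions:
            return "drop", None
        return reject("access-denied", "unknown session")

    if not user_known:
        # 'Proxy unknown users' takes precedence over 'Drop unknown users'.
        if settings.proxy_unknown_users and proxy_serviced:
            return "proxied", None
        # Not proxied (option off, or the back end did not service the request):
        # fall back to whatever 'Drop unknown users' says.
        if settings.drop_unknown_users:
            return "drop", None
        return reject("access-reject", "unknown user")

    return "authenticate", None
```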
Manage password and PIN requirements

You can configure the global password and PIN settings for WatchGuard authentication methods.

1. Select Manage System > Authentication. The Registered Authentication Methods page appears.
2. Click Manage Global Authentication Settings. The Global Authentication Service Settings page appears.
3. Click the Password/PIN Settings tab and configure the settings. For more information about these settings, see the subsequent sections.
4. Click Save.

Password/PIN Settings

For each setting, the default values appear in parentheses.

WatchGuard SSL Mobile Text
  The minimum (6) and maximum (16) number of characters.
  The minimum number of letters (2) and numbers (2).
  The password expiration period in days (90). When set to zero, the password does not expire.
  The password history size (5). When users change their passwords, they cannot use any of the passwords saved in the password history.
  The OTP (one-time password) length in number of characters (6).
  The alphabet base for the OTP. The default value excludes characters and numbers that can easily be confused, such as 0/o/O and 1/i/I/l/L (abcdefghjkmnpqrstuvxyzABCDEFGHJKMNPQRSTUVXYZ).
  The notification message the user sees for the OTP.
  Allow two-step authentication. When selected, authentication is split in two sessions: one to make the server send the OTP to the mobile phone, and one to log in with the OTP.

WatchGuard SSL Web
  The minimum (6) and maximum (16) number of characters.
  The minimum number of letters (2) and numbers (2).
  The password expiration period in days (90). When set to zero, the password does not expire.
  The password history size (5). When users change their passwords, they cannot use any of the passwords saved in the password history.
  Keyboard appearance: Fixed, Shift, or Random (Random).
  Allow use of desktop keyboard for numbers (off).

WatchGuard SSL Challenge
  The PIN expiration period in days (90). When set to zero, the PIN does not expire.
  The PIN history size in number of PINs (5). When users change their PINs, they cannot reuse any of the PINs saved in the PIN history.
  Support value signing (off).
  Direct PIN change (off).

WatchGuard SSL Password
  The minimum (6) and maximum (16) number of characters.
  The minimum number of letters (2) and numbers (2).
  The password expiration period in days (90). When set to 0, the password does not expire.
  The password history size (5). When users change their passwords, they cannot use any of the passwords saved in the password history.
  The OTP (one-time password) length in number of characters (6).

WatchGuard SSL Synchronized
  The PIN expiration period in days (90). When set to 0, the PIN does not expire.
  The PIN history size in number of PINs (5). When users change their PINs, they cannot reuse any of the PINs saved in the PIN history.
  Offset before prompt: the number of login attempts allowed before the user is prompted for a new OTP (3).
  Offset before access denied: the number of login attempts allowed before the user is denied access (10).
  Direct PIN change.

Manage email authentication settings

You can configure the settings for the notification messages that are sent to users when they get new passwords, PINs, or seeds on the Email Messages tab.

1. Select Manage System > Authentication. The Registered Authentication Methods page appears.
2. Click Manage Global Authentication Settings. The Global Authentication Service Settings page appears.
3. Click the Email Messages tab and configure the settings. For more information about the settings, see the subsequent sections.
4. Click Save.

Email Settings

Email Addresses
  Type the email addresses of any additional recipients you want to get notifications about new or changed passwords, PINs, or seeds.

Email Messages
  Modify the message used to notify users about changes to their authentication credentials. You can change the text used in the message to notify users about each type of password, PIN, or seed change.

WatchGuard Authentication Method Email Messages
  For each WatchGuard authentication method, you can set the messages that users see when they get a new password, PIN, or seed in an email message.

Manage SMS and screen message settings

You can configure the SMS/Screen messages that users get for new or changed passwords, PINs, or seeds. General settings include the header and footer of the SMS/Screen message. You can also specify different password, PIN, or seed messages for each authentication method.

1. Select Manage System > Authentication. The Registered Authentication Methods page appears.
2. Click Manage Global Authentication Settings. The Global Authentication Service Settings page appears.
3. Click the SMS/Screen Messages tab and configure the settings.
4. Click Save.
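The default Password/PIN Settings listed above (6 to 16 characters, at least 2 letters and 2 digits, a 5-entry history, 90-day expiry, and a 6-character OTP from the guide's default alphabet) enforced in code, as an added example that is not WatchGuard code; the salted-hash history store is constructed for illustration, since the guide does not describe the device's own storage.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Default OTP alphabet quoted in the guide. Confusable characters and digits
# (0/o/O, 1/i/I/l/L) are excluded so that an OTP read from an SMS is unambiguous.
DEFAULT_OTP_ALPHABET = "abcdefghjkmnpqrstuvxyzABCDEFGHJKMNPQRSTUVXYZ"


class PasswordHistory:
    """Keeps salted PBKDF2 digests of previous passwords, never the passwords themselves."""

    def __init__(self):
        self._entries = []          # list of (salt, digest), oldest first

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def remember(self, password):
        salt = secrets.token_bytes(16)
        self._entries.append((salt, self._digest(password, salt)))

    def contains(self, candidate, history_size):
        """True if candidate matches one of the last history_size remembered passwords."""
        recent = self._entries[-history_size:] if history_size > 0 else []
        return any(hmac.compare_digest(self._digest(candidate, salt), digest)
                   for salt, digest in recent)


class PasswordPolicy:
    def __init__(self, min_len=6, max_len=16, min_letters=2, min_digits=2,
                 expiry_days=90, history_size=5, otp_length=6,
                 otp_alphabet=DEFAULT_OTP_ALPHABET):
        self.min_len, self.max_len = min_len, max_len
        self.min_letters, self.min_digits = min_letters, min_digits
        self.expiry_days, self.history_size = expiry_days, history_size
        self.otp_length, self.otp_alphabet = otp_length, otp_alphabet

    def check(self, candidate, history):
        """Return the list of rule violations; an empty list means the password is acceptable."""
        problems = []
        if not self.min_len <= len(candidate) <= self.max_len:
            problems.append(f"length must be {self.min_len}-{self.max_len} characters")
        if sum(c.isalpha() for c in candidate) < self.min_letters:
            problems.append(f"at least {self.min_letters} letters required")
        if sum(c.isdigit() for c in candidate) < self.min_digits:
            problems.append(f"at least {self.min_digits} digits required")
        if history.contains(candidate, self.history_size):
            problems.append(f"password was used within the last {self.history_size} passwords")
        return problems

    def is_expired(self, set_on, today):
        """An expiration period of 0 means the password never expires."""
        if self.expiry_days == 0:
            return False
        return (today - set_on).days > self.expiry_days

    def generate_otp(self):
        """OTP drawn with the secrets module (a CSPRNG), not the random module."""
        return "".join(secrets.choice(self.otp_alphabet) for _ in range(self.otp_length))
```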
Manage RADIUS configuration

You configure RADIUS settings for each available authentication method to accept, reject, or challenge the request. You can also choose to send authentication requests to an authentication server that uses third-party authentication methods such as RSA SecurID. To do this, you must add a RADIUS back-end server as an authentication server. You can use one or several RADIUS back-end servers simultaneously.

To add the RADIUS configuration methods:

1. Select Manage System > Authentication. The Authentication page appears.
2. Click RADIUS Configuration. The Manage RADIUS Configuration page appears.
3. Configure the RADIUS client settings:
   Add a RADIUS client
   Edit or delete a RADIUS client
   Add a RADIUS Back-End Server
   Edit or delete a RADIUS Back-End Server

Add a RADIUS client

On the Manage RADIUS Configuration page, you can add a RADIUS client.

1. Click Add RADIUS Client. The Add RADIUS Client page appears.
2. In the IP Address field, type the IP address for this RADIUS client.
3. Type and verify the Shared Secret.
4. If your RADIUS client requires attributes, configure them in the Attributes section. You can configure three types of attributes:
   Accept Attributes
   Challenge Attributes
   Reject Attributes
5. Click Save.

Edit or delete a RADIUS client

On the Manage RADIUS Configuration page, you can edit or delete a RADIUS client.

To edit a RADIUS client:

1. In the Registered RADIUS Clients list, click the IP address of a client. The Edit RADIUS Client page appears.
2. Configure the settings for the client.
3. Click Save.

To delete a RADIUS client:

1. In the Registered RADIUS Clients list, click the IP address of a client. The Edit RADIUS Client page appears.
2. Click Delete.
3. Click Yes. The client you selected is deleted and removed from the Registered RADIUS Clients list.

Add a RADIUS Back-End Server

On the Manage RADIUS Configuration page, you can add a RADIUS back-end server.

1. Click Add RADIUS Back-End Server. The Add RADIUS Back-End Server page appears.
2. In the Display Name field, type the name of this server.
3. In the Host field, type the IP address of the RADIUS back-end server.
4. If necessary, change the default values in the Port and Timeout fields.
5. Type and verify the Shared Secret for this RADIUS server.
6. Click Save. The server you added appears in the Registered RADIUS Back-End Servers list.

Edit or delete a RADIUS Back-End Server

On the Manage RADIUS Configuration page, you can edit or delete a RADIUS back-end server.

To edit a RADIUS back-end server:

1. In the Registered RADIUS Back-End Servers list, click the display name of a server.
2. Configure the settings for the back-end server.
3. Click Save.

To delete a RADIUS back-end server:

1. In the Registered RADIUS Back-End Servers list, click the IP address of a back-end server. The Edit RADIUS Back-End Servers page appears.
2. Click Delete.
3. Click Yes. The server you selected is deleted and removed from the Registered RADIUS Back-End Servers list.
About certificates

Certificates are a type of digital signature that matches the identity of a person or organization with an encryption method. This method is a security component called a key pair: two mathematically related numbers called the private key and the public key. A certificate includes both a statement of identity and a public key, and is signed by a private key.

The private key used to sign a certificate request can be from the same person or organization that originally created the certificate, or from a certificate authority. If the private key is from the same person or organization that created the certificate, the result is called a self-signed certificate. If the private key is from a certificate authority (CA), the result is called a CA certificate. A certificate authority is an organization or application that creates, signs, and disables certificates. Most applications and devices have a list of trusted CAs whose certificates are automatically accepted.

Certificate lifetimes and CRLs

When a certificate is created, it has a set lifetime. At the end date of the certificate lifetime, the certificate expires and can no longer be used. Sometimes, certificates are revoked, or disabled by the CA, before the expiration. To cancel a client certificate that has already been issued, the client certificate validation routine checks against a list of canceled client certificates. This list is called a Certificate Revocation List (CRL). The CRL is distributed through a CRL Distribution Point (CDP). The supported CDP protocols are HTTP and LDAP. You configure whether to use the CRL when you add a Certificate Authority.

Certificate authorities and signing requests

To create a third-party certificate, you put the public part of a cryptographic key pair in a certificate signing request (CSR) and send the request to a CA. It is important that you use a new key pair for each CSR you create. The CA issues a certificate after it receives the CSR and verifies your identity. You can also use tools such as OpenSSL or the Microsoft CA Server that comes with most Windows Server operating systems to create a CSR. If you do not have a PKI (public key infrastructure) set up in your organization, we recommend that you choose a prominent CA to sign your CSR. If a prominent CA signs your certificate, your certificate is automatically trusted by most users. WatchGuard has tested certificates signed by VeriSign, Microsoft CA Server, Entrust, and RSA KEON.

Manage Certificates

In the WatchGuard SSL Web UI, you manage Certificate Authorities, server certificates, and client certificates. For more information, see:
  Add a Certificate Authority on page 171
  Add a server certificate on page 174
  Edit or delete a Server Certificate on page 175
  Manage client certificate settings on page 176

Add a Certificate Authority

A certificate authority (CA) issues the client certificates used for authentication. For the WatchGuard SSL device to authenticate a user with a client certificate, you must upload a CA certificate. You register certificate authorities (CAs) to be used for validation of certificates. You type a Display Name for the CA and specify a CA certificate file. You then select whether to use a certificate revocation list (CRL) or to perform no revocation checks at all. If you enable CRL checking, the Add Certificate Authority wizard includes an additional step to configure a Control Distribution Point for the CRL.
178 Manage System Configure CA general settings 1. Select Manage System > Certificates. The Manage Certificates page appears. 2. Click Add Certificate Authority. The Add Certificate Authority General Settings page appears. 3. Select the Enable Certificate Authority check box. 4. Type a Display Name for this Certificate Authority. 5. In the CA Certificate field, select the location of the certificate for your CA. The certificate must be in a PEM or DER format. 6. In the Revocation Control section, select the CRL radio button to enable certificate revocation checking. CRL checking is enabled by default. If you do not want to do CRL checking, select the No certificate revocation checking should be performed radio button. 172 WatchGuard SSL 100
179 Manage System 7. If you did not enable CRL checking, skip to Step 8. If you enabled CRL checking, click Next to specify at least one control distribution point (CDP). For more information, see the subsequent section. 8. Click Finish Wizard. Configure Control Distribution Points If you enable CRL checking for your CA, you must specify at least one Control Distribution Point (CDP). The CDP verifies the certificates issued by the CA. To add a CDP, click Add Control Distribution Point on the second page of the Add Certificate Authority wizard. Specify settings for these fields: Address The address can be an LDAP address (RFC2255) or an HTTP address. Example LDAP address: ldap:// /cn=win2k%20root%20ca,cn=test-win2kad, CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=win2kad, DC=examplecompany,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint Example HTTP address: Fetch Time Adjustment Adjusted time in seconds when revocation information is retrieved, compared to the time when revocation information is set to be retrieved. The allowed interval is This option is useful when there is latency when the CA issues a new CRL. Latency can occur if there are replicated directories involved. This option is set to zero (0) by default. Update Time Select this option to configure a custom update time. When not selected, the attribute Next Update Time from the CRL is used. This option is not selected by default. Retry Interval Interval in seconds before the system tries to contact the CRL again, if the CRL cannot be accessed. The allowed interval is seconds, or a maximum of 365 days. The Retry Interval is set to 300 seconds by default. You must also specify the action to take if the CRL cannot be retrieved from the CDP. In the CRL Invalid Action section, select one of these options: Authentication is denied If a valid CRL cannot be retrieved, deny authentication for all users. 
Authentication is allowed, previous CRL is used
If a valid CRL cannot be retrieved, use the previously retrieved CRL for certificate revocation control. If a user authenticates with an invalid CRL, this event is written to the log file. This is the fail-open choice: logon keeps working through a CDP outage, but a certificate the CA revoked after the last successful retrieval is still accepted until the CDP is reachable again. Alert on these log events rather than treating them as routine.
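The interaction between Retry Interval, Fetch Time Adjustment, Update Time and the two CRL Invalid Action choices is easier to see on a timeline than in prose. The following Python is an added example, not code from this guide or from the WatchGuard product: it models the retrieval policy described above against a scripted distribution point, with constructed CRLs whose contents (serial numbers 1 and 2, the nextUpdate times) are invented for the illustration. Serial 2 is revoked only in the CRL that the device fails to fetch, which is exactly the certificate that the fail-open setting lets through.

```python
"""Simulated CDP retrieval policy: Retry Interval, Fetch Time Adjustment, Update Time and
CRL Invalid Action applied to a scripted distribution point (added example)."""
import logging
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional

log = logging.getLogger("crl-policy")


class CdpUnreachable(Exception):
    """The distribution point did not return a CRL."""


@dataclass(frozen=True)
class Crl:
    revoked_serials: FrozenSet[int]
    next_update: float  # the CRL's own nextUpdate field, as seconds since the epoch


@dataclass
class CdpPolicy:
    fetch: Callable[[], Crl]              # retrieves the CRL from the CDP address
    retry_interval: float = 300.0         # seconds before the CDP is tried again after a failure
    fetch_time_adjustment: float = 0.0    # seconds added to the scheduled retrieval time
    update_time: Optional[float] = None   # custom refresh period; None means use the CRL's nextUpdate
    allow_previous: bool = False          # CRL Invalid Action: False = deny, True = use previous CRL
    crl: Optional[Crl] = None
    crl_valid: bool = False
    next_fetch: float = 0.0               # retrieve on first use

    def refresh_if_due(self, now: float) -> None:
        if now < self.next_fetch:
            return
        try:
            self.crl = self.fetch()
        except CdpUnreachable:
            self.crl_valid = False
            self.next_fetch = now + self.retry_interval
            if self.crl is not None and self.allow_previous:
                log.warning("CDP unreachable; continuing with the previously retrieved CRL")
            return
        self.crl_valid = True
        scheduled = now + self.update_time if self.update_time is not None else self.crl.next_update
        self.next_fetch = scheduled + self.fetch_time_adjustment

    def check(self, serial: int, now: float) -> str:
        """Decide a certificate logon for the certificate with this serial number."""
        self.refresh_if_due(now)
        if self.crl is None or (not self.crl_valid and not self.allow_previous):
            return "denied: no valid CRL"
        if serial in self.crl.revoked_serials:
            return "denied: revoked"
        if not self.crl_valid:
            log.warning("serial %d accepted against a stale CRL", serial)
            return "allowed (stale CRL)"
        return "allowed"


def scripted_cdp(responses: List[object]) -> Callable[[], Crl]:
    """Fake CDP: returns the scripted Crl objects in turn and raises the scripted exceptions."""
    queue = list(responses)

    def fetch() -> Crl:
        item = queue.pop(0)
        if isinstance(item, Exception):
            raise item
        return item

    return fetch


def scenario(allow_previous: bool) -> List[str]:
    """Constructed timeline: the CDP answers at t=0, is down when the CRL expires at t=1000,
    and answers again with a newer CRL at the first retry (t=1300, the 300 s default).
    Serial 2 is revoked in the newer CRL only."""
    policy = CdpPolicy(
        fetch=scripted_cdp([
            Crl(frozenset({1}), next_update=1000.0),
            CdpUnreachable(),
            Crl(frozenset({1, 2}), next_update=5000.0),
        ]),
        allow_previous=allow_previous,
    )
    return [policy.check(2, now=0.0), policy.check(2, now=1000.0), policy.check(2, now=1300.0)]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("Authentication is denied:               ", scenario(allow_previous=False))
    print("Authentication is allowed, previous CRL:", scenario(allow_previous=True))
```

With the fail-closed setting the middle check returns "denied: no valid CRL" for every user during the outage; with the fail-open setting it returns "allowed (stale CRL)" for serial 2, which the CA had already revoked. Whichever you choose, the Retry Interval bounds how long that window lasts, and a positive Fetch Time Adjustment delays the first retrieval after nextUpdate by the same amount for every CRL, so keep it to the replication lag you have actually measured.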
Add a server certificate

You must add at least one server certificate to use when the device communicates with end users. Two encodings are involved:

DER is the binary encoding defined by the ASN.1 Distinguished Encoding Rules. A DER file can hold a private key, a public key, or a certificate, and it is the format most browsers use when they export a certificate.

PEM is the default format for OpenSSL. It is the same DER data, Base64 encoded and wrapped in ASCII header and footer lines (for a certificate, -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), which makes it suitable for text-mode transfers between systems.

To add a server certificate:

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. Click Add Server Certificate. The Add Server Certificate General Settings page appears.
3. Type a Display Name for this server certificate.
4. In the Certificate field, select the location of the certificate for your server. The certificate must be in PEM format.
5. In the Key field, select the location of the private key for the server certificate. The key must be a PKCS#8 key in either DER or PEM format. A key in the traditional OpenSSL formats (-----BEGIN RSA PRIVATE KEY----- or -----BEGIN EC PRIVATE KEY-----) is not PKCS#8; convert it first with openssl pkcs8 -topk8.
6. In the Password field, if the key is encrypted, specify the password that decrypts it.
7. Click Save to save the server certificate. The certificate you added appears in the Registered Server Certificates list.

To see details about a server certificate:

1. In the Registered Server Certificates list, click the certificate.
2. Click View Certificate Details.

For more information about how to edit certificates, see Edit or delete a Server Certificate on page 175.
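The upload form rejects a key that is not PKCS#8, and the rejection is easier to avoid than to debug. The following Python is an added example, not code from this guide or from WatchGuard: it decides from the PEM label, or for a DER file from the outer ASN.1 structure, whether a key is already PKCS#8 (unencrypted or encrypted) or one of the traditional PKCS#1/SEC1 formats that must be converted first, and it shows the PEM/DER wrapping described above in code. The same rule applies to the client certificate key later in this section. The test keys are constructed placeholders (a PKCS#8 Ed25519 structure around an all-zero seed, and bare SEC1 and EncryptedPrivateKeyInfo skeletons); they are structurally valid but are not real keys.

```python
"""Classify a private key file as PKCS#8 (accepted by the device) or traditional (added example)."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04


def pem_to_der(data: bytes):
    """Return (label, der) for the first PEM block, or (None, data) if the input is already DER."""
    m = PEM_RE.search(data)
    if not m:
        return None, data
    return m.group(1).decode(), base64.b64decode(b"".join(m.group(2).split()))


def der_to_pem(label: str, der: bytes) -> bytes:
    """Base64 the DER and wrap it in the ASCII header and footer lines, 64 characters per line."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), body, label.encode())


def der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def child_tags(value: bytes):
    """Tags of the elements nested directly inside a constructed value."""
    tags, pos = [], 0
    while pos < len(value):
        tag, _, pos = der_tlv(value, pos)
        tags.append(tag)
    return tags


def classify_key(data: bytes) -> str:
    label, der = pem_to_der(data)
    if label == "PRIVATE KEY":
        return "pkcs8"
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    if label in ("RSA PRIVATE KEY", "EC PRIVATE KEY"):
        return "traditional"  # PKCS#1 / SEC1: run openssl pkcs8 -topk8 before uploading
    if len(der) < 2:
        return "unknown"
    tag, body, _ = der_tlv(der)
    if tag != SEQUENCE:
        return "unknown"
    kids = child_tags(body)
    if kids[:3] == [INTEGER, SEQUENCE, OCTET_STRING]:
        return "pkcs8"             # PrivateKeyInfo: version, AlgorithmIdentifier, privateKey
    if kids[:2] == [SEQUENCE, OCTET_STRING]:
        return "pkcs8-encrypted"   # EncryptedPrivateKeyInfo: AlgorithmIdentifier, encryptedData
    if kids[:2] in ([INTEGER, INTEGER], [INTEGER, OCTET_STRING]):
        return "traditional"       # RSAPrivateKey (PKCS#1) or ECPrivateKey (SEC1)
    return "unknown"


# Constructed placeholders, not real keys.
PKCS8_ED25519_DER = bytes.fromhex("302e020100300506032b657004220420") + bytes(32)   # RFC 8410 layout
SEC1_EC_DER = bytes.fromhex("30250201010420") + bytes(32)                          # RFC 5915 skeleton
ENCRYPTED_PKCS8_DER = bytes.fromhex("300b300506032b657004020000")                  # structure only

if __name__ == "__main__":
    for name, blob in (("pkcs8 DER", PKCS8_ED25519_DER), ("pkcs8 PEM", der_to_pem("PRIVATE KEY", PKCS8_ED25519_DER)),
                       ("sec1 DER", SEC1_EC_DER), ("sec1 PEM", der_to_pem("EC PRIVATE KEY", SEC1_EC_DER))):
        print(name, "->", classify_key(blob))
```

Only the outer structure is inspected, which is all the distinction needs; the parser does not validate the key material. A "traditional" verdict means the file will not upload as-is.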
Edit or delete a Server Certificate

You can edit or delete the server certificate that the device uses when it communicates with end users.

To edit a server certificate:

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. In the Registered Server Certificates list, click the display name of the server certificate you want to edit. The Edit Server Certificates General Settings page appears.
3. To see details about the certificate, click View Certificate Details.
4. Update the settings for the server certificate.
5. Click Save.

To delete a server certificate:

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. In the Registered Server Certificates list, click the display name of the server certificate you want to delete. The Edit Server Certificates General Settings page appears.
3. Click Delete.
4. Click Yes.
Manage client certificate settings

You can add and edit the PEM formatted client certificate, and its private key, that the device uses to authenticate itself to resources that require a client certificate. You can specify only one client certificate.

To add or edit a client certificate:

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. Click Manage Client Certificate Settings. The Add Client Certificate page appears.
3. Type a Display Name for this client certificate.
4. In the Certificate field, select the location of the client certificate. The certificate must be in PEM format.
5. In the Key field, select the location of the private key for the client certificate. The key must be a PKCS#8 key in either DER or PEM format.
6. In the Password field, specify a password to use if the private key is encrypted.
7. Click Save.

About Abolishment

Abolishment is an End-Point Security feature that monitors the files and stored browser data on a client during a user session, and then automatically deletes the browser data and files that were downloaded or created during the user session. You can configure the types of files and browser data that Abolishment deletes when the session ends. You can configure Abolishment to delete the changed files automatically, or to notify the user and let the user choose which items to delete.

You can use Abolishment for access control. When you protect a resource with an Abolishment Access Rule, the Abolishment settings specify what type of files are deleted on the client after the session is completed. When a user attempts to connect to the resource, access is allowed only if the Abolishment client is running. This ensures that Abolishment can be performed when the session is completed.

Abolishment runs as client-side code in the user's browser session. It reduces the residue a session leaves on a shared or public computer, but it cannot be enforced against a user, or malware, that controls the client, so treat it as hygiene rather than as data loss prevention.

WatchGuard SSL supports Abolishment on Microsoft Windows clients. When the user is notified about Abolishment, the Abolishment client is called the End-Point Integrity client.
To manage Abolishment settings:

1. Select Manage System > Abolishment. The Manage Abolishment page appears.
2. Configure Abolishment settings on these tabs:
   General Settings
   Cache Cleaner settings
   Advanced Settings
3. Click Save.
Configure General Settings

You can configure the settings used by Abolishment Access Rules to determine which file types to monitor on the client. You also configure whether to notify the user at the completion of the session about all monitored files that were downloaded or created. If you select to notify the user, the user can choose which files to delete. If you do not notify the user, at the end of the session the Abolishment client automatically deletes the monitored files that were downloaded or created during the session.

1. Select Manage System > Abolishment. The Manage Abolishment page appears.
2. Select the General Settings tab. The General Settings page appears.
3. Configure the settings to monitor and delete downloaded files. For more information about these settings, see the subsequent section.
4. Click Save.

General Settings

Monitor Downloaded Files
Specify the file types to monitor during a user session. You can only monitor files on Windows clients. By default, the file types that are monitored for abolishment are htm, pdf, txt, doc, xls, ppt, exe, and zip. A file type that is not in this list is never monitored and never deleted, so extend the list to cover the formats your protected resources actually serve.

Delete Downloaded Files
Specify whether to delete monitored files that have been created or downloaded during the session when the session ends, and whether to notify the user and let the user select which files to delete. You can configure these settings:

Enable Delete
To delete monitored files that have changed at the end of the session, select this check box.
Notify User
To show the user a message at the end of the session, select this check box. This message includes information about which files have been downloaded or created, and allows the user to select which files to delete.

Notification Message
If you select the Notify User check box, type the message that users see with the list of files to delete.

Configure Cache Cleaner settings

You can configure settings that control the deletion of cached Internet Explorer web content and the browser history created during the user session.

1. Select Manage System > Abolishment. The Manage Abolishment page appears.
2. Select the Cache Cleaner tab. The Cache Cleaner page appears.
3. Configure the settings to delete cached Internet content and browser history. For more information about these settings, see the subsequent section.
4. Click Save.

Cache Cleaner settings

Delete the Internet Explorer history and typed URLs
Select this check box to delete the Internet Explorer browser history and the web site addresses that the user typed during the session. This is not selected by default.

Delete the browser cache entries
Select this check box to delete the cached pages in the Internet Explorer browser. You can use the URL filter to specify which cached pages to delete. This is not selected by default.

URL Filter
Type the URL pattern of the files to remove from the browser cache. The Abolishment client monitors the cached files in the Windows Temporary Internet Files folder. At the end of the session, the Abolishment client deletes all cached files that match the URL filter and that were created during the session. You can use a wildcard (*). If you use the * wildcard character alone, the Abolishment client deletes all cache entries created during the user session. This is the default setting. Here are some other examples of URL filters:

https*
Removes all cache entries downloaded from a secure server during the user session.

A pattern that names one server followed by *
Removes all cache entries from the specified server during the user session.
Configure Advanced settings

You can configure the settings that control how Abolishment works.

1. Select Manage System > Abolishment. The Manage Abolishment page appears.
2. Select the Advanced Settings tab. The Advanced Settings page appears.
3. Configure the Abolishment settings for resource display, whether to automatically start Abolishment, and how to load the Abolishment client. For more information about these settings, see the subsequent section.
4. Click Save.

Advanced Settings

Display resources
Select the Display resource in Application Portal check box if you want the icons for all resources to appear in the Application Portal before Abolishment starts to monitor the client.

Automatically start Abolishment
When the user selects a resource protected by an Abolishment access rule, a notification message appears that tells the user that the End-Point Integrity client is required. If you do not select the Automatically start Abolishment check box, the user must click a button on the notification page to start the Abolishment client. If you select this check box, the notification message appears briefly and the Abolishment client starts automatically.
Abolishment Client Loader
Select which type of loader to use for the Abolishment client.

ActiveX - Java Applet
Use the ActiveX client loader first. If the ActiveX client loader is not available, use the Java applet. This is the default setting.

ActiveX
Use the ActiveX client loader only.

Java Applet
Use the Java applet client loader only.

About Assessment

Assessment is an End-Point Security feature that scans the client computer to assess whether the client meets certain criteria. You can configure the assessment criteria that a client computer must meet in order to get access to a resource protected by an Assessment Access Rule. Access Rules for Assessment can complete these checks:

If a process is running (for example, an antivirus program or firewall)
If a registry value exists
If a file exists

At the start of a user session, the Assessment client scans the client computer to make sure it meets the Assessment criteria you specify. If the client computer meets the criteria, the user is allowed to access the protected resource. These checks establish that something with the expected name exists on the client, not that it is genuine or working; a process or registry value can be faked by a user who controls the machine. Use Assessment to keep careless clients out, and combine it with authentication and access rules for anything stronger.

If you have a current LiveSecurity subscription, updates to your Assessment criteria data occur automatically at the time interval you specify in Monitor System > Live Update. If your LiveSecurity subscription expires, the assessment definition file is no longer updated, but Assessment continues to operate with the criteria available at the time of expiration.

WatchGuard SSL supports Assessment on Microsoft Windows clients. When the user is notified about Assessment, the Assessment scan is called the End-Point Integrity scan.
To manage Assessment settings:

1. Select Manage System > Assessment. The Manage Assessment page appears.
2. Configure Assessment on these tabs:
   General Settings
   Advanced Settings
3. Click Save.
General Settings

You can configure the client scan settings the Assessment Access Rules use when a user selects a protected resource.

1. Select Manage System > Assessment. The Manage Assessment page appears.
2. Select the General Settings tab. The General Settings page appears.
3. Configure the Real-time Scan and Client Scan Path settings. For more information about these settings, see the subsequent sections.
4. Click Save.

Real-time Scan

The client scan is always performed the first time a user requests a resource that is protected by an Assessment Access Rule. If you want the client scan to continue assessment during the session, select the Enable Realtime Scan check box. Real-time Scan is disabled by default. Without it, a client that stops its antivirus or firewall after the first scan keeps its access for the rest of the session.

If you enable Real-time Scan, type the number of seconds between scans in the Interval field. The default interval is to scan every 120 seconds.
Client Scan Path

Click Add Client Scan Path to select the paths that you want the Assessment client to scan on the client. You can specify one or more client scan paths. For each client scan path you must set this information:

Operating System
The client operating system to scan. Windows is the only option.

Type
The type of client data the client scan looks for. The client can search for four types of data:
File: file attributes, file name, file digest, file time created, and file time last written
Directory: directory name and attributes
Registry Key: registry name, registry type, and registry value
Registry Sub Key: registry name, registry type, and registry value
Of the file attributes, the file digest is the only one a user cannot satisfy simply by creating a file with the expected name; prefer it when the check is meant to confirm that a specific binary is present.

Path
The path on the client computer to scan for the selected client data type.

Advanced Settings

You can configure the settings that control how Assessment works.

1. Select Manage System > Assessment. The Manage Assessment page appears.
2. Select the Advanced Settings tab. The Advanced Settings page appears.
3. Configure the Display Resources, Assessment Client Scan, and Abolishment Client Loader settings. For more information about these settings, see the subsequent sections.
4. Click Save.
Display Resources
Select the Display resource in Application Portal check box if you want the icons for all resources to appear in the Application Portal before the Assessment client scan is completed. Users may see resources that they cannot access.

Automatically start the Assessment client scan
When the user selects a resource protected by an Assessment access rule, a notification message appears that tells the user that the End-Point Integrity client is required. If you do not select the Automatically start the Assessment client scan check box, the user must click a button on the notification page to start the client scan. If you select this check box, the notification message appears and the Assessment client scan starts automatically.

Abolishment Client Loader
Select which type of loader to use for the Assessment client. (The setting keeps the Abolishment Client Loader label on the Assessment Advanced Settings tab.)

ActiveX - Java Applet
Use the ActiveX client loader first. If the ActiveX client loader is not available, use the Java applet. This is the default setting.

ActiveX
Use the ActiveX client loader only.

Java Applet
Use the Java applet client loader only.
About notification settings

You can configure the e-mail and SMS notification channels that send notification messages. These notification channels are used to send alerts and to distribute one-time passwords (OTPs), passwords and PINs, and seed notifications. Because OTPs, PINs and token seeds travel over them, these channels are part of the authentication path: whoever can read the mailbox or the phone that receives the message, or the network the message crosses in cleartext, can use what it carries.

To configure notification settings:

1. Select Manage System > Notification Settings. The Manage Notification Settings page appears.
2. Configure these settings for notification:
   E-mail channel
   SMS channel
   SMS plug-ins
3. Click Save.

Configure the e-mail notification channel

You can enable and configure e-mail settings and the e-mail address of the sender. You must configure the e-mail channel if you select e-mail notification in any of these areas:

For a user account
In the Global User Account Settings
For an alert
To configure the e-mail channel:

1. Select Manage System > Notification Settings. The Manage Notification Settings page appears.
2. Select the E-mail Channel tab. The E-mail Channel page appears.
3. Select the Enable e-mail channel check box.
4. In the Host field, type the IP address or DNS name of the e-mail server that sends the PIN, password, and seed to users. The default is localhost.
5. In the Port field, type the port number. The default port is
6. In the Sender's E-mail Address field, type the e-mail address that you want to appear in the From field of the notification messages.
7. Click Save.

Configure the SMS notification channel

You can add one or more SMS channels. You must define an SMS channel when you enable SMS notification in these places:

For a user account
In the Global User Account Settings User Linking tab
For alerts

You can configure multiple SMS channels. Each channel is handled by an SMS plug-in. Make sure you save your changes before you select another page in the UI. If you do not save your changes before you go to another page, all your changes are lost.

Add an SMS channel

1. Select Manage System > Notification Settings. The Manage Notification Settings page appears.
2. Select the SMS Channel tab.
3. Click Add SMS Channel. The Add SMS Channel page appears.
4. Type a Display Name for this channel.
5. From the Plug-in drop-down list, select the SMS plug-in for the SMS protocol you want to use.
6. Click Next.
7. Configure the settings for the selected SMS channel. The configuration settings are different for each SMS protocol. The number of tabs with SMS settings to configure depends on the plug-in you selected. For information about settings for each of the default SMS plug-ins, see:
   SMTP channel settings on page 189
   SMPP channel settings on page 190
   Netsize channel settings on page 191
   HTTP channel settings on page 192
   CIMD channel settings on page 193
8. Click Finish Wizard.
9. Click Save.

To add a plug-in, click the SMS Plug-in tab. For more information, see Add or remove SMS plug-ins on page 194.

Reorder the Registered SMS Channels list

You can change the order of the channels in the Registered SMS Channels list to change the order in which the channels are used.

1. Select the SMS Channel tab.
2. In the Registered SMS Channels list, in the Move column, click Up or Down for the channel you want to move. The channel moves up or down in the list.
3. Click Save.

Edit an SMS channel

1. Select the SMS Channel tab.
2. In the Registered SMS Channels list, click the channel you want to change. The Edit SMS Channel page appears.
3. Update the settings for the SMS channel.
4. Click Finish Wizard.
Delete an SMS channel

1. Select the SMS Channel tab.
2. In the Registered SMS Channels list, click the channel you want to remove. The Edit SMS Channel page appears.
3. Click Delete.
4. Click Yes.
5. Click Save.

SMTP channel settings

Configure these settings if you select the SMTP SMS plug-in when you add an SMS channel. This plug-in hands the message to an e-mail-to-SMS gateway over SMTP, so the account password and the message text (which may carry a one-time password) cross the network in cleartext unless you select Start TLS.

SMTP channel settings on the Connection tab

Host Address
The IP address or DNS name of the SMTP server. Set to localhost by default.

Port
The port of the SMTP server. Set to 25 by default.

Account
The service account to use to log into the SMTP service.

Password
The service account password to use to log into the SMTP service.

Start TLS
Select this check box to use TLS (Transport Layer Security). This is not enabled by default.

Timeout
The length of time (in milliseconds) to wait for a response from the SMTP server. Set to by default.

Connection Timeout
The length of time (in milliseconds) for a socket connection timeout.

Close Socket
Select the Close Socket check box to close the socket after communication.

Debug Mode
Select the Debug Mode check box to enable debug mode. Debug output can include the full SMTP conversation, and with it the OTP or PIN in the message; enable it only while you troubleshoot.

SMTP channel settings on the Mobile Number Format tab

Remove
Type any characters you want to automatically remove from the mobile number. For example, ()+.

Replace Prefix
If the prefix of the mobile number is incorrect for the service, you can automatically replace it. Type the prefix to replace in the Replace Prefix field.

New Prefix
The new prefix to use in place of the prefix in the Replace Prefix field.

SMTP channel settings on the Message tab

To address
The e-mail address to put in the To field.

To friendly name
The friendly name to put in the To field.

From address
The e-mail address to put in the From field.

From friendly name
The friendly name to put in the From field.

Subject
The content of the Subject field.

Message Body
The content of the message body.
SMPP channel settings

Configure these settings if you select the SMPP SMS plug-in when you add an SMS channel.

SMPP channel settings on the Connection tab

Host Address
The IP address or DNS name of the SMPP server. Set to localhost by default.

Port
The port of the SMPP server. Set to 25 by default.

Timeout
The length of time (in milliseconds) to wait for a response from the SMPP server. Set to by default.

Keep Alive
Select this to keep the connection alive. This is not selected by default.

System ID
The service account to use to log into the SMPP service.

Password
The service account password that should be used to log in to the SMPP service.

System Type
The SMPP System Type. See your SMPP server documentation for more information.

Interface Version
The interface version. Set to 52 by default (52 is decimal for 0x34, the SMPP 3.4 interface version). See your SMPP server documentation for more information.

Address TON
See your SMPP server documentation for more information.

Address NPI
See your SMPP server documentation for more information.

Address Range
See your SMPP server documentation for more information.

SMPP channel settings on the Mobile Number Format tab

Remove
Type any characters you want to automatically remove from the mobile number. For example, ()+.

Replace Prefix
If the prefix of the mobile number is incorrect for the service, you can automatically replace it. Type the prefix to replace in the Replace Prefix field.

New Prefix
The new prefix to use in place of the prefix in the Replace Prefix field.

SMPP channel settings on the Submission Parameters tab

For information about the settings on this tab, see the documentation for your SMPP server. The settings are: Service Type, Source Address TON, Source Address NPI, Source Address, Destination Address TON, Destination Address, ESM Class, Protocol ID, and Priority Flag. The Destination Address is required.
The Submission Parameters tab also carries these settings, each described in your SMPP server documentation: Registered Delivery, Replace if present, Data Coding, Character Set, Default Message ID, and Message Class.

Netsize channel settings

Configure these settings if you select the Netsize SMS plug-in when you add an SMS channel.

Netsize channel settings on the General tab

Host Address
The IP address or DNS name of the Netsize server.

Port
The port of the Netsize server. Set to 25 by default.

Client
The client account to use to log into the Netsize service.

Account
The service account to use to log into the Netsize service.

Password
The service account password to use to log into the Netsize service.

Timeout
The length of time (in milliseconds) to wait for a response from the Netsize server. Set to by default.

Message Class
The Message Class for this message. Valid entries are: Default, Immediate Display (Flash), Store on Mobile Phone, Store on SIM, Store on Terminal Equipment. Contact your Netsize vendor for more information about these settings.

Netsize channel settings on the Mobile Number Format tab

Remove
Type any characters you want to automatically remove from the mobile number. For example, ()+.

Replace Prefix
If the prefix of the mobile number is incorrect for the service, you can automatically replace it. Type the prefix to replace in the Replace Prefix field.

New Prefix
The new prefix to use in place of the prefix in the Replace Prefix field.
HTTP channel settings

Configure these settings if you select the HTTP SMS plug-in when you add an SMS channel.

HTTP channel settings on the General tab

URL
The URL or DNS name of the HTTP server. Set to by default. Use an https URL: with Basic Authentication, the account and password travel in every request as a Base64-encoded header, not encrypted, and the OTP is in the POST data.

Account
The service account to use to log into the HTTP service.

Password
The service account password to use to log into the HTTP service.

Use Basic Authentication
Select this check box to use basic authentication for this HTTP service.

Post Data
The POST data that must be present in the HTTP post.

Follow Redirects
Select this check box to consider redirects when parsing responses.

Use HTTP 1.1
Select this check box to use HTTP version 1.1. This is selected by default.

User Agent
Specify the user agent if the HTTP service requires a specific user agent.

Additional Headers
Specify the content of any additional headers that the HTTP service requires in the request.

Timeout
The length of time (in milliseconds) to wait for a response from the HTTP server. Set to by default.

Connection Timeout
The length of time (in milliseconds) for a socket connection timeout.

HTTP channel settings on the Mobile Number Format tab

Remove
Type any characters you want to automatically remove from the mobile number. For example, ()+.

Replace Prefix
If the prefix of the mobile number is incorrect for the service, you can automatically replace it. Type the prefix to replace in the Replace Prefix field.

New Prefix
The new prefix to use in place of the prefix in the Replace Prefix field.

HTTP channel settings on the Response Parsing Format tab

Success Response Codes
The HTTP response codes that indicate success. 200, 201, and 202 are selected by default.

Failure Response Codes
The HTTP response codes that indicate failure. 400, 401, and 402 are selected by default.

Success Response Body
Contents in the HTTP response body that indicate success.

Failure Response Body
Contents in the HTTP response body that indicate failure.

Default State
Select whether the default state is Success or Failure. This is set to Failure by default. Keep the default: a response the settings do not recognize then counts as a failed delivery rather than as a delivered OTP.
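The Mobile Number Format tab (the same three settings on every plug-in) and the Response Parsing Format tab are small state machines, and a worked run makes their defaults concrete. The following Python is an added example, not code from this guide or from the WatchGuard plug-ins: the number normalizer applies Remove, then Replace Prefix/New Prefix, in that order; the response classifier applies the code and body settings with one assumed rule the guide does not state, namely that an explicit failure signal outranks an explicit success signal, so a gateway error is never reported as a delivered OTP. The sample numbers and gateway replies are constructed.

```python
"""Mobile number normalization and HTTP SMS gateway response parsing (added example)."""
from typing import FrozenSet


def normalize_mobile_number(number: str, remove: str = "", replace_prefix: str = "", new_prefix: str = "") -> str:
    """Apply the Mobile Number Format tab: drop every character listed in `remove`, then,
    if the result starts with `replace_prefix`, swap that prefix for `new_prefix`."""
    cleaned = "".join(ch for ch in number if ch not in remove)
    if replace_prefix and cleaned.startswith(replace_prefix):
        cleaned = new_prefix + cleaned[len(replace_prefix):]
    return cleaned


def classify_http_response(status: int, body: str,
                           success_codes: FrozenSet[int] = frozenset({200, 201, 202}),
                           failure_codes: FrozenSet[int] = frozenset({400, 401, 402}),
                           success_body: str = "", failure_body: str = "",
                           default_state: str = "Failure") -> str:
    """Apply the Response Parsing Format tab to one gateway reply. Defaults mirror the tab.
    Assumed evaluation order: failure signals first, then success signals, then the default."""
    if status in failure_codes or (failure_body and failure_body in body):
        return "Failure"
    if status in success_codes or (success_body and success_body in body):
        return "Success"
    return default_state


def prepare_and_judge(raw_number: str, status: int, body: str) -> dict:
    """One delivery attempt with constructed settings: national-format numbers stripped of
    punctuation and converted to the 46 country code; the gateway reports errors in the body."""
    return {
        "to": normalize_mobile_number(raw_number, remove="()- ", replace_prefix="0", new_prefix="46"),
        "state": classify_http_response(status, body, failure_body="ERROR"),
    }


if __name__ == "__main__":
    # Constructed gateway replies for the same recipient.
    print(prepare_and_judge("(070) 123-4567", 200, "id=8817"))
    print(prepare_and_judge("(070) 123-4567", 200, "ERROR: insufficient credit"))
    print(prepare_and_judge("(070) 123-4567", 503, ""))
```

Note what the last two runs show: a 200 status with an error in the body is still a failure when the body text is configured, and an unlisted status falls to the Default State. If you left Default State at Success, a 503 from an overloaded gateway would be logged as a delivered OTP.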
CIMD channel settings

Configure these settings if you select the CIMD SMS plug-in when you add an SMS channel.

CIMD channel settings on the Connection tab

Host Address
The IP address or DNS name of the CIMD server. Set to localhost by default.

Port
The port of the CIMD server. Set to 3000 by default.

Account
The service account to use to log into the CIMD service.

Password
The service account password to use to log into the CIMD service.

Timeout
The length of time (in milliseconds) to wait for a response from the CIMD server. Set to by default.

CIMD channel settings on the Mobile Number Format tab

Remove
Type any characters you want to automatically remove from the mobile number. For example, ()+.

Replace Prefix
If the prefix of the mobile number is incorrect for the service, you can automatically replace it. Type the prefix to replace in the Replace Prefix field.

New Prefix
The new prefix to use in place of the prefix in the Replace Prefix field.
Add or remove SMS plug-ins

Plug-ins are used to communicate with different SMS vendors. You select plug-ins when you configure an SMS channel. The default plug-ins available are:

SMTP (1.0)
SMPP (1.10)
Netsize (1.0)
HTTP (1.12)
CIMD (1.10)

You can write additional plug-ins for compatibility with other SMS protocols. A plug-in is code that runs on the device and sees every OTP and PIN it sends, so upload only plug-ins whose origin you trust, and keep the ability to upload them with the Super Administrator role.

To add an SMS plug-in:

1. Select Manage System > Notification Settings. The Manage Notification Settings page appears.
2. Select the SMS Plug-ins tab. A list of installed SMS plug-ins appears.
3. To add a plug-in, click Browse to locate the plug-in file.
4. Click Upload Plug-in. The plug-in is added to the list, and is available when you add an SMS Channel.
5. Click Save.

To remove an SMS plug-in:

1. Select the Remove check box for the plug-in you want to delete.
2. Click Remove.
3. Click Save.
Manage Client Definitions

You can use client definitions to create an Access Rule that allows access to a resource only if the client is of a specified type. By default, the WatchGuard SSL device includes these client definitions:

Internet Explorer 6
Internet Explorer 7
Netscape 7
Netscape 9
Opera
Mozilla Firefox
Safari
WAP Phone
Access Client
Microsoft-AirSync
Java
Mac OS
Windows
Unix
Linux
Windows CE
PDA

The WatchGuard SSL device identifies a client based on the content of its HTTP headers. Client definitions define what values the WatchGuard SSL device looks for in the HTTP header to identify specific clients. Because these headers are supplied by the client, any script can send the values that match an allowed definition; a Client Definition Access Rule steers users of known browsers to the right resource, but it is not an authentication control and does not keep out a determined client.

When you create an Access Rule of the type Client Definition, the Available Clients you can select are those you define on the Client Definitions page. After you add a client definition, you can select that client when you create an Access Rule.
To manage client definitions:

1. Select Manage System > Client Definitions. The Manage Client Definitions page appears.
2. Configure client definitions:
   Add a client definition
   Edit or delete a client definition

Add a client definition

To add a client definition:

1. Select Manage System > Client Definitions. The Manage Client Definitions page appears.
2. Click Add Client Definition. The Add Client Definition page appears.
3. Type the Display Name for this client.
4. In the Definition field, type the "name=value" pair that appears in the HTTP header of the client. You can use the * wildcard character in the value. You can include more than one "name=value" pair. To use an AND operator, add the pairs on the same line, separated by a space. To use an OR operator, add the pairs on the same line, separated by the pipe (|) symbol. To specify a NOT operator, add an exclamation mark (!) before the pair. For examples of how the client definition should look, click an existing client definition to view it.
5. Click Save. The client definition you added appears in the Registered Client Definitions list.

Edit or delete a client definition

Edit a client definition

1. Select Manage System > Client Definitions. The Manage Client Definitions page appears.
2. In the Registered Client Definitions list, click the display name of the client. The Edit Client Definition page appears.
3. Edit the Display Name and Definition.
4. Click Save.

Delete a client definition

1. Select Manage System > Client Definitions. The Manage Client Definitions page appears.
2. In the Registered Client Definitions list, click the display name of the client.
3. Click Delete.
4. Click Yes. The client definition is removed from the Registered Client Definitions list.
About delegated management

After you configure an External Directory Service, you can use delegated management to create administrative roles with different configuration and monitoring responsibilities. You can then assign each role to one or more users in the registered External Directory Service. Delegated Management is only available in the Web UI if you have configured an External Directory Service and published the configuration change.

When you create an alert on the Manage Alerts page, you can assign which alerts are sent to the various administrative roles. The users you assign to each of these roles then receive the alert notification messages about alert events. If you plan to use an administrative role for alerts, make sure that the users you assign to that role have e-mail addresses and/or cell phone numbers defined in their user accounts.

By default the WatchGuard SSL has two built-in administrative roles:

Help Desk
Super Administrator

For each role, you can assign different administrative privileges. Give each administrator the narrowest role that covers the work: a help desk analyst who only resets accounts does not need the Publish or Resource management privileges that let a role change what the device exposes. For a description of the privileges you can assign to a role, see About administrative privileges on page 199.

To add or edit administrative roles:

1. Select Manage System > Delegated Management. The Delegated Management page appears.
2. Add, edit, or delete an administrative role.
205 Manage System About administrative privileges For the administrative roles that you create, you can assign one or more of these privileges to each role. Help desk administration Allows users to add, edit, and delete all settings saved for a user account. User account management Allows users to get access to all functionality available in the User Management menu. Resource management Allows users to add, edit, and delete resources (resource hosts and resource paths) and to manage Application Portal items. Resource path management Allows users to add, edit, and delete resource paths for selected resource hosts. View logs Allows users to use the Log Viewer to see log files. Publish Allows users to publish an updated configuration. Privileges for the default administrative roles You cannot see or edit privileges for the default administrative roles. These roles have privileges permanently assigned. The Super Administrator role has all privileges enabled. The Help Desk role has the Help desk administration privilege enabled. User Guide 199
206 Manage System Manage administrative roles You can add, edit, or delete administrative roles. Add an administrative role 1. Select Manage System > Delegated Management. The Delegated Management page appears. 2. Click Add Role. The Add Role page appears. 3. Type a Display Name for this role. 4. Type a Description for this role. 5. In the Privileges section, select the check box for each privilege you want to assign to this role: Help desk administration User account management Resource management Resource path management View logs Publish For more information, see About administrative privileges on page Click Next. 200 WatchGuard SSL 100
207 Manage System 7. Complete the next pages of the wizard for the privileges you selected. Select User Accounts From the Select User Group drop-down list, select a user group that this role can manage and click Add Group. Repeat to add each user group this role can manage. Select Administrators Click Add Administrator to assign a user to this role. In the User ID field, type a full or partial user name to search for. You can use the * wildcard character in your search. For example, type *smith* to find all user IDs that contain "smith". The user names that match your search criteria appear in the Search Result list. In the Search Result list, select the Assign Role check box for each user you want to assign to this role. Click Update. To search for other users to assign to this role, repeat these steps. Select Resources Select a resource in the Available Resources list and click Add. The resource appears in the Selected Resources list. 8. Click Next. 9. Click Finish Wizard. Edit an administrative role 1. Select Manage System > Delegated Management. The Delegated Management page appears. 2. In the Registered Roles list, click a role. The Edit Role page appears. 3. Click the General Settings tab to edit these settings: Display Name Description Privileges (cannot be changed for the two default roles) Select the check box for each privilege to assign to this role. For more information, see About administrative privileges on page To edit the User Groups this role can manage, click the User Accounts tab. 5. To change the resources this role can manage, click the Resources tab. 6. To change which users are assigned to this role, click the Administrators tab. 7. Click Save. User Guide 201
208 Manage System Delete an administrative role 1. Select Manage System > Delegated Management. The Delegated Management page appears. 2. In the Registered Roles list, click a role. The Edit Role page appears. 3. Click Delete. 4. Click Yes. The role is removed from the Registered Roles list. 202 WatchGuard SSL 100
About the Administration Service

The Administration Service includes all the services and settings related to administration of your device. On the Manage Administration Service page you can configure the HTTP and HTTPS ports and the server certificate to use for communication between the WatchGuard SSL Web UI and the client.

Manage Administration Service Settings
1. Select Manage System > Administration Service. The External Communication Settings page appears.
2. Configure these settings for external communication:
     Administrator Host: Select which interface to use when you connect to the WatchGuard SSL Web UI to manage the device. If your device is in single interface mode, this is always set to Eth0. If your device is in dual interface mode, you can select Eth0 or Eth1. In dual interface mode, this is set to Eth1 by default.
     Administrator HTTP Port: The HTTP port to use when you connect to the WatchGuard SSL Web UI to manage the device. This is set to 80 by default.
     Administrator HTTPS Port: The HTTPS port to use when you connect to the WatchGuard SSL Web UI to manage the device. This is set to 8443 by default.
     Server Certificate: The server certificate the Administration Service uses in HTTPS communication. You add the server certificate on the Certificates page. For more information, see Add a server certificate.
3. Click Save.

From the Manage Administration Service page you can also:
  Manage global settings
  Restart the Administration service

Manage Global Service Settings

You can manage the settings for all services from the Administration Service page. We recommend that you do not change these settings unless a WatchGuard technical support representative asks you to change a setting to help troubleshoot a specific problem.

To configure the global settings for the services:
1. Select Manage System > Administration Service. The Manage Administration Service page appears.
2. Click Manage Global Settings. The Manage Global Service Settings page appears.
3. Configure the global settings for the services. For more information about these settings, see the subsequent sections.
4. Click Save.

Communication settings

To control the communication between the Administration service and the Device service, configure these settings:
  Timeout Check Interval: Number of seconds (0-3600) between checks for sessions that have timed out. This is set to 1 second by default.
  User Lifetime in Cache: Number of seconds (0-31,536,000) to keep user account information in the cache before the Administration service reloads it from the Internal User Database or External Directory Service. This setting is not related to user activity. This is set to 900 seconds by default. The maximum value is equal to 365 days.
  Heartbeat Interval: Number of seconds (1-30) between status checks on services on the device. This is set to 10 seconds by default.
  Missing Heartbeat Limit: Number of missing heartbeats, or status checks, that are allowed (1-100) before the services reconnect to each other if a service does not respond. This is set to 12 heartbeats by default.
  Send cache specification: Select this check box if you want the Administration service to send the cache specification to the Device service that controls the Application Portal. This is selected by default.

Heap size settings

To control the amount of memory that the Administration service uses, configure these settings:
  Minimum Memory: Set to 64 MB by default.
  Maximum Memory: Set to 256 MB by default.
  Save Heap Size specification: Select this check box to save the Heap Size specification.

Restart the Administration service

You can restart the Administration service without interrupting any current client SSL sessions.

To restart the Administration service:
1. Select Manage System > Administration Service. The Manage Administration Service page appears.
2. Click Restart Service.
3. Click Yes.
Manage Device settings

You can configure the settings for the Application Portal to which your users connect. These settings enable you to select the available ports, connection timeouts, encryption protocols, session controls, cookie persistence, and client access.

To configure device settings for the Application Portal:
1. Select Manage System > Device Settings. The Manage Device page appears.
2. Click each tab and configure the settings:
     General settings
     Performance settings
     Cipher Suite settings
     Advanced settings
3. Click Save.

General settings for the application portal

You can configure the basic settings for the Application Portal. These settings control on which interfaces, ports, and IP addresses the Application Portal is available. By default, the Application Portal listens on one IP address on the Eth0 interface.

1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select the General Settings tab. The General Settings page appears.
3. Configure the General Settings and add additional listeners. For more information about these settings, see the subsequent sections.
4. Click Save.

General Settings
  Display Name: The name used to identify this device. This is automatically set to accesspoint. You cannot change this setting.
  Application Portal Host: The IP address or DNS name to bind all incoming external traffic to the Application Portal. This is automatically set to the IP address configured for Eth0. To change this IP address you must change the Eth0 IP address on the Network Configuration page.
  Application Portal Port: The HTTPS port for incoming traffic to the Application Portal. Set to 443 by default.
  Server Certificate: The server certificate that the Application Portal uses for external communication. For HTTPS connections, you must specify a server certificate.
  Listen on all interfaces: Select this check box to set the device to listen on all active interfaces. If the device is in dual interface mode, select this check box to make the Application Portal available on both Eth0 and Eth1.

Add additional listeners

Additional listeners are additional ports or IP addresses on which the Application Portal accepts connections. You can add, edit, and delete additional listeners.

To add a listener:
1. On the Manage Device Settings page, click Add Additional Listener. The Add Additional Listener page appears.
2. The Host field is automatically set to the Eth0 IP address. You cannot change this field on this page.
3. In the Port field, set the port for incoming HTTP or HTTPS traffic. Set to 80 by default.
4. In the Server Certificate drop-down list, select the certificate to use for this listener. For HTTPS connections, you must specify a server certificate.
5. The Type is automatically set to Web.
6. If your device is configured in Dual Interface mode, select the Listen on all interfaces check box for this listener to listen on the Eth0 and Eth1 interfaces.
7. Click Add. The listener appears in the Registered Additional Listeners list.

Note: The Listen on all interfaces setting does not have any effect if the device is configured in single interface mode. Eth0 is the only active interface in single interface mode.

To edit an additional listener:
1. On the Manage Device Settings page, in the Registered Additional Listeners list, click the listener you want to edit. The Edit Additional Listener page appears.
2. Update the settings for the additional listener.
3. Click Update.

To delete an additional listener:
1. On the Manage Device Settings page, in the Registered Additional Listeners list, click the listener you want to delete. The Edit Additional Listener page appears.
2. Click Delete.
3. Click Yes. The Manage Device Settings page appears.
4. Click Save.

Performance settings

You can change settings that affect the performance of the Application Portal.

1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select the Performance tab. The Performance Settings page appears.
3. Configure the Performance Settings and Data Compression Settings. For more information about these settings, see the subsequent sections.
4. Click Save.

Performance Settings

Performance settings include timeout settings for idle connections. You can also limit the number of TCP connections that the operating system is able to queue, and allow the WatchGuard SSL device to cache SSL sessions for communication with internal servers.
  Max Worker Threads: Set to 200 threads by default.
  Connection Timeout: Set to 60 seconds by default.
  UDP Tunnel Timeout: Set to 120 seconds by default.
  Garbage Collection Interval: Set to 1 minute by default.
  Size of Socket Listening Backlog: Set to 25 connections by default.
  Max Tunnel Connections: Set to 1500 connections by default.
  Cache internal SSL sessions: Enabled by default.
  No delay on tunnel connections: Enabled by default.

Data Compression Settings

These settings control whether the device compresses the web files it serves.
  Compress static Web files: Not enabled by default.
  Compress dynamic Web files: Dynamic files are Web files on the device that contain user variables. Not enabled by default.
  File types to compress: The types of files to compress. You can use the wildcard character * to compress all file types. The default setting is text/html, text/xml.
Cipher Suite settings

You can change the Application Portal settings related to encryption. When the client and server negotiate an SSL connection, they agree on a common cipher suite to use for key exchange and encryption. You can select which protocols and cipher suites the Application Portal supports.

1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select the Cipher Suites tab. The Cipher Suites page appears.
3. Configure the Protocols and Cipher Suites settings. For more information about these settings, see the subsequent sections.
4. Click Save.

Protocols

In the Protocols Supported section, select one or more protocols to enable. You can select from these protocols:
  TLS v1.0
  SSL v3.0
  SSL v2.0
TLS v1.0 and SSL v3.0 are enabled by default.

Cipher Suites

In the TLS v1.0 and SSL v3.0 Cipher Suites section, select which cipher suites to support for these protocols. By default, these cipher suites are supported:
  TLS_RSA_WITH_AES_256_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_AES_128_SHA
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_RC4_128_MD5

In the SSL v2.0 Cipher Suites section, select which cipher suites to support for this protocol. By default, these cipher suites are supported:
  SSL_CK_DES_192_EDE3_CBC_WITH_MD5
  SSL_CK_RC2_128_CBC_WITH_MD5
  SSL_CK_RC4_128_WITH_MD5

Advanced settings

You can change advanced settings related to session control, cookie persistence, client access, and bad URIs.

1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select the Advanced tab. The Advanced Settings page appears.
3. Configure the advanced settings. For more information about these settings, see the subsequent sections.
4. Click Save.
Session Control settings

In the Session Control section, you can configure client session control using the WAAK (Web access authentication key) option. WAAK is more secure than HTTP. If you enable WAAK, you can also set the strength of the secure authentication cookie.
  Secure Web access authentication by key cookie (WAAK): Select this check box to use the WAAK secure authentication cookie. This is selected by default.
  Strength of WAAK: The strength of the WAAK secure authentication cookie. The default value is 128 bits.
  Random Value of WASID: The number of bits in the Web Access Session ID (WASID). The WASID is a random hexadecimal value generated by the device. The default value is 64 bits.
  Bind session to client IP: Select this check box to allow the client session to move from one computer to another if the client source IP address does not change during the session. This is not selected by default.
  Allow duplicate user name logon: This is selected by default.
  Duplicate user name logon reverse action: This is not selected by default.
  Show shutdown message: This is not selected by default.

Cookie Persistence settings

Select this check box to change session cookies to persistent cookies. This setting only applies to resources protected by Abolishment and to Internet Explorer users. When you select this option, abolishment behavior changes in two ways:
  The Abolishment client makes sure all persistent cookies are removed from the client.
  When an Abolish access rule is in effect, the WatchGuard SSL device transforms the session cookies to persistent cookies at runtime as soon as the client successfully authenticates.

Client Access settings

These settings control communication between the clients and the Application Portal.
  Show error on SSL v2 access: Select this check box if you want to include error messages in SSL v2 communication sent to users. This is not selected by default.
  Hide server header: Select this check box if you want to hide server headers from the client. This is selected by default.
  Default authentication method: Select the default authentication method to use when a user accesses the main page of the Application Portal without the parameter authmech specified.

Bad URIs

In the Bad URIs text box you can edit the locations or files on the device that clients are not allowed to use or view by default. We recommend that you do not remove any of the default items in the Bad URIs list.
Update the Device

You can use the Device Update pages to update, restore, reboot, or set the time for your WatchGuard SSL device.

1. Select Manage System > Device Update. The Update the OS page appears.
2. Configure the device:
     Update the OS
     Set the time zone, system time, and configure an NTP server
     Restore the configuration to factory default settings
     Reboot the device

Update the OS

WatchGuard provides software updates in a file that you can use to update the software on the device.

To update the OS for your device:
1. Select Manage System > Device Update. The Update OS page appears.
2. In the Update the OS section, click Browse to locate the software update file.
3. Click Update. The OS is updated and the device reboots. This can take several minutes.
4. After the device update is complete, log in to the WatchGuard SSL Web UI again.

Configure the system time and set the time zone

The system date and time is primarily used in log file messages. You can manually set the system time, or you can enable NTP so the device automatically gets time updates from an NTP server. You can also configure the time zone for your device.

To configure the system time settings:
1. Select Manage System > Device Update. The Update OS page appears.
2. Click System Time Settings. The System Time Setting page appears.
3. Select Enable NTP and configure the NTP server. Or, set the system Date and Time.
4. Click Save.

To configure the time zone:
1. Select Manage System > Device Update. The Update OS page appears.
2. Click Time Zone Setting. The Time Zone Setting page appears.
3. In the Time Zone drop-down list, select the time zone.
4. Click Save.

Restore factory default settings

You can reset your WatchGuard SSL device to its factory default settings. After you reset your device, you can use the Quick Setup Wizard to build your configuration again. When you restore the factory default settings, the software version does not change, but any configuration changes you have previously made are removed.

To restore the factory default settings:
1. Select Manage System > Device Update. The Update the OS page appears.
2. Click Restore factory defaults. The Restore factory defaults page appears.
3. Click Yes. The device reboots and the default configuration is restored.

Reinitialize the Local User Database

If the data in the Local User Database for your WatchGuard SSL device is corrupted, you can either restore the factory default settings for your device, or you can reinitialize the Local User Database.

If you choose to restore the factory default settings, all of your network and configuration settings are lost along with the database configuration. You must run the Quick Setup Wizard to configure your WatchGuard SSL device again.

If you choose to reinitialize your Local User Database, only the data in your Local User Database tables is cleared. All of your network settings are kept. You can then restore a previous configuration to recover your Local User Database information.

To reinitialize your Local User Database:
1. Select Manage System > Device Update. The Update the OS page appears.
2. Click Reinitialize Local User Database. The Reinitialize Local User Database page appears.
3. Click Yes. The data in the tables of your Local User Database is cleared and the WatchGuard SSL device reboots.

To restore a previous configuration to recover the data in your Local User Database, see Restore a saved configuration on page 222.

Reboot the device

You can reboot your WatchGuard SSL device from the WatchGuard SSL Web UI.

To reboot the system:
1. Select Manage System > Device Update. The Update the OS page appears.
2. Click Reboot. The Reboot page appears.
3. Click Yes. The device reboots.
4. Log in to the WatchGuard SSL Web UI again.

Network Configuration

You can select the network type and specify network address information for your WatchGuard SSL network. This is the same network information that you configured in the Quick Setup Wizard.

1. Select Manage System > Network Configuration. The Network Configuration page appears.
2. Select a Network Type. If you select Single Interface Mode, only Eth0 is active. If you select Dual Interface Mode, both Eth0 and Eth1 are active.
3. Configure the network settings. For more information, see the subsequent sections.
4. Click Save.
Network Type

You can configure the WatchGuard SSL device in one of two network types:
  Single Interface Mode (default): Select this mode if you want to connect the WatchGuard SSL device to one network. In single interface mode, only the Eth0 interface is active.
  Dual Interface Mode: Select this mode if you want to connect the WatchGuard SSL device to two networks. In dual interface mode, the Eth0 and Eth1 interfaces are both active.

These diagrams illustrate the two network types:

Configure network settings for Eth0
1. In the IP Address text box, type the IP address you want to use for Eth0.
2. In the Subnet Mask text box, type the subnet mask. For example,
3. In the Default Gateway text box, type the IP address of the default gateway on the Eth0 network.
4. In the Primary DNS text box, type the IP address of the primary DNS server on the Eth0 network.
5. (Optional) In the Secondary DNS text box, type the name of a secondary DNS server.
6. (Optional) In the DNS Name text box, type the domain name for your organization.
7. Click Save.

Configure network settings for Eth1

If you select Dual Interface Mode, you can also configure the network settings for the Eth1 interface. You can configure only these settings for Eth1.
1. In the IP Address text box, type the IP address you want to use for Eth1.
2. In the Subnet Mask text box, type the subnet mask. For example,
3. Click Save.

Configure network routes

You can add a static route to each computer that you want the WatchGuard SSL device to send traffic to. This is particularly important if you configure your WatchGuard SSL device in Dual Interface mode, because resources could be on a different network than the client. If you do not define a route, packets are routed based on the default gateway for the device.

After you create a route, you cannot edit it. If you want to change a route, you must delete the route you want to change and add a new route.

To add a network route:
1. Select Manage System > Network Configuration. The Network Configuration page appears.
2. Click Route Configuration. The Route Configuration page appears with a list of all the current network routes.
3. To add a route, click Add New Route. The Add Route page appears.
4. Type the Destination IP Address, Subnet Mask, and Gateway.
5. Click Save. The network route you added appears in the table on the Route Configuration page.

To delete a network route:
1. On the Route Configuration page, select the Delete check box for each network route you want to delete.
2. Click Delete. The route is deleted.
Restore a saved configuration

Each time you publish a configuration update to the device, a copy of that configuration is saved. You can use the WatchGuard SSL Web UI to:
  Restore the most recent configuration (remove all unpublished changes)
  Restore an older saved configuration
  Add comments to describe the changes in a saved configuration
  Delete a saved configuration
  Set the maximum number of saved configurations and the number you see per page

To restore the current configuration:
1. Select Manage System > Restore Configuration. The Restore Configuration page appears.
2. In the top section, click Restore. The selected configuration is restored and the System Status page appears.

To restore a saved configuration:
1. Select Manage System > Restore Configuration. The Restore Configuration page appears.
2. In the bottom section, select the radio button adjacent to the configuration you want to restore.
3. Click Restore. The selected configuration is restored and the System Status page appears.

To add comments to a saved configuration:
1. Select Manage System > Restore Configuration. The Restore Configuration page appears.
2. In the bottom section, select the radio button for the configuration you want to change.
3. Click Modify Comments. The Add/Modify User Comments page appears.
4. In the Comment field, type your comments.
5. Click Save. The comment appears in the Comments column for the configuration you selected.

To delete a saved configuration:
1. Select Manage System > Restore Configuration. The Restore Configuration page appears.
2. In the bottom section, select the radio button for the configuration you want to delete.
3. Click Delete. The selected configuration is deleted.

Manage saved configuration settings

You can set the maximum number of configurations you want to save. When you reach that limit, the next time you save a configuration, the system deletes the oldest saved configuration and saves the new one. You can also set the number of configurations you want to see on a page.

1. Select Manage System > Restore Configuration. The Restore Configuration page appears.
2. Click Manage Settings. The Manage Published Configurations page appears.
3. In the Maximum Saved field, set the maximum number of published configurations you want to keep.
4. In the Configurations per Page field, set the number of configuration files you want to appear on each page.
5. Click Save.

Import or export the configuration

You can export the configuration data from your WatchGuard SSL device to a file, and you can import configuration data from a saved configuration file. If you have a WatchGuard SSL v2.x device, you can also export the configuration from your WatchGuard SSL v2.x device. To export from a WatchGuard SSL v2.x system, you must connect to the v3.x Web UI from the computer that runs the v2.x Administration Service. You can import a saved v3.x or v2.x configuration file to your WatchGuard SSL v3.x device.

To export a configuration:
1. Select Manage System > Import/Export Configuration. The Configuration Import/Export page appears.
2. Click Export 3.x Configuration or Export 2.x Configuration. The Download Exported Configuration File page appears.
3. Click the Download link. The configuration files are exported to a zip file.
4. Select Save File.
5. Click OK.
6. Select a location to save the file where you can get access to it later for import.
7. Click Save.

To import a configuration:
1. Select Manage System > Import/Export Configuration. The Configuration Import/Export page appears.
2. In the Import Configuration section, click Browse to select a configuration file to import.
3. Click Import Configuration. The configuration is imported and your WatchGuard SSL device reboots. This can take several minutes.
4. After the device reboots, log in to the WatchGuard SSL Web UI again.
233 6 Access Client About the Access Client The WatchGuard SSL Access Client enables you to securely connect to tunnel resources in the WatchGuard SSL Application Portal. There are two versions of the Access Client: On-demand Access Client When you authenticate to the Application Portal and select a resource other than a Web resource, the on-demand Access Client launches to load the tunnel. When your session ends, the on-demand Access Client closes. The client software is not installed on your computer. Installed Access Client You can also select to install the Access Client on your client computer. The installed Access Client is available when you are not authenticated to the Application Portal. You can configure the installed Access Client to automatically start when Windows starts and to automatically connect to resources. For information about how to install the Access Client, see Install the Access Client on page 234. For information about how to configure the Access Client, see About the Access Client menu on page 228. Launch the Access Client When you log on to the WatchGuard SSL Application Portal, you can click on resources to start them. Some resources require that your computer run the Access Client. The Access Client is a Windows client that sets up the SSL VPN tunnel between your computer and the network resources. The Access Client is not required for access to online applications. Launch the Access Client on demand When you click a resource in the WatchGuard SSL Application Portal that requires the Access Client, the Application Portal automatically downloads and launches the Access Client. User Guide 227
234 Access Client Launch the installed Access Client If you have installed the Access Client software on your computer, you can also start the client from the Windows Start menu. For instructions to install the Access Client, see Install the Access Client on page 234. To launch the installed Access Client on a computer with Windows XP: Select Start > All Programs > WatchGuard SSL > Access Client > WatchGuard Access Client. The Access Client launches and appears in the Windows system tray. If you have a complicated network setup, or use some third-party software (for example, certain versions of OpenVPN client), you could see a "Cannot Acquire IP" error message when the Access Client initializes. You can safely ignore this error message. This does not affect your ability to use network resources through the secure VPN tunnel. About the Access Client menu When the Access Client starts, the Access Client icon appears in the Windows system tray. To configure your Access Client, click. The Access Client menu appears, with these options: Preferences Set preferences for the Access Client. For more information, see Edit Access Client preferences on page 229. Favorites Add and manage favorite Application Portal resources. After you add favorite resources, you can select a resource from the favorites menu to start the resource. For more information, see Manage Access Client favorites on page 231. Status See the status of your SSL connection. For more information, see Check Access Client status on page 233. About See Access Client version and copyright information. Close tunnels This feature is not implemented in this release. For information about how to close tunnels, see End your SSL VPN session on page 233. Exit Close the Access Client. The connections to all tunnel resources are also closed. 228 WatchGuard SSL 100
Edit Access Client preferences

You can configure some settings for the Access Client to customize the way the client operates on your computer.

Configure general preferences

1. Launch the Access Client.
2. Click the Access Client icon in the Windows system tray and select Preferences. The Access Client Preferences dialog box appears.
3. Click the General tab.
4. Select the Launch Access Client on startup check box if you want the Access Client to launch automatically when Windows starts up. When you select this check box, the Access Client is added to the Windows Startup folder.
5. Select the Register essp:// protocol handler check box if you want the ability to create shortcuts or launch commands that connect directly to a resource. For more information, see Use ESSP to link directly to a resource on page 236.
6. Clear the Enable automatic update check box if you do not want the client to automatically check for available client updates. We recommend you do not clear this check box.
7. If the Update server field includes an address, we recommend you do not change this setting. This is the URL of the WatchGuard SSL device that hosts the client updates. It is usually set automatically the first time the Access Client connects to a resource. If the Update server field is blank, type the address of the WatchGuard SSL Application Portal. Do not include
8. Click Update Now to check for an updated client.
9. Click OK.
Edit Trusted Commands

If your network administrator has set up commands that run automatically when you start a resource, the Access Client prompts you before it runs each command.

To disable the pop-up notification for a command:
Select the Always trust this command check box in the notification dialog box.

The Trusted Commands tab in the Access Client Preferences dialog box shows the list of commands you have selected to trust.

To see and delete this list of trusted commands:
1. Launch the Access Client.
2. Click the Access Client icon in the Windows system tray and select Preferences.
3. Click the Trusted Commands tab. The list of trusted commands appears.
4. To remove a command from the trusted list, select the command and click Delete. The command is removed from the list. The next time you connect to a resource that uses the command you removed, the Access Client prompts you before it runs the command.
5. Click OK.

Edit Trusted Access Points

When you use the Access Client to connect to a resource, and a resource host on the intranet tries to connect to your computer, an Access Client Connection Alert appears. You can then choose whether to trust connections from this Access Point, or deny them. Access Point is another name for your WatchGuard SSL device.

To add a device to the Trusted Access Points list:
1. In the Access Client Connection Alert dialog box, select the Always trust connections from this Access Point check box.
2. Click OK. The device is added to the Trusted Access Points tab in the Access Client Preferences dialog box.

After the device is added to the Trusted Access Points list, connection alerts do not appear again for computers behind that WatchGuard SSL device. You only see connection alerts if your connection is assigned a virtual IP address, which is required for a resource host to start a connection to your computer.

You can use the Access Client Preferences dialog box to see and delete devices in the Trusted Access Points list.

To see and delete trusted devices:
1. Launch the Access Client.
2. Click the Access Client icon in the Windows system tray and select Preferences.
3. Click the Trusted Access Points tab. The Trusted Access Points list appears.
4. To remove a device from the list, select the IP address of the device, and click Delete.
5. Click OK.
Manage Access Client favorites

You can add network resources to the Access Client Favorites list. When you add a favorite, you can start that resource from the Access Client menu in the Windows system tray. You can also configure favorite resources to automatically start when you launch the Access Client.

You can only add a favorite resource for a tunnel resource. Web resources do not use the Access Client.

Add a favorite resource

To add a favorite, you start the resource from the WatchGuard Application Portal and then add it as a favorite.

1. Authenticate to the WatchGuard SSL Application Portal.
2. Click a tunnel resource.
3. Click the Access Client icon in the Windows system tray and select Favorite > Add.
4. Select the name for the resource you want to add as a favorite. The name can be different from the name you see for this resource in the Application Portal. The Edit Favorite dialog box appears.
5. To change the name that appears in the Access Client Favorites menu for this favorite, type a new Display Name.
6. The Server and Configuration fields are automatically configured. Do not change these settings.
7. If you want the Access Client to start this resource each time you start the Access Client, select the Load on startup check box.
8. Click OK. The favorite is added to the Access Client Favorites list.
See and edit Access Client favorites

1. Launch the Access Client.
2. Click the Access Client icon in the Windows system tray and select Favorites > Manage. The Access Client Favorites list appears.
3. To edit an existing favorite, click the item in the list and click Edit. The Edit Favorite dialog box appears. For more information, see Steps 6 to 8 below and the previous Add a favorite resource section.
4. To remove an existing favorite, click the item in the list and click Delete.
5. To add a new favorite, click New. The Add Favorite dialog box appears. All the fields are blank.
6. In the Display name field, type the name for this favorite as you want it to appear in the Access Client favorites list.
7. In the Server field, type the URL of the WatchGuard SSL Application Portal.
8. In the Configuration field, type the configuration tag that identifies this tunnel resource in the portal.
   To find the configuration tag for a tunnel resource:
   Authenticate to the WatchGuard SSL Application Portal.
   Right-click the resource you want to make a favorite.
   Select Copy link location (Firefox) or Copy shortcut (Internet Explorer).
   Paste the link into the Configuration field of the Add Favorite dialog box. For example:
   javascript:openmessagewindow( /wa/webclient/26gp52085p1c );
   The number near the end is the tunnel tag that identifies this resource. Edit the link to remove all characters except the number. For example: 26gp52085p1c
9. If you want the Access Client to start this resource each time you start the Access Client, select the Load on startup check box.
10. Click OK. The favorite is added to the Access Client Favorites list.
Start a favorite resource

If you selected the Load on startup check box when you added the favorite, the resource automatically loads when you start the client.

If you did not select the Load on startup check box:
1. Click the Access Client icon in the Windows system tray.
2. Select Favorites and click the name of the resource you want to load.

Check Access Client status

You can check the status of the Access Client from the Access Client menu. The Access Client Status dialog shows the number of active connections, the acquired IP address (if any), the amount of data transferred, and the throughput.

To see the status of the Access Client:
1. Click the Access Client icon in the Windows system tray. The Access Client menu appears.
2. Select Status. The Access Client Status dialog box appears.

End your SSL VPN session

As a good security practice, we recommend that you close your SSL VPN session when you are finished with the network resources. There are several ways to do this. The method you choose depends on how you started the connection to the network resources.

If you connected to a resource from the Application Portal, there are two methods to close the connection:
- In the Application Portal, click Log out. Your connections to resources are closed, and the client automatically exits.
- Close the web browser that is connected to the Application Portal. You are logged out of the Application Portal, your resource connections are closed, and the client exits.

If you used an ESSP link or command to start the connection to a resource, you must exit the Access Client to close the connections to all resources. Click the Access Client icon in the Windows system tray and select Exit. All resource connections are closed.

For information about how to use ESSP with the installed Access Client, see Use ESSP to link directly to a resource on page 236.
Install the Access Client

You can use this procedure to install the Access Client on your Windows computer.

Before you begin
- Get the Access Client installer (AccessClientInstall.exe) from your network administrator.
- Connect to the WatchGuard SSL Application Portal and select a resource with the on-demand version of the Access Client before you install the Access Client. This automatically captures some of the configuration information for the installation.

Run the installer
1. Run AccessClientInstall.exe. A security warning appears. You can safely ignore this warning.
2. Click Run to continue the installation.
3. On the License Agreement page, review and accept the License Agreement.
4. On the Select Destination Location page, select a location to install the Access Client. The default location is C:\Program Files\WatchGuard\SSL\Access Client.
5. On the last page of the installation wizard, click Finish. The Access Client is now available in the Windows Start menu.

Launch the installed Access Client
Select Start > All Programs > WatchGuard SSL > Access Client > WatchGuard Access Client.

After you install
After you install, verify that the server address is correct in the Access Client Preferences dialog box. If you did not connect to a tunnel resource in the Application Portal at least once before you installed the Access Client, you have to manually add the address of your Application Portal.
1. Click the Access Client icon in the Windows system tray and select Preferences. The Access Client Preferences dialog box appears.
2. If the Update server field includes an address, we recommend you do not change this setting. This is the URL of the WatchGuard SSL device that hosts the client updates. It is usually set automatically the first time the Access Client connects to a resource. If the Update server field is blank, type the address of the WatchGuard SSL Application Portal. Do not include
3. Click OK.

Connect to the Application Portal

To start a resource, authenticate to the Application Portal with a web browser and click on a resource. If you want the Access Client to automatically connect to certain resources, you can configure favorites in the Access Client, as described in Manage Access Client favorites on page 231.

Uninstall the Access Client

Before you uninstall the Access Client, we recommend that you delete any favorite resources. When you uninstall the Access Client, the favorites you have configured are not automatically removed.

To delete your resource favorites:
1. Click the Access Client icon in the Windows system tray.
2. Select Favorites > Manage.
3. Click each favorite to select it and click Delete.

If you do not remove the favorites before you uninstall, the old favorites are still available in the Access Client favorites list when you reinstall the Access Client, or if you use the on-demand Access Client.

To uninstall the Access Client:
1. Open the Windows Control Panel.
2. Select Add or Remove Programs.
3. Click the WatchGuard Access Client program.
4. Click Remove.
Use ESSP to link directly to a resource

You must install the Access Client on your Windows computer to use this feature. This feature is not available when you use the on-demand Access Client.

ESSP (Extended Security Session Protocol) is the protocol used for communication between the Access Client and the WatchGuard SSL device. You can use the ESSP protocol to connect directly to a Tunnel Resource without going to the Application Portal. A Tunnel Resource is any resource that does not use a web browser. For example, when you connect to a network drive, you use a Tunnel Resource.

When you use ESSP to launch a tunnel resource, you are prompted to authenticate before you can connect to the resource.

Register the ESSP protocol handler

ESSP is the protocol used to build an SSL VPN tunnel to a Tunnel Resource. If you install the Access Client, you can configure the Access Client preferences to register the ESSP protocol handler.

1. Launch the Access Client.
2. Click the Access Client icon in the Windows system tray and select Preferences. The Access Client Preferences dialog box appears.
3. On the General tab, select the Register essp:// protocol handler check box.
4. Click OK.

Use ESSP to connect to a resource

After you register the ESSP protocol handler, you can use a web browser or the Windows Start menu to launch the Access Client and automatically connect to a resource.

To use ESSP to start a resource in a browser, type or select a URI that looks like this:
essp://<address of Application Portal>/<resource configuration tag>

To directly start a resource from the Windows Start menu, select Start > Run. In the Run dialog, type:
essp://<address of Application Portal>/<resource configuration tag>
Example

This example shows how to find the resource configuration tag for a resource, and how to construct the ESSP command. For this example, the URI for the Application Portal is: sslvpn.example.com

To find the resource configuration tag for a tunnel resource:
1. Authenticate to the Application Portal. The Application Portal page appears.
2. Right-click a tunnel resource.
3. Select Copy link location (Firefox) or Copy shortcut (Internet Explorer).
4. Paste the link into a text editor, such as Notepad. For example:
   javascript:openmessagewindow( /wa/webclient/26gp52085p1c );
   The number near the end is the resource configuration tag. For this example resource the configuration tag is: 26gp52085p1c

To start the example resource in a web browser, type this in the browser address bar:
essp://sslvpn.example.com/26gp52085p1c

To start this resource from the Windows Start menu, select Start > Run, then type:
essp://sslvpn.example.com/26gp52085p1c
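The tag extraction in Step 8 of See and edit Access Client favorites and the essp:// construction in the example above, as an added Python example that is not part of this guide or of WatchGuard's software: it pulls the configuration tag out of a copied portal link, builds the essp:// URI, and, because a registered essp:// handler can be invoked by any link, checks an incoming URI against a list of portals you actually use before anything is launched. The allow-list check, the bare-hostname normalisation and the letters-and-digits tag pattern are assumptions made for the example, not documented Access Client behaviour.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the link the guide says you get when you right-click a
# tunnel resource in the Application Portal and copy its link location.
SAMPLE_PORTAL_LINK = "javascript:openmessagewindow( /wa/webclient/26gp52085p1c );"

# The guide's example tag is a short run of letters and digits. Treating that
# as the allowed alphabet is an assumption made for this example, not a
# documented format; it keeps separators and query characters out of the URI.
TAG_RE = re.compile(r"[0-9A-Za-z]+")
LINK_RE = re.compile(r"/wa/webclient/([0-9A-Za-z]+)")


def configuration_tag_from_link(link: str) -> str:
    """Return the configuration tag from a copied Application Portal link.

    Automates the manual step in the guide: keep only the identifier that
    follows /wa/webclient/ and drop the surrounding javascript: wrapper.
    """
    match = LINK_RE.search(link)
    if match is None:
        raise ValueError("link does not contain /wa/webclient/<tag>")
    return match.group(1)


def build_essp_uri(portal_address: str, tag: str) -> str:
    """Build essp://<address of Application Portal>/<resource configuration tag>."""
    host = portal_address.strip()
    # Assumption: the portal address should be the bare host name. If a full
    # URL was pasted, reduce it to its host so the URI keeps the guide's shape.
    if "://" in host:
        host = urlsplit(host).hostname or ""
    host = host.strip("/").lower()
    if not host or not TAG_RE.fullmatch(tag):
        raise ValueError("portal address or configuration tag is invalid")
    return f"essp://{host}/{tag}"


def parse_essp_uri(uri: str, trusted_portals) -> tuple:
    """Validate an essp:// URI and return (portal_host, configuration_tag).

    Once the essp:// handler is registered, any web page or shortcut can hand
    a URI to the Access Client. A launcher wrapper that compares the portal
    host with the portals you actually use (trusted_portals is the caller's
    own policy, an assumption for this example) rejects links that point at a
    portal you never configured before the client is started at all.
    """
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() != "essp":
        raise ValueError("not an essp:// URI")
    host = (parts.hostname or "").lower()
    tag = parts.path.strip("/")
    if host not in {p.lower() for p in trusted_portals}:
        raise ValueError(f"portal {host!r} is not a trusted Application Portal")
    if parts.query or parts.fragment or not TAG_RE.fullmatch(tag):
        raise ValueError("configuration tag is malformed")
    return host, tag


def essp_uri_from_portal_link(portal_address: str, link: str) -> str:
    """Copied portal link plus portal address -> ready-to-use essp:// URI."""
    return build_essp_uri(portal_address, configuration_tag_from_link(link))


if __name__ == "__main__":
    trusted = {"sslvpn.example.com"}  # the portal from the guide's example
    uri = essp_uri_from_portal_link("sslvpn.example.com", SAMPLE_PORTAL_LINK)
    print(uri)  # essp://sslvpn.example.com/26gp52085p1c
    print(parse_essp_uri(uri, trusted))
    try:
        # Constructed host that is not in the trusted set: rejected.
        parse_essp_uri("essp://portal.example.net/26gp52085p1c", trusted)
    except ValueError as err:
        print("rejected:", err)
```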
SSL-VPN 200 Getting Started Guide
Secure Remote Access Solutions APPLIANCES SonicWALL SSL-VPN Series SSL-VPN 200 Getting Started Guide SonicWALL SSL-VPN 200 Appliance Getting Started Guide Thank you for your purchase of the SonicWALL SSL-VPN
SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide
SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that
Quick Install Guide. Lumension Endpoint Management and Security Suite 7.1
Quick Install Guide Lumension Endpoint Management and Security Suite 7.1 Lumension Endpoint Management and Security Suite - 2 - Notices Version Information Lumension Endpoint Management and Security Suite
Cox Business Premium Online Backup USER'S GUIDE. Cox Business VERSION 1.0
Cox Business Premium Online Backup USER'S GUIDE Cox Business VERSION 1.0 Table of Contents ABOUT THIS GUIDE... 4 DOWNLOADING COX BUSINESS PREMIUM ONLINE BACKUP... 5 INSTALLING COX BUSINESS PREMIUM ONLINE
Network Connect Installation and Usage Guide
Network Connect Installation and Usage Guide I. Installing the Network Connect Client..2 II. Launching Network Connect from the Desktop.. 9 III. Launching Network Connect Pre-Windows Login 11 IV. Installing
RMFT Web Client User Guide
RMFT Web Client User Guide Software Version 2.5 Supported Browsers: Browser Internet Explorer Firefox Safari Google Chrome Version 7.0 and above 3 and above 3.2 and above 1.0 and above August 7, 2011 RepliWeb,
PREFACE http://www.okiprintingsolutions.com 07108001 iss.01 -
Network Guide PREFACE Every effort has been made to ensure that the information in this document is complete, accurate, and up-to-date. The manufacturer assumes no responsibility for the results of errors
Administrators Help Manual
Administrators Help Manual Lepide Active Directory Self Service Lepide Software Private Limited Page 1 Administrators Help Manual for Active Directory Self-Service Lepide Active Directory Self Service
LifeSize Control Installation Guide
LifeSize Control Installation Guide April 2005 Part Number 132-00001-001, Version 1.0 Copyright Notice Copyright 2005 LifeSize Communications. All rights reserved. LifeSize Communications has made every
2X ApplicationServer & LoadBalancer Manual
2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Contents 1 URL: www.2x.com E-mail: [email protected] Information in this document is subject to change without notice. Companies,
Administrator s Guide
Administrator s Guide Citrix Network Manager for MetaFrame XPe Version 1.0 Citrix Systems, Inc. Information in this document is subject to change without notice. Companies, names, and data used in examples
Veeam Backup Enterprise Manager. Version 7.0
Veeam Backup Enterprise Manager Version 7.0 User Guide August, 2013 2013 Veeam Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may
How To Set Up A Thermal Cycler With Veritilink Remote Management Software
Installation Guide VeritiLink Remote Management Software Version 1.0 Installation Guide Getting Started VeritiLink Remote Management Software Version 1.0 Setting Up the Veriti Thermal Cyclers Setting
FileMaker Server 13. FileMaker Server Help
FileMaker Server 13 FileMaker Server Help 2010-2013 FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker and Bento are trademarks of FileMaker,
Legal Notes. Regarding Trademarks. 2013 KYOCERA Document Solutions Inc.
Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from
isupplier PORTAL ACCESS SYSTEM REQUIREMENTS
TABLE OF CONTENTS Recommended Browsers for isupplier Portal Recommended Microsoft Internet Explorer Browser Settings (MSIE) Recommended Firefox Browser Settings Recommended Safari Browser Settings SYSTEM
Overview of WebMux Load Balancer and Live Communications Server 2005
AVANU Load Balancing for Microsoft Office Live Communications Server 2005 WebMux Delivers Improved Reliability, Availability and Scalability Overview of WebMux Load Balancer and Live Communications Server
Wavelink Avalanche Mobility Center Java Console User Guide. Version 5.3
Wavelink Avalanche Mobility Center Java Console User Guide Version 5.3 Revised 17/04/2012 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway,
Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015
Metalogix SharePoint Backup Publication Date: August 24, 2015 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this
Networking Best Practices Guide. Version 6.5
Networking Best Practices Guide Version 6.5 Summer 2010 Copyright: 2010, CCH, a Wolters Kluwer business. All rights reserved. Material in this publication may not be reproduced or transmitted in any form
Microsoft Dynamics GP. Workflow Installation Guide Release 10.0
Microsoft Dynamics GP Workflow Installation Guide Release 10.0 Copyright Copyright 2008 Microsoft Corporation. All rights reserved. Complying with all applicable copyright laws is the responsibility of
Remote Filtering Software
Remote Filtering Software Websense Web Security Solutions v7.7-7.8 1996 2013, Websense, Inc. All rights reserved. 10240 Sorrento Valley Rd., San Diego, CA 92121, USA Published 2013 The products and/or
fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé
fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé Internet Server FileXpress Internet Server Administrator s Guide Version 7.2.1 Version 7.2.2 Created on 29 May, 2014 2014 Attachmate Corporation and its licensors.
NetBak Replicator 4.0 User Manual Version 1.0
NetBak Replicator 4.0 User Manual Version 1.0 Copyright 2012. QNAP Systems, Inc. All Rights Reserved. 1 NetBak Replicator 1. Notice... 3 2. Install NetBak Replicator Software... 4 2.1 System Requirements...
WatchGuard System Manager User Guide. WatchGuard System Manager v8.0
WatchGuard System Manager User Guide WatchGuard System Manager v8.0 Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
User Manual Version 4.0.0.5. User Manual A20 / A50 / A100 / A250 / A500 / A1000 / A2000 / A4000
User Manual Version 4.0.0.5 User Manual A20 / A50 / A100 / A250 / A500 / A1000 / A2000 / A4000 I Endpoint Protector Appliance User Manual Table of Contents 1. Endpoint Protector Appliance Setup... 1 1.1.
