WatchGuard SSL Web UI 3.1.3 User Guide
WatchGuard SSL 100
WatchGuard SSL 560
About this User Guide

The WatchGuard SSL Web UI User Guide is updated with each major product release. For minor product releases, only the WatchGuard SSL Web UI Help system is updated. The Help system also includes specific, task-based implementation examples that are not available in the User Guide. For the most recent product documentation, see the WatchGuard SSL Web UI Help on the WatchGuard web site at: http://www.watchguard.com/help/documentation/.

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revised: 6/21/2012

Copyright, Trademark, and Patent Information

Copyright 1998-2012 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners. Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.

Note: This product is for indoor use only.

About WatchGuard

WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer rightsized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools.
Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity. For more information, call 206.613.6600 or go to www.watchguard.com.

Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104

Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575

Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895

User Guide ii
Table of Contents

Introduction to WatchGuard SSL ... 1
About the WatchGuard SSL solution ... 1
About the WatchGuard SSL Access Client ... 2
About the Application Portal ... 2
Getting Started ... 3
Verify Basic Components ... 3
Get a WatchGuard Device Feature Key ... 3
Install the WatchGuard SSL Device Behind a Firewall ... 3
Use the Quick Setup Wizard to Set Up a Basic Configuration ... 4
Run the Quick Setup Wizard ... 4
Connect the WatchGuard SSL Device to Your Network ... 5
Connect to WatchGuard SSL Web UI and Complete Initial Tasks ... 6
Connect to WatchGuard SSL Web UI ... 6
Upload the Feature Key File ... 6
Download and Install the Latest Software ... 6
Get a Feature Key ... 7
Activate your Device and Get a Feature Key ... 7
Retrieve a Current Feature Key ... 7
Restore Factory Default Settings ... 7
Before You Begin ... 8
Start the WatchGuard SSL Device in Recovery Mode ... 8
Upload a New Software Image ... 8
Next Steps ... 9
About WatchGuard SSL Web UI ... 9
WatchGuard SSL Web UI Wizards ... 10
Publish Your Configuration ... 10
System Messages ... 10
Use the File Browser ... 10
About WatchGuard LiveSecurity Service ... 11
LiveSecurity Service ... 11
LiveSecurity Service Gold ... 12
Service expiration ... 12
Support Information ... 13
Online Resources ... 13
Telephone Numbers ... 13
Before You Call ... 13
Relevant Information ... 13
About Monitor System ... 15
About the System Status Page ... 16
View Status Information ... 17
Manage Settings ... 17
View Administrator Activities ... 18
System Overview ... 18
Network Status ... 21
Authentication ... 22
Events ... 23
Device Status ... 24
Network Tools ... 26
Manage Settings ... 27
View Administrator Activities ... 29
About User Sessions ... 29
Search for User Sessions ... 30
View a User Session ... 31
End a User Session ... 32
Manage Search and Display Settings ... 32
About Alerts ... 33
Manage Alerts ... 33
Add an Alert ... 34
Edit and Delete Alerts ... 39
Manage Global Alert Settings ... 40
Manage Logging ... 44
Edit Logging Settings ... 44
Set the Log Level Filter ... 46
Configure Log File Rotation ... 46
Debug Logs ... 46
Log File Information ... 47
Syslog ... 47
Manage Global Logging Settings ... 47
Use Log Viewer ... 49
About Log Viewer Search Criteria ... 50
About Reports ... 52
Available Reports ... 52
Generate a Report ... 53
Save a Report ... 54
Abolishment Report ... 55
Assessment Report ... 55
Session Trend Report ... 56
Session Trend Real-Time Report ... 56
Access Report ... 57
Authentication Report ... 57
Authorization Report ... 58
Account Statistics Report ... 59
User Policy Analysis Report ... 59
User Audit Report ... 59
Communication Report ... 60
Performance Report ... 60
Tunnel Report ... 61
Alerts Report ... 61
System Report ... 61
Complete Report ... 62
Manage Report Database Settings ... 63
About the Diagnostics File ... 63
About the Feature Key ... 64
Feature key information ... 65
Upload a New Feature Key ... 67
Live Update ... 67
Configure Live Update Settings ... 68
Reboot after Engine Updates ... 69
Check for New Live Update Files ... 69
User Management ... 71
User accounts ... 72
User groups ... 72
External Directory Service ... 72
Self Service ... 73
About User Accounts ... 73
User Account Search Result List ... 73
Manually Add a User Account ... 74
Import User Accounts ... 77
Link to a User Account ... 80
Repair a Linked User Account ... 82
Edit User Accounts ... 83
Manage Global User Account Settings ... 85
About User Groups ... 88
About user property groups ... 88
About user location groups ... 88
Add a User Group ... 89
Search, Edit, or Delete User Groups ... 90
About the External Directory Service ... 92
About Search Rules ... 92
About Directory Mapping ... 93
Add an External Directory Service Location ... 93
Edit an External Directory Service Location ... 96
About Self Service ... 99
Use the wizard to enable Self Service ... 99
Manually enable and configure Self Service ... 100
Disable or restore Self Service ... 100
Manage Self Service Settings ... 101
Modify System Challenges ... 103
Configure and Enable Self Service ... 105
About Resource Access ... 113
Resources ... 113
Client firewall ... 113
Access rules ... 114
Application Portal ... 114
SSO domains ... 114
About Resources ... 114
Manage Resources ... 114
Manage Global Tunnel Resource Settings ... 166
Manage Global Resource Settings ... 168
About Client Firewalls ... 187
Disable routes for other network connections ... 187
Check the integrity of application connections ... 187
How the client firewall works ... 187
Configure client definitions ... 188
Firewall rules based on a device ... 188
Incoming Firewall Rules ... 189
Outgoing firewall rules ... 189
Manage Internet Firewall Configurations ... 190
About Access Rules ... 195
Manage Access Rules ... 195
Manage Global Access Rules ... 199
Assessment Access Rule Requirements ... 200
Configure an Access Rule to Require Anti-virus or Anti-spyware Software ... 207
Configure an Access Rule to Verify the Windows Client Logon Domain ... 209
Configure an Access Rule to Verify a Windows File is Found ... 210
Configure an Access Rule to Verify a Windows File Digest is Found ... 211
Configure an Access Rule to Verify a Directory is Found ... 213
Configure an Access Rule to Verify the Client Computer MAC Address ... 215
Configure an Access Rule to Combine Authentication Methods ... 216
About the Application Portal ... 218
About the Access Client ... 218
Manage Application Portal Items ... 218
Connect to the Application Portal ... 222
Customize your Web UI and Application Portal ... 222
About SSO Domains ... 240
Domain type attributes ... 240
Manage SSO Domains ... 241
Configure SSO for Outlook Web Access (Form Based Authentication) ... 245
Configure SSO with Outlook Web Access (Basic Authentication) ... 250
Configure SSO for Microsoft Outlook Web App 2010 ... 253
Configure SSO for File Share Resources ... 256
Configure SSO for Remote Control Resources ... 260
Configure SSO for a Citrix MetaFrame Presentation Server Resource ... 264
About Manage System ... 275
About Authentication Methods ... 276
Supported Authentication Methods ... 277
About WatchGuard SSL Authentication Methods ... 278
About Other Authentication Methods ... 279
Add an Authentication Method ... 280
Manage an Authentication Method ... 282
Manage Global Authentication Service Settings ... 291
Manage RADIUS Configuration ... 297
Two-factor Authentication with Mobile ID ... 302
Configure Active Directory Authentication with LDAP over SSL ... 308
About Certificates ... 323
Certificate Lifetimes and CRLs ... 324
Certificate Authorities and Signing Requests ... 324
Manage Certificates ... 324
Add a Certificate Authority ... 324
Add a Server Certificate ... 327
Edit or Delete a Server Certificate ... 328
Manage Client Certificate Settings ... 329
Create a CSR with OpenSSL ... 330
About Abolishment ... 336
Configure General Settings ... 338
Configure Cache Cleaner Settings ... 339
Configure Advanced Settings ... 340
Post-connection Cleanup with Abolishment ... 342
About Assessment ... 344
Configure General Settings for Assessment ... 346
Configure Advanced Settings ... 348
Pre-connection End-point Integrity Check ... 351
About Notification Settings ... 354
Configure the Email Notification Channel ... 354
Configure the SMS Notification Channel ... 355
Manage SMS Plug-ins ... 369
Manage Client Definitions ... 370
Add Client Definitions ... 372
Edit or Delete Client Definitions ... 372
About Delegated Management ... 373
About Administrative Privileges ... 374
Manage Administrative Roles ... 375
About the Administration Service ... 378
Manage Administration Service Settings ... 378
Change the Super Administrator Password ... 379
Manage Global Settings ... 380
Restart the Administration Service ... 382
Manage Device Settings ... 383
General Settings for the Application Portal ... 384
Performance Settings ... 387
Cipher Suite Settings ... 389
Advanced Settings ... 391
Update the Device ... 394
Update the OS ... 395
Configure the System Time and Time Zone ... 395
Restore Factory Default Configuration Settings ... 397
Reinitialize the Local User Database ... 397
Reboot the Device ... 398
Network Configuration ... 398
Configure the Network Type ... 398
Manage Global Tunnel Resource Settings ... 402
Configure Administration Service External Communication Settings ... 403
Confirm Network Configuration Settings ... 404
Configure Network Routes ... 405
Restore a Saved Configuration ... 406
Restore the Current Configuration ... 407
Restore a Saved Configuration ... 407
Add a Description to a Saved Configuration ... 408
Delete a Saved Configuration ... 408
Lock or Unlock a Saved Configuration ... 409
Manage Saved Configuration Settings ... 409
Import or Export the Configuration ... 410
Configure Active Directory Authentication on your SSL Device ... 411
Before You Begin ... 412
Enable your AD Server for LDAP over SSL ... 413
Configure Active Directory Authentication on your SSL device ... 415
Send One-Time Passwords (OTPs) to Users ... 421
Configure the SMS Channel to send email ... 421
Configure SMS Settings for each user account ... 422
Change the Directory Mapping Attribute for Notification SMS ... 423
Enable mobile text authentication for all users ... 424
Use the OTP to Authenticate ... 425
About the Access Client ... 427
Install the Access Client ... 428
Before You Begin ... 428
Run the Installer ... 428
Launch the Installed Access Client ... 428
After You Install ... 428
Connect to the Application Portal ... 429
Uninstall the Access Client ... 429
Set up the Access Client for a Standard User ... 430
Installation ... 430
Use the Access Client as a Standard User ... 432
Limitations ... 432
Launch the Access Client ... 432
Launch the On-demand Access Client ... 432
Launch the Installed Access Client ... 432
About the Access Client Menu ... 433
Edit Access Client Preferences ... 434
Manage Access Client Favorites ... 437
Check Access Client Status ... 439
Close a Tunnel ... 439
End Your SSL VPN Session ... 440
Use ESSP to Link Directly to a Resource ... 440
Register the ESSP Protocol Handler ... 441
Use ESSP to Connect to a Resource ... 441
Example ... 442
1 Introduction to WatchGuard SSL

Your WatchGuard SSL device is an affordable, easy-to-use, and secure remote access device that provides reliable connectivity to your corporate data and resources. Its flexibility enables you to make your remote connectivity deployment as simple or as sophisticated as your business requirements dictate. If your business requires remote access to email and file shares, your WatchGuard SSL device delivers the security, flexibility, and breadth of options you need for secure remote access to your network.

The WatchGuard SSL stand-alone deployment implementation is a hassle-free VPN solution that provides universal access to applications and network resources with no connectors, no modules, no client management issues, and no extras to buy. The WatchGuard SSL 100 accommodates up to 100 concurrent users. The WatchGuard SSL 560 accommodates up to 500 concurrent users.

About the WatchGuard SSL solution

The WatchGuard SSL solution includes a WatchGuard SSL device, WatchGuard SSL Web UI, the WatchGuard SSL Application Portal, and the WatchGuard SSL Access Client.
- A WatchGuard SSL device is an all-in-one appliance that includes all the hardware, software, and WatchGuard servers for your solution.
- WatchGuard SSL Web UI is a web-based administration application with a task-oriented approach. You can use the Web UI to monitor your WatchGuard SSL system, add user accounts, manage access to your resources, and manage your system settings.
- The WatchGuard SSL Application Portal is the web site where your users authenticate and get access to your network resources.
- The Access Client is an SSL VPN client that enables on-demand access to tunnel resources in your Application Portal.
About the WatchGuard SSL Access Client

The WatchGuard SSL Access Client is an on-demand SSL VPN client. When a user selects a resource available through the tunnel, the Access Client automatically downloads and installs on the client computer through the web browser. The Access Client is available in two versions: the installed Access Client and the on-demand Access Client.

The Access Client is loaded with either ActiveX or a Java Applet, based on your configuration choices. To use the ActiveX client loader to install the client, users must have local administrator rights on their computers. For your users who do not have local administrator rights, you can download the Access Client from the WatchGuard web site and provide it to the SSL VPN users on your network.

About the Application Portal

The Application Portal provides access to Web Resources and Tunnel Resources.
- Web Resources are any files accessible with a web browser, or applications with a web interface such as Outlook Web Access or WatchGuard SSL Web UI. Users can connect to Web Resources without the Access Client.
- Tunnel Resources are client-server applications or intranet sites. Examples of tunnel resources include Remote Desktop or a Windows file share. Users must have the Access Client to connect to Tunnel Resources.
2 Getting Started

Before you install your WatchGuard SSL device, make sure you verify the basic components and get a feature key, as described in the subsequent sections.

Verify Basic Components

Make sure that you have these items:
- A computer with a 10/100BaseT Ethernet network interface card and a web browser installed
- WatchGuard SSL device
- Ethernet cable
- Power cable

Get a WatchGuard Device Feature Key

To enable all of the features on your WatchGuard SSL device, you must activate the device on the WatchGuard LiveSecurity web site and retrieve your feature key file. You can upload your feature key in the Quick Setup Wizard if you register your device before you start the wizard. Or, you can complete the wizard without a feature key. The SSL device only allows one authenticated user until you upload a feature key to the device. For more information, see Get a Feature Key.

Install the WatchGuard SSL Device Behind a Firewall

To protect your WatchGuard SSL device, we recommend that you install the device on your network behind the network firewall. You must then add an HTTPS policy to the firewall configuration to allow inbound traffic to the device. The procedure you use to add the policy depends on whether your WatchGuard SSL device has a public or private network IP address.
If your WatchGuard SSL device has a private IP address
Configure the firewall with an HTTPS policy that uses static NAT. This policy must allow all traffic on port 443 from any external IP address to the private IP address of the WatchGuard SSL device.

If your WatchGuard SSL device has a public IP address
Configure the firewall with an HTTPS policy that allows traffic on port 443 from any external IP address to the public IP address of the WatchGuard SSL device.

For detailed examples about how to configure these policies on a WatchGuard firewall, see the Policies topics in the latest Fireware XTM documentation.

Use the Quick Setup Wizard to Set Up a Basic Configuration

The Quick Setup Wizard helps you set up a basic network configuration for your WatchGuard SSL device. Use the Quick Setup Wizard to set up the device for the first time, or after you reset the device to factory default settings.

Before you start the Quick Setup Wizard, make sure you:
- Register your WatchGuard SSL device with LiveSecurity Service
- Save a copy of your feature key file from the LiveSecurity web site to your computer, and extract the feature key from the compressed file

For more information, see Getting Started.

Run the Quick Setup Wizard

1. Make sure your computer is configured to use a static IP address on the 192.168.111.0/24 network.
   Note: The default IP address on the WatchGuard SSL device is 192.168.111.1. Do not use 192.168.111.1 on your own computer.
2. Connect the Ethernet interface on your computer to Eth1 on the WatchGuard SSL device.
3. Plug the power cord into the WatchGuard device power input and into a power source.
4. Power on the WatchGuard SSL device.
5. Open a web browser and type: https://192.168.111.1:8443
   The Quick Setup Wizard begins.
   Note: Because the WatchGuard SSL device uses a self-signed certificate, you may see a certificate warning in your browser. It is safe to ignore the warning (Internet Explorer) or add a certificate exception (Mozilla Firefox).
6. Upload your feature key file, if you have it. If you do not upload a feature key file, only one authenticated user can get access to the device. If you do not have a feature key, you can continue with the wizard, and then upload a feature key from the Web UI after you finish the wizard.
7. Set the time zone and system time settings. Though the NTP server configuration is optional, we recommend that you specify an NTP server. Accurate time stamps are important not only for log file messages, but also for the SSL handshake.
8. Create the Super Administrator credentials. This is a local account on the SSL device. These credentials do not have to correspond to an existing user in a directory service. The Super Administrator password must be at least six characters long and must include characters from at least three of these four categories:
   - English uppercase characters (from A through Z)
   - English lowercase characters (from a through z)
   - Base-10 digits (from 0 through 9)
   - Non-alphanumeric characters (for example: !, $, #, or %)
9. Select the network configuration mode. The choices are:
   Single Interface mode (default)
   Select this mode if you want to connect the WatchGuard SSL device to one network DMZ. In single interface mode, only the Eth0 interface is active.
   Dual Interface mode
   Select this mode if you want to connect the WatchGuard SSL device to two separate networks (for example, two different DMZ networks). In dual interface mode, both the Eth0 and Eth1 interfaces are active.
   For more information about network interface modes, see Network Configuration.
10. Type the network address information for each interface you enabled.

The final page of the Quick Setup Wizard shows a summary of the configuration settings, and the interface and IP address you must use to connect after the device reboots. After you complete the wizard, the device restarts with the settings you configured.

Connect the WatchGuard SSL Device to Your Network

After you complete the Quick Setup Wizard, connect the WatchGuard SSL device to your network.

1. Connect the WatchGuard SSL device to your network.
   - If you selected single interface mode, connect the device to your network with Eth0.
   - If you selected dual interface mode, connect the device to your network with both Eth0 and Eth1.
2. Reset the IP address on your computer to the original IP address.
3. Connect your computer to the network.

You can now use WatchGuard SSL Web UI to continue configuration, management, and monitoring tasks. For more information, see Connect to WatchGuard SSL Web UI and Complete Initial Tasks.
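The Super Administrator password rule from step 8 of the wizard (six characters minimum, three of four character categories), as an added pre-check you can run before you type the password into the wizard. This is example code written for this guide, not WatchGuard's own; the function names are hypothetical, the treatment of spaces and non-ASCII characters is an assumption noted in the code, and the device's own check is authoritative.

```python
# Hypothetical pre-check for a Super Administrator password, written for this
# page; it is not WatchGuard code and the device's own check may differ.
import string

MIN_LENGTH = 6        # "at least six characters long"
MIN_CATEGORIES = 3    # "at least three of these four categories"


def categories_present(password):
    """Return the set of guide categories the password draws characters from.

    Only ASCII letters count toward the two "English" letter categories.
    Any other ASCII character, including space, counts as non-alphanumeric
    (assumption: the guide only lists !, $, # and % as examples).
    Non-ASCII characters are counted toward no category at all, so the
    pre-check never accepts something the device might refuse.
    """
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif ch.isascii():
            found.add("symbol")
    return found


def check_password(password):
    """Return (ok, reasons). ok is True when the password satisfies the rule;
    reasons lists each requirement it fails, length first."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    cats = categories_present(password)
    if len(cats) < MIN_CATEGORIES:
        reasons.append("only %d of %d categories (%s)"
                       % (len(cats), MIN_CATEGORIES,
                          ", ".join(sorted(cats)) or "none"))
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample candidates, not values from the guide.
    for candidate in ("Abc123", "abcdef", "Ab1", "p4ss-word", "pässwörd"):
        ok, why = check_password(candidate)
        print("%-12r %s %s" % (candidate,
                               "accepted" if ok else "rejected",
                               "; ".join(why)))
```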
Connect to WatchGuard SSL Web UI and Complete Initial Tasks

After you complete the basic configuration, you can use WatchGuard SSL Web UI to continue the configuration, management, and monitoring tasks. Before you get started, make sure that you have:
- Connected the WatchGuard SSL device to your network
- Connected your computer to the network
- Reset the IP address of your computer

Connect to WatchGuard SSL Web UI

The interface that you use to connect to WatchGuard SSL Web UI is different depending on the deployment method you used for your device. WatchGuard SSL Web UI uses port 8443 by default.

If you configured your device in Single Interface Mode, you must connect to the Eth0 interface for management.
1. Connect your computer to the Eth0 network.
2. In a web browser, type https://<eth0 IP address>:8443.
3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.
WatchGuard SSL Web UI appears.

If you configured your device in Dual Interface Mode, you must connect to the Eth1 interface for management.
1. Connect your computer to the Eth1 network.
2. In a web browser, type https://<eth1 IP address>:8443.
3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.
WatchGuard SSL Web UI appears.

Upload the Feature Key File

If you did not upload your feature key file when you ran the Quick Setup Wizard, we recommend that you upload it now.
1. Get your feature key file from LiveSecurity. For instructions, see Get a Feature Key.
2. In WatchGuard SSL Web UI, select Monitor System > Feature Key.
   The Feature Key page appears.
3. Upload the feature key file to the device. For more information, see Upload a New Feature Key.

Download and Install the Latest Software

A newer version of operating system software for your WatchGuard SSL device could be available. To update your software:
1. Go to www.watchguard.com/archive/softwarecenter.asp.
2. Find and download the latest version of WatchGuard SSL OS.
3. From the Web UI, select Manage System > Device Update.
   The Update the OS page appears.
4. Update the OS version on the device. For more information, see Update the OS.

Get a Feature Key

A feature key is a file that enables licensed features on your WatchGuard SSL device. You must get a feature key when you first install the device, and when you renew the LiveSecurity service.

Activate your Device and Get a Feature Key

To activate your device and get the device feature key:
1. Open a web browser and go to http://www.watchguard.com.
   Note: If you are new to WatchGuard, follow the instructions on the web site to create a WatchGuard account profile.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click Activate a Product.
   The Activate Products page appears.
4. Type the serial number of the device. Make sure to include any hyphens.
5. Click Continue.
6. Follow the instructions to register your device.
7. Save the feature key as a text file on your computer.

After you download the feature key, you can use the Quick Setup Wizard or the Web UI to browse to the location of the feature key on your computer and upload it to the WatchGuard SSL device.

Retrieve a Current Feature Key

You can retrieve a current feature key from the WatchGuard web site:
1. Open a web browser and go to http://www.watchguard.com.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click My Products.
4. In the list of products, select your device.
5. Use the on-screen instructions to obtain the feature key.
6. Save the feature key to a text file on your computer.
For more information, see:
- Use the Quick Setup Wizard to Set Up a Basic Configuration
- Upload a New Feature Key

Restore Factory Default Settings

There are two ways to reset your WatchGuard SSL device to the factory default settings:
Use the WatchGuard SSL Web UI
If you can log in to the WatchGuard SSL Web UI, you can restore the device to factory default settings from the Web UI. This is the easiest method to restore the factory default settings. For more information, see Restore Factory Default Configuration Settings.

Use recovery mode
If you cannot log in to WatchGuard SSL Web UI, you can start the device in recovery mode. When the device is in recovery mode, you can reinstall the software image and restart the device with factory default settings.

Before You Begin

Before you start the recovery process, you must download and save a copy of the WatchGuard SSL OS on your computer. The file has an extension of .sysa-dl. You can download the file from the Software Downloads section of the WatchGuard web site at http://www.watchguard.com/archive/softwarecenter.asp.

Start the WatchGuard SSL Device in Recovery Mode

1. Power off the WatchGuard SSL device.
2. Press and hold the up arrow button on the front panel while you power on the device.
3. Continue to hold the up arrow button until Executing SysB appears on the LCD display.

When Recovery Mode Ready appears on the LCD display, the device is in recovery mode. In recovery mode, the Eth1 address of the device is set to 10.0.1.1.

Upload a New Software Image

You must use a command line FTP program to upload the WatchGuard SSL OS software image. Many common FTP commands are disabled on the WatchGuard SSL device for security reasons. For example, you cannot change directories (cd) or show the remote working directory (pwd). Other FTP programs rely on these commands to show you a list of files in the remote directory, and do not operate correctly when these commands are disabled.

To upload a new software image to your WatchGuard SSL device:
1. Connect an Ethernet network cable between your computer and the Eth1 interface on the WatchGuard SSL device.
2. Change the IP address of your computer to 10.0.1.2 (or to another IP address on the 10.0.1.0 network).
3. Open the command line interface of your computer. For example, select All Programs > Accessories > Command Prompt from the Windows Start Menu if you use Windows XP.
4. Change your working directory to the location where you saved the .sysa-dl file.
5. At the command prompt, type ftp 10.0.1.1 to connect to your WatchGuard SSL device.
6. When requested, type admin for both the user name and the password.
7. Type bin to change the transfer type to binary mode.
8. Type put <filename>. Make sure you replace <filename> in the command with the name of the .sysa-dl file you downloaded from the WatchGuard Software Downloads page.
   The upload process can take several minutes to complete. Do not close the window or type more commands until another command prompt appears.
9. Type quit to close the FTP connection.
10. Exit the command line interface program.

After the software image upload completes, the WatchGuard SSL device installs the software and resets the configuration to the default settings. When the reset process completes, the device automatically restarts.

Next Steps

Note: The installation and reset process can take up to 10 minutes. Do not turn off the device before this process is complete.

After you restore the software image and the device restarts with factory default settings, you can use the Quick Setup Wizard to set up your configuration again.

Note: After the reboot, the IP address of the Eth1 interface changes to 192.168.111.1. You must change the IP address on your computer before you launch the Quick Setup Wizard.

For more information, see Use the Quick Setup Wizard to Set Up a Basic Configuration.

About WatchGuard SSL Web UI

WatchGuard SSL Web UI is a web-based administration application with a task-oriented approach. You can use the Web UI to monitor your WatchGuard SSL device, add user accounts, manage resource access, and manage your system settings.

WatchGuard SSL Web UI has two levels of menus:

Main menu
Includes these sections:
- Monitor System: Monitor information about system status, user sessions, log files, reports, licenses, and alerts.
- User Management: Manage user accounts, user groups, and configure an external directory service.
- Resource Access: Create Application Portal items to give users access to applications, folders and files, and URLs.
- Manage System: See and manage the overall configuration of your WatchGuard SSL system.

Left menu
Includes options to manage your configuration from the sections of the main menu.

Context-sensitive Help is integrated with WatchGuard SSL Web UI. To open the Help topic for a task, click the Help icon.
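The upload sequence from Upload a New Software Image (log in as admin, binary mode, put, quit), scripted with Python's ftplib so that only those commands reach the recovery FTP server and the directory commands the guide says are disabled are never sent. This is an added example for this guide, not WatchGuard code; the constants, the DryRunSession stand-in and the passive-mode remark are assumptions made for illustration.

```python
# Added example for this page (not WatchGuard code): upload a WatchGuard SSL OS
# image to a device in recovery mode with the same minimal FTP sequence the
# guide describes (log in as admin, binary mode, put, quit) and nothing else.
import ftplib
import io
import os
import sys

RECOVERY_HOST = "10.0.1.1"   # Eth1 address of the device in recovery mode
RECOVERY_USER = "admin"      # recovery credentials given in the guide
RECOVERY_PASS = "admin"
IMAGE_SUFFIX = ".sysa-dl"

# Verbs the guide says the device disables (cd and pwd).  Clients that browse
# the remote directory before sending a file depend on them and fail.
DISABLED_VERBS = {"CWD", "PWD"}


def is_image_name(name):
    """True when `name` looks like a downloaded WatchGuard SSL OS image."""
    return name.endswith(IMAGE_SUFFIX) and len(name) > len(IMAGE_SUFFIX)


def upload_image(session, name, fh):
    """Send the image in `fh` as `name` over `session` (an ftplib.FTP or a
    compatible stand-in that is already connected).  No directory commands
    are issued, so the transfer works with the reduced command set."""
    if not is_image_name(name):
        raise ValueError("expected a %s file, got %r" % (IMAGE_SUFFIX, name))
    session.login(RECOVERY_USER, RECOVERY_PASS)
    # storbinary sends TYPE I (the guide's 'bin') and then STOR <name>.
    session.storbinary("STOR " + name, fh)
    session.quit()


def upload_file(path, host=RECOVERY_HOST):
    """Upload the image at `path` to a real device.  ftplib defaults to
    passive mode; the guide does not say which mode the device supports, so
    call session.set_pasv(False) first if the transfer stalls (assumption)."""
    session = ftplib.FTP(host, timeout=60)
    with open(path, "rb") as fh:
        upload_image(session, os.path.basename(path), fh)


class DryRunSession:
    """Stand-in for ftplib.FTP that records the verbs it would send and
    rejects the ones the device disables, so the sequence can be checked
    without a device on the wire."""

    def __init__(self):
        self.verbs = []
        self.stored_as = None
        self.bytes_sent = 0

    def _send(self, verb):
        if verb in DISABLED_VERBS:
            raise ftplib.error_perm("500 %s is disabled on this device" % verb)
        self.verbs.append(verb)

    def login(self, user, passwd):
        self._send("USER")
        self._send("PASS")

    def storbinary(self, cmd, fh, blocksize=8192, callback=None, rest=None):
        self._send("TYPE")                  # TYPE I, binary mode
        verb, _, name = cmd.partition(" ")
        self._send(verb)                    # STOR
        self.stored_as = name
        self.bytes_sent = len(fh.read())

    def cwd(self, dirname):
        self._send("CWD")

    def pwd(self):
        self._send("PWD")

    def quit(self):
        self._send("QUIT")


def dry_run(name, data):
    """Run upload_image against a DryRunSession and return the session."""
    session = DryRunSession()
    upload_image(session, name, io.BytesIO(data))
    return session


if __name__ == "__main__":
    if len(sys.argv) == 2:
        upload_file(sys.argv[1])
    else:
        # Constructed 16-byte stand-in for an image, used only for the dry run.
        s = dry_run("example.sysa-dl", b"\x00" * 16)
        print("dry run would send:", " ".join(s.verbs))
```

Run it with the path of a downloaded .sysa-dl file to upload to 10.0.1.1, or with no arguments to see the command sequence from the dry run.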
Getting Started WatchGuard SSL Web UI Wizards All common tasks use wizards to guide you through the steps to complete your task. This includes procedures to add user accounts, resources, and many others. To start a wizard, click Add. To cancel a wizard at any time, select a different menu item or close your browser window or tab. To return to the previous page in a wizard, click Previous. To save your changes, click Finish Wizard or Save. Publish Your Configuration After you add or edit a setting in your configuration, you must save the changes to the WatchGuard SSL device and services before they can take effect. The Publish button at the top of the Web UI changes from white to blue when you make changes that must be saved. To save your configuration changes: Click Publish at the top of the Web UI. You can later review or restore a configuration. For more information about configurations, see Restore a Saved Configuration. System Messages When you use a wizard or make a change to your configuration, feedback messages appear in WatchGuard SSL Web UI at the top of the current page. If the message text is red, you have made an error in your configuration selection. If the message text is green, your configuration change was successful. Use the File Browser You can use the WatchGuard SSL Web UI file browser to find files on your WatchGuard SSL device. This is helpful when you want to find a file name or path to include in your settings (for example, with a script). To use the file browser: 1. At the top of the Web UI, click Browse. The file browser opens in a separate window or tab. 10 WatchGuard SSL Web UI
Getting Started 2. Select a folder from the navigation tree on the left. 3. To change a current file, select a file to edit, download, delete, or rename. To edit the file, click. Make changes to the file contents, then click Save. To download the file, click. Select to Open or Save the file. To delete the file, click. In the Warning dialog box, click OK. To rename the file, click. In the Rename File text box, type a new name. Click Rename. 4. To upload a new file, adjacent to the Upload File text box, click Browse and select a file. Click Upload. About WatchGuard LiveSecurity Service WatchGuard knows just how important support is when you must secure your network with limited resources. Our customers require greater knowledge and assistance in a world where secure access is critical. LiveSecurity Service gives you the backup you need, with a subscription that supports you as soon as you register your WatchGuard SSL device. LiveSecurity Service Your WatchGuard SSL device includes a subscription to our ground-breaking LiveSecurity Service, which you activate online when you register your product. As soon as you activate, your LiveSecurity Service subscription gives you access to a support and maintenance program unmatched in the industry. LiveSecurity Service comes with the following benefits: Hardware Warranty with Advance Hardware Replacement An active LiveSecurity subscription extends the one-year hardware warranty that is included with each WatchGuard SSL device. Your subscription also provides advance hardware replacement to minimize downtime in case of a hardware failure. If you have a hardware failure, WatchGuard will ship a replacement unit to you before you have to ship back the original hardware. Software Updates Your LiveSecurity Service subscription gives you access to updates to current software and functional enhancements for your WatchGuard products. Technical Support When you need assistance, our expert teams are ready to help. 
Representatives available 12 hours a day, 5 days a week in your local time zone*
Four-hour targeted maximum initial response time
Access to online user forums moderated by senior support engineers
User Guide 11

Support Resources and Alerts

Your LiveSecurity Service subscription gives you access to a variety of professionally produced instructional videos, interactive online training courses, and online tools specifically designed to answer questions you may have about network security in general or the technical aspects of installation, configuration, and maintenance of your WatchGuard products.
Our Rapid Response Team, a dedicated group of network security experts, monitors the Internet to identify emerging threats. They then deliver LiveSecurity Broadcasts to tell you specifically what you can do to address each new threat. You can customize your alert preferences to fine-tune the kind of advice and alerts the LiveSecurity Service sends you.

LiveSecurity Service Gold

LiveSecurity Service Gold is available for companies that require 24-hour availability. This premium support service gives expanded hours of coverage and faster response times for around-the-clock remote support assistance. LiveSecurity Service Gold is required on each unit in your organization for full coverage.

Service Features                                      LiveSecurity Service              LiveSecurity Service Gold
Technical Support hours                               6 AM to 6 PM, Monday to Friday*   24/7
Number of support incidents (online or by phone)      5 per year                        Unlimited
Targeted initial response time                        4 hours                           1 hour
Interactive support forum                             Yes                               Yes
Software updates                                      Yes                               Yes
Online self-help and training tools                   Yes                               Yes
LiveSecurity broadcasts                               Yes                               Yes
Installation Assistance                               Optional                          Optional
Three-incident support package                        Optional                          N/A
One-hour, single incident priority response upgrade   Optional                          N/A
Single incident after-hours upgrade                   Optional                          N/A
* In the Asia Pacific region, standard support hours are 9 AM to 9 PM, Monday to Friday (GMT +8).

Service expiration

We recommend that you keep your subscription active to secure your organization. When your LiveSecurity subscription expires, you lose access to up-to-the-minute security warnings and regular software updates, which can put your network at risk. Damage to your network is much more expensive than a LiveSecurity Service subscription renewal. If you renew within 30 days, there is no reinstatement fee.

Support Information

WatchGuard offers a variety of technical support services for your purchased products and services. For more information, see the WatchGuard support web site.

Online Resources
Product documentation: http://www.watchguard.com/help/documentation/
Knowledge Base: http://customers.watchguard.com/
Training and courseware: http://www.watchguard.com/training/courses.asp
WatchGuard Forum: http://www.watchguard.com/forum/

Telephone Numbers
US & Canada: +877.232.3531
International: +1.206.613.0456

Before You Call

When you create an incident, make sure you include all required information. Ask yourself these questions to help you find what you must include:
1. What are you trying to do?
2. Were you able to perform this action previously without problems?
3. What behavior do you see?
4. What behavior would you expect to see if the problem was not occurring?
5. How often do the symptoms occur?
6. What troubleshooting steps, if any, have you taken?

Relevant Information

When you contact technical support, you are often asked for basic information about your WatchGuard SSL device and LiveSecurity account. It is helpful to save this information when you create your configuration in case your device does not operate correctly.
If possible, include these additional items when you call, so your technician can promptly resolve your issue:
Logs
Log messages are important. If you have access to the Log Viewer at the time of the error, include a section of the logs.
Network diagrams
Not all problems start from one device. Sometimes, a problem that appears to be related to the SSL device is actually caused by something else in the network. A diagram of your network is a valuable resource; we recommend that you make one and keep it updated.
3 About Monitor System

You can use WatchGuard SSL Web UI to see information about system status, user sessions, log files, reports, licenses, and alerts. To monitor your WatchGuard SSL system, select Monitor System.
The Monitor System menu includes:
System Status
You can see status information about your device. This includes the system, network, authentication, events, and devices. You can also manage monitoring settings and monitor administrator activities. For more information, see About the System Status Page.
User Sessions
You can see a list of the current user sessions, and you can search sessions by User ID. For more information, see About User Sessions.
Alerts
You can manage administrator alerts. For more information, see About Alerts.
Logging
You can manage logging settings for all registered servers. For more information, see Manage Logging.
Log Viewer
You can search and see entries in the log files. For more information, see Use Log Viewer.
Reports
You can generate reports and manage report settings. For more information, see About Reports.
Diagnostics File
You can create a compressed diagnostics file that contains configuration and log files for all services for a selected period. For more information, see About the Diagnostics File.
Feature Key
You can see information about the installed features. You can also upload a new feature key. For more information, see About the Feature Key.
Live Update
You can change the update settings for the End-Point Security definition file that is used for client scans to support Assessment access rules. For more information, see Live Update.

About the System Status Page

When you first log in to WatchGuard SSL Web UI, the System Status page appears. From the System Status page, you can select a tab to see an overview of information about your system, check the status of your network, review current authentication settings, identify events that have occurred on your system, verify the status of your device, and run basic debug tools to help you troubleshoot issues on your network. You can also click a link to manage settings for event monitoring, change the Super Administrator password, and view information about the date and time of administrator activities.
To monitor the status of the WatchGuard SSL system:
1. Connect to WatchGuard SSL Web UI.
2. Select Monitor System > System Status. The System Status page appears.
3. To update the information that appears on the System Status page, click Refresh.

View Status Information

On the System Status page, select a tab to choose the status information type. For more information about each tab, see:
System Overview
Network Status
Authentication
Events
Device Status
Network Tools

Manage Settings

To enable event monitoring and change the super administrator password:
Click Manage Settings. The Settings page appears.
For more information, see Manage Settings.

View Administrator Activities

To view the recent activities of administrators:
Click View Administrator Activities. The View Administrator Activities page appears.
For more information, see View Administrator Activities.

System Overview

The System Overview page includes basic information about your system. This includes the version of software on your device, the current feature key version, information about administrators and users, and the registered resources and domains for your system.
To see basic information about your WatchGuard SSL system:
1. Select Monitor System > System Status.
2. Select the System Overview tab. This tab is selected by default.
The System Overview tab has four sections, which include basic information about your system, as described in the subsequent sections.

System Information

The System Information section shows information about the installed software and feature keys.
Software version
The version and build number for the installed operating system software.
Feature Key Version
The version number in the feature key.
Feature Key Type
The type of feature key: Production or Evaluation. The Evaluation key allows only one authenticated user to get access through the SSL device.
Current Server Time
The date and time on the WatchGuard SSL device.

System Services

The System Services section shows the services that are enabled on your SSL device.
External Host
Shows the IP address and port number configured for communication between the WatchGuard SSL Web UI and the client.
Internal Host
Shows the IP addresses and port numbers used for communication between services on the device.

Administrators

The Administrators section shows information about administrative users.
Administrator
The user name for the administrator account.
Logged on Administrators
The number of administrators currently logged in.

Users

The Users section shows status information about users and user accounts.
Concurrent Users
The number of users currently connected to the SSL device. The maximum number allowed by the feature key appears in parentheses.
Registered User Accounts
The number of registered user accounts. The maximum number allowed by the feature key appears in parentheses.
Logged-on Users
The number of users currently logged in.
Active Users
The number of logged-in users that have made a request within the last 15 minutes.

Resources

Registered Resources
The number of registered resources on the Resources page.
Registered SSO domains
The number of registered Single Sign-On domains.
Network Status

The Network Status tab includes configuration and statistical information for the network interfaces enabled on the SSL device.
To see the status of the network interface configuration:
1. Select Monitor System > System Status.
2. Select the Network Status tab.
The Network Status tab includes these sections:
Eth0
Shows configuration information and traffic statistics for the Eth0 network interface.
Eth1
Shows configuration information and traffic statistics for the Eth1 interface. Eth1 is disabled in single interface mode.
Routing Table
Shows the routing table for the device.
For more information about network configuration and interface modes, see Network Configuration.

Authentication

On the Authentication tab, you can review the configuration status of the enabled authentication methods, the status of notification channels, and configuration information for the databases used for authentication.
To see the status of the authentication configuration:
1. Select Monitor System > System Status.
2. Select the Authentication tab.
The Authentication tab includes these sections:
Authentication Methods
Shows the IP address and port configured for each of the five WatchGuard authentication methods.
RADIUS clients
Shows the number of registered RADIUS clients.
Email Notification
Shows the status of email notification. If email notification is enabled, the email host information appears.
SMS Distribution
Shows the status of SMS distribution. If SMS distribution is configured, information about the primary and secondary SMS channels appears.
Local User Database
Shows the host IP address and account information for the local user database.
External Directory Service
Shows the name, IP address, and account information for the configured external directory service.

Events

The Events tab includes a list of events related to the status of connections and services.
To see recent system events:
1. Select Monitor System > System Status.
2. Select the Events tab.
For each event the Events tab shows:
The date and time of the event
Which service or policy the event involves
A brief description of the event
3. To update the list of events with the latest information, click Refresh.
If you enable Event Monitoring on the Manage Settings page, the Events tab also shows events related to connectivity to the local user database and external directory services. For more information about the Manage Settings page, see Manage Settings.

Device Status

The Device Status tab includes information about your device (software version, connections, and resource use) and the SSL listener status for your device.
To see statistics and configuration information for your WatchGuard SSL device:
1. Select Monitor System > System Status.
2. Select the Device Status tab.

Device Overview

The Device Overview section shows information about the device software, connections, and resource use.
Host
The IP address the device uses to communicate with itself. This is always set to 127.0.0.1.
Current Server Time
Shows the current date and time for the SSL device.
Server Started
Shows the date and time the device was last started.
Version
The software version and build number.
Client Connections
The current number of active clients.
Server Connections
The current number of connections used to communicate with internal web sites, such as web resources. Some web applications require more than one connection per user.
Queued Connections
The current number of connections that are not yet processed.
Active Worker Threads
The number of active threads is shown first. The maximum number of active threads is shown in parentheses.
Available Memory
The amount of available memory, in megabytes.
Open SSL Version
The version of OpenSSL that the WatchGuard SSL device uses. Compare this version against current OpenSSL security advisories when you assess the device, because the listener's TLS handling depends on it.

SSL Status for <IP address:port>

The SSL Status section shows statistics about the SSL listener. By default, there is just one SSL listener. If you add additional listeners, this page displays the status for each listener. The statistics shown are:
SSL Sessions in Cache
SSL Accepts
Finished SSL Accepts
Renegotiates
Session Cache Hits
Session Cache Misses
Session Cache Timeouts
Callback Cache Hits
Cache Full Overflows
Cache Size
For information about how to add a listener, see General Settings for the Application Portal.
Network Tools

From the Network Tools tab, you can run some basic network commands. This can be helpful when you troubleshoot issues with your network. The network tools available in WatchGuard SSL Web UI are:
ping
A command to detect whether a connection to a specified hostname or IP address is possible.
tcpdump
A program to intercept and examine TCP/IP packets for diagnostic purposes.
traceroute
A command to show the routing path taken from the device to a hostname or IP address.
nslookup
A program that shows the information from the DNS records of a domain or hostname.
To use the network tools:
1. Select Monitor System > System Status.
2. Select the Network Tools tab.
3. From the Command Type drop-down list, select a command. The command appears in the Prepared Command list.
4. In the Extended Parameters text box, type the command line parameters for the command you selected. For example, if you selected ping, type the hostname or IP address to ping. The parameters appear in the Prepared Command list, after the command.
5. From the Max Run Time drop-down list, select the maximum amount of time you want the command to run.
6. To run the command shown in the Prepared Command list, click Run. The result of the command appears in the Result section.
7. To stop the command, click Stop.
8. To clear the Result section, click Clear.

Manage Settings

You can select whether to monitor the connection to the Local User Database or External Directory Service, change the Super Administrator password, and enable the password policy.

Event Monitoring Settings

When you enable event monitoring, the connection between your device and the Local User Database or External Directory Service is checked every 15 seconds and a log message is recorded in the service log. The log messages appear on the Events tab of the System Status page. This option is selected by default. To reduce the load on your system, disable this option.
To enable event monitoring:
1. Select Monitor System > System Status.
2. Click Manage Settings. The Settings page appears.
3. Select the Monitor connections to the local user database and external directory service check box.
4. Click Save.

Change the Super Administrator Password

When you complete the Quick Setup Wizard, you set the Super Administrator password. You can change this password at any time.
You can also enable or disable the WatchGuard SSL password policy, which requires that the Super Administrator password meet these specific standards:
The password must be at least six characters long.
The password must include characters from at least three of these four categories:
o English uppercase characters (A through Z)
o English lowercase characters (a through z)
o Base-10 digits (0 through 9)
o Non-alphanumeric characters (for example, !, $, #, or %)
These requirements are a floor, not a target: the Super Administrator account controls the whole device, so choose a password well beyond the six-character minimum.
To enable or disable the password policy, or change the password:
1. Select Monitor System > System Status.
2. Click Manage Settings. The Settings page appears.
3. Select the Enable password policy check box.
4. In the Current Password text box, type the password currently assigned to the Super Administrator.
5. In the New Password and Verify New Password text boxes, type the new password.
6. Click Save.
You can also change the password settings from the Manage System > Administration Service page, as described in Change the Super Administrator Password.

View Administrator Activities

You can use WatchGuard SSL Web UI to see a list of all the administrators logged on to the Web UI, as well as the date and time of recent actions for each administrator.
1. Select Monitor System > System Status.
2. Click View Administrator Activities. The Administrator Activities page appears.

About User Sessions

You can search for and manage all current user sessions to see which users are active in the system and information about their sessions. You can also stop active user sessions.
To see a list of user sessions:
Select Monitor System > User Sessions. The User Sessions page appears with a list of all the current user sessions.
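The following is an added example, not WatchGuard code, that checks a candidate Super Administrator password against the policy rules listed under Change the Super Administrator Password above (at least six characters, and characters from at least three of the four categories). The only assumption beyond the guide is that any character outside A-Z, a-z and 0-9 counts as non-alphanumeric; the function names and the sample passwords are the example's own.

```python
"""Password policy check for the WatchGuard SSL Super Administrator password.

Added example; this is not WatchGuard code. It implements the rules the guide
lists for 'Enable password policy': at least six characters, and characters
from at least three of four categories (A-Z, a-z, 0-9, non-alphanumeric).
Assumption: any character outside A-Z, a-z and 0-9 counts as non-alphanumeric.
"""
import string

MIN_LENGTH = 6        # from the guide
MIN_CATEGORIES = 3    # from the guide

# The three explicitly enumerated categories; everything else is the fourth.
CATEGORY_MEMBERS = {
    "uppercase": frozenset(string.ascii_uppercase),
    "lowercase": frozenset(string.ascii_lowercase),
    "digit": frozenset(string.digits),
}
ALL_CATEGORIES = frozenset(CATEGORY_MEMBERS) | {"non-alphanumeric"}


def categories_present(password: str) -> set:
    """Return the names of the categories that occur in the password."""
    present = set()
    for ch in password:
        for name, members in CATEGORY_MEMBERS.items():
            if ch in members:
                present.add(name)
                break
        else:
            # Not A-Z, a-z or 0-9: counts as non-alphanumeric (assumption,
            # consistent with the guide's examples !, $, # and %).
            present.add("non-alphanumeric")
    return present


def check_policy(password: str):
    """Return (passes, reasons); reasons is empty when the password passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    found = categories_present(password)
    if len(found) < MIN_CATEGORIES:
        missing = ", ".join(sorted(ALL_CATEGORIES - found))
        reasons.append(
            f"only {len(found)} of {MIN_CATEGORIES} required categories "
            f"(missing: {missing})"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample inputs: one that passes, two that fail.
    for candidate in ("Abc12!", "abc123", "Ab1"):
        passes, reasons = check_policy(candidate)
        verdict = "OK" if passes else "rejected: " + "; ".join(reasons)
        print(f"{candidate!r}: {verdict}")
```

Run it before you type a new password into the Web UI, or wire it into whatever generates administrator credentials for you; the reasons list tells you which rule a rejected candidate missed.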
Search for User Sessions

By default, the User Sessions page shows a list of all active user sessions. You can use the search fields at the top of the page to search for a session by User ID and authentication method.
On the User Sessions page:
1. In the Search by User ID text box, type a user name. To see all users, type only the * wildcard character. To search for partial user names, combine the * wildcard character with the other characters. For example, type Wil* or *am to find the user name William.
2. From the adjacent drop-down list, select an authentication method. Select All to include all authentication methods in your search.
3. Click Search. The user names that match your search parameters appear in the User Sessions list.
The User Sessions list shows summary information for each active session:
Session ID
The unique ID number assigned to the user session.
User ID
The user name assigned to the user in the directory service.
Authentication Method
The authentication method used to log in.
IP Address
The client and virtual IP addresses of the client computer.
Life Time
The number of minutes the user session has been active.

View a User Session

In the search results list:
1. Click a Session ID to see details about that user session. The View User Session page appears, with this information for the session:
Session ID
The unique ID number assigned to the user session.
User ID
The user name assigned to the user in the directory service.
Display Name
The display name assigned to the user.
Authentication Method
The authentication method used to log in to the Application Portal.
IP Address
The client and virtual IP addresses of the client computer.
Login time
The date and time the user session began.
Life Time
The number of minutes the user session has been active.
Last Access
The date and time of the last user session for this user.
Time to session timeout
The number of minutes until the user session timeout limit is reached.
2. Click Previous to return to the User Sessions page.

End a User Session

You can stop or close an active user session at any time.
On the User Sessions page:
1. Select the Delete check box for each user session you want to end.
2. At the bottom of the Delete column, click Delete.
Note
The selected user sessions are stopped, but the user accounts are not deleted. The users can log on to the Application Portal again.

Manage Search and Display Settings

By default, the User Sessions search results include a maximum of 200 results, and show 20 results per page.
To change these settings:
1. Select Monitor System > User Sessions. The User Sessions page appears.
2. Click Manage Search and Display Settings. The Manage User Sessions Settings page appears.
3. In the Search Limit text box, type the maximum number of user sessions to appear in the User Sessions search results.
4. In the Results Per Page text box, type the number of user sessions to appear on each page of the User Sessions search results.
5. Click Save. The User Settings page appears.

About Alerts

Alerts are messages the system sends to notify administrators when specified events occur. Alert events include lost and restored connections between services, lost and restored connections to the local user database, or user account activity. You can configure alerts to be sent by email or as an SMS message.
Alert messages contain information specific to the event. For example, you can configure an alert to be sent if the Administration service cannot communicate with the local user database. The alert message is sent to the selected recipients through the method you specify.

Manage Alerts

You can add, edit, and delete alerts from the Manage Alerts page.
1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. Configure alerts:
Add an Alert
Edit and Delete Alerts
Manage Global Alert Settings

Predefined Alert Event Types

You can use these predefined alert events to configure Registered Alerts:
User Accounts
Resource Host
Services
Local User Database
Authentication Servers
For more information about alert event types, see About Alert Event Types.

Add an Alert

When you configure an alert, you must select which types of events trigger the alert, configure which notification methods to use for the alert notification messages, and configure the recipients of those notifications.
You can send an alert as an email message, an SMS message, or both. You must configure the email and SMS notification channels before you can use them in an alert. For more information about notification channel configuration, see About Notification Settings.
You can configure alert notification messages to be sent to delegated administrative roles, or directly to email addresses or cell phone numbers that you specify. When you send an alert message to a delegated role, the alert message is sent to the email or SMS address of each administrator assigned to that role. For information about delegated roles, see About Delegated Management.
To add an alert:
1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. Click Add Alert. The Add Alert page appears.
3. In the Display Name text box, type a name for the alert.
4. In the Description text box, type the description that you want to appear with the alert in the Registered Alerts list.
5. Make sure the Enable Alert check box is selected.
6. In the Notification section, select the check box for each notification method for this alert. You can select Email, SMS, or both.
7. Click Next. The Add Alert Events Types page appears.
8. Select the check box for each alert event type you want to trigger this alert. For more information about the alert event types, see About Alert Event Types.
9. Click Next. The Alert Notification Recipients page appears.
10. To send the alert message to a set of people for which you have defined a delegated role, select the role in the Available Roles list. To select more than one role to receive this alert, hold down the Ctrl key while you select each role name.
11. Click Add. The selected roles appear in the Selected Roles list.
12. If you selected Email as a notification channel in Step 6, you can send the alert to a specific email address. Click Add Email address. Type the email address and click Next. The email address appears in the Registered Email Addresses list.
13. If you selected SMS as a notification channel in Step 6, you can send the alert as an SMS message to a specific cell phone number. Click Add Cell Phone Number. Type the cell phone number and click Next. The cell phone number appears in the Registered Cell Phone Numbers list.
14. After you add all recipients for this alert, click Finish Wizard. The Manage Alerts page appears. The alert you added appears in the list of registered alerts.
About Alert Event Types

When you define an alert, you can select from these pre-defined alert event types:

User Accounts Event Types
Locked for Access
Access is locked for a user.
Unlocked for Access
The administrator unlocks access for a user.
Locked for Authentication
Authentication is locked for a user.
Unlocked for Authentication
The administrator unlocks authentication for a user.
Time-lock Locked
A time-lock is activated for a user.
Time-lock Unlocked
The administrator disables a time-lock for a user.

Resource Host Event Types
Lost Connection
The connection to a resource host is unavailable.
Restored Connection
The connection to a resource host is restored.

Services Event Types
Lost Connection
The connection to a service is unavailable.
Restored Connection
The connection to a service is restored.

Local User Database Event Types
Lost Connection
The connection to the local user database is unavailable.
Restored Connection
The connection to the local user database is restored.

Authentication Service Event Types
Lost Connection
The connection to the authentication method service is unavailable.
Restored Connection
The connection to the authentication method service is restored.

Edit and Delete Alerts

The Registered Alerts list includes all the currently configured alerts. You can select an alert to review or change any of the settings, or delete an alert that you no longer want to use.

Review and Edit Registered Alerts
1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. Select a Display Name in the Registered Alerts list to see the details of that alert. The Edit Alerts page appears.
3. On the General Settings tab, you can change the Display Name, Description, and Notification channel.
4. On the Alert Events tab, you can edit the types of alert events to include in this alert.
5. On the Alert Receivers tab, you can change who receives notifications from this alert.
6. Click Save.

Delete Registered Alerts
1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. Select a Display Name in the Registered Alerts list to see the details of that alert. The Edit Alerts page appears.
3. Click Delete. The Delete Alert page appears.
4. Click Yes to delete the alert. The Manage Alerts page appears with a message that the alert was deleted.

Manage Global Alert Settings

You can customize the alert message sent for each alert event type.

Edit the Alert Messages
1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. Click Manage Global Alert Settings. The Manage Global Alert Settings page appears.
3. In the Subject text box, edit the subject line for all alert messages.
4. For each alert event type, you can edit the alert message. The default alert messages and a description of the variables used in the alert messages are described in the subsequent sections.
5. Click Save.
Note
If you use SMS as your notification channel for alerts, we recommend you keep the alert messages short. SMS messages are limited to 160 characters on most mobile networks.

Alert Message Variables

Alert messages use the variables {0} and {1}; the Time-lock Locked message also uses {2}.
{0} is replaced by the exact date and time of the event. The format of the date and time depends on the locale settings for your browser.
{1} is replaced by the specific event trigger. This can be a user account, a WatchGuard SSL service, or a resource.
{2} is replaced by the time until which the user is time-locked (it appears only in the Time-lock Locked message).
Example alert message:
{0}: User {1} has been locked for authentication.
When this alert is sent, the alert message substitutes the user name for the variable {1}:
2005-09-01 09:11:31: User Joe Smith has been locked for authentication.

Alert Message Defaults

User Accounts
Alert Event Type: Default alert message
Locked for Access: {0}: User {1} has been locked for access
Unlocked for Access: {0}: User {1} has been unlocked for access
Locked for Authentication: {0}: User {1} has been locked for authentication
Time-lock Locked: {0}: User {1} has been Time-lock locked until {2}
Time-lock Unlocked: {0}: User {1} has been Time-lock unlocked

Resource Host
Alert Event Type: Default alert message
Lost Connection: {0}: Lost connection to Resource Host {1}
Restored Connection: {0}: Restored connection to Resource Host {1}

Services
Alert Event Type: Default alert message
Lost Connection: {0}: Lost connection to {1}
Restored Connection: {0}: Restored connection to {1}

Local User Database
Alert Event Type: Default alert message
Lost Connection: {0}: Lost connection to Local User Database{1}
Restored Connection: {0}: Restored connection to Local User Database{1}

Authentication Method Servers
Alert Event Type: Default alert message
Lost Connection: {0}: Lost connection to Authentication Method Server used by Authentication Method {1}
Restored Connection: {0}: Restored connection to Authentication Method Server used by Authentication Method {1}

Manage Logging

You can configure logging settings, such as log level, log file rotation, and the types of information to include in the log messages for each registered service.
You can configure logging for two registered services:
accesspoint
This includes all services related to the operation of the Application Portal.
Administrator
This includes all the services related to administration of your device.

Edit Logging Settings
1. Select Monitor System > Logging. The Manage Logging page appears.
2. To edit the logging settings for a registered service, click the Display Name. The Edit Logging Settings page for the service appears, with a separate tab for each log type.
3. Select a tab to configure the settings for each type of log. The available configuration settings on each tab include Log Level Filter, Log File Rotation, Debug Logs, and Syslog. Debug logs and syslog settings are only available after you enable them on the Manage Global Logging Settings page. For more information about these settings, see the subsequent sections. For more information about global logging settings, see Manage Global Logging Settings.
4. For the accesspoint service, on the Audit Log and HTTP Log tabs, select the check box for each Log File Information type to include in each log file.
5. Click Save.
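The following is an added example, not WatchGuard code, for the alert message templates and SMS note under Manage Global Alert Settings above. It fills the default templates with the {0}, {1} and {2} variables the way the alert service does, then reports how much room each template leaves for the trigger before a message exceeds the 160-character SMS limit. The one assumption beyond the guide is the date format for {0} (YYYY-MM-DD HH:MM:SS, as in the guide's own example; on the device it follows the browser locale); the function names and the sample trigger values are the example's own.

```python
"""Render the default WatchGuard SSL alert messages and check SMS length.

Added example; this is not WatchGuard code. The templates are the defaults
quoted in the guide. Assumption: {0} is formatted as YYYY-MM-DD HH:MM:SS
(the guide's example format; the real format follows the browser locale).
"""
from datetime import datetime

SMS_MAX_CHARS = 160                 # limit quoted in the guide's note
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumption, see module docstring
EXAMPLE_TIME = datetime(2005, 9, 1, 9, 11, 31)   # constructed sample time

# (category, event type) -> default template. {0} = date/time of the event,
# {1} = trigger (user, service or resource), {2} = time-lock expiry
# (used only by Time-lock Locked).
DEFAULT_MESSAGES = {
    ("User Accounts", "Locked for Access"): "{0}: User {1} has been locked for access",
    ("User Accounts", "Unlocked for Access"): "{0}: User {1} has been unlocked for access",
    ("User Accounts", "Locked for Authentication"): "{0}: User {1} has been locked for authentication",
    ("User Accounts", "Time-lock Locked"): "{0}: User {1} has been Time-lock locked until {2}",
    ("User Accounts", "Time-lock Unlocked"): "{0}: User {1} has been Time-lock unlocked",
    ("Resource Host", "Lost Connection"): "{0}: Lost connection to Resource Host {1}",
    ("Resource Host", "Restored Connection"): "{0}: Restored connection to Resource Host {1}",
    ("Services", "Lost Connection"): "{0}: Lost connection to {1}",
    ("Services", "Restored Connection"): "{0}: Restored connection to {1}",
    ("Local User Database", "Lost Connection"): "{0}: Lost connection to Local User Database{1}",
    ("Local User Database", "Restored Connection"): "{0}: Restored connection to Local User Database{1}",
    ("Authentication Method Servers", "Lost Connection"):
        "{0}: Lost connection to Authentication Method Server used by Authentication Method {1}",
    ("Authentication Method Servers", "Restored Connection"):
        "{0}: Restored connection to Authentication Method Server used by Authentication Method {1}",
}


def render_alert(category, event, when, trigger, until=""):
    """Substitute {0}, {1} and {2} into the default template for an event."""
    template = DEFAULT_MESSAGES[(category, event)]
    # Positional str.format maps {0}/{1}/{2} exactly like the templates;
    # extra arguments are ignored by templates that do not use {2}.
    return template.format(when.strftime(TIME_FORMAT), trigger, until)


def fits_in_sms(message):
    """True if the rendered message fits a single 160-character SMS."""
    return len(message) <= SMS_MAX_CHARS


def sms_headroom(category, event, when):
    """Characters left for the trigger {1} before the SMS limit is exceeded.

    Negative means the template alone (with an empty trigger) is too long.
    """
    return SMS_MAX_CHARS - len(render_alert(category, event, when, "", ""))


def overlong_templates(when, trigger_len):
    """Event types whose message would not fit an SMS for a trigger of the
    given length; shorten these templates on the Manage Global Alert
    Settings page before enabling SMS for them."""
    return sorted(key for key in DEFAULT_MESSAGES
                  if sms_headroom(key[0], key[1], when) < trigger_len)


if __name__ == "__main__":
    print(render_alert("User Accounts", "Locked for Authentication",
                       EXAMPLE_TIME, "Joe Smith"))
    for key in DEFAULT_MESSAGES:
        print(f"{key[0]} / {key[1]}: {sms_headroom(key[0], key[1], EXAMPLE_TIME)} chars for {{1}}")
```

The Authentication Method Servers templates are the tightest: with the assumed timestamp they leave 61 characters for the method name, so a long display name pushes the SMS over the limit and the message is split or truncated by the carrier.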
Set the Log Level Filter

For each service, you can configure a log level for each type of log file. Use the Log Level Filter controls to ignore log messages that do not meet the severity you specify. In the Log Level Filter drop-down list, select a log level filter. Available log level filters include:

Off
    Disables logging for that service.
Fatal
    Logs only fatal messages.
Warning
    Logs only fatal and warning messages.
Info
    Logs all levels of messages. This is the default setting.

Configure Log File Rotation

For each service, you can configure log file rotation for each type of log file. In the Log File Rotation section, select the radio button for the rotation schedule you want. Options include:

Create a new log file every day
    The service creates a new log file every day.
Disable log file rotation. Save all log messages in the same file
    The service logs all messages to the same file.
Rotate log files based on size
    The service creates a new log file when the current file reaches the Max File Size you type. In the Max Files in Rotation field, select the maximum number of concurrent log files. When that maximum is reached, the system removes the oldest log file and creates a new log file.

When the oldest log file is removed, the entries it contained are no longer available on the device. If you need to keep a longer audit trail than the rotation settings allow, also send the log messages to a remote syslog server (see Enable Logging to a Remote Syslog Server).

Debug Logs

If you enabled debug logs on the Manage Global Logging Settings page, you can specify the IP address for the HTTP traffic you want to include in the Diagnostics File.

Client IP Address
    Type the IP address of the client whose HTTP traffic to include.
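The following is an added example, not code from this guide or from the WatchGuard SSL device software. It is a small Python log sink that applies the two settings described above, a Log Level Filter (Off, Fatal, Warning, Info) and size-based rotation with a Max Files in Rotation limit, and then writes a constructed stream of entries so you can see what survives on disk. The file naming (name.log, name.log.1, and so on), the rotate-before-write check, and the sample entries are assumptions of the example; the appliance's actual on-disk layout is not described on this page.

```python
import tempfile
from pathlib import Path

# Severity ranks: a filter level admits every severity at or below its rank,
# so "Warning" keeps FATAL and WARNING but drops INFO, and "Off" drops everything.
SEVERITY = {"FATAL": 1, "WARNING": 2, "INFO": 3}
LEVEL_FILTER = {"Off": 0, "Fatal": 1, "Warning": 2, "Info": 3}


class RotatingLog:
    """Size-based rotation as the guide describes it: a new file is started when
    the current one would exceed max_file_size, and when max_files already exist
    the oldest is removed. File naming (name.log, name.log.1, ...) is an
    assumption of this example, not the appliance's documented layout."""

    def __init__(self, directory, name, level_filter="Info",
                 max_file_size=4096, max_files=5):
        if max_files < 1:
            raise ValueError("Max Files in Rotation must be at least 1")
        self.current = Path(directory) / f"{name}.log"
        self.threshold = LEVEL_FILTER[level_filter]
        self.max_file_size = max_file_size
        self.max_files = max_files

    def _path(self, index):
        # index 0 is the live file; older generations get a numeric suffix
        if index == 0:
            return self.current
        return self.current.with_name(f"{self.current.name}.{index}")

    def _rotate(self):
        oldest = self._path(self.max_files - 1)
        if self.max_files > 1 and oldest.exists():
            oldest.unlink()                      # oldest generation is discarded
        for i in range(self.max_files - 2, 0, -1):
            if self._path(i).exists():
                self._path(i).rename(self._path(i + 1))
        if self.max_files > 1:
            self.current.rename(self._path(1))
        else:
            self.current.unlink()                # only one file allowed: start over

    def write(self, severity, message):
        """Append one entry; returns False when the Log Level Filter drops it."""
        if SEVERITY[severity] > self.threshold:
            return False
        line = f"{severity} {message}\n"
        if (self.current.exists()
                and self.current.stat().st_size + len(line) > self.max_file_size):
            self._rotate()
        with self.current.open("a", encoding="utf-8") as fh:
            fh.write(line)
        return True

    def files(self):
        return sorted(p.name for p in self.current.parent.glob(f"{self.current.name}*"))


def demo(level_filter="Warning", max_file_size=64, max_files=3):
    """Write 40 constructed entries (INFO/WARNING/FATAL in turn) into a fresh
    temporary directory and report how many were kept, how many files exist
    afterwards, and whether the earliest kept entry is still on disk."""
    log = RotatingLog(tempfile.mkdtemp(), "audit", level_filter, max_file_size, max_files)
    written = 0
    for i in range(40):
        severity = ("INFO", "WARNING", "FATAL")[i % 3]
        if log.write(severity, f"event {i:02d} user=alice"):   # constructed sample entry
            written += 1
    surviving_text = "".join((log.current.parent / f).read_text(encoding="utf-8")
                             for f in log.files())
    return {
        "written": written,
        "files": len(log.files()),
        "oldest_survives": "event 01" in surviving_text,
    }


if __name__ == "__main__":
    print(demo())                                    # three files; earliest entries gone
    print(demo(level_filter="Info", max_files=100))  # nothing discarded
```

With the default arguments the Warning filter drops every INFO entry, the 64-byte limit holds two entries per file, and only the three newest files remain, so the first kept entry is already gone; the same retention arithmetic (Max File Size times Max Files in Rotation) bounds what the device keeps.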
Log File Information

These settings are only available for the accesspoint service. On the Audit Log and HTTP Log tabs, select the check box for each type of information you want to include in your log file. The available options are different for each type of log file.

Syslog

To configure syslog settings, you must first enable syslog on the Manage Global Logging Settings page. In the Log Level Filter drop-down list, select a log level filter for logging to a remote syslog server. Available log level filters include:

Off
    Disables syslog logging for that service.
Fatal
    Logs only fatal messages.
Warning
    Logs only fatal and warning messages.
Info
    Logs all levels of messages. This is the default setting.

If you set the syslog log level filter to Fatal, Warning, or Info, make sure that you configure the syslog server IP address on the Manage Global Logging Settings page. For more information, see Manage Global Logging Settings.

Manage Global Logging Settings

Global logging settings apply to all log files created by all services. To manage global logging settings:

1. Select Monitor System > Logging.
2. Click Manage Global Logging Settings. The Manage Global Logging Settings page appears.
3. In the Time Zone section, you can change the time zone used in log file messages. You can select Local Time or GMT. The default setting is Local Time.
4. In the Log collection interval text box, type the number of seconds between collections of log messages. The log collection interval controls how often the Administration service collects log messages from the other services. The default setting is 5 seconds.
5. Click Save.

Note: Alerts and reports both depend on log collection. If you set the log collection interval too high, you reduce your ability to see real-time report data, and you delay the delivery of alerts.

Enable Debug Logging

To troubleshoot a problem with your WatchGuard SSL device, you can enable an additional level of logging. Select the Enable debug logging check box to enable debug logging. When you enable debug logging, several debug log files are created for the accesspoint service:

    Raw External log file
    Raw Internal log file
    Raw Proxy Interchange log file
    Hyper Links log file
    Form Based log file

For the Administrator service, an additional debug log file is created.

You cannot see the debug log files in the WatchGuard SSL Web UI. To see the debug log files, you must download the diagnostics zip file that contains all log files. For information about the diagnostics file, see About the Diagnostics File.

Enable Logging to a Remote Syslog Server

You can also send log messages to a remote syslog server. When you enable syslog, the syslog messages from each service are sent to the syslog server at the IP address you specify. To enable syslog logging:

1. From the Manage Global Logging Settings page, select the Enable Syslog check box.
2. In the Log Facility text box, type the IP address of your syslog server.
3. Click Save.

For information about how to set the syslog log level for each type of log file, see Manage Logging.

Use Log Viewer

You can use Log Viewer to see log messages from the configured services. You can specify search criteria to filter the results. The Log Viewer System Log only includes the severity levels INFO, WARNING, and FATAL. To search for log events:

1. Select Monitor System > Log Viewer. The Log Viewer page appears.
2. From the Log Type drop-down list, select the type of log message to include in the search:
    System log      Log messages for events related to system services
    Audit log       Log messages for user and administrator session activity
    RADIUS log      Log messages for RADIUS server requests
    HTTP log        Log messages for HTTP server requests
    Billing log     Log messages for events related to billing
3. From the Services list, select one or more services to include in the search:
    All services    All services on the device
    accesspoint     Only services related to the operation of the Application Portal
    Administrator   Only services related to administration of your device
4. In the Search Criteria text box, type the criteria to use to filter the log messages. By default, the search finds all log entries that contain all the words in the search criteria, anywhere in the log entry. For more information about Search Criteria, see the subsequent section.
5. In the Time Range section, select the time range to include in the search. To search recent log events, select Last and specify the number of hours or days. To search for log events in a date range, select From, and in the From and To text boxes type the start and end dates.
6. Click View Log. The search runs and looks for log messages that meet your criteria. The search results appear in a separate browser window.

Note: If you search the log files of a large number of services, the search can take a long time to complete.

About Log Viewer Search Criteria

You can use Search Criteria to trace specific log events, such as user activity, through your services. Searches are not case sensitive, and search criteria can include multiple text strings.

Exact Match

To find log entries that contain an exact match, type quotation marks before and after the text, exactly as it must appear in the log entry. For example:

    "server start"

Search results include all log entries that contain the exact phrase "server start".

    " info "

When you include spaces between the quotation marks and the text, the search results include all log entries with a space before and after the text "info".

Find log events that contain all the search terms (AND)

To find all log entries that contain several search terms, type and between the terms in the search criteria. For example:

    warning and authentication

Search results include all log entries that contain both the words warning and authentication.

Find log events that contain any of the search terms (OR)

To find all log entries that contain any of the search terms, type or between the terms in the search criteria. The OR keyword takes precedence over the AND keyword, so terms joined by or are grouped first and the and is applied to the group. For example:

    fatal or warning

Search results include all log entries that contain the severity level FATAL or WARNING.

    fatal or warning and sql

Search results include log entries with the severity level FATAL or WARNING that also include the text "sql".

Exclude terms from the search results (-)

To exclude terms from a search, type a minus sign (-) directly before the term to exclude. For example:

    -info

Search results include all log entries that do not contain the text "info", that is, all severity levels except INFO.

    fatal or warning -sql

Search results include all log entries with the FATAL or WARNING severity level, except entries that include the text "sql".

    fatal or warning -lcp -"tc5 system"

Search results include all log entries with the severity level FATAL or WARNING, but not entries that include the text "lcp" or the exact phrase "tc5 system".

Use wildcards

To search for part of a term, you can use the wildcard characters * and ?. Type * in the place of any number of characters, and ? in the place of exactly one character. For example:

    load*

Search results include all log entries with the text "load" followed by any other characters, such as "loaded" or "loading".

    loade?

Search results include all log entries with the text "loade" followed by exactly one other character, such as "loaded" or "loader".
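As an added example that is not part of this guide or of the device's Log Viewer, the following Python code implements the search-criteria rules listed above (case-insensitive matching anywhere in the entry, quoted exact phrases with their spaces preserved, implicit and explicit and, or grouped before and, minus-sign exclusions, and the * and ? wildcards) and runs the guide's example queries over a few constructed System Log lines. The log line format, the choice to expand wildcards only in unquoted terms, and the treatment of a bare word as a substring match are assumptions of the example, not documented behaviour of the appliance.

```python
import re

# One token is either an optionally negated "quoted phrase" or a run of non-spaces.
_TOKEN = re.compile(r'-?"[^"]*"|\S+')

# Constructed sample System Log entries (not taken from a real device).
SAMPLE_LOG = [
    "2012-06-21 10:00:01 INFO accesspoint server start completed",
    "2012-06-21 10:00:05 WARNING accesspoint authentication failed for user bob",
    "2012-06-21 10:00:09 FATAL Administrator sql connection lost",
    "2012-06-21 10:00:12 WARNING accesspoint lcp negotiation timed out",
    "2012-06-21 10:00:15 WARNING accesspoint tc5 system check skipped",
    "2012-06-21 10:00:20 INFO accesspoint loading resource definitions",
    "2012-06-21 10:00:30 FATAL accesspoint loader failed: sql timeout",
]


def compile_term(token):
    """Turn one search term into (negated, regex).

    A leading '-' negates the term. A "quoted phrase" is matched literally,
    spaces included, so '" info "' only matches ' info ' with spaces around it.
    In an unquoted term, '*' stands for any run of characters and '?' for
    exactly one (assumption: wildcards are not expanded inside quotes)."""
    negated = token.startswith("-")
    if negated:
        token = token[1:]
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        pattern = re.escape(token[1:-1])
    else:
        pattern = "".join(
            ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in token
        )
    return negated, re.compile(pattern, re.IGNORECASE)


def parse_criteria(criteria):
    """Parse criteria into a list of OR-groups that are AND-ed together.

    'or' joins a term to the previous group; whitespace or 'and' starts a new
    group. Because or-joined terms are grouped first, 'fatal or warning and sql'
    becomes [[fatal, warning], [sql]], i.e. (fatal OR warning) AND sql."""
    groups = []
    join_previous = False
    for token in _TOKEN.findall(criteria):
        word = token.lower()
        if word == "and":
            join_previous = False
            continue
        if word == "or":
            join_previous = bool(groups)
            continue
        term = compile_term(token)
        if join_previous:
            groups[-1].append(term)
        else:
            groups.append([term])
        join_previous = False
    return groups


def entry_matches(groups, entry):
    """Every group must be satisfied; a group is satisfied by any one term."""
    def term_ok(term):
        negated, regex = term
        return bool(regex.search(entry)) != negated
    return all(any(term_ok(t) for t in group) for group in groups)


def search(entries, criteria):
    """Return the indexes of entries that satisfy the criteria (all when empty)."""
    groups = parse_criteria(criteria)
    return [i for i, entry in enumerate(entries) if entry_matches(groups, entry)]


if __name__ == "__main__":
    for query in ['"server start"', '" info "', "warning and authentication",
                  "fatal or warning", "fatal or warning and sql", "-info",
                  "fatal or warning -sql", 'fatal or warning -lcp -"tc5 system"',
                  "load*", "loade?"]:
        print(f"{query:40} -> {search(SAMPLE_LOG, query)}")
```

Because a bare word already matches anywhere in the entry, load alone finds loading and loader just as load* does; the wildcards are useful when you want to constrain what follows, as loade? does. Note also that -info excludes any entry containing that text, not only the INFO severity field.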
About Reports

To see the information in your log files, you can generate reports. Reports can include the current status of the device or service, or you can select a time range. Report information is also stored in a database for later use. After you generate a report, you can save it as a PDF or text file so you can examine the data with third-party programs at another time.

Available Reports

You can generate any of these reports, or select Complete Report to generate all of the reports at the same time.

Abolishment Report
    Contains information about abolishment attempts over a selected time range.
Assessment Report
    Contains information about assessment attempts over a selected time range.
Session Trend Report
    Contains information about the number of concurrent sessions over a selected time range.
Session Trend Real-Time Report
    Contains information about the number of past and online sessions in real time over a selected time range.
Access Report
    Contains information about access requests over a selected time range.
Authentication Report
    Contains information about failed and successful authentication attempts over a selected time range.
Authorization Report
    Contains information about failed and successful authorization attempts over a selected time range.
Account Statistics Report
    Contains information about the number of users per resource host over a selected time range.
Communication Report
    Contains information about lost connections over a selected time range.
User Policy Analysis Report
    Contains information about the resources accessible to each user based on the user's access policies.
User Audit Report
    Provides an audit trail that contains information on when a user logged in and logged out, and what resources the user accessed during the session.
Performance Report
    Contains information about system performance over a selected time range.
Tunnel Report
    Contains information about tunnel transfer rate over a selected time range.
System Report
    Contains information about connections and system resource usage over a selected time period.
Alerts Report
    Contains information about alerts triggered over a selected time range.
Complete Report
    Contains information from all the reports.

Generate a Report

1. Select Monitor System > Reports. The Manage Reports page appears.
2. In the Generate Report column, click the name of the report you want to generate. The Generate Report page for the report you selected appears. The Time Range tab is selected by default.
3. Select the time range for the report.
4. Select the Filter tab. A list of filters for the selected report appears.
5. In the Select Filter column, click a filter to change the Current Filter settings. The default setting for all filters is All.
6. Select the Graphics tab. The Graphics tab contains a list of charts you can generate.
7. Select the check box adjacent to each chart type to include in the report.
8. For each chart you select, in the adjacent drop-down list, select the chart style.
9. Click Generate Report. The View Report page appears for the current report. Each chart type appears on a separate tab.
10. Select a tab to see each available chart.
11. To refresh the report data, click Refresh Charts.

Save a Report

To save a copy of a report to a local file:

1. Generate a report. The View Report page for the selected report type appears.
2. Click Save Report.
3. Select whether to save the report as a PDF file, data file, or image file. The PDF contains all pages of the report. Data files are stored as plain text, one text file per report tab. Image files are stored as PNG files, one file per chart.
4. Click Download. A file is generated. If you selected more than one file type, the files are packaged in a ZIP file.
5. Click the file name to download the file.
Abolishment Report

The Abolishment Report contains information about abolishment attempts over a time range you select. You can set filters and select chart types to customize the report.

Filters
    Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters include:
        User ID
        Client
        Client IP

Graphics
    Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
        Failed Attempts over Time
        Succeeded Attempts by User
        Succeeded Attempts over Time
    You can also select the style of each chart. The default style for these charts is Bar.

For more information about how to generate a report, see About Reports.

Assessment Report

The Assessment Report contains information about assessment attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
    Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters include:
        Assessment Rule
        User ID
        Client
        Client IP

Graphics
    Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
        Failed assessment attempts over time
        Failed assessment attempts by reason
        Failed assessment attempts by user
        Succeeded assessment attempts over time
    You can also select the style of each chart. The default style for these charts is Bar.

For more information about how to generate a report, see About Reports.

Session Trend Report

The Session Trend Report contains information about sessions over a selected time range. You can set filters and select chart types to customize the report.

Filters
    Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters include:
        Authentication Method
        User ID

Graphics
    Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
        Maximum concurrent sessions over time
        Ongoing sessions by user
        Average session duration over time
        Ended sessions by type

For more information about how to generate a report, see About Reports.

Session Trend Real-Time Report

The Session Trend Real-Time Report contains information about past and online sessions, in real time, over a selected time range. You can set filters and select chart types to customize the report.

Filters
    Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters include:
        Authentication Method
        User ID

Graphics
    Select the Graphics tab to choose the type of chart for the report data. This report includes one chart type:
        Past and on-line sessions

For more information about how to generate a report, see About Reports.
Access Report

The Access Report contains information about access requests over a selected time range. You can set filters and select chart types to customize the report.

Filters
    Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters include:
        Web Resource Host
        User ID
        Client
        Client IP
        Tunnel Resource
        Tunnel Protocol
        Tunnel IP
        Tunnel Port

Graphics
    Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
        Access Requests over Time
        Access Requests by User
        Access Requests by Web Resource Host
        Access Requests by Tunnel Resource Host

For more information about how to generate a report, see About Reports.

Authentication Report

The Authentication Report contains information about failed and successful authentication attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
    Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters include:
        Authentication Method
        User ID
        Client
        Client IP

Graphics
    Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
        Failed Attempts over Time
        Failed Attempts by Reason
        Failed Attempts by User
        Authentication method usage
        Average Attempts by Hour
        Succeeded Attempts over Time
    You can also select the style of each chart. The default style for these charts is Bar.

For more information about how to generate a report, see About Reports.

Authorization Report

The Authorization Report contains information about failed and successful authorization attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
    Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters include:
        Client IP
        Client
        Web Resource Host
        User ID
        Tunnel Resource
        Tunnel Protocol
        Tunnel IP
        Tunnel Port

Graphics
    Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
        Failed Attempts over Time
        Failed Attempts by Reason
        Failed Attempts by User
        Average Attempts by Hour
        Succeeded Attempts over Time
    You can also select the style of each chart. The default style for these charts is Bar.

For more information about how to generate a report, see About Reports.
Account Statistics Report

The Account Statistics Report contains information about the number of users per resource host over a selected time range. You can set filters and select chart types to customize the report.

Filters
    Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters include:
        User ID
        Web Resource Host
        Tunnel Resource
        Tunnel Protocol
        Tunnel IP
        Tunnel Port

Graphics
    Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
        Users by Web Resource Host
        Users by Tunnel Resource Host
    You can also select the style of each chart. The default style for these charts is Pie.

For more information about how to generate a report, see About Reports.

User Policy Analysis Report

The User Policy Analysis Report contains information about the resources accessible to each user based on the user's access policies. The available report fields include:

User
    The user name.
Accessible Resources
    A list of the resources to which this user has access, based on the user's access policy.

For more information about how to generate a report, see About Reports.

User Audit Report

The User Audit Report provides an audit trail that contains information on when a user logged in and logged out, and what resources the user accessed during the session. The available report fields include:

User
    The user name.
Login
    The date and time when the user logged in.
Logout
    The date and time when the user logged out.
Authentication
    The type of authentication used to authenticate the user.
Resources Used
    The resources the user accessed during the user's session.

For more information about how to generate a report, see About Reports.

Communication Report

The Communication Report contains information about lost connections over a selected time range. You can change the chart style to customize the report.

Filters
    There are no filters for this report.

Graphics
    Select the Graphics tab to choose the type of chart for the report data. For this report you can select one chart type:
        Lost Connections over time
    You can also select the style of this chart. By default, the style for this chart is Bar.

For more information about how to generate a report, see About Reports.

Performance Report

The Performance Report contains information about system performance over a selected time range. You can set filters and select chart types to customize the report.

Filters
    Select the Filter tab to modify the filter for the report. By default, this filter is set to All. For this report, you can select one filter:
        Web Resource Host

Graphics
    Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
        Average request rate over time
        Average response time by web resource host
        Transfer rate device to web resource host
        Transfer rate web resource host to device
        Failed responses over time

For more information about how to generate a report, see About Reports.
Tunnel Report

The Tunnel Report contains information about tunnel transfer rate over a selected time range. You can set filters and select chart types to customize the report.

Filters
    Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters include:
        Tunnel Resource
        Tunnel Protocol
        Tunnel IP
        Tunnel Port

Graphics
    Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
        Transfer rate client to tunnel resource host
        Transfer rate tunnel resource host to client
    You can also select the style of each chart. The default style for these charts is Line.

For more information about how to generate a report, see About Reports.

Alerts Report

The Alerts Report contains information about alerts triggered over a selected time range. You can select the chart style to customize the report.

Filters
    There are no filters for this report.

Graphics
    Select the Graphics tab to choose the type of chart for the report data. This report includes one chart type:
        Alerts by Type
    You can also select the style of this chart. The default style for this chart is Pie.

For more information about how to generate a report, see About Reports.

System Report

The System Report contains information about connections and system resource use over a selected time period. You can select chart types and styles to customize the report.

Filters
    There are no filters for this report.

Graphics
    Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
        Maximum Client and Server Connections over Time
        Maximum SSL Sessions over Time
        Available Memory by WatchGuard Service
        Available Disk Space by WatchGuard Service
    You can also select the style of each chart. The default style for these charts is Line.

For more information about how to generate a report, see About Reports.

Complete Report

The Complete Report contains statistics from all available report types. You can set filters and select chart types to customize the report.

Filters
    Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters include:
        User ID
        Client
        Client IP
        Web Resource Host
        Tunnel Resource
        Tunnel Protocol
        Tunnel IP
        Tunnel Port
        Assessment Rule
        Authentication Method

Graphics
    You can select one or more of the chart types. The Complete Report includes the chart types available in all of the other reports. By default, all chart types are selected.

For more information about how to generate a report, see About Reports.
Manage Report Database Settings

All of the information used to generate reports is stored in a database. You can select whether to store the information for your reports, and for how long. To change the report database settings:

1. Select Monitor System > Reports. The Manage Reports page appears.
2. Click Manage Report Database Settings. The Manage Report Database Settings page appears.
3. Select the Store report information check box to store report information in the database. This is enabled by default. If you do not want to store data for reports, clear this check box.
4. Select the Delete events older than check box.
5. In the days text box, type a number of days. When you save and publish your changes, data older than the specified number of days is deleted from the report database. The User Audit Report is built from this database, so choose a retention period that covers how far back you need to be able to trace user activity.
6. Click Save.
7. Click Publish to apply your configuration changes.

About the Diagnostics File

To get all of your log files at one time, you can create a Diagnostics File. The Diagnostics File is a compressed (ZIP) file that includes all of the System, Audit, Billing, HTTP, and RADIUS debug logs, configuration files, and message log entries for all servers. WatchGuard technical support may ask you to generate this file to help troubleshoot your system and resolve issues with your configuration. To create a Diagnostics File:

1. Select Monitor System > Diagnostics File. The Diagnostics File page appears.
2. In the Time Range section, select a date range. To see the most recent data, select Last and specify the number of days. To see data for a particular period of time, select From and specify a date range.
3. Click Create Diagnostics File. The time it takes to create the file depends on the time range you selected. The Download Diagnostics File page appears, with a download link.
4. Click Download diagnostic-yyyymmdd-xxxx.zip to download the file. In the file name, yyyymmdd-xxxx represents the date and the number of each Diagnostics File you create. The browser download page appears.
5. Select whether to open the file or save it, and click OK.

We recommend that you enable debug logging for a period of time before you generate the Diagnostics File. When you enable debug logging, the Diagnostics File contains additional debug log files that can help WatchGuard technical support. For information about debug logging, see Manage Global Logging Settings. Because the Diagnostics File contains your configuration files and complete logs, treat the downloaded file as sensitive, share it only with WatchGuard technical support, and disable debug logging again once you no longer need it.

About the Feature Key

On the Feature Key page, you can see information about the current feature key and upload a new feature key. To see the content of your current feature key:

1. Select Monitor System > Feature Key. The Feature Key page appears.
2. Review the information for your current feature key.
3. To upload a new feature key, select Upload a new feature key and click Browse to select the file. To use the evaluation feature key, select Use the default feature key. When you select this option, only one authenticated user can connect to your SSL device at a time.

For information about how to get a feature key for your device, see Get a Feature Key. For information about how to upload the new feature key to the WatchGuard SSL device, see Upload a New Feature Key.

Feature key information

The Feature Key page includes this information:

Serial Number
    The unique serial number that identifies the feature key for this WatchGuard SSL device. If you use the default feature key, the device serial number does not appear in the feature key.
Version
    The installed software version.
Type
    The type of the feature key. The type can be Evaluation or Production.
Issued
    The date the feature key was issued by WatchGuard.
Issued To
    The name, company, and email address of the person to whom the feature key was issued.
Issued By
    The name, company, and email address of the organization that issued the feature key.
Effective Dates
    The start and end date of the period for which the feature key is valid.
Max Concurrent Users
    The maximum number of users allowed to use the system at the same time. The number of users currently logged in to the system appears in parentheses.
Max Named Users
    The maximum number of named users allowed to use the system. The current number of registered named users appears in parentheses.
Max WatchGuard Authentication Users
    The maximum number of named users who can use WatchGuard authentication methods. The current number of registered users who can use WatchGuard authentication methods appears in parentheses. If the wildcard character * is used, the number of such users is unlimited.
Max RADIUS Clients
    The maximum number of RADIUS clients allowed. If the wildcard character * is used, the number of RADIUS clients is unlimited.
Max Resources
    The maximum number of registered resources. If the wildcard character * is used, the number of resources is unlimited. The current number of registered resources appears in parentheses.
Max Authentication Methods
    The maximum number of authentication methods that you can configure.
LiveSecurity Effective Dates
    The start and end date of the period for which the LiveSecurity subscription is valid.
Upload a New Feature Key

A feature key is a file that enables licensed features on your WatchGuard SSL device. When you register your WatchGuard SSL device on the WatchGuard web site, you download a feature key file that enables all the licensed features. If you do not have your feature key, you can use the default feature key, which allows a maximum of one authenticated user.

Note: The default feature key is intended for evaluation purposes. The default feature key does not include LiveSecurity, so you cannot update the software or use the Live Update feature.

For more information about how to get a feature key for your device, see Get a Feature Key.

To upload a feature key file to the WatchGuard SSL device:

1. Select Monitor System > Feature Key. The Feature Key page appears.
2. Select Upload a new feature key. Upload New Feature Key appears at the bottom of the page.
3. Click Browse. Locate and select the feature key file.
4. Click Upload New Feature Key to replace the current feature key.

To use the default feature key:

1. Select Use the default feature key. Upload New Feature Key appears at the bottom of the page.
2. Click Upload New Feature Key to replace the current feature key with the default feature key.

Live Update

Your WatchGuard SSL device uses an End-Point Security definition file to support the client scans used for assessment access rules. By default, the device automatically updates the engine and definition file. On the Live Update page, you can check the status of the last update, change how often the engine and definition file are updated, and check for available updates to the engine and definition files.

Note: You must have a valid LiveSecurity subscription to get these updates.

Live Update settings are preconfigured to the recommended settings. WatchGuard recommends that you do not change these settings unless instructed to do so by WatchGuard Technical Support.
Configure Live Update Settings

1. Select Monitor System > Live Update. The Live Update page appears.
2. In the Live Update Server URL text box, type the URL for the Live Update Server. This is automatically set to the WatchGuard Live Update server. The device downloads engine and definition files from whatever server is configured here, so change this URL only if WatchGuard Technical Support instructs you to.
3. In the Max Connection Retries text box, specify the number of times the device tries to connect to the Live Update Server for each separate connection attempt. The default setting is 5 Times.
4. In the Definition Files Update Interval text box, specify how often the device checks for updates to the End-Point Security definition file. The default update interval is 20 Minutes.
5. In the Engine Files Update Interval text box, specify how often the device checks for updates to the engine file. The default engine update interval is 1 Month.
6. Select an option to update the engine and definition files. To automatically check for updates based on the configured update intervals, select Automatic Update. To disable automatic updates, select Manual Update.
7. If you selected Automatic Update, click Save and Start. If you selected Manual Update, click Save and Update. An update message appears at the top of the page. While the update is in progress, you can leave the Live Update page. The update continues to run in the background until it is finished. When you return to the page, an update status link appears.
8. To see details about the update status, click the update status link. An update status message appears at the top of the page.

Reboot after Engine Updates

After the WatchGuard SSL device downloads an engine update from the WatchGuard Live Update server, you must reboot the WatchGuard SSL device for the new engine to take effect. If a new engine update was downloaded by either the automatic or the manual process, the status message on the Live Update page notifies you that you must reboot the device for the engine update to take effect. You do not have to reboot the device for definition file updates to take effect.

Check for New Live Update Files

When an update to the definition and engine files is available, it is posted on the WatchGuard web site. The Live Update page includes information about the current definition and engine files on your device, but it does not include information about available updates to these files. To check for new versions of the engine and definition files:

1. Select Monitor System > Live Update. The Live Update page appears.
2. Click Check Version. The device contacts the WatchGuard web site for information about the latest available versions. Information about the available updates appears on the Live Update page.
4 User Management

You can use WatchGuard SSL Web UI to manage user accounts and user groups, and to configure the SSL device to use an External Directory Service. You can import user accounts from an external file, and create or repair a link to a user account in an existing authentication directory. If you use an External Directory Service, you can also enable Self Service, which allows your users to activate an account and find a forgotten password or user name.

1. Select User Management.
   The User Accounts page appears.
2. Select a left menu item to manage settings for your user accounts. For more information about these menu items, see the subsequent sections.

User accounts
    WatchGuard SSL user accounts are linked to user information already stored in your directory service. An External Directory Service link establishes a connection to your local user information.
Global User Account Settings
    Configure default global settings for authentication, timeouts, user linking, and to set up automatic user link repair.
Manage All user accounts
    See all of the current user accounts and user groups. You can also disable or delete an account.
Import User account
    Use this method to create user accounts instead of the Add User Account wizard. To create a number of user accounts simultaneously, you can import a file with user information. The file must be formatted correctly. User accounts are added as specified in the default settings you configure in the Global User Account Settings section. For more information about how to format a user import file, see Import User Accounts.
Create User Account by Linking
    To add user accounts with this method, you create a link to an External Directory Service. User accounts are added as specified in the default settings you configure in the Global User Account Settings section.
User groups
    WatchGuard SSL includes three types of user groups:
        User groups in your External Directory Service
        User location groups
        User property groups
    The main User Groups page includes a list of all current user groups. You can add a user group, or search the list to find a current group.
External Directory Service
    The External Directory Service is the external location where user accounts are stored. When you configure the SSL device to use an External Directory Service, you use the user accounts that are configured in the directory service rather than create new accounts for your users. You specify the computer on which the External Directory Service is installed and define a set of search rules to find users and user groups.
Self Service
    If you use an External Directory Service, you can use Self Service to enable your users to get their own user information, such as a forgotten password or user name. You can also allow your users to activate their accounts. When you enable and configure Self Service, you can use the wizard to configure the settings, or you can manually configure the settings. To get information from Self Service, users must answer a series of challenge questions that you specify to verify their credentials.

About User Accounts

You can use WatchGuard SSL Web UI to create user accounts in your Local User Database with one of these methods:

    Add User
    Create User Account by Linking
    Import User Account

Each of these methods gives you a different level of detail in the account settings. When you edit an account, you can change all account settings, regardless of the method you used to create the user account.

Add User
    To manually add a user account to the Local User Database, select this method. It gives you the most flexibility in account configuration. For more information, see Manually Add a User Account.
Create User Account by Linking
    To create a basic user account based on an existing user in your External Directory Service, select this method. Basic information for the user account is automatically copied from the directory service and is added to the Local User Database. For more information, see Link to a User Account.
Import User Account
    To create multiple user accounts at one time, select this method to import a file with all the information for the user accounts. For more information, see Import User Accounts.

User Account Search Result List

You can search for, disable, and delete user accounts on the Manage All User Accounts page.

1. Select User Management.
   The Manage All User Accounts page appears.
2. To search for a user, in the Search by User ID text box, type a User ID. To expand the search results, you can use the * wildcard character.
3. From the Search by User ID drop-down list, select the search parameters.
4. Click Search.
5. To disable a user account, select the Disabled check box for a user account and click Save.
   The user can no longer connect to the Application Portal or network resources, but the account is not removed.
6. To delete a user account, select the Delete check box for a user account and click Delete.
   The user account is removed.

Manually Add a User Account

You can add user accounts to the Local User Database one at a time. This method gives you the most configuration options when you first create the account.

For each user account, you can add a Display Name. The Display Name only appears in the Web UI and enables you to easily distinguish one user account from another. When you add a user account, you can also define custom attributes to add specific details to an account. For example, you can add an attribute that you use when you add the user to a user group.

To add a user account:

1. Select User Management.
   The User Accounts page appears.
2. From the User Accounts table, select Add User.
   The Add User Account page appears.
3. In the User ID text box, type a name for this user account.
4. To get user account information from your External Directory Service, click Link User.
   The User Location in Directory and Display Name text boxes are populated with information from the External Directory Service account for the user.
5. If necessary, in the Display Name text box, type a new display name for the user account.
6. To add specific name and value information for the user, click Add Custom Attribute.
   The Add Custom Attribute page appears.
7. In the Name and Value text boxes, type the information for the attribute. Click Next.
   The Add User Account page appears. The new attribute appears in the Custom Attributes list.
8. (Optional) To add more attributes, repeat Steps 6 and 7.
9. Click Next.
   The Add User Account page appears.
10. Select the check box for each WatchGuard authentication method you want to enable for this user account.
    When you select an authentication method, the link at the bottom right of the page changes from Finish Wizard to Next.
11. (Optional) If you selected an authentication method that sends the password or PIN in an email, in the Email Address text box, type the email address for this user account.
12. (Optional) If you selected an authentication method that sends the password or PIN as an SMS message, in the SMS text box, type the mobile phone number for this user account.
13. Click Next.
    The WatchGuard Authentication page appears with the settings for the authentication methods you selected.
14. For each authentication method, type and verify the password or PIN for this user account. For more information about the password or PIN parameters for each authentication method, see the subsequent section.
15. In the Password Properties or PIN Properties section, select the settings for this user account.
16. Click Finish Wizard.
    The new user account is created. The Manage All user accounts page appears, with the new user account in the User Accounts table.

Authentication method password and PIN parameters

Each password or PIN you set for a WatchGuard authentication method must meet certain required parameters. If the password or PIN you select does not meet the required parameters, a red notification appears at the top of the page when you finish the wizard.

WatchGuard SSL Mobile Text
    The password must be between six and sixteen characters and must include at least two numerals.
WatchGuard SSL Web
    The password must be between six and sixteen characters and must include at least two numerals.
WatchGuard SSL Challenge
    The PIN must be six numerals.
WatchGuard SSL Password
    The password must be between six and sixteen characters and must include at least two numerals.
WatchGuard SSL Synchronized
    The PIN must be six numerals.

Import User Accounts

You can import user accounts from a file to add many user accounts to your Local User Database at the same time. The file you import must be a text (.txt) file with this information:

    The first row contains the column headings that specify the fields in the import file. Headings do not contain any spaces and are not case-sensitive.
    Each row contains data for only one user.
    If a row does not contain data, or begins with the comment sign, the row is ignored.

For more information about the user import file, see the subsequent section.

To import user accounts:

1. Select User Management.
   The Manage All User Accounts page appears.
2. Click Import User Account.
   The Manage User Import page appears.
3. From the Separator in File drop-down list, select the type of separator used in the file.
   The default separator is Comma.
4. Click Browse and select the file.
   The file name appears in the Import File text box.
5. Click Import Users.
   The file is imported and the user information is added to your Local User Database.
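A pre-upload check for the import file, added here as an example and not part of the WatchGuard product or this guide: it applies the heading, row and value rules above together with the per-method password and PIN parameters, using the UID and RealName headings and value types from the table in the next section. The sample file, the separator names, the subset of headings it checks, and the base64-only check for {SHA} values are assumptions drawn from this guide.

```python
"""Validate a WatchGuard SSL user import file before you upload it.

Added example, not WatchGuard code. Rules from the guide: first row holds
the headings (no spaces, not case-sensitive), one user per row, empty rows
and rows that begin with # are ignored, UID and RealName are mandatory,
Boolean is true/false, Integer a non-negative numeral, Password clear text
or "{SHA}" plus a base64 hash. Secret checks follow the per-method password
and PIN parameters (6-16 characters with two numerals; six-numeral PIN).
"""
import base64
import binascii
import csv

# Separator names as shown in the Separator in File drop-down list.
SEPARATORS = {"Comma": ",", "Semicolon": ";", "Tab": "\t"}
MANDATORY = ("uid", "realname")

# Which policy applies to each clear-text secret heading.
SECRET_HEADINGS = {
    "challengepin": "pin", "synchronizedpin": "pin",
    "webpwd": "password", "passwordpwd": "password", "mobiletextpwd": "password",
}
# Subset of the Boolean and Integer headings from the import file table.
BOOLEAN_HEADINGS = {
    "accountdisabled", "accountneverexpires", "challengeenabled",
    "synchronizedenabled", "webenabled", "passwordenabled",
    "mobiletextenabled", "notifybymail", "notifybysms",
}
INTEGER_HEADINGS = {"accessmaxretries", "authenticationmaxretries"}


def parse_import_file(text, separator=","):
    """Return (headings, rows); each row is (line number, {heading: value})."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("import file is empty")
    headings = [h.strip().lower() for h in next(csv.reader([lines[0]], delimiter=separator))]
    for heading in headings:
        if not heading or " " in heading:
            raise ValueError(f"invalid heading {heading!r}: headings cannot contain spaces")
    missing = [m for m in MANDATORY if m not in headings]
    if missing:
        raise ValueError(f"mandatory heading(s) missing: {missing}")
    rows = []
    for lineno, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # empty rows and comment rows are ignored on import
        fields = next(csv.reader([line], delimiter=separator))
        fields += [""] * (len(headings) - len(fields))  # short row: missing columns are empty
        rows.append((lineno, dict(zip(headings, fields))))
    return headings, rows


def check_secret(kind, value):
    """Return a problem string, or None, for one password or PIN value."""
    if value.startswith("{SHA}"):
        # Pre-hashed secret: only confirm the base64 part decodes. The guide does
        # not name the SHA variant, so the digest length is not checked here.
        try:
            base64.b64decode(value[len("{SHA}"):], validate=True)
        except (binascii.Error, ValueError):
            return "hashed password is not valid base64"
        return None
    if kind == "pin":
        return None if len(value) == 6 and value.isascii() and value.isdigit() else "PIN must be six numerals"
    numerals = sum(c.isdigit() for c in value)
    if not 6 <= len(value) <= 16 or numerals < 2:
        return "password must be 6 to 16 characters and include at least two numerals"
    return None


def validate_rows(rows):
    """Return a list of (line number, heading, problem) for parsed rows."""
    problems = []
    for lineno, row in rows:
        for heading, value in row.items():
            if heading in MANDATORY and not value.strip():
                problems.append((lineno, heading, "mandatory value is empty"))
            elif heading in BOOLEAN_HEADINGS and value and value.lower() not in ("true", "false"):
                problems.append((lineno, heading, "Boolean must be true or false"))
            elif heading in INTEGER_HEADINGS and value and not (value.isascii() and value.isdigit()):
                problems.append((lineno, heading, "Integer must be a non-negative numeral"))
            elif heading in SECRET_HEADINGS and value:
                problem = check_secret(SECRET_HEADINGS[heading], value)
                if problem:
                    problems.append((lineno, heading, problem))
    return problems


# Constructed sample file: alice is valid, bob has four bad values, carol
# carries a pre-hashed web password (sample hash, not a real credential).
SAMPLE_FILE = """\
UID,RealName,Comments,WebEnabled,WebPwd,ChallengeEnabled,ChallengePIN,AccessMaxRetries
# comment rows like this one are ignored
alice,Alice Example,ok,true,Sp1ral42,true,493027,3

bob,Bob Example,bad values,yes,short1,true,12345,-1
carol,Carol Example,hashed,true,{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=,false,,0
"""
```

Run `validate_rows` on the output of `parse_import_file(SAMPLE_FILE, SEPARATORS["Comma"])` to list every problem with its line number before the file is imported.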
About the User Import File

The file you use to import user accounts must be a text file with information separated by commas, semicolons, or tabs, and must have only one user account per line. To create a user account, the import file must include at least the User ID and Display Name for each user account.

When you import the file, the necessary user account information is automatically created for each user account, if it is not specified in the import file. This information includes:

    WatchGuard Access Number of Retries
    WatchGuard Authentication Number of Retries
    User Account Effective Dates

For these settings, the default value is set to the value specified in the Global User Account Settings.

Note: The authentication methods you enable on the Global User Account Settings page are not applied to the user accounts you add when you import them in a file.

Contents of the user import file

The user import file must be formatted with these settings:

    The first row in the import file must contain the column headings, to specify the fields in the import file. The headings cannot contain any spaces and are not case-sensitive.
    Each row must contain data for only one user.
    Empty rows and rows that begin with a comment sign (#) are ignored when imported.

For descriptions of the heading values, see the subsequent section.

Heading                      Value           Comment
UID                          String          Mandatory
RealName                     String          Mandatory
Comments                                     Column for comments; ignored when file is imported
DirectoryLink                String
UserStorage                  String
GroupName                    String
FramedIP                     String
MailAddress                  String
MobileNumber                 String
AccountDisabled              Boolean
AccountValidFrom             Date
AccountExpires               Date
AccountNeverExpires          Boolean
AccessMaxRetries             Integer
AuthenticationMaxRetries     Integer
ChallengeEnabled             Boolean
ChallengePIN                 Password
ChallengePINNeverExpires     Boolean
ChallengePINCannotChange     Boolean
ChallengePINMustChange       Boolean
ChallengePINGenerate         Boolean
ChallengeSeed                String
ChallengeSeedGenerate        Boolean
SynchronizedEnabled          Boolean
SynchronizedPIN              Password
SynchronizedPINNeverExpires  Boolean
SynchronizedPINCannotChange  Boolean
SynchronizedPINMustChange    Boolean
SynchronizedPINGenerate      Boolean
SynchronizedSeed             String
SynchronizedSeedGenerate     Boolean
WebEnabled                   Boolean
WebPwd                       Password
WebPwdNeverExpires           Boolean
WebPwdCannotChange           Boolean
WebPwdMustChange             Boolean
WebPwdGenerate               Boolean
PasswordEnabled              Boolean
PasswordPwd                  Password
PasswordPwdNeverExpires      Boolean
PasswordPwdCannotChange      Boolean
PasswordPwdMustChange        Boolean
PasswordPwdGenerate          Boolean
PasswordPwdUseDirectory      Boolean
MobileTextEnabled            Boolean
MobileTextPwd                Password
MobileTextPwdNeverExpires    Boolean
MobileTextPwdCannotChange    Boolean
MobileTextPwdMustChange      Boolean
MobileTextPwdGenerate        Boolean
MobileTextPwdUseDirectory    Boolean
NotifyByMail                 Boolean
NotifyBySMS                  Boolean
NotifyToAddress              email address

Import File Heading Value Descriptions

Item       Description                                                           Comment
String     A string that contains any character
Integer    Non-negative numeral
Boolean    True or false
Password   Password in clear text or {SHA}+[base64-encoded SHA hashed password]
Date       The date format that corresponds to the language settings for your    Make sure the date format in the file matches your browser settings.
           browser.

Link to a User Account

You can link to an existing user account in your External Directory Service to create a basic user account in your Local User Database. Linked user accounts are added according to your default settings on the Manage Global User Account Settings page. For more information about global user account settings, see Manage Global User Account Settings.

To link to a user account:
1. Select User Management.
   The User Accounts page appears.
2. Click Create User Account by Linking.
   The Manage User Linking page appears.
3. In the User ID text box, type the User ID for the user you want to add.
4. From the Notification drop-down list, select the notification method for this account. For more information about the available options, see the subsequent section.
5. In the Message Set drop-down list, select the notification message to send. For more information about the available options, see the subsequent section.
6. Click Link User.
   The user account is added to your Local User Database and appears in the Manage All User Accounts table.

Notification and Message Set options

Notification
    Select the method to use to notify the user of the Password or PIN for the user account. The available options depend on the settings you selected for notification and SMS distribution. For more information about notification and SMS distribution settings, see About Notification Settings. Available options include:
        By Screen
        By Email
        By Email and Screen
        By SMS
        By SMS and Screen
    The default setting is By Screen.
Message Set
    A message set includes all the notification messages for the WatchGuard authentication methods. The message set Default includes all the messages specified on the Global Authentication Service Settings page. The default setting is Default.

Repair a Linked User Account

If a linked user account is moved in the External Directory Service, the link is broken between the Local User Database and the External Directory Service. You can use the User Link Repair wizard to repair, remove, or delete the broken account.

To repair a link for a user account:

1. Select User Management.
   The User Accounts page appears.
2. Click Repair Linked User Account.
   The User Link Repair page appears. If there are no broken links, the message "There are no user links to repair." appears. If there are broken links, a message about the number of broken links appears.
3. Click Start User Link Repair Wizard.
   The Overview page appears, with information about the first broken link.
4. Select an action.
5. Click Next.
   If there is more than one broken link, the first link is repaired. The Overview page appears for the next link.
6. If there is more than one broken link, repeat Steps 4 and 5 for the other broken links.
   When all links are repaired, the User Link Repair Result page appears with information about the repaired user accounts.

Edit User Accounts

You can edit or delete information and settings for each user account, regardless of which method you used to add the account.

To edit a user account:

1. Select User Management.
   The User Accounts page appears.
2. In the User Accounts table, click the User ID for the account you want to edit.
   The Edit User Account page appears for the user you selected.
3. Select a tab and edit the information and settings for the user account.
4. Click Save.
   The user account is updated with the changes and the Manage All User Accounts page appears.

To delete a user account:

1. Select User Management.
   The User Accounts page appears.
2. In the User Accounts table, click the User ID for the account you want to delete.
   The Edit User Account page appears for the user you selected.
3. Click Delete.
   The Delete User Account page appears.
4. Click Yes to delete the account.
   The user account is deleted and the Manage All User Accounts page appears.

Manage Global User Account Settings

The Global User Account Settings are the default settings that apply to all user accounts. These settings are divided into three sections:

General Settings
    Includes default settings for user account access, WatchGuard authentication, and timeouts.
User Linking
    Includes options to enable WatchGuard Authentication methods for user accounts created by a linking method, and to set notification methods.
Repair User Links
    Includes the option to enable the device to automatically repair user links.

To configure default user account settings:

1. Select User Management.
   The User Accounts page appears.
2. Click Global User Account Settings.
   The Manage Global User Account Settings page appears.
3. Configure the necessary settings on each tab. For more information about the settings on each tab, see the subsequent sections.
4. Click Save.
General Settings

On the General Settings tab, you can change the default settings for user account access, WatchGuard authentication, timeouts, and search limits.

Default Account Settings

Max Logon Retries
    Set the maximum number of times users can try to log on with invalid credentials before the account is disabled. When set to 0, the user account is never disabled.
Account Expires In
    Set the number of days the user account is active. When set to 0, the user account never expires.

Default Account Settings for WatchGuard Authentication

Max Logon Retries
    Set the maximum number of times users can try to log on with invalid credentials for WatchGuard Authentication methods before the account is disabled. When set to 0, the user account is never disabled.

Account Settings for WatchGuard Authentication

Use groups
    Select this option if you want to use group names when you manage user accounts. Group information is sent to the RADIUS client. The RADIUS client can then be configured to use this attribute for authorization.
Use framed IP address
    Select this option to send the configured framed IP address to the system when a user authenticates.
Time Lock Timeout
    Set the number of minutes before users can try to log on again after an account is disabled when the Time Lock Interval settings are reached.
Time Lock Interval
    Set the number of times a user can try to log on with invalid credentials before the account is disabled.
Change Password/PIN Notification
    Set the number of days before users are notified to change their passwords/PINs.

Timeout Settings
    Configure timeout settings for inactivity, sessions, warnings, and active users.

Search Limit Settings
    Configure the maximum number of results to include and display in search results.

User Linking

On the User Linking tab, you can select whether to enable WatchGuard Authentication methods when you manually or automatically create a user account by linking. You can also select which authentication methods to enable, and configure the password properties for the methods you select.

Notification
    Select whether to send user notification messages by email or SMS.
Authentication Methods Settings
    Select the check box for each authentication method you want to automatically enable for linked user accounts. After you select a method, the Password Properties section for that method appears. Select the check box for each password property to apply to the selected authentication method. The default password property for each method is Generate password.

Repair User Links

To enable the SSL device to automatically repair broken user account links when users authenticate, select the Automatically repair user links check box.

About User Groups

When you add your users to user groups, you can control the resources your users can select, or the actions users must take before they can select a resource. You can create user groups based on either the properties of a user account or the location of a user in the directory structure you specified.

For information about how to add users to your Local User Database, see Manually Add a User Account. For information about how to specify an External Directory Service, see Add an External Directory Service Location.

About user property groups

User property groups are for groups of users with similar properties, such as job function. WatchGuard SSL manages these properties as attributes that contain a source, name, and value. Available attribute sources include:

    External directory service
    Custom-defined
    RADIUS session

The attribute value you select must match the attribute name returned from the specified source type. When you select Custom-defined, you can use the user attributes specified on the General Settings page for user accounts.

About user location groups

User location groups are for groups of users that are all in a specified location. For example, ou=administrators,dc=example,dc=com. Each user location group contains all the users who belong to the user group you select, as it is defined in your directory structure. The directory can be either your Local User Database or an External Directory Service. You can use this group type to integrate your existing local user groups.
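The two group types described above, worked through in code. This is an added example, not WatchGuard code: a user location group collects the users whose DN sits below the group's User Location DN, and a user property group collects the users whose attribute from the chosen source has the chosen name and value. The user records and group definitions are constructed sample data, and case-insensitive comparison of DN components and attribute values is an assumption.

```python
"""Work out which user accounts a WatchGuard SSL user group would contain.

Added example, not WatchGuard code. A user location group holds every user
whose DN lies below the group's User Location DN (for example
ou=administrators,dc=example,dc=com). A user property group holds every
user whose attribute from the chosen source (External directory service,
Custom-defined or RADIUS session) has the chosen name and value.
Assumption: DN types and values, and attribute values, compare
case-insensitively. All user and group data below is constructed.
"""


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash escapes and quotes."""
    rdns, current, quoted, i = [], [], False, 0
    while i < len(dn):
        char = dn[i]
        if char == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep an escaped pair such as "\," inside a value
            i += 2
            continue
        if char == '"':
            quoted = not quoted
        if char == "," and not quoted:
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(char)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def normalize_rdn(rdn):
    """Return (type, value) in lower case so RDNs can be compared."""
    attr_type, _, value = rdn.partition("=")
    return attr_type.strip().lower(), value.strip().lower()


def dn_is_under(user_dn, location_dn):
    """True when user_dn lies strictly below location_dn in the directory tree."""
    user = [normalize_rdn(r) for r in split_dn(user_dn)]
    base = [normalize_rdn(r) for r in split_dn(location_dn)]
    return len(user) > len(base) and user[len(user) - len(base):] == base


def property_matches(user, source, name, value):
    """True when the user's attribute `name` from `source` equals `value`."""
    attrs = user["attributes"].get(source, {})
    found = attrs.get(name.lower())
    return found is not None and found.lower() == value.lower()


def view_users(group, users):
    """Return the User IDs a group would contain, like View Users in the wizard."""
    if group["type"] == "location":
        return [u["uid"] for u in users if dn_is_under(u["dn"], group["location_dn"])]
    if group["type"] == "property":
        return [u["uid"] for u in users
                if property_matches(u, group["source"], group["name"], group["value"])]
    raise ValueError(f"unknown group type {group['type']!r}")


# Constructed sample users; attribute names are stored lower-cased per source.
USERS = [
    {"uid": "alice", "dn": "CN=Alice Example,OU=Administrators,DC=example,DC=com",
     "attributes": {"External directory service": {"department": "Finance"}}},
    {"uid": "bob", "dn": "cn=Bob\\, Jr.,ou=Sales,dc=example,dc=com",
     "attributes": {"Custom-defined": {"role": "auditor"}}},
    {"uid": "carol", "dn": "cn=Carol,ou=Contractors,ou=Administrators,dc=example,dc=com",
     "attributes": {"RADIUS session": {"class": "vpn-users"}}},
    {"uid": "dave", "dn": "cn=Dave,ou=Administrators,dc=example,dc=org",
     "attributes": {"External directory service": {"department": "Finance"}}},
]

# Constructed group definitions mirroring the Add User Group wizard settings.
ADMIN_LOCATION_GROUP = {"type": "location",
                        "location_dn": "ou=administrators,dc=example,dc=com"}
FINANCE_PROPERTY_GROUP = {"type": "property", "source": "External directory service",
                          "name": "department", "value": "finance"}
AUDITOR_PROPERTY_GROUP = {"type": "property", "source": "Custom-defined",
                          "name": "role", "value": "Auditor"}

if __name__ == "__main__":
    for label, group in [("administrators", ADMIN_LOCATION_GROUP),
                         ("finance", FINANCE_PROPERTY_GROUP),
                         ("auditors", AUDITOR_PROPERTY_GROUP)]:
        print(label, view_users(group, USERS))
```

Note that carol is a member of the administrators location group through a nested OU, while dave is not because his DN ends in dc=org.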
Add a User Group

You can add a user location or user property group to categorize your user accounts.

To add a user group:

1. Select User Management.
   The User Accounts page appears.
2. Select User Groups in the left navigation menu.
   The Manage User Groups page appears.
3. Click Add User Group.
   The Add User Group page appears.
4. Select a user group type. Click Next.
5. Configure the settings for the user group. The settings that appear depend on the group type you selected. For more information about the settings, see the subsequent sections.
6. To see all user accounts that match the settings you selected, click View Users.
7. Click Finish Wizard.

User Location Group settings

Configure these settings for a User Location Group:

Display Name
    Type a unique name to identify the user group.
Description
    (Optional) Type a description to help you identify the user group.
User Location DN
    Select the location of the users in the directory structure.

User Property Group settings

Configure these settings for a User Property Group:

Display Name
    Type a unique name to identify the user group.
Description
    (Optional) Type a description to help you identify the user group.
Attribute Source
    Select the source for the user group attributes. The default setting is External directory service.
Attribute Name
    Type the attribute name as it is defined in the selected directory service schema. If you set the Attribute Source to External directory service or Custom-defined, you must add an attribute name.
Attribute Value
    Type the value of the attribute you specified.

Search, Edit, or Delete User Groups

You can search the user group list to filter the groups you see in the list. You can also edit or delete the user groups you created. Default system user groups cannot be edited or deleted; you can only see information about these user groups.

Search the user group list

1. Select User Management.
   The User Accounts page appears.
2. Select User Groups.
   The Manage User Groups page appears.
3. In the Search by display name text box, type the name of the user group you want to find. To expand your search, include the * wildcard character in your search text.
4. In the Search by display name drop-down list, select the type of user group.
5. Click Search.
   The user groups that match your search parameters appear.

Edit user group information

1. Select User Management.
   The User Accounts page appears.
2. Select User Groups in the left navigation menu.
   The Manage User Groups page appears.
3. Click the Display Name for the user group you want to edit.
   The Edit User Group page appears.
4. Change the settings for the user group.
5. To see all the users in the group, click View Users.
6. Click Save.

Delete a user group

1. Select User Management.
   The User Accounts page appears.
2. Select User Groups.
   The Manage User Groups page appears.
3. Click the Display Name for the user group you want to delete.
   The Edit User Group page appears.
4. Click Delete.
   The Delete User Group page appears.
5. Click Yes.
   The user group is deleted.

About the External Directory Service

The External Directory Service is the location not on your SSL device where you can store user account information, such as an Active Directory or LDAP server. You can select one or more directory service locations of different brands and types. When you link the user accounts in your Local User Database to the External Directory Service, you can reuse the existing information for your user accounts. Linked user accounts have references to existing users and user groups that you can use for user authentication.

To configure an External Directory Service, you must specify the host for the directory service and define the search rules used to find users and user groups. You can then link the accounts on your External Directory Service to the Local User Database.

About Search Rules

Your Local User Database uses search rules to match users and user groups. When you configure search rules, make sure you define them based on the directory structure of your organization and the user objects you want to use in your rules.
User Management About Directory Mapping Directory mapping enables you to use specified attributes to get the existing information from your External Directory Service so you can reuse this information in your Local User Database. For example, you can get passwords or email addresses so you do not have to specify them in WatchGuard SSL Web UI when you create or link user accounts. Add an External Directory Service Location When you add an External Directory Service location you can link your Local User Database user accounts to your existing directory service. This enables you to reuse existing user account information and simplify user account creation. To add an External Directory Service location: 1. Select User Management. The User Accounts page appears. 2. Select External Directory Service. The Manage External Directory Service page appears. 3. Click Add External Directory Service Location. The Add External Directory Service Location page appears. 4. Select the type of directory service. Click Next. The Add External Directory Service Location page appears. User Guide 93
User Management 5. In the Display Name text box, type the name to appear in the Registered External Directory Service Locations list for this External Directory Service. 6. In the Host text box, type the primary IP address of your External Directory Service server. 7. (Optional) In the Secondary Host text box, type the secondary IP address for your External Directory Service server. 8. In the Port text box, specify the port to use to connect to your External Directory Service server. The default value is 389. 9. In the Account text box, type the user name of the account to use to connect to your External Directory Service server. We recommend you select a read-only account (not the server administrator account) with a password that does not often change. 10. In the Password text box, type the password for the user name you specified. 11. To secure communication between the SSL device and your directory service: a. Select the Use SSL check box. b. From the CA Certificate drop-down list, select the certificate authority certificate to use with the SSL connection. 12. To change the amount of time the SSL device waits for a response from the External Directory Service, in the Timeout text box, type the number of seconds. 13. To change the number of times the SSL device tries to connect to the primary External Directory Service host, in the Retries text box, type a number. If the primary host does not respond within the specified number of retries, the SSL device tries to contact the Secondary Host you specified. 14. To enable the SSL device to use the links between your directory service servers, select the Follow links between External Directory Services check box. This option is selected by default. 94 WatchGuard SSL Web UI
User Management 15. To verify the connection information for your External Directory Service is correct, click Test Connection. If your configuration is correct, a Connection test is successful message appears. If the connection test fails, review the settings for your External Directory Service server location, and correct any errors in the configuration. 16. Click Next. The Add External Directory Service Location page appears. 17. To add search rules for your users, click Add User Search Rule. The Add User Search Rule page appears. 18. Configure the search rule. Click Next. The External Directory Service Location Search Rules page appears. User Guide 95
User Management 19. To add search rules for your user groups, click Add User Group Search Rule. The Add User Group Search Rule page appears. 20. Configure the search rule. Click Next. The External Directory Service Location Search Rules page appears. 21. To verify that the connection to your External Directory Service is active, click Test Connection. 22. Click Finish Wizard. The directory service is added and appears in the Registered External Directory Service Location list. Edit an External Directory Service Location You can edit an existing External Directory Service configuration to change the general and search rules settings, and to configure directory mapping settings. You can also delete an existing External Directory Service Location. To edit an External Directory Service location: 1. Select User Management. The User Accounts page appears. 2. Select External Directory Service. The Manage External Directory Service page appears. 3. In the Registered External Directory Service Location list, click the Display Name of the directory service you want to change. 96 WatchGuard SSL Web UI
The Edit Directory Service Location page appears.
4. Select a tab and edit the information and settings for the directory service.
5. To verify that the connection to your External Directory Service is active, click Test Connection.
6. Click Save.

To configure Directory Mapping settings for an External Directory Service Location:
1. Select the Directory Mapping tab. The Directory Mapping Attributes page appears.
2. Specify the attributes to use to get existing user account information from your External Directory Service. The attributes you specify must match the attributes in the External Directory Service.
3. Click Save.

To delete a Registered External Directory Service Location:
1. Select User Management. The User Accounts page appears.
2. Select External Directory Service. The Manage External Directory Service page appears.
3. In the Registered External Directory Service Locations list, click the Display Name of the directory service you want to delete. The Edit Directory Service Location page appears.
4. Click Delete. The Delete External Directory Service Location page appears.
5. Click Yes to delete the location. The External Directory Service Location is deleted and the Manage External Directory Service page appears.

About Self Service

You can use Self Service to allow your users to get their own user information, such as a forgotten password or user name. You can also allow your users to activate their accounts. To get information from Self Service, users must answer a series of questions to verify their credentials before they get their information.

You must have an External Directory Service configured to use Self Service. You cannot use Self Service if you have only a Local User Database.

Before you can use Self Service, you must enable and configure it. You can use the wizard to enable it and configure the settings, or you can manually enable it and configure the settings. You can also disable Self Service. If you enable and then disable Self Service, you do not have to use the wizard to enable Self Service again.

Use the wizard to enable Self Service

You can use the WatchGuard SSL Self Service wizard to enable Self Service and configure the basic settings for you. This wizard is only available the first time you enable Self Service.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Yes - help me with the settings. The Manage Self Service page appears. Self Service is enabled by the system and partially configured.
3. To change the settings for Self Service, click Self Service Settings. The Manage Self Service Settings page appears. For more information, see Manage Self Service Settings.
4. To complete the configuration, click Modify System Challenges and add or edit a System Challenge. The Manage System Challenges page appears. For more information, see Modify System Challenges.
5. Click Save.
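The External Directory Service location settings at the start of this chapter (Host, Secondary Host, Port, Timeout, Retries, Use SSL, CA Certificate) describe a failover sequence: the SSL device tries the primary host up to Retries times, each attempt bounded by Timeout, before it contacts the Secondary Host. The following added example, which is not WatchGuard code, models that sequence so that the worst-case login delay and the effect of each setting can be seen. The connect callable that stands in for a real LDAP bind, the default values for Timeout and Retries, the single attempt against the secondary host and the sample hosts are all assumptions or constructed for the demonstration.

```python
"""Primary/secondary directory connection with bounded retries.

Added example, not WatchGuard code. It models the behaviour described for
the External Directory Service location settings: the SSL device tries the
primary Host up to Retries times, each attempt limited to Timeout seconds,
and only then tries the Secondary Host. The ``connect`` callable stands in
for a real LDAP bind and is an assumption, as are the default values and
the sample hosts, which are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class DirectoryLocation:
    """Fields from the Add External Directory Service Location page."""
    display_name: str
    host: str
    secondary_host: Optional[str] = None
    port: int = 389                      # default value shown on the page
    use_ssl: bool = False
    ca_certificate: Optional[str] = None
    timeout: int = 5                     # seconds per attempt (assumed default)
    retries: int = 3                     # attempts against the primary host (assumed default)


@dataclass
class ConnectResult:
    host: Optional[str]                  # host that answered, or None if every attempt failed
    attempts: List[str] = field(default_factory=list)   # every "host:port" tried, in order


# connect(host, port, timeout) -> True if the directory answered within timeout seconds.
Connector = Callable[[str, int, int], bool]


def connect_with_fallback(loc: DirectoryLocation, connect: Connector) -> ConnectResult:
    """Try the primary host Retries times, then the secondary host once.

    Whether the appliance also applies Retries to the secondary host is not
    stated on the page; one attempt is assumed here.
    """
    result = ConnectResult(host=None)
    for _ in range(max(1, loc.retries)):          # Retries is read as the total number of attempts
        result.attempts.append(f"{loc.host}:{loc.port}")
        if connect(loc.host, loc.port, loc.timeout):
            result.host = loc.host
            return result
    if loc.secondary_host:
        result.attempts.append(f"{loc.secondary_host}:{loc.port}")
        if connect(loc.secondary_host, loc.port, loc.timeout):
            result.host = loc.secondary_host
    return result


def max_wait_seconds(loc: DirectoryLocation) -> int:
    """Worst-case delay a user login can see while the primary host is down."""
    attempts = max(1, loc.retries) + (1 if loc.secondary_host else 0)
    return attempts * loc.timeout


def check_settings(loc: DirectoryLocation) -> List[str]:
    """Added sanity checks on the location settings (not a product feature)."""
    warnings = []
    if not loc.use_ssl:
        warnings.append("Use SSL is not selected: the bind account password is sent unprotected")
    elif not loc.ca_certificate:
        warnings.append("Use SSL is selected but no CA Certificate validates the directory server")
    return warnings


def constructed_connector(responsive_hosts: Set[str]) -> Connector:
    """Stand-in for an LDAP bind: only hosts in the set ever answer (constructed)."""
    def connect(host: str, port: int, timeout: int) -> bool:
        return host in responsive_hosts
    return connect


if __name__ == "__main__":
    loc = DirectoryLocation("Corp AD", "10.0.0.5", secondary_host="10.0.0.6",
                            use_ssl=True, ca_certificate="corp-root-ca", retries=2)
    res = connect_with_fallback(loc, constructed_connector({"10.0.0.6"}))
    print(res.host, res.attempts, max_wait_seconds(loc), check_settings(loc))
```

With Retries set to 2 and a 5 second Timeout, a dead primary host costs every login 15 seconds before the secondary answers, which is the figure to keep in mind when choosing those two values.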
Manually enable and configure Self Service

You can choose to enable Self Service and configure the basic settings manually.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click No - I will do the configuration myself. The Manage Self Service page appears. The Self Service Enabled check box is selected, but settings are not configured.
3. To configure the settings for Self Service, click Self Service Settings. The Manage Self Service Settings page appears. For more information, see Manage Self Service Settings.
4. To complete the configuration, click the Modify System Challenges link and add or edit a System Challenge. The Manage System Challenges page appears. For more information, see Modify System Challenges.
5. Click Save.

Disable or restore Self Service

You can choose to disable Self Service after it is enabled and configured. When you disable Self Service, all your configuration settings are saved, so you can enable it again later.

To disable Self Service:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Clear the Self Service Enabled check box. Self Service is disabled and all your configuration settings are saved.

To restore Self Service:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Select the Self Service Enabled check box. Self Service is enabled and all your configuration settings are restored.

Manage Self Service Settings

You can configure the settings for Self Service that allow your users to activate their accounts and get their user names or passwords if they lose them. You can add one or more challenges to each type of setting. When you add more than one challenge to a setting, the challenges are applied in the order you specify.

Self Service Settings types include:

Auto Activation Settings
    Enable users to automatically activate their accounts.
Forgotten Password Settings
    Enable users to find their forgotten passwords. You can choose to send a message to a secondary channel when the password is sent to the user.
Forgotten User Name Settings
    Enable users to find their forgotten user names. You can configure the message that is sent to the user.
Advanced Settings
    Set the amount of time users must wait between Self Service requests.

Before you can edit the setting type, you must have at least one system challenge. If there is not an available challenge, you can add one. For more information, see Modify System Challenges.

Add or delete a challenge

To add a challenge:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Self Service Settings. The Manage Self Service Settings page appears.
3. In the section for the settings you want to modify, click the Add link. For example, Add Auto Activate Challenge.
4. Select a System Challenge from the drop-down list.
5. Click Add Challenge. The challenge appears in the Registered Challenges list.
6. Click Up or Down to change the order in which each challenge is applied.
7. Click Save.

To delete a challenge:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Self Service Settings. The Manage Self Service Settings page appears.
3. In the Registered Challenges list for the setting you want to change, click Remove for the challenge you want to delete.
4. Click Yes to delete the challenge.
5. Click Save.

Configure Advanced Settings

You can set the amount of time users must wait after they have submitted one Self Service request before they can submit another request.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Self Service Settings. The Manage Self Service Settings page appears.
3. Find the Advanced Settings section.
4. In the Minimum time between requests field, type the number of hours users must wait between Self Service requests.
5. Click Save.

Modify System Challenges

System Challenges are used to confirm the identities of your users when they use Self Service. When users connect to Self Service, before they can get their account information, they must correctly answer a set of challenge questions that you select. You can add, edit, or delete System Challenges.

Add a System Challenge

To add a System Challenge:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Modify System Challenges. The Manage System Challenges page appears.
3. Click Add System Challenge. The Add System Challenge page appears.
4. In the Display Name, Challenge Question, and Attribute Name text boxes, type the settings for this system challenge. You can use the * wildcard character.
5. Click Next. The Summary page appears.
6. Review the settings for this system challenge.
7. Click Finish Wizard. The system challenge appears in the Registered System Challenges list.

Edit a System Challenge

You can edit any of the settings for the System Challenges you add. For the default System Challenges, you can only edit the Display Name and Challenge Question settings.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Modify System Challenges. The Manage System Challenges page appears.
3. In the Registered System Challenges list, click the challenge you want to change. The Edit System Challenge page appears.
4. Update the settings for the system challenge.
5. Click Save.
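The Self Service settings and System Challenges described above combine into one verification flow: each System Challenge names a directory attribute (with an optional * wildcard) whose value the user must supply, the challenges registered for a setting are applied in the order listed, and the Advanced Settings minimum time between requests throttles how often a user can try. The following added example, which is not WatchGuard code, puts those pieces together in working form. The directory records, the challenges, the fnmatch-style wildcard handling, the case-insensitive answer comparison and the clock are constructed or assumed; how the appliance itself stores and compares these values is not stated on the page.

```python
"""Self Service challenge evaluation with ordered challenges and a request limit.

Added example, not WatchGuard code. Each System Challenge names a directory
attribute whose value the user must supply, the challenges registered for a
setting are applied in the listed order, and the Advanced Settings minimum
time between requests is enforced per user. Directory records, challenges,
the wildcard handling and the clock are constructed for this demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class SystemChallenge:
    display_name: str
    challenge_question: str
    attribute_name: str      # directory attribute the answer is compared with; may contain *


# Constructed directory records: user name -> attributes read from the External Directory Service
DIRECTORY: Dict[str, Dict[str, str]] = {
    "jdoe": {"Email": "jdoe@example.com", "EmployeeNumber": "4711", "Phone": "+1-555-0100"},
    "asmith": {"Email": "asmith@example.com", "EmployeeNumber": "4712"},
}

# Constructed challenges; "System email" with attribute Email mirrors the walkthrough in this chapter
SYSTEM_EMAIL = SystemChallenge("System email", "What is your email address?", "Email")
EMPLOYEE_ID = SystemChallenge("Employee ID", "What is your employee number?", "Employee*")

FAILED = "verification failed"   # one message for unknown user and wrong answer alike

T0 = datetime(2012, 6, 21, 9, 0)   # constructed clock origin for the demonstration


def hours_later(hours: float) -> datetime:
    return T0 + timedelta(hours=hours)


def _answer_matches(record: Dict[str, str], pattern: str, answer: str) -> bool:
    """True if any attribute whose name matches the (wildcard) pattern equals the answer."""
    wanted = answer.strip().casefold()
    return any(fnmatchcase(name, pattern) and value.strip().casefold() == wanted
               for name, value in record.items())


class SelfService:
    def __init__(self, directory: Dict[str, Dict[str, str]],
                 challenges: Sequence[SystemChallenge], min_hours_between_requests: int = 1):
        self.directory = directory
        self.challenges = list(challenges)              # Registered Challenges, in applied order
        self.min_gap = timedelta(hours=min_hours_between_requests)
        self.last_request: Dict[str, datetime] = {}    # per-user time of the last request

    def verify(self, user: str, answers: Sequence[str], now: datetime) -> Tuple[bool, str]:
        """Apply the registered challenges in order; returns (verified, message)."""
        last = self.last_request.get(user)
        if last is not None and now - last < self.min_gap:
            return False, "too soon"                    # Minimum time between requests
        # Failed requests count too (assumed), so repeated guessing is throttled as well.
        self.last_request[user] = now
        record = self.directory.get(user)
        if record is None or len(answers) != len(self.challenges):
            return False, FAILED
        for challenge, answer in zip(self.challenges, answers):
            if not _answer_matches(record, challenge.attribute_name, answer):
                return False, FAILED
        return True, "verified"


if __name__ == "__main__":
    svc = SelfService(DIRECTORY, [SYSTEM_EMAIL, EMPLOYEE_ID], min_hours_between_requests=1)
    print(svc.verify("jdoe", ["JDoe@Example.com", "4711"], T0))
    print(svc.verify("jdoe", ["jdoe@example.com", "4711"], hours_later(0.5)))
```

Two design choices worth noting: the same generic message is returned for an unknown user name and for a wrong answer, so the Self Service page does not reveal which user names exist, and the request timestamp is recorded before the answers are checked, so the minimum time between requests limits guessing as well as successful requests.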
Delete a System Challenge

You can only delete System Challenges that you add. You cannot delete the default System Challenges.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Modify System Challenges. The Manage System Challenges page appears.
3. In the Registered System Challenges list, click the challenge you want to delete. The Edit System Challenge page appears.
4. Click Delete. The Delete Unknown Entity page appears.
5. Click Yes to delete the challenge.
6. Click Save.

Configure and Enable Self Service

With Self Service, users can get information about their own user accounts without interaction from the administrator. After users respond to the required user and system challenges, they can reset a forgotten password or retrieve a forgotten user name.

Before you enable the Self Service feature, you must register at least one External Directory Service location, such as Active Directory, that contains a list of users and email addresses. You must also make sure the email notification channel is enabled.

Note
Self Service is only available for use with your External Directory Service, not the Local User Database.

Verify your External Directory Service location is registered

You must make sure that you have at least one External Directory Service location registered before you begin.

To review or add an External Directory Service location:
1. Select User Management > External Directory Service. The Manage External Directory Service page appears.
2. Review the Registered External Directory Service Locations list.
3. If your External Directory Service location is not in the list, click Add External Directory Service Location and add it.
4. If you make any changes, click Publish to update your configuration with the changes.

Enable the email notification channel

Before you enable Self Service, you must enable a notification channel (for example, email).
1. Select Manage System > Notification Settings.
2. On the Email Channel tab, select the Enable email channel check box.
3. In the Host text box, type the IP address or domain name of your local email server.
4. In the Sender's E-mail Address text box, type the email address that you want to use to send the notifications. You can use an email address that is not on your mail server.
5. Click Save.

Enable Self Service
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Make sure the Self Service Enabled check box is selected.
3. Click Save. The Manage Self Service page reappears.

Configure Self Service system challenges
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Modify System Challenges. The Manage System Challenges page appears.
3. In the Registered System Challenges list, click the System Challenge Name of the challenge you want to configure. The Edit System Challenge page appears. Or, to add a new system challenge, click Add System Challenge. The Add System Challenge page appears.
4. In the Display Name text box, type System email.
5. To change the default challenge question message that users see, in the Challenge Question text box, type a new question.
6. In the Attribute Name text box, type Email.
7. If you added a new system challenge, click Next. Review the settings for the system challenge. Click Finish Wizard. Or, if you edited an existing system challenge, click Save. The Manage System Challenges page appears with the challenge information updated in the Registered System Challenges list.
8. Click Publish to update your configuration with the changes.

Configure Self Service settings

Self Service settings control the System Challenges for Auto Activation, Forgotten Password, and Forgotten User Name.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Self Service Settings. The Manage Self Service Settings page appears.
3. In the Auto Activation Settings section, click Add Auto Activate Challenge. The Select a Challenge page appears.
4. From the System Challenge drop-down list, select System email.
5. Click Add. The System email challenge appears in the Registered Challenges list.
6. If there are any other challenges in the Registered Challenges list, click Remove to delete them. This configures Self Service to require only the System email challenge for Self Service account activation.
7. In the Forgotten Password Settings section, click Remove adjacent to all Registered Challenges except System email and Userdefined Challenge.
8. In the Forgotten User Name Settings section, click Remove adjacent to all Registered Challenges except System email and Userdefined Challenge.
9. Click Save. The Manage Self Service page appears.

Enable Self Service for the WatchGuard SSL Password authentication method
1. Select Manage System > Authentication. The Registered Authentication Methods page appears.
2. Select the WatchGuard SSL Password authentication method. The Edit Authentication Method page appears.
3. If you do not have a Registered Authentication Method Server, on the General Settings tab, click Add Authentication Method Server. The Add Authentication Method Server page appears. If you do have a Registered Authentication Method Server, proceed to Step 7.
4. Select your authentication server from the Display Name drop-down list.
5. Configure the Host, Port, and Timeout settings.
6. Click Add. The Edit Authentication Method page appears.
7. Click Manage Default Template Specification. The Manage Default Template Specification page appears.
8. Replace the code in the second line with: <templatespec type="selfserviceform">
9. Click Update.
10. Click Save.
11. Click Publish to update your configuration with the changes.

Reset your password with Self Service
1. Connect to the Application Portal Authentication page. The Application Portal Authentication page appears with a list of available authentication methods.
2. Select the WatchGuard SSL Password authentication method. The WatchGuard Password authentication page appears, with self service options enabled.
3. In the User Name text box, type your user name.
4. Click Forgotten Password.
5. Type your email address.
6. Type the response to your personal challenge.
7. Select to receive the new password via email.
8. Click Continue to restart authentication.
9. Use the new password you received in email to log in.
5 About Resource Access

The WatchGuard SSL Application Portal enables you to give your users secure access to your network resources. You can create Application Portal items for access to applications, folders and files, and URLs as web or tunnel resources. Create a web resource to give your users access to an online application. Create a tunnel resource to give your users access to a client-server application.

To protect your resources, you configure access rules, authorization settings, and encryption levels to create seamless, secure access control. Users get access to resources through the WatchGuard SSL Application Portal.

You can collect resources that share logon credentials in Single Sign-On (SSO) domains. This allows users to submit their credentials once to get access to several resources. For added security, you can add access rules for your SSO settings.

Access rules are also used to enforce the End-Point Security feature Abolishment, which deletes Internet Explorer session files, the client cache, and the browser history when the user session ends.

Resources
You can add and manage standard resources, tunnel resource hosts, tunnel resource networks, tunnel sets, web resource hosts, and the global settings for tunnels that enable your users to use your network resources. For more information, see About Resources.

Client firewall
You can configure client firewall configurations to control traffic to and from the WatchGuard SSL Access Client. For more information, see About Client Firewalls and About the Access Client.
Access rules
Access rules are detailed requirements that users must meet to connect to resources. Available access rules include authentication methods, user group membership, date period, client IP address, client assessment, and client device. You can specify general access rules available for all resources or SSO domains, access rules that apply to individual resources, and global access rules that apply to all resources and SSO domains. For more information, see About Access Rules.

Application Portal
The Application Portal is the WatchGuard SSL web portal that your users can log on to and use to connect to your corporate applications and resources from remote locations. In the Application Portal, the applications and resources appear as icons with link text and are called Application Portal items. For more information, see About the Application Portal.

SSO domains
WatchGuard SSL SSO domains are configured to enable SSO for resources with the same user credentials. The SSO domain specifies how SSO is used for the resources included in the domain. When user credentials are modified, the changes are automatically applied to all resources in the SSO domain. For more information, see About SSO Domains.

About Resources

You can add, edit, and delete standard resources, tunnel resource hosts, tunnel resource networks, web resource hosts, and the global settings for tunnels that enable your users to use your network resources. You can add restrictions to allow only specified users to see certain resources in the Application Portal.

For more information about resources, see:
Manage Resources
Manage Global Tunnel Resource Settings
Manage Global Resource Settings

Manage Resources

You can add, edit, or delete resources for commonly used applications in your configuration. These resources are partially configured so you can set them up quickly. When you add a resource, you use the wizard to configure and create the resource in the Application Portal.
When you edit a resource after you add it, you use the configuration pages to make any changes.

The available resources include:

Web Resources
Citrix MetaFrame Presentation Server
Citrix XenApp Server
Microsoft Active Sync
Microsoft Outlook Mobile Access
Microsoft Outlook Web Access 2003
Microsoft Outlook Web Access 2007
Microsoft Outlook Web App 2010
Microsoft SharePoint Portal Server 2003
Microsoft SharePoint Portal Server 2007
Secure Remote Access to the Web UI
Web Resource

Tunnel Resources
Access to Home Directory
Full Tunnel
Microsoft Outlook Client 2003/2007
Microsoft Windows File Share
Microsoft Terminal Server 2003
Microsoft Terminal Server 2008
RDP Access
SSH Access
Tunnel Resource

Add a Resource
1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. In the Resources list, expand the group for the resource you want to add.
4. Select a resource. Information about the resource appears in the right column.
5. Click Next. The Add Resource page appears.
6. In the Display Name text box, type a name for this resource. The display name you select appears in the resources list.
7. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
8. Configure the Special Settings. The settings that appear in this section depend on the type of resource you select.
9. To enable the resource in the Application Portal, make sure the Make resource available in Application Portal check box is selected.
10. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
11. In the Link Text text box, type the name to appear with the icon in the Application Portal.
12. Click Next. The Manage Access Rules page appears.
13. Select an Access Rule from the Available Access Rules list. Click Add > to add it to the Selected Access Rules list. For more information about Access Rules, see About Access Rules.
14. Click Next. The Add Resource Summary page appears.
15. Review the settings for the resource.
16. Click Finish Wizard.

For more information about how to add a resource for RDP or SSH access, see Add a Tunnel Resource for RDP Access or Add a Tunnel Resource for SSH Access. For more information about how to configure a resource for access to a Citrix MetaFrame Presentation Server with SSO, see Configure SSO for a Citrix MetaFrame Presentation Server Resource.

Edit a Resource
1. Select Resource Access. The Resources page appears, with the Tunnel Resources tab selected.
2. Select the tab for the type of resource you want to edit: Tunnel Resources or Web Resources.
3. Select the Display Name of a resource. The Edit page appears for the resource you selected.
4. Select a tab and update the settings for the resource. The tabs that are available depend on the type of resource you select. For more information about the settings available on each tab, see About Resource Settings on page 122.
5. Click Save.

Delete a Resource

You can delete any resource that you create. You cannot delete the system generated resources, such as the Access Point resource. You can delete a resource from either the main Resources page, or from the Edit Resource page.
1. Select Resource Access. The Resources page appears.
2. Select the tab for the type of resource you want to delete: Tunnel Resources or Web Resources.
3. Adjacent to the resource you want to delete, click the delete icon. Or, select the Display Name of the resource you want to delete and, on the Edit Resource page, click Delete. The Delete Resource page appears, with a confirmation message.
4. Click Yes. The resource is removed from the Resources list.
About Resource Settings

When you create a Tunnel Resource or a Web Resource, you define the basic parameters for that resource. You can later edit the resource to further define the configuration. You can change the options you configured when you created the resource and define additional settings. The available settings for Tunnel Resources and Web Resources are different.

For more information about how to create a new resource, see Manage Resources. For more information about how to add a new static tunnel, see About Static Tunnel Settings. For more information about how to add a new dynamic tunnel, see About Dynamic Tunnel Settings.

Tunnel Resource Settings

On the Edit Tunnel Resource page, select a tab to change settings for the resource. You can edit the general settings you configured for the resource, specify a static or dynamic tunnel for the resource, configure startup commands, edit the access rules applied to the resource, and configure advanced settings for local lookups, drives, and the Access Client.

After you have made changes to the resource settings on all the necessary tabs, click Save. If you do not save your changes before you go to another page (not another settings tab for the resource), all your changes are lost.

General Settings

Enable tunnel resource
    Select this check box to enable this tunnel resource. To disable the resource, clear this check box.
Display Name
    In this text box, type a name for this resource. The display name you select appears in the resources list.
Description
    (Optional) In this text box, type a descriptive name to help you identify this resource.
Make this resource available in the Application Portal
    Select this check box to add the resource to the Application Portal. If you do not select this option, your users cannot get access to this resource from the Application Portal.
Icon
    Select the image that appears in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
Link Text
    In this text box, type the name to appear with the icon in the Application Portal.
Tunnel Settings

On the Tunnel Settings tab, you can add and edit the tunnel settings for this resource. You can also delete a static or dynamic tunnel.

For a resource that can connect to any operating system, you can add a static tunnel with a local IP address on a single port. If your resource uses an IP address on more than one port, and can connect to only Windows platforms, use a dynamic tunnel.

Note
Static and dynamic tunnels can be configured for any TCP or UDP port, but other protocols cannot be used. For example, ICMP ping traffic cannot pass through the tunnel.

Add Static Tunnel
    Select this option to add a static tunnel to your resource. After you add a static tunnel, it appears in the Registered Static Tunnels list. To edit the settings for a static tunnel, or delete a static tunnel, click the link in the Registered Static Tunnels list.
Add Dynamic Tunnel
    Select this option to add a dynamic tunnel to your resource. After you add a dynamic tunnel, it appears in the Registered Dynamic Tunnels list. To edit the settings for a dynamic tunnel, or delete a dynamic tunnel, click the link in the Registered Dynamic Tunnels list.

Startup

On the Startup tab, you can configure the Startup Commands and specify the URL where your users are redirected for this resource.

Startup Command
    Type one or more startup commands to start specific clients for the tunnel resource.
Redirect URL
    Type the URL of the web site where you want to redirect your users when they connect to this resource.

Depending on the type of resource you created, there can be additional startup options. For example, RDP resources have options for remote desktop screen size, keyboard layout, and redirection of local client resources.

Access Rules

On the Access Rules tab, you can see the Global Access Rules that apply to your resource. You can also add individual Available Access Rules to protect your resource.

To add an access rule to your resource:
1. In the Available Access Rules list, select an access rule.
2. Click Add >. The selected access rule appears in the Selected Access Rules list.
3. To enable all users to connect to this resource, select the Make this resource available to all users check box.
4. Click Save.

For more information about access rules, see About Access Rules.

Advanced Settings

On the Advanced Settings tab, you can configure the settings for these additional options:
Local Lookups
Mapped Drives
Access Client Loader
Additional Client Configuration
Specific Settings
Provide IP Address
DNS Forwarding
WINS Forwarding
Client Firewall
Restrict User Editable Preferences

For more information about advanced settings, see Tunnel Resource Advanced Settings.

Web Resource Settings

On the Edit Web Resource page, select a tab to change settings for the resource. You can edit the general settings you configured for the resource, specify a static or dynamic tunnel for the resource, configure startup commands, edit the access rules applied to the resource, and configure advanced settings for local lookups, drives, and the Access Client.

After you have made changes to the resource settings on all the necessary tabs, click Save. If you do not save your changes before you go to another page (not another settings tab for the resource), all your changes are lost.

General Settings

Enable resource
    Select this check box to enable this web resource. To disable the resource, clear this check box.
Display Name
    In this text box, type a name for this resource. The display name you select appears in the resources list.
Description
    (Optional) In this text box, type a descriptive name to help you identify this resource.
Manually configure alternative hosts
    To manually add additional host IP addresses to your resource, or edit existing alternative hosts, select the Manually configure alternative hosts check box. The Add Alternative Host link appears and any Registered Alternative Hosts change to active links. You can then select the alternative hosts that appear and edit or delete them. You can also add more alternative hosts.
Add Alternative Hosts
    To add a new alternative host to the Registered Alternative Hosts list, click Add Alternative Host. On the Add Alternative Host page, in the Alternative Host text box, type the IP address for this alternative host. For example: 192.168.5.60 or 192.168.5.60:80.
Automatically Generate Alternative Hosts
    You can also choose to automatically create alternative hosts. To generate alternative hosts from the host and port information you set for this resource, click Automatically Generate Alternative Hosts. To add, edit, or delete these alternative hosts, you must select the Manually configure alternative hosts check box.
Make resource available in the Application Portal
    Select this check box to add the resource to the Application Portal. If you do not select this option, your users cannot get access to this resource from the Application Portal.
Icon
    Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
Link Text
    In this text box, type the name to appear with the icon in the Application Portal.

Manage Paths

On the Manage Paths tab, you can add, edit, or delete the paths available with this web resource.

To add a new path:
1. Click Add Web Resource Path. The Add Web Resource Path page appears.
2. Make sure the Enable resource check box is selected.
3. In the Path text box, type the path to this resource.
4. To use the same authorization settings as the parent resource, select the Use Parent Authorization check box. To manually configure the authorization settings, clear the Use Parent Authorization check box. The Access Rules and Advanced Settings tabs appear for this resource path.
5. Configure the Application Portal Settings for this resource. For more information, see the previous section.
6. Click Save. The path appears in the Path list and in the Web Resources list.
To edit a path:
1. In the Path list, click the path to edit. The Add Web Resource Path page appears.
2. Change the settings.
3. Click Save.

Access Rules

On the Access Rules tab, you can see the Global Access Rules that apply to your resource. You can also add individual Available Access Rules to protect your resource.

To add an access rule to your resource:
1. In the Available Access Rules list, select an access rule.
2. Click Add >. The selected access rule appears in the Selected Access Rules list.
3. To enable all users to connect to this resource, select the Make this resource available to all users check box.
4. Click Save.

For more information about access rules, see About Access Rules.

Advanced Settings

On the Advanced Settings tab, you can configure the Authorization Settings and Encryption Level settings for this resource.

Authorization Settings

Require exact path match
    Select this check box to apply the access rules for this Web Resource Host to only this path. To apply the access rules for this resource to this path and all paths that begin with this path, clear this check box.
Automatic access
    Select this check box to enable automatic access to the web resource path. When this automatic access is enabled, user session timeouts are not affected.
Cache MIME Types
    Type the MIME types that you want the client browser to cache. You must use the text/html format.
Require users to authenticate for each resource
    Select this option to require users to authenticate for each resource they select in the Application Portal.
Use Timeout
    Select this option to use timeout settings to set when users must authenticate again.
Max Inactivity Time
  Select this check box to set the maximum amount of time user connections can be inactive before their sessions are disconnected. Type the timeout in minutes.
Absolute Timeout
  Select this check box to disconnect user sessions after a specified amount of time, regardless of their activity. Type the timeout in minutes.

Encryption Level

Require SSL
  Select this check box to require your users to use SSL to connect to resources.
Encryption Level
  Select the level of encryption to use with SSL:
    Strong encryption level, 128 bits
    Weak encryption level, 56 bits
    Custom encryption level, specify bits

About Static Tunnel Settings

In the Add Tunnel Resource wizard, you can choose to include one or more static or dynamic tunnels. If your tunnel resource has local IP addresses on a single port, choose a static tunnel. You can use static tunnels for access with any operating system.

You can add, edit, or delete static tunnels. You can also add, edit, or delete static tunnels when you edit a Tunnel Resource. For more information, see About Resource Settings.

Static Tunnel Operation

When a user selects a tunnel resource in the Application Portal that is configured with a static tunnel, the Access Client software receives the traffic that your user's computer sends over the VPN, and then sends the traffic through the loopback interface of the user's computer. The Access Client then encrypts the data and sends it to the SSL device through the physical network interface of the user's computer.

The loopback interface is not a physical interface. It is a virtual network interface that the user's computer uses for internal communications, for diagnostics, and to send traffic to itself to be processed immediately. The most common IP address for the loopback interface is 127.0.0.1, although any address in the 127/8 network (from 127.0.0.1 to 127.255.255.254) maps to the loopback interface.
Static Tunnel Configuration

For a static tunnel, you configure the tunnel to use a specific loopback IP address and Client Port. This is the port that the client listens on. For each client, you can select only one port. If the port you select is not available, the next available port is used. We recommend that you specify the same port for both the client and the resource.

When you configure a static tunnel, you must define:
  The IP address of the resource. This is the IP address of the host (computer) accessible through this static tunnel.
  The TCP or UDP port on the tunnel resource host that accepts the traffic.
  The IP address for the loopback interface on the user's computer. This can be any address from 127.0.0.1 to 127.255.255.254.
  The TCP or UDP port that the user's computer connects to on its loopback IP address.

When a user selects a resource that uses a static tunnel:
1. The user's computer sends the traffic to its own loopback interface.
2. The Access Client software intercepts the traffic sent to the loopback address, encrypts it, and sends it to the SSL device.
3. The SSL device decrypts the traffic and sends it to the correct destination IP address and destination port, as defined in the static tunnel.

Add a Static Tunnel

From the Add Tunnel Resource wizard:
1. Click Add Static Tunnel. The Add Static Tunnel page appears.
2. In the Resource IP Address text box, type the IP address where this tunnel resource is located.
3. In the Resource Port text box, type the port to use to connect to this resource. We recommend that you select the same port for the Client Port setting.
4. In the Protocol section, select the type of protocol to use for this resource:
    TCP
    UDP
5. In the Loopback IP Address text box, type the IP address that the client listens on. The IP address must be in the range 127.x.x.x. The default setting is 127.0.0.1.
6. In the Client Port text box, type the port to use to connect to the client. We recommend that you specify the same port that you selected for the Resource Port.
7. To enable users to confirm that they have selected the correct tunnel resource before the connection is complete, select the Confirm connections check box. After users select this resource in the Application Portal, they see a Connection Alert and must accept or deny the connection.
8. (Optional) Configure the Advanced Settings for this tunnel.
9. Click Next. The Add Tunnel Resource page appears with the static tunnel in the Registered Static Tunnels list.

Edit a Static Tunnel

From the Add Tunnel Resource wizard:
1. In the Registered Static Tunnels list, click the Resource IP Address of the static tunnel to change. The Edit Static Tunnel page appears.
2. Update the settings for the static tunnel.
3. Click Next. The Add Tunnel Resource page appears with the updated static tunnel in the Registered Static Tunnels list.
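The static tunnel rules above (loopback address in 127.0.0.1 to 127.255.255.254, one Client Port per tunnel with next-available-port fallback, and the loopback-to-resource translation the SSL device performs in step 3) as an added Python example. This is illustration code written for this guide, not WatchGuard's Access Client or device software; the tunnel definitions in it are constructed samples.

```python
"""Checker for static tunnel definitions, modelled on the Add Static Tunnel page.

Added illustration, not WatchGuard code. All sample tunnel definitions are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Usable loopback range stated in the guide: 127.0.0.1 to 127.255.255.254.
LOOPBACK_FIRST = ipaddress.IPv4Address("127.0.0.1")
LOOPBACK_LAST = ipaddress.IPv4Address("127.255.255.254")

Listener = Tuple[str, str, int]      # (protocol, loopback IP, client port)
Destination = Tuple[str, int]        # (resource IP, resource port)


@dataclass(frozen=True)
class StaticTunnel:
    """The fields entered in the Add Static Tunnel page."""
    resource_ip: str
    resource_port: int
    protocol: str                      # "TCP" or "UDP"
    loopback_ip: str = "127.0.0.1"     # the page's default Loopback IP Address
    client_port: Optional[int] = None  # None means "same as Resource Port", as recommended


def validate_tunnel(t: StaticTunnel) -> List[str]:
    """Return the findings for one definition; an empty list means it is acceptable."""
    findings: List[str] = []
    try:
        ipaddress.IPv4Address(t.resource_ip)
    except ValueError:
        findings.append(f"resource IP {t.resource_ip!r} is not a valid IPv4 address")
    if t.protocol not in ("TCP", "UDP"):
        findings.append(f"protocol must be TCP or UDP, got {t.protocol!r}")
    for label, port in (("resource", t.resource_port), ("client", t.client_port)):
        if port is not None and not 1 <= port <= 65535:
            findings.append(f"{label} port {port} is outside 1-65535")
    try:
        loopback = ipaddress.IPv4Address(t.loopback_ip)
        # 127.0.0.0 and 127.255.255.255 are in 127/8 but outside the documented range.
        if not LOOPBACK_FIRST <= loopback <= LOOPBACK_LAST:
            findings.append(
                f"loopback address {t.loopback_ip} is outside 127.0.0.1-127.255.255.254")
    except ValueError:
        findings.append(f"loopback address {t.loopback_ip!r} is not a valid IPv4 address")
    if t.client_port is not None and t.client_port != t.resource_port:
        findings.append(
            f"recommendation: client port {t.client_port} differs from resource port "
            f"{t.resource_port}; the guide recommends using the same port")
    return findings


def allocate_listeners(tunnels: List[StaticTunnel]) -> Dict[Listener, Destination]:
    """Assign each tunnel the loopback listener the client will use.

    Follows the documented fallback: if the requested Client Port is already in
    use on that loopback address for the same protocol, the next available port
    is used. The result maps each listener to the real resource endpoint.
    """
    table: Dict[Listener, Destination] = {}
    for t in tunnels:
        port = t.client_port if t.client_port is not None else t.resource_port
        while (t.protocol, t.loopback_ip, port) in table:
            port += 1
            if port > 65535:
                raise ValueError(f"no free {t.protocol} port left on {t.loopback_ip}")
        table[(t.protocol, t.loopback_ip, port)] = (t.resource_ip, t.resource_port)
    return table


def resolve(table: Dict[Listener, Destination], protocol: str,
            loopback_ip: str, port: int) -> Optional[Destination]:
    """Step 3 of the static tunnel flow: translate a loopback destination into
    the resource IP address and port defined for that tunnel (None if no tunnel)."""
    return table.get((protocol, loopback_ip, port))


if __name__ == "__main__":
    # Constructed sample: two TCP resources that both ask for client port 3389,
    # one UDP resource on a second loopback address, and one bad definition.
    tunnels = [
        StaticTunnel("10.1.1.5", 3389, "TCP"),
        StaticTunnel("10.1.1.6", 3389, "TCP"),
        StaticTunnel("10.1.1.7", 53, "UDP", loopback_ip="127.0.0.2"),
    ]
    bad = StaticTunnel("10.1.1.8", 22, "TCP", loopback_ip="127.255.255.255")
    for t in tunnels + [bad]:
        print(t.resource_ip, validate_tunnel(t) or "ok")
    table = allocate_listeners(tunnels)
    for listener, dest in table.items():
        print(f"{listener[0]} {listener[1]}:{listener[2]} -> {dest[0]}:{dest[1]}")
    # The second TCP tunnel falls back to client port 3390.
    assert resolve(table, "TCP", "127.0.0.1", 3390) == ("10.1.1.6", 3389)
```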
Delete a Static Tunnel

From the Add Tunnel Resource wizard:
1. In the Registered Static Tunnels list, click the Resource IP Address of the static tunnel to delete. The Edit Static Tunnel page appears.
2. Click Delete. A confirmation message page appears.
3. Click Yes. The Add Resource page appears. The static tunnel is removed from the Registered Static Tunnels list.

About Dynamic Tunnel Settings

In the Add Tunnel Resource wizard, you can choose to include one or more static or dynamic tunnels. If your tunnel resource has local IP addresses on more than one port, choose a dynamic tunnel.

You can add, edit, or delete dynamic tunnels. You can also add, edit, or delete dynamic tunnels when you edit a Tunnel Resource. For more information, see About Resource Settings.

Dynamic Tunnel Operation

When a user selects a tunnel resource in the Application Portal that is configured with a dynamic tunnel, the Access Client software receives the traffic that your user's computer sends over the VPN, and then sends the traffic through the loopback interface of the user's computer. The Access Client then encrypts the data and sends it to the SSL device through the physical network interface of the user's computer.

The loopback interface is not a physical interface. It is a virtual network interface that the user's computer uses for internal communications, for diagnostics, and to send traffic to itself to be processed immediately. The most common IP address for the loopback interface is 127.0.0.1, although any address in the 127/8 network (from 127.0.0.1 to 127.255.255.254) maps to the loopback interface.

Dynamic Tunnel Configuration

For a dynamic tunnel, when a user selects a Tunnel Resource in the Application Portal, the user's computer sends the traffic directly to the IP address of the selected Tunnel Resource.
The Access Client can make many connections through a dynamic tunnel because the network driver it installs can dynamically translate many traffic flows at one time.

When a user selects a resource that uses a dynamic tunnel:
  The Windows network driver installed by the Access Client intercepts the traffic.
  The Access Client dynamically translates the traffic to the loopback interface on the user's computer, and dynamically selects a source port for the traffic.
  The Access Client encrypts the traffic and sends it to the SSL device.
  The SSL device decrypts the traffic and sends it to the correct destination IP address and destination port.
When you use one of the pre-defined Tunnel Resource templates to create a resource, the Add Tunnel Resource Wizard automatically uses the required tunnel type. If you select the default Tunnel Resource template, you must manually select and configure a dynamic tunnel for the resource to use.

Add a Dynamic Tunnel

From the Add Tunnel Resource wizard:
1. Click Add Dynamic Tunnel. The Add Dynamic Tunnel page appears.
2. From the Tunnel Mode drop-down list, select Network Range or Single Host.
3. If you select Network Range, in the IP Range text box, type the IP address range where this resource is located. If you select Single Host, in the IP Address text box, type the single IP address where this resource is located.
4. In the TCP Port Set text box, type the TCP port range to use to connect to this resource.
5. In the UDP Port Set text box, type the UDP port range to use to connect to this resource.
6. To enable users to confirm they have selected the correct tunnel resource before the connection is complete, select the Confirm connections check box. After users select this resource in the Application Portal, they see a Connection Alert and must accept or deny the connection.
7. (Optional) Configure the Advanced Settings for this tunnel.
8. Click Next. The Add Tunnel Resource page appears with the dynamic tunnel in the Registered Dynamic Tunnels list.

Edit a Dynamic Tunnel

From the Add Tunnel Resource wizard:
1. In the Registered Dynamic Tunnels list, click the Resource IP Address of the dynamic tunnel to change. The Edit Dynamic Tunnel page appears.
2. Update the settings for the dynamic tunnel.
3. Click Next. The Add Tunnel Resource page appears with the updated dynamic tunnel in the Registered Dynamic Tunnels list.

Delete a Dynamic Tunnel

From the Add Tunnel Resource wizard:
1. In the Registered Dynamic Tunnels list, click the Resource IP Address of the dynamic tunnel to delete. The Edit Dynamic Tunnel page appears.
2. Click Delete. A confirmation message page appears.
3. Click Yes. The Add Resource page appears. The dynamic tunnel is removed from the Registered Dynamic Tunnels list.

Tunnel Resource Advanced Settings

You can configure the settings for local lookups, mapped drives, clients, DNS and WINS forwarding, and Internet firewall configurations.
Local Lookups

You can add local lookups to define the host addresses to resolve on the client if no external DNS record is found. Local lookups and DNS forwarding require the user to always have administrator rights on the client. If your users install the Access Client rather than use the on-demand Access Client, they do not have to have administrator rights.

To specify lookups, you add a fully qualified domain name, or a domain name with the * wildcard character, and an IP address. If the tunnel is dynamic, use the virtual IP address for the dynamic tunnel. If the tunnel is static, use 127.0.0.1.

Domain Name
  A fully qualified domain name. You can also use the * wildcard character with a partial domain name. For example, mailserver.*.
IP Address
  The IP address to which the domain name is translated.

Mapped Drives

You can add mapped drives to map your network resources (printers or drives) to drive letters on your network. When you add a mapped drive, you specify the path to a mapped network resource. You can also specify a drive letter for the drive or printer to which the resource host is mapped. If the drive letter you select is already in use, the next available drive letter is used. You can specify a drive letter here and combine it with a Startup Command that you defined. You can also use cached credentials.

Supported path variables include:
  [$ehost]  The WatchGuard SSL device server name and port number.
  [$eprot]  The HTTP or HTTPS protocol.
  [$uid]    The external user name.
  [$iuid]   The internal user name, usually [$uid].

To add a Mapped Drive, configure these General Settings:

Network Resource
  The path to the mapped network resource. For example, \\192.168.12.55\[$uid].
Drive Letter
  The drive letter to which the resource host is mapped. For example, M:. This can be a drive or a printer.
Use cached credentials
  Select this option to automatically use cached credentials (Windows domain credentials) to map a drive. This option is selected by default.

Access Client Loader

Specify the client loader method you want to use for the Access Client. Loader options include:

ActiveX / Java Applet
  The system tries the ActiveX loader first. If it does not work, the Java Applet is used.
ActiveX
  The system only uses the ActiveX loader.
Java Applet
  The system only uses the Java Applet loader.

If you select any of the Java Applet options, you can also use Java rather than the Java Applet.

Run VPN client in Java
  Select this check box to use Java, not the Java Applet.

Additional Client Configuration

You can configure your clients to use shutdown commands to automate some commands from the client, for example, to close a mapped drive or shut down a Tunnel Resource for a user. You can configure these options:

Shutdown Command
  Define the commands you want to run automatically when this tunnel is shut down. You can define more than one command for each Tunnel Resource. Some commands require users to confirm or deny the action before the command runs. These default trusted commands run automatically:
    outlook
    explorer
    explorer /e
    explorer /e, A: to Z:
  Supported command variables include:
    [$ehost]  The WatchGuard SSL device server name and the port number
    [$eprot]  HTTP or HTTPS
    [$uid]    External user name
    [$iuid]   Internal user name, usually [$uid]
Error Codes to Suppress
  You can configure a list of specific error codes to suppress pop-up messages. Type the error codes as a comma-separated list of 7-digit error codes.
Fallback Tunnel Set
  Select the fallback tunnel set to use if the client computer is not able to load the ActiveX component or the Windows native client (with dynamic tunnels).

Specific Settings

If you include Microsoft Outlook in the applications for this tunnel resource, we recommend that you enable support for the MS Outlook patch. This patch solves a problem with Windows 2000 client authentication.

Support MS Outlook patch for Windows 2000
  Select this check box to enable support for the MS Outlook patch. The patch is supported when the client is on a Windows 2000 platform and is part of a domain.

Provide IP Address

You can choose to specify a unique IP address for the client from the IP address pool. When you enable this option, if you add IP addresses from the IP address pool to a tunnel resource, the clients that use those IP addresses can connect to each other when they are connected to the network.

Provide the client with an IP address from the IP address pool or an external DHCP server
  Select this check box to use an IP address from the IP address pool or an external DHCP server for the client.

DNS Forwarding

Enable DNS Forwarding
  Select this check box to temporarily redirect the DNS server for the client to the DNS server you specify in the global tunnel resource settings. This option is only available if you specified a DNS server for the client.

WINS Forwarding

Enable WINS Forwarding
  Select this check box to temporarily redirect the WINS server for the client to the WINS server you specify in the global tunnel resource settings. This option is only available if you specified a WINS server for the client.
Client Firewall

Internet Firewall Configuration
  Select an available firewall configuration to use for this tunnel resource. To select a configuration, you must first Add an Internet Firewall Configuration.

Restrict User Editable Preferences

Restrict User Editable Preferences
  Select this check box to disable the Preferences and Favorites options in the Access Client menu.

Configure Full Network Access

Most of the resources you define give users remote access to specific applications. However, you can enable Full Network Access so that users can get access to a set of network resources at the IP level, similar to traditional IP VPN solutions. Full Network Access enables network-based access, which means that your users can connect to all network resources and applications through passive FTP, RDP, or a web browser. You can enable network access to the whole network on a specified port set.

Create a Full Tunnel Resource

You can add a Full Tunnel resource and enable access to it with any of your configured authentication methods.
1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list. The available tunnel resources appear.
4. Select Full Tunnel. A description of the resource appears in the right pane.
5. Click Next. The Add Resource Full Tunnel page appears.
6. In the Display Name text box, type a name for this resource. The display name you select appears in the Resources list.
7. (Optional) In the Description text box, type a description to help you identify this resource.
8. Make sure the Enable resource check box is selected.
9. From the Tunnel Mode drop-down list, select whether to use a single IP address or a range of IP addresses for this resource:
    To use a single IP address, select Single Host.
    To use a range of IP addresses, select Network Range. This is the default setting.
10. If you selected Single Host, in the IP Address text box, type the IP address for this resource. If you selected Network Range, in the IP Range text box, type the range of IP addresses for this resource. For example, to allow access to all IP addresses on the 192.168.54.0/24 network, type 192.168.54.0-192.168.54.255.
11. In the TCP Port Set text box, type a list or range of TCP ports. For example, to allow access to all ports, type 1-65535.
12. In the UDP Port Set text box, type a range of UDP ports. For example, to allow access to all UDP ports, type 1-65535.
13. Make sure the Make resource available in Application Portal check box is selected.
14. Select the Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
15. In the Link Text text box, type the name to appear with the icon in the Application Portal.
16. Click Next. The Manage Access Rules page appears.
17. Select the access rules for this resource. For more information about access rules, see About Access Rules.
18. Click Next. The Add Resource Full Tunnel Summary page appears.
19. Review the settings for the resource.
20. Click Finish Wizard. The Full Tunnel resource appears in the Tunnel Resources list, and in the Registered Application Portal Items list.
21. Click Publish to update your configuration with this change. The resource is now available in the Application Portal.

Use a Full Tunnel access resource to connect to network resources

1. Connect to the Application Portal.
2. Select an authentication method. The Authentication page for the selected authentication method appears.
3. Type your credentials for the authentication method you selected. The Application Portal appears with an icon for the Full Tunnel resource.
4. Click the icon for the Full Tunnel resource. Access to the network resources is enabled.
5. Browse to an internal web site in the IP address range you specified for the Full Tunnel resource. The protected web site appears in the browser.
6. Use Microsoft Remote Desktop Connection (RDP) to log in to an IP address in the protected range. The Access Client starts. The RDP session is successful.

Add an Outlook Web Access Resource

You can add a Microsoft Outlook Web Access resource to the Application Portal to give your users access to their web mail.
Add an Outlook Web Access Resource and Authentication Method

You can add an Outlook Web Access resource to your network and enable access to it with any of the authentication methods you configured.
1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Web Resources list.
4. Select Microsoft Outlook Web Access 2003 or Microsoft Outlook Web Access 2007. The Microsoft Outlook Web Access resource you selected is highlighted.
5. Click Next. The Add Resource Microsoft Outlook Web Access page appears.
6. In the Display Name text box, type a name for this resource. The display name you select appears in the Resources list.
7. (Optional) In the Description text box, type a description to help you identify this resource.
8. In the Host text box, type the valid DNS name or IP address of the email server for this resource.
9. Make sure the Make resource available in Application Portal check box is selected.
10. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
11. In the Link Text text box, type the name to appear with the icon in the Application Portal.
12. Click Next. The Manage Access Rules page appears.
13. Select the default access rule Any Authentication.
14. Click Next. The Add Resource Microsoft Outlook Web Access 2007 Summary page appears.
15. Review the settings for the resource.
16. Click Finish Wizard. The resource appears in the Web Resources list.
17. Click Publish to update your configuration with this change. The resource is now available in the Application Portal.
Use the Outlook Web Access resource

1. Connect to the Application Portal.
2. Select an authentication method. The authentication page for the selected authentication method appears.
3. Type your credentials for the authentication method you selected. The Application Portal appears with an icon for the Outlook Web Access resource.
4. Click the icon for the Outlook Web Access resource. The Microsoft Outlook Web Access page appears.

Configure a Bi-directional Tunnel Resource

Most web and tunnel resources you add to your Application Portal enable SSL VPN users to get access to a protected network resource. You can also configure a bi-directional tunnel, which enables computers on both sides of the SSL device to get access to computers on the other side. For example, SSL administrators could use a bi-directional tunnel to provide technical support to their SSL VPN users.

To configure a bi-directional tunnel, you must:
  Create a range of IP addresses to assign to clients, or select a DHCP server to assign the IP addresses.
  Define an IP address pool that includes the range of IP addresses, or specify the DHCP server.
  Select to provide an IP address for all tunnel resources.

Configure Global Tunnel Resource Settings

1. Select Resource Access. The Resources page appears.
2. Click Manage Global Tunnel Resource Settings. The Manage Global Tunnel Resource Settings page appears.
3. To use a DHCP server, from the Provide IP Address drop-down list, select Use DHCP Server. In the DHCP Server text box, type the IP address of the server. To use a range of IP addresses, from the Provide IP Address drop-down list, select Use IP Address Pool. In the IP Address Pool text boxes, type the range of IP addresses.
4. Click Save. The Resources page appears.

Add a Tunnel Resource

1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list.
4. Select Full Tunnel.
5. Click Next. The Add Resource Full Tunnel page appears.
6. In the Display Name text box, type a name for this resource. The display name you select appears in the Resources list.
7. (Optional) In the Description text box, type a description to help you identify this resource.
8. Make sure the Enable resource check box is selected.
9. From the Tunnel Mode drop-down list, select the option that corresponds to the option you selected in the Global Tunnel Resource Settings:
    To use a single IP address, select Single Host.
    To use a range of IP addresses, select Network Range. This is the default setting.
10. If you selected Single Host, in the IP Address text box, type the IP address you configured for the DHCP server in the Global Tunnel Resource Settings. If you selected Network Range, in the IP Range text box, type the range of IP addresses you configured in the Global Tunnel Resource Settings.
11. In the TCP Port Set text box, type a list or range of TCP ports. For example, to allow access to all ports, type 1-65535.
12. In the UDP Port Set text box, type a range of UDP ports. For example, to allow access to all UDP ports, type 1-65535.
13. Make sure the Make resource available in Application Portal check box is selected.
14. Select the Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
15. In the Link Text text box, type the name to appear with the icon in the Application Portal.
16. Click Next. The Manage Access Rules page appears.
17. Select the access rules for this resource. For more information about access rules, see About Access Rules.
18. Click Next. The Add Resource Full Tunnel Summary page appears.
19. Review the settings for the resource.
20. Click Finish Wizard. The Full Tunnel resource appears in the Tunnel Resources list, and in the Registered Application Portal Items list.
21. Click Publish to update your configuration with this change. The resource is now available in the Application Portal.

You can also add startup commands and a redirect URL to your resource. For more information, see About Resource Settings.

Test the connection

1. Connect to the Application Portal.
2. Click the icon for the resource you created. The Access Client loader appears and loads the Access Client.
3. If you get a certificate warning, accept the certificate.
4. If another authentication window appears, type your credentials and authenticate. The resource you selected is now accessible.

Configure the connection in the Access Client

The Access Client refers to the WatchGuard SSL device as an Access Point.
1. In the Access Client Connection Alert dialog box, select the Always trust connections from this Access Point check box.
2. Click Accept. The WatchGuard SSL device is added to the Trusted Access Points list, and connection alerts do not appear after that for computers behind that device.
To confirm the device was added to the Trusted Access Points list:
1. Click and select Preferences. The Access Client Preferences dialog box appears.
2. Select the Trusted Access Points tab.
3. Review the list of trusted WatchGuard SSL devices.

Add a Windows File Share Resource

When you add a resource to your WatchGuard SSL Application Portal, your users can get access to any available applications with one click. You can add a Microsoft Windows File Share Resource and configure the WatchGuard SSL device to map the file share to a drive letter.

Note
  For users with Windows Vista and later, you can only get access to mapped drive letters through the command prompt. You must have administrative privileges to get access to mapped drive letters.

Before you begin, make sure you have at least one shared folder. To create a shared folder, select a folder and edit the Windows folder Sharing Properties to share it.

Add a File Share resource and authentication method

You can add a Microsoft Windows File Share resource to your network and enable access to it with any of the authentication methods you configured.
1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list.
4. Select Microsoft Windows File Share.
5. Click Next. The Add Resource Microsoft Windows File Share page appears.
6. In the Display Name text box, type a name for this resource. The display name you select appears in the Resources list.
7. (Optional) In the Description text box, type a description to help you identify this resource.
8. Make sure the Enable resource check box is selected.
9. In the IP Address text box, type the IP address of the server where the share is located.
10. In the Share text box, type the name of the shared folder.
11. (Optional) From the Drive letter drop-down list, select a letter to map to this share. For example, W:. The drive letter is optional for a file share resource.
12. Make sure the Make resource available in Application Portal check box is selected.
13. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
14. In the Link Text text box, type the name to appear with the icon in the Application Portal.
15. Click Next. The Add Access Rules page appears.
16. Select the access rules for this resource. For more information about access rules, see About Access Rules.
17. Click Next. The Add Resource Microsoft Windows File Share Summary page appears.
18. Review the settings for the resource.
19. Click Finish Wizard. The resource appears in the Tunnel Resources list, and in the Registered Application Portal Items list.
20. Click Publish to update your configuration with this change. The resource is now available in the Application Portal.

Log on to the Application Portal to use the file share

1. Connect to the Application Portal.
2. Select an authentication method. The authentication page for the selected authentication method appears.
3. Type your credentials for the authentication method you selected.
The Application Portal appears with an icon for the file share resource.
4. Click the icon for the file share resource. The drive letter is now mapped to the shared resource.
Add a Tunnel Resource for RDP Access

To enable your users to get remote access to a specific computer on your network, you can add a resource for RDP access. When this resource is added, the tunnel resources are automatically created. You can use the RDP Access resource with a dynamic or static tunnel. You can also specify optional commands to run when the RDP session launches, and select the keyboard language setting [the default setting is English (United Kingdom)].

Because the RDP Access resource is a Java Applet resource, you must have Java Runtime Environment (JRE) 1.6 on your client computers. You receive an installation error if you do not have JRE 1.6 when you try to add the RDP Access resource.

When you log in to the Application Portal and select an RDP Access resource, the native RDP application for your client computer is automatically launched. If you use Internet Explorer to connect to the Application Portal, and receive an Access Client Command warning when you connect to the RDP resource, you can safely accept this command. To make sure you do not receive this message again, select the Always trust this command check box.

To add an RDP Access resource:
1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list.
4. Select RDP Access. Information about the RDP Access resource appears in the right pane.
5. Click Next. The Add Resource RDP Access page appears.
6. In the Display Name text box, type a name for this resource. The display name you select appears in the Resources list.
7. (Optional) In the Description text box, type a description to help you identify this resource.
8. Make sure the Enable resource check box is selected.
9. In the IP Address text box, type the IP address of the computer for this RDP Access resource.
10. In the TCP Port text box, type the TCP port you want this resource to use. The default port number is 3389.
11. From the Tunnel Type drop-down list, select Windows Platform or All Platforms.
12. From the Connect Remote Desktop drop-down list, select the application to use for the RDP session:
About Resource Access Use native remote desktop application when available Use JavaRDP to connect to remote desktop 13. To enable the RDP session to open at full screen, select the Start in Full Screen Mode check box. 14. In the Screen Size (width x height) text box, type the maximum screen resolution for the RDP session. 15. In the Window Title text box, type a name for the RDP session. 16. To enable the resource in the Application Portal, make sure the Make resource available in Application Portal check box is selected. 17. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library 19. In the Link Text text box, type the name to appear with the icon in the Application Portal. 20. Click Next. The Manage Access Rules page appears. 21. Select the access rules for this resource. For more information about access rules, see About Access Rules. 22. Click Next. The Add Resource RDP Access Summary page appears. 23. Review the settings for the resource. 24. Click Finish Wizard. The RDP Access resource appears in the Tunnel Resources list. Windows Remote Desktop Application Settings Add a Tunnel Resource for SSH Access To enable secure shell (SSH) command line access to a specific computer on your network, you can add a resource for SSH access. SSH creates an encrypted session from your computer to another computer so you can safely and securely log in to a remote computer to execute commands. When you log in to the Application Portal and select an SSH Access resource, the native SSH application for your client computer is automatically launched. To add an SSH Access Resource: 1. Select Resource Access. The Resources page appears. User Guide 153
2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list.
4. Select SSH Access. Information about the SSH Access resource appears in the right pane.
5. Click Next. The Add Resource SSH Access page appears.
6. In the Display Name text box, type a name for this resource. The display name you select appears in the Resources list.
7. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
8. Make sure the Enable resource check box is selected.
9. In the IP Address text box, type the IP address of the computer for this SSH Access resource.
10. In the TCP Port text box, type the TCP port to use for this resource. The default port number is 22.
11. From the Tunnel Type drop-down list, select Windows Platform or All Platforms.
12. In the Application Portal Settings section, select the Make resource available in Application Portal check box.
13. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
14. In the Link Text text box, type the name to appear with the icon in the Application Portal.
15. Click Next. The Manage Access Rules page appears.
16. Select the access rules for this resource. For more information about access rules, see About Access Rules.
17. Click Next. The Add Resource SSH Access Summary page appears.
18. Review the settings for the resource.
19. Click Finish Wizard. The SSH Access resource appears in the Tunnel Resources list.

Add a Tunnel Resource for Access to Home Directory

To map your user home directories as a local drive that your users can get access to from the Application Portal, you can create an Access to Home Directory tunnel resource. Before you add this resource to the Application Portal, you must first create a shared location for user home directories on your network, and configure Active Directory to either use the correct home directory or assign a home directory to a user. You can then create the Access to Home Directory tunnel resource that your users select to connect to the appropriate home directory.

Before You Begin

Before you create a Home Directory tunnel resource, you must first set up the home directories on your network, and configure Active Directory to assign the home directories to each user. For more information, see these Microsoft knowledge base articles:
   http://support.microsoft.com/kb/555046/en-us
   http://support.microsoft.com/kb/816313/en-us
After you set up the home directories in Active Directory, you can create an Access to Home Directory tunnel resource in WatchGuard SSL Web UI.

Create a Home Directory Tunnel Resource
1. Select Resource Access > Resources. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list.
4. Select Access to Home Directory.
5. Click Next. The Add Resource Access to Home Directory page appears.
6. In the Display Name text box, type a name for this resource. For example, type Home Directory Access. The display name you select appears in the Tunnel Resources list.
7. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
8. Make sure the Enable resource check box is selected.
9. In the IP Address text box, type the IP address of the server where the home directory is located.
10. Make sure the Make resource available in Application Portal check box is selected.
11. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
12. In the Link Text text box, type the name to appear with the icon in the Application Portal.
13. Click Next. The Add Access Rules page appears.
14. Select the access rules for this resource. For more information about access rules, see About Access Rules.
15. Click Next. The Add Resource Access to Home Directory page appears.
16. Review the settings for the resource.
17. Click Finish Wizard. The resource appears in the Tunnel Resources list, and in the Registered Application Portal Items list.
18. Click Publish to update your configuration with this change. The resource is now available in the Application Portal.

When you create the Access to Home Directory resource, the default settings for the startup command (the location of the home directory) and the mapped drive (drive H) are automatically selected for the resource. To use different startup commands or to map the resource to a different drive, you must edit the Access to Home Directory resource.

Edit the Startup Command and Specify the Mapped Drive

After you have created the Access to Home Directory tunnel resource, you can add startup commands and specify the mapped drive that the resource connects to on your network. When you specify the startup command for the resource, make sure you include the correct symbols. If your \User\user_name folder does not include the symbol $ at the end of the folder name, you do not have to include it when you type the path to the user home directory. If your \User\user_name folder does include the symbol $ at the end of the folder name, make sure you include the symbol when you type the startup command.

1. Select Resource Access > Resources. The Resources page appears.
2. In the Tunnel Resources list, select the Access to Home Directory resource you created (for example, Home Directory Access). The Edit Tunnel Resource "Home Directory Access" page appears.
3. Select the Startup tab.
4. In the Startup Command text box, type the path to the location of the user home directories. For example, if the user home directories are on a server at the IP address 10.0.1.7 in the \Users folder, and the symbol $ is not at the end of the folder name, type \\10.0.1.7\Users\[$uid]. If the symbol $ is at the end of the folder name, type \\10.0.1.7\Users\[$uid]$.
5. Keep the Redirect URL text box clear.
6. Select the Advanced Settings tab.
7. From the Registered Mapped Drives list, select the Network Resource to update. The Edit Mapped Drive page appears.
8. (Optional) To change the location of the network resource, in the Network resource text box, type the path to the location of the user home directories. For example, if the user home directories are on a server at the IP address 10.0.1.7 in the \Users folder, and the symbol $ is not at the end of the folder name, type \\10.0.1.7\Users\[$uid]. If the symbol $ is at the end of the folder name, type \\10.0.1.7\Users\[$uid]$.
9. From the Drive Letter drop-down list, select the drive letter to use for the home directory.
10. Click Update. The Edit Tunnel Resource "Home Directory Access" page appears, with the updated information for the mapped drive.
11. Click Save. The Resources page appears.
12. Click Publish to update your configuration with this change.

Add a Terminal Server Resource

You can add a Terminal Server resource to the Application Portal to give your users access to specific applications. Before you begin, make sure that Microsoft Terminal Services is active on the computer that you want your users to connect to. If you use Windows Vista, consult the Windows help system for instructions to enable Terminal Services.

For Windows XP or Windows Server 2003:
1. Select Control Panel > Administrative Tools > Services.
2. Verify that the status for Terminal Services is Started.

Add the Terminal Server shared resource and authentication method

You can add a Microsoft Terminal Server 2003 or 2008 resource to your network and enable access to it with any of the authentication methods you configured.
1. Select Resource Access > Add Resource. The Add Resource page appears.
2. Expand the Tunnel Resources list.
3. Select Microsoft Terminal Server 2003 or Microsoft Terminal Server 2008. The Microsoft Terminal Server resource you selected is highlighted.
4. Click Next. The Add Resource Microsoft Terminal Server page appears.
5. In the Display Name text box, type a name for this resource. The display name you select appears in the Resources list.
6. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
7. Make sure the Enable resource check box is selected.
8. In the IP Address text box, type the IP address of the server.
9. In the TCP Port text box, type the port to use to connect to this resource.
10. From the Tunnel Type drop-down list, select Windows Platform or All Platforms.
11. Make sure the Make resource available in Application Portal check box is selected.
12. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
13. In the Link Text text box, type the name to appear with the icon in the Application Portal.
14. Click Next. The Manage Access Rules page appears.
15. Select the access rules for this resource. For more information about access rules, see About Access Rules.
16. Click Next. The Add Resource Summary page appears.
17. Review the settings for the resource.
18. Click Finish Wizard. The resource appears in the Tunnel Resources list, and in the Registered Application Portal Items list.
19. Click Publish to update your configuration with this change. The resource is now available in the Application Portal.

Use the Terminal Server resource
1. Connect to the Application Portal.
2. Select an authentication method. The authentication page for the selected authentication method appears.
3. Type your credentials for the authentication method you selected. The Application Portal appears with an icon for the terminal server resource.
4. Click the icon for the terminal server resource. The terminal server starts and prompts the user to log in to the IP address you specified for this resource.

Manage Global Tunnel Resource Settings

You can configure connection settings for the WatchGuard SSL Access Client that apply to all your tunnel resources. Settings include the Client IP address provider, DNS server, and WINS server information.
1. Select Resource Access. The Resources page appears.
2. Click Manage Global Tunnel Resource Settings. The Manage Global Tunnel Resource Settings page appears.
3. Configure the settings for your tunnel resources.

   Provide IP Address
   You can choose to use an existing external DHCP server to assign IP addresses to Access Clients from the network, or to use IP addresses from the IP Address Pool for the Access Clients. Select an option:
      - Use DHCP Server
      - Use IP Address Pool
   To disable this feature, select None. If you configure resources with the Provide an IP Address option, you must specify a DHCP server or an IP address pool.

   DNS Server
   Specify the IP address or DNS name of the DNS server used for DNS forwarding. When you enable DNS forwarding for a tunnel resource, the client's DNS server is temporarily redirected to the DNS Server you specify. Local lookups take precedence, and can override any external DNS. The Require Authentication for DNS Forwarder check box is selected by default. We recommend that you do not change the default setting unless you add tunnel resources that you make available to all users in your Application Portal. For more information about how to make a tunnel resource available to all users, see the Advanced Settings section of the topic About Resource Settings on page 122.

   WINS Server
   Specify the IP address or name of the WINS server used for WINS forwarding. When you enable WINS forwarding for a tunnel resource, the client's WINS server is temporarily redirected to the WINS server you specify. Local lookups take precedence, and can override any external WINS. The Require Authentication for WINS Forwarder check box is selected by default. We recommend that you do not change the default setting unless you add tunnel resources that you make available to all users in your Application Portal. For more information about how to make a tunnel resource available to all users, see the Advanced Settings section of the topic About Resource Settings on page 122.

4. Click Save.
5. Click Publish to update your configuration with this change.

Manage Global Resource Settings

Global resource settings apply to all available resources. Global settings are grouped in these categories:
- Internal proxy
- DNS name and DNS name pool
- Filters
- Link translation
- Client access
- Trusted gateways
- Cookies and cache control

Configure settings for global resources
1. Select Resource Access. The Resources page appears.
2. Click Manage Global Resource Settings. The Manage Global Resource Settings page appears.
3. Select a tab to configure the settings for that category. For more information about the available settings, see the topic for each category.
   - General Settings
   - DNS Name Pool
   - Filters
   - Link Translation
   - Client Access
   - Trusted Gateways
   - Advanced Cookies and Cache Control
4. Click Save.

Note: Make sure you save your changes before you leave a page. If you do not save your changes before you leave a page, all your changes are lost.

General Settings

You can specify addresses for internal proxies on the General Settings tab. The addresses are used when a resource is accessed through a cache or an ordinary proxy server. You can select to use NTLM v2 for HTTP and HTTPS proxies. If you have authentication problems, disable NTLM v2. You can configure settings for these internal proxies:
- HTTP
- HTTPS
- TCP
The TCP proxy is used for the WatchGuard SSL Access Client. To specify which addresses are used for resources reached through a cache or ordinary proxy server, you can configure Internal Host Access.

To configure proxy settings:
1. Select the General Settings tab.
2. For each proxy:
   - In the Host text box, type the IP address or host name of the proxy server.
   - In the Port text box, type the port number to use to connect to the proxy server.
   - To use NTLM v2 for the connection, select the Use NTLM v2 check box.
3. To validate the certificate from the proxy server before the connection to the resource is allowed, select the Validate server certificate check box.
4. If you select to validate the certificate, select the correct certificate from the CA Certificate drop-down list.
5. Click Save.

DNS Name Pool

To improve link translation and to use multiple DNS domains, you can configure the DNS name pool. Multiple DNS domains allow several customers to be hosted on the same WatchGuard SSL device to serve multiple logon page designs, as well as on the Application Portal. The registered DNS names define the pool of available DNS names. To use multiple DNS domains, you define several DNS names for the device.

Note: All DNS names must also be registered with a public DNS server, or written to the hosts file on the client computer that uses the system.

When a user makes a request with a registered mapped DNS name, the device looks up which server to connect to and which protocol to use, and sends the request to that server. WatchGuard SSL has three methods of DNS mapping:
- URL mapping: The resource is mapped to a path instead of a mapped DNS name.
- Reserved DNS mapping: The resource is mapped to a specific DNS name.
- Pooled DNS mapping: The resource is assigned a DNS name on the first device request to an internal server.
When you add or edit a resource, you can specify which method of DNS mapping you want to use.

A DNS name for the SSL device is defined by a host name with three segments (such as my.example.com) and a relative file path to the content of the wwwroot that appears when you use the corresponding DNS name. For example, if the host name is my.example.com, the wwwroot is wwwroot/my.example. We recommend that you define the host name as a DNS name, but you can also use an IP address. The default DNS Name and WWW ROOT for each device are (default) and wwwroot. You cannot edit or delete the default DNS name.

DNS Name Pool entries must end with the same string as an entry in the Registered DNS Names for Device list. For example, if the DNS Name for a device is my.example.com, the DNS Name Pool entry is www.my.example.com.
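The following Python model is an added illustration and is not WatchGuard code: it applies the DNS Name Pool rules above (three-segment device names, the www.<segment 1>.<segment 2>.<extension> pool format, pool entries ending in a registered device name) and the three mapping methods, with URL mapping implemented as the link translation described later under Link Translation (https://<device>/http://host/path). The device name, hosts and session ids are constructed sample values, and the wwwroot derivation and per-session reuse of pooled names are assumptions of the model.

```python
import re
from dataclasses import dataclass, field

# Constructed sample value (not from any real deployment): the DNS name that
# points at the WatchGuard SSL device itself.
DEVICE = "sslvpn.example.com"


@dataclass
class DnsNamePool:
    """Model of the Registered DNS Names for Device list and the DNS Name Pool."""
    device_names: dict = field(default_factory=lambda: {"(default)": "wwwroot"})
    pool: list = field(default_factory=list)
    reserved: dict = field(default_factory=dict)   # pool name -> web resource host
    leased: dict = field(default_factory=dict)     # (session, host) -> pool name

    def add_device_name(self, name: str) -> str:
        # A device DNS name has three segments. The guide's example derives the
        # wwwroot from the name without its last segment (my.example.com ->
        # wwwroot/my.example); that derivation is an assumption of this model.
        segments = name.split(".")
        if len(segments) != 3 or not all(segments):
            raise ValueError(f"{name}: expected a three-segment host name")
        www_root = "wwwroot/" + ".".join(segments[:-1])
        self.device_names[name] = www_root
        return www_root

    def add_pool_name(self, name: str) -> None:
        # Pool entries use the format www.<segment 1>.<segment 2>.<extension>
        # and must end with a name from the Registered DNS Names for Device list.
        if not re.fullmatch(r"www\.[^.]+\.[^.]+\.[^.]+", name):
            raise ValueError(f"{name}: use www.<segment 1>.<segment 2>.<extension>")
        if not any(name.endswith("." + d) for d in self.device_names if d != "(default)"):
            raise ValueError(f"{name}: must end with a registered device DNS name")
        self.pool.append(name)

    def reserve(self, pool_name: str, host: str) -> None:
        # Reserved DNS mapping: one web resource host is bound to a specific pool name.
        if pool_name not in self.pool:
            raise KeyError(f"{pool_name} is not in the DNS Name Pool")
        self.reserved[pool_name] = host

    def assign_pooled(self, session: str, host: str) -> str:
        # Pooled DNS mapping: at the start of a session the web resource host gets
        # the first pool name that is neither reserved nor already leased in this
        # session (reuse of pooled names across sessions is an assumption).
        key = (session, host)
        if key in self.leased:
            return self.leased[key]
        in_use = set(self.reserved) | {n for (s, _), n in self.leased.items() if s == session}
        for name in self.pool:
            if name not in in_use:
                self.leased[key] = name
                return name
        raise RuntimeError("DNS Name Pool exhausted for this session")

    def resolve(self, session: str, mapped_name: str):
        # A request arrives with a mapped DNS name: look up the internal host it
        # stands for (reserved names first, then this session's pooled leases).
        if mapped_name in self.reserved:
            return self.reserved[mapped_name]
        for (s, host), name in self.leased.items():
            if s == session and name == mapped_name:
                return host
        return None


ABSOLUTE_LINK = re.compile(r"""(https?)://([A-Za-z0-9.-]+)(/[^\s"'<>]*)?""")


def translate_links(html: str, registered_hosts, device: str = DEVICE) -> str:
    """URL mapping (link translation): rewrite every absolute link to a registered
    web resource host so it goes through the device as https://<device>/http://host/path.
    A link that a script assembles from pieces is never a complete URL in the page
    text, so it is left untouched, which is the limitation the guide describes."""
    def rewrite(match: re.Match) -> str:
        scheme, host, path = match.group(1), match.group(2), match.group(3) or "/"
        if host not in registered_hosts:
            return match.group(0)          # not a registered web resource: untouched
        return f"https://{device}/{scheme}://{host}{path}"
    return ABSOLUTE_LINK.sub(rewrite, html)
```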
Note: Make sure you always click Save before you leave a page. If you do not click Save, any changes you made are lost when you leave the page.

Add a DNS name for a device
From the Manage Global Resource Settings page:
1. Select the DNS Name Pool tab. The Manage DNS Name Pool page appears.
2. Click Add DNS Name for Device. The Add DNS Name for Device page appears.
3. In the DNS Name text box, type the DNS name for the device.
4. In the WWW Root text box, type the path to the DNS device.
5. Click Add. The DNS name appears in the Registered DNS Names for Device list.
6. Click Save.
7. Click Publish to update your configuration with this change.

Edit a DNS name for a device
1. Select the DNS Name Pool tab. The Manage DNS Name Pool page appears.
2. In the Registered DNS Names for Device list, click a DNS Name. The Edit DNS Name for Device page appears.
3. Update the DNS Name and the WWW Root details.
4. Click Save. The DNS name appears in the Registered DNS Names for Device list.

Delete a DNS name for a device
From the Manage Global Resource Settings page:
1. Select the DNS Name Pool tab. The Manage DNS Name Pool page appears.
2. In the Registered DNS Names for Device list, click a DNS Name. The Edit DNS Name for Device page appears.
3. Click Delete. A confirmation message appears.
4. Click Yes. The DNS Name is deleted and the Manage DNS Name Pool page appears, with the DNS name removed from the Registered DNS Names for Device list.
5. Click Save.

Add a DNS name to the pool
Before you can add a DNS name to the DNS Name Pool, you must first add a DNS name for a device and publish it to your configuration.
1. Select the DNS Name Pool tab. The Manage DNS Name Pool page appears.
2. Click Add DNS Name to Pool. The Add DNS Name to DNS Name Pool page appears.
3. In the DNS Name text box, type the DNS name of the device to add it to the pool. Make sure to use the name format www.<DNS Name Segment 1>.<DNS Name Segment 2>.<extension>. For example, if the DNS Name for your device is my.example.com, you type www.my.example.com.
4. Click Add. The DNS name appears in the DNS Name Pool list.
5. Click Save.

Edit a DNS name in the pool
1. Select the DNS Name Pool tab. The Manage DNS Name Pool page appears.
2. In the DNS Name Pool list, click a DNS Name. The Edit DNS Name in DNS Name Pool page appears.
3. In the DNS Name text box, type a new DNS name.
4. Click Update. The DNS name appears in the DNS Name Pool list.
5. Click Save.

Delete a DNS name in the pool
1. Select the DNS Name Pool tab. The Manage DNS Name Pool page appears.
2. Click a name in the DNS Name Pool list. The Edit DNS Name in DNS Name Pool page appears.
3. Click Delete. A confirmation message appears.
4. Click Yes. The DNS name is removed from the DNS Name Pool list.
5. Click Save.

Filters

Filters determine the content that your users see when they request a resource or a specific page. You can apply a filter to one or more resource hosts, to requests or responses, and to content or headers. For general filters, you can use variables with name-value pairs instead of hard-coded values. You can add one or more variables to each filter. You can specify to filter file types or formats, images, and specific content in the Content Type text box.

About Scripts
Your WatchGuard SSL device includes scripts you can add to your filters. To find the available scripts:
1. At the top of the Web UI, click Browse. The File Browser appears.
2. Go to the \access-point\built-in-files\scripts\ folder. Scripts have the .wascr file extension.

Add a filter
1. Select the Filters tab. The Filters page appears.
2. Click Add Filter. The Add Filter page appears.
3. In the Display Name text box, type the display name for this filter.
4. In the Script Name text box, type the script to use for the filter. Make sure to include the .wascr extension.
5. From the Type of Filter drop-down list, select Request or Response.
6. From the Resource Host drop-down list, select a resource.
7. In the Path text box, type the path to the files to be filtered. You can use the * wildcard character.
8. From the Apply Filter To drop-down list, select Headers or Content.
9. In the Content Type text box, type the content types for this filter. You can use the * wildcard character.
10. To add a variable to the filter, click Add Variable. The Add Variable page appears.
11. In the Name and Value text boxes, type the name and value of the variable.
12. Click Add. The variable appears in the Registered Variables list.
13. Click Add. The Filter appears in the Registered Filters list.
14. Click Save.

Edit a filter
1. Select the Filters tab. The Filters page appears.
2. In the Registered Filters list, click a filter. The Edit Filter page appears.
3. Update the settings or variables for the filter.
4. Click Update.
5. Click Save.

Delete a filter
1. Select the Filters tab.
2. In the Registered Filters list, click a filter. The Edit Filter page appears.
3. Click Delete.
4. Click Yes.
5. Click Save.
Link Translation

Link translation is used to make sure that all traffic to registered Web resource hosts goes through the WatchGuard SSL device. With link translation, Web resource hosts are as secure as tunnel resource hosts. When a user connects to a page on a server through the WatchGuard SSL device, all links to other servers are changed to point to the WatchGuard SSL device. Translated links contain information about the original server and what protocol to use. For example, when a user enters a URL to a registered Web resource, such as http://www.example.com/start.asp, the device recognizes the link and automatically translates the URL to https://<WatchGuard SSL Device>/http://www.example.com/start.asp.

A link can be divided into subsets and then put together dynamically by the browser to form a link. Some examples of subsets are by protocol, host, and URI. If you use a subset, the WatchGuard SSL device cannot establish that it is a link and cannot translate it. If you want to use a subset, you can use DNS mapping. A DNS name or an IP address that points to the WatchGuard SSL device is mapped to an internal host and protocol (a mapped DNS name). All mapped DNS names are added to a DNS name pool. You then map the web hosts to DNS names with one of these methods:
- Reserved DNS mapping: The Web resource is mapped to a specific DNS name in the DNS name pool.
- Pooled DNS mapping: At the start of each session, the Web resource is assigned the first available DNS name from the DNS name pool.

You can configure the headers and content types to filter. Headers must be single-valued.

From the Manage Global Resource Settings page:
1. Select the Link Translation tab. The Link Translation page appears.
2. In the request and response headers and content types text boxes, add, edit, or delete the headers and content types to filter.
3. Click Save.

Client Access

You can specify the paths for the Application Portal and Welcome pages, and the clients that users can use to connect to your network.

Specify the paths for client access pages
From the Manage Global Resource Settings page:
1. Select the Client Access tab. The Client Access Settings page appears.
2. In the Default Page text box, type the path to the main page of the Application Portal. The default setting is /wa_default.html.
3. In the Welcome Page text box, type the path to the Welcome page that users see after they log on. The default setting is /wa/_welcome.html.
4. To configure Client Control settings, see the subsequent sections.
5. Click Publish to update your configuration with the changes.

Client Control settings
You can add, edit, and delete Client Control settings.

To add Client Control settings:
1. On the Client Access tab, click Add Client Settings. The Add Client Settings page appears.
2. From the Client drop-down list, select a client.
3. In the Session Settings section, select a check box to define the settings for this client:
   - The client does not support cookies
   - The client cannot authenticate using HTML or WML forms
4. In the File Extension text box, type the file type extension to use for this client.
5. In the Default Page text box, type the path and file name to this client.
6. In the Welcome Page text box, type the path and file name to the Welcome page for this client.
7. (Optional) In the GUI Constant and GUI Constant Value text boxes, type the GUI constant information for this client.
8. Click Add. The Client appears in the Registered Client Settings list.
9. Click Save.

To edit Client Control settings:
1. In the Registered Client Settings list, click a Client. The Edit Client Settings page appears.
2. Update the settings.
3. Click Update.
4. Click Save.

To delete a client in the Registered Client Settings list:
1. In the Registered Client Settings list, click a Client. The Edit Client Settings page appears.
2. Click Delete. A confirmation message appears.
3. Click Yes. The client is removed from the Registered Client Settings list.
4. Click Save.

Client Access Restrictions
You can add, edit, and delete client access settings to restrict the use of specific clients for your network. If you select to deny access to a client or send a warning message for a client, you can choose to direct users to a web page for information about the action or include a feedback message about the action. If you do not redirect users to a feedback page for information, you must include a feedback message to explain why the client was denied access, or why a warning message was sent.

To add Client Access restrictions:
1. On the Client Access tab, click Add Client Access Restriction. The Add Client Access Restriction page appears.
2. From the Client drop-down list, select a client.
3. From the Permission drop-down list, select a permission level for this client: Accept, Deny, or Warn.
4. If you set the permission to Deny or Warn, select the HTTP Code, type a path to the Feedback page, and type a Feedback message that users see in a warning or deny message.
5. Click Add. The Client appears in the Registered Client Access Restrictions list.
6. Click Save.

To edit Client Access restrictions:
1. In the Registered Client Access Restrictions list, click a Client. The Edit Registered Client Access Restrictions page appears.
2. Update the settings.
3. Click Update.

To delete a client in the Registered Client Access Restrictions list:
1. In the Registered Client Access Restrictions list, click a client. The Edit Registered Client Access Restrictions page appears.
2. Click Delete.
3. Click Yes.
   The client is removed from the Registered Client Access Restrictions list.
4. Click Save.

Trusted Gateways
You can add, edit, and delete the trusted gateways for your network.

Add trusted gateways
1. Select the Trusted Gateways tab. The Manage Trusted Gateways page appears.
2. Click Add Trusted Gateway. The Add Trusted Gateway page appears.
3. In the IP Address text box, type the IP address of the trusted gateway.
4. In the Port text box, type the port to use to connect to the trusted gateway. The default port number is 80.
5. Click Add. The IP Address appears in the Registered Trusted Gateways list.

Edit a trusted gateway
1. In the Registered Trusted Gateways list, click an IP Address. The Edit Registered Trusted Gateways page appears.
2. Update the settings.
3. Click Update. The updated gateway information appears in the Registered Trusted Gateways list.

Delete a trusted gateway
1. In the Registered Trusted Gateways list, click an IP Address. The Edit Trusted Gateway page appears.
2. Click Delete. The Confirm Delete message page appears.
3. Click Yes. The trusted gateway is removed from the Registered Trusted Gateways list.
4. Click Save.

Advanced Cookies and Cache Control
On the Manage Global Resource Settings Advanced tab, you can configure the settings for Internal Cookies and Internet Explorer Cache Control. You can choose which information types to include in cookie requests. You can also set whether Internet Explorer caches data and allows these file types:
- .doc
- .xls
- .ppt
- .pdf

To configure cookie and cache control settings:
1. Select the Advanced tab.
2. In the Internal Cookies section, select the check box for each information type for which you want to allow cookies.
3. To cache data in Internet Explorer, clear the Do not cache data for Internet Explorer users check box. This also enables users to download the allowed file types.
4. Click Save.
About Resource Access About Client Firewalls Client firewalls are Internet firewall configurations. An Internet firewall configuration is a collection of rules that control traffic to and from the WatchGuard SSL Access Client. Each configuration is connected to a tunnel resource. The WatchGuard SSL Access Client has two tasks related to your firewall configuration: Disable routes for other network connections Check the integrity of application connections You can configure rules based on these parameters: Network Incoming or outgoing traffic Ports Allow or block traffic These rules are downloaded to the client computer with the tunnel resource. The rules are then applied to network traffic at the client. When you add a new Internet firewall configuration, the rule lists have default entries that block all connections. You must add a rule above the default rule to accept specific connections. Note The order of the rules is significant because the firewall starts at the top of the list and stops as soon as it finds a match between the rule and the connection. Disable routes for other network connections You can choose to disable routes for other network connections. Apply the rules you configure to disable specific routes. Check the integrity of application connections For each connection that goes through the WatchGuard SSL Access Client, information about application paths and the checksum is added. When the authorization process determines if the client can connect to your resources, it uses this information. How the client firewall works When your users connect to the WatchGuard SSL device with the Access Client, the client firewall is used locally on their computers. Firewall rules are configured on the server and cannot be overridden by the user. You can only use one Internet firewall configuration per tunnel resource. 
The firewall is activated when a user clicks an Application Portal icon that connects to a tunnel resource configured to use the client firewall. The firewall is deactivated as soon as the user closes the Access Client or logs off the portal. The firewall is active as long as the associated Tunnel Resource is used. User Guide 187
About Resource Access Note If several Tunnel Resources are used at the same time by the same user, the firewall configurations of all the tunnels are active and the most restrictive rules are applied. When active, the firewall checks to make sure each connection from and to the client computer matches the client firewall configuration. You can add incoming and outgoing rules, and exceptions to those rules, to your client firewall configuration. Incoming Rules When a connection comes in to the computer, the firewall goes through the list of Incoming Firewall rules. Each rule is checked to see if it matches the incoming connection. If it does not match, the firewall looks at the next rule in the list. If it does match, the connection is accepted or denied based on the rule configuration. The firewall does not check any more rules in the list. If the rule denies the connection, it is dropped. If the rule accepts the connection, it is connected to the client computer. Outgoing Rules When an application on the client computer tries to connect to the Internet, the firewall goes through the list of Outgoing Firewall rules. Each rule is checked to see if it matches the outgoing connection. If it does not match, the firewall looks at the next rule in the list. If it does match, the connection is accepted or denied based on the rule configuration. If the rule denies the connection, it is rejected. If the rule accepts the connection, it connects to the Internet. Exceptions The client firewall checks all TCP and UDP connections except: Incoming connections from an IP address of a configured resource on the intranet (a connection through the tunnel). Connections to the WatchGuard SSL device Connections to an IP address of a configured resource on the intranet through the tunnel. For these connections, the access rules of the configured resource are applied instead of the firewall rules. 
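The first-match evaluation described above, as an added example that is not part of the WatchGuard SSL product or of this guide: a small Python model of an Internet firewall configuration with its incoming and outgoing rule lists, the undeletable default deny entry, the exceptions for device and tunnel traffic, and the most-restrictive outcome when several tunnels are active. Rule and connection fields follow the Add Incoming/Outgoing Firewall Rule pages; the address formats (single address, CIDR network, or first-last range), the "accept", "deny" and "exempt" result strings, and all sample addresses are assumptions made for this example.

```python
"""Client firewall rule evaluation, modelled on the description above.

Added example, not WatchGuard code.  Assumed: Remote IP is written as a single
address, a CIDR network or a "first-last" range; the port set as "80,443,8000-8100".
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    remote_ip: str              # "10.0.0.5", "10.0.0.0/24" or "10.0.0.1-10.0.0.50" (assumed formats)
    ports: str                  # port set: single ports and ranges, comma separated
    protocol: str               # "TCP" or "UDP"
    action: str                 # "accept" or "deny"
    client: str = "Any Client"  # Display Name of a client definition, or Any Client


@dataclass
class Connection:
    direction: str              # "in" (to the client computer) or "out" (to the Internet)
    remote_ip: str
    port: int
    protocol: str
    client: str                 # client definition matched by the owning process, if any


@dataclass
class FirewallConfig:
    name: str
    incoming: list              # Rule objects, top to bottom, above the default deny entry
    outgoing: list


def parse_ports(spec):
    """'80,443,8000-8100' -> [(80, 80), (443, 443), (8000, 8100)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def ip_in_range(spec, ip):
    """Match a single address, a CIDR network or a first-last range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, conn):
    return (rule.protocol.upper() == conn.protocol.upper()
            and ip_in_range(rule.remote_ip, conn.remote_ip)
            and any(lo <= conn.port <= hi for lo, hi in parse_ports(rule.ports))
            and rule.client in ("Any Client", conn.client))


def evaluate(config, conn, device_ip, resource_ips):
    """Return 'accept', 'deny' or 'exempt' for one firewall configuration."""
    # Exceptions: traffic to the SSL device and tunnel traffic to configured
    # resources is governed by the resource's access rules, not by the firewall.
    if conn.remote_ip == device_ip or conn.remote_ip in resource_ips:
        return "exempt"
    rules = config.incoming if conn.direction == "in" else config.outgoing
    for rule in rules:                 # start at the top of the list ...
        if rule_matches(rule, conn):
            return rule.action         # ... and stop at the first match
    return "deny"                      # the default entry at the bottom blocks the rest


def evaluate_all(configs, conn, device_ip, resource_ips):
    """Several tunnel resources in use at once: the most restrictive result wins."""
    results = {evaluate(c, conn, device_ip, resource_ips) for c in configs}
    return "deny" if "deny" in results else results.pop()


# Constructed sample configuration (not a real deployment).
SALES_TUNNEL = FirewallConfig(
    "Sales tunnel",
    incoming=[Rule("192.168.1.0/24", "3389", "TCP", "accept")],
    outgoing=[Rule("10.10.0.0/16", "80,443", "TCP", "deny"),
              Rule("0.0.0.0/0", "80,443,8000-8100", "TCP", "accept", client="Internet Explorer")],
)
DEVICE_IP = "203.0.113.10"        # constructed address of the WatchGuard SSL device
RESOURCE_IPS = {"10.10.5.20"}     # constructed intranet resource reached through the tunnel

if __name__ == "__main__":
    probe = Connection("out", "93.184.216.34", 443, "TCP", "Internet Explorer")
    print(SALES_TUNNEL.name, "->", evaluate(SALES_TUNNEL, probe, DEVICE_IP, RESOURCE_IPS))
```

Note that the tunnel-resource exception is checked before any rule: a connection to 10.10.5.20 is exempt even though the first outgoing rule would deny it, which is exactly the behaviour the Exceptions list above describes.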
Configure client definitions

You can configure the definitions for the clients used with your firewall configuration. For more information, see Manage Client Definitions on page 370.

Firewall rules based on a device

The client firewall can be used to specify rules based on the path or checksum of the process that tries to connect to the Internet. To enable this option, you must first add a client definition that specifies the values of the path and/or checksum of the process. You can use one of these client firewall variables in the Client Definitions:
- clientfirewall-path
- clientfirewall-checksum

Note: You can only use client definitions with these variables in the Client Firewall Rules.

To add Internet Explorer as a client definition, add a Client Definition with these settings:
- Display Name: Internet Explorer
- Process Definition: clientfirewall-path=%programfiles%\internet Explorer\iexplore.exe

%ProgramFiles% is a variable that is used on the Access Client to enable the client definition on all clients, regardless of the language of the operating system.

You can also use a more complex rule that is based on the MD5 checksum of the executable. To define a client based on the checksum, use a hexadecimal representation of the MD5 checksum. For example:
- Display Name: Internet Explorer
- Process Definition: clientfirewall-checksum=e7484514c0464642be7b4dc2689354c8

When you use clientfirewall-checksum, the client is only valid for a specific version of Internet Explorer.

It is also possible to combine both checksum and path with AND/OR between expressions. For example, you can create a list of valid checksums with the pipe character (OR) between the entries. All entries between the (OR) operator must be on the same line. For example:

clientfirewall-checksum=<checksum1>|clientfirewall-checksum=<checksum2>|clientfirewall-checksum=<checksum3>

You can also use the Client Definitions for client firewalls in Access Rules for tunnel resources.

Incoming Firewall Rules

For Incoming Firewall Rules, you specify a remote IP address or range of IP addresses that are allowed for incoming traffic. You can also specify the port set, with a single port, several ports, and/or a range of ports. Use a comma to separate port numbers. In your rules, you also select whether to use TCP or UDP, and if the firewall rule accepts or denies incoming traffic from the IP addresses and ports you specified. You can also choose whether the rule applies to a specific client or to any client. When you select Any Client, the rule is applied to all connected clients. A client can be a hardware device or an application.

Outgoing Firewall Rules

For Outgoing Firewall Rules, you specify a remote IP address or range of IP addresses that are allowed for outgoing traffic. You can also specify the port set, with a single port, several ports, and/or a range of ports. Use a comma to separate port numbers. In your rules, you also select whether to use TCP or UDP, and if the firewall rule accepts or denies outgoing traffic from the IP addresses and ports you specified. You can also choose whether the rule applies to a specific client or to any client. When you select Any Client, the rule is applied to all connected clients. A client can be a hardware device or an application.
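A matcher for the Process Definition syntax described under Firewall rules based on a device, added here as an example; it is not code from the product or from this guide. The clientfirewall-path and clientfirewall-checksum variables, the %ProgramFiles% expansion and the pipe (OR) separator on one line come from the text above. Treating each line of a definition as a separate condition that must also hold (AND), comparing paths case-insensitively, and the sample environment and executable bytes are assumptions made for this example.

```python
"""Client definition matching for client firewall rules.

Added example, not WatchGuard code.  From the text: clientfirewall-path=... and
clientfirewall-checksum=..., alternatives joined with | (OR) on one line.
Assumed: every line of the Process Definition must hold (AND); paths compare
case-insensitively after %NAME% variables are expanded from the client environment.
"""
import hashlib
import re

VARIABLES = ("clientfirewall-path", "clientfirewall-checksum")


def expand_windows_vars(path, env):
    """Expand %NAME% tokens case-insensitively; env is keyed in lower case."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def parse_definition(text):
    """Return a list of AND-groups; each group is a list of (variable, value) OR alternatives."""
    groups = []
    for line in text.strip().splitlines():
        alternatives = []
        for term in line.split("|"):
            if not term.strip():
                continue
            var, sep, value = term.strip().partition("=")
            var = var.strip().lower()
            if not sep or var not in VARIABLES:
                raise ValueError(f"bad client firewall term: {term.strip()!r}")
            alternatives.append((var, value.strip()))
        if alternatives:
            groups.append(alternatives)
    return groups


def term_matches(var, value, process, env):
    """process: {'path': full path of the executable, 'image': its bytes}."""
    if var == "clientfirewall-path":
        return expand_windows_vars(value, env).lower() == process["path"].lower()
    # checksum: hexadecimal MD5 of the executable image, compared case-insensitively
    return value.lower() == hashlib.md5(process["image"]).hexdigest()


def client_matches(definition, process, env):
    """True when every line (AND) has at least one matching alternative (OR)."""
    return all(any(term_matches(v, val, process, env) for v, val in group)
               for group in parse_definition(definition))


# Constructed sample data: a stand-in for the iexplore.exe image on one client.
CLIENT_ENV = {"programfiles": r"C:\Program Files"}
IE_IMAGE = b"constructed stand-in for the iexplore.exe bytes"
IE_PROCESS = {"path": r"C:\Program Files\Internet Explorer\iexplore.exe", "image": IE_IMAGE}
IE_MD5 = hashlib.md5(IE_IMAGE).hexdigest()

# The path-based definition from the text, written with %programfiles% as shown there.
PATH_DEFINITION = r"clientfirewall-path=%programfiles%\internet Explorer\iexplore.exe"
# A list of valid checksums OR-ed on one line; only the last entry is the real digest.
CHECKSUM_LIST = ("clientfirewall-checksum=" + "0" * 32 + "|"
                 "clientfirewall-checksum=" + "f" * 32 + "|"
                 "clientfirewall-checksum=" + IE_MD5)
# Path AND checksum on separate lines: both must hold (assumed AND semantics).
PATH_AND_CHECKSUM = PATH_DEFINITION + "\nclientfirewall-checksum=" + IE_MD5
PATH_AND_WRONG_CHECKSUM = PATH_DEFINITION + "\nclientfirewall-checksum=" + "0" * 32

if __name__ == "__main__":
    for name, definition in [("path", PATH_DEFINITION), ("checksums", CHECKSUM_LIST),
                             ("path and checksum", PATH_AND_CHECKSUM)]:
        print(name, "->", client_matches(definition, IE_PROCESS, CLIENT_ENV))
```

The checksum list matches the executable wherever it is installed, while the path-only definition matches any file at that location regardless of its contents; combining both lines ties the rule to one binary at one place, which is the trade-off the text above describes.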
Manage Internet Firewall Configurations

You can add, edit, and delete Internet firewall configurations for your client firewall. After you change the configuration, make sure you click Publish to update your configuration with your changes.

Add an Internet Firewall Configuration

1. Select Resource Access > Client Firewall. The Client Firewall page appears.
2. Click Add Internet Firewall Configuration. The Add Internet Firewall Configuration page appears.
3. In the Display Name text box, type a name for this firewall configuration.
4. (Optional) Add an incoming firewall rule.
5. (Optional) Add an outgoing firewall rule. For information about how to add firewall rules, see the subsequent sections.
6. Click Add. The configuration appears in the Registered Internet Firewall Configurations list.

Add an incoming firewall rule

You can add incoming firewall rules to your Internet Firewall Configurations. On the Add Internet Firewall Configuration or Edit Internet Firewall Configuration page:

1. Click Add Incoming Firewall Rule. The Add Incoming Firewall Rule page appears.
2. In the Remote IP text box, type the IP address range for this firewall configuration rule.
3. In the Local Port text box, type the port to use for this rule.
4. Select a Protocol.
5. Set the rule to Accept or Deny connection attempts from the selected IP address.
6. From the Clients drop-down list, select Any Client or a specific client to which the rule applies.
7. (Optional) In the Comment text box, type a description of the rule.
8. Click Add. The rule appears in the Registered Incoming Firewall Rules list.

Add an outgoing firewall rule

You can add outgoing firewall rules on the Add Internet Firewall Configuration page.

1. Click Add Outgoing Firewall Rule. The Add Outgoing Firewall Rule page appears.
2. In the Remote IP text box, type the IP address range for this firewall configuration rule.
3. In the Local Port text box, type the port to use for this rule.
4. Select a Protocol.
5. Set the rule to Accept or Deny connection attempts from the selected IP address.
6. From the Clients drop-down list, select Any Client or a specific client to which the rule applies.
7. (Optional) In the Comment text box, type a description of the rule.
8. Click Add. The rule appears in the Registered Outgoing Firewall Rules list.

Edit an Internet Firewall Configuration

You can edit your Internet firewall configurations on the Client Firewall page.

1. In the Registered Internet Firewall Configurations list, click the configuration you want to change. The Edit Internet Firewall Configuration page appears.
2. Update the incoming or outgoing firewall rules in the configuration.
3. Click Save.

Delete an Internet Firewall Configuration

You can delete your Internet firewall configurations on the Client Firewall page.

1. In the Registered Internet Firewall Configurations list, click the configuration to delete. The Edit Internet Firewall Configuration page appears.
2. Click Delete. A confirmation message appears.
3. Click Yes.
4. Click Save. The configuration is removed from the Registered Internet Firewall Configurations list.

Edit an incoming or outgoing firewall rule

You can make changes to any incoming or outgoing firewall rule in the corresponding Registered Firewall Rules list.

1. Click the rule to change. The Edit Firewall Rule page appears.
2. Update the settings for the rule.
3. Click Update.

Delete an incoming or outgoing firewall rule

You can delete any incoming or outgoing firewall rule that you added. You cannot delete the default rules.

1. Click the rule to delete. The Edit Firewall Rule page appears.
2. Click Delete. A confirmation message appears.
3. Click Yes.
4. Click Save.

About Access Rules

Access rules define the specific requirements for access control that you apply to a resource or SSO domain in WatchGuard SSL Web UI. You can add general access rules that can be applied to any resource or SSO domain, or specific access rules that you apply only to certain resources or SSO domains. You can also define global access rules that are applied to all resources and SSO domains.

WatchGuard SSL Web UI includes many different types of access rules that you can use alone or combine to increase the complexity of your security. When you add access rules to a resource, you can use the AND operator to combine general access rules with resource and SSO domain specific access rules. You can only use the OR operator for resource and SSO domain specific access rules.

For more information about access rules, see:
- Manage Access Rules
- Manage Global Access Rules

Manage Access Rules

You can add, edit, and delete the access rules to use with specific resources and Single Sign-On (SSO) domains. When you create an access rule, you add rules to define user access to your network. You can add one or more rules to each access rule. If you add more than one rule to an access rule, an OR operator is applied to the rules. If you want the rules to be applied with an AND operator, you must combine them.

Add an Access Rule

1. Select Resource Access > Access Rules. The Manage Access Rules page appears.
2. Click Add Access Rule. The Add Access Rule page appears.
3. In the Display Name text box, type a name for this access rule.
4. Click Next. The Select Type of Access Rule page appears.
5. Select an access rule type for this rule. Click Next. The subsequent pages that you see depend on the type of access rule that you selected.
   Note: For detailed information on Assessment access rules and requirement criteria, see Assessment Access Rule Requirements.
6. Complete the subsequent pages for the type of access rule you selected. Click Next.
7. On the Summary page, confirm the settings for your access rule. Click Next. The Add Access Rule page appears with your access rule in the Allow user access when list.
8. To add another rule, repeat Steps 5–8.
9. If you have more than one rule and you want to combine them, select the Select Rule check box for the rules to combine and click Combine.
10. Click Next. The Apply Access Rule to Resources page appears.
11. From the Available Resources list, select the resources for this access rule and click Add >. The resources appear in the Selected Resources list.
12. Click Next. The Confirm Access Rule Summary page appears.
13. Click Finish Wizard. The new Access Rule appears in the Registered Access Rules list.

Edit an Access Rule

When you edit an access rule, you can change the Display Name; add, edit, or delete the rules included in the access rule; and apply the access rule to your resources.

1. Select Resource Access > Access Rules. The Manage Access Rules page appears.
2. In the Registered Access Rules list, click the access rule to change. The Edit Access Rule page appears.
3. To change the settings for an existing rule:
   a. From the Allow user access when list, select the rule to change. The Edit Access Rule page appears.
   b. Update the settings for the rule.
4. To add a new rule to the access rule:
   a. Click Add Rule. The Add Access Rule page appears.
   b. Select an access rule type for this rule. Click Next. The subsequent pages that you see depend on the type of access rule that you selected.
   c. Complete the subsequent pages for the type of access rule you selected. Click Next.
   d. On the Summary page, confirm the settings for your access rule. Click Next. The Add Access Rule page appears with your access rule in the Allow user access when list.
   e. Click Finish Wizard.
5. To delete a rule from this access rule:
   a. From the Allow user access when list, select the rule to delete. The Edit Access Rule page appears.
   b. Click Delete.
6. To select which resources are protected by this access rule:
   a. Click Apply Access Rules To Resources. The Apply Access Rule To Resources page appears.
   b. From the Available Resources list, select the resources to protect with this access rule and click Add >. The resources are moved to the Selected Resources list.
   c. Click Next.
7. Click Save.

Delete an Access Rule

1. Select Resource Access > Access Rules. The Manage Access Rules page appears.
2. In the Registered Access Rules list, adjacent to the access rule to delete, click. The Delete Access Rule page appears.
3. Click Yes. The access rule is removed from the Registered Access Rules list.

Manage Global Access Rules

Global access rules are rules that apply to all of your resources and SSO domains. To add a global access rule, you can create a new access rule or select any of the registered access rules that you have already created, and then add the access rule to the Global Access Rules list. For more information about how to add a new access rule, see Manage Access Rules.

To add an access rule to the Global Access Rules list:

1. Select Resource Access > Access Rules. The Manage Access Rules page appears.
2. Click Manage Global Access Rule. The Manage Global Access Rule page appears.
3. From the Available Access Rules list, select one or more access rules.
4. Click Add >. The rule is moved to the Selected Access Rules list.
5. Click Save. The global access rules are saved and the Manage Access Rules page appears.

Assessment Access Rule Requirements

You can create an Assessment access rule to verify a wide variety of requirements before you allow access to your network resources from Windows clients. Some examples include these types of client access rules and requirements:
- Configure an Access Rule to Require Anti-virus or Anti-spyware Software
- Configure an Access Rule to Verify a Windows File is Found
- Configure an Access Rule to Verify a Windows File Digest is Found
- Configure an Access Rule to Verify a Directory is Found
- Configure an Access Rule to Verify the Windows Client Logon Domain
- Configure an Access Rule to Verify the Client Computer MAC Address
- Pre-connection End-point Integrity Check

For more information about how to create an access rule, see Manage Access Rules.

Assessment Access Rule Requirements

These sections describe the different types of requirement criteria you can apply to an access rule. To create an Assessment access rule:

1. Select Resource Access > Access Rules.
2. Click Add Access Rule.
3. Type a Display Name for your access rule.
4. Click Next. The Select Type of Access Rule page appears.
5. Select Assessment as the rule type.
6. Click Next. The Select Criteria page appears.
7. In the Display Name text box, type a descriptive name for this rule.
8. In the Operating System drop-down list, Windows is the only option.
9. In the Information Type drop-down list, select the information type for which you want to set requirements:
   - File information
   - Directory information
   - Process information
   - Windows user information
   - Windows domain information
   - Network interface information
   - TCP Port information
   - UDP Port information
   - Registry Key information
   - Registry Sub Key information
   - Antivirus information
   - Firewall information
   - Spyware information
   See the subsequent sections for detailed information on each information type.
10. Do not select the Deny access check box, because you want to allow access if the conditions of this rule are met.
11. Click Next. The Specify Requirements page appears.
12. Click Add Requirement. The Add Requirement page appears.
   - Client Data: Select which client data the requirement applies to.
   - Matching Restriction: Select how to match the requirement based on the Matching Rule. Use Match to exactly match your data. Use Wildcard to add an asterisk (*) before and after the match data. For example, *WatchGuard*.
   - Matching Rules: Type the matching rule for the selected Client Data.
13. Add the details of the requirement, then click Add. You can add several requirements, but you can add only one requirement per client data type.

File Information
- File attributes: r (read-only), d (directory), e (encrypted), h (hidden), s (system file), t (temporary)
- File name. Format: C:\boot.ini
- File digest. Format: 08d26906c74805bee8deca4c7be8c7f5
- File time created. Format: 01/16/2012 22:38
- File time last written. Format: 03/07/2012 15:21
- File time last accessed. Format: 03/03/2012 06:04

Directory Information
- Attributes: d (directory), h (hidden)
- Directory digest. Format: 08d26906c74805bee8deca4c7be8c7f5
- Directory name. Format: C:\Windows\System32\

Process Information
- Process name. Format: *Mozilla.exe
- Process digest. Format: 84885f9b82f4d55c6146ebf6065d75d2
- Process ID. Format: 1184

Windows User Information
- Windows logon domain. Format: WatchGuard
- Windows alternative domains. Format: WatchGuard1, WatchGuard 2
- Windows user name. Format: userid
- Windows logon server. Format: SRV-EXCHANGE

Windows Domain
- Computer name. Format: USERDEV
- LAN group. Format: WatchGuard
- Major version. Format: 5
- Minor version. Format: 1
- Platform ID. Format: 500

Network Interface Information
- Physical address. Format: 00502239056e
- Name. Format: {8F952A80-FAE4-4AFE-898D-F67B67C6ED61}
- Description. Format: MS TCP Loopback interface

TCP Port Information
- Local address. Format: 127.0.0.1
- Local port. Format: 8300
- Remote address. Format: 127.0.0.1
- Remote port. Format: 3662
- State: Established, Listen, TimeWait

UDP Port Information
- Local address. Format: 127.0.0.1
- Local port. Format: 1025

Registry Key Information
- Registry name. Format: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
- Registry type. Format: value
- Registry value. Format: 87e4d320-ee1a-4321-93eb-34db24ae5ec6

Registry Sub Key Information
- Registry name. Format: HKEY_CURRENT_USER\Software\Watchguard
- Registry type. Format: subkey
- Registry value. Format: AbolishClient

Antivirus Information
- Product Vendor: Select the name of the anti-virus software vendor. To enable access if any anti-virus software is installed on the client, select Any product. After you select the Product Vendor, the other product fields appear. The fields you see depend on the product you selected.
- Product Name: Select the name of your anti-virus software.
- Product Version: Select the version of your anti-virus software.
- File System Real-time Protection (FSRTP) Status: Select whether to include the status of the anti-virus software's file system real-time protection (FSRTP) in the rule. If included, select whether it should be On or Off for this rule.
- Action to take if the product requirements are not met: Select whether to Deny access or Warn and grant access.
- Definition Configuration: Select how recent the configuration definition must be.
- Last Scan Time: Select when the last scan must have occurred.

Firewall Information
- Product Vendor: Select the name of the firewall software vendor. To enable access if any firewall software is installed on the client, select Any product. After you select the Product Vendor, the other product fields appear. The fields you see depend on the product you selected.
- Product Name: Select the name of your firewall software.
- Product Version: Select the version of your firewall software.
- Action to take if the product requirements are not met: Select whether to Deny access or Warn and grant access.
- Enabled Status: Select if the firewall software is Enabled or Disabled.

Spyware Information
- Product Vendor: Select the name of the anti-spyware software vendor. To enable access if any anti-spyware software is installed on the client, select Any product. After you select the Product Vendor, the other product fields appear. The fields you see depend on the product you selected.
- Product Name: Select the name of your anti-spyware software.
About Resource Access Product Version Select the version of your anti-spyware software. FSRTP Status Select whether to include the status of the anti-spyware software real-time protection in the rule. If included, select whether it should be On or Off for this rule. Action to take if the product requirements are not met Select whether to Deny access or Warn and grant access. Definition Configuration See Also Select how recent the configuration definition must be. Configure an Access Rule to Require Anti-virus or Anti-spyware Software When you configure WatchGuard SSL End-Point Integrity to verify that client devices meet your defined security profile, you select the Assessment Access Rules that apply to the Assessment process. You can add an access rule that requires the client to run a specific anti-virus or anti-spyware program before it can connect to your network. 1. Select Resource Access > Access Rules. 2. Click Add Access Rule. The Add Access Rule page appears. 3. In the Display Name text box, type a name for the access rule. For example, Require Anti-virus. 4. Click Next. The Select Type of Access Rule page appears. 5. From the Select Type of Access Rule list, select Assessment. 6. Click Next. The Select Criteria page appears. 7. In the Display Name text box, type a name for this rule. 8. In the Operating System drop-down list, Windows is the only available option. 9. From the Information Type drop-down list, select Antivirus information. 10. To allow access if this rule is met, make sure the Deny access check box is not selected. 11. Click Next. The Specify Requirements page appears. 12. Click Add Requirement. The Add Requirement page appears. User Guide 207
About Resource Access 13. Select the requirements for this rule. The options that appear depend on the Product Vendor you select. From the Product Vendor drop-down list, select the name of the anti-virus software vendor. To enable access if any anti-virus software is installed on the client, select Any product. After you select the Product Vendor, the other product fields appear. The fields you see depend on the product you selected. From the Product Name drop-down list, select the name of your anti-virus software. From the Product Version drop-down list, select the version of your anti-virus software. From the File System Real-time Protection Status drop-down list, select whether to include the status of the anti-virus software's file system real-time protection (FSRTP) in the rule. If included, select whether it should be On or Off for this rule. From the Action to take if the product requirements are not met drop-down list, select whether to Deny access or Warn and grant access. In the Definition Configuration section, select how recent the configuration definition must be. In the Last Scan Time section, select when the last scan must have occurred. 14. Click Add. The Specify Requirements page appears with the new rule in the Registered Requirements list. 15. To add more requirements, repeat Steps 9 11. 16. Click Next. The Feedback Message page appears. 17. In the Feedback Message text box, type the message users see if access to a resource is denied because the client scan results do not match the specified requirements. 18. Click Next. The Summary page appears. 19. Review the summary page and click Next. The Add Access Rule page appears. 20. To add more rules, repeat Steps 4 16. 21. Click Next. The Apply Access Rule to Resources page appears. 22. In the Available Resources list, select the resources for this rule and click Add >. The resources appear in the Selected Resources list. 23. Click Next. The Confirm Access Rule Summary page appears. 
208 WatchGuard SSL Web UI
About Resource Access 24. Review the summary page and click Finish Wizard. 25. Click Publish to update your configuration with this change. After you create the Access Rule, you can use it to protect a resource. Configurean AccessRuletoVerifytheWindowsClient Logon Domain If you want to verify the logon domain for your users who connect to your network resources with Windows clients, you can create an Assessment access rule. When your users try to connect to a network resource, the Assessment access rule checks the client logon domain before they are granted access to the resource. For each access rule, you can add one or more rules. If you add more than one rule to an access rule, an OR operator is applied to the rules. If you want the rules to be applied with an AND operator, you must combine them. 1. Select Resource Access. The Resources page appears. 2. Select Access Rules. The Manage Access Rules page appears. 3. Click Add Access Rule. The Add Access Rule page appears. 4. In the Display Name text box, type a name for the access rule. For example, Assessment-Windows-Logon-Domain. 5. Click Next. The Select Type of Access Rule page appears. 6. Select Assessment. Click Next. The Select Criteria page appears. 7. In the Display Name text box, type a name for this rule. 8. In the Operating System drop-down list, Windows is the only available option. 9. From the Information Type drop-down list, select Windows user information. 10. To allow access to clients that meet the selected criteria, clear the Deny Access check box. This is the default setting. To deny access to clients that meet the selected criteria, select the Deny Access check box. 11. Click Next. The Specify Requirements page appears. 12. Click Add Requirement. The Add Requirement page appears. 13. From the Client Data drop-down list, select Windows logon domain. 14. From the Matching Restriction drop-down list, select Match. 15. In the Matching Rules text box, type the name of your logon domain. 16. 
Click Add. The Specify Requirements page appears. The requirement you added appears in the Registered Requirements list. 17. Click Next. The Feedback Message page appears. 18. (Optional) In the Feedback Message text box, type the message you want users to see when they are denied access to a resource because of the client scan results. User Guide 209
About Resource Access 19. Click Next. The Summary page appears. 20. Review the settings for your access rule. 21. Click Next. The Add Access Rule page appears. The rule you added appears in the Allow user access when list. 22. To add another rule, repeat Steps 5 19. 23. If you have more than one rule and you want to combine them, select the Select Rule check box for the rules to combine and click Combine. 24. Click Next. The Apply Access Rule to Resources page appears. 25. In the Available Resources list, select the resources for this rule and click Add >. The resources appear in the Selected Resources list. 26. Click Next. The Confirm Access Rule Summary page appears. 27. Click Finish Wizard. The new access rule appears in the Registered Access Rules list. Configure an Access Rule to Verify a Windows File is Found To verify that a specific file exists on the client computers of your users who connect to your network resources with Windows clients, you can create an Assessment access rule. When your users try to connect to a network resource, the Assessment access rule checks the computer to make sure the file is located in the correct directory on the computer before your users are allowed access to the resource. For each access rule, you can add one or more rules. If you add more than one rule to an access rule, an OR operator is applied to the rules. If you want the rules to be applied with an AND operator, you must combine them. For more information about how to combine rules in an access rule, see Manage Access Rules. 1. Select Resource Access. The Resources page appears. 2. Select Access Rules. The Manage Access Rules page appears. 3. Click Add Access Rule. The Add Access Rule page appears. 4. In the Display Name text box, type a name for the access rule. For example, Assessment-Windows-File. 5. Click Next. The Select Type of Access Rule page appears. 6. Select Assessment. Click Next. The Select Criteria page appears. 7. 
In the Display Name text box, type a name for this rule. For example, Windows-File. 8. In the Operating System drop-down list, Windows is the only available option. 9. From the Information Type drop-down list, select File information. 10. To allow access to clients with the correct Windows file, clear the Deny Access check box. This is the default setting. 11. Click Next. The Specify Requirements page appears. 210 WatchGuard SSL Web UI
About Resource Access 12. Click Add Requirement. The Add Requirement page appears. 13. From the Client Data drop-down list, select File name. 14. From the Matching Restriction drop-down list, select Match. 15. In the Matching Rules text box, type the full Windows path to the file. For example, C:\Documents and Settings\example.txt. 16. Click Add. The Specify Requirements page appears. The requirement you added appears in the Registered Requirements list. 17. Click Next. The Feedback Message page appears. 18. (Optional) In the Feedback Message text box, type the message you want users to see when they are denied access to a resource because of the client scan results. 19. Click Next. The Summary page appears. 20. Review the settings for your access rule. 21. Click Next. The Add Access Rule page appears. The rule you added appears in the Allow user access when list. 22. Click Next. The Apply Access Rule to Resources page appears. 23. From the Available Resources list, select the resources for this rule and click Add >. The selected resources are moved to the Selected Resources list. 24. Click Next. The Confirm Access Rule Summary page appears. 25. Click Finish Wizard. The new Access Rule appears in the Registered Access Rules list. To automatically apply this access rule to all resources, you can add it to a global access rule. For more information about how to create global access rules, see Manage Global Access Rules. Because you typed the full path to the Windows file, the path for the Assessment client scan was automatically added to the Client Scan Path list. For more information about the client scan path, see Configure General Settings for Assessment on page 346. Configurean AccessRule toverify awindows FileDigest isfound To verify that a specific file digest exists on the client computers of your users who connect to your network resources with Windows clients, you can create an Assessment access rule. 
When your users try to connect to a network resource, the Assessment access rule checks the computer to make sure the file digest is located in the correct directory on the computer before your users are allowed access to the resource.

For each access rule, you can add one or more rules. If you add more than one rule to an access rule, an OR operator is applied to the rules. If you want the rules to be applied with an AND operator, you must combine them. For more information about how to combine rules in an access rule, see Manage Access Rules.

Add an Access Rule and Apply It to Resources

1. Select Resource Access. The Resources page appears.
2. Select Access Rules. The Manage Access Rules page appears.
3. Click Add Access Rule. The Add Access Rule page appears.
4. In the Display Name text box, type a name for the access rule. For example, Assessment-Windows-File-Digest.
5. Click Next. The Select Type of Access Rule page appears.
6. Select Assessment. Click Next. The Select Criteria page appears.
7. In the Display Name text box, type a name for this rule. For example, Windows-File-Digest.
8. In the Operating System drop-down list, Windows is the only available option.
9. From the Information Type drop-down list, select File information.
10. To allow access to clients with the correct Windows file, clear the Deny Access check box. This is the default setting.
11. Click Next. The Specify Requirements page appears.
12. Click Add Requirement. The Add Requirement page appears.
13. From the Client Data drop-down list, select File digest.
14. From the Matching Restriction drop-down list, select Match.
15. In the Matching Rules text box, type the text of the MD5 checksum file. For example, 08d26906c74805bee8deca4c7be8c7f5.
16. Click Add. The Specify Requirements page appears. The requirement you added appears in the Registered Requirements list.
17. Click Next. The Feedback Message page appears.
18. (Optional) In the Feedback Message text box, type the message you want users to see when they are denied access to a resource because of the client scan results.
19. Click Next. The Summary page appears.
20. Review the settings for your access rule.
21. Click Next. The Add Access Rule page appears. The rule you added appears in the Allow user access when list.
22. Click Next. The Apply Access Rule to Resources page appears.
23. From the Available Resources list, select the resources for this rule and click Add >. The selected resources are moved to the Selected Resources list.
   To automatically apply this access rule to all resources, you can add it to a global access rule. For more information about how to create global access rules, see Manage Global Access Rules.
24. Click Next. The Confirm Access Rule Summary page appears.
25. Click Finish Wizard. The new access rule appears in the Registered Access Rules list.
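The file digest rule above takes a 32-character lowercase hex MD5 value, as in step 15, and the Assessment client only finds the file at the client scan path you add next. The following Python script is an added example, not part of this guide or of the WatchGuard product: it computes the digest of a file you stage locally, checks that the value has the form the guide's example uses, and emulates the comparison the rule performs, so you can confirm the value before you paste it into the Matching Rules text box. The file contents and paths in it are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# The guide's example digest is 32 lowercase hex characters with no prefix or spaces.
DIGEST_RE = re.compile(r"^[0-9a-f]{32}$")


def md5_file_digest(path: str, chunk_size: int = 65536) -> str:
    """Return the lowercase hex MD5 digest of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_valid_digest_value(value: str) -> bool:
    """True if value has the form used in the guide's example (32 lowercase hex characters)."""
    return bool(DIGEST_RE.match(value))


def client_file_matches(path: str, expected_digest: str) -> bool:
    """Emulate what the Assessment rule checks: the file exists at the scan path and its digest matches.
    The comparison is case-insensitive so a digest copied in uppercase still matches."""
    expected = expected_digest.strip().lower()
    if not is_valid_digest_value(expected):
        raise ValueError(f"not an MD5 hex digest: {expected_digest!r}")
    if not os.path.isfile(path):
        return False  # file not found at the scan path: the rule cannot succeed
    return md5_file_digest(path) == expected


def write_constructed_file(content: bytes) -> str:
    """Write constructed sample content to a temporary file and return its path (stands in for the client file)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def digest_of_constructed_file(content: bytes) -> str:
    """Digest of a constructed file; this is the value an administrator would paste into Matching Rules."""
    return md5_file_digest(write_constructed_file(content))


if __name__ == "__main__":
    # Constructed example: stage the file you distribute to clients, then compute the rule value.
    staged = write_constructed_file(b"hello")
    rule_value = md5_file_digest(staged)
    print("Matching Rules value:", rule_value)
    print("client passes:", client_file_matches(staged, rule_value))
    print("client fails (file missing):", client_file_matches(staged + ".missing", rule_value))
```

MD5 is not collision resistant, so treat a matching digest as a posture check that the expected build of the file is present rather than as proof that the file was never altered. The rule also only succeeds when the file is found at the client scan path, so a digest requirement without the matching scan path denies every client.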
Add a Client Scan Path

To specify which directory the Assessment client scans for the MD5 checksum file, you must also add a client scan path.

1. Select Manage System > Assessment. The Manage Assessment page appears with the General Settings tab selected.
2. Click Add Client Scan Path. The Add Client Scan Path page appears.
3. In the Operating System drop-down list, Windows is the only available option.
4. From the Type drop-down list, select File.
5. In the Path text box, type the full Windows path to the file. For example, C:\Documents and Settings\example.doc.
6. Click Add. The path is added to the Client Scan Path list.
7. Click Save.
8. Click Publish to update your configuration with this change.

Configure an Access Rule to Verify a Directory is Found

To verify that a specific directory exists on the client computers of the users who connect to your network resources with Windows clients, you can create an Assessment access rule.

When your users try to connect to a network resource, the Assessment access rule checks the computer to make sure the directory is on the computer before your users are allowed access to the resource.
For each access rule, you can add one or more rules. If you add more than one rule to an access rule, an OR operator is applied to the rules. If you want the rules to be applied with an AND operator, you must combine them. For more information about how to combine rules in an access rule, see Manage Access Rules.

1. Select Resource Access. The Resources page appears.
2. Select Access Rules. The Manage Access Rules page appears.
3. Click Add Access Rule. The Add Access Rule page appears.
4. In the Display Name text box, type a name for the access rule. For example, Assessment-Windows-Directory.
5. Click Next. The Select Type of Access Rule page appears.
6. Select Assessment. Click Next. The Select Criteria page appears.
7. In the Display Name text box, type a name for this rule. For example, Windows-Directory.
8. In the Operating System drop-down list, Windows is the only available option.
9. From the Information Type drop-down list, select Directory information.
10. To allow access to clients with the correct Windows file, clear the Deny Access check box. This is the default setting.
11. Click Next. The Specify Requirements page appears.
12. Click Add Requirement. The Add Requirement page appears.
13. From the Client Data drop-down list, select Directory name.
14. From the Matching Restriction drop-down list, select Match.
15. In the Matching Rules text box, type the full Windows path to the directory. For example, C:\Documents and Settings\example.
16. Click Add. The Specify Requirements page appears. The requirement you added appears in the Registered Requirements list.
17. Click Next. The Feedback Message page appears.
18. (Optional) In the Feedback Message text box, type the message you want users to see when they are denied access to a resource because of the client scan results.
19. Click Next. The Summary page appears.
20. Review the settings for your access rule. Click Next. The Add Access Rule page appears. The rule you added appears in the Allow user access when list.
21. Click Next. The Apply Access Rule to Resources page appears.
22. From the Available Resources list, select the resources for this rule and click Add >. The selected resources are moved to the Selected Resources list.
23. Click Next. The Confirm Access Rule Summary page appears.
24. Click Finish Wizard. The new Access Rule appears in the Registered Access Rules list.
Configure an Access Rule to Verify the Client Computer MAC Address

To verify the MAC address of the Windows client computers that connect to your network resources, you can create an Assessment access rule. When your users try to connect to a network resource, the Assessment access rule checks the client computer before your users are allowed access to the resource.

For each access rule, you can add one or more rules. If you add more than one rule to an access rule, an OR operator is applied to the rules. If you want the rules to be applied with an AND operator, you must combine them. For more information about how to combine rules in an access rule, see Manage Access Rules.

1. Select Resource Access. The Resources page appears.
2. Select Access Rules. The Manage Access Rules page appears.
3. Click Add Access Rule. The Add Access Rule page appears.
4. In the Display Name text box, type a name for the access rule. For example, Assessment-Windows-MAC-Address.
5. Click Next. The Select Type of Access Rule page appears.
6. Select Assessment. Click Next. The Select Criteria page appears.
7. In the Display Name text box, type a name for this rule. For example, Windows-MAC-Address.
8. In the Operating System drop-down list, Windows is the only available option.
9. From the Information Type drop-down list, select Network interface information.
10. To allow access to clients with the correct MAC address, clear the Deny Access check box. This is the default setting.
11. Click Next. The Specify Requirements page appears.
12. Click Add Requirement. The Add Requirement page appears.
13. From the Client Data drop-down list, select Physical address.
14. From the Matching Restriction drop-down list, select Match.
15. In the Matching Rules text box, type the MAC address of the client computer. For example, 00502239056e.
16. Click Add. The Specify Requirements page appears. The requirement you added appears in the Registered Requirements list.
17. Click Next. The Feedback Message page appears.
18. (Optional) In the Feedback Message text box, type the message you want users to see when they are denied access to a resource because of the client scan results.
19. Click Next. The Summary page appears.
20. Review the settings for your access rule.
21. Click Next. The Add Access Rule page appears. The rule you added appears in the Allow user access when list.
22. Click Next. The Apply Access Rule to Resources page appears.
23. From the Available Resources list, select the resources for this rule and click Add >. The selected resources are moved to the Selected Resources list.
24. Click Next. The Confirm Access Rule Summary page appears.
25. Click Finish Wizard. The new access rule appears in the Registered Access Rules list.

To automatically apply this access rule to all resources, you can add it to a global access rule. For more information about how to create global access rules, see Manage Global Access Rules.

Because you typed the full path to the Windows file, the path for the Assessment client scan was automatically added to the Client Scan Path list. For more information about the client scan path, see Configure General Settings for Assessment on page 346.

Configure an Access Rule to Combine Authentication Methods

From WatchGuard SSL Web UI, you can configure multiple authentication methods and use access rules to combine them for added security. When you combine authentication methods to secure your Application Portal, users are prompted for their credentials for each selected authentication method before they log in to the Application Portal. When users try to log in, they supply their credentials for the first authentication method. After they are authenticated with the first method, the authentication page for each subsequent method appears, one at a time. This process continues until all authentication method requirements are met.

Before you can combine authentication methods, you must configure and enable each authentication method. For information about how to configure authentication methods, see Add an Authentication Method on page 280. After the authentication methods are configured, you use access rules to combine them.
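The MAC address rule described earlier in this section takes the physical address as 12 hex characters with no separators, as in its step 15 example (00502239056e), while inventory exports and operating systems usually print the same address as 00:50:22:39:05:6E or 00-50-22-39-05-6E. The following Python script is an added example, not part of this guide or of the WatchGuard product: it normalizes the common notations to the form the rule expects, rejects values that are not MAC addresses, and emulates the Match comparison. The inventory entries in it are constructed for the example.

```python
import re

# Target form used in the guide's example: exactly 12 lowercase hex characters, no separators.
HEX12 = re.compile(r"^[0-9a-f]{12}$")
SEPARATORS = re.compile(r"[:\-.\s]")


def normalize_mac(value: str) -> str:
    """Convert colon, hyphen, dotted (Cisco) or raw hex MAC notation to 12 lowercase hex characters.
    Raises ValueError for anything that does not contain exactly 12 hex digits after cleaning."""
    cleaned = SEPARATORS.sub("", value.strip()).lower()
    if not HEX12.match(cleaned):
        raise ValueError(f"not a MAC address: {value!r}")
    return cleaned


def mac_rule_matches(rule_value: str, reported_value: str) -> bool:
    """Emulate the rule's Match restriction: equal after both sides are normalized."""
    try:
        return normalize_mac(rule_value) == normalize_mac(reported_value)
    except ValueError:
        return False


def build_rule_values(inventory_entries):
    """Turn a constructed inventory export into the set of values to type into separate rules,
    and return the entries that could not be used so they can be fixed before publishing."""
    accepted, rejected = set(), []
    for entry in inventory_entries:
        try:
            accepted.add(normalize_mac(entry))
        except ValueError:
            rejected.append(entry)
    return accepted, rejected


# Constructed inventory export: three notations of valid addresses plus one broken entry.
CONSTRUCTED_INVENTORY = [
    "00:50:22:39:05:6E",
    "00-50-22-39-05-6e",
    "0050.2239.056e",
    "00:50:22:39:05",
]

if __name__ == "__main__":
    values, bad = build_rule_values(CONSTRUCTED_INVENTORY)
    print("rule values:", sorted(values))
    print("rejected:", bad)
    print("match:", mac_rule_matches("00502239056e", "00-50-22-39-05-6E"))
```

Because the client scan reports the physical address from the client itself, and an address can be set in the adapter properties, this check confirms that a known machine is being used rather than proving who is using it; combine it with the authentication methods described next rather than relying on it alone.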
To force your users to authenticate with two or more authentication methods before they can log in to the Application Portal, you create a Global Access Rule that uses the access rule with the combined authentication methods.

In the subsequent example, Active Directory is the first authentication method and WatchGuard SSL Password is the second authentication method. You can, however, combine any of your enabled authentication methods in access rules to secure your Application Portal.

Before you begin, make sure that the Active Directory and WatchGuard SSL Password authentication methods are enabled.

1. Select Manage System > Authentication. The Registered Authentication Methods page appears.
2. Verify the Status of the Active Directory and WatchGuard SSL Password authentication methods is Enabled.
Add an Access Rule to Combine Authentication Methods

In this example, we create an access rule that combines the Active Directory and WatchGuard SSL Password authentication methods.

1. Select Resource Access > Access Rules. The Manage Access Rules page appears.
2. Click Add Access Rule. The Add Access Rule page appears.
3. In the Display Name text box, type a name for this access rule. Click Next. The Select Type of Access Rule page appears.
4. Select Authentication method. Click Next. The Select Authentication Methods page appears.
5. From the Available Authentication Methods list, select Active Directory. Click Add >. The authentication method moves to the Selected Authentication Methods list.
6. From the Available Authentication Methods list, select WatchGuard SSL Password. Click Add >. The authentication method moves to the Selected Authentication Methods list.
7. Select Combine with 'And'.
8. Click Next. The Summary page appears with details of the authentication methods you selected.
9. Click Next. The Add Access Rule page appears.
10. Verify the information for the access rule is correct. Click Next. The Select Resources page appears.
11. Do not select any resources. Click Next. The Summary page appears.
12. Verify the access rule settings are correct. Click Finish Wizard. The Manage Access Rules page appears with the new access rule in the Registered Access Rules list.

Create a Global Access Rule

After you have created an access rule to combine the authentication methods, you add the access rule to a Global Access Rule, which is automatically applied to all resources and the Application Portal.

1. On the Manage Access Rules page, click Manage Global Access Rule. The Manage Global Access Rule page appears.
2. From the Available Access Rules list, select the access rule for the combined authentication methods. Click Add >. The access rule is moved to the Selected Access Rules list.
3. Click Save. The Manage Access Rules page appears with the access rule in the Global Access Rules list.
4. Click Publish to update your configuration and the Application Portal with this change.

Now, when your users try to log in to the Application Portal, they must first authenticate with their Active Directory credentials and then with their WatchGuard SSL Password credentials. When users successfully supply their credentials for both authentication methods, the Application Portal appears.
About the Application Portal

The Application Portal is a web site on the WatchGuard SSL device where clients can connect to your corporate applications and resources from remote locations. In the Application Portal, the applications and resources appear as icons that your users can click. These applications and resources are called Application Portal items. You can create Application Portal items for these resource types:

- Web resources
- Tunnel resources
- External sites

All Web resources and tunnel resources that you add to the Application Portal are automatically associated with an Application Portal item. You can also manually add Application Portal items for web resources or tunnel resources. For Web resources, you can also configure shortcuts. These shortcuts allow your users to connect directly to a resource with a web browser rather than through the Application Portal. You can also add Application Portal items for external sites, such as external URIs that are not registered as Web resources.

For more information about the settings for the Application Portal, see General Settings for the Application Portal.

About the Access Client

The WatchGuard SSL Access Client allows users to securely connect to your tunnel resources in the Application Portal. When users authenticate to the Application Portal and select a resource other than a web resource, the on-demand Access Client launches to load the tunnel. You can choose to load the Access Client with an ActiveX loader, Java Applet, or to run the VPN client in Java. When the user session ends, the on-demand Access Client closes and is not accessible to the user.

Your users can also select to install the Access Client on their client computers. The installed Access Client is available when users are not authenticated to the Application Portal and can be configured separately.

Manage Application Portal Items

Items that you put in the Application Portal enable your users to get access to your network. You can add, edit, and delete the resources that appear in the Application Portal.

To add a tunnel resource to the Application Portal, you must first create the tunnel resource. For more information about how to create a tunnel resource, see Manage Resources.

Add an Application Portal Item

1. Select Resource Access. The Resources page appears.
2. Select Application Portal. The Manage Application Portal page appears.
3. Click Add Application Portal Item. The Application Portal Item page appears.
4. Select the resource type for this portal item. Click Next. The subsequent pages that you see depend on the type of resource that you selected.
5. Complete the subsequent pages for the resource type you selected.
6. To enable the resource in the Application Portal, select the Make resource available in Application Portal check box. To add the Application Portal item, but not enable it, clear this check box.
7. Select the Icon that appears in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
8. In the Link Text text box, type the text to appear with the icon in the Application Portal.
9. Complete the additional settings for the resource you selected. The available options depend on the resource type you selected. Options include:

   Shortcut
      For web resources, you can add a shortcut path to the resource to enable your users to connect to the resource and not log in to the Application Portal. Type the shortcut IP address users can follow to this resource. For example: http://www.example.com/shortcut

   Hide Resource in URL
      To force users to use the shortcut for this resource, select this check box.

   External URL
      Type the URL of the web site where you want to redirect your users when they select this item in the Application Portal.

   URL Query
      For web resources, you can define a URL query that is added to the web resource address when a user selects the resource in the Application Portal. You can use a URL query to find data, or to configure other operations (for example, to add, update, or delete data). For example: http://www.example.com/index.php?id=2&page=1

   Protocol
      For web resources, you can configure the protocol to use when the Access Client connects to the web resource. This option is only available if both HTTP and HTTPS can be used to connect to the resource. Select whether to use the HTTP or HTTPS protocol for this resource.

10. Click Finish Wizard. The resource appears in the Registered Application Portal Items list.

After you add resources to your Application Portal, you can Connect to the Application Portal and test the resources you added.

Edit an Application Portal Item

1. Select Resource Access. The Resources page appears.
2. Select Application Portal. The Manage Application Portal page appears.
3. In the Registered Application Portal Items list, click the item to edit. The Edit Application Portal Item page appears.
4. Edit the settings in the Application Portal Settings section. You can update these settings:
   - Select the Make resource available in Application Portal check box to enable the resource in the Application Portal. Clear this check box if you do not want this resource to appear on the Application Portal.
   - Change the Icon that appears on the Application Portal for this resource.
   - Change the Link Text that appears on the Application Portal for this item.
5. Click Save.

To edit the resource settings that appear in the Tunnel Resource Information section, edit the resource on the Resources page. For more information, see Manage Resources.

Delete an Application Portal Item

1. Select Resource Access. The Resources page appears.
2. Select Application Portal. The Manage Application Portal page appears.
3. In the Registered Application Portal Items list, click the item you want to delete. The Edit Application Portal Item page appears.
4. Click Delete. A confirmation message appears.
5. Click Yes. The Application Portal item is removed from the Registered Application Portal Items list.
Connect to the Application Portal

After you have added resources to your Application Portal configuration, you can connect to the WatchGuard SSL Application Portal Authentication page to test and use your resources.

To connect to the Application Portal:

1. Open a web browser and type the address of the Application Portal domain name. You can also type the IP address of the SSL device and the Application Portal port number. For example:
      https://ap.example.com
      http://<ip address of the SSL device>:443
   The Authentication page appears with a list of available authentication methods.
2. Select an authentication method. For example, WatchGuard SSL Password. The Authentication page for the selected authentication method appears.
3. Type and submit your user credentials. The Application Portal appears with icons for the resources you can access.

Note
The system warns you if you have your CAPS LOCK key enabled when you enter your credentials.

Customize your Web UI and Application Portal

You can customize your WatchGuard SSL Web UI and WatchGuard SSL Application Portal with your corporate brand. You can also add a link to the Access Client installer in your Application Portal. For more information about how to add an Access Client installer link, see Add the Access Client Installer Link in the Application Portal.

Customize and Brand the Web UI and Application Portal

You can use two methods to customize and apply your corporate brand to your Application Portal: the Customize Application Portal page or the File Browser. To customize and brand WatchGuard SSL Web UI, you must use the File Browser.

For information about how to use the Customize Application Portal page to customize your Application Portal, see About the Customize Application Portal Page. For information about how to use the File Browser to customize your Web UI and Application Portal, see Customize your Web UI and Application Portal with the File Browser.
About the Customize Application Portal Page

You can use the Customize Application Portal page to make basic changes to the look and feel of your Application Portal. You can change these items:

   Company name: the name that appears in the About and Contact links
   Company URLs: the URLs associated with the About and Contact links
   Welcome message: the text that appears above the Resources section of the Application Portal
   Language: the display language for the Application Portal
   Client Authentication Portal background image: the image on the page where users select an authentication method
   Client Portal header image: the image that appears across the top of the Application Portal
   Web site icon: the icon that appears in the address bar of the browser

Apply Your Brand to the Application Portal

To apply your corporate brand to your Application Portal, you can replace the default content with your company information and images.

1. Select Resources Access > Application Portal. The Manage Application Portal page appears.
2. Click Customize Application Portal. The Customize Application Portal page appears.
3. From the Language drop-down list, select the display language to use on the Application Portal.
4. In the Company Name text box, type the name of your company as you want it to appear on the Application Portal.
5. In the Company URL text box, type the URL of your company web site. For example, http://www.example.com.
6. In the Company Contact URL text box, type the URL to the page on your company web site with your company contact information. For example, http://www.example.com/about/contact.asp.
7. In the Portal Name text box, type the name to appear at the top of your Application Portal window.
8. In the Portal Information Text text box, type the message you want your users to see when they log in to the Application Portal.
9. To change the background image for the Authentication Portal, adjacent to the Client Authentication Portal Background Image text box, click Browse and select a GIF image file. The maximum image size is 799 x 70 pixels.
10. To change the header image for the Application Portal, adjacent to the Portal Header Image text box, click Browse and select a GIF image file. The maximum image size is 456 x 360 pixels.
11. To change the icon that appears in the browser address bar when users connect to the Application Portal, adjacent to the Website Icon text box, click Browse and select a Windows icon (.ico) file.
12. Click Save. The Manage Application Portal page appears.
13. Click Publish to update your configuration. Your branding changes appear in the Application Portal.

Remove Your Company Information from the Application Portal

You can remove the text changes you made to the Application Portal and revert to the default settings. This process does not change the images you selected back to the default settings. You must select each image file manually.

To revert to the default text settings:

1. Select Resources Access > Application Portal. The Manage Application Portal page appears.
2. Click Customize Application Portal. The Customize Application Portal page appears.
3. Click Reset branding text to WatchGuard default. The text changes back to the default values.
4. Click Save. The Manage Application Portal page appears.
5. Click Publish to update your configuration. The default branding changes appear in the Application Portal.
Customize your Web UI and Application Portal with the File Browser

You can apply your corporate brand to these parts of the Web UI:

- WatchGuard SSL Web UI
- WatchGuard SSL Application Portal Authentication page
- WatchGuard SSL Application Portal page
- WatchGuard SSL Application Portal Online Help

To make changes to the WatchGuard SSL Web UI files and apply your own corporate brand, you add a new set of files to a folder specifically created for the files with the new brands. The new set of files must have the same names as the files in the original location. The files in the custom folder override the files in the original location. After you finish all your changes, make sure you click Publish to submit your changes.

Note
Do not change the files in the access-point\built-in-files\ directory. Instead, upload updated versions of these files to the access-point\custom-files\ directory.
Apply your Brand to Text Files

1. At the top of WatchGuard SSL Web UI, click Browse. The File Browser appears.
2. Select the access-point\built-in-files\wwwroot\branding\ folder.
3. Save the files you want to change to a location on your computer. For information about the files you can change, see WatchGuard SSL Files to Customize and Brand.
4. Update the locally saved files with your branding changes.
5. In the File Browser, select the access-point\custom-files\wwwroot\branding\ folder.
6. Upload your customized files.
Apply your Brand to Images, Style Sheets, and Templates

You can customize images, style sheets, and template files. The template files specify the text used on the Application Portal Authentication page. The heading of each Authentication page is defined by the display name that you give the authentication method.

Current image files are found in the access-point\built-in-files\wwwroot\wa\img folder. All other files are found in the folders in the access-point\built-in-files\wwwroot\wa directory.

To apply your corporate brand to files:

1. Select the access-point\built-in-files\wwwroot\wa\ directory.
2. Select the folder in the directory with the files you want to change.
3. Save the files you want to change to a location on your computer.
4. Update the saved files with your branding changes.
5. In the File Browser, select the access-point\custom-files\wwwroot\wa\ directory.
6. Select the folder with the same name as that from which you downloaded the files in the built-in-files directory.
7. Upload your customized files.

Upload all Branded Files at One Time

If you branded many files, you can upload them all at one time in a ZIP file rather than one at a time. Make sure that the files you updated are in the correct folder that matches the original directory structure.

1. Download the files you want to change from the access-point\built-in-files\wwwroot directory.
2. Update the files and add them to a ZIP file with the correct directory structure.
3. In the File Browser, select the access-point\custom-files\wwwroot folder.
4. Click Browse and select the ZIP file.
5. Click Upload. The file is automatically unzipped and the files are added to the directory structure from the ZIP file.

Publish Your Changes

When you have uploaded all the changed files, you must publish your changes before they appear in the Web UI and Application Portal.

1. Connect to WatchGuard SSL Web UI. If you made changes, the Publish button is blue.
2. Click Publish to update your configuration. Your branding changes appear in the Web UI and Application Portal.

WatchGuard SSL Files to Customize and Brand

You can copy these files and upload updated versions of these files to customize and apply your own corporate brand to WatchGuard SSL Web UI and the Application Portal.
Note
Do not change the files in the access-point\built-in-files\ directory. Upload updated versions of these files to the access-point\custom-files\ directory instead.

Text String Files

These files are in the access-point\built-in-files\wwwroot\branding folder:

   authad.txt
      This file contains the heading for the Active Directory authentication page. This text appears on every Active Directory template. Other authentication methods do not need a branding text file.
   authnovell.txt
      This file contains the heading for the Novell eDirectory authentication page.
   authselect.txt
      This file contains the heading for the Select Authentication Method page.
   authweb.txt
      This file contains the name of WatchGuard SSL Web UI that appears in the JavaScript dialog boxes to accept the ActiveX or Java Applet loader.
   company.txt
      This file contains the name of the company that appears in the Application Portal.
   company_about_url.txt
      This file contains the URL for information about the company.
   company_contact_url.txt
      This file contains the URL for company contact information.
   copyright.txt
      This file contains the company copyright notice.
   portal.txt
      This file contains the name of the Application Portal that appears on the Application Portal Help page.
   product.txt
      This file contains the name of the product that appears on the title of each page.
   tunnel.txt
      This file contains the name of the Access Client that appears in the JavaScript dialog boxes to accept the ActiveX or Java Applet loader.
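The ZIP upload described under Upload all Branded Files at One Time is only useful if every entry keeps the path and file name of its counterpart under access-point\built-in-files\wwwroot, because the custom-files copy overrides the built-in file by name. The following Python script is an added example, not part of this guide or of the WatchGuard product: it packs customized files into a ZIP with paths relative to wwwroot and then checks the archive before upload, rejecting entries with no built-in counterpart (a typo in a name silently produces a file that overrides nothing) and entries whose path escapes the target folder. The list of built-in file names it uses is a constructed stand-in drawn from the names in this section; the real list comes from the File Browser.

```python
import io
import posixpath
import zipfile

# Constructed stand-in for the tree under access-point\built-in-files\wwwroot. The names come from this
# section of the guide; a real check would build this set from a listing taken in the File Browser.
BUILT_IN_FILES = {
    "branding/company.txt",
    "branding/company_about_url.txt",
    "branding/company_contact_url.txt",
    "branding/copyright.txt",
    "branding/portal.txt",
    "wa/img/background_img.gif",
    "wa/img/logo.gif",
    "wa/access_portal.css",
}


def to_zip_path(rel_path: str) -> str:
    """ZIP entries use forward slashes; accept Windows-style paths copied from the File Browser."""
    return rel_path.replace("\\", "/")


def is_unsafe_entry(name: str) -> bool:
    """True for absolute paths, drive letters or '..' components, which would land outside custom-files."""
    norm = posixpath.normpath(name)
    has_drive = len(name) > 1 and name[1] == ":"
    return name.startswith("/") or has_drive or norm == ".." or norm.startswith("../")


def build_branding_zip(files: dict) -> bytes:
    """Pack {relative path under wwwroot: content} into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel_path, content in files.items():
            zf.writestr(to_zip_path(rel_path), content)
    return buf.getvalue()


def check_branding_zip(zip_bytes: bytes, built_in=BUILT_IN_FILES):
    """Return (ok, problems): every file entry must be a safe relative path that names a built-in file."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = to_zip_path(info.filename)
            if is_unsafe_entry(name):
                problems.append(f"unsafe path: {name}")
            elif posixpath.normpath(name) not in built_in:
                problems.append(f"no built-in file with this name: {name}")
    return (not problems, problems)


def example_good_zip() -> bytes:
    """Constructed archive with correctly named branding files."""
    return build_branding_zip({
        "branding\\company.txt": "Example Corp",
        "wa/img/logo.gif": b"GIF89a constructed placeholder",
    })


def example_bad_zip() -> bytes:
    """Constructed archive with a misspelled name and an entry that escapes the target folder."""
    return build_branding_zip({
        "branding/compny.txt": "Example Corp",
        "../evil.txt": "should never be uploaded",
    })


if __name__ == "__main__":
    print(check_branding_zip(example_good_zip()))
    print(check_branding_zip(example_bad_zip()))
```

Run the check against the archive you are about to upload; if it reports a name that is not in the built-in tree, fix the name rather than uploading, since the device overrides only files whose names match the originals.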
Authentication Page Style Sheets, Images, and Template Files

The template files specify the text used on the Application Portal Authentication pages. The heading on each Authentication page is defined by the display name that you give the authentication method in WatchGuard SSL Web UI.

The existing files are in the folders in the access-point\built-in-files\wwwroot\wa\ directory. Make sure you upload your changed files to the folder in the custom-files directory with the same name as the folder you downloaded it from in the built-in-files directory.

To customize                                          | Change                                           | File name
WatchGuard SSL Web UI                                 | The current skin                                 | WebSkin.zip
Graphics on logon pages                               | The background image                             | background_img.gif
Colors and fonts on authentication pages              | The style sheet for authentication pages         | common.css
Text strings or buttons on authentication pages       | The individual template files                    | See the Template files section
Application Portal logotype                           | The logotype                                     | logo.gif
Application Portal resource icons                     | The images                                       | [symbol_color].gif
Colors and fonts in the Application Portal            | The Application Portal style sheet               | access_portal.css
Colors and fonts in the Application Portal Online Help | The Application Portal Online Help style sheet  | default.css
Contents in the Application Portal Online Help        | The Online Help HTML page                        | access_portal_help.html

Application Portal Style Sheets, Images, and Template Files

You can customize the style sheets (.css files), images, and template files used in the Application Portal and associated authentication pages.
These files are located in these folders: access-point\built-in-files\wwwroot\wa\ access-point\built-in-files\wwwroot\wa\authmech access-point\built-in-files\wwwroot\wa\authmech\base access-point\built-in-files\wwwroot\wa\img access-point\built-in-files\wwwroot\wa\help Style sheets You can customize style sheets to change the colors and fonts for the Application Portal, the Application Portal authentication pages, and the Application Portal Online Help. User Guide 229
  File name           Description
  access_portal.css   Controls colors, fonts, and the location and size of page objects (for example, the logotype) in the WatchGuard SSL Application Portal (_menu.html and _menu.wml, _welcome.html and _welcome.wml).
  common.css          Controls colors and fonts in the Application Portal authentication pages.
  default.css         Controls colors and fonts in the Application Portal Online Help.

Images

You can replace or edit images to customize the WatchGuard SSL Web UI skin, the logotype or icons in the Application Portal, or graphics for the authentication pages. Images are GIF or JPEG format. The down.jpg and up.jpg web images can be in JPEG or GIF format. The mask.gif image must be in GIF format (indexed palette). All three files must have the same dimensions in pixels.

The image files are in the \built-in-files\wwwroot\wa\img, \built-in-files\wwwroot\wa\img\icons, \built-in-files\wwwroot\wa, and \built-in-files\wwwroot\wa\help folders. The three skin images (mask.gif, down.jpg, and up.jpg) are in \built-in-files\wwwroot\wa\authmech\webskin.zip.

  File name                    Description
  background_img.gif           Background image for authentication pages
  logo.gif                     Logotype
  email_orange.gif (example)   Icons for resources (applications) in the Application Portal
  mask.gif                     The mask that controls the placement of buttons and labels in WatchGuard SSL Web UI
  down.jpg                     WatchGuard SSL Web UI skin without background; buttons appear as selected
  up.jpg                       WatchGuard SSL Web UI skin with background; buttons appear as not selected

Template files

You can edit template files to customize text strings and buttons on individual authentication pages. The templates are available as HTML and WML files. Web authentication pages are HTML files and WAP authentication pages are WML files. All template files for the WatchGuard SSL Application Portal and associated authentication pages are located in these folders:
  access-point\built-in-files\wwwroot\wa\
  access-point\built-in-files\wwwroot\wa\authmech
  access-point\built-in-files\wwwroot\wa\authmech\base

Some of the template files, with their folder location, description, and user variables, are listed below.

Folder: access-point\built-in-files\wwwroot\wa

  _auto_reauthmessage
      The page that appears when a user logs off and must authenticate again.
  _chooseauthmech
      The page that appears when a user must select an authentication method.
      User variables: name, displayname
  _closedown_message
      The page that appears when a user session times out.
  _deletelogoncred
      The page that appears when the password database has been cleared.
  _error
      The error message users see.
      User variables: errmsg
  _InternalAuthentication
      Internal Authentication form.
      User variables: ihost, iuid, idom
  _logoutpage
      The page that appears when a user logs off.
  _menu
      The template for the WatchGuard SSL Application Portal page. This is the menu page that is called from the welcome.html file.
  _no_session
      The page that appears when a session times out.
  _popup_msg
      The popup message that appears to users.
      User variables: location, errmsg
  _reauthmessage
      The timeout message that appears to users.
  _refresh_top
      The page that appears when a user must refresh the browser.
  _securitywarning
      The page that appears for security warnings.
      User variables: errmsg
  _TimedoutPage
      The page that appears when a user is temporarily locked until a specific timeout occurs (SecurID only).
      User variables: auth_timeout
  _webclient.html
      The page that appears when the user selects a tunnel set in the Application Portal.
  _webclientjavaobj.html
      Contains the Access Client Java applet.
  _webclientobj.html
      Contains the Access Client ActiveX control.
  _welcome
      The page that appears when a user authenticates successfully.
  302
      A redirect page that appears when a page has moved.
      User variables: location
  302_top
      A redirect page that appears when a page has moved.
      User variables: location
  400
      The page that appears after a bad request.
  401E
      The page that appears after an external authentication failure because of incorrect credentials, when the selected authentication method is Basic Authentication.
  401I
      The page that appears after an internal authentication failure because of incorrect credentials, when the selected authentication method is Basic Authentication.
  401WIL
      The page that appears when a user fails to authenticate with a Windows Integrated Login.
      User variables: authmech, location
  403
      The page that appears when a client requests a forbidden resource.
      User variables: eprot, ehost, uri
  404
      The page that appears when a requested file is not on the device.
      User variables: eprot, ehost, file
  405
      The page that appears when a client request uses a prohibited HTTP method.
      User variables: eprot, ehost, uri, method, allow
  500
      The page that appears when a server error occurs.
      User variables: errmsg
  pocketclient
      Starts the Access Client for Pocket PC installation.

Folder: TestLogon

  LoginPage
      The Authentication page that appears for TestLogon, for example when a user requests http://127.0.0.1:19146/wa/auth?authmech=testlogon

Folder: access-point\built-in-files\wwwroot\wa\authmech\base

  GenericForm
      The template for authentication forms used with GenericForm template specifications. The user variables in the template specifications manage the appearance of the authentication page.
      User variables: heading, errmsg, explanation, message, authmech, texttext, textname, textvalue, readonlytext, readonlyname, readonlyvalue, passwordtext, passwordname, checkboxtext, checkboxname, checkboxvalue
  Dialog
      The template used with Dialog template specifications.
      User variables: heading, errmsg, explanation, message, authmech, buttontext, hiddenname, hiddenvalue
  Applet
      The template used with Applet template specifications. Only used by WatchGuard SSL Web UI.
      User variables: heading, errmsg, explanation, message, authmech, buttontext, hiddenname, hiddenvalue, username, vendorbase64, arg1, arg2
Apply your corporate brand to WatchGuard SSL Web UI

The required parameters are in the access-point\built-in-files\wwwroot\wa\authmech\base\web.js file. The values for the parameters required for WatchGuard SSL Web UI are all set in JavaScript from values supplied by the server.

  Parameter   Function
  UserName    User ID of the user who requested to authenticate
  Config      Configuration parameters
  Challenge   Challenge from WatchGuard SSL
  Modulus     Encryption modulus
  PostURL     URL where the results are posted

User variables

When an HTML or WML page appears, user variables in the template file are replaced with the related content. The content that each user variable is replaced with is described below.

  allow              A comma-separated list of allowed HTTP methods for the current host and URI.
  auth_timeout       The number of seconds that remain in the period of time a user is locked out and cannot authenticate to the WatchGuard SSL device (used with SecurID authentication).
  authmech           The authentication method for an authenticated user.
  authmech           The variable used in the template specification for the authentication method.
  authtimeout        The number of seconds that remain before an authenticated user is logged off. Used in the timeout warning page.
  do                 The template specification parameter for the input data.
  ehost              The external host name, such as the HTTP Host in the client request to the WatchGuard SSL device. This is a general variable that can be used in all templates.
  eprot              The external protocol, such as the protocol between the client and the WatchGuard SSL device (HTTP or HTTPS). This is a general variable that can be used in all templates.
  errmsg             The error message from the WatchGuard SSL device.
  explanation        The explanatory text in a template specification.
  final_timeout      The number of minutes that remain before the maximum lifetime of the current session is reached and the session ends.
  heading            The main heading text in a template specification.
  idom               A variable for the internal domain.
  ihost              The internal host (alias) by which the user is currently connected. This is not necessarily the same as the HTTP Host header in the WatchGuard SSL device request to the internal host.
  input-heading      The heading text for an input field in a template specification.
  iprot              The internal protocol by which the user is currently connected: HTTP or HTTPS.
  iuid               The internal UserID (uid filtered through NameMapper.wascr). This is a general variable that can be used in all templates.
  iuri               The internal URI in the request from the WatchGuard SSL device to the internal host.
  location           A URI or a URL that specifies where users are redirected when they authenticate.
  maxsessiontimeout  The maximum number of minutes for a user session. You specify this value when you set up your configuration.
  message            An authentication message from the WatchGuard SSL device.
  method             The HTTP method of the client request (for example, GET).
  ntdomain           The NT domain name.
  pin                The PIN for authentication.
  protocol           The URL parameter used for the Access Client that describes the protocol that the tunnel uses: EESSP or SSL.
  reauth_uid         The User ID for RADIUS pages.
  redirect           The URL parameter for the Access Client.
  replymsg           A variable in RADIUS pages.
  servernumber       The authentication challenge number from the WatchGuard SSL device.
  title              A variable in a template specification.
  tunnelcipheriv     The Base64-encoded cipher IV parameter that the system generates dynamically.
  tunnelcipherkey    The Base64-encoded cipher key parameter that the system generates dynamically.
  upd                The value of the UPD cookie used for session handling in a load-balanced environment. The system generates it dynamically.
  uid                The UserID for an authenticated user. This is a general variable that can be used in all templates.
  uri                The URI request sent from the client to the WatchGuard SSL device.
  waak               A parameter configured in the Web UI that is used in session handling.
  warningtimeout     The number of seconds that remain before a warning message or another authentication page appears.
  wasid              The user WASID parameter that is configured in the Web UI to manage sessions.

Add the Access Client Installer Link in the Application Portal

To give your users the installed Access Client, you can add the Access Client installer to the WatchGuard SSL device, and then edit the Application Portal page to add a link to the installer.

1. Save the AccessClientInstall.exe file on your computer.
2. In WatchGuard SSL Web UI, click Browse. The File Browser appears.
3. Select the access-point\built-in-files\wwwroot\wa\includes\ folder.
4. In the Upload File text box, type or browse to the location of the AccessClientInstall.exe file.
5. Click Upload.
6. Adjacent to the portaltext.txt file, click the edit icon. The Edit File page appears.
7. Type or paste this text in the file where you want the link to appear:
   To install the Access Client on your Windows computer, click here: <a href="/wa/includes/accessclientinstall.exe">WatchGuard SSL Client</a>
8. Click Save.
9. Click Publish to update your configuration with these changes.
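The user variables listed above are filled in from the client request and from server state before a template page is returned to the browser. If you customize the 404, 405, 302 or _error templates, treat values such as uri, file, ehost, errmsg and location as untrusted: a value reflected into the page without escaping turns an error page into a reflected cross-site scripting vector, and a redirect template that reflects location unchecked becomes an open redirect. The Python below is an added illustration of how such substitution should be done; it is not the WatchGuard SSL template engine, and the {{name}} placeholder syntax, the sample templates, the allowed-host list and the /wa/ fallback path are assumptions of this example.

```python
"""Added illustration of user-variable substitution into custom template pages.
Not the WatchGuard SSL template engine: the {{name}} placeholder syntax, the
sample templates, the allowed-host list and the /wa/ fallback are assumptions."""
import html
import re
from urllib.parse import urlsplit

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")
PORTAL_ROOT = "/wa/"  # assumed fallback; /wa/ is the portal path used on this page

# Variables the 302/302_top, 403/404/405 and _error pages receive (names taken
# from the user variables table). Every one of them can be influenced by the client.
REQUEST_DERIVED = {"uri", "file", "ehost", "eprot", "method", "errmsg", "location"}


def render(template: str, variables: dict) -> str:
    """Replace every {{name}} with the HTML-escaped value of that variable.

    html.escape(quote=True) also escapes quotes, so the same value is safe
    inside a double-quoted attribute such as a meta refresh 'content'."""
    def substitute(match):
        value = variables.get(match.group(1), "")
        return html.escape(str(value), quote=True)
    return PLACEHOLDER.sub(substitute, template)


def safe_location(location: str, allowed_hosts) -> str:
    """Accept a redirect target only if it is a same-site path or an absolute
    http(s) URL on a host we publish; anything else falls back to the portal.

    A 302 template that reflected the location variable unchecked would let a
    crafted portal URL send users to an attacker-chosen site."""
    parts = urlsplit(location)
    if not parts.scheme and not parts.netloc:
        # Relative path: must start with a single slash ("//evil" is scheme-relative).
        if location.startswith("/") and not location.startswith("//"):
            return location
        return PORTAL_ROOT
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return location
    return PORTAL_ROOT


# Constructed templates standing in for the 404 and 302 pages; not the shipped files.
TEMPLATE_404 = "<p>The file {{eprot}}://{{ehost}}{{file}} was not found.</p>"
TEMPLATE_302 = '<meta http-equiv="refresh" content="0; url={{location}}">'


def render_404(eprot: str, ehost: str, file: str) -> str:
    return render(TEMPLATE_404, {"eprot": eprot, "ehost": ehost, "file": file})


def render_302(location: str, allowed_hosts) -> str:
    return render(TEMPLATE_302, {"location": safe_location(location, allowed_hosts)})


if __name__ == "__main__":
    hosts = {"portal.example.com"}
    print(render_404("https", "portal.example.com", "/wa/<script>alert(1)</script>"))
    print(render_302('https://evil.example/"><script>', hosts))
    print(render_302("https://portal.example.com/owa/", hosts))
```

The escaping is applied at substitution time rather than left to the template author, so a variable dropped into a new place in a customized page cannot silently become unescaped; the redirect check rejects scheme-relative (`//host`) and `javascript:` targets as well as foreign hosts, because all three pass a naive "starts with /" or "contains our hostname" test.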
Add the Access Client Installer as an Application Portal Resource

To give your users the installed Access Client, you can add the Access Client installer to the WatchGuard SSL device, and then create a resource for the Access Client installer in the Application Portal.

Upload the Access Client Installer to the WatchGuard SSL device

You must upload the Access Client installer to the device before you can create a resource for it.

1. Save the AccessClientInstall.exe file on your computer.
2. In WatchGuard SSL Web UI, click Browse. The File Browser appears.
3. In the File Browser, select the access-point\custom-files\wwwroot\files\ folder.
4. In the Upload File text box, type or browse to the location of the AccessClientInstall.exe file.
5. Click Upload.
6. Close the File Browser window.

Create a web resource for the Access Client installer

You can add a web resource to allow your users to install the Access Client you uploaded to your WatchGuard SSL device. You can also add access rules for this resource, to restrict who can install it.

1. Select Resource Access. The Resources page appears.
2. Select the Web Resources tab.
3. Click Access Point. The Edit Web Resource Host Access Point page appears.
4. Select the Manage Paths tab. The Manage Paths page appears.
5. Click Add Web Resource Path. The Add Web Resource Path page appears.
6. In the Path text box, type files/accessclientinstall.exe.
7. To add access rules specific to this resource, clear the Use Parent Authorization check box. Additional tabs for Access Rules and Advanced Settings appear. Use these tabs to add access rules for this resource.
8. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
9. In the Link Text text box, type the name to appear with the icon in the Application Portal.
10. Click Save. The Manage Paths page appears.
11. Click Save. The Resources page appears.
12. Click Publish to update your configuration with this change.

The resource is now available in the Application Portal. After you add this resource, it appears on the Resources page in the Resources list, with the Access Point resource group.
About SSO Domains

Single Sign-On (SSO) is a session/user authentication process that allows users to authenticate with their user credentials one time to get access to multiple resources. When users authenticate with SSO, they have instant access to Application Portal items, and they do not have to authenticate again if they select a different item.

WatchGuard SSL SSO domains are configured to enable SSO for resources that share the same user credentials. The SSO domain specifies how SSO is used for the resources included in the domain. When user credentials are modified, the changes are automatically applied to all resources in the SSO domain.

When users first log on to the Application Portal with SSO, they are prompted for their credentials once for each SSO domain, the first time they select a resource that is in that SSO domain. By default, the user credentials are then stored indefinitely on the WatchGuard SSL user account in the Local User Database. You can instead choose to cache user credentials, in which case they are kept in memory only for the duration of the user session. After users authenticate successfully, they can select different internal applications that are part of the SSO domain. They do not have to authenticate again each time they select a resource in the Application Portal.

Domain type attributes

WatchGuard SSL SSO domains are text domains. When you add an SSO domain, you can associate different domain attributes with the SSO domain.

Text: This domain type is used to send user credentials as text, with different attributes that define the authentication information. Available domain attributes: User name, Password, Domain.

The domain attributes you add to the domain type depend on the authentication method you select. Standard domain attributes for the authentication methods are:

NTLM: All domain attributes for the domain type text (user name, password, and domain) are added to the domain type.
Basic: The user name and password attributes are added to the domain type. Basic is the most commonly used authentication method for web environments.
Form based: The user name and password attributes are added to the domain type. To use form-based logon for an SSO domain, you must design a web form for access to each resource in the SSO domain. You do this when you add or edit a resource.

Manage SSO Domains

You can add, edit, and delete the Single Sign-On (SSO) domains that are available for resource access with SSO.

Add an SSO domain

1. Select Resource Access. The Resources page appears.
2. Select SSO Domains. The Manage SSO Domains page appears.
3. Click Add SSO Domain. The Add SSO Domain page appears.
4. In the Display Name text box, type a name for this SSO domain.
5. Configure the settings for SSO Restrictions. If you select the Cache on session only check box, SSO credentials are kept in memory only during the user session. If you do not select this option, SSO credentials are stored in the user account.
6. Click Next. The Domain Attributes page appears.
7. To add an attribute, click Add Domain Attribute. The Add Domain Attribute page appears.
8. Configure the settings for the attribute. If you set Referenced By to User Input, do not type a value in the Attribute Value text box.
9. Click Next. The attribute appears in the Registered Domain Attributes list.
10. Click Next. The Apply SSO Domains to Resources page appears.
11. To select the resources that use this SSO domain, click Apply SSO Domains To Resources. The Select SSO Type page appears.
12. From the SSO Type drop-down list, select the SSO type: Text, Form based, Adaptive SSO, File Share, or RDP.
13. From the Available Resources list, select the resources to use this SSO domain and click Add >. The resources you selected appear in the Selected Resources list.
14. Click Next. The Apply SSO Domains page appears with the resources you added.
15. Click Next. The Add SSO Domain Summary page appears.
16. Review the settings for this SSO domain and click Finish Wizard. The SSO domain appears in the Registered SSO Domains list.

Edit an SSO domain

1. Select Resource Access. The Resources page appears.
2. Select SSO Domains. The Manage SSO Domains page appears.
3. In the Registered SSO Domains list, click the domain to change. The Edit SSO Domains page appears.
4. On the General Settings tab, change the Display Name or the SSO Restrictions settings.
5. To add an attribute to this SSO domain:
   a. Click Add Domain Attribute. The Add SSO Domain Attribute page appears.
   b. Configure the settings for the attribute. If you set Referenced By to User Input, do not type a value in the Attribute Value text box.
   c. Click Add. The attribute appears in the Registered Domain Attributes list.
6. To delete an attribute from this SSO domain:
   a. Select the Domain Attributes tab. The Domain Attributes page appears.
   b. From the Registered Domain Attributes list, select the attribute to delete. The Edit Domain Attribute page appears.
   c. Click Delete. A confirmation message appears.
   d. Click Yes. The attribute is removed from the Registered Domain Attributes list.
7. To add resources to this SSO domain:
   a. Select the Apply to Resources tab.
   b. Click Apply SSO Domains To Resources. The Select SSO Type page appears.
   c. From the SSO Type drop-down list, select the SSO type. The resources available with the selected SSO type appear in the Available Resources list.
   d. From the Available Resources list, select the resources to use this SSO domain and click Add >. The resources are moved to the Selected Resources list.
   e. Click Add. The names of the selected resources appear in the SSO Type list.
8. To remove resources from this SSO domain:
   a. Select the Apply to Resources tab.
   b. In the SSO Type list, adjacent to the resource to remove, click the delete icon. A confirmation message appears.
   c. Click Yes. The resource is removed from the list.
9. Click Save.

Delete an SSO domain

1. Select Resource Access. The Resources page appears.
2. Select SSO Domains. The Manage SSO Domains page appears.
3. In the Registered SSO Domains list, adjacent to the domain to delete, click the delete icon. A confirmation message page appears.
4. Click Yes. The SSO domain is deleted and is removed from the Registered SSO Domains list.
5. Click Publish to update your configuration with this change.

Configure SSO for Outlook Web Access (Form Based Authentication)

If your users use Outlook Web Access (OWA) with form-based authentication, you can use WatchGuard SSL Web UI to configure SSO (Single Sign-On) for it. To set up SSO for OWA form-based authentication, you must complete a multi-step process: add a resource for OWA, specify the SSO domain to use and configure form-based authentication, and select and configure an authentication method.

Add an Outlook Web Access Resource

1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Web Resources list.
4. Select Microsoft Outlook Web Access 2007. The Microsoft Outlook Web Access resource you selected is highlighted.
5. Click Next. The Add Resource Microsoft Outlook Web Access page appears.
6. In the Display Name text box, type OWA 2007.
7. (Optional) In the Description text box, type a description to help you identify this resource.
8. In the Host text box, type the valid DNS name or IP address of the email server for this resource.
9. Make sure the Make resource available in Application Portal check box is selected.
10. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
11. In the Link Text text box, type the text you want to appear with this icon in the Application Portal. For this example, type MS Outlook Web Access 2007.
12. Click Next. The Manage Access Rules page appears.
13. Select the default access rule Any Authentication.
14. Click Next. The Add Resource Summary page appears.
15. Review the settings for the resource and click Finish Wizard. The Resources page appears with a message that the resource was added successfully.

Add an SSO domain for form based authentication

1. Select Resource Access > SSO Domains. The Manage SSO Domains page appears.
2. Click Add SSO Domain. The Add SSO Domain page appears.
3. In the Display Name text box, type a name for this SSO domain. For this example, type AD.
4. (Optional) Configure the settings for SSO Restrictions.
5. Click Next. The Domain Attributes page appears.
6. Click Add Domain Attribute. The Add Domain Attribute page appears.
7. From the Attribute Name drop-down list, select an attribute: User name, Password, or Domain. If you select the Domain attribute, in the Attribute Value text box, type the domain name. For all other attributes, the Attribute Value text box can be empty.
8. Click Next. The Add SSO Domain page appears. The new attribute appears in the Registered Domain Attributes list.
9. Click Next. The Apply SSO Domains To Resources page appears.
10. Click Apply SSO Domains To Resources. The Select SSO Type page appears.
11. From the SSO Type drop-down list, select Form based.
12. From the Available Resources list, select OWA 2007 and click Add >. The resource you selected appears in the Selected Resources list.
13. Click Add. The Selected Resources page appears with the Form Based SSO settings for the OWA 2007 resource.
14. In the Method section, select POST.
15. In the Form Action (URL) text box, type https://<IP Address>/OWA/auth/owaauth.dll? and replace <IP Address> with the IP address of your Exchange Server.
16. In the Form Data text box, type destination=https://<IP Address>/OWA/&flags=0&forcedownlevel=0&isUtf8=1&password=[$password]&trusted=0&username=[$username] and replace <IP Address> with the IP address of your Exchange Server. The [$username] and [$password] placeholders stand for the User name and Password attributes of the SSO domain.
17. In the Verification URL text box, type https://<IP Address>/owa/auth/logon.aspx? and replace <IP Address> with the IP address of your Exchange Server.
18. In the Form Response text box, type the text that appears in the response when a user authentication attempt fails: url=https://<IP Address>/owa/&reason=2 and replace <IP Address> with the IP address of your Exchange Server.
19. In the Form Response Interpretation section, select Authentication has failed.
20. Click Save. The Apply SSO Domains to Resources page appears.
21. Click Next. The Add SSO Domain Summary page appears.
22. Review your settings and click Finish Wizard. The Manage SSO Domains page appears with AD in the Registered SSO Domains list.

Configure the authentication method and link translation

1. Select Manage System. The Authentication page appears.
2. In the Registered Authentication Methods list, select an Active Directory or LDAP authentication method. The Edit Authentication Method page appears.
3. Select the Extended Properties tab.
4. Click Add Extended Property. The Add Extended Property page appears.
5. From the Key drop-down list, select Save credentials for SSO domains.
6. In the Value text box, type the name of the SSO domain you created. For this example, type AD.
7. Click Add. The extended property appears in the Registered Extended Properties list.
8. Click Save.
9. Click Publish to update your configuration with this change.

Configure SSO with Outlook Web Access (Basic Authentication)

Use these steps to configure SSO (Single Sign-On) authentication for your Outlook Web Access users who use Basic authentication. To set up SSO for OWA with Basic authentication, you must complete a multi-step process: add a resource for OWA, specify the SSO domain to use and apply it to the resource, and select and configure an authentication method.

Add an Outlook Web Access 2003 resource

1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Web Resources list.
4. Select Microsoft Outlook Web Access 2003. The Microsoft Outlook Web Access resource you selected is highlighted.
5. Click Next. The Add Resource Microsoft Outlook Web Access 2003 page appears.
6. In the Display Name text box, type a name for this resource. For this example, type OWA 2003.
7. (Optional) In the Description text box, type a description to help you identify this resource.
8. In the Host text box, type the valid DNS name or IP address of the email server for this resource.
9. Make sure the Make resource available in Application Portal check box is selected.
10. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
11. In the Link Text text box, type the text to appear with this icon in the Application Portal.
12. Click Next. The Manage Access Rules page appears.
13. Select the default access rule Any Authentication.
14. Click Next. The Summary page appears.
15. Review the settings for the resource and click Finish Wizard. The Resources page appears with a message that the resource was added successfully.
16. Click Publish to update your configuration with this change.

Add an SSO domain

1. Select Resource Access > SSO Domains. The Manage SSO Domains page appears.
2. Click Add SSO Domain. The Add SSO Domain page appears.
3. In the Display Name text box, type a display name for this SSO domain. For this example, type AD-OWA 2003.
4. (Optional) Configure the settings for SSO Restrictions.
5. Click Next. The Domain Attributes page appears.
6. Click Add Domain Attribute.
7. From the Attribute Name drop-down list, select an attribute: User name, Password, or Domain. If you select the Domain attribute, in the Attribute Value text box, type the email domain. For all other attributes, the Attribute Value text box can be empty.
8. Click Next. The Add SSO Domain page appears. The new attribute appears in the Registered Domain Attributes list.
9. Click Next. The Apply SSO Domains to Resources page appears.
10. Click Apply SSO Domains To Resources. The Select SSO Type page appears.
11. From the SSO Type drop-down list, select Text.
12. From the Available Resources list, select OWA 2003 and click Add >. The resource you selected appears in the Selected Resources list.
13. Click Add. The Apply SSO Domains to Resources page appears with the OWA 2003 resource.
14. Click Next. The Add SSO Domain Summary page appears.
15. Review your settings and click Finish Wizard. The Manage SSO Domains page appears with the new SSO domain in the Registered SSO Domains list.
16. Click Publish to update your configuration with this change.
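Both OWA procedures above hand the stored SSO domain credentials to the mail server as text. The form-based OWA 2007 configuration posts them in the Form Data body and judges the result against the Verification URL and Form Response settings; the Basic configuration for OWA 2003 sends them in an HTTP Authorization header. The Python below is an added illustration of those two exchanges, not WatchGuard SSL code: how the device itself encodes the [$username] and [$password] placeholders, the 192.0.2.10 address standing in for <IP Address>, and the constructed server replies are assumptions of this example.

```python
"""Added illustration of the two SSO hand-offs configured above (form-based
OWA 2007 and Basic OWA 2003). Not WatchGuard SSL code; the encoding rules and
the constructed server replies are assumptions for this example."""
import base64
from urllib.parse import quote, parse_qs

EXCHANGE = "192.0.2.10"  # constructed stand-in for <IP Address>

# Form Based SSO settings as typed in the OWA 2007 procedure, with the address filled in.
FORM_ACTION = f"https://{EXCHANGE}/OWA/auth/owaauth.dll?"
FORM_DATA = (f"destination=https://{EXCHANGE}/OWA/&flags=0&forcedownlevel=0&isUtf8=1"
             "&password=[$password]&trusted=0&username=[$username]")
VERIFICATION_URL = f"https://{EXCHANGE}/owa/auth/logon.aspx?"
FORM_RESPONSE_FAILED = f"url=https://{EXCHANGE}/owa/&reason=2"
REDIRECTS = (301, 302, 303, 307)


def build_form_body(template: str, username: str, password: str) -> str:
    """Fill the [$username] and [$password] placeholders of the Form Data.

    Values are percent-encoded so a password containing '&', '=' or '%' stays
    one field instead of splitting the body or injecting another field.
    Whether the device encodes this way is an assumption of this example."""
    return (template
            .replace("[$username]", quote(username, safe=""))
            .replace("[$password]", quote(password, safe="")))


def fields(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body as the server would."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def interpret_form_response(status: int, location: str = "") -> str:
    """Apply the Verification URL / Form Response settings to OWA's reply.

    OWA 2007 answers a rejected logon with a redirect back to logon.aspx whose
    query carries url=...&reason=2; with Form Response Interpretation set to
    'Authentication has failed' that redirect means the credentials are wrong.
    Any other return to the logon page is inconclusive, not a success."""
    if status in REDIRECTS and location.startswith(VERIFICATION_URL):
        return "failed" if FORM_RESPONSE_FAILED in location else "inconclusive"
    if status == 200 or (status in REDIRECTS and location):
        return "ok"
    return "inconclusive"


def basic_authorization(username: str, password: str) -> str:
    """Authorization header a Text/Basic SSO domain (the OWA 2003 case) produces.

    Basic is base64, not encryption: anyone who can read the hop between the
    WatchGuard SSL device and the Exchange server recovers the password, so
    that hop must itself be protected (HTTPS to the internal host)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header: str):
    """Inverse of basic_authorization; shows that the header hides nothing."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd


if __name__ == "__main__":
    body = build_form_body(FORM_DATA, "alice", "p&ss=w%rd")
    print("POST", FORM_ACTION)
    print(body)
    print(fields(body)["password"])
    print(interpret_form_response(302, VERIFICATION_URL + FORM_RESPONSE_FAILED))
    print(basic_authorization("alice", "s3cret"), decode_basic(basic_authorization("alice", "s3cret")))
```

The two checks worth keeping from this are the ones operators most often get wrong when they configure form-based SSO by hand: a password with `&` or `=` in it must not be able to split the posted body (the naive string replacement produces an extra `ss=` field and a truncated password), and a redirect back to the logon page that does not carry the configured failure text must not be reported as a successful logon.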
Configure the authentication method for the SSO domain

1. Select Manage System. The Authentication page appears.
2. In the Registered Authentication Methods list, select an Active Directory or LDAP authentication method. The Edit Authentication Method page appears.
3. Select the Extended Properties tab.
4. Click Add Extended Property.
5. From the Key drop-down list, select Save credentials for SSO domains.
6. In the Value text box, type the name of the SSO domain you created. For this example, type AD-OWA 2003.
7. Click Save.
8. Click Publish to update your configuration with this change.

Configure SSO for Microsoft Outlook Web App 2010

To enable your users who use Outlook Web App 2010 to get access to their web mail, you can use WatchGuard SSL Web UI to add a Microsoft Outlook Web App 2010 resource to the Application Portal and configure adaptive SSO (Single Sign-On) authentication. To set up SSO for Outlook Web App 2010, you must complete a multi-step process: add a resource for Outlook Web App 2010, specify the SSO domain to use and configure adaptive SSO, and select and configure an authentication method.

Add a Microsoft Outlook Web App 2010 Resource

You can add an Outlook Web App 2010 resource to your network and enable access to it with any of your configured authentication methods.

1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Web Resources list and select Microsoft Outlook Web App 2010.
4. Click Next. The Add Resource Microsoft Outlook Web App 2010 page appears.
5. In the Display Name text box, type a name for this resource. For example, type Outlook Web App 2010.
6. (Optional) In the Description text box, type a description to help you identify this resource.
7. In the Host text box, type the IP address of the email server for this resource.
8. Make sure the Make resource available in Application Portal check box is selected.
9. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
10. In the Link Text text box, type the text to appear with the icon in the Application Portal. For example, type MS Outlook Web App 2010.
11. Click Next. The Manage Access Rules page appears.
12. From the Available Access Rules list, select the default access rule Any Authentication and click Add >. The access rule is moved to the Selected Access Rules list.
13. Click Next. The Add Resource Summary page appears.
14. Review the settings for the resource and click Finish Wizard. The Resources page appears with a message that the resource was added successfully.
15. Click Publish to update your configuration with this change. The resource is now available in the Application Portal.

Configure Adaptive SSO for the Resource

1. Select Resource Access > SSO Domains. The Manage SSO Domains page appears.
2. Click Add SSO Domain. The Add SSO Domain page appears.
3. In the Display Name text box, type a display name for this SSO domain. For example, type WATCHGUARDSSL.
4. (Optional) Configure the settings for SSO Restrictions.
5. Click Next. The Domain Attributes page appears.
6. Click Add Domain Attribute.
7. From the Attribute Name drop-down list, select Domain.
8. From the Attribute Restriction drop-down list, select Hidden.
9. From the Referenced By drop-down list, select Static.
10. In the Attribute Value text box, type your domain attribute.
11. Click Next. The Add SSO Domain page appears. The new attribute appears in the Registered Domain Attributes list.
12. Click Next. The Apply SSO Domains to Resources page appears.
13. Click Apply SSO Domains To Resources. The Select SSO Type page appears.
14. From the SSO Type drop-down list, select Adaptive.
15. From the Available Resources list, select the Outlook Web App 2010 resource and click Add >. The resource you selected appears in the Selected Resources list.
16. Click Add.
The Apply SSO Domains to Resources page appears with the Outlook Web App 2010 resource.
17. Click Next.
The Add SSO Domain Summary page appears.
18. Review your settings and click Finish Wizard.
The Manage SSO Domains page appears with the new SSO domain in the Registered SSO Domains list.
19. Click Publish to update your configuration with this change.

Configure the Authentication Method

1. Select Manage System.
The Authentication page appears.
2. From the Registered Authentication Methods list, select an authentication method for the SSO domain.
The Edit Authentication Method page appears.
3. Select the Extended Properties tab.
4. Click Add Extended Property.
5. From the Key drop-down list, select Save credentials for SSO domains.
6. In the Value text box, type the name of the SSO domain you created. For this example, type WATCHGUARDSSL.
7. Click Save.
8. Click Publish to update your configuration with this change.

Configure SSO for File Share Resources

When your users log in to the Application Portal, they must first choose an authentication method and then authenticate with their user credentials. After they have logged in to the Application Portal, they select an available resource, and then they supply their user credentials again.

Single Sign-On (SSO) is a feature you can enable for an Application Portal resource that allows your users to supply their credentials only one time. When SSO is enabled for a resource, such as a Windows File Share resource, your users have instant access to that resource in the Application Portal.

Add a Windows File Share resource

You can add a Windows File Share Resource to your network and enable access to it with any enabled authentication methods.

1. Select Resource Access.
The Resources page appears.
2. Click Add Resource.
The Add Resource page appears.
3. Expand the Tunnel Resources list.
4. Select Microsoft Windows File Share.
Microsoft Windows File Share is highlighted.
5. Click Next.
The Add Resource Microsoft Windows File Share page appears.
6. In the Display Name text box, type a name for this resource. For this example, type File Share.
7. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
8. In the Host text box, type the valid DNS name or IP address of the server where the share is located.
9. (Optional) From the Drive letter drop-down list, select a drive to map to this share. For example, S.
10. Make sure the Make resource available in Application Portal check box is selected.
11. Select an Icon to appear in the Application Portal for this resource.
    To select a custom icon, click Browse.
    To select a default icon, click Select icon in Icon Library.
12. In the Link Text text box, type the text to appear with this icon in the Application Portal.
13. Click Next.
The Manage Access Rules page appears.
14. Select the default access rule Any Authentication.
15. Click Next.
The Summary page appears.
16. Review the settings for the resource and click Finish Wizard.
The Resources page appears with a message that the resource was added successfully.
17. Click Publish to update your configuration with this change.
The file share resource is now available in the Application Portal.
Add an SSO domain and enable SSO for the resource

The first step you complete to enable SSO for a resource is to add your SSO domain information to your configuration.

1. Select Resource Access > SSO Domains.
The Manage SSO Domains page appears.
2. Click Add SSO Domain.
The Add SSO Domain page appears.
3. In the Display Name text box, type a display name for this SSO domain. For this example, type AD.
4. (Optional) Configure the settings for SSO Restrictions.
5. Click Next.
The Domain Attributes page appears.
6. Click Add Domain Attribute.
The Add Domain Attribute page appears.
7. From the Attribute Name drop-down list, select an attribute: User name, Password, or Domain.
8. If you select the Domain attribute, in the Attribute Value text box, type the domain of the share. Make sure the domain name you select matches the actual domain name for your network. For this example, type AD.
9. Click Next.
The Add SSO Domain page appears. The new attribute appears in the Registered Domain Attributes list.
10. Click Next.
The Apply SSO Domains To Resources page appears.
11. Click Apply SSO Domain To Resources.
The Select SSO Type page appears.
12. From the SSO Type drop-down list, select File Share.
13. From the Available Resources list, select the File Share resources to use this SSO domain and click Add >.
The File Share resources appear in the Selected Resources list.
14. Click Add.
The Apply SSO Domain To Resources page appears with the resources you selected.
15. Click Next.
The Add SSO Domain Summary page appears.
16. Click Finish Wizard.
The SSO Domain appears in the Registered SSO Domains list.

Configure the authentication method for the SSO domain

After you add your SSO domain information to your configuration, you select an authentication method to use with your SSO domain.

1. Select Manage System.
The Authentication page appears.
2. In the Registered Authentication Methods list, select an Active Directory or LDAP authentication method.
The Edit Authentication Method page appears.
3. Select the Extended Properties tab.
4. Click Add Extended Property.
The Add Extended Property page appears.
5. In the Key drop-down list, select Save credentials for SSO domains.
6. In the Value text box, type the domain name you created. For this example, type AD.
7. Click Add.
The extended property appears in the Registered Extended Properties list.
8. Click Save.
9. Click Publish to update your configuration with this change.

Configure SSO for Remote Control Resources

When your users log in to the Application Portal, they must first choose an authentication method and then authenticate with their user credentials. After they have logged in to the Application Portal, they select an available resource, and then they supply their user credentials again.

Single Sign-On (SSO) is a feature you can enable for an Application Portal resource that allows your users to supply their credentials only one time. When SSO is enabled for a resource, such as a Remote Control (Terminal Server) Resource, your users have instant access to that resource in the Application Portal.

Add a Terminal Server resource

Before you begin, make sure that Microsoft Terminal Services is active on the computer that you want your users to connect to. If you use Windows Vista, consult the Windows Help system for instructions to enable Terminal Services.

For Windows XP or Windows Server 2003:
1. Select Control Panel > Administrative Tools > Services.
2. Verify that the status for Terminal Services is Started.

You can add a Microsoft Terminal Server 2003 or 2008 resource to your network and enable access to it with any of the available authentication methods.

1. Select Resource Access.
The Resources page appears.
2. Click Add Resource.
The Add Resource page appears.
3. Expand the Tunnel Resources list.
4. Select Microsoft Terminal Server 2003 or Microsoft Terminal Server 2008.
The Microsoft Terminal Server resource you selected is highlighted.
5. Click Next.
The Add Resource Microsoft Terminal Server page appears.
6. In the Display Name text box, type a name for this resource. For this example, type Terminal Server.
7. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
8. Make sure the Enable resource check box is selected.
9. In the IP Address text box, type the IP address of the terminal server computer.
10. In the TCP Port text box, type the port to use to connect to the terminal server. The default setting is 3389.
11. From the Tunnel Type drop-down list, select the type of operating systems of the clients that can use this resource: Windows Platform or All Platforms.
12. Make sure the Make resource available in Application Portal check box is selected.
13. Select an Icon to appear in the Application Portal for this resource.
    To select a custom icon, click Browse.
    To select a default icon, click Select icon in Icon Library.
14. In the Link Text text box, type the text to appear with this icon in the Application Portal.
15. Click Next.
The Manage Access Rules page appears.
16. Make sure the default access rule Any Authentication appears in the Selected Access Rules list.
17. Click Next.
The Summary page appears.
18. Review the settings for this resource and click Finish Wizard.
19. Click Publish to update your configuration with this change.
The resource appears in the Application Portal.

Add an SSO domain

To enable SSO for a resource you must add your SSO domain information to your configuration.

1. Select Resource Access > SSO Domains.
The Manage SSO Domains page appears.
2. Click Add SSO Domain.
The Add SSO Domain page appears.
3. In the Display Name text box, type a display name for this SSO domain. For this example, type AD.
4. (Optional) Configure the settings for SSO Restrictions.
5. Click Next.
The Domain Attributes page appears.
6. Click Add Domain Attribute.
The Add Domain Attribute page appears.
7. From the Attribute Name drop-down list, select an attribute: User name, Password, or Domain.
8. If you select the Domain attribute, in the Attribute Value text box, type the domain of the terminal server. Make sure the domain name you select matches the actual domain name for your network. For this example, type AD.
9. Click Next.
The Add SSO Domain page appears. The new attribute appears in the Registered Domain Attributes list.
10. Click Next.
The Apply SSO Domains To Resources page appears.
11. Click Apply SSO Domain To Resources.
The Select SSO Type page appears.
12. From the SSO Type drop-down list, select RDP.
13. From the Available Resources list, select the Terminal Server resource to use this SSO domain and click Add >.
The Terminal Server resource appears in the Selected Resources list.
14. Click Add.
The Apply SSO Domain To Resources page appears with the resource you selected.
15. Click Next.
The Add SSO Domain Summary page appears.
16. Review your settings for the SSO domain and click Finish Wizard.
The SSO Domain appears in the Registered SSO Domains list. SSO is now enabled for the Terminal Services resource.

Configure the authentication method for the SSO domain

After you add your SSO domain information to your configuration, you select an authentication method to use with your SSO domain.

1. Select Manage System.
The Authentication page appears.
2. In the Registered Authentication Methods list, select an Active Directory or LDAP authentication method.
The Edit Authentication Method page appears.
3. Select the Extended Properties tab.
4. Click Add Extended Property.
The Add Extended Property page appears.
5. In the Key drop-down list, select Save credentials for SSO domains.
6. In the Value text box, type the SSO domain name you created. For this example, type AD.
7. Click Add.
The extended property appears in the Registered Extended Properties list.
8. Click Save.
9. Click Publish to update your configuration with this change.

Configure SSO for a Citrix MetaFrame Presentation Server Resource

You can configure your WatchGuard SSL device to use Single Sign-On (SSO) with a Citrix MetaFrame Presentation Server. To enable SSO to work with your Citrix MetaFrame Presentation Server, you add a web resource for the Citrix MetaFrame Presentation Server, add an SSO domain and a resource path, and edit the web resource and the tunnel resource.

Make sure that the Citrix Presentation Server does not use the nfuse15.wascr and nfuse16.wascr scripts. These scripts change the real IP address of the NFuse server that is sent to the client in the ICA file to 127.0.0.1 and 127.0.0.1:1494.

Because the resource for the Citrix Presentation Server uses dynamic tunnels, you must be logged in to the client computer with an account that has administrative rights the first time you use the resource.

Add the Citrix MetaFrame Presentation Server resource

To add a resource for the Citrix MetaFrame Presentation Server:

1. Select Resource Access.
The Resources page appears.
2. Click Add Resource.
The Add Resources page appears.
3. Expand Web Resources and select Citrix MetaFrame Presentation Server.
4. Click Next.
The Add Resource Citrix MetaFrame Presentation Server page appears.
5. In the Display Name text box, type a name for this resource. For this example, type Citrix (Web).
6. (Optional) In the Description text box, type a description to help you identify the resource.
7. Make sure the Enable resource check box is selected.
8. In the Host text box, type the IP address of your Citrix Web Server.
9. In the HTTP Port text box, type the port to use to connect to your Citrix Web Server. We recommend you keep the default setting of port 80.
10. In the Citrix MetaFrame Server text boxes, type the IP addresses of your Citrix MetaFrame Servers. You can specify up to three servers.
11. Make sure the Make resource available in Application Portal check box is selected.
12. Select the Icon that appears in the Application Portal for this resource.
    To select a custom icon, click Browse.
    To select a default icon, click Select icon in Icon Library.
13. In the Link Text text box, type the name to appear with the icon in the Application Portal.
14. Click Next.
The Manage Access Rules page appears.
15. Select an access rule in the Available Access Rules list and click Add > to add it to the Selected Access Rules list.
16. Click Next.
The Summary page appears.
17. Review the settings for the resource.
18. Click Finish Wizard.
The Citrix resource appears in the Resources list.
19. Click Publish to update your configuration with this change.

Edit the Advanced Settings for the Citrix web resource

After you add the Citrix MetaFrame Presentation Server Resource, you edit the web resource to configure the advanced settings.

1. Select Resource Access.
The Resources page appears.
2. Select the Web Resources tab.
3. Select the Citrix (Web) web resource you created in the previous procedure.
The Edit Web Resource Citrix (Web) page appears.
4. Select the Advanced Settings tab.
5. Make sure the Share cookies between client and resource check box is selected.
6. In the Cookies to Check text box, type the * wildcard character.
7. In the Action section, select Allow.
8. Click Save.
The Resources page appears with a message that the resource was successfully saved.
9. Click Publish to update your configuration with the changes.

Add an SSO domain

After you edit the web resource, you configure the SSO domains for the resource.

1. Select Resource Access > SSO Domains.
The Manage SSO Domains page appears.
2. Click Add SSO Domain.
The Add SSO Domain page appears.
3. In the Display Name text box, type a name for this SSO domain. For this example, type Citrix_SSO_Domain.
4. From the Domain Type drop-down list, select Text or Cookie.
5. Configure the settings for SSO Restrictions.
If you select Cache on session only, SSO credentials are kept in memory only during the user session. If you do not select this option, SSO credentials are stored in the user account.
6. Click Next.
The Domain Attributes page appears.
7. Click Add Domain Attribute.
The Add Domain Attribute page appears.
8. From the Attribute Name drop-down list, select User Name.
9. From the Attribute Restriction drop-down list, select Editable.
10. From the Referenced By drop-down list, select User Input.
11. Do not type an Attribute Value.
12. Click Next.
The attribute appears in the Registered Domain Attribute list.
13. Click Add Domain Attribute, and configure the attribute with these settings:
    Attribute Name: Password
    Attribute Restriction: Editable
    Referenced By: User input
    Attribute Value: Keep blank
14. Click Next.
The attribute appears in the Registered Domain Attribute list.
15. Click Add Domain Attribute, and configure the attribute with these settings:
    Attribute Name: Domain
    Attribute Restriction: Hidden
    Referenced By: Static
    Attribute Value: Type a value for the attribute that matches the domain attribute for your Citrix server. For this example, type Citrix_SSO_Domain.
16. Click Next.
The attribute appears in the Registered Domain Attribute list.
17. Click Next.
The Apply SSO Domain to Resources page appears.
18. Click Apply SSO Domains to Resources.
The Select SSO Type page appears.
19. From the Available Resources list, select the Citrix (Web) resource you created.
20. Click Add >.
The Citrix (Web) resource appears in the Selected Resources list.
21. Click Add.
The Apply SSO Domains To Resources page appears with the resource you selected.
22. Click Next.
The Add SSO Domains Summary page appears.
23. Review your settings and click Finish Wizard.
The Manage SSO Domains page appears with the new domain in the Registered SSO Domains list.
Add a resource path

After the web resource is configured, you can add a resource path to the web resource.

1. Select Resource Access > Resources.
The Resources page appears.
2. Select the Web Resources tab.
3. Select the Citrix (Web) resource.
The Edit Web Resource Host Citrix (Web) page appears.
4. Select the Manage Paths tab.
5. Click Add Web Resource Path.
The Add Web Resource Path General Settings page appears.
6. Make sure the Enable resource check box is selected.
7. In the Path text box, type Citrix/AccessPlatform/site/default.aspx.
8. Select the Make resource available in Application Portal check box.
9. Select an Icon to appear in the Application Portal for this resource.
    To select a custom icon, click Browse.
    To select a default icon, click Select icon in Icon Library.
10. In the Link Text text box, type the text to appear with this icon in the Application Portal.
11. Click Save.
The Manage Paths page appears with the new path in the Paths list.
12. Click Save.
The Resources page appears with the updated resource and path on the Web Resources tab.
13. Select the path you added.
The Edit Web Resource Path page appears.
14. Select the Enable Single Sign-On check box.
15. In the Single Sign-On Type drop-down list, select Adaptive SSO.
16. From the SSO Domain drop-down list, select the SSO domain you added. For this example, select Citrix_SSO_Domain.
17. Click Save.
The Resources page appears.
18. Click Publish to update your configuration with this change.

Edit the tunnel resource

To redirect your users to the correct location for the Citrix MetaFrame Presentation Server, you must edit the tunnel resource and set the Redirect URL for the Citrix web resource.

1. Select Resource Access.
The Resources page appears.
2. Select the Tunnel Resources tab.
3. Select the Citrix (Web) tunnel resource.
The Edit Tunnel Resource Citrix (Web) page appears.
4. Select the Startup tab.
5. In the Redirect URL text box, type /http/citrix(web)/Citrix/AccessPlatform/site/default.aspx.
The /Citrix(Web)/ section of the Redirect URL path is set based on the Display Name setting for the Citrix web resource. For example, if the Display Name of the Citrix web resource is CitrixSSO, the redirect URL path is /http/citrixsso/citrix/accessplatform/site/default.aspx.
6. Click Save.

After you have completed all the settings for access to the Citrix MetaFrame Presentation Resource, your users can log in to the Application Portal and select this resource to launch the Citrix MetaFrame Web Server.
6 About Manage System

To review and manage the overall configuration of your WatchGuard SSL system, from the WatchGuard SSL Web UI top menu, select Manage System. The Manage System submenu items are:

Authentication
Configure and manage the authentication methods and global authentication settings. For more information, see About Authentication Methods.

Certificates
Manage Certificate Authorities (CAs), Server Certificates, and Client Certificates. For more information, see About Certificates.

Abolishment
Configure the settings for Abolishment (file removal, and Internet Explorer history and cache deletion). For more information, see About Abolishment.

Assessment
Configure settings for the client scans performed on clients that access a resource protected by an Assessment access rule. You can also configure other Assessment settings. For more information, see About Assessment.

Notification Settings
Configure the settings for email and SMS notifications. For more information, see About Notification Settings.

Client Definitions
Configure the clients that can access resources. For more information, see Manage Client Definitions.
Delegated Management
Create and edit administrative roles with different configuration and monitoring responsibilities. For more information, see About Delegated Management.

Administration Service
Configure all settings for the Administration Service, including the port, certificate, and other settings. You can also restart the Administration Service. For more information, see About the Administration Service.

Device Settings
Configure settings for the Application Portal, performance, cipher suites, security, and session control. For more information, see Manage Device Settings.

Device Update
Configure settings for the WatchGuard SSL device. From this page you can change time settings, upgrade the system software, reset the device to the factory default settings, and reboot the device. For more information, see Update the Device.

Network Configuration
Configure the network type (single or dual interface mode), the network settings for the Eth0 interface, and the network routes. For more information, see Network Configuration.

Restore Configuration
Restore the most recently published system configuration, or a configuration from an earlier date. For more information, see Restore a Saved Configuration.

Import/Export Configuration
Import and export the configuration data to or from an archive file. For more information, see Import or Export the Configuration.

About Authentication Methods

You can configure one or more authentication methods to secure your network. You configure authentication methods in the Manage System section of WatchGuard SSL Web UI.

To configure supported authentication methods:

1. Select Manage System > Authentication.
The Authentication page appears.
2. From the Authentication menu, you can complete these tasks:
    Add an Authentication Method
    Manage an Authentication Method
    Manage Global Authentication Service Settings
    Manage RADIUS Configuration

Supported Authentication Methods

When you create an authentication method access rule, you add one or more authentication methods to the access rule. There are 16 supported authentication methods. There are five WatchGuard SSL authentication methods and eleven other authentication methods you can use to integrate with your existing authentication services.

WatchGuard authentication methods:
    WatchGuard SSL Mobile Text
    WatchGuard SSL Web
    WatchGuard SSL Challenge
    WatchGuard SSL Password
    WatchGuard SSL Synchronized
For more information, see About WatchGuard SSL Authentication Methods.

Additional authentication methods:
    General RADIUS
    SECUREMATRIX
    SecurID LDAP
    Active Directory
    Novell eDirectory
    Windows Integrated Login
    NTLM
    Basic
    User Certificate
    Form-Based Authentication
    Confidence Online
For more information, see About Other Authentication Methods.

About WatchGuard SSL Authentication Methods

The WatchGuard SSL authentication methods are Web, Challenge, Synchronized, Mobile Text, and Password. All of these methods use the RADIUS protocol.

WatchGuard SSL Web
You can use this method for authentication in a web browser. Users type their user IDs and a Java applet or ActiveX component is launched. The client prompts the user to enter a password or PIN. The password or PIN is then hashed and encrypted before it is returned to the server.

WatchGuard SSL Challenge
You can use this method for authentication in a web browser, WAP client, or with a PDA. Users type their user names, and are prompted (challenged) to provide private information (the response) before they are allowed access. The challenge-response technique is most often used with a hardware token that generates the response. In WatchGuard SSL Challenge, the Mobile ID software client generates the response. Users type their PINs in the Mobile ID Challenge client and the Mobile ID software generates a one-time password (OTP). You can install the Mobile ID client on a mobile device such as a handheld PC or a cell phone, or on a laptop or desktop computer.

WatchGuard SSL Synchronized
You can use this method for two-factor authentication in a Web browser, WAP client, or with a PDA. Users type their user IDs and are prompted for a one-time password (OTP). In WatchGuard SSL Synchronized, an integrated software client (Mobile ID) generates the OTP. Users type their PINs in the Mobile ID client and the Mobile ID software generates the one-time password (OTP) based on the PIN and on a seed that is synchronized with the WatchGuard SSL device. The seed is different for each user. You can install the Mobile ID client on a mobile device, such as a handheld PC or a cell phone, or on your laptop or desktop computer.
WatchGuard SSL Mobile Text
This method is based on a combination of an account password and a one-time password (OTP) distributed through an SMS channel. For this method, users type the account password on the web login page. The WatchGuard SSL device generates an OTP and sends it to the cell phone number or email address for that user account. All authentication and notification messages are sent through mobile text to the cell phone number or email address registered to that specific user account. The user must type the OTP to complete the authentication process. You can use the WatchGuard SSL Mobile Text authentication method on a mobile device such as a handheld PC or a cell phone, as well as on a desktop PC or Mac computer.
When you select Allow Two-step Authentication in the authentication method configuration, authentication is distributed over two sessions: the server sends the OTP to the mobile phone, and then the user logs on with the OTP.

WatchGuard SSL Password
The WatchGuard SSL Password authentication method is based on static password authentication. A static password is created and maintained to authenticate remote access with a RADIUS client.

Download Mobile ID clients

The WatchGuard SSL authentication methods Challenge and Synchronized use the Mobile ID client to generate the OTP response. The Mobile ID client is available on the WatchGuard web site software downloads page as a separate file. You can download this file and distribute the Mobile ID clients to your users to install on their mobile devices.

About Other Authentication Methods

In addition to the five WatchGuard SSL authentication methods, WatchGuard SSL supports these eleven authentication methods:

General RADIUS
This authentication method can be used with any RADIUS-compliant authentication server.

SECUREMATRIX
This is a unique, web-based authentication method that uses identity verification and pattern recognition to generate a one-time password (OTP) each time a user logs in. You can add only one SECUREMATRIX authentication method to your configuration.

SecurID LDAP
This method supports RSA SecurID tokens that generate a one-time password (OTP). This method performs an LDAP bind.

Active Directory
This method is an LDAP bind authentication method with the ability to enable users to change their passwords. This functionality is only supported with Microsoft Active Directory (AD) servers. The External Directory Service (your AD server) must be configured for SSL communication, because this functionality is only allowed over SSL.

Novell eDirectory
This method is an LDAP bind authentication method with the ability to enable users to change their passwords.
Windows Integrated Login
This method enables the Windows domain credentials to be used automatically for authentication. When the Application Portal is protected by Windows integrated login authentication, Windows users do not have to type their credentials to log on to the Application Portal. Instead, the SSL device gets the user credentials from the client.

NTLM
The NTLM authentication method uses the NTLM authentication protocol used in various Microsoft network protocol implementations.

Basic
This method performs a basic authentication according to RFC 2617, HTTP Authentication: Basic and Digest Access Authentication.

User Certificate
This method uses attribute mapping. The user is authenticated only if there is an exact match between the configured User Attribute and the Certificate Attribute.

Form-Based Authentication
This authentication method uses HTML forms that you can edit. You can also add new HTML forms. The credentials submitted to the device are posted in the form for authentication. When the credentials are accepted, the user is authenticated and allowed access to the network.

Confidence Online
This method uses the Confidence Online client for authentication.

Add an Authentication Method

You can add, edit, and delete authentication methods. By default, the five WatchGuard SSL authentication methods are enabled. You can add other supported authentication methods to the Registered Authentication Methods list.

To add an authentication method:

1. Select Manage System > Authentication.
The Registered Authentication Methods page appears.
2. Select Add Authentication Method.
The Add Authentication Method page appears.
3. Select an authentication method.
For more information about the available authentication methods, see About WatchGuard SSL Authentication Methods on page 278 and About Other Authentication Methods on page 279.
4. Click Next.
5. Configure the settings for the selected authentication method. Some of these settings do not apply to all authentication methods.

Enable Authentication Method
Select this check box to enable the new authentication method. To add an authentication method but not enable it in the Application Portal, clear this check box.

Display Name
The Display Name is the name that appears in the Application Portal for this authentication method.

Template Name
The Template Name is the name of the template that defines the appearance of the logon page when users log on with this authentication method. The name of the default template is automatically filled in.

Template Specification
For most authentication methods, you can select Manage Default Template Specification to customize the appearance of the Application Portal authentication page. When you add an authentication method, these settings are configured automatically.

Authentication Method Server
This is the server that provides authentication for this authentication method. For the five WatchGuard SSL authentication methods, the Authentication Method Server is the RADIUS server on the SSL device. For most authentication methods you must specify an authentication server to use for the authentication method.

RADIUS replies
The authentication methods that use RADIUS include some pre-defined RADIUS replies. You can edit these replies or you can add new ones. Each RADIUS reply consists of a Name, a RADIUS Reply Matching String, and a RADIUS Template Specification. The template specification controls how the reply appears to the user.

Extended Properties
You can define extended properties for some authentication methods to customize what happens when a user authenticates. You can edit the existing extended properties or you can add new ones. Each extended property includes a Key and a Value.

6. Click Finish Wizard to save the new authentication method.
Manage an Authentication Method
You can edit or delete the registered authentication methods.

To edit an authentication method:
1. Select Manage System > Authentication.
   The Authentication page appears.
2. In the Registered Authentication Methods list, click the authentication method to edit.
   The Edit Authentication Method page appears.
3. Select a tab to edit the authentication method configuration settings. For more information about the settings on each tab, see:
   Edit General Settings
   Manage RADIUS Replies
   Manage Extended Properties
4. Click Save.

To delete an authentication method:
1. Select Manage System > Authentication.
   The Authentication page appears.
2. In the Registered Authentication Methods list, click the authentication method to delete.
   The Edit Authentication Method page appears.
3. Click Delete.
4. Click Yes.
   The authentication method is removed from the Registered Authentication Methods list.

Edit General Settings
To edit the general settings for an authentication method:
1. On the Authentication page, click an authentication method to edit it.
   The Edit Authentication Method page appears.
2. Select the General Settings tab.
3. To disable the authentication method, clear the Enable Authentication Method check box.
4. Update the settings. Some of these settings do not apply to all authentication methods.

   Display Name
   The name that appears in the Application Portal for this authentication method.

   Template Name
   The name of the template that defines the appearance of the logon page when users log on with this authentication method.

   Template Specification
   For most authentication methods, you can click Manage Default Template Specification to customize the appearance of the login page.

   Authentication Method Server
   For most authentication methods, you must specify an authentication method server to use for the authentication method.

5. Click Save.

Manage RADIUS Replies
The authentication methods that use RADIUS include some pre-defined RADIUS replies. You can add, edit, or delete RADIUS replies. Each RADIUS reply consists of a Name, a RADIUS Reply Matching String, and a Template Specification.

Add a RADIUS reply
1. Select Manage System > Authentication.
   The Authentication page appears.
2. In the Registered Authentication Method list, click the method to edit.
   If the authentication method uses RADIUS replies, there is a RADIUS Replies tab.
3. Select the RADIUS Replies tab.
   The list of configured RADIUS replies appears.
4. Click Add RADIUS Reply.
   The Add RADIUS Reply page appears.
5. In the Display Name text box, type the name of the RADIUS reply.
6. In the RADIUS Reply Matching String text box, type the message to show the user for this RADIUS reply.
7. In the RADIUS Template Specification text box, type or paste the template for this RADIUS reply.
8. Click Add.
   The reply appears in the Registered RADIUS Replies list.
9. Click Save.

Edit a RADIUS reply
1. Select Manage System > Authentication.
   The Authentication page appears.
2. In the Registered Authentication Method list, click the method to edit.
   If the authentication method uses RADIUS replies, there is a RADIUS Replies tab.
3. Select the RADIUS Replies tab.
   The list of configured RADIUS replies appears.
4. In the Registered RADIUS Reply list, click the reply you want to edit.
   The Edit RADIUS Reply page appears.
5. Edit the reply information.
6. Click Update.
   The updated reply appears in the Registered RADIUS Replies list.
7. Click Save.

Delete a RADIUS reply
1. Select Manage System > Authentication.
   The Authentication page appears.
2. In the Registered Authentication Method list, click the method whose reply you want to delete.
   If the authentication method uses RADIUS replies, there is a RADIUS Replies tab.
3. Select the RADIUS Replies tab.
   The list of configured RADIUS replies appears.
4. In the Registered RADIUS Reply list, click the reply you want to delete.
   The Edit RADIUS Reply page appears.
5. Click Delete.
   A confirmation message appears.
6. Click Yes.
   The selected reply is removed from the Registered RADIUS Replies list.
7. Click Save.

Manage Extended Properties
You can add, edit, or delete Extended Properties for some authentication methods. Extended Properties define what happens when a user authenticates with each method. When you add authentication methods, you can use Extended Properties to specify particular settings for the authentication method you selected. Some examples of Extended Properties include: Save credentials for SSO domain, Allow unknown user ID, and Lock user ID for session.

Each Extended Property consists of a Key and a Value. When you edit an extended property, you can only change the Value. To change the Key, you must delete the Extended Property and add a new one with the correct Key/Value pair.

Add an Extended Property
1. Select Manage System > Authentication.
   The Authentication page appears.
2. In the Registered Authentication Methods list, click the authentication method to edit.
   The Edit Authentication Method page appears.
3. Select the Extended Properties tab.
4. Click Add Extended Property.
   The Add Extended Property page appears.
5. From the Key drop-down list, select an option for this Extended Property. Some of these settings do not apply to all authentication methods.
   User attribute
   WatchGuard account required prior authentication
   User name may not change during session
   Lock user ID to session
   Allow user not listed in any External Directory Service
   Force create user
   Save credentials for SSO domain
   Create user on failed logon
   Reveal RADIUS reject reason
   RADIUS character encoding
   ActiveSync Device ID Locking
6. If you select User Attribute, in the Value text box, type the attribute information. If you select any other Key option, in the Value drop-down list, select true or false.
7. Click Add.
   The Extended Property appears in the Registered Extended Properties list.
8. Click Save.

Edit an Extended Property
1. Select Manage System > Authentication.
   The Authentication page appears.
2. In the Registered Authentication Methods list, click the authentication method to edit.
   The Edit Authentication Method page appears.
3. Select the Extended Properties tab.
   The list of registered Extended Properties appears.
4. In the Registered Extended Properties list, click the extended property to edit.
   The Edit Extended Property page appears.
5. Update the Value.
6. Click Update.
7. Click Save.

Delete an Extended Property
1. Select Manage System > Authentication.
   The Authentication page appears.
2. In the Registered Authentication Methods list, click the authentication method to edit.
   The Edit Authentication Method page appears.
3. Click the Extended Properties tab.
4. In the Registered Extended Properties list, click the Extended Property to delete.
   The Edit Extended Property page appears.
5. Click Delete.
6. Click Yes.
7. Click Save.

Manage Global Authentication Service Settings
You can manage the authentication settings that apply to all authentication methods.
1. Select Manage System > Authentication.
   The Registered Authentication Methods page appears.
2. Click Manage Global Authentication Settings.
   The Global Authentication Service Settings page appears.
3. Select a tab to configure the settings:
   Manage Global RADIUS Authentication Settings
   Manage Password and PIN Settings
   Manage Email Messages Settings
   Manage SMS/Screen Message Settings
4. Click Save.

Manage Global RADIUS Authentication Settings
You can configure the settings for RADIUS authentication.
1. Select Manage System > Authentication.
   The Registered Authentication Methods page appears.
2. Click Manage Global Authentication Settings.
   The Global Authentication Service Settings page appears.
3. Click the RADIUS Authentication tab and configure the settings.
   The RADIUS Authentication page appears.
   For more information about the settings, see the subsequent section.
4. Click Save.

RADIUS Authentication settings

Drop unknown sessions
When selected, access requests by unknown RADIUS sessions are dropped without notification. If this option is not selected, the server sends the reply Access Denied.

Drop unknown users
When selected, access requests by unknown users are dropped without notification. If this option is not selected, the request is accepted, but the authentication fails and the server sends an access reject message. This setting can be useful for chained authentication.

Proxy unknown users
When selected, unknown users are authenticated with another RADIUS server: the server tries to proxy the request to the configured RADIUS back-end server. If the request is not serviced, the server responds with the action set for Drop unknown users. Proxy unknown users takes precedence over Drop unknown users if both are selected.

Reveal reject reason
When selected, the reason why a request is rejected is sent to the RADIUS client.

Session Timeout
The number of seconds before the RADIUS session times out. If a RADIUS session is not used before this amount of time passes, the session ends and this value is reset. The default value is 180 seconds.
RADIUS Encoding
When the system receives a RADIUS packet, it converts the data to strings that match the UTF-8 standard. Some RADIUS clients do not support UTF-8. For these RADIUS clients, you can specify another encoding. The default value is UTF-8.

Manage Password and PIN Settings
You can configure the global password and PIN settings for WatchGuard authentication methods.
1. Select Manage System > Authentication.
   The Registered Authentication Methods page appears.
2. Click Manage Global Authentication Settings.
   The Global Authentication Service Settings page appears.
3. Select the Password/PIN Settings tab and configure the settings.
   For more information about these settings, see the subsequent sections.
4. Click Save.

Password/PIN Settings
For each setting, the default value appears in parentheses.

WatchGuard SSL Mobile Text
   The minimum (6) and maximum (16) number of characters.
   The minimum number of letters (2) and numbers (2).
   The password expiration period in days (90). When set to zero, the password does not expire.
   The password history size (5). When users change their passwords, they cannot use any of the passwords saved in the password history.
   The OTP (one-time password) length in number of characters (6).
   The alphabet base for OTP. The default value excludes characters and numbers that can easily be confused, such as 0/o/O and 1/i/I/l/L. The default alphabet is 23456789abcdefghjkmnpqrstuvxyzABCDEFGHJKMNPQRSTUVXYZ.
   The notification message the user sees for the OTP.
   Allow two-step authentication. When selected, authentication is split into two sessions: one to make the server send the OTP to the mobile phone, and one to log in with the OTP.

WatchGuard SSL Web
   The minimum (6) and maximum (16) number of characters.
   The minimum number of letters (2) and numbers (2).
   The password expiration period in days (90). When set to zero, the password does not expire.
   The password history size (5). When users change their passwords, they cannot use any of the passwords saved in the password history.
   Keyboard appearance: Fixed, Shift, or Random (Random).
   Allow use of desktop keyboard for numbers (off).

WatchGuard SSL Challenge
   The PIN expiration period in days (90). When set to zero, the PIN does not expire.
   The PIN history size in number of PINs (5). When users change their PINs, they cannot reuse any of the PINs saved in the PIN history.
   Support value signing (off).
   Direct PIN change (off).

WatchGuard SSL Password
   The minimum (6) and maximum (16) number of characters.
   The minimum number of letters (2) and numbers (2).
   The password expiration period in days (90). When set to 0, the password does not expire.
   The password history size (5). When users change their passwords, they cannot use any of the passwords saved in the password history.
   The OTP (one-time password) length in number of characters (6).

WatchGuard SSL Synchronized
   The PIN expiration period in days (90). When set to 0, the PIN does not expire.
   The PIN history size in number of PINs (5). When users change their PINs, they cannot reuse any of the PINs saved in the PIN history.
   Offset before prompt: the number of login attempts allowed before the user is prompted for a new OTP (3).
   Offset before access denied: the number of login attempts allowed before the user is denied access (10).
   Direct PIN change.

Manage Email Messages Settings
You can configure the settings for the notification messages that are sent to users when they get new passwords, PINs, or seeds.
1. Select Manage System > Authentication.
   The Registered Authentication Methods page appears.
2. Click Manage Global Authentication Settings.
   The Global Authentication Service Settings page appears.
3. Select the Email Messages tab and configure the settings.
   For more information about the settings, see the subsequent sections.
4. Click Save.

Email Settings

Email Addresses
Type the email addresses of any additional recipients you want to receive notifications about new or changed passwords, PINs, or seeds.

Email Messages
Modify the message used to notify users about changes to their authentication credentials. You can change the text used in the email message to notify users about each type of password, PIN, or seed change.

WatchGuard Authentication Method Messages
For each WatchGuard authentication method, you can set the messages that users see when they get a new password, PIN, or seed in an email message.

Manage SMS/Screen Message Settings
You can configure the SMS/Screen messages that users get for new or changed passwords, PINs, or seeds. General settings include the header and footer of the SMS/Screen message. You can also specify different password, PIN, or seed messages for each authentication method.
1. Select Manage System > Authentication.
   The Registered Authentication Methods page appears.
2. Click Manage Global Authentication Settings.
   The Manage Global Authentication Service Settings page appears.
3. Select the SMS/Screen Messages tab.
4. In the SMS/Screen Messages Header and Footer text boxes, type the information that appears in the header and footer of the messages your users receive.
5. For each authentication method, type the Password or PIN messages your users receive.
6. Click Save.

Manage RADIUS Configuration
You configure RADIUS settings for each available authentication method to accept, reject, or challenge the request. You can also choose to send authentication requests to an authentication server that uses third-party authentication methods such as RSA SecurID. To do this, you must add a RADIUS back-end server as an authentication server. You can use one or several RADIUS back-end servers simultaneously.

To manage the RADIUS configuration:
1. Select Manage System > Authentication.
   The Authentication page appears.
2. Click RADIUS Configuration.
   The Manage RADIUS Configuration page appears.
3. Configure the RADIUS client and back-end server settings:
   Add a RADIUS Client
   Edit or Delete a RADIUS Client
   Add a RADIUS Back-End Server
   Edit or Delete a RADIUS Back-End Server

Add a RADIUS Client
On the Manage RADIUS Configuration page, you can add a RADIUS client.
1. Click Add RADIUS Client.
   The Add RADIUS Client page appears.
2. In the IP Address text box, type the IP address for this RADIUS client.
3. In the Shared Secret and Verify Shared Secret text boxes, type and confirm the shared secret for this RADIUS client.
4. If your RADIUS client requires attributes, configure them in the Attributes section. You can configure three types of attributes:
   Accept Attributes
   Challenge Attributes
   Reject Attributes
5. Click Save.

Edit or Delete a RADIUS Client
On the Manage RADIUS Configuration page, you can edit or delete a RADIUS client.

To edit a RADIUS client:
1. In the Registered RADIUS Clients list, click the IP address of a client.
   The Edit RADIUS Client page appears.
2. Configure the settings for the client.
3. Click Save.

To delete a RADIUS client:
1. In the Registered RADIUS Clients list, click the IP address of a client.
   The Edit RADIUS Client page appears.
2. Click Delete.
3. Click Yes.
   The client you selected is deleted and removed from the Registered RADIUS Clients list.

Add a RADIUS Back-End Server
On the Manage RADIUS Configuration page, you can add a RADIUS back-end server.
1. Click Add RADIUS Back-End Server.
   The Add RADIUS Back-End Server page appears.
2. In the Display Name text box, type the name of this server.
3. In the Host text box, type the IP address of the RADIUS back-end server.
4. If necessary, change the default values in the Port and Timeout text boxes.
5. In the Shared Secret and Verify Shared Secret text boxes, type and confirm the shared secret for this RADIUS server.
6. Click Save.
   The server you added appears in the Registered RADIUS Back-End Servers list.

Edit or Delete a RADIUS Back-End Server
On the Manage RADIUS Configuration page, you can edit or delete a RADIUS back-end server.

To edit a RADIUS back-end server:
1. In the Registered RADIUS Back-End Server list, click a server.
   The Edit RADIUS Back-End Server page appears.
2. Configure the settings for the back-end server.
3. Click Save.
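The RADIUS client and back-end server settings above both hinge on the shared secret: it hides the User-Password attribute in the Access-Request and authenticates the Access-Accept or Access-Reject that comes back, and the global Reveal reject reason setting only helps if the client reads the attribute that carries the reason. The following added example (not WatchGuard SSL code) implements that RFC 2865 exchange for both sides so an administrator can see what a wrong secret looks like on the wire; the secret, the user name and the use of the standard Reply-Message attribute for the reject reason are assumptions of the example.

```python
"""RFC 2865 Access-Request and response-authenticator check for a RADIUS client
and its back-end server.

Added example, not WatchGuard SSL code. The shared secret, the user name and
the use of Reply-Message (attribute 18) to carry the reject reason are
constructed assumptions for this demonstration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attr(code: int, value: bytes) -> bytes:
    """Encode one attribute: Type, Length (value length + 2), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Return {type: [value, ...]} for every attribute after the 20-byte header."""
    attrs, pos = {}, HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.setdefault(code, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block' is the
    Request Authenticator. This is obfuscation keyed by the shared secret, not
    strong encryption, which is why the secret and the network path matter."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """The back-end server's side of hide_password (trailing NUL padding removed)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, identifier, authenticator=None):
    """Client side: returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(
        USER_PASSWORD, hide_password(secret, authenticator, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(secret, code, identifier, request_authenticator, attrs=b""):
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, request_authenticator, packet):
    """Client side: True only if the reply was built with our secret for our
    request. A mistyped shared secret on either side fails here rather than
    with a readable error, which is why it is worth testing after configuration."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(
        packet[:4] + request_authenticator + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def reject_reason(packet: bytes) -> str:
    """Reply-Message text the client sees when the server reveals the reject reason."""
    parts = parse_attributes(packet).get(REPLY_MESSAGE, [])
    return b"; ".join(parts).decode("utf-8", "replace")
```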
To delete a RADIUS back-end server:
1. In the Registered RADIUS Back-End Servers list, click the IP address of a back-end server.
   The Edit RADIUS Back-End Servers page appears.
2. Click Delete.
3. Click Yes.
   The server you selected is deleted and removed from the Registered RADIUS Back-End Servers list.

Two-factor Authentication with Mobile ID
For stronger authentication, you can use two-factor authentication. For two-factor authentication, you configure a resource in the Application Portal to require users to complete the steps for two different authentication methods before they can get access to the resource. Two-factor authentication is stronger because it uses:
   Something the user knows: a Personal Identification Number (PIN)
   Something the user has: a software token installed on a PC or mobile device

WatchGuard Mobile ID is software installed on a client device that acts as a software token and generates one-time passwords (OTP). This token works like any hardware security token, but runs on hardware that the user already has, such as a PC, a mobile phone, or a PDA. You can install the WatchGuard Mobile ID client on a Windows computer, personalize it (with a seed), and configure it for the WatchGuard SSL Synchronized authentication method.

Note
To use Mobile ID, make sure that your mail server has an SMTP packet filter that accepts EHLO or HELO commands that do not include an argument.

Download and install Mobile ID
To install the Mobile ID software:
1. Open a web browser and go to the WatchGuard Software Downloads page at: https://www.watchguard.com/archive/softwarecenter.asp.
2. Download the Mobile ID client software for your platform (Windows, Java, or Linux).
3. Run the EXE file.
4. Follow the steps in the wizard to complete the installation.

Install Mobile ID for Windows on the client computer
After you get the Mobile ID software from the WatchGuard Downloads page, you can put it somewhere on your network where your users can safely get access to it.
You can then install Mobile ID on your users' client computers. Mobile ID installs only for the user who is currently logged in to the computer. Before you install the software, make sure you are logged in as the correct user.
1. On the client computer, go to the IP address or URL where the Mobile ID software is available. For example, http://clients.example.com/.
   The Mobile ID Client download page appears.
2. Click Download for the Windows Mobile ID client.
3. Follow the instructions to install the client.

Add or enable the WatchGuard SSL Synchronized authentication method
For Mobile ID to work correctly, you must make sure the WatchGuard SSL Synchronized authentication method is enabled on your SSL device.

To add the WatchGuard SSL Synchronized authentication method:
1. Select Manage System.
   The Registered Authentication Methods page appears.
2. Click Add Authentication Method.
   The Add Authentication Method page appears, with a list of all the available authentication methods.
3. Select WatchGuard SSL Synchronized.
4. Click Next.
5. Make sure the Enable authentication method check box is selected.
6. In the Display Name text box, type a descriptive name for this authentication method.
   This is the name that appears in the Registered Authentication Methods list.
7. Click Add Authentication Method Server.
   The Add Authentication Method Server page appears.
8. Make sure the Enable authentication method on the Authentication Service check box is selected.
9. From the Display Name drop-down list, select an authentication service.
10. Verify that the other settings are correct.
11. Click Next on the next three pages of the wizard.
12. Click Finish Wizard.
    The new authentication method appears in the Registered Authentication Methods list.

To enable the WatchGuard SSL Synchronized authentication method:
1. Select Manage System.
   The Registered Authentication Methods page appears.
2. In the Registered Authentication Methods list, click WatchGuard SSL Synchronized (or the descriptive name for your WatchGuard SSL Synchronized authentication method).
   The Edit Authentication Method page appears.
3. Select the Enable authentication method check box.
4. Make sure all the settings for the authentication method are correct.
5. Click Save.
   The Registered Authentication Methods page appears. The Status of the WatchGuard SSL Synchronized method is Enabled.

Create the seed and PIN for the user
1. Select User Management.
   The Manage All User Accounts page appears.
2. In the Search by User ID text box, type a User ID. You can type a partial user name with the '*' wildcard character to broaden your search results. To see a list of all users, type only the '*' wildcard character.
3. From the Search by User ID drop-down list, select the parameters for the search.
4. Click Search.
   A list of users appears in the search results section.
5. In the Search Result list, click a User ID.
   The Edit User Account page appears.
6. Select the WatchGuard Authentication tab.
7. Select the Enable WatchGuard SSL Synchronized for the user account check box.
   Additional settings for the WatchGuard SSL Synchronized authentication method appear.
8. In the PIN and Verify PIN Code text boxes, type a 6-digit PIN Code for this user.
9. Select the Generate seed check box.
10. Click Save.
    The Manage User Accounts page appears. The PIN and synchronized seed for the user appear at the top of the page.
11. Make a copy of the PIN and Synchronized seed and save them in a safe location to give to the user. The user must type both codes in the Mobile ID client to generate the OTP.

Add the seed and PIN in the Mobile ID client
To add the seed and PIN in the Mobile ID client, the user launches Mobile ID on the client computer.
1. Select Start > All Programs > WatchGuard SSL > Mobile ID > WatchGuard Mobile ID.
   The Mobile ID client appears. The user must type the seed code the first time the client appears.
2. Type the seed code. Or, copy the seed code and select Seed > Paste to paste the seed code.
3. Click CONTINUE.
4. When prompted to select a client mode, select Synchronized.
   A numeric keypad appears.
5. Click the numbers on the keypad to type the 6-digit PIN. The location of the numbers on the keypad is different each time the keypad appears.
   A one-time password (OTP) appears.
6. Use the one-time password to authenticate to the Application Portal with the WatchGuard SSL Synchronized authentication method.

Authenticate with the one-time password
1. Connect to the Application Portal.
2. Select the WatchGuard SSL Synchronized authentication method.
   The WatchGuard SSL Synchronized authentication page appears.
3. Type the User Name and the OTP from the Mobile ID client.
4. Click Submit.
   The WatchGuard SSL Application Portal appears.

Configure Active Directory Authentication with LDAP over SSL
You can use both WatchGuard authentication methods and third-party authentication methods with your WatchGuard SSL device. One available third-party method is Active Directory. The Active Directory authentication method is an LDAP bind authentication method that allows users to change their domain passwords through the WatchGuard SSL Application Portal and enforces strong password restrictions. This functionality is only supported with Microsoft Active Directory (AD) servers. To use this method, you must configure the authentication method for LDAP over SSL communication because this functionality is only allowed over SSL.

Configure the Active Directory server with LDAP over SSL
You can use your existing Active Directory (AD) server to authenticate users to your WatchGuard SSL Application Portal. Because the WatchGuard SSL Active Directory authentication method uses LDAP over SSL, before you configure your SSL device, you must first make sure that LDAP over SSL (also known as LDAPS or LDAP over TLS) is enabled on your Active Directory server. LDAP over SSL connections are not enabled by default.

LDAP over SSL is also known as LDAP/S, LDAPS, and LDAP over TLS. LDAP over SSL simply means that the LDAP connection between the LDAP client (in this case, the WatchGuard SSL device) and the LDAP server (the Active Directory server) is authenticated by TLS (Transport Layer Security), and the data exchanges are encrypted by the different cipher suites supported by the TLS protocol.

To enable LDAP over SSL, you can use one of two methods:
   Instructions from Microsoft: http://support.microsoft.com/kb/321051 (How to enable LDAP over SSL with a third-party certification authority)
   Instructions in the subsequent sections, which use the certificate services web enrollment form instead of command line tools.

We recommend that you do not use both sets of instructions. If you choose to use both procedures, the process can be complicated and prone to failure.

Note
WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a non-WatchGuard product, see the documentation and support resources for that product.

For the subsequent procedures, Active Directory is installed on a Windows Server 2003 computer; the server name is 2003ADsrv, and the domain name is ADexample.com.

Before you begin
Make sure your server has these applications and tools configured, with the services started:

   ldp.exe
   Microsoft Support Tool Utility (for LDAP configuration). This tool is used to connect to Active Directory and verify that the LDAPS protocol is running properly.

   Internet Information Services (IIS)
   IIS must be installed and the service must be started.

   Certificate Services
   Certificate Services must be installed and started on the AD server. This component is not installed by default, but is a common component that is frequently added to many AD servers.
After you have verified that the correct applications and tools are configured, you export the CA certificate from your Windows Certificate Server.

Verify the status of IIS
IIS must be installed and started correctly before you enable LDAP over SSL. If it is not, when you open the certsrv web address in the procedure to enable LDAP over SSL, you receive a 404 error message.
1. Select Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.
2. Expand your server entry in the list.
3. Select Web Sites.
4. For Default Web Site, verify that the State is Running.
Install Certificate Services on your AD server
If Certificate Services is already installed on your AD server, you can continue to the next procedure. Make sure that both the Certificate Services CA and Certificate Services Web Enrollment Support options are enabled.

When you enable Certificate Services, you can select to use either an Enterprise root CA or a Stand-alone root CA. We recommend you choose a Stand-alone root CA, which is simpler to use and acceptable for most use cases.

From your Windows 2003 AD Server computer:
1. Select Start > Control Panel > Add or Remove Programs.
   The Add or Remove Programs dialog box appears.
2. Select Add/Remove Windows Components.
   The Windows Components Wizard dialog box appears.
3. In the Components list, select the Certificate Services check box.
   A notification message appears.
4. Click Yes.
5. Click Details.
   The Certificate Services dialog box appears.
6. Select the Certificate Services CA and Certificate Services Web Enrollment Support check boxes.
7. Click OK.
   The Certificate Services dialog box closes and the Windows Components Wizard dialog box appears.
8. Click Next.
   The CA Type page appears.
9. Select Stand-alone root CA. Click Next.
10. Complete the wizard and finish the Certificate Services installation.

Export the CA Certificate from your Windows Certificate Server
From your Windows 2003 AD Server computer:
1. Select Start > Programs > Administrative Tools > Certification Authority.
   The Certification Authority dialog box appears.
2. Right-click the name of your Certificate Authority. Select Properties.
3. On the General tab, click View Certificate.
   The Certificate dialog box appears.
4. Select the Details tab.
5. Click Copy to File.
   The Certificate Export Wizard appears.
6. Click Next.
   The Export File Format page appears.
7. Select the Base-64 encoded X.509 (CER) file format.
   The File to Export page appears.
8. To save the certificate file to the default location, in the File Name text box, type a name for the certificate. To select a different location to save the file, click Browse, select the location, and type a file name for the certificate. For example, cacert.cer.
About Manage System 9. Click Next. The Completing the Certificate Export Wizard page appears. 10. Review the certificate information. Click Finish. Enable your AD Server for LDAP over SSL To enable your AD server to use LDAP over SSL you can request the certificate from the Certificate Authority and use the Certificate Services Web UI to import it. Request a certificate from the CA From your Windows 2003 AD Server computer: 1. Open Internet Explorer and go to http://<servername>/certsrv. Replace <servername> in the web address with the host name or IP address of your AD server. For this example, type http://2003adsrv/cersrv. If a certificate warning appears, add the URL to the list of trusted sites in Internet Explorer. Select Tools > Internet Options. Select the Security tab. Add the exception. 2. Click Request a Certificate. The Request a Certificate page appears. 3. Click Submit an advanced certificate request. The Advanced Certificate Request page appears. 4. Click Create and submit a request to this CA. 5. In the Name text box, type the fully qualified domain name of your server. Make sure the name is correct and in the FQDN format. For this example, type 2003ADsrv.ADexample.com. 6. In the Type of Certificate Needed drop-down list, select Server Authentication Certificate. 7. Configure Key Options: a. Select Create new key set. b. From the CSP drop-down list, select Microsoft RSA SChannel Cryptographic Provider. c. Set the Key Usage to Exchange. d. In the Key Size text box, type 1024. e. Select Automatic key container name. f. Select the Mark keys as exportable check box. g. Make sure the Enable strong private key protection check box is not selected. h. Select the Store certificate in the local computer certificate store check box. 8. Configure Additional Options: a. Set the Request format to PKCS10. b. From the Hash Algorithm drop-down list, select SHA-1. c. Clear the Save request to a file check box. 
If you select this check box, you must manually submit the request file to the CA and manually import the issued certificate to your server. When you do not select this option, the browser submits the request to the CA directly, and after the CA issues it you can install it from the same web pages (see Import the certificate).
9. Click Submit. The certificate request is submitted.
Issue the certificate

After you have requested the certificate from the CA, you must issue the certificate before you can import it. Until an administrator issues it, the request waits in the Pending Requests folder.

From your Windows 2003 AD Server computer:

1. Select Start > Programs > Administrative Tools > Certification Authority.
2. Expand the Certification Authority list.
3. Select the Pending Requests folder.
4. Select the pending request for the certificate you want to issue.
5. Right-click the request and select All Tasks > Issue. The CA issues the certificate.

Import the certificate

After the CA has issued the certificate, you can import it to the server certificate store. These instructions use the Internet Explorer web browser. If you use a different web browser the instructions might be different.

From your Windows 2003 AD Server computer:

1. Open Internet Explorer and go to http://<servername>/certsrv. Replace <servername> in the web address with the host name of your AD server. For this example, type http://2003adsrv/certsrv.
2. Click View the status of a pending certificate request. The View the Status of a Pending Certificate Request page appears.
3. Select the certificate you want to import.
4. Follow the instructions to import the certificate.
5. Reboot your Windows 2003 AD Server computer. The reboot makes the Active Directory LDAP service load the new certificate.

Test the LDAP over TLS connection

To test whether LDAP over SSL (LDAPS, port 636) works properly, use the ldp.exe tool.

1. Open a command prompt and type ldp. The LDP application appears.
2. Select Connection > Connect. The Connect dialog box appears.
3. In the Server text box, type the name of your AD server. For this example, type 2003ADsrv. If the connection fails with the short name, try the FQDN you typed in the certificate request (2003ADsrv.ADexample.com), because that is the name in the certificate.
4. In the Port text box, type 636.
5. Select the SSL check box.
6. Click OK. A list of attributes appears, which indicates a successful connection. Some errors can also appear, but they are not fatal errors and do not indicate a problem with the connection. If a connection error appears, there is an incorrect setting in the configuration.
Review your configuration with the steps in the previous procedures to correct any errors. For the Active Directory authentication method to work correctly, LDAP over SSL must also work correctly.
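The ldp.exe test above reports only success or failure. The following Python script, an added example that is not part of the WatchGuard documentation or product, performs the same LDAPS connection from any machine that can reach the AD server and additionally verifies that the server certificate chains to the CA certificate you exported and that its name matches the FQDN you connect to, which is the check the SSL device's CA registration depends on. It assumes the CA certificate was exported in Base-64 (PEM) form; a binary DER export must first be converted, for example with openssl x509 -inform der -in cacert.cer -out cacert.pem. The host name and file names are assumptions for illustration.

```python
"""Probe an AD server's LDAPS listener the way ldp.exe does on port 636, but
verify the server certificate against the exported CA certificate.

Added example, not WatchGuard code. Assumes the CA certificate is a PEM file.
"""
import socket
import ssl


def make_ldaps_context(ca_file):
    """TLS client context that trusts only ca_file (PEM). With ca_file=None the
    system trust store is used, which normally rejects an internal CA; that
    failure is reported as reason "certificate" below."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED   # a server with no or an untrusted chain is refused
    ctx.check_hostname = True             # subject CN / SAN must match the name we connect to
    return ctx


def subject_cn(cert):
    """Return the commonName from a getpeercert() dictionary, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def probe_ldaps(host, ca_file, port=636, timeout=5.0):
    """Connect, complete the TLS handshake and classify the outcome.

    Returns {"ok": True, ...certificate summary...} on success, otherwise
    {"ok": False, "reason": "connect" | "certificate" | "tls", "detail": str}.
    """
    ctx = make_ldaps_context(ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "subject_cn": subject_cn(cert),
                    "issuer": cert.get("issuer"),
                    "not_after": cert.get("notAfter"),
                    "protocol": tls.version(),
                }
    except ssl.SSLCertVerificationError as exc:
        # Chain does not lead to ca_file, certificate expired, or the name in
        # the certificate (the FQDN from the request) differs from `host`.
        return {"ok": False, "reason": "certificate", "detail": str(exc)}
    except ssl.SSLError as exc:
        # TCP connected but the TLS handshake failed: typically the server has
        # no usable server certificate yet (not issued, not imported, no reboot).
        return {"ok": False, "reason": "tls", "detail": str(exc)}
    except OSError as exc:
        # Refused, timed out or unreachable: nothing is listening on the port.
        return {"ok": False, "reason": "connect", "detail": str(exc)}


if __name__ == "__main__":
    import sys
    # Example invocation (host and file name are assumptions for illustration):
    #   python ldaps_probe.py 2003ADsrv.ADexample.com cacert.pem
    print(probe_ldaps(sys.argv[1], sys.argv[2]))
```

Run it with the FQDN, not the short host name: a "certificate" result whose detail mentions a hostname mismatch means the name in the certificate request (step 5 above) does not match the name you connect with, while a "connect" result means the listener on 636 is not reachable at all.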
Verify the HTTP SSL properties

The last step to configure LDAP over TLS for your AD server is to make sure the HTTP SSL service is running correctly. This is the service that IIS uses for HTTPS, which the Certificate Services web pages rely on.

From your Windows 2003 AD Server computer:

1. Select Start > Administrative Tools > Services. The Services tool appears.
2. In the Services list, find the HTTP SSL service.
3. Right-click HTTP SSL and select Properties. The HTTP SSL Properties dialog box appears.
4. Make sure the General tab is selected.
5. From the Startup type drop-down list, select Automatic. This makes sure the HTTP SSL service starts automatically when the server is rebooted.
6. Click OK.

Configure the Active Directory Authentication method on your SSL device

Now that you have issued the certificate from your CA, enabled LDAP over SSL on your AD Server, and exported the CA certificate, you can add the CA certificate to your SSL device and configure your SSL device to use Active Directory Authentication. The SSL device uses the CA certificate to verify the certificate that the AD server presents on port 636.

Add a Certificate Authority to your SSL device

If you did not import the CA certificate when you ran the Setup Wizard, you must import it to configure Active Directory Authentication.

1. Connect to WatchGuard SSL Web UI for your device.
2. Select Manage System > Certificates. The Manage Certificates page appears.
3. In the Certificate Authorities section, click Add Certificate Authority. The Add Certificate Authority page appears.
4. Make sure the Enable Certificate Authority check box is selected.
5. In the Display Name text box, type a name for the CA certificate. This is the name that appears on the Manage Certificates page in the Registered Certificate Authorities list.
6. Click Browse and select the CA certificate.
7. In the Revocation Control section, select No certificate revocation checking should be performed. With this setting the device does not check whether a certificate issued by this CA has been revoked. If your CA publishes its CRL over HTTP or LDAP, you can select CRL instead and configure a distribution point as described in Add a Certificate Authority.
8. Click Finish Wizard. The certificate name appears in the Registered Certificate Authorities list.
Enable SSL for Active Directory Authentication services

After you add the CA certificate to your device, you add the Active Directory Authentication Method to your configuration to make a connection between your SSL device and your AD server.
When you use an Active Directory server you can choose from many authentication methods. Because users can change their passwords when they authenticate, we recommend that you use the Active Directory authentication method. With this method, the password policy settings you defined in Active Directory are enforced.

To configure Active Directory authentication:

1. Select Manage System > Authentication. The Authentication page appears.
2. Click Add Authentication Method. The Add Authentication Method page appears.
3. Select Active Directory. Click Next.
4. Make sure the Enable authentication method check box is selected. If you choose to configure this method but not enable it, you can enable it at another time.
5. In the Display Name text box, type a name for this Active Directory Authentication method. This is the name that appears in the Registered Authentication Methods list.
6. To select a different template for this method, in the Template Name text box, type the name of the template to use. We recommend you use the default template.
7. To specify the AD server to use for authentication, click Add Authentication Method Server. You can specify more than one AD server. The Add Authentication Method Server page appears.
8. In the Host text box, type the IP address or DNS name of your AD server.
9. To use a port other than the default port, in the Port text box, type a new value. We recommend you keep the default value, 636. Port 636 is LDAP over SSL; 389 is the plain LDAP port.
10. To use a timeout value other than the default setting, in the Timeout text box, type a new value. This is the amount of time the client waits for a response from the AD server before it tries to connect with another authentication method.
11. In the Account text box, type the user name of the account the device uses to bind to the AD server. This can be a Distinguished Name or Principal Name. Make sure you use the correct user name form. For example:
   username@myexample.com
   myexample\username
   CN=username,CN=Users,DC=myexample,DC=com
   The account only needs permission to bind and to search the user accounts below the Root DN. Because the device stores this password in its configuration, a dedicated account with only those rights is preferable to a domain administrator account.
12. In the Password text box, type the password for this account.
13. In the Root DN text box, type the Root DN information for the AD server where user accounts are stored. Make sure you use the correct Root DN form. For example, dc=exampleadserver,dc=com
14. Click Next. The Authentication Method Server appears in the Registered Authentication Method Servers list.
15. Click Next. The Extended Properties page appears with a default list of Registered Extended Properties. Extended properties are actions that occur when your users authenticate with this method.
16. To add an extended property, click Add Extended Property. The Add Extended Property page appears.
17. Select a Key and a Value. For more information about Extended Property settings, see Manage Extended Properties.
18. Click Next. The Extended Property appears in the Registered Extended Properties list.
19. Make any changes to the Registered Extended Properties list for this authentication method.
20. Click Finish Wizard. The AD authentication method appears in the Registered Authentication Methods list with the Display Name you specified.
21. Click Publish to update your configuration with this change.

If you do not enable the Active Directory authentication method, your remote users can still authenticate to the WatchGuard SSL Application Portal with their Active Directory credentials. You can create user accounts in the Local User Database and link them to their Active Directory user accounts to use the same credentials. Then you enable the WatchGuard SSL Password authentication method. When your users authenticate, WatchGuard SSL automatically queries the AD server for the user credentials. If your users change their passwords when they authenticate, the passwords are only changed in the Local User Database, not the AD server, and any policy settings you configured in the AD server are not applied.

To link users in your Local User Database to your AD server:

1. Select User Management > User Accounts. The Manage All User Accounts page appears.
2. Click Global User Accounts Settings. The Manage Global User Account Settings page appears.
3. Select User Linking.
4. Configure the global settings for User Linking.
5. Click Save.
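As a pre-flight check for the values entered on the Add Authentication Method Server page (Host, Port, Timeout, Account, Password and Root DN), the following Python code, an added example rather than part of the WatchGuard product, validates them against the account and Root DN forms the procedure lists, so that a malformed bind account or Root DN is caught before you click Publish rather than surfacing as a failed bind at the first user login. The check_server function and its rules are this example's own; the device exposes no such interface, and the sample values in the test are constructed.

```python
"""Validate the values for an Active Directory Authentication Method Server
before publishing: Host, Port, Timeout, Account, Password and Root DN.
Added example, not WatchGuard code; the accepted forms are the ones the
procedure lists."""
import re

UPN_RE = re.compile(r"[^@\\,=\s]+@[A-Za-z0-9.-]+")          # username@myexample.com
NETBIOS_RE = re.compile(r"[A-Za-z0-9_.-]+\\[^\\@,=\s]+")    # myexample\username


def split_dn(dn):
    """Split an LDAP DN into lower-cased (type, value) pairs, honouring
    backslash escapes such as the comma in 'cn=Smith\\, John'."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])     # keep the escape with its character
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError("RDN without '=': %r" % part)
        typ, val = part.split("=", 1)
        pairs.append((typ.strip().lower(), val.strip()))
    return pairs


def account_form(account):
    """Classify the bind account as 'upn', 'netbios', 'dn' or 'invalid'."""
    if UPN_RE.fullmatch(account):
        return "upn"
    if NETBIOS_RE.fullmatch(account):
        return "netbios"
    try:
        pairs = split_dn(account)
    except ValueError:
        return "invalid"
    return "dn" if pairs[0][0] == "cn" else "invalid"


def check_server(host, port, timeout, account, password, root_dn):
    """Return a list of problems; an empty list means the settings look sane."""
    problems = []
    if not host.strip():
        problems.append("Host is empty")
    port = int(port)
    if not 1 <= port <= 65535:
        problems.append("Port is out of range")
    elif port == 389:
        problems.append("Port 389 is plain LDAP; keep the default 636 so the bind uses SSL")
    if float(timeout) <= 0:
        problems.append("Timeout must be positive")
    if account_form(account) == "invalid":
        problems.append("Account is not a UPN, a DOMAIN\\user name or a Distinguished Name")
    if not password:
        problems.append("Password is empty")
    try:
        pairs = split_dn(root_dn)
        if pairs[-1][0] != "dc":
            problems.append("Root DN should end with the domain's dc= components, e.g. dc=example,dc=com")
    except ValueError as exc:
        problems.append("Root DN is malformed: %s" % exc)
    return problems


if __name__ == "__main__":
    # Constructed values mirroring the examples in the procedure.
    print(check_server("2003ADsrv.ADexample.com", 636, 5,
                       "username@myexample.com", "s3cret", "dc=exampleadserver,dc=com"))
```

The DN splitter honours backslash escapes because a user DN such as cn=Smith\, John contains a comma that is not a separator; a naive split on commas would report a valid Account as malformed.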
Verify your SSL device is connected to your AD server

Before you can verify the connection between your AD server and your SSL device, you must first add the AD server to your SSL device as an External Directory Service location.

To add an External Directory Service location:

1. Select User Management > External Directory Service. The Manage External Directory Service page appears.
2. Click Add External Directory Service Location. The Add External Directory Service Location page appears.
3. Select Microsoft Active Directory. Click Next. The Add External Directory Service Location page appears.
4. Configure the settings for this External Directory Service location. Make sure the settings match those you configured for your AD Server Authentication Method.
5. Click Next. The Add External Directory Service Location page appears.
6. To add search rules for your users, click Add User Search Rule. The Add User Search Rule page appears.
7. Configure the search rule. Click Next. The External Directory Service Location Search Rules page appears.
8. To add search rules for your user groups, click Add User Group Search Rule. The Add User Group Search Rule page appears.
9. Configure the search rule. Click Next. The External Directory Service Location Search Rules page appears.
10. To verify the connection to your External Directory Service is active, click Test Connection.
11. Click Finish Wizard. The directory service is added and appears in the Registered External Directory Service Location list.

After your AD server is added as an External Directory Service location, you can test the connection between the AD server and the SSL device at any time.

1. Select User Management > External Directory Service. The Manage External Directory Service page appears.
2. In the Registered External Directory Service Locations list, select your AD server. The Edit External Directory Service Location page appears.
3. Select the Search Rules tab.
4. Click Test Connection to the External Directory Service Location. The SSL device tries to contact the AD server. If your configuration is correct, a Connection test ran successfully message appears. If the connection test fails, review the settings for your AD Server External Directory Service Location, and correct any errors in the configuration.

About Certificates

A certificate binds the identity of a person, device, or organization to a public key. The public key is one half of a key pair: two mathematically related numbers called the private key, which its owner keeps secret, and the public key, which can be distributed freely. A certificate includes both a statement of identity and a public key, and is signed with a private key. The private key used to sign a certificate request can belong to the same person or organization that created the request, or to a certificate authority. If the private key belongs to the same person or organization that created the request, the result is called a self-signed certificate. If the private key belongs to a certificate authority (CA), the result is a CA-signed certificate; the CA's own certificate, which you use to verify that signature, is called the CA certificate.
A certificate authority is an organization or application that issues, signs, and revokes certificates. Most applications and devices have a list of trusted CAs whose certificates are automatically accepted. WatchGuard SSL supports 1024-bit and 2048-bit SSL certificates. Use 2048-bit keys for new certificates; 1024-bit RSA keys are no longer considered adequate.
Certificate Lifetimes and CRLs

When a certificate is created, it has a set lifetime. At the end date of the certificate lifetime, the certificate expires and can no longer be used. Sometimes, certificates are revoked, or disabled by the CA, before they expire. To revoke a client certificate that has already been issued, the CA adds it to a list of revoked certificates, and the client certificate validation routine checks each certificate it receives against that list. This list is called a Certificate Revocation List (CRL). The CRL is distributed through a CRL Distribution Point (CDP). The supported CDP protocols are HTTP and LDAP. You configure whether to use the CRL when you add a Certificate Authority.

Certificate Authorities and Signing Requests

To create a third-party certificate, you put the public half of a cryptographic key pair in a certificate signing request (CSR) and send the request to a CA. The private half never leaves your system. It is important that you use a new key pair for each CSR you create. The CA issues a certificate after it receives the CSR and verifies your identity. You can also use tools such as OpenSSL, or the Microsoft CA Server that comes with most Windows Server operating systems, to create a CSR. If you do not have a PKI (public key infrastructure) set up in your organization, we recommend that you choose a prominent CA to sign your CSR. If a prominent CA signs your certificate, your certificate is automatically trusted by most users. WatchGuard has tested certificates signed by VeriSign, Microsoft CA Server, Entrust, and RSA KEON.

Manage Certificates

In WatchGuard SSL Web UI, you manage Certificate Authorities, server certificates and client certificates. For more information, see:
Add a Certificate Authority
Add a Server Certificate
Edit or Delete a Server Certificate
Manage Client Certificate Settings

Add a Certificate Authority

A certificate authority (CA) issues the client certificates used for authentication, and the server certificates of systems the device connects to, such as an AD server. For the WatchGuard SSL device to validate any of these certificates, you must upload the CA certificate.
You register certificate authorities (CA) to be used for validation of certificates. You type a Display Name for the CA and specify a CA certificate file. You then select whether to use a certificate revocation list (CRL) or to perform no revocation checks at all. If you choose to enable CRL checking, the Add Certificate Authority wizard includes an additional step to configure a Control Distribution Point for the CRL.

Configure CA General Settings

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. Click Add Certificate Authority. The Add Certificate Authority General Settings page appears.
3. Select the Enable Certificate Authority check box.
4. In the Display Name text box, type a name for this Certificate Authority.
5. Adjacent to the CA Certificate text box, click Browse and select the location of the certificate for your CA. The certificate must be in a PEM or DER format.
6. In the Revocation Control section, to enable certificate revocation checking, select CRL. CRL checking is enabled by default. If you do not want to enable CRL checking, select No certificate revocation checking should be performed.
7. If you did not enable CRL checking, proceed to Step 8. If you enabled CRL checking, click Next and specify at least one control distribution point (CDP). For more information, see the subsequent section.
8. Click Finish Wizard. The Certificate Authority appears in the Registered Certificate Authorities list.

Configure Control Distribution Points

If you enable CRL checking for your CA, you must specify at least one Control Distribution Point (CDP). The CDP is the location from which the device retrieves the CRL that the CA publishes; the device uses that CRL to check whether a certificate issued by the CA has been revoked. To add a CDP, click Add Control Distribution Point on the second page of the Add Certificate Authority wizard. Specify settings for these fields:

Address
The address can be an LDAP address (RFC 2255) or an HTTP address. Example LDAP address:
ldap://192.168.96.52/cn=win2k%20root%20ca,cn=test-win2kad,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=win2kad,DC=examplecompany,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
Example HTTP address:
http://www.example.com:80/ldap/crl.cer

Fetch Time Adjustment
Offset, in seconds, applied to the scheduled time at which the device fetches the CRL. The allowed interval is 0 to 86400. This option is useful when there is latency between the time the CA issues a new CRL and the time it is available at the CDP. Latency can occur if there are replicated directories involved. This option is set to zero (0) by default.
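To check a CDP address before you type it into the Address field, the following Python function, an added example rather than WatchGuard code, parses either form the field accepts: an RFC 2255 LDAP URL (host, DN, attribute list, scope and filter) or an HTTP URL. It rejects an LDAP URL that does not request the certificateRevocationList attribute, which is an easy mistake to make when copying the long CDP URLs that a Windows CA publishes. The two sample addresses are the ones given above; the function and its return format are this example's own.

```python
"""Parse a CRL distribution point address as accepted in the Address field:
an RFC 2255 LDAP URL or an HTTP URL. Added example, not WatchGuard code."""
from urllib.parse import unquote, urlsplit


def parse_cdp(address):
    """Return a dict describing the CDP, or raise ValueError if it cannot work."""
    parts = urlsplit(address.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "http"):
        raise ValueError("CDP scheme must be ldap or http, not %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("CDP address has no host")

    if scheme == "http":
        if parts.path in ("", "/"):
            raise ValueError("HTTP CDP needs the path of the CRL file")
        return {"scheme": "http", "host": parts.hostname,
                "port": parts.port or 80, "path": parts.path}

    # ldap://host[:port]/dn[?attributes[?scope[?filter]]]   (RFC 2255)
    dn = unquote(parts.path.lstrip("/"))
    fields = parts.query.split("?") if parts.query else []
    attributes = [a for a in unquote(fields[0]).split(",") if a] if fields else []
    scope = unquote(fields[1]).lower() if len(fields) > 1 and fields[1] else "base"
    ldap_filter = unquote(fields[2]) if len(fields) > 2 and fields[2] else "(objectClass=*)"
    if not dn:
        raise ValueError("LDAP CDP needs the DN of the cRLDistributionPoint object")
    if scope not in ("base", "one", "sub"):
        raise ValueError("LDAP scope must be base, one or sub, not %r" % scope)
    if not any(a.lower() == "certificaterevocationlist" for a in attributes):
        # Without this attribute the query returns the object but not the CRL.
        raise ValueError("LDAP CDP must request the certificateRevocationList attribute")
    return {"scheme": "ldap", "host": parts.hostname, "port": parts.port or 389,
            "dn": dn, "attributes": attributes, "scope": scope, "filter": ldap_filter}


if __name__ == "__main__":
    # The LDAP example address from the guide.
    print(parse_cdp("ldap://192.168.96.52/cn=win2k%20root%20ca,cn=test-win2kad,"
                    "CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,"
                    "DC=win2kad,DC=examplecompany,DC=com"
                    "?certificateRevocationList?base?objectclass=cRLDistributionPoint"))
```

Note that the LDAP example uses the base scope, so the DN must point exactly at the cRLDistributionPoint object under CN=CDP in the configuration partition; a DN one level off returns nothing, and the device then falls back to the CRL Invalid Action you configure below.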
Update Time
Select this option to configure a custom update time. When not selected, the Next Update time carried in the CRL itself is used. This option is not selected by default.
Retry Interval
Interval in seconds before the system tries to contact the CDP again if the CRL cannot be accessed. The allowed interval is 0 to 31536000 seconds, or a maximum of 365 days. The Retry Interval is set to 300 seconds by default.

You must also specify the action to take if the CRL cannot be retrieved from the CDP. In the CRL Invalid Action section, select one of these options:

Authentication is denied
If a valid CRL cannot be retrieved, deny authentication for all users.

Authentication is allowed, previous CRL is used
If a valid CRL cannot be retrieved, use the previously retrieved CRL for certificate revocation control. If a user authenticates with an invalid CRL, this event is written to the log file. Note that a certificate revoked after the last successful CRL fetch is still accepted until a new CRL is retrieved.

Add a Server Certificate

You must add at least one server certificate to use when the device communicates with end users.

Note
PEM is the default format for OpenSSL. It stores data as Base64 encoded DER, surrounded by ASCII header and footer lines, suitable for text mode transfers between systems. DER is the binary ASN.1 Distinguished Encoding Rules format and can contain private keys, public keys, and certificates. PEM format is the same DER data wrapped in a text header. DER is the default export format for most browsers.

Warning
If you import a certificate incorrectly, for example, if you do not enter the private key properly, further admin or client connections will be blocked. If this occurs, you must reset the device to factory install settings and reconfigure the device. Make sure you perform a backup of your configuration before you import a new certificate.

To add a server certificate:

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. Click Add Server Certificate. The Add Server Certificate General Settings page appears.
3. In the Display Name text box, type a name for this server certificate.
4. Adjacent to the Certificate text box, click Browse and select the location of the certificate for your server. The certificate must be in PEM format.
5. Adjacent to the Key text box, click Browse and select the location of the private key for the server certificate. The key must be a PKCS#8 key in either DER or PEM format.
6. If the key is encrypted, in the Password text box, type the password that protects the key.
7. Click Save. The certificate you added appears on the Registered Server Certificates list.

To see details about a server certificate:

1. In the Registered Server Certificates list, click the certificate.
2. Click View Certificate Details.

For more information about how to edit certificates, see Edit or Delete a Server Certificate.

Edit or Delete a Server Certificate

You can edit or delete the server certificate that the device uses when it communicates with end users.

To edit a server certificate:

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. In the Registered Server Certificates list, click the display name of the server certificate to edit. The Edit Server Certificates General Settings page appears.
3. To see details about the certificate, click View Certificate Details.
4. Update the settings for the server certificate.
5. Click Save.

To delete a server certificate:

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. In the Registered Server Certificates list, click the display name of the server certificate to delete. The Edit Server Certificates General Settings page appears.
3. Click Delete.
4. Click Yes.

Manage Client Certificate Settings

You can add and edit the PEM formatted client certificates that clients use to communicate with resources. If you use SSL, you can specify only one client certificate.

To add or edit a client certificate:

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. Click Manage Client Certificate Settings. The Add Client Certificate page appears.
3. In the Display Name text box, type the name for this client certificate.
4. Adjacent to the Certificate text box, click Browse and select the client certificate file. The certificate must be in PEM format.
5. Adjacent to the Key text box, click Browse and select the private key file for the client certificate. The key must be a PKCS#8 key in either DER or PEM format.
6. In the Password text box, specify the password to use if the private key is encrypted.
7. Click Save.

Create a CSR with OpenSSL

The WatchGuard SSL Server default configuration has a self-signed server certificate named TestCert. We recommend that you replace this with your own signed certificate. To create your own signed certificate, you must first create a Certificate Signing Request (CSR). Then you send the CSR to a certificate authority (CA), which issues a signed certificate. WatchGuard SSL supports 1024-bit and 2048-bit SSL certificates.

Before You Begin

You can use OpenSSL to create a private key and certificate signing request. For a list of sites where you can download OpenSSL, see http://www.openssl.org/related/binaries.html.

Use OpenSSL to Generate a CSR

1. Open a command line interface.
2. To generate a private key, type openssl genrsa -out wgnet.key 2048. This writes the private key unencrypted to wgnet.key; keep the file where only you can read it.
3. To generate a CSR with the private key, type openssl req -new -key wgnet.key -out wgnet.csr. When OpenSSL prompts for the Common Name, enter the host name that users type to reach the device. In this example wgnet.csr is the certificate signing request.
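Because an incorrectly imported server certificate or key can lock you out of the Web UI (see the warning under Add a Server Certificate), it pays to inspect the files before uploading them. The following Python script, an added example and not WatchGuard code, classifies the PEM blocks in a certificate file and a key file: it reports a bundled certificate that must be split into the server certificate and its CA certificates, a traditional RSA PRIVATE KEY (what openssl genrsa produces) that still needs the PKCS#8 conversion described in the next section, and an encrypted PKCS#8 key whose passphrase must go in the Password text box. It handles PEM files only; the placeholder blocks built by the _fake_pem helper carry a minimal DER body and are constructed for the test, not real keys or certificates.

```python
"""Pre-import check for the certificate and key files uploaded on the Add Server
Certificate page. Added example, not WatchGuard code. PEM input only."""
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
TRADITIONAL_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def pem_blocks(text):
    """Yield (label, der_bytes) for every PEM block; raise on a corrupt block."""
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("corrupt base64 in %s block: %s" % (label, exc))
        # X.509 certificates, PKCS#8 and traditional keys all start with a DER SEQUENCE (0x30)
        if not der or der[0] != 0x30:
            raise ValueError("%s block does not decode to a DER SEQUENCE" % label)
        yield label, der


def check_certificate_file(text):
    """Return ('ok', 1) for a single certificate or ('split', n) for a bundle."""
    labels = [label for label, _ in pem_blocks(text)]
    certs = labels.count("CERTIFICATE")
    if certs == 0:
        raise ValueError("no CERTIFICATE block found; a DER file must be converted: "
                         "openssl x509 -inform der -in cert.cer -out cert.pem")
    extra = [l for l in labels if l != "CERTIFICATE"]
    if extra:
        raise ValueError("certificate file also contains %s; upload the key separately" % extra)
    return ("split", certs) if certs > 1 else ("ok", certs)


def check_key_file(text):
    """Return 'pkcs8', 'pkcs8-encrypted' or 'convert' (traditional key)."""
    labels = [label for label, _ in pem_blocks(text)]
    if len(labels) != 1:
        raise ValueError("expected exactly one private key block, found %r" % labels)
    label = labels[0]
    if label == "PRIVATE KEY":
        return "pkcs8"                 # unencrypted PKCS#8: leave Password empty
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"       # enter its passphrase in the Password text box
    if label in TRADITIONAL_LABELS:
        return "convert"               # run: openssl pkcs8 -topk8 -in wgnet.key -out wgnet.pk8
    raise ValueError("unexpected block %r in key file" % label)


def _fake_pem(label, payload=b"\x30\x03\x02\x01\x05"):
    """Constructed placeholder block whose body is a minimal DER SEQUENCE (not a real key)."""
    body = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


if __name__ == "__main__":
    import sys
    # python pem_check.py server.pem wgnet.pk8   (file names are assumptions)
    with open(sys.argv[1]) as fh:
        print("certificate:", check_certificate_file(fh.read()))
    with open(sys.argv[2]) as fh:
        print("key:", check_key_file(fh.read()))
```

A 'split' result means the CA returned a chain in one file: the first CERTIFICATE block is the server certificate and the remaining blocks are the CA certificates that the later procedure adds one at a time.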
Submit the CSR to a Certificate Authority

Use the CSR to request a certificate from Thawte, Verisign, or another certificate authority (CA). Use the instructions from your CA to submit the CSR. The CA returns to you a signed certificate.

Convert the Private Key to PKCS#8 Format

Before you import the certificate and private key, you must use OpenSSL to convert the private key to PKCS#8 format.

1. Open a command line interface.
2. Type openssl pkcs8 -topk8 -in wgnet.key -out wgnet.pk8. In this example, wgnet.pk8 is the PKCS#8 private key file. By default this command prompts for a passphrase and writes an encrypted PKCS#8 key; type the same passphrase in the Password text box when you import the key. Add the -nocrypt option if you want an unencrypted PKCS#8 key.

Add the New CA Certificates to WatchGuard SSL Web UI

Before you add the server certificate, you must add to W atchGuard SSL Web UI all the certificates that the CA provided to you. If the CA sent more than one certificate, you must add each certificate separately. You can add the certificates in any order. When you add the certificates, make sure you disable the certificate revocation control option.

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. Click Add Certificate Authority. The Add Certificate Authority General Settings page appears.
3. Make sure the Enable Certificate Authority check box is selected.
4. In the Display Name text box, type the name for this Certificate Authority.
5. Adjacent to the CA Certificate text box, click Browse and select the location of the certificate for your CA. The certificate must be in a PEM or DER format.
6. In the Revocation Control section, select No certificate revocation checking should be performed.
7. Click Finish Wizard. The CA certificate appears in the Registered Certificate Authorities list.
8. To add more CA certificates, repeat Steps 2 through 7 for each certificate.

Add the New Server Certificate to WatchGuard SSL Web UI

If your certificate is a bundled certificate, you must split the certificate before you add it to WatchGuard SSL Web UI. A bundle is a single PEM file that contains several certificates, each between its own BEGIN CERTIFICATE and END CERTIFICATE lines, usually the server certificate first followed by the CA chain. Copy the server certificate block to its own file to use here, and add the remaining blocks as CA certificates with the previous procedure.

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. Click Add Server Certificate. The Add Server Certificate General Settings page appears.
3. In the Display Name text box, type an identifying name for the certificate. This is the name that appears in the Registered Server Certificates list.
4. Adjacent to the Certificate text box, click Browse and select the location of the server certificate. The certificate must be in PEM format.
5. Adjacent to the Key text box, click Browse and select the location of the private key for the server certificate. The key must be a PKCS#8 key in either DER or PEM format.
6. If you created an encrypted key, in the Password text box, type the correct password for the encrypted key.
7. Click Save.
8. Select Administration Service. The Manage Administration Service page appears.
9. From the Server Certificate drop-down list, select the certificate you added.
10. Click Save.

Apply the Server Certificate to Your SSL Device

After you have imported the new server certificate, you can apply it to your SSL device. You can specify only one server certificate.

1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select the General tab. The General Settings page appears.
3. From the Server Certificate drop-down list, select the server certificate you added in the previous section.
4. Click Save.

About Abolishment

Abolishment is an End-Point Security feature that monitors the files and stored browser data on a client during a user session, and then automatically deletes the browser data and files (for example, URL history, cache, cookies, and downloaded files) that were downloaded or created during the user session. You can configure the types of files and browser data that Abolishment deletes when the session ends. You can configure Abolishment to automatically delete the changed files or to notify the user and let the user choose which items to delete.

You can use Abolishment for access control. When you protect a resource with an Abolishment access rule, the Abolishment settings specify what type of files are deleted on the client after the session is completed.

By default, the Abolishment client monitors these file types:
.htm
.pdf
.txt
.exe
.doc
.html
.gif
.jpg

When a user attempts to connect to the resource, access is allowed only if the Abolishment client is running. This is to make sure that Abolishment can be performed when the session is completed. For your users of Microsoft Internet Explorer 7 or later, make sure the HTTPS IP address of the SSL device is added to the Internet Explorer Trusted sites list.

WatchGuard SSL supports Abolishment on Microsoft Windows clients. Abolishment is performed by the Abolishment client that is loaded on the client computer with an ActiveX or Java client loader. If a user connects to the Application Portal with Internet Explorer, the first time the user clicks a resource that requires Abolishment, the user must agree to install the ActiveX client loader. The user must restart the web browser after the ActiveX loader installs. By default, the Abolishment Client Loader tries to use ActiveX first, and if it is not available, it uses a Java applet. You can change this in the Advanced Settings for Abolishment.

Note
When the user is notified about Abolishment, the Abolishment client is called the End-Point Protection scan.

To manage Abolishment settings:

1. Select Manage System > Abolishment. The Manage Abolishment page appears.
2. Configure Abolishment settings on these tabs:
   General Settings
   Cache Cleaner
   Advanced Settings
3. Click Save.

Configure General Settings

You can configure the settings used by Abolishment Access Rules to determine which file types to monitor on the client. You also configure whether to notify the user at the completion of the session about all monitored files that were downloaded or created. If you select to notify the user, the user can choose which files to delete. If you do not notify the user, at the end of the session the Abolishment client automatically deletes the monitored files that were downloaded or created during the session.

1. Select Manage System > Abolishment. The Manage Abolishment page appears.
2. Select the General Settings tab. The General Settings page appears.
3. Configure the settings to monitor and delete downloaded files. For more information about these settings, see the subsequent section.
4. Click Save.
General Settings

Monitor Downloaded Files
Specify the file types to monitor during a user session. You can only monitor files on Windows clients. By default, the file types that are monitored for abolishment are: .htm, .pdf, .txt, .exe, .doc, .html, .gif, .jpg

Delete Downloaded Files
Specify whether to delete monitored files that have been created or downloaded during the session when the session ends, and whether to notify the user and let the user select which files to delete. You can configure these settings:

Enable Delete
To delete monitored files that have changed at the end of the session, select this check box.

Notify User
To show the user a message at the end of the session, select this check box. This message includes information about which files have been downloaded or created, and allows the user to select which files to delete.

Notification Message
If you select the Notify User check box, type the message that users see with the list of files to delete.

Configure Cache Cleaner Settings

You can configure settings that control the deletion of cached Internet Explorer web content and the browser history created during the user session.

1. Select Manage System > Abolishment. The Manage Abolishment page appears.
2. Select the Cache Cleaner tab. The Cache Cleaner page appears.
3. Configure the settings to delete cached Internet content and browser history. For more information about these settings, see the subsequent section.
4. Click Save.

Cache Cleaner settings

Delete the Internet Explorer history and typed URLs
Select this check box to delete the Internet Explorer browser history and the web site addresses that the user typed during the session. This is not selected by default.

Delete the browser cache entries
Select this check box to delete the cached pages in the Internet Explorer browser. You can use the URL filter to specify which cached pages to delete. This is not selected by default.

URL Filter
Type the URL pattern of the files to remove from the browser cache. The Abolishment client monitors the cached files in the Windows Temporary Internet Files folder. At the end of the session, the Abolishment client deletes all cached files that match the URL filter and that were created during the session. You can use a wildcard character (*). If you use the * wildcard character alone, the Abolishment client deletes all cache entries created during the user session. This is the default setting. Here are some other examples of URL filters:
https*
Removes all cache entries downloaded from a secure server during the user session.
http://www.example.com/*
Removes all cache entries from the specified server during the user session.

Configure Advanced Settings

You can configure the settings that control how Abolishment works.
1. Select Manage System > Abolishment.
   The Manage Abolishment page appears.
2. Select the Advanced Settings tab.
   The Advanced Settings page appears.
3. Configure the Abolishment settings for resource display, whether to automatically start Abolishment, and how to load the Abolishment client.
   For more information about these settings, see the subsequent section.
4. Click Save.

Advanced Settings

Display resources
    Select the Display resource in Application Portal check box if you want the icons for all resources to appear in the Application Portal before Abolishment starts to monitor the client.
Automatically start Abolishment
    When the user selects a resource protected by an Abolishment access rule, a notification message appears that tells the user that the End-Point Integrity client is required.
    If you do not select the Automatically start Abolishment check box, the user must click a button on the notification page to start the Abolishment client. If you select this check box, the notification message appears briefly and the Abolishment client starts automatically.
Abolishment Client Loader
    Select which type of loader to use for the Abolishment client.
    ActiveX - Java Applet
        Use the ActiveX client loader first. If the ActiveX client loader is not available, use the Java applet. This is the default setting.
    ActiveX
        Use the ActiveX client loader only.
    Java Applet
        Use the Java applet client loader only.

Post-connection Cleanup with Abolishment

When a remote user connects to sensitive web-based resources on your network from a computer that is not under your control (such as a home computer or kiosk), confidential information can remain on the computer after the VPN session is terminated. You can use Abolishment to erase all traces of the session from the client device (for example, URL history, cache, cookies, and downloaded files).

You can apply an Abolishment rule to any web-based resource. The Abolishment agent runs when the user disconnects from the WatchGuard SSL device, or when the client browser closes. The Abolishment agent loads in the client web browser with either Java or ActiveX technology. You can enable Abolishment when the user accesses a web-based resource and allow the user to decide which files to delete. The subsequent procedure modifies a file sharing resource to add a client Abolishment rule.

Enable Abolishment

1. Select Manage System > Abolishment.
   The Manage Abolishment page appears.
2. Click the General Settings tab.
3. In the Windows text box, type any additional file types to monitor.
   The default file types are htm, pdf, txt, exe, doc, html, gif, and jpg.
4. In the Delete Downloaded Files section, select the Enable delete check box.
5. To enable your users to choose which files to delete, select the Notify user check box.
6. In the Notification Message text box, type the message users see when their sessions end.
7. Select the Cache Cleaner tab.
8. Select the Delete the Internet Explorer history and typed URLs check box.
9. Select the Delete the Internet Explorer cache entries check box.
10. Click Save.

Create a new Abolishment access rule and protect a file share resource with the rule

1. Select Resource Access > Access Rules.
   The Manage Access Rules page appears.
2. Click Add Access Rule.
   The Add Access Rule page appears.
3. In the Display Name text box, type a name for your access rule.
4. Click Add Rule.
   The Select Type of Access Rule page appears.
5. Select Abolishment for the access rule type.
6. Click Next.
   The Add Access Rule - Abolishment summary page appears.
7. Review the summary page and click Next.
   The Add Access Rule page appears.
8. Click Next.
   The Apply Access Rule To Resources page appears.
9. In the Available Resources list, select the file share resources to use this Abolishment rule, and click Add >.
   The resources appear in the Selected Resources list.
10. Click Next.
    The Confirm Access Rule Summary page appears.
11. Review the summary page and click Finish Wizard.
    The Manage Access Rule page appears with the new access rule in the Registered Access Rules list.
12. Click Publish to update your configuration with this change.

Trigger Abolishment

If you use Internet Explorer, the first time you click a resource that requires Abolishment or Assessment, you install the Assessment loader ActiveX component. You must restart the web browser after the ActiveX loader installs.

1. Connect to the Application Portal.
2. Select the file sharing resource you protected with the Abolishment rule.
   The End-Point Integrity scan notification appears.
3. Click Continue to accept the End-Point Integrity notification.
4. Go to the mapped drive letter defined in this file share resource. For example, W:.
5. Save a file from the file share resource to the local hard drive.
   The file must be one of the file types configured in the Abolishment settings. The default file types are htm, pdf, txt, exe, doc, html, gif, and jpg.
6. Log off the Application Portal or exit your browser.
   The WatchGuard SSL Abolishment client prompts the user to delete new or changed files.
7. Select the check box next to each file to delete. Or, click Select All.
8. Click Delete Files.
   The selected files are deleted.

About Assessment

Assessment is an End-Point Security feature that scans the client computer to assess whether the client meets certain criteria. You can configure the Assessment criteria that a client computer must meet in order to get access to a resource protected by an Assessment access rule.
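Returning to the Abolishment settings described above (Monitor Downloaded Files, Delete Downloaded Files, and the Cache Cleaner URL Filter), the following is an added example, not WatchGuard's code, that simulates which artefacts the Abolishment client would select for deletion when a session ends. The Artifact type, the integer timestamps, the sample Windows paths and cache URLs, and the assumption that only the * character is a wildcard in the URL Filter are all constructed for this example; the real client works on the Windows Temporary Internet Files folder and the monitored file types it is configured with.

```python
"""
Added example (not WatchGuard code): simulate which downloaded files and
Temporary Internet Files cache entries the Abolishment client would select
for deletion at session end, using the General Settings and Cache Cleaner
settings described in the guide. All sample data below is constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
import os

# Default monitored file types from the General Settings tab (Windows clients only).
DEFAULT_MONITORED_TYPES = {"htm", "pdf", "txt", "exe", "doc", "html", "gif", "jpg"}


@dataclass(frozen=True)
class Artifact:
    """A downloaded file or a browser cache entry.
    `location` is a local path (downloaded file) or the entry's URL (cache entry).
    `modified_at` is the last-written time; plain integers stand in for timestamps."""
    location: str
    modified_at: int


def is_monitored_type(path, monitored_types=DEFAULT_MONITORED_TYPES):
    """True if the file extension (case-insensitive, without the dot) is monitored."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return ext in monitored_types


def select_downloaded_files(files, session_start, monitored_types=DEFAULT_MONITORED_TYPES):
    """Delete Downloaded Files: monitored files created or changed during the session.
    Files untouched since before the session started are left alone."""
    return [f.location for f in files
            if f.modified_at >= session_start and is_monitored_type(f.location, monitored_types)]


def select_cache_entries(entries, url_filter, session_start):
    """Cache Cleaner: entries created during the session whose URL matches the URL Filter.
    '*' alone (the default) matches everything; 'https*' and 'http://www.example.com/*'
    behave as in the guide's examples. Assumption: only '*' is a wildcard, so the
    fnmatch metacharacters '[' and '?' are escaped to match literally."""
    pattern = url_filter.replace("[", "[[]").replace("?", "[?]")
    return [e.location for e in entries
            if e.modified_at >= session_start and fnmatchcase(e.location, pattern)]


SESSION_START = 1000  # constructed session start time

# Constructed sample data: two monitored files changed during the session, one file
# last written before the session, and one file whose type is not monitored.
SAMPLE_FILES = [
    Artifact(r"C:\Users\alice\Downloads\report.PDF", 1200),
    Artifact(r"C:\Users\alice\Downloads\notes.txt", 1500),
    Artifact(r"C:\Users\alice\Downloads\old.doc", 900),
    Artifact(r"C:\Users\alice\Downloads\archive.zip", 1300),
]
SAMPLE_CACHE = [
    Artifact("https://intranet.example.com/payroll/q1.html", 1100),
    Artifact("http://www.example.com/index.html", 1250),
    Artifact("http://news.example.net/story?id=7", 1400),
    Artifact("https://intranet.example.com/login", 800),  # cached before the session
]


def demo(url_filter="*"):
    """Run both selections over the constructed sample data."""
    return {
        "files": select_downloaded_files(SAMPLE_FILES, SESSION_START),
        "cache": select_cache_entries(SAMPLE_CACHE, url_filter, SESSION_START),
    }


if __name__ == "__main__":
    print("files:", demo()["files"])
    for flt in ("*", "https*", "http://www.example.com/*"):
        print(f"cache with filter {flt!r}:", demo(flt)["cache"])
```

The time comparison is what keeps the cleanup scoped to the session: an entry cached before the user connected, such as the login page above, is never touched even when it matches the filter, which is the behaviour the URL Filter description promises.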
You can define an Assessment access rule to check for:
   File or directory information
   Registry key or sub-key information
   Process information
   Windows user information
   Windows domain information
   Network interface information
   TCP and UDP port information
   Anti-virus and anti-spyware information
   Firewall information

After a user authenticates, but before the user connects to a network resource, you can require an assessment of their computer to find whether the computer meets your security requirements. This is the Client Assessment process, which is performed by the WatchGuard SSL Assessment Agent. The Assessment Agent automatically launches in a client web browser.

At the start of a user session, the Assessment client scans the client computer to make sure it meets the Assessment criteria you specify. If the client computer meets the criteria, the user is allowed to access the protected resource.

If you have a current LiveSecurity subscription, updates to your Assessment criteria data occur automatically at the time interval you specify in Monitor System > Live Update. If your LiveSecurity subscription expires, the assessment definition file is no longer updated, but continues to operate with the criteria available at the time of expiration.

WatchGuard SSL supports Assessment on Microsoft Windows clients. Assessment is performed by the Assessment client loaded on the client computer with an ActiveX or Java client loader. If a user connects to the Application Portal with Internet Explorer, the first time the user clicks a resource that requires Assessment, the user must agree to install the ActiveX client loader. The user must restart the web browser after the ActiveX loader installs. By default, the Assessment Client Loader tries to use ActiveX first, and if it is not available, it uses a Java applet. You can change this in the Advanced Settings for Assessment.

Note
    When the user is notified about Assessment, the Assessment scan is called the End-Point Integrity scan.

To manage Assessment settings:

1. Select Manage System > Assessment.
   The Manage Assessment page appears.
2. Configure Assessment on these tabs:
   General Settings
   Advanced Settings
3. Click Save.

Configure General Settings for Assessment

You can configure the client scan settings the Assessment Access Rules use when a user selects a protected resource. This includes Real-time Scan and the client scan path settings.

1. Select Manage System > Assessment.
   The Manage Assessment page appears with the General Settings tab selected.
2. Configure the Real-time Scan and Client Scan Path settings.
   For more information about these settings, see the subsequent sections.
3. Click Save.
4. Click Publish to update your configuration with this change.

Real-time Scan

The client scan is always performed the first time a user requests a resource that is protected by an Assessment Access Rule. If you want the client scan to continue assessment during the session, you must select this option. Real-time Scan is disabled by default.

To enable real-time scan:

1. Select the Enable Real-time Scan check box.
2. In the Interval text box, type the number of seconds between scans.
   The default interval is to scan every 120 seconds.

Client Scan Path

You can select one or more paths that you want the Assessment client to scan on the client computer. For each client scan path you must set this information:

Operating System
    The client operating system to scan. Windows is the only option.
Type
    The type of client data the client scan looks for. The client can search for four types of data:
    File
        file attributes, file name, file digest, file time created, and file time last written
    Directory
        directory name and attributes
    Registry Key
        registry name, registry type, and registry value
    Registry Sub Key
        registry name, registry type, and registry value
Path
    The path on the client computer to scan for the selected client data type.

Add a Client Scan Path

To add a client scan path:

1. In the Client Scan Path section, click Add Client Scan Path.
   The Add Client Scan Path page appears.
2. In the Type drop-down list, select the type of client data.
3. In the Path text box, type or paste the path to scan on the client computer.
4. Click Add.
   The new path appears in the Client Scan Path list.

Edit a Client Scan Path

After you have configured the path for a client scan, you can edit it to change the type of path and the path details.

1. In the Client Scan Path list, click the client scan path you want to change.
   The Edit Client Scan Path page appears.
2. Change the Type and Path settings. You cannot change the Operating System selection.
3. Click Update.
   The edited path appears in the Client Scan Path list.

Delete a Client Scan Path

You can also delete a path in the list.

1. In the Client Scan Path list, click the client scan path you want to delete.
   The Edit Client Scan Path page appears.
2. Click Delete.
   A confirmation message appears.
3. Click Yes.
   The Client Scan Path is removed from the list.

Configure Advanced Settings

You can configure the settings that control how Assessment works.

1. Select Manage System > Assessment.
   The Manage Assessment page appears.
2. Select the Advanced Settings tab.
   The Advanced Settings page appears.
3. Configure the Display Resources, Assessment Client Scan, and Assessment Client Loader settings.
   For more information about these settings, see the subsequent sections.
4. Click Save.

Display Resources

To enable the icons for all resources to appear in the Application Portal before the Assessment client scan is completed, select the Display resource in Application Portal check box. Users may see resources that they cannot access.

Automatically start the Assessment client scan

When the user selects a resource protected by an Assessment access rule, a notification message appears that tells the user that the End-Point Integrity client is required. If you do not select the Automatically start the Assessment client scan check box, the user must click a button on the notification page to start the client scan. If you select this check box, the notification message appears and the Assessment client scan starts automatically.

Assessment Client Loader

Select which type of loader to use for the Assessment client.
ActiveX - Java Applet
    Use the ActiveX client loader first. If the ActiveX client loader is not available, use the Java applet. This is the default setting.
ActiveX
    Use the ActiveX client loader only.
Java Applet
    Use the Java applet client loader only.

Pre-connection End-point Integrity Check

You can use WatchGuard SSL End-Point Integrity to verify that client devices meet your defined security profile, before users can access your internal resources through the Application Portal. After users authenticate, but before they connect to network resources, you can require an assessment of their computers to find whether they meet your security requirements. This is the Client Assessment process, which is performed by the WatchGuard SSL Assessment Agent. This process checks that all security requirements are met, such as security patch level, anti-virus protection, client firewall protection, or home domain. The Assessment Agent automatically launches in a client Web browser.

You can configure the WatchGuard SSL device to allow access only if a specific process is active on the client computer. You can apply this type of access rule to any resource. Some examples of processes are executable files, anti-virus software, or client firewall software. The subsequent procedure uses notepad.exe and modifies a file sharing resource as an example.

Enable real-time scan and client information collection

1. Select Manage System > Assessment.
   The Manage Assessment page appears.
2. Click the General Settings tab.
3. Select the Enable Real-time Scan check box.
4. In the Interval text box, type how often the scan is to occur, in seconds.
5. Click Add Client Scan Path.
   The Add Client Scan Path page appears.
6. In the Operating System drop-down list, Windows is the only option.
7. In the Type drop-down list, select File.
8. In the Path text box, type the directory location for the files to scan.
9. Click Add.
   The Manage Assessment page appears.
10. Click Save.

Create a new Assessment access rule

1. Select Resource Access > Access Rules.
2. Click Add Access Rule.
3. Type a Display Name for your access rule. For example, Require Notepad.
4. Click Next.
   The Select Type of Access Rule page appears.
5. Select Assessment as the rule type.
6. Click Next.
   The Select Criteria page appears.
7. Select the criteria for this rule. For example, to check for notepad.exe:
   In the Display Name text box, type a descriptive name for this rule.
   In the Operating System drop-down list, Windows is the only option.
   In the Information Type drop-down list, select Process information.
   Do not select the Deny access check box, because you want to allow access if the conditions of this rule are met.
8. Click Next.
   The Specify Requirements page appears.
9. Click Add Requirement.
   The Add Requirement page appears.
10. Select the requirements for this rule. For example, to check for notepad.exe:
    In the Client Data drop-down list, select Process name.
    In the Matching Restriction drop-down list, select Wildcard match.
    In the Matching Rules text box, type *notepad.exe. If you do not include the '*' wildcard character, you must type the complete path to the executable file.
11. Click Add.
    The Specify Requirements page appears with the new rule in the Registered Requirements list.
12. Click Next.
    The Feedback Message page appears.
13. In the Feedback Message text box, type the message that users see if access to a resource is denied because the client scan results do not match the specified requirements.
14. Click Next.
    The Summary page appears.
15. Review the summary page and click Next.
    The Add Access Rule page appears.
16. Click Next.
    The Apply Access Rule To Resources page appears.
17. In the Available Resources list, select the resources to protect with this rule and click Add >.
    The resources appear in the Selected Resources list.
18. Click Next.
    The Confirm Access Rule Summary page appears.
19. Review the summary page and click Finish Wizard.
    The Manage Access Rules page appears with the new access rule in the Registered Access Rules list.
20. Click Publish to update your configuration with this change.

Trigger Assessment

If you use Internet Explorer, the first time you click a resource that requires Abolishment or Assessment, you must install the Assessment loader ActiveX component. Restart your Web browser after the ActiveX loader installs.

1. Connect to the Application Portal.
2. Click the File Sharing resource you protected with the Assessment rule.
   The End-Point Integrity scan notification appears.
3. Click Continue to accept the End-Point Integrity notification.
   If notepad.exe is not active on the client computer, access to the resource is denied.
4. Launch notepad.exe.
5. Click Try again.
   The End-Point Integrity scan notification appears again.
6. Click Continue to accept the End-Point Integrity notification.
   The scan proceeds and the Access Client loads. The resource is now connected.

About Notification Settings

You can configure the email and SMS notification channels to send notification messages. These notification channels are used to send alerts and to distribute one-time passwords (OTPs), passwords and PINs, and seed notifications.

To configure notification settings:

1. Select Manage System > Notification Settings.
   The Manage Notification Settings page appears.
2. Configure these settings for notification:
   Email Channel
   SMS Channel
   SMS Plug-ins
3. Click Save.

Configure the Email Notification Channel

You can enable and configure email settings and the email address of the sender. You must configure the email channel if you select email notification in any of these areas:
   For a user account
   In the Global User Account Settings
   For an alert

To configure the email channel:

1. Select Manage System > Notification Settings.
   The Manage Notification Settings page appears.
2. Select the Email Channel tab.
   The Email Channel page appears.
3. Select the Enable email channel check box.
4. In the Host text box, type the IP address or DNS name of the server that sends the PIN, password, and seed to users.
   The default is localhost.
5. In the Port text box, type the port number.
   The default port is 25.
6. In the Sender's Email Address text box, type the email address that you want to appear in the From field of the notification messages. For example, admin@example.com.
7. Click Save.

Configure the SMS Notification Channel

You can add one or more SMS channels. You must define an SMS channel when you enable SMS notification in these places:
   For a user account
   For user linking
   For alerts

You can configure multiple SMS channels. Each channel is handled by an SMS plug-in.

Add an SMS channel

Note
    Make sure you save your changes before you select another page in the UI. If you do not save your changes before you go to another page, all your changes are lost.

1. Select Manage System > Notification Settings.
   The Manage Notification Settings page appears.
2. Select the SMS Channel tab.
3. Click Add SMS Channel.
   The Add SMS Channel page appears.
4. In the Display Name text box, type a name for this channel.
5. From the Plug-in drop-down list, select the SMS plug-in for the SMS protocol you want to use.
6. Click Next.
7. Configure the settings for the selected SMS channel.
   The configuration settings are different for each SMS protocol. The number of tabs with SMS settings to configure depends on the plug-in you selected. For information about settings for each of the default SMS plug-ins, see:
   SMTP Channel Settings
   SMPP Channel Settings
   Netsize Channel Settings
   HTTP Channel Settings
   CIMD Channel Settings
8. Click Finish Wizard.
9. Click Save.

To add a plug-in, click the SMS Plug-in tab. For more information, see Manage SMS Plug-ins.

Reorder the Registered SMS Channels list

To change the order in which the channels are used, change the order of the channels in the Registered SMS Channels list.
1. Select the SMS Channel tab.
2. In the Registered SMS Channels list, in the Move column, click Up or Down for the channel you want to move.
   The channel moves up or down in the list.
3. Click Save.

Edit an SMS channel

1. Select the SMS Channel tab.
2. In the Registered SMS Channels list, click the channel you want to change.
   The Edit SMS Channel page appears.
3. Update the settings for the SMS channel.
4. Click Finish Wizard.

Delete an SMS channel

1. Select the SMS Channel tab.
2. In the Registered SMS Channels list, click the channel you want to delete.
   The Edit SMS Channel page appears.
3. Click Delete.
   A confirmation message appears.
4. Click Yes.
5. Click Save.

SMTP Channel Settings

If you select the SMTP SMS plug-in when you add an SMS channel, you configure the connection, mobile number format, and message settings.

Connection tab

Host Address
    The IP address or DNS name of the SMTP server. Set to localhost by default.
Port
    The port of the SMTP server. Set to 25 by default.
Account
    The service account to use to log into the SMTP service.
Password
    The service account password to use to log into the SMTP service.
Start TLS
    Select this check box to use TLS (Transport Layer Security). This is not enabled by default.
Timeout
    The length of time (in milliseconds) to wait for a response from the SMTP server. Set to 10000 by default.
Connection Timeout
    The length of time (in milliseconds) for a socket connection timeout.
Close Socket
    Select the Close Socket check box to close the socket after communication.
Debug Mode
    Select the Debug Mode check box to enable debug mode.

Mobile Number Format tab

Remove
    Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix
    If the prefix of the mobile number is incorrect for the service, you can automatically replace it. In the Replace Prefix text box, type the prefix to replace.
New Prefix
    In the New Prefix text box, type the prefix to use instead of the prefix in the Replace Prefix text box.
Message tab

To
    The email address to put in the To text box.
To Personal
    The friendly name to put in the To text box.
From
    The email address to put in the From text box.
From Personal
    The friendly name to put in the From text box.
Subject
    The content of the Subject text box.
Message Body
    The content of the message body.

SMPP Channel Settings

If you select the SMPP SMS plug-in when you add an SMS channel, you configure the connection, mobile number format, and submission parameter settings.
Connection tab

Host Address
    The IP address or DNS name of the SMPP server. Set to localhost by default.
Port
    The port of the SMPP server. Set to 25 by default.
Timeout
    The length of time (in milliseconds) to wait for a response from the SMPP server. Set to 10000 by default.
Keep Alive
    Select this to keep the connection alive. This is not selected by default.
System ID
    The service account to use to log into the SMPP service.
Password
    The service account password to use to log into the SMPP service.
System Type
    The SMPP System Type. See your SMPP server documentation for more information.
Interface Version
    The interface version. Set to 52 by default.
Address TON
    See your SMPP server documentation for more information.
Address NPI
    See your SMPP server documentation for more information.
Address Range
    See your SMPP server documentation for more information.

Mobile Number Format tab

Remove
    Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix
    If the prefix of the mobile number is incorrect for the service, you can automatically replace it. In the Replace Prefix text box, type the prefix to replace.
New Prefix
    In the New Prefix text box, type the prefix to use instead of the prefix in the Replace Prefix text box.

Submission Parameters tab

For information about the settings on this tab, see the documentation for your SMPP server.
Netsize Channel Settings

If you select the Netsize SMS plug-in when you add an SMS channel, you configure the general and mobile number format settings.
General tab

Host Address
    The IP address or DNS name of the Netsize server.
Port
    The port of the Netsize server. Set to 25 by default.
Client
    The client account to use to log into the Netsize service.
Account
    The service account to use to log into the Netsize service.
Password
    The service account password to use to log into the Netsize service.
Timeout
    The length of time (in milliseconds) to wait for a response from the Netsize server. Set to 10000 by default.
Message Class
    The Message Class for this message. Valid entries are: Default, Immediate Display (Flash), Store on Mobile Phone, Store on SIM, Store on Terminal Equipment. Contact your Netsize vendor for more information about these settings.
Mobile Number Format tab

Remove
    Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix
    If the prefix of the mobile number is incorrect for the service, you can automatically replace it. In the Replace Prefix text box, type the prefix to replace.
New Prefix
    In the New Prefix text box, type the prefix to use instead of the prefix in the Replace Prefix text box.

HTTP Channel Settings

If you select the HTTP SMS plug-in when you add an SMS channel, you configure the general, mobile number format, and response parsing settings.
General tab

URL
    The URL or DNS name of the HTTP server. Set to http://localhost by default.
Account
    The service account to use to log into the HTTP service.
Password
    The service account password to use to log into the HTTP service.
Use Basic Authentication
    Select this check box to use basic authentication for this HTTP service.
Post Data
    The POST data that must be present in the HTTP post.
Follow Redirects
    Select this check box to consider redirects when parsing responses.
Use HTTP 1.1
    Select this check box to use HTTP version 1.1. This is selected by default.
User Agent
    Specify the user agent if the HTTP service requires a specific user agent.
Additional Headers
    Specify the content of any additional headers that the HTTP service requires in the request.
Timeout
    The length of time (in milliseconds) to wait for a response from the HTTP server. Set to 10000 by default.
Connection Timeout
    The length of time (in milliseconds) to wait for a connection to the HTTP server. Set to 10000 by default.

Mobile Number Format tab

Remove
    Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix
    If the prefix of the mobile number is incorrect for the service, you can automatically replace it. In the Replace Prefix text box, type the prefix to replace.
New Prefix
    In the New Prefix text box, type the prefix to use instead of the prefix in the Replace Prefix text box.
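The following is an added example, not WatchGuard's plug-in code, showing how an HTTP SMS channel can apply the Mobile Number Format settings above (Remove, Replace Prefix, New Prefix, which every plug-in shares) to a recipient number, and then classify a gateway reply with the Response Parsing Format settings of the HTTP plug-in (Success and Failure Response Codes, Success and Failure Response Body, Default State) described on the next tab. The MobileNumberFormat and ResponseParsing classes, the sample number with a trunk zero, and the sample gateway replies are constructed; the evaluation order (explicit codes first, then body markers, then Default State) is an assumption for this example, not documented behaviour of the plug-in.

```python
"""
Added example (not WatchGuard code): apply an SMS channel's Mobile Number
Format settings to a recipient number and classify an HTTP gateway reply
with Response Parsing Format settings. Settings and sample data are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class MobileNumberFormat:
    remove: str = "()+"         # characters stripped from the number (guide example: ()+)
    replace_prefix: str = ""    # prefix to replace; empty means no replacement
    new_prefix: str = ""        # prefix used instead of replace_prefix


@dataclass
class ResponseParsing:
    success_codes: set = field(default_factory=lambda: {200, 201, 202})  # guide defaults
    failure_codes: set = field(default_factory=lambda: {400, 401, 402})  # guide defaults
    success_body: str = ""      # body text that marks success; empty means unused
    failure_body: str = ""      # body text that marks failure; empty means unused
    default_state: str = "Failure"  # guide default: an unrecognised reply counts as failure


def format_mobile_number(number, fmt):
    """Apply Remove first, then swap Replace Prefix for New Prefix if it matches."""
    cleaned = "".join(ch for ch in number if ch not in fmt.remove)
    if fmt.replace_prefix and cleaned.startswith(fmt.replace_prefix):
        cleaned = fmt.new_prefix + cleaned[len(fmt.replace_prefix):]
    return cleaned


def classify_response(status, body, parsing):
    """Return 'Success' or 'Failure' for one gateway reply.
    Assumed precedence: explicit status codes, then body markers, then Default State,
    so a reply the settings do not describe falls back to the default (Failure)."""
    if status in parsing.success_codes:
        return "Success"
    if status in parsing.failure_codes:
        return "Failure"
    if parsing.success_body and parsing.success_body in body:
        return "Success"
    if parsing.failure_body and parsing.failure_body in body:
        return "Failure"
    return parsing.default_state


# Constructed sample: a gateway that expects the country code without the trunk zero.
SAMPLE_FORMAT = MobileNumberFormat(remove="()+ -", replace_prefix="460", new_prefix="46")

# Constructed sample: a gateway that answers HTTP 200 for every request and reports the
# real outcome in the body, so Success Response Codes is left empty and the body
# markers decide; anything else falls through to Default State = Failure.
SAMPLE_PARSING = ResponseParsing(success_codes=set(), failure_codes={400, 401, 402},
                                 success_body="ACCEPTED", failure_body="ERROR",
                                 default_state="Failure")

# Constructed replies: (status, body)
SAMPLE_REPLIES = [
    (200, "ACCEPTED id=8812"),
    (200, "ERROR 42 invalid recipient"),
    (200, "<html>maintenance page</html>"),
    (503, ""),
    (401, "ACCEPTED"),
]


def demo():
    """Format the sample number and classify each sample reply."""
    return {
        "number": format_mobile_number("+46 (0)70-123 45 67", SAMPLE_FORMAT),
        "results": [classify_response(s, b, SAMPLE_PARSING) for s, b in SAMPLE_REPLIES],
    }


if __name__ == "__main__":
    out = demo()
    print("recipient:", out["number"])
    for (status, body), result in zip(SAMPLE_REPLIES, out["results"]):
        print(status, repr(body), "->", result)
```

With the guide's defaults, a 200 reply would be counted as success even when the body says ERROR, which is why the sample leaves Success Response Codes empty for a gateway that always returns 200; the Default State of Failure is what turns an unexpected reply (a maintenance page, a 503) into a logged failure rather than a silently lost OTP.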
Response Parsing Format tab

Success Response Codes
    The HTTP Response Codes that indicate success. 200, 201, and 202 are selected by default.
Failure Response Codes
    The HTTP Response Codes that indicate failure. 400, 401, and 402 are selected by default.
Success Response Body
    Contents in the HTTP Response Body that indicate success.
Failure Response Body
    Contents in the HTTP Response Body that indicate failure.
Default State
    Select whether the default state is Success or Failure. This is set to Failure by default.

CIMD Channel Settings

If you select the CIMD SMS plug-in when you add an SMS channel, you configure the general and mobile number format settings.

General tab

Host Address
    The IP address or DNS name of the CIMD server. Set to localhost by default.
Port
    The port of the CIMD server. Set to 3000 by default.
Account
    The service account to use to log into the CIMD service.
Password
    The service account password to use to log into the CIMD service.
Timeout
    The length of time (in milliseconds) to wait for a response from the CIMD server. Set to 15000 by default.
Mobile Number Format tab

Remove
    Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix
    If the prefix of the mobile number is incorrect for the service, you can automatically replace it. In the Replace Prefix text box, type the prefix to replace.
New Prefix
    In the New Prefix text box, type the prefix to use instead of the prefix in the Replace Prefix text box.

Manage SMS Plug-ins

Plug-ins are used to communicate with different SMS vendors. You select plug-ins when you configure an SMS channel. The default plug-ins available are:
   SMTP (1.0)
   SMPP (1.10)
   Netsize (1.0)
   HTTP (1.12)
   CIMD (1.10)

You can write additional plug-ins for compatibility with other SMS protocols.

To add an SMS plug-in:

1. Select Manage System > Notification Settings.
   The Manage Notification Settings page appears.
2. Select the SMS Plug-ins tab.
   A list of installed SMS plug-ins appears.
3. To add a plug-in, click Browse to locate the plug-in file.
4. Click Upload Plug-in.
   The plug-in is added to the list, and is available when you add an SMS Channel.
5. Click Save.

To remove an SMS plug-in:

1. Select the Remove check box for the plug-in you want to delete.
2. Click Remove.
3. Click Save.

Manage Client Definitions

You can use client definitions to create Access Rules that enable access to a resource only if the client is of a specified type. By default, the WatchGuard SSL device includes these client definitions:
   Internet Explorer 6, 7, 8, 9
   Netscape 7, 9
   Google Chrome
   Opera
   Mozilla Firefox
   Safari
   WAP Phone
   Access Client
   Microsoft-AirSync
   Java
   Mac OS
   Windows
   Unix
   Linux
   Windows CE
   PDA

The WatchGuard SSL device identifies a client based on the content of the HTTP headers. Client definitions define what values the WatchGuard SSL device looks for in the HTTP header to identify specific clients. When you create an Access Rule of the type Client Definition, the Available Clients you can select are those you define on the Client Definitions page. After you add a client definition, you can select that client when you create an Access Rule.

To manage client definitions:

1. Select Manage System > Client Definitions.
   The Manage Client Definitions page appears.
2. Configure client definitions:
   Add a client definition.
   Edit or delete a client definition.

Add Client Definitions

To add a client definition:

1. Select Manage System > Client Definitions.
   The Manage Client Definitions page appears.
2. Click Add Client Definition.
   The Add Client Definition page appears.
3. In the Display Name text box, type a name for this client.
4. In the Definition text box, type the name=value pair that appears in the HTTP header of the client. You can use the * wildcard character in the value.
   You can include more than one name=value pair. To use an AND operator, add the pairs on the same line, separated by a space. To use an OR operator, add the pairs on the same line, separated by the pipe (|) symbol. To specify a NOT operator, add an exclamation mark (!) before the pair.
   Note
       For examples of correct client definitions, view an existing client definition.
5. Click Save.
   The client definition you added appears in the Registered Client Definitions list.

Edit or Delete Client Definitions

Edit a client definition

1. Select Manage System > Client Definitions.
   The Manage Client Definitions page appears.
2. In the Registered Client Definitions list, click the display name of a client. The Edit Client Definition page appears.
3. Edit the Display Name and Definition.
4. Click Save.

Delete a client definition
1. Select Manage System > Client Definitions. The Manage Client Definitions page appears.
2. In the Registered Client Definitions list, click the display name of the client.
3. Click Delete. A confirmation message appears.
4. Click Yes. The client definition is removed from the Registered Client Definitions list.

About Delegated Management

After you configure an External Directory Service, you can use delegated management to create administrative roles with different configuration and monitoring responsibilities. You can then assign each role to one or more users in the registered External Directory Service.

Note: Delegated Management is only available in the Web UI if you have configured an External Directory Service and published the configuration change.

When you create an alert on the Manage Alerts page, you can assign which alerts are sent to the various administrative roles. The users you assign to each of these roles then receive the alert notification messages about alert events. If you plan to use an administrative role for alerts, make sure that the users you assign to that role have email addresses and/or cell phone numbers defined in their user accounts.

By default, the WatchGuard SSL device has two built-in administrative roles:
  Help Desk
  Super Administrator

For each role, you can assign different administrative privileges. For a description of the privileges you can assign to a role, see About Administrative Privileges.

To add or edit administrative roles:
1. Select Manage System > Delegated Management. The Delegated Management page appears.
2. Add, edit, or delete an administrative role.

About Administrative Privileges

For the administrative roles that you create, you can assign one or more of these privileges to each role. Assign only the privileges a role needs. Publish is what makes configuration changes take effect on the device, so a role without it can prepare changes but depends on a role that has Publish, such as Super Administrator, to put them into effect.

Help desk administration: Allows users to add, edit, and delete all settings saved for a user account.
User account management: Allows users to get access to all functionality available in the User Management menu.
Resource management: Allows users to add, edit, and delete resources (resource hosts and resource paths) and to manage Application Portal items.
Resource path management: Allows users to add, edit, and delete resource paths for selected resource hosts.
View logs: Allows users to use the Log Viewer to see log files.
Publish: Allows users to publish an updated configuration.

Privileges for the Default Administrative Roles

You cannot see or edit privileges for the default administrative roles. These roles have privileges permanently assigned. The Super Administrator role has all privileges enabled. The Help Desk role has the Help desk administration privilege enabled.

Manage Administrative Roles

You can add, edit, or delete administrative roles.

Add an Administrative Role
1. Select Manage System > Delegated Management. The Delegated Management page appears.
2. Click Add Role. The Add Role page appears.
3. In the Display Name text box, type a name for this role.
4. (Optional) In the Description text box, type a description of this role.
5. In the Privileges section, select the check box for each privilege to assign to this role:
   Help desk administration
   User account management
   Resource management
   Resource path management
   View logs
   Publish
   For more information, see About Administrative Privileges.
6. Click Next.
7. Complete the next pages of the wizard for the privileges you selected.
   Select User Accounts: From the Select User Group drop-down list, select a user group that this role can manage and click Add Group. Repeat to add each user group this role can manage.
   Select Resources: Select a resource in the Available Resources list and click Add. The resource appears in the Selected Resources list.
8. Click Next. The Select Administrators page appears.
9. To assign users to this role, click Add Administrator.
   a. In the User ID text box, type a full or partial user name to search for. You can use the * wildcard character in your search. For example, type *smith* to find all user IDs that contain "smith". The user names that match your search criteria appear in the Search Result list.
   b. In the Search Result list, select the Assign Role check box for each user you want to assign to this role.
   c. Click Update.
   d. To search for other users to assign to this role, repeat these steps.
10. Click Finish Wizard.

Edit an Administrative Role
1. Select Manage System > Delegated Management. The Delegated Management page appears.
2. In the Registered Roles list, click a role. The Edit Role page appears.
3. Select the General Settings tab to edit these settings:
   Display Name
   Description
   Privileges (cannot be changed for the two default roles): Select the check box for each privilege to assign to this role. For more information, see About Administrative Privileges.
4. To edit the User Groups this role can manage, select the User Accounts tab.
5. To change the resources this role can manage, select the Resources tab.
6. To change which users are assigned to this role, select the Administrators tab.
7. Click Save.

Delete an Administrative Role
1. Select Manage System > Delegated Management. The Delegated Management page appears.
2. In the Registered Roles list, click a role. The Edit Role page appears.
3. Click Delete. A confirmation message appears.
4. Click Yes. The role is removed from the Registered Roles list.
About the Administration Service

The Administration Service includes all the services and settings related to administration of your device. On the Manage Administration Service page you can configure the HTTP and HTTPS ports and the server certificate to use for communication between the WatchGuard SSL Web UI and the administrator's browser.

Manage Administration Service Settings
1. Select Manage System > Administration Service. The External Communication Settings page appears.
2. Configure these settings for external communication:
   Administrator Host: Select which interface to use when you connect to the WatchGuard SSL Web UI to manage the device. If your device is in single interface mode, this is always set to Eth0. If your device is in dual interface mode, you can select Eth0 or Eth1. In dual interface mode, this is set to Eth1 by default. Keep the Web UI on the interface that faces your management network, and restrict which hosts can reach the administrator ports.
   Administrator HTTP Port: The HTTP port to use when you connect to the WatchGuard SSL Web UI to manage the device. This is set to 80 by default. Plain HTTP is unencrypted; administer the device over the HTTPS port.
   Administrator HTTPS Port: The HTTPS port to use when you connect to the WatchGuard SSL Web UI to manage the device. This is set to 8443 by default.
   Server Certificate:
   The server certificate the Administration Service uses in HTTPS communication. You add the server certificate on the Certificates page. For more information, see Add a Server Certificate.
3. Click Save.

From the Manage Administration Service page you can also:
  Change the Super Administrator Password
  Manage Global Settings
  Restart the Administration Service

Change the Super Administrator Password

When you complete the Quick Setup Wizard, you set the Super Administrator password. You can change this password at any time. You can also enable or disable the WatchGuard SSL password policy, which requires that the Super Administrator password meet these standards:
  The password must be at least six characters long.
  The password must include characters from at least three of these four categories:
    English uppercase characters (A through Z)
    English lowercase characters (a through z)
    Base-10 digits (0 through 9)
    Non-alphanumeric characters (for example, !, $, #, or %)
Treat these requirements as a floor: the Super Administrator account holds every privilege on the device, so choose a password well beyond the six-character minimum.

To enable or disable the password policy, or change the password:
1. Select Manage System > Administration Service.
2. Click Change Password. The Super Administrator Password page appears.
3. Select or clear the Enable password policy check box.
4. In the Current Password text box, type the password currently assigned to the Super Administrator.
5. In the New Password and Verify New Password text boxes, type the new password.
6. Click Save.

Manage Global Settings

You can manage the settings for all services from the Administration Service page. We recommend that you do not change these settings unless a WatchGuard technical support representative asks you to change a setting to help troubleshoot a specific problem.

To configure the global settings for the services:
1. Select Manage System > Administration Service. The Manage Administration Service page appears.
2. Click Manage Global Settings. The Manage Global Service Settings page appears.
3. Configure the global settings for the services. For more information about these settings, see the subsequent sections.
4. Click Save.

Communication Settings

To control the communication between the Administration service and the Device service, configure these settings:
Timeout Check Interval: Number of seconds (0 to 3600) between checks for sessions that have timed out. This is set to 1 second by default.
User Lifetime in Cache: Number of seconds (0 to 31,536,000) to keep user account information in the cache before the Administration service reloads it from the Internal User Database or External Directory Service. This setting is not related to user activity. This is set to 900 seconds by default. The maximum value is equal to 365 days. Until a cached entry is reloaded, changes made to a user's attributes or group membership in the directory may not be reflected on the device; a shorter lifetime propagates such changes faster at the cost of more directory lookups.
Heartbeat Interval: Number of seconds (1 to 30) between status checks on services on the device. This is set to 10 seconds by default.
Missing Heartbeat Limit: Number of missing heartbeats, or status checks, that are allowed (1 to 100) before the services reconnect to each other because a service did not respond. This is set to 12 heartbeats by default.
Send cache specification: Select this check box if you want the Administration service to send the cache specification to the Device service that controls the Application Portal. This is selected by default.

Heap Size Settings

To control the amount of memory that the Administration service uses, configure these settings.
Minimum Memory: Default is set to 64 MB.
Maximum Memory: Default is set to 256 MB.
Save Heap Size specification: Select this check box to save the Heap Size specification.

Restart the Administration Service

You can restart the Administration service without interrupting any current client SSL sessions.

To restart the Administration service:
1. Select Manage System > Administration Service. The Manage Administration Service page appears.
2. Click Restart Service. A confirmation message appears.
3. Click Yes. The Administration Service restarts.

Manage Device Settings

You can configure the settings for connections to your Application Portal: available ports, connection timeouts, encryption protocols, session controls, cookie persistence, and client access.

To configure device settings for the Application Portal:
1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select a tab and configure the settings:
   General
   Performance
   Cipher Suite
   Advanced
3. Click Save.

General Settings for the Application Portal

You can configure the basic settings for the Application Portal. These settings control on which interfaces, ports, and IP addresses the Application Portal is available. By default, the Application Portal listens on one IP address on the Eth0 interface.
1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select the General tab. The General Settings page appears.
3. Configure the General Settings and add additional listeners. For more information about these settings, see the subsequent sections.
4. Click Save.

General Settings
Display Name: The name used to identify this device. This is automatically set to accesspoint. You cannot change this setting.
Application Portal Host: The IP address or DNS name to which all incoming external traffic to the Application Portal is bound. This is automatically set to the IP address configured for Eth0. To change this IP address you must change the Eth0 IP address on the Network Configuration page.
Application Portal Port: The HTTPS port for incoming traffic to the Application Portal. Set to 443 by default.
Server Certificate: The server certificate that the Application Portal uses for external communication. For HTTPS connections, you must specify a server certificate.
Listen on all interfaces: Select this check box to set the device to listen on all active interfaces. If the device is in dual interface mode, select this check box to make the Application Portal available on both Eth0 and Eth1.

Manage Additional Listeners

Additional listeners are additional ports or IP addresses on which the Application Portal accepts connections. You can add, edit, and delete additional listeners. A listener with no server certificate serves plain HTTP, so anything it carries is unencrypted; add one only when you need it, and review what it exposes on each interface it listens on.

To add a listener:
1. Click Add Additional Listener. The Add Additional Listener page appears.
2. The Host is automatically set to the Eth0 IP address. You cannot change this setting on this page.
3. In the Port text box, type the port number for incoming HTTP or HTTPS traffic. Set to 80 by default.
4. From the Server Certificate drop-down list, select the certificate to use for this listener. For HTTPS connections, you must specify a server certificate.
5. From the Type drop-down list, select the type of listener to add. The default setting is Web. We recommend you use the default setting.
6. If your device is configured in Dual Interface mode, select the Listen on all interfaces check box for this listener to listen on both the Eth0 and Eth1 interfaces. If your device is configured in single interface mode, the Listen on all interfaces setting has no effect, because Eth0 is the only active interface in single interface mode.
7. Click Add. The listener appears in the Registered Additional Listeners list.

To edit an additional listener:
1. In the Registered Additional Listeners list, click a listener. The Edit Additional Listener page appears.
2. Update the settings for the additional listener.
3. Click Update.

To delete an additional listener:
1. In the Registered Additional Listeners list, select a listener. The Edit Additional Listener page appears.
2. Click Delete. A confirmation message appears.
3. Click Yes. The Manage Device Settings page appears.
4. Click Save.

Performance Settings

You can change settings that affect the performance of the Application Portal.
1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select the Performance tab. The Performance Settings page appears.
3. Configure the Performance Settings and Data Compression Settings. For more information about these settings, see the subsequent sections.
4. Click Save.

Performance Settings

Performance settings include timeout settings for idle connections. You can also limit the number of TCP connections that the operating system is able to queue, and allow the WatchGuard SSL device to cache SSL sessions for communication with internal servers.
Max Worker Threads: Set to 200 threads by default.
Connection Timeout: Set to 60 seconds by default.
UDP Tunnel Timeout: Set to 120 seconds by default.
Garbage Collection Interval: Set to 1 minute by default.
Size of Socket Listening Backlog: Set to 25 connections by default.
Max Tunnel Connections: Set to 1500 connections by default.
Cache internal SSL sessions: Enabled by default.
No delay on tunnel connections: Enabled by default.

Data Compression Settings

These settings control whether the device compresses web content before it is sent to the client.
Compress static Web files: Not enabled by default.
Compress dynamic Web files: Dynamic files are Web files on the device that contain user variables. Not enabled by default.
File types to compress: The types of files to compress. You can use the wildcard character * to compress all file types. The default setting is text/html, text/xml.
Compressing responses that mix attacker-influenced input with secrets such as session cookies or anti-CSRF tokens is the precondition for the BREACH class of attacks on HTTP compression, so leave dynamic compression disabled unless you have assessed that risk for the resources behind the portal.

Cipher Suite Settings

You can change the Application Portal settings related to encryption. When the client and server negotiate an SSL/TLS connection, they agree on a common cipher suite to use for key exchange and encryption. You can select which protocols and cipher suites the Application Portal supports.
1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select the Cipher Suites tab. The Cipher Suites page appears.
3. Configure the Protocols and Cipher Suites settings. For more information about these settings, see the subsequent sections.
4. Click Save.

Protocols

In the Protocols Supported section, select one or more protocols to enable. You can select from these protocols:
  TLS v1.0
  SSL v3.0
  SSL v2.0
TLS v1.0 and SSL v3.0 are enabled by default. Leave SSL v2.0 disabled: its handshake does not protect the cipher suite negotiation, so an attacker can downgrade the connection, and its use has been prohibited since RFC 6176. SSL v3.0 was likewise deprecated by RFC 7568 after the POODLE padding-oracle attack. On a device whose newest option is TLS v1.0, the strongest practical configuration is TLS v1.0 only, with the RC4 and MD5-based suites removed from the list that follows.
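The policy stated above, applied to the lists on this tab, as an added example that is not part of the WatchGuard documentation or product. It parses each suite name as the UI shows it (the default lists are reproduced from the Cipher Suites section that follows; the UI's AES names omit the _CBC_ of their standard IANA form, and SSL v2.0 suites use the SSL_CK_ form), derives key exchange, cipher and MAC from the name, and returns the protocol and suite selection that should remain enabled. The verdict labels and the classification rules are this example's own scheme, not anything the device exposes; the parser also handles standard IANA names the device does not offer, such as ECDHE suites, so it can be reused against other configurations.

```python
"""Classify the protocol and cipher-suite choices on the Cipher Suites tab.

Added example, not WatchGuard code. Policy applied: no SSL v2.0 or SSL v3.0,
no RC4, no MD5-based MAC, no single DES or RC2, 3DES only as a last resort.
"""
from typing import Dict, List, Tuple

# Defaults exactly as the page lists them (constructed from the text).
DEFAULT_PROTOCOLS = ["TLS v1.0", "SSL v3.0"]
DEFAULT_TLS_SUITES = [
    "TLS_RSA_WITH_AES_256_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]
DEFAULT_SSL2_SUITES = [
    "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
    "SSL_CK_RC2_128_CBC_WITH_MD5",
    "SSL_CK_RC4_128_WITH_MD5",
]


def parse_suite(name: str) -> Dict[str, str]:
    """Split TLS_<kx>_WITH_<cipher>_<mac> or SSL_CK_<cipher>_WITH_<mac> into its parts."""
    if name.startswith("SSL_CK_"):
        cipher, mac = name[len("SSL_CK_"):].split("_WITH_")
        return {"protocol": "SSL v2.0", "kx": "RSA", "cipher": cipher, "mac": mac}
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, rest = name[len("TLS_"):].split("_WITH_")
    cipher, _, mac = rest.rpartition("_")   # last token is the MAC / PRF hash
    return {"protocol": "TLS/SSLv3", "kx": kx, "cipher": cipher, "mac": mac}


def judge(name: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one suite: reject, tolerate or accept."""
    s = parse_suite(name)
    if s["protocol"] == "SSL v2.0":
        return "reject", "SSL v2.0 suite; the protocol itself is prohibited (RFC 6176)"
    if s["cipher"].startswith("RC4"):
        return "reject", "RC4 keystream biases; prohibited for TLS by RFC 7465"
    if s["cipher"].startswith("RC2") or s["cipher"] in ("DES_CBC", "DES40_CBC"):
        return "reject", "single DES or RC2: 56-bit or export-strength cipher"
    if s["mac"] == "MD5":
        return "reject", "MD5-based MAC"
    if s["cipher"].startswith("3DES"):
        return "tolerate", "64-bit block size (Sweet32); keep only for legacy clients"
    if s["kx"] == "RSA":
        return "accept", "AES; note RSA key transport gives no forward secrecy"
    return "accept", "no policy finding"


def hardened_config(protocols: List[str], tls_suites: List[str],
                    ssl2_suites: List[str]) -> Dict[str, List[str]]:
    """Apply the policy to a configuration and return what should stay enabled."""
    kept_protocols = [p for p in protocols if p not in ("SSL v2.0", "SSL v3.0")]
    kept_suites = [n for n in tls_suites if judge(n)[0] != "reject"]
    # Every SSL v2.0 suite is rejected by judge(), so this list always empties.
    kept_ssl2 = [n for n in ssl2_suites if judge(n)[0] != "reject"]
    return {"protocols": kept_protocols, "tls_suites": kept_suites, "ssl2_suites": kept_ssl2}


def findings(tls_suites: List[str], ssl2_suites: List[str]) -> List[Tuple[str, str, str]]:
    """(suite, verdict, reason) for every configured suite, for a review report."""
    return [(n, *judge(n)) for n in tls_suites + ssl2_suites]


if __name__ == "__main__":
    for suite, verdict, reason in findings(DEFAULT_TLS_SUITES, DEFAULT_SSL2_SUITES):
        print(f"{verdict:8} {suite}: {reason}")
    print(hardened_config(DEFAULT_PROTOCOLS, DEFAULT_TLS_SUITES, DEFAULT_SSL2_SUITES))
```

Run against the defaults, it keeps TLS v1.0 with the two AES suites and 3DES, and drops both RC4 suites, SSL v3.0 and everything under SSL v2.0.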
Cipher Suites

In the TLS v1.0 and SSL v3.0 Cipher Suites section, select which cipher suites to support for these protocols. By default, these cipher suites are supported (the AES names as shown in the UI omit the _CBC_ of their standard IANA names; all five use RSA key transport, so none provides forward secrecy):
  TLS_RSA_WITH_AES_256_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_AES_128_SHA
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_RC4_128_MD5
Clear the two RC4 suites: RC4 is prohibited for TLS by RFC 7465 because keystream biases allow plaintext recovery. Keep the 3DES suite only if you must support clients that cannot negotiate AES.

In the SSL v2.0 Cipher Suites section, select which cipher suites to support for this protocol. By default, these cipher suites are supported:
  SSL_CK_DES_192_EDE3_CBC_WITH_MD5
  SSL_CK_RC2_128_CBC_WITH_MD5
  SSL_CK_RC4_128_WITH_MD5
These suites are used only if SSL v2.0 is enabled under Protocols, which it should not be.

Advanced Settings

You can change advanced settings related to session control, cookie persistence, client access, and bad URIs.
1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select the Advanced tab. The advanced settings appear.
3. Configure the advanced settings. For more information about these settings, see the subsequent sections.
4. Click Save.

Session Control Settings

In the Session Control section, you can configure client session control using the WAAK (Web access authentication key) option. The WAAK is an additional random authentication key, sent as a Secure cookie alongside the session ID; a browser returns a Secure cookie only over HTTPS, never over plain HTTP. If you enable WAAK, you can also set the strength of the authentication key cookie.
Secure Web access authentication key cookie (WAAK): Select this check box to use the WAAK secure authentication cookie. This is selected by default.
Strength of WAAK: The strength of the WAAK secure authentication cookie, in bits of random data. The default value is 128 bits.
Random Value of WASID: The number of random bits in the Web Access Session ID (WASID). The WASID is a random hexadecimal value generated by the device. The default value is 64 bits. The session ID is what a client presents to claim a session, so do not lower this value.
Bind session to client IP: Select this check box to tie each client session to the source IP address from which it was established, so that requests for the session from a different source IP address are not accepted. This is not selected by default. Binding limits what an attacker can do with a stolen session cookie, but it breaks sessions for clients whose source address changes mid-session, such as mobile users or users behind a pool of NAT or proxy addresses.
Allow duplicate user name logon: Select this check box to allow multiple sessions to the Application Portal at the same time with the same user name. This is selected by default.
Duplicate user name logon reverse action: Select this check box to automatically disconnect the existing session for a user name when another session is opened to the Application Portal with the same user name. This is not selected by default.
Show shutdown message: This is not selected by default.
SSL/TLS Renegotiation: Select this option to disable SSL/TLS renegotiation. Disabling renegotiation mitigates renegotiation-based denial-of-service attacks, but can cause interoperability issues with some types of SSL/TLS connections. Enable SSL/TLS renegotiation again if problems with SSL connections occur.

Cookie Persistence Settings

Select this check box to change session cookies to persistent cookies.
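The Session Control settings above, modelled in code as an added example that is not part of the WatchGuard documentation or product. It shows what the settings mean operationally: a WASID of the configured number of random bits, a WAAK of its own strength that must accompany the WASID, the rejection of a session presented from a different source address when Bind session to client IP is on, and the three outcomes of a second logon for the same user name (refused, allowed alongside, or displacing the first). The cookie names WASID and WAAK are taken from the page; the in-memory store, the SessionControl and Portal classes and the sample addresses are this example's own assumptions.

```python
"""Session-control semantics from the Advanced tab, modelled in code.

Added example, not WatchGuard code. SessionControl mirrors the settings and
their documented defaults; Portal implements what each setting does to a
logon and to a later request.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SessionControl:
    waak_enabled: bool = True               # Secure WAAK cookie, selected by default
    waak_bits: int = 128                    # Strength of WAAK, default 128
    wasid_bits: int = 64                    # Random Value of WASID, default 64
    bind_to_client_ip: bool = False         # Bind session to client IP, default off
    allow_duplicate_logon: bool = True      # Allow duplicate user name logon, default on
    duplicate_reverse_action: bool = False  # Duplicate user name logon reverse action, default off


@dataclass
class Session:
    user: str
    client_ip: str
    waak: Optional[str]


@dataclass
class Portal:
    control: SessionControl = field(default_factory=SessionControl)
    sessions: Dict[str, Session] = field(default_factory=dict)  # keyed by WASID

    def logon(self, user: str, client_ip: str) -> Optional[Dict[str, str]]:
        """Create a session after successful authentication and return the cookies
        to set, or None when the logon is refused because the user already has one."""
        existing = [sid for sid, s in self.sessions.items() if s.user == user]
        if existing and not self.control.allow_duplicate_logon:
            return None
        if existing and self.control.duplicate_reverse_action:
            for sid in existing:                 # the new logon displaces the old session(s)
                del self.sessions[sid]
        wasid = secrets.token_hex(self.control.wasid_bits // 8)   # random hex value
        waak = secrets.token_hex(self.control.waak_bits // 8) if self.control.waak_enabled else None
        self.sessions[wasid] = Session(user, client_ip, waak)
        cookies = {"WASID": wasid}
        if waak is not None:
            cookies["WAAK"] = waak               # would carry the Secure attribute on the wire
        return cookies

    def authorise(self, cookies: Dict[str, str], client_ip: str) -> Optional[str]:
        """Return the user a request belongs to, or None if its cookies are not accepted."""
        session = self.sessions.get(cookies.get("WASID", ""))
        if session is None:
            return None
        if self.control.waak_enabled:
            presented = cookies.get("WAAK", "")
            # Constant-time comparison: the WAAK is a secret, not merely an identifier.
            if session.waak is None or not secrets.compare_digest(
                    presented.encode(), session.waak.encode()):
                return None
        if self.control.bind_to_client_ip and client_ip != session.client_ip:
            return None
        return session.user


def demo() -> Dict[str, Optional[str]]:
    """Walk the settings through their failure modes; returns what each request resolved to."""
    out: Dict[str, Optional[str]] = {}
    p = Portal(SessionControl(bind_to_client_ip=True, duplicate_reverse_action=True))
    c1 = p.logon("alice", "198.51.100.10")
    out["own_ip"] = p.authorise(c1, "198.51.100.10")
    out["ip_changed"] = p.authorise(c1, "198.51.100.11")                      # bound: refused
    out["wasid_only"] = p.authorise({"WASID": c1["WASID"]}, "198.51.100.10")  # no WAAK: refused
    c2 = p.logon("alice", "203.0.113.7")                                       # reverse action
    out["old_after_reverse"] = p.authorise(c1, "198.51.100.10")
    out["new_after_reverse"] = p.authorise(c2, "203.0.113.7")
    strict = Portal(SessionControl(allow_duplicate_logon=False))
    strict.logon("bob", "198.51.100.20")
    out["second_logon"] = "allowed" if strict.logon("bob", "198.51.100.21") else None
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:20} -> {result}")
```

With the defaults (no IP binding, duplicates allowed, no reverse action) the same cookies are accepted from any address and a second logon simply coexists with the first; the demo switches the settings on to show each refusal.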
This setting only applies to resources protected by Abolishment and to Internet Explorer users. When you select this option, abolishment behavior changes in two ways:
  The Abolishment client makes sure all persistent cookies are removed from the client.
  When an Abolish access rule is in effect, the WatchGuard SSL device transforms the session cookies to persistent cookies at runtime as soon as the client successfully authenticates.
Persistent cookies are written to disk and survive browser restarts, so the Abolishment clean-up step is what prevents the session cookie from remaining on a shared computer.

Client Access Settings

These settings control communication between the clients and the Application Portal.
Show error on SSL v2 access: Select this check box if you want to include error messages in SSL v2 communication sent to users. This is not selected by default.
Hide server header: Select this check box if you want to hide server headers from the client. This is selected by default. Leave it selected; the Server header only tells a scanner which product and version to look up.
Default authentication method: Select the default authentication method to use when a user accesses the main page of the Application Portal without the authmech parameter specified.
Bad URIs: In the Bad URIs text box you can edit the locations or files on the device that clients are not allowed to use or view by default. We recommend you do not remove any of the default items in the Bad URIs list.

Update the Device

You can use the Device Update pages to update, restore, reboot, or set the time for your WatchGuard SSL device.
1. Select Manage System > Device Update. The Update the OS page appears.
2. Configure the device:
   Update the OS
   Configure the System Time and Time Zone
   Restore Factory Default Configuration Settings
   Reinitialize the Local User Database
   Reboot the Device

Update the OS

WatchGuard provides software updates in a file that you can use to update the software on your SSL device. We recommend that you export your configuration to create a backup before you update the OS on your device. For more information about how to export your configuration, see Import or Export the Configuration. Because the update replaces the device OS, obtain update files only from WatchGuard over a trusted channel, and keep the exported configuration somewhere other than the device itself.

To update the OS for your device:
1. Select Manage System > Device Update. The Update OS page appears.
2. In the Update the OS section, click Browse to locate the software update file.
3. Click Update. The OS is updated and the device reboots. This can take several minutes.
4. After the device update is complete, log on to the WatchGuard SSL Web UI again. The System Status page appears.

Configure the System Time and Time Zone

The system date and time is used primarily in log file messages. You can set the system time manually, or enable NTP so the device automatically gets time updates from an NTP server. You can also configure the time zone for your device. Accurate time matters beyond the logs: certificate validity checks and the correlation of the device's log entries with other systems during an investigation both depend on it, so prefer NTP against a server you control.

To configure the system time settings:
1. Select Manage System > Device Update. The Update OS page appears.
2. Click System time settings. The System Time Setting page appears.
3. Select Enable NTP and configure the NTP server. Or, set the system Date and Time.
4. Click Save.

To configure the time zone:
1. Select Manage System > Device Update. The Update OS page appears.
2. Click Time zone setting. The Time zone setting page appears.
3. From the Time Zone drop-down list, select the time zone.
4. Click Save.

Restore Factory Default Configuration Settings

You can reset your WatchGuard SSL device to its factory default settings. After you reset your device, you can use the Quick Setup Wizard to build your configuration again. When you restore the factory default settings, the software version does not change, but any configuration changes you made are removed.

To restore the factory default settings:
1. Select Manage System > Device Update. The Update the OS page appears.
2. Click Restore factory defaults. The Restore factory defaults page appears.
3. Click Yes. The device reboots and the default configuration is restored. After the reboot, the default IP address of the Eth1 interface is 192.168.111.1.

Reinitialize the Local User Database

If the data in the Local User Database for your WatchGuard SSL device is corrupted, you can either restore the factory default settings for your device, or you can reinitialize the Local User Database.
If you choose to restore the factory default settings, all of your network and configuration settings are lost along with the database contents. You must run the Quick Setup Wizard to configure your WatchGuard SSL device again.
If you choose to reinitialize your Local User Database, only the data in your Local User Database tables is cleared. All of your network settings are kept. You can then restore a previous configuration to recover your Local User Database information.

To reinitialize your Local User Database:
1. Select Manage System > Device Update. The Update the OS page appears.
2. Click Reinitialize Local User Database. The Reinitialize Local User Database page appears.
3. Click Yes. The data in the tables of your Local User Database is cleared and the WatchGuard SSL device reboots. To restore a previous configuration and recover the data in your Local User Database, see Restore a Saved Configuration.

Reboot the Device

You can reboot your WatchGuard SSL device from the WatchGuard SSL Web UI.

To reboot the system:
1. Select Manage System > Device Update. The Update the OS page appears.
2. Click Reboot. The Reboot page appears.
3. Click Yes. The device reboots. This can take a few minutes to complete.
4. Log in to the WatchGuard SSL Web UI again.

Network Configuration

Configure the Network Type

You can select the network type and specify network address information for your WatchGuard SSL network. This is the same network information that you configured in the Quick Setup Wizard.
1. Select Manage System > Network Configuration. The Network Configuration page appears.
2. Select a Network Type. If you select Single Interface Mode, only Eth0 is active. If you select Dual Interface Mode, both Eth0 and Eth1 are active.
3. Configure the network settings for the selected network type. For more information, see the subsequent sections.

Network Types

You can configure the WatchGuard SSL device in one of two configuration modes:
Single Interface Mode (default): Select this mode if you want to connect the WatchGuard SSL device to one network. In single interface mode, only the Eth0 interface is active. The One Interface Architecture diagram illustrates one configuration of Single Interface Mode.
Dual Interface Mode: Select this mode if you want to connect the WatchGuard SSL device to two networks. In dual interface mode, both the Eth0 and Eth1 interfaces are active. The Two Interface Architecture diagram illustrates one configuration of Dual Interface Mode.
These network diagrams illustrate the two network configuration modes:
Configure network settings for Eth0
1. In the IP Address text box, type the IP address you want to use for Eth0.
2. In the Subnet Mask text box, type the subnet mask. For example, 255.255.255.0.
3. In the Default Gateway text box, type the IP address of the default gateway on the Eth0 network.
4. In the Primary DNS text box, type the IP address of the primary DNS server on the Eth0 network.
5. (Optional) In the Secondary DNS text box, type the IP address of a secondary DNS server.
6. In the Hostname text box, type the domain name or publicly resolvable IP address for this device.
7. (Optional) In the DNS Search Order text box, type the domain names to include in DNS name searches. The order in which you type the names specifies the search order. When you add more than one domain name, separate each name with only a space. Do not add other punctuation or separation marks. The search list is limited to six domains and a total of 256 characters.
8. Click Next. The Manage Global Tunnel Resource Settings page appears.

Configure network settings for Eth1
If you select Dual Interface Mode, you can also configure the network settings for the Eth1 interface.
1. In the IP Address text box, type the IP address you want to use for Eth1.
2. In the Subnet Mask text box, type the subnet mask. For example, 255.255.255.0.
3. Click Next. The Manage Global Tunnel Resource Settings page appears.
Manage Global Tunnel Resource Settings

On the Manage Global Tunnel Resource Settings page, you can configure connection settings for the WatchGuard SSL Access Client that apply to all your tunnel resources. Settings include the client IP address provider, DNS server, and WINS server information.
1. Configure the settings for your tunnel resources.
   Provide IP Address: You can choose to use an existing external DHCP server to assign IP addresses to Access Clients from the network, or to use IP addresses from the IP Address Pool for the Access Clients. Select an option:
     Use DHCP Server
     Use IP Address Pool
   To disable this feature, select None. If you configure resources with the Provide an IP Address option, you must specify a DHCP server or an IP address pool.
   DNS Server:
   Specify the IP address or DNS name of the DNS server used for DNS forwarding. When you enable DNS forwarding for a tunnel resource, the client's DNS server is temporarily redirected to the DNS Server you specify. Local lookups take precedence, and can override any external DNS. The Require Authentication for DNS Forwarder check box is selected by default. We recommend that you do not change the default setting unless you add tunnel resources that you make available to all users in your Application Portal. For more information about how to make a tunnel resource available to all users, see the Advanced Settings section of the topic, About Resource Settings on page 122.
   WINS Server: Specify the IP address or name of the WINS server used for WINS forwarding. When you enable WINS forwarding for a tunnel resource, the client's WINS server is temporarily redirected to the WINS server you specify. Local lookups take precedence, and can override any external WINS. The Require Authentication for WINS Forwarder check box is selected by default. We recommend that you do not change the default setting unless you add tunnel resources that you make available to all users in your Application Portal. For more information about how to make a tunnel resource available to all users, see the Advanced Settings section of the topic, About Resource Settings on page 122.
   Clearing either Require Authentication check box lets clients that have not authenticated use the device as a forwarder into your internal name space, so leave both selected unless an all-users tunnel resource requires otherwise.
2. Click Next. The Manage Administration Service page appears.

Configure Administration Service External Communication Settings

On the Manage Administration Service page, you configure settings for communication between the WatchGuard SSL Web UI and the administrator's browser.
1. Configure these settings for external communication:
   Administrator Host: Select which interface to use when you connect to the WatchGuard SSL Web UI to manage the device. If your device is in single interface mode, this is always set to Eth0. If your device is in dual interface mode, you can select Eth0 or Eth1. In dual interface mode, this is set to Eth1 by default.
   Administrator HTTP Port: The HTTP port to use when you connect to the WatchGuard SSL Web UI to manage the device. This is set to 80 by default.
   Administrator HTTPS Port: The HTTPS port to use when you connect to the WatchGuard SSL Web UI to manage the device. This is set to 8443 by default.
   Server Certificate: The server certificate the Administration Service uses in HTTPS communication. You add the server certificate on the Certificates page. For more information, see Add a Server Certificate.
2. Click Next. The Network Completed page appears.

Confirm Network Configuration Settings

After you specify all the network settings, the Network Completed page shows a summary of your selected configuration settings.
Click Confirm to confirm these settings. The network configuration settings are saved.
Configure Network Routes
You can add a static route for each network or host that the WatchGuard SSL device must reach through a gateway other than its default gateway. This is particularly important if you configure your WatchGuard SSL device in Dual Interface mode, because resources can be on a different network than the client. If no static route matches a destination, packets are sent to the default gateway for the device.
After you create a route, you cannot edit it. If you want to change a route, you must delete the route you want to change and add a new route.
To add a network route:
1. Select Manage System > Network Configuration.
The Network Configuration page appears.
2. Click Route Configuration.
The Route Configuration page appears with a list of all the current network routes.
3. To add a route, click Add New Route.
The Add Route page appears.
4. In the Destination IP Address text box, type the network or host address for this route.
5. In the Subnet Mask text box, type the subnet mask for this route. For example, 255.255.255.0 for a whole network, or 255.255.255.255 for a single host.
6. In the Gateway text box, type the IP address of the gateway. The gateway must be on a network that is directly connected to one of the device interfaces.
7. Click Save.
The network route you added appears in the table on the Route Configuration page.
To delete a network route:
1. On the Route Configuration page, select the Delete check box for each network route you want to delete.
2. Click Delete.
The route is deleted.
Restore a Saved Configuration
Each time you publish a configuration update to the device, a copy of that configuration is saved on the device. You can set the maximum number of configurations to save, and you can restore saved configurations. With WatchGuard SSL Web UI, you can:
Restore the most recent configuration (remove all unpublished changes)
Restore an older saved configuration
Add a description of the changes in a saved configuration
Delete a saved configuration
Lock and unlock a saved configuration
Manage saved configuration settings
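Returning to Configure Network Routes above: the rules the Add Route page relies on (the destination must be a network address for the mask, the gateway must be on a directly connected network, and unmatched destinations fall back to the default gateway) are easy to get wrong in Dual Interface mode. The following is an added example written for this guide, not WatchGuard code, that models the lookup in Python. The Eth0 and Eth1 addresses, the internal router at 10.0.1.1 and the destinations are constructed for the example.

```python
"""Static route lookup as described in Configure Network Routes.

Added example for this guide; it is not WatchGuard code. The interface
addresses, route and destinations below are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network
IPv4Interface = ipaddress.IPv4Interface


@dataclass(frozen=True)
class Route:
    network: IPv4Network   # Destination IP Address + Subnet Mask from the Add Route page
    gateway: IPv4Address   # Gateway from the Add Route page


@dataclass
class RouteTable:
    interfaces: dict[str, IPv4Interface]   # "Eth0"/"Eth1" with the device's own addresses
    default_gateway: IPv4Address
    routes: list[Route] = field(default_factory=list)

    def add_route(self, destination: str, subnet_mask: str, gateway: str) -> Route:
        """Validate a route the way an administrator should before clicking Save."""
        dest = IPv4Address(destination)
        gw = IPv4Address(gateway)
        network = IPv4Network((dest, subnet_mask), strict=False)
        if network.network_address != dest:
            # e.g. 10.0.3.5 with 255.255.255.0 is a host inside 10.0.3.0/24, not a network
            raise ValueError(f"{destination}/{subnet_mask}: destination is not the network address "
                             f"({network.network_address})")
        if self.interface_for(gw) is None:
            # The device can only hand packets to a gateway it shares a link with
            raise ValueError(f"gateway {gateway} is not on a directly connected network")
        route = Route(network, gw)
        self.routes.append(route)
        return route

    def interface_for(self, address: IPv4Address) -> str | None:
        """Name of the interface whose network contains address, or None."""
        for name, iface in self.interfaces.items():
            if address in iface.network:
                return name
        return None

    def next_hop(self, destination: str) -> tuple[str, IPv4Address]:
        """Return (interface, next hop) for a destination.

        Directly connected destinations need no gateway, a static route wins by
        longest prefix, and anything else goes to the default gateway.
        """
        dest = IPv4Address(destination)
        direct = self.interface_for(dest)
        if direct is not None:
            return direct, dest
        best: Route | None = None
        for route in self.routes:
            if dest in route.network and (best is None or route.network.prefixlen > best.network.prefixlen):
                best = route
        gateway = best.gateway if best is not None else self.default_gateway
        iface = self.interface_for(gateway)
        if iface is None:
            raise ValueError(f"gateway {gateway} is not reachable on any interface")
        return iface, gateway


def example_table() -> RouteTable:
    """Dual Interface mode: Eth0 faces the clients, Eth1 faces the resource networks (constructed)."""
    table = RouteTable(
        interfaces={
            "Eth0": IPv4Interface("203.0.113.10/24"),
            "Eth1": IPv4Interface("10.0.1.10/24"),
        },
        default_gateway=IPv4Address("203.0.113.1"),
    )
    # Resources on 10.0.2.0/24 sit behind a hypothetical internal router at 10.0.1.1
    table.add_route("10.0.2.0", "255.255.255.0", "10.0.1.1")
    return table


if __name__ == "__main__":
    t = example_table()
    for target in ("10.0.1.50", "10.0.2.25", "198.51.100.7"):
        print(target, "->", t.next_hop(target))
```

Without the 10.0.2.0/24 route, a packet for a resource on that network would leave through Eth0 towards the default gateway and never reach the resource, which is the failure the section warns about for Dual Interface mode.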
Restore the Current Configuration
To remove any unpublished changes to your configuration, you can restore the current published configuration.
1. Select Manage System > Restore Configuration.
The Restore Configuration page appears.
2. In the current published configuration section, click Restore.
The current published configuration is restored and the System Status page appears.
Restore a Saved Configuration
To revert to a previous configuration, you can restore a configuration saved on your device.
1. Select Manage System > Restore Configuration.
The Restore Configuration page appears.
2. In the saved configurations section, in the Restore column, click Restore for the configuration you want to restore.
The saved configuration is restored and the System Status page appears.
Add a Description to a Saved Configuration
To help you identify a saved configuration, you can add a description to it.
1. Select Manage System > Restore Configuration.
The Restore Configuration page appears.
2. In the Descriptions column, click Add description for the configuration you want to describe.
The Add/Modify Description page appears.
3. In the Description text box, type the description of this saved configuration.
4. Click Save.
The description appears in the Description column for the configuration you selected.
Delete a Saved Configuration
To make space for a new configuration file, you can delete a saved configuration.
1. Select Manage System > Restore Configuration.
The Restore Configuration page appears.
2. In the saved configurations section, select the check box for each saved configuration to delete.
3. Click Delete.
The selected configurations are deleted.
Lock or Unlock a Saved Configuration
Each time you publish a change to your SSL device configuration, a backup copy of your previous configuration is automatically created. On the Manage Saved Configuration Settings page, you can set the maximum number of saved configuration files to store. If you have a configuration file that you want to protect from deletion when this maximum is reached, you can lock that configuration file. A locked configuration file is never deleted automatically. You must always leave at least one configuration file unlocked, so that the device can delete an old file when the maximum number of saved files is reached.
1. Select Manage System > Restore Configuration.
The Restore Configuration page appears.
2. Below the saved configurations section, select the check box for each saved configuration file you want to lock or unlock.
3. Click Lock/Unlock.
The selected configurations are locked or unlocked.
Manage Saved Configuration Settings
You can set the maximum number of configurations to save on your device. When the number of saved configurations reaches the selected limit, the next time a configuration is saved, the system deletes the oldest unlocked saved configuration and saves the new one. You can also set the number of configurations to appear on each page.
1. Select Manage System > Restore Configuration.
The Restore Configuration page appears.
2. Click Manage Settings.
The Manage Published Configurations page appears.
3. In the Maximum Saved text box, set the maximum number of published configurations you want to keep.
4. In the Configurations per Page text box, set the number of configuration files to appear on each page.
5. Click Save.
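The two sections above describe a rotation rule with one edge case: when the saved copies reach the Maximum Saved limit, the oldest unlocked copy is deleted, so at least one copy must stay unlocked or nothing can be aged out. The following is an added example for this guide, not WatchGuard code, that models that rule in Python so the behaviour at the limit can be checked. Sequence numbers and descriptions are constructed.

```python
"""Rotation of saved configurations with locking, as described in Lock or
Unlock a Saved Configuration and Manage Saved Configuration Settings.

Added example for this guide, not WatchGuard code; sequence numbers and
descriptions are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SavedConfig:
    seq: int                  # publish order; a lower number is an older configuration
    description: str = ""
    locked: bool = False


@dataclass
class ConfigHistory:
    maximum_saved: int        # the Maximum Saved setting
    saved: list[SavedConfig] = field(default_factory=list)
    next_seq: int = 1         # monotonic, so a deleted copy's number is never reused

    def unlocked(self) -> list[SavedConfig]:
        return [c for c in self.saved if not c.locked]

    def find(self, seq: int) -> SavedConfig:
        for c in self.saved:
            if c.seq == seq:
                return c
        raise KeyError(f"no saved configuration {seq}")

    def lock(self, seq: int) -> None:
        """Lock a copy so rotation never deletes it, while keeping one copy unlocked."""
        target = self.find(seq)
        if not target.locked and len(self.unlocked()) == 1:
            # The guide requires at least one unlocked file so rotation can still work
            raise ValueError("at least one saved configuration must stay unlocked")
        target.locked = True

    def unlock(self, seq: int) -> None:
        self.find(seq).locked = False

    def publish(self, description: str = "") -> SavedConfig:
        """Save a copy of the configuration, aging out the oldest unlocked copy at the limit."""
        if len(self.saved) >= self.maximum_saved:
            candidates = self.unlocked()
            if not candidates:
                # Unreachable through lock(), kept as a guard against edits of the list itself
                raise RuntimeError("every saved configuration is locked; unlock one first")
            self.saved.remove(min(candidates, key=lambda c: c.seq))
        cfg = SavedConfig(self.next_seq, description)
        self.next_seq += 1
        self.saved.append(cfg)
        return cfg

    def sequence(self) -> list[int]:
        return [c.seq for c in self.saved]


if __name__ == "__main__":
    h = ConfigHistory(maximum_saved=3)
    for i in range(4):
        h.publish(f"change {i}")
    h.lock(2)
    h.publish("change 4")
    print(h.sequence())
```

Locking the known-good configuration before a risky publish is the practical use: the copy survives any number of later publishes, and the unlocked copies rotate around it.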
Import or Export the Configuration
You can export the configuration data from your WatchGuard SSL device to a configuration file that you save in an external location. You can also import configuration data from a saved configuration file to your device. The exported file contains your device configuration, so store it where only administrators can read it.
If you have a WatchGuard SSL v2.x device, you can also export the configuration from that device. To export from a WatchGuard SSL v2.x system, you must connect to the v3.x Web UI from the computer that runs the v2.x Administration Service. You can import a saved v3.x or v2.x configuration file to your WatchGuard SSL v3.x device.
To export a configuration:
1. Select Manage System > Import/Export Configuration.
The Configuration Import/Export page appears.
2. Click Export 3.x Configuration or Export 2.x Configuration.
The Download Exported Configuration File page appears.
3. Click the Download link.
The configuration files are exported to a zip file.
4. Select Save File.
5. Click OK.
6. Save the file in a location where you can get access to it later, to import it.
7. Click Save.
To import a configuration:
1. Select Manage System > Import/Export Configuration.
The Configuration Import/Export page appears.
2. In the Import Configuration section, click Browse to select a configuration file to import.
3. Click Import Configuration.
The configuration is imported and your WatchGuard SSL device reboots. This can take several minutes.
4. After the device reboots, log in to the WatchGuard SSL Web UI again.
Configure Active Directory Authentication on your SSL Device
You can use your existing Active Directory (AD) server to authenticate users to your WatchGuard SSL Application Portal. Before you configure your SSL device, you must first make sure that LDAP over SSL (also known as LDAPS or LDAP over TLS) is enabled on your Active Directory server. This service is not enabled by default, even if Certificate Services is installed on your Active Directory server. To enable LDAP over SSL, use one of these two methods:
Instructions from Microsoft: http://support.microsoft.com/kb/321051
Instructions in the next section, which use the Certificate Services web enrollment form instead of command line tools.
We recommend that you use only one of these two methods. If you mix both procedures, the process can become complicated and prone to failure.
For the next procedure, Active Directory is installed on a Windows Server 2003 computer; the server name is 2003ADsrv, and the domain name is ADexample.com.
Before You Begin
Make sure your server has these applications and tools configured, with the services started:
ldp.exe
The Microsoft Support Tools utility for LDAP configuration. This tool is used to connect to Active Directory and verify that the LDAPS protocol is running correctly.
Internet Information Services (IIS)
IIS must be installed and the service must be started.
Certificate Services
Certificate Services must be installed and started on the AD server. This component is not installed by default, but it is a common component that is frequently added to AD servers.
After you have verified that the correct applications and tools are configured, you export the CA certificate from your Windows Certificate Server.
Verify the Status of IIS
IIS must be installed and started correctly before you enable LDAP over SSL. If it is not, when you open the certsrv web page in the procedure to enable LDAP over SSL, you receive a 404 error message.
1. Select Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.
2. Expand your server entry in the list.
3. Select Web Sites.
4. For Default Web Site, verify that the State is Running.
Install Certificate Services on Your AD Server
If Certificate Services is already installed on your AD server, you can continue to the next procedure. Make sure that both the Certificate Services CA and Certificate Services Web Enrollment Support options are enabled.
When you enable Certificate Services, you can select to use either an Enterprise root CA or a Stand-alone root CA. We recommend you choose a Stand-alone root CA, which is simpler to use and acceptable for most use cases.
From your Windows 2003 AD Server computer:
1. Select Start > Control Panel > Add or Remove Programs.
The Add or Remove Programs dialog box appears.
2. Select Add/Remove Windows Components.
The Windows Components Wizard dialog box appears.
3. In the Components list, select the Certificate Services check box.
A notification message appears.
4. Click Yes and continue.
5. Click Details.
The Certificate Services dialog box appears.
6. Select the Certificate Services CA and Certificate Services Web Enrollment Support check boxes.
7. Click OK.
The Certificate Services dialog box closes and the Windows Components Wizard dialog box appears.
8. Click Next.
The CA Type page appears.
9. Select Stand-alone root CA. Click Next.
10. Complete the wizard and finish the Certificate Services installation.
Export the CA Certificate from Your Windows Certificate Server
From your Windows 2003 AD Server computer:
1. Select Start > Programs > Administrative Tools > Certification Authority.
The Certification Authority dialog box appears.
2. Right-click the name of your Certificate Authority. Select Properties.
3. On the General tab, click View Certificate.
The Certificate dialog box appears.
4. Select the Details tab.
5. Click Copy to File.
The Certificate Export Wizard appears.
6. Click Next.
The Export File Format page appears.
7. Select the Base-64 encoded X.509 (.CER) file format. Click Next.
The File to Export page appears.
8. To save the certificate file to the default location, in the File Name text box, type a name for the certificate. To select a different location to save the file, click Browse. Select the location and type a file name for the certificate. For example, cacert.cer.
9. Click Next.
The Completing the Certificate Export Wizard page appears.
10. Review the certificate information. Click Finish.
Enable your AD Server for LDAP over SSL
To enable your AD server to use LDAP over SSL, you request a server certificate from the Certificate Authority and use the Certificate Services web enrollment pages to import it. The domain controller uses a certificate from its local computer store that has the Server Authentication purpose and a subject that matches its fully qualified domain name, which is why the request in the next procedure must use exactly those values.
Request a Certificate from the CA
From your Windows 2003 AD Server computer:
1. Open Internet Explorer and go to http://<servername>/certsrv. Replace <servername> in the web address with the host name or IP address of your AD server. For this example, type http://2003adsrv/certsrv.
If a certificate warning appears, add the URL to the list of trusted sites in Internet Explorer: select Tools > Internet Options, select the Security tab, and add the site.
2. Click Request a Certificate.
The Request a Certificate page appears.
3. Click Submit an advanced certificate request.
The Advanced Certificate Request page appears.
4. Click Create and submit a request to this CA.
5. In the Name text box, type the fully qualified domain name of your server. Make sure the name is correct and in FQDN format. For this example, type 2003ADsrv.ADexample.com.
6. In the Type of Certificate Needed drop-down list, select Server Authentication Certificate.
7. Configure Key Options:
a. Select Create new key set.
b. From the CSP drop-down list, select Microsoft RSA SChannel Cryptographic Provider.
c. Set the Key Usage to Exchange.
d. In the Key Size text box, type 1024.
e. Select Automatic key container name.
f. Select the Mark keys as exportable check box.
g. Make sure the Enable strong private key protection check box is not selected.
h. Select the Store certificate in the local computer certificate store check box.
8. Configure Additional Options:
a. Set the Request Format to PKCS10.
b. From the Hash Algorithm drop-down list, select SHA-1.
c. Clear the Save request to a file check box. If you select this check box, you must manually submit the request and manually import the certificate to your server. When you do not select this option, the request is submitted automatically and the certificate is automatically imported to your server.
Note A 1024-bit RSA key and a SHA-1 signature are the values this procedure was written for, but both are now considered weak. If your CA and your SSL device both accept them, use a 2048-bit key and SHA-256 instead.
9. Click Submit.
The certificate request is submitted.
Issue the Certificate
After you have requested the certificate from the CA, you must issue the certificate before you can import it.
From your Windows 2003 AD Server computer:
1. Select Start > Programs > Administrative Tools > Certification Authority.
2. Expand the Certification Authority list.
3. Select the Pending Requests folder.
4. Select the pending request for the certificate you want to issue.
5. Right-click the request and select All Tasks > Issue.
The CA issues the certificate.
Import the Certificate
After the CA has issued the certificate, you can import it to the server certificate store. These instructions use the Internet Explorer web browser. If you use a different web browser, the instructions might be different.
From your Windows 2003 AD Server computer:
1. Open Internet Explorer and go to http://<servername>/certsrv. Replace <servername> in the web address with the host name of your AD server. For this example, type http://2003adsrv/certsrv.
2. Click View the status of a pending certificate request.
The View the Status of a Pending Certificate Request page appears.
3. Select the certificate you want to import.
4. Follow the instructions to import the certificate.
5. Reboot your Windows 2003 AD Server computer.
Test the LDAP over TLS Connection
To test whether LDAP over TLS works correctly, use the ldp.exe tool.
1. Open a command prompt and type ldp.
The LDP application appears.
2. Select Connection > Connect.
The Connect dialog box appears.
3. In the Server text box, type the name of your AD server. For this example, type 2003ADsrv.
4. In the Port text box, type 636.
5. Select the SSL check box.
6. Click OK.
A list of attributes appears, which indicates a successful connection. Some errors can also appear, but they are not fatal and do not indicate a problem with the connection. If a connection error appears, there is an incorrect setting in the configuration. Review your configuration against the steps in the previous procedure to correct any errors.
ldp.exe trusts the server certificate because the issuing CA is in the Windows certificate store of the server you run it on. The SSL device trusts it only after you import the CA certificate, as described in the next section.
For the Active Directory authentication method to work correctly, LDAP over SSL must also work correctly.
Verify the HTTP SSL Properties
The last step to configure LDAP over TLS for your AD server is to make sure the HTTP SSL service is running correctly.
From your Windows 2003 AD Server computer:
1. Select Start > Administrative Tools > Services.
The Services tool appears.
2. In the Services list, find the HTTP SSL service.
3. Right-click HTTP SSL and select Properties.
The HTTP SSL Properties dialog box appears.
4. Make sure the General tab is selected.
5. From the Startup type drop-down list, select Automatic. This makes sure the HTTP SSL service starts automatically when the server is rebooted.
6. Click OK.
Configure Active Directory Authentication on your SSL device
Now that you have issued the server certificate from your CA, enabled LDAP over SSL on your AD server, and exported the CA certificate, you can add the CA certificate to your SSL device and configure your SSL device to use Active Directory authentication.
Add a Certificate Authority to Your SSL Device
If you did not import the CA certificate when you ran the Setup Wizard, you must import it now to configure Active Directory authentication. This is the cacert.cer file you exported earlier; it is what lets the SSL device verify the certificate your AD server presents on port 636.
1. Connect to the WatchGuard SSL Web UI for your device.
2. Select Manage System > Certificates.
The Manage Certificates page appears.
3. In the Certificate Authorities section, click Add Certificate Authority.
The Add Certificate Authority page appears.
4. Make sure the Enable Certificate Authority check box is selected.
5. In the Display Name text box, type a name for the CA certificate. This is the name that appears on the Manage Certificates page in the Registered Certificate Authorities list.
6. Click Browse and select the CA certificate.
7. In the Revocation Control section, select No certificate revocation checking should be performed. This is acceptable for a private stand-alone root CA whose only purpose is to issue the AD server certificate. If the CA publishes a CRL that the SSL device can reach, enable revocation checking instead.
8. Click Finish Wizard.
The certificate name appears in the Registered Certificate Authorities list.
Enable SSL for Active Directory Authentication Services
After you add the CA certificate to your device, you add the Active Directory authentication method to your configuration to make a connection between your SSL device and your AD server.
1. Select Manage System > Authentication.
The Registered Authentication Methods page appears.
2. Click Add Authentication Method.
The Add Authentication Method page appears.
3. Select Active Directory. Click Next.
4. Make sure the Enable authentication method check box is selected.
5. In the Display Name text box, type a name for this Active Directory authentication method. This is the name that appears in the Registered Authentication Methods list.
6. To select a different template for this method, in the Template Name text box, type the name of the template you want to use. We recommend you use the default template.
7. To select the AD server to use for authentication, click Add Authentication Method Server.
The Add Authentication Method Server page appears.
8. In the Host text box, type the IP address or DNS name of your AD server.
9. To use a port other than the default port, in the Port text box, type a new value. We recommend you keep the default value, 636.
10. To use a timeout value other than the default setting, in the Timeout text box, type a new value. This is the amount of time the client waits for a response from the AD server before it tries to connect with another authentication method.
11. In the Account text box, type the user name for the account the SSL device uses to connect to the AD server. The device uses this account to bind to the directory and look up users and groups, so a dedicated account with read access to the directory is sufficient and is preferable to a domain administrator account. The name can be a Distinguished Name or a Principal Name. Make sure you use the correct user name form. For example:
username@my.example.com
my.example\username
CN=username,OU=my,OU=example,OU=com
12. In the Password text box, type the password for that account.
13. In the Root DN text box, type the Root DN of the part of the directory where user accounts are stored. Make sure you use the correct Root DN form. For example, dc=exampleadserver,dc=com
14. Click Next.
The Authentication Method Server appears in the Registered Authentication Method Servers list.
15. Click Next.
The Extended Properties page appears with a default list of Registered Extended Properties. Extended properties are actions that occur when your users authenticate with this method.
16. Make any changes to the Registered Extended Properties list for this authentication method.
17. Click Finish Wizard.
The Active Directory authentication method appears in the Registered Authentication Methods list.
Verify your SSL Device is Connected to Your AD Server
Before you can verify the connection between your AD server and your SSL device, you must first add the AD server to your SSL device as an External Directory Service location.
To add an External Directory Service location:
1. Select User Management > External Directory Service.
The Manage External Directory Service page appears.
2. Click Add External Directory Service Location.
The Add External Directory Service Location page appears.
3. Select Microsoft Active Directory. Click Next.
The Add External Directory Service Location page appears.
4. Configure the settings for this External Directory Service location. Make sure the settings match those you configured for your AD server authentication method.
5. Click Next.
The Add External Directory Service Location page appears.
6. To add search rules for your users, click Add User Search Rule.
The Add User Search Rule page appears.
7. Configure the search rule. Click Next.
The External Directory Service Location Search Rules page appears.
8. To add search rules for your user groups, click Add User Group Search Rule.
The Add User Group Search Rule page appears.
9. Configure the search rule. Click Next.
The External Directory Service Location Search Rules page appears.
10. To verify that the connection to your External Directory Service is active, click Test Connection.
11. Click Finish Wizard.
The directory service is added and appears in the Registered External Directory Service Location list.
After your AD server is added as an External Directory Service location, you can test the connection between the AD server and the SSL device at any time.
1. Select User Management > External Directory Service.
The Manage External Directory Service page appears.
2. In the Registered External Directory Service Locations list, select your AD server.
The Edit External Directory Service Location page appears.
3. Select the Search Rules tab.
4. Click Test Connection to the External Directory Service Location.
The SSL device tries to contact the AD server. If your configuration is correct, a "Connection test ran successfully" message appears. If the connection test fails, review the settings for your AD server External Directory Service Location and correct any errors in the configuration.
Send One-Time Passwords (OTPs) to Users
You can configure the WatchGuard SSL device to send Mobile Text OTPs (one-time passwords) directly to your users in email messages. When you send OTPs with this method, no client software is required. Because the OTP is delivered to the user's mailbox, the strength of this method depends on how well that mailbox is protected.
Configure the SMS Channel to Send Email
If you have an available SMS gateway, you can use the WatchGuard SSL Mobile Text authentication method to give your users one-time passwords (OTPs) through SMS. If you do not have an SMS gateway, you can configure the SMS channel to send OTPs through email instead.
1. Select Manage System.
The Registered Authentication Methods page appears.
2. Select Notification Settings.
The Manage Notification Settings page appears.
3. Select the SMS Channel tab.
4. Click Add SMS Channel.
The Add SMS Channel page appears.
5. In the Display Name text box, type a name for the SMS channel.
6. From the Plug-in drop-down list, select SMTP Plugin (1.0).
7. Click Next.
8. Select the Connection tab.
9. In the Host Address text box, type the IP address or host name of your email server.
10. Select the Message tab.
11. In the To text box, the default value is [$user-mail-address]. We recommend you do not change this value.
12. In the From text box, type a sender address that your SMTP server accepts.
13. Click Finish Wizard.
The Manage Notification Settings page appears.
14. Click Save.
Configure SMS Settings for Each User Account
1. Select User Management.
2. In the Search by User ID text box, type the User ID, and select the type of account to search for from the drop-down list. To search for all available accounts, type the * wildcard character.
3. Click Search.
The user accounts appear in the Search Results list.
4. Select the User ID to configure.
The Edit User Account General Settings page appears.
5. In the SMS text box, type the email address of the user.
6. Click Save.
Change the Directory Mapping Attribute for Notification SMS
1. Select User Management > External Directory Service.
The Manage External Directory Service page appears.
2. In the Registered External Directory Service Locations list, select the Display Name of the directory service to use.
The Edit External Directory Service Location page appears.
3. Select the Directory Mapping tab.
4. In the Notification SMS text box, delete the default value mobile and type mail. This maps the SMS notification channel to the mail attribute of the directory user, so the OTP is sent to the email address stored in the user's AD account.
5. Click Save.
6. Click Publish to update your configuration with these changes.
Enable Mobile Text Authentication for All Users
This is a global process that applies to all user accounts. If you want to configure Mobile Text for each individual user account manually, do not use this process; edit each user account separately instead.
1. Select User Management > User Accounts.
The Manage All User Accounts page appears.
2. Select Global User Account Settings.
The Global User Account Settings page appears.
3. Select the User Linking tab.
4. Select the Enable WatchGuard SSL Mobile Text check box.
Additional settings for the WatchGuard SSL Mobile Text method appear.
5. Clear the Generate password check box.
6. Select the Use password from External Directory Service check box.
7. Click Save.
8. Click Publish to update your configuration with this change.
Use the OTP to Authenticate
1. Connect to the Application Portal.
2. Select the WatchGuard SSL Mobile Text authentication method.
3. Type your user name and password.
The WatchGuard SSL device sends the OTP to your email address.
4. Find the OTP message in your email.
5. Type the OTP in your browser when prompted.
6. Click Submit.
The WatchGuard SSL Application Portal appears.
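The Mobile Text procedure above shows the user's side of an OTP exchange: password first, then a code delivered out of band, typed once. What the server must guarantee for that code (fresh, short-lived, single use, limited guesses, never stored in clear) is not described on this page, so the following is an added example written for this guide and not WatchGuard code. The six-digit format, the five-minute lifetime, the three-attempt limit and the keyed hash of stored codes are choices made here, and the delivery function stands in for the SMTP plugin configured in Configure the SMS Channel to Send Email.

```python
"""One-time password issue and verification, modelled on the Mobile Text
method in Send One-Time Passwords (OTPs) to Users.

Added example for this guide, not WatchGuard code: the code length, the
lifetime, the attempt limit and the hashed storage are choices made here;
the guide does not document how the device handles them.
"""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class PendingOtp:
    code_hash: bytes      # only an HMAC of the code is kept server-side
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issues one code per user over a delivery channel and accepts it exactly once."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: dict[str, PendingOtp] = {}
        self._key = secrets.token_bytes(32)   # keyed hash: a copied store does not reveal live codes

    def _digest(self, user_id: str, code: str) -> bytes:
        return hmac.new(self._key, f"{user_id}:{code}".encode(), "sha256").digest()

    def issue(self, user_id: str, send: Callable[[str, str], None]) -> None:
        """Generate a fresh code, remember only its hash, and hand the clear code to the channel."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = PendingOtp(self._digest(user_id, code), self._clock() + OTP_TTL_SECONDS)
        send(user_id, code)   # here the SMTP plugin would mail [$user-mail-address]

    def verify(self, user_id: str, code: str) -> bool:
        """True exactly once, for the right code, inside its lifetime and attempt budget."""
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if self._clock() > pending.expires_at or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]    # expired or guessed at too often: a new code is required
            return False
        if hmac.compare_digest(pending.code_hash, self._digest(user_id, code)):
            del self._pending[user_id]    # single use
            return True
        pending.attempts += 1
        return False


if __name__ == "__main__":
    outbox: list[tuple[str, str]] = []
    service = OtpService()
    service.issue("alice", lambda user, code: outbox.append((user, code)))
    delivered = outbox[-1][1]
    print("delivered", delivered, "accepted:", service.verify("alice", delivered))
    print("replayed accepted:", service.verify("alice", delivered))
```

The attempt counter matters because a six-digit code has only a million values: without it, and with a five-minute window, an attacker who can submit codes quickly has a realistic chance of guessing one. The constant-time comparison and the keyed hash are the other two properties a reviewer should look for in any OTP verifier.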
7 About the Access Client
The WatchGuard SSL Access Client enables you to securely connect to tunnel resources in the WatchGuard SSL Application Portal. There are two versions of the Access Client: a Windows executable client and a Java client.
Windows computers almost always use the Windows executable version of the Access Client. The Windows executable Access Client installs a Windows network driver, which allows the Access Client to connect to dynamic tunnels.
The Java client is another version of the Access Client, and uses a Java Applet loader to run in a web browser on any operating system, such as Mac or Linux. The Java Access Client can only connect to static tunnels. To launch the Java Access Client, the user's computer calls a Java Applet loader from the SSL device that launches the Java client. The Java Applet stays active for the duration of the VPN session.
There are two types of the Windows executable version of the Access Client:
On-demand Access Client
When a user authenticates to the Application Portal and selects a resource other than a Web resource, the on-demand Access Client launches to load the tunnel. When the session ends, the on-demand Access Client closes. The client software is not installed on the user's computer.
Installed Access Client
You can also select to install the Access Client on the user's computer. The installed Access Client is available when the user is not authenticated to the Application Portal. You can configure the installed Access Client to automatically start when Windows starts and to automatically connect to resources. For information about how to install the Access Client, see Install the Access Client on page 428.
For your users to be able to load and use resources based on dynamic tunnels, the Access Client must be installed by someone who has administrative privileges. After the Access Client is installed, anyone with standard user privileges can run the Access Client, through the use of a component called the Helper Service that is automatically installed with the client. This service runs with administrative privileges to give standard (non-admin) users the ability to do operations that require admin privileges. Some operations, such as client software upgrades, can be more difficult to do with the Helper Service. See Set up the Access Client for a Standard User for more information.
For information about how to configure the Access Client, see About the Access Client Menu on page 433.
Install the Access Client
Use this procedure to install the Windows executable version of the Access Client on your Windows computer.
Note A user with administrative rights on your computer must install the Access Client software. This is usually the system or network administrator. After the Access Client is installed, administrative privileges are no longer necessary.
Before You Begin
1. Get the Access Client installer (AccessClientInstall.exe) from your network administrator.
2. On the computer where you want to install the Access Client, connect to the WatchGuard SSL Application Portal and open a tunnel resource. This launches the on-demand version of the Access Client and automatically captures some of the configuration information needed for the installation.
Run the Installer
1. Run AccessClientInstall.exe.
A security warning appears. You can safely ignore this warning, provided you obtained the installer from your network administrator or from the WatchGuard web site.
2. To continue the installation, click Run.
3. On the License Agreement page, review and accept the License Agreement.
4. On the Select Destination Location page, select a location to install the Access Client. The default location is C:\Program Files\WatchGuard\SSL\Access Client.
5. On the last page of the installation wizard, click Finish.
The Access Client is now available in the Windows Start menu.
Launch the Installed Access Client
Select Start > All Programs > WatchGuard SSL > Access Client > WatchGuard Access Client.
After You Install
After you install, verify that the server address is correct in the Access Client Preferences dialog box. If you did not connect to a tunnel resource in the Application Portal at least once before you installed the Access Client, you must manually add the address of your Application Portal.
1. Click the Access Client icon.
The Access Client menu appears.
2. Select Preferences.
The Access Client Preferences dialog box appears.
3. If the Update server text box includes an address, we recommend you do not change this setting. This is the URL of the WatchGuard SSL device that hosts the client updates, and it is set automatically the first time the Access Client connects to a resource. If the Update server text box is empty, type the URL or IP address of the WatchGuard SSL Application Portal. Do not include https:// in the address. Enter only the address of your own WatchGuard SSL device, because the client downloads its software updates from this address.
4. Click OK.
Connect to the Application Portal
To start a resource, authenticate to the Application Portal with a web browser and select a resource. If you want the Access Client to automatically connect to certain resources, you can configure favorites in the Access Client, as described in Manage Access Client Favorites.
Uninstall the Access Client
Before you uninstall the Access Client, we recommend that you first delete any favorites. When you uninstall the Access Client, the favorites you have configured are not automatically removed.
To delete your resource favorites:
1. Click the Access Client icon.
The Access Client menu appears.
2. Select Favorites > Manage.
3. Click each favorite to select it and click Delete.
Note If you do not remove the favorites before you uninstall, the old favorites are still available in the Access Client favorites list when you reinstall the Access Client, or if you use the on-demand Access Client.
To uninstall the Access Client:
1. Open the Windows Control Panel.
2. Select Add or Remove Programs.
3. Click the WatchGuard Access Client program.
4. Click Remove.

Set up the Access Client for a Standard User

The WatchGuard SSL Access Client is the client application that allows a user to connect to tunnel resources published on any WatchGuard SSL VPN Application Portal. The Access Client requires elevated privileges to perform certain administrative tasks, such as installing a driver and assigning an IP address to a network adapter. In Access Client versions prior to SSL v3.1.1, users had to log in to Windows as an administrative user before they could install or use the Access Client. Access Client v3.1.1 and later releases allow Windows standard users (users without administrator privileges) to connect to tunnel resources. Administrator privileges are still required for the initial installation of the Access Client software.

Access Client v3.1.1 and later releases include a component, the WatchGuard Access Client Helper Service, which performs the tasks that require elevated privileges. This allows a user without administrator privileges to use the Access Client. The following sections describe the installation requirements and limitations of the Access Client for users without Windows administrator privileges.

Installation

To install the Access Client so that it operates correctly for a Windows standard user, an administrator must complete these steps:
- Install the Access Client software on the client computer.
- Add an exception for AccessClient.exe to the Windows Firewall on the client computer.
- If the standard user uses Internet Explorer 7 or later, add the Application Portal as a trusted site, and verify that Protected Mode is not used for trusted sites.
You can log on to the client computer as an administrative user to do these steps manually, or you can use Windows Group Policy to push these changes to the client computers.

Install the Access Client Software

To set up a computer to run the Access Client for a standard user, you must first install the Access Client software. You can use Windows Group Policy to remotely install the software, or you can manually install it as an administrative user. For more information about manual installation, see Install the Access Client. For information about Group Policy, see the Microsoft documentation or knowledge base.

The Access Client installer installs these components:
- Access Client: enables a user to connect to any WatchGuard SSL VPN tunnel resource.
- Device Driver: redirects traffic through the VPN tunnel after the tunnel is established.
- WatchGuard Access Client Helper Service: allows the Access Client to run for non-administrative users.

You download the Access Client installer from the Software Downloads section of the WatchGuard web site at http://www.watchguard.com/archive/softwarecenter.asp.
Even if the standard user wants to use the on-demand client, you must still install the Access Client software on the client computer so that the WatchGuard Access Client Helper Service is installed. The Helper Service must be installed and running for a Windows standard user to use the Access Client.

Install the ActiveX Controls

After you install the client software, you must install the required ActiveX controls. An administrator can do this manually, or a standard user can do it if Group Policy is configured correctly. When you start a dynamic tunnel resource on the SSL Application Portal, a prompt appears for you to install the ActiveX control.

To manually install the ActiveX controls:
1. Log in to the client computer as an administrative user.
2. Authenticate to the Application Portal.
3. Start a dynamic tunnel resource. For example, start a Full Tunnel resource. If the ActiveX control is not installed, a prompt appears for you to install it.
4. Install the ActiveX controls.

Note: You cannot install ActiveX controls from Internet Explorer 7 or later when Protected Mode is enabled.

Configure Firewall Exceptions

The first time you start the Access Client on a client computer, Windows prompts you to add an exception to the existing firewall rules. You must add a Windows Firewall exception for AccessClient.exe to allow the Access Client to communicate through Windows Firewall. In Windows 7, you must enable this exception for both the home/work (private) and public network locations. You can add this exception manually in the Windows Control Panel if you are logged on to the client computer as a user with administrative privileges, or you can push this setting through Group Policy.

Add the SSL Application Portal to the Trusted Sites List

The Access Client does not operate correctly when it is started from Internet Explorer 7 or later in Protected Mode.
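The per-computer changes described in this section (the Windows Firewall exception for AccessClient.exe, the trusted-site entry for the Application Portal, Protected Mode turned off for the Trusted Sites zone, and a check that the Helper Service is running) can be scripted instead of clicked through. The PowerShell below is an added example, not a script shipped by WatchGuard. It assumes the default install path from this guide, a portal address of sslvpn.example.com, and that the Helper Service's display name begins with "WatchGuard Access Client Helper"; the registry locations are the standard Internet Explorer zone settings, not anything specific to the Access Client. The firewall rule and the service check need an elevated (administrator) prompt, while the Internet Explorer zone settings are stored per user, so run Set-PortalTrustedSite in the standard user's own session or push the equivalent values through Group Policy.

```powershell
# Added example (not WatchGuard's code). Per-computer setup for a Windows
# standard user: firewall exception, trusted site, Protected Mode off for the
# Trusted Sites zone, and a Helper Service check. The path, host name and
# service display name below are assumptions based on this guide's defaults.

$ClientExe  = 'C:\Program Files\WatchGuard\SSL\Access Client\AccessClient.exe'
$PortalHost = 'sslvpn.example.com'   # assumed portal address, without https://

# Run from an elevated prompt. "netsh advfirewall" exists on Vista and later;
# on Windows XP use "netsh firewall add allowedprogram" instead.
function Add-AccessClientFirewallRule {
    if (-not (Test-Path $ClientExe)) {
        throw "Access Client is not installed at $ClientExe; install it as an administrator first."
    }
    # Both private (home/work) and public profiles, as the guide requires on Windows 7.
    netsh advfirewall firewall add rule name="WatchGuard Access Client" dir=in action=allow `
        program="$ClientExe" enable=yes profile=private,public | Out-Null
}

# Run in the standard user's own session: these keys live under HKCU.
function Set-PortalTrustedSite {
    # Internet Explorer maps hosts to zones under ZoneMap\Domains\<domain>\<host>;
    # a DWORD named after the scheme with value 2 puts that host in Trusted Sites.
    $labels = $PortalHost.Split('.')
    if ($labels.Count -lt 3) { throw 'Expected a host name like sslvpn.example.com' }
    $domain = $labels[-2..-1] -join '.'
    $sub    = $labels[0..($labels.Count - 3)] -join '.'
    $zoneMap = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$sub"
    New-Item -Path $zoneMap -Force | Out-Null
    Set-ItemProperty -Path $zoneMap -Name 'https' -Value 2 -Type DWord

    # Zone 2 is Trusted Sites; value 2500 is Protected Mode (0 = on, 3 = off).
    # Turn it off for this zone only; leave the Internet zone (Zones\3) alone.
    $trusted = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
    Set-ItemProperty -Path $trusted -Name '2500' -Value 3 -Type DWord
}

# The guide requires the Helper Service to be installed and running for a
# standard user. Its service name is not documented, so match on display name.
function Test-HelperService {
    $svc = Get-Service | Where-Object { $_.DisplayName -like 'WatchGuard Access Client Helper*' } |
        Select-Object -First 1
    if ($svc -eq $null) {
        throw 'Helper Service not found; reinstall the Access Client (v3.1.1 or later) as an administrator.'
    }
    if ($svc.Status -ne 'Running') { Start-Service -Name $svc.Name }
    return ((Get-Service -Name $svc.Name).Status -eq 'Running')
}

# Elevated prompt:         Add-AccessClientFirewallRule; Test-HelperService
# Standard user's session: Set-PortalTrustedSite
```

Add only the exact portal host to the Trusted Sites zone: every site in that zone runs with the zone's relaxed settings and, after this change, without Protected Mode. If the portal is reached by IP address rather than a host name, Internet Explorer stores the mapping under ZoneMap\Ranges instead, and Set-PortalTrustedSite would need to be adapted.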
To make sure that the browser is not in Protected Mode, in the Internet Options configuration, add the address of the SSL Application Portal to the list of trusted sites. Then verify that the Internet Options configuration does not require Protected Mode for trusted sites. You can either ask the user to perform this step, or you can use Group Policy to update the trusted sites list on the client computer. Add only the Application Portal address: every site in the Trusted Sites zone runs with that zone's relaxed security settings.

To manually add the SSL Application Portal to the trusted sites list and configure trusted sites settings:
1. Log in to the client computer as the Windows standard user.
2. In Control Panel, open Internet Options.
3. Select the Security tab.
4. Select Trusted Sites.
5. Click Sites.
6. Add the URL of the WatchGuard SSL Application Portal to the trusted sites list. For example, add https://sslvpn.example.com.
7. If the client computer uses Windows Vista or Windows 7, with Trusted Sites still selected, clear the Enable Protected Mode check box.

Use the Access Client as a Standard User

For a standard user, the purpose of installing the Access Client is to install the WatchGuard Access Client Helper Service. The installer starts this service, and the service starts again automatically when the computer restarts. After the WatchGuard Access Client Helper Service is installed and running, a standard user can use either the installed Access Client or the on-demand Access Client.

Limitations

A standard user can use the Access Client with these limitations:
- An administrative user must install the Access Client software before a standard user can use it.
- ActiveX controls cannot be installed in Internet Explorer 7 or later when Protected Mode is enabled.
- A standard user can update Access Client components only if the Helper Service is running.
- If a standard user downgrades the Access Client to a version earlier than v3.1.1, the administrator must reinstall the v3.1.1 (or later) Access Client. A client downgrade can happen, for example, when a standard user connects to an SSL device that runs an older version of SSL OS and sees a prompt that a different client software version is available. If the user accepts the different client software, the client is downgraded.
- The Access Client cannot run in low-integrity mode. Low-integrity mode is uncommon, but if a low-integrity process (for example, Internet Explorer 7 or later with Protected Mode enabled) downloaded the executable, the executable inherits that integrity level and the Access Client does not run.

Launch the Access Client

After you log on to the WatchGuard SSL Application Portal, you can connect to your network resources. For some resources, your computer must run the Access Client. The Access Client is a Windows client that sets up the SSL VPN tunnel between your computer and the network resources.
The Access Client is not required for online applications.

Launch the On-demand Access Client

When you click a resource in the WatchGuard SSL Application Portal that requires the Access Client, the Application Portal automatically downloads and launches the on-demand Access Client.

Launch the Installed Access Client

If you have installed the Access Client software on your computer, you can also launch the client from the Windows Start menu. For instructions to install the Access Client, see Install the Access Client.

To launch the installed Access Client on a computer with Windows XP:
Select Start > All Programs > WatchGuard SSL > Access Client > WatchGuard Access Client. The Access Client launches and appears in the Windows system tray.
Note: If you have a complicated network setup, or use some third-party software (for example, certain versions of the OpenVPN client), a Cannot Acquire IP error message can appear when the Access Client initializes. You can safely ignore this error message. It does not affect your ability to use network resources through the secure VPN tunnel.

About the Access Client Menu

When the Access Client starts, the Access Client icon appears in the Windows system tray.

Note: If your tunnel connection is disconnected, an exclamation mark alert appears on the Access Client icon.

To configure your Access Client:
1. Click the Access Client icon. The Access Client menu appears.
2. Configure these options:
Preferences: Set preferences for the Access Client. For more information, see Edit Access Client Preferences.
Favorites: Add and manage favorite Application Portal resources. After you add favorite resources, you can select a resource from the Favorites menu to start the resource. For more information, see Manage Access Client Favorites.
Status: See the status of your SSL connection. For more information, see Check Access Client Status.
About: See Access Client version and copyright information.
Close tunnels: Close the connection to a tunnel resource. For more information, see Close a Tunnel.
Exit: Close the Access Client. The connections to all tunnel resources are also closed. For more information, see End Your SSL VPN Session.

Edit Access Client Preferences

You can configure the Access Client settings to customize the way the client operates on your computer.

Configure General Preferences

1. Launch the Access Client.
2. Click the Access Client icon. The Access Client menu appears.
3. Select Preferences. The Access Client Preferences dialog box appears.
4. Select the General tab.
5. To automatically launch the Access Client when Windows starts, select the Launch Access Client on startup check box. The Access Client is added to the Windows Startup folder.
6. To create shortcuts or launch commands that connect directly to a resource, select the Register essp:// protocol handler check box. For more information, see Use ESSP to Link Directly to a Resource.
7. If you do not want the client to automatically check for available updates, clear the Enable automatic update check box. We recommend that you leave this check box selected.
8. If the Update server text box already includes an address, we recommend that you do not change it. This is the URL or IP address of the WatchGuard SSL device that hosts the client updates, and it is set automatically the first time the Access Client connects to a resource.
If the Update server text box is blank, type the URL or IP address of the WatchGuard SSL Application Portal. Do not include https://.
9. To check for an updated client at the Update server address, click Update.
10. Click OK.

Edit Trusted Commands

If your network administrator has configured commands that automatically run when you start a resource, a notification dialog box appears before each command runs. Read the command before you trust it: a trusted command runs without a prompt every time you start that resource.

To disable the pop-up notification for a command:
1. In the notification dialog box, select the Always trust this command check box.
2. Click OK.

In the Access Client Preferences dialog box, the Trusted Commands tab lists the commands you have selected to always trust.

To see the list of trusted commands and delete commands:
1. Launch the Access Client.
2. Click the Access Client icon. The Access Client menu appears.
3. Select Preferences.
4. Select the Trusted Commands tab. The list of trusted commands appears.
5. To remove a command from the trusted list, select the command and click Delete. The command is removed from the list. The next time you connect to a resource that uses the command you removed, the Access Client prompts you before it runs the command.
6. Click OK.

Edit Diagnostic Settings

The Access Client can send diagnostic information to a log file. WatchGuard technical support might ask you to change the log level or send a diagnostic file to help troubleshoot issues with the Access Client. We recommend that you do not change the diagnostic settings unless a WatchGuard technical support representative asks you to do so.

You can configure the log level and diagnostic file separately for each of these client applications:
- Access Client: The VPN client that provides secure remote access over SSL.
- Assessment: The client that completes the integrity scan required for access.
- Abolishment: The client that securely deletes files used during the session.

To see and manage the diagnostic settings:
1. Launch the Access Client.
2. Click the Access Client icon.
The Access Client menu appears.
3. Select Preferences.
4. Select the Diagnostic tab.
5. In the Application section, from the Configure diagnostic settings for drop-down list, select Access Client, Assessment, or Abolishment. The settings for the selected application appear in the Settings section.
6. To change the location of the diagnostic log file, in the Diagnostic file text box, type the new path and file name.
7. To view the diagnostic file for the currently selected application, click View.
8. To export all diagnostic log files to a local zip file, click Export.
9. To change the level of detail to include in the diagnostic log file, adjust the Log level slider. When you click and hold the Log level slider, the current log level appears. The available log levels for each application are:
Off: Disables logging to the diagnostic file for the selected application.
Error: Includes only log messages about serious errors that cause an interruption in service.
Warning: Includes details about errors that might not impact service.
Info: Includes details about normal or successful operations.
Debug: Includes details that can help you troubleshoot problems. We recommend that you select this level only when a WatchGuard Technical Support representative directs you to do so.
Trace: Includes details about the status of application processes. We recommend that you select this level only when a WatchGuard Technical Support representative directs you to do so.

Log levels are cumulative: a higher log level also includes the messages of all lower log levels.

Manage Access Client Favorites

You can add network resources to the Access Client Favorites list. When you add a favorite, you can start that resource from the Access Client menu in the Windows system tray. You can also configure favorite resources to start automatically when you launch the Access Client.

Note: You can only add a favorite for a tunnel resource. The Access Client does not connect to web resources.

Add a Favorite Resource

To add a favorite, start the resource from the WatchGuard Application Portal and then add it as a favorite.
1. Authenticate to the WatchGuard SSL Application Portal.
2. Connect to the tunnel resource that you want to save as a favorite.
3. Click the Access Client icon. The Access Client menu appears.
4. Select Favorites > Add. The tunnel resources you are connected to appear in the menu.
5. Select the name of the resource to add as a favorite. The name can be different from the name of this resource in the Application Portal. The Edit Favorite dialog box appears.
6. To change the name that appears in the Access Client Favorites menu for this favorite, in the Display Name text box, type a new name.
7. The Server and Configuration text boxes are configured automatically. Do not change these settings.
8. To enable the Access Client to start this resource each time you start the Access Client, select the Load on startup check box.
9. Click OK. The favorite is added to the Access Client Favorites list.

See and Edit Access Client Favorites

1. Launch the Access Client.
2. Click the Access Client icon. The Access Client menu appears.
3. Select Favorites > Manage. The Access Client Favorites list appears.
4. To add a new favorite, click New. The Add Favorite dialog box appears.
5. In the Display name text box, type the name for this favorite to appear in the Access Client Favorites list.
6. In the Server text box, type the URL of the WatchGuard SSL Application Portal.
7. In the Configuration text box, type the configuration tag that identifies this tunnel resource in the portal. To find the configuration tag for a tunnel resource:
   a. Authenticate to the WatchGuard SSL Application Portal.
   b. Right-click the resource to make a favorite.
   c. Select Copy link location (Firefox) or Copy shortcut (Internet Explorer).
   d. In the Add Favorite dialog box, paste the link in the Configuration text box. For example: javascript:openmessagewindow('/wa/webclient/26gp52085p1c'); The string at the end of the path is the tunnel tag that identifies this resource.
   e. Edit the link to remove all characters except the tag. For example: 26gp52085p1c.
8. To enable the Access Client to start this resource each time you start the Access Client, select the Load on startup check box.
9. Click OK. The favorite is added to the Access Client Favorites list.
10. To edit an existing favorite, select the favorite and click Edit. The Edit Favorite dialog box appears.
11. To remove an existing favorite, select the favorite to delete and click Delete.
12. Click Close to save your changes.

Start a Favorite Resource

If you selected the Load on startup check box when you added the favorite, the resource loads automatically when you start the client. If you did not select the Load on startup check box:
1. Click the Access Client icon. The Access Client menu appears.
2. Select Favorites and click the name of the resource to load.

Check Access Client Status

You can check the status of the Access Client from the Access Client menu. The Access Client Status dialog box shows the number of active connections, the acquired IP address (if any), the amount of data transferred, and the throughput.

To see the status of the Access Client:
1. Click the Access Client icon. The Access Client menu appears.
2. Select Status. The Access Client Status dialog box appears.

Close a Tunnel

A tunnel resource is any resource that does not use a web browser. For example, when you connect to a network drive, you use a tunnel resource. You can use the Access Client to connect to more than one tunnel resource. Use the Access Client Close Tunnels command if you want to close the connection to only one connected tunnel resource.
To close a tunnel:
1. Click the Access Client icon. The Access Client menu appears.
2. Select Close Tunnels. A list of all the tunnels you are connected to appears.
3. Click the name of the tunnel to close. The Access Client closes the connection to the tunnel you selected.

If you use the on-demand Access Client, the Access Client closes when you close the last tunnel connection. If you use the installed Access Client, the Access Client does not close when you close the last tunnel connection. For more information about the two types of Access Client, see About the Access Client.

End Your SSL VPN Session

As a good security practice, we recommend that you close your SSL VPN session when you are finished with the network resources. There are several ways to do this. The method you choose depends on how you started the connection to the network resources.

If you connected to a resource from the Application Portal, there are two methods to close the connection:
- In the Application Portal, click Log out. Your connections to resources are closed, and the client exits automatically.
- Close the web browser that is connected to the Application Portal. You are logged out of the Application Portal, your resource connections are closed, and the client exits.

If you used an ESSP link or command to start the connection to a resource, you must exit the Access Client to close the connections to all resources:
1. Click the Access Client icon. The Access Client menu appears.
2. Select Exit. All resource connections are closed.

For information about how to use ESSP with the installed Access Client, see Use ESSP to Link Directly to a Resource.

Use ESSP to Link Directly to a Resource

ESSP (Extended Security Session Protocol) is the protocol used for communication between the Access Client and the WatchGuard SSL device. You can use an ESSP link to connect directly to a tunnel resource without first opening the Application Portal in a web browser. A tunnel resource is any resource that does not use a web browser.
For example, when you connect to a network drive, you use a tunnel resource. When you use ESSP to launch a tunnel resource, you are prompted to authenticate before you can connect to the resource.

Note: To use this feature, you must install the Access Client on your Windows computer. This feature is not available when you use the on-demand Access Client.
Register the ESSP Protocol Handler

If you install the Access Client, you can configure the Access Client preferences to register the ESSP protocol handler. After the handler is registered, any web page or document that contains an essp:// link can start the Access Client, so do not authenticate to a prompt that comes from a link you did not open yourself.
1. Launch the Access Client.
2. Click the Access Client icon. The Access Client menu appears.
3. Select Preferences. The Access Client Preferences dialog box appears.
4. On the General tab, select the Register essp:// protocol handler check box.
5. Click OK.

Use ESSP to Connect to a Resource

After you register the ESSP protocol handler, you can use a web browser or the Windows Start menu to launch the Access Client and automatically connect to a resource.

To use ESSP to start a resource in a browser:
1. Open a web browser.
2. Type or select a URI of the form essp://<address of Application Portal>/<resource configuration tag>.

To start a resource from the Windows Start menu:
1. Select Start > Run. The Run dialog box appears.
2. Type essp://<address of Application Portal>/<resource configuration tag>.
Example

This example shows how to find the resource configuration tag for a resource and how to construct the ESSP command. For this example, the address of the Application Portal is sslvpn.example.com.

To find the resource configuration tag for a tunnel resource:
1. Authenticate to the Application Portal. The Application Portal page appears.
2. Right-click a tunnel resource.
3. Select Copy link location (Firefox) or Copy shortcut (Internet Explorer).
4. Paste the link into a text editor, such as Notepad. For example:
javascript:openmessagewindow('/wa/webclient/26gp52085p1c');
The string at the end of the path is the resource configuration tag. For this example resource, the configuration tag is 26gp52085p1c.

To start the example resource in a web browser, type this in the browser address bar:
essp://sslvpn.example.com/26gp52085p1c

To start this resource from the Windows Start menu, select Start > Run, then type:
essp://sslvpn.example.com/26gp52085p1c
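Extracting the configuration tag from a copied link (as in step 7 of See and Edit Access Client Favorites and in the example above), building the essp:// URI, and confirming that the handler is actually registered before launching can be done in a few lines of PowerShell. The following is an added example, not part of this guide or of the Access Client. The portal address and copied link are the ones from the example above; the registry location it inspects assumes the Access Client registers essp:// in the standard Windows way, under HKEY_CLASSES_ROOT\essp with a "URL Protocol" value and a shell\open\command, which the guide does not state.

```powershell
# Added example (not WatchGuard's code): build an essp:// URI from a link
# copied in the Application Portal, confirm the protocol handler is
# registered, then hand the URI to Windows. Inputs are constructed.

# The copied link has the form javascript:openmessagewindow('/wa/webclient/<tag>');
# Only the tag after /wa/webclient/ is needed.
function Get-ResourceTag {
    param([string]$CopiedLink)
    if ($CopiedLink -match '/wa/webclient/([A-Za-z0-9]+)') { return $Matches[1] }
    throw "No configuration tag found in: $CopiedLink"
}

# Build essp://<portal>/<tag>. The portal is given without a scheme, as with
# the Update server preference; the tag is restricted to what the portal emits.
function New-EsspUri {
    param([string]$Portal, [string]$Tag)
    if ($Portal -match '^[A-Za-z]+://') { throw 'Give the portal address without https://' }
    if ($Tag -notmatch '^[A-Za-z0-9]+$') { throw "Unexpected characters in tag: $Tag" }
    return "essp://$Portal/$Tag"
}

# Assumption: standard URL-protocol registration under HKCR\essp. HKCR merges
# HKLM and HKCU class registrations, so this sees either. Returns the command
# line Windows will run for essp:// links, or $null if nothing is registered.
function Get-EsspHandler {
    $key = 'Registry::HKEY_CLASSES_ROOT\essp'
    if (-not (Test-Path $key)) { return $null }
    $urlProtocol = Get-ItemProperty -Path $key -Name 'URL Protocol' -ErrorAction SilentlyContinue
    if ($urlProtocol -eq $null) { return $null }
    $cmd = Get-ItemProperty -Path "$key\shell\open\command" -ErrorAction SilentlyContinue
    if ($cmd -eq $null) { return $null }
    return $cmd.'(default)'
}

# Constructed input: the portal and copied link used in the example above.
$copiedLink = "javascript:openmessagewindow('/wa/webclient/26gp52085p1c');"
$uri = New-EsspUri -Portal 'sslvpn.example.com' -Tag (Get-ResourceTag $copiedLink)

$handler = Get-EsspHandler
if ($handler -eq $null) {
    throw 'essp:// is not registered. Select "Register essp:// protocol handler" in Access Client Preferences.'
}
"essp:// is handled by: $handler"
"Starting $uri"
# Windows passes the URI to the registered handler; the Access Client then
# prompts you to authenticate, as described above.
Start-Process $uri
```

Get-EsspHandler is also a useful audit check on its own: the command line it returns should point at the installed AccessClient.exe, and if a different executable is registered for essp://, links from the portal will start that program instead of the Access Client.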