Watchguard SSL User guide

WatchGuard SSL Web UI v3.1 User Guide
WatchGuard SSL 100
WatchGuard SSL 560
About this User Guide
The WatchGuard SSL Web UI User Guide is updated with each major product release. For minor product
releases, only the WatchGuard SSL Web UI Help system is updated. The Help system also includes specific,
task-based implementation examples that are not available in the User Guide.
For the most recent product documentation, see the WatchGuard SSL Web UI Help on the WatchGuard
web site at: http://www.watchguard.com/help/documentation/.
Information in this guide is subject to change without notice. Companies, names, and data used in examples
herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the express written permission
of WatchGuard Technologies, Inc.
Guide revised: 6/17/2010
Copyright, Trademark, and Patent Information
Copyright © 1998-2010 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names
mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and
Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.
Note This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content security
solutions that provide defense-in-depth and help meet regulatory
compliance requirements. The WatchGuard XTM line combines firewall,
VPN, GAV, IPS, spam blocking and URL filtering to protect your network
from spam, viruses, malware, and intrusions. The new XCS line offers email
and web content security combined with data loss prevention. WatchGuard
extensible solutions scale to offer right-sized security ranging from small
businesses to enterprises with 10,000+ employees. WatchGuard builds
simple, reliable, and robust security appliances featuring fast
implementation and comprehensive management and reporting tools.
Enterprises throughout the world rely on our signature red boxes to
maximize security without sacrificing efficiency and productivity.
For more information, call 206.613.6600 or go to www.watchguard.com.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
Table of Contents
Introduction to WatchGuard SSL 1
About the WatchGuard SSL solution 1
About the WatchGuard SSL Access Client 2
About the Application Portal 2
Getting Started 3
Verify basic components 3
Get a WatchGuard device feature key 3
Use the Quick Setup Wizard to Set Up a Basic Configuration 3
Run the Quick Setup Wizard 4
Connect the WatchGuard SSL device to your network 5
Connect to WatchGuard SSL Web UI and Complete Initial Tasks 5
Connect to WatchGuard SSL Web UI 5
Upload the feature key file 5
Download and install the latest software 6
Get a Feature Key 6
Restore Factory Default Settings 6
Before you begin 7
Start the WatchGuard SSLdevice in recovery mode 7
Upload a new software image 7
Next steps 8
About WatchGuard SSLWeb UI 8
WatchGuard SSL Web UI Wizards 8
Publish your configuration 9
System Messages 9
Use the File Browser 9
About WatchGuard LiveSecurity Service 10
LiveSecurity Service 10
LiveSecurity Service Gold 11
Service expiration 11
Support Information 11
Online Resources 12
Telephone Numbers 12
Before you call 12
Relevant information 12
About Monitor System 15
About the System Status Page 17
View status information 18
Manage settings 18
View administrator activities 19
System Overview 19
Network Status 22
Authentication 23
Events 24
Device Status 25
Network Tools 27
Manage Settings 28
View Administrator Activities 30
About User Sessions 30
Search for User Sessions 32
View a User Session 33
End a User Session 34
Manage Search and Display Settings 34
About Alerts 35
Manage Alerts 35
Add an Alert 36
Edit and Delete Alerts 40
Manage Global Alert Settings 41
Manage Logging 45
Edit logging settings 45
Set the Log Level Filter 46
Configure log file rotation 47
Debug Logs 47
Log File Information 47
Syslog 47
Manage Global Logging Settings 48
Use Log Viewer 49
About Log Viewer Search Criteria 51
About Reports 52
Available Reports 52
Generate a report 53
Save a report 54
Abolishment Report 55
Assessment Report 55
Session Trend Report 56
Session Trend Real-Time Report 56
Access Report 57
Authentication Report 57
Authorization Report 58
Account Statistics Report 59
Communication Report 59
Performance Report 60
Tunnel Report 60
System Report 61
Alerts Report 61
Complete Report 61
Manage Report Database Settings 62
About the Diagnostics File 63
About the Feature Key 64
Feature key information 65
Upload a New Feature Key 66
Live Update 66
Configure Live Update settings 67
Reboot after engine updates 68
Check for new Live Update files 68
User Management 69
User accounts 70
User groups 70
External Directory Service 70
Self Service 71
About User Accounts 71
User Account Search Result List 71
Manually Add a User Account 72
Import User Accounts 75
Link to a User Account 78
Repair a Linked User Account 80
Edit User Accounts 81
Manage Global User Account Settings 83
About User Groups 86
About user property groups 86
About user location groups 86
Add a User Group 86
Search, Edit, or Delete User Groups 88
About the External Directory Service 90
About search rules 90
About directory mapping 91
Add an External Directory Service Location 91
Edit an External Directory Service Location 94
About Self Service 97
Use the wizard to enable Self Service 97
Manually enable and configure Self Service 98
Disable or restore Self Service 98
Manage Self Service Settings 99
Modify System Challenges 101
Configure and Enable Self Service 103
About Resource Access 111
Resources 111
Client firewall 111
Access rules 112
Application Portal 112
SSO domains 112
About Resources 112
Manage Resources 112
Manage Global Tunnel Resource Settings 158
Manage Global Resource Settings 159
About Client Firewalls 178
Disable routes for other network connections 178
Check the integrity of application connections 178
How the client firewall works 178
Configure client definitions 179
Firewall rules based on a device 179
Incoming Firewall Rules 180
Outgoing firewall rules 180
Manage Internet Firewall Configurations 181
About Access Rules 186
Manage Access Rules 186
Manage Global Access Rules 190
Use an Assessment Access Rule to Verify the Windows Client Logon Domain 190
Configure an Access Rule to Require Anti-virus or Anti-spyware Software 192
About the Application Portal 193
About the Access Client 194
Manage Application Portal Items 194
Connect to the Application Portal 197
Customize your Web UI and Application Portal 197
About SSO Domains 214
Domain type attributes 214
Manage SSO Domains 215
Configure SSO for Outlook Web Access (Form Based Authentication) 218
Configure SSO with Outlook Web Access (basic authentication) 224
Configure SSO for File Share Resources 227
Configure SSO for Remote Control Resources 231
Configure SSO for a Citrix MetaFrame Presentation Server Resource 236
About Manage System 247
About Authentication Methods 248
Supported authentication methods 249
About WatchGuard SSL Authentication Methods 250
About Other Authentication Methods 251
Add an Authentication Method 252
Manage an Authentication Method 254
Manage Global Authentication Service Settings 263
Manage RADIUS Configuration 269
Two-factor Authentication with Mobile ID 273
Configure Active Directory authentication with LDAP over SSL 279
About Certificates 294
Certificate lifetimes and CRLs 295
Certificate authorities and signing requests 295
Manage Certificates 295
Add a Certificate Authority 295
Add a Server Certificate 298
Edit or Delete a Server Certificate 299
Manage Client Certificate Settings 300
Create a CSR with OpenSSL 300
About Abolishment 306
Configure General Settings 307
Configure Cache Cleaner Settings 309
Configure Advanced Settings 310
Post-connection Cleanup with Abolishment 311
About Assessment 313
Configure General Settings 314
Configure Advanced Settings 316
Pre-connection End-point Integrity Check 319
About Notification Settings 322
Configure the Email Notification Channel 322
Configure the SMSNotification Channel 323
Manage SMSPlug-ins 337
Manage Client Definitions 338
Add Client Definitions 340
Edit or Delete Client Definitions 340
About Delegated Management 341
About Administrative Privileges 342
Manage Administrative Roles 343
About the Administration Service 346
Manage Administration Service Settings 346
Manage Global Settings 347
Restart the Administration Service 349
Manage Device Settings 350
General Settings for the Application Portal 350
Performance Settings 353
Cipher Suite Settings 355
Advanced Settings 357
Update the Device 360
Update the OS 360
Configure the System Time and Time Zone 361
Restore Factory Default Configuration Settings 363
Reinitialize the Local User Database 363
Reboot the Device 364
Network Configuration 364
Network Type 366
Configure network settings for Eth0 367
Configure network settings for Eth1 367
Configure Network Routes 367
Restore a Saved Configuration 368
Restore the current configuration 368
Restore a saved configuration 369
Add comments to a saved configuration 369
Delete a saved configuration 370
Manage Saved Configuration Settings 370
Import or Export the Configuration 371
Configure Active Directory Authentication on your SSL Device 372
Before you begin 373
Enable your AD Server for LDAP over SSL 374
Configure Active Directory Authentication on your SSL device 377
Send One-Time Passwords (OTPs) to Users 382
Configurethe SMS Channel to send email 382
Configure SMS Settings for each user account 383
Change the Directory Mapping Attribute for Notification SMS 384
Enable mobile text authentication for all users 385
Use the OTP to Authenticate 386
About the Access Client 387
Install the Access Client 387
Before you begin 387
Run the installer 387
Launch the installed Access Client 388
After you install 388
Connect to the Application Portal 389
Uninstall the Access Client 389
Launch the Access Client 389
Launch the on-demand Access Client 389
Launch the installed Access Client 389
About the Access Client Menu 390
Edit Access Client Preferences 391
Manage Access Client Favorites 394
Check Access Client Status 396
Close a Tunnel 397
End Your SSL VPN Session 397
Use ESSP to Link Directly to a Resource 398
Register the ESSP protocol handler 398
Use ESSP to connect to a resource 398
Example 399
1
Introduction to WatchGuard SSL
Your WatchGuard SSL device is an affordable, easy-to-use, and secure remote access device that provides
reliable connectivity to your corporate data and resources. Its flexibility enables you to make your remote
connectivity deployment as simple or as sophisticated as your business requirements dictate.
If your business requires remote access to email and file shares, your WatchGuard SSL device delivers the
security, flexibility, and breadth of options you need for secure remote access to your network. The
WatchGuard SSL stand-alone deployment implementation is a hassle-free VPN solution that provides
universal access to applications and network resources with no connectors, no modules, no client
management issues, and no extras to buy. The WatchGuard SSL 100 accommodates up to 100 concurrent
users. The WatchGuard SSL 560 accommodates up to 500 concurrent users.
About the WatchGuard SSL solution
The WatchGuard SSL solution includes a WatchGuard SSL device, WatchGuard SSL Web UI, the WatchGuard
SSL Application Portal, and the WatchGuard SSL Access Client.
• A WatchGuard SSL device is an all-in-one appliance that includes all the hardware, software, and
WatchGuard servers for your solution.
• WatchGuard SSL Web UI is a web-based administration application with a task-oriented approach.
You can use the Web UI to monitor your WatchGuard SSL system, add user accounts, manage access
to your resources, and manage your system settings.
• The WatchGuard SSL Application Portal is the web site where your users authenticate and get access
to your network resources.
• The Access Client is an SSL VPN client that enables on-demand access to tunnel resources in your
Application Portal.
About the WatchGuard SSL Access Client
The WatchGuard SSLAccess Client is an on-demand SSL VPN client. When a user selects a resource
available through the tunnel, the Access Client automatically downloads and installs on the client computer
through the web browser. The Access Client is available in two versions: the installed Access Client and the
on-demand Access Client. The Access Client is loaded with either ActiveX or a Java Applet, based on your
configuration choices. To use the ActiveX client loader to install the client, users must have local
administrator rights on their computers. For your users who do not have local administrator rights, you can
download the Access Client from the WatchGuard web site and provide it to the SSL VPN users on your
network.
About the Application Portal
The Application Portal provides access to Web Resources and Tunnel Resources. Web Resources are any
files accessible with a web browser, or applications with a web interface such as Outlook Web Access or
WatchGuard SSL Web UI. Users can connect to Web Resources without the Access Client.
Tunnel Resources are client-server applications or intranet sites. Examples of tunnel resources include
Remote Desktop or a Windows file share. Users must have the Access Client to connect to Tunnel
Resources.
2
Getting Started
Before you install your WatchGuard SSL device, make sure you verify the basic components and get a
feature key, as described in the subsequent sections.
Verify basic components
Make sure that you have these items:
• A computer with a 10/100BaseT Ethernet network interface card and a web browser installed
• WatchGuard SSL device
• Ethernet cable
• Power cable
Get a WatchGuard device feature key
To enable all of the features on your WatchGuard SSL device, you must activate the device on the
WatchGuard LiveSecurity web site and retrieve your feature key file. You can upload your feature key in the
Quick Setup Wizard if you register your device before you start the wizard. Or, you can complete the wizard
without a feature key. The SSL device only allows one authenticated user until you upload a feature key to
the device.
For more information, see Get a Feature Key.
Use the Quick Setup Wizard to Set Up a Basic
Configuration
The Quick Setup Wizard helps you set up a basic network configuration for your WatchGuard SSL device.
Use the Quick Setup Wizard to set up the device for the first time, or after you reset the device to factory
default settings.
Before you start the Quick Setup Wizard, make sure you:
• Register your WatchGuard SSL device with LiveSecurity Service
• Save a copy of your feature key file from the LiveSecurity web site to your computer, and extract
the feature key from the compressed file
For more information, see Getting Started.
Run the Quick Setup Wizard
1. Make sure your computer is configured to use a static IP address on the 192.168.111.0/24 network.
Note The default IP address on the WatchGuard SSL is 192.168.111.1. Do not use
192.168.111.1 on your own computer.
2. Connect the Ethernet interface on your computer to Eth1 on the WatchGuard SSL device.
3. Plug the power cord into the WatchGuard device power input and into a power source.
4. Power on the WatchGuard SSL.
5. Open a web browser and type: https://192.168.111.1:8443
The Quick Setup Wizard begins.
Note Because the WatchGuard SSL device uses a self-signed certificate, you may see a
certificate warning in your browser. During this first setup your computer is cabled
directly to the device, so you can accept the warning (Internet Explorer) or add a
certificate exception (Mozilla Firefox). After setup, install a server certificate
issued by a CA your browsers trust, so that later management sessions do not depend
on accepting warnings; see Add a Server Certificate.
6. Upload your feature key file, if you have it.
If you do not upload a feature key file, only one authenticated user can get access to the device. If you do not
have a feature key, you can continue with the wizard, and then upload a feature key from the Web UI after you
finish the wizard.
7. Set the time zone and system time settings.
8. Create the Super Administrator credentials. These credentials do not have to correspond to an
existing user in a directory service.
The Super Administrator password must be at least six characters long and must include characters
from at least three of these four categories:
• English uppercase characters (from A through Z)
• English lowercase characters (from a through z)
• Base-10 digits (from 0 through 9)
• Non-alphanumeric characters (for example: !, $, #, or %)
Six characters is only the minimum the wizard enforces. This account has full control of the device,
so choose a considerably longer password.
9. Select the network configuration mode. The choices are:
Single Interface mode (default)
Select this mode if you want to connect the WatchGuard SSL device to a single network, such as
a DMZ. In single interface mode, only the Eth0 interface is active.
Dual Interface mode
Select this mode if you want to connect the WatchGuard SSL device to two separate networks
(for example, two different DMZ networks). In dual interface mode, both the Eth0 and Eth1
interfaces are active.
10. Type the network address information for each interface you enabled.
After you complete the wizard, the device restarts with the settings you configured.
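The following script is an added example for the procedure above; it is not code from WatchGuard or from this guide. It checks, before you open the browser, that the static address you chose for your computer is usable on the factory-default network (step 1), that a candidate Super Administrator password satisfies the wizard's rule (step 8), and it records the SHA-256 fingerprint of the device's self-signed certificate the first time you connect over the direct cable, so that on every later connection (step 5, and the management connections that follow) you can tell an unchanged device certificate from a substituted one instead of clicking through the warning blindly. The device address 192.168.111.1 and port 8443 are the defaults the guide states; the file name device_fingerprint.txt is a hypothetical local pin store.

```python
"""Pre-flight checks for the Quick Setup Wizard.

This is an added example, not code from WatchGuard or this guide. It assumes the
factory defaults the procedure above states (device at 192.168.111.1, Web UI and
wizard on TCP port 8443) and a hypothetical local file, device_fingerprint.txt,
used to remember the device's self-signed certificate between sessions.
"""
import hashlib
import ipaddress
import ssl
import string
from typing import Optional

DEVICE_IP = "192.168.111.1"      # factory default address, from the guide
DEVICE_PORT = 8443               # wizard / Web UI port, from the guide
SETUP_NET = ipaddress.ip_network("192.168.111.0/24")


def client_ip_ok(candidate: str) -> bool:
    """Step 1: the computer's static address must be in 192.168.111.0/24 but must
    not be the device's own address, the network address or the broadcast address."""
    addr = ipaddress.ip_address(candidate)
    return (addr in SETUP_NET
            and addr not in (SETUP_NET.network_address, SETUP_NET.broadcast_address)
            and str(addr) != DEVICE_IP)


def password_meets_policy(pw: str) -> bool:
    """Step 8: at least six characters and at least three of the four categories
    (uppercase, lowercase, digit, non-alphanumeric) that the wizard enforces.
    Six is the wizard's floor, not a recommendation for the Super Administrator."""
    categories = (
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= 6 and sum(categories) >= 3


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon separated, in the
    form the browser's certificate viewer shows so the two can be compared."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_device_fingerprint(host: str = DEVICE_IP, port: int = DEVICE_PORT) -> str:
    """Step 5: fetch the certificate the device presents and fingerprint it.
    ssl.get_server_certificate does not validate the chain, which is intended:
    the self-signed certificate is being recorded, not trusted through a CA."""
    pem = ssl.get_server_certificate((host, port))
    return cert_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def pin_state(observed: str, pinned: Optional[str]) -> str:
    """Trust on first use. With no pin recorded yet (first contact over the direct
    cable) the fingerprint is accepted and should be saved; afterwards it must
    match exactly, and a mismatch means stop and find out why."""
    if pinned is None:
        return "first-contact"
    return "match" if observed == pinned else "mismatch"


if __name__ == "__main__":
    import sys
    from pathlib import Path

    pin_file = Path("device_fingerprint.txt")   # hypothetical pin store
    pinned = pin_file.read_text().strip() if pin_file.exists() else None
    observed = fetch_device_fingerprint()
    state = pin_state(observed, pinned)
    if state == "mismatch":
        sys.exit(f"device certificate changed: expected {pinned}, saw {observed}")
    if state == "first-contact":
        pin_file.write_text(observed + "\n")
    print(f"device certificate {observed} ({state}); "
          f"open https://{DEVICE_IP}:{DEVICE_PORT}")
```

Run it with your computer cabled to Eth1, before you open the browser, and compare the printed fingerprint with the one the browser shows in its certificate warning. If you later install your own server certificate, or the device presents a different certificate after a reset, delete the pin file and record the new fingerprint over a direct cable again rather than accepting the change remotely.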
Connect the WatchGuard SSL device to your network
After you complete the Quick Setup Wizard, connect the WatchGuard SSL device to your network.
1. Connect the WatchGuard SSL device to your network.
• If you selected single interface mode, connect the device to your network with Eth0.
• If you selected dual interface mode, connect the device to your network with both Eth0 and Eth1.
2. Reset the IP address on your computer to the original IP address.
3. Connect your computer to the network.
You can now use WatchGuard SSL Web UI to continue configuration, management, and monitoring tasks.
For more information, see Connect to WatchGuard SSL Web UI and Complete Initial Tasks.
Connect to WatchGuard SSL Web UI and
Complete Initial Tasks
After you complete the basic configuration, you can use WatchGuard SSL Web UI to continue the
configuration, management, and monitoring tasks. Before you get started, make sure that you have:
• Connected the WatchGuard SSL device to your network
• Connected your computer to the network
• Reset the IP address of your computer
Connect to WatchGuard SSL Web UI
The interface that you use to connect to WatchGuard SSL Web UI depends on the network configuration
mode you selected for your device. WatchGuard SSL Web UI uses port 8443 by default.
If you configured your device in Single Interface Mode, you must connect to the Eth0 interface for
management.
1. Connect your computer to the Eth0 network.
2. In a web browser, type https://<Eth0 IP address>:8443.
3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.
WatchGuard SSL Web UI appears.
If you configured your device in Dual Interface Mode, you must connect to the Eth1 interface for
management.
1. Connect your computer to the Eth1 network.
2. In a web browser, type https://<Eth1 IP address>:8443.
3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.
WatchGuard SSL Web UI appears.
Upload the feature key file
If you did not upload your feature key file when you ran the Quick Setup Wizard, we recommend that you
upload it now.
1. Get your feature key file from LiveSecurity.
For instructions, see Get a Feature Key.
2. In WatchGuard SSLWeb UI, select Monitor System > Feature Key.
The Feature Key page appears.
3. Upload the feature key file to the device.
For more information, see Upload a New Feature Key.
Download and install the latest software
A newer version of operating system software for your WatchGuard SSL device could be available. To
update your software:
1. Go to www.watchguard.com/archive/softwarecenter.asp.
2. Find and download the latest version of WatchGuard SSL OS.
3. From the Web UI, select Manage System > Device Update.
The Update the OS page appears.
4. Update the OS version on the device.
For more information, see Update the OS.
Get a Feature Key
A feature key is a file that enables licensed features on your WatchGuard SSL device. You must get a feature
key when you first install the device, and when you renew the LiveSecurity service.
To activate your device and get the device feature key:
1. Open a web browser and go to https://www.watchguard.com/activate.
If you have not already logged in to LiveSecurity, the LiveSecurity Log In page appears.
Note If you are new to WatchGuard, follow the instructions on the web site to create a
LiveSecurity profile.
2. Type your LiveSecurity user name and password.
The Activate Products page appears.
3. Type the serial number of the device. Make sure to include any hyphens.
4. Follow the instructions to register your device.
5. Save the feature key file and extract the feature key from the compressed file.
After you download the feature key, you can use the Quick Setup Wizard or the Web UI to browse to the
location of the feature key on your computer and upload it to the WatchGuard SSL device.
For more information, see:
• Use the Quick Setup Wizard to Set Up a Basic Configuration
• Upload a New Feature Key
Restore Factory Default Settings
There are two ways to reset your WatchGuard SSLdevice to the factory default settings:
Use the WatchGuard SSLWeb UI
If you can log in to the WatchGuard SSLWeb UI, you can restore the device to factory default
settings from the Web UI. This is the easiest method to restore the factory default settings.
For more information, see Restore Factory Default Configuration Settings.
Use recovery mode
If you cannot log into WatchGuard SSL Web UI, you can start the device in recovery mode. When the
device is in recovery mode, you can reinstall the software image and restart the device with factory
default settings.
Before you begin
Before you start the recovery process, you must download and save a copy of the WatchGuard SSL OS on
your computer. The file has an extension of .sysa-dl. You can download the file from the Software
Downloads section of the WatchGuard web site at
http://www.watchguard.com/archive/softwarecenter.asp.
Start the WatchGuard SSLdevice in recovery mode
1. Power off the WatchGuard SSLdevice.
2. Press and hold the up arrow button on the front panel while you power on the device.
3. Continue to hold the up arrow button until Executing SysB appears on the LCDdisplay.
When Recovery Mode Ready appears on the LCD display, the device is in recovery mode. In
recovery mode, the Eth1 address of the device is set to 10.0.1.1.
Upload a new software image
You must use a command line FTP program to upload the WatchGuard SSL OS software image. Many
common FTP commands are disabled on the WatchGuard SSL device for security reasons. For example, you
cannot change directories (cd) or show the remote working directory (pwd). Other FTP programs rely on
these commands to show you a list of files in the remote directory, and do not operate correctly when
these commands are disabled.
FTP sends the login credentials and the image in cleartext, so perform this upload only over the
direct cable connection described in step 1, never across a shared or routed network.
To upload a new software image to your WatchGuard SSL device:
1. Connect an Ethernet network cable between your computer and the Eth1 interface on the
WatchGuard SSL device.
2. Change the IPaddress of your computer to 10.0.1.2 (or to another IP address on the 10.0.1.0
network).
3. Open the command line interface of your computer. For example, select All Programs >
Accessories > Command Prompt from the Windows Start Menu if you use Windows XP.
4. Change your working directory to the location where you saved the .sysa_dl file.
5. At the command prompt, type ftp 10.0.1.1 to connect to your WatchGuard SSL.
6. When requested, type admin for both the user and the password.
7. Type bin to change the transfer type to binary mode.
8. Type put <filename>.
Make sure you replace <filename> in the command with the name of the .sysa-dl file you
downloaded from the WatchGuard Software Downloads page.
The upload process can take several minutes to complete. Do not close the window or type more commands
until another command prompt appears.
9. Type quit to close the FTP connection.
10. Exit the command line interface program.
After the software image upload completes, the WatchGuard SSL device installs the software and resets the
configuration to the default settings. When the reset process completes, the device automatically restarts.
Note The installation and reset process can take up to 10 minutes. Do not turn off the
device before this process is complete.
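The following script is an added example of the upload in steps 5 through 9 done non-interactively; it is not a WatchGuard tool. It relies only on what the procedure states: in recovery mode the device answers FTP on Eth1 at 10.0.1.1, the login is admin/admin, the image ends in .sysa-dl, the transfer must be binary, and cd, pwd and directory listings are disabled, so the client must send nothing beyond USER/PASS, TYPE I, STOR and QUIT. The data-connection mode the device accepts is not documented on this page; active mode is the default below because that is what the Windows command-line ftp client in the procedure uses, and passive mode is an option if the transfer stalls. The file-name check exists because uploading the wrong file costs a full install-and-reset cycle.

```python
"""Scripted recovery-mode image upload for a WatchGuard SSL device.

This is an added example, not a WatchGuard tool. It assumes the recovery-mode
facts the guide states: FTP on Eth1 at 10.0.1.1, login admin/admin, an image file
named *.sysa-dl, binary transfer, and a device that rejects cd/pwd/LIST, so only
USER/PASS, TYPE I, STOR and QUIT are sent. Active mode (the Windows ftp client's
behaviour) is the default; the device's accepted mode is an assumption.
"""
import ftplib
import os
from typing import Optional

RECOVERY_HOST = "10.0.1.1"           # Eth1 address in recovery mode, from the guide
RECOVERY_USER = RECOVERY_PASS = "admin"


def validate_image(path: str) -> Optional[str]:
    """Return why the file must not be uploaded, or None if it looks right.
    This catches the mistakes that cost a full install-and-reset cycle: the
    wrong file (the image extension is .sysa-dl), or a missing or empty one."""
    if not path.endswith(".sysa-dl"):
        return "not a .sysa-dl image"
    if not os.path.isfile(path):
        return "file does not exist"
    if os.path.getsize(path) == 0:
        return "file is empty"
    return None


def upload_image(path: str, host: str = RECOVERY_HOST, passive: bool = False,
                 timeout: float = 60.0) -> int:
    """Upload the image and return the number of bytes sent.

    ftplib's storbinary issues TYPE I and then STOR; it never sends CWD, PWD or
    LIST, so the device's reduced command set is sufficient. The credentials and
    the image travel in the clear, which is acceptable only on the dedicated
    cable between this computer and Eth1."""
    problem = validate_image(path)
    if problem:
        raise ValueError(f"{path}: {problem}")

    sent = 0

    def count(block: bytes) -> None:
        nonlocal sent
        sent += len(block)

    with ftplib.FTP() as ftp:          # the context manager sends QUIT on exit
        ftp.connect(host, 21, timeout=timeout)
        ftp.login(RECOVERY_USER, RECOVERY_PASS)
        ftp.set_pasv(passive)
        with open(path, "rb") as fh:
            # Bare file name: with cd disabled there is no remote directory to choose.
            ftp.storbinary(f"STOR {os.path.basename(path)}", fh, callback=count)
    return sent


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: upload_image.py <WatchGuard SSL OS image>.sysa-dl")
    n = upload_image(sys.argv[1])
    print(f"sent {n} bytes; the device now installs the image and restarts "
          f"(allow up to 10 minutes, do not power off)")
```

The call blocks until the device acknowledges the whole STOR, which is the same point at which the interactive session returns to a prompt; the install and reset that follow still take up to 10 minutes, so do not power the device off when the script exits.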
Next steps
After you restore the software image and the device restarts with factory default settings, you can use the
Quick Setup Wizard to set up your configuration again.
Note After the reboot, the IP address of the Eth1 interface changes to 192.168.111.1.
You must change the IP address on your computer before you launch the Quick
Setup Wizard.
For more information, see Use the Quick Setup Wizard to Set Up a Basic Configuration.
About WatchGuard SSLWeb UI
WatchGuard SSLWeb UIis a web-based administration application with a task-oriented approach. You can
use the Web UI to monitor your WatchGuard SSL device, add user accounts, manage resource access, and
manage your system settings.
WatchGuard SSLWeb UIhas two levels of menus:
Main menu
Includes these sections:
• Monitor System
• User Management
• Resource Access
• Manage System
Left menu
Includes options to manage your configuration from the sections of the main menu.
Context-sensitive Help is integrated with WatchGuard SSL Web UI. To open the Help topic for a task, click the Help icon.
WatchGuard SSL Web UI Wizards
All common tasks use wizards to guide you through the steps to complete your task. This includes
procedures to add user accounts, resources, and many others.