Watchguard SSL User guide

WatchGuard SSL Web UI v3.1 User Guide

WatchGuard SSL

Web UI

v3.1 User Guide

WatchGuard SSL100

WatchGuard SSL 560

User Guide ii

About this User Guide

The WatchGuard SSL Web UI User Guide is updated with each major product release. For minor product

releases, only the WatchGuard SSL Web UI Help system is updated. The Help system also includes specific,

task-based implementation examples that are not available in the User Guide.

For the most recent product documentation, see the WatchGuard SSL Web UI Help on the WatchGuard

web site at: http://www.watchguard.com/help/documentation/.

Information in this guide is subject to change without notice. Companies, names, and data used in examples

herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any

form or by any means, electronic or mechanical, for any purpose, without the express written permission

of WatchGuard Technologies, Inc.

Guide revised: 6/17/2010

Copyright, Trademark, and Patent Information

mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and

Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.

Note This product is for indoor use only.

About WatchGuard

WatchGuard offers affordable, all-in-one network and content security

solutions that provide defense-in-depth and help meet regulatory

compliance requirements. The WatchGuard XTM line combines firewall,

VPN, GAV, IPS, spam blocking and URL filtering to protect your network

from spam, viruses, malware, and intrusions. The new XCS line offers email

and web content security combined with data loss prevention. WatchGuard

extensible solutions scale to offer right-sized security ranging from small

businesses to enterprises with 10,000+ employees. WatchGuard builds

simple, reliable, and robust security appliances featuring fast

implementation and comprehensive management and reporting tools.

Enterprises throughout the world rely on our signature red boxes to

maximize security without sacrificing efficiency and productivity.

For more information, call 206.613.6600 or go to www.watchguard.com.

Address

505 Fifth Avenue South

Suite 500

Seattle, WA 98104

Support

www.watchguard.com/support

U.S. and Canada +877.232.3531

All Other Countries +1.206.521.3575

Sales

U.S. and Canada +1.800.734.9905

All Other Countries +1.206.613.0895

User Guide iii
Table of Contents
Introduction to WatchGuard SSL 1
About the WatchGuard SSL solution 1
About the WatchGuard SSL Access Client 2
About the Application Portal 2
Getting Started 3
Verify basic components 3
Get a WatchGuard device feature key 3
Use the Quick Setup Wizard to Set Up a Basic Configuration 3
Run the Quick Setup Wizard 4
Connect the WatchGuard SSL device to your network 5
Connect to WatchGuard SSL Web UI and Complete Initial Tasks 5
Connect to WatchGuard SSL Web UI 5
Upload the feature key file 5
Download and install the latest software 6
Get a Feature Key 6
Restore Factory Default Settings 6
Before you begin 7
Start the WatchGuard SSLdevice in recovery mode 7
Upload a new software image 7
Next steps 8
About WatchGuard SSLWeb UI 8
WatchGuard SSL Web UI Wizards 8
Publish your configuration 9
System Messages 9
Use the File Browser 9
About WatchGuard LiveSecurity Service 10
LiveSecurity Service 10
LiveSecurity Service Gold 11
Service expiration 11
Support Information 11

Online Resources 12

Telephone Numbers 12

Before you call 12

Relevant information 12

About Monitor System 15

About the System Status Page 17

View status information 18

Manage settings 18

View administrator activities 19

System Overview 19

Network Status 22

Authentication 23

Events 24

Device Status 25

Network Tools 27

Manage Settings 28

View Administrator Activities 30

About User Sessions 30

Search for User Sessions 32

View a User Session 33

End a User Session 34

Manage Search and Display Settings 34

About Alerts 35

Manage Alerts 35

Add an Alert 36

Edit and Delete Alerts 40

Manage Global Alert Settings 41

Manage Logging 45

Edit logging settings 45

Set the Log Level Filter 46

Configure log file rotation 47

Debug Logs 47

iv WatchGuard SSL Web UI

User Guide v

Log File Information 47

Syslog 47

Manage Global Logging Settings 48

Use Log Viewer 49

About Log Viewer Search Criteria 51

About Reports 52

Available Reports 52

Generate a report 53

Save a report 54

Abolishment Report 55

Assessment Report 55

Session Trend Report 56

Session Trend Real-Time Report 56

Access Report 57

Authentication Report 57

Authorization Report 58

Account Statistics Report 59

Communication Report 59

Performance Report 60

Tunnel Report 60

System Report 61

Alerts Report 61

Complete Report 61

Manage Report Database Settings 62

About the Diagnostics File 63

About the Feature Key 64

Feature key information 65

Upload a New Feature Key 66

Live Update 66

Configure Live Update settings 67

Reboot after engine updates 68

Check for new Live Update files 68

User Management 69
User accounts 70
User groups 70
External Directory Service 70
Self Service 71
About User Accounts 71
User Account Search Result List 71
Manually Add a User Account 72
Import User Accounts 75
Link to a User Account 78
Repair a Linked User Account 80
Edit User Accounts 81
Manage Global User Account Settings 83
About User Groups 86
About user property groups 86
About user location groups 86
Add a User Group 86
Search, Edit, or Delete User Groups 88
About the External Directory Service 90
About search rules 90
About directory mapping 91
Add an External Directory Service Location 91
Edit an External Directory Service Location 94
About Self Service 97
Use the wizard to enable Self Service 97
Manually enable and configure Self Service 98
Disable or restore Self Service 98
Manage Self Service Settings 99
Modify System Challenges 101
Configure and Enable Self Service 103
About Resource Access 111
Resources 111
vi WatchGuard SSL Web UI

User Guide vii
Client firewall 111
Access rules 112
Application Portal 112
SSO domains 112
About Resources 112
Manage Resources 112
Manage Global Tunnel Resource Settings 158
Manage Global Resource Settings 159
About Client Firewalls 178
Disable routes for other network connections 178
Check the integrity of application connections 178
How the client firewall works 178
Configure client definitions 179
Firewall rules based on a device 179
Incoming Firewall Rules 180
Outgoing firewall rules 180
Manage Internet Firewall Configurations 181
About Access Rules 186
Manage Access Rules 186
Manage Global Access Rules 190
Use an Assessment Access Rule to Verify the Windows Client Logon Domain 190
Configure an Access Rule to Require Anti-virus or Anti-spyware Software 192
About the Application Portal 193
About the Access Client 194
Manage Application Portal Items 194
Connect to the Application Portal 197
Customize your Web UI and Application Portal 197
About SSO Domains 214
Domain type attributes 214
Manage SSO Domains 215
Configure SSO for Outlook Web Access (Form Based Authentication) 218
Configure SSO with Outlook Web Access (basic authentication) 224

Configure SSO for File Share Resources 227
Configure SSO for Remote Control Resources 231
Configure SSO for a Citrix MetaFrame Presentation Server Resource 236
About Manage System 247
About Authentication Methods 248
Supported authentication methods 249
About WatchGuard SSL Authentication Methods 250
About Other Authentication Methods 251
Add an Authentication Method 252
Manage an Authentication Method 254
Manage Global Authentication Service Settings 263
Manage RADIUS Configuration 269
Two-factor Authentication with Mobile ID 273
Configure Active Directory authentication with LDAP over SSL 279
About Certificates 294
Certificate lifetimes and CRLs 295
Certificate authorities and signing requests 295
Manage Certificates 295
Add a Certificate Authority 295
Add a Server Certificate 298
Edit or Delete a Server Certificate 299
Manage Client Certificate Settings 300
Create a CSR with OpenSSL 300
About Abolishment 306
Configure General Settings 307
Configure Cache Cleaner Settings 309
Configure Advanced Settings 310
Post-connection Cleanup with Abolishment 311
About Assessment 313
Configure General Settings 314
Configure Advanced Settings 316
Pre-connection End-point Integrity Check 319
viii WatchGuard SSL Web UI

User Guide ix
About Notification Settings 322
Configure the Email Notification Channel 322
Configure the SMSNotification Channel 323
Manage SMSPlug-ins 337
Manage Client Definitions 338
Add Client Definitions 340
Edit or Delete Client Definitions 340
About Delegated Management 341
About Administrative Privileges 342
Manage Administrative Roles 343
About the Administration Service 346
Manage Administration Service Settings 346
Manage Global Settings 347
Restart the Administration Service 349
Manage Device Settings 350
General Settings for the Application Portal 350
Performance Settings 353
Cipher Suite Settings 355
Advanced Settings 357
Update the Device 360
Update the OS 360
Configure the System Time and Time Zone 361
Restore Factory Default Configuration Settings 363
Reinitialize the Local User Database 363
Reboot the Device 364
Network Configuration 364
Network Type 366
Configure network settings for Eth0 367
Configure network settings for Eth1 367
Configure Network Routes 367
Restore a Saved Configuration 368
Restore the current configuration 368

Restore a saved configuration 369
Add comments to a saved configuration 369
Delete a saved configuration 370
Manage Saved Configuration Settings 370
Import or Export the Configuration 371
Configure Active Directory Authentication on your SSL Device 372
Before you begin 373
Enable your AD Server for LDAP over SSL 374
Configure Active Directory Authentication on your SSL device 377
Send One-Time Passwords (OTPs) to Users 382
Configurethe SMS Channel to send email 382
Configure SMS Settings for each user account 383
Change the Directory Mapping Attribute for Notification SMS 384
Enable mobile text authentication for all users 385
Use the OTP to Authenticate 386
About the Access Client 387
Install the Access Client 387
Before you begin 387
Run the installer 387
Launch the installed Access Client 388
After you install 388
Connect to the Application Portal 389
Uninstall the Access Client 389
Launch the Access Client 389
Launch the on-demand Access Client 389
Launch the installed Access Client 389
About the Access Client Menu 390
Edit Access Client Preferences 391
Manage Access Client Favorites 394
Check Access Client Status 396
Close a Tunnel 397
End Your SSL VPN Session 397
x WatchGuard SSL Web UI

User Guide xi

Use ESSP to Link Directly to a Resource 398

Register the ESSP protocol handler 398

Use ESSP to connect to a resource 398

Example 399

User Guide xii

User Guide 1

1

Introduction to WatchGuard SSL

Your WatchGuard SSL device is an affordable, easy-to-use, and secure remote access device that provides

reliable connectivity to your corporate data and resources. Its flexibility enables you to make your remote

connectivity deployment as simple or as sophisticated as your business requirements dictate.

If your business requires remote access to email and file shares, your WatchGuard SSL device delivers the

security, flexibility, and breadth of options you need for secure remote access to your network. The

WatchGuard SSL stand-alone deployment implementation is a hassle-free VPN solution that provides

universal access to applications and network resources with no connectors, no modules, no client

management issues, and no extras to buy. The WatchGuard SSL 100 accommodates up to 100 concurrent

users. The WatchGuard SSL 560 accommodates up to 500 concurrent users.

About the WatchGuard SSL solution

The WatchGuard SSL solution includes a WatchGuard SSL device, WatchGuard SSL Web UI, the WatchGuard

SSL Application Portal, and the WatchGuard SSL Access Client.

n A WatchGuard SSL device is an all-in-one appliance that includes all the hardware, software, and

WatchGuard servers for your solution.

n WatchGuard SSLWeb UIis a Web-based administration application with a task-oriented approach.

You can use the Web UI to monitor your WatchGuard SSL system, add user accounts, manage access

to your resources, and manage your system settings.

n The WatchGuard SSL Application Portal is the web site where your users authenticate and get access

to your network resources.

n The Access Client is a SSL VPN client that enables on-demand access to tunnel resources in your

Application Portal.

About the WatchGuard SSL Access Client

The WatchGuard SSLAccess Client is an on-demand SSL VPN client. When a user selects a resource

available through the tunnel, the Access Client automatically downloads and installs on the client computer

through the web browser. The Access Client is available in two versions: the installed Access Client and the

on-demand Access Client. The Access Client is loaded with either ActiveX or a Java Applet, based on your

configuration choices. To use the ActiveX client loader to install the client, users must have local

administrator rights on their computers. For your users who do not have local administrator rights, you can

download the Access Client from the WatchGuard web site and provide it to the SSL VPN users on your

network.

About the Application Portal

The Application Portal provides access to Web Resources and Tunnel Resources. Web Resources are any

files accessible with a web browser, or applications with a web interface such as Outlook Web Access or

WatchGuard SSL Web UI. Users can connect to Web Resources without the Access Client.

Tunnel Resources are client-server applications or intranet sites. Examples of tunnel resources include

Remote Desktop or a Windows file share. Users must have the Access Client to connect to Tunnel

Resources.

Introduction to WatchGuard SSL

2 WatchGuard SSL Web UI

User Guide 3

2

Getting Started

Before you install your WatchGuard SSLdevice, make sure you verify the basic components and get a

feature key, as described in the subsequent sections.

Verify basic components

Make sure that you have these items:

n A computer with a 10/100BaseT Ethernet network interface card and a web browser installed

n WatchGuard SSL device

n Ethernet cable

n Power cable

Get a WatchGuard device feature key

To enable all of the features on your WatchGuard SSL device, you must activate the device on the

WatchGuard LiveSecurity web site and retrieve your feature key file. You can upload your feature key in the

Quick Setup Wizard if you register your device before you start the wizard. Or, you can complete the wizard

without a feature key. The SSL device only allows one authenticated user until you upload a feature key to

the device.

For more information, see Get a Feature Key.

Use the Quick Setup Wizard to Set Up a Basic

Configuration

The Quick Setup Wizard helps you set up a basic network configuration for your WatchGuard SSL device.

Use the Quick Setup Wizard to set up the device for the first time, or after you reset the device to factory

default settings.

Before you start the Quick Setup Wizard, make sure you:

n Register your WatchGuard SSL device with LiveSecurity Service

n Save a copy of your feature key file from the LiveSecurity web site to your computer, and extract

the feature key from the compressed file

For more information, see Getting Started.

Run the Quick Setup Wizard

1. Make sure your computer is configured to use a static IP address on the 192.168.111.0/24 network.

Note The default IP address on the WatchGuard SSL is 192.168.111.1. Do not use

192.168.111.1 on your own computer.

2. Connect the Ethernet interface on your computer to Eth1 on the WatchGuard SSL device.

3. Plug the power cord into the WatchGuard device power input and into a power source.

4. Power on the WatchGuard SSL.

5. Open a web browser and type: https://192.168.111.1:8443

The Quick Setup Wizard begins.

Note Because the WatchGuard SSLdevice uses a self-signed certificate, you may see a

certificate warning in your browser. It is safe to ignore the warning (Internet

Explorer) or add a certificate exception (Mozilla Firefox).

6. Upload your feature key file, if you have it.

If you do not upload a feature key file, only one authenticated user can get access to the device. If you do not

have a feature key, you can continue with the wizard, and then upload a feature key from the Web UI after you

finish the wizard.

7. Set the time zone and system time settings.

8. Create the Super Administrator credentials. These credentials do not have to correspond to an

existing user in a directory service.

The Super Administrator password must be at least six characters long and must include characters

from at least three of these four categories:

n English uppercase characters (from A through Z)

n English lowercase characters (from a through z)

n Base-10 digits (from 0 through 9)

n Non-alphanumeric characters (for example: !, $, #, or %)

9. Select the network configuration mode. The choices are:

Single Interface mode (default)

Select this mode if you want to connect the WatchGuard SSL device to one network DMZ. In

single interface mode, only the Eth0 interface is active.

Dual Interface mode

Select this mode if you want to connect the WatchGuard SSL device to two separate networks

(for example, two different DMZ networks). In dual interface mode, both the Eth0 and Eth1

interfaces are active.

10. Type the network address information for each interface you enabled.

After you complete the wizard, the device restarts with the settings you configured.

Getting Started

4 WatchGuard SSL Web UI

Getting Started

User Guide 5

Connect the WatchGuard SSL device to your network

After you complete the Quick Setup Wizard, connect the WatchGuard SSLdevice to your network.

1. Connect the WatchGuard SSL device to your network.

n If you selected single interface mode, connect the device to your network with Eth0.

n If you selected dual interface mode, connect the device to your network with both Eth0 and Eth1.

2. Reset the IPaddress on your computer to the original IPaddress.

3. Connect your computer to the network.

You can now use WatchGuard SSLWeb UI to continue configuration, management, and monitoring tasks.

For more information, see Connect to WatchGuard SSL Web UI and Complete Initial Tasks.

Connect to WatchGuard SSL Web UI and

Complete Initial Tasks

After you complete the basic configuration, you can use WatchGuard SSLWeb UI to continue the

configuration, management, and monitoring tasks. Before you get started, make sure that you have:

n Connected the WatchGuard SSL device to your network

n Connected your computer to the network

n Reset the IPaddress of your computer

Connect to WatchGuard SSL Web UI

The interface that you use to connect to WatchGuard SSLWeb UI is different depending on the deployment

method you used for your device. WatchGuard SSLWeb UI uses port 8443 by default.

If you configured your device in Single Interface Mode, you must connect to the Eth0 interface for

management.

1. Connect your computer to the Eth0 network.

2. In a web browser, type https://<Eth0 IP address>:8443.

3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.

WatchGuard SSL Web UIappears.

If you configured your device in Dual Interface Mode, you must connect to the Eth1 interface for

management.

1. Connect your computer to the Eth1 network.

2. In a web browser, type https://<Eth1 IP address>:8443.

3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.

WatchGuard SSL Web UIappears.

Upload the feature key file

If you did not upload your feature key file when you ran the Quick Setup Wizard, we recommend that you

upload it now.

1. Get your feature key file from LiveSecurity.

For instructions, see Get a Feature Key.

2. In WatchGuard SSLWeb UI, select Monitor System > Feature Key.

The Feature Key page appears.

3. Upload the feature key file to the device.

For more information, see Upload a New Feature Key.

Download and install the latest software

A newer version of operating system software for your WatchGuard SSLdevice could be available. To

update your software:

1. Go to www.watchguard.com/archive/softwarecenter.asp.

2. Find and download the latest version of WatchGuard SSLOS.

3. From the Web UI, select Manage System > Device Update.

The Update the OSpage appears.

4. Update the OS version on the device.

For more information, see Update the OS.

Get a Feature Key

A feature key is a file that enables licensed features on your WatchGuard SSL device. You must get a feature

key when you first install the device, and when you renew the LiveSecurity service.

To activate your device and get the device feature key:

1. Open a web browser and go to https://www.watchguard.com/activate.

If you have not already logged in to LiveSecurity, the LiveSecurity Log In page appears.

Note If you are new to WatchGuard, follow the instructions on the web site to create a

LiveSecurity profile.

2. Type your LiveSecurity user name and password.

The Activate Products page appears.

3. Type the serial number of the device. Make sure to include any hyphens.

4. Follow the instructions to register your device.

5. Save the feature key file and extract the feature key from the compressed file.

After you download the feature key, you can use the Quick Setup Wizard or the Web UI to browse to the

location of the feature key on your computer and upload it to the WatchGuard SSL device.

For more information, see:

n Use the Quick Setup Wizard to Set Up a Basic Configuration

n Upload a New Feature Key

Restore Factory Default Settings

There are two ways to reset your WatchGuard SSLdevice to the factory default settings:

Getting Started

6 WatchGuard SSL Web UI

Getting Started

User Guide 7

Use the WatchGuard SSLWeb UI

If you can log in to the WatchGuard SSLWeb UI, you can restore the device to factory default

settings from the Web UI. This is the easiest method to restore the factory default settings.

For more information, see Restore Factory Default Configuration Settings.

Use recovery mode

If you cannot log into WatchGuard SSL Web UI, you can start the device in recovery mode. When the

device is in recovery mode, you can reinstall the software image and restart the device with factory

default settings.

Before you begin

Before you start the recovery process, you must download and save a copy of the WatchGuard SSLOS on

your computer. The file has an extension of .sysa-dl. You can download the file from the Software

Downloads section of the WatchGuard web site at

http://www.watchguard.com/archive/softwarecenter.asp.

Start the WatchGuard SSLdevice in recovery mode

1. Power off the WatchGuard SSLdevice.

2. Press and hold the up arrow button on the front panel while you power on the device.

3. Continue to hold the up arrow button until Executing SysB appears on the LCDdisplay.

When Recovery Mode Ready appears on the LCD display, the device is in recovery mode. In

recovery mode, the Eth1 address of the device is set to 10.0.1.1.

Upload a new software image

You must use a command line FTP program to upload the WatchGuard SSLOSsoftware image. Many

common FTPcommands are disabled on the WatchGuard SSL device for security reasons. For example, you

cannot change directories (cd) or show the remote working directory (pwd). Other FTP programs rely on

these commands to show you a list of files in the remote directory, and do not operate correctly when

these commands are disabled.

To upload a new software image to your WatchGuard SSL device:

1. Connect an Ethernet network cable between your computer and the Eth1 interface on the

WatchGuard SSL device.

2. Change the IPaddress of your computer to 10.0.1.2 (or to another IP address on the 10.0.1.0

network).

3. Open the command line interface of your computer. For example, select All Programs >

Accessories > Command Prompt from the Windows Start Menu if you use Windows XP.

4. Change your working directory to the location where you saved the .sysa_dl file.

5. At the command prompt, type ftp 10.0.1.1 to connect to your WatchGuard SSL.

6. When requested, type admin for both the user and the password.

7. Type bin to change the transfer type to binary mode.

8. Type put <filename>.

Make sure you replace <filename> in the command with the name of the .sysa-dl file you

downloaded from the WatchGuard Software Downloads page.

The upload process can take several minutes to complete. Do not close the window or type more commands

until another command prompt appears.

9. Type quit to close the FTP connection.

10. Exit the command line interface program.

After the software image upload completes, the WatchGuard SSL device installs the software and resets the

configuration to the default settings. When the reset process completes, the device automatically restarts.

Note The installation and reset process can take up to 10 minutes. Do not turn off the

device before this process is complete.

Next steps

After you restore the software image and the device restarts with factory default settings, you can use the

Quick Setup Wizard to set up your configuration again.

Note After the reboot, the IPaddress of the Eth1 interface changes to 192.168.111.1.

You must change the IP address on your computer before you launch the Quick

Setup Wizard.

For more information, see Use the Quick Setup Wizard to Set Up a Basic Configuration.

About WatchGuard SSLWeb UI

WatchGuard SSLWeb UIis a web-based administration application with a task-oriented approach. You can

use the Web UI to monitor your WatchGuard SSL device, add user accounts, manage resource access, and

manage your system settings.

WatchGuard SSLWeb UIhas two levels of menus:

Main menu

Includes these sections:

n Monitor System

n User Management

n Resource Access

n Manage System

Left menu

Includes options to manage your configuration from the sections of the main menu.

Context-sensitive Help is integrated with WatchGuard SSL Web UI. To open the Help topic for a task, click .

WatchGuard SSL Web UI Wizards

All common tasks use wizards to guide you through the steps to complete your task. This includes

procedures to add user accounts, resources, and many others.

Getting Started

8 WatchGuard SSL Web UI

Page is loading ...

Watchguard SSL User guide

Watchguard SSL User guide

Related papers

Other documents