Watchguard SSL User guide

WatchGuard SSL Web UI 3.1.3 User Guide
WatchGuard SSL
Web UI
3.1.3 User Guide
WatchGuard SSL100
WatchGuard SSL 560
User Guide ii
About this User Guide
The WatchGuard SSL Web UI User Guide is updated with each major product release. For minor product
releases, only the WatchGuard SSL Web UI Help system is updated. The Help system also includes specific,
task-based implementation examples that are not available in the User Guide.
For the most recent product documentation, see the WatchGuard SSL Web UI Help on the WatchGuard
web site at: http://www.watchguard.com/help/documentation/.
Information in this guide is subject to change without notice. Companies, names, and data used in examples
herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the express written permission
of WatchGuard Technologies, Inc.
Guide revised: 6/21/2012
Copyright, Trademark, and Patent Information
Copyright © 1998-2012 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names
mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and
Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.
Note This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.
For more information, call 206.613.6600 or go to www.watchguard.com.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
Table of Contents
Introduction to WatchGuard SSL 1
About the WatchGuard SSL solution 1
About the WatchGuard SSL Access Client 2
About the Application Portal 2
Getting Started 3
Verify Basic Components 3
Get a WatchGuard Device Feature Key 3
Install the WatchGuard SSL Device Behind a Firewall 3
Use the Quick Setup Wizard to Set Up a Basic Configuration 4
Run the Quick Setup Wizard 4
Connect the WatchGuard SSL Device to Your Network 5
Connect to WatchGuard SSL Web UI and Complete Initial Tasks 6
Connect to WatchGuard SSL Web UI 6
Upload the Feature Key File 6
Download and Install the Latest Software 6
Get a Feature Key 7
Activate your Device and Get a Feature Key 7
Retrieve a Current Feature Key 7
Restore Factory Default Settings 7
Before You Begin 8
Start the WatchGuard SSLDevice in Recovery Mode 8
Upload a New Software Image 8
Next Steps 9
About WatchGuard SSLWeb UI 9
WatchGuard SSL Web UI Wizards 10
Publish Your Configuration 10
System Messages 10
Use the File Browser 10
About WatchGuard LiveSecurity Service 11
LiveSecurity Service 11
LiveSecurity Service Gold 12
Service expiration 12
Support Information 13
Online Resources 13
Telephone Numbers 13
Before You Call 13
Relevant Information 13
About Monitor System 15
About the System Status Page 16
View Status Information 17
Manage Settings 17
View Administrator Activities 18
System Overview 18
Network Status 21
Authentication 22
Events 23
Device Status 24
Network Tools 26
Manage Settings 27
View Administrator Activities 29
About User Sessions 29
Search for User Sessions 30
View a User Session 31
End a User Session 32
Manage Search and Display Settings 32
About Alerts 33
Manage Alerts 33
Add an Alert 34
Edit and Delete Alerts 39
Manage Global Alert Settings 40
Manage Logging 44
Edit Logging Settings 44
Set the Log Level Filter 46
Configure Log File Rotation 46
Debug Logs 46
Log File Information 47
Syslog 47
Manage Global Logging Settings 47
Use Log Viewer 49
About Log Viewer Search Criteria 50
About Reports 52
Available Reports 52
Generate a Report 53
Save a Report 54
Abolishment Report 55
Assessment Report 55
Session Trend Report 56
Session Trend Real-Time Report 56
Access Report 57
Authentication Report 57
Authorization Report 58
Account Statistics Report 59
User Policy Analysis Report 59
User Audit Report 59
Communication Report 60
Performance Report 60
Tunnel Report 61
Alerts Report 61
System Report 61
Complete Report 62
Manage Report Database Settings 63
About the Diagnostics File 63
About the Feature Key 64
Feature key information 65
Upload a New Feature Key 67
Live Update 67
Configure Live Update Settings 68
Reboot after Engine Updates 69
Check for New Live Update Files 69
User Management 71
User accounts 72
User groups 72
External Directory Service 72
Self Service 73
About User Accounts 73
User Account Search Result List 73
Manually Add a User Account 74
Import User Accounts 77
Link to a User Account 80
Repair a Linked User Account 82
Edit User Accounts 83
Manage Global User Account Settings 85
About User Groups 88
About user property groups 88
About user location groups 88
Add a User Group 89
Search, Edit, or Delete User Groups 90
About the External Directory Service 92
About Search Rules 92
About Directory Mapping 93
Add an External Directory Service Location 93
Edit an External Directory Service Location 96
About Self Service 99
Use the wizard to enable Self Service 99
Manually enable and configure Self Service 100
Disable or restore Self Service 100
Manage Self Service Settings 101
Modify System Challenges 103
Configure and Enable Self Service 105
About Resource Access 113
Resources 113
Client firewall 113
Access rules 114
Application Portal 114
SSO domains 114
About Resources 114
Manage Resources 114
Manage Global Tunnel Resource Settings 166
Manage Global Resource Settings 168
About Client Firewalls 187
Disable routes for other network connections 187
Check the integrity of application connections 187
How the client firewall works 187
Configure client definitions 188
Firewall rules based on a device 188
Incoming Firewall Rules 189
Outgoing firewall rules 189
Manage Internet Firewall Configurations 190
About Access Rules 195
Manage Access Rules 195
Manage Global Access Rules 199
Assessment Access Rule Requirements 200
Configure an Access Rule to Require Anti-virus or Anti-spyware Software 207
Configure an Access Rule to Verify the Windows Client Logon Domain 209
Configure an Access Rule to Verify a Windows File is Found 210
Configure an Access Rule to Verify a Windows File Digest is Found 211
Configure an Access Rule to Verify a Directory is Found 213
Configure an Access Rule to Verify the Client Computer MAC Address 215
Configure an Access Rule to Combine Authentication Methods 216
About the Application Portal 218
About the Access Client 218
Manage Application Portal Items 218
Connect to the Application Portal 222
Customize your Web UI and Application Portal 222
About SSO Domains 240
Domain type attributes 240
Manage SSO Domains 241
Configure SSO for Outlook Web Access (Form Based Authentication) 245
Configure SSO with Outlook Web Access (Basic Authentication) 250
Configure SSO for Microsoft Outlook Web App 2010 253
Configure SSO for File Share Resources 256
Configure SSO for Remote Control Resources 260
Configure SSO for a Citrix MetaFrame Presentation Server Resource 264
About Manage System 275
About Authentication Methods 276
Supported Authentication Methods 277
About WatchGuard SSL Authentication Methods 278
About Other Authentication Methods 279
Add an Authentication Method 280
Manage an Authentication Method 282
Manage Global Authentication Service Settings 291
Manage RADIUS Configuration 297
Two-factor Authentication with Mobile ID 302
Configure Active Directory Authentication with LDAP over SSL 308
About Certificates 323
Certificate Lifetimes and CRLs 324
Certificate Authorities and Signing Requests 324
Manage Certificates 324
Add a Certificate Authority 324
Add a Server Certificate 327
Edit or Delete a Server Certificate 328
Manage Client Certificate Settings 329
Create a CSR with OpenSSL 330
About Abolishment 336
Configure General Settings 338
Configure Cache Cleaner Settings 339
Configure Advanced Settings 340
Post-connection Cleanup with Abolishment 342
About Assessment 344
Configure General Settings for Assessment 346
Configure Advanced Settings 348
Pre-connection End-point Integrity Check 351
About Notification Settings 354
Configure the Email Notification Channel 354
Configure the SMSNotification Channel 355
Manage SMSPlug-ins 369
Manage Client Definitions 370
Add Client Definitions 372
Edit or Delete Client Definitions 372
About Delegated Management 373
About Administrative Privileges 374
Manage Administrative Roles 375
About the Administration Service 378
Manage Administration Service Settings 378
Change the Super Administrator Password 379
Manage Global Settings 380
Restart the Administration Service 382
Manage Device Settings 383
General Settings for the Application Portal 384
Performance Settings 387
Cipher Suite Settings 389
Advanced Settings 391
Update the Device 394
Update the OS 395
Configure the System Time and Time Zone 395
Restore Factory Default Configuration Settings 397
Reinitialize the Local User Database 397
Reboot the Device 398
Network Configuration 398
Configure the Network Type 398
Manage Global Tunnel Resource Settings 402
Configure Administration Service External Communication Settings 403
Confirm Network Configuration Settings 404
Configure Network Routes 405
Restore a Saved Configuration 406
Restore the Current Configuration 407
Restore a Saved Configuration 407
Add a Description to a Saved Configuration 408
Delete a Saved Configuration 408
Lock or Unlock a Saved Configuration 409
Manage Saved Configuration Settings 409
Import or Export the Configuration 410
Configure Active Directory Authentication on your SSL Device 411
Before You Begin 412
Enable your AD Server for LDAP over SSL 413
Configure Active Directory Authentication on your SSL device 415
Send One-Time Passwords (OTPs) to Users 421
Configurethe SMS Channel to send email 421
Configure SMS Settings for each user account 422
Change the Directory Mapping Attribute for Notification SMS 423
Enable mobile text authentication for all users 424
Use the OTP to Authenticate 425
About the Access Client 427
Install the Access Client 428
Before You Begin 428
Run the Installer 428
Launch the Installed Access Client 428
After You Install 428
Connect to the Application Portal 429
Uninstall the Access Client 429
Set up the Access Client for a Standard User 430
Installation 430
Use the Access Client as a Standard User 432
Limitations 432
Launch the Access Client 432
Launch the On-demand Access Client 432
Launch the Installed Access Client 432
About the Access Client Menu 433
Edit Access Client Preferences 434
Manage Access Client Favorites 437
Check Access Client Status 439
Close a Tunnel 439
End Your SSL VPN Session 440
Use ESSP to Link Directly to a Resource 440
Register the ESSP Protocol Handler 441
Use ESSP to Connect to a Resource 441
Example 442
1 Introduction to WatchGuard SSL
Your WatchGuard SSL device is an affordable, easy-to-use, and secure remote access device that provides
reliable connectivity to your corporate data and resources. Its flexibility enables you to make your remote
connectivity deployment as simple or as sophisticated as your business requirements dictate.
If your business requires remote access to email and file shares, your WatchGuard SSL device delivers the
security, flexibility, and breadth of options you need for secure remote access to your network. The
WatchGuard SSL stand-alone deployment implementation is a hassle-free VPN solution that provides
universal access to applications and network resources with no connectors, no modules, no client
management issues, and no extras to buy. The WatchGuard SSL 100 accommodates up to 100 concurrent
users. The WatchGuard SSL 560 accommodates up to 500 concurrent users.
About the WatchGuard SSL solution
The WatchGuard SSL solution includes a WatchGuard SSL device, WatchGuard SSL Web UI, the WatchGuard
SSL Application Portal, and the WatchGuard SSL Access Client.
• A WatchGuard SSL device is an all-in-one appliance that includes all the hardware, software, and
WatchGuard servers for your solution.
• WatchGuard SSL Web UI is a Web-based administration application with a task-oriented approach.
You can use the Web UI to monitor your WatchGuard SSL system, add user accounts, manage access
to your resources, and manage your system settings.
• The WatchGuard SSL Application Portal is the web site where your users authenticate and get access
to your network resources.
• The Access Client is an SSL VPN client that enables on-demand access to tunnel resources in your
Application Portal.
About the WatchGuard SSL Access Client
The WatchGuard SSLAccess Client is an on-demand SSL VPN client. When a user selects a resource
available through the tunnel, the Access Client automatically downloads and installs on the client computer
through the web browser. The Access Client is available in two versions: the installed Access Client and the
on-demand Access Client. The Access Client is loaded with either ActiveX or a Java Applet, based on your
configuration choices. To use the ActiveX client loader to install the client, users must have local
administrator rights on their computers. For your users who do not have local administrator rights, you can
download the Access Client from the WatchGuard web site and provide it to the SSL VPN users on your
network.
About the Application Portal
The Application Portal provides access to Web Resources and Tunnel Resources. Web Resources are any
files accessible with a web browser, or applications with a web interface such as Outlook Web Access or
WatchGuard SSL Web UI. Users can connect to Web Resources without the Access Client.
Tunnel Resources are client-server applications or intranet sites. Examples of tunnel resources include
Remote Desktop or a Windows file share. Users must have the Access Client to connect to Tunnel
Resources.
2 Getting Started
Before you install your WatchGuard SSL device, make sure you verify the basic components and get a
feature key, as described in the subsequent sections.
Verify Basic Components
Make sure that you have these items:
• A computer with a 10/100BaseT Ethernet network interface card and a web browser installed
• WatchGuard SSL device
• Ethernet cable
• Power cable
Get a WatchGuard Device Feature Key
To enable all of the features on your WatchGuard SSL device, you must activate the device on the
WatchGuard LiveSecurity web site and retrieve your feature key file. You can upload your feature key in the
Quick Setup Wizard if you register your device before you start the wizard. Or, you can complete the wizard
without a feature key. The SSL device only allows one authenticated user until you upload a feature key to
the device.
For more information, see Get a Feature Key.
Install the WatchGuard SSL Device Behind a Firewall
To protect your WatchGuard SSL device, we recommend that you install the device on your network
behind the network firewall. You must then add an HTTPS policy to the firewall configuration to allow
inbound traffic to the device. The procedure you use to add the policy depends on whether your
WatchGuard SSL device has a public or private network IP address.
If your WatchGuard SSL device has a private IP address
Configure the firewall with an HTTPS policy that uses static NAT. This policy must allow all traffic on
port 443 from any external IP address to the private IP address of the WatchGuard SSL device.
If your WatchGuard SSL device has a public IP address
Configure the firewall with an HTTPS policy that allows traffic on port 443 from any external IP
address to the public IP address of the WatchGuard SSL device.
For detailed examples about how to configure these policies on a WatchGuard firewall, see the Policies
topics in the latest Fireware XTM documentation.
Use the Quick Setup Wizard to Set Up a Basic Configuration
The Quick Setup Wizard helps you set up a basic network configuration for your WatchGuard SSL device.
Use the Quick Setup Wizard to set up the device for the first time, or after you reset the device to factory
default settings.
Before you start the Quick Setup Wizard, make sure you:
• Register your WatchGuard SSL device with LiveSecurity Service
• Save a copy of your feature key file from the LiveSecurity web site to your computer, and extract
the feature key from the compressed file
For more information, see Getting Started.
Run the Quick Setup Wizard
1. Make sure your computer is configured to use a static IP address on the 192.168.111.0/24 network.
Note The default IP address on the WatchGuard SSL is 192.168.111.1. Do not use
192.168.111.1 on your own computer.
2. Connect the Ethernet interface on your computer to Eth1 on the WatchGuard SSL device.
3. Plug the power cord into the WatchGuard device power input and into a power source.
4. Power on the WatchGuard SSL.
5. Open a web browser and type: https://192.168.111.1:8443
The Quick Setup Wizard begins.
Note Because the WatchGuard SSL device uses a self-signed certificate, you may see a
certificate warning in your browser. It is safe to ignore the warning (Internet
Explorer) or add a certificate exception (Mozilla Firefox).
6. Upload your feature key file, if you have it.
If you do not upload a feature key file, only one authenticated user can get access to the device. If you do not
have a feature key, you can continue with the wizard, and then upload a feature key from the Web UI after you
finish the wizard.
7. Set the time zone and system time settings.
Though the NTPserver configuration is optional, we recommend that you specify an NTP Server. Accurate time
stamps are important not only for log file messages, but also for the SSL handshake.
8. Create the Super Administrator credentials. This is a local account on the SSL device. These
credentials do not have to correspond to an existing user in a directory service.
The Super Administrator password must be at least six characters long and must include characters
from at least three of these four categories:
• English uppercase characters (from A through Z)
• English lowercase characters (from a through z)
• Base-10 digits (from 0 through 9)
• Non-alphanumeric characters (for example: !, $, #, or %)
9. Select the network configuration mode. The choices are:
Single Interface mode (default)
Select this mode if you want to connect the WatchGuard SSL device to one network DMZ. In
single interface mode, only the Eth0 interface is active.
Dual Interface mode
Select this mode if you want to connect the WatchGuard SSL device to two separate networks
(for example, two different DMZ networks). In dual interface mode, both the Eth0 and Eth1
interfaces are active.
For more information about network interface modes, see Network Configuration.
10. Type the network address information for each interface you enabled.
The final page of the Quick Setup Wizard shows a summary of the configuration settings, and the interface
and IPaddress you must use to connect after the device reboots. After you complete the wizard, the device
restarts with the settings you configured.
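A pre-flight check for steps 1 and 8 of this procedure, written in Python as an added example (it is not WatchGuard's code and not part of this guide): it verifies that the static address chosen for the administration computer is on the 192.168.111.0/24 network and is not the device's own 192.168.111.1, and that a proposed Super Administrator password is at least six characters long and uses at least three of the four character categories listed above. The device address and prefix are parameters, so the same address check applies to recovery mode later in this guide, where the device's Eth1 address is 10.0.1.1 on the 10.0.1.0 network. The category names and the sample addresses and passwords in the block are constructed for illustration only.

```python
"""Pre-flight checks for the WatchGuard SSL Quick Setup Wizard (added example, not WatchGuard code)."""
import ipaddress
import re

# Factory-default management address of the WatchGuard SSL device and its network (from the guide).
WIZARD_DEVICE_IP = "192.168.111.1"
WIZARD_PREFIX = 24
# Eth1 address the device uses in recovery mode (from the guide); same check, different network.
RECOVERY_DEVICE_IP = "10.0.1.1"

MIN_PASSWORD_LENGTH = 6
# The four character categories the guide lists; at least three of the four are required.
# The category names are labels chosen for this example.
PASSWORD_CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "non-alphanumeric": re.compile(r"[^A-Za-z0-9]"),
}


def check_host_address(candidate, device_ip=WIZARD_DEVICE_IP, prefix=WIZARD_PREFIX):
    """Return a list of problems with the static address chosen for the admin computer.

    The address must be on the device's network, must not collide with the device's
    own address, and must not be the network or broadcast address. Empty list means OK.
    """
    try:
        host = ipaddress.ip_address(candidate)
    except ValueError:
        return [f"{candidate!r} is not a valid IP address"]
    device = ipaddress.ip_address(device_ip)
    network = ipaddress.ip_network(f"{device_ip}/{prefix}", strict=False)
    problems = []
    if host not in network:
        problems.append(f"{host} is not on {network}")
        return problems
    if host == device:
        problems.append(f"{host} is the device's own address; pick another host on {network}")
    if host in (network.network_address, network.broadcast_address):
        problems.append(f"{host} is the network or broadcast address")
    return problems


def check_super_admin_password(password):
    """Return a list of policy violations for a proposed Super Administrator password.

    Policy from the guide: at least six characters, and characters from at least
    three of the four categories. Empty list means the password is acceptable.
    """
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    present = [name for name, pattern in PASSWORD_CATEGORIES.items() if pattern.search(password)]
    if len(present) < 3:
        missing = sorted(set(PASSWORD_CATEGORIES) - set(present))
        problems.append(f"only {len(present)} of 4 character categories used (missing: {', '.join(missing)})")
    return problems


def preflight(host_ip, password, device_ip=WIZARD_DEVICE_IP, prefix=WIZARD_PREFIX):
    """Run both checks and return (ok, report_lines); every violation is reported, not just the first."""
    report = []
    for problem in check_host_address(host_ip, device_ip, prefix):
        report.append(f"host address: {problem}")
    for problem in check_super_admin_password(password):
        report.append(f"password: {problem}")
    return (not report, report)


if __name__ == "__main__":
    # Constructed sample inputs; the passwords are illustrative, not recommendations.
    for host, pw in [("192.168.111.50", "Tr0ub4dor!"),
                     ("192.168.111.1", "watchguard"),
                     ("192.168.112.5", "Abc123")]:
        ok, report = preflight(host, pw)
        print(f"{host} / {pw!r}: {'OK' if ok else 'FAIL'}")
        for line in report:
            print("  -", line)
    # Recovery mode uses a different network: the device is 10.0.1.1 on 10.0.1.0/24.
    print("recovery-mode host 10.0.1.2:", check_host_address("10.0.1.2", RECOVERY_DEVICE_IP, 24) or "OK")
```

Run the script directly to see the report for the constructed samples, or import it and call `preflight` with your own values before you start the wizard. Each check returns every violation it finds rather than stopping at the first, so a rejected address or password can be corrected in one pass.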
Connect the WatchGuard SSL Device to Your Network
After you complete the Quick Setup Wizard, connect the WatchGuard SSL device to your network.
1. Connect the WatchGuard SSL device to your network.
• If you selected single interface mode, connect the device to your network with Eth0.
• If you selected dual interface mode, connect the device to your network with both Eth0 and Eth1.
2. Reset the IP address on your computer to the original IP address.
3. Connect your computer to the network.
You can now use WatchGuard SSL Web UI to continue configuration, management, and monitoring tasks.
For more information, see Connect to WatchGuard SSL Web UI and Complete Initial Tasks.
Connect to WatchGuard SSL Web UI and Complete Initial Tasks
After you complete the basic configuration, you can use WatchGuard SSL Web UI to continue the
configuration, management, and monitoring tasks. Before you get started, make sure that you have:
• Connected the WatchGuard SSL device to your network
• Connected your computer to the network
• Reset the IP address of your computer
Connect to WatchGuard SSL Web UI
The interface that you use to connect to WatchGuard SSL Web UI is different depending on the deployment
method you used for your device. WatchGuard SSL Web UI uses port 8443 by default.
If you configured your device in Single Interface Mode, you must connect to the Eth0 interface for
management.
1. Connect your computer to the Eth0 network.
2. In a web browser, type https://<Eth0 IP address>:8443.
3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.
WatchGuard SSL Web UIappears.
If you configured your device in Dual Interface Mode, you must connect to the Eth1 interface for
management.
1. Connect your computer to the Eth1 network.
2. In a web browser, type https://<Eth1 IP address>:8443.
3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.
WatchGuard SSL Web UIappears.
Upload the Feature Key File
If you did not upload your feature key file when you ran the Quick Setup Wizard, we recommend that you
upload it now.
1. Get your feature key file from LiveSecurity.
For instructions, see Get a Feature Key.
2. In WatchGuard SSLWeb UI, select Monitor System > Feature Key.
The Feature Key page appears.
3. Upload the feature key file to the device.
For more information, see Upload a New Feature Key.
Download and Install the Latest Software
A newer version of operating system software for your WatchGuard SSL device could be available. To
update your software:
1. Go to www.watchguard.com/archive/softwarecenter.asp.
2. Find and download the latest version of WatchGuard SSL OS.
3. From the Web UI, select Manage System > Device Update.
The Update the OSpage appears.
4. Update the OS version on the device.
For more information, see Update the OS.
Get a Feature Key
A feature key is a file that enables licensed features on your WatchGuard SSL device. You must get a feature
key when you first install the device, and when you renew the LiveSecurity service.
Activate your Device and Get a Feature Key
To activate your device and get the device feature key:
1. Open a web browser and go to http://www.watchguard.com.
Note If you are new to WatchGuard, follow the instructions on the web site to create a
WatchGuard account profile.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click Activate a Product.
The Activate Products page appears.
4. Type the serial number of the device. Make sure to include any hyphens.
5. Click Continue.
6. Follow the instructions to register your device.
7. Save the feature key as a text file on your computer.
After you download the feature key, you can use the Quick Setup Wizard or the Web UI to browse to the
location of the feature key on your computer and upload it to the WatchGuard SSL device.
Retrieve a Current Feature Key
You can retrieve a current feature key from the WatchGuard web site:
1. Open a web browser and go to http://www.watchguard.com.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click My Products.
4. In the list of products, select your device.
5. Use the on-screen instructions to obtain the feature key.
6. Save the feature key to a text file on your computer.
For more information, see:
• Use the Quick Setup Wizard to Set Up a Basic Configuration
• Upload a New Feature Key
Restore Factory Default Settings
There are two ways to reset your WatchGuard SSL device to the factory default settings:
Use the WatchGuard SSL Web UI
If you can log in to the WatchGuard SSL Web UI, you can restore the device to factory default
settings from the Web UI. This is the easiest method to restore the factory default settings.
For more information, see Restore Factory Default Configuration Settings.
Use recovery mode
If you cannot log in to WatchGuard SSL Web UI, you can start the device in recovery mode. When the
device is in recovery mode, you can reinstall the software image and restart the device with factory
default settings.
Before You Begin
Before you start the recovery process, you must download and save a copy of the WatchGuard SSL OS on
your computer. The file has an extension of .sysa-dl. You can download the file from the Software
Downloads section of the WatchGuard web site at
http://www.watchguard.com/archive/softwarecenter.asp.
Start the WatchGuard SSLDevice in Recovery Mode
1. Power off the WatchGuard SSLdevice.
2. Press and hold the up arrow button on the front panel while you power on the device.
3. Continue to hold the up arrow button until Executing SysB appears on the LCD display.
When Recovery Mode Ready appears on the LCD display, the device is in recovery mode. In
recovery mode, the Eth1 address of the device is set to 10.0.1.1.
Upload a New Software Image
You must use a command line FTP program to upload the WatchGuard SSL OS software image. Many
common FTP commands are disabled on the WatchGuard SSL device for security reasons. For example, you
cannot change directories (cd) or show the remote working directory (pwd). Other FTP programs rely on
these commands to show you a list of files in the remote directory, and do not operate correctly when
these commands are disabled.
To upload a new software image to your WatchGuard SSL device:
1. Connect an Ethernet network cable between your computer and the Eth1 interface on the
WatchGuard SSL device.
2. Change the IPaddress of your computer to 10.0.1.2 (or to another IP address on the 10.0.1.0
network).
3. Open the command line interface of your computer. For example, select All Programs >
Accessories > Command Prompt from the Windows Start Menu if you use Windows XP.
4. Change your working directory to the location where you saved the .sysa_dl file.
5. At the command prompt, type ftp 10.0.1.1 to connect to your WatchGuard SSL.
6. When requested, type admin for both the user and the password.
7. Type bin to change the transfer type to binary mode.