Watchguard XCSv Installation guide

Category
Servers
Type
Installation guide
WatchGuard
XCSv
Setup Guide
All XCSv Editions
ii WatchGuard XCSv
ADDRESS
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
SUPPORT
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
SALES
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
ABOUT WATCHGUARD
WatchGuard offers affordable, all-in-one network and content security solutions that
provide defense-in-depth and help meet regulatory compliance requirements. The
WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL
filtering to protect your network from spam, viruses, malware, and intrusions. The new
XCS line offers email and web content security combined with data loss prevention.
WatchGuard extensible solutions scale to offer right-sized security ranging from small
businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable,
and robust security appliances featuring fast implementation and comprehensive
management and reporting tools. Enterprises throughout the world rely on our
signature red boxes to maximize security without sacrificing efficiency and
productivity.
For more information, please call 206.613.6600 or visit www.watchguard.com
.
Copyright and Patent Information
Copyright© 2010–2015 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, the WatchGuard logo, LiveSecurity, and any other mark listed as a trademark in the “Terms of Use” portion of
the WatchGuard Web site that is used herein are either registered trademarks or trademarks of WatchGuard Technologies,
Inc. and/or its subsidiaries in the United States and/or other countries. All other trademarks are the property of their
respective owners.
Printed in the United States of America.
Revised: October 14, 2015
Notice to Users
Information in this guide is subject to change without notice. Updates to this guide are posted at:
http://www.watchguard.com/wgrd-help/documentation/overview
Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be
reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written permission of WatchGuard Technologies, Inc.
Complete copyright, trademark, patent, and licensing information can be
found in the WatchGuard product documentation. You can find this
document online at:
http://www.watchguard.com/help/documentation/
Setup Guide 1
WatchGuard XCSv Setup
The WatchGuard® XCS is an easy-to-use, all-inclusive email and web appliance that provides security and
privacy of inbound and outbound traffic. The WatchGuard XCS provides content security that enables data
loss prevention, encryption, and content filtering with integrated threat prevention for viruses, spam,
spyware, phishing, and malware attacks, all in a secured appliance.
WatchGuard XCSv is a new email and web security solution that provides all the security features of our
WatchGuard XCS technology optimized for a VMware or Microsoft Hyper-V virtual machine environment.
You can use the WatchGuard XCS Web UI to manage an XCSv device just as you manage any other
WatchGuard XCS device.
This guide introduces the WatchGuard XCSv and provides detailed information on how to configure your
virtual environment and install the XCSv software.
WatchGuard XCSv Documentation
You can use the online help manual for the majority of your documentation needs. To access the online help,
from the Web UI, select Support > Online Manual.
You can view and download the most current documentation for the WatchGuard XCS on the WatchGuard
Product Documentation page:
http://www.watchguard.com/wgrd-help/documentation/overview
2 WatchGuard XCSv
WatchGuard XCSv Setup
WatchGuard XCSv Licensing
XCSv devices are licensed in several editions that provide different levels of scalability and performance:
Small Office Edition
Medium Office Edition
Large Office Edition
Large Office XC Edition
When you activate your XCSv device, you receive a feature key that enables the WatchGuard XCS capabilities
for the XCSv edition you have licensed. You can upgrade from one XCSv edition to another.
Note
To activate your device in the Setup Wizard, you must have the device serial number (V2C9xxxxx-
xxxx). You cannot use the serial number V2C900000-DC79, which is the default serial number for an
new unactivated device.
For a full description of the features and capabilities of each XCSv edition, see the Products section of the
WatchGuard web site at www.watchguard.com.
Get a Feature Key from WatchGuard
A feature key is a license that enables you to activate your purchased feature set on your WatchGuard XCSv.
You must register the device serial number on the WatchGuard web site and retrieve your feature key before
adding it to the WatchGuard XCSv.
To retrieve a feature key from the LiveSecurity web site:
1. Open a web browser and go to: https://www.watchguard.com/activate.
2. If you have not already logged in, the Log In page appears.
You can create an account if this is your first time logging in.
3. Enter your user name and password.
4. The Activate Products page appears.
5. Enter the serial number for the product, including the hyphens. For example, V2C9xxxxx-xxxx.
6. Click Continue.
7. Follow the prompts to activate your device.
8. Copy the feature key to a text file and save it on your computer.
9. Click Finish.
Setup Guide 3
WatchGuard XCSv Setup
Installation Prerequisites
These sections describe the installation prerequisites for XCSv on VMware and Microsoft Hyper-V.
VMware
You must install the XCSv virtual device in a VMware environment that meets these requirements.
VMware
To install an XCSv virtual device, you must have a VMware vSphere Hypervisor/ESXi v4.1 Update 2 (or
later version) host installed on any supported server hardware.
Note
Make sure your VMware vSphere/ESXi software is updated to the latest patch level.
You must also install the VMware vSphere Client on a supported Windows computer to manage the
virtual machines on your VMware host.
VMware Tools is installed by default with the XCSv virtual device. VMware Tools is a suite of utilities that
enhances and improves the performance and management of the virtual machine, and includes the
ability to cleanly power off or reset the guest operating system software from the host system.
Hardware
The hardware requirements for XCSv are the same as the hardware requirements for VMware vSphere
Hypervisor/ESXi. For information about VMware hardware compatibility, see the VMware
Compatibility Guide at: http://www.vmware.com/resources/compatibility/search.php
WatchGuard XCSv requires that your host hardware supports Intel Virtualization Technology (Intel VT)
or AMD Virtualization (AMD-V) and has these options enabled in the host system BIOS.
For more information about Intel VT compatibility, see the Intel Virtualization Technology List at:
http://ark.intel.com/VTList.aspx
AMD-V is supported in all K8 AMD (Athlon 64) processors from revision F, and all newer processors
support AMD-V technology.
Features Not Supported
These features are not supported for use with WatchGuard XCSv on VMware:
Network storage disks for the virtual host are not supported.
XCSv does not support vMotion for virtual device migration between VMware hosts.
XCSv console options:
Serial console — This feature is redundant with the physical host system serial console.
UPS configuration — UPS communications must be configured on the physical host system.
4 WatchGuard XCSv
WatchGuard XCSv Setup
Microsoft Hyper-V
You must install the XCSv virtual device in a Hyper-V environment that meets these requirements.
Hyper-V
Hyper-V role on Windows Server 2008 R2 or Windows Server 2012, or stand-alone version of Hyper-V
Server 2008 R2 or Hyper-V Server 2012.
Make sure your Windows Server or Hyper-V Server software is updated to the latest patch level.
You can use the Hyper-V Manager on Windows Server 2012 to deploy, configure , and provision the
XCSv virtual machine in the Hyper-V environment. You can also use System Center Virtual Machine
Manager (VMM) interface, or a Hyper-V role on a client computer instead of Hyper-V Manager.
Hardware
The hardware requirements for XCSv are the same as the hardware requirements for Hyper-V on
Windows Server 2008 R2 or Windows Server 2012.
Network
You can configure a maximum of 8 interfaces.
Features Not Supported
These features are not supported for use with WatchGuard XCSv on Hyper-V:
XCSv does not support the dynamic memory setting on Hyper-V.
The Data Exchange and Volume Backup features are not supported.
Time synchronization is not supported. We recommend you use an NTP server in the XCSv network
configuration.
XCSv console options:
Serial console — This feature is redundant with the physical host system serial console.
UPS configuration — UPS communications must be configured on the physical host system.
Setup Guide 5
WatchGuard XCSv Setup
Recommended Resource Allocation
WatchGuard XCSv performance is heavily dependent on CPU, memory, and disk resources. Resources are
shared between all virtual machines on a virtual host, and you must make sure that enough resources are
available to the XCSv virtual machine. To enable all functionality and provide optimal performance for your
XCSv edition, you must allocate these resources to the XCSv virtual machine:
For information about how to add resources for a VMware virtual machine, see “VMware Virtual Machine
Resource Allocation” on page 12.
For information on monitoring VMware resource usage, see “Resource Monitoring on VMware” on page 43.
For information about how to add resources for a Hyper-V virtual machine, see “Hyper-V Virtual Machine
Resource Allocation” on page 20.
For information on monitoring Hyper-V resource usage, see “Resource Monitoring on Hyper-V” on page 45.
Small Office
Edition
Medium Office
Edition
Large Office
Edition
Large Office XC
Edition
Virtual CPUs 1 2 4 8
Memory 2 GB 2 GB 4 GB 8 GB
Network
Adapters
2 3 4 4
OS Disk space
(Fixed)
24 GB 24 GB 24 GB 24 GB
Data Disk
Space
40 GB 80 GB 160 GB 256 GB
6 WatchGuard XCSv
WatchGuard XCSv Setup
Deployment
The WatchGuard XCSv is designed to be situated between internal email servers and clients, and external
servers on the Internet so that there are no direct connections between external and internal systems.
The WatchGuard XCSv is typically installed in one of these locations:
On the DMZ (Demilitarized Zone) of a network firewall
Behind the existing firewall on the internal network
In parallel with a network firewall
Messaging traffic is redirected from either the external interface of the network firewall or from the external
router to the WatchGuard XCSv. When the WatchGuard XCSv accepts and processes a message, the device
initiates a connection to the internal mail servers to deliver the messages.
WatchGuard XCSv deployed on the DMZ of the network firewall
The secure architecture of the hardware appliance-based WatchGuard XCS eliminates the risk associated with
deploying a physical appliance on the perimeter of a network. Because the WatchGuard XCSv is installed as a
virtual machine on a host where the host operating system can be vulnerable to security issues, we
recommend you install the virtual host and XCSv virtual machine on the DMZ of your network firewall or
behind your network firewall for greater security.
See the WatchGuard XCS User Guide for detailed information on the advantages and disadvantages of each
type of deployment.
Cluster Support
Clustering provides a scalable, redundant messaging security infrastructure that enables two or more XCSv
devices to act as a single logical unit for processing messages for redundancy and high availability benefits.
You can use multiple instances of XCSv in a cluster.
To provide proper hardware redundancy, we recommend you run clustered XCSv devices on separate virtual
host systems. If you run multiple XCSv devices on the same virtual host hardware, you can provide software
redundancy in the event a specific XCSv device is unavailable, but this does not provide redundancy if the
virtual host hardware or software fails.
For more information on configuring XCSv clustering with a virtual host, see “Cluster Configuration” on
page 36.
Setup Guide 7
WatchGuard XCSv Setup
VMware Installation
Before You Begin
To prepare for your installation, make sure you have these items:
VMware vSphere Hypervisor/ESXi 4.1 Update 2 (or later version) host installed on a supported server
platform.
VMware vSphere 4.1 (or later version) client installed on a Windows computer
WatchGuard XCSv device serial number
You receive the serial number when you purchase the XCSv virtual device.
Your WatchGuard XCSv feature key
You receive the feature key when you activate your device on the LiveSecurity web site.
WatchGuard XCSv OVF template
The file name is xcsv-<version>.ova, where <version> is the XCS version.
Download the XCSv OVF template file from http://software.watchguard.com.
Installation Overview
To complete initial installation you must perform these procedures described in the subsequent sections:
1. In the VMware vSphere client, deploy the XCSv OVF template file to the VMware host.
2. Perform any resource allocation (CPU, memory, disk, network) modifications on the VMware host
based on your XCSv edition.
3. Power on the XCSv virtual device.
4. Connect to the XCSv device to run the Setup Wizard.
Network Considerations
When you deploy the XCSv OVF template to the VMware virtual device, it is initially configured for the Medium
Office Edition with three active interfaces. You must map each of these interfaces to a physical destination
network on your VMware host. After you configure the XCSv device, you can enable and configure additional
XCSv device interfaces or remove interfaces if you need fewer interfaces. The maximum number of interfaces
you can enable in VMware is 10. For information about how to add resources to the device, see “VMware
Virtual Machine Resource Allocation” on page 12.
Time Synchronization Considerations
The WatchGuard XCSv OVF template automatically installs the VMware Tools utility software. VMware Tools is
a suite of utilities for managing your virtual device, and includes a time synchronization service that
synchronizes with the host system time. This service is disabled by default.
We recommend that you use the WatchGuard XCSv NTP settings to configure an NTP server, and keep the
VMware Tools time synchronization service disabled. These services must not be enabled and running at the
same time.
Note
The WatchGuard XCSv NTP settings must be configured if you are setting up an XCSv cluster.
8 WatchGuard XCSv
WatchGuard XCSv Setup
Installation
Perform the following steps to install WatchGuard XCSv on a VMware host
Install the VMware vSphere Client
To install the vSphere client:
1. Launch a web browser on your computer and type the IP address or host name of the VMware host
server as the URL in the location bar.
2. To download and install the vSphere Client, click Download vSphere Client.
Connect to the VMware Host
To connect to the VMware host:
1. Launch the VMware vSphere Client.
2. Type the IP address, User name, and Password for the VMware host, then click Login.
Setup Guide 9
WatchGuard XCSv Setup
Deploy the XCSv OVF File
To create the XCSv virtual device, you must deploy the XCSv OVF template in the vSphere client.
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. In the vSphere client, select File > Deploy OVF Template.
3. Browse to the location where you saved the WatchGuard XCSv OVF template file, xcsv-<version>.ova.
Click Next.
The XCSv OVF Template Details page appears.
4. Click Next.
The End User License Agreement appears.
5. Review the End-User License Agreement. Click Accept. Click Next.
The Name and Location page appears.
6. In the Name text box, type a name for this virtual device.
10 WatchGuard XCSv
WatchGuard XCSv Setup
7. Select a resource pool within which to deploy this template. Click Next.
The Disk Format page appears.
8. Select the format to store the virtual disks. We recommend that you select Thick provisioned format
to allocate all storage immediately.
9. Click Next.
The Network Mapping page appears.
Setup Guide 11
WatchGuard XCSv Setup
10. In the Destination Networks column, select the networks to map to each network interface.
11. Click Next.
The Ready to Complete page appears.
12. Review the settings. Click Back to change any settings, if necessary.
13. Click Finish to deploy the template.
The virtual appliance is deployed. This can take a few minutes.
The deployed virtual device appears in the vSphere Inventory in the selected resource pool.
12 WatchGuard XCSv
WatchGuard XCSv Setup
VMware Virtual Machine Resource Allocation
The default WatchGuard XCSv OVF template installation is configured for a “Medium Office Edition” resource
environment with two virtual CPUs, 2 GB memory, three network adapters, and 80 GB data disk space.
If your feature key is for a different edition, such as Small or Large edition, you must modify your VMware host
resources for virtual processors, memory, and disk space to properly support your licensed software edition.
For information on recommended resource settings for each XCSv edition, see “Recommended Resource
Allocation” on page 5.
Configure Virtual CPUs
By default, the XCSv virtual machine is allocated two virtual CPUs. For optimal performance, configure the
virtual machine to use the recommended number of CPUs for your XCSv edition.
To configure CPU resources:
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware list, select CPUs.
6. From the Number of virtual sockets drop-down list, select the number of virtual processors
recommended for your XCSv edition.
7. Click OK.
Configure Memory Resources
By default the XCSv virtual machine is allocated 2 GB of memory. For optimal performance, configure the
virtual machine to use the recommended amount of memory for your XCSv edition.
To configure memory resources:
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware list, select Memory.
6. In the Memory Size text box, type or select the memory size recommended for your XCSv edition.
7. Click OK.
Configure Hard Disk Resources
By default the XCSv virtual device is allocated two hard drives, a primary fixed OS system disk (Hard Disk 1, 24
GB), and a data disk for messages, logs, reports, and any other data (Hard Disk 2, 80 GB for default XCSv
Medium Edition).
For optimal disk space allocation, configure the virtual machine to use the recommended amount of disk
space for your specific XCSv edition and allow for any requirements for additional data disk space for logs and
reports.
Caution
Do not modify the Hard Disk 1. This disk is a fixed size and contains the OS for the XCSv.
Setup Guide 13
WatchGuard XCSv Setup
To increase the size of the Hard Disk 2 data disk for other XCSv editions (160 GB Large and 256 GB Large XC):
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware list, select Hard disk 2.
6. In the Disk Provisioning section, modify the Provisioned Size setting to the required value (160 GB
Large or 256 GB Large XC).
7. Click OK.
To decrease the size of the Hard Disk 2 data disk for the XCSv Small Edition, you must remove Hard Disk 2 and
add a new hard disk with a recommended size of 40 GB.
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware list, select Hard disk 2.
6. Click Remove.
7. Select Remove from virtual machine and delete files from disk.
8. Click OK.
9. Right click the virtual machine, select Edit Settings.
10. Click Add.
11. Select Hard Disk and click Next.
12. Select Create a new virtual disk and click Next.
13. Set the Disk Size to 40 GB.
14. In the Disk Provisioning section, select Thick Provisioned Lazy Zeroed.
15. Select Store with the virtual machine and click Next.
16. In the Advanced Options, leave the default settings and click Next.
17. Click Finish.
18. Click OK.
Add Network Adapters
When you deployed the XCSv OVF template, you selected networks to map to the XCSv device interfaces that
are active by default. To enable other interfaces, you must add network adapters to the XCSv device.
To add a network adapter:
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware tab, click Add.
6. Select Ethernet Adapter as the type of device you want to add. Click Next.
7. From the Type drop-down list, select the type of virtual network adapter to use. The recommended
type, E1000, is selected by default.
8. From the Network label drop-down list, select the name of the virtual network to add.
9. Click Next.
14 WatchGuard XCSv
WatchGuard XCSv Setup
10. Review the selected options. Click Finish.
Repeat these steps for each network adapter you want to add.
When you power on the XCSv device the additional network adapter is connected.
Start your XCSv Virtual Device
1. In the vSphere Client Inventory tree, select the virtual device.
2. Click the Summary tab.
3. In the Commands section, select Power on.
The WatchGuard XCSv virtual device is powered on with factory default settings.
4. Click the Console tab to view the installation process.
Note
The WatchGuard XCSv performs an automatic installation. Do not interrupt the installation process.
Setup Guide 15
WatchGuard XCSv Setup
Microsoft Hyper-V Installation
Before You Begin
To prepare for your installation, make sure you have these items:
Hyper-V role on Windows Server 2008 R2 or Windows Server 2012, or stand-alone version of Hyper-V
Server 2008 R2 or Hyper-V Server 2012.
WatchGuard XCSv device serial number
You receive the serial number when you purchase the XCSv virtual device.
Your WatchGuard XCSv feature key
You receive the feature key when you activate your device on the LiveSecurity web site.
WatchGuard XCSv Hyper-V package
The file name is XCSv-<version>-HyperV.zip where <version> is the XCS version. The file contains a EULA, a
README file, and two virtual hard disk (.vhd) files, xcs-1.vhd (system) and xcs-2.vhd (data).
Download the XCSv Hyper-V package from http://software.watchguard.com.
Installation Overview
To complete initial installation you must perform these procedures described in the subsequent sections:
1. In Hyper-V, create your virtual machine for the XCSv software.
2. Perform any resource allocation (Processors, memory, disk, network) modifications on the Hyper-V
host based on your XCSv edition.
3. Power on the XCSv virtual machine.
4. Connect to the XCSv virtual machine to run the Setup Wizard.
Network Considerations
When you deploy the XCSv software to the Hyper-V virtual device, it is initially configured with a single
network interface. You must add a network adapter for each XCSv network interface you require.
You must map each of these interfaces to a physical destination network on your Hyper-V virtual host.
After you configure the XCSv device, you can enable and configure additional XCSv device interfaces or
remove interfaces if you need fewer interfaces. The maximum number of interfaces you can enable in Hyper-
V is 8.
Time Synchronization Considerations
The use of the Hyper-V Time synchronization feature is not supported. We recommend you use an NTP server
in the XCSv network configuration. WatchGuard XCSv NTP settings must be configured if you are setting up
an XCSv cluster.
16 WatchGuard XCSv
WatchGuard XCSv Setup
Installation
Perform the following steps to install WatchGuard XCSv on a Hyper-V host.
Create the XCSv Virtual Machine
To create the XCSv virtual machine on the Hyper-V host:
1. Extract the contents of the Hyper-V zip file to a suitable location on your Hyper-V host where your
virtual hard disks are stored.
2. In Hyper-V Manager, select Action > New > Virtual Machine.
3. Type a Name for your virtual machine and specify a Location.
You can use the default location, or select a new location for the virtual machine on your Hyper-V host.
Setup Guide 17
WatchGuard XCSv Setup
4. Specify the amount of Startup memory to assign to the virtual machine.
This value must be a minimum of 2GB (2000 MB) and depends on which XCSv edition you want to
install and your available resources. (Small - 2GB, Medium - 2GB, Large - 4GB, Large XC - 8GB).
Caution
Do not enable the Use Dynamic Memory for this virtual machine option. This option is not
supported for XCSv.
18 WatchGuard XCSv
WatchGuard XCSv Setup
5. From the Connection drop-down list, select “Not Connected”.
Later in the installation you will configure virtual network adapters and map them to the network
interfaces on your Hyper-V host.
6. Select the Use an existing virtual hard disk option.
Click Browse, then select the location of the xcs-1.vhd file.
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48

Watchguard XCSv Installation guide

Category
Servers
Type
Installation guide

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI