WatchGuard SSL Web UI 3.2 User Guide


WatchGuard SSL 100
WatchGuard SSL 560

About this User Guide

The WatchGuard SSL Web UI User Guide is updated with each major product release. For minor product releases, only the WatchGuard SSL Web UI Help system is updated. The Help system also includes specific, task-based implementation examples that are not available in the User Guide. For the most recent product documentation, see the WatchGuard SSL Web UI Help on the WatchGuard web site.

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revised: 8/8/2013

Copyright, Trademark, and Patent Information

Copyright WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners. Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online from WatchGuard.

Note: This product is for indoor use only.

About WatchGuard

WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity. For more information, go to the WatchGuard web site.

Address: 505 Fifth Avenue South, Suite 500, Seattle, WA
Support: U.S. and Canada; All Other Countries
Sales: U.S. and Canada; All Other Countries

Table of Contents

Introduction to WatchGuard SSL 1
About the WatchGuard SSL solution 1
About the WatchGuard SSL Access Client 2
About the Application Portal 2
Getting Started 3
Verify Basic Components 3
Get a WatchGuard Device Feature Key 3
Install the WatchGuard SSL Device Behind a Firewall 3
Use the Quick Setup Wizard to Set Up a Basic Configuration 4
Run the Quick Setup Wizard 4
Connect the WatchGuard SSL Device to Your Network 5
Connect to WatchGuard SSL Web UI and Complete Initial Tasks 6
Connect to WatchGuard SSL Web UI 6
Upload the Feature Key File 6
Download and Install the Latest Software 6
Get a Feature Key 7
Find your Serial Number 7
Activate your Device and Get a Feature Key 7
Retrieve a Current Feature Key 7
About WatchGuard SSL Web UI 8
WatchGuard SSL Web UI Wizards 8
Publish Your Configuration 8
System Messages 9
Use the File Browser 9
Get Started with Common Tasks 9
Create User Accounts and Configure Authentication 10
Configure Resource Access 10
Customize the Device Hostname 10
Add a Certificate to the SSL Device 11
About the Access Client 11
Restore Factory Default Settings 11
Before You Begin 11
Start the WatchGuard SSL Device in Recovery Mode 12
Upload a New Software Image 12
Next Steps 12
About WatchGuard LiveSecurity Service 13
LiveSecurity Service 13
LiveSecurity Service Gold 14
Service expiration 14
Support Information 14
Online Resources 14
Telephone Numbers 15
Before You Call 15
Relevant Information 15
About Monitor System 17
About the System Status Page 18
View Status Information 19
Manage Settings 19
View Administrator Activities 20
System Overview 20
Network Status 23
Authentication 24
Events 25
Device Status 26
Network Tools 28
Manage Settings 29
View Administrator Activities 31
About User Sessions 31
Search for User Sessions 32
View a User Session 33
End a User Session 34
Manage Search and Display Settings 34
About Alerts 35
Manage Alerts 35
Add an Alert 36
Edit and Delete Alerts 41
Manage Global Alert Settings 42
Manage Logging 46
Edit Logging Settings 46
Set the Log Level Filter 48
Configure Log File Rotation 48
Debug Logs 49
Log File Information 49
Syslog 49
Manage Global Logging Settings 49
Use Log Viewer 51
About Log Viewer Search Criteria 52
About Reports 54
Available Reports 54
Generate a Report 55
Save a Report 56
Abolishment Report 57
Assessment Report 57
Session Trend Report 58
Session Trend Real-Time Report 58
Access Report 59
Authentication Report 59
Authorization Report 60
Account Statistics Report 61
User Policy Analysis Report 61
User Audit Report 61
Communication Report 62
Performance Report 62
Tunnel Report 63
Alerts Report 63
System Report 63
Complete Report 64
Manage Report Database Settings 65
About the Diagnostics File 65
About the Feature Key 66
Feature key information 67
Upload a New Feature Key 69
Live Update 69
Configure Live Update Settings 70
Reboot after Engine Updates 71
Check for New Live Update Files 71
User Management 73
User accounts 74
User groups 74
External Directory Service 74
Self Service 75
About User Accounts 75
User Account Search Result List 75
Manually Add a User Account 76
Import User Accounts 79
Link to a User Account 83
Repair a Linked User Account 84
Edit User Accounts 86
Manage Global User Account Settings 87
About User Groups 91
About User Property Groups 91
About User Location Groups 91
About User Groups and Access Rules 91
Add a User Group 92
Add a User to a Group using a Custom Attribute 93
Search, Edit, or Delete User Groups 95
About the External Directory Service 97
About Search Rules 97
About User Groups and Access Rules 98
About Directory Mapping 98
Add an External Directory Service Location 98
Edit an External Directory Service Location 102
About Self Service 105
Use the wizard to enable Self Service 105
Manually enable and configure Self Service 106
Disable or restore Self Service 106
Manage Self Service Settings 107
Modify System Challenges 109
Configure and Enable Self Service 111
About Resource Access 119
Resources 119
Client firewall 119
Access rules 120
Application Portal 120
SSO domains 120
About Resources 120
Manage Resources 120
Manage Global Tunnel Resource Settings 185
Manage Global Resource Settings 187
About Client Firewalls 207
Disable routes for other network connections 207
Check the integrity of application connections 207
How the client firewall works 207
Configure client definitions 208
Firewall rules based on a device 208
Incoming Firewall Rules 209
Outgoing firewall rules 209
Manage Internet Firewall Configurations 210
About Access Rules 215
Manage Access Rules 215
Manage Global Access Rules 219
Assessment Access Rule Requirements 220
Configure an Access Rule to Require Anti-virus or Anti-spyware Software 227
Configure an Access Rule to Verify the Windows Client Logon Domain 229
Configure an Access Rule to Verify a Windows File is Found 230
Configure an Access Rule to Verify a Windows File Digest is Found 231
Configure an Access Rule to Verify a Directory is Found 234
Configure an Access Rule to Verify the Client Computer MAC Address 235
Configure an Access Rule to Combine Authentication Methods 236
About the Application Portal 238
About the Access Client 238
Manage Application Portal Items 238
Connect to the Application Portal 242
Customize your Web UI and Application Portal 242
Add Additional Application Portals 260
About SSO Domains 260
Domain type attributes 261
Manage SSO Domains 261
Configure SSO for Outlook Web Access (Form Based Authentication) 265
Configure SSO with Outlook Web Access (Basic Authentication) 270
Configure SSO for Microsoft Outlook Web App
Configure SSO for File Share Resources 276
Configure SSO for Remote Control Resources 280
Configure SSO for a Citrix MetaFrame Presentation Server Resource 284
About Manage System 295
About Authentication Methods 296
Supported Authentication Methods 297
About WatchGuard SSL Authentication Methods 298
About Other Authentication Methods 299
Add an Authentication Method 300
Manage an Authentication Method 302
Manage Global Authentication Service Settings 311
Manage RADIUS Configuration 317
Two-factor Authentication with Mobile ID and Mobile OTP iOS App 322
Configure Active Directory Authentication with LDAP over SSL 330
About Certificates 345
Certificate Lifetimes and CRLs 346
Certificate Authorities and Signing Requests 346
Default Certificate 346
Manage Certificates 346
Add a Certificate Authority 347
Add a Server Certificate 349
Edit or Delete a Server Certificate 350
Manage Client Certificate Settings 351
Create a CSR with OpenSSL 352
About Abolishment 358
Configure General Settings 360
Configure Cache Cleaner Settings 362
Configure Advanced Settings 363
Post-connection Cleanup with Abolishment 364
About Assessment 366
Configure General Settings for Assessment 368
Configure Advanced Settings 371
Pre-connection End-point Integrity Check 373
About Notification Settings 376
Notification Variables 377
Configure the Notification Channel 377
Configure the SMS Notification Channel 378
Manage SMS Plug-ins 392
Manage Client Definitions 393
Add Client Definitions 395
Edit or Delete Client Definitions 395
About Delegated Management 396
About Administrative Privileges 397
Manage Administrative Roles 398
About the Administration Service 401
Manage Administration Service Settings 401
Change the Super Administrator Password 402
Manage Global Settings 403
Restart the Administration Service 405
Manage Device Settings 406
General Settings for the Application Portal 407
Performance Settings 410
Cipher Suite Settings 413
Advanced Settings 415
Update the Device 418
Update the OS 419
Configure the System Time and Time Zone 419
Restore Factory Default Configuration Settings 421
Reinitialize the Local User Database 421
Reboot the Device 422
Network Configuration 422
Configure the Network Type 422
Manage Global Tunnel Resource Settings 426
Configure Administration Service External Communication Settings 427
Confirm Network Configuration Settings 428
Configure Network Routes 429
Restore a Saved Configuration 430
Restore the Current Configuration 431
Restore a Saved Configuration 431
Add a Description to a Saved Configuration 432
Delete a Saved Configuration 432
Lock or Unlock a Saved Configuration 433
Manage Saved Configuration Settings 433
Import or Export the Configuration 434
Configure Active Directory Authentication on your SSL Device 435
Before You Begin 436
Enable your AD Server for LDAP over SSL 437
Configure Active Directory Authentication on your SSL device 439
Send One-Time Passwords (OTPs) to Users 445
Configure the SMS Channel to send 445
Configure SMS Settings for each user account 446
Change the Directory Mapping Attribute for Notification SMS 447
Enable mobile text authentication for all users 448
Use the OTP to Authenticate 449
About the Access Client 451
Install the Access Client 452
Before You Begin 452
Run the Installer 452
Launch the Installed Access Client 452
After You Install 452
Connect to the Application Portal 453
Uninstall the Access Client 453
Set up the Access Client for a Standard User 454
Installation 454
Use the Access Client as a Standard User 456
Limitations 456
Launch the Access Client 456
Launch the On-demand Access Client 457
Launch the Installed Access Client 457
About the Access Client Menu 457
Edit Access Client Preferences 458
Manage Access Client Favorites 462
Check Access Client Status 465
Close a Tunnel 465
End Your SSL VPN Session 466
Use ESSP to Link Directly to a Resource 466
Register the ESSP Protocol Handler 466
Use ESSP to Connect to a Resource 467
Example 467

1 Introduction to WatchGuard SSL

Your WatchGuard SSL device is an affordable, easy-to-use, and secure remote access device that provides reliable connectivity to your corporate data and resources. Its flexibility enables you to make your remote connectivity deployment as simple or as sophisticated as your business requirements dictate. If your business requires remote access to email and file shares, your WatchGuard SSL device delivers the security, flexibility, and breadth of options you need for secure remote access to your network.

The WatchGuard SSL stand-alone deployment is a VPN solution that provides access to applications and network resources with no connectors, no modules, no client management issues, and no extras to buy. The WatchGuard SSL 100 accommodates up to 100 concurrent users. The WatchGuard SSL 560 accommodates up to 500 concurrent users.

About the WatchGuard SSL solution

The WatchGuard SSL solution includes a WatchGuard SSL device, WatchGuard SSL Web UI, the WatchGuard SSL Application Portal, and the WatchGuard SSL Access Client.

A WatchGuard SSL device is an all-in-one appliance that includes all the hardware, software, and WatchGuard servers for your solution.

WatchGuard SSL Web UI is a web-based administration application with a task-oriented approach. You can use the Web UI to monitor your WatchGuard SSL system, add user accounts, manage access to your resources, and manage your system settings.

The WatchGuard SSL Application Portal is the web site where your users authenticate and get access to your network resources.

The Access Client is an SSL VPN client that enables on-demand access to tunnel resources in your Application Portal.

About the WatchGuard SSL Access Client

The WatchGuard SSL Access Client is an on-demand SSL VPN client. When a user selects a resource available through the tunnel, the Access Client automatically downloads and installs on the client computer through the web browser. The Access Client is available in two versions: the installed Access Client and the on-demand Access Client. The Access Client is loaded with either ActiveX or a Java applet, based on your configuration choices. To use the ActiveX client loader to install the client, users must have local administrator rights on their computers. For users who do not have local administrator rights, you can download the Access Client from the WatchGuard web site and distribute it to the SSL VPN users on your network.

About the Application Portal

The Application Portal provides access to Web Resources and Tunnel Resources.

Web Resources are any files accessible with a web browser, or applications with a web interface such as Outlook Web Access or WatchGuard SSL Web UI. Users can connect to Web Resources without the Access Client.

Tunnel Resources are client-server applications or intranet sites. Examples of tunnel resources include Remote Desktop or a Windows file share. Users must have the Access Client to connect to Tunnel Resources.

2 Getting Started

Before you install your WatchGuard SSL device, make sure you verify the basic components and get a feature key, as described in the subsequent sections.

Verify Basic Components

Make sure that you have these items:
- A computer with a 10/100BaseT Ethernet network interface card and a web browser installed
- WatchGuard SSL device
- Ethernet cable
- Power cable

Get a WatchGuard Device Feature Key

To enable all of the features on your WatchGuard SSL device, you must activate the device on the WatchGuard LiveSecurity web site and retrieve your feature key file. You can upload your feature key in the Quick Setup Wizard if you register your device before you start the wizard, or you can complete the wizard without a feature key. Until you upload a feature key, the SSL device allows only one authenticated user. For more information, see Get a Feature Key.

Install the WatchGuard SSL Device Behind a Firewall

To protect your WatchGuard SSL device, we recommend that you install it on your network behind the network firewall. You must then add an HTTPS policy to the firewall configuration to allow inbound traffic to the device. The procedure you use to add the policy depends on whether your WatchGuard SSL device has a public or private network IP address.

If your WatchGuard SSL device has a private IP address
Configure the firewall with an HTTPS policy that uses static NAT. This policy must allow TCP port 443 from any external IP address to the private IP address of the WatchGuard SSL device.

If your WatchGuard SSL device has a public IP address
Configure the firewall with an HTTPS policy that allows TCP port 443 from any external IP address to the public IP address of the WatchGuard SSL device.

In either case, allow only port 443, which the Application Portal uses. Do not forward the management port (8443 by default, see Connect to WatchGuard SSL Web UI) from the Internet unless you intend to administer the device remotely; keep the Web UI reachable only from your internal management network.

For detailed examples about how to configure these policies on a WatchGuard firewall, see the Policies topics in the latest Fireware XTM documentation.

Use the Quick Setup Wizard to Set Up a Basic Configuration

The Quick Setup Wizard helps you set up a basic network configuration for your WatchGuard SSL device. Use the Quick Setup Wizard to set up the device for the first time, or after you reset the device to factory default settings.

Before you start the Quick Setup Wizard, make sure you:
- Register your WatchGuard SSL device with LiveSecurity Service
- Save a copy of your feature key file from the LiveSecurity web site to your computer, and extract the feature key from the compressed file
For more information, see Getting Started.

Run the Quick Setup Wizard

1. Make sure your computer is configured to use a static IP address on the same /24 network as the default IP address of the WatchGuard SSL device.
   Note: The WatchGuard SSL device has a fixed default IP address. Do not assign that address to your own computer.
2. Connect the Ethernet interface on your computer to Eth1 on the WatchGuard SSL device.
3. Plug the power cord into the WatchGuard device power input and into a power source.
4. Power on the WatchGuard SSL.
5. Open a web browser and type the default IP address of the WatchGuard SSL device. The Quick Setup Wizard begins.
   Note: Because the WatchGuard SSL device uses a self-signed certificate, your browser shows a certificate warning. On this direct cable connection the warning is expected, so you can proceed past it (Internet Explorer) or add a certificate exception (Mozilla Firefox). Before you expose the device to users, replace the self-signed certificate with one signed by a CA their browsers trust; see Add a Certificate to the SSL Device.
6. Upload your feature key file, if you have it. If you do not upload a feature key file, only one authenticated user can get access to the device. If you do not have a feature key, you can continue with the wizard, and then upload a feature key from the Web UI after you finish the wizard.

7. Set the time zone and system time settings. Though the NTP server configuration is optional, we recommend that you specify an NTP server. Accurate time is important not only for log time stamps, but also for the SSL handshake, because certificate validity periods are checked against the device clock.
8. Create the Super Administrator credentials. This is a local account on the SSL device; the credentials do not have to correspond to an existing user in a directory service. The Super Administrator password must be at least six characters long and must include characters from at least three of these four categories:
   - English uppercase characters (A through Z)
   - English lowercase characters (a through z)
   - Base-10 digits (0 through 9)
   - Non-alphanumeric characters (for example: !, $, #, or %)
   Six characters is only the minimum the wizard enforces. This account has full control of the device, so choose a considerably longer password.
9. Select the network configuration mode. The choices are:
   Single Interface mode (default): Select this mode if you want to connect the WatchGuard SSL device to one network, such as a DMZ. In single interface mode, only the Eth0 interface is active.
   Dual Interface mode: Select this mode if you want to connect the WatchGuard SSL device to two separate networks (for example, two different DMZ networks). In dual interface mode, both the Eth0 and Eth1 interfaces are active.
   For more information about network interface modes, see Network Configuration.
10. Type the network address information for each interface you enabled.

The final page of the Quick Setup Wizard shows a summary of the configuration settings, and the interface and IP address you must use to connect after the device reboots. After you complete the wizard, the device restarts with the settings you configured.

Connect the WatchGuard SSL Device to Your Network

After you complete the Quick Setup Wizard, connect the WatchGuard SSL device to your network.
1. Connect the WatchGuard SSL device to your network. If you selected single interface mode, connect the device with Eth0. If you selected dual interface mode, connect the device with both Eth0 and Eth1.
2. Reset the IP address on your computer to its original IP address.
3. Connect your computer to the network.

You can now use WatchGuard SSL Web UI to continue configuration, management, and monitoring tasks. For more information, see Connect to WatchGuard SSL Web UI and Complete Initial Tasks.
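The complexity rule in step 8 is easy to get wrong when you script account provisioning or review a password someone else chose. The check below is an added example for this guide, not WatchGuard code: it implements exactly the rule the wizard states (six characters, three of four categories) and separately warns when a password is accepted but shorter than a recommended floor. The recommended floor and the treatment of non-ASCII characters as "non-alphanumeric" are this example's assumptions, not device behaviour.

```python
"""
Check a candidate Super Administrator password against the rule the Quick
Setup Wizard enforces (step 8): at least six characters, with characters
from at least three of four categories. Added example for this guide, not
WatchGuard code; MIN_LENGTH_RECOMMENDED and the handling of non-ASCII
characters are this example's own assumptions, not device settings.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple

MIN_LENGTH_REQUIRED = 6       # the minimum the wizard enforces
MIN_LENGTH_RECOMMENDED = 14   # assumption: a sensible floor for an account with full device control

# The four categories as the wizard describes them. Only ASCII letters count as
# "English" upper/lowercase; anything else that is not an ASCII letter or digit
# is treated here as non-alphanumeric (assumption).
CATEGORIES: Dict[str, Callable[[str], bool]] = {
    "upper": lambda c: "A" <= c <= "Z",
    "lower": lambda c: "a" <= c <= "z",
    "digit": lambda c: "0" <= c <= "9",
    "symbol": lambda c: not ("A" <= c <= "Z" or "a" <= c <= "z" or "0" <= c <= "9"),
}


@dataclass(frozen=True)
class PolicyResult:
    accepted: bool                 # True if the wizard would accept the password
    categories: FrozenSet[str]     # which of the four categories are present
    warnings: Tuple[str, ...]      # why it fails, or why it is weaker than recommended


def check_super_admin_password(password: str) -> PolicyResult:
    """Apply the device rule, then the stricter local recommendation."""
    present = frozenset(name for name, test in CATEGORIES.items()
                        if any(test(c) for c in password))
    warnings = []
    if len(password) < MIN_LENGTH_REQUIRED:
        warnings.append(f"shorter than the required {MIN_LENGTH_REQUIRED} characters")
    if len(present) < 3:
        warnings.append(f"only {len(present)} of the four character categories present; three are required")
    accepted = not warnings
    if accepted and len(password) < MIN_LENGTH_RECOMMENDED:
        warnings.append(f"accepted by the device, but shorter than the recommended {MIN_LENGTH_RECOMMENDED} characters")
    return PolicyResult(accepted, present, tuple(warnings))


if __name__ == "__main__":
    # Constructed sample candidates; none of these are real credentials.
    for candidate in ("abc123", "Abc123", "Correct-Horse-Battery-9"):
        result = check_super_admin_password(candidate)
        print(f"{candidate!r}: accepted={result.accepted} categories={sorted(result.categories)}")
        for warning in result.warnings:
            print("   ", warning)
```

A password such as "Abc123" passes the device rule (upper, lower, digit) but still carries a warning from this check; treat the device rule as a floor, not a target.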

Connect to WatchGuard SSL Web UI and Complete Initial Tasks

After you complete the basic configuration, you can use WatchGuard SSL Web UI to continue the configuration, management, and monitoring tasks. Before you get started, make sure that you have:
- Connected the WatchGuard SSL device to your network
- Connected your computer to the network
- Reset the IP address of your computer

Connect to WatchGuard SSL Web UI

The interface that you use to connect to WatchGuard SSL Web UI depends on the deployment method you used for your device. WatchGuard SSL Web UI uses port 8443 by default.

If you configured your device in Single Interface Mode, you must connect to the Eth0 interface for management.
1. Connect your computer to the Eth0 network.
2. In a web browser, type https://<Eth0 IP address>:8443
3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in. WatchGuard SSL Web UI appears.

If you configured your device in Dual Interface Mode, you must connect to the Eth1 interface for management.
1. Connect your computer to the Eth1 network.
2. In a web browser, type https://<Eth1 IP address>:8443
3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in. WatchGuard SSL Web UI appears.

Upload the Feature Key File

If you did not upload your feature key file when you ran the Quick Setup Wizard, we recommend that you upload it now.
1. Get your feature key file from LiveSecurity. For instructions, see Get a Feature Key.
2. In WatchGuard SSL Web UI, select Monitor System > Feature Key. The Feature Key page appears.
3. Upload the feature key file to the device. For more information, see Upload a New Feature Key.

Download and Install the Latest Software

A newer version of operating system software for your WatchGuard SSL device could be available. To update your software:

1. Go to the Software Downloads section of the WatchGuard web site.
2. Find and download the latest version of WatchGuard SSL OS.
3. From the Web UI, select Manage System > Device Update. The Update the OS page appears.
4. Update the OS version on the device. For more information, see Update the OS.

Get a Feature Key

A feature key is a file that enables licensed features on your WatchGuard SSL device. You must get a feature key when you first install the device, and when you renew the LiveSecurity service.

Find your Serial Number

To activate your SSL device, retrieve a feature key, and activate support for your product, you need your device serial number. The device serial number is located on a sticker attached to the rear panel of the device in this format: xxxxxxxxxx-xxxx.

Activate your Device and Get a Feature Key

To activate your device and get the device feature key:
1. Open a web browser and go to the WatchGuard LiveSecurity web site.
   Note: If you are new to WatchGuard, follow the instructions on the web site to create a WatchGuard account profile.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click Activate a Product. The Activate Products page appears.
4. Type the serial number of the device. Make sure to include any hyphens.
5. Click Continue.
6. Follow the instructions to register your device.
7. Save the feature key as a text file on your computer.

After you download the feature key, you can use the Quick Setup Wizard or the Web UI to browse to the location of the feature key on your computer and upload it to the WatchGuard SSL device.

Retrieve a Current Feature Key

You can retrieve a current feature key from the WatchGuard web site:
1. Open a web browser and go to the WatchGuard LiveSecurity web site.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click My Products.
4. In the list of products, select your device.
5. Use the on-screen instructions to obtain the feature key.
6. Save the feature key to a text file on your computer.

For more information, see:
- Use the Quick Setup Wizard to Set Up a Basic Configuration
- Upload a New Feature Key

About WatchGuard SSL Web UI

WatchGuard SSL Web UI is a web-based administration application with a task-oriented approach. You can use the Web UI to monitor your WatchGuard SSL device, add user accounts, manage resource access, and manage your system settings.

WatchGuard SSL Web UI has two levels of menus:

Main menu. Includes these sections:
   Monitor System: Monitor information about system status, user sessions, log files, reports, licenses, and alerts.
   User Management: Manage user accounts and user groups, and configure an external directory service.
   Resource Access: Create Application Portal items to give users access to applications, folders and files, and URLs.
   Manage System: See and manage the overall configuration of your WatchGuard SSL system.
Left menu. Includes options to manage your configuration from the sections of the main menu.

Context-sensitive Help is integrated with WatchGuard SSL Web UI. To open the Help topic for a task, click the Help icon.

WatchGuard SSL Web UI Wizards

All common tasks use wizards to guide you through the steps to complete your task. This includes procedures to add user accounts, resources, and many others. To start a wizard, click Add. To cancel a wizard at any time, select a different menu item or close your browser window or tab. To return to the previous page in a wizard, click Previous. To save your changes, click Finish Wizard or Save.

Publish Your Configuration

After you add or edit a setting in your configuration, you must save the changes to the WatchGuard SSL device and services before they can take effect. The Publish button at the top of the Web UI changes from white to blue when you make changes that must be saved. To save your configuration changes, click Publish at the top of the Web UI. You can later review or restore a configuration. For more information about configurations, see Restore a Saved Configuration.

System Messages

When you use a wizard or make a change to your configuration, feedback messages appear in WatchGuard SSL Web UI at the top of the current page. If the message text is red, you have made an error in your configuration selection. If the message text is green, your configuration change was successful.

Use the File Browser

You can use the WatchGuard SSL Web UI file browser to find files on your WatchGuard SSL device. This is helpful when you want to find a file name or path to include in your settings (for example, with a script). To use the file browser:
1. At the top of the Web UI, click Browse. The file browser opens in a separate window or tab.
2. Select a folder from the navigation tree on the left.
3. To change a current file, select a file to edit, download, delete, or rename.
   To edit the file, click the Edit icon. Make changes to the file contents, then click Save.
   To download the file, click the Download icon. Select to Open or Save the file.
   To delete the file, click the Delete icon. In the Warning dialog box, click OK.
   To rename the file, click the Rename icon. In the Rename File text box, type a new name. Click Rename.
4. To upload a new file, adjacent to the Upload File text box, click Browse and select a file. Click Upload.

Get Started with Common Tasks

This topic provides an overview of several common administrative tasks that are performed when you set up and configure your SSL device for the first time.

Create User Accounts and Configure Authentication

When a user connects to the Application Portal on your SSL device, they are required to authenticate. The user account can be on an external directory service, or stored locally on the SSL device. The user is presented with one or more authentication methods, such as a simple password request, or a more secure challenge-response or two-factor authentication. See User Management for details on how to add and manage user accounts. See Authentication Methods to configure user authentication.

About Active Directory

If you have configured the SSL device to use your Active Directory server as an External Directory Service, you can use either the LDAP or the Active Directory authentication method. The Active Directory method requires LDAP over SSL, which encrypts the directory traffic between the SSL device and the Active Directory server; plain LDAP sends simple-bind credentials in cleartext. See Add External Directory Service for information on how to add a directory service.

Configure Resource Access

The Application Portal is a web site on the WatchGuard SSL device where clients can connect to your corporate applications and resources from remote locations. In the Application Portal, the applications and resources appear as icons that your users can click. There are two main types of resources that users can access:

Web Resources: Web Resources are any files that you can connect to with a web browser, or applications with a web interface such as Outlook Web Access. You can connect to Web Resources without the Access Client.

Tunnel Resources: Tunnel Resources are client-server applications or intranet sites. To connect to tunnel resources, you must use the Access Client. With Tunnel Resources, you can either use client-server applications or connect to network resources that are not web-enabled. You can also use Tunnel Resources to get access to files on network servers. If you have a file share resource, you can open, copy, rename, and delete files. You can also download and upload files from your local computer. Examples of Tunnel Resources include Microsoft Outlook, Remote Desktop, or a Windows file share.

See Manage Resources for information on how to create these resources.

Customize the Device Hostname

When the SSL device directs a user to a URL, such as a web resource or a Java-based tunnel resource, the URL provided includes the host name of the SSL device. To configure this hostname, select Manage System > Network Configuration. See Network Configuration for more details on the device hostname and network configuration.
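The management UI described under Connect to WatchGuard SSL Web UI presents a self-signed certificate on port 8443, so the browser warning alone tells you nothing about whether you reached the right device. The script below is an added example for this guide, not WatchGuard code: it records the SHA-256 fingerprint of the management certificate once, over the direct setup cable where no interception is possible, and afterwards refuses to treat the UI as genuine unless the fingerprint still matches. Once you install a CA-signed certificate (see Add a Certificate to the SSL Device), switch to verify_chain(), which performs ordinary validation. The port is the guide's default; the device address and any CA file are assumptions you supply.

```python
"""
Pin the certificate the WatchGuard SSL Web UI presents on its management
port instead of clicking through the browser warning. Added example for
this guide, not WatchGuard code. Assumes the Web UI listens on
<device address>:8443 (the default the guide states) and that the reference
fingerprint was captured once over the direct setup cable.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Optional


def fingerprint_from_pem(pem: str) -> str:
    """SHA-256 over the DER encoding, as AA:BB:..., the form browsers display."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(observed: str, expected: str) -> bool:
    """Compare two fingerprints regardless of case or colon separators."""
    def normalise(s: str) -> str:
        return s.replace(":", "").strip().upper()
    return hmac.compare_digest(normalise(observed), normalise(expected))


def fetch_fingerprint(host: str, port: int = 8443, timeout: float = 5.0) -> str:
    """Connect with verification disabled (the device ships a self-signed
    certificate) and return the leaf certificate fingerprint. Trust the
    result only when captured on the direct setup link."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint_from_pem(ssl.DER_cert_to_PEM_cert(der))


def management_ui_is_pinned(host: str, expected_fingerprint: str, port: int = 8443) -> bool:
    """True only if the certificate on the management port is the one you pinned."""
    return pin_matches(fetch_fingerprint(host, port), expected_fingerprint)


def verify_chain(host: str, port: int = 8443, cafile: Optional[str] = None) -> bool:
    """After a CA-signed certificate is installed: normal validation against
    the system trust store, or against the CA file (assumed path) that signed it."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5.0) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    import sys
    # usage: python pin_webui.py <device address> [<pinned fingerprint>]
    device = sys.argv[1]
    if len(sys.argv) > 2:
        print("pinned" if management_ui_is_pinned(device, sys.argv[2]) else "MISMATCH: do not log in")
    else:
        print("fingerprint:", fetch_fingerprint(device))
```

Run it once with only the device address while still connected by cable, store the printed fingerprint, and run it with both arguments before each later login from the network. A mismatch after you have deliberately replaced the certificate is expected; any other mismatch means you are not talking to the device you pinned.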

Add a Certificate to the SSL Device

When your users connect to the SSL device, they use a web browser to connect to the external public IP address of the device. If the device does not have a certificate signed by a CA that their browsers trust, they see a certificate warning. See About Certificates to add a certificate to the SSL device.

Note: Back up your configuration before you import a new certificate. If you import a certificate incorrectly (for example, if you do not enter the private key properly), further admin and client connections are blocked. If this occurs, you must reset the device to factory default settings and reconfigure it.

About the Access Client

When a user connects to the SSL device to access a tunnel resource, they use the Access Client. The Access Client can be automatically installed and launched using Java or ActiveX in a supported web browser. Windows users can also install a downloadable Access Client on their computer. See About the Access Client for details on how to install and use the Access Client.

Restore Factory Default Settings

There are two ways to reset your WatchGuard SSL device to the factory default settings:

Use the WatchGuard SSL Web UI. If you can log in to the WatchGuard SSL Web UI, you can restore the device to factory default settings from the Web UI. This is the easiest method to restore the factory default settings. For more information, see Restore Factory Default Configuration Settings.

Use recovery mode. If you cannot log in to WatchGuard SSL Web UI, you can start the device in recovery mode. When the device is in recovery mode, you can reinstall the software image and restart the device with factory default settings.

Before You Begin

Before you start the recovery process, you must download and save a copy of the WatchGuard SSL OS on your computer. The file has the extension .sysa-dl. You can download the file from the Software Downloads section of the WatchGuard web site.

Note: The installation and reset process can take up to 10 minutes. Do not turn off the device before this process is complete.

Start the WatchGuard SSL Device in Recovery Mode

1. Power off the WatchGuard SSL device.
2. Press and hold the up arrow button on the front panel while you power on the device.
3. Continue to hold the up arrow button until Executing SysB appears on the LCD display.

When Recovery Mode Ready appears on the LCD display, the device is in recovery mode. In recovery mode, the Eth1 address of the device is set to

Upload a New Software Image

You must use a command line FTP program to upload the WatchGuard SSL OS software image. Many common FTP commands are disabled on the WatchGuard SSL device for security reasons. For example, you cannot change directories (cd) or show the remote working directory (pwd). Other FTP programs rely on these commands to show you a list of files in the remote directory, and do not operate correctly when these commands are disabled.

To upload a new software image to your WatchGuard SSL device:

1. Connect an Ethernet network cable between your computer and the Eth1 interface on the WatchGuard SSL device.
2. Change the IP address of your computer to (or to another IP address on the network).
3. Open the command line interface of your computer. For example, if you use Windows XP, select All Programs > Accessories > Command Prompt from the Windows Start menu.
4. Change your working directory to the location where you saved the .sysa-dl file.
5. At the command prompt, type ftp to connect to your WatchGuard SSL device.
6. When requested, type admin for both the user name and the password.
7. Type bin to change the transfer type to binary mode.
8. Type put <filename>. Replace <filename> in the command with the name of the .sysa-dl file you downloaded from the WatchGuard Software Downloads page. The upload can take several minutes to complete. Do not close the window or type more commands until another command prompt appears.
9. Type quit to close the FTP connection.
10. Exit the command line interface program.

After the software image upload completes, the WatchGuard SSL device installs the software and resets the configuration to the default settings. When the reset process completes, the device automatically restarts.

Note: The installation and reset process can take up to 10 minutes. Do not turn off the device before this process is complete.

Next Steps

After you restore the software image and the device restarts with factory default settings, you can use the Quick Setup Wizard to set up your configuration again.

Note: After the reboot, the IP address of the Eth1 interface changes to
You must change the IP address on your computer before you launch the Quick Setup Wizard. For more information, see Use the Quick Setup Wizard to Set Up a Basic Configuration.

About WatchGuard LiveSecurity Service

WatchGuard knows just how important support is when you must secure your network with limited resources. Our customers require greater knowledge and assistance in a world where secure access is critical. LiveSecurity Service gives you the backup you need, with a subscription that supports you as soon as you register your WatchGuard SSL device.

LiveSecurity Service

Your WatchGuard SSL device includes a subscription to our ground-breaking LiveSecurity Service, which you activate online when you register your product. As soon as you activate, your LiveSecurity Service subscription gives you access to a support and maintenance program unmatched in the industry. LiveSecurity Service comes with the following benefits:

Hardware Warranty with Advance Hardware Replacement
An active LiveSecurity subscription extends the one-year hardware warranty that is included with each WatchGuard SSL device. Your subscription also provides advance hardware replacement to minimize downtime in case of a hardware failure. If you have a hardware failure, WatchGuard will ship a replacement unit to you before you have to ship back the original hardware.

Software Updates
Your LiveSecurity Service subscription gives you access to updates to current software and functional enhancements for your WatchGuard products.

Technical Support
When you need assistance, our expert teams are ready to help.
- Representatives available 12 hours a day, 5 days a week in your local time zone*
- Four-hour targeted maximum initial response time
- Access to online user forums moderated by senior support engineers

Support Resources and Alerts
Your LiveSecurity Service subscription gives you access to a variety of professionally produced instructional videos, interactive online training courses, and online tools specifically designed to answer questions you may have about network security in general or the technical aspects of installation, configuration, and maintenance of your WatchGuard products. Our Rapid Response Team, a dedicated group of network security experts, monitors the Internet to identify emerging threats. They then deliver LiveSecurity Broadcasts to tell you specifically what you can do to address each new menace. You can customize your alert preferences to fine-tune the kind of advice and alerts the LiveSecurity Service sends you.

LiveSecurity Service Gold

LiveSecurity Service Gold is available for companies that require 24-hour availability. This premium support service gives expanded hours of coverage and faster response times for around-the-clock remote support assistance. LiveSecurity Service Gold is required on each unit in your organization for full coverage.

Service Features                                     | LiveSecurity Service            | LiveSecurity Service Gold
Technical Support hours                              | 6 AM to 6 PM, Monday to Friday* | 24/7
Number of support incidents (online or by phone)     | 5 per year                      | Unlimited
Targeted initial response time                       | 4 hours                         | 1 hour
Interactive support forum                            | Yes                             | Yes
Software updates                                     | Yes                             | Yes
Online self-help and training tools                  | Yes                             | Yes
LiveSecurity broadcasts                              | Yes                             | Yes
Installation Assistance                              | Optional                        | Optional
Three-incident support package                       | Optional                        | N/A
One-hour, single incident priority response upgrade  | Optional                        | N/A
Single incident after-hours upgrade                  | Optional                        | N/A

* In the Asia Pacific region, standard support hours are 9 AM to 9 PM, Monday to Friday (GMT +8).

Service expiration

We recommend that you keep your subscription active to secure your organization. When your LiveSecurity subscription expires, you lose access to up-to-the-minute security warnings and regular software updates, which can put your network at risk. Damage to your network is much more expensive than a LiveSecurity Service subscription renewal. If you renew within 30 days, there is no reinstatement fee.

Support Information

WatchGuard offers a variety of technical support services for your purchased products and services. For more information, see the WatchGuard support web site.

Online Resources
Product documentation

Knowledge Base
Training and courseware
WatchGuard Forum

Telephone Numbers
US & Canada
International

Before You Call

When you create an incident, make sure you include all required information. Ask yourself these questions to help you find what you must include:
1. What are you trying to do?
2. Were you able to perform this action previously without problems?
3. What behavior do you see?
4. What behavior would you expect to see if the problem was not occurring?
5. How often do the symptoms occur?
6. What troubleshooting steps, if any, have you taken?

Relevant Information

When you contact technical support, you are often asked for basic information about your WatchGuard SSL device and LiveSecurity account. It is helpful to save this information when you create your configuration in case your device does not operate correctly. If possible, include these additional items when you call, so your technician can promptly resolve your issue:

Logs
Log messages are important. If you have access to the Log Viewer at the time of the error, include a section of the logs.

Network diagrams
Not all problems start from one device. Sometimes, a problem that appears to be related to the SSL device is actually caused by something else in the network. A diagram of your network is a valuable resource; we recommend that you make one and keep it updated.


3 About Monitor System

You can use WatchGuard SSL Web UI to see information about system status, user sessions, log files, reports, licenses, and alerts. To monitor your WatchGuard SSL system, select Monitor System. The Monitor System menu includes:

System Status
You can see status information about your device. This includes the system, network, authentication, events, and devices. You can also manage monitoring settings and monitor administrator activities. For more information, see About the System Status Page.

User Sessions
You can see a list of the current user sessions, and you can search sessions by User ID. For more information, see About User Sessions.

Alerts
You can manage administrator alerts. For more information, see About Alerts.

Logging
You can manage logging settings for all registered servers. For more information, see Manage Logging.

Log Viewer
You can search and see entries in the log files. For more information, see Use Log Viewer.

Reports
You can generate reports and manage reports settings.

For more information, see About Reports.

Diagnostics File
You can create a compressed diagnostics file that contains configuration and log files for all services for a selected period. For more information, see About the Diagnostics File.

Feature Key
You can see information about the installed features. You can also upload a new feature key. For more information, see About the Feature Key.

Live Update
You can change the update settings for the End-Point Security definition file that is used for client scans to support Assessment access rules. For more information, see Live Update.

About the System Status Page

When you first log in to WatchGuard SSL Web UI, the System Status page appears. From the System Status page, you can select a tab to see an overview of information about your system, check the status of your network, review current authentication settings, identify events that have occurred on your system, verify the status of your device, and run basic debug tools to help you troubleshoot issues on your network. You can also click a link to manage settings for event monitoring, change the Super Administrator password, and view information about the date and time of administrator activities.

To monitor the status of the WatchGuard SSL system:

1. Connect to WatchGuard SSL Web UI.
2. Select Monitor System > System Status. The System Status page appears.

3. To update the information that appears on the System Status page, click Refresh.

View Status Information

On the System Status page, select a tab to choose the status information type. For more information about each tab, see:
- System Overview
- Network Status
- Authentication
- Events
- Device Status
- Network Tools

Manage Settings

To enable event monitoring and change the super administrator password:
Click Manage Settings. The Settings page appears.

For more information, see Manage Settings.

View Administrator Activities

To view the recent activities of administrators:
Click View Administrator Activities. The View Administrator Activities page appears.
For more information, see View Administrator Activities.

System Overview

The System Overview page includes basic information about your system. This includes the version of software on your device, the current feature key version, information about administrators and users, and the registered resources and domains for your system.

To see basic information about your WatchGuard SSL system:

1. Select Monitor System > System Status.
2. Select the System Overview tab. This tab is selected by default.

The System Overview tab has four sections, which include basic information about your system, as described in the subsequent sections.

System Information

The System Information section shows information about the installed software and feature keys.

Software version
The version and build number for the installed operating system software.

Feature Key Version
The version number in the feature key.

Feature Key Type
The type of feature key: Production or Evaluation. The Evaluation key allows only one authenticated user to get access through the SSL device.

Current Server Time
The date and time on the WatchGuard SSL device.

System Services

The System Services section shows the services that are enabled on your SSL device.

External Host
Shows the IP address and port number configured for communication between the WatchGuard SSL Web UI and the client.

Internal Host
Shows the IP addresses and port numbers used for communication between services on the device.

Administrators

The Administrators section shows information about administrative users.

Administrator
The user name for the administrator account.

Logged on Administrators
The number of administrators currently logged in.

Users

The Users section shows status information about users and user accounts.

Concurrent Users
The number of users currently connected to the SSL device. The maximum number allowed by the feature key appears in parentheses.

Registered User Accounts
The number of registered user accounts. The maximum number allowed by the feature key appears in parentheses.

Logged-on Users
The number of users currently logged in.

Active Users
The number of active users currently logged in that have made a request within the last 15 minutes.

Resources

Registered Resources
The number of registered resources on the Resources page.

Registered SSO domains
The number of registered Single Sign-On domains.

Network Status

The Network Status tab includes configuration and statistical information for the network interfaces enabled on the SSL device.

To see the status of the network interface configuration:

1. Select Monitor System > System Status.
2. Select the Network Status tab.

The Network Status tab includes these sections:

Eth0
Shows configuration information and traffic statistics for the Eth0 network interface.

Eth1
Shows configuration information and traffic statistics for the Eth1 interface. Eth1 is disabled in single interface mode.

Routing Table
Shows the routing table for the device.

For more information about network configuration and interface modes, see Network Configuration.

Authentication

On the Authentication tab, you can review the configuration status of the enabled authentication methods, the status of notification channels, and configuration information for the databases used for authentication.

To see the status of the authentication configuration:

1. Select Monitor System > System Status.
2. Select the Authentication tab.

The Authentication tab includes these sections:

Authentication Methods
Shows the IP address and port configured for each of the five WatchGuard authentication methods.

RADIUS clients
Shows the number of registered RADIUS clients.

Notification
Shows the status of notification. If notification is enabled, the host information appears.

SMS Distribution
Shows the status of SMS distribution. If SMS distribution is configured, information about the primary and secondary SMS channels appears.

Local User Database
Shows the host IP address and account information for the local user database.

External Directory Service
Shows the name, IP address, and account information for the configured external directory service.

Events

The Events tab includes a list of events related to the status of connections and services.

To see recent system events:

1. Select Monitor System > System Status.
2. Select the Events tab. For each event, the Events tab shows:
   - The date and time of the event
   - Which service or policy the event involves
   - A brief description of the event
3. To update the list of events with the latest information, click Refresh.

If you enable Event Monitoring on the Manage Settings page, the Events tab also shows events related to connectivity to the local user database and external directory services. For more information about the Manage Settings page, see Manage Settings.

Device Status

The Device Status tab includes information about your device (software version, connections, and resource use) and the SSL listener status for your device.

To see statistics and configuration information for your WatchGuard SSL device:

1. Select Monitor System > System Status.
2. Select the Device Status tab.

Device Overview

The Device Overview section shows information about the device software, connections, and resource use.

Host
The IP address the device uses to communicate with itself. This is always set to

Current Server Time
Shows the current date and time for the SSL device.

Server Started
Shows the date and time the device was last started.

Version
The software version and build number.

Client Connections
The current number of active clients.

Server Connections
The current number of connections used to communicate with internal web sites, such as web resources. Some web applications require more than one connection per user.

Queued Connections
The current number of connections that are not yet processed.

Active Worker Threads
The number of active threads is shown first. The maximum number of active threads is shown in parentheses. When there is a large number of client connections, some connections may be queued. In this case you can increase the maximum worker thread number in the device performance settings, in Manage System > Device Settings > Performance tab.

Available Memory
The amount of available memory, in megabytes.

Open SSL Version
The version of OpenSSL that the WatchGuard SSL device uses.

SSL Status for <IP address:port>

The SSL Status section shows statistics about the SSL listener. By default, there is just one SSL listener. If you add additional listeners, this page shows the status for each listener. The statistics are:
- SSL Sessions in Cache
- SSL Accepts
- Finished SSL Accepts
- Renegotiates
- Session Cache Hits
- Session Cache Misses
- Session Cache Timeouts
- Callback Cache Hits
- Cache Full Overflows
- Cache Size

For information about how to add a listener, see General Settings for the Application Portal.

Network Tools

From the Network Tools tab, you can run some basic network commands. This can be helpful when you troubleshoot issues with your network. The network tools available in WatchGuard SSL Web UI are:

ping
A command to detect whether a connection to a specified hostname or IP address is possible.

tcpdump
A program to intercept and examine TCP/IP packets for diagnostic purposes.

traceroute
A command to show the routing path taken from the device to a hostname or IP address.

nslookup
A program that shows the information from the DNS records of a domain or hostname.

To use the network tools:

1. Select Monitor System > System Status.
2. Select the Network Tools tab.

3. From the Command Type drop-down list, select a command. The command appears in the Prepared Command list.
4. In the Extended Parameters text box, type the command line parameters for the command you selected. For example, if you selected ping, type the hostname or IP address to ping. The parameters appear in the Prepared Command list, after the command.
5. From the Max Run Time drop-down list, select the maximum amount of time you want the command to run.
6. To run the command shown in the Prepared Command list, click Run. The result of the command appears in the Result section.
7. To stop the command, click Stop.
8. To clear the Result section, click Clear.

Manage Settings

You can select whether to monitor the connection to the Local User Database or External Directory Service, change the Super Administrator password, and enable the password policy.

Event Monitoring Settings

When you enable event monitoring, the connection between your device and the Local User Database or External Directory Service is examined every 15 seconds and a log message is recorded in the service log. The log messages appear on the Events tab of the System Status page. This option is selected by default. To increase the performance of your system, disable this option.

To enable event monitoring:

1. Select Monitor System > System Status.
2. Click Manage Settings. The Settings page appears.

3. Select the Monitor connections to the local user database and external directory service check box.
4. Click Save.

Change the Super Administrator Password

When you complete the Quick Setup Wizard, you set the Super Administrator password. You can change this password at any time. You can also enable or disable the WatchGuard SSL password policy, which requires that the Super Administrator password meet these specific standards:
- The password must be at least six characters long
- The password must include characters from at least three of these four categories:
  o English uppercase characters (from A through Z)
  o English lowercase characters (from a through z)
  o Base-10 digits (0 through 9)
  o Non-alphanumeric characters (for example, !, $, #, or %)

To enable or disable the password policy, or change the password:

1. Select Monitor System > System Status.
2. Click Manage Settings. The Settings page appears.
3. Select the Enable password policy check box.
4. In the Current Password text box, type the password currently assigned to the Super Administrator.
5. In the New Password and Verify New Password text boxes, type the new password.
6. Click Save.

You can also change the password settings from the Manage System > Administration Service page, as described in Change the Super Administrator Password.

View Administrator Activities

You can use WatchGuard SSL Web UI to see a list of all the administrators logged on to the Web UI, as well as the date and time of recent actions for each administrator.

1. Select Monitor System > System Status.
2. Click View Administrator Activities. The Administrator Activities page appears.

About User Sessions

You can search for and manage all current user sessions to see which users are active in the system and information about their sessions. You can also stop active user sessions.

To see a list of user sessions:
Select Monitor System > User Sessions. The User Sessions page appears with a list of all the current user sessions.
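The Super Administrator password policy described in Change the Super Administrator Password (at least six characters, and characters from at least three of the four categories) can be checked before a new password is submitted, for example as part of a provisioning script. The following checker is an example added to this guide, not WatchGuard's own implementation; the function names, the sample passwords, and the treatment of any character outside A-Z, a-z and 0-9 as non-alphanumeric are assumptions of the example.

```python
"""Check a candidate password against the Super Administrator password
policy stated in this guide. Example code added to the guide, not
WatchGuard's implementation. Assumption: the policy is applied exactly as
written (minimum length plus a count of distinct character categories)."""

import string

MIN_LENGTH = 6       # stated in the guide
MIN_CATEGORIES = 3   # three of the four categories, as the guide states

# The guide limits letters to English A-Z / a-z and digits to base 10, so
# anything else (punctuation, space, non-English letters) is counted as
# non-alphanumeric here. That treatment of non-English letters is an
# assumption of this example.
LETTER_AND_DIGIT_CATEGORIES = {
    "uppercase": frozenset(string.ascii_uppercase),
    "lowercase": frozenset(string.ascii_lowercase),
    "digit": frozenset(string.digits),
}
ALL_CATEGORIES = frozenset(LETTER_AND_DIGIT_CATEGORIES) | {"non-alphanumeric"}


def categories_present(password):
    """Return the set of policy categories that occur in the password."""
    present = set()
    for ch in password:
        for name, members in LETTER_AND_DIGIT_CATEGORIES.items():
            if ch in members:
                present.add(name)
                break
        else:
            present.add("non-alphanumeric")
    return present


def check_password_policy(password):
    """Return a list of human-readable violations; an empty list means the
    password satisfies the policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(
            f"password has {len(password)} characters; "
            f"at least {MIN_LENGTH} required")
    present = categories_present(password)
    if len(present) < MIN_CATEGORIES:
        missing = ", ".join(sorted(ALL_CATEGORIES - present))
        problems.append(
            f"password uses {len(present)} of {len(ALL_CATEGORIES)} character "
            f"categories; at least {MIN_CATEGORIES} required "
            f"(missing: {missing})")
    return problems


def is_compliant(password):
    """True when the password meets every rule of the policy."""
    return not check_password_policy(password)


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration, not values from
    # the guide. A real tool should never echo passwords; this is a demo.
    for candidate in ("Abc12!", "abc123", "Pa$$word", "Sh0rt"):
        if is_compliant(candidate):
            print(f"{candidate!r}: OK")
        else:
            print(f"{candidate!r}: " + "; ".join(check_password_policy(candidate)))
```

Note that the device checks this policy only when the Enable password policy check box is selected; a checker like this one is useful when passwords are generated or reviewed outside the Web UI, so that a later save with the policy enabled does not fail.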

Search for User Sessions

By default, the User Sessions page shows a list of all active user sessions. You can use the search fields at the top of the page to search for a session by User ID and authentication method.

On the User Sessions page:

1. In the Search by User ID text box, type a user name. To see all users, type only the * wildcard character. To search for partial user names, type the * wildcard character with the other characters. For example, type Wil* or *am to find the user name William.
2. From the Search by User ID drop-down list, select an authentication method. Select All to include all authentication methods in your search.
3. Click Search. The user names that match your search parameters appear in the User Sessions list.

The User Sessions list shows summary information for each active session:

Session ID
The unique ID number assigned to the user session.

User ID
The user name assigned to the user in the directory service.

Authentication Method
The authentication method used to log in.

IP Address
The client and virtual IP addresses of the client computer.

Life Time
The number of minutes the user session has been active.
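The session search described above, with its * wildcard and authentication method filter, and the Life Time and Active Users figures shown on the monitoring pages, as an added example that is not part of the original guide. Assumptions of the example: * is the only wildcard and matches any run of characters, user IDs are matched with their exact case, the authentication method value All disables that filter, "active" means a request within the last 15 minutes (the System Overview tab's definition), and the session timeout counts from the last access. The session records and authentication method names are constructed for the example.

```python
"""Filter and inspect user sessions the way the User Sessions page does.
Example code added to this guide, not WatchGuard's implementation."""

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

ACTIVE_WINDOW = timedelta(minutes=15)   # "Active Users" window from the guide


@dataclass
class Session:
    session_id: int
    user_id: str
    auth_method: str
    client_ip: str
    login_time: datetime
    last_access: datetime
    timeout_minutes: int   # assumption: an idle timeout measured from last_access


def wildcard_to_regex(pattern):
    """Translate a '*'-only wildcard such as "Wil*" or "*am" into a regex.
    Every other character is escaped, so '.' or '?' in a user ID is literal."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def search_sessions(sessions, user_pattern="*", auth_method="All"):
    """Return the sessions whose user ID matches the wildcard pattern and,
    unless auth_method is "All", whose authentication method matches exactly."""
    rx = wildcard_to_regex(user_pattern)
    return [
        s for s in sessions
        if rx.fullmatch(s.user_id)
        and (auth_method == "All" or s.auth_method == auth_method)
    ]


def life_time_minutes(session, now):
    """Whole minutes since the session began (the Life Time column)."""
    return int((now - session.login_time).total_seconds() // 60)


def minutes_to_timeout(session, now):
    """Whole minutes until the session timeout is reached, never negative."""
    deadline = session.last_access + timedelta(minutes=session.timeout_minutes)
    return max(0, int((deadline - now).total_seconds() // 60))


def is_active(session, now):
    """An active user has made a request within the last 15 minutes."""
    return now - session.last_access <= ACTIVE_WINDOW


# Constructed clock and session records for the example (not from the guide).
NOW = datetime(2013, 8, 8, 10, 30)
SAMPLE_SESSIONS = [
    Session(101, "William", "PasswordAuth", "192.0.2.10",
            NOW - timedelta(minutes=50), NOW - timedelta(minutes=5), 30),
    Session(102, "Sam", "RADIUS", "192.0.2.11",
            NOW - timedelta(minutes=90), NOW - timedelta(minutes=20), 30),
    Session(103, "Wilma", "PasswordAuth", "192.0.2.12",
            NOW - timedelta(minutes=3), NOW - timedelta(minutes=1), 30),
]

if __name__ == "__main__":
    for s in search_sessions(SAMPLE_SESSIONS, "Wil*"):
        print(s.session_id, s.user_id, s.auth_method,
              "life:", life_time_minutes(s, NOW),
              "to timeout:", minutes_to_timeout(s, NOW),
              "active:", is_active(s, NOW))
```

Escaping everything except * matters for a search field: a user ID that contains regex metacharacters should still be matched literally, and a pattern cannot be turned into an arbitrary expression.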

View a User Session

In the search results list:

1. Click a Session ID to see details about that user session. The View User Session page appears, with this information for each session:

Session ID
The unique ID number assigned to the user session.

User ID
The user name assigned to the user in the directory service.

Display Name
The display name assigned to the user.

Authentication Method
The authentication method used to log in to the Application Portal.

IP Address
The client and virtual IP addresses of the client computer.

Login time
The date and time the user session began.

Life Time
The number of minutes the user session has been active.

Last Access
The date and time of the last user session for this user.

Time to session timeout
The number of minutes until the user session timeout limit is reached.

2. Click Previous to return to the User Sessions page.

End a User Session

You can stop or close an active user session at any time.

On the User Sessions page:

1. Select the Delete check box for each user session you want to end.
2. At the bottom of the Delete column, click Delete.

Note: The selected user sessions are stopped, but the user accounts are not deleted. The users can log on to the Application Portal again.

Manage Search and Display Settings

By default, the User Sessions search results include a maximum of 200 results, and show 20 results per page.

To change these settings:

1. Select Monitor System > User Sessions. The User Sessions page appears.
2. Click Manage Search and Display Settings. The Manage User Sessions Settings page appears.

3. In the Search Limit text box, type the maximum number of user sessions to appear in the User Sessions search results.
4. In the Results Per Page text box, type the number of user sessions to appear on each page of the User Sessions search results.
5. Click Save. The User Settings page appears.

About Alerts

Alerts are messages the system sends to notify administrators when specified events occur. Alert events include lost and restored connections between services, lost and restored connections to the local user database, or user account activity. You can configure alerts to be sent by email or as an SMS message.

Alert messages contain information specific to the event. For example, you can configure an alert to be sent if the Administration service cannot communicate with the local user database. The alert message is sent to the selected recipients through the method you specify.

Manage Alerts

You can add, edit, and delete alerts from the Manage Alerts page.

1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. Configure alerts:
   - Add an Alert
   - Edit and Delete Alerts
   - Manage Global Alert Settings

Predefined Alert Event Types

You can use these predefined alert events to configure Registered Alerts:
- User Accounts
- Resource Host
- Services

- Local User Database
- Authentication Servers

For more information about alert event types, see About Alert Event Types.

Add an Alert

When you configure an alert, you must select which types of events trigger the alert, configure which notification methods to use for the alert notification messages, and configure the recipients of those notifications.

You can send an alert as an email message, an SMS message, or both. You must configure the email and SMS notification channels before you can use them in an alert. For more information about notification channel configuration, see About Notification Settings.

You can configure alert notification messages to be sent to delegated administrative roles, or directly to email addresses or cell phone numbers that you specify. When you send an alert message to a delegated role, the alert message is sent to the email or SMS address of each administrator assigned to that role. For information about delegated roles, see About Delegated Management.

To add an alert:

1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. Click Add Alert. The Add Alert page appears.
3. In the Display Name text box, type a name for the alert.
4. In the Description text box, type the description that you want to appear with the alert in the Registered Alerts list.
5. Make sure the Enable Alert check box is selected.
6. In the Notification section, select the check box for each notification method for this alert. You can select email, SMS, or both.
7. Click Next. The Add Alert Events Types page appears.
8. Select the check box for each alert event type you want to trigger this alert. For more information about the alert event types, see About Alert Event Types.
9. Click Next. The Alert Notification Recipients page appears.
10. To send the alert message to a set of people for which you have defined a delegated role, select the role in the Available Roles list. To select more than one role to receive this alert, hold down the Ctrl key while you select each role name.
11. Click Add. The selected roles appear in the Selected Roles list.
12. If you selected email as a notification channel in Step 6, you can send the alert to a specific email address. Click Add email address. Type the email address and click Next. The address appears in the Registered Addresses list.
13. If you selected SMS as a notification channel in Step 6, you can send the alert as an SMS message to a specific cell phone number. Click Add Cell Phone Number. Type the cell phone number and click Next. The cell phone number appears in the Registered Cell Phone Numbers list.
14. After you add all recipients for this alert, click Finish Wizard. The Manage Alerts page appears. The alert you added appears in the list of registered alerts.

About Alert Event Types

When you define an alert, you can select from these pre-defined alert event types:

User Accounts Event Types

Locked for Access
Access is locked for a user.

Unlocked for Access
The administrator unlocks access for a user.

Locked for Authentication
Authentication is locked for a user.

Unlocked for Authentication
The administrator unlocks authentication for a user.

Time-lock Locked
A time-lock is activated for a user.

Time-lock Unlocked
The administrator disables a time-lock for a user.

Resource Host Event Types

Lost Connection
The connection to a resource host is unavailable.

Restored Connection
The connection to a resource host is restored.

Services Event Types

Lost Connection
The connection to a service is unavailable.

Restored Connection
The connection to a service is restored.

Local User Database Event Types

Lost Connection
The connection to the local user database is unavailable.

Restored Connection
The connection to the local user database is restored.

Authentication Service Event Types

Lost Connection
The connection to the authentication method service is unavailable.

Restored Connection
The connection to the authentication method service is restored.

Edit and Delete Alerts

The Registered Alerts list includes all the currently configured alerts. You can select an alert to review or change any of the settings, or delete an alert that you no longer want to use.

Review and Edit Registered Alerts

1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. Select a Display Name in the Registered Alerts list to see the details of that alert. The Edit Alerts page appears.

3. On the General Settings tab, you can change the Display Name, Description, and Notification channel.
4. On the Alert Events tab, you can edit the types of alert events to include in this alert.
5. On the Alert Receivers tab, you can change who receives notifications from this alert.
6. Click Save.

Delete Registered Alerts

1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. Select a Display Name in the Registered Alerts list to see the details of that alert. The Edit Alerts page appears.
3. Click Delete. The Delete Alert page appears.
4. Click Yes to delete the alert. The Manage Alerts page appears with a message that the alert was deleted.

Manage Global Alert Settings

You can customize the alert message sent for each alert event type.

Edit the Alert Messages
1. Select Monitor System > Alerts. The Manage Alerts page appears.
2. Click Manage Global Alert Settings. The Manage Global Alert Settings page appears.
3. In the Subject text box, edit the subject line for all alert messages.
4. For each alert event type, you can edit the alert message. The default alert messages and the variables used in them are described in the sections that follow.
5. Click Save.

Note: If you use SMS as the notification channel for alerts, keep the alert messages short. SMS messages are limited to 160 characters on most mobile networks.

Alert Message Variables

Alert messages use the variables {0} and {1}. The Time-lock Locked message also uses a third variable, {2}.
- {0} is replaced by the exact date and time of the event. The format of the date and time depends on the locale settings for your browser.
- {1} is replaced by the specific event trigger. This can be a user account, a WatchGuard SSL service, or a resource.
- {2}, used only in the Time-lock Locked message, is replaced by the time until which the user is time-locked.

Example alert message:
    {0}: User {1} has been locked for authentication.

When this alert is sent, the date and time replace {0} and the user name replaces {1}:
    <date and time>: User Joe Smith has been locked for authentication.

Alert Message Defaults

User Accounts
Locked for Access
    {0}: User {1} has been locked for access
Unlocked for Access
    {0}: User {1} has been unlocked for access
Locked for Authentication
    {0}: User {1} has been locked for authentication
Time-lock Locked
    {0}: User {1} has been Time-lock locked until {2}
Time-lock Unlocked
    {0}: User {1} has been Time-lock unlocked

Resource Host
Lost Connection
    {0}: Lost connection to Resource Host {1}
Restored Connection
    {0}: Restored connection to Resource Host {1}

Services
Lost Connection
    {0}: Lost connection to {1}
Restored Connection
    {0}: Restored connection to {1}

Local User Database
Lost Connection
    {0}: Lost connection to Local User Database{1}
Restored Connection
    {0}: Restored connection to Local User Database{1}

Authentication Method Servers
Lost Connection
    {0}: Lost connection to Authentication Method Server used by Authentication Method {1}
Restored Connection
    {0}: Restored connection to Authentication Method Server used by Authentication Method {1}

Manage Logging

You can configure logging settings, such as the log level, log file rotation, and the types of information to include in the log messages, for each registered service. You can configure logging for two registered services:
- accesspoint: all services related to the operation of the Application Portal.
- Administrator: all services related to administration of your device.

Edit Logging Settings
1. Select Monitor System > Logging. The Manage Logging page appears.
2. To edit the logging settings for a registered service, click its Display Name. The Edit Logging Settings page for the service appears, with a separate tab for each log type.
3. Select a tab to configure the settings for each type of log. The available settings on each tab include Log Level Filter, Log File Rotation, Debug Logs, and Syslog. The Debug Logs and Syslog settings are available only after you enable them on the Manage Global Logging Settings page. For more information about these settings, see the sections that follow; for global logging settings, see Manage Global Logging Settings.
4. For the accesspoint service, on the Audit Log and HTTP Log tabs, select the check box for each Log File Information type to include in the log file.
5. Click Save.
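The alert message templates described under Alert Message Variables and Alert Message Defaults take positional placeholders, and the SMS note limits a message to 160 characters. The following added example (not part of this guide and not WatchGuard's own code) lints a customized template before you save it: it flags a placeholder that the event type does not supply, and, for an SMS channel, a rendered message that would exceed one SMS. The sample values are constructed, and the rule that only Time-lock Locked supplies {2} is an assumption drawn from the default messages; how the product itself handles an unsupplied placeholder is not documented here, so the lint treats it as something to fix.

```python
import re

SMS_LIMIT = 160  # single-SMS length on most mobile networks, as the guide notes

# Default alert messages as listed in the guide.  {0} = event date/time,
# {1} = the user, service or resource that triggered the event, {2} = the
# time the time-lock ends (supplied only for the Time-lock Locked event).
DEFAULT_MESSAGES = {
    "Locked for Access": "{0}: User {1} has been locked for access",
    "Unlocked for Access": "{0}: User {1} has been unlocked for access",
    "Locked for Authentication": "{0}: User {1} has been locked for authentication",
    "Time-lock Locked": "{0}: User {1} has been Time-lock locked until {2}",
    "Time-lock Unlocked": "{0}: User {1} has been Time-lock unlocked",
    "Resource Host Lost Connection": "{0}: Lost connection to Resource Host {1}",
    "Resource Host Restored Connection": "{0}: Restored connection to Resource Host {1}",
    "Service Lost Connection": "{0}: Lost connection to {1}",
    "Service Restored Connection": "{0}: Restored connection to {1}",
    "Local User Database Lost Connection": "{0}: Lost connection to Local User Database{1}",
    "Local User Database Restored Connection": "{0}: Restored connection to Local User Database{1}",
    "Authentication Method Server Lost Connection":
        "{0}: Lost connection to Authentication Method Server used by Authentication Method {1}",
    "Authentication Method Server Restored Connection":
        "{0}: Restored connection to Authentication Method Server used by Authentication Method {1}",
}

def placeholders_supplied(event):
    """Number of positional values the event provides: {0} and {1} for every event,
    {2} as well for Time-lock Locked (an assumption drawn from the default messages)."""
    return 3 if event == "Time-lock Locked" else 2

def placeholders_used(template):
    """The placeholder indexes ({0}, {1}, ...) that appear in a template."""
    return {int(n) for n in re.findall(r"\{(\d+)\}", template)}

def render(template, *values):
    """Substitute the positional placeholders, as in the guide's example."""
    return template.format(*values)

def lint_template(event, template, sample_values, sms=False):
    """Return a list of problems with a (possibly customized) alert message template.

    sample_values are constructed stand-ins for the event data; pass the longest
    values you expect (long user or resource names) so the SMS check is conservative.
    """
    problems = []
    supplied = placeholders_supplied(event)
    unknown = sorted(n for n in placeholders_used(template) if n >= supplied)
    if unknown:
        problems.append(f"{event}: placeholder(s) {unknown} are not supplied for this event type")
        return problems  # rendering would fail; nothing more to check
    rendered = render(template, *sample_values[:supplied])
    if sms and len(rendered) > SMS_LIMIT:
        problems.append(f"{event}: rendered message is {len(rendered)} characters, "
                        f"over the {SMS_LIMIT}-character SMS limit")
    return problems

def lint_all(templates, sample_values, sms=False):
    """Lint every template in a mapping of event type -> message."""
    return [p for event, template in templates.items()
            for p in lint_template(event, template, sample_values, sms)]
```

With the constructed values `("2013-08-08 10:11:31", "Joe Smith", "2013-08-08 11:11:31")`, `lint_all(DEFAULT_MESSAGES, values, sms=True)` returns an empty list, while a Locked for Access template that references `{2}` or that pads the message past 160 characters is reported.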

Set the Log Level Filter

For each service, you can configure a log level for each type of log file. Use the Log Level Filter controls to discard log messages that do not meet the severity you specify. In the Log Level Filter drop-down list, select a log level filter:
- Off: Disables logging for that service.
- Fatal: Logs only fatal messages.
- Warning: Logs only fatal and warning messages.
- Info: Logs all levels of messages. This is the default setting.

Configure Log File Rotation

For each service, you can configure log file rotation for each type of log file. In the Log File Rotation section, select the radio button for the rotation schedule you want:
- Create a new log file every day: The service creates a new log file every day.
- Disable log file rotation. Save all log messages in the same file: The service logs all messages to the same file, which therefore grows without limit.
- Rotate log files based on size: The service creates a new log file when the current file reaches the Max File Size you type. In the Max Files in Rotation field, you must set the maximum number of concurrent log files.

These settings control how many files are kept and how large they grow:
- Max Files in Rotation: Prevents excessive log files from filling up your disk space. This is set to 90 for each log type by default; you can enter a value between 2 and an upper limit. When the maximum number of log files is reached, the system removes the oldest log file and creates a new one.
- Max File Size: Prevents excessive log file size. A default size in KB is set for each log type.

Messages in a log file that rotation has removed are gone unless they were also sent to a remote syslog server (see Enable Logging to a Remote Syslog Server).

Debug Logs

If you enabled debug logs on the Manage Global Logging Settings page, you can specify the IP address of the client whose HTTP traffic you want to include in the Diagnostics File.
- Client IP Address: Type the IP address for the HTTP traffic.

Log File Information

These settings are available only for the accesspoint service. On the Audit Log and HTTP Log tabs, select the check box for each type of information you want to include in the log file. The available options are different for each type of log file.

Syslog

To configure syslog settings, you must first enable syslog on the Manage Global Logging Settings page. In the Log Level Filter drop-down list, select the log level filter for logging to the remote syslog server:
- Off: Disables syslog logging for that service.
- Fatal: Logs only fatal messages.
- Warning: Logs only fatal and warning messages.
- Info: Logs all levels of messages. This is the default setting.

If you set the syslog log level filter to Fatal, Warning, or Info, make sure that you configure the syslog server IP address on the Manage Global Logging Settings page. For more information, see Manage Global Logging Settings.

Manage Global Logging Settings

Global logging settings apply to all log files created by all services. To manage global logging settings:
1. Select Monitor System > Logging.
2. Click Manage Global Logging Settings. The Manage Global Logging Settings page appears.
3. In the Time Zone section, select the time zone to use in log file messages: Local Time or GMT. The default setting is Local Time. If you correlate these logs with logs from other systems, use the same time zone on all of them.
4. In the Log collection interval text box, type the number of seconds between collections of log messages. Log collection controls how often the Administration service collects log messages from the other services. The default setting is 5 seconds.
5. Click Save.

Note: Alerts and reports both depend on log collection. If you set the log collection interval too high, you reduce your ability to see real-time report data and you delay the delivery of alerts.

Enable Debug Logging

To troubleshoot a problem with your WatchGuard SSL device, you can enable an additional level of logging. Select the Enable debug logging check box. When you enable debug logging, several debug log files are created for the accesspoint service:
- Raw External log file
- Raw Internal log file
- Raw Proxy Interchange log file
- Hyper Links log file
- Form Based log file
For the Administrator service, an additional debug log file is created.

You cannot see the debug log files in the WatchGuard SSL Web UI. To see them, download the diagnostics ZIP file that contains all log files. For information about the diagnostics file, see About the Diagnostics File.

Enable Logging to a Remote Syslog Server

You can also send log messages to a remote syslog server. When you enable syslog, the syslog messages from each service are sent to the syslog server at the IP address you specify. To enable syslog logging:
1. From the Manage Global Logging Settings page, select the Enable Syslog check box.
2. In the Log Facility text box, type the IP address of your syslog server.
3. Click Save.
For information about how to set the syslog log level for each type of log file, see Manage Logging.

Use Log Viewer

You can use Log Viewer to see log messages from the configured services, and you can specify search criteria to filter the results. The Log Viewer System Log includes only the severity levels INFO, WARNING, and FATAL. To search for log events:
1. Select Monitor System > Log Viewer. The Log Viewer page appears.

2. From the Log Type drop-down list, select the type of log message to include in the search:
   - System log: log messages for events related to system services
   - Audit log: log messages for user and administrator session activity
   - RADIUS log: log messages for RADIUS server requests
   - HTTP log: log messages for HTTP server requests
   - Billing log: log messages for events related to billing
3. From the Services list, select one or more services to include in the search:
   - All services: all services on the device
   - accesspoint: only services related to the operation of the Application Portal
   - Administrator: only services related to administration of your device
4. In the Search Criteria text box, type the criteria to use to filter the log messages. By default, the search finds all log entries that contain all the words in the search criteria, anywhere in the entry. For more information, see About Log Viewer Search Criteria.
5. In the Time Range section, select the time range to include in the search. To search recent log events, select Last and specify the number of hours or days. To search for log events in a date range, select From and type the start and end dates in the From and To text boxes.
6. Click View Log. The search runs, and the log messages that meet your criteria appear in a separate browser window.

Note: If you search the log files for a large number of services, the search can take a long time to complete.

About Log Viewer Search Criteria

You can use Search Criteria to trace specific log events, such as user activity, through your services. Searches are not case sensitive, and search criteria can include multiple text strings.

Exact match
To find log messages that contain an exact phrase, type quotation marks before and after the text exactly as it must appear in the log entry. For example:
    "server start"
Search results include all log entries that contain the exact phrase "server start".
    " info "
When you include spaces between the quotation marks and the text, the search results include all log entries with a space before and after the text "info". Because an unquoted term matches anywhere in the entry, this is the way to match the INFO severity level and not other text that happens to contain the string "info".

Find log events that contain all the search terms (AND)
To find log messages that contain several search terms, type and between the terms. Separating terms with a space has the same effect. For example:
    warning and authentication
Search results include all log entries that contain both the words warning and authentication.

Find log events that contain any of the search terms (OR)
To find log entries that contain any of the search terms, type or between the terms. The OR keyword takes precedence over the AND keyword: terms joined by or are evaluated first, and the resulting groups are then combined with and. For example:
    fatal or warning
Search results include all log entries that contain the severity level FATAL or WARNING.
    fatal or warning and sql
Search results include log entries with the severity level FATAL or WARNING that also include the text "sql".

Exclude terms from the search results (-)
To exclude a term, type a minus sign (-) directly before it. For example:
    -info
Search results include all log entries except those that contain "info".
    fatal or warning -sql
Search results include all log entries with the FATAL or WARNING severity level, except entries that include the text "sql".
    fatal or warning -lcp -"tc5 system"
Search results include all log entries with the FATAL or WARNING severity level, but not entries that contain LCP or the phrase "tc5 system".

Use wildcards
To search for part of a term, use the wildcard characters * and ?. Type * in place of any number of characters, and ? in place of exactly one character. For example:
    load*
Search results include all log entries with the text "load" followed by any other characters, such as "loaded" or "loading".
    loade?
Search results include all log entries with the text "loade" followed by exactly one other character, such as "loaded" or "loader".
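The search criteria syntax described above, as an added worked example that is not part of this guide and not WatchGuard's own implementation: a small evaluator that applies the documented rules (case-insensitive matching anywhere in the entry, quoted exact phrases, and/or with or binding tighter than and, exclusion with -, and the * and ? wildcards) to a handful of constructed log lines. The log line layout, the rule that a wildcard does not cross whitespace, and the handling of an unterminated quotation mark are my assumptions, not the product's behaviour. Use it to predict what a criteria string will return before you run a slow search across many services.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines for this example (not real WatchGuard SSL output;
# the layout timestamp / severity / service / message is assumed).
SAMPLE_LOG = [
    "2013-08-08 10:11:31 INFO accesspoint server start completed",
    "2013-08-08 10:12:02 WARNING accesspoint authentication failed for user jsmith",
    "2013-08-08 10:12:40 FATAL Administrator lost connection to sql backend",
    "2013-08-08 10:13:05 INFO accesspoint loading resource host definitions",
    "2013-08-08 10:13:06 INFO accesspoint loaded 12 resource hosts",
    "2013-08-08 10:14:00 WARNING accesspoint lcp negotiation retry",
    "2013-08-08 10:14:30 FATAL accesspoint tc5 system check failed",
]

@dataclass(frozen=True)
class Term:
    text: str      # the word or quoted phrase as typed
    quoted: bool   # True for an "exact match" phrase, matched literally
    negated: bool  # True when the term was prefixed with '-'

def tokenize(criteria):
    """Split search criteria into Term objects and the keywords 'AND' / 'OR'."""
    tokens, i, n = [], 0, len(criteria)
    while i < n:
        if criteria[i].isspace():
            i += 1
            continue
        negated = False
        if criteria[i] == "-":
            negated, i = True, i + 1
            if i >= n or criteria[i].isspace():
                continue                    # a lone '-' excludes nothing
        if criteria[i] == '"':
            j = criteria.find('"', i + 1)
            if j == -1:
                j = n                       # assumption: unterminated quote runs to the end
            tokens.append(Term(criteria[i + 1:j], True, negated))
            i = j + 1
        else:
            j = i
            while j < n and not criteria[j].isspace():
                j += 1
            word = criteria[i:j]
            if not negated and word.lower() in ("and", "or"):
                tokens.append(word.upper())
            else:
                tokens.append(Term(word, False, negated))
            i = j
    return tokens

def parse(tokens):
    """Group terms so OR binds tighter than AND, as the guide describes: the result
    is a list of OR-groups that are ANDed together (whitespace between terms = AND)."""
    groups, current, pending_or = [], [], False
    for tok in tokens:
        if tok == "OR":
            pending_or = True
        elif tok == "AND":
            pending_or = False
        else:
            if pending_or and current:
                current.append(tok)
            else:
                if current:
                    groups.append(current)
                current = [tok]
            pending_or = False
    if current:
        groups.append(current)
    return groups

def term_matcher(term):
    """Return a case-insensitive predicate that tests one term against a log line."""
    if term.quoted:
        needle = term.text.lower()
        return lambda line: needle in line.lower()
    # Unquoted terms support wildcards: '*' = any run of characters, '?' = exactly
    # one character.  Assumption: a wildcard does not run across whitespace.
    pattern = "".join(r"\S*" if ch == "*" else r"\S" if ch == "?" else re.escape(ch)
                      for ch in term.text)
    regex = re.compile(pattern, re.IGNORECASE)
    return lambda line: regex.search(line) is not None

def compile_criteria(criteria):
    """Turn a criteria string into a predicate over log lines."""
    groups = [[(term_matcher(t), t.negated) for t in g] for g in parse(tokenize(criteria))]
    def matches(line):
        # Every OR-group must hold; within a group one term is enough, and a
        # negated term holds when it does NOT match the line.
        return all(any(hit(line) != neg for hit, neg in group) for group in groups)
    return matches

def search(criteria, lines=SAMPLE_LOG):
    """Return the lines that satisfy the criteria, in their original order."""
    matches = compile_criteria(criteria)
    return [line for line in lines if matches(line)]
```

`search('fatal or warning and sql')` returns only the FATAL line that mentions sql, reproducing the precedence example from the guide, and `search('fatal or warning -lcp -"tc5 system"')` drops the two lines that the exclusions name. An empty criteria string matches every line, which is what the guide's "all the words in the search criteria" default implies.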

About Reports

To see the information in your log files, you can generate reports. A report can show the current status of the device or a service, or cover a time range you select. Report information is also stored in a database for later use. After you generate a report, you can save it as a PDF or text file so you can examine the data with third-party programs at another time.

Available Reports

You can generate any of these reports, or select Complete Report to generate all of the reports at the same time.

Abolishment Report
    Contains information about abolishment attempts over a selected time range.
Assessment Report
    Contains information about assessment attempts over a selected time range.
Session Trend Report
    Contains information about the number of concurrent sessions over a selected time range.
Session Trend Real-Time Report
    Contains information about the number of past and online sessions, in real time, over a selected time range.
Access Report
    Contains information about access requests over a selected time range.
Authentication Report
    Contains information about failed and successful authentication attempts over a selected time range.
Authorization Report
    Contains information about failed and successful authorization attempts over a selected time range.
Account Statistics Report
    Contains information about the number of users per resource host over a selected time range.
Communication Report
    Contains information about lost connections over a selected time range.
User Policy Analysis Report
    Contains information about the resources accessible to each user based on the user's access policies.
User Audit Report
    Provides an audit trail of when a user logged in and logged out, and what resources the user accessed during the session.
Performance Report
    Contains information about system performance over a selected time range.
Tunnel Report
    Contains information about tunnel transfer rate over a selected time range.
System Report
    Contains information about connections and system resource usage over a selected time period.
Alerts Report
    Contains information about alerts triggered over a selected time range.
Complete Report
    Contains information from all the reports.

Generate a Report
1. Select Monitor System > Reports. The Manage Reports page appears.
2. In the Generate Report column, click the name of the report you want to generate. The Generate Report page for the report you selected appears, with the Time Range tab selected by default.
3. Select the time range for the report.
4. Select the Filter tab. A list of filters for the selected report appears.
5. In the Select Filter column, click a filter to change the Current Filter settings. The default setting for all filters is All.
6. Select the Graphics tab. The Graphics tab contains a list of charts you can generate.
7. Select the check box adjacent to each chart type to include in the report.
8. For each chart you select, in the adjacent drop-down list, select the chart style.
9. Click Generate Report. The View Report page appears for the current report. Each chart type appears on a separate tab.
10. Select a tab to see each available chart.
11. To refresh the report data, click Refresh Charts.

Save a Report
To save a copy of a report to a local file:
1. Generate a report. The View Report page for the selected report type appears.
2. Click Save Report.
3. Select whether to save the report as a PDF file, data file, or image file. The PDF contains all pages of the report. Data files are stored as plain text, one text file per report tab. Image files are stored as PNG files, one file per chart.
4. Click Download. A file is generated. If you selected more than one file type, the files are packaged in a ZIP file.
5. Click the file name to download the file.

Abolishment Report

The Abolishment Report contains information about abolishment attempts over a time range you select. You can set filters and select chart types to customize the report.

Filters
Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters are:
- User ID
- Client
- Client IP

Graphics
Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
- Failed Attempts over Time
- Succeeded Attempts by User
- Succeeded Attempts over Time
You can also select the style of each chart. The default style for these charts is Bar.

For more information about how to generate a report, see About Reports.

Assessment Report

The Assessment Report contains information about assessment attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters are:
- Assessment Rule
- User ID
- Client
- Client IP

Graphics
Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
- Failed assessment attempts over time
- Failed assessment attempts by reason
- Failed assessment attempts by user
- Succeeded assessment attempts over time
You can also select the style of each chart. The default style for these charts is Bar.

For more information about how to generate a report, see About Reports.

Session Trend Report

The Session Trend Report contains information about sessions over a selected time range. You can set filters and select chart types to customize the report.

Filters
Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters are:
- Authentication Method
- User ID

Graphics
Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
- Maximum concurrent sessions over time
- Ongoing sessions by user
- Average session duration over time
- Ended sessions by type

For more information about how to generate a report, see About Reports.

Session Trend Real-Time Report

The Session Trend Real-Time Report contains information about past and online sessions, in real time, over a selected time range. You can set filters and select chart types to customize the report.

Filters
Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters are:
- Authentication Method
- User ID

Graphics
Select the Graphics tab to choose the type of chart for the report data. This report includes one chart type:
- Past and on-line sessions Report

For more information about how to generate a report, see About Reports.

Access Report

The Access Report contains information about access requests over a selected time range. You can set filters and select chart types to customize the report.

Filters
Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters are:
- Web Resource Host
- User ID
- Client
- Client IP
- Tunnel Resource
- Tunnel Protocol
- Tunnel IP
- Tunnel Port

Graphics
Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
- Access Requests over Time
- Access Requests by User
- Access Requests by Web Resource Host
- Access Requests by Tunnel Resource Host

For more information about how to generate a report, see About Reports.

Authentication Report

The Authentication Report contains information about failed and successful authentication attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters are:
- Authentication Method
- User ID
- Client
- Client IP

Graphics
Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
- Failed Attempts over Time
- Failed Attempts by Reason
- Failed Attempts by User
- Authentication method usage
- Average Attempts by Hour
- Succeeded Attempts over Time
You can also select the style of each chart. The default style for these charts is Bar.

For more information about how to generate a report, see About Reports.

Authorization Report

The Authorization Report contains information about failed and successful authorization attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters are:
- Client IP
- Client
- Web Resource Host
- User ID
- Tunnel Resource
- Tunnel Protocol
- Tunnel IP
- Tunnel Port

Graphics
Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
- Failed Attempts over Time
- Failed Attempts by Reason
- Failed Attempts by User
- Average Attempts by Hour
- Succeeded Attempts over Time
You can also select the style of each chart. The default style for these charts is Bar.

For more information about how to generate a report, see About Reports.

Account Statistics Report

The Account Statistics Report contains information about the number of users per resource host over a selected time range. You can set filters and select chart types to customize the report.

Filters
Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters are:
- User ID
- Web Resource Host
- Tunnel Resource
- Tunnel Protocol
- Tunnel IP
- Tunnel Port

Graphics
Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
- Users by Web Resource Host
- Users by Tunnel Resource Host
You can also select the style of each chart. The default style for these charts is Pie.

For more information about how to generate a report, see About Reports.

User Policy Analysis Report

The User Policy Analysis Report contains information about the resources accessible to each user based on the user's access policies. The report fields are:
- User: The user name.
- Accessible Resources: A list of the resources to which this user has access, based on the user's access policy.

For more information about how to generate a report, see About Reports.

User Audit Report

The User Audit Report provides an audit trail of when a user logged in and logged out, and what resources the user accessed during the session. The report fields are:
- User: The user name.
- Login: The date and time when the user logged in.
- Logout: The date and time when the user logged out.
- Authentication: The type of authentication used to authenticate the user.
- Resources Used: The resources the user accessed during the session.

For more information about how to generate a report, see About Reports.

Communication Report

The Communication Report contains information about lost connections over a selected time range. You can change the chart style to customize the report.

Filters
There are no filters for this report.

Graphics
Select the Graphics tab to choose the type of chart for the report data. This report includes one chart type:
- Lost Connections over time
You can also select the style of this chart. By default, the style is Bar.

For more information about how to generate a report, see About Reports.

Performance Report

The Performance Report contains information about system performance over a selected time range. You can set filters and select chart types to customize the report.

Filters
Select the Filter tab to modify the filter for the report. By default, this filter is set to All. This report has one filter:
- Web Resource Host

Graphics
Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
- Average request rate over time
- Average response time by web resource host
- Transfer rate device to web resource host
- Transfer rate web resource host to device
- Failed responses over time

For more information about how to generate a report, see About Reports.

Tunnel Report

The Tunnel Report contains information about tunnel transfer rate over a selected time range. You can set filters and select chart types to customize the report.

Filters
Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters are:
- Tunnel Resource
- Tunnel Protocol
- Tunnel IP
- Tunnel Port

Graphics
Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
- Transfer rate client to tunnel resource host
- Transfer rate tunnel resource host to client
You can also select the style of each chart. The default style for these charts is Line.

For more information about how to generate a report, see About Reports.

Alerts Report

The Alerts Report contains information about alerts triggered over a selected time range. You can select the chart style to customize the report.

Filters
There are no filters for this report.

Graphics
Select the Graphics tab to choose the type of chart for the report data. This report includes one chart type:
- Alerts by Type
You can also select the style of this chart. The default style is Pie.

For more information about how to generate a report, see About Reports.

System Report

The System Report contains information about connections and system resource use over a selected time period. You can select chart types and styles to customize the report.

Filters
There are no filters for this report.

Graphics
Select the Graphics tab to choose the type of chart for the report data. You can select one or more of these chart types:
- Maximum Client and Server Connections over Time
- Maximum SSL Sessions over Time
- Available Memory by WatchGuard Service
- Available Disk Space by WatchGuard Service
You can also select the style of each chart. The default style for these charts is Line.

For more information about how to generate a report, see About Reports.

Complete Report

The Complete Report contains statistics from all available report types. You can set filters and select chart types to customize the report.

Filters
Select the Filter tab to modify the filters for the report. By default, all filters are set to All. The available filters are:
- User ID
- Client
- Client IP
- Web Resource Host
- Tunnel Resource
- Tunnel Protocol
- Tunnel IP
- Tunnel Port
- Assessment Rule
- Authentication Method

Graphics
You can select one or more of the chart types. The Complete Report includes the chart types available in all of the other reports. By default, all chart types are selected.

For more information about how to generate a report, see About Reports.

77 About Monitor System Manage Report Database Settings All of the information used to generate reports is stored in a database. You can select whether to store the information from your reports, and for what period of time. To change the report database settings: 1. Select Monitor System > Reports. The Manage Reports page appears. 2. Click Manage Report Database Settings. The Manage Report Database Settings page appears. 3. Select the Store report information check box to enable report information to be stored in the database. This is enabled by default. If you do not want to store data for reports, clear this check box. 4. Select the Delete events older than check box. 5. In the days text box, type a number of days. When you Save and Publish your changes, data older than the specified number of days is deleted from the report database. 6. Click Save. 7. Click Publish to save your configuration changes. About the Diagnostics File To get all of your log files at one time, you can create a Diagnostics File. The Diagnostics File is a compressed (ZIP) file that includes all of the System, Audit, Billing, HTTP, and RADIUS debug logs, configuration files, and message log entries for all servers. WatchGuard technical support may ask you to generate this file to help troubleshoot your system and resolve issues with your configuration. To create a Diagnostics File: 1. Select Monitor System > Diagnostics File. The Diagnostics File page appears. User Guide 65

78 About Monitor System 2. In the Time Range section, select a date range: To see the most recent data, select Last and specify the number of days. To see data for a particular period of time, select From and specify a date range. 3. Click Create Diagnostics File. The time it takes to create the file depends on the time range you selected. The Download Diagnostics File page appears, with a download link. 4. Click Download diagnostic-yyyymmdd-xxxx.zip to download the file. yyyymmdd-xxxx in the file name represents the date and number for each Diagnostics File you create. The browser download page appears. 5. Select to open the file or save it, and click OK. We recommend that you enable debug logging for a period of time before you generate the Diagnostics File. When you enable debug logging, the Diagnostics File contains additional debug log files that can help WatchGuard technical support. For information about debug logging, see Manage Global Logging Settings. About the Feature Key Onthe FeatureKey page,you cansee informationabout the current feature key andupload anew feature key. To see the content of your current feature key: 1. Select Monitor System > Feature Key. The Feature Key page appears. 66 WatchGuard SSL Web UI

79 About Monitor System 2. Review the information for your current feature key. 3. To upload a new feature key, select Upload a new feature key and click Browse to select the file. To use the evaluation feature key, select Use the default feature key. When you select this option, only one authenticated user can connect to your SSL device at a time. For information about how to get a feature key for your device, see Get a Feature Key. For information about how to upload the new feature key to the WatchGuard SSL device, see Upload a New Feature Key. Feature key information The Feature Key page includes this information: Serial Number The unique serial number that identifies the feature key for this WatchGuard SSL device. If you use the default feature key, you cannot see the device serial number in the feature key. User Guide 67

Version
   The installed software version.
Type
   The type of the feature key. The type can be Evaluation or Production.
Issued
   The date the feature key was issued by WatchGuard.
Issued To
   The name, company, and address for the person to whom the feature key was issued.
Issued By
   The name, company, and address for the organization that issued the feature key.
Effective Dates
   The start and end date for the period the feature key is valid.
Max Concurrent Users
   The maximum number of users allowed to simultaneously use the system. The number of users currently logged in to the system appears in parentheses.
Max Named Users
   The maximum number of named users allowed to use the system. The current number of registered named users appears in parentheses.
Max WatchGuard Authentication Users
   The maximum number of named users who can use WatchGuard authentication methods. The current number of registered users who can use WatchGuard authentication methods appears in parentheses. If the wildcard character * is used, the number of named users is unlimited.
Max RADIUS Clients
   The maximum number of RADIUS clients allowed. If the wildcard character * is used, the number of RADIUS clients is unlimited.
Max Resources
   The maximum number of registered resources. If the wildcard character * is used, the number of resources is unlimited. The current number of registered resources appears in parentheses.
Max Authentication Methods
   The maximum number of allowed authentication methods that you can configure.
LiveSecurity Effective Dates
   The start and end date for the period the LiveSecurity subscription is valid.

Upload a New Feature Key

A feature key is a file that enables licensed features on your WatchGuard SSL device. When you register your WatchGuard SSL device on the WatchGuard web site, you download a feature key file that enables all the licensed features. If you do not have your feature key, you can use the default feature key, which allows a maximum of one authenticated user.

Note: The default feature key is intended for evaluation purposes. The default feature key does not include LiveSecurity, so you cannot update the software or use the Live Update feature.

For more information about how to get a feature key for your device, see Get a Feature Key.

To upload a feature key file to the WatchGuard SSL device:

1. Select Monitor System > Feature Key.
   The Feature Key page appears.
2. Select Upload a new feature key.
   Upload New Feature Key appears at the bottom of the page.
3. Click Browse. Locate and select the feature key file.
4. Click Upload New Feature Key to replace the current feature key.

To use the default feature key:

1. Select Use the default feature key.
   Upload New Feature Key appears at the bottom of the page.
2. Click Upload New Feature Key to replace the current feature key with the default feature key.

Live Update

Your WatchGuard SSL device uses an End-Point Security definition file to support the client scans used for assessment access rules. By default, the device automatically updates the engine and definition file. You can check the status of the last update or change the frequency of updates to the engine and definition file on the Live Update page. You can also check for available updates to the engine and definition files.

Note: You must have a valid LiveSecurity subscription to get these updates.

Live Update settings are preconfigured to the recommended settings. WatchGuard recommends you do not change these settings unless instructed to do so by WatchGuard Technical Support.

Configure Live Update Settings

1. Select Monitor System > Live Update.
   The Live Update page appears.
2. In the Live Update Server URL text box, type the URL for the Live Update Server.
   This is automatically set to the WatchGuard Live Update server.
3. In the Max Connection Retries text box, specify the number of times the device tries to connect to the Live Update Server for each separate connection attempt.
   The default setting is 5 Times.
4. In the Definition Files Update Interval text box, specify how often the device checks for updates to the End-Point Security definition file.
   The default update interval is 20 Minutes.
5. In the Engine Files Update Interval text box, specify how often the device checks for updates to the engine file.
   The default engine update interval is 1 Month.
6. Select an option to update the engine and definition files:
   To automatically check for updates to the engine and definition file based on the configured Update Intervals, select Automatic Update.
   To disable automatic updates, select Manual Update.
7. If you selected Automatic Update, click Save and Start. If you selected Manual Update, click Save and Update.
   An update message appears at the top of the page.

   While the update is in progress, you can leave the Live Update page. The update continues to run in the background until it is finished. When you return to the page, an update status link appears.
8. To see details about the update status, click the update status link.
   An update status message appears at the top of the page.

Reboot after Engine Updates

After the WatchGuard SSL device downloads an engine update from the WatchGuard Live Update server, you must reboot the WatchGuard SSL device for the new engine update to take effect. If a new engine update was downloaded with either the automatic or manual process, the status message on the Live Update page notifies you that you must reboot the device for the engine update to take effect. You do not have to reboot the device for definition file updates to take effect.

Check for New Live Update Files

When an update to the definition and engine files is available, it is posted on the WatchGuard web site. The Live Update page includes information about the current definition and engine files on your device, but it does not include information about available updates to these files.

To check for new versions of the engine and definition files:

1. Select Monitor System > Live Update.
   The Live Update page appears.
2. Click Check Version.
   The device contacts the WatchGuard web site for information about the latest available versions. Information about the available updates appears on the Live Update page.


4 User Management

You can use WatchGuard SSL Web UI to manage user accounts and user groups, and to configure the SSL device to use an External Directory Service. You can import user accounts from an external file, and create or repair a link to a user account in an existing authentication directory. If you use an External Directory Service, you can also enable Self Service, which allows your users to activate an account and find a forgotten password or user name.

1. Select User Management.
   The User Accounts page appears.

2. Select a left menu item to manage settings for your user accounts.
   For more information about these menu items, see the subsequent sections.

User accounts
   WatchGuard SSL user accounts are linked to user information already stored in your directory service. An External Directory Service link establishes a connection to your local user information.

Global User Account Settings
   Configure default global settings for authentication, timeouts, user linking, and to set up automatic user link repair.

Manage All user accounts
   See all of the current user accounts and user groups. You can also disable or delete an account.

Import User account
   Use this method to create user accounts instead of the Add User Account wizard. To create a number of user accounts simultaneously, you can import a file with user information. The file must be formatted correctly. User accounts are added as specified in the default settings you configure in the Global User Account Settings section. For more information about how to format a user import file, see Import User Accounts.

Create User Account by Linking
   To add user accounts with this method, you create a link to an External Directory Service. User accounts are added as specified in the default settings you configure in the Global User Account Settings section.

User groups
   WatchGuard SSL includes three types of user groups:
      User groups in your External Directory Service
      User location groups
      User property groups
   The main User Groups page includes a list of all current user groups. You can add a user group, or search the list to find a current group.

External Directory Service
   The External Directory Service is the external location where user accounts are stored. When you configure the SSL device to use an External Directory Service, you use the user accounts that are configured in the directory service rather than create new accounts for your users. You specify the computer on which the External Directory Service is installed and define a set of search rules to find users and user groups.

Self Service
   If you use an External Directory Service, you can use Self Service to enable your users to get their own user information, such as a forgotten password or user name. You can also allow your users to activate their accounts. When you enable and configure Self Service, you can use the wizard to configure the settings, or you can manually configure the settings. To get information from Self Service, users must answer a series of challenge questions that you specify to verify their credentials.

About User Accounts

You can use WatchGuard SSL Web UI to create user accounts in your Local User Database with one of these methods:
   Add User
   Create User Account by Linking
   Import User Account

Each of these methods gives you a different level of detail in the account settings. When you edit an account, you can change all account settings, regardless of the method you used to create the user account.

Add User
   To manually add a user account to the Local User Database, select this method. It gives you the most flexibility in account configuration. For more information, see Manually Add a User Account.

Create User Account by Linking
   To create a basic user account based on an existing user in your External Directory Service, select this method. Basic information for the user account is automatically copied from the directory service and is added to the Local User Database. For more information, see Link to a User Account.

Import User Account
   To create multiple user accounts at one time, select this method to import a file with all the information for the user accounts. For more information, see Import User Accounts.

User Account Search Result List

You can search for, disable, and delete user accounts on the Manage All User Accounts page.

1. Select User Management.
   The Manage All User Accounts page appears.

2. To search for a user, in the Search by User ID text box, type a User ID.
   To expand the search results, you can use the * wildcard character.
3. From the Search by User ID drop-down list, select the search parameters.
4. Click Search.
5. To disable a user account, select the Disabled check box for a user account and click Save.
   The user can no longer connect to the Application Portal or network resources, but the account is not removed.
6. To delete a user account, select the Delete check box for a user account and click Delete.
   The user account is removed.

Manually Add a User Account

You can add user accounts to the Local User Database one at a time. This method gives you the most configuration options when you first create the account.

For each user account, you can add a Display Name. The Display Name only appears in the Web UI and enables you to easily distinguish one user account from another. When you add a user account, you can also define custom attributes to add specific details to an account. For example, you can add an attribute that you use when you add the user to a user group.

To add a user account:

1. Select User Management.
   The User Accounts page appears.
2. From the User Accounts table, select Add User.
   The Add User Account page appears.

3. In the User ID text box, type a name for this user account.
4. To get user account information from your External Directory Service, click Link User.
   The User Location in Directory and Display Name text boxes are populated with information from the External Directory Service account for the user.
5. If necessary, in the Display Name text box, type a new display name for the user account.
6. To add specific name and value information for the user, click Add Custom Attribute.
   The Add Custom Attribute page appears.
7. In the Name and Value text boxes, type the information for the attribute. Click Next.
   The Add User Account page appears. The new attribute appears in the Custom Attributes list.
8. (Optional) To add more attributes, repeat Steps 6 and 7.
9. Click Next.
   The Add User Account page appears.

10. Select the check box for each WatchGuard authentication method you want to enable for this user account.
    When you select an authentication method, the link at the bottom right of the page changes from Finish Wizard to Next.
11. (Optional) If you selected an authentication method that sends the password or PIN in an email, in the Email Address text box, type the email address for this user account.
12. (Optional) If you selected an authentication method that sends the password or PIN as an SMS message, in the SMS text box, type the mobile phone number for this user account.
13. Click Next.
    The WatchGuard Authentication page appears with the settings for the authentication methods you selected.
14. For each authentication method, type and verify the password or PIN for this user account.
    For more information about the password or PIN parameters for each authentication method, see the subsequent section.
15. In the Password Properties or PIN Properties section, select the settings for this user account.
16. From the Notification drop-down list, select the method to use to notify the user of the Password or PIN for the user account.
    The available options depend on the settings you selected for email notification and SMS distribution. Available options include:
       By Screen - Displays the notification message about updated authentication credentials to the administrator and the user in the SSL Web UI.
       By Email - Send notification updates to the user by email.
       By Email and Screen - Send notification updates to the user by email and by screen.
       By SMS - Send notification updates to the user by SMS.
       By SMS and Screen - Send notification updates to the user by SMS and by screen.
17. Click Finish Wizard.
    The new user account is created. The Manage All user accounts page appears, with the new user account in the User Accounts table.

Authentication method password and PIN parameters

Each password or PIN you set for a WatchGuard authentication method must meet certain required parameters. If the password or PIN you select does not meet the required parameters, a red notification appears at the top of the page when you finish the wizard.

WatchGuard SSL Mobile Text
   The password must be between six and sixteen characters and must include at least two numerals.
WatchGuard SSL Web
   The password must be between six and sixteen characters and must include at least two numerals.
WatchGuard SSL Challenge
   The PIN must be six numerals.
WatchGuard SSL Password
   The password must be between six and sixteen characters and must include at least two numerals.
WatchGuard SSL Synchronized
   The PIN must be six numerals.

Import User Accounts

You can import user accounts from a file to add many user accounts to your Local User Database at the same time. The file you import must be a text (.txt) file with this information:
   The first row contains the column headings that specify the fields in the import file. Headings do not contain any spaces and are not case-sensitive.
   Each row contains data for only one user.
   If a row does not contain data, or begins with the comment sign, the row is ignored.

For more information about the user import file, see the subsequent section.

To import user accounts:

1. Select User Management.
   The Manage All User Accounts page appears.
2. Click Import User Account.
   The Manage User Import page appears.

3. From the Separator in File drop-down list, select the type of separator used in the file.
   The default separator is Comma.
4. Click Browse and select the file.
   The file name appears in the Import File text box.
5. Click Import Users.
   The file is imported and the user information is added to your Local User Database.

About the User Import File

The file you use to import user accounts must be a text file with information separated by commas, semicolons, or tabs, and must have only one user account per line. To create a user account, the import file must include at least the User ID and Display Name for each user account.

When you import the file, the necessary user account information is automatically created for each user account, if it is not specified in the import file. This information includes:
   WatchGuard Access Number of Retries
   WatchGuard Authentication Number of Retries
   User Account Effective Dates

For these settings, the default value is set to the value specified in the Global User Account Settings.

Note: The authentication methods you enable on the Global User Account Settings page are not applied to the user accounts you add when you import them in a file.

Contents of the user import file

The user import file must be formatted with these settings:
   The first row in the import file must contain the column headings, to specify the fields in the import file. The headings cannot contain any spaces and are not case-sensitive.
   Each row must contain data for only one user.
   Empty rows and rows that begin with a comment sign (#) are ignored when imported.

For descriptions of the heading values, see the subsequent section.

Heading                      Value          Comment
UID                          String         Mandatory
RealName                     String         Mandatory
Comments                                    Column for comments; ignored when file is imported
DirectoryLink                String
UserStorage                  String
GroupName                    String
FramedIP                     String
MailAddress                  String
MobileNumber                 String
AccountDisabled              Boolean
AccountValidFrom             Date
AccountExpires               Date
AccountNeverExpires          Boolean
AccessMaxRetries             Integer
AuthenticationMaxRetries     Integer
ChallengeEnabled             Boolean
ChallengePIN                 Password
ChallengePINNeverExpires     Boolean
ChallengePINCannotChange     Boolean
ChallengePINMustChange       Boolean
ChallengePINGenerate         Boolean
ChallengeSeed                String
ChallengeSeedGenerate        Boolean
SynchronizedEnabled          Boolean
SynchronizedPIN              Password
SynchronizedPINNeverExpires  Boolean
SynchronizedPINCannotChange  Boolean
SynchronizedPINMustChange    Boolean
SynchronizedPINGenerate      Boolean
SynchronizedSeed             String
SynchronizedSeedGenerate     Boolean
WebEnabled                   Boolean
WebPwd                       Password
WebPwdNeverExpires           Boolean
WebPwdCannotChange           Boolean
WebPwdMustChange             Boolean
WebPwdGenerate               Boolean
PasswordEnabled              Boolean
PasswordPwd                  Password
PasswordPwdNeverExpires      Boolean
PasswordPwdCannotChange      Boolean
PasswordPwdMustChange        Boolean
PasswordPwdGenerate          Boolean
PasswordPwdUseDirectory      Boolean
MobileTextEnabled            Boolean
MobileTextPwd                Password
MobileTextPwdNeverExpires    Boolean
MobileTextPwdCannotChange    Boolean
MobileTextPwdMustChange      Boolean
MobileTextPwdGenerate        Boolean
MobileTextPwdUseDirectory    Boolean
NotifyByMail                 Boolean
NotifyBySMS                  Boolean
NotifyToAddress              Email address

Import File Heading Value Descriptions

Item       Description
String     A string that contains any character.
Integer    Non-negative numeral.
Boolean    True or false.
Password   Password in clear text, or {SHA} followed by the base64-encoded SHA hash of the password.
Date       The date format that corresponds to the language settings for your browser. Make sure the date format in the file matches your browser settings.

Link to a User Account

You can link to an existing user account in your External Directory Service to create a basic user account in your Local User Database. Linked user accounts are added according to your default settings on the Manage Global User Account Settings page. For more information about global user account settings, see Manage Global User Account Settings.

To link to a user account:

1. Select User Management.
   The User Accounts page appears.
2. Click Create User Account by Linking.
   The Manage User Linking page appears.
3. In the User ID text box, type the User ID for the user you want to add.
4. From the Notification drop-down list, select the notification method for this account.
   For more information about the available options, see the subsequent section.
5. In the Message Set drop-down list, select the notification message to send.
   For more information about the available options, see the subsequent section.
6. Click Link User.
   The user account is added to your Local User Database and appears in the Manage All User Accounts table.

Notification and Message Set options

Notification
   Select the method to use to notify the user of the Password or PIN for the user account. The available options depend on the settings you selected for email notification and SMS distribution. For more information about email notification and SMS distribution settings, see About Notification Settings. Available options include:
      By Screen - Displays the notification message about updated authentication credentials to the administrator and the user in the SSL Web UI.
      By Email - Send notification updates to the user by email.
      By Email and Screen - Send notification updates to the user by email and by screen.
      By SMS - Send notification updates to the user by SMS.
      By SMS and Screen - Send notification updates to the user by SMS and by screen.
   The default setting is By Screen.

Message Set
   A message set includes all the notification messages for the WatchGuard authentication methods. The message set Default includes all the messages specified on the Global Authentication Service Settings page. The default setting is Default.

Repair a Linked User Account

If a linked user account is moved in the External Directory Service, the link is broken between the Local User Database and the External Directory Service. You can use the User Link Repair wizard to repair, remove, or delete the broken account.

To repair a link for a user account:

1. Select User Management.
   The User Accounts page appears.
2. Click Repair Linked User Account.
   The User Link Repair page appears. If there are no broken links, the message "There are no user links to repair." appears. If there are broken links, a message about the number of broken links appears.

3. Click Start User Link Repair Wizard.
   The Overview page appears, with information about the first broken link.
4. Select an action.
5. Click Next.
   If there is more than one broken link, the first link is repaired. The Overview page appears for the next link.
6. If there is more than one broken link, repeat Steps 4 and 5 for the other broken links.
   When all links are repaired, the User Link Repair Result page appears with information about the repaired user accounts.

Edit User Accounts

You can edit or delete information and settings for each user account, regardless of which method you used to add the account.

To edit a user account:

1. Select User Management.
   The User Accounts page appears.
2. In the User Accounts table, click the User ID for the account you want to edit.
   The Edit User Account page appears for the user you selected.
3. Select a tab and edit the information and settings for the user account.
4. Click Save.
   The user account is updated with the changes and the Manage All User Accounts page appears.

To delete a user account:

1. Select User Management.
   The User Accounts page appears.
2. In the User Accounts table, click the User ID for the account you want to delete.
   The Edit User Account page appears for the user you selected.
3. Click Delete.
   The Delete User Account page appears.
4. Click Yes to delete the account.
   The user account is deleted and the Manage All User Accounts page appears.

Manage Global User Account Settings

The Global User Account Settings are the default settings that apply to all user accounts. These settings are divided into three sections:

General Settings
   Includes default settings for user account access, WatchGuard authentication, and timeouts.
User Linking
   Includes options to enable WatchGuard Authentication methods for user accounts created by a linking method, and to set notification methods.
Repair User Links
   Includes the option to enable the device to automatically repair user links.
User Client Settings Sync
   Includes the option to allow clients to synchronize their settings and favorites to the SSL device.

To configure default user account settings:

1. Select User Management.
   The User Accounts page appears.
2. Click Global User Account Settings.
   The Manage Global User Account Settings page appears.

3. Configure the necessary settings on each tab.
   For more information about the settings on each tab, see the subsequent sections.
4. Click Save.

General Settings

On the General Settings tab, you can change the default settings for user account access, WatchGuard authentication, timeouts, and search limits.

Default Account Settings

Max Logon Retries
   Set the maximum number of times users can try to log on with invalid credentials before the account is locked. When set to 0, the user account is never locked.

   Note: The Max Logon Retries value is applied to new users only. If you want to change this value for existing users, you must change this value for each individual user.

Account Expires In
   Set the number of days the user account is active. When set to 0, the user account never expires.

Default Account Settings for WatchGuard Authentication

Max Logon Retries
   Set the maximum number of times users can try to log on with invalid credentials for WatchGuard Authentication methods before the account is locked. When set to 0, the user account is never locked.

Account Settings for WatchGuard Authentication

Use groups
   Select this option if you want to use group names when you manage user accounts. Group information is sent to the RADIUS client. The RADIUS client can then be configured to use this attribute for authorization.
Use framed IP address
   Select this option to send the configured framed IP address to the system when a user authenticates.
Time Lock Timeout
   Set the number of minutes before users can try to log on again after an account is locked because the Time Lock Interval was reached.
Time Lock Interval
   Set the number of times a user can try to log on with invalid credentials for WatchGuard authentication methods before the account is locked. Set to 0 to disable the time lock.
Change Password/PIN Notification
   Set the number of days before users are notified to change their passwords or PINs.

Timeout Settings

Configure timeout settings for inactivity, sessions, warnings, and active users.

Max Inactivity Time
   Maximum user inactivity time in minutes (1-1439) before re-authentication is required. When this time has elapsed since the user last accessed the device during a session, the user is required to re-authenticate. The user session is not interrupted.

Session Timeout
   This is the maximum user inactivity time in minutes (2-1440) before a user's session is terminated. The Session Timeout must be greater than the Max Inactivity Time.
Absolute Timeout
   The time in minutes (0-1440) since a user was last authenticated before re-authentication is required. This option is independent of user activity. Set this option to 0 to disable re-authentication.
Timeout Warning
   The time in seconds (0-3600) before a user is warned and prompted to re-authenticate. Set to 0 to disable the timeout warning.
Active Users Timeout
   The amount of time in minutes (1-1440) that a user must be inactive before they are removed from the Active Users count on the Monitor System > System Status > System Overview page. The Active Users Timeout must be greater than or equal to the Max Inactivity Time.

   Note: For a new Active Users Timeout setting to take effect, you must restart the administration service. To restart the service, select Manage System > Administration Service > Restart Service.

Search Limit Settings

Configure the maximum number of results to include and display in search results.

User Linking

On the User Linking tab, you can select whether to enable WatchGuard Authentication methods when you manually or automatically create a user account by linking. You can also select which authentication methods to enable, and configure the password properties for the methods you select.

Notification
   Select whether to send user notification messages by email or SMS.
Authentication Methods Settings
   Select the check box for each authentication method you want to automatically enable for linked user accounts. After you select a method, the Password Properties section for that method appears. Select the check box for each password property to apply to the selected authentication method. The default password property for each method is Generate password.

Repair User Links

To enable the SSL device to automatically repair broken user account links when users authenticate, select the Automatically repair user links check box.

User Client Settings Sync

This option allows you to synchronize Access Client preferences, history, and favorite resources to the SSL device. To enable user client synchronization, select the Sync User Client Settings and Favorites check box. This option is enabled by default. See Access Client Preferences for detailed information on Access Client synchronization settings.
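The lockout values (Max Logon Retries, Time Lock Interval, Time Lock Timeout) and the timeout values (Max Inactivity Time, Session Timeout, Absolute Timeout, Timeout Warning, Active Users Timeout) on the General Settings tab interact, and the guide states two ordering constraints between them. The following added example, written for this guide and not WatchGuard code, models those rules so a proposed set of values can be checked and the resulting session behaviour walked through. The class and field names are the example's own; how the failure counters reset after a temporary lock or a successful logon is not stated on the page, and the reset behaviour below is this example's assumption.

```python
"""Model the lockout and timeout rules from the General Settings tab (added example, not WatchGuard code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TimeoutSettings:
    max_inactivity_min: int        # 1-1439: idle time before re-authentication is required
    session_timeout_min: int       # 2-1440: idle time before the session is terminated
    absolute_timeout_min: int      # 0-1440: time since last authentication; 0 disables
    timeout_warning_sec: int       # 0-3600: warning window before re-authentication; 0 disables
    active_users_timeout_min: int  # 1-1440: idle time before removal from the Active Users count


def validate_timeouts(s: TimeoutSettings) -> list[str]:
    """Return every range or ordering violation the guide lists; empty means the settings are consistent."""
    problems = []
    ranges = [("Max Inactivity Time", s.max_inactivity_min, 1, 1439),
              ("Session Timeout", s.session_timeout_min, 2, 1440),
              ("Absolute Timeout", s.absolute_timeout_min, 0, 1440),
              ("Timeout Warning", s.timeout_warning_sec, 0, 3600),
              ("Active Users Timeout", s.active_users_timeout_min, 1, 1440)]
    for name, value, lo, hi in ranges:
        if not lo <= value <= hi:
            problems.append("%s must be between %d and %d" % (name, lo, hi))
    if s.session_timeout_min <= s.max_inactivity_min:
        problems.append("Session Timeout must be greater than Max Inactivity Time")
    if s.active_users_timeout_min < s.max_inactivity_min:
        problems.append("Active Users Timeout must be greater than or equal to Max Inactivity Time")
    return problems


def session_state(s: TimeoutSettings, now_min: int, last_access_min: int, last_auth_min: int) -> str:
    """Classify a session at time now (all times in minutes on one clock)."""
    idle = now_min - last_access_min
    if idle >= s.session_timeout_min:
        return "terminated"                          # session is gone; a new logon is needed
    if idle >= s.max_inactivity_min:
        return "reauthenticate"                      # session kept, credentials required again
    if s.absolute_timeout_min and now_min - last_auth_min >= s.absolute_timeout_min:
        return "reauthenticate"                      # independent of activity
    return "active"


def warning_due(s: TimeoutSettings, now_min: int, last_access_min: int) -> bool:
    """True inside the Timeout Warning window just before inactivity re-authentication."""
    if s.timeout_warning_sec == 0:
        return False
    remaining_sec = (s.max_inactivity_min - (now_min - last_access_min)) * 60
    return 0 < remaining_sec <= s.timeout_warning_sec


@dataclass
class LockoutPolicy:
    max_logon_retries: int     # failures before the account is locked; 0 = never locked
    time_lock_interval: int    # failures before a temporary time lock; 0 = disabled
    time_lock_timeout_min: int # minutes the time lock lasts


class AccountLockState:
    """Per-account failure counters (reset behaviour is this example's assumption)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.failures_total = 0
        self.failures_since_lock = 0
        self.locked_until_min: Optional[int] = None   # temporary time lock
        self.locked = False                           # account lock (Max Logon Retries reached)

    def can_attempt(self, now_min: int) -> bool:
        if self.locked:
            return False
        return self.locked_until_min is None or now_min >= self.locked_until_min

    def record_failure(self, now_min: int) -> None:
        self.failures_total += 1
        self.failures_since_lock += 1
        p = self.policy
        if p.max_logon_retries and self.failures_total >= p.max_logon_retries:
            self.locked = True
        elif p.time_lock_interval and self.failures_since_lock >= p.time_lock_interval:
            self.locked_until_min = now_min + p.time_lock_timeout_min
            self.failures_since_lock = 0

    def record_success(self) -> None:
        self.failures_total = self.failures_since_lock = 0
        self.locked_until_min = None


if __name__ == "__main__":
    cfg = TimeoutSettings(15, 30, 480, 60, 15)        # constructed sample values
    print(validate_timeouts(cfg), session_state(cfg, 20, 0, 0))
```

Setting Max Logon Retries to 0 turns the account lock off entirely, so a Time Lock Interval with a short Time Lock Timeout is then the only brake on repeated invalid logons; the model makes that visible when can_attempt keeps returning True after the lock expires.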

103 User Management Favorites You can also add favorites that are applied to any new users or for a specific user that can be synchronized to their Access Client settings. To add favorites that will be synchronized to new users, select Add Favorite Resource. Enter the Display Name, Server, and Configuration for the favorite. To manage favorites for a specific user, select User Management > User Accounts, select a specific user, then select the Favorites tab. About User Groups When you add your users to user groups, you can control the resources your users can select, or the actions users must take before they can select a resource. You can create user groups based on either the properties of a user account or the location of a user in the directory structure you specified. For information about how to add users to your Local User Database, see Manually Add a User Account, For information about how to specify an External Directory Service, see Add an External Directory Service Location. About User Property Groups User property groups are for groups of users with similar properties, such as job function. WatchGuard SSL manages these properties as attributes that contain a source, name, and value. Available attribute sources include: External directory service Custom-defined RADIUS session The attribute value you select must match the attribute name returned from the specified source type. When you select Custom-defined, you can use the user attributes specified on the General Settings page for user accounts. About User Location Groups User location groups are for groups of users that are all in a specified location. For example, ou=administr ators,dc=example,dc=com. Each user location group contains all the users who belong to the user group you select, as it is defined in your directory structure. The directory can be either your Local User Database or an External Directory Service. You can use this group type to integrate your existing local user groups. 
About User Groups and Access Rules
You can apply access rules based on user group membership information imported from a directory service like Active Directory. If the directory tree is reorganized, this can affect how the SSL device applies the group access rule until the group information is refreshed. When a group is moved during a directory reorganization, you must open the group access rule and save it again. The SSL device then searches for the group again and applies the new group location to access rules.

User Guide 91

Add a User Group
You can add a user location or user property group to categorize your user accounts. To add a user group:
1. Select User Management. The User Accounts page appears.
2. Select User Groups in the left navigation menu. The Manage User Groups page appears.
3. Click Add User Group. The Add User Group page appears.
4. Select a user group type. Click Next.
5. Configure the settings for the user group. The settings that appear depend on the group type you selected. For more information about the settings, see the subsequent sections.
6. To see all user accounts that match the settings you selected, click View Users.
7. Click Finish Wizard.
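The following Python script is an added worked example; it is not code from WatchGuard or from this guide. It models how the two user group types described above select users (a user location group by the position of the user entry under a User Location DN, a user property group by an attribute name and value) and shows why a group access rule must be opened and saved again after a directory reorganization: the rule keeps the group location it found when it was saved, so after the group moves it stops matching until it is refreshed. The directory entries, group names, DNs and attribute values are constructed sample data; the exact comparison of attribute values is an assumption.

```python
"""Added example, not WatchGuard code: how the two user group types
described above select users, and why a group access rule must be opened
and saved again after a directory reorganization.  Directory entries,
group names and DNs are constructed sample data."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def normalize_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Split a DN into (attribute, value) pairs, lower-cased and stripped, so
    "OU=Administrators, DC=example" equals "ou=administrators,dc=example".
    Simplification: escaped commas inside values are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


@dataclass
class User:
    dn: str
    attributes: Dict[str, str]   # one value per attribute, as the guide states


def in_location_group(user: User, location_dn: str) -> bool:
    """User location group: the user's entry lies below the User Location DN."""
    user_rdns, loc_rdns = normalize_dn(user.dn), normalize_dn(location_dn)
    return len(user_rdns) > len(loc_rdns) and user_rdns[-len(loc_rdns):] == loc_rdns


def in_property_group(user: User, attribute_name: str, attribute_value: str) -> bool:
    """User property group: the named attribute carries exactly this value
    (assumption: the comparison is exact; the guide does not say)."""
    return user.attributes.get(attribute_name) == attribute_value


@dataclass
class Directory:
    """Stand-in for the External Directory Service: user entries plus the DN
    at which each group currently lives."""
    users: List[User]
    groups: Dict[str, str]

    def move_group(self, name: str, new_dn: str) -> None:
        """Directory reorganization: the group and the users under it move."""
        old_dn = self.groups[name]
        for user in self.users:
            if in_location_group(user, old_dn) and user.dn.endswith(old_dn):
                user.dn = user.dn[: -len(old_dn)] + new_dn
        self.groups[name] = new_dn


@dataclass
class GroupAccessRule:
    """An access rule bound to a group.  As the guide says, the group's
    location is searched when the rule is saved and reused after that."""
    group_name: str
    cached_dn: Optional[str] = None

    def save(self, directory: Directory) -> None:
        self.cached_dn = directory.groups[self.group_name]

    def allows(self, user: User) -> bool:
        return self.cached_dn is not None and in_location_group(user, self.cached_dn)


def demo() -> Dict[str, bool]:
    """Constructed scenario: save a rule, move the group, observe the stale
    rule deny the user, re-save the rule, observe it match again."""
    directory = Directory(
        users=[User("uid=alice,ou=administrators,dc=example,dc=com", {"department": "IT"}),
               User("uid=bob,ou=sales,dc=example,dc=com", {"department": "Sales"})],
        groups={"administrators": "ou=administrators,dc=example,dc=com"},
    )
    alice, bob = directory.users
    rule = GroupAccessRule("administrators")
    rule.save(directory)
    before = rule.allows(alice)
    directory.move_group("administrators", "ou=administrators,ou=staff,dc=example,dc=com")
    stale = rule.allows(alice)        # the cached location no longer matches
    rule.save(directory)              # "open the group access rule and save it again"
    refreshed = rule.allows(alice)
    return {"before_move": before, "after_move_stale": stale, "after_resave": refreshed,
            "bob_is_admin": rule.allows(bob),
            "alice_in_it": in_property_group(alice, "department", "IT")}


if __name__ == "__main__":
    print(demo())
```

The stale result in the middle of demo() is the situation the guide warns about: nothing in the rule itself signals that the group moved, so a scheduled review of group access rules after any directory restructuring is the practical mitigation.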

User Location Group settings
Configure these settings for a User Location Group:
Display Name
Type a unique name to identify the user group.
Description (Optional)
Type a description to help you identify the user group.
User Location DN
Select the location of the users in the directory structure.

User Property Group settings
Configure these settings for a User Property Group:
Display Name
Type a unique name to identify the user group.
Description (Optional)
Type a description to help you identify the user group.
Attribute Source
Select the source for the user group attributes. The default setting is External directory service.
Attribute Name
Type the attribute name as it is defined in the selected directory service schema. If you set the Attribute Source to External directory service or Custom-defined, you must add an attribute name.
Attribute Value
Type the value of the attribute you specified.

Add a User to a Group using a Custom Attribute
You can use groups with access rules to assign resources efficiently. If you do not use an external directory service with groups defined for your users, you can create custom groups on the SSL device using a custom attribute.

To add a custom attribute and value to a user:
1. Select User Management. The User Accounts page appears.
2. Select a user.
3. Click Add Custom Attribute.
4. Add an attribute Name and a Value to match your group name.
5. Click Update.
6. Publish your configuration changes.

Note
A user can only have one value for each attribute. If you create more than one group with the same attribute, you cannot add a user to more than one of these groups with the same attribute.

To create a User Property Group:
1. Select User Management. The User Accounts page appears.
2. Select User Groups in the left navigation menu. The Manage User Groups page appears.
3. Click Add User Group. The Add User Group page appears.
4. Select User property group. Click Next.
5. In the Name field, type a name for the group.
6. From the Attribute Source drop-down list, select Custom-defined.
7. In the Attribute Name and Attribute Value fields, type the same attribute name and value you used for the user.
8. Click Finish Wizard.
9. Publish your configuration changes.

Search, Edit, or Delete User Groups
You can search the user group list to filter the groups you see in the list. You can also edit or delete the user groups you created. Default system user groups cannot be edited or deleted; you can only see information about these user groups.

Search the user group list
1. Select User Management. The User Accounts page appears.
2. Select User Groups. The Manage User Groups page appears.
3. In the Search by display name text box, type the name of the user group you want to find. To expand your search, include the * wildcard character in your search text.
4. In the Search by display name drop-down list, select the type of user group.
5. Click Search. The user groups that match your search parameters appear.

Edit user group information
1. Select User Management. The User Accounts page appears.
2. Select User Groups in the left navigation menu. The Manage User Groups page appears.
3. Click the Display Name for the user group you want to edit. The Edit User Group page appears.
4. Change the settings for the user group.
5. To see all the users in the group, click View Users.
6. Click Save.

Delete a user group
1. Select User Management. The User Accounts page appears.
2. Select User Groups. The Manage User Groups page appears.
3. Click the Display Name for the user group you want to delete. The Edit User Group page appears.
4. Click Delete. The Delete User Group page appears.
5. Click Yes. The user group is deleted.

About the External Directory Service
The External Directory Service is a location outside your SSL device where you store user account information, such as an Active Directory or LDAP server. You can select one or more directory service locations of different brands and types. When you link the user accounts in your Local User Database to the External Directory Service, you can reuse the existing information for your user accounts. Linked user accounts have references to existing users and user groups that you can use for user authentication. To configure an External Directory Service, you must specify the host for the directory service and define the search rules used to find users and user groups. You can then link the accounts on your External Directory Service to the Local User Database.

About Search Rules
Your Local User Database uses search rules to match users and user groups. When you configure search rules, make sure you define them based on the directory structure of your organization and the user objects you want to use in your rules.

About User Groups and Access Rules
You can apply access rules based on user group membership information imported from a directory service like Active Directory. If the directory tree is reorganized, this can affect how the SSL device applies the group access rule until the group information is refreshed. When a group is moved during a directory reorganization, you must open the group access rule and save it again. The SSL device then searches for the group again and applies the new group location to access rules.

About Directory Mapping
Directory mapping enables you to use specified attributes to get the existing information from your External Directory Service so you can reuse this information in your Local User Database. For example, you can get passwords or email addresses so you do not have to specify them in WatchGuard SSL Web UI when you create or link user accounts.

Add an External Directory Service Location
When you add an External Directory Service location, you can link your Local User Database user accounts to your existing directory service. This enables you to reuse existing user account information and simplify user account creation. You must make sure you also add the group search rule. If you do not add a group search rule, it will not be possible to use Active Directory groups in any access rule.

To add an External Directory Service location:
1. Select User Management. The User Accounts page appears.
2. Select External Directory Service. The Manage External Directory Service page appears.
3. Click Add External Directory Service Location. The Add External Directory Service Location page appears.
4. Select the type of directory service. Click Next. The Add External Directory Service Location page appears.
5. In the Display Name text box, type the name to appear in the Registered External Directory Service Locations list for this External Directory Service.
6. In the Host text box, type the primary IP address of your External Directory Service server.
7. (Optional) In the Secondary Host text box, type the secondary IP address for your External Directory Service server.
8. In the Port text box, specify the port to use to connect to your External Directory Service server. The default value is 389.
9. In the Account text box, type the user name of the account to use to connect to your External Directory Service server. We recommend you select a read-only account (not the server administrator account) with a password that does not often change.
10. In the Password text box, type the password for the user name you specified.
11. To secure communication between the SSL device and your directory service:
   a. Select the Use SSL check box.
   b. From the CA Certificate drop-down list, select the certificate authority certificate to use with the SSL connection.
12. To change the amount of time the SSL device waits for a response from the External Directory Service, in the Timeout text box, type the number of seconds.
13. To change the number of times the SSL device tries to connect to the primary External Directory Service host, in the Retries text box, type a number. If the primary host does not respond within the specified number of retries, the SSL device tries to contact the Secondary Host you specified.
14. To enable the SSL device to use the links between your directory service servers, select the Follow links between External Directory Services check box. This option is selected by default.
15. To verify the connection information for your External Directory Service is correct, click Test Connection. If your configuration is correct, a Connection test is successful message appears. If the connection test fails, review the settings for your External Directory Service server location, and correct any errors in the configuration.
16. Click Next. The Add External Directory Service Location page appears.
17. To add search rules for your users, click Add User Search Rule. The Add User Search Rule page appears.
18. Configure the search rule. Click Next. The External Directory Service Location Search Rules page appears.

Note
It is very important that you add the group search rule. If you do not add a group search rule, it will not be possible to use Active Directory groups in any access rule. If the group is moved during a directory reorganization, you must open the group access rule and save it again. The SSL device then searches for the group again and applies the new group location to access rules.

19. To add search rules for your user groups, click Add User Group Search Rule. The Add User Group Search Rule page appears.
20. Configure the search rule. Click Next. The External Directory Service Location Search Rules page appears.
21. To verify that the connection to your External Directory Service is active, click Test Connection.
22. Click Finish Wizard. The directory service is added and appears in the Registered External Directory Service Location list.
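The following Python script is an added worked example; it is not WatchGuard code or configuration. It models the connection settings from the procedure above (Host, Secondary Host, Port, Account, Use SSL with a CA Certificate, Timeout and Retries) as a small connection policy: the primary host is tried the configured number of times, the Secondary Host only after that, and when Use SSL is selected the chosen CA certificate is the only trust anchor, so the server certificate must chain to it and match the host name. The network call is injected so the script runs offline; the host names, the read-only bind account DN and the retry behaviour for the secondary host (assumed to get the same retry count as the primary) are constructed assumptions, and a real deployment would bind with an LDAP library.

```python
"""Added example, not WatchGuard code or configuration: a model of the
External Directory Service connection settings from the procedure above.
The network call is injected so the script runs offline; host names, the
bind account and the CA file path are constructed sample values."""

import ssl
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class DirectoryLocation:
    host: str                                   # primary directory server
    port: int = 389                             # default shown in the UI
    secondary_host: Optional[str] = None        # tried only after the primary exhausts its retries
    account: str = "cn=ssl-readonly,ou=service,dc=example,dc=com"  # read-only bind account (constructed)
    use_ssl: bool = False                       # the "Use SSL" check box
    ca_certificate: Optional[str] = None        # CA certificate chosen in the UI (file path)
    timeout: float = 5.0                        # seconds to wait for a response
    retries: int = 3                            # attempts per host (assumption: same count for the secondary)


def tls_problem(loc: DirectoryLocation) -> Optional[str]:
    """Configuration check: Use SSL without a CA certificate would leave the
    server certificate unverifiable, so treat it as a misconfiguration."""
    if loc.use_ssl and not loc.ca_certificate:
        return "Use SSL is selected but no CA Certificate is chosen"
    return None


def tls_context(loc: DirectoryLocation) -> Optional[ssl.SSLContext]:
    """Build a verifying TLS context: only the selected CA is trusted, a server
    certificate is required, and its name must match `loc.host`."""
    if not loc.use_ssl:
        return None
    problem = tls_problem(loc)
    if problem:
        raise ValueError(problem)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=loc.ca_certificate)
    return ctx


@dataclass
class ConnectResult:
    host: Optional[str]                                 # host that answered, or None
    session: object = None
    attempts: List[str] = field(default_factory=list)   # every host dialled, in order


def connect(loc: DirectoryLocation, dial: Callable[[str, int, float], object]) -> ConnectResult:
    """Retries and failover as the Retries setting describes: the primary host
    is tried `retries` times; only if it never answers is the Secondary Host tried."""
    result = ConnectResult(host=None)
    for host in (loc.host, loc.secondary_host):
        if not host:
            continue
        for _ in range(max(1, loc.retries)):
            result.attempts.append(host)
            try:
                result.session = dial(host, loc.port, loc.timeout)
            except (TimeoutError, ConnectionError):
                continue
            result.host = host
            return result
    return result


def make_fake_dial(down_hosts):
    """Constructed stand-in for the network: hosts in `down_hosts` never answer."""
    def dial(host: str, port: int, timeout: float):
        if host in down_hosts:
            raise TimeoutError(f"{host}:{port} did not answer within {timeout}s")
        return f"bound to {host}:{port}"
    return dial


def demo() -> ConnectResult:
    """Primary down, secondary up, two retries: the third attempt succeeds."""
    loc = DirectoryLocation("ldap1.example.com", secondary_host="ldap2.example.com", retries=2)
    return connect(loc, make_fake_dial({"ldap1.example.com"}))


if __name__ == "__main__":
    r = demo()
    print(r.attempts, "->", r.host)
```

The Test Connection step in the procedure exercises the same path: a test that succeeds only against the secondary host, or only with Use SSL cleared, is worth noticing before you click Finish Wizard.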

Edit an External Directory Service Location
You can edit an existing External Directory Service configuration to change the general and search rules settings, and to configure directory mapping settings. You can also delete an existing External Directory Service Location.

To edit an External Directory Service location:
1. Select User Management. The User Accounts page appears.
2. Select External Directory Service. The Manage External Directory Service page appears.
3. In the Registered External Directory Service Location list, click the Display Name of the directory service you want to change. The Edit Directory Service Location page appears.
4. Select a tab and edit the information and settings for the directory service.
5. To verify that the connection to your External Directory Service is active, click Test Connection.
6. Click Save.

To configure Directory Mapping settings for an External Directory Service Location:
1. Select the Directory Mapping tab. The Directory Mapping Attributes page appears.
2. Specify the attributes to use to get existing user account information from your External Directory Service. The attributes you specify must match the attributes in the External Directory Service.
3. Click Save.

To delete a Registered External Directory Service Location:
1. Select User Management. The User Accounts page appears.
2. Select External Directory Service. The Manage External Directory Service page appears.
3. In the Registered External Directory Service Locations list, click the Display Name of the directory service you want to delete. The Edit Directory Service Location page appears.
4. Click Delete. The Delete External Directory Service Location page appears.
5. Click Yes to delete the location. The External Directory Service Location is deleted and the Manage External Directory Service page appears.

About Self Service
You can use Self Service to allow your users to get their own user information, such as a forgotten password or user name. You can also allow your users to activate their accounts. To get information from Self Service, users must answer a series of questions to verify their credentials before they get their information. You must have an External Directory Service configured to use Self Service. You cannot use Self Service if you have only a Local User Database.

Before you can use Self Service, you must enable and configure it. You can use the wizard to enable it and configure the settings, or you can manually enable it and configure the settings. You can also disable Self Service. If you enable and then disable Self Service, you do not have to use the wizard to enable Self Service again.

Use the wizard to enable Self Service
You can use the WatchGuard SSL Self Service wizard to enable Self Service and configure the basic settings for you. This wizard is only available the first time you enable Self Service.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Yes - help me with the settings. The Manage Self Service page appears. Self Service is enabled by the system and partially configured.
3. To change the settings for Self Service, click Self Service Settings. The Manage Self Service Settings page appears. For more information, see Manage Self Service Settings.
4. To complete the configuration, click Modify System Challenges and add or edit a System Challenge. The Manage System Challenges page appears. For more information, see Modify System Challenges.
5. Click Save.

Manually enable and configure Self Service
You can choose to enable Self Service and configure the basic settings manually.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click No - I will do the configuration myself. The Manage Self Service page appears. The Self Service Enabled check box is selected, but settings are not configured.
3. To configure the settings for Self Service, click Self Service Settings. The Manage Self Service Settings page appears. For more information, see Manage Self Service Settings.
4. To complete the configuration, click the Modify System Challenges link and add or edit a System Challenge. The Manage System Challenges page appears. For more information, see Modify System Challenges.
5. Click Save.

Disable or restore Self Service
You can choose to disable Self Service after it is enabled and configured. When you disable Self Service, all your configuration settings are saved, so you can enable it again later.

To disable Self Service:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Clear the Self Service Enabled check box. Self Service is disabled and all your configuration settings are saved.

To restore Self Service:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Select the Self Service Enabled check box. Self Service is enabled and all your configuration settings are restored.

Manage Self Service Settings
You can configure the settings for Self Service that allow your users to activate their accounts and get their user names or passwords if they lose them. You can add one or more challenges to each type of setting. When you add more than one challenge to a setting, the challenges are applied in the order you specify. Self Service Settings types include:
Auto Activation Settings
Enable users to automatically activate their accounts.
Forgotten Password Settings
Enable users to find their forgotten passwords. You can choose to send a message to a secondary channel when the password is sent to the user.
Forgotten User Name Settings
Enable users to find their forgotten user names. You can configure the message that is sent to the user.
Advanced Settings
Set the amount of time users must wait between Self Service requests.

Before you can edit the setting type, you must have at least one system challenge. If there is not an available challenge, you can add one. For more information, see Modify System Challenges.

Add or delete a challenge
To add a challenge:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Self Service Settings. The Manage Self Service Settings page appears.
3. In the section for the settings you want to modify, click the Add link. For example, Add Auto Activate Challenge.
4. Select a System Challenge from the drop-down list.
5. Click Add Challenge. The challenge appears in the Registered Challenges list.
6. Click Up or Down to change the order in which the challenges are applied.
7. Click Save.
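The following Python script is an added worked example; it is not WatchGuard code. It models the Self Service checks described above: each System Challenge maps a question to a directory attribute whose value is the expected answer, the challenges registered for a setting type are applied in the order you configure them, a request stops at the first failed challenge, and the Advanced Setting for the minimum time between requests (in hours) throttles repeat requests from the same user whether or not the previous request succeeded. The challenge names, the directory record, the attribute names and the clock values are constructed sample data; the case-insensitive answer comparison and the choice to count failed attempts against the waiting time are assumptions, not documented product behaviour.

```python
"""Added example, not WatchGuard code: a model of the Self Service checks
described above.  A System Challenge maps a question to a directory
attribute, the challenges for a setting type run in the configured order,
and "Minimum time between requests" (hours) throttles repeat requests.
Challenge names, the directory record and clock values are constructed."""

import hmac
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class SystemChallenge:
    display_name: str
    question: str
    attribute_name: str      # directory attribute whose value is the expected answer


def _canonical(answer: str) -> bytes:
    """Lower-case and collapse whitespace so typed answers compare fairly
    (assumption: the product's tolerance is not documented on this page)."""
    return " ".join(answer.strip().lower().split()).encode()


def answer_matches(expected: str, given: str) -> bool:
    """Timing-safe comparison: the time taken does not reveal how many
    leading characters of the answer were right."""
    return hmac.compare_digest(_canonical(expected), _canonical(given))


@dataclass
class SelfService:
    challenges: Dict[str, List[SystemChallenge]] = field(default_factory=dict)  # setting type -> ordered chain
    min_hours_between_requests: float = 24.0
    last_request: Dict[str, float] = field(default_factory=dict)   # user name -> time (hours) of last request

    def verify(self, setting_type: str, user_name: str, record: Dict[str, str],
               answers: Dict[str, str], now_hours: float) -> str:
        """Run the challenge chain for one request.
        Returns "ok", "throttled", "not_configured" or "failed:<challenge>"."""
        chain = self.challenges.get(setting_type)
        if not chain:
            return "not_configured"        # the UI requires at least one challenge per setting
        last = self.last_request.get(user_name)
        if last is not None and now_hours - last < self.min_hours_between_requests:
            return "throttled"
        self.last_request[user_name] = now_hours   # a failed attempt still counts as a request
        for challenge in chain:                     # configured order; the first failure stops the chain
            expected = record.get(challenge.attribute_name)
            given = answers.get(challenge.display_name, "")
            if expected is None or not answer_matches(expected, given):
                return f"failed:{challenge.display_name}"
        return "ok"


def demo() -> List[str]:
    """Constructed scenario: one failed request, one throttled retry, one
    successful request a day later, and one setting with no challenges."""
    svc = SelfService(min_hours_between_requests=24)
    svc.challenges["forgotten_password"] = [
        SystemChallenge("Email", "What is your e-mail address?", "mail"),
        SystemChallenge("Employee ID", "What is your employee number?", "employeeNumber"),
    ]
    record = {"mail": "alice@example.com", "employeeNumber": "10042"}   # constructed directory entry
    results = []
    results.append(svc.verify("forgotten_password", "alice", record,
                              {"Email": "alice@example.com", "Employee ID": "99999"}, now_hours=0))
    results.append(svc.verify("forgotten_password", "alice", record,
                              {"Email": "alice@example.com", "Employee ID": "10042"}, now_hours=1))
    results.append(svc.verify("forgotten_password", "alice", record,
                              {"Email": "Alice@Example.com ", "Employee ID": "10042"}, now_hours=25))
    results.append(svc.verify("auto_activation", "alice", record, {}, now_hours=50))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the chain stops at the first failed challenge, put the challenge whose answer is hardest to guess first in the order; the throttle then limits how often a guess can be tried at all.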

To delete a challenge:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Self Service Settings. The Manage Self Service Settings page appears.
3. In the Registered Challenges list for the setting you want to change, click Remove for the challenge you want to delete.
4. Click Yes to delete the challenge.
5. Click Save.

Configure Advanced Settings
You can set the amount of time users must wait after they have submitted one Self Service request before they can submit another request.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Self Service Settings. The Manage Self Service Settings page appears.
3. Find the Advanced Settings section.
4. In the Minimum time between requests field, type the number of hours users must wait between Self Service requests.
5. Click Save.

Modify System Challenges
System Challenges are used to confirm the identities of your users when they use Self Service. When users connect to Self Service, before they can get their account information, they must correctly answer a set of challenge questions that you select. You can add, edit, or delete System Challenges.

Add a System Challenge
To add a System Challenge:
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Modify System Challenges. The Manage System Challenges page appears.
3. Click Add System Challenge. The Add System Challenge page appears.
4. In the Display Name, Challenge Question, and Attribute Name text boxes, type the settings for this system challenge. You can use the * wildcard character.
5. Click Next. The Summary page appears.
6. Review the settings for this system challenge.
7. Click Finish Wizard. The system challenge appears in the Registered System Challenges list.

Edit a System Challenge
You can edit any of the settings for the System Challenges you add. For the default System Challenges, you can only edit the Display Name and Challenge Question settings.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Modify System Challenges. The Manage System Challenges page appears.
3. In the Registered System Challenges list, click the challenge you want to change. The Edit System Challenge page appears.
4. Update the settings for the system challenge.
5. Click Save.

Delete a System Challenge
You can only delete System Challenges that you add. You cannot delete the default System Challenges.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Modify System Challenges. The Manage System Challenges page appears.
3. In the Registered System Challenges list, click the challenge you want to delete. The Edit System Challenge page appears.
4. Click Delete. The Delete Unknown Entity page appears.
5. Click Yes to delete the challenge.
6. Click Save.

Configure and Enable Self Service
With Self Service, users can get information about their own user accounts without interaction from the administrator. After users respond to the required user and system challenges, they can reset a forgotten password or retrieve a forgotten user name. Before you enable the Self Service feature, you must register at least one External Directory Service location, such as Active Directory, that contains a list of users and email addresses. You must also make sure the notification channel is enabled.

Note
Self Service is only available for use with your External Directory Service, not the Local User Database.

Verify your External Directory Service location is registered
You must make sure that you have at least one External Directory Service location registered before you begin. To review or add an External Directory Service location:

1. Select User Management > External Directory Service. The Manage External Directory Service page appears.
2. Review the Registered External Directory Service Locations list.
3. If your External Directory Service location is not in the list, click Add External Directory Service Location and add it.
4. If you make any changes, click Publish to update your configuration with the changes.

Enable the notification channel
Before you enable Self Service, you must enable a notification channel (for example, email).
1. Select Manage System > Notification Settings.
2. On the Channel tab, select the Enable channel check box.
3. In the Host text box, type the IP address or domain name of your local mail server.
4. In the Sender's Address text box, type the email address that you want to use to send the notifications. You can use an address that is not on your mail server.
5. Click Save.

Enable Self Service
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Make sure the Self Service Enabled check box is selected.
3. Click Save. The Manage Self Service page reappears.

Configure Self Service system challenges
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Modify System Challenges. The Manage System Challenges page appears.
3. In the Registered System Challenges list, click the System Challenge Name of the challenge you want to configure. The Edit System Challenge page appears. Or, to add a new system challenge, click Add System Challenge. The Add System Challenge page appears.
4. In the Display Name text box, type System
5. To change the default challenge question message that users see, in the Challenge Question text box, type a new question.
6. In the Attribute Name text box, type
7. If you added a new system challenge, click Next. Review the settings for the system challenge. Click Finish Wizard. Or, if you edited an existing system challenge, click Save. The Manage System Challenges page appears with the challenge information updated in the Registered System Challenges list.
8. Click Publish to update your configuration with the changes.

Configure Self Service settings
Self Service settings control the System Challenges for Auto Activation, Forgotten Password, and Forgotten User Name.
1. Select User Management > Self Service. The Manage Self Service page appears.
2. Click Self Service Settings. The Manage Self Service Settings page appears.
3. In the Auto Activation Settings section, click Add Auto Activate Challenge. The Select a Challenge page appears.
4. From the System Challenge drop-down list, select System
5. Click Add. The System challenge appears in the Registered Challenges list.
6. If there are any other challenges in the Registered Challenges list, click Remove to delete them. This configures Self Service to require only the System challenge for Self Service account activation.
7. In the Forgotten Password Settings section, click Remove adjacent to all Registered Challenges except System and User-defined Challenge.
8. In the Forgotten User Name Settings section, click Remove adjacent to all Registered Challenges except System and User-defined Challenge.
9. Click Save. The Manage Self Service page appears.

Enable Self Service for the WatchGuard SSL Password authentication method
1. Select Manage System > Authentication. The Registered Authentication Methods page appears.
2. Select the WatchGuard SSL Password authentication method. The Edit Authentication Method page appears.
3. If you do not have a Registered Authentication Method Server, on the General Settings tab, click Add Authentication Method Server. The Add Authentication Method Server page appears. If you do have a Registered Authentication Method Server, proceed to Step
4. Select your authentication server from the Display Name drop-down list.
5. Configure the Host, Port, and Timeout settings.
6. Click Add. The Edit Authentication Method page appears.
7. Click Manage Default Template Specification. The Manage Default Template Specification page appears.
8. Replace the code in the second line with: <templatespec type="selfserviceform">
9. Click Update.
10. Click Save.
11. Click Publish to update your configuration with the changes.

Reset your password with Self Service
1. Connect to the Application Portal Authentication page. The Application Portal Authentication page appears with a list of available authentication methods.
2. Select the WatchGuard SSL Password authentication method. The WatchGuard Password authentication page appears, with self service options enabled.
3. In the User Name text box, type your user name.
4. Click Forgotten Password.
5. Type your email address.
6. Type the response to your personal challenge.
7. Select to receive the new password via email.
8. Click Continue to restart authentication.
9. Use the new password you received in email to log in.

5 About Resource Access
The WatchGuard SSL Application Portal enables you to give your users secure access to your network resources. You can create Application Portal items for access to applications, folders and files, and URLs as web or tunnel resources. Create a web resource to give your users access to an online application. Create a tunnel resource to give your users access to a client-server application.

To protect your resources, you configure access rules, authorization settings, and encryption levels to create seamless, secure access control. Users get access to resources through the WatchGuard SSL Application Portal. You can collect resources that share logon credentials in Single Sign-On (SSO) domains. This allows users to submit their credentials once to get access to several resources. For added security, you can add access rules for your SSO settings. Access rules are also used to enforce the End-Point Security feature Abolishment, which deletes Internet Explorer session files, the client cache, and the browser history when the user session ends.

Resources
You can add and manage standard resources, tunnel resource hosts, tunnel resource networks, tunnel sets, web resource hosts, and the global settings for tunnels that enable your users to use your network resources. For more information, see About Resources.

Client firewall
You can configure client firewall configurations to control traffic to and from the WatchGuard SSL Access Client. For more information, see About Client Firewalls and About the Access Client.

Access rules
Access rules are detailed requirements that users must meet to connect to resources. Available access rules include authentication methods, user group membership, date period, client IP address, client assessment, and client device. You can specify general access rules available for all resources or SSO domains, access rules that apply to individual resources, and global access rules that apply to all resources and SSO domains. For more information, see About Access Rules.

Application Portal
The Application Portal is the WatchGuard SSL web portal that your users can log on to and use to connect to your corporate applications and resources from remote locations. In the Application Portal, the applications and resources appear as icons with link text and are called Application Portal items. For more information, see About the Application Portal.

SSO domains
WatchGuard SSL SSO domains are configured to enable SSO for resources with the same user credentials. The SSO domain specifies how SSO is used for the resources included in the domain. When user credentials are modified, the changes are automatically applied to all resources in the SSO domain. For more information, see About SSO Domains.

About Resources
You can add, edit, and delete standard resources, tunnel resource hosts, tunnel resource networks, web resource hosts, and the global settings for tunnels that enable your users to use your network resources. You can add restrictions to allow only specified users to see certain resources in the Application Portal. For more information about resources, see:
- Manage Resources
- Manage Global Tunnel Resource Settings
- Manage Global Resource Settings

Manage Resources
You can add, edit, or delete resources for commonly used applications in your configuration. These resources are partially configured so you can set them up quickly.

When you add a resource, you use the wizard to configure and create the resource in the Application Portal. When you edit a resource after you add it, you use the configuration pages to make any changes. The available resources include:

133 About Resource Access Web Resources Web resources allow external users to access internal or external web sites accessible to the SSL device: Citrix MetaFrame Presentation Server Citrix XenApp Server Microsoft ActiveSync Microsoft Outlook Mobile Access Microsoft Outlook Web Access 2003 Microsoft Outlook Web Access 2007 Microsoft Outlook Web App 2010 Microsoft SharePoint Portal Server 2003 Microsoft SharePoint Portal Server 2007 Secure Remote Access to the Web UI Web Resource Tunnel Resources Tunnel resources allow external users to access network resources accessible to the SSL device using the Access Client. The WatchGuard SSL Access Client enables you to securely connect to tunnel resources: Access to Home Directory Full Tunnel Microsoft Outlook Client 2003/2007 Microsoft Windows File Share Microsoft Terminal Server 2003 Microsoft Terminal Server 2008 RDP Access SSH Access Tunnel Resource Add a Resource 1. Select Resource Access. The Resources page appears. User Guide 121

134 About Resource Access 2. Click Add Resource. The Add Resource page appears. 122 WatchGuard SSL Web UI

3. In the Resources list, expand the group for the resource you want to add.
4. Select a resource. Information about the resource appears in the right column.
5. Click Next. The Add Resource page appears.
6. In the Display Name text box, type a name for this resource. The display name you select appears in the resources list.
7. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
8. Configure the Special Settings. The settings that appear in this section depend on the type of resource you selected.
9. To enable the resource in the Application Portal, make sure the Make resource available in Application Portal check box is selected.
10. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
11. In the Link Text text box, type the name to appear with the icon in the Application Portal.
12. Click Next. The Manage Access Rules page appears.
13. Select an Access Rule from the Available Access Rules list. Click Add > to add it to the Selected Access Rules list. For more information about Access Rules, see About Access Rules.
14. Click Next. The Add Resource Summary page appears.
15. Review the settings for the resource.
16. Click Finish Wizard.
For more information about how to add a resource for RDP or SSH access, see Add a Tunnel Resource for RDP Access or Add a Tunnel Resource for SSH Access. For more information about how to configure a resource for access to a Citrix MetaFrame Presentation Server with SSO, see Configure SSO for a Citrix MetaFrame Presentation Server Resource.

Edit a Resource
1. Select Resource Access. The Resources page appears, with the Tunnel Resources tab selected.
2. Select the tab for the type of resource you want to edit: Tunnel Resources or Web Resources.
3. Select the Display Name of a resource. The Edit page appears for the resource you selected.
4. Select a tab and update the settings for the resource. The tabs that are available depend on the type of resource you selected. For more information about the settings available on each tab, see About Resource Settings.
5. Click Save.

Delete a Resource
You can delete any resource that you create. You cannot delete the system generated resources, such as the Access Point resource. You can delete a resource from either the main Resources page or from the Edit Resource page.
1. Select Resource Access. The Resources page appears.
2. Select the tab for the type of resource you want to delete: Tunnel Resources or Web Resources.
3. Adjacent to the resource you want to delete, click the delete icon. Or, select the Display Name of the resource you want to delete and, on the Edit Resource page, click Delete. The Delete Resource page appears, with a confirmation message.
4. Click Yes. The resource is removed from the Resources list.
About Resource Settings
When you create a Tunnel Resource or a Web Resource, you define the basic parameters for that resource. You can later edit the resource to further define the configuration. You can change the options you configured when you created the resource and define additional settings. The available settings for Tunnel Resources and Web Resources are different. For more information about how to create a new resource, see Manage Resources.

Static and Dynamic Tunnel Resources
For a resource that can connect to any operating system, you can add a static tunnel with a local IP address on a single port. For more information about how to add a new static tunnel, see About Static Tunnel Settings. If your resource uses an IP address on more than one port, and can connect only to Windows platforms, use a dynamic tunnel. For more information about how to add a new dynamic tunnel, see About Dynamic Tunnel Settings.

Tunnel Resource Settings
On the Edit Tunnel Resource page, select a tab to change settings for the resource. You can edit the general settings you configured for the resource, specify a static or dynamic tunnel for the resource, configure startup commands, edit the access rules applied to the resource, and configure advanced settings for local lookups, drives, and the Access Client. After you have made changes to the resource settings on all the necessary tabs, click Save. If you do not save your changes before you go to another page (not another settings tab for the resource), all your changes are lost.

General Settings
Enable tunnel resource
Select this check box to enable this tunnel resource. To disable the resource, clear this check box.
Display Name
In this text box, type a name for this resource. The display name you select appears in the resources list.
Description
(Optional) In this text box, type a descriptive name to help you identify this resource.
Make this resource available in the Application Portal
Select this check box to add the resource to the Application Portal. If you do not select this option, your users cannot get access to this resource from the Application Portal.
Icon
Select the image that appears in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
Link Text
In this text box, type the name to appear with the icon in the Application Portal.

Tunnel Settings
On the Tunnel Settings tab, you can add and edit the tunnel settings for this resource. You can also delete a static or dynamic tunnel. For a resource that can connect to any operating system, you can add a static tunnel with a local IP address on a single port. If your resource uses an IP address on more than one port, and can connect only to Windows platforms, use a dynamic tunnel.
Note: Static and dynamic tunnels can be configured for any TCP or UDP port, but other protocols cannot be used. For example, ICMP ping traffic cannot pass through the tunnel.
Add Static Tunnel
Select this option to add a static tunnel to your resource. After you add a static tunnel, it appears in the Registered Static Tunnels list. To edit the settings for a static tunnel, or to delete a static tunnel, click the link in the Registered Static Tunnels list.
Add Dynamic Tunnel
Select this option to add a dynamic tunnel to your resource. After you add a dynamic tunnel, it appears in the Registered Dynamic Tunnels list. To edit the settings for a dynamic tunnel, or to delete a dynamic tunnel, click the link in the Registered Dynamic Tunnels list.

Startup
On the Startup tab, you can configure the Startup Commands and specify the URL where your users are redirected for this resource.
Startup Command
Type one or more startup commands to start specific clients for the tunnel resource.
Redirect URL
Type the URL of the web site where you want to redirect your users when they connect to this resource.
Confirm Command
Select this option to display any startup commands and prompt you to confirm the command before it is run. If this option is disabled, any defined startup commands are run automatically. By default, this option is enabled for all resource wizards except RDP Access and SSH Access, where the command text is not readable.

Depending on the type of resource you created, there can be additional startup options. For example, RDP resources have options for remote desktop screen size, keyboard layout, and redirection of local client resources.

Access Rules
On the Access Rules tab, you can see the Global Access Rules that apply to your resource. You can also add individual Available Access Rules to protect your resource. To add an access rule to your resource:
1. In the Available Access Rules list, select an access rule.
2. Click Add >. The selected access rule appears in the Selected Access Rules list.
3. To enable all users to connect to this resource, select the Make this resource available to all users check box.
4. Click Save.
For more information about access rules, see About Access Rules.

Advanced Settings
On the Advanced Settings tab, you can configure the settings for these additional options:
- Local Lookups
- Mapped Drives
- Access Client Loader
- Additional Client Configuration
- Specific Settings
- Provide IP Address
- DNS Forwarding
- WINS Forwarding
- Client Firewall
- Restrict User Editable Preferences
For more information about advanced settings, see Tunnel Resource Advanced Settings.

Web Resource Settings
On the Edit Web Resource page, select a tab to change settings for the resource. You can edit the general settings you configured for the resource, specify a static or dynamic tunnel for the resource, configure startup commands, edit the access rules applied to the resource, and configure advanced settings for local lookups, drives, and the Access Client. After you have made changes to the resource settings on all the necessary tabs, click Save. If you do not save your changes before you go to another page (not another settings tab for the resource), all your changes are lost.
General Settings
Enable resource
Select this check box to enable this web resource. To disable the resource, clear this check box.
Display Name
In this text box, type a name for this resource. The display name you select appears in the resources list.
Description
(Optional) In this text box, type a descriptive name to help you identify this resource.
Manually configure alternative hosts
To manually add additional host IP addresses to your resource, or to edit existing alternative hosts, select the Manually configure alternative hosts check box. The Add Alternative Host link appears and any Registered Alternative Hosts change to active links. You can then select the alternative hosts that appear and edit or delete them. You can also add more alternative hosts.
Add Alternative Hosts
To add a new alternative host to the Registered Alternative Hosts list, click Add Alternative Host. On the Add Alternative Host page, in the Alternative Host text box, type the IP address for this alternative host. For example: or :80.
Automatically Generate Alternative Hosts
You can also choose to automatically create alternative hosts. To generate alternative hosts from the host and port information you set for this resource, click Automatically Generate Alternative Hosts. To add, edit, or delete these alternative hosts, you must select the Manually configure alternative hosts check box.
Make resource available in the Application Portal
Select this check box to add the resource to the Application Portal. If you do not select this option, your users cannot get access to this resource from the Application Portal.
Icon
Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
Link Text
In this text box, type the name to appear with the icon in the Application Portal.
Manage Paths
On the Manage Paths tab, you can add, edit, or delete the paths available with this web resource. A path is the location on the server where files are accessible for this web resource. To add a new path:
1. Click Add Web Resource Path. The Add Web Resource Path page appears.
2. Make sure the Enable resource check box is selected.
3. In the Path text box, type the path to this resource.
4. To use the same authorization settings as the parent resource, select the Use Parent Authorization check box. To manually configure the authorization settings, clear the Use Parent Authorization check box. The Access Rules and Advanced Settings tabs appear for this resource path.
5. Configure the Application Portal Settings for this resource. For more information, see the previous section.
6. Click Save. The path appears in the Path list and in the Web Resources list.
To edit a path:
1. In the Path list, click the path to edit. The Add Web Resource Path page appears.
2. Change the settings.
3. Click Save.

Access Rules
On the Access Rules tab, you can see the Global Access Rules that apply to your resource. You can also add individual Available Access Rules to protect your resource. To add an access rule to your resource:
1. In the Available Access Rules list, select an access rule.
2. Click Add >. The selected access rule appears in the Selected Access Rules list.
3. To enable all users to connect to this resource, select the Make this resource available to all users check box.
4. Click Save.
For more information about access rules, see About Access Rules.

Advanced Settings
On the Advanced Settings tab, you can configure Link Translation, Server DNS Name, Cookies, Authorization Settings, and Encryption Level settings for this resource.
Link Translation
Set the link translation type to use: URL mapping, Pooled DNS Mapping, or Reserved DNS Mapping. By default, a Web resource is set to not use a mapped DNS name. You can only assign reserved mapped DNS names that are not used for any other Web resource. When you select Pooled DNS Mapping, the resource is automatically assigned a DNS name when it is used. When you select Reserved DNS Mapping, you select among the available DNS names displayed in a list to specify a DNS name for the resource.
Server DNS Name
You can specify a host header to use in communication with the internal server. If a specific server DNS name is not defined, the host address (the connect address) is used. If you have a web server that hosts multiple web sites and uses the host header sent by the client to direct the request to the correct web site, you can use this setting on the SSL device to ensure that configured web resources point to the correct web site.
Cookies
You have the option to forward cookies between the client and the resource. When the option is selected, cookies are allowed to pass through from the client to the resource and back. When it is not selected, all cookies are stopped at the Access Point. When you forward cookies, you must specify a list of cookies to either allow or block (or use the wildcard character * to allow or block all). Allowed cookies pass through from the client to the resource and back. Blocked cookies are stopped at the Access Point.
Authorization Settings
Require exact path match
Select this check box to apply the access rules for this Web Resource Host to only this path. To apply the access rules for this resource to this path and all paths that begin with this path, clear this check box.
Automatic access
Select this check box to enable automatic access to the web resource path. When automatic access is enabled, user session timeouts are not affected.
Cache MIME Types
Type the MIME types that you want the client browser to cache. You must use the text/html format.
Require users to authenticate for each resource
Select this option to require users to authenticate for each resource they select in the Application Portal.
Use Timeout
Select this option to use timeout settings to set when users must authenticate again.
Max Inactivity Time
Select this check box to set the maximum amount of time user connections can be inactive before their sessions are disconnected. Type the timeout in minutes.
Absolute Timeout
Select this check box to disconnect user sessions after a specified amount of time, regardless of their activity. Type the timeout in minutes.
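The cookie forwarding behaviour described above, as an added example that is not part of the guide: a small Python model of an allow or block list with the * wildcard, applied to a client Cookie header and to the resource's Set-Cookie headers. The class, its list format and the sample cookie names are assumptions; the guide specifies only the behaviour.

```python
"""Added example (not WatchGuard code): cookie forwarding policy at the
Access Point. With forwarding off, every cookie is stopped. With forwarding
on, an allow list passes only the listed names and a block list stops only
the listed names; the wildcard * matches every cookie name.
"""
import fnmatch


class CookiePolicy:
    """Models the Cookies setting of a web resource (names are hypothetical)."""

    def __init__(self, forward, mode="allow", names=()):
        if mode not in ("allow", "block"):
            raise ValueError("mode must be 'allow' or 'block'")
        self.forward = forward          # the 'forward cookies' check box
        self.mode = mode                # whether the list allows or blocks
        self.names = tuple(names)       # cookie names, * allowed as wildcard

    def _listed(self, cookie_name):
        return any(fnmatch.fnmatchcase(cookie_name, p) for p in self.names)

    def permits(self, cookie_name):
        """True if this cookie may pass between client and resource."""
        if not self.forward:
            return False                # forwarding off: stopped at the Access Point
        listed = self._listed(cookie_name)
        return listed if self.mode == "allow" else not listed

    def filter_cookie_header(self, header_value):
        """Rewrite a client Cookie: header value, dropping cookies not permitted."""
        kept = []
        for pair in header_value.split(";"):
            pair = pair.strip()
            if not pair:
                continue
            name = pair.split("=", 1)[0].strip()
            if self.permits(name):
                kept.append(pair)
        return "; ".join(kept)

    def filter_set_cookie_headers(self, headers):
        """Drop Set-Cookie header values from the resource that are not permitted."""
        return [h for h in headers if self.permits(h.split("=", 1)[0].strip())]
```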

Encryption Level
Require SSL
Select this check box to require your users to use SSL to connect to resources.
Encryption Level
Select the level of encryption to use with SSL:
- Strong encryption level, 128 bits
- Weak encryption level, 56 bits
- Custom encryption level, specify bits

About Static Tunnel Settings
In the Add Tunnel Resource wizard, you can choose to include one or more static or dynamic tunnels. If your tunnel resource has local IP addresses on a single port, choose a static tunnel. You can use static tunnels for access with any operating system. You can add, edit, or delete static tunnels. You can also add, edit, or delete static tunnels when you edit a Tunnel Resource. For more information, see About Resource Settings.

Static Tunnel Operation
When a user selects a tunnel resource in the Application Portal that is configured with a static tunnel, the Access Client software receives the traffic that your user's computer sends over the VPN, and then sends the traffic through the loopback interface of the user's computer. The Access Client then encrypts the data and sends it to the SSL device through the physical network interface of the user's computer.
The loopback interface is not a physical interface. It is a virtual network interface that is used by the user's computer for internal communications, for diagnostics, and to send traffic to itself to be processed immediately. The most common IP address for the loopback interface is , although any address in the 127/8 network (from ) maps to the loopback interface.

Static Tunnel Configuration
For a static tunnel, you configure the tunnel to use a specific loopback IP address and Client Port. This is the port that the client listens on. For each client, you can select only one port. If the port you select is not available, the next available port is used. We recommend that you specify the same port for both the client and the resource.
When you configure a static tunnel, you must define:
- The IP address of the resource. This is the IP address of the host (computer) accessible through this static tunnel.
- The TCP or UDP port on the tunnel resource host that accepts the traffic.
- The IP address for the loopback interface on the user's computer. This can be any address from
- The TCP or UDP port that the user's computer connects to on its loopback IP address.
When a user selects a resource that uses a static tunnel:
1. The user's computer sends the traffic to its own loopback interface.
2. The Access Client software intercepts the traffic sent to the loopback address, encrypts it, and sends it to the SSL device.
3. The SSL device decrypts the traffic and sends it to the correct destination IP address and destination port, as defined in the static tunnel.

Add a Static Tunnel
From the Add Tunnel Resource wizard:
1. Click Add Static Tunnel. The Add Static Tunnel page appears.
2. In the Resource IP Address text box, type the IP address where this tunnel resource is located.
3. In the Resource Port text box, type the port to use to connect to this resource. We recommend you select the same port for the Client Port setting.
4. In the Protocol section, select the type of protocol to use for this resource: TCP or UDP.
5. In the Loopback IP Address text box, type the IP address that the client listens on. The IP address must be in the range 127.x.x.x. The default setting is
6. In the Client Port text box, type the port to use to connect to the client. We recommend you specify the same port that you selected for the Resource Port.
7. To enable users to confirm they have selected the correct tunnel resource before the connection is complete, select the Confirm connections check box. After users select this resource in the Application Portal, they see a Connection Alert and must accept or deny the connection.
8. (Optional) Configure the Advanced Settings for this tunnel.
9. Click Next. The Add Tunnel Resource page appears with the static tunnel in the Registered Static Tunnels list.

Edit a Static Tunnel
From the Add Tunnel Resource wizard:
1. In the Registered Static Tunnels list, click the Resource IP Address of the static tunnel to change. The Edit Static Tunnel page appears.
2. Update the settings for the static tunnel.
3. Click Next. The Add Tunnel Resource page appears with the updated static tunnel in the Registered Static Tunnels list.

Delete a Static Tunnel
From the Add Tunnel Resource wizard:
1. In the Registered Static Tunnels list, click the Resource IP Address of the static tunnel to delete. The Edit Static Tunnel page appears.
2. Click Delete. A confirmation message page appears.
3. Click Yes. The Add Resource page appears. The static tunnel is removed from the Registered Static Tunnels list.

About Dynamic Tunnel Settings
In the Add Tunnel Resource wizard, you can choose to include one or more static or dynamic tunnels. If your tunnel resource has local IP addresses on more than one port, choose a dynamic tunnel. You can add, edit, or delete dynamic tunnels. You can also add, edit, or delete dynamic tunnels when you edit a Tunnel Resource. For more information, see About Resource Settings.

Dynamic Tunnel Operation
When a user selects a tunnel resource in the Application Portal that is configured with a dynamic tunnel, the Access Client software receives the traffic that your user's computer sends over the VPN, and then sends the traffic through the loopback interface of the user's computer. The Access Client then encrypts the data and sends it to the SSL device through the physical network interface of the user's computer.
The loopback interface is not a physical interface. It is a virtual network interface that is used by the user's computer for internal communications, for diagnostics, and to send traffic to itself to be processed immediately. The most common IP address for the loopback interface is , although any address in the 127/8 network (from ) maps to the loopback interface.

Dynamic Tunnel Configuration
For a dynamic tunnel, when a user selects a Tunnel Resource in the Application Portal, the user's computer sends the traffic directly to the IP address of the selected Tunnel Resource. The Access Client can make many connections through a dynamic tunnel because the network driver it installs can dynamically translate many traffic flows at one time.
When a user selects a resource that uses a dynamic tunnel:
- The Windows network driver installed by the Access Client intercepts the traffic.
- The Access Client dynamically translates the traffic to the loopback interface on the user's computer, and dynamically selects a source port for the traffic.
- The Access Client encrypts the traffic and sends it to the SSL device.
- The SSL device decrypts the traffic and sends it to the correct destination IP address and destination port.
When you use one of the pre-defined Tunnel Resource templates to create a resource, the Add Tunnel Resource Wizard automatically uses the required tunnel type. If you select the default Tunnel Resource template, you must manually select and configure a dynamic tunnel for the resource to use.

Add a Dynamic Tunnel
From the Add Tunnel Resource wizard:
1. Click Add Dynamic Tunnel. The Add Dynamic Tunnel page appears.
2. From the Tunnel Mode drop-down list, select Network Range or Single Host.
3. If you select Network Range, in the IP Range text box, type the IP address range where this resource is located. If you select Single Host, in the IP Address text box, type the single IP address where this resource is located.
4. In the TCP Port Set text box, type the TCP port range to use to connect to this resource.
5. In the UDP Port Set text box, type the UDP port range to use to connect to this resource.
6. To enable users to confirm they have selected the correct tunnel resource before the connection is complete, select the Confirm connections check box. After users select this resource in the Application Portal, they see a Connection Alert and must accept or deny the connection.
7. (Optional) Configure the Advanced Settings for this tunnel.
8. Click Next. The Add Tunnel Resource page appears with the dynamic tunnel in the Registered Dynamic Tunnels list.

Edit a Dynamic Tunnel
From the Add Tunnel Resource wizard:
1. In the Registered Dynamic Tunnels list, click the Resource IP Address of the dynamic tunnel to change. The Edit Dynamic Tunnel page appears.
2. Update the settings for the dynamic tunnel.
3. Click Next. The Add Tunnel Resource page appears with the updated dynamic tunnel in the Registered Dynamic Tunnels list.

Delete a Dynamic Tunnel
From the Add Tunnel Resource wizard:
1. In the Registered Dynamic Tunnels list, click the Resource IP Address of the dynamic tunnel to delete. The Edit Dynamic Tunnel page appears.
2. Click Delete. A confirmation message page appears.
3. Click Yes. The Add Resource page appears. The dynamic tunnel is removed from the Registered Dynamic Tunnels list.

Tunnel Resource Advanced Settings
You can configure the settings for local lookups, mapped drives, clients, DNS and WINS forwarding, and Internet firewall configurations.
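To make the difference between the two tunnel types concrete, here is an added Python model (not WatchGuard code) of the static and dynamic tunnel behaviour described in the sections above: a static tunnel binds a loopback IP and client port, including the fallback to the next available port when the chosen one is taken, and a dynamic tunnel matches a network range or single host against TCP and UDP port sets. The class names, the port-set syntax and the source-port range are assumptions; the port-set parser also covers the port sets of the Full Tunnel resource described later.

```python
"""Added example (not WatchGuard code): model of static and dynamic tunnels.

Static tunnel: client traffic to loopback_ip:client_port is picked up by the
Access Client and forwarded by the SSL device to resource_ip:resource_port.
Dynamic tunnel: traffic sent directly to a resource IP in the range, on a
port in the TCP or UDP port set, is translated to the loopback interface
with a dynamically chosen source port.
"""
import ipaddress
from dataclasses import dataclass, field

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def parse_port_set(text):
    """Parse a port set such as '80,443,3389-3390' into a set of ints.

    Assumed syntax: comma-separated single ports and lo-hi ranges, 1..65535.
    """
    ports = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError("port set entry out of range: %s" % part)
        ports.update(range(lo_n, hi_n + 1))
    return ports


@dataclass
class StaticTunnel:
    """One static tunnel as defined on the Add Static Tunnel page."""
    resource_ip: str
    resource_port: int
    protocol: str          # only TCP or UDP can be tunnelled
    loopback_ip: str       # must be in 127.x.x.x
    client_port: int       # port the Access Client listens on

    def __post_init__(self):
        if self.protocol not in ("TCP", "UDP"):
            raise ValueError("protocol must be TCP or UDP")
        if ipaddress.ip_address(self.loopback_ip) not in LOOPBACK_NET:
            raise ValueError("loopback IP must be in 127.0.0.0/8")
        for port in (self.resource_port, self.client_port):
            if not 1 <= port <= 65535:
                raise ValueError("port out of range")


@dataclass
class DynamicTunnel:
    """One dynamic tunnel: a network range or single host plus port sets."""
    ip_range: str                      # "10.0.1.0/24" or a single host address
    tcp_ports: set = field(default_factory=set)
    udp_ports: set = field(default_factory=set)

    def matches(self, dst_ip, dst_port, protocol):
        ports = self.tcp_ports if protocol == "TCP" else self.udp_ports
        network = ipaddress.ip_network(self.ip_range, strict=False)
        return ipaddress.ip_address(dst_ip) in network and dst_port in ports


class AccessClient:
    """Tracks the listeners the client has bound and routes outgoing flows."""

    def __init__(self, first_source_port=40000):
        self.listeners = {}                          # (loopback_ip, port, proto) -> tunnel
        self.next_source_port = first_source_port    # assumed start of the dynamic range

    def bind_static(self, tunnel):
        """Bind the tunnel's client port; if it is taken, use the next free one."""
        port = tunnel.client_port
        while (tunnel.loopback_ip, port, tunnel.protocol) in self.listeners:
            port += 1
            if port > 65535:
                raise RuntimeError("no free client port")
        self.listeners[(tunnel.loopback_ip, port, tunnel.protocol)] = tunnel
        return port

    def route_static(self, loopback_ip, port, protocol):
        """Resource IP/port the SSL device forwards a loopback flow to, or None."""
        tunnel = self.listeners.get((loopback_ip, port, protocol))
        if tunnel is None:
            return None
        return tunnel.resource_ip, tunnel.resource_port

    def route_dynamic(self, tunnels, dst_ip, dst_port, protocol):
        """Translate a flow sent straight to the resource IP, as the driver does."""
        for tunnel in tunnels:
            if tunnel.matches(dst_ip, dst_port, protocol):
                source_port = self.next_source_port
                self.next_source_port += 1
                return {"loopback_source_port": source_port,
                        "destination": (dst_ip, dst_port)}
        return None   # not covered by any dynamic tunnel: not tunnelled
```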

Local Lookups
You can add local lookups to define the host addresses to resolve on the client if no external DNS record is found. Local lookups and DNS forwarding require the user to always have administrator rights on the client. If your users install the Access Client rather than use the on-demand Access Client, they do not have to have administrator rights. To specify lookups, you add a fully qualified domain name, or a domain name with the * wildcard character, and an IP address. If the tunnel is dynamic, use the virtual IP address for the dynamic tunnel. If the tunnel is static, use
Domain Name
A fully qualified domain name. You can also use the * wildcard character with a partial domain name. For example, mailserver.*.
IP Address
The domain name is translated to the IP address you specify.

Mapped Drives
You can add mapped drives to map your network resources (printers or drives) to drive letters on your network. When you add a mapped drive, you specify the path to a mapped network resource. You can also specify a drive letter for the drive or printer to which the resource host is mapped. If the drive letter you select is already in use, the next available drive letter is used. You can specify a drive letter here and combine it with a Startup Command that you defined. You can also use cached credentials.
Supported path variables include:
[$ehost] The WatchGuard SSL device server name and port number.
[$eprot] The HTTP or HTTPS protocol.
[$uid] The external user name.
[$iuid] The internal user name, usually [$uid].
To add a Mapped Drive, configure these General Settings:
Network Resource
The path to the mapped network resource. For example, \\ \[$uid].
Drive Letter
The drive letter to which the resource host is mapped. For example, M:. This can be a drive or a printer.
Use cached credentials
Select this option to automatically use cached credentials (Windows domain credentials) to map a drive. This option is selected by default.

Access Client Loader
Specify the client loader method you want to use for the Access Client. Loader options include:
ActiveX / Java Applet
The system tries the ActiveX loader first. If it does not work, the Java Applet is used.
ActiveX
The system only uses the ActiveX loader.
Java Applet
The system only uses the Java Applet loader.
If you select any of the Java Applet options, you can also use Java rather than the Java Applet.
Run VPN client in Java
Select this check box to use Java, not the Java Applet.

Additional Client Configuration
You can configure your clients to use shutdown commands to automate some commands from the client, for example, to close a mapped drive or shut down a Tunnel Resource for a user. You can configure these options:
Shutdown Command
Define the commands you want to run automatically when this tunnel is shut down. You can define more than one command for each Tunnel Resource. Some commands require users to confirm or deny the action before the command runs. These default trusted commands run automatically:
- outlook
- explorer
- explorer /e
- explorer /e, A: to Z:
Supported command variables include:
[$ehost] The WatchGuard SSL device server name and the port number
[$eprot] HTTP or HTTPS
[$uid] External user name
[$iuid] Internal user name, usually [$uid]
Error Codes to Suppress
You can configure a list of specific error codes to suppress pop-up messages. Type the error codes as a comma-separated list of 7-digit error codes.
Fallback Tunnel Set
Select the fallback tunnel set to use if the client computer is not able to load the ActiveX component or the Windows native client (with dynamic tunnels).

Specific Settings
If you include Microsoft Outlook in the applications for this tunnel resource, we recommend that you enable support for the MS Outlook patch. This patch solves a problem with Windows 2000 client authentication.
Support MS Outlook patch for Windows 2000
Select this check box to enable support for the MS Outlook patch. The patch is supported when the client is on a Windows 2000 platform and is part of a domain.

Provide IP Address
You can select to specify a unique IP address for the client from the IP address pool. When you enable this option, if you add IP addresses from the IP address pool to a tunnel resource, the clients that use those IP addresses can connect to each other when they are connected to the network.
Provide the client with an IP address from the IP address pool or an external DHCP server
Select this check box to use an IP address from the IP address pool or an external DHCP server for the client.

DNS Forwarding
Enable DNS Forwarding
Select this check box to temporarily redirect the DNS server for the client to the DNS server you specify in the global tunnel resource settings. This option is only available if you specified a DNS server for the client.

WINS Forwarding
Enable WINS Forwarding
Select this check box to temporarily redirect the WINS server for the client to the WINS server you specify in the global tunnel resource settings. This option is only available if you specified a WINS server for the client.
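As an added example (not WatchGuard code) for the Local Lookups entries and for the [$ehost], [$eprot], [$uid] and [$iuid] variables used in mapped drive paths, startup commands and shutdown commands: an external DNS record takes precedence over a local lookup, lookup names may use the * wildcard, and [$iuid] falls back to [$uid]. The function names, the DNS table and the sample lookup entries are constructed assumptions.

```python
"""Added example (not WatchGuard code): client-side handling of Local Lookup
entries and of the [$ehost]/[$eprot]/[$uid]/[$iuid] variables.
"""
import fnmatch
import re

# Only the four variables the guide documents are expanded.
VARIABLE_RE = re.compile(r"\[\$(ehost|eprot|uid|iuid)\]")


def resolve_host(name, dns_records, local_lookups):
    """Return the IP address for name, or None.

    A local lookup applies only if no external DNS record is found, so
    the DNS table is consulted first. Lookup domain names may contain the
    * wildcard, for example 'mailserver.*'.
    """
    name = name.lower().rstrip(".")
    if name in dns_records:
        return dns_records[name]
    for pattern, ip in local_lookups:
        if fnmatch.fnmatchcase(name, pattern.lower()):
            return ip
    return None


def expand_variables(template, ehost, eprot, uid, iuid=None):
    """Substitute the session values into a path or command template.

    [$iuid] is the internal user name, 'usually [$uid]', so it defaults to
    uid when no separate internal name is given. Other bracketed text is
    left unchanged.
    """
    values = {"ehost": ehost, "eprot": eprot, "uid": uid,
              "iuid": uid if iuid is None else iuid}
    return VARIABLE_RE.sub(lambda m: values[m.group(1)], template)


# Constructed sample data: one external DNS record and two local lookups.
DNS_RECORDS = {"www.example.corp": "203.0.113.10"}
LOCAL_LOOKUPS = [
    ("mailserver.*", "10.1.2.3"),            # wildcard on the rest of the name
    ("intranet.example.corp", "10.1.2.4"),   # fully qualified domain name
]


def map_home_drive(uid, ehost="sslgateway.example.corp:443", eprot="https"):
    """Expand a constructed home-directory path for a user's mapped drive."""
    return expand_variables(r"\\fileserver.example.corp\home\[$uid]",
                            ehost, eprot, uid)
```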

Client Firewall
Internet Firewall Configuration
Select an available firewall configuration to use for this tunnel resource. To select a configuration, you must first Add an Internet Firewall Configuration.

Restrict User Editable Preferences
Restrict User Editable Preferences
Select this check box to disable the Preferences and Favorites options in the Access Client menu.

Configure Full Network Access
Most of the resources you define give users remote access to specific applications. However, you can enable Full Network Access so users can get access to a set of network resources at the IP level, similar to traditional IP VPN solutions. Full Network Access enables network-based access, which means that your users can connect to all network resources and applications through passive FTP, RDP, or a web browser. You can enable network access to the whole network on a specified port set.

Create a Full Tunnel Resource
You can add a Full Tunnel resource and enable access to it with any of your configured authentication methods.
1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list. The available tunnel resources appear.
4. Select Full Tunnel. A description of the resource appears in the right pane.
5. Click Next. The Add Resource Full Tunnel page appears.
6. In the Display Name text box, type a name for this resource. The display name you select appears in the Resources list.
7. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
8. Make sure the Enable resource check box is selected.
9. From the Tunnel Mode drop-down list, select whether to use a single IP address or a range of IP addresses for this resource: To use a single IP address, select Single Host. To use a range of IP addresses, select Network Range. This is the default setting.
10. If you selected Single Host, in the IP Address text box, type the IP address for this resource. If you selected Network Range, in the IP Range text box, type the range of IP addresses for this resource. For example, to allow access to all IP addresses on the /24 network, type
11. In the TCP Port Set text box, type a list or range of TCP ports. For example, to allow access to all ports, type
12. In the UDP Port Set text box, type a range of UDP ports. For example, to allow access to all UDP ports, type
13. Make sure the Make resource available in Application Portal check box is selected.
14. Select the Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
15. In the Link Text text box, type the name to appear with the icon in the Application Portal.
16. Click Next. The Manage Access Rules page appears.
17. Select the access rules for this resource. For more information about access rules, see About Access Rules.
18. Click Next. The Add Resource Full Tunnel Summary page appears.
19. Review the settings for the resource.
20. Click Finish Wizard. The Full Tunnel resource appears in the Tunnel Resources list, and in the Registered Application Portal Items list.
21. Click Publish to update your configuration with this change. The resource is now available in the Application Portal.

Use a Full Tunnel access resource to connect to network resources

1. Connect to the Application Portal.
2. Select an authentication method. The Authentication page for the selected authentication method appears.
3. Type your credentials for the authentication method you selected. The Application Portal appears with an icon for the Full Tunnel resource.
4. Click the icon for the Full Tunnel resource. Access to the network resources is enabled.
5. Browse to an internal web site in the IP address range you specified for the Full Tunnel resource. The protected web site appears in the browser.
6. Use Microsoft Remote Desktop Connection (RDP) to log in to an IP address in the protected range. The Access Client starts. The RDP session is successful.

Add an Outlook Web Access Resource

You can add a Microsoft Outlook Web Access resource to the Application Portal to give your users access to their web mail.
Add an Outlook Web Access Resource and Authentication Method

You can add an Outlook Web Access resource to your network and enable access to it with any of the authentication methods you configured.

1. Select Resource Access. The Resources page appears.

2. Click Add Resource. The Add Resource page appears.
3. Expand the Web Resources list.
4. Select Microsoft Outlook Web Access 2003 or Microsoft Outlook Web Access 2007. The Microsoft Outlook Web Access resource you selected is highlighted.
5. Click Next. The Add Resource Microsoft Outlook Web Access page appears.

6. In the Display Name text box, type a name for this resource. The display name you select appears in the Resources list.
7. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
8. In the Host text box, type the valid DNS name or IP address of the server for this resource.
9. Make sure the Make resource available in Application Portal check box is selected.
10. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
11. In the Link Text text box, type the name to appear with the icon in the Application Portal.
12. Click Next. The Manage Access Rules page appears.
13. Select the default access rule Any Authentication.
14. Click Next. The Add Resource Microsoft Outlook Web Access 2007 Summary page appears.
15. Review the settings for the resource.
16. Click Finish Wizard. The resource appears in the Web Resources list.
17. Click Publish to update your configuration with this change. The resource is now available in the Application Portal.

Use the Outlook Web Access resource

1. Connect to the Application Portal.
2. Select an authentication method. The authentication page for the selected authentication method appears.
3. Type your credentials for the authentication method you selected. The Application Portal appears with an icon for the Outlook Web Access resource.
4. Click the icon for the Outlook Web Access resource. The Microsoft Outlook Web Access page appears.

Add an Outlook Anywhere Resource

Note: You must have WatchGuard SSL OS v3.2 or greater to support Outlook Anywhere.

To add a resource for Outlook Anywhere, perform these steps:

1. Create a client definition for Outlook Anywhere.
2. Create an authentication method.
3. Add the Outlook Web Access resource.
4. Configure the Outlook client.

Create a Client Definition for Outlook Anywhere

1. Select Manage System > Client Definitions.
2. Click Add Client Definition.
3. Enter a display name.
4. In the Definition text field, type: uri=*/rpc/*
5. Select Resource Access > Manage Global Resource Settings > Client Access.
6. Click Add Client Settings.
7. From the Client drop-down list, select the client created for Outlook Anywhere.
8. Select both check boxes: The device does not support cookies, and The device cannot authenticate using HTML or WML.
9. Click Add.

For the best user experience, we recommend that you use an authentication method that is connected to Active Directory so that Single Sign-On can be enabled for the end-users.

Create an Authentication Method

1. Select Resource Access > SSO Domains.
2. Click Add SSO Domain.
3. In the Display Name text box, type your domain name, then click Next and finish the wizard.
4. Select Manage System > Authentication.
5. Click Add Authentication Method.
6. Select your authentication method.
7. Click Add Extended Property.
8. Select the Save credentials for SSO domain extended property.
9. In the Value field, type your SSO domain's display name.

10. Click Finish.
11. Select Resource Access > Access Rules.
12. Click Add Access Rule.
13. Select Authentication method.
14. Select your configured authentication method.
15. Click Next to finish the wizard.

Add the Outlook Web Access Resource

1. Select Resource Access > Resources.
2. Select Web Resources.
3. Click Add Resource.
4. Add Microsoft Outlook Web Access.
5. Configure the Outlook Web Access resource.
6. When finished, edit the Outlook Web Access resource.
7. Click Add Resource Path, and type rpc/.
8. Clear the Use Parent Authentication check box.
9. Select the Access Rules tab.
10. Remove Any Authentication and add the access rule you created in the previous steps. With Use Parent Authentication cleared, this rule is the only access control on the rpc/ path, so do not leave the path without one.
11. Click Save.
12. Edit the rpc/ resource.
13. Select Enable SSO.
14. From the SSO Type drop-down list, select Text.
15. From the SSO Domain drop-down list, select your SSO Domain.
16. Click Save.

Create a Listener (Optional)

Only perform this step if you require separate services for Outlook Anywhere, ActiveSync, Outlook Web Access, and regular VPN access.

1. Select Manage System > Certificates.
2. Click Add Server Certificate. The Add Server Certificate General Settings page appears.
3. Enter the details for the certificate, then select the certificate file.
4. Click Save.
5. Select Manage System > Device Settings.
6. Click Add Additional listener.
7. In the Port field, type a port number for the additional listener. For example,
8. From the Server Certificate drop-down list, select the certificate you imported in the previous step.
9. Click Add.
10. Click Save.
11. On your network firewall, create a NAT mapping for the listener to the external Internet interface of your firewall.

Create a DNS Name for the SSL Device

1. Select Resource Access > Resources > Manage Global Resource Settings > DNS Name Pool.
2. Click Add DNS name for Device.

3. Type a DNS name for your SSL device, then click Add.
4. Click Save.
5. Select Resource Access > Resources.
6. Edit the Outlook Web Access resource.
7. Select Advanced Settings.
8. Set the Link Translation Type to Reserved DNS Mapping.
9. Set the Mapped DNS name for HTTPS to the DNS name you created in the previous steps.

Configure the Outlook Client

1. On your client, select Control Panel > Mail > Accounts > Microsoft Exchange > More Settings > Connection > Outlook Anywhere.
2. Select the Connect to Microsoft Exchange using HTTP check box.
3. Click Exchange Proxy Settings.
4. Type the URL of the SSL VPN. For example,
5. Select the Only connect to proxy servers that have this principal name in their certificate check box, and then type msstd: followed by the SSL VPN host name. For example, msstd:sslvpn.example.com.
6. From the Proxy authentication settings drop-down list, select Basic Authentication.

Note: The WatchGuard SSL device only supports basic authentication with Outlook Anywhere, and you must ensure that the Exchange Server and Outlook client are configured to use basic authentication. NTLM is not supported. Because basic authentication sends the user name and password with every request, they are protected only by the TLS session to the SSL device, which is why the principal-name check in step 5 matters: Outlook then refuses to send them to a proxy whose certificate is for a different name.

Add a Microsoft ActiveSync Resource

You can use Microsoft ActiveSync to allow your users to keep their email, calendars, tasks, and contacts updated on their mobile devices. To sync network information, ActiveSync must be installed on the user mobile devices. With your WatchGuard SSL device, you can securely run ActiveSync over SSL, even if your users do not install or start the Access Client on their mobile devices.

About Microsoft Exchange ActiveSync

Microsoft Exchange ActiveSync (EAS) sends HTTP and HTTPS-based communication between the client and the server. The client uses the virtual directory, /Microsoft-Server-ActiveSync, on your IIS server to connect to EAS. There are no files in this directory. All requests are managed by the MASSYNC.DLL file, which must have access to your users' mailboxes to operate.
MASSYNC works only with Outlook Web Access. It does not work with MAPI or CDO applications, or any other hidden connection.

Add a New Client Definition for ActiveSync

The ActiveSync client for mobile devices does not support authentication through HTML, and your SSL device must use Basic Authentication for ActiveSync client devices. To configure Basic Authentication for client devices with ActiveSync, you must create a new client definition on your SSL device.

1. Select Manage System > Client Definitions. The Manage Client Definitions page appears.
2. Click Add Client Definition. The Add Client Definition page appears.

3. In the Display Name text box, type a name for this client definition.
4. In the Definition text box, type uri = *Microsoft-Server-ActiveSync*.
5. Click Save. The client definition appears in the Registered Client Definitions list.

Configure Client Access for the New ActiveSync Client

1. Select Resource Access. The Resources page appears.
2. Click Manage Global Resource Settings. The Manage Global Resource Settings page appears with the General Settings tab selected.
3. Select the Client Access tab.
4. Click Add Client Settings. The Add Client Settings page appears.

5. From the Client drop-down list, select the ActiveSync client definition.
6. Select both check boxes: The device does not support cookies, and The device cannot authenticate using HTML or WML forms.
7. Click Add. The Client Access Settings page appears with the new ActiveSync client in the Registered Client Settings list.
8. Click Save.

Configure Additional Listener and Certificates

You must deploy a named SSL certificate on your SSL device (for example, owa.example.com) because Windows Mobile devices do not accept wildcard SSL certificates. However, to fully support DNS-based link translation (for standard web applications), we recommend that you also add a wildcard certificate (such as *.example.com) on your SSL device. Then, the main listener for your SSL device uses the wildcard certificate, and you create an additional listener that uses the named certificate.

1. Select Manage System > Device Settings.
2. Click Add Additional Listener.
3. In the Port text box, type the port to use for this listener. For example, type
4. From the Server Certificate drop-down list, select the certificate to use for ActiveSync devices.
5. In the Type drop-down list, Web is the only option.
6. Click Add. The new listener appears in the Registered Additional Listeners list.
7. Click Save.
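The two client definitions on this page, uri=*/rpc/* for Outlook Anywhere and uri = *Microsoft-Server-ActiveSync* for ActiveSync, decide which requests get the no-cookie, no-HTML-form (Basic authentication) client settings configured above. The POSIX shell script below is an added example, not WatchGuard code: it applies those two definitions to sample request paths the way a glob matcher would, so you can see how much a pattern with a leading and trailing * pulls in before you publish it. It assumes that * matches any run of characters, as the two definitions imply; the device's own matching rules are not documented here, and the sample paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not WatchGuard code. Applies the two client definitions from
# this page to request paths. Assumption: "*" in a definition matches any run
# of characters (the device's exact matching rules are not documented here).

# Return the pattern to the right of "=", with surrounding spaces removed, so
# that "uri = *Microsoft-Server-ActiveSync*" and "uri=*/rpc/*" both parse.
client_def_pattern() {
    p=${1#*=}
    p=${p#"${p%%[! ]*}"}   # strip leading spaces
    p=${p%"${p##*[! ]}"}   # strip trailing spaces
    printf '%s' "$p"
}

# Exit 0 if the request path matches the client definition, 1 otherwise.
# The shell's case statement is a glob matcher, which is all this needs.
client_def_matches() {
    pattern=$(client_def_pattern "$1")
    case "$2" in
        $pattern) return 0 ;;
        *)        return 1 ;;
    esac
}

# Report which client settings a request path would pick up. The first
# matching definition wins; anything else gets the normal portal login.
classify_request() {
    if client_def_matches "uri=*/rpc/*" "$1"; then
        echo "outlook-anywhere: no cookies, no HTML/WML form, Basic auth"
    elif client_def_matches "uri = *Microsoft-Server-ActiveSync*" "$1"; then
        echo "activesync: no cookies, no HTML/WML form, Basic auth"
    else
        echo "default: Application Portal login (HTML form, cookies)"
    fi
}

# Constructed sample paths: the two Exchange endpoints this page publishes,
# two look-alikes that show how much a leading "*" pulls in, and an OWA page.
for path in \
    /rpc/rpcproxy.dll \
    /Microsoft-Server-ActiveSync \
    /owa/rpc/anything \
    /Microsoft-Server-ActiveSync/../owa/ \
    /owa/auth/logon.aspx
do
    printf '%-40s %s\n' "$path" "$(classify_request "$path")"
done
```

Run it with sh to print the table. The third and fourth paths show that any URI containing /rpc/ or Microsoft-Server-ActiveSync is treated the same way as the intended endpoint; that is what these two definitions are meant to do, but it is the property to keep in mind when you write narrower ones for other clients.
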
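Before you bind a certificate to the additional listener and upload it, three things are worth checking: that the certificate chains to a trusted root only when its intermediate CA is supplied (which is why the intermediate must be uploaded to the device as a Certificate Authority), that the private key is in PKCS#8 form and belongs to the certificate, and that the certificate is a named one for the listener's DNS name rather than a wildcard, which Windows Mobile devices reject. The same host-name check applies to the msstd: principal name you give Outlook Anywhere clients. The POSIX shell script below is an added example, not WatchGuard code. It needs the openssl command-line tool, generates a throw-away root, intermediate and two leaf certificates in a temporary directory so that it runs offline (owa.example.com and *.example.com are placeholders), and reports the first failing check; in practice, point the preflight call at the files your CA issued.

```shell
#!/bin/sh
# Added example, not WatchGuard code: checks to run on a listener certificate
# and key before you upload them. Requires the openssl command-line tool.
# A throw-away root -> intermediate -> server PKI is generated in a temporary
# directory so the script runs offline; owa.example.com is a placeholder for
# the DNS name you assign to the additional listener.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LISTENER_NAME=owa.example.com
# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# issue <label> <subject> <extensions, \n-separated> <issuer cert> <issuer key>
issue() {
    printf '%b\n' "$3" > "$WORK/$1.ext"
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$1.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
        -days 2 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Self-signed root, an issuing intermediate, a named leaf and a wildcard leaf.
build_demo_pki() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root CA" -addext 'basicConstraints=critical,CA:TRUE' \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    issue inter "/CN=Demo Issuing CA" \
        'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign' \
        "$WORK/root.pem" "$WORK/root.key"
    issue named "/CN=$LISTENER_NAME" \
        "basicConstraints=CA:FALSE\nsubjectAltName=DNS:$LISTENER_NAME" \
        "$WORK/inter.pem" "$WORK/inter.key"
    issue wild "/CN=*.example.com" \
        'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com' \
        "$WORK/inter.pem" "$WORK/inter.key"
}

# chain_ok <leaf> <hostname> [<intermediate>]: does the leaf verify to the root
# for this host name? Clients trust only the root, so without the intermediate
# (the file you upload as a Certificate Authority) the chain is incomplete.
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$WORK/root.pem" -untrusted "$3" \
            -verify_hostname "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
    fi
}

# The device wants a PKCS#8 key; PKCS#1 ("BEGIN RSA PRIVATE KEY") is not that.
key_is_pkcs8() { grep -qE -- '^-----BEGIN (ENCRYPTED )?PRIVATE KEY-----' "$1"; }
to_pkcs8()     { openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2" 2>/dev/null; }

# Compare SHA-256 digests of the DER public key taken from the key and the cert.
pubkey_fp()      { openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }
cert_pubkey_fp() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }
key_matches_cert() { [ "$(pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]; }

# Windows Mobile clients reject wildcard certificates, so flag "*." in the
# subject CN or in any DNS subjectAltName.
cert_is_wildcard() {
    { openssl x509 -in "$1" -noout -subject
      openssl x509 -in "$1" -noout -text | grep 'DNS:'; } | grep -q '\*\.'
}

# preflight <cert> <key> <listener name> [<intermediate>]: prints "ok" or the
# first failing check, so the result can be read by a person or a script.
preflight() {
    chain_ok "$1" "$3" "${4:-}"  || { echo "chain: leaf does not verify to the root for $3 (intermediate missing or wrong)"; return 1; }
    key_is_pkcs8 "$2"            || { echo "key: not PKCS#8, convert it with to_pkcs8 first"; return 1; }
    key_matches_cert "$2" "$1"   || { echo "key: private key does not belong to this certificate"; return 1; }
    cert_is_wildcard "$1"        && { echo "cert: wildcard certificate, use a named one for mobile clients"; return 1; }
    echo ok
}

build_demo_pki
to_pkcs8 "$WORK/named.key" "$WORK/named.p8"
to_pkcs8 "$WORK/wild.key"  "$WORK/wild.p8"
echo "named cert, intermediate supplied: $(preflight "$WORK/named.pem" "$WORK/named.p8" "$LISTENER_NAME" "$WORK/inter.pem")"
echo "named cert, no intermediate:       $(preflight "$WORK/named.pem" "$WORK/named.p8" "$LISTENER_NAME")"
echo "wildcard cert:                     $(preflight "$WORK/wild.pem"  "$WORK/wild.p8"  "$LISTENER_NAME" "$WORK/inter.pem")"
echo "named cert, wrong key:             $(preflight "$WORK/named.pem" "$WORK/wild.p8"  "$LISTENER_NAME" "$WORK/inter.pem")"
```

The second line of output is the failure a client sees when the intermediate is not available: the leaf is valid, but nothing links it to the root the client trusts. Upload the intermediate as a Certificate Authority and tick it in the CA Certificate section of the server certificate so the device sends it with the leaf.
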

You must adjust your firewall policy to translate the external IP address from external port 443 to the internal port on your SSL device. This configuration is required because you can only add an additional listener port to your external IP address, and you cannot add a second IP address to the interface. For more information about additional listeners, see the Manage Additional Listeners section of the topic General Settings for the Application Portal on page 407.

Upload a Server Certificate

If your server certificate is provided by an external Certificate Authority (CA), any intermediate CA certificate must be uploaded so that your SSL device can provide a trusted certification path to the connecting clients. Without the intermediate, a client that trusts only the root CA cannot build a chain from the server certificate to that root and rejects the connection.

To upload an intermediate CA certificate:

1. Select Manage System > Certificates.
2. Click Add Certificate Authority. The Add Certificate Authority General Settings page appears.
3. In the Display Name text box, type a name to identify this CA certificate.
4. Click Browse and select the certificate file.
5. Select the No certificate revocation checking should be performed option. With this option, the device trusts the CA certificate until you remove it; the revocation status of certificates it issued is never checked.
6. Click Finish Wizard. The Manage Certificates page appears with the CA you added in the Registered Certificate Authorities list.

To upload a new server certificate:

1. Select Manage System > Certificates.
2. Click Add Server Certificate. The Add Server Certificate General Settings page appears.
3. In the Display Name text box, type a name for this server certificate.
4. Adjacent to the Certificate text box, click Browse and select the location of the certificate for your server. The certificate must be in PEM format.
5. Adjacent to the Key text box, click Browse and select the location of the private key for the server certificate. The key must be a PKCS#8 key in either DER or PEM format.
6. If the key is encrypted, in the Password text box, type the password that decrypts the key.
7. If you installed an intermediate CA certificate for this server, in the CA Certificate section, select the check box for the intermediate CA certificate for this server.
8. Click Save. The certificate you added appears in the Registered Server Certificates list.

Assign DNS Name to the Additional Listener

For more information about how to add a DNS name and add the DNS name to the pool, see DNS Name Pool on page 190.

To add a new DNS name for a device:

1. Select Resource Access. The Resources page appears.

2. Click Manage Global Resource Settings. The Manage Global Resource Settings page appears.
3. Select the DNS Name Pool tab. The Manage DNS Name Pool page appears.
4. Click Add DNS Name for Device. The Add DNS Name for Device page appears.
5. In the DNS Name text box, type the DNS name for the device. Make sure to specify a three-segment DNS name, such as my.example.com.
6. In the WWW Root text box, type the path to the DNS device.
7. Click Add. The DNS name appears in the Registered DNS Names for Device list.
8. Click Save.

After you add the DNS name for the device, make sure that your external DNS server can resolve the DNS name you added.

To assign the DNS name to the Additional Listener, add the DNS name to the DNS name pool:

1. Select Resource Access. The Resources page appears.
2. Click Manage Global Resource Settings. The Manage Global Resource Settings page appears.
3. Select the DNS Name Pool tab. The Manage DNS Name Pool page appears.
4. Click Add DNS Name to Pool. The Add DNS Name to DNS Name Pool page appears.
5. In the DNS Name text box, type the DNS name to use for the ActiveSync clients. This is the name of the device you added in the previous section. Make sure to use this name format: <DNS Name Segment 1>.<DNS Name Segment 2>.<extension>. For example, if your DNS Name for your device is my.example.com, type
6. Click Add. The DNS name appears in the DNS Name Pool list.

7. Click Save.

Activate a Basic Authentication Method

To use the ActiveSync client, you must configure a basic authentication method that uses only a static user name and password for the authentication credentials. You can choose the WatchGuard SSL Password, Active Directory, LDAP, or a RADIUS-based authentication method. We recommend that you select an authentication method that works with Active Directory so that you can also enable Single Sign-On.

In the subsequent sections, the WatchGuard SSL Password authentication method is used to authenticate the ActiveSync users. To enable Single Sign-On, WatchGuard SSL Password must be configured to integrate with Active Directory as the External Directory Service.

Edit WatchGuard SSL Password Authentication Method

1. Select Manage System in the main menu and click Authentication Methods in the left-hand menu.
2. Click the WatchGuard SSL Password link.
3. Select the Extended Property tab and click the Add Extended Property link.
4. Add the Save credentials for SSO domain extended property from the list.
5. Enter your SSO domain's display name in the Value field, then click Add.
6. Click Save.

Make sure that all ActiveSync users have the WatchGuard SSL Password method enabled, and that Use password from External Directory is enabled.

Add the Outlook Web Access Resource

If Outlook Web Access (OWA) is already a published resource, the web resource can be used for ActiveSync clients. To enable an existing OWA resource, you can configure a new resource path to the existing web resource host. If no OWA resource has been previously configured, the OWA resource path must first be configured before the ActiveSync Resource Path can be enabled.

Configure the OWA Web Resource

1. Select Resource Access in the main menu and select OWA resource.
2. Click the Add Web Resource link.
3. Enter a display name and the IP address or hostname of the resource, and set the HTTPS port to 443. No HTTP port is required.
4. Click Enable Single Sign-On, specify Text based Single Sign-On, and select your SSO domain from the list.
5. Disable the Make resource available in Application Portal option.
6. Click Next.
7. Remove Any Authentication from Selected Access Rules.
8. Click Next, and then click Finish Wizard.

Configure the ActiveSync Resource Path

1. Select Resource Access in the main menu, and then select the OWA resource.
2. Select Manage Paths.
3. Click Add Web Resource Path.
4. In the Path field, type Microsoft-Server-ActiveSync.
5. Disable the Use Parent Authentication option.
6. Disable the Make resource available in Application Portal option.
7. Click Save.
8. Select Access Rules in the left menu.
9. Click Add Access Rule, select Authentication Method, then click Next.
10. Add WatchGuard SSL Password, then click Next, then click Finish Wizard.
11. Select your OWA resource and click Add, then click Finish Wizard.
12. Click Enable Single Sign-On, specify Text based Single Sign-On, and select your SSO domain from the list.
13. Click the Advanced Settings tab.
14. Set Link Translation Type to Reserved DNS Mapping.
15. Set Mapped DNS name for HTTPS to the DNS name you defined for ActiveSync access.
16. Click Save.
17. Click Publish to publish the configuration.

Add a Single Sign-On Domain

1. Select Resource Access. The Resources page appears.
2. Select SSO Domains. The Manage SSO Domains page appears.

3. Click Add SSO Domain. The Add SSO Domain page appears.
4. In the Display Name text box, type a name for this SSO domain.
5. Configure the settings for SSO Restrictions. If you select the Cache on session only check box, SSO credentials are stored in memory only during the user session. If you do not select this option, SSO credentials are stored in the user account.
6. Click Next. The Domain Attributes page appears.

7. Click Add Domain Attribute. The Add Domain Attribute page appears.
8. From the Attribute Name drop-down list, select Domain.
9. From the Attribute Restriction drop-down list, select Locked.
10. From the Referenced By drop-down list, select Static.
11. In the Attribute Value text box, type the ActiveSync domain.
12. Click Next. The attribute appears in the Registered Domain Attributes list.
13. Click Next. The Apply SSO Domains to Resources page appears.
14. To select the resources to use this SSO domain, click Apply SSO Domains To Resources. The Select SSO Type page appears.
15. From the SSO Type drop-down list, select the SSO type: Text, Form based, Adaptive SSO, File Share, or RDP.
16. From the Available Resources list, select the Outlook Web Access or Outlook Web App resource with the ActiveSync resource path and click Add >. The resource appears in the Selected Resources list.
17. Click Next. The Apply SSO Domains page appears with the resource you added.
18. Click Next. The Add SSO Domain Summary page appears.
19. Review the settings and click Finish Wizard. The SSO Domain appears in the Registered SSO Domains list.

Activate Device Lock (Optional)

Device Lock is designed to address the issue of lost or stolen mobile devices. When an ActiveSync client connects through the SSL device, a unique device identifier is passed as part of the SSL-encrypted data. This ID is automatically associated with the particular user account the first time the user connects. If another user attempts to synchronize with this device, the connection is blocked. If a device with cached user credentials is lost or stolen, the device can be easily disabled for the particular user account to prevent further access. The identifier is supplied by the client as part of the ActiveSync request, so Device Lock ties a device to the first account that used it; it does not by itself prove that a request comes from that physical device.

To enable device lock:

1. Select Manage System in the main menu and click Authentication in the left-hand menu.
2. Click the WatchGuard SSL Password link.
3. Select the Extended Property tab and click the Add Extended Property link.
4. Set the ActiveSync DeviceID Locking option to true.
5. Click Add, then click Save.

With ActiveSync DeviceID Locking enabled, each user that connects with an ActiveSync client and authenticates with WatchGuard SSL Password receives a new custom user attribute containing the device's unique identifier.

Add a Windows File Share Resource

When you add a resource to your WatchGuard SSL Application Portal, your users can get access to any available applications with one click. You can add a Microsoft Windows File Share Resource and configure the WatchGuard SSL device to map the file share to a drive letter.

Note: For users with Windows Vista and later, you can only get access to mapped drive letters through the command prompt. You must have administrative privileges to get access to mapped drive letters.

Before you begin, make sure you have at least one shared folder. To create a shared folder, select a folder and edit the Windows folder Sharing Properties to share it.
Add a File Share resource and authentication method

You can add a Microsoft Windows File Share resource to your network and enable access to it with any of the authentication methods you configured.

1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list.

4. Select Microsoft Windows File Share.
5. Click Next. The Add Resource Microsoft Windows File Share page appears.
6. In the Display Name text box, type a name for this resource. The display name you select appears in the Resources list.
7. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
8. Make sure the Enable resource check box is selected.
9. In the IP Address text box, type the IP address of the server where the share is located.
10. In the Share text box, type the name of the shared folder.
11. (Optional) From the Drive letter drop-down list, select a letter to map to this share. For example, W:. The drive letter is optional for a file share resource.
12. Make sure the Make resource available in Application Portal check box is selected.
13. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
14. In the Link Text text box, type the name to appear with the icon in the Application Portal.
15. Click Next. The Add Access Rules page appears.
16. Select the access rules for this resource. For more information about access rules, see About Access Rules.

17. Click Next. The Add Resource Microsoft Windows File Share Summary page appears.
18. Review the settings for the resource.
19. Click Finish Wizard. The resource appears in the Tunnel Resources list, and in the Registered Application Portal Items list.
20. Click Publish to update your configuration with this change. The resource is now available in the Application Portal.

Log on to the Application Portal to use the file share

1. Connect to the Application Portal.
2. Select an authentication method. The authentication page for the selected authentication method appears.
3. Type your credentials for the authentication method you selected. The Application Portal appears with an icon for the file share resource.
4. Click the icon for the file share resource. The drive letter is now mapped to the shared resource.

Configure a Bi-directional Tunnel Resource

Most web and tunnel resources you add to your Application Portal enable SSL VPN users to get access to a protected network resource. You can also configure a bi-directional tunnel, which enables computers on both sides of the SSL device to get access to computers on the other side. For example, SSL administrators could use a bi-directional tunnel to provide technical support to their SSL VPN users. Because a bi-directional tunnel also exposes the connecting client to hosts on the protected network, limit it to the users and port sets that need it.

To configure a bi-directional tunnel, you must: create a range of IP addresses to assign to clients, or select a DHCP server to assign the IP addresses; define an IP address pool that includes that range, or specify the DHCP server; and select to provide an IP address for all tunnel resources.

Configure Global Tunnel Resource Settings

1. Select Resource Access. The Resources page appears.
2. Click Manage Global Tunnel Resource Settings. The Manage Global Tunnel Resource Settings page appears.

3. To use a DHCP server, from the Provide IP Address drop-down list, select Use DHCP Server. In the DHCP Server text box, type the IP address of the server. To use a range of IP addresses, from the Provide IP Address drop-down list, select Use IP Address Pool. In the IP Address Pool text boxes, type the range of IP addresses.
4. Click Save. The Resources page appears.

Add a Tunnel Resource

1. Select Resource Access. The Resources page appears.

2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list.

4. Select Full Tunnel.
5. Click Next. The Add Resource Full Tunnel page appears.

6. In the Display Name text box, type a name for this resource. The display name you select appears in the Resources list.
7. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
8. Make sure the Enable resource check box is selected.
9. From the Tunnel Mode drop-down list, select the option that corresponds to the option you selected in the Global Tunnel Resource Settings: To use a single IP address, select Single Host. To use a range of IP addresses, select Network Range. This is the default setting.
10. If you selected Single Host, in the IP Address text box, type the IP address you configured for the DHCP server in the Global Tunnel Resource Settings. If you selected Network Range, in the IP Range text box, type the range of IP addresses you configured in the Global Tunnel Resource Settings.
11. In the TCP Port Set text box, type a list or range of TCP ports. For example, to allow access to all ports, type

12. In the UDP Port Set text box, type a range of UDP ports. For example, to allow access to all UDP ports, type
13. Make sure the Make resource available in Application Portal check box is selected.
14. Select the Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
15. In the Link Text text box, type the name to appear with the icon in the Application Portal.
16. Click Next. The Manage Access Rules page appears.
17. Select the access rules for this resource. For more information about access rules, see About Access Rules.
18. Click Next. The Add Resource Full Tunnel Summary page appears.
19. Review the settings for the resource.
20. Click Finish Wizard. The Full Tunnel resource appears in the Tunnel Resources list, and in the Registered Application Portal Items list.
21. Click Publish to update your configuration with this change. The resource is now available in the Application Portal.

You can also add startup commands and a redirect URL to your resource. For more information, see About Resource Settings.

Test the connection

1. Connect to the Application Portal.
2. Click the icon for the resource you created. The Access Client loader appears and loads the Access Client.
3. If you get a certificate warning, accept the certificate after you confirm that it is the certificate you installed on the device.
4. If another authentication window appears, type your credentials and authenticate. The resource you selected is now accessible.

Configure the connection in the Access Client

The Access Client refers to the WatchGuard SSL device as an Access Point.

1. In the Access Client Connection Alert dialog box, select the Always trust connections from this Access Point check box.
2. Click Accept. The WatchGuard SSL device is added to the Trusted Access Points list, and connection alerts do not appear after that for computers behind that device.
To confirm the device was added to the Trusted Access Points list:

1. Click and select Preferences. The Access Client Preferences dialog box appears.

2. Select the Trusted Access Points tab.
3. Review the list of trusted WatchGuard SSL devices.

Add a Tunnel Resource for RDP Access

To enable your users to get remote access to a specific computer on your network, you can add a resource for RDP access. When this resource is added, the tunnel resources are automatically created. You can use the RDP Access resource with a dynamic or static tunnel. You can also specify optional commands to run when the RDP session launches, and select the keyboard language setting [the default setting is English (United Kingdom)].

Because the RDP Access resource is a Java Applet resource, you must have Java Runtime Environment (JRE) 1.6 on your client computers. You receive an installation error if you do not have JRE 1.6 when you try to add the RDP Access resource.

When you log in to the Application Portal and select an RDP Access resource, the native RDP application for your client computer is automatically launched.

If you use Internet Explorer to connect to the Application Portal, and receive an Access Client Command warning when you connect to the RDP resource, you can safely accept this command. To make sure you do not receive this message again, select the Always trust this command check box.

To add an RDP Access resource:

1. Select Resource Access. The Resources page appears.

2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list.

4. Select RDP Access. Information about the RDP Access resource appears in the right pane.
5. Click Next. The Add Resource RDP Access page appears.

6. In the Display Name text box, type a name for this resource. The display name you select appears in the Resources list.
7. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
8. Make sure the Enable resource check box is selected.
9. In the IP Address text box, type the IP address of the computer for this RDP Access resource.
10. In the TCP Port text box, type the TCP port you want this resource to use. The default port number is
11. From the Tunnel Type drop-down list, select Windows Platform or All Platforms.
12. From the Connect Remote Desktop drop-down list, select the application to use for the RDP session:

   - Use native remote desktop application when available
   - Use JavaRDP to connect to remote desktop
13. To enable the RDP session to open at full screen, select the Start in Full Screen Mode check box.
14. In the Screen Size (width x height) text box, type the maximum screen resolution for the RDP session.
15. In the Window Title text box, type a name for the RDP session.
16. To enable the resource in the Application Portal, make sure the Make resource available in Application Portal check box is selected.
17. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
19. In the Link Text text box, type the name to appear with the icon in the Application Portal.
20. Click Next. The Manage Access Rules page appears.
21. Select the access rules for this resource. For more information about access rules, see About Access Rules.
22. Click Next. The Add Resource RDP Access Summary page appears.
23. Review the settings for the resource.
24. Click Finish Wizard. The RDP Access resource appears in the Tunnel Resources list.

Windows Remote Desktop Application Settings

Add a Tunnel Resource for SSH Access

To enable secure shell (SSH) command line access to a specific computer on your network, you can add a resource for SSH access. SSH creates an encrypted session from your computer to another computer so you can safely and securely log in to a remote computer to execute commands.

When you log in to the Application Portal and select an SSH Access resource, the native SSH application for your client computer is automatically launched.

To add an SSH Access Resource:

1. Select Resource Access. The Resources page appears.

2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list.

4. Select SSH Access. Information about the SSH Access resource appears in the right pane.
5. Click Next. The Add Resource SSH Access page appears.

6. In the Display Name text box, type a name for this resource. The display name you select appears in the Resources list.
7. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
8. Make sure the Enable resource check box is selected.
9. In the IP Address text box, type the IP address of the computer for this SSH Access resource.
10. In the TCP Port text box, type the TCP port to use for this resource. The default port number is
11. From the Tunnel Type drop-down list, select Windows Platform or All Platforms.
12. In the Application Portal Settings section, select the Make resource available in Application Portal check box.
13. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
10. In the Link Text text box, type the name to appear with the icon in the Application Portal.
11. Click Next. The Manage Access Rules page appears.
12. Select the access rules for this resource. For more information about access rules, see About Access Rules.

13. Click Next. The Add Resource SSH Access Summary page appears.
14. Review the settings for the resource.
15. Click Finish Wizard. The SSH Access resource appears in the Tunnel Resources list.

Add a Tunnel Resource for Access to Home Directory

To map your user home directories as a local drive that your users can get access to from the Application Portal, you can create an Access to Home Directory tunnel resource. Before you add this resource to the Application Portal, you must first create a shared location for user home directories on your network, and configure Active Directory to either use the correct home directory or assign a home directory to a user. You can then create the Access to Home Directory tunnel resource that your users select to connect to the appropriate home directory.

Before You Begin

Before you create a Home Directory tunnel resource, you must first set up the home directories on your network, and configure Active Directory to assign the home directories to each user. For more information, see these Microsoft knowledge base articles:

After you set up the home directories in Active Directory, you can create an Access to Home Directory tunnel resource in WatchGuard SSL Web UI.

Create a Home Directory Tunnel Resource

1. Select Resource Access > Resources. The Resources page appears.

2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list.

4. Select Access to Home Directory.
5. Click Next. The Add Resource Access to Home Directory page appears.

6. In the Display Name text box, type a name for this resource. For example, type Home Directory Access. The display name you select appears in the Tunnel Resources list.
7. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
8. Make sure the Enable resource check box is selected.
9. In the IP Address text box, type the IP address of the server where the home directory is located.
10. Make sure the Make resource available in Application Portal check box is selected.
11. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
14. In the Link Text text box, type the name to appear with the icon in the Application Portal.
15. Click Next. The Add Access Rules page appears.
16. Select the access rules for this resource. For more information about access rules, see About Access Rules.
17. Click Next. The Add Resource Access to Home Directory page appears.
18. Review the settings for the resource.
19. Click Finish Wizard. The resource appears in the Tunnel Resources list, and in the Registered Application Portal Items list.

20. Click Publish to update your configuration with this change.

The resource is now available in the Application Portal.

When you create the Access to Home Directory resource, the default settings for the startup command (the location of the home directory) and the mapped drive (drive H) are automatically selected for the resource. To use different startup commands or to map the resource to a different drive, you must edit the Access to Home Directory resource.

Edit the Startup Command and Specify the Mapped Drive

After you have created the Access to Home Directory tunnel resource, you can add startup commands and specify the mapped drive that the resource connects to on your network.

When you specify the startup command for the resource, make sure you include the correct symbols. If your \User\user_name folder does not include the symbol $ at the end of the folder name, you do not have to include it when you type the path to the user home directory. If your \User\user_name folder does include the symbol $ at the end of the folder name, make sure you include the symbol when you type the startup command.

1. Select Resource Access > Resources. The Resources page appears.
2. In the Tunnel Resources list, select the Access to Home Directory resource you created. For example, Home Directory Access. The Edit Tunnel Resource "Home Directory Access" page appears.
3. Select the Startup tab.

4. In the Startup Command text box, type the path to the location of the user home directories. For example, if the user home directories are on a server at the IP address in the \Users folder, and the symbol $ is not at the end of the folder name, type \\ \Users\[$uid]. If the symbol $ is at the end of the folder name, type \\ \Users\[$uid]$.
5. Keep the Redirect URL text box clear.
6. Select the Advanced Settings tab.

7. From the Registered Mapped Drives list, select the Network Resource to update. The Edit Mapped Drive page appears.
8. (Optional) To change the location of the network resource, in the Network resource text box, type the path to the location of the user home directories. For example, if the user home directories are on a server at the IP address in the \Users folder, and the symbol $ is not at the end of the folder name, type \\ \Users\[$uid]. If the symbol $ is at the end of the folder name, type \\ \Users\[$uid]$.
9. From the Drive Letter drop-down list, select the drive letter to use for the home directory.
10. Click Update. The Edit Tunnel Resource "Home Directory Access" page appears, with the updated information for the mapped drive.
11. Click Save. The Resources page appears.
12. Click Publish to update your configuration with this change.

Add a Terminal Server Resource

You can add a Terminal Server resource to the Application Portal to give your users access to specific applications. Before you begin, make sure that Microsoft Terminal Services is active on the computer that you want your users to connect to. If you use Windows Vista, consult the Windows help system for instructions to enable Terminal Services.

For Windows XP or Windows Server 2003:

1. Select Control Panel > Administrative Tools > Services.
2. Verify that the status for Terminal Services is Started.

Add the Terminal Server shared resource and Authentication Method

You can add a Microsoft Terminal Server 2003 or 2008 resource to your network and enable access to it with any of the authentication methods you configured.

1. Select Resource Access > Add Resource. The Add Resource page appears.
2. Expand the Tunnel Resources list.

3. Select Microsoft Terminal Server 2003 or Microsoft Terminal Server The Microsoft Terminal Server resource you selected is highlighted.
4. Click Next. The Add Resource Microsoft Terminal Server page appears.

5. In the Display Name text box, type a name for this resource. The display name you select appears in the Resources list.
6. (Optional) In the Description text box, type a descriptive name to help you identify this resource.
7. Make sure the Enable resource check box is selected.
8. In the IP Address text box, type the IP address of the server.
9. In the TCP Port text box, type the port to use to connect to this resource.
10. From the Tunnel Type drop-down list, select Windows Platform or All Platforms.
11. Make sure the Make resource available in Application Portal check box is selected.
12. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
13. In the Link Text text box, type the name to appear with the icon in the Application Portal.
14. Click Next. The Manage Access Rules page appears.
15. Select the access rules for this resource. For more information about access rules, see About Access Rules.

16. Click Next. The Add Resource Summary page appears.
17. Review the settings for the resource.
18. Click Finish Wizard. The resource appears in the Tunnel Resources list, and in the Registered Application Portal Items list.
19. Click Publish to update your configuration with this change.

The resource is now available in the Application Portal.

Use the Terminal Server resource

1. Connect to the Application Portal.
2. Select an authentication method. The authentication page for the selected authentication method appears.
3. Type your credentials for the authentication method you selected. The Application Portal appears with an icon for the terminal service resource.
4. Click the icon for the terminal server resource. The terminal server starts and prompts the user to log in to the IP address you specified for this resource.

Manage Global Tunnel Resource Settings

You can configure connection settings for the WatchGuard SSL Access Client that apply to all your tunnel resources. Settings include the Client IP address provider, DNS server, and WINS server information.

1. Select Resource Access. The Resources page appears.
2. Click Manage Global Tunnel Resource Settings. The Manage Global Tunnel Resource Settings page appears.

3. Configure the settings for your tunnel resources.

Provide IP Address

You can choose to use an existing external DHCP server to assign IP addresses to Access Clients from the network, or to use IP addresses from the IP Address Pool for the Access Clients. Select an option:
- Use DHCP Server
- Use IP Address Pool

To disable this feature, select None. If you configure resources with the Provide an IP Address option, you must specify a DHCP server or an IP address pool.

Note: The DHCP server or address pool must be from a network that is physically accessible by the SSL device so that the client addresses are from the same network.

DNS Server

Specify the IP address or DNS name of the DNS server used for DNS forwarding. When you enable DNS forwarding for a tunnel resource, the client's DNS server is temporarily redirected to the DNS server you specify. Local lookups take precedence, and can override any external DNS.

The Require Authentication for DNS Forwarder check box is selected by default. We recommend that you do not change the default setting unless you add tunnel resources that you make available to all users in your Application Portal. For more information about how to make a tunnel resource available to all users, see the Advanced Settings section of the topic, About Resource Settings on page 128.

WINS Server

Specify the IP address or name of the WINS server used for WINS forwarding. When you enable WINS forwarding for a tunnel resource, the client's WINS server is temporarily redirected to the WINS server you specify. Local lookups take precedence, and can override any external WINS.

The Require Authentication for WINS Forwarder check box is selected by default. We recommend that you do not change the default setting unless you add tunnel resources that you make available to all users in your Application Portal. For more information about how to make a tunnel resource available to all users, see the Advanced Settings section of the topic, About Resource Settings on page 128.

4. Click Save.
5. Click Publish to update your configuration with this change.

Manage Global Resource Settings

Global resource settings apply to all available resources. Global settings are grouped in these categories:
- Internal proxy
- DNS name and DNS name pool
- Filters
- Link translation
- Client access
- Trusted gateways
- Cookies and cache control

Configure settings for global resources

1. Select Resource Access. The Resources page appears.
2. Click Manage Global Resource Settings. The Manage Global Resource Settings page appears.

3. Select a tab to configure the settings for that category. For more information about the available settings, see the topic for each category.
   - General Settings
   - DNS Name Pool
   - Filters
   - Link Translation
   - Client Access
   - Trusted Gateways
   - Advanced Cookies and Cache Control
4. Click Save.

Note: Make sure you save your changes before you leave a page. If you do not save your changes before you leave a page, all your changes are lost.

General Settings

You can specify addresses for internal proxies on the General Settings tab. The addresses are used when a resource is accessed through a cache or an ordinary proxy server. You can select to use NTLM v2 for HTTP and HTTPS proxies. If you have authentication problems, disable NTLM v2.

You can configure settings for these internal proxies:
- HTTP
- HTTPS
- TCP

The TCP proxy is used for the WatchGuard SSL Access Client.

To specify which addresses are used for resources reached through a cache or ordinary proxy server, you can configure Internal Host Access.

To configure proxy settings:

1. Select the General Settings tab.

2. For each proxy:
   - In the Host text box, type the IP address or host name of the proxy server.
   - In the Port text box, type the port number to use to connect to the proxy server.
   - To use NTLM v2 for the connection, select the Use NTLM v2 check box.
3. To validate the certificate from the proxy server before the connection to the resource is allowed, select the Validate server certificate check box.
4. If you select to validate the certificate, select the correct certificate from the CA Certificate drop-down list.
5. Click Save.

DNS Name Pool

To improve link translation and to use multiple DNS domains, you can configure the DNS name pool. Multiple DNS domains allow several customers to be hosted on the same WatchGuard SSL device to serve multiple logon page designs, as well as on the Application Portal.

The registered DNS names define the pool of available DNS names. To use multiple DNS domains, you define several DNS names for the device.

Note: All DNS names must also be registered with a public DNS server, or written to the hosts file on the client computer that uses the system.

When a user makes a request with a registered mapped DNS name, the device looks up which server to connect to and which protocol to use, and sends the request to that server.

WatchGuard SSL has three methods of DNS mapping:
- URL mapping: The resource is mapped to a path instead of a mapped DNS name.
- Reserved DNS mapping: The resource is mapped to a specific DNS name.
- Pooled DNS mapping: The resource is assigned a DNS name on the first device request to an internal server.

When you add or edit a resource, you can specify which method of DNS mapping you want to use.

A DNS name for the SSL device is defined by a host name with three segments (such as my.example.com) and a relative file path to the content of the wwwroot that appears when you use the corresponding DNS name. For example, if the host name is my.example.com, the wwwroot is wwwroot/my.example. We recommend that you define the host name as a DNS name, but you can also use an IP address.

The default DNS Name and WWW ROOT for each device are (default) and wwwroot. You cannot edit or delete the default DNS name.

DNS Name Pool entries must end with the same string as an entry in the Registered DNS Names for Device list. For example, if the DNS Name for a device is my.example.com, the DNS Name Pool entry is

Note: Make sure you always click Save before you leave a page. If you do not click Save, any changes you made are lost when you leave the page.

Add a DNS name for a device

From the Manage Global Resource Settings page:

1. Select the DNS Name Pool tab. The Manage DNS Name Pool page appears.

2. Click Add DNS Name for Device. The Add DNS Name for Device page appears.
3. In the DNS Name text box, type the DNS name for the device.
4. In the WWW Root text box, type the path to the HTML branding files for this device.
5. Click Add. The DNS name appears in the Registered DNS Names for Device list.
6. Click Save.
7. Click Publish to update your configuration with this change.

Edit a DNS name for a device

1. Select the DNS Name Pool tab. The Manage DNS Name Pool page appears.

2. In the Registered DNS Names for Device list, click a DNS Name. The Edit DNS Name for Device page appears.
3. Update the DNS Name and the WWW Root details.
4. Click Save. The DNS name appears in the Registered DNS Names for Device list.

Delete a DNS name for a device

From the Manage Global Resource Settings page:

1. Select the DNS Name Pool tab. The Manage DNS Name Pool page appears.
2. In the Registered DNS Names for Device list, click a DNS Name. The Edit DNS Name for Device page appears.
3. Click Delete. A confirmation message appears.
4. Click Yes. The DNS Name is deleted and the Manage DNS Name Pool page appears, with the DNS name removed from the Registered DNS Names for Device list.
5. Click Save.

Add a DNS name to the pool

Before you can add a DNS name to the DNS Name Pool, you must first add a DNS name for a device and publish it to your configuration.

1. Select the DNS Name Pool tab. The Manage DNS Name Pool page appears.
2. Click Add DNS Name to Pool. The Add DNS Name to DNS Name Pool page appears.
3. In the DNS Name text box, type the DNS name of the device to add it to the pool. Make sure to use the name format <DNS Name Segment 1>.<DNS Name Segment 2>.<extension>. For example, if your DNS Name for your device is my.example.com, you type
4. Click Add. The DNS name appears in the DNS Name Pool list.
5. Click Save.

Edit a DNS name in the pool

1. Select the DNS Name Pool tab. The Manage DNS Name Pool page appears.
2. In the DNS Name Pool list, click a DNS Name. The Edit DNS Name in DNS Name Pool page appears.
3. In the DNS Name text box, type a new DNS name.
4. Click Update. The DNS name appears in the DNS Name Pool list.
5. Click Save.

Delete a DNS name in the pool

1. Select the DNS Name Pool tab. The Manage DNS Name Pool page appears.
2. Click a name in the DNS Name Pool list. The Edit DNS Name in DNS Name Pool page appears.
3. Click Delete. A confirmation message appears.

4. Click Yes. The DNS name is removed from the DNS Name Pool list.
5. Click Save.

Filters

Filters determine the content that your users see when they request a resource or a specific page. You can apply a filter to one or more resource hosts, requests or responses, and to content or headers. For general filters, you can use variables with name-value pairs instead of hard-coded values. You can add one or more variables to each filter. You can specify to filter file types or formats, images, and specific content in the Content Type text box.

About Scripts

Your WatchGuard SSL device includes scripts you can add to your filters. To find the available scripts:

1. At the top of the Web UI, click Browse. The File Browser appears.
2. Go to the \access-point\built-in-files\scripts\ folder. Scripts have the .wascr file extension.

Add a filter

1. Select the Filters tab. The Filters page appears.
2. Click Add Filter. The Add Filter page appears.

3. In the Display Name text box, type the display name for this filter.
4. In the Script Name text box, type the script to use for the filter. Make sure to include the .wascr extension.
5. From the Type of Filter drop-down list, select Request or Response.
6. From the Resource Host drop-down list, select a resource.
7. In the Path text box, type the path to the files to be filtered. You can use the * wildcard character.
8. From the Apply Filter To drop-down list, select Headers or Content.
9. In the Content Type text box, type the content types for this filter. You can use the * wildcard character.
10. To add a variable to the filter, click Add Variable. The Add Variable page appears.
11. In the Name and Value text boxes, type the name and value of the variable.
12. Click Add. The variable appears in the Registered Variables list.
13. Click Add.

The Filter appears in the Registered Filters list.
14. Click Save.

Edit a filter

1. Select the Filters tab. The Filters page appears.
2. In the Registered Filters list, click a filter. The Edit Filter page appears.
3. Update the settings or variables for the filter.
4. Click Update.
5. Click Save.

Delete a filter

1. Select the Filters tab.
2. In the Registered Filters list, click a filter. The Edit Filter page appears.
3. Click Delete.
4. Click Yes.
5. Click Save.

Link Translation

Link translation is used to make sure that all traffic to registered Web resource hosts goes through the WatchGuard SSL device. With link translation, Web resource hosts are as secure as tunnel resource hosts. When a user connects to a page on a server through the WatchGuard SSL device, all links to other servers are changed to point to the WatchGuard SSL device. Translated links contain information about the original server and what protocol to use. For example, when users enter a URL to a registered Web resource, the device recognizes the link and automatically translates the URL to <SSL Device>/

A link can be divided into subsets and then put together dynamically by the browser to form a link. Some examples of subsets are by protocol, host, and URI. If you use a subset, the WatchGuard SSL device cannot establish if it is a link and cannot translate it. If you want to use a subset, you can use DNS mapping.

A DNS name or an IP address that points to the WatchGuard SSL device is mapped to an internal host and protocol (a mapped DNS name). All mapped DNS names are added to a DNS name pool. You then map the web hosts to DNS names with one of these methods:
- Reserved DNS mapping: The Web resource is mapped to a specific DNS name in the DNS name pool.
- Pooled DNS mapping: At the start of each session, the Web resource is assigned the first available DNS name from the DNS name pool.

You can configure the headers and content types to filter. Headers must be single-valued.

From the Manage Global Resource Settings page:

1. Select the Link Translation tab. The Link Translation page appears.
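As an added illustration of the link translation and DNS mapping behaviour described above (example code written for this edit, not WatchGuard's implementation), a small Python model that rewrites complete absolute links in an HTML response to point at a gateway, applies reserved, pooled or URL mapping per internal host, and shows that a link assembled from subsets in script is never seen. The gateway name, the /<proto>/<host> URL-mapping format, the host names and the sample HTML are constructed assumptions; the guide does not show the real translated-URL format.

```python
# Added example (not WatchGuard code): a simplified model of link translation
# and DNS mapping for a reverse-proxy gateway that fronts internal web hosts.
#
# Assumptions, not taken from the guide:
#   - URL mapping encodes the original protocol and host into the gateway path
#     as https://<gateway>/<proto>/<host><path>.
#   - Mapped DNS names (reserved or pooled) all resolve to the gateway, which
#     keeps a table from mapped name back to internal host and protocol.
import re
from dataclasses import dataclass, field

GATEWAY = "ssl.example.com"  # constructed: the gateway's own DNS name

# Complete absolute URLs inside href/src/action attributes. A link that a page
# assembles from subsets (protocol + host + URI in script) never appears as a
# complete URL in the HTML, so this pattern, like the device, cannot see it.
ABS_URL = re.compile(
    r"""(?P<attr>href|src|action)=(?P<q>["'])"""
    r"""(?P<proto>https?)://(?P<host>[^/"'\s:]+)(?P<path>/[^"']*)?(?P=q)""",
    re.IGNORECASE,
)


@dataclass
class DnsMapping:
    """Per-session view of the DNS name pool."""
    reserved: dict            # internal host -> fixed mapped DNS name
    pooled_hosts: set         # hosts configured for pooled DNS mapping
    pool: list                # free pooled names, consumed in order
    assigned: dict = field(default_factory=dict)   # host -> pooled name
    reverse: dict = field(default_factory=dict)    # mapped name -> (proto, host)

    def mapped_name(self, proto, host):
        """Return the mapped DNS name for host, or None to use URL mapping."""
        name = self.reserved.get(host)
        if name is None and host in self.pooled_hosts:
            if host not in self.assigned:
                if not self.pool:
                    raise RuntimeError("DNS name pool exhausted for " + host)
                self.assigned[host] = self.pool.pop(0)   # first available name
            name = self.assigned[host]
        if name is not None:
            self.reverse[name] = (proto, host)  # what the gateway looks up later
        return name


def translate_url(proto, host, path, mapping):
    """Rewrite one absolute URL so that it points at the gateway."""
    path = path or "/"
    name = mapping.mapped_name(proto, host)
    if name is not None:
        return f"https://{name}{path}"                  # reserved or pooled mapping
    return f"https://{GATEWAY}/{proto}/{host}{path}"    # URL mapping


def translate_html(html, mapping):
    """Rewrite every complete absolute link in an HTML response."""
    def repl(m):
        new = translate_url(m.group("proto"), m.group("host"), m.group("path"), mapping)
        return f'{m.group("attr")}={m.group("q")}{new}{m.group("q")}'
    return ABS_URL.sub(repl, html)


def wwwroot_for(dns_name):
    """Branding root for a three-segment device name: my.example.com -> wwwroot/my.example."""
    segments = dns_name.split(".")
    if len(segments) != 3:
        raise ValueError("expected a host name with three segments")
    return "wwwroot/" + ".".join(segments[:2])


# Constructed sample response from an internal host.
SAMPLE_HTML = """
<a href="http://intranet.example.local/hr/index.html">HR</a>
<img src="https://files.example.local/logo.png">
<a href="http://wiki.example.local/">Wiki</a>
<script>var u = "http://" + "intranet.example.local" + "/api";</script>
"""


def new_session():
    """Constructed mapping: one reserved host, one pooled host, the rest URL-mapped."""
    return DnsMapping(
        reserved={"intranet.example.local": "intranet.ssl.example.com"},
        pooled_hosts={"files.example.local"},
        pool=["pool1.ssl.example.com", "pool2.ssl.example.com"],
    )


if __name__ == "__main__":
    print(translate_html(SAMPLE_HTML, new_session()))
```

The script-assembled URL in the sample is left untouched, which is the case the text says needs DNS mapping rather than link translation.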

2. In the request and response headers and content types text boxes, add, edit, or delete the headers and content types to filter.
3. Click Save.

Client Access

You can specify the paths for the Application Portal and Welcome pages, and the clients that users can use to connect to your network.

Specify the paths for client access pages

From the Manage Global Resource Settings page:

1. Select the Client Access tab. The Client Access Settings page appears.

2. In the Default Page text box, type the path to the main page of the Application Portal. The default setting is /wa_default.html.
3. In the Welcome Page text box, type the path to the Welcome page that users see after they log on. The default setting is /wa/_welcome.html.
4. To configure Client Control settings, see the subsequent sections.
5. Click Publish to update your configuration with the changes.

Client Control settings

You can add, edit, and delete Client Control settings.

To add Client Control settings:

1. On the Client Access tab, click Add Client Settings. The Add Client Settings page appears.

2. From the Client drop-down list, select a client.
3. In the Session Settings section, select a check box to define the settings for this client:
   - The client does not support cookies
   - The client cannot authenticate using HTML or WML forms
4. In the File Extension text box, type the file type extension to use for this client.
5. In the Default Page text box, type the path and file name to this client.
6. In the Welcome Page text box, type the path and file name to the Welcome page for this client.
7. (Optional) In the GUI Constant and GUI Constant Value text boxes, type the GUI constant information for this client.
8. Click Add. The Client appears in the Registered Client Settings list.
9. Click Save.

To edit Client Control settings:

1. In the Registered Client Settings list, click a Client. The Edit Client Settings page appears.

2. Update the settings.
3. Click Update.
4. Click Save.

To delete a client in the Registered Client Settings list:

1. In the Registered Client Settings list, click a Client. The Edit Client Settings page appears.
2. Click Delete. A confirmation message appears.
3. Click Yes. The client is removed from the Registered Client Settings list.
4. Click Save.

Client Access Restrictions

You can add, edit, and delete client access settings to restrict the use of specific clients for your network. If you select to deny access to a client or send a warning message for a client, you can choose to direct users to a web page for information about the action or include a feedback message about the action. If you do not redirect users to a feedback page for information, you must include a feedback message to explain why the client was denied access, or why a warning message was sent.

To add Client Access restrictions:

1. On the Client Access tab, click Add Client Access Restriction. The Add Client Access Restriction page appears.

2. From the Client drop-down list, select a client.
3. From the Permission drop-down list, select a permission level for this client: Accept, Deny, or Warn.
4. If you set the permission to Deny or Warn, select the HTTP Code, type a path to the Feedback page, and type a Feedback message that users see in a warning or deny message.
5. Click Add. The Client appears in the Registered Client Access Restrictions list.
6. Click Save.

To edit Client Access restrictions:

1. In the Registered Client Access Restrictions list, click a Client. The Edit Registered Client Access Restrictions page appears.
2. Update the settings.
3. Click Update.

To delete a client in the Registered Client Access Restrictions list:

1. In the Registered Client Access Restrictions list, click a client. The Edit Registered Client Access Restrictions page appears.
2. Click Delete.
3. Click Yes.

The client is removed from the Registered Client Access Restrictions list.
4. Click Save.

Trusted Gateways

You can add, edit, and delete the trusted gateways for your network.

Add trusted gateways

1. Select the Trusted Gateways tab. The Manage Trusted Gateways page appears.
2. Click Add Trusted Gateway. The Add Trusted Gateway page appears.
3. In the IP Address text box, type the IP address of the trusted gateway.
4. In the Port text box, type the port to use to connect to the trusted gateway. The default port number is
5. Click Add. The IP Address appears in the Registered Trusted Gateways list.

Edit a trusted gateway

1. In the Registered Trusted Gateways list, click an IP Address. The Edit Registered Trusted Gateways page appears.
2. Update the settings.
3. Click Update. The updated gateway information appears in the Registered Trusted Gateways list.

Delete a trusted gateway

1. In the Registered Trusted Gateways list, click an IP Address. The Edit Trusted Gateway page appears.
2. Click Delete. The Confirm Delete message page appears.
3. Click Yes. The trusted gateway is removed from the Registered Trusted Gateway list.
4. Click Save.

Advanced Cookies and Cache Control
On the Manage Global Resource Settings Advanced tab, you can configure the settings for Internal Cookies and Internet Explorer Cache Control. You can choose which information types to include in cookie requests. You can also set whether Internet Explorer caches data and allows these file types: .doc, .xls, .ppt, .pdf
Cached data, including documents of the allowed file types, remains in the browser cache on the client computer after the session ends. Leave caching disabled for users who connect from shared or unmanaged computers.
To configure cookie and cache control settings:
1. Select the Advanced tab.
2. In the Internal Cookies section, select the check box for each information type for which you want to allow cookies.
3. To let Internet Explorer cache data, clear the Do not cache data for Internet Explorer users check box. This also enables users to download the allowed file types.
4. Click Save.

About Client Firewalls
Client firewalls are Internet firewall configurations. An Internet firewall configuration is a collection of rules that control traffic to and from the WatchGuard SSL Access Client. Each configuration is connected to a tunnel resource.
The WatchGuard SSL Access Client has two tasks related to your firewall configuration:
Disable routes for other network connections
Check the integrity of application connections
You can configure rules based on these parameters:
Network
Incoming or outgoing traffic
Ports
Allow or block traffic
These rules are downloaded to the client computer with the tunnel resource and are then applied to network traffic at the client. When you add a new Internet firewall configuration, the rule lists have default entries that block all connections. You must add a rule above the default rule to accept specific connections.
Note The order of the rules is significant because the firewall starts at the top of the list and stops as soon as it finds a match between the rule and the connection.
Disable routes for other network connections
You can choose to disable routes for other network connections. Apply the rules you configure to disable specific routes.
Check the integrity of application connections
For each connection that goes through the WatchGuard SSL Access Client, information about the application path and checksum is added. When the authorization process determines whether the client can connect to your resources, it uses this information.
How the client firewall works
When your users connect to the WatchGuard SSL device with the Access Client, the client firewall runs locally on their computers. Firewall rules are configured on the server and cannot be overridden by the user. Because the rules are enforced by the Access Client software on the endpoint, their effectiveness depends on the integrity of that computer; the client firewall complements, and does not replace, the access rules enforced on the device. You can use only one Internet firewall configuration per tunnel resource.
The firewall is activated when a user clicks an Application Portal icon that connects to a tunnel resource configured to use the client firewall. It stays active as long as the associated tunnel resource is in use, and is deactivated as soon as the user closes the Access Client or logs off the portal.

Note If several tunnel resources are used at the same time by the same user, the firewall configurations of all the tunnels are active and the most restrictive rules are applied.
When active, the firewall checks that each connection to and from the client computer matches the client firewall configuration. You can add incoming and outgoing rules, and exceptions to those rules, to your client firewall configuration.
Incoming Rules
When a connection comes in to the computer, the firewall goes through the list of Incoming Firewall rules. Each rule is checked to see whether it matches the incoming connection. If it does not match, the firewall looks at the next rule in the list. If it does match, the connection is accepted or denied based on the rule configuration, and the firewall does not check any more rules in the list. If the rule denies the connection, the connection is dropped. If the rule accepts the connection, it is connected to the client computer.
Outgoing Rules
When an application on the client computer tries to connect to the Internet, the firewall goes through the list of Outgoing Firewall rules. Each rule is checked to see whether it matches the outgoing connection. If it does not match, the firewall looks at the next rule in the list. If it does match, the connection is accepted or denied based on the rule configuration. If the rule denies the connection, it is rejected. If the rule accepts the connection, the application connects to the Internet.
Exceptions
The client firewall checks all TCP and UDP connections except:
Incoming connections from an IP address of a configured resource on the intranet (a connection through the tunnel)
Connections to the WatchGuard SSL device
Connections to an IP address of a configured resource on the intranet through the tunnel
For these connections, the access rules of the configured resource are applied instead of the firewall rules.
Configure client definitions
You can configure the definitions for the clients used with your firewall configuration. For more information, see Manage Client Definitions on page 393.
Firewall rules based on a device
The client firewall can be used to specify rules based on the path or checksum of the process that tries to connect to the Internet. To enable this option, you must first add a client definition that specifies the path and/or checksum of the process. You can use one of these client firewall variables in the Client Definitions:

clientfirewall-path
clientfirewall-checksum
Note You can only use client definitions with these variables in the Client Firewall Rules.
To add Internet Explorer as a client definition, add a Client Definition with these settings:
Display Name: Internet Explorer
Process Definition: clientfirewall-path=%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles% is a variable that is expanded on the Access Client, so the same client definition works on all clients regardless of the language of the operating system.
You can also use a more complex rule that is based on the MD5 checksum of the executable. To define a client based on the checksum, use the hexadecimal representation of the MD5 checksum. For example:
Display Name: Internet Explorer
Process Definition: clientfirewall-checksum=e c be7b4dc c8
When you use clientfirewall-checksum, the client definition is only valid for a specific build of Internet Explorer: every update of the executable changes its checksum, so plan to revise checksum-based definitions when the application is patched. A path-only definition is easier to maintain but identifies the process by its location, not by its content.
It is also possible to combine checksum and path with AND/OR between expressions. For example, you can create a list of valid checksums with the pipe character (OR) between the entries. All entries joined by the (OR) operator must be on the same line. For example:
clientfirewall-checksum=<checksum1> | clientfirewall-checksum=<checksum2> | clientfirewall-checksum=<checksum3>
You can also use the Client Definitions for client firewalls in Access Rules for tunnel resources.
Incoming Firewall Rules
For Incoming Firewall Rules, you specify a remote IP address or range of IP addresses that are allowed for incoming traffic. You can also specify the port set, with a single port, several ports, and/or a range of ports. Use a comma to separate port numbers. In your rules, you also select whether to use TCP or UDP, and whether the firewall rule accepts or denies incoming traffic from the IP addresses and ports you specified. You can also choose whether the rule applies to a specific client or to any client.
When you select Any Client, the rule is applied to all connected clients. A client can be a hardware device or an application.
Outgoing Firewall Rules
For Outgoing Firewall Rules, you specify a remote IP address or range of IP addresses that are allowed for outgoing traffic. You can also specify the port set, with a single port, several ports, and/or a range of ports. Use a comma to separate port numbers. In your rules, you also select whether to use TCP or UDP, and whether the firewall rule accepts or denies outgoing traffic to the IP addresses and ports you specified. You can also choose whether the rule applies to a specific client or to any client. When you select Any Client, the rule is applied to all connected clients. A client can be a hardware device or an application.
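How the incoming and outgoing rule lists, the client definitions and the exceptions described above fit together, as an added example in Python that is not part of the WatchGuard product or of this guide: a small model of the rule evaluation, run against constructed connections. The rule, connection and field names are assumptions, as is the '&' used here for AND inside a client definition; first-match order, the default deny, the tunnel and device exceptions and the most-restrictive merge across several active tunnels follow the guide.

```python
# Added example (not WatchGuard code): a model of how the Access Client firewall
# evaluates its incoming and outgoing rule lists, as described above. Names are
# assumptions; first-match order, default deny, the tunnel/device exceptions and
# the most-restrictive merge across tunnels follow the guide.
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

SAMPLE_MD5 = hashlib.md5(b"constructed iexplore.exe bytes").hexdigest()  # stand-in checksum
# Client definitions as written under Manage Client Definitions. '|' is OR between
# alternatives (as in the guide); '&' for AND inside one alternative is assumed here.
IE_BY_PATH = r"clientfirewall-path=%ProgramFiles%\Internet Explorer\iexplore.exe"
IE_BY_HASH = f"clientfirewall-checksum={SAMPLE_MD5} | clientfirewall-checksum={'0' * 32}"


def client_matches(expr, proc_path, proc_md5, program_files=r"C:\Program Files"):
    """True if the connecting process satisfies the client definition expression."""
    for alternative in expr.split("|"):
        terms_ok = True
        for term in alternative.split("&"):
            key, _, value = term.strip().partition("=")
            # %ProgramFiles% is expanded on the client, so one definition fits every locale.
            value = re.sub("%programfiles%", lambda _m: program_files, value, flags=re.I)
            if key == "clientfirewall-path":
                terms_ok &= value.lower() == proc_path.lower()   # Windows paths: case-insensitive
            elif key == "clientfirewall-checksum":
                terms_ok &= value.lower() == proc_md5.lower()
            else:
                terms_ok = False   # only these two variables are valid in client firewall rules
        if terms_ok:
            return True
    return False


def ip_in_range(spec, ip):
    """spec is 'any', a single address, or a 'low-high' range."""
    if spec == "any":
        return True
    low, _, high = spec.partition("-")
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(low.strip()) <= addr <= ipaddress.ip_address((high or low).strip())


def port_in_set(spec, port):
    """spec is a comma-separated port set such as '80,443,8000-8100'."""
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        low, high = (int(x) for x in part.split("-")) if "-" in part else (int(part), int(part))
        if low <= port <= high:
            return True
    return False


@dataclass
class Rule:
    remote_ip: str                 # 'any', one address, or 'low-high'
    ports: str                     # local port set
    protocol: str                  # 'TCP' or 'UDP'
    action: str                    # 'accept' or 'deny'
    client: Optional[str] = None   # client definition expression; None means Any Client


@dataclass
class FirewallConfig:
    incoming: List[Rule]
    outgoing: List[Rule]
    resource_ips: Set[str] = field(default_factory=set)  # intranet resources behind the tunnel
    device_ip: str = ""                                  # the WatchGuard SSL device


def evaluate(cfg, direction, remote_ip, port, protocol, proc_path="", proc_md5=""):
    """First matching rule wins, top to bottom; the built-in default entry denies the rest.
    proc_path/proc_md5 are what the Access Client records about the connecting process."""
    if remote_ip == cfg.device_ip or remote_ip in cfg.resource_ips:
        return "exempt"   # the resource's access rules apply instead of the firewall rules
    for r in (cfg.incoming if direction == "in" else cfg.outgoing):
        if r.protocol != protocol or not ip_in_range(r.remote_ip, remote_ip):
            continue
        if not port_in_set(r.ports, port):
            continue
        if r.client is not None and not client_matches(r.client, proc_path, proc_md5):
            continue
        return r.action
    return "deny"


def evaluate_all(configs, *conn):
    """Several tunnel resources active for one user: the most restrictive verdict wins."""
    verdicts = {evaluate(c, *conn) for c in configs}
    return "deny" if "deny" in verdicts else ("accept" if "accept" in verdicts else "exempt")


# Constructed sample: the browser may reach HTTP/HTTPS anywhere, DNS is open, RDP is
# accepted from one subnet only; everything else falls through to the default deny.
CONFIG = FirewallConfig(
    incoming=[Rule("10.1.0.1-10.1.0.254", "3389", "TCP", "accept")],
    outgoing=[Rule("any", "80,443", "TCP", "accept", client=IE_BY_PATH),
              Rule("any", "53", "UDP", "accept")],
    resource_ips={"10.10.0.5"}, device_ip="198.51.100.10",
)

if __name__ == "__main__":
    print(evaluate(CONFIG, "out", "203.0.113.5", 443, "TCP", r"C:\Program Files\Internet Explorer\iexplore.exe", SAMPLE_MD5))
    print(evaluate(CONFIG, "out", "203.0.113.5", 443, "TCP", r"C:\Tools\curl.exe"))
```

Order matters exactly as the Note above says: a deny rule placed below an accept rule for the same traffic never fires. The client-specific outgoing rule only admits a process whose recorded path (or checksum) satisfies the client definition, so a copy of the browser in another folder, or a patched build when the definition is checksum-based, falls through to the default deny. Connections to the device or to a tunnel resource are never evaluated against these lists.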

Manage Internet Firewall Configurations
You can add, edit, and delete Internet firewall configurations for your client firewall. After you change the configuration, make sure you click Publish to update your configuration with your changes.
Add an Internet Firewall Configuration
1. Select Resource Access > Client Firewall. The Client Firewall page appears.
2. Click Add Internet Firewall Configuration. The Add Internet Firewall Configuration page appears.

3. In the Display Name text box, type a name for this firewall configuration.
4. (Optional) Add an incoming firewall rule.
5. (Optional) Add an outgoing firewall rule. For information about how to add firewall rules, see the subsequent sections.
6. Click Add. The configuration appears in the Registered Internet Firewall Configurations list.
Add an incoming firewall rule
You can add incoming firewall rules to your Internet firewall configurations on the Add Internet Firewall Configuration or Edit Internet Firewall Configuration page.
1. Click Add Incoming Firewall Rule. The Add Incoming Firewall Rule page appears.

2. In the Remote IP text box, type the remote IP address or IP address range for this rule.
3. In the Local Port text box, type the port or port set to use for this rule.
4. Select a Protocol (TCP or UDP).
5. Set the rule to Accept or Deny connection attempts from the specified IP addresses.
6. From the Clients drop-down list, select Any Client or a specific client to which the rule applies.
7. (Optional) In the Comment text box, type a description of the rule.
8. Click Add. The rule appears in the Registered Incoming Firewall Rules list.
Add an outgoing firewall rule
You can add outgoing firewall rules on the Add Internet Firewall Configuration or Edit Internet Firewall Configuration page.
1. Click Add Outgoing Firewall Rule. The Add Outgoing Firewall Rule page appears.

2. In the Remote IP text box, type the remote IP address or IP address range for this rule.
3. In the Local Port text box, type the port or port set to use for this rule.
4. Select a Protocol (TCP or UDP).
5. Set the rule to Accept or Deny connection attempts to the specified IP addresses.
6. From the Clients drop-down list, select Any Client or a specific client to which the rule applies.
7. (Optional) In the Comment text box, type a description of the rule.
8. Click Add. The rule appears in the Registered Outgoing Firewall Rules list.
Edit an Internet Firewall Configuration
You can edit your Internet firewall configurations on the Client Firewall page.
1. In the Registered Internet Firewall Configurations list, click the configuration you want to change. The Edit Internet Firewall Configuration page appears.

2. Update the incoming or outgoing firewall rules in the configuration.
3. Click Save.
Delete an Internet Firewall Configuration
You can delete your Internet firewall configurations on the Client Firewall page.
1. In the Registered Internet Firewall Configurations list, click the configuration to delete. The Edit Internet Firewall Configuration page appears.
2. Click Delete. A confirmation message appears.
3. Click Yes.
4. Click Save. The configuration is removed from the Registered Internet Firewall Configurations list.
Edit an incoming or outgoing firewall rule
You can make changes to any incoming or outgoing firewall rule in the corresponding Registered Firewall Rules list.

1. Click the rule to change. The Edit Firewall Rule page appears.
2. Update the settings for the rule.
3. Click Update.
Delete an incoming or outgoing firewall rule
You can delete any incoming or outgoing firewall rule that you added. You cannot delete the default rules.
1. Click the rule to delete. The Edit Firewall Rule page appears.
2. Click Delete. A confirmation message appears.
3. Click Yes.
4. Click Save.
About Access Rules
Access rules define the specific requirements for access control that you apply to a resource or SSO domain in WatchGuard SSL Web UI. You can add general access rules that can be applied to any resource or SSO domain, or specific access rules that you apply only to certain resources or SSO domains. You can also define global access rules that are applied to all resources and SSO domains.
WatchGuard SSL Web UI includes many different types of access rules that you can use alone or combine to increase the complexity of your security. When you add access rules to a resource, you can use the AND operator to combine general access rules with resource and SSO domain specific access rules. You can only use the OR operator for resource and SSO domain specific access rules.
For more information about access rules, see:
Manage Access Rules
Manage Global Access Rules
Manage Access Rules
You can add, edit, and delete the access rules to use with specific resources and Single Sign-On (SSO) domains. When you create an access rule, you add rules to define user access to your network. You can add one or more rules to each access rule. If you add more than one rule to an access rule, an OR operator is applied to the rules. If you want the rules to be applied with an AND operator, you must combine them. Because OR is the default, every rule you add on its own widens access: a client only has to satisfy one of them. Combine rules whenever you intend all of their conditions to be required.
Add an Access Rule
1. Select Resource Access > Access Rules. The Manage Access Rules page appears.

2. Click Add Access Rule. The Add Access Rule page appears.
3. In the Display Name text box, type a name for this access rule.
4. Click Next. The Select Type of Access Rule page appears.

5. Select an access rule type for this rule. Click Next. The subsequent pages that you see depend on the type of access rule that you selected.
Note For detailed information on Assessment access rules and requirement criteria, see Assessment Access Rule Requirements.
6. Complete the subsequent pages for the type of access rule you selected. Click Next.
7. On the Summary page, confirm the settings for your access rule. Click Next. The Add Access Rule page appears with your access rule in the Allow user access when list.
8. To add another rule, repeat Steps 5 through 7.
9. If you have more than one rule and you want to combine them, select the Select Rule check box for the rules to combine and click Combine.
10. Click Next. The Apply Access Rule to Resources page appears.
11. From the Available Resources list, select the resources for this access rule and click Add >. The resources appear in the Selected Resources list.
12. Click Next. The Confirm Access Rule Summary page appears.
13. Click Finish Wizard. The new access rule appears in the Registered Access Rules list.
Edit an Access Rule
When you edit an access rule, you can change the Display Name; add, edit, or delete the rules included in the access rule; and apply the access rule to your resources.
1. Select Resource Access > Access Rules. The Manage Access Rules page appears.
2. In the Registered Access Rules list, click the access rule to change. The Edit Access Rule page appears.

3. To change the settings for an existing rule:
a. From the Allow user access when list, select the rule to change. The Edit Access Rule page appears.
b. Update the settings for the rule.
4. To add a new rule to the access rule:
a. Click Add Rule. The Add Access Rule page appears.
b. Select an access rule type for this rule. Click Next. The subsequent pages that you see depend on the type of access rule that you selected.
c. Complete the subsequent pages for the type of access rule you selected. Click Next.
d. On the Summary page, confirm the settings for your access rule. Click Next. The Add Access Rule page appears with your access rule in the Allow user access when list.
e. Click Finish Wizard.
5. To delete a rule from this access rule:
a. From the Allow user access when list, select the rule to delete. The Edit Access Rule page appears.
b. Click Delete.
6. To select which resources are protected by this access rule:
a. Click Apply Access Rules To Resources. The Apply Access Rule To Resources page appears.
b. From the Available Resources list, select the resources to protect with this access rule and click Add >. The resources are moved to the Selected Resources list.
c. Click Next.

7. Click Save.
Delete an Access Rule
1. Select Resource Access > Access Rules. The Manage Access Rules page appears.
2. In the Registered Access Rules list, click the delete icon adjacent to the access rule to delete. The Delete Access Rule page appears.
3. Click Yes. The access rule is removed from the Registered Access Rules list.
Manage Global Access Rules
Global access rules are rules that apply to all of your resources and SSO domains. To add a global access rule, you can create a new access rule or select any of the registered access rules that you have already created, and then add the access rule to the Global Access Rules list. For more information about how to add a new access rule, see Manage Access Rules.
To add an access rule to the Global Access Rules list:
1. Select Resource Access > Access Rules. The Manage Access Rules page appears.
2. Click Manage Global Access Rule. The Manage Global Access Rule page appears.

3. From the Available Access Rules list, select one or more access rules.
4. Click Add >. The rules are moved to the Selected Access Rules list.
5. Click Save. The global access rules are saved and the Manage Access Rules page appears.
Assessment Access Rule Requirements
You can create an Assessment access rule to verify a wide variety of requirements before you allow access to your network resources from Windows clients. Some examples include these types of client access rules and requirements:
Configure an Access Rule to Require Anti-virus or Anti-spyware Software
Configure an Access Rule to Verify a Windows File is Found
Configure an Access Rule to Verify a Windows File Digest is Found
Configure an Access Rule to Verify a Directory is Found
Configure an Access Rule to Verify the Windows Client Logon Domain
Configure an Access Rule to Verify the Client Computer MAC Address
Pre-connection End-point Integrity Check
For more information about how to create an access rule, see Manage Access Rules.
Assessment Access Rule Requirements
These sections describe the different types of requirement criteria you can apply to an access rule.
To create an Assessment access rule:
1. Select Resource Access > Access Rules.
2. Click Add Access Rule.
3. Type a Display Name for your access rule.
4. Click Next. The Select Type of Access Rule page appears.

5. Select Assessment as the rule type.
6. Click Next. The Select Criteria page appears.
7. In the Display Name text box, type a descriptive name for this rule.
8. In the Operating System drop-down list, Windows is the only option.
9. From the Information Type drop-down list, select the information type for which you want to set requirements:
File information
Directory information
Process information
Windows user information
Windows domain information
Network interface information
TCP Port information
UDP Port information
Registry Key information

Registry Sub Key information
Antivirus information
Firewall information
Spyware information
See the subsequent sections for detailed information on each information type.
10. Leave the Deny access check box cleared if you want to allow access when the conditions of this rule are met. Select it only when clients that meet the conditions should be denied.
11. Click Next. The Specify Requirements page appears.
12. Click Add Requirement. The Add Requirement page appears.
Client Data - Select the client data the requirement applies to.
Matching Restriction - Select how to compare the client data with the Matching Rules text. Use Match to require an exact match. Use Wildcard to add an asterisk (*) before and after the match data, so that any value that contains the text matches. For example, *WatchGuard*.
Matching Rules - Type the value to match for the selected Client Data.
13. Add the details of the requirement, then click Add. You can add several requirements, but only one requirement per client data type.
File Information
File attributes: r (read-only), d (directory), e (encrypted), h (hidden), s (system file), t (temporary)
File name Format: C:\boot.ini

File digest Format: 08d26906c74805bee8deca4c7be8c7f5
File time created Format: 01/16/ :38
File time last written Format: 03/07/ :21
File time last accessed Format: 03/03/ :04
Directory Information
Attributes: d (directory), h (hidden)
Directory digest Format: 08d26906c74805bee8deca4c7be8c7f5
Directory name Format: C:\Windows\System32\
Process Information
Process name Format: *Mozilla.exe
Process digest Format: 84885f9b82f4d55c6146ebf6065d75d2
Process ID Format: 1184
Windows User Information
Windows logon domain Format: WatchGuard
Windows alternative domains Format: WatchGuard1, WatchGuard2
Windows user name Format: userid

Windows logon server Format: SRV-EXCHANGE
Windows Domain Information
Computer name Format: USERDEV
LAN group Format: WatchGuard
Major version Format: 5
Minor version Format: 1
Platform ID Format: 500
Network Interface Information
Physical address Format: e
Name Format: {8F952A80-FAE4-4AFE-898D-F67B67C6ED61}
Description Format: MS TCP Loopback interface
TCP Port Information
Local address Format:
Local port Format: 8300
Remote address Format:
Remote port Format:

State: Established, Listen, TimeWait
UDP Port Information
Local address Format:
Local port Format: 1025
Registry Key Information
Registry name Format: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Registry type Format: value
Registry value Format: 87e4d320-ee1a eb-34db24ae5ec6
Registry Sub Key Information
Registry name Format: HKEY_CURRENT_USER\Software\Watchguard
Registry type Format: subkey
Registry value Format: AbolishClient
Antivirus Information
Product Vendor - Select the name of the anti-virus software vendor. To enable access if any anti-virus software is installed on the client, select Any product. After you select the Product Vendor, the other product fields appear. The fields you see depend on the product you selected.
Product Name - Select the name of your anti-virus software.

Product Version - Select the version of your anti-virus software.
File System Real-time Protection (FSRTP) Status - Select whether to include the status of the anti-virus software's file system real-time protection (FSRTP) in the rule. If included, select whether it must be On or Off for this rule.
Action to take if the product requirements are not met - Select whether to Deny access or Warn and grant access. Warn and grant access only shows the user a message and still connects the client; select Deny access where a missing, disabled, or outdated product should block the connection.
Definition Configuration - Select how recent the definition configuration must be.
Last Scan Time - Select when the last scan must have occurred.
Firewall Information
Product Vendor - Select the name of the firewall software vendor. To enable access if any firewall software is installed on the client, select Any product. After you select the Product Vendor, the other product fields appear. The fields you see depend on the product you selected.
Product Name - Select the name of your firewall software.
Product Version - Select the version of your firewall software.
Action to take if the product requirements are not met - Select whether to Deny access or Warn and grant access.
Enabled Status - Select whether the firewall software must be Enabled or Disabled.
Spyware Information
Product Vendor - Select the name of the anti-spyware software vendor. To enable access if any anti-spyware software is installed on the client, select Any product. After you select the Product Vendor, the other product fields appear. The fields you see depend on the product you selected.
Product Name - Select the name of your anti-spyware software.

Product Version - Select the version of your anti-spyware software.
FSRTP Status - Select whether to include the status of the anti-spyware software's real-time protection in the rule. If included, select whether it must be On or Off for this rule.
Action to take if the product requirements are not met - Select whether to Deny access or Warn and grant access.
Definition Configuration - Select how recent the definition configuration must be.
Configure an Access Rule to Require Anti-virus or Anti-spyware Software
When you configure WatchGuard SSL End-Point Integrity to verify that client devices meet your defined security profile, you select the Assessment access rules that apply to the Assessment process. You can add an access rule that requires the client to run a specific anti-virus or anti-spyware program before it can connect to your network.
1. Select Resource Access > Access Rules.
2. Click Add Access Rule. The Add Access Rule page appears.
3. In the Display Name text box, type a name for the access rule. For example, Require Anti-virus.
4. Click Next. The Select Type of Access Rule page appears.
5. From the Select Type of Access Rule list, select Assessment.
6. Click Next. The Select Criteria page appears.
7. In the Display Name text box, type a name for this rule.
8. In the Operating System drop-down list, Windows is the only available option.
9. From the Information Type drop-down list, select Antivirus information.
10. To allow access if this rule is met, make sure the Deny access check box is not selected.
11. Click Next. The Specify Requirements page appears.
12. Click Add Requirement. The Add Requirement page appears.

13. Select the requirements for this rule. The options that appear depend on the Product Vendor you select.
From the Product Vendor drop-down list, select the name of the anti-virus software vendor. To enable access if any anti-virus software is installed on the client, select Any product. After you select the Product Vendor, the other product fields appear. The fields you see depend on the product you selected.
From the Product Name drop-down list, select the name of your anti-virus software.
From the Product Version drop-down list, select the version of your anti-virus software.
From the File System Real-time Protection Status drop-down list, select whether to include the status of the anti-virus software's file system real-time protection (FSRTP) in the rule. If included, select whether it must be On or Off for this rule.
From the Action to take if the product requirements are not met drop-down list, select whether to Deny access or Warn and grant access.
In the Definition Configuration section, select how recent the definition configuration must be.
In the Last Scan Time section, select when the last scan must have occurred.
14. Click Add. The Specify Requirements page appears with the new requirement in the Registered Requirements list.
15. To add more requirements, repeat Steps 12 through 14.
16. Click Next. The Feedback Message page appears.
17. In the Feedback Message text box, type the message users see if access to a resource is denied because the client scan results do not match the specified requirements.
18. Click Next. The Summary page appears.
19. Review the summary page and click Next. The Add Access Rule page appears.
20. To add more rules, repeat Steps 7 through 19.
21. Click Next. The Apply Access Rule to Resources page appears.
22. In the Available Resources list, select the resources for this rule and click Add >. The resources appear in the Selected Resources list.
23. Click Next. The Confirm Access Rule Summary page appears.

24. Review the summary page and click Finish Wizard.
25. Click Publish to update your configuration with this change.
After you create the access rule, you can use it to protect a resource.
Configure an Access Rule to Verify the Windows Client Logon Domain
If you want to verify the logon domain for your users who connect to your network resources with Windows clients, you can create an Assessment access rule. When your users try to connect to a network resource, the Assessment access rule checks the client logon domain before they are granted access to the resource.
For each access rule, you can add one or more rules. If you add more than one rule to an access rule, an OR operator is applied to the rules. If you want the rules to be applied with an AND operator, you must combine them.
1. Select Resource Access. The Resources page appears.
2. Select Access Rules. The Manage Access Rules page appears.
3. Click Add Access Rule. The Add Access Rule page appears.
4. In the Display Name text box, type a name for the access rule. For example, Assessment-Windows-Logon-Domain.
5. Click Next. The Select Type of Access Rule page appears.
6. Select Assessment. Click Next. The Select Criteria page appears.
7. In the Display Name text box, type a name for this rule.
8. In the Operating System drop-down list, Windows is the only available option.
9. From the Information Type drop-down list, select Windows user information.
10. To allow access to clients that meet the selected criteria, clear the Deny Access check box. This is the default setting. To deny access to clients that meet the selected criteria, select the Deny Access check box.
11. Click Next. The Specify Requirements page appears.
12. Click Add Requirement. The Add Requirement page appears.
13. From the Client Data drop-down list, select Windows logon domain.
14. From the Matching Restriction drop-down list, select Match.
15. In the Matching Rules text box, type the name of your logon domain.
16. Click Add. The Specify Requirements page appears. The requirement you added appears in the Registered Requirements list.
17. Click Next. The Feedback Message page appears.
18. (Optional) In the Feedback Message text box, type the message you want users to see when they are denied access to a resource because of the client scan results.

19. Click Next. The Summary page appears.
20. Review the settings for your access rule.
21. Click Next. The Add Access Rule page appears. The rule you added appears in the Allow user access when list.
22. To add another rule, repeat Steps 7 through 21.
23. If you have more than one rule and you want to combine them, select the Select Rule check box for the rules to combine and click Combine.
24. Click Next. The Apply Access Rule to Resources page appears.
25. In the Available Resources list, select the resources for this rule and click Add >. The resources appear in the Selected Resources list.
26. Click Next. The Confirm Access Rule Summary page appears.
27. Click Finish Wizard. The new access rule appears in the Registered Access Rules list.
Configure an Access Rule to Verify a Windows File is Found
To verify that a specific file exists on the client computers of your users who connect to your network resources with Windows clients, you can create an Assessment access rule. When your users try to connect to a network resource, the Assessment access rule checks the computer to make sure the file is located in the correct directory before your users are allowed access to the resource.
For each access rule, you can add one or more rules. If you add more than one rule to an access rule, an OR operator is applied to the rules. If you want the rules to be applied with an AND operator, you must combine them. For more information about how to combine rules in an access rule, see Manage Access Rules.
1. Select Resource Access. The Resources page appears.
2. Select Access Rules. The Manage Access Rules page appears.
3. Click Add Access Rule. The Add Access Rule page appears.
4. In the Display Name text box, type a name for the access rule. For example, Assessment-Windows-File.
5. Click Next. The Select Type of Access Rule page appears.
6. Select Assessment. Click Next. The Select Criteria page appears.
7. In the Display Name text box, type a name for this rule. For example, Windows-File.
8. In the Operating System drop-down list, Windows is the only available option.
9. From the Information Type drop-down list, select File information.
10. To allow access to clients with the correct Windows file, clear the Deny Access check box. This is the default setting.
11. Click Next. The Specify Requirements page appears.

12. Click Add Requirement. The Add Requirement page appears.
13. From the Client Data drop-down list, select File name.
14. From the Matching Restriction drop-down list, select Match.
15. In the Matching Rules text box, type the full Windows path to the file. For example, C:\Documents and Settings\example.txt.
16. Click Add. The Specify Requirements page appears. The requirement you added appears in the Registered Requirements list.
17. Click Next. The Feedback Message page appears.
18. (Optional) In the Feedback Message text box, type the message you want users to see when they are denied access to a resource because of the client scan results.
19. Click Next. The Summary page appears.
20. Review the settings for your access rule.
21. Click Next. The Add Access Rule page appears. The rule you added appears in the Allow user access when list.
22. Click Next. The Apply Access Rule to Resources page appears.
23. From the Available Resources list, select the resources for this rule and click Add >. The selected resources are moved to the Selected Resources list.
24. Click Next. The Confirm Access Rule Summary page appears.
25. Click Finish Wizard. The new Access Rule appears in the Registered Access Rules list.

To automatically apply this access rule to all resources, you can add it to a global access rule. For more information about how to create global access rules, see Manage Global Access Rules.

Because you typed the full path to the Windows file, the path for the Assessment client scan was automatically added to the Client Scan Path list. For more information about the client scan path, see Configure General Settings for Assessment on page 368.

Configure an Access Rule to Verify a Windows File Digest is Found

To verify that a specific file digest exists on the client computers of your users who connect to your network resources with Windows clients, you can create an Assessment access rule. When your users try to connect to a network resource, the Assessment access rule checks the computer to make sure the file digest is located in the correct directory on the computer before your users are allowed access to the resource.

For each access rule, you can add one or more rules. If you add more than one rule to an access rule, an OR operator is applied to the rules. If you want the rules to be applied with an AND operator, you must combine them. For more information about how to combine rules in an access rule, see Manage Access Rules.

Add an Access Rule and Apply It to Resources

1. Select Resource Access. The Resources page appears.

2. Select Access Rules. The Manage Access Rules page appears.
3. Click Add Access Rule. The Add Access Rule page appears.
4. In the Display Name text box, type a name for the access rule. For example, Assessment-Windows-File-Digest.
5. Click Next. The Select Type of Access Rule page appears.
6. Select Assessment. Click Next. The Select Criteria page appears.
7. In the Display Name text box, type a name for this rule. For example, Windows-File-Digest.
8. In the Operating System drop-down list, Windows is the only available option.
9. From the Information Type drop-down list, select File information.
10. To allow access to clients with the correct Windows file, clear the Deny Access check box. This is the default setting.
11. Click Next. The Specify Requirements page appears.
12. Click Add Requirement. The Add Requirement page appears.
13. From the Client Data drop-down list, select File digest.
14. From the Matching Restriction drop-down list, select Match.
15. In the Matching Rules text box, type the text of the MD5 checksum file. For example, 08d26906c74805bee8deca4c7be8c7f
16. Click Add. The Specify Requirements page appears. The requirement you added appears in the Registered Requirements list.
17. Click Next. The Feedback Message page appears.
18. (Optional) In the Feedback Message text box, type the message you want users to see when they are denied access to a resource because of the client scan results.
19. Click Next. The Summary page appears.
20. Review the settings for your access rule.
21. Click Next. The Add Access Rule page appears. The rule you added appears in the Allow user access when list.
22. Click Next. The Apply Access Rule to Resources page appears.
23. From the Available Resources list, select the resources for this rule and click Add >. The selected resources are moved to the Selected Resources list. To automatically apply this access rule to all resources, you can add it to a global access rule. For more information about how to create global access rules, see Manage Global Access Rules.
24. Click Next. The Confirm Access Rule Summary page appears.
25. Click Finish Wizard. The new access rule appears in the Registered Access Rules list.

Add a Client Scan Path

To specify which directory the Assessment client scans for the MD5 checksum file, you must also add a client scan path.

1. Select Manage System > Assessment. The Manage Assessment page appears with the General Settings tab selected.
2. Click Add Client Scan Path. The Add Client Scan Path page appears.
3. In the Operating System drop-down list, Windows is the only available option.
4. From the Type drop-down list, select File.
5. In the Path text box, type the full Windows path to the file. For example, C:\Documents and Settings\example.doc.

6. Click Add. The path is added to the Client Scan Path list.
7. Click Save.
8. Click Publish to update your configuration with this change.

Configure an Access Rule to Verify a Directory is Found

To verify that a specific directory exists on the client computers of the users who connect to your network resources with Windows clients, you can create an Assessment access rule. When your users try to connect to a network resource, the Assessment access rule checks the computer to make sure the directory is on the computer before your users are allowed access to the resource.

For each access rule, you can add one or more rules. If you add more than one rule to an access rule, an OR operator is applied to the rules. If you want the rules to be applied with an AND operator, you must combine them. For more information about how to combine rules in an access rule, see Manage Access Rules.

1. Select Resource Access. The Resources page appears.
2. Select Access Rules. The Manage Access Rules page appears.
3. Click Add Access Rule. The Add Access Rule page appears.
4. In the Display Name text box, type a name for the access rule. For example, Assessment-Windows-Directory.
5. Click Next. The Select Type of Access Rule page appears.
6. Select Assessment. Click Next. The Select Criteria page appears.
7. In the Display Name text box, type a name for this rule. For example, Windows-Directory.
8. In the Operating System drop-down list, Windows is the only available option.
9. From the Information Type drop-down list, select Directory information.
10. To allow access to clients with the correct Windows file, clear the Deny Access check box. This is the default setting.
11. Click Next. The Specify Requirements page appears.
12. Click Add Requirement. The Add Requirement page appears.
13. From the Client Data drop-down list, select Directory name.
14. From the Matching Restriction drop-down list, select Match.
15. In the Matching Rules text box, type the full Windows path to the directory. For example, C:\Documents and Settings\example.
16. Click Add. The Specify Requirements page appears. The requirement you added appears in the Registered Requirements list.
17. Click Next. The Feedback Message page appears.

18. (Optional) In the Feedback Message text box, type the message you want users to see when they are denied access to a resource because of the client scan results.
19. Click Next. The Summary page appears.
20. Review the settings for your access rule. Click Next. The Add Access Rule page appears. The rule you added appears in the Allow user access when list.
21. Click Next. The Apply Access Rule to Resources page appears.
22. From the Available Resources list, select the resources for this rule and click Add >. The selected resources are moved to the Selected Resources list.
23. Click Next. The Confirm Access Rule Summary page appears.
24. Click Finish Wizard. The new Access Rule appears in the Registered Access Rules list.

Configure an Access Rule to Verify the Client Computer MAC Address

To verify the MAC address of the Windows client computers that connect to your network resources, you can create an Assessment access rule. When your users try to connect to a network resource, the Assessment access rule checks the client computer before your users are allowed access to the resource.

For each access rule, you can add one or more rules. If you add more than one rule to an access rule, an OR operator is applied to the rules. If you want the rules to be applied with an AND operator, you must combine them. For more information about how to combine rules in an access rule, see Manage Access Rules.

1. Select Resource Access. The Resources page appears.
2. Select Access Rules. The Manage Access Rules page appears.
3. Click Add Access Rule. The Add Access Rule page appears.
4. In the Display Name text box, type a name for the access rule. For example, Assessment-Windows-MAC-Address.
5. Click Next. The Select Type of Access Rule page appears.
6. Select Assessment. Click Next. The Select Criteria page appears.
7. In the Display Name text box, type a name for this rule. For example, Windows-MAC-Address.
8. In the Operating System drop-down list, Windows is the only available option.
9. From the Information Type drop-down list, select Network interface information.
10. To allow access to clients with the correct MAC address, clear the Deny Access check box. This is the default setting.
11. Click Next. The Specify Requirements page appears.

12. Click Add Requirement. The Add Requirement page appears.
13. From the Client Data drop-down list, select Physical address.
14. From the Matching Restriction drop-down list, select Match.
15. In the Matching Rules text box, type the MAC address of the client computer. For example, e.
16. Click Add. The Specify Requirements page appears. The requirement you added appears in the Registered Requirements list.
17. Click Next. The Feedback Message page appears.
18. (Optional) In the Feedback Message text box, type the message you want users to see when they are denied access to a resource because of the client scan results.
19. Click Next. The Summary page appears.
20. Review the settings for your access rule.
21. Click Next. The Add Access Rule page appears. The rule you added appears in the Allow user access when list.
22. Click Next. The Apply Access Rule to Resources page appears.
23. From the Available Resources list, select the resources for this rule and click Add >. The selected resources are moved to the Selected Resources list.
24. Click Next. The Confirm Access Rule Summary page appears.
25. Click Finish Wizard. The new access rule appears in the Registered Access Rules list.

To automatically apply this access rule to all resources, you can add it to a global access rule. For more information about how to create global access rules, see Manage Global Access Rules.

Because you typed the full path to the Windows file, the path for the Assessment client scan was automatically added to the Client Scan Path list. For more information about the client scan path, see Configure General Settings for Assessment on page 368.

Configure an Access Rule to Combine Authentication Methods

From WatchGuard SSL Web UI, you can configure multiple authentication methods and use access rules to combine them for added security. When you combine authentication methods to secure your Application Portal, users are prompted for their credentials for each selected authentication method before they log in to the Application Portal. When users try to log in, they supply their credentials for the first authentication method. After they are authenticated with the first method, the authentication page for each subsequent method appears, one at a time. This process continues until all authentication method requirements are met.

Before you can combine authentication methods, you must configure and enable each authentication method. For information about how to configure authentication methods, see Add an Authentication Method on page 300. After the authentication methods are configured, you use access rules to combine them. To force your users to authenticate with two or more authentication methods before they can log in to the Application Portal, you create a Global Access Rule that uses the access rule with the combined authentication methods.
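Both kinds of access rule in this chapter share one combination logic: rules added to an access rule are OR'd, rules that were combined are AND'd, and Combine with 'And' requires every selected authentication method. The following Python model is an added example, not WatchGuard code; it evaluates the Assessment rules from the preceding procedures (file name, file digest, directory, MAC address) and a combined authentication-method rule against a constructed client, and the details the guide does not state (how requirements inside one rule combine, the MAC address format, the file paths) are assumptions marked in the code.

```python
"""Added example (not WatchGuard code): a model of how this chapter's access rules
are evaluated. From the text: rules added to one access rule are OR'd, rules that
were combined are AND'd, the Deny Access check box inverts a rule, and Combine
with 'And' on an authentication-method rule needs every selected method. The rest
(how requirements inside one rule combine, MAC format, file paths) is assumed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import List

@dataclass
class Requirement:
    """One entry of a rule's Registered Requirements list (Matching Restriction: Match)."""
    client_data: str  # File name, File digest, Directory name, Physical address or Authentication method
    value: str        # the Matching Rules text, or the name of a selected authentication method

@dataclass
class Rule:
    name: str
    requirements: List[Requirement]
    require_all: bool = True   # assumption; False models an authentication rule without Combine with 'And'
    deny_access: bool = False  # the Deny Access check box; clear is the default

@dataclass
class Client:
    """Constructed view of one connecting client; what the Assessment client reports is assumed."""
    scan_paths: List[str] = field(default_factory=list)  # the Client Scan Path list
    mac_address: str = ""
    authenticated_with: List[str] = field(default_factory=list)

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def file_md5(path: str) -> str:
    """MD5 hex digest of a file, or "" when the file cannot be read."""
    try:
        with open(path, "rb") as fh:
            return md5_hex(fh.read())
    except OSError:
        return ""

def normalize_mac(mac: str) -> str:
    """Compare MAC addresses without regard to case or separators (assumption)."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def requirement_met(req: Requirement, client: Client) -> bool:
    if req.client_data == "File name":
        return os.path.isfile(req.value)
    if req.client_data == "Directory name":
        return os.path.isdir(req.value)
    if req.client_data == "File digest":
        # the digest is compared with the files found in the client scan paths
        return any(file_md5(p) == req.value.lower() for p in client.scan_paths)
    if req.client_data == "Physical address":
        return normalize_mac(req.value) == normalize_mac(client.mac_address)
    if req.client_data == "Authentication method":
        return req.value in client.authenticated_with
    raise ValueError(f"unknown client data type: {req.client_data}")

def rule_passes(rule: Rule, client: Client) -> bool:
    """Deny Access clear: the rule passes when the client matches. Deny Access set:
    the rule passes only when the client does not match (assumption)."""
    combine = all if rule.require_all else any
    return combine(requirement_met(r, client) for r in rule.requirements) != rule.deny_access

def access_rule_allows(groups: List[List[Rule]], client: Client) -> bool:
    """groups holds the access rule's rules: OR across the groups, AND inside a combined group."""
    return any(all(rule_passes(r, client) for r in group) for group in groups)

def demo() -> dict:
    """Evaluate the chapter's example rules against a constructed client whose
    'Windows' file system is a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        example_file = os.path.join(root, "example.txt")  # stands in for C:\Documents and Settings\example.txt
        with open(example_file, "wb") as fh:
            fh.write(b"hello")
        client = Client([example_file], "00-11-22-33-44-55", ["Active Directory"])
        file_rule = Rule("Windows-File", [Requirement("File name", example_file)])
        digest_rule = Rule("Windows-File-Digest", [Requirement("File digest", md5_hex(b"hello"))])
        dir_rule = Rule("Windows-Directory", [Requirement("Directory name", os.path.join(root, "missing"))])
        mac_rule = Rule("Windows-MAC-Address", [Requirement("Physical address", "00:11:22:33:44:55")])
        two_factor = Rule("AD-and-Password", [Requirement("Authentication method", "Active Directory"),
                                              Requirement("Authentication method", "WatchGuard SSL Password")])
        return {
            # three rules added separately are OR'd: the missing directory does not block access
            "separate_rules": access_rule_allows([[file_rule], [dir_rule], [mac_rule]], client),
            # the same rules after Combine are AND'd: the missing directory blocks access
            "combined_rules": access_rule_allows([[file_rule, dir_rule, mac_rule]], client),
            "digest_match": access_rule_allows([[digest_rule]], client),
            # Deny Access set on the digest rule: a client carrying that file is refused
            "deny_digest": access_rule_allows([[Rule("Block", digest_rule.requirements, deny_access=True)]], client),
            # Combine with 'And': only Active Directory has been completed, so the portal stays closed
            "two_factor": access_rule_allows([[two_factor]], client),
        }

if __name__ == "__main__":
    print(demo())
```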

In the subsequent example, Active Directory is the first authentication method and WatchGuard SSL Password is the second authentication method. You can, however, combine any of your enabled authentication methods in access rules to secure your Application Portal.

Before you begin, make sure that the Active Directory and WatchGuard SSL Password authentication methods are enabled.

1. Select Manage System > Authentication. The Registered Authentication Methods page appears.
2. Verify the Status of the Active Directory and WatchGuard SSL Password authentication methods is Enabled.

Add an Access Rule to Combine Authentication Methods

In this example, we create an access rule that combines the Active Directory and WatchGuard SSL Password authentication methods.

1. Select Resource Access > Access Rules. The Manage Access Rules page appears.
2. Click Add Access Rule. The Add Access Rule page appears.
3. In the Display Name text box, type a name for this access rule. Click Next. The Select Type of Access Rule page appears.
4. Select Authentication method. Click Next. The Select Authentication Methods page appears.
5. From the Available Authentication Methods list, select Active Directory. Click Add >. The authentication method moves to the Selected Authentication Methods list.
6. From the Available Authentication Methods list, select WatchGuard SSL Password. Click Add >. The authentication method moves to the Selected Authentication Methods list.
7. Select Combine with 'And'.
8. Click Next. The Summary page appears with details of the authentication methods you selected.
9. Click Next. The Add Access Rule page appears.
10. Verify the information for the access rule is correct. Click Next. The Select Resources page appears.
11. Do not select any resources. Click Next. The Summary page appears.
12. Verify the access rule settings are correct. Click Finish Wizard. The Manage Access Rules page appears with the new access rule in the Registered Access Rules list.

Create a Global Access Rule

After you have created an access rule to combine the authentication methods, you add the access rule to a Global Access Rule, which is automatically applied to all resources and the Application Portal.

1. On the Manage Access Rules page, click Manage Global Access Rule. The Manage Global Access Rule page appears.
2. From the Available Access Rules list, select the access rule for the combined authentication methods. Click Add >. The access rule is moved to the Selected Access Rules list.

3. Click Save. The Manage Access Rules page appears with the access rule in the Global Access Rules list.
4. Click Publish to update your configuration and the Application Portal with this change.

Now, when your users try to log in to the Application Portal, they must first authenticate with their Active Directory credentials and then with their WatchGuard SSL Password credentials. When users successfully supply their credentials for both authentication methods, the Application Portal appears.

About the Application Portal

The Application Portal is a web site on the WatchGuard SSL device where clients can connect to your corporate applications and resources from remote locations. In the Application Portal, the applications and resources appear as icons that your users can click. These applications and resources are called Application Portal items.

You can create Application Portal items for these resource types:
- Web resources
- Tunnel resources
- External sites

All Web resources and tunnel resources that you add to the Application Portal are automatically associated with an Application Portal item. You can also manually add Application Portal items for web resources or tunnel resources. For Web resources, you can also configure shortcuts. These shortcuts allow your users to connect directly to a resource with a web browser rather than through the Application Portal. You can also add Application Portal items for external sites, such as external URIs that are not registered as Web resources.

For more information about the settings for the Application Portal, see General Settings for the Application Portal.

About the Access Client

The WatchGuard SSL Access Client allows users to securely connect to your tunnel resources in the Application Portal. When users authenticate to the Application Portal and select a resource other than a web resource, the on-demand Access Client launches to load the tunnel. You can choose to load the Access Client with an ActiveX loader, Java Applet, or to run the VPN client in Java. When the user session ends, the on-demand Access Client closes and is not accessible to the user.

Your users can also select to install the Access Client on their client computers. The installed Access Client is available when users are not authenticated to the Application Portal and can be configured separately.

Manage Application Portal Items

Items that you put in the Application Portal enable your users to get access to your network. You can add, edit, and delete the resources that appear in the Application Portal.

To add a tunnel resource to the Application Portal, you must first create the tunnel resource. For more information about how to create a tunnel resource, see Manage Resources.

Add an Application Portal Item

1. Select Resource Access. The Resources page appears.
2. Select Application Portal. The Manage Application Portal page appears.
3. Click Add Application Portal Item. The Application Portal Item page appears.
4. Select the resource type for this portal item. Click Next. The subsequent pages that you see depend on the type of resource that you selected.
5. Complete the subsequent pages for the resource type you selected.
6. To enable the resource in the Application Portal, select the Make resource available in Application Portal check box. To add the Application Portal item, but not enable it, clear this check box.
7. Select the Icon that appears in the Application Portal for this resource.

   - To select a custom icon, click Browse.
   - To select a default icon, click Select icon in Icon Library.
8. In the Link Text text box, type the text to appear with the icon in the Application Portal.
9. Complete the additional settings for the resource you selected. The available options depend on the resource type you selected. Options include:
   - Shortcut: For web resources, you can add a shortcut path to the resource to enable your users to connect to the resource and not log in to the Application Portal. Type the shortcut IP address users can follow to this resource. For example:
   - Hide Resource in URL: To force users to use the shortcut for this resource, select this check box.
   - External URL: Type the URL of the web site where you want to redirect your users when they select this item in the Application Portal.
   - URL Query: For web resources, you can define a URL query that is added to the web resource address when a user selects the resource in the Application Portal. You can use a URL query to find data, or to configure other operations (for example, to add, update, or delete data). For example:
   - Protocol: For web resources, you can configure the protocol to use when the Access Client connects to the web resource. This option is only available if both HTTP and HTTPS can be used to connect to the resource. Select whether to use the HTTP or HTTPS protocol for this resource.
10. Click Finish Wizard. The resource appears in the Registered Application Portal Items list.

After you add resources to your Application Portal, you can Connect to the Application Portal and test the resources you added.

Edit an Application Portal Item

1. Select Resource Access. The Resources page appears.
2. Select Application Portal. The Manage Application Portal page appears.
3. In the Registered Application Portal Items list, click the item to edit. The Edit Application Portal Item page appears.

4. Edit the settings in the Application Portal Settings section. You can update these settings:
   - Select the Make resource available in Application Portal check box to enable the resource in the Application Portal. Clear this check box if you do not want this resource to appear on the Application Portal.
   - Change the Icon that appears on the Application Portal for this resource.
   - Change the Link Text that appears on the Application Portal for this item.
5. Click Save.

To edit the resource settings that appear in the Tunnel Resource Information section, edit the resource on the Resources page. For more information, see Manage Resources.

Delete an Application Portal Item

1. Select Resource Access. The Resources page appears.
2. Select Application Portal. The Manage Application Portal page appears.
3. In the Registered Application Portal Items list, click the item you want to delete. The Edit Application Portal Item page appears.
4. Click Delete. A confirmation message appears.
5. Click Yes. The Application Portal item is removed from the Registered Application Portal Items list.

Connect to the Application Portal

After you have added resources to your Application Portal configuration, you can connect to the WatchGuard SSL Application Portal Authentication page to test and use your resources.

To connect to the Application Portal:

1. Open a web browser and type the address of the Application Portal domain name. You can also type the IP address of the SSL device and the Application Portal port number. For example: <IP address of the SSL device>:443
   The Authentication page appears with a list of available authentication methods.
2. Select an authentication method. For example, WatchGuard SSL Password. The Authentication page for the selected authentication method appears.
3. Type and submit your user credentials. The Application Portal appears with icons for the resources you can access.

Note
The system warns you if you have your CAPS LOCK key enabled when you enter your credentials.

Customize your Web UI and Application Portal

You can customize your WatchGuard SSL Web UI and WatchGuard SSL Application Portal with your corporate brand. You can also add a link to the Access Client installer in your Application Portal. For more information about how to add an Access Client installer link, see Add the Access Client Installer Link in the Application Portal.

Customize and Brand the Web UI and Application Portal

You can use two methods to customize and apply your corporate brand to your Application Portal: the Customize Application Portal page or the File Browser. To customize and brand WatchGuard SSL Web UI, you must use the File Browser.

For information about how to use the Customize Application Portal page to customize your Application Portal, see About the Customize Application Portal Page. For information about how to use the File Browser to customize your Web UI and Application Portal, see Customize your Web UI and Application Portal with the File Browser.

About the Customize Application Portal Page

You can use the Customize Application Portal page to make basic changes to the look and feel of your Application Portal. You can change these items:

- Company name: the name that appears in the About and Contact links
- Company URLs: the URLs associated with the About and Contact links
- Welcome message: the text that appears above the Resources section of the Application Portal
- Language: the display language for the Application Portal
- Client Authentication Portal background image: the image on the page where users select an authentication method
- Client Portal header image: the image that appears across the top of the Application Portal
- Web site icon: the icon that appears in the address bar of the browser

Apply Your Brand to the Application Portal

To apply your corporate brand to your Application Portal, you can replace the default content with your company information and images.

1. Select Resources Access > Application Portal. The Manage Application Portal page appears.
2. Click Customize Application Portal. The Customize Application Portal page appears.

3. From the Language drop-down list, select the display language to use on the Application Portal.
4. In the Company Name text box, type the name of your company as you want it to appear on the Application Portal.
5. In the Company URL text box, type the URL of your company web site. For example,
6. In the Company Contact URL text box, type the URL to the page on your company web site with your company contact information. For example,
7. In the Portal Name text box, type the name to appear at the top of your Application Portal window.
8. In the Portal Information Text text box, type the message you want your users to see when they log in to the Application Portal.

9. To change the background image for the Authentication Portal, adjacent to the Client Authentication Portal Background Image text box, click Browse and select a GIF image file. The maximum image size is 799 x 70 pixels.
10. To change the header image for the Application Portal, adjacent to the Portal Header Image text box, click Browse and select a GIF image file. The maximum image size is 456 x 360 pixels.
11. To change the icon that appears in the browser address bar when users connect to the Application Portal, adjacent to the Website Icon text box, click Browse and select a Windows icon (.ico) file.
12. Click Save. The Manage Application Portal page appears.
13. Click Publish to update your configuration. Your branding changes appear in the Application Portal.

Remove Your Company Information from the Application Portal

You can remove the text changes you made to the Application Portal and revert to the default settings. This process does not change the images you selected back to the default settings. You must select each image file manually.

To revert to the default text settings:

1. Select Resources Access > Application Portal. The Manage Application Portal page appears.
2. Click Customize Application Portal. The Customize Application Portal page appears.
3. Click Reset branding text to WatchGuard default. The text changes back to the default values.
4. Click Save. The Manage Application Portal page appears.
5. Click Publish to update your configuration. The default branding changes appear in the Application Portal.

Customize your Web UI and Application Portal with the File Browser

You can apply your corporate brand to these parts of the Web UI:
- WatchGuard SSL Web UI
- WatchGuard SSL Application Portal Authentication page
- WatchGuard SSL Application Portal page
- WatchGuard SSL Application Portal Online Help

To make changes to the WatchGuard SSL Web UI files and apply your own corporate brand, you add a new set of files to a folder specifically created for the files with the new brands. The new set of files must have the same names as the files in the original location. The files in the custom folder override the files in the original location. After you finish all your changes, make sure you click Publish to submit your changes.

Note
Do not change the files in the access-point\built-in-files\ directory. Instead, upload updated versions of these files to the access-point\custom-files\ directory.

Apply your Brand to Text Files

1. At the top of WatchGuard SSL Web UI, click Browse. The File Browser appears.
2. Select the access-point\built-in-files\wwwroot\branding\ folder.
3. Save the files you want to change to a location on your computer. For information about the files you can change, see WatchGuard SSL Files to Customize and Brand.
4. Update the locally saved files with your branding changes.
5. In the File Browser, select the access-point\custom-files\wwwroot\branding\ folder.
6. Upload your customized files.

Apply your Brand to Images, Style Sheets, and Templates

You can customize images, style sheets, and template files. The template files specify the text used on the Application Portal Authentication page. The heading of each Authentication page is defined by the display name that you give the authentication method.

Current image files are found in the access-point\built-in-files\wwwroot\wa\img folder. All other files are found in the folders in the access-point\built-in-files\wwwroot\wa directory.

To apply your corporate brand to files:

1. Select the access-point\built-in-files\wwwroot\wa\ directory.
2. Select the folder in the directory with the files you want to change.
3. Save the files you want to change to a location on your computer.
4. Update the saved files with your branding changes.
5. In the File Browser, select the access-point\custom-files\wwwroot\wa\ directory.
6. Select the folder with the same name as the one from which you downloaded the files in the built-in-files directory.
7. Upload your customized files.

Upload all Branded Files at One Time

If you branded many files, you can upload them all at one time in a ZIP file rather than one at a time. Make sure that the files you updated are in the correct folder that matches the original directory structure.

1. Download the files you want to change from the access-point\built-in-files\wwwroot directory.
2. Update the files and add them to a ZIP file with the correct directory structure.
3. In the File Browser, select the access-point\custom-files\wwwroot folder.
4. Click Browse and select the ZIP file.
5. Click Upload. The file is automatically unzipped and the files are added to the directory structure from the ZIP file.

Publish Your Changes

When you have uploaded all the changed files, you must publish your changes before they appear in the Web UI and Application Portal.

1. Connect to WatchGuard SSL Web UI. If you made changes, the Publish button is blue.
2. Click Publish to update your configuration. Your branding changes appear in the Web UI and Application Portal.

WatchGuard SSL Files to Customize and Brand

You can copy these files and upload updated versions of these files to customize and apply your own corporate brand to WatchGuard SSL Web UI and the Application Portal.

Note
Do not change the files in the access-point\built-in-files\ directory. Upload updated versions of these files to the access-point\custom-files\ directory instead.

Text String Files

These files are in the access-point\built-in-files\wwwroot\branding folder:
- authad.txt: This file contains the heading for the Active Directory authentication page. This text appears on every Active Directory template. Other authentication methods do not need a branding text file.
- authnovell.txt: This file contains the heading for the Novell eDirectory authentication page.
- authselect.txt: This file contains the heading for the Select Authentication Method page.
- authweb.txt: This file contains the name of WatchGuard SSL Web UI that appears in the JavaScript dialog boxes to accept the ActiveX or Java Applet loader.
- company.txt: This file contains the name of the company that appears in the Application Portal.
- company_about_url.txt: This file contains the URL for information about the company.
- company_contact_url.txt: This file contains the URL for company contact information.
- copyright.txt: This file contains the company copyright notice.
- portal.txt: This file contains the name of the Application Portal that appears on the Application Portal Help page.
- product.txt: This file contains the name of the product that appears in the title of each page.
- tunnel.txt: This file contains the name of the Access Client that appears in the JavaScript dialog boxes to accept the ActiveX or Java Applet loader.

Authentication page style sheets, images, and template files

The template files specify the text used on the Application Portal Authentication pages. The heading on each Authentication page is defined by the display name that you give the authentication method in WatchGuard SSL Web UI. The existing files are in the folders in the access-point\built-in-files\wwwroot\wa\ directory. Make sure you upload your changed files to the folder in the custom-files directory with the same name as the folder you downloaded them from in the built-in-files directory.

To customize | Change | File name
WatchGuard SSL Web UI | The current skin | WebSkin.zip
Graphics on logon pages | The background image | background_img.gif
Colors and fonts on authentication pages | The style sheet for authentication pages | common.css
Text strings or buttons on authentication pages | The individual template files | See the Template files section
Application Portal logotype | The logotype | logo.gif
Application Portal resource icons | The images | [symbol_color].gif
Colors and fonts in the Application Portal | The Application Portal style sheet | access_portal.css
Colors and fonts in the Application Portal Online Help | The Application Portal Online Help style sheet | default.css
Contents in the Application Portal Online Help | The Online Help HTML page | access_portal_help.html

Application Portal style sheets, images, and template files

You can customize the style sheets (.css files), images, and template files used in the Application Portal and associated authentication pages. These files are located in these folders:
access-point\built-in-files\wwwroot\wa\
access-point\built-in-files\wwwroot\wa\authmech
access-point\built-in-files\wwwroot\wa\authmech\base
access-point\built-in-files\wwwroot\wa\img
access-point\built-in-files\wwwroot\wa\help

Style sheets

You can customize style sheets to change the colors and fonts for the Application Portal, the Application Portal authentication pages, and the Application Portal Online Help.

File name | Description
access_portal.css | Controls colors, fonts, and the location and size of page objects (for example, the logotype) in the WatchGuard SSL Application Portal (_menu.html/.wml and _welcome.html/.wml)
common.css | Controls colors and fonts in the Application Portal authentication pages
default.css | Controls colors and fonts in the Application Portal Online Help

Images

You can replace or edit images to customize the WatchGuard SSL Web UI skin, the logotype or icons in the Application Portal, or graphics for the authentication pages. Images are GIF or JPEG format. The down.jpg and up.jpg web images can be in JPEG or GIF format. The mask.gif image must be in GIF format (indexed palette). All three files must have the same dimensions in pixels.

Directory location | File name | Description
\built-in-files\wwwroot\wa\img | background_img.gif | Background image for authentication pages
\built-in-files\wwwroot\wa and \built-in-files\wwwroot\wa\help | logo.gif | Logotype
\built-in-files\wwwroot\wa\img\icons | (Example) _orange.gif | Icons for resources (applications) in the Application Portal
\built-in-files\wwwroot\wa\authmech\webskin.zip | mask.gif | The mask that controls the placement of buttons and labels in WatchGuard SSL Web UI
\built-in-files\wwwroot\wa\authmech\webskin.zip | down.jpg | WatchGuard SSL Web UI skin without background; buttons appear as selected
\built-in-files\wwwroot\wa\authmech\webskin.zip | up.jpg | WatchGuard SSL Web UI skin with background; buttons appear as not selected

Template files

You can edit template files to customize text strings and buttons on individual authentication pages. The templates are available as HTML and WML files. Web authentication pages are HTML files and WAP authentication pages are WML files. All template files for the WatchGuard SSL Application Portal and associated authentication pages are located in these folders:

access-point\built-in-files\wwwroot\wa\
access-point\built-in-files\wwwroot\wa\authmech
access-point\built-in-files\wwwroot\wa\authmech\base

Some of the template files, with their folder location, description, and user variables, are listed in this table.

Folder: access-point\built-in-files\wwwroot\wa

File name | Description | User variables
_auto_reauthmessage | The page that appears when a user logs off and must authenticate again. |
_chooseauthmech | The page that appears when a user must select an authentication method. | name, displayname
_closedown_message | The page that appears when a user session times out. |
_deletelogoncred | The page that appears when the password database has been cleared. |
_error | The error message users see. | errmsg
_Internal Authentication | Internal Authentication form. | ihost, iuid, idom
_logoutpage | The page that appears when a user logs off. |
_menu | The template for the WatchGuard SSL Application Portal page. This is the menu page that is called from the welcome.html file. |
_no_session | The page that appears when a session times out. |
_popup_msg | The popup message that appears to users. | location, errmsg
_reauthmessage | The timeout message that appears to users. |
_refresh_top | The page that appears when a user must refresh the browser. |
_securitywarning | The page that appears for security warnings. | errmsg
_TimedoutPage | The page that appears when a user is temporarily locked until a specific timeout occurs (SecurID only). | auth_timeout
_webclient.html | The page that appears when the user selects a tunnel set in the Application Portal. |

_webclientjavaobj.html | Contains the Access Client Java applet. |
_webclientobj.html | Contains the Access Client ActiveX control. |
_welcome | The page that appears when a user authenticates successfully. |
302 | A redirect page that appears when a page has moved. | location
302_top | A redirect page that appears when a page has moved. | location
400 | The page that appears after a bad request. |
401E | The page that appears after an external authentication failure because of incorrect credentials, when the selected authentication method is Basic Authentication. | authmech, location
401I | The page that appears after an internal authentication failure because of incorrect credentials, when the selected authentication method is Basic Authentication. | authmech, location
401WIL | The page that appears when a user fails to authenticate with Windows Integrated Login. | authmech, location
403 | The page that appears when a client requests a forbidden resource. | eprot, ehost, uri
404 | The page that appears when a requested file is not on the device. | eprot, ehost, file
405 | The page that appears when a client request uses a prohibited HTTP method. | eprot, ehost, uri, method, allow
500 | The page that appears when a server error occurs. | errmsg
pocketclient | Starts the Access Client for Pocket PC installation. |

Folder: TestLogon

File name | Description | User variables
LoginPage | The Authentication page that appears for TestLogon. For example, when a user requests authmech=testlogon. |

Folder: access-point\built-in-files\wwwroot\wa\authmech\base

File name | Description | User variables
GenericForm | The template for authentication forms used with GenericForm template specifications. The user variables in the template specifications manage the appearance of the authentication page. | heading, errmsg, explanation, message, authmech, texttext, textname, textvalue, readonlytext, readonlyname, readonlyvalue, passwordtext, passwordname, checkboxtext, checkboxname, checkboxvalue
Dialog | The template used with Dialog template specifications. | heading, errmsg, explanation, message, authmech, buttontext, hiddenname, hiddenvalue
Applet | The template used with Applet template specifications. Only used by WatchGuard SSL Web UI. | heading, errmsg, explanation, message, authmech, buttontext, hiddenname, hiddenvalue, username, vendorbase64, arg1, arg2
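Several of the variables the templates above receive (errmsg, uri, ehost, location) are derived from the client's request, so a branded _error, 404 or 302 template is only as safe as the substitution that fills it. The following renderer is an added example, not code from this guide or from the WatchGuard product, and it assumes a [$name] placeholder syntax, the same shape the guide uses for [$username] in SSO form data; the device's own template syntax is not shown on this page. It HTML-escapes every value, treats location and redirect as URLs that must stay on an allowed host or fall back to "/", and renders a constructed error template with a hostile uri and location to show the effect. The allowed host list and the template are constructed for the example.

```python
"""Render a template by replacing user variables, safely.

Added example, not code from the WatchGuard guide or product. Assumes a
[$name] placeholder syntax; the portal's real syntax is not documented
on this page.
"""
import html
import re
from urllib.parse import urlsplit

PLACEHOLDER = re.compile(r"\[\$([A-Za-z_][A-Za-z0-9_-]*)\]")

# Variables rendered as a URL (href / meta refresh) rather than as text.
URL_VARIABLES = {"location", "redirect"}

# Constructed: the DNS names under which the device itself is reached.
ALLOWED_HOSTS = {"portal.example.com"}


def safe_location(value, allowed_hosts=ALLOWED_HOSTS):
    """Allow a same-site path or an https URL on an allowed host; else '/'.

    Stops a crafted location from turning the 302/302_top or _popup_msg
    templates into an open redirect. This policy is the example's own.
    """
    parts = urlsplit(value)
    if not parts.scheme and not parts.netloc:
        if value.startswith("/") and not value.startswith("//"):
            return value
        return "/"
    if parts.scheme == "https" and parts.hostname in allowed_hosts:
        return value
    return "/"


def render(template, variables):
    """Replace every [$name] in template; unknown names render as empty."""
    def substitute(match):
        name = match.group(1)
        value = variables.get(name, "")
        if name in URL_VARIABLES:
            value = safe_location(value)
        # quote=True because values also land inside attribute values.
        return html.escape(value, quote=True)
    return PLACEHOLDER.sub(substitute, template)


# Constructed stand-in for a branded _error template (not the device's file).
ERROR_TEMPLATE = (
    "<html><head><title>[$title]</title></head><body>"
    "<h1>[$heading]</h1><p>[$errmsg]</p>"
    "<p>Requested [$eprot]://[$ehost][$uri]</p>"
    '<a href="[$location]">Continue</a></body></html>'
)


def render_error_page(variables):
    return render(ERROR_TEMPLATE, variables)


if __name__ == "__main__":
    # Constructed request-derived values, including a hostile uri and location.
    print(render_error_page({
        "title": "Example Corp Portal", "heading": "Error",
        "errmsg": "Access denied", "eprot": "https",
        "ehost": "portal.example.com",
        "uri": "/wa/<script>alert(1)</script>",
        "location": "https://evil.example/phish",
    }))
```

If you customize templates, keep every [$name] inside element content or a quoted attribute; the escaping above assumes that context and would not protect a placeholder dropped into an inline script or an unquoted attribute.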

Apply your corporate brand to WatchGuard SSL Web UI

The required parameters are in the access-point\built-in-files\wwwroot\wa\authmech\base\web.js file. The values for the parameters required for WatchGuard SSL Web UI are all set in JavaScript from values supplied by the server.

Parameter name | Function
UserName | User ID of the user who requested to authenticate
Config | Configuration parameters
Challenge | Challenge from WatchGuard SSL
Modulus | Encryption modulus
PostURL | URL where the results are posted

User variables

When an HTML or WML page appears, user variables in the template file are replaced with the related content. The content that each user variable is replaced with is described in this table.

User variable | Description
allow | A comma-separated list of allowed HTTP methods for the current host and URI.
auth_timeout | The number of seconds that remain in the period of time a user is locked out and cannot authenticate to the WatchGuard SSL device (used with SecurID authentication).
authmech | The authentication method for an authenticated user.
authmech | The variable used in the template specification for the authentication method.
authtimeout | The number of seconds that remain before an authenticated user is logged off. Used in the timeout warning page.
do | The template specification parameter for the input data.
ehost | The external host name, such as the HTTP Host in the client request to the WatchGuard SSL device. This is a general variable that can be used in all templates.
eprot | An external protocol, such as the protocol between the client and the WatchGuard SSL device (HTTP or HTTPS). This is a general variable that can be used in all templates.
errmsg | The error message from the WatchGuard SSL device.
explanation | The explanatory text in a template specification.
final_timeout | The number of minutes that remain before the maximum lifetime of the current session is reached and the session ends.
heading | The main heading text in a template specification.
idom | A variable for the internal domain.
ihost | The internal host (alias) by which the user is currently connected. This is not necessarily the same as the HTTP "Host" header in the WatchGuard SSL device request to the internal host.
input-heading | The heading text for an input field in a template specification.
iprot | The internal protocol by which the user is currently connected: HTTP or HTTPS.
iuid | The internal UserID (uid filtered through NameMapper.wascr). This is a general variable that can be used in all templates.
iuri | The internal URI, requested from the WatchGuard SSL device by the host.
location | A URI or a URL that specifies where users are redirected when they authenticate.
maxsessiontimeout | The maximum number of minutes for a user session. You specify this value when you set up your configuration.
message | An authentication message from the WatchGuard SSL device.
method | The HTTP method in a GET request.
ntdomain | The NT domain name.
pin | The PIN for authentication.
protocol | The URL parameter used for the Access Client that describes the protocol that the tunnel uses: EESSP or SSL.
reauth_uid | The User ID for RADIUS pages.
redirect | The URL parameter for the Access Client.
replymsg | A variable in RADIUS pages.
servernumber | The authentication challenge number from the WatchGuard SSL device.
title | A variable in a template specification.
tunnelcipheriv | The Base64 encoded cipher IV parameter that the system generates dynamically.
tunnelcipherkey | The Base64 encoded cipher key parameter that the system generates dynamically.
upd | The value of the UPD cookie used for session handling in a load-balanced environment that the system generates dynamically.
uid | The UserID for an authenticated user. This is a general variable that can be used in all templates.

User variable | Description
uri | The URI request sent from the client to the WatchGuard SSL device.
waak | A parameter configured in the Web UI that is used in session handling.
warningtimeout | The number of seconds that remain before a warning message or another authentication page appears.
wasid | The user WASID parameter that is configured in the Web UI to manage sessions.

Add the Access Client Installer Link in the Application Portal

To give your users the installed Access Client, you can upload the Access Client installer to the WatchGuard SSL device, and then edit the Application Portal page to add a link to the installer.
1. Save the AccessClientInstall.exe file on your computer.
2. In WatchGuard SSL Web UI, click Browse. The File Browser appears.
3. Select the access-point\built-in-files\wwwroot\wa\includes\ folder.
4. In the Upload File text box, type or browse to the location of the AccessClientInstall.exe file.
5. Click Upload.
6. Adjacent to the portaltext.txt file, click the edit icon. The Edit File page appears.
7. Type or paste this text in the file where you want the link to appear:
To install the Access Client on your Windows computer, click here: <a href="/wa/includes/accessclientinstall.exe">WatchGuard SSL Client</a>
8. Click Save.
9. Click Publish to update your configuration with these changes.

Add the Access Client Installer as an Application Portal Resource

To give your users the installed Access Client, you can upload the Access Client installer to the WatchGuard SSL device, and then create a resource for the Access Client installer in the Application Portal.

Upload the Access Client Installer to the WatchGuard SSL device

You must upload the Access Client installer to the device before you can create a resource for it.
1. Save the AccessClientInstall.exe file on your computer.
2. In WatchGuard SSL Web UI, click Browse. The File Browser appears.
3. In the File Browser, select the access-point\custom-files\wwwroot\files\ folder.
4. In the Upload File text box, type or browse to the location of the AccessClientInstall.exe file.
5. Click Upload.
6. Close the File Browser window.

Create a web resource for the Access Client installer

You can add a web resource to allow your users to install the Access Client you uploaded to your WatchGuard SSL device. You can also add access rules for this resource, to restrict who can install it.
1. Select Resource Access. The Resources page appears.
2. Select the Web Resources tab.
3. Click Access Point. The Edit Web Resource Host Access Point page appears.
4. Select the Manage Paths tab. The Manage Paths page appears.
5. Click Add Web Resource Path. The Add Web Resource Path page appears.
6. In the Path text box, type files/accessclientinstall.exe.
7. To add access rules specific to this resource, clear the Use Parent Authorization check box. Additional tabs for Access Rules and Advanced Settings appear. Use these tabs to add access rules for this resource.
8. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library. Icon Uploaded appears below the Icon text box.
9. In the Link Text text box, type the name to appear with the icon in the Application Portal.
10. Click Save. The Manage Paths page appears.
11. Click Save. The Resources page appears.
12. Click Publish to update your configuration with this change.
The resource is now available in the Application Portal. After you add this resource, it appears on the Resources page in the Resources list, with the Access Point resource group.

Add Additional Application Portals

In some cases, you may want to display a different Application Portal depending on the address the client uses to connect to the SSL device. This allows you to create a custom Application Portal for different departments or regions in your organization.
1. Select Resource Access > Manage Global Resource Settings.
2. Select the DNS Name Pool tab.
3. Click Add DNS Name for Device. For example:
DNS Name: test.example.com
WWW Root: test
4. Click Browse at the top of the SSL Web UI to open the File Browser.
5. Upload your set of customized branding files to /access-point/custom-files/. You can upload a .zip file; it is automatically expanded in the appropriate directory.
6. Save and publish your configuration.
7. On your client, change the hosts file to point the domain test.example.com to the external IP address of your SSL device.

About SSO Domains

Single Sign-On (SSO) is a session/user authentication process that allows users to authenticate with their user credentials one time to get access to multiple resources. When users authenticate with SSO, they have instant access to application portal items, and they do not have to authenticate again if they select a different item. WatchGuard SSL SSO domains are configured to enable SSO for resources with the same user credentials. The SSO domain specifies how SSO is used for the resources included in the domain. When user credentials are modified, the changes are automatically applied to all resources in the SSO domain.

When users first log on to the Application Portal with SSO, they are prompted for their credentials once for each SSO domain, when they select a resource that is in that SSO domain. Unless you select the Cache on session only option for the SSO domain, the user credentials are then stored indefinitely in the WatchGuard SSL user account in the Local User Database. With Cache on session only, the credentials are kept in memory and are only valid during the user session. After users authenticate successfully, they can select different internal applications that are part of the SSO domain. They do not have to authenticate again each time they select a resource in the Application Portal.

Domain type attributes

WatchGuard SSL SSO domains are text domains. When you add an SSO domain, you can associate different domain attributes with the SSO domain.
Text: This domain type is used to send user credentials as text, with different attributes that define the authentication information. Available domain attributes: User name, Password, Domain.
The domain attributes you select to add to the domain type depend on the authentication method you select. Standard domain attributes for the authentication methods are:
NTLM: All domain attributes for the domain type text (user name, password, and domain) are added to the domain type.
Basic: The user name and password attributes are added to the domain type. Basic is the most commonly used authentication method for web environments.
Form based: The user name and password attributes are added to the domain type. To use form-based logon for an SSO domain, you must design a web form for access to each resource in the SSO domain. You do this when you add or edit a resource.

Manage SSO Domains

You can add, edit, and delete the Single Sign-On (SSO) domains that are available for resource access with SSO.

Add an SSO domain
1. Select Resource Access. The Resources page appears.
2. Select SSO Domains. The Manage SSO Domains page appears.

3. Click Add SSO Domain. The Add SSO Domain page appears.
4. In the Display Name text box, type a name for this SSO domain.
5. Configure the settings for SSO Restrictions. If you select the Cache on session only check box, SSO credentials are kept in memory only during the user session. If you do not select this option, SSO credentials are stored in the user account.
6. Click Next. The Domain Attributes page appears.

7. To add an attribute, click Add Domain Attribute. The Add Domain Attribute page appears.
8. Configure the settings for the attribute. If you set Referenced By to User Input, do not type a value in the Attribute Value text box.
9. Click Next. The attribute appears in the Registered Domain Attributes list.
10. Click Next. The Apply SSO Domains to Resources page appears.
11. To select the resources to use this SSO domain, click Apply SSO Domains To Resources. The Select SSO Type page appears.
12. From the SSO Type drop-down list, select the SSO type: Text, Form based, Adaptive SSO, File Share, or RDP.
13. From the Available Resources list, select the resources to use this SSO domain and click Add >. The resources you selected appear in the Selected Resources list.
14. Click Next. The Apply SSO Domains page appears with the resources you added.
15. Click Next. The Add SSO Domain Summary page appears.
16. Review the settings for this SSO domain and click Finish Wizard. The SSO Domain appears in the Registered SSO Domains list.

Edit an SSO domain
1. Select Resource Access. The Resources page appears.
2. Select SSO Domains. The Manage SSO Domains page appears.
3. In the Registered SSO Domains list, click the domain to change. The Edit SSO Domains page appears.
4. On the General Settings tab, change the Display Name or the SSO Restrictions settings.
5. To add an attribute to this SSO domain:
a. Click Add Domain Attribute. The Add SSO Domain Attribute page appears.
b. Configure the settings for the attribute. If you set Referenced By to User Input, do not type a value in the Attribute Value text box.
c. Click Add. The attribute appears in the Registered Domain Attributes list.
6. To delete an attribute from this SSO domain:
a. Select the Domain Attributes tab. The Domain Attributes page appears.
b. From the Registered Domain Attributes list, select the attribute to delete. The Edit Domain Attribute page appears.
c. Click Delete. A confirmation message appears.

d. Click Yes. The attribute is removed from the Registered Domain Attributes list.
7. To add resources to this SSO domain:
a. Select the Apply to Resources tab.
b. Click Apply SSO Domains To Resources. The Apply SSO Domains To Resources page appears.
c. From the SSO Type drop-down list, select the SSO type. The resources available with the selected SSO type appear in the Available Resources list.
d. From the Available Resources list, select the resources to use this SSO domain and click Add >. The resources are moved to the Selected Resources list.
e. Click Add. The names of the selected resources appear in the SSO Type list.
8. To remove resources from this SSO domain:
a. Select the Apply to Resources tab.
b. In the SSO Type list, adjacent to the resource to remove, click the delete icon. A confirmation message appears.
c. Click Yes. The resource is removed from the list.
9. Click Save.

Delete an SSO domain
1. Select Resource Access. The Resources page appears.
2. Select SSO Domains. The Manage SSO Domains page appears.
3. In the Registered SSO Domains list, adjacent to the domain to delete, click the delete icon. A confirmation message page appears.
4. Click Yes. The SSO Domain is deleted and is removed from the Registered SSO Domains list.
5. Click Publish to update your configuration with this change.

Configure SSO for Outlook Web Access (Form Based Authentication)

If you have users who use Outlook Web Access (OWA) with form-based authentication, you can use WatchGuard SSL Web UI to configure SSO (Single Sign-On) authentication for them. To set up SSO for OWA form-based authentication, you must complete a multi-step process: add a resource for OWA, specify the SSO domain to use and configure form-based authentication, and select and configure an authentication method.

Add an Outlook Web Access Resource
1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Web Resources list.
4. Select Microsoft Outlook Web Access 2007. The Microsoft Outlook Web Access resource you selected is highlighted.
5. Click Next. The Add Resource Microsoft Outlook Web Access page appears.
6. In the Display Name text box, type OWA 2007.
7. (Optional) In the Description text box, type a description to help you identify this resource.
8. In the Host text box, type the valid DNS name or IP address of the server for this resource.
9. Make sure the Make resource available in Application Portal check box is selected.
10. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.

11. In the Link Text text box, type the text you want to appear with this icon in the Application Portal. For this example, type MS Outlook Web Access.
12. Click Next. The Manage Access Rules page appears.
13. Select the default access rule Any Authentication.
14. Click Next. The Add Resource Summary page appears.
15. Review the settings for the resource and click Finish Wizard. The Resources page appears with a message that the resource was added successfully.

Add an SSO domain for form based authentication
1. Select Resource Access > SSO Domains. The Manage SSO Domains page appears.
2. Click Add SSO Domain. The Add SSO Domain page appears.
3. In the Display Name text box, type a name for this SSO domain. For this example, type AD.
4. (Optional) Configure the settings for SSO Restrictions.
5. Click Next. The Domain Attributes page appears.
6. Click Add Domain Attribute. The Add Domain Attribute page appears.
7. From the Attribute Name drop-down list, select an attribute: User name, Password, or Domain. If you select the Domain attribute, in the Attribute Value text box, type the domain name. For all other attributes, the Attribute Value text box can be empty.
8. Click Next. The Add SSO Domain page appears. The new attribute appears in the Registered Domain Attributes list.
9. Click Next. The Apply SSO Domains To Resources page appears.
10. Click Apply SSO Domains To Resources. The Select SSO Type page appears.
11. From the SSO Type drop-down list, select Form based.
13. From the Available Resources list, select OWA 2007 and click Add >. The resource you selected appears in the Selected Resources list.

14. Click Add. The Selected Resources page appears with the Form Based SSO settings for the OWA 2007 resource.

15. In the Method section, select POST.
16. In the Form Action (URL) text box, type https://<IP Address>/OWA/auth/owaauth.dll? Make sure you replace <IP Address> with the IP address of your Exchange Server.
17. In the Form Data text box, type destination=https://<IP Address>/OWA/&flags=0&forcedownlevel=0&isutf8=1&password=[$password]&trusted=0&username=[$username] Make sure you replace <IP Address> with the IP address of your Exchange Server. The [$username] and [$password] placeholders are replaced with the user's SSO credentials when the form is posted.
18. In the Verification URL text box, type https://<IP Address>/owa/auth/logon.aspx? Make sure you replace <IP Address> with the IP address of your Exchange Server.
19. In the Form Response text box, type the text that identifies a failed user authentication attempt: url=https://<IP Address>/owa/&reason=2 Make sure you replace <IP Address> with the IP address of your Exchange Server.
20. In the Form Response Interpretation section, select Authentication has failed.
21. Click Save. The Apply SSO Domains to Resources page appears.
22. Click Next. The Add SSO Domain Summary page appears.
23. Review your settings and click Finish Wizard. The Manage SSO Domains page appears with AD in the Registered SSO Domains list.

Configure the authentication method and link translation
1. Select Manage System. The Authentication page appears.
2. In the Registered Authentication Methods list, select an Active Directory or LDAP authentication method. The Edit Authentication Method page appears.
3. Select the Extended Properties tab.
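The Form Based SSO settings from steps 15 to 20 describe an HTTP exchange: the device fills [$username] and [$password] into the Form Data, POSTs it to the Form Action URL, and reads the Form Response text to decide whether the logon failed. The following script is an added example, not code from this guide or from the WatchGuard product; it simulates that exchange offline with a constructed Exchange address and constructed responses, and shows why the credential values must be percent-encoded before they go into the body (a password containing "&" or "=" would otherwise split into extra form fields). Nothing in it talks to the network.

```python
"""Simulate the form-based SSO logon the device performs for OWA.

Added example, not code from the WatchGuard guide or product. The
Exchange address and the two sample responses are constructed.
"""
from urllib.parse import parse_qs, quote

# Settings as the guide describes them, with a constructed address.
EXCHANGE = "192.0.2.10"
FORM_ACTION = f"https://{EXCHANGE}/OWA/auth/owaauth.dll?"
FORM_DATA = (f"destination=https://{EXCHANGE}/OWA/&flags=0&forcedownlevel=0"
             "&isutf8=1&password=[$password]&trusted=0&username=[$username]")
FORM_RESPONSE = f"url=https://{EXCHANGE}/owa/&reason=2"
INTERPRETATION = "Authentication has failed"


def render_form_data(template, credentials):
    """Replace [$name] with the percent-encoded credential value."""
    body = template
    for name, value in credentials.items():
        body = body.replace(f"[${name}]", quote(value, safe=""))
    return body


def build_request(credentials):
    """The POST the device would send, as (method, url, headers, body)."""
    body = render_form_data(FORM_DATA, credentials)
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Content-Length": str(len(body.encode("utf-8")))}
    return ("POST", FORM_ACTION, headers, body)


def logon_failed(response, form_response=FORM_RESPONSE,
                 interpretation=INTERPRETATION):
    """Apply the Form Response rule to a response.

    response is a dict with 'status', 'headers' and 'body'. Under the
    'Authentication has failed' interpretation, finding form_response in
    the Location header or the body means the logon failed; under the
    opposite interpretation it means the logon succeeded.
    """
    haystack = response["headers"].get("Location", "") + "\n" + response["body"]
    marker_present = form_response in haystack
    if interpretation == INTERPRETATION:
        return marker_present
    return not marker_present


# Constructed responses: a bad logon is bounced back to logon.aspx with
# reason=2; a good one is redirected into OWA with a session cookie.
FAILED = {"status": 302, "headers": {
    "Location": f"https://{EXCHANGE}/owa/auth/logon.aspx?url=https://{EXCHANGE}/owa/&reason=2"},
    "body": ""}
SUCCEEDED = {"status": 302, "headers": {
    "Location": f"https://{EXCHANGE}/OWA/",
    "Set-Cookie": "sessionid=constructed; secure; HttpOnly"},
    "body": ""}


def demo():
    creds = {"username": "corp\\jsmith", "password": "p&ss=w%rd"}
    method, url, headers, body = build_request(creds)
    fields = parse_qs(body)  # what the Exchange server decodes from the body
    return {"url": url, "password_seen": fields["password"][0],
            "username_seen": fields["username"][0],
            "failed_on_bad_logon": logon_failed(FAILED),
            "failed_on_good_logon": logon_failed(SUCCEEDED)}


if __name__ == "__main__":
    print(demo())
```

When you test the real configuration, use an account whose password contains "&" or "%": if SSO works for simple passwords and fails for that one, the form data is not being encoded the way the device expects.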

4. Click Add Extended Property. The Add Extended Property page appears.
5. From the Key drop-down list, select Save credentials for SSO domains.
6. In the Value text box, type the name of the SSO domain you created. For this example, type AD.
7. Click Add. The extended property appears in the Registered Extended Properties list.
8. Click Save.
9. Click Publish to update your configuration with this change.

Configure SSO with Outlook Web Access (Basic Authentication)

Use these steps to configure SSO (Single Sign-On) authentication for your Outlook Web Access users who use basic authentication. To set up SSO for OWA with basic authentication, you must complete a multi-step process: add a resource for OWA, specify the SSO domain to use and apply it to the resource, and select and configure an authentication method.

Add an Outlook Web Access 2003 resource
1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Web Resources list.
4. Select Microsoft Outlook Web Access 2003. The Microsoft Outlook Web Access resource you selected is highlighted.
5. Click Next. The Add Resource Microsoft Outlook Web Access 2003 page appears.

6. In the Display Name text box, type a name for this resource. For this example, type OWA 2003.
7. (Optional) In the Description text box, type a description to help you identify this resource.
8. In the Host text box, type the valid DNS name or IP address of the server for this resource.
9. Make sure the Make resource available in Application Portal check box is selected.
10. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
11. In the Link Text text box, type the text to appear with this icon in the Application Portal.
12. Click Next. The Manage Access Rules page appears.
13. Select the default access rule Any Authentication.
14. Click Next. The Summary page appears.
15. Review the settings for the resource and click Finish Wizard. The Resources page appears with a message that the resource was added successfully.
16. Click Publish to update your configuration with this change.

Add an SSO domain
1. Select Resource Access > SSO Domains. The Manage SSO Domains page appears.
2. Click Add SSO Domain. The Add SSO Domain page appears.
3. In the Display Name text box, type a display name for this SSO domain. For this example, type AD-OWA.
4. (Optional) Configure the settings for SSO Restrictions.
5. Click Next. The Domain Attributes page appears.
6. Click Add Domain Attribute.
7. In the Attribute Name drop-down list, select an attribute: User name, Password, or Domain. If you select the Domain attribute, in the Attribute Value text box, type the domain. For all other attributes, the Attribute Value text box can be empty.
8. Click Next. The Add SSO Domain page appears. The new attribute appears in the Registered Domain Attributes list.
9. Click Next. The Apply SSO Domains to Resources page appears.
10. Click Apply SSO Domains To Resources. The Select SSO Type page appears.
11. From the SSO Type drop-down list, select Text.
12. From the Available Resources list, select OWA 2003 and click Add >. The resource you selected appears in the Selected Resources list.
13. Click Add. The Apply SSO Domains to Resources page appears with the OWA 2003 resource.
14. Click Next. The Add SSO Domain Summary page appears.
15. Review your settings and click Finish Wizard. The Manage SSO Domains page appears with the new SSO domain in the Registered SSO Domains list.
16. Click Publish to update your configuration with this change.

Configure the authentication method for the SSO domain
1. Select Manage System. The Authentication page appears.
2. In the Registered Authentication Methods list, select an Active Directory or LDAP authentication method. The Edit Authentication Method page appears.
3. Select the Extended Properties tab.
4. Click Add Extended Property.
5. In the Key drop-down list, select Save credentials for SSO domains.
6. In the Value text box, type the name of the SSO domain you created. For this example, type AD-OWA.
7. Click Save.
8. Click Publish to update your configuration with this change.

Configure SSO for Microsoft Outlook Web App 2010

To enable your users who use Outlook Web App 2010 to get access to their web mail, you can use WatchGuard SSL Web UI to add a Microsoft Outlook Web App 2010 resource to the Application Portal and configure adaptive SSO (Single Sign-On) authentication. To set up SSO for Outlook Web App 2010, you must complete a multi-step process: add a resource for Outlook Web App 2010, specify the SSO domain to use and configure adaptive SSO, and select and configure an authentication method.

Add a Microsoft Outlook Web App 2010 Resource

You can add an Outlook Web App resource to your network and enable access to it with any of your configured authentication methods.
1. Select Resource Access. The Resources page appears.

2. Click Add Resource. The Add Resource page appears.
3. Expand the Web Resources list and select Microsoft Outlook Web App 2010.
4. Click Next. The Add Resource Microsoft Outlook Web App 2010 page appears.
5. In the Display Name text box, type a name for this resource. For example, type Outlook Web App 2010.
6. (Optional) In the Description text box, type a description to help you identify this resource.
7. In the Host text box, type the IP address of the server for this resource.
8. Make sure the Make resource available in Application Portal check box is selected.
9. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
11. In the Link Text text box, type the text to appear with the icon in the Application Portal. For example, type MS Outlook Web App.
12. Click Next. The Manage Access Rules page appears.
13. From the Available Access Rules list, select the default access rule Any Authentication. Click Add >. The access rule is moved to the Selected Access Rules list.

14. Click Next. The Add Resource Summary page appears.
15. Review the settings for the resource and click Finish Wizard. The Resources page appears with a message that the resource was added successfully.
16. Click Publish to update your configuration with this change. The resource is now available in the Application Portal.

Configure Adaptive SSO for the Resource

1. Select Resource Access > SSO Domains. The Manage SSO Domains page appears.
2. Click Add SSO Domain. The Add SSO Domain page appears.
3. In the Display Name text box, type a display name for this SSO domain. For example, type WATCHGUARDSSL.
4. (Optional) Configure the settings for SSO Restrictions.
5. Click Next. The Domain Attributes page appears.
6. Click Add Domain Attribute.
7. From the Attribute Name drop-down list, select Domain.
8. From the Attribute Restriction drop-down list, select Hidden.
9. From the Referenced By drop-down list, select Static.
10. In the Attribute Value text box, type your domain attribute.
11. Click Next. The Add SSO Domain page appears. The new attribute appears in the Registered Domain Attributes list.
12. Click Next. The Apply SSO Domains to Resources page appears.
13. Click Apply SSO Domains To Resources. The Select SSO Type page appears.
14. From the SSO Type drop-down list, select Adaptive.
15. From the Available Resources list, select the Outlook Web App 2010 resource and click Add >. The resource you selected appears in the Selected Resources list.

16. Click Add. The Apply SSO Domains to Resources page appears with the Outlook Web App 2010 resource.
17. Click Next. The Add SSO Domain Summary page appears.
18. Review your settings and click Finish Wizard. The Manage SSO Domains page appears with the new SSO domain in the Registered SSO Domains list.
19. Click Publish to update your configuration with this change.

Configure the Authentication Method

1. Select Manage System. The Authentication page appears.
2. From the Registered Authentication Methods list, select an authentication method for the SSO domain. The Edit Authentication Method page appears.
3. Select the Extended Properties tab.
4. Click Add Extended Property.
5. From the Key drop-down list, select Save credentials for SSO domains.
6. In the Value text box, type the name of the SSO domain you created. For this example, type WATCHGUARDSSL.
7. Click Save.
8. Click Publish to update your configuration with this change.

Configure SSO for File Share Resources

When your users log in to the Application Portal, they must first choose an authentication method and then authenticate with their user credentials. After they have logged in to the Application Portal, they select an available resource, and then they supply their user credentials again. Single Sign-On (SSO) is a feature you can enable for an Application Portal resource that allows your users to supply their credentials only one time. When SSO is enabled for a resource, such as a Windows File Share resource, your users have instant access to that resource in the Application Portal.

Add a Windows File Share resource

You can add a Windows File Share resource to your network and enable access to it with any enabled authentication method.

1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list.
4. Select Microsoft Windows File Share. Microsoft Windows File Share is highlighted.
5. Click Next. The Add Resource Microsoft Windows File Share page appears.

6. In the Display Name text box, type a name for this resource. For this example, type File Share.
7. (Optional) In the Description text box, type a description to help you identify this resource.
8. In the Host text box, type the valid DNS name or IP address of the server where the share is located.
9. (Optional) From the Drive letter drop-down list, select a drive to map to this share. For example, S.
10. Make sure the Make resource available in Application Portal check box is selected.
11. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
12. In the Link Text text box, type the text to appear with this icon in the Application Portal.
13. Click Next. The Manage Access Rules page appears.
14. Select the default access rule Any Authentication.
15. Click Next. The Summary page appears.
16. Review the settings for the resource and click Finish Wizard. The Resources page appears with a message that the resource was added successfully.
17. Click Publish to update your configuration with this change. The file share resource is now available in the Application Portal.

Add an SSO domain and enable SSO for the resource

The first step you complete to enable SSO for a resource is to add your SSO domain information to your configuration.

1. Select Resource Access > SSO Domains. The Manage SSO Domains page appears.
2. Click Add SSO Domain. The Add SSO Domain page appears.
3. In the Display Name text box, type a display name for this SSO domain. For this example, type AD.
4. (Optional) Configure the settings for SSO Restrictions.
5. Click Next. The Domain Attributes page appears.
6. Click Add Domain Attribute. The Add Domain Attribute page appears.
7. From the Attribute Name drop-down list, select an attribute: User name, Password, or Domain.
8. If you select the Domain attribute, in the Attribute Value text box, type the domain of the share. Make sure the domain name you select matches the actual domain name for your network. For this example, type AD.
9. Click Next. The Add SSO Domain page appears. The new attribute appears in the Registered Domain Attributes list.

10. Click Next. The Apply SSO Domains To Resources page appears.
11. Click Apply SSO Domain To Resources. The Select SSO Type page appears.
12. From the SSO Type drop-down list, select File Share.
13. From the Available Resources list, select the File Share resources to use this SSO domain and click Add >. The File Share resources appear in the Selected Resources list.
14. Click Add. The Apply SSO Domain To Resources page appears with the resources you selected.
15. Click Next. The Add SSO Domain Summary page appears.
16. Click Finish Wizard. The SSO Domain appears in the Registered SSO Domains list.

Configure the authentication method for the SSO domain

After you add your SSO domain information to your configuration, you select an authentication method to use with your SSO domain.

1. Select Manage System. The Authentication page appears.
2. In the Registered Authentication Methods list, select an Active Directory or LDAP authentication method. The Edit Authentication Method page appears.
3. Select the Extended Properties tab.
4. Click Add Extended Property. The Add Extended Property page appears.

5. In the Key drop-down list, select Save credentials for SSO domains.
6. In the Value text box, type the domain name you created. For this example, type AD.
7. Click Add. The extended property appears in the Registered Extended Properties list.
8. Click Save.
9. Click Publish to update your configuration with this change.

Configure SSO for Remote Control Resources

When your users log in to the Application Portal, they must first choose an authentication method and then authenticate with their user credentials. After they have logged in to the Application Portal, they select an available resource, and then they supply their user credentials again. Single Sign-On (SSO) is a feature you can enable for an Application Portal resource that allows your users to supply their credentials only one time. When SSO is enabled for a resource, such as a Remote Control (Terminal Server) resource, your users have instant access to that resource in the Application Portal.

Add a Terminal Server resource

Before you begin, make sure that Microsoft Terminal Services is active on the computer that you want your users to connect to. If you use Windows Vista, consult the Windows Help system for instructions to enable Terminal Services. For Windows XP or Windows Server 2003:

1. Select Control Panel > Administrative Tools > Services.
2. Verify that the status for Terminal Services is Started.

You can add a Microsoft Terminal Server 2003 or 2008 resource to your network and enable access to it with any of the available authentication methods.

1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list.
4. Select Microsoft Terminal Server 2003 or Microsoft Terminal Server 2008. The Microsoft Terminal Server resource you selected is highlighted.
5. Click Next. The Add Resource Microsoft Terminal Server page appears.

6. In the Display Name text box, type a name for this resource. For this example, type Terminal Server.
7. (Optional) In the Description text box, type a description to help you identify this resource.
8. Make sure the Enable resource check box is selected.
9. In the IP Address text box, type the IP address of the terminal server computer.
10. In the TCP Port text box, type the port to use to connect to the terminal server. The default setting is
11. From the Tunnel Type drop-down list, select the client operating systems that can use this resource: Windows Platform or All Platforms.
12. Make sure the Make resource available in Application Portal check box is selected.
13. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
14. In the Link Text text box, type the text to appear with this icon in the Application Portal.
15. Click Next. The Manage Access Rules page appears.
16. Make sure the default access rule Any Authentication appears in the Selected Access Rules list.
17. Click Next. The Summary page appears.
18. Review the settings for this resource and click Finish Wizard.

19. Click Publish to update your configuration with this change. The resource appears in the Application Portal.

Add an SSO domain

To enable SSO for a resource you must add your SSO domain information to your configuration.

1. Select Resource Access > SSO Domains. The Manage SSO Domains page appears.
2. Click Add SSO Domain. The Add SSO Domain page appears.
3. In the Display Name text box, type a display name for this SSO domain. For this example, type AD.
4. (Optional) Configure the settings for SSO Restrictions.
5. Click Next. The Domain Attributes page appears.
6. Click Add Domain Attribute. The Add Domain Attribute page appears.
7. From the Attribute Name drop-down list, select an attribute: User name, Password, or Domain.
8. If you select the Domain attribute, in the Attribute Value text box, type the domain of the terminal server. Make sure the domain name you select matches the actual domain name for your network. For this example, type AD.
9. Click Next. The Add SSO Domain page appears. The new attribute appears in the Registered Domain Attributes list.

10. Click Next. The Apply SSO Domains To Resources page appears.
11. Click Apply SSO Domain To Resources. The Select SSO Type page appears.
12. From the SSO Type drop-down list, select RDP.
13. From the Available Resources list, select the Terminal Server resource to use this SSO domain and click Add >. The Terminal Server resource appears in the Selected Resources list.
14. Click Add. The Apply SSO Domain To Resources page appears with the resource you selected.
15. Click Next. The Add SSO Domain Summary page appears.
16. Review your settings for the SSO domain and click Finish Wizard. The SSO Domain appears in the Registered SSO Domains list. SSO is now enabled for the Terminal Services resource.

Configure the authentication method for the SSO domain

After you add your SSO domain information to your configuration, you select an authentication method to use with your SSO domain.

1. Select Manage System. The Authentication page appears.
2. In the Registered Authentication Methods list, select an Active Directory or LDAP authentication method. The Edit Authentication Method page appears.
3. Select the Extended Properties tab.

4. Click Add Extended Property. The Add Extended Property page appears.
5. In the Key drop-down list, select Save credentials for SSO domains.
6. In the Value text box, type the SSO domain name you created. For this example, type AD.
7. Click Add. The extended property appears in the Registered Extended Properties list.
8. Click Save.
9. Click Publish to update your configuration with this change.

Configure SSO for a Citrix MetaFrame Presentation Server Resource

You can configure your WatchGuard SSL device to use Single Sign-On (SSO) with a Citrix MetaFrame Presentation Server. To enable SSO to work with your Citrix MetaFrame Presentation Server, you add a web resource for the Citrix MetaFrame Presentation Server, add an SSO domain and a resource path, and edit the web resource and the tunnel resource.

Make sure that the Citrix Presentation Server does not use the nfuse15.wascr and nfuse16.wascr scripts. These scripts change the real IP address of the NFuse server that is sent to the client in the ICA file to and :1494.

Because the resource for the Citrix Presentation Server uses dynamic tunnels, you must be logged in to the client computer with an account that has administrative rights the first time you use the resource.

Add the Citrix MetaFrame Presentation Server resource

To add a resource for the Citrix MetaFrame Presentation Server:

1. Select Resource Access. The Resources page appears.

2. Click Add Resource. The Add Resources page appears.
3. Expand Web Resources and select Citrix MetaFrame Presentation Server.
4. Click Next. The Add Resource Citrix MetaFrame Presentation Server page appears.

5. In the Display Name text box, type a name for this resource. For this example, type Citrix (Web).
6. (Optional) In the Description text box, type a description to help you identify the resource.
7. Make sure the Enable resource check box is selected.
8. In the Host text box, type the IP address of your Citrix Web Server.
9. In the HTTP Port text box, type the port to use to connect to your Citrix Web Server. We recommend you keep the default port setting.
10. In the Citrix MetaFrame Server text boxes, type the IP addresses of your Citrix MetaFrame Servers. You can specify up to three servers.

11. Make sure the Make resource available in Application Portal check box is selected.
12. Select the Icon that appears in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
13. In the Link Text text box, type the name to appear with the icon in the Application Portal.
14. Click Next. The Manage Access Rules page appears.
15. Select an access rule in the Available Access Rules list and click Add > to add it to the Selected Access Rules list.
16. Click Next. The Summary page appears.
17. Review the settings for the resource.
18. Click Finish Wizard. The Citrix resource appears in the Resources list.
19. Click Publish to update your configuration with this change.

Edit the Advanced Settings for the Citrix web resource

After you add the Citrix MetaFrame Presentation Server resource, you edit the web resource to configure the advanced settings.

1. Select Resource Access. The Resources page appears.
2. Select the Web Resources tab.
3. Select the Citrix (Web) web resource you created in the previous procedure. The Edit Web Resource Citrix (Web) page appears.
4. Select the Advanced Settings tab.
5. Make sure the Share cookies between client and resource check box is selected.
6. In the Cookies to Check text box, type the * wildcard character.
7. In the Action section, select Allow.
8. Click Save. The Resources page appears with a message that the resource was successfully saved.
9. Click Publish to update your configuration with the changes.

Add an SSO domain

After you edit the web resource, you configure the SSO domains for the resource.

1. Select Resource Access > SSO Domains. The Manage SSO Domains page appears.
2. Click Add SSO Domain. The Add SSO Domain page appears.
3. In the Display Name text box, type a name for this SSO domain. For this example, type Citrix_SSO_Domain.

4. From the Domain Type drop-down list, select Text or Cookie.
5. Configure the settings for SSO Restrictions. If you select Cache on session only, SSO credentials are kept in memory only during the user session. If you do not select this option, SSO credentials are stored in the user account.
6. Click Next. The Domain Attributes page appears.
7. Click Add Domain Attribute. The Add Domain Attribute page appears.

8. From the Attribute Name drop-down list, select User Name.
9. From the Attribute Restriction drop-down list, select Editable.
10. From the Referenced By drop-down list, select User Input.
11. Do not type an Attribute Value.
12. Click Next. The attribute appears in the Registered Domain Attribute list.
13. Click Add Domain Attribute, and configure the attribute with these settings:
    Attribute Name: Password
    Attribute Restriction: Editable
    Referenced By: User input
    Attribute Value: Keep blank
14. Click Next. The attribute appears in the Registered Domain Attribute list.
15. Click Add Domain Attribute, and configure the attribute with these settings:
    Attribute Name: Domain
    Attribute Restriction: Hidden
    Referenced By: Static
    Attribute Value: Type a value for the attribute that matches the domain attribute for your Citrix server. For this example, type Citrix_SSO_Domain.
16. Click Next. The attribute appears in the Registered Domain Attribute list.
17. Click Next. The Apply SSO Domain to Resources page appears.
18. Click Apply SSO Domains to Resources. The Select SSO Type page appears.
19. From the Available Resources list, select the Citrix (Web) resource you created.
20. Click Add >. The Citrix (Web) resource appears in the Selected Resources list.
21. Click Add. The Apply SSO Domains To Resources page appears with the resource you selected.
22. Click Next. The Add SSO Domains Summary page appears.
23. Review your settings and click Finish Wizard. The Manage SSO Domains page appears with the new domain in the Registered SSO Domains list.

Add a resource path

After the web resource is configured, you can add a resource path to the web resource.

1. Select Resource Access > Resources. The Resources page appears.
2. Select the Web Resources tab.
3. Select the Citrix (Web) resource. The Edit Web Resource Host Citrix (Web) page appears.
4. Select the Manage Paths tab.
5. Click Add Web Resource Path. The Add Web Resource Path General Settings page appears.
6. Make sure the Enable resource check box is selected.
7. In the Path text box, type Citrix/AccessPlatform/site/default.aspx.
8. Select the Make resource available in Application Portal check box.
9. Select an Icon to appear in the Application Portal for this resource. To select a custom icon, click Browse. To select a default icon, click Select icon in Icon Library.
10. In the Link Text text box, type the text to appear with this icon in the Application Portal.
11. Click Save. The Manage Paths page appears with the new path in the Paths list.
12. Click Save. The Resources page appears with the updated resource and path on the Web Resources tab.
13. Select the path you added. The Edit Web Resource Path page appears.

14. Select the Enable Single Sign-On check box.
15. In the Single Sign-On Type drop-down list, select Adaptive SSO.
16. From the SSO Domain drop-down list, select the SSO domain you added. For this example, select Citrix_SSO_Domain.
17. Click Save. The Resources page appears.
18. Click Publish to update your configuration with this change.

Edit the tunnel resource

To redirect your users to the correct location for the Citrix MetaFrame Presentation Server, you must edit the tunnel resource and set the Redirect URL for the Citrix web resource.

1. Select Resource Access. The Resources page appears.
2. Select the Tunnel Resources tab.
3. Select the Citrix (Web) tunnel resource. The Edit Tunnel Resource Citrix (Web) page appears.

4. Select the Startup tab.
5. In the Redirect URL text box, type /http/citrix(web)/citrix/accessplatform/site/default.aspx. The /Citrix(Web)/ section of the Redirect URL path is set based on the Display Name setting for the Citrix web resource. For example, if the Display Name of the Citrix web resource is CitrixSSO, the redirect URL path is /http/citrixsso/citrix/accessplatform/site/default.aspx.

6. Click Save.

After you have completed all the settings for access to the Citrix MetaFrame Presentation Server resource, your users can log in to the Application Portal and select this resource to launch the Citrix MetaFrame Web Server.


6 About Manage System

To review and manage the overall configuration of your WatchGuard SSL system, from the WatchGuard SSL Web UI top menu, select Manage System. The Manage System submenu items are:

Authentication
  Configure and manage the authentication methods and global authentication settings. For more information, see About Authentication Methods.
Certificates
  Manage Certificate Authorities (CAs), Server Certificates, and Client Certificates. For more information, see About Certificates.
Abolishment
  Configure the settings for Abolishment (file removal, and Internet Explorer history and cache deletion). For more information, see About Abolishment.
Assessment
  Configure settings for the client scans performed on clients that access a resource protected by an Assessment access rule. You can also configure other Assessment settings. For more information, see About Assessment.
Notification Settings
  Configure the settings for email and SMS notifications. For more information, see About Notification Settings.
Client Definitions
  Configure the clients that can access resources. For more information, see Manage Client Definitions.

Delegated Management
  Create and edit administrative roles with different configuration and monitoring responsibilities. For more information, see About Delegated Management.
Administration Service
  Configure all settings for the Administration Service, including the port, certificate, and other settings. You can also restart the Administration Service. For more information, see About the Administration Service.
Device Settings
  Configure settings for the Application Portal, performance, cipher suites, security, and session control. For more information, see Manage Device Settings.
Device Update
  Configure settings for the WatchGuard SSL device. From this page you can change time settings, upgrade the system software, reset the device to the factory default settings, and reboot the device. For more information, see Update the Device.
Network Configuration
  Configure the network type (single or dual interface mode), the network settings for the Eth0 interface, and the network routes. For more information, see Network Configuration.
Restore Configuration
  Restore the most recently published system configuration, or a configuration from an earlier date. For more information, see Restore a Saved Configuration.
Import/Export Configuration
  Import and export the configuration data to or from an archive file. For more information, see Import or Export the Configuration.

About Authentication Methods

You can configure one or more authentication methods to secure your network. You configure authentication methods in the Manage System section of WatchGuard SSL Web UI. To configure supported authentication methods:

1. Select Manage System > Authentication. The Authentication page appears.

2. From the Authentication menu, you can complete these tasks:
   Add an Authentication Method
   Manage an Authentication Method
   Manage Global Authentication Service Settings
   Manage RADIUS Configuration

Supported Authentication Methods

When you create an authentication method access rule, you add one or more authentication methods to the access rule. There are 16 supported authentication methods: five WatchGuard SSL authentication methods and eleven other authentication methods you can use to integrate with your existing authentication services.

WatchGuard authentication methods:
   WatchGuard SSL Mobile Text
   WatchGuard SSL Web
   WatchGuard SSL Challenge
   WatchGuard SSL Password
   WatchGuard SSL Synchronized
For more information, see About WatchGuard SSL Authentication Methods.

Additional authentication methods:
   General RADIUS
   SecurID
   LDAP
   Active Directory
   Novell eDirectory
   Windows Integrated Login
   NTLM
   Basic
   User Certificate

   Form-Based Authentication
   Confidence Online
For more information, see About Other Authentication Methods.

About WatchGuard SSL Authentication Methods

The WatchGuard SSL authentication methods are Web, Challenge, Synchronized, Mobile Text, and Password. All of these methods use a RADIUS server integrated on the SSL device.

WatchGuard SSL Web

You can use this method for authentication in a web browser. Users type their user IDs and a Java applet or ActiveX component is launched. The client prompts the user to enter a password or PIN. The password or PIN is then hashed and encrypted before it is returned to the server.

WatchGuard SSL Challenge

You can use this method for authentication in a web browser, WAP client, or with a PDA. Users type their user names, and are prompted (challenged) to provide private information (the response) before they are allowed access. The challenge-response technique is most often used with a hardware token that generates the response. In WatchGuard SSL Challenge, the Mobile ID software client or Mobile OTP iOS app generates the response. Users type their PINs in the Mobile ID or Mobile OTP App Challenge client and the application generates a one-time password (OTP). You can install the Mobile ID client on a mobile device such as a handheld PC or a cell phone, or on a laptop or desktop computer. The Mobile OTP iOS app is for Apple iOS devices.

WatchGuard SSL Synchronized

You can use this method for two-factor authentication in a web browser, WAP client, or with a PDA. Users type their user IDs and are prompted for a one-time password (OTP). In WatchGuard SSL Synchronized, an integrated software client (Mobile ID) or the Mobile OTP iOS app generates the OTP. Users type their PINs in the Mobile ID or Mobile OTP App client and the application software generates the one-time password (OTP) based on the PIN and on a seed that is synchronized with the WatchGuard SSL device. The seed is different for each user.
You can install the Mobile ID client on a mobile device, such as a handheld PC or a cell phone, or on your laptop or desktop computer. The Mobile OTP iOS app is for Apple iOS devices.

WatchGuard SSL Mobile Text

This method is based on a combination of an account password and a one-time password (OTP) distributed through an SMS channel. For this method, users type the account password on the web login page. The WatchGuard SSL device generates an OTP and sends it to the cell phone number or email address for that user account. All authentication and notification messages are sent through mobile text to the cell phone number or email address registered to that specific user account. The user must type the OTP to complete the authentication process. You can use the WatchGuard SSL Mobile Text authentication method on a mobile device such as a handheld PC or a cell phone, as well as on a desktop PC or Mac computer.
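The Synchronized method described above rests on three things the client and the device share: a per-user seed, the user's PIN, and a counter they keep in step. The following Python model was written for this guide to make that idea concrete; it is not WatchGuard's Mobile ID algorithm (which is not documented here) and assumes an HMAC-based scheme with a 30-second time step, a constructed sample seed and PIN, and a verifier that both tolerates small clock drift and refuses a counter value it has already accepted.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed time step; the real Mobile ID step size is not documented here
DIGITS = 6


def otp_for_counter(seed: bytes, pin: str, counter: int, digits: int = DIGITS) -> str:
    """Derive one OTP from the per-user seed, the user's PIN and the synchronized counter.

    The PIN is folded into the HMAC key, so a copied seed alone does not yield valid
    codes; truncation follows the RFC 4226 dynamic-truncation rule. This is an
    illustrative construction, not WatchGuard's Mobile ID algorithm.
    """
    key = hmac.new(seed, pin.encode("utf-8"), hashlib.sha256).digest()
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class MobileClient:
    """Stand-in for the Mobile ID / Mobile OTP app: holds this user's seed, asks for the PIN."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed

    def generate(self, pin: str, now: int) -> str:
        # The counter is derived from the clock, which is what keeps client and device in step.
        return otp_for_counter(self.seed, pin, now // STEP_SECONDS)


class SyncOtpServer:
    """Stand-in for the device-side verifier behind the Synchronized method.

    Keeps one seed and PIN per user (assumption), accepts codes from a small window
    of neighbouring counters to absorb clock drift, and never accepts a counter at
    or below the last one already used, so a captured OTP cannot be replayed.
    """

    def __init__(self, users: dict, window: int = 1) -> None:
        self.users = users          # user -> (seed, pin)
        self.window = window
        self.last_counter = {}      # user -> highest counter accepted so far

    def verify(self, user: str, otp: str, now: int) -> bool:
        entry = self.users.get(user)
        if entry is None:
            return False
        seed, pin = entry
        base = now // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter.get(user, -1):
                continue            # already consumed: treat as a replay attempt
            if hmac.compare_digest(otp_for_counter(seed, pin, counter), otp):
                self.last_counter[user] = counter
                return True
        return False


# Constructed sample data: one user with one seed (the device assigns a different seed per user).
SAMPLE_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_USERS = {"alice": (SAMPLE_SEED, "1234")}


if __name__ == "__main__":
    server = SyncOtpServer(SAMPLE_USERS)
    client = MobileClient(SAMPLE_SEED)
    t = 1_700_000_000
    code = client.generate("1234", t)
    print("first use accepted:", server.verify("alice", code, t))       # True
    print("replay accepted:   ", server.verify("alice", code, t + 5))   # False
```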

When you select Allow Two-step Authentication in the authentication method configuration, authentication is distributed over two sessions: the server sends the OTP to the mobile phone, and then the user logs on with the OTP.

WatchGuard SSL Password

The WatchGuard SSL Password authentication method is based on static password authentication. A static password is created and maintained to authenticate remote access with a RADIUS client.

Authentication Method Server

The Authentication Method Server checks the authentication credentials when a user authenticates. You configure the server when you add an Authentication Method. For the five WatchGuard SSL authentication methods, the Authentication Method Server is a RADIUS server on the SSL device itself. For the LDAP authentication method, the External Directory Service is used as the Authentication Method Server.

Download Mobile ID and Mobile OTP iOS clients

The WatchGuard SSL authentication methods Challenge and Synchronized use the Mobile ID client or Mobile OTP iOS app to generate the OTP response. The Mobile ID client is available on the WatchGuard web site software downloads page as a separate file. You can download this file and distribute the Mobile ID clients to your users to install on their mobile devices. The Mobile OTP iOS app is for Apple iOS devices and can be downloaded from the Apple App Store for your device.

About Other Authentication Methods

In addition to the five WatchGuard SSL authentication methods, WatchGuard SSL supports these eleven authentication methods:

General RADIUS
  This authentication method can be used with any RADIUS-compliant authentication server.
SECUREMATRIX
  This is a unique, web-based authentication method that uses identity verification and pattern recognition to generate a one-time password (OTP) each time a user logs in. You can add only one SECUREMATRIX authentication method to your configuration.
SecurID
  This method supports RSA SecurID tokens that generate a one-time password (OTP).
LDAP
  This method performs an LDAP bind.

Active Directory
  This method is an LDAP bind authentication method with the ability to enable users to change their passwords. This functionality is only supported with Microsoft Active Directory (AD) servers. The External Directory Service (your AD server) must be configured for SSL communication, because this functionality is only allowed over SSL.
Novell eDirectory
  This method is an LDAP bind authentication method with the ability to enable users to change their passwords.
Windows Integrated Login
  This method enables the Windows domain credentials to be used automatically for authentication. When the Application Portal is protected by Windows integrated login authentication, Windows users do not have to type their credentials to log on to the Application Portal. Instead, the SSL device gets the user credentials from the client.
NTLM
  The NTLM authentication method uses the NTLM authentication protocol used in various Microsoft network protocol implementations.
Basic
  This method performs a basic authentication according to RFC 2617, HTTP Authentication: Basic and Digest Access Authentication.
User Certificate
  This method uses attribute mapping. The user is authenticated only if there is an exact match between the configured User Attribute and the Certificate Attribute.
Form-Based Authentication
  This authentication method uses HTML forms that you can edit. You can also add new HTML forms. The credentials submitted to the device are posted in the form for authentication. When the credentials are accepted, the user is authenticated and allowed access to the network.
Confidence Online
  This method uses the Confidence Online client for authentication.

Add an Authentication Method

You can add, edit, and delete authentication methods. By default, the five WatchGuard SSL authentication methods are enabled. You can add other supported authentication methods to the Registered Authentication Methods list. To add an authentication method:

1. Select Manage System > Authentication. The Registered Authentication Methods page appears.

2. Select Add Authentication Method. The Add Authentication Method page appears.
3. Select an authentication method. For more information about the available authentication methods, see About WatchGuard SSL Authentication Methods on page 298 and About Other Authentication Methods on page 299.

4. Click Next.
5. Configure the settings for the selected authentication method. Some of these settings do not apply to all authentication methods.
    Enable Authentication Method
        Select this check box to enable the new authentication method. To add an authentication method but not enable it in the Application Portal, clear this check box.
    Display Name
        The Display Name is the name that appears in the Application Portal for this authentication method.
    Template Name
        The Template Name is the name of the template that defines the appearance of the logon page when users log on with this authentication method. The name of the default template is automatically filled in.
    Template Specification
        For most authentication methods, you can select Manage Default Template Specification to customize the appearance of the Application Portal authentication page. When you add an authentication method, these settings are configured automatically.
    Authentication Method Server
        This is the server that provides authentication for this authentication method. For the five WatchGuard SSL authentication methods, the Authentication Method Server is the RADIUS server on the SSL device. For most authentication methods, you must specify an authentication server to use for the authentication method.
    RADIUS replies
        The authentication methods that use RADIUS include some pre-defined RADIUS replies. You can edit these replies or you can add new ones. Each RADIUS reply consists of a Name, a RADIUS Reply Matching String, and a RADIUS Template Specification. The template specification controls how the reply appears to the user.
    Extended Properties
        You can define extended properties for some authentication methods to customize what happens when a user authenticates. You can edit the existing extended properties or you can add new ones. Each extended property includes a Key and a Value.
6. Click Finish Wizard to save the new authentication method.
Manage an Authentication Method

You can edit or delete the registered authentication methods.

To edit an authentication method:
1. Select Manage System > Authentication. The Authentication page appears.

2. In the Registered Authentication Methods list, click the authentication method to edit. The Edit Authentication Method page appears.
3. Select a tab to edit the authentication method configuration settings. For more information about the settings on each tab, see:
    Edit General Settings
    Manage RADIUS Replies
    Manage Extended Properties
4. Click Save.

To delete an authentication method:

1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Methods list, click the authentication method to delete. The Edit Authentication Method page appears.
3. Click Delete.
4. Click Yes. The authentication method is removed from the Registered Authentication Methods list.

Edit General Settings

To edit the general settings for an authentication method:
1. On the Authentication page, click an authentication method to edit it. The Edit Authentication Method page appears.
2. Select the General Settings tab.
3. To disable the authentication method, clear the Enable Authentication Method check box.
4. Update the settings. Some of these settings do not apply to all authentication methods.
    Display Name
        The name that appears in the Application Portal for this authentication method.
    Template Name
        The name of the template that defines the appearance of the logon page when users log on with this authentication method.
    Template Specification
        For most authentication methods, you can click Manage Default Template Specification to customize the appearance of the login page.
    Authentication Method Server
        For most authentication methods, you must specify an authentication method server to use for the authentication method.
5. Click Save.

Manage RADIUS Replies

The authentication methods that use RADIUS include some pre-defined RADIUS replies. You can add, edit, or delete RADIUS replies. Each RADIUS reply consists of a Name, a RADIUS Reply Matching String, and a Template Specification.

Add a RADIUS reply
1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Method list, click the method to edit. If the authentication method uses RADIUS replies, there is a RADIUS Replies tab.
3. Select the RADIUS Replies tab. The list of configured RADIUS replies appears.

4. Click Add RADIUS Reply. The Add RADIUS Reply page appears.

5. In the Display Name text box, type the name of the RADIUS reply.
6. In the RADIUS Reply Matching String text box, type the message to show the user for this RADIUS reply.
7. In the RADIUS Template Specification text box, type or paste the template for this RADIUS reply.
8. Click Add. The reply appears in the Registered RADIUS Replies list.
9. Click Save.

Edit a RADIUS reply
1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Method list, click the method to edit. If the authentication method uses RADIUS replies, there is a RADIUS Replies tab.
3. Select the RADIUS Replies tab. The list of configured RADIUS replies appears.
4. In the Registered RADIUS Reply list, click the reply you want to edit. The Edit RADIUS Reply page appears.

5. Edit the reply information.
6. Click Update. The updated reply appears in the Registered RADIUS Replies list.
7. Click Save.

Delete a RADIUS reply
1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Method list, click the method to delete. If the authentication method uses RADIUS replies, there is a RADIUS Replies tab.
3. Select the RADIUS Replies tab. The list of configured RADIUS replies appears.
4. In the Registered RADIUS Reply list, click the reply you want to delete. The Edit RADIUS Reply page appears.
5. Click Delete. A confirmation message appears.
6. Click Yes.

The selected reply is removed from the Registered RADIUS Replies list.
7. Click Save.

Manage Extended Properties

You can add, edit, or delete Extended Properties for some authentication methods. Extended Properties define what happens when a user authenticates with each method. When you add authentication methods, you can use Extended Properties to specify particular settings for the authentication method you selected. Some examples of Extended Properties include: Save credentials for SSO domain, Allow unknown user ID, and Lock user ID for session. Each Extended Property consists of a Key and a Value. When you edit an extended property, you can only change the Value. To change the Key, you must delete the Extended Property and add a new one with the correct Key/Value pair.

Add an Extended Property
1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Methods list, click the authentication method to edit. The Edit Authentication Method page appears.
3. Select the Extended Properties tab.
4. Click Add Extended Property. The Add Extended Property page appears.
5. From the Key drop-down list, select an option for this Extended Property. Some of these settings do not apply to all authentication methods.
    User attribute
    WatchGuard account required prior authentication
    User name may not change during session
    Lock user ID to session
    Allow user not listed in any External Directory Service
    Force create user
    Save credentials for SSO domain
    Create user on failed logon
    Reveal RADIUS reject reason
    RADIUS character encoding
    ActiveSync Device ID Locking
6. If you select User Attribute, in the Value text box, type the attribute information. If you select any other Key option, from the Value drop-down list, select true or false.
7. Click Add. The Extended Property appears in the Registered Extended Properties list.
8. Click Save.

Edit an Extended Property
1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Methods list, click the authentication method to edit. The Edit Authentication Method page appears.
3. Select the Extended Properties tab. The list of registered Extended Properties appears.
4. In the Registered Extended Properties list, click the extended property to edit. The Edit Extended Property page appears.

5. Update the Value.
6. Click Update.
7. Click Save.

Delete an Extended Property
1. Select Manage System > Authentication. The Authentication page appears.
2. In the Registered Authentication Methods list, click the authentication method to edit. The Edit Authentication Method page appears.
3. Click the Extended Properties tab.
4. In the Registered Extended Properties list, click the Extended Property to delete. The Edit Extended Property page appears.
5. Click Delete.
6. Click Yes.
7. Click Save.

Manage Global Authentication Service Settings

You can manage the authentication settings that apply to all authentication methods.
1. Select Manage System > Authentication. The Registered Authentication Methods page appears.
2. Click Manage Global Authentication Settings. The Global Authentication Service Settings page appears.

3. Select a tab to configure the settings:
    Manage Global RADIUS Authentication Settings
    Manage Password and PIN Settings
    Manage Messages Settings
    Manage SMS/Screen Message Settings
4. Click Save.

Manage Global RADIUS Authentication Settings

You can configure the settings for RADIUS authentication.
1. Select Manage System > Authentication. The Registered Authentication Methods page appears.
2. Click Manage Global Authentication Settings. The Global Authentication Service Settings page appears.
3. Click the RADIUS Authentication tab and configure the settings. The RADIUS Authentication page appears.

For more information about the settings, see the subsequent section.
4. Click Save.

RADIUS Authentication settings

Drop unknown sessions
    When selected, access requests by unknown RADIUS sessions are dropped without notification. If this option is not selected, the server sends the reply Access Denied.
Drop unknown users
    When selected, access requests by unknown users are dropped without notification. If this option is not selected, the request is accepted, but the authentication fails. The server sends an access reject message. This setting can be useful for chained authentication.
Proxy unknown users
    When selected, unknown users are authenticated with another RADIUS server. The server tries to proxy the request to the configured RADIUS back-end server. If the request is not serviced, the server responds with the action set for Drop unknown users. Proxy unknown users takes precedence over Drop unknown users if both are selected.
Reveal reject reason
    When selected, the reason why a request is rejected is sent to the RADIUS client.
Session Timeout
    This setting defines the number of seconds before the RADIUS session times out. If a RADIUS session is not used before this amount of time passes, the session ends and this value is reset. The default value is 180 seconds.

RADIUS Encoding
    When the system receives a RADIUS packet, it converts the data to strings that match the UTF-8 standard. Some RADIUS clients do not support the UTF-8 standard. For these RADIUS clients, you can specify another encoding. The default value is UTF-8.

Manage Password and PIN Settings

You can configure the global password and PIN settings for WatchGuard authentication methods.
1. Select Manage System > Authentication. The Registered Authentication Methods page appears.
2. Click Manage Global Authentication Settings. The Global Authentication Service Settings page appears.
3. Select the Password/PIN Settings tab and configure the settings. For more information about these settings, see the subsequent sections.
4. Click Save.

Password/PIN Settings

For each setting, the default values appear in parentheses.

WatchGuard SSL Mobile Text
    The minimum (6) and maximum (16) number of characters.
    The minimum number of letters (2) and numbers (2).
    The password expiration period in days (90). When set to zero, the password does not expire.
    The password history size (5). When users change their passwords, they cannot use any of the passwords saved in the password history.
    The OTP (one-time password) length in number of characters (6).

    The alphabet base for OTP. The default value excludes characters and numbers that can easily be confused, such as 0/o/O and 1/i/I/l/L. The default alphabet base is: abcdefghjkmnpqrstuvxyzABCDEFGHJKMNPQRSTUVXYZ
    The notification message the user sees for the OTP.
    Allow two-step authentication. When selected, authentication is split into two sessions: one to make the server send the OTP to the mobile phone, and one to log in with the OTP.

WatchGuard SSL Web
    The minimum (6) and maximum (16) number of characters.
    The minimum number of letters (2) and numbers (2).
    The password expiration period in days (90). When set to zero, the password does not expire.
    The password history size (5). When users change their passwords, they cannot use any of the passwords saved in the password history.
    Keyboard appearance: Fixed, Shift, or Random (Random).
    Allow use of desktop keyboard for numbers (off).

WatchGuard SSL Challenge
    The PIN expiration period in days (90). When set to zero, the PIN does not expire.
    The PIN history size in number of PINs (5). When users change their PINs, they cannot reuse any of the PINs saved in the PIN history.
    Support value signing (off).
    Direct PIN change (off).

WatchGuard SSL Password
    The minimum (6) and maximum (16) number of characters.
    The minimum number of letters (2) and numbers (2).
    The password expiration period in days (90). When set to 0, the password does not expire.
    The password history size (5). When users change their passwords, they cannot use any of the passwords saved in the password history.
    The OTP (one-time password) length in number of characters (6).

WatchGuard SSL Synchronized
    The PIN expiration period in days (90). When set to 0, the PIN does not expire.
    The PIN history size in number of PINs (5). When users change their PINs, they cannot reuse any of the PINs saved in the PIN history.
    Offset before prompt: the number of login attempts allowed before the user is prompted for a new OTP (3).
    Offset before access denied: the number of login attempts allowed before the user is denied access (10).
    Direct PIN change.

Manage Messages Settings

You can configure the settings for the notification messages that are sent to users when they get new passwords, PINs, or seeds.
1. Select Manage System > Authentication. The Registered Authentication Methods page appears.

2. Click Manage Global Authentication Settings. The Global Authentication Service Settings page appears.
3. Select the Messages tab and configure the settings. For more information about the settings, see the subsequent sections.
4. Click Save.

Settings

Addresses
    Type the email addresses of any additional recipients you want to receive notifications about new or changed passwords, PINs, or seeds.
Messages
    Modify the message used to notify users about changes to their authentication credentials. You can change the text used in the message to notify users about each type of password, PIN, or seed change.
WatchGuard Authentication Method Messages
    For each WatchGuard authentication method, you can set the messages that users see when they get a new password, PIN, or seed in an email message.

Manage SMS/Screen Message Settings

You can configure the SMS/Screen messages that users get for new or changed passwords, PINs, or seeds. General settings include the header and footer of the SMS/Screen message. You can also specify different password, PIN, or seed messages for each authentication method.

1. Select Manage System > Authentication. The Registered Authentication Methods page appears.
2. Click Manage Global Authentication Settings. The Manage Global Authentication Service Settings page appears.
3. Select the SMS/Screen Messages tab.
4. In the SMS/Screen Messages Header and Footer text boxes, type the information that appears in the header and footer of the messages your users receive.
5. For each authentication method, type the Password or PIN messages your users receive.
6. Click Save.

Manage RADIUS Configuration

You configure RADIUS settings for each available authentication method to accept, reject, or challenge the request. You can also select to send authentication requests to an authentication server that uses third-party authentication methods such as RSA SecurID. To do this, you must add a RADIUS back-end server as an authentication server. You can use one or several RADIUS back-end servers simultaneously.

To add the RADIUS configuration methods:
1. Select Manage System > Authentication. The Authentication page appears.
2. Click RADIUS Configuration. The Manage RADIUS Configuration page appears.

3. Configure the RADIUS client settings:
    Add a RADIUS Client
    Edit or Delete a RADIUS Client
    Add a RADIUS Back-End Server
    Edit or Delete a RADIUS Back-End Server

Add a RADIUS Client

On the Manage RADIUS Configuration page, you can add a RADIUS client.
1. Click Add RADIUS Client. The Add RADIUS Client page appears.

2. In the IP Address text box, type the IP address for this RADIUS client.
3. In the Shared Secret and Verify Shared Secret text boxes, type and confirm the shared secret for this RADIUS client.
4. If your RADIUS client requires attributes, configure them in the Attributes section. You can configure three types of attributes:
    Accept Attributes
    Challenge Attributes
    Reject Attributes
5. Click Save.

Edit or Delete a RADIUS Client

On the Manage RADIUS Configuration page, you can edit or delete a RADIUS client.

To edit a RADIUS client:
1. In the Registered RADIUS Clients list, click the IP address of a client. The Edit RADIUS Client page appears.

2. Configure the settings for the client.
3. Click Save.

To delete a RADIUS client:
1. In the Registered RADIUS Clients list, click the IP address of a client. The Edit RADIUS Client page appears.
2. Click Delete.
3. Click Yes. The client you selected is deleted and removed from the Registered RADIUS Clients list.

Add a RADIUS Back-End Server

On the Manage RADIUS Configuration page, you can add a RADIUS server.
1. Click Add RADIUS Back-End Server. The Add RADIUS Back-End Server page appears.

2. In the Display Name text box, type the name of this server.
3. In the Host text box, type the IP address of the RADIUS back-end server.
4. If necessary, change the default values in the Port and Timeout text boxes.
5. In the Shared Secret and Verify Shared Secret text boxes, type and confirm the shared secret for this RADIUS server.
6. Click Save. The server you added appears in the Registered RADIUS Back-End Servers list.

Edit or Delete a RADIUS Back-End Server

On the Manage RADIUS Configuration page, you can edit or delete a RADIUS back-end server.

To edit a RADIUS back-end server:
1. In the Registered RADIUS Back-End Server list, click a server. The Edit RADIUS Back-End Server page appears.
2. Configure the settings for the back-end server.
3. Click Save.

To delete a RADIUS back-end server:
1. In the Registered RADIUS Back-End Servers list, click the IP address of a back-end server. The Edit RADIUS Back-End Servers page appears.
2. Click Delete.
3. Click Yes. The server you selected is deleted and removed from the Registered RADIUS Back-End Servers list.

Two-factor Authentication with Mobile ID and Mobile OTP iOS App

For stronger authentication, you can use two-factor authentication. For two-factor authentication, you configure a resource in the Application Portal to require users to complete the steps for two different authentication methods before they can get access to the resource. Two-factor authentication is stronger because it uses:
    Something the user knows: a Personal Identification Number (PIN)
    Something the user has: a software token installed on a PC or mobile device

WatchGuard provides two different applications that can be used for configuring two-factor authentication on Windows operating systems and iOS-based mobile devices.

WatchGuard Mobile ID

Mobile ID is a software application installed on a client device that acts as a software token and generates one-time passwords (OTP). This token works like any hardware security token, but runs on hardware that the user already has, such as a PC, a mobile phone, or a PDA. You can install the WatchGuard Mobile ID client on a Windows computer, personalize it (with a seed), and configure it for the WatchGuard SSL Synchronized authentication method.

Note: To use Mobile ID, make sure that your mail server has an SMTP packet filter that accepts EHLO or HELO commands that do not include an argument.

WatchGuard Mobile OTP iOS App

For Apple iOS devices, WatchGuard provides a mobile application called the WatchGuard Mobile OTP app. This application is available from the Apple App Store. The Mobile OTP app acts as a software token and generates one-time passwords (OTP) for authentication to a WatchGuard SSL device.
You can install the WatchGuard Mobile OTP app on an Apple iOS device, personalize it (with a seed), and configure it for the WatchGuard SSL Synchronized authentication method.

Download and install Mobile ID or Mobile OTP iOS App

Use these instructions to download the Mobile ID client or the Mobile OTP iOS app.

Mobile ID Client

To obtain and install the Mobile ID software:
1. Open a web browser and go to the WatchGuard Software Downloads page.
2. Download the Mobile ID client software for your platform (Windows, Java, or Linux).

3. After you get the Mobile ID software from the WatchGuard Downloads page, you can put it somewhere on your network where your users can safely get access to it. You can then install Mobile ID on your users' client computers. Mobile ID installs for only the user who is currently logged in to the computer. Before you install the software, make sure you are logged in as the correct user.
4. On the client computer, go to the IP address or URL where the Mobile ID software is available. The Mobile ID Client download page appears.
5. Click Download for the Windows Mobile ID client.
6. Follow the instructions to install the client.

Mobile OTP iOS App

To obtain and install the Mobile OTP iOS app:
1. Connect to the Apple App Store with your iOS device.
2. Download and install the WatchGuard Mobile OTP app.

Note: You must be running iOS 5.x or greater on your iOS device.

Add or enable the WatchGuard SSL Synchronized authentication method

For Mobile ID and the Mobile OTP app to work correctly, you must make sure the WatchGuard SSL Synchronized authentication method is enabled on your SSL device.

To add the WatchGuard SSL Synchronized authentication method:
1. Select Manage System. The Registered Authentication Methods page appears.
2. Click Add Authentication Method. The Add Authentication Method page appears, with a list of all the available authentication methods.
3. Select WatchGuard SSL Synchronized.
4. Click Next.
5. Make sure the Enable authentication method check box is selected.
6. In the Display Name text box, type a descriptive name for this authentication method. This is the name that appears in the Registered Authentication Methods list.
7. Click Add Authentication Method Server. The Add Authentication Method Server page appears.
8. Make sure the Enable authentication method on the Authentication Service check box is selected.
9. From the Display Name drop-down list, select an authentication service.
10. Verify that the other settings are correct.
11. Click Next on the next three pages of the wizard.
12. Click Finish Wizard. The new authentication method appears in the Registered Authentication Methods list.

To enable the WatchGuard SSL Synchronized authentication method:
1. Select Manage System. The Registered Authentication Methods page appears.

2. In the Registered Authentication Methods list, click WatchGuard SSL Synchronized (or the descriptive name for your WatchGuard SSL Synchronized authentication method). The Edit Authentication Method page appears.
3. Select the Enable authentication method check box.
4. Make sure all the settings for the authentication method are correct.
5. Click Save. The Registered Authentication Methods page appears. The Status of the WatchGuard SSL Synchronized method is Enabled.

Create the seed and PIN for the User
1. Select User Management. The Manage All User Accounts page appears.
2. In the Search by User ID text box, type a User ID. You can type a partial user name with the '*' wildcard character to broaden your search results. To see a list of all users, type only the '*' wildcard character.
3. From the Search by User ID drop-down list, select the parameters for the search.
4. Click Search. A list of users appears in the search results section.
5. In the Search Result list, click a User ID. The Edit User Account page appears.
6. Select the WatchGuard Authentication tab.

7. Select the Enable WatchGuard SSL Synchronized for the user account check box. Additional settings for the WatchGuard SSL Synchronized authentication method appear.

8. In the PIN and Verify PIN Code text boxes, type a 6-digit PIN Code for this user.
9. Select the Generate seed check box.
10. Click Save. The Manage User Accounts page appears. The PIN and Synchronized seed for the user appear at the top of the page.

11. Make a copy of the PIN and Synchronized seed and save them in a safe location to give to the user. The user must type both codes in the Mobile ID client or the Mobile OTP app to generate the OTP.

Add the seed and PIN in the Mobile ID client or Mobile OTP iOS App

In the next step, you must add the seed and PIN in the client.

Mobile ID Client

To add the seed and PIN in the Mobile ID client, the user launches Mobile ID on the client computer.
1. Select Start > All Programs > WatchGuard SSL > Mobile ID > WatchGuard Mobile ID. The Mobile ID client appears. The user must type the seed code the first time the client appears.
2. Type the seed code. Or, copy the seed code and select Seed > Paste to paste the seed code.

3. Click CONTINUE.
4. When prompted to select a client mode, select Synchronized. A numeric keypad appears.
5. Click the numbers on the keypad to type the 6-digit PIN. The location of the numbers on the keypad is different each time the keypad appears. A one-time password (OTP) appears.
6. Use the one-time password to authenticate to the Application Portal with the WatchGuard SSL Synchronized authentication method.

Mobile OTP iOS App

To add the seed and PIN in the Mobile OTP iOS app:
1. Launch the Mobile OTP app.
2. Select the Reset Seed tab.

3. Select the Synchronized Client Mode.
4. Tap the Enter Seed Value text box. A keypad appears.
5. Type the seed value.
6. Tap OK. The Enter Pin Code page appears.
7. Tap the Enter Pin Code field. A keypad appears.

8. Type the PIN code.
9. Tap Enter. The generated OTP is displayed.
10. Tap Copy OTP to copy it to your device clipboard.
11. Tap Close to exit the page.

Authenticate with the one-time password
1. Connect to the Application Portal.
2. Select the WatchGuard SSL Synchronized authentication method. The WatchGuard SSL Synchronized authentication page appears.
3. Type the User Name and the OTP from the Mobile ID client or Mobile OTP iOS app.
4. Click Submit. The WatchGuard SSL Application Portal appears.

Configure Active Directory Authentication with LDAP over SSL

You can use both WatchGuard authentication methods and third-party authentication methods with your WatchGuard SSL device. One available third-party method is Active Directory. The Active Directory authentication method is an LDAP bind authentication method that allows users to change their domain passwords through the WatchGuard SSL Application Portal and enforces strong password restrictions. This functionality is only supported with Microsoft Active Directory (AD) servers. To use this method, you must configure the authentication method for LDAP over SSL communication, because this functionality is only allowed over SSL.
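The two requirements this section sets for the Active Directory method (the bind and the password change must run over LDAP over SSL, and the SSL device must hold the CA certificate of the AD server so that the server certificate can be validated) are shown below as client-side guard rails. This is an added example, not WatchGuard code: it uses the guide's example names 2003ADsrv and ADexample.com, it never opens a network connection, and the unicodePwd encoding it builds (the quoted password as UTF-16LE, sent as delete-old plus add-new in one modify request) is Active Directory's own documented rule rather than anything the guide describes.

```python
"""Guard rails for an Active Directory password change over LDAP over SSL.

Added example modelled on the guide's requirements; standard library only.
Hypothetical names: LdapTarget, parse_ldap_url, build_ldaps_context,
encode_unicode_pwd, transport_is_acceptable, plan_password_change.
"""
from __future__ import annotations

import ssl
from dataclasses import dataclass
from urllib.parse import urlsplit

# Example AD server from the guide (server 2003ADsrv, domain ADexample.com).
AD_SERVER_URL = "ldaps://2003ADsrv.ADexample.com"


@dataclass(frozen=True)
class LdapTarget:
    scheme: str
    host: str
    port: int


def parse_ldap_url(url: str) -> LdapTarget:
    """Split an ldap:// or ldaps:// URL into scheme, host and port (389/636 default)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return LdapTarget(parts.scheme, parts.hostname, port)


def build_ldaps_context(ca_pem: str | None = None) -> ssl.SSLContext:
    """TLS context for the LDAPS connection: peer certificate verification and
    hostname checking stay on, and the CA certificate imported for the AD server
    (PEM text) becomes the trust anchor when it is given."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_pem:
        ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True when the context would reject an unverifiable (man-in-the-middle) server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd attribute takes the password wrapped in double quotes,
    encoded as UTF-16LE (Active Directory's documented rule)."""
    return f'"{password}"'.encode("utf-16-le")


def transport_is_acceptable(url: str, ca_imported: bool) -> bool:
    """Only LDAPS with an imported CA certificate lets the client detect a
    man-in-the-middle, so only that combination may carry a password change."""
    return parse_ldap_url(url).scheme == "ldaps" and ca_imported


def plan_password_change(url: str, user_dn: str, old_password: str,
                         new_password: str, ca_imported: bool):
    """Return (target, user_dn, modify operations) for a self-service password
    change, or refuse when the transport would expose the credentials."""
    if not transport_is_acceptable(url, ca_imported):
        raise PermissionError(
            "AD password change requires ldaps:// and an imported CA certificate")
    target = parse_ldap_url(url)
    # A user changing their own password sends delete(old) and add(new)
    # against unicodePwd in a single modify request.
    changes = [
        ("delete", "unicodePwd", encode_unicode_pwd(old_password)),
        ("add", "unicodePwd", encode_unicode_pwd(new_password)),
    ]
    return target, user_dn, changes


if __name__ == "__main__":
    target, dn, ops = plan_password_change(
        AD_SERVER_URL, "CN=jdoe,CN=Users,DC=ADexample,DC=com",
        "OldPassw0rd", "NewPassw0rd", ca_imported=True)
    print(target, dn, [(op, attr, len(val)) for op, attr, val in ops])
```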

Configure the Active Directory server with LDAP over SSL

You can use your existing Active Directory (AD) server to authenticate users to your WatchGuard SSL Application Portal. Because the WatchGuard SSL Active Directory authentication method uses LDAP over SSL, before you configure your SSL device, you must first make sure that LDAP over SSL (also known as LDAPS or LDAP over TLS) is enabled on your Active Directory server. LDAP over SSL is not enabled by default.

LDAP over SSL is also known as LDAP/S, LDAPS, and LDAP over TLS. LDAP over SSL simply means that the LDAP connection between the LDAP client (in this case, the WatchGuard SSL device) and the LDAP server (the Active Directory server) is authenticated by TLS (Transport Layer Security), and the data exchanges are encrypted by the different cipher suites supported by the TLS protocol.

To enable LDAP over SSL, you can use one of two methods:
    Instructions from Microsoft: How to enable LDAP over SSL with a third-party certification authority
    Instructions in the subsequent sections, which use the certificate services web enrollment form instead of command line tools.

We recommend that you do not use both sets of instructions. If you choose to use both procedures, the process can be complicated and prone to failure.

Note: WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a non-WatchGuard product, see the documentation and support resources for that product.

For the subsequent procedures, Active Directory is installed on a Windows Server 2003 computer; the server name is 2003ADsrv, and the domain name is ADexample.com.

Importing a CA Certificate for your Active Directory Server

We strongly recommend that you import a CA certificate for your Active Directory server to your SSL device.
This is required for the SSL device to validate the certificate used by the LDAP/SSL services on your Active Directory server. Without the imported CA certificate, the SSL device cannot detect a man-in-the-middle attack between the SSL device and the LDAP/SSL server. For instructions, see Add a Certificate Authority to your SSL device.

Before you begin

Make sure your server has these applications and tools configured, with the services started:
    ldp.exe
        Microsoft Support Tool Utility (for LDAP configuration). This tool is used to connect to Active Directory and verify that the LDAPS protocol is running properly.
    Internet Information Services (IIS)
        IIS must be installed and the service must be started.

Certificate Services. Certificate Services must be installed and started on the AD server. This component is not installed by default, but is a common component that is frequently added to many AD servers.

After you have verified that the correct applications and tools are configured, you export the CA certificate from your Windows Certificate Server.

Verify the status of IIS

IIS must be installed and started correctly before you enable LDAP over SSL. If it is not, when you run the certsrv command in the process to enable LDAP over SSL, you receive a 404 error message.

1. Select Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.
2. Expand your server entry in the list.
3. Select Web Sites.
4. For Default Web Site, verify the State is Running.

Install Certificate Services on your AD server

If Certificate Services is already installed on your AD server, you can continue to the next procedure. Make sure that both the Certificate Services CA and Certificate Services Web Enrollment Support options are enabled.

When you enable Certificate Services, you can select to use either an Enterprise root CA or a Stand-alone root CA. We recommend you choose a Stand-alone root CA, which is simpler to use and acceptable for most use cases.

From your Windows 2003 AD Server computer:

1. Select Start > Control Panel > Add or Remove Programs. The Add or Remove Programs dialog box appears.
2. Select Add/Remove Windows Components. The Windows Components Wizard dialog box appears.
3. In the Components list, select the Certificate Services check box. A notification message appears.
4. Click Yes.
5. Click Details. The Certificate Services dialog box appears.
6. Select the Certificate Services CA and Certificate Services Web Enrollment Support check boxes.
7. Click OK. The Certificate Services dialog box closes and the Windows Components Wizard dialog box appears.
8. Click Next. The CA Type page appears.
9. Select Stand-alone root CA. Click Next.
10. Complete the wizard and finish the Certificate Services installation.

Export the CA Certificate from your Windows Certificate Server

From your Windows 2003 AD Server computer:

1. Select Start > Programs > Administrative Tools > Certification Authority. The Certification Authority dialog box appears.

332 WatchGuard SSL Web UI

2. Right-click the name of your Certificate Authority. Select Properties.
3. On the General tab, click View Certificate. The Certificate dialog box appears.
4. Select the Details tab.
5. Click Copy to File. The Certificate Export Wizard appears.
6. Click Next. The Export File Format page appears.
7. Select the Base-64 encoded X.509 (CER) file format. The File to Export page appears.
8. To save the certificate file to the default location, in the File Name text box, type a name for the certificate. To select a different location to save the file, click Browse. Select the location and type a file name for the certificate. For example, cacert.cer.
9. Click Next. The Completing the Certificate Export Wizard page appears.
10. Review the certificate information. Click Finish.

Enable your AD Server for LDAP over SSL

To enable your AD server to use LDAP over SSL, you request the certificate from the Certificate Authority and use the Certificate Services Web UI to import it.

Request a certificate from the CA

From your Windows 2003 AD Server computer:

1. Open Internet Explorer and go to the Certificate Services web enrollment address for your server. Replace <servername> in the web address with the host name or IP address of your AD server. For this example, the server name is 2003ADsrv. If a certificate warning appears, add the URL to the list of trusted sites in Internet Explorer: select Tools > Internet Options, select the Security tab, and add the exception.
2. Click Request a Certificate. The Request a Certificate page appears.
3. Click Submit an advanced certificate request. The Advanced Certificate Request page appears.
4. Click Create and submit a request to this CA.
5. In the Name text box, type the fully qualified domain name of your server. Make sure the name is correct and in the FQDN format. For this example, type 2003ADsrv.ADexample.com.
6. In the Type of Certificate Needed drop-down list, select Server Authentication Certificate.
7. Configure Key Options:
   a. Select Create new key set.
   b. From the CSP drop-down list, select Microsoft RSA SChannel Cryptographic Provider.
   c. Set the Key Usage to Exchange.
   d. In the Key Size text box, type the key size.

   e. Select Automatic key container name.
   f. Select the Mark keys as exportable check box.
   g. Make sure the Enable strong private key protection check box is not selected.
   h. Select the Store certificate in the local computer certificate store check box.
8. Configure Additional Options:
   a. Set the Request Format to PKCS10.
   b. From the Hash Algorithm drop-down list, select SHA-1.
   c. Clear the Save request to a file check box. If you select this check box, you must manually submit the request and manually import the certificate to your server. When you do not select this option, the request is submitted automatically and the certificate is automatically imported to your server.
9. Click Submit. The certificate request is submitted.

Issue the certificate

After you have requested the certificate from the CA, you must issue the certificate before you can import it.

From your Windows 2003 AD Server computer:

1. Select Start > Programs > Administrative Tools > Certification Authority.
2. Expand the Certification Authority list.
3. Select the Pending Requests folder.
4. Select the pending request for the certificate you want to issue.
5. Right-click the request and select All Tasks > Issue. The CA issues the certificate.

Import the certificate

After you have requested the certificate from the CA, you can import it to the server certificate store. These instructions use the Internet Explorer web browser. If you use a different web browser, the instructions might be different.

From your Windows 2003 AD Server computer:

1. Open Internet Explorer and go to the Certificate Services web enrollment address for your server. Replace <servername> in the web address with the host name of your AD server. For this example, the server name is 2003ADsrv.
2. Click View the status of a pending certificate request. The View the Status of a Pending Certificate Request page appears.
3. Select the certificate you want to import.
4. Follow the instructions to import the certificate.
5. Reboot your Windows 2003 AD Server computer.

Test the LDAP over TLS connection

To test if LDAP over TLS works properly, use the ldp.exe tool.

1. Open a command prompt and type ldp. The LDP application appears.

2. Select Connection > Connect. The Connect dialog box appears.
3. In the Server text box, type the name of your AD server. For this example, type 2003ADsrv.
4. In the Port text box, type the LDAP over SSL port number.
5. Select the SSL check box.
6. Click OK. A list of attributes appears, which indicates a successful connection. Some errors can also appear, but they are not fatal errors and do not indicate a problem with the connection.

If a connection error appears, there is an incorrect setting in the configuration. Review your configuration with the steps in the previous procedure to correct any errors. For the Active Directory authentication method to work correctly, LDAP over SSL must also work correctly.

Verify the HTTP SSL properties

The last step to configure LDAP over TLS for your AD server is to make sure the HTTP SSL service is running correctly.

From your Windows 2003 AD Server computer:

1. Select Start > Administrative Tools > Services. The Services tool appears.
2. In the Services list, find the HTTP SSL service.
3. Right-click HTTP SSL and select Properties. The HTTP SSL Properties dialog box appears.
4. Make sure the General tab is selected.
5. From the Startup type drop-down list, select Automatic. This makes sure the HTTP SSL service starts automatically when the server is rebooted.
6. Click OK.

Configure the Active Directory Authentication method on your SSL device

Now that you have issued the certificate from your CA, enabled LDAP over SSL on your AD Server, and exported the CA certificate, you can add the CA certificate to your SSL device and configure your SSL device to use Active Directory Authentication.

Add a Certificate Authority to your SSL device

If you did not import the CA certificate when you ran the Setup Wizard, you must import it to configure Active Directory Authentication.

1. Connect to WatchGuard SSL Web UI for your device.
2. Select Manage System > Certificates. The Manage Certificates page appears.
3. In the Certificate Authorities section, click Add Certificate Authority. The Add Certificate Authority page appears.
4. Make sure the Enable Certificate Authority check box is selected.

5. In the Display Name text box, type a name for the CA certificate. This is the name that appears on the Manage Certificates page in the Registered Certificate Authorities list.
6. Click Browse and select the CA certificate.
7. In the Revocation Control section, select No certificate revocation checking should be performed.
8. Click Finish Wizard. The certificate name appears in the Registered Certificate Authorities list.

Enable SSL for Active Directory Authentication services

After you add the CA certificate to your device, you add the Active Directory Authentication Method to your configuration to make a connection between your SSL device and your AD server. When you use an Active Directory server you can choose from many authentication methods. Because users can change their passwords when they authenticate, we recommend that you use the Active Directory authentication method. With this method, the password policy settings you defined in Active Directory are enforced.

To configure Active Directory authentication:

1. Select Manage System > Authentication. The Authentication page appears.
2. Click Add Authentication Method. The Add Authentication Method page appears.

3. Select Active Directory. Click Next.
4. Make sure the Enable authentication method check box is selected. If you choose to configure this method but not enable it, you can enable it at another time.
5. In the Display Name text box, type a name for this Active Directory Authentication method. This is the name that appears in the Registered Authentication Methods list.

6. To select a different template for this method, in the Template Name text box, type the name of the template to use. We recommend you use the default template.
7. To specify the AD server to use for authentication, click Add Authentication Method Server. You can specify more than one AD server. The Add Authentication Method Server page appears.
8. In the Host text box, type the IP address or DNS name of your AD server.
9. To use a port other than the default port, in the Port text box, type a new value. We recommend you keep the default value.
10. To use a timeout value other than the default setting, in the Timeout text box, type a new value. This is the amount of time the client waits for a response from the AD server before it tries to connect with another authentication method.
11. In the Account text box, type the user name for the administrator of the AD server. This can be a Distinguished Name or Principal Name. Make sure you use the correct user name form. For example:
   username@myexample.com
   myexample\username
   CN=username,OU=myexample,OU=com
12. In the Password text box, type the password for the administrator of the AD server.
13. In the Root DN text box, type the Root DN information for the AD server where user accounts are stored. Make sure you use the correct Root DN form. For example, dc=exampleadserver,dc=com
14. Click Next. The Authentication Method Server appears in the Registered Authentication Method Servers list.

15. Click Next. The Extended Properties page appears with a default list of Registered Extended Properties. Extended properties are actions that occur when your users authenticate with this method.
16. To add an extended property, click Add Extended Property. The Add Extended Property page appears.
17. Select a Key and a Value. For more information about Extended Property settings, see Manage Extended Properties.
18. Click Next. The Extended Property appears in the Registered Extended Properties list.
19. Make any changes to the Registered Extended Properties list for this authentication method.
20. Click Finish Wizard. The AD authentication method appears in the Registered Authentication Methods list with the Display Name you specified.
21. Click Publish to update your configuration with this change.

If you do not enable the Active Directory authentication method, your remote users can still authenticate to the WatchGuard SSL Application Portal with their Active Directory credentials. You can create user accounts in the Local User Database and link them to their Active Directory user accounts to use the same credentials. Then you enable the WatchGuard SSL Password authentication method. When your users authenticate, WatchGuard SSL automatically queries the AD server for the user credentials. If your users change their passwords when they authenticate, the passwords are only changed in the Local User Database, not the AD server, and any policy settings you configured in the AD server are not applied.

To link users in your Local User Database to your AD server:

1. Select User Management > User Accounts. The Manage All User Accounts page appears.

2. Click Global User Accounts Settings. The Manage Global User Account Settings page appears.

3. Select User Linking.
4. Configure the global settings for User Linking.
5. Click Save.

Verify your SSL device is connected to your AD server

Before you can verify the connection between your AD server and your SSL device, you must first add the AD server to your SSL device as an External Directory Service location.

To add an External Directory Service location:

1. Select User Management > External Directory Service. The Manage External Directory Service page appears.
2. Click Add External Directory Service Location. The Add External Directory Service Location page appears.
3. Select Microsoft Active Directory. Click Next. The Add External Directory Service Location page appears.

4. Configure the settings for this External Directory Service location. Make sure the settings match those you configured for your AD Server Authentication Method.
5. Click Next. The Add External Directory Service Location page appears.

6. To add search rules for your users, click Add User Search Rule. The Add User Search Rule page appears.
7. Configure the search rule. Click Next. The External Directory Service Location Search Rules page appears.
8. To add search rules for your user groups, click Add User Group Search Rule. The Add User Group Search Rule page appears.

9. Configure the search rule. Click Next. The External Directory Service Location Search Rules page appears.
10. To verify the connection to your External Directory Service is active, click Test Connection.
11. Click Finish Wizard. The directory service is added and appears in the Registered External Directory Service Location list.

After your AD server is added as an External Directory Service location, you can test the connection between the AD server and the SSL device at any time.

1. Select User Management > External Directory Service. The Manage External Directory Service page appears.
2. In the Registered External Directory Service Locations list, select your AD server. The Edit External Directory Service Location page appears.
3. Select the Search Rules tab.
4. Click Test Connection to the External Directory Service Location. The SSL device tries to contact the AD server. If your configuration is correct, a Connection test ran successfully message appears. If the connection test fails, review the settings for your AD Server External Directory Service Location, and correct any errors in the configuration.

About Certificates

Certificates are a type of digital signature that matches the identity of a person or organization with an encryption method. This method is a security component called a key pair, or two mathematically related numbers called the private key and the public key. A certificate includes both a statement of identity and a public key, and is signed by a private key.

The private key used to sign a certificate request can be from the same person or organization that originally created the certificate, or from a certificate authority. If the private key is from the same person or organization that created the certificate, the result is called a self-signed certificate. If the private key is from a certificate authority (CA), the result is called a CA certificate.

A certificate authority is an organization or application that creates, signs, and revokes (disables) certificates. Most applications and devices have a list of trusted CAs whose certificates are automatically accepted.

WatchGuard SSL supports 1024-bit and 2048-bit SSL certificates.
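The following script is an added example and is not part of the WatchGuard guide. It repeats the ldp.exe test from the LDAP over SSL procedure above in code, but with the CA certificate you exported (cacert.cer) as the only trust anchor, so it also fails when the AD server presents a certificate that does not chain to that CA or whose name is not the FQDN typed into the certificate request. The host name, port and file name are assumptions for illustration.

```python
"""LDAPS reachability and certificate check for an AD server.

Added example, not part of the WatchGuard guide. It mirrors what the SSL
device does once the CA certificate is imported: require a server
certificate, require that it chains to the CA in `cafile`, and require
that its name matches the FQDN requested for the server (for the guide's
example, 2003ADsrv.ADexample.com). Host names and file names are
assumptions for illustration.
"""
import socket
import ssl
from dataclasses import dataclass, field
from typing import Dict, Optional

LDAPS_DEFAULT_PORT = 636  # IANA-registered port for LDAP over SSL


@dataclass
class LdapsCheck:
    ok: bool
    detail: str
    subject: Dict[str, str] = field(default_factory=dict)
    issuer: Dict[str, str] = field(default_factory=dict)


def make_ldaps_context(cafile: Optional[str]) -> ssl.SSLContext:
    """Client context with the same policy as the device after the CA
    import: peer certificate required, chain validated, host name checked.
    cafile is the Base-64 X.509 file exported from the CA (e.g. cacert.cer).
    With cafile=None only the platform trust store is used, which is the
    situation the guide warns about: a private CA is then not trusted and
    a substituted certificate cannot be told apart from the real one."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def verification_policy(ctx: ssl.SSLContext) -> dict:
    """Summarize the two settings that decide whether a bad certificate
    is rejected, in a form that is easy to assert on."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname}


def flatten_name(rdns) -> Dict[str, str]:
    """Turn the nested RDN tuples from getpeercert() into {attr: value}."""
    return {attr: value for rdn in rdns for (attr, value) in rdn}


def check_ldaps(host: str, cafile: Optional[str],
                port: int = LDAPS_DEFAULT_PORT, timeout: float = 5.0) -> LdapsCheck:
    """Complete a TLS handshake with host:port and report the outcome.
    No LDAP operation is sent: a completed handshake is what the ldp.exe
    test with the SSL box checked proves, and a failed one is what the
    SSL device would see from a wrong or untrusted server certificate."""
    ctx = make_ldaps_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Chain does not reach the imported CA, or the certificate name
        # is not the FQDN that was typed into the certificate request.
        return LdapsCheck(False, f"certificate verification failed: {exc.verify_message}")
    except ssl.SSLError as exc:
        # Port answers but the handshake fails, e.g. the server has no
        # usable Server Authentication certificate installed yet.
        return LdapsCheck(False, f"TLS handshake failed: {exc}")
    except OSError as exc:
        # Refused, unreachable or timed out: LDAPS is not listening.
        return LdapsCheck(False, f"connection failed: {exc}")
    return LdapsCheck(True, "handshake completed, certificate chain trusted",
                      subject=flatten_name(cert["subject"]),
                      issuer=flatten_name(cert["issuer"]))


if __name__ == "__main__":
    # Assumed values: the guide's example server and the exported CA file.
    print(check_ldaps("2003ADsrv.ADexample.com", "cacert.cer"))
```

Run it from a machine that can reach the AD server; a result with ok=False and a "certificate verification failed" detail means the server certificate, not the network, is the problem.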

Certificate Lifetimes and CRLs

When a certificate is created, it has a set lifetime. At the end date of the certificate lifetime, the certificate expires and can no longer be used. Sometimes, certificates are revoked, or disabled by the CA, before the expiration. To reject a client certificate that has already been issued but later canceled, the client certificate validation routine checks it against a list of canceled client certificates. This list is called a Certificate Revocation List (CRL). The CRL is distributed through a CRL Distribution Point (CDP). The supported CDP protocols are HTTP and LDAP. You configure whether to use the CRL when you add a Certificate Authority.

Certificate Authorities and Signing Requests

To create a third-party certificate, you put part of a cryptographic key pair in a certificate signing request (CSR) and send the request to a CA. It is important that you use a new key pair for each CSR you create. The CA issues a certificate after it receives the CSR and verifies your identity. You can also use tools such as OpenSSL, or the Microsoft CA Server that comes with most Windows Server operating systems, to create a CSR.

If you do not have a PKI (public key infrastructure) set up in your organization, we recommend that you choose a prominent CA to sign your CSR. If a prominent CA signs your certificate, your certificate is automatically trusted by most users. WatchGuard has tested certificates signed by VeriSign, Microsoft CA Server, Entrust, and RSA KEON.

Default Certificate

The WatchGuard SSL Server default configuration has a self-signed server certificate named TestCert. When you use the default certificate, a client browser displays a certificate warning because the distinguished name in the default self-signed certificate does not match your organization, and the certificate is not signed by a trusted certificate authority. If you install a server certificate signed by a well-known (trusted) CA, the certificate warnings do not appear because the browser trusts the certificate.

We recommend that you replace the default certificate with your own signed certificate. To create your own signed certificate, you must first create a Certificate Signing Request (CSR). Then you send the CSR to a certificate authority (CA), which issues a signed certificate. WatchGuard SSL supports 1024-bit and 2048-bit SSL certificates. For more information, see Create a CSR with OpenSSL.

Manage Certificates

In WatchGuard SSL Web UI, you manage Certificate Authorities, server certificates, and client certificates. For more information, see:

Add a Certificate Authority
Add a Server Certificate
Edit or Delete a Server Certificate
Manage Client Certificate Settings

Add a Certificate Authority

A certificate authority (CA) issues client certificates used for authentication. For the WatchGuard SSL device to authenticate a user, you must upload a CA certificate. You register certificate authorities (CA) to be used for validation of certificates. You type a Display Name for the CA and specify a CA certificate file. You then select whether to use a certificate revocation list (CRL) or to perform no revocation checks at all. If you choose to enable CRL checking, the Add Certificate Authority wizard includes an additional step to configure a Control Distribution Point for the CRL.

Configure CA General Settings

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. Click Add Certificate Authority. The Add Certificate Authority General Settings page appears.

3. Select the Enable Certificate Authority check box.
4. In the Display Name text box, type a name for this Certificate Authority.
5. Adjacent to the CA Certificate text box, click Browse and select the location of the certificate for your CA. The certificate must be in PEM or DER format.
6. In the Revocation Control section, to enable certificate revocation checking, select CRL. CRL checking is enabled by default. If you do not want to enable CRL checking, select No certificate revocation checking should be performed.
7. If you did not enable CRL checking, proceed to Step 8. If you enabled CRL checking, click Next and specify at least one control distribution point (CDP). For more information, see the subsequent section.
8. Click Finish Wizard. The Certificate Authority appears in the Registered Certificate Authorities list.

Configure Control Distribution Points

If you enable CRL checking for your CA, you must specify at least one Control Distribution Point (CDP). The CDP verifies the certificates issued by the CA. To add a CDP, click Add Control Distribution Point on the second page of the Add Certificate Authority wizard. Specify settings for these fields:

Address
The address can be an LDAP address (RFC2255) or an HTTP address. Example LDAP address:

ldap:// /cn=win2k%20root%20ca,cn=test-win2kad,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=win2kad,DC=examplecompany,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint

Example HTTP address:

Fetch Time Adjustment
Adjusted time in seconds when revocation information is retrieved, compared to the time when revocation information is set to be retrieved. The allowed interval is. This option is useful when there is latency when the CA issues a new CRL. Latency can occur if there are replicated directories involved. This option is set to zero (0) by default.

Update Time
Select this option to configure a custom update time. When not selected, the Next Update Time attribute from the CRL is used. This option is not selected by default.

Retry Interval
Interval in seconds before the system tries to contact the CRL again, if the CRL cannot be accessed. The allowed interval is seconds, or a maximum of 365 days. The Retry Interval is set to 300 seconds by default.

You must also specify the action to take if the CRL cannot be retrieved from the CDP. In the CRL Invalid Action section, select one of these options:

Authentication is denied
If a valid CRL cannot be retrieved, deny authentication for all users.

Authentication is allowed, previous CRL is used
If a valid CRL cannot be retrieved, use the previously retrieved CRL for certificate revocation control. If a user authenticates with an invalid CRL, this event is written to the log file.

Add a Server Certificate

You must add at least one server certificate to use when the device communicates with end users.

Note
PEM is the default format for OpenSSL. It stores data in Base64 encoded DER format, surrounded by ASCII headers, suitable for text mode transfers between systems. DER format can contain private keys, public keys, and certificates. It stores data according to the ASN.1 DER format. PEM format includes a text header wrapped around the headerless DER format. This is the default format for most browsers.
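The following helper is an added example, not code from the WatchGuard guide. It works with the two formats the note above describes: it converts between PEM and headerless DER, checks the outer ASN.1 SEQUENCE framing so a truncated or mangled file is caught before you upload it, and splits a bundled PEM file (which, as described under Add the New Server Certificate, must be split into one certificate per file before import) into its individual certificates. The sample bundle is a constructed placeholder, not a real certificate.

```python
"""PEM/DER certificate file handling.

Added example, not part of the WatchGuard guide. PEM is Base64-encoded DER
between "-----BEGIN ...-----" / "-----END ...-----" lines; DER is the raw
ASN.1 encoding, whose first element for a certificate is a SEQUENCE
(tag 0x30) followed by its length. The sample data below is a constructed
placeholder, not a real certificate.
"""
import base64
import re
from typing import List

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length(der: bytes) -> int:
    """Total encoded size of the first DER element in `der`.
    Length is short form (one byte < 0x80) or long form (0x80 | N,
    then N big-endian length bytes)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected tag 0x30)")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER long-form length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_der(der: bytes) -> bytes:
    """Raise ValueError if the DER blob is truncated or has trailing bytes."""
    total = der_length(der)
    if total != len(der):
        raise ValueError(f"DER length mismatch: header says {total}, got {len(der)}")
    return der


def is_valid_der(der: bytes) -> bool:
    try:
        check_der(der)
        return True
    except ValueError:
        return False


def pem_to_der(pem: str, label: str = "CERTIFICATE") -> bytes:
    """Strip the ASCII header/footer and Base64-decode the body."""
    m = PEM_BLOCK.search(pem)
    if not m or m.group(1) != label:
        raise ValueError(f"no {label} block found")
    return check_der(base64.b64decode("".join(m.group(2).split()), validate=True))


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER in PEM armor with 64-character Base64 lines."""
    body = base64.b64encode(check_der(der)).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def split_pem_bundle(bundle: str) -> List[str]:
    """Return each CERTIFICATE block as its own normalized PEM string, in
    file order. Other blocks (e.g. a PRIVATE KEY pasted into the same file)
    are skipped; the guide uploads the key separately as a PKCS#8 file."""
    out = []
    for m in PEM_BLOCK.finditer(bundle):
        if m.group(1) != "CERTIFICATE":
            continue
        der = check_der(base64.b64decode("".join(m.group(2).split()), validate=True))
        out.append(der_to_pem(der))
    return out


# Constructed placeholder DER blobs (a SEQUENCE holding one INTEGER), not
# real certificates; real ones are larger but are framed the same way.
SAMPLE_DER_1 = bytes.fromhex("3003020101")
SAMPLE_DER_2 = bytes.fromhex("3003020102")
SAMPLE_BUNDLE = (der_to_pem(SAMPLE_DER_1)
                 + "-----BEGIN PRIVATE KEY-----\nAA==\n-----END PRIVATE KEY-----\n"
                 + der_to_pem(SAMPLE_DER_2))

if __name__ == "__main__":
    for i, pem in enumerate(split_pem_bundle(SAMPLE_BUNDLE), 1):
        # Each part is written to its own file for separate upload.
        with open(f"cert{i}.pem", "w") as fh:
            fh.write(pem)
```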

Warning
If you import a certificate incorrectly, for example, if you do not enter the private key properly, further admin or client connections will be blocked. If this occurs, you must reset the device to factory install settings and reconfigure the device. Make sure you perform a backup of your configuration before you import a new certificate.

To add a server certificate:

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. Click Add Server Certificate. The Add Server Certificate General Settings page appears.
3. In the Display Name text box, type a name for this server certificate.
4. Adjacent to the Certificate text box, click Browse and select the location of the certificate for your server. The certificate must be in PEM format.
5. Adjacent to the Key text box, click Browse and select the location of the private key for the server certificate. The key must be a PKCS#8 key in either DER or PEM format.
6. If the key is encrypted, in the Password text box, type the password to use for the certificate.
7. Click Save. The certificate you added appears in the Registered Server Certificates list.

To see details about a server certificate:

1. In the Registered Server Certificates list, click the certificate.
2. Click View Certificate Details.

For more information about how to edit certificates, see Edit or Delete a Server Certificate.

Edit or Delete a Server Certificate

You can edit or delete the server certificate that the device uses when it communicates with end users.

To edit a server certificate:

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. In the Registered Server Certificates list, click the display name of the server certificate to edit. The Edit Server Certificates General Settings page appears.
3. To see details about the certificate, click View Certificate Details.
4. Update the settings for the server certificate.
5. Click Save.

To delete a server certificate:

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. In the Registered Server Certificates list, click the display name of the server certificate to delete. The Edit Server Certificates General Settings page appears.
3. Click Delete.
4. Click Yes.

Manage Client Certificate Settings

You can add and edit the PEM formatted client certificates that clients use to communicate with resources. If you use SSL, you can specify only one client certificate.

To add or edit a client certificate:

1. Select Manage System > Certificates. The Manage Certificates page appears.

2. Click Manage Client Certificate Settings. The Add Client Certificate page appears.
3. In the Display Name text box, type the name for this client certificate.
4. Adjacent to the Certificate text box, click Browse and select the client certificate file. The certificate must be in PEM format.
5. Adjacent to the Key text box, click Browse and select the private key file for the client certificate. The key must be a PKCS#8 key in either DER or PEM format.
6. In the Password text box, specify the password to use if the private key is encrypted.
7. Click Save.

Create a CSR with OpenSSL

The WatchGuard SSL Server default configuration has a self-signed server certificate named TestCert. We recommend that you replace this with your own signed certificate. To create your own signed certificate, you must first create a Certificate Signing Request (CSR). Then you send the CSR to a certificate authority (CA), which issues a signed certificate. WatchGuard SSL supports 1024-bit and 2048-bit SSL certificates.

When you use the default certificate, the browser displays a certificate warning because the distinguished name in the default self-signed certificate does not match your organization, and the certificate is not signed by a trusted certificate authority. If you install a server certificate signed by a well-known (trusted) CA, the certificate warnings do not appear because the browser trusts the certificate.

Before You Begin

You can use OpenSSL to create a private key and certificate signing request. For a list of sites where you can download OpenSSL, see the OpenSSL web site.

Use OpenSSL to Generate a CSR

1. Open a command line interface.
2. To generate a private key, type openssl genrsa -out wgnet.key followed by the key size in bits (1024 or 2048). In this example, wgnet.key is the private key file.

3. To generate a CSR with the private key, type openssl req -new -key wgnet.key -out wgnet.csr. In this example, wgnet.csr is the certificate signing request.

Submit the CSR to a Certificate Authority

Use the CSR to request a certificate from Thawte, VeriSign, or another certificate authority (CA). Use the instructions from your CA to submit the CSR. The CA returns to you a signed certificate.

Convert the Private Key to PKCS#8 Format

Before you import the certificate and private key, you must use OpenSSL to convert the private key to PKCS#8 format.

1. Open a command line interface.
2. Type openssl pkcs8 -topk8 -in wgnet.key -out wgnet.pk8. In this example, wgnet.pk8 is the PKCS#8 private key file.

Add the New CA Certificates to WatchGuard SSL Web UI

Before you add the server certificate, you must add to WatchGuard SSL Web UI all the certificates that the CA provided to you. If the CA sent more than one certificate, you must add each certificate separately. You can add the certificates in any order. When you add the certificates, make sure you disable the certificate revocation control option.

1. Select Manage System > Certificates. The Manage Certificates page appears.

2. Click Add Certificate Authority. The Add Certificate Authority General Settings page appears.

3. Make sure the Enable Certificate Authority check box is selected.
4. In the Display Name text box, type the name for this Certificate Authority.
5. Adjacent to the CA Certificate text box, click Browse and select the location of the certificate for your CA. The certificate must be in PEM or DER format.
6. In the Revocation Control section, select No certificate revocation checking should be performed.
7. Click Finish Wizard. The CA certificate appears in the Registered Certificate Authorities list.
8. To add more CA certificates, repeat Steps 3-8.

Add the New Server Certificate to WatchGuard SSL Web UI

If your certificate is a bundled certificate, you must split the certificate before you add it to WatchGuard SSL Web UI.

1. Select Manage System > Certificates. The Manage Certificates page appears.
2. Click Add Server Certificate. The Add Server Certificate General Settings page appears.

3. In the Display Name text box, type an identifying name for the certificate. This is the name that appears in the Registered Certificate Authorities list.
4. Adjacent to the Certificate text box, click Browse and select the location of the server certificate. The certificate must be in PEM format.
5. Adjacent to the Key text box, click Browse and select the location of the private key for the server certificate. The key must be a PKCS#8 key in either DER or PEM format.
6. If you created an encrypted key, in the Password text box, type the correct password for the encrypted key.
7. Click Save.
8. Select Administration Service. The Manage Administration Service page appears.

9. From the Server Certificate drop-down list, select the certificate you added.
10. Click Save.

Apply the Server Certificate to Your SSL Device

After you have imported the new server certificate, you can apply it to your SSL device. You can specify only one server certificate.

1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select the General tab. The General Settings page appears.

3. From the Server Certificate drop-down list, select the server certificate you added in the previous section.
4. Click Save.

About Abolishment

Abolishment is an End-Point Security feature that monitors the files and stored browser data on a client during a user session, and then automatically deletes the browser data and files (for example, URL history, cache, cookies, and downloaded files) that were downloaded or created during the user session. You can configure the types of files and browser data that Abolishment deletes when the session ends. You can configure Abolishment to automatically delete the changed files, or to notify the user and let the user choose which items to delete.

You can use Abolishment for access control. When you protect a resource with an Abolishment access rule, the Abolishment settings specify what type of files are deleted on the client after the session is completed.

By default, the Abolishment client monitors these file types:
.htm
.pdf
.txt

.exe
.doc
.html
.gif
.jpg

When a user attempts to connect to the resource, access is allowed only if the Abolishment client is running. This makes sure that Abolishment can be performed when the session is completed. For your users of Microsoft Internet Explorer 7 or later, make sure the HTTPS IP address of the SSL device is added to the Internet Explorer Trusted sites list.

WatchGuard SSL supports Abolishment on Microsoft Windows clients. Abolishment is performed by the Abolishment client, which is loaded on the client computer with an ActiveX or Java client loader. If a user connects to the Application Portal with Internet Explorer, the first time the user clicks a resource that requires Abolishment, the user must agree to install the ActiveX client loader. The user must restart the web browser after the ActiveX loader installs. By default, the Abolishment Client Loader tries to use ActiveX first, and if it is not available, it uses a Java applet. You can change this in the Advanced Settings for Abolishment.

Note
When the user is notified about Abolishment, the Abolishment client is called the End-Point Protection scan.

To manage Abolishment settings:

1. Select Manage System > Abolishment. The Manage Abolishment page appears.

2. Configure Abolishment settings on these tabs:
   General Settings
   Cache Cleaner
   Advanced Settings
3. Click Save.

Configure General Settings

You can configure the settings used by Abolishment Access Rules to determine which file types to monitor on the client. You also configure whether to notify the user at the completion of the session about all monitored files that were downloaded or created. If you select to notify the user, the user can choose which files to delete. If you do not notify the user, at the end of the session the Abolishment client automatically deletes the monitored files that were downloaded or created during the session.

1. Select Manage System > Abolishment. The Manage Abolishment page appears.
2. Select the General Settings tab. The General Settings page appears.

3. Configure the settings to monitor and delete downloaded files. For more information about these settings, see the subsequent section.
4. Click Save.

General Settings

Monitor Downloaded Files
    Specify the file types to monitor during a user session. You can only monitor files on Windows clients. By default, the file types that are monitored for abolishment are:
    .htm
    .pdf
    .txt
    .exe
    .doc
    .html
    .gif
    .jpg
Delete Downloaded Files
    Specify whether to delete monitored files that have been created or downloaded during the session when the session ends, and whether to notify the user and let the user select which files to delete. You can configure these settings:

Enable Delete
    To delete monitored files that have changed at the end of the session, select this check box.
Notify User
    To show the user a message at the end of the session, select this check box. This message includes information about which files have been downloaded or created, and allows the user to select which files to delete.
Notification Message
    If you select the Notify User check box, type the message that users see with the list of files to delete.

Configure Cache Cleaner Settings

You can configure settings that control the deletion of cached Internet Explorer web content and the browser history created during the user session.

1. Select Manage System > Abolishment. The Manage Abolishment page appears.
2. Select the Cache Cleaner tab. The Cache Cleaner page appears.
3. Configure the settings to delete cached Internet content and browser history. For more information about these settings, see the subsequent section.
4. Click Save.

Cache Cleaner settings

Delete the Internet Explorer history and typed URLs
    Select this check box to delete the Internet Explorer browser history and the web site addresses that the user created during the session. This is not selected by default.
Delete the browser cache entries
    Select this check box to delete the cached pages in the Internet Explorer browser. You can use the URL filter to specify which cached pages to delete. This is not selected by default.

URL Filter
    Type the URL pattern of the files to remove from the browser cache. The Abolishment client monitors the cached files in the Windows Temporary Internet Files folder. At the end of the session, the Abolishment client deletes all cached files that match the URL filter and that were created during the session. You can use a wildcard character (*). If you use the * wildcard character alone, the Abolishment client deletes all cache entries created during the user session. This is the default setting.

    Here are some other examples of URL filters:
    https*
        Removes all cache entries downloaded from a secure server during the user session.
    Removes all cache entries from the specified server during the user session.

Configure Advanced Settings

You can configure the settings that control how Abolishment works.

1. Select Manage System > Abolishment. The Manage Abolishment page appears.
2. Select the Advanced Settings tab. The Advanced Settings page appears.

3. Configure the Abolishment settings for resource display, whether to automatically start Abolishment, and how to load the Abolishment client. For more information about these settings, see the subsequent section.
4. Click Save.

Advanced Settings

Display resources
    Select the Display resource in Application Portal check box if you want the icons for all resources to appear in the Application Portal before Abolishment starts to monitor the client.
Automatically start Abolishment
    When the user selects a resource protected by an Abolishment access rule, a notification message appears that tells the user that the End-Point Integrity client is required. If you do not select the Automatically start Abolishment check box, the user must click a button on the notification page to start the Abolishment client. If you select this check box, the notification message appears briefly and the Abolishment client starts automatically.
Abolishment Client Loader
    Select which type of loader to use for the Abolishment client.
    ActiveX - Java Applet
        Use the ActiveX client loader first. If the ActiveX client loader is not available, use the Java applet. This is the default setting.
    ActiveX
        Use the ActiveX client loader only.
    Java Applet
        Use the Java applet client loader only.

Post-connection Cleanup with Abolishment

When a remote user connects to sensitive web-based resources on your network from a computer that is not under your control (such as a home computer or kiosk), confidential information can remain on the computer after the VPN session is terminated. You can use Abolishment to erase all traces of the session from the client device (for example, URL history, cache, cookies, and downloaded files). You can apply an Abolishment rule to any web-based resource. The Abolishment agent runs when the user disconnects from the WatchGuard SSL device, or when the client browser closes.
The Abolishment agent loads in the client web browser with either Java or ActiveX technology. You can enable Abolishment when the user accesses a web-based resource and allow the user to decide which files to delete. The following procedure modifies a file sharing resource to add a client Abolishment rule.

Enable Abolishment

1. Select Manage System > Abolishment. The Manage Abolishment page appears.
2. Click the General Settings tab.

3. In the Windows text box, type any additional file types to monitor. The default file types are htm, pdf, txt, exe, doc, html, gif, and jpg.
4. In the Delete Downloaded Files section, select the Enable delete check box.
5. To enable your users to choose which files to delete, select the Notify user check box.
6. In the Notification Message text box, type the message users see when their sessions end.
7. Select the Cache Cleaner tab.
8. Select the Delete the Internet Explorer history and typed URLs check box.
9. Select the Delete the Internet Explorer cache entries check box.
10. Click Save.

Create a new Abolishment access rule and protect a file share resource with the rule

1. Select Resource Access > Access Rules. The Manage Access Rules page appears.
2. Click Add Access Rule. The Add Access Rule page appears.
3. In the Display Name text box, type a name for your access rule.
4. Click Add Rule. The Select Type of Access Rule page appears.
5. Select Abolishment for the access rule type.
6. Click Next. The Add Access Rule - Abolishment summary page appears.

7. Review the summary page and click Next. The Add Access Rule page appears.
8. Click Next. The Apply Access Rule To Resources page appears.
9. In the Available Resources list, select the file share resources to use this Abolishment rule, and click Add >. The resources appear in the Selected Resources list.
10. Click Next. The Confirm Access Rule Summary page appears.
11. Review the summary page and click Finish Wizard. The Manage Access Rule page appears with the new access rule in the Registered Access Rules list.
12. Click Publish to update your configuration with this change.

Trigger Abolishment

If you use Internet Explorer, the first time you click a resource that requires Abolishment or Assessment, you install the Assessment loader ActiveX component. You must restart the web browser after the ActiveX loader installs.

1. Connect to the Application Portal.
2. Select the file sharing resource you protected with the Abolishment rule. The End-Point Integrity scan notification appears.
3. Click Continue to accept the End-Point Integrity notification.
4. Go to the mapped drive letter defined in this file share resource. For example, W:.
5. Save a file from the file share resource to the local hard drive. The file must be one of the file types configured in the Abolishment settings. The default file types are htm, pdf, txt, exe, doc, html, gif, and jpg.
6. Log off the Application Portal or exit your browser. The WatchGuard SSL Abolishment client prompts the user to delete new or changed files.
7. Select the check box next to each file to delete. Or, click Select All.
8. Click Delete Files. The selected files are deleted.

About Assessment

Assessment is an End-Point Security feature that scans the client computer to assess whether the client meets certain criteria. You can configure the Assessment criteria that a client computer must meet in order to get access to a resource protected by an Assessment access rule.
You can define an Assessment access rule to check for:
File or directory information
Registry key or sub-key information
Process information
Windows user information
Windows domain information
Network interface information

TCP and UDP port information
Anti-virus and anti-spyware information
Firewall information

After a user authenticates, but before the user connects to a network resource, you can require an assessment of the user's computer to find whether the computer meets your security requirements. This is the Client Assessment process, which is performed by the WatchGuard SSL Assessment Agent. The Assessment Agent automatically launches in a client web browser. At the start of a user session, the Assessment client scans the client computer to make sure it meets the Assessment criteria you specify. If the client computer meets the criteria, the user is allowed to access the protected resource.

If you have a current LiveSecurity subscription, updates to your Assessment criteria data occur automatically at the time interval you specify in Monitor System > Live Update. If your LiveSecurity subscription expires, the assessment definition file is no longer updated, but continues to operate with the criteria available at the time of expiration.

WatchGuard SSL supports Assessment on Microsoft Windows clients. Assessment is performed by the Assessment client, which is loaded on the client computer with an ActiveX or Java client loader. If a user connects to the Application Portal with Internet Explorer, the first time the user clicks a resource that requires Assessment, the user must agree to install the ActiveX client loader. The user must restart the web browser after the ActiveX loader installs. By default, the Assessment Client Loader tries to use ActiveX first, and if it is not available, it uses a Java applet. You can change this in the Advanced Settings for Assessment.

Note
When the user is notified about Assessment, the Assessment scan is called the End-Point Integrity scan.

To manage Assessment settings:

1. Select Manage System > Assessment. The Manage Assessment page appears.

2. Configure Assessment on these tabs:
   General Settings
   Advanced Settings
3. Click Save.

Configure General Settings for Assessment

You can configure the client scan settings the Assessment Access Rules use when a user selects a protected resource. This includes Real-time Scan and the client scan path settings.

1. Select Manage System > Assessment. The Manage Assessment page appears with the General Settings tab selected.

2. Configure the Real-time Scan and Client Scan Path settings. For more information about these settings, see the subsequent sections.
3. Click Save.
4. Click Publish to update your configuration with this change.

Real-time Scan

The client scan is always performed the first time a user requests a resource that is protected by an Assessment Access Rule. If you want the client scan to continue assessment during the session, you must select this option. Real-time Scan is disabled by default.

To enable real-time scan:

1. Select the Enable Real-time Scan check box.
2. In the Interval text box, type the number of seconds between scans. The default interval is to scan every 120 seconds.

Client Scan Path

You can select one or more paths that you want the Assessment client to scan on the client computer. For each client scan path you must set this information:

Operating System
    The client operating system to scan. Windows is the only option.
Type
    The type of client data the client scan looks for. The client can search for four types of data:
    File
        file attributes, file name, file digest, file time created, and file time last written
    Directory
        directory name and attributes
    Registry Key
        registry name, registry type, and registry value
    Registry Sub Key
        registry name, registry type, and registry value
Path
    The path on the client computer to scan for the selected client data type.

Add a Client Scan Path

To add a client scan path:

1. In the Client Scan Path section, click Add Client Scan Path. The Add Client Scan Path page appears.
2. In the Type drop-down list, select the type of client data.
3. In the Path text box, type or paste the path to scan on the client computer.
4. Click Add. The new path appears in the Client Scan Path list.

Edit a Client Scan Path

After you have configured the path for a client scan, you can edit it to change the type of path and the path details.

1. In the Client Scan Path list, click the client scan path you want to change. The Edit Client Scan Path page appears.
2. Change the Type and Path settings. You cannot change the Operating System selection.
3. Click Update. The edited path appears in the Client Scan Path list.

Delete a Client Scan Path

You can also delete a path in the list.

1. In the Client Scan Path list, click the client scan path you want to delete. The Edit Client Scan Path page appears.

2. Click Delete. A confirmation message appears.
3. Click Yes. The Client Scan Path is removed from the list.

Windows

The SSL device caches the results of assessment access rules to improve the efficiency of assessing connections where multiple access rules are applied globally or applied to many resources. These options are enabled when you create a corresponding assessment access rule, and allow you to collect and cache Windows, process, network, anti-virus, firewall, and anti-spyware information. If you remove the original access rules, these options remain enabled for caching purposes. You can disable these options to improve client scanning efficiency during assessment when you no longer require these assessment options.

Configure Advanced Settings

You can configure the settings that control how Assessment works.

1. Select Manage System > Assessment. The Manage Assessment page appears.

2. Select the Advanced Settings tab. The Advanced Settings page appears.
3. Configure the Display Resources, Assessment Client Scan, and Assessment Client Loader settings. For more information about these settings, see the subsequent sections.
4. Click Save.

Display Resources

To enable the icons for all resources to appear in the Application Portal before the Assessment client scan is completed, select the Display resource in Application Portal check box. In this case, users may see resources that they cannot access. If this option is disabled, only resources that the user is allowed to access are displayed.

Automatically start the Assessment client scan

When the user selects a resource protected by an Assessment access rule, a notification message appears that tells the user that the End-Point Integrity client is required.

If you do not select the Automatically start the Assessment client scan check box, the user must click a button on the notification page to start the client scan. If you select this check box, the notification message appears and the Assessment client scan starts automatically.

Assessment Client Loader

Select which type of loader to use for the Assessment client.

ActiveX - Java Applet
    Use the ActiveX client loader first. If the ActiveX client loader is not available, use the Java applet. This is the default setting.
ActiveX
    Use the ActiveX client loader only.
Java Applet
    Use the Java applet client loader only.

Pre-connection End-point Integrity Check

You can use WatchGuard SSL End-Point Integrity to verify that client devices meet your defined security profile before users can access your internal resources through the Application Portal. After users authenticate, but before they connect to network resources, you can require an assessment of their computers to find whether they meet your security requirements. This is the Client Assessment process, which is performed by the WatchGuard SSL Assessment Agent. This process checks that all security requirements are met, such as security patch level, anti-virus protection, client firewall protection, or home domain. The Assessment Agent automatically launches in a client web browser.

You can configure the WatchGuard SSL device to allow access only if a specific process is active on the client computer. You can apply this type of access rule to any resource. Some examples of processes are executable files, anti-virus software, or client firewall software. The following procedure uses notepad.exe and modifies a file sharing resource as an example.

Enable real-time scan and client information collection

1. Select Manage System > Assessment. The Manage Assessment page appears.
2. Click the General Settings tab.

3. Select the Enable Real-time Scan check box.
4. In the Interval text box, type how often the scan is to occur, in seconds.
5. Click Add Client Scan Path. The Add Client Scan Path page appears.
6. In the Operating System drop-down list, Windows is the only option.
7. In the Type drop-down list, select File.
8. In the Path text box, type the directory location for the files to scan.
9. Click Add. The Manage Assessment page appears.
10. Click Save.
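The Pre-connection End-point Integrity Check walk-through gates a resource on a named process being active on the client: the access rule that follows registers a Process information requirement with a Wildcard match on *notepad.exe, leaves Deny access clear, and relies on Real-time Scan to re-check at the configured interval. The model below is an added example, not WatchGuard code, of how such a rule evaluates against a client scan result. It assumes that in a Wildcard match only '*' is special and everything else is literal, that Windows executable paths compare case-insensitively, that a Matching Rules value without '*' must equal the complete path (as the walk-through states), and that selecting Deny access inverts the outcome so the rule denies when its requirements are met.

```python
"""Model of an Assessment access rule that requires a running process.

Added example, not WatchGuard code. Assumptions (not stated on the page):
only '*' is a wildcard, process paths compare case-insensitively, and a rule
with Deny access selected denies when its requirements are met.
"""
import re


def wildcard_to_regex(pattern):
    """Turn a Matching Rules value such as '*notepad.exe' into an anchored,
    case-insensitive regex. Only '*' is a wildcard; everything else is literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def process_name_matches(matching_rule, process_path):
    """Wildcard match as the Web UI describes it: with no '*' in the rule,
    the rule must be the complete path to the executable."""
    if "*" in matching_rule:
        return wildcard_to_regex(matching_rule).match(process_path) is not None
    return matching_rule.lower() == process_path.lower()


def requirement_met(requirement, scan):
    """Evaluate one registered requirement against a client scan result.
    Only the 'Process name' client data with 'Wildcard match' is modelled."""
    if requirement["client_data"] != "Process name":
        raise ValueError("only Process name requirements are modelled")
    if requirement["matching_restriction"] != "Wildcard match":
        raise ValueError("only Wildcard match is modelled")
    return any(process_name_matches(requirement["matching_rules"], path)
               for path in scan["processes"])


def evaluate_rule(rule, scan):
    """Return (access_allowed, feedback_message).

    Every requirement must be met for the rule's conditions to hold. With Deny
    access clear (the walk-through's case) access is allowed when they hold;
    with Deny access selected the outcome is inverted (assumption)."""
    conditions_met = all(requirement_met(r, scan) for r in rule["requirements"])
    allowed = (not conditions_met) if rule["deny_access"] else conditions_met
    return allowed, (None if allowed else rule["feedback_message"])


def realtime_scan(rule, scans):
    """Real-time Scan repeats the check at the configured interval. Given the
    sequence of scan results taken during a session, return the index of the
    first scan at which access would be withdrawn, or None if it never is."""
    for index, scan in enumerate(scans):
        allowed, _ = evaluate_rule(rule, scan)
        if not allowed:
            return index
    return None


# The rule from the walk-through: allow access only while notepad.exe runs.
REQUIRE_NOTEPAD = {
    "display_name": "Require Notepad",
    "information_type": "Process information",
    "deny_access": False,
    "requirements": [{
        "client_data": "Process name",
        "matching_restriction": "Wildcard match",
        "matching_rules": "*notepad.exe",
    }],
    "feedback_message": "Start Notepad and click Try again.",
}

# Constructed scan results, shaped as the Assessment client might report them.
SCAN_WITH_NOTEPAD = {"processes": [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\notepad.exe",
]}
SCAN_WITHOUT_NOTEPAD = {"processes": [r"C:\Windows\explorer.exe"]}

if __name__ == "__main__":
    print(evaluate_rule(REQUIRE_NOTEPAD, SCAN_WITH_NOTEPAD))      # (True, None)
    print(evaluate_rule(REQUIRE_NOTEPAD, SCAN_WITHOUT_NOTEPAD))   # (False, feedback)
    print(realtime_scan(REQUIRE_NOTEPAD, [SCAN_WITH_NOTEPAD, SCAN_WITHOUT_NOTEPAD]))
```

Two things the model makes visible: a leading '*' matches any executable whose path ends in notepad.exe, so the check only proves that a process with that name is running, and typing the complete path narrows the requirement; and with Real-time Scan the rule is a continuous condition, so a process that stops mid-session withdraws access at the next interval rather than at the next login.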

Create a new Assessment access rule

1. Select Resource Access > Access Rules.
2. Click Add Access Rule.
3. Type a Display Name for your access rule. For example, Require Notepad.
4. Click Next. The Select Type of Access Rule page appears.
5. Select Assessment as the rule type.
6. Click Next. The Select Criteria page appears.
7. Select the criteria for this rule. For example, to check for notepad.exe:
   In the Display Name text box, type a descriptive name for this rule.
   In the Operating System drop-down list, Windows is the only option.
   In the Information Type drop-down list, select Process information.
   Do not select the Deny access check box, because you want to allow access if the conditions of this rule are met.
8. Click Next. The Specify Requirements page appears.
9. Click Add Requirement. The Add Requirement page appears.
10. Select the requirements for this rule. For example, to check for notepad.exe:
    In the Client Data drop-down list, select Process name.
    In the Matching Restriction drop-down list, select Wildcard match.
    In the Matching Rules text box, type *notepad.exe. If you do not include the '*' wildcard character, you must type the complete path to the executable file.
11. Click Add. The Specify Requirements page appears with the new rule in the Registered Requirements list.
12. Click Next. The Feedback Message page appears.
13. In the Feedback Message text box, type the message that users see if access to a resource is denied because the client scan results do not match the specified requirements.
14. Click Next. The Summary page appears.
15. Review the summary page and click Next. The Add Access Rule page appears.
16. Click Next. The Apply Access Rule To Resources page appears.
17. In the Available Resources list, select the resources to protect with this rule and click Add >. The resources appear in the Selected Resources list.
18. Click Next. The Confirm Access Rule Summary page appears.
19. Review the summary page and click Finish Wizard. The Manage Access Rules page appears with the new access rule in the Registered Access Rules list.
20. Click Publish to update your configuration with this change.

Trigger Assessment

If you use Internet Explorer, the first time you click a resource that requires Abolishment or Assessment, you must install the Assessment loader ActiveX component. Restart your web browser after the ActiveX loader installs.

1. Connect to the Application Portal.
2. Click the File Sharing resource you protected with the Assessment rule. The End-Point Integrity scan notification appears.
3. Click Continue to accept the End-Point Integrity notification. If notepad.exe is not active on the client computer, access to the resource is denied.
4. Launch notepad.exe.
5. Click Try again. The End-Point Integrity scan notification appears again.
6. Click Continue to accept the End-Point Integrity notification. The scan proceeds and the Access Client loads. The resource is now connected.

About Notification Settings

You can configure the email and SMS notification channels to send notification messages. These notification channels are used to send alerts and for distribution of one-time passwords (OTPs), passwords and PINs, and seed notifications.

To configure notification settings:

1. Select Manage System > Notification Settings. The Manage Notification Settings page appears.
2. Configure these settings for notification:
   Email Channel
   SMS Channel
   SMS Plug-ins

3. Click Save.

Notification Variables

The following variables can be used in all notifications. These variables are replaced with the corresponding content from the user account. Variables must be surrounded with brackets and preceded with a dollar sign. For example, [$user-mobile].

[$message]
    The notification message that should be sent.
[$user-id]
    The ID of the user.
[$user-display-name]
    The display name of the user.
[$user-mobile]
    The mobile number of the user (processed).
[$user-mobile-raw]
    The mobile number of the user (unprocessed).
[$user-mail-address]
    The mail address of the user.
[$administrator-id]
    The ID of the Administrator.

Configure the Email Channel

You can enable and configure email settings and the address of the sender. You must configure the email channel if you select email notification in any of these areas:
For a user account
In the Global User Account Settings
For an alert

To configure the email channel:

1. Select Manage System > Notification Settings. The Manage Notification Settings page appears.
2. Select the Email Channel tab. The Email Channel page appears.

3. Select the Enable Email Channel check box.
4. In the Host text box, type the IP address or DNS name of the email server that sends the PIN, password, and seed to users. The default is localhost.
5. In the Port text box, type the port number. The default port is
6. In the Sender's Address text box, type the email address that you want to appear in the From field of the notification messages. For example,
7. Click Save.

Configure the SMS Notification Channel

You can add one or more SMS channels. You must define an SMS channel when you enable SMS notification in these places:
For a user account
For user linking
For alerts

You can configure multiple SMS channels. Each channel is handled by an SMS plug-in.

Add an SMS channel

Note
Make sure you save your changes before you select another page in the UI. If you do not save your changes before you go to another page, all your changes are lost.

1. Select Manage System > Notification Settings. The Manage Notification Settings page appears.
2. Select the SMS Channel tab.

3. Click Add SMS Channel. The Add SMS Channel page appears.
4. In the Display Name text box, type a name for this channel.
5. From the Plug-in drop-down list, select the SMS plug-in for the SMS protocol you want to use.
6. Click Next.
7. Configure the settings for the selected SMS channel. The configuration settings are different for each SMS protocol. The number of tabs with SMS settings to configure depends on the plug-in you selected. For information about settings for each of the default SMS plug-ins, see:
   SMTP Channel Settings
   SMPP Channel Settings
   Netsize Channel Settings
   HTTP Channel Settings
   CIMD Channel Settings
8. Click Finish Wizard.
9. Click Save.

To add a plug-in, click the SMS Plug-in tab. For more information, see Manage SMS Plug-ins.

Reorder the Registered SMS Channels list

To change the order in which the channels are used, change the order of the channels in the Registered SMS Channels list.

1. Select the SMS Channel tab.
2. In the Registered SMS Channels list, in the Move column, click Up or Down for the channel you want to move. The channel moves up or down in the list.
3. Click Save.

Edit an SMS channel

1. Select the SMS Channel tab.
2. In the Registered SMS Channels list, click the channel you want to change. The Edit SMS Channel page appears.
3. Update the settings for the SMS channel.
4. Click Finish Wizard.

Delete an SMS channel

1. Select the SMS Channel tab.
2. In the Registered SMS Channels list, click the channel you want to delete. The Edit SMS Channel page appears.
3. Click Delete. A confirmation message appears.
4. Click Yes.
5. Click Save.

SMTP Channel Settings

If you select the SMTP SMS plug-in when you add an SMS channel, you configure the connection, mobile number format, and message settings. For notification variables, see About Notification Settings.

Connection tab

Host Address
    The IP address or DNS name of the SMTP server. Set to localhost by default.
Port
    The port of the SMTP server. Set to 25 by default.

Account
    The service account to use to log into the SMTP service.
Password
    The service account password to use to log into the SMTP service.
Start TLS
    Select this check box to use TLS (Transport Layer Security). This is not enabled by default.
Timeout
    The length of time (in milliseconds) to wait for a response from the SMTP server. Set to by default.
Connection Timeout
    The length of time (in milliseconds) for a socket connection timeout.
Close Socket
    Select the Close Socket check box to close the socket after communication.
Debug Mode
    Select the Debug Mode check box to enable debug mode.

Mobile Number Format tab

Remove
    Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix
    If the prefix of the mobile number is incorrect for the service, you can automatically replace it. In the Replace Prefix text box, type the prefix to replace.
New Prefix
    In the New Prefix text box, type the prefix to use instead of the prefix in the Replace Prefix text box.
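The Notification Variables section above describes how [$...] placeholders are filled from the user account, with [$user-mobile] carrying the processed number and [$user-mobile-raw] the unprocessed one, and the Mobile Number Format tab (the same three settings appear again on the SMPP and Netsize tabs) describes the processing: characters listed in Remove are stripped and Replace Prefix is swapped for New Prefix. The code below is an added example, not WatchGuard code, that carries one OTP notification through both steps. It assumes the two Mobile Number Format settings apply in the order the tab lists them, that a variable name the account has no value for is left as typed, and that substitution is a single pass, so a value inserted for one variable is never itself scanned for further variables. The account, message and channel settings are constructed sample data.

```python
"""Notification variable substitution and Mobile Number Format processing.

Added example, not WatchGuard code. Assumptions (not stated on the page):
Remove is applied before Replace Prefix / New Prefix, unknown variables are
left as typed, and substitution is a single pass over the template.
"""
import re

# A variable is the name in brackets preceded by a dollar sign, e.g. [$user-mobile].
VARIABLE = re.compile(r"\[\$([a-z][a-z0-9-]*)\]")


def format_mobile_number(raw, remove="()+", replace_prefix="", new_prefix=""):
    """Apply the Mobile Number Format tab: drop every character listed in
    Remove, then, if the number starts with Replace Prefix, substitute New Prefix."""
    number = "".join(ch for ch in raw if ch not in remove)
    if replace_prefix and number.startswith(replace_prefix):
        number = new_prefix + number[len(replace_prefix):]
    return number


def notification_values(account, message, administrator_id, mobile_settings):
    """Build the variable table for one notification from the user account."""
    return {
        "message": message,
        "user-id": account["user_id"],
        "user-display-name": account["display_name"],
        "user-mobile": format_mobile_number(account["mobile"], **mobile_settings),
        "user-mobile-raw": account["mobile"],
        "user-mail-address": account["mail_address"],
        "administrator-id": administrator_id,
    }


def render_notification(template, values):
    """Single-pass substitution: each [$name] in the template is replaced once
    with its value, and the inserted value is not re-scanned, so a display name
    or message that itself contains [$...] text cannot pull in other fields.
    Variable names with no value are left exactly as typed."""
    return VARIABLE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


# Constructed sample account and channel settings (not real data).
ACCOUNT = {
    "user_id": "jsmith",
    "display_name": "J. Smith [$message]",   # deliberately contains variable syntax
    "mobile": "+46(0)701234567",
    "mail_address": "jsmith@example.com",
}
MOBILE_SETTINGS = {"remove": "()+", "replace_prefix": "460", "new_prefix": "46"}
OTP_TEMPLATE = ("Hello [$user-display-name], your one-time password is [$message]. "
                "Sent to [$user-mobile] (raw [$user-mobile-raw]) by [$administrator-id]. "
                "[$not-a-variable]")


def example():
    """Render the sample OTP notification for the constructed account."""
    values = notification_values(ACCOUNT, "493201", "admin", MOBILE_SETTINGS)
    return render_notification(OTP_TEMPLATE, values)


if __name__ == "__main__":
    print(example())
```

The display name in the sample contains the text [$message] and survives rendering unexpanded, which is the property to want when user-editable account fields feed a template that also carries a one-time password. Whatever channel carries the rendered text, the message body contains the OTP or PIN in clear, so for the SMTP plug-in that is the reason to select Start TLS rather than leave it at its default.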

Message tab

To
    The email address to put in the To text box.
To Personal
    The friendly name to put in the To text box.
From
    The email address to put in the From text box.
From Personal
    The friendly name to put in the From text box.
Subject
    The content of the Subject text box.
Message Body
    The content of the message body.

SMPP Channel Settings

If you select the SMPP SMS plug-in when you add an SMS channel, you configure the connection, mobile number format, and submission parameter settings. For notification variables, see About Notification Settings.

Connection tab

Host Address
    The IP address or DNS name of the SMPP server. Set to localhost by default.
Port
    The port of the SMPP server. Set to 25 by default.
Timeout
    The length of time (in milliseconds) to wait for a response from the SMPP server. Set to by default.
Keep Alive
    Select this check box to keep the connection alive. This is not selected by default.
System ID
    The service account to use to log into the SMPP service.
Password
    The service account password to use to log into the SMPP service.
System Type
    The SMPP System Type. See your SMPP server documentation for more information.
Interface Version
    The interface version. Set to 52 by default.

Address TON
    See your SMPP server documentation for more information.
Address NPI
    See your SMPP server documentation for more information.
Address Range
    See your SMPP server documentation for more information.

Mobile Number Format tab

Remove
    Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix
    If the prefix of the mobile number is incorrect for the service, you can automatically replace it. In the Replace Prefix text box, type the prefix to replace.
New Prefix
    In the New Prefix text box, type the prefix to use instead of the prefix in the Replace Prefix text box.

Submission Parameters tab

For information about the settings on this tab, see the documentation for your SMPP server.

Netsize Channel Settings

If you select the Netsize SMS plug-in when you add an SMS channel, you configure the general and mobile number format settings. For notification variables, see About Notification Settings.

General tab

Host Address: The IP address or DNS name of the Netsize server.
Port: The port of the Netsize server. Set to 25 by default.
Client: The client account to use to log in to the Netsize service.
Account: The service account to use to log in to the Netsize service.
Password: The password of the service account used to log in to the Netsize service.
Timeout: The length of time (in milliseconds) to wait for a response from the Netsize server. Set to by default.
Message Class: The Message Class for this message. Valid entries are: Default, Immediate Display (Flash), Store on Mobile Phone, Store on SIM, Store on Terminal Equipment. Contact your Netsize vendor for more information about these settings.

Mobile Number Format tab

Remove: Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix: If the prefix of the mobile number is incorrect for the service, you can automatically replace it. In the Replace Prefix text box, type the prefix to replace.
New Prefix: Type the prefix to use instead of the prefix in the Replace Prefix text box.

HTTP Channel Settings

If you select the HTTP SMS plug-in when you add an SMS channel, you configure the general, mobile number format, and response parsing settings. For notification variables, see About Notification Settings.

General tab

URL: The URL or DNS name of the HTTP server. Set to by default.
Account: The service account to use to log in to the HTTP service.
Password: The password of the service account used to log in to the HTTP service.
Use Basic Authentication: Select this check box to use HTTP basic authentication for this HTTP service. Basic authentication sends the account name and password in every request in a reversible encoding, so use an https:// URL for the service.
Post Data: The POST data that must be present in the HTTP POST request.
Follow Redirects: Select this check box to consider redirects when parsing responses.
Use HTTP 1.1: Select this check box to use HTTP version 1.1. This is selected by default.
User Agent: Specify the user agent if the HTTP service requires a specific user agent.
Additional Headers: Specify the content of any additional headers that the HTTP service requires in the request.
Timeout: The length of time (in milliseconds) to wait for a response from the HTTP server. Set to by default.
Connection Timeout: The length of time (in milliseconds) to wait for a connection to the HTTP server. Set to by default.

Mobile Number Format tab

Remove: Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix: If the prefix of the mobile number is incorrect for the service, you can automatically replace it. In the Replace Prefix text box, type the prefix to replace.
New Prefix: Type the prefix to use instead of the prefix in the Replace Prefix text box.

Response Parsing Format tab

Success Response Codes: The HTTP response codes that indicate success. 200, 201, and 202 are selected by default.
Failure Response Codes: The HTTP response codes that indicate failure. 400, 401, and 402 are selected by default.
Success Response Body: Content in the HTTP response body that indicates success.
Failure Response Body: Content in the HTTP response body that indicates failure.
Default State: Select whether the default state is Success or Failure. This is set to Failure by default. Keep it at Failure so that a response that matches neither the code lists nor the body markers is reported as a failed notification instead of being counted as delivered.

CIMD Channel Settings

If you select the CIMD SMS plug-in when you add an SMS channel, you configure the general and mobile number format settings. For notification variables, see About Notification Settings.

General tab

Host Address: The IP address or DNS name of the CIMD server. Set to localhost by default.
Port: The port of the CIMD server. Set to 3000 by default.
Account: The service account to use to log in to the CIMD service.
Password: The password of the service account used to log in to the CIMD service.
Timeout: The length of time (in milliseconds) to wait for a response from the CIMD server. Set to by default.
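The Mobile Number Format tab, which is the same for the SMPP, Netsize, HTTP and CIMD plug-ins, and the HTTP plug-in's Response Parsing Format tab each describe a small decision procedure. The following added example, written for this page and not part of the product, shows both procedures in working code: how Remove, Replace Prefix and New Prefix turn a number as a user typed it into the form a gateway expects, and how the code lists, body markers and Default State turn a gateway's HTTP reply into a success or failure verdict. The function names, the order in which the parsing rules are combined, and the sample numbers and responses are the editor's assumptions; the page does not state how the product orders the rules.

```python
"""SMS channel helpers: mobile number formatting and HTTP response parsing.

This is an added example, not WatchGuard code. It models the settings that
the Mobile Number Format tab (Remove, Replace Prefix, New Prefix) and the HTTP
plug-in's Response Parsing Format tab (Success/Failure Response Codes,
Success/Failure Response Body, Default State) describe. How the product
combines the parsing rules is not stated on the page; the order used here is
an assumption: a failure code wins, then a success code unless the body
carries the failure marker, then the body markers, and finally Default State.
"""
from dataclasses import dataclass
from typing import FrozenSet


def format_mobile_number(number: str, remove: str = "",
                         replace_prefix: str = "", new_prefix: str = "") -> str:
    """Apply the Mobile Number Format tab settings to one mobile number."""
    # Remove: every character listed in the Remove setting is dropped wherever
    # it occurs; all other characters keep their order.
    cleaned = "".join(ch for ch in number if ch not in remove)
    # Replace Prefix / New Prefix: swap the leading characters only when the
    # number actually starts with the prefix to replace.
    if replace_prefix and cleaned.startswith(replace_prefix):
        cleaned = new_prefix + cleaned[len(replace_prefix):]
    return cleaned


@dataclass(frozen=True)
class ResponseParsing:
    """The Response Parsing Format tab, with the defaults from this guide."""
    success_codes: FrozenSet[int] = frozenset({200, 201, 202})
    failure_codes: FrozenSet[int] = frozenset({400, 401, 402})
    success_body: str = ""      # empty means no body marker is configured
    failure_body: str = ""
    default_state: str = "Failure"


def classify_response(status: int, body: str, cfg: ResponseParsing) -> str:
    """Decide whether one gateway response means the SMS was accepted."""
    if status in cfg.failure_codes:
        return "Failure"
    if status in cfg.success_codes:
        # Gateways that answer HTTP 200 with an error text in the body are
        # common, so the failure marker overrides a success code.
        if cfg.failure_body and cfg.failure_body in body:
            return "Failure"
        return "Success"
    if cfg.success_body and cfg.success_body in body:
        return "Success"
    if cfg.failure_body and cfg.failure_body in body:
        return "Failure"
    # Nothing matched: fall back to Default State. Leaving it at Failure means
    # an unexpected response is reported as a failed notification rather than
    # silently counted as delivered.
    return cfg.default_state


if __name__ == "__main__":
    # Constructed sample input, not data from a real gateway.
    print(format_mobile_number("+46 (0)70-123 45 67", remove="()+- ",
                               replace_prefix="460", new_prefix="46"))
    cfg = ResponseParsing(success_body="ID:", failure_body="ERROR")
    print(classify_response(200, "ERROR 101: invalid destination", cfg))
    print(classify_response(503, "", cfg))
```

The number formatter is deliberately literal about the prefix swap: a number that does not start with Replace Prefix is left alone rather than having New Prefix prepended, so a number already in the gateway's format is not doubled up.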

Mobile Number Format tab

Remove: Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix: If the prefix of the mobile number is incorrect for the service, you can automatically replace it. In the Replace Prefix text box, type the prefix to replace.
New Prefix: Type the prefix to use instead of the prefix in the Replace Prefix text box.

Manage SMS Plug-ins

Plug-ins are used to communicate with different SMS vendors. You select a plug-in when you configure an SMS channel. The default plug-ins available are:

SMTP (1.0)
SMPP (1.10)
Netsize (1.0)
HTTP (1.12)
CIMD (1.10)

You can write additional plug-ins for compatibility with other SMS protocols.

To add an SMS plug-in:

1. Select Manage System > Notification Settings. The Manage Notification Settings page appears.

2. Select the SMS Plug-ins tab. A list of installed SMS plug-ins appears.
3. To add a plug-in, click Browse to locate the plug-in file.
4. Click Upload Plug-in. The plug-in is added to the list and is available when you add an SMS channel.
5. Click Save.

To remove an SMS plug-in:

1. Select the Remove check box for the plug-in you want to delete.
2. Click Remove.
3. Click Save.

Manage Client Definitions

You can use client definitions to create Access Rules that enable access to a resource only if the client is of a specified type. By default, the WatchGuard SSL device includes these client definitions:

Internet Explorer 6, 7, 8, 9
Netscape 7, 9
Google Chrome
Opera
Mozilla Firefox
Safari

WAP Phone
Access Client
Microsoft-AirSync
Java
Mac OS
Windows
Unix
Linux
Windows CE
PDA

The WatchGuard SSL device identifies a client based on the content of the HTTP headers. Client definitions define which values the WatchGuard SSL device looks for in the HTTP headers to identify specific clients. Because the client supplies its own request headers, a Client Definition rule restricts which kinds of client are expected to use a resource; it does not prove what the client is, so do not rely on it as the only protection for a sensitive resource. When you create an Access Rule of the type Client Definition, the Available Clients you can select are those you define on the Client Definitions page. After you add a client definition, you can select that client when you create an Access Rule.

To manage client definitions:

1. Select Manage System > Client Definitions. The Manage Client Definitions page appears.
2. Configure client definitions:

Add a client definition.
Edit or delete a client definition.

Add Client Definitions

To add a client definition:

1. Select Manage System > Client Definitions. The Manage Client Definitions page appears.
2. Click Add Client Definition. The Add Client Definition page appears.
3. In the Display Name text box, type a name for this client.
4. In the Definition text box, type the name=value pair that appears in the HTTP header of the client. You can use the * wildcard character in the value. You can include more than one name=value pair. To use an AND operator, add the pairs on the same line, separated by a space. To use an OR operator, add the pairs on the same line, separated by the pipe (|) symbol. To use a NOT operator, add an exclamation mark (!) before the pair.
Note
For examples of correct client definitions, view an existing client definition.
5. Click Save. The client definition you added appears in the Registered Client Definitions list.

Edit or Delete Client Definitions

Edit a client definition

1. Select Manage System > Client Definitions. The Manage Client Definitions page appears.

2. In the Registered Client Definitions list, click the display name of a client. The Edit Client Definition page appears.
3. Edit the Display Name and Definition.
4. Click Save.

Delete a client definition

1. Select Manage System > Client Definitions. The Manage Client Definitions page appears.
2. In the Registered Client Definitions list, click the display name of the client.
3. Click Delete. A confirmation message appears.
4. Click Yes. The client definition is removed from the Registered Client Definitions list.

About Delegated Management

After you configure an External Directory Service, you can use delegated management to create administrative roles with different configuration and monitoring responsibilities. You can then assign each role to one or more users in the registered External Directory Service.

Note
Delegated Management is only available in the Web UI if you have configured an External Directory Service and published the configuration change.

When you create an alert on the Manage Alerts page, you can assign which alerts are sent to the various administrative roles. The users you assign to each of these roles then receive the alert notification messages about alert events. If you plan to use an administrative role for alerts, make sure that the users you assign to that role have email addresses and/or cell phone numbers defined in their user accounts.

By default, the WatchGuard SSL device has two built-in administrative roles:

Help Desk
Super Administrator

For each role, you can assign different administrative privileges. For a description of the privileges you can assign to a role, see About Administrative Privileges.

To add or edit administrative roles:

1. Select Manage System > Delegated Management. The Delegated Management page appears.
2. Add, edit, or delete an administrative role.

About Administrative Privileges

For the administrative roles that you create, you can assign one or more of these privileges to each role.

Help desk administration
Allows users to add, edit, and delete all settings saved for a user account.

User account management
Allows users to get access to all functionality available in the User Management menu.

Resource management
Allows users to add, edit, and delete resources (resource hosts and resource paths) and to manage Application Portal items.

Resource path management
Allows users to add, edit, and delete resource paths for selected resource hosts.

View logs
Allows users to use the Log Viewer to see log files.

Publish
Allows users to publish an updated configuration. Publishing is what makes configuration changes take effect, so grant this privilege only to roles whose other changes you are prepared to have go live without further review.

Privileges for the Default Administrative Roles

You cannot see or edit privileges for the default administrative roles. These roles have privileges permanently assigned. The Super Administrator role has all privileges enabled. The Help Desk role has the Help desk administration privilege enabled.

Manage Administrative Roles

You can add, edit, or delete administrative roles.

Add an Administrative Role

1. Select Manage System > Delegated Management. The Delegated Management page appears.
2. Click Add Role. The Add Role page appears.
3. In the Display Name text box, type a name for this role.
4. (Optional) In the Description text box, type a description of this role.
5. In the Privileges section, select the check box for each privilege to assign to this role:

Help desk administration
User account management
Resource management
Resource path management
View logs
Publish

For more information, see About Administrative Privileges.

6. Click Next.
7. Complete the next pages of the wizard for the privileges you selected.
   Select User Accounts: From the Select User Group drop-down list, select a user group that this role can manage and click Add Group. Repeat to add each user group this role can manage.
   Select Resources: Select a resource in the Available Resources list and click Add. The resource appears in the Selected Resources list.
8. Click Next. The Select Administrators page appears.
9. To assign a user to this role, click Add Administrator.
   a. In the User ID text box, type a full or partial user name to search for. You can use the * wildcard character in your search. For example, type *smith* to find all user IDs that contain "smith". The user names that match your search criteria appear in the Search Result list.
   b. In the Search Result list, select the Assign Role check box for each user you want to assign to this role.
   c. Click Update.
   d. To search for other users to assign to this role, repeat these steps.
10. Click Finish Wizard.

Edit an Administrative Role

1. Select Manage System > Delegated Management. The Delegated Management page appears.
2. In the Registered Roles list, click a role. The Edit Role page appears.

3. Select the General Settings tab to edit these settings:
   Display Name
   Description
   Privileges (cannot be changed for the two default roles): select the check box for each privilege to assign to this role. For more information, see About Administrative Privileges.
4. To edit the user groups this role can manage, select the User Accounts tab.
5. To change the resources this role can manage, select the Resources tab.
6. To change which users are assigned to this role, select the Administrators tab.
7. Click Save.

Delete an Administrative Role

1. Select Manage System > Delegated Management. The Delegated Management page appears.
2. In the Registered Roles list, click a role. The Edit Role page appears.
3. Click Delete. A confirmation message appears.
4. Click Yes. The role is removed from the Registered Roles list.
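The Definition syntax described under Add Client Definitions above (name=value pairs, * as a wildcard, a space for AND, a pipe for OR, a leading ! for NOT) is small enough to implement completely, which is the quickest way to see what a given definition will and will not match. The following added example, written for this page and not taken from the product, evaluates a definition against the headers of a request. Two points the page leaves open are the editor's assumptions: OR binds looser than AND, and a positive pair never matches a header that is absent from the request. The page also does not say how to write a space inside a value, so this grammar cannot express one. The sample requests are constructed, not captured traffic.

```python
"""Evaluate a client definition against the headers of a request.

This is an added example, not WatchGuard code. It implements the Definition
syntax described under Add Client Definitions: name=value pairs, * as a
wildcard in the value, a space between pairs for AND, a pipe (|) for OR and a
leading ! for NOT. Two details are assumptions because the page does not
state them: OR binds looser than AND, so "a b | c" means (a AND b) OR c, and a
positive pair never matches a header that is absent from the request. Because
every header is chosen by the client, a match tells you what the client
claims to be, not what it is.
"""
import re
from typing import Mapping


def _wildcard_to_regex(pattern: str) -> str:
    """Turn a value pattern into a regex in which only * is special."""
    parts = re.split(r"(\*)", pattern)
    return "".join(".*" if part == "*" else re.escape(part) for part in parts)


def _pair_matches(pair: str, headers: Mapping[str, str]) -> bool:
    """Match one name=value pair, honouring a leading ! (NOT)."""
    negate = pair.startswith("!")
    if negate:
        pair = pair[1:]
    name, sep, pattern = pair.partition("=")
    if not sep or not name:
        raise ValueError(f"not a name=value pair: {pair!r}")
    # Header names are case-insensitive; values are compared exactly as sent.
    value = headers.get(name.lower())
    matched = value is not None and re.fullmatch(
        _wildcard_to_regex(pattern), value, flags=re.DOTALL) is not None
    return not matched if negate else matched


def matches(definition: str, headers: Mapping[str, str]) -> bool:
    """Return True when the request headers satisfy the client definition."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for alternative in definition.split("|"):      # pipe: OR
        terms = alternative.split()                # space: AND
        if terms and all(_pair_matches(term, lowered) for term in terms):
            return True
    return False


# Constructed sample requests (header name -> value), not captured traffic.
FIREFOX_DESKTOP = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0"}
FIREFOX_MOBILE = {
    "User-Agent": "Mozilla/5.0 (Android; Mobile; rv:22.0) Gecko/22.0 Firefox/22.0"}
WAP_PHONE = {"User-Agent": "Nokia6230/2.0 (04.43)", "Accept": "text/vnd.wap.wml"}

if __name__ == "__main__":
    rule = "User-Agent=*Firefox* !User-Agent=*Mobile* | Accept=*vnd.wap.wml*"
    for label, hdrs in [("desktop", FIREFOX_DESKTOP),
                        ("mobile", FIREFOX_MOBILE), ("wap", WAP_PHONE)]:
        print(label, matches(rule, hdrs))
```

Only * is treated as a wildcard; every other character in the value, including the dots and slashes common in User-Agent strings, is matched literally, which is why the pattern is built with re.escape rather than handed to the regex engine as written.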

About the Administration Service

The Administration Service includes all the services and settings related to administration of your device. On the Manage Administration Service page you can configure the HTTP and HTTPS ports and the server certificate to use for communication between the WatchGuard SSL Web UI and the client.

Manage Administration Service Settings

1. Select Manage System > Administration Service. The External Communication Settings page appears.
2. Configure these settings for external communication:

Administrator Host
Select which interface to use when you connect to the WatchGuard SSL Web UI to manage the device. If your device is in single interface mode, this is always set to Eth0. If your device is in dual interface mode, you can select Eth0 or Eth1. In dual interface mode, this is set to Eth1 by default. That default keeps the Web UI off Eth0, the interface on which the Application Portal listens by default; keep the management interface on the network your administrators use rather than on the interface that faces portal users.

Administrator HTTP Port
The HTTP port to use when you connect to the WatchGuard SSL Web UI to manage the device. This is set to 80 by default.

Administrator HTTPS Port
The HTTPS port to use when you connect to the WatchGuard SSL Web UI to manage the device. This is set to 8443 by default.

Server Certificate
The server certificate the Administration Service uses in HTTPS communication. You add the server certificate on the Certificates page. For more information, see Add a Server Certificate.

3. Click Save.

From the Manage Administration Service page you can also:

Change the Super Administrator Password
Manage Global Settings
Restart the Administration Service

Change the Super Administrator Password

When you complete the Quick Setup Wizard, you set the Super Administrator password. You can change this password at any time. You can also enable or disable the WatchGuard SSL password policy, which requires that the Super Administrator password meet these standards:

The password must be at least six characters long.
The password must include characters from at least three of these four categories:
o English uppercase characters (A through Z)
o English lowercase characters (a through z)
o Base-10 digits (0 through 9)
o Non-alphanumeric characters (for example, !, $, #, or %)

A six-character minimum is low for the account that holds every privilege on the device; enable the policy, but treat it as a floor and choose a password well above it.

To enable or disable the password policy, or change the password:

1. Select Manage System > Administration Service.
2. Click Change Password. The Super Administrator Password page appears.

3. To enable the password policy, select the Enable password policy check box; to disable it, clear the check box.
4. In the Current Password text box, type the password currently assigned to the Super Administrator.
5. In the New Password and Verify New Password text boxes, type the new password.
6. Click Save.

Manage Global Settings

You can manage the settings for all services from the Administration Service page. We recommend that you do not change these settings unless a WatchGuard technical support representative asks you to change a setting to help troubleshoot a specific problem.

To configure the global settings for the services:

1. Select Manage System > Administration Service. The Manage Administration Service page appears.
2. Click Manage Global Settings. The Manage Global Service Settings page appears.

3. Configure the global settings for the services. For more information about these settings, see the subsequent sections.
4. Click Save.

Communication Settings

To control the communication between the Administration service and the Device service, configure these settings:

Timeout Check Interval
Number of seconds (0-3600) between checks for sessions that have timed out. This is set to 1 second by default.

User Lifetime in Cache
Number of seconds (0-31,536,000) to keep user account information in the cache before the Administration service reloads it from the Internal User Database or External Directory Service. This setting is not related to user activity. This is set to 900 seconds by default. The maximum value is equal to 365 days. Until a cached entry expires, a change made to the account in the directory, such as disabling it, is not seen by the Administration service, so weigh a longer lifetime against how quickly you need such changes to take effect.

Heartbeat Interval
Number of seconds (1-30) between status checks on services on the device. This is set to 10 seconds by default.

Missing Heartbeat Limit
Number of missing heartbeats, or status checks, that are allowed (1-100) before the services reconnect to each other if a service does not respond. This is set to 12 heartbeats by default.

Send cache specification
Select this check box if you want the Administration service to send the cache specification to the Device service that controls the Application Portal. This is selected by default.

Heap Size Settings

To control the amount of memory that the Administration service uses, configure these settings.

Minimum Memory
Default is set to 64 MB.

Maximum Memory
Default is set to 256 MB.

Save Heap Size specification
Select this check box to save the Heap Size specification.

Restart the Administration Service

You can restart the Administration service without interrupting any current client SSL sessions.

To restart the Administration service:

1. Select Manage System > Administration Service. The Manage Administration Service page appears.

2. Click Restart Service. A confirmation message appears.
3. Click Yes. The Administration Service restarts.

Manage Device Settings

You can configure the settings for connections to your Application Portal: available ports, connection timeouts, encryption protocols, session controls, cookie persistence, and client access.

To configure device settings for the Application Portal:

1. Select Manage System > Device Settings. The Manage Device Settings page appears.

2. Select a tab and configure the settings:
   General
   Performance
   Cipher Suite
   Advanced
3. Click Save.

General Settings for the Application Portal

You can configure the basic settings for the Application Portal. These settings control the interfaces, ports, and IP addresses on which the Application Portal is available. By default, the Application Portal listens on one IP address on the Eth0 interface.

1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select the General tab. The General Settings page appears.

3. Configure the General Settings and add additional listeners. For more information about these settings, see the subsequent sections.
4. Click Save.

General Settings

Display Name
The name used to identify this device. This is automatically set to accesspoint. You cannot change this setting.

Application Portal Host
The IP address or DNS name to which all incoming external traffic to the Application Portal is bound. This is automatically set to the IP address configured for Eth0. To change this IP address, you must change the Eth0 IP address on the Network Configuration page.

Application Portal Port
The HTTPS port for incoming traffic to the Application Portal. Set to 443 by default.

Server Certificate
The server certificate that the Application Portal uses for external communication. For HTTPS connections, you must specify a server certificate.

Listen on all interfaces
Select this check box to set the device to listen on all active interfaces. If the device is in dual interface mode, select this check box to make the Application Portal available on both Eth0 and Eth1. In dual interface mode this also makes the portal reachable on Eth1, the interface the Administration Service uses by default, so select it only when you intend to serve portal users on both interfaces.

Manage Additional Listeners

Additional listeners are additional ports or IP addresses on which the Application Portal accepts connections. You can add, edit, and delete additional listeners.

To add a listener:

1. Click Add Additional Listener. The Add Additional Listener page appears.
2. The Host is automatically set to the Eth0 IP address. You cannot change this setting on this page.
3. In the Port text box, type the port number for incoming HTTP or HTTPS traffic. Set to 80 by default.
4. From the Server Certificate drop-down list, select the certificate to use for this listener. For HTTPS connections, you must specify a server certificate.
5. From the Type drop-down list, select the type of listener to add. The default setting is Web. We recommend that you use the default setting.
6. If your device is configured in dual interface mode, select the Listen on all interfaces check box for this listener to listen on both the Eth0 and Eth1 interfaces. If your device is configured in single interface mode, the Listen on all interfaces setting has no effect, because Eth0 is the only active interface in single interface mode.
7. Click Add. The listener appears in the Registered Additional Listeners list.

To edit an additional listener:

1. In the Registered Additional Listeners list, click a listener. The Edit Additional Listener page appears.
2. Update the settings for the additional listener.
3. Click Update.

To delete an additional listener:

1. In the Registered Additional Listeners list, click a listener. The Edit Additional Listener page appears.
2. Click Delete. A confirmation message appears.
3. Click Yes. The Manage Device Settings page appears.
4. Click Save.

Performance Settings

You can change settings that affect the performance of the Application Portal.

1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select the Performance tab. The Performance Settings page appears.

3. Configure the Performance Settings and Data Compression Settings. For more information about these settings, see the subsequent sections.
4. Click Save.

Performance Settings

Performance settings include timeout settings for idle connections. You can also limit the number of TCP connections that the operating system is able to queue, and allow the WatchGuard SSL device to cache SSL sessions for communication with internal servers.

Max Worker Threads
The maximum number of worker threads the device has available. Active worker threads are shown in Monitor System > System Status > Device Status. When the number of client connections exceeds the maximum, some connections may be queued. If this occurs, increase this value. Set to 200 threads by default.

Note
If you run into performance issues with the number of client connections, we recommend that you set the Max Worker Threads value to 1000 and the Max Tunnel Connections value to 5000. You must reboot the device for the new values to take effect.

Connection Timeout
The timeout value for data communications between the Access Client and the SSL device during tunnel and web resource connections. If no data is transferred from the client during this period of time, the connection is closed. For example, when you load a tunnel, the Access Client may display a certificate warning. If you do not confirm the warning within 60 seconds, the tunnel connection times out and you must reload the tunnel. Set to 60 seconds by default.

UDP Tunnel Timeout
This option is used to time out UDP tunnel traffic and close open connections that are not transmitting data. For example, if you send reverse UDP traffic, it uses connections on the Access Client, but those connections do not time out on their own even when you stop the reverse UDP traffic. You can set the value between 30 and 180 seconds. Set to 120 seconds by default.

Garbage Collection Interval
The time, in minutes, between removal of unused session data. Set to 1 minute by default.

Size of Socket Listening Backlog
The number of TCP connections that the operating system is able to keep in the listening socket queue. Set to 25 connections by default.

Max Tunnel Connections
The maximum number of concurrent TCP tunnel connections to SSL device internal servers. Set to 1500 connections by default.

Note
You should increase this value if you have performance issues when too many users are connected. For example, set this value to 5000 and also increase the Max Worker Threads value to 1000. You must reboot the device for the new values to take effect.

Cache internal SSL sessions
When this option is enabled, the SSL device caches the host and port of SSL sessions and tries to resume those sessions when it communicates with internal servers. Enabled by default.

No delay on tunnel connections
Enabled by default. This option sets the TCP no-delay option on tunnel connections, which turns off Nagle's algorithm (the algorithm that reduces the number of packets on the network by holding back small writes until earlier data is acknowledged). With no delay enabled, small writes are sent immediately, which keeps interactive tunnel traffic responsive at the cost of more, smaller packets.

Data Compression Settings

These settings control whether the device compresses the web files it serves.

Compress static Web files
Static files are web files located on the device that do not contain dynamic user variables or server-side includes. Not enabled by default.

Compress dynamic Web files
Dynamic files are web files on the device that contain user variables or server-side includes. Not enabled by default. Compressing dynamic content that is then sent over TLS allows an attacker who can influence part of a response and observe the length of the encrypted reply to recover secrets in that response (the BREACH class of attacks), so leave this option off unless you need it.

File types to compress
The types of files to compress. You can use the wildcard character * to compress all file types. The default setting is text/html, text/xml. This option is mandatory if Compress Static Web Files or Compress Dynamic Web Files is enabled.

Cipher Suite Settings

You can change the Application Portal settings related to encryption. When the client and server negotiate an SSL connection, they agree on a common cipher suite to use for key exchange and encryption. You can select which protocols and cipher suites the Application Portal supports.

1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select the Cipher Suites tab. The Cipher Suites page appears.

3. Configure the Protocols and Cipher Suites settings. For more information about these settings, see the subsequent sections.
4. Click Save.

Protocols

In the Protocols Supported section, select one or more protocols to enable. You can select from these protocols:

TLS v1.0
SSL v3.0
SSL v2.0

TLS v1.0 and SSL v3.0 are enabled by default. SSL v2.0 is prohibited (RFC 6176) and SSL v3.0 is deprecated (RFC 7568) because of protocol-level weaknesses, so clear SSL v3.0 as well and leave only TLS v1.0 enabled, the newest protocol this version offers. Verify the result from outside the device, for example with nmap --script ssl-enum-ciphers -p 443 against the portal address, rather than trusting the UI alone.
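The protocols above and the cipher suite lists in the Cipher Suites section that follows are the complete set of choices on this tab. The following added example, written by the editor for this page and not part of the product, audits a selection by name against current guidance and returns the subset to keep, so that the same rules can be applied to your own selection before you click Save. The rejection rules (SSL v2.0, SSL v3.0, RC4, RC2, DES and 3DES, MD5-based MACs) are the editor's; the default lists are copied from this guide.

```python
"""Audit the protocol and cipher suite selection on the Cipher Suites tab.

This is an added example, not WatchGuard code. It takes protocol and cipher
suite names exactly as the Cipher Suites tab lists them (the defaults below
are copied from this guide) and reports every selection that current guidance
rejects, together with the subset to keep. The rules are the editor's, not the
product's: SSL v2.0 is prohibited by RFC 6176, SSL v3.0 is deprecated by
RFC 7568, RC4 is prohibited by RFC 7465, MD5-based MACs use a hash that is no
longer acceptable, and DES, 3DES and RC2 are 64-bit block ciphers (Sweet32).
"""
from typing import Dict, List, Sequence, Tuple

# Defaults as listed on the Cipher Suites tab of this guide.
DEFAULT_PROTOCOLS = ["TLS v1.0", "SSL v3.0"]
DEFAULT_TLS_SSL3_SUITES = [
    "TLS_RSA_WITH_AES_256_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]
DEFAULT_SSL2_SUITES = [
    "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
    "SSL_CK_RC2_128_CBC_WITH_MD5",
    "SSL_CK_RC4_128_WITH_MD5",
]

PROTOCOL_RULES = {
    "SSL v2.0": "SSL v2.0 is prohibited (RFC 6176)",
    "SSL v3.0": "SSL v3.0 is deprecated (RFC 7568, POODLE)",
}

# Each rule is (substring of the suite name, reason). A suite collects every
# reason that applies, so TLS_RSA_WITH_RC4_128_MD5 gets two of them.
SUITE_RULES = [
    ("SSL_CK_", "SSL v2.0 suite, unusable once SSL v2.0 is disabled"),
    ("RC4", "RC4 is prohibited (RFC 7465)"),
    ("RC2", "RC2 is a legacy 64-bit block cipher"),
    ("DES", "DES/3DES use a 64-bit block (Sweet32)"),
    ("_MD5", "MD5-based MAC"),
]


def audit(protocols: Sequence[str], suites: Sequence[str]
          ) -> Tuple[Dict[str, List[str]], List[str], List[str]]:
    """Return (findings, protocols to keep, suites to keep).

    findings maps each rejected protocol or suite name to its reasons, in the
    order the names were given, so it can be read top to bottom against the UI.
    """
    findings: Dict[str, List[str]] = {}
    keep_protocols: List[str] = []
    for proto in protocols:
        if proto in PROTOCOL_RULES:
            findings[proto] = [PROTOCOL_RULES[proto]]
        else:
            keep_protocols.append(proto)
    keep_suites: List[str] = []
    for suite in suites:
        reasons = [why for needle, why in SUITE_RULES if needle in suite]
        if reasons:
            findings[suite] = reasons
        else:
            keep_suites.append(suite)
    return findings, keep_protocols, keep_suites


def report(protocols: Sequence[str], suites: Sequence[str]) -> str:
    """Human-readable form of audit(), one line per protocol or suite."""
    findings, keep_protocols, keep_suites = audit(protocols, suites)
    lines = [f"REJECT {name}: {'; '.join(why)}" for name, why in findings.items()]
    lines += [f"KEEP   {name}" for name in keep_protocols + keep_suites]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DEFAULT_PROTOCOLS + ["SSL v2.0"],
                 DEFAULT_TLS_SSL3_SUITES + DEFAULT_SSL2_SUITES))
```

Run against the defaults, the audit keeps TLS v1.0 with the two AES suites and rejects everything else. All suites this tab offers use RSA key exchange, so none provides forward secrecy; the audit does not flag that because there is no alternative to choose on this version.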

Cipher Suites

In the TLS v1.0 and SSL v3.0 Cipher Suites section, select which cipher suites to support for these protocols. By default, these cipher suites are supported:

TLS_RSA_WITH_AES_256_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5

In the SSL v2.0 Cipher Suites section, select which cipher suites to support for this protocol. By default, these cipher suites are supported:

SSL_CK_DES_192_EDE3_CBC_WITH_MD5
SSL_CK_RC2_128_CBC_WITH_MD5
SSL_CK_RC4_128_WITH_MD5

Of the default TLS v1.0 and SSL v3.0 suites, only the two AES suites meet current guidance: the RC4 suites are prohibited by RFC 7465, the MD5 suite uses a hash that is no longer acceptable for a MAC, and the 3DES suite uses a 64-bit block cipher. The SSL v2.0 suites only matter if SSL v2.0 is enabled, which it should not be. All listed suites use RSA key exchange, which provides no forward secrecy; this version offers no alternative.

Advanced Settings

You can change advanced settings related to session control, cookie persistence, client access, and bad URIs.

1. Select Manage System > Device Settings. The Manage Device Settings page appears.
2. Select the Advanced tab. The advanced settings appear.

3. Configure the advanced settings. For more information about these settings, see the subsequent sections.
4. Click Save.

Session Control settings

In the Session Control section, you configure client session control with the WAAK (Web access authentication key) option. The WAAK cookie is more secure than an ordinary HTTP session cookie. If you enable WAAK, you can also set the strength of the secure authentication cookie.

Secure Web access authentication key cookie (WAAK)
Select this check box to use the WAAK secure authentication cookie. This is selected by default.

Strength of WAAK
The strength of the WAAK secure authentication cookie, in bits. The default value is 128 bits.

Random Value of WASID
The number of random bits in the Web Access Session ID (WASID). The WASID is a random hexadecimal value generated by the device. The default value is 64 bits.

Bind session to client IP
Select this check box to bind each session to the client source IP address, so that the session is valid only for requests from that address. Because the check is on the source IP address, a session can still move from one computer to another if both use the same source address (for example, behind the same NAT gateway), and a client whose source address changes during a session (for example, a mobile client) loses its session. This is not selected by default.

Allow duplicate user name logon
Select this check box to allow multiple users to connect to the Application Portal at the same time with the same user name. This is selected by default.

Duplicate user name logon reverse action
Select this check box to automatically disconnect a user session if another user connects to the Application Portal with the same user name. This is not selected by default.

Show shutdown message
This is not selected by default.

SSL/TLS Renegotiation
Select this option to disable SSL/TLS renegotiation. This mitigates SSL/TLS renegotiation denial-of-service attacks, but can cause interoperability issues with some types of SSL/TLS connections. Enable SSL/TLS renegotiation again if problems with SSL connections occur.

Cookie Persistence settings

Select this check box to change session cookies to persistent cookies. This setting only applies to resources protected by Abolishment and to Internet Explorer users. When you select this option, Abolishment behavior changes in two ways:

The Abolishment client makes sure all persistent cookies are removed from the client.
When an Abolish access rule is in effect, the WatchGuard SSL device transforms the session cookies into persistent cookies at run time as soon as the client successfully authenticates.

Client Access settings

These settings control communication between the clients and the Application Portal.

Show error on SSL v2 access
Select this check box if you want to include error messages in SSL v2 communication sent to users. This is not selected by default.

Hide server header
Select this check box if you want to hide the server header from the client. This is selected by default.

Default authentication method
Select the default authentication method to use when a user accesses the main page of the Application Portal without the authmech parameter specified.

Bad URIs
In the Bad URIs text box you can edit the locations or files on the device that clients are not allowed to use or view by default. We recommend that you do not remove any of the default items in the Bad URIs list.

Update the Device

You can use the Device Update pages to update, restore, reboot, or set the time for your WatchGuard SSL device.

1. Select Manage System > Device Update. The Update the OS page appears.
2. Configure the device:
   Update the OS
   Configure the System Time and Time Zone

- Restore Factory Default Configuration Settings
- Reinitialize the Local User Database
- Reboot the Device

Update the OS

WatchGuard provides software updates in a file that you can use to update the software on your SSL device. We recommend that you export your configuration to create a backup before you update the OS on your device. For more information about how to export your configuration, see Import or Export the Configuration.

To update the OS for your device:
1. Select Manage System > Device Update. The Update OS page appears.
2. In the Update the OS section, click Browse to locate the software update file.
3. Click Update. The OS is updated and the device reboots. This can take several minutes.
4. After the device update is complete, log on to WatchGuard SSL Web UI again. The System Status page appears.

Configure the System Time and Time Zone

The system date and time is primarily used in log file messages. You can manually set the system time, or you can enable NTP so the device automatically gets time updates from an NTP server. You can also configure the time zone for your device.

To configure the system time settings:
1. Select Manage System > Device Update. The Update OS page appears.
2. Click System time settings. The System Time Setting page appears.

3. Select Enable NTP and configure the NTP server. Or, set the system Date and Time.
4. Click Save.

To configure the time zone:
1. Select Manage System > Device Update. The Update OS page appears.
2. Click Time zone setting. The Time zone setting page appears.

3. From the Time Zone drop-down list, select the time zone.
4. Click Save.

Restore Factory Default Configuration Settings

You can reset your WatchGuard SSL device to its factory default settings. After you reset your device, you can use the Quick Setup Wizard to build your configuration again. When you restore the factory default settings, the software version does not change, but any configuration changes you made are removed.

To restore the factory default settings:
1. Select Manage System > Device Update. The Update the OS page appears.
2. Click Restore factory defaults. The Restore factory defaults page appears.
3. Click Yes. The device reboots and the default configuration is restored. After the reboot, the default IP address of the Eth1 interface is

Reinitialize the Local User Database

If the data in the Local User Database for your WatchGuard SSL device is corrupted, you can either restore the factory default settings for your device, or you can reinitialize the Local User Database. If you choose to restore the factory default settings, all of your network and configuration settings are lost along with the database configuration. You must run the Quick Setup Wizard to configure your WatchGuard SSL device again. If you choose to reinitialize your Local User Database, only the data in your Local User Database tables is cleared. All of your network settings are kept. You can then restore a previous configuration to recover your Local User Database information.

To reinitialize your Local User Database:
1. Select Manage System > Device Update. The Update the OS page appears.
2. Click Reinitialize Local User Database. The Reinitialize Local User Database page appears.

3. Click Yes. The data in the tables of your Local User Database is cleared and the WatchGuard SSL device reboots.

To restore a previous configuration and recover the data in your Local User Database, see Restore a Saved Configuration.

Reboot the Device

You can reboot your WatchGuard SSL device from WatchGuard SSL Web UI.

To reboot the system:
1. Select Manage System > Device Update. The Update the OS page appears.
2. Click Reboot. The Reboot page appears.
3. Click Yes. The device reboots. This can take a few minutes to complete.
4. Log in to WatchGuard SSL Web UI again.

Network Configuration

Configure the Network Type

You can select the network type and specify network address information for your WatchGuard SSL network. This is the same network information that you configured in the Quick Setup Wizard.
1. Select Manage System > Network Configuration. The Network Configuration page appears.

2. Select a Network Type. If you select Single Interface Mode, only Eth0 is active. If you select Dual Interface Mode, both Eth0 and Eth1 are active.

3. Configure the network settings for the selected network type. For more information, see the subsequent sections.

Network Types

You can configure the WatchGuard SSL device in one of two configuration modes:

Single Interface Mode (default)
Select this mode if you want to connect the WatchGuard SSL device to one network. In single interface mode, only the Eth0 interface is active. The One Interface Architecture diagram illustrates one configuration of Single Interface Mode.

Dual Interface Mode
Select this mode if you want to connect the WatchGuard SSL device to two networks. In dual interface mode, both the Eth0 and Eth1 interfaces are active. The Two Interface Architecture diagram illustrates one configuration of Dual Interface Mode.

These network diagrams illustrate the two network configuration modes:

Configure network settings for Eth0

1. In the IP Address text box, type the IP address you want to use for Eth0.
2. In the Subnet Mask text box, type the subnet mask. For example,
3. In the Default Gateway text box, type the IP address of the default gateway on the Eth0 network.
4. In the Primary DNS text box, type the IP address of the primary DNS server on the Eth0 network.
5. (Optional) In the Secondary DNS text box, type the name of a secondary DNS server.
6. In the Hostname text box, type the domain name or publicly resolvable IP address for this SSL device. This is the hostname used by clients to connect to the SSL device access point.
7. (Optional) In the DNS Search Order text box, type the domain names to include in DNS name searches. The order in which you type the names specifies the search order. When you add more than one domain name, separate each name with only a space. Do not add other punctuation or separation marks. The search list is limited to six domains and a total of 256 characters.
8. Click Next. The Manage Global Tunnel Resource Settings page appears.

Configure network settings for Eth1

If you select Dual Interface Mode, you can also configure the network settings for the Eth1 interface.
1. In the IP Address text box, type the IP address you want to use for Eth1.
2. In the Subnet Mask text box, type the subnet mask. For example,
3. Click Next. The Manage Global Tunnel Resource Settings page appears.
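The Eth0 and Eth1 settings above, and the static routes described later under Configure Network Routes, are easy to get wrong in ways the wizard does not catch until clients cannot connect: a default gateway outside the interface subnet, a route gateway that sits on no interface network, or a DNS Search Order field with commas or more than six domains. The following script is an added example and is not WatchGuard code; it checks these values before you type them into the wizard. The sample addresses are constructed from documentation ranges and the limits for the DNS Search Order field are the ones stated in this guide.

```python
"""Added example, not WatchGuard code: sanity-check Eth0/Eth1 settings, the DNS
Search Order field and static routes before entering them in the Network
Configuration wizard. Sample values are constructed (RFC 5737 ranges)."""
import ipaddress
import re

MAX_SEARCH_DOMAINS = 6   # limit stated in the guide for DNS Search Order
MAX_SEARCH_CHARS = 256   # limit stated in the guide for DNS Search Order
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_interface(ip, mask, gateway=None):
    """Return a list of problems with one interface's settings (empty means OK).

    The default gateway must lie inside the interface's own subnet, otherwise
    the device has no way to reach it; that is the mistake this check targets."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gateway is not None:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            return problems + [f"invalid gateway {gateway!r}"]
        if gw == iface.ip:
            problems.append("gateway equals the interface address")
        elif gw not in net:
            problems.append(f"gateway {gw} is not inside {net}")
    return problems


def check_search_order(search_order):
    """Validate the DNS Search Order field: domain names separated by exactly one
    space (no commas or other punctuation), at most six domains, at most 256
    characters in total."""
    problems = []
    if len(search_order) > MAX_SEARCH_CHARS:
        problems.append(f"search list is {len(search_order)} characters, limit is {MAX_SEARCH_CHARS}")
    if search_order != search_order.strip() or "  " in search_order:
        problems.append("names must be separated by exactly one space")
    names = search_order.split()
    if len(names) > MAX_SEARCH_DOMAINS:
        problems.append(f"{len(names)} domains listed, limit is {MAX_SEARCH_DOMAINS}")
    for name in names:
        if not all(_LABEL_RE.match(label) for label in name.split(".")):
            problems.append(f"{name!r} is not a plain domain name (punctuation or separator?)")
    return problems


def check_route(destination, mask, gateway, interface_settings):
    """A static route's gateway must be directly reachable, i.e. inside one of the
    device's own interface subnets. interface_settings holds the 'ip/mask' strings
    typed for Eth0 (and Eth1 in dual interface mode)."""
    try:
        ipaddress.IPv4Network(f"{destination}/{mask}", strict=False)
        gw = ipaddress.IPv4Address(gateway)
        nets = [ipaddress.IPv4Interface(s).network for s in interface_settings]
    except ValueError as exc:
        return [f"invalid route or interface setting: {exc}"]
    if not any(gw in net for net in nets):
        return [f"route gateway {gw} is not on any interface network"]
    return []


if __name__ == "__main__":
    # Constructed values, not from any real deployment.
    eth0 = "192.0.2.10/255.255.255.0"
    eth1 = "198.51.100.10/255.255.255.0"
    print(check_interface("192.0.2.10", "255.255.255.0", "192.0.2.1"))
    print(check_interface("192.0.2.10", "255.255.255.0", "198.51.100.1"))
    print(check_search_order("corp.example.com example.com"))
    print(check_route("203.0.113.0", "255.255.255.0", "198.51.100.1", [eth0, eth1]))
```

Each function returns a list of problems rather than raising, so all findings for a form can be shown at once. The route check deliberately only tests gateway reachability; a route whose destination overlaps an interface subnet can be legitimate, so it is not flagged.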

Manage Global Tunnel Resource Settings

On the Manage Global Tunnel Resource Settings page, you can configure connection settings for the WatchGuard SSL Access Client that apply to all your tunnel resources. Settings include the Client IP address provider, DNS server, and WINS server information.
1. Configure the settings for your tunnel resources.

Provide IP Address
You can choose to use an existing external DHCP server to assign IP addresses to Access Clients from the network, or to use IP addresses from the IP Address Pool for the Access Clients. Select an option:
- Use DHCP Server
- Use IP Address Pool
To disable this feature, select None. If you configure resources with the Provide an IP Address option, you must specify a DHCP server or an IP address pool.

Note
The DHCP server or address pool must be from a network that is physically accessible by the SSL device so that the client addresses are from the same network.

DNS Server
Specify the IP address or DNS name of the DNS server used for DNS forwarding. When you enable DNS forwarding for a tunnel resource, the client's DNS server is temporarily redirected to the DNS Server you specify. Local lookups take precedence, and can override any external DNS. The Require Authentication for DNS Forwarder check box is selected by default. We recommend that you do not change the default setting unless you add tunnel resources that you make available to all users in your Application Portal. For more information about how to make a tunnel resource available to all users, see the Advanced Settings section of the topic, About Resource Settings on page 128.

WINS Server
Specify the IP address or name of the WINS server used for WINS forwarding. When you enable WINS forwarding for a tunnel resource, the client's WINS server is temporarily redirected to the WINS server you specify. Local lookups take precedence, and can override any external WINS. The Require Authentication for WINS Forwarder check box is selected by default. We recommend that you do not change the default setting unless you add tunnel resources that you make available to all users in your Application Portal. For more information about how to make a tunnel resource available to all users, see the Advanced Settings section of the topic, About Resource Settings on page
2. Click Next. The Manage Administration Service page appears.

Configure Administration Service External Communication Settings

On the Manage Administration Service page, you configure settings for communication between the WatchGuard SSL Web UI and the client.

1. Configure these settings for external communication:

Administrator Host
Select which interface to use when you connect to the WatchGuard SSL Web UI to manage the device. If your device is in single interface mode, this is always set to Eth0. If your device is in dual interface mode, you can select Eth0 or Eth1. In dual interface mode, this is set to Eth1 by default.

Administrator HTTP Port
The HTTP port to use when you connect to the WatchGuard SSL Web UI to manage the device. This is set to 80 by default.

Administrator HTTPS Port
The HTTPS port to use when you connect to the WatchGuard SSL Web UI to manage the device. This is set to 8443 by default.

Server Certificate
The server certificate the Administration Service uses in HTTPS communication. You add the server certificate on the Certificates page. For more information, see Add a Server Certificate.

2. Click Next. The Network Completed page appears.

Confirm Network Configuration Settings

After you specify all the network settings, the Network Completed page shows a summary of your selected configuration settings.

Click Confirm to confirm these settings. The network configuration settings are saved.

Configure Network Routes

You can add a static route to each computer that you want the WatchGuard SSL device to send traffic to. This is particularly important if you configure your WatchGuard SSL device in Dual Interface mode, because resources could be on a different network than the client. If you do not define a default route, packets are routed based on the default gateway for the device. After you create a route, you cannot edit it. If you want to change a route, you must delete the route you want to change and add a new route.

To add a network route:
1. Select Manage System > Network Configuration. The Network Configuration page appears.
2. Click Route Configuration. The Route Configuration page appears with a list of all the current network routes.

3. To add a route, click Add New Route. The Add Route page appears.
4. In the Destination IP Address text box, type the IP address for this route.
5. In the Subnet Mask text box, type the subnet mask for this route. For example,
6. In the Gateway text box, type the IP address of the gateway.
7. Click Save. The network route you added appears in the table on the Route Configuration page.

To delete a network route:
1. On the Route Configuration page, select the Delete check box for each network route you want to delete.
2. Click Delete. The route is deleted.

Restore a Saved Configuration

Each time you publish a configuration update to the device, a copy of that configuration is saved on the device. You can set the maximum number of configurations to save and restore saved configurations. With WatchGuard SSL Web UI, you can:
- Restore the most recent configuration (remove all unpublished changes)
- Restore an older saved configuration
- Add a description of the changes in a saved configuration
- Delete a saved configuration
- Lock and unlock a saved configuration
- Manage Saved Configuration Settings

Restore the Current Configuration

To remove any unpublished changes to your configuration, you can restore the current configuration.
1. Select Manage System > Restore Configuration. The Restore Configuration page appears.
2. In the current published configuration section, click Restore. The current published configuration is restored and the System Status page appears.

Restore a Saved Configuration

To revert to a previous configuration, you can restore a configuration saved on your device.

1. Select Manage System > Restore Configuration. The Restore Configuration page appears.
2. In the saved configurations section, in the Restore column, click Restore for the configuration you want to restore. The saved configuration is restored and the System Status page appears.

Add a Description to a Saved Configuration

To help you identify a saved configuration, you can add a description to it.
1. Select Manage System > Restore Configuration. The Restore Configuration page appears.
2. In the Descriptions column, click Add description for the configuration you want to describe. The Add/Modify Description page appears.
3. In the Description text box, type the description of this saved configuration.
4. Click Save. The description appears in the Description column for the configuration you selected.

Delete a Saved Configuration

To make space for a new configuration file, you can delete a saved configuration.
1. Select Manage System > Restore Configuration. The Restore Configuration page appears.
2. In the saved configurations section, select the check box for each saved configuration to delete.
3. Click Delete. The selected configurations are deleted.

Lock or Unlock a Saved Configuration

Each time you publish a change to your SSL device configuration, a backup copy of your previous configuration is automatically created. On the Manage Saved Configuration Settings page, you can set the maximum number of saved configuration files you want to store. If you have a configuration file that you want to make sure is not deleted when you exceed this maximum number, you can lock that configuration file. When you lock a saved configuration file, it cannot be automatically deleted. You must always have at least one configuration file that is not locked to make sure your maximum number of saved files is not exceeded.
1. Select Manage System > Restore Configuration. The Restore Configuration page appears.
2. Below the saved configurations section, select the check box for each saved configuration file you want to lock or unlock.
3. Click Lock/Unlock. The selected configurations are locked or unlocked.

Manage Saved Configuration Settings

You can set the maximum number of configurations to save on your device. When the number of saved configurations reaches the selected limit, the next time a configuration is saved, the system deletes the oldest saved configuration and saves the new one. You can also set the number of configurations to appear on a page.
1. Select Manage System > Restore Configuration. The Restore Configuration page appears.
2. Click Manage Settings. The Manage Published Configurations page appears.
3. In the Maximum Saved text box, set the maximum number of published configurations you want to keep.
4. In the Configurations per Page text box, set the number of configuration files to appear on each page.
5. Click Save.
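The interaction between Maximum Saved, locked files and the "at least one unlocked file" requirement is worth working through before you lock a known-good configuration. The model below is an added example and is not the device's own logic: it applies the rules as the two sections above state them (the oldest unlocked copy is evicted when the limit is reached, a locked copy is never auto-deleted, and the last unlocked copy cannot be locked) and refuses a publish that would otherwise have to drop the new copy itself.

```python
"""Added example, not WatchGuard code: a model of the saved-configuration
retention rules (maximum count, locked files never auto-deleted, at least one
unlocked file required) for reasoning about what gets kept."""
from dataclasses import dataclass


@dataclass
class SavedConfig:
    name: str
    locked: bool = False


class RetentionError(Exception):
    """Raised when a publish or lock would violate the retention rules."""


def publish(saved, new_name, max_saved):
    """Return the list after a publish: the new configuration is appended, then
    the oldest unlocked earlier copies are evicted until the list fits max_saved.
    If every earlier copy is locked, nothing may be evicted; the publish is
    refused rather than silently discarding the copy just made."""
    if max_saved < 1:
        raise ValueError("max_saved must be at least 1")
    result = list(saved) + [SavedConfig(new_name)]
    while len(result) > max_saved:
        earlier = result[:-1]
        victim = next((c for c in earlier if not c.locked), None)
        if victim is None:
            raise RetentionError(
                f"all {len(earlier)} saved configurations are locked; unlock one first")
        result.remove(victim)
    return result


def lock(saved, name):
    """Lock one saved configuration, refusing to lock the last unlocked one
    because the guide requires at least one unlocked file at all times."""
    target = next(c for c in saved if c.name == name)
    unlocked = [c for c in saved if not c.locked]
    if not target.locked and len(unlocked) == 1:
        raise RetentionError("cannot lock the only unlocked configuration")
    target.locked = True
    return saved


def names(saved):
    """Names in storage order, oldest first."""
    return [c.name for c in saved]


if __name__ == "__main__":
    # Constructed walk-through with Maximum Saved = 2.
    store = []
    for version in ("v1", "v2", "v3"):
        store = publish(store, version, 2)
    print(names(store))          # ['v2', 'v3']
    lock(store, "v2")
    store = publish(store, "v4", 2)
    print(names(store))          # ['v2', 'v4']: v3 evicted, locked v2 kept
```

The walk-through shows the practical consequence: with Maximum Saved set low and one copy locked, every publish evicts the previous unlocked copy immediately, so the lock protects the pinned baseline but leaves no rollback history between it and the current configuration.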

Import or Export the Configuration

You can export the configuration data from your WatchGuard SSL device to a configuration file that you save in an external location. You can also import configuration data from a saved configuration file to your device. If you have a WatchGuard SSL v2.x device, you can also export the configuration from your WatchGuard SSL v2.x device. To export from a WatchGuard SSL v2.x system, you must connect to the v3.x Web UI from the computer that runs the v2.x Administration Service. You can import a saved v3.x or v2.x configuration file to your WatchGuard SSL v3.x device.

To export a configuration:
1. Select Manage System > Import/Export Configuration. The Configuration Import/Export page appears.
2. Click Export 3.x Configuration or Export 2.x Configuration. The Download Exported Configuration File page appears.
3. Click the Download link. The configuration files are exported to a zip file.
4. Select Save File.

5. Click OK.
6. Save the file in a location where you can get access to import it later.
7. Click Save.

To import a configuration:
1. Select Manage System > Import/Export Configuration. The Configuration Import/Export page appears.
2. In the Import Configuration section, click Browse to select a configuration file to import.
3. Click Import Configuration. The configuration is imported and your WatchGuard SSL device reboots. This can take several minutes.
4. After the device reboots, log in to WatchGuard SSL Web UI again.

Configure Active Directory Authentication on your SSL Device

You can use your existing Active Directory (AD) server to authenticate users to your WatchGuard SSL Application Portal. Before you configure your SSL device, you must first make sure that LDAP over SSL (also known as LDAPS or LDAP over TLS) is enabled on your Active Directory server. This service is not enabled by default, regardless of whether you have certificate services installed on your Active Directory server.

To enable LDAP over SSL, you can use one of two methods:
- Instructions from Microsoft:
- Instructions in the subsequent section, which use the certificate services web enrollment form instead of command line tools.
We recommend that you do not use both sets of instructions. If you choose to use both procedures, the process can be complicated and prone to failure.

For the subsequent procedure, Active Directory is installed on a Windows Server 2003 computer; the server name is 2003ADsrv, and the domain name is ADexample.com.

Before You Begin

Make sure your server has these applications and tools configured, with the services started:

ldp.exe
Microsoft Support Tool Utility (for LDAP configuration). This tool is used to connect to Active Directory and verify that the LDAPS protocol is running correctly.

Internet Information Services (IIS)
IIS must be installed and the service must be started.

Certificate Services
Certificate Services must be installed and started on the AD server. This component is not installed by default, but is a common component that is frequently added to many AD servers.

After you have verified the correct applications and tools are configured, you export the CA certificate from your Windows Certificate Server.

Verify the Status of IIS

IIS must be installed and started correctly before you enable LDAP over SSL. If it is not, when you run the certsrv command in the process to enable LDAP over SSL, you receive a 404 error message.
1. Select Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.
2. Expand your server entry in the list.
3. Select Web Sites.
4. For Default Web Site, verify the State is Running.

Install Certificate Services on Your AD Server

If Certificate Services is already installed on your AD server, you can continue to the next procedure. Make sure that both the Certificate Services CA and Certificate Services Web Enrollment Support options are enabled. When you enable Certificate Services, you can select to use either an Enterprise root CA or a Stand-alone root CA. We recommend you choose a Stand-alone root CA, which is simpler to use and acceptable for most use cases.

From your Windows 2003 AD Server computer:
1. Select Start > Control Panel > Add or Remove Programs. The Add or Remove Programs dialog box appears.
2. Select Add/Remove Windows Components. The Windows Components Wizard dialog box appears.
3. In the Components list, select the Certificate Services check box. A notification message appears.
4. Click Yes and continue.
5. Click Details. The Certificate Services dialog box appears.
6. Select the Certificate Services CA and Certificate Services Web Enrollment Support check boxes.
7. Click OK. The Certificate Services dialog box closes and the Windows Components Wizard dialog box appears.

8. Click Next. The CA Type page appears.
9. Select Stand-alone root CA. Click Next.
10. Complete the wizard and finish the Certificate Services installation.

Export the CA Certificate from Your Windows Certificate Server

From your Windows 2003 AD Server computer:
1. Select Start > Programs > Administrative Tools > Certification Authority. The Certification Authority dialog box appears.
2. Right-click the name of your Certificate Authority. Select Properties.
3. On the General tab, click View Certificate. The Certificate dialog box appears.
4. Select the Details tab.
5. Click Copy to file. The Certificate Export Wizard appears.
6. Click Next. The Export File Format page appears.
7. Select the Base-64 encoded X.509 (CER) file format. The File to Export page appears.
8. To save the certificate file to the default location, in the File Name text box, type a name for the certificate. To select a different location to save the file, click Browse. Select the location and type a file name for the certificate. For example, cacert.cer.
9. Click Next. The Completing the Certificate Export Wizard page appears.
10. Review the certificate information. Click Finish.

Enable your AD Server for LDAP over SSL

To enable your AD server to use LDAP over SSL, you request the certificate from the Certificate Authority and use the Certificate Services Web UI to import it.

Request a Certificate from the CA

From your Windows 2003 AD Server computer:
1. Open Internet Explorer and go to Replace <servername> in the web address with the host name or IP address of your AD server. For this example, type If a certificate warning appears, add the URL to the list of trusted sites in Internet Explorer. Select Tools > Internet Options. Select the Security tab. Add the exception.
2. Click Request a Certificate. The Request a Certificate page appears.
3. Click Submit an advanced certificate request. The Advanced Certificate Request page appears.

4. Click Create and submit a request to this CA.
5. In the Name text box, type the fully qualified domain name of your server. Make sure the name is correct and in the FQDN format. For this example, type 2003ADsrv.ADexample.com.
6. In the Type of Certificate Needed drop-down list, select Server Authentication Certificate.
7. Configure Key Options:
   a. Select Create new key set.
   b. From the CSP drop-down list, select Microsoft RSA SChannel Cryptographic Provider.
   c. Set the Key Usage to Exchange.
   d. In the Key Size text box, type
   e. Select Automatic key container name.
   f. Select the Mark keys as exportable check box.
   g. Make sure the Enable strong private key protection check box is not selected.
   h. Select the Store certificate in the local computer certificate store check box.
8. Configure Additional Options:
   a. Set the Request format to PKCS10.
   b. From the Hash Algorithm drop-down list, select SHA-1.
   c. Clear the Save request to a file check box. If you select this check box, you must manually submit the request and manually import the certificate to your server. When you do not select this option, the request is submitted automatically and the certificate is automatically imported to your server.
9. Click Submit. The certificate request is submitted.

Issue the Certificate

After you have requested the certificate from the CA, you must issue the certificate before you can import it.

From your Windows 2003 AD Server computer:
1. Select Start > Programs > Administrative Tools > Certification Authority.
2. Expand the Certification Authority list.
3. Select the Pending Requests folder.
4. Select the pending request for the certificate you want to issue.
5. Right-click the request and select All tasks > Issue. The CA issues the certificate.

Import the Certificate

After you have requested the certificate from the CA, you can import it to the server certificate store. These instructions use the Internet Explorer web browser. If you use a different web browser, the instructions might be different.

From your Windows 2003 AD Server computer:
1. Open Internet Explorer and go to Replace <servername> in the web address with the host name of your AD server. For this example, type
2. Click View the status of a pending certificate request. The View the Status of a Pending Certificate Request page appears.

3. Select the certificate you want to import.
4. Follow the instructions to import the certificate.
5. Reboot your Windows 2003 AD Server computer.

Test the LDAP over TLS Connection

To test if LDAP over TLS works correctly, use the ldp.exe tool.
1. Open a command prompt and type ldp. The LDP application appears.
2. Select Connection > Connect. The Connect dialog box appears.
3. In the Server text box, type the name of your AD server. For this example, type 2003ADsrv.
4. In the Port text box, type
5. Select the SSL check box.
6. Click OK. A list of attributes appears, which indicates a successful connection. Some errors can also appear, but they are not fatal errors and do not indicate a problem with the connection. If a connection error appears, there is an incorrect setting in the configuration. Review your configuration with the steps in the previous procedure to correct any errors.
For the Active Directory authentication method to work correctly, LDAP over SSL must also work correctly.

Verify the HTTP SSL Properties

The last step to configure LDAP over TLS for your AD server is to make sure the HTTP SSL service is running correctly.

From your Windows 2003 AD Server computer:
1. Select Start > Administrative Tools > Services. The Services tool appears.
2. In the Services list, find the HTTP SSL service.
3. Right-click HTTP SSL and select Properties. The HTTP SSL Properties dialog box appears.
4. Make sure the General tab is selected.
5. From the Startup type drop-down list, select Automatic. This makes sure the HTTP SSL service starts automatically when the server is rebooted.
6. Click OK.

Configure Active Directory Authentication on your SSL device

Now that you have issued the certificate from your CA, enabled LDAP over SSL on your AD Server, and exported the CA certificate, you can add the CA certificate to your SSL device and configure your SSL device to use Active Directory Authentication.
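The ldp.exe test above tells you that the server accepts a TLS connection on the LDAPS port. Before the SSL device is pointed at the server, it is also worth confirming the two things the device's own CA check depends on: that the server certificate chains to the CA certificate you exported (cacert.cer in the example), and that it names the server's FQDN, since the request in step 5 was made for 2003ADsrv.ADexample.com, not the short name. The following script is an added example, not WatchGuard or Microsoft code; it performs that check with the Python standard library. The port 636 default is the standard LDAPS port and is an assumption of this example, the host name is the guide's example value, and SAMPLE_CERT is a constructed stand-in for what a live connection returns.

```python
"""Added example, not WatchGuard or Microsoft code: check LDAP over SSL on the
AD server from a script (the test ldp.exe performs), and verify that the server
certificate chains to the exported CA file and names the server's FQDN."""
import socket
import ssl

LDAPS_PORT = 636  # standard LDAPS port; an assumption of this example


def cert_dns_names(cert):
    """Names asserted by a certificate dict as returned by SSLSocket.getpeercert():
    subjectAltName DNS entries first, then the subject commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def name_matches(cert, host):
    """True if host equals one of the certificate's names (case-insensitive,
    trailing dot ignored). Wildcards are deliberately not honoured: the guide
    requests a certificate for the exact FQDN, so anything else is a mistake
    in the request."""
    wanted = host.lower().rstrip(".")
    return any(n.lower().rstrip(".") == wanted for n in cert_dns_names(cert))


def verify_ldaps(host, cafile, port=LDAPS_PORT, timeout=5.0):
    """Open a TLS session to host:port, validate the chain against cafile and
    return the peer certificate dict. Raises ssl.SSLError if the chain does not
    validate against cafile, ssl.CertificateError if the name does not match."""
    ctx = ssl.create_default_context(cafile=cafile)   # verify_mode stays CERT_REQUIRED
    ctx.check_hostname = False  # name check is done below so the error can list the cert's names
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    if not name_matches(cert, host):
        raise ssl.CertificateError(
            f"certificate names {cert_dns_names(cert)} do not include {host!r}")
    return cert


# Constructed sample of what getpeercert() returns for the guide's example server.
SAMPLE_CERT = {
    "subject": ((("commonName", "2003ADsrv.ADexample.com"),),),
    "subjectAltName": (("DNS", "2003ADsrv.ADexample.com"),),
}

if __name__ == "__main__":
    print(cert_dns_names(SAMPLE_CERT))
    print(name_matches(SAMPLE_CERT, "2003adsrv.adexample.com"))  # True
    print(name_matches(SAMPLE_CERT, "2003ADsrv"))                # False: short name, as typed in ldp
    # Live check against your server (placeholder CA path):
    # verify_ldaps("2003ADsrv.ADexample.com", "cacert.cer")
```

Keep verify_mode at its CERT_REQUIRED default: a script that sets it to CERT_NONE would report success against any certificate, which is not what the SSL device will do once the CA is registered on it. The short-name result matters in practice: ldp.exe connects by the name 2003ADsrv, but the SSL device should be configured with the FQDN the certificate was issued for, otherwise a client that validates names will reject the server.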

Add a Certificate Authority to Your SSL Device

If you did not import the CA certificate when you ran the Setup Wizard, you must import it to configure Active Directory Authentication.
1. Connect to WatchGuard SSL Web UI for your device.
2. Select Manage System > Certificates. The Manage Certificates page appears.
3. In the Certificate Authorities section, click Add Certificate Authority. The Add Certificate Authority page appears.
4. Make sure the Enable Certificate Authority check box is selected.
5. In the Display Name text box, type a name for the CA certificate. This is the name that appears on the Manage Certificates page in the Registered Certificate Authorities list.
6. Click Browse and select the CA certificate.
7. In the Revocation Control section, select No certificate revocation checking should be performed.
8. Click Finish Wizard. The certificate name appears in the Registered Certificate Authorities list.

Enable SSL for Active Directory Authentication Services

After you add the CA certificate to your device, you add the Active Directory Authentication Method to your configuration to make a connection between your SSL device and your AD server.
1. Select Manage System > Authentication. The Registered Authentication Methods page appears.
2. Click Add Authentication Method. The Add Authentication Method page appears.

3. Select Active Directory. Click Next.
4. Make sure the Enable authentication method check box is selected.
5. In the Display Name text box, type a name for this Active Directory Authentication method. This is the name that appears in the Registered Authentication Methods list.
6. To select a different template for this method, in the Template Name text box, type the name of the template you want to use. We recommend you use the default template.
7. To select the AD server to use for authentication, click Add Authentication Method Server. The Add Authentication Method Server page appears.
8. In the Host text box, type the IP address or DNS name of your AD server.
9. To use a port other than the default port, in the Port text box, type a new value. We recommend you keep the default value,
10. To use a timeout value other than the default setting, in the Timeout text box, type a new value. This is the amount of time the client waits for a response from the AD server before it tries to connect with another authentication method.
11. In the Account text box, type the user name for the administrator of the AD server. This can be a Distinguished Name or Principal Name. Make sure you use the correct user name form. For example:
   username@my.example.com
   my.example\username

   CN=username,OU=my,OU=example,OU=com
12. In the Password text box, type the password for the administrator of the AD server.
13. In the Root DN text box, type the Root DN information for the AD server where user accounts are stored. Make sure you use the correct Root DN form. For example, dc=exampleadserver,dc=com
14. Click Next. The Authentication Method Server appears in the Registered Authentication Method Servers list.
15. Click Next. The Extended Properties page appears with a default list of Registered Extended Properties. Extended properties are actions that occur when your users authenticate with this method.
16. Make any changes to the Registered Extended Properties list for this authentication method.
17. Click Finish Wizard. The Active Directory Authentication method appears in the Registered Authentication Methods list.

Verify your SSL Device is Connected to Your AD Server

Before you can verify the connection between your AD server and your SSL device, you must first add the AD server to your SSL device as an External Directory Service location.

To add an External Directory Service location:
1. Select User Management > External Directory Service. The Manage External Directory Service page appears.
2. Click Add External Directory Service Location. The Add External Directory Service Location page appears.

3. Select Microsoft Active Directory. Click Next. The Add External Directory Service Location page appears.
4. Configure the settings for this External Directory Service location. Make sure the settings match those you configured for your AD Server Authentication Method.
5. Click Next. The Add External Directory Service Location page appears.

6. To add search rules for your users, click Add User Search Rule. The Add User Search Rule page appears.
7. Configure the search rule. Click Next. The External Directory Service Location Search Rules page appears.
8. To add search rules for your user groups, click Add User Group Search Rule. The Add User Group Search Rule page appears.

9. Configure the search rule. Click Next. The External Directory Service Location Search Rules page appears.
10. To verify that the connection to your External Directory Service is active, click Test Connection.
11. Click Finish Wizard. The directory service is added and appears in the Registered External Directory Service Location list.

After your AD server is added as an External Directory Service location, you can test the connection between the AD server and the SSL device at any time.
1. Select User Management > External Directory Service. The Manage External Directory Service page appears.
2. In the Registered External Directory Service Locations list, select your AD server. The Edit External Directory Service Location page appears.
3. Select the Search Rules tab.
4. Click Test Connection to the External Directory Service Location. The SSL device tries to contact the AD server. If your configuration is correct, a Connection test ran successfully message appears. If the connection test fails, review the settings for your AD Server External Directory Service Location and correct any errors in the configuration.

Send One-Time Passwords (OTPs) to Users

You can configure the WatchGuard SSL device to send Mobile Text OTPs (One-Time Passwords) directly to your users through email messages. When you send OTPs with this method, no client software is required.

Configure the SMS Channel to Send Email

If you have an available SMS gateway, you can use the WatchGuard SSL Mobile Text authentication method to give your users one-time passwords (OTPs) through SMS. If you do not have an available SMS gateway, you can configure the SMS channel to send OTPs through email.
1. Select Manage System. The Registered Authentication Methods page appears.
2. Select Notification Settings. The Manage Notification Settings page appears.

3. Select the SMS Channel tab.
4. Click Add SMS channel. The Add SMS Channel page appears.
5. In the Display Name text box, type a name for the SMS Channel.
6. From the Plug-in drop-down list, select SMTP Plugin (1.0).
7. Click Next.
8. Select the Connection tab.
9. In the Host Address text box, type the IP address or host name of your email server.
10. Select the Message tab.
11. In the To text box, the default value is [$user-mail-address]. We recommend you do not change this value.
12. In the From text box, type a valid email address for your SMTP server.
13. Click Finish Wizard. The Manage Notification Settings page appears.
14. Click Save.

Configure SMS Settings for each user account
1. Select User Management.
2. In the Search by User ID text box, type the User ID and select the type of account to search from the drop-down list. To search for all available accounts, type the * wildcard character.
3. Click Search. The user accounts appear in the Search Results list.
4. Select the User ID to configure. The Edit User Account General Settings page appears.

5. In the SMS text box, type the email address of the user.
6. Click Save.

Change the Directory Mapping Attribute for Notification SMS
1. Select User Management > External Directory Service. The Manage External Directory Service page appears.
2. In the Registered External Directory Service Locations list, select the Display Name of the directory service to use. The Edit External Directory Service Location page appears.
3. Select the Directory Mapping tab.

4. In the Notification SMS text box, delete the default value mobile and type mail.
5. Click Save.
6. Click Publish to update your configuration with these changes.

Enable mobile text authentication for all users

This is a global process that applies to all user accounts. If you want to manually configure mobile text for each individual user account, do not use this process. You must edit each user account separately.
1. Select User Management > User Accounts. The Manage All user accounts page appears.
2. Select Global User Account Settings. The Global User Account Settings page appears.
3. Select the User Linking tab.
4. Select the Enable WatchGuard SSL Mobile Text check box. Additional settings for the WatchGuard SSL Mobile Text method appear.

5. Clear the Generate password check box.
6. Select the Use password from External Directory Service check box.
7. Click Save.
8. Click Publish to update your configuration with this change.

Use the OTP to Authenticate
1. Connect to the Application Portal.
2. Select the WatchGuard SSL Mobile Text authentication method.
3. Type your user name and password. The WatchGuard SSL device sends the OTP to your email address.
4. Find the OTP message in your email.
5. Type the OTP in your browser when prompted.
6. Click Submit. The WatchGuard SSL Application Portal appears.


7 About the Access Client

The WatchGuard SSL Access Client enables you to securely connect to tunnel resources in the WatchGuard SSL Application Portal. There are two versions of the Access Client: a Windows executable client and a Java client.

Windows computers almost always use the Windows executable version of the Access Client. The Windows executable Access Client installs a Windows network driver, which allows the Access Client to connect to dynamic tunnels.

The Java client is another version of the Access Client, and uses a Java Applet loader to run in a web browser on any operating system, such as Mac or Linux, and most Java-enabled devices. The Java Access Client can only connect to static tunnels. To launch the Java Access Client, the user's computer calls a Java Applet loader from the SSL device that launches the Java client. The Java Applet stays active for the duration of the VPN session.

There are two types of the Windows executable version of the Access Client:

On-demand Access Client
When a user authenticates to the Application Portal and selects a resource other than a Web resource, the on-demand Access Client launches to load the tunnel. When the session ends, the on-demand Access Client closes. The client software is not installed on the user's computer.

Installed Access Client
You can also select to install the Access Client on the user's computer. The installed Access Client is available when the user is not authenticated to the Application Portal. You can configure the installed Access Client to automatically start when Windows starts and to automatically connect to resources. For information about how to install the Access Client, see Install the Access Client on page 452.

For your users to be able to load and use resources based on dynamic tunnels, the Access Client must be installed by someone who has administrative privileges. After the Access Client is installed, anyone with standard user privileges can run the Access Client, through the use of a component called the Helper Service that is automatically installed with the client. This service runs with administrative privileges to give standard (non-admin) users the ability to do operations that require admin privileges. Some operations, such as client software upgrades, can be more difficult to do with the Helper Service. See Set up the Access Client for a Standard User for more information.

For information about how to configure the Access Client, see About the Access Client Menu on page 457.

Install the Access Client

Use this procedure to install the Windows executable version of the Access Client on your Windows computer.

Note A user with administrative rights on your computer must install the Access Client software. This is usually the system or network administrator. Once the Access Client has been installed, administrative privileges are no longer necessary.

Before You Begin
1. Get the Access Client installer (AccessClientInstall.exe) from your network administrator.
2. On the computer where you want to install the Access Client, connect to the WatchGuard SSL Application Portal and open a tunnel resource. This launches the on-demand version of the Access Client and automatically captures some of the configuration information needed for the installation.

Run the Installer
1. Run AccessClientInstall.exe. A security warning appears. You can safely ignore this warning.
2. To continue the installation, click Run.
3. On the License Agreement page, review and accept the License Agreement.
4. On the Select Destination Location page, select a location to install the Access Client. The default location is C:\Program Files\WatchGuard\SSL\Access Client.
5. On the last page of the installation wizard, click Finish. The Access Client is now available in the Windows Start menu.

Launch the Installed Access Client

Select Start > All Programs > WatchGuard SSL > Access Client > WatchGuard Access Client.

After You Install

After you install, verify that the server address is correct in the Access Client Preferences dialog box. If you did not connect to a tunnel resource in the Application Portal at least once before you installed the Access Client, you must manually add the address of your Application Portal.

1. Click the Access Client icon in the Windows system tray. The Access Client menu appears.
2. Select Preferences. The Access Client Preferences dialog box appears.
3. If the Update server text box includes an address, we recommend you do not change this setting. This is the URL of the WatchGuard SSL device that hosts the client updates. It is automatically set the first time the Access Client connects to a resource. If the Update server text box is empty, type the URL or IP address of the WatchGuard SSL Application Portal. Do not include in the address.
4. Click OK.

Connect to the Application Portal

To start a resource, authenticate to the Application Portal with a web browser and select a resource. If you want the Access Client to automatically connect to certain resources, you can configure favorites in the Access Client, as described in Manage Access Client Favorites.

Uninstall the Access Client

Before you uninstall the Access Client, we recommend that you first delete any favorites. When you uninstall the Access Client, the favorites you have configured are not automatically removed.

To delete your resource favorites:
1. Click the Access Client icon in the Windows system tray. The Access Client menu appears.
2. Select Favorites > Manage.
3. Click each favorite to select it and click Delete.

To uninstall the Access Client:

Note If you do not remove the favorites before you uninstall, the old favorites are still available in the Access Client favorites list when you reinstall the Access Client, or if you use the on-demand Access Client.

1. Open the Windows Control Panel.
2. Select Add or Remove Programs.
3. Click the WatchGuard Access Client program.
4. Click Remove.

Set up the Access Client for a Standard User

The WatchGuard SSL Access Client is the client application that allows a user to connect to tunnel resources published on any WatchGuard SSL VPN Application Portal. The Access Client requires elevated access privileges to perform certain administrative tasks, such as to install a driver and to assign an IP address to a network adapter. In Access Client versions prior to SSL v3.1.1, users were required to log in to their Windows operating system as an administrative user before they could install or use the Access Client.

Access Client v3.1.1 (and subsequent releases) allows Windows standard users (users without administrator privileges) to connect to tunnel resources. Administrator privileges are still required for the initial installation of the Access Client software. Access Client v3.1.1 and subsequent releases include a component, called the WatchGuard Access Client Helper Service, which performs the tasks that require elevated access privileges. This allows a user without administrator privileges to use the Access Client.

The subsequent sections describe the installation requirements and limitations of the Access Client for users without Windows administrator privileges.

Installation

To install the Access Client so that it operates correctly for a Windows standard user, an administrator must complete these steps:
- Install the Access Client software on the client computer.
- Add an exception for "AccessClient.exe" to the Windows Firewall on the client computer.
- If the standard user uses Internet Explorer 7 or a later version, add the Application Portal as a trusted site, and verify that protected mode is not used for trusted sites.

You can log on to the client computer as an administrative user to do these steps manually, or you can use Windows Group Policy to push these changes to the client computers.

Install the Access Client Software

To set up a computer to run the Access Client for a standard user, you must first install the Access Client software. You can use Windows Group Policy to remotely install the software, or you can manually install it as an administrative user. For more information about manual installation, see Install the Access Client. For information about Group Policy, see the Microsoft documentation or knowledge base.

The Access Client installer installs these components:

- Access Client: enables a user to connect to any WatchGuard SSL VPN tunnel resource
- Device Driver: redirects traffic through the VPN tunnel, after the tunnel is established
- WatchGuard Access Client Helper Service: allows the Access Client to run for non-administrative users

You download the Access Client installer from the Software Downloads section of the WatchGuard web site at

Even if the standard user wants to use the on-demand client, you still must install the Access Client software on the client computer so that the WatchGuard Access Client Helper Service is installed. The Helper Service must be installed and running for a Windows standard user to use the Access Client.

Install the ActiveX Controls

After you install the client software, you must install the required ActiveX controls. You can use an administrator account to do this manually, or a standard user can do this if Group Policies are configured correctly. When you start a dynamic tunnel resource on the SSL Application Portal, a prompt appears for you to install the ActiveX control.

To manually install the ActiveX controls:
1. Log in to the client computer as an administrative user.
2. Authenticate to the Application Portal.
3. Start a dynamic tunnel resource. For example, start a Full Tunnel resource. If the ActiveX control is not installed, a prompt appears for you to install it.
4. Install the ActiveX Controls.

Note You cannot install ActiveX controls from Internet Explorer 7 or a later version when protected mode is enabled.

Configure Firewall Exceptions

The first time you start the Access Client on a client computer, Windows prompts you to add an exception to the existing firewall rules. You must add a Windows Firewall exception for AccessClient.exe to allow the Access Client to communicate through Windows Firewall. In Windows 7, you must enable this exception for both the home and public network locations.
You can add this exception manually in the Windows Control Panel if you are logged on to the client computer as a user with administrative privileges. Or, you can push this setting through Group Policies in Windows. Note that these exceptions are stored on a per-user basis. You must enter these exceptions as a standard user (not the admin user), and enter the admin password each time.

Add the SSL Application Portal to the Trusted Sites List

The Access Client does not operate correctly when started from Internet Explorer 7 or a later version in protected mode. To make sure that the browser is not in protected mode, in the Internet Options configuration, add the address of the SSL Application Portal to the list of trusted sites. Then, verify that the Internet Options configuration does not require protected mode for trusted sites. You can either ask the user to perform this step, or you can use Group Policy to update the trusted sites list on the client computer.
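The Helper Service, firewall exception and Trusted Sites requirements described above can be checked from the standard user's own session with the following PowerShell script. It is an added example, not WatchGuard's own tooling; the portal host name is a placeholder, and the registry locations are Internet Explorer's standard per-user zone map, which this guide does not document.

```powershell
# Added example, not WatchGuard tooling. Run it unelevated in the standard
# user's own session: the Trusted Sites list and the Protected Mode flag live
# in that user's HKCU hive, which is why the guide has the standard user enter
# them. $PortalHost is a hypothetical Application Portal host name.
$PortalHost = 'sslportal.example.com'

# 1. The WatchGuard Access Client Helper Service must be installed and running.
#    Its short service name is not documented in the guide, so match the display name.
$helper = Get-Service | Where-Object { $_.DisplayName -like 'WatchGuard Access Client Helper*' }
if (-not $helper) {
    Write-Warning 'Helper Service not found: an administrator must run the Access Client installer first.'
} elseif ($helper.Status -ne 'Running') {
    Write-Warning "Helper Service is $($helper.Status): a standard user cannot open tunnels until it runs."
} else {
    Write-Host 'Helper Service is running.'
}

# 2. Windows Firewall exception for AccessClient.exe (Windows Vista/7 and later).
#    Listing rules needs no elevation; netsh prints one block per rule,
#    separated by blank lines, with the program path on a "Program:" line.
$ruleText   = netsh advfirewall firewall show rule name=all dir=in verbose | Out-String
$ruleBlocks = $ruleText -split '(?:\r?\n){2,}'
$clientRule = $ruleBlocks | Where-Object { $_ -match 'AccessClient\.exe' }
if (-not $clientRule) {
    Write-Warning 'No inbound firewall rule references AccessClient.exe: start the Access Client once and accept the firewall prompt.'
} elseif (($clientRule | Out-String) -notmatch 'Enabled:\s+Yes') {
    Write-Warning 'A firewall rule for AccessClient.exe exists but is disabled.'
} else {
    Write-Host 'Firewall exception for AccessClient.exe is present and enabled.'
}

# 3. Trusted Sites zone (zone 2). Internet Explorer keys a host such as
#    sslportal.example.com under ZoneMap\Domains\example.com\sslportal and
#    stores the zone number in a DWORD named after the URL scheme.
if ($PortalHost -match '^\d{1,3}(\.\d{1,3}){3}$') {
    throw 'IP addresses are stored under ZoneMap\Ranges, not Domains; use the portal host name.'
}
$labels = $PortalHost.Split('.')
if ($labels.Length -lt 2) { throw "Expected a fully qualified host name, got '$PortalHost'" }
$domainKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' +
             ($labels[-2..-1] -join '.')
$siteKey = if ($labels.Length -gt 2) {
    Join-Path $domainKey ($labels[0..($labels.Length - 3)] -join '.')
} else {
    $domainKey
}
if (-not (Test-Path $siteKey)) { New-Item -Path $siteKey -Force | Out-Null }
New-ItemProperty -Path $siteKey -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null
Write-Host "Added https://$PortalHost to the Trusted Sites zone for $env:USERNAME."

# 4. Protected Mode for the Trusted Sites zone is value 2500 under Zones\2:
#    3 means Protected Mode off, 0 means on.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
New-ItemProperty -Path $zoneKey -Name '2500' -Value 3 -PropertyType DWord -Force | Out-Null
$protectedMode = (Get-ItemProperty -Path $zoneKey -Name '2500').'2500'
if ($protectedMode -eq 3) { Write-Host 'Protected Mode is off for Trusted Sites.' }

# Caveat: if Group Policy manages the zone map (Site to Zone Assignment List),
# the policy keys take precedence and Internet Explorer ignores these per-user values.
```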

Note that the Trusted Sites list is stored on a per-user basis. You must enter these sites as a standard user (not the admin user), and enter the admin password each time.

To manually add the SSL Application Portal to the trusted sites list and configure trusted sites settings:
1. Log in to the client computer as the Windows standard user.
2. In Control Panel, open Internet Options.
3. Select the Security tab.
4. Select Trusted Sites.
5. Click Sites.
6. Add the URL of the WatchGuard SSL Application Portal to the trusted sites list. For example, add "
7. If the client computer uses Windows Vista or Windows 7, clear the Protected Mode for Trusted Sites check box.

Use the Access Client as a Standard User

For a standard user, the purpose of installing the Access Client is to install the WatchGuard Access Client Helper Service. This service is started by the installer, and automatically restarts when the computer is restarted. After the WatchGuard Access Client Helper Service is installed and running, a standard user can use either the installed Access Client or the on-demand Access Client.

Limitations

The Access Client can be used by a standard user, with these limitations:
- The Access Client software must be installed by an administrative user prior to use by a standard user.
- Windows Firewall exceptions and Internet Explorer Trusted Sites lists are stored per-user, so you must enter these when logged in as a standard user (non-admin).
- ActiveX Controls cannot be installed in Internet Explorer 7 or a later version in protected mode.
- A standard user can only update Access Client components if the Helper Service is running.
- If a standard user downgrades the Access Client to a version earlier than v3.1.1, the administrator must reinstall the v3.1.1 (or later) Access Client. A client downgrade could happen, for example, if a standard user connects to an SSL device that uses an older version of SSL OS, and sees a prompt that a different client software version is available. If the user accepts the different client software, the client is downgraded.
- The Access Client cannot be run in low-integrity mode. Low-integrity mode is not very common, but if the executable has been downloaded by a low-integrity process (for example, IE 7 or a later version with Protected Mode enabled), the same integrity level applies and the Access Client does not run.

Launch the Access Client

After you log on to the WatchGuard SSL Application Portal, you can connect to your network resources. For some resources, your computer must run the Access Client. The Access Client is a Windows client that sets up the SSL VPN tunnel between your computer and the network resources. The Access Client is not required for online applications.

Launch the On-demand Access Client

When you click a resource in the WatchGuard SSL Application Portal that requires the Access Client, the Application Portal automatically downloads and launches the on-demand Access Client.

Launch the Installed Access Client

If you have installed the Access Client software on your computer, you can also launch the client from the Windows Start menu. For instructions to install the Access Client, see Install the Access Client.

To launch the installed Access Client on a computer with Windows XP:
Select Start > All Programs > WatchGuard SSL > Access Client > WatchGuard Access Client. The Access Client launches and appears in the Windows system tray.

Note If you have a complicated network setup, or use some third-party software (for example, certain versions of OpenVPN client), a Cannot Acquire IP error message can appear when the Access Client initializes. You can safely ignore this error message. This does not affect your ability to use network resources through the secure VPN tunnel.

About the Access Client Menu

When the Access Client starts, the Access Client icon appears in the Windows system tray.

Note If your tunnel connection is disconnected, an exclamation mark alert appears on the Access Client icon.

To configure your Access Client:
1. Click the Access Client icon. The Access Client menu appears.
2. Configure these options:

Preferences
Set preferences for the Access Client. For more information, see Edit Access Client Preferences.

History
When a tunnel is loaded successfully, the details of the tunnel configuration are automatically saved in the History. This allows you to easily open a recently accessed tunnel resource. The History menu can contain a maximum of 15 items.

Favorites
Add and manage favorite Application Portal resources. After you add favorite resources, you can select a resource from the Favorites menu to start the resource. For more information, see Manage Access Client Favorites.

Status
See the status of your SSL connection. For more information, see Check Access Client Status.

About
See Access Client version and copyright information.

Close tunnels
Close the connection to a tunnel resource. For more information, see Close a Tunnel.

Exit
Close the Access Client. The connections to all tunnel resources are also closed. For more information, see End Your SSL VPN Session.

Edit Access Client Preferences

You can configure the Access Client settings to customize the way the client operates on your computer.

Configure General Preferences
1. Launch the Access Client.
2. Click the Access Client icon. The Access Client menu appears.
3. Select Preferences. The Access Client Preferences dialog box appears.

4. Select the General tab.
5. To automatically launch the Access Client when Windows starts, select the Launch Access Client on startup check box. The Access Client is added to the Windows Startup folder.
6. To create shortcuts or launch commands that connect directly to a resource, select the Register essp:// protocol handler check box. For more information, see Use ESSP to Link Directly to a Resource.
7. If you do not want the client to automatically check for available updates, clear the Enable automatic update check box. We recommend you do not clear this check box.
8. If the Update server text box includes an address, we recommend you do not change this setting. This is the URL or IP address of the WatchGuard SSL device that hosts the client updates. It is automatically set the first time the Access Client connects to a resource. If the Update server text box is blank, type the URL or IP address of the WatchGuard SSL Application Portal. Do not include
9. To check for an updated client at the Update server address, click Update.
10. Click OK.

Edit Trusted Commands

If your network administrator has configured commands that automatically run when you start a resource, a notification dialog box appears before each command runs.

To disable the pop-up notification for a command:
1. In the notification dialog box, select the Always trust this command check box.
2. Click OK.

In the Access Client Preferences dialog box, the Trusted Commands tab includes a list of commands you have selected to always trust.

To see the list of trusted commands, and delete commands:
1. Launch the Access Client.
2. Click the Access Client icon. The Access Client menu appears.
3. Select Preferences.
4. Select the Trusted Commands tab. The list of trusted commands appears.
5. To remove a command from the trusted list, select the command and click Delete. The command is removed from the list. The next time you connect to a resource that uses the command you removed, the Access Client prompts you before it runs the command.
6. Click OK.

Edit Diagnostic Settings

The Access Client can send diagnostic information to a log file. WatchGuard technical support may ask you to change the log level or send a diagnostic file to help troubleshoot issues with the Access Client. We recommend that you do not change the diagnostic settings unless asked to do so by a WatchGuard technical support representative.

You can configure the log level and diagnostic file separately for each of these client applications:
- Access Client: the VPN client that provides secure remote access over SSL
- Assessment: the client that completes the integrity scan required for access
- Abolishment: the client that securely deletes files used during the session

To see and manage the diagnostic settings:
1. Launch the Access Client.
2. Click the Access Client icon. The Access Client menu appears.
3. Select Preferences.
4. Select the Diagnostic tab.

5. In the Application section, from the Configure diagnostic settings for drop-down list, select Access Client, Assessment, or Abolishment. The settings for the selected application appear in the Settings section.
6. To change the location of the diagnostic log file, in the Diagnostic file text box, type the new path and file name.
7. To view the diagnostic file for the currently selected application, click View.
8. To export all diagnostic log files to a local zip file, click Export.
9. To change the level of detail to include in the diagnostic log file, adjust the Log level slider. When you click and hold the Log level slider, the current log level appears. The available log levels for each application include:

Off: Disables logging to the diagnostic file for the selected application.
Error: Includes only log messages about serious errors that cause an interruption in service.
Warning: Includes details about errors that might not impact service.
Info: Includes details about normal or successful operations.
Debug: Includes details that can help you troubleshoot problems. We recommend you only select this level when directed to do so by a WatchGuard Technical Support representative.
Trace: Includes details about the status of application processes. We recommend you only select this level when directed to do so by a WatchGuard Technical Support representative.

Log levels are cumulative. A higher log level also includes the messages of the lower log levels.

Edit Client Synchronization Settings

You can synchronize your Access Client preferences, history, and favorites to the SSL device. In the Sync Server field, enter or select the address of the synchronization server, which is the SSL device.

There are two methods to synchronize your client settings: automatic and manual.
- Select Enable Automatic Synchronization to automatically synchronize when you start an SSL tunnel and when you make any changes to your settings or favorites while connected to the tunnel. By default, automatic client synchronization is disabled.
- Click Synchronize Now to immediately perform a manual synchronization with the SSL device while connected to the tunnel. If you are not connected, a pop-up authentication dialog box appears, and the client synchronizes to the SSL device after successful authentication.

Manage Access Client Favorites

You can add network resources to the Access Client Favorites list. When you add a favorite, you can start that resource from the Access Client menu in the Windows system tray. You can also configure favorite resources to automatically start when you launch the Access Client. Favorites can also be synchronized to the SSL device if client synchronization is enabled. See Access Client Preferences for detailed information on synchronization.

Note You can only add a favorite resource for a tunnel resource. The Access Client does not connect to web resources.

Add a Favorite Resource

To add a favorite, start the resource from the WatchGuard Application Portal and then add it as a favorite.
1. Authenticate to the WatchGuard SSL Application Portal.
2. Connect to the tunnel resource that you want to save as a favorite.
3. Click the Access Client icon. The Access Client menu appears.
4. Select Favorites > Add. The tunnel resources you are connected to appear in the menu.

5. Select the name of the resource to add as a favorite. The name can be different from the name of this resource in the Application Portal. The Edit Favorite dialog box appears.
6. To change the name that appears in the Access Client Favorites menu for this favorite, in the Display Name text box, type a new name.
7. The Server and Configuration text boxes are automatically configured. Do not change these settings.
8. To enable the Access Client to start this resource each time you start the Access Client, select the Load on startup check box.
9. Click OK. The favorite is added to the Access Client Favorites list.

See and Edit Access Client Favorites
1. Launch the Access Client.
2. Click the Access Client icon. The Access Client menu appears.
3. Select Favorites > Manage. The Access Client Favorites list appears.
4. To add a new favorite, click New. The Add Favorite dialog box appears.

5. In the Display name text box, type the name for this favorite to appear in the Access Client Favorites list.
6. In the Server text box, type the URL of the WatchGuard SSL Application Portal.
7. In the Configuration text box, type the configuration tag that identifies this tunnel resource in the portal. To find the configuration tag for a tunnel resource:
   a. Authenticate to the WatchGuard SSL Application Portal.
   b. Right-click the resource to make a favorite.
   c. Select Copy link location (Firefox) or Copy shortcut (Internet Explorer).
   d. In the Add Favorite dialog box, paste the link in the Configuration text box. For example, javascript:openmessagewindow('/wa/webclient/26gp52085p1c'); The number near the end is the tunnel tag that identifies this resource.
   e. Edit the link to remove all characters except the number. For example, 26gp52085p1c.
8. To enable the Access Client to start this resource each time you start the Access Client, select the Load on startup check box.
9. Click OK. The favorite is added to the Access Client Favorites list.
10. To edit an existing favorite, select the favorite and click Edit. The Edit Favorite dialog box appears.
11. To remove an existing favorite, select the favorite to delete and click Delete.
12. Click Close to save your changes.

Start a Favorite Resource

If you selected the Load on startup check box when you added the favorite, the resource automatically loads when you start the client. If you did not select the Load on startup check box:
1. Click the Access Client icon. The Access Client menu appears.
2. Select Favorites and click the name of the resource to load.
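Steps 7c to 7e above extract the configuration tag by hand from the copied link. The following PowerShell function does the same extraction and rejects links that are not tunnel resources; it is an added example, not part of the Access Client, and the sample links and portal URL are constructed for the demonstration.

```powershell
# Added example, not Access Client code. Turns a link copied from the
# Application Portal (step 7c) into the configuration tag (step 7e).
function Get-TunnelConfigurationTag {
    param([Parameter(Mandatory = $true)][string]$Link)
    # Copied links can pick up line breaks or spaces; the tag never contains any.
    $cleaned = $Link -replace '\s', ''
    # The form shown in the guide: javascript:openmessagewindow('/wa/webclient/26gp52085p1c');
    if ($cleaned -match "^javascript:openmessagewindow\('/wa/webclient/([A-Za-z0-9]+)'\);?$") {
        return $Matches[1]
    }
    # Also accept the bare resource path, or a tag that was already extracted.
    if ($cleaned -match '^(?:/wa/webclient/)?([A-Za-z0-9]+)$') {
        return $Matches[1]
    }
    throw "Not a WatchGuard SSL tunnel resource link: '$Link'"
}

# Mirrors the three fields of the Add Favorite dialog box so the values can be
# reviewed before they are typed in. This object is for review only; it is not
# the Access Client's own favorites storage format.
function New-FavoriteEntry {
    param(
        [Parameter(Mandatory = $true)][string]$DisplayName,
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$Link,
        [switch]$LoadOnStartup
    )
    New-Object -TypeName PSObject -Property @{
        DisplayName   = $DisplayName
        Server        = $Server
        Configuration = Get-TunnelConfigurationTag -Link $Link
        LoadOnStartup = [bool]$LoadOnStartup
    }
}

# Constructed sample links (not real resources): the form from step 7d, the
# same link broken by a line wrap, and a web resource link that must be rejected.
$samples = @(
    "javascript:openmessagewindow('/wa/webclient/26gp52085p1c');",
    "javascript:openmessagewindow('/wa/webclient/26gp52085p1`r`nc');",
    'https://sslportal.example.com/wa/some-web-resource'
)
foreach ($sample in $samples) {
    $shown = $sample.Replace("`r`n", '<CRLF>')
    try   { '{0}  ->  {1}' -f $shown, (Get-TunnelConfigurationTag -Link $sample) }
    catch { '{0}  ->  rejected: {1}' -f $shown, $_.Exception.Message }
}

# A complete entry for the Add Favorite dialog box, using a hypothetical portal URL.
New-FavoriteEntry -DisplayName 'File server' -Server 'https://sslportal.example.com' `
                  -Link $samples[0] -LoadOnStartup | Format-List
```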

Synchronization of Favorites to the SSL Device

Administrators can add favorites globally for new users, or for a specific user, that can be synchronized to their Access Client settings. To add favorites that will be synchronized to new users, on the SSL device, select User Management > Global User Account Settings, select the User Client Settings Sync tab, then select Add Favorite Resource. To manage favorites for a specific user, select User Management > User Accounts, select a specific user, then select the Favorites tab. See User Accounts Global Settings for detailed information.

Check Access Client Status

You can check the status of the Access Client from the Access Client menu. The Access Client Status dialog box shows the number of active connections, the acquired IP address (if any), the amount of data transferred, and the throughput.

To see the status of the Access Client:
1. Click the Access Client icon. The Access Client menu appears.
2. Select Status. The Access Client Status dialog box appears.

Close a Tunnel

A tunnel resource is any resource that does not use a web browser. For example, when you connect to a network drive, you use a tunnel resource. You can use the Access Client to connect to more than one tunnel resource. Use the Access Client Close Tunnels command if you want to close the connection to only one connected tunnel resource.

To close a tunnel:
1. Click the Access Client icon. The Access Client menu appears.
2. Select Close Tunnels. A list of all the tunnels you are connected to appears.
3. Click the name of the tunnel to close. The Access Client closes the connection to the tunnel you selected.

If you use the on-demand Access Client, the Access Client closes when you close the last tunnel connection. If you use the installed Access Client, the Access Client does not close when you close the last tunnel connection. For more information about the two types of Access Clients, see About the Access Client.

End Your SSL VPN Session

As a good security practice, we recommend that you close your SSL VPN session when you are finished with the network resources. There are several ways to do this. The method you choose depends on how you started the connection to the network resources.
If you connected to a resource from the Application Portal, there are two methods to close the connection:
- In the Application Portal, click Log out. Your connections to resources are closed, and the client automatically exits.
- Close the web browser that is connected to the Application Portal. You are logged out of the Application Portal, your resource connections are closed, and the client exits.
If you used an ESSP link or command to start the connection to a resource, you must exit the Access Client to close the connections to all resources.
1. Click the Access Client icon. The Access Client menu appears.
2. Select Exit. All resource connections are closed.
For information about how to use ESSP with the installed Access Client, see Use ESSP to Link Directly to a Resource.

Use ESSP to Link Directly to a Resource

ESSP (Extended Security Session Protocol) is the protocol used for communication between the Access Client and the WatchGuard SSL device. You can use the ESSP protocol to connect directly to a tunnel resource without first connecting to the Application Portal. A tunnel resource is any resource that does not use a web browser. For example, when you connect to a network drive, you use a tunnel resource. When you use ESSP to launch a tunnel resource, you are prompted to authenticate before you can connect to the resource.
Note: To use this feature, you must install the Access Client on your Windows computer. This feature is not available when you use the on-demand Access Client.

Register the ESSP Protocol Handler

If you install the Access Client, you can configure the Access Client preferences to register the ESSP protocol handler.
1. Launch the Access Client.
2. Click the Access Client icon. The Access Client menu appears.
3. Select Preferences. The Access Client Preferences dialog box appears.
4. On the General tab, select the Register essp:// protocol handler check box.
5. Click OK.

Use ESSP to Connect to a Resource

After you register the ESSP protocol handler, you can use a web browser, or the Windows Start menu, to launch the Access Client and automatically connect to a resource.
To use ESSP to start a resource in a browser:
1. Open a web browser.
2. Type or select a URI. For example: essp://<address of Application Portal>/<resource configuration tag>
To start a resource from the Windows Start menu:
1. Select Start > Run. The Run dialog box appears.
2. Type essp://<address of Application Portal>/<resource configuration tag>.

Example

This example shows how to find the resource configuration tag for a resource, and how to construct the ESSP command. For this example, the URI for the Application Portal is: sslvpn.example.com.
To find the resource configuration tag for a tunnel resource:
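The two manual procedures above (copying the portal link, cutting it down to the configuration tag, and typing essp://<portal>/<tag>) can be scripted. The following is an added example for this guide and is not WatchGuard code: it parses a link of the shape javascript:openmessagewindow('/wa/webclient/<tag>'); as shown in step 7, checks that the tag and the portal address contain only the characters one would expect, and assembles the essp:// URI. The sample link is constructed from the guide's example value; the character set allowed for a tag and for the portal host, and the maximum tag length, are assumptions, not documented limits.

```python
"""Build an essp:// URI from a WatchGuard SSL Application Portal favorite link.

Added example for this guide, not WatchGuard code. The link layout
javascript:openmessagewindow('/wa/webclient/<tag>'); and the URI layout
essp://<portal>/<tag> follow the guide; the validation rules are assumptions
so that a registered protocol handler is only ever handed a plain host and tag.
"""
import re
from urllib.parse import urlsplit

# Constructed sample, matching the link shown in step 7 of the guide.
SAMPLE_LINK = "javascript:openmessagewindow('/wa/webclient/26gp52085p1c');"

# Assumption: a configuration tag is 1-64 letters or digits, nothing else.
_TAG_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")
# Shape of the link the portal puts on the clipboard (from the guide).
_LINK_RE = re.compile(
    r"""^javascript:openmessagewindow\(\s*['"]/wa/webclient/([^'"]+)['"]\s*\)\s*;?\s*$"""
)
# Assumption: portal address is a host name, optionally with an explicit port.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def extract_config_tag(link: str) -> str:
    """Return the configuration tag embedded in a portal favorite link.

    Raises ValueError if the link does not have the expected shape or if the
    tag holds characters outside [A-Za-z0-9] (for example path separators),
    so that nothing but a bare tag reaches the essp:// URI.
    """
    m = _LINK_RE.match(link.strip())
    if not m:
        raise ValueError("not a portal tunnel-resource link")
    tag = m.group(1)
    if not _TAG_RE.match(tag):
        raise ValueError(f"unexpected characters in configuration tag: {tag!r}")
    return tag


def build_essp_uri(portal: str, tag: str) -> str:
    """Assemble essp://<portal host>/<tag>.

    `portal` may be a bare host name (as in the guide's example) or the
    https:// URL of the Application Portal; only the host[:port] is kept.
    """
    host = portal.strip()
    if "://" in host:
        parts = urlsplit(host)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("portal must be a host name or an https:// URL")
        host = parts.netloc  # keeps an explicit port; rejects userinfo below
    if not _HOST_RE.match(host):
        raise ValueError(f"invalid portal host: {host!r}")
    if not _TAG_RE.match(tag):
        raise ValueError(f"invalid configuration tag: {tag!r}")
    return f"essp://{host}/{tag}"


def essp_uri_from_link(portal: str, link: str) -> str:
    """Convenience wrapper: portal link in, essp:// URI out."""
    return build_essp_uri(portal, extract_config_tag(link))


if __name__ == "__main__":
    # Reproduces the guide's example: portal sslvpn.example.com, tag 26gp52085p1c.
    print(essp_uri_from_link("sslvpn.example.com", SAMPLE_LINK))
```

Because the essp:// handler is registered with Windows and launches the Access Client for any link that uses the scheme, the script treats both the pasted link and the portal address as untrusted input and refuses anything that is not a plain host and tag; in the guide's example it produces essp://sslvpn.example.com/26gp52085p1c.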


More information

FieldView. Management Suite

FieldView. Management Suite FieldView The FieldView Management Suite (FMS) system allows administrators to view the status of remote FieldView System endpoints, create and apply system configurations, and manage and apply remote

More information

End User Manual. December 2014 V1.0

End User Manual. December 2014 V1.0 End User Manual December 2014 V1.0 Contents Getting Started... 4 How to Log into the Web Portal... 5 How to Manage Account Settings... 6 The Web Portal... 8 How to Upload Files in the Web Portal... 9 How

More information

Veritas System Recovery 18 Management Solution Administrator's Guide

Veritas System Recovery 18 Management Solution Administrator's Guide Veritas System Recovery 18 Management Solution Administrator's Guide Documentation version: 18 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are

More information

Installation Procedure Windows NT with Netscape 4.x

Installation Procedure Windows NT with Netscape 4.x Installation Procedure Windows NT with Netscape 4.x Printer Friendly Version [ PDF 232K ] Before You Begin Before proceeding with the installation of a SOHO 6 appliance, you must have the following: A

More information

PGP NetShare Quick Start Guide Version 10.2

PGP NetShare Quick Start Guide Version 10.2 PGP NetShare Quick Start Guide Version 10.2 What is PGP NetShare? The PGP NetShare product is a software tool that provides multiple ways to protect and share your data. Use PGP NetShare to: Let authorized

More information

Symptom Condition / Workaround Issue Full domain name is not resolved by the RDP- ActiveX Client.

Symptom Condition / Workaround Issue Full domain name is not resolved by the RDP- ActiveX Client. Secure Remote Access Contents Platform Compatibility...1 Known Issues...1 Resolved Issues...3 Upgrading SonicOS SSL VPN Firmware Procedures...4 Related Technical Documentation...6 Platform Compatibility

More information

Desktop Installation Guide

Desktop Installation Guide Desktop Installation Guide Desktop Installation Guide Legal notice Copyright 2017 LAVASTORM ANALYTICS, INC. ALL RIGHTS RESERVED. THIS DOCUMENT OR PARTS HEREOF MAY NOT BE REPRODUCED OR DISTRIBUTED IN ANY

More information

Cisco CTL Client setup

Cisco CTL Client setup Cisco CTL Client setup This chapter provides information about Cisco CTL client setup. About Cisco CTL Client setup, page 2 Remove etoken Run Time Environment 3.00 for CTL Client 5.0 plug-in, page 2 Cisco

More information

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide BlackBerry Enterprise Server for Microsoft Office 365 Version: 1.0 Administration Guide Published: 2013-01-29 SWD-20130131125552322 Contents 1 Related resources... 18 2 About BlackBerry Enterprise Server

More information

Upgrading to Sage ACT! 2013 from ACT! 3.x, 4.x, 5.x (2000), or 6.x (2004)

Upgrading to Sage ACT! 2013 from ACT! 3.x, 4.x, 5.x (2000), or 6.x (2004) Upgrading to Sage ACT! 2013 from ACT! 3.x, 4.x, 5.x (2000), or 6.x (2004) Copyright 2012 Sage Software, Inc. All Rights Reserved. Sage, the Sage logos, ACT!, and the Sage product and service names mentioned

More information

Wavelink Avalanche Site Edition Java Console User Guide. Version 5.3

Wavelink Avalanche Site Edition Java Console User Guide. Version 5.3 Wavelink Avalanche Site Edition Java Console User Guide Version 5.3 Revised 04/05/2012 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway,

More information