
WatchGuard Certified Training

WatchGuard SSL Basics


Courseware: WatchGuard SSL Basics v3.2
Student Guide
TRAINING
www.watchguard.com/training
training@watchguard.com
SUPPORT
www.watchguard.com/support
support@watchguard.com
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Copyright and Patent Information
Copyright 2012 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or trademarks of
WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more pending
patent applications.
All other trademarks and tradenames are the property of their respective owners.
Printed in the United States.
Table of Contents
Course Introduction ............................................................................................................... 1
Training Options ............................................................................................................ 1
Required Equipment and Software ............................................................................. 1
Training Scenario .......................................................................................................... 2
Prerequisites ................................................................................................................. 2
Certification .................................................................................................................. 2
Additional Resources ................................................................................................... 3
Getting Started ....................................................................................................................... 5
What You Will Learn ..................................................................................................... 5
Introduction to the WatchGuard SSL Solution ............................................................ 5
Components of the WatchGuard SSL solution ......................................................................... 5
Before You Begin .......................................................................................................... 6
Get a WatchGuard device feature key ....................................................................................... 6
Configuration Modes .................................................................................................... 6
Initial Configuration Steps ........................................................................................... 7
About the WatchGuard SSL Web UI ............................................................................. 7
Exercise 1: Reset the SSL Device to Factory Default Settings (Optional) ................... 8
Before You Begin ........................................................................................................................ 8
Start the WatchGuard SSL Device in Recovery Mode .............................................................. 8
Upload a New Software Image .................................................................................................. 8
Next Steps ................................................................................................................................... 9
Exercise 2: Run the Quick Setup Wizard ....................................................................... 9
Exercise 3: Use the WatchGuard SSL Web UI to Finish Initial Setup ........................ 13
Log in to the WatchGuard SSL Web UI .................................................................................... 13
Upload a Feature Key ............................................................................................................... 13
Test Your Knowledge .................................................................................................. 14
Authentication and Users ................................................................................................... 15
What You Will Learn ................................................................................................... 15
About Authentication .................................................................................................. 15
Authentication Methods ........................................................................................................... 15
WatchGuard SSL Authentication Methods ............................................................................. 15
Other Supported Authentication Methods .............................................................................. 16
Authentication Method Configuration ....................................................................... 17
General Settings ....................................................................................................................... 17
RADIUS Replies ......................................................................................................................... 17
Extended Properties ................................................................................................................. 17
About User Management ........................................................................................... 18
Local User Accounts ................................................................................................................. 18
How User Authentication Works ................................................................................ 19
Authentication with WatchGuard SSL Authentication Methods ............................................ 19
Authentication with non-WatchGuard Authentication Methods ............................................ 20
Exercise 1: Manually Add a User Account ................................................................... 20
Exercise 2: Configure Active Directory with LDAP over SSL ....................................... 23
Configure the Active Directory Authentication Method on your SSL Device ........................ 23
Enable the Active Directory Authentication Method .............................................................. 24
Exercise 3: Link User Accounts to the Existing AD Server .......................................... 27
Add an External Directory Service Location ........................................................................... 27
Link Users to the AD server ...................................................................................................... 31
Exercise 4: Connect to the Application Portal ............................................................. 32
Exercise 5: Enable Automatic User Link Repair .......................................................... 34
Test Your Knowledge .................................................................................................. 36
Resource Access ................................................................................................................. 39
What You Will Learn .................................................................................................... 39
Introduction ................................................................................................................. 39
Resource Types ........................................................................................................... 41
Web Resources ......................................................................................................................... 41
Tunnel Resources ..................................................................................................................... 41
Static and Dynamic Tunnels ...................................................................................... 42
How Static and Dynamic Tunnels Work ................................................................................... 42
About the Access Client ............................................................................................................ 43
Global Resource Settings ........................................................................................... 45
Protect Resources with Access Rules ........................................................................ 45
About Single Sign-On (SSO) ........................................................................................ 46
Exercise 1: Add a Resource for Secure Remote Web UI Access ............................... 47
Start the New Resource from the Application Portal ............................................................. 51
Exercise 2: Add an Access Rule and Apply it to a Resource ...................................... 53
Create the Access Rule ............................................................................................................ 53
Edit the Resource to Remove the Unnecessary Access Rule ................................................ 56
Test Resource Access in the Application Portal ..................................................................... 58
Exercise 3: Create an Outlook Web Access Resource ............................................... 60
Use the OWA 2003 Resource .................................................................................................. 63
Exercise 4: Configure SSO for Outlook Web Access ................................................... 65
Configure the Authentication Method for the SSO Domain ................................................... 69
Use the OWA 2003 Resource with SSO .................................................................................. 70
Exercise 5: Create a Full Network Access Tunnel Resource ...................................... 71
Exercise 6: Compare Static and Dynamic Tunnel Settings ........................................ 74
Configure an RDP resource with a Dynamic Tunnel .............................................................. 74
Configure an RDP Resource with a Static Tunnel .................................................................. 75
Examine the Tunnel Settings ................................................................................................... 76
Test Your Knowledge .................................................................................................. 78
Use the Access Client .......................................................................................................... 79
What You Will Learn .................................................................................................... 79
About the Access Client .............................................................................................. 79
Use the Access Client ................................................................................................. 80
Access Client Synchronization with the SSL Device ................................................. 81
Exercise 1: Use the On-demand Access Client ........................................................... 82
Before You Begin ...................................................................................................................... 82
Launch the On-demand Access Client .................................................................................... 82
See the Access Client Connection Status ............................................................................... 83
Close the Access Client and Tunnel Resource ........................................................................ 83
Exercise 2: Install the Access Client ............................................................................ 84
Install the Access Client ........................................................................................................... 84
Launch the Installed Access Client ......................................................................................... 84
Verify the Client Preferences .................................................................................................... 85
Exercise 3: Create and Use a Favorite Resource ........................................................ 86
Create a New Favorite .............................................................................................................. 86
Start the Favorite Automatically ............................................................................................... 86
Close and Start Favorite Resources from the Access Client Menu ....................................... 87
Edit or Delete Access Client Favorites ..................................................................................... 87
Test Your Knowledge .................................................................................................. 88
Assessment and Abolishment ............................................................................................ 89
What You Will Learn ................................................................................................... 89
End-Point Security Features ...................................................................................... 89
Assessment ............................................................................................................................... 89
Abolishment .............................................................................................................................. 90
End-Point Integrity Client .......................................................................................................... 90
Exercise 1: Create an Assessment Access Rule ......................................................... 91
Trigger the Assessment Access Rule ....................................................................................... 96
Exercise 2: Use Assessment to Check for Anti-Virus Software .................................. 98
Exercise 3: Create an Abolishment Access Rule ...................................................... 102
Trigger the Abolishment Access Rule .................................................................................... 104
Exercise 4: Change File Types to Monitor for Abolishment ...................................... 106
Test Your Knowledge ................................................................................................ 107
Administration ................................................................................................................... 109
What You Will Learn ................................................................................................. 109
Introduction ............................................................................................................... 109
Manage your Device Configuration Files ................................................................ 110
Manage Recent Configuration Files ...................................................................................... 110
Export and Import a Device Configuration File ..................................................................... 111
Update the WatchGuard SSL OS ............................................................................. 111
Install a Signed Certificate ....................................................................................... 112
Customize the Application Portal Page ................................................................... 113
Branding Changes from the WatchGuard SSL Web UI ........................................................ 113
Exercise 1: Restore a Saved Configuration ............................................................... 115
Exercise 2: Export and Import the Device Configuration .......................................... 116
Export the Configuration ........................................................................................................ 116
Import the saved configuration file ....................................................................................... 117
Exercise 3: Customize the Application Portal Page .................................................. 118
Customize the Application Portal Text and URLs ................................................................. 118
Customize the Application Portal Header Background Image ............................................ 119
Test Your Knowledge ................................................................................................ 121
Monitor the WatchGuard SSL System ............................................................................. 123
What You Will Learn ................................................................................................. 123
Introduction ............................................................................................................... 123
Exercise 1: Monitor System Status ............................................................................ 125
Exercise 2: Monitor User Sessions ............................................................................ 129
Exercise 3: Configure Administrative Alerts .............................................................. 130
Enable the Email Notification Channel ................................................................................. 130
Add Alerts ................................................................................................................................ 130
Exercise 4: Monitor System Logs ............................................................................... 133
Exercise 5: Create Reports ......................................................................................... 137
Test Your Knowledge ................................................................................................ 141
Course Introduction
About the WatchGuard SSL Device Solution
Training Options
Your WatchGuard SSL device is an affordable, easy-to-use, and secure remote access device that provides
reliable connectivity to your corporate data and resources. Its flexibility enables you to make your remote
connectivity deployment as simple or as sophisticated as your business requires.
If you use a WatchGuard SSL device, there are several training options available to you:
Getting Started Presentation
You can download and review the WatchGuard SSL Getting Started presentation. This PowerPoint
presentation provides an overview of the WatchGuard SSL device solution and its features.
WatchGuard SSL Basics Training Modules
Each training module available for the WatchGuard SSL device solution focuses on a specific feature
or function of configuration and management. For the most effective training path, we recommend
that you complete the training modules in the order they are presented.
To get access to the available training resources go to https://www.watchguard.com/training. You must
log in to the web site to get access to all the available training resources.
For more information, including configuration steps for advanced procedures, see the WatchGuard SSL
Web UI Help or the WatchGuard SSL Web UI User Guide.
Required Equipment and Software
To complete the WatchGuard SSL Basics training modules, you must have administrative access to a
WatchGuard SSL device.
For all modules and exercises you must have:
Computer requirements
Your computer must be a personal computer with the Microsoft Windows XP, Windows Vista,
Windows Server 2003, Windows 7, or Windows 8 operating system installed. Mac OS X is also
supported, but the exercises in these modules are written for computers with a Windows operating
system. Supported browsers are Internet Explorer 7 to 10, Mozilla Firefox, and Google Chrome.
WatchGuard SSL device
You must have a WatchGuard SSL 100 or SSL 560 device with WatchGuard SSL OS v3.2 or later
installed.
Devices: WatchGuard SSL 100 and SSL 560
Device OS version: WatchGuard SSL v3.2
For some of the exercises you might need:
WatchGuard SSL Access Client installer
For the Access Client module, you must have the Access Client installer. If you have a LiveSecurity
Service account, you can download the Access Client Installer from the WatchGuard web site through
the Software Downloads page.
Email server
In some of the exercises, you configure settings for notification. Notification messages are sent over
email or SMS. You must have an email server to complete these exercises.
Active Directory server
The Authentication and Users module describes how to use an Active Directory server for
authentication and user linking. You must have administrative access to an Active Directory server for
these exercises.
Network resources or web-enabled software
Some exercises show how to set up access to web-enabled applications or network resources. For
example some exercises show how to set up Microsoft Outlook Web Access as a resource. If you do
not have the software specified in a particular exercise, you can try to use whatever network
resources or web-enabled software you have available on your network.
Training Scenario
Throughout the WatchGuard SSL Basics training modules, we use a fictional company called Successful
Company. The modules build on a story of configuring an SSL Application Portal and remote application
access for Successful Company, but you can complete many of the exercises using examples from your
own network, or a set of addresses and situations provided by your WatchGuard Certified Training
instructor. Any resemblance between the situations described for Successful Company and a real
company is purely coincidental.
Prerequisites
This course is intended for moderately experienced network administrators. A basic understanding of
TCP/IP networking is required. No previous experience with network security or WatchGuard devices is
required.
Certification
The WatchGuard Certified System Professional (WCSP) exam is available for all WatchGuard partners. The
exam is based on the contents of this course, and we recommend that you study these training modules
to prepare for the exam. If you are a WCSP, you can log in to your LiveSecurity Service account and
locate the exam on the training page.
For more information about how to become a WCSP, see the Technical Certification page at:
http://www.watchguard.com/training/cert.asp
Additional Resources
For more information about how to install and configure your WatchGuard SSL device, see these
resources:
WatchGuard SSL Web UI v3.2 Help
You can launch the Help system from the WatchGuard SSL Web UI. For more information about the
features in a dialog box or application window, click the Help icon. A Help topic that describes
the features you see in the Web UI, and provides links to additional information, appears in your web
browser.
For the most up-to-date information, go to http://www.watchguard.com/help/documentation/ and
click the WatchGuard SSL Current documentation link to launch the WatchGuard SSL Web UI v3.2 Help.
You can also download the Help system for offline use.
WatchGuard SSL v3.2 User Guide
Go to http://www.watchguard.com/help/documentation/ and download the WatchGuard SSL Web UI
v3.2 User Guide.
WatchGuard Online Knowledge Base
Go to http://customers.watchguard.com
Getting Started
Set up your WatchGuard SSL Device
What You Will Learn
To manage your WatchGuard SSL device, you use a Web-based user interface. In this training module you
learn how to:
Register your device and get a feature key
Use the Quick Setup Wizard to set up a basic configuration
Connect to WatchGuard SSL Web UI and complete initial configuration tasks
Connect the WatchGuard SSL device to your network
Before you begin these exercises, make sure you read the Course Introduction module.
Introduction to the WatchGuard SSL Solution
Your WatchGuard SSL device is an affordable, easy-to-use, and secure remote access device that provides
your users reliable connectivity to your corporate data and resources, such as email and file shares. The
WatchGuard SSL 100 accommodates up to 100 concurrent users. The WatchGuard SSL 560
accommodates up to 500 concurrent users.
Components of the WatchGuard SSL solution
The WatchGuard SSL solution includes these major components:
WatchGuard SSL device
An all-in-one appliance that includes all the hardware, software, and WatchGuard servers for your
solution.
WatchGuard SSL Web UI
The Web-based administration application you use to monitor your WatchGuard SSL device, add user
accounts, manage access to your resources, and manage your system settings.
The WatchGuard SSL Application Portal
The web site where your users authenticate and get access to your network resources.
WatchGuard SSL Access Client
The On-demand SSL VPN client that enables access to tunnel resources in your Application Portal.
WatchGuard Mobile ID software
The software you install on the client computer or smartphone to use either the WatchGuard SSL
Challenge or WatchGuard SSL Synchronized authentication methods.
Before You Begin
Before you start the installation of your WatchGuard SSL device, you must have:
A computer with an Ethernet network interface and a web browser installed
A WatchGuard SSL device with power cable
An Ethernet cable
Get a WatchGuard device feature key
If you take this course with a training partner, your WatchGuard SSL device will already be registered
and your training partner can provide the feature key to use during the course.
To enable all of the features on your WatchGuard SSL device, you must activate the device on the
WatchGuard LiveSecurity web site and retrieve your feature key file. You can upload your feature key in
the Quick Setup Wizard if you register your device before you start the wizard. Or, you can complete the
wizard without a feature key. The SSL device only allows one authenticated user until you upload a
feature key to the device.
To register your WatchGuard SSL device, go to https://www.watchguard.com/activate.
To register your device, you must have the device serial number. We recommend that you register the
device and save a copy of the feature key from the LiveSecurity web site to your computer before you
start the Quick Setup Wizard.
Configuration Modes
You can configure your WatchGuard SSL device in one of two network configuration modes:
Single Interface Mode
Select this mode if you want to connect the WatchGuard SSL device to one network DMZ. In single
interface mode, only the Eth0 interface is active.
Dual Interface Mode
Select this mode if you want to connect the WatchGuard SSL device to two separate networks (for
example, two different DMZ networks). In dual interface mode, both the Eth0 and Eth1 interfaces are
active.
Single Interface Mode is most commonly used, and is the network configuration mode we use in the
exercise in this module.
Initial Configuration Steps
To configure your WatchGuard SSL device, you complete these basic steps:
(Optional) Reset the SSL device to factory default settings
You may need to reset the SSL device to factory default settings before you set up your SSL device
and work through the training exercises. See the optional exercise at the end of this module if you
want to reset your device before you begin.
Run the web-based Quick Setup Wizard to configure basic network and administrative settings.
Connect the device to your network.
Log in to the WatchGuard SSL Web UI to complete additional configuration steps.
About the WatchGuard SSL Web UI
The WatchGuard SSL Web UI main menu includes four sections:
Monitor System
You can use the Monitor System menu to see information about system status, user sessions, log
files, reports, licenses, and alerts.
User Management
You can use the User Management menu to manage user accounts, user groups, and configure the
SSL device to use an External Directory Service.
Resource Access
You can use the Resource Access menu to create Application Portal items to give users access to
applications, folders and files, and URLs.
Manage System
You can use the Manage System menu to see and manage the overall configuration of your
WatchGuard SSL system.
Above the main menu there are two buttons:
Browse
Click Browse to see the files on your WatchGuard SSL device or upload a file. You use this feature for
specific tasks that require you to upload a file or reference a file location on the device.
Publish
Click Publish after you make any configuration change to save the changes to the WatchGuard SSL
device. The Publish button changes from white to blue when you make changes that must be saved.
Exercise 1: Reset the SSL Device to Factory Default Settings (Optional)
There are two ways to reset your WatchGuard SSL device to factory default settings:
Use the WatchGuard SSL Web UI
If you can log into the WatchGuard SSL Web UI, you can restore the device to factory default settings
in the Web UI. This is the easiest method to restore the factory default settings.
Use Recovery Mode
If you cannot log into the WatchGuard SSL Web UI, you can start the device in recovery mode. When
the device is in recovery mode you can reinstall the software image and restart the device with
factory default settings.
Before You Begin
Before you start the recovery process, you must download a copy of the WatchGuard SSL OS onto your
computer. The file has an extension of .sysa-dl. You can download the file from the WatchGuard SSL
Software Downloads article located in the WatchGuard Knowledge Base. If the file you download is a zip
file, you must extract the files before you start the recovery process.
Start the WatchGuard SSL Device in Recovery Mode
1. Turn the power off.
2. Press and hold the up arrow on the front panel while you turn the power on.
3. Keep the button depressed until you see the words "Executing SysB" on the LCD display.
When you see the words "Recovery Mode Ready" on the LCD display, the device is in recovery mode.
In recovery mode, the Eth1 address of the device is set to 10.0.1.1.
Upload a New Software Image
You must use the command line FTP command to upload the software image. This is because many
commands are disabled on the WatchGuard SSL device for security. For example, you cannot change
directories (cd) or show the remote working directory (pwd). Other FTP programs rely on these
commands to show you a list of files in the remote directory, and cannot operate when these commands
are disabled.
Use these steps to upload a new software image to your WatchGuard SSL device.
1. Connect an Ethernet network cable between your computer and the Eth1 interface on the
WatchGuard SSL device.
2. Change the IP address of your computer to 10.0.1.2 (or to another IP address on the 10.0.1.0
network).
3. Open the command line interface of your computer. To do this: if you use Windows XP, select All
Programs > Accessories > Command Prompt from the Windows Start Menu.
4. Change your local working directory to the location where you saved the .sysa_dl file.
5. At the command prompt type:
ftp 10.0.1.1
6. Type admin as the user.
7. Type admin as the password.
8. At the ftp prompt, type:
bin
9. At the ftp prompt, type:
put <filename>
10. For the filename, type the name of the file you downloaded from the WatchGuard Software
Downloads knowledge base article.
11. Type quit to close the FTP connection and exit the program.
After the software image upload completes, the WatchGuard SSL device installs the software and resets
the configuration to the default settings. When the reset process completes, the device automatically
restarts.
Note
The installation and reset process can take up to 10 minutes. Do not turn off the device during this
process.
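The recovery upload above, scripted with Python's standard ftplib so that only the commands the device still accepts (USER/PASS, TYPE I, STOR, QUIT) are ever sent. This is an added example, not WatchGuard code; it assumes the device is in recovery mode at 10.0.1.1 on a directly connected cable, that recovery-mode FTP accepts the fixed admin/admin credentials, and that the downloaded image ends in .sysa-dl, possibly inside a zip file. The dry-run client records the command sequence instead of connecting, which is also what the test below checks.

```python
"""Scripted recovery-mode image upload (added example, not WatchGuard code).

Assumptions: device in recovery mode at 10.0.1.1 on a direct cable, fixed
admin/admin recovery credentials, image file named *.sysa-dl (optionally
inside a zip). CWD, PWD and LIST are never sent; the device disables them.
"""
import ftplib
import os
import zipfile
from pathlib import Path

RECOVERY_HOST = "10.0.1.1"      # Eth1 address in recovery mode
RECOVERY_USER = "admin"         # fixed recovery-mode credentials
RECOVERY_PASS = "admin"
IMAGE_SUFFIX = ".sysa-dl"


def find_image(download_dir):
    """Return the .sysa-dl image in download_dir, extracting a zip if needed."""
    download_dir = Path(download_dir)
    images = sorted(download_dir.glob("*" + IMAGE_SUFFIX))
    if images:
        return images[0]
    for archive in sorted(download_dir.glob("*.zip")):
        with zipfile.ZipFile(archive) as zf:
            for name in zf.namelist():
                if not name.endswith(IMAGE_SUFFIX):
                    continue
                # Refuse zip entries that would escape the download directory.
                if os.path.isabs(name) or ".." in Path(name).parts:
                    raise ValueError("unsafe zip entry: " + name)
                zf.extract(name, download_dir)
                return download_dir / name
    raise FileNotFoundError("no %s image found in %s" % (IMAGE_SUFFIX, download_dir))


class DryRunFTP:
    """Stand-in for ftplib.FTP that records the command sequence instead of
    talking to a device; used for dry runs and for testing."""

    def __init__(self):
        self.log = []

    def connect(self, host, port=21, timeout=None):
        self.log.append("connect %s:%d" % (host, port))

    def login(self, user, passwd):
        self.log.append("USER %s" % user)

    def storbinary(self, cmd, fh):
        self.log.append("TYPE I")          # what 'bin' does at the ftp prompt
        self.log.append(cmd)
        fh.read()                          # consume the file as a real upload would

    def quit(self):
        self.log.append("QUIT")


def upload_image(image_path, host=RECOVERY_HOST, dry_run=False):
    """Upload the image with the minimal command sequence.
    Returns the command log for a dry run, otherwise None."""
    image_path = Path(image_path)
    if image_path.suffix != IMAGE_SUFFIX:
        raise ValueError("expected a %s file, got %s" % (IMAGE_SUFFIX, image_path.name))
    ftp = DryRunFTP() if dry_run else ftplib.FTP()
    ftp.connect(host, 21, timeout=60)
    ftp.login(RECOVERY_USER, RECOVERY_PASS)
    with open(image_path, "rb") as fh:
        # storbinary issues TYPE I (the 'bin' step) and then STOR <name>.
        ftp.storbinary("STOR " + image_path.name, fh)
    ftp.quit()
    return ftp.log if dry_run else None


if __name__ == "__main__":
    # Run from the directory that holds the downloaded image.
    image = find_image(".")
    print("uploading", image.name)
    upload_image(image)
```

Run it from the download directory while the LCD shows "Recovery Mode Ready"; the command sequence is the same one the manual steps above produce, so the device's disabled cd/pwd commands are never needed.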
Next Steps
After you restore the software image and the device restarts with factory default settings, you can use
the Quick Setup Wizard to set up your configuration again.
Exercise 2: Run the Quick Setup Wizard
The Successful Company has purchased a new WatchGuard SSL device, and the administrator is ready to
start the installation.
In this exercise, we complete the initial installation with the Quick Setup Wizard. In the Quick Setup
Wizard, you set up a network interface and administrator credentials that enable you to connect to
WatchGuard SSL Web UI for administration.
1. Configure your computer to use a static IP address on the 192.168.111.0/24 network.
Note
The default IP address of the WatchGuard SSL device is 192.168.111.1. Do not set your computer to use
192.168.111.1.
2. Use an Ethernet cable to connect the Ethernet interface on your computer to the Eth1 interface
(labeled 1) on the WatchGuard SSL device.
3. Attach the power cord to the AC receptacle on the rear of the WatchGuard SSL device and to a power
source.
4. Power on the WatchGuard SSL device.
5. Open a web browser and type: https://192.168.111.1:8443
The Quick Setup Wizard begins.
Note
Because the WatchGuard SSL device uses a self-signed certificate, you may see a certificate warning in
your browser. For this initial setup over a direct cable connection you can continue past the warning
(Internet Explorer) or add a certificate exception (Mozilla Firefox). Replace the self-signed certificate with
one issued by a CA your browsers trust before you manage the device across a network.
Your instructor will provide you with the information you need to configure your WatchGuard SSL device for the training environment.
6. Upload your feature key file, if you have it.
If you do not upload a feature key file, only one authenticated user can get access to the device. If you do not
have a feature key, you can continue with the wizard, and then upload a feature key from the Web UI after you
finish the wizard.
Note
You get the feature key for your SSL device when you register it at the WatchGuard.com web site. You
then save the feature key to a text file that you can upload to the device.
7. Select the Time Zone.
8. Set the current Date and Time, and specify an NTP Server.
Though it is optional, we recommend that you specify an NTP Server. Accurate time is important not only
for log message time stamps, but also for the SSL handshake, because certificate validity periods are
checked against the current time.
9. Type the Super Administrator User Name and Password. This is a local account on the SSL device. It
does not correspond to any user object that exists in your organization.
You can disable enforcement of the Super Administrator password policy on the Monitor System > System Status > Manage Settings page. We do not recommend this for a production device.
The Super Administrator password must be at least six characters long and must include characters
from at least three of these four categories:
- English uppercase characters (from A through Z)
- English lowercase characters (from a through z)
- Base-10 digits (from 0 through 9)
- Non-alphanumeric characters (for example: !, $, #, or %)
10. Select the Network Type. For this exercise, select Single Interface Mode.
In Single Interface Mode, only the Eth0 network interface is used.
If you select Dual Interface Mode, you also configure the IP Address and Subnet Mask for the Eth1 interface here.
11. Configure the network settings for the Eth0 network interface. The first four are required.
- In the IP Address text box, type the IP address to use for Eth0.
- In the Subnet Mask text box, type the subnet mask. For example, 255.255.255.0.
- In the Default Gateway text box, type the IP address of the default gateway on the Eth0
network.
- In the Primary DNS text box, type the IP address of the primary DNS server on the Eth0
network.
- (Optional) In the Secondary DNS text box, type the IP address of the secondary DNS server.
- (Optional) In the Hostname text box, type the fully qualified host name of the device.
For example, ssl.mywatchguard.com or vpn.mycompany.com.
The hostname must be a publicly resolvable hostname or external IP. The Hostname setting is
optional, but because it is required for some types of connections, we recommend that you
specify it here.
- (Optional) In the DNS Search Order text box, type the domain names to include in DNS name
searches. The order in which you type the names specifies the search order. When you add
more than one domain name, separate each name with only a space. Do not add other
punctuation or separation marks.
12. Finish the wizard.
On the final wizard page you see:
- A summary of the configured interface settings and network type.
- The interface and IP address you must use to connect after the device reboots.
Exercise 3: Use the WatchGuard SSL Web UI to Finish Initial Setup
After the Quick Setup Wizard finishes, you can connect to the WatchGuard SSL Web UI to continue the
configuration, management, and monitoring tasks.
Log in to the WatchGuard SSL Web UI
1. Connect the Eth0 network interface of WatchGuard SSL device to your network.
In Single Interface Mode, only the Eth0 interface is active.
2. Connect your computer to your network. Make sure to reset the IP address of your computer to an IP
address on the network.
3. In a web browser, type https://<Eth0 IP Address>:8443. Use the IP address you configured for
Eth0 in the previous exercise. 8443 is the default HTTPS Administrator Port.
4. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.
The WatchGuard SSL Web UI appears.
Upload a Feature Key
If you did not upload a feature key in the Quick Setup Wizard, you should do so now.
1. Select Monitor System > Feature Key.
The Feature Key page appears. The Upload a new feature key section appears at the bottom.
2. Select Upload a new feature key.
3. Click Browse and select the feature key file.
4. Click Upload New Feature Key to replace the current feature key.
5. Click Publish to update your configuration with the feature key change.
Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.
1. True or false? You must connect your computer to Eth1 to run the Quick Setup Wizard.
2. Which of these network settings are required in the Quick Setup Wizard? (Select all that apply.)
A) Primary DNS
B) Default Gateway
C) Subnet Mask
D) Interface name
E) IP Address
3. True or false? You can complete the Quick Setup Wizard without a feature key.
4. When should you select Dual Interface Mode? (Select one.)
A) When you want to configure fail-over to a second device
B) When you want to use a dedicated interface for device management
C) When you want to give users different levels of network access
D) When you want to connect the device to more than one network
5. True or false? The WatchGuard SSL Application Portal is the Web-based administration application
you use to monitor and manage your WatchGuard SSL device.
ANSWERS
1. True
2. A, B, C, E
3. True
4. D
5. False
Authentication and Users
Manage Authentication Methods and User Accounts
What You Will Learn
With WatchGuard SSL Web UI you can configure and manage multiple authentication methods, manage
local user accounts, and use an external directory service.
In this training module you learn how to:
- Understand the five WatchGuard SSL authentication methods
- Configure Active Directory authentication with LDAP over SSL
- Configure global user account settings
- Manually add a user to the Local User Database
- Create user accounts by linking to an External Directory Service
Before you begin these exercises, make sure you read the Course Introduction module.
About Authentication
Authentication is a central part of the configuration of your WatchGuard SSL device. You configure
authentication methods in the Manage System menu of WatchGuard SSL Web UI. This module focuses
on how to enable and configure the authentication methods you want to use, and how to enable one or
more authentication methods for your users.
You can also use authentication methods in access rules to control which authentication methods users
must use to connect to network resources. You learn about access rules and network resources in the
Resource Access training module.
Authentication Methods
WatchGuard SSL supports sixteen authentication methods. There are five WatchGuard SSL
authentication methods and eleven other authentication methods you can use to integrate with your
existing authentication services.
WatchGuard SSL Authentication Methods
The WatchGuard SSL authentication methods use the RADIUS (Remote Authentication Dial In User
Service) networking protocol. These methods are enabled on the WatchGuard SSL device by default.
WatchGuard SSL Web
You can use this method for authentication in a web browser. Users type their user names and then a
Java applet or ActiveX client is launched. The client prompts the user to type a password or PIN. The
password or PIN is then hashed and encrypted before it is returned to the server.
WatchGuard SSL Password
The WatchGuard SSL Password authentication method is based on static password authentication. A
static password is created and maintained to authenticate remote access with a RADIUS client.
WatchGuard SSL Challenge
You can use this method for authentication in a web browser, WAP client, or with a PDA. Users type
their user names, and are prompted (challenged) to provide private information (the response)
before they are allowed access. The challenge-response technique is most often used with a
hardware token that generates the response. In WatchGuard SSL Challenge, the Mobile ID software
client generates the response. Users type their PINs in the Mobile ID client and the Mobile ID software
generates a one-time-password (OTP).
You can install the Mobile ID client on a mobile device such as a handheld PC or a cell phone, or on a
laptop or desktop computer.
WatchGuard SSL Synchronized
You can use this method for two-factor authentication in a web browser, WAP client, or with a PDA.
Users type their user IDs and are prompted for a one-time password (OTP). In WatchGuard SSL
Synchronized, an integrated software client (Mobile ID) generates the OTP. Users type their PINs in the
Mobile ID client and the Mobile ID software generates the one-time-password (OTP) based on the PIN
and on a seed that is synchronized with the WatchGuard SSL device. The seed is different for each
user.
You can install the Mobile ID client on a mobile device, such as a handheld PC or a cell phone, or on
your laptop or desktop computer.
WatchGuard SSL Mobile Text
This method is based on a combination of an account password and one-time password (OTP)
distributed through an SMS channel. For this method, users type the account password on the web
login page. The WatchGuard SSL device generates an OTP and sends it to the cell phone number or
email address registered to that user account. The user must type the OTP to complete the
authentication process.
You can use the WatchGuard SSL Mobile Text authentication method on a mobile device such as a
handheld PC or a cell phone, as well as on a desktop PC or Mac computer.
When you select Allow Two-step Authentication in the authentication method configuration,
authentication is distributed over two sessions: the server sends the OTP to the mobile phone, and
then the user logs on with the OTP.
The WatchGuard SSL authentication methods Challenge and Synchronized use the WatchGuard SSL
Mobile ID client to generate the OTP response. The Mobile ID client is available on the WatchGuard web
site Software Downloads page as a separate file. You can download this file and distribute the Mobile ID
clients to your users to install on their mobile devices.
The five WatchGuard authentication methods also support the Self Service feature. With Self Service
enabled, users can create their own accounts, reset forgotten passwords, and retrieve a forgotten user
name. See the WatchGuard SSL Web UI Help or User Guide for information about how to configure Self
Service.
Other Supported Authentication Methods
In addition to the five WatchGuard SSL authentication methods, the WatchGuard SSL device supports
these authentication methods:
- General RADIUS: Can be used with any RADIUS-compliant authentication server.
- SecurID: Supports RSA SecurID tokens that generate a one-time password (OTP).
- LDAP: Performs an LDAP bind.
- Active Directory: Performs an LDAP bind and can allow users to change their passwords. This is
only supported with Microsoft Active Directory (AD) servers.
- Novell eDirectory: Performs an LDAP bind and can allow users to change their passwords.
- Windows Integrated Login: Uses Windows domain credentials for authentication.
- NTLM: Uses the NTLM authentication protocol found in various Microsoft protocol implementations.
- Basic: Performs basic authentication according to RFC 2617, HTTP Authentication: Basic and Digest
Access Authentication.
- User Certificate: Uses attribute mapping. The user is authenticated only if the configured User
Attribute exactly matches the Certificate Attribute.
- Form-Based Authentication: Uses HTML forms that you can edit.
- Confidence Online: Uses the Confidence Online client for authentication.
Authentication Method Configuration
General Settings
For each authentication method you can configure these general settings:
Display Name
The name that appears in the Application Portal for this authentication method.
Template Name
The name of the template that defines the appearance of the Authentication Portal page when users
log on with this authentication method.
Template Specification
For most authentication methods, you can click Manage Default Template Specification to
customize the appearance of the Authentication Portal page.
Authentication Method Server
This is the server that provides authentication for this authentication method. For the five
WatchGuard SSL authentication methods, the Authentication Method Server is the RADIUS server on
the SSL device.
When you add an authentication method, the Template Name and Template Specification are
automatically configured with the default settings.
RADIUS Replies
For the authentication methods that use the RADIUS networking protocol, the authentication method
configuration includes some pre-defined RADIUS replies. The pre-defined RADIUS replies are different
for each authentication method. You can add, edit, or delete RADIUS replies to customize the messages
users see during authentication.
Extended Properties
Extended Properties define what happens when a user authenticates with each authentication method.
The default and available Extended Properties are different for each authentication method. You can
add, edit, or delete Extended Properties to customize the behavior of the authentication method you
selected.
About User Management
In the User Management menu of WatchGuard SSL Web UI you can manage user accounts and user
groups, configure an External Directory Service, and enable Self Service for user accounts.
The User Management menu of WatchGuard SSL Web UI has these menu options:
User Accounts
Manage user accounts and global user account settings. You can add users to the Local User
Database or link to an External Directory Service, if you have one configured.
User Groups
Manage user groups. You can create user groups based on either the properties of a user account or
the location of a user in the directory structure you specified. You can use user groups in Access Rules
to determine which resources a user has access to in the Application Portal.
External Directory Service
Configure an External Directory Service location, such as Active Directory or LDAP, where user
accounts are stored. When you use an External Directory Service, you can link user accounts to
existing user accounts that are configured in the directory service.
Self Service
Configure Self-Service to enable your users to activate an account, reset a forgotten password, or
retrieve a forgotten user name. To configure Self Service, you must enable an External Directory
Service, and you must manage the user passwords in the Local User Database. To use self-service,
your users must authenticate with one of the five WatchGuard SSL authentication methods.
Local User Accounts
Each local user account is stored in the WatchGuard SSL Local User Database. On the User Accounts
page, you can use one of these methods to create user accounts:
Add User
To manually add a user account to the Local User Database, select this method.
Create User Account by Linking
Create a basic user account based on an existing user in your External Directory Service. Basic
information for the user account is automatically copied from the External Directory Service and is
added to the Local User Database.
See the WatchGuard SSL Web UI Help or WatchGuard SSL User Guide for details about the User Import file.
Import User Account
Import user account information from a user import file. This is a text file, with column headings and a
row of data for each user account, with information separated by commas, semicolons, or tabs.
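A parser for a user import file of the kind just described (header row, one row per account, fields separated by commas, semicolons or tabs), added here as an example; it is not WatchGuard code and the column names "User ID", "Display Name" and "Email Address" are assumptions for illustration, since the real column set is defined in the WatchGuard SSL User Guide. It detects the delimiter from the header row, rejects files that lack a required column, and reports rows with a missing or duplicate User ID instead of silently importing them.

```python
"""User import file parser (added example, not WatchGuard code).
Assumed column names: 'User ID', 'Display Name', 'Email Address'."""
import csv
import io

DELIMITERS = (",", ";", "\t")
REQUIRED_COLUMNS = ("User ID", "Display Name")   # assumed names


def detect_delimiter(header_line):
    """Pick the delimiter that occurs most often in the header row."""
    counts = {d: header_line.count(d) for d in DELIMITERS}
    best = max(DELIMITERS, key=counts.get)
    if counts[best] == 0:
        raise ValueError("header row contains no comma, semicolon or tab")
    return best


def parse_user_import(text):
    """Return (users, errors): users is a list of dicts keyed by column name,
    errors lists rows rejected for a missing or duplicate User ID."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty import file")
    delimiter = detect_delimiter(lines[0])
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    header = [h.strip() for h in (reader.fieldnames or [])]
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        raise ValueError("missing required column(s): " + ", ".join(missing))
    users, errors, seen = [], [], set()
    for row_no, row in enumerate(reader, start=2):      # row 1 is the header
        clean = {k.strip(): (v or "").strip() for k, v in row.items() if k is not None}
        user_id = clean.get("User ID", "")
        if not user_id:
            errors.append("row %d: empty User ID" % row_no)
        elif user_id.lower() in seen:                    # User IDs are case-insensitive here
            errors.append("row %d: duplicate User ID %s" % (row_no, user_id))
        else:
            seen.add(user_id.lower())
            users.append(clean)
    return users, errors


# Constructed sample, semicolon-separated; not a real WatchGuard import file.
SAMPLE = (
    "User ID;Display Name;Email Address\n"
    "jsmith;John Smith;jsmith@example.com\n"
    "alee;Ann Lee;alee@example.com\n"
    ";No Id;nobody@example.com\n"
    "JSMITH;Duplicate;dup@example.com\n"
)

if __name__ == "__main__":
    imported, rejected = parse_user_import(SAMPLE)
    for user in imported:
        print("import", user["User ID"], user["Display Name"])
    for problem in rejected:
        print("reject", problem)
```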
How User Authentication Works
Authentication on the WatchGuard SSL device involves several key components that work together.
Authentication Method Server
The Authentication Method Server checks the authentication credentials when a user authenticates.
You configure it when you add an Authentication Method. For the five WatchGuard SSL
authentication methods, the Authentication Method Server is a RADIUS server on the SSL device
itself. For the LDAP authentication method, the External Directory Service is used as the
Authentication Method Server.
Local User Database
The Local User Database is the local LDAP database on the SSL device that stores user account
information. All users who authenticate to the SSL device must have a user account in the local LDAP
database on the device, regardless of the authentication method used. In some cases, the local user
account is automatically created during the authentication process. The Local User Database also
stores the authentication credentials for the WatchGuard SSL authentication methods. It does not
store the authenticating credentials for other authentication methods.
External Directory Service
An External Directory Service can be used for linking to a user account on the WatchGuard SSL device
and for searching user groups defined in the External Directory Service.
Authentication with WatchGuard SSL Authentication Methods
When a user authenticates to the WatchGuard SSL device with one of the WatchGuard SSL
authentication methods (Web, Password, Challenge, Synchronized, or Mobile Text), the authentication
process follows this procedure:
1. The user selects a WatchGuard SSL authentication method, and types the user account credentials.
2. The internal RADIUS server on the WatchGuard SSL device looks up the user account in the Local
User Database.
3. If the user account is not linked to an External Directory Service, the credentials the user typed are
compared to the credentials stored in the Local User Database.
If the user account is linked to an External Directory Service, the SSL device makes a read-only
connection to the External Directory Service to look up the user password.
4. If the credentials match, the user is redirected to the Application Portal page.
Authentication with non-WatchGuard Authentication Methods
When a user authenticates with one of the other supported authentication methods, the authentication
process follows a slightly different procedure:
1. The user selects a supported authentication method, and types the account credentials.
2. The configured authentication server is used to check the user credentials.
If the user credentials are not correct, the user authentication fails at this step.
3. If the credentials are correct, authentication succeeds and the SSL device looks for the user in the
Local User Database.
- First the SSL device checks for a matching user in the Local User Database.
- If the user does not exist in the Local User Database, the SSL device searches for the user in the
External Directory Service, if one is configured. If the user is found in the External Directory
Service, then the SSL device creates a user in the Local User Database.
- If the authentication method is configured with the Extended Property Allow user not listed
in any External Directory Service set to true, a user is created in the Local User Database
even if the user was not found in the External Directory Service.
4. If the user is found (or created) in the Local User Database in the previous step, the authentication
process is complete and the Application Portal appears.
If the user is not found, or was not created, the authentication process fails, and the user is not
allowed to connect to the Application Portal.
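Both procedures above, the flow for the five WatchGuard SSL methods and the flow for the other methods, as a small simulation added here to make the branching explicit; this is example code, not WatchGuard's implementation. In-memory dicts stand in for the Local User Database, the External Directory Service and the external authentication server, and the step numbers in the comments refer to the lists above.

```python
"""Simulation of the two authentication flows (added example, not WatchGuard
code). Stores are in-memory stand-ins for the Local User Database, the
External Directory Service and the configured authentication server."""
import hmac


class LocalUserDB:
    """Local LDAP database: user id -> {'password': ..., 'linked': bool}."""

    def __init__(self):
        self.users = {}

    def get(self, user_id):
        return self.users.get(user_id.lower())

    def add(self, user_id, password=None, linked=False):
        self.users[user_id.lower()] = {"password": password, "linked": linked}


class ExternalDirectory:
    """External Directory Service: user id -> password (for linked accounts)."""

    def __init__(self, accounts):
        self.accounts = {u.lower(): p for u, p in accounts.items()}

    def lookup_password(self, user_id):          # the read-only lookup in step 3
        return self.accounts.get(user_id.lower())

    def contains(self, user_id):
        return user_id.lower() in self.accounts


def _match(expected, supplied):
    """Constant-time comparison; None (no stored credential) never matches."""
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def authenticate_watchguard_method(user_id, password, local_db, ext_dir=None):
    """Flow for the five WatchGuard SSL methods (internal RADIUS server)."""
    account = local_db.get(user_id)                              # step 2
    if account is None:
        return False, "no account in Local User Database"
    if account["linked"]:                                        # step 3, linked
        if ext_dir is None:
            return False, "account is linked but no External Directory Service is configured"
        expected = ext_dir.lookup_password(user_id)
    else:                                                        # step 3, local
        expected = account["password"]
    if _match(expected, password):
        return True, "redirect to Application Portal"            # step 4
    return False, "credentials do not match"


def authenticate_external_method(user_id, password, auth_server, local_db,
                                 ext_dir=None, allow_unlisted=False):
    """Flow for the other methods: the configured server checks the
    credentials first, then the device finds or creates the local user."""
    if not _match(auth_server.get(user_id.lower()), password):
        return False, "rejected by authentication server"        # step 2
    if local_db.get(user_id) is not None:                        # step 3, first check
        return True, "existing local user, Application Portal"
    if ext_dir is not None and ext_dir.contains(user_id):        # step 3, second check
        local_db.add(user_id, linked=True)
        return True, "local user created from External Directory Service"
    if allow_unlisted:                                           # step 3, Extended Property
        local_db.add(user_id)
        return True, "local user created (Allow user not listed ... = true)"
    return False, "authenticated, but no local user and not allowed to create one"
```

The last branch is the one worth noticing operationally: with "Allow user not listed in any External Directory Service" set to true, any account the external server accepts becomes a local user, so that server's user base, not your directory, decides who can reach the Application Portal.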
Exercise 1: Manually Add a User Account
The Successful Company administrator wants to create a local user account for testing on the
WatchGuard SSL device. In this exercise you manually add a user to the Local User Database, and
configure the user to use one of the five WatchGuard SSL authentication methods.
1. Select User Management.
The Manage All User Accounts page appears, with a list of existing users.
2. Click Add User.
The Add User Account page appears.
3. Type a User ID and Display Name.
The User ID is the user name that users type when they authenticate. The Display Name only
appears in WatchGuard SSL Web UI to help you to easily distinguish one user account from another.
4. Click Next.
A list of authentication methods appears.
5. Select the check box for each WatchGuard SSL authentication method to enable for this user.
For this exercise, select the Enable WatchGuard SSL Password for the user account check box.
6. In the Email Address text box, type the email address for this user.
In this example, the Email Address and SMS mobile phone number are not required. You should
type an email address or mobile phone number for SMS if you want the system to send notifications
to your users about changes to their authentication credentials (password, PIN, or seed).
If you select the WatchGuard SSL Mobile Text authentication method, you must type the user's
mobile phone number in the SMS text box before you can continue.
7. Click Next.
The WatchGuard Authentication page appears with the settings for the authentication methods you selected.
Because we selected the WatchGuard SSL Password authentication method, we must specify the
password and properties for that authentication method. If we had selected other authentication
methods, the settings for those methods would also appear on this page.
8. In the WatchGuard SSL Password section, type and verify the password.
The password must be between six and sixteen characters and must include at least two numerals.
You can also select other Password Properties on this page. By default these properties are not
selected.
9. From the Notification drop-down list, select By Screen. This is the method the WatchGuard SSL
device uses to notify the administrator and user about changes to the user account.
The default notification method is By Screen, which displays the notification message about
updated authentication credentials to the administrator in the WatchGuard SSL Web UI after you
click Save.
You can customize the content of the notification messages in the Global Authentication Settings.
If the Email notification and SMS notification channels are enabled, you can also select these
notification options:
- By Email: Send notification of updated authentication credentials to the user through email.
- By Screen and Email: Use both the By Screen and By Email notification methods.
- By SMS: Send notification of updated authentication credentials to the user through SMS.
- By Screen and SMS: Use both the By Screen and By SMS notification methods.
If you select an Email or SMS notification option, you must also configure an email address in the
notification settings for this user account.
10. Click Finish Wizard.
The new user account appears in the User Accounts list.
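The two local password policies in this guide, the Super Administrator policy from the Quick Setup Wizard (at least six characters, characters from three of the four categories) and the WatchGuard SSL Password policy from step 8 above (six to sixteen characters, at least two numerals), as checker functions added here for illustration; they are not WatchGuard code. The one assumption is the reading of "non-alphanumeric": any character for which str.isalnum() is False, with letters counted only from the English alphabet as the policy text states.

```python
"""Password policy checks for the Super Administrator password and the
WatchGuard SSL Password (added example, not WatchGuard code).
Assumption: 'non-alphanumeric' means any character with str.isalnum() False."""
import string


def super_admin_password_problems(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 6:
        problems.append("must be at least six characters")
    categories = {
        "uppercase A-Z": any(c in string.ascii_uppercase for c in password),
        "lowercase a-z": any(c in string.ascii_lowercase for c in password),
        "digit 0-9": any(c in string.digits for c in password),
        "non-alphanumeric": any(not c.isalnum() for c in password),
    }
    present = sum(categories.values())
    if present < 3:
        missing = [name for name, ok in categories.items() if not ok]
        problems.append("uses %d of 4 character categories, need 3 (missing: %s)"
                        % (present, ", ".join(missing)))
    return problems


def ssl_password_problems(password):
    """Return policy violations for a WatchGuard SSL Password."""
    problems = []
    if not 6 <= len(password) <= 16:
        problems.append("must be between six and sixteen characters")
    digits = sum(c in string.digits for c in password)
    if digits < 2:
        problems.append("must include at least two numerals (has %d)" % digits)
    return problems


if __name__ == "__main__":
    for candidate in ("Passw0rd!", "password", "Abc123", "Pa1"):
        print(repr(candidate), "super admin:", super_admin_password_problems(candidate) or "ok")
    for candidate in ("secret12", "secret1", "a" * 15 + "12"):
        print(repr(candidate), "ssl password:", ssl_password_problems(candidate) or "ok")
```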
Exercise 2: Configure Active Directory with LDAP over SSL
The Successful Company wants to use their existing Active Directory Server to authenticate users to the
WatchGuard SSL Application Portal. In this exercise you configure Active Directory with LDAP over SSL.
Note
LDAP over SSL is also known as LDAP/S or LDAPS. It means that the LDAP connection between the LDAP
client (in this case, the WatchGuard SSL device) and the LDAP server (the Active Directory server) is
protected by TLS (Transport Layer Security): the client authenticates the server with its certificate, and the
LDAP traffic, including the bind password, is encrypted with a cipher suite negotiated by the TLS protocol.
LDAPS uses a dedicated port (TCP 636 by default) with TLS from the start of the connection. The term
"LDAP over TLS" is sometimes used for this as well, but strictly it refers to StartTLS, which upgrades a
plain LDAP connection on port 389 to TLS.
To complete this exercise you must have access to a Microsoft Active Directory server that is configured
to accept LDAP connections.
Before You Begin
This exercise assumes that you have already completed these steps on your Active Directory server:
- Enabled LDAP over SSL on your Active Directory server. The domain controller needs a server
certificate for this, normally issued by the Windows Certificate Server on your AD server computer.
- Exported the CA certificate from that Windows Certificate Server. You will import this CA certificate
to your SSL device in this exercise, so that the device can verify that the domain controller's
certificate chains to it.
For details about how to complete these required steps on your Active Directory server, see the
WatchGuard SSL Web UI Help or User Guide.
Configure the Active Directory Authentication Method on your SSL Device
After you have exported the certificate from your CA, enabled LDAP over SSL on your AD Server, and
issued the CA certificate, you can add the CA certificate to your SSL device and configure your SSL device
to use Active Directory Authentication.
Add a Certificate Authority to your SSL Device
If you do not have a CA certificate for your Active Directory server, you can skip the steps to add the
Certificate Authority to your SSL device procedure for training purposes only. In a production
environment we strongly recommend that you import the CA certificate. This is required for the SSL
device to validate the certificate used by the LDAP/SSL server on your Active Directory server. Without
the imported CA certificate, the SSL device cannot detect a man-in-the-middle attack between the SSL
appliance and the LDAP/SSL server.
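The verification the paragraph above describes, shown from the client side with Python's standard ssl module as an added example (not WatchGuard code): one TLS context that requires the domain controller's certificate to chain to the imported CA and to match the host name, and one that skips verification, which is the state the paragraph warns about, where the connection is encrypted but any host answering on port 636 is accepted. The host name and CA file path are placeholders.

```python
"""Verifying vs. non-verifying LDAPS client contexts (added example, not
WatchGuard code). Host name and CA file path below are placeholders."""
import socket
import ssl


def verifying_ldaps_context(ca_file=None):
    """Context that requires a valid chain to a trusted CA and a matching host
    name. ca_file is the exported CA certificate (PEM); None falls back to the
    system trust store, which will not know a private AD CA."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # the default; made explicit
    ctx.check_hostname = True
    return ctx


def unverified_ldaps_context():
    """Context with no certificate check: encrypted, but any server (or a
    man-in-the-middle) is accepted. Shown only as the bad configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ldaps_peer_certificate(host, ctx, port=636, timeout=5):
    """Open the TLS session the way an LDAPS client would and return the peer
    certificate as a dict. With a verifying context, a wrong CA or host name
    raises ssl.SSLCertVerificationError before any LDAP traffic is sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def certificate_summary(cert):
    """Extract subject CN, issuer CN, expiry and DNS SANs from getpeercert() output."""
    def common_name(name):
        for rdn in name:
            for attr, value in rdn:
                if attr == "commonName":
                    return value
        return None
    return {
        "subject_cn": common_name(cert.get("subject", ())),
        "issuer_cn": common_name(cert.get("issuer", ())),
        "not_after": cert.get("notAfter"),
        "dns_names": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
    }


if __name__ == "__main__":
    # Placeholders: replace with your domain controller and exported CA file.
    ctx = verifying_ldaps_context("ad-root-ca.pem")
    print(certificate_summary(ldaps_peer_certificate("dc1.wgtraining.local", ctx)))
```

A quick check of what the SSL device will see once the CA is imported: run the verifying context against the domain controller's LDAPS port and confirm that issuer_cn is your Windows Certificate Server and that the host name you configure on the SSL device appears in dns_names; if this fails here, it will fail on the device as well.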
1. Connect to WatchGuard SSL Web UI for your device.
2. Select Manage System > Certificates.
The Manage Certificates page appears.
3. Click Add Certificate Authority.
The Add Certificate Authority page appears.
4. Make sure the Enable Certificate Authority check box is selected.
5. In the Display Name text box, type a name for the CA certificate.
This is the name that appears on the Manage Certificates page in the Registered Certificate
Authorities list.
6. Click Browse and select the CA certificate.
7. For this training exercise, select No certificate revocation checking should be performed. In a
production environment, enable revocation checking if your CA publishes revocation information, so that
a revoked domain controller certificate is rejected rather than accepted.
8. Click Finish Wizard.
The certificate name appears in the Registered Certificate Authorities list.
Enable the Active Directory Authentication Method
After you add the CA certificate to your device, you can add the Active Directory (AD) authentication
method to your configuration to make a connection between your SSL device and your AD server.
When you use an Active Directory server, you can choose from many authentication methods. Because
users can change their passwords when they authenticate, we recommend that you use the Active
Directory authentication method. With this method, the password policy settings you defined in Active
Directory are enforced.
To configure Active Directory authentication:
1. Select Manage System > Authentication.
The Authentication page appears.
2. Click Add Authentication Method.
The list of authentication methods appears.
3. Select Active Directory. Click Next.
Configuration settings for the Active Directory authentication method appear.
4. In the Display Name text box, type a name for this Active Directory authentication method.
This is the name that appears in the Registered Authentication Methods list.
5. Click Add Authentication Method Server.
The Add Authentication Method Server page appears.
6. In the Host text box, type the IP address or DNS name of your AD server.
7. If necessary, change the Port and Timeout settings. LDAP over SSL uses TCP port 636 by default and
plaintext LDAP uses TCP port 389, so make sure the Port matches the LDAPS listener on your domain
controller. In most cases you do not need to change the Timeout.
8. In the Account text box, type the user name of the account the SSL device uses to bind to the AD
server. This can be a User Principal Name, a Distinguished Name, or a NetBIOS domain name. Make sure
you type the user name in the correct form, and use a dedicated account with read-only rights rather
than a domain administrator account.
For example:
- username@myexample.com
- CN=username,CN=Users,DC=myexample,DC=com
- myexample\username
9. In the Password text box, type the password for the user name you specified.
10. In the Root DN text box, type the Root DN information for the AD server where user accounts are
stored. Make sure you use the correct Root DN form.
For example, dc=myexample,dc=com
11. Click Next.
The Authentication Method Server appears in the Registered Authentication Method Servers list.
12. Click Next.
The Extended Properties page appears with a default list of Registered Extended Properties.
13. Click Finish Wizard.
The Active Directory authentication method appears in the Registered Authentication Methods list.
14. Click Publish to update your configuration with this change.
Exercise 3: Link User Accounts to the Existing AD Server
The Successful Company administrator wants to reuse the existing user account information on the
Active Directory server for accounts for the WatchGuard SSL device. In this exercise you configure the
Active Directory server as an External Directory Service Location and then link to it to create user
accounts.
Add an External Directory Service Location
1. Select User Management > External Directory Service.
The Manage External Directory Service page appears.
2. Click Add External Directory Service Location.
The Add External Directory Service Location page appears.
Microsoft Active Directory is automatically selected.
3. Click Next.
4. In the Display Name text box, type the name of this External Directory Service as you want it to
appear in the WatchGuard SSL Web UI. In this example, we use the domain of our Active Directory
Server, wgtraining.local, as the Display Name.
5. In the Host text box, type the IP address of your Active Directory server.
6. The Port is automatically set to 389. Verify that this is correct for your AD server. Note that 389 is
the plaintext LDAP port, so the account password you type in the next step and the directory data travel
unencrypted on it; use the LDAP over SSL port (636) if your AD server and this page's settings support it.
7. Type the Account and Password of a user account you want the SSL device to use to contact your
AD server. For security reasons, this should be a read-only account, not the AD administrator
account.
8. Click Test Connection to test the connection to your AD server.
If your configuration is correct, a Connection test is successful message appears.
If the connection test fails, review the settings for your AD Server External Directory Service Location,
and correct any errors in the configuration.
9. Click Next.
The External Directory Service Location Search Rules settings appear.
The WatchGuard SSL Local User Database uses search rules to match users and user groups. You
must add search rules so that the users and groups can be found in the External Directory Service.
When you add search rules, make sure you define them based on the directory structure of your
organization and the user objects you want to use in your rules.
10. To add a User Search Rule, click Add User Search Rule.
The Add User Search Rule page appears.
11. In the User Root DN text box, type the distinguished name (DN) of the container on your AD server
that holds the users. Or, click Show Tree to select it.
Note
In this example, we use the Root DN of the domain. In a real deployment we recommend that you specify
the container (for example, an OU) where the users are actually located. A narrower Root DN limits
which directory objects the device can match and link, and it speeds up searches in large AD
environments that have many users and groups.
12. Click Next.
The User Search Rule you added appears in the Registered User Search Rules list.
13. To add a Group Search Rule, click Add User Group Search Rule.
The Add User Group Search Rule page appears.
14. In the User Root DN text box, type the distinguished name of the container on your AD server that
holds the groups. Or, click Show Tree to select it.
15. Click Next.
The Group Search Rule you added appears in the Registered User Search Rules list.
16. Click Finish Wizard.
The Manage External Directory Service page appears.
The Registered External Directory Service Locations list now includes the External Directory
Service you added and shows the connection status. Make sure the status is Connected.
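To make the Root DN note above concrete, here is an added example, written for this guide and not WatchGuard code, that models how a User Search Rule and a User Group Search Rule scope a lookup. The directory entries, the layout of the wgtraining.local domain, and the assumption that the device matches the User ID against the AD sAMAccountName attribute are all constructed for the example:

```python
# Added example (not WatchGuard code): models how a Search Rule's Root DN
# scopes what a lookup can match. The directory below is constructed for the
# example; the attribute names are AD conventions and the assumption that the
# device matches User IDs on sAMAccountName is ours.


def parse_dn(dn):
    """Split an LDAP DN into (type, value) pairs, most specific RDN first.

    A backslash-escaped comma inside a value (e.g. "CN=Brown\\, Bob") does not
    split the DN. Types and values are lower-cased so comparisons are
    case-insensitive, which is how AD treats DNs.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().lower(), value.strip().lower()))
    return pairs


def dn_in_subtree(dn, root_dn):
    """True if dn is root_dn itself or lies anywhere beneath it."""
    entry, root = parse_dn(dn), parse_dn(root_dn)
    return len(entry) >= len(root) and entry[-len(root):] == root


def same_dn(a, b):
    return parse_dn(a) == parse_dn(b)


# Constructed sample directory for the wgtraining.local domain used in the exercise.
DIRECTORY = {
    "CN=Alice Adams,OU=Users,DC=wgtraining,DC=local":
        {"objectClass": "user", "sAMAccountName": "alice"},
    "CN=Brown\\, Bob,OU=Users,DC=wgtraining,DC=local":
        {"objectClass": "user", "sAMAccountName": "bob"},
    "CN=svc-ssl-bind,OU=Service Accounts,DC=wgtraining,DC=local":
        {"objectClass": "user", "sAMAccountName": "svc-ssl-bind"},
    "CN=Remote Users,OU=Groups,DC=wgtraining,DC=local":
        {"objectClass": "group", "sAMAccountName": "Remote Users",
         "member": ["CN=Alice Adams,OU=Users,DC=wgtraining,DC=local",
                    "cn=brown\\, bob,ou=users,dc=wgtraining,dc=local"]},
}


def find_user(directory, user_root_dn, user_id):
    """Model of a User Search Rule: subtree search below user_root_dn for a
    user object whose sAMAccountName equals the User ID typed at link time."""
    return [dn for dn, attrs in directory.items()
            if attrs["objectClass"] == "user"
            and attrs["sAMAccountName"].lower() == user_id.lower()
            and dn_in_subtree(dn, user_root_dn)]


def groups_of(directory, group_root_dn, user_dn):
    """Model of a User Group Search Rule: groups below group_root_dn whose
    member attribute names the user's DN."""
    return [dn for dn, attrs in directory.items()
            if attrs["objectClass"] == "group"
            and dn_in_subtree(dn, group_root_dn)
            and any(same_dn(m, user_dn) for m in attrs.get("member", []))]


if __name__ == "__main__":
    domain_root = "DC=wgtraining,DC=local"
    users_ou = "OU=Users,DC=wgtraining,DC=local"
    # The bind account is linkable when the rule starts at the domain root...
    print(find_user(DIRECTORY, domain_root, "svc-ssl-bind"))
    # ...but not when the rule is scoped to the container that holds real users.
    print(find_user(DIRECTORY, users_ou, "svc-ssl-bind"))
    print(groups_of(DIRECTORY, "OU=Groups,DC=wgtraining,DC=local",
                    find_user(DIRECTORY, users_ou, "bob")[0]))
```

Moving the User Root DN from the domain root to OU=Users means the bind account that lives under OU=Service Accounts can no longer be linked as a portal user, and every lookup walks a smaller subtree. That is the added security and the performance gain the note refers to.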
Link Users to the AD server
The Successful Company has added their Active Directory server as an External Directory Service.
Now they can link WatchGuard SSL users to the AD server.
1. Select User Management > User Accounts.
The Manage All User Accounts page appears.
2. At the bottom of the page, click Create User Account by Linking.
The Manage User Linking page appears.
3. In the User ID text box, type the user name for the user you want to add as it appears in the External
Directory Service.
4. Click Link User.
A message appears that says the user account information was successfully saved.
5. To create another user by linking, repeat Steps 3 and 4.
The second user is saved and linked.
6. After you add all linked users, select User Accounts to return to the list of users.
When you create a user account by linking, account information is automatically populated. You can
see in this example that the Display Name and Email address of the linked user account appear in
the User Accounts list.
Note
If the linked user account is later moved in the External Directory Service, the link is broken between
the Local User Database and the External Directory Service. On the User Accounts page, click Repair
Linked User Account to detect and fix broken links.
Exercise 4: Connect to the Application Portal
In this exercise, you connect to the WatchGuard SSL Application Portal as one of the users you created in
the previous exercises.
1. Open a web browser and type the domain name of the Application Portal. You can also type the
IP address of the SSL device and the Application Portal port number.
For example, type https://50.50.50.106:443
A list of enabled authentication methods appears.
2. Select an authentication method.
The Authentication page for that method appears.
3. Type and submit your user credentials.
The Application Portal page appears.
Note
No resources will appear in your WatchGuard SSL Application Portal until you add them. We discuss
how to do that in the Resource Access training module.
Exercise 5: Enable Automatic User Link Repair
If a linked user account is moved in the External Directory Service, the link is broken between the Local
User Database and the External Directory Service. The Successful Company administrator wants the
system to automatically repair user links, when possible. In this exercise you edit the Global User Account
Settings to make this change.
1. Select User Management > User Accounts.
The User Accounts page appears.
2. Click Global User Account Settings.
The Manage Global User Account Settings page appears. The General Settings tab is selected by default.
On the General Settings tab, the administrator can change the default settings for user account
access, WatchGuard authentication, and timeouts. The administrator reviews the settings, but does
not see a need to make any changes here.
3. Select the Repair User Links tab.
The Automatically Repair User Links page appears.
4. Select the Automatically repair user links check box.
If a user with a broken user account link tries to connect to the SSL device, the system automatically
tries to repair the user account link.
5. Click Save.
Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.
1. Which WatchGuard SSL authentication methods require that users install the Mobile ID client to
generate a one-time password? (Select two.)
A) WatchGuard SSL Web
B) WatchGuard SSL Password
C) WatchGuard SSL Challenge
D) WatchGuard SSL Synchronized
E) WatchGuard SSL Mobile Text
2. Which authentication method setting controls the appearance of the authentication page?
(Select one.)
A) Authentication Server
B) Registered RADIUS Replies
C) Template Specification
D) Layout Specification
E) Extended Properties
3. Which of these tasks must you complete before you can enable Active Directory over TLS on the
WatchGuard SSL device? (Select all that apply.)
A) Issue the CA Certificate from the Windows Certificate Server on the Active Directory server computer.
B) Install a Certificate Server on your WatchGuard SSL device.
C) Enable LDAP over SSL on the Active Directory Server.
D) Import the CA certificate to the WatchGuard SSL device.
4. Which of these options are methods to add user accounts to the Local User Database?
(Select all that apply.)
A) Manually add the users.
B) Link to existing users in an External Directory Service.
C) Import the user account information from an SQL database.
D) Import the user account information from a text file.
5. If a linked user account is moved in the External Directory Service, the link is broken between the
Local User Database and the External Directory Service. Which of these methods could you use to
repair the broken link? (Select all that apply.)
A) On the User Accounts page, select Repair Linked User Account.
B) Enable Self Service so that users can fix their own broken account links.
C) In the Global User Account Settings, enable the option Automatically repair user links.
D) Edit the user account and click Link User to repair the link.
6. True or false? You must enable an External Directory Service to use the Self Service feature.
ANSWERS
1. C, D
2. C
3. A, C, D
4. A, B, D
5. A, C, D
6. True
Resource Access
Enable Access to Network Resources
What You Will Learn
The WatchGuard SSL Application Portal enables you to give your users secure access to your network
resources. In this training module you learn how to:
Configure Web Resources and Tunnel Resources
Define access rules to protect your resources
Add and remove resources from the Application Portal
Configure Single Sign-On (SSO) Domains for resources
Before you begin these exercises, make sure you read the Course Introduction module.
Introduction
The Application Portal is a web site on the WatchGuard SSL device where users can connect to your
corporate applications and resources from remote locations. After a user authenticates to the
Application Portal, the applications and resources available to that user appear as icons the user can
select.
The applications and resources that appear in the Application Portal are called Application Portal items.
In this module you learn how to configure and control access to Application Portal items.
In the Resource Access section of the Web UI Main Menu, you define and manage the applications and
resources available to users in your Application Portal.
The Resource Access section has these left menu options:
Resources
Add, edit, and delete resources that can appear on your WatchGuard SSL Application Portal.
Resources can be Tunnel Resources or Web Resources. On this page you can also manage Global
Resource Settings.
Client Firewall
Add, edit, and delete client firewall configurations to control traffic between the WatchGuard Access
Client and Tunnel Resources.
Access Rules
Manage Access Rules that apply to specific resources, and Global Access Rules that apply to all
resources. Access Rules can include required authentication methods, group membership, date
period, client IP address, client assessment, and client device.
Application Portal
Define which resources to make available to users as Application Portal items. When you add a
resource, you select whether the resource is available in the Application Portal. The Application Portal
page shows only the resources that are available in the Application Portal.
SSO Domains
Create SSO (Single Sign-On) domains for resources. This enables users to authenticate with their user
credentials one time to get access to multiple resources in the same domain.
Resource Types
You define a resource for each network resource or application that you enable for your users. There are
two types of resources: Web Resources and Tunnel Resources.
Web Resources
You can create Web Resources to give your users access to any files that you can connect to with a web
browser, or applications with a web interface such as Microsoft Outlook Web Access. Users can connect
to a Web Resource with just a web browser. The WatchGuard SSL Access Client is not required.
The WatchGuard SSL device includes Web Resource templates for several popular applications to help
you set them up quickly. Available Web Resources include:
Citrix MetaFrame Presentation Server
Citrix XenApp Server
Microsoft Active Sync
Microsoft Outlook Mobile Access
Microsoft Outlook Web Access 2003
Microsoft Outlook Web Access 2007
Microsoft Outlook Web App 2010
Microsoft SharePoint Portal Server 2003
Microsoft SharePoint Portal Server 2007
Secure Remote Access to the Web UI
Web Resource
Select the default template, Web Resource to create a resource for access to other web-enabled
applications.
Web Resource Paths
A Web Resource has a resource host which is the HTTP or HTTPS server specified in a URL. The Web
Resource may also have one or more web resource paths. A resource path is a location on a Web Resource,
and defines a subset of the web server. You can configure the access rules and other settings for
individual resource paths. When you use one of the pre-defined Web Resource templates to create a
resource, the Add Web Resource Wizard automatically adds and configures the required Web Resource
paths for you. Both resource hosts and resource paths appear on the Web Resources tab of the
Resources page.
Tunnel Resources
Note
The Access Client is an on-demand SSL VPN client. You learn more about this client in the module Use
the Access Client.
You can create a Tunnel Resource to give your users access to client-server applications, intranet sites, or
network resources that are not web-enabled. To connect to Tunnel Resources, the user must use the
WatchGuard SSL Access Client. You can create a file share resource to enable users to open, copy,
rename, delete, upload, and download files. You can create a Full Tunnel resource to enable users to get
access to a set of network resources at the IP level, similar to traditional IP VPN solutions. Examples of
Tunnel Resources include Microsoft Outlook, Remote Desktop, or a Windows file share.
The WatchGuard SSL device includes Tunnel Resource templates with partial configurations for several
common resource types to help you set them up quickly.
Available Tunnel Resources include:
Access to Home Directory
Full Tunnel
Microsoft Outlook Client 2003/2007
Microsoft Windows File Share
Microsoft Terminal Server 2003
Microsoft Terminal Server 2008
RDP Access
SSH Access
Tunnel Resource
Select the default template, Tunnel Resource, to create a resource for access to other applications or
network resources that are not web-enabled.
Note
Tunnel resources support all TCP and UDP ports. Other protocols such as ICMP (ping), ESP, and GRE are
not supported.
Static and Dynamic Tunnels
You can configure a Tunnel Resource to use either a static or dynamic tunnel. To decide whether to use a
static tunnel or a dynamic tunnel, make sure you consider these factors:
The operating systems on the user's computers that will use the resource.
- Only computers that use Windows can use dynamic tunnels.
- Any computer that has a browser and Java can use static tunnels.
The number of IP addresses to include in the resource.
- Use a dynamic tunnel for access to a tunnel resource with many IP addresses.
- Use a static tunnel for access to a tunnel resource with only one IP address.
The number of TCP or UDP ports to include in the resource.
- A dynamic tunnel enables access to many TCP and UDP ports on the Tunnel Resource.
- A static tunnel enables access to only one TCP or UDP port on the Tunnel Resource host.
Note
Web Resources do not use tunnels. Instead, a Web Resource opens in a web browser on the user's
computer, which sends its traffic to URLs generated by the SSL device. To direct the traffic, the SSL
device rewrites the URLs in the resource's pages and forwards the traffic to the correct web host.
How Static and Dynamic Tunnels Work
For both static and dynamic tunnels, the underlying mechanism is the same: the Access Client software
receives the traffic that the user's computer sends over the VPN, and then sends the traffic through the
loopback interface of the user's computer. The Access Client then encrypts the data and sends it to the
SSL device through the physical network interface of the user's computer.
The loopback interface is not a physical interface. It is a virtual network interface that the user's
computer uses for internal communications, for diagnostics, and to send traffic to itself to be processed
immediately. The most common IP address for the loopback interface is 127.0.0.1, although any address
in the 127/8 network (127.0.0.1 to 127.255.255.254) maps to the loopback interface.
The two main differences between static and dynamic tunnels are how the traffic is translated on the
user's computer and the type of Access Client that each type of tunnel can use.
The user's computer can use one of two different methods to send traffic to the loopback interface. The
method is different for a resource that uses a static tunnel than for a resource that uses a dynamic tunnel.
Method for a Static Tunnel
For a static tunnel, you configure the tunnel to use a specific loopback IP address and port. When you
configure a static tunnel, you must define:
The IP address of the resource: the IP address of the host (computer) accessible through this
static tunnel.
The TCP or UDP port on the Tunnel Resource host that accepts the traffic.
The IP address for the loopback interface on the user's computer: any address from
127.0.0.1 to 127.255.255.254.
The TCP or UDP port that the user's computer connects to on its loopback IP address.
When a user selects a resource that uses a static tunnel:
1. The user's computer sends the traffic to its own loopback interface.
2. The Access Client software intercepts the traffic sent to the loopback address, encrypts it, and sends
it to the SSL device.
3. The SSL device decrypts the traffic and sends it to the correct destination IP address and destination
port, as defined in this static tunnel.
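The three steps above, as an added example written for this guide (not WatchGuard code): a listener on the user's loopback interface relays everything it receives to one fixed resource IP address and port, which is why a static tunnel reaches exactly one port on one host. The encrypted leg between the Access Client and the SSL device is left out, so both ends run on 127.0.0.1; the stand-in resource host and the payload are constructed for the example.

```python
# Added example (not WatchGuard code): a local model of a static tunnel's
# loopback listener. One (loopback IP, loopback port) pair forwards to one
# (resource IP, resource port) pair. The encrypted leg between the Access
# Client and the SSL device is omitted; both ends here live on 127.0.0.1.
import socket
import socketserver
import threading


class _ResourceHost(socketserver.BaseRequestHandler):
    """Stand-in for the Tunnel Resource host: answers with a tagged echo."""

    def handle(self):
        data = self.request.recv(4096)
        self.request.sendall(b"resource:" + data)


def start_resource_host(ip="127.0.0.1"):
    """Start the stand-in resource on an OS-chosen port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer((ip, 0), _ResourceHost)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


class StaticTunnel:
    """Listener on the user's loopback interface that relays to one fixed destination.

    Step 1: the application sends to (loopback_ip, loopback_port).
    Step 2: this listener accepts that traffic (the Access Client would encrypt
            it and send it to the SSL device at this point).
    Step 3: the traffic is delivered to (resource_ip, resource_port), and the
            reply is relayed back the same way.
    """

    def __init__(self, loopback_ip, loopback_port, resource_ip, resource_port):
        destination = (resource_ip, resource_port)  # the single allowed target

        class Relay(socketserver.BaseRequestHandler):
            def handle(self):
                request = self.request.recv(4096)
                with socket.create_connection(destination, timeout=5) as dst:
                    dst.sendall(request)
                    self.request.sendall(dst.recv(4096))

        self.server = socketserver.ThreadingTCPServer((loopback_ip, loopback_port), Relay)
        self.server.daemon_threads = True
        self.listen_on = self.server.server_address  # (ip, port) the client connects to

    def start(self):
        threading.Thread(target=self.server.serve_forever, daemon=True).start()
        return self

    def stop(self):
        self.server.shutdown()
        self.server.server_close()


def send_through(ip, port, payload):
    """What the user's application does: connect to the loopback endpoint."""
    with socket.create_connection((ip, port), timeout=5) as sock:
        sock.sendall(payload)
        return sock.recv(4096)


def demo(payload=b"hello"):
    """Run the whole path once and return the resource host's reply."""
    host, resource_port = start_resource_host()
    # Port 0 lets the OS pick a free loopback port; a real static tunnel uses the
    # fixed loopback address and port configured on the Tunnel Resource.
    tunnel = StaticTunnel("127.0.0.1", 0, "127.0.0.1", resource_port).start()
    try:
        return send_through(*tunnel.listen_on, payload)
    finally:
        tunnel.stop()
        host.shutdown()
        host.server_close()


if __name__ == "__main__":
    print(demo())
```

Because the destination is fixed when the listener is created, a second application port on the same resource host needs a second static tunnel with its own loopback address and port; a dynamic tunnel avoids that by translating flows on the fly in the Windows network driver.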
Method for a Dynamic Tunnel
For a dynamic tunnel, the user's computer sends traffic directly to the IP address of the Tunnel Resource
the user wants to reach. The Windows Access Client software can make many connections through a
dynamic tunnel because the network driver it installs can dynamically translate many traffic flows at one
time.
When a user selects a resource that uses a dynamic tunnel:
1. The Windows network driver installed by the Access Client intercepts the traffic.
2. The Access Client dynamically translates the traffic to the loopback interface on the user's computer,
and dynamically selects a source port for the traffic.
3. The Access Client encrypts the traffic and sends it to the SSL device.
4. The SSL device decrypts the traffic and sends it to the correct destination IP address and destination
port.
When you use one of the pre-defined Tunnel Resource templates to create a resource, the Add Tunnel
Resource Wizard automatically uses the required tunnel type. If a Tunnel Resource can be configured as
either a static or a dynamic tunnel, the Add Tunnel Resource Wizard enables you to set the Tunnel Type
to Windows (to configure the resource as a dynamic tunnel) or All Platforms (to configure the resource
as a static tunnel).
To see the static or dynamic tunnel settings that the Add Tunnel Resource Wizard configured, edit the
Tunnel Resource and select the Tunnel Settings tab.
If you use the default Tunnel Resource template, you must manually select and configure a static or
dynamic tunnel.
About the Access Client
There are two versions of the WatchGuard SSL Access Client: a Windows executable client and a Java
client.
Windows computers almost always use the Windows executable version of the Access Client. The
Windows executable installs a Windows network driver that makes dynamic tunnels more versatile than
static tunnels. Windows computers can use the Windows executable Access Client for both static and
dynamic tunnels.
There are two types of the Windows executable client:
On-demand Access Client
Installed Access Client
The On-demand Access Client is the same executable as the Installed Access Client, but instead of
being installed on your users' computers, it is loaded on a Windows computer by either an ActiveX
control or a Java loader when the user connects to a Tunnel Resource in the Application Portal. This
enables it to be used only when needed.
The Installed Access Client is software that you install on a Windows computer, just as you install any
software application.
For more information about the Windows executable version of the Access Client, see the Use the Access
Client module.
The Java client is another version of the Access Client, and uses a Java Applet loader to run in a web
browser on any operating system. The Java Access Client can only be used with static tunnels. To launch
the Java Access Client, the user's computer calls a Java Applet loader from the SSL device that launches
the Java client. The Java Applet stays active for the duration of the VPN session.
For other computer platforms, such as Mac or Linux, you must use the Java client version of the Access
Client.
When you use a static tunnel, you can force all computers, including Windows computers, to use the Java
version of the Access Client.
To force all computers to use the Java Access Client:
1. Select Resource Access and edit a Tunnel Resource that uses a static tunnel.
The Edit Tunnel Resource page appears.
2. Select the Advanced Settings tab.
3. For the Access Client Loader setting, select Java Applet.
4. Select the Run VPN client in Java (for static tunnels only) check box.
Global Resource Settings
When you add a resource, you configure settings specific to that resource. You can also change some
global settings that affect multiple resources. You can do this from the Resource Access > Resources
page. There are two types of global settings you can configure for your resources:
Global Tunnel Resource Settings
Global Tunnel Resource Settings apply to all Tunnel Resources. These are connection settings for the
WatchGuard SSL Access Client that is used to connect to Tunnel Resources. These settings include:
- Client IP Address Provider: specify whether to assign IP addresses to clients, and how.
- DNS server: the server to use for DNS forwarding.
- WINS server: the server to use for WINS forwarding.
Global Resource Settings
Global Resource Settings apply to all Web Resources and Tunnel Resources. Global settings are
grouped into these categories:
- Internal proxy
- DNS name and DNS name pool
- Filters
- Link translation
- Client access
- Trusted gateways
- Cookies and cache control
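Link translation, listed above among the Global Resource Settings and described earlier (the SSL device rewrites the URLs in a Web Resource's pages so the browser sends its traffic to the device), is shown here as an added example written for this guide, not WatchGuard code. Only URLs that point at a configured Web Resource host are rewritten; everything else is left alone, so the portal never relays requests to hosts that are not defined as resources. The portal origin, the internal host names, the path prefixes and the HTML snippet are all constructed for the example:

```python
# Added example (not WatchGuard code): link translation as a reverse proxy does it.
# Absolute URLs that point at a configured internal web host are rewritten to the
# portal; URLs to any other host are left untouched, so the portal never relays
# requests to hosts that are not defined as Web Resources. Host names, the portal
# origin and the HTML snippet are constructed for the example.
import re
from urllib.parse import urlsplit, urlunsplit

_LINK_ATTR = re.compile(
    r'(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["\'])(?P<url>[^"\']*)(?P=q)',
    re.IGNORECASE,
)


def make_link_translator(portal_origin, host_map):
    """host_map maps an internal origin (scheme://host[:port]) to the path
    prefix under which the portal publishes that resource host."""
    portal = urlsplit(portal_origin)
    normalized = {k.lower(): v for k, v in host_map.items()}

    def translate_url(url):
        """Rewrite one absolute URL; relative and foreign URLs come back unchanged.
        Also suitable for the Location header of a redirect sent by the resource."""
        parts = urlsplit(url)
        if not parts.scheme or not parts.netloc:
            return url  # relative link: already resolves against the portal
        prefix = normalized.get(f"{parts.scheme}://{parts.netloc}".lower())
        if prefix is None:
            return url  # not a configured Web Resource host: do not rewrite
        path = prefix.rstrip("/") + (parts.path or "/")
        return urlunsplit((portal.scheme, portal.netloc, path, parts.query, parts.fragment))

    def translate_html(html):
        """Rewrite href/src/action attributes in a page fetched from the resource."""
        return _LINK_ATTR.sub(
            lambda m: m.group("attr") + m.group("q") + translate_url(m.group("url")) + m.group("q"),
            html,
        )

    return translate_url, translate_html


# Constructed configuration: two Web Resource hosts published under the portal.
PORTAL = "https://portal.successfulcompany.example"
HOSTS = {
    "https://owa.wgtraining.local": "/mail",
    "http://intranet.wgtraining.local": "/intranet",
}
translate_url, translate_html = make_link_translator(PORTAL, HOSTS)

# Constructed page as the internal OWA host might return it.
SAMPLE_PAGE = (
    '<a href="https://owa.wgtraining.local/owa/auth/logon.aspx?replaceCurrent=1">Mail</a>\n'
    "<form action='http://intranet.wgtraining.local/search'>\n"
    '<img src="https://cdn.vendor.example/logo.png">\n'
    '<a href="/local/help.html">Help</a>'
)

if __name__ == "__main__":
    print(translate_html(SAMPLE_PAGE))
```

The host map is the allow-list: if the translator rewrote every absolute URL it saw, a page could direct the portal to fetch arbitrary hosts on the user's behalf. Scoping the rewrite to the configured resource hosts, exactly as the SSL device scopes it to defined Web Resources, keeps the portal from acting as an open relay.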
Protect Resources with Access Rules
Access rules define the specific requirements for access control that you apply to a resource or SSO
domain in WatchGuard SSL Web UI. You can add general access rules that can be applied to any resource
or SSO domain, or specific access rules that you apply only to certain resources or SSO domains. You can
also define Global Access Rules that are automatically applied to all resources and SSO domains.
WatchGuard SSL Web UI includes many different types of access rules that you can use alone, or combine
to customize your security configuration.
An access rule can contain a single rule or a combination of rules of any type. You can use these access
rule types to control access to your resources:
Authentication method
Allow access only if the user authenticates with the specified authentication methods.
User group membership
Allow access only if the user belongs to the specified user group or groups.
IP address of incoming client
Allow access only if the client connects from an IP address in the specified list or range.
Client Definition
Allow access only if the client is of a specified type, for example, a particular browser version.
Day, date and/or time
Allow access only during a specified time period, date period, or on specified days of the week.
Assessment
Allow access only if the client meets specified criteria. An Assessment client runs on the client
computer to make sure the client computer meets the Assessment criteria you specify. For example,
you could use Assessment to check whether the client has anti-virus software running.
Abolishment
Allow access only if the Abolishment client is running on the client. Abolishment is a feature that
monitors the files and stored browser data on a client during a user session, and then automatically
deletes the browser data and files that were downloaded or created during the user session. You can
configure the types of files and browser data that Abolishment deletes when the session ends.
Note
Assessment and Abolishment are only supported on Windows clients. For information about Assessment
and Abolishment settings, see the Assessment and Abolishment module.
Custom-defined
A custom-defined access rule can be tailored to meet specific needs. It must be imported from an xml
file. This type of rule is not commonly used.
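As an added example written for this guide (not WatchGuard code), here is a small evaluator for the rule types listed above. Each criterion is a predicate over the user's session; an access rule allows access when all of its criteria hold, and a resource stays visible in the Application Portal only when every access rule applied to it allows the session. Those combination semantics are our reading of the "Allow user access when" list and of Exercise 2 later in this module, not a description of the product's internals; the session fields, group names, network ranges and dates are constructed for the example.

```python
# Added example (not WatchGuard code): a small evaluator for the access rule
# types listed above. Each criterion is a predicate over the session; an access
# rule allows access when all of its criteria hold, and a resource is shown only
# when every access rule applied to it allows access. That combination is an
# assumption of this example, as are the session fields below.
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress


@dataclass(frozen=True)
class Session:
    user: str
    auth_method: str          # e.g. "WatchGuard SSL Web"
    groups: frozenset         # names of the groups the user belongs to
    client_ip: str
    client_agent: str         # User-Agent string, for the Client Definition rule
    now: datetime


def authentication_method(*methods):
    return lambda s: s.auth_method in methods


def user_group(*groups):
    return lambda s: bool(s.groups & set(groups))


def client_ip(*networks):
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    return lambda s: any(ipaddress.ip_address(s.client_ip) in n for n in nets)


def client_definition(fragment):
    return lambda s: fragment in s.client_agent


def time_window(start, end, weekdays=frozenset(range(7))):
    """Allow between start and end (local time) on the given weekdays
    (0 = Monday ... 6 = Sunday). A window such as 22:00 to 06:00 that
    crosses midnight is handled."""
    def check(s):
        t = s.now.time()
        inside = start <= t < end if start < end else (t >= start or t < end)
        return inside and s.now.weekday() in weekdays
    return check


@dataclass
class AccessRule:
    name: str
    criteria: tuple

    def allows(self, s):
        return all(c(s) for c in self.criteria)


def resource_visible(rules, s):
    """A resource appears in the Application Portal only if every access rule
    applied to it allows this session."""
    return all(r.allows(s) for r in rules)


# The default rule plus the rule built in Exercise 2 of this module.
ANY_AUTHENTICATION = AccessRule("Any Authentication", (lambda s: bool(s.auth_method),))
REQUIRE_SSL_WEB = AccessRule("Require SSL Web", (authentication_method("WatchGuard SSL Web"),))
# A deliberately conflicting rule: no session can satisfy it together with REQUIRE_SSL_WEB.
REQUIRE_SSL_PASSWORD = AccessRule("Require SSL Password", (authentication_method("WatchGuard SSL Password"),))
# A combined rule: members of an admin group, from the office network, on weekdays in office hours.
ADMIN_OFFICE_HOURS = AccessRule("Admins, office hours", (
    user_group("SSL Admins"),
    client_ip("192.0.2.0/24"),
    time_window(time(8, 0), time(18, 0), frozenset(range(5))),
))


def session(auth_method, groups=(), ip="192.0.2.10", now=datetime(2012, 6, 4, 9, 30)):
    """Build a constructed session; 2012-06-04 is a Monday."""
    return Session("alice", auth_method, frozenset(groups), ip, "Mozilla/5.0", now)


if __name__ == "__main__":
    web, pwd = session("WatchGuard SSL Web"), session("WatchGuard SSL Password")
    for rules in ([REQUIRE_SSL_WEB], [ANY_AUTHENTICATION, REQUIRE_SSL_WEB],
                  [REQUIRE_SSL_WEB, REQUIRE_SSL_PASSWORD]):
        print([r.name for r in rules], resource_visible(rules, web), resource_visible(rules, pwd))
```

Run stand-alone, the block shows why Exercise 2 works either way: leaving Any Authentication in place beside the SSL Web rule gives the same result as the SSL Web rule alone, while a pair of rules that require two different authentication methods locks every user out. That second case is the conflict the exercise warns about.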
About Single Sign-On (SSO)
To connect to the Application Portal, your users must first authenticate. Some applications and network
resources in the Application Portal also require users to authenticate. So, after users authenticate and
connect to the Application Portal, they are prompted to authenticate again each time they select a
resource that requires authentication. This can be a time consuming process that can be frustrating to
your users. To enable your users to authenticate only one time and then connect all their resources, you
can use Single Sign-On.
Single Sign-On (SSO) is a session/user authentication process that allows users to authenticate with their
user credentials one time to get access to multiple resources. When users authenticate with SSO, they
have instant access to Application Portal items, and they do not have to authenticate again if they select
a different item.
You configure WatchGuard SSL SSO domains to enable SSO for resources that require the same user
credentials. The SSO domain specifies how SSO is used for the resources included in the domain. When
user credentials are modified, the changes are automatically applied to all resources in the SSO domain.
When resources are configured in an SSO domain:
1. Users provide their Active Directory credentials when they authenticate to the Application Portal.
2. The Application Portal securely stores those credentials for the user account.
3. When a user selects a resource in the SSO domain, the Application Portal automatically uses the
stored credentials instead of prompting the user for additional authentication to the resource.
Exercise 1: Add a Resource for Secure Remote Web UI Access
The Successful Company administrator wants the ability to monitor and manage the WatchGuard SSL
device remotely. In this exercise you add a Web Resource to enable remote access to WatchGuard SSL
Web UI.
1. Select Resource Access.
The Resources page appears.
The Resources page has two tabs, one for Tunnel Resources and one for Web Resources.
2. Click Add Resource.
The Add Resource wizard starts.
3. Expand the Web Resources group.
4. Select Secure Remote Access to the Web UI.
A description of the resource appears at the right side of the page.
5. Click Next.
The settings for the Secure Remote Web UI Access resource appear.
6. In the General Settings section, type a Display Name and Description for this resource.
The Display Name and Description only appear in the Web UI.
7. In the Special Settings section, make sure that the Enable resource check box is selected.
This controls whether the resource appears in the Application Portal.
The HTTP Port and HTTPS Port settings control what ports are used to connect to this resource. For
the Secure Remote Web UI Access resource, do not change these settings.
8. In the Host text box, type the IP address of the WatchGuard SSL device.
9. In the Application Portal Settings section select the icon that appears in the Application Portal for
this resource:
To select a custom icon, click Browse.
To select a system icon, click Select Icon in Icon Library.
The Select Icon page appears.
10. Click an icon to select it.
Icon Uploaded appears in the Application Portal Settings.
11. In the Link Text text box, type the name you want to appear with the resource icon in the
Application Portal.
12. Make sure the Make resource available in Application Portal check box is selected.
13. Click Next.
The Access Rules configuration settings for this resource appear.
The Any Authentication access rule is selected by default.
14. Click Next.
A summary of the settings for this resource appears.
15. Click Finish Wizard.
The new resource appears on the Web Resources tab.
Note
On the Web Resources tab you also see the default system resource Access Point, with associated Web
Resource paths. This resource enables access to the Application Portal Authentication and Welcome
pages. You cannot delete this default Web Resource.
16. Click Publish to update your configuration with the change and make this resource available in the
Application Portal.
Start the New Resource from the Application Portal
If you have already created a user and an authentication method, you can authenticate to the
Application Portal to see the new resource.
1. Open a web browser and type https://<IP address of your Application Portal> to go to the
Application Portal authentication page.
2. Select an authentication method.
Note
In this training environment the browser may show a security certificate warning, because the SSL
device does not yet present a certificate that the browser trusts; you can bypass the warning here and
continue. In a production deployment, install a certificate issued by a CA that your users' browsers
trust, so that users are never taught to click through such warnings.
3. Type the user authentication credentials.
The WatchGuard SSL Application Portal appears, with the resource you configured.
4. Click the resource icon.
The WatchGuard SSL Web UI login page appears.
The Secure Remote Web UI Access resource only takes the authenticated portal user to the WatchGuard
SSL Web UI login page. The user must still know the administrative credentials to log in and use the
Web UI.
Exercise 2: Add an Access Rule and Apply it to a Resource
The Successful Company administrator wants the Secure Remote Web UI Access resource to be available
only for users who authenticate with the WatchGuard SSL Web authentication method.
In this exercise you create an authentication method access rule and apply this access rule to the Secure
Remote Web UI Access resource.
Note
You can modify this exercise to create an access rule that uses any enabled authentication method.
Create the Access Rule
1. Select Resource Access > Access Rules.
The Manage Access Rules page appears.
2. Click Add Access Rule.
The first page of the Add Access Rule wizard appears.
3. Type a Display Name for this access rule. Click Next.
The list of access rule types appears.
4. Select Authentication method. Click Next.
The list of configured authentication methods appears.
5. In the Available Authentication Methods list, select WatchGuard SSL Web. Click Add.
WatchGuard SSL Web is moved to the Selected Authentication Methods list.
6. Click Next.
A summary page appears with the access rules you have added to this rule.
7. Click Next.
The rule you added appears in the Allow user access when list. You can add other rules to this access rule before
you continue.
You can combine different types of rules in the same access rule. For this exercise, we only need to
include one rule.
8. Click Next.
A list of resources that you can apply this rule to appears.
9. In the Available Resources list, select Web UI Access. Click Add.
The resource is moved to the Selected Resources list.
10. Click Next.
The Summary page appears.
11. Click Finish Wizard.
The access rule is saved and is applied to the Secure Remote Web UI Access resource.
12. Click Publish to update your configuration with this change.
This rule enables only those users who authenticate with the WatchGuard SSL Web authentication
method to get access to this resource. If a user selects a different authentication method, this resource is
not available in the Application Portal for that user.
Edit the Resource to Remove the Unnecessary Access Rule
When you apply a new access rule to a resource, the new access rule is added alongside any access rules
already configured for the resource, and the resource then requires all of them. In some cases you must
remove an existing access rule because it conflicts with the new one and no user could satisfy both. In
this example, because the added access rule (require WatchGuard SSL Web authentication) is more
specific than the existing access rule (Any Authentication), the old rule does not change the result and
you do not strictly need to remove it. To make sure the access rules work as you expect, it is still a good
idea to remove any unnecessary access rules from your resources.
To edit the resource and remove the unnecessary access rule:
1. Select Resource Access in the top menu.
The Resources page appears.
2. Select the Web Resources tab.
The Web UI Access resource now has multiple authentication access rules applied.
3. Click the Web UI Access resource to edit it.
The Edit Web Resource Host page appears.
4. Select the Access Rules tab.
The Selected Access Rules list includes two authentication methods. Because we only want to allow
access by users who authenticate with the SSL Web Authentication method, we need to remove the
Any Authentication rule.
5. In the Selected Access Rules list, select Any Authentication. Click Remove.
The Any Authentication access rule is moved to the Available Access Rules list.
6. Click Save to update this resource.
7. Click Publish to update your configuration with this change.
Test Resource Access in the Application Portal
First, verify that this resource is not available to users who do not use the WatchGuard SSL Web
authentication method.
1. Open a web browser and type https://<IP address of your Application Portal> to go to the
Application Portal authentication page.
2. Select the WatchGuard SSL Password authentication method.
Or, select any authentication method other than WatchGuard SSL Web.
3. Type the user authentication credentials.
The WatchGuard SSL Application Portal appears, but the Admin Web UI resource is not visible.
Next, you can verify that the resource is available to users who use the WatchGuard SSL Web
authentication method. To do this, you must enable the WatchGuard SSL Web authentication method for
a user account. Then use that user account to log in to the Application Portal.
1. Select User Management > User Accounts.
The Manage All user accounts page appears.
2. Select a user account.
The Edit User Account page appears.
3. Select the WatchGuard Authentication tab.
WatchGuard Authentication Methods settings appear.
4. Select the Enable WatchGuard SSL Web for the user account check box.
The settings for the WatchGuard SSL Web authentication method appear.
5. Type and verify the Password.
For example, type Password123.
6. Click Save.
The user account is updated.
Now you can use the WatchGuard SSL Web authentication method to log in to the Application Portal as
this user and verify that the user can see the Admin Web UI resource.
1. Open a web browser and type https://<IP address of your Application Portal> to go to the
Application Portal authentication page.
2. Select the WatchGuard SSL Web authentication method.
The WatchGuard SSL Web authentication page appears.
3. Type the User Name of the user who has WatchGuard SSL Web authentication enabled. Click
Submit.
The WatchGuard SSL Web authentication keypad appears.
Note
When you use the WatchGuard SSL Web authentication method, if the user password contains letters
and numbers, the user must use the keyboard to type the letters and the on-screen keypad to select
the numbers.
4. Use your keyboard and the on-screen keypad to type the numbers.
For this example, type Password on the keyboard and then click the numbers 1, 2, and 3 on the on-
screen keypad.
5. Press Enter.
The WatchGuard SSL Application Portal appears, and the Admin Web UI resource is now visible.
Exercise 3: Create an Outlook Web Access Resource
The Successful Company wants to allow users to connect to their email remotely through the
Application Portal. In this exercise you add a Microsoft Outlook Web Access resource to the Application
Portal.
Note
To complete this exercise, you must have a Microsoft Exchange Server with Outlook Web Access
enabled.
1. Select Resource Access.
The Resources page appears.
2. Click Add Resource.
The Add Resource wizard starts.
3. Expand the Web Resources group.
The list of available Web Resources appears.
4. Select Microsoft Outlook Web Access 2003. Click Next.
The Add Resource page appears.
5. In the General Settings section, type a Display Name and Description for this resource.
The Display Name and Description only appear in the Web UI.
6. Make sure that the Enable resource check box is selected.
This controls whether the resource appears in the Application Portal.
7. In the Host text box, type the valid DNS name or IP address of the email server for this resource.
8. Click Select Icon in Icon Library and select the icon that appears in the Application Portal for this
resource.
9. In the Link Text text box, type the text that appears in the Application Portal for this resource.
10. Click Next.
The Access Rules configuration settings for this resource appear.
The Any Authentication access rule is selected by default.
11. Click Next.
A summary of the settings for this resource appears.
12. Click Finish Wizard.
The resource is added to the Web Resources list.
The Add Resource wizard automatically added three Web Resource paths for the OWA 2003 resource.
Each resource path describes a location on the Microsoft Exchange Server that is accessible from this
Web Resource.
13. Click Publish to update your configuration with this change and make this resource available in the
Application Portal.
Use the OWA 2003 Resource
Connect to the Application Portal and authenticate with an Active Directory authentication method.
1. Open a web browser and type https://<IP address of your Application Portal> to go to the
Application Portal authentication page.
For example, type https://50.50.50.106.
A list of authentication methods appears.
2. Select the Active Directory authentication method.
3. Type the authentication credentials. Click Submit.
The Application Portal page appears.
4. Click the OWA 2003 resource.
An additional authentication page appears for the user to log in to OWA. The User Name appears
automatically.
5. In the Password text box, type the Active Directory password for this user.
6. In the Domain text box, type the domain.
For example, type wgtraining.
7. Click Submit.
Microsoft Outlook Web Access appears.
In this example, the user had to log in twice, and had to type the domain. In the next exercise we use
Single Sign-On so the user does not have to authenticate twice.
Exercise 4: Configure SSO for Outlook Web Access
The Successful Company uses an Active Directory server to store user credentials for authentication with
the Application Portal and for Outlook Web Access. The administrator wants to avoid the need for users
to type in their password and domain when they connect to the OWA 2003 resource from the
Application Portal.
In this exercise you configure an SSO Domain to avoid the need for authenticated users to type their
credentials a second time when they launch the OWA 2003 resource.
In this exercise, we set up SSO for Outlook Web Access basic authentication. You can also configure SSO
for Outlook Web Access form-based authentication. For information, see the WatchGuard SSL Web UI Help
or User Guide.
1. Select Resource Access > SSO Domains.
The Manage SSO Domains page appears.
2. Click Add SSO Domain.
The first page of the Add SSO Domain wizard appears.
3. Type a Display Name.
4. Do not change the default SSO Restrictions settings.
SSO restrictions control how long the SSO credentials are stored.
- If you select Cache on session only, SSO credentials are kept in memory only during the user
session.
- If you do not select this option, SSO credentials are stored in the user account for a period of
time determined by the User Inactivity and Absolute Time Limit settings.
5. Click Next.
The Domain Attributes page appears.
The User name and Password domain attributes are registered by default. You must add a third
attribute for the domain information.
6. Click Add Domain Attribute.
The Add Domain Attribute page appears.
7. From the Referenced By drop-down list, select Static.
8. In the Attribute Value text box, type the domain where your Active Directory Server and Microsoft
Exchange Server reside.
9. Click Next.
The Domain attribute is added to the Registered Domain Attributes list.
10. Click Next.
The Apply SSO Domains To Resources page appears.
11. To select which resources use this SSO domain, click Apply SSO Domains To Resources.
The Select SSO Type page appears.
12. From the SSO Type drop-down list, select Text. This is the default value.
13. From the Available Resources list, select OWA 2003. Click Add >.
The resource is moved to the Selected Resources list.
14. Click Add at the bottom of the page to add your selected resources to this SSO domain.
15. Click Next.
The Summary page appears.
16. Click Finish Wizard.
The SSO domain is added.
17. Click Publish to update your configuration with this change.
Note
If the Application Portal has other resources that all use the same Active Directory server for
authentication, the administrator can add those additional applications to the same SSO domain so
that the user must only authenticate once to get access to all applications in the SSO domain.
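The SSO Restrictions from step 4 (Cache on session only, User Inactivity, Absolute Time Limit) decide how long captured Active Directory credentials stay usable for the OWA 2003 resource. The model below is an added example written for this guide, not WatchGuard SSL code; the timeout values, the FakeClock and the default for Cache on session only are constructed for the illustration.

```python
"""Model of the SSO Domain credential-storage rules described in Exercise 4.
Illustrative code written for this training guide, not WatchGuard SSL code.
The SSO domain registers three attributes: User name, Password and a Static
domain attribute (the Active Directory domain, e.g. wgtraining)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class SsoCredentials:
    """What the SSO Type 'Text' handler fills into the OWA 2003 login page."""
    username: str
    password: str
    domain: str      # value of the Static domain attribute


@dataclass
class CachedEntry:
    creds: SsoCredentials
    captured_at: float   # when the portal login captured the credentials
    last_used: float     # when a resource last used them (for User Inactivity)


@dataclass
class SsoDomain:
    display_name: str
    static_domain: str                    # Referenced By: Static, Attribute Value
    cache_on_session_only: bool = True    # constructed default for this model
    user_inactivity: float = 900.0        # seconds; constructed value
    absolute_time_limit: float = 28800.0  # seconds; constructed value
    clock: Callable[[], float] = time.monotonic
    entries: Dict[str, CachedEntry] = field(default_factory=dict)
    session_active: bool = False

    def portal_login(self, username: str, password: str) -> None:
        """The Active Directory method carries the extended property
        'Save credentials for SSO domain', so a portal login captures the
        credentials here and adds the static domain attribute."""
        now = self.clock()
        creds = SsoCredentials(username, password, self.static_domain)
        self.entries[username] = CachedEntry(creds, now, now)
        self.session_active = True

    def portal_logout(self) -> None:
        """End of the user session. With Cache on session only, the credentials
        were held in memory only and are discarded."""
        self.session_active = False
        if self.cache_on_session_only:
            self.entries.clear()

    def launch_resource(self, username: str) -> Optional[SsoCredentials]:
        """Called when the user clicks OWA 2003. Returns stored credentials, or
        None when the stored copy is absent or expired and the user must type
        the password and domain again."""
        entry = self.entries.get(username)
        if entry is None:
            return None
        if self.cache_on_session_only:
            if not self.session_active:
                return None
        else:
            now = self.clock()
            expired = (now - entry.captured_at > self.absolute_time_limit
                       or now - entry.last_used > self.user_inactivity)
            if expired:
                del self.entries[username]   # stored copy removed from the account
                return None
            entry.last_used = now            # activity resets the inactivity timer
        return entry.creds


class FakeClock:
    """Deterministic clock so the time limits can be exercised offline."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now
```

With Cache on session only cleared, a stored credential survives portal logout but is still bounded by both timers, which is why the guide recommends leaving the default restrictions in place.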
Configure the Authentication Method for the SSO Domain
For the last step, you must edit the Active Directory authentication method so that it saves user
credentials for this SSO domain.
1. Select Manage System.
The Authentication page appears.
2. In the Registered Authentication Methods list, select the Active Directory authentication
method.
The Edit Authentication Method page appears.
3. Select the Extended Properties tab.
The Extended Properties for this authentication method appear.
4. Click Add Extended Property.
The Add Extended Property page appears.
5. From the Key drop-down list, select Save credentials for SSO domain.
6. In the Value text box, type the name of the SSO domain you just created.
7. Click Add.
The Extended Property appears in the Registered Extended Properties list.
8. Click Save.
9. Click Publish to update your configuration with this change.
Use the OWA 2003 Resource with SSO
With SSO configured, after a user authenticates to the Application Portal with the Active Directory
authentication method, the user can start the OWA 2003 resource without a second authentication.
1. Open a web browser and type https://<IP address of your Application Portal> to go to the
Application Portal authentication page.
For example, type https://50.50.50.106.
A list of authentication methods appears.
2. Select Active Directory.
3. Type the authentication credentials. Click Submit.
The Application Portal page appears.
4. Click OWA 2003.
Microsoft Outlook Web Access appears.
Exercise 5: Create a Full Network Access Tunnel Resource
Successful Company wants to enable remote users to get access to all network resources when they are
not physically in the office. In this exercise, you set up a Full Network Access Tunnel Resource.
1. Select Resource Access > Resources.
2. Click Add Resource.
The Add Resource page appears.
3. Expand the Tunnel Resources list.
4. Select Full Tunnel.
5. Click Next.
The settings for the Full Tunnel resource appear.
6. Type a Display Name and Description for this resource.
The Display Name and Description only appear in the Web UI.
7. Make sure that the Enable resource check box is selected.
This is enabled by default.
8. From the Tunnel Mode drop-down list, select Network Range to use a range of IP addresses for this
resource. This is the default setting.
9. In the IP Range text boxes, type the range of IP addresses to which you want to enable access.
For example, to enable access to all IP addresses on the 192.168.54.0/24 network, type
192.168.54.1 to 192.168.54.254.
10. To restrict access to TCP and UDP ports, edit the TCP Port Set and UDP Port Set.
The default settings for a Full Tunnel resource enable access to all TCP and UDP ports.
11. Select an Icon and Link Text for this resource.
12. Click Next.
The Access Rules settings for this resource appear.
13. To use the default Any Authentication access rule, click Next.
The Summary page appears.
14. Click Finish Wizard.
The Full Tunnel resource is added to the Tunnel Resources list.
To use this resource, authenticate to the Application Portal as any user. Because this is a Tunnel
Resource, the Access Client is automatically installed the first time a user starts the resource.
For more information about the Access Client, see the Use the Access Client module.
Exercise 6: Compare Static and Dynamic Tunnel Settings
If a resource has a single IP address and uses a single port, you can configure it to use either a dynamic
tunnel or a static tunnel. In this exercise you use the Add Tunnel Resource Wizard to configure an RDP
resource, first with a dynamic tunnel, and then with a static tunnel. Then you compare the settings the
wizard creates for these two resources.
Note
For this exercise, you can use any IP address because you will not actually connect to the resource. The
purpose of this exercise is to compare the settings for a static tunnel and a dynamic tunnel.
Configure an RDP resource with a Dynamic Tunnel
1. Select Resource Access > Resources.
2. Click Add Resource.
3. From the Tunnel Resources list, select RDP Access. Click Next.
4. In the Display Name text box, type a name for this resource.
For example, Dynamic RDP Access.
5. In the IP address text box, type the IP address for this resource.
This can be any IP address for the purpose of this exercise.
6. Make sure the Tunnel Type is set to Windows Platform.
This setting configures this resource as a dynamic tunnel.
7. Select an Icon and type the Link Text.
8. Click Next.
The Access Rules for this resource appear.
9. Click Next to use the default access rule.
The Summary page appears.
10. Click Finish Wizard.
The Tunnel Resource is added.
Configure an RDP Resource with a Static Tunnel
Now we create another resource to the same IP address, but this time configure it with a static tunnel.
1. Select Resource Access > Resources.
2. Click Add Resource.
3. From the Tunnel Resources list, select RDP Access. Click Next.
4. In the Display Name text box, type a display name for this resource.
For example, Static RDP Access.
5. In the IP Address text box, type the same IP address for this resource that you used for the RDP
resource with a dynamic tunnel.
6. From the Tunnel Type drop-down list, select All Platform.
This setting configures this resource with a static tunnel.
7. Select an Icon and type the Link Text.
8. Click Next.
The Access Rules for this resource appear.
9. Click Next to use the default access rule.
The Summary page appears.
10. Click Finish Wizard.
The Tunnel Resource is added.
Examine the Tunnel Settings
1. On the Resources page, click the Display Name of the resource with the dynamic tunnel.
For example, Dynamic RDP Access.
The Tunnel Resource settings page appears.
2. Select the Tunnel Settings tab.
The Tunnel Resource has one Registered Dynamic Tunnel.
The settings for this resource with a dynamic tunnel include:
- Resource IP Address: The IP address of the host accessible through this tunnel.
- TCP Port Set: The TCP ports of the host accessible through this tunnel.
- UDP Port Set: The UDP ports of the host accessible through this tunnel.
- Confirm connections: This setting determines whether users are prompted to accept or
deny the connection to this resource.
When a remote Windows computer connects to this resource:
- The Windows network driver installed by the Access Client intercepts this traffic.
- The Access Client dynamically translates this traffic to the computer's loopback interface. It
dynamically selects a source port for the traffic.
- The Access Client encrypts the traffic and sends it to the SSL device.
- The SSL device decrypts the traffic and sends it to the correct destination IP address and
destination port, in this example, 192.168.50.100:3389.
Now, we can compare the configuration of this resource to the other Tunnel Resource that was
configured with a static tunnel.
1. On the Resources page, click the Display Name of the resource with the static tunnel.
For example, Static RDP Access.
The Tunnel Resource Settings page appears.
2. Select the Tunnel Settings tab.
The Tunnel Resource has one Registered Static Tunnel.
The settings for this resource with a static tunnel include:
- Resource IP Address: The IP address of the one host accessible through this tunnel.
- Resource Port: The TCP or UDP port on the Tunnel Resource host that accepts the traffic.
- Protocol: The type of port (TCP or UDP) to use for the Resource Port and Client Port.
- Client IP Address: The IP address for the remote client's loopback interface. This can be any
address from 127.0.0.1 to 127.255.255.254.
- Client Port: The TCP or UDP port that the client connects to on its loopback IP address.
When a remote computer connects to this resource:
- The traffic is sent to the loopback interface specified in the Client IP Address and Client Port
(in this example 127.0.0.1:13389).
- The Access Client intercepts the traffic sent to the loopback interface and port, encrypts it, and
sends it to the SSL device.
- The SSL device decrypts the traffic and sends it to the correct destination IP address and
destination port, as defined in this static tunnel (in this example, 192.168.50.100:3389).
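The two settings lists above differ in what the client connects to and in what the Access Client intercepts. The model below is an added example written for this guide, not the Access Client or SSL device implementation; it uses the exercise's values (resource host 192.168.50.100:3389, static loopback 127.0.0.1:13389) and a constructed starting source port for the dynamic tunnel.

```python
"""Model of how one RDP connection reaches the resource host through a static
tunnel and through a dynamic tunnel, following Exercise 6. Illustrative code
written for this training guide, not WatchGuard software."""
from dataclasses import dataclass, field
import ipaddress
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]
LOOPBACK_LOW = int(ipaddress.IPv4Address("127.0.0.1"))
LOOPBACK_HIGH = int(ipaddress.IPv4Address("127.255.255.254"))


@dataclass(frozen=True)
class StaticTunnel:
    """Registered Static Tunnel: one host, one port, a fixed loopback listener."""
    resource_ip: str
    resource_port: int
    protocol: str        # type of port used for Resource Port and Client Port
    client_ip: str       # loopback address the Access Client listens on
    client_port: int

    def __post_init__(self) -> None:
        if self.protocol not in ("TCP", "UDP"):
            raise ValueError("Protocol must be TCP or UDP")
        addr = int(ipaddress.IPv4Address(self.client_ip))
        if not LOOPBACK_LOW <= addr <= LOOPBACK_HIGH:   # range given in the guide
            raise ValueError(f"{self.client_ip} is not in 127.0.0.1 to 127.255.255.254")

    def client_destination(self) -> Endpoint:
        """What the user points the RDP client at: the loopback listener."""
        return (self.client_ip, self.client_port)

    def route(self, dst: Endpoint, protocol: str) -> Optional[Endpoint]:
        """The Access Client intercepts only traffic to its loopback IP:port; the
        SSL device delivers it to the single configured resource IP:port."""
        if protocol == self.protocol and dst == (self.client_ip, self.client_port):
            return (self.resource_ip, self.resource_port)
        return None      # not this tunnel's traffic


@dataclass
class DynamicTunnel:
    """Registered Dynamic Tunnel: the Windows network driver intercepts traffic
    sent to the resource IP itself, for any port in the TCP/UDP port sets."""
    resource_ip: str
    tcp_port_set: Set[int]
    udp_port_set: Set[int]
    confirm_connections: bool = False
    next_source_port: int = 40000                     # constructed starting point
    nat: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)

    def client_destination(self, port: int) -> Endpoint:
        """What the user points the RDP client at: the real host address."""
        return (self.resource_ip, port)

    def route(self, dst: Endpoint, protocol: str,
              user_accepts: bool = True) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Returns (loopback hop, final destination), or None when the traffic is
        not covered by the port sets or the user denies a confirmed connection."""
        ip, port = dst
        allowed = self.tcp_port_set if protocol == "TCP" else self.udp_port_set
        if ip != self.resource_ip or port not in allowed:
            return None
        if self.confirm_connections and not user_accepts:
            return None
        src_port = self.next_source_port          # dynamically selected source port
        self.next_source_port += 1
        self.nat[(protocol, src_port)] = dst      # so replies can be mapped back
        return (("127.0.0.1", src_port), dst)

    def original_destination(self, protocol: str, src_port: int) -> Optional[Endpoint]:
        """Reverse lookup used when the reply comes back from the SSL device."""
        return self.nat.get((protocol, src_port))


def build_exercise_tunnels() -> Tuple[StaticTunnel, DynamicTunnel]:
    """The two RDP resources from Exercise 6, both pointing at 192.168.50.100."""
    static = StaticTunnel("192.168.50.100", 3389, "TCP", "127.0.0.1", 13389)
    dynamic = DynamicTunnel("192.168.50.100", tcp_port_set={3389}, udp_port_set=set())
    return static, dynamic
```

The model makes the operational difference visible: with the static tunnel the user must know the loopback address and port, while with the dynamic tunnel the user connects to the real host address and the port sets decide which traffic is carried.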
Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.
1. Which of these options are examples of Web Resources? (Select all that apply.)
A) Microsoft Outlook Web Access 2003
B) Full Tunnel
C) Secure Remote Access to the Web UI
D) Microsoft Windows File Share
E) Access to a company Intranet web site
2. True or false? A single access rule can combine rules for authentication, assessment, and user group
membership.
3. What example best describes what you can do with an access rule? (Select one.)
A) Assign the access rule to a user to control the user's access level.
B) Assign the access rule to a resource to control requirements for user access to the resource.
C) Assign the access rule to an SSO domain to control which applications can be accessed in that
domain.
4. True or false? WatchGuard SSL SSO domains are configured to enable SSO for resources that use the
same user credentials.
5. True or false? If a resource is configured to use an access rule that requires the WatchGuard SSL
Password authentication method, the resource is still visible in the Application Portal to all users. But,
a user who uses another method to authenticate must authenticate again to use the resource.
ANSWERS
1. A, C, E
2. True
3. B
4. True
5. False. The resource is only visible in the Application Portal to users who use the authentication method
specified in the access rule for that resource.
Use the Access Client
Install and use the WatchGuard SSL Access Client
What You Will Learn
The WatchGuard SSL Access Client enables you to securely connect to resources you make available to
your users in the WatchGuard SSL Application Portal. In this training module you learn how to:
- Use the On-demand Access Client
- Install the Access Client
- Use the Access Client to connect to a Tunnel Resource
- Configure the Access Client to start automatically when Windows starts
Before you begin these exercises, make sure you read the Course Introduction module.
About the Access Client
The WatchGuard SSL Access Client enables you to securely connect to Tunnel Resources in the
WatchGuard SSL Application Portal. The Access Client is not required to connect to a Web Resource.
There are two versions of the WatchGuard SSL Access Client: a Windows executable client and a Java
client.
Windows computers almost always use the Windows executable version of the Access Client. The
Windows executable installs a Windows network driver that makes dynamic tunnels more versatile than
static tunnels. Windows computers can use the Windows executable Access Client for both static and
dynamic tunnels.
The Java client is another version of the Access Client, and uses a Java Applet loader to run in a web
browser on any operating system. The Java Access Client can only be used with static tunnels. To launch
the Java Access Client, the user's computer calls a Java Applet loader from the SSL device that launches
the Java client. The Java Applet stays active for the duration of the VPN session.
For other computer platforms, such as Mac or Linux, you must use the Java client version of the Access
Client.
In this training module, we use the Windows executable version of the Access Client.
There are two types of the Windows executable version of the Access Client:
- On-demand Access Client
- Installed Access Client
On-demand Access Client
When you authenticate to the Application Portal and select a resource other than a Web Resource,
the On-demand Access Client launches to load the tunnel. When your session ends, the On-demand
Access Client closes. The client software is not installed on your computer, instead it is loaded on
Windows computers with either an ActiveX control or a Java loader when your users connect to a
Tunnel Resource in the Application Portal. This enables it to be used only when needed.
Installed Access Client
Optionally, you can install the Access Client on your user's computer, just as you install any software
application. You can configure the Installed Access Client to automatically start when Windows starts,
and to automatically connect to resources.
To decide whether to use the On-demand Access Client or the Installed Access Client, you must consider
the advantages of each client. The On-demand Access Client is the simplest to use and manage, but the
Installed Access Client provides more configuration options.
Advantages of the On-demand Access Client
- Simplest to use: the client automatically downloads and starts when a user selects a Tunnel
Resource in the Application Portal.
- No installation or local client configuration is required.
- Users always use the most current resource definitions, because they must use the Application Portal
to start a resource.
Advantages of the Installed Access Client
- Users can save and start favorite resources from the Access Client, instead of the Application Portal.
- You can configure the Installed Access Client to automatically start when Windows starts.
- You can configure the client to enable users to launch a resource directly from a browser or from the
Windows Start menu. To do this you must register the essp protocol handler.
For more information, see the WatchGuard SSL Online Help or User Guide.
Use the Access Client
When the WatchGuard Access Client is started, click in the Windows system tray to see the Access
Client menu, which includes these options:
Preferences
Configure client preferences. These settings mostly apply to the Installed Access Client. From the
Access Client Preferences dialog box, you can configure the client update server, enable the Access
Client to start automatically when you start Windows, define trusted Access Points and commands,
change diagnostic logging settings, and configure settings and favorites synchronization.
History
When a tunnel is loaded successfully, the details of the tunnel configuration are automatically saved
in the History. This allows you to easily open a recently accessed tunnel resource. The History menu
can contain a maximum of 15 items.
Favorites
Save and manage favorite Application Portal resources. After you add favorite resources, you can
select the resource from the Favorites menu to start the resource. Administrators can also add
favorites on the SSL device that are synchronized to the Access Client.
Status
See the status of your SSL connection.
About
See the Access Client version and copyright information.
Close Tunnels
Close the connection to a Tunnel Resource.
Exit
Close the Access Client. The connections to all Tunnel Resources are also closed.
Access Client Synchronization with the SSL Device
You can synchronize your Access Client preferences, history, and favorites to the SSL device. There are
two methods to synchronize your client settings: automatic and manual.
Automatic
Automatically synchronize when you start an SSL tunnel and when you make any changes to your
settings or favorites while connected to the tunnel. By default the automatic client synchronization is
disabled.
Manual
Immediately perform a manual synchronization with the SSL device while connected to the tunnel. If
you are not connected, a pop-up authentication dialog appears, and the client synchronizes to the
SSL device after successful authentication.
Exercise 1: Use the On-demand Access Client
The Successful Company has installed the WatchGuard SSL device and has configured some Tunnel
Resources in the Application Portal. In this exercise, you connect to the Application Portal and
automatically launch the On-demand Access Client to start the tunnel to that resource.
Before You Begin
You must define at least one Tunnel Resource in your Application Portal. For instructions, see the
exercises in the Resource Access training module.
Launch the On-demand Access Client
1. Open a web browser and type the address of the Application Portal domain name.
Or, you can type the IP address of the SSL device and the Application Portal port number.
For example:
https://ap.example.com
https://<IP address of the SSL device>:<port number>
https://50.50.50.106:443
Note
Because the WatchGuard SSL device uses a self-signed certificate, a security warning appears. It is safe
to ignore the warning (Internet Explorer) or add a certificate exception (Mozilla Firefox).
For information about how to replace the self-signed certificate and avoid this warning, see the
Administration module.
2. Use a configured authentication method to authenticate to the Application Portal.
The WatchGuard SSL Application Portal page appears with icons for the resources you can access.
3. Click a Tunnel Resource icon.
For example, click the Full Tunnel Access 1 resource icon.
For more information about how to create a Full Tunnel resource, see the Resource Access module.
The Application Portal automatically downloads and launches the Access Client to create a connection to the
Tunnel Resource. Actions associated with this resource, such as Assessment, also occur at this time.
4. If this is the first time you selected a Tunnel Resource, the web browser prompts you to download
either a Java Applet loader (Firefox) or an ActiveX control (Internet Explorer). Accept the download to
get the Access Client software that enables you to use the Tunnel Resource.
The Access Client is loaded and the Access Client icon appears in the Windows system tray.
See the Access Client Connection Status
After the Access Client has started, you can see the connection status and statistics.
1. Click in the Windows system tray.
The Access Client menu appears.
2. Click Status.
The Access Client Status dialog box appears.
To see a brief status, you can also move the mouse pointer over the Access Client icon in the Windows
system tray.
Close the Access Client and Tunnel Resource
1. Click in the Windows system tray.
2. To close all tunnels and close the Access Client, select Exit.
Exercise 2: Install the Access Client
The Successful Company has some remote users who always use the SSL VPN. To help streamline VPN
access for these users, the administrator wants to install the Access Client on the users' computers. In this
exercise you install the Access Client on a user's workstation.
To do this exercise, you must have the Access Client installer for your Windows version. Access Client
installer files for Windows 32-bit and Windows 64-bit are available on the WatchGuard software center at:
www.watchguard.com/archive/softwarecenter.asp
For this example, we use the WatchGuard SSL Access Client Installer for Win32 installation file,
wgssl31aci_win32.exe.
Install the Access Client
1. Connect to a Tunnel Resource in the Application Portal, as described in Exercise 1.
The On-demand Access Client starts. This automatically captures some of the configuration information
necessary for client installation.
2. Run the wgssl31aci_win32.exe file.
A security warning appears. You can safely ignore this warning.
3. Click Run to continue the installation.
4. On the License Agreement page, review and accept the License Agreement.
5. On the Select Destination Location page, select a location to install the Access Client.
The default location is C:\Program Files\WatchGuard\SSL\Access Client. We recommend you
use the default location.
6. On the last page of the wizard, click Finish.
Launch the Installed Access Client
Select Start > Programs > WatchGuard SSL > Access Client > WatchGuard Access Client.
Or, click the WatchGuard Access Client shortcut on the Windows desktop.
After the administrator installs the Access Client, the WatchGuard Access Client Helper Service enables a
user without administrative rights to use the Access Client on this computer.
Verify the Client Preferences
After you launch the Installed Access Client, verify the client update settings so that the Access Client can
automatically check for and download client updates when they are available.
1. Click in the Windows system tray.
2. Select Preferences.
The Access Client Preferences dialog box appears.
3. Verify that the Update server is set to the URL or IP address of your WatchGuard SSL device. This is
automatically set the first time the Access Client connects to a resource.
If you did not connect to a Tunnel Resource in the Application Portal at least once before you
installed the Access Client, you must manually add the address of your Application Portal.
If the Update server text box is empty, type the address of the WatchGuard SSL Application Portal.
Do not include https://.
4. To automatically launch the Access Client when Windows starts, select the Launch Access Client on
startup check box.
The Access Client is added to the Windows Startup folder.
5. Click OK.
Exercise 3: Create and Use a Favorite Resource
The Successful Company has created a Full Tunnel resource that gives full access to their local network.
The administrator wants to create this as a local favorite on the client so remote users can quickly access
the full local network, but not have to connect to the Application Portal.
See the Resource Access module for an exercise to create a Full Tunnel network resource.
Create a New Favorite
1. Authenticate to the WatchGuard SSL Application Portal.
2. Click the Full Tunnel Access resource to start it.
3. Click in the Windows system tray.
The Access Client menu appears.
4. Select Favorites > Add.
A list of connected Tunnel Resources appears.
5. Select the name of the connected resource to save as a favorite.
The Edit Favorite dialog box appears.
6. Type a Display name for this favorite. This can be different from the name of this resource on the
Application Portal.
For this example, type Full Network Access.
7. The Server and Configuration text boxes are automatically configured. Do not change these
settings.
8. To automatically start this resource when the client is launched, select the Load on startup check
box.
9. Click OK.
10. Click Close to exit the Access Client Favorites window.
11. Click in the Windows system tray.
12. Select Exit.
The Access Client exits, and the Tunnel Resource closes.
Start the Favorite Automatically
If you configured the favorite to start automatically when the Access Client starts, to start the favorite
resource you only need to launch the client.
1. Select Start > All Programs > WatchGuard SSL > Access Client > WatchGuard Access Client.
The Access Client starts and the Authentication dialog box appears.
Note
Because the WatchGuard SSL device uses a self-signed certificate, the Access Client displays a series of
security warnings. You must click Yes several times to acknowledge the security warnings.
For information about how to replace the self-signed certificate on the device to avoid these security warnings, see the Administration module.
2. Authenticate to the Authentication Portal.
The Full Tunnel Access resource automatically loads.
If you have configured the Access Client to launch when Windows starts, the resource is automatically
started. This is a great efficiency for remote users who use the Access Client to connect to your network,
because the VPN client and Tunnel Resources are loaded automatically when Windows starts.
Close and Start Favorite Resources from the Access Client Menu
1. Click in the Windows system tray.
The Access Client menu appears.
2. To close an active tunnel, select Close Tunnels and select the active tunnel from the list.
3. To start a favorite resource, select Favorites and select the name of the favorite resource from the list.
Edit or Delete Access Client Favorites
1. Click in the Windows system tray.
The Access Client menu appears.
2. Select Favorites > Manage.
The Access Client Favorites dialog box appears.
3. Click a favorite to select it.
4. To edit the favorite, click Edit.
To remove the favorite, click Delete.
Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.
1. You must use the Access Client to connect to which types of resources? (Select all that apply.)
A) File Share Resource
B) Full Tunnel Resource
C) Web Resource
D) Tunnel Resource
2. True or false? You can configure the On-demand Access Client to automatically start and launch
Tunnel Resources when you start Windows.
3. Why does the Access Client display a series of security warnings? (Select one.)
A) Because the user has not yet authenticated.
B) Because the WatchGuard SSL device uses a self-signed certificate.
C) Because the WatchGuard SSL Access Client uses a self-signed certificate.
4. How can you see status information about your Access Client connection? (Select all that apply.)
A) Move the mouse pointer over the Access Client icon in the Windows system tray.
B) Select Start > All Programs > WatchGuard SSL > Access Client > Status.
C) Select Status from the Access Client menu in the Windows system tray.
ANSWERS
1. A, B, D
2. False. You must use the installed Access Client to do this.
3. B
4. A, C
Assessment and Abolishment
Use End-Point Security to Protect Resources
What You Will Learn
Assessment and Abolishment are end-point security features that you can use to protect your resources.
In this training module you learn how to:
Configure Assessment settings
Configure Abolishment settings
Create Assessment and Abolishment Access Rules
Before you begin these exercises, make sure you read the Course Introduction module.
End-Point Security Features
The WatchGuard SSL device includes two end-point security features you can use to protect your
resources. End-point security features require that client computers meet certain criteria before they can
connect to resources on the Application Portal. These features also remove temporary files at the end of
an SSL VPN session. The two types of end-point security we review in this training module are
Assessment and Abolishment.
Assessment
Assessment is an end-point security feature that scans the client computer to examine whether the
client meets certain criteria. You can configure the Assessment criteria that a client computer must meet
in order to get access to a resource protected by an Assessment access rule.
You can define an Assessment access rule to check for these criteria:
File or directory information
Registry key or sub-key information
Process information
Windows user information
Windows domain information
Network interface information
TCP and UDP port information
Anti-virus and anti-spyware information
Firewall information
After a user authenticates, but before the user connects to a network resource, you can require an
assessment of their computers to find whether the computer meets your security requirements. This is
the Client Assessment process, which is performed by the WatchGuard SSL Assessment Agent. The
Assessment Agent automatically launches in a client web browser.
If the client computer meets the criteria, the user is allowed to access the protected resource. If you have
a current LiveSecurity subscription, updates to your Assessment criteria data occur automatically at the
time interval you specify in Monitor System > Live Update. If your LiveSecurity subscription expires, the
Assessment definition file is no longer updated, but Assessment continues to operate with the criteria
available at the time of expiration.
WatchGuard SSL supports Assessment on Microsoft Windows clients.
Abolishment
When a remote user connects to sensitive resources on your network from a computer that is not in your
control (such as a home computer or kiosk), confidential information can remain on the computer after
the VPN session is terminated. You can use Abolishment to erase all traces of the session from the client
device (for example, URL history, cache, cookies, and downloaded files).
Abolishment is an end-point security feature that monitors the files and stored browser data on a client
throughout a user session. When the user disconnects, the Abolishment agent requests the user to
delete the files that were downloaded or created during the user session. Monitored files include those
that a user downloads, edits, or creates during the user session. Administrators can also configure the
SSL device to automatically delete these files when the user session is complete.
When you protect a resource with an Abolishment access rule, the Abolishment settings specify what
type of files are monitored for changes and deleted from the client after the session is completed. By
default, the Abolishment client monitors these file types:
.htm
.pdf
.txt
.exe
.doc
.html
.gif
.jpg
When a user tries to connect to the resource, access is allowed only if the Abolishment client is running.
This makes sure that Abolishment can be performed when the session is completed. For your users of
Microsoft Internet Explorer 7 or later, make sure the HTTPS IP address of the SSL device is added to the
Internet Explorer Trusted Sites list.
WatchGuard SSL supports Abolishment on Microsoft Windows clients.
End-Point Integrity Client
Abolishment and Assessment are performed by Abolishment and Assessment clients that are loaded on
the client computer with an ActiveX or Java client loader.
If a user connects to the Application Portal with Internet Explorer, the first time the user clicks a resource
that requires Abolishment or Assessment, the user must agree to install the ActiveX client loader. The
user must restart the web browser after the ActiveX loader installs.
Note
When the user is notified about Assessment, the client is called the End-Point Integrity scan. When the
user is notified about Abolishment, the client is called the End-Point Protection scan.
By default, the Assessment Client Loader and Abolishment Client Loader try to use ActiveX first, and if it
is not available, they use a Java applet. You can change this in the Advanced Settings for Assessment and
Abolishment.
Exercise 1: Create an Assessment Access Rule
The Successful Company wants to make sure that computers that use the Application Portal meet the
defined security requirements before users can get access to certain internal resources through the
Application Portal.
The Successful Company standard corporate computer configuration includes a file that contains the
asset tag number of the computer. If this file is not present, the computer might not be a corporate
computer and should be denied access.
In this exercise you configure an Assessment Access rule to enable access to a resource only if the
asset-tag.txt file is present on the client computer.
1. Select Resource Access > Access Rules.
The Manage Access Rules page appears.
2. Click Add Access Rule.
The Add Access Rule wizard starts.
3. In the Display Name text box, type a name for this Access Rule. Click Next.
A list of Access Rule types appears.
4. Select Assessment. Click Next.
The Select Criteria page appears.
5. In the Display Name text box, type a name for this rule.
6. From the Information Type drop-down list, select File information. Click Next.
The Specify Requirements page appears. This is where you specify the requirements for this rule.
7. Click Add Requirement.
The Add Requirements page appears.
8. From the Client Data drop-down list, select File name.
If you select Wildcard match as the Matching Restriction, a first and last * is applied by default to the Matching Rule.
9. From the Matching Restriction drop-down list, select Match. This is the default setting.
10. In the Matching Rules text box, type the path and name of the file that must be present on the
computer.
For this exercise, type c:\asset-tag.txt.
11. Click Add.
The requirement is added to this rule.
12. To configure the Assessment client to check for the presence of other files, or to check for file
attributes, repeat Steps 7-11 to add other requirements to this rule.
13. Click Next.
The Feedback Message page appears.
14. In the Feedback Message text box, type a message that you want users to see if their computer
does not meet the criteria specified in this access rule. Click Next.
A summary of this Access Rule appears.
15. Click Next.
This access rule now has one rule in it. A single access rule can contain more than one type of rule.
You can add others. For this example, we do not need to add more rules.
16. Click Next.
The Select Resources page appears.
17. Select the resource to apply this access rule to.
For example, select OWA 2003. Click Add >.
The resource is moved to the Selected Resources list.
18. Click Next.
The Summary page appears.
19. Click Finish Wizard.
The new access rule appears in the list.
20. Click Publish to update your configuration with this change.
Trigger the Assessment Access Rule
To see what this looks like from the user's point of view, we first want to see what happens when the
asset-tag.txt file is not present on the client computer.
1. In a browser, authenticate to the Application Portal as any user who can get access to the resource
you protected with the Assessment access rule.
2. In the Application Portal, click the resource that you protected with the Assessment access rule.
The End-Point Integrity dialog appears in a separate browser window or tab.
This notifies the user that their computer must be scanned before the resource can be accessed.
3. Click Continue.
The Assessment client loads and scans for the Assessment criteria.
Note
The first time an Assessment scan runs, a browser warning appears that asks whether you want to
allow the ActiveX or Java client loader component. This warning looks different depending on your
browser. You must allow the client loader, or the Assessment scan cannot run.
If the assessment criteria are not met, the End-Point Integrity scan failed page appears.
The text on this page is the Feedback text you configured for the Assessment access rule.
4. Use a text editor to create the asset-tag.txt file in the C:\ folder.
5. Click Try Again in the End-Point Integrity scan failed page.
The End-Point Integrity page appears again.
6. Click Continue.
This time, the Assessment access rule finds the file and the resource opens.
Exercise 2: Use Assessment to Check for Anti-Virus Software
The Successful Company requires that all computers that connect to the Full Network resource in the
Application Portal must use anti-virus software. In this exercise, you create an Assessment rule that
checks for a running anti-virus client, and then apply this rule to the Full Network resource.
1. Select Resource Access > Access Rules.
The Manage Access Rules page appears.
2. Click Add Access Rule.
The Add Access Rule wizard starts.
3. Type a Display Name for this access rule.
For example, Anti-Virus check.
4. Click Next.
The Select Type of Access Rule page appears.
5. Select Assessment. Click Next.
The Select Criteria page appears.
6. Type a Display Name for this rule.
7. From the Information Type drop-down list, select Antivirus information. Click Next.
The Specify Requirements page appears.
8. Click Add Requirement.
The Add Requirement page appears.
9. From the Product Vendor drop-down list, select the name of the anti-virus vendor for the anti-virus
product you want to check for.
To check for the presence of anti-virus software from any vendor in the list, select Any product.
Note
If your training computer uses anti-virus software, you can select that vendor. Or, if you want the
Assessment scan to deny access, select an anti-virus vendor that is different than the anti-virus
software on your computer.
10. The Action to take if the product requirements are not met is automatically set to Deny access.
For this exercise, do not change this setting.
11. Click Add.
The Specify Requirements page appears again.
12. Click Next.
The Feedback Message page appears.
13. In the Feedback Message text box, type the message that you want users to see if their computer
does not have the required anti-virus software.
14. Click Next.
The Summary page for this access rule appears.
15. Click Next.
The Add Access Rule page appears.
16. Click Next.
The Select Resources page appears.
17. Select Full Tunnel and click Add >.
The Full Tunnel resource is moved to the Selected Resources list.
18. Click Next.
The Confirmation page appears with the settings for this access rule.
19. Click Finish Wizard.
The new access rule appears in the Registered Access Rules list.
20. Click Publish to update your configuration with this change.
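To make the decision logic of Exercises 1 and 2 concrete, the following added example (not WatchGuard code) models an Assessment access rule with its rules, requirements, Matching Restriction, Action and Feedback Message, and evaluates it against a constructed client inventory. The inventory format, the case-insensitive comparison, the display names and the feedback messages are assumptions made for the example.

```python
"""Added example, not WatchGuard code: a model of how an Assessment access rule
built with File information (Exercise 1) and Antivirus information (Exercise 2)
requirements decides whether a client may open a resource. Client inventories,
display names and feedback messages are constructed for the example."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Information Type -> key in the constructed client inventory (assumption).
INVENTORY_KEY = {"File information": "files", "Antivirus information": "antivirus",
                 "Process information": "processes"}


@dataclass
class Requirement:
    client_data: str                      # e.g. "File name" or "Product Vendor"
    matching_rule: str                    # text typed in the Matching Rules box
    restriction: str = "Match"            # "Match" (default) or "Wildcard match"
    action_if_unmet: str = "Deny access"  # default Action in the wizard

    def matches(self, value: str) -> bool:
        """Compare one client value against the Matching Rule (case-insensitive
        comparison of Windows file names and vendor names is an assumption)."""
        value, rule = value.lower(), self.matching_rule.lower()
        if self.restriction == "Match":
            return value == rule
        if self.restriction == "Wildcard match":
            # A first and last * is applied by default, as the guide notes.
            if not rule.startswith("*"):
                rule = "*" + rule
            if not rule.endswith("*"):
                rule = rule + "*"
            return fnmatchcase(value, rule)
        raise ValueError(f"unknown Matching Restriction: {self.restriction}")


@dataclass
class Rule:
    display_name: str
    information_type: str            # "File information", "Antivirus information", ...
    requirements: List[Requirement]
    feedback_message: str            # shown on the End-Point Integrity scan failed page


@dataclass
class AccessRule:
    display_name: str
    rules: List[Rule]
    resources: List[str]             # resources this access rule is applied to


def requirement_met(req: Requirement, info_type: str,
                    client: Dict[str, List[str]]) -> bool:
    """True if any client value of the rule's information type satisfies req."""
    values = client.get(INVENTORY_KEY[info_type], [])
    if req.client_data == "Product Vendor" and req.matching_rule == "Any product":
        return bool(values)          # anti-virus from any vendor in the list
    return any(req.matches(v) for v in values)


def evaluate(access_rule: AccessRule,
             client: Dict[str, List[str]]) -> Tuple[bool, Optional[str]]:
    """Check every rule; the first unmet requirement whose Action is Deny access
    fails the scan and returns that rule's Feedback Message."""
    for rule in access_rule.rules:
        for req in rule.requirements:
            if (not requirement_met(req, rule.information_type, client)
                    and req.action_if_unmet == "Deny access"):
                return False, rule.feedback_message
    return True, None


def scan_for_resource(resource: str, access_rules: List[AccessRule],
                      client: Dict[str, List[str]]) -> Tuple[bool, Optional[str]]:
    """Apply only the access rules attached to the requested resource."""
    for access_rule in access_rules:
        if resource in access_rule.resources:
            allowed, feedback = evaluate(access_rule, client)
            if not allowed:
                return False, feedback
    return True, None


# The two access rules from Exercises 1 and 2.
ASSET_TAG_RULE = AccessRule("Corporate asset check", [Rule(
    "Asset tag file present", "File information",
    [Requirement("File name", r"c:\asset-tag.txt")],
    "This computer does not have a corporate asset tag file.")], ["OWA 2003"])
ANTIVIRUS_RULE = AccessRule("Anti-Virus check", [Rule(
    "Anti-virus installed", "Antivirus information",
    [Requirement("Product Vendor", "Any product")],
    "Anti-virus software is required to use the Full Tunnel.")], ["Full Tunnel"])
ACCESS_RULES = [ASSET_TAG_RULE, ANTIVIRUS_RULE]

# Constructed client inventories: a kiosk without the asset tag, and a corporate laptop.
KIOSK = {"files": [r"C:\Windows\notepad.exe"], "antivirus": [], "processes": ["explorer.exe"]}
LAPTOP = {"files": [r"C:\asset-tag.txt", r"C:\Windows\notepad.exe"],
          "antivirus": ["ExampleAV Inc."], "processes": ["explorer.exe"]}
```

Note that a Match restriction compares the whole value, so the file must be given with its full path exactly as in Step 10, while a Wildcard match of asset-tag would accept the file at any location.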
Exercise 3: Create an Abolishment Access Rule
The Successful Company wants to enable access to some Application Portal resources to users from any
computer, such as a kiosk. The administrator wants to create an Abolishment rule to make sure that files
that contain potentially confidential information are not left behind on the computer after the user ends
the connection to the resource. In this exercise, you create an Abolishment access rule and apply it to a
resource.
1. Select Resource Access > Access Rules.
The Manage Access Rules page appears.
2. Click Add Access Rule.
The Add Access Rule wizard starts.
3. Type a Display Name for this access rule. Click Next.
The list of access rule types appears.
4. Select Abolishment as the access rule type. Click Next.
The Summary page for this access rule appears.
5. Click Next.
The Add Access Rule page appears.
You can click Add Rule to add more rules to this access rule. For this exercise, we will not add more
rules.
6. Click Next.
The Select Resources page appears.
7. From the Available Resources list, select a resource. Click Add >.
The resource is moved to the Selected Resources list.
8. Click Next.
The Summary page for this access rule appears.
9. Click Finish Wizard.
The new access rule appears in the Registered Access Rules list.
10. Click Publish to update your configuration with this change.
Trigger the Abolishment Access Rule
When an Abolishment Access Rule is applied to a resource, at the end of a user session, the user sees a list
of files that were added or changed since the user connected to the protected resource. The new or
changed files are not deleted automatically. The user must take action to select the files to delete before
abolishment can complete.
1. Authenticate to the Application Portal.
2. Click the resource you protected with the Abolishment access rule.
The End-Point Protection notification dialog box appears.
3. Click Continue.
The selected resource appears.
4. Download or create a file of one of the monitored file types.
For example, create a .txt file and save it to C:\.
5. Close the resource.
6. Log out of the Application Portal or close the browser.
The WatchGuard Abolishment dialog box appears with a list of files created or changed during the session.
7. Select the check box for each file to delete, or click Select All.
The Delete Files button is enabled.
8. Click Delete Files.
The All selected files were deleted successfully message appears.
Exercise 4: Change File Types to Monitor for Abolishment
The Successful Company uses Microsoft Word 2007 for document creation. In addition to the default file
types, the Successful Company also wants the Assessment client to perform Abolishment for .docx files.
In this exercise, you change the Abolishment General Settings to add the .docx file type to the list of file
types to monitor.
1. Select Manage System > Abolishment.
The Manage Abolishment General Settings page appears.
2. In the Windows text box, add the .docx file type. Make sure to separate each file type with a comma
and a space.
3. Click Save.
The Abolishment settings are saved.
4. Click Publish to update your configuration with this change.
Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.
1. Which of these options is not a check that an Assessment access rule can perform?
(Select all that apply.)
A) If a process is running on the client computer.
B) If the client computer has a removable USB drive attached.
C) If a registry value exists on the client computer.
D) If a file exists on the client computer.
E) If the client computer is running anti-virus software.
2. True or false? You can create an access rule that contains multiple Assessment rules.
3. True or false? When a user connects to a resource protected by an Abolishment access rule, by
default, at the end of the user session, the Abolishment client automatically deletes all files that a
user downloaded, edited, or created during the user session.
4. If you have a current LiveSecurity subscription, updates to your Assessment criteria data occur
automatically at the time interval you specify in Monitor System > Live Update. What happens if
your LiveSecurity subscription expires? (Select all that apply.)
A) The assessment definition file is no longer updated.
B) Assessment continues to operate with the criteria available at the time the LiveSecurity subscription expired.
C) Assessment does not continue to operate because the criteria is not current.
5. True or false? You can create multiple Abolishment rules that monitor different file types.
ANSWERS
1. A, C, D, E
2. True
3. False. In the default configuration, the Assessment client displays a list of changed files to the user at the end of the session, but the user must take action to delete them.
4. A, B
5. False. Because you configure the list of monitored file types in the Abolishment General Settings, the same set of file types is monitored for all Abolishment access rules.
Administration
Manage and Customize your WatchGuard SSL Device
What You Will Learn
In the Getting Started module, you learned how to set up your WatchGuard SSL device. In this training
module you learn about:
How to restore a previous configuration
How to import and export your device configuration
How to update the WatchGuard SSL OS
Why you should request and install a signed server certificate
How to customize the branding on your Application Portal
Before you begin these exercises, make sure you read the Course Introduction module.
Introduction
You used the Quick Setup Wizard to create your initial device configuration. You can manage many of
those initial configuration settings, and many other system settings, in the Manage System section of
WatchGuard SSL Web UI.
In the other training modules, you learned about many of these system settings, such as Authentication,
Assessment, Abolishment, and Notification. In this training module, we focus on some of the other
system management settings used to maintain your WatchGuard SSL device.
Manage your Device Configuration Files
There are two ways to save and restore previous configuration files. Recent configuration files are
automatically stored on the device. You can also export your configuration to an archive file for off-site
storage or backup.
Manage Recent Configuration Files
The WatchGuard SSL device automatically saves copies of your last configuration each time you publish
a configuration change. After you click Publish, the Publish Summary page appears.
By default, the WatchGuard SSL device saves the 20 most recent configuration files. If you have reached
the maximum allowed number of saved configuration files, each time you publish a new configuration,
the oldest saved configuration file is removed to make room for the newest one, unless the configuration
file is locked.
To see the saved configuration files:
On the Publish Summary page, click Restore Configuration.
Or, select Manage System > Restore Configuration.
On the Restore Configuration page, you can:
Restore a saved configuration file
Delete saved configuration files
Delete multiple backup configuration files
Add comments to a saved configuration file
Change the maximum number of configuration files to save
The saved configuration files are stored on the WatchGuard SSL device. To save a backup of your
configuration to a location other than the SSL device, you must export the configuration as described in
the next section.
Export and Import a Device Configuration File
It is a good idea to periodically back up your device configuration to another location. Off-site system
backups are usually a required part of an organization's disaster recovery plan. We recommend that you
export your configuration before you upgrade your device OS, to help you recover in the unlikely event
that there are problems during the upgrade process.
When you export the device configuration, the device creates an encrypted zip archive file that contains
all the configuration files for your device.
You can import the exported device configuration to the same device or to a different WatchGuard SSL
device. You can use the export and import processes to migrate your configuration from one device to
another, or to replicate the configuration on more than one device.
Update the WatchGuard SSL OS
WatchGuard provides software updates in a file that you can use to update the software on your SSL
device. We recommend that you export your configuration to create a backup before you update the OS
on your device.
WatchGuard posts Release Notes with each software update. We strongly recommend you read the Release Notes before you update the OS. The Release Notes include a description of what is new in the OS update, any special upgrade instructions, and a list of resolved and known issues.
The software update file is delivered as a zip file. After you download the software upgrade file from the
WatchGuard Software Downloads page and extract the contents, you can use the file to upgrade your
device.
To update the OS:
1. Select Manage System > Device Update.
2. Click Browse to locate the software update file.
3. Click Update.
The WatchGuard SSL device automatically reboots as part of the upgrade process.
Install a Signed Certificate
The WatchGuard SSL default configuration includes a self-signed server certificate named TestCert. We
recommend that you replace this with your own signed certificate. To create your own signed certificate,
you must first create a Certificate Signing Request (CSR). Then you send the CSR to a certificate authority
(CA), which issues a signed certificate.
When you use the default certificate, the browser displays a certificate warning because the
distinguished name in the default self-signed certificate does not match your organization, and the
certificate is not signed by a trusted certificate authority. If you install a server certificate signed by a
well-known (trusted) CA, the certificate warnings do not appear because the browser trusts the certificate.
To see and manage the certificates on your device, select Manage System > Certificates.
The basic process you must use to request and use a signed certificate includes these steps:
1. Create a private key and certificate signing request (CSR). You can use OpenSSL, a free command line
utility, to do this.
For a list of sites from which you can download OpenSSL, see http://www.openssl.org/related/binaries.html.
2. Use the CSR to request a certificate from Thawte, Verisign, or another well-known certificate
authority (CA). Use the instructions from your CA to submit the CSR. The CA returns a signed
certificate to you.
3. Convert the private key to PKCS#8 format with a program such as OpenSSL.
4. On the Manage Certificates page, add the new CA certificate and the new server certificate to the
WatchGuard SSL device.
5. On the Manage System > Device Settings page, configure the SSL device to use the new server
certificate.
6. Save the configuration, and publish it to update your configuration with the change.
For a detailed description of these steps, including the OpenSSL commands, see the WatchGuard SSL
Web UI Help or User Guide.
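Steps 1 and 3 can be scripted. The following added example (not from this guide or WatchGuard) drives OpenSSL from Python to create the private key and CSR, verify the CSR's self-signature before it goes to the CA, and convert the key to PKCS#8. It requires the openssl binary on the PATH; the subject fields, file names and the demo() helper are assumptions made for the example.

```python
"""Added example, not WatchGuard's documented procedure: use OpenSSL to create the
private key and CSR (step 1) and convert the key to PKCS#8 (step 3). Requires the
openssl binary on PATH; the subject below is a constructed placeholder."""
import os
import shutil
import subprocess
import tempfile
from typing import Dict, List

# Constructed subject: the CN must be the host name users type to reach the portal,
# otherwise browsers still warn about a name mismatch after the CA signs it.
SUBJECT = "/C=US/O=Successful Company/CN=sslvpn.example.com"


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def run(args: List[str]) -> str:
    """Run one openssl command; raise CalledProcessError on a non-zero exit."""
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout


def make_csr_and_pkcs8(workdir: str, subject: str = SUBJECT,
                       key_bits: int = 2048) -> Dict[str, str]:
    key = os.path.join(workdir, "server.key")
    csr = os.path.join(workdir, "server.csr")
    pkcs8 = os.path.join(workdir, "server-pkcs8.pem")
    # Step 1a: RSA private key. genrsa on OpenSSL 1.x writes the traditional
    # "BEGIN RSA PRIVATE KEY" format, which is why the PKCS#8 conversion exists.
    run(["openssl", "genrsa", "-out", key, str(key_bits)])
    # Step 1b: CSR signed with that key; -subj avoids the interactive prompts.
    run(["openssl", "req", "-new", "-key", key, "-out", csr, "-subj", subject])
    # Check the CSR's self-signature before sending it to the CA.
    run(["openssl", "req", "-in", csr, "-noout", "-verify"])
    # Step 3: convert to PKCS#8 PEM; -nocrypt leaves it unencrypted for upload,
    # so keep both key files readable only by the administrator.
    run(["openssl", "pkcs8", "-topk8", "-nocrypt", "-in", key, "-out", pkcs8])
    for path in (key, pkcs8):
        os.chmod(path, 0o600)
    return {"key": key, "csr": csr, "pkcs8": pkcs8}


def csr_subject(csr_path: str) -> str:
    """Subject line as OpenSSL prints it, e.g. 'subject=C = US, O = ..., CN = ...'."""
    return run(["openssl", "req", "-in", csr_path, "-noout", "-subject"]).strip()


def pem_label(path: str) -> str:
    """First line of a PEM file; a PKCS#8 key reads '-----BEGIN PRIVATE KEY-----'."""
    with open(path, encoding="ascii") as f:
        return f.readline().strip()


def demo() -> Dict[str, str]:
    """Generate the files in a temporary directory and report what was produced."""
    workdir = tempfile.mkdtemp(prefix="wg-csr-")
    files = make_csr_and_pkcs8(workdir)
    return {"subject": csr_subject(files["csr"]),
            "key_label": pem_label(files["key"]),
            "pkcs8_label": pem_label(files["pkcs8"]),
            "workdir": workdir}
```

The server.csr file is what you submit to the CA in step 2; server-pkcs8.pem is the key you upload with the signed certificate in step 4.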
Customize the Application Portal Page
You can change the WatchGuard SSL Application Portal and Web UI to reflect your corporate branding.
There are two methods you can use to apply your corporate brand or other customizations:
Customize Application Portal Page
On the WatchGuard SSL Web UI Customize Application Portal page, you can easily customize the
most visible text and images that appear in the Application Portal and the Authentication Portal
pages.
File Browser
Use the file browser for more detailed customization of the Application Portal or to customize the
Web UI.
For more information about the file browser, and details about all the things you can customize, see
the WatchGuard SSL Web UI Help or User Guide.
Branding Changes from the WatchGuard SSL Web UI
From WatchGuard SSL Web UI, you can make many changes to the Application Portal branding.
In the default configuration, the Application Portal page looks like this:
From WatchGuard SSL Web UI you can easily customize many parts of this page:
- Company Name: The name that appears in the About and Contact links.
- Company URL: The URL associated with the About link.
- Company Contact URL: The URL associated with the Contact link.
- Portal Name: The large text heading at the top of the Application Portal page.
- Portal Information Text: The welcome text that appears above the Resources on the Application Portal page.
- Client Portal Header Image: The grey background image at the top of the page.
- Website Icon: The icon that appears in the browser tab for the Application Portal.
In the default configuration, the Application Portal authentication page looks like this:
The red and grey borders of this page are a background image. To change the look of this page, in
WatchGuard SSL Web UI, replace the Client authentication portal background image with a different
image.
Exercise 1: Restore a Saved Configuration
The Successful Company administrator wants to restore an earlier configuration that was saved on the device.
In this exercise, you restore a saved configuration on the device.
1. Select Manage System > Restore Configuration.
The Restore Configuration page appears.
2. Select the configuration you want to restore.
3. Click Restore.
A message appears on the System Status page after the configuration is successfully restored.
4. Click Publish to update your configuration with this change.
Exercise 2: Export and Import the Device Configuration
The Successful Company is required to maintain periodic off-site backups of their key systems and to test
the recovery process to verify that the backup process is successful.
In this exercise, you export the device configuration to an archive file and then import it.
Export the Configuration
1. Select Manage System > Import/Export Configuration.
The Configuration Import/Export page appears.
2. Click Export 3.x Configuration.
The system creates an encrypted zip archive that contains all configuration files for the system.
The file name has the date and time the export file was created as a part of the file name.
3. Click the Download link to download the encrypted zip file.
The save file dialog for your browser appears.
4. Save the file to a location on your computer.
Import the saved configuration file
To import the file, select the file you just saved. After you import a saved configuration file, the device
must reboot.
1. Select Manage System > Import/Export Configuration.
The Configuration Import/Export page appears.
2. In the Import Configuration section, click Browse to select the configuration file to import.
3. Click Import Configuration.
The configuration is imported and your WatchGuard SSL device reboots. This can take several minutes.
4. After the device reboots, log in to WatchGuard SSL Web UI again.
Exercise 3: Customize the Application Portal Page
The Successful Company wants to update the Application Portal page to use their own company name
and information. In this exercise you learn how to customize the Application Portal page from
WatchGuard SSL Web UI.
Customize the Application Portal Text and URLs
1. Select Resource Access > Application Portal.
The Manage Application Portal page appears.
2. Click Customize Application Portal.
The Customize Application Portal page appears.
3. Change the text and URLs that appear in the Application Portal.
4. Click Save.
5. Click Publish to update your configuration with this change and update the Application Portal.
6. Authenticate to the Application Portal.
The updated text and URLs appear on the Application Portal page.
Customize the Application Portal Header Background Image
If you are comfortable editing image files, you can try this additional exercise to customize the
background image that appears in the header of the Application Portal.
To do this part of the exercise, you must first create a new header image in GIF format of the correct
size (799 x 70 pixels). If you do not already have an image file of that size, one way to create one for
this exercise is to edit the existing header image. From the Application Portal page, in Internet Explorer
you can right-click the top of the page to save a copy of the background image to a local file. In Firefox,
right-click the top of the Application Portal page, then right-click again to save the image to a file. You
can then edit the saved image with image editing software.
1. Select Resource Access > Application Portal.
The Manage Application Portal page appears.
2. Click Customize Application Portal.
The Customize Application Portal page appears.
You can change the background images and the website icon.
This page also displays the maximum image size for each background image:
- Client Authentication Portal Background Image: 456 x 360 pixels.
- Client Portal Header Image: 799 x 70 pixels.
3. In the Client Portal Header Image section, click Browse to locate the GIF file to use.
4. Click Save.
5. Click Publish to update your configuration with this change.
6. Authenticate to the Application Portal to see the updated header image.
You can use similar steps to replace the background image on the authentication page. On the
Customize Application Portal page, this image is called the Client Authentication Portal Background
Image, and its size is 456 x 360 pixels.
Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.
1. True or false? To restore a recent configuration, you must import the configuration from a backup
file.
2. By default, how many recent published device configurations does the WatchGuard SSL device save
locally? (Select one.)
   A) 10
   B) 20
   C) 40
   D) There is no limit
3. Which of these options require the WatchGuard SSL device to restart? (Select all that apply.)
   A) Restore a saved configuration.
   B) Update the OS.
   C) Export the configuration.
   D) Import the configuration.
   E) Publish an update to the configuration.
4. True or false? To eliminate browser warnings about a mismatched or untrusted certificate when a
user connects to the Application Portal, you can install a server certificate signed by a trusted CA.
5. Which of these changes can you make from WatchGuard SSL Web UI? (Select all that apply.)
   A) Change the branding on the Application Portal page.
   B) Change the branding on WatchGuard SSL Web UI.
   C) Change the branding on the Application Portal authentication page.
   D) Change the branding on the WatchGuard SSL Access Client.
ANSWERS
1. False
2. B
3. B, D
4. True
5. A, C
Monitor the WatchGuard SSL System
Monitor WatchGuard SSL System Status and Activity
What You Will Learn
You can use WatchGuard SSL Web UI to see information about the system status, user sessions, log files,
reports, licenses, and alerts. In this training module you learn how to:
- Monitor WatchGuard SSL system status
- Manage current user sessions
- Add alerts to notify you of specific events
- Manage log file settings and see log messages
- Create reports
Before you begin these exercises, make sure you read the Course Introduction module.
Introduction
When you log in to WatchGuard SSL Web UI, you can immediately see key information about the
status of your system. The Monitor System section of the Main Menu contains all the management
features you use to monitor the status of, and events on, your WatchGuard SSL device. The System Status
page, in the sub-menu below Monitor System, is selected automatically when you log in.
The Monitor System section of the Web UI has these left menu options:
System Status
In this section you can see an overview of information about your system, check the status of your
network, review current authentication settings, identify events that have occurred on your system,
verify the status of your device, and run basic debug tools to help you troubleshoot issues on your
network. You can also manage settings for event monitoring, change the Super Administrator
password, and see information about the date and time of administrator activities.
User Sessions
Search for and manage all current user sessions to see which users are active in the system and
information about their sessions. You can also stop active user sessions.
Alerts
Add, edit, and delete the alerts the system sends when specified events occur, and manage global
alert settings. You can configure the system to send alerts by email or as an SMS message.
Logging
Configure logging settings, such as log level, log file rotation, and the types of information to include
in the log messages for each registered service.
Log Viewer
See log messages from the configured services. You can specify search criteria to filter search results
by severity level or search for specific messages.
Reports
Generate reports about the current status of the device or service, or select a time range.
Diagnostics File
Create a compressed diagnostics log file that contains log file events from all log files for a specified
time range. WatchGuard technical support may ask you to generate this file to help troubleshoot
issues with your system and resolve issues with your configuration.
Feature Key
See information about the current feature key and upload a new feature key.
Live Update
Check the status of updates to the engine and definition files used for End-Point Security Assessment
access rules. Live Update settings are preconfigured to the recommended settings. We recommend
that you do not change these settings unless instructed to do so by WatchGuard technical support.
At the bottom of the Monitor System page, there are two links that enable you to change some
additional global monitoring settings:
Manage Settings
Select whether to monitor the connection to the Local User Database or External Directory Service,
change the Super Administrator password, and enable password policy.
View Administrator Activities
See a list of all the administrators logged on to the Web UI, as well as the date and time of recent
actions for each administrator.
Exercise 1: Monitor System Status
A new network administrator has joined Successful Company and wants to learn about the configuration
of the installed WatchGuard SSL device. In this exercise you explore the System Status section of the Web
UI to learn about the system.
1. Select Monitor System > System Status.
Or, log in to WatchGuard SSL Web UI.
The System Status page appears automatically when you log in.
Note
An evaluation feature key allows a maximum of one authenticated user. The evaluation feature key does
not include LiveSecurity, so you cannot update the software or use the Live Update feature.
Some of the information you can learn immediately from this page includes:
- Which Software Version is installed.
- The Feature Key Type (Production or Evaluation) installed on this device.
- Status information about registered and connected users.
   - Concurrent Users: The current number of users logged in to the Application Portal. The
maximum number of allowed concurrent users is shown in parentheses.
   - Registered User Accounts: The number of user accounts on this system. The maximum
number of user accounts is shown in parentheses; (*) indicates there is no limit.
   - Logged on Users: The number of users logged in to the Application Portal. This includes
all logged in users, whether or not the users are actively connected to a resource.
   - Active Users: The number of users logged in and actively connected to a resource.
At the bottom of the page, you can see the number of Registered Resources configured for the
Application Portal and the number of Registered SSO Domains configured for Single Sign-On.
2. Select the Network Status tab.
The Network Status page appears.
Note
Single Interface Mode and Dual Interface Mode are described in the Getting Started training module.
From this tab, you can see the status of the network configuration for this device. At a glance, you
can see that this device is configured in Single Interface Mode, because there is only one interface
(Eth0) configured. If the device was configured in Dual Interface Mode, you would also see status
information for Eth1.
You can also see the Routing Table configured for this device.
3. Select the Authentication tab.
The authentication settings appear.
This page includes a summary of configured authentication methods and directory services, as well
as information about RADIUS clients and configured email notification and SMS distribution
channels.
Note
It is important for you to know which distribution methods are configured on your system. These
notification channels are used to send alerts and for distribution of one-time passwords (OTPs),
passwords and PINs, and seed notifications.
In this example, on this page you can learn:
- The five WatchGuard authentication methods are configured.
- There are no RADIUS clients registered.
- The Email Notification channel is configured.
- The SMS Distribution Channels are disabled.
- This device is configured with both a Local User Database and an External Directory Service.
4. Select the Device Status tab.
The Device Overview section shows information about the installed software, current connections,
and resource use, which includes:
- Current Server Time: Shows the current date and time for the SSL device (this also appears
on the System Overview page).
- Server Started: Shows the date and time the system was last started.
- Version: Shows the software version (this also appears on the System Overview page).
The SSL Status section shows information about SSL Listeners. Listeners are additional ports or
IP addresses on which the Application Portal accepts connections. By default, the Application Portal
listens on one IP address on the Eth0 port. If you added additional listeners, their status would also
appear in this section. In this example, only one SSL Listener is enabled.
Exercise 2: Monitor User Sessions
The administrator wants to see more information about the current user sessions. In this exercise you
look at user session information and learn how to end a user session.
1. In the WatchGuard SSL Web UI, select Monitor System.
The System Status page appears.
2. Select User Sessions.
The User Sessions page appears with a list of all active user sessions.
3. Click a user session to see details about it.
The View User Session page appears.
4. To return to the User Sessions page, click Previous.
5. If you want to end a user session, select the Delete check box adjacent to that session. Click Delete.
The selected user sessions are stopped and are removed from the list.
Exercise 3: Configure Administrative Alerts
Alerts are messages the system sends to notify administrators when specified events occur. Alert events
include lost and restored connections between services, lost and restored connections to the Local User
Database, or user account activity. You can configure alerts to be sent by email or as an SMS message.
The Successful Company administrator wants the help desk to receive an alert as an email when a user
account is locked.
Enable the Email Notification Channel
To use Administrative Alerts, you must enable a notification channel. For this example, we use the email
channel.
Note
You may have already enabled the email notification channel if you completed the exercises in the
Authentication and Users module.
1. Select Manage System > Notification Settings.
The Manage Notification Settings page appears.
2. On the Email Channel tab, select the Enable email channel check box.
3. In the Host text box, type the IP address or domain name of your local email server.
4. In the Senders E-mail Address text box, type the email address that you want to use to send the
administrative alerts. You can use an email address that is not on your mail server.
5. Click Save.
Add Alerts
1. Select Monitor System > Alerts.
The Manage Alerts page appears.
2. Click Add Alert.
The Add Alert page appears.
3. Type a Display Name and Description for this alert.
4. Select a notification method. For this example, select Email.
Note
You must also make sure the notification channel is configured for the notification method you select.
You can see the status of notification methods in the System Status > Authentication tab. To
configure a notification channel, select Manage System > Notification Settings.
5. Click Next.
The next page of the Add Alert wizard appears.
6. Select one or more event types to trigger this alert.
For this example, select Locked for Access.
7. Click Next.
8. Click Add Email address. Type an email address to receive notification for this alert.
9. Click Finish Wizard.
The Manage Alerts page appears, with the new alert added to the Registered Alerts list.
Exercise 4: Monitor System Logs
The new administrator at Successful Company also monitors the system log files as another way to learn
about the system status and activity.
In this exercise you learn about the default logging settings, which are a good starting point for most
environments. You also learn how to use the Log Viewer to search for information in the log files.
Configure the Logging Settings
1. Select Monitor System > Logging.
The Manage Logging page appears.
You can configure logging settings, such as the log level, log file rotation, and the types of
information to include in the log messages for each registered service.
You can configure logging for two registered services:
- accesspoint: Includes all services related to the operation of the Application Portal.
- Administrator: The WatchGuard Administration Service, which includes all the services and
settings related to administration of your device.
You can also select Manage Global Logging Settings on this page to change logging settings that
apply to all registered services.
2. Click accesspoint.
The Edit Logging Settings page for the accesspoint service appears, with a separate tab for each log type.
This example shows the default logging settings.
- Log Level Filter is set to Info, which means that the service saves all log messages (Info,
Warning, and Fatal) to the log file for this service.
- Log File Rotation is set to Create a new log file every day, which means that the service
creates a new file for log messages every day.
3. Select the Audit Log tab.
The Audit Log settings appear.
For the Audit Log, in addition to the Log Level Filter and Log File Rotation settings, you can also
see and change which types of information are included in log messages. The Log File Information
settings are only available for the accesspoint service. You can also configure a similar group of
settings on the HTTP Log tab.
The default logging settings are a good starting point for most environments. You can select other
types of information to include in your log files if you want to see that information in the Log Viewer
for monitoring.
See Contents of the Log Files
You use the Log Viewer to search the log files for events, filtered on the criteria you select.
1. Select Monitor System > Log Viewer.
The Log Viewer page appears.
By default, the Log Viewer is set to show the System log messages for all services for the last hour.
You can select a different Log Type or select a specific service from the Services list.
You can use Search Criteria to trace specific log events, such as user activity, through your services.
Searches are not case sensitive and search criteria can include multiple text strings. For example, if
you want to see only warnings, you could type WARNING in the Search Criteria text box.
For details about how to use the Search Criteria for sophisticated searches, see the WatchGuard SSL
Web UI Help or WatchGuard SSL User Guide.
2. Click View Log.
The WatchGuard Web UI System Log shows log messages that meet the criteria you specified.
Note
You might need to allow the pop-up in your browser to see the View Log window.
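Two ideas from this exercise are easy to get wrong when you read logs by hand: a Log Level Filter of Info is a threshold, not a single level, so it keeps Warning and Fatal messages as well; and a Log Viewer search matches every term you type, without regard to case. The following Python script is an added example, not the product's own Log Viewer or any code from this course. It applies both rules to a few constructed log lines in an assumed "date time LEVEL service message" layout (the real log format is not shown on this page), and the last search picks out the same "locked for access" event that the alert in Exercise 3 sends by email.

```python
"""Level-threshold filtering and case-insensitive multi-term search over
constructed log lines. Example code, not the WatchGuard Log Viewer."""
import re
from typing import List, Optional, Tuple

# Severity order assumed for this example; Info is the lowest level the course names.
LEVELS = {"INFO": 0, "WARNING": 1, "FATAL": 2}

# Constructed sample lines; the layout "date time LEVEL service message" is an assumption.
SAMPLE_LOG = """\
2012-03-05 10:15:02 INFO accesspoint User alice authenticated from 10.0.1.25
2012-03-05 10:15:40 WARNING accesspoint Invalid password for user bob from 10.0.1.26
2012-03-05 10:15:55 WARNING accesspoint Invalid password for user bob from 10.0.1.26
2012-03-05 10:16:03 FATAL accesspoint User bob locked for access after 3 failures
2012-03-05 10:16:10 INFO Administrator Administrator admin logged in to Web UI
2012-03-05 10:17:00 INFO accesspoint User alice connected to resource Intranet
"""

LINE_RE = re.compile(r"^(\S+ \S+) (INFO|WARNING|FATAL) (\S+) (.*)$")

Record = Tuple[str, str, str, str]  # (timestamp, level, service, message)


def parse(text: str) -> List[Record]:
    """Split log text into records; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            records.append(match.groups())
    return records


def at_or_above(records: List[Record], level_filter: str) -> List[Record]:
    """Keep records at the filter level or more severe.
    'Info' keeps everything; 'Warning' drops Info; 'Fatal' keeps only Fatal."""
    threshold = LEVELS[level_filter.upper()]
    return [rec for rec in records if LEVELS[rec[1]] >= threshold]


def search(records: List[Record], criteria: str,
           service: Optional[str] = None) -> List[Record]:
    """Return records containing every whitespace-separated term, ignoring case,
    optionally limited to one service as the Log Viewer's Services list does."""
    terms = [term.lower() for term in criteria.split()]
    hits = []
    for rec in records:
        if service is not None and rec[2] != service:
            continue
        haystack = " ".join(rec).lower()
        if all(term in haystack for term in terms):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    records = parse(SAMPLE_LOG)
    for rec in at_or_above(records, "Warning"):
        print("warning or worse:", rec[3])
    for rec in search(records, "locked for access"):
        print("lockout:", rec[0], rec[3])
```

Searching for `warning` returns only lines whose text contains that word, which is a different question from the Warning threshold: `at_or_above(records, "Warning")` also returns the Fatal lockout line, while `search(records, "warning")` does not.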
Exercise 5: Create Reports
The Successful Company administrator realizes that, while searching the log files might be good for
troubleshooting, the built-in reports provide a better way to get an overall view of system activity in a
format that is prefiltered and easier to read.
In this exercise you generate an Authentication Report of all system activity, and you learn how to
generate a Complete Report of all system activity.
1. Select Monitor System > Reports.
The Manage Reports page appears, with a list of all available reports.
The Manage Reports page includes a list of all available reports, grouped based on the type of
events they report about. At the bottom is a Complete Report, which includes all of the others.
2. Click one of the report links.
For this example, click Authentication Report.
The Generate Authentication Report page appears.
By default, the report is generated for all data for the past week.
3. Select the Filter tab.
Data filters for this report appear.
Each report type has different data filters, based on the input data for that report type. You can click
a data filter to edit it for this report. For this exercise, leave the filters set to All.
4. Select the Graphics tab.
The chart types and styles for the charts in the selected report appear.
For this exercise, you can change the chart styles, or use the default Bar settings.
5. Click Generate Report.
The Authentication Report page appears.
6. Select each report tab to see the other charts for this report.
7. Click Save Report.
The Save Report page appears for the selected report.
You can save the report as a PDF, data file, or image file. PDF is the default setting.
- The PDF includes all pages of the report.
- Data files are stored as plain text, with one text file for each report tab.
- Image files are stored as PNG image files, with one file for each chart.
8. Click Download.
The selected report file is generated. If your report download includes more than one file, the files are
combined into one zip file.
9. Click the file name to download the file.
Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.
1. True or false? The date and time the system was last started appears on the System Overview tab of
the System Status page.
2. Which notification methods can you select for Alerts? (Select all that apply.)
   A) IM
   B) SMS
   C) Email
   D) Pop-up message in the SSL Web UI
3. True or false? If you set the Log Level for a service to Info, the log file includes all levels of messages.
4. You can save Reports in which of these formats? (Select all that apply.)
   A) PDF
   B) .csv
   C) plain text report
   D) PNG image file
ANSWERS
1. False. It appears on the Device Status tab of the System Status page.
2. B, C
3. True
4. A, C, D