Courseware: WatchGuard SSL Basics v3.2 Student Guide

TRAINING
www.watchguard.com/training
training@watchguard.com

SUPPORT
www.watchguard.com/support
support@watchguard.com
U.S. and Canada: +877.232.3531
All Other Countries: +1.206.613.0456

Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright and Patent Information
Copyright 2012 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more pending patent applications. All other trademarks and tradenames are the property of their respective owners. Printed in the United States.

Table of Contents

Course Introduction ..... 1
    Training Options ..... 1
    Required Equipment and Software ..... 1
    Training Scenario ..... 2
    Prerequisites ..... 2
    Certification ..... 2
    Additional Resources ..... 3
Getting Started ..... 5
    What You Will Learn ..... 5
    Introduction to the WatchGuard SSL Solution ..... 5
        Components of the WatchGuard SSL solution ..... 5
    Before You Begin ..... 6
        Get a WatchGuard device feature key ..... 6
    Configuration Modes ..... 6
    Initial Configuration Steps ..... 7
    About the WatchGuard SSL Web UI ..... 7
    Exercise 1: Reset the SSL Device to Factory Default Settings (Optional) ..... 8
        Before You Begin ..... 8
        Start the WatchGuard SSL Device in Recovery Mode ..... 8
        Upload a New Software Image ..... 8
        Next Steps ..... 9
    Exercise 2: Run the Quick Setup Wizard ..... 9
    Exercise 3: Use the WatchGuard SSL Web UI to Finish Initial Setup ..... 13
        Log in to the WatchGuard SSL Web UI ..... 13
        Upload a Feature Key ..... 13
    Test Your Knowledge ..... 14
Authentication and Users ..... 15
    What You Will Learn ..... 15
    About Authentication ..... 15
        Authentication Methods ..... 15
        WatchGuard SSL Authentication Methods ..... 15
        Other Supported Authentication Methods ..... 16
    Authentication Method Configuration ..... 17
        General Settings ..... 17
        RADIUS Replies ..... 17
        Extended Properties ..... 17
    About User Management ..... 18
        Local User Accounts ..... 18
    How User Authentication Works ..... 19
        Authentication with WatchGuard SSL Authentication Methods ..... 19
        Authentication with non-WatchGuard Authentication Methods ..... 20
    Exercise 1: Manually Add a User Account ..... 20
    Exercise 2: Configure Active Directory with LDAP over SSL ..... 23
        Configure the Active Directory Authentication Method on your SSL Device ..... 23
        Enable the Active Directory Authentication Method ..... 24
    Exercise 3: Link User Accounts to the Existing AD Server ..... 27
        Add an External Directory Service Location ..... 27
        Link Users to the AD server ..... 31
    Exercise 4: Connect to the Application Portal ..... 32
    Exercise 5: Enable Automatic User Link Repair ..... 34
    Test Your Knowledge ..... 36
Resource Access ..... 39
    What You Will Learn ..... 39
    Introduction ..... 39
    Resource Types ..... 41
        Web Resources ..... 41
        Tunnel Resources ..... 41
    Static and Dynamic Tunnels ..... 42
        How Static and Dynamic Tunnels Work ..... 42
        About the Access Client ..... 43
    Global Resource Settings ..... 45
    Protect Resources with Access Rules ..... 45
    About Single Sign-On (SSO) ..... 46
    Exercise 1: Add a Resource for Secure Remote Web UI Access ..... 47
        Start the New Resource from the Application Portal ..... 51
    Exercise 2: Add an Access Rule and Apply it to a Resource ..... 53
        Create the Access Rule ..... 53
        Edit the Resource to Remove the Unnecessary Access Rule ..... 56
        Test Resource Access in the Application Portal ..... 58
    Exercise 3: Create an Outlook Web Access Resource ..... 60
        Use the OWA 2003 Resource ..... 63
    Exercise 4: Configure SSO for Outlook Web Access ..... 65
        Configure the Authentication Method for the SSO Domain ..... 69
        Use the OWA 2003 Resource with SSO ..... 70
    Exercise 5: Create a Full Network Access Tunnel Resource ..... 71
    Exercise 6: Compare Static and Dynamic Tunnel Settings ..... 74
        Configure an RDP resource with a Dynamic Tunnel ..... 74
        Configure an RDP Resource with a Static Tunnel ..... 75
        Examine the Tunnel Settings ..... 76
    Test Your Knowledge ..... 78
Use the Access Client ..... 79
    What You Will Learn ..... 79
    About the Access Client ..... 79
    Use the Access Client ..... 80
    Access Client Synchronization with the SSL Device ..... 81
    Exercise 1: Use the On-demand Access Client ..... 82
        Before You Begin ..... 82
        Launch the On-demand Access Client ..... 82
        See the Access Client Connection Status ..... 83
        Close the Access Client and Tunnel Resource ..... 83
    Exercise 2: Install the Access Client ..... 84
        Install the Access Client ..... 84
        Launch the Installed Access Client ..... 84
        Verify the Client Preferences ..... 85
    Exercise 3: Create and Use a Favorite Resource ..... 86
        Create a New Favorite ..... 86
        Start the Favorite Automatically ..... 86
        Close and Start Favorite Resources from the Access Client Menu ..... 87
        Edit or Delete Access Client Favorites ..... 87
    Test Your Knowledge ..... 88
Assessment and Abolishment ..... 89
    What You Will Learn ..... 89
    End-Point Security Features ..... 89
        Assessment ..... 89
        Abolishment ..... 90
        End-Point Integrity Client ..... 90
    Exercise 1: Create an Assessment Access Rule ..... 91
        Trigger the Assessment Access Rule ..... 96
    Exercise 2: Use Assessment to Check for Anti-Virus Software ..... 98
    Exercise 3: Create an Abolishment Access Rule ..... 102
        Trigger the Abolishment Access Rule ..... 104
    Exercise 4: Change File Types to Monitor for Abolishment ..... 106
    Test Your Knowledge ..... 107
Administration ..... 109
    What You Will Learn ..... 109
    Introduction ..... 109
    Manage your Device Configuration Files ..... 110
        Manage Recent Configuration Files ..... 110
        Export and Import a Device Configuration File ..... 111
    Update the WatchGuard SSL OS ..... 111
    Install a Signed Certificate ..... 112
    Customize the Application Portal Page ..... 113
        Branding Changes from the WatchGuard SSL Web UI ..... 113
    Exercise 1: Restore a Saved Configuration ..... 115
    Exercise 2: Export and Import the Device Configuration ..... 116
        Export the Configuration ..... 116
        Import the saved configuration file ..... 117
    Exercise 3: Customize the Application Portal Page ..... 118
        Customize the Application Portal Text and URLs ..... 118
        Customize the Application Portal Header Background Image ..... 119
    Test Your Knowledge ..... 121
Monitor the WatchGuard SSL System ..... 123
    What You Will Learn ..... 123
    Introduction ..... 123
    Exercise 1: Monitor System Status ..... 125
    Exercise 2: Monitor User Sessions ..... 129
    Exercise 3: Configure Administrative Alerts ..... 130
        Enable the Email Notification Channel ..... 130
        Add Alerts ..... 130
    Exercise 4: Monitor System Logs ..... 133
    Exercise 5: Create Reports ..... 137
    Test Your Knowledge ..... 141

Course Introduction
About the WatchGuard SSL Device Solution

Training Options
Your WatchGuard SSL device is an affordable, easy-to-use, and secure remote access device that provides reliable connectivity to your corporate data and resources. Its flexibility enables you to make your remote connectivity deployment as simple or as sophisticated as your business requires. If you use a WatchGuard SSL device, there are several training options available to you:

Getting Started Presentation
You can download and review the WatchGuard SSL Getting Started presentation. This PowerPoint presentation provides an overview of the WatchGuard SSL device solution and its features.

WatchGuard SSL Basics Training Modules
Each training module available for the WatchGuard SSL device solution focuses on a specific feature or function of configuration and management. For the most effective training path, we recommend that you complete the training modules in the order they are presented.

To get access to the available training resources, go to https://www.watchguard.com/training. You must log in to the web site to get access to all the available training resources.
For more information, including configuration steps for advanced procedures, see the WatchGuard SSL Web UI Help or the WatchGuard SSL Web UI User Guide.

Required Equipment and Software
To complete the WatchGuard SSL Basics training modules, you must have administrative access to a WatchGuard SSL device. For all modules and exercises you must have:

Computer requirements
Your computer must be a personal computer with the Microsoft Windows XP, Windows Vista, Windows Server 2003, Windows 7, or Windows 8 operating system installed. Mac OS X is also supported, but the exercises in these modules are written for computers with a Windows operating system. Supported browsers are Internet Explorer 7 to 10, Mozilla Firefox, and Google Chrome.

WatchGuard SSL device
You must have a WatchGuard SSL 100 or SSL 560 device with WatchGuard SSL OS v3.2 or later installed.

    Devices: WatchGuard SSL 100 and SSL 560
    Device OS version: WatchGuard SSL v3.2

For some of the exercises you might need:

WatchGuard SSL Access Client installer
For the Access Client module, you must have the Access Client installer. If you have a LiveSecurity Service account, you can download the Access Client Installer from the WatchGuard web site through the Software Downloads page.

Email server
In some of the exercises, you configure settings for notification. Notification messages are sent over email or SMS. You must have an email server to complete these exercises.

Active Directory server
The Authentication and Users module describes how to use an Active Directory server for authentication and user linking. You must have administrative access to an Active Directory server for these exercises.

Network resources or web-enabled software
Some exercises show how to set up access to web-enabled applications or network resources. For example, some exercises show how to set up Microsoft Outlook Web Access as a resource.
If you do not have the software specified in a particular exercise, you can try to use whatever network resources or web-enabled software you have available on your network.

Training Scenario
Throughout the WatchGuard SSL Basics training modules, we use a fictional company called Successful Company. The modules build on a story of configuring an SSL Application Portal and remote application access for Successful Company, but you can complete many of the exercises using examples from your own network, or a set of addresses and situations provided by your WatchGuard Certified Training instructor. Any resemblance between the situations described for Successful Company and a real company is purely coincidental.

Prerequisites
This course is intended for moderately experienced network administrators. A basic understanding of TCP/IP networking is required. No previous experience with network security or WatchGuard devices is required.

Certification
The WatchGuard Certified System Professional (WCSP) exam is available for all WatchGuard partners. The exam is based on the contents of this course, and we recommend that you study these training modules to prepare for the exam. If you are a WCSP, you can log in to your LiveSecurity Service account and locate the exam on the training page. For more information about how to become a WCSP, see the Technical Certification page at: http://www.watchguard.com/training/cert.asp

Additional Resources
For more information about how to install and configure your WatchGuard SSL device, see these resources:

WatchGuard SSL Web UI v3.2 Help
You can launch the Help system from the WatchGuard SSL Web UI. For more information about the features in a dialog box or application window, click the Help icon. A Help topic that describes the features you see in the Web UI, and provides links to additional information, appears in your web browser.
For the most up-to-date information, go to http://www.watchguard.com/help/documentation/ and click the WatchGuard SSL Current documentation link to launch the WatchGuard SSL Web UI v3.2 Help. You can also download the Help system for offline use.

WatchGuard SSL v3.2 User Guide
Go to http://www.watchguard.com/help/documentation/ and download the WatchGuard SSL Web UI v3.2 User Guide.

WatchGuard Online Knowledge Base
Go to http://customers.watchguard.com

Getting Started
Set up your WatchGuard SSL Device

What You Will Learn
To manage your WatchGuard SSL device, you use a Web-based user interface. In this training module you learn how to:
- Register your device and get a feature key
- Use the Quick Setup Wizard to set up a basic configuration
- Connect to WatchGuard SSL Web UI and complete initial configuration tasks
- Connect the WatchGuard SSL device to your network

Before you begin these exercises, make sure you read the Course Introduction module.

Introduction to the WatchGuard SSL Solution
Your WatchGuard SSL device is an affordable, easy-to-use, and secure remote access device that provides your users reliable connectivity to your corporate data and resources, such as email and file shares. The WatchGuard SSL 100 accommodates up to 100 concurrent users. The WatchGuard SSL 560 accommodates up to 500 concurrent users.

Components of the WatchGuard SSL solution
The WatchGuard SSL solution includes these major components:

WatchGuard SSL device
An all-in-one appliance that includes all the hardware, software, and WatchGuard servers for your solution.

WatchGuard SSL Web UI
The Web-based administration application you use to monitor your WatchGuard SSL device, add user accounts, manage access to your resources, and manage your system settings.

The WatchGuard SSL Application Portal
The web site where your users authenticate and get access to your network resources.
WatchGuard SSL Access Client
The On-demand SSL VPN client that enables access to tunnel resources in your Application Portal.

WatchGuard Mobile ID software
The software you install on the client computer or smartphone to use either the WatchGuard SSL Challenge or WatchGuard SSL Synchronized authentication methods.

Before You Begin
Before you start the installation of your WatchGuard SSL device, you must have:
- A computer with an Ethernet network interface and a web browser installed
- A WatchGuard SSL device with power cable
- An Ethernet cable

Get a WatchGuard device feature key
If you take this course with a training partner, your WatchGuard SSL device will already be registered and your training partner can provide the feature key to use during the course.

To enable all of the features on your WatchGuard SSL device, you must activate the device on the WatchGuard LiveSecurity web site and retrieve your feature key file. You can upload your feature key in the Quick Setup Wizard if you register your device before you start the wizard. Or, you can complete the wizard without a feature key. The SSL device only allows one authenticated user until you upload a feature key to the device.

To register your WatchGuard SSL device, go to https://www.watchguard.com/activate. To register your device, you must have the device serial number. We recommend that you register the device and save a copy of the feature key from the LiveSecurity web site to your computer before you start the Quick Setup Wizard.

Configuration Modes
You can configure your WatchGuard SSL device in one of two network configuration modes:

Single Interface Mode
Select this mode if you want to connect the WatchGuard SSL device to one network DMZ. In single interface mode, only the Eth0 interface is active.

Dual Interface Mode
Select this mode if you want to connect the WatchGuard SSL device to two separate networks (for example, two different DMZ networks).
In dual interface mode, both the Eth0 and Eth1 interfaces are active.

Single Interface Mode is most commonly used, and is the network configuration mode we use in the exercises in this module.

Initial Configuration Steps
To configure your WatchGuard SSL device, you complete these basic steps:
1. (Optional) Reset the SSL device to factory default settings. You may need to reset the SSL device to factory default settings before you set up your SSL device and work through the training exercises. See the optional exercise at the end of this module if you want to reset your device before you begin.
2. Run the web-based Quick Setup Wizard to configure basic network and administrative settings.
3. Connect the device to your network.
4. Log into the WatchGuard SSL Web UI to complete additional configuration steps.

About the WatchGuard SSL Web UI
The WatchGuard SSL Web UI main menu includes four sections:

Monitor System
You can use the Monitor System menu to see information about system status, user sessions, log files, reports, licenses, and alerts.

User Management
You can use the User Management menu to manage user accounts and user groups, and to configure the SSL device to use an External Directory Service.

Resource Access
You can use the Resource Access menu to create Application Portal items that give users access to applications, folders and files, and URLs.

Manage System
You can use the Manage System menu to see and manage the overall configuration of your WatchGuard SSL system.

Above the main menu there are two buttons:

Browse
Click Browse to see the files on your WatchGuard SSL device or upload a file. You use this feature for specific tasks that require you to upload a file or reference a file location on the device.

Publish
Click Publish after you make any configuration change to save the changes to the WatchGuard SSL device. The Publish button changes from white to blue when you make changes that must be saved.
Exercise 1: Reset the SSL Device to Factory Default Settings (Optional)
There are two ways to reset your WatchGuard SSL device to factory default settings:

Use the WatchGuard SSL Web UI
If you can log into the WatchGuard SSL Web UI, you can restore the device to factory default settings in the Web UI. This is the easiest method to restore the factory default settings.

Use Recovery Mode
If you cannot log into the WatchGuard SSL Web UI, you can start the device in recovery mode. When the device is in recovery mode you can reinstall the software image and restart the device with factory default settings.

Before You Begin
Before you start the recovery process, you must download a copy of the WatchGuard SSL OS onto your computer. The file has an extension of .sysa-dl. You can download the file from the WatchGuard SSL Software Downloads article located in the WatchGuard Knowledge Base. If the file you download is a zip file, you must extract the files before you start the recovery process.

Start the WatchGuard SSL Device in Recovery Mode
1. Turn the power off.
2. Press and hold the up arrow on the front panel while you turn the power on.
3. Keep the button depressed until you see the words "Executing SysB" on the LCD display.

When you see the words "Recovery Mode Ready" on the LCD display, the device is in recovery mode. In recovery mode, the Eth1 address of the device is set to 10.0.1.1.

Upload a New Software Image
You must use the command line FTP command to upload the software image. This is because many commands are disabled on the WatchGuard SSL device for security. For example, you cannot change directories (cd) or show the remote working directory (pwd). Other FTP programs rely on these commands to show you a list of files in the remote directory, and cannot operate when these commands are disabled.

Use these steps to upload a new software image to your WatchGuard SSL device.
1. Connect an Ethernet network cable between your computer and the Eth1 interface on the WatchGuard SSL device.
2. Change the IP address of your computer to 10.0.1.2 (or to another IP address on the 10.0.1.0 network).
3. Open the command line interface of your computer. To do this in Windows XP, select All Programs > Accessories > Command Prompt from the Windows Start Menu.
4. Change your local working directory to the location where you saved the .sysa_dl file.
5. At the command prompt, type: ftp 10.0.1.1
6. Type admin as the user.
7. Type admin as the password.
8. At the ftp prompt, type: bin
9. At the ftp prompt, type: put <filename>
10. For the filename, type the name of the file you downloaded from the WatchGuard Software Downloads knowledge base article.
11. Type quit to close the FTP connection and exit the program.

After the software image upload completes, the WatchGuard SSL device installs the software and resets the configuration to the default settings. When the reset process completes, the device automatically restarts.

Note: The installation and reset process can take up to 10 minutes. Do not turn off the device during this process.

Next Steps
After you restore the software image and the device restarts with factory default settings, you can use the Quick Setup Wizard to set up your configuration again.

Exercise 2: Run the Quick Setup Wizard
The Successful Company has purchased a new WatchGuard SSL device, and the administrator is ready to start the installation. In this exercise, we complete the initial installation with the Quick Setup Wizard. In the Quick Setup Wizard, you set up a network interface and administrator credentials that enable you to connect to the WatchGuard SSL Web UI for administration.

1. Configure your computer to use a static IP address on the 192.168.111.0/24 network.

Note: The default IP address of the WatchGuard SSL device is 192.168.111.1. Do not set your computer to use 192.168.111.1.
Use an Ethernet cable to connect the Ethernet interface on your computer to the Eth1 interface (labeled 1) on the WatchGuard SSL device.
3. Attach the power cord to the AC receptacle on the rear of the WatchGuard SSL device and to a power source.
4. Power on the WatchGuard SSL device.
5. Open a web browser and type: https://192.168.111.1:8443
The Quick Setup Wizard begins.
Note
Because the WatchGuard SSL device uses a self-signed certificate, you see a certificate warning in your browser. On this direct cable connection to a device you have just unboxed you can continue past the warning (Internet Explorer) or add a certificate exception (Mozilla Firefox). Do not make a habit of it: before you expose the Web UI on your network, replace the self-signed certificate with one issued by a CA your administrators' browsers trust, so that a warning on the administrator port once again means that something is wrong.
Your instructor will provide you with the information you need to configure your WatchGuard SSL device for the training environment.
6. Upload your feature key file, if you have it. If you do not upload a feature key file, only one authenticated user can get access to the device. If you do not have a feature key, you can continue with the wizard, and then upload a feature key from the Web UI after you finish the wizard.
Note
You get the feature key for your SSL device when you register it at the WatchGuard.com web site. You then save the feature key to a text file that you can upload to the device.
7. Select the Time Zone.
8. Set the current Date and Time, and specify an NTP Server. Though it is optional, we recommend that you specify an NTP Server. Accurate time stamps are important not only for log file messages, but also for the SSL handshake: certificate validity periods are checked against the device clock, so a device with the wrong time rejects valid certificates or accepts expired ones.
9. Type the Super Administrator User Name and Password. This is a local account on the SSL device. It does not correspond to any user object that exists in your organization. You can disable enforcement of the Super Administrator password policy on the Monitor System > System Status > Manage Settings page.
The Super Administrator password must be at least six characters long and must include characters from at least three of these four categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base-10 digits (0 through 9)
- Non-alphanumeric characters (for example: !, $, #, or %)
This policy is a minimum. The Super Administrator is a local account that your directory cannot protect, and it can change everything on the device, so choose a long passphrase, store it in your password vault, and do not disable the policy in production.
10. Select the Network Type. For this exercise, select Single Interface Mode. In Single Interface Mode, only the Eth0 network interface is used. If you select Dual Interface Mode, you also configure the IP Address and Subnet Mask for the Eth1 interface here.
11. Configure the network settings for the Eth0 network interface. The first four are required.
- In the IP Address text box, type the IP address to use for Eth0.
- In the Subnet Mask text box, type the subnet mask. For example, 255.255.255.0.
- In the Default Gateway text box, type the IP address of the default gateway on the Eth0 network.
- In the Primary DNS text box, type the IP address of the primary DNS server on the Eth0 network.
- (Optional) In the Secondary DNS text box, type the IP address of the secondary DNS server.
- (Optional) In the Hostname text box, type the fully qualified host name of the device. For example, ssl.mywatchguard.com or vpn.mycompany.com. The hostname must be a publicly resolvable hostname or external IP address. The Hostname setting is optional, but because it is required for some types of connections, we recommend that you specify it here.
- (Optional) In the DNS Search Order text box, type the domain names to include in DNS name searches. The order in which you type the names specifies the search order. When you add more than one domain name, separate each name with only a space. Do not add other punctuation or separation marks.
12. Finish the wizard. On the final wizard page you see:
- A summary of the configured interface settings and network type.
- The interface and IP address you must use to connect after the device reboots.

Exercise 3: Use the WatchGuard SSL Web UI to Finish Initial Setup
After the Quick Setup Wizard finishes, you can connect to the WatchGuard SSL Web UI to continue the configuration, management, and monitoring tasks.

Log in to the WatchGuard SSL Web UI
1. Connect the Eth0 network interface of the WatchGuard SSL device to your network. In Single Interface Mode, only the Eth0 interface is active.
2. Connect your computer to your network. Make sure to reset the IP address of your computer to an IP address on the network.
3. In a web browser, type https://<Eth0 IP Address>:8443. Use the IP address you configured for Eth0 in the previous exercise. 8443 is the default HTTPS Administrator Port.
4. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in. The WatchGuard SSL Web UI appears.

Upload a Feature Key
If you did not upload a feature key in the Quick Setup Wizard, you should do so now.
1. Select Monitor System > Feature Key. The Feature Key page appears. The Upload a new feature key section appears at the bottom.
2. Select Upload a new feature key.
3. Click Browse and select the feature key file.
4. Click Upload New Feature Key to replace the current feature key.
5. Click Publish to update your configuration with the feature key change.

Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.
1. True or false? You must connect your computer to Eth1 to run the Quick Setup Wizard.
2. Which of these network settings are required in the Quick Setup Wizard? (Select all that apply.)
A) Primary DNS
B) Default Gateway
C) Subnet Mask
D) Interface name
E) IP Address
3. True or false? You can complete the Quick Setup Wizard without a feature key.
4. When should you select Dual Interface Mode? (Select one.)
A) When you want to configure fail-over to a second device
B) When you want to use a dedicated interface for device management
C) When you want to give users different levels of network access
D) When you want to connect the device to more than one network
5. True or false? The WatchGuard SSL Application Portal is the Web-based administration application you use to monitor and manage your WatchGuard SSL device.

ANSWERS
1. True
2. A, B, C, E
3. True
4. D
5. False (the Application Portal is what users log in to; the WatchGuard SSL Web UI is the administration application)

Authentication and Users
Manage Authentication Methods and User Accounts

What You Will Learn
With the WatchGuard SSL Web UI you can configure and manage multiple authentication methods, manage local user accounts, and use an external directory service. In this training module you learn how to:
- Understand the five WatchGuard SSL authentication methods
- Configure Active Directory authentication with LDAP over SSL
- Configure global user account settings
- Manually add a user to the Local User Database
- Create user accounts by linking to an External Directory Service
Before you begin these exercises, make sure you read the Course Introduction module.

About Authentication
Authentication is a central part of the configuration of your WatchGuard SSL device. You configure authentication methods in the Manage System menu of the WatchGuard SSL Web UI. This module focuses on how to enable and configure the authentication methods you want to use, and how to enable one or more authentication methods for your users. You can also use authentication methods in access rules to control which authentication methods users must use to connect to network resources. You learn about access rules and network resources in the Resource Access training module.

Authentication Methods
WatchGuard SSL supports sixteen authentication methods.
There are five WatchGuard SSL authentication methods and eleven other authentication methods you can use to integrate with your existing authentication services.

WatchGuard SSL Authentication Methods
The WatchGuard SSL authentication methods use the RADIUS (Remote Authentication Dial In User Service) protocol, against the RADIUS server that runs on the WatchGuard SSL device itself. These methods are enabled on the WatchGuard SSL device by default.

WatchGuard SSL Web
You can use this method for authentication in a web browser. Users type their user names, and then a Java applet or ActiveX client is launched. The client prompts the user to type a password or PIN. The password or PIN is hashed and encrypted before it is returned to the server.

WatchGuard SSL Password
The WatchGuard SSL Password authentication method is based on static password authentication. A static password is created and maintained to authenticate remote access with a RADIUS client.

WatchGuard SSL Challenge
You can use this method for authentication in a web browser, WAP client, or with a PDA. Users type their user names, and are prompted (challenged) to provide private information (the response) before they are allowed access. The challenge-response technique is most often used with a hardware token that generates the response. In WatchGuard SSL Challenge, the Mobile ID software client generates the response. Users type their PINs in the Mobile ID client and the Mobile ID software generates a one-time password (OTP). You can install the Mobile ID client on a mobile device such as a handheld PC or a cell phone, or on a laptop or desktop computer.

WatchGuard SSL Synchronized
You can use this method for two-factor authentication in a web browser, WAP client, or with a PDA. Users type their user IDs and are prompted for a one-time password (OTP). In WatchGuard SSL Synchronized, an integrated software client (Mobile ID) generates the OTP. Users type their PINs in the Mobile ID client and the Mobile ID software generates the OTP based on the PIN and on a seed that is synchronized with the WatchGuard SSL device. The seed is different for each user. You can install the Mobile ID client on a mobile device, such as a handheld PC or a cell phone, or on your laptop or desktop computer.

WatchGuard SSL Mobile Text
This method is based on a combination of an account password and a one-time password (OTP) distributed through an SMS channel. Users type the account password on the web login page. The WatchGuard SSL device generates an OTP and sends it to the cell phone number or email address registered to that user account. The user must type the OTP to complete the authentication process. You can use the WatchGuard SSL Mobile Text authentication method on a mobile device such as a handheld PC or a cell phone, as well as on a desktop PC or Mac computer. When you select Allow Two-step Authentication in the authentication method configuration, authentication is distributed over two sessions: the server sends the OTP to the mobile phone, and then the user logs on with the OTP. Because the OTP can also be delivered by email, a user whose mailbox is protected by the same password as the account gains no real second factor; prefer SMS delivery, or at least a mailbox that is protected independently.

The WatchGuard SSL Challenge and Synchronized authentication methods use the WatchGuard SSL Mobile ID client to generate the OTP response. The Mobile ID client is available on the WatchGuard web site Software Downloads page as a separate file. You can download this file and distribute the Mobile ID client to your users to install on their mobile devices.

The five WatchGuard authentication methods also support the Self Service feature. With Self Service enabled, users can create their own accounts, reset forgotten passwords, and retrieve a forgotten user name. See the WatchGuard SSL Web UI Help or User Guide for information about how to configure Self Service.
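The Synchronized method above depends on a seed that is shared between the Mobile ID client and the device and kept in step with it. This guide does not document Mobile ID's own algorithm, so the added Python example below (not WatchGuard code) uses the standard HMAC-based one-time password, HOTP from RFC 4226, as a stand-in to show what that synchronization means in practice: client and server share a per-user seed and a counter, every generated OTP advances the client, the server accepts a code only once and only within a small look-ahead window, and the user's PIN does nothing but unlock the seed on the client (an assumption of this example, not a description of Mobile ID). The seed, PIN and window size are constructed sample values.

```python
# Added example, not WatchGuard code: HOTP (RFC 4226) as a stand-in for a
# seed-synchronized OTP client and the server that verifies it.
import hashlib
import hmac
import secrets


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(seed, 8-byte counter), dynamic truncation, `digits` decimal digits."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class MobileIdClient:
    """Client side: holds the per-user seed and its own counter; the PIN only unlocks the seed (assumption)."""

    def __init__(self, seed: bytes, pin: str):
        self._seed = seed
        self._pin = pin
        self.counter = 0

    def generate(self, pin: str) -> str:
        # Wrong PIN: no OTP. compare_digest avoids leaking the PIN through timing.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        otp = hotp(self._seed, self.counter)
        self.counter += 1  # every generated OTP advances the client, used or not
        return otp


class OtpServer:
    """Server side: one (seed, counter) per user; a code is accepted at most once."""

    def __init__(self, window: int = 5):
        self.window = window  # how many unused client OTPs are tolerated before resync fails
        self._users = {}      # user -> (seed, next expected counter)

    def enroll(self, user: str) -> bytes:
        seed = secrets.token_bytes(20)  # a fresh seed for each user, as the text requires
        self._users[user] = (seed, 0)
        return seed

    def verify(self, user: str, otp: str) -> bool:
        seed, counter = self._users[user]
        for step in range(self.window):
            if hmac.compare_digest(hotp(seed, counter + step), otp):
                # Resynchronize past the accepted counter so this code cannot be replayed.
                self._users[user] = (seed, counter + step + 1)
                return True
        return False  # not in the window: the client and server have drifted too far apart
```

The look-ahead window is the whole trade-off of a synchronized method: a window of 5 lets a user who generated a few codes without using them log in, while a user who generated more than 5 is locked out until the seed is resynchronized by an administrator; a larger window makes the second case rarer and gives an attacker who captured one code proportionally more guesses at the next one.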
Other Supported Authentication Methods
In addition to the five WatchGuard SSL authentication methods, the WatchGuard SSL device supports these authentication methods:
General RADIUS
Can be used with any RADIUS-compliant authentication server.
SecurID
Supports RSA SecurID tokens that generate a one-time password (OTP).
LDAP
This method performs an LDAP bind.
Active Directory
This method performs an LDAP bind and provides the ability to enable users to change their passwords. This is only supported with Microsoft Active Directory (AD) servers.
Novell eDirectory
This method performs an LDAP bind and provides the ability to enable users to change their passwords.
Windows Integrated Login
This method uses Windows domain credentials for authentication.
NTLM
This method uses the NTLM authentication protocol used in various Microsoft protocol implementations.
Basic
This method performs basic authentication according to RFC 2617, HTTP Authentication: Basic and Digest Access Authentication. Basic authentication sends the password base64-encoded, not encrypted, so it is only as safe as the TLS session that carries it.
User Certificate
This method uses attribute mapping. The user is authenticated only if there is an exact match between the configured User Attribute and the Certificate Attribute.
Form-Based Authentication
This method uses HTML forms that you can edit.
Confidence Online
This method uses the Confidence Online client for authentication.

Authentication Method Configuration

General Settings
For each authentication method you can configure these general settings:
Display Name
The name that appears in the Application Portal for this authentication method.
Template Name
The name of the template that defines the appearance of the Authentication Portal page when users log on with this authentication method.
Template Specification
For most authentication methods, you can click Manage Default Template Specification to customize the appearance of the Authentication Portal page.
Authentication Method Server
This is the server that provides authentication for this authentication method. For the five WatchGuard SSL authentication methods, the Authentication Method Server is the RADIUS server on the SSL device.
When you add an authentication method, the Template Name and Template Specification are automatically configured with the default settings.

RADIUS Replies
For the authentication methods that use the RADIUS protocol, the authentication method configuration includes some pre-defined RADIUS replies. The pre-defined RADIUS replies are different for each authentication method. You can add, edit, or delete RADIUS replies to customize the messages users see during authentication.

Extended Properties
Extended Properties define what happens when a user authenticates with each authentication method. The default and available Extended Properties are different for each authentication method. You can add, edit, or delete Extended Properties to customize the behavior of the authentication method you selected.

About User Management
In the User Management menu of the WatchGuard SSL Web UI you can manage user accounts and user groups, configure an External Directory Service, and enable Self Service for user accounts. The User Management menu has these options:
User Accounts
Manage user accounts and global user account settings. You can add users to the Local User Database or link to an External Directory Service, if you have one configured.
User Groups
Manage user groups. You can create user groups based on either the properties of a user account or the location of a user in the directory structure you specified. You can use user groups in Access Rules to determine which resources a user has access to in the Application Portal.
External Directory Service
Configure an External Directory Service location, such as Active Directory or LDAP, where user accounts are stored. When you use an External Directory Service, you can link user accounts to existing user accounts that are configured in the directory service.
Self Service
Configure Self Service to enable your users to activate an account, reset a forgotten password, or retrieve a forgotten user name. To configure Self Service, you must enable an External Directory Service, and you must manage the user passwords in the Local User Database. To use Self Service, your users must authenticate with one of the five WatchGuard SSL authentication methods.

Local User Accounts
Each local user account is stored in the WatchGuard SSL Local User Database. On the User Accounts page, you can use one of these methods to create user accounts:
Add User
To manually add a user account to the Local User Database, select this method.
Create User Account by Linking
Create a basic user account based on an existing user in your External Directory Service. Basic information for the user account is automatically copied from the External Directory Service and is added to the Local User Database.
Import User Account
Import user account information from a user import file. This is a text file, with column headings and a row of data for each user account, with the fields separated by commas, semicolons, or tabs. See the WatchGuard SSL Web UI Help or WatchGuard SSL User Guide for details about the User Import file.

How User Authentication Works
Authentication on the WatchGuard SSL device involves several key components that work together.
Authentication Method Server
The Authentication Method Server checks the authentication credentials when a user authenticates. You configure it when you add an Authentication Method.
For the five WatchGuard SSL authentication methods, the Authentication Method Server is a RADIUS server on the SSL device itself. For the LDAP authentication method, the External Directory Service is used as the Authentication Method Server.
Local User Database
The Local User Database is the local LDAP database on the SSL device that stores user account information. All users who authenticate to the SSL device must have a user account in the local LDAP database on the device, regardless of the authentication method used. In some cases, the local user account is automatically created during the authentication process. The Local User Database also stores the authentication credentials for the WatchGuard SSL authentication methods. It does not store the credentials for the other authentication methods.
External Directory Service
An External Directory Service can be used for linking to a user account on the WatchGuard SSL device and for searching user groups defined in the External Directory Service.

Authentication with WatchGuard SSL Authentication Methods
When a user authenticates to the WatchGuard SSL device with one of the WatchGuard SSL authentication methods (Web, Password, Challenge, Synchronized, or Mobile Text), the authentication process follows this procedure:
1. The user selects a WatchGuard SSL authentication method, and types the user account credentials.
2. The internal RADIUS server on the WatchGuard SSL device looks up the user account in the Local User Database.
3. If the user account is not linked to an External Directory Service, the credentials the user typed are compared to the credentials stored in the Local User Database. If the user account is linked to an External Directory Service, the SSL device makes a read-only connection to the External Directory Service to look up the user password.
4. If the credentials match, the user is redirected to the Application Portal page.
Authentication with non-WatchGuard Authentication Methods
When a user authenticates with one of the other supported authentication methods, the authentication process follows a slightly different procedure:
1. The user selects a supported authentication method, and types the account credentials.
2. The configured authentication server is used to check the user credentials. If the user credentials are not correct, the user authentication fails at this step.
3. If the credentials are correct, authentication succeeds and the SSL device looks for the user in the Local User Database.
- First the SSL device checks for a matching user in the Local User Database.
- If the user does not exist in the Local User Database, the SSL device searches for the user in the External Directory Service, if one is configured. If the user is found in the External Directory Service, the SSL device creates a user in the Local User Database.
- If the authentication method is configured with the Extended Property Allow user not listed in any External Directory Service set to true, a user is created in the Local User Database even if the user was not found in the External Directory Service.
4. If the user is found (or created) in the Local User Database in the previous step, the authentication process is complete and the Application Portal appears. If the user is not found, or was not created, the authentication process fails, and the user is not allowed to connect to the Application Portal.
Note
With Allow user not listed in any External Directory Service set to true, anyone the external authentication server accepts gets an account on the device, so the set of people who can reach the Application Portal becomes exactly the set of accounts on that server. Leave it false unless that is what you intend.

Exercise 1: Manually Add a User Account
The Successful Company administrator wants to create a local user account for testing on the WatchGuard SSL device. In this exercise you manually add a user to the Local User Database, and configure the user to use one of the five WatchGuard SSL authentication methods.
1. Select User Management. The Manage All User Accounts page appears, with a list of existing users.
2. Click Add User. The Add User Account page appears.
3. Type a User ID and Display Name. The User ID is the user name that users type when they authenticate. The Display Name only appears in the WatchGuard SSL Web UI, to help you distinguish one user account from another.
4. Click Next. A list of authentication methods appears.
5. Select the check box for each WatchGuard SSL authentication method to enable for this user. For this exercise, select the Enable WatchGuard SSL Password for the user account check box.
6. In the Email Address text box, type the email address for this user. In this example, the Email Address and SMS mobile phone number are not required. Type an email address or mobile phone number for SMS if you want the system to send notifications to your users about changes to their authentication credentials (password, PIN, or seed). If you select the WatchGuard SSL Mobile Text authentication method, you must type the user's mobile phone number in the SMS text box before you can continue.
7. Click Next. The WatchGuard Authentication page appears with the settings for the authentication methods you selected. Because we selected the WatchGuard SSL Password authentication method, we must specify the password and properties for that authentication method. If we had selected other authentication methods, the settings for those methods would also appear on this page.
8. In the WatchGuard SSL Password section, type and verify the password. The password must be between six and sixteen characters and must include at least two numerals. You can also select other Password Properties on this page. By default these properties are not selected.
9. From the Notification drop-down list, select By Screen. This is the method the WatchGuard SSL device uses to notify the administrator and user about changes to the user account.
The default notification method is By Screen, which displays the notification message about updated authentication credentials to the administrator in the WatchGuard SSL Web UI after you click Save. You can customize the content of the notification messages in the Global Authentication Settings. If the Email notification and SMS notification channels are enabled, you can also select these notification options:
- By Email: Send notification of updated authentication credentials to the user through email.
- By Screen and Email: Use both the By Screen and By Email notification methods.
- By SMS: Send notification of updated authentication credentials to the user through SMS.
- By Screen and SMS: Use both the By Screen and By SMS notification methods.
If you select an Email or SMS notification option, you must also configure an email address or mobile phone number in the notification settings for this user account. These notifications carry credentials (a new password, PIN, or seed), and email is not encrypted end to end, so prefer By Screen and hand the initial credential to the user through a channel you trust.
10. Click Finish Wizard. The new user account appears in the User Accounts list.

Exercise 2: Configure Active Directory with LDAP over SSL
The Successful Company wants to use their existing Active Directory server to authenticate users to the WatchGuard SSL Application Portal. In this exercise you configure Active Directory with LDAP over SSL.
Note
LDAP over SSL is also known as LDAP/S or LDAPS, and is often loosely called LDAP over TLS. It means that the LDAP connection between the LDAP client (in this case, the WatchGuard SSL device) and the LDAP server (the Active Directory server) is wrapped in TLS (Transport Layer Security): the server proves its identity with a certificate that the client validates against a trusted CA, and the LDAP traffic, including the bind password, is encrypted with one of the cipher suites the TLS protocol supports. Without the CA validation step the encryption protects you only from passive eavesdropping, not from an attacker who sits between the two and presents a certificate of his own.
To complete this exercise you must have access to a Microsoft Active Directory server that is configured to accept LDAP over SSL connections.
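To make the note above concrete, here is an added Python example (not WatchGuard code, and not how the appliance is implemented) that does by hand what the device does when it performs an LDAP bind over SSL: it encodes an LDAP version 3 simple BindRequest in BER as specified in RFC 4511, sends it inside a TLS session, and reads the resultCode from the BindResponse. The TLS context is the point of the exercise: with the exported CA file it refuses to talk to any server whose certificate does not chain to that CA and match the host name, and with ca_file=None it reproduces the training-only shortcut of skipping the CA, which accepts any certificate. The host name ad.myexample.com, the account name, the password and the CA file name are placeholders; the BindResponse bytes used to exercise the parser are constructed.

```python
# Added example, not WatchGuard code: an LDAP simple bind over TLS, with and without CA validation.
import socket
import ssl


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80|N followed by N length bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(msg_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }."""
    assert 0 < msg_id < 0x80, "a single-byte messageID is enough for this example"
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, name.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)


def read_tlv(buf: bytes, pos: int):
    """Decode the element at pos; return (tag, value bytes, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_result(msg: bytes) -> int:
    """resultCode of a BindResponse: 0 = success, 49 = invalidCredentials (RFC 4511)."""
    _, body, _ = read_tlv(msg, 0)          # LDAPMessage SEQUENCE
    _, _, pos = read_tlv(body, 0)          # messageID
    tag, resp, _ = read_tlv(body, pos)     # BindResponse [APPLICATION 1]
    if tag != 0x61:
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, code, _ = read_tlv(resp, 0)         # resultCode ENUMERATED
    return int.from_bytes(code, "big")


def tls_context(ca_file):
    """Client TLS context. With a CA file the chain and host name are verified; None is the training shortcut."""
    if ca_file is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # any certificate accepted: a man in the middle is invisible
        return ctx
    # CERT_REQUIRED, host name checked, and only the given CA trusted (no system CA store).
    return ssl.create_default_context(cafile=ca_file)


def ldaps_bind(host: str, name: str, password: str, ca_file, port: int = 636) -> int:
    """Open TLS to the AD server, send a simple bind, and return the LDAP resultCode.

    Raises ssl.SSLCertVerificationError when the server's certificate chain does not lead to ca_file.
    """
    ctx = tls_context(ca_file)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, name, password))
            return parse_bind_result(tls.recv(4096))


if __name__ == "__main__":
    # Placeholders: a dedicated read-only bind account, and the CA certificate exported from the AD server's CA.
    code = ldaps_bind("ad.myexample.com", "username@myexample.com", "password", ca_file="myexample-ca.pem")
    print("bind resultCode:", code, "(0 means the bind succeeded)")
```

Run it from a workstation before you import the CA certificate on the device: a bind that succeeds with ca_file=None but fails with the CA file tells you the certificate on the AD server was not issued by the CA you exported, and that is exactly the mismatch the appliance would silently accept if you skipped the CA import.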
Before You Begin
This exercise assumes that you have already completed these steps on your Active Directory server:
- Exported the CA certificate (the certificate of the CA itself, not the AD server's own certificate) from the Windows Certificate Server on your AD server computer.
- Enabled LDAP over SSL on your Active Directory server.
- Issued the CA certificate from the Windows Certificate Server on the Active Directory server computer. You will import this CA certificate to your SSL device in this exercise.
For details about how to complete these required steps on your Active Directory server, see the WatchGuard SSL Web UI Help or User Guide.

Configure the Active Directory Authentication Method on your SSL Device
After you have exported the certificate from your CA, enabled LDAP over SSL on your AD server, and issued the CA certificate, you can add the CA certificate to your SSL device and configure your SSL device to use Active Directory authentication.

Add a Certificate Authority to your SSL Device
If you do not have a CA certificate for your Active Directory server, you can skip the steps to add the Certificate Authority to your SSL device, for training purposes only. In a production environment we strongly recommend that you import the CA certificate. The SSL device uses it to validate the certificate presented by the LDAP/SSL server on your Active Directory server. Without the imported CA certificate, the SSL device cannot detect a man-in-the-middle attack between the SSL device and the LDAP/SSL server, and such an attacker would see every bind password the device sends.
1. Connect to the WatchGuard SSL Web UI for your device.
2. Select Manage System > Certificates. The Manage Certificates page appears.
3. Click Add Certificate Authority. The Add Certificate Authority page appears.
4. Make sure the Enable Certificate Authority check box is selected.
5. In the Display Name text box, type a name for the CA certificate. This is the name that appears on the Manage Certificates page in the Registered Certificate Authorities list.
6. Click Browse and select the CA certificate.
7. Select No certificate revocation checking should be performed. This is acceptable for the training lab. In production, choose a revocation checking option that your CA supports, so that a server certificate the CA has revoked is rejected rather than trusted until it expires.
8. Click Finish Wizard. The certificate name appears in the Registered Certificate Authorities list.

Enable the Active Directory Authentication Method
After you add the CA certificate to your device, you can add the Active Directory (AD) authentication method to your configuration to make a connection between your SSL device and your AD server. When you use an Active Directory server, you can choose from several authentication methods. Because users can change their passwords when they authenticate, we recommend that you use the Active Directory authentication method. With this method, the password policy settings you defined in Active Directory are enforced.
To configure Active Directory authentication:
1. Select Manage System > Authentication. The Authentication page appears.
2. Click Add Authentication Method. The list of authentication methods appears.
3. Select Active Directory. Click Next. Configuration settings for the Active Directory authentication method appear.
4. In the Display Name text box, type a name for this Active Directory authentication method. This is the name that appears in the Registered Authentication Methods list.
5. Click Add Authentication Method Server. The Add Authentication Method Server page appears.
6. In the Host text box, type the IP address or DNS name of your AD server. For LDAP over SSL, prefer the DNS name that appears in the AD server's certificate; that is the name the certificate vouches for.
7. If necessary, change the Port and Timeout settings. In most cases you do not need to change these settings. The standard port for LDAP over SSL is 636; plain LDAP uses 389.
8. In the Account text box, type the user name for an account on the AD server. This can be a Distinguished Name, a User Principal Name, or a NetBIOS domain name with user name. Make sure you type the user name in the correct form. For example:
- username@myexample.com
- CN=username,CN=Users,DC=myexample,DC=com
- myexample\username
9. In the Password text box, type the password for the user name you specified.
10.
In the Root DN text box, type the Root DN information for the AD server where user accounts are stored. Make sure you use the correct Root DN form. For example, dc=myexample,dc=com Authentication and Users 26 WatchGuard SSL Basics 11. Click Next. The Authentication Method Server appears in the Registered Authentication Method Servers list. 12. Click Next. The Extended Properties page appears with a default list of Registered Extended Properties. 13. Click Finish Wizard. The Active Directory authentication method appears in the Registered Authentication Methods list. 14. Click Publish to update your configuration with this change. Authentication and Users Student Guide 27 Exercise 3: Link User Accounts to the Existing AD Server The Successful Company administrator wants to reuse the existing user account information on the Active Directory server for accounts for the WatchGuard SSL device. In this exercise you configure the Active Directory server as an External Directory Service Location and then link to it to create user accounts. Add an External Directory Service Location 1. Select User Management > External Directory Service. The Manage External Directory Service page appears. 2. Click Add External Directory Service Location. The Add External Directory Service Location page appears. Microsoft Active Directory is automatically selected. Authentication and Users 28 WatchGuard SSL Basics 3. Click Next. 4. In the Display Name text box, type the name of this External Directory Service as you want it to appear in the WatchGuard SSL Web UI. In this example, we use the domain of our Active Directory Server, wgtraining.local, as the Display Name. 5. In the Host text box, type the IP address of your Active Directory server. 6. The Port is automatically set to 389. Verify that this is correct for your AD server. 7. Type the Account and Password of a user account you want the SSL device to use to contact your AD server. 
For security reasons, this should be a read-only account, not the AD administrator account. 8. Click Test Connection to test the connection to your AD server. If your configuration is correct, a Connection test is successful message appears. If the connection test fails, review the settings for your AD Server External Directory Service Location, and correct any errors in the configuration. Authentication and Users Student Guide 29 9. Click Next. The External Directory Service Location Search Rules settings appear. The WatchGuard SSL Local User Database uses search rules to match users and user groups. You must add search rules so that the users and groups can be found in the External Directory Service. When you add search rules, make sure you define them based on the directory structure of your organization and the user objects you want to use in your rules. 10. To add a User Search Rule, click Add User Search Rule. The Add User Search Rule page appears. 11. In the User Root DN text box, type the location of the user (distinguished name) on your AD server. Or, click Show Tree to select it. Note In this example, we use the Root DN. In a real deployment we recommend that you specify the container on the AD server where the users are actually located. This provides added security, and increases performance in large AD environments that have a large number of users and groups. Authentication and Users 30 WatchGuard SSL Basics 12. Click Next. The User Search Rule you added appears in the Registered User Search Rules list. 13. To add a Group Search Rule, click Add User Group Search Rule. The Add User Group Search Rule page appears. 14. In the User Root DN text box, type the location of the group on your AD server. Or, click Show Tree to select it. 15. Click Next. The Group Search Rule you added appears in the Registered User Search Rules list. 16. Click Finish Wizard. The Manage External Directory Service page appears. 
The Registered External Directory Service Locations list now includes the External Directory Service you added and shows the connection status. Make sure the status is Connected.

Link Users to the AD Server

The Successful Company has added their Active Directory server as an External Directory Service. Now they can link WatchGuard SSL users to the AD server.

1. Select User Management > User Accounts. The Manage All User Accounts page appears.
2. At the bottom of the page, click Create User Account by Linking. The Manage User Linking page appears.
3. In the User ID text box, type the user name for the user you want to add as it appears in the External Directory Service.
4. Click Link User. A message appears that says the user account information was successfully saved.
5. To create another user by linking, repeat Steps 3 and 4. The second user is saved and linked.
6. After you add all linked users, select User Accounts to return to the list of users.

When you create a user account by linking, account information is automatically populated. You can see in this example that the Display Name and Email address of the linked user account appear in the User Accounts list.

Note: If the linked user account is later moved in the External Directory Service, the link is broken between the Local User Database and the External Directory Service. On the User Accounts page, click Repair Linked User Account to detect and fix broken links.

Exercise 4: Connect to the Application Portal

In this exercise, you connect to the WatchGuard SSL Application Portal as one of the users you created in the previous exercises.

1. Open a web browser and type the address of the Application Portal domain name. You can also type the IP address of the SSL device and the Application Portal port number. For example, type https://50.50.50.106:443. A list of enabled authentication methods appears.
2. Select an authentication method. The Authentication page for that method appears.
3. Type and submit your user credentials. The Application Portal page appears.

Note: No resources will appear in your WatchGuard SSL Application Portal until you add them. We discuss how to do that in the Resource Access training module.

Exercise 5: Enable Automatic User Link Repair

If a linked user account is moved in the External Directory Service, the link is broken between the Local User Database and the External Directory Service. The Successful Company administrator wants the system to automatically repair user links, when possible. In this exercise you edit the Global User Account Settings to make this change.

1. Select User Management > User Accounts. The User Accounts page appears.
2. Click Global User Account Settings. The Manage Global User Account Settings page appears. The General Settings tab is selected by default.

On the General Settings tab, the administrator can change the default settings for user account access, WatchGuard authentication, and timeouts. The administrator reviews the settings, but does not see a need to make any changes here.

3. Select the Repair User Links tab. The Automatically Repair User Links page appears.
4. Select the Automatically repair user links check box. If a user with a broken user account link tries to connect to the SSL device, the system automatically tries to repair the user account link.
5. Click Save.

Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. Which WatchGuard SSL authentication methods require that users install the Mobile ID client to generate a one-time password? (Select two.)
A) WatchGuard SSL Web
B) WatchGuard SSL Password
C) WatchGuard SSL Challenge
D) WatchGuard SSL Synchronized
E) WatchGuard SSL Mobile Text

2. Which authentication method setting controls the appearance of the authentication page? (Select one.)
A) Authentication Server
B) Registered RADIUS Replies
C) Template Specification
D) Layout Specification
E) Extended Properties

3. Which of these tasks must you complete before you can enable Active Directory over TLS on the WatchGuard SSL device? (Select all that apply.)
A) Issue the CA Certificate from the Windows Certificate Server on the Active Directory server computer.
B) Install a Certificate Server on your WatchGuard SSL device
C) Enable LDAP over SSL on the Active Directory Server
D) Import the CA certificate to the WatchGuard SSL device

4. Which of these options are methods to add user accounts to the Local User Database? (Select all that apply.)
A) Manually add the users
B) Link to existing users in an External Directory Service
C) Import the user account information from an SQL database
D) Import the user account information from a text file

5. If a linked user account is moved in the External Directory Service, the link is broken between the Local User Database and the External Directory Service. Which of these methods could you use to repair the broken link? (Select all that apply.)
A) On the User Accounts page, select Repair linked User Account.
B) Enable Self Service so that users can fix their own broken account links.
C) In the Global User Account Settings, enable the option Automatically repair user links.
D) Edit the user account and click Link User to repair the link.

6. True or false? You must enable an External Directory Service to use the Self Service feature.

Answers
1. C, D
2. C
3. A, C, D
4. A, B, D
5. A, C, D
6. True

Resource Access

Enable Access to Network Resources

What You Will Learn

The WatchGuard SSL Application Portal enables you to give your users secure access to your network resources. In this training module you learn how to:
- Configure Web Resources and Tunnel Resources
- Define access rules to protect your resources
- Add and remove resources from the Application Portal
- Configure Single Sign-On (SSO) Domains for resources

Before you begin these exercises, make sure you read the Course Introduction module.

Introduction

The Application Portal is a web site on the WatchGuard SSL device where users can connect to your corporate applications and resources from remote locations. After a user authenticates to the Application Portal, the applications and resources available to that user appear as icons the user can select. The applications and resources that appear in the Application Portal are called Application Portal items. In this module you learn how to configure and control access to Application Portal items.

In the Resource Access section of the Web UI Main Menu, you define and manage the applications and resources available to users in your Application Portal. The Resource Access section has these left menu options:

Resources: Add, edit, and delete resources that can appear on your WatchGuard SSL Application Portal. Resources can be Tunnel Resources or Web Resources. On this page you can also manage Global Resource Settings.

Client Firewall: Add, edit, and delete client firewall configurations to control traffic between the WatchGuard Access Client and Tunnel Resources.

Access Rules: Manage Access Rules that apply to specific resources, and Global Access Rules that apply to all resources. Access Rules can include required authentication methods, group membership, date period, client IP address, client assessment, and client device.
Application Portal: Define which resources to make available to users as Application Portal items. When you add a resource, you select whether the resource is available in the Application Portal. The Application Portal page shows only the resources that are available in the Application Portal.

SSO Domains: Create SSO (Single Sign-On) domains for resources. This enables users to authenticate with their user credentials one time to get access to multiple resources in the same domain.

Resource Types

You define a resource for each network resource or application that you enable for your users. There are two types of resources: Web Resources and Tunnel Resources.

Web Resources

You can create Web Resources to give your users access to any files that you can connect to with a web browser, or applications with a web interface such as Microsoft Outlook Web Access. Users can connect to a Web Resource with just a web browser. The WatchGuard SSL Access Client is not required.

The WatchGuard SSL device includes Web Resource templates for several popular applications to help you set them up quickly. Available Web Resources include:
- Citrix MetaFrame Presentation Server
- Citrix XenApp Server
- Microsoft Active Sync
- Microsoft Outlook Mobile Access
- Microsoft Outlook Web Access 2003
- Microsoft Outlook Web Access 2007
- Microsoft Outlook Web App 2010
- Microsoft SharePoint Portal Server 2003
- Microsoft SharePoint Portal Server 2007
- Secure Remote Access to the Web UI
- Web Resource

Select the default template, Web Resource, to create a resource for access to other web-enabled applications.

Web Resource Paths

A Web Resource has a resource host, which is the HTTP or HTTPS server specified in a URL. The Web Resource may also have one or more web resource paths. A resource path is a location on a Web Resource, and defines a subset of the web server. You can configure the access rules and other settings for individual resource paths.
When you use one of the pre-defined Web Resource templates to create a resource, the Add Web Resource Wizard automatically adds and configures the required Web Resource paths for you. Both resource hosts and resource paths appear on the Web Resources tab of the Resources page.

Tunnel Resources

The Access Client is an on-demand SSL VPN client. You learn more about this client in the module Use the Access Client.

You can create a Tunnel Resource to give your users access to client-server applications, intranet sites, or network resources that are not web-enabled. To connect to Tunnel Resources, the user must use the WatchGuard SSL Access Client. You can create a file share resource to enable users to open, copy, rename, delete, upload, and download files. You can create a Full Tunnel resource to enable users to get access to a set of network resources at the IP level, similar to traditional IP VPN solutions. Examples of Tunnel Resources include Microsoft Outlook, Remote Desktop, or a Windows file share.

The WatchGuard SSL device includes Tunnel Resource templates with partial configurations for several common resource types to help you set them up quickly. Available Tunnel Resources include:
- Access to Home Directory
- Full Tunnel
- Microsoft Outlook Client 2003/2007
- Microsoft Windows File Share
- Microsoft Terminal Server 2003
- Microsoft Terminal Server 2008
- RDP Access
- SSH Access
- Tunnel Resource

Select the default template, Tunnel Resource, to create a resource for access to other applications or network resources that are not web-enabled.

Note: Tunnel resources support all TCP and UDP ports. Other protocols such as ICMP (ping), ESP, and GRE are not supported.

Static and Dynamic Tunnels

You can configure a Tunnel Resource to use either a static or dynamic tunnel. To decide whether to use a static tunnel or a dynamic tunnel, make sure you consider these factors:

- Web Resources do not use tunnels.
Instead, Web Resources open in a web browser on the user's computer, which then sends traffic to the URLs generated by the SSL device. To direct the traffic, the SSL device rewrites the URLs and sends the traffic to the correct web host.
- The operating systems on the users' computers that will use the resource.
  - Only computers that use Windows can use dynamic tunnels.
  - Any computer that has a browser and Java can use static tunnels.
- The number of IP addresses to include in the resource.
  - Use a dynamic tunnel for access to a tunnel resource with many IP addresses.
  - Use a static tunnel for access to a tunnel resource with only one IP address.
- The number of TCP or UDP ports to include in the resource.
  - A dynamic tunnel enables access to many TCP and UDP ports on the Tunnel Resource.
  - A static tunnel enables access to only one TCP or UDP port on the Tunnel Resource host.

How Static and Dynamic Tunnels Work

For both static and dynamic tunnels, the underlying mechanism is the same: the Access Client software receives the traffic that the user's computer sends over the VPN, and then sends the traffic through the loopback interface of the user's computer. The Access Client then encrypts the data and sends it to the SSL device through the physical network interface of the user's computer.

The loopback interface is not a physical interface. It is a virtual network interface that is used by the user's computer for internal communications, for diagnostics, and to send traffic to itself to be processed immediately. The most common IP address for the loopback interface is 127.0.0.1, although any address in the 127/8 network (from 127.0.0.1 to 127.255.255.254) maps to the loopback interface.

The two main differences between static and dynamic tunnels are how the traffic is translated on the user's computer and the type of Access Client that each type of tunnel can use. The user's computer can use one of two different methods to send traffic to the loopback interface.
The method is different for a resource that uses a static tunnel than for a resource that uses a dynamic tunnel.

Method for a Static Tunnel

For a static tunnel, you configure the tunnel to use a specific loopback IP address and port. When you configure a static tunnel, you must define:
- The IP address of the resource. This is the IP address of the host (computer) accessible through this static tunnel.
- The TCP or UDP port on the Tunnel Resource host that accepts the traffic.
- The IP address for the loopback interface on the user's computer. This can be any address from 127.0.0.1 to 127.255.255.254.
- The TCP or UDP port that the user's computer connects to on its loopback IP address.

When a user selects a resource that uses a static tunnel:
1. The user's computer sends the traffic to its own loopback interface.
2. The Access Client software intercepts the traffic sent to the loopback address, encrypts it, and sends it to the SSL device.
3. The SSL device decrypts the traffic and sends it to the correct destination IP address and destination port, as defined in this static tunnel.

Method for a Dynamic Tunnel

For a dynamic tunnel, the user's computer sends traffic directly to the IP address of the Tunnel Resource the user wants to reach. The Windows Access Client software can make many connections through a dynamic tunnel because the network driver it installs can dynamically translate many traffic flows at one time.

When a user selects a resource that uses a dynamic tunnel:
1. The Windows network driver installed by the Access Client intercepts the traffic.
2. The Access Client dynamically translates the traffic to the loopback interface on the user's computer, and dynamically selects a source port for the traffic.
3. The Access Client encrypts the traffic and sends it to the SSL device.
4. The SSL device decrypts the traffic and sends it to the correct destination IP address and destination port.
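The static tunnel mechanism described above (the application talks to a loopback address and port, and the Access Client picks the connection up there and carries it to the one destination host and port the tunnel was configured with) can be seen end to end in a few dozen lines. The Python below is an added example written for this guide, not WatchGuard's Access Client: it binds a listener on the loopback interface, relays every accepted connection to a fixed destination, and uses a local echo service as a constructed stand-in for the Tunnel Resource host. The leg from the client to the SSL device, which in the product is TLS-encrypted and terminated on the device, is replaced here by a direct connection so the relay logic stays visible; all function names are this example's own.

```python
import socket
import threading

# Any 127/8 address maps to the loopback interface; 127.0.0.1 is the portable choice
# (other 127.x.y.z addresses work without setup on Linux but not on every platform).
LOOPBACK_IP = "127.0.0.1"


def _relay(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src reaches EOF, then close dst's write side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(client: socket.socket, upstream: socket.socket) -> None:
    """Run both directions of one tunneled connection, then release both sockets."""
    threads = [threading.Thread(target=_relay, args=(client, upstream), daemon=True),
               threading.Thread(target=_relay, args=(upstream, client), daemon=True)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    upstream.close()


def start_static_tunnel(loopback_ip: str, loopback_port: int, dest_ip: str, dest_port: int):
    """The Access Client's side of a static tunnel: listen on loopback_ip:loopback_port and
    relay each accepted connection to the single dest_ip:dest_port the tunnel defines.
    Returns (listening_socket, bound_port); loopback_port=0 lets the OS pick a free port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((loopback_ip, loopback_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:  # listener closed: tunnel torn down
                return
            # Real client: this hop is TLS to the SSL device, which connects onward.
            upstream = socket.create_connection((dest_ip, dest_port))
            threading.Thread(target=_bridge, args=(client, upstream), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def start_echo_server(ip: str = "127.0.0.1"):
    """Constructed stand-in for the Tunnel Resource host: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((ip, 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def send_through_tunnel(loopback_ip: str, loopback_port: int, payload: bytes) -> bytes:
    """What the user's application does: it only ever talks to the loopback address."""
    with socket.create_connection((loopback_ip, loopback_port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # signal EOF so the relay chain winds down cleanly
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def demo(payload: bytes = b"constructed sample request\n") -> bytes:
    """Bring up the fake resource and a static tunnel in front of it, push one message through."""
    resource, resource_port = start_echo_server()
    listener, tunnel_port = start_static_tunnel(LOOPBACK_IP, 0, "127.0.0.1", resource_port)
    try:
        return send_through_tunnel(LOOPBACK_IP, tunnel_port, payload)
    finally:
        listener.close()
        resource.close()


if __name__ == "__main__":
    print(demo())
```

Because the listener is bound to one loopback address and port and forwards to one destination, exactly one host and one port are reachable per static tunnel, which is the limitation the factor list above attributes to static tunnels; a dynamic tunnel avoids it by intercepting traffic in a network driver rather than at a fixed loopback socket.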
When you use one of the pre-defined Tunnel Resource templates to create a resource, the Add Tunnel Resource Wizard automatically uses the required tunnel type. If a Tunnel Resource can be configured as either a static or a dynamic tunnel, the Add Tunnel Resource Wizard enables you to set the Tunnel Type to Windows (to configure the resource as a dynamic tunnel) or All Platforms (to configure the resource as a static tunnel). To see the static or dynamic tunnel settings that the Add Tunnel Resource Wizard configured, edit the Tunnel Resource and select the Tunnel Settings tab. If you use the default Tunnel Resource template, you must manually select and configure a static or dynamic tunnel.

About the Access Client

There are two versions of the WatchGuard SSL Access Client: a Windows executable client and a Java client.

Windows computers almost always use the Windows executable version of the Access Client. The Windows executable installs a Windows network driver that makes dynamic tunnels more versatile than static tunnels. Windows computers can use the Windows executable Access Client for both static and dynamic tunnels.

There are two types of the Windows executable client:
- On-demand Access Client
- Installed Access Client

The On-demand Access Client is the same executable client as the Installed Windows Access Client, but instead of installing it on your users' computers, it is loaded on Windows computers with either an ActiveX control or a Java loader when your users connect to a Tunnel Resource in the Application Portal. This enables it to be used only when needed. The Installed Access Client is software that you install on a Windows computer, just as you install any software application. For more information about the Windows executable version of the Access Client, see the Use the Access Client module.
The Java client is another version of the Access Client, and uses a Java Applet loader to run in a web browser on any operating system. The Java Access Client can only be used with static tunnels. To launch the Java Access Client, the user's computer calls a Java Applet loader from the SSL device that launches the Java client. The Java Applet stays active for the duration of the VPN session. For other computer platforms, such as Mac or Linux, you must use the Java client version of the Access Client. When you use a static tunnel, you can force all computers, including Windows computers, to use the Java version of the Access Client.

To force all computers to use the Java Access Client:
1. Select Resource Access and edit a Tunnel Resource that uses a static tunnel. The Edit Tunnel Resource page appears.
2. Select the Advanced Settings tab.
3. For the Access Client Loader setting, select Java Applet.
4. Select the Run VPN client in Java (for static tunnels only) check box. Select this option to force users to use the Java version of the Access Client.

Global Resource Settings

When you add a resource, you configure settings specific to that resource. You can also change some global settings that affect multiple resources. You can do this from the Resource Access > Resources page. There are two types of global settings you can configure for your resources:

Global Tunnel Resource Settings

Global Tunnel Resource Settings apply to all Tunnel Resources. These are connection settings for the WatchGuard SSL Access Client that is used to connect to Tunnel Resources. These settings include:
- Client IP Address Provider: Specify whether to, and how to, assign IP addresses to clients.
- DNS server: This is the server to use for DNS forwarding.
- WINS server: This is the server to use for WINS forwarding.

Global Resource Settings

Global Resource Settings apply to all Web Resources and Tunnel Resources.
Global settings are grouped into these categories:
- Internal proxy
- DNS name and DNS name pool
- Filters
- Link translation
- Client access
- Trusted gateways
- Cookies and cache control

Protect Resources with Access Rules

Access rules define the specific requirements for access control that you apply to a resource or SSO domain in WatchGuard SSL Web UI. You can add general access rules that can be applied to any resource or SSO domain, or specific access rules that you apply only to certain resources or SSO domains. You can also define Global Access Rules that are automatically applied to all resources and SSO domains.

WatchGuard SSL Web UI includes many different types of access rules that you can use alone, or combine to customize your security configuration. An access rule can contain a single rule or a combination of rules of any type. You can use these access rule types to control access to your resources:

Authentication method: Allow access only if the user authenticates with the specified authentication methods.

User group membership: Allow access only if the user belongs to the specified user group or groups.

IP address of incoming client: Allow access only if the client connects from an IP address in the specified list or range.

Client Definition: Allow access only if the client is of a specified type, for example, a particular browser version.

Day, date and/or time: Allow access only during a specified time period, date period, or on specified days of the week.

Note: Assessment and Abolishment are only supported on Windows clients. For information about Assessment and Abolishment settings, see the Assessment and Abolishment module.

Assessment: Allow access only if the client meets specified criteria. An Assessment client runs on the client computer to make sure the client computer meets the Assessment criteria you specify. For example, you could use Assessment to check whether the client has anti-virus software running.
Abolishment: Allow access only if the Abolishment client is running on the client. Abolishment is a feature that monitors the files and stored browser data on a client during a user session, and then automatically deletes the browser data and files that were downloaded or created during the user session. You can configure the types of files and browser data that Abolishment deletes when the session ends.

Custom-defined: A custom-defined access rule can be tailored to meet specific needs. It must be imported from an XML file. This type of rule is not commonly used.

About Single Sign-On (SSO)

To connect to the Application Portal, your users must first authenticate. Some applications and network resources in the Application Portal also require users to authenticate. So, after users authenticate and connect to the Application Portal, they are prompted to authenticate again each time they select a resource that requires authentication. This can be a time-consuming process that can be frustrating to your users. To enable your users to authenticate only one time and then connect to all their resources, you can use Single Sign-On.

Single Sign-On (SSO) is a session/user authentication process that allows users to authenticate with their user credentials one time to get access to multiple resources. When users authenticate with SSO, they have instant access to Application Portal items, and they do not have to authenticate again if they select a different item.

You configure WatchGuard SSL SSO domains to enable SSO for resources that require the same user credentials. The SSO domain specifies how SSO is used for the resources included in the domain. When user credentials are modified, the changes are automatically applied to all resources in the SSO domain.

When resources are configured in an SSO domain:
1. Users provide their Active Directory credentials when they authenticate to the Application Portal.
2. The Application Portal securely stores those credentials for the user account.
3. When a user selects a resource in the SSO domain, the Application Portal automatically uses the stored credentials instead of prompting the user for additional authentication to the resource.

Exercise 1: Add a Resource for Secure Remote Web UI Access

The Successful Company administrator wants the ability to monitor and manage the WatchGuard SSL device remotely. In this exercise you add a Web Resource to enable remote access to WatchGuard SSL Web UI.

1. Select Resource Access. The Resources page appears. The Resources page has two tabs, one for Tunnel Resources and one for Web Resources.
2. Click Add Resource. The Add Resource wizard starts.
3. Expand the Web Resources group.
4. Select Secure Remote Access to the Web UI. A description of the resource appears at the right side of the page.
5. Click Next. The settings for the Secure Remote Web UI Access resource appear.
6. In the General Settings section, type a Display Name and Description for this resource. The Display Name and Description only appear in the Web UI.
7. In the Special Settings section, make sure that the Enable resource check box is selected. This controls whether the resource appears in the Application Portal. The HTTP Port and HTTPS Port settings control what ports are used to connect to this resource. For the Secure Remote Web UI Access resource, do not change these settings.
8. In the Host text box, type the IP address of the WatchGuard SSL device.
9. In the Application Portal Settings section, select the icon that appears in the Application Portal for this resource:
   - To select a custom icon, click Browse.
   - To select a system icon, click Select Icon in Icon Library. The Select Icon page appears.
10. Click an icon to select it. Icon Uploaded appears in the Application Portal Settings.
11. In the Link Text text box, type the name you want to appear with the resource icon in the Application Portal.
12. Make sure the Make resource available in Application Portal check box is selected.
13. Click Next. The Access Rules configuration settings for this resource appear. The Any Authentication access rule is selected by default.
14. Click Next. A summary of the settings for this resource appears.
15. Click Finish Wizard. The new resource appears on the Web Resources tab. On the Web Resources tab you also see the default system resource Access Point, with associated Web Resource paths. This resource enables access to the Application Portal Authentication and Welcome pages. You cannot delete this default Web Resource.
16. Click Publish to update your configuration with the change and make this resource available in the Application Portal.

Start the New Resource from the Application Portal

If you have already created a user and an authentication method, you can authenticate to the Application Portal to see the new resource.

1. Open a web browser and type https://<IP address of your Application Portal> to go to the Application Portal authentication page.
2. Select an authentication method. If a web browser security certificate warning appears, you can safely bypass the warning and continue.
3. Type the user authentication credentials. The WatchGuard SSL Application Portal appears, with the resource you configured.
4. Click the resource icon. The WatchGuard SSL Web UI login page appears.

The WatchGuard SSL Web UI resource enables the authenticated user to get to the WatchGuard SSL Web UI log in page, but the user must still know the administrative credentials to log in and use the Web UI.
Exercise 2: Add an Access Rule and Apply it to a Resource

The Successful Company administrator wants the Secure Remote Web UI Access resource to be available only for users who authenticate with the WatchGuard SSL Web authentication method. In this exercise you create an authentication method access rule and apply this access rule to the Secure Remote Web UI Access resource.

Note: You can modify this exercise to create an access rule that uses any enabled authentication method.

Create the Access Rule

1. Select Resource Access > Access Rules. The Manage Access Rules page appears.
2. Click Add Access Rule. The first page of the Add Access Rule wizard appears.
3. Type a Display Name for this access rule. Click Next. The list of access rule types appears.
4. Select Authentication method. Click Next. The list of configured authentication methods appears.
5. In the Available Authentication Methods list, select WatchGuard SSL Web. Click Add. WatchGuard SSL Web is moved to the Selected Authentication Methods list.
6. Click Next. A summary page appears with the access rules you have added to this rule.
7. Click Next. The rule you added appears in the Allow user access when list. You can add other rules to this access rule before you continue. You can combine different types of rules in the same access rule. For this exercise, we only need to include one rule.
8. Click Next. A list of resources that you can apply this rule to appears.
9. In the Available Resources list, select Web UI Access. Click Add. The resource is moved to the Selected Resources list.
10. Click Next. The Summary page appears.
11. Click Finish Wizard. The access rule is saved and is applied to the Secure Remote Web UI Access resource.
12. Click Publish to update your configuration with this change.
This rule enables only those users who authenticate with the WatchGuard SSL Web Authentication method to get access to this resource. If a user selects a different authentication method, this resource is not available in the Application Portal for that user.

Edit the Resource to Remove the Unnecessary Access Rule

When you apply a new access rule to a resource, the new access rule is added to any existing access rules that were already configured for the resource. In some cases, you need to remove the existing access rule, because it conflicts with the new one. In this example, because the added access rule (require WatchGuard SSL Web authentication) is more specific than the existing access rule (Any authentication), you do not need to remove the old access rule. To make sure the access rules work as you expect, it is a good idea to remove any unnecessary access rules from your resources.

To edit the resource and remove the unnecessary access rule:
1. Select Resource Access in the top menu. The Resources page appears.
2. Select the Web Resources tab. The Web UI Access resource now has multiple authentication access rules applied.
3. Click the Web UI Access resource to edit it. The Edit Web Resource Host page appears.
4. Select the Access Rules tab. The Selected Access Rules list includes two authentication methods. Because we only want to allow access by users who authenticate with the SSL Web Authentication method, we need to remove the Any Authentication rule.
5. In the Selected Access Rules list, select Any Authentication. Click Remove. The Any Authentication access rule is moved to the Available Access Rules list.
6. Click Save to update this resource.
7. Click Publish to update your configuration with this change.

Test Resource Access in the Application Portal

First, verify that this resource is not available to users who do not use the WatchGuard SSL Web authentication method.

1. Open a web browser and type https://<IP address of your Application Portal> to go to the Application Portal authentication page.
2. Select the WatchGuard SSL Password authentication method. Or, select any authentication method other than WatchGuard SSL Web.
3. Type the user authentication credentials. The WatchGuard SSL Application Portal appears, but the Admin Web UI resource is not visible.

Next, you can verify that the resource is available to users who use the WatchGuard SSL Web authentication method. To do this, you must enable the WatchGuard SSL Web authentication method for a user account. Then use that user account to log in to the Application Portal.

1. Select User Management > User Accounts. The Manage All user accounts page appears.
2. Select a user account. The Edit User Account page appears.
3. Select the WatchGuard Authentication tab. WatchGuard Authentication Methods settings appear.
4. Select the Enable WatchGuard SSL Web for the user account check box. The settings for the WatchGuard SSL Web authentication method appear.
5. Type and verify the Password. For example, type Password123.
6. Click Save. The user account is updated.

Now you can use the WatchGuard SSL Web authentication method to log in to the Application Portal as this user and verify that the user can see the Admin Web UI resource.

1. Open a web browser and type https://<IP address of your Application Portal> to go to the Application Portal authentication page.
2. Select the WatchGuard SSL Web authentication method. The WatchGuard SSL Web authentication page appears.
3. Type the User Name of the user who has WatchGuard SSL Web authentication enabled. Click Submit. The WatchGuard SSL Web authentication keypad appears.

Note: When you use the WatchGuard SSL Web authentication method, if the user password contains letters and numbers, the user must use the keyboard to type the letters and the on-screen keypad to select the numbers.

4. Use your keyboard and the on-screen keypad to type the numbers. For this example, type Password on the keyboard and then click the numbers 1, 2, and 3 on the on-screen keypad.
5. Press Enter. The WatchGuard SSL Application Portal appears, and the Admin Web UI resource is now visible.

Exercise 3: Create an Outlook Web Access Resource

The Successful Company wants to allow users to connect to their email remotely through the Application Portal. In this exercise you add a Microsoft Outlook Web Access resource to the Application Portal.

Note: To complete this exercise, you must have a Microsoft Exchange Server with Outlook Web Access enabled.

1. Select Resource Access. The Resources page appears.
2. Click Add Resource. The Add Resource wizard starts.
3. Expand the Web Resources group. The list of available Web Resources appears.
4. Select Microsoft Outlook Web Access 2003. Click Next. The Add Resource page appears.
5. In the General Settings section, type a Display Name and Description for this resource. The Display Name and Description only appear in the Web UI.
6. Make sure that the Enable resource check box is selected. This controls whether the resource appears in the Application Portal.
7. In the Host text box, type the valid DNS name or IP address of the email server for this resource.
8. Click Select Icon in Icon Library and select the icon that appears in the Application Portal for this resource.
9. In the Link Text text box, type the text that appears in the Application Portal for this resource.
10. Click Next. The Access Rules configuration settings for this resource appear. The Any Authentication access rule is selected by default.
11. Click Next. A summary of the settings for this resource appears.
12. Click Finish Wizard. The resource is added to the Web Resources list.
The Add Resource wizard automatically added three Web Resource paths for the OWA 2003 resource. Each resource path describes a location on the Microsoft Exchange Server that is accessible from this Web Resource. 13. Click Publish to update your configuration with this change and make this resource available in the Application Portal. Use the OWA 2003 Resource Connect to the Application Portal and authenticate with an Active Directory authentication method. 1. Open a web browser and type https://<IP address of your Application Portal> to go to the Application Portal authentication page. For example, type ht t ps: / / 50. 50. 50. 106. A list of authentication methods appears. 2. Select the Active Directory authentication method. Resource Access 64 WatchGuard SSL Basics 3. Type the authentication credentials. Click Submit. The Application Portal page appears. 4. Click the OWA 2003 resource. An additional authentication page appears for the user to log in to OWA. The User Name appears automatically. 5. In the Password text box, type the Active Directory password for this user. 6. In the Domain text box, type the domain. For example, type wgtraining. 7. Click Submit. Microsoft Outlook Web Access appears. In this example, the user had to log in twice, and had to type the domain. In the next exercise we use Single Sign-On so the user does not have to authenticate twice. Resource Access Student Guide 65 Exercise 4: Configure SSO for Outlook Web Access The Successful Company uses an Active Directory server to store user credentials for authentication with the Application Portal and for Outlook Web Access. The administrator wants to avoid the need for users to type in their password and domain when they connect to the OWA 2003 resource from the Application Portal. In this exercise you configure an SSO Domain to avoid the need for authenticated users to type their credentials a second time when they launch the OWA 2003 resource. 
In this exercise, we set up SSO for Outlook Web Access basic authentication. You can also configure SSO for Outlook Web Access form-based authentication. For information, see the WatchGuard SSL Web UI Help or User Guide.

1. Select Resource Access > SSO Domains. The Manage SSO Domains page appears.
2. Click Add SSO Domain. The first page of the Add SSO Domain wizard appears.
3. Type a Display Name.
4. Do not change the default SSO Restrictions settings. SSO restrictions control how long the SSO credentials are stored.
   - If you select Cache on session only, SSO credentials are kept in memory only during the user session.
   - If you do not select this option, SSO credentials are stored in the user account for a period of time determined by the User Inactivity and Absolute Time Limit settings.
5. Click Next. The Domain Attributes page appears. The User name and Password domain attributes are registered by default. You must add a third attribute for the domain information.
6. Click Add Domain Attribute. The Add Domain Attribute page appears.
7. From the Referenced By drop-down list, select Static.
8. In the Attribute Value text box, type the domain where your Active Directory Server and Microsoft Exchange Server reside.
9. Click Next. The Domain attribute is added to the Registered Domain Attributes list.
10. Click Next. The Apply SSO Domains To Resources page appears.
11. To select which resources use this SSO domain, click Apply SSO Domains To Resources. The Select SSO Type page appears.
12. From the SSO Type drop-down list, select Text. This is the default value.
13. From the Available Resources list, select OWA 2003. Click Add >. The resource is moved to the Selected Resources list.
14. Click Add at the bottom of the page to add your selected resources to this SSO domain.
15. Click Next. The Summary page appears.
16. Click Finish Wizard. The SSO domain is added.
17. Click Publish to update your configuration with this change.

Note: If the Application Portal has other resources that all use the same Active Directory server for authentication, the administrator can add those additional applications to the same SSO domain so that the user must only authenticate once to get access to all applications in the SSO domain.

Configure the Authentication Method for the SSO Domain

For the last step, you must edit the Active Directory authentication method so that it saves user credentials for this SSO domain.

1. Select Manage System. The Authentication page appears.
2. In the Registered Authentication Methods list, select the Active Directory authentication method. The Edit Authentication Method page appears.
3. Select the Extended Properties tab. The Extended Properties for this authentication method appear.
4. Click Add Extended Property. The Add Extended Property page appears.
5. From the Key drop-down list, select Save credentials for SSO domain.
6. In the Value text box, type the name of the SSO domain you just created.
7. Click Add. The Extended Property appears in the Registered Extended Properties list.
8. Click Save.
9. Click Publish to update your configuration with this change.

Use the OWA 2003 Resource with SSO

With SSO configured, after a user authenticates to the Application Portal with the Active Directory authentication method, the user can start the OWA 2003 resource without additional authentication.

1. Open a web browser and type https://<IP address of your Application Portal> to go to the Application Portal authentication page. For example, type https://50.50.50.106. A list of authentication methods appears.
2. Select Active Directory.
3. Type the authentication credentials. Click Submit. The Application Portal page appears.
4. Click OWA 2003. Microsoft Outlook Web Access appears.
Exercise 5: Create a Full Network Access Tunnel Resource

Successful Company wants to enable remote users to get access to all network resources when they are not physically in the office. In this exercise, you set up a Full Network Access Tunnel Resource.

1. Select Resource Access > Resources.
2. Click Add Resource. The Add Resource page appears.
3. Expand the Tunnel Resources list.
4. Select Full Tunnel.
5. Click Next. The settings for the Full Tunnel resource appear.
6. Type a Display Name and Description for this resource. The Display Name and Description only appear in the Web UI.
7. Make sure that the Enable resource check box is selected. This is enabled by default.
8. From the Tunnel Mode drop-down list, select Network Range to use a range of IP addresses for this resource. This is the default setting.
9. In the IP Range text boxes, type the range of IP addresses to which you want to enable access. For example, to enable access to all IP addresses on the 192.168.54.0/24 network, type 192.168.54.1 and 192.168.54.254.
10. To restrict access to TCP and UDP ports, edit the TCP Port Set and UDP Port Set. The default settings for a Full Tunnel resource enable access to all TCP and UDP ports.
11. Select an Icon and Link Text for this resource.
12. Click Next. The Access Rules settings for this resource appear.
13. To use the default Any Authentication access rule, click Next. The Summary page appears.
14. Click Finish Wizard. The Full Tunnel resource is added to the Tunnel Resources list.

To use this resource, authenticate to the Application Portal as any user. Because this is a Tunnel Resource, the Access Client is automatically installed the first time a user starts the resource. For more information about the Access Client, see the Use the Access Client module.
Exercise 6: Compare Static and Dynamic Tunnel Settings

If a resource has a single IP address and uses a single port, you can configure it to use either a dynamic tunnel or a static tunnel. In this exercise you use the Add Tunnel Resource Wizard to configure an RDP resource, first with a dynamic tunnel, and then with a static tunnel. Then you compare the settings the wizard creates for these two resources.

Note: For this exercise, you can use any IP address because you will not actually connect to the resource. The purpose of this exercise is to compare the settings for a static tunnel and a dynamic tunnel.

Configure an RDP Resource with a Dynamic Tunnel

1. Select Resource Access > Resources.
2. Click Add Resource.
3. From the Tunnel Resources list, select RDP Access. Click Next.
4. In the Display Name text box, type a name for this resource. For example, Dynamic RDP Access.
5. In the IP address text box, type the IP address for this resource. This can be any IP address for the purpose of this exercise.
6. Make sure the Tunnel Type is set to Windows Platform. This setting configures this resource as a dynamic tunnel.
7. Select an Icon and type the Link Text.
8. Click Next. The Access Rules for this resource appear.
9. Click Next to use the default access rule. The Summary page appears.
10. Click Finish Wizard. The Tunnel Resource is added.

Configure an RDP Resource with a Static Tunnel

Now we create another resource to the same IP address, but this time configure it with a static tunnel.

1. Select Resource Access > Resources.
2. Click Add Resource.
3. From the Tunnel Resources list, select RDP Access. Click Next.
4. In the Display Name text box, type a display name for this resource. For example, Static RDP Access.
5. In the IP Address text box, type the same IP address for this resource that you used for the RDP resource with a dynamic tunnel.
6. From the Tunnel Type drop-down list, select All Platform. This setting configures this resource with a static tunnel.
7. Select an Icon and type the Link Text.
8. Click Next. The Access Rules for this resource appear.
9. Click Next to use the default access rule. The Summary page appears.
10. Click Finish Wizard. The Tunnel Resource is added.

Examine the Tunnel Settings

1. On the Resources page, click the Display Name of the resource with the dynamic tunnel. For example, Dynamic RDP Access. The Tunnel Resource settings page appears.
2. Select the Tunnel Settings tab. The Tunnel Resource has one Registered Dynamic Tunnel.

The settings for this resource with a dynamic tunnel include:
- Resource IP Address: The IP address of the host accessible through this tunnel.
- TCP Port Set: The TCP ports of the host accessible through this tunnel.
- UDP Port Set: The UDP ports of the host accessible through this tunnel.
- Confirm connections: This setting determines whether users are prompted to accept or deny the connection to this resource.

When a remote Windows computer connects to this resource:
- The Windows network driver installed by the Access Client intercepts this traffic.
- The Access Client dynamically translates this traffic to the computer's loopback interface. It dynamically selects a source port for the traffic.
- The Access Client encrypts the traffic and sends it to the SSL device.
- The SSL device decrypts the traffic and sends it to the correct destination IP address and destination port, in this example, 192.168.50.100:3389.

Now, we can compare the configuration of this resource to the other Tunnel Resource that was configured with a static tunnel.

1. On the Resources page, click the Display Name of the resource with the static tunnel. For example, Static RDP Access. The Tunnel Resource Settings page appears.
2. Select the Tunnel Settings tab. The Tunnel Resource has one Registered Static Tunnel.

The settings for this resource with a static tunnel include:
- Resource IP Address: The IP address of the one host accessible through this tunnel.
- Resource Port: The TCP or UDP port on the Tunnel Resource host that accepts the traffic.
- Protocol: The type of port (TCP or UDP) to use for the Resource Port and Client Port.
- Client IP Address: The IP address for the remote client's loopback interface. This can be any address from 127.0.0.1 to 127.255.255.254.
- Client Port: The TCP or UDP port that the client connects to on its loopback IP address.

When a remote computer connects to this resource:
- The traffic is sent to the loopback interface specified in the Client IP Address and Client Port (in this example 127.0.0.1:13389).
- The Access Client intercepts the traffic sent to the loopback interface and port, encrypts it, and sends it to the SSL device.
- The SSL device decrypts the traffic and sends it to the correct destination IP address and destination port, as defined in this static tunnel (in this example, 192.168.50.100:3389).

Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. Which of these options are examples of Web Resources? (Select all that apply.)
   A) Microsoft Outlook Web Access 2003
   B) Full Tunnel
   C) Secure Remote Access to the Web UI
   D) Microsoft Windows File Share
   E) Access to a company Intranet web site
2. True or false? A single access rule can combine rules for authentication, assessment, and user group membership.
3. What example best describes what you can do with an access rule? (Select one.)
   A) Assign the access rule to a user to control the user's access level.
   B) Assign the access rule to a resource to control requirements for user access to the resource.
   C) Assign the access rule to an SSO domain to control which applications can be accessed in that domain.
4. True or false? WatchGuard SSL SSO domains are configured to enable SSO for resources that use the same user credentials.
5. True or false? If a resource is configured to use an access rule that requires the WatchGuard SSL Password authentication method, the resource is still visible in the Application Portal to all users. But, a user who uses another method to authenticate must authenticate again to use the resource.

ANSWERS
1. A, C, E
2. True
3. B
4. True
5. False. The resource is only visible in the Application Portal to users who use the authentication method specified in the access rule for that resource.

Use the Access Client

Install and use the WatchGuard SSL Access Client

What You Will Learn

The WatchGuard SSL Access Client enables you to securely connect to resources you make available to your users in the WatchGuard SSL Application Portal. In this training module you learn how to:
- Use the On-demand Access Client
- Install the Access Client
- Use the Access Client to connect to a Tunnel Resource
- Configure the Access Client to start automatically when Windows starts

Before you begin these exercises, make sure you read the Course Introduction module.

About the Access Client

The WatchGuard SSL Access Client enables you to securely connect to Tunnel Resources in the WatchGuard SSL Application Portal. The Access Client is not required to connect to a Web Resource. There are two versions of the WatchGuard SSL Access Client: a Windows executable client and a Java client. Windows computers almost always use the Windows executable version of the Access Client. The Windows executable installs a Windows network driver that makes dynamic tunnels more versatile than static tunnels. Windows computers can use the Windows executable Access Client for both static and dynamic tunnels.
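The tunnel comparison in Exercise 6 and the remark above about the Windows network driver can be made concrete with a small model. The following is an added example written for this guide, not WatchGuard's Access Client or SSL device software: it models a static tunnel as a fixed mapping from a loopback listener (Client IP Address and Client Port) to one Resource IP Address and Resource Port, and a dynamic tunnel as transparent interception of traffic to the Resource IP Address on the configured TCP and UDP Port Sets. The class and function names, the ephemeral source-port range and the demo values are assumptions; the addresses 192.168.50.100:3389 and 127.0.0.1:13389 are the ones the exercise uses.

```python
"""Model of static vs dynamic tunnel handling (illustrative, not WatchGuard
code). The dataclass and function names are assumptions made for this example."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import count
from typing import Dict, FrozenSet, Iterable, Optional, Union


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int
    proto: str = "tcp"  # "tcp" or "udp"

    def __str__(self) -> str:
        return f"{self.ip}:{self.port}/{self.proto}"


@dataclass(frozen=True)
class StaticTunnel:
    """One host, one port; usable by both the Windows and the Java client."""
    resource: Endpoint  # Resource IP Address, Resource Port, Protocol
    client: Endpoint    # Client IP Address, Client Port (same Protocol)

    def __post_init__(self) -> None:
        octets = [int(o) for o in self.client.ip.split(".")]
        # Client IP Address must lie in 127.0.0.1 - 127.255.255.254.
        if len(octets) != 4 or octets[0] != 127 or octets in ([127, 0, 0, 0], [127, 255, 255, 255]):
            raise ValueError("Client IP Address must be a loopback address")
        if self.client.proto != self.resource.proto:
            raise ValueError("Protocol applies to both Resource Port and Client Port")


@dataclass(frozen=True)
class DynamicTunnel:
    """Windows only: relies on the network driver the Access Client installs."""
    resource_ip: str
    tcp_port_set: FrozenSet[int]
    udp_port_set: FrozenSet[int]

    def covers(self, dst: Endpoint) -> bool:
        ports = self.tcp_port_set if dst.proto == "tcp" else self.udp_port_set
        return dst.ip == self.resource_ip and dst.port in ports


Tunnel = Union[StaticTunnel, DynamicTunnel]
_source_ports = count(49152)  # assumed: driver picks a fresh source port per flow


def route(tunnels: Iterable[Tunnel], dst: Endpoint) -> Optional[Endpoint]:
    """Access Client side: the destination the SSL device will deliver to, given
    the address an application on the remote computer connected to.
    None means no tunnel carries this traffic."""
    for t in tunnels:
        if isinstance(t, StaticTunnel):
            if dst == t.client:       # the app was pointed at the loopback listener
                return t.resource
        elif t.covers(dst):           # the driver intercepted a real destination
            next(_source_ports)
            return dst
    return None


def device_allows(tunnels: Iterable[Tunnel], inner_dst: Endpoint) -> bool:
    """SSL device side: forward only to what the published tunnel defines,
    never to an arbitrary destination named inside the decrypted traffic."""
    for t in tunnels:
        if isinstance(t, StaticTunnel) and inner_dst == t.resource:
            return True
        if isinstance(t, DynamicTunnel) and t.covers(inner_dst):
            return True
    return False


def demo() -> Dict[str, Optional[str]]:
    """Exercise 6 values: RDP host 192.168.50.100:3389, loopback 127.0.0.1:13389."""
    rdp = Endpoint("192.168.50.100", 3389)
    static = StaticTunnel(resource=rdp, client=Endpoint("127.0.0.1", 13389))
    dynamic = DynamicTunnel("192.168.50.100", frozenset({3389}), frozenset())
    out = {
        "static_loopback": route([static], Endpoint("127.0.0.1", 13389)),
        "static_direct": route([static], rdp),    # not intercepted: app must use loopback
        "dynamic_direct": route([dynamic], rdp),  # intercepted transparently
        "dynamic_smb": route([dynamic], Endpoint("192.168.50.100", 445)),  # not in port set
    }
    return {k: (str(v) if v is not None else None) for k, v in out.items()}


if __name__ == "__main__":
    for name, dest in demo().items():
        print(f"{name:16} -> {dest}")
```

The two `route` branches are the practical difference the exercise is showing: with a static tunnel the RDP client has to be pointed at 127.0.0.1:13389, while with a dynamic tunnel it can be pointed at 192.168.50.100 directly because the driver intercepts the flow. `device_allows` is the check a practitioner should expect on the device side: only destinations the published tunnel resource defines are reachable, so a narrow TCP Port Set on a dynamic tunnel or a single Resource Port on a static tunnel really does limit exposure.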
The Java client is another version of the Access Client, and uses a Java Applet loader to run in a web browser on any operating system. The Java Access Client can only be used with static tunnels. To launch the Java Access Client, the user's computer calls a Java Applet loader from the SSL device that launches the Java client. The Java Applet stays active for the duration of the VPN session. For other computer platforms, such as Mac or Linux, you must use the Java client version of the Access Client.

In this training module, we use the Windows executable version of the Access Client. There are two types of the Windows executable version of the Access Client:
- On-demand Access Client
- Installed Access Client

On-demand Access Client

When you authenticate to the Application Portal and select a resource other than a Web Resource, the On-demand Access Client launches to load the tunnel. When your session ends, the On-demand Access Client closes. The client software is not installed on your computer; instead, it is loaded on Windows computers with either an ActiveX control or a Java loader when your users connect to a Tunnel Resource in the Application Portal. This enables it to be used only when needed.

Installed Access Client

Optionally, you can install the Access Client on your users' computers, just as you install any software application. You can configure the Installed Access Client to automatically start when Windows starts, and to automatically connect to resources.

To decide whether to use the On-demand Access Client or the Installed Access Client, you must consider the advantages of each client. The On-demand Access Client is the simplest to use and manage, but the Installed Access Client provides more configuration options.

Advantages of the On-demand Access Client
- Simplest to use. The client automatically downloads and starts when a user selects a Tunnel Resource in the Application Portal.
- No installation or local client configuration is required.
- Users always use the most current resource definitions, because they must use the Application Portal to start a resource.

Advantages of the Installed Access Client
- Users can save and start favorite resources from the Access Client, instead of the Application Portal.
- You can configure the Installed Access Client to automatically start when Windows starts.
- You can configure the client to enable users to launch a resource directly from a browser or from the Windows Start menu. To do this you must register the essp protocol handler. For more information, see the WatchGuard SSL Online Help or User Guide.

Use the Access Client

When the WatchGuard Access Client is started, click the Access Client icon in the Windows system tray to see the Access Client menu, which includes these options:
- Preferences: Configure client preferences. These settings mostly apply to the Installed Access Client. From the Access Client Preferences dialog box, you can configure the client update server, enable the Access Client to start automatically when you start Windows, define trusted Access Points and commands, change diagnostic logging settings, and configure settings and favorites synchronization.
- History: When a tunnel is loaded successfully, the details of the tunnel configuration are automatically saved in the History. This allows you to easily open a recently accessed tunnel resource. The History menu can contain a maximum of 15 items.
- Favorites: Save and manage favorite Application Portal resources. After you add favorite resources, you can select the resource from the Favorites menu to start the resource. Administrators can also add favorites on the SSL device that are synchronized to the Access Client.
- Status: See the status of your SSL connection.
- About: See the Access Client version and copyright information.
- Close Tunnels: Close the connection to a Tunnel Resource.
- Exit: Close the Access Client. The connections to all Tunnel Resources are also closed.
Access Client Synchronization with the SSL Device

You can synchronize your Access Client preferences, history, and favorites to the SSL device. There are two methods to synchronize your client settings: automatic and manual.
- Automatic: Automatically synchronize when you start an SSL tunnel and when you make any changes to your settings or favorites while connected to the tunnel. By default, automatic client synchronization is disabled.
- Manual: Immediately perform a manual synchronization with the SSL device while connected to the tunnel. If you are not connected, a pop-up authentication dialog appears, and the client synchronizes to the SSL device after successful authentication.

Exercise 1: Use the On-demand Access Client

The Successful Company has installed the WatchGuard SSL device and has configured some Tunnel Resources in the Application Portal. In this exercise, you connect to the Application Portal and automatically launch the On-demand Access Client to start the tunnel to that resource.

Before You Begin

You must define at least one Tunnel Resource in your Application Portal. For instructions, see the exercises in the Resource Access training module.

Launch the On-demand Access Client

1. Open a web browser and type the address of the Application Portal domain name. Or, you can type the IP address of the SSL device and the Application Portal port number. For example:
   https://ap.example.com
   https://<IP address of the SSL device>:<port number>
   https://50.50.50.106:443

Note: Because the WatchGuard SSL device uses a self-signed certificate, a security warning appears. It is safe to ignore the warning (Internet Explorer) or add a certificate exception (Mozilla Firefox). For information about how to replace the self-signed certificate and avoid this warning, see the Administration module.

2. Use a configured authentication method to authenticate to the Application Portal. The WatchGuard SSL Application Portal page appears with icons for the resources you can access.
3. Click a Tunnel Resource icon. For example, click the Full Tunnel Access 1 resource icon. For more information about how to create a Full Tunnel resource, see the Resource Access module. The Application Portal automatically downloads and launches the Access Client to create a connection to the Tunnel Resource. Actions associated with this resource, such as Assessment, also occur at this time.
4. If this is the first time you selected a Tunnel Resource, the web browser prompts you to download either a Java Applet loader (Firefox) or an ActiveX control (Internet Explorer). Accept the download to get the Access Client software that enables you to use the Tunnel Resource. The Access Client is loaded and the Access Client icon appears in the Windows system tray.

See the Access Client Connection Status

After the Access Client has started, you can see the connection status and statistics.

1. Click the Access Client icon in the Windows system tray. The Access Client menu appears.
2. Click Status. The Access Client Status dialog box appears.

To see a brief status, you can also move the mouse pointer over the Access Client icon in the Windows system tray.

Close the Access Client and Tunnel Resource

1. Click the Access Client icon in the Windows system tray.
2. To close all tunnels and close the Access Client, select Exit.

Exercise 2: Install the Access Client

The Successful Company has some remote users who always use the SSL VPN. To help streamline VPN access for these users, the administrator wants to install the Access Client on the users' computers. In this exercise you install the Access Client on a user's workstation. To do this exercise, you must have the Access Client installer for your Windows version.
Access Client installer files for Windows 32-bit and Windows 64-bit are available on the WatchGuard software center at: www.watchguard.com/archive/softwarecenter.asp

For this example, we use the WatchGuard SSL Access Client Installer for Win32 installation file, wgssl31aci_win32.exe.

Install the Access Client

1. Connect to a Tunnel Resource in the Application Portal, as described in Exercise 1. The On-demand Access Client starts. This automatically captures some of the configuration information necessary for client installation.
2. Run the wgssl31aci_win32.exe file. A security warning appears. You can safely ignore this warning.
3. Click Run to continue the installation.
4. On the License Agreement page, review and accept the License Agreement.
5. On the Select Destination Location page, select a location to install the Access Client. The default location is C:\Program Files\WatchGuard\SSL\Access Client. We recommend you use the default location.
6. On the last page of the wizard, click Finish.

Launch the Installed Access Client

Select Start > Programs > WatchGuard SSL > Access Client > WatchGuard Access Client. Or, click the WatchGuard Access Client shortcut on the Windows desktop.

After the administrator installs the Access Client, the WatchGuard Access Client Helper Service enables a user without administrative rights to use the Access Client on this computer.

Verify the Client Preferences

After you launch the Installed Access Client, verify the client update settings so that the Access Client can automatically check for and download client updates when they are available.

1. Click the Access Client icon in the Windows system tray.
2. Select Preferences. The Access Client Preferences dialog box appears.
3. Verify that the Update server is set to the URL or IP address of your WatchGuard SSL device. This is automatically set the first time the Access Client connects to a resource. If you did not connect to a Tunnel Resource in the Application Portal at least once before you installed the Access Client, you must manually add the address of your Application Portal. If the Update server text box is empty, type the address of the WatchGuard SSL Application Portal. Do not include https://.
4. To automatically launch the Access Client when Windows starts, select the Launch Access Client on startup check box. The Access Client is added to the Windows Startup folder.
5. Click OK.

Exercise 3: Create and Use a Favorite Resource

The Successful Company has created a Full Tunnel resource that gives full access to their local network. The administrator wants to create this as a local favorite on the client so remote users can quickly access the full local network, but not have to connect to the Application Portal. See the Resource Access module for an exercise to create a Full Tunnel network resource.

Create a New Favorite

1. Authenticate to the WatchGuard SSL Application Portal.
2. Click the Full Tunnel Access resource to start it.
3. Click the Access Client icon in the Windows system tray. The Access Client menu appears.
4. Select Favorites > Add. A list of connected Tunnel Resources appears.
5. Select the name of the connected resource to save as a favorite. The Edit Favorite dialog box appears.
6. Type a Display name for this favorite. This can be different from the name of this resource on the Application Portal. For this example, type Full Network Access.
7. The Server and Configuration text boxes are automatically configured. Do not change these settings.
8. To automatically start this resource when the client is launched, select the Load on startup check box.
9. Click OK.
10. Click Close to exit the Access Client Favorites window.
11. Click the Access Client icon in the Windows system tray.
12. Select Exit. The Access Client exits, and the Tunnel Resource closes.
Start the Favorite Automatically

If you configured the favorite to start automatically when the Access Client starts, to start the favorite resource you only need to launch the client.

1. Select Start > All Programs > WatchGuard SSL > Access Client > WatchGuard Access Client. The Access Client starts and the Authentication dialog box appears.

Note: Because the WatchGuard SSL device uses a self-signed certificate, the Access Client displays a series of security warnings. You must click Yes several times to acknowledge the security warnings. For information about how to replace the self-signed certificate on the device to avoid these security warnings, see the Administration module.

2. Authenticate to the Application Portal. The Full Tunnel Access resource automatically loads.

If you have configured the Access Client to launch when Windows starts, the resource is automatically started. This is a great efficiency for remote users who use the Access Client to connect to your network, because the VPN client and Tunnel Resources are loaded automatically when Windows starts.

Close and Start Favorite Resources from the Access Client Menu

1. Click the Access Client icon in the Windows system tray. The Access Client menu appears.
2. To close an active tunnel, select Close Tunnels and select the active tunnel from the list.
3. To start a favorite resource, select Favorites and select the name of the favorite resource from the list.

Edit or Delete Access Client Favorites

1. Click the Access Client icon in the Windows system tray. The Access Client menu appears.
2. Select Favorites > Manage. The Access Client Favorites dialog box appears.
3. Click a favorite to select it.
4. To edit the favorite, click Edit. To remove the favorite, click Delete.

Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. You must use the Access Client to connect to which types of resources? (Select all that apply.)
   A) File Share Resource
   B) Full Tunnel Resource
   C) Web Resource
   D) Tunnel Resource
2. True or false? You can configure the On-demand Access Client to automatically start and launch Tunnel Resources when you start Windows.
3. Why does the Access Client display a series of security warnings? (Select one.)
   A) Because the user has not yet authenticated.
   B) Because the WatchGuard SSL device uses a self-signed certificate.
   C) Because the WatchGuard SSL Access Client uses a self-signed certificate.
4. How can you see status information about your Access Client connection? (Select all that apply.)
   A) Move the mouse pointer over the Access Client icon in the Windows system tray.
   B) Select Start > All Programs > WatchGuard SSL > Access Client > Status.
   C) Select Status from the Access Client menu in the Windows system tray.

ANSWERS
1. A, B, D
2. False. You must use the Installed Access Client to do this.
3. B
4. A, C

Assessment and Abolishment

Use End-Point Security to Protect Resources

What You Will Learn

Assessment and Abolishment are end-point security features that you can use to protect your resources. In this training module you learn how to:
- Configure Assessment settings
- Configure Abolishment settings
- Create Assessment and Abolishment Access Rules

Before you begin these exercises, make sure you read the Course Introduction module.

End-Point Security Features

The WatchGuard SSL device includes two end-point security features you can use to protect your resources. End-point security features require that client computers meet certain criteria before they can connect to resources on the Application Portal. These features also remove temporary files at the end of an SSL VPN session. The two types of end-point security we review in this training module are Assessment and Abolishment.
Assessment

Assessment is an end-point security feature that scans the client computer to examine whether the client meets certain criteria. You can configure the Assessment criteria that a client computer must meet in order to get access to a resource protected by an Assessment access rule. You can define an Assessment access rule to check for these criteria:
- File or directory information
- Registry key or sub-key information
- Process information
- Windows user information
- Windows domain information
- Network interface information
- TCP and UDP port information
- Anti-virus and anti-spyware information
- Firewall information

After a user authenticates, but before the user connects to a network resource, you can require an assessment of their computer to find whether the computer meets your security requirements. This is the Client Assessment process, which is performed by the WatchGuard SSL Assessment Agent. The Assessment Agent automatically launches in a client web browser. If the client computer meets the criteria, the user is allowed to access the protected resource.

If you have a current LiveSecurity subscription, updates to your Assessment criteria data occur automatically at the time interval you specify in Monitor System > Live Update. If your LiveSecurity subscription expires, the Assessment definition file is no longer updated, but Assessment continues to operate with the criteria available at the time of expiration.

WatchGuard SSL supports Assessment on Microsoft Windows clients.

Abolishment

When a remote user connects to sensitive resources on your network from a computer that is not in your control (such as a home computer or kiosk), confidential information can remain on the computer after the VPN session is terminated. You can use Abolishment to erase all traces of the session from the client device (for example, URL history, cache, cookies, and downloaded files).
Abolishment is an end-point security feature that monitors the files and stored browser data on a client throughout a user session. When the user disconnects, the Abolishment agent asks the user to delete the files that were downloaded or created during the user session. Monitored files include those that a user downloads, edits, or creates during the user session. Administrators can also configure the SSL device to automatically delete these files when the user session is complete.

When you protect a resource with an Abolishment access rule, the Abolishment settings specify what types of files are monitored for changes and deleted from the client after the session is completed. By default, the Abolishment client monitors these file types: .htm, .pdf, .txt, .exe, .doc, .html, .gif, .jpg

When a user tries to connect to the resource, access is allowed only if the Abolishment client is running. This makes sure that Abolishment can be performed when the session is completed.

For your users of Microsoft Internet Explorer 7 or later, make sure the HTTPS IP address of the SSL device is added to the Internet Explorer Trusted Sites list.

WatchGuard SSL supports Abolishment on Microsoft Windows clients.

End-Point Integrity Client

Abolishment and Assessment are performed by Abolishment and Assessment clients that are loaded on the client computer with an ActiveX or Java client loader. If a user connects to the Application Portal with Internet Explorer, the first time the user clicks a resource that requires Abolishment or Assessment, the user must agree to install the ActiveX client loader. The user must restart the web browser after the ActiveX loader installs.

Note: When the user is notified about Assessment, the client is called the End-Point Integrity scan. When the user is notified about Abolishment, the client is called the End-Point Protection scan.
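The Assessment and Abolishment behaviour described in this section, as an added example that is not WatchGuard's code: it evaluates a constructed Assessment rule (the asset tag file of Exercise 1 plus anti-virus from any vendor as in Exercise 2) against the data a client reports, and takes a before-and-after snapshot of a temporary directory to list the monitored file types created or changed during a session. The rule field names, the client data layout, the mtime-based change detection, and the file and product names are assumptions.

```python
"""Constructed illustration (not WatchGuard code) of the two end-point checks
above: an Assessment rule evaluated before a resource opens, and an
Abolishment snapshot listing monitored files created or changed in a session."""
import fnmatch
import os
import tempfile

# Default monitored types, in the comma-and-space form used in Exercise 4.
DEFAULT_ABOLISHMENT_TYPES = ".htm, .pdf, .txt, .exe, .doc, .html, .gif, .jpg"

CORPORATE_RULE = {  # constructed; mirrors Exercises 1 and 2, field names assumed
    "requirements": [
        {"type": "File information", "rule": r"c:\asset-tag.txt", "restriction": "Match"},
        {"type": "Antivirus information", "vendor": "Any product"},
    ],
    "feedback": "Your computer does not meet the corporate security requirements.",
}

def parse_file_types(setting):
    """Split the file-type setting into normalised lowercase extensions."""
    return {ext.strip().lower() for ext in setting.split(",") if ext.strip()}

def file_requirement_met(client_files, matching_rule, restriction="Match"):
    """Match compares the whole path (case-insensitively, as Windows does);
    Wildcard match wraps the rule in a leading and trailing '*', as the
    wizard does by default, and matches with shell-style wildcards."""
    rule = matching_rule.lower()
    paths = [p.lower() for p in client_files]
    if restriction == "Wildcard match":
        return any(fnmatch.fnmatchcase(p, "*" + rule + "*") for p in paths)
    return rule in paths

def antivirus_requirement_met(client_products, product_vendor):
    """'Any product' passes if any anti-virus product is present; otherwise
    the named vendor must be among the products the client reports."""
    if product_vendor == "Any product":
        return bool(client_products)
    return product_vendor in client_products

def evaluate_access_rule(rule, client):
    """Return (allowed, feedback). Every requirement must be met; the first
    failure denies access (the default action) with the feedback message."""
    for req in rule["requirements"]:
        if req["type"] == "File information":
            ok = file_requirement_met(client["files"], req["rule"],
                                      req.get("restriction", "Match"))
        elif req["type"] == "Antivirus information":
            ok = antivirus_requirement_met(client["antivirus"], req["vendor"])
        else:
            raise ValueError("unsupported information type: " + req["type"])
        if not ok:
            return False, rule["feedback"]
    return True, ""

def snapshot(directory, monitored):
    """Map path -> mtime (ns) for every file of a monitored type under directory."""
    result = {}
    for root, _dirs, names in os.walk(directory):
        for name in names:
            if os.path.splitext(name)[1].lower() in monitored:
                path = os.path.join(root, name)
                result[path] = os.stat(path).st_mtime_ns
    return result

def changed_files(before, after):
    """New or modified monitored files: what the Abolishment dialog lists."""
    return sorted(p for p, mtime in after.items() if before.get(p) != mtime)

def simulate_session(monitored_setting=DEFAULT_ABOLISHMENT_TYPES):
    """Constructed session in a temp directory: the user downloads a .txt and
    a .zip and edits an existing .doc. Returns the base names to be abolished."""
    monitored = parse_file_types(monitored_setting)
    with tempfile.TemporaryDirectory() as home:
        report = os.path.join(home, "report.doc")
        with open(report, "w") as fh:
            fh.write("old contents")
        os.utime(report, ns=(1_000_000_000, 1_000_000_000))  # fixed old mtime
        before = snapshot(home, monitored)
        # ... activity during the session ...
        with open(os.path.join(home, "download.txt"), "w") as fh:
            fh.write("confidential")
        with open(os.path.join(home, "archive.zip"), "w") as fh:
            fh.write("not a monitored type")
        with open(report, "w") as fh:
            fh.write("edited contents")
        os.utime(report, ns=(2_000_000_000, 2_000_000_000))
        after = snapshot(home, monitored)
        return [os.path.basename(p) for p in changed_files(before, after)]

if __name__ == "__main__":
    kiosk = {"files": [r"C:\Windows\notepad.exe"], "antivirus": []}
    corporate = {"files": [r"C:\asset-tag.txt"], "antivirus": ["Example AV"]}
    print(evaluate_access_rule(CORPORATE_RULE, kiosk))      # denied, with feedback
    print(evaluate_access_rule(CORPORATE_RULE, corporate))  # (True, '')
    print(simulate_session())  # ['download.txt', 'report.doc']
```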
By default, the Assessment Client Loader and Abolishment Client Loader try to use ActiveX first, and if it is not available, they use a Java applet. You can change this in the Advanced Settings for Assessment and Abolishment.

Exercise 1: Create an Assessment Access Rule

The Successful Company wants to make sure that computers that use the Application Portal meet the defined security requirements before users can get access to certain internal resources through the Application Portal. The Successful Company standard corporate computer configuration includes a file that contains the asset tag number of the computer. If this file is not present, the computer might not be a corporate computer and should be denied access. In this exercise you configure an Assessment Access rule to enable access to a resource only if the asset-tag.txt file is present on the client computer.

1. Select Resource Access > Access Rules. The Manage Access Rules page appears.
2. Click Add Access Rule. The Add Access Rule wizard starts.
3. In the Display Name text box, type a name for this Access Rule. Click Next. A list of Access Rule types appears.
4. Select Assessment. Click Next. The Select Criteria page appears.
5. In the Display Name text box, type a name for this rule.
6. From the Information Type drop-down list, select File information. Click Next. The Specify Requirements page appears. This is where you specify the requirements for this rule.
7. Click Add Requirement. The Add Requirements page appears.
8. From the Client Data drop-down list, select File name.
9. From the Matching Restriction drop-down list, select Match. This is the default setting.
   Note: If you select Wildcard match as the Matching Restriction, a leading and a trailing * are applied by default to the Matching Rule.
10. In the Matching Rules text box, type the path and name of the file that must be present on the computer. For this exercise, type c:\asset-tag.txt.
11. Click Add. The requirement is added to this rule.
12. To configure the Assessment client to check for the presence of other files, or to check for file attributes, repeat Steps 7 to 11 to add other requirements to this rule.
13. Click Next. The Feedback Message page appears.
14. In the Feedback Message text box, type a message that you want users to see if their computer does not meet the criteria specified in this access rule. Click Next. A summary of this Access Rule appears.
15. Click Next. This access rule now has one rule in it. A single access rule can contain more than one type of rule. You can add others. For this example, we do not need to add more rules.
16. Click Next. The Select Resources page appears.
17. Select the resource to apply this access rule to. For example, select OWA 2003. Click Add >. The resource is moved to the Selected Resources list.
18. Click Next. The Summary page appears.
19. Click Finish Wizard. The new access rule appears in the list.
20. Click Publish to update your configuration with this change.

Trigger the Assessment Access Rule

To see what this looks like from the user's point of view, we first want to see what happens when the asset-tag.txt file is not present on the client computer.

1. In a browser, authenticate to the Application Portal as any user who can get access to the resource you protected with the Assessment access rule.
2. In the Application Portal, click the resource that you protected with the Assessment access rule. The End-Point Integrity dialog appears in a separate browser window or tab. This notifies the user that their computer must be scanned before the resource can be accessed.
3. Click Continue.
   The Assessment client loads and scans for the Assessment criteria.
   Note: The first time an Assessment scan runs, a browser warning appears that asks whether you want to allow the ActiveX or Java client loader component. This warning looks different depending on your browser. You must allow the client loader, or the Assessment scan cannot run.
   If the assessment criteria are not met, the End-Point Integrity scan failed page appears. The text on this page is the Feedback text you configured for the Assessment access rule.
4. Use a text editor to create the asset-tag.txt file in the C:\ folder.
5. Click Try Again in the End-Point Integrity scan failed page. The End-Point Integrity page appears again.
6. Click Continue. This time, the Assessment access rule finds the file and the resource opens.

Exercise 2: Use Assessment to Check for Anti-Virus Software

The Successful Company requires that all computers that connect to the Full Network resource in the Application Portal must use anti-virus software. In this exercise, you create an Assessment rule that checks for a running anti-virus client, and then apply this rule to the Full Network resource.

1. Select Resource Access > Access Rules. The Manage Access Rules page appears.
2. Click Add Access Rule. The Add Access Rule wizard starts.
3. Type a Display Name for this access rule. For example, Anti-Virus check.
4. Click Next. The Select Type of Access Rule page appears.
5. Select Assessment. Click Next. The Select Criteria page appears.
6. Type a Display Name for this rule.
7. From the Information Type drop-down list, select Antivirus information. Click Next. The Specify Requirements page appears.
8. Click Add Requirement. The Add Requirement page appears.
9. From the Product Vendor drop-down list, select the name of the anti-virus vendor for the anti-virus product you want to check for.
   To check for the presence of anti-virus software from any vendor in the list, select Any product.
   Note: If your training computer uses anti-virus software, you can select that vendor. Or, if you want the Assessment scan to deny access, select an anti-virus vendor that is different from the anti-virus software on your computer.
10. The Action to take if the product requirements are not met is automatically set to Deny access. For this exercise, do not change this setting.
11. Click Add. The Specify Requirements page appears again.
12. Click Next. The Feedback Message page appears.
13. In the Feedback Message text box, type the message that you want users to see if their computer does not have the required anti-virus software.
14. Click Next. The Summary page for this access rule appears.
15. Click Next. The Add Access Rule page appears.
16. Click Next. The Select Resources page appears.
17. Select Full Tunnel and click Add >. The Full Tunnel resource is moved to the Selected Resources list.
18. Click Next. The Confirmation page appears with the settings for this access rule.
19. Click Finish Wizard. The new access rule appears in the Registered Access Rules list.
20. Click Publish to update your configuration with this change.

Exercise 3: Create an Abolishment Access Rule

The Successful Company wants to enable access to some Application Portal resources for users from any computer, such as a kiosk. The administrator wants to create an Abolishment rule to make sure that files that contain potentially confidential information are not left behind on the computer after the user ends the connection to the resource. In this exercise, you create an Abolishment access rule and apply it to a resource.

1. Select Resource Access > Access Rules. The Manage Access Rules page appears.
2. Click Add Access Rule.
   The Add Access Rule wizard starts.
3. Type a Display Name for this access rule. Click Next. The list of access rule types appears.
4. Select Abolishment as the access rule type. Click Next. The Summary page for this access rule appears.
5. Click Next. The Add Access Rule page appears. You can click Add Rule to add more rules to this access rule. For this exercise, we will not add more rules.
6. Click Next. The Select Resources page appears.
7. From the Available Resources list, select a resource. Click Add >. The resource is moved to the Selected Resources list.
8. Click Next. The Summary page for this access rule appears.
9. Click Finish Wizard. The new access rule appears in the Registered Access Rules list.
10. Click Publish to update your configuration with this change.

Trigger the Abolishment Access Rule

When an Abolishment Access Rule is applied to a resource, at the end of a user session, the user sees a list of files that were added or changed since the user connected to the protected resource. The new or changed files are not deleted automatically. The user must take action to select the files to delete before abolishment can complete.

1. Authenticate to the Application Portal.
2. Click the resource you protected with the Abolishment access rule. The End-Point Protection notification dialog box appears.
3. Click Continue. The selected resource appears.
4. Download or create a file of one of the monitored file types. For example, create a .txt file and save it to C:\.
5. Close the resource.
6. Log out of the Application Portal or close the browser. The WatchGuard Abolishment dialog box appears with a list of files created or changed during the session.
7. Select the check box for each file to delete, or click Select All. The Delete Files button is enabled.
8. Click Delete Files.
   The "All selected files were deleted successfully" message appears.

Exercise 4: Change File Types to Monitor for Abolishment

The Successful Company uses Microsoft Word 2007 for document creation. In addition to the default file types, the Successful Company also wants the Assessment client to perform Abolishment for .docx files. In this exercise, you change the Abolishment General Settings to add the .docx file type to the list of file types to monitor.

1. Select Manage System > Abolishment. The Manage Abolishment General Settings page appears.
2. In the Windows text box, add the .docx file type. Make sure to separate each file type with a comma and a space.
3. Click Save. The Abolishment settings are saved.
4. Click Publish to update your configuration with this change.

Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. Which of these options is not a check that an Assessment access rule can perform? (Select all that apply.)
   A) If a process is running on the client computer.
   B) If the client computer has a removable USB drive attached.
   C) If a registry value exists on the client computer.
   D) If a file exists on the client computer.
   E) If the client computer is running anti-virus software.
2. True or false? You can create an access rule that contains multiple Assessment rules.
3. True or false? When a user connects to a resource protected by an Abolishment access rule, by default, at the end of the user session, the Abolishment client automatically deletes all files that a user downloaded, edited, or created during the user session.
4. If you have a current LiveSecurity subscription, updates to your Assessment criteria data occur automatically at the time interval you specify in Monitor System > Live Update. What happens if your LiveSecurity subscription expires? (Select all that apply.)
   A) The assessment definition file is no longer updated.
   B) Assessment continues to operate with the criteria available at the time the LiveSecurity subscription expired.
   C) Assessment does not continue to operate because the criteria are not current.
5. True or false? You can create multiple Abolishment rules that monitor different file types.

Answers
1. A, C, D, E
2. True
3. False. In the default configuration, the Assessment client displays a list of changed files to the user at the end of the session, but the user must take action to delete them.
4. A, B
5. False. Because you configure the list of monitored file types in the Abolishment General Settings, the same set of file types is monitored for all Abolishment access rules.

Administration
Manage and Customize your WatchGuard SSL Device

What You Will Learn

In the Getting Started module, you learned how to set up your WatchGuard SSL device. In this training module you learn about:
- How to restore a previous configuration
- How to import and export your device configuration
- How to update the WatchGuard SSL OS
- Why you should request and install a signed server certificate
- How to customize the branding on your Application Portal

Before you begin these exercises, make sure you read the Course Introduction module.

Introduction

You used the Quick Setup Wizard to create your initial device configuration. You can manage many of those initial configuration settings, and many other system settings, in the Manage System section of WatchGuard SSL Web UI.
In the other training modules, you learned about many of these system settings, such as Authentication, Assessment, Abolishment, and Notification. In this training module, we focus on some of the other system management settings used to maintain your WatchGuard SSL device.

Manage your Device Configuration Files

There are two ways to save and restore previous configuration files. Recent configuration files are automatically stored on the device. You can also export your configuration to an archive file for off-site storage or backup.

Manage Recent Configuration Files

The WatchGuard SSL device automatically saves a copy of your last configuration each time you publish a configuration change. After you click Publish, the Publish Summary page appears. By default, the WatchGuard SSL device saves the 20 most recent configuration files. If you have reached the maximum allowed number of saved configuration files, each time you publish a new configuration, the oldest saved configuration file is removed to make room for the newest one, unless the configuration file is locked.

To see the saved configuration files, on the Publish Summary page, click Restore Configuration. Or, select Manage System > Restore Configuration.

On the Restore Configuration page, you can:
- Restore a saved configuration file
- Delete saved configuration files
- Delete multiple backup configuration files
- Add comments to a saved configuration file
- Change the maximum number of configuration files to save

The saved configuration files are stored on the WatchGuard SSL device. To save a backup of your configuration to a location other than the SSL device, you must export the configuration as described in the next section.

Export and Import a Device Configuration File

It is a good idea to periodically back up your device configuration to another location.
Off-site system backups are usually a required part of an organization's disaster recovery plan. We recommend that you export your configuration before you upgrade your device OS, to help you recover in the unlikely event that there are problems during the upgrade process. When you export the device configuration, the device creates an encrypted zip archive file that contains all the configuration files for your device. You can import the exported device configuration to the same device or to a different WatchGuard SSL device. You can use the export and import processes to migrate your configuration from one device to another, or to replicate the configuration on more than one device.

Update the WatchGuard SSL OS

WatchGuard provides software updates in a file that you can use to update the software on your SSL device. We recommend that you export your configuration to create a backup before you update the OS on your device.

WatchGuard posts Release Notes with each software update. We strongly recommend you read the Release Notes before you update the OS. The Release Notes include a description of what is new in the OS update, any special upgrade instructions, and a list of resolved and known issues.

The software update file is delivered as a zip file. After you download the software upgrade file from the WatchGuard Software Downloads page and extract the contents, you can use the file to upgrade your device.

To update the OS:
1. Select Manage System > Device Update.
2. Click Browse to locate the software update file.
3. Click Update. The WatchGuard SSL device automatically reboots as part of the upgrade process.

Install a Signed Certificate

The WatchGuard SSL default configuration includes a self-signed server certificate named TestCert. We recommend that you replace this with your own signed certificate. To create your own signed certificate, you must first create a Certificate Signing Request (CSR).
Then you send the CSR to a certificate authority (CA), which issues a signed certificate.

When you use the default certificate, the browser displays a certificate warning because the distinguished name in the default self-signed certificate does not match your organization, and the certificate is not signed by a trusted certificate authority. If you install a server certificate signed by a well-known (trusted) CA, the certificate warnings do not appear because the browser trusts the certificate.

To see and manage the certificates on your device, select Manage System > Certificates.

The basic process you must use to request and use a signed certificate includes these steps:
1. Create a private key and certificate signing request (CSR). You can use OpenSSL, a free command line utility, to do this. For a list of sites from which you can download OpenSSL, see http://www.openssl.org/related/binaries.html.
2. Use the CSR to request a certificate from Thawte, Verisign, or another well-known certificate authority (CA). Use the instructions from your CA to submit the CSR. The CA returns a signed certificate to you.
3. Convert the private key to PKCS#8 format with a program such as OpenSSL.
4. On the Manage Certificates page, add the new CA certificate and the new server certificate to the WatchGuard SSL device.
5. On the Manage System > Device Settings page, configure the SSL device to use the new server certificate.
6. Save the configuration, and publish it to update your configuration with the change.

For a detailed description of these steps, including the OpenSSL commands, see the WatchGuard SSL Web UI Help or User Guide.

Customize the Application Portal Page

You can change the WatchGuard SSL Application Portal and Web UI to reflect your corporate branding.
There are two methods you can use to apply your corporate brand or other customizations:
- Customize Application Portal Page: On the WatchGuard SSL Web UI Customize Application Portal page, you can easily customize the most visible text and images that appear in the Application Portal and the Authentication Portal pages.
- File Browser: Use the file browser for more detailed customization of the Application Portal or to customize the Web UI. For more information about the file browser, and details about all the things you can customize, see the WatchGuard SSL Web UI Help or User Guide.

Branding Changes from the WatchGuard SSL Web UI

From WatchGuard SSL Web UI, you can make many changes to the Application Portal branding. In the default configuration, the Application Portal page looks like this:

[Screenshot: the default Application Portal page]

From WatchGuard SSL Web UI you can easily customize many parts of this page:
- Company Name: The name that appears in the About and Contact links.
- Company URL: The URL associated with the About link.
- Company Contact URL: The URL associated with the Contact link.
- Portal Name: The large text heading at the top of the Application Portal page.
- Portal Information Text: The welcome text that appears above the Resources on the Application Portal page.
- Client Portal Header Image: The grey background image at the top of the page.
- Website Icon: The icon that appears in the browser tab for the Application Portal.

In the default configuration, the Application Portal authentication page looks like this:

[Screenshot: the default Application Portal authentication page]

The red and grey borders of this page are a background image. To change the look of this page, in WatchGuard SSL Web UI, replace the Client authentication portal background image with a different image.

Exercise 1: Restore a Saved Configuration

The Successful Company administrator wants to use an earlier configuration saved to the device. In this exercise, you restore a saved configuration on the device.

1. Select Manage System > Restore Configuration. The Restore Configuration page appears.
2. Select the configuration you want to restore.
3. Click Restore. A message appears on the System Status page after the configuration is successfully restored.
4. Click Publish to update your configuration with this change.

Exercise 2: Export and Import the Device Configuration

The Successful Company is required to maintain periodic off-site backups of their key systems and to test the recovery process to verify the backup process is successful. In this exercise, you export the device configuration to an archive file and then import it.

Export the Configuration

1. Select Manage System > Import/Export Configuration. The Configuration Import/Export page appears.
2. Click Export 3.x Configuration. The system creates an encrypted zip archive that contains all configuration files for the system. The file name includes the date and time the export file was created.
3. Click the Download link to download the encrypted zip file. The save file dialog for your browser appears.
4. Save the file to a location on your computer.

Import the Saved Configuration File

To import the file, select the file you just saved. After you import a saved configuration file, the device must reboot.

1. Select Manage System > Import/Export Configuration. The Configuration Import/Export page appears.
2. In the Import Configuration section, click Browse to select the configuration file to import.
3. Click Import Configuration. The configuration is imported and your WatchGuard SSL device reboots. This can take several minutes.
4. After the device reboots, log in to WatchGuard SSL Web UI again.

Exercise 3: Customize the Application Portal Page

The Successful Company wants to update the Application Portal page to use their own company name and information.
In this exercise you learn how to customize the Application Portal page from WatchGuard SSL Web UI.

Customize the Application Portal Text and URLs

1. Select Resource Access > Application Portal. The Manage Application Portal page appears.
2. Click Customize Application Portal. The Customize Application Portal page appears.
3. Change the text and URLs that appear in the Application Portal.
4. Click Save.
5. Click Publish to update your configuration with this change and update the Application Portal.
6. Authenticate to the Application Portal. The updated text and URLs appear on the Application Portal page.

Customize the Application Portal Header Background Image

If you are comfortable editing image files, you can try this additional exercise to customize the background image that appears in the header of the Application Portal. To do this part of the exercise, you must first create a new background image in GIF format that is the correct size. If you do not already have an image file of the correct size (456 x 360 pixels), one way to create a new background image for this exercise is to edit the existing image. From the Application Portal page, in Internet Explorer you can right-click on the top of the page to save a copy of the background image to a local file. In Firefox, right-click the top of the Application Portal page, then right-click again to save the image to a file. You can then edit it with image editing software.

1. Select Resource Access > Application Portal. The Manage Application Portal page appears.
2. Click Customize Application Portal. The Customize Application Portal page appears. You can change the background images and the website icon. This page also displays the maximum image size for each background image:
   - Client Authentication Portal Background Image: 456 x 360 pixels.
   - Client Portal Header Image: 799 x 70 pixels.
3. In the Client Portal Header Image section, click Browse to locate the GIF file to use.
4. Click Save.
5. Click Publish to update your configuration with this change.
6. Authenticate to the Application Portal to see the updated header image.

You can use similar steps to replace the background image on the authentication page. On the Customize Application Portal page, this image is called the Client Authentication Portal Background Image. The size of the Client Authentication Portal Background Image is 456 x 360 pixels.

Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. True or false? To restore a recent configuration, you must import the configuration from a backup file.
2. By default, how many recent published device configurations does the WatchGuard SSL device save locally? (Select one.)
   A) 10
   B) 20
   C) 40
   D) There is no limit
3. Which of these options require the WatchGuard SSL device to restart? (Select all that apply.)
   A) Restore a saved configuration.
   B) Update the OS.
   C) Export the configuration.
   D) Import the configuration.
   E) Publish an update to the configuration.
4. True or false? To eliminate browser warnings about a mismatched or untrusted certificate when a user connects to the Application Portal, you can install a server certificate signed by a trusted CA.
5. Which of these changes can you make from WatchGuard SSL Web UI? (Select all that apply.)
   A) Change the branding on the Application Portal page.
   B) Change the branding on WatchGuard SSL Web UI.
   C) Change the branding on the Application Portal authentication page.
   D) Change the branding on the WatchGuard SSL Access Client.

Answers
1. False
2. B
3. B, D
4. True
5. A, C

Monitor the WatchGuard SSL System
Monitor WatchGuard SSL System Status and Activity

What You Will Learn

You can use WatchGuard SSL Web UI to see information about the system status, user sessions, log files, reports, licenses, and alerts. In this training module you learn how to:
- Monitor WatchGuard SSL system status
- Manage current user sessions
- Add alerts to notify you of specific events
- Manage log file settings and see log messages
- Create reports

Before you begin these exercises, make sure you read the Course Introduction module.

Introduction

When you log in to WatchGuard SSL Web UI you can immediately see key information regarding the status of your system. The Monitor System section of the Main Menu contains all the management features you use to monitor the status and events on your WatchGuard SSL device. The System Status page, in the sub-menu below Monitor System, is automatically selected when you log in.

The Monitor System section of the Web UI has these left menu options:
- System Status: In this section you can see an overview of information about your system, check the status of your network, review current authentication settings, identify events that have occurred on your system, verify the status of your device, and run basic debug tools to help you troubleshoot issues on your network. You can also manage settings for event monitoring, change the Super Administrator password, and see information about the date and time of administrator activities.
- User Sessions: Search for and manage all current user sessions to see which users are active in the system and information about their sessions. You can also stop active user sessions.
- Alerts: Add, edit, and delete the alerts the system sends when specified events occur, and manage global alert settings. You can configure the system to send alerts by email or as an SMS message.
Logging: Configure logging settings, such as the log level, log file rotation, and the types of information to include in the log messages for each registered service.

Log Viewer: See log messages from the configured services. You can specify search criteria to filter results by severity level or search for specific messages.

Reports: Generate reports about the current status of the device or a service, or select a time range.

Diagnostics File: Create a compressed diagnostics log file that contains events from all log files for a specified time range. WatchGuard technical support may ask you to generate this file to help troubleshoot issues with your system and resolve issues with your configuration.

Feature Key: See information about the current feature key and upload a new feature key.

Live Update: Check the status of updates to the engine and definition files used for End-Point Security Assessment access rules. Live Update settings are preconfigured to the recommended settings. We recommend that you do not change these settings unless instructed to do so by WatchGuard technical support.

At the bottom of the Monitor System page, two links enable you to change some additional global monitoring settings:

Manage Settings: Select whether to monitor the connection to the Local User Database or External Directory Service, change the Super Administrator password, and enable the password policy.

View Administrator Activities: See a list of all the administrators logged on to the Web UI, as well as the date and time of recent actions for each administrator.

Exercise 1: Monitor System Status

A new network administrator has joined Successful Company and wants to learn about the configuration of the installed WatchGuard SSL device. In this exercise you explore the System Status section of the Web UI to learn about the system.

1. Select Monitor System > System Status. Or, log in to the WatchGuard SSL Web UI.
The System Status page appears automatically when you log in.

An evaluation feature key allows a maximum of one authenticated user. The evaluation feature key does not include LiveSecurity, so you cannot update the software or use the Live Update feature.

Some of the information you can learn immediately from this page includes:
- Which Software Version is installed.
- The Feature Key Type (Production or Evaluation) installed on this device.
- Status information about registered and connected users:
  Concurrent Users: The current number of users logged in to the Application Portal. The maximum number of allowed concurrent users is shown in parentheses.
  Registered User Accounts: The number of user accounts on this system. The maximum number of user accounts is shown in parentheses; (*) indicates there is no limit.
  Logged on Users: The number of users logged in to the Application Portal. This includes all logged-in users, whether or not they are actively connected to a resource.
  Active Users: The number of users logged in and actively connected to a resource.

At the bottom of the page, you can see the number of Registered Resources configured for the Application Portal and the number of Registered SSO Domains configured for Single Sign-On.

2. Select the Network Status tab.
The Network Status page appears.

Single Interface Mode and Dual Interface Mode are described in the Getting Started training module.

From this tab, you can see the status of the network configuration for this device. At a glance, you can see that this device is configured in Single Interface Mode, because only one interface (Eth0) is configured. If the device were configured in Dual Interface Mode, you would also see status information for Eth1. You can also see the Routing Table configured for this device.

3. Select the Authentication tab.
The authentication settings appear.
This page includes a summary of configured authentication methods and directory services, as well as information about RADIUS clients and the configured email notification and SMS distribution channels.

It is important to know which distribution methods are configured on your system. These notification channels are used to send alerts and to distribute one-time passwords (OTPs), passwords and PINs, and seed notifications.

In this example, on this page you can learn:
- The five WatchGuard authentication methods are configured.
- There are no RADIUS clients registered.
- The Email Notification channel is configured.
- The SMS Distribution Channels are disabled.
- This device is configured with both a Local User Database and an External Directory Service.

4. Select the Device Status tab.
The Device Overview section shows information about the installed software, current connections, and resource use, which includes:
- Current Server Time: Shows the current date and time for the SSL device (this also appears on the System Overview page).
- Server Started: Shows the date and time the system was last started.
- Version: Shows the software version (this also appears on the System Overview page).

The SSL Status section shows information about SSL Listeners. Listeners are additional ports or IP addresses on which the Application Portal accepts connections. By default, the Application Portal listens on one IP address on the Eth0 port. If you added additional listeners, their status would also appear in this section. In this example, only one SSL Listener is enabled.

Exercise 2: Monitor User Sessions

The administrator wants to see more information about the current user sessions. In this exercise you look at user session information and learn how to end a user session.

1. In the WatchGuard SSL Web UI, select Monitor System.
The System Status page appears.

2. Select User Sessions.
The User Sessions page appears with a list of all active user sessions.

3. Click a user session to see details about it.
The View User Session page appears.

4. To return to the User Sessions page, click Previous.

5. If you want to end a user session, select the Delete check box adjacent to that session. Click Delete.
The selected user sessions are stopped and removed from the list.

Exercise 3: Configure Administrative Alerts

Alerts are messages the system sends to notify administrators when specified events occur. Alert events include lost and restored connections between services, lost and restored connections to the Local User Database, and user account activity. You can configure alerts to be sent by email or as an SMS message.

The Successful Company administrator wants the help desk to receive an email alert when a user account is locked.

Enable the Email Notification Channel

To use Administrative Alerts, you must enable a notification channel. For this example, we use the email channel. You may have already enabled the email notification channel if you completed the exercises in the Authentication and Users module.

1. Select Manage System > Notification Settings.
The Manage Notification Settings page appears.

2. On the Email Channel tab, select the Enable email channel check box.

3. In the Host text box, type the IP address or domain name of your local email server.

4. In the Senders E-mail Address text box, type the email address that you want to use to send the administrative alerts. You can use an email address that is not on your mail server.

5. Click Save.

Add Alerts

1. Select Monitor System > Alerts.
The Manage Alerts page appears.

2. Click Add Alert.
The Add Alert page appears.

3. Type a Display Name and Description for this alert.

4. Select a notification method. For this example, select Email.
Note: You must also make sure the notification channel is configured for the notification method you select. You can see the status of notification methods on the System Status > Authentication tab. To configure a notification channel, select Manage System > Notification Settings.

5. Click Next.
The next page of the Add Alert wizard appears.

6. Select one or more event types to trigger this alert. For this example, select Locked for Access.

7. Click Next.

8. Click Add Email address. Type an email address to receive notification for this alert.

9. Click Finish Wizard.
The Manage Alerts page appears, with the new alert added to the Registered Alerts list.

Exercise 4: Monitor System Logs

The new administrator at Successful Company also monitors the system log files as another way to learn about system status and activity. In this exercise you learn about the default logging settings, which are a good starting point for most environments. You also learn how to use the Log Viewer to search for information in the log files.

Configure the Logging Settings

1. Select Monitor System > Logging.
The Manage Logging page appears. You can configure logging settings, such as the log level, log file rotation, and the types of information to include in the log messages for each registered service. You can configure logging for two registered services:
- accesspoint: Includes all services related to the operation of the Application Portal.
- Administrator: The WatchGuard Administration Service, which includes all the services and settings related to administration of your device.

You can also select Manage Global Logging Settings on this page to change logging settings that apply to all registered services.

2. Click accesspoint.
The Edit Logging Settings page for the accesspoint service appears, with a separate tab for each log type. This example shows the default logging settings:
- Log Level Filter is set to Info, which means that the service saves all log messages (Info, Warning, and Fatal) to the log file for this service.
- Log File Rotation is set to Create a new log file every day, which means that the service creates a new file for log messages every day.

3. Select the Audit Log tab.
The Audit Log settings appear. For the Audit Log, in addition to the Log Level Filter and Log File Rotation settings, you can also see and change which types of information are included in log messages. The Log File Information settings are only available for the accesspoint service. You can also configure a similar group of settings on the HTTP Log tab.

The default logging settings are a good starting point for most environments. You can select other types of information to include in your log files if you want to see that information in the Log Viewer for monitoring.

See Contents of the Log Files

You use the Log Viewer to search the log files for events, filtered on the criteria you select.

1. Select Monitor System > Log Viewer.
The Log Viewer page appears. By default, the Log Viewer shows the System log messages for all services for the last hour. You can select a different Log Type or select a specific service from the Services list.

You can use Search Criteria to trace specific log events, such as user activity, through your services. Searches are not case sensitive, and search criteria can include multiple text strings. For example, if you want to see only warnings, you could type WARNING in the Search Criteria text box. For details about how to use the Search Criteria for sophisticated searches, see the WatchGuard SSL Web UI Help or the WatchGuard SSL User Guide.

2. Click View Log.
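To make the Log Level Filter and Log Viewer search rules above concrete, here is a small added Python model of them (not WatchGuard code; the log line format, the fixed clock, and the rule that every search term must match are assumptions for illustration):

```python
"""Mini model of the WatchGuard SSL logging rules described above (added
example, not WatchGuard code).  The entry format, the fixed clock and the
rule that every search term must match are assumptions for illustration."""
from datetime import datetime, timedelta

# Severity order used by the Log Level Filter: a service set to Info keeps
# Info, Warning and Fatal; set to Warning it keeps Warning and Fatal, etc.
LEVELS = {"Info": 0, "Warning": 1, "Fatal": 2}


def passes_level_filter(level_filter, message_level):
    """True if a message of message_level is written to the log file when
    the service's Log Level Filter is level_filter."""
    return LEVELS[message_level] >= LEVELS[level_filter]


def search_log(entries, services=None, criteria="", since=None, now=None):
    """Return entries for the chosen services (None = all services) that fall
    inside the time window and contain every search term, case-insensitively.
    The default window is the last hour, as in the Log Viewer."""
    now = now or datetime.now()
    since = since or now - timedelta(hours=1)
    terms = [t.lower() for t in criteria.split()]  # multiple text strings
    hits = []
    for when, service, level, text in entries:
        if services and service not in services:
            continue
        if not since <= when <= now:
            continue
        haystack = f"{level} {text}".lower()  # case-insensitive match
        if all(term in haystack for term in terms):
            hits.append((when, service, level, text))
    return hits


# Constructed sample entries (time, service, level, message); not real device
# output.  NOW fixes "the last hour" so the example is deterministic.
NOW = datetime(2012, 6, 1, 12, 0, 0)
SAMPLE_LOG = [
    (NOW - timedelta(minutes=5), "accesspoint", "Info", "User alice logged in to the Application Portal"),
    (NOW - timedelta(minutes=20), "accesspoint", "Warning", "User bob locked for access after failed logins"),
    (NOW - timedelta(minutes=30), "Administrator", "Info", "Configuration published by admin"),
    (NOW - timedelta(minutes=45), "accesspoint", "Fatal", "Lost connection to Local User Database"),
    (NOW - timedelta(hours=3), "accesspoint", "Warning", "User carol locked for access"),
]


def warnings_last_hour():
    """Mirror the page's example: type WARNING to see only warnings."""
    return search_log(SAMPLE_LOG, criteria="WARNING", now=NOW)


if __name__ == "__main__":
    for when, service, level, text in search_log(SAMPLE_LOG, criteria="locked access", now=NOW):
        print(when.isoformat(), service, level, text)
```

Note that the three-hour-old lockout for carol is outside the default one-hour window, so it does not appear until you widen the time range.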
The WatchGuard Web UI System Log shows the log messages that meet the criteria you specified.

Note: You might need to allow the pop-up in your browser to see the View Log window.

Exercise 5: Create Reports

The Successful Company administrator realizes that, while searching the log files might be good for troubleshooting, the built-in reports provide a better way to get an overall view of system activity in a format that is prefiltered and easier to read. In this exercise you generate an Authentication Report of all system activity, and you learn how to generate a Complete Report of all system activity.

1. Select Monitor System > Reports.
The Manage Reports page appears, with a list of all available reports, grouped based on the type of events they report about. At the bottom is a Complete Report, which includes all of the others.

2. Click one of the report links. For this example, click Authentication Report.
The Generate Authentication Report page appears. By default, the report is generated for all data for the past week.

3. Select the Filter tab.
Data filters for this report appear. Each report type has different data filters, based on the input data for that report type. You can click a data filter to edit it for this report. For this exercise, leave the filters set to All.

4. Select the Graphics tab.
The chart types and styles for the charts in the selected report appear. For this exercise, you can change the chart styles, or use the default Bar settings.

5. Click Generate Report.
The Authentication Report page appears.

6. Select each report tab to see the other charts for this report.

7. Click Save Report.
The Save Report page appears for the selected report.
You can save the report as a PDF, data file, or image file. PDF is the default setting.
- The PDF includes all pages of the report.
- Data files are stored as plain text, with one text file for each report tab.
- Image files are stored as PNG image files, with one file for each chart.

8. Click Download.
The selected report file is generated. If your report download includes more than one file, the files are combined into one zip file.

9. Click the file name to download the file.

Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. True or false? The date and time the system was last started appears on the System Overview tab of the System Status page.

2. Which notification methods can you select for Alerts? (Select all that apply.)
   A) IM
   B) SMS
   C) Email
   D) Pop-up message in the SSL Web UI

3. True or false? If you set the Log Level for a service to Info, the log file includes all levels of messages.

4. You can save Reports in which of these formats? (Select all that apply.)
   A) PDF
   B) .csv
   C) plain text report
   D) PNG image file

ANSWERS
1. False. It appears on the Device Status tab of the System Status page.
2. B, C
3. True
4. A, C, D

TRAINING www.watchguard.com/training training@watchguard.com
COPYRIGHT 2012 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, and Core are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.