
WatchGuard SSL 100 User Guide

WatchGuard SSL Web UI v3.0
WatchGuard SSL 100


ii WatchGuard SSL 100

Notice to Users

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revision: June 26, 2009

Copyright, Trademark, and Patent Information

Copyright © 1998–2009 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

This product is for indoor use only.

WatchGuard, the WatchGuard logo, LiveSecurity, and any other mark listed as a trademark in the “Terms of Use” portion of the WatchGuard Web site that is used herein are either registered trademarks or trademarks of WatchGuard Technologies, Inc. and/or its subsidiaries in the United States and/or other countries. All other trademarks are the property of their respective owners.

Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT®, Windows® 2000, Windows® XP, and Windows® Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All rights reserved.

“OpenVPN” is a trademark of OpenVPN Solutions LLC.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online: http://www.watchguard.com/help/documentation/


Table of Contents

Chapter 1 Getting Started ..... 1
  Before you begin ..... 1
  Use the Quick Setup Wizard to set up a basic configuration ..... 2
  Next steps after installation ..... 3
  Get a feature key ..... 5
  Restore the factory default settings ..... 6
  About the WatchGuard SSL Web UI ..... 7
  Customize your Application Portal ..... 9
    Customize and brand the WatchGuard SSL Web UI and Application Portal ..... 9
    Add the Access Client installer link in the Application Portal ..... 19
  About WatchGuard LiveSecurity Service ..... 20
  Support Information ..... 22

Chapter 2 Monitor System ..... 23
  About Monitor System ..... 23
  About the System Status page ..... 25
    System overview ..... 26
    Network status ..... 28
    Authentication status ..... 29
    Events status ..... 30
    Device status ..... 31
    Network tools ..... 32
    Manage Settings ..... 34
    View administrator activities ..... 35
  About user sessions ..... 36
    Manage search and display settings ..... 39
  About Alerts ..... 39
    Add an alert ..... 40
    Edit and delete alerts ..... 44
    Manage global alert settings ..... 45
  Manage Logging ..... 48
    Manage global logging settings ..... 51
  Use Log Viewer ..... 53
  About Reports ..... 55
    Abolishment report ..... 56
    Assessment report ..... 57
    Session Trend report ..... 57
    Access report ..... 58
    Authentication report ..... 58
    Authorization report ..... 59
    Account Statistics report ..... 59
    Communication report ..... 60
    Performance report ..... 60
    Tunnel report ..... 61
    System Report ..... 61
    Alerts report ..... 61
    Complete report ..... 62
    Manage report database settings ..... 62
  About the diagnostics file ..... 63
  About the feature key ..... 64
    Upload a new feature key ..... 66
  Live Update ..... 67

Chapter 3 User Management ..... 69
  About User Management ..... 69
    User accounts ..... 70
    User groups ..... 70
    External Directory Service ..... 70
    Self Service ..... 70
  About user accounts ..... 71
    Manually add a user account ..... 72
    Import user accounts ..... 74
    Link to a user account ..... 75
    Repair a linked user account ..... 75
    Edit user accounts ..... 76
    Manage Global User Account Settings ..... 77
  About user groups ..... 80
    Add a user group ..... 80
    Search, edit, or delete user groups ..... 81
  About the External Directory Service ..... 83
    Add an External Directory Service location ..... 83
    Edit an External Directory Service Location ..... 86
  About Self Service ..... 88
    Manage Self Service Settings ..... 89
    Modify System Challenges ..... 91

Chapter 4 Resource Access ..... 93
  About Resource Access ..... 93
    Resources ..... 93
    Client firewall ..... 93
    Access rules ..... 93
    Application Portal ..... 94
    SSO domains ..... 94
  About Resources ..... 94
    Manage Standard Resources ..... 94
    Manage Tunnel Resource Hosts ..... 99
    Manage Tunnel Sets ..... 103
    Manage Global Tunnel Set Settings ..... 110
    Manage Tunnel Resource Networks ..... 112
    Manage Web Resource Hosts ..... 114
    Manage Global Resource Settings ..... 120
  About client firewalls ..... 128
    Manage Internet Firewall Configurations ..... 130
  About access rules ..... 134
    Manage Access Rules ..... 134
    Manage Global Access Rules ..... 138
  About the Application Portal ..... 139
    Manage Application Portal Items ..... 140
  About SSO domains ..... 142
    Manage SSO Domains ..... 143

Chapter 5 Manage System ..... 147
  About Manage System ..... 147
  About authentication methods ..... 149
    About WatchGuard SSL authentication methods ..... 150
    About other authentication methods ..... 151
    Add an authentication method ..... 152
    Manage an Authentication Method ..... 154
    Manage global authentication service settings ..... 161
    Manage RADIUS configuration ..... 166
  About certificates ..... 171
    Add a Certificate Authority ..... 171
    Add a server certificate ..... 174
    Edit or delete a Server Certificate ..... 175
    Manage client certificate settings ..... 176
  About Abolishment ..... 176
    Configure General Settings ..... 178
    Configure Cache Cleaner settings ..... 179
    Configure Advanced settings ..... 180
  About Assessment ..... 181
    General Settings ..... 183
    Advanced Settings ..... 184
  About notification settings ..... 186
    Configure the email notification channel ..... 186
    Configure the SMS notification channel ..... 187
    Add or remove SMS plug-ins ..... 194
  Manage Client Definitions ..... 195
    Add a client definition ..... 196
    Edit or delete a client definition ..... 197
  About delegated management ..... 198
    About administrative privileges ..... 199
    Manage administrative roles ..... 200
  About the Administration Service ..... 203
    Manage Global Service Settings ..... 204
    Restart the Administration service ..... 206
  Manage Device settings ..... 207
    General settings for the application portal ..... 208
    Performance settings ..... 210
    Cipher Suite settings ..... 212
    Advanced settings ..... 214
  Update the Device ..... 216
    Update the OS ..... 216
    Configure the system time and set the time zone ..... 217
    Restore factory default settings ..... 218
    Reinitialize the Local User Database ..... 218
    Reboot the device ..... 219
  Network Configuration ..... 219
    Configure network routes ..... 221
  Restore a saved configuration ..... 222
    Manage saved configuration settings ..... 223
  Import or export the configuration ..... 224

Chapter 6 Access Client ..... 227
  About the Access Client ..... 227
    Launch the Access Client ..... 227
  About the Access Client menu ..... 228
    Edit Access Client preferences ..... 229
    Manage Access Client favorites ..... 231
    Check Access Client status ..... 233
  End your SSL VPN session ..... 233
  Install the Access Client ..... 234
  Use ESSP to link directly to a resource ..... 236


1 Getting Started

Before you begin

Before you install your WatchGuard SSL device, make sure you verify the basic components and get a feature key, as described in the subsequent sections.

Verify basic components

Make sure that you have these items:

• A computer with a 10/100BaseT Ethernet network interface card and a web browser installed
• WatchGuard SSL 100 device
• Ethernet cable
• Power cable

Get a WatchGuard device feature key

To enable all of the features on your WatchGuard SSL device, you must activate the device on the WatchGuard LiveSecurity web site and retrieve your feature key file. You can upload your feature key in the Quick Setup Wizard if you register your device before you start the wizard. Or, you can complete the wizard without a feature key. The SSL device only allows one authenticated user until you upload a feature key to the device.

For instructions, see “Get a feature key” on page 5.


Use the Quick Setup Wizard to set up a basic configuration

The Quick Setup Wizard helps you set up a basic network configuration for your WatchGuard SSL 100. Use the Quick Setup Wizard to set up the device for the first time, or after you reset the device to factory default settings.

Before you start the Quick Setup Wizard, make sure you:

• Register your WatchGuard SSL 100 with LiveSecurity Service
• Save a copy of your feature key file from the LiveSecurity web site to your computer and extract the feature key from the compressed file

For more information, see “Getting Started” on page 1.

Run the Quick Setup Wizard

1. Make sure your computer is configured to use a static IP address on the 192.168.111.0/24 network.

2. Connect the Ethernet interface on your computer to Eth1 on the WatchGuard SSL device.

3. Plug the power cord into the WatchGuard device power input and into a power source.

4. Power on the WatchGuard SSL 100.

5. Open a web browser and type: https://192.168.111.1:8443

The Quick Setup Wizard begins.

6. Upload your feature key file, if you have it.

If you do not upload a feature key file, only one authenticated user can get access to the device. If you do not have a feature key, you can continue with the wizard, and then upload a feature key from the Web UI after you finish the wizard.

7. Set the time zone and system time settings.

8. Create the Super Administrator credentials. These credentials do not have to correspond to an existing user in a directory service.

The Super Administrator password must meet these password policy requirements:

• The password must be at least six characters long
• The password must include characters from at least three of the following four categories:
  o English uppercase characters (from A through Z)
  o English lowercase characters (from a through z)
  o Base-10 digits (from 0 through 9)
  o Non-alphanumeric characters (for example: !, $, #, or %)
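The password policy above is a concrete rule set, so it is worth seeing it as a check that can be run against candidate passwords before they are typed into the wizard. The following is an added example, not code from the WatchGuard guide or product; it implements exactly the two stated rules (minimum length of six, and at least three of the four character categories) and reports which rule a candidate fails. The one interpretation it assumes is that any character that is not an English letter or a base-10 digit counts as non-alphanumeric.

```python
"""Check a candidate password against the Super Administrator password policy
stated in the WatchGuard SSL 100 User Guide (Quick Setup Wizard, step 8).

Added example; the policy text is the guide's, the implementation is not.
"""
import string

MIN_LENGTH = 6        # "at least six characters long"
MIN_CATEGORIES = 3    # "at least three of the following four categories"

# The four categories named in the guide.
CATEGORY_UPPER = "English uppercase characters (A-Z)"
CATEGORY_LOWER = "English lowercase characters (a-z)"
CATEGORY_DIGIT = "Base-10 digits (0-9)"
CATEGORY_OTHER = "Non-alphanumeric characters"


def character_categories(password: str) -> set:
    """Return the set of policy categories that appear in `password`."""
    categories = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            categories.add(CATEGORY_UPPER)
        elif ch in string.ascii_lowercase:
            categories.add(CATEGORY_LOWER)
        elif ch in string.digits:
            categories.add(CATEGORY_DIGIT)
        else:
            # Assumption: anything that is not an English letter or a base-10
            # digit (symbols, spaces, non-ASCII) counts as non-alphanumeric.
            categories.add(CATEGORY_OTHER)
    return categories


def policy_violations(password: str) -> list:
    """Return a list of human-readable reasons the password fails the policy.

    An empty list means the password satisfies both stated rules.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(
            f"shorter than {MIN_LENGTH} characters ({len(password)} given)")
    found = character_categories(password)
    if len(found) < MIN_CATEGORIES:
        violations.append(
            f"only {len(found)} of 4 character categories used; "
            f"at least {MIN_CATEGORIES} are required")
    return violations


def meets_policy(password: str) -> bool:
    """True when the candidate satisfies the guide's stated policy."""
    return not policy_violations(password)


if __name__ == "__main__":
    # Constructed sample candidates, chosen to exercise each rule separately.
    samples = [
        "Abc123",    # 6 chars, upper+lower+digit: passes
        "Abcdef",    # 6 chars but only upper+lower: fails categories
        "abc1!",     # lower+digit+symbol but only 5 chars: fails length
        "ab",        # fails both rules
        "Tr0ub4dor&3",  # passes comfortably
    ]
    for candidate in samples:
        problems = policy_violations(candidate)
        verdict = "OK" if not problems else "REJECT: " + "; ".join(problems)
        print(f"{candidate!r:16} {verdict}")
```

The check encodes only what the guide states; it is a floor, not a strength estimate, and an organisation's own password standard may well be stricter.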

9. Select the network configuration mode. The choices are:

Single Interface mode (default)

Select this mode if you want to connect the WatchGuard SSL device to one network DMZ. In single interface mode, only the Eth0 interface is active.

The default IP address on the WatchGuard SSL 100 is 192.168.111.1. Do not use 192.168.111.1 on your own computer.

Because the WatchGuard SSL 100 uses a self-signed certificate, you may see a certificate warning in your browser. It is safe to ignore the warning (Internet Explorer) or add a certificate exception (Mozilla Firefox).


Dual Interface mode

Select this mode if you want to connect the WatchGuard SSL device to two separate networks (for example, two different DMZ networks). In dual interface mode, both the Eth0 and Eth1 interfaces are active.

10. Type the network address information for each interface you enabled.

After you complete the wizard, the device restarts with the settings you configured.

Connect the WatchGuard SSL device to your network

After you complete the Quick Setup Wizard, connect the WatchGuard SSL device to your network.

1. Connect the WatchGuard SSL device to your network. If you selected single interface mode, connect the WatchGuard SSL 100 to your network with Eth0. If you selected dual interface mode, connect the WatchGuard SSL 100 to your network with both Eth0 and Eth1.

2. Reset the IP address on your computer back to its original IP address and connect your computer to the network.

You can now use the WatchGuard SSL Web UI to continue configuration, management, and monitoring tasks.

For more information, see “Next steps after installation” on page 3.

Next steps after installation

After you complete basic configuration you can use the WatchGuard SSL Web UI to continue configuration, management, and monitoring tasks. Before you get started, make sure that you have:

• Connected the WatchGuard SSL device to your network
• Connected your computer to the network
• Reset the IP address of your computer

Connect to the WatchGuard SSL Web UI

The interface that you use to connect to the WatchGuard SSL Web UI is different for each network type. The WatchGuard SSL Web UI uses port 8443 by default for both network types.

If you configured your device in single interface mode, you must connect to the Eth0 interface for management.

1. Connect your computer to the Eth0 network.
2. In a web browser, type https://<Eth0 IP address>:8443.
3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.

If you configured your device in dual interface mode, you must connect to the Eth1 interface for management.

1. Connect your computer to the Eth1 network.
2. In a web browser, type https://<Eth1 IP address>:8443.
3. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.

Getting Started

Upload the feature key file

If you did not upload your feature key file when you ran the Quick Setup Wizard, we recommend that you upload it now.

1. Get your feature key file from LiveSecurity. For instructions, see “Get a feature key” on page 5.

2. In the WatchGuard SSL Web UI, select Monitor System > Feature Key to upload the feature key file to the device. For more information, see “Upload a new feature key” on page 66.

Download and install the latest software

A newer version of operating system software for your WatchGuard SSL 100 could be available. To update your software:

1. Go to www.watchguard.com/archive/softwarecenter.asp.
2. Find and download the latest version of WatchGuard SSL OS.
3. From the Web UI, go to Manage System > Device Update.


Get a feature key

A feature key is a file that enables licensed features on your WatchGuard SSL device. You must get a feature key when you first install the device, and when you renew the LiveSecurity service.

To activate your device and get the device feature key:

1. Open a web browser and go to https://www.watchguard.com/activate. If you have not already logged in to LiveSecurity, the LiveSecurity Log In page appears.

2. Type your LiveSecurity user name and password. The Activate Products page appears.

3. Type the serial number of the device, including the hyphens.
4. Follow the instructions to register your device.
5. Save the feature key file to a location on your computer and extract the feature key from the compressed file.

After you download the feature key, you can use the Quick Setup Wizard or the Web UI to browse to the location of the feature key on your computer and upload it to the WatchGuard SSL device.

For more information, see:

“Use the Quick Setup Wizard to set up a basic configuration” on page 2
“Upload a new feature key” on page 66

If you are new to WatchGuard, follow the instructions to create a LiveSecurity profile.


Restore the factory default settings

There are two ways to reset your WatchGuard SSL device to the factory default settings:

Use the WatchGuard SSL Web UI

If you can log in to the WatchGuard SSL Web UI, you can restore the device to factory default settings from the Web UI. This is the easiest method to restore the factory default settings.

For more information, see “Restore factory default settings” on page 218.

Use recovery mode

If you cannot log in to the WatchGuard SSL Web UI, you can start the device in recovery mode. When the device is in recovery mode, you can reinstall the software image and restart the device with factory default settings.

Before you begin

Before you start the recovery process, you must download and save a copy of the WatchGuard SSL OS on your computer. The file has an extension of .sysa-dl. You can download the file from the Software Downloads section of the WatchGuard web site at http://www.watchguard.com/archive/softwarecenter.asp.

Start the WatchGuard SSL device in recovery mode

1. Turn the WatchGuard SSL power off.
2. Press and hold the up arrow button on the front panel while you turn the power on.
3. Continue to hold the up arrow button until you see the words “Executing SysB” on the LCD display.
4. When you see the words “Recovery Mode Ready” on the LCD display, the device is in recovery mode.

In recovery mode, the Eth1 address of the device is set to 10.0.1.1.

Upload a new software image

Use these steps to upload a new software image to your WatchGuard SSL device.

1. Connect an Ethernet network cable between your computer and the Eth1 interface on the WatchGuard SSL device.

2. Change the IP address of your computer to 10.0.1.2 (or to another IP address on the 10.0.1.0 network).
3. Open the command line interface of your computer.

For example, select All Programs > Accessories > Command Prompt from the Windows Start Menu if you use Windows XP.

4. Change your working directory to the location where you saved the .sysa-dl file.
5. At the command prompt, type ftp 10.0.1.1 to connect to your WatchGuard SSL.
6. When requested, type admin for both the user and the password.
7. Type bin to change the transfer type to binary mode.
8. Type put <filename>. Use the filename of the .sysa-dl file you downloaded from the WatchGuard Software Downloads page. The upload process can take several minutes to complete. Do not close the window or type more commands until another command prompt appears.

9. Type quit to close the FTP connection. Exit the command line interface program.

You must use a command line FTP program to upload the WatchGuard SSL OS software image. Many common FTP commands are disabled on the WatchGuard SSL device for security reasons. For example, you cannot change directories (cd) or show the remote working directory (pwd). Other FTP programs rely on these commands to show you a list of files in the remote directory, and do not operate correctly when these commands are disabled.
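The FTP steps above as a script, an added example and not a WatchGuard tool: Python's ftplib sends TYPE I and a single STOR, and never issues the CWD or PWD commands that the device disables in recovery mode, which is what makes a graphical FTP client fail here. The ftp_factory parameter is an assumption added so the logic can be exercised without a device.

```python
"""Upload a WatchGuard SSL OS image (.sysa-dl) to a device in recovery mode.

Added example, not WatchGuard's own tooling. Host and credentials are the
recovery-mode values from the procedure above. ``ftp_factory`` is an added
assumption: it lets a test substitute a fake FTP client for ftplib.FTP.
"""
import ftplib
import os
from typing import Callable

RECOVERY_HOST = "10.0.1.1"        # Eth1 address of the device in recovery mode
RECOVERY_USER = "admin"
RECOVERY_PASS = "admin"
IMAGE_SUFFIX = ".sysa-dl"


def check_image_path(path: str) -> str:
    """Return the bare filename to send with STOR, or raise ValueError.

    The device expects the .sysa-dl image downloaded from the Software
    Downloads page; anything else is refused before a connection is made.
    """
    name = os.path.basename(path)
    if not name.endswith(IMAGE_SUFFIX):
        raise ValueError(f"expected a {IMAGE_SUFFIX} file, got {name!r}")
    if not os.path.isfile(path):
        raise ValueError(f"image not found: {path}")
    return name


def upload_image(path: str, host: str = RECOVERY_HOST,
                 ftp_factory: Callable[[], ftplib.FTP] = ftplib.FTP) -> int:
    """Upload the image in binary mode and return the number of bytes sent."""
    name = check_image_path(path)
    sent = 0

    def count(block: bytes) -> None:
        nonlocal sent
        sent += len(block)

    ftp = ftp_factory()
    try:
        ftp.connect(host, 21, timeout=60)               # 'ftp 10.0.1.1'
        ftp.login(RECOVERY_USER, RECOVERY_PASS)         # admin / admin
        # storbinary issues TYPE I (the 'bin' step) and then STOR <filename>.
        # It does not issue CWD or PWD, so it works with the commands the
        # device leaves enabled.
        with open(path, "rb") as fh:
            ftp.storbinary(f"STOR {name}", fh, callback=count)
    finally:
        try:
            ftp.quit()                                  # 'quit' step
        except ftplib.all_errors:
            ftp.close()
    return sent


if __name__ == "__main__":
    import sys
    print(f"sent {upload_image(sys.argv[1])} bytes")
```

After the transfer the device installs the image and restarts on its own; do not power it off while that happens.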


After the software image upload completes, the WatchGuard SSL device installs the software and resets the configuration to the default settings. When the reset process completes, the device automatically restarts.

The installation and reset process can take up to 10 minutes. Do not turn off the device during this process.

Next Steps

After you restore the software image and the device restarts with factory default settings, you can use the Quick Setup Wizard to set up your configuration again.

For more information, see “Use the Quick Setup Wizard to set up a basic configuration” on page 2.

About the WatchGuard SSL Web UI

The WatchGuard SSL Web UI is a web-based administration application with a task-oriented approach. You can use the Web UI to monitor your WatchGuard SSL system, add user accounts, manage resource access, and manage your system settings.

The WatchGuard SSL Web UI has two levels of menus:

Main menu
Includes the Monitor System, User Management, Resource Access, and Manage System sections.

Left menu
Includes options to manage your configuration in the sections of the main menu.

Context-sensitive online help is integrated with the WatchGuard SSL Web UI. Click the question mark icon on any page to get help for that task.

WatchGuard SSL Web UI Wizards

All common tasks use wizards to guide you through the steps to complete your task. This includes procedures to add user accounts, resources, and many others.

To start a wizard, click an Add button. To cancel a wizard at any time, select a different menu item or close your browser window or tab. To return to the previous page in a wizard, click Previous. To save your changes, click Finish Wizard or Save.

Publish your configuration

After you add or edit a setting in your configuration, you must save the changes to the WatchGuard SSL device and services before they can take effect. The Publish button changes from white to blue when you make changes that must be saved.

To save your configuration changes to the system:

Click Publish at the top of the Web UI. You can later review or restore a configuration.

For more information about configurations, see “Restore a saved configuration” on page 222.

Note: After the reboot, the IP address of the Eth1 interface changes to 192.168.111.1. You must change the IP address on your computer before you launch the Quick Setup Wizard.


System Messages

When you use a wizard or make a change to your configuration, feedback messages appear in the WatchGuard SSL Web UI at the top of the current page. If the message text is red, you have made an error in your configuration selection. If the message text is green, your configuration change was successful.

Use the File Browser

You can use the WatchGuard SSL Web UI file browser to find files on your WatchGuard SSL device. This is helpful when you want to find a file name or path to include in your settings, for example with a script.

To use the file browser:

1. At the top of the Web UI, click Browse. The file browser opens in a separate window or tab.

2. Select a folder from the navigation tree on the left.
3. To change a current file, select a file to edit, download, delete, or rename.

To edit the file, click the edit icon. Make changes to the file contents, then click Save.

To download the file, click the download icon. Select to Open or Save the file.

To delete the file, click the delete icon. In the Warning dialog box, click OK.

To rename the file, click the rename icon. In the Rename File field, type a new name. Click Rename.

4. To upload a new file, adjacent to the Upload File field, click Browse and select a file. Click Upload.


Customize your Application Portal

You can customize your WatchGuard SSL Web UI and WatchGuard SSL Application Portal with your corporate brand. You can also add a link to the Access Client installer in your Application Portal.

For more information, see:

“Customize and brand the WatchGuard SSL Web UI and Application Portal” on page 9
“Add the Access Client installer link in the Application Portal” on page 19

Customize and brand the WatchGuard SSL Web UI and Application Portal

You can customize and apply your own corporate brand to the WatchGuard SSL Web UI and Application Portal to fit the needs of your organization.

You can apply your corporate brand to these parts of the WatchGuard SSL Web UI:

- WatchGuard SSL Web UI
- WatchGuard SSL Application Portal Authentication page
- WatchGuard SSL Application Portal page
- WatchGuard SSL Application Portal Online Help

To make changes to the WatchGuard SSL Web UI files to apply your own corporate brand, you add a new set of files with the same names as the files in the original location to a folder specifically created for the files with the new brands. The files in this custom folder override the files in the original location. After you finish all your changes, make sure you publish your changes.

Apply your brand to text files

1. At the top of the WatchGuard SSL Web UI, click Browse.

The File Browser appears.

2. Select the access-point\built-in-files\wwwroot\branding\ folder.
3. Save the files you want to change to a location on your computer.
4. Update the saved files with your branding changes.
5. In the File Browser, select the access-point\custom-files\wwwroot\branding\ folder.
6. Upload your customized files.

For information about the specific files you can change, see “WatchGuard SSL files to customize and brand” on page 11.

Do not change the files in the access-point\built-in-files\ directory. Upload updated versions of these files to the access-point\custom-files\ directory instead.


Apply your brand to images, style sheets, and templates

You can customize images, style sheets, and template files. The template files specify the text used on the Application Portal Authentication page. The heading of each Authentication page is defined by the display name that you give the authentication method.

Current image files are found in the access-point\built-in-files\wwwroot\wa\img folder.

All other files are found in the folders in the access-point\built-in-files\wwwroot\wa directory.

To apply your corporate brand to files:

1. Select the access-point\built-in-files\wwwroot\wa\ directory.
2. Select the folder in the directory with the files you want to change.
3. Save the files you want to change to a location on your computer.
4. Update the saved files with your branding changes.
5. In the File Browser, select the access-point\custom-files\wwwroot\wa\ directory.
6. Select the folder with the same name as that from which you downloaded the files in the built-in-files directory.
7. Upload your customized files.

Upload all branded files at one time

If you branded many files, you can upload them all at one time in a ZIP file rather than one at a time. Make sure that the files you updated are in the correct folder that matches the original directory structure.

1. Download the files you want to change from the access-point\built-in-files\wwwroot directory.

2. Update the files and add them to a ZIP file with the correct directory structure.
3. In the File Browser, select the access-point\custom-files\wwwroot folder.
4. Click Browse and select the ZIP file.
5. Click Upload.

The file is automatically unzipped and the files are added to the directory structure from the ZIP file.

Publish your changes

When you have uploaded all the changed files, you must publish your changes before they appear in the Web UI and Application Portal.

1. Connect to the WatchGuard SSL Web UI. If you made changes, the Publish button is blue.

2. Click Publish. Your branding changes appear in the Web UI and Application Portal.
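A helper for the ZIP upload described above, added here as an example and not part of the guide or the product: it assumes you downloaded the built-in files into a local folder that mirrors access-point\built-in-files\wwwroot and placed your edited copies, at the same relative paths, under a second folder mirroring access-point\custom-files\wwwroot. It refuses any edited file that has no built-in counterpart (such a file overrides nothing and usually means a wrong folder) and writes the ZIP with the relative paths that the device unpacks into the same structure.

```python
"""Build a branding ZIP for upload to access-point\\custom-files\\wwwroot.

Added example, not WatchGuard's own tooling. ``builtin_dir`` is a local
mirror of built-in-files\\wwwroot; ``custom_dir`` holds the edited copies at
the same relative paths. Both folder names are assumptions for this script.
"""
import os
import zipfile
from typing import Dict, List


def list_relative(root: str) -> Dict[str, str]:
    """Map each file under root to its absolute path, keyed by the relative
    path with forward slashes (the form used inside the ZIP)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = full
    return files


def check_overrides(builtin_dir: str, custom_dir: str) -> List[str]:
    """Return relative paths in custom_dir that have no built-in counterpart.

    The device only overrides a built-in file when the custom file has the
    same name in the matching folder, so these files would be ignored.
    """
    builtin = list_relative(builtin_dir)
    custom = list_relative(custom_dir)
    return sorted(rel for rel in custom if rel not in builtin)


def resolve(builtin_dir: str, custom_dir: str, rel: str) -> str:
    """Model the lookup order: custom-files wins, then built-in-files."""
    for root in (custom_dir, builtin_dir):
        candidate = os.path.join(root, *rel.split("/"))
        if os.path.isfile(candidate):
            return candidate
    raise FileNotFoundError(rel)


def build_branding_zip(builtin_dir: str, custom_dir: str,
                       zip_path: str) -> List[str]:
    """Write the ZIP and return the relative paths it contains (sorted)."""
    stray = check_overrides(builtin_dir, custom_dir)
    if stray:
        raise ValueError("files with no built-in counterpart: "
                         + ", ".join(stray))
    custom = list_relative(custom_dir)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in sorted(custom):
            # arcname keeps the wwwroot-relative structure the device expects
            zf.write(custom[rel], arcname=rel)
    return sorted(custom)


if __name__ == "__main__":
    import sys
    for entry in build_branding_zip(sys.argv[1], sys.argv[2], sys.argv[3]):
        print(entry)
```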


WatchGuard SSL files to customize and brand

You can copy these files and upload updated versions of these files to customize and apply your own corporate brand to the WatchGuard SSL Web UI and Application Portal.

Text String Files

These files are in the access-point\built-in-files\wwwroot\branding folder:

authAD.txt
This file contains the heading for the Active Directory authentication page. This text appears on every Active Directory template. Other authentication methods do not need a branding text file.

authselect.txt
This file contains the heading for the Select Authentication Method page.

authweb.txt
This file contains the name of the WatchGuard SSL Web UI that appears in the JavaScript dialog boxes to accept the ActiveX or Java Applet loader.

company.txt
This file contains the name of the company that appears in the Application Portal.

company_about_url.txt
This file contains the URL for information about the company.

company_contact_url.txt
This file contains the URL for company contact information.

copyright.txt
This file contains the company copyright notice.

portal.txt
This file contains the name of the Application Portal that appears on the Application Portal Help page.

product.txt
This file contains the name of the product that appears in the title of each page.

tunnel.txt
This file contains the name of the Access Client that appears in the JavaScript dialog boxes to accept the ActiveX or Java Applet loader.

Authentication page style sheets, images, and template files

The template files specify the text used on the Application Portal Authentication pages. The heading on each Authentication page is defined by the display name that you give the authentication method in the WatchGuard SSL Web UI.

The existing files are in the folders in the access-point\built-in-files\wwwroot\wa\ directory.

Do not change the files in the access-point\built-in-files\ directory. Upload updated versions of these files to the access-point\custom-files\ directory instead.


Make sure you upload your changed files to the folder in the custom-files directory with the same name as the folder you downloaded it from in the built-in-files directory.

Application Portal style sheets, images, and template files

You can customize the style sheets (.css files), images, and template files used in the Application Portal and associated authentication pages. These files are located in these folders:

access-point\built-in-files\wwwroot\wa\

access-point\built-in-files\wwwroot\wa\authmech

access-point\built-in-files\wwwroot\wa\authmech\base

access-point\built-in-files\wwwroot\wa\img

access-point\built-in-files\wwwroot\wa\help

Style sheets

You can customize style sheets to change the colors and fonts for the Application Portal, the Application Portal authentication pages, and the Application Portal Online Help.

| To customize | Change | File name |
|---|---|---|
| The WatchGuard SSL Web UI | The current skin | WebSkin.zip |
| Graphics on logon pages | The background image | background_img.gif |
| Colors and fonts on authentication pages | The style sheet for authentication pages | common.css |
| Text strings or buttons on authentication pages | The individual template files | See the Template files section |
| Application Portal logotype | The logotype | logo.gif |
| Application Portal resource icons | The images | [symbol_color].gif |
| Colors and fonts in the Application Portal | The Application Portal style sheet | access_portal.css |
| Colors and fonts in the Application Portal Online Help | The Application Portal Online Help style sheet | default.css |
| Contents in the Application Portal Online Help | The Online Help HTML page | access_portal_help.html |

| Directory Location | File Name | Description |
|---|---|---|
| \built-in-files\wwwroot\wa | access_portal.css | Controls colors, fonts, and the location and size of different page objects (for example, the logotype) in the WatchGuard SSL Application Portal (_menu.html\wml and _welcome.html\wml) |
| \built-in-files\wwwroot\wa | common.css | Controls colors and fonts in the Application Portal authentication pages |
| \built-in-files\wwwroot\wa\help | default.css | Controls colors and fonts in the Application Portal Online Help |


Images

You can replace or edit images to customize the WatchGuard SSL Web UI skin, the logotype or icons in the Application Portal, or graphics for the authentication pages. Images are GIF or JPEG format. The down.jpg and up.jpg web images can be in JPEG or GIF format. The mask.gif image must be in GIF format (indexed palette). All three files must have the same dimensions in pixels.

Template files

You can edit template files to customize text strings and buttons on individual authentication pages. The templates are available as HTML and WML files. Web authentication pages are HTML files and WAP authentication pages are WML files.

All template files for the WatchGuard SSL Application Portal and associated authentication pages are located in these folders:

access-point\built-in-files\wwwroot\wa\
access-point\built-in-files\wwwroot\wa\authmech
access-point\built-in-files\wwwroot\wa\authmech\base

| Directory Location | File Name | Description |
|---|---|---|
| \built-in-files\wwwroot\wa\img | background_img.gif | Background image for authentication pages |
| \built-in-files\wwwroot\wa\img | logo.gif | Logotype |
| \built-in-files\wwwroot\wa\img\icons | email_orange.gif (example) | Icons for resources (applications) in the Application Portal |
| \built-in-files\wwwroot\wa\authmech\WebSkin.zip | mask.gif | The mask that controls the placement of buttons and labels in the WatchGuard SSL Web UI |
| \built-in-files\wwwroot\wa\authmech\WebSkin.zip | down.jpg | WatchGuard SSL Web UI skin without background; buttons appear as selected |
| \built-in-files\wwwroot\wa\authmech\WebSkin.zip | up.jpg | WatchGuard SSL Web UI skin with background; buttons appear as not selected |


A list of some of the template files (with the folder location, description, and user variables) appears in the subsequent table.

| Folder Name | File Name | Description | User variables |
|---|---|---|---|
| access-point\built-in-files\wwwroot\wa | _auto_reauthmessage | The page that appears when a user logs off and must authenticate again. | |
| access-point\built-in-files\wwwroot\wa | _chooseAuthmech | The page that appears when a user must select an authentication method. | name, displayname |
| access-point\built-in-files\wwwroot\wa | _closedown_message | The page that appears when a user session times out. | |
| access-point\built-in-files\wwwroot\wa | _deleteLogonCred | The page that appears when the password database has been cleared. | |
| access-point\built-in-files\wwwroot\wa | _error | The error message users see. | errmsg |
| access-point\built-in-files\wwwroot\wa | _InternalAuthentication | Internal Authentication form. | ihost, iuid, idom |
| access-point\built-in-files\wwwroot\wa | _logoutPage | The page that appears when a user logs off. | |
| access-point\built-in-files\wwwroot\wa | _menu | The template for the WatchGuard SSL Application Portal page. This is the menu page that is called from the welcome.html file. | |
| access-point\built-in-files\wwwroot\wa | _no_session | The page that appears when a session times out. | |
| access-point\built-in-files\wwwroot\wa | _popup_msg | The popup message that appears to users. | location, errmsg |
| access-point\built-in-files\wwwroot\wa | _reauthmessage | The timeout message that appears to users. | |
| access-point\built-in-files\wwwroot\wa | _refresh_top | The page that appears when a user must refresh the browser. | |
| access-point\built-in-files\wwwroot\wa | _securitywarning | The page that appears for security warnings. | errmsg |
| access-point\built-in-files\wwwroot\wa | _TimedoutPage | The page that appears when a user is temporarily locked until a specific timeout occurs (SecurID only). | auth_timeout |
| access-point\built-in-files\wwwroot\wa | _webclient.html | The page that appears when the user selects a tunnel set in the Application Portal. | |
| access-point\built-in-files\wwwroot\wa | _webclientjavaobj.html | Contains the Access Client Java applet. | |
| access-point\built-in-files\wwwroot\wa | _webclientobj.html | Contains the Access Client ActiveX. | |
| access-point\built-in-files\wwwroot\wa | _welcome | The page that appears when a user authenticates successfully. | |
| access-point\built-in-files\wwwroot\wa | 302 | A redirect page that appears when a page has moved. | location |
| access-point\built-in-files\wwwroot\wa | 302_top | A redirect page that appears when a page has moved. | location |
| access-point\built-in-files\wwwroot\wa | 400 | The page that appears after a bad request. | |
| access-point\built-in-files\wwwroot\wa | 401E | The page that appears after an external authentication failure because of incorrect credentials, when the selected authentication method is Basic Authentication. | authmech, location |
| access-point\built-in-files\wwwroot\wa | 401I | The page that appears after an internal authentication failure because of incorrect credentials, when the selected authentication method is Basic Authentication. | |
| access-point\built-in-files\wwwroot\wa | 401WIL | The page that appears when a user fails to authenticate with a Windows Integrated Login. | |
| access-point\built-in-files\wwwroot\wa | 403 | The page that appears when a client requests a forbidden resource. | eprot, ehost, uri |
| access-point\built-in-files\wwwroot\wa | 404 | The page that appears when a requested file is not on the device. | eprot, ehost, file |
| access-point\built-in-files\wwwroot\wa | 405 | The page that appears when a client request uses a prohibited HTTP method. | eprot, ehost, uri, method, allow |
| access-point\built-in-files\wwwroot\wa | 500 | The page that appears when a server error occurs. | errmsg |
| access-point\built-in-files\wwwroot\wa | pocketclient | Starts the Access Client for Pocket PC installation. | |
| access-point\built-in-files\wwwroot\wa | TestLogonLoginPage | The Authentication page that appears for TestLogon. For example, when a user requests http:\\127.0.0.1:19146\wa\auth?authmech=TestLogon | |
| access-point\built-in-files\wwwroot\wa\authmech\base | GenericForm | The template for authentication forms used with GenericForm template specifications. The user variables in the template specifications manage the appearance of the authentication page. | heading, errmsg, explanation, message, authmech, textText, textName, textValue, readonlyText, readonlyName, readonlyValue, passwordText, passwordName, checkboxText, checkboxName, checkboxValue |
| access-point\built-in-files\wwwroot\wa\authmech\base | Dialog | The template used with Dialog template specifications. | heading, errmsg, explanation, message, authmech, buttonText, hiddenName, hiddenValue |
| access-point\built-in-files\wwwroot\wa\authmech\base | Applet | The template used with Applet template specifications. Only used by the WatchGuard SSL Web UI. | heading, errmsg, explanation, message, authmech, buttonText, hiddenName, hiddenValue, username, vendorBase64, arg1, arg2 |


Apply your corporate brand to the WatchGuard SSL Web UI

The required parameters are in the access-point\built-in-files\wwwroot\wa\authmech\base\Web.js file. The values for the parameters required for the WatchGuard SSL Web UI are all set in JavaScript from values supplied by the server.

User variables

When an HTML or WML page appears, user variables in the template file are replaced with the related content. The content that each user variable is replaced with is described in the subsequent tables.

| Parameter Name | Function |
|---|---|
| UserName | User ID of the user who requested to authenticate |
| Config | Configuration parameters |
| Challenge | Challenge from WatchGuard SSL |
| Modulus | Encryption Modulus |
| PostURL | URL where the results are posted |

| User Variables | Description |
|---|---|
| allow | A comma-separated list of allowed HTTP methods for the current host and URI. |
| auth_timeout | The number of seconds that remain in the period of time a user is locked out and cannot authenticate to the WatchGuard SSL device (used with SecurID authentication). |
| authmech | The authentication method for an authenticated user. |
| authmech | The variable used in the template specification for the authentication method. |
| authtimeout | The number of seconds that remain before an authenticated user is logged off. Used in the timeout warning page. |
| do | The template specification parameter for the input data. |
| ehost | The external host name, such as the HTTP Host in the client request to the WatchGuard SSL device. This is a general variable that can be used in all templates. |
| eprot | An external protocol, such as the protocol between the client and the WatchGuard SSL device (HTTP or HTTPS). This is a general variable that can be used in all templates. |
| errmsg | The error message from the WatchGuard SSL device. |
| explanation | The explanatory text in a template specification. |
| final_timeout | The number of minutes that remain before the maximum lifetime of the current session is reached and the session ends. |
| heading | The main heading text in a template specification. |
| idom | A variable for the internal domain. |
| ihost | The internal host (alias) by which the user is currently connected. This is not necessarily the same as the HTTP "Host" header in the WatchGuard SSL device request to the internal host. |
| input-heading | The heading text for an input field in a template specification. |
| iprot | The internal protocol by which the user is currently connected: HTTP or HTTPS. |
| iuid | The internal UserID (uid filtered through NameMapper.wascr). This is a general variable that can be used in all templates. |
| iuri | The internal URI, requested from the WatchGuard SSL device by the host. |
| location | A URI or a URL that specifies where users are redirected when they authenticate. |
| maxSessionTimeout | The maximum number of minutes for a user session. You specify this value when you set up your configuration. |
| message | An authentication message from the WatchGuard SSL device. |
| method | The HTTP method in a GET request. |
| ntdomain | The NT domain name. |
| pin | The PIN for authentication. |
| protocol | The URL parameter used for the Access Client that describes the protocol that the tunnel uses: EESSP or SSL. |
| reauth_uid | The User ID for RADIUS pages. |
| redirect | The URL parameter for the Access Client. |
| replyMsg | A variable in RADIUS pages. |
| servernumber | The authentication challenge number from the WatchGuard SSL device. |
| title | A variable in a template specification. |
| tunnelCipherIv | The Base64 encoded cipher IV parameter that the system generates dynamically. |
| tunnelCipherKey | The Base64 encoded cipher key parameter that the system generates dynamically. |
| upd | The value of the UPD cookie used for session handling in a load-balanced environment that the system generates dynamically. |
| uid | The UserID for an authenticated user. This is a general variable that can be used in all templates. |
| uri | The URI request sent from the client to the WatchGuard SSL device. |
| waak | A parameter configured in the Web UI that is used in session handling. |
| warningtimeout | The number of seconds that remain before a warning message or another authentication page appears. |
| wasid | The user WASID parameter that is configured in the Web UI to manage sessions. |
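The substitution described above, as an added example that is not the device's own rendering code: the guide lists which variables each template receives and the general variables available to all templates, but not the placeholder syntax, so ${name} is assumed here. Values are HTML-escaped before they are substituted, so that request-derived variables such as uri, ehost or errmsg are rendered as text in a customized template, and any placeholder the page does not supply is reported instead of being left in the output.

```python
"""Illustrative renderer for the Application Portal template variables.

Added example; the ``${name}`` placeholder syntax and the per-template
variable sets below are taken from the tables in this section, not from
the device's implementation. Sample templates are constructed inline.
"""
import html
import re
from typing import Dict, List, Set

# Variables supplied to specific templates (from the template table above)
TEMPLATE_VARIABLES: Dict[str, Set[str]] = {
    "_error": {"errmsg"},
    "_popup_msg": {"location", "errmsg"},
    "_TimedoutPage": {"auth_timeout"},
    "401E": {"authmech", "location"},
    "403": {"eprot", "ehost", "uri"},
    "404": {"eprot", "ehost", "file"},
    "405": {"eprot", "ehost", "uri", "method", "allow"},
    "500": {"errmsg"},
}
# General variables the table says can be used in all templates
GENERAL_VARIABLES: Set[str] = {"ehost", "eprot", "iuid", "uid"}

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_-]*)\}")


def supplied_variables(template_name: str) -> Set[str]:
    """Every variable a template may reference: its own plus the general ones."""
    return TEMPLATE_VARIABLES.get(template_name, set()) | GENERAL_VARIABLES


def unresolved(template_name: str, template_text: str) -> List[str]:
    """Placeholders in a customized template that the page would not fill."""
    used = set(PLACEHOLDER.findall(template_text))
    return sorted(used - supplied_variables(template_name))


def render(template_name: str, template_text: str,
           values: Dict[str, str]) -> str:
    """Substitute placeholders with HTML-escaped values.

    Raises KeyError if the template references a variable the page does not
    supply, so a typo in a customized file is caught before publishing.
    """
    missing = unresolved(template_name, template_text)
    if missing:
        raise KeyError(f"{template_name}: unsupported variables {missing}")

    def substitute(match: "re.Match[str]") -> str:
        # Escape so that host names, URIs and error text stay literal text
        return html.escape(str(values.get(match.group(1), "")), quote=True)

    return PLACEHOLDER.sub(substitute, template_text)


# Constructed sample: a customized 404 template and the values for one request
SAMPLE_404 = "<p>${eprot}://${ehost}/${file} was not found.</p>"
SAMPLE_404_VALUES = {"eprot": "https", "ehost": "portal.example.com",
                     "file": "docs/<b>missing</b>.html"}


def render_sample_404() -> str:
    """Render the constructed 404 sample with its constructed request values."""
    return render("404", SAMPLE_404, SAMPLE_404_VALUES)


if __name__ == "__main__":
    print(render_sample_404())
```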


Add the Access Client installer link in the Application Portal

To give your users the installed Access Client, you can add the Access Client installer to the WatchGuard SSL device, and then edit the Application Portal page to add a link to the installer.

1. Save the AccessClientInstall.exe file to a location on your computer.
2. In the WatchGuard SSL Web UI, click Browse.

The File Browser appears.

3. In the File Browser, select the access-point\built-in-files\wwwroot\wa\includes\ folder.

4. In the Upload File text box, type or browse to the location of the AccessClientInstall.exe file.
5. Click Upload.
6. Adjacent to the portaltext.txt file, click the edit icon.

The Edit File page appears.

7. Type or paste this text in the file where you want the link to appear:

To install the Access Client on your Windows computer, click here: <a href="/wa/includes/AccessClientInstall.exe">WatchGuard SSL Client</a>

8. Click Save.
9. Click Publish to save your configuration changes.


About WatchGuard LiveSecurity Service

WatchGuard® knows just how important support is when you must secure your network with limited resources. Our customers require greater knowledge and assistance in a world where secure access is critical. LiveSecurity® Service gives you the backup you need, with a subscription that supports you as soon as you register your WatchGuard SSL device.

LiveSecurity Service

Your WatchGuard SSL device includes a subscription to our ground-breaking LiveSecurity Service, which you activate online when you register your product. As soon as you activate, your LiveSecurity Service subscription gives you access to a support and maintenance program unmatched in the industry.

LiveSecurity Service comes with the following benefits:

Hardware Warranty with Advance Hardware Replacement
An active LiveSecurity subscription extends the one-year hardware warranty that is included with each WatchGuard SSL device. Your subscription also provides advance hardware replacement to minimize downtime in case of a hardware failure. If you have a hardware failure, WatchGuard will ship a replacement unit to you before you have to ship back the original hardware.

Software Updates
Your LiveSecurity Service subscription gives you access to updates to current software and functional enhancements for your WatchGuard products.

Technical Support
When you need assistance, our expert teams are ready to help.

- Representatives available 12 hours a day, 5 days a week in your local time zone*
- Four-hour targeted maximum initial response time
- Access to online user forums moderated by senior support engineers

Support Resources and Alerts
Your LiveSecurity Service subscription gives you access to a variety of professionally produced instructional videos, interactive online training courses, and online tools specifically designed to answer questions you may have about network security in general or the technical aspects of installation, configuration, and maintenance of your WatchGuard products.

Our Rapid Response Team, a dedicated group of network security experts, monitors the Internet to identify emerging threats. They then deliver LiveSecurity Broadcasts to tell you specifically what you can do to address each new menace. You can customize your alert preferences to fine-tune the kind of advice and alerts the LiveSecurity Service sends you.


LiveSecurity Service Gold
LiveSecurity Service Gold is available for companies that require 24-hour availability. This premium support service gives expanded hours of coverage and faster response times for around-the-clock remote support assistance. LiveSecurity Service Gold is required on each unit in your organization for full coverage.

* In the Asia Pacific region, standard support hours are 9AM–9PM, Monday–Friday (GMT +8).

Service expiration

We recommend that you keep your subscription active to secure your organization. When your LiveSecurity subscription expires, you lose access to up-to-the-minute security warnings and regular software updates, which can put your network at risk. Damage to your network is much more expensive than a LiveSecurity Service subscription renewal. If you renew within 30 days, there is no reinstatement fee.

| Service Features | LiveSecurity Service | LiveSecurity Service Gold |
|---|---|---|
| Technical Support hours | 6AM–6PM, Monday–Friday* | 24/7 |
| Number of support incidents (online or by phone) | 5 per year | Unlimited |
| Targeted initial response time | 4 hours | 1 hour |
| Interactive support forum | Yes | Yes |
| Software updates | Yes | Yes |
| Online self-help and training tools | Yes | Yes |
| LiveSecurity broadcasts | Yes | Yes |
| Installation Assistance | Optional | Optional |
| Three-incident support package | Optional | N/A |
| One-hour, single incident priority response upgrade | Optional | N/A |
| Single incident after-hours upgrade | Optional | N/A |


Support Information

WatchGuard offers a variety of technical support services for your purchased products and services. For more information, see the WatchGuard support web site.

Online Resources

Product documentation: http://www.watchguard.com/help/documentation/
Knowledge Base: http://watchguard.custhelp.com/
Training and courseware: http://www.watchguard.com/training/courses.asp
WatchGuard Forum: http://www.watchguard.com/forum/

Telephone Numbers

US & Canada: +877.232.3531
International: +1.206.613.0456

Before you call

When you create an incident, make sure you include all information required. Ask yourself the following questions to help you find what you must include:

1. What are you trying to do?
2. Were you able to perform this action previously without problems?
3. What behavior do you see?
4. What behavior would you expect to see if the problem was not occurring?
5. How often do the symptoms occur?
6. What troubleshooting steps, if any, have you taken?

Relevant information

When you contact technical support, you are often asked for basic information about your WatchGuard SSL device and LiveSecurity account. It is helpful to save this information when you create your configuration in case your device does not operate correctly.

If possible, include the following additional items when you call so that your technician can promptly resolve your issue:

Logs: Log messages are important! If you have access to the Log Viewer at the time of the error, include a snippet of the logs.

Network diagrams: Not all problems start from one device. Sometimes, a problem that appears to be related to the SSL device is actually caused by something else in the network. A diagram of your network is a valuable resource; we recommend that you make one and keep it updated.


2 Monitor System

About Monitor System

You can use the WatchGuard SSL Web UI to see information about system status, user sessions, log files, reports, licenses, and alerts.

1. Connect to the WatchGuard SSL Web UI.
2. Select Monitor System.


The Monitor System menu includes:

System Status

You can see status information about your device, including the system, network, authentication, events, and devices. You can also manage monitoring settings and monitor administrator activities.

For more information, see ”About the System Status page” on page 25.

User Sessions

You can see a list of the current user sessions, and you can search sessions by User ID.

For more information, see ”About user sessions” on page 36.

Alerts

You can manage administrator alerts.

For more information, see ”About Alerts” on page 39.

Logging

You can manage logging settings for all registered servers.

For more information, see ”Manage Logging” on page 48.

Log Viewer

You can search and see entries in the log files.

For more information, see ”Use Log Viewer” on page 53.

Reports

You can generate reports and manage reports settings.

For more information, see ”About Reports” on page 55.

Diagnostics File

You can create a compressed diagnostics file that contains configuration and log files for all services for a selected period.

For more information, see ”About the diagnostics file” on page 63.

Feature Key

You can see information about the installed feature key. You can also upload a new feature key.

For more information, see ”About the feature key” on page 64.

Live Update

You can change the update settings for the End-Point Security definition file that is used for client scans to support Assessment access rules.

For more information, see ”Live Update” on page 67.


About the System Status page

To monitor the status of the WatchGuard SSL system, select Monitor System > System Status.

View status information

From the System Status page, click one of the tabs to get different types of status information.

For more information about each tab, see:

”System overview” on page 26
”Network status” on page 28
”Authentication status” on page 29
”Events status” on page 30
”Device status” on page 31
”Network tools” on page 32

Manage settings

At the bottom of the System Status page, click Manage Settings to go to the settings page. You can enable event monitoring and change the super administrator password from this page.

For more information, see ”Manage Settings” on page 34.

View administrator activities

At the bottom of the System Status page, click View Administrator Activities to view the recent activities of administrators.

For more information, see ”View administrator activities” on page 35.


System overview

To see basic information about your WatchGuard SSL system:

1. Select Monitor System > System Status.
2. Click the System Overview tab.

This tab is selected by default.

The System Overview tab has four sections, with the basic system information described below.

System Information

The System Information section shows information about the installed software and feature keys.

Software version: The version and build number for the installed operating system software.

Feature Key Version: The version number in the feature key.

Feature Key Type: The type of feature key. The possible types are Production or Evaluation. The Evaluation key allows only one authenticated user to get access through the SSL device.

Current Server Time: The date and time on the WatchGuard SSL device.


System Services

The System Services section shows the services that are enabled on your SSL device.

External Host: Shows the IP address and port number configured for communication between the WatchGuard SSL Web UI and the client.

Internal Host: Shows the IP addresses and port numbers used for communication between services on the device.

Administrators

The Administrators section shows information about administrative users.

Administrator: The user name for the administrator account.

Logged on Administrators: The number of administrators currently logged in.

Users

The Users section shows status information about users and user accounts.

Concurrent Users: The number of users currently connected to the SSL device. The maximum number allowed by the feature key appears in parentheses.

Registered User Accounts: The number of registered user accounts. The maximum number allowed by the feature key appears in parentheses.

Logged-on Users: The number of users currently logged in.

Active Users: The number of active users currently logged in.

Resources

Registered Resources: The number of registered resources on the Resource Access tab.

Registered SSO domains: The number of registered Single Sign-On domains.


Network status

To see the status of the network interface configuration:

1. Select Monitor System > System Status.
2. Click the Network Status tab.

The Network Status tab shows configuration and statistics for the enabled network interfaces.

Eth0: Shows configuration information and traffic statistics for the Eth0 network interface.

Eth1: Shows configuration information and traffic statistics for the Eth1 interface. Eth1 is disabled in single interface mode.

Routing Table: Shows the routing table for the device.

For more information about network configuration and interface modes, see “Network Configuration” on page 219.


Authentication status

To see the status of the authentication configuration:

1. Select Monitor System > System Status.
2. Click the Authentication tab.

The Authentication tab shows the configuration status of:

Authentication Methods: Shows a list of authentication methods, and the IP address and port configured for each method.

RADIUS clients: Shows the number of registered RADIUS clients.

Email Notification: If email notification is enabled, this section shows the email host.

SMS Distribution: If SMS distribution is configured, this section shows the primary and secondary SMS channels.

Local User Database: Shows the host IP address and account for the local user database.

External Directory Service: Shows the IP address and account for configured external directory services.


Events status

To see recent system events:

1. Select Monitor System > System Status.
2. Click the Events tab.

The Events tab shows a list of events related to the status of connections and services.

For each event the Events tab shows:

The date and time of the event
Which service or policy the event involves
A brief description of the event

If you enable Event Monitoring on the Manage Settings page, the Events tab also shows events related to connectivity to the local user database and external directory services.

For more information about the Manage Settings page, see ”Manage Settings” on page 34.


Device status

To see statistics and configuration information for your WatchGuard SSL device:

1. Select Monitor System > System Status.
The System Status page appears.
2. Click the Device Status tab.

Device Overview

The Device Overview section shows information about the device software, connections, and resource use.

Host: The IP address the device uses to communicate with itself. This is always set to 127.0.0.1.

Current Server Time: Shows the current date and time for the SSL device.

Server Started: Shows the date and time the device was last started.

Version: The software version and build number.

Client Connections: The current number of client connections.

Server Connections: The current number of device connections.


Queued Connections: The current number of queued connections.

Active Worker Threads: The number of active threads is shown first. The maximum number of active threads is shown in parentheses.

Available Memory: The amount of available memory, in megabytes.

Open SSL Version: The version of OpenSSL used by the WatchGuard SSL device.

SSL Status for <IP address:port>

The SSL Status section shows statistics about the SSL listener. By default, there is just one SSL listener. If you add additional listeners, this page displays the status for each listener.

SSL Sessions in Cache
SSL Accepts
Finished SSL Accepts
Renegotiates
Session Cache Hits
Session Cache Misses
Session Cache Timeouts
Callback Cache Hits
Cache Full Overflows
Cache Size

For information about how to add a listener, see “General settings for the application portal” on page 208.

Network tools

You can use network tools to run some basic network commands from the WatchGuard SSL Web UI. This can be useful for network troubleshooting.

The network tools available in the WatchGuard SSL Web UI are:

ping: A command to detect whether a connection to a specified hostname or IP address is possible

tcpdump: A program to intercept and examine TCP/IP packets for diagnostic purposes

traceroute: A command to show the routing path taken from the device to a hostname or IP address

nslookup: A program that shows the information from the DNS records of a domain or hostname


To use the network tools:

1. Select Monitor System > System Status.
2. Click the Network Tools tab.
3. From the Command Type drop-down list, select the command you want to use. The command appears in the Prepared Command text box.
4. In the Extended Parameters field, type the command line parameters for this command. The parameters appear in the Prepared Command text box, after the command.
5. From the Max Run Time drop-down list, select the maximum amount of time you want the command to run.
6. To run the command shown in the Prepared Command dialog, click Run.
The result of the command appears in the Result area of the page.
7. To stop the command, click Stop.
8. To clear the Result area, click Clear.


Manage Settings

You can manage the settings for event monitoring or change the Super Administrator password.

Event monitoring settings

You can monitor the connections to the Local User Database and External Directory Service. When you enable event monitoring, the connection is examined every 15 seconds and a log message is recorded in the service log. The log messages appear on the Events tab in the System Status page. This option is selected by default. To increase the performance of your system, disable this option.

To enable event monitoring:

1. Select Monitor System > System Status.
2. Click Manage Settings.
The Settings page appears.
3. Select the Monitor connections to the local user database and external directory service check box.
4. Click Save.

Change the Super Administrator password

When you complete the Quick Setup Wizard, you set the Super Administrator password. You can change this password at any time. You can also enable or disable the WatchGuard SSL password policy, which requires that the Super Administrator password meet these specific standards:

The password must be at least six characters long
The password must include characters from at least three of the following four categories:
  o English uppercase characters (from A through Z)
  o English lowercase characters (from a through z)
  o Base-10 digits (from 0 through 9)
  o Non-alphanumeric characters (for example: !, $, #, or %)


To enable or disable the password policy or change the password:

1. Select Monitor System > System Status.
2. Click Manage Settings.
The Settings page appears.
3. Select the Enable password policy check box.
4. Type the Current Password.
5. Type the new password twice in the New Password and Verify New Password text boxes.
6. Click Save.
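As an added illustration that is not part of the WatchGuard documentation or product, the following Python code applies the password policy stated above (at least six characters, at least three of the four character categories) to a candidate password and reports which rules it fails. It assumes that the fourth category covers any character that is not an English letter or a base-10 digit.

```python
import string

# Policy as stated in the guide: at least six characters, and characters from at
# least three of the four categories listed above.
MIN_LENGTH = 6
MIN_CATEGORIES = 3


def character_categories(password: str) -> set:
    """Return the set of policy categories present in the password."""
    categories = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            categories.add("uppercase")
        elif ch in string.ascii_lowercase:
            categories.add("lowercase")
        elif ch in string.digits:
            categories.add("digit")
        else:
            # Assumption: anything that is not an English letter or a base-10
            # digit counts as a non-alphanumeric character.
            categories.add("non-alphanumeric")
    return categories


def check_password_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    found = character_categories(password)
    if len(found) < MIN_CATEGORIES:
        problems.append(
            f"uses {len(found)} of 4 character categories; at least {MIN_CATEGORIES} required"
        )
    return problems


def password_is_acceptable(password: str) -> bool:
    """Convenience wrapper: True when no rule is violated."""
    return not check_password_policy(password)


if __name__ == "__main__":
    # Constructed sample candidates, not passwords from any real system
    for candidate in ("Abc12!", "abcdef", "Ab1", "abc123"):
        print(repr(candidate), check_password_policy(candidate) or "OK")
```

Because the policy can be disabled on the device, a check like this is useful in whatever process hands out the Super Administrator password, so that the same minimum is enforced whether or not the check box is selected.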

View administrator activities

You can use the WatchGuard SSL Web UI to see a list of all the administrators logged on to the Web UI, as well as the date and time of recent actions for each administrator.

1. Select Monitor System > System Status.
2. Click View Administrator Activities.
The Administrator Activities page appears.


About user sessions

You can search for and manage all current user sessions to see which users are active in the system and information about their sessions. You can also stop active user sessions.

To see a list of user sessions:

1. Select Monitor System.
The System Status page appears.
2. Select User Sessions.
The User Sessions page appears.


Search for User Sessions

By default, the User Sessions page shows a list of all active user sessions. You can use the search fields at the top of the page to search for a session by User ID and authentication method.

To search for current sessions:

1. Select Monitor System > User Sessions.
The User Sessions page appears.
2. In the Search by User ID text box, type a user name.
To see all users, type only the * wildcard character.
To search for partial user names, type the * wildcard character with the other characters. For example, Wil* or *am can be used to find the user name "William".
3. From the adjacent drop-down list, select an authentication method. Select All to include all authentication methods in your search.
4. Click Search.
The user names that match your search parameters appear in the User Sessions list.

The User Sessions list shows summary information for each active session:

Session ID: The unique ID number assigned to the user session.

User ID: The user name assigned to the user in the directory service.

Authentication Method: The authentication method used to log in.

Client IP Address: The IP address of the client computer.

Life Time: The number of minutes the user session has been active.


View a User Session

1. In the search results list, click a Session ID to see details about that user session.
The View User Session page appears, with this information for each session:

Session ID: The unique ID number assigned to the user session.

User ID: The user name assigned to the user in the directory service.

Display Name: The display name assigned to the user.

Authentication Method: The authentication method used to log in to the Authentication Portal.

Client IP Address: The IP address of the client computer.

Login time: The date and time the user session began.

Life Time: The number of minutes the user session has been active.

Last Access: The date and time of the last user session for this user.

Time to session timeout: The number of minutes until the user session timeout limit is reached.

2. Click Previous to return to the User Sessions page.

Stop User Sessions

You can stop or close an active user session at any time.

On the User Sessions page:

1. Select the Delete check box for each user session you want to end.
2. Click Delete at the bottom of the Delete column.

The selected user sessions are stopped, but the user accounts are not deleted. The users can log on to the application portal again.


Manage search and display settings

By default, the User Sessions search results include a maximum of 200 results, and show 20 results per page.

To change these settings:

1. Select Monitor System > User Sessions.
The User Sessions page appears.
2. Click Manage Search and Display Settings.
The Manage User Sessions Settings page appears.
3. In the Search Limit text box, type the maximum number of user sessions you want to appear in the User Sessions search results.
4. In the Results Per Page text box, type the number of user sessions to display on each page of the User Sessions search results.
5. Click Save.
The User Settings page appears.
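The User ID wildcard search, the authentication method filter, and the Search Limit and Results Per Page settings described in the two sections above, modelled together in Python as an added example. This is not code from the WatchGuard product; the session records are constructed for the example, the Session fields follow the columns of the User Sessions list, and matching is assumed to be case-insensitive, which the guide does not state.

```python
import re
from dataclasses import dataclass


@dataclass
class Session:
    """One row of the User Sessions list (fields named after the guide's columns)."""
    session_id: int
    user_id: str
    auth_method: str
    client_ip: str
    life_time_minutes: int


# Constructed sample sessions; not data from a real device.
SESSIONS = [
    Session(1001, "William", "Local User Database", "192.0.2.10", 42),
    Session(1002, "Wilma", "RADIUS", "192.0.2.11", 5),
    Session(1003, "Sam", "Local User Database", "192.0.2.12", 120),
    Session(1004, "admin", "RADIUS", "192.0.2.13", 7),
]


def wildcard_to_regex(pattern: str):
    """Turn a Search by User ID pattern into a regex: * matches any run of
    characters, everything else is matched literally (assumed case-insensitive)."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def search_sessions(sessions, user_pattern, auth_method="All",
                    search_limit=200, results_per_page=20):
    """Return the matching sessions split into pages, using the guide's defaults
    of at most 200 results shown 20 per page. auth_method "All" disables that filter."""
    rx = wildcard_to_regex(user_pattern)
    matches = [
        s for s in sessions
        if rx.match(s.user_id)
        and (auth_method == "All" or s.auth_method == auth_method)
    ]
    matches = matches[:search_limit]      # Search Limit: results beyond it are not shown
    return [matches[i:i + results_per_page]
            for i in range(0, len(matches), results_per_page)]


def matched_user_ids(sessions, user_pattern, auth_method="All", **settings):
    """Flatten the paged results to user names, for a quick look at what a search returns."""
    pages = search_sessions(sessions, user_pattern, auth_method, **settings)
    return [s.user_id for page in pages for s in page]


if __name__ == "__main__":
    for pattern in ("*", "Wil*", "*am"):
        print(pattern, "->", matched_user_ids(SESSIONS, pattern))
    print("*am via RADIUS ->", matched_user_ids(SESSIONS, "*am", "RADIUS"))
```

The Search Limit is applied before paging, so raising Results Per Page never shows more sessions than the limit allows; when you are hunting for a particular user on a busy device, narrow the pattern rather than raising the limit.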

About Alerts

Alerts are messages the system can send to notify administrators when specified events occur. Alert events include lost and restored connections between services, lost and restored connections to the local user database, or user account activity. You can configure alerts to be sent by email or as an SMS message.

Alert messages contain event-specific information. For example, you can configure an alert to be sent if the Administration service cannot communicate with the local user database. The alert message is sent to the selected recipients through the method you specify.


Manage Alerts

You can add, edit, and delete alerts from the Manage Alerts page.

1. Select Monitor System > Alerts.
The Manage Alerts page appears.
2. Configure alerts:
Add an alert
Edit and delete alerts
Manage global alert settings

Predefined Alert Event Types

You can use these predefined alert events to configure Registered Alerts:

User Accounts
Resource Host
Services
Local User Database
Authentication Servers

For more information about alert event types, see ”About alert event types” on page 43.

Add an alert

When you configure an alert, you must select which types of events trigger the alert, configure which notification methods to use for the alert notification messages, and configure the recipients of those notifications. You can send an alert as an email message, an SMS message, or both. You must configure the email and SMS notification channels before you can use them in an alert.

For more information about notification channel configuration, see “General settings for the application portal” on page 208.

You can configure alert notification messages to be sent to delegated administrative roles, or directly to email addresses or cell phone numbers that you specify. When you send an alert message to a delegated role, the alert message is sent to the email or SMS address of each administrator assigned to that role.

For information about delegated roles, see “General settings for the application portal” on page 208.


To add an alert:

1. Select Monitor System > Alerts.
The Manage Alerts page appears.
2. Click Add Alert.
The Add Alert page appears.
3. In the Display Name text box, type a name for the alert.
4. In the Description text box, type the description that you want to appear with the alert in the Registered Alerts list.
5. Make sure the Enable Alert check box is selected.
6. In the Notification section, use the check boxes to select the notification method. You can select Email, SMS, or both.
7. Click Next.
The Alert Events Types page appears.
8. Select the check box for each alert event type you want to trigger this alert.
For more information about the alert event types, see ”About alert event types” on page 43.
9. Click Next.
10. To send the alert message to a set of people for which you have defined a delegated role, click the role in the Available Roles list. To select more than one role to receive this alert, hold down the Ctrl key while you click each role name.
11. Click Add.
The selected roles appear in the Selected Roles list.
12. If you selected Email as a notification channel in Step 6, you can send the alert to a specific email address. Click Add Email address. Type the email address and click Next.
The email address appears on the Registered Email Addresses list.
13. If you selected the SMS notification channel in Step 6, you can send the alert as an SMS message to a specific cell phone number. Click Add Cell Phone Number. Type the cell phone number and click Next.
The cell phone number appears in the Registered Cell Phone Numbers list.
14. After you add all recipients for this alert, click Finish Wizard.
The Manage Alerts page appears. The alert you added appears in the list of registered alerts.


About alert event types

When you define an alert, you can select from these pre-defined alert event types:

User Accounts event types

Locked for Access: Access is locked for a user.

Unlocked for Access: The administrator unlocks access for a user.

Locked for Authentication: Authentication is locked for a user.

Unlocked for Authentication: The administrator unlocks authentication for a user.

Time-lock Locked: A time-lock is activated for a user.

Time-lock Unlocked: The administrator disables a time-lock for a user.

Resource Host event types

Lost Connection: The connection to a resource host is unavailable.

Restored Connection: The connection to a resource host is restored.

Services event types

Lost Connection: The connection to a service is unavailable.

Restored Connection: The connection to a service is restored.

Local User Database event types

Lost Connection: The connection to the local user database is unavailable.

Restored Connection: The connection to the local user database is restored.

Authentication Service event types

Lost Connection: The connection to the authentication method service is unavailable.

Restored Connection: The connection to the authentication method service is restored.


Edit and delete alerts

You can see, edit, and delete current alerts in the Registered Alerts list. You can select an alert to see the settings, change any of the settings, or delete an alert that you no longer want to use.

See and edit registered alerts

1. Select Monitor System > Alerts.
The Manage Alerts page appears.
2. Select a Display Name in the Registered Alerts list to see the details of that alert.
The Edit Alerts page appears.
3. On the General Settings tab, you can change the Display Name, Description and Notification channel.
4. On the Alert Events tab, you can edit the types of alert events to include in this alert.
5. On the Alert Receivers tab, you can change who receives notifications from this alert.
6. Click Save.


Delete registered alerts

1. Select Monitor System > Alerts.
The Manage Alerts page appears.
2. Select a Display Name in the Registered Alerts list to see the details of that alert.
The Edit Alerts page appears.
3. Click Delete.
The Delete Alert page appears.
4. Click Yes to delete the alert.
The Manage Alerts page appears with a message that the alert was deleted.

Manage global alert settings

You can customize the alert message sent for each alert event type.

Edit the alert messages

1. Select Monitor System > Alerts.
The Manage Alerts page appears.
2. On the Manage Alerts page, click Manage Global Alert Settings.
The Manage Global Alert Settings page appears.
3. In the Subject field, edit the subject that you want to appear for all alert messages.
4. For each alert event type, you can edit the alert message. The default alert messages and a description of the variables used in the alert messages are described below.
5. Click Save.

If you use SMS as your notification channel for alerts, we recommend you keep the alert messages short. SMS messages are limited to 160 characters on most mobile networks.


Alert message variables

The alert messages use two variables, {0} and {1}.

{0} is replaced by the exact date and time of the event. The format of the date and time depends on the locale settings for your browser.
{1} is replaced by the specific event trigger. This can be a user account, a WatchGuard SSL service, or a resource.

Here is an example alert message:

{0}: User {1} has been locked for authentication.

When this alert is sent, the alert message substitutes the user name for the variable {1}:

2005-09-01 09:11:31: User Joe Smith has been locked for authentication.
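The substitution described above, together with a check you can run on a customised message before saving it in Manage Global Alert Settings, as an added Python example that is not code from the WatchGuard product. It reproduces the guide's worked example and also flags two mistakes an editor can make: dropping {1} (so the message no longer says what was locked or lost) and writing an SMS template that can exceed the 160-character limit mentioned earlier. The timestamp format and the 64-character bound on a trigger name are assumptions.

```python
from datetime import datetime

SMS_MAX_CHARS = 160   # limit on most mobile networks, as the guide notes

# Two of the default messages from the guide's table
DEFAULT_MESSAGES = {
    "Locked for Authentication": "{0}: User {1} has been locked for authentication",
    "Lost Connection": "{0}: Lost connection to {1}",
}

# The timestamp used in the guide's worked example
EXAMPLE_TIME = datetime(2005, 9, 1, 9, 11, 31)


def render_alert(template: str, event_time: datetime, trigger: str) -> str:
    """Substitute {0} with the event date/time and {1} with the event trigger.
    The timestamp format is an assumption; the device follows the browser locale."""
    stamp = event_time.strftime("%Y-%m-%d %H:%M:%S")
    return template.replace("{0}", stamp).replace("{1}", trigger)


def check_template(template: str, sms: bool, longest_trigger: str = "x" * 64) -> list:
    """Validate a customised alert message before it is saved.

    longest_trigger is an assumed upper bound on the length of a user name,
    service name or resource name that could fill {1}."""
    problems = []
    if "{1}" not in template:
        problems.append("template does not contain {1}; the message will not say what triggered it")
    if sms:
        rendered = render_alert(template, EXAMPLE_TIME, longest_trigger)
        if len(rendered) > SMS_MAX_CHARS:
            problems.append(
                f"rendered SMS could reach {len(rendered)} characters; limit is {SMS_MAX_CHARS}"
            )
    return problems


def example_render() -> str:
    """The guide's example: the Locked for Authentication default rendered for 'Joe Smith'."""
    return render_alert(DEFAULT_MESSAGES["Locked for Authentication"], EXAMPLE_TIME, "Joe Smith")


if __name__ == "__main__":
    print(example_render())
    print(check_template("{0}: " + "A" * 150 + " {1}", sms=True))
```

Run the check over every template you edit while SMS is a selected channel; a message that passes for email can still be cut off in an SMS when the user name or resource name is long.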

Alert message defaults

User Accounts

Alert Event Type              Default alert message
Locked for Access             {0}: User {1} has been locked for access
Unlocked for Access           {0}: User {1} has been unlocked for access
Locked for Authentication     {0}: User {1} has been locked for authentication
Time-lock Locked              {0}: User {1} has been Time-lock locked until {2}
Time-lock Unlocked            {0}: User {1} has been Time-lock unlocked

Resource Host

Alert Event Type              Default alert message
Lost Connection               {0}: Lost connection to Resource Host {1}
Restored Connection           {0}: Restored connection to Resource Host {1}

Services

Alert Event Type              Default alert message
Lost Connection               {0}: Lost connection to {1}
Restored Connection           {0}: Restored connection to {1}

Local User Database

Alert Event Type              Default alert message
Lost Connection               {0}: Lost connection to Local User Database{1}
Restored Connection           {0}: Restored connection to Local User Database{1}

Authentication Method Servers

Alert Event Type              Default alert message
Lost Connection               {0}: Lost connection to Authentication Method Server used by Authentication Method {1}
Restored Connection           {0}: Restored connection to Authentication Method Server used by Authentication Method {1}


Manage Logging

You can configure logging settings, such as log level, log file rotation, and the types of information to log for each registered service.

Edit logging settings

1. Select Monitor System > Logging.
The Manage Logging page appears.
2. Click the Display Name of a registered service to edit the log settings.
The Edit Logging Settings page for the service appears, with a separate tab for each log type.
3. Click a tab to configure the settings for each log type. The available settings that you can configure on each tab include Log Level Filter, Log File Rotation, Debug Logs, and Syslog. Debug logs and syslog settings are only available after you enable them on the Manage Global Logging Settings page.
For more information about these settings, see the subsequent sections.

For more information about global logging settings, see ”Manage global logging settings” on page 51.

4. For the accesspoint service, on the Audit Log tab, select the check box for each Log File Information type to include in the audit log file.
5. Click Save.


Set the Log Level Filter

For each service, you can configure a log level for each type of log file. You can use the Log Level Filter controls to ignore log messages that do not meet the severity requirements you specify.

In the Log Level Filter drop-down list, select a log level filter. Available log level filters include:

Off: Disables logging for that service.

Fatal: Logs only fatal messages.

Warning: Logs only fatal and warning messages.

Info: Logs all levels of messages. This is the default setting.

Configure log file rotation

For each service, you can configure log file rotation for each type of log file.

In the Log File Rotation section, select the radio button for the rotation schedule you want. Options include:

Create a new log file every day: The service creates a new log file every day.

Disable log file rotation. Save all log messages in the same file: The service logs all messages to the same file.

Rotate log files based on size: The service creates a new log file based on the Max File Size you type. In the Max Files in Rotation field, you must select the maximum number of concurrent log files. When the maximum number of log files is reached, the system removes the oldest log file and creates a new log file.
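The Log Level Filter and the size-based rotation described in the two sections above, modelled together in Python as an added example; this is not code from the WatchGuard product, and the file naming scheme and the in-memory files are assumptions made so that it runs anywhere. The point to see is that Max Files in Rotation bounds disk use by discarding the oldest file, so once the limit is reached a burst of messages can push evidence out of the rotation before it is collected; with Warning selected, INFO messages are never written at all.

```python
from collections import OrderedDict

# Severity ranks for the three levels the guide's Log Viewer shows
LEVEL_RANK = {"INFO": 1, "WARNING": 2, "FATAL": 3}
# Log Level Filter settings from the guide and the lowest rank each one keeps
FILTER_MIN_RANK = {"Off": None, "Fatal": 3, "Warning": 2, "Info": 1}


def passes_filter(level_filter: str, message_level: str) -> bool:
    """True when a message of message_level is kept under the given filter."""
    minimum = FILTER_MIN_RANK[level_filter]
    return minimum is not None and LEVEL_RANK[message_level] >= minimum


class SizeRotatedLog:
    """Models a service log with a Log Level Filter and the 'Rotate log files
    based on size' option (Max File Size and Max Files in Rotation).
    Files are kept in memory here so the example runs anywhere."""

    def __init__(self, level_filter: str, max_file_size: int, max_files: int):
        self.level_filter = level_filter
        self.max_file_size = max_file_size
        self.max_files = max_files
        self.files = OrderedDict()    # oldest first: file name -> contents
        self.seq = 0
        self._open_new_file()

    def _open_new_file(self):
        self.seq += 1
        self.current = f"service.log.{self.seq}"   # assumed naming scheme
        self.files[self.current] = ""
        while len(self.files) > self.max_files:
            self.files.popitem(last=False)          # drop the oldest file

    def write(self, level: str, text: str) -> bool:
        """Append one message; returns False if the filter discarded it."""
        if not passes_filter(self.level_filter, level):
            return False
        line = f"{level}: {text}\n"
        current_size = len(self.files[self.current])
        # Rotate before a write that would exceed Max File Size. A single line
        # larger than the limit still goes into an empty file rather than being lost.
        if current_size and current_size + len(line) > self.max_file_size:
            self._open_new_file()
        self.files[self.current] += line
        return True


def run_sample() -> SizeRotatedLog:
    """Constructed messages run through a Warning-level log with small rotation limits."""
    log = SizeRotatedLog("Warning", max_file_size=40, max_files=2)
    for level, text in [
        ("INFO", "portal started"),                  # filtered out
        ("WARNING", "cert expires in 10 days"),
        ("FATAL", "db unreachable"),
        ("WARNING", "cert expires in 9 days"),
        ("FATAL", "db unreachable"),
    ]:
        log.write(level, text)
    return log


if __name__ == "__main__":
    for name, contents in run_sample().files.items():
        print(name, repr(contents))
```

With the limits used in run_sample, only the two newest files survive; the first WARNING has already been rotated out. Size your Max File Size and Max Files in Rotation so that the retention window comfortably exceeds the Log collection interval and the period you need for incident review.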

Debug Logs

If you enabled debug logs on the Manage Global Logging Settings page, you can specify the IP address for the HTTP traffic you want to include in the Diagnostics File.

Client IP Address: Type the IP address for HTTP traffic.

Log File Information

These settings are only available for the accesspoint service. Select the check box for each type of information you want to include in your HTTP log file. The available options depend on the type of log you selected.


Syslog

To configure syslog settings, you must first enable syslog on the Manage Global Logging Settings page.

In the Log Level Filter drop-down list, select a log level filter for logging to a remote syslog server. Available log level filters include:

Off: Disables logging for that service.

Fatal: Logs only fatal messages.

Warning: Logs only fatal and warning messages.

Info: Logs all levels of messages. This is the default setting.

If you set the syslog log level filter to Fatal, Warning, or Info, make sure that you configure the syslog server IP address in the Manage Global Logging Settings page.

For more information, see ”Manage global logging settings” on page 51.


Manage global logging settingsGlobal logging settings apply to all log files created by all services. To manage global logging settings:

1. Select Monitor System > Logging.2. Click Manage Global Logging Settings.

3. In the Time Zone section, you can change the time zone to use in log file messages. You can select Local Time or GMT. The default setting is Local Time.

4. In the Log collection interval field, type the number of seconds between the collection of log messages. Log collection controls how often log messages are collected by the Administration service from other services. The default setting is 5 seconds.

5. Click Save.

Alerts and reports both depend on log collection. If you set the log collection interval too high, you reduce your ability to see real-time report data and you delay the delivery of alerts.


Enable debug logging
To troubleshoot a problem with your WatchGuard SSL device, you can enable an additional level of logging. Select the Enable debug logging check box to enable debug logging. When you enable debug logging, several debug log files are created for the accesspoint service:

Raw External log file
Raw Internal log file
Raw Proxy Interchange log file
Hyper Links log file
Form Based log file

For the Administrator service, an additional debug log file is created.

You cannot see the debug log files in the WatchGuard SSL Web UI. To see the debug log files, you must download the diagnostics zip file that contains all log files.

For information about the diagnostics file, see ”About the diagnostics file” on page 63.

Enable logging to a remote syslog server
You can also send log messages to a remote syslog server. When you enable syslog, the syslog messages from each service are sent to the syslog server at the IP address you specify.

To enable syslog logging:

1. From the Manage Global Logging Settings page, select the Enable Syslog check box.
2. In the Syslog Server IP field, type the IP address of your syslog server.

For information about how to set the syslog log level for each type of log file, see ”Manage Logging” on page 48.


Use Log Viewer
You can use the Log Viewer to see log messages from the configured services. You can specify search criteria to filter search results. The Log Viewer System Log only includes the severity levels INFO, WARNING, and FATAL.

To search for log events:

1. Select Monitor System > Log Viewer.
The Log Viewer page appears.
2. From the Log Type drop-down list, select the log type.
3. From the Services list, select which services to search log files for.
To select more than one service, hold down the Ctrl key while you click each service.
4. In the Search Criteria field, type the criteria to filter the log entries.
By default, the search function finds all log entries that contain all the words in the search criteria anywhere in the log entry. For more information about how to use the Search Criteria field, see the subsequent section.
5. In the Time Range section, select the time range to search.
To search recent log events, select the top radio button, then select the number of hours or days to view.
To search for log events in a date range, select the second radio button, then type dates in the From and To fields.
6. Click View Log to search for log messages that meet your criteria.
The search results appear in a separate browser window.

If you search through log files for a large number of services, the search can take a long time to complete.


About Log Viewer Search Criteria
You can use Search Criteria to trace specific log events, such as user activity, through your services. Searches are not case sensitive and search criteria can include multiple text strings. You can combine all these methods to define a very specific search result.

Exact Match
To find log file messages that contain an exact match, type quotation marks before and after the text exactly as it must appear in the log entry. For example:

"server start"
Search results include all log file entries that contain the exact phrase "server start".

" info "

When you include spaces between the quotation marks and the text, the search results include all log entries with a space before and after the text “info”.

Find log file events that contain all the search terms (AND)
To find all log file messages that contain several search terms, type and between the terms in the search criteria. For example:

warning and authentication
Search results include all log file entries that contain both the words "warning" and "authentication".

Find log file events that contain any of the search terms (OR)
To find all log file entries that contain any of the search terms, type or between the terms in the search criteria. The OR keyword takes precedence over the AND keyword: terms joined with or are grouped first, and the groups are then combined with and. For example:

fatal or warning
Search results include all log entries that contain the severity levels FATAL or WARNING.

fatal or warning and sql
Search results include log entries with the severity levels FATAL or WARNING that also include the text "sql".

Exclude terms from the search results (-)
To exclude terms from a search, type a minus sign (-) before the term to exclude. For example:

-info
Search results include all severity levels except the INFO level.

fatal or warning -sql
Search results include all log entries with the FATAL or WARNING severity levels, except for entries that include the text "sql".

fatal or warning -lcp -"tc5 system"
Search results include all log entries with the severity levels FATAL or WARNING, but not log entries with "LCP" or the string "tc5 system".

Use wildcards
To search for part of a term, you can use the wildcard characters * and ?. Type * in the place of any number of characters, and ? in the place of exactly one character. For example:

load*
Search results include all log entries with the text "load" followed by any other characters, such as "loaded" or "loading".

loade?
Search results include all log entries with the text "loade" followed by exactly one other character, such as "loaded" or "loader".
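The search syntax above, implemented as an added example so that you can check how a query will be read before you run it against a large set of services. This is not WatchGuard code, and the log lines are constructed samples in an assumed format. The matcher treats bare terms (including wildcard terms) as substring matches, treats a leading minus sign as an exclusion that applies to the whole query, and groups or before and, which is how the guide's examples behave but is an assumption about the device's exact rules.

```python
"""Matcher for the Log Viewer search-criteria syntax (added example, not WatchGuard code)."""
import re

# One token: optional leading '-', then either a "quoted phrase" or a bare word.
TOKEN_RE = re.compile(r'(-?)(?:"([^"]*)"|(\S+))')


def term_regex(text, quoted):
    """Compile one search term into a case-insensitive regular expression.

    Quoted terms are exact substrings (spaces inside the quotes count).
    Bare terms may contain the wildcards * (any run of characters) and
    ? (exactly one character).  Both kinds are matched anywhere in the
    entry; substring matching for wildcard terms is an assumption.
    """
    if quoted:
        pattern = re.escape(text)
    else:
        pattern = re.escape(text).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(pattern, re.IGNORECASE)


def parse_criteria(criteria):
    """Split the criteria into (and_groups, excludes).

    and_groups is a list of OR-groups: within a group at least one pattern
    must match, and every group must match (plain adjacency means AND).
    'or' binds tighter than 'and', as the guide's examples show.
    excludes are the '-' terms that must not match anywhere in the entry.
    """
    and_groups, excludes = [], []
    join_with_or = False
    for neg, quoted_text, bare in TOKEN_RE.findall(criteria):
        quoted = not bare
        text = bare if bare else quoted_text
        if not quoted and not neg and text.lower() in ("and", "or"):
            join_with_or = text.lower() == "or"
            continue
        if text == "":
            continue  # an empty "" term carries no information
        regex = term_regex(text, quoted)
        if neg:
            excludes.append(regex)
        elif join_with_or and and_groups:
            and_groups[-1].append(regex)
        else:
            and_groups.append([regex])
        join_with_or = False
    return and_groups, excludes


def matches(entry, criteria):
    """True if one log entry satisfies the criteria."""
    and_groups, excludes = parse_criteria(criteria)
    if any(rx.search(entry) for rx in excludes):
        return False
    return all(any(rx.search(entry) for rx in group) for group in and_groups)


def search(entries, criteria):
    """Return the entries that satisfy the criteria, in their original order."""
    return [entry for entry in entries if matches(entry, criteria)]


# Constructed sample log entries; the guide does not show the real line format.
SAMPLE_LOG = [
    "2009-06-26 10:00:01 INFO accesspoint: server start",
    "2009-06-26 10:00:02 INFO accesspoint: resource loaded",
    "2009-06-26 10:01:10 WARNING authentication: failed login for user alice",
    "2009-06-26 10:02:33 FATAL policy: sql connection lost",
    "2009-06-26 10:03:00 WARNING accesspoint: loading tc5 system definitions",
    "2009-06-26 10:04:15 WARNING administration: information page served",
]

if __name__ == "__main__":
    for query in ('"server start"', '" info "', "fatal or warning and sql",
                  "fatal or warning -sql", 'fatal or warning -lcp -"tc5 system"',
                  "load*", "loade?"):
        print(f"{query!r}: {len(search(SAMPLE_LOG, query))} hit(s)")
```

Note the difference between info and " info ": the bare term also matches "information" in the last sample line, while the quoted term with surrounding spaces does not, which is the behaviour the guide describes for the quoted form.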


About Reports
You can generate reports in the WatchGuard Web UI to see information from the log files. You can generate a report that shows the current status of the device or service, or you can select a time range. Report information is also stored in a database for later use. After you generate a report, you can save it as a PDF file, as plain-text data files, or as PNG image files so you can examine the data with third-party programs at another time.

Available Reports
You can generate any of these twelve reports, or select Complete Report to generate all of the reports at the same time.

Abolishment report: Contains information about abolishment attempts over a selected time range.
Assessment report: Contains information about assessment attempts over a selected time range.
Session Trend report: Contains information about the number of concurrent sessions over a selected time range.
Access report: Contains information about access requests over a selected time range.
Authentication report: Contains information about failed and successful authentication attempts over a selected time range.
Authorization report: Contains information about failed and successful authorization attempts over a selected time range.
Account Statistics report: Contains information about the number of users per resource host over a selected time range.
Communication report: Contains information about lost connections over a selected time range.
Performance report: Contains information about system performance over a selected time range.
Tunnel report: Contains information about tunnel transfer rate over a selected time range.
System report: Contains information about connections and system resource usage over a selected time period.
Alerts report: Contains information about alerts triggered over a selected time range.
Complete report: Contains information from all the reports.

Generate a report
1. Select Monitor System > Reports.
The Manage Reports page appears.
2. In the Generate Report column, click the name of the report you want to generate.
The Generate Report page for the report you selected appears.
3. On the Time Range tab, select the time range for the report.
4. Click the Filter tab.
A list of filters for the selected report appears.
5. Click a filter to change filter settings. By default, all filters are set to All.


6. Click the Graphics tab.
The Graphics tab contains a list of charts you can generate.
7. Select the check box adjacent to each chart type that you want to include in the report.
8. For each chart you select, use the adjacent drop-down list to select the chart style.
9. Click Generate Report.
The View Report page appears for the current report.
10. Click each tab on the View Report page to see each chart.
11. Click Refresh Charts to refresh the report data.

Save a report
To save a copy of a report to a local file:

1. Use the steps above to generate the report.
2. On the View Report page, click Save Report.
3. Select whether to save this as a PDF file, data file, or image file.
The PDF contains all pages of the report.
Data files are stored as plain text, one text file per report tab.
Image files are stored as PNG image files, one file per chart.
4. Click Download.
A file is generated. If you selected more than one file type, the files are in a ZIP file.

5. Click the file name to download the file.

Abolishment report
The Abolishment report contains information about abolishment attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Abolishment report:

User ID
Client
Client IP

By default, all filters are set to All.

Graphics
You can select one or more of these chart types:

Failed Attempts over Time
Succeeded Attempts by User
Succeeded Attempts over Time

By default, the style for these charts is set to Bar.

For more information about how to generate a report, see ”About Reports” on page 55.


Assessment report
The Assessment report contains information about assessment attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Assessment report:

Assessment Rule
User ID
Client
Client IP

By default, all filters are set to All.

Graphics
You can select one or more of these chart types:

Failed assessment attempts over time
Failed assessment attempts by reason
Failed assessment attempts by user
Succeeded assessment attempts over time

By default, the style for these chart types is set to Bar.

For more information about how to generate a report, see ”About Reports” on page 55.

Session Trend report
The Session Trend report contains information about session attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
The available filter for the Session Trend report is User ID.

By default, the User ID filter is set to All.

Graphics
You can select one, several, or all of these chart types:

Maximum concurrent sessions over time
Ongoing sessions by user
Average session duration over time
Ended sessions by type

For more information about how to generate a report, see ”About Reports” on page 55.


Access report
The Access report contains information about access requests over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Access report:

Web Resource Host
User ID
Client
Client IP
Tunnel Resource
Tunnel Protocol
Tunnel IP
Tunnel Port

By default, all filters are set to All.

Graphics
You can select one or more of these chart types:

Access Requests over Time
Access Requests by User
Access Requests by Web Resource Host
Access Requests by Tunnel Resource Host

For more information about how to generate a report, see ”About Reports” on page 55.

Authentication report
The Authentication report contains information about failed and successful authentication attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Authentication report:

Authentication Method
User ID
Client
Client IP

By default, all filters are set to All.

Graphics
You can select one or more of these chart types:

Failed Attempts over Time
Failed Attempts by Reason
Failed Attempts by User
Authentication Method Usage
Average Attempts by Hour
Succeeded Attempts over Time


By default, the style for these charts is set to Bar.

For more information about how to generate a report, see ”About Reports” on page 55.

Authorization report
The Authorization report contains information about failed and successful authorization attempts over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Authorization report:

Client IP
Client
Web Resource Host
User ID
Tunnel Resource
Tunnel Protocol
Tunnel IP
Tunnel Port

By default, all filters are set to All.

Graphics
You can select one, several, or all of these chart types:

Failed Attempts over Time
Failed Attempts by Reason
Failed Attempts by User
Average Attempts by Hour
Succeeded Attempts over Time

By default, the style for these charts is set to Bar.

For more information about how to generate a report, see ”About Reports” on page 55.

Account Statistics report
The Account Statistics report contains information about the number of users per resource host over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Account Statistics report:

User ID
Web Resource Host
Tunnel Resource
Tunnel Protocol
Tunnel IP
Tunnel Port

By default, all filters are set to All.


Graphics
You can select one or more of these chart types:

Users by Web Resource Host
Users by Tunnel Resource Host

By default, the style for these charts is set to Pie.

For more information about how to generate a report, see ”About Reports” on page 55.

Communication report
The Communication report contains information about lost connections over a selected time range. You can change the chart style to customize the report.

Filters
There are no filters for the Communication report.

Graphics
You can select this chart type:

Lost Connections over time

By default, the style for this chart is set to Bar.

For more information about how to generate a report, see ”About Reports” on page 55.

Performance report
The Performance report contains information about system performance over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify this filter for the Performance report:

Web Resource Host

By default, the filter is set to All.

Graphics
The Performance report includes these chart types:

Average request rate over time
Average response time by web resource host
Transfer rate - device to web resource host
Transfer rate - web resource host to device
Failed responses over time

For more information about how to generate a report, see ”About Reports” on page 55.


Tunnel report
The Tunnel report contains information about tunnel transfer rate over a selected time range. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Tunnel report:

Tunnel Resource
Tunnel Protocol
Tunnel IP
Tunnel Port

Graphics
The Tunnel report includes these chart types:

Transfer Rate - Client to Tunnel Resource Host
Transfer Rate - Tunnel Resource Host to Client

By default, the style for these charts is set to Line.

For more information about how to generate a report, see ”About Reports” on page 55.

System report
The System report contains information about connections and system resource use over a selected time period. You can select chart types and styles to customize the report.

Filters
There are no filters for the System report.

Graphics
The System report includes these chart types:

Maximum Client and Server Connections over Time
Maximum SSL Sessions over Time
Available Memory by WatchGuard Service
Available Disk Space by WatchGuard Service

By default, the style for these charts is set to Line.

For more information about how to generate a report, see ”About Reports” on page 55.

Alerts report
The Alerts report contains information about alerts triggered over a selected time range. You can select chart types to customize the report.

Filters
There are no filters for the Alerts report.


Graphics
The Alerts report includes this chart type:

Alerts by Type

By default, the style for this chart is set to Pie.

For more information about how to generate a report, see ”About Reports” on page 55.

Complete report
The Complete report contains statistics from all available report types. You can set filters and select chart types to customize the report.

Filters
You can modify these filters for the Complete report:

User ID
Client
Client IP
Web Resource Host
Tunnel Resource
Tunnel Protocol
Tunnel IP
Tunnel Port
Assessment Rule
Authentication Method

By default, all filters are set to All.

Graphics
You can select one or more of the chart types. The Complete report includes the chart types of all the other reports.

By default, all chart types are selected.

For more information about how to generate a report, see ”About Reports” on page 55.

Manage report database settings
All of the information used to generate reports is stored in a database. Use the Manage Report Database Settings page to configure whether the information is stored, and for how long.

To change the report database settings:

1. Select Monitor System > Reports.
2. Click Manage Report Database Settings.
3. Select the Store report information check box to enable storage of report information in the database. This is enabled by default. Only clear this check box if you do not want to store data for reports.
4. Select the Delete events older than check box.
5. In the days field, type a number of days.

When you confirm your changes, data older than the specified number of days is deleted from the report database.


About the diagnostics file
You can create a diagnostics file that you can download to get all of your log files at one time. The diagnostics file is a compressed (ZIP) file that includes all of the System, Audit, Billing, HTTP, and RADIUS debug logs, configuration files, and message log entries for all servers. WatchGuard technical support may ask you to generate this file to help troubleshoot your system and resolve issues with your configuration. Because the file contains your configuration files and complete logs, treat it as confidential: store it where you keep other sensitive device data, and send it to support only through a channel you trust.

To create a diagnostics file:

1. Select Monitor System > Diagnostics File.
The Diagnostics File page appears.
2. Select a date range in the Time Range fields.
You can select to see the most recent data for a number of days or specify a specific date range.
3. Click Create Diagnostics File.
The Download Diagnostics File page appears, with a download link.
4. Click Download diagnostic-yyyymmdd-xxxx.zip to download the file.
The browser download page appears.

5. Select to open the file or save it, and click OK.

It is a good idea to enable debug logging for a period of time before you generate the diagnostics file. When you enable debug logging, the diagnostics file contains additional debug log files that can help WatchGuard technical support.

For information about debug logging, see ”Manage global logging settings” on page 51.

It can take a long time to create the diagnostics file if you select a long time range.

yyyymmdd-xxxx in the file name represents the date and number for each diagnostics file you create.


About the feature key
The Feature Key page shows information about the feature key, and includes a section where you can upload a new feature key.

To see the content of your feature key:

1. Select Monitor System.
The System Status page appears.
2. Select Feature Key.
The Feature Key page appears.

The feature key information includes:

Serial Number: The unique serial number that identifies the feature key for this WatchGuard SSL device. If you use the default feature key, you cannot see the device serial number in the feature key.
Version: The installed software version.
Type: The type of the feature key. The type can be Evaluation or Production.
Issued: The date the feature key was issued by WatchGuard.


Issued To: The name, company, and email address of the person to whom the feature key was issued.
Issued By: The name, company, and email address of the organization that issued the feature key.
Effective Dates: The start and end dates of the period the feature key is valid.
Max Concurrent Users: The maximum number of users allowed to use the system at the same time. The number of users currently logged in to the system appears in parentheses.
Max Named Users: The maximum number of named users allowed to use the system. The current number of registered named users appears in parentheses.
Max WatchGuard Authentication Users: The maximum number of named users who can use WatchGuard authentication methods. The current number of registered users who can use WatchGuard authentication methods appears in parentheses. If the wildcard character * is used, the number of named users is unlimited.
Max RADIUS Clients: The maximum number of RADIUS clients allowed. If the wildcard character * is used, the number of RADIUS clients is unlimited.
Max Resources: The maximum number of registered resources. If the wildcard character * is used, the number of resources is unlimited. The current number of registered resources appears in parentheses.
Max Authentication Methods: The maximum number of authentication methods that you can configure.
LiveSecurity Effective Dates: The start and end dates of the period the LiveSecurity subscription is valid.

For information about how to get a feature key for your device, see “Get a feature key” on page 5.

For information about how to upload the new feature key to the WatchGuard SSL device, see “Upload a new feature key” on page 66.


Upload a new feature key
A feature key is a file that enables licensed features on your WatchGuard SSL device. When you register your WatchGuard SSL device on the WatchGuard web site, you download a feature key file that enables all the licensed features. If you do not have your feature key, you can use the default feature key, which allows a maximum of one authenticated user.

For more information about how to get a feature key for your device, see “Get a feature key” on page 5.

To upload the feature key file to the WatchGuard SSL device:

1. Select Monitor System > Feature Key.
The Feature Key page appears.
2. In the Upload a new feature key section, select Upload a new feature key.
3. Click Browse. Locate and select the feature key file.
4. Click Upload New Feature Key to replace the current feature key.

To use the default feature key:

1. Select Use the default feature key.
2. Click Upload New Feature Key to replace the current feature key with the default feature key.

The default feature key is intended for evaluation purposes. The default feature key does not include LiveSecurity, so you cannot update the software or use the Live Update feature.


Live Update
Your WatchGuard SSL device uses an End-Point Security definition file to support the client scans used for assessment access rules. By default, the device automatically updates the engine and definition file. On the Live Update page, you can check the status of the last update or change the frequency of updates to the engine and definition file.

Live Update settings are preconfigured to the recommended settings. WatchGuard recommends you do not change these settings unless instructed to do so by WatchGuard Technical Support.

Configure Live Update settings
1. Select Monitor System > Live Update.
The Live Update page appears.
2. Check the Live Update status. At the top of the page is a message that shows the status of Live Updates.
3. Configure the Live Update Server URL.
This is automatically set to the WatchGuard Live Update server.
4. In the Max Connection Retries field, specify the number of retries for each attempt to connect to the Live Update Server. The default setting is 5 retries.
5. In the Engine Update Interval field, you can specify how often the device checks for engine updates.
The default engine update interval is 1 month.
6. In the Definition File Update Interval field, you can specify how often the device checks for updates to the End-Point Security definition file.
The default update interval is every 20 minutes.
7. Select an option to update the engine and definition file:
Select Automatic Update to automatically check for updates to the engine and definition file based on the configured Update Intervals.
Select Manual Update to disable automatic updates.

8. Click Save.

Update immediately
To immediately download any available engine and definition file updates from the WatchGuard Live Update server, you can click Download and Upgrade. You can do this regardless of whether you selected Automatic Update or Manual Update.

Reboot after engine updates
After the WatchGuard SSL device downloads an engine update from the WatchGuard Live Update server, you must reboot the WatchGuard SSL device for the new engine update to take effect. If a new engine update has been downloaded with either the automatic or manual process, the status message on the Live Update page notifies you that you must reboot the device for the engine update to take effect.

You do not have to reboot the device for definition file updates to take effect.

You must have a valid LiveSecurity subscription to get these updates.


3 User Management

About User Management
You can use the WatchGuard SSL Web UI to manage user accounts and user groups, and to configure the SSL device to use an External Directory Service. You can import user accounts from an external file, and create or repair a link to a user account in an existing authentication directory. If you use an External Directory Service, you can also enable Self Service, which allows your users to activate an account and recover a forgotten password or user name.

1. Select User Management.
The User Accounts page appears.
2. Select a left menu item to manage settings for your user accounts.
For more information about these menu items, see the subsequent sections.


User accounts
WatchGuard SSL user accounts are linked to user information already stored in your directory service. An External Directory Service link establishes a connection to your local user information.

Global User Account Settings
Configure default global settings for authentication, timeouts, and user linking, and set up automatic user link repair.

Manage All User Accounts
See all of the current user accounts and user groups. You can also disable or delete an account.

Import User Account
Use this method to create user accounts instead of the Add User Account wizard. To create a number of user accounts simultaneously, you can import a file with user information. The file must be formatted correctly. User accounts are added according to the default settings you configure in the Global User Account Settings section.

Create User Account by Linking
Use this method to create user accounts by linking to an External Directory Service. User accounts are added according to the default settings you configure in the Global User Account Settings section.

User groups
WatchGuard SSL includes three types of user groups:

User groups in your External Directory Service
User location groups
User property groups

The main User Groups page includes a list of all existing user groups. You can add a user group, or search the list to find an existing group.

External Directory Service
The External Directory Service is the external location where user accounts are stored. When you configure the SSL device to use an external directory service, you can use the existing user accounts in the directory service instead of creating new accounts for your users.

You specify the computer on which the directory service is installed and define a set of search rules to find users and user groups.

Self Service
If you use an External Directory Service, you can use Self Service to allow your users to recover their own user information, such as a forgotten password or user name. You can also allow your users to activate their accounts. When you enable and configure Self Service, you can use the wizard to configure the settings, or you can configure the settings manually. To get information from Self Service, users must answer a series of challenge questions that you specify to verify their identity.


About user accounts
You can use the WatchGuard SSL Web UI to create user accounts in your Local User Database with one of these methods:

Add User Account
User Linking
User Import

Each of these methods gives you a different level of detail in the account settings. When you edit an account, you can change all account settings, regardless of the method you used to create the user account.

Add User Account
To manually add a user account to the Local User Database, select this method. It gives you the most flexibility in account configuration.

For more information, see ”Manually add a user account” on page 72.

User Linking
To create a basic user account based on an existing user in your External Directory Service, select this method. Basic information for the user account is automatically copied from the directory service and is added to the Local User Database.

For more information, see ”Link to a user account” on page 75.

User Import
To create multiple user accounts at one time, select this method to import a file with all the information for the user accounts you want to add.

For more information, see ”Import user accounts” on page 74.

User Account Search Result List
You can search for, disable, and delete user accounts on the Manage All User Accounts page.

1. Select User Management.
The Manage All User Accounts page appears.
2. To search for a user, in the Search by User ID field, type a User ID. You can use the * wildcard character to expand your search results.
3. From the Search by User ID drop-down list, select the search parameters.
4. Click Search.
5. To disable a user account, select the Disabled check box for the user account you want to disable, and click Save.
The user can no longer connect to the Application Portal or network resources, but the account is not removed.
6. To delete a user account, select the Delete check box for the user account you want to delete, and click Delete.
The user account is removed.


Manually add a user account
You can add user accounts to the Local User Database one at a time. This method gives you the most configuration options when you first create the account. When you add a user account, you can define custom attributes to add specific details to an account. For example, you can add an attribute that you use when you add the user to a user group.

To add a user account:

1. Select User Management.The User Accounts page appears.

2. From the User Accounts table, select Add User.The Add User Account page appears.

3. Type a User ID for the user.
4. To get user account information from your External Directory Service, click Link User.

The User Location in Directory and Display Name fields are populated with information from the External Directory Service account for the user.

5. If necessary, type a new Display Name for the user.
6. To add specific name=value information for the user, click Add Custom Attribute.

The Add Custom Attribute page appears.

7. Type the Name and Value information for the attribute. Click Next. The Add User Account page appears. The new attribute appears in the Custom Attributes list.

8. (Optional) You can add more attributes before you continue.

9. Click Next. The Add User Account page appears.

10. Select the check box for the WatchGuard authentication methods you want to enable for the user.
11. (Optional) Type the Email Address or SMS notification information for the user. Click Next.

The SSO Settings page appears.

12. If you want to define Single Sign-On (SSO) domains for this user, select and configure one or more SSO domains.

13. Click Finish Wizard. The new user account is created. The Manage All User Accounts page appears, with the new user account in the User Accounts table.

Import user accounts
You can import user accounts from a file to add many user accounts to your Local User Database at the same time.

The file you import must be a text (.txt) file with this information:

The first row contains the column headings that specify the fields in the import file.
Headings do not contain any spaces and are not case-sensitive.
Each row contains data for only one user.
If a row does not contain data, or begins with the comment sign, the row is ignored.

For more information about the user import file, see the subsequent section.

To import user accounts:

1. Select User Management. The User Accounts page appears.

2. Click Import User Account. The Manage User Import page appears.

3. From the Separator in File drop-down list, select the type of separator used in the file. The default separator is Comma.

4. Click Browse and select the file.
5. Click Import Users.

The file is imported and the user information is added to your Local User Database.

About the User Import File
The file you use to import user accounts must be a text file with information separated by commas, semicolons, or tabs, and must have only one user account per line. To create a user account, the import file must include at least the user ID and display name for each user account. When you import the file, the following information is automatically created for each user account, if it is not specified in the import file:

WatchGuard Access Number of Retries
WatchGuard Authentication Number of Retries
User Account Effective Dates

For these settings, the default value is set to the value specified in the Global User Account Settings.

The authentication methods you enable on the Global User Account Settings page are not applied to the user accounts you add when you import them in a file.
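The import-file rules above (a heading row with no spaces in the headings, one user per row, blank and comment rows ignored, a comma, semicolon or tab separator, and at least a user ID and display name per account) can be checked offline before the file is uploaded to the device, which avoids a half-imported user list. The validator below is an added example and not WatchGuard code; the heading names UserID and DisplayName and the # comment sign are assumptions, because the guide does not name the columns or the comment character, and the sample file is constructed.

```python
import csv

# Separator choices offered on the Manage User Import page.
SEPARATORS = {"comma": ",", "semicolon": ";", "tab": "\t"}

# Assumed heading names: the guide requires a user ID and a display name per
# row but does not name the columns, so these identifiers are hypothetical.
REQUIRED_HEADINGS = ("userid", "displayname")

# Assumed comment sign; the guide says comment rows are ignored but does not
# state which character marks them.
COMMENT_SIGN = "#"

# Constructed sample with one duplicate user ID and one short row.
SAMPLE_FILE = """\
# constructed sample import file
UserID,DisplayName,Email
jdoe,Jane Doe,jdoe@example.com

asmith,Adam Smith,asmith@example.com
jdoe,Duplicate Doe,dup@example.com
broken,Only Two Fields
"""


def parse_import_file(text, separator="comma"):
    """Parse an import file and return (users, errors).

    users is a list of dicts keyed by lower-cased heading (headings are
    case-insensitive); errors is a list of messages, each naming the line.
    Blank rows and rows that begin with the comment sign are skipped.
    """
    delim = SEPARATORS[separator]
    users, errors = [], []
    headings = None
    seen_ids = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith(COMMENT_SIGN):
            continue
        fields = next(csv.reader([raw], delimiter=delim))
        if headings is None:
            # The first data-bearing row is the heading row.
            headings = [h.strip().lower() for h in fields]
            for h in headings:
                if not h or " " in h:
                    errors.append(f"line {lineno}: heading {h!r} is empty or contains a space")
            missing = [h for h in REQUIRED_HEADINGS if h not in headings]
            if missing:
                errors.append(f"line {lineno}: missing required heading(s): {', '.join(missing)}")
            continue
        if len(fields) != len(headings):
            errors.append(f"line {lineno}: expected {len(headings)} fields, found {len(fields)}")
            continue
        row = dict(zip(headings, (f.strip() for f in fields)))
        for h in REQUIRED_HEADINGS:
            if h in row and not row[h]:
                errors.append(f"line {lineno}: empty value for {h}")
        uid = row.get("userid", "").lower()
        if uid and uid in seen_ids:
            errors.append(f"line {lineno}: duplicate user ID {row['userid']!r}")
        seen_ids.add(uid)
        users.append(row)
    if headings is None:
        errors.append("file has no heading row")
    return users, errors


def report(text, separator="comma"):
    """Human-readable summary for a quick pre-upload check."""
    users, errors = parse_import_file(text, separator)
    lines = [f"{len(users)} user row(s) parsed, {len(errors)} problem(s)"]
    lines.extend(errors)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FILE))
```

Run it against the real file with the separator you will select in the Separator in File drop-down list; a clean report means the heading row and required columns are present and no row will be silently skipped for the wrong reason.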

Link to a user account
You can link to an existing user account in your External Directory Service to create a basic user account in your Local User Database. Linked user accounts are added according to your default settings on the Manage Global User Account Settings page.

To link to a user account:

1. Select User Management. The User Accounts page appears.

2. Click Create User Account by Linking. The Manage User Linking page appears.

3. Type the User ID for the user you want to add.
4. Select a Notification method and Message Set for the user.
5. Click Link User.

The user account is added to your Local User Database and appears in the Manage All User Accounts table.

Repair a linked user account
If a user account is moved in the External Directory Service, the link is broken between the Local User Database and the External Directory Service. You can use the Link Repair wizard to repair or delete the broken account.

To repair a link for a user account:

1. Select User Management. The User Accounts page appears.

2. Click Repair Linked User Account. The User Link Repair page appears.

3. Click Start User Link Repair Wizard. The Overview page appears, with information about the first broken link.

4. Select an action.
5. Click Next.

The user link is repaired.

Edit user accounts
You can edit or delete information and settings for each user account, regardless of which method you used to add the account.

To edit a user account:

1. Select User Management. The User Accounts page appears.

2. In the User Accounts table, click the User ID for the account you want to edit. The Edit User Account page appears for the user you selected.

3. Select a tab and edit the information and settings for the user as necessary.
4. Click Save.

The user account is updated with the changes and the Manage All User Accounts page appears.

To delete a user account:

1. Select User Management. The User Accounts page appears.

2. In the User Accounts table, click the User ID for the account you want to delete. The Edit User Account page appears for the user you selected.

3. Click Delete. The Delete User Account page appears.

4. Click Yes to delete the account. The user account is deleted and the Manage All User Accounts page appears.

Manage Global User Account Settings
The Global User Account Settings are the default settings that apply to all user accounts. These settings are divided into three sections:

General Settings
Includes default settings for user account access, WatchGuard authentication, and timeouts.

User Linking
Includes options to enable WatchGuard Authentication methods for user accounts created by a linking method, and to set notification methods.

Auto Repair
Includes the option to enable the system to automatically repair user links.

To configure default user account settings:

1. Select User Management. The User Accounts page appears.

2. Click Global User Account Settings. The Manage Global User Account Settings page appears.

3. Configure the default settings on each tab as necessary. For more information about the settings on each tab, see the subsequent sections.

4. When you have completed the settings, click Save.

General Settings

Default Account Settings

Max Logon Retries
Set the maximum number of times users can try to log on with invalid credentials before the account is disabled. When set to 0, the user account is never disabled.

Account Expires In
Set the number of days the user account is active. When set to 0, the user account never expires.

Default Account Settings for WatchGuard Authentication

Max Logon Retries
Set the maximum number of times users can try to log on with invalid credentials for WatchGuard Authentication methods before the account is disabled. When set to 0, the user account is never disabled.

Account Settings for WatchGuard Authentication

Use groups
Select this option if you want to use group names when you manage user accounts. Group information is sent to the RADIUS client. The RADIUS client can then be configured to use this attribute for authorization.

Use framed IP address
Select this option to send the configured framed IP address to the system when a user authenticates.

Time Lock Timeout
Set the number of minutes before users can try to log on again after an account is disabled when the Time Lock Interval settings are reached.

Time Lock Interval
Set the number of times a user can try to log on with invalid credentials before the account is disabled.

Change Password/PIN Notification
Set the number of days before users are notified to change their passwords/PINs.

Timeout Settings
Configure timeout settings for inactivity, sessions, warnings, and active users.

Search Limit Settings
Configure the maximum number of results to include and display in search results.

User Linking
Select an option to enable WatchGuard Authentication methods when you manually or automatically create a user account by linking.

Notification
Select whether to send user notification messages by email or SMS.

Authentication Methods Settings
Select the authentication methods you want to automatically enable for linked user accounts.

Repair User Links
Select Automatically repair user links to automatically repair broken user account links when users authenticate.

About user groups
When you add your users to user groups, you can control the resources the users can select, or the actions users must take before they can select a resource.

User location groups
Select a user location group for all users in a specified location in the Local User Database.

For example: ou=administrators,dc=watchguard,dc=com

When you add a user to a user location group, authentication performance increases because no other authentication checks are performed. This can decrease flexibility for authentication.

About user property groups
Select a user property group for user accounts with similar properties, such as job function. WatchGuard SSL manages these properties as attributes that contain a source, name, and value.

Available attribute sources are: External directory service, Custom-defined, and RADIUS session. The attribute value you select must match the attribute name returned from the specified source type. When you select Custom-defined, you can use the user attributes specified on the General Settings page for user accounts.

You can define user property groups to help increase the performance of your WatchGuard SSL device.

About user location groups
User location groups contain all users who belong to a certain user group that is defined in your External Directory Service. You can use this group type to integrate your existing local user groups.

The advantage of this approach is high flexibility with low administration; however, it can decrease performance.

Add a user group
You can add a user location or user property group to categorize your user accounts.

To add a user group:

1. Select User Management. The User Accounts page appears.

2. Select User Groups in the left navigation menu. The Manage User Groups page appears.

This type cannot be added or modified.

3. Click Add User Group. The Add User Group page appears.

4. Select a user group type. Click Next.
5. Configure the settings for the user group.
6. To see all user accounts that match the settings you selected, click View Users.
7. Click Finish Wizard.

Search, edit, or delete user groups
You can search the user group list to filter the groups you see in the list. You can also edit or delete the user groups you created. Default system user groups cannot be edited or deleted; you can only see information about the user group.

Search the user group list
1. Select User Management.

The User Accounts page appears.

2. Select User Groups in the left navigation menu. The Manage User Groups page appears.

3. Type the value you want to search on in the Search Display Name field. To expand your search, you can use the * wildcard character.

4. Select the type of user group to search for in the drop-down list.
5. Click Search.

The user groups that match your search parameters appear.

Edit user group information
1. Select User Management.

The User Accounts page appears.

2. Select User Groups in the left navigation menu. The Manage User Groups page appears.

3. Click the Display Name for the user group you want to edit. The Edit User Group page appears.

4. Change the settings for the user group.
5. Click Save.

Delete a user group
1. Select User Management.

The User Accounts page appears.

2. Select User Groups in the left navigation menu. The Manage User Groups page appears.

3. Click the Display Name for the user group you want to edit. The Edit User Group page appears.

4. Click Delete. The Delete User Group page appears.

5. Click Yes. The user group is deleted.

About the External Directory Service
The External Directory Service is the external location where you can store user account information, for example, an Active Directory or LDAP server. You can select one or more directory service locations of different brands and types.

When you link the user accounts in your Local User Database to the External Directory Service, you can reuse the existing information for your user accounts. Linked user accounts have references to existing users and user groups that you can use for user authentication.

You must specify the host for the External Directory Service and define the search rules the system uses to find users and user groups. You can then link the accounts on your External Directory Service to the Local User Database.

About search rules
Your Local User Database uses search rules to match users and user groups. When you configure search rules, make sure you define them based on the directory structure of your organization and the user objects you want to use in your rules.

About directory mapping
Directory mapping enables you to use specified attributes to get the existing information from your External Directory Service so you can reuse this information in your Local User Database. For example, you can get passwords or email addresses so you do not have to specify them in WatchGuard SSL Web UI when you create or link user accounts.

Add an External Directory Service location
When you add an External Directory Service location you can link your Local User Database user accounts to your existing directory service. This enables you to reuse existing user account information and simplify user account creation.

To add an External Directory Service location:

1. Select User Management. The User Accounts page appears.

2. Select External Directory Service. The Manage External Directory Service page appears.

3. Click Add External Directory Service Location. The Add External Directory Service Location page appears.

4. Select the type of directory service. Click Next. The Add External Directory Service Location page appears.

5. Configure the settings for this External Directory Service location. Click Next. The Add External Directory Service Location page appears.

6. To add search rules for your users, click Add User Search Rule. Configure the search rule. Click Next. The External Directory Service Location Search Rules page appears.

7. To add search rules for your user groups, click Add User Group Search Rule. Configure the search rule. Click Next. The External Directory Service Location Search Rules page appears.

8. To verify that the connection to your External Directory Service is active, click Test Connection.
9. Click Finish Wizard.

The directory service is added and appears in the Registered External Directory Service Location list.

Edit an External Directory Service Location
You can edit an existing External Directory Service configuration to change the general and search rules settings, and to configure directory mapping settings. You can also delete an existing External Directory Service Location.

To edit an External Directory Service location:

1. Select User Management. The User Accounts page appears.

2. Select External Directory Service. The Manage External Directory Service page appears.

3. In the Registered External Directory Service Location list, click the Display Name of the directory service you want to change. The Edit Directory Service Location page appears.

4. Select a tab and edit the information and settings for the directory service as necessary.
5. Click Save.

To configure Directory Mapping settings:

1. Select User Management. The User Accounts page appears.

2. Select External Directory Service. The Manage External Directory Service page appears.

3. Click the Display Name of the directory service to which you want to add Directory Mapping attributes. The Edit Directory Service Location page appears.

4. Select the Directory Mapping tab.
5. Specify the attributes you want to use to get existing user account information from your External Directory Service.
6. Click Save.

To delete an External Directory Service location:

1. Select User Management. The User Accounts page appears.

2. Select External Directory Service. The Manage External Directory Service page appears.

3. In the Registered External Directory Service Location list, click the Display Name of the directory service you want to delete. The Edit Directory Service Location page appears.

4. Click Delete. The Delete External Directory Service Location page appears.

5. Click Yes to delete the location. The External Directory Service Location is deleted and the Manage External Directory Service page appears.

About Self Service
You can use Self Service to allow your users to get their own user information, such as a forgotten password or user name. You can also allow your users to activate their accounts. To get information from Self Service, users must answer a series of questions to verify their credentials before they get their information. You must have an External Directory Service configured to use Self Service. You cannot use Self Service if you have only a Local User Database.

Before you can use Self Service, you must enable and configure it. You can use the wizard to enable it and configure the settings, or you can manually enable it and configure the settings.

You can also disable Self Service. If you enable and then disable Self Service, you do not have to use the wizard to enable Self Service again.

Use the wizard to enable Self Service
You can use the WatchGuard SSL Self Service wizard to enable Self Service and configure the basic settings for you. This wizard is only available the first time you enable Self Service.

1. Select User Management > Self Service. The Manage Self Service page appears.

2. Click Yes - help me with the settings. The Manage Self Service page appears. Self Service is enabled by the system and partially configured.

3. To change the settings for Self Service, click Self Service Settings. The Manage Self Service Settings page appears.

For more information, see “Manage Self Service Settings” on page 89.

4. To complete the configuration, click the Modify System Challenges link and add or edit a System Challenge. The Manage System Challenges page appears.

For more information, see “Modify System Challenges” on page 91.

5. Click Save.

Manually enable and configure Self Service
You can choose to enable Self Service and configure the basic settings manually.

1. Select User Management > Self Service. The Manage Self Service page appears.

2. Click No - I will do the configuration myself. The Manage Self Service page appears. The Self Service Enabled check box is selected, but settings are not configured.

3. To configure the settings for Self Service, click Self Service Settings. The Manage Self Service Settings page appears.

For more information, see “Manage Self Service Settings” on page 89.

4. To complete the configuration, click the Modify System Challenges link and add or edit a System Challenge. The Manage System Challenges page appears.

For more information, see “Modify System Challenges” on page 91.

5. Click Save.

Disable and restore Self Service
You can choose to disable Self Service after it is enabled and configured. When you disable Self Service, all your configuration settings are saved, so you can enable it again later.

To disable Self Service:

1. Select User Management > Self Service. The Manage Self Service page appears.

2. Clear the Self Service Enabled check box. Self Service is disabled and all your configuration settings are saved.

To restore Self Service:

1. Select User Management > Self Service. The Manage Self Service page appears.

2. Select the Self Service Enabled check box. Self Service is enabled and all your configuration settings are restored.

Manage Self Service Settings
You can configure the settings for Self Service that allow your users to activate their accounts and get their user names or passwords if they lose them. You can add one or more challenges to each type of setting. When you add more than one challenge to a setting, the challenges are applied in the order you specify.

Self Service Settings types include:

Auto Activation Settings
Enable users to automatically activate their accounts.

Forgotten Password Settings
Enable users to find their forgotten passwords. You can choose to send a message to a secondary channel when the password is sent to the user.

Forgotten User Name Settings
Enable users to find their forgotten user names. You can configure the message that is sent to the user.

Advanced Settings
Set the amount of time users must wait between Self Service requests.

Before you can edit the setting type, you must have at least one system challenge. If there is not an available challenge, you can add one. For more information, see “Modify System Challenges” on page 91.

Add or delete a challenge
To add a challenge:

1. Select User Management > Self Service. The Manage Self Service page appears.

2. Click Self Service Settings. The Manage Self Service Settings page appears.

3. Click the Add link for the setting you want to modify. For example, Add Auto Activate Challenge.

4. Select a System Challenge from the drop-down list.
5. Click Add Challenge.

The challenge appears in the Registered Challenges list.

6. Click Up or Down to change the order in which each challenge is applied.
7. Click Save.

To delete a challenge:

1. Select User Management > Self Service. The Manage Self Service page appears.

2. Click Self Service Settings. The Manage Self Service Settings page appears.

3. In the Registered Challenges list for the setting you want to change, click Remove for the challenge you want to delete.

4. Click Yes to delete the challenge.
5. Click Save.

Configure Advanced Settings
You can set the amount of time users must wait after they have submitted one Self Service request before they can submit another request.

1. Select User Management > Self Service. The Manage Self Service page appears.

2. Click Self Service Settings. The Manage Self Service Settings page appears.

3. Find the Advanced Settings section.
4. In the Minimum time between requests field, type the number of hours users must wait between Self Service requests.
5. Click Save.

Modify System Challenges
System Challenges are used to confirm the identities of your users when they use Self Service. When users connect to Self Service, before they can get their account information, they must correctly answer a set of challenge questions that you select. You can add, edit, or delete System Challenges.

Add a System Challenge
To add a System Challenge:

1. Select User Management > Self Service. The Manage Self Service page appears.

2. Click Modify System Challenges. The Manage System Challenges page appears.

3. Click Add System Challenge. The Add System Challenge page appears.

4. Type the Display Name, Challenge Question, and Attribute Name. You can use the * wildcard character.

5. Click Finish Wizard. The system challenge appears in the Registered System Challenges list.

Edit a System Challenge
You can edit any of the fields for the System Challenges you add. For the default System Challenges, you can only edit the Display Name and Challenge Question fields.

1. Select User Management > Self Service. The Manage Self Service page appears.

2. Click Modify System Challenges. The Manage System Challenges page appears.

3. In the Registered System Challenges list, click the challenge you want to change. The Edit System Challenge page appears.

4. Update the settings for the system challenge.
5. Click Save.

Delete a System Challenge
You can only delete System Challenges that you add. You cannot delete the default System Challenges.

1. Select User Management > Self Service. The Manage Self Service page appears.

2. Click Modify System Challenges. The Manage System Challenges page appears.

3. In the Registered System Challenges list, click the challenge you want to delete. The Edit System Challenge page appears.

4. Click Delete.
5. Click Yes to delete the challenge.
6. Click Save.

4 Resource Access

About Resource Access
The WatchGuard SSL Application Portal enables you to give your users secure access to your network resources. You can create Application Portal items for access to applications, folders and files, and URLs as web or tunnel resources. Create a web resource to give your users access to an online application. Create a tunnel resource to give your users access to a client-server application.

To protect your resources, you configure access rules, authorization settings, and encryption levels to create seamless, secure access control. Users get access to resources through the WatchGuard SSL Application Portal.

You can collect resources that share logon credentials in Single Sign-On (SSO) domains. This allows users to submit their credentials once to get access to several resources. For added security, you can add access rules for your SSO settings. Access rules are also used to enforce the End-Point Security feature Abolishment, which deletes Internet Explorer session files, the client cache, and the browser history when the user session ends.

Resources
You can add and manage standard resources, tunnel resource hosts, tunnel resource networks, tunnel sets, web resource hosts, and the global settings for tunnels that enable your users to use your network resources.

For more information, see “About Resources” on page 94.

Client firewall
You can configure client firewall configurations to control traffic to and from the WatchGuard SSL Access Client.

For more information, see “About client firewalls” on page 128 and “About the Access Client” on page 227.

Access rules
Access rules are detailed requirements that users must meet to connect to resources. Available access rules include authentication methods, user group membership, date period, client IP address, client assessment, and client device. You can specify general access rules available for all resources or SSO domains, access rules that apply to individual resources, and global access rules that apply to all resources and SSO domains.

For more information, see “About access rules” on page 134.

Application Portal
The Application Portal is the WatchGuard SSL web portal that your users can log on to and use to connect to your corporate applications and resources from remote locations. In the Application Portal, the applications and resources appear as icons with link text and are called Application Portal items.

For more information, see “About the Application Portal” on page 139.

SSO domains
WatchGuard SSL SSO domains are configured to enable SSO for resources with the same user credentials. The SSO domain specifies how SSO is used for the resources included in the domain. When user credentials are modified, the changes are automatically applied to all resources in the SSO domain.

For more information, see “About SSO domains” on page 142.

About Resources
You can add, edit, and delete standard resources, tunnel resource hosts, tunnel resource networks, tunnel sets, web resource hosts, and the global settings for tunnels that enable your users to use your network resources. You can add restrictions to allow only specified users to see certain resources in the Application Portal.

For more information about resources, see:

“Manage Standard Resources” on page 94
“Manage Tunnel Resource Hosts” on page 99
“Manage Tunnel Sets” on page 103
“Manage Global Tunnel Set Settings” on page 110
“Manage Tunnel Resource Networks” on page 112
“Manage Web Resource Hosts” on page 114
“Manage Global Resource Settings” on page 120

Manage Standard Resources
You can add, edit, or delete Standard Resources for commonly used applications in your configuration. These resources are partially configured so you can set them up quickly. When you add a standard resource, you use the wizard to configure and create the resource in the Application Portal. When you edit a standard resource after you add it, you use the configuration pages to make any changes.

Standard resources are available for these applications:

Mail Resources
IMAP/SMTP
POP3/SMTP
Microsoft Outlook Web Access 2003
Microsoft Outlook Web Access 2007
Microsoft Outlook Client 2003/2007

WatchGuard Resources
Secure Remote Access to the Web UI

Portal Resources
Citrix Metaframe Presentation Server
Microsoft Sharepoint Portal Server 2003
Microsoft Sharepoint Portal Server 2007

Remote Control Resources
Microsoft Terminal Server 2003
Microsoft Terminal Server 2008

File Sharing Resources
Microsoft Windows File Share Access to Home Directory

Add a Standard Resource
1. Select Resource Access.

The Resources page appears.

2. Click Add Standard Resource. The Add Standard Resource page appears.

3. In the Standard Resources list, expand the group for the resource you want to add.
4. Click the standard resource.

Information about the standard resource appears in the right column.

5. Click Add this Standard Resource. The Add Standard Resource page appears.

6. Type a Display Name and (optional) a Description.
7. Configure the Special Settings.
8. Configure the Application Portal Settings.
9. Click Next.

The Manage Access Rules page appears.

10. Configure the access rules for this resource. For more information about Access Rules, see “About access rules” on page 134.

11. Click Next. The Add Standard Resource Summary page appears.

12. Click Finish Wizard.

Edit a Standard Resource
1. Select Resource Access.

The Resources page appears.

2. Select the resource you want to edit. Different buttons appear for the type of resource you selected.

3. Click the Edit option for the resource you selected.
4. Update the standard resource settings.
5. Click Save.

Delete a Standard Resource
1. Select Resource Access.

The Resources page appears.

2. Select the resource you want to delete. Different buttons appear for the type of resource you selected.

3. Click the Edit option for the resource you selected.
4. Click Delete.
5. Click Yes.

The standard resource is removed from the Resources list.

Manage Tunnel Resource Hosts
You can add, edit, or delete tunnel resource hosts for client-server applications that are not web-enabled, such as Remote Desktop. Tunnels route TCP/UDP traffic between the client and the server over a protected SSL connection. An active tunnel is not part of the HTTP communication, even if the tunnel was initiated by an HTTP request. The tunnel closes when both ends of the connection are closed.

To add a tunnel resource to the Application Portal, you configure a tunnel set with static and/or dynamic tunnels for the resource. You can set security levels with access rules for specific client applications and servers. If you add a tunnel resource with web-based authentication, the WatchGuard SSL Access Client is not used. Instead users must authenticate to the Application Portal with the WatchGuard SSL Web authentication method.

Add a Tunnel Resource Host

1. Select Resource Access.

The Resources page appears.


2. Click Add Tunnel Resource Host.

The Add Tunnel Resource Host page appears.

3. Type a Display Name and (optional) a Description.
4. Type the Host address.
5. Type the TCP Port and/or UDP Port.
6. To add another host address, click Add Alternative Host. Click Add.
7. To use SSO with this tunnel, select an SSO check box and domain.


8. Click Next.

The Add Tunnel Resource Host page appears.

9. Configure the access rules for this resource.

For more information, see "About access rules" on page 134.

10. Click Next.

The Add Tunnel Resource Host Summary page appears.

11. To configure Access Settings or Authorization Settings for this resource, click Advanced Settings.

For more information, see "Tunnel Resource Hosts Advanced Settings" on page 102.


12. Click Next.

The Add Tunnel Resource Host Summary page appears.

13. Click Finish Wizard.

Edit a Tunnel Resource Host

1. Select Resource Access.

The Resources page appears.

2. Select the Resource Name for the resource you want to edit.
3. Click Edit Resource Host.
4. Update the tunnel resource host settings.
5. Click Save.

Delete a Tunnel Resource Host

1. Select Resource Access.

The Resources page appears.

2. Select the Resource Name for the resource you want to delete.
3. Click Edit Resource Host.
4. Click Delete.
5. Click Yes.

The Tunnel Resource Host is removed from the Resources list.

Tunnel Resource Hosts Advanced Settings

You can configure the Advanced Settings for this Tunnel Resource Host to set the access and authorization settings.

Access Settings

Connect via proxy
Select this check box to use a proxy server to connect to this resource.


Authorization Settings

Use these settings to specify how users can connect to this resource.

Automatic Access
Select this check box to enable users to automatically access this resource. When Automatic Access is enabled, user session timeouts are not affected.

Max Inactivity Time
Select this check box and specify the number of minutes a user session can be inactive before the user session times out.

Absolute Timeout
Select this check box and specify the maximum number of minutes a user can be connected before the user session times out.

Manage Tunnel Sets

Tunnel Sets can include one or more tunnel resources, with one or more static and/or dynamic tunnels for each resource in the set. You can add these tunnel sets to your Application Portal for each tunnel resource that you configure. Your users can click on an icon in the Application Portal and use the WatchGuard SSL Access Client to connect to the tunnel resources in that tunnel set. The Access Client is available in two application formats: Win32 (ActiveX Web loader) or Java (Java Applet Web loader).

Advanced settings for the tunnel set include mapped drives, client configuration, and local lookups. The local lookups define the host addresses that resolve on the client if no external DNS record is found. Local lookups are checked before any external DNS, so the external DNS can be overridden.

Static tunnels
Static tunnels are configured to tunnel resources on the local interface with a single port, and can be used on all platforms.

Dynamic tunnels
Dynamic tunnels are configured to tunnel resources with any IP address on one or a range of ports, and can only be used on Windows platforms.

Access rules
The tunnel resources you collect in a tunnel set are protected by access rules. You can also apply access rules to the tunnel set itself, to control how and when users can get access to the tunnel set. You can include the same tunnel resource in several tunnel sets. This enables you to associate tunnel sets with different levels of access control, for example for different user groups.

Access client
When a user clicks an icon for a tunnel set in the Application Portal, the Access Client loads the tunnel with either an ActiveX Web loader or a Java Applet loader.

The Session Time-Out setting (on the Global User Account Settings page) controls the validity time for a session.

You must have administrator privileges on the client the first time you use the ActiveX loader. If your configuration includes local lookups and DNS forwarding, you must have administrator privileges on the client each time they are used with the on-demand Access Client. Administrator privileges are not required to use local lookups with the installed Access Client.

Access control of a specific tunnel resource is always done using the access rules configured for that tunnel resource. The only use of access rules on a tunnel set is to make the associated icon in the Application Portal subject to access control as well.


Add a Tunnel Set

1. Select Resource Access.

The Resources page appears.

2. Click Add Tunnel Set.

The Add Tunnel Set page appears.

3. Type a Display Name.
4. Select the Icon and Link Text to appear in the Application Portal.


5. Click Next.

The Add Tunnel Set page appears.

6. To add a tunnel, click Add Static Tunnel or Add Dynamic Tunnel.
7. Configure the settings for the tunnel. Click Next.

The tunnel appears in the Static Tunnels or Dynamic Tunnels list.

8. Click Next.

The Manage Startup Settings page appears.

9. (Optional) Configure Startup Command and Redirect URL settings.
10. Click Next.
11. Configure the access rules for this resource.

For more information about Access Rules, see ”About access rules” on page 134.


12. Click Next.

The Add Tunnel Set Summary page appears.

13. To configure settings for lookups, drives, or clients, click Advanced Settings.

The Advanced Settings page appears.

14. Configure any advanced settings. Click Next.
15. Click Finish Wizard.

Edit a Tunnel Set

1. Select Resource Access.

The Resources page appears.

2. Select the tunnel set you want to edit.
3. Click Edit Tunnel Set.
4. Update the settings for the tunnel set.
5. Click Save.

Delete a Tunnel Set

1. Select Resource Access.

The Resources page appears.

2. Select the resource you want to delete.
3. Click Edit Tunnel Set.
4. Click Delete.
5. Click Yes.

The Tunnel Set is removed from the Resources list.

Tunnel Set Advanced Settings

You can configure the settings for local lookups, mapped drives, clients, DNS and WINS forwarding, and Internet firewall configurations.

For instructions to configure these settings for the Tunnel Set, see ”Manage Tunnel Sets” on page 103.

Local Lookups

You can add local lookups to define the host addresses to resolve on the client if no external DNS record is found. Local lookups and DNS forwarding require the user to always have administrator rights on the client. If your users install the Access Client rather than use the on-demand Access Client, they do not have to have administrator rights.


To specify lookups, you add a fully qualified domain name, or a domain name with the * wildcard character, and an IP address. If the tunnel is dynamic, use the virtual IP address for the dynamic tunnel. If the tunnel is static, use 127.0.0.1.

Domain Name
A fully qualified domain name. You can also use the * wildcard character with a partial domain name. For example, mailserver.*.

IP Address
The domain name is translated to the IP address you specify.
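The lookup order described above, as an added example that is not WatchGuard code: local lookup entries (FQDN or a * pattern such as mailserver.*) are consulted before external DNS, so a local entry overrides an external record for the same name. The lookup table, the dynamic-tunnel virtual IPs and the stand-in external resolver are constructed for the example.

```python
"""Local lookup resolution on the Access Client.

Added example, not WatchGuard code. It models how the Local Lookups in a
Tunnel Set's Advanced Settings are consulted before external DNS: an entry
is a fully qualified domain name, or a name with the * wildcard such as
"mailserver.*", mapped to 127.0.0.1 for a static tunnel or to the virtual
IP address of a dynamic tunnel. The lookup table, the virtual IPs and the
external resolver below are constructed for the example.
"""
import fnmatch

STATIC_TUNNEL_IP = "127.0.0.1"

# Constructed lookup table: (domain name or pattern, IP address).
# Order matters: the first matching entry wins.
LOCAL_LOOKUPS = [
    ("intranet.example.com", STATIC_TUNNEL_IP),   # static tunnel on localhost
    ("mailserver.*", "10.255.0.5"),                # dynamic tunnel, constructed virtual IP
    ("*.corp.example.com", "10.255.0.6"),          # dynamic tunnel, constructed virtual IP
]

# Constructed stand-in for the client's external DNS resolver.
EXTERNAL_DNS = {
    "intranet.example.com": "203.0.113.10",   # overridden by the local lookup above
    "www.example.com": "203.0.113.20",
}


def normalise(name):
    """DNS names are case-insensitive; a trailing dot is ignored."""
    return name.strip().lower().rstrip(".")


def matches(entry, name):
    """Exact match for an FQDN entry, glob match when the entry has a *."""
    entry = normalise(entry)
    if "*" in entry:
        return fnmatch.fnmatchcase(name, entry)
    return entry == name


def resolve(name, lookups=LOCAL_LOOKUPS, external=EXTERNAL_DNS):
    """Return (ip, source); source is 'local', 'external' or 'unresolved'.

    Local lookups are checked first, so they override any external DNS
    record for the same name, which is the behaviour the guide describes.
    """
    name = normalise(name)
    for entry, ip in lookups:
        if matches(entry, name):
            return ip, "local"
    ip = external.get(name)
    if ip is not None:
        return ip, "external"
    return None, "unresolved"


def tunnel_kind(ip):
    """Classify a local lookup target the way the guide does."""
    return "static" if ip == STATIC_TUNNEL_IP else "dynamic"
```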

Mapped Drives

You can add mapped drives to the Tunnel Set drives to map your network resources (printers or drives) to drive letters on your network. When you add a mapped drive, you specify the path to a mapped network resource. You can also specify a drive letter for the drive or printer to which the resource host is mapped. If the drive you select is already in use, the next available drive letter is used. You can specify a drive letter here and combine it with a Startup Command that you defined. You can also use cached credentials.

Supported path variables include:

[$ehost] The WatchGuard SSL device server name and port number.

[$eprot] The HTTP or HTTPS protocol.

[$uid] The external user name.

[$iuid] The internal user name, usually [$uid].

To add a Tunnel Set Mapped Drive, configure these General Settings:

Network Resource
The path to the mapped network resource. For example, \\192.168.12.55\[$uid].

Drive Letter
The drive letter to which the resource host is mapped. For example, M:. This can be a drive or a printer.

Use cached credentials
Select this option to automatically use cached credentials (Windows domain credentials) to map a drive. This option is selected by default.

Access Client Loader

Specify the client loader method you want to use for the Access Client.

Loader options include:

ActiveX / Java Applet The system tries the ActiveX loader first. If it does not work, the Java Applet is used.

ActiveX The system only uses the ActiveX loader.

Java Applet The system only uses the Java Applet loader.

If you select any of the Java Applet options, you can also use Java rather than the Java Applet.

Run VPN client in Java
Select this check box to use Java, not the Java Applet.


Additional Client Configuration

You can configure your clients to use shutdown commands to automate some commands from the client. For example, to close a mapped drive or shut down a Tunnel Set for a user.

You can configure these options:

Shutdown Command
Define the commands you want to run automatically when this tunnel is shut down. You can define more than one command for each Tunnel Set.

Some commands require users to confirm or deny the action before the command runs. These default trusted commands run automatically:

outlook
explorer
explorer /e
explorer /e,A: to Z:

Supported command variables include:

[$ehost] — The WatchGuard SSL device server name and the port number
[$eprot] — HTTP or HTTPS
[$uid] — External user name
[$iuid] — Internal user name, usually [$uid]
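Variable expansion for Mapped Drive paths and Shutdown Commands, as an added example that is not WatchGuard code: the four variables listed above are substituted, and each expanded shutdown command is classified as one of the guide's default trusted commands (runs automatically) or as one that needs the user's confirmation. The device host, user names and sample commands are constructed.

```python
"""Command variable expansion and trusted-command check for a Tunnel Set.

Added example, not WatchGuard code. It expands the variables the guide
lists for Mapped Drive paths and Shutdown Commands ([$ehost], [$eprot],
[$uid], [$iuid]) and reports which expanded shutdown commands are in the
guide's default trusted list (they run automatically) and which need the
user's confirmation. The device host, user names and sample commands are
constructed for the example.
"""
import re

VARIABLE = re.compile(r"\[\$(ehost|eprot|uid|iuid)\]")

# Default trusted commands from the guide. "explorer /e,A: to Z:" is read
# as "explorer /e," followed by any single drive letter.
TRUSTED_EXACT = {"outlook", "explorer", "explorer /e"}
TRUSTED_DRIVE = re.compile(r"^explorer /e,[A-Za-z]:$")


def expand(text, ehost, eprot, uid, iuid=None):
    """Replace the supported variables; [$iuid] defaults to [$uid]."""
    values = {
        "ehost": ehost,
        "eprot": eprot,
        "uid": uid,
        "iuid": iuid if iuid is not None else uid,
    }
    # Anything that is not one of the four supported variables is left as-is.
    return VARIABLE.sub(lambda m: values[m.group(1)], text)


def is_trusted(command):
    """True when the command runs without asking the user to confirm."""
    command = command.strip()
    return command in TRUSTED_EXACT or TRUSTED_DRIVE.match(command) is not None


def plan_shutdown(commands, ehost, eprot, uid, iuid=None):
    """Return [(expanded command, 'auto' | 'confirm'), ...] in order."""
    plan = []
    for command in commands:
        expanded = expand(command, ehost, eprot, uid, iuid)
        plan.append((expanded, "auto" if is_trusted(expanded) else "confirm"))
    return plan


# Constructed sample values for a stand-alone run.
DEVICE = "sslgw.example.com:443"
SAMPLE_COMMANDS = [
    "outlook",
    "explorer /e,M:",
    r"net use M: \\192.168.12.55\[$uid] /delete",
    "start [$eprot]://[$ehost]/logout",
]

if __name__ == "__main__":
    for cmd, mode in plan_shutdown(SAMPLE_COMMANDS, DEVICE, "https", "jdoe"):
        print(mode, cmd)
```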

Error Codes to Suppress
You can configure a list of specific error codes to suppress pop-up messages. Type the error codes as a comma separated list of 7-digit error codes.

Fallback Tunnel Set
Select the fallback tunnel set to use if the client computer is not able to load the ActiveX component or the Windows native client (with dynamic tunnels).

Specific Settings

If you include Microsoft Outlook in the applications for this tunnel set, we recommend that you enable support for the MS Outlook patch. This patch solves a problem with Windows 2000 client authentication.

Support MS Outlook patch for Windows 2000
Select this check box to enable support for the MS Outlook patch. The patch is supported when the client is on a Windows 2000 platform and is part of a domain.

Provide IP Address

You can select to specify a unique IP address for the client from the IP address pool. When you enable this option, if you add IP addresses from the IP address pool to a tunnel resource, the clients that use those IP addresses can connect to each other when they are connected to the network.

Provide the client with an IP address from the IP address pool or an external DHCP server.
Select this check box to use an IP address from the IP address pool or an external DHCP server for the client.

DNS Forwarding

Enable DNS Forwarding
Select this check box to temporarily redirect the DNS server for the client to the DNS server you specify in the global tunnel set settings. This option is only available if you specified a DNS server for the client.


WINS Forwarding

Enable WINS Forwarding
Select this check box to temporarily redirect the WINS server for the client to the WINS server you specify in the global tunnel set settings. This option is only available if you specified a WINS server for the client.

Client Firewall

Internet Firewall Configuration
Select an available firewall configuration to use for this tunnel set. To select a configuration, you must first Add an Internet Firewall Configuration.

Restrict User Editable Preferences

Restrict User Editable Preferences
Select this check box to disable the Preferences and Favorites options in the Access Client menu.


Manage Global Tunnel Set Settings

You can configure connection settings for the WatchGuard SSL Access Client that apply to all your tunnel sets.

1. Select Resource Access.

The Resources page appears.

2. Click Manage Global Tunnel Set Settings.

The Manage Global Tunnel Set Settings page appears.

3. Configure the settings for your tunnel sets.

Use External DHCP
Select this check box to use an existing external DHCP server to assign IP addresses to the Access Client from the network. To use this setting, you must select the Provide IP Address check box in the tunnel set that uses DHCP.

DHCP Server
Specify the host address of the DHCP Server you want to use.

IP Address Pool
Specify a range of IP addresses for the IP address pool. The IP address pool is used to define a set of IP addresses to assign to clients. This enables the WatchGuard SSL device to route traffic from the system to the clients. This option is disabled if External DHCP is defined.


Timeout (Optional)
Specify how long the Access Client waits for a response when it fails to get an IP address from the IP address pool, and when it detects possible IP address conflicts on the internal network. This timeout is set to 100 milliseconds by default.

DNS Server
Specify the IP address or DNS name of the DNS server used for DNS forwarding. When you enable DNS forwarding for a tunnel set, the client's DNS server is temporarily redirected to the DNS Server you specify. Local lookups take precedence, and can override any external DNS.

WINS Server
Specify the IP address or name of the WINS server used for WINS forwarding. When you enable WINS forwarding for a tunnel set, the client's WINS server is temporarily redirected to the WINS server you specify. Local lookups take precedence, and can override any external WINS.

4. Click Save.


Manage Tunnel Resource Networks

Tunnel resource networks are a range or collection of IP addresses and ports that include tunnel resource hosts. When you add a tunnel resource host with an IP address inside a tunnel resource network, it is automatically included in the network. You can also add tunnel resource hosts outside the tunnel resource network.

You can use access rules to set the security levels for specific client applications and servers in your tunnel resource networks. You can also specify exceptions, which are tunnel resources that have different access controls than the network.

Add a Tunnel Resource Network

To add tunnel resource hosts outside the tunnel resource network:

1. Select Resource Access.

The Resources page appears.

2. Click Add Tunnel Resource Network.

The Add Tunnel Resource Network page appears. The resource is enabled by default.

3. If you want to add the tunnel resource network, but not enable it, clear the Enable resource check box.
4. Type a Display Name for this resource.
5. (Optional) Type a Description for this resource to identify it in the Resources list.
6. Type the IP Address Range for this resource.
7. Type the TCP Port Set and/or the UDP Port Set for this resource.
8. If you want to use SSO (Single Sign-On) for a file share or remote desktop connections, select the related check box and select a domain from the drop-down list.
9. Click Next.

The Add Tunnel Resource Network page appears.

10. Configure the access rules for this resource.

For more information about Access Rules, see "About access rules" on page 134.

11. Click Next.

The Add Tunnel Resource Network Summary page appears.


12. To configure settings for lookups, drives, or clients, click Advanced Settings.

The Advanced Settings page appears.

13. Configure the advanced settings. Click Next.

The Add Tunnel Resource Network Summary page appears.

14. Click Finish Wizard.

Edit a Tunnel Resource Network

1. Select Resource Access.

The Resources page appears.

2. Select the Tunnel Resource Network you want to edit.
3. Click Edit Tunnel Resource Network.

The Edit Tunnel Resource Network page appears.

4. Update the settings for the Tunnel Resource Network.
5. Click Save.


Delete a Tunnel Resource Network

1. Select Resource Access.

The Resources page appears.

2. Select the Tunnel Resource Network you want to delete.
3. Click Edit Tunnel Resource Network.
4. Click Delete.
5. Click Yes.

The Tunnel Resource Network is removed from the Resources list.

Manage Web Resource Hosts

Web resource hosts are applications with a web interface, or files accessible with a web browser.

A Web resource has a resource host, or root, that may have one or more resource paths connected to it. The resource host defines an HTTP or HTTPS server based on a URI (Uniform Resource Indicator). The resource path defines a subset of a web server, so you can restrict user access for only that subset.

For example:

Host — https://www.example.com

Path — https://www.example.com/securefolder/securepage.html

When you use Web resource paths, you can set your own security levels with access rules for specific applications and files. You can also choose to allow Web resource paths to get authorization settings (access rules and advanced settings) from the parent Web resource host or path.

Single Sign-On

When SSO is enabled and used, it performs a POST or a GET request to a URL. The form data usually includes a user name and a password together with some static fields. The variables [$username], [$password], and [$domain] are replaced by the stored user name, password and NTLM domain from the SSO database. If the back-end server requires the logon request to include specific headers, you can add them as additional headers.

For example:

User-Agent: Mozilla/4.6 Enterprise Edition (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Accept: */*
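How the SSO logon request is assembled, as an added example that is not WatchGuard code: the [$username], [$password] and [$domain] placeholders in the form data are filled from the stored SSO record, additional headers in the "Name: value" form shown above are attached, and the result is a POST body or a GET query string. The request is only built, never sent; the URL, form fields and credential record are constructed.

```python
"""Building the Single Sign-On logon request for a Web resource.

Added example, not WatchGuard code. The form template uses the guide's
[$username], [$password] and [$domain] variables; the SSO record stands
in for the SSO database entry. Nothing here performs network I/O.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

SSO_VARIABLES = ("username", "password", "domain")


def fill(value, record):
    """Replace each [$name] placeholder with the stored value."""
    for name in SSO_VARIABLES:
        value = value.replace("[$%s]" % name, record[name])
    return value


def parse_headers(text):
    """'Name: value' lines, one header per line, as in the guide's example."""
    headers = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def build_sso_request(method, url, form, record, extra_headers=""):
    """Return (method, url, headers, body) for the SSO logon request.

    POST carries the filled form as an application/x-www-form-urlencoded
    body; GET appends it to the URL's query string.
    """
    fields = {name: fill(template, record) for name, template in form.items()}
    encoded = urlencode(fields)
    headers = parse_headers(extra_headers)
    if method == "POST":
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        return method, url, headers, encoded
    if method == "GET":
        parts = urlsplit(url)
        query = parts.query + "&" + encoded if parts.query else encoded
        return method, urlunsplit(parts._replace(query=query)), headers, ""
    raise ValueError("SSO uses POST or GET")


# Constructed sample input.
LOGON_URL = "https://intranet.example.com/login.aspx"
LOGON_FORM = {
    "user": "[$username]",
    "pass": "[$password]",
    "dom": "[$domain]",
    "action": "login",          # a static field the back-end expects
}
SSO_RECORD = {"username": "jdoe", "password": "constructed-secret", "domain": "CORP"}
EXTRA_HEADERS = (
    "User-Agent: Mozilla/4.6 Enterprise Edition (compatible; MSIE 6.0; "
    "Windows NT 5.1; .NET CLR 1.1.4322)\n"
    "Accept: */*\n"
)
```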


Add a Web Resource Host

1. Select Resource Access.

The Resources page appears.

2. Click Add Web Resource Host.

The Add Web Resource Host page appears.


3. Configure the settings for the Web Resource Host.

General Settings
Set the Display Name, Description, Host, HTTP Port, and HTTPS Port information.

Alternative Hosts
Add, edit, or delete alternative hosts for this resource.

Click Automatically Generate Alternative Hosts to generate alternative hosts from the host and port information you set. If you want to add, edit, or delete these alternative hosts, you must select the Manually configure alternative hosts check box.

Select the Manually configure alternative hosts check box to generate default alternative hosts from the host and port information you set. You can then select the alternative hosts the system generates and edit or delete them. You can also add more alternative hosts.

Single Sign-On
To enable this feature, select the Enable Single Sign-On check box. Select the Single Sign-On Type and SSO Domain.

Application Portal Settings
To add this resource to the Application Portal, select the Make resource available in Application Portal check box. Select the Icon and Link Text that appear in the Application Portal for this resource.


4. Click Next.

The Add Web Resource Host page appears.

5. Configure the access rules for this resource.

For more information about Access Rules, see "About access rules" on page 134.

6. Click Next.

The Add Web Resource Host Summary page appears.


7. To configure settings for access, authorization, and encryption, click Advanced Settings.

The Advanced Settings page appears.

8. Configure the Advanced Settings.
9. Click Next.
10. Click Finish Wizard.


Edit a Web Resource Host

1. Select Resource Access.

The Resources page appears.

2. Select the web resource host you want to edit.
3. Click Edit Resource Host.
4. Update the settings for the Web Resource Host.
5. Click Save.

Delete a Web Resource Host

1. Select Resource Access.

The Resources page appears.

2. Select the web resource host you want to delete.
3. Click Edit Resource Host.
4. Click Delete.
5. Click Yes.

The Web Resource Host is removed from the Resources list.

Web Resource Host Advanced Settings

You can configure the Advanced Settings for a Web Resource Host to set the Access Settings, Authorization Settings, and Encryption Level.

Access Settings

Link Translation Type
Select the link translation type — URL Mapping, Pooled DNS Mapping, or Reserved DNS Mapping.

The default setting is URL Mapping.

If you select Pooled DNS Mapping, the resource is automatically assigned a DNS name when it is used.

If you select Reserved DNS Mapping, the Mapped DNS Name for HTTP list appears. Choose a DNS name in the list to specify a DNS name for the resource. You can only assign reserved mapped DNS names that are not used for any other Web resource.

Server DNS Name
Type the name of the DNS server to use for communication with the internal server. If you do not specify a DNS server name, the host address is used.

Connect via proxy
Select this check box to connect to the DNS server with a proxy connection.

Forward cookies between client and resource
Select this check box to forward cookies between the client and the resource.

Cookies to check
Type the name of the cookies you want to allow or block. You can use the * wildcard character. Select to Allow or Block the cookies you specified.

Use NTLM v2
Select this check box to use NTLM v2 when possible.


Authorization Settings

Require exact path match
Select this check box to apply the access rules for this Web Resource Host to only this path. To apply the access rules for this resource to this path and all paths that begin with this path, clear this check box.

Automatic access
Select this check box to enable automatic access to the web resource path. When this automatic access is enabled, user session timeouts are not affected.

Cache MIME Types
Type the MIME types that you want the client browser to cache. You must use the text/html format.

Use Expression of Will
Select this option to require users to authenticate for each resource they select in the Application Portal.

Use Timeout
Select this option to use timeout settings to set when users must authenticate again.

Max Inactivity Time
Select this check box to set the maximum amount of time user connections can be inactive before their sessions are disconnected. Type the timeout time in minutes.

Absolute Timeout
Select this check box to disconnect user sessions after a specified amount of time, regardless of their activity. Type the timeout time in minutes.
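The Authorization Settings above (and the same Automatic Access, Max Inactivity Time and Absolute Timeout options on a Tunnel Resource Host) as one decision function, added here as an example that is not WatchGuard code. It assumes the timeouts are evaluated before any per-resource authentication rule; the settings class, session record and decision strings are this example's.

```python
"""Authorization Settings evaluated as a decision function.

Added example, not WatchGuard code. It models Use Expression of Will,
Use Timeout with Max Inactivity Time and Absolute Timeout, and Automatic
Access as the guide describes them. The assumption that the two timeouts
are checked before any other rule, and the names used, are this example's.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set


@dataclass
class AuthorizationSettings:
    expression_of_will: bool = False       # authenticate for each selected resource
    use_timeout: bool = True               # otherwise the timeouts below are ignored
    max_inactivity_minutes: Optional[int] = None   # None: check box cleared
    absolute_timeout_minutes: Optional[int] = None
    automatic_access: bool = False


@dataclass
class Session:
    authenticated_at: datetime
    last_activity_at: datetime
    resources_authenticated: Set[str] = field(default_factory=set)


def timeout_state(settings, session, now):
    """Return 'active', 'absolute-timeout' or 'inactivity-timeout'."""
    if not settings.use_timeout:
        return "active"
    limit = settings.absolute_timeout_minutes
    if limit is not None and now - session.authenticated_at >= timedelta(minutes=limit):
        return "absolute-timeout"
    limit = settings.max_inactivity_minutes
    if limit is not None and now - session.last_activity_at >= timedelta(minutes=limit):
        return "inactivity-timeout"
    return "active"


def authorize(settings, session, resource, now):
    """Decide one request for `resource` and refresh the activity clock on success.

    Automatic Access skips the per-resource authentication but, as the guide
    says, leaves the session timeouts unaffected, so they are checked first.
    """
    state = timeout_state(settings, session, now)
    if state != "active":
        return state
    needs_reauth = (
        settings.expression_of_will
        and not settings.automatic_access
        and resource not in session.resources_authenticated
    )
    if needs_reauth:
        return "reauthenticate"
    session.last_activity_at = now
    return "allow"


def reauthenticate(session, resource, now):
    """Record a successful per-resource authentication (Expression of Will)."""
    session.resources_authenticated.add(resource)
    session.last_activity_at = now


# Constructed clock for a stand-alone run: the guide's revision date.
T0 = datetime(2009, 6, 26, 9, 0)


def at(minutes):
    """Helper: the instant `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)
```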

Encryption Level

Require SSL
Select this check box to require your users to use SSL to connect to resources.

Encryption Level
Select the level of encryption to use with SSL.

Manage Global Resource Settings

Global resource settings apply to all resources in the WatchGuard SSL system. The global settings are grouped in these categories:

Internal proxy
DNS name and DNS name pool
Filters
Link translation
Client access
Trusted gateways
Cookies and cache control


Configure settings for global resources

1. Select Resource Access.

The Resources page appears.

2. Click Manage Global Resource Settings.

The Manage Global Resource Settings page appears.

3. Click a tab to configure the settings for that category.

For more information about the settings, see the topic for each category.

4. Click Save.

Make sure you save your changes before you leave a page. If you do not save your changes before you leave a page, all your changes are lost.


General Settings

You can specify addresses for internal proxies on the General Settings tab. The addresses are used when a resource is accessed through a cache or an ordinary proxy server. You can select to use NTLM v2 for HTTP and HTTPS proxies. If you have authentication problems, disable NTLM v2.

You can configure settings for these internal proxies:

HTTP
HTTPS
TCP

The TCP proxy is used for the WatchGuard SSL Access Client.

You can also configure Internal Host Access to specify which addresses are used for resources reached through a cache or ordinary proxy server.

To configure proxy settings:

1. Select the General Settings tab.
2. For each proxy, type a Host and Port, and select whether to Use NTLM v2.
3. In the Internal Host Access section, select whether to Validate the server certificate.
4. If you select to validate the certificate, select a CA Certificate from the drop-down list.
5. Click Save.

DNS name pool

To improve link translation and to use multiple DNS domains, you can configure the DNS name pool. Multiple DNS domains allow several customers to be hosted on the same WatchGuard SSL device, each with its own logon page design and Application Portal design.

The registered DNS names define the pool of available DNS names. To use multiple DNS domains, you define several DNS names for the device.

When a user makes a request using a registered mapped DNS name, the device looks up which server to connect to and which protocol to use, and sends the request to this server.

WatchGuard SSL has three methods of DNS mapping:

URL mapping
The resource is mapped to a path instead of a mapped DNS name.

Reserved DNS mapping
The resource is mapped to a specific DNS name.

Pooled DNS mapping
The resource is assigned a DNS name on the first device request to an internal server.

When you add or edit a resource, you can specify which method of DNS mapping you want to use.

A DNS name for the device is defined by a host name and relative file path to the content of the wwwroot that appears when you use the corresponding DNS name. For example, if the host name is myexample.com the wwwroot is wwwroot/myexample. We recommend that you define the host name as a DNS name, but you can also use an IP address.

The default DNS Name and WWW ROOT for each device are (default) and wwwroot. You cannot edit or delete the default DNS name.

All DNS names must also be registered with a public DNS server, or written to the hosts file on the client computer that uses the system.


DNS Name Pool entries must end with the same string as an entry in the Registered DNS Names for Device list. For example, if the DNS Name for a device is my.example.com, the DNS Name Pool entry is www.my.example.com.

Add a DNS name for a device

1. Select the DNS Name Pool tab.
2. Click Add DNS Name for Device.

The Add DNS Name for Device page appears.

3. Type a DNS Name for the device.
4. Type the path to the WWW Root folder.
5. Click Add.

The DNS name appears in the Registered DNS Names for Device list.

Edit a DNS name for a device

1. Select the DNS Name Pool tab.
2. Click a device in the Registered DNS Names for Device list.

The Edit DNS Name for Device page appears.

3. Update the DNS Name and the WWW Root details.
4. Click Save.

The DNS name appears in the Registered DNS Names for Device list.

Delete a DNS name for a device

1. Select the DNS Name Pool tab.
2. Click a device in the Registered DNS Names for Device list.

The Edit DNS Name for Device page appears.

3. Click Delete.
4. Click Yes.
5. Click Save.

The DNS name is removed from the Registered DNS Names for Device list.

Add a DNS name to the pool

1. Select the DNS Name Pool tab.
2. Click Add DNS Name to Pool.

The Add DNS Name to DNS Name Pool page appears.

3. Type a DNS Name that you want to add to the pool.
4. Click Add.

The DNS name appears in the DNS Name Pool list.

Edit a DNS name in the pool

1. Select the DNS Name Pool tab.
2. Click a name in the DNS Name Pool list.

The Edit DNS Name in DNS Name Pool page appears.

3. Type a new DNS Name.
4. Click Update.

The DNS name appears in the DNS Name Pool list.


Delete a DNS name in the pool

1. Select the DNS Name Pool tab.
2. Click a name in the DNS Name Pool list.

The Edit DNS Name in DNS Name Pool page appears.

3. Click Delete.
4. Click Yes.
5. Click Save.

The DNS name is removed from the DNS Name Pool list.

Filters

Filters determine the content that your users see when they request a resource or a specific page. You can apply a filter to one or more resource hosts, requests or responses, and to content or headers. For general filters, you can use variables with name-value pairs instead of hard-coded values. You can add one or more variables to each filter. You can specify to filter file types or formats, images, and specific content in the Content Type field.

Scripts are located in <WatchGuard installation folder>\access-point\built-in-files\scripts\ and have the file suffix .wascr.

Add a filter

1. Select the Filters tab.2. Click Add Filter.

The Add Filter page appears.

3. Type the Script Name for the filter.
4. From the Type of Filter drop-down list, select Request or Response.
5. Select the Resource Host for this filter from the drop-down list.
6. Type the Path to the files to be filtered. You can use the * wildcard character.
7. From the Apply Filter To drop-down list, select Headers or Content.
8. Type the Content Type you want to filter. You can use the * wildcard character.
9. To add a variable, click Add Variable. Type the Name and Value. Click Add.

The variable appears in the Registered Variables list.

10. Click Add.

The Filter appears in the Registered Filters list.

11. Click Save.

Edit a filter

1. Select the Filters tab.
2. Click a filter in the Registered Filters list.

The Edit Filter page appears.

3. Update the settings or variables for the filter.
4. Click Update.
5. Click Save.

Delete a filter

1. Select the Filters tab.
2. Click a filter in the Registered Filters list.

The Edit Filter page appears.

3. Click Delete.
4. Click Yes.
5. Click Save.


Link translation

Link translation is used to make sure that all traffic to registered Web resource hosts goes through the WatchGuard SSL device. With link translation, Web resource hosts are as secure as tunnel resource hosts.

When a user connects to a page on a server through the WatchGuard SSL device, all links to other servers are changed to point to the WatchGuard SSL device.

Translated links contain information about the original server and what protocol to use. For example, when users enter a URL to a registered Web resource, for example http://www.example.com/start.asp, the device recognizes the link and automatically translates the URL to https://<WatchGuard SSL Device>/http://www.example.com/start.asp.

A link can be divided into subsets and then put together dynamically by the browser to form a link. Some examples of subsets are by protocol, host, and URI. If you use a subset, the WatchGuard SSL device cannot establish if it is a link and cannot translate it. If you want to use a subset, you can use DNS mapping. A DNS name or an IP address that points to the WatchGuard SSL device is mapped to an internal host and protocol (a mapped DNS name).

All mapped DNS names are added to a DNS name pool. You then map the web hosts to DNS names with one of these methods:

Reserved DNS mappingThe Web resource is mapped to a specific DNS name in the DNS name pool.

Pooled DNS mappingAt the start of each session, the Web resource is assigned the first available DNS name from the DNS name pool.

You can configure the headers and content types to filter. Headers must be single-valued.

1. On the Manage Global Resource Settings page, select the Link Translation tab.2. In the headers and content types fields, add, edit, or delete entries.3. Click Save.
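The following is an added example, not code from the guide or from WatchGuard, that shows the translation described above applied to a constructed HTML page: absolute links to registered Web resource hosts are rewritten to https://<device>/<original URL>, links to unregistered hosts and relative links are left alone, and a link the browser assembles from parts in script is not recognized, which is the case DNS mapping exists for; a small reserved DNS mapping lookup shows that alternative. The device name ssl.example.net, the registered hosts, the mapping table, the function names and the sample page are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed configuration (assumed names, not from the guide).
DEVICE_HOST = "ssl.example.net"                                  # the WatchGuard SSL device
REGISTERED_HOSTS = {"www.example.com", "intranet.example.com"}   # registered Web resource hosts
# Reserved DNS mapping: a DNS name that resolves to the device -> (protocol, internal host)
DNS_MAP = {"mail.example.net": ("http", "mail.internal.example.com")}

# Only absolute URLs inside href/src/action attributes are visible to this rewriter.
_ABS_LINK = re.compile(r'(?P<attr>\b(?:href|src|action)=["\'])(?P<url>https?://[^"\']+)', re.I)


def translate_link(url, device_host=DEVICE_HOST, registered=REGISTERED_HOSTS):
    """Return https://<device>/<original URL> for a link to a registered host, else None.
    The original protocol and host survive inside the translated URL, which is how the
    device later knows where to proxy the request."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in registered:
        return None
    return f"https://{device_host}/{url}"


def translate_content(html, device_host=DEVICE_HOST, registered=REGISTERED_HOSTS):
    """Rewrite every recognizable link to a registered host; return (html, count)."""
    count = 0

    def _repl(m):
        nonlocal count
        translated = translate_link(m.group("url"), device_host, registered)
        if translated is None:
            return m.group(0)          # unregistered host: leave the link as it is
        count += 1
        return m.group("attr") + translated

    return _ABS_LINK.sub(_repl, html), count


def resolve_mapped_dns(host_header, dns_map=DNS_MAP):
    """DNS mapping: a request that arrives at a mapped DNS name is proxied to the internal
    host and protocol it is mapped to, with no link rewriting needed."""
    return dns_map.get(host_header.strip().lower())


# Constructed page: one translatable link, one link to an unregistered host, one relative
# link, and one link the browser assembles from parts at run time (not translatable).
SAMPLE_PAGE = """<a href="http://www.example.com/start.asp">Start</a>
<img src="http://cdn.example.org/logo.png">
<a href="/local/relative.html">Relative</a>
<script>var h = "http://" + "www.example.com"; location.href = h + "/dyn.asp";</script>"""

if __name__ == "__main__":
    rewritten, n = translate_content(SAMPLE_PAGE)
    print(n, "link(s) translated")
    print(rewritten)
    print(resolve_mapped_dns("mail.example.net"))
```

The script link is the "subset" case: the host name is only present as a string fragment that the browser joins at run time, so the rewriter never sees a complete link. A reserved DNS mapping sidesteps this because the host the browser ends up requesting already resolves to the device.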

Client Access

You can specify the paths for the Application Portal and Welcome pages, and the clients users can select from to connect to your network.

Specify the paths for client access pages

To configure Client Access Settings:

1. Select the Client Access tab.
2. Type the path to the Default Page for the Application Portal.
3. Type the path to the Welcome Page.

Client Control settings

You can add, edit, and delete Client Control settings.

To add Client Control settings:

1. On the Client Access tab, click Add Client Settings.
The Add Client Settings page appears.

2. In the Client drop-down list, select a client.
3. Select a check box to define the Session Settings.
4. Type a File Extension.
5. Type the path and file name to the Default Page for this client.


6. Type the path and file name to the Welcome Page for this client.
7. (Optional) Type the GUI Constant and GUI Constant Value.
8. Click Add.

The Client appears in the Registered Client Settings list.

To edit Client Control settings:

1. In the Registered Client Settings list, click a Client.
The Edit Client Settings page appears.

2. Update the settings.
3. Click Update.

To delete a client in the Registered Client Settings list:

1. In the Registered Client Settings list, click a Client.
The Edit Client Settings page appears.

2. Click Delete.
3. Click Yes.

The client is removed from the Registered Client Settings list.

4. Click Save.

Client Access Restrictions

You can add, edit, and delete client access restrictions.

To add Client Access restrictions:

1. On the Client Access tab, click Add Client Access Restriction.
The Add Client Access Restriction page appears.

2. From the Client drop-down list, select a client.
3. From the Permission drop-down list, select a permission level for this client: Accept, Deny, or Warn.
4. If you set the permission to Deny or Warn, select the HTTP code, Feedback page, and Feedback message that users see.
5. Click Add.

The Client appears in the Registered Client Access Restrictions list.

To edit Client Access restrictions:

1. In the Registered Client Access Restrictions list, click a client.
The Edit Registered Client Access Restrictions page appears.

2. Update the settings.
3. Click Update.

To delete a client in the Registered Client Access Restrictions list:

1. In the Registered Client Access Restrictions list, click a client.
The Edit Registered Client Access Restrictions page appears.

2. Click Delete.
3. Click Yes.

The client is removed from the Registered Client Access Restrictions list.

4. Click Save.


Trusted Gateways

You can add, edit, and delete the trusted gateways for your network.

Add trusted gateways

1. Click the Trusted Gateways tab.
The Manage Trusted Gateways page appears.

2. Click Add Trusted Gateway.
The Add Trusted Gateway page appears.

3. Type the IP Address of the trusted gateway.
4. Type the Port for the trusted gateway.
5. Click Add.

The IP Address appears in the Registered Trusted Gateways list.

Edit a trusted gateway

1. In the Registered Trusted Gateways list, click an IP Address.
The Edit Trusted Gateway page appears.

2. Update the settings.
3. Click Update.

Delete a trusted gateway

1. In the Registered Trusted Gateways list, click an IP Address.
The Edit Trusted Gateway page appears.

2. Click Delete.
3. Click Yes.

The trusted gateway is removed from the Registered Trusted Gateways list.

4. Click Save.

Cookies and Cache Control

On the Manage Global Resource Settings Advanced tab, you can configure the settings for Internal Cookies and Internet Explorer Cache Control. You can choose which information types to include in cookie requests. You can also set whether Internet Explorer caches data and allows these file types to be downloaded:

.doc
.xls
.ppt
.pdf

To configure cookie and cache control settings:

1. Click the Advanced tab.
2. In the Internal Cookies section, select the check box for each information type for which you want to allow cookies.
3. If you want to cache data in Internet Explorer, clear the Do not cache data for Internet Explorer users check box. This also allows users to download the file types shown above. Leave the check box selected if documents fetched through the portal must not remain in the browser cache on shared or unmanaged computers.
4. Click Save.


About client firewalls

Client firewalls are Internet firewall configurations. An Internet firewall configuration is a collection of rules that control traffic to and from the WatchGuard SSL Access Client. Each configuration is connected to a tunnel set.

The WatchGuard SSL Access Client has two tasks related to your firewall configuration:

Disable routes for other network connections
Check the integrity of application connections

You can configure rules based on these parameters:

Network
Incoming or outgoing traffic
Ports
Allow or block traffic

These rules are downloaded to the client computer with the tunnel set. The rules are then applied to network traffic at the client.

When you add a new Internet firewall configuration, the rule lists have default entries that block all connections. You must add a rule above the default rule to accept specific connections.

Disable routes for other network connections

You can choose to disable routes for other network connections. Apply the rules you configure to disable specific routes.

Check the integrity of application connections

For each connection that goes through the WatchGuard SSL Access Client, information about the application path and checksum is added. The authorization process uses this information when it determines whether the client can connect to your resources.

How does the client firewall work?

When your users connect to the WatchGuard SSL device with the Access Client, the client firewall runs locally on their computers. Firewall rules are configured on the server and cannot be overridden by the user. You can only use one Internet firewall configuration per tunnel set.

The firewall is activated when a user clicks an Application Portal icon that connects to a tunnel set configured to use the client firewall. The firewall stays active as long as the associated tunnel set is in use, and is deactivated as soon as the user closes the Access Client or logs off the portal.

When active, the firewall checks that each connection to and from the client computer matches the client firewall configuration.

You can add incoming and outgoing rules, and exceptions to those rules, to your client firewall configuration.

The order of the rules is significant: the firewall starts at the top of the list and stops as soon as it finds a rule that matches the connection.

If several tunnel sets are used at the same time by the same user, the firewall configurations of all the tunnel sets are active and the most restrictive rules are applied.


Incoming Rules

When a connection comes in to the computer, the firewall goes through the list of Incoming Firewall rules. Each rule is checked to see if it matches the incoming connection. If it does not match, the firewall looks at the next rule in the list. If it does match, the connection is accepted or denied based on the rule configuration, and the firewall does not check any more rules in the list. If the rule denies the connection, it is dropped. If the rule accepts the connection, it is connected to the client computer.

Outgoing Rules

When an application on the client computer tries to connect to the Internet, the firewall goes through the list of Outgoing Firewall rules. Each rule is checked to see if it matches the outgoing connection. If it does not match, the firewall looks at the next rule in the list. If it does match, the connection is accepted or denied based on the rule configuration. If the rule denies the connection, it is rejected. If the rule accepts the connection, it connects to the Internet.

Exceptions

The client firewall checks all TCP and UDP connections except:

Incoming connections from an IP address of a configured resource on the intranet (a connection through the tunnel)
Connections to the WatchGuard SSL device
Connections to an IP address of a configured resource on the intranet through the tunnel

For these connections, the access rules of the configured resource are applied instead of the firewall rules.

Configure client definitions

You can configure the definitions for the clients used with your firewall configuration.

For more information, see "Manage Client Definitions" on page 195.

Firewall rules based on a device

The client firewall can be used to specify rules based on the path or checksum of the process that tries to connect to the Internet. To enable this option, you must first add a client definition that specifies the path and/or checksum of the process. You can use one of these client firewall variables in the Client Definitions:

clientfirewall-path
clientfirewall-checksum

To add Internet Explorer as a client definition, add a Client Definition with these settings:

Display Name: Internet Explorer Process

Definition: clientfirewall-path=%ProgramFiles%\Internet Explorer\iexplore.exe

%ProgramFiles% is a variable that is expanded on the Access Client, so the client definition works on all clients regardless of the language of the operating system. Note that a path-based definition identifies the process only by its location: any executable placed at that path matches it.

You can also use a more restrictive rule that is based on the MD5 checksum of the executable. To define a client based on the checksum, use the hexadecimal representation of the MD5 checksum.

You can only use client definitions with these variables in the Client Firewall Rules.


For example:

Display Name: Internet Explorer Process

Definition: clientfirewall-checksum=e7484514c0464642be7b4dc2689354c8

When you use clientfirewall-checksum, the client definition is only valid for a specific version of Internet Explorer. Every update to the executable changes its checksum, so you must update the definition after each patch.

It is also possible to combine both checksum and path with AND/OR between expressions. For example, you can create a list of valid checksums with the pipe character | (OR) between the entries. All entries joined with the | (OR) operator must be on the same line.

For example:

clientfirewall-checksum=<checksum1> | clientfirewall-checksum=<checksum2> | clientfirewall-checksum=<checksum3>

You can also use the Client Definitions for client firewalls in Access Rules for tunnel resources.

Incoming Firewall Rules

For Incoming Firewall Rules, you specify a remote IP address or range of IP addresses that are allowed for incoming traffic. You can also specify the port set, with a single port, several ports, and/or a range of ports. Use a comma to separate port numbers. In your rules, you also select whether to use TCP or UDP, and whether the firewall rule accepts or denies incoming traffic from the IP addresses and ports you specified. You can also choose whether the rule applies to a specific client or to any client. When you select Any Client, the rule is applied to all connected clients. A client can be a hardware device or an application.

Outgoing Firewall Rules

For Outgoing Firewall Rules, you specify a remote IP address or range of IP addresses that are allowed for outgoing traffic. You can also specify the port set, with a single port, several ports, and/or a range of ports. Use a comma to separate port numbers. In your rules, you also select whether to use TCP or UDP, and whether the firewall rule accepts or denies outgoing traffic to the IP addresses and ports you specified. You can also choose whether the rule applies to a specific client or to any client. When you select Any Client, the rule is applied to all connected clients. A client can be a hardware device or an application.
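The following is an added example, not code from the guide or from WatchGuard, that puts the rule semantics described in the preceding sections into runnable form: first-match evaluation of ordered incoming and outgoing rules with the default deny at the bottom of each list, the exceptions for connections to the device and to tunnelled intranet resources, client definitions built from clientfirewall-path (with %ProgramFiles% expansion) and clientfirewall-checksum joined with | (OR), and the most-restrictive merge when several tunnel sets are active at once. The data classes, function names, the IP-range and port-set syntax as parsed here, the device and resource addresses and the stand-in executable bytes are all assumptions; the AND form of combining expressions is not implemented because the guide shows only the | form.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    direction: str                 # "incoming" or "outgoing"
    remote: str                    # remote IP "10.0.0.5" or range "10.0.0.1-10.0.0.254" (assumed syntax)
    ports: str                     # port set, e.g. "80,443,8000-8100"
    protocol: str                  # "tcp" or "udp"
    action: str                    # "accept" or "deny"
    client: Optional[str] = None   # None means Any Client; otherwise a client definition string


@dataclass
class Connection:
    direction: str
    remote_ip: str
    port: int
    protocol: str
    process_path: str
    process_image: bytes           # stand-in for the executable's bytes (constructed)


def ip_in_range(ip: str, spec: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(spec.strip())


def port_in_set(port: int, spec: str) -> bool:
    """Port set: single ports and ranges, comma-separated."""
    for item in (i.strip() for i in spec.split(",")):
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo <= port <= hi:
                return True
        elif port == int(item):
            return True
    return False


def normalize_path(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% placeholders such as %ProgramFiles%; compare case-insensitively."""
    for name, value in env.items():
        path = path.replace(f"%{name}%", value)
    return path.lower()


def client_matches(definition: Optional[str], conn: Connection, env: Dict[str, str]) -> bool:
    """Expressions joined with | are ORed: clientfirewall-path=<path> or clientfirewall-checksum=<md5>."""
    if definition is None:
        return True                                    # Any Client
    digest = hashlib.md5(conn.process_image).hexdigest()
    for expr in definition.split("|"):
        key, _, value = expr.strip().partition("=")
        if key == "clientfirewall-path" and normalize_path(value, env) == normalize_path(conn.process_path, env):
            return True
        if key == "clientfirewall-checksum" and value.strip().lower() == digest:
            return True
    return False


def evaluate(rules: List[Rule], conn: Connection, env: Dict[str, str], device_ip: str, resource_ips: set) -> str:
    # Exceptions: traffic to the device or to tunnelled resources follows the resource's access rules.
    if conn.remote_ip == device_ip or conn.remote_ip in resource_ips:
        return "resource-access-rules"
    for rule in rules:                                 # top to bottom, first match wins
        if rule.direction != conn.direction or rule.protocol.lower() != conn.protocol.lower():
            continue
        if not ip_in_range(conn.remote_ip, rule.remote) or not port_in_set(conn.port, rule.ports):
            continue
        if not client_matches(rule.client, conn, env):
            continue
        return rule.action
    return "deny"                                      # the default rule at the bottom blocks everything


def evaluate_all(configs: List[List[Rule]], conn, env, device_ip, resource_ips) -> str:
    """Several tunnel sets in use at once: all configurations are active, most restrictive wins."""
    results = [evaluate(c, conn, env, device_ip, resource_ips) for c in configs]
    return "deny" if "deny" in results else results[0]


# Constructed sample data (assumed values).
ENV = {"ProgramFiles": r"C:\Program Files"}
IE_PATH = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE_IMAGE = b"stand-in bytes for iexplore.exe"
IE_DEF_PATH = r"clientfirewall-path=%ProgramFiles%\Internet Explorer\iexplore.exe"
IE_DEF_SUM = ("clientfirewall-checksum=00000000000000000000000000000000 | "
              f"clientfirewall-checksum={hashlib.md5(IE_IMAGE).hexdigest()}")
DEVICE_IP, RESOURCE_IPS = "198.51.100.1", {"10.0.0.20"}
CONFIG_A = [Rule("outgoing", "0.0.0.0-255.255.255.255", "80,443", "tcp", "accept", IE_DEF_PATH),
            Rule("incoming", "10.0.0.1-10.0.0.254", "3389", "tcp", "accept")]
CONFIG_B = [Rule("outgoing", "0.0.0.0-255.255.255.255", "443", "tcp", "accept", IE_DEF_SUM)]


def demo() -> Dict[str, str]:
    ie_https = Connection("outgoing", "203.0.113.10", 443, "tcp", IE_PATH, IE_IMAGE)
    ie_http = Connection("outgoing", "203.0.113.10", 80, "tcp", IE_PATH, IE_IMAGE)
    other = Connection("outgoing", "203.0.113.10", 443, "tcp", r"C:\Tools\curl.exe", b"other bytes")
    to_device = Connection("outgoing", DEVICE_IP, 443, "tcp", IE_PATH, IE_IMAGE)
    rdp_in = Connection("incoming", "10.0.0.7", 3389, "tcp", r"C:\Windows\System32\svchost.exe", b"svc")
    args = (ENV, DEVICE_IP, RESOURCE_IPS)
    return {
        "ie_https_one_set": evaluate(CONFIG_A, ie_https, *args),
        "ie_https_two_sets": evaluate_all([CONFIG_A, CONFIG_B], ie_https, *args),
        "ie_http_two_sets": evaluate_all([CONFIG_A, CONFIG_B], ie_http, *args),
        "other_process": evaluate(CONFIG_A, other, *args),
        "to_device": evaluate(CONFIG_B, to_device, *args),
        "rdp_one_set": evaluate(CONFIG_A, rdp_in, *args),
        "rdp_two_sets": evaluate_all([CONFIG_A, CONFIG_B], rdp_in, *args),
    }
```

Running demo() shows the two points that most often surprise administrators: a rule that is accepted by one tunnel set's configuration is still denied when a second active tunnel set has no matching accept rule, and a process whose path or checksum does not match the client definition falls through to the default deny even though the address and port would have matched.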

Manage Internet Firewall Configurations

You can add, edit, and delete Internet firewall configurations for your client firewall. After you change the configuration, make sure you click Publish to commit your changes.


Add an Internet Firewall Configuration

1. Select Resource Access.
The Resources page appears.

2. Select Client Firewall.
The Client Firewall page appears.

3. Click Add Internet Firewall Configuration.
The Add Internet Firewall Configuration page appears.

4. Type a Display Name.
5. (Optional) Add an incoming firewall rule.
6. (Optional) Add an outgoing firewall rule.

For information about how to add firewall rules, see the subsequent sections.

7. Click Add.
The configuration appears in the Registered Internet Firewall Configurations list.


Edit an Internet Firewall Configuration

You can edit your Internet firewall configurations on the Client Firewall page.

1. In the Registered Internet Firewall Configurations list, click the configuration you want to change.
The Edit Internet Firewall Configuration page appears.

2. Update the settings or rules in the configuration.
3. Click Save.

Delete an Internet Firewall Configuration

You can delete your Internet firewall configurations on the Client Firewall page.

1. In the Registered Internet Firewall Configurations list, click the configuration you want to delete.
The Edit Internet Firewall Configuration page appears.

2. Click Delete.
3. Click Yes.
4. Click Save.

Add an incoming firewall rule

You can add incoming firewall rules on the Add Internet Firewall Configuration page.

1. Click Add Incoming Firewall Rule.
The Add Incoming Firewall Rule page appears.


2. Type the range for the Remote IP address.
3. Type the Local Port.
4. Select a Protocol.
5. Set the rule to Accept or Deny connection attempts from the selected IP address.
6. In the Clients drop-down list, select Any Client or a specific client to which the rule applies.
7. (Optional) Add a Comment to include a description of the rule.
8. Click Add.

The rule appears in the Registered Incoming Firewall Rules list.

Add an outgoing firewall rule

You can add outgoing firewall rules on the Add Internet Firewall Configuration page.

1. Click Add Outgoing Firewall Rule.
The Add Outgoing Firewall Rule page appears.

2. Type the range for the Remote IP address.
3. Type the Local Port.
4. Select a Protocol.
5. Set the rule to Accept or Deny connection attempts to the selected IP address.
6. In the Clients drop-down list, select Any Client or a specific client to which the rule applies.
7. (Optional) Add a Comment to include a description of the rule.
8. Click Add.

The rule appears in the Registered Outgoing Firewall Rules list.


Edit an incoming or outgoing firewall rule

You can make changes to any incoming or outgoing firewall rule in the corresponding Registered Firewall Rules list.

1. Click the rule that you want to change.
The Edit Firewall Rule page appears.

2. Update the settings for the rule.
3. Click Update.

Delete an incoming or outgoing firewall rule

You can delete any incoming or outgoing firewall rule that you added. You cannot delete the default rules.

1. Click the rule that you want to delete.
The Edit Firewall Rule page appears.

2. Click Delete.
3. Click Yes.
4. Click Save.

About access rules

Access rules define the specific requirements for access control that you apply to a resource or SSO domain in the WatchGuard SSL Web UI. You can add general access rules that can be applied to any resource or SSO domain, or specific access rules that are applied only to certain resources or SSO domains. You can also define global access rules that are applied to all resources and SSO domains. WatchGuard SSL Web UI includes many different types of access rules that you can use alone or combine to build more precise access control.

When you add access rules to a resource, you can use the AND operator to combine general access rules with resource and SSO domain specific access rules. You can only use the OR operator for resource and SSO domain specific access rules.

For more information about access rules, see:

"Manage Access Rules" on page 134
"Manage Global Access Rules" on page 138

Manage Access Rules

You can add, edit, and delete the access rules to use with specific resources and Single Sign-On (SSO) domains. When you create an access rule, you add rules to define user access to your network. You can add one or more rules to each access rule. If you add more than one rule to an access rule, an OR operator is applied to the rules: access is granted when any one of them is satisfied. If you want rules to be applied with an AND operator, so that all of them must be satisfied, combine them.


Add an Access Rule

1. Select Resource Access.
The Resources page appears.

2. Select Access Rules.
The Manage Access Rules page appears.

3. Click Add Access Rule.
The Add Access Rule page appears.

4. Type a Display Name.


5. Click Add Rule.
The Select Type of Access Rule page appears.

6. Select an access rule type for this rule. Click Next.
The subsequent pages that you see depend on the type of access rule that you selected.

7. Complete the subsequent pages for the access rule type you selected. Click Next.
8. On the Summary page, confirm the settings for your access rule. Click Next.
9. To add another rule, repeat Steps 5–8.
10. If you have more than one rule and you want to combine them, select the Select Rule check box for the rules you want to combine and click Combine.
11. Click Next.

The Confirm Access Rule Summary page appears.

12. Click Finish Wizard.
The new Access Rule appears in the Registered Access Rules list.

Edit an Access Rule

1. Select Resource Access.
The Resources page appears.

2. Select Access Rules.
The Manage Access Rules page appears.


3. In the Registered Access Rules list, click the access rule you want to change.
The Edit Access Rule page appears.

4. Update the settings for the rule.
5. Click Save.

Delete an Access Rule

1. Select Resource Access.
The Resources page appears.

2. Select Access Rules.
The Manage Access Rules page appears.

3. In the Registered Access Rules list, click the access rule you want to delete.
The Edit Access Rule page appears.

4. Click Delete.
5. Click Yes.
6. Click Save.


Manage Global Access Rules

You can manage the global access rules that apply to all of your resources and SSO domains. You can select the Registered Access Rules that you have already created, or you can add a new access rule.

1. Select Resource Access.
The Resources page appears.

2. Click Manage Global Access Rule.
The Manage Global Access Rule page appears.

3. To select an existing rule, in the Available Access Rules list, select an access rule. Click Add.
The rule appears in the Selected Access Rules list.

4. To add a new access rule, click Add Access Rule.
The Add Access Rule, Select Type of Access Rule page appears.


5. Select an access rule type. Click Next.
The subsequent pages that you see depend on the type of access rule that you selected.

6. Complete the subsequent pages for the access rule type you selected. Click Next.
The access rule appears on the Manage Global Access Rule page in the Allow user access when list.

7. To add more access rules, repeat Steps 4–6.
8. Click Save.

The global access rules are saved and the Manage Access Rules page appears.

About the Application Portal

The Application Portal is a web site on the WatchGuard SSL device where users can connect to your corporate applications and resources from remote locations. In the Application Portal, the applications and resources appear as icons that your users can click; these are called Application Portal items.

You can create Application Portal items for these resource types:

Web resources
Tunnel sets
External sites

All Web resources and tunnel sets that you add to the Application Portal are automatically associated with an Application Portal item. You can also manually add Application Portal items for Web resources or tunnel sets. For Web resources, you can also configure shortcuts. These shortcuts allow your users to connect directly to a resource with a web browser rather than through the Application Portal. You can also add Application Portal items for external sites, such as external URIs that are not registered as Web resources.

About the Access Client

The WatchGuard SSL Access Client allows users to securely connect to the tunnel resources in the Application Portal. When users authenticate to the Application Portal and select a resource other than a Web resource, the on-demand Access Client launches to load the tunnel. You can choose to load the Access Client with an ActiveX loader or a Java applet, or to run the VPN client in Java.

When the user session ends, the on-demand Access Client closes and is not accessible to the user. Your users can also choose to install the Access Client on their client computers. The installed Access Client is available when users are not authenticated to the Application Portal and can be configured separately.


Manage Application Portal Items

You can add, edit, and delete the resources that appear in the Application Portal.

Add an Application Portal Item

1. Select Resource Access.
The Resources page appears.

2. Select Application Portal.
The Manage Application Portal page appears.

3. Click Add Application Portal Item.
The Application Portal Item page appears.

4. Select the resource type for this portal item. Click Next.
The subsequent pages that you see depend on the resource type that you selected.

5. Complete the subsequent pages for the resource type you selected.
6. To enable the resource in the Application Portal, select the Make resource available in Application Portal check box.
If you want to add the Application Portal item, but not enable it, clear this check box.

7. Select an Icon for the resource.
8. Type the Link Text for the resource.
9. Click Finish Wizard.

The resource appears in the Registered Application Portal Items list.


Edit an Application Portal item

1. Select Resource Access.
The Resources page appears.

2. Select Application Portal.
The Manage Application Portal page appears.

3. In the Registered Application Portal Items list, click the item you want to edit.
The Edit Application Portal Item page appears.

4. Update the settings for the item.
5. Click Save.

Delete an Application Portal item

1. Select Resource Access.
The Resources page appears.

2. Select Application Portal.
The Manage Application Portal page appears.

3. In the Registered Application Portal Items list, click the item you want to delete.
The Edit Application Portal Item page appears.

4. Click Delete.
5. Click Yes.

The Application Portal item is removed from the Registered Application Portal Items list.


About SSO domains

Single Sign-On (SSO) is a session/user authentication process that allows users to authenticate with their user credentials one time to get access to several resources. When users authenticate with SSO, they have immediate access to Application Portal items, and they do not have to authenticate again if they select a different item.

WatchGuard SSL SSO domains are configured to enable SSO for resources that share the same user credentials. The SSO domain specifies how SSO is used for the resources included in the domain. When user credentials are modified, the changes are automatically applied to all resources in the SSO domain.

When users first log on to the Application Portal with SSO, they are prompted for their credentials once for each SSO domain, the first time they select a resource that is in that SSO domain. By default, the user credentials are then stored indefinitely in the user account in the Local User Database. You can instead choose to cache user credentials, in which case they are only kept for the duration of the user session. After users authenticate successfully, they can select different internal applications that are part of the SSO domain without authenticating again each time they select a resource in the Application Portal.

Access rules

You add Access Rules to the SSO domain to define how and when Single Sign-On is used. The access rules you specify for the SSO domain apply only to the SSO functionality, not to the resources in the SSO domain. For example, if a user successfully connects to a resource in the SSO domain but the SSO access rule fails, the user can still select resources in the domain, but must authenticate again for each resource.

Domain types

WatchGuard SSL SSO domains are available in these domain types:

Text (default)
Cookie

You can associate different domain attributes with the SSO domain for each domain type.

Text

This domain type is used to send user credentials as text, with different attributes that define the authentication information.

Available domain attributes for this domain type:

User name
Password
Domain

The domain attributes you add to the domain type depend on the authentication method you select. Standard domain attributes for the authentication methods are:

NTLM
All domain attributes for the domain type Text (user name, password, and domain) are added to the domain type.

Basic
The user name and password attributes are added to the domain type. Basic is the most commonly used authentication method for web environments.

Form-based
The user name and password attributes are added to the domain type. To use form-based logon for an SSO domain, you must design a web form for access to each resource in the SSO domain. You do this when you add or edit a resource.


Cookie

Cookie authentication sends the authentication information in an HTTP Cookie header. When the domain type Cookie is used, the cookie is set on the device before it sends the proxy request to the back-end server. Use Cookie SSO for back-end applications that only read the authentication information at the first request.

Available attributes are:

Cookie name
Cookie value
Cookie secure
Cookie domain
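The following is an added example, not code from the guide or from WatchGuard, that shows how the Text and Cookie domain attributes described above turn into what the device presents to a back-end server on the proxied request, and how the choice between caching credentials for the session and storing them in the user account decides where they live after logout. The function names basic_authorization, form_login_body, cookie_header_for and SsoCredentialStore, the form field names and all sample values are assumptions; NTLM is left out because its challenge-response exchange is not described here, and treating Cookie secure and Cookie domain as ordinary cookie scoping (send only over HTTPS, only to hosts within the domain) is also an assumption.

```python
import base64
from typing import Dict, Optional
from urllib.parse import urlencode


def basic_authorization(user_name: str, password: str) -> Dict[str, str]:
    """Text domain, Basic method: user name and password become an Authorization header."""
    token = base64.b64encode(f"{user_name}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def form_login_body(user_field: str, password_field: str, user_name: str, password: str) -> str:
    """Text domain, Form-based method: the credentials are posted into the field names of
    the login form designed for the resource (field names are assumed here)."""
    return urlencode({user_field: user_name, password_field: password})


def cookie_header_for(name: str, value: str, secure: bool, domain: str,
                      backend_host: str, backend_https: bool) -> Dict[str, str]:
    """Cookie domain type: attach the cookie to the proxy request, honouring Cookie secure
    and Cookie domain as normal cookie scoping (assumed interpretation)."""
    host = backend_host.lower()
    in_domain = host == domain.lower() or host.endswith("." + domain.lower())
    if not in_domain or (secure and not backend_https):
        return {}
    return {"Cookie": f"{name}={value}"}


class SsoCredentialStore:
    """Where SSO credentials are kept: with cache_on_session_only they live in session
    memory and are gone at logout; otherwise they are written to the user account."""

    def __init__(self, cache_on_session_only: bool) -> None:
        self.cache_on_session_only = cache_on_session_only
        self._account: Dict[str, Dict[str, str]] = {}   # persisted with the user account
        self._session: Dict[str, Dict[str, str]] = {}   # discarded when the session ends

    def remember(self, sso_domain: str, creds: Dict[str, str]) -> None:
        target = self._session if self.cache_on_session_only else self._account
        target[sso_domain] = dict(creds)

    def lookup(self, sso_domain: str) -> Optional[Dict[str, str]]:
        return self._session.get(sso_domain) or self._account.get(sso_domain)

    def end_session(self) -> None:
        self._session.clear()


def demo() -> Dict[str, object]:
    """Constructed walk-through: one user, a Text domain (Basic and Form-based) and a Cookie domain."""
    creds = {"user_name": "alice", "password": "s3cret"}      # constructed sample values
    cached = SsoCredentialStore(cache_on_session_only=True)
    stored = SsoCredentialStore(cache_on_session_only=False)
    for store in (cached, stored):
        store.remember("Intranet apps", creds)
    cached.end_session()
    stored.end_session()
    return {
        "basic": basic_authorization(creds["user_name"], creds["password"]),
        "form": form_login_body("j_username", "j_password", creds["user_name"], creds["password"]),
        "cookie_ok": cookie_header_for("SSOTOKEN", "tok123", True, "example.com", "app.example.com", True),
        "cookie_plain_http": cookie_header_for("SSOTOKEN", "tok123", True, "example.com", "app.example.com", False),
        "cookie_other_host": cookie_header_for("SSOTOKEN", "tok123", False, "example.com", "app.example.org", True),
        "after_logout_cached": cached.lookup("Intranet apps"),
        "after_logout_stored": stored.lookup("Intranet apps"),
    }
```

Basic encoding is reversible, which is why the value of SSO depends on the TLS session between device and back end rather than on the header itself; the store shows the operational difference between the two restriction settings, since only the session-cached credentials disappear when the user logs off.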

Manage SSO Domains

You can add, edit, and delete the Single Sign-On (SSO) domains that are available for resource access with SSO.

Add an SSO domain

1. Select Resource Access.
The Resources page appears.

2. Select SSO Domains.
The Manage SSO Domains page appears.

3. Click Add SSO Domain.
The Add SSO Domain page appears.


4. Type a Display Name.
5. Select a Domain Type from the drop-down list.
6. Configure the settings for SSO Restrictions.

If you select Cache on session only, SSO credentials are kept in memory only during the user session. If you do not select this option, SSO credentials are stored in the user account and persist across sessions. If the device is to hold as few back-end passwords as possible, select Cache on session only.

7. Click Next.
The Domain Attributes page appears.

8. To add an attribute, click Add Domain Attribute.
The Add Domain Attribute page appears.

9. Configure the settings for the attribute. If you set Referenced By to User Input, do not add a setting in the Attribute Value field.
The attribute appears in the Registered Domain Attributes list.

10. Click Next.
The Manage Access Rules page appears.

11. Select the access rules for this SSO domain. To add a new access rule, click Add Access Rule.
12. Click Next.

The Add SSO Domain Summary page appears.

13. Click Finish Wizard.
The SSO Domain appears in the Registered SSO Domains list.


Edit an SSO domain

1. Select Resource Access.
The Resources page appears.

2. Select SSO Domains.
The Manage SSO Domains page appears.

3. In the Registered SSO Domains list, click the domain you want to change.
The Edit SSO Domains page appears.

4. Update the settings.
5. Click Save.

Delete an SSO domain

1. Select Resource Access.
The Resources page appears.

2. Select SSO Domains.
The Manage SSO Domains page appears.

3. In the Registered SSO Domains list, click the domain you want to delete.
The Edit SSO Domains page appears.

4. Click Delete.
5. Click Yes.

The SSO Domain is deleted and removed from the Registered SSO Domains list.


5 Manage System

About Manage System

To see and manage the overall configuration of your WatchGuard SSL system, from the WatchGuard SSL Web UI top menu, select Manage System.

The Manage System submenu items are:

Authentication
Configure and manage the authentication methods and global authentication settings. For more information, see "About authentication methods" on page 149.

Certificates
Manage Certificate Authorities (CAs), Server Certificates, and Client Certificates. For more information, see "About certificates" on page 171.

Abolishment
Configure the settings for Abolishment (file removal, and Internet Explorer history and cache deletion). For more information, see "About Abolishment" on page 176.

Assessment
Configure settings for the client scans performed on clients that access a resource protected by an Assessment access rule. You can also configure other Assessment settings. For more information, see "About Assessment" on page 181.

Notification Settings
Configure the settings for email and SMS notifications. For more information, see "About notification settings" on page 186.

Client Definitions
Configure the clients that can access resources. For more information, see "Manage Client Definitions" on page 195.

Delegated Management
Create and edit administrative roles with different configuration and monitoring responsibilities. For more information, see "About delegated management" on page 198.


Administration Service
Configure all settings for the Administration Service, including the port, certificate, and other settings. You can also restart the Administration Service. For more information, see "About the Administration Service" on page 203.

Device Settings
Configure settings for the Application Portal, performance, cipher suites, security, and session control. For more information, see "Manage Device settings" on page 207.

Device Update
Configure settings for the WatchGuard SSL device. From this page you can change time settings, upgrade the system software, reset the device to the factory default settings, and reboot the device. For more information, see "Update the Device" on page 216.

Network Configuration
Configure the network type (single or dual interface mode), the network settings for the Eth0 interface, and the network routes. For more information, see "Network Configuration" on page 219.

Restore Configuration
Restore the most recently published system configuration, or a configuration from an earlier date. For more information, see "Restore a saved configuration" on page 222.

Import/Export Configuration
Import and export the configuration data to or from an archive file. For more information, see "Import or export the configuration" on page 224.


About authentication methods
To configure supported authentication methods:

1. Select Manage System > Authentication. The Authentication page appears.

2. Complete these tasks:
”Add an authentication method” on page 152
”Manage an Authentication Method” on page 154
”Manage global authentication service settings” on page 161
”Manage RADIUS configuration” on page 166

Supported authentication methods
When you create an authentication method access rule, you add one or more authentication methods to the access rule. There are 16 supported authentication methods.

WatchGuard authentication methods:

WatchGuard SSL Mobile Text
WatchGuard SSL Web
WatchGuard SSL Challenge
WatchGuard SSL Password
WatchGuard SSL Synchronized

For more information, see ”About WatchGuard SSL authentication methods” on page 150.

Additional authentication methods:

General RADIUS
SecurID
LDAP
Active Directory
Novell eDirectory
Windows Integrated Login
NTLM
Basic
User Certificate
Form-Based Authentication
Confidence Online

For more information, see ”About other authentication methods” on page 151.


About WatchGuard SSL authentication methods
The WatchGuard SSL authentication methods are Web, Challenge, Synchronized, Mobile Text, and Password. All of these methods use the RADIUS protocol.

WatchGuard SSL Web
You can use this method for authentication in a web browser. Users type their user IDs, and a Java applet or ActiveX component is launched. The client prompts the user to enter a password or PIN. The password or PIN is hashed and encrypted before it is returned to the server.

WatchGuard SSL Challenge
You can use this method for authentication in a web browser, WAP client, or with a PDA. Users type their user IDs and are prompted (challenged) to provide private information (the response) before they are allowed access.

The challenge-response technique is most often used with a hardware token that generates the response. In WatchGuard SSL Challenge, the Mobile ID software client generates the response. Users type their PINs in the Mobile ID Challenge client and the Mobile ID software generates a one-time password (OTP).

You can install the Mobile ID client on a mobile device such as a handheld PC or a cell phone, or on a laptop or desktop computer.

WatchGuard SSL Synchronized
You can use this method for authentication in a web browser, WAP client, or with a PDA. Users type their user IDs and are prompted for a one-time password (OTP). In WatchGuard SSL Synchronized, an integrated software client (Mobile ID) generates the OTP. Users type their PINs in the Mobile ID client and the Mobile ID software generates the OTP.

You can install the Mobile ID client on a mobile device, such as a handheld PC or a cell phone, or on your laptop or desktop computer.

WatchGuard SSL Mobile Text
This method is based on a combination of a PIN and a one-time password (OTP) distributed through an SMS channel. Users type the PIN on the web login page while an OTP is generated and sent to the user’s cell phone. All authentication and notification messages are sent through mobile text to the cell phone number or email address registered to that specific user account. You can use the WatchGuard SSL Mobile Text authentication method on a mobile device such as a handheld PC or a cell phone, as well as on a desktop PC or Macintosh computer.

When you select Allow Two-step Authentication in the authentication method configuration, authentication is distributed over two sessions: the server sends the OTP to the mobile phone, and then the user logs on with the OTP.

WatchGuard SSL Password
The WatchGuard SSL Password authentication method is based on static password authentication. A static password is created and maintained to authenticate remote access with a RADIUS client.

Download Mobile ID clients
The WatchGuard SSL authentication methods Challenge and Synchronized use the Mobile ID client to generate the OTP response. The Mobile ID client is available on the WatchGuard web site software downloads page as a separate file. You can download this file and distribute the Mobile ID clients to your users to install on their mobile devices.


About other authentication methods
In addition to the WatchGuard SSL authentication methods, WatchGuard SSL supports these authentication methods.

General RADIUS
This authentication method can be used with any RADIUS-compliant authentication server.

SecurID
This method supports RSA SecurID tokens that generate a one-time password (OTP).

LDAP
This method performs an LDAP bind.

Active Directory
This method is an LDAP bind authentication method with the ability to allow users to change their passwords. This functionality is only supported with Microsoft Active Directory (AD) servers. The External Directory Service (your AD server) must be configured for SSL communication, because password changes are only allowed over SSL.

Novell eDirectory
This method is an LDAP bind authentication method with the ability to allow users to change their passwords.

Windows Integrated Login
This method allows Windows domain credentials to be used automatically for authentication. When the Application Portal is protected by Windows Integrated Login authentication, Windows users do not have to type their credentials to log on to the Application Portal. Instead, the system gets the user credentials from the client.

NTLM
This method uses the NTLM authentication protocol found in various Microsoft network protocol implementations.

Basic
This method performs basic authentication according to RFC 2617, HTTP Authentication: Basic and Digest Access Authentication. Basic authentication sends the credentials base64-encoded, not encrypted, so use it only over an SSL-protected connection.

User Certificate
This method uses attribute mapping. The user is authenticated only if there is an exact match between the configured User Attribute and the Certificate Attribute.

Form-Based Authentication
This authentication method uses HTML forms that you can edit. You can also add new HTML forms. The credentials submitted to the device are posted in the form for authentication. When the credentials are accepted, the user is authenticated and allowed access to the network.

Confidence Online
This method uses the Confidence Online client for authentication.


Add an authentication method
You can add, edit, and delete authentication methods. By default, the five WatchGuard SSL authentication methods are enabled. You can add other supported authentication methods to the Registered Authentication Methods list.

To add an authentication method:

1. Select Manage System > Authentication. The Authentication page appears.

2. Select Add Authentication Method. The Add Authentication Method page appears.

3. Select an authentication method in the list. Click Next.


4. Configure the settings for the selected authentication method. Some of these settings do not apply to all authentication methods.

Enable Authentication Method
Select this check box to enable the new authentication method. To add this method but not enable it, clear this check box.

Display Name
The Display Name is the name that appears in the Application Portal for this authentication method.

Template Name
The Template Name is the name of the template that defines the appearance of the logon page when users log on with this authentication method. The name of the default template is automatically filled in.

Template Specification
For most authentication methods, you can select Manage Default Template Specification to customize the appearance of the Application Portal authentication page.

Authentication Method Server
For most authentication methods, you must specify an authentication method server to use for the authentication method.

RADIUS replies
The authentication methods that use RADIUS include some pre-defined RADIUS replies. You can edit these replies or add new ones.

Each RADIUS reply consists of a Name, a RADIUS Reply Matching String, and a RADIUS Template Specification. The template specification controls how the reply appears to the user.

Extended Properties
You can define extended properties for some authentication methods to customize what happens when a user authenticates. You can edit the extended properties or add new ones. Each extended property includes a Key and a Value.

5. Click Finish Wizard to save the new authentication method.


Manage an Authentication Method
You can edit or delete the registered authentication methods.

To edit an authentication method:

1. Select Manage System > Authentication. The Authentication page appears.

2. In the Registered Authentication Methods list, click the authentication method you want to edit. The Edit Authentication Method page appears.

3. Click the tabs to edit the authentication method configuration settings. For more information about the settings on each tab, see:

”Edit general settings” on page 155
”Manage RADIUS replies” on page 156
”Manage extended properties” on page 159

4. Click Save.


To delete an authentication method:

1. Select Manage System > Authentication. The Authentication page appears.

2. In the Registered Authentication Methods list, click the authentication method you want to delete. The Edit Authentication Method page appears.

3. Click Delete.

4. Click Yes.

The authentication method is removed from the Registered Authentication Methods list.

Edit general settings
To edit the general settings for an authentication method:

1. On the Authentication page, click an authentication method to edit it. The Edit Authentication Method page appears.

2. Click the General Settings tab.

3. To disable the authentication method, clear the Enable Authentication Method check box.

4. Update the settings:

Display Name
The name that appears in the Application Portal for this authentication method.

Template Name
The name of the template that defines the appearance of the logon page when users log on with this authentication method.

Template Specification
For most authentication methods, you can click Manage Default Template Specification to customize the appearance of the login page.

Authentication Method Server
For most authentication methods, you must specify an authentication method server to use for the authentication method.

5. Click Save.


Manage RADIUS replies
The authentication methods that use RADIUS include some pre-defined RADIUS replies. You can add, edit, or delete RADIUS replies.

Each RADIUS reply consists of a Name, a RADIUS Reply Matching String, and a Template Specification.

Add a RADIUS reply

1. Select Manage System > Authentication. The Authentication page appears.

2. In the Registered Authentication Methods list, click the method you want to edit. If the authentication method uses RADIUS replies, there is a RADIUS Replies tab.

3. Click the RADIUS Replies tab. The list of configured RADIUS replies appears.


4. Click Add RADIUS Reply. The Add RADIUS Reply page appears.

5. In the Display Name field, type the name of the RADIUS reply.

6. In the RADIUS Reply Matching String field, type the string that the reply message from the RADIUS server is matched against. When a reply matches, this RADIUS reply is used to present it to the user.

7. In the RADIUS Template Specification text box, type or paste the template for this RADIUS reply. The template controls how the reply appears to the user.

8. Click Add.

The reply appears in the Registered RADIUS Replies list.

9. Click Save.

Edit a RADIUS reply

1. Select Manage System > Authentication. The Authentication page appears.

2. In the Registered Authentication Methods list, click the method you want to edit. If the authentication method uses RADIUS replies, there is a RADIUS Replies tab.

3. Click the RADIUS Replies tab. The list of configured RADIUS replies appears.


4. In the Registered RADIUS Replies list, click the reply you want to edit. The Edit RADIUS Reply page appears.

5. Edit the reply information.

6. Click Update.

The updated reply appears in the Registered RADIUS Replies list.

7. Click Save.

Delete a RADIUS reply

1. Select Manage System > Authentication. The Authentication page appears.

2. In the Registered Authentication Methods list, click the method you want to edit. If the authentication method uses RADIUS replies, there is a RADIUS Replies tab.

3. Click the RADIUS Replies tab. The list of configured RADIUS replies appears.

4. In the Registered RADIUS Replies list, click the reply you want to delete. The Edit RADIUS Reply page appears.

5. Click Delete.

6. Click Yes.

The reply is removed from the Registered RADIUS Replies list.

7. Click Save.


Manage extended properties
You can add, edit, or delete extended properties for some authentication methods. Extended Properties define what happens when a user authenticates with each method.

When adding authentication methods, you can specify settings using extended properties. These include, for example, Save credentials for SSO domain, Allow unknown user ID, Lock user ID for session, and many more, depending on the authentication method you choose.

Each extended property consists of a Key and a Value. When you edit an extended property, you can only change the Value field. If you want to change the Key field, you must delete the Extended Property and add a new one with the correct Key–Value pair.

Add an extended property

1. Select Manage System > Authentication. The Authentication page appears.

2. In the Registered Authentication Methods list, click the authentication method you want to edit. The Edit Authentication Method page appears.

3. Click the Extended Properties tab.

4. Click Add Extended Property. The Add Extended Property page appears.

5. Select a Key in the drop-down list.

6. In the Value drop-down list, select whether the Key is true or false.

7. Click Add.

The Extended Property appears in the Registered Extended Properties list.

8. Click Save.

Edit an extended property

1. Select Manage System > Authentication. The Authentication page appears.

2. In the Registered Authentication Methods list, click the authentication method you want to edit. The Edit Authentication Method page appears.


3. Click the Extended Properties tab. The list of registered Extended Properties appears.

4. In the Registered Extended Properties list, click the extended property you want to edit. The Edit Extended Property page appears.

5. Update the Value.

6. Click Update.

7. Click Save.

Delete an extended property

1. Select Manage System > Authentication. The Authentication page appears.

2. In the Registered Authentication Methods list, click the authentication method you want to edit. The Edit Authentication Method page appears.

3. Click the Extended Properties tab.

4. In the Registered Extended Properties list, click the extended property you want to delete. The Edit Extended Property page appears.

5. Click Delete.

6. Click Yes.

7. Click Save.


Manage global authentication service settings
You can manage the authentication settings that apply to all authentication methods.

1. Select Manage System > Authentication. The Registered Authentication Methods page appears.

2. Click Manage Global Authentication Settings. The Global Authentication Service Settings page appears.

3. Click a tab to configure the settings:
”Manage global RADIUS authentication settings” on page 162
”Manage password and PIN requirements” on page 163
”Manage email authentication settings” on page 164
”Manage SMS and screen message settings” on page 164

4. Click Save.


Manage global RADIUS authentication settings
You can configure the settings for RADIUS authentication.

1. Select Manage System > Authentication. The Registered Authentication Methods page appears.

2. Click Manage Global Authentication Settings. The Global Authentication Service Settings page appears.

3. Click the RADIUS Authentication tab. The RADIUS Authentication page appears. Configure the settings; for more information about each setting, see the next section.

4. Click Save.

RADIUS Authentication settings

Drop unknown sessions
When selected, access requests that belong to unknown RADIUS sessions are dropped without notification. If this option is not selected, the server sends an Access-Reject (Access Denied) reply.

Drop unknown users
When selected, access requests from unknown users are dropped without notification.

If this option is not selected, the request is accepted for processing, but the authentication fails and the server sends an Access-Reject message. Dropping rather than rejecting can be useful for chained authentication.

Proxy unknown users
When selected, unknown users are authenticated with another RADIUS server: the server tries to proxy the request to the configured RADIUS back-end server. If the request is not serviced, the server responds with the action set for Drop unknown users. Proxy unknown users takes precedence over Drop unknown users if both are selected.

Reveal reject reason
When selected, the reason why a request is rejected is sent to the RADIUS client. Leave this cleared for RADIUS clients that untrusted users can reach, because a reject reason such as "unknown user" lets an attacker tell valid user IDs from invalid ones.

Session Timeout
The number of seconds before the RADIUS session times out. If a RADIUS session is not used before this amount of time passes, the session ends and the timer is reset. The default value is 180 seconds.

RADIUS Encoding
When the system receives a RADIUS packet, it decodes the attribute data as UTF-8 strings. Some RADIUS clients do not use UTF-8; for these RADIUS clients you can specify another encoding. The default value is UTF-8.


Manage password and PIN requirements
You can configure the global password and PIN settings for WatchGuard authentication methods.

1. Select Manage System > Authentication. The Registered Authentication Methods page appears.

2. Click Manage Global Authentication Settings. The Global Authentication Service Settings page appears.

3. Click the Password/PIN Settings tab and configure the settings. For more information about these settings, see the next section.

4. Click Save.

Password/PIN Settings

For each setting, the default values appear in parentheses.

WatchGuard SSL Mobile Text
The minimum (6) and maximum (16) number of characters.
The minimum number of letters (2) and numbers (2).
The password expiration period in days (90). When set to zero, the password does not expire.
The password history size (5). When users change their passwords, they cannot use any of the passwords saved in the password history.
The OTP (one-time password) length in number of characters (6).
The alphabet base for the OTP. The default value excludes characters and numbers that can easily be confused, such as 0/o/O and 1/i/I/l/L:
23456789abcdefghjkmnpqrstuvxyzABCDEFGHJKMNPQRSTUVXYZ
The notification message the user sees for the OTP.
Allow two-step authentication. When selected, authentication is split into two sessions: one to make the server send the OTP to the mobile phone, and one to log in with the OTP.

WatchGuard SSL Web
The minimum (6) and maximum (16) number of characters.
The minimum number of letters (2) and numbers (2).
The password expiration period in days (90). When set to zero, the password does not expire.
The password history size (5). When users change their passwords, they cannot use any of the passwords saved in the password history.
Keyboard appearance: Fixed, Shift, or Random (Random).
Allow use of desktop keyboard for numbers (off).

WatchGuard SSL Challenge
The PIN expiration period in days (90). When set to zero, the PIN does not expire.
The PIN history size in number of PINs (5). When users change their PINs, they cannot reuse any of the PINs saved in the PIN history.
Support value signing (off).
Direct PIN change (off).

WatchGuard SSL Password
The minimum (6) and maximum (16) number of characters.
The minimum number of letters (2) and numbers (2).
The password expiration period in days (90). When set to 0, the password does not expire.
The password history size (5). When users change their passwords, they cannot use any of the passwords saved in the password history.
The OTP (one-time password) length in number of characters (6).


WatchGuard SSL Synchronized
The PIN expiration period in days (90). When set to 0, the PIN does not expire.
The PIN history size in number of PINs (5). When users change their PINs, they cannot reuse any of the PINs saved in the PIN history.
Offset before prompt: the number of login attempts allowed before the user is prompted for a new OTP (3).
Offset before access denied: the number of login attempts allowed before the user is denied access (10).
Direct PIN change.
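The password and PIN rules above, as an added example in Python that is not code from this guide or from WatchGuard: a policy checker with the guide's default values (6 to 16 characters, at least 2 letters and 2 digits, 90-day expiry, a history of 5), a password history kept as salted hashes rather than in clear text, and OTP generation from the default Mobile Text alphabet with a CSPRNG. It also covers the SMS one-time password of the WatchGuard SSL Mobile Text method described earlier. The class and function names, the PBKDF2 iteration count, and the rule messages are assumptions for illustration; how the device itself stores histories or words its messages is not documented here.

```python
"""Password/PIN policy checks with the guide's default values, a password
history kept as salted hashes, and OTP generation from the confusion-free
alphabet.  Standard library only; illustration, not the device's code."""
import hashlib
import hmac
import math
import os
import secrets
import string
from dataclasses import dataclass

# Default OTP alphabet from the guide: no 0/o/O, no 1/i/I/l/L (52 symbols).
OTP_ALPHABET = "23456789abcdefghjkmnpqrstuvxyzABCDEFGHJKMNPQRSTUVXYZ"


class PasswordHistory:
    """Remembers previous passwords as salted PBKDF2 hashes, never in clear."""

    def __init__(self):
        self._entries = []              # (salt, digest), oldest first

    @staticmethod
    def _digest(password, salt):
        # Iteration count is an assumption for the example, not the device's value.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def remember(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))

    def contains(self, candidate, last_n):
        """True if candidate equals one of the last_n remembered passwords."""
        recent = self._entries[-last_n:] if last_n > 0 else []
        return any(hmac.compare_digest(self._digest(candidate, salt), digest)
                   for salt, digest in recent)


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 6
    max_length: int = 16
    min_letters: int = 2
    min_digits: int = 2
    history_size: int = 5       # 0 disables the history check
    expiry_days: int = 90       # 0 means the password never expires

    def problems(self, candidate, history=None):
        """List of violated rules; an empty list means the password is acceptable."""
        found = []
        if not self.min_length <= len(candidate) <= self.max_length:
            found.append(f"length must be {self.min_length}-{self.max_length} characters")
        if sum(c in string.ascii_letters for c in candidate) < self.min_letters:
            found.append(f"at least {self.min_letters} letters required")
        if sum(c in string.digits for c in candidate) < self.min_digits:
            found.append(f"at least {self.min_digits} digits required")
        if history is not None and history.contains(candidate, self.history_size):
            found.append(f"matches one of the last {self.history_size} passwords")
        return found

    def is_expired(self, age_days):
        return self.expiry_days != 0 and age_days > self.expiry_days


def generate_otp(length=6, alphabet=OTP_ALPHABET):
    """One-time password drawn with a CSPRNG from the confusion-free alphabet."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def otp_entropy_bits(length=6, alphabet=OTP_ALPHABET):
    """Guessing resistance of an OTP: length * log2(alphabet size)."""
    return length * math.log2(len(set(alphabet)))


def verify_otp(submitted, expected):
    """Constant-time comparison; an OTP is single-use, so discard `expected` after one check."""
    return hmac.compare_digest(submitted.encode(), expected.encode())
```

With the default alphabet a 6-character OTP carries about 34 bits, so the number of attempts allowed per OTP (compare the Offset before access denied setting for Synchronized) matters more than the alphabet itself.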

Manage email authentication settings
On the Email Messages tab, you can configure the notification messages that are sent to users when they get new passwords, PINs, or seeds.

1. Select Manage System > Authentication. The Registered Authentication Methods page appears.

2. Click Manage Global Authentication Settings. The Global Authentication Service Settings page appears.

3. Click the Email Messages tab and configure the settings. For more information about the settings, see the next section.

4. Click Save.

Email Settings

Email Addresses
Type the email addresses of any additional recipients that you want to receive notifications about new or changed passwords, PINs, or seeds.

Email Messages
Modify the message used to notify users about changes to their authentication credentials. You can change the text of the email message for each type of password, PIN, or seed change.

WatchGuard Authentication Method Messages

For each WatchGuard authentication method, you can set the messages that users see when they get a new password, PIN, or seed in an email message.

Manage SMS and screen message settings
You can configure the SMS/Screen messages that users get for new or changed passwords, PINs, or seeds. General settings include the header and footer of the SMS/Screen message. You can also specify different password, PIN, or seed messages for each authentication method.

1. Select Manage System > Authentication. The Registered Authentication Methods page appears.

2. Click Manage Global Authentication Settings. The Global Authentication Service Settings page appears.


3. Click the SMS/Screen Messages tab and configure the settings.

4. Click Save.


Manage RADIUS configuration
You configure RADIUS settings for each available authentication method to accept, reject, or challenge the request.

You can also send authentication requests to an authentication server that uses third-party authentication methods such as RSA SecurID. To do this, you must add a RADIUS back-end server as an authentication server. You can use one or several RADIUS back-end servers simultaneously.

To configure RADIUS clients and back-end servers:

1. Select Manage System > Authentication. The Authentication page appears.

2. Click RADIUS Configuration. The Manage RADIUS Configuration page appears.

3. Configure the RADIUS settings:
Add a RADIUS client
Edit or delete a RADIUS client
Add a RADIUS Back-End Server
Edit or delete a RADIUS Back-End Server


Add a RADIUS client
On the Manage RADIUS Configuration page, you can add a RADIUS client.

1. Click Add RADIUS Client. The Add RADIUS Client page appears.

2. In the IP Address field, type the IP address for this RADIUS client.

3. Type and verify the Shared Secret. The shared secret authenticates the RADIUS packets exchanged with this client and obscures the User-Password attribute, so use a long random value that is unique to each client.

4. If your RADIUS client requires attributes, configure them in the Attributes section. You can configure three types of attributes:
Accept Attributes
Challenge Attributes
Reject Attributes

5. Click Save.


Edit or delete a RADIUS client
On the Manage RADIUS Configuration page, you can edit or delete a RADIUS client.

To edit a RADIUS client:

1. In the Registered RADIUS Clients list, click the IP address of a client. The Edit RADIUS Client page appears.

2. Configure the settings for the client.

3. Click Save.

To delete a RADIUS client:

1. In the Registered RADIUS Clients list, click the IP address of a client. The Edit RADIUS Client page appears.

2. Click Delete.

3. Click Yes.

The client you selected is deleted and removed from the Registered RADIUS Clients list.


Add a RADIUS Back-End Server
On the Manage RADIUS Configuration page, you can add a RADIUS back-end server.

1. Click Add RADIUS Back-End Server. The Add RADIUS Back-End Server page appears.

2. In the Display Name field, type the name of this server.

3. In the Host field, type the IP address of the RADIUS back-end server.

4. If necessary, change the default values in the Port and Timeout fields.

5. Type and verify the Shared Secret for this RADIUS server.

6. Click Save.

The server you added appears in the Registered RADIUS Back-End Servers list.

Edit or delete a RADIUS Back-End Server
On the Manage RADIUS Configuration page, you can edit or delete a RADIUS back-end server.

To edit a RADIUS back-end server:

1. In the Registered RADIUS Back-End Servers list, click the display name of a server. The Edit RADIUS Back-End Server page appears.

2. Configure the settings for the back-end server.

3. Click Save.


To delete a RADIUS back-end server:

1. In the Registered RADIUS Back-End Servers list, click the display name of a server. The Edit RADIUS Back-End Server page appears.

2. Click Delete.

3. Click Yes.

The server you selected is deleted and removed from the Registered RADIUS Back-End Servers list.
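The RADIUS behaviour behind the settings in this chapter, as an added example in Python that is not code from this guide or from WatchGuard: a minimal RFC 2865 client and server, standard library only. It shows what the Shared Secret from Add a RADIUS client protects (the Response Authenticator and the PAP-obscured User-Password attribute) and how the Drop unknown users and Reveal reject reason options from the RADIUS Authentication settings change what the server sends back. The user table, the attribute set, and the option of passing a fixed Request Authenticator are assumptions for illustration; a real client uses 16 fresh random bytes for every request, which is what the code does when none is supplied.

```python
"""Toy RADIUS (RFC 2865) exchange, standard library only: a client builds an
Access-Request with a PAP-obscured password, the server answers according to
"Drop unknown users" and "Reveal reject reason", and the client verifies the
Response Authenticator with the shared secret.  Illustration, not the device's code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18      # attribute types


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, header included) Value; value <= 253 bytes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse attributes, rejecting lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def _pap_xor(data, secret, authenticator, chain_on_output):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block uses MD5(secret + Request Authenticator)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], pad))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out


def obscure_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    return _pap_xor(padded, secret, authenticator, chain_on_output=True)


def reveal_password(obscured, secret, authenticator):
    return _pap_xor(obscured, secret, authenticator, chain_on_output=False).rstrip(b"\x00")


def build_request(ident, username, password, secret, authenticator=None):
    """Access-Request.  The Request Authenticator must be 16 fresh random bytes."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, obscure_password(password, secret, authenticator))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code, ident, request_authenticator, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request_authenticator, secret):
    """Client side: a reply whose authenticator does not verify must be discarded."""
    header, auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def handle_request(request, secret, users, drop_unknown_users=False, reveal_reject_reason=False):
    """Server side.  Returns the reply packet, or None when the request is silently dropped."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None                                   # malformed: drop, never answer
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    username = attrs.get(USER_NAME)

    def reject(reason):
        reply = [(REPLY_MESSAGE, reason.encode())] if reveal_reject_reason else []
        return build_response(ACCESS_REJECT, ident, req_auth, reply, secret)

    if username not in users:
        return None if drop_unknown_users else reject("unknown user")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    if not hmac.compare_digest(password, users[username]):
        return reject("bad password")
    return build_response(ACCESS_ACCEPT, ident, req_auth, [], secret)


def reply_message(response):
    """Text of the first Reply-Message attribute in a reply, or None."""
    msgs = [v for t, v in decode_attrs(response[20:]) if t == REPLY_MESSAGE]
    return msgs[0].decode(errors="replace") if msgs else None
```

Two things the code makes visible: with Reveal reject reason off, a wrong password and an unknown user produce byte-identical Access-Reject packets apart from the authenticator, which is what denies an attacker user-ID enumeration; and because the password obscuring is only MD5 keyed with the shared secret, the secret's length and randomness are all that stands between a captured request and an offline guess of the password.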


About certificates
A certificate binds the identity of a person or organization to a public key. The public key is one half of a key pair: two mathematically related numbers called the private key and the public key. A certificate includes both a statement of identity and a public key, and is signed with a private key.

The private key used to sign a certificate can belong to the same person or organization that created the certificate, or to a certificate authority. If it belongs to the same person or organization that created the certificate, the result is called a self-signed certificate. If it belongs to a certificate authority (CA), the result is a CA-signed certificate. A certificate authority is an organization or application that issues, signs, and revokes certificates. Most applications and devices have a list of trusted CAs whose certificates are automatically accepted.

Certificate lifetimes and CRLs
When a certificate is created, it has a set lifetime. At the end date of the certificate lifetime, the certificate expires and can no longer be used. Sometimes a CA revokes a certificate before it expires. To reject a client certificate that has been issued but later revoked, the client certificate validation routine checks it against the list of revoked certificates published by the CA. This list is called a Certificate Revocation List (CRL). The CRL is distributed through a CRL Distribution Point (CDP). The supported CDP protocols are HTTP and LDAP. You configure whether to use the CRL when you add a Certificate Authority.

Certificate authorities and signing requests
To get a certificate from a third party, you put the public key of a key pair in a certificate signing request (CSR) and send the request to a CA; the private key never leaves your system. It is important that you use a new key pair for each CSR you create. The CA issues a certificate after it receives the CSR and verifies your identity. You can use tools such as OpenSSL or the Microsoft CA Server that comes with most Windows Server operating systems to create a CSR.

If you do not have a PKI (public key infrastructure) set up in your organization, we recommend that you choose a prominent CA to sign your CSR. If a prominent CA signs your certificate, your certificate is automatically trusted by most users. WatchGuard has tested certificates signed by VeriSign, Microsoft CA Server, Entrust, and RSA KEON.

Manage Certificates
In the WatchGuard SSL Web UI, you manage Certificate Authorities, server certificates, and client certificates.

For more information, see:

”Add a Certificate Authority” on page 171
”Add a server certificate” on page 174
”Edit or delete a Server Certificate” on page 175
”Manage client certificate settings” on page 176

Add a Certificate Authority
A certificate authority (CA) issues the client certificates used for authentication. For the WatchGuard SSL device to authenticate a user with a client certificate, you must upload the certificate of the CA that issued it.

You register certificate authorities (CAs) to be used for validation of certificates. You type a Display Name for the CA and specify a CA certificate file. You then select whether to use a certificate revocation list (CRL) or to perform no revocation checks at all. If you enable CRL checking, the Add Certificate Authority wizard includes an additional step to configure a Control Distribution Point (the Web UI’s name for a CRL distribution point, CDP) for the CRL.


Configure CA general settings

1. Select Manage System > Certificates. The Manage Certificates page appears.

2. Click Add Certificate Authority. The Add Certificate Authority General Settings page appears.

3. Select the Enable Certificate Authority check box.

4. Type a Display Name for this Certificate Authority.

5. In the CA Certificate field, select the location of the certificate for your CA. The certificate must be in PEM or DER format.

6. In the Revocation Control section, select the CRL radio button to enable certificate revocation checking. CRL checking is enabled by default. If you do not want to do CRL checking, select the No certificate revocation checking should be performed radio button.


7. If you did not enable CRL checking, skip to Step 8. If you enabled CRL checking, click Next to specify at least one Control Distribution Point (CDP). For more information, see the next section.

8. Click Finish Wizard.

Configure Control Distribution Points
If you enable CRL checking for your CA, you must specify at least one Control Distribution Point (CDP). The CDP is the location from which the device retrieves the CRL that it uses to check certificates issued by the CA. If you disable CRL checking, a certificate that the CA has revoked is still accepted until it expires.

To add a CDP, click Add Control Distribution Point on the second page of the Add Certificate Authority wizard.

Specify settings for these fields:

Address
The address can be an LDAP URL (RFC 2255) or an HTTP URL.

Example LDAP address:

ldap://192.168.96.52/CN=win2k%20root%20CA,CN=test-win2kad,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=win2kad,DC=examplecompany,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint

Example HTTP address:

http://www.example.com:80/ldap/crl.cer

Fetch Time Adjustment
Number of seconds by which the actual CRL retrieval is offset from the scheduled retrieval time. The allowed interval is 0–86400. Use this option when a new CRL appears at the CDP later than scheduled, for example because it is replicated between directories before it becomes visible. This option is set to zero (0) by default.

Update Time
Select this option to set a custom update time for CRL retrieval. When it is not selected, the Next Update attribute of the CRL determines when the next retrieval takes place. This option is not selected by default.

Retry Interval
Number of seconds to wait before the device tries to contact the CDP again after a failed CRL retrieval. The allowed interval is 0–31536000 seconds (365 days). The Retry Interval is set to 300 seconds by default.

You must also specify the action to take if the CRL cannot be retrieved from the CDP. In the CRL Invalid Action section, select one of these options:

Authentication is denied
If a valid CRL cannot be retrieved, deny authentication for all users. This is the fail-closed choice: an outage of the CDP also stops certificate logins, but a certificate revoked since the last successful retrieval can never be accepted.

Authentication is allowed, previous CRL is used
If a valid CRL cannot be retrieved, use the previously retrieved CRL for certificate revocation control. If a user authenticates while the CRL is invalid, this event is written to the log file. This is the fail-open choice: for as long as the CDP stays unreachable, a certificate revoked after the last successful retrieval is still accepted, so monitor the log for these events and restore CDP reachability quickly.
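The CDP settings and the CRL Invalid Action interact in a way the field descriptions alone do not make obvious. The Python model below is an added example, not code from this guide or from the WatchGuard SSL product. It simulates a CDP (constructed data) that publishes a fresh CRL and then becomes unreachable, and shows what each CRL Invalid Action does to a certificate that the CA revoked after the device's last successful fetch. Three points are assumptions and marked as such in the comments: Fetch Time Adjustment is modelled as a delay added to the scheduled retrieval time, a custom Update Time as a fixed interval in seconds, and a device that has never fetched a CRL denies even under the permissive setting.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class CrlSnapshot:
    """The parts of a fetched CRL that matter for the decision."""
    revoked: FrozenSet[int]   # serial numbers listed in the CRL
    this_update: int          # epoch seconds
    next_update: int          # the CRL's Next Update field, epoch seconds


@dataclass
class CdpConfig:
    """The Control Distribution Point settings from the wizard."""
    fetch_time_adjustment: int = 0        # 0..86400 s; assumption: delays the scheduled fetch
    retry_interval: int = 300             # 0..31536000 s; wait after a failed fetch
    update_time: Optional[int] = None     # assumption: custom period in s; None = use CRL Next Update
    deny_when_unavailable: bool = True    # True: "Authentication is denied"
                                          # False: "Authentication is allowed, previous CRL is used"


class CrlChecker:
    def __init__(self, cfg: CdpConfig, fetch: Callable[[int], CrlSnapshot]):
        self.cfg = cfg
        self.fetch = fetch                            # contacts the CDP; raises if it cannot
        self.current: Optional[CrlSnapshot] = None
        self.next_fetch_at = 0                        # epoch seconds; 0 forces an initial fetch
        self.events: List[Tuple[int, str]] = []       # stands in for the device log

    def refresh(self, now: int) -> bool:
        """Fetch from the CDP if a fetch is due. Returns True if a fetch was attempted."""
        if now < self.next_fetch_at:
            return False
        try:
            snap = self.fetch(now)
        except Exception as exc:                      # CDP unreachable, unparsable CRL, and so on
            self.events.append((now, f"CRL fetch failed: {exc}"))
            self.next_fetch_at = now + self.cfg.retry_interval
            return True
        self.current = snap
        due = now + self.cfg.update_time if self.cfg.update_time is not None else snap.next_update
        self.next_fetch_at = due + self.cfg.fetch_time_adjustment
        return True

    def has_valid_crl(self, now: int) -> bool:
        return self.current is not None and now <= self.current.next_update

    def decide(self, serial: int, now: int) -> Tuple[bool, str]:
        """Revocation decision for a certificate with the given serial number."""
        self.refresh(now)
        if not self.has_valid_crl(now):
            # Assumption: with no CRL ever fetched there is nothing to fall back to, so deny.
            if self.cfg.deny_when_unavailable or self.current is None:
                return False, "no valid CRL; authentication denied"
            # Permissive setting: fall back to the expired CRL and log it, as the guide says.
            self.events.append((now, f"serial {serial} checked against expired CRL"))
        if serial in self.current.revoked:
            return False, "certificate revoked"
        return True, "not revoked"


def make_cdp(outage_from: int) -> Callable[[int], CrlSnapshot]:
    """Simulated CDP with constructed data: CRL 1 lists nothing; at t=1800 the CA revokes
    serial 42 and publishes CRL 2; from `outage_from` on, the CDP is unreachable."""
    def fetch(now: int) -> CrlSnapshot:
        if now >= outage_from:
            raise ConnectionError("CDP unreachable")
        if now < 1800:
            return CrlSnapshot(frozenset(), this_update=0, next_update=3600)
        return CrlSnapshot(frozenset({42}), this_update=1800, next_update=7200)
    return fetch


def run_scenario(deny_when_unavailable: bool):
    cfg = CdpConfig(retry_interval=300, deny_when_unavailable=deny_when_unavailable)
    checker = CrlChecker(cfg, make_cdp(outage_from=3600))
    checker.decide(42, now=0)                       # initial fetch: CRL 1, serial 42 not yet revoked
    results = {
        "t=2000": checker.decide(42, now=2000),     # CRL 1 still valid, no fetch: revocation not seen yet
        "t=4000": checker.decide(42, now=4000),     # fetch was due at 3600 and fails: Invalid Action applies
    }
    return results, checker


if __name__ == "__main__":
    for policy in (True, False):
        results, checker = run_scenario(policy)
        print("deny_when_unavailable =", policy, results)
        for t, msg in checker.events:
            print(f"  log t={t}: {msg}")
```

Two things to read off the output: with the default (deny) setting the t=4000 check fails because no valid CRL exists, whereas with the permissive setting serial 42 is accepted at t=4000 even though the CA revoked it at t=1800, and the only trace is the log event. Note also that t=2000 is accepted under both settings: until the CRL's Next Update time the device has no reason to fetch, so the CRL's validity period, not any setting on this page, bounds how quickly a revocation takes effect.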

Add a server certificate
You must add at least one server certificate to use when the device communicates with end users.

To add a server certificate:

1. Select Manage System > Certificates.
The Manage Certificates page appears.

2. Click Add Server Certificate.
The Add Server Certificate General Settings page appears.

3. Type a Display Name for this server certificate.
4. In the Certificate field, select the location of the certificate for your server.

The certificate must be in PEM format.

5. In the Key field, select the location of the private key for the server certificate. The key must be a PKCS#8 key in either DER or PEM format.

6. In the Password field, if the key is encrypted, specify the password that decrypts it.
7. Click Save to save the server certificate.

The certificate you added appears on the Registered Server Certificates list.

To see details about a server certificate:

1. In the Registered Server Certificates list, click the certificate.
2. Click View Certificate Details.

For more information about how to edit certificates, see ”Edit or delete a Server Certificate” on page 175.

PEM is the default format for OpenSSL. It is the DER encoding, Base64 encoded and wrapped in ASCII BEGIN and END header lines, which makes it safe for text-mode transfers between systems. DER is the raw binary ASN.1 encoding and can hold private keys, public keys, and certificates; most browsers export certificates in DER by default. A PEM file therefore carries the same DER data as the binary file, only in a text wrapper.

Edit or delete a Server Certificate
You can edit or delete the server certificate that the device uses when it communicates with end users.

To edit a server certificate:

1. Select Manage System > Certificates.
The Manage Certificates page appears.

2. In the Registered Server Certificates list, click the display name of the server certificate you want to edit.
The Edit Server Certificates General Settings page appears.

3. To see details about the certificate, click View Certificate Details.
4. Update the settings for the server certificate.
5. Click Save.

To delete a server certificate:

1. Select Manage System > Certificates.
The Manage Certificates page appears.

2. In the Registered Server Certificates list, click the display name of the server certificate you want to delete.
The Edit Server Certificates General Settings page appears.

3. Click Delete.
4. Click Yes.

Manage client certificate settings
You can add and edit the PEM-formatted client certificate, with its private key, that the device presents when it connects to resources that require client certificate authentication. You can specify only one client certificate.

To add or edit a client certificate:

1. Select Manage System > Certificates.
The Manage Certificates page appears.

2. Click Manage Client Certificate Settings.
The Add Client Certificate page appears.

3. Type a Display Name for this client certificate.
4. In the Certificate field, select the location of the client certificate.

The certificate must be in PEM format.

5. In the Key field, select the location of the private key for the client certificate. The key must be a PKCS#8 key in either DER or PEM format.

6. In the Password field, specify the password that decrypts the private key, if the key is encrypted.
7. Click Save.
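Both the server certificate and the client certificate procedures require a PEM certificate and a PKCS#8 private key, and the usual upload failure is a key exported in OpenSSL's traditional format (a BEGIN RSA PRIVATE KEY block) rather than PKCS#8. The Python checker below is an added example, not code from this guide or from the WatchGuard SSL product. It inspects a key file before upload and reports its encoding (PEM or DER), whether it has the PKCS#8 PrivateKeyInfo or EncryptedPrivateKeyInfo shape, and whether the DER length header agrees with the file size. It parses only the outer ASN.1 structure, and the sample inputs are constructed minimal DER sequences, not real keys.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at buf[pos]. Returns (tag, value_start, value_end),
    or None if the header is malformed or the value runs past the end of the buffer."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short form: one length byte
        header, length = 2, first
    else:                                  # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            return None
        header = 2 + n
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start, end = pos + header, pos + header + length
    return (tag, start, end) if end <= len(buf) else None


def der_key_shape(der: bytes) -> str:
    """Classify an unarmored private key by the tags of the first two elements of its
    outer SEQUENCE. This is a structural check, not a full ASN.1 parse."""
    outer = read_tlv(der, 0)
    if outer is None or outer[0] != 0x30 or outer[2] != len(der):
        return "malformed"                 # not a SEQUENCE, truncated, or trailing bytes
    _, pos, end = outer
    tags = []
    while pos < end and len(tags) < 2:
        tlv = read_tlv(der, pos)
        if tlv is None:
            return "malformed"
        tags.append(tlv[0])
        pos = tlv[2]
    if tags[:2] == [0x02, 0x30]:
        return "pkcs8"                     # PrivateKeyInfo: version INTEGER, AlgorithmIdentifier SEQUENCE
    if tags[:2] == [0x30, 0x04]:
        return "pkcs8-encrypted"           # EncryptedPrivateKeyInfo: AlgorithmIdentifier, OCTET STRING
    if tags[:1] == [0x02]:
        return "traditional"               # RSAPrivateKey / ECPrivateKey / DSA: version INTEGER, then key fields
    return "not-a-private-key"


def check_key_upload(data: bytes) -> dict:
    """Pre-flight check for the Key field: PEM or DER, PKCS#8 or not, well-formed or not."""
    m = PEM_RE.search(data.decode("ascii", errors="replace"))
    if m:
        label, body = m.group(1), m.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            return {"encoding": "PEM", "label": label, "shape": "malformed",
                    "encrypted": False, "accepted": False}
        encoding = "PEM"
    else:
        label, der, encoding = None, data, "DER"
    shape = der_key_shape(der)
    encrypted = shape == "pkcs8-encrypted"
    accepted = shape in ("pkcs8", "pkcs8-encrypted")
    if encoding == "PEM":
        # The armor label has to agree with what it wraps.
        accepted = accepted and label == ("ENCRYPTED PRIVATE KEY" if encrypted else "PRIVATE KEY")
    return {"encoding": encoding, "label": label, "shape": shape,
            "encrypted": encrypted, "accepted": accepted}


def pem_armor(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"


# Constructed sample inputs (not real keys): minimal DER with the right outer shape.
SAMPLE_PKCS8_DER = bytes.fromhex("300b020100300306012a040100")   # SEQ { INT 0, SEQ { OID }, OCTET STRING }
SAMPLE_ENCRYPTED_DER = bytes.fromhex("3008300306012a040100")     # SEQ { SEQ { OID }, OCTET STRING }
SAMPLE_TRADITIONAL_DER = bytes.fromhex("3006020100020105")       # SEQ { INT 0, INT 5 }
SAMPLE_TRUNCATED_DER = SAMPLE_PKCS8_DER[:5]                      # length header promises more bytes
SAMPLE_PKCS8_PEM = pem_armor("PRIVATE KEY", SAMPLE_PKCS8_DER)
SAMPLE_TRADITIONAL_PEM = pem_armor("RSA PRIVATE KEY", SAMPLE_TRADITIONAL_DER)

if __name__ == "__main__":
    for name, blob in [("pkcs8.pem", SAMPLE_PKCS8_PEM.encode()), ("rsa.pem", SAMPLE_TRADITIONAL_PEM.encode()),
                       ("enc.der", SAMPLE_ENCRYPTED_DER), ("cut.der", SAMPLE_TRUNCATED_DER)]:
        print(name, check_key_upload(blob))
```

A key reported as "traditional" can be converted with OpenSSL before upload: openssl pkcs8 -topk8 -in key.pem -out key.p8.pem (add -nocrypt for an unencrypted PKCS#8 key; otherwise supply the passphrase in the Password field). The checker does not confirm that the key matches the certificate or that the certificate itself is PEM; it only catches the format mismatch that the Web UI rejects.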

About Abolishment
Abolishment is an End-Point Security feature that monitors the files and stored browser data on a client during a user session, and then automatically deletes the browser data and files that were downloaded or created during the user session. You can configure the types of files and browser data that Abolishment deletes when the session ends. You can configure Abolishment to automatically delete the changed files or to notify the user and let the user choose which items to delete.

You can use Abolishment for access control. When you protect a resource with an Abolishment Access Rule, the Abolishment settings specify what type of files are deleted on the client after the session is completed. When a user attempts to connect to the resource, access is allowed only if the Abolishment client is running. This ensures that Abolishment can be performed when the session is completed.

WatchGuard SSL supports Abolishment on Microsoft Windows clients.

When the user is notified about Abolishment, the Abolishment client is called the End-Point Integrity client.

To manage Abolishment settings:

1. Select Manage System > Abolishment.
The Manage Abolishment page appears.

2. Configure Abolishment settings on these tabs:
General Settings
Cache Cleaner settings
Advanced Settings

3. Click Save.

Configure General Settings
You can configure the settings used by Abolishment Access Rules to determine which file types to monitor on the client. You also configure whether to notify the user at the completion of the session about all monitored files that were downloaded or created. If you select to notify the user, the user can choose which files to delete. If you do not notify the user, at the end of the session the Abolishment client automatically deletes the monitored files that were downloaded or created during the session.

1. Select Manage System > Abolishment.
The Manage Abolishment page appears.

2. Select the General Settings tab.
The General Settings page appears.

3. Configure the settings to monitor and delete downloaded files. For more information about these settings, see the subsequent section.

4. Click Save.

General Settings

Monitor Downloaded Files

Specify the file types to monitor during a user session. You can only monitor files on Windows clients. By default, the file types that are monitored for abolishment are htm, pdf, txt, doc, xls, ppt, exe, and zip.

Delete Downloaded Files
Specify whether to delete monitored files that have been created or downloaded during the session when the session ends, and whether to notify the user and let the user select which files to delete. You can configure these settings:

Enable Delete: To delete monitored files that have changed at the end of the session, select this check box.

Notify User: To show the user a message at the end of the session, select this check box. This message includes information about which files have been downloaded or created, and allows the user to select which files to delete.
Notification Message: If you select the Notify User check box, type the message that users see with the list of files to delete.

Configure Cache Cleaner settings
You can configure settings that control the deletion of cached Internet Explorer web content and the browser history created during the user session.

1. Select Manage System > Abolishment.
The Manage Abolishment page appears.

2. Select the Cache Cleaner tab.
The Cache Cleaner page appears.

3. Configure the settings to delete cached Internet content and browser history. For more information about these settings, see the subsequent section.

4. Click Save.

Cache Cleaner settings

Delete the Internet Explorer history and typed URLs

Select this check box to delete the Internet Explorer browser history and the web site addresses that the user created during the session. This is not selected by default.

Delete the browser cache entries
Select this check box to delete the cached pages in the Internet Explorer browser. You can use the URL filter to specify which cached pages to delete. This is not selected by default.

URL Filter
Type the URL pattern of the files to remove from the browser cache. The Abolishment client monitors the cached files in the Windows Temporary Internet Files folder. At the end of the session, the Abolishment client deletes all cached files that match the URL filter and that were created during the session.

You can use a wildcard (*). If you use the * wildcard character alone, the Abolishment client deletes all cache entries created during the user session. This is the default setting. Here are some other examples of URL filters:

https*: Removes all cache entries downloaded from a secure server during the user session.
http://www.example.com/*: Removes all cache entries from the specified server during the user session.

Configure Advanced settings
You can configure the settings that control how Abolishment works.

1. Select Manage System > Abolishment.
The Manage Abolishment page appears.

2. Select the Advanced Settings tab.
The Advanced Settings page appears.

3. Configure the Abolishment settings for resource display, whether to automatically start Abolishment, and how to load the Abolishment client. For more information about these settings, see the subsequent section.

4. Click Save.

Advanced Settings

Display resources

Select the Display resource in Application Portal check box if you want the icons for all resources to appear in the Application Portal before Abolishment starts to monitor the client.

Automatically start Abolishment
When the user selects a resource protected by an Abolishment access rule, a notification message appears that tells the user that the End-Point Integrity client is required.

If you do not select the Automatically start Abolishment check box, the user must click a button on the notification page to start the abolishment client. If you select this check box, the notification message appears briefly and the Abolishment client starts automatically.

Abolishment Client Loader
Select which type of loader to use for the Abolishment client.

ActiveX - Java Applet: Use the ActiveX client loader first. If the ActiveX client loader is not available, use the Java applet. This is the default setting.
ActiveX: Use the ActiveX client loader only.
Java Applet: Use the Java applet client loader only.

About Assessment
Assessment is an End-Point Security feature that scans the client computer to assess whether the client meets certain criteria. You can configure the assessment criteria that a client computer must meet in order to get access to a resource protected by an Assessment Access Rule. Access Rules for Assessment can complete these checks:

If a process is running (for example, an antivirus program or firewall)
If a registry value exists
If a file exists

At the start of a user session, the Assessment client scans the client computer to make sure it meets the Assessment criteria you specify. If the client computer meets the criteria, the user is allowed to access the protected resource. If you have a current LiveSecurity subscription, updates to your Assessment criteria data occur automatically at the time interval you specify in Monitor System > Live Update. If your LiveSecurity subscription expires, the assessment definition file is no longer updated, but continues to operate with the criteria available at the time of expiration.

WatchGuard SSL supports Assessment on Microsoft Windows clients.

When the user is notified about Assessment, the Assessment scan is called the End-Point Integrity scan.

To manage Assessment settings:

1. Select Manage System > Assessment.
The Manage Assessment page appears.

2. Configure Assessment on these tabs:
General Settings
Advanced Settings

3. Click Save.

General Settings
You can configure the client scan settings the Assessment Access Rules use when a user selects a protected resource.

1. Select Manage System > Assessment.
The Manage Assessment page appears.

2. Select the General Settings tab.
The General Settings page appears.

3. Configure the Real-time Scan and Client Scan Path settings. For more information about these settings, see the subsequent sections.

4. Click Save.

Real-time Scan
The client scan is always performed the first time a user requests a resource that is protected by an Assessment Access Rule. If you want the client scan to continue assessment during the session, select the Enable Real-time Scan check box. Real-time Scan is disabled by default.

If you enable Real-time Scan, type the number of seconds between scans in the Interval field. The default interval is to scan every 120 seconds.

Client Scan Path
Click Add Client Scan Path to select the paths that you want the Assessment client to scan on the client. You can specify one or more client scan paths. For each client scan path you must set this information:

Operating System
The client operating system to scan. Windows is the only option.

Type
The type of client data the client scan looks for. The client can search for four types of data:

File: file attributes, file name, file digest, file time created, and file time last written
Directory: directory name and attributes
Registry Key: registry name, registry type, and registry value
Registry Sub Key: registry name, registry type, and registry value

Path
The path on the client computer to scan for the selected client data type.

Advanced Settings
You can configure the settings that control how Assessment works.

1. Select Manage System > Assessment.
The Manage Assessment page appears.

2. Select the Advanced Settings tab.
The Advanced Settings page appears.

3. Configure the Display Resources, Assessment Client Scan, and Abolishment Client Loader settings. For more information about these settings, see the subsequent sections.

4. Click Save.

Display Resources
Select the Display resource in Application Portal check box if you want the icons for all resources to appear in the Application Portal before the Assessment client scan is completed. Users may see resources that they cannot access.

Automatically start the Assessment client scan
When the user selects a resource protected by an Assessment access rule, a notification message appears that tells the user that the End-Point Integrity client is required.

If you do not select the Automatically start the Assessment client scan check box, the user must click a button on the notification page to start the client scan. If you select this check box, the notification message appears and the Assessment client scan starts automatically.

Abolishment Client Loader
Select which type of loader to use for the Assessment client.

ActiveX - Java Applet: Use the ActiveX client loader first. If the ActiveX client loader is not available, use the Java applet. This is the default setting.

ActiveX: Use the ActiveX client loader only.

Java Applet: Use the Java applet client loader only.

About notification settings
You can configure email and SMS notification channels to send notification messages. These channels are used to send alerts and to distribute one-time passwords (OTPs), passwords and PINs, and seed notifications.

To configure notification settings:

1. Select Manage System > Notification Settings.
The Manage Notification Settings page appears.

2. Configure these settings for notification:
Email channel
SMS channel
SMS plug-ins

3. Click Save.

Configure the email notification channel
You can enable and configure email settings and the email address of the sender.

You must configure the email channel if you select email notification in any of these areas:

For a user account
In the Global User Account Settings
For an alert

To configure the email channel:

1. Select Manage System > Notification Settings.
The Manage Notification Settings page appears.

2. Select the Email Channel tab.
The Email Channel page appears.

3. Select the Enable email channel check box.
4. In the Host field, type the IP address or DNS name of the mail server through which the PIN, password, and seed messages are sent to users. The default is localhost.
5. In the Port field, type the port number. The default port is 25.
6. In the Sender's Email Address field, type the email address that you want to appear in the From field of the notification messages, for example a no-reply address in your organization's domain.

7. Click Save.

Configure the SMS notification channel
You can add one or more SMS channels. You must define an SMS channel when you enable SMS notification in these places:

For a user account
In the Global User Account Settings User Linking tab
For alerts

You can configure multiple SMS channels. Each channel is handled by an SMS plug-in.

Add an SMS channel
1. Select Manage System > Notification Settings.

The Manage Notification Settings page appears.

2. Select the SMS Channel tab.

Make sure you save your changes before you select another page in the UI. If you do not save your changes before you go to another page, all your changes are lost.

3. Click Add SMS Channel.
The Add SMS Channel page appears.

4. Type a Display Name for this channel.
5. From the Plug-in drop-down list, select the SMS plug-in for the SMS protocol you want to use.
6. Click Next.
7. Configure the settings for the selected SMS channel. The configuration settings are different for each SMS protocol, and the number of tabs with SMS settings to configure depends on the plug-in you selected. For information about the settings for each of the default SMS plug-ins, see:

"SMTP channel settings" on page 189
"SMPP channel settings" on page 190
"Netsize channel settings" on page 191
"HTTP channel settings" on page 192
"CIMD channel settings" on page 193

8. Click Finish Wizard.
9. Click Save.

To add a plug-in, click the SMS Plug-in tab. For more information, see "Add or remove SMS plug-ins" on page 194.

Reorder the Registered SMS Channels list
You can change the order of the channels in the Registered SMS Channels list to change the order in which the channels are used.

1. Select the SMS Channel tab.
2. In the Registered SMS Channels list, in the Move column, click Up or Down for the channel you want to move.
The channel moves up or down in the list.

3. Click Save.

Edit an SMS channel
1. Select the SMS Channel tab.
2. In the Registered SMS Channels list, click the channel you want to change.

The Edit SMS Channel page appears.

3. Update the settings for the SMS channel.
4. Click Finish Wizard.

Delete an SMS channel
1. Select the SMS Channel tab.
2. In the Registered SMS Channels list, click the channel you want to remove.

The Edit SMS Channel page appears.

3. Click Delete.
4. Click Yes.
5. Click Save.

SMTP channel settings
Configure these settings if you select the SMTP SMS plug-in when you add an SMS channel.

SMTP channel settings on the Connection tab

Host Address: The IP address or DNS name of the SMTP server. Set to localhost by default.
Port: The port of the SMTP server. Set to 25 by default.
Account: The service account to use to log in to the SMTP service.
Password: The service account password to use to log in to the SMTP service.
Start TLS: Select this check box to use TLS (Transport Layer Security). This is not enabled by default. Without it, the service account password and the message text, which can carry a one-time password or PIN, travel to the SMTP server in clear text.
Timeout: The length of time (in milliseconds) to wait for a response from the SMTP server. Set to 10000 by default.
Connection Timeout: The length of time (in milliseconds) for a socket connection timeout.
Close Socket: Select the Close Socket check box to close the socket after communication.
Debug Mode: Select the Debug Mode check box to enable debug mode.

SMTP channel settings on the Mobile Number Format tab

Remove: Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix: If the prefix of the mobile number is incorrect for the service, you can automatically replace it. Type the prefix to replace in the Replace Prefix field.
New Prefix: The new prefix to use in place of the prefix in the Replace Prefix field.

SMTP channel settings on the Message tab

To email address: The email address to put in the To field.
To friendly name: The friendly name to put in the To field.
From email address: The email address to put in the From field.
From friendly name: The friendly name to put in the From field.
Subject: The content of the Subject field.
Message Body: The content of the message body.

SMPP channel settings
Configure these settings if you select the SMPP SMS plug-in when you add an SMS channel.

SMPP channel settings on the Connection tab

Host Address: The IP address or DNS name of the SMPP server. Set to localhost by default.
Port: The port of the SMPP server. Set to 25 by default. Note that 25 is the SMTP port; SMPP servers conventionally listen on 2775, so set the port your SMSC actually uses rather than accepting the default.
Timeout: The length of time (in milliseconds) to wait for a response from the SMPP server. Set to 10000 by default.
Keep Alive: Select this to keep the connection alive. This is not selected by default.
System ID: The service account to use to log in to the SMPP service.
Password: The service account password to use to log in to the SMPP service.
System Type: The SMPP System Type. See your SMPP server documentation for more information.
Interface Version: The SMPP interface version. Set to 52 by default (52 decimal is 0x34, that is, SMPP v3.4).
Address TON: See your SMPP server documentation for more information.
Address NPI: See your SMPP server documentation for more information.
Address Range: See your SMPP server documentation for more information.

SMPP channel settings on the Mobile Number Format tab

Remove: Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix: If the prefix of the mobile number is incorrect for the service, you can automatically replace it. Type the prefix to replace in the Replace Prefix field.
New Prefix: The new prefix to use in place of the prefix in the Replace Prefix field.

SMPP channel settings on the Submission Parameters tab

For information about the settings on this tab, see the documentation for your SMPP server. The tab contains these settings:

Service Type
Source Address TON
Source Address NPI
Source Address
Destination Address TON
Destination Address (required)
ESM Class
Protocol ID
Priority Flag
Registered Delivery
Replace if present
Data Coding
Character Set
Default Message ID
Message Class

Netsize channel settings
Configure these settings if you select the Netsize SMS plug-in when you add an SMS channel.

Netsize channel settings on the General tab

Host Address: The IP address or DNS name of the Netsize server.
Port: The port of the Netsize server. Set to 25 by default.
Client: The client account to use to log in to the Netsize service.
Account: The service account to use to log in to the Netsize service.
Password: The service account password to use to log in to the Netsize service.
Timeout: The length of time (in milliseconds) to wait for a response from the Netsize server. Set to 10000 by default.
Message Class: The Message Class for this message. Valid entries are Default, Immediate Display (Flash), Store on Mobile Phone, Store on SIM, and Store on Terminal Equipment. Contact your Netsize vendor for more information about these settings.

Netsize channel settings on the Mobile Number Format tab

Remove: Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix: If the prefix of the mobile number is incorrect for the service, you can automatically replace it. Type the prefix to replace in the Replace Prefix field.
New Prefix: The new prefix to use in place of the prefix in the Replace Prefix field.

HTTP channel settings
Configure these settings if you select the HTTP SMS plug-in when you add an SMS channel.

HTTP channel settings on the General tab

URL: The URL of the HTTP service. Set to http://localhost by default. Use an https:// URL for any gateway that is not on the local host: with a plain http:// URL, the basic authentication credentials and the message text, which can carry a one-time password, are sent in clear text.
Account: The service account to use to log in to the HTTP service.
Password: The service account password to use to log in to the HTTP service.
Use Basic Authentication: Select this check box to use basic authentication for this HTTP service.
Post Data: The POST data to send in the HTTP request.
Follow Redirects: Select this check box to follow redirects before the response is parsed.
Use HTTP 1.1: Select this check box to use HTTP version 1.1. This is selected by default.
User Agent: Specify the user agent if the HTTP service requires a specific user agent.
Additional Headers: Specify the content of any additional headers that the HTTP service requires in the request.
Timeout: The length of time (in milliseconds) to wait for a response from the HTTP server. Set to 10000 by default.
Connection Timeout: The length of time (in milliseconds) for a socket connection timeout.

HTTP channel settings on the Mobile Number Format tab

Remove: Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix: If the prefix of the mobile number is incorrect for the service, you can automatically replace it. Type the prefix to replace in the Replace Prefix field.
New Prefix: The new prefix to use in place of the prefix in the Replace Prefix field.

HTTP channel settings on the Response Parsing Format tab

Success Response Codes: The HTTP response codes that indicate success. 200, 201, and 202 are selected by default.
Failure Response Codes: The HTTP response codes that indicate failure. 400, 401, and 402 are selected by default.
Success Response Body: Content in the HTTP response body that indicates success.
Failure Response Body: Content in the HTTP response body that indicates failure.
Default State: Whether a response that matches neither the success nor the failure rules counts as Success or Failure. Set to Failure by default, so that an unrecognized gateway reply is treated as an undelivered message rather than a delivered one.

CIMD channel settings
Configure these settings if you select the CIMD SMS plug-in when you add an SMS channel.

CIMD channel settings on the Connection tab

Host Address: The IP address or DNS name of the CIMD server. Set to localhost by default.
Port: The port of the CIMD server. Set to 3000 by default.
Account: The service account to use to log in to the CIMD service.
Password: The service account password to use to log in to the CIMD service.
Timeout: The length of time (in milliseconds) to wait for a response from the CIMD server. Set to 15000 by default.

CIMD channel settings on the Mobile Number Format tab

Remove: Type any characters you want to automatically remove from the mobile number. For example, ()+.
Replace Prefix: If the prefix of the mobile number is incorrect for the service, you can automatically replace it. Type the prefix to replace in the Replace Prefix field.
New Prefix: The new prefix to use in place of the prefix in the Replace Prefix field.

Add or remove SMS plug-ins
Plug-ins are used to communicate with different SMS vendors. You select plug-ins when you configure an SMS channel.

The default plug-ins available are:

SMTP (1.0)
SMPP (1.10)
Netsize (1.0)
HTTP (1.12)
CIMD (1.10)

You can write additional plug-ins for compatibility with other SMS protocols. A plug-in is code that runs on the device, so upload only plug-ins that you wrote yourself or obtained from a source you trust.

To add an SMS plug-in:

1. Select Manage System > Notification Settings.
The Manage Notification Settings page appears.

2. Select the SMS Plug-ins tab.
A list of installed SMS plug-ins appears.

3. To add a plug-in, click Browse to locate the plug-in file.
4. Click Upload Plug-in.

The plug-in is added to the list, and is available when you add an SMS Channel.

5. Click Save.

To remove an SMS plug-in:

1. Select the Remove check box for the plug-in you want to delete.
2. Click Remove.
3. Click Save.

Manage Client Definitions
You can use client definitions to create an Access Rule that allows access to a resource only if the client is of a specified type. By default, the WatchGuard SSL device includes these client definitions:

Internet Explorer 6
Internet Explorer 7
Netscape 7
Netscape 9
Opera
Mozilla Firefox
Safari
WAP Phone
Access Client
Microsoft-AirSync
Java
Mac OS
Windows
Unix
Linux
Windows CE
PDA

The WatchGuard SSL device identifies a client from the contents of its HTTP request headers, such as User-Agent. A client definition specifies the header values the device looks for to recognize a specific client. Because the client itself writes these headers and can send any values it likes, a Client Definition Access Rule is a way to steer users to supported clients or block unsupported ones; it is not an authentication control and does not keep out a client that deliberately misreports itself.

When you create an Access Rule of the type Client Definition, the Available Clients you can select are those you define on the Client Definitions page. After you add a client definition, you can select that client when you create an Access Rule.


To manage client definitions:

1. Select Manage System > Client Definitions.
The Manage Client Definitions page appears.

2. Configure client definitions:
Add a client definition
Edit or delete a client definition

Add a client definition

To add a client definition:

1. Select Manage System > Client Definitions.
The Manage Client Definitions page appears.

2. Click Add Client Definition.
The Add Client Definition page appears.


3. Type the Display Name for this client.

4. In the Definition field, type the "name=value" pair that appears in the HTTP header of the client.

You can use the * wildcard character in the value.
You can include more than one "name=value" pair.
To use an AND operator, add the pairs on the same line, separated by a space.
To use an OR operator, add the pairs on the same line, separated by the pipe (|) symbol.
To specify a NOT operator, add an exclamation mark (!) before the pair.

5. Click Save.
The client definition you added appears in the Registered Client Definitions list.

Edit or delete a client definition

Edit a client definition

1. Select Manage System > Client Definitions.
The Manage Client Definitions page appears.

2. In the Registered Client Definitions list, click the display name of the client.
The Edit Client Definition page appears.

3. Edit the Display Name and Definition.

4. Click Save.

Delete a client definition

1. Select Manage System > Client Definitions.
The Manage Client Definitions page appears.

2. In the Registered Client Definitions list, click the display name of the client.

3. Click Delete.

4. Click Yes.
The client definition is removed from the Registered Client Definitions list.

For examples of how the client definition should look, click on an existing client definition to view it.
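The definition syntax above (name=value pairs, the * wildcard, space for AND, | for OR, ! for NOT) is easy to get wrong when several operators are combined. The following Python matcher is an added example, not code from the guide or from the WatchGuard SSL device; it evaluates definitions written in that syntax against a request's headers. Two points are assumptions because the guide does not state them: | is taken to bind loosest (a definition is an OR of AND-groups), and because a space separates AND terms, a space inside a value has to be written as a wildcard. The sample definitions and header values are constructed for the example. Note that every header a client sends is under the client's control, so a client-definition Access Rule is a policy and usability filter, not an authentication control.

```python
import re

# Constructed client definitions in the "name=value" syntax described above.
# They are illustrations for this example, not the device's built-in definitions.
SAMPLE_DEFINITIONS = {
    "Internet Explorer 7": "User-Agent=*MSIE*7.0*",
    "Windows, not IE 6": "User-Agent=*Windows*NT* !User-Agent=*MSIE*6.0*",
    "iPhone or iPad": "User-Agent=*iPhone* | User-Agent=*iPad*",
    "ActiveSync": "User-Agent=Microsoft-Server-ActiveSync*",
}


def _value_matches(pattern, value):
    """'*' matches any run of characters; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def _term_matches(term, headers):
    """Evaluate one 'name=value' or '!name=value' term against lower-cased headers."""
    negate = term.startswith("!")
    if negate:
        term = term[1:]
    if "=" not in term:
        raise ValueError(f"expected name=value, got {term!r}")
    name, pattern = term.split("=", 1)
    # Header names are case-insensitive. A header the client did not send never
    # matches, so "!name=value" is true for a client that omits the header.
    value = headers.get(name.lower())
    hit = value is not None and _value_matches(pattern, value)
    return not hit if negate else hit


def definition_matches(definition, headers):
    """True if the request headers satisfy the client definition.

    Assumption: '|' has the lowest precedence, so the definition is an OR of
    groups and each group is an AND of space-separated terms.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    groups = [alt.split() for alt in definition.split("|")]
    return any(all(_term_matches(t, lowered) for t in g) for g in groups if g)


def identify_client(headers, definitions=SAMPLE_DEFINITIONS):
    """Return the display names of every definition these headers satisfy."""
    return [name for name, d in definitions.items() if definition_matches(d, headers)]
```

A request can satisfy several definitions at once (an IE 7 browser on Windows matches both "Internet Explorer 7" and "Windows, not IE 6" above), so an Access Rule that needs exclusivity has to say so with ! terms rather than rely on the order of the definitions.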


About delegated management

After you configure an External Directory Service, you can use delegated management to create administrative roles with different configuration and monitoring responsibilities. You can then assign each role to one or more users in the registered External Directory Service.

When you create an alert on the Manage Alerts page, you can assign which alerts are sent to the various administrative roles. The users you assign to each of these roles then receive the alert notification messages about alert events. If you plan to use an administrative role for alerts, make sure that the users you assign to that role have email addresses and/or cell phone numbers defined in their user accounts.

By default, the WatchGuard SSL device has two built-in administrative roles:

Help Desk
Super Administrator

For each role, you can assign different administrative privileges. For a description of the privileges you can assign to a role, see "About administrative privileges" on page 199.

To add or edit administrative roles:

1. Select Manage System > Delegated Management. The Delegated Management page appears.

2. Add, edit, or delete an administrative role.

Delegated Management is only available in the Web UI if you have configured an External Directory Service and published the configuration change.


About administrative privileges

For the administrative roles that you create, you can assign one or more of these privileges to each role.

Help desk administration
Allows users to add, edit, and delete all settings saved for a user account.

User account management
Allows users to get access to all functionality available in the User Management menu.

Resource management
Allows users to add, edit, and delete resources (resource hosts and resource paths) and to manage Application Portal items.

Resource path management
Allows users to add, edit, and delete resource paths for selected resource hosts.

View logs
Allows users to use the Log Viewer to see log files.

Publish
Allows users to publish an updated configuration.

Privileges for the default administrative roles

You cannot see or edit privileges for the default administrative roles. These roles have privileges permanently assigned.

The Super Administrator role has all privileges enabled.
The Help Desk role has the Help desk administration privilege enabled.


Manage administrative roles

You can add, edit, or delete administrative roles.

Add an administrative role

1. Select Manage System > Delegated Management.
The Delegated Management page appears.

2. Click Add Role.
The Add Role page appears.

3. Type a Display Name for this role.

4. Type a Description for this role.

5. In the Privileges section, select the check box for each privilege you want to assign to this role:

Help desk administration
User account management
Resource management
Resource path management
View logs
Publish

For more information, see "About administrative privileges" on page 199.

6. Click Next.


7. Complete the next pages of the wizard for the privileges you selected.

Select User Accounts
From the Select User Group drop-down list, select a user group that this role can manage and click Add Group. Repeat to add each user group this role can manage.

Select Administrators
Click Add Administrator to assign a user to this role.
In the User ID field, type a full or partial user name to search for. You can use the * wildcard character in your search. For example, type *smith* to find all user IDs that contain "smith".
The user names that match your search criteria appear in the Search Result list.
In the Search Result list, select the Assign Role check box for each user you want to assign to this role.
Click Update.
To search for other users to assign to this role, repeat these steps.

Select Resources
Select a resource in the Available Resources list and click Add.
The resource appears in the Selected Resources list.

8. Click Next.

9. Click Finish Wizard.

Edit an administrative role

1. Select Manage System > Delegated Management.
The Delegated Management page appears.

2. In the Registered Roles list, click a role.
The Edit Role page appears.

3. Click the General Settings tab to edit these settings:
Display Name
Description
Privileges (cannot be changed for the two default roles)
Select the check box for each privilege to assign to this role.

For more information, see "About administrative privileges" on page 199.

4. To edit the User Groups this role can manage, click the User Accounts tab.

5. To change the resources this role can manage, click the Resources tab.

6. To change which users are assigned to this role, click the Administrators tab.

7. Click Save.


Delete an administrative role

1. Select Manage System > Delegated Management.
The Delegated Management page appears.

2. In the Registered Roles list, click a role.
The Edit Role page appears.

3. Click Delete.

4. Click Yes.
The role is removed from the Registered Roles list.
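The privileges described on page 199 and the user groups and resources chosen in the Add Role wizard together define what a delegated administrator may do. The following Python model is an added example and is not code from the guide or from the WatchGuard SSL device; it shows the least-privilege check that such a design implies: an action is permitted only when an assigned role holds the privilege and the target user group or resource lies inside that role's scope, and the two built-in roles keep their fixed privileges. Treating the built-in roles as unscoped, and the sample "Sales Help Desk" role, are assumptions made for the example.

```python
from dataclasses import dataclass

# The six privileges listed under "About administrative privileges".
PRIVILEGES = frozenset({
    "help_desk_administration",
    "user_account_management",
    "resource_management",
    "resource_path_management",
    "view_logs",
    "publish",
})


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset
    user_groups: frozenset = frozenset()   # user groups this role can manage
    resources: frozenset = frozenset()     # resources this role can manage
    builtin: bool = False                  # built-in roles have fixed privileges

    def __post_init__(self):
        unknown = self.privileges - PRIVILEGES
        if unknown:
            raise ValueError(f"unknown privileges: {sorted(unknown)}")


# The two built-in roles with the privileges the guide states for them.
SUPER_ADMINISTRATOR = Role("Super Administrator", PRIVILEGES, builtin=True)
HELP_DESK = Role("Help Desk", frozenset({"help_desk_administration"}), builtin=True)


def with_privileges(role, privileges):
    """Return a copy of a custom role with new privileges; refuse for built-in roles."""
    if role.builtin:
        raise PermissionError(f"privileges of built-in role {role.name!r} are fixed")
    return Role(role.name, frozenset(privileges), role.user_groups, role.resources)


def is_authorized(roles, privilege, *, user_group=None, resource=None):
    """True if some assigned role grants `privilege` for the named target.

    A custom role grants an action only inside the scope selected in the wizard
    (the groups on its User Accounts page, the resources on its Resources page).
    Assumption: built-in roles are unscoped, as the guide shows no scope pages for them.
    """
    if privilege not in PRIVILEGES:
        raise ValueError(f"unknown privilege {privilege!r}")
    for role in roles:
        if privilege not in role.privileges:
            continue
        if role.builtin:
            return True
        if user_group is not None and user_group not in role.user_groups:
            continue
        if resource is not None and resource not in role.resources:
            continue
        return True
    return False


# Constructed example: a help-desk role limited to the "Sales" user group.
SALES_HELP_DESK = Role(
    "Sales Help Desk",
    frozenset({"help_desk_administration"}),
    user_groups=frozenset({"Sales"}),
)
```

The deny-by-default shape matters: a role with no scope entries can manage nothing, which is the safe outcome when a wizard page is skipped, and a privilege name that is not one of the six is rejected rather than silently ignored.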


About the Administration Service

The Administration Service includes all the services and settings related to administration of your device. On the Manage Administration Service page you can configure the HTTP and HTTPS ports and server certificate to use for communication between the WatchGuard SSL Web UI and the client.

Manage Administration Service Settings

1. Select Manage System > Administration Service.
The External Communication Settings page appears.

2. Configure these settings for external communication:

Administrator Host
Select which interface to use when you connect to the WatchGuard SSL Web UI to manage the device. If your device is in single interface mode, this is always set to Eth0. If your device is in dual interface mode, you can select Eth0 or Eth1. In dual interface mode, this is set to Eth1 by default.

Administrator HTTP Port
The HTTP port to use when you connect to the WatchGuard SSL Web UI to manage the device. This is set to 80 by default.

Administrator HTTPS Port
The HTTPS port to use when you connect to the WatchGuard SSL Web UI to manage the device. This is set to 8443 by default.

Server Certificate
The server certificate the Administration Service uses in HTTPS communication. You add the server certificate on the Certificates page.

For more information, see "Add a server certificate" on page 174.

3. Click Save.

From the Manage Administration Service page you can also:

Manage global settings
Restart the Administration service


Manage Global Service Settings

You can manage the settings for all services from the Administration Service page. We recommend that you do not change these settings unless you are asked by a WatchGuard technical support representative to change a setting to help troubleshoot a specific problem.

To configure the global settings for the services:

1. Select Manage System > Administration Service.
The Manage Administration Service page appears.

2. Click Manage Global Settings.
The Manage Global Service Settings page appears.

3. Configure the global settings for the services.
For more information about these settings, see the subsequent sections.

4. Click Save.


Communication settings

To control the communication between the Administration service and the Device service, configure these settings:

Timeout Check Interval
Number of seconds (0–3600) between checks for sessions that have timed out. This is set to 1 second by default.

User Lifetime in Cache
Number of seconds (0–31,536,000) to keep user account information in the cache before the Administration service reloads it from the Internal User Database or External Directory Service. This setting is not related to user activity. This is set to 900 seconds by default. The maximum value is equal to 365 days.

Heartbeat Interval
Number of seconds (1–30) between status checks on services on the device. This is set to 10 seconds by default.

Missing Heartbeat Limit
Number of missing heartbeats, or status checks, that are allowed (1–100) before the services reconnect to each other if a service does not respond. This is set to 12 heartbeats by default.

Send cache specification
Select this check box if you want the Administration service to send the cache specification to the Device service that controls the Application Portal. This is selected by default.

Heap size settings

To control the amount of memory that the Administration service uses, configure these settings.

Minimum Memory
Default is set to 64 MB.

Maximum Memory
Default is set to 256 MB.

Save Heap Size specification
Select this check box to save the Heap Size specification.


Restart the Administration service

You can restart the Administration service without an interruption for any current client SSL sessions.

To restart the Administration service:

1. Select Manage System > Administration Service.
The Manage Administration Service page appears.

2. Click Restart Service.

3. Click Yes.


Manage Device settings

You can configure the settings for the Application Portal to which your users connect. These settings enable you to select the settings for available ports, connection times, encryption protocols, session controls, cookie persistence, and client access.

To configure device settings for the Application Portal:

1. Select Manage System > Device Settings.
The Manage Device page appears.

2. Click each tab and configure the settings:
General settings
Performance settings
Cipher Suite settings
Advanced settings

3. Click Save.


General settings for the application portal

You can configure the basic settings for the Application Portal. These settings control on which interfaces, ports, and IP addresses the Application Portal is available. By default, the Application Portal listens on one IP address on the Eth0 port.

1. Select Manage System > Device Settings.
The Manage Device Settings page appears.

2. Select the General Settings tab.
The General Settings page appears.

3. Configure the General Settings and Add additional listeners.
For more information about these settings, see the subsequent sections.

4. Click Save.

General Settings

Display Name
The name used to identify this device. This is automatically set to accesspoint. You cannot change this setting.

Application Portal Host
The IP address or DNS name to bind all incoming external traffic to the Application Portal. This is automatically set to the IP address configured for Eth0. To change this IP address you must change the Eth0 IP address on the Network Configuration page.

Application Portal Port
The HTTPS port for incoming traffic to the Application Portal. Set to 443 by default.

Server Certificate
The server certificate that the Application Portal uses for external communication. For HTTPS connections, you must specify a server certificate.

Listen on all interfaces
Select this check box to set the device to listen on all active interfaces. If the device is in dual interface mode, select this check box to make the Application Portal available on both Eth0 and Eth1.


Add additional listeners

Additional listeners are additional ports or IP addresses on which the Application Portal accepts connections. You can add, edit, and delete additional listeners.

To add a listener:

1. On the Manage Device Settings page, click Add Additional Listener.
The Add Additional Listener page appears.

2. The Host field is automatically set to the Eth0 IP address. You cannot change this field on this page.

3. In the Port field, set the port for incoming HTTP or HTTPS traffic. Set to 80 by default.

4. In the Server Certificate drop-down list, select the certificate to use for this listener. For HTTPS connections, you must specify a server certificate.

5. The Type is automatically set to Web.

6. If your device is configured in Dual Interface mode, select the Listen on all interfaces check box for this listener to listen on the Eth0 and Eth1 interfaces.

7. Click Add.
The listener appears in the Registered Additional Listeners list.

To edit an additional listener:

1. On the Manage Device Settings page, in the Registered Additional Listeners list, click the listener you want to edit.
The Edit Additional Listener page appears.

2. Update the settings for the additional listener.

3. Click Update.

The Listen on all interfaces setting does not have any effect if the device is configured in single interface mode. Eth0 is the only active interface in single interface mode.


To delete an additional listener:

1. On the Manage Device Settings page, in the Registered Additional Listeners list, click the listener you want to delete.
The Edit Additional Listener page appears.

2. Click Delete.

3. Click Yes.
The Manage Device Settings page appears.

4. Click Save.

Performance settings

You can change settings that affect the performance of the Application Portal.

1. Select Manage System > Device Settings.
The Manage Device Settings page appears.

2. Select the Performance tab.
The Performance Settings page appears.

3. Configure the Performance Settings and Data Compression Settings.
For more information about these settings, see the subsequent sections.

4. Click Save.


Performance Settings

Performance settings include timeout settings for idle connections. You can also limit the number of TCP connections that the operating system is able to queue, and allow the WatchGuard SSL device to cache SSL sessions for communication with internal servers.

Max Worker Threads
Set to 200 threads by default.

Connection Timeout
Set to 60 seconds by default.

UDP Tunnel Timeout
Set to 120 seconds by default.

Garbage Collection Interval
Set to 1 minute by default.

Size of Socket Listening Backlog
Set to 25 connections by default.

Max Tunnel Connections
Set to 1500 connections by default.

Cache internal SSL sessions
Enabled by default.

No delay on tunnel connections
Enabled by default.

Data Compression Settings

These settings allow you to control how web files are stored.

Compress static Web files
Not enabled by default.

Compress dynamic Web files
Dynamic files are Web files on the device that contain user variables. Not enabled by default.

File types to compress
The types of files to compress. You can use the wildcard character * to compress all file types. The default setting is text/html, text/xml.


Cipher Suite settings

You can change the Application Portal settings related to encryption. When the client and server negotiate an SSL connection, they agree on a common cipher value to use for key exchange and encryption. You can select which protocols and cipher suites the Application Portal supports.

1. Select Manage System > Device Settings.
The Manage Device Settings page appears.

2. Select the Cipher Suites tab.
The Cipher Suites page appears.

3. Configure the Protocols and Cipher Suites settings.
For more information about these settings, see the subsequent sections.

4. Click Save.

Protocols

In the Protocols Supported section, select one or more protocols to enable. You can select from these protocols:

TLS v1.0
SSL v3.0
SSL v2.0

TLS v1.0 and SSL v3.0 are enabled by default.


Cipher Suites

In the TLS v1.0 and SSL v3.0 Cipher Suites section, select which cipher suites to support for these protocols. By default, these cipher suites are supported:

TLS_RSA_WITH_AES_256_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5

In the SSL v2.0 Cipher Suites section, select which cipher suites to support for this protocol. By default, these cipher suites are supported:

SSL_CK_DES_192_EDE3_CBC_WITH_MD5
SSL_CK_RC2_128_CBC_WITH_MD5
SSL_CK_RC4_128_WITH_MD5
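The protocol and cipher-suite lists above are the selectable options; which of them to leave enabled is a policy decision, and several of the defaults have since been withdrawn by the IETF. The following Python check is an added example, not part of the guide or of the device software: it reviews a protocol and cipher-suite selection against a conservative baseline and reports which of the page's own suites still pass. The protocol and suite names are copied from the page; the rules, their RFC references, and the decision to report SSL v2.0 suites only when SSL v2.0 itself is enabled are assumptions of the example.

```python
import re

# Protocol and cipher-suite names exactly as they appear on the Cipher Suites tab.
DEFAULT_PROTOCOLS = ["TLS v1.0", "SSL v3.0"]
DEFAULT_TLS_SUITES = [
    "TLS_RSA_WITH_AES_256_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]
DEFAULT_SSL2_SUITES = [
    "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
    "SSL_CK_RC2_128_CBC_WITH_MD5",
    "SSL_CK_RC4_128_WITH_MD5",
]

# Policy baseline (an assumption of this example, drawn from IETF guidance).
PROTOCOL_VERDICTS = {
    "SSL v2.0": "prohibited (RFC 6176)",
    "SSL v3.0": "deprecated (RFC 7568); vulnerable to POODLE",
    "TLS v1.0": "deprecated (RFC 8996); the newest version this device offers",
}
# First matching rule wins; each regex is applied to the suite name.
WEAK_SUITE_RULES = [
    (r"^SSL_CK_", "SSL v2.0-only suite"),
    (r"_RC4_", "RC4 is prohibited for TLS (RFC 7465)"),
    (r"_RC2_", "RC2 is an obsolete cipher with a 64-bit block"),
    (r"_3DES_|_DES_192_EDE3_", "3DES has a 64-bit block (Sweet32)"),
    (r"_MD5$", "MD5-based MAC"),
]


def review_suite(suite):
    """Return the reason a suite fails the policy, or None if it passes."""
    for pattern, reason in WEAK_SUITE_RULES:
        if re.search(pattern, suite):
            return reason
    return None


def review_configuration(protocols, tls_suites, ssl2_suites):
    """Review a protocol and cipher-suite selection.

    Returns the findings as (name, reason) pairs and the TLS suites that pass.
    SSL v2.0 suites are reported only when SSL v2.0 is among the enabled
    protocols, because they are never offered otherwise.
    """
    findings = [(p, PROTOCOL_VERDICTS[p]) for p in protocols if p in PROTOCOL_VERDICTS]
    findings += [(s, review_suite(s)) for s in tls_suites if review_suite(s)]
    if "SSL v2.0" in protocols:
        findings += [(s, review_suite(s)) for s in ssl2_suites if review_suite(s)]
    keep = [s for s in tls_suites if review_suite(s) is None]
    return {"findings": findings, "recommended_tls_suites": keep}
```

Run against the defaults, the check keeps only TLS_RSA_WITH_AES_256_SHA and TLS_RSA_WITH_AES_128_SHA and reports SSL v3.0 alongside the RC4 and 3DES suites. Neither surviving suite provides forward secrecy, but the page lists no ephemeral key-exchange suites to choose instead, so the practical hardening on this device is to clear SSL v3.0 and the flagged suites and to keep the protocol list as short as the connecting clients allow.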


Advanced settings

You can change advanced settings related to session control, cookie persistence, client access, and bad URIs.

1. Select Manage System > Device Settings.
The Manage Device Settings page appears.

2. Select the Advanced tab.
The Advanced Settings page appears.

3. Configure the advanced settings.
For more information about these settings, see the subsequent sections.

4. Click Save.


Session Control settings

In the Session Control section, you can configure client session control using the WAAK (Web access authentication key) option. WAAK is more secure than HTTP. If you enable WAAK, you can also set the strength of the secure authentication cookie.

Secure Web access authentication by key cookie (WAAK)
Select this check box to use the WAAK secure authentication cookie. This is selected by default.

Strength of WAAK
The strength of the WAAK secure authentication cookie. The default value is 128 bits.

Random Value of WASID
The number of bits in the Web Access Session ID (WASID). The WASID is a random hexadecimal value generated by the device. The default value is 64 bits.

Bind session to client IP
Select this check box to allow the client session to move from one computer to another if the client source IP address does not change during the session. This is not selected by default.

Allow duplicate user name logon
This is selected by default.

Duplicate user name logon reverse action
This is not selected by default.

Show shutdown message
This is not selected by default.

Cookie Persistence settings

Select this check box to change session cookies to persistent cookies. This setting only applies to resources protected by Abolishment and to Internet Explorer users.

When you select this option, abolishment behavior changes in two ways:

The Abolishment client makes sure all persistent cookies are removed from the client.
When an Abolish access rule is in effect, the WatchGuard SSL device transforms the session cookies to persistent cookies at runtime as soon as the client successfully authenticates.

Client Access settings

These settings control communication between the clients and the Application Portal.

Show error on SSL v2 access
Select this check box if you want to include error messages in SSL v2 communication sent to users. This is not selected by default.

Hide server header
Select this check box if you want to hide server headers from the client. This is selected by default.

Default authentication method
Select the default authentication method to use when a user accesses the main page of the Application Portal without the parameter authmech specified.

Bad URIs
In the Bad URIs text box you can edit the locations or files on the device that clients are not allowed to use or view by default. We recommend you do not remove any of the default items in the Bad URIs list.


Update the Device

You can use the Device Update pages to update, restore, reboot, or set the time for your WatchGuard SSL device.

1. Select Manage System > Device Update.
The Update the OS page appears.

2. Configure the device:
Update the OS
Set the time zone, system time, and configure an NTP server
Restore the configuration to factory default settings
Reboot the device

Update the OS

WatchGuard provides software updates in a file that you can use to update the software on the device.

To update the OS for your device:

1. Select Manage System > Device Update.
The Update OS page appears.

2. In the Update the OS section, click Browse to locate the software update file.

3. Click Update.
The OS is updated and the device reboots. This can take several minutes.

4. After the device update is complete, log in to the WatchGuard SSL Web UI again.


Configure the system time and set the time zone

The system date and time is primarily used in log file messages. You can manually set the system time, or you can enable NTP so the device automatically gets time updates from an NTP server. You can also configure the time zone for your device.

To configure the system time settings:

1. Select Manage System > Device Update.
The Update OS page appears.

2. Click System Time Settings.
The System Time Setting page appears.

3. Select Enable NTP and configure the NTP server.
Or, set the system Date and Time.

4. Click Save.

To configure the time zone:

1. Select Manage System > Device Update.
The Update OS page appears.

2. Click Time Zone Setting.
The Time Zone Setting page appears.

3. In the Time Zone drop-down list, select the time zone.

4. Click Save.


Restore factory default settings

You can reset your WatchGuard SSL device to its factory default settings. After you reset your device, you can use the Quick Setup Wizard to build your configuration again. When you restore the factory default settings, the software version does not change, but any configuration changes you have previously made are removed.

To restore the factory default settings:

1. Select Manage System > Device Update.
The Update the OS page appears.

2. Click Restore factory defaults.
The Restore factory defaults page appears.

3. Click Yes.
The device reboots and the default configuration is restored.

Reinitialize the Local User Database

If the data in the Local User Database for your WatchGuard SSL device is corrupted, you can either restore the factory default settings for your device, or you can reinitialize the Local User Database. If you choose to restore the factory default settings, all of your network and configuration settings are lost with the database configuration. You must run the Quick Setup Wizard to configure your WatchGuard SSL device again. If you choose to reinitialize your Local User Database, only the data in your Local User Database tables is cleared. All of your network settings are saved. You can then restore a previous configuration to recover your Local User Database information.

To reinitialize your Local User Database:

1. Select Manage System > Device Update.
The Update the OS page appears.

2. Click Reinitialize Local User Database.
The Reinitialize Local User Database page appears.

3. Click Yes.
The data in the tables of your Local User Database is cleared and the WatchGuard SSL device reboots.

To restore a previous configuration to recover the data in your Local User Database, see "Restore a saved configuration" on page 222.


Reboot the device

You can reboot your WatchGuard SSL device from the WatchGuard SSL Web UI.

To reboot the system:

1. Select Manage System > Device Update.
The Update the OS page appears.

2. Click Reboot.
The Reboot page appears.

3. Click Yes.
The device reboots.

4. Log in to the WatchGuard SSL Web UI again.

Network Configuration

You can select the network type and specify network address information for your WatchGuard SSL network. This is the same network information that you configured in the Quick Setup Wizard.

1. Select Manage System > Network Configuration.
The Network Configuration page appears.

2. Select a Network Type.
If you select Single Interface Mode, only Eth0 is active.
If you select Dual Interface Mode, both Eth0 and Eth1 are active.

3. Configure the network settings.
For more information, see the subsequent sections.

4. Click Save.


Network Type

You can configure the WatchGuard SSL device in one of two network types:

Single Interface Mode (default)
Select this mode if you want to connect the WatchGuard SSL device to one network. In single interface mode, only the Eth0 interface is active.

Dual Interface Mode
Select this mode if you want to connect the WatchGuard SSL device to two networks. In dual interface mode, the Eth0 and Eth1 interfaces are both active.

These diagrams illustrate the two network types:

Configure network settings for Eth0

1. In the IP Address text box, type the IP address you want to use for Eth0.

2. In the Subnet Mask text box, type the subnet mask. For example, 255.255.255.0.

3. In the Default Gateway text box, type the IP address of the default gateway on the Eth0 network.

4. In the Primary DNS text box, type the IP address of the primary DNS server on the Eth0 network.

5. (Optional) In the Secondary DNS text box, type the name of a secondary DNS server.

6. (Optional) In the DNS Name text box, type the domain name for your organization.

7. Click Save.

Configure network settings for Eth1

If you select Dual Interface Mode, you can also configure the network settings for the Eth1 interface. You can only configure the settings for Eth1.

1. In the IP Address text box, type the IP address you want to use for Eth1.

2. In the Subnet Mask text box, type the subnet mask. For example, 255.255.255.0.

3. Click Save.


Configure network routes

You can add a static route to each computer that you want the WatchGuard SSL device to send traffic to. This is particularly important if you configure your WatchGuard SSL device in Dual Interface mode, because resources could be on a different network than the client. If you do not define a default route, packets are routed based on the default gateway for the device.

After you create a route, you cannot edit it. If you want to change a route, you must delete the route you want to change and add a new route.

To add a network route:

1. Select Manage System > Network Configuration.
The Network Configuration page appears.

2. Click Route Configuration.
The Route Configuration page appears with a list of all the current network routes.

3. To add a route, click Add New Route.
The Add Route page appears.

4. Type the Destination IP Address, Subnet Mask, and Gateway.

5. Click Save.
The network route you added appears in the table on the Route Configuration page.

To delete a network route:

1. On the Route Configuration page, select the Delete check box for each network route you want to delete.

2. Click Delete.
The route is deleted.


Restore a saved configuration

Each time you publish a configuration update to the device, a copy of that configuration is saved.

You can use the WatchGuard SSL Web UI to:

Restore the most recent configuration (remove all unpublished changes)
Restore an older saved configuration
Add comments to describe the changes in a saved configuration
Delete a saved configuration
Set the maximum number of saved configurations and the number you see per page

To restore the current configuration:

1. Select Manage System > Restore Configuration.
The Restore Configuration page appears.

2. In the top section, click Restore.
The selected configuration is restored and the System Status page appears.

To restore a saved configuration:

1. Select Manage System > Restore Configuration.
The Restore Configuration page appears.

2. In the bottom section, select the radio button adjacent to the configuration you want to restore.

3. Click Restore.
The selected configuration is restored and the System Status page appears.


To add comments to a saved configuration:

1. Select Manage System > Restore Configuration.
The Restore Configuration page appears.

2. In the bottom section, select the radio button for the configuration you want to change.

3. Click Modify Comments.
The Add/Modify User Comments page appears.

4. In the Comment field, type your comments.

5. Click Save.
The comment appears in the Comments column for the configuration you selected.

To delete a saved configuration:

1. Select Manage System > Restore Configuration.
The Restore Configuration page appears.

2. In the bottom section, select the radio button for the configuration you want to delete.

3. Click Delete.
The selected configuration is deleted.

Manage saved configuration settings

You can set the maximum number of configurations you want to save. When you reach that limit, the next time you save a configuration, the system deletes the oldest saved configuration and saves the new one. You can also set the number of configurations you want to see on a page.

1. Select Manage System > Restore Configuration.
The Restore Configuration page appears.

2. Click Manage Settings.
The Manage Published Configurations page appears.

3. In the Maximum Saved field, set the maximum number of published configurations you want to keep.

4. In the Configurations per Page field, set the number of configuration files you want to appear on each page.

5. Click Save.


Import or export the configurationYou can export the configuration data from your WatchGuard SSL device to a file, and you can import configuration data from a saved configuration file.

If you have a WatchGuard SSL v2.x device, you can also export the configuration from your WatchGuard SSL v2.x device. To export from a WatchGuard SSL v2.x system, you must connect to the v3.x Web UI from the computer that runs the v 2.x Administration Service.

You can import a saved v3.x or v2.x configuration file to your WatchGuard SSL v3.x device.

To export a configuration:

1. Select Manage System > Import/Export Configuration.

The Configuration Import/Export page appears.

2. Click Export 3.x Configuration or Export 2.x Configuration.

The Download Exported Configuration File page appears.

3. Click the Download link.

The configuration files are exported to a zip file.

4. Select Save File.

5. Click OK.

6. Select a location to save the file where you can get access to import it later.

7. Click Save.


To import a configuration:

1. Select Manage System > Import/Export Configuration.

The Configuration Import/Export page appears.

2. In the Import Configuration section, click Browse to select a configuration file to import.

3. Click Import Configuration.

The configuration is imported and your WatchGuard SSL device reboots. This can take several minutes.

4. After the device reboots, log in to the WatchGuard SSL Web UI again.


6 Access Client

About the Access Client

The WatchGuard SSL Access Client enables you to securely connect to tunnel resources in the WatchGuard SSL Application Portal. There are two versions of the Access Client:

On-demand Access Client

When you authenticate to the Application Portal and select a resource other than a Web resource, the on-demand Access Client launches to load the tunnel. When your session ends, the on-demand Access Client closes. The client software is not installed on your computer.

Installed Access Client

You can also select to install the Access Client on your client computer. The installed Access Client is available when you are not authenticated to the Application Portal. You can configure the installed Access Client to automatically start when Windows starts and to automatically connect to resources.

For information about how to install the Access Client, see ”Install the Access Client” on page 234.

For information about how to configure the Access Client, see ”About the Access Client menu” on page 228.

Launch the Access Client

When you log on to the WatchGuard SSL Application Portal, you can click on resources to start them. Some resources require that your computer run the Access Client. The Access Client is a Windows client that sets up the SSL VPN tunnel between your computer and the network resources. The Access Client is not required for access to online applications.

Launch the Access Client on demand

When you click a resource in the WatchGuard SSL Application Portal that requires the Access Client, the Application Portal automatically downloads and launches the Access Client.


Launch the installed Access Client

If you have installed the Access Client software on your computer, you can also start the client from the Windows Start menu.

For instructions to install the Access Client, see ”Install the Access Client” on page 234.

To launch the installed Access Client on a computer with Windows XP:

Select Start > All Programs > WatchGuard SSL > Access Client > WatchGuard Access Client.

The Access Client launches and appears in the Windows system tray.

About the Access Client menu

When the Access Client starts, the Access Client icon appears in the Windows system tray.

To configure your Access Client, click the Access Client icon. The Access Client menu appears, with these options:

Preferences

Set preferences for the Access Client.

For more information, see ”Edit Access Client preferences” on page 229.

Favorites

Add and manage favorite Application Portal resources. After you add favorite resources, you can select a resource from the favorites menu to start the resource.

For more information, see ”Manage Access Client favorites” on page 231.

Status

See the status of your SSL connection.

For more information, see ”Check Access Client status” on page 233.

About

See Access Client version and copyright information.

Close tunnels

This feature is not implemented in this release.

For information about how to close tunnels, see ”End your SSL VPN session” on page 233.

Exit

Close the Access Client. The connections to all tunnel resources are also closed.

If you have a complicated network setup, or use some third-party software (for example, certain versions of OpenVPN client), you could see a "Cannot Acquire IP" error message when the Access Client initializes. You can safely ignore this error message. This does not affect your ability to use network resources through the secure VPN tunnel.


Edit Access Client preferences

You can configure some settings for the Access Client to customize the way the client operates on your computer.

Configure general preferences

1. Launch the Access Client.

2. Click the Access Client icon in the Windows system tray and select Preferences.

The Access Client Preferences dialog box appears.

3. Click the General tab.

4. Select the Launch Access Client on startup check box if you want the Access Client to launch automatically when Windows starts up.

When you select this check box, the Access Client is added to the Windows Startup folder.

5. Select the Register essp:// protocol handler check box if you want the ability to create shortcuts or launch commands that connect directly to a resource.

For more information, see ”Use ESSP to link directly to a resource” on page 236.

6. Clear the Enable automatic update check box if you do not want the client to automatically check for available client updates. We recommend you do not clear this check box.

7. If the Update server field includes an address, we recommend you do not change this setting. This is the URL of the WatchGuard SSL device that hosts the client updates. This is usually set automatically the first time the Access Client connects to a resource.

If the Update server field is blank, type the address of the WatchGuard SSL Application Portal. Do not include https://.

8. Click Update Now to check for an updated client.

9. Click OK.


Edit Trusted Commands

If your network administrator has set up commands that run automatically when you start a resource, the Access Client prompts you before it runs each command.

To disable the pop-up notification for a command:

Select the Always trust this command check box in the notification dialog box.

The Trusted Commands tab in the Access Client Preferences dialog box shows the list of commands you have selected to trust. To see and delete this list of trusted commands:

1. Launch the Access Client.

2. Click the Access Client icon in the Windows system tray and select Preferences.

3. Click the Trusted Commands tab.

The list of trusted commands appears.

4. To remove a command from the trusted list, select the command and click Delete. The command is removed from the list. The next time you connect to a resource that uses the command you removed, the Access Client prompts you before it runs the command.

5. Click OK.

Edit Trusted Access Points

When you use the Access Client to connect to a resource, and a resource host on the intranet tries to connect to your computer, an Access Client Connection Alert appears. You can then choose whether to trust connections from this Access Point, or deny them. Access Point is another name for your WatchGuard SSL device.

To add a device to the Trusted Access Points list:

1. In the Access Client Connection Alert dialog box, select the Always trust connections from this Access Point check box.

2. Click OK.

The device is added to the Trusted Access Points tab in the Access Client Preferences dialog box.

After the device is added to the Trusted Access Points list, connection alerts do not appear again for computers behind that WatchGuard SSL device. You only see connection alerts if your connection is assigned a virtual IP address, which is required for a resource host to start a connection to your computer.

You can use the Access Client Preferences dialog box to see and delete devices in the Trusted Access Points list.

To see and delete trusted devices:

1. Launch the Access Client.

2. Click the Access Client icon in the Windows system tray and select Preferences.

3. Click the Trusted Access Points tab.

The Trusted Access Points list appears.

4. To remove a device from the list, select the IP address of the device, and click Delete.

5. Click OK.


Manage Access Client favorites

You can add network resources to the Access Client Favorites list. When you add a favorite, you can start that resource from the Access Client menu in the Windows system tray. You can also configure favorite resources to automatically start when you launch the Access Client.

Add a favorite resource

To add a favorite, you start the resource from the WatchGuard Application Portal and then add it as a favorite.

1. Authenticate to the WatchGuard SSL Application Portal.

2. Click a tunnel resource.

3. Click the Access Client icon in the Windows system tray and select Favorite > Add.

4. Select the name for the resource you want to add as a favorite. The name can be different from the name you see for this resource in the Application Portal.

The Edit Favorite dialog box appears.

5. To change the name that appears in the Access Client Favorites menu for this favorite, type a new Display Name.

6. The Server and Configuration fields are automatically configured. Do not change these settings.

7. If you want the Access Client to start this resource each time you start the Access Client, select the Load on startup check box.

8. Click OK.

The favorite is added to the Access Client Favorites list.

You can only add a favorite resource for a tunnel resource. Web resources do not use the Access Client.


See and edit Access Client favorites

1. Launch the Access Client.

2. Click the Access Client icon in the Windows system tray and select Favorites > Manage.

The Access Client Favorites list appears.

3. To edit an existing favorite, click the item in the list and click Edit.

The Edit Favorite dialog box appears.

For more information, see the subsequent Steps 6–8 and the previous Add a favorite resource section.

4. To remove an existing favorite, click the item in the list and click Delete.

5. To add a new favorite, click New.

The Add Favorite dialog box appears. All the fields are blank.

6. In the Display name field, type the name for this favorite as you want it to appear in the Access Client favorites list.

7. In the Server field, type the URL of the WatchGuard SSL Application Portal.

8. In the Configuration field, type the configuration tag that identifies this tunnel resource in the portal.

To find the configuration tag for a tunnel resource:

Authenticate to the WatchGuard SSL Application Portal.

Right-click the resource you want to make a favorite.

Select Copy link location (Firefox) or Copy shortcut (Internet Explorer).

Paste the link into the Configuration field of the Add Favorite dialog box.

For example, javascript:openMessageWindow('/wa/webclient/26gp52085p1c'); The number near the end is the tunnel tag that identifies this resource.

Edit the link to remove all characters except the number. For example, 26gp52085p1c.

9. If you want the Access Client to start this resource each time you start the Access Client, select the Load on startup check box.

10. Click OK.

The favorite is added to the Access Client Favorites list.


Start a favorite resource

If you selected the Load on startup check box when you added the favorite, the resource automatically loads when you start the client.

If you did not select the Load on startup check box:

1. Click the Access Client icon in the Windows system tray.

2. Select Favorites and click the name of the resource you want to load.

Check Access Client status

You can check the status of the Access Client from the Access Client menu. The Access Client Status dialog shows the number of active connections, the acquired IP address (if any), the amount of data transferred, and the throughput.

To see the status of the Access Client:

1. Click the Access Client icon in the Windows system tray.

The Access Client menu appears.

2. Select Status.

The Access Client Status dialog box appears.

End your SSL VPN session

As a good security practice, we recommend that you close your SSL VPN session when you are finished with the network resources. There are several ways to do this. The method you choose depends on how you started the connection to the network resources.

If you connected to a resource from the Application Portal, there are two methods to close the connection:

In the Application Portal, click Log out. Your connections to resources are closed, and the client automatically exits.

Close the web browser that is connected to the Application Portal. You are logged out of the Application Portal, your resource connections are closed, and the client exits.

If you used an ESSP link or command to start the connection to a resource, you must exit the Access Client to close the connections to all resources.

Click the Access Client icon in the Windows system tray and select Exit. All resource connections are closed.

For information about how to use ESSP with the installed Access Client, see ”Use ESSP to link directly to a resource” on page 236.


Install the Access Client

You can use this procedure to install the Access Client on your Windows computer.

Before you begin

Get the Access Client installer (AccessClientInstall.exe) from your network administrator.

Connect to the WatchGuard SSL Application Portal and select a resource with the on-demand version of the Access Client before you install the Access Client. This automatically captures some of the configuration information for the installation.

Run the installer

1. Run AccessClientInstall.exe.

A security warning appears. You can safely ignore this warning.

2. Click Run to continue the installation.

3. On the License Agreement page, review and accept the License Agreement.

4. On the Select Destination Location page, select a location to install the Access Client.

The default location is C:\Program Files\WatchGuard\SSL\Access Client.

5. On the last page of the installation wizard, click Finish.

The Access Client is now available in the Windows Start menu.

Launch the installed Access Client

Select Start > All Programs > WatchGuard SSL > Access Client > WatchGuard Access Client.

After you install

After you install, verify that the server address is correct in the Access Client Preferences dialog box. If you did not connect to a tunnel resource in the Application Portal at least once before you installed the Access Client, you have to manually add the address of your Application Portal.

1. Click the Access Client icon in the Windows system tray and select Preferences.

The Access Client Preferences dialog box appears.


2. If the Update server field includes an address, we recommend you do not change this setting. This is the URL of the WatchGuard SSL device that hosts the client updates. This is usually set automatically the first time the Access Client connects to a resource.

If the Update server field is blank, type the address of the WatchGuard SSL Application Portal. Do not include https://.

3. Click OK.

Connect to the Application Portal

To start a resource, authenticate to the Application Portal with a web browser and click on a resource. If you want the Access Client to automatically connect to certain resources, you can configure favorites in the Access Client, as described in ”Manage Access Client favorites” on page 231.

Uninstall the Access Client

Before you uninstall the Access Client, we recommend that you delete any favorite resources. When you uninstall the Access Client, the favorites you have configured are not automatically removed.

To delete your resource favorites:

1. Click the Access Client icon in the Windows system tray.

2. Select Favorites > Manage.

3. Click each favorite to select it and click Delete.

To uninstall the Access Client:

1. Open the Windows Control Panel.

2. Select Add or Remove Programs.

3. Click the WatchGuard Access Client program.

4. Click Remove.

If you do not remove the favorites before you uninstall, the old favorites are still available in the Access Client favorites list when you reinstall the Access Client, or if you use the on-demand Access Client.


Use ESSP to link directly to a resource

ESSP (Extended Security Session Protocol) is the protocol used for communication between the Access Client and the WatchGuard SSL device. You can use the ESSP protocol to connect directly to a Tunnel Resource without going to the Application Portal. A Tunnel Resource is any resource that does not use a web browser. For example, when you connect to a network drive, you use a Tunnel Resource.

When you use ESSP to launch a tunnel resource, you are prompted to authenticate before you can connect to the resource.

Register the ESSP protocol handler

ESSP is the protocol used to build an SSL VPN tunnel to a Tunnel Resource. If you install the Access Client, you can configure the Access Client preferences to register the ESSP protocol handler.

1. Launch the Access Client.

2. Click the Access Client icon in the Windows system tray and select Preferences.

The Access Client Preferences dialog box appears.

3. On the General tab, select the Register essp:// protocol handler check box.

4. Click OK.

Use ESSP to connect to a resource

After you register the ESSP protocol handler, you can use a web browser or the Windows Start menu to launch the Access Client and automatically connect to a resource.

To use ESSP to start a resource in a browser, type or select a URI that looks like this:

essp://<address of Application Portal>/<resource configuration tag>

To directly start a resource from the Windows Start menu, select Start > Run. In the Run dialog, type:

essp://<address of Application Portal>/<resource configuration tag>

You must install the Access Client on your Windows computer to use this feature. This feature is not available when you use the on-demand Access Client.


Example

This example shows how to find the resource configuration tag for a resource, and how to construct the ESSP command.

For this example, the URI for the Application Portal is:

sslvpn.example.com

To find the resource configuration tag for a tunnel resource:

1. Authenticate to the Application Portal.

The Application Portal page appears.

2. Right-click a tunnel resource.

3. Select Copy link location (Firefox) or Copy shortcut (Internet Explorer).

4. Paste the link into a text editor, such as Notepad.

For example: javascript:openMessageWindow('/wa/webclient/26gp52085p1c'); The number near the end is the resource configuration tag. For this example resource the configuration tag is:

26gp52085p1c

To start the example resource in a web browser, type this in the browser address bar:

essp://sslvpn.example.com/26gp52085p1c

To start this resource from the Windows Start menu, select Start > Run, then type:

essp://sslvpn.example.com/26gp52085p1c
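The tag extraction and essp:// URI construction above (and the same steps in the favorites section) can be automated. This Python script is an added example, not code from the guide or from WatchGuard; it assumes tags are alphanumeric like the one shown, rejects copied links that carry no /wa/webclient/<tag> path (for example a Web resource link), and normalizes a portal address that was pasted with https:// or a path, which the Update server field and essp:// URIs must not include. The sample link and portal address are constructed from the guide's example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the link the guide shows when you copy a tunnel
# resource's shortcut from the Application Portal, and the example portal.
SAMPLE_LINK = "javascript:openMessageWindow('/wa/webclient/26gp52085p1c');"
SAMPLE_PORTAL = "sslvpn.example.com"

# The configuration tag is the path element after /wa/webclient/.
# Assumption: tags are alphanumeric, as in the guide's example (26gp52085p1c).
_TAG_PATH_RE = re.compile(r"/wa/webclient/([A-Za-z0-9]+)")
_TAG_RE = re.compile(r"[A-Za-z0-9]+")
_HOST_RE = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")


def extract_configuration_tag(link: str) -> str:
    """Return the resource configuration tag from a copied portal link.

    Raises ValueError if the link has no /wa/webclient/<tag> path, so a link
    copied from a Web resource (which has no tunnel tag) is rejected instead
    of silently producing a bogus essp:// URI.
    """
    match = _TAG_PATH_RE.search(link)
    if match is None:
        raise ValueError(f"no /wa/webclient/<tag> path found in link: {link!r}")
    return match.group(1)


def normalize_portal_address(address: str) -> str:
    """Reduce a portal address to the bare host (and optional port).

    The Update server field and essp:// URIs take the address without
    https:// or a path; this strips both and rejects anything that is not a
    plausible host, so a full URL pasted by mistake still yields the right value.
    """
    text = address.strip()
    if "://" in text:
        parts = urlsplit(text)
        # The Application Portal is served over HTTPS; refuse other schemes
        # rather than turning an unexpected URL into an essp:// target.
        if parts.scheme.lower() != "https":
            raise ValueError(f"unexpected scheme in portal address: {address!r}")
        host = parts.netloc
    else:
        host = text.split("/", 1)[0]
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"invalid portal address: {address!r}")
    return host.lower()


def build_essp_uri(portal_address: str, link_or_tag: str) -> str:
    """Build essp://<portal>/<tag> from a portal address and a copied link or bare tag."""
    host = normalize_portal_address(portal_address)
    if _TAG_RE.fullmatch(link_or_tag):
        tag = link_or_tag
    else:
        tag = extract_configuration_tag(link_or_tag)
    return f"essp://{host}/{tag}"


if __name__ == "__main__":
    print(build_essp_uri(SAMPLE_PORTAL, SAMPLE_LINK))
    # essp://sslvpn.example.com/26gp52085p1c
```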
