xcsv setup guide - watchguard.com · setup guide 1 watchguard xcsv ... for a vmware or microsoft...

WatchGuard XCSv

Setup Guide

All XCSv Editions

Copyright and Patent InformationCopyright© 2010–2015 WatchGuard Technologies, Inc. All rights reserved.

WatchGuard, the WatchGuard logo, LiveSecurity, and any other mark listed as a trademark in the “Terms of Use” portion of the WatchGuard Web site that is used herein are either registered trademarks or trademarks of WatchGuard Technologies, Inc. and/or its subsidiaries in the United States and/or other countries. All other trademarks are the property of their respective owners.

Printed in the United States of America.

Revised: October 14, 2015

Notice to UsersInformation in this guide is subject to change without notice. Updates to this guide are posted at:

http://www.watchguard.com/wgrd-help/documentation/overview

Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Complete copyright, trademark, patent, and licensing information can be found in the WatchGuard product documentation. You can find this document online at: http://www.watchguard.com/help/documentation/

ii WatchGuard XCSv

ADDRESS505 Fifth Avenue SouthSuite 500Seattle, WA 98104

SUPPORTwww.watchguard.com/supportU.S. and Canada +877.232.3531All Other Countries +1.206.521.3575

SALESU.S. and Canada +1.800.734.9905All Other Countries +1.206.613.0895

ABOUT WATCHGUARDWatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.

For more information, please call 206.613.6600 or visit www.watchguard.com.

http://www.watchguard.com/help/documentation/

http://www.watchguard.com/help/documentation/

http://www.watchguard.com


WatchGuard XCSv Setup

The WatchGuard® XCS is an easy-to-use, all-inclusive email and web appliance that provides security and privacy of inbound and outbound traffic. The WatchGuard XCS provides content security that enables data loss prevention, encryption, and content filtering with integrated threat prevention for viruses, spam, spyware, phishing, and malware attacks, all in a secured appliance.

WatchGuard XCSv is a new email and web security solution that provides all the security features of our WatchGuard XCS technology optimized for a VMware or Microsoft Hyper-V virtual machine environment. You can use the WatchGuard XCS Web UI to manage an XCSv device just as you manage any other WatchGuard XCS device.

This guide introduces the WatchGuard XCSv and provides detailed information on how to configure your virtual environment and install the XCSv software.

WatchGuard XCSv Documentation

You can use the online help manual for the majority of your documentation needs. To access the online help, from the Web UI, select Support > Online Manual.

You can view and download the most current documentation for the WatchGuard XCS on the WatchGuard Product Documentation page:


Setup Guide 1



WatchGuard XCSv Licensing

XCSv devices are licensed in several editions that provide different levels of scalability and performance:

Small Office Edition Medium Office Edition Large Office Edition Large Office XC Edition

When you activate your XCSv device, you receive a feature key that enables the WatchGuard XCS capabilities for the XCSv edition you have licensed. You can upgrade from one XCSv edition to another.

NoteTo activate your device in the Setup Wizard, you must have the device serial number (V2C9xxxxx-xxxx). You cannot use the serial number V2C900000-DC79, which is the default serial number for an new unactivated device.

For a full description of the features and capabilities of each XCSv edition, see the Products section of the WatchGuard web site at www.watchguard.com.

Get a Feature Key from WatchGuard

A feature key is a license that enables you to activate your purchased feature set on your WatchGuard XCSv. You must register the device serial number on the WatchGuard web site and retrieve your feature key before adding it to the WatchGuard XCSv.

To retrieve a feature key from the LiveSecurity web site:

1. Open a web browser and go to: https://www.watchguard.com/activate.2. If you have not already logged in, the Log In page appears.

You can create an account if this is your first time logging in.

3. Enter your user name and password.4. The Activate Products page appears.5. Enter the serial number for the product, including the hyphens. For example, V2C9xxxxx-xxxx.6. Click Continue.7. Follow the prompts to activate your device.8. Copy the feature key to a text file and save it on your computer.9. Click Finish.

2 WatchGuard XCSv



https://www.watchguard.com/activate


Installation Prerequisites

These sections describe the installation prerequisites for XCSv on VMware and Microsoft Hyper-V.

VMware

You must install the XCSv virtual device in a VMware environment that meets these requirements.

VMware To install an XCSv virtual device, you must have a VMware vSphere Hypervisor/ESXi v4.1 Update 2 (or

later version) host installed on any supported server hardware.

NoteMake sure your VMware vSphere/ESXi software is updated to the latest patch level.

You must also install the VMware vSphere Client on a supported Windows computer to manage the virtual machines on your VMware host.

VMware Tools is installed by default with the XCSv virtual device. VMware Tools is a suite of utilities that enhances and improves the performance and management of the virtual machine, and includes the ability to cleanly power off or reset the guest operating system software from the host system.

Hardware The hardware requirements for XCSv are the same as the hardware requirements for VMware vSphere

Hypervisor/ESXi. For information about VMware hardware compatibility, see the VMware Compatibility Guide at: http://www.vmware.com/resources/compatibility/search.php

WatchGuard XCSv requires that your host hardware supports Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) and has these options enabled in the host system BIOS. For more information about Intel VT compatibility, see the Intel Virtualization Technology List at:

http://ark.intel.com/VTList.aspx AMD-V is supported in all K8 AMD (Athlon 64) processors from revision F, and all newer processors

support AMD-V technology.

Features Not Supported

These features are not supported for use with WatchGuard XCSv on VMware:

Network storage disks for the virtual host are not supported. XCSv does not support vMotion for virtual device migration between VMware hosts. XCSv console options: Serial console — This feature is redundant with the physical host system serial console. UPS configuration — UPS communications must be configured on the physical host system.

Setup Guide 3

http://www.vmware.com/resources/compatibility/search.php

http://ark.intel.com/VTList.aspx


Microsoft Hyper-V

You must install the XCSv virtual device in a Hyper-V environment that meets these requirements.

Hyper-V Hyper-V role on Windows Server 2008 R2 or Windows Server 2012, or stand-alone version of Hyper-V

Server 2008 R2 or Hyper-V Server 2012. Make sure your Windows Server or Hyper-V Server software is updated to the latest patch level. You can use the Hyper-V Manager on Windows Server 2012 to deploy, configure , and provision the

XCSv virtual machine in the Hyper-V environment. You can also use System Center Virtual Machine Manager (VMM) interface, or a Hyper-V role on a client computer instead of Hyper-V Manager.

Hardware The hardware requirements for XCSv are the same as the hardware requirements for Hyper-V on

Windows Server 2008 R2 or Windows Server 2012.

Network You can configure a maximum of 8 interfaces.

Features Not Supported

These features are not supported for use with WatchGuard XCSv on Hyper-V:

XCSv does not support the dynamic memory setting on Hyper-V. The Data Exchange and Volume Backup features are not supported. Time synchronization is not supported. We recommend you use an NTP server in the XCSv network

configuration. XCSv console options: Serial console — This feature is redundant with the physical host system serial console. UPS configuration — UPS communications must be configured on the physical host system.

4 WatchGuard XCSv


Recommended Resource Allocation

WatchGuard XCSv performance is heavily dependent on CPU, memory, and disk resources. Resources are shared between all virtual machines on a virtual host, and you must make sure that enough resources are available to the XCSv virtual machine. To enable all functionality and provide optimal performance for your XCSv edition, you must allocate these resources to the XCSv virtual machine:

For information about how to add resources for a VMware virtual machine, see “VMware Virtual Machine Resource Allocation” on page 12.

For information on monitoring VMware resource usage, see “Resource Monitoring on VMware” on page 43.

For information about how to add resources for a Hyper-V virtual machine, see “Hyper-V Virtual Machine Resource Allocation” on page 20.

For information on monitoring Hyper-V resource usage, see “Resource Monitoring on Hyper-V” on page 45.

Small Office Edition

Medium Office Edition

Large Office Edition

Large Office XCEdition

Virtual CPUs 1 2 4 8

Memory 2 GB 2 GB 4 GB 8 GB

Network Adapters

2 3 4 4

OS Disk space (Fixed)

24 GB 24 GB 24 GB 24 GB

Data Disk Space

40 GB 80 GB 160 GB 256 GB

Setup Guide 5


Deployment

The WatchGuard XCSv is designed to be situated between internal email servers and clients, and external servers on the Internet so that there are no direct connections between external and internal systems.

The WatchGuard XCSv is typically installed in one of these locations:

On the DMZ (Demilitarized Zone) of a network firewall Behind the existing firewall on the internal network In parallel with a network firewall

Messaging traffic is redirected from either the external interface of the network firewall or from the external router to the WatchGuard XCSv. When the WatchGuard XCSv accepts and processes a message, the device initiates a connection to the internal mail servers to deliver the messages.

WatchGuard XCSv deployed on the DMZ of the network firewall

The secure architecture of the hardware appliance-based WatchGuard XCS eliminates the risk associated with deploying a physical appliance on the perimeter of a network. Because the WatchGuard XCSv is installed as a virtual machine on a host where the host operating system can be vulnerable to security issues, we recommend you install the virtual host and XCSv virtual machine on the DMZ of your network firewall or behind your network firewall for greater security.

See the WatchGuard XCS User Guide for detailed information on the advantages and disadvantages of each type of deployment.

Cluster Support

Clustering provides a scalable, redundant messaging security infrastructure that enables two or more XCSv devices to act as a single logical unit for processing messages for redundancy and high availability benefits. You can use multiple instances of XCSv in a cluster.

To provide proper hardware redundancy, we recommend you run clustered XCSv devices on separate virtual host systems. If you run multiple XCSv devices on the same virtual host hardware, you can provide software redundancy in the event a specific XCSv device is unavailable, but this does not provide redundancy if the virtual host hardware or software fails.

For more information on configuring XCSv clustering with a virtual host, see “Cluster Configuration” on page 36.

6 WatchGuard XCSv


VMware Installation

Before You Begin

To prepare for your installation, make sure you have these items:

VMware vSphere Hypervisor/ESXi 4.1 Update 2 (or later version) host installed on a supported server platform.

VMware vSphere 4.1 (or later version) client installed on a Windows computer WatchGuard XCSv device serial number

You receive the serial number when you purchase the XCSv virtual device.

Your WatchGuard XCSv feature keyYou receive the feature key when you activate your device on the LiveSecurity web site.

WatchGuard XCSv OVF templateThe file name is xcsv-<version>.ova, where <version> is the XCS version.

Download the XCSv OVF template file from http://software.watchguard.com.

Installation Overview

To complete initial installation you must perform these procedures described in the subsequent sections:

1. In the VMware vSphere client, deploy the XCSv OVF template file to the VMware host.2. Perform any resource allocation (CPU, memory, disk, network) modifications on the VMware host

based on your XCSv edition.3. Power on the XCSv virtual device. 4. Connect to the XCSv device to run the Setup Wizard.

Network Considerations

When you deploy the XCSv OVF template to the VMware virtual device, it is initially configured for the Medium Office Edition with three active interfaces. You must map each of these interfaces to a physical destination network on your VMware host. After you configure the XCSv device, you can enable and configure additional XCSv device interfaces or remove interfaces if you need fewer interfaces. The maximum number of interfaces you can enable in VMware is 10. For information about how to add resources to the device, see “VMware Virtual Machine Resource Allocation” on page 12.

Time Synchronization Considerations

The WatchGuard XCSv OVF template automatically installs the VMware Tools utility software. VMware Tools is a suite of utilities for managing your virtual device, and includes a time synchronization service that synchronizes with the host system time. This service is disabled by default.

We recommend that you use the WatchGuard XCSv NTP settings to configure an NTP server, and keep the VMware Tools time synchronization service disabled. These services must not be enabled and running at the same time.

NoteThe WatchGuard XCSv NTP settings must be configured if you are setting up an XCSv cluster.

Setup Guide 7

http://software.watchguard.com


Installation

Perform the following steps to install WatchGuard XCSv on a VMware host

Install the VMware vSphere Client

To install the vSphere client:

1. Launch a web browser on your computer and type the IP address or host name of the VMware host server as the URL in the location bar.

2. To download and install the vSphere Client, click Download vSphere Client.

Connect to the VMware Host

To connect to the VMware host:

1. Launch the VMware vSphere Client.

2. Type the IP address, User name, and Password for the VMware host, then click Login.

8 WatchGuard XCSv


Deploy the XCSv OVF File

To create the XCSv virtual device, you must deploy the XCSv OVF template in the vSphere client.

1. Launch the vSphere client and log in to the VMware host with administrator credentials.2. In the vSphere client, select File > Deploy OVF Template.

3. Browse to the location where you saved the WatchGuard XCSv OVF template file, xcsv-<version>.ova. Click Next.The XCSv OVF Template Details page appears.

4. Click Next.The End User License Agreement appears.

5. Review the End-User License Agreement. Click Accept. Click Next.The Name and Location page appears.

6. In the Name text box, type a name for this virtual device.

Setup Guide 9


7. Select a resource pool within which to deploy this template. Click Next.The Disk Format page appears.

8. Select the format to store the virtual disks. We recommend that you select Thick provisioned format to allocate all storage immediately.

9. Click Next.The Network Mapping page appears.

10 WatchGuard XCSv


10. In the Destination Networks column, select the networks to map to each network interface.

11. Click Next.The Ready to Complete page appears.

12. Review the settings. Click Back to change any settings, if necessary.13. Click Finish to deploy the template.

The virtual appliance is deployed. This can take a few minutes.

The deployed virtual device appears in the vSphere Inventory in the selected resource pool.

Setup Guide 11


VMware Virtual Machine Resource Allocation

The default WatchGuard XCSv OVF template installation is configured for a “Medium Office Edition” resource environment with two virtual CPUs, 2 GB memory, three network adapters, and 80 GB data disk space.

If your feature key is for a different edition, such as Small or Large edition, you must modify your VMware host resources for virtual processors, memory, and disk space to properly support your licensed software edition.

For information on recommended resource settings for each XCSv edition, see “Recommended Resource Allocation” on page 5.

Configure Virtual CPUs

By default, the XCSv virtual machine is allocated two virtual CPUs. For optimal performance, configure the virtual machine to use the recommended number of CPUs for your XCSv edition.

To configure CPU resources:

1. Launch the vSphere client and log in to the VMware host with administrator credentials.2. Make sure your XCSv virtual machine is powered off.3. In the vSphere inventory tree, right click the XCSv virtual machine.4. Select Edit Settings.5. In the Hardware list, select CPUs.6. From the Number of virtual sockets drop-down list, select the number of virtual processors

recommended for your XCSv edition.7. Click OK.

Configure Memory Resources

By default the XCSv virtual machine is allocated 2 GB of memory. For optimal performance, configure the virtual machine to use the recommended amount of memory for your XCSv edition.

To configure memory resources:

1. Launch the vSphere client and log in to the VMware host with administrator credentials.2. Make sure your XCSv virtual machine is powered off.3. In the vSphere inventory tree, right click the XCSv virtual machine.4. Select Edit Settings.5. In the Hardware list, select Memory.6. In the Memory Size text box, type or select the memory size recommended for your XCSv edition.7. Click OK.

Configure Hard Disk Resources

By default the XCSv virtual device is allocated two hard drives, a primary fixed OS system disk (Hard Disk 1, 24 GB), and a data disk for messages, logs, reports, and any other data (Hard Disk 2, 80 GB for default XCSv Medium Edition).

For optimal disk space allocation, configure the virtual machine to use the recommended amount of disk space for your specific XCSv edition and allow for any requirements for additional data disk space for logs and reports.

CautionDo not modify the Hard Disk 1. This disk is a fixed size and contains the OS for the XCSv.

12 WatchGuard XCSv


To increase the size of the Hard Disk 2 data disk for other XCSv editions (160 GB Large and 256 GB Large XC):

1. Launch the vSphere client and log in to the VMware host with administrator credentials.2. Make sure your XCSv virtual machine is powered off.3. In the vSphere inventory tree, right click the XCSv virtual machine.4. Select Edit Settings.5. In the Hardware list, select Hard disk 2.6. In the Disk Provisioning section, modify the Provisioned Size setting to the required value (160 GB

Large or 256 GB Large XC).7. Click OK.

To decrease the size of the Hard Disk 2 data disk for the XCSv Small Edition, you must remove Hard Disk 2 and add a new hard disk with a recommended size of 40 GB.

1. Launch the vSphere client and log in to the VMware host with administrator credentials.2. Make sure your XCSv virtual machine is powered off.3. In the vSphere inventory tree, right click the XCSv virtual machine.4. Select Edit Settings.5. In the Hardware list, select Hard disk 2.6. Click Remove.7. Select Remove from virtual machine and delete files from disk.8. Click OK.9. Right click the virtual machine, select Edit Settings.10. Click Add.11. Select Hard Disk and click Next.12. Select Create a new virtual disk and click Next.13. Set the Disk Size to 40 GB.14. In the Disk Provisioning section, select Thick Provisioned Lazy Zeroed.15. Select Store with the virtual machine and click Next.16. In the Advanced Options, leave the default settings and click Next.17. Click Finish.18. Click OK.

Add Network Adapters

When you deployed the XCSv OVF template, you selected networks to map to the XCSv device interfaces that are active by default. To enable other interfaces, you must add network adapters to the XCSv device.

To add a network adapter:

1. Launch the vSphere client and log in to the VMware host with administrator credentials.2. Make sure your XCSv virtual machine is powered off.3. In the vSphere inventory tree, right click the XCSv virtual machine.4. Select Edit Settings.5. In the Hardware tab, click Add.6. Select Ethernet Adapter as the type of device you want to add. Click Next. 7. From the Type drop-down list, select the type of virtual network adapter to use. The recommended

type, E1000, is selected by default.8. From the Network label drop-down list, select the name of the virtual network to add.9. Click Next.

Setup Guide 13


10. Review the selected options. Click Finish.

Repeat these steps for each network adapter you want to add.

When you power on the XCSv device the additional network adapter is connected.

Start your XCSv Virtual Device

1. In the vSphere Client Inventory tree, select the virtual device.2. Click the Summary tab.3. In the Commands section, select Power on.

The WatchGuard XCSv virtual device is powered on with factory default settings.

4. Click the Console tab to view the installation process.

NoteThe WatchGuard XCSv performs an automatic installation. Do not interrupt the installation process.

14 WatchGuard XCSv


Microsoft Hyper-V Installation

Before You Begin

To prepare for your installation, make sure you have these items:

Hyper-V role on Windows Server 2008 R2 or Windows Server 2012, or stand-alone version of Hyper-V Server 2008 R2 or Hyper-V Server 2012.

WatchGuard XCSv device serial numberYou receive the serial number when you purchase the XCSv virtual device.

Your WatchGuard XCSv feature keyYou receive the feature key when you activate your device on the LiveSecurity web site.

WatchGuard XCSv Hyper-V packageThe file name is XCSv-<version>-HyperV.zip where <version> is the XCS version. The file contains a EULA, a README file, and two virtual hard disk (.vhd) files, xcs-1.vhd (system) and xcs-2.vhd (data).

Download the XCSv Hyper-V package from http://software.watchguard.com.

Installation Overview

To complete initial installation you must perform these procedures described in the subsequent sections:

1. In Hyper-V, create your virtual machine for the XCSv software.2. Perform any resource allocation (Processors, memory, disk, network) modifications on the Hyper-V

host based on your XCSv edition.3. Power on the XCSv virtual machine. 4. Connect to the XCSv virtual machine to run the Setup Wizard.

Network Considerations

When you deploy the XCSv software to the Hyper-V virtual device, it is initially configured with a single network interface. You must add a network adapter for each XCSv network interface you require.

You must map each of these interfaces to a physical destination network on your Hyper-V virtual host. After you configure the XCSv device, you can enable and configure additional XCSv device interfaces or remove interfaces if you need fewer interfaces. The maximum number of interfaces you can enable in Hyper-V is 8.

Time Synchronization Considerations

The use of the Hyper-V Time synchronization feature is not supported. We recommend you use an NTP server in the XCSv network configuration. WatchGuard XCSv NTP settings must be configured if you are setting up an XCSv cluster.

Setup Guide 15

http://software.watchguard.com


Installation

Perform the following steps to install WatchGuard XCSv on a Hyper-V host.

Create the XCSv Virtual Machine

To create the XCSv virtual machine on the Hyper-V host:

1. Extract the contents of the Hyper-V zip file to a suitable location on your Hyper-V host where your virtual hard disks are stored.

2. In Hyper-V Manager, select Action > New > Virtual Machine.3. Type a Name for your virtual machine and specify a Location.

You can use the default location, or select a new location for the virtual machine on your Hyper-V host.

16 WatchGuard XCSv


4. Specify the amount of Startup memory to assign to the virtual machine.This value must be a minimum of 2GB (2000 MB) and depends on which XCSv edition you want to install and your available resources. (Small - 2GB, Medium - 2GB, Large - 4GB, Large XC - 8GB).

CautionDo not enable the Use Dynamic Memory for this virtual machine option. This option is not supported for XCSv.

Setup Guide 17


5. From the Connection drop-down list, select “Not Connected”.Later in the installation you will configure virtual network adapters and map them to the network interfaces on your Hyper-V host.

6. Select the Use an existing virtual hard disk option.Click Browse, then select the location of the xcs-1.vhd file.

18 WatchGuard XCSv


7. Click Finish to complete the wizard.

Setup Guide 19


Hyper-V Virtual Machine Resource Allocation

You must now edit the settings of your XCSv virtual machine to configure the resources based on your XCSv edition.

1. In Hyper-V Manager, select your virtual machine, then select Settings.2. Select Processor, and configure the number of processors based on your XCSv edition.

(Small - 1, Medium - 2, Large - 4, Large XC - 8).

3. Select the IDE Controller 0 where the xcs-1.vhd hard drive is located.

20 WatchGuard XCSv


4. Select Hard Drive then click Add.

Setup Guide 21


5. If you want to use the default 80GB size as a data drive for XCSv Medium edition, select Virtual Hard Disk, click Browse, then select the location of the xcs-2.vhd file.You can also define a new drive with the proper size for your specific XCSv edition (Small - 40GB, Medium - 80GB, Large - 160GB, Large XC - 256GB).

CautionDo not adjust or delete the xcs-1.vhd hard drive as this is the system disk.

22 WatchGuard XCSv


6. Select the default Network Adapter and edit the settings.Connect the adapter to the required network on your virtual host.

7. Click Add Hardware.

Setup Guide 23


8. Add additional Network Adaptors connected to the required networks on your virtual host.

9. Click OK to apply the settings to the virtual machine.10. Power on the XCSv virtual machine.

For instructions on how to install XCSv, see “Install WatchGuard XCSv” on page 25.

24 WatchGuard XCSv


Install WatchGuard XCSv

Default Network Settings

The default network settings for the WatchGuard XCSv after installation are:

IP address: 10.0.0.1 Netmask: 255.255.255.0 Gateway: 10.0.0.2

If you want to connect to the XCSv device with the default IP address, go to “Connect to the Setup Wizard” on page 27.

You can change the default IP address of the XCSv and assign the IP addresses of your additional network interfaces before you connect to the Setup Wizard. This allows you to assign IP addresses to the XCSv based on the networks already available on your virtual host system.

NoteThe Setup Wizard will skip the first three steps (Introduction, Regional Settings, and Network Configuration) if you modify the default network settings and IP address from the XCSv console.

To modify the default IP address of your XCSv before running the Setup Wizard:

1. In the vSphere Client Inventory tree, select the XCSv virtual device.2. Click the Console tab.3. Press Enter to display the login screen.

4. Type the default Username and Password.When you access the system for the first time after installation, the default settings are admin for the username, and admin for the password.

Setup Guide 25


5. On the XCSv console menu, select Admin > Configure Interfaces.

You can configure these options:

Hostname — Type the hostname for the device.For example, if your fully qualified domain name is hostname.example.com, type hostname.

Domain — Type your domain.For this example, type example.com.

Gateway — Type the gateway (typically the router) for your network.For this example, type 10.0.0.2.

DNS Server — Type the IP address of your primary and secondary DNS Name Servers.For this example, type 10.0.2.53.

NTP Server — Type the IP address or hostname of your primary and secondary NTP servers.For this example, type 10.0.2.123.

6. Select OK.7. For each network interface, you can configure these options:

IP Address — Type IP address for this interface.For this example, type 10.0.0.1.

Subnet Mask — Type the netmask.For this example, type 255.255.255.0.

Admin Login — Allow administrative access on this interface. You must set this option to ON for the interface you will use to access the Setup Wizard.

8. Select OK.9. Select Yes to reboot the system.10. Select Yes to confirm.

26 WatchGuard XCSv


Connect to the Setup Wizard

Wait at least five minutes for the system to initialize before you try to connect to the WatchGuard XCSv with a web browser. Ping is enabled on the configured network interface. You can ping the IP address of the XCSv to check connectivity before you connect with a web browser.

NoteWe recommend that you clear your web browser cache before you start the Setup Wizard.

1. Launch a web browser on your computer and type the IP address of the WatchGuard XCSv as the URL in the location bar. For example, http://10.0.0.1The login page appears.

NoteA security certificate notification appears in the browser because the system uses a self-signed certificate. It is safe to ignore the warning (Internet Explorer) or to add a certificate exception (Mozilla Firefox).

2. Type the default Username and Password.When you access the system for the first time after installation, the default settings are admin for the username, and admin for the password.

Setup Guide 27


3. The Setup Wizard introduction page appears. Click Continue to start the installation.Make sure you register your device serial number with the WatchGuard® LiveSecurity® web site and receive a feature key before you proceed with the installation process.

4. In the Regional Settings page, configure these options: Time Settings — Type the current Time and Date. For the time, use 24-hour format hh:mm:ss.

For the date, use this format, YYYY-MM-DD. Time Zone — Select the closest city to your location and time zone. Keyboard — Select the keyboard layout for your location.

5. Click Continue.

28 WatchGuard XCSv


6. On the Networks Settings page, configure the first network interface.

You can configure these options:

Hostname — Type the hostname for the device.For example, if your fully qualified domain name is hostname.example.com, type hostname.

Domain — Type your domain.For this example, type example.com.

Gateway — Type the gateway (typically the router) for your network.For this example, type 10.0.0.2.

Name Server — Type the IP address of your DNS Name Server.For this example, type 10.0.2.53.

Name Server 2 — Type the IP address of a secondary DNS name server.For this example, type 10.0.3.53.

NTP Server — Type the IP address or hostname of your NTP server.For this example, type 10.0.2.123.

IP Address — Type the IP address for this interface.For this example, type 10.0.0.1.

Netmask — Type the netmask.For this example, type 255.255.255.0.

External Proxy Server — If your network uses a proxy server to access the Internet, you must set this option to Enabled and enter your external proxy server configuration. The WatchGuard XCSv requires access to the Internet through the proxy server to retrieve licensing information and software updates. If you do not use an external proxy server, leave this option set to Disabled.

Setup Guide 29


Server Address — Type the IP address of your external proxy server. Server Port — Type the server port used by the external proxy server. The default is TCP port 80. User Name — If your proxy server requires authentication, type the user name to login to the

proxy server. Password — Type and confirm a password.

7. Click Continue.If you make any network changes, you must restart the device and reconnect to the WatchGuard XCSv with the new IP address you assigned to the network interface.

NoteMake sure your computer is configured to access the new IP address settings on the WatchGuard XCSv.

8. On the Customer Information page, type the Organization Name and Server Admin Email.Device alerts and notifications are sent to the Server Admin Email address.

9. Click Continue.10. On the Change Password page, type and confirm a new admin password.

We recommend that you choose a secure password of at least 8 characters in length and include a mixture of upper and lowercase letters, numbers, and special characters.

11. Click Continue.

30 WatchGuard XCSv


12. On the Product Serial page, type your XCSv serial number.

NoteThe serial number cannot be changed after it has been entered and saved. If you enter the wrong serial number or need to enter a different one, you must reinstall the XCSv from the OVF template file.

13. On the Feature Key page, select one of these options to add your feature key: Click Manual Update to manually add a feature key. You must paste your feature key into the text

box and click Apply. Click Download to automatically download and apply your feature key from the WatchGuard

LiveSecurity service. This option requires an Internet connection and an existing LiveSecurity account. Make sure you can access the Internet if the device is installed behind a network firewall or connects through an external proxy server.

Click Enter Feature Key Later to manually add the feature key after the installation. To enter the feature key manually, from the Web UI, select Administration > System > Feature Key.

If you encounter errors when you add your feature key, check the following:

For Automatic Update:

Make sure you have a valid LiveSecurity account and you have registered your device serial number

You must have an Internet connection to retrieve your feature key Make sure communications are not blocked by a network firewall

For Manual Update:

Make sure you cut and paste the entire feature key text The first line must be “Serial Number: V2C9xxxxx-xxxx” The last line is a long line starting with “Signature: “

Setup Guide 31


14. On the Mail Configuration page, enter your mail domain and server details, and the initial status of the WatchGuard XCSv security scanning features.

In the Email Domain text box, type the domain for which the WatchGuard XCSv processes messages. For example, example.com.

In the Internal Mail Server text box, type the IP address of the internal mail server that receives and sends mail through the WatchGuard XCSv.

The WatchGuard XCSv automatically configures a mail route for the domain and internal mail server you enter on this page. To configure additional domains for mail routing after the installation is complete, from the Web UI, select Configuration > Mail > Routing.

The WatchGuard XCSv also automatically configures a Specific Access Pattern to trust your internal mail server address to allow the mail server to relay mail outbound through the WatchGuard XCSv. Mail originating from the internal mail server is also trusted for Anti-Spam processing. To configure Specific Access Patterns after the installation is complete, from the Web UI, select Configuration > Mail > Access.

15. Click Continue.

32 WatchGuard XCSv


16. In the Security Settings section of the Mail Configuration page, you can enable or disable Intercept Anti-Spam, Anti-Virus, and the Attachment Control features.If you enable these features in the setup wizard, mail scanning is active when the installation is complete and mail processing is started.

This table describes the default Intercept settings when you enable Intercept Anti-Spam:

This table describes the default settings for the Intercept Anti-Spam features:

17. Click Continue.

Feature Default Setting

Reject on ReputationAuthority Reputation Enabled(Threshold: 90)

Reject on infection (ReputationAuthority) Enabled

Reject connections from dial-ups (ReputationAuthority)

Reject on DNSBL

Threat Prevention Enabled

Reject on unknown sender domain Enabled

Reject on missing sender MX

Reject on non FQDN sender Enabled

Reject on unauth pipelining Enabled

Reject on missing addresses

Reject on missing reverse DNS

Intercept Option Default Setting

Certainly Spam Reject(Threshold: 99)

Probably Spam Modify Subject Header: [SPAM](Threshold: 90)

Maybe Spam Just Log(Threshold: 60)

Decision Strategy Heuristic 1

Spam Rules Enabled

Spam Words Enabled

Mail Anomalies Enabled

DNS/URL Block List Enabled

ReputationAuthority Enabled

Token Analysis Enabled

SPF Enabled

DKIM Disabled

DomainKeys Enabled

Backscatter Disabled

Setup Guide 33


18. If you have purchased the Web Scanning option, a Web Configuration page appears.

From the HTTP/HTTPS drop-down list, enable or disable HTTP/HTTPS scanning. In the Internal Mail Server text box, type the IP address of the internal mail server that receives

and sends mail through the WatchGuard XCS.

NoteThe Internal Mail Server field only appears if you did not configure a mail server in the previous step.

In the Security Settings section of the Web Configuration page, you can enable or disable URL Categorization, Reputation Enabled Defense, and the Anti-Virus features.

If you enable these features in the Installation Wizard, web scanning is active when the installation is complete and message processing is started.

If you enable URL Categorization, the feature will not be enabled until after the initial control list is downloaded.

19. Click Continue.20. From the Messaging System drop-down list, select Enabled to start message traffic processing after

the installation is complete.If you select Disabled, you can start message processing manually from Activity > Status > Status/Utility after the installation is complete.

21. Click Continue.

34 WatchGuard XCSv


22. Click Done to complete the installation.This process can take up to a minute to complete.

XCSv CPU Performance Settings

To make sure the XCSv software is configured properly for the number of CPU cores you have allocated to your virtual machine, you must reboot the system after you complete the setup wizard.

This reboot is required to allow the XCSv to adjust its CPU performance settings according to your configuration to provide optimal performance.

To reboot the XCSv, from the Web UI, select Administration > System > Reboot & Shutdown, then click Reboot.

Update Anti-Virus Pattern Files

If licensed, the Anti-Virus service is automatically enabled and started.

After the initial installation of the WatchGuard XCSv, it may take up to the default of one hour to update your Anti-Virus pattern files to the most recent version. We recommend you update your pattern files immediately after installation.

To update your pattern files:

1. Select Security > Anti-Virus > Anti-Virus.2. Go to the Virus Pattern Files section.3. Click Get Pattern Now.

Setup Guide 35


Cluster Configuration

Clustering provides a highly scalable, redundant messaging security infrastructure that enables two or more WatchGuard XCSv virtual devices to act as a single logical unit for processing messages for redundancy and high availability benefits. When you configure multiple XCSv virtual devices in a cluster, message traffic flow is never interrupted because of individual device failures.

Cluster Network

The XCSv virtual devices participating in the cluster communicate through a network interface connected to a separate network called the Cluster Network. The Cluster Network is a dedicated, secure subnet, and the devices communicate clustering information with each other through this network. You can add or remove devices from the cluster network without interruption to message processing.

XCSv Cluster Deployment

To set up multiple XCSv virtual devices in a cluster, you must configure a dedicated virtual network switch on the virtual host system to ensure that no data can leak to other virtual machines running on your virtual host.

This virtual switch must be mapped to actual physical network interfaces on the virtual host system if you are clustering with XCSv devices on another physical virtual host.

We recommend that if you set up multiple XCSv devices in a cluster, you should install your XCSv virtual devices on separate virtual hosts for hardware and software redundancy in the event an issue affects the virtual host.

36 WatchGuard XCSv


If your clustered XCSv devices are hosted on the same virtual host system, the virtual switch does not have to be mapped to physical network interfaces and you can configure the switch as an internal logical switch.

NoteIf you install clustered XCSv devices on the same virtual host, this configuration only provides software redundancy in the event one of the XCSv virtual devices fails. If a hardware or software issue affects the virtual host, your entire XCSv cluster will be affected.

Setup Guide 37


Add a Virtual Switch on the Virtual Host

These sections describe how to add a virtual switch to a VMware or Hyper-V virtual host.

Add a Virtual Switch on the VMware Host

To add a virtual switch on your VMware host:

1. Launch the vSphere client and log in to the VMware host with administrator credentials.2. In the vSphere inventory tree, select your XCSv virtual machine.3. Select the Configuration tab.4. In the Hardware section, click Networking.5. Click Add Networking....

The Add Network wizard appears.

6. Select Virtual Machine, then click Next.7. Select a physical network adapter to use with the virtual switch, or deselect all adapters to create a

logical virtual switch.8. Click Next.9. In the Network Label text box, type a name for this switch network.

For example, type “Cluster Network”.

10. Click Next, then click Finish.

38 WatchGuard XCSv


Add a Virtual Switch on Hyper-V

To add a virtual switch on your Hyper-V host:

1. Launch Hyper-V Manager.2. Select Virtual Switch Manager.3. Select New Virtual Network Switch.4. Select Private , then click Create Virtual Switch.

5. Type a name for the virtual switch. For example, type “Cluster”.

6. Click OK to apply the settings to virtual machine.

Setup Guide 39


Assign an XCSv Network Interface to the Virtual Cluster Switch

You must now map a network interface from the XCSv to the virtual cluster switch you created in the previous step.

Assign a Cluster Interface on VMware

To assign a cluster interface to a virtual switch on VMware:

1. Launch the vSphere client and log in to the VMware host with administrator credentials.2. Make sure your XCSv virtual machine is powered off.3. In the vSphere inventory tree, select your XCSv virtual machine.4. Select Edit Settings.5. Select the Hardware tab.6. Select the network adapter you want to use for the cluster.7. From the Network Label: drop-down list, select Cluster Network, or the name you assigned to the

cluster network in the previous section.

8. Click OK to apply the settings to the virtual machine.

40 WatchGuard XCSv


Assign a Cluster Interface on Hyper-V

To assign a cluster interface to a virtual switch on Hyper-V:

1. Launch Hyper-V Manager.2. Select your virtual machine, and click Settings.3. Select the Network Adapter that you want to connect to the cluster switch.4. From the Virtual Switch drop-down list, select the cluster virtual switch you created in the previous

step.

5. Click OK to apply the settings to the virtual machine.

Setup Guide 41


Configure Clustering on an XCSv Virtual Device

When you have setup the virtual switch for use with your cluster network, you can now enable clustering and configure a network interface on each XCSv virtual device to connect to this cluster network.

To configure clustering on each XCSv device participating in the cluster:

1. Log in to the XCSv Web UI.2. Select Configuration > Network > Interfaces.3. Select the network interface connected to the cluster network.

This interface must not be configured with an IP address. The interface is automatically configured for exclusive use on the cluster network.

4. From the Interface Mode drop-down list, select Cluster.

NoteMake sure that an NTP time server is configured on each device, and add additional NTP servers for redundancy. You cannot enable clustering until you configure an NTP server. The time server synchronizes all cluster devices from a common time source.

5. Click Apply.You must restart the system.

More more details on cluster configuration, see the current WatchGuard XCS Help or User Guide.

42 WatchGuard XCSv


Resource Monitoring

Your virtual host system may host other virtual machines in addition to the WatchGuard XCSv. To ensure that your virtual host resources are properly allocated, you must regularly monitor the resource usage and performance of your virtual host system and your XCSv virtual machine.

Resource Monitoring on VMware

To monitor the resource usage of your VMware host and virtual machines:

1. Launch the vSphere client and log in to the VMware host with administrator credentials.2. In the vSphere inventory tree, select your VMware host system at the top of the list.3. Select the Virtual Machines tab.

You can view the disk space, CPU usage, and memory utilization of each virtual machine hosted on your VMware system.

4. Select the Resource Allocation tab.5. You can switch between CPU, Memory, and Storage view for a more detailed examination of the

resources used by your virtual machines on the VMware host.

Setup Guide 43


6. Select the Performance tab for a customized chart view of the VMware host performance.

7. In the vSphere inventory tree, select your XCSv virtual machine.8. Select the Resource Allocation tab.

You can examine the resources in use specifically by the XCSv virtual machine.

9. Select the Performance tab for a customized chart view of the XCSv virtual machine performance.

44 WatchGuard XCSv


Resource Monitoring on Hyper-V

To monitor the resource usage of your Hyper-V host and virtual machines:

1. Launch Hyper-V Manager.2. From the Virtual Machines list, you can view the current status of the virtual machine, the CPU usage,

assigned memory, and system uptime.

3. Select a specific virtual machine.In the Summary section, you can view information including an overall summary of the virtual machine, the original and assigned memory usage, and networking status.

Setup Guide 45


46 WatchGuard XCSv

xcsv setup guide - watchguard.com · setup guide 1 watchguard xcsv ... for a vmware or microsoft...

Documents