WatchGuard SSL Basics v3.2
Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
TRAINING
www.watchguard.com/training
training@watchguard.com
SUPPORT
www.watchguard.com/support
support@watchguard.com
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
Table of Contents
Assessment ............................................................................................................................... 89
Abolishment .............................................................................................................................. 90
End-Point Integrity Client .......................................................................................................... 90
Course Introduction
About the WatchGuard SSL Device Solution
Your WatchGuard SSL device is an affordable, easy-to-use, and secure remote access device that provides
reliable connectivity to your corporate data and resources. Its flexibility enables you to make your remote
connectivity deployment as simple or as sophisticated as your business requires.
Training Options
If you use a WatchGuard SSL device, there are several training options available to you:
Getting Started Presentation
You can download and review the WatchGuard SSL Getting Started presentation. This PowerPoint
presentation provides an overview of the WatchGuard SSL device solution and its features.
WatchGuard SSL Basics Training Modules
Each training module available for the WatchGuard SSL device solution focuses on a specific feature
or function of configuration and management. For the most effective training path, we recommend
that you complete the training modules in the order they are presented.
To get access to the available training resources go to https://www.watchguard.com/training. You must
log in to the web site to get access to all the available training resources.
For more information, including configuration steps for advanced procedures, see the WatchGuard SSL
Web UI Help or the WatchGuard SSL Web UI User Guide.
Training Scenario
Throughout the WatchGuard SSL Basics training modules, we use a fictional company called Successful
Company. The modules build on a story of configuring an SSL Application Portal and remote application
access for Successful Company, but you can complete many of the exercises using examples from your
own network, or a set of addresses and situations provided by your WatchGuard Certified Training
instructor. Any resemblance between the situations described for Successful Company and a real
company is purely coincidental.
Prerequisites
This course is intended for moderately experienced network administrators. A basic understanding of
TCP/IP networking is required. No previous experience with network security or WatchGuard devices is
required.
Certification
The WatchGuard Certified System Professional (WCSP) exam is available for all WatchGuard partners. The
exam is based on the contents of this course, and we recommend that you study these training modules
to prepare for the exam. If you are a WCSP, you can log in to your LiveSecurity Service account and
locate the exam on the training page.
For more information about how to become a WCSP, see the Technical Certification page at:
http://www.watchguard.com/training/cert.asp
Additional Resources
For more information about how to install and configure your WatchGuard SSL device, see these
resources:
WatchGuard SSL Web UI v3.2 Help
You can launch the Help system from the WatchGuard SSL Web UI. For more information about the
features in a dialog box or application window, click the Help icon. A Help topic that describes the
features you see in the Web UI, and provides links to additional information, opens in your web
browser.
For the most up-to-date information, go to http://www.watchguard.com/help/documentation/ and
click the WatchGuard SSL Current documentation link to launch the WatchGuard SSL Web UI v3.2 Help.
You can also download the Help system for offline use.
WatchGuard SSL v3.2 User Guide
Go to http://www.watchguard.com/help/documentation/ and download the WatchGuard SSL Web UI
v3.2 User Guide.
WatchGuard Online Knowledge Base
Go to http://customers.watchguard.com
Getting Started
Set up your WatchGuard SSL Device
What You Will Learn
To manage your WatchGuard SSL device, you use a Web-based user interface. In this training module you
learn how to:
Before you begin these exercises, make sure you read the Course Introduction module.
To enable all of the features on your WatchGuard SSL device, you must activate the device on the
WatchGuard LiveSecurity web site and retrieve your feature key file. You can upload your feature key in
the Quick Setup Wizard if you register your device before you start the wizard. Or, you can complete the
wizard without a feature key. The SSL device only allows one authenticated user until you upload a
feature key to the device.
To register your WatchGuard SSL device, go to https://www.watchguard.com/activate.
To register your device, you must have the device serial number. We recommend that you register the
device and save a copy of the feature key from the LiveSecurity web site to your computer before you
start the Quick Setup Wizard.
Configuration Modes
You can configure your WatchGuard SSL device in one of two network configuration modes:
Single Interface Mode
Select this mode if you want to connect the WatchGuard SSL device to one network (for example, a
single DMZ). In Single Interface Mode, only the Eth0 interface is active.
Dual Interface Mode
Select this mode if you want to connect the WatchGuard SSL device to two separate networks (for
example, two different DMZ networks). In Dual Interface Mode, both the Eth0 and Eth1 interfaces are
active.
Single Interface Mode is most commonly used, and is the network configuration mode we use in the
exercises in this module.
Monitor System
You can use the Monitor System menu to see information about system status, user sessions, log
files, reports, licenses, and alerts.
User Management
You can use the User Management menu to manage user accounts, user groups, and configure the
SSL device to use an External Directory Service.
Resource Access
You can use the Resource Access menu to create Application Portal items to give users access to
applications, folders and files, and URLs.
Manage System
You can use the Manage System menu to see and manage the overall configuration of your
WatchGuard SSL system.
Above the main menu there are two buttons:
Browse
Click Browse to see the files on your WatchGuard SSL device or upload a file. You use this feature for
specific tasks that require you to upload a file or reference a file location on the device.
Publish
Click Publish after you make any configuration change to save the changes to the WatchGuard SSL
device. The Publish button changes from white to blue when you make changes that must be saved.
Exercise 1: Restore Factory Default Settings
There are two ways to reset your WatchGuard SSL device to factory default settings:
Use the WatchGuard SSL Web UI
If you can log into the WatchGuard SSL Web UI, you can restore the device to factory default settings
in the Web UI. This is the easiest method to restore the factory default settings.
Use Recovery Mode
If you cannot log into the WatchGuard SSL Web UI, you can start the device in recovery mode. When
the device is in recovery mode you can reinstall the software image and restart the device with
factory default settings.
To reinstall the software image in recovery mode:
1. Connect an Ethernet network cable between your computer and the Eth1 interface on the
WatchGuard SSL device.
2. Change the IP address of your computer to 10.0.1.2 (or to another IP address on the 10.0.1.0
network).
3. Open the command line interface of your computer. For example, on Windows XP, select All
Programs > Accessories > Command Prompt from the Windows Start Menu.
4. Change your local working directory to the location where you saved the .sysa_dl file.
5. At the command prompt, type:
ftp 10.0.1.1
6. Type admin as the user name.
7. Type admin as the password.
8. At the ftp prompt, type:
bin
Note
The recovery-mode FTP service accepts the default credentials admin/admin and transfers the image
without encryption. Use it only over the direct cable connection from step 1, never across a shared
network, and set new Super Administrator credentials in the Quick Setup Wizard as soon as the device
restarts.
Next Steps
After you restore the software image and the device restarts with factory default settings, you can use
the Quick Setup Wizard to set up your configuration again.
Exercise 2:
The Successful Company has purchased a new WatchGuard SSL device, and the administrator is ready to
start the installation.
In this exercise, we complete the initial installation with the Quick Setup Wizard. In the Quick Setup
Wizard, you set up a network interface and administrator credentials that enable you to connect to
WatchGuard SSL Web UI for administration.
2. Use an Ethernet cable to connect the Ethernet interface on your computer to the Eth1 interface
(labeled 1) on the WatchGuard SSL device.
3. Attach the power cord to the AC receptacle on the rear of the WatchGuard SSL device and to a power
source.
4. Power on the WatchGuard SSL device.
5. Open a web browser and type: https://192.168.111.1:8443
The Quick Setup Wizard begins.
Note
Because the WatchGuard SSL device ships with a self-signed certificate, your browser shows a
certificate warning. On this direct cable connection to Eth1 it is acceptable to continue past the warning
(Internet Explorer) or add a certificate exception (Mozilla Firefox). Before you expose the Application
Portal to users, replace the self-signed certificate with one issued by a CA their browsers trust, so that
users are never asked to click through a certificate warning.
Note
You get the feature key for your SSL device when you register it at the WatchGuard.com web site. You
then save the feature key to a text file that you can upload to the device.
8. Set the current Date and Time, and specify an NTP Server.
Though it is optional, we recommend that you specify an NTP Server. Accurate time is important not
only for log file time stamps, but also for the SSL handshake: certificate validity periods are checked
against the device clock, so a wrong clock can make valid certificates fail or expired ones succeed.
9. Type the Super Administrator User Name and Password. This is a local account on the SSL device. It
does not correspond to any user object that exists in your organization.
The Super Administrator password must be at least six characters long and must include characters
from at least three of these four categories:
-
10. Select the Network Type. For this exercise, select Single Interface Mode.
In Single Interface Mode, only the Eth0 network interface is used.
11. Configure the network settings for the Eth0 network interface. The first four are required.
- In the IP Address text box, type the IP address to use for Eth0.
- In the Subnet Mask text box, type the subnet mask. For example, 255.255.255.0.
- In the Default Gateway text box, type the IP address of the default gateway on the Eth0
network.
- In the Primary DNS text box, type the IP address of the primary DNS server on the Eth0
network.
- (Optional) In the Secondary DNS text box, type the IP address of the secondary DNS server.
- (Optional) In the Hostname text box, type the fully qualified host name of the device.
For example, ssl.mywatchguard.com or vpn.mycompany.com.
The hostname must be a publicly resolvable hostname or external IP. The Hostname setting is
optional, but because it is required for some types of connections, we recommend that you
specify it here.
- (Optional) In the DNS Search Order text box, type the domain names to include in DNS name
searches. The order in which you type the names specifies the search order. When you add
more than one domain name, separate each name with only a space. Do not add other
punctuation or separation marks.
12. Finish the wizard.
On the final wizard page you see:
- A summary of the configured interface settings and network type.
- The interface and IP address you must use to connect after the device reboots.
Exercise 3:
After the Quick Setup Wizard finishes, you can connect to the WatchGuard SSL Web UI to continue the
configuration, management, and monitoring tasks.
2. Connect your computer to your network. Make sure to reset the IP address of your computer to an IP
address on the network.
3. In a web browser, type https://<Eth0 IP Address>:8443. Use the IP address you configured for
Eth0 in the previous exercise. 8443 is the default HTTPS Administrator Port.
4. Use the Super Administrator credentials you configured in the Quick Setup Wizard to log in.
The WatchGuard SSL Web UI appears.
1. True or false? You must connect your computer to Eth1 to run the Quick Setup Wizard.
2. Which of these network settings are required in the Quick Setup Wizard? (Select all that apply.)
A) Primary DNS
B) Default Gateway
C) Subnet Mask
D) Interface name
E) IP Address
3. True or false? You can complete the Quick Setup Wizard without a feature key.
4. When should you select Dual Interface Mode? (Select one.)
A)
B)
C)
D) When you want to connect the device to more than one network
5. True or false? The WatchGuard SSL Application Portal is the Web-based administration application
you use to monitor and manage your WatchGuard SSL device.
ANSWERS
1. True
2. A, B, C, E
3. True
4. D
5. False
Before you begin these exercises, make sure you read the Course Introduction module.
About Authentication
Authentication is a central part of the configuration of your WatchGuard SSL device. You configure
authentication methods in the Manage System menu of WatchGuard SSL Web UI. This module focuses
on how to enable and configure the authentication methods you want to use, and how to enable one or
more authentication methods for your users.
You can also use authentication methods in access rules to control which authentication methods users
must use to connect to network resources. You learn about access rules and network resources in the
Resource Access training module.
Authentication Methods
WatchGuard SSL supports sixteen authentication methods. There are five WatchGuard SSL
authentication methods and eleven other authentication methods you can use to integrate with your
existing authentication services.
Windows Integrated Login: This method uses Windows domain credentials for authentication.
NTLM: This method uses the NTLM authentication protocol used in various Microsoft protocol
implementations.
Basic: This method performs basic authentication according to RFC 2617, HTTP Authentication:
Basic and Digest Access Authentication.
User Certificate: This method uses attribute mapping. The user is authenticated only if there is an
exact match between the configured User Attribute and the Certificate Attribute.
Form-Based Authentication: This method uses HTML forms that you can edit.
Confidence Online: This method uses the Confidence Online client for authentication.
RADIUS Replies
For the authentication methods that use the RADIUS networking protocol, the authentication method
configuration includes some pre-defined RADIUS replies. The pre-defined RADIUS replies are different
for each authentication method. You can add, edit, or delete RADIUS replies to customize the messages
users see during authentication.
Extended Properties
Extended Properties define what happens when a user authenticates with each authentication method.
The default and available Extended Properties are different for each authentication method. You can
add, edit, or delete Extended Properties to customize the behavior of the authentication method you
selected.
The User Management menu of WatchGuard SSL Web UI has these menu options:
User Accounts
Manage user accounts and global user account settings. You can add users to the Local User
Database or link to an External Directory Service, if you have one configured.
User Groups
Manage user groups. You can create user groups based on either the properties of a user account or
the location of a user in the directory structure you specified. You can use user groups in Access Rules
to determine which resources a user has access to in the Application Portal.
External Directory Service
Configure an External Directory Service location, such as Active Directory or LDAP, where user
accounts are stored. When you use an External Directory Service, you can link user accounts to
existing user accounts that are configured in the directory service.
Self Service
Configure Self-Service to enable your users to activate an account, reset a forgotten password, or
retrieve a forgotten user name. To configure Self Service, you must enable an External Directory
Service, and you must manage the user passwords in the Local User Database. To use self-service,
your users must authenticate with one of the five WatchGuard SSL authentication methods.
When a user authenticates with one of the WatchGuard SSL authentication methods:
1. The user selects a WatchGuard SSL authentication method, and types the user account credentials.
2. The internal RADIUS server on the WatchGuard SSL device looks up the user account in the Local
User Database.
3. If the user account is not linked to an External Directory Service, the credentials the user typed are
compared to the credentials stored in the Local User Database.
If the user account is linked to an External Directory Service, the SSL device makes a read-only
connection to the External Directory Service to look up the user password.
4. If the credentials match, the user is redirected to the Application Portal page.
When a user authenticates with one of the other (external) authentication methods:
1. The user selects a supported authentication method, and types the account credentials.
2. The configured authentication server is used to check the user credentials.
If the user credentials are not correct, the user authentication fails at this step.
3. If the credentials are correct, authentication succeeds and the SSL device looks for the user in the
Local User Database.
- First the SSL device checks for a matching user in the Local User Database.
- If the user does not exist in the Local User Database, the SSL device searches for the user in the
External Directory Service, if one is configured. If the user is found in the External Directory
Service, then the SSL device creates a user in the Local User Database.
- If the authentication method is configured with the Extended Property Allow user not listed
in any External Directory Service set to true, a user is created in the Local User Database
even if the user was not found in the External Directory Service.
4. If the user is found (or created) in the Local User Database in the previous step, the authentication
process is complete and the Application Portal appears.
If the user is not found, or was not created, the authentication process fails, and the user is not
allowed to connect to the Application Portal.
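The two flows above, as an added example that is not WatchGuard code: the Local User Database, the External Directory Service and the authentication server are constructed stand-ins (plain dictionaries and a callable), so the point is only the decision logic, including the Allow user not listed in any External Directory Service property and the two places where authentication fails.

```python
"""Model of the two WatchGuard SSL authentication flows (added example, not
WatchGuard code). Stores are constructed stand-ins for the real components."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class LocalUser:
    name: str
    password: Optional[str]          # None when credentials live in a directory
    linked_to: Optional[str] = None  # name of the External Directory Service


@dataclass
class Directory:
    """Constructed stand-in for an External Directory Service (read-only)."""
    name: str
    passwords: Dict[str, str]        # user name -> password


@dataclass
class LocalUserDatabase:
    users: Dict[str, LocalUser] = field(default_factory=dict)

    def find(self, name: str) -> Optional[LocalUser]:
        return self.users.get(name)

    def create(self, name: str, linked_to: Optional[str] = None) -> LocalUser:
        user = LocalUser(name=name, password=None, linked_to=linked_to)
        self.users[name] = user
        return user


def authenticate_watchguard_method(db: LocalUserDatabase, directory: Optional[Directory],
                                   name: str, password: str) -> bool:
    """Flow 1: a WatchGuard SSL authentication method (internal RADIUS server).
    Returns True when the user may proceed to the Application Portal."""
    user = db.find(name)                       # step 2: Local User Database lookup
    if user is None:
        return False                           # unknown locally: nothing to compare
    if user.linked_to is None:                 # step 3a: compare local credentials
        return user.password == password
    if directory is None or directory.name != user.linked_to:
        return False                           # linked, but directory unavailable
    # step 3b: read-only lookup of the password in the External Directory Service
    return directory.passwords.get(name) == password


def authenticate_external_method(db: LocalUserDatabase, directory: Optional[Directory],
                                 auth_server: Callable[[str, str], bool],
                                 name: str, password: str,
                                 allow_user_not_listed: bool = False) -> bool:
    """Flow 2: any other authentication method. `auth_server` stands in for the
    configured authentication server (e.g. Active Directory, RADIUS)."""
    if not auth_server(name, password):        # step 2: server rejects -> fail
        return False
    if db.find(name) is not None:              # step 3: already in Local User DB
        return True
    if directory is not None and name in directory.passwords:
        db.create(name, linked_to=directory.name)   # found: create linked account
        return True
    if allow_user_not_listed:                  # Extended Property set to true
        db.create(name)                        # created even though not listed
        return True
    return False                               # step 4: not found, not created
```

Note that in flow 2 the server has already accepted the password before the device decides whether the user exists; the Extended Property therefore turns "anyone the server accepts" into a portal user, which is why it should stay at its default unless the authentication server itself is the authority you want.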
Exercise 1:
The Successful Company administrator wants to create a local user account for testing on the
WatchGuard SSL device. In this exercise you manually add a user to the Local User Database, and
configure the user to use one of the five WatchGuard SSL authentication methods.
5. Select the check box for each WatchGuard SSL authentication method to enable for this user.
For this exercise, select the Enable WatchGuard SSL Password for the user account check box.
6. In the Email Address text box, type the email address for this user.
In this example, the Email Address and SMS mobile phone number are not required. You should
type an email address or mobile phone number for SMS if you want the system to send notifications
to your users about changes to their authentication credentials (password, PIN, or seed).
If you select the WatchGuard SSL Mobile Text authentication method, you must type the user's
mobile phone number in the SMS text box before you can continue.
7. Click Next.
The WatchGuard Authentication page appears with the settings for the authentication methods you selected.
Because we selected the WatchGuard SSL Password authentication method, we must specify the
password and properties for that authentication method. If we had selected other authentication
methods, the settings for those methods would also appear on this page.
8. In the WatchGuard SSL Password section, type and verify the password.
The password must be between six and sixteen characters and must include at least two numerals.
You can also select other Password Properties on this page. By default these properties are not
selected.
9. From the Notification drop-down list, select By Screen. This is the method the WatchGuard SSL
device uses to notify the administrator and user about changes to the user account.
The default notification method is By Screen, which displays the notification message about
updated authentication credentials to the administrator in the WatchGuard SSL Web UI after you
click Save.
You can customize the content of the notification messages in the Global Authentication Settings.
If the Email notification and SMS notification channels are enabled, you can also select these
notification options:
- By Email: Send notification of updated authentication credentials to the user through email.
- By Screen and Email: Use both the By Screen and By Email notification methods.
- By SMS: Send notification of updated authentication credentials to the user through SMS.
- By Screen and SMS: Use both the By Screen and By SMS notification methods.
If you select an Email or SMS notification option, you must also configure an email address or SMS
mobile phone number in the notification settings for this user account.
Exercise 2:
The Successful Company wants to use their existing Active Directory Server to authenticate users to the
WatchGuard SSL Application Portal. In this exercise you configure Active Directory with LDAP over SSL.
Note
LDAP over SSL is also known as LDAPS, LDAP/S, and LDAP over TLS. It means that the LDAP
connection between the LDAP client (in this case, the WatchGuard SSL device) and the LDAP server
(the Active Directory server) is protected by TLS (Transport Layer Security): the server proves its
identity with a certificate, and the data exchanged is encrypted with the cipher suite negotiated by the
TLS protocol. That protection only holds if the client verifies the server certificate against a CA it
trusts, which is why the CA certificate of your domain must be available to the SSL device before you
enable this method.
To complete this exercise you must have access to a Microsoft Active Directory server that is configured
to accept LDAP over SSL connections.
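To make the note above concrete, here is an added example (not WatchGuard code) that uses only the Python standard library to build the client-side TLS settings that make LDAP over SSL actually authenticate the directory server, beside the weak settings that merely encrypt. The CA file path and the server host are assumptions; the fingerprint function needs network access and is not exercised offline.

```python
"""TLS settings for an LDAP-over-SSL client (added example, not WatchGuard
code). Standard library only: no LDAP protocol, just the handshake policy."""
import hashlib
import socket
import ssl

LDAPS_PORT = 636   # LDAP over SSL; 389 is plaintext LDAP (or LDAP with STARTTLS)


def ldaps_context(ca_file=None):
    """Context that verifies the AD server's certificate chain and host name.
    ca_file is the PEM of your domain CA (assumed path); None uses the OS store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3/TLS1.0/TLS1.1
    ctx.verify_mode = ssl.CERT_REQUIRED            # reject unverifiable chains
    ctx.check_hostname = True                      # name must match the cert
    return ctx


def insecure_context():
    """What 'just accept the certificate' amounts to: encryption without
    authentication, so any host that intercepts the connection can read the
    bind credentials. Shown for contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False     # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Summarize the security-relevant properties of a context."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": bool(ctx.check_hostname),
        "min_version": ctx.minimum_version.name,
    }


def server_cert_fingerprint(host, ctx, port=LDAPS_PORT, timeout=5):
    """Complete a handshake with `host` (assumed name, e.g. the AD server) and
    return the SHA-256 fingerprint of the certificate it presented, to compare
    with the certificate your CA issued. Requires network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()
```

The same distinction applies to the SSL device's own configuration: an LDAPS setting that does not reference the domain CA certificate gives you the insecure context's guarantees, whatever the port number says.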
4. In the Display Name text box, type a name for this Active Directory authentication method.
This is the name that appears in the Registered Authentication Methods list.
6. In the Host text box, type the IP address or DNS name of your AD server.
7. If necessary, change the Port and Timeout settings.
In most cases you do not need to change these settings.
8. In the Account text box, type the user name for an account on the AD server. This can be a
Distinguished Name, a User Principal Name, or a down-level (NetBIOS) logon name. Make sure you
type the user name in the correct form.
For example:
- username@myexample.com
- CN=username,CN=Users,DC=myexample,DC=com
- myexample\username
9. In the Password text box, type the password for the user name you specified.
10. In the Root DN text box, type the Root DN information for the AD server where user accounts are
stored. Make sure you use the correct Root DN form.
For example, dc=myexample,dc=com
Exercise 3:
The Successful Company administrator wants to reuse the existing user account information on the
Active Directory server for accounts for the WatchGuard SSL device. In this exercise you configure the
Active Directory server as an External Directory Service Location and then link to it to create user
accounts.
3. Click Next.
4. In the Display Name text box, type the name of this External Directory Service as you want it to
appear in the WatchGuard SSL Web UI. In this example, we use the domain of our Active Directory
Server, wgtraining.local, as the Display Name.
5. In the Host text box, type the IP address of your Active Directory server.
6. The Port is automatically set to 389. Verify that this is correct for your AD server. Port 389 is the
plaintext LDAP port: unless the connection is protected with TLS, the credentials you type in the next
step cross the network unencrypted, so keep that account tightly scoped and prefer LDAP over SSL
(port 636) where your directory supports it.
7. Type the Account and Password of a user account you want the SSL device to use to contact your
AD server. For security reasons, this should be a dedicated read-only account with no other
privileges, not the AD administrator account.
8. Click Test Connection to test the connection to your AD server.
If your configuration is correct, a Connection test is successful message appears.
If the connection test fails, review the settings for your AD Server External Directory Service Location,
and correct any errors in the configuration.
9. Click Next.
The External Directory Service Location Search Rules settings appear.
The WatchGuard SSL Local User Database uses search rules to match users and user groups. You
must add search rules so that the users and groups can be found in the External Directory Service.
When you add search rules, make sure you define them based on the directory structure of your
organization and the user objects you want to use in your rules.
10. To add a User Search Rule, click Add User Search Rule.
The Add User Search Rule page appears.
11. In the User Root DN text box, type the location of the user (distinguished name) on your AD server.
Or, click Show Tree to select it.
Note
In this example, we use the Root DN. In a real deployment we recommend that you specify the
container on the AD server where the users are actually located. This provides added security, and
increases performance in large AD environments that have a large number of users and groups.
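Two checks a practitioner would want before saving the settings from Exercise 2 (the form of the bind account name) and the search rule above (whether the User Root DN is a container under the Root DN, and whether it is the whole Root DN): an added example, not WatchGuard code. It handles the common escaped-comma case in DNs only; the sample names are the ones used in this module.

```python
"""Checks for the Active Directory account name and search-rule settings
(added example, not WatchGuard code)."""
import re

# attribute=value, e.g. CN=username or DC=com
DN_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def split_dn(dn):
    """Split a DN on unescaped commas into its RDN strings."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:                      # character after a backslash is literal
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def account_form(account):
    """Classify the bind account as 'upn', 'dn', 'netbios' or 'unknown'."""
    if "\\" in account and "=" not in account:
        return "netbios"             # DOMAIN\user (down-level logon name)
    if account.count("@") == 1 and "=" not in account:
        return "upn"                 # user@domain
    if all(DN_ATTR.match(p) for p in split_dn(account)):
        return "dn"                  # CN=...,DC=...
    return "unknown"


def normalize_dn(dn):
    """Lower-case types and values so DNs compare the way AD compares them
    (case-insensitively for CN, OU and DC)."""
    out = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def is_under(base, root):
    """True when `base` is `root` itself or a container below it."""
    b, r = normalize_dn(base), normalize_dn(root)
    return len(b) >= len(r) and b[-len(r):] == r


def check_search_rule(user_root_dn, root_dn):
    """Findings for a User Search Rule, empty when the rule is well scoped."""
    findings = []
    if not is_under(user_root_dn, root_dn):
        findings.append("search base is outside the Root DN")
    elif normalize_dn(user_root_dn) == normalize_dn(root_dn):
        findings.append("search base equals the Root DN; narrow it to the "
                        "container that holds the users")
    return findings
```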
13. To add a Group Search Rule, click Add User Group Search Rule.
The Add User Group Search Rule page appears.
14. In the User Root DN text box, type the location of the group on your AD server.
Or, click Show Tree to select it.
15. Click Next.
The Group Search Rule you added appears in the Registered User Search Rules list.
The Registered External Directory Service Locations list now includes the External Directory
Service you added and shows the connection status. Make sure the status is Connected.
3. In the User ID text box, type the user name for the user you want to add as it appears in the External
Directory Service.
4. Click Link User.
A message appears that says the user account information was successfully saved.
6. After you add all linked users, select User Accounts to return to the list of users.
When you create a user account by linking, account information is automatically populated. You can
see in this example that the Display Name and Email address of the linked user account appear in
the User Accounts list.
Note
If the linked user account is later moved in the External Directory Service, the link is broken between
the Local User Database and the External Directory Service. On the User Accounts page, click Repair
Linked User Account to detect and fix broken links.
Exercise 4:
In this exercise, you connect to the WatchGuard SSL Application Portal as one of the users you created in
the previous exercises.
1. Open a web browser and type the Application Portal domain name. You can also type the IP
address of the SSL device and the Application Portal port number.
For example, type https://50.50.50.106:443
A list of enabled authentication methods appears.
Note
No resources will appear in your WatchGuard SSL Application Portal until you add them. We discuss
how to do that in the Resource Access training module.
Exercise 5:
If a linked user account is moved in the External Directory Service, the link is broken between the Local
User Database and the External Directory Service. The Successful Company administrator wants the
system to automatically repair user links, when possible. In this exercise you edit the Global User Account
Settings to make this change.
On the General Settings tab, the administrator can change the default settings for user account
access, WatchGuard authentication, and timeouts. The administrator reviews the settings, but does
not see a need to make any changes here.
1. Which WatchGuard SSL authentication methods require that users install the Mobile ID client to
generate a one-time password? (Select two.)
A)
B)
C)
D)
E)
2. Which authentication method setting controls the appearance of the authentication page?
(Select one.)
A) Authentication Server
B)
C) Template Specification
D) Layout Specification
E) Extended Properties
3. Which of these tasks must you complete before you can enable Active Directory over TLS on the
WatchGuard SSL device? (Select all that apply.)
A) Issue the CA Certificate from the Windows Certificate Server on the Active Directory server
computer.
B)
C)
D)
4. Which of these options are methods to add user accounts to the Local User Database?
(Select all that apply.)
A)
B)
C)
D)
5. If a linked user account is moved in the External Directory Service, the link is broken between the
Local User Database and the External Directory Service. Which of these methods could you use to
repair the broken link? (Select all that apply.)
A)
B) Enable Self Service so that users can fix their own broken account links.
C)
D) Edit the user account and click Link User to repair the link.
6. True or false? You must enable an External Directory Service to use the Self Service feature.
ANSWERS
1. C, D
2. C
3. A, C, D
4. A, B, D
5. A, C, D
6. True
Resource Access
Enable Access to Network Resources
What You Will Learn
The WatchGuard SSL Application Portal enables you to give your users secure access to your network
resources. In this training module you learn how to:
Before you begin these exercises, make sure you read the Course Introduction module.
Introduction
The Application Portal is a web site on the WatchGuard SSL device where users can connect to your
corporate applications and resources from remote locations. After a user authenticates to the
Application Portal, the applications and resources available to that user appear as icons the user can
select.
The applications and resources that appear in the Application Portal are called Application Portal items.
In this module you learn how to configure and control access to Application Portal items.
In the Resource Access section of the Web UI Main Menu, you define and manage the applications and
resources available to users in your Application Portal.
Resource Types
You define a resource for each network resource or application that you enable for your users. There are
two types of resources: Web Resources and Tunnel Resources.
Web Resources
You can create Web Resources to give your users access to any files that you can connect to with a web
browser, or applications with a web interface such as Microsoft Outlook Web Access. Users can connect
to a Web Resource with just a web browser. The WatchGuard SSL Access Client is not required.
The WatchGuard SSL device includes Web Resource templates for several popular applications to help
you set them up quickly. Available Web Resources include:
Select the default template, Web Resource to create a resource for access to other web-enabled
applications.
Tunnel Resources
You can create a Tunnel Resource to give your users access to client-server applications, intranet sites, or
network resources that are not web-enabled. To connect to Tunnel Resources, the user must use the
WatchGuard SSL Access Client. You can create a file share resource to enable users to open, copy,
rename, delete, upload, and download files. You can create a Full Tunnel resource to enable users to get
access to a set of network resources at the IP level, similar to traditional IP VPN solutions. Examples of
Tunnel Resources include Microsoft Outlook, Remote Desktop, or a Windows file share.
The WatchGuard SSL device includes Tunnel Resource templates with partial configurations for several
common resource types to help you set them up quickly.
Student Guide
Select the default template, Tunnel Resource, to create a resource for access to other applications or
network resources that are not web-enabled.
Note
Tunnel resources support all TCP and UDP ports. Other protocols such as ICMP (ping), ESP, and GRE are
not supported.
The operating systems on the users' computers that will use the resource.
- Only computers that use Windows can use dynamic tunnels.
- Any computer that has a browser and Java can use static tunnels.
The number of IP addresses to include in the resource.
- Use a dynamic tunnel for access to a tunnel resource with many IP addresses.
- Use a static tunnel for access to a tunnel resource with only one IP address.
The number of TCP or UDP ports to include in the resource.
- A dynamic tunnel enables access to many TCP and UDP ports on the Tunnel Resource.
- A static tunnel enables access to only one TCP or UDP port on the Tunnel Resource host.
1. The user's computer sends the traffic to its own loopback interface.
2. The Access Client software intercepts the traffic sent to the loopback address, encrypts it, and sends
it to the SSL device.
3. The SSL device decrypts the traffic and sends it to the correct destination IP address and destination
port, as defined in this static tunnel.
1. The Windows network driver installed by the Access Client intercepts the traffic.
2. The Access Client dynamically translates the traffic to the loopback interface on the user's computer,
and dynamically selects a source port for the traffic.
3. The Access Client encrypts the traffic and sends it to the SSL device.
4. The SSL device decrypts the traffic and sends it to the correct destination IP address and destination
port.
When you use one of the pre-defined Tunnel Resource templates to create a resource, the Add Tunnel
Resource Wizard automatically uses the required tunnel type. If a Tunnel Resource can be configured as
either a static or a dynamic tunnel, the Add Tunnel Resource Wizard enables you to set the Tunnel Type
to Windows (to configure the resource as a dynamic tunnel) or All Platforms (to configure the resource
as a static tunnel).
To see the static or dynamic tunnel settings that the Add Tunnel Resource Wizard configured, edit the
Tunnel Resource and select the Tunnel Settings tab.
If you use the default Tunnel Resource template, you must manually select and configure a static or
dynamic tunnel.
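The tunnel-type guidance above can be turned into a check. The following is an added example, not WatchGuard's code, that derives the tunnel type a resource needs from its IP range, its TCP and UDP port sets and the client platforms it must serve; the TunnelResource structure, the platform names and the range and port-set text syntax are this example's own assumptions.

```python
"""Added example (not WatchGuard code): which tunnel type does a Tunnel Resource need?

Rules of thumb from the module:
  - only Windows clients can use dynamic tunnels; any browser with Java can use static ones
  - a static tunnel reaches one IP address and one TCP or UDP port
  - many addresses or many ports require a dynamic tunnel
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class TunnelResource:
    """Constructed stand-in for the settings the Add Tunnel Resource Wizard collects."""
    name: str
    ip_range: str                     # "10.0.0.5" or "192.168.54.1-192.168.54.254"
    tcp_ports: str = ""               # port set text, e.g. "3389" or "1-65535"
    udp_ports: str = ""
    client_platforms: tuple = ("Windows",)   # platforms that must reach this resource


# Wizard labels for the two tunnel types (Tunnel Type drop-down list)
WIZARD_LABEL = {"dynamic": "Windows", "static": "All Platforms"}


def count_ips(ip_range: str) -> int:
    """'192.168.54.1-192.168.54.254' -> 254; a single address counts as 1."""
    first, sep, last = ip_range.partition("-")
    if not sep:
        return 1
    return int(IPv4Address(last.strip())) - int(IPv4Address(first.strip())) + 1


def count_ports(port_set: str) -> int:
    """'3389' -> 1; '80, 443' -> 2; '1-65535' -> 65535; '' -> 0."""
    total = 0
    for item in port_set.split(","):
        item = item.strip()
        if not item:
            continue
        low, sep, high = item.partition("-")
        total += int(high) - int(low) + 1 if sep else 1
    return total


def required_tunnel_type(r: TunnelResource) -> str:
    """Return 'static' or 'dynamic'; raise if no tunnel type can serve the resource."""
    ips = count_ips(r.ip_range)
    ports = count_ports(r.tcp_ports) + count_ports(r.udp_ports)
    windows_only = all(p.lower() == "windows" for p in r.client_platforms)
    if ips == 1 and ports == 1:
        # Either type works here; a static tunnel is the only choice once a
        # non-Windows platform has to use the resource.
        return "dynamic" if windows_only else "static"
    if not windows_only:
        raise ValueError(
            f"{r.name}: {ips} address(es) and {ports} port(s) need a dynamic tunnel, "
            "but dynamic tunnels are only supported on Windows clients"
        )
    return "dynamic"


if __name__ == "__main__":
    rdp = TunnelResource("RDP", "10.0.0.5", tcp_ports="3389")
    full = TunnelResource("Full Network Access", "192.168.54.1-192.168.54.254",
                          tcp_ports="1-65535", udp_ports="1-65535")
    for res in (rdp, full):
        t = required_tunnel_type(res)
        print(f"{res.name}: {t} tunnel (Tunnel Type = {WIZARD_LABEL[t]})")
```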
1. Select Resource Access and edit a Tunnel Resource that uses a static tunnel.
The Edit Tunnel Resource page appears.
Internal proxy
DNS name and DNS name pool
Filters
Link translation
Client access
Trusted gateways
Cookies and cache control
Note
Assessment and Abolishment are only supported on Windows clients. For information about Assessment
and Abolishment settings, see the Assessment and Abolishment module.
Assessment
Allow access only if the client meets specified criteria. An Assessment client runs on the client
computer to make sure the client computer meets the Assessment criteria you specify. For example,
you could use Assessment to check whether the client has anti-virus software running.
Abolishment
Allow access only if the Abolishment client is running on the client. Abolishment is a feature that
monitors the files and stored browser data on a client during a user session, and then automatically
deletes the browser data and files that were downloaded or created during the user session. You can
configure the types of files and browser data that Abolishment deletes when the session ends.
Custom-defined
A custom-defined access rule can be tailored to meet specific needs. It must be imported from an XML
file. This type of rule is not commonly used.
1. Users provide their Active Directory credentials when they authenticate to the Application Portal.
2. The Application Portal securely stores those credentials for the user account.
3. When a user selects a resource in the SSO domain, the Application Portal automatically uses the
stored credentials instead of prompting the user for additional authentication to the resource.
Exercise 1:
The Successful Company administrator wants the ability to monitor and manage the WatchGuard SSL
device remotely. In this exercise you add a Web Resource to enable remote access to the WatchGuard SSL
Web UI.
The Resources page has two tabs, one for Tunnel Resources and one for Web Resources.
5. Click Next.
The settings for the Secure Remote Web UI Access resource appear.
6. In the General Settings section, type a Display Name and Description for this resource.
The Display Name and Description only appear in the Web UI.
7. In the Special Settings section, make sure that the Enable resource check box is selected.
This controls whether the resource appears in the Application Portal.
The HTTP Port and HTTPS Port settings control what ports are used to connect to this resource. For
the Secure Remote Web UI Access resource, do not change these settings.
8. In the Host text box, type the IP address of the WatchGuard SSL device.
9. In the Application Portal Settings section, select the icon that appears in the Application Portal for
this resource:
To select a custom icon, click Browse.
To select a system icon, click Select Icon in Icon Library.
The Select Icon page appears.
11. In the Link Text text box, type the name you want to appear with the resource icon in the
Application Portal.
12. Make sure the Make resource available in Application Portal check box is selected.
16. Click Publish to update your configuration with the change and make this resource available in the
Application Portal.
1. Open a web browser and type https://<IP address of your Application Portal> to go to the
Application Portal authentication page.
2. Select an authentication method.
3. Type the user authentication credentials.
The WatchGuard SSL Application Portal appears, with the resource you configured.
The WatchGuard SSL Web UI resource enables the authenticated user to get to the WatchGuard SSL
Web UI log in page, but the user must still know the administrative credentials to log in and use the
Web UI.
Exercise 2:
The Successful Company administrator wants the Secure Remote Web UI Access resource to be available
only for users who authenticate with the WatchGuard SSL Web authentication method.
In this exercise you create an authentication method access rule and apply this access rule to the Secure
Remote Web UI Access resource.
Note
You can modify this exercise to create an access rule that uses any enabled authentication method.
5. In the Available Authentication Methods list, select WatchGuard SSL Web. Click Add.
WatchGuard SSL Web is moved to the Selected Authentication Methods list.
6. Click Next.
A summary page appears with the access rules you have added to this rule.
7. Click Next.
The rule you added appears in the Allow user access when list. You can add other rules to this access rule before
you continue.
You can combine different types of rules in the same access rule. For this exercise, we only need to
include one rule.
8. Click Next.
A list of resources that you can apply this rule to appears.
The Web UI Access resource now has multiple authentication access rules applied.
The Selected Access Rules list includes two authentication methods. Because we only want to allow
access by users who authenticate with the SSL Web Authentication method, we need to remove the
Any Authentication rule.
5. In the Selected Access Rules list, select Any Authentication. Click Remove.
The Any Authentication access rule is moved to the Available Access Rules list.
1. Open a web browser and type https://<IP address of your Application Portal> to go to the
Application Portal authentication page.
2. Select the WatchGuard SSL Password authentication method.
Or, select any authentication method other than WatchGuard SSL Web.
3. Type the user authentication credentials.
The WatchGuard SSL Application Portal appears, but the Admin Web UI resource is not visible.
Next, you can verify that the resource is available to users who use the WatchGuard SSL Web
authentication method. To do this, you must enable the WatchGuard SSL Web authentication method for
a user account. Then use that user account to log in to the Application Portal.
4. Select the Enable WatchGuard SSL Web for the user account check box.
The settings for the WatchGuard SSL Web authentication method appear.
Now you can use the WatchGuard SSL Web authentication method to log in to the Application Portal as
this user and verify that the user can see the Admin Web UI resource.
1. Open a web browser and type https://<IP address of your Application Portal> to go to the
Application Portal authentication page.
2. Select the WatchGuard SSL Web authentication method.
The WatchGuard SSL Web authentication page appears.
3. Type the User Name of the user who has WatchGuard SSL Web authentication enabled. Click
Submit.
The WatchGuard SSL Web authentication keypad appears.
Note
When you use the WatchGuard SSL Web authentication method, if the user password contains letters
and numbers, the user must use the keyboard to type the letters and the on-screen keypad to select
the numbers.
4. Use your keyboard and the on-screen keypad to type the numbers.
For this example, type Password on the keyboard and then click the numbers 1, 2, and 3 on the on-screen keypad.
5. Press Enter.
The WatchGuard SSL Application Portal appears, and the Admin Web UI resource is now visible.
Exercise 3:
The Successful Company wants to allow users to connect to their email remotely through the
Application Portal. In this exercise you add a Microsoft Outlook Web Access resource to the Application
Portal.
Note
To complete this exercise, you must have a Microsoft Exchange Server with Outlook Web Access
enabled.
5. In the General Settings section, type a Display Name and Description for this resource.
The Display Name and Description only appear in the Web UI.
7. In the Host text box, type the valid DNS name or IP address of the email server for this resource.
8. Click Select Icon in Icon Library and select the icon that appears in the Application Portal for this
resource.
9. In the Link Text text box, type the text that appears in the Application Portal for this resource.
The Add Resource wizard automatically added three Web Resource paths for the OWA 2003 resource.
Each resource path describes a location on the Microsoft Exchange Server that is accessible from this
Web Resource.
13. Click Publish to update your configuration with this change and make this resource available in the
Application Portal.
1. Open a web browser and type https://<IP address of your Application Portal> to go to the
Application Portal authentication page.
For example, type https://50.50.50.106.
A list of authentication methods appears.
5. In the Password text box, type the Active Directory password for this user.
6. In the Domain text box, type the domain.
For example, type wgtraining.
7. Click Submit.
Microsoft Outlook Web Access appears.
In this example, the user had to log in twice, and had to type the domain. In the next exercise we use
Single Sign-On so the user does not have to authenticate twice.
Exercise 4:
The Successful Company uses an Active Directory server to store user credentials for authentication with
the Application Portal and for Outlook Web Access. The administrator wants to avoid the need for users
to type in their password and domain when they connect to the OWA 2003 resource from the
Application Portal.
In this exercise you configure an SSO Domain to avoid the need for authenticated users to type their
credentials a second time when they launch the OWA 2003 resource.
5. Click Next.
The Domain Attributes page appears.
The User name and Password domain attributes are registered by default. You must add a third
attribute for the domain information.
11. To select which resources use this SSO domain, click Apply SSO Domains To Resources.
The Select SSO Type page appears.
12. From the SSO Type drop-down list, select Text. This is the default value.
13. From the Available Resources list, select OWA 2003. Click Add >.
The resource is moved to the Selected Resources list.
14. Click Add at the bottom of the page to add your selected resources to this SSO domain.
2. In the Registered Authentication Methods list, select the Active Directory authentication
method.
The Edit Authentication Method page appears.
5. From the Key drop-down list, select Save credentials for SSO domain.
6. In the Value text box, type the name of the SSO domain you just created.
7. Click Add.
The Extended Property appears in the Registered Extended Properties list.
8. Click Save.
9. Click Publish to update your configuration with this change.
1. Open a web browser and type https://<IP address of your Application Portal> to go to the
Application Portal authentication page.
For example, type https://50.50.50.106.
A list of authentication methods appears.
Exercise 5:
Successful Company wants to enable remote users to get access to all network resources when they are
not physically in the office. In this exercise, you set up a Full Network Access Tunnel Resource.
8. From the Tunnel Mode drop-down list, select Network Range to use a range of IP addresses for this
resource. This is the default setting.
9. In the IP Range text boxes, type the range of IP addresses to which you want to enable access.
For example, to enable access to all IP addresses on the 192.168.54.0/24 network, type
192.168.54.1 and 192.168.54.254.
10. To restrict access to TCP and UDP ports, edit the TCP Port Set and UDP Port Set.
The default settings for a Full Tunnel resource enable access to all TCP and UDP ports.
11. Select an Icon and Link Text for this resource.
12. Click Next.
The Access Rules settings for this resource appear.
13. To use the default Any Authentication access rule, click Next.
The Summary page appears.
To use this resource, authenticate to the Application Portal as any user. Because this is a Tunnel
Resource, the Access Client is automatically installed the first time a user starts the resource.
For more information about the Access Client, see the Use the Access Client module.
Exercise 6:
If a resource has a single IP address and uses a single port, you can configure it to use either a dynamic
tunnel or a static tunnel. In this exercise you use the Add Tunnel Resource Wizard to configure an RDP
resource, first with a dynamic tunnel, and then with a static tunnel. Then you compare the settings the
wizard creates for these two resources.
Note
For this exercise, you can use any IP address because you will not actually connect to the resource. The
purpose of this exercise is to compare the settings for a static tunnel and a dynamic tunnel.
4. In the Display Name text box, type a name for this resource.
For example, Dynamic RDP Access.
5. In the IP address text box, type the IP address for this resource.
This can be any IP address for the purpose of this exercise.
4. In the Display Name text box, type a display name for this resource.
For example, Static RDP Access.
5. In the IP Address text box, type the same IP address for this resource that you used for the RDP
resource with a dynamic tunnel.
6. From the Tunnel Type drop-down list, select All Platform.
This setting configures this resource with a static tunnel.
Resource IP Address: The IP address of the host accessible through this tunnel.
TCP Port Set: The TCP ports of the host accessible through this tunnel.
UDP Port Set: The UDP ports of the host accessible through this tunnel.
Confirm connections: This setting determines whether users are prompted to accept or
deny the connection to this resource.
Now, we can compare the configuration of this resource to the other Tunnel Resource that was
configured with a static tunnel.
1. On the Resources page, click the Display Name of the resource with the static tunnel.
For example, Static RDP Access.
The Tunnel Resource Settings page appears.
1. Which of these options are examples of Web Resources? (Select all that apply.)
A)
B)
Full Tunnel
C)
D)
E)
2. True or false? A single access rule can combine rules for authentication, assessment, and user group
membership.
3. What example best describes what you can do with an access rule? (Select one.)
A)
Assign the access rule to a user to control the user's access level.
B)
Assign the access rule to a resource to control requirements for user access
to the resource.
C)
Assign the access rule to an SSO domain to control which applications can
be accessed in that domain.
4. True or false? WatchGuard SSL SSO domains are configured to enable SSO for resources that use the
same user credentials.
5. True or false? If a resource is configured to use an access rule that requires the WatchGuard SSL
Password authentication method, the resource is still visible in the Application Portal to all users. But,
a user who uses another method to authenticate must authenticate again to use the resource.
ANSWERS
1. A, C, E
2. True
3. B
4. True
5. False. The resource is only visible in the Application Portal to users who use the authentication method
specified in the access rule for that resource.
Before you begin these exercises, make sure you read the Course Introduction module.
Preferences
Configure client preferences. These settings mostly apply to the Installed Access Client. From the
Access Client Preferences dialog box, you can configure the client update server, enable the Access
Client to start automatically when you start Windows, define trusted Access Points and commands,
change diagnostic logging settings, and configure settings and favorites synchronization.
History
When a tunnel is loaded successfully, the details of the tunnel configuration are automatically saved
in the History. This allows you to easily open a recently accessed tunnel resource. The History menu
can contain a maximum of 15 items.
Favorites
Save and manage favorite Application Portal resources. After you add favorite resources, you can
select the resource from the Favorites menu to start the resource. Administrators can also add
favorites on the SSL device that are synchronized to the Access Client.
Status
See the status of your SSL connection.
About
See the Access Client version and copyright information.
Close Tunnels
Close the connection to a Tunnel Resource.
Exit
Close the Access Client. The connections to all Tunnel Resources are also closed.
Exercise 1:
The Successful Company has installed the WatchGuard SSL device and has configured some Tunnel
Resources in the Application Portal. In this exercise, you connect to the Application Portal and
automatically launch the On-demand Access Client to start the tunnel to that resource.
The Application Portal automatically downloads and launches the Access Client to create a connection to the
Tunnel Resource. Actions associated with this resource, such as Assessment, also occur at this time.
4. If this is the first time you selected a Tunnel Resource, the web browser prompts you to download
either a Java Applet loader (Firefox) or an ActiveX control (Internet Explorer). Accept the download to
get the Access Client software that enables you to use the Tunnel Resource.
The Access Client is loaded and the Access Client icon
1. Click
2. Click Status.
The Access Client Status dialog box appears.
To see a brief status, you can also move the mouse pointer over the Access Client icon in the Windows
system tray.
2. To close all tunnels and close the Access Client, select Exit.
Exercise 2:
The Successful Company has some remote users who always use the SSL VPN. To help streamline VPN
access for these users, the administrator wants to install the Access Client on the users' computers. In this
exercise you install the Access Client on a user's workstation.
To do this exercise, you must have the Access Client installer for your Windows version. Access Client
installer files for Windows 32-bit and Windows 64-bit are available on the WatchGuard software center at:
www.watchguard.com/archive/softwarecenter.asp
For this example, we use the WatchGuard SSL Access Client Installer for Win32 installation file,
wgssl31aci_win32.exe.
1. Click
2. Select Preferences.
The Access Client Preferences dialog box appears.
3. Verify that the Update server is set to the URL or IP address of your WatchGuard SSL device. This is
automatically set the first time the Access Client connects to a resource.
If you did not connect to a Tunnel Resource in the Application Portal at least once before you
installed the Access Client, you must manually add the address of your Application Portal.
If the Update server text box is empty, type the address of the WatchGuard SSL Application Portal.
Do not include https://.
4. To automatically launch the Access Client when Windows starts, select the Launch Access Client on
startup check box.
The Access Client is added to the Windows Startup folder.
5. Click OK.
Exercise 3:
The Successful Company has created a Full Tunnel resource that gives full access to their local network.
The administrator wants to create this as a local favorite on the client so remote users can quickly access
the full local network, but not have to connect to the Application Portal.
See the Resource Access module for an exercise to create a Full Tunnel network resource.
6. Type a Display name for this favorite. This can be different from the name of this resource on the
Application Portal.
For this example, type Full Network Access.
7. The Server and Configuration text boxes are automatically configured. Do not change these
settings.
8. To automatically start this resource when the client is launched, select the Load on startup check
box.
9. Click OK.
10. Click Close to exit the Access Client Favorites window.
11. Click
1. Select Start > All Programs > WatchGuard SSL > Access Client > WatchGuard Access Client.
The Access Client starts and the Authentication dialog box appears.
Note
For information about how to replace the self-signed certificate on the device to avoid these security
warnings, see the Administration module.
Because the WatchGuard SSL device uses a self-signed certificate, the Access Client displays a series of
security warnings. You must click Yes several times to acknowledge the security warnings.
If you have configured the Access Client to launch when Windows starts, the resource is automatically
started. This is a great efficiency for remote users who use the Access Client to connect to your network,
because the VPN client and Tunnel Resources are loaded automatically when Windows starts.
Close and Start Favorite Resources from the Access Client Menu
1. Click
2. To close an active tunnel, select Close Tunnels and select the active tunnel from the list.
3. To start a favorite resource, select Favorites and select the name of the favorite resource from the list.
1. You must use the Access Client to connect to which types of resources? (Select all that apply.)
A)
B)
C)
Web Resource
D)
Tunnel Resource
2. True or false? You can configure the On-demand Access Client to automatically start and launch
Tunnel Resources when you start Windows.
3. Why does the Access Client display a series of security warnings? (Select one.)
A)
B)
C)
4. How can you see status information about your Access Client connection? (Select all that apply.)
A)
Move the mouse pointer over the Access Client icon in the Windows system
tray.
B)
Select Start > All Programs > WatchGuard SSL > Access Client > Status.
C)
Select Status from the Access Client menu in the Windows system tray.
ANSWERS
1. A, B, D
2. False. You must use the installed Access Client to do this.
3. B
4. A, C
Assessment
Assessment is an end-point security feature that scans the client computer to examine whether the
client meets certain criteria. You can configure the Assessment criteria that a client computer must meet
in order to get access to a resource protected by an Assessment access rule.
You can define an Assessment access rule to check for these criteria:
After a user authenticates, but before the user connects to a network resource, you can require an
assessment of their computers to find whether the computer meets your security requirements. This is
the Client Assessment process, which is performed by the WatchGuard SSL Assessment Agent. The
Assessment Agent automatically launches in a client web browser.
If the client computer meets the criteria, the user is allowed to access the protected resource. If you have
a current LiveSecurity subscription, updates to your Assessment criteria data occur automatically at the
time interval you specify in Monitor System > Live Update. If your LiveSecurity subscription expires, the
Assessment definition file is no longer updated, but Assessment continues to operate with the criteria
available at the time of expiration.
WatchGuard SSL supports Assessment on Microsoft Windows clients.
Abolishment
When a remote user connects to sensitive resources on your network from a computer that is not in your
control (such as a home computer or kiosk), confidential information can remain on the computer after
the VPN session is terminated. You can use Abolishment to erase all traces of the session from the client
device (for example, URL history, cache, cookies, and downloaded files).
Abolishment is an end-point security feature that monitors the files and stored browser data on a client
throughout a user session. When the user disconnects, the Abolishment agent requests the user to
delete the files that were downloaded or created during the user session. Monitored files include those
that a user downloads, edits, or creates during the user session. Administrators can also configure the
SSL device to automatically delete these files when the user session is complete.
When you protect a resource with an Abolishment access rule, the Abolishment settings specify what
type of files are monitored for changes and deleted from the client after the session is completed. By
default, the Abolishment client monitors these file types:
.htm
.pdf
.txt
.exe
.doc
.html
.gif
.jpg
When a user tries to connect to the resource, access is allowed only if the Abolishment client is running.
This makes sure that Abolishment can be performed when the session is completed. For your users of
Microsoft Internet Explorer 7 or later, make sure the HTTPS IP address of the SSL device is added to the
Internet Explorer Trusted Sites list.
WatchGuard SSL supports Abolishment on Microsoft Windows clients.
By default, the Assessment Client Loader and Abolishment Client Loader try to use ActiveX first, and if it
is not available, they use a Java applet. You can change this in the Advanced Settings for Assessment and
Abolishment.
Exercise 1:
The Successful Company wants to make sure that computers that use the Application Portal meet the
defined security requirements before users can get access to certain internal resources through the
Application Portal.
The Successful Company standard corporate computer configuration includes a file that contains the
asset tag number of the computer. If this file is not present, the computer might not be a corporate
computer and should be denied access.
In this exercise you configure an Assessment access rule to enable access to a resource only if the
asset-tag.txt file is present on the client computer.
3. In the Display Name text box, type a name for this Access Rule. Click Next.
A list of Access Rule types appears.
5. In the Display Name text box, type a name for this rule.
6. From the Information Type drop-down list, select File information. Click Next.
The Specify Requirements page appears. This is where you specify the requirements for this rule.
12. To configure the Assessment client to check for the presence of other files, or to check for file
attributes, repeat Steps 7 through 11 to add other requirements to this rule.
14. In the Feedback Message text box, type a message that you want users to see if their computer
does not meet the criteria specified in this access rule. Click Next.
A summary of this Access Rule appears.
This access rule now has one rule in it. A single access rule can contain more than one type of rule.
You can add others. For this example, we do not need to add more rules.
1. In a browser, authenticate to the Application Portal as any user who can get access to the resource
you protected with the Assessment access rule.
2. In the Application Portal, click the resource that you protected with the Assessment access rule.
The End-Point Integrity dialog appears in a separate browser window or tab.
This notifies the user that their computer must be scanned before the resource can be accessed.
3. Click Continue.
The Assessment client loads and scans for the Assessment criteria.
Note
The first time an Assessment scan runs, a browser warning appears that asks whether you want to
allow the ActiveX or Java client loader component. This warning looks different depending on your
browser. You must allow the client loader, or the Assessment scan cannot run.
If the Assessment criteria are not met, the End-Point Integrity scan failed page appears.
The text on this page is the Feedback text you configured for the Assessment access rule.
4. Use a text editor to create the asset-tag.txt file in the C:\ folder.
5. Click Try Again in the End-Point Integrity scan failed page.
The End-Point Integrity page appears again.
6. Click Continue.
This time, the Assessment access rule finds the file and the resource opens.
Exercise 2:
The Successful Company requires that all computers that connect to the Full Network resource in the
Application Portal must use anti-virus software. In this exercise, you create an Assessment rule that
checks for a running anti-virus client, and then apply this rule to the Full Network resource.
7. From the Information Type drop-down list, select Antivirus information. Click Next.
The Specify Requirements page appears.
9. From the Product Vendor drop-down list, select the name of the anti-virus vendor for the anti-virus
product you want to check for.
To check for the presence of anti-virus software from any vendor in the list, select Any product.
Note
If your training computer uses anti-virus software, you can select that vendor. Or, if you want the
Assessment scan to deny access, select an anti-virus vendor that is different than the anti-virus
software on your computer.
10. The Action to take if the product requirements are not met is automatically set to Deny access.
For this exercise, do not change this setting.
13. In the Feedback Message text box, type the message that you want users to see if their computer
does not have the required anti-virus software.
14. Click Next.
The Summary page for this access rule appears.
Exercise 3:
The Successful Company wants to enable access to some Application Portal resources to users from any
computer, such as a kiosk. The administrator wants to create an Abolishment rule to make sure that files
that contain potentially confidential information are not left behind on the computer after the user ends
the connection to the resource. In this exercise, you create an Abolishment access rule and apply it to a
resource.
5. Click Next.
The Add Access Rule page appears.
You can click Add Rule to add more rules to this access rule. For this exercise, we will not add more
rules.
6. Click Next.
The Select Resources page appears.
7. From the Available Resources list, select a resource. Click Add >.
The resource is moved to the Selected Resources list.
8. Click Next.
The Summary page for this access rule appears.
3. Click Continue.
The selected resource appears.
7. Select the check box for each file to delete, or click Select All.
The Delete Files button is enabled.
Exercise 4:
The Successful Company uses Microsoft Word 2007 for document creation. In addition to the default file
types, the Successful Company also wants the Assessment client to perform Abolishment for .docx files.
In this exercise, you change the Abolishment General Settings to add the .docx file type to the list of file
types to monitor.
2. In the Windows text box, add the .docx file type. Make sure to separate each file type with a comma
and a space.
3. Click Save.
The Abolishment settings are saved.
1. Which of these options is not a check that an Assessment access rule can perform?
(Select all that apply.)
A)
B)
C)
D)
E)
2. True or false? You can create an access rule that contains multiple Assessment rules.
3. True or false? When a user connects to a resource protected by an Abolishment access rule, by
default, at the end of the user session, the Abolishment client automatically deletes all files that a
user downloaded, edited, or created during the user session.
4. If you have a current LiveSecurity subscription, updates to your Assessment criteria data occur
automatically at the time interval you specify in Monitor System > Live Update. What happens if
your LiveSecurity subscription expires? (Select all that apply.)
A)
B) Assessment continues to operate with the criteria available at the time the LiveSecurity subscription expired.
C) Assessment does not continue to operate because the criteria are not current.
5. True or false? You can create multiple Abolishment rules that monitor different file types.
Administration
Manage and Customize your WatchGuard SSL Device
What You Will Learn
In the Getting Started module, you learned how to set up your WatchGuard SSL device. In this training
module you learn about:
Before you begin these exercises, make sure you read the Course Introduction module.
Introduction
You used the Quick Setup Wizard to create your initial device configuration. You can manage many of
those initial configuration settings, and many other system settings, in the Manage System section of
WatchGuard SSL Web UI.
In the other training modules, you learned about many of these system settings, such as Authentication,
Assessment, Abolishment, and Notification. In this training module, we focus on some of the other
system management settings used to maintain your WatchGuard SSL device.
By default, the WatchGuard SSL device saves the 20 most recent configuration files. If you have reached
the maximum allowed number of saved configuration files, each time you publish a new configuration,
the oldest saved configuration file is removed to make room for the newest one, unless the configuration
file is locked.
To see the saved configuration files:
On the Publish Summary page, click Restore Configuration.
Or, select Manage System > Restore Configuration.
On the Restore Configuration page, you can:
The saved configuration files are stored on the WatchGuard SSL device. To save a backup of your
configuration to a location other than the SSL device, you must export the configuration as described in
the next section.
Note
WatchGuard posts Release Notes with each software update. We strongly recommend you read the Release
Notes before you update the OS. The Release Notes include a description of what is new in the OS update,
any special upgrade instructions, and a list of resolved and known issues.
The basic process you must use to request and use a signed certificate includes these steps:
1. Create a private key and certificate signing request (CSR). You can use OpenSSL, a free command line
utility, to do this.
For a list of sites from which you can download OpenSSL, see http://www.openssl.org/related/binaries.html.
2. Use the CSR to request a certificate from Thawte, Verisign, or another well-known certificate
authority (CA). Use the instructions from your CA to submit the CSR. The CA returns a signed
certificate to you.
3. Convert the private key to PKCS#8 format with a program such as OpenSSL.
4. On the Manage Certificates page, add the new CA certificate and the new server certificate to the
WatchGuard SSL device.
5. On the Manage System > Device Settings page, configure the SSL device to use the new server
certificate.
6. Save the configuration, and publish it to update your configuration with the change.
For a detailed description of these steps, including the OpenSSL commands, see the WatchGuard SSL
Web UI Help or User Guide.
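Steps 1 and 3 of this process as shell functions around OpenSSL, added here as an example (these are not the commands from the WatchGuard guide); the output directory, the subject fields and the portal hostname are placeholders. The CSR is self-verified before it is sent to the CA, and the PKCS#8 key is re-parsed and compared against the CSR's public key to confirm the conversion did not silently produce a mismatched pair.

```shell
#!/bin/sh
# Added example (not from the WatchGuard guide): step 1 (private key + CSR)
# and step 3 (convert the key to PKCS#8) of the signed-certificate process.
# All file names, the subject and the hostname are constructed placeholders.
set -e

make_csr() {
  # $1 = output directory, $2 = FQDN users type to reach the Application Portal
  dir="$1"; host="$2"
  # 2048-bit RSA key, written unencrypted (-nodes) so the device can load it
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/portal.key" -out "$dir/portal.csr" \
    -subj "/C=US/O=Successful Company/CN=$host" 2>/dev/null
  # Check the request's self-signature before sending it to the CA
  openssl req -in "$dir/portal.csr" -noout -verify 2>/dev/null
}

to_pkcs8() {
  # Step 3: convert the key to unencrypted PKCS#8 PEM, then re-parse it
  openssl pkcs8 -topk8 -nocrypt -in "$1/portal.key" -out "$1/portal.pk8"
  openssl pkey -in "$1/portal.pk8" -noout
}

csr_cn() {
  # Print the CN embedded in the CSR (works for old "/CN=" and new "CN = " output)
  openssl req -in "$1/portal.csr" -noout -subject | sed -n 's/.*CN *= *//p'
}

key_matches_csr() {
  # The public key inside the CSR must be the one derived from the PKCS#8 key;
  # a mismatch here means the CA-signed certificate will not work with this key
  a=$(openssl req -in "$1/portal.csr" -noout -pubkey)
  b=$(openssl pkey -in "$1/portal.pk8" -pubout)
  [ "$a" = "$b" ]
}
```

Before uploading, compare the CN printed by csr_cn with the hostname users actually type for the Application Portal; a mismatch there is the usual cause of the browser certificate warning the guide mentions.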
From WatchGuard SSL Web UI you can easily customize many parts of this page:
- Company Name The name that appears in the About and Contact links.
- Company URL The URL associated with the About link.
- Company Contact URL The URL associated with the Contact link.
- Portal Name The large text heading at the top of the Application Portal page.
- Portal Information Text The welcome text that appears above the Resources on the Application Portal page.
- Client Portal Header Image The grey background image at the top of the page.
- Website Icon The icon that appears in the browser tab for the Application Portal.
-
In the default configuration, the Application Portal authentication page looks like this:
The red and grey borders of this page are a background image. To change the look of this page, in
WatchGuard SSL Web UI, replace the Client authentication portal background image with a different
image.
Exercise 1:
The Successful Company administrator wants to use an earlier configuration that was saved on the device.
In this exercise, you restore a saved configuration on the device.
Exercise 2:
The Successful Company is required to maintain periodic off-site backups of its key systems and to test
the recovery process to verify that the backups are usable.
In this exercise, you export the device configuration to an archive file and then import it.
The file name has the date and time the export file was created as a part of the file name.
2. In the Import Configuration section, click Browse to select the configuration file to import.
3. Click Import Configuration.
The configuration is imported and your WatchGuard SSL device reboots. This can take several minutes.
Exercise 3:
The Successful Company wants to update the Application Portal page to use their own company name
and information. In this exercise you learn how to customize the Application Portal page from
WatchGuard SSL Web UI.
3. Change the text and URLs that appear in the Application Portal.
4. Click Save.
5. Click Publish to update your configuration with this change and update the Application Portal.
6. Authenticate to the Application Portal.
The updated text and URLs appear on the Application Portal page.
You can change the background images and the website icon.
This page also displays the maximum image size for each background image:
- Client Authentication Portal Background Image: 456 x 360 pixels.
- Client Portal Header Image: 799 x 70 pixels.
3. In the Client Portal Header Image section, click Browse to locate the GIF file to use.
4. Click Save.
5. Click Publish to update your configuration with this change.
You can use similar steps to replace the background image on the authentication page. On the
Customize Application Portal page, this image is called the Client Authentication Portal Background
Image.
The size of the Client Authentication Portal Background Image is 456 x 360 pixels.
1. True or false? To restore a recent configuration, you must import the configuration from a backup
file.
2. By default, how many recent published device configurations does the WatchGuard SSL device save
locally? (Select one.)
A) 10
B) 20
C) 40
D) There is no limit
3. Which of these options require the WatchGuard SSL device to restart? (Select all that apply.)
A)
B)
C)
D)
E)
4. True or false? To eliminate browser warnings about a mismatched or untrusted certificate when a
user connects to the Application Portal, you can install a server certificate signed by a trusted CA.
5. Which of these changes can you make from WatchGuard SSL Web UI? (Select all that apply.)
A)
B)
C)
D)
Before you begin these exercises, make sure you read the Course Introduction module.
Introduction
When you log in to WatchGuard SSL Web UI you can immediately see key information about the
status of your system. The Monitor System section of the Main Menu contains all the management
features you use to monitor the status of, and events on, your WatchGuard SSL device. The System Status
page, in the sub-menu below Monitor System, is automatically selected when you log in.
The Monitor System section of the Web UI has these left menu options:
System Status
In this section you can see an overview of information about your system, check the status of your
network, review current authentication settings, identify events that have occurred on your system,
verify the status of your device, and run basic debug tools to help you troubleshoot issues on your
network. You can also manage settings for event monitoring, change the Super Administrator
password, and see information about the date and time of administrator activities.
User Sessions
Search for and manage all current user sessions to see which users are active in the system and
information about their sessions. You can also stop active user sessions.
Alerts
Add, edit, and delete the alerts the system sends when specified events occur, and manage global
alert settings. You can configure the system to send alerts by email or as an SMS message.
Logging
Configure logging settings, such as log level, log file rotation, and the types of information to include
in the log messages for each registered service.
Log Viewer
See log messages from the configured services. You can specify search criteria to filter search results
by severity level or search for specific messages.
Reports
Generate reports about the current status of the device or service, or select a time range.
Diagnostics File
Create a compressed diagnostics log file that contains log file events from all log files for a specified
time range. WatchGuard technical support may ask you to generate this file to help troubleshoot
issues with your system and resolve issues with your configuration.
Feature Key
See information about the current feature key and upload a new feature key.
Live Update
Check the status of updates to the engine and definition files used for End-Point Security Assessment
access rules. Live Update settings are preconfigured to the recommended settings. We recommend
that you do not change these settings unless instructed to do so by WatchGuard technical support.
At the bottom of the Monitor System page, there are two links that enable you to change some
additional global monitoring settings:
Manage Settings
Select whether to monitor the connection to the Local User Database or External Directory Service,
change the Super Administrator password, and enable password policy.
View Administrator Activities
See a list of all the administrators logged on to the Web UI, as well as the date and time of recent
actions for each administrator.
Exercise 1:
A new network administrator has joined Successful Company and wants to learn about the configuration
of the installed WatchGuard SSL device. In this exercise you explore the System Status section of the Web
UI to learn about the system.
Some of the information you can learn immediately from this page includes:
- Which Software Version is installed.
- The Feature Key Type (Production or Evaluation) installed on this device.
- Status information about registered and connected users.
  Concurrent Users The current number of users logged in to the Application Portal. The maximum number of allowed concurrent users is shown in parentheses.
  Registered User Accounts The number of user accounts on this system. The maximum number of user accounts is shown in parentheses; (*) indicates there is no limit.
  Logged on Users The number of users logged in to the Application Portal. This includes all logged in users, whether or not the users are actively connected to a resource.
  Active Users The number of users logged in and actively connected to a resource.
Note
An evaluation feature key allows a maximum of one authenticated user. The evaluation feature key does
not include LiveSecurity, so you cannot update the software or use the Live Update feature.
At the bottom of the page, you can see the number of Registered Resources configured for the
Application Portal and the number of Registered SSO Domains configured for Single Sign-On.
From this tab, you can see the status of the network configuration for this device. At a glance, you
can see that this device is configured in Single Interface Mode, because there is only one interface
(Eth0) configured. If the device was configured in Dual Interface Mode, you would also see status
information for Eth1.
You can also see the Routing Table configured for this device.
This page includes a summary of configured authentication methods and directory services, as well
as information about RADIUS clients and configured email notification and SMS distribution
channels.
In this example, on this page you can learn:
-
The Device Overview section shows information about the installed software, current connections,
and resource use, which includes:
- Current Server Time Shows the current date and time for the SSL device (this also appears
on the System Overview page).
- Server Started Shows the date and time the system was last started.
- Version Shows the software version (this also appears on the System Overview page).
The SSL Status section shows information about SSL Listeners. Listeners are additional ports or
IP addresses on which the Application Portal accepts connections. By default, the Application Portal
listens on one IP address on the Eth0 port. If you added additional listeners, their status would also
appear in this section. In this example, only one SSL Listener is enabled.
Exercise 2:
The administrator wants to see more information about the current user sessions. In this exercise you
look at user session information and learn how to end a user session.
Exercise 3:
Alerts are messages the system sends to notify administrators when specified events occur. Alert events
include lost and restored connections between services, lost and restored connections to the Local User
Database, or user account activity. You can configure alerts to be sent by email or as an SMS message.
The Successful Company administrator wants the help desk to receive an alert as an email when a user
account is locked.
2. On the Email Channel tab, select the Enable email channel check box.
3. In the Host text box, type the IP address or domain name of your local email server.
4. In the Senders E-mail Address text box, type the email address that you want to use to send the
administrative alerts. You can use an email address that is not on your mail server.
5. Click Save.
Add Alerts
1. Select Monitor System > Alerts.
The Manage Alerts page appears.
5. Click Next.
The next page of the Add Alert wizard appears.
7. Click Next.
8. Click Add Email address. Type an email address to receive notification for this alert.
9. Click Finish Wizard.
The Manage Alerts page appears, with the new alert added to the Registered Alerts list.
Exercise 4:
The new administrator at Successful Company also monitors the system log files as another way to learn
about the system status and activity.
In this exercise you learn about the default logging settings, which are a good starting point for most
environments. You also learn how to use the Log Viewer to search for information in the log files.
You can configure logging settings, such as the log level, log file rotation, and the types of
information to include in the log messages for each registered service.
You can configure logging for two registered services:
- accesspoint This includes all services related to the operation of the Application Portal.
- Administrator The WatchGuard Administration Service includes all the services and
settings related to administration of your device.
You can also select Manage Global Logging Settings on this page to change logging settings that
apply to all registered services.
2. Click accesspoint.
The Edit Logging Settings page for the accesspoint service appears, with a separate tab for each log type.
For the Audit Log, in addition to the Log Level Filter and Log File Rotation settings, you can also
see and change which types of information are included in log messages. The Log File Information
settings are only available for the accesspoint service. You can also configure a similar group of
settings on the HTTP Log tab.
The default logging settings are a good starting point for most environments. You can select other
types of information to include in your log files if you want to see that information in the Log Viewer
for monitoring.
By default, the Log Viewer is set to show the System log messages for all services for the last hour.
You can select a different Log Type or select a specific service from the Services list.
You can use Search Criteria to trace specific log events, such as user activity, through your services.
Searches are not case sensitive and search criteria can include multiple text strings. For example, if
you want to see only warnings, you could type WARNING in the Search Criteria text box.
For details about how to use the Search Criteria for sophisticated searches, see the WatchGuard SSL
Web UI Help or WatchGuard SSL User Guide.
Note
You might need to allow the pop-up in your browser to see the View Log window.
Exercise 5:
Create Reports
The Successful Company administrator realizes that, while searching the log files might be good for
troubleshooting, the built-in reports provide a better way to get an overall view of system activity in a
format that is prefiltered and easier to read.
In this exercise you generate an Authentication Report of all system activity, and you learn how to
generate a Complete Report of all system activity.
The Manage Reports page includes a list of all available reports, grouped based on the type of
events they report about. At the bottom is a Complete Report, which includes all of the others.
By default, the report is generated for all data for the past week.
Each report type has different data filters, based on the input data for that report type. You can click
a data filter to edit it for this report. For this exercise, leave the filters set to All.
For this exercise, you can change the chart styles, or use the default Bar settings.
6. Select each report tab to see the other charts for this report.
You can save the report as a PDF, data file, or image file. PDF is the default setting.
- The PDF includes all pages of the report.
- Data files are stored as plain text, with one text file for each report tab.
- Image files are stored as PNG image files, with one file for each chart.
8. Click Download.
The selected report file is generated.
1. True or false? The date and time the system was last started appears on the System Overview tab of
the System Status page.
2. Which notification methods can you select for Alerts? (Select all that apply.)
A) IM
B) SMS
C)
D)
3. True or false? If you set the Log Level for a service to Info, the log file includes all levels of messages.
4. You can save Reports in which of these formats? (Select all that apply.)
A)
B) .csv
C)
D)
ANSWERS
1. False. It appears on the Device Status tab of the System Status page.
2. B, C
4. True
5. A, C, D