P. 1
WGA 2-0 UserGuide

WGA 2-0 UserGuide

|Views: 45|Likes:
Published by Dimba KONATE

More info:

Published by: Dimba KONATE on Aug 01, 2012
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

08/01/2012

pdf

text

original

WatchGuard Administrator User Guide

Version: 2.0

Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc. Guide revision: 08/27/2008

Copyright, Trademark, and Patent Information
Copyright © 1998 - 2008 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners. This product is for indoor use only. WatchGuard, the WatchGuard logo, LiveSecurity, and any other mark listed as a trademark in the “Terms of Use” portion of the WatchGuard Web site that is used herein are either registered trademarks or trademarks of WatchGuard Technologies, Inc. and/or its subsidiaries in the United States and/or other countries. All other trademarks are the property of their respective owners. Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT®, Windows® 2000, Windows® XP, and Windows® Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All right reserved. “OpenVPN” is a trademark of OpenVPN Solutions LLC.

Licensing
Some components of the WatchGuard SSL software are distributed with source code covered under one or more third party or open source licenses. We include below the full text of the licenses as required by the terms of each license. To get the source code covered by these licenses, contact WatchGuard Technical Support at: 877.232.3531 from the United States or Canada +1.360.482.1083 from all other countries You can download the source code at no charge. If you request a compact disc, there is a $35 charge for administration and shipping.

GNU Lesser General Public License (LGPL)
Specific copyright information for the above software can be found in the WatchGuard SSL Hardware Guide that accompanies the WatchGuard SSL device in shipment.

ii

WatchGuard SSL 500 & SSL 1000

Apache License (2.0)
Each of the following programs are wholly or partially licensed under version 2.0 of the Apache License: Apache ant, Apache web server, Apache FOP, Apache Commons, Apache POI. Specific copyright information for the above software, if any, can be found in subsequent pages of this Reference Guide. Apache License Version 2.0, January 2004 http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions. “License” shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. “Licensor” shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. “Legal Entity” shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, “control” means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. “You” (or “Your”) shall mean an individual or Legal Entity exercising permissions granted by this License. “Source” form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. “Object” form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. “Work” shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). “Derivative Works” shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. “Contribution” shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, “submitted” means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as “Not a Contribution.” “Contributor” shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

User Guide

iii

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: a. You must give any other recipients of the Work or Derivative Works a copy of this License; and b. You must cause any modified files to carry prominent notices stating that You changed the files; and c. You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and d. If the Work includes a “NOTICE” text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

iv

WatchGuard SSL 500 & SSL 1000

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS

User Guide

v

vi

WatchGuard SSL 500 & SSL 1000

Table of Contents

Chapter 1

Introduction ............................................................................................................................... 1 Target audience................................................................................................................................................. Conventions used in this publication........................................................................................................ Special Fonts....................................................................................................................................................... Notes..................................................................................................................................................................... Contact WatchGuard documentation department.............................................................................. References ........................................................................................................................................................... 1 1 1 2 2 2

Chapter 2

Get started ................................................................................................................................. 3 Reading suggestions ....................................................................................................................................... 4 Customer support............................................................................................................................................. 4 Product Overview .................................................................................................................................................. 5 Assessment.......................................................................................................................................................... 5 Authentication ................................................................................................................................................... 6 Authorization...................................................................................................................................................... 6 Auditing................................................................................................................................................................ 7 Access.................................................................................................................................................................... 7 Abolishment ....................................................................................................................................................... 8 Technical overview................................................................................................................................................ 9 Administrative Service .................................................................................................................................... 9 Access Point ...................................................................................................................................................... 10 Policy Service.................................................................................................................................................... 11 Resources ...................................................................................................................................................... 11 Access Rules ................................................................................................................................................. 12 Single Sign On ............................................................................................................................................. 12 Authentication Service.................................................................................................................................. 13 WatchGuard Authentication.................................................................................................................. 13 WatchGuard Administrator Distribution Service................................................................................. 14 Planning .................................................................................................................................................................. 14 Define the Deployment Goals.................................................................................................................... 14 Security Audit/Planning ............................................................................................................................... 15 System Architecture Review .................................................................................................................. 15 Public Key Infrastructure ......................................................................................................................... 15 Securing your operating system .................................................................................................................... 16 Securing the file system........................................................................................................................... 16 Securing shared resources...................................................................................................................... 17

User Guide

vii

File auditing ................................................................................................................................................. 17 Securing disk resources ........................................................................................................................... 17 User management strategy ............................................................................................................................. 18 Analyze your environment ..................................................................................................................... 18 Directory service requirements............................................................................................................. 18 Password management........................................................................................................................... 19 Use of Foreign Characters....................................................................................................................... 19 Securing Microsoft Active Directory ................................................................................................... 19 User management recommendations .................................................................................................... 20 Recommendations for DNS Management........................................................................................ 20 Recommendations for the Active Directory installation ............................................................. 20 Recommendations for Domain and OU management ................................................................ 20 Recommendations for Tree and Forest management ................................................................. 20 Recommendations for Object Access Control Management .................................................... 20 Recommendations for Replication Management .......................................................................... 21 Recommendations for Operation Masters........................................................................................ 21 Recommendations for auditing............................................................................................................ 21 Resource access............................................................................................................................................... 21 Access strategies ........................................................................................................................................ 21 Pre-installation check list ............................................................................................................................. 22 Pre-Installation Check List....................................................................................................................... 22 WatchGuard Network......................................................................................................................................... 23 Network Layout .......................................................................................................................................... 23 Default listening ports................................................................................................................................... 24 Register your WatchGuard SSL User Pack with LiveSecurity Service................................................ 26 Chapter 3 Installation ............................................................................................................................... 27 Primary WatchGuard user................................................................................................................................. 28 Change the primary WatchGuard User password.......................................................................... 28 Preparation ............................................................................................................................................................ 29 Install on Windows.............................................................................................................................................. 30 Install administration service...................................................................................................................... 30 Install Authentication Service..................................................................................................................... 31 Install Policy Service....................................................................................................................................... 31 Install Distribution Service........................................................................................................................... 31 Install WatchGuard Mobile ID..................................................................................................................... 31 Install Access Client ........................................................................................................................................ 31 Upgrade overview ............................................................................................................................................... 32 Start and Stop WatchGuard Administrator Services............................................................................... 32 Uninstall WatchGuard Administrator ........................................................................................................... 32 Chapter 4 Setup System Wizard .............................................................................................................. 33 About the Setup System Wizard .................................................................................................................... 33 Requirements and preparation............................................................................................................. 34 What Setup System includes ................................................................................................................. 34 Start the Setup System Wizard ....................................................................................................................... 35 WatchGuard Administration Service Dashboard ........................................................................... 35 WatchGuard Administrator .................................................................................................................... 35 Upload license file ............................................................................................................................................... 36 License File ................................................................................................................................................... 36 Select directory service...................................................................................................................................... 36 Configure directory service.............................................................................................................................. 37 Common Settings for all Directory Service Types.......................................................................... 39 Specific Settings for Other or Customized Directory Service..................................................... 39

viii

WatchGuard SSL 500 & SSL 1000

Super Administrator credentials .................................................................................................................... 40 Set up administration service.......................................................................................................................... 40 Configure an Access Point in WatchGuard Administrator.................................................................... 40 Set up Policy Service........................................................................................................................................... 41 Policy Service Settings.............................................................................................................................. 41 Set up Authentication Service ........................................................................................................................ 41 Select WatchGuard Authentication Methods.................................................................................. 41 Authentication Service and Authentication Method Settings .................................................. 42 Select additional Authorization Methods ......................................................................................... 42 Configure Authentication Methods.............................................................................................................. 43 Novell eDirectory Settings ...................................................................................................................... 44 Confirm Authentication Methods.................................................................................................................. 44 Configure user storage ...................................................................................................................................... 45 Browse for root DN ......................................................................................................................................... 45 Search rules ....................................................................................................................................................... 46 Select additional Directory Service ............................................................................................................... 47 Configure additional Directory Service ....................................................................................................... 48 Additional Directory Service Settings................................................................................................. 48 Finish the Setup System Wizard ..................................................................................................................... 48 Chapter 5 Set up an Access Point ............................................................................................................ 49 WatchGuard SSL device software .................................................................................................................. 49 Connect your WatchGuard SSL Access Point device .............................................................................. 49 Select an Architecture Method....................................................................................................................... 50 One Interface Architecture ..................................................................................................................... 50 Two Interface Architecture ..................................................................................................................... 51 Configure your WatchGuard SSL device ..................................................................................................... 52 Reset your configuration.............................................................................................................................. 52 Set the Date and Time Zone for your WatchGuard SSL device........................................................... 53 Change the password for your WatchGuard SSL device....................................................................... 53 Use Log Viewer ..................................................................................................................................................... 54 View Logs ...................................................................................................................................................... 54 Clean Logs .................................................................................................................................................... 54 Update WatchGuard SSL device software .................................................................................................. 54 Chapter 6 Administration ........................................................................................................................ 55 About WatchGuard Administrator ................................................................................................................ 55 Top menu........................................................................................................................................................... 55 Online Help ....................................................................................................................................................... 56 Monitor system................................................................................................................................................ 57 Manage accounts and storage................................................................................................................... 57 Manage resource access............................................................................................................................... 58 Manage system................................................................................................................................................ 59 Chapter 7 Monitor System ....................................................................................................................... 61 About Monitor System....................................................................................................................................... 61 Status Overview.......................................................................................................................................... 61 Event Overview........................................................................................................................................... 61 Status overview .................................................................................................................................................... 62 Users ............................................................................................................................................................... 62 Resources ...................................................................................................................................................... 62 System information................................................................................................................................... 62 Administrators............................................................................................................................................. 62 Event overview ..................................................................................................................................................... 63 Manage settings................................................................................................................................................... 63

User Guide

ix

About system status ........................................................................................................................................... 64 General Status ............................................................................................................................................. 64 Access Points ............................................................................................................................................... 64 Policy Services ............................................................................................................................................. 64 Authentication Services........................................................................................................................... 64 About user sessions ............................................................................................................................................ 65 Logging ................................................................................................................................................................... 65 About Log Viewer ........................................................................................................................................... 65 Diagnostic file.............................................................................................................................................. 66 Log Viewer Settings .................................................................................................................................. 66 About logging.................................................................................................................................................. 67 Manage logging .............................................................................................................................................. 67 Log level filter .............................................................................................................................................. 68 Log file rotation .......................................................................................................................................... 68 Windows event log/Unix syslog ........................................................................................................... 68 Manage global logging settings................................................................................................................ 69 About the license file.......................................................................................................................................... 70 View license details ........................................................................................................................................ 70 Upload new license ........................................................................................................................................ 70 Alerts ........................................................................................................................................................................ 71 About alerts....................................................................................................................................................... 71 Alert events .................................................................................................................................................. 71 Manage alerts................................................................................................................................................... 71 Alert settings................................................................................................................................................ 71 Alert event settings ................................................................................................................................... 72 Settings.......................................................................................................................................................... 72 Alert notification receivers...................................................................................................................... 73 Manage global alert settings ...................................................................................................................... 74 Reports..................................................................................................................................................................... 76 About reports ................................................................................................................................................... 76 Time range.................................................................................................................................................... 76 Filters .............................................................................................................................................................. 77 Graphics......................................................................................................................................................... 77 Statistics.............................................................................................................................................................. 78 Data Retrieval .............................................................................................................................................. 78 About report database.................................................................................................................................. 79 Limitations.................................................................................................................................................... 79 Manage reports ............................................................................................................................................... 80 Set time range ............................................................................................................................................. 80 Set time range ............................................................................................................................................. 81 Assessment report settings .................................................................................................................... 83 Abolishment report settings.................................................................................................................. 83 Access report settings .............................................................................................................................. 84 Authentication report settings.............................................................................................................. 85 Authorization report settings ................................................................................................................ 86 Account statistics report settings......................................................................................................... 87 Session trend report settings................................................................................................................. 87 Communication report settings ........................................................................................................... 88 Alert report settings .................................................................................................................................. 88 System report settings ............................................................................................................................. 88 Performance report settings.................................................................................................................. 89 Tunnel report settings.............................................................................................................................. 89 Chapter 8 Manage accounts and storage ............................................................................................... 91

x

WatchGuard SSL 500 & SSL 1000

About accounts and storage ........................................................................................................................... 91 User accounts .............................................................................................................................................. 91 User Import and Linking.......................................................................................................................... 91 User groups .................................................................................................................................................. 92 User storage ................................................................................................................................................. 92 Global user account settings ........................................................................................................................... 93 About global user account settings ......................................................................................................... 93 About user linking ..................................................................................................................................... 93 About user link repair ............................................................................................................................... 93 Manage global user account settings ..................................................................................................... 94 General settings.......................................................................................................................................... 94 Manage user linking.................................................................................................................................. 95 General Settings ......................................................................................................................................... 95 User linking ............................................................................................................................................................ 99 About user linking .......................................................................................................................................... 99 Manage user linking....................................................................................................................................... 99 Manage user link repair ........................................................................................................................ 100 User import ......................................................................................................................................................... 101 About User Import....................................................................................................................................... 101 Manage User Import ................................................................................................................................... 101 User accounts..................................................................................................................................................... 104 About user accounts................................................................................................................................... 104 User Account Search Result List......................................................................................................... 104 Add user account .................................................................................................................................... 104 User Linking .............................................................................................................................................. 105 User Import................................................................................................................................................ 106 WatchGuard authentication ............................................................................................................... 106 Single Sign-On domain settings........................................................................................................ 106 User certificate ......................................................................................................................................... 106 Manage user accounts ............................................................................................................................... 107 General settings....................................................................................................................................... 108 General Settings ...................................................................................................................................... 108 Manage authentication settings ....................................................................................................... 108 Manage SSO settings............................................................................................................................. 114 User certificate ......................................................................................................................................... 115 User groups......................................................................................................................................................... 116 About user groups....................................................................................................................................... 116 About user location group .................................................................................................................. 116 About user property group ................................................................................................................. 116 About user group in directory service............................................................................................. 116 Manage user groups ................................................................................................................................... 116 Manage user property groups............................................................................................................ 117 Manage user location groups............................................................................................................. 117 User storage........................................................................................................................................................ 118 About user storage...................................................................................................................................... 118 Search rules ............................................................................................................................................... 118 Directory mapping ................................................................................................................................. 118 Manage User Storage ................................................................................................................................. 118 General settings....................................................................................................................................... 118 Manage search rules .............................................................................................................................. 119 Manage directory mapping................................................................................................................. 121 Chapter 9 Manage Resource Access ...................................................................................................... 123 About resource access .................................................................................................................................... 123

User Guide

xi

Access rules ............................................................................................................................................... Standard resources................................................................................................................................. Global Resource settings................................................................................................................................ About global resource settings............................................................................................................... About internal proxy.............................................................................................................................. About DNS name pool .......................................................................................................................... About filters............................................................................................................................................... About link translation............................................................................................................................ Manage Global Resource Settings .................................................................................................... Manage global resource settings........................................................................................................... General settings....................................................................................................................................... Filters ........................................................................................................................................................... Link translation ........................................................................................................................................ DNS Names for Access Point............................................................................................................... DNS Name Pool........................................................................................................................................ Standard resources .......................................................................................................................................... About standard resources ........................................................................................................................ Manage standard resources..................................................................................................................... Common Standard Resource Settings ............................................................................................ Access Rules .............................................................................................................................................. Citrix MetaFrame Presentation Server............................................................................................. Citrix MetaFrame Server ....................................................................................................................... Thinlinc Application Server ................................................................................................................. Domino Web Access 6.5 ....................................................................................................................... Terminal Server 2000/Terminal Server 2003 ................................................................................. Outlook Web Access 2000/Outlook Web Access2003/Outlook Web Access 5.5............. Microsoft Outlook Client 2000/2003/2007 .................................................................................... POP3/SMTP................................................................................................................................................ IMAP/SMTP................................................................................................................................................ Windows File Share ................................................................................................................................ Windows File Share ............................................................................................................................... Access to Home Directory.................................................................................................................... Secure Remote Access to Administrator ........................................................................................ SalesForce .................................................................................................................................................. Web Resources .................................................................................................................................................. About Web Resources ................................................................................................................................ Manage Web resource hosts ................................................................................................................... General settings....................................................................................................................................... Troubleshooting (FAQ) ......................................................................................................................... Application Portal Settings.................................................................................................................. Access rules ............................................................................................................................................... Advanced settings .................................................................................................................................. Encryption Level...................................................................................................................................... Manage web resource paths ................................................................................................................... General settings....................................................................................................................................... Access rules ............................................................................................................................................... Advanced settings .................................................................................................................................. Tunnel resources............................................................................................................................................... About tunnel resources ............................................................................................................................. Manage tunnel resources ......................................................................................................................... Tunnel resource settings ...................................................................................................................... Alternative Hosts..................................................................................................................................... Access rules ............................................................................................................................................... Advanced settings ..................................................................................................................................

123 123 124 124 124 124 125 125 126 126 126 127 128 129 130 131 131 131 131 132 133 133 134 135 135 136 137 137 138 138 138 139 139 140 140 140 141 141 144 145 145 146 148 149 149 150 151 153 153 153 153 154 154 154

xii

WatchGuard SSL 500 & SSL 1000

Tunnel resource networks............................................................................................................................. About tunnel resource networks ........................................................................................................... Manage tunnel resource networks........................................................................................................ Tunnel resources network settings .................................................................................................. Access Rules .............................................................................................................................................. Advanced settings .................................................................................................................................. Tunnel sets .......................................................................................................................................................... About tunnel sets......................................................................................................................................... Manage tunnels sets................................................................................................................................... Tunnel set settings ................................................................................................................................. Application Portal Settings.................................................................................................................. Static Tunnel Settings............................................................................................................................ Dynamic Tunnel Settings ..................................................................................................................... Startup settings........................................................................................................................................ Advanced tunnel settings.................................................................................................................... Mapped Drives......................................................................................................................................... Access Client Loader .............................................................................................................................. Additional Client Configuration ........................................................................................................ Specific Settings ...................................................................................................................................... Provide IP Address .................................................................................................................................. DNS Forwarding ...................................................................................................................................... Client Firewall........................................................................................................................................... Access Rules .............................................................................................................................................. Manage global tunnel set settings ........................................................................................................ External DHCP Settings......................................................................................................................... IP Address Pool ........................................................................................................................................ DNS Server................................................................................................................................................. Client firewalls.................................................................................................................................................... About client firewalls.................................................................................................................................. Prevent other network connections to be routed ...................................................................... Check integrity of connecting application .................................................................................... Firewall rules based on device ........................................................................................................... Manage client firewalls .............................................................................................................................. Incoming firewall rules.......................................................................................................................... Outgoing firewall rules ......................................................................................................................... Customized resources..................................................................................................................................... About customized resources................................................................................................................... Manage customized resource hosts ..................................................................................................... Access rules ............................................................................................................................................... Advanced settings .................................................................................................................................. Customized Resource Host Settings ................................................................................................ Manage customized resource paths..................................................................................................... Access rules ............................................................................................................................................... Advanced settings .................................................................................................................................. SSO domains ...................................................................................................................................................... About SSO domains .................................................................................................................................... Access rules ............................................................................................................................................... Domain types ........................................................................................................................................... Manage SSO domains ................................................................................................................................ SSO Domain Settings............................................................................................................................. Domain attributes................................................................................................................................... Domain Type Cookie.............................................................................................................................. Access Rules .............................................................................................................................................. Settings.......................................................................................................................................................

156 156 156 156 156 157 159 159 160 160 160 161 162 163 163 164 165 165 166 167 167 167 167 167 167 168 168 169 169 169 169 171 172 172 173 174 174 174 174 175 175 176 176 177 179 179 179 180 181 181 182 183 183 183

User Guide

xiii

Access rules......................................................................................................................................................... About access rules ....................................................................................................................................... Access rule types ..................................................................................................................................... About managing access rules ............................................................................................................ Manage access rules .............................................................................................................................. Manage global access rule................................................................................................................... Manage access rules for resource or SSO domains .................................................................... Access rule settings..................................................................................................................................... Microsoft Windows Client Data ......................................................................................................... Settings....................................................................................................................................................... Application portal............................................................................................................................................. About application portal........................................................................................................................... Access Client ............................................................................................................................................. Manage application portal ....................................................................................................................... Application portal item settings............................................................................................................. Identity Federation........................................................................................................................................... About Identity Federation ........................................................................................................................ Assertions................................................................................................................................................... Preconditions ........................................................................................................................................... Providers .................................................................................................................................................... Manage Identity Federation settings ................................................................................................... Global Identity Federation Settings ................................................................................................. Manage providers........................................................................................................................................ About Manage System ................................................................................................................................... Abolishment ....................................................................................................................................................... About Abolishment..................................................................................................................................... Manage abolishment.................................................................................................................................. General Settings ...................................................................................................................................... Cache Cleaner........................................................................................................................................... Advanced ................................................................................................................................................... Access Points...................................................................................................................................................... About Access Points.................................................................................................................................... Manage Access Points................................................................................................................................ Access Point settings ............................................................................................................................. Additional listeners ................................................................................................................................ Manage Global Access Point settings................................................................................................... Advanced settings .................................................................................................................................. Cipher Suites............................................................................................................................................. Performance.............................................................................................................................................. About load balancing................................................................................................................................. Manage load balancing ........................................................................................................................ Mirrored Access Points.......................................................................................................................... Settings....................................................................................................................................................... Administrative Service .................................................................................................................................... About Administrative Service.................................................................................................................. Configuration ........................................................................................................................................... Manage Administrative Service.............................................................................................................. Administration Service Settings ........................................................................................................ Assessment ......................................................................................................................................................... About Assessment....................................................................................................................................... Manage Assessment ................................................................................................................................... General Settings ......................................................................................................................................

185 185 185 186 187 187 188 189 191 193 196 196 196 196 197 199 199 199 199 200 200 200 201 203 204 204 205 205 206 207 208 208 210 210 210 212 212 213 214 214 215 215 215 220 220 220 221 221 222 222 222 223

Chapter 10 Manage system ...................................................................................................................... 203

xiv

WatchGuard SSL 500 & SSL 1000

Advanced Settings.................................................................................................................................. Plug-ins ....................................................................................................................................................... Authentication methods................................................................................................................................ About authentication methods.............................................................................................................. Authentication methods ...................................................................................................................... About WatchGuard SSL Mobile Text................................................................................................ About WatchGuard SSL Web .............................................................................................................. About WatchGuard SSL Challenge ................................................................................................... About WatchGuard SSL Password .................................................................................................... About WatchGuard SSL Synchronized............................................................................................ Additional authentication methods................................................................................................. Manage authentication methods .......................................................................................................... General settings....................................................................................................................................... Authentication method server........................................................................................................... RADIUS replies.......................................................................................................................................... Extended properties .............................................................................................................................. Authentication services ............................................................................................................................. About Authentication Service ............................................................................................................ Manage Authentication Services ...................................................................................................... Define RADIUS Authentication .......................................................................................................... Define password/PIN ............................................................................................................................. Email messages........................................................................................................................................ SMS/Screen messages........................................................................................................................... Certificates...................................................................................................................................................... About certificates.................................................................................................................................... Registered Server Certificates............................................................................................................. Registered Client Certificate ............................................................................................................... Manage certificates ................................................................................................................................ Certificate Authority settings.............................................................................................................. Server certificate settings..................................................................................................................... Client certificate settings...................................................................................................................... Settings....................................................................................................................................................... Device definitions............................................................................................................................................. About device definitions........................................................................................................................... Manage device definitions ....................................................................................................................... Delegated management................................................................................................................................ About delegated management.............................................................................................................. Manage delegated management .......................................................................................................... Role settings.............................................................................................................................................. Directory services.............................................................................................................................................. About directory services............................................................................................................................ Manage directory services........................................................................................................................ General Settings ...................................................................................................................................... Communication Settings ..................................................................................................................... Advanced Settings.................................................................................................................................. Notification settings ........................................................................................................................................ About notification settings....................................................................................................................... Manage notification settings................................................................................................................... Email channel settings .......................................................................................................................... SMS channel settings............................................................................................................................. Variables ..................................................................................................................................................... Policy Services.................................................................................................................................................... About Policy Services ................................................................................................................................. Manage Policy Services..............................................................................................................................

225 226 226 226 227 228 228 229 229 229 230 231 231 234 241 242 248 248 249 251 252 257 261 264 264 264 264 264 265 266 266 266 268 268 268 269 269 269 270 272 272 272 272 273 274 275 275 275 275 276 282 282 282 283

User Guide

xv

General settings....................................................................................................................................... XPI: Web services..................................................................................................................................... Manage global Policy Service settings................................................................................................. Communication Settings ..................................................................................................................... RADIUS Configuration..................................................................................................................................... About RADIUS configuration................................................................................................................... Manage RADIUS configuration ............................................................................................................... RADIUS Client Settings.......................................................................................................................... Manage RADIUS Back-End Servers ................................................................................................... Glossary 289 A .............................................................................................................................................................................. Access Rules .............................................................................................................................................. ASCII............................................................................................................................................................. ASN.1 ........................................................................................................................................................... Authentication ......................................................................................................................................... Authentication Method ........................................................................................................................ Authentication Server ........................................................................................................................... Authorization............................................................................................................................................ B .............................................................................................................................................................................. BankID ......................................................................................................................................................... Base64 ......................................................................................................................................................... Base DN....................................................................................................................................................... C .............................................................................................................................................................................. CA.................................................................................................................................................................. CA Certificate ............................................................................................................................................ Cipher .......................................................................................................................................................... Client Certificate ...................................................................................................................................... CDP............................................................................................................................................................... Client Device............................................................................................................................................. CRC ............................................................................................................................................................... CRL................................................................................................................................................................ CVC ............................................................................................................................................................... D.............................................................................................................................................................................. Delegated Management ...................................................................................................................... DER ............................................................................................................................................................... Device.......................................................................................................................................................... Digital Certificate..................................................................................................................................... Directory Service ..................................................................................................................................... Directory Service User Group ............................................................................................................. Display Name............................................................................................................................................ Distribution Channel.............................................................................................................................. DMZ.............................................................................................................................................................. DN ................................................................................................................................................................. DNS............................................................................................................................................................... E............................................................................................................................................................................... Encryption ................................................................................................................................................. F............................................................................................................................................................................... Firewall........................................................................................................................................................ FTP ................................................................................................................................................................ H.............................................................................................................................................................................. Host .............................................................................................................................................................. HTTP............................................................................................................................................................. HTTPS ..........................................................................................................................................................

283 284 285 285 286 286 287 287 288 289 289 289 289 289 289 289 290 290 290 290 290 290 290 290 290 290 290 291 291 291 291 291 291 291 291 291 291 292 292 292 292 292 292 292 292 292 292 292 293 293 293 293

xvi

WatchGuard SSL 500 & SSL 1000

L............................................................................................................................................................................... LDAP ............................................................................................................................................................ Log Levels .................................................................................................................................................. M ............................................................................................................................................................................. MIME ............................................................................................................................................................ N.............................................................................................................................................................................. NTLM............................................................................................................................................................ O.............................................................................................................................................................................. OpenSSL ..................................................................................................................................................... OU................................................................................................................................................................. P .............................................................................................................................................................................. PEM............................................................................................................................................................... PIN ................................................................................................................................................................ PKI ................................................................................................................................................................. Port ............................................................................................................................................................... Proxy ............................................................................................................................................................ R .............................................................................................................................................................................. RADIUS........................................................................................................................................................ Resource..................................................................................................................................................... Resource Host........................................................................................................................................... Resource Path........................................................................................................................................... S............................................................................................................................................................................... SAML............................................................................................................................................................ Seed ............................................................................................................................................................. Server Certificate ..................................................................................................................................... Shared Secret............................................................................................................................................ SMS............................................................................................................................................................... SMPP ............................................................................................................................................................ SSL ................................................................................................................................................................ SSO ............................................................................................................................................................... SSO Domain .............................................................................................................................................. T............................................................................................................................................................................... TCP................................................................................................................................................................ TLS ................................................................................................................................................................ Tunneling................................................................................................................................................... U.............................................................................................................................................................................. UDP .............................................................................................................................................................. URI................................................................................................................................................................. URL ............................................................................................................................................................... User Certificate......................................................................................................................................... User Group................................................................................................................................................. User Location Group .............................................................................................................................. User Property Group .............................................................................................................................. User Storage.............................................................................................................................................. W............................................................................................................................................................................. WAP.............................................................................................................................................................. X .............................................................................................................................................................................. X.509 ............................................................................................................................................................

293 293 293 293 293 293 293 294 294 294 294 294 294 294 294 294 294 294 294 294 295 295 295 295 295 295 295 295 295 295 295 296 296 296 296 296 296 296 296 296 296 296 296 296 297 297 297 297

User Guide

xvii

xviii

WatchGuard SSL 500 & SSL 1000

1

Introduction

Welcome to the WatchGuard Administrator User Guide – your reference guide to a secure and flexible solution for safe access to any and all of your internal and external resources and applications. Our aim has been to provide WatchGuard Administrator users with a comprehensive guide to all aspects of WatchGuard Administrator administration. In doing so, we have structured the WatchGuard Administrator User Guide in About… and Manage… sections, to enable readers to access in-depth information when they need it. Regardless if this is conceptual information to prepare for installation, to gain deeper understanding of complex topics, or instructions on how to administer specific functionality. The About… sections contain overview information of specific functionality in WatchGuard Administrator, presented in the same order as it is structured in the WatchGuard Administrator, so when you wish to learn more on a specific task in a conceptual point of view – this is where to look. Browse the Manage… sections when you are performing a task in the WatchGuard Administrator and do not find the information you need in the WatchGuard Administrator Online Help.

Target audience
This User Guide covers all aspects of WatchGuard Administrator and is intended for both administrators and system integrators. For more detailed information on essential reading, please see section Getting Started.

Conventions used in this publication
This publication uses various conventions to present information. Words that require special treatment appear in specific fonts or font styles. Certain information, such as command-line options, uses special formats so that you can scan it quickly.

Special Fonts
This publication uses several typographical conventions. All code listings, reserved words, and the names of actual data structures, constants, fields, parameters, and routines are shown in monospaced font (this is monospace). Words that appear in boldface are menu items and/or settings in the WatchGuard Administrator.

User Guide

1

Introduction

Notes
Notes contain information that is interesting but possibly not essential to an understanding of the main text.

Contact WatchGuard documentation department
WatchGuard is always interested in feedback from our users. Please direct comments or questions regarding any WatchGuard publication to the WatchGuard Documentation Department at documentation@watchguard.com. Please include the title of the document in your email.

References
Referenced documents, such as technical notes, are included with your product and can be located on the product distribution, or if the product is already installed, in the Documentation folder where the product was installed. It is also possible to access the documentation directly from the WatchGuard Administrator Administrator Dashboard.

2

WatchGuard SSL 500 & SSL 1000

2

Get started

The WatchGuard Administrator User Guide covers all areas related to WatchGuard Administrator. Below is an outline of the main parts and what each part covers.
The WatchGuard Administration Service, WatchGuard Administrator Access Point, WatchGuard Administrator Policy Service, and WatchGuard Authentication Service will be referred to as the Administration Service, Access Point, Policy Service, and Authentication Service respectively throughout the manual.

Introduction The User Guide starts with this introduction, outlining notation conventions, references, and presents a comprehensive road map. Planning This chapter deals with preparations that you need to perform before installing WatchGuard Administrator. It also contains recommendations for a successful WatchGuard Administrator deployment. Installation This chapter covers the installation and initial setup of your WatchGuard Administrator system. This chapter should be read in detail, and contains specific instructions on how to install WatchGuard Administrator. Setup System Wizard This chapter details all steps necessary to configure and set up your WatchGuard Administrator system. This section is most important, and should be read carefully. Set up an Access Point This chapter provides basic information to set up and configure your WatchGuard SSL device, and manage the device with the WatchGuard SSL VPN Web Manager. Administration This chapter is a general introductory overview of how to navigate in WatchGuard Administrator. Monitor System This chapter covers all aspect of the Monitor System section in the WatchGuard Administrator. Manage Accounts and Storage This chapter covers all aspects of the Manage Accounts and Storage section in the WatchGuard Administrator. Manage Resource Access This chapter covers all aspects of the Manage Resource Access section in the WatchGuard Administrator. Manage System This chapter covers all aspects of the Manage System section in the WatchGuard Administrator. Glossary This chapter presents a comprehensive glossary of terms.

User Guide

3

Get started

Reading suggestions
Be sure to read the following items. WatchGuard Administrator Release Notes Contains important information about the WatchGuard Administrator release. Available on the product distribution. WatchGuard Administrator Online Help Contains context sensitive help and in-depth conceptual information. Available in the WatchGuard Administrator.

Customer support
When you register your product, you may be entitled to technical support. Terms may vary depending on the country of residence. For more information, refer to technical support at http://watchguard.com, or contact your local sales representative.

4

WatchGuard SSL 500 & SSL 1000

Get started

Product Overview
Users today rely on access to applications and information from any location using any device, for maximum business productivity and return-on-investment. By implementing a security strategy immediately, organizations can ensure that customer trust is kept, profits are not lost, and the brand image is not damaged by malicious attacks. WatchGuard Administrator covers entry-to-exit security by following the six core principles of security, also known as the six A’s. The six A’s follows a holistic approach to security to ensure that users and organizations are completely protected using best of breed technologies: Assess Inspection of user device (laptops and desktop computers, PDAs, smart-phones) to ensure it complies with a corporate security policy Authenticate Identify that users are who they claim to be Authorize Determine which applications users gain access to Access Creates a secure encrypted network link between users’ devices and the desired application or information Audit Audits who accessed which application, when did they do it, and what did they download Abolish Removes all traces of access to the corporate network on completion of the session

Assessment
WatchGuard Administrator inspects, or assesses, client devices to ensure compliance with your corporate security policy. Requirements may include assessment of: Firewall and anti-virus software Operating systems and patches Spyware checking Device type Network configuration Non-compliant devices may be refused entry, or be referred to software update sites.

How Does It Work?
When activated, WatchGuard Administrator Assessment inspects the client computer and makes a security assessment before the user is granted access to a resource. This step complements the proceeding user authorization by verifying that the client computer is actually an authorized computer and has been properly protected. You create access rules on which the actual security assessment and policy verification is based. The security assessment can be configured and extended to support your security policy. The communication and data from the client computer is protected and an intruder cannot modify any evidence collected from the client computer. Please refer to the WatchGuard Administrator Online Help and the Manage Assessment section in the Manage System chapter, for detailed information on how to setup Assessment Client Scans.

User Guide

5

Get started

Authentication
Authentication in WatchGuard Administrator is a simple process for the user. All requests flow through a web of specialized servers: the Access Point, the Policy Service, the Authentication Service, and back again. But for the user, the single point of contact is a Web browser when accessing resources. To put it simply, the Access Point verifies the identity of the user by forwarding the user credentials via the Policy Service to the Authentication Service, which in turn compares the information with credentials stored in the user storage. When the control is completed, a Request Accept is sent to the Access Point which allows the user to enter. The Authentication Service supports five authentication methods relying on the RADIUS protocol: WatchGuard SSL Mobile Text WatchGuard SSL Web WatchGuard SSL Challenge WatchGuard SSL Password WatchGuard SSL Synchronized Also supported are other RADIUS authentication methods such as SafeWord and SecurID. One feature in WatchGuard Administrator is the management of Certificate Authorities. It provides, among other things, the opportunity to specify several parameters concerning certificate revocation: Certificate Authority Revocation List and Certificate Revocation List retrieval. Access control is specified by means of roles that link user groups with resources. A number of authentication methods can be set for each resource and it is also possible to specify multiple authentication methods for a specific resource. Examples of authentication methods are client certificates, business rules, and RADIUS compliant methods. All authentication methods can be used in combination.

Authorization
Access rules are defined to allow users access to resources. All resources are associated with at least one access rule, consisting of requirements such as authentication methods, date or time restrictions, or user-group memberships. WatchGuard Administrator also provides access control in conjunction with firewalls and access control in the internal systems. The firewall access control is performed when users interact with the system. The access control is performed on the same level of security as the firewall, which is on both IP and port level. Behind the scene, a complex chain of events verifies the identity of the user, secure the protection of the resource, and log all activities surrounding its access. Resources are typically applications, either Web-enabled applications or files accessible from the Web, or client-server applications accessed through tunnels.

6

WatchGuard SSL 500 & SSL 1000

Get started

Auditing
Auditing in WatchGuard Administrator provides: Central capture of all access to corporate applications Real-time and historical reports covering all of the six A’s, plus system and performance reports Permanent record of application access The advanced auditing features in WatchGuard Administrator provide organizations with the tools to meet strict industry, government, and corporate compliance regulations.

How Does It Work?
The WatchGuard Administrator Log Viewer is used to filter and display the logging messages. The Report Generator then stores these messages in the report database. You then use different filters to create reports using different presentation formats, which also are configurable. Please refer to the WatchGuard Administrator Online Help and the Manage Logging section in the Monitor System chapter, for detailed information on how to search logs using special characters and quoted searches. Also see the Manage Alerts and Manage Reports sections in the same chapter for information on how logs are used in these features.

Access
Any kind of resource, usually an application, can be accessed through the Application Portal and the Access Client. Resources include Web, Client Server, Terminal Server, and File Server applications. By using the Application Portal the complexity of how access is granted is hidden from the user. The Access Client creates a secure encrypted network tunnel between the user device and the application. You may define possible limitations for user access. WatchGuard Administrator is designed for 24/7 access.

How does it work?
We recommend that systems administrators use this work flow to ensure secure application access: 1. Add a user account When creating WatchGuard Administrator user accounts, you can define specific levels of security for a group of or individual users regarding password management or authentication methods, and so on. See the User Management Strategy section in the chapter Planning below for recommendations regarding user management. 2. Add access rules Access rules protect resources by allowing or denying access, and specify the requirements for a particular user, resource group, or communication channel. 3. Add a resource protected by the access rules With your user management strategy and access rules defined and in place, you simply add the applications your users will access. Resource hosts and specific paths are defined, and you choose how the application is presented in the Application Portal. Please refer to the WatchGuard Administrator Online Help and the Manage User Accounts section in the Manage Accounts and Storage chapter, for detailed information on how to add user accounts, and the Manage Access Rules and Manage Resources sections respectively in the Manage Resource Access chapter for information on access rules, and resources.

User Guide

7

Get started

Abolishment
WatchGuard Administrator can remove all traces of access to the corporate network on completion of the session. Browsers are renowned for creating a snail trail of information during an access session, including: Cookies URL history Cached Pages Registry Entries Downloadable Components All these objects can be eradicated. How Does It Work? When Abolishment is enabled, secure cleanup of a client computer removes all traces of the user session. For example: Cleaning of relevant Microsoft Internet Explorer cache entries All cache information is deleted after the session is ended. Cleaning of MS Internet Explorer History entries All contents in the History folder is deleted. Cleaning of downloaded files All files created and saved during the session are deleted. For more information about Abolishment, see the WatchGuard Administrator Online Help and Manage Abolishment.

8

WatchGuard SSL 500 & SSL 1000

Get started

Technical overview
This illustration outlines a complete installation of WatchGuard Administrator.

WatchGuard Architecture

For more information about the WatchGuard Administrator architecture, see the following topics: Administrative Service Access point Policy service Authentication Service

Administrative Service
From a systems administrator’s point of view, the WatchGuard Administrator Web user interface is WatchGuard Administrator, but as the illustration above clearly demonstrates, that is not the case. WatchGuard Administrator is a complete network of services, with the Administration Service as the natural connecting point, or hub, and the WatchGuard Administrator its interface. You publish all updates in the WatchGuard Administrator to the different services, and monitor and manage all user activity in real-time. Please refer to the WatchGuard Administrator Online Help for detailed information on how to configure and manage the different services, directory services, and resources.
You can only configure one Administration Service server per WatchGuard network. Regular backups of the configuration file are therefore strongly recommended.

User Guide

9

Get started

Access Point
As the gatekeeper for all resource and access requests, the Access Point is on constant alert, listening for incoming communication.

Default Listening Ports for the Access Point

All requests are logged, filtered, encrypted, and forwarded to the Policy Service or a resource host depending on the type of request.
It is recommended that you dimension the Access Point as it is subject to the heaviest load in the WatchGuard network.

Advanced Access Point Features
Load Balancing Load balancing is the distribution of client sessions between two or more Access Points to handle situations with large numbers of requests. WatchGuard Access Points can be load balanced with a third-party solution to gain redundancy and handle heavy activity. Load balancing enables Access Points to share sessions among each other, so that requests may be processed correctly no matter which server receives the request. Trusted Gateways A client connecting to the Access Point may not have a secure connection, but incoming traffic from the trusted gateway (a specified IP address and port) is assumed to have a specified level of security. Cipher Suites When an SSL connection is initialized, the client and server determine a common cipher value to be used for key exchange and encryption. Various cipher values offer different types of encryption algorithms and levels of security. Link Translation and DNS Mapping Link translation is used to ensure that all traffic to registered Web resource hosts are routed through the Access Point, which in turn enables the use of SSL and a secure connection. With link translation, Web resource hosts are as secure as a tunnel resource hosts. A link can sometimes be divided into subsets, for example by protocol, host, and path, and then dynamically put together to form a link by the browser. In that case, the Access Point cannot establish if it is a link and consequently cannot translate it. To solve this, DNS mapping is used. A DNS name or an IP address pointing to the Access Point is mapped to an internal host and protocol: a mapped DNS name. All mapped DNS names are added to a DNS name pool. From there, you map Web hosts to DNS names using one of two methods: Reserved DNS mapping The Web resource is mapped to a specific DNS name in the DNS name pool. Pooled DNS mapping The Web resource is assigned the first available DNS name from the DNS name pool.

10

WatchGuard SSL 500 & SSL 1000

Get started

Policy Service
An important part of WatchGuard Administrator is the authentication, authorization, and auditing server — the Policy Service. It provides for policy management, authentication, authorization, and log services regardless of service or communication channel.

Default Listening Ports for the Policy Service

All authentication methods are configured in the Policy Service, so when a request comes in, the Policy Service evaluates the appropriate access rules and forwards the request to its destination.

Resources
In WatchGuard Administrator, applications, folders and files, and URLs are registered as Web or tunnel resources. Web-enabled applications are registered as Web resources, and client-server applications that are not Web enabled are registered as tunnel resources. You then protect the resources with access rules, authorization settings, and encryption levels to create seamless, secure access control. Users access the resources through the Web-based WatchGuard Administrator Application Portal, the Access Client, or directly in a Web browser using shortcuts. In order for users to be able to access a resource, you need to configure a resource host and specify if it will be available in the Application Portal or not. A resource host can have one or several paths. There are three different types of resource hosts: Web Resources Tunnel Resources Tunnel Resources are collected into Tunnel Sets where each tunnel in the set points to a tunnel resource. Customized Resources

Standard Resources
We have collected several of the most frequently used resources as Standard Resources. The purpose of this is to minimize your configuration time. The standard resources are: Outlook Web Access 2003 Outlook Web Access 2000 Domino Web Access 6.5 Citrix MetaFrame Presentation Server Terminal Server 2003 Terminal Server 2000 MS Outlook Client 2000/2003 File Sharing Access to Home Directory

You can edit the standard resource settings just as easily as any other type of resource. Please refer to the WatchGuard Administrator Online Help and the Manage Standard Resources section in the Manage Resource Access chapter.

User Guide

11

Get started

Access Rules
WatchGuard Administrator authorization makes the access decisions using access rules. These rules rely on: who wants access what resource or service is requested what communication channel (or device) is used which authentication methods are most suitable Access rules protect resources by allowing or denying access, and specify the requirements for a particular user, resource group, or communication channel. Additionally, business related conditions can be customized for services. For example, only customers who are allowed credit are able to use the ordering function. Access Control Lists (ACLs) stored in existing systems such as mainframes and databases can be reused by WatchGuard Administrator. ACL is a list of security protections that apply to an entire object, a set of the object’s properties, or an individual property of an object. In Microsoft Active Directory for example, there are two types of ACLs: discretionary and system. Please refer to the WatchGuard Administrator Online Help and the Manage Access Rules section in the Manage Resource Access chapter, for detailed information on how to add and use Access Rules.

Single Sign On
Single Sign-On (SSO) permits users to enter their credentials once, which then gives them access to several resources without the need to re-authenticate when accessing each resource. All resources using the same user credentials can be defined in a SSO domain. When user credentials are modified, the changes apply to all resources in the SSO domain. When using the system for the first time, users are prompted for SSO credentials (user ID and password). The SSO credentials are stored per user account and retrieved whenever the user accesses resources registered in a SSO domain. If credentials are changed, the user will be prompted for authentication. SSO domains are divided into two domain types: Cookie Text Depending on which type you choose, different domain attributes can be associated with the SSO domain. Both types can be protected by access rules. To use form based logon for an SSO domain, you need to design a Web form for access to each resource in the SSO domain.

Cookie-based Authentication
Cookie-based authentication is used to send authentication information in HTTP headers. A common use of cookie SSO is when back-end applications only want to read the authentication information at the very first request.

Text-based Authentication
Text-based authentication is used to send authentication information as text, with different attributes defining the information needed. When adding all domain attributes for the domain type text (user name, password, and domain), the Microsoft authentication method NTLM is used. When the attributes user name and password are added, the Basic authentication method is used. It is the most commonly used authentication method for Web environments.

12

WatchGuard SSL 500 & SSL 1000

Get started

Authentication Service
The Authentication Service provides mobile users with strong authentication methods that can be used regardless of device and location. The Authentication Service can act as a RADIUS proxy, that is, proxy the authentication request to another RADIUS server.

Default Listening Ports for the Authentication Service

WatchGuard Authentication
WatchGuard authentication refers to the Authentication Service using the WatchGuard authentication methods Mobile Text, Web, Challenge, Password, and Synchronized. All methods can be used on your laptop or desktop computer. When using the Synchronized or Challenge methods, users install Mobile ID client applications on the device being used. When using the Web authentication method, the client is either an ActiveX component or a Java applet. All supported authentication methods are described in the chapter Manage System, in the Manage Authentication Methods section. To choose the authentication method, you need to consider your users’ needs: mobility, device flexibility, and level of security. Refer to each authentication method for more detailed information. All WatchGuard authentication methods can be used in combination or singularly to access any type of resource. Please refer to the WatchGuard Administrator Online Help and the Manage Authentication Methods section in the Manage System chapter for detailed information on how to configure and use the different authentication methods.

User Guide

13

Get started

WatchGuard Administrator Distribution Service
The Distribution Service is responsible for the distribution of Mobile ID clients to end-users, and for the injection of seed and mode into cell phone clients. The WatchGuard Administrator Distribution Service has no physical connection to the WatchGuard network, but it is recommended that it is placed on the DMZ behind the Access Point, or with an existing download server. The Distribution Service configuration settings include: Notification messages to simplify download of Mobile ID clients Seed injection with URL argument seed Mode injection with URL argument mode o Synchronized (s) o Challenge (c) Please refer to the WatchGuard Administrator Distribution Service Online Help for detailed information on how to setup the Distribution Service and for end-user assistance.

Planning
In this section, a few general security recommendations that should be considered are presented. The sections covered include: Define deployment goals Security planning Securing your operating system This section contains specific recommendations for environments using Windows 2000. User management strategy Resource access

Define the Deployment Goals
The major goals of the planning phase are to make sure that: User and administrator needs are addressed by the services you deploy Service prerequisites that affect installation and initial setup are identified Installation planning is especially important when you are preparing to set up multiple servers. Initial Questions What are the day-to-day requirements WatchGuard Administrator needs to address? What are the user management requirements WatchGuard Administrator needs to meet? What shape is your existing network in? Do you need to upgrade power supplies, switches, and other network components? Make sure the required hardware is available in time for the deployment.

14

WatchGuard SSL 500 & SSL 1000

Get started

Security Audit/Planning
You need to make decisions about your security architecture. This involves creating accounts in the operating system (or with other authentication providers), organizing your users into groups, and planning for access control. These are the phases in the security planning process: Define your security goals Make some preliminary decisions about your security architecture Determine which users need which permissions to which resources, and develop a strategy for creating access rules

System Architecture Review
Find potential security problems related to the system architecture. This includes going through existing design documentation and high-level descriptions of the system. Typical areas of investigation are: Where and how sensitive information is store Identify trusted components Communication paths and their protection Identify single-points of failure and components likely to hit Denial Of Service (DOS) attacks

Public Key Infrastructure
A well-defined public key infrastructure (PKI) enables your organization to secure critical internal and external processes. Deploying a PKI allows you to perform tasks such as: Digitally signing files such as documents and applications Securing email from unintended viewers Enabling secure connections between computers, even if they are connected over the public Internet or through a wireless network Enhancing user authentication through the use of smart cards If your organization does not currently have a public key infrastructure, begin the process of designing a new PKI by identifying the certificate requirements for your organization. If your organization already uses a PKI, you can manage all of your internal security requirements, as well as security requirements for business exchanges with external customers or business partners. Designing a PKI for your organization involves defining your certificate requirements, creating a design for your infrastructure, creating a certificate management plan, and deploying your PKI solution.

User Guide

15

Get started

A PKI consists of the following basic components: Digital certificates Electronic credentials, consisting of public keys, which are used to sign and encrypt data. Digital certificates provide the foundation of a PKI. One or more certification authorities (CAs) Trusted entities or services that issue digital certificates. When multiple CAs are used, they are typically arranged in a carefully prescribed order and perform specialized tasks, such as issuing certificates to subordinate CAs or issuing certificates to users. Certificate policy and practice statements Two documents that outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on. Certificate repositories A directory service or other location where certificates are stored and published. In a Windows Server 2003 domain environment, the Active Directory® service is the most likely publication point for certificates issued by Windows Server 2003–based CAs. Certificate Revocation Lists (CRL) Lists of certificates that have been revoked before reaching the scheduled expiration date.

Securing your operating system
The following section outlines the steps necessary for securing your Windows 2000 operating system. It contains summaries from the NSA Central Security Service’s Security Configuration Guide, Guide to Securing Microsoft Windows 2000 File and Disk Resources, http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/ os/win2k/w2k_active_dir.pdf. NSA has developed and distributed configuration guidance for operating systems including Apple Mac OS X, Microsoft Windows XP, Microsoft Windows 2000, and Sun Solaris 8. Please refer to this page for configuration guides on how to secure different operating systems: http://www.nsa.gov/snac/ downloads_os.cfm?MenuID=scg10.3.1.1.

Securing the file system
It is strongly recommended that all volumes use NTFS (Windows 2000 New Technology File System) to achieve the highest level of security. When using Windows 2000, only NTFS supports Discretionary Access Control to directories and files. Non-NTFS volumes can be converted to NTFS by using the Convert.exe program. File and Folder Permissions: NTFS allows varying levels of file access permissions to users and user groups All new files and folders inherit the parent’s file access permissions by default File permissions can be set with high granularity To secure Access Control Lists (ACL), use the least privilege principle when deciding how to implement ACLs. That is, only allow access to users that absolutely require permission for certain levels. Data Remanence relates to images of data remaining on the platform after it should no longer be available. This includes data left in the system page file and the recycle bin.

16

WatchGuard SSL 500 & SSL 1000

Get started

Securing shared resources
Share permissions are granted independent of NTSF permissions but can be used in close cooperation. When accessing a remote share, the more restrictive of the two apply. Default share permission is set to Full Control for Everyone. You must explicitly set security permissions for all shares. Share Security Recommendations: Ensure that the Everyone group is not given permissions on any shares Use the Authenticated Users or Users group in place of the Everyone group Give users and/or groups the minimum amount of permissions needed on a share Use hidden shares by adding a $ after the share name. The full path including the $ must be entered to access the share

File auditing
Auditing is not enabled by default, but set on a per-system basis. Each Windows 2000 system includes auditing with logs collecting information on applications, system, and security events. User Account auditing File System auditing System Registry auditing Auditing can consume large amounts of processor time and disk space. It is highly recommended to check, save, and clear audit logs daily/weekly to reduce the chances of system degradation or save audit logs to a separate machine. File Auditing Auditing specific directories or files can prove useful in identifying a system compromise or unauthorized use of resources.

Securing disk resources
Recommended physical security management: Keep servers in a locked room Disable the removable media based boot option if available Remove removable media drives if not required or install a locking device The CPU case should be secured by a key stored safely away from the computer Secured Disk resources at System Boot Set boot options to prevent booting from removable media Prevent booting into other operating systems

User Guide

17

Get started

User management strategy
The best security plans and designs cannot protect an organization if security is not an essential part of their operating procedures. In this section, a few general security recommendations regarding user management that should be considered are presented. The Securing Microsoft Active Directory section contains specific recommendations for environments using Microsoft Active Directory.

Analyze your environment
Your user management settings need to complement your particular environment, including: The size and distribution of your network The number of users who will access your network The kind of clients users will employ Which clients are mobile Which users should have administrator privileges Which users should have access to particular computers What services and resources users need How you might divide users into groups Define a password strategy

Directory service requirements
Identify the directories that will be used for user storage: user and group information used for authorization. If you have an Active Directory or LDAP server already set up, you might be able to take advantage of existing records. Use the following guidelines: If you are using Microsoft Active Directory, manage users and computers across domains and forests. Active Directory uses the Kerberos version 5 protocol for authentication. This provides a high level of security. If you are using UNIX, you can use a UNIX Kerberos Key Distribution Centre (KDC) to provide authentication services for a realm. It is as secure as an Active Directory environment. You can also use the Security Accounts Manager (SAM) and NTLM to authenticate local users. This option is not as secure as the first two.

18

WatchGuard SSL 500 & SSL 1000

Get started

Password management
There are no default passwords or pre-configured encryption keys in WatchGuard Administrator. All encryption keys and passwords are set or generated by the systems administrator at installation. WatchGuard Administrator does not store passwords or encryption keys in unprotected configuration files, LDAP directories, or other system storages. It is not recommended that encryption keys be set by manual configuration. Encryption keys not derived from a password are automatically generated by the system. A minimum key length of 128 random bits is used for stream and block ciphers. For RSA, a minimum of 1024 bits is used. Block ciphers use cipher-block-chaining to avoid cut-and-paste attacks. Encryption keys that are not automatically generated use a secure encryption key generation function to derive the key from a password. Systems administrators are advised to implement a password policy: Password dictionary with banned passwords Password history saving already used passwords Password validity time (not before, not after) Password minimum length Constraints on characters, must contain a capital letter and a number for example

Use of Foreign Characters
Avoid foreign characters (å, ä, ö, ^, ¨, ~, and so on) in user names and/or passwords. Since Active Directory equals å, ä, and ö to a and o, we recommend that these characters are not used for samaccountname. The user Åke for example may otherwise be able to log on using Ake, Äke, or Åke. WatchGuard Administrator creates separate WatchGuard Administrator user accounts for all three examples, and subsequently no common SSO data. As to other directory services, you need to investigate how foreign characters, and lower and upper case is handled. The WatchGuard Administrator log on page uses UTF-8 by default, to use special characters the templates need to be edited to use UTF-8.

Securing Microsoft Active Directory
The following section contains summaries from the NSA Central Security Service’s Security Configuration Guide, Guide to Securing Microsoft Windows 2000® Active Directory, http://www.nsa.gov/notices/ notic00004.cfm?Address=/snac/os/win2k/w2k_active_dir.pdf. Please note that these guidelines do not include hands-on instructions for securing your Active Directory. You are advised to use the Microsoft help documentation for detailed information.

User Guide

19

Get started

User management recommendations
Recommendations for DNS Management
Active Directory uses the Domain Name System (DNS) for name resolution, to locate services, and to establish the domain namespace for the Active Directory hierarchy. Implement Active Directory integrated zones Use or create Active Directory DNS administrator groups and users to manage DNS Link only the designated DNS administrator groups and users, and configure permissions through the DNS server properties security tab Place the DNS administrators and users into a designated OU and apply the appropriate Group Policy.

Recommendations for the Active Directory installation
Set permissions compatible only with Windows 2000 servers, if possible. Use robust password guidelines when setting the Directory Service Restore Mode Administrator’s password. Consider using SYSKEY for additional security.

Recommendations for Domain and OU management
Active Directory domains represent a security boundary or partition because permissions and authority do not flow in or out of a domain. Permissions can, however, flow in and out of sites and Organizational Units. Create separate domains as needed to partition or compartment portions of Active Directory requiring different security or administrative policies. Physically secure domain controllers. As soon as possible, move default user and computer objects into OUs within the target OU structure. Members of the domain administrators group should generally not be placed in OUs to manage subdomain elements of the directory tree. Take steps to ensure that unauthorized hidden OU objects do not exist within the directory structure. Use SYSKEY to augment the physical protection of domain controllers. At least one sub-domain or replica domain controller should be installed shortly after the first domain

Recommendations for Tree and Forest management
Significant planning must be done before creating the DNS namespace, trees, and forests because many aspects of these structures cannot be later modified. Maintain separate domains as needed to block administrative authority from one part of a system to another. Bulk imported accounts should be inactive; a secure method to create or change the account password as each account is activated should be locally devised.

Recommendations for Object Access Control Management
Use groups and group nesting to manage user permissions and to manage and audit access to Active Directory objects. Do not grant Modify Permissions or Modify Ownership permissions. Apply templates from the Security Configuration Toolset. Establish a policy to use system security tools to monitor and manage access control and security settings. Move printers into a single OU (or central OUs) to simplify security management and to apply a GPO. Use DACLs on published resources to manage access. Do not assign NTFS Write permission to a custom MMC console .msc file if it is to remain unchanged. Distribute custom MMC consoles via a shared folder with only Read & Execute NTFS permissions for users.

20

WatchGuard SSL 500 & SSL 1000

Get started

Recommendations for Replication Management
Manually initiate NTDS replication to increase the certainty that security settings begin replication in a timely manner. If lack of network bandwidth is a security concern, minimize membership in and use of Universal Groups to reduce replication overhead. Use SMTP for replication between sites where replication crosses a firewall boundary.

Recommendations for Operation Masters
Permanently remove from the network a disabled domain controller that held a schema master, domain-naming master, or RID master whose role has been seized. Take measures to hide the identity of domain controllers from external networks.

Recommendations for auditing
Identify and audit specific user, computer, group and other objects that have security significance. Formulate a plan to test major changes to audit settings.

Resource access
An authorization strategy enables you to effectively manage users’ access to different resources.

Access strategies
The first part of this process is identifying your users by workgroup, job function, or a combination of workgroup and job function. You can then identify the different types of resources that users access, such as departmental or job-specific data. You should consider policies that determine who is allowed to create user groups, how they are named, and how they are administered. In WatchGuard Administrator, the basic strategy for controlling access to resources is to create access rules. Based on the decisions you make regarding how to identify different users and resources, access rules are created to support these decisions.
Access Rules protect resources by combining requirements such as user group memberships or date and time ranges, and authentication methods such as WatchGuard SSL Web or Challenge.

Using Groups
Example: All users in the HR department might need access to privileged personnel records. To protect these, group every member of the HR department into a user group that is authorized to access those files and create access rules of the type User Group. The rule of thumb is to assign permissions to groups, rather than to individual accounts.

Naming Conventions
Without a naming convention, the potential for simple mistakes when adding or removing user accounts and selecting the correct group increases. The consequences of granting access to the wrong group can be serious, causing members to have access to restricted resources or to be denied access to resources that are necessary for job tasks. When establishing a security group naming convention for your organization, ensure that names: Differentiate each group from similar groups Allow group names to be sorted alphabetically into organized lists

User Guide

21

Get started

Select Authorization methods
Some resources require a stable set of common permissions, for example a file share, which typically requires full permissions for very few people, read-write permission for more people, and read-only permission for most people. In this situation, you might create three user groups, one for each of the three common access levels. The different user groups may also have different requirements on mobility, which demands different authentication methods. A user belonging to a group with full permission for file share, may also need a strong authentication method enabling mobile access from different clients. The combinations are more or less infinite, which further emphasizes the need for thorough planning.

Pre-installation check list
The following list is by no means exhaustive, meaning that every organization must establish their own check list for necessary steps for their deployment. As always, use this list as inspiration and a starting point, not as something absolute.

Pre-Installation Check List
Check x Activity Identify and resolve user management issues Comment Environment analyzed Directory service secured Password strategy in place Public Key Infrastructure Operating system secured File system secured Shared resources secured Physical environment secured Auditing strategy in place Backups and recovery strategies in place

x

Identify and resolve security issues

x

Ensure that existing network has necessary power supplies, switches, and other network components Perform time synchronization

x

22

WatchGuard SSL 500 & SSL 1000

Get started

WatchGuard Network
This section describes the recommended WatchGuard network layout and provides a summary of default ports used in the network.

Network Layout
An example of a WatchGuard network layout is illustrated below.

It is recommended that the WatchGuard Access Point device connect to the DMZ. It interacts with the Policy Service to validate queries and authorize access. The Access Point does not communicate directly with the Authentication Service. The Policy Service and the Authentication Service are placed on the internal LAN. A directory service (the user storage) is used for authorization and authentication purposes. For more information about network configuration, see Configure your WatchGuard SSL device.

User Guide

23

Get started

Default listening ports
Before installing WatchGuard Administrator, it is necessary to ensure that communication between the Access Point and the Policy Service is allowed. In addition, the Access Point must be able to access internal applications, as well as be made accessible to external traffic. Communication between the Authentication Service and the Policy Service also has to be enabled.

WatchGuard Network with Default Ports

The table below describes default listening ports used for traffic to and from the services in the WatchGuard network.
All registered services must be able to communicate with the Administration Service.

24

WatchGuard SSL 500 & SSL 1000

Get started

Default Listening Ports
Firewall Interface External Interface External Interface N/A Internal Interface Internal Interface Internal Interface N/A N/A N/A From All All Access Point Access Point To Access Point Access Point Access Point Policy Service Listening Port TCP 80 TCP 443 TCP 16972 TCP 8301 Protocol and Comment HTTP (for redirection to HTTPS) HTTPS (SSL) Internal communication for load balancing between Access Points Internal communication between the Access Point and the Policy Service Communication between Access Point and internal applications Internal communication between the Access Point and the Administration Service LDAP communication LDAPS communication (optional) Internal communication for load balancing between Policy Services RADIUS communication for WatchGuard SSL Mobile Text RADIUS communication for WatchGuard SSL Web RADIUS communication for WatchGuard SSL Challenge RADIUS communication for WatchGuard SSL Password RADIUS communication for WatchGuard SSL Synchronized Internal communication between the Policy Service and the Administration Service LDAP communication LDAPS communication (optional)

Access Point

Any internal application Administration Service LDAP Server LDAP Server Policy Service

Port used by internal application TCP 8300

Access Point

Policy Service Policy Service Policy Service

TCP 389 TCP 636 TCP 8301

N/A

Policy Service/ External RADIUS client Policy Service / External RADIUS client Policy Service / External RADIUS client Policy Service / External RADIUS client Policy Service / External RADIUS client Policy Service

Authentication Service Authentication Service Authentication Service Authentication Service Authentication Service Administration Service LDAP Server LDAP Server

UDP 18120

N/A

UDP 18121

N/A

UDP 18122

N/A

UDP 18123

N/A

UDP 18124

N/A

TCP 8300

N/A N/A

Authentication Service Authentication Service

TCP 389 TCP 636

User Guide

25

Get started

Firewall Interface N/A

From Authentication Service Authentication Service

To Authentication Service Administration Service

Listening Port TCP 8302

Protocol and Comment Internal communication for load balancing between Authentication Services Internal communication between the Authentication Service and the Administration Service LDAP communication LDAPS communication (optional) HTTPS for administration RADIUS communication for accounting

N/A

TCP 8300

N/A N/A N/A Internal, external or none

Administration Service Administration Service Administrator client External RADIUS client

LDAP Server LDAP Server Administration Service Authentication Service

TCP 389 TCP 636 TCP 8443 UDP 18119

Register your WatchGuard SSL User Pack with LiveSecurity Service
Before you can install WatchGuard Administrator and your WatchGuard SSL device, you must register your user pack with LiveSecurity. 1. 2. 3. 4. 5. 6. 7. Find the license that came with your WatchGuard SSL User Pack. Go to http://www.watchguard.com/activate. Log in. If you are new to WatchGuard, follow the instructions to create a profile. Follow the instructions on the screen. Record your selected domain name for later use. Download the compressed file License.zip and extract the license. You will need the license when you set up WatchGuard Administrator.

After you have registered your User Pack, you can use the same license file for all of your WatchGuard SSL devices.

26

WatchGuard SSL 500 & SSL 1000

3

Installation

This chapter provides detailed information regarding the installation of WatchGuard Administrator. It covers the entire installation process, from preparation to installation on a Windows platform. Before you install and use WatchGuard Administrator, be sure to set up your directory service and network security, and complete any other technical preparations. The following areas are described in detail below: Overview Preparation Install on Windows Upgrade WatchGuard Administrator Services and Clients Revert an Upgrade Start and Stop WatchGuard Administrator Services Uninstall WatchGuard Administrator A default installation of WatchGuard Administrator includes the following services: Administration Service Access Point Policy Service Authentication Service

User Guide

27

Installation

Primary WatchGuard user
In WatchGuard Administrator, services are executed as the primary WatchGuard user (pwuser), who has limited privileges. When installing/upgrading one of the following services: Access Point, Administration Service, Authentication Service, Policy Service, or Distribution Service, the pwuser is created automatically (if it does not already exist). All these services, except for the Access Point, are executed as pwuser. The Access Point is executed as Local System by default, to make Full Network Access available out of the box. The primary WatchGuard user (pwuser) is part of the Users group on Windows, which has limited rights. To view executing users, open the Services window or the Processes tab in the Windows Task Manager.
The pwuser is created according to the server’s user account policy. One possible side effect of this is, for example, if the Maximum password age option is set to a limited value, that the pwuser password will expire. For more information search for net accounts at http://microsoft.com.

Change the primary WatchGuard User password
It is not possible to logon as pwuser, but it is recommended to change the default password for pwuser which is set at installation. When changing the pwuser password, do not forget to enter the new password in the Log On tab of each service running as pwuser on Windows.

28

WatchGuard SSL 500 & SSL 1000

Installation

Preparation
The preparations we recommend that you make before installing WatchGuard Administrator are described below. Follow these recommendations to avoid installation problems. License Ensure that you have a valid WatchGuard Administrator license at hand. The license is uploaded in the WatchGuard Administrator in the first step of the Setup System wizard. IP Addresses Ensure that you have the IP addresses of the machines on which you install the different services at hand. Ports Ensure that ports used in the WatchGuard Network are available (refer to the Default Ports section for details). Time Synchronization It is recommended that you perform time synchronization between the different services, to avoid any future problems in WatchGuard Administrator caused by differing time stamps. Antivirus Programs Some antivirus programs may display warnings during installation of the WatchGuard Administrator services. For example, this can occur due to parameters being replaced in a file installed by the installation program. The antivirus program may interpret this activity as usage of a malicious script. If this occurs, allow the script or temporarily disable the antivirus program. Software Installers Make sure you have the most recent versions of all the necessary installers. Go to https:// www.watchguard.com/archive/softwarecenter.asp to download the most current versions of the WatchGuard software installers. Register with LiveSecurity Register your user pack with LiveSecurity® before you begin installation.

User Guide

29

Installation

Install on Windows
If you are installing on Windows 2000, it is recommended that the Services window (Control Panel > Administrative Tools > Services) is closed during installation to avoid possible disruption.

WatchGuard Administrator installation on Microsoft Windows 2000/2003 Server includes the following procedures: Install Administration Service Run Setup System wizard Install Access Point Install Policy Service Install Authentication Service Install Distribution Service Start the services WatchGuard Administrator client installation includes the following procedures: Install WatchGuard Mobile ID Install Access Client All installation log files are placed in the %APPDATA% folder. %APPDATA% is usually located in the Application Data folder in your home directory.

Install administration service
Double-click the file AdministrationService.exe and follow the instructions in the installation wizard. By default, the WatchGuard Administrator will listen to port 8443 (HTTPS). It will also redirect from port 8080 (HTTP). For communication within the network, it will listen to port 8300. In the Setup System wizard, described below, you can change the host and port the WatchGuard Administrator listens to.
Setup System

A wizard in the Web based administration interface allows you to perform a basic configuration of the system. The Setup System wizard must be completed before remaining WatchGuard Administrator services can be used.
The WatchGuard Administration Service must be started to run the Setup System wizard.

If you install all services on a single machine, you must not use port 8080 or 8443 for the Access Point since they are used by default for the WatchGuard Administrator. The host to be used for the external traffic to the Access Point must be specified as a DNS name in the license. The DNS included in the license is set when you register with LiveSecurity®. When defining the directory service, select a clean location (a location without LDAP objects) in the directory service to store user accounts.

30

WatchGuard SSL 500 & SSL 1000

Installation

Install Authentication Service
Double-click the file Authentication Service.exe and follow the instructions in the installation wizard. When prompted to enter the host and port for the WatchGuard Administration Service, use host 127.0.0.1 and port 8300 (if you have not changed the settings for the Administration Service).
You need to enter the server ID (default for the Authentication Service is 4) during the installation process.

Install Policy Service
Double-click the file Policy Service.exe and follow the instructions. When prompted to enter the host and port for the Administration Service, use host 127.0.0.1 and port 8300 if you have not changed the settings for the Administration Service.
You need to enter the server ID (default for the Policy Service is 3) during the installation process.

Install Distribution Service
Install Distribution Service if you need to distribute Mobile ID to your end users, for use with authentication methods WatchGuard SSL Synchronized and/or WatchGuard SSL Challenge. Double-click the file Distribution Service.exe and follow the instructions in the installation wizard. During the installation, you will be prompted for the HTTP and HTTPS port numbers that the Distribution Service will use. When installation is completed, you can connect to the Distribution Service at:
http://<your host>:<HTTP port>/. A self-signed test certificate used for HTTPS is supplied with the Distribution Service. The certificate is located at conf/servercert.p12. For instructions regarding replacing the test certificate, please refer to Technical Note Replacing Distribution Service Test Certificate.

Install WatchGuard Mobile ID
Install Mobile ID on the client computer if you will use authentication methods WatchGuard SSL Synchronized and/or WatchGuard SSL Challenge. If you have installed the Distribution Service, download Mobile ID from the Distribution Service. Double-click the file Install WatchGuardMobileID.exe and follow the instructions in the installation wizard. When installation is completed, you can start Mobile ID from Start > All Programs > WatchGuard >SSL > Mobile ID > WatchGuard Mobile ID.

Install Access Client
Install the Access Client on the client computer if your users do not have administrator privileges. You need administrator privileges to install the Access Client, but not to run it. Please refer to the WatchGuard Administrator Online Help FAQ for further information on the Access Client and required privileges. Double-click the file Access Client.exe and follow the instructions in the installation wizard. When installation is completed, you can start the Access Client from Start > All Programs > WatchGuard > SSL > Access Client > WatchGuard Access Client.

User Guide

31

Installation

Upgrade overview
When you upgrade from a previous release, the installers automatically detect that an upgrade rather than installation is required and subsequently performed. These are the steps performed by the installers during upgrade: Backup of configuration files Previous version is uninstalled New version is installed Restore of configuration files Upgrade script is run (Administration Service only) To upgrade your WatchGuard Administrator installation, see the Release Notes available with your software download.

Start and Stop WatchGuard Administrator Services
You can use the Services window (Control Panel > Administrative Tools > Services) to start and stop the WatchGuard Administrator services. Select the applicable service in the list and click the Start or Stop link respectively to start and stop the services. To start the WatchGuard Administrator services, enter the following:

/etc/init.d/admin service start /etc/init.d/policy-service start /etc/init.d/authentication-service start /etc/init.d/distribution-service start
To stop the WatchGuard Administrator services, enter the following:

/etc/init.d/admin service stop /etc/init.d/policy-service stop /etc/init.d/authentication-service stop /etc/init.d/distribution-service stop

Uninstall WatchGuard Administrator
To uninstall WatchGuard Administrator: 1. Stop the WatchGuard Administrator services in the Services window (Control Panel > Administrative Tools > Services). 2. Use Add or Remove Programs in the Control Panel to remove the services from Windows Services as well as to remove installed files
Some files, including log files, will remain after uninstalling WatchGuard Administrator.

32

WatchGuard SSL 500 & SSL 1000

4

Setup System Wizard

About the Setup System Wizard
Setup System is a Web-based wizard providing step-by-step configuration of a basic WatchGuard Administrator installation. Setup System constitutes the second step of installing WatchGuard Administrator, following the installation of the Administration Service. It results in a basic system configuration, including a connection to the directory service where WatchGuard Administrator user accounts will be stored as well, as search rules for locating existing users and user groups in the directory service. Setup System is performed in the Web-based WatchGuard Administrator administration interface, the WatchGuard Administrator. After having installed Administration Service, you can access the Setup System wizard from any type of Web browser. The first step of the Setup System wizard is to upload your WatchGuard Administrator license.
This topic describes all available steps in the Setup System wizard. Please refer to the Getting Started with Setup System in the WatchGuard Administrator Online Help for detailed information including examples on how to run the Setup System wizard.

If you leave the Setup System wizard before finishing it, the information you have entered is saved in the system. This enables you to quit Setup System and resume setup at a later stage, if necessary, without the need to re-enter information.

User Guide

33

Setup System Wizard

Requirements and preparation
The following is required for Setup System: Administration Service In order to run Setup System, you must have successfully installed the Administration Service. Valid license for WatchGuard Administrator Your WatchGuard Administrator license is received from WatchGuard or a WatchGuard partner. You need to know the location of your license to be able to upload it. Directory service location for storing WatchGuard Administrator user accounts It is possible to create a new organizational unit (OU) in your directory service for this purpose via the wizard. You can also create the OU in your directory service in advance. We recommend that the location does not contain existing users or user groups. WatchGuard Administrator requires read and write permissions to this location. See Directory service account below. Directory service account or accounts for WatchGuard Administrator access During Setup System you specify an account for WatchGuard Administrator to use for accessing the directory service. WatchGuard Administrator will store user accounts as well as read information about existing users and user groups. For that reason, the account must have read and write permission in the directory service location where WatchGuard Administrator user accounts will be stored, as well as read permissions in directory service locations where existing users and user groups are stored. If you use different directory services for these purposes, you need to specify accounts for each directory service used.

What Setup System includes
These are the steps included in the Setup System wizard: Upload license file Configure directory service (for the purpose of storing WatchGuard Administrator user accounts) Set up Administration Service Set up Access Point Set up Policy Service Set up Authentication Service Select and configure WatchGuard authentication methods Select and configure other authentication methods Configure user storage (for the purpose of locating existing users) See Start the Setup System Wizard for more information on the configuration options set during the Setup System wizard.

34

WatchGuard SSL 500 & SSL 1000

Setup System Wizard

Start the Setup System Wizard
You access the WatchGuard Administrator and the Setup System wizard from the Administration Service dashboard.
The WatchGuard Administration Service must be running to access the WatchGuard Administration Service dashboard. If you did not select to start the WatchGuard Administration Service during installation, start it from the Windows Services window (Control Panel > Administrative Tools > Services).

WatchGuard Administration Service Dashboard
To access the Administration Service dashboard after installing the Administration Service, go to https://127.0.0.1:8443. When accessing the Administration Service dashboard, a security alert dialog is displayed. This dialog enables you to view the server certificate associated with the WatchGuard Administrator. The information listed includes Certificate Authority (CA), the issuer of the certificate, validity, and associated DNS name. The Administration Service dashboard contains the following sections: WatchGuard Administrator This section contains a link for logon to the Web based administration system. WatchGuard Administrator Documentation This section contains links to available documentation for this release of WatchGuard Administrator. WatchGuard Administrator Online This section contains links to corporate Web sites.

WatchGuard Administrator
At this point, the WatchGuard Administrator only consists of the Setup System wizard. When you access it from the Administration Service dashboard, the start page of the Setup System wizard is displayed. There you upload your license file to start the wizard.

User Guide

35

Setup System Wizard

Upload license file
The first step of the Setup System wizard is to upload the WatchGuard Administrator license file to adapt the WatchGuard Administrator to the contents of your license. Once uploaded you can return to this page at a later stage. For example, if you have quit the wizard before finishing it and log back on.

License File
Label Upload License File Uploaded Mandatory No No Description Name of your license file for upload Name of previously uploaded license file

Select directory service
The next step in the Setup System wizard is to select your directory service. It is possible to choose not to use a directory service with WatchGuard Administrator, but this results in great limitations to WatchGuard Administrator functionality since it eliminates features associated with the use of user storage and user accounts. Available options are: Microsoft Active Directory OpenLDAP Sun Java System Directory Server Novell eDirectory Other or customized directory service No directory service The directory service is configured in the following step in the Setup System wizard. If you select not to use a directory service, super administrator credentials are configured in the following step.

36

WatchGuard SSL 500 & SSL 1000

Setup System Wizard

Configure directory service
This step of the Setup System wizard is displayed when you have selected a type of directory service. During this step you specify which directory service to store WatchGuard Administrator user accounts. You also specify where in the directory service the WatchGuard Administrator user accounts will be stored, which account WatchGuard Administrator will use to access the directory service, and whether SSL is to be used in the communication with the directory service. In addition, you create a super administrator account for the WatchGuard Administrator. During Setup System you perform a basic configuration of the directory service. You can configure the directory service in detail when the Setup System wizard is completed. The settings for the directory service include: Directory Service Host (IP address or DNS name) for the directory service and port for the directory service. This is set to port 389 by default. When SSL is selected it is recommended to use port 639, which is the default port for LDAP/S. Distinguished name (DN) of the location in the directory service where WatchGuard Administrator user accounts will be stored (see Browsing for Location DN below). Account, DN, ID or similar depending on type of directory service (user name and password) with read and write permissions in the OU where WatchGuard Administrator user accounts will be stored. A DN is a string of entries, or collected attribute types with values. Such as ou for organizational unit or dc for domain control. Example: ou=nnw,dc=thesecurecompany,dc=com An ID can be an account name, for example admin. Location DN The full DN of the location in the Directory Service where WatchGuard Administrator user accounts will be stored. This does not have to be an existing OU. When a new OU is entered in the Location DN this is automatically created. An example of this could be ou=test,ou=watchguard,dc=thecurecompany,dc=com. SSL Option to use SSL in communication with the directory service. This can be used to support the user change of an Active Directory password when logging on to the Application Portal using the Active Directory authentication method. Option to upload CA certificate to validate the server certificate presented by the directory service. Super Administrator User name and password (see Super Administrator Password Policy below) to create a super administrator account. The super administrator has full privileges in the WatchGuard Administrator. Super administrator credentials do not need to correspond to existing user credentials in your directory service. It is possible to change the password of the super administrator in WatchGuard Administrator (in the Monitor System section using the Settings link at the bottom of the Monitor System page) after completing the Setup System wizard. Test Connection Link to check whether a connection to the specified directory service can be established. Host, port, and credentials for the account are checked.

User Guide

37

Setup System Wizard

Other or Customized Directory Service If selected directory service type is Other or Customized, additional settings to those listed above are available. These settings are pre-configured for the individual directory services, but need to be specified when the system is unaware of which directory service you use. The additional advanced settings are: Name of the object class used to store objects in storage, for example: organizationUnit. Naming attribute is the relative name of the common object class. Holds the object ID that is automatically generated by the system. Storing attributes are specified used to store storage object attributes, property data of size less than 1024 bytes, for example: searchGuide for Active Directory. Unique naming attributes are used to store the unique storage object name (or unique ID), for example: l (for location). Super Administrator Password Policy When specifying the super administrator password in the Setup System wizard, you need to comply with a password policy that is enabled in the system by default. You can disable the policy or change the password in the WatchGuard Administrator after the Setup System wizard is completed. This is done in the Monitor System section using the Settings link at the bottom of the Monitor System page. The super administrator policy dictates that passwords must meet certain requirements. When enabled the policy requires passwords to meet the following characteristics: The password consists of at least six characters The password contains characters from at least three of the four following categories: o English uppercase characters (from A through Z) o English lowercase characters (from a through z) o Base 10 digits (from 0 through 9) o Non-alphanumeric characters (for example: !, $, #, or %) Browsing for Location DN When specifying a location in the directory service to store WatchGuard Administrator user account data, you can enter the full DN directly. You may also browse to select an existing (previously created) location or parent location in your directory service structure to retrieve a full or partial DN. If you choose to browse for the location DN, you first need to enter an account and password to access the directory service. You can enter part of the distinguished name before you browse or leave the field empty. If you have entered part of the DN, it is displayed in the browse window. If you have not entered a DN, the browse window displays the root DN of the directory service. You can also select root DN in a drop-down list. The DN is displayed with a + sign. If you click the + sign, you can navigate to the appropriate location in the directory service. When a location DN is selected the DN is automatically retrieved to the Configure Directory Service page.
If you have not previously created a dedicated organizational unit for the purpose of storing WatchGuard Administrator user data, it is possible to create a new OU by specifying the DN of a non-existing OU. The OU will be created when you click Next in the wizard.

38

WatchGuard SSL 500 & SSL 1000

Setup System Wizard

Common Settings for all Directory Service Types
Label Host Port Account Password Location DN Mandatory Yes Yes Yes Yes Yes Description IP address or DNS name of the directory service. Listening port. DN, ID or similar (depending on type of directory service). Directory service password. The full distinguished name (DN) of the location in the Directory Service where WatchGuard Administrator user accounts will be stored. Not selected by default. Certificate Authority certificate. Logon name for the WatchGuard Administrator Super Administrator. Logon password to the WatchGuard Administrator. Verification of Password.

Use SSL CA Certificate User Name Password Verify Password

No No Yes No No

Specific Settings for Other or Customized Directory Service
Label Object Class Naming Attribute Storing Attribute Unique Naming Attribute Mandatory No No No No Description Name of the object class used to store objects in storage. Relative name of the common object class Common object class attribute name used to store storage object attributes. Common object class attribute name used to store the unique storage object name (or unique ID).

User Guide

39

Setup System Wizard

Super Administrator credentials
This step of the Setup System wizard is displayed instead of the Configure Directory Service step if you have selected not to use a directory service. Here you specify the user name and password to create a super administrator account.

Super Administrator Credential Settings
Label User Name Password Verify Password Mandatory Yes Yes Yes Description Logon name for the WatchGuard Administrator Super Administrator. User logon password. Verification of password.

Set up administration service
Administration Service Settings
Label Internal Host Mandatory Yes Description IP address or DNS name of the Administration Service.

Configure an Access Point in WatchGuard Administrator
During the Setup System wizard, you perform a basic configuration of one single Access Point. You can configure the Access Point in detail or configure additional Access Points when the Setup System wizard is completed. The basic configuration of the Access Point consists of display name, host, and HTTP as well as HTTPS port.
If you install all services on a single machine, you must not use ports 8080 or 8443 for the Access Point since they are used by default for the WatchGuard Administrator.

The host to be used for the external traffic to the Access Point must be specified as a DNS name in the license. The DNS included in the license is set when you register with LiveSecurity.

Access Point Settings
Label Display Name Host HTTP Port HTTPS Port Mandatory Yes Yes No Yes Description Unique name used in the system to identify the Access Point. IP address or DNS name of the Access Point. Listening port for HTTP traffic. This is set to port 80 by default. Listening port for HTTPS traffic. This is set to port 443 by default.

40

WatchGuard SSL 500 & SSL 1000

Setup System Wizard

Set up Policy Service
During Setup System you perform a basic configuration of one single Policy Service. You can configure the Policy Service in detail or configure additional Policy Services when the Setup System wizard is completed. The basic configuration of the Policy Service consists of display name and host.
Extensible Programming Interface (XPI) is automatically initialized for the Policy Service when configuring the Policy Service in the Setup System wizard.

Policy Service Settings
Label Display Name Host Mandatory Yes Yes Description Unique name used in the system to identify the Policy Service. IP address or DNS name of the Policy Service.

Set up Authentication Service
During Setup System you perform a basic configuration of one single Authentication Service. You can configure the Authentication Service in detail or configure additional Authentication Services when the Setup System wizard is completed. The basic configuration of the Authentication Service consists of display name and host.

Select WatchGuard Authentication Methods
When configuring the Authentication Service you also select which of the WatchGuard authentication methods to use. You can also enable (or disable) WatchGuard authentication methods after finishing the Setup System wizard. Available WatchGuard authentication methods are: WatchGuard SSL Mobile Text WatchGuard SSL Web WatchGuard SSL Challenge WatchGuard SSL Password WatchGuard SSL Synchronized

User Guide

41

Setup System Wizard

Authentication Service and Authentication Method Settings
Label Display Name Host WatchGuard SSL Mobile Text WatchGuard SSL Web WatchGuard SSL Challenge WatchGuard SSL Password WatchGuard SSL Synchronized Mandatory Yes Yes Yes No No No No Description Unique name used in the system to identify the Authentication Service. IP address or DNS name of the Authentication Service. Selected by default. Selected by default. Selected by default. Selected by default. Selected by default.

Select additional Authorization Methods
The next step in the Setup System wizard is to select which authentication methods (other than WatchGuard authentication methods) to use. In Setup System only the most commonly used authentication methods are available for configuration. You can configure other types of authentication methods or configure selected authentication methods in detail after the Setup System wizard is completed. Authentication methods available in Setup System are: RSA SecurID Secure Computing SafeWord LDAP Microsoft Active Directory Windows Integrated Login NTLM Basic User Certificate Selected authentication methods are configured in the following steps of the Setup System wizard. For reference, additional authentication methods available in WatchGuard Administrator are: General RADIUS Extended User Bind Form-based Authentication E-ID E-ID Signer Custom-defined authentication method

42

WatchGuard SSL 500 & SSL 1000

Setup System Wizard

Configure Authentication Methods
This step in the Setup System wizard is displayed if you have selected an authentication method (other than the WatchGuard authentication methods). During Setup System you perform a basic configuration of the authentication method. You can configure the authentication method in detail after the Setup System wizard is completed. Apart from authentication methods Secure Computing SafeWord and RSA SecurID (RADIUS authentication) that have identical configuration settings, the settings differ depending on the type of authentication method selected.

Common Authentication Method Settings
Label Display Name Host Port Mandatory Yes Yes Yes Description Unique name used in the system to identify the authentication method. IP address or DNS name of the Authentication Service. Port of the Authentication Service.

LDAP Settings
Label Display Name Mandatory Yes Description Unique name used in the system to identify the authentication method. LDAP server used is the directory service specified in the previous step of the wizard. Administrato r DN User Password Yes Yes User ID to access the Active Directory. User password to the Active Directory.

Default values are retrieved from the General Settings for Directory Service page in the Setup system wizard.

Microsoft Active Directory Settings
Label Root DN Mandatory No Description DN for the root node in the Active Directory.

Windows Integrated Login Settings
Label Path Use SSL Mandatory Yes No Description Address to the logon page. Format: /%DIR%/pagename.html Not selected by default

User Guide

43

Setup System Wizard

NTLM Settings
Label Path NTLM Domain Use SSL Mandatory Yes Yes Yes Description Address to the logon page. The format is: /%DIR%/pagename.html Windows domain name. Not selected by default.

Specific Basic Settings
Label Path Use SSL Mandatory Yes Yes Description Address to the logon page. The format is: /%DIR%/pagename.html Not selected by default.

User Certificate Settings
Label Certificate Authority Mandatory No Description CA used to validate the identity of the individual holding the user certificate.

IBM Tivoli Settings
Label Users Root DN Password Policy DN Mandatory Yes Yes Description Root DN in IBM Tivoli where the system will search for users. Password Policy DN specifies the location of the IBM Tivoli Password Policy object.

IBM RACF Settings
Label Users Root DN Expiration message (regexp) Mandatory Yes Yes Description Root DN in IBM RACF where the system will search for users. When user logs in the IBM RACF will return an error message when password is expired, specify the error code here if other than the default.

Novell eDirectory Settings
Label Users Root DN Mandatory Yes Description Root DN in Novell eDirectory where the system will search for users.

Confirm Authentication Methods
In this step, the Setup System wizard lists the authentication methods you have selected. You can use the Previous link to go back in the wizard to remove or add authentication methods before you proceed. You can also add or remove authentication methods after completing the Setup System wizard.

44

WatchGuard SSL 500 & SSL 1000

Setup System Wizard

Configure user storage
Here you specify the user storage location that WatchGuard Administrator will use to locate existing users and user groups. You also specify search rules to enable WatchGuard Administrator to locate the users and groups. The user storage is configured for the purpose of using your local user administration. For example, WatchGuard Administrator can use existing user data such as phone numbers and passwords when creating user accounts, or leverage existing user groups when you create access rules based on these groups. To facilitate Setup System it is assumed that your users and user groups are stored in the same directory service that you specified for maintaining WatchGuard Administrator user accounts (in the Configure Directory Service step). When this is the case, you only need to enter display name and specify search rules for the user storage. If you use a different directory service for user storage, however, you need to specify that additional directory service first. See Configure Additional Directory Service below for details. You specify one single user storage location in the Setup System wizard and one single set of search rules. If your user information is stored in several different locations, you can specify multiple levels of search rules for the user storage after finishing the Setup System wizard. If your users are stored on several different directory services, you can specify additional user storage locations with corresponding search rules after finishing the Setup System wizard.
This step in the wizard is not mandatory. You can configure the user storage after completing Setup System wizard. If you choose to configure the user storage in the wizard, all fields are mandatory.

The settings for the user storage include: Display name for the user storage location User search rules User root DN (see Browsing for Root DN ), object class name/class category, attribute name, search scope. See Search Rules for details. User group search rules User group root DN (see Browsing for Root DN), object class name/class category, attribute name, member attribute name and search scope. See Search Rules for details. Test connection Link to check that a connection to the user storage can be established. The nodes in the search rules are checked.

Browse for root DN
When specifying a root DN as a start base for user or user group searches in the directory service, you can enter the full distinguished name directly or browse to select an existing location or parent location in your directory service structure to retrieve a full or partial DN. If you browse for the location DN, the root DN of the directory service is displayed in the browse window. You can also select root DN in a drop-down list. The DN is displayed with a + sign. If you click the + sign, you can navigate to the appropriate location in the directory service. When a location DN is selected the DN is automatically populated to the Configure Directory Service page.

User Guide

45

Setup System Wizard

Search rules
Search rules are designed to enable WatchGuard Administrator to locate your users and user groups in the directory service. The search rules you define depends on the directory structure of your organization, and which user objects you require. Search rules are created by combining the following settings: User Root DN The distinguished name of the search root from where the system will start to search for objects. If you want to use a specific sub-tree in your directory service, you can specify the sub-tree as the search root. Example:
ou=people,dc=thesecurecompany,dc=com

Object Category/Object Class Name The object category (Active Directory) or object class name (other directory services) that users belong to. Examples are user in Active Directory, and inetorgperson, the most common object class name. Refer to your directory service documentation for additional information. Attribute Name The attribute name to be used when searching for users. The values differ depending on directory service used: Active Directory uses samaccountname, other directory services use uid. Refer to your directory service documentation for additional information. Example:
cn

Set to samaccountname when using Active Directory. Member Attribute Name The member attribute name to use when searching for user groups. Example:
member

Search Scope Use the search scope when searching for users. Available options are: o Object Level, which only searches for objects located on base level. o One Level, which only searches for objects located directly below base not including the base. o Sub-tree level, which only searches for objects located below base not including the base. After Setup System wizard is completed you can also apply additional filters on the search rules. For example to specify that only users belonging to certain group are accepted when creating user accounts or that only users from a specific domain will be accepted.

General Settings
Label Display Name Mandatory Yes Description Unique name used in the system to identify the user storage location.

46

WatchGuard SSL 500 & SSL 1000

Setup System Wizard

User Search Settings
Label User Root DN Object Class Name Object Category Attribute Name Search Scope Mandatory Yes Yes Yes Yes Yes Description Start base for searches in the user storage. Object Class users belong to when using another directory service than Microsoft Active Directory. Set to inetOrgPerson by default. Object Class users belong to when using Microsoft Active Directory for user storage. Set to user by default. Unique user attribute. Set to samaccountname when using Microsoft Active Directory. Set to Sub-tree Level by default.

User Group Search Settings
Label User Group Root DN Object Class Name Object Category Attribute Name Member Attribute Name Search Scope Mandatory Yes Yes No Yes Description Start base for searches in the user storage. Object Class users belong to when using another directory service than Microsoft Active Directory. Set to groupOfNames by default. Object Class users belong to when using Microsoft Active Directory for user storage. Set to group by default. Unique user attribute. Set to samaccountname when using Microsoft Active Directory. When using other directory service it is set to cn. Unique directory service member attribute.

Yes

Yes

Set to Sub-tree Level by default.

Select additional Directory Service
This step in the Setup System wizard is displayed if you have selected to use another directory service for user storage than the directory service specified for storing WatchGuard Administrator user accounts (in the Configure Directory Service step). In this step you select which type of directory service to use. Available directory services are: Microsoft Active Directory OpenLDAP Sun Java System Directory Server Novell eDirectory Other or customized directory service The directory service is configured in the following step in the Setup System wizard.

User Guide

47

Setup System Wizard

Configure additional Directory Service
This step in the Setup System wizard is displayed if you have selected a type of directory service to use for user storage, different from the directory service specified for storing WatchGuard Administrator user accounts (in the Configure Directory Service step). The settings for the additional directory service include: Directory service o Host and port for the directory service o Account with read permissions in the directory service where existing users and groups are located SSL o Option to use SSL in communication with the directory service o Option to upload CA certificate to validate the server certificate presented by the directory service After having configured the additional directory service used for user storage, you return to the Configure User Storage step to continue by specifying the display name for the user storage and defining the search rules.

Additional Directory Service Settings
Label Host Port Account Password Use SSL Upload CA Certificate Mandatory Yes Yes Yes Yes No No Defines the Password for the directory server Administrator. Not selected by default. CA certificate used to validate the server certificate presented by the directory server. Description IP address or DNS name of the directory service. Listening port for the directory service. This is set to port 389 by default.

Finish the Setup System Wizard
In the last step of the Setup System wizard a confirmation page is displayed. The configured services are listed with unique Service IDs. Make a note of these IDs, which you will need to enter when installing the services. It is also possible to look up the IDs in the WatchGuard Administrator after finishing the Setup System wizard (select Manage System > Access Points > Policy Services > Authentication Services).

48

WatchGuard SSL 500 & SSL 1000

5

Set up an Access Point

You can set up one WatchGuard SSL Access Point, or multiple Access Points, to enable your users to connect through a secure tunnel to your network. After you Configure an Access Point in WatchGuard Administrator, you add the WatchGuard SSL Access Point device to your system, and then configure your device to allow users access to your network. Before you set up your Access Point, make sure you have the following: The latest WatchGuard SSL device software. Your selected domain name as registered with LiveSecurity®. The location of your license file.

WatchGuard SSL device software
Before you set up your WatchGuard SSL Access Point device, be sure you have the most recent software version. If there is a version of the Access Point software available for your WatchGuard SSL device on the web site, it is a new version that you must install when you configure your Access Point. 1. Go to https://www.watchguard.com/archive/softwarecenter.asp. 2. Download the most current version of the WatchGuard SSL device software installer: SSL_2.x.zip. 3. Open the SSL_2.x.zip file and extract the update file to a location where you can access it later.

Connect your WatchGuard SSL Access Point device
After you have added your WatchGuard SSL Access Point device to WatchGuard Administrator you must add it to your network before you can configure the device and enable user access to your network. 1. Connect the power cable to the WatchGuard SSL device power input and to a power source. 2. Connect Eth1 on your WatchGuard SSL Access Point device to the Ethernet interface of a computer configured with an IP address on the 192.168.111.0/24 network. The default IP address of Eth1 on the WatchGuard SSL device is 192.168.111.1.

User Guide

49

Set up an Access Point

Select an Architecture Method
Before you configure your Access Point you must decide how the Access Point best fits your network needs. Because the WatchGuard SSL device has two Ethernet ports, you can select either a One Interface Architecture or a Two Interface Architecture setup. To help you make the decision about how to configure your Access Point, it is helpful to understand that all connections to the Access Point are received on the Eth0 (External) interface. All incoming connections are routed through the Eth0 interface. In the One Interface Architecture method, the Eth0 interface also routes outgoing connections. If you want to distribute the outbound routing load, we suggest you select the Two Interface Architecture and configure your Access Point so both the Eth0 and Eth1 interfaces active. In this case, you must add routes for any device that the Access Point must send traffic to through Eth1 that are not on the same subnet as Eth1.

One Interface Architecture
Configure your WatchGuard SSL Access Point with the one-interface method if the device the Access Point connects to will route all connections initiated by the Access Point.

50

WatchGuard SSL 500 & SSL 1000

Set up an Access Point

Two Interface Architecture
Use the two-interface method when some routing occurs through another device that the Access Point can get to through the Eth1 (Trusted) interface.

After you have selected an architecture method, you can proceed and Configure your WatchGuard SSL device.

User Guide

51

Set up an Access Point

Configure your WatchGuard SSL device
After you have added your WatchGuard SSL Access Point device to WatchGuard Administrator and to your network, you can configure the settings for the WatchGuard SSL device to allow traffic through the device to your network. 1. Go to http://192.168.111.1:8080. The WatchGuard SSL Web Manager appears. 2. When prompted, log on with the default credentials: User Name: admin Password: admin

3. If there is an update to your WatchGuard SSL device software, select Administration > Update and browse to the location where you saved the new software. 4. Connect your WatchGuard SSL device following either a One Interface Architecture or a Two Interface Architecture method. For more information about architecture methods, see Select an Architecture Method. To use a One Interface method: a. Select Network > External, and add the IP address you assigned to the Access Point in the WatchGuard Administrator Setup System wizard. b. Add the IP address of the default gateway for the Access Point. c. Add DNS server information for the WatchGuard SSL device. d. Click Submit. To use a Two Interface method: a. Select Network > External, and add the IP address you assigned to the Access Point in the WatchGuard Administrator Setup System wizard. b. Add the IP address of the default gateway for the Access Point. c. Select Network > Trusted, and add the IP address for the Eth1 port. d. Select Network > Routes, and add a static route for each network you want the WatchGuard SSL device to reach through the trusted interface. e. Click Submit. f. Reconnect to your WatchGuard SSL device with the new trusted IP address you assigned.

5. Select Network > Admin Service, and add the IP address of your Administration Service computer. The WatchGuard SSL device is now connected to WatchGuard Administrator.

Reset your configuration
You can return your WatchGuard SSL device settings to the default configuration. When you reset your configuration, all settings configured in the Network and Administration menus return to the original default values. 1. Select Administration > Reset Configuration. 2. Click RESET. All settings return to default values.

52

WatchGuard SSL 500 & SSL 1000

Set up an Access Point

Set the Date and Time Zone for your WatchGuard SSL device
You can select the date and time zone for your WatchGuard SSL device. The date and time zone information appears in all reports on the device, and communication with the WatchGuard Administrator. We recommend you set the date and time zone to match the date and time zone set on the computer where you installed WatchGuard Administrator, so that the date and time in your device log files match those of the Policy Service and Authentication Service log files. 1. Select Administration > System Time. 2. Use the Time Zone drop-down list to set your time zone. 3. Type the current hour, minute, and seconds in the Time fields and select AM or PM from the dropdown list. 4. Select the month and year from the Date drop-down lists, and click a date on the calendar to set the day. 5. Click Submit.

Change the password for your WatchGuard SSL device
The default user name and password for your WatchGuard SSL device: User Name: admin Password: admin

You can use the WatchGuard SSL Web Manager to change the password for your WatchGuard SSL device. 1. Select Administration > Change Password. The Change Password page appears. 2. Type and confirm your new password. 3. Click Submit.

User Guide

53

Set up an Access Point

Use Log Viewer
An important feature of a good network security system is to gather information about activity on your system, and to keep that information in an archive or log. You can use these log files to monitor your network security and activity, identify any security risks, and address them. Log files include a list of events and details about those events. An example of an event is when the WatchGuard SSL device denies a log in. The WatchGuard SSL device collects log data for events that occur on the device. Information about each event is stored in a separate log file which is then sent to WatchGuard Administrator, where you can review the log data and run reports on the data for one or many WatchGuard SSL devices. You can also view the data from individual log files for one device from the WatchGuard SSL VPN Web Manager.

View Logs
You can view the log files available on your SSL device from the WatchGuard SSL VPN Web Manager. 1. Select Administration > Log Viewer. The Log Viewer page appears. 2. To view the available log files, click View Logs. 3. Select a link for the log file you want to view. The log file opens within the Log Viewer page. 4. To view another log, click the Back button on your browser, or repeat steps 1–3.

Clean Logs
You can also use Log Viewer to remove log files from the WatchGuard SSL device. After logs files are removed from the device, they cannot be sent to WatchGuard Administrator, so be sure to only remove log files when they are no longer necessary. 1. Select Administration > Log Viewer. The Log Viewer page appears. 2. To clean up log files, click Clean Logs. All log files are removed from the WatchGuard SSL device.

Update WatchGuard SSL device software
From time to time, a new version of the WatchGuard SSL device software may be available. When a new version of the WatchGuard SSL device software is available, you can download it from the WatchGuard web site and install it on your device. Before you set up, or update, a WatchGuard SSL device, make sure you have the most recent version of the installer.
If there is a version of the Access Point software available for your WatchGuard SSL device on the web site, it is a new version that you must install when you configure your Access Point.

1. 2. 3. 4. 5.

Go to https://www.watchguard.com/archive/softwarecenter.asp. Select SSL_2.x.zip. Open the SSL_2.x.zip file and extract the update file to a location where you can access it later. Select Administration > Update and browse to the location where you saved the new software. Click Update. The new file is uploaded to the WatchGuard SSL device and your device is updated.

54

WatchGuard SSL 500 & SSL 1000

6

Administration

About WatchGuard Administrator
The basic features in WatchGuard Administrator include: Web-based administration interface Task-oriented approach Wizards for common tasks Context-sensitive online user assistance WatchGuard Administrator has three types of menus: Top menu Main menu Left-hand menu The Main menu is divided into four sections: Monitor System, Manage Accounts and Storage, Manage Resource Access, and Manage System. Each section has a left-hand menu, allowing you to manage your configuration in a flexible and structured environment. Use the Navigate in WatchGuard Administrator section to acquaint yourself with WatchGuard Administrator. WatchGuard Administrator is task oriented. When you click an Add… link, a wizard guides you through the process of adding user accounts, resources, and so on. You can always cancel a wizard by selecting a different menu item or by simply closing your browser. No changes are saved until you click Finish Wizard. You can always step backwards in a wizard, using the Previous link.

Top menu
Use the Publish button to distribute changes in the configuration to the entire WatchGuard Network. When updates in the WatchGuard Administrator services are ready for publishing, the Publish button is highlighted. This includes added or edited resources, access rules, services and so on.
You do not need to publish updated user settings.

Use the Restore button to revert to a previous configuration. The last ten configurations are displayed, sorted by date. You can select any configuration but once restored, you cannot revert the process.

User Guide

55

Administration

Use the Browse button to browse the centrally stored files. In the Browse dialog, schema, templates, and applets stored in the Administration Service is displayed. A browser allows you to create directories, and create, move, and copy files in the WatchGuard Administrator directory structure. Use the Help button to access help topics by using a table of contents, or to search the entire WatchGuard Administrator Online Help. Each page in the WatchGuard Administrator has a corresponding help page. The following tabs are available in the online Help: Use the Glossary tab to browse terms used in WatchGuard Administrator. Use the Search tab to find specific topics, the help pages for specific Administrator pages, or terms in their context. Use the Index tab to search for key concepts in WatchGuard Administrator.

Online Help
You can access the information in the WatchGuard Administrator Online Help in different ways. If you click the question mark in WatchGuard Administrator, you access context-sensitive information concerning that specific page. There, you can choose to expand the Help window to use the Table of Contents and tabs. If you click the Help button in the top menu of the Administrator, you access the start page of the WatchGuard Administrator Online Help, with the Table of Contents and help tabs already visible. Below are brief descriptions of the contents of the different sections in the Table of Contents in the WatchGuard Administrator Online Help. Getting Started The Getting Started section of the WatchGuard Administrator Online Help contains instructions for how to complete a basic setup and an initial configuration of WatchGuard Administrator. The section also contains instructions for getting started with different features in WatchGuard Administrator. WatchGuard Administrator This section of the WatchGuard Administrator Online Help contains help topics describing the contents of the WatchGuard Administrator, and describing how to navigate in WatchGuard Administrator. The main part of this section consists of help topics connected to all the WatchGuard Administrator pages. Here, you will find conceptual information as well as detailed parameter information. How To The How To section of the WatchGuard Administrator Online Help contains help pages containing detailed instructions for various tasks performed in WatchGuard Administrator. The subjects cover common tasks as well as configuration that can be a bit tricky to achieve. The instructions are sorted in alphabetical order. Navigate in WatchGuard Administrator Here, you will find brief descriptions of the WatchGuard Administrator main menu and left-hand menu items.

56

WatchGuard SSL 500 & SSL 1000

Administration

Monitor system
Monitor system Use the Settings link to enable/disable Event Monitoring and to edit the Super Administrator logon credentials. In Status Overview, current user, resource, and system information is displayed. Event Overview lists events occurred since last logon. System Status System Status contains status information presented on four tabs: General Status, Access Points, Policy Services, and Authentication Services. User Sessions Search for sessions using all or specific authentication methods to view or delete current user sessions. Log Viewer Search for specific log events or download a diagnostics .zip file containing all logs and configuration files for all servers. Logging Manage settings for logging of all or specific servers in the WatchGuard Network. You can set log collection interval, debug mode, and which time zone to use for time stamps. License View contents of the current license. Alerts Create alerts used to notify administrators of different types of events. Reports Generate reports containing statistics and run-time information on access, authentication, authorization, accounts, and system.

Manage accounts and storage
In User Accounts, the number of registered users is displayed. The User Groups section lists the number of registered user groups, sorted by type. In User Storage, registered user storage locations are displayed. User Accounts Add user accounts using the Add User Account wizard. To edit settings for a specific user account, you can search for registered user accounts and users. User Linking Create user accounts by linking from user storage. User Link Repair Repair broken links used in User Linking. User Import Create user accounts by importing a file with existing user information. User Groups Add user groups using the Add User Group wizard. To edit settings for a specific user group, you can search for registered user groups. User Storage Add user storage locations using the Add User Storage Location wizard. To edit settings for a specific user storage, you can search for registered user storage locations. Global User Account Settings Manage global default settings for all registered user accounts. The General Settings tab contain default account settings for logon to the Application Portal and WatchGuard authentication settings. Enable automatic and/or manual linking on the User Linking tab. Enable auto repair to update links to the directory service in the Auto Repair tab.
User Guide 57

Administration

Manage resource access
Use the add resource wizards to add Web and tunnel resources. All registered resource hosts and paths can be edited or deleted here. Standard Resources Use the Standard Resource wizard to add standard resources. Web Resources Add Web resources using the Add Web Resource wizard. To manage settings for a specific Web resource host or path, use the + sign to display detailed resource information. Tunnel Resources Add tunnel resources using the Add Tunnel Resource wizard. To manage settings for a specific tunnel resource host or path, use the + sign to display detailed resource information. Tunnel Sets Add tunnel sets using the Add Tunnel Set wizard. To edit settings for a tunnel set, select tunnel set in the list. Client Firewalls Add client firewalls consisting of Internet firewall configurations. An Internet firewall configuration is a collection of rules that control traffic to and from the Access Client. Each configuration is connected to a corresponding tunnel set. Customized Resources Add customized resources using the Add Customized Resource Host wizard. To manage settings for a specific customized resource host or, use the + sign to display detailed resource information. Access Rules Add access rules available for several resources and/or SSO domains using the Add Access Rule wizard. To edit settings for an access rule, select access rule in the list. Application Portal Add Application Portal items using the Add Application Portal Item wizard. To edit settings for a specific item, select item in the list. SSO Domains Add SSO domains using the Add SSO Domain wizard. To edit settings for a specific SSO domain, select SSO domain in the list. Identity Federation Add SAML 2.0 identity and service providers. Global Resource Settings Manage global default settings for all registered resources. Global resource settings are managed on the following tabs: Specify internal proxy hosts on the Internal Proxy tab Manage DNS names on the Mapped DNS Names tab On the Filters tab, you manage filters used to filter specific pages or requests to specific resources Edit headers used for filtering on the Link Translation tab.

58

WatchGuard SSL 500 & SSL 1000

Administration

Manage system
The main Manage System page does not contain any functionality. It describes what you can do in the Manage System section of the system: add, edit and delete services, certificates, authentication methods, RADIUS back-end servers and clients, as well as configure directory service settings. It is also possible to enter global settings which apply to all Access Points, Policy Services, and Authentication Services, and general settings for notifications and SMS distribution. Authentication Methods Add authentication methods using the Add Authentication Method wizard. To edit settings for extended properties and/or RADIUS replies for a specific authentication method, select authentication method in the list. Add Certificate Authorities and Server Certificates using the applicable wizard. To edit settings for a specific CA and/or server certificate, select item in the appropriate list. Abolishment Define actions performed on a client computer when using an abolishment access rule. Actions include the monitoring of downloaded files and deleting of Internet browser history and browser cache. Assessment Define user client computer assessment activities. Activities include: client scan, setup of reference machines, and use of plug-ins in assessment access rules. RADIUS Configuration Add RADIUS clients using the Add RADIUS Client wizard. To edit settings for a specific RADIUS client, select client in the list. Click the Manage RADIUS Back-end Servers link to add and edit RADIUS back-end servers. These RADIUS clients and back-ends servers are used by the Authentication Service. Notification Settings Manage settings for notification message channels: SMS, email, and/or email/Screen. The notification channel setting are also used for alerts. Device Definitions Manage definitions of how HTTP headers in requests are interpreted to identify devices by the Access Point. Add definitions using the Add Device Definition wizard. To edit the definition of a specific device, select device in the list. Delegated Management Manage administrative roles with different privileges and responsibilities. Access Points Add Access Points using the Add Access Point wizard. To edit settings for a specific Access Point, select Access Point in the list. Click the Manage Global Access Point Settings link to display Client Access, Performance, Trusted Gateways, Cipher Suites, and Advanced settings. Furthermore, use the Configure Load Balancing link to enter settings for load balancing and to manage mirrored Access Points.

User Guide

59

Administration

Policy Services Add Policy Services using the Add Policy Service wizard. To edit settings for a specific Policy Service, select Policy Service in the list. Click the Manage Global Policy Service Settings link to edit default global communication settings. Authentication Services Add Authentication Services using the Add Authentication Service wizard. To edit settings for a specific Authentication Service, select Authentication Service in the list. Click the Manage Global Authentication Service Settings link to display global default RADIUS authentication and password and/or PIN settings. Administration Service Manage internal (in the WatchGuard Network) and external (with the client) communication settings. Directory Service Manage general settings for the directory service. You can change type of directory service here, and also enable SSL communication.

60

WatchGuard SSL 500 & SSL 1000

7

Monitor System

About Monitor System
In this section, general status of the system and status for each specific service registered in the WatchGuard network is presented.

Status Overview
In the Status Overview section, you view status of the registered number of concurrent users and user accounts. Also listed are the number of registered resource hosts and Single Sign-On (SSO) domains. System information includes the WatchGuard Administrator release and build number and the license type. Administrators lists the Display Name of the user currently logged on to WatchGuard Administrator. Also listed is the number of administrators logged on to the WatchGuard Administrator.

Event Overview
Event Overview provides you with a snapshot of the WatchGuard network status. It is updated in real time every 15 seconds. Listed events include: Failed connection to the directory service or any of the configured user storage locations Restored connection to the directory service or any of the configured user storage locations Failed connection to any of the services included in the WatchGuard network Restored connection to any of the services included in the WatchGuard network Activated or deactivated debug logging Enable Event Monitoring for polling of your directory service and user storage on the Monitor System page.

User Guide

61

Monitor System

Status overview
Users
The following user information is displayed: Concurrent Users Number of concurrent users is displayed. Registered User Accounts Number of registered user accounts is displayed. Logged-on Users Number of logged-on unique users is displayed. Active Users Number of users that have made a request within the last 15 minutes is displayed. This time-out value is configured in Manage Global Account Settings.

Resources
The following resource information is displayed: Registered Resources Number of registered resources is displayed. Only resource hosts are counted, not paths. Registered SSO Domains Number of registered SSO domains is displayed.

System information
The following system information is displayed: Software Version WatchGuard Administrator release number is displayed. License Version License version is displayed. License Type License type is displayed.

Administrators
The following administrator information is displayed: Display name of the currently logged in administrator Number of logged on administrators Follow the View Administrator Activities link to view a list of time and date for the last logon per administrator, as well as time and date for the last action taken. Note that action is any action performed in the WatchGuard Administrator by the administrator: clicked links as well as saved updates or completed wizards.

62

WatchGuard SSL 500 & SSL 1000

Monitor System

Event overview
Each WatchGuard network event is listed with the date and time according to the browser locale setting. Events that have occurred since the last time you were logged on are listed. If new events occur while you are logged on, they are added to the list in real time. The Event Overview list is updated every 15 seconds. The following events can be listed: Lost connection to the directory service or any of the configured user storage locations Restored connection to the directory service or any of the configured user storage locations Lost connection to any of the WatchGuard network services Restored connection to any of the WatchGuard network services Activated debug logging Deactivated debug logging

Manage settings
Enables event monitoring of the directory service and user storage to check the connection to the directory service every 15 seconds. Since each check results in an event in the directory service log, unselecting this option may enhance performance.
If you disable event monitoring, the Alert and Reporting events concerning Directory Service and User Storages will not function properly.

You can enable the WatchGuard Password policy to ensure that passwords are used to log on to WatchGuard Administrator following certain requirements. The following requirements must be met if the WatchGuard Password policy is enabled: The password is at least six characters long The password contains characters from at least three of the following four categories: o English uppercase characters (from A through Z) o English lowercase characters (from a through z) o Base 10 digits (from 0 through 9) o Non-alphanumeric characters (for example: !, $, #, or %) The current password for logon to the WatchGuard Administrator is not shown in clear text. This password was set during the Setup System wizard. Enter a new password for the Super Administrator to change the password. The new password is not shown in clear text. If the Enable password policy option is selected, the password must meet the password policy requirements.

User Guide

63

Monitor System

Event Monitoring
Label Enable event monitoring of directory service and user storage Mandatory No Description Selected by default. This option can be disabled to enhance performance.

Super Administrator Password
Label Enable password policy Current Password New Password Verify New Password Mandatory No No (Yes) (Yes) Mandatory when Current Password is entered. Mandatory when New Password is entered. Description Selected by default.

About system status
General Status
On the General Status tab, all registered services in the WatchGuard Network, Directory Services, user storage locations, and RADIUS clients are listed with Display Name and DNS name or IP address. Furthermore, host, current server time, and version of the Administration Service is presented. Configured notification channels are listed as enabled and/or disabled.

Access Points
On the Access Points tab, all registered Access Points are listed displaying Display Name and Host.

Policy Services
On the Policy Services tab, all registered Policy Services are listed displaying Display Name and Host.

Authentication Services
On the Authentication Services tab, all registered Authentication Services are listed displaying Display Name and Host.

64

WatchGuard SSL 500 & SSL 1000

Monitor System

About user sessions
In this section, you search and view all ongoing user sessions. You can search for current sessions by entering a User ID, or part of a User ID and the wildcard character *, and select one or all authentication methods used. In the search result list, you can delete active user sessions. Note that you do not delete the user account.

Search User Session
Label User ID Authentication Method Mandatory No No Description N/A N/A

View Active User Sessions
Label Session ID User ID Client IP Address Authentication Method Mandatory No No No No Description N/A N/A N/A N/A

Logging
About Log Viewer
You can use the WatchGuard Administrator Log Viewer (in the Monitor System section), to filter and display log messages. To view logs, select Filter settings and click View Log. The logs appear in A separate browser window. You can use Search Criteria to trace specific log events such as user activity through selected servers. Here are examples: logon userA This example will list all logons made by the user userA. logon and userA Both types will display all log entries containing the words logon and userA. Searches are not case sensitive and search criteria can consist of several words. For an exact match, all entered words must exist. Searches can be time consuming if there are a large number of log files to filter. For an OR search, use the special word or’. OR operations have precedence over AND operations. Here are examples: fatal or warning Displays all lines with the FATAL or WARNING severity levels. fatal or warning and sql Displays all messages with the FATAL or WARNING severity levels containing the word SQL.

User Guide

65

Monitor System

Negations can be obtained using the minus sign -. Here are examples: -info Displays all severity levels except the INFO level (i.e. only the FATAL and WARNING levels). fatal or warning -sql Displays all lines with the FATAL or WARNING severity levels, except for SQL messages. The wildcard characters *’ and ?’ are allowed. * signifies any number of characters, and ? signifies exactly one character. Here are examples: abc*def Displays all lines where the text abc can be found before the text def. abc?def Displays all lines where the text abc can be found, followed by exactly one character, and then followed by the text def. Quoted searches can be used to search for whole sentences or for the wildcard characters. Here are examples: fatal or warning -lcp -tc5 system Displays all lines that have the FATAL or WARNING severity levels, but does not contain any LCP messages or the string tc5 system. info Displays lines with the string info with spaces on each side (as a separate word).

Diagnostic file
You can download a .zip file containing all System, Audit, Billing, HTTP, and RADIUS logs for the selected servers. The diagnostics file also contains all configuration files and message logs, as well as the debug logs (including the Access Point raw external and internal logs, raw proxy interchange log, form based log, and hyperlinks log). By selecting Enable debug logging on the Manage General Logging Settings page, the debug logs are automatically enabled.

Log Viewer Settings
You can select one, several, or all the registered servers in the WatchGuard network in the Log Viewer. The messages displayed in the log viewer are restricted to selected servers. There are two time range options available: Last number of hours or days, and to and from dates (format depending on browser locale). Label Log Type Servers Search Criteria Mandatory No Yes No Description Set to System log by default. Set to All servers by default. Searches are not case sensitive and the search criteria can consist of several words. For an exact match, all entered words must exist. Time Range No Set to Last 1 hour by default.

66

WatchGuard SSL 500 & SSL 1000

Monitor System

About logging
All registered servers in the WatchGuard Administrator network generate several individual logs. You can manage each server’s log settings individually. Another important factor of logging is that both the Report and Alert functionality depend on the log collecting. If the Log Collection Interval is set too high (this is done on the Manage Global Logging Settings page), the ability to view real-time reports diminishes. Alerts are not sent until logs with this information are collected. For more information see, Manage logging.and Manage global logging settings. WatchGuard Administrator includes five types of logs: Log Type System Logs Log Level Fatal Warning Info Audit Logs Billing Logs HTTP Logs RADIUS Logs Warning Info Info Info Info Logs user activity, such as log on, log out, and session events. All WatchGuard Administrator user activities are also logged here Logs events required for billing Logs HTTP server requests Logs RADIUS server requests Description Logs run-time events

In WatchGuard Administrator, it is possible to filter the severity level of the logged messages. It is also possible to turn logging off. The following table shows the available log level filtering: Log Level Filter Off Fatal Warning Info Description Logs nothing, the log is disabled Logs only fatal messages Logs warning and fatal messages Logs info and above messages

Manage logging
You manage logging settings for each registered service on individual tabs representing each log type. The different services generate separate log types: Administration Service Log types: System, Audit, Billing, and HTTP logs Access Point Log types: System, Audit, and HTTP logs Policy Service Log types: System, Audit, Billing, and HTTP logs Authentication Service Log types: System, Audit, Billing, and RADIUS logs You can configure the same kind of settings for all log types, these are described below.
Note that the Access Point audit log includes more settings than the other services’ audit logs. You can enable settings on the accessing client, session, and access request settings such as requested path and resource, protocol used, and response information.

User Guide

67

Monitor System

Log level filter
You can select a log level filter and define what severity levels should be logged for each log type on each registered service. Available log level filters are: Off When Off is selected, the log type for that specific service is disabled. No log messages are generated. Fatal Logs only fatal messages Warning Logs only fatal and warning messages Info (default) Logs all levels

Log file rotation
When log file rotation is enabled, log files are rotated such as a new file created every day or based on file size. When file size is used, a max file size is set and when this is reached the current log file is closed and a new log file is created. Using file size rotation, a max number is also configured, deciding the number of allowed concurrent log files. When the max number is reached, the system removes the oldest log file and creates a new log file. When log file rotation is disabled, all logging messages are registered in the same log file.

Windows event log/Unix syslog
You can select a log level filter for Windows Event logs or Unix syslog, depending on operating system, on system logs for each registered service. Available log level filters are: Off When Off is selected, the log type for that specific service is disabled. No log messages are generated. Fatal Logs only fatal messages Warning Logs only fatal and warning messages Info (default) Logs all levels
Note that log level filter is set to Off by default.

68

WatchGuard SSL 500 & SSL 1000

Monitor System

Manage global logging settings
You specify the path to the directory where all logs are stored. This is set to the folder logs in each service’s installation folder by default. You also select to show timestamps in local time or GMT time. You enter a log collection interval in seconds. Log collection includes collection of all the logs from the WatchGuard network services to the Administration Service. This is set to 5 seconds by default.
If the Log Collection Interval option is set to high, the ability to view real-time reports diminishes. Alerts are not sent until logs with this information are collected.

Select the Enable debug logging option to automatically enable the debug logs including the Policy Service End-Point Security log, the Access Point raw external log, raw internal log, raw proxy interchange log, hyperlinks log, and form-based log.

Log Directory
Label Log Directory Mandatory Yes Description Set to logs by default.

Time Zone
Label Local time GMT Mandatory No No Description Selected by default. Not selected by default.

Interval
Label Log collection interval Mandatory No Description Set to 5 by default.

Debug Logging
Label Enable debug logging Mandatory No Description Not selected by default.

User Guide

69

Monitor System

About the license file
WatchGuard Administrator scans the license file when you upload it to the Setup Wizard. The license format supports both concurrent users and named users. You decide which type of users the license should be based on when requesting the license. You can upload a new license file if your license file has expired or if it is corrupt.

View license details
These are the contents of a full WatchGuard Administrator license: License Number A sequential number that uniquely identifies the license License Version License Type Evaluation or Production Issued Issue date Issued To Name, company, and email address for the person to whom the license was issued Issued By Name, company, email address for the issuer of the license Validity WatchGuard Administrator Start and end date of the validity period for the license. If an asterisk is used for the end date, the license does not expire. The date format complies to your browser’s language settings. Max Concurrent Users The maximum number of users allowed to simultaneously use the system. The number of users currently using the system is displayed in parenthesis. Max Named Users The maximum number of named users allowed to use the system. The number of registered named users is displayed in parenthesis. Validity Authentication Service Start and end date of the validity period for the Authentication Service. If the wildcard character * is used for the end date, the license does not expire. Max WatchGuard Authentication Users The maximum number of named users allowed to use WatchGuard authentication methods. The number of registered users with WatchGuard authentication methods is displayed in parenthesis. Max RADIUS Clients The maximum number of RADIUS clients allowed Max Resources The maximum number of allowed resources Max Authentication Methods The maximum number of allowed authentication methods

Upload new license
To upload a new license, click Browse to locate the license, and then click Upload License to replace the current license. Remember to click Publish after you upload a new license file, for distribution of changes to your network.

70

WatchGuard SSL 500 & SSL 1000

Monitor System

Alerts
About alerts
Alert notifications are messages sent to selected receivers when specified events have occurred in the system. Selected receivers can either be a selection of roles, managed in the Delegated Management section, or listed email addresses or cell phone numbers. Alert notification messages are distributed by email and/or SMS. You need to configure the appropriate channels for each service respectively. This is done in the Manage System section on the Notification Settings pages. You can select and combine a number of pre-defined alert events. Alert events include lost and restored connections to the directory service or services in the WatchGuard network, or user activity such as exceeded number of access requests. One example is if the Administration Service is unable to communicate with the directory service an alert event is triggered. An alert is created and configured to notify selected alert receivers of the Lost connection to Directory Service event. An alert message containing event specific information is created and distributed using SMS, email, or both.

Alert events
A number of pre-defined alert events are configured for you to select from: User accounts Alerts can be triggered when accounts are locked and unlocked for access, authentication, and timelocks. Resources Alerts can be triggered when resources are offline and online. WatchGuard network Alerts can be triggered when the connection to services in the WatchGuard network are lost and restored. Directory service Alerts can be triggered when the connection to the directory service is lost and restored. Authentication method server Alerts can be triggered when the connection to the authentication method server is lost and restored. For more information, see Manage alerts and Manage global alert settings.

Manage alerts
Registered alerts are listed on the Manage Alerts page in the Monitor System section of WatchGuard Administrator. You can add, edit, and delete alerts.

Alert settings
All alerts consist of an alert event that triggers an alert notification. You specify which type of notification channel to use for the alert notification messages. You can specify an SMS channel, an email channel, or both. You can only specify channels that have been configured. Notification channels are configured on the Notification Settings pages in the Manage System section of WatchGuard Administrator.

User Guide

71

Monitor System

Alert event settings
For alerts, you specify which type of alert events that will trigger an alert notification message. At least one alert event must be selected. You select alert events from a number of pre-configured alert event groups: User account events Specify if alert notifications are triggered for locked and unlocked access, authentication, and time lock. Resource host events Specify if alert notifications are triggered when resource hosts are offline and/ or online. Services in WatchGuard network events Specify if alert notifications are triggered when connections are lost and/or restored to services in the WatchGuard network Directory service events Specify if alert notifications are triggered when connections are lost and/or restored to the directory service. Authentication method server events Specify if alert notifications are triggered when connections are lost and/or restored to the authentication method server.

Settings
General Settings
Label Enable alert Display Name Description Mandatory No Yes No Description Selected by default. Unique name used in the system to identify the alert.

Notification Settings
Label SMS email Mandatory (Yes) (Yes) Description Either SMS, email, or both are mandatory. Either SMS, email, or both are mandatory.

Alert Events for User Accounts
Label Locked for access Unlocked for access Locked for authentication Unlocked for authentication Time-lock locked Time-lock unlocked Mandatory No No No No No No Description Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not selected by default.

Alert Events Resource Hosts
Label Offline Online Mandatory No No Description Not selected by default. Not selected by default.

72

WatchGuard SSL 500 & SSL 1000

Monitor System

Alert Events Directory Service
Label Lost connection Restored connection Mandatory No No Description Not selected by default. Not selected by default.

Alert Events WatchGuard Network
Label Lost connection to service Restored connection to service Mandatory No No Description Not selected by default. Not selected by default.

Alert Events Authentication Method Server
Label Lost connection Restored connection Mandatory No No Description Not selected by default. Not selected by default.

Alert notification receivers
You specify which delegated roles that will receive alert notification messages about selected events. Registered email addresses and/or cell phone numbers are retrieved automatically for each selected role. You add other roles than the ones listed as available here in the Manage System section on the Delegated Management page. Alert email notifications can also be distributed to other receivers than to delegated roles, or to delegated roles with no registered email address. You can specify add email addresses with no connection to registered users or WatchGuard Administrator user accounts as receivers. Alert SMS notifications can also be distributed to other receivers than to delegated roles or to delegated roles with no registered cell phone number. You can specify add cell phone numbers with no connection to registered users or WatchGuard Administrator user accounts as receivers.

Alert Receivers
Label Available Roles Selected Roles Mandatory No No Description List with all available registered roles.

Add email Address
Label email Address Mandatory Yes Description email address that will receive alert notifications.

Add Cell Phone Number
Label Cell Phone Number Mandatory Yes Description Cell phone number that will receive alert notifications.

User Guide

73

Monitor System

Manage global alert settings
All alert messages correspond to alert events, but you can edit the default messages or even create your own specific messages on the Manage Global Alert Settings page. By default, all messages include a variable for the exact date and time of the event. Note that the presentation of date and time is decided by your browser’s locale settings. There are no logical constraints or limitations of how an alert message is designed, but a recommendation is to keep in mind the selected receiving method: SMS messages for example can usually only display a limited number of characters. When editing or designing alert messages regarding user accounts, resources, and WatchGuard Administrator services, another variable is used to indicate the specific event trigger. Example:

{0}: User {1} has been locked for authentication.
In this example alert message, {0} will be replaced with the exact date and time of the event, and {1} will be replaced with an actual user ID. The resulting alert message that will be received will be presented like this:

2005-09-01 09:11:31: User Joe Smith has been locked for authentication.
You cannot change any formatting (such as bold or italic text) in alert messages.

Messages
Label Subject Mandatory Yes Description Set to An alert has been triggered by default.

User Accounts
Label Locked for Access Unlocked for Access Locked for Authentication Unlocked for Authentication Time-lock Locked Time-lock Unlocked Mandatory Yes Yes Yes Yes Yes Yes Description Set to {0}: User {1} has been locked for access by default. Set to {0}: User {1} has been unlocked for access by default. Set to {0}: User {1} has been locked for authentication by default. Set to {0}: User {1} has been unlocked for authentication by default. Set to {0}: User {1} has been Time-lock locked until {2} by default. Set to {0}: User {1} has been Time-lock unlocked by default.

Resource Hosts
Label Lost Connection Restored Connection Mandatory Yes Yes Description Set to {0}: Lost connection to Resource Host {1} by default. Set to {0}: Restored connection to Resource Host {1} by default.

74

WatchGuard SSL 500 & SSL 1000

Monitor System

WatchGuard Network
Label Lost Connection Restored Connection Mandatory Yes Yes Description Set to {0}: Lost connection to {1} by default. Set to {0}: Restored connection to {1} by default.

Directory Service
Label Lost Connection Restored Connection Mandatory Yes Yes Description Set to {0}: Lost connection to Directory Service by default. Set to {0}: Restored connection to Directory Service by default.

Authentication Method Servers
Label Lost Connection Mandatory Yes Description Set to {0}: Lost connection to Authentication Method Server used by Authentication Method {1} by default. Set to {0}: Restored connection to Authentication Method Server used by Authentication Method {1} by default.

Restored Connection

Yes

User Guide

75

Monitor System

Reports
About reports
In addition to the Log Viewer, you also have the ability to generate reports in WatchGuard Administrator. The reports can be snapshots of activity at any given time, or statistics showing for example the behavior of users or usage of resources. You can select to generate reports from seven report groups: Abolishment reports Assessment reports Access reports Authentication reports Authorization reports Account Statistics reports System reports The option Complete Report generates a complete report containing statistics from all available report types. Each report group consists of one or several reports, and each report contains one or several charts. Reports are divided in three information parts: Time range Filters Graphics

Time range
You can specify three types of time ranges: Last When you specify a time range of the type Last, time is counted from the current time, when generating the report, to the specified time (in hours, days, weeks, months, or years). For example, if you select Last 2 Days at 02:15 PM, data is collected for 24 hours + 02:15 hours from now. From - To date When you specify a time range of the type From - To date, time is collected from and to a specific date. For each day, a 24-hour period starting at 00:00 and ending at 24:00 is calculated. All Available When you specify time range of the type All Available, time is collected from the time when the database was created. If there is not any data from this start time, the time gap (from no data to data) will show in the reports. When selecting large ranges the time to generate reports increases drastically.

76

WatchGuard SSL 500 & SSL 1000

Monitor System

Filters
You can specify filters to select the data included in different reports. Report groups have different available filters. These filters are available for most reports: Access Points Specifies one or several Access Points. You make the selection from all registered Access Points. Policy Services Specifies one or several Policy Services. Authentication Services Specifies one or several Authentication Services. Client IP Specifies one or a range of IP addresses. You make the selection from all client IP addresses. User ID Specifies users and user accounts. You make the selection from all registered users, both WatchGuard Administrator user accounts and users stored in user storage. Devices You make the selection from all registered devices. Web resource hosts You make the selection from all registered Web resource hosts. Tunnel resource hosts You make the selection from all registered Tunnel resource hosts. Tunnel Protocol Select UDP, TCP or both. Tunnel IP Specify the IP range for the tunnels. Tunnel Port Specify the port range for the tunnels.

Graphics
You specify two types of graphics: Chart Types and Styles. Each report can be presented using different chart types. For example, when you select to generate an Assessment report, you can select the chart types Failed over Time, Succeeded over Time, Failed by Reason, and Failed by User. You need to select at least one chart type to generate the report. Each chart type is then presented using different styles: Bar, Line, or Pie in 2D or 3D. WatchGuard Administrator suggests a chart type and style by default per report, but you can change and combine any report with any chart type and style.

User Guide

77

Monitor System

Statistics
Statistics are presented in reports in WatchGuard Administrator. The reports are available in real time and historically. WatchGuard Administrator reports the following statistics: Response Time (after workload) Device Usage User resource usage Session trend Current Workload Bandwidth Usage Free memory space Free Disk Space
Free disk space information is not available from Access Points.

Event statistics include: Access Authentication Assessment Abolishment The statistics are available in different formats at the current status, averages, etc. The reporting format will also support third-party products. WatchGuard Administrator can provide reports that can be used in Microsoft Excel and Crystal Reports.

Data Retrieval
All reporting information is collected and stored in a database. Queries are run both to the database and the directory service. The result is then graphically presented in WatchGuard Administrator with the possibility to store the result in a text file or export it to a .zip file.

78

WatchGuard SSL 500 & SSL 1000

Monitor System

About report database
The database used for storage of the report statistics is HSQLDB (previously called Hypersonic) and is a well established Open Source database. It runs embedded in the Administration Service process. For more specific information about the database, please refer to http://www.hsqldb.org/.

Limitations
The HSQLDB database is allowed to grow to a maximum size of 250 MB. This is a limitation enforced by WatchGuard Administrator to ensure acceptable startup and shutdown times for the Administration Service. If statistics data needs to be stored for a longer time period, it is recommended to use another database. The HSQLDB database is suitable when having up to 5000 authentication attempts per day; this would allow statistics for up to a period of 50 days. If the workload exceeds 5000 authentications per day, it is recommended to use another high-performing database, for example MySQL. It is possible to change the database to any kind that supports JDBC and the dialect of SQL defined by SQL standards 92. Backup and Restore To create a backup of the database, stop Administration Service and create a copy of the \database\ folder. To restore a backup from file, stop the Administration Service and replace the \database\ folder with the backup. Schedule Cleanup Scheduled cleanup is not enabled by default to ensure no loss of report statistics data. If you enable scheduled cleanup, you need to specify how old events need to be in order for them to be removed. When selected, scheduled cleanup is performed once every midnight. If enabled, and the HSQLDB database grows to its limit before cleanup is executed, it is recommended to decrease number of logged days in the system log file. Forced Cleanup Forced cleanup is performed once every midnight. The cleanup is performed when the database is greater than 250 MB. Forced cleanup removes all events from the oldest date in the database; this process is then repeated until the database is equal to, or less than 250 MB. Database Growth When the database size is 250 MB it holds approximately 1,750,000 events, each event takes an average of 150 bytes. If we assume that each successful authentication attempt generates a total of 7 events, the following is true: 1 Authentication event 1 Assessment event 1 Abolish event 1 Session Created event 3 Authorization request (assuming request is cached in Access Point) One authentication event will generate 7 events, 150 * 7 = 1,050 bytes. Each authentication event takes 1,050 bytes, so 5,000 authentication event takes 5 MB; this workload allows report statistics data for a period of 50 days.

User Guide

79

Monitor System

Manage reports
Available report types are listed on the Manage Reports page in the Monitor System section of WatchGuard Administrator. You can generate several types of reports using different filters and graphics. All reports can be generated using the default configuration.

Set time range
You specify a time range to be able to compare statistics over time, or to see progress over time, or to view status for specific events at an exact time. Time ranges are presented differently depending on selected chart type.

Time Ranges
Filter Selection 1–6 hours 7–18 hours 19–24 hours 1 day 2-7 days 1 week 2-4 weeks 1 month 2-12 months 1 year 2-29 years Any date range Overall Time Unit Minutes Hours Hours Hours Hours Weekdays Date Date Months Months Year Month/Year Month/Year X-axis Every (h*60/12) minutes Every hour Every second hour Every second hour Every weekday Every weekday Every day Every day Every month Every month Every year Example: 2005 Allowed years: 1-29 Example: April 2005 Allowed months: 1-12 Example: April 24 Allowed weeks: 1-4 Allowed days: 1-7 Allowed hours: 1-24 Comment

80

WatchGuard SSL 500 & SSL 1000

Monitor System

You can specify the following time ranges: Last The system collects data from the exact date and time when the report is generated, to a selected value according to below. For example, if last two weeks are selected and the time for report creation is 12:15, the system collects data for the previous 336 (24 x 14) hours. Time Intervals Input Hours Days Weeks Months Years Value Entered value must be in the range 1 to 24. Entered value must be in the range 1 to 7. Entered value must be in the range 1 to 4. Entered value must be in the range 1 to 12. Entered value must be in the range 1 to 30.

From – To dates The time range to collect data is defined by a from and to date. For each day, the system calculates a 24-hour period starting at 00:00 and ending at 24:00. All available The time range depends on the available data stored in the database. You specify a time range to be able to compare statistics over time, or to see progress over time, or to view status for specific events at an exact time. See the following for report types: Assessment Report settings Abolishment Report settings Access Report settings Authentication Report settings Authorization Report settings Account Statistics Report settings Session Trend Report settings Communications Report settings Alert Report settings System Report settings Performance Report settings Tunnel Report settings

Set time range
You specify a time range to be able to compare statistics over time, or to see progress over time, or to view status for specific events at an exact time. Time ranges are presented differently depending on selected chart type.

User Guide

81

Monitor System

Time Ranges
Filter Selection 1–6 hours 7–18 hours 19–24 hours 1 day 2-7 days 1 week 2-4 weeks 1 month 2-12 months 1 year 2-29 years Any date range Overall Time Unit Minutes Hours Hours Hours Hours Weekdays Date Date Months Months Year Month/Year Month/Year X-axis Every (h*60/12) minutes Every hour Every second hour Every second hour Every weekday Every weekday Every day Every day Every month Every month Every year Example: 2005 Allowed years: 1-29 Example: April 2005 Allowed months: 1-12 Example: April 24 Allowed weeks: 1-4 Allowed days: 1-7 Allowed hours: 1-24 Comment

You can specify the following time ranges: Last The system collects data from the exact date and time when the report is generated, to a selected value according to below. For example, if last two weeks are selected and the time for report creation is 12:15, the system collects data for the previous 336 (24 x 14) hours. Time Intervals Input Hours Days Weeks Months Years Value Entered value must be in the range 1 to 24. Entered value must be in the range 1 to 7. Entered value must be in the range 1 to 4. Entered value must be in the range 1 to 12. Entered value must be in the range 1 to 30.

From – To dates The time range to collect data is defined by a from and to date. For each day, the system calculates a 24-hour period starting at 00:00 and ending at 24:00. All available The time range depends on the available data stored in the database.

82

WatchGuard SSL 500 & SSL 1000

Monitor System

Assessment report settings
The following filters are available for assessment reports: Access Points Client IP User ID Devices For an assessment report, you can also specify the report specific filter Assessment Access Rule, which defines if all or a selection of assessment access rules will be included in the report. For assessment reports, you can select one, several, or all of the following chart types: Failed assessment attempts over time By default presented as a bar chart Succeeded assessment attempts over time By default presented as a bar chart Failed assessment attempts sorted by reasons By default presented as a bar chart Failed assessment attempts sorted by users By default presented as a bar chart

Abolishment report settings
The following filters are available for abolishment reports: Access Points Client IP User ID Devices For an abolishment report, you can also specify the report specific filter Abolishment Access Rule, which defines if all or a selection of abolishment access rules will be included in the report. You can select one, several, or all of the following chart types: Failed abolishment attempts over time By default presented as a bar chart Succeeded abolishment attempts over time By default presented as a bar chart Failed abolishment attempts sorted by users By default presented as a bar chart

User Guide

83

Monitor System

Access report settings
The following filters are available for access reports: Access Points Client IP User ID Devices You can select one, several, or all of the following chart types: Access Requests by User By default presented as a bar chart. The number of access requests is calculated once per user session. Access Requests Over Time By default presented as a bar chart. The number of access requests is calculated once per resource request and not per user. Access Requests by Web Resource Host By default presented as a pie chart. The number of access requests is calculated once per resource request and summarized for each host. The report also includes the name of the most frequently accessed resource host. Access Requests by Tunnel Resource Host By default presented as a pie chart. The number of access requests is calculated once per resource request and summarized for each tunnel resource host. The report also includes the name of the most frequently accessed tunnel resource host.

84

WatchGuard SSL 500 & SSL 1000

Monitor System

Authentication report settings
The following filters are available for access reports: Access Points Client IP User ID Devices Authentication Method For an authentication report, you can also specify the report specific filter Authentication Method, which defines if all or a selection of authentication methods will be included in the report. You can select one, several, or all of the following chart types: Failed Authentication Attempts over Time By default presented as a bar chart. Succeeded Authentication Attempts over Time By default presented as a bar chart. Failed Authentication Attempts by Reason By default presented as a bar chart. Failed Authentication Attempts by User By default presented as a bar chart. Authentication Method Usage By default presented as a bar chart. This chart displays the most frequently used authentication methods. Day Trend By default presented as a bar chart. This chart displays the average number of authentication attempts at specific hours in a specified period of time.
The number is calculated once per resource request and not per user.

All authentication requests for the time range are presented for each hour of the day (0..23). The value for each hour is divided with number of days set in Time Range. Time range must be equal to or greater than one day for any values to be presented on the report.

User Guide

85

Monitor System

Authorization report settings
The following filters are available for authorization reports: Access Points Client IP User ID Devices Resources For an authorization report, you can also specify the report specific filter Web Resource Hosts, which defines if all or a selection of Web resource hosts will be included in the report. You can select one, several, or all of the following chart types: Failed Authorization Attempts over Time By default presented as a bar chart. Succeeded Authorization Attempts over Time By default presented as a bar chart. Failed Authorization Attempts by Reason By default presented as a bar chart. Failed Authorization Attempts by User By default presented as a bar chart. Day Trend By default presented as a bar chart. The number of authorization requests is calculated once per resource request and not per user. All authorization requests for the time range is presented for each hour of the day (0..23). The value for each hour is divided with number of days set in Time Range. Time range must be equal to or greater than one day for any values to be presented on the report.

86

WatchGuard SSL 500 & SSL 1000

Monitor System

Account statistics report settings
For an account statistics report, you only specify the filters User ID, Web Resource Host, Tunnel resource hosts, Tunnel Protocol, Tunnel IP and Tunnel Port. By default, the following information is included in the account statistics report: Name of the most frequently accessed resource host Total number of WatchGuard Administrator user accounts, regardless of selected User ID filter User account with last failed authentication attempt User account with last succeeded authentication attempt User account with last changed password User account with last locked access User account with last locked authentication You can select one, several, or all of the following chart types: User Access Attempts by Web Resource Host By default presented as a pie chart. For each web host, the number of users is presented both as an actual amount and as a percentage of the total number of users. The number is calculated once per user ID. User Access Attempts by Tunnel Resource Host By default presented as a pie chart. For each tunnel host, the number of users is presented both as an actual amount and as a percentage of the total number of users. The number is calculated once per user ID.

Session trend report settings
The following filters are available for session trend reports: Access Points Client IP User ID Devices By default, the following information is included in the session trend report: Concurrent Sessions over Time By default presented as a bar chart. The report also includes the peak value of concurrent sessions. Ongoing Sessions per User By default presented as a bar chart. Since the chart displays ongoing sessions, a specified time range is ignored. Duration By default presented as a bar chart. All sessions with an end time inside the specified time range are included in the selection regardless of the session start time. All session times are summarized, and then an average is calculated and presented as well as organized in minutes and days.

User Guide

87

Monitor System

Communication report settings
No filters are specified for communication reports. By default, the following information is included in the communication report: Lost Connections over Time By default presented as a bar chart. All failed connections for different WatchGuard Administrator services over time are displayed. The report also includes lost connections to registered user storage locations and to the directory service.

Alert report settings
The following filters are available for alert reports: Access Points Client IP User ID Devices By default, the following information is included in the alert report: Alerts By default presented as a pie chart. For each alert type, the number of alert notifications are presented both as an actual amount and as a percentage of the total number of alert notifications.
All alert events are listed in the report, regardless your configuration of alert notifications.

System report settings
The following filters are available for system reports: Access Points Client IP User ID Devices By default, the following information is included in the system report: Client Server Connections By default presented as a line chart. The report also includes peak and average values for client and server connections. Used Memory over Time By default presented as a line chart. The report also includes the peak value of memory usage. Used Disk Space over Time By default presented as a line chart. The report also includes the peak value of disk space usage. SSL Sessions over Time By default presented as a line chart. The report also includes the peak value and average number of SSL sessions.

88

WatchGuard SSL 500 & SSL 1000

Monitor System

Performance report settings
For a performance report, you only specify the filters Access Points and Web resource hosts, which defines if all or a selection of Access Points and Web resource hosts will be included in the report. By default, the following information is included in the performance report: Request Rate over Time By default presented as a line chart. The report also includes the average request rate. Response Time by Host By default presented as a bar chart. The report also includes the average response time. Transfer Rate over Time By default presented as a line chart. The report also includes the average transfer rate. Client to Server By default presented as a line chart. The report also includes the average transfer rate to server. Client to Server By default presented as a line chart. The report also includes the average transfer rate to client.

Tunnel report settings
For a tunnel report, you only specify the filters Access Points, Tunnel resource hosts, Tunnel Protocol, Tunnel IP and Tunnel Port that will be included in the report. By default, the following information is included in the tunnel report: Client to Tunnel Resource Host By default presented as a line chart. The report also includes the average transfer rate to server. Tunnel Resource Host to Client By default presented as a line chart. The report also includes the average transfer rate to client.

Filter Settings
Label All Selection Available Selected Mandatory No No No No Description All registered filter data is displayed. A search is performed and a selection can be made. List of available filter data. Selected from the Available list.

Time Range Settings
Label Time Range Mandatory Yes Description Last — Set to Last 1 Weeks are set by default. From — Mandatory when To is specified. To — Mandatory when From is specified. All

User Guide

89

Monitor System

90

WatchGuard SSL 500 & SSL 1000

8

Manage accounts and storage

About accounts and storage
The WatchGuard Administrator solution provides enhanced identity and user management. Using a combination of user groups, user storage, directory service configuration, and identity management, WatchGuard Administrator enables system administrators to control which users access what applications and how. On the Manage Accounts and Storage page, all user accounts, user groups, and user storage locations are listed for easy overview of your system’s user management status.

User accounts
In the WatchGuard vernacular, users and user accounts are separate terms. WatchGuard Administrator user accounts are required for access to registered resources, and the accounts are connected to actual users. But not all users in your directory service need to have registered WatchGuard Administrator user accounts. WatchGuard Administrator user accounts are linked to user information already stored in your directory service. A user storage link establishes a connection to your local user information. User accounts are managed in the Manage User Accounts section. In the Global User Account Settings section, you manage global default settings used in authentication, for time-outs, when using user linking (described below), and to setup automatic repair of user links. Please refer to the Add User Account section for detailed information on different methods of creating user accounts.

User Import and Linking
User import and user linking are both alternatives to using the Add User Account wizard to create user accounts. To create a number of user accounts simultaneously, with a minimum of manual intervention, you can import a file containing user information. The file needs to be formatted according to certain rules. When using user linking, user accounts are added according to default settings, configured in the Global User Account Settings section, with links to the appropriate user storage. This is an alternative to the Add User Account wizard. All default settings for user accounts created through import or linking are retrieved from the Global User Account Settings section.

User Guide

91

Manage accounts and storage

User groups
There are three types of user groups available in WatchGuard Administrator: User groups defined in directory service User location groups User property groups User groups are managed in the Manage User Groups section.

User storage
The user storage is the external location where users are stored and used by the Policy Service as part of the authorization process. To automatically add references (when authenticating a user, for example) to existing users and user groups in the directory service, you need to configure user storage. It is recommended that the user accounts are linked to the user storage, to enable reuse of user information. When configuring user storage, you specify the host for the directory service and define a set of search rules to find users and user groups. You can specify several user storage locations in directory services of different brands and different vendors. For information on supported directory services, please see the WatchGuard Administrator Release Notes. A user storage location was added to the system during the Setup System wizard. User storage locations are managed in the Manage User Storage section.

92

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

Global user account settings
About global user account settings
All global user account settings are used by default for new user accounts created with the Add User Account wizard or through User Linking. When a user account is created through User Import, these settings are used by default if not otherwise specified in the file used for import. All default values are documented in the online Help if you wish to revert to the default system configuration. On the General Settings tab, you configure default account validity, WatchGuard authentication, and timeout settings. Additional tabs concern user linking and link repair are described below.
Changes made in settings for specific user accounts override the global default configuration.

About user linking
When a user tries to access a resource using WatchGuard authentication, and no matching user account exists, a WatchGuard user account is created and the user information is linked from the user storage location to the new user account. When other authentication methods are used, the user must exists in the user storage in order for a user account to be created. There are two methods of user linking: manual and automatic. Automatic linking is used when authenticating users (as described above). Manual linking is performed by the WatchGuard Administrator system administrator, using user linking to create user accounts in WatchGuard Administrator. Default global settings for user linking are configured per WatchGuard authentication method. These settings are described in detail in the Manage global user account settings topic.

About user link repair
If users are moved in or deleted from the user storage location, established links between WatchGuard Administrator user accounts and the directory service will be broken. When this occurs, these users cannot be authenticated. To repair broken links, missing users are searched for in the user storage location and when found the link is re-established. Link repair can be performed using two methods: Use the User Link Repair wizard to check directory links, and repair or delete user accounts with broken links. Use the default global setting Auto Repair to repair user links automatically when users access the system. When Auto Repair is used, the directory link is automatically updated when the user attempts to access the system using.

User Guide

93

Manage accounts and storage

Manage global user account settings
In WatchGuard Administrator, a number of default settings can be configured on the Global User Account Settings page. This page contains three tabs: General Settings Includes default settings for user account validity, WatchGuard authentication, and time-outs. User Linking Includes default settings link repair methods, and for each applicable authentication method. Auto Repair Includes the option to enable auto repair.

General settings
You configure the default number of maximum retries for user access for all accounts. You can, however, reconfigure this number for specific user accounts, using the Number of retries setting. When set to 0, the user account is never locked. This setting is used for both default account configuration and for WatchGuard authentication. You specify the number of days a user account is valid. This is used as default when a new user account is created. When set to 0, the user account never expires. Optional default account settings for WatchGuard authentication include: Use groups When selected, user group names are supported. If supported, a group name can be connected to a user when managing user accounts. This group information is sent to the RADIUS client. The RADIUS client can then be configured to use this attribute for authorization. Framed IP When a framed IP address has been configured, this IP address is sent to a network access point from the Authentication Service upon successful authentication. This information can be used in authorization decisions made by the access point. Time-lock You can set a time-out time for authentication time-lock, meaning the length of time users are locked out from attempting logon after failed logon the number of times set in Time-lock Interval. Time-out settings are used as default values when a Web resource is created. To edit or specify any or all of these settings for a specific resource, go to the Web Resource Host Advanced Settings page. You set the maximum user inactivity time before re-authentication is required, validity time for a session in the system, time since the user was last authenticated with required authentication method before reauthentication is required, and time before users are warned and prompted to re-authenticate.

94

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

Manage user linking
User linking can be performed manually or automatically. These default settings apply to both methods of user linking. You specify if WatchGuard authentication should be enabled when a user account is linked to a user in the directory service. When WatchGuard authentication is enabled for automatic user linking, you are also required to select notification method. Available options are: By email (default) By SMS Default global settings for user linking per WatchGuard authentication method are configured. These default settings include: o Enable authentication method after user linking o Generate password/PIN When selected, the password/PIN is created automatically when user linking is used| Password/PIN can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section. Select Generate Password for an automatically created password. When selected, directory mapping is not performed. o Password/PIN never expires When selected, the password/PIN does not expire when user linking is used o User cannot change password/PIN When selected, users cannot change the password/PIN when user linking is used o User must change password/PIN at next logon When selected, users are required to change password/PIN at next logon when user linking is used o Use password from directory service This option is only available for the authentication methods: WatchGuard Mobile Text and WatchGuard Password. When selected, the password used in the applicable directory service is used for authentication when user linking is used
Password and PIN can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section.

General Settings
Default Account Settings
Label Max Retries Mandatory Yes Description Maximum number of invalid login attempts allowed (1–999) before the user account is locked for authentication. Set to 10 by default. Number of days a user account with enabled WatchGuard Mobile ID authentication is valid. Set to 0 by default.

Account Expires In

No

User Guide

95

Manage accounts and storage

Default Account Settings for WatchGuard Authentication
Label Max Retries Mandatory Yes Description Maximum number of invalid login attempts allowed (1–999) before the user account is locked for WatchGuard authentication. Set to 9 by default.

Account Settings for WatchGuard Authentication
Label Use Groups Use Framed IP Time-lock Time-out Mandatory No No Yes Description Not selected by default. Not selected by default. Number of minutes (1–999) the user account is locked from the system after the number of incorrect logon attempts set in Time-lock Interval. Set to 120 by default. Number of consecutive incorrect logon attempts allowed before the user account is time-locked. Set to 3 by default. Number of passed days (1–19) before users are asked to change password/PIN. Set to 7 by default.

Time-lock Interval

Yes

Change Password/PIN Notification

No

Time-Out Settings
Label Max Inactivity Time Mandatory Yes Description Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default. Validity time in minutes (0-1440) for a session in the system. Set to 30 by default. Time in minutes (0-1440) since the user was last authenticated with required authentication method, before re-authentication is required, independent of user activity. Set to 720 by default. Time in seconds (0-3600) before user is warned and prompted to re-authenticate. Set to 60 by default.

Session Time-out

Yes

Absolute Time-out

Yes

Time-out Warning

Yes

Auto Repair
Label Auto repair user links when the users access the system Mandatory No Description Selected by default.

96

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

User Linking
Label Enable WatchGuard Authentication when manually linking the user Enable WatchGuard Authentication when automatically linking the user Notification Mandatory No Description Not selected by default.

No

Not selected by default.

No

Available options are: By E-mail and By SMS. Set to By SMS by default.

WatchGuard SSL Mobile Text
Label Enable authentication method after user linking Generate password Password never expires User cannot change password User must change password on next logon Use password from directory service Mandatory No No No No No No Description Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not selected by default.

WatchGuard SSL Web
Label Enable authentication method after user linking Generate password Password never expires User cannot change password User must change password on next logon Mandatory No No No No No Description Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not selected by default.

WatchGuard SSL Challenge
Label Enable authentication method after user linking Generate PIN PIN never expires User cannot change PIN User must change on next logon Generate seed Mandatory No No No No No No Description Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not editable. Selected by default.

User Guide

97

Manage accounts and storage

WatchGuard Password
Label Enable authentication method after user linking Generate password Password never expires User cannot change password User must change password on next logon Use password from directory service Mandatory No No No No No No Description Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not selected by default.

WatchGuard SSL Synchronized
Label Enable authentication method after user linking Generate PIN PIN never expires User cannot change PIN User must change on next logon Generate seed Mandatory No No No No No No Description Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not editable. Selected by default.

98

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

User linking
About user linking
User Linking is used when you quickly want to create a basic user account based on an existing user in user storage. You add user accounts according to your default settings in Global User Account Settings with links to the appropriate user storage. To enable WatchGuard authentication with User Linking, you need to enable the User Linking option. This is done on the User Linking tab in the Manage global user account settings topic. WatchGuard authentication refers to the Authentication Service and the WatchGuard authentication methods Web, Mobile Text, Challenge, Synchronized, and Password. Default settings for WatchGuard authentication for user accounts are retrieved from the General Settings tab on the Global User Account Settings page. For more information on managing user linking, see Manage user linking.

Manage user linking
When you use user linking, you create user accounts and links to user storage for one user at a time. You specify a User ID to link the user to the user account. When the user account has been created, you cannot change the User ID. You also select how the new password or PIN used for WatchGuard authentication will be distributed to the user when the user account has been created. Available options depend on the system configuration for notification and SMS distribution configuration. Available notification options are: By email By screen By SMS By email and screen By SMS and screen To email address configured on the Global Authentication Service Settings page, on the Email Messages tab. You have the option to specify a message set. A message set is a set of all WatchGuard authentication notification messages. The default message set includes all messages specified on the Global Authentication Service Settings page.

User Guide

99

Manage accounts and storage

Manage user link repair
Use the User Link Repair wizard to check directory links, and repair or delete user accounts with broken links. Depending on type of link error, a number of repair options are provided: Update user link and check next user account Update user link and repair all remaining user accounts automatically Remove user account and remove all remaining user accounts automatically Remove user account and check next user account Ignore user account and check next user account Cancel the wizard When the wizard is completed, a repair result is displayed. The user accounts included in the link repair are listed according to applicable repair result: Link Repaired User Accounts Removed User Accounts Ignored User Accounts

User Link Repair
Label Update user link and repair all remaining user accounts automatically Update user link and check next user account Remove user account and check next user account Remove user account and remove all remaining user accounts Ignore user account and check next user account Cancel Mandatory No Description If the user has been moved or modified, the user storage location and directory link information are updated. When selected, the system updates the user storage location and directory link information with the new link information. When selected, the system removes the user account. When selected, the system controls and removes all remaining user accounts with broken links. When selected, the system does not update the user storage location and directory link information. When selected, the repair is cancelled.

No

No No

No

No

100

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

User import
About User Import
Use User Import to create multiple user accounts simultaneously by importing an external file containing user information to the Administration Service. The import file is separated by a comma, semicolon, or tab. There can only be one entry per line in the import file. The file to import must be formatted according to specific rules, detailed in Manage User Import.

Manage User Import
The file used for import must be formatted according to the following format rules:. The first row in the import file must contain the column headings, specifying the fields in the import file. The headings cannot contain any spaces and they are not case-sensitive. Each row contains data for one and only one user. Empty rows and rows beginning with a comment sign (#) are ignored during import.

Import File Items
Item String Integer Boolean Password Date Description A string containing any character Non-negative numeral True or false Password in clear text or {SHA}+ [base64-encoded SHA hashed password] Date format complies to your browser’s language settings Make sure the date format in the file matches your browser settings Comment

User Guide

101

Manage accounts and storage

Import File Contents
Heading UID RealName Comments DirectoryLink UserStorage GroupName FramedIP MailAddress MobileNumber AccountDisabled AccountValidFrom AccountExpires AccountNeverExpires AccessMaxRetries AuthenticationMaxRetries ChallengeEnabled ChallengePIN ChallengePINNeverExpires ChallengePINCannotChange ChallengePINMustChange ChallengePINGenerate ChallengeSeed ChallengeSeedGenerate SynchronizedEnabled SynchronizedPIN SynchronizedPINNeverExpires SynchronizedPINCannotChange SynchronizedPINMustChange SynchronizedPINGenerate SynchronizedSeed SynchronizedSeedGenerate WebEnabled WebPwd WebPwdNeverExpires WebPwdCannotChange WebPwdMustChange WebPwdGenerate String String String String String String Boolean Date Date Boolean Integer Integer Boolean Password Boolean Boolean Boolean Boolean String Boolean Boolean Password Boolean Boolean Boolean Boolean String Boolean Boolean Password Boolean Boolean Boolean Boolean Value String String Comment Mandatory Mandatory Column you may use for comments. It is ignored during import.

102

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

Heading PasswordEnabled PasswordPwd PasswordPwdNeverExpires PasswordPwdCannotChange PasswordPwdMustChange PasswordPwdGenerate PasswordPwdUseDirectory MobileTextEnabled MobileTextPwd MobileTextPwdNeverExpires MobileTextPwdCannotChange MobileTextPwdMustChange MobileTextPwdGenerate MobileTextPwdUseDirectory NotifyByMail NotifyBySMS NotifyToAddress

Value Boolean Password Boolean Boolean Boolean Boolean Boolean Boolean Password Boolean Boolean Boolean Boolean Boolean Boolean Boolean email address

Comment

User Import settings
Label Separator in File Import File Mandatory No No Description Available options are: Comma, Semicolon, and Tab. Set to Comma by default. Imported file.

User Guide

103

Manage accounts and storage

User accounts
About user accounts
In WatchGuard Administrator, there are three different ways to create user accounts: Add User Account User Linking User Import These three options are designed to meet different administrative requirements, but all result in user accounts. The only difference in the end result can be the level of detail in account settings. In edit mode, applicable account settings are available for configuration regardless of how the user account was created. Using the Add User Account wizard is the standard way to create user accounts, and the way that presents you with the largest number of options. It is suitable when the majority of user accounts are already registered in the Administrator. User Linking is used when you quickly want to create a basic user account based on an existing user in user storage. If you want to create user accounts for users not stored in user storage, or if you want to create multiple user accounts simultaneously, use User Import to create user accounts by importing a file containing user information. For more information see, Add user account, User Linking, and User Import.

User Account Search Result List
On the Manage User Accounts page, you can search for and subsequently manage users and user accounts. The following user account activities can be performed in the list directly: Disabled When selected, the user account has been manually locked from access to the WatchGuard Network and its resources. You can enable and disable user accounts here in this list. Locked Access When selected, the system has locked the user account from access to the WatchGuard Network and its resources. You can un-lock user accounts here in this list. Locked Authentication When selected, the system has locked the user account from use of WatchGuard authentication methods. You can un-lock user accounts here in this list. Time-Lock Authentication When selected, the system has time-locked the user account from access to the WatchGuard network and its resources according to the time configured on the Global User Account Settings page. You can un-lock user accounts here in this list.

Add user account
Creating a user account through the Add User Account wizard on the Manage User Accounts page enables you to specify almost all available user account functionality. These settings are automatically created for the user account: Max Retries for Access (default value is set in Manage Global User Account Settings) Max Retries for WatchGuard Authentication (default value is set in Manage Global User Account Settings) Account Expires Within is set to 0 to never expire (default value is set in Manage Global User Account Settings).

104

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

The following account settings can be specified during the wizard: Link to User Storage You can link the user account to an existing user in user storage. A link to the correct location (DN) to the user in the user storage is created. The user’s display name, email address, and cell phone number is retrieved when available. Custom-defined User Attributes You can define attributes that are specific for the user account. These attributes can for example be used when creating user property groups. WatchGuard Authentication Settings You can enable available WatchGuard authentication methods and enter corresponding password or PIN settings. Also included are user account specific notification settings, which refer to what email address and SMS to use, and message set. You have the option to specify a message set. A message set is a set of all WatchGuard authentication notification messages. The Default message set includes all messages specified on the Global Authentication Service Settings page. SSO Settings You can connect the user account to available SSO domains and enter credentials for each domain attribute. User Certificates You can connect specific user certificates to the user account. This option is only available when the authentication method User Certificate is configured.

User Linking
Creating a user account through User Linking requires a user storage location, since the user account is created by linking to an existing user in user storage. User linking can be performed manually or automatically. Manual user linking is performed on the Manage User Linking page. Automatic user linking is enabled on the User Linking tab in Manage Global User Account Settings. The accounts are then created automatically when users who are located in user storage but do not have corresponding user accounts in WatchGuard Administrator attempt to log on to the system. Regardless of whether the user linking is manual or automatic, the following settings are automatically created for the user account: Max Retries for Access (default value is set according to Manage Global User Account Settings) Max Retries for WatchGuard Authentication (default value is set according to Manage Global User Account Settings) Account Expires Within (default value is set according to Manage Global User Account Settings) Authentication methods enabled on the User Linking tab in Manage Global User Account Settings and their corresponding settings (only if Enable WatchGuard Authentication when manually linking the user on the same tab is selected)

User Guide

105

Manage accounts and storage

User Import
Creating a user account through User Import on the Manage User Import page does not require user storage. Multiple user accounts are created simultaneously by importing a file containing user information separated by commas, semi-colons, or tabs. The minimum user information in the file required to create a user account is user ID and display name. The following settings are automatically created for the user accounts (only if the corresponding information is not specified in the imported file): Max Retries for Access (default value is set according to Manage Global User Account Settings) Max Retries for WatchGuard Authentication (default value is set according to Manage Global User Account Settings) Account Expires Within (default value is set according to Manage Global User Account Settings) As opposed to User Linking, authentication methods enabled on the User Linking tab in Manage Global User Account Settings and their corresponding settings are not retrieved when creating user accounts through user import.

WatchGuard authentication
WatchGuard Authentication includes use of the WatchGuard authentication methods Web, Mobile Text, Challenge, Synchronized, and Password. To disable WatchGuard authentication for a user account, you need to disable all WatchGuard authentication methods for that user account.

Single Sign-On domain settings
In WatchGuard Administrator, you can configure Single Sign-On (SSO) domains where several resources using the same credentials are collected. Thus enabling users to enter their credentials when logging on to the domain only and not to the resources individually, easing user convenience. When configuring SSO domain settings for user accounts, all Domain Attributes associated with a specific SSO domain are automatically retrieved. There are two types of SSO domains: Text and Cookie. For detailed information on SSO domains, please refer to About SSO Domains.

User certificate
Certificates can be bound to specific users to be used for authentication with the authentication method User Certificate.

106

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

Manage user accounts
On the Manage User Accounts page, you have the possibility to perform a number of management activities in the Search Result list. You conduct a search using one of the following search criteria: All users The system searches among all users. If you find and select a user that does not have a user account, you will be redirected to the Add User Account wizard. All user accounts The system searches only for users with a user account registered. Enabled The system searches for all user accounts that are enabled for WatchGuard Administrator access. You can disable user accounts using applicable checkbox in the list. Disabled The system searches for all user accounts that are disabled for WatchGuard Administrator access. You can enable user accounts using applicable checkbox in the list. Locked authentication The system searches for all user accounts where WatchGuard authentication is locked. You can un-lock user accounts using applicable checkbox in the list. Locked access The system searches for all user accounts where access is locked. You can un-lock user accounts using applicable checkbox in the list. Search Criteria is set to All user accounts by default.

Search User Accounts
Label User ID Search Criteria Mandatory Yes No Description User account in WatchGuard Administrator. Set to All user accounts by default.

User Account Settings
Label Disable User Account User Account Validity Mandatory No Yes Description Not selected by default. Corresponds to Account Expires In on the Global User Account Settings page.

WatchGuard Administrator Access Settings
Label Number of Retries Reset Locked for the user account Mandatory No No No Description Number of tries according to limit set in Max retries on the Global User Account Settings page. Use to reset number of invalid login attempts (Number of Retries). Not selected by default.

User Guide

107

Manage accounts and storage

General settings
On the General Settings page, you specify general configuration settings for the user account. Display Name can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section. You can link the user account to an existing user in user storage. A link to the correct location (DN) to the user in the user storage is created. The user’s display name, email address, and cell phone number is retrieved when available. You can also define attributes that are specific for the user account. These attributes can for example be used when creating user property groups. You can select to temporarily disable a user account, or to specify a time period for the user account’s validity. The default value here is retrieved from the Global User Account Settings page.
Format complies with your browser’s language settings.

When WatchGuard authentication has been enabled on the WatchGuard Authentication tab, you can specify the user’s notification settings. Both email Address and SMS can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section.

General Settings
Label User ID Display Name User Location in Directory Last Logged In Mandatory Yes Yes No No Description User ID connects the actual user with the user account. Name used in the system to identify the user account. Distinguished Name for the user in the user storage. It is not possible to edit the link manually. This setting is only available when editing a user account.

Manage authentication settings
On the WatchGuard Authentication Settings page, you configure the number of retries allowed for users, lock and un-lock settings, and time-lock of WatchGuard authentication. Notification settings include configuration of email and SMS channels. Password/PIN settings for each enabled authentication method include: Generate password/PIN Password never expires User cannot change password/PIN User must change password/PIN on next logon Use password from directory service This option is only available for the authentication methods: WatchGuard SSL Mobile Text and WatchGuard Password. Generate seed Clear password/PIN
Password and PIN can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section.

108

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

You also select how the new password or PIN used for WatchGuard authentication will be distributed to the user when the user account has been created. Available options depend on the system configuration for notification and SMS distribution configuration. Available notification options are: By email By screen By SMS By email and screen By SMS and screen To email address configured on the Global Authentication Service Settings page, on the Email Messages tab. You have the option to specify a message set. A message set is a set of all WatchGuard authentication notification messages. The Default message set includes all messages specified on the Global Authentication Service Settings page. Specify Group Name when Use Groups is selected as default for user accounts on the Global User Account Settings page. When a group name is entered, only that group can be associated with that specific user. The group information is then sent to the RADIUS client and the RADIUS client can be configured to use this information (managed as an attribute) for authentication. Group Name can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section. Edit the setting Framed IP when Use Framed IP is selected as default for user accounts on the Global User Account Settings page. See that section for more information. Framed IP can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section.

Account Notification Settings
Label Email Address SMS Mandatory No No Description Receiving email address of password/PIN messages. Receiving phone number (or email address, if configuring to send SSL Mobile Text OTP to user email addresses) of the OTP and the password/PIN messages. Set to Default by default.

Message Set

WatchGuard Authentication
Label Number of Retries Mandatory No Description Counter keeping track of the number of incorrect logon attempts. Default value is retrieved from the Global User Account General Settings page. Used to manually reset Number of Retries. Not selected by default. Not selected by default. If locked, the user will not be able to log on until the time defined in Time Lock Time-out on the Global User Account General Settings page is reached, or until you unlock the user account.

Reset Locked for the user account Time-lock activated

No No No

User Guide

109

Manage accounts and storage

WatchGuard SSL Mobile Text
Label Enable WatchGuard SSL Mobile Text for the user account Password Mandatory No Description Only available when editing a user account. Note selected by default. Mandatory when WatchGuard SSL Mobile Text is enabled, Generate Password is not selected, and the user’s linked SSL Mobile Text password cannot be found in the directory service. Verification of Password.

(Yes)

Verify Password

(Yes)

WatchGuard SSL Mobile Text Password Properties
Label Generate password Password never expires User cannot change password User must change password on next login Clear Password Mandatory No No No No Description Not selected by default. Not selected by default. Not selected by default. Not selected by default.

No

Only displayed if the password has been manually entered or generated (not if the directory service password is used or if the password is set through directory mapping). Not selected by default. Not selected by default.

Use password from directory service

WatchGuard SSL Web
Label Enable WatchGuard SSL Web for the user account Password Mandatory No Description Only available when editing a user account. Not selected by default. Mandatory when WatchGuard SSL Web is enabled, Generate Password is not selected, and the user’s linked Web password cannot be found in the directory service. Verification of Password.

(Yes)

Verify Password

(Yes)

110

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

WatchGuard SSL Web Password Properties
Label Generate password Password never expires User cannot change password User must change password on next login Clear Password Mandatory No No No No Description Not selected by default. Not selected by default. Not selected by default. Not selected by default.

No

Only displayed if the password has been manually entered or generated (not if the directory service password is used or if the password is set through directory mapping). Not selected by default.

WatchGuard SSL Challenge
Label Enable WatchGuard SSL Challenge PIN Mandatory Not selected by default. (Yes) Description Only available when editing a user account. Not selected by default. Mandatory when Challenge is enabled, Generate PIN is not selected, and the user’s linked Synchronized PIN cannot be found in the directory service. PIN must be 6 numerals. Verification of PIN.

Verify PIN

(Yes)

WatchGuard SSL Challenge PIN Properties
Label Generate PIN PIN never expires User cannot change PIN User must change PIN on next login Generate Seed Clear PIN Mandatory No No No No (Yes) No Description Not selected by default. Not selected by default. Not selected by default. Not selected by default. Mandatory when Synchronized is enabled. Selected by default. Only displayed if the PIN has been manually entered or generated (not if the PIN is set through directory mapping). Not selected by default.

User Guide

111

Manage accounts and storage

WatchGuard Password
Label Enable WatchGuard Password for the user account Password Mandatory No Description Only available when editing a user account. Not selected by default. Mandatory when WatchGuard Password is enabled, Generate Password is not selected, and the user’s linked password cannot be found in the directory service. Select Generate Password for an automatically created password. Password password must contain a minimum of 2 letters Verification of Password.

(Yes)

Verify Password

(Yes)

WatchGuard Password Properties
Label Generate password Password never expires User cannot change password User must change password on next login Clear Password Mandatory No No No No Description Not selected by default. Not selected by default. Not selected by default. Not selected by default.

No

Only displayed if the password has been manually entered or generated (not if the directory service password is used or if the password is set through directory mapping). Not selected by default. Not selected by default.

Use password from directory service

WatchGuard SSL Synchronized
Label Enable WatchGuard SSL Synchronized PIN Mandatory Not selected by default. (Yes) Description Only available when editing a user account. Not selected by default. Mandatory when Synchronized is enabled, Generate PIN is not selected, and the user’s linked Synchronized PIN cannot be found in the directory service. PIN must be 6 numerals. Verification of PIN.

Verify PIN

(Yes)

112

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

WatchGuard SSL Synchronized PIN Properties
Label Generate PIN PIN never expires User cannot change PIN User must change PIN on next login Generate Seed Clear PIN Mandatory No No No No (Yes) No Description Not selected by default. Not selected by default. Not selected by default. Not selected by default. Mandatory when Synchronized is enabled. Selected by default. Only displayed if the PIN has been manually entered or generated (not if the PIN is set through directory mapping). Not selected by default.

Notification
Label Label Notification Mandatory Mandatory No Description Description The displayed options depend on the system notification configuration and the SMS distribution configuration. Set to Screen by default. This setting is only displayed when Use Groups is selected as default for user accounts on the Global User Account Settings page. Framed IP is only displayed when Use Framed IP is selected as default for user accounts on the Global User Account Settings page.

Group Name

No

Framed IP

No

User Guide

113

Manage accounts and storage

Manage SSO settings
Depending on domain type attributes specified, different options are available for the specific user account. For the domain type text: User name used in the SSO Domain is an SSO Domain attribute A non-entered field results in a prompt for User Name when users access resources in the SSO domain. When Set to blank is selected, User Name is set intentionally blank and users are not prompted to enter credentials to access resources in the SSO domain. Password indicate password used in the SSO Domain. Note that a non-entered field results in a prompt for User Name when users access resources in the SSO domain. When Set to blank is selected, Password is set intentionally blank and users are not prompted to enter credentials to access resources in the SSO domain. For the domain type cookie: Cookie name and value Secure Domain

SSO Domain of the Type Text
Label Settings Last Saved Settings Last Used User Name Set to blank Referenced by Restriction Password Set to blank Referenced by Restriction Domain Set to blank Referenced by Restriction Mandatory No No No No No No No No No No No No No No Description Date and time when settings were last saved. Date and time when settings were last used. User name used in the SSO Domain. Only available when Referenced by is set to User Input. Automatically retrieved from the Domain Attributes tab in the SSO Domain section. Automatically retrieved from the Domain Attributes tab in the SSO Domain section. Password used in the SSO Domain. Only available when Referenced by is set to User Input. Automatically retrieved from the Domain Attributes tab in the SSO Domain section. Automatically retrieved from the Domain Attributes tab in the SSO Domain section. Domain used in the SSO Domain. Only available when Referenced by is set to User Input. Automatically retrieved from the Domain Attributes tab in the SSO Domain section. Automatically retrieved from the Domain Attributes tab in the SSO Domain section.

114

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

SSO Domain of the Type Cookie
Label Settings Last Saved Settings Last Used Cookie Name Referenced by Restriction Cookie Value Referenced by Restriction Cookie secure Referenced by Restriction Cookie domain Referenced by Restriction Mandatory No No No No No No No No No No No No No No Description Date and time when settings were last saved. Date and time when settings were last used. Cookie name used in the SSO Domain. Automatically retrieved from the Domain Attributes tab in the SSO Domain section. Automatically retrieved from the Domain Attributes tab in the SSO Domain section. Cookie value used in the SSO Domain. Automatically retrieved from the Domain Attributes tab in the SSO Domain section. Automatically retrieved from the Domain Attributes tab in the SSO Domain section. Cookie secure used in the SSO Domain. Automatically retrieved from the Domain Attributes tab in the SSO Domain section. Automatically retrieved from the Domain Attributes tab in the SSO Domain section. Cookie domain used in the SSO Domain. Automatically retrieved from the Domain Attributes tab in the SSO Domain section. Automatically retrieved from the Domain Attributes tab in the SSO Domain section.

User certificate
Certificates can be bound to specific users to be used for authentication with the authentication method User Certificate. You can replace or remove the certificate bound to the user account. To search for certificates, you can use one of two methods: Browse for the certificate in a file system, using the Browse button Enter the user attribute that holds the user’s certificate and search for the certificate in the user storage location

User Certificate
Label Upload from File System Locate in Directory Mandatory No No Description The file path to a user certificate to bind to the user. The attribute in storage where to get the user certificate to bind to the user.

User Guide

115

Manage accounts and storage

User groups
About user groups
User groups are used to categorize users. This categorization controls what a user can access, or what actions users must perform to enable certain access rights.

About user location group
User location groups contain all users existing under a specified node in the directory service structure. Use this type when users are stored in a location with structural significance. Example: ou=sweden,dc=thesecurecompany,dc=com The advantage of using User Location Groups is high performance, since no additional catalogue control is performed, however with decreased flexibility.

About user property group
User property groups contain user accounts with specified properties. Use this type when users have common properties that can be used for categorization, such as job function. In WatchGuard Administrator, these properties are managed as attributes. Each attribute contains a source, name, and value, and together they constitute a property. Available attribute sources are: User storage, Custom-defined, and RADIUS Session. The specified attribute value must match the attribute name returned from specified source type. When Custom-defined is selected, you can use the user attributes specified on the General Settings page for user accounts. The advantage of using User Property Groups is high performance with low administration.

About user group in directory service
Directory service groups contain all users belonging to a certain user group defined in your user storage. Use this type to integrate existing local user groups. The advantage of this approach is high flexibility with low administration, however with decreased performance compared with the other types.
This type cannot be added or modified.

For more information, see Manage user groups.

Manage user groups
To search for user groups, you enter the registered Display Name, or part of the name using the wildcard character *, and click Search. Max 50 user groups can be listed. If the search generates more than 50 user groups, a message is displayed advising you to perform a more specific search. When adding user groups, you first select which type of user group to add: User Property Groups or User Location Groups. The Add User Group wizard is adjusted to the type selected.

116

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

Manage user property groups
A User Property Group is defined by its attributes. You select the Attribute Source from a list containing User Storage Location, Custom-defined, and RADIUS session. Once the source is selected, you specify the Attribute Name and Value.

Manage user location groups
A User Location Group is defined by its location in the directory service structure. You specify the User Location DN which is the start base for user or user group searches in the directory service. You can enter the full distinguished name directly, or use the Show Tree link to browse to an existing location or parent location in your directory service structure to retrieve a full or partial DN. If you browse for the location DN, the root DN of the directory service is displayed in the browse window. You can also select root DN in a drop-down list. The DN is displayed with a + sign. If you click the + sign, you can navigate to the appropriate location in the directory service. Use the View Users link to view a list of all registered users in the selected location. In the list displayed, all registered users are listed with a WatchGuard Administrator user account Display Name when available. No Display Name indicates that the particular user does not have a corresponding user account. To register a user account, simply click the User ID to automatically launch the Add User Account wizard.

General Settings
Label Display Name Mandatory Yes Description Unique name used to identify the user group inside the system.

User Location Groups
Label Display Name Description User Location DN Mandatory Yes No No Description Unique name used to identify the user group inside the system. Describes the user group. Node in the directory structure where the users are located.

User Property Group
Label Display Name Description Attribute Source Attribute Name Mandatory Yes No No (Yes) Description Unique name used to identify the user group inside the system. Describes the user group. Type of attribute. Set to Directory Service by default. Attribute name defined in the directory service schema. Mandatory if Attribute Source is set to Directory Service or Custom-defined. All members of the group must have this attribute value.

Attribute Value

Yes

User Guide

117

Manage accounts and storage

User storage
About user storage
User storage is the external location where users are stored and used by the Policy Service as part of the authorization process. It is recommended that user accounts are linked to the user storage, to enable reuse of user information. To automatically add references (when authenticating a user, for example) to existing users and user groups in the directory service, you need to configure user storage. To setup user storage you need to specify the host for the directory service and define a set of search rules that enables the system to find users and user groups. You can specify several user storage locations in directory services of different brands and different vendors.

Search rules
Define the search rules that your directory service uses to match users and user groups. What rules that are the best for your organization depend on the directory structure your organization has selected and what user objects you want to use in your rules.

Directory mapping
Directory mapping is used to retrieve existing information in user storage using specified attributes. When used, you can reuse information such as passwords or email addresses without specifying them in the WatchGuard Administrator when creating or linking user accounts, for example. For more information, see Manage user storage.

Manage User Storage
General settings
You specify a host and secondary host, and an account (Distinguished Name (DN), ID or similar, depending on type of directory service) to an administrative account with read- and write permissions on the user storage. A DN is a string of entries, collected attribute types with values. Such as cn for common name or dc for domain controller. Example: cn=admin,dc=thesecurecompany,dc=com An ID can be an account name. Example: admin When SSL is enabled, you can select a CA Certificate from a list of registered CA Certificates. You can specify the time in seconds before the request to user storage is time-outed. Enter number of retries allowed. When Follow referrals is selected, referrals, i.e. links between different directory services or within the same directory service are followed.

118

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

Manage search rules
Which search rules to use depends on the directory structure of your organization, and on which user objects you want to use. Search rules are created by combining the following settings: Root DN The distinguished name of the search root from where the system will start to search for objects (users or user groups). If you want to use a specific sub-tree in your directory service, you can specify the sub-tree as the search root. Example: ou=people,dc=thesecurecompany,dc=com Use the Show Tree link to browse for the location DN, the root DN of the directory service is displayed in the browse window. You can also select root DN in a drop-down list. The DN is displayed with a + sign. If you click the + sign, you can navigate to the appropriate location in the directory service. Object Category/Object Class Name The object category (Active Directory) or object class name (other directory services) that users belong to. Please refer to your directory service documentation for additional information. Attribute Name The attribute name to be used when searching for users. The values differ depending on directory service used: Active Directory uses samaccountname, other directory services use uid. Refer to your directory service documentation for additional information. Example:
cn set to samaccountname when using Active Directory.

Member attribute name The member attribute name to use when searching for user groups. Example: member Search Scope Use the search scope when searching for users. Available options are: Object Level Searches for objects located on base level only One Level Searches for objects located directly below base, not including the base Sub-tree level Searches for objects located below base, not including the base

User Search Rule
Label User Root DN Mandatory Yes Description Distinguished Name of the start base, when searching for objects in the user storage.

User Guide

119

Manage accounts and storage

User Search Rule when Using MS Active Directory
Label Object Category Attribute Name Additional Filter Search Scope Mandatory Yes Yes No No Description Object Category users belong to. Set to user by default. Unique user attribute. Set to samaccountname by default. Filter used on the user search rule to specify what users to find. Search scope used when searching for objects in the selected user storage location. Set to Sub-tree Level by default.

User Search Rule when Using Other Directory Service
Label Object Category Attribute Name Additional Filter Search Scope Mandatory Yes Yes No No Description Object Class users belong to. Set to inetOrgPerson by default. Unique user attribute. Set to uid by default. Filter used on the user search rule to specify what users to find. Search scope used when searching for objects in the selected user storage location. Set to Sub-tree Level by default.

120

WatchGuard SSL 500 & SSL 1000

Manage accounts and storage

Manage directory mapping
Directory mapping is useful when creating or linking user accounts, for example. By specifying attributes used in your directory service, the information can be reused automatically. For example, by specifying the user storage attribute userPassword for the WatchGuard attribute Web Authentication Password, you are not required to specify or generate a password used for authenticating with the WatchGuard SSL Web authentication method. The user’s password is retrieved from the directory service and subsequently mapped.
All default mapping attributes are standard LDAP attributes.

Directory Mapping
Label Display Name Group Name Framed IP Notification email Address Notification SMS Mobile Text Authentication Password Web Authentication Password Challenge Authentication PIN Synchronized Authentication PIN Password Authentication password Mandatory No No No No No No No No No No Set to the standard LDAP attribute mail by default. Set to the standard LDAP attribute mobile by default. Set to the standard LDAP attribute userPassword by default. Set to the standard LDAP attribute userPassword by default. Set to the standard LDAP attribute userPassword by default. Set to the standard LDAP attribute userPassword by default. Set to the standard LDAP attribute userPassword by default. Description Set to the standard LDAP attribute displayName by default. Set to the standard LDAP attribute sn by default.

User Guide

121

Manage accounts and storage

122

WatchGuard SSL 500 & SSL 1000

9

Manage Resource Access

About resource access
The WatchGuard Administrator solution provides secure application access. Using a complex combination of resource management, identity management, and access control, WatchGuard Administrator enables users to access corporate applications from remote locations without compromising security. In WatchGuard Administrator, you register applications, folders and files, URLs – everything users need remote access to – as Web or tunnel resources. Web enabled applications are registered as Web resources, and clientserver applications that are not Web enabled are registered as tunnel resources. You then protect the resources with access rules, authorization settings and encryption levels to create seamless, secure access control. Users access the resources through the Access Point via the Web based WatchGuard Administrator Application Portal, or directly in a Web browser using shortcuts. You can collect resources that share logon credentials in Single Sign-On (SSO) domains, allowing users to enter their credentials once to access several resources. For added security, you can place the SSO functionality itself under access control. Access rules are also used to enforce the end-point security feature abolishment, enabling file deletion as well as cleaning of client cache and browser history on completion of the user session.

Access rules
Access rules consist of detailed requirements that users must conform to in order to be allowed access to resources. Available access rules range from authentication methods, user group membership, and date period, to client IP address, client assessment, and client device. You can specify general access rules available for all resources or SSO domains, access rules that apply to individual resources, as well as a global access rule that automatically applies to all resources and SSO domains.

Standard resources
In WatchGuard Administrator, a number of applications are available as pre-configured standard resources. The purpose of the standard resources is to facilitate registration. You create a standard resource using a wizard, which creates the applicable Web and/or tunnel resources for you.

User Guide

123

Manage Resource Access

Global Resource settings
About global resource settings
Global resource settings apply automatically to all resources in the system. The global settings are grouped in four categories: Internal proxy DNS name pool Filters Link translation For more information, see Manage global resource settings.

About internal proxy
You can specify addresses for internal proxies. The addresses are used when a resource is accessed via a cache or an ordinary proxy server. You can select to use NTLM v2 for HTTP and HTTPS proxies. If you experience authentication problems you may try to uncheck the use of NTLM v2. Proxies available for configuration are: Internal HTTP proxy HTTPS proxy TCP proxy The TCP proxy is used for the WatchGuard Access Client.

About DNS name pool
You configure the DNS name pool for the purpose of improving link translation, and for using multiple DNS domains. Multiple DNS domains allow several customers to be hosted on the same WatchGuard Administrator platform, and a single Access Point to serve multiple designs of logon pages as well as of the Application Portal. This feature is mainly useful for ASP solutions. The registered DNS names define the pool of available DNS names. To use multiple DNS domains, you define several DNS names for the Access Point.
All DNS names must also be registered in a public DNS server, or written to the hosts file on the client machine that uses the system.

When a user makes a request using a registered mapped DNS name, the Access Point looks up which server to connect to and which protocol to use and sends the request towards this server. WatchGuard Administrator supports three methods of DNS mapping: URL mapping The resource is mapped to a path instead of using a mapped DNS name Reserved DNS mapping The resource is mapped to a specific DNS name Pooled DNS mapping The resource is assigned a DNS name on first Access Point request towards an internal server You specify which method of DNS mapping to use when adding or editing a resource.

124

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

About filters
You can use filters to change content in specific pages or in requests for resources. You can apply a filter to a specific resource host or to all resource hosts. You apply the filter to requests or responses and to content or headers. For general filters, you can use variables instead of hard-coded values. You can add one or several variables, specified using name-value pairs, to each filter. The filters are written using scripts in a proprietary script language called WASCR and have the file suffix .wascr. Scripts are located in <WatchGuard installation folder>\Access Point\built-in files\scripts\ An example of how filters with variables can be used is displayed below. Example:

<APPLET code=com.function.class archive=applet.jar> <param name=address value=1.2.3.4> </APPLET>
In the example above, the value of the parameter address should be replaced with another value, depending on what path this page is downloaded from. If it is downloaded from the path /telnet.html, the parameter value should be replaced with 192.168.0.7. If the page is downloaded from the path /ftp.html, the value should be 192.168.0.23. Follow the steps below to set up your WASCR script to handle this. 1. Use a script that replaces the value with a variable called ip_address. 2. Add a filter and configure the path to /telnet.html. Add a variable to the filter, with variable name ip_address and value 192.168.0.7. 3. Add another filter with the path /fpt.html, and add a variable with variable name ip_address and value 192.168.0.23. As a result, when accessing the /telnet.html the address parameter is replaced with 192.168.0.7, and when accessing the /ftp.html page the address parameter is replaced with 92.168.0.23.

About link translation
Link translation is used to ensure that all traffic to registered Web resource hosts are routed through the Access Point, which in turn enables use of SSL and a secure connection. With link translation, Web resource host are as secure as a tunnel resource host. When a user connects to a page on a server via the Access Point, all absolute and (depending on link translation type) semi-relative links to other servers are translated to point to the Access Point. Translated, or re-written, links contain information about the original server and what protocol to use. For example, when users enter a URL to a registered Web resource, for example http://www.aWebPage.com/ start.asp, the Access Point recognizes the link and automatically rewrites, or translates, the URL to https:/ /<AccessPoint>/http://www.aWebPage.com/start.asp. A link can sometimes be divided into subsets, for example by protocol, host, and URI, and then dynamically put together to form a link by the browser. In that case, the Access Point cannot establish if it is a link or not and consequently cannot translate it. To solve this issue, DNS mapping is used. A DNS name or an IP address pointing to the Access Point is mapped to an internal host and protocol: a mapped DNS name.

User Guide

125

Manage Resource Access

All mapped DNS names are added to a DNS name pool. From there, you select to map Web hosts to DNS names using one of two methods: Reserved DNS mapping When using Reserved DNS mapping, the Web resource is mapped to a specific DNS name in the DNS name pool. Pooled DNS mapping When using Pooled DNS mapping, the Web resource is assigned the first available DNS name from the DNS name pool. This is performed once per session.

Manage Global Resource Settings
Global resource settings are managed on the Manage Global Resource Settings page in the Manage Resource Access section of WatchGuard Administrator.

Manage global resource settings
Global resource settings are managed on the Manage Global Resource Settings page in the Manage Resource Access section of WatchGuard Administrator.

General settings
General settings include the addresses used for internal proxies. These are defined by specifying host and port. Internal proxies available for configuration are: Internal HTTP proxy HTTPS proxy TCP proxy

Internal HTTP Proxy
Label Host Port Mandatory No No Description IP address or the DNS name of the HTTP proxy or cache Proxy port connection via the HTTP protocol

Internal HTTPS Proxy
Label Host Port Mandatory No No Description IP address or DNS name of the HTTPS proxy or cache Proxy port connection via the HTTPS protocol

Internal TCP Proxy
Label Host Port Mandatory No No Description IP address or DNS name of the proxy for Access Clients Proxy port connection for Access Client traffic

126

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Filters
Define which script to use in the filter by specifying the applicable script name, excluding the file ending .wascr. Note that the file must be stored in one of the following folders: <WatchGuard installation folder>/files/access-point/built-in-files/scripts <WatchGuard installation folder>/files/access-point/custom-files/scripts The filter can be applied to individual resources, or all resource hosts. Optionally, you can define if the filter should be applied to requests or responses, as well as if it should be applied to content or headers. Path When specifying path to the files to be filtered, the wildcard character * can be used. Example: /exchange/* /index.html * Content Type When defining which content type to filter, the wildcard character * can be used. Example: text/html application/x-javascript text/* *

General Settings
Label Script Name Mandatory Yes Description The name of the filter file, stored in the folder files/customfiles/scripts or files/built-in-files/scripts or files/customfiles/scripts or files/custom-files/scripts Available options are: Request and Response. Set to Request by default. Set to All Resource Hosts by default. Path to the files to be filtered. The wildcard character * is supported. Set to * by default. Filtered content type. The wildcard character * is supported. Available options are: Headers and Content. Set to Content by default.

Type of filter Resource Host Path

No Yes Yes

Content Type Apply Filter To

Yes No

Variables
Label Name Value Mandatory Yes Yes Description Name of the variable Value of the variable

User Guide

127

Manage Resource Access

Link translation
In the Link Translation section of the global resource settings, you specify which headers and content types that will be filtered and checked for link translation. Available headers and content types are: Request headers Response headers Request content types Response content types Request Headers Defines the request headers that should be filtered and checked for link translation before sending the request to the internal host. Headers listed must be one-valued. If not, the first value is translated and the second is deleted. Set to the following headers by default: Destination Referrer Response Headers Defines the response headers that should be filtered and checked for link translation before sending the request to the client. Headers listed must be one-valued. If not, the first value is translated and the second is deleted. Set to the following headers by default: Location Content-Base Content-Location Content Location Request Content Types Specify request content types that should be link translated. The string NOT_DEFINED can be entered, defining that if no content type is sent it should be translated anyway. Request content types are set to the following content types by default: text/html application/x-javascript text/vnd.wap.wml text/xml text/css Response Content Types Specify response content types that should be link translated. The string NOT_DEFINED can be entered, defining that if no content type is sent it should be URL translated anyway. Response content types are set to the following content types by default: text/html application/x-javascript text/vnd.wap.wml text/xml text/css

128

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Link Translation
Label Request Headers Mandatory No Description Request headers that are filtered and checked for link translation if the destination host is configured to translate request headers. Set to Destination and Referrer by default. Response headers that are filtered and checked for link translation if the host sending the response is configured to translate response headers. Set to Location, Content-Base, and Content-Location by default. Defines the content types filtered for requests. Set to text/html, application/x-javascript, text/ vnd.wap.wml, text/wml, and text/css by default. Defines the content types filtered for responses. Set to text/html, application/x-javascript, text/ vnd.wap.wml, text/xml, and text/css by default.

Response Headers

No

Request Content Types Response Content Types

No

No

DNS Names for Access Point
A DNS name for the Access Point is defined by a host name and relative file path towards the content of the wwwroot (the HTML interface) that should be displayed when using the corresponding DNS name. It is strongly recommended that the host name is defined as a DNS name, but for testing purposes the host name can also be defined as an IP address. Example: DNS Name for WatchGuard Access Point (default) access.thesecurecompany.com www.vpn.company.com WWWRoot wwwroot wwwroots/thesecurecompany wwwroots/company

The first DNS name in the example above is pre-configured in the system and available by default. It cannot be edited or deleted.

User Guide

129

Manage Resource Access

DNS Name Pool
In previous releases, the first name in the DNS name pool was used as the Access Point DNS name. This is no longer the case, DNS name for Access Point now replaces the need to use the first name in the pool. Entries in the DNS Name Pool must end with the same string as an entry in DNS Names for Access Point. If not, the pooled DNS name will never be used. For example, there is little use to add www1.company.com to the DNS Name Pool if you do not have a corresponding entry that ends with .company.com in DNS Name for WatchGuard Access Point. Example: vpn1.thesecurecompany.com vpn2.thesecurecompany.com www1.company.com www2.company.com

Add DNS Name for Access Point
Label DNS Name WWW Root Mandatory No No Description Not available for editing

Add DNS Name to Pool
Label DNS Name Mandatory No Description DNS name added to the pool.

130

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Standard resources
About standard resources
In WatchGuard Administrator, a number of commonly used applications are available as partly pre-configured standard resources. Standard resources are provided for your convenience, to facilitate registration. Instead of creating ordinary Web or tunnel resource hosts for these applications, you use a wizard to create the resources with a minimum of manual configuration. Different settings as well as applicable Web and/or tunnel resources are created automatically when the wizard is completed. The following applications are available as standard resources: File Sharing Resources Microsoft Windows File Share Access to Home Directory Mail IMAP/SMTP POP3/SMTP Outlook Web Access 5.5 Outlook Web Access 2000 Outlook Web Access 2003 Outlook Web Access 2007 MS Outlook Client 2000/2003/2007 Portal Resources Citrix Metaframe Presentation Server Microsoft SharePoint Portal Server 2003 ThinLinc WatchGuard Resources Secure Remote Access to Administrator Remote Controlling Resources Microsoft Terminal Server 2000 Microsoft Terminal Server 2003 Other Web Resources SalesForce For more information, see Manage standard resources.

Manage standard resources
Standard resources are created on the Standard Resources page in the Manage Resource Access section of the WatchGuard Administrator. You create a standard resource by using an Add Standard Resource wizard. After completing the wizard, applicable Web and/or tunnel resources are created. Consequently, once a resource has been registered as a standard resource, it is added to and managed in the Manage Web Resources versus Manage Tunnel Resources sections of the WatchGuard Administrator.

Common Standard Resource Settings
All resources require a Display Name. The display name is the name used to identify the resource in the WatchGuard network. You may also specify a Description for the Standard Resource which can be used as reference description if there are several Resources defined of the same type.

User Guide

131

Manage Resource Access

Special Settings
These are the settings that differ between the Standard Resources. For information on how to define each Standard Resource Type, see Standard Resources Settings.

Application Portal Settings
You can select to make the standard resource host available in the Application Portal. You then specify an icon to represent the resource. An icon library provides a range of icons to choose from, but you can also browse to a desired image file. The icon must be of the type .gif, .jpeg, or .png and must not exceed 10kB in size. In addition, you enter a link text accompanying the icon in the Application Portal. All link texts in the Application Portal are displayed alphabetically, which provides a possibility to organize the order in which the resources are presented. For each resource specified to be displayed in the Application Portal, a corresponding Application Portal item is automatically created. The Application Portal item is displayed and can be edited or deleted on the Manage Application Portal page in the Manage Resource Access section of the WatchGuard Administrator.

Access Rules
See Manage Access Rules.

Common Settings
Label Enable Resource Make resource available in Application Portal Icon Mandatory No No Description Selected by default. Selected by default.

(Yes)

Path to the image file that symbolizes the standard resource in the Application Portal. Mandatory when Make resource available in Application Portal is selected. Text that represents the Standard Resource in the Application Portal. Mandatory when Make resource available in Application Portal is selected.

Link Text

(Yes)

132

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Citrix MetaFrame Presentation Server
Configuration of a standard resource for Citrix MetaFrame Presentation Server includes the settings described below.

Citrix Web Server
You configure host and HTTP port for the Citrix Web Server. Host is specified as an IP address. When used in tunnel sets, Virtual IP Address is set to this address by default. HTTP port defines the HTTP port for the Citrix MSAM Web server traffic. When the standard resource uses a non-default HTTP port (other than 80), the port must be added to registered alternative hosts. Example: citrixweb.watchguard.com:8080 If the default port (80) is used, make sure the alternative host contains the server name without port. Example: citrixweb.watchguard.com The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource Host page.

Citrix MetaFrame Server
You can configure up to three Citrix MetaFrame servers. For each server, you specify host (IP address). Dynamic Tunnels will be added to each server using ports 1494 and 2598.

Automatically Configured Settings
When the standard resource Citrix MetaFrame Presentation Server is registered, the following settings are automatically configured: Web resource host for the Citrix Web server Display name for the Web resource host One or several tunnel resource hosts for the Citrix MetaFrame Server(s) Display name(s) for the tunnel resource host(s) The setting Forward cookie between client and resource is enabled Tunnel set including the tunnel resources with ports 1494 and 2598 predefined Display name Host: host=tcp:host address:port Redirect URL: redirect=/wa/http/nfuse Label Host Mandatory Yes Description Citrix MetaFrame server IP address. When used in tunnel sets, Virtual IP Address is set to this address by default. HTTP port for the Citrix MSAM Web server traffic. Set to 80 by default. Citrix MetaFrame server IP address. When used in tunnel sets, Virtual IP Address is set to this address by default. When used in tunnel sets, Virtual IP Address is set to this address by default. When used in tunnel sets, Virtual IP Address is set to this address by default.

HTTP Port Citrix MetaFrame Server 1 Citrix MetaFrame Server 2 Citrix MetaFrame Server 3

Yes Yes

No No

User Guide

133

Manage Resource Access

Thinlinc Application Server
Configuration of a standard resource for Thinlinc Application Server includes the settings described below.

Thinlinc Web Server
You configure host and HTTPS port for the Thinlinc Web Server. Host is specified as an IP address. HTTPS port defines the HTTPS port for the Thinlinc Web server traffic. When the standard resource uses a non-default HTTPS port (other than 443), the port must be added to registered alternative hosts. Example: thinlincweb.watchguard.com:443 If the default port (443) is used, make sure the alternative host contains the server name without port. Example: thinlinc.watchguard.com The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource Host page.

Thinlinc Application Server
You can configure up to three Thinlinc Application servers. For each server, you specify host (IP address). Dynamic Tunnels will be added to each server using port 22.

Automatically Configured Settings
When the standard resource Thinlinc Application Server is registered, the following settings are automatically configured: Web resource host for the Thinlinc Web server Display name for the Web resource host One or several tunnel resource hosts for the Thinlinc Application Server(s) Display name(s) for the tunnel resource host(s) Tunnel set including the tunnel resources with port 22 predefined Display name Host: host=tcp:host address:port Label Host Mandatory Yes Description Thinlinc Web server IP address. When used in tunnel sets, Virtual IP Address is set to this address by default. HTTPS port for the Thinlinc Web server traffic. Set to 443 by default. Thinlinc Application server IP address. Thinlinc Application server IP address.. Thinlinc Application server IP address.

HTTP Port Thinlinc Application Server 1 Thinlinc Application Server 2 Thinlinc Application Server 3

Yes Yes No No

134

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Domino Web Access 6.5
Configuration of a standard resource for Domino Web Access 6.5 includes the settings described below.

General Settings
You specify host and HTTP or HTTPS ports for Domino Web Access. Host defines the IP address or DNS name of the Domino Web Access host. HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the Web resource uses a non-default HTTP port (other than 80) or HTTPS port other than 443, the port must be added to registered alternative hosts. Example: www.watchguard.com:8080 If the default port is used, make sure the alternative host contains the server name without port. Example: www.watchguard.com The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource Host page.

Automatically Configured Settings
When the standard resource Domino Web Access 6.5 is registered, the following settings are automatically configured: Web resource host for the Domino server Display name for the Web resource host

Domino Web Access 6.5
Label HTTP Port HTTPS Port Mandatory (Yes) (Yes) Description Either HTTP Port or HTTPS Port is mandatory. Set to 80 by default. Either HTTP Port or HTTPS Port is mandatory.

Terminal Server 2000/Terminal Server 2003
Configuration of a standard resource for Terminal Server 2000 and 2003 includes the settings described below.

Special Settings
You specify host and port for the Terminal Server 2000 or 2003. Host defines the IP address or DNS name of the Terminal Server host. Port defines the port for Terminal Server TCP. Several port numbers or a range of port numbers can be entered, separated with a comma sign. Default port is 3389. You can also select to use Dynamic or Static tunnels. Please see the Tunnel Configuration Settings for further information on the difference between Dynamic and Static Tunnels.

Automatically Configured Settings
When the standard resource Terminal Server 2000 or 2003 is registered, the following settings are automatically configured: Tunnel resource for the Terminal Server Display name for the tunnel resource Tunnel set including the tunnel resource

User Guide

135

Manage Resource Access

Terminal Server 2000/2003
Label Host Port Tunnel Type Mandatory Yes Yes Yes Description IP address to the Terminal Server host Port for Terminal Server TCP. Set to 3389 by default. Use Dynamic or Static tunnels

Outlook Web Access 2000/Outlook Web Access2003/Outlook Web Access 5.5
Configuration of standard resources for Microsoft Outlook Web Access 2000, Microsoft Outlook Web Access 2003, Microsoft Outlook Web Access 2007, and Microsoft Outlook Web Access 5.5 includes the settings described below.

Special Settings
You specify host and HTTP or HTTPS ports for Outlook Web Access. Host defines the IP address or DNS name of the Outlook Web Access host. HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the Web resource uses a non-default HTTP port (other than 80) or HTTPS port other than 443, the port must be added to registered alternative hosts. Example: mail.watchguard.com:8080 If the default port is used, make sure the alternative host contains the server name without port. Example: mail.watchguard.com The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource Host page.

Automatically Configured Settings
When the standard resources Microsoft Outlook Web Access 2000, Microsoft Outlook Web Access 2003, Microsoft Outlook Web Access 2007, Microsoft Outlook Web Access 5.5 are registered, the following settings are automatically configured: Resource host for the Exchange Server Display name for the resource host

Outlook Web Access 2000/2003/2007
Label Host HTTP Port HTTPS Port Mandatory Yes (Yes) (Yes) Description IP address or DNS name of the Outlook Web Access host. Either HTTP Port or HTTPS Port is mandatory. Set to 80 by default Either HTTP Port or HTTPS Port is mandatory.

136

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Microsoft Outlook Client 2000/2003/2007
Configuration of a standard resource for Microsoft Outlook Client 2000/2003/2007 includes the settings described below.

Special Settings
You specify host and port for the Microsoft Outlook Client 2000/2003/2007. Host defines the IP address or DNS name of the Exchange Server host. Port defines the port for the MAPI Exchange. Several port numbers or a range of port numbers can be entered, separated with a comma sign. Set to 1-65535 by default.

Automatically Configured Settings
When the standard resource Microsoft Outlook Client 2000/2003/2007 is registered, the following settings are automatically configured: Tunnel resource for the Exchange server Display name for the tunnel resource Support for all TCP and UDP ports for the range 1-65535 Tunnel set including the tunnel resource

MS Outlook Client 2000/2003/2007
Label Host TCP Port Set UDP Port Set Mandatory Yes Yes No Description IP address to the Exchange Server host. Port for the MAPI Exchange. Set to 1-65535 by default. Port for the MAPI Exchange. Set to 1-65535 by default.

POP3/SMTP
Configuration of a standard resource for a POP3/SMTP mail server includes the settings described below.

Special Settings
You specify host and port for the POP3/SMTP mail server. Mail Server Address defines the IP address or DNS name of the POP3/SMTP mail server. Startup command is the command used to start the local mail client. You can also select to use Dynamic or Static tunnels. Please see the Tunnel Configuration Settings for further information on the difference between Dynamic and Static Tunnels

Automatically Configured Settings
When the standard resource POP3/SMTP is registered, the following settings are automatically configured: Tunnel resource for the POP3/SMTP server Display name for the tunnel resource Support for all TCP ports 25 and 110 Tunnel set including the tunnel resource

POP3/SMTP
Label Mail Server Address Startup Command Tunnel Type Mandatory Yes No Yes Description Host address to the Mail Server host. Startup Command used to start the client Use Dynamic or Static tunnels, Dynamic by default

User Guide

137

Manage Resource Access

IMAP/SMTP
Configuration of a standard resource for a IMAP/SMTP mail server includes the settings described below.

Special Settings
You specify host and port for the IMAP/SMTP mail server. Mail Server Address defines the IP address or DNS name of the IMAP/SMTP mail server. Startup command is the command used to start the local mail client. You can also select to use Dynamic or Static tunnels. Please see the Tunnel Configuration Settings for further information on the difference between Dynamic and Static Tunnels

Automatically Configured Settings
When the standard resource IMAP/SMTP is registered, the following settings are automatically configured: Tunnel resource for the IMAP/SMTP server Display name for the tunnel resource Support for all TCP ports 25,143,993 Tunnel set including the tunnel resource

IMAP/SMTP
Label Mail Server Address Startup Command Tunnel Type Mandatory Yes No Yes Description Host address to the Mail Server host. Startup Command used to start the client Use Dynamic or Static tunnels, Dynamic by default

Windows File Share
Configuration of a standard resource for Windows File Share includes the settings described below.

Special Settings
You specify host, share, and drive letter for the standard resource. Host defines the IP address or DNS name of the host. Share defines the share to connect to on the file server. Drive letter (optional) defines the preferred drive to map on to the client.

Automatically Configured Settings
When the standard resource Windows File Share is registered, the following settings are automatically configured: Tunnel resource for the file share server Support for TCP and UDP ports for the range 137-139, 445 Tunnel set including a dynamic tunnel to the tunnel resource, mapped drive, and startup command

Windows File Share
Label Host Share Drive Letter Mandatory Yes Yes No Description IP address or DNS name of the host. Share to connect to on the file server. Preferred drive to map on to the client. From A: to Z: Set to None by default

138

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Access to Home Directory
Configuration of a standard resource for Access to Home Directory includes the settings described below.

Special Settings
You specify the host for the standard resource. The host defines the IP address or DNS name of the host.

Automatically Configured Settings
When the standard resource Access to Home Directory is registered, the following settings are automatically configured: Tunnel resource for the file share server Support for TCP and UDP ports for the range 137-139, 445 Tunnel set including a dynamic tunnel to the tunnel resource, mapped drive, and startup command

Access to Home Directory
Label Host Mandatory Yes Description IP address or DNS name of the host.

Secure Remote Access to Administrator
Configuration of a standard resource for Secure Remote Access to Administrator includes the settings described below.

Special Settings
You specify host and HTTP or HTTPS ports for Secure Remote Access to Administrator. Host defines the IP address or DNS name of the Administration Service host. HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the Web resource uses a non-default HTTP port (other than 80) or HTTPS port other than 443, the port must be added to registered alternative hosts. Example: www.watchguard.com:8080 If the default port is used, make sure the alternative host contains the server name without port. Example: www.watchguard.com The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource Host page.

Automatically Configured Settings
When the standard resource Secure Remote Administrator Access is registered, the following settings are automatically configured: Web resource host for the Administration Service Display name for the Web resource host

Secure Remote Access to Administrator
Label Host HTTP Port HTTPS Port
User Guide

Mandatory Yes (Yes) (Yes)

Description IP address to the Administration Service host Either HTTP Port or HTTPS Port is mandatory. Set to 80 by default. Either HTTP Port or HTTPS Port is mandatory.
139

Manage Resource Access

SalesForce
Configuration of a standard resource for SalesForce includes the settings described below.

Special Settings
No special settings are required for this Standard Resource. It will use the default HTTP connection towards the SalesForce servers.

Automatically Configured Settings
When the standard resource SalesForce is registered, the following settings are automatically configured: Web resource host for www.salesforce.com

SalesForce
Label Host HTTP Port HTTPS Port Mandatory Yes (Yes) (Yes) Description IP address to the Administration Service host Either HTTP Port or HTTPS Port is mandatory. Set to 80 by default. Either HTTP Port or HTTPS Port is mandatory.

Web Resources
About Web Resources
Web resources are applications with a Web interface, or any files accessible in a Web browser. A Web resource has a resource host (or root) which may have one or several paths connected to it. A resource host defines a HTTP or HTTPS server based on a URL. A resource path defines a subset of a Web server, if you want to restrict user access for that subset only. Example: Host: https://www.watchguard.com Path: https://www.watchguard.com/securefolder/securepage.htm When using Web resource paths, you can set your own security levels with access rules for specific applications and files. You can also choose to allow Web resource paths to derive its authorization settings (consisting of access rules and advanced settings) from the parent Web resource host or path.

Single Sign-On
When SSO is enabled and used, it performs a POST or a GET request to a URL. The form data usually contains a user name and a password together with some static fields. The variables [$username], [$password], and [$domain] are replaced by the stored user name, password and NTLM domain from the SSO database. If the back-end server requires the logon request to contain specific headers, these can be supplied as additional headers. Example: User-Agent: Mozilla/4.6 Enterprise Edition (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) Accept: */*

140

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Manage Web resource hosts
Registered Web resource hosts and paths are listed on the Manage Web Resources page in the Manage Resource Access section of the WatchGuard Administrator. You can add, edit, and delete Web resource hosts and paths. A first Web resource, the Access Point root path, was added to the Manage Web Resources section of the system during the Setup System wizard, when the Access Point resource host was registered. The Access Point root path cannot be deleted. In addition, a number of settings can be specified globally to apply to all Web resources as well as tunnel resources. This is configured in the Manage Global Resource Settings section of Manage Resource Access. Global resource settings cover internal proxy settings, mapped DNS names, filters, and link translation.

General settings
Configuration of a Web resource host includes settings described below.
The Web resource host Display Name is also used for link translation in the Access Point, that is as part of the translated, or rewritten, link. Because of this, Display Name cannot contain characters such as commas or semi-colons, for example. Supported characters in display names are: A-Z, a-z, 0-9, and non-alphanumeric characters (for example: !, $, #, or %).

HTTP Port/HTTPS Port and Alternative Hosts
HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the Web resource uses a non-default HTTP port (other than 80) or HTTPS port other than 443, the port must be added to registered alternative hosts. Example: www.watchguard.com:8080 If the default port is used, make sure the alternative host contains the server name without port. Example: www.watchguard.com The alternative host is registered as an IP address or DNS name.

Single-Sign On
If you have registered Single Sign-On domains, you can enable SSO for the Web resource host. Depending on the domain types of the registered SSO domains, you can select SSO domain type text, cookie (text is selected by default) or Adaptive SSO and then select which SSO domain to use. If you select Adaptive SSO you can also select to create a new SSO Domain that will be used for this Resource. See more Information about Adaptive SSO below. If you select domain type text and will use form-based SSO, additional configuration regarding the logon form to the resource host and the form response message is required. The logon form is added to the resource host to enable form-based SSO. Configuration of the logon form includes whether SSO should perform POST or GET when triggered, the URL to GET or POST data to, as well as form data sent to the server. A form response message can be used to determine whether a logon was successful or not. Configuration of the form response message, that will appear when the user has logged on or failed to log on, includes a URL to which the response from the form should be sent, and a text string form response used to decide if the authentication is successful or unsuccessful.

User Guide

141

Manage Resource Access

General Settings
Label Enable resource Display Name Description Host HTTP Port HTTPS Port Mandatory No Yes No Yes (Yes) (Yes) Description Selected by default Unique name used in the system to identify the Web resource host. Describes the Web resource host. IP-address or a DNS name for the host. Either HTTP Port or HTTPS Port is mandatory. Set to 80 by default. Either HTTP Port or HTTPS Port is mandatory.

Adaptive Single-Sign On
Adaptive SSO does not need to be configured because it configures itself. You only need to apply it on a resource and choose a SSO-domain to use - exactly the same way as you do with text based SSO. The functionality of Adaptive SSO differs from the old Form Based SSO in the following ways: The first time a user accesses the resource, the system will learn the configuration of it. The user will never be presented the WatchGuard standard form Additional Authentication Required, as with Text and old Form Based. Instead, the user will see the original HTML form as if there where no SSO configured. The second time the same user accesses the resource, he or she will not see the login page but be forwarded directly as if he/she had filled in the user name/password and pressed Submit. When another user that lacks SSO credentials accesses the resource he/she will also see the back end server’s form, as if no SSO was configured, but when he/she has filled in the credentials on the page, they will be stored in his/her SSO-domain in the directory. The first time a user is timed out or presented a relogin page, the system learns the new URL that is likely to present a relogin page. The second time a user is timed out, he will not see it but be automatically re-logged in. The detailed configuration is automatically detected by the Access Point as the first user accesses the resource. This information is collected in a file located at the Access Point: config/ FormBasedLearning.txt. In load balanced mode, this file is synched between the Access Points in the system, using the native load balancing protocol that Access Point uses to mirror sessions. The file is not synched with the Administration Service. If a user is timed out from the back end server, Access Point will hide the re-authentication form from the user and automatically relogin the user. If the form contains hidden state parameters, Access Point will merge those state parameters into the POST request. This is not possible with the old Form Based SSO. For example, if a user tries to access a perl-desk URL targetting a special PD ticket, Perldesk redirects the user to a login page with a hidden parameter telling where the user where about to go before login was requested. With Adaptive SSO, this information will be taken care of in the auto-generated POST request so that the user gets redirected to the requested PD ticket.

142

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

SSO Settings
Label Enable Single Sign-On SSO Type Mandatory No (Yes) Description Not selected by default. Available options are: Text Cookie Form Based Adaptive SSO Mandatory when Enable Single Sign-On is selected. Set to Text by default. Lists registered SSO Domains in the system. Mandatory when Enable Single Sign-On is selected. If Adaptive SSO is selected there is also an option create new domain which will give the opportunity to create a new domain. Name of new SSO Domain created for Adaptive SSO.

SSO Domain

(Yes)

New SSO Domain Name

(Yes)

Limitations
Access Point makes the best effort to find out which parameter is user name, password and eventually domain, and stores the autoconfigurated parameters in the FormBasedLearning.txt file. However, some HTML pages uses javascripts to copy contents from one form to another or from a password field into a hidden field before the actual submit is performed. In those cases, Access Point’s autoconfigurated FormBasedLearning will be incorrect and the SSO will only work for one single user, or for no user at all. It is therefore recommended to test the SSO by logging in with two different accounts before being certain that the autoconfiguration is correct. If not correct, the FormBasedLearning.txt file can be altered manually. Se below how to do that. Sometimes a login form got hidden fields that is filled by a javascript with client-specific information such as screen resolution etc. These parameters will be defined by the user that learns the system the first time. So if the screen resolution of the first user is 1600x1200, all users will seem to have this resolution. There is no simple work around for this. The old Form Based SSO has the same limitation. If the user has an empty password at the back end system, Adaptive SSO will be unable to learn the credentials.

User Guide

143

Manage Resource Access

Troubleshooting (FAQ)
I have enabled Adaptive SSO on a resource, but I don’t get SSO to work? When you test it with a browser, make sure that the resource is always accessed through WatchGuard Administrator - i.e. that your browser is never redirected outside WatchGuard Administrator while accessing the resource. If your browser is redirected, the resources are not correctly configured. You may have to add more resource hosts to the system or you may add addresses to the additional host names. There is a debug log called hyperlinks.log under access-point/logs/debug, in which you can see which hosts are resolved and which are foreign. You may have to add a new resource host based on the information of a foreign host in hyperlinks.log. Make sure that the login page is part of the resource that you have enabled SSO for. If you are not certain, you may try to enable Adaptive SSO on the resource host (the root) rather than on the resource path. SSO works but when I’m timed out from the resource I do not get re-authenticated automatically. Make sure the relogin page is delivered from a URL whose resource is set to use Adaptive SSO. If not certain, use Adaptive SSO on the resource root rather than on the resource path. SSO works, but sometimes when I log out from the back end server, I come to the login page and sometimes the login page is hidden for me and I just get relogged in automatically directly after a logout. This works as designed. However, You can hide the logout link using a filter script to prevent this behavior. The reason why the relogin page is sometimes shown and sometimes not, is due to the time it takes from you logging on to the resource and logging off. If you click the resource, wait for 30 seconds and then logout, you will be automatically logged in back again. But if you wait less than 30 minutes, you will see the login page after logging out. The reason for this is to prevent the SSO from getting stuck in the vinkelvolt - Adaptive SSO never knows whether your credentials are correct or not, so if they are not correct, the user must be able to see the login page and enter the new valid credentials. I have manually changed the FormBasedLearning.txt file as described. It worked fine for a while. But after some time, it seems to have forgotten my manual settings. Users no more get access to the back end system. Access Point will reset the learning for a resource if it stops working correctly. This will happen in one of the following scenarios: the back end server responds with a HTTP 404, or a HTTP 405, as a response to the POST the resource host pointed out by formActionURL has been removed from the resource list in RemoteConfiguration. The reason why your manual changes disappeared was thereby due to a change on the back end server or due to a change in the resource configuration. You will have to redo the manual changes in FormBasedLearning.txt.

144

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Application Portal Settings
You can select to make the Web resource host available in the Application Portal. You then specify an icon to represent the resource. An icon library provides a range of icons to choose from, but you can also browse to a desired image file. The icon must be of the type .gif, .jpeg, or .png and must not exceed 10kB in size. In addition, you enter a link text accompanying the icon in the Application Portal. All link texts in the Application Portal are displayed alphabetically, which provides a possibility to organize the order in which the resources are presented. For each Web resource specified to be displayed in the Application Portal, a corresponding Application Portal item is automatically created. The Application Portal item is displayed and can be edited or deleted on the Manage Application Portal page in the Manage Resource Access section of the WatchGuard Administrator. Alternative Hosts Alternative hosts are required for link translation to function properly. You can define one or several alternative hosts for the Web resource host. The alternative host is specified as an IP address or a DNS name. When the Web resource uses a non-default HTTP port (other than 80) or uses an HTTPS port other than 443, the port must be added as an alternative host. Example: www.watchguard.com:8080 If the default port is used, the alternative host must contain the server name without port. Example: www.watchguard.com Label Make resource available in Application Portal Icon Mandatory No Yes Description Selected by default. Path to the image file that symbolizes the Web resource host in the Application Portal. Mandatory when Make resource available in Application Portal is selected. Text that represents the Web resource host in the Application Portal. Mandatory when Make resource available in Application Portal is selected.

Link Text

Yes

Access rules
See Manage Access Rules.

User Guide

145

Manage Resource Access

Advanced settings
The following advanced settings are available for the Web resource host. All advanced settings are optional.Link Translation.

Access Settings
Link Translation You set link translation type used: URL mapping, Pooled DNS Mapping or Reserved DNS Mapping. By default, a Web resource is set to not use a mapped DNS name. You can only assign reserved mapped DNS names that are not used for any other Web resource. When selecting Pooled DNS Mapping, the resource is automatically assigned a DNS name when it is used. When selecting Reserved DNS Mapping, you select among available DNS names displayed in a list to specify a DNS name for a resource. Server DNS Name You can specify a host header used in the communication with the internal server. If a specific server DNS name is not defined, the host address (the connect address) is used. Cookies You have the option to forward cookies between client and resource. When the option is selected, cookies are allowed to pass through from the client to the resource and back. When not selected, all cookies are stopped at the Access Point. When forwarding cookies, you need to specify a list of cookies to either allow or block (or use the wildcard character * to allow or block all). If allowed, the cookies pass through from the client to the resource and back. If blocked, cookies are stopped at the Access Point. NTLM v2 Use NTLM v2 if possible.

Advanced Access Settings
Label Link Translation Type Mandatory No Description Available options are: URL Mapping Pooled DNS Mapping Reserved DNS Mapping Set to URL Mapping by default. Only available when editing a Web resource. Specified DNS name for the resource when applicable. Mandatory when HTTP Port is entered on the General Settings page, and Reserved DNS Mapping is selected in Link Translation Type. Only available when editing a Web resource. Specified DNS name for the resource when applicable. Mandatory when HTTPS Port is entered on the General Settings page, and Reserved DNS Mapping is selected in Link Translation Type. Host header used in the communication with the internal server. Not selected by default.

Mapped DNS name for HTTP

(Yes)

Mapped DNS name for HTTPS

(Yes)

Server DNS name Connect via proxy

No No

146

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Label Forward cookies between client and resource Cookies to check

Mandatory No

Description Not selected by deafult.

(Yes)

Lists name of the cookies that the system checks. Mandatory when Forward cookies between client and resource is selected. Available options are: Allow and Block. When set to Allow, only cookies listed in Cookies to check are allowed. Other cookies are blocked. Selected by default.

Action

No

Use NTLM v2

Yes

Authorization Settings
There are a number of advanced authorization settings available, enabling you to specify in detail how a specific Web resource will be accessed. Path Match You have the option to require an exact path match. When enabled, the defined access rules for this Web resource path apply for this path only and not for all paths beginning with this one. When not selected, the access rules apply to this Web resource path and all paths beginning with this one, unless a more significant resource is found under this path. Automatic Access You can configure the Web resource path to be accessed automatically. For resources where automatic access is activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but the user is still regarded as inactive according to time-out configurations. Expression of Will When expression of will is used, re-authentication is required for each request. MIME Types You can also define which MIME types that should be allowed to be cached on the client browser. Required format is text/html. Time-out You can configure resource-specific time-out settings for max inactivity time and absolute time-out. These settings are specified globally for user accounts, to 15 by default for max inactivity time and to 720 by default for absolute time-out. By configuring time-out settings on the resource, you can ensure the security of the resource on a higher level, or the opposite – specific resources may not need the same level of security or you may accept a longer time-out period.
The setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.

User Guide

147

Manage Resource Access

Advanced Authorization Settings
Label Require exact path match Automatic access Mandatory No No Description Only available when editing a Web resource. Not selected by default. For resources where Automatic access is activated, the user session time-outs are not affected when the resource is requested automatically. Not selected by default. Only available when editing a Web resource. Several MIME types are allowed. No MIME types are allowed by default. Only available when editing a Web resource. Not selected by default. Only available when editing a Web resource. Selected by default. Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default. Time in minutes (0-1440), since the user was last authenticated with required authentication method, before re-authentication is required, independent of user activity. Set to 720 by default.

Cache MIME Types

No

Use Expression of Will Use Time-out Max Inactivity TimeOut Absolute Time-out

No No No

No

Encryption Level
You have the option to specify the encryption level required for clients to be allowed access to the resource. By default, SSL is required in the traffic between the client and the system. Options for encryption level are: Strong encryption level: 128 bits (default) Weak encryption level: 56 bits Other encryption level (specify desired bits level)

Advanced Encryption Level
Label Require SSL Encryption Level Mandatory No No Description Selected by default. Available options are: 128 bits 56 bits Other encryption level When set to Other encryption level, you manually enter the bits level. Set to 128 bits by default. Encryption level in bits. Mandatory when Encryption Level is set to Other encryption level.

Other Encryption Level

(Yes)

148

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Manage web resource paths
Registered Web resource hosts and paths are listed on the Manage Web Resources page in the Manage Resource Access section. You can add, edit, and delete Web resource hosts and paths. You can specify one or several paths for each registered Web resource host. Each path can also have one or several sub paths added to it.

General settings
Configuration of a path to a Web resource host includes settings described below. Path When configuring a Web resource path you specify its path, i.e. the path to the subset of the Web resource host. The path you specify is added to the path of the parent host or path to form the complete path. When registering a sub path, i.e. a path added to an existing Web resource path, the path to the parent Web resource path is displayed for your convenience. Authorization If you do not want to set specific authorization (Access Rules and advanced settings) for the Web resource path, you have the option to reuse the authorization specified for the parent Web resource host or path. Using this option, the authorization set for the parent host or path is inherited to the Web resource path and the Access Rules and Advanced Settings sections of the configuration are not displayed. Single-Sign On If you have registered Single Sign-On domains, you can enable SSO for the Web resource host. Depending on the domain types of the registered SSO domains, you can select SSO domain type text or cookie (text is selected by default) and then select which SSO domain to use. If you select domain type text and will use form-based SSO, additional configuration regarding the logon form to the resource host and the form response message is required. The logon form is added to the resource host to enable form-based SSO. Configuration of the logon form includes whether SSO should perform POST or GET when triggered, the URL to GET or POST data to, as well as form data sent to the server. A form response message can be used to determine whether a logon was successful or not. Configuration of the form response message, that will appear when the user has logged on or failed to log on, includes a URL to which the response from the form should be sent, and a text string form response used to decide if the authentication is successful or unsuccessful. For information about Adaptive SSO please see the Adaptive Single Sign-On section in Manage Web Resource Hosts Application Portal Settings You can select to make the Web resource host available in the Application Portal. You then specify an icon to represent the resource. An icon library provides a range of icons to choose from, but you can also browse to a desired image file. The icon must be of the type .gif, .jpeg, or .png and must not exceed 10kB in size. In addition, you enter a link text accompanying the icon in the Application Portal. All link texts in the Application Portal are displayed alphabetically, which provides a possibility to organize the order in which the resources are presented. For each Web resource specified to be displayed in the Application Portal, a corresponding Application Portal item is automatically created. The Application Portal item is displayed and can be edited or deleted on the Manage Application Portal page in the Manage Resource Access section.

User Guide

149

Manage Resource Access

General Settings
Label Enable resource Parent Path Mandatory No No Description Selected by default. Available when adding a child resource path (a sub-path to another resource path). Displays the path to the parent resource path. Not editable. Path to the resource. Available when adding a resource path. Selected by default

Path Use Parent Authorization

Yes No

SSO Settings
Label Enable Single Sign-On SSO Type Mandatory No (Yes) Description Not selected by default. Available options are: Text Cookie Form Based Adaptive SSO Mandatory when Enable Single Sign-On is selected. Set to Text by default. Lists registered SSO Domains in the system. Mandatory when Enable Single Sign-On is selected. If Adaptive SSO is selected there is also an option create new domain which will give the opportunity to create a new domain. Name of new SSO Domain created for Adaptive SSO.

SSO Domain

(Yes)

New SSO Domain Name

(Yes)

Application Portal Settings
Label Make resource available in Application Portal Icon Mandatory No Description Selected by default.

Yes

Path to the image file that symbolizes the Web resource path in the Application Portal. Mandatory when Make resource available in Application Portal is selected. Text that represents the Web resource path in the Application Portal. Mandatory when Make resource available in Application Portal is selected.

Link Text

Yes

Access rules
See Manage Access Rules.
For resource paths, access rules are not available for configuration if you have selected to use the authorization of the parent path.

150

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Advanced settings
The following advanced settings are available for the Web resource path. All advanced settings are optional.
Advanced settings are not available for configuration if you have selected to use the authorization of the parent path.

Authorization Settings
There are a number of authorization settings available, enabling you to specify in detail how the specific Web resource path will be accessed. Path Match You have the option to require an exact path match. When enabled, the defined access rules for this Web resource path apply for this path only and not for all paths beginning with this one. When not selected, the access rules apply to this Web resource path and all paths beginning with this one, unless a more significant resource is found under this path. Automatic Access You can configure the Web resource path to be accessed automatically. For resources where automatic access is activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but the user is still regarded as inactive according to time-out configurations. MIME Types You can also define which MIME types that should be allowed to be cached on the client browser. Required format is text/html. Expression of Will When expression of will is used, re-authentication is required for each request. Time-out You can configure resource-specific time-out settings for max inactivity time and absolute time-out. These settings are specified globally for user accounts, to 15 by default for max inactivity time and to 720 by default for absolute time-out. By configuring time-out settings on the resource path, you can ensure the security of the resource path on a higher level, or the opposite – specific resource paths may not need the same level of security or you may accept a longer time-out period.
The setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.

Encryption Level
You have the option to specify the encryption level required for clients to be allowed access to the resource. By default, SSL is required in the traffic between the client and the system. Options for encryption level are: Strong encryption level: 128 bits (default) Weak encryption level: 56 bits Other encryption level (specify desired bits level)

User Guide

151

Manage Resource Access

Advanced Authorization Settings
Label Require exact path match Automatic access Cache MIME Types Mandatory No No No Description Not selected by default. Not selected by default. Defines all resource MIME types that allowed to be cached on the client browser. Required format: text/html. Several MIME types are allowed. No MIME types are allowed by default. Not selected by default. Selected by default. Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default. Time in minutes (0-1440), since the user was last authenticated with required authentication method, before re-authentication is required, independent of user activity. Set to 720 by default.

Use Expression of Will Use Time-out Max Inactivity Time

No No No

Absolute Time-out

No

Advanced Settings Encryption Level
Label Require SSL Encryption Level Mandatory No No Description Selected by default. Available options are: 128 bits 56 bits Other encryption level When set to Other encryption level, you manually enter the bits level. Set to 128 bits by default. Encryption level in bits. Mandatory when Encryption Level is set to Other encryption level.

Other Encryption Level

(Yes)

152

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Tunnel resources
About tunnel resources
In WatchGuard Administrator, you configure tunnel resource hosts for client-server applications that are not Web enabled. An examples of such applications is Remote Desktop. The tunnel allows any TCP/UDP traffic between the client and the server to be channeled over a protected SSL connection. A tunnel is an intermediary program acting as a blind relay between two connections. Once active, a tunnel is not considered a party to the HTTP communication, though the tunnel may have been initiated by an HTTP request. The tunnel ceases to exist when both ends of the relayed connections are closed. In order to make a tunnel resource accessible to the user, you configure a tunnel set to include static and/or dynamic tunnels for the resource. When using tunnel resources, you can set your own security levels with access rules for specific client applications and servers. Use the Application Portal for tunnel resource access when authenticating with the authentication methods WatchGuard SSL Web and End-Point Security Client Scan, since the Access Client cannot be used stand-alone for tunnel resource access with Web based authentication. For more information, see Manage tunnel resources.

Manage tunnel resources
Registered tunnel resources are listed on the Manage Tunnel Resources page in the Manage Resource Access section. You can add, edit, and delete tunnel resources. To make a tunnel resource accessible to the user, you create a static or dynamic tunnel for the resource in a tunnel set and configure it to be displayed in the Application Portal. In addition, a number of settings can be specified globally to apply to all resources, including tunnel resources. This is configured in the Manage Global Resource Settings section of Manage Resource Access.

Tunnel resource settings
For a tunnel resource, you specify ports for TCP or UDP traffic. You can specify a single port, a range of ports, or the wildcard character * for all ports (1-65535). Examples of common TCP ports:

Fileshare: 137-139,445 Remote Desktop 3389 Citrix 1494 Exchange 1-65535 (*) SSH 22 SMTP 25 Telnet 23 POP3 110 IMAP 143
Examples of common UDP ports:

Fileshare 137-139,445 Exchange 1-65535 (*)

User Guide

153

Manage Resource Access

Alternative Hosts
Alternative hosts are used to map a tunnel resource to a Scripted Resource in the associated tunnel set. When Scripted Resource is selected, no registered resource is selected but a filter on the Access Point decides which resource to use. One common example is the Citrix nFuse server that sends a properties file through the Access Point specifying which Citrix MetaFrame server to use in the current session. You need to configure the filter script on the Filters tab on the Global Resource Settings page. The alternative host is specified as an IP address or a DNS name. When the Web resource uses a non-default HTTP port (other than 80) or uses an HTTPS port other than 443, the port must be added as an alternative host. Example: www.watchguard.com:8080 If the default port is used, the alternative host must contain the server name without port. Example: www.watchguard.com

Access rules
See Manage Access Rules.

Advanced settings
Access Settings
You can select to connect via proxy, directing the connection to the tunnel resource through a proxy server.

Authorization Settings
There are a number of advanced authorization settings available, enabling you to specify in detail how a specific tunnel resource will be accessed. Automatic Access You can configure the tunnel resource to be accessed automatically. For resources where automatic access is activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but the user is still regarded as inactive according to time-out configurations. Time-out You can configure resource-specific time-out settings for authentication time-out, max inactivity time and absolute time-out. These settings are also available, and specified by default, for user accounts. By configuring time-out settings on the resource, you can ensure the security of the resource on a higher level, or the opposite – specific resources may not need the same level of security or you may accept a longer time-out period for certain resources.
The setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.

154

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

General Settings
Label Enable resource Display Name Host TCP Port Set Yes Yes (Yes) Mandatory Description Selected by default. Unique name used in the system to identify the tunnel resource. IP address or DNS name of the resource host. This can be either a single port, a range of ports, or the wildcard character * for all ports (1-65535). Either TCP Port or UDP Port is mandatory. This can be either a single port, a range of ports, or the wildcard character * for all ports. Either TCP Port or UDP Port is mandatory. Selected if Single Sign-On for File Shares should be enabled for this Resource Host. If selected File Share SSO Domain will be enabled and an SSO Domain must be selected. This checkbox will be disabled if no SSO Domains have been registered in the system. (Yes) The SSO Domain that should be used for File Share SSO. Only available if File Share SSO is enabled for this Tunnel Resource. Selected if Single Sign-On for Remote Desktop (RDP protocol) should be enabled for this Resource Host. If selected Remote Desktop SSO Domain will be enabled and an SSO Domain must be selected. This checkbox will be disabled if no SSO Domains have been registered in the system. (Yes) The SSO Domain that should be used for Remote Desktop SSO. Only available if Remote Desktop SSO is enabled for this Tunnel Resource.

UDP Port Set

(Yes)

Use File Share SSO

File Share SSO Domain

Use Remote Desktop SSO

Remote Desktop SSO Domain

Advanced Access Settings
Label Connect via proxy Mandatory No Description Not selected by default.

Advanced Authorization Settings
Label Automatic access Use Time-out Max Inactivity Time Mandatory Description Not selected by default. Selected by default. Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default. Time in minutes (0-1440), since the user was last authenticated with required authentication method, before re-authentication is required, independent of user activity. Set to 720 by default.

Absolute Time-out

User Guide

155

Manage Resource Access

Tunnel resource networks
About tunnel resource networks
Tunnel resource networks are basically a collection of IP addresses and ports, or a range of IP addresses and ports, which include tunnel resource hosts. When adding a tunnel resource host with an IP address inside a tunnel resource network span, it is automatically included in the network. If you wish to add tunnel resource hosts outside the tunnel resource network, use the Add Tunnel Resource Host wizard. When using tunnel resource networks, you can set your own security levels with access rules for specific client applications and servers. You can specify tunnel resources with different access control than the networks’. These are called exceptions.

Manage tunnel resource networks
Registered tunnel resource networks are listed on the Manage Tunnel Resources page in the Manage Resource Access section. You can add, edit, and delete tunnel resource networks. In addition, a number of settings can be specified globally to apply to all resources, including tunnel resources. This is configured in the Manage Global Resource Settings section of Manage Resource Access.

Tunnel resources network settings
For a tunnel resource network, addresses to the first and last host for the range of tunnel resources in the network. You also specify port sets for TCP or UDP traffic. You can specify a single port or a range of ports.

Access Rules
See Manage access rules.

156

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Advanced settings
Access Settings
You can select to connect via proxy, directing the connection to the tunnel resource network through a proxy server.

Authorization Settings
There are a number of advanced authorization settings available, enabling you to specify in detail how a specific tunnel resource network will be accessed. Automatic Access You can configure the tunnel resource network to be accessed automatically. For resources where automatic access is activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but the user is still regarded as inactive according to time-out Timeout configurations. TIme-out You can configure resource-specific time-out settings for authentication time-out, max inactivity time and absolute time-out. These settings are also available, and specified by default, for user accounts. By configuring time-out settings on the resource, you can ensure the security of the resource on a higher level, or the opposite – specific resources may not need the same level of security or you may accept a longer time-out period for certain resources.
Note that the setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.

General Settings
Label Enable Resource Display Name Description IP Range TCP Port Set Yes (Yes) Mandatory No Yes Description Not selected by default. Unique name used in the system to identify the tunnel resource network. Description of the tunnel resource network. IP address to the first and last host for the range of tunnel resources in the network. One, several, or a range of port numbers can be entered separated with a comma sign. Either TCP Port Set or UDP Port Set is mandatory. One, several, or a range of port numbers can be entered separated with a comma sign. Either TCP Port Set or UDP Port Set is mandatory.

UDP Port Set

(Yes)

Access Settings
Label Connect via proxy Mandatory Description Not selected by default.

User Guide

157

Manage Resource Access

Authorization Settings
Label Automatic access Use Time-out Max Inactivity Time Mandatory Description Not selected by default. Selected by default. Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default. Time in minutes (0-1440), since the user was last authenticated with required authentication method, before re-authentication is required, independent of user activity. Set to 720 by default.

Absolute Time-out

158

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Tunnel sets
About tunnel sets
In WatchGuard Administrator, you configure tunnel sets to enable users to access configured tunnel resources. The tunnel set can include one or several tunnel resources. It contains static and/or dynamic tunnels, at least one for each resource included in the set. The tunnel set is displayed as an icon in the Application Portal, providing users with access to all tunnel resources in the tunnel set through the use of WatchGuard Administrator Access Client. The Access Client is either a Win32 application or a Java application, that are loaded either using an ActiveX Web loader or a Java Applet Web loader.
The ActiveX loader requires administrator rights on the client the first time it is used. In addition, local lookups and DNS forwarding require administrator rights on the client every time they are used. When using the installable WatchGuard Administrator Access Client, administrator rights are not required on the client for local lookups.

Apart from configuring static and/or dynamic tunnels for the resources in the set, there are a number of advanced settings available for the tunnel set. The advanced settings include local lookups used to define host addresses that should be resolvable on the client if no external DNS record is found. Local lookups are checked before any external DNS, so the external DNS can be overridden. Advanced settings also include mapped drives, and client configuration involving for example startup and shutdown commands. Static tunnels Static tunnels are configured to tunnel resources on the local interface using a single port, and can be used on all platforms. Dynamic tunnels Dynamic tunnels are configured to tunnel resources using any IP address on one or a range of ports, and can only be used on Windows platforms. Access rules The tunnel resources you collect in a tunnel set are normally protected by access rules. In addition, you can apply access rules to the tunnel set itself, to control how and when users should be able to access the tunnel set. A tunnel resource can be included in several tunnel sets. This enables you to associate tunnel sets with different levels of access control, for example for different user groups.
Access control of a specific tunnel resource is always done using the access rules configured for that tunnel resource. The only use of access rules on a tunnel set is to make the associated icon in the Application Portal subject to access control as well.

Access client When a user clicks an icon for a tunnel set in the Application Portal, the Access Client attempts to load an ActiveX Web loader or a Java applet loader. The order of this is configured on the tab. For more information, see Manage tunnel sets, Advanced tunnel settings and Manage global tunnel set settings.

User Guide

159

Manage Resource Access

Manage tunnels sets
Registered tunnel sets are listed on the Manage Tunnel Sets page in the Manage Resource Access section. You can add, edit, and delete tunnel sets. Tunnel sets contain static and/or dynamic tunnels for each tunnel resource included in the set.

Tunnel set settings
Configuration of a tunnel set include specifying static or dynamic tunnels per resource included in the tunnel set, application portal settings for the tunnel set, as well as advanced settings.

Application Portal Settings
You can select to make the tunnel set available in the Application Portal. You then specify an icon to represent the tunnel set. An icon library provides a range of icons to choose from, but you can also browse to a desired image file. The icon must be of the type .gif, .jpeg, or .png and must not exceed 10kB in size. In addition, you enter a link text accompanying the icon in the Application Portal. All link texts in the Application Portal are displayed alphabetically, which provides a possibility to organize the order in which the resources are presented. For each tunnel set specified to be displayed in the Application Portal, a corresponding Application Portal item is automatically created. The Application Portal item is displayed and can be edited or deleted on the Manage Application Portal page in the Manage Resource Access section.

General Settings
Label Enable tunnel set Display Name Mandatory No Yes Description Selected by default. Unique name used in the system and by the Access Client to identify the tunnel set

Application Portal Settings
Label Make resource available in Application Portal Icon Mandatory No Description Selected by default.

Yes

Path to the image file that symbolizes the Web resource path in the Application Portal. Mandatory when Make resource available in Application Portal is selected. Text that represents the Web resource path in the Application Portal. Mandatory when Make resource available in Application Portal is selected.

Link Text

Yes

160

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Static Tunnel Settings
Resource For each static tunnel, you select which of the available registered tunnel resources to tunnel, or select Scripted resource to allow a user session parameter (set by a script executed on the Access Point) to specify which resource to access. To use this option, you need to specify the filter script on the Filters tab on the Global Resource Settings page. One common example of an application that can be used as a scripted resource is the Citrix nFuse server that sends a properties file through the Access Point specifying which Citrix MetaFrame server to use in the current session. Protocol You can specify whether to use the TCP or UDP protocol. Client IP Address You also specify the client IP address, i.e. the IP address that the client listens to. The IP address must be in the range 127.x.x.x, and is set to 127.0.0.1 by default. Client Port In addition, you specify which port the client listens to, as well as which port should be used by the system to contact the internal resource host. Only one port can be specified per client and per resource. If the entered port is occupied, the next available port is used. It is recommended that the same port is entered for client and resource host. Confirm Connections For both static and dynamic tunnels, you have the option to confirm connections. When enabled, the user must confirm all tunnel resource host connections before they are established. Advanced Settings The advanced setting available for static tunnels is No delay for TCP traffic. When this option is selected, Nagle’s algorithm (use TCP_NO_DELAY) is disabled. When using devices with limited bandwidth (such as cell phones), you can choose to enable Nagle’s algorithm to favor less packetoverhead over response-time. When using a broadband connection or a LAN you will want to disable Nagle’s algorithm to favor response-time at the cost of sending more packets (more overhead).

General Settings
Label Resource Protocol Mandatory Yes No Description List of available registered tunnel resources. This option is only available if both TCP ports and UDP ports have been set for the specified tunnel resource host. Set to TCP by default. IP address must be in the range 127.x.x.x Set to 127.0.0.1 by default. Only one port number can be entered. If the entered port is occupied, the next available port is used. It is recommended that the same port as Resource Port is used. Only one port number can be entered. If the entered port is occupied, the next available port is used. It is recommended that the same port as Client Port is used. Not selected by default.

Client IP Address Client Port

Yes Yes

Resource Port

Yes

Confirm connections

No

User Guide

161

Manage Resource Access

Advanced Settings
Label No delay for TCP traffic Mandatory No Description When selected, Nagle’s algorithm (use TCP_NO_DELAY) is disabled. Selected by default.

Dynamic Tunnel Settings
Resource For each dynamic tunnel, you select which of the available registered tunnel resources to tunnel. For a tunnel-type resource you can specify the host’s TCP Port set and/or UDP Port set. You can also select to Confirm Connections and Use Virtual IP. If Virtual IP is not selected, the tunnel resource’s host address is used. If the resource is a Tunnel resource network then you can specify IP set, TCP Port set, UDP Port set, and Confirm Connections. Virtual IP Address You also specify a virtual IP address used to forward traffic to the resource. This can be an arbitrary IP address, but it is recommended that you use the IP address of the selected resource host. Resource Port A resource port is specified to capture traffic on the client, and the same port that will be used for the resource host. This can be either a single port, a range of ports, or the wildcard character * for all ports (1-65535). Example:
9010, 9011-9022, 9030

Confirm Connections For both static and dynamic tunnels, you have the option to enable Confirm Connections. When enabled, the user must confirm all tunnel resource host connections before they are established, either in the Application Portal or in the Access Client.

General Settings
Label Resource Virtual IP Address Resource Port Confirm connections Mandatory Yes Yes Yes No Description Tunneled resource host. This can be an arbitrary IP address, it is recommended to not use the selected resource host’s IP address. This can be either a single port, a range of ports, or the wildcard character * for all ports (1-65535). Not selected by default.

162

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Startup settings
You can specify startup commands to start a specific client to use the tunneled resource. You can also enter an URL that is displayed when the tunnel has been successfully started.

Tunnel Set Startup Settings
Label Startup Command Redirect URL Mandatory Description Trusted commands executed when the client is started and the tunnels are set up. URL opened in a browser window after the tunnel has been successfully started.

Advanced tunnel settings
Local Lookups
You can add local lookups to define host addresses that should be resolvable on the client if no external DNS record is found. Local lookups and DNS forwarding require administrator rights on the client, every time they are used. When using the installable Access Client, administrator rights are not required. Lookups are specified by entering a fully qualified domain name, or domain name using the wildcard character *, as well as an IP address. Example:

mailserver.*
Use the virtual IP address entered for the dynamic tunnel, when applicable. For static tunnels, use 127.0.0.1.

Tunnel Set Advanced Local Lookups
Label Domain Name IP Address Mandatory Yes Yes Description A fully qualified domain name, or domain name using the wildcard character *. IP address the domain name is translated to.

User Guide

163

Manage Resource Access

Mapped Drives
You can add mapped drives to the tunnel set drives to map network resources (printers or drives) to drive letters on the clientnetwork. Mapped drives are specified by entering the path to mapped network resource: Example:

\\192.168.12.55\[$uid] Supported Path Variables
Supported Variables [$ehost] [$eprot] [$uid] [$iuid] Description The Access Point server name including port number HTTP or HTTPS External user name Internal user name, usually [$uid]

You also have the option to specify a drive letter for the drive or printer that the resource host is mapped to. Example:
M:

If the selected drive is occupied, the next available drive letter is used. You can specify a drive letter here and combine it with a a Startup Command defined in the Advanced section. Another option is to use cached credentials. When enabled, cached credentials (Windows domain credentials) are used when mapping a drive. This option is selected by default.

Tunnel Set Advanced Map Drives
Label Network Resource Drive Letter Use cached credentials Mandatory Yes No No Description Path to mapped network resource. Drive letter the resource host is mapped to. This can be a drive or a printer. Select by default.

164

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Access Client Loader
You specify how the Access Client is loaded for the client. You can select from three options: ActiveX / Java Applet The ActiveX loader is the first choice, and if it does not work the Java Applet is loaded ActiveX Only the ActiveX loader is loaded Java Applet Only the Java Applet loader is loaded If any of the Java Applet options is selected, you also have the option to use pure Java.

Tunnel Set Advanced Access Client Loader
Label Access Client Loader Mandatory Yes Description Available option are: ActiveX/Java Applet ActiveX Java Applet Set to ActiveX by default When selected, pure Java is used.

Use pure Java

No

Additional Client Configuration
Shutdown Commands
Use startup commands to automatically execute commands, for example displaying a mapped drive to the user, on startup of the tunnel set. Shutdown commands are corresponding commands executed when the tunnel set is shut down. One or several startup and shutdown commands can be defined for each tunnel set. The following default trusted commands are executed without user interaction (other commands prompt the user for confirmation): outlook explorer explorer /e explorer /e, A: to Z: Users are allowed to edit the list of trusted commands in the Access Client.

User Guide

165

Manage Resource Access

Supported Variables in Commands
Supported Variables [$ehost] [$eprot] [$uid] [$iuid] Description The Access Point server name including port number HTTP or HTTPS External user name Internal user name, usually [$uid]

Error Codes to Suppress You can configure a list of specific error codes to suppress pop-up messages. The error codes are entered as a comma separated list of 7-digit error codes. Redirect URL URL opened in a browser window after the tunnel has started successfully. Example: /http/citrix/ Fallback Tunnel Set The fallback tunnel set is used if the client computer is not able to load the ActiveX component. The fallback tunnel set is also supported if the Windows native client with configured dynamic tunnels fails to load.

Tunnel Set Advanced Client Configuration
Label Shutdown command Error Codes to suppress Fallback Tunnel Set Mandatory No No No Description Trusted commands executed when the client and all tunnels are shut down. Enter as comma separated list of 7-digit error codes. Tunnel set used if the client computer is not able to load the ActiveX component. The fallback tunnel set is also supported if the Windows native client with configured dynamic tunnels fails to load.

Specific Settings
When one of the applications tunneled with the tunnel set is MS Outlook, it is recommended that you enable support for the MS Outlook patch. The patch solves a problem with the Windows 2000 client authentication. When the option is selected, the patch is supported when the client is based on Windows 2000 and is part of a domain.

Tunnel Set Advanced Specific Settings
Label Support MS Outlook patch for Windows 2000 Mandatory No Description When one of the applications tunneled with the tunnel set is MS Outlook, it is recommended that you enable support for the MS outlook patch. Not selected by default.

166

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Provide IP Address
Select Provide IP Address to assign an unique IP address to the client from the IP Address Pool. You manage the IP Address Pool on the Manage Global Tunnel Set Settings page. This also enables configured resources to establish connections towards the client. If IP addresses from the IP Address Pool are added as a tunnel resource, it makes it possible for clients to connect to each other when connected.

Tunnel Set Advanced Provide IP Address
Label Provide IP Address Mandatory No Description WShen selected, the client is assigned an IP address from the IP address pool. The IP Address Pool is managed under Manage Global Tunnel Set Settings.

DNS Forwarding
Select Enable DNS Forwarding to temporarily redirect the client’s DNS server to the DNS server specified on the Manage Global Tunnel Set page. When DNS Forwarding is selected, all DNS requests on the client are tunneled over the encrypted tunnel to the Access Point where it is proxied to the configured DNS server set on the Manage Global Tunnel Set page.

Client Firewall
Select which Internet firewall configuration that should be associated with the tunnel set. Internet Firewall configurations are managed on the Manage Client Firewall page.

Tunnel Set Advanced Client Firewall Configuration
Label Internet Firewall Configuration Mandatory No Description Client firewall configuration to be applied to the tunnel set. Registered client firewall configurations are available for selection.

Access Rules
See Manage access rules.

Manage global tunnel set settings
External DHCP Settings
This is used to assign IP addresses from an existing DHCP Server to the connecting Access Clients. Use External DHCP (Optional) Select this to Use an External DHCP Server to assign addresses to the Access Client. Select this if DHCP relay should be used by the Access Client to assign an IP address from the network. If selected the address of a DHCP Server must be specified in the corresponding field below. To use this setting Provide IP Address must be checked in the Tunnel Set where DHCP should be used. DHCP Server The Host Address of the DHCP Server to use. Enter the host address of the DHCP Server

User Guide

167

Manage Resource Access

IP Address Pool
Specify a range of IP addresses in the IP address pool. The IP address pool is used to define a set of IP addresses which are assigned to connecting clients, thus enabling the Access Point to route traffic from the backend systems to the clients. You configure a time-out in milliseconds, which define how long the Access Point will wait for responses while detecting possible IP conflicts on the internal network. IP Address Pool (Optional) Range of IP addresses used in the IP address pool. Disabled if External DHCP is defined. Time-out (Optional) Time-out in milliseconds, specifying how long the Access Client will wait to timeout when failing to acquire an IP address from the IP address pool. Set to 100 by default.

DNS Server
Specify IP address of DNS name of the DNS server used for DNS forwarding. When Enable DNS forwarding has been selected on the Manage Tunnel Set page, on the Advanced tab, the client’s DNS server is temporarily redirected to the DNS Server specified here. Local lookups are checked before any external DNS, so the external DNS can be overridden. DNS Server IP address of DNS name of the DNS server used for DNS forwarding. Mandatory when DNS Forwarding has been enabled.

168

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Client firewalls
About client firewalls
Client firewalls consist of Internet firewall configurations. An Internet firewall configuration is a collection of rules that control traffic to and from the Access Client. Each configuration is connected to a corresponding tunnel set. The WatchGuard Client solution is divided in two different parts: Prevent other network connections to be routed Check the integrity of connecting application

Prevent other network connections to be routed
You can configure rules based on the following parameters: Network Incoming or outgoing traffic Ports Allow or block traffic The rules are downloaded to the client computer when downloading the tunnel set. The rules are then applied to prevent network traffic to be routed at the client.

Check integrity of connecting application
For each connection that goes through the WatchGuard Access Client, information about application path and check sum is added. This information is taken into consideration when doing the authorization decision. Valid application information in WatchGuard Administrator is configured and maintained on the Device Definitions page in the Manage System section. You can configure rules based on the following parameters: Network Incoming or outgoing traffic Ports Allow or block traffic The rules are downloaded to the client computer when downloading the tunnel set configuration. The rules are then applied to prevent network traffic to be routed at the client.
The order of the rules is significant since the firewall starts in the top of the list and stops as soon as a match between the rule and the connection is found.

When adding a new Internet Firewall Configuration, the rule lists will have default entries showing that all connections will be blocked unless you add a rule above the default rule that accepts a specific connection.

User Guide

169

Manage Resource Access

How Does It Work?
The client firewall is used locally on the user’s computers while they are connected to Access Point using the Access Client. Its rules are configured on the server and cannot be overridden by the user. One Internet firewall configuration per tunnel set can be used. The firewall is typically activated when the user clicks an icon in the Application Portal pointing to a tunnel set configured to use the Client Firewall. The firewall is deactivated as soon as the user closes down the Access Client or logs off the portal. The firewall will be active as long as the associated Tunnel Set is used.
If several Tunnel Sets are used simultaneously by the same user, the firewall configurations of all the Tunnel Sets will be active and the most restrictive rules will apply.

When active, the firewall will check each connection from and to the client computer that they match the client firewall configuration. For each connection going through the WatchGuard Access Client, information about application path and check sum is added. This information is taken into consideration when doing the authorization decision. Valid application information in WatchGuard Administrator is configured and maintained on the Device Definitions page in the Manage System section. Incoming Rules Once a connection comes in to the computer, the firewall will go through the list of Incoming Firewall rules. Each rule is checked against the incoming connection to see if they match. If they do not match, the firewall will continue to look at the next rule in the list. If they match, the connection will be accepted or denied depending on the rule’s configuration and the firewall will not continue to check further rules in the list. If the rule denies the connection, it will be dropped. If the rule accepts the connection, it will be let through to the client computer. Outgoing Rules Once an application on the client computer tries to connect to the Internet, the firewall will go through the list of Outgoing Firewall rules. Each rule is checked in the same way as for incoming connections. If the rule denies the connection, it will be rejected. If the rule accepts the connection, it will be let through to the Internet. Exceptions The client firewall checks all TCP and UDP connections except the following: Incoming connections from an IP address of a configured resource on the intranet (a connection through the tunnel). Connections towards Access Point Connections towards an IP address of a configured resource on the intranet through the tunnel. Instead of checking the firewall rules, the access rules of the configured resource will apply

170

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Firewall rules based on device
Client firewall can be used to specify rules based on the path or checksum of the process that is trying to connect to the Internet. To make this possible, you must first add a Device Definition that specifies the values of the path, and/or checksum of the process. There are two variables that can be used in Device Definitions that is used by Client Firewall. These are: clientfirewall-path clientfirewall-checksum
Only Device Definitions containing these variables can be used in the Client Firewall Rules.

To add Internet Explorer as a Device Definition, you should add a Device Definition with the following settings: Example:

Display Name: Internet Explorer Process Definition: clientfirewall-path=%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles% is an environment variable that will be parsed on Access Client so that the device definition

will be valid on all clients whatever language the operating system has. It is also possible to have a stricter rule that is based on the MD5 checksum of the executable. To define a device based on the checksum, use a hexadecimal representation of the MD5 checksum. Example:

Display Name: Internet Explorer Process Definition: clientfirewallchecksum=e7484514c0464642be7b4dc2689354c8
When using clientfirewall-checksum, the device will only be valid for a specific version of Internet Explorer. It is also possible to combine both checksum and path using AND/OR between expressions. For example, you may specify a list of valid checksums, using the pipe character | (OR): Example:

clientfirewall-checksum=<checksum1> | clientfirewallchecksum=<checksum2> | …
Note that all entries between the | (OR) operator must be on the same line. The Device Definitions made for Client Firewalls can also be used in Access Rules for tunnel resources. Please refer to the How To section in the Online Help for example configurations. For more information, see Manage client firewalls.

User Guide

171

Manage Resource Access

Manage client firewalls
You manage client firewall settings on the Manage Client Firewall page in the Manage Resource Access section. The Internet firewall configuration is manually connected to applicable tunnel sets. This is done on the Manage Tunnel Set page, on the Advanced tab. You specify rules based on incoming or outgoing traffic. In both cases, you also specify an IP address or range of IP addresses and ports, what protocol to use, and select accepted devices. A rule can Accept or Deny traffic.

General Settings
Label Display Name Mandatory Yes Description Unique name used in the system to identify the internet firewall configuration.

Incoming firewall rules
You specify a remote IP address or range of IP addresses for incoming traffic. That is, allowed remote IP addresses. To specify the port set, you enter a single port, several ports, and/or range of ports. Use a comma sign to separate port numbers. Select whether to use TCP or UDP, and if the firewall rule will accept or deny incoming traffic from specified IP addresses and ports. Furthermore, you can select a specific device the rule applies to, or it can be set to Any device which results in that all connecting devices are accepted. A device can be a hardware device as well as an application. Devices are registered in the Manage System section, on the Manage Global Access Point Settings page, using the Add Device Settings link.

General Settings
Label IP Range Port Set Protocol Rule Mandatory Yes Yes Yes Yes Description IP address for the first and last tunnel resources hosts. One, several, or a range of port numbers can be entered separated with a comma sign. Available options are: TCP and UDP. Set to TCP by default. Available options are: Accept and Deny. Set to Deny by default.

Devices
Label Devices Mandatory No Description When selected, the Rule is applied to the selected device (when Rule is set to Accept). Devices are defined in Manage System, on the Device Definitions page.

Comment
Label Comment Mandatory No Description Description of the incoming rule.

172

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Outgoing firewall rules
You specify a remote IP address or range of IP addresses for outgoing traffic. That is, allowed destination IP addresses. To specify the port set, you enter a single port, several ports, and/or range of ports. Use a comma sign to separate port numbers. Select whether to use TCP or UDP, and if the firewall rule will accept or deny outgoing traffic from specified IP addresses and ports. Furthermore, you can select specific allowed devices the rule applies to. A device can be a hardware device as well as an application. Devices are registered in the Manage System section, on the Manage Global Access Point Settings page, using the Add Device Settings link.

General Settings
Label IP Range Port Set Mandatory Yes Yes Description IP address for the first and last tunnel resources hosts. One, several, or a range of port numbers can be entered separated with a comma sign. Available options are: TCP and UDP. Set to TCP by default. Available options are: Accept and Deny. Set to Deny by default.

Protocol Rule

Yes Yes

Devices
Label Devices Mandatory No Description When selected, the Rule is applied to the selected device (when Rule is set to Accept). Devices are defined in Manage System, on the Device Definitions page.

Comment
Label Comment Mandatory No Description Description of the outgoing rule

User Guide

173

Manage Resource Access

Customized resources
About customized resources
You can register and perform access control on resources that do not belong to either of the categories Web resources or tunnel resources, and are not displayed in the Application Portal. These kinds of resources, for example bank accounts, are registered as customized resources. Use customized resources when you wish to protect resources outside the Application Portal using access rules. A customized resource has a resource host (or root) which may have one or several paths connected to it. When using customized resource paths, you can set your own security levels with access rules for specific applications and files. You can also choose to allow customized resource paths to derive its authorization settings (consisting of access rules and advanced settings) from the parent resource path.

Manage customized resource hosts
Registered customized resource hosts and paths are listed on the Manage Customized Resources page in the Manage Resource Access section. You can add, edit, and delete customized resource hosts and paths. You can specify one or several paths for each registered customized resource host. Each path can also have one or several sub paths added to it. Customized resource host settings Configuration of a customized resource hosts includes the following settings: URI You define a Uniform Resource Identifier (URI) for the customized resource host, specifying the IP address or DNS name of the resource host. Example:
bean://<hostname>/account

Access rules
See Manage Access Rules.

174

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Advanced settings
A number of advanced settings are available for configuration of the customized resource host.

Access Settings
You can select to connect via proxy, directing the connection to the tunnel resource through a proxy server.

Authorization Settings
There are a number of authorization settings available, enabling you to specify in detail how the specific customized resource host will be accessed. Path Match You have the option to require an exact path match. When enabled, the defined access rules for this customized resource path apply for this path only, and not for all paths beginning with this one. When not selected, the access rules apply to this customized resource path and all paths beginning with this one, unless a more significant resource is found under this path. Automatic Access You can configure the customized resource path to be accessed automatically. For resources where automatic access is activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but the user is still regarded as inactive according to time-out configurations. Expression of Will When expression of will is used, re-authentication is required for each request. Time-out You can configure resource-specific time-out settings for max inactivity time and absolute time-out. These settings are specified globally for user accounts, to 15 by default for max inactivity time and to 720 by default for absolute time-out. By configuring time-out settings on the resource path, you can ensure the security of the resource path on a higher level, or the opposite – specific resource paths may not need the same level of security or you may accept a longer time-out period.
Note that the setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.

Customized Resource Host Settings
General Settings
Label Enable resource Display Name Description URI Mandatory No Yes No Yes Description Selected by default. Unique name used in the system to identify the customized resource host. Describes the customized resource host. IP address or the DNS name of the resource host.

User Guide

175

Manage Resource Access

Advanced Settings
Label Connect via proxy Require exact path match Automatic access Mandatory No No No Description Not selected by default Not selected by default. For resources where Automatic access is activated, the user session time-outs are not affected when the resource is requested automatically. Not selected by default. Only available when editing a Web resource. Not selected by default. Selected by default. Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default. Time in minutes (0-1440), since the user was last authenticated with required authentication method, before re-authentication is required, independent of user activity. Set to 720 by default.

Use Expression of Will Use Time-out Max Inactivity Time

No No No

Absolute Time-out

No

Manage customized resource paths
Registered customized resource hosts and paths are listed on the Manage Customized Resources page in the Manage Resource Access section. You can add, edit, and delete customized resource hosts and paths. Customized resource path settings Configuration of a path to a customized resource host includes the following settings. Path When configuring a customized resource path you specify its path, i.e. the path to the subset of the customized resource host. The path you specify is added to the path of the parent host or path to form the complete path. When registering a sub path, i.e. a path added to an existing customized resource path, the path to the parent resource path is displayed for your convenience. Authorization If you do not want to set specific authorization (Access Rules and advanced settings) for the customized resource path, you have the option to reuse the authorization specified for the parent resource host or path. Using this option, the authorization set for the parent host or path is inherited to the customized resource path and the Access Rules and Advanced Settings sections of the configuration are not displayed.

Access rules
See Manage Access Rules.
For resource paths, access rules are not available for configuration if you have selected to use the authorization of the parent path.

176

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Advanced settings
A number of advanced settings are available for configuration of the customized resource path.
Advanced settings are not available for configuration if you have selected to use the authorization of the parent path.

Access Settings You can select to connect via proxy, directing the connection to the resource through a proxy server. Authorization Settings There are a number of authorization settings available, enabling you to specify in detail how the specific customized resource path will be accessed. Path Match You have the option to require an exact path match. When enabled, the defined access rules for this customized resource path apply for this path only, and not for all paths beginning with this one. When not selected, the access rules apply to this customized resource path and all paths beginning with this one, unless a more significant resource is found under this path. Automatic Access You can configure the customized resource path to be accessed automatically. For resources where automatic access is activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but the user is still regarded as inactive according to time-out configurations. Expression of Will When expression of will is used, re-authentication is required for each request. Time-out You can configure resource-specific time-out settings for max inactivity time and absolute time-out. These settings are specified globally for user accounts, to 15 by default for max inactivity time and to 720 by default for absolute time-out. By configuring time-out settings on the resource path, you can ensure the security of the resource path on a higher level, or the opposite – specific resource paths may not need the same level of security or you may accept a longer time-out period.
Note that the setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.

User Guide

177

Manage Resource Access

General Settings
Label Enable resource Parent Path Mandatory No No Description Selected by default. Available when adding a child resource path (a sub-path to another resource path). Displays the path to the parent resource path. Not editable. Path to the resource. Available when adding a resource path (a path to another resource host, or a sub-path to another path). Selected by default

Path Use Parent Authorization

Yes No

Advanced Settings
Label Connect via proxy Require exact path match Automatic access Mandatory No No No Description Not selected by default Not selected by default. For resources where Automatic access is activated, the user session time-outs are not affected when the resource is requested automatically. Not selected by default. Only available when editing a Web resource. Not selected by default. Selected by default. Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default. Time in minutes (0-1440), since the user was last authenticated with required authentication method, before re-authentication is required, independent of user activity. Set to 720 by default.

Use Expression of Will Use Time-out Max Inactivity Time

No No No

Absolute Time-out

No

178

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

SSO domains
About SSO domains
Single Sign-On (SSO) is a session/user authentication process, allowing users to enter their user credentials once to access several resources. Single Sign-On authenticates users, offering instant access to applications, and eliminates future authentication prompts when the user switches applications. In WatchGuard Administrator, SSO domains are configured to enable Single Sign-On for resources using the same user credentials. The SSO domain specifies how SSO will be used for the resources included in the domain. When user credentials are modified, the changes are automatically applied to all resources in the SSO domain. The SSO functionality in WatchGuard Administrator is based on adaptive learning. When using SSO initially, the user is prompted for user credentials once for each SSO domain, when first accessing a resource in the SSO domain. The user credentials are then stored on the WatchGuard Administrator user account in the directory service, indefinitely or until changed. (You can also choose to cache user credentials, which then are only valid during the session). After authentication, the user can access different internal applications that are part of a Single Sign-On domain without the need for re-authentication. For more information, see Manage SSO domains. WatchGuard Administrator supports two methods of using SSO: Persistent SSO Access to several resources without the need to re-authenticate for each resource Session-based SSO Enables one-time-logon: users do not have to re-authenticate for each request

Access rules
You define how and when Single Sign-On should be used by protecting the SSO domain with access rules. The access rules specified for the SSO domain apply to the SSO functionality only, not to the resources in the SSO domain. For example, if a user successfully access a resource in the SSO domain but the SSO access rule fails, the user is still free to access resources in the domain. The user will be required to enter credentials for each resource, as if SSO was not applied.

User Guide

179

Manage Resource Access

Domain types
In WatchGuard Administrator, SSO domains are available in two domain types: Text (default) Cookie Depending on domain type, different domain attributes can be associated with the SSO domain. Text The domain type Text is used to send user credentials as text, with different attributes defining the information needed for authentication. Available domain attributes for the domain type Text are: User name Password Domain Which domain attributes you add to the domain type depends on the authentication method used. The domain attributes normally used for the different authentication methods are described below. NTLM When using the Microsoft authentication method NTLM, all domain attributes for the domain type text (user name, password, and domain) are added to the domain type. Basic When using the authentication method Basic, the attributes user name and password are added to the domain type. Basic is the most commonly used authentication method for Web environments. Form-based When using form-based logon for an SSO domain, the attributes user name and password are added to the domain type. To use form-based logon for an SSO domain, you need to design a Web form for access to each resource in the SSO domain. This is done when adding or editing a resource: selecting form-based SSO will provide the logon form and form response configuration. Cookie Cookie authentication is used to send authentication information in HTTP headers. When the domain type Cookie is used, a cookie is set on the Access Point before proxying the request to the backend server. A common use of cookie SSO is when back-end applications only want to read the authentication information at the very first request. Available attributes are: Cookie name Cookie value Cookie secure Cookie domain

180

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Manage SSO domains
Registered SSO domains are listed on the Manage SSO Domains page in the Manage Resource Access section. You can add, edit, and delete SSO domains.

SSO Domain Settings
Configuration of a path to a Web resource host includes settings described below. Domain Type For each SSO domain, you select domain type. Available options are: Text (default) Cookie Domain type Text is used for domains of the type NTLM, Basic, and Form-based. Domain type Cookie is used for domains of the type Cookie. SSO Restrictions You have the option to choose how SSO credentials should be handled. When Cache on session only is selected, SSO credentials are cached (kept in memory) and only valid during the user session. When the option is not selected (default), the SSO credentials are stored persistently on the user account.
When Domain Type is set to Cookie, this option is not available.

You have the option to enable a user inactivity check on the SSO domain. Specify a period of time (set in number of days, weeks, or months) during which users are allowed to be inactive, i.e. not access the domain. When the period has passed, credentials must be re-entered for access to the domain to be granted. This option is not available when Cache on session only has been selected. You also have the option to enable an absolute time limit check on the SSO domain. Specify a period of time (set in number of days, weeks, or months) during which users’ SSO credentials are valid. When the period has passed, credentials must be re-entered for access to the domain to be granted. This setting is independent of user inactivity. This option is not available when Cache on session only has been selected.

User Guide

181

Manage Resource Access

Domain attributes
The domain attributes you can add to the SSO domain differ depending on SSO domain type. The domain attributes refers to the user authentication settings, the settings that characterize the SSO domain. Domain attribute settings for both SSO domain types are described below.

Domain Type Text
You can use all available attributes, but only add one of each (i.e. you can register a maximum of three domain attributes for a domain of the type Text). Attribute Name For each domain attribute, you define the type of attribute you specify. Available options are: User name (default) Password Domain Attribute Restriction Select how the attribute is presented on the HTML page the first time the user accesses the resource and needs to enter SSO credentials. Available options are: Editable The attribute is presented as a text field in the logon form Hidden The attribute and the attribute value are hidden in the logon form and is not visible for users Locked The attribute and the value are locked in the logon form and cannot be edited by users Referenced By You configure whether SSO credentials are entered manually or retrieved automatically. This is specified for both types of domain attributes. Available options are: User Attribute The SSO credentials are retrieved from the user object in the directory service. Example: samAccountName theCompanyCookie User Input (default) The SSO credentials are entered by the user Static The information entered in Attribute Value is displayed Example: watchguard.com Attribute Value When you have configured the Referenced By setting to User Attribute or Static, you need to define the value for the domain attribute.

182

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Domain Type Cookie
You can use all available attributes, but only add one of each (i.e. you can register a maximum of four domain attributes for a domain of the type Cookie). Attribute Name For each domain attribute, you define the type of attribute you specify. Available options are: Cookie name (default) Cookie value Cookie secure Cookie domain Referenced By You configure whether SSO credentials are entered manually or retrieved automatically. This is specified for both types of domain attributes. Available options are: User Attribute The SSO credentials are retrieved from the user object in the directory service. Example: samAccountName theCompanyCookie Static The information entered in Attribute Value is displayed Example: watchguard.com Attribute Value Finally you define the value for the domain attribute.

Access Rules
See Manage Access Rules.

Settings
General Settings
Label Display Name Domain Type Mandatory Yes No Description Unique name used in the system to identify the SSO domain. Available options are: Text and Cookie. Set to Text by default, it is used for domains of the type NTLM, Basic, and Form-based. Not selected by default.

Cache on session only

No

User Guide

183

Manage Resource Access

SSO Restrictions
Label Enable inactivity check User Inactivity Mandatory No No Description Not selected by default. Time (in days, weeks, or months) users can choose not to access a specific domain, before needing to provide credentials before access can be granted. Not selected by default. Time in days, weeks, or months the user’s SSO credentials are valid, before re-authentication is required, independent of user activity regarding the SSO domain.

Enable time limit check Absolute Time Limit

No No

Domain Attribute Text
Label Attribute Name Mandatory No Description Available options are: User name Password Domain Set to User name by default. Available options are: Editable Hidden Locked Set to Editable by default. Available options are: User Attribute User Input Static Set to User Input by default. Mandatory when User Attribute or Static is selected for Referenced by.

Attribute Restriction

No

Referenced By

No

Attribute Value

(Yes)

Domain Attribute Cookie
Label Attribute Name Mandatory No Description Available options are: Cookie name Cookie value Cookie secure Cookie domain Set to Cookie name by default. Available options are: User Attribute and Static. Set to Static by default. Domain attribute value.

Referenced By Attribute Value

No Yes

184

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Access rules
About access rules
Access rules are the basis of the WatchGuard Administrator access control. Access rules define the specific requirements for access control that you apply to a resource or SSO domain. You can create general access rules that can be applied for any resource or SSO domain, as well as access rules that are applied to specific resources or SSO domains only. In addition, you can define global access rules that are automatically applied to all resources and SSO domains. A number of different areas of requirements, or access rule types, are available in WatchGuard Administrator. You can use access rules of different types in combination. When adding access rules to a resource you can use the general access rules in combination with resource and SSO domain specific access rules, combined with AND. You can only use OR for resource and SSO domain specific access rules.

Access rule types
Available access rule types are listed below. Authentication Method An access rule of the type Authentication Method allows access to the resource protected by the access rule if the user is authenticated with the defined authentication methods. Several authentication methods can be used in combination, using arguments AND and/or OR. User Group Membership An access rule of the type User group membership allows access to the resource protected by the access rule if the user is member in a defined user group. Note that the access rule is dependent on user authentication: the user must be authenticated for the Policy Service to be able to determine whether the user is a member of the allowed user group. As a result, the access rule must be combined with an access rule of the type Authentication Method if it is to be used pre-authentication (for example in a global access rule). It can be used on its own for example when applied to resources accessed through the Application Portal. Several user groups can be used in combination, using arguments AND and/or OR. IP Address of Incoming Client An access rule of the type IP address of incoming client allows access to a resource protected by the access rule if the incoming client comes from a specified IP address (or range of IP addresses). Client Devices An access rule of the type Client Devices allows access to a resource protected by the access rule if the user uses a specified device, for example Web or WAP. Date, Day, and/or Time An access rule of the type Date, day, and/or time allows access to a resource protected by the access rule if the access occurs during a specified time.

User Guide

185

Manage Resource Access

User Storage An access rule of the type User storage allows access to a resource protected by the access rule if the user is stored in a specified user storage location. Note that the access rule is dependent on user authentication: the user must be authenticated for the Policy Service to be able to determine whether the user is located in the allowed user storage. As a result, the access rule must be combined with an access rule of the type Authentication method if it is to be used pre-authentication (for example in a global access rule). It can be used on its own for example when applied to resources accessed through the Application Portal. Assessment An access rule of the type Assessment can be plug-in-based or customized. It allows or denies access to a resource protected by the access rule if the result of a scan of the client computer matches specified client data requirements. Abolishment An access rule of the type Abolishment allows access to a resource protected by the access rule if the listener that will be collecting information about the client is active. When the session ends, abolishment as specified in the abolishment configuration is performed on the client.
Abolishment can be configured to allow the user to decide whether created, changed, or downloaded files should be deleted or not.

Access Point An access rule of the type Access Point allows access to a resource protected by the access rule if the request comes through a specified Access Point. Identity Provider An access rule of the type Identity Provider allows access to a resource protected by the access rule Custom-defined Access Rule A custom-defined access rule is tailored to meet specific needs. The custom-defined access rules are specified in separate XML files. Custom-defined access rules can only be updated by editing the corresponding XML file.

About managing access rules
In WatchGuard Administrator, you manage access rules in three different ways depending on the purpose of the rules: Manage access rules You add, edit, and delete access rules to be available for all resources on the Manage Access Rules page in Manage Resource Access. Manage global access rule You add, edit, and delete access rules that should be included in a global access rule, and consequently be applied to all resources, on the Manage Global Access Rule page in Manage Resource Access. Manage access rules for resource or SSO domain You add, edit, and delete access rules for specific resources in connection with the resource: in the Access Rules step of the add resource wizard, and on the Access Rules tab when editing the resource. The different ways of managing access rules are described in the following sections.

186

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Manage access rules
You add, edit, and delete access rules to be available for all resources on the Manage Access Rules page in Manage Resource Access section. The access rules you create here can be applied to resources, SSO domains or the global access rule. Registered access rules are also listed and available for selection when adding or editing a resource, an SSO domain or the global access rule. When you create an access rule in Manage Access Rules, you specify a display name for the access rule. You then add one or several access rules to the access rule. If you create several access rules to be included in the rule, the access rules are by default separated by an OR statement, i.e. only one of the access rules must be fulfilled for access to be allowed. To define that several access rules must be fulfilled for access to be allowed, you can select to combine the access rules with an AND statement. Included rules can be of different access rule types. For details regarding settings for the different access rule types, see Access Rule Settings.

Manage global access rule
You add, edit, and delete access rules included in the global access rule on the Manage Global Access Rules page in Manage Resource Access section. When configuring the global access rule, you can select one or several registered access rules to include in the global access rule, create one or several new access rules specifically for the global access rule, or use registered and new access rules in combination.
If you select registered as well as create new access rules for the global access rule, they are all required for access to resources and SSO domains to be allowed: they are combined with an implicit AND statement.

Access rules included in the global access rule can be of different access rule types. For details regarding settings for the different access rule types, see Access Rule Settings below. Once access rules have been created for and/or included in the global access rule and the configuration has been published, these access rules are automatically applied to all resources and SSO domains in the system. All access rules included in the global access rule are displayed in the access rules step of the add resource versus SSO domain wizard, and on the Access Rules tab when editing a resource or SSO domain. Selecting Registered Access Rules Registered access rules are available for selection, but not for editing, when configuring the global access rule. When you select several registered access rules, they must all be fulfilled in order for access to be allowed: i.e. they are combined with an implicit AND statement.
If you select several registered access rules, they are used for authorization in the order they are selected.

Creating New Access Rules The access rules you create for the global access rule are specific for the global access rule, and cannot be applied to individual resources or SSO domains. The access rules you create are by default separated by an OR statement, i.e. only one of the access rules must be fulfilled for access to be allowed. To define that several access rules must be fulfilled for access to be allowed, you can select to combine the access rules with an AND statement.

User Guide

187

Manage Resource Access

Manage access rules for resource or SSO domains
Access rules are applied to resources and SSO domains as a part of the authorization configuration, to implement resource access control. The access rules are managed in the access rules step of the add resource or SSO domain wizard, and on the Access Rules tab when editing the resource or SSO domain. Applying access rules to resources or SSO domains is not mandatory. When applying access rules to a resource or SSO domain you can select one or several registered access rules, create one or several new access rules specifically for the resource or SSO domain, or use registered and new access rules in combination.
If you select registered as well as create new access rules for the resource or SSO domain, they are all required for access to be allowed: i.e. they are combined with an implicit AND statement.

Access rules applied to the resource or SSO domain can be of different access rule types. For details regarding settings for the different access rule types, see Access Rule Settings below. Selecting Registered Access rules Registered access rules are available for selection, but not for editing, on the resource or SSO domain. When you select several registered access rules, they must all be fulfilled in order for access to be allowed: i.e. they are combined with an implicit AND statement.
If you select several registered access rules, they are used for authorization in the order they are selected.

Creating New Access Rules The access rules you create for the resource or SSO domain are specific for the individual resource or SSO domain, and cannot be applied to other resources or SSO domains. The access rules you create are by default separated by an OR statement, i.e. only one of the access rules must be fulfilled for access to be allowed. To define that several access rules must be fulfilled for access to be allowed, you can select to combine the access rules with an AND statement. Global Access Rule If a global access rule has been configured in the system, the access rules included in the global access rule are automatically applied to the resource or SSO domain and displayed for reference. It is not possible to edit or delete the access rules included in the global access rule on individual resources or SSO domains.

188

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Access rule settings
Authentication Method When creating an access rule of the type Authentication Method, you select one or several authentication methods that the user must use to access a resource protected by the access rule. All registered and enabled authentication methods are available for selection. You can select several authentication methods for the access rule. You then specify if the authentication methods are to be combined in a logical AND or OR statement. OR is selected by default. Select OR if the user should be able to choose which of the listed authentication methods to use for authentication. Select AND if all listed authentication methods are to be used to authenticate the user. If you select AND, note that the order in which the methods are selected will correspond to the order in which the authentication methods will be used to authenticate the user. User Group Membership When creating an access rule of the type User group membership, you define one or several user groups that the user must belong to in order to access a resource protected by the access rule. You start by searching for user group names. The wildcard character * is supported, and can be entered anywhere in the search string. User groups that match the search are displayed in a list. You can select several user groups for the access rule. You then specify if the user groups are to be combined in a logical AND or OR statement. OR is selected by default. Select OR if the user has to be a member of at least one of the listed user groups. Select AND if the user has to be a member of all listed user groups. IP Address When creating an access rule of the type IP address, you specify an IP address, several IP addresses, or a range of IP addresses that the incoming client must have to access a resource protected by the access rule. Several IP addresses are separated with a comma sign. A range of IP addresses is specified using a hyphen. Example: 192.168.12.12 – 192.168.12.98. Client Device When creating an access rule of the type Client device, you specify one or several devices that the user must use to access a resource protected by the access rule. Devices available for selection are the devices specified on the Manage Device Definitions page in the Manage System section. Note that you can also specify restrictions for the individual devices. The device restrictions (with Deny, Warn, and Accept permissions) are managed on the Client Access tab on the Manage Global Access Point Settings page in the Manage System section.

User Guide

189

Manage Resource Access

Date, Day, and/or Time When creating an access rule of the type Date, day, and/or time, you specify during which date period, weekdays, and/or time the user is allowed to access a resource protected by the access rule. You can select whether to specify date period, weekdays, time period, or a combination. The date period can be one specific date or a period between two given dates. You specify start date and end date for the period. Year, month, and date are formatted according to your browser’s language settings (for example, m/d/yy). Example: 12/1/06 – 12/31/06 One or several weekdays can be specified by selecting Monday through Sunday. You specify start time and end time for the time period (hour and minute formatted according to your browser’s language settings). Example: 12:00 AM – 8:00 PM User Storage When creating an access rule of the type User storage, you specify in which user storage the user must be stored to be allowed to access a resource protected by the access rule. All registered user storages are available for selection. Assessment When creating an access rule of the type Assessment, you either specify a plug-in to use or manually specify assessment requirements. The client computer is assessed through a client scan performed to match the client data with specified requirements. Plug-In When using a plug-in, you select which plug-in to use and configure it according to its requirements. If the plug-in you would like to use is not available in the drop-down list, you can upload the plug-in. Custom When not using a plug-in, you specify one or several information paths and requirements for client data per operating system. Currently, you can create client data requirements for Windows only. Future versions of WatchGuard Administrator will support other operating systems. You also select whether an assessment result matching this client data should result in that access to a resource protected by the access rule is allowed or denied. You specify the requirements for client data by defining values to be matched on the client computer. Example: Allow access when a process name matches yourantivirussoftware.exe Client data is collected in a number of information types, i.e. areas of client data. Available information types and corresponding client data that you can specify requirements for are listed below.

190

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Microsoft Windows Client Data
When Wildcard match is selected, a first and last * is applied by default to the Matching Rule. Only use wildcard characters inside the matching rule: Example: C:\note*.exe Client Data File Information Information Type File attributes File digest File name File time created File time last written Client Scan Settings Information path of the type File Can not be automatically created if Wildcard match is used Matching Rules File attributes: r (read-only) d (directory) e (encrypted) h (hidden) s (system file) t (temporary) File name: \SystemRoot\System32\smss.exe File digest: 08d26906c74805bee8deca4c7be8c7f5 File time created: 01/16/2004 22:38 File time last written: 09/07/2004 15:21 File time last accessed: 03/03/2005 06:04 Attributes: r (read-only) d (directory) Directory digest: 08d26906c74805bee8deca4c7be8c7f5 Directory name: \SystemRoot\System32\ Registry name: HKEY_LOCAL_MACHINE\SOFTWARE\M icrosoft\Cryptography\MachineGuid Registry type: value or subkey Registry value: 87e4d320-ee1a-4321-93eb34db24ae5ec6 Registry name: HKEY_LOCAL_MACHINE\SOFTWARE\M icrosoft\Cryptography\MachineGuid Registry type: value or subkey Registry value: 87e4d320-ee1a-4321-93eb34db24ae5ec6

Directory information

Attributes Directory digest Directory name

Information path of the type Directory Can not be automatically created if Wildcard match is used

Registry key information

Registry name Registry type Registry value

Information path of the type Registry Sub Key Can not be automatically created if Wildcard match is used

Registry subkey information

Registry name Registry type Registry value

Information path of the type Registry Sub Key Can not be automatically created if Wildcard match is used

User Guide

191

Manage Resource Access

Client Data Process information

Information Type Process digest Process name Process ID

Client Scan Settings Enable collection of process information

Matching Rules Process name: *Mozilla.exe Process digest: 84885f9b82f4d55c6146ebf6065d75d2 Process ID: 1184 Windows logon domain: WATCHGUARD Windows alternative domains: WATCHGUARD1, WATCHGUARD 2 Windows user name: userid Windows logon server: SRV-EXCHANG

Windows user information

Windows logon domain Windows logon server Windows alternative domains Windows user name Computer name LAN group Major version Minor version Platform ID

Enable collection of process information

Windows domain information

Enable collection of process information

Computer name: USERDEV LAN group: WATCHGUARD Major version: 3 Minor version: 1 Platform ID: 100 Physical address: 00502239056e Name: N/A Description: MS TCP Loopback interface

Network interface information

Description Name Physical address

Enable collection of process information

UDP port information TCP port information

Local address Local port Local address Local port Remote address Remote port State

Enable collection of process information Enable collection of process information Local address: 127.0.0.1 Local port: 8300 Remote address: 127.0.0.1 Remote port: 3662 State: Established

192

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Settings
Authentication Methods
Label Available Authentication Methods Selected Authentication Methods Combine with OR Combine with AND Mandatory No Description Lists authentication methods enabled in the system.

Yes

Lists authentication methods selected to be included in the access rule. Selected by default. Not selected by default.

No No

Group Membership
Label User Group Criteria Available User Groups Selected User Groups Combine with OR Combine with AND Mandatory No No Yes No No Description The wildcard character * is supported, and can be entered anywhere in the search string. Lists available user groups according to your configuration, or filtered after a search. Lists user groups selected in the Available User Groups list. Selected by default. Not selected by default.

IP Address of Incoming Client
Label IP Address Mandatory Yes Description When several IP addresses have been entered, the incoming client must be within the range to access the resource.

Client Device
Label Available Devices Selected Devices Mandatory No Yes Description Lists available supported devices. To access the resource, the user must use one of the listed devices.

User Guide

193

Manage Resource Access

Date, Day, and/or Time
Label Specify date period Specify days Specify time period Date Period Monday-Friday Mandatory No No No No No Description Can be combined with one or all of the available options. Can be combined with one or both of the available options. Can be combined with one or both of the available options. Format is defined according to your browser’s language settings. All weekdays are available for selection, to specify weekday or weekdays when access to the resource is allowed. Start and end time of the specified Time Period. Format complies to your browser’s language settings.

Time Period

No

User Storage
Label User Storage Mandatory No Description All registered user storage locations are available for selection.

Assessment Type
Label Plug-in Custom Mandatory No No Description The first plug-in in the list is selected by default. Not selected by default.

Assessment Criteria
Label Display Name Operating System Information Type Mandatory Yes Yes Yes Description Name used in the system to identify the access rule. The operating system the access rule applies to. Available option is Windows. Available options for Windows are: File information Directory information Registry information Process information Windows user information Windows domain information Network interface information UDP port information TCP port information Set to File information by default. Not selected by default.

Deny access

No

194

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Assessment Requirement
Label Client Data Matching Restriction Matching Rules Mandatory Yes Yes Yes Description Lists available client data according to the information type defined on the Select Criteria page. Available options are: Match and Wildcard match. Set to Match by default. Value matching Client Data according to restriction set in Matching Restriction. Environment variables can be used.

Assessment Feedback
Label Feedback Message Mandatory No Description Feedback message displayed to users when access is denied due to failed assessment.

Assessment Upload Plug-in
Label Upload Plug-in Mandatory No Description Name of the plug-in to be uploaded for use with the access rule.

Access Point
Label Available Access Points Selected Access Points Mandatory No No Description Lists available registered access points. Lists access points selected in the Available Access Points box. To access the resource, the request must come through one of the listed Access Points.

Identity Provider
Label Identity Provider Mandatory No Description Lists registered identity providers.

Custom-defined
Label Available Access Rules Selected Access Rules Combine with OR Combine with AND Custom-defined access rule Mandatory No Yes No No No Description Lists uploaded custom-defined access rules. Lists uploaded custom-defined access rules selected to be included in the access rule. Selected by default. Not selected by default. Display name of custom-defined access rule to be uploaded.

User Guide

195

Manage Resource Access

Application portal
About application portal
The Application Portal is the WatchGuard SSL Web portal that users log on to in order to access corporate applications from remote locations. In the Application Portal, the applications - registered resources - are displayed as icons with link texts. In WatchGuard Administrator, these icons and link texts that form the graphical representation of the resources are called Application Portal items. Application Portal items can be created for the following resource types: Web resources Tunnel sets External sites All Web resources and tunnel sets configured to be displayed in the Application Portal are automatically associated with an Application Portal item. Application Portal items can also be manually created for Web resources or tunnel sets. Note that for Web resources, it is possible to configure a shortcut. The shortcut enables users to access the resource directly in a Web browser, without the need to log on to the Application Portal. You can also create Application Portal items for external sites, i.e. external URLs not registered as Web resources.

Access Client
Users access the Application Portal through the use of WatchGuard Access Client. The Access Client is available as a Microsoft Windows executable (loaded over the Application Portal by either an ActiveX component or a Java applet) and as a pure Java applet. The Windows version of the Access Client is also available on an installation CD, for installations on client computers using Windows. When using the installable Access Client, users do not need to use the Application Portal but are able to access resources directly from their PC. They also have the opportunity to edit preferences in as well as add favorites (frequently visited applications) to their Access Client. Foir more information, see Manage application portal and Application Portal item settings.

Manage application portal
Registered Application Portal items are listed on the Manage Application Portal page in the Manage Resource Access. You can add, edit, and delete Application Portal items. An Application Portal item can be created in two different ways: automatically or manually. When you configure a resource to be displayed in the Application Portal, an Application Portal item is automatically created and added to the Manage Application Portal page. You can also manually create Application Portal items on the Manage Application Portal page. You then associate the items with the corresponding Web resource or tunnel set. You can also register Application Portal items not associated with a registered resource, for example an external Web site.

196

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Application portal item settings
When you create an Application Portal item manually, you select which registered Web resource or tunnel set to display in the Application Portal. For external sites, you specify the external URL instead. Icon You select which icon that should represent the resource in the Application Portal. You can browse for an icon in an icon library, or upload an icon of your choice. The icon must be of the type .gif, .jpeg, or .png and must not exceed 10kB in size. Link Text You enter a link text to be displayed below the icon. The link texts are sorted in alphabetical order in the Application Portal, providing you with an opportunity to affect how the resources are displayed.
Note that in the Registered Application Portal Items list on the Manage Application Portal page, the link text is displayed in the Display Name column.

Shortcut For Web resources, you can define a shortcut allowing users to access the resource without accessing the Application Portal. The users enter the address to the Access Point and the shortcut in a browser window to access the resource directly. Example: http://www.AccessPoint.com/Shortcut URL Query String For Web resources, you can also define a URL query string. The string is added to the Web resource address when it is selected in the Application Portal. Use queries to retrieve data, or to ask for additional operations such as inserting, updating, or deleting data. Example: http://www.watchguard.com/index.php?id=2&page=1 Protocol For Web resources, you can also configure what protocol to use between the Access Point and the Web resource back-end server. This setting is only available if both HTTP and HTTPS can be used to access the resource.

Tunnel Set
Label Make resource available in Application Portal Icon Mandatory No Description Not selected by default.

(Yes)

Path to the image file that symbolizes the tunnel set in the Application Portal. Mandatory when Make resource available in Application Portal is selected. Link text that represents the tunnel set in the Application Portal.

Link Text

(Yes)

User Guide

197

Manage Resource Access

Application Portal Item
Label Web Resource Tunnel Set External Site Mandatory No No No Description Selected by default. Type of resource for the Application Portal item. Type of resource for the Application Portal item.

Web Resource
Label Make resource available in Application Portal Icon Mandatory No Description Not selected by default.

(Yes)

Path to the image file that symbolizes the external site in the Application Portal. Mandatory when Make resource available in Application Portal is selected. Link text that represents the external site in the Application Portal. Query string added to the Web resource address when item is selected in the Application Portal. Mandatory when Hide Resource in URL is selected. When selected, Shortcut is mandatory. Not selected by default. This setting is only available if both HTTP and HTTPS can be used to access the resource, according to the Web resource configuration. Set to HTTP by default.

Link Text URL Query Shortcut Hide Resource in URL Protocol

(Yes) No (Yes) No No

External Site
Label Make resource available in Application Portal Icon Mandatory No Description Not selected by default.

(Yes)

Path to the image file that symbolizes the external site in the Application Portal. Mandatory when Make resource available in Application Portal is selected. Link text that represents the external site in the Application Portal. Mandatory when Hide Resource in URL is selected. When selected, Shortcut is mandatory. Not selected by default. URL to the external site the Application Portal item refer to.

Link Text Shortcut Hide Resource in URL External URL

(Yes) (Yes) No No

198

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Identity Federation
About Identity Federation
Here, you manage all Identity Federation settings, including the internal SAML 2.0 settings which include selecting certificates to enable WatchGuard Administrator to act as a Service Provider or an Identity Provider. A federated environment involves at least three roles: Service Provider Decides what requests to allow Identity Provider Provides the security information Subject The user associated with the Identity Information SAML 2.0 (Security Assertion Markup Language) is an XML standard for using SSO between online business partners, that is, between an identity provider and a service provider. SAML 2.0 relies on assertions and defines three kinds of attribute statements that can be carried within an assertion: Authentication statements Authentication statements are issued by the identity provider. They define who issued the assertion, the authenticated subject, validity period, plus other authentication related information. Attribute statement Authorization decision statements These identify what users are entitled to do (for example permissions to buy a specified item).

Assertions
WatchGuard Administrator only exposes one assertion attribute per assertion. Attributes are mapped against existing attributes in user storage and the Directory service. The key concept of SAML 2.0 assertions is a subject (a principal, someone who can be authenticated, within the context of a particular security domain) about which something is being asserted. A trust is set up between the service provider and the identity provider using certificates. The Identity Provider uses server certificates to sign the SAML 2.0 responses, and the Service Providers use server certificates to validate their SAML 2.0 responses. WatchGuard Administrator can be configured to act as either a Service Provider or an Identity Provider.

Preconditions
Before starting to configure your Identity Federation settings, make sure you have completed the following tasks: Server Certificates used when creating service providers are added using the Add Server Certificate wizard in the Manage Certificates section Hosts used as Service Providers are added using the Add Web Resource Host wizard in the Manage Resource Access section CA Certificates used when creating Identity Providers are added using the Add CA Certificate wizard in the Manage Certificates section Depending on how you use WatchGuard Administrator, as identity or service provider, you select appropriate certificates, add Web resource hosts, and specify exact paths to these Web resources.

User Guide

199

Manage Resource Access

Providers
Service Provider Typically there are a number of service providers that use assertions about users in order to control access and provide customized service, and subsequently become an asserting party: the identity provider. Service providers use this information, depending on its access policies, to grant access to local resources. Identity Provider Identity providers assert users’ identities to relying parties, the service providers. For more information, see Manage Identity Federation settings.

Manage Identity Federation settings
Global Identity Federation Settings
You can specify which server certificate to use for signing and validation of assertions. To add server certificates, use the Add Server Certificate wizard on the Manage Certificates page.

Service Provider
Label Enable Service Provider Display Name Web Resource Host Path CA Certificate Mandatory No Yes Yes No Yes Description Selected by default. Unique name used in the system to identify the service provider. List of available Web resource hosts. Exact path to the selected Web Resource Host used as service provider. List of available CA certificates.

Attribute Statement Settings
Label SAML Attribute User Attribute Mandatory Yes Yes Description Name of the SAML 2.0 attribute statement. Directory service attribute name for the user that is to be added as the SAML 2.0 attribute statement value.

Assertion Settings
Label Validity Subject Add Client IP Mandatory No No No Description Length of the SAML 2.0 session. Set to 15 by default. Available options are: User ID and email. Set to User ID by default. Not selected by default.

200

WatchGuard SSL 500 & SSL 1000

Manage Resource Access

Identity Provider
Label Enable Identity Provider Display Name CA Certificate Mandatory No Yes Yes Description Not selected by default. Unique name used in the system to identify the identity provider. List of available CA certificates.

Attribute Mapping
Label Attribute Mandatory Yes Description Directory service attribute name for a user that contain the SAML subject attribute value.

Manage providers
Service Providers You specify a registered Web resource host as service provider. You can also specify an exact path to Web resource. On the Assertion tab, you can edit the time in minutes to specify the length of the SAML 2.0 session. By default, the session time is set to 15 minutes. You specify which subject is being asserted by selecting either User ID or email as the unique identifier. SAML 2.0 Attributes are mapped against existing user attributes in user storage and the directory service. Identity Providers When adding an identity provider, you select a CA certificate and specify an attribute to map against existing user attributes in user storage and the directory service.

User Guide

201

Manage Resource Access

202

WatchGuard SSL 500 & SSL 1000

10

Manage system

About Manage System
In the Manage System section, you manage the system properties and global settings for the different services in the WatchGuard network: the Access Point, Policy Service, Authentication Service, and Administration Service. This section also contains the End-Point Integrity feature Assessment and End-Point Protection feature Abolishment, as well as the identity management with configuration of Delegated Management and the Directory Service used. You manage the global Notification Settings here, in effect the SMS and email channels, which are used for Alerts, and for distribution of SMS and email messages. Device Definition management allows adding, editing, and deleting of device definitions which are used for access rules of the type Device and Device Control in the Access Point, for example.

User Guide

203

Manage system

Abolishment
About Abolishment
The end-point protection solution in WatchGuard Administrator consists of the concept Abolishment, which focuses on client clean upon completion of the session. Web browsers leave traces such as browser history and browser cache after a session has ended. Abolishment simplifies the secure cleanup of a client computer through removing cached content on the client, browser history, as well as downloaded, created, or edited files. Abolishment is used as a basis for access control. A resource is protected by an abolishment access rule based on abolishment settings specifying what should be cleaned on the client after the session is completed. When a user attempts to access the resource, access is allowed only if the abolishment client is running, ensuring that abolishment will be performed when the session is completed. When abolishment is performed, cache and Web browser history is deleted according to the abolishment configuration. As to files downloaded, created, or edited during the session, you can configure whether or not the user should be notified and able to choose which files to delete.
In the dialog box, the Abolishment client is called the End-Point Protection client.

See Manage Abolishment for more information.

204

WatchGuard SSL 500 & SSL 1000

Manage system

Manage abolishment
Abolishment settings are managed on the Manage Abolishment page in the Manage System section of WatchGuard Administrator. Abolishment settings are available on three tabs: General Settings, Cache Cleaner, and Advanced.

General Settings
On this tab, you specify which file types should be monitored on the client. You also define whether a user should receive a notification message regarding downloaded, created, or edited files of these types upon completion of the session, allowing the user to decide which – if any – files should be deleted. If you select not to notify the user, downloaded, created, or edited files of the specified file types will be deleted automatically the session is completed. Monitor Files Specify which file types should be monitored on the client, and deleted automatically when the session is ended or as a result of the notification message to the user. The file types are specified per operating system in comma-separated lists. The example below displays the file types specified for Windows by default. Example: htm, pdf, txt, doc, xls, ppt, exe, zip Notification When the options Enable delete and Notify user are selected, the WatchGuard Abolishment dialog will be displayed when users log off the Application Portal. The WatchGuard Abolishment dialog contains a list of downloaded and/or created files, with the option to select which files to delete. The user may select not to delete any files. You can customize the notify message displayed in the WatchGuard Abolishment dialog. The default message is Abolishment is requested. Select the files you want to delete is provided.
If if the option to notify user is not selected, all downloaded, created, or edited files of the specified file types will be deleted automatically when the session is completed.

General Settings
Label Windows Enable delete Notify user Notify message Mandatory (Yes) No No (Yes) Description Files types to be deleted when the session is ended. Selected by default. Selected by default. Message used in the Abolishment dialog when users can select which files to delete. Set to Abolishment is requested. Select the files you want to delete by default.

User Guide

205

Manage system

Cache Cleaner
On this tab, you specify per operating system what the cache cleaning should include. Available options are: Microsoft Windows Internet Explorer history and typed URLs Internet Explorer cache entries When you select to clean cache entries, you specify a URL filter to define which cache entries to delete. The URL filter is matched to the cache entries. The wildcard character * is supported. When used alone, all cache entries are deleted. The URL filter is mapped to cache entries in the Windows folder Temporary Internet Files, in the Internet Address column. The cache cleaner removes all cached session information in this column from the start of the session until it is ended. Examples:

* removes all cache entries https* removes all cache entries downloaded from a secure server http://www.thesecurecompany.com/* removes all entries from that particular server
URL Filter is set to * by default.

Cache Cleaner Windows Settings
Label Enable clean of Internet Explorer history and typed URLs Enable clean of Internet Explorer cache entries URL Filter Mandatory No Description Not selected by default.

No

Not selected by default.

(Yes)

Set to * by default.

206

WatchGuard SSL 500 & SSL 1000

Manage system

Advanced
On this tab, you manage advanced abolishment settings. Display Resources in Application Portal Select this option to display resources protected by an abolishment access rule in the Application Portal prior to the client scan. When selected, resources are displayed even though the user may not have access to them. When not selected, only resources that the user is allowed access to are displayed. Abolishment Client Loader You specify which type of loader to use for the abolishment client. The options are: ActiveX - Java Applet ActiveX Java Applet When the ActiveX - Java Applet option is selected, the loader uses ActiveX when available. If not it uses the Java Applet.

Advanced Settings
Label Display resources in Application Portal Mandatory No Description Resources protected by an Abolishment access rule are displayed in the Application Portal, regardless if the listener collecting information about the client is active or not. Selected by default. Set to ActiveX - Java Applet by default.

Abolishment Client Loader

Yes

User Guide

207

Manage system

Access Points
About Access Points
Access Points handle access between users connecting from external networks and the applications on the internal network, usually from the Internet to an intranet, both for corporate and commercial use. The Access Point functionality can be divided into Web access, WAP access, and access via the Access Client. The Web and WAP access supports a secure connection to information that is presented in HTML and WML formats in standard Web and WAP browsers. By using the Access Client, secure access is enabled from more advanced TCP/IP clients such as Telnet. See the sections Manage Tunnel Resources and Manage Tunnel Sets for more information.

WatchGuard Network

Web and WAP Access Users can connect to the Access Point through any standard browser supporting SSL 3.0. WAP device users can connect to the Access Point via the WAP gateway and then receive WML pages. Internet Channels Access Points can operate in any network that supports TCP/IP with ports open for both HTTP and SSL. OpenSSL algorithms are supported, with no limitation of key lengths. Authentication The Access Point supports a number of authentication methods used to identify and verify identification of users. Authentication methods range from static passwords to one-time passwords generated by WatchGuard SSL Mobile ID or by third party products.

208

WatchGuard SSL 500 & SSL 1000

Manage system

Access Control Advanced access control is implemented in the Access Point. Access control can be based on group membership, for example, and is performed on both incoming and outbound traffic. The Access Point provides access control in conjunction with a firewall and the access control in internal systems. The firewall access control is performed when users interact with the system. The access control is performed on the same level of security as the firewall, i.e. on both IP level and port level. Access control capabilities can be expanded by using the Policy Service, which adds advanced authorization rules to the solution. Encryption Encryption is supported from the client and when connecting to internal systems. The Access Point supports OpenSSL algorithms, with no limitations of key lengths. Digital Signatures Access Points provide for validation of digital signatures when integrated with a Public Key Infrastructure (PKI) solution. Session Handling The session to the client is handled by the use of cookies. The Access Point communicates with internal systems using normal HTTP or SSL session. Cookies generated from internal systems are never passed on from the Access Point to the client. Session handling is important for security reasons, as the normal Web client is a silent client. Using advanced security solutions, a security context will also exist apart from the cookie or variable. The Access Client The Access Client allows for tunneling of raw TCP and UDP data from and to an internal server. The traffic is encrypted with the same strength as used in the Web browser. The Access Client is available in two versions. One is a native Windows application that can be installed as a desktop application, or downloaded from the WatchGuard Application Portal using either an ActiveX component (Internet Explorer only) or a Java Applet. The other is a pure Java version, used for Mac and Linux. When using the ActiveX component to download the Access Client, the user is required to have administrator rights on the client.The native Windows Access Client will try to load a fallback tunnel set if a dynamic tunnel fails to load due to insufficient user rights.

User Guide

209

Manage system

Manage Access Points
A first Access Point was added to the system during the Setup System wizard. This Access Point resource host and its corresponding paths are added as a Web resource in the Manage Resources section. Consequently, you can protect specific parts of the Access Point with access rules as well as configure authorization settings and set encryption levels. The authorization setting and encryption level set for that Access Point is valid for all Access Points. Authorization for other Access Points can be controlled through path and device definitions. Registered Access Points are listed on the Manage Access Points page in the WatchGuard Administrator. You can add, edit, and delete Access Points. A number of settings can be specified globally, to apply to all Access Points. Examples are settings for client access, performance, trusted gateways, and cipher suites. If you have an external load balancing product installed, you can manage load balancing between Access Points.

Access Point settings
Configuration of an Access Point includes the settings described below. Internal Host The internal host of the Access Point is the IP address used in the internal communication between the Access Point and the Policy Service. To verify the identity of a connecting Access Point, the Policy Service uses this address with the Access Point service ID. It is not recommended to use the IP address 0.0.0.0. To listen to all local IP addresses, use the Listen on all interfaces option. When selected, the services listens to all specified IP addresses and not only to the specified IP address. Sandbox Port The sandbox port is an additional port for redirecting requests from the Application Portal port.

Additional listeners
It is possible to add one or several additional listeners to an Access Point, for Web traffic or load balancing purposes. Additional listeners are additional ports or IP addresses the Access Point listens to. The configuration will not be distributed to other proxies in a load balanced environment. It is possible to specify separate SSL certificates for each additional listener. When HTTPS listeners are set up, you need to specify a server certificate.

210

WatchGuard SSL 500 & SSL 1000

Manage system

Settings
Label Service ID Display Name Internal Host Application Portal Host Application Portal Port Sandbox Port Mandatory No Yes Yes Yes Yes No Description Identification number automatically assigned to the Access Point when it is created. Unique name used in the system to identify the Access Point. IP address used in the internal communication between the Access Point and the Policy Service. IP address or DNS name where to bind all incoming external traffic to the Application Portal. HTTPS port for incoming traffic to the Application Portal. Set to 443 by default. Additional port for redirecting request from the Application Portal Port. Set to 443 by default. List of server certificates that the Access Point uses in the external communication. Specifies what interfaces the service listens to. Not selected by default. Not selected by default. Selected by default.

Server Certificate Listen on all interfaces Support crypto cards Distribute key files automatically

Yes No No No

Additional Listener
Label Host Port Sandbox Port Server Certificate Mandatory Yes Yes No (Yes) Description IP address or DNS name of the additional listener. Port for incoming HTTP or HTTPS traffic. Set to 80 by default. Additional port for redirecting request from the Application Portal Port. List of server certificates that the Access Point uses in the external communication. Mandatory if HTTPS is used. Type Listen on all interfaces No No Available options are: Web and Load Balance. Set to Web by default. Not selected by default.

User Guide

211

Manage system

Manage Global Access Point settings
Advanced settings
Internal Cookies You can define what kind of client data that will be sent as cookies in internal requests. Client data includes user ID, client IP, session ID and session ID cookie. This is an example of what an internal cookie can look like in the HTTP request: Example: Cookie: WA_T=45; WA_UID=test; WA_WASID=0c351d862cea55cc; WA_AM=WatchGuard Password; WA_CLIP=192.168.139.1; WA_SEPO=443; WA_SSL=256; WA_INTERNAL_ID=3.0.259121969733801860.14762743034494641120710727875 Session Control You can configure client session control using the WAAK (Web access authentication key) option. Plain HTTP only is not as secure as WAAK. It is also possible to set the strength of the secure authentication cookie. The Web access session ID (WASID) is a random hexadecimal value generated by the Access Point. When the Bind session to client IP option is selected, the client session is allowed to move from one computer to another if the client does not change the source IP during the session. Use the Duplicate user name login reverse action to ensure that two users cannot log on with the same user name until the first session is logged out or timed out. Cookie Persistence You have the option to select if all session cookies are transformed to persistent cookies. Note that this only apply to resources protected by Abolishment and for Internet Explorer users. When selected, two parts of the system are affected: The Abolishment client will make sure all persistent cookies are removed from the client when performing the abolishment. The Access Point will transform the session cookies to persistent cookies in runtime as soon as the user client is successfully authenticated using Abolish. Cache Control It is possible to select whether to use Cache-Control: no store to disallow browser cache on HTTP/ 1.1 clients. When selected, the header Cache-Control: no store is used, and Internet Explorer users are able to view Word documents, Excel files, PowerPoint files and PDF files and still not cache data. When not selected, the header Pragma:no_cache is used. Internal Host Address Control the internal host access by requiring that every internal host contacting the access point over SSL have a valid certificate. Client Access Settings for communication between clients and Access Points include whether error messages should be displayed to the user in SSL v2 communication, if server headers should be hidden, and an option to select which authentication method should be used when a user accesses /wa/auth without the parameter authmech specified.

212

WatchGuard SSL 500 & SSL 1000

Manage system

Bad URIs Lists URIs to be handled as forbidden requests. The purpose of the URIs is to detect when a user makes an attempt to access a URL that would normally be protected with access rules. It is strongly recommended to keep the default URIs. Example: *\* A URI can not contain backslash *%5c* A URI can not contain the URL encoding of backslash *%2f* A URI can not contain the URL encoding of slash */../* A URI can not contain /../ */%2e%2e/* A URI can not contain /../ where both dots are URL encoded */.%2e/* A URI can not contain /../ where the second dot is URL encoded */%2e./* A URI can not contain /../ where the first dot is URL encoded */./* A URI can not contain /./ */%2e/* A URI can not contain /./ where the dot is URL encoded *//* A URI can not contain double slash

Cipher Suites
When an SSL connection is initialized, the client and server determine a common cipher value to be used for key exchange and encryption. Various cipher values offer different types of encryption algorithms and levels of security. You can select which protocols for cipher suites to support, as well as define which types of cipher suites to support. Available protocols are TLS v1.0, SSL v3.0, and SSL v2.0.

Client access
Client Access Settings/WAP Client Settings Define Web versus WAP default pages displayed when accessing the /root, as well as welcome pages displayed after successful logon.
You can specify default and welcome pages for specific devices using device control.

Device Control Specify stricter control over, for example, client browsers connecting to the Access Point using device access restrictions. You can warn users using a certain browser, or disallow others to enter. To exercise device control, you register device settings and device access restrictions. When registering device settings, you specify which type of session handling the Access Point will use for a specific device. This can be useful for devices that, for example, cannot handle cookies. Available options are URL session, WAP agent, and/or Basic authentication. Use device access restrictions to map devices with permissions Deny, Warn or Accept. Device access restrictions are controlled in the order they are listed. On first match the restriction takes effect, independent of whether it is a Deny, Warn or Accept restriction.

User Guide

213

Manage system

Performance
Performance Settings Enhance the performance of your Access Points by configuring Access Point performance settings. Performance settings include the possibility to set time-outs for idle connections. You can also limit the number of TCP connections that the operating system is able to queue, and allow the Access Point to cache SSL sessions for communication with internal servers. Data Compression Settings Use data compression to represent dynamic and static Web files as accurately as possible using the fewest number of bits. Dynamic files are Web files located on the Access Point that contains user variables. You can also list what file types to compress, for example html/txt, or use the wildcard character * to compress all file types. Trusted Gateways Register trusted IP addresses, for example WAP gateways or HTTP proxies, as trusted gateways. Trusted in this context means that even though a client connecting to the Access Point may not have secure connection, incoming traffic from the specified IP address and the specified port is automatically assumed to have a specified level of security (128 bit encryption) added. Users are not redirected to HTTPS when coming from a trusted gateway.

About load balancing
Load balancing entails distribution of client sessions between two or more Access Points to handle situations with a large number of requests. Access Points can be load balanced with an external load-balancing product to gain redundancy and handle heavy loads. Load balancing enables Access Points to share sessions among each other, so that requests may be processed correctly no matter which server receives the request. Load balancing in the Access Point provides for the following benefits: Compatibility with third part load balancing products Session sharing Fail-over functionality Session mirroring Central administration The load-balancing product needs to support SSL session resistance. When not supported, unnecessary traffic between the Access Points is created, and the SSL handshakes are heavier. Access Points use a specific TCP port for the interchange of session data. The default port is set to 16972. The Access Point uses a specific TCP port for the interchange of session data. The default port is set to 1697. The traffic can be either in plain data or SSL. SSL is recommended unless the network is totally private. Optionally the servers may have two or three network cards each: Network card 1: Client communication Network card 2: Proxy session interchange communication Network card 3: Intranet communication To achieve full redundancy, set up the servers in pairs, where each Access Point shares the session with another Access Point. For more information, see Manage load balancing.

214

WatchGuard SSL 500 & SSL 1000

Manage system

Manage load balancing
You can enable multi-host sessions for Access Point load balancing. When enabled, Access Points can communicate sessions and enable central configuration. You specify a sticky cookie to be used by the load balancing machine to identify which Access Point to load balance the client to. It is also possible to configure the number of communication worker threads dealing with the message queue for session communication between the proxies.

Mirrored Access Points
Two Access Points can be configured to mirror each other’s sessions. Upon each change in a session, the change is synchronized with the mirror server to make redundancy possible. In order to register a pair of mirrored Access Points, the Access Points must be configured with additional listeners of the type load balancing. The pair of mirrored Access Points are configured by specifying primary and secondary servers versus listeners.

Settings
Internal Cookies
Label User ID Client IP Server Port SSL Strength Last used authentication method Max inactivity time in seconds Session ID cookie System Session ID Mandatory No No No No No No No No Description Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not selected by default. Not selected by default.

Session Control
Label Web access authentication key (WAAK) is secure Strength of WAAK Mandatory No Yes Description Selected by default. Strength in bits of the secure authentication cookie. Set to 128 by default. Number of bits in the random value. Set to 64 by default. Not selected by default. Selected by default. Not selected by default. Not selected by default.

Random Value of WASID Bind session to client IP Allow duplicate user name logon Duplicate user name logon reverse action Show shutdown message

Yes No No No No

User Guide

215

Manage system

Cookie Persistence
Label Enable secure use of persistent cookies Mandatory No Description Not selected by default.

Cache Control
Label Use Cache-Control: no store to disallow browser cache on HTTP/1.1 clients Mandatory No Description Method for HTTP/1.1 clients to disallow browser cache. Selected by default.

Internal Host Access
Label Validate server certificate Mandatory No Description Not selected by default.

Client Access
Label Show error on SSL v2.0 access Hide server header Default authentication method Mandatory No No No Description Not selected by default. Selected by default. Authentication method used when user accesses /wa/auth without the parameter authmech specified. Not selected by default.

Bad URI
Label Bad URIs Mandatory No Description Important: It is recommended that you keep the listed URIs.

Supported Cipher Suites Protocols
Label TLS v1.0 SSL v3.0 SSL v2.0 Mandatory No No No Description Selected by default. Selected by default. Selected by default.

216

WatchGuard SSL 500 & SSL 1000

Manage system

TLS v1.0 and SSL v3.0 Cipher Suites
Label Cipher Suites Supported Mandatory No Description Supported by default: TLS_RSA_WITH_AES_256_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 Not supported by default: TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5

Cipher Suites Not Supported

No

SSL v2.0 Cipher Suites
Label Cipher Suites Supported Mandatory No Description Supported by default: SSL_CK_DES_192_EDE3_CBC_WITH_MD5 SSL_CK_RC2_128_CBC_WITH_MD5 SSL_CK_RC4_128_WITH_MD5 Not supported by default; SSL_CK_RC4_64_WITH_MD5 SSL_CK_DES_64_CBC_WITH_MD5 SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 SSL_CK_RC4_128_EXPORT40_WITH_MD5

Cipher Suites Not Supported

No

Client Access
Label Default Page Mandatory Yes Description Path to the main page for the Application Portal where applicable authentication methods are listed. Set to /wa/auth by default. Path to the Application Portal or page configured as start page after a successful logon. Set to /wa/_welcome.html by default.

Welcome Page

Yes

User Guide

217

Manage system

Device Settings
Label Device Device does not support cookies Device cannot authenticate using HTML or WML forms File Extension Default Page Welcome Page GUI Constant GUI Constant Value Mandatory No No No No No No No No Description Set to Any device by default. Not selected by default. Not selected by default. When no additional file extension is entered, only HTML is used. Main page for the device. Welcome page after a successful logon. Name of a constant that can be used in the HTML or WML pages. GUI Constant Value

Pre-configured WAP Settings
Label Device Device does not support cookies File Extension Default Page Welcome Page Mandatory No No No No Description WAP phone Selected .wml /wa/auth /wa/_welcome.wml

Pre-configured PDA Settings
Label Device File Extension Default Page Welcome Page Mandatory No No No Description PDA .pda.html /wa/auth /wa/_welcome.pda.html

218

WatchGuard SSL 500 & SSL 1000

Manage system

Performance Settings
Label Max Working Threads Connection time-out Mandatory Yes Yes Description Number of threads handling requests. Set to 200 by default. Time, in seconds, a connection can be idle before it is closed. Set to 60 by default. Time, in seconds, a UDP tunnel connection can be idle before it is closed. Set to 120 by default. Time, in minutes, between Garbage Collection, or session objects. Set to 1 by default. Number of TCP connections that the operating system is able to queue. Set to 25 by default. Maximum number of concurrent TCP tunnel connections towards the internal servers. Set to 1500 by default. Selected by default. Selected by default.

UDP Tunnel time-out

Yes

Garbage Collection Interval

Yes

Size of Socket Listening Backlog Max Tunnel Connections

Yes

Yes

Cache Internal SSL Sessions No Delay on Tunnel Connections

No No

Data Compression Settings
Label Compress Static Web Files Compress Dynamic Web Files File Types to Compress Mandatory (Yes) No (Yes) Description Selected by default. Not selected by default. Mandatory when Compress Static Web Files or Compress Dynamic Web Files are selected.

Trusted Gateways
Label IP Address Port Mandatory Yes Yes Description Trusted IP address to the gateway. Set to 80 by default.

User Guide

219

Manage system

Administrative Service
About Administrative Service
You manage all administration and configuration of WatchGuard Administrator on the Administration Service. It distributes your user account settings to the user storages and configuration changes to the WatchGuard network: the Access Point, Policy Service, and Authentication Service. The WatchGuard Administration Service is the hub of the WatchGuard network, and the WatchGuard Administrator its interface.
Only one Administration Service can be configured per WatchGuard network.

WatchGuard Network

Configuration
The main configuration file (RemoteConfiguration.xml) is stored on the Administration Service. Local configuration files stored on the different WatchGuard services are only used initially to contact the Administration Service. The current configuration is pushed to the different services in runtime through the publish functionality in the WatchGuard Administrator. The services do not need to be restarted to retrieve the configuration. A history of the ten latest configurations is saved. A previous configuration can be retrieved by using the restore functionality in the WatchGuard Administration Service. For more information see Manage Administrative Service.

220

WatchGuard SSL 500 & SSL 1000

Manage system

Manage Administrative Service
Configuration of the Administration Service includes specifying the internal communication, that is the communication between the Administration Service and the WatchGuard network, as well as specifying the external communication, that is the communication between clients and the Administration Service. The server certificate that the Administration Service uses in HTTPS communication is also specified.

Administration Service Settings
When initially setting up WatchGuard Administrator through Setup System, the WatchGuard Administrator by default listens to host 127.0.0.1 and port 8300 for communication within the WatchGuard network. If WatchGuard Administrator services are installed on different machines, or if external IP addresses are used for other reasons, the default settings for Internal Host, Administrator HTTP Host, and Administrator HTTPS Host should be changed.

Internal Communication Settings
Label Internal Host Internal Communication Port Mandatory Yes Yes Description IP address or DNS name of the host for internal traffic in the WatchGuard network. Set to 8300 by default.

External Communication Settings
Label Administrator HTTP Host Mandatory Yes Description IP address or DNS name of the host for HTTP traffic. Set to 127.0.0.1 by default. Port for the HTTP Host. Set to 8080 by default. IP address or DNS name of the host for HTTPS traffic. Set to 127.0.0.1 by default. Port for the HTTPS Host. Set to 8443 by default. Server certificate the Administration Service uses in HTTPS communication.

Administrator HTTP Port Administrator HTTPS Host

Yes Yes

Administrator HTTPS Port Server Certificate

Yes Yes

User Guide

221

Manage system

Assessment
About Assessment
The end-point integrity solution in WatchGuard Administrator consists of the Assessment concept, which focuses on access control based on client restrictions. Assessment is used to define how a client must be constituted, and to allow or deny access to resources accordingly. A resource or SSO domain is protected by an assessment access rule, detailing client scan paths per operating system. Client scan paths define the information that will be scanned during the client scan. When a user attempts to access the resource, a client scan is performed and a subsequent assessment of the client constitutes the basis of the access decision.
The client scan is called the End-Point Integrity scan in the dialog box.

An alternative to registering client scan paths is to use the plug-ins available for specific client scans. WatchGuard Administrator supports assessment on Microsoft Windows. Future releases will support additional operating systems. Client data paths can be specified for the following areas: File information Registry information Process information Windows user information Windows domain information Network interface information UDP port information TCP port information For more information see Manage Assessment.

Manage Assessment
You manage assessment settings on the Manage Assessment page in the Manage System section. Manage Assessment consists of three tabs: General Settings Advanced Settings Plug-ins

222

WatchGuard SSL 500 & SSL 1000

Manage system

General Settings
On this tab, you configure the client scan settings which include settings for a real time scan as well as the client scan path. Note that you need to add an assessment access rule in order for these settings to take effect. Access rules are managed on the Manage Access Rules page in the Manage Resource Access section. Real Time Scan The client scan is performed the first time a resource protected by an assessment access rule is requested. To allow the client scan to continue to assess the client computer during the session, you can enable a real time scan. When the real time scan is enabled, the client will be scanned at the specified interval (default is set to 120 seconds) after the initial scan.
The real time scan is a global setting: when enabled, it applies to all resources protected by an assessment access rule.

Client Scan Paths There are several plug-ins available for use in assessment access rules, defining the client data required. When not using a plug-in, you specify one or several client scan paths. Client scan paths are used to specify paths to information types to collect during client scans. You define the information paths per operating system. For Windows, you can define file, directory, registry key, or registry subkey paths.
The client scan paths you add when creating assessment access rules are added to the list on this tab.

You can select several check boxes to scan for different information, even if only part of the information is used as a basis for assessment in accordance with specified access rules.
If you create client scan paths (that require collection of information) when creating an assessment access rule, the corresponding check boxes are selected automatically on this page.

Available information types and corresponding client data that you can specify requirements for are displayed in the table below.

User Guide

223

Manage system

Windows Information Types
Information type File information Client Data File attributes File name File digest File time created File time last written Directory Name Attributes Registry name Registry type Registry value Registry name Registry type Registry value Process digest Process name Process ID Windows logon domain Windows alternative domains Windows user name Windows logon server Computer name LAN group Major version Minor version Platform ID Network interface address TCP local address TCP remote address TCP status Local address Local port Remote address Remote port State Local address Local port Client Scan Settings Information path of the type File

Directory information Registry key information

Information path of the type Directory Information path of the type Registry Key Information path of the type Registry Subkey Enable collection of process information Enable collection of Windows information

Registry subkey information

Process information

Windows user information

Windows domain information

Enable collection of Windows information

Network interface information

Enable collection of network information

TCP port information

Enable collection of network information

UDP local address

Enable collection of network information

Real Time Scan
Label Enable real time scan Interval Mandatory No (Yes) Description Not selected by default. Mandatory if Enable real time scan is selected. Set to 120 by default.

224

WatchGuard SSL 500 & SSL 1000

Manage system

Client Scan Path
Label Operating System Information Type Mandatory Yes Yes Description Available option is: Windows Available options are: For Windows: File Directory Registry Key Registry Subkey. Set to File by default. Address to the selected information type.

Information Path

Yes

Windows
Label Enable collection of network information Enable collection of process information Enable collection of Windows information Mandatory No No No Description Not selected by default. Not selected by default. Not selected by default.

Advanced Settings
On this tab, you manage advanced assessment settings. Display Resources in Application Portal Select this option to display resources protected by assessment access rules in the Application Portal before the client scan has been performed. Resources are then displayed even though the user may not have access to them. When the option is not selected, only resources that the user is allowed access to are displayed. This is applicable when an assessment access rule is included in the global access rule, resulting in the client scan being performed before the user enters the Application Portal. Assessment Client Loader You specify which type of loader to use for the assessment client. The options are: ActiveX - Java Applet ActiveX Java Applet When the ActiveX - Java Applet option is selected, the loader uses ActiveX when available. If not it uses the Java Applet.

Advanced Settings
Label Display resources in Application portal Mandatory No Description Resources protected by an Assessment access rule are displayed in the Application Portal before the client scan has been performed. Selected by default. Set to ActiveX- Java Applet by default.

Abolishment Client Loader

Yes

User Guide

225

Manage system

Plug-ins
On this tab, you add or delete plug-ins to be used in assessment access rules, as a basis for the client scan. The plug-ins displayed here are located in the following folder: <WatchGuard installation folder>/files/policyservice/ep/plugins. File names, version numbers, and descriptions of the plug-ins are displayed. You can add a plug-in to this list by uploading it to the correct folder location. Use the Browse button to locate the plug-in. The plug-in is uploaded when you click Save.

Upload Plug-in
Label Plug-in Mandatory No Description The name of the plug-in to upload.

Authentication methods
About authentication methods
Authentication methods are used as requirements in access rules for authentication. An access rule can combine several authentication methods and other requirements. Different authentication methods provide various levels of security. The rule of thumb is: the more complex an authentication method, the more certain the identification of the individual. When adding authentication methods, you are allowed to specify settings using extended properties. These include, for example, Save credentials for SSO domain, Allow user not listed in any User Storage, or Lock user ID for session and many more depending on which authentication method you choose. The following authentication methods are supported: WatchGuard SSL authentication: Web, Challenge, Synchronized, Mobile Text, and Password RADIUS authentication: SecurID, SafeWord, and General RADIUS User Certificate LDAP authentication Active Directory authentication IBM authentication: Tivoli and RACF Novell eDirectory authentication Basic authentication NTLM authentication Extended User Bind authentication E-ID authentication E-ID Signer authentication Form-based authentication Windows integrated login Custom-defined authentication method You can configure a total of 15 authentication methods. For more information see Authentication methods, Additional authentication methods and Manage authentication methods.

226

WatchGuard SSL 500 & SSL 1000

Manage system

Authentication methods
The WatchGuard authentication methods are Password, Web, Synchronized, Challenge, and Mobile Text. They are all based on the RADIUS protocol. All WatchGuard authentication methods can be used on your laptop or desktop computer. When using the Synchronized or Challenge methods, users install client applications on the device being used. When using the Web authentication method, the installed client is either an ActiveX component or a Java applet. Which authentication method to choose depends on your users’ needs. Consider the importance of mobility, device flexibility, and level of security. Refer to each authentication method for more detailed information. All authentication methods use various levels of security, based on complexity. For information on additional authentication methods, see Additional Authentication methods.

WatchGuard Authentication RADIUS Activity
Authentication Method WatchGuard SSL Mobile Text WatchGuard SSL Password WatchGuard SSL Challenge WatchGuard SSL Synchronized WatchGuard SSL Web Device Type PC PDA Cell Phone PC PC PDA Cell Phone PC PDA Cell Phone PC RADIUS Client Activity User ID + Password User ID + OTP User ID + Password User ID User ID + OTP (OTP: Seed+PIN+Challenge) User ID + OTP (OTP synchronized between client and server) User ID RADIUS Server Activity Challenge: One-Time Password (OTP) by SMS Accept or Reject Accept or Reject Challenge Accept or Reject Accept or Reject

RADIUS package: Configuration Encryption Key Challenge Accept or Reject

Password RADIUS package

User Guide

227

Manage system

About WatchGuard SSL Mobile Text
The WatchGuard SSL Mobile Text authentication method is based on a combination of a PIN and one-time password (OTP) distributed via a SMS channel. When using Mobile Text authentication, users enter the PIN code on the Web logon page while an OTP is generated and distributed to the user’s cell phone. The WatchGuard SSL Mobile Text authentication method can be used on a mobile device such as a handheld PC or a cell phone, as well as on an ordinary desktop PC or Macintosh computer.

Mobile Text Distribution Channels
Protocol SMTP CIMD SMPP Native SMS Distributors Telia HTTPS Netsize Verisign HTTPS Server Instances Kannel

You can configure several channels. Configure more than one SMS channel to be used in case the primary fails. All authentication and notification messages are sent via mobile text to the cell phone number or email address registered to that specific user account. This is done on the User Account WatchGuard Authentication Settings page. When Allow Two-step Authentication is selected, the authentication is distributed over two sessions: the first one to make the server send the OTP to the mobile phone; and the second one to logon with the OTP. The authentication method Mobile Text relies on the RADIUS protocol.

About WatchGuard SSL Web
When using the authentication method WatchGuard SSL Web, users enter their user ID and a Java applet or ActiveX component is launched, prompting the users to enter a password or PIN. The password or PIN is then hashed and encrypted before it is returned to the server.
WatchGuard SSL Web can not be used for tunnel resource access when using the installable Access Client stand-alone.

When a new WatchGuard Administrator user account is registered and the WatchGuard SSL Web authentication method is enabled, the password or PIN is created and distributed to the user.
WatchGuard SSL Web authentication method only can be used with the Access Point.

WatchGuard SSL Web can be used for authentication on your laptop or desktop computer. The Web authentication method relies on the RADIUS protocol.

228

WatchGuard SSL 500 & SSL 1000

Manage system

About WatchGuard SSL Challenge
The WatchGuard authentication method Challenge can be used for authentication in a Web browser, WAP client, or with a PDA. Users enter their user ID, and are prompted (challenged) to provide private information (the response) to be allowed access. The challenge-response technique is most often used with a hardware token that generates the response. In WatchGuard SSL Challenge, however, the Mobile ID software client generates the response. Users enter their PIN in the Mobile ID Challenge client and the OTP is created instantaneously. Mobile ID clients can be installed and stored on a mobile device such as a handheld PC or a cell phone, as well as on your laptop or desktop computer. The WatchGuard SSL Challenge authentication method relies on the RADIUS protocol.

About WatchGuard SSL Password
The authentication method WatchGuard SSL Password is based on static password authentication. A static password is created and maintained for authenticating remote access with a RADIUS client. The WatchGuard SSL Password authentication method relies on the RADIUS protocol.

About WatchGuard SSL Synchronized
The authentication method WatchGuard SSL Synchronized can be used for authentication in a Web browser, WAP client, or with a PDA. Users enter their user ID and are prompted to enter a one-time password (OTP) to be allowed access. In WatchGuard SSL Synchronized, a software client (Mobile ID) is integrated, generating the OTP. Users enter their PIN in the Mobile ID client and the OTP is created instantaneously. The Mobile ID client can be installed and stored on a mobile device, such as a handheld PC or a cell phone, as well as on your laptop or desktop computer. The authentication method WatchGuard SSL Synchronized relies on the RADIUS protocol.

User Guide

229

Manage system

Additional authentication methods
These are the supported additional authentication methods: SafeWord This authentication method supports Secure Computing SafeWord hardware tokens, which generates an OTP. SecurID This authentication method supports RSA SecurID tokens that generate an OTP. LDAP This authentication method performs normal LDAP bind. Active Directory The Active Directory authentication method is an LDAP bind authentication method with the possibility to offer the user to change password. This functionality is only supported with Microsoft Active Directory (AD) servers. The directory service must be configured for SSL communication since this functionality is only allowed over SSL. IBM Tivoli and IBM RACF The IBM authentication methods are LDAP bind authentication method with the possibility to offer the user to change password. Novell eDirectory The Novell eDirectory authentication method is an LDAP bind authentication method with the possibility to offer the user to change password. User Certificate The User Certificate authentication method leverages user/certificate attribute mapping. If and only if there is an exact, unique match between the configured certificate attribute and the user attribute, the user is authenticated. NTLM The NTLM authentication method is an authentication protocol used in various Microsoft network protocol implementations. Basic This authentication method performs a basic authentication according to RFC 2617, HTTP Authentication: Basic and Digest Access Authentication. General RADIUS The general RADIUS authentication method is an authentication protocol that can be used with any RADIUS-compliant authentication server. Extended User Bind The Extended User Bind authentication method adds an extended form of user data retrieval, parsing and matching with user presented certificate and the LDAP user object. Form Based Authentication Windows Integrated Login Windows Integrated Login authentication enables Windows domain credentials to be reused. For example, users do not have to log on to the Application Portal when it is protected by Windows Integrated Login authentication. User credentials are retrieved from the client, and not entered by the user. E-ID A consortium of Scandinavian banks has agreed on a standard service for electronic authorization and signing over the Internet. E-ID Signer Using E-ID, the client can authorize an order or a document by signing.

230

WatchGuard SSL 500 & SSL 1000

Manage system

Manage authentication methods
You add authentication methods using the Add Authentication Method wizard. Each step of the wizard is represented by a tab when editing a specific authentication method. The steps and tabs are: General settings RADIUS replies Extended properties For more information see, General settings and Authentication Method server, RADIUS replies, or Extended properties.

General settings
All authentication methods have a display name and the option to enable the authentication method. All authentication methods are enabled by default. For the WatchGuard authentication methods, the display name is used as display name in the Select Authentication Method dialog when logging on to the Application Portal. Some authentication methods (listed below) have a template specification, which defines the physical appearance of the authentication method logon dialog. The specified Template Name is sent to the Policy Service enabled application which has a corresponding template file on the local server. All WatchGuard Mobile ID authentication methods, and most of the supported additional authentication methods (listed below), need one or several authentication method servers. The authentication method server settings include: Host and port Different search methods to locate users in the directory service structure for authentication

Common General Settings
Label Enable authentication method Display Name Mandatory No Yes Description Selected by default. Unique name used in the system to identify the authentication method.

Active Directory Authentication
Label Template Name Template Specification Mandatory No Yes Description Template presented to the user. Set of values used by the template.

Basic Authentication
Label Template Name Template Specification Mandatory No Yes Description Template presented to the user. Set of values used by the template.

Challenge Authentication
Label Template Name Mandatory No Description Template presented to the user.

User Guide

231

Manage system

Customer-defined Authentication
Label Template Name Template Specification Class Name Certificate Authority Mandatory No Yes Yes No Description Template presented to the user. Set of values used by the template. Executable authentication method implementation. CA used to validate the identity of the individual holding of the user certificate.

Form-Based Authentication
Label Template Name Template Specification Mandatory No Yes Description Template presented to the user. Set of values used by the template.

General RADIUS Authentication
Label Template Name Template Specification Mandatory No Yes Description Template presented to the user. Set of values used by the template.

LDAP Authentication
Label Template Name Template Specification Mandatory No Yes Description Template presented to the user. Set of values used by the template.

Mobile Text Authentication
Label Template Name Allow Two-Step Authentication Mandatory Yes No Description Template presented to the user. Not selected by default.

NTLM Authentication
Label Template Name Template Specification Mandatory Yes Yes Description Template presented to the user. Set of values used by the template.

Password Authentication
Label Label Template Name Mandatory Mandatory Yes Description Description Template presented to the user.

SafeWord Authentication
Label Template Name Template Specification Mandatory Yes Yes Description Template presented to the user. Set of values used by the template.

232

WatchGuard SSL 500 & SSL 1000

Manage system

SecurID Authentication
Label Template Name Template Specification Mandatory Yes Yes Description Template presented to the user. Set of values used by the template.

Synchronized Authentication
Label Template Name Template Specification Mandatory Yes Yes Description Template presented to the user. Set of values used by the template.

User Certificate Authentication
Label Certificate Authority Mandatory Yes Description CA used to validate the identity of the individual holding the user certificate.

Web Authentication
Label Template Name Mandatory Yes Description Template presented to the user.

Windows Integrated Logon Authentication
Label Template Name Mandatory Yes Description Template presented to the user.

IBM Tivoli Authentication
Label Template Name Mandatory No Description Template presented to the user.

IBM RACF Authentication
Label Template Name Mandatory No Description Template presented to the user.

Novell eDirectory Authentication
Label Template Name Mandatory No Description Template presented to the user.

User Guide

233

Manage system

Authentication method server
You need to register at least one Authentication method server for authentication methods using RADIUS. You specify host, port, and time-out interval in milliseconds. You also need to specify a shared secret, used when authenticating users with this authentication method.
Only the WatchGuard authentication methods and the additional methods Active Directory, Bank ID, Bank ID Signer, Custom-defined, Extended User Bind, Form Based, General RADIUS, NTLM, SafeWord, and Windows Integrated Login require a registered authentication method server.

Common Authentication Method Server Settings
Label Host Mandatory Yes Description IP address or the DNS name of the authentication method server.

Active Directory Authentication
Label Port Account Time-out Mandatory Yes Yes Yes Description Port for the authentication method server. Set to 636 by default. Distinguished Name or Principal Name of the administrator for the Active Directory server. Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default. Password used when binding to the Active Directory server. Root DN in Active Directory where the system searches for the user.

Password Root DN

Yes Yes

E-ID Authentication
Label Port Time-out Mandatory Yes Yes Description Port for the authentication method server. Set to 8899 by default. Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default. Parameter that is identical to the service identifier configured in the Nexus MultiID core server. Maximum time for a server connection to be established. Set to 1000 by default. Number of connection retries for servers which are not responding.

Service Identifier Service Connection Time-out Server Unavailable Interval

Yes No No

234

WatchGuard SSL 500 & SSL 1000

Manage system

E-ID Signer
Label Port Time-out Mandatory Yes Yes Description Port for the authentication method server. Set to 8899 by default. Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default. Parameter that is identical to the service identifier configured in the Nexus MultiID core server. Maximum time for a server connection to be established. Set to 1000 by default. Number of connection retries for servers which are not responding.

Service Identifier Service Connection Time-out Server Unavailable Interval

Yes No No

Basic Authentication
Label Port Time-out Mandatory Yes Yes Description Port for the authentication method server. Set to 8899 by default. Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default. Path to the logon page that is accessed by the authentication method server during the authentication process. Path must start with an /. Protocol to use in the communication. Server certificate used to validate the certificates presented by other servers.

Path

Yes

Use SSL Server Certificate

No No

Challenge Authentication
Label Enable authentication method Display Name Port Time-out Mandatory No Yes Yes Yes Description Selected by default. Lists Display Names of registered Authentication Services. Port for the authentication method server. Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default. Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Listen to all interfaces

No

User Guide

235

Manage system

Customer-defined Authentication
Label Port Listen to all interfaces Mandatory Yes No Description Port for the authentication method server. Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Extended User Bind Authentication
Label Port User Root DN Attribute Name Attribute Value Search Scope Mandatory Yes Yes Yes Yes Yes Description Port for the authentication method server. Set to 389 by default. Defines the directory service root, where to start to search for users. Name for user objects in the directory service, usually object class. Object class for user objects in the directory service. Search scope used when searching for objects in the directory service. Available options are: Sub-tree Object Level One Level Set to Sub-tree by default. User DN used when performing the search. User password used when performing the search.

User DN User Password

Yes Yes

Form-based Authentication
Label Port Time-out Mandatory Yes Yes Description Port for the authentication method server. Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default. Protocol used in the communication. Server certificate used to validate the certificates presented by other servers.

Use SSL Server Certificate

No No

236

WatchGuard SSL 500 & SSL 1000

Manage system

General RADIUS Authentication
Label Enable authentication method Display Name Port Time-out Mandatory No Yes Yes Yes Description Selected by default. Lists Display Names of registered Authentication Services. Port for the authentication method server. Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default. Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Listen to all interfaces

No

Mobile Text Authentication
Label Enable authentication method Display Name Port Time-out Mandatory No Yes Yes Yes Description Selected by default. Lists Display Names of registered Authentication Services. Port for the authentication method server. Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default. Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Listen to all interfaces

No

NTLM Authentication
Label Port Time-out Mandatory Yes Yes Description Port for the authentication method server. Time the client waits for an authentication method server reply before trying to connect to the next authentication server in the list. Set to 5000 by default. Path to the logon page that is accessed by the authentication method server during the authentication process. Domain the authentication method server belongs to. Protocol used in the communication. Server certificate used to validate the certificates presented by other servers.

Path

Yes

Domain Use SSL Server Certificate

Yes No No

User Guide

237

Manage system

Password Authentication
Label Enable authentication method Display Name Port Time-out Mandatory No Yes Yes Yes Description Selected by default. Lists Display Names of registered Authentication Services. Port for the authentication method server. Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default. Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Listen to all interfaces

No

SafeWord Authentication
Label Port Time-out Mandatory Yes Yes Description Port for the authentication method server. Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default. Secret shared between the RADIUS client and the RADIUS server. Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Shared Secret Listen to all interfaces

Yes No

Synchronized Authentication
Label Enable authentication method Display Name Port Time-out Mandatory No Yes Yes Yes Description Selected by default. Lists Display Names of registered Authentication Services. Port for the authentication method server. Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default. Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Listen to all interfaces

No

238

WatchGuard SSL 500 & SSL 1000

Manage system

Web Authentication
Label Enable authentication method Display Name Port Time-out Mandatory No Yes Yes Yes Description Selected by default. Lists Display Names of registered Authentication Services. Port for the authentication method server. Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default. Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.

Listen to all interfaces

No

IBM Tivoli Authentication
Label Port Account Time-out Mandatory Yes Yes Yes Description Port for the authentication method server. Set to 636 by default. Distinguished Name or Principal Name of the administrator for the directory server. Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default. Password used when binding to the directory server. Root DN in IBM Tivoli where the system will search for users. Password Policy DN specifies the location of the IBM Tivoli Password Policy object.

Password Users Root DN Password Policy DN

Yes Yes Yes

IBM RACF Authentication
Label Port Account Time-out Mandatory Yes Yes Yes Description Port for the authentication method server. Set to 636 by default. Distinguished Name or Principal Name of the administrator for the directory server. Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default. Password used when binding to the directory server. Root DN in IBM RACF where the system will search for users. When user logs in the IBM RACF will return an error message when password is expired, specify the error code here if other than the default.

Password Users Root DN Expiration message (reg-exp)

Yes Yes Yes

User Guide

239

Manage system

Novell eDirectory Authentication
Label Port Account Time-out Mandatory Yes Yes Yes Description Port for the authentication method server. Set to 636 by default. Distinguished Name or Principal Name of the administrator for the directory server. Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default. Password used when binding to the directory server. Root DN in Novell eDirectory where the system will search for users.

Password Users Root DN

Yes Yes

Windows Integrated Login Authentication
Label Port Time-out Mandatory Yes Yes Description Port for the authentication method server. Time in milliseconds the client waits for an authentication method server reply before trying to connect to the next authentication server in the list. Set to 5000 by default. Path to the logon page that is accessed by the authentication method server during the authentication process. Protocol used in the communication. Server certificate used to validate the certificates presented by other servers.

Path

Yes

Use SSL Server Certificate

No No

240

WatchGuard SSL 500 & SSL 1000

Manage system

RADIUS replies
All authentication methods using RADIUS have a number of pre-configured RADIUS replies associated. These replies can be edited, and it is also possible to add new ones. Each RADIUS reply consists of a name and a so called matching string, which is the actual reply presented to users. When the name and string match, the authentication method responds using the appropriate template specification, set in Template Name on the General Settings page. Example: Name: WebCurrentPwd Matching String: Enter current password. Challenge %. Configuration %
Only WatchGuard Mobile ID authentication methods and General RADIUS, SafeWord, and SecurID support RADIUS replies.

Common RADIUS Replies Settings
Label Name RADIUS Reply Matching String Mandatory Yes Yes Description Name of the RADIUS reply. Textual string used by the authentication method to match the RADIUS server challenge text.

General RADIUS Authentication
Label Template Specification Mandatory Yes Description Set of values used by the template.

SafeWord Authentication
Label Template Specification Mandatory Yes Description Set of values used by the template.

SecurID Authentication
Label Template Specification Mandatory Yes Description Set of values used by the template.

User Guide

241

Manage system

Extended properties
Authentication methods may also have a number of extended properties, allowing you to further customize how authentication should be handled. Some extended properties are used uniquely for specific authentication methods; others are global Policy Service settings that does not affect the authentication method behavior. To facilitate administration however, they are managed on each applicable authentication method. The global Policy Service settings used as extended properties are: User attribute When specified, only users associated with the specified user ID attribute are allowed authentication. Applicable when the authentication method uses a different attribute name than the default attribute name for authentication. Example:
mail (As opposed to default attribute names cn or samAccountName.)

User name may not change during session This extended property is added to the authentication method by default. When set to true, only the user ID associated with a user account is allowed authentication. Before authentication, the Policy Service searches the directory service for the user ID using specified search rules. If the user ID has a WatchGuard Administrator account (or a WatchGuard Administrator account can be created), and the user ID exactly matches the WatchGuard Administrator account the user is allowed for authentication. If the user ID cannot be found, or if the user ID used for authentication does not match the WatchGuard Administrator account, the user is not allowed for authentication. Applicable when you want to restrict the use of different user IDs, to eliminate the possibility for several different users to authenticate during one session. Set to true by default. Allow user not listed in any User Storage When set to true, users can be authenticated without a WatchGuard Administrator user account. All access rules of the type user group membership are ignored. When using this extended property with the authentication method E-ID: When set to true, and the BankID certificate attribute and BankID user attribute are not specified, the user ID is set to Subject DN from the certificate. When set to true, and the BankID certificate attribute is specified as for example cn, the user ID is set to the certificate’s cn. Set to false by default.

242

WatchGuard SSL 500 & SSL 1000

Manage system

WatchGuard account required prior authentication When set to true, only user IDs associated with a user account are allowed for authentication. Before authentication, the Policy Service searches the directory service for the user ID using specified search rules. If the user ID has a WatchGuard Administrator account (or a WatchGuard Administrator account can be created), the user is allowed for authentication. If the user ID cannot be found in the directory service, the user is not allowed for authentication.
It is not recommended to add this extended property to authentication methods where user ID only is used initially for authentication. This can be considered a security threat, since it will entail a possibility to identify which user IDs are known versus unknown.

Set to true by default. Save credentials for SSO domain When specified, the Policy Service performs an SSO credential update after successful authentication using the credentials provided by the user. Lock User ID to Session When set to true, the user ID is locked for this session to ensure that the user ID is not used for several requests simultaneously. This will result in a two-step challenge, performed for user ID and password respectively. All extended properties for each authentication method are listed below.

Extended Properties
Extended Property User attribute User attribute User name may not change during session Allow user not listed in any User Storage WatchGuard Administrator account required before authentication Save credentials for SSO Domain Used In All User Certificate All Comment This is a global Policy Service setting. User storage attribute that is mapped to the certificate attribute. This is a global Policy Service setting, added to the authentication method by default. Set to true by default. This is a global Policy Service setting. Set to false by default This is a global Policy Service setting. Set to false by default This is a global Policy Service setting.

All All

Active Directory Basic Customdefined Form-based LDAP NTLM Password General RADIUS SafeWord SecurID

Lock User ID to Session

This is a global Policy Service setting. Set to true by default

User Guide

243

Manage system

Extended Property Warning before password expires

Used In Active Directory General RADIUS Active Directory General RADIUS E-ID

Comment This extended property is added to the Active Directory authentication method by default. Set to 7 by default. This extended property is added to the authentication method by default. Set to US (American English) by default. Mandatory. LDAP user attribute used to map user to user in directory service. Mandatory when BankID certificate attribute mapping is specified for mapping. The IBM CBT client. This extended property is added to the E-ID authentication methods by default. Set to false by default. The Nexus Personal client. This extended property is added to the E-ID authentication methods by default. Set to false by default. The Netmaker NetID client. This extended property is added to the E-ID authentication methods by default. Set to false by default. CA Certificate Display Name of the issuer of the user certificates used for the Nexus Personal client. If not specified, a list of all certificates available for the user is presented at logon. CA Certificate Display Name of the issuer of the user certificates used for the Netmaker NetID client. If not specified, a list of all certificates available for the user is presented at logon. LDAP certificate attribute used to map user to correct certificate. Mandatory when BankID user attribute is specified for mapping. When set to true, the signature is attached to the sign result sent to the resource. Mandatory. Additional extended properties. (UBA) Actual value of the user attribute to be bound to. Integer (0-4) that contains the user attributes used in the pattern below. One or several UBAX, concatenated by the sign +’ and any character within quotation marks.

Locale

BankID user attribute

Enable IBM CBT

E-ID E-ID Signer

Enable Nexus Personal

E-ID E-ID Signer

Enable Netmaker NetID

E-ID E-ID Signer

Nexus Personal CA Name

E-ID E-ID Signer

Netmaker NetID CA Name

E-ID E-ID Signer

BankID certificate attribute mapping

E-ID

Return signature

E-ID Signer

Keys for additional extended properties User bind attribute UBAX UBA pattern

Customdefined Extended User Bind Extended User Bind Extended User Bind

244

WatchGuard SSL 500 & SSL 1000

Manage system

Extended Property Certificate bind attribute CBAX CBA pattern Method Form action Form data

Used In Extended User Bind Extended User Bind Extended User Bind Form-based Form-based Form-based

Comment (CBA) Actual certificate attribute to be bound to. Integer (0-4) that contains the user attributes used in the pattern below. One or several CBAX, concatenated by the sign +’ and any character within quotation marks. Set to POST by default. Mandatory. Path that defines the URL to GET or POST data to. Mandatory. Definition of data sent to the server. The variables [$username], [$password] and [$domain] can be used for dynamic replacement with internal user name, password and NTLM domain. Mandatory. Path that defines the URL to where the response from the form action is sent to verify if the log on has succeeded or not. Must be an absolute URL. If no path is entered, the response of the POST or GET is evaluated. Text string included in the response and is used to decide if the authentication is successful or unsuccessful. Mandatory. When set to Success, the authentication is treated as successful if the text specified in Form Response is included in the response. When set to another value, the authentication is treated as not successful if the text specified in Form Response is included in the response. Defines additional headers that is added to the internal request and sent to the resource. Several additional headers can be added, containing a name and a value. Certificate attribute to map to the user attribute in user storage. Note that you need to enter both a certificate attribute and a user attribute for a successful mapping. If this extended property is enabled then an OCSP request will be performed to verify the revocation status of the client certificate. The OCSP Provider URL will be retrieved from the Authority Information Access extension (AIA) in the client certificate. Set to false by default.

Verification URL

Form-based

Form response

Form-based

Form response interpretation

Form-based

Additional headers

Form-based

Certificate attribute mapping

User Certificate

OCSP AIA

User Certificate

User Guide

245

Manage system

Extended Property OCSP Responder URL

Used In User Certificate

Comment Specifies the OCSP Responder URL. Set this extended property when client certificates don’t have the AIA extension. If this extended property is specified then an OCSP request will be performed to verify the revocation status of the client certificate. This setting overrides the OCSP AIA extended property. For example: http://ocsp.example.net:80 This extended property specifies the OCSP Certificate to use when performing OCSP requests. The OCSP server may require another certificate than the CA certificate associated with this method then set value to the CA Certificate’s display name. If this extended property is enabled the system will log to a dedicated certificate log file. The name of the method is used as filename and the log format is (all log-elements are separated by space): Date (yyyy-mm-dd) Time (hh:mm:ss) Level (INFO|WARNING) Certificate method name Issuer-DN Subject-DN Not before date (yyyy-mm-dd) Not after date (yyyy-mm-dd) Set to false by default This extended property specifies in which folder to place the certificate log file. Set to logs by default. This extended property specifies max number of rotated certificate log files. Set to 3 by default. This extended property specifies max size of each certificate log file. Set to 1000 by default. If this extended property is disabled then the system will log also when certificate authentication fails. Set to true by default. Enabled this extended property when using ActiveSync. When enabled, the system will lock the device ID to the user. The device ID is registered automatically when performing the first synch. To register a new phone or PDA, simply remove the user’s custom defined attribute DeviceID and re-synch. Set to false by default.

OCSP Certificate Name

User Certificate

Enable certificate logging

User Certificate

Certificate log folder

User Certificate User Certificate User Certificate User Certificate

Certificate log rotation max files Certificate log rotation max size (kB) Certificate logging on successful authentication only

ActiveSync DeviceID Locking

Active Directory Password LDAP General RADIUS Form-based Challenge

246

WatchGuard SSL 500 & SSL 1000

Manage system

Extended Property Force create user

Used In All

Comment If this extended property is enabled then the WatchGuard Administrator account will be created on successful login. When disabled, the WatchGuard Administrator account is only created and linked if the user is found in any User Storage. Set to false by default. If this extended property is enabled then the WatchGuard Administrator account will be created on failed logon. It is recommended to enable this when the back-end authentication service is unable to lock user after a number of invalid authentication attempts. Set to false by default. If this extended property is enabled then the reject reason will be displayed to the client. Set to false by default.

Create user on failed logon

All

Reveal RADIUS reject reason

Password Web Synchronized Mobile Text Challenge Password Web Synchronized Mobile Text Challenge IBM RACF

RADIUS character encoding

This extended property specifies the character encoding that will be used when formatting all RADIUS attribute values. Set to UTF-8 by default. If this extended property is enabled then the password-change is performed using the administrator’s credentials from the mechanism server. Set to false by default.

Use Admin for password change

User Guide

247

Manage system

Authentication services
About Authentication Service
The Authentication Service handles authentication of users accessing resources. The Authentication Service supports the WatchGuard RADIUS authentication methods: Mobile Text, Web, Challenge, Password, and Synchronized. You configure the Authentication Service to handle access requests through available authentication methods using the RADIUS protocol. Depending on which authentication methods you use, the Authentication Service is set up to respond to the access requests accordingly: by accepting, rejecting, or challenging the request. The Authentication Service may also proxy authentication requests to an authentication server using thirdparty authentication methods, for example RSA SecurID, or Secure Computing SafeWord. In this scenario, you configure a RADIUS back-end server as an authentication server. You can use one or several Authentication Services and RADIUS back-end servers simultaneously. For more information, see Manage Authentication Services.

WatchGuard Network

248

WatchGuard SSL 500 & SSL 1000

Manage system

Manage Authentication Services
Registered Authentication Services are listed on the Manage Authentication Services page. You can add, edit, and delete Authentication Services. A number of settings can be specified globally, to apply to all Authentication Services. The global settings include RADIUS authentication and password/PIN settings. For more information see, Authentication Server settings, Define RADIUS Authentication, Define password/ PIN, Email messages, SMS/Screen messages.

Authentication Service settings
Internal Communication Authentication Service settings include internal host, which defines the IP address or DNS name of the Authentication Service, and internal port, both used for communication in the WatchGuard Network. For internal host, avoid using the IP address 0.0.0.0 to listen to all local IP addresses. Instead, use the Listen on all interfaces option that specifies what interfaces the service listens to. When selected, the service listens to all specified IP addresses. When not selected, the services only listens to the IP address specified as internal host. Key Files You can define that key files should be distributed automatically. Using this option, key files are automatically distributed from the Administration Service to the Authentication Service after the Authentication Service has been installed. Not selecting this option will keep the system more secure, but the administrator will be required to copy key files manually. Server Certificate The Server Certificate defines the certificate used when the authentication service performs TLS handshaking (for example authenticating with the PEAP-MSCHAPv2 protocol). If PEAP-MSCHAPv2 authentication protocol is used, you need to assign a server certificate. If not, PEAP-MSCHAPv2 authentication will fail. All available server certificates are available for selection. Server certificates are managed in the Manage Certificates section of WatchGuard Administrator. Additional Listeners You can register additional listeners for the Authentication Service, i.e. additional IP addresses or DNS names that the Authentication Service listens to. The listeners you add are added to the list of hosts available in the RADIUS accounting section. RADIUS Accounting When RADIUS accounting is enabled, the system responds to RADIUS accounting packets sent from RADIUS clients. The system logs the incoming RADIUS packet and replies with an accounting response packet. Accounting packets can also contain information about when a user logs in and out of a system. You select host (internal host or registered additional listener) and specify port for the system that sends the accounting response message. You can also select if the system should be listening on all interfaces or not regarding RADIUS accounting traffic.

User Guide

249

Manage system

General Settings
Label Service ID Display Name Internal Host Internal Communication Port Listen on all interfaces Distribute key files automatically Mandatory No Yes Yes No Description Identification number automatically assigned to the Authentication Service when it is created. Unique name used in the system to identify the Authentication Service. IP address or DNS name of the Authentication Service, used for communication in the WatchGuard Network. Port used for internal communication in the WatchGuard Network. Set to 8302 by default. Specifies what interfaces the service listens to. Not selected by default. Defines whether or not key files should be automatically distributed from the Administration Service to the Authentication Service after the Authentication Service has been installed. Selected by default.

No No

Server Certificate Settings
Label Server Certificate Mandatory No Description Lists all registered server certificates.

RADIUS Accounting Settings
Label Enable RADIUS accounting Host Mandatory No (Yes) Description Not selected by default. IP address or DNS name of the system that sends the accounting response message. Mandatory when Enable RADIUS accounting is selected. Port for the system that sends the accounting response message. Mandatory when Enable RADIUS accounting is selected. Not selected by default.

Port

(Yes)

Listen on all interfaces

No

Additional Listener Settings
Label Listener Mandatory Yes Description IP address or DNS name of the additional listener.

250

WatchGuard SSL 500 & SSL 1000

Manage system

Define RADIUS Authentication
A number of settings are available for RADIUS authentication. Drop unknown sessions When selected, an access request by an unknown RADIUS session is dropped. If not, the server sends the reply Access Denied. Drop unknown users When selected, an access request by an unknown user is dropped and the Authentication Service ignores the request without reply. When not selected, the Authentication Service accepts the request, but the authentication will fail resulting in an access reject message. This setting can be useful for chained authentication. Proxy unknown users When selected, unknown users are authenticated using another RADIUS server. The Authentication Service tries to proxy the request to the configured RADIUS back-end server. If the request is not serviced, the Authentication Service will handle the request according to Drop Unknown Users. This setting takes precedence over Drop Unknown users if both are selected. Reveal reject reason When selected, the reason why a request has been rejected is revealed to the RADIUS client. Session Time-out You define a number of seconds that the state attribute is valid. The RADIUS session times out after this time limit. Set to 180 seconds by default. The server will discard a RADIUS session after this time span (if not used, then the time is reset) RADIUS Encoding When the system receives a RADIUS package, it normally transforms the data to strings according to the UTF-8 standard. Some RADIUS clients do not support the UTF-8 standard. If this is the case another standard needs to be specified. Set to UTF-8 by default.

RADIUS Authentication Settings
Label Drop unknown sessions Drop unknown users Proxy unknown users Reveal reject reason Session time-out RADIUS encoding Mandatory No No No No Yes No Description Not selected by default. Not selected by default. Not selected by default. Not selected by default. Number of seconds (1-999) the state attribute is valid. Set to 180 by default. Set to UTF-8 by default.

User Guide

251

Manage system

Define password/PIN
On this tab, you define global password and PIN restrictions for WatchGuard authentication methods. WatchGuard SSL Mobile Text Available global password settings for WatchGuard SSL Mobile Text are listed below. Default values are displayed in parenthesis. Available global password settings: Minimum (6) and maximum (16) number of characters Minimum number of letters (2) and numbers (2) Password validity period in days (90) When set to 0, the password does not expire. Password history size in number of saved passwords not eligible for reuse (5) The user cannot reuse any of the passwords saved in the password history when changing password. OTP length in number of characters (6) Alphabet base for OTP. Tip: exclude characters and numbers that can easily be confused, such as 0/o/O, and 1/i/I/l/L. (23456789abcdefghjkmnpqrstuvxyzABCDEFGHJKMNPQRSTUVXYZ) Notification message (Your OTP is {0}. Enter it to login with Mobile Text) Allow two-step authentication. When selected, authentication is split in two sessions: one to make the server send the OTP to the mobile phone, and one to login with the OTP (off). WatchGuard SSL Web Available global password settings for WatchGuard SSL Web are listed below. Default values are displayed in parenthesis. Available global password settings: Minimum (6) and maximum (16) number of characters Minimum number of letters (2) and numbers (2) Password validity period in days (90) When set to 0, the password does not expire. Password history size in number of saved passwords not eligible for reuse (5) The user cannot reuse any of the passwords saved in the password history when changing password. Keyboard appearance: fixed, shift, or random (random) Allow use of desktop keyboard for numbers (off) WatchGuard SSL Challenge Available global PIN settings for WatchGuard SSL Challenge are listed below. Default values are displayed in parenthesis. Available global PIN settings: PIN validity period in days (90) When set to 0, the PIN does not expire. PIN history size in number of PINs (5) The user cannot reuse any of the PINs saved in the PIN history when changing PIN. Support value signing (off)

252

WatchGuard SSL 500 & SSL 1000

Manage system

WatchGuard SSL Password Available global password settings for WatchGuard SSL Password are listed below. Default values are displayed in parenthesis. Available global password settings: Minimum (6) and maximum (16) number of characters Minimum number of letters (2) and numbers (2) Password validity period in days (90) When set to 0, the password does not expire. Password history size in number of saved passwords not eligible for reuse (5) The user cannot reuse any of the passwords saved in the password history when changing password. WatchGuard SSL Synchronized Available global PIN settings for WatchGuard SSL Synchronized are listed below. Default values are displayed in parenthesis. Available global PIN settings: PIN validity period in days (90) When set to 0, the PIN does not expire. PIN history size in number of PINs (5) The user cannot reuse any of the PINs saved in the PIN history when changing PIN. Number of logon attempts allowed before user is prompted for new OTP (3) Number of logon attempts allowed before user is denied access (10)

User Guide

253

Manage system

WatchGuard SSL Web Authentication Settings
Label Minimum Mandatory Yes Description Minimum number of characters (1-64) for the WatchGuard SSL Web password. Set to 6 by default. Maximum number of characters (1-64) for the WatchGuard SSL Web password. Set to 16 by default. Minimum amount of numbers (0-64) the WatchGuard SSL Web password must contain. Set to 2 by default. Minimum amount of letters (0-64) the Web client password must contain. Set to 2 by default. Number of days (0-999) the WatchGuard SSL Web password lasts before it must be changed. Set to 90 by default. Number of saved passwords (0-19) used by a specific user account for the authentication method Web. Set to 5 by default. Password generator keyboard appearance. Available options are: Fixed Shift Random Set to Random by default. Not selected by default.

Maximum

Yes

Minimum

No

Minimum

No

Password expires in

No

Password history size

No

Keyboard Appearance

No

Allow use of desktop keyboard for numbers

No

WatchGuard SSL Challenge Authentication Settings
Label PIN expires in Mandatory No Description Number of days (0-999) before Challenge PIN must be changed. Set to 90 by default. Number of saved PINs (0-19) used by a specific user account for the authentication method Challenge. Set to 5 by default. Not selected by default.

PIN history size

No

Support value signing

No

254

WatchGuard SSL 500 & SSL 1000

Manage system

WatchGuard SSL Synchronized Authentication Settings
Label PIN expires in Mandatory No Description Number of days (0-999) before Challenge PIN must be changed. Set to 90 by default. Number of saved PINs (0-19) used by a specific user account for the authentication method Challenge. Set to 5 by default. Number of tries allowed (0-99) before the user is prompted to generate next one-time-password, OTP. Set to 3 by default. Number of tries allowed (0-99) before the user is denied access to requested resource. Set to 10 by default.

PIN history size

No

Offset before prompt

No

Offset before access denied

No

WatchGuard SSL Mobile Text Authentication Settings
Label Minimum Mandatory Yes Description Minimum number of characters (1-64) for the WatchGuard SSL Web password. Set to 6 by default. Maximum number of characters (1-64) for the WatchGuard SSL Web password. Set to 16 by default. Minimum amount of numbers (0-64) the WatchGuard SSL Web password must contain. Set to 2 by default. Minimum amount of letters (0-64) the Web client password must contain. Set to 2 by default. Number of days (0-999) the WatchGuard SSL Web password lasts before it must be changed. Set to 90 by default. Number of saved passwords (0-19) used by a specific user account for the authentication method Web. Set to 5 by default. Number of characters (4-32) of the generated OTP. Set to 6 by default. Alphabet generating OTP. Body of the OTP message. Not selected by default.

Maximum

Yes

Minimum

No

Minimum

No

Password expires in

No

Password history size

No

OTP Length Generate OTP from Notification Message Allow two-step authentication

Yes No No No

User Guide

255

Manage system

WatchGuard SSL Password Authentication Settings
Label Minimum Mandatory Yes Description Minimum number of characters (1-64) for the WatchGuard SSL Web password. Set to 6 by default. Maximum number of characters (1-64) for the WatchGuard SSL Web password. Set to 16 by default. Minimum amount of numbers (0-64) the WatchGuard SSL Web password must contain. Set to 2 by default. Minimum amount of letters (0-64) the Web client password must contain. Set to 2 by default. Number of days (0-999) the WatchGuard SSL Web password lasts before it must be changed. Set to 90 by default. Number of saved passwords (0-19) used by a specific user account for the authentication method Web. Set to 5 by default.

Maximum

Yes

Minimum

No

Minimum

No

Password expires in

No

Password history size

No

256

WatchGuard SSL 500 & SSL 1000

Manage system

Email messages
On this tab, you define the email messages sent to users to notify them of new or changed passwords, PINs, or seeds.
There is no limitation as to allowed number of characters for email messages.

General settings include email recipients, as well as message subject line, header, and footer. In addition, you can specify different password/PIN/seed messages per authentication method. Email Addresses In addition to sending email notifications to the users whose accounts have changed due to new or changed passwords, PINS, or seeds, you have the option to specify additional recipients. Enter email addresses for one or several (use semicolon to separate several addresses) recipients who will receive email notifications of such events. Email Messages Specify the message subject line, header and footer. Default values are listed below: Subject line Your Authentication Service account has changed Header {0} your account {1} has changed (The variable {0} is replaced with the user’s name, {1} with the user ID.) Footer Changed by {2}, WatchGuard Administrator (The variable {2} is replaced with the name of the administrator.) New Password Entered/New PIN Entered You can specify, per WatchGuard authentication method, the message used to notify users (and any additional recipients) of new passwords or PINs to use when authenticating. The message is available for all WatchGuard authentication methods. The default text is, according to respective authentication method:
Your new PIN/password for Mobile Text/Web/Challenge/Synchronized/Password Authentication is {0}.

The {0} variable will be replaced with generated password or PIN. Use Directory Password For WatchGuard SSL Mobile Text and WatchGuard SSL Password, you can specify the message used to notify users (and any additional recipients) to use the password specified in the directory service when authenticating. The default text is:
Your password has changed.

If the directory service passwords are used instead of the password generated by WatchGuard Administrator, it is strongly recommended that you change the default text provided here to texts that describe which password should be used.

User Guide

257

Manage system

Use Mapped Password/Use Mapped PIN You can specify, per authentication method, the message used to notify users (and any additional recipients) to use their mapped password or PIN when authenticating. The message is available for all WatchGuard authentication methods. The default text is:
Your password has changed.

If the directory service passwords, or mapped passwords, are used, it is strongly recommended that you change the default texts to texts that describe which password should be used. Seed For WatchGuard SSL Synchronized and WatchGuard SSL Challenge, you can specify the message used to notify users (and any additional recipients) of new seeds to use in the Mobile ID clients Synchronized and Challenge. The default text is, according to respective authentication method:
Your new seed for Challenge/Synchronized Authentication is {0}.

The {0} variable will be replaced with generated seed. It is possible to distribute the mode Challenge or Synchronized together with the seed, resulting in a pre-configured Mobile ID Challenge or Synchronized client with injected seed. To achieve this, use the variables mode=c for Challenge and mode=s for Synchronized. In the example below, the seed notification includes instructions for Mobile ID client download, a seed, and a variable which is used to pre-configure the client with WatchGuard SSL Challenge. Example: Download your Mobile ID client from http://<distribution service host>:<distribution service port>/?seed={0}&mode=c This renders a Mobile ID client with a pre-configured seed when using a supported mobile phone. Other devices receive the seed displayed on screen.

Additional Email Address
Label email Addresses to Notify Mandatory Yes Description Additional email addresses (separated by an ; character) the notification message is sent to.

Email Messages Settings
Label Subject Mandatory No Description Message subject line. Set to Your Authentication Service Account has changed by default. Message header. Set to {0} your account ({1}) has changed by default. Message footer. Set to Changed by {2}, Authentication Service Administrator by default.

Header Footer

No No

258

WatchGuard SSL 500 & SSL 1000

Manage system

WatchGuard SSL Mobile Text Authentication Settings
Label New Password Entered Mandatory No Description Message for new Mobile Text passwords. Set to Your new password for Mobile Text Authentication is {0} by default. Message sent when the user uses the directory password for logon with Mobile Text. Set to Your password for Mobile Text Authentication has changed by default. Message sent when the mapped password is used for logon with Mobile Text. Set to Your password for Mobile Text Authentication has changed by default.

Use Directory Password

No

Use Mapped Password

No

WatchGuard SSL Web Authentication Settings
Label New Password Entered Use Mapped Password Mandatory No Description Message for new Web passwords. Set to Your new password for Web Authentication is {0} by default. Message sent when the mapped password is used for logon with Web authentication. Set to Your password for Web Authentication has changed by default.

No

WatchGuard SSL Challenge Authentication Settings
Label New PIN Entered Mandatory No Description Message for new Challenge PINs. Set to Your new PIN for Challenge Authentication is {0} by default. Message sent when the mapped password is used for logon with Challenge. Set to Your PIN for Challenge Authentication has changed by default. Message for new Challenge seeds. Set to Your new seed for Challenge Authentication is {0} by default.

Use Mapped PIN

No

Seed

No

User Guide

259

Manage system

WatchGuard SSL Synchronized Authentication Settings
Label New PIN Entered Mandatory No Description Message for new Synchronized PINs. Set to Your new PIN for Synchronized Authentication is {0} by default. Message sent when the mapped password is used for logon with Synchronized. Set to Your PIN for Synchronized Authentication has changed by default. Message for new Synchronized seeds. Set to Your new seed for Synchronized Authentication is {0} by default.

Use Mapped PIN

No

Seed

No

Password Authentication Settings
Label New Password Entered Use Directory Password Mandatory No Description Message for new Passwords. Set to Your new password for Password Authentication is {0} by default. Message sent when the user uses the directory password for logon with Password authentication. Set to Your password for Password Authentication has changed by default. Message sent when the mapped password is used for logon with Password authentication. Set to Your password for Password Authentication has changed by default.

No

Use Mapped Password

No

260

WatchGuard SSL 500 & SSL 1000

Manage system

SMS/Screen messages
On this tab, you define the SMS/Screen messages sent and displayed respectively to users to notify them of new or changed passwords, PINS, or seeds. General settings include header and footer of the SMS/Screen message. In addition, you can specify different password/PIN/seed messages per authentication method. New Password Entered/New PIN Entered You can specify, per WatchGuard authentication method, the message used to notify users (and any additional recipients) of new passwords or PINs to use when authenticating. The message is available for all WatchGuard authentication methods. The default text is, according to respective authentication method:
Mobile Text/Web/Challenge/Synchronized/Password PIN/password: {0}.

The {0} variable will be replaced with generated password or PIN. Use Directory Password For WatchGuard SSL Mobile Text and WatchGuard SSL Password, you can specify the message used to notify users (and any additional recipients) to use the password specified in the directory service when authenticating. The default text is:
Your password for Mobile Text/Web/Challenge/Synchronized/Password has changed

If the users will use their directory service passwords instead of the password generated by WatchGuard Administrator, it is strongly recommended that you change the default text provided here to texts that describe which password should be used. Use Mapped Password/Use Mapped PIN You can specify, per authentication method, the message used to notify users (and any additional recipients) to use their mapped password or PIN when authenticating. The message is available for all WatchGuard authentication methods. The default text is:
Your password for Mobile Text/Web/Challenge/Synchronized/Password has changed

If the users should use their directory service passwords, or mapped passwords, it is strongly recommended that you change the default texts to texts that describe which password should be used.

User Guide

261

Manage system

Seed For WatchGuard SSL Synchronized and WatchGuard SSL Challenge, you can specify the message used to notify users (and any additional recipients) of new seeds to use in the Mobile ID clients Synchronized and Challenge. The default text is, according to respective authentication method:
Your new seed for Challenge/Synchronized Authentication is {0}.

The {0} variable will be replaced with generated seed. It is possible to distribute the mode Challenge or Synchronized together with the seed, resulting in a pre-configured Mobile ID Challenge or Synchronized client with injected seed. To achieve this, use the variables mode=c for Challenge and mode=s for Synchronized. In the example below, the seed notification includes instructions for Mobile ID client download, a seed, and a variable which is used to pre-configure the client with WatchGuard SSL Challenge. Example: Download your Mobile ID client from http://<distribution service host>:<distribution service port>/?seed={0}&mode=c This renders a Mobile ID client with a pre-configured seed when using a supported mobile phone. Other devices receive the seed displayed on screen.

SMS/Screen Messages Settings
Label Header Footer Mandatory No No Description Start of the message. Set to Account Changed by default. End of the message.

WatchGuard SSL Mobile Text Authentication Settings
Label New Password Entered Use Directory Password Mandatory No No Description Message for new Mobile Text passwords. Set to Mobile Text password: {0} by default. Message sent when the user uses the directory password for logon with Mobile Text. Set to Your password for Mobile Text Authentication has changed by default. Message sent when the mapped password is used for logon with Mobile Text. Set to Your password for Mobile Text Authentication has changed by default.

Use Mapped Password

No

WatchGuard SSL Web Authentication Settings
Label New Password Entered Use Mapped Password Mandatory No No Description Message for new Web passwords. Set to Web password: {0} by default. Message sent when the mapped password is used for logon with Web authentication. Set to Your password for Web Authentication has changed by default.

262

WatchGuard SSL 500 & SSL 1000

Manage system

WatchGuard SSL Challenge Authentication Settings
Label New PIN Entered Use Mapped PIN Mandatory No No Description Message for new Challenge PINs. Set to Challenge PIN: {0} by default. Message sent when the mapped password is used for logon with Challenge. Set to Your PIN for Challenge Authentication has changed by default. Message for new Challenge seeds. Set to Challenge seed: {0} by default.

Seed

No

WatchGuard SSL Synchronized Authentication Settings
Label New PIN Entered Use Mapped PIN Mandatory No No Description Message for new Synchronized PINs. Set to Synchronized PIN: {0} by default. Message sent when the mapped password is used for logon with Synchronized. Set to Your PIN for Synchronized Authentication has changed by default. Message for new Synchronized seeds. Set to Synchronized seed: {0} by default.

Seed

No

WatchGuard SSL Password Authentication Settings
Label New Password Entered Use Directory Password Mandatory No Description Message for new passwords for Password authentication. Set to Password Authentication password: {0} by default. Message sent when the user uses the directory password for logon with Password authentication. Set to Your password for Password Authentication has changed by default. Message sent when the mapped password is used for logon with Password authentication. Set to Your password for Password Authentication has changed by default.

No

Use Mapped Password

No

User Guide

263

Manage system

Certificates
About certificates
A Certificate Authority (CA) issues client certificates used in authentication. In order to authenticate a user, a CA certificate is needed. Some client certificates issued by a CA may be stolen, or in some other way be subject to unintended usage. To cancel an already issued client certificate the client certificate validation routine checks against a list of cancelled client certificates. This list is called Certificate Revocation List (CRL). The CRL is distributed through a CRL Distribution Point (CDP). Supported CDP Protocols are HTTP and LDAP. Rooted at the root CA, every subordinate CA depends on a chain of trust between the issuers up to the root point. If a CA is compromised, the whole CA and its subordinate CAs are invalid. To check weather a CA is valid or not, the CA issuers produces an Authority Revocation Lists (ARL) stating which subordinate CAs that are not to be trusted. If you want to use PKI you have to configure each CA you wish to use. You can then use the configured CA when you add authentication methods of the type User Certificate. Each CA requires a new authentication method, a feature which makes it possible to have several CAs configured and enabled and then be able to configure which CAs that are valid for a specific resource. This is a powerful feature since the trustworthiness of a CA can vary. There are two prerequisites for managing Certificate Authorities: A X.509 v3 certificate must be stored in some persistent form on the application host. A CA Root in your user storage in order to create CA objects.

Registered Server Certificates
Manage server certificates when establishing communication with users. It is possible to specify a server certificate for each additional listener for the Access Point which enables you to have specific certificates for each IP address or port.

Registered Client Certificate
When SSL is selected, the client certificate is used when communicating with the resources. Only one client certificate can be specified. For more information, see Manage certificates.

Manage certificates
In WatchGuard Administrator, you manage three types of certificates: Certificate authorities Server certificates Client certificates

264

WatchGuard SSL 500 & SSL 1000

Manage system

Certificate Authority settings
You register certificate authorities (CA) to be used for validation of certificates. You specify a display name for the CA and connect a CA certificate to it. You then select to use a control revocation list (CRL) or to perform no revocation checks at all. When use of CRL is selected, an additional step of the Add Certificate Authority wizard is displayed. With CRLs, you need to specify at least one control distribution point (CDP) which verifies the certificates issued by the CA. CRL settings include: Address This can either be an LDAP address (RFC2255): Example: ldap://192.168.96.52/CN=win2k%20root%20CA,CN=test-win2kad,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=win2kad,DC=thesecurecompany,DC=com?certificateRevocationList?base?objectclass=cRLDistributio nPoint Or an HTTP address: Example: http://www.posten.se:80/ldap/crl.cer Fetch time adjustment Adjusted time in seconds, allowed interval is 86,400-86,400, when revocation information is retrieved, compared to the set time for revocation information fetching. Useful when there is latency when the CA issues a new CRL, this can occur if there are replicated directories involved. This option is set to 0 by default. Update time When this option is selected, a custom update time is enabled and the defined update time stored in the system is used. When not selected, the attribute Next Update Time from the CRL is used. This setting is not selected by default. Retry interval Interval in seconds, allowed interval is 0 – 31536000, for CRL retrieving if it cannot be obtained. This option is set to 300 by default. You also specify an Invalid Action for the CA to determine how users authenticated with a user certificate should be handled if the required and requested CRLs cannot be obtained. Available Invalid Action options are: Denied Authentication is denied for all users authenticated by user certificate. Allowed Certificate revocation control is performed using the previous retrieved CRL. The system will log that an invalid CRL is used. When a required and requested CRL cannot be obtained, this defines how to handle users, authenticated by user certificate.

User Guide

265

Manage system

Server certificate settings
You register PEM formatted server certificates to be used when establishing communication with end users.
PEM is the default format for OpenSSL. It stores data in Base64 encoded DER format, surrounded by ASCII headers, suitable for text mode transfers between systems. DER on the other hand can contain all of private keys, public keys and certificates. It stores data according to the ASN1 DER format. It is headerless, whereas PEM is a text header wrapped DER. This is the default format for most browsers.

You can specify server certificates for specific IP addresses and ports, which is useful when managing additional listeners. You specify a display name for the server certificate and connect a certificate to it. Use the View Certificate Details link for certificate details. You need to save a private key for the certificate. The key needs to be a PKCS#8 key in either DER or PEM format. You can also specify a password to be used if the information is encrypted. A CA is required to complete the entire certificate chain. A specific CA certificate for the server certificate can be selected if the browser does not have the root or intermediate CA used to verify the server certificate.

Client certificate settings
You register PEM formatted client certificates to be used in resource communication using SSL.
You can only specify one client certificate per WatchGuard Administrator installation.

You specify a display name for the client certificate and connect a certificate to it. Use the View Certificate Details link for certificate details. You need to save a private key for the certificate. The key need to be a PKCS#8 key in either DER or PEM format. You can also specify a password to be used if the information is encrypted.

Settings
Certificate Authority Settings
Label Enable Certificate Authority Mandatory No Description Not selected by default

Certificate Revocation Control
Label CRL Invalid Action Mandatory No Description Set to Denied by default.

266

WatchGuard SSL 500 & SSL 1000

Manage system

Control Distribution Point Settings
Label Address Fetch Time Adjustment Mandatory Yes No Description Address to the CDP, entered in URL format. Adjusted time in seconds (86,400-86,400), when revocation information is retrieved, compared to the set time for revocation information fetching. Set to 0 by default. Not selected by default. Interval in seconds (0 - 31536000) for the CRL retrieving. Mandatory when Update Time is selected. Set to 3600 by default. Interval in seconds (0 - 31536000) for the CRL retrieving if it cannot be obtained. Set to 300 by default.

Update Time Define interval for CRL retrieving

No (Yes)

Retry Interval

No

You should use OCSP as certificate revocation control when possible. If you specify both CRL and OCSP, then the CRL checked is performed first and if certificate not found a OCSP request is performed as a secondary control.

Server Certificate Settings
Label Display Name Certificate information Key Password CA Certificate Mandatory Yes Yes Yes No No Description Unique name used in the system to identify the server certificate. PEM formatted certificate. Private key for the certificate. Password to use if the information is encrypted. One or several CA certificates used to complete the entire certificate chain.

Client Certificate Settings
Label Display Name Certificate Key Password Mandatory Yes Yes No No Description Unique name used in the system to identify the client certificate. PEM formatted certificate. Private key for the certificate. Password used when the information is encrypted.

User Guide

267

Manage system

Device definitions
About device definitions
Devices are used in numerous settings such as in access rules for examples or in the global Access Point setting Device Control which controls access for specific devices. Devices are defined using device definitions which define how HTTP headers in requests are interpreted to identify specific devices. Access Points detect a device based on its HTTP headers. When creating access rules of the type Client Device, device definitions are used to protect a resource. Device definitions are also used for Client Firewalls when creating incoming firewall rules. For more information, see Manage device definitions.

Manage device definitions
You define a device by entering name=value pairs, where the name refers to the HTTP header and the value to the value of the HTTP header. The wildcard character * can be used. One or several definitions can be defined. When several definitions are listed, the logical operation AND is applied automatically. If you want to use the logical operator OR to separate the definitions, enter a pipe symbol |’ as a divider. When started with an exclamation mark, !’, the logical operator NOT applies to the entire row. Example:

User-Agent=*MSIE* !User-Agent=*opera* | User-Agent=*safari* User-Agent=*netscape* | User-Agent=*mozilla* General Settings
Label Display Name Definition Mandatory Yes Yes Description Name used in the system to identify the device definition. Prerequisites the device must fulfill in order to be identified correctly.

268

WatchGuard SSL 500 & SSL 1000

Manage system

Delegated management
About delegated management
WatchGuard Administrator supports delegated management enabling you to create different administrative roles with different privileges and responsibilities. Each role can be assigned to one or several users stored in the registered user storage location.
The roles Help Desk and Super Administrator are predefined roles, and they cannot be deleted. Roles are used as alert receivers in the Monitor System section, Manage Alerts page.

Selected roles receive notification messages about selected alert events. If you plan to use the new role for alerts, you need to ensure that selected users have registered email addresses and/or cell phone numbers A role can be assigned to Administrators. For more information, see Manage delegated management.

Manage delegated management
Delegated management is managed through roles. You can add any number of roles and assign them one or several of the pre-configured privileges available. All privileges can be combined. No privileges are selected by default. Available privileges include: Help desk administration Entitles the role to add, edit, and delete all settings saved for a user account User account management Entitles the role access to all functionality available in the Manage Accounts and Storages section Resource management Entitles the role to add, edit, and delete resources, both resource hosts and resource paths and to manage Application Portal items Resource path management Entitles the role to add, edit, and delete resource paths for selected resource hosts View logs Entitles the role to view logs using the Log Viewer for all servers in the WatchGuard Network Publish Entitles the role to publish the updated configuration

User Guide

269

Manage system

Role settings
Role settings are displayed in tabs representing the privileges selected. Each privilege has a separate set of settings available. The Add Role wizard is adjusted accordingly. The privileges View logs and Publish is not editable, they allow for use of the functionality View logs and Publish respectively. General settings and Administrators are common settings for all roles, and described below: Help Desk Settings available for the predefined role Help Desk include: General Settings This tab includes display name and description of the role as well as the option to add available privileges to the role. User accounts This tab includes the option to select user groups containing specific user accounts which the role will be allowed to manage. Administrators This tab includes the option to assign the role to existing administrators in user storage. You search for administrators by entering a user ID, the wildcard character * is allowed for a complete search. Super Administrator Settings available for the predefined role Super Administrator also include: General Settings This tab includes display name and description of the role as well as the option to add available privileges to the role. Administrators This tab includes the option to assign the role to existing administrators in user storage. You search for administrators by entering a user ID, the wildcard character * is allowed for a complete search. User Account Management Settings available for the role User Accounts include: General Settings This tab includes display name and description of the role as well as the option to add available privileges to the role. User accounts This tab includes the option to select user groups containing specific user accounts which the role will be allowed to manage. Administrators This tab includes the option to assign the role to existing administrators in user storage. You search for administrators by entering a user ID, the wildcard character * is allowed for a complete search. Resources General Settings This tab includes display name and description of the role as well as the option to add available privileges to the role. Resources This tab includes the option to select registered resources which the role will be allowed to manage. Administrators This tab includes the option to assign the role to existing administrators in user storage. You search for administrators by entering a user ID, the wildcard character * is allowed for a complete search.
270 WatchGuard SSL 500 & SSL 1000

Manage system

General Settings
Label Display Name Description Mandatory Yes No Description Unique name used in the system to identify the role. Can be used to give a more detailed description about the role.

Privileges
Label Help desk administration User account management Resource management Resource path management View logs Mandatory No Description This privilege entitles the role to add, edit, and delete all settings saved for a user account. Not selected by default. This privilege entitles the role access to all functionality available in the Manage Accounts and Storages section. Not selected by default. This privilege entitles the role to add, edit, and delete resources, both resource hosts and resource paths. Not selected by default. This privilege entitles the role to add, edit, and delete resource paths for selected resource hosts. Not selected by default. This privilege entitles the role to view logs using the Log Viewer for all servers in the WatchGuard Network. Not selected by default. This privilege entitles the role to publish the updated configuration. Not selected by default.

No

No

No

No

Publish

No

User Accounts
Label Select User Group Mandatory Yes Description Select user group in registered groups to make a selection of user accounts the role is entitled to manage.

Administrator
Label User ID Mandatory Yes Description The wildcard character are * is supported, representing any number of characters (including none). Select one or several users in the Search Result list.

User Guide

271

Manage system

Directory services
About directory services
WatchGuard Administrator supports these directory services: Microsoft Active Directory OpenLDAP Sun Java System Directory Server Novell eDirectory Other or Customized configuration of listed directory services
You can choose not to use a directory service, but this eliminates user storage and user accounts features, and limits the functionality of WatchGuard Administrator.

WatchGuard Administrator uses the directory service for user account storage and credentials for authorization and authentication. A directory service supporting LDAP for storing for example user information is recommended when using WatchGuard Administrator. A directory service was initially configured during the Setup System wizard. Please refer to Manage Accounts and Storage for further information on how WatchGuard Administrator uses the directory service. For more information, see Manage directory services.

Manage directory services
On the Manage Directory Service page, you setup global settings for the directory service. These settings include host and port, directory service administrator credentials, location DN, and time-out and retry options. You also configure how the directory service communicates with WatchGuard Administrator. When SSL is selected, the CA certificate used is required. Please refer to your directory service manufacturer’s user manuals for details on your directory service management.

General Settings
You need to specify at least one IP address to or DNS name of to the primary host, but you also have the option to setup a secondary host. A listening port is also required, usually this is set to 389 for LDAP and 636 for secure LDAP. Directory service administrator credentials are also specified, for example as an DN, ID, or similar to an account with read-and-write permissions on the directory service from the specified location. This is to enable WatchGuard Administrator to read and store user information on the directory service. To specify the Location DN, you can use the Show Tree functionality. This allows you to browse your directory service structure to the exact applicable locations. Furthermore, you specify the number of seconds, allowed range is 1-300, the Authentication Service waits for a connection, before the Secondary Host is connected. This is set 15 seconds by default.

272

WatchGuard SSL 500 & SSL 1000

Manage system

The number of allowed retries for the Primary Host is set to 0 by default, When set to 0, each failed connection attempt to the Primary Host result in that the Secondary Host is connected, when a secondary host has been configured. You do not have to re-install or re-configure WatchGuard Administrator to change the directory service. Label Primary Host Secondary Host Port Account Mandatory Yes No Yes Yes Description IP address or DNS name of the primary directory service. IP address or DNS name of the secondary directory service. Listening port for the directory service. DN, ID or similar (depending on type of directory service) to an administrative account with read- and write permissions on the directory service. Password for Account. Location where WatchGuard Administrator users are stored. Number of seconds (1-300) the Authentication Service waits for a connection, before the Secondary Host is connected. Set to 15 by default. Number of retries for the Primary Host. Set to 0 by default. Not selected by default. It is strongly recommended that you do not change directory type if you have active accounts registered. Available options are: Microsoft Active Directory OpenLDAP Sun Java System Directory Server Novell eDirectory Other or Customized configuration of listed directory services.

Password Location DN Time-out

Yes Yes Yes

Retries Enable change of directory service type Directory Service Type

Yes No

Yes

Communication Settings
You setup the communication between the directory service and WatchGuard Administrator by using the host and port specified in the General Settings section. To secure this communication, you have the option to use SSL and a associated CA certificate. When SSL is used, the CA certificate is required. This is not configured by default. Label Use SSL CA Certificate Mandatory No No Description Protocol used for communication with user storage. Not selected by default. Available when Use SSL is selected.

User Guide

273

Manage system

Advanced Settings
Advanced settings are only available if you have selected Other or Customized configuration of listed directory services. You have the option to specify an Object Class which is used to store user accounts. Object classes allow you to control which attributes are required and allowed in an entry. Example: organizationUnit An Object Class has three attributes: Naming This attribute is the relative name of the object class, it holds the object ID that is automatically generated by the system. Storing This attribute is the common object class attribute name used to store the attributes of the storage objects. Example: searchGuide (for Active Directory) It specifies the attribute name used for storing all property data. It is recommended that the LDAP attribute size is at least 5 kb or larger. Unique name This attribute is the common object class attribute name used to store the unique name (or a unique ID) of the storage object. Example: l (for locality) Label Object Class Naming Attribute Storing Attribute Unique Name Attribute Mandatory No No No No Description Name of the object class used to store WatchGuard Administrator users. Relative name of the object class. Common object class attribute name used to store the attributes of the storage objects. Common object class attribute name used to store the unique name (or a unique ID) of the storage object.

274

WatchGuard SSL 500 & SSL 1000

Manage system

Notification settings
About notification settings
Notification settings are the required SMS and email configuration to be able to distribute messages and information. The notification settings are the communication channels used for alert, OTP, password and PIN distribution, and seed notifications. You configure channels for SMS and email. For more information, see Manage Notification settings.

Manage notification settings
Email channel settings
You need to specify an email channel in three cases: When the setting Notification is set to Email or Email and Screen on the user account As a global user account setting When Email has been selected as Notification Channel for alerts in Manage Alerts A host and a port for the email server are required, with default set to localhost and 25 respectively. You also specify a sender’s email address. Example: admin@watchguard.com

Email Channel Settings
Label Enable email channel Host Mandatory No Yes Description Not selected by default. IP address or DNS name of the server that sends PIN, password and seed to the receiver if Notification is set to Email for the user. Set to localhost by default. Port for the server. Set to 25 by default. Sender’s email address for the PIN/password message.

Port Sender’s email Address

Yes Yes

User Guide

275

Manage system

SMS channel settings
You need to specify an SMS channel in three cases: When the setting Notification is set to SMS or SMS and Screen on the user account As a global user account setting When SMS has been selected as Notification Channel for alerts in Manage Alerts It is possible to configure as many SMS channels as wished. Each channel is handled by a plug-in (configured on the SMS plug-ins tab) Default delivered plugins are: HTTP Netsize SMTP CIMD SMPP Each one of these plug-ins have different settings depending on the requirements of that specific protocol. It is also possible to write new plugins for integration with other gateway protocols.

276

WatchGuard SSL 500 & SSL 1000

Manage system

HTTP channel settings
Label URL Account Password Use Basic Authentication POST Data Follow Redirects Use HTTP 1.1 User Agent Additional Headers Timeout No No No No No Yes Mandatory Yes Yes Yes Description The URL of the HTTP Service. The service account that should be used to login to the HTTP Service. The service account password that should be used to login to the HTTP Service. If Basic Authentication should be used for this HTTP Service. The POST data that should be present in the HTTP Post. If Redirects should be considered in the response parsing. If HTTP version 1.1 shall be used for the Request. Selected by default. Specify a User Agent if the HTTP Service require a particular User Agent. Specify Additional Headers if the HTTP Service require any headers present in the request. The timeout defined in milliseconds that will be used to wait for a response from the HTTP Server. Set to 10000 by default. The timeout defined in milliseconds that will be used to wait for a connection to the HTTP Server. Set to 10000 by default. Characters that should be removed from the mobile number. E.g. +() If the prefix of the mobile number is incorrect for the service it can be replaced with a new prefix. E.g. replace 00 with +. In this case enter 00 as Replace Prefix and + below as New Prefix The new prefix that shall replace the one triggered above. The HTTP Response Codes that will indicate success, 200,201,202 selected by default. The HTTP Response Codes that will indicate failure, 400,401,402 selected by default. Contents in the HTTP Response Body that will indicate success Contents in the HTTP Response Body that will indicate failure

Connection Timeout

Yes

Mobile Number Format tab Remove No

Replace prefix

No

New prefix Response Parsing tab Success Response Codes Failure Response Codes Success Response Body Failure Response Body

No

User Guide

277

Manage system

Netsize channel settings
Label Host Address Port Client Account Password Timeout Mandatory Yes Yes Yes Yes Yes Yes Description The IP address or DNS name of the Netsize Server. The port of the Netsize Server. Set to 2775 by default. The client account that should be used for the Netsize Service The service account that should be used to login to the Netsize Service. The service account password that should be used to login to the Netsize Service. The timeout defined in milliseconds that will be used to wait for a response from the Netsize Server. Set to 15000 by default. The Message Class for this message. Valid entries are: Default, Immediate Display (Flash), Store on Mobile Phone, Store on SIM, Store on Terminal Equipment. Please contact your Netsize Vendor for further information about these settings. No Characters that should be removed from the mobile number. E.g. +() If the prefix of the mobile number is incorrect for the service it can be replaced with a new prefix. E.g. replace 00 with +. In this case enter 00 as Replace Prefix and + below as New Prefix The new prefix that shall replace the one triggered above.

Message Class

Mobile Number Format tab Remove

Replace prefix

No

New prefix

No

278

WatchGuard SSL 500 & SSL 1000

Manage system

CIMD channel settings
Label Host Address Port Account Password Timeout Mandatory Yes Yes Yes Yes Yes Description The IP address or DNS name of the CIMD Server. The port of the CIMD Server. Set to 3000 by default. The service account that should be used to login to the CIMD Service. The service account password that should be used to login to the Netsize Service. The timeout defined in milliseconds that will be used to wait for a response from the Netsize Server. Set to 15000 by default.

Mobile Number Format tab Remove No Characters that should be removed from the mobile number. E.g. +() If the prefix of the mobile number is incorrect for the service it can be replaced with a new prefix. E.g. replace 00 with +. In this case enter 00 as Replace Prefix and + below as New Prefix The new prefix that shall replace the one triggered above.

Replace prefix

No

New prefix

No

User Guide

279

Manage system

SMTP channel settings
Label Host Address Port Account Password Start TLS Timeout Yes Mandatory Yes Yes Yes Yes Description The IP address or DNS name of the SMTP Server. Set to localhost by default. The port of the CIMD Server. Set to 25 by default. The service account that should be used to login to the SMTP Service. The service account password that should be used to login to the SMTP Service. Select this if TLS (Transport Layer Security) should be used. The timeout defined in milliseconds that will be used to wait for a response from the SMTP Server. Set to 10000 by default. Select this if the socket should be closed after communication Select this if debug mode should be enabled. No Characters that should be removed from the mobile number. E.g. +() If the prefix of the mobile number is incorrect for the service it can be replaced with a new prefix. E.g. replace 00 with +. In this case enter 00 as Replace Prefix and + below as New Prefix The new prefix that shall replace the one triggered above. The email address that should be used. The friendly name that should be placed in the to field The email address that should be used as the sender address. The friendly name that should be placed in the from field The content of the Subject field The content of the Message Body

Close Socket Debug mode Mobile Number Format tab Remove

Replace prefix

No

New prefix Message tab To To Personal From From Personal Subject Message Body

No No No No No No No

280

WatchGuard SSL 500 & SSL 1000

Manage system

SMPP channel settings
Label Host Address Port Timeout Mandatory Yes Yes Yes Description The IP address or DNS name of the SMPP Server. The port of the SMPP Server. Set to 2775 by default. The timeout defined in milliseconds that will be used to wait for a response from the SMPP Server. Set to 15000 by default. Select this to keep the connection alive The service account that should be used to login to the SMPP Service. The service account password that should be used to login to the SMPP Service. Defines the System Type. Please see SMPP Server documentation for more Information. Yes The Interface version. Set to 52 by default. Please see SMPP Server documentation for more Information. Please see SMPP Server documentation for more Information. Please see SMPP Server documentation for more Information. No Characters that should be removed from the mobile number. E.g. +() If the prefix of the mobile number is incorrect for the service it can be replaced with a new prefix. E.g. replace 00 with +. In this case enter 00 as Replace Prefix and + below as New Prefix The new prefix that shall replace the one triggered above. Please see SMPP Server Documentation for information on settings on this tab.

Keep Alive System ID Password System Type Interface Version Address TON Address NPI Address Range

No Yes Yes

Mobile Number Format tab Remove

Replace prefix

No

New prefix

No

Submission Parameters tab

User Guide

281

Manage system

Variables
The following variables can be used in all texts, which will be replaced with the corresponding content from the user account. Variables are used surrounded with brackets and preceded with a dollar sign. For example, [$user-mobile] Variable Name message user-id user-display-name user-mobile user-mobile-raw user-mail-address administrator-id Description The notification message that should be sent The id of the user The display name of the user The mobile-number of the user (processed) The mobile-number of the user (unprocessed). The mail address of the user. The ID of the Administrator.

Policy Services
About Policy Services
The Policy Service makes access decisions, authenticates, audits, and validates certificates as well as digital signatures. Clients communicating with Policy Service interact via different access channels such as the Web or WAP.

WatchGuard Network

The Policy Service makes the access decisions depending on access policies. These policies rely on who wants to have access, which resource or service the user is requesting, which communication channel the request comes through, and which authentication method that is needed. These policies are called Access Rules.

282

WatchGuard SSL 500 & SSL 1000

Manage system

Access rules protect resources by allowing or denying access, and by specifying the requirements for a particular user, resource, or communication channel. Additionally, business related conditions can be customized for different services. For example, only customers who are allowed credit are able to use the ordering function. The Policy Service provides complete control over authentication, and supports several authentication methods, such as static and dynamic passwords, PKI, and challenge-response. A number of systems for authentication can be integrated, and products not managed directly by the Policy Service can be integrated using the Extension Programming Interface (XPI). The Policy Service can connect to multiple authentication systems and CAs. By using caching technology, the solution can scale to serve a large amount of users while sustaining high performance. In a traditional solution, the user is first authenticated and then the user information is connected followed by the log information. The Policy Service works with the requested service or communication channel as a starting point. Thus, the resource and channel constitute the requirements for access, regarding authentication method and its associated roles for that particular resource or service. For more information, see Manage Policy Services and Manage global Policy Services settings.

Manage Policy Services
You add, edit, and delete Policy Services on the Manage Policy Services page in Manage System.

General settings
Policy Service configuration includes display name as well as the following general settings. Service ID When a Policy Service is added to the system, a service ID is automatically generated. The service ID is displayed for the Policy Service in the Registered Policy Services list on the Manage Policy Service page, as well as when editing the Policy Service. The service ID must be entered when the service is installed. Internal Host IP address or DNS name of the Policy Service, used for communication in the WatchGuard Network. Avoid using the IP address 0.0.0.0 to listen to all local IP addresses. Instead, select the Listen on all interfaces check box. Internal Port Incoming port for the Policy Service. Set to 8301 by default. Listen to All Interfaces Specifies what interfaces the service listens to. When selected, the services listens to all specified IP addresses. When not selected, the services only listens to the specified IP address. Not selected by default. Distribute Key Files Automatically Defines whether or not key files should be automatically distributed from the Administration Service to the Policy Service after the Policy Service has been installed. Deselecting this option will keep the system more secure, but the administrator is then required to copy key files manually. Selected by default.

User Guide

283

Manage system

General Settings
Label Service ID Display Name Internal Host Internal Port Listen to all interfaces Distribute key files automatically Mandatory No Yes Yes Yes No No Description Identification number automatically assigned to the Policy Service when it is created. Unique name used in the system to identify the Policy Service. IP address or DNS name of the Policy Service, used for communication in the WatchGuard Network. Incoming port for the Policy Service. Set to 8301 by default. Specifies what interfaces the service listens to. Not selected by default. Selected by default.

XPI: Web services
XPI (Extension Programming Interface) is the generic term for all WatchGuard Administrator public APIs. Currently WatchGuard Administrator offers four different APIs: XPI: Web Services A set of web services for authentication, authorization, user account and single sign-on value management. XPI: Authentication Methods A framework for the development of custom authentication method plug-ins. XPI: End-Point Integrity A framework for the development of custom End-Point Integrity plug-ins. XPI: Access Clients A framework that enables third-party applications to use the WatchGuard Access Client functionality. Please refer to the WatchGuard Extension Programming Interface (XPI) available documentation on the WatchGuard Administrator dashboard. The XPI: Web Services settings include specifying host and incoming port. If XPI: Web Services is enabled, you define which server certificate to use.

XPI Settings
Label Enable XPI: Web Services Host Port Server Certificate Mandatory No Yes (Yes) (Yes) Description Not selected by default. IP address or DNS name of XPI: Web Services. Set to 127.0.0.1 by default. Defines the incoming port for XPI: Web Services. Set to 443 by default. Lists registered server certificates. Mandatory when Enable XPI: Web Services is selected.

284

WatchGuard SSL 500 & SSL 1000

Manage system

Manage global Policy Service settings
Communication Settings
The global settings for Policy Services include: Interval for checks for timed-out sessions Life-time in cache for a user Heartbeat interval for status checks
This setting applies to the entire WatchGuard Network.

Limit for number of missing heartbeats before the Policy Service re-connects to the network, if the server has not answered the status request Missing Heartbeat Limit and Heartbeat Interval creates a default time of 2 minutes (12x10 seconds). Option for the Policy Service to send cache specification to the Access Point, for the Access Point to cache authorization decisions

Global Policy Service Settings
Label Time-out Check Interval User Life Time in Cache Heartbeat Interval Mandatory Yes Description Number of seconds (0-3600) checks for sessions that have timed-out are performed. Set to 1 by default. Number of seconds (0-31536000) a user is cached before reloaded from storage (despite user activity). Set to 900 by default. Interval in seconds (1-30) for when status checks are performed. Set to 10 by default. Number of missing heartbeats allowed (1-100) before the Policy Service re-connects to the network, if the server has not answered the status request. Set to 12 by default. Selected by default.

Yes

Yes

Missing Heartbeat Limit

Yes

Send cache specification

No

User Guide

285

Manage system

RADIUS Configuration
About RADIUS configuration
The RADIUS protocol is supported by the WatchGuard authentication methods. Mobile ID authentication refers to the Authentication Service and the WatchGuard authentication methods Web, Mobile Text, Challenge, Synchronized, and Password. A RADIUS client is the client connecting to a RADIUS server for authentication. Usually, the RADIUS server is the Authentication Service, but it can proxy the access request to another authentication server, depending on which authentication method being used. The WatchGuard authentication methods support the RADIUS protocol. A RADIUS client can be the Policy Service, a firewall, or the RADIUS plug-in for the Policy Service. The Policy Service is a RADIUS client with pre-configured settings. You can configure other RADIUS clients to connect to the Authentication Service for authentication. If the Authentication Service is used with the Policy Service as a RADIUS client, you need to configure WatchGuard authentication methods in the Policy Service. User groups are sent as an RADIUS attribute. Based on access rules of the type user group membership, the RADIUS client will perform the access control. RADIUS Back-end Servers RADIUS back-end servers refer to authentication servers handling third-party authentication methods. The Authentication Service can proxy access requests to one or several back-end servers. A back-end server can be a RSA SecurID Server, for example. For more information, see Manage RADIUS configuration.

286

WatchGuard SSL 500 & SSL 1000

Manage system

Manage RADIUS configuration
You can view, add, edit, and delete RADIUS clients that connect to the Authentication Service for authentication, as well as to RADIUS back-end servers. Use the Manage RADIUS Back-End Servers page to add, edit, or delete back-end servers used when the Authentication Services proxy authentication requests from unidentified users to other RADIUS servers.

RADIUS Client Settings
The General Settings for the RADIUS client include IP address and a shared secret between the RADIUS client and the Authentication Service. You can also specify three different attributes: Accept These attributes are sent to the RADIUS client as a response together with the Accept. Accept Attributes must be specified in key-value pairs connected with an equal sign =. Integer values can be entered either in decimal form (8192) or in hexadecimal form (0x2000). Challenge These attributes are sent to the RADIUS client as a response together with Challenge. Challenge attributes must be specified in key-value pairs connected with an equal sign =. Integer values can be entered either in decimal form (8192) or in hexadecimal form (0x2000). Reject These attributes are sent to the RADIUS client as a response together with Reject. Reject Attributes must be specified in key-value pairs connected with an equal sign =. Example: User-Name=John Smith NAS-IP-Address=127.0.0.3 NAS-Port=8192 Integer values can be entered either in decimal form (8192) or in hexadecimal form (0x2000).

General Settings
Label Client IP Shared Secret Verify Shared Secret Mandatory Yes Yes Yes Description IP address for the RADIUS client. Shared secret between the RADIUS client and the Authentication Service. Verification of Shared Secret.

Attributes
Label Accept Attributes Challenge Attributes Reject Attributes Mandatory No No No Description Attributes sent to the RADIUS client as a response together with Accept. Attributes sent to the RADIUS client as a response together with Challenge. Attributes sent to the RADIUS client as a response together with Reject.

User Guide

287

Manage system

Manage RADIUS Back-End Servers
RADIUS back-end servers refer to authentication servers handling third-party authentication methods. The Authentication Service can proxy access requests to one or several back-end servers. A back-end server can be a RSA SecurID Server, for example.
Remember to select the Proxy unknown users check box on the Manage RADIUS Authentication Settings page.

The RADIUS back-end server general settings include host (IP address or DNS name) port and a display name for the back-end server. You are required to specify the time in milliseconds (1000-99000) the Authentication Service waits for a backend server reply, before trying to connect next back-end server in the list. You also need to specify a shared secret between the RADIUS back-end server and the Authentication Service.

General Settings
Label Display Name Host Port Time-out Mandatory Yes Yes Yes Yes Description Unique name used in the system to identify the back-end server. IP address or DNS name of the back-end server. Port for the back-end server. Set to 1812 by default. Time in milliseconds (1000-99000) the Authentication Service waits for a back-end server reply, before trying to connect next back-end server in the list. Set to 5000 by default. Secret shared between the Authentication Service and the back-end server. Verification of Shared Secret.

Shared Secret Verify Shared Secret

Yes Yes

288

WatchGuard SSL 500 & SSL 1000

Glossary

A
Access Rules
Define specific requirements for access to resources and SSO domains. The access rules can be used in combination for more detailed access control. Example: (access rule A AND access rule B) AND (Access rule C OR access rule D).

ASCII
American Standard Code for Information Interchange. Standard 8 bit code used in data communications. Many files interchanged from one software program to another and from IBM to Mac formats go through translation into ASCII.

ASN.1
Abbreviation for Abstract Syntax Notation one, a standard notation describing data structures for representing, encoding, transmitting, and decoding data. ASN.1 provides a set of formal rules for describing the structure of objects that are independent of machine-specific encoding techniques.

Authentication
The process of verifying the identity of an individual connecting to a system. Identities are verified through different authentication methods. See also: Authentication Method, Access Rules

Authentication Method
A procedure used to perform authentication. Different authentication methods provide different levels of proof when identifying a user connecting to a system: from verifying basic static passwords to handling complex combinations of challenges, encryption keys, and passwords. See also: Authentication

Authentication Server
A server used in application access control. For access to specific network resources, the server may itself store user permissions and company policies or provide access to directories that contain the information. Examples of authentication servers are WatchGuard Authentication Service, SecurID and SafeWord. See also: Authentication

User Guide

289

Authorization
The process of granting or denying access to a system resource. See also: Authentication Method, Access Rules

B
BankID
BankID is a service that offers secure electronic identification and signature on the Internet, which is now legally binding in the EU. The service has been developed by a number of large banks for use by members of the public, authorities, companies, and other organizations.

Base64
A method of encoding binary data sent as an attachment through email. Base64 encoding divides three bytes of data into four bytes of ASCII text, making the resulting file size approximately 33% larger.

Base DN
Identifies the root node of the LDAP data store pointing to the directory containing user data.

C
CA
Abbreviation for Certificate Authority, a trusted third-party organization or company that issues digital certificates. The role of the CA is to validate the identity of the individual holding the certificate and to sign the certificate so that it cannot be forged.

CA Certificate
Abbreviation for Certificate Authority Certificate, a certificate that identifies a certification authority. CA certificates are used to decide whether to trust certificates issued by the CA, for example when a Web browser validates a server certificate.

Cipher
A cryptographic algorithm used to encrypt and decrypt files and messages.

Client Certificate
An attachment to an electronic message used for security purposes. The client certificates are associated with user accounts to authenticate users and give access to protected resources.

CDP
Abbreviation for Control Distribution Point.

290

WatchGuard SSL 500 & SSL 1000

Client Device
The software of a client that communicates with the server. The client device may include operating system, plug-ins, specific configurations and the proxies/gateways that the client communicates through. Examples of client devices are: Netscape 7, Windows, Macintosh, Internet Explorer and WAP-phone. A client device may be combination of entities. For example, this combination may be present for a single device: Windows, Internet Explorer and Internet Explorer 6.

CRC
Abbreviation for Certificate Revocation Control. A control performed by the system to make sure that the user certificate is not revoked.

CRL
Abbreviation for Certificate Revocation List. A document maintained and published by a certification authority that lists certificates that have been revoked.

CVC
Abbreviation for Certificate Authority Validity Control, a control performed by the system on the user certificate to verify that a trusted CA has issued the User Certificate.

D
Delegated Management
A featured used to delegate administration of user accounts and resources to multiple administrators with different privileges and responsibilities.

DER
Abbreviation for Distinguished Encoding Rules, used to encode ASN.1 objects for a consistent encoding using a binary format. Microsoft Internet Explorer understands certificates downloaded in this format. See also: ASN.1

Device
See Client Device

Digital Certificate
Digital certificates are used to identify people and resources over networks such as the Internet. Digital certificates enable secure communication between two parties. A trusted third-party organization or company, Certificate Authority, issues certificates. The certificate contains the public key and the name of its owner. The user certificate also carries the digital signature of a Certification Authority to verify its integrity. See also: CA

Directory Service
A directory of names, profile information and machine addresses of every user and resource on the network. It is used to manage user accounts and network permissions. When sent a user name, it returns the attributes of that individual, which may include a telephone number as well as an email address. Directory services use highly specialized databases that are typically hierarchical in design and provide fast lookups.

User Guide

291

Directory Service User Group
A user group containing all users belonging to a certain user group defined in an existing directory service.

Display Name
Defines the unique name used in the system to identify an object.

Distribution Channel
The media channel through which information is sent. For example, MobileID can send information via SMS or SMTP.

DMZ
Abbreviation for Demilitarized Zone, a middle ground between an organization’s trusted internal network and an untrusted, external network such as the Internet. It is recommended that the Access Point is placed in the DMZ.

DN
Abbreviation for Distinguished Name, used as primary key to entries in directory services. For example, a DN for where users reside in the directory service could be cn=users,dc=mycompany,dc=com.

DNS
Abbreviation for Domain Name System, a name resolution system that allows users locate computers on a Unix network or the Internet (TCP/IP network) by domain name. The DNS server maintains a database of domain names (host names) and their corresponding IP addresses. For example, if www.mycompany.com was presented to a DNS server, the IP address 204.0.8.51 would be returned.

E
Encryption
Any procedure used in cryptography to convert plaintext into ciphertext in order to prevent anyone except the intended recipient from reading that data.

F
Firewall
A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. The firewall is normally installed at the point where network connections enter a site, normally named DMZ.

FTP
Abbreviation for File Transfer Protocol, a protocol used to transmit files between computers on the Internet. See also: TCP

292

WatchGuard SSL 500 & SSL 1000

H
Host
A computer, for example a server, that acts as a source of information or signals. It is connected to a TCP/IP network, including the Internet. A host has a specific local or host number that, together with the network number, forms its unique IP address.

HTTP
Abbreviation for Hypertext Transfer Protocol, a protocol used to transmit files over the World Wide Web.

HTTPS
Abbreviation for HTTP with SSL encryption for security. See also: HTTP, SSL

L
LDAP
Acronym for Lightweight Directory Access Protocol, a client-server protocol for accessing and managing directory information.

Log Levels
Indicate the severity of a message stored in a log: fatal, warning, info, or debug.

M
MIME
Abbreviation for Multipurpose Internet Mail Extensions. A protocol for Internet email that enables the transmission of non-text data such as graphics, audio, video and other binary types of files.

N
NTLM
Abbreviation for NT LAN Manager, a protocol used for authentication.

User Guide

293

O
OpenSSL
An open source implementation of the SSL and TLS protocols. See also: SSL, TLS

OU
Abbreviation for Organizational Unit, a standard naming attribute used in LDAP. See also: LDAP

P
PEM
Acronym for Privacy Enhanced Mail, a standard for secure email on the Internet. It supports encryption, digital signatures and digital certificates as well as both private and public key methods.

PIN
Acronym for Personal Identification Number. A private code used for identification of an individual.

PKI
Abbreviation for Public Key Infrastructure, a framework for creating a secure method for exchanging information based on public key cryptography.

Port
A port is usually an interface through which data are sent and received.

Proxy
A server that is placed between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.

R
RADIUS
Acronym for Remote Authentication Dial-In User Service, the de facto standard protocol for authentication servers. RADIUS uses a challenge/response method for authentication.

Resource
A corporate application users can access from a remote location. Available resource types in WatchGuard Administrator are Web resources, tunnel resources, file share resources and customized resources.

Resource Host
Defines the computer where the resource is deployed. A resource host is identified through its unique IP address. A Web resource host or customized resource host can have one or several paths connected to it.

294

WatchGuard SSL 500 & SSL 1000

Resource Path
Defines the route to a specific part of the web resource host or customized resource host, for example http:// www.resourcehost.com/path/, where the resource path defines a subset of the resource host. Resource paths are defined when user access should be restricted to that specific subset only.

S
SAML
Acronym for Security Assertion Markup Language, an XML standard for exchanging authentication and authorization data between an identity provider and a service provider. WatchGuard Administrator supports SAML 2.0.

Seed
An initial value used to generate pseudorandom numbers. Used when authenticating with WatchGuard SSL Challenge for example.

Server Certificate
Server certificates ensure that communication between clients and application servers is secure and private. The clients use the server certificate to authenticate the identity of the server and to encrypt information for the server, using SSL.

Shared Secret
A shared secret is used, for example, between the Authentication Service and a RADIUS client to mask passwords used in authentication. The shared secret is set manually by the Administrator.

SMS
Abbreviation for Short Message Service, a service for sending messages of up to 160 characters (224 characters if using a 5-bit mode) to cell phones that use Global System for Mobile (GSM) communication.

SMPP
Abbreviation for Short Message Peer-to-Peer protocol. SMPP is a telecommunications industry protocol for exchanging SMS messages between SMS peer entities such as short message service centers.

SSL
Acronym for Secure Sockets Layer, a commonly used protocol for managing the security of a message transmission on the Internet. SSL uses the public- and private-key encryption system, which includes the use of a digital certificate.

SSO
Abbreviation for Single Sign-On, the ability for users to log on once to a network and be able to access all authorized resources. A single sign-on program accepts the user’s name and password and automatically logs on to all appropriate servers.

SSO Domain
A collection of resources that share the same logon credentials. A user can have logon credentials for several SSO domains.

User Guide

295

T
TCP
Abbreviation for Transport Control Protocol, a transport layer protocol that moves multiple packet data between applications. See also: FTP

TLS
Abbreviation for Transport Layer Security, a protocol intended to secure and authenticate communications across a public networks by using data encryption. See also: SSL

Tunneling
A technology that enables a network to send its data via another network’s connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. Tunnels are often used to transmit non-IP protocols across IP networks.

U
UDP
Abbreviation for User Datagram Protocol, a transport layer protocol for the Internet. It is a datagram protocol which adds a level of reliability and multiplexing to IP datagrams. It is defined in RFC 768.

URI
Abbreviation for Uniform Resource Identifier, a formatted string that serves as an identifier for a resource, typically on the Internet. URIs are used in HTML to identify the anchors of hyperlinks. URIs in common practice include URLs. See also: URL

URL
Abbreviation for Uniform Resource Locator, a unique, identifying address of any particular page on the Web. See also: URI

User Certificate
See Client Certificate

User Group
A collection of users which share the same properties regarding access rights. There are three types of user groups: User Location Group, User Property Group and Directory Service User Group.

User Location Group
A user group which contains all users located under a specific node in the directory tree.

User Property Group
A user group which contains all users with a specific user attribute.

User Storage
A directory service containing information about users, user groups, and user certificates

296

WatchGuard SSL 500 & SSL 1000

W
WAP
Acronym for Wireless Application Protocol. A set of communication protocol standards to enable access of online services from a cell phone.

X
X.509
A specification for digital certificates published by the ITU-T (International Telecommunications Union Telecommunication). It specifies information and attributes required for the identification of a person or system.

User Guide

297

298

WatchGuard SSL 500 & SSL 1000

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->