Version: 2.0
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Guide revision: 08/27/2008
Licensing
Some components of the WatchGuard SSL software are distributed with source code covered under one or more third party or open source licenses. We include below the full text of the licenses as required by the terms of each license. To get the source code covered by these licenses, contact WatchGuard Technical Support at:
877.232.3531 from the United States or Canada
+1.360.482.1083 from all other countries
You can download the source code at no charge. If you request a compact disc, there is a $35 charge for administration and shipping.
ii
User Guide
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
a. You must give any other recipients of the Work or Derivative Works a copy of this License; and
b. You must cause any modified files to carry prominent notices stating that You changed the files; and
c. You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
d. If the Work includes a NOTICE text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an AS IS BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
Table of Contents
Chapter 1
Introduction ..... 1
Target audience ..... 1
Conventions used in this publication ..... 1
Special Fonts ..... 1
Notes ..... 2
Contact WatchGuard documentation department ..... 2
References ..... 2
Chapter 2
Get started ..... 3
Reading suggestions ..... 4
Customer support ..... 4
Product Overview ..... 5
Assessment ..... 5
Authentication ..... 6
Authorization ..... 6
Auditing ..... 7
Access ..... 7
Abolishment ..... 8
Technical overview ..... 9
Administrative Service ..... 9
Access Point ..... 10
Policy Service ..... 11
Resources ..... 11
Access Rules ..... 12
Single Sign On ..... 12
Authentication Service ..... 13
WatchGuard Authentication ..... 13
WatchGuard Administrator Distribution Service ..... 14
Planning ..... 14
Define the Deployment Goals ..... 14
Security Audit/Planning ..... 15
System Architecture Review ..... 15
Public Key Infrastructure ..... 15
Securing your operating system ..... 16
Securing the file system ..... 16
Securing shared resources ..... 17
File auditing ..... 17
Securing disk resources ..... 17
User management strategy ..... 18
Analyze your environment ..... 18
Directory service requirements ..... 18
Password management ..... 19
Use of Foreign Characters ..... 19
Securing Microsoft Active Directory ..... 19
User management recommendations ..... 20
Recommendations for DNS Management ..... 20
Recommendations for the Active Directory installation ..... 20
Recommendations for Domain and OU management ..... 20
Recommendations for Tree and Forest management ..... 20
Recommendations for Object Access Control Management ..... 20
Recommendations for Replication Management ..... 21
Recommendations for Operation Masters ..... 21
Recommendations for auditing ..... 21
Resource access ..... 21
Access strategies ..... 21
Pre-installation check list ..... 22
Pre-Installation Check List ..... 22
WatchGuard Network ..... 23
Network Layout ..... 23
Default listening ports ..... 24
Register your WatchGuard SSL User Pack with LiveSecurity Service ..... 26
Chapter 3
Installation ..... 27
Primary WatchGuard user ..... 28
Change the primary WatchGuard User password ..... 28
Preparation ..... 29
Install on Windows ..... 30
Install administration service ..... 30
Install Authentication Service ..... 31
Install Policy Service ..... 31
Install Distribution Service ..... 31
Install WatchGuard Mobile ID ..... 31
Install Access Client ..... 31
Upgrade overview ..... 32
Start and Stop WatchGuard Administrator Services ..... 32
Uninstall WatchGuard Administrator ..... 32
Chapter 4
Setup System Wizard ..... 33
About the Setup System Wizard ..... 33
Requirements and preparation ..... 34
What Setup System includes ..... 34
Start the Setup System Wizard ..... 35
WatchGuard Administration Service Dashboard ..... 35
WatchGuard Administrator ..... 35
Upload license file ..... 36
License File ..... 36
Select directory service ..... 36
Configure directory service ..... 37
Common Settings for all Directory Service Types ..... 39
Specific Settings for Other or Customized Directory Service ..... 39
Super Administrator credentials ..... 40
Set up administration service ..... 40
Configure an Access Point in WatchGuard Administrator ..... 40
Set up Policy Service ..... 41
Policy Service Settings ..... 41
Set up Authentication Service ..... 41
Select WatchGuard Authentication Methods ..... 41
Authentication Service and Authentication Method Settings ..... 42
Select additional Authorization Methods ..... 42
Configure Authentication Methods ..... 43
Novell eDirectory Settings ..... 44
Confirm Authentication Methods ..... 44
Configure user storage ..... 45
Browse for root DN ..... 45
Search rules ..... 46
Select additional Directory Service ..... 47
Configure additional Directory Service ..... 48
Additional Directory Service Settings ..... 48
Finish the Setup System Wizard ..... 48
Chapter 5
Set up an Access Point ..... 49
WatchGuard SSL device software ..... 49
Connect your WatchGuard SSL Access Point device ..... 49
Select an Architecture Method ..... 50
One Interface Architecture ..... 50
Two Interface Architecture ..... 51
Configure your WatchGuard SSL device ..... 52
Reset your configuration ..... 52
Set the Date and Time Zone for your WatchGuard SSL device ..... 53
Change the password for your WatchGuard SSL device ..... 53
Use Log Viewer ..... 54
View Logs ..... 54
Clean Logs ..... 54
Update WatchGuard SSL device software ..... 54
Chapter 6
Administration ..... 55
About WatchGuard Administrator ..... 55
Top menu ..... 55
Online Help ..... 56
Monitor system ..... 57
Manage accounts and storage ..... 57
Manage resource access ..... 58
Manage system ..... 59
Chapter 7
Monitor System ..... 61
About Monitor System ..... 61
Status Overview ..... 61
Event Overview ..... 61
Status overview ..... 62
Users ..... 62
Resources ..... 62
System information ..... 62
Administrators ..... 62
Event overview ..... 63
Manage settings ..... 63
About system status ..... 64
General Status ..... 64
Access Points ..... 64
Policy Services ..... 64
Authentication Services ..... 64
About user sessions ..... 65
Logging ..... 65
About Log Viewer ..... 65
Diagnostic file ..... 66
Log Viewer Settings ..... 66
About logging ..... 67
Manage logging ..... 67
Log level filter ..... 68
Log file rotation ..... 68
Windows event log/Unix syslog ..... 68
Manage global logging settings ..... 69
About the license file ..... 70
View license details ..... 70
Upload new license ..... 70
Alerts ..... 71
About alerts ..... 71
Alert events ..... 71
Manage alerts ..... 71
Alert settings ..... 71
Alert event settings ..... 72
Settings ..... 72
Alert notification receivers ..... 73
Manage global alert settings ..... 74
Reports ..... 76
About reports ..... 76
Time range ..... 76
Filters ..... 77
Graphics ..... 77
Statistics ..... 78
Data Retrieval ..... 78
About report database ..... 79
Limitations ..... 79
Manage reports ..... 80
Set time range ..... 80
Set time range ..... 81
Assessment report settings ..... 83
Abolishment report settings ..... 83
Access report settings ..... 84
Authentication report settings ..... 85
Authorization report settings ..... 86
Account statistics report settings ..... 87
Session trend report settings ..... 87
Communication report settings ..... 88
Alert report settings ..... 88
System report settings ..... 88
Performance report settings ..... 89
Tunnel report settings ..... 89
Chapter 8
Manage accounts and storage ..... 91
About accounts and storage ........................................................................................................................... 91 User accounts .............................................................................................................................................. 91 User Import and Linking.......................................................................................................................... 91 User groups .................................................................................................................................................. 92 User storage ................................................................................................................................................. 92 Global user account settings ........................................................................................................................... 93 About global user account settings ......................................................................................................... 93 About user linking ..................................................................................................................................... 93 About user link repair ............................................................................................................................... 93 Manage global user account settings ..................................................................................................... 94 General settings.......................................................................................................................................... 94 Manage user linking.................................................................................................................................. 
95 General Settings ......................................................................................................................................... 95 User linking ............................................................................................................................................................ 99 About user linking .......................................................................................................................................... 99 Manage user linking....................................................................................................................................... 99 Manage user link repair ........................................................................................................................ 100 User import ......................................................................................................................................................... 101 About User Import....................................................................................................................................... 101 Manage User Import ................................................................................................................................... 101 User accounts..................................................................................................................................................... 104 About user accounts................................................................................................................................... 104 User Account Search Result List......................................................................................................... 104 Add user account .................................................................................................................................... 
104 User Linking .............................................................................................................................................. 105 User Import................................................................................................................................................ 106 WatchGuard authentication ............................................................................................................... 106 Single Sign-On domain settings........................................................................................................ 106 User certificate ......................................................................................................................................... 106 Manage user accounts ............................................................................................................................... 107 General settings....................................................................................................................................... 108 General Settings ...................................................................................................................................... 108 Manage authentication settings ....................................................................................................... 108 Manage SSO settings............................................................................................................................. 114 User certificate ......................................................................................................................................... 115 User groups......................................................................................................................................................... 116 About user groups....................................................................................................................................... 
116 About user location group .................................................................................................................. 116 About user property group ................................................................................................................. 116 About user group in directory service............................................................................................. 116 Manage user groups ................................................................................................................................... 116 Manage user property groups............................................................................................................ 117 Manage user location groups............................................................................................................. 117 User storage........................................................................................................................................................ 118 About user storage...................................................................................................................................... 118 Search rules ............................................................................................................................................... 118 Directory mapping ................................................................................................................................. 118 Manage User Storage ................................................................................................................................. 118 General settings....................................................................................................................................... 118 Manage search rules .............................................................................................................................. 
119 Manage directory mapping................................................................................................................. 121 Chapter 9 Manage Resource Access ...................................................................................................... 123 About resource access .................................................................................................................................... 123
Access rules .... 123
Standard resources .... 123
Global Resource settings .... 124
About global resource settings .... 124
About internal proxy .... 124
About DNS name pool .... 124
About filters .... 125
About link translation .... 125
Manage Global Resource Settings .... 126
Manage global resource settings .... 126
General settings .... 126
Filters .... 127
Link translation .... 128
DNS Names for Access Point .... 129
DNS Name Pool .... 130
Standard resources .... 131
About standard resources .... 131
Manage standard resources .... 131
Common Standard Resource Settings .... 131
Access Rules .... 132
Citrix MetaFrame Presentation Server .... 133
Citrix MetaFrame Server .... 133
Thinlinc Application Server .... 134
Domino Web Access 6.5 .... 135
Terminal Server 2000/Terminal Server 2003 .... 135
Outlook Web Access 2000/Outlook Web Access 2003/Outlook Web Access 5.5 .... 136
Microsoft Outlook Client 2000/2003/2007 .... 137
POP3/SMTP .... 137
IMAP/SMTP .... 138
Windows File Share .... 138
Windows File Share .... 138
Access to Home Directory .... 139
Secure Remote Access to Administrator .... 139
SalesForce .... 140
Web Resources .... 140
About Web Resources .... 140
Manage Web resource hosts .... 141
General settings .... 141
Troubleshooting (FAQ) .... 144
Application Portal Settings .... 145
Access rules .... 145
Advanced settings .... 146
Encryption Level .... 148
Manage web resource paths .... 149
General settings .... 149
Access rules .... 150
Advanced settings .... 151
Tunnel resources .... 153
About tunnel resources .... 153
Manage tunnel resources .... 153
Tunnel resource settings .... 153
Alternative Hosts .... 154
Access rules .... 154
Advanced settings .... 154
Tunnel resource networks .... 156
About tunnel resource networks .... 156
Manage tunnel resource networks .... 156
Tunnel resources network settings .... 156
Access Rules .... 156
Advanced settings .... 157
Tunnel sets .... 159
About tunnel sets .... 159
Manage tunnel sets .... 160
Tunnel set settings .... 160
Application Portal Settings .... 160
Static Tunnel Settings .... 161
Dynamic Tunnel Settings .... 162
Startup settings .... 163
Advanced tunnel settings .... 163
Mapped Drives .... 164
Access Client Loader .... 165
Additional Client Configuration .... 165
Specific Settings .... 166
Provide IP Address .... 167
DNS Forwarding .... 167
Client Firewall .... 167
Access Rules .... 167
Manage global tunnel set settings .... 167
External DHCP Settings .... 167
IP Address Pool .... 168
DNS Server .... 168
Client firewalls .... 169
About client firewalls .... 169
Prevent other network connections to be routed .... 169
Check integrity of connecting application .... 169
Firewall rules based on device .... 171
Manage client firewalls .... 172
Incoming firewall rules .... 172
Outgoing firewall rules .... 173
Customized resources .... 174
About customized resources .... 174
Manage customized resource hosts .... 174
Access rules .... 174
Advanced settings .... 175
Customized Resource Host Settings .... 175
Manage customized resource paths .... 176
Access rules .... 176
Advanced settings .... 177
SSO domains .... 179
About SSO domains .... 179
Access rules .... 179
Domain types .... 180
Manage SSO domains .... 181
SSO Domain Settings .... 181
Domain attributes .... 182
Domain Type Cookie .... 183
Access Rules .... 183
Settings .... 183
Access rules .... 185
About access rules .... 185
Access rule types .... 185
About managing access rules .... 186
Manage access rules .... 187
Manage global access rule .... 187
Manage access rules for resource or SSO domains .... 188
Access rule settings .... 189
Microsoft Windows Client Data .... 191
Settings .... 193
Application portal .... 196
About application portal .... 196
Access Client .... 196
Manage application portal .... 196
Application portal item settings .... 197
Identity Federation .... 199
About Identity Federation .... 199
Assertions .... 199
Preconditions .... 199
Providers .... 200
Manage Identity Federation settings .... 200
Global Identity Federation Settings .... 200
Manage providers .... 201
About Manage System .... 203
Abolishment .... 204
About Abolishment .... 204
Manage abolishment .... 205
General Settings .... 205
Cache Cleaner .... 206
Advanced .... 207
Access Points .... 208
About Access Points .... 208
Manage Access Points .... 210
Access Point settings .... 210
Additional listeners .... 210
Manage Global Access Point settings .... 212
Advanced settings .... 212
Cipher Suites .... 213
Performance .... 214
About load balancing .... 214
Manage load balancing .... 215
Mirrored Access Points .... 215
Settings .... 215
Administrative Service .... 220
About Administrative Service .... 220
Configuration .... 220
Manage Administrative Service .... 221
Administration Service Settings .... 221
Assessment .... 222
About Assessment .... 222
Manage Assessment .... 222
General Settings .... 223
xiv
Advanced Settings.................................................................................................................................. Plug-ins ....................................................................................................................................................... Authentication methods................................................................................................................................ About authentication methods.............................................................................................................. Authentication methods ...................................................................................................................... About WatchGuard SSL Mobile Text................................................................................................ About WatchGuard SSL Web .............................................................................................................. About WatchGuard SSL Challenge ................................................................................................... About WatchGuard SSL Password .................................................................................................... About WatchGuard SSL Synchronized............................................................................................ Additional authentication methods................................................................................................. Manage authentication methods .......................................................................................................... General settings....................................................................................................................................... Authentication method server........................................................................................................... 
RADIUS replies.......................................................................................................................................... Extended properties .............................................................................................................................. Authentication services ............................................................................................................................. About Authentication Service ............................................................................................................ Manage Authentication Services ...................................................................................................... Define RADIUS Authentication .......................................................................................................... Define password/PIN ............................................................................................................................. Email messages........................................................................................................................................ SMS/Screen messages........................................................................................................................... Certificates...................................................................................................................................................... About certificates.................................................................................................................................... Registered Server Certificates............................................................................................................. Registered Client Certificate ............................................................................................................... 
Manage certificates ................................................................................................................................ Certificate Authority settings.............................................................................................................. Server certificate settings..................................................................................................................... Client certificate settings...................................................................................................................... Settings....................................................................................................................................................... Device definitions............................................................................................................................................. About device definitions........................................................................................................................... Manage device definitions ....................................................................................................................... Delegated management................................................................................................................................ About delegated management.............................................................................................................. Manage delegated management .......................................................................................................... Role settings.............................................................................................................................................. Directory services.............................................................................................................................................. 
About directory services............................................................................................................................ Manage directory services........................................................................................................................ General Settings ...................................................................................................................................... Communication Settings ..................................................................................................................... Advanced Settings.................................................................................................................................. Notification settings ........................................................................................................................................ About notification settings....................................................................................................................... Manage notification settings................................................................................................................... Email channel settings .......................................................................................................................... SMS channel settings............................................................................................................................. Variables ..................................................................................................................................................... Policy Services.................................................................................................................................................... About Policy Services ................................................................................................................................. 
Manage Policy Services..............................................................................................................................
225 226 226 226 227 228 228 229 229 229 230 231 231 234 241 242 248 248 249 251 252 257 261 264 264 264 264 264 265 266 266 266 268 268 268 269 269 269 270 272 272 272 272 273 274 275 275 275 275 276 282 282 282 283
User Guide
xv
General settings....................................................................................................................................... XPI: Web services..................................................................................................................................... Manage global Policy Service settings................................................................................................. Communication Settings ..................................................................................................................... RADIUS Configuration..................................................................................................................................... About RADIUS configuration................................................................................................................... Manage RADIUS configuration ............................................................................................................... RADIUS Client Settings.......................................................................................................................... Manage RADIUS Back-End Servers ................................................................................................... Glossary 289 A .............................................................................................................................................................................. Access Rules .............................................................................................................................................. ASCII............................................................................................................................................................. ASN.1 ........................................................................................................................................................... 
Authentication ......................................................................................................................................... Authentication Method ........................................................................................................................ Authentication Server ........................................................................................................................... Authorization............................................................................................................................................ B .............................................................................................................................................................................. BankID ......................................................................................................................................................... Base64 ......................................................................................................................................................... Base DN....................................................................................................................................................... C .............................................................................................................................................................................. CA.................................................................................................................................................................. CA Certificate ............................................................................................................................................ Cipher .......................................................................................................................................................... 
Client Certificate ...................................................................................................................................... CDP............................................................................................................................................................... Client Device............................................................................................................................................. CRC ............................................................................................................................................................... CRL................................................................................................................................................................ CVC ............................................................................................................................................................... D.............................................................................................................................................................................. Delegated Management ...................................................................................................................... DER ............................................................................................................................................................... Device.......................................................................................................................................................... Digital Certificate..................................................................................................................................... Directory Service ..................................................................................................................................... 
Directory Service User Group ............................................................................................................. Display Name............................................................................................................................................ Distribution Channel.............................................................................................................................. DMZ.............................................................................................................................................................. DN ................................................................................................................................................................. DNS............................................................................................................................................................... E............................................................................................................................................................................... Encryption ................................................................................................................................................. F............................................................................................................................................................................... Firewall........................................................................................................................................................ FTP ................................................................................................................................................................ H.............................................................................................................................................................................. 
Host .............................................................................................................................................................. HTTP............................................................................................................................................................. HTTPS ..........................................................................................................................................................
283 284 285 285 286 286 287 287 288 289 289 289 289 289 289 289 290 290 290 290 290 290 290 290 290 290 290 291 291 291 291 291 291 291 291 291 291 292 292 292 292 292 292 292 292 292 292 292 293 293 293 293
xvi
L............................................................................................................................................................................... LDAP ............................................................................................................................................................ Log Levels .................................................................................................................................................. M ............................................................................................................................................................................. MIME ............................................................................................................................................................ N.............................................................................................................................................................................. NTLM............................................................................................................................................................ O.............................................................................................................................................................................. OpenSSL ..................................................................................................................................................... OU................................................................................................................................................................. P .............................................................................................................................................................................. 
PEM............................................................................................................................................................... PIN ................................................................................................................................................................ PKI ................................................................................................................................................................. Port ............................................................................................................................................................... Proxy ............................................................................................................................................................ R .............................................................................................................................................................................. RADIUS........................................................................................................................................................ Resource..................................................................................................................................................... Resource Host........................................................................................................................................... Resource Path........................................................................................................................................... S............................................................................................................................................................................... SAML............................................................................................................................................................ 
Seed ............................................................................................................................................................. Server Certificate ..................................................................................................................................... Shared Secret............................................................................................................................................ SMS............................................................................................................................................................... SMPP ............................................................................................................................................................ SSL ................................................................................................................................................................ SSO ............................................................................................................................................................... SSO Domain .............................................................................................................................................. T............................................................................................................................................................................... TCP................................................................................................................................................................ TLS ................................................................................................................................................................ Tunneling................................................................................................................................................... 
U.............................................................................................................................................................................. UDP .............................................................................................................................................................. URI................................................................................................................................................................. URL ............................................................................................................................................................... User Certificate......................................................................................................................................... User Group................................................................................................................................................. User Location Group .............................................................................................................................. User Property Group .............................................................................................................................. User Storage.............................................................................................................................................. W............................................................................................................................................................................. WAP.............................................................................................................................................................. X .............................................................................................................................................................................. 
X.509 ............................................................................................................................................................
293 293 293 293 293 293 293 294 294 294 294 294 294 294 294 294 294 294 294 294 295 295 295 295 295 295 295 295 295 295 295 296 296 296 296 296 296 296 296 296 296 296 296 296 297 297 297 297
User Guide
xvii
xviii
Introduction
Welcome to the WatchGuard Administrator User Guide, your reference guide to a secure and flexible solution for safe access to all of your internal and external resources and applications. Our aim has been to provide WatchGuard Administrator users with a comprehensive guide to all aspects of WatchGuard Administrator administration. To that end, the WatchGuard Administrator User Guide is structured in About and Manage sections, so that readers can find in-depth information when they need it, whether that is conceptual information to prepare for installation or to gain a deeper understanding of complex topics, or instructions on how to administer specific functionality. The About sections contain overview information on specific functionality in WatchGuard Administrator, presented in the same order as it is structured in WatchGuard Administrator; when you wish to learn more about a specific task from a conceptual point of view, this is where to look. Browse the Manage sections when you are performing a task in WatchGuard Administrator and do not find the information you need in the WatchGuard Administrator Online Help.
Target audience
This User Guide covers all aspects of WatchGuard Administrator and is intended for both administrators and system integrators. For more detailed information on essential reading, please see section Getting Started.
Special Fonts
This publication uses several typographical conventions. All code listings, reserved words, and the names of actual data structures, constants, fields, parameters, and routines are shown in monospaced font (this is monospace). Words that appear in boldface are menu items and/or settings in the WatchGuard Administrator.
Notes
Notes contain information that is interesting but possibly not essential to an understanding of the main text.
References
Referenced documents, such as technical notes, are included with your product and can be located on the product distribution, or if the product is already installed, in the Documentation folder where the product was installed. It is also possible to access the documentation directly from the WatchGuard Administrator Administrator Dashboard.
Get started
The WatchGuard Administrator User Guide covers all areas related to WatchGuard Administrator. Below is an outline of the main parts and what each part covers.
The WatchGuard Administration Service, WatchGuard Administrator Access Point, WatchGuard Administrator Policy Service, and WatchGuard Authentication Service will be referred to as the Administration Service, Access Point, Policy Service, and Authentication Service respectively throughout the manual.
Introduction: The User Guide starts with this introduction, which outlines notation conventions and references and presents a comprehensive road map.
Planning: This chapter deals with preparations that you need to perform before installing WatchGuard Administrator. It also contains recommendations for a successful WatchGuard Administrator deployment.
Installation: This chapter covers the installation and initial setup of your WatchGuard Administrator system. It should be read in detail, as it contains specific instructions on how to install WatchGuard Administrator.
Setup System Wizard: This chapter details all steps necessary to configure and set up your WatchGuard Administrator system. This section is most important and should be read carefully.
Set up an Access Point: This chapter provides basic information on how to set up and configure your WatchGuard SSL device and manage it with the WatchGuard SSL VPN Web Manager.
Administration: This chapter is a general introductory overview of how to navigate in WatchGuard Administrator.
Monitor System: This chapter covers all aspects of the Monitor System section in WatchGuard Administrator.
Manage Accounts and Storage: This chapter covers all aspects of the Manage Accounts and Storage section in WatchGuard Administrator.
Manage Resource Access: This chapter covers all aspects of the Manage Resource Access section in WatchGuard Administrator.
Manage System: This chapter covers all aspects of the Manage System section in WatchGuard Administrator.
Glossary: This chapter presents a comprehensive glossary of terms.
Reading suggestions
Be sure to read the following items.
WatchGuard Administrator Release Notes: Contains important information about the WatchGuard Administrator release. Available on the product distribution.
WatchGuard Administrator Online Help: Contains context-sensitive help and in-depth conceptual information. Available in WatchGuard Administrator.
Customer support
When you register your product, you may be entitled to technical support. Terms may vary depending on the country of residence. For more information, refer to technical support at http://watchguard.com, or contact your local sales representative.
Product Overview
Users today rely on access to applications and information from any location using any device, for maximum business productivity and return on investment. By implementing a security strategy immediately, organizations can ensure that customer trust is kept, profits are not lost, and the brand image is not damaged by malicious attacks. WatchGuard Administrator covers entry-to-exit security by following the six core principles of security, also known as the six As. The six As follow a holistic approach to security to ensure that users and organizations are completely protected using best-of-breed technologies:
Assess: Inspection of the user device (laptops and desktop computers, PDAs, smartphones) to ensure it complies with a corporate security policy.
Authenticate: Verify that users are who they claim to be.
Authorize: Determine which applications users gain access to.
Access: Create a secure encrypted network link between users' devices and the desired application or information.
Audit: Record who accessed which application, when they did so, and what they downloaded.
Abolish: Remove all traces of access to the corporate network on completion of the session.
Assessment
WatchGuard Administrator inspects, or assesses, client devices to ensure compliance with your corporate security policy. Requirements may include assessment of:
Firewall and anti-virus software
Operating systems and patches
Spyware checking
Device type
Network configuration
Non-compliant devices may be refused entry, or be referred to software update sites.
Authentication
Authentication in WatchGuard Administrator is a simple process for the user. All requests flow through a web of specialized servers: the Access Point, the Policy Service, the Authentication Service, and back again. But for the user, the single point of contact is a Web browser when accessing resources. To put it simply, the Access Point verifies the identity of the user by forwarding the user credentials via the Policy Service to the Authentication Service, which in turn compares the information with the credentials stored in the user storage. When the check is completed, a Request Accept is sent to the Access Point, which allows the user to enter.
The Authentication Service supports five authentication methods relying on the RADIUS protocol:
WatchGuard SSL Mobile Text
WatchGuard SSL Web
WatchGuard SSL Challenge
WatchGuard SSL Password
WatchGuard SSL Synchronized
Other RADIUS authentication methods, such as SafeWord and SecurID, are also supported.
One feature in WatchGuard Administrator is the management of Certificate Authorities. It provides, among other things, the opportunity to specify several parameters concerning certificate revocation: Certificate Authority Revocation List and Certificate Revocation List retrieval.
Access control is specified by means of roles that link user groups with resources. A number of authentication methods can be set for each resource, and it is also possible to specify multiple authentication methods for a specific resource. Examples of authentication methods are client certificates, business rules, and RADIUS-compliant methods. All authentication methods can be used in combination.
Authorization
Access rules are defined to allow users access to resources. All resources are associated with at least one access rule, consisting of requirements such as authentication methods, date or time restrictions, or user-group memberships. WatchGuard Administrator also provides access control in conjunction with firewalls and access control in the internal systems. The firewall access control is performed when users interact with the system. This access control is performed on the same level of security as the firewall, which is on both IP and port level. Behind the scenes, a complex chain of events verifies the identity of the user, secures the protection of the resource, and logs all activities surrounding its access. Resources are typically applications, either Web-enabled applications or files accessible from the Web, or client-server applications accessed through tunnels.
Auditing
Auditing in WatchGuard Administrator provides:
Central capture of all access to corporate applications
Real-time and historical reports covering all of the six As, plus system and performance reports
Permanent record of application access
The advanced auditing features in WatchGuard Administrator provide organizations with the tools to meet strict industry, government, and corporate compliance regulations.
Access
Any kind of resource, usually an application, can be accessed through the Application Portal and the Access Client. Resources include Web, Client Server, Terminal Server, and File Server applications. By using the Application Portal the complexity of how access is granted is hidden from the user. The Access Client creates a secure encrypted network tunnel between the user device and the application. You may define possible limitations for user access. WatchGuard Administrator is designed for 24/7 access.
Abolishment
WatchGuard Administrator can remove all traces of access to the corporate network on completion of the session. Browsers are renowned for creating a snail trail of information during an access session, including:
Cookies
URL history
Cached Pages
Registry Entries
Downloadable Components
All these objects can be eradicated.
How Does It Work?
When Abolishment is enabled, secure cleanup of a client computer removes all traces of the user session. For example:
Cleaning of relevant Microsoft Internet Explorer cache entries: all cache information is deleted after the session is ended.
Cleaning of MS Internet Explorer History entries: all contents in the History folder are deleted.
Cleaning of downloaded files: all files created and saved during the session are deleted.
For more information about Abolishment, see the WatchGuard Administrator Online Help and Manage Abolishment.
Technical overview
This illustration outlines a complete installation of WatchGuard Administrator.
WatchGuard Architecture
For more information about the WatchGuard Administrator architecture, see the following topics:
Administrative Service
Access Point
Policy Service
Authentication Service
Administrative Service
From a system administrator's point of view, the WatchGuard Administrator Web user interface is WatchGuard Administrator, but as the illustration above clearly demonstrates, that is not the case. WatchGuard Administrator is a complete network of services, with the Administration Service as the natural connecting point, or hub, and the WatchGuard Administrator as its interface. You publish all updates in the WatchGuard Administrator to the different services, and monitor and manage all user activity in real time. Please refer to the WatchGuard Administrator Online Help for detailed information on how to configure and manage the different services, directory services, and resources.
You can only configure one Administration Service server per WatchGuard network. Regular backups of the configuration file are therefore strongly recommended.
Access Point
As the gatekeeper for all resource and access requests, the Access Point is on constant alert, listening for incoming communication.
All requests are logged, filtered, encrypted, and forwarded to the Policy Service or a resource host depending on the type of request.
It is recommended that you dimension the Access Point accordingly, as it is subject to the heaviest load in the WatchGuard network.
Policy Service
An important part of WatchGuard Administrator is the authentication, authorization, and auditing server: the Policy Service. It provides policy management, authentication, authorization, and log services regardless of service or communication channel.
All authentication methods are configured in the Policy Service, so when a request comes in, the Policy Service evaluates the appropriate access rules and forwards the request to its destination.
Resources
In WatchGuard Administrator, applications, folders and files, and URLs are registered as Web or tunnel resources. Web-enabled applications are registered as Web resources, and client-server applications that are not Web enabled are registered as tunnel resources. You then protect the resources with access rules, authorization settings, and encryption levels to create seamless, secure access control. Users access the resources through the Web-based WatchGuard Administrator Application Portal, the Access Client, or directly in a Web browser using shortcuts. In order for users to be able to access a resource, you need to configure a resource host and specify whether it will be available in the Application Portal or not. A resource host can have one or several paths. There are three different types of resource hosts:
Web Resources
Tunnel Resources (Tunnel Resources are collected into Tunnel Sets, where each tunnel in the set points to a tunnel resource)
Customized Resources
Standard Resources
We have collected several of the most frequently used resources as Standard Resources. The purpose of this is to minimize your configuration time. The standard resources are:
Outlook Web Access 2003
Outlook Web Access 2000
Domino Web Access 6.5
Citrix MetaFrame Presentation Server
Terminal Server 2003
Terminal Server 2000
MS Outlook Client 2000/2003
File Sharing
Access to Home Directory
You can edit the standard resource settings just as easily as any other type of resource. Please refer to the WatchGuard Administrator Online Help and the Manage Standard Resources section in the Manage Resource Access chapter.
Access Rules
WatchGuard Administrator authorization makes the access decisions using access rules. These rules rely on:
who wants access
what resource or service is requested
what communication channel (or device) is used
which authentication methods are most suitable
Access rules protect resources by allowing or denying access, and specify the requirements for a particular user, resource group, or communication channel. Additionally, business-related conditions can be customized for services. For example, only customers who are allowed credit are able to use the ordering function. Access Control Lists (ACLs) stored in existing systems such as mainframes and databases can be reused by WatchGuard Administrator. An ACL is a list of security protections that apply to an entire object, a set of the object's properties, or an individual property of an object. In Microsoft Active Directory, for example, there are two types of ACLs: discretionary and system. Please refer to the WatchGuard Administrator Online Help and the Manage Access Rules section in the Manage Resource Access chapter for detailed information on how to add and use Access Rules.
Single Sign On
Single Sign-On (SSO) permits users to enter their credentials once, which then gives them access to several resources without the need to re-authenticate when accessing each resource. All resources using the same user credentials can be defined in an SSO domain. When user credentials are modified, the changes apply to all resources in the SSO domain. When using the system for the first time, users are prompted for SSO credentials (user ID and password). The SSO credentials are stored per user account and retrieved whenever the user accesses resources registered in an SSO domain. If credentials are changed, the user is prompted for authentication. SSO domains are divided into two domain types:
Cookie
Text
Depending on which type you choose, different domain attributes can be associated with the SSO domain. Both types can be protected by access rules. To use form-based logon for an SSO domain, you need to design a Web form for access to each resource in the SSO domain.
Cookie-based Authentication
Cookie-based authentication is used to send authentication information in HTTP headers. A common use of cookie SSO is when back-end applications only want to read the authentication information at the very first request.
Text-based Authentication
Text-based authentication is used to send authentication information as text, with different attributes defining the information needed. When adding all domain attributes for the domain type text (user name, password, and domain), the Microsoft authentication method NTLM is used. When the attributes user name and password are added, the Basic authentication method is used. It is the most commonly used authentication method for Web environments.
Authentication Service
The Authentication Service provides mobile users with strong authentication methods that can be used regardless of device and location. The Authentication Service can act as a RADIUS proxy, that is, proxy the authentication request to another RADIUS server.
WatchGuard Authentication
WatchGuard authentication refers to the Authentication Service using the WatchGuard authentication methods Mobile Text, Web, Challenge, Password, and Synchronized. All methods can be used on your laptop or desktop computer. When using the Synchronized or Challenge methods, users install Mobile ID client applications on the device being used. When using the Web authentication method, the client is either an ActiveX component or a Java applet. All supported authentication methods are described in the chapter Manage System, in the Manage Authentication Methods section. To choose the authentication method, you need to consider your users' needs: mobility, device flexibility, and level of security. Refer to each authentication method for more detailed information. All WatchGuard authentication methods can be used in combination or singly to access any type of resource. Please refer to the WatchGuard Administrator Online Help and the Manage Authentication Methods section in the Manage System chapter for detailed information on how to configure and use the different authentication methods.
Planning
In this section, a few general security recommendations that should be considered are presented. The sections covered include:
Define deployment goals
Security planning
Securing your operating system (this section contains specific recommendations for environments using Windows 2000)
User management strategy
Resource access
Security Audit/Planning
You need to make decisions about your security architecture. This involves creating accounts in the operating system (or with other authentication providers), organizing your users into groups, and planning for access control. These are the phases in the security planning process:
Define your security goals
Make some preliminary decisions about your security architecture
Determine which users need which permissions to which resources, and develop a strategy for creating access rules
A PKI consists of the following basic components:
Digital certificates: electronic credentials, consisting of public keys, which are used to sign and encrypt data. Digital certificates provide the foundation of a PKI.
One or more certification authorities (CAs): trusted entities or services that issue digital certificates. When multiple CAs are used, they are typically arranged in a carefully prescribed order and perform specialized tasks, such as issuing certificates to subordinate CAs or issuing certificates to users.
Certificate policy and practice statements: two documents that outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on.
Certificate repositories: a directory service or other location where certificates are stored and published. In a Windows Server 2003 domain environment, the Active Directory service is the most likely publication point for certificates issued by Windows Server 2003-based CAs.
Certificate Revocation Lists (CRL): lists of certificates that have been revoked before reaching the scheduled expiration date.
File auditing
Auditing is not enabled by default, but is set on a per-system basis. Each Windows 2000 system includes auditing, with logs collecting information on application, system, and security events:
User Account auditing
File System auditing
System Registry auditing
Auditing can consume large amounts of processor time and disk space. It is highly recommended to check, save, and clear audit logs daily or weekly to reduce the chances of system degradation, or to save audit logs to a separate machine.
File Auditing
Auditing specific directories or files can prove useful in identifying a system compromise or unauthorized use of resources.
Password management
There are no default passwords or pre-configured encryption keys in WatchGuard Administrator. All encryption keys and passwords are set or generated by the system administrator at installation. WatchGuard Administrator does not store passwords or encryption keys in unprotected configuration files, LDAP directories, or other system storage. It is not recommended that encryption keys be set by manual configuration. Encryption keys not derived from a password are automatically generated by the system. A minimum key length of 128 random bits is used for stream and block ciphers. For RSA, a minimum of 1024 bits is used. Block ciphers use cipher-block chaining to avoid cut-and-paste attacks. Encryption keys that are not automatically generated use a secure encryption key generation function to derive the key from a password. System administrators are advised to implement a password policy:
Password dictionary with banned passwords
Password history, saving already used passwords
Password validity time (not before, not after)
Password minimum length
Constraints on characters (for example, must contain a capital letter and a number)
Resource access
An authorization strategy enables you to effectively manage users' access to different resources.
Access strategies
The first part of this process is identifying your users by workgroup, job function, or a combination of workgroup and job function. You can then identify the different types of resources that users access, such as departmental or job-specific data. You should consider policies that determine who is allowed to create user groups, how they are named, and how they are administered. In WatchGuard Administrator, the basic strategy for controlling access to resources is to create access rules. Based on the decisions you make regarding how to identify different users and resources, access rules are created to support these decisions.
Access Rules protect resources by combining requirements such as user group memberships or date and time ranges, and authentication methods such as WatchGuard SSL Web or Challenge.
Using Groups
Example: All users in the HR department might need access to privileged personnel records. To protect these, group every member of the HR department into a user group that is authorized to access those files and create access rules of the type User Group. The rule of thumb is to assign permissions to groups, rather than to individual accounts.
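The following is an added example, not WatchGuard code, that models the access-rule ingredients this section and the Access Rules section describe (user group membership, date and time ranges, required authentication methods) and evaluates them for the HR personnel-records case above. The class and function names are constructed for the example; treating several rules on one resource as alternatives, with deny as the default, is also this example's assumption.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AccessRule:
    """One rule attached to a resource. Every requirement that is set must hold;
    an empty set or None means "no restriction" for that requirement."""
    name: str
    groups: FrozenSet[str] = frozenset()        # user must be in at least one
    auth_methods: FrozenSet[str] = frozenset()  # session must use one of these
    valid_from: Optional[datetime] = None       # date restriction (inclusive)
    valid_to: Optional[datetime] = None
    hours: Optional[Tuple[time, time]] = None   # time-of-day restriction


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]   # memberships looked up in the user storage
    auth_method: str         # method the session authenticated with
    when: datetime           # time of the request


def failed_requirements(rule: AccessRule, req: Request) -> List[str]:
    """Names of the requirements the request does not meet
    (an empty list means the rule is satisfied)."""
    failed = []
    if rule.groups and not (rule.groups & req.groups):
        failed.append("user group")
    if rule.auth_methods and req.auth_method not in rule.auth_methods:
        failed.append("authentication method")
    if rule.valid_from is not None and req.when < rule.valid_from:
        failed.append("not yet valid")
    if rule.valid_to is not None and req.when > rule.valid_to:
        failed.append("expired")
    if rule.hours is not None:
        start, end = rule.hours
        if not (start <= req.when.time() <= end):
            failed.append("outside allowed hours")
    return failed


def authorize(rules: List[AccessRule], req: Request) -> Tuple[bool, str]:
    """Default deny: access is granted only if some rule is fully satisfied.
    The second value is an audit line, because every decision should be logged."""
    for rule in rules:
        if not failed_requirements(rule, req):
            return True, "ALLOW user=%s rule=%s method=%s" % (
                req.user, rule.name, req.auth_method)
    return False, "DENY user=%s method=%s" % (req.user, req.auth_method)


# Constructed sample: the HR personnel-records resource from the guide's example.
HR_RECORDS_RULES = [
    AccessRule(
        name="HR records, office hours",
        groups=frozenset({"HR"}),
        auth_methods=frozenset({"WatchGuard SSL Web", "WatchGuard SSL Challenge"}),
        hours=(time(8, 0), time(18, 0)),
    ),
]


def demo() -> List[bool]:
    """Four constructed requests; returns their allow/deny decisions."""
    at_ten = datetime(2008, 8, 27, 10, 0)
    at_night = datetime(2008, 8, 27, 23, 30)
    requests = [
        Request("alice", frozenset({"HR", "Staff"}), "WatchGuard SSL Web", at_ten),       # allowed
        Request("alice", frozenset({"HR", "Staff"}), "WatchGuard SSL Password", at_ten),  # wrong method
        Request("bob", frozenset({"Sales"}), "WatchGuard SSL Web", at_ten),              # not in HR
        Request("alice", frozenset({"HR"}), "WatchGuard SSL Challenge", at_night),        # outside hours
    ]
    decisions = []
    for req in requests:
        allowed, audit = authorize(HR_RECORDS_RULES, req)
        print(audit)
        decisions.append(allowed)
    return decisions


if __name__ == "__main__":
    demo()
```

Because the rule lists every requirement explicitly and the evaluator returns the ones that failed, a denied request can be logged with its reason, which is what the Audit principle above needs.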
Naming Conventions
Without a naming convention, the potential for simple mistakes when adding or removing user accounts and selecting the correct group increases. The consequences of granting access to the wrong group can be serious, causing members to have access to restricted resources or to be denied access to resources that are necessary for job tasks. When establishing a security group naming convention for your organization, ensure that names:
Differentiate each group from similar groups
Allow group names to be sorted alphabetically into organized lists
Ensure that the existing network has the necessary power supplies, switches, and other network components
Perform time synchronization
WatchGuard Network
This section describes the recommended WatchGuard network layout and provides a summary of default ports used in the network.
Network Layout
An example of a WatchGuard network layout is illustrated below.
It is recommended that the WatchGuard Access Point device connect to the DMZ. It interacts with the Policy Service to validate queries and authorize access. The Access Point does not communicate directly with the Authentication Service. The Policy Service and the Authentication Service are placed on the internal LAN. A directory service (the user storage) is used for authorization and authentication purposes. For more information about network configuration, see Configure your WatchGuard SSL device.
The table below describes default listening ports used for traffic to and from the services in the WatchGuard network.
All registered services must be able to communicate with the Administration Service.
Default ports (the column layout of the original table was partly lost; the port values for the Access Point rows and the assignment of the comments to rows are not present in this copy)

From                                      To                        Port
Access Point                              Any internal application
Access Point                              Administration Service
Access Point                              LDAP Server
Access Point                              LDAP Server
Access Point                              Policy Service
Policy Service / External RADIUS client   Authentication Service    UDP 18120
Policy Service / External RADIUS client   Authentication Service    UDP 18121
Policy Service / External RADIUS client   Authentication Service    UDP 18122
Policy Service / External RADIUS client   Authentication Service    UDP 18123
Policy Service / External RADIUS client   Authentication Service    UDP 18124
Policy Service                            Administration Service    TCP 8300
                                          LDAP Server               N/A
                                          LDAP Server               N/A

Protocol and Comment entries from the same table: Internal communication for load balancing between Authentication Services; Internal communication between the Authentication Service and the Administration Service; LDAP communication; LDAPS communication (optional); HTTPS for administration; RADIUS communication for accounting.
Remaining entries whose row could not be placed: Access Point, N/A; N/A; TCP 8300.
After you have registered your User Pack, you can use the same license file for all of your WatchGuard SSL devices.
Installation
This chapter provides detailed information regarding the installation of WatchGuard Administrator. It covers the entire installation process, from preparation to installation on a Windows platform. Before you install and use WatchGuard Administrator, be sure to set up your directory service and network security, and complete any other technical preparations. The following areas are described in detail below:
Overview
Preparation
Install on Windows
Upgrade WatchGuard Administrator Services and Clients
Revert an Upgrade
Start and Stop WatchGuard Administrator Services
Uninstall WatchGuard Administrator
A default installation of WatchGuard Administrator includes the following services:
Administration Service
Access Point
Policy Service
Authentication Service
Preparation
The preparations we recommend that you make before installing WatchGuard Administrator are described below. Follow these recommendations to avoid installation problems.
License: Ensure that you have a valid WatchGuard Administrator license at hand. The license is uploaded in the WatchGuard Administrator in the first step of the Setup System wizard.
IP Addresses: Ensure that you have the IP addresses of the machines on which you install the different services at hand.
Ports: Ensure that the ports used in the WatchGuard Network are available (refer to the Default Ports section for details).
Time Synchronization: It is recommended that you perform time synchronization between the different services, to avoid any future problems in WatchGuard Administrator caused by differing time stamps.
Antivirus Programs: Some antivirus programs may display warnings during installation of the WatchGuard Administrator services. For example, this can occur due to parameters being replaced in a file installed by the installation program. The antivirus program may interpret this activity as usage of a malicious script. If this occurs, allow the script or temporarily disable the antivirus program.
Software Installers: Make sure you have the most recent versions of all the necessary installers. Go to https://www.watchguard.com/archive/softwarecenter.asp to download the most current versions of the WatchGuard software installers.
Register with LiveSecurity: Register your user pack with LiveSecurity before you begin installation.
Install on Windows
If you are installing on Windows 2000, it is recommended that the Services window (Control Panel > Administrative Tools > Services) is closed during installation to avoid possible disruption.
WatchGuard Administrator installation on Microsoft Windows 2000/2003 Server includes the following procedures:
Install Administration Service
Run Setup System wizard
Install Access Point
Install Policy Service
Install Authentication Service
Install Distribution Service
Start the services
WatchGuard Administrator client installation includes the following procedures:
Install WatchGuard Mobile ID
Install Access Client
All installation log files are placed in the %APPDATA% folder. %APPDATA% is usually located in the Application Data folder in your home directory.
A wizard in the Web based administration interface allows you to perform a basic configuration of the system. The Setup System wizard must be completed before remaining WatchGuard Administrator services can be used.
The WatchGuard Administration Service must be started to run the Setup System wizard.
If you install all services on a single machine, you must not use port 8080 or 8443 for the Access Point since they are used by default for the WatchGuard Administrator. The host to be used for the external traffic to the Access Point must be specified as a DNS name in the license. The DNS included in the license is set when you register with LiveSecurity. When defining the directory service, select a clean location (a location without LDAP objects) in the directory service to store user accounts.
Upgrade overview
When you upgrade from a previous release, the installers automatically detect that an upgrade rather than an installation is required, and perform it. These are the steps performed by the installers during an upgrade:
Backup of configuration files
Previous version is uninstalled
New version is installed
Restore of configuration files
Upgrade script is run (Administration Service only)
To upgrade your WatchGuard Administrator installation, see the Release Notes available with your software download.
If you leave the Setup System wizard before finishing it, the information you have entered is saved in the system. This enables you to quit Setup System and resume setup at a later stage, if necessary, without the need to re-enter information.
WatchGuard Administrator
At this point, the WatchGuard Administrator only consists of the Setup System wizard. When you access it from the Administration Service dashboard, the start page of the Setup System wizard is displayed. There you upload your license file to start the wizard.
License File
Label                Mandatory  Description
Upload License File  No         Name of your license file for upload
Uploaded             No         Name of previously uploaded license file
Other or Customized Directory Service
If the selected directory service type is Other or Customized, additional settings to those listed above are available. These settings are pre-configured for the individual directory services, but need to be specified when the system is unaware of which directory service you use. The additional advanced settings are:
Object class name: the name of the object class used to store objects in storage, for example: organizationUnit.
Naming attribute: the relative name of the common object class. Holds the object ID that is automatically generated by the system.
Storing attributes: used to store storage object attributes (property data smaller than 1024 bytes), for example: searchGuide for Active Directory.
Unique naming attributes: used to store the unique storage object name (or unique ID), for example: l (for location).
Super Administrator Password Policy
When specifying the super administrator password in the Setup System wizard, you need to comply with a password policy that is enabled in the system by default. You can disable the policy or change the password in the WatchGuard Administrator after the Setup System wizard is completed. This is done in the Monitor System section using the Settings link at the bottom of the Monitor System page. The super administrator policy dictates that passwords must meet certain requirements. When enabled, the policy requires passwords to meet the following characteristics:
The password consists of at least six characters
The password contains characters from at least three of the four following categories:
o English uppercase characters (from A through Z)
o English lowercase characters (from a through z)
o Base 10 digits (from 0 through 9)
o Non-alphanumeric characters (for example: !, $, #, or %)
Browsing for Location DN
When specifying a location in the directory service to store WatchGuard Administrator user account data, you can enter the full DN directly.
You may also browse to select an existing (previously created) location or parent location in your directory service structure to retrieve a full or partial DN. If you choose to browse for the location DN, you first need to enter an account and password to access the directory service. You can enter part of the distinguished name before you browse or leave the field empty. If you have entered part of the DN, it is displayed in the browse window. If you have not entered a DN, the browse window displays the root DN of the directory service. You can also select root DN in a drop-down list. The DN is displayed with a + sign. If you click the + sign, you can navigate to the appropriate location in the directory service. When a location DN is selected the DN is automatically retrieved to the Configure Directory Service page.
If you have not previously created a dedicated organizational unit for the purpose of storing WatchGuard Administrator user data, it is possible to create a new OU by specifying the DN of a non-existing OU. The OU will be created when you click Next in the wizard.
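The following is an added example, not WatchGuard code, that checks a candidate password against the policy elements this guide recommends in the Password management section (banned-password dictionary, history of already used passwords, minimum length, character constraints) and against the super administrator rule above (at least six characters from at least three of the four categories). Storing the history as salted PBKDF2 hashes rather than plaintext is this example's own design choice, and the class and function names are constructed here.

```python
import hashlib
import hmac
import os
import string
from typing import List, Set, Tuple

# The four categories named by the super administrator password policy.
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "non-alphanumeric": set(string.punctuation),
}


def categories_used(password: str) -> int:
    """Number of the four categories that appear at least once."""
    return sum(1 for chars in CATEGORIES.values() if any(c in chars for c in password))


def history_hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash, so a leaked history file does not reveal old passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Remembers the last `size` passwords as (salt, hash) pairs."""

    def __init__(self, size: int = 5) -> None:
        self.size = size
        self._entries: List[Tuple[bytes, bytes]] = []

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(history_hash(password, salt), digest)
                   for salt, digest in self._entries)

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, history_hash(password, salt)))
        del self._entries[:-self.size]   # keep only the newest `size` entries


def check_password(password: str, banned: Set[str], history: PasswordHistory,
                   min_length: int = 8, min_categories: int = 3) -> List[str]:
    """Return the policy violations; an empty list means the password is accepted.
    Use min_length=6 to reproduce the super administrator policy."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if categories_used(password) < min_categories:
        problems.append("uses fewer than %d character categories" % min_categories)
    if password.lower() in banned:
        problems.append("in banned-password dictionary")
    if history.contains(password):
        problems.append("previously used")
    return problems


# Constructed banned-word dictionary (a real one is much larger).
BANNED = {"password", "watchguard", "welcome1"}

CANDIDATES = ["Old-Secret9", "abc123", "Password", "Tr0ub4dor&3"]


def demo() -> List[List[str]]:
    """Check four constructed candidates against the super administrator policy."""
    history = PasswordHistory(size=3)
    history.remember("Old-Secret9")          # a previously used password
    return [check_password(p, BANNED, history, min_length=6) for p in CANDIDATES]


if __name__ == "__main__":
    for candidate, problems in zip(CANDIDATES, demo()):
        print("%-12s %s" % (candidate, "accepted" if not problems else "; ".join(problems)))
```

The checker reports every violated requirement rather than stopping at the first, so the user (or the administrator reviewing a rejected password) sees the whole list at once; the validity-time requirement from the policy list is an expiry date on the stored account rather than a property of the candidate string, so it is not part of this check.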
The host to be used for the external traffic to the Access Point must be specified as a DNS name in the license. The DNS included in the license is set when you register with LiveSecurity.
LDAP Settings
Label             Mandatory  Description
Display Name      Yes        Unique name used in the system to identify the authentication method.
Administrator DN  Yes        User ID to access the Active Directory.
User Password     Yes        User password to the Active Directory.
The LDAP server used is the directory service specified in the previous step of the wizard.
Default values are retrieved from the General Settings for Directory Service page in the Setup system wizard.
NTLM Settings
Label        Mandatory  Description
Path         Yes        Address to the logon page. The format is: /%DIR%/pagename.html
NTLM Domain  Yes        Windows domain name.
Use SSL      Yes        Not selected by default.
The settings for the user storage include:
Display name for the user storage location
User search rules: user root DN (see Browsing for Root DN), object class name/class category, attribute name, search scope. See Search Rules for details.
User group search rules: user group root DN (see Browsing for Root DN), object class name/class category, attribute name, member attribute name, and search scope. See Search Rules for details.
Test connection: link to check that a connection to the user storage can be established. The nodes in the search rules are checked.
Search rules
Search rules are designed to enable WatchGuard Administrator to locate your users and user groups in the directory service. The search rules you define depend on the directory structure of your organization and on which user objects you require. Search rules are created by combining the following settings:
User Root DN: the distinguished name of the search root from where the system will start to search for objects. If you want to use a specific sub-tree in your directory service, you can specify the sub-tree as the search root. Example:
ou=people,dc=thesecurecompany,dc=com
Object Category/Object Class Name: the object category (Active Directory) or object class name (other directory services) that users belong to. Examples are user in Active Directory, and inetorgperson, the most common object class name. Refer to your directory service documentation for additional information.
Attribute Name: the attribute name to be used when searching for users. The values differ depending on the directory service used: Active Directory uses samaccountname, other directory services use uid. Refer to your directory service documentation for additional information. Example:
cn
Set to samaccountname when using Active Directory.
Member Attribute Name: the member attribute name to use when searching for user groups. Example:
member
Search Scope: use the search scope when searching for users. Available options are:
o Object Level, which only searches for objects located on the base level.
o One Level, which only searches for objects located directly below the base, not including the base.
o Sub-tree level, which only searches for objects located below the base, not including the base.
After the Setup System wizard is completed, you can also apply additional filters to the search rules, for example to specify that only users belonging to a certain group are accepted when creating user accounts, or that only users from a specific domain are accepted.
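The following is an added example, not WatchGuard code, showing how the search-rule settings above (User Root DN, object class, attribute name, member attribute name, search scope) turn into an LDAP search, and why the user ID typed at logon must be escaped (RFC 4515) before it is placed in the filter. The in-memory directory, the DN helpers and the function names are constructed for the example; a real deployment sends the generated filter to the directory server. The scope constants follow the guide's names, but the sub-tree scope here includes the base entry itself, as LDAP wholeSubtree does (RFC 4511); since user objects never live at the root OU this does not change the result of a user search.

```python
from typing import Dict, List

# Scope names follow the guide; SUBTREE includes the base entry (RFC 4511).
OBJECT_LEVEL, ONE_LEVEL, SUBTREE = "object", "onelevel", "subtree"

# Constructed sample directory: DN -> attributes, values kept lowercase.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "ou=people,dc=thesecurecompany,dc=com":
        {"objectclass": ["organizationalunit"]},
    "uid=alice,ou=people,dc=thesecurecompany,dc=com":
        {"objectclass": ["inetorgperson"], "uid": ["alice"]},
    "uid=bob,ou=hr,ou=people,dc=thesecurecompany,dc=com":
        {"objectclass": ["inetorgperson"], "uid": ["bob"]},
    "cn=hr,ou=groups,dc=thesecurecompany,dc=com":
        {"objectclass": ["groupofnames"],
         "member": ["uid=bob,ou=hr,ou=people,dc=thesecurecompany,dc=com"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP filter. The user ID
    typed at logon must pass through this so that wildcard and parenthesis
    characters are matched literally instead of changing the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_filter(object_class: str, attribute: str, user_id: str) -> str:
    """The filter a user search rule produces for one logon attempt."""
    return "(&(objectclass=%s)(%s=%s))" % (
        object_class, attribute, escape_filter_value(user_id))


def dn_components(dn: str) -> List[str]:
    """Split a DN into RDNs (simplified: the sample has no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn: str, root_dn: str, scope: str) -> bool:
    """Is entry_dn reachable from root_dn under the given search scope?"""
    entry, root = dn_components(entry_dn), dn_components(root_dn)
    if len(entry) < len(root) or entry[len(entry) - len(root):] != root:
        return False
    depth = len(entry) - len(root)  # 0 is the root entry itself
    if scope == OBJECT_LEVEL:
        return depth == 0
    if scope == ONE_LEVEL:
        return depth == 1
    if scope == SUBTREE:
        return True
    raise ValueError("unknown scope: %s" % scope)


def search_users(root_dn: str, scope: str, object_class: str,
                 attribute: str, user_id: str) -> List[str]:
    """Evaluate the user search rule against DIRECTORY; returns matching DNs."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if (in_scope(dn, root_dn, scope)
                and object_class.lower() in attrs.get("objectclass", [])
                and user_id.lower() in attrs.get(attribute.lower(), [])):
            hits.append(dn)
    return hits


def groups_of(user_dn: str, group_root_dn: str,
              member_attribute: str = "member") -> List[str]:
    """Evaluate the group search rule: groups below group_root_dn whose
    member attribute lists the user's DN."""
    wanted = user_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, group_root_dn, SUBTREE)
            and wanted in [m.lower() for m in attrs.get(member_attribute.lower(), [])]]


if __name__ == "__main__":
    root = "ou=people,dc=thesecurecompany,dc=com"
    print(user_filter("inetOrgPerson", "uid", "*"))                       # wildcard is escaped
    print(search_users(root, ONE_LEVEL, "inetOrgPerson", "uid", "bob"))   # [] : bob is two levels down
    print(search_users(root, SUBTREE, "inetOrgPerson", "uid", "bob"))
    print(groups_of(search_users(root, SUBTREE, "inetOrgPerson", "uid", "bob")[0],
                    "ou=groups,dc=thesecurecompany,dc=com"))
```

The One Level versus Sub-tree difference is the usual reason a user "cannot be found" after setup: bob sits in a nested OU, so a one-level rule rooted at ou=people misses him while a sub-tree rule finds him.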
General Settings
Label         Mandatory  Description
Display Name  Yes        Unique name used in the system to identify the user storage location.
You can set up one WatchGuard SSL Access Point, or multiple Access Points, to enable your users to connect through a secure tunnel to your network. After you Configure an Access Point in WatchGuard Administrator, you add the WatchGuard SSL Access Point device to your system, and then configure your device to allow users access to your network. Before you set up your Access Point, make sure you have the following:

- The latest WatchGuard SSL device software.
- Your selected domain name as registered with LiveSecurity.
- The location of your license file.
After you have selected an architecture method, you can proceed and Configure your WatchGuard SSL device.
3. If there is an update to your WatchGuard SSL device software, select Administration > Update and browse to the location where you saved the new software.
4. Connect your WatchGuard SSL device following either a One Interface Architecture or a Two Interface Architecture method. For more information about architecture methods, see Select an Architecture Method.
   To use a One Interface method:
   a. Select Network > External, and add the IP address you assigned to the Access Point in the WatchGuard Administrator Setup System wizard.
   b. Add the IP address of the default gateway for the Access Point.
   c. Add DNS server information for the WatchGuard SSL device.
   d. Click Submit.
   To use a Two Interface method:
   a. Select Network > External, and add the IP address you assigned to the Access Point in the WatchGuard Administrator Setup System wizard.
   b. Add the IP address of the default gateway for the Access Point.
   c. Select Network > Trusted, and add the IP address for the Eth1 port.
   d. Select Network > Routes, and add a static route for each network you want the WatchGuard SSL device to reach through the trusted interface.
   e. Click Submit.
   f. Reconnect to your WatchGuard SSL device with the new trusted IP address you assigned.
5. Select Network > Admin Service, and add the IP address of your Administration Service computer. The WatchGuard SSL device is now connected to WatchGuard Administrator.
Set the Date and Time Zone for your WatchGuard SSL device
You can select the date and time zone for your WatchGuard SSL device. The date and time zone information appears in all reports on the device and in communication with the WatchGuard Administrator. We recommend you set the date and time zone to match those set on the computer where you installed WatchGuard Administrator, so that the date and time in your device log files match those of the Policy Service and Authentication Service log files.
1. Select Administration > System Time.
2. Use the Time Zone drop-down list to set your time zone.
3. Type the current hour, minute, and seconds in the Time fields and select AM or PM from the drop-down list.
4. Select the month and year from the Date drop-down lists, and click a date on the calendar to set the day.
5. Click Submit.
You can use the WatchGuard SSL Web Manager to change the password for your WatchGuard SSL device.
1. Select Administration > Change Password. The Change Password page appears.
2. Type and confirm your new password.
3. Click Submit.
View Logs
You can view the log files available on your SSL device from the WatchGuard SSL VPN Web Manager.
1. Select Administration > Log Viewer. The Log Viewer page appears.
2. To view the available log files, click View Logs.
3. Select a link for the log file you want to view. The log file opens within the Log Viewer page.
4. To view another log, click the Back button on your browser, or repeat steps 1-3.
Clean Logs
You can also use Log Viewer to remove log files from the WatchGuard SSL device. After log files are removed from the device, they cannot be sent to WatchGuard Administrator, so be sure to only remove log files when they are no longer necessary.
1. Select Administration > Log Viewer. The Log Viewer page appears.
2. To clean up log files, click Clean Logs. All log files are removed from the WatchGuard SSL device.
1. Go to https://www.watchguard.com/archive/softwarecenter.asp.
2. Select SSL_2.x.zip.
3. Open the SSL_2.x.zip file and extract the update file to a location where you can access it later.
4. Select Administration > Update and browse to the location where you saved the new software.
5. Click Update. The new file is uploaded to the WatchGuard SSL device and your device is updated.
Administration
Top menu
Use the Publish button to distribute changes in the configuration to the entire WatchGuard Network. When updates in the WatchGuard Administrator services are ready for publishing, the Publish button is highlighted. This includes added or edited resources, access rules, services and so on.
You do not need to publish updated user settings.
Use the Restore button to revert to a previous configuration. The last ten configurations are displayed, sorted by date. You can select any configuration but once restored, you cannot revert the process.
Use the Browse button to browse the centrally stored files. In the Browse dialog, the schema, templates, and applets stored in the Administration Service are displayed. A browser allows you to create directories, and create, move, and copy files in the WatchGuard Administrator directory structure.

Use the Help button to access help topics by using a table of contents, or to search the entire WatchGuard Administrator Online Help. Each page in the WatchGuard Administrator has a corresponding help page. The following tabs are available in the online Help:
- Glossary: browse terms used in WatchGuard Administrator.
- Search: find specific topics, the help pages for specific Administrator pages, or terms in their context.
- Index: search for key concepts in WatchGuard Administrator.
Online Help
You can access the information in the WatchGuard Administrator Online Help in different ways. If you click the question mark in WatchGuard Administrator, you access context-sensitive information concerning that specific page. There, you can choose to expand the Help window to use the Table of Contents and tabs. If you click the Help button in the top menu of the Administrator, you access the start page of the WatchGuard Administrator Online Help, with the Table of Contents and help tabs already visible. Below are brief descriptions of the contents of the different sections in the Table of Contents in the WatchGuard Administrator Online Help.

Getting Started
The Getting Started section of the WatchGuard Administrator Online Help contains instructions for how to complete a basic setup and an initial configuration of WatchGuard Administrator. The section also contains instructions for getting started with different features in WatchGuard Administrator.

WatchGuard Administrator
This section of the WatchGuard Administrator Online Help contains help topics describing the contents of the WatchGuard Administrator, and describing how to navigate in WatchGuard Administrator. The main part of this section consists of help topics connected to all the WatchGuard Administrator pages. Here, you will find conceptual information as well as detailed parameter information.

How To
The How To section of the WatchGuard Administrator Online Help contains help pages with detailed instructions for various tasks performed in WatchGuard Administrator. The subjects cover common tasks as well as configuration that can be a bit tricky to achieve. The instructions are sorted in alphabetical order.

Navigate in WatchGuard Administrator
Here, you will find brief descriptions of the WatchGuard Administrator main menu and left-hand menu items.
Monitor system
Use the Settings link to enable/disable Event Monitoring and to edit the Super Administrator logon credentials. In Status Overview, current user, resource, and system information is displayed. Event Overview lists events that have occurred since the last logon.

System Status
System Status contains status information presented on four tabs: General Status, Access Points, Policy Services, and Authentication Services.

User Sessions
Search for sessions using all or specific authentication methods to view or delete current user sessions.

Log Viewer
Search for specific log events or download a diagnostics .zip file containing all logs and configuration files for all servers.

Logging
Manage settings for logging of all or specific servers in the WatchGuard Network. You can set the log collection interval, debug mode, and which time zone to use for time stamps.

License
View the contents of the current license.

Alerts
Create alerts used to notify administrators of different types of events.

Reports
Generate reports containing statistics and run-time information on access, authentication, authorization, accounts, and system.
Manage system
The main Manage System page does not contain any functionality. It describes what you can do in the Manage System section of the system: add, edit, and delete services, certificates, authentication methods, RADIUS back-end servers and clients, as well as configure directory service settings. It is also possible to enter global settings which apply to all Access Points, Policy Services, and Authentication Services, and general settings for notifications and SMS distribution.

Authentication Methods
Add authentication methods using the Add Authentication Method wizard. To edit settings for extended properties and/or RADIUS replies for a specific authentication method, select the authentication method in the list.

Certificates
Add Certificate Authorities and Server Certificates using the applicable wizard. To edit settings for a specific CA and/or server certificate, select the item in the appropriate list.

Abolishment
Define actions performed on a client computer when using an abolishment access rule. Actions include the monitoring of downloaded files and the deletion of Internet browser history and browser cache.

Assessment
Define user client computer assessment activities. Activities include: client scan, setup of reference machines, and use of plug-ins in assessment access rules.

RADIUS Configuration
Add RADIUS clients using the Add RADIUS Client wizard. To edit settings for a specific RADIUS client, select the client in the list. Click the Manage RADIUS Back-end Servers link to add and edit RADIUS back-end servers. These RADIUS clients and back-end servers are used by the Authentication Service.

Notification Settings
Manage settings for notification message channels: SMS, email, and/or email/Screen. The notification channel settings are also used for alerts.

Device Definitions
Manage definitions of how HTTP headers in requests are interpreted to identify devices by the Access Point. Add definitions using the Add Device Definition wizard. To edit the definition of a specific device, select the device in the list.

Delegated Management
Manage administrative roles with different privileges and responsibilities.

Access Points
Add Access Points using the Add Access Point wizard. To edit settings for a specific Access Point, select the Access Point in the list. Click the Manage Global Access Point Settings link to display Client Access, Performance, Trusted Gateways, Cipher Suites, and Advanced settings. Furthermore, use the Configure Load Balancing link to enter settings for load balancing and to manage mirrored Access Points.
Policy Services
Add Policy Services using the Add Policy Service wizard. To edit settings for a specific Policy Service, select the Policy Service in the list. Click the Manage Global Policy Service Settings link to edit default global communication settings.

Authentication Services
Add Authentication Services using the Add Authentication Service wizard. To edit settings for a specific Authentication Service, select the Authentication Service in the list. Click the Manage Global Authentication Service Settings link to display global default RADIUS authentication and password and/or PIN settings.

Administration Service
Manage internal (in the WatchGuard Network) and external (with the client) communication settings.

Directory Service
Manage general settings for the directory service. You can change the type of directory service here, and also enable SSL communication.
Monitor System
Status Overview
In the Status Overview section, you view the number of registered concurrent users and user accounts. Also listed are the number of registered resource hosts and Single Sign-On (SSO) domains. System information includes the WatchGuard Administrator release and build number and the license type. Administrators lists the Display Name of the user currently logged on to WatchGuard Administrator, as well as the number of administrators logged on to the WatchGuard Administrator.
Event Overview
Event Overview provides you with a snapshot of the WatchGuard network status. It is updated in real time every 15 seconds. Listed events include:
- Failed connection to the directory service or any of the configured user storage locations
- Restored connection to the directory service or any of the configured user storage locations
- Failed connection to any of the services included in the WatchGuard network
- Restored connection to any of the services included in the WatchGuard network
- Activated or deactivated debug logging
Enable Event Monitoring for polling of your directory service and user storage on the Monitor System page.
Status overview
Users
The following user information is displayed:
- Concurrent Users: the number of concurrent users.
- Registered User Accounts: the number of registered user accounts.
- Logged-on Users: the number of logged-on unique users.
- Active Users: the number of users that have made a request within the last 15 minutes. This time-out value is configured in Manage Global Account Settings.
Resources
The following resource information is displayed:
- Registered Resources: the number of registered resources. Only resource hosts are counted, not paths.
- Registered SSO Domains: the number of registered SSO domains.
System information
The following system information is displayed:
- Software Version: the WatchGuard Administrator release number.
- License Version: the license version.
- License Type: the license type.
Administrators
The following administrator information is displayed:
- Display name of the currently logged-in administrator
- Number of logged-on administrators
Follow the View Administrator Activities link to view a list of the time and date of the last logon per administrator, as well as the time and date of the last action taken. Note that an action is any action performed in the WatchGuard Administrator by the administrator: clicked links as well as saved updates or completed wizards.
Event overview
Each WatchGuard network event is listed with the date and time according to the browser locale setting. Events that have occurred since the last time you were logged on are listed. If new events occur while you are logged on, they are added to the list in real time. The Event Overview list is updated every 15 seconds. The following events can be listed:
- Lost connection to the directory service or any of the configured user storage locations
- Restored connection to the directory service or any of the configured user storage locations
- Lost connection to any of the WatchGuard network services
- Restored connection to any of the WatchGuard network services
- Activated debug logging
- Deactivated debug logging
Manage settings
Enables event monitoring of the directory service and user storage to check the connection to the directory service every 15 seconds. Since each check results in an event in the directory service log, unselecting this option may enhance performance.
If you disable event monitoring, the Alert and Reporting events concerning Directory Service and User Storages will not function properly.
You can enable the WatchGuard Password policy to ensure that passwords used to log on to WatchGuard Administrator follow certain requirements. The following requirements must be met if the WatchGuard Password policy is enabled:
- The password is at least six characters long.
- The password contains characters from at least three of the following four categories:
  - English uppercase characters (from A through Z)
  - English lowercase characters (from a through z)
  - Base 10 digits (from 0 through 9)
  - Non-alphanumeric characters (for example: !, $, #, or %)
The current password for logon to the WatchGuard Administrator is not shown in clear text. This password was set during the Setup System wizard. Enter a new password for the Super Administrator to change the password. The new password is not shown in clear text. If the Enable password policy option is selected, the password must meet the password policy requirements.
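An added example, not part of the guide, that checks a candidate Super Administrator password against the policy just described; counting every character outside the three named sets as non-alphanumeric is this example's assumption.

```python
"""Check a password against the WatchGuard Administrator password policy
described above: at least six characters, drawn from at least three of the
four character categories. Added example, not WatchGuard code. Assumption:
any character outside A-Z, a-z and 0-9 (including non-English letters) is
counted in the "non-alphanumeric" category, since the policy only names those
three explicit sets.
"""
import string

MIN_LENGTH = 6
MIN_CATEGORIES = 3
_EXPLICIT_CATEGORIES = {
    "English uppercase": frozenset(string.ascii_uppercase),
    "English lowercase": frozenset(string.ascii_lowercase),
    "Base 10 digit": frozenset(string.digits),
}


def categories_used(password: str) -> set[str]:
    """Names of the policy categories the password draws characters from."""
    used = set()
    for ch in password:
        for name, members in _EXPLICIT_CATEGORIES.items():
            if ch in members:
                used.add(name)
                break
        else:
            used.add("Non-alphanumeric")  # assumption: everything else counts here
    return used


def policy_violations(password: str) -> list[str]:
    """Rules the password breaks; an empty list means the policy is met."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"only {len(password)} characters, need at least {MIN_LENGTH}")
    used = categories_used(password)
    if len(used) < MIN_CATEGORIES:
        problems.append(f"uses {len(used)} character categories, need at least {MIN_CATEGORIES}")
    return problems


def meets_policy(password: str) -> bool:
    """True when the password satisfies every rule of the policy."""
    return not policy_violations(password)
```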
Event Monitoring
Label                                                          Mandatory  Description
Enable event monitoring of directory service and user storage  No         Selected by default. This option can be disabled to enhance performance.
Access Points
On the Access Points tab, all registered Access Points are listed displaying Display Name and Host.
Policy Services
On the Policy Services tab, all registered Policy Services are listed displaying Display Name and Host.
Authentication Services
On the Authentication Services tab, all registered Authentication Services are listed displaying Display Name and Host.
Logging
About Log Viewer
You can use the WatchGuard Administrator Log Viewer (in the Monitor System section) to filter and display log messages. To view logs, select Filter settings and click View Log. The logs appear in a separate browser window. You can use Search Criteria to trace specific log events, such as user activity, through selected servers. Here are examples:

logon userA
Lists all logons made by the user userA.

logon and userA
Both forms display all log entries containing the words logon and userA.

Searches are not case sensitive, and search criteria can consist of several words. For an exact match, all entered words must exist. Searches can be time consuming if there are a large number of log files to filter. For an OR search, use the special word or. OR operations have precedence over AND operations. Here are examples:

fatal or warning
Displays all lines with the FATAL or WARNING severity levels.

fatal or warning and sql
Displays all messages with the FATAL or WARNING severity levels containing the word SQL.
Negations can be obtained using the minus sign (-). Here are examples:

-info
Displays all severity levels except the INFO level (that is, only the FATAL and WARNING levels).

fatal or warning -sql
Displays all lines with the FATAL or WARNING severity levels, except for SQL messages.

The wildcard characters * and ? are allowed. * signifies any number of characters, and ? signifies exactly one character. Here are examples:

abc*def
Displays all lines where the text abc can be found before the text def.

abc?def
Displays all lines where the text abc can be found, followed by exactly one character, and then followed by the text def.

Quoted searches can be used to search for whole phrases or for the wildcard characters themselves. Here are examples:

fatal or warning -lcp -"tc5 system"
Displays all lines that have the FATAL or WARNING severity levels but do not contain any LCP messages or the string tc5 system.

" info "
Displays lines with the string info with spaces on each side (as a separate word).
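An added example (not WatchGuard code) that implements the search criteria syntax described above and runs it over constructed log lines, so the precedence, negation, wildcard and quoting rules can be checked against the guide's own examples; it assumes the words and/or are recognised regardless of letter case.

```python
"""Evaluate Log Viewer search criteria as the guide describes them: terms are
ANDed (by whitespace or the word "and"), "or" binds tighter than AND, a
leading "-" negates a term, * and ? are wildcards, a quoted string is matched
literally (spaces kept, wildcards taken literally), and matching is not case
sensitive. Added example, not WatchGuard code; the log lines are constructed.
Assumption: "and" and "or" are recognised in any letter case.
"""
import re

# A token is an optional "-", then either a "quoted string" or a bare word.
_TOKEN = re.compile(r'(-?)(?:"([^"]*)"|(\S+))')

Term = tuple[bool, re.Pattern]          # (negated, compiled pattern)


def _term_regex(text: str, quoted: bool) -> re.Pattern:
    """Compile one search term; * and ? are wildcards only outside quotes."""
    if quoted:
        pattern = re.escape(text)
    else:
        pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in text)
    return re.compile(pattern, re.IGNORECASE)


def parse(query: str) -> list[list[Term]]:
    """Parse a query into an AND-list of OR-groups of terms."""
    groups: list[list[Term]] = [[]]
    join_with_or = False
    for m in _TOKEN.finditer(query):
        neg, quoted, word = m.group(1), m.group(2), m.group(3)
        if quoted is None and not neg and word.lower() in ("and", "or"):
            join_with_or = word.lower() == "or"   # "and" behaves like whitespace
            continue
        if not join_with_or and groups[-1]:
            groups.append([])                      # implicit or explicit AND
        join_with_or = False
        text = quoted if quoted is not None else word
        groups[-1].append((neg == "-", _term_regex(text, quoted is not None)))
    return [g for g in groups if g]


def evaluate(terms: list[list[Term]], line: str) -> bool:
    """A line matches when every AND group has at least one satisfied term;
    a negated term is satisfied when its pattern is absent from the line."""
    return all(any((rx.search(line) is None) == neg for neg, rx in group)
               for group in terms)


# Constructed sample log lines in the style the Log Viewer shows.
SAMPLE_LOG = [
    "2008-08-27 10:01:02 INFO  logon userA succeeded",
    "2008-08-27 10:01:05 WARNING sql pool near limit",
    "2008-08-27 10:01:09 FATAL sql connection lost",
    "2008-08-27 10:02:00 INFO  logon userB succeeded",
    "2008-08-27 10:02:30 WARNING lcp negotiation slow",
    "2008-08-27 10:03:00 FATAL tc5 system halted",
]


def search(query: str, lines: list[str] = SAMPLE_LOG) -> list[str]:
    """Return the lines that match the query, in their original order."""
    terms = parse(query)
    return [ln for ln in lines if evaluate(terms, ln)]
```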
Diagnostic file
You can download a .zip file containing all System, Audit, Billing, HTTP, and RADIUS logs for the selected servers. The diagnostics file also contains all configuration files and message logs, as well as the debug logs (including the Access Point raw external and internal logs, raw proxy interchange log, form based log, and hyperlinks log). By selecting Enable debug logging on the Manage General Logging Settings page, the debug logs are automatically enabled.
About logging
All registered servers in the WatchGuard Administrator network generate several individual logs. You can manage each server's log settings individually. Another important factor of logging is that both the Report and Alert functionality depend on the log collection. If the Log Collection Interval is set too high (this is done on the Manage Global Logging Settings page), the ability to view real-time reports diminishes. Alerts are not sent until logs with this information are collected. For more information, see Manage logging and Manage global logging settings. WatchGuard Administrator includes five types of logs:

Log Type      Log Level             Description
System Logs   Fatal, Warning, Info  Logs run-time events.
Audit Logs    Warning, Info         Logs user activity, such as log on, log out, and session events. All WatchGuard Administrator user activities are also logged here.
Billing Logs  Info                  Logs events required for billing.
HTTP Logs     Info                  Logs HTTP server requests.
RADIUS Logs   Info                  Logs RADIUS server requests.
In WatchGuard Administrator, it is possible to filter the severity level of the logged messages. It is also possible to turn logging off. The following table shows the available log level filtering:

Log Level Filter  Description
Off               Logs nothing; the log is disabled.
Fatal             Logs only fatal messages.
Warning           Logs warning and fatal messages.
Info              Logs info and above messages.
Manage logging
You manage logging settings for each registered service on individual tabs representing each log type. The different services generate separate log types:
- Administration Service: System, Audit, Billing, and HTTP logs
- Access Point: System, Audit, and HTTP logs
- Policy Service: System, Audit, Billing, and HTTP logs
- Authentication Service: System, Audit, Billing, and RADIUS logs
You can configure the same kind of settings for all log types; these are described below.
Note that the Access Point audit log includes more settings than the other services' audit logs. You can enable settings on the accessing client, the session, and access request details such as requested path and resource, protocol used, and response information.
Select the Enable debug logging option to automatically enable the debug logs including the Policy Service End-Point Security log, the Access Point raw external log, raw internal log, raw proxy interchange log, hyperlinks log, and form-based log.
Log Directory
Label          Mandatory  Description
Log Directory  Yes        Set to logs by default.
Time Zone
Label       Mandatory  Description
Local time  No         Selected by default.
GMT         No         Not selected by default.
Interval
Label                    Mandatory  Description
Log collection interval  No         Set to 5 by default.
Debug Logging
Label                 Mandatory  Description
Enable debug logging  No         Not selected by default.
Alerts
About alerts
Alert notifications are messages sent to selected receivers when specified events have occurred in the system. Selected receivers can be either a selection of roles, managed in the Delegated Management section, or listed email addresses or cell phone numbers. Alert notification messages are distributed by email and/or SMS. You need to configure the appropriate channels for each service respectively; this is done in the Manage System section on the Notification Settings pages. You can select and combine a number of pre-defined alert events. Alert events include lost and restored connections to the directory service or to services in the WatchGuard network, or user activity such as an exceeded number of access requests. For example, if the Administration Service is unable to communicate with the directory service, an alert event is triggered. An alert is created and configured to notify selected alert receivers of the Lost connection to Directory Service event. An alert message containing event-specific information is created and distributed using SMS, email, or both.
Alert events
A number of pre-defined alert events are configured for you to select from:
- User accounts: alerts can be triggered when accounts are locked and unlocked for access, authentication, and time-locks.
- Resources: alerts can be triggered when resources go offline and online.
- WatchGuard network: alerts can be triggered when the connection to services in the WatchGuard network is lost and restored.
- Directory service: alerts can be triggered when the connection to the directory service is lost and restored.
- Authentication method server: alerts can be triggered when the connection to the authentication method server is lost and restored.
For more information, see Manage alerts and Manage global alert settings.
Manage alerts
Registered alerts are listed on the Manage Alerts page in the Monitor System section of WatchGuard Administrator. You can add, edit, and delete alerts.
Alert settings
All alerts consist of an alert event that triggers an alert notification. You specify which type of notification channel to use for the alert notification messages. You can specify an SMS channel, an email channel, or both. You can only specify channels that have been configured. Notification channels are configured on the Notification Settings pages in the Manage System section of WatchGuard Administrator.
Settings
General Settings
Label         Mandatory  Description
Enable alert  No         Selected by default.
Display Name  Yes        Unique name used in the system to identify the alert.
Description   No
Notification Settings
Label  Mandatory  Description
SMS    (Yes)      Either SMS, email, or both are mandatory.
email  (Yes)      Either SMS, email, or both are mandatory.
Alert Receivers
Label            Mandatory  Description
Available Roles  No         List with all available registered roles.
Selected Roles   No
2005-09-01 09:11:31: User Joe Smith has been locked for authentication.
You cannot change any formatting (such as bold or italic text) in alert messages.
Messages
Label    Mandatory  Description
Subject  Yes        Set to "An alert has been triggered" by default.
User Accounts
Label                        Mandatory  Description
Locked for Access            Yes        Set to "{0}: User {1} has been locked for access" by default.
Unlocked for Access          Yes        Set to "{0}: User {1} has been unlocked for access" by default.
Locked for Authentication    Yes        Set to "{0}: User {1} has been locked for authentication" by default.
Unlocked for Authentication  Yes        Set to "{0}: User {1} has been unlocked for authentication" by default.
Time-lock Locked             Yes        Set to "{0}: User {1} has been Time-lock locked until {2}" by default.
Time-lock Unlocked           Yes        Set to "{0}: User {1} has been Time-lock unlocked" by default.
Resource Hosts
Label                Mandatory  Description
Lost Connection      Yes        Set to "{0}: Lost connection to Resource Host {1}" by default.
Restored Connection  Yes        Set to "{0}: Restored connection to Resource Host {1}" by default.
WatchGuard Network
Label                Mandatory  Description
Lost Connection      Yes        Set to "{0}: Lost connection to {1}" by default.
Restored Connection  Yes        Set to "{0}: Restored connection to {1}" by default.
Directory Service
Label                Mandatory  Description
Lost Connection      Yes        Set to "{0}: Lost connection to Directory Service" by default.
Restored Connection  Yes        Set to "{0}: Restored connection to Directory Service" by default.
Reports
About reports
In addition to the Log Viewer, you also have the ability to generate reports in WatchGuard Administrator. The reports can be snapshots of activity at any given time, or statistics showing, for example, the behavior of users or the usage of resources. You can select to generate reports from seven report groups:
- Abolishment reports
- Assessment reports
- Access reports
- Authentication reports
- Authorization reports
- Account Statistics reports
- System reports
The option Complete Report generates a complete report containing statistics from all available report types. Each report group consists of one or several reports, and each report contains one or several charts. Reports are divided into three information parts: Time range, Filters, and Graphics.
Time range
You can specify three types of time ranges:

Last
When you specify a time range of the type Last, time is counted from the current time, when generating the report, to the specified time (in hours, days, weeks, months, or years). For example, if you select Last 2 Days at 02:15 PM, data is collected for 24 hours + 02:15 hours from now.

From - To date
When you specify a time range of the type From - To date, data is collected from and to a specific date. For each day, a 24-hour period starting at 00:00 and ending at 24:00 is calculated.

All Available
When you specify a time range of the type All Available, data is collected from the time when the database was created. If there is no data from this start time, the time gap (from no data to data) will show in the reports. When selecting large ranges, the time to generate reports increases drastically.
Filters
You can specify filters to select the data included in different reports. Report groups have different available filters. These filters are available for most reports:
- Access Points: specifies one or several Access Points. You make the selection from all registered Access Points.
- Policy Services: specifies one or several Policy Services.
- Authentication Services: specifies one or several Authentication Services.
- Client IP: specifies one IP address or a range of IP addresses. You make the selection from all client IP addresses.
- User ID: specifies users and user accounts. You make the selection from all registered users, both WatchGuard Administrator user accounts and users stored in user storage.
- Devices: you make the selection from all registered devices.
- Web resource hosts: you make the selection from all registered Web resource hosts.
- Tunnel resource hosts: you make the selection from all registered Tunnel resource hosts.
- Tunnel Protocol: select UDP, TCP, or both.
- Tunnel IP: specify the IP range for the tunnels.
- Tunnel Port: specify the port range for the tunnels.
Graphics
You specify two types of graphics: Chart Types and Styles. Each report can be presented using different chart types. For example, when you select to generate an Assessment report, you can select the chart types Failed over Time, Succeeded over Time, Failed by Reason, and Failed by User. You need to select at least one chart type to generate the report. Each chart type is then presented using different styles: Bar, Line, or Pie in 2D or 3D. WatchGuard Administrator suggests a chart type and style by default per report, but you can change and combine any report with any chart type and style.
Statistics
Statistics are presented in reports in WatchGuard Administrator. The reports are available in real time and historically. WatchGuard Administrator reports the following statistics:
- Response Time (after workload)
- Device Usage
- User resource usage
- Session trend
- Current Workload
- Bandwidth Usage
- Free memory space
- Free Disk Space
Free disk space information is not available from Access Points.
Event statistics include:
- Access
- Authentication
- Assessment
- Abolishment
The statistics are available in different formats: the current status, averages, and so on. The reporting format will also support third-party products. WatchGuard Administrator can provide reports that can be used in Microsoft Excel and Crystal Reports.
Data Retrieval
All reporting information is collected and stored in a database. Queries are run both to the database and the directory service. The result is then graphically presented in WatchGuard Administrator with the possibility to store the result in a text file or export it to a .zip file.
Limitations
The HSQLDB database is allowed to grow to a maximum size of 250 MB. This is a limitation enforced by WatchGuard Administrator to ensure acceptable startup and shutdown times for the Administration Service. If statistics data needs to be stored for a longer time period, it is recommended to use another database. The HSQLDB database is suitable for up to 5000 authentication attempts per day; this allows statistics for a period of up to 50 days. If the workload exceeds 5000 authentications per day, it is recommended to use another high-performing database, for example MySQL. It is possible to change the database to any kind that supports JDBC and the dialect of SQL defined by the SQL-92 standard.

Backup and Restore
To create a backup of the database, stop the Administration Service and create a copy of the \database\ folder. To restore a backup from file, stop the Administration Service and replace the \database\ folder with the backup.

Schedule Cleanup
Scheduled cleanup is not enabled by default, to ensure no loss of report statistics data. If you enable scheduled cleanup, you need to specify how old events need to be in order for them to be removed. When selected, scheduled cleanup is performed once every midnight. If enabled, and the HSQLDB database grows to its limit before cleanup is executed, it is recommended to decrease the number of logged days in the system log file.

Forced Cleanup
Forced cleanup is performed once every midnight. The cleanup is performed when the database is greater than 250 MB. Forced cleanup removes all events from the oldest date in the database; this process is then repeated until the database is equal to, or less than, 250 MB.

Database Growth
When the database size is 250 MB it holds approximately 1,750,000 events; each event takes an average of 150 bytes.
If we assume that each successful authentication attempt generates a total of 7 events, the following is true:
- 1 Authentication event
- 1 Assessment event
- 1 Abolish event
- 1 Session Created event
- 3 Authorization requests (assuming the request is cached in the Access Point)
One authentication generates 7 events, 150 * 7 = 1,050 bytes. Each authentication takes 1,050 bytes, so 5,000 authentications per day take approximately 5 MB; this workload allows report statistics data for a period of 50 days.
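The capacity reasoning above, carried through as an added example (this is not WatchGuard code and not part of the guide). It uses the guide's own figures, 150 bytes per event and 7 events per successful authentication, and simulates the nightly forced cleanup exactly as described: drop every event from the oldest date, repeat until the database is at or below the cap. The cap is assumed to be 250 MiB (262,144,000 bytes), which reproduces the guide's "approximately 1,750,000 events"; at 5,000 authentications per day the model keeps 49 whole days, the guide's 50 coming from rounding 5.25 MB per day down to 5 MB.

```python
"""Capacity model for the report statistics database (added example).

Figures from the guide: 150 bytes per event, 7 events per successful
authentication, a 250 MB cap. The cap is assumed to mean 250 MiB.
"""
from dataclasses import dataclass, field

BYTES_PER_EVENT = 150
EVENTS_PER_AUTH = 7                  # 1 auth + 1 assessment + 1 abolish + 1 session + 3 authz
DB_LIMIT_BYTES = 250 * 1024 * 1024   # assumed: 250 MiB


def capacity_events() -> int:
    """Events that fit under the cap at the average event size."""
    return DB_LIMIT_BYTES // BYTES_PER_EVENT


def bytes_per_day(auths_per_day: int) -> int:
    """Storage consumed by one day of successful authentications."""
    return auths_per_day * EVENTS_PER_AUTH * BYTES_PER_EVENT


def retention_days(auths_per_day: int) -> int:
    """Whole days of history that fit under the cap at a steady load."""
    return DB_LIMIT_BYTES // bytes_per_day(auths_per_day)


@dataclass
class StatisticsDb:
    """Event bytes per stored day, oldest day first."""
    days: list = field(default_factory=list)

    @property
    def size(self) -> int:
        return sum(self.days)

    def record_day(self, auths: int) -> None:
        self.days.append(bytes_per_day(auths))

    def forced_cleanup(self) -> int:
        """Nightly forced cleanup as the guide describes it: while the
        database is larger than the cap, remove every event from the
        oldest date. Returns how many days were removed."""
        removed = 0
        while self.size > DB_LIMIT_BYTES and self.days:
            self.days.pop(0)
            removed += 1
        return removed


def simulate(auths_per_day: int, total_days: int) -> tuple:
    """Run total_days of a steady load with nightly forced cleanup.
    Returns (days of history retained at the end, days removed in total)."""
    db = StatisticsDb()
    removed = 0
    for _ in range(total_days):
        db.record_day(auths_per_day)
        removed += db.forced_cleanup()
    return len(db.days), removed


if __name__ == "__main__":
    for load in (5000, 20000):
        print(f"{load} auths/day: {bytes_per_day(load) / 1e6:.2f} MB/day, "
              f"{retention_days(load)} days of history, "
              f"after 100 days: retained/removed = {simulate(load, 100)}")
```

Running it for 20,000 authentications per day shows why the guide recommends another database above 5,000: the same cap then holds only 12 days of events, so any investigation that needs older authentication history has to rely on an export taken before the nightly cleanup.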
Manage reports
Available report types are listed on the Manage Reports page in the Monitor System section of WatchGuard Administrator. You can generate several types of reports using different filters and graphics. All reports can be generated using the default configuration.
Time Ranges
Filter Selection | Time Unit | X-axis | Comment
1-6 hours | Minutes | Every (h*60/12) minutes | Allowed hours: 1-24
7-18 hours | Hours | Every hour |
19-24 hours | Hours | Every second hour |
1 day | Hours | Every second hour |
2-7 days | Hours | Every weekday | Allowed days: 1-7
1 week | Weekdays | Every weekday |
2-4 weeks | Date | Every day | Allowed weeks: 1-4. Example: April 24
1 month | Date | Every day | Example: April 24
2-12 months | Months | Every month | Allowed months: 1-12. Example: April 2005
1 year | Months | Every month | Example: April 2005
2-29 years | Year | Every year | Allowed years: 1-29. Example: 2005
Any date range | Month/Year | |
Overall | Month/Year | |
You can specify the following time ranges:

Last: The system collects data from the exact date and time when the report is generated, back over the selected interval according to the table below. For example, if last two weeks is selected and the time for report creation is 12:15, the system collects data for the previous 336 (24 x 14) hours.

Time Intervals
Input | Value
Hours | Entered value must be in the range 1 to 24.
Days | Entered value must be in the range 1 to 7.
Weeks | Entered value must be in the range 1 to 4.
Months | Entered value must be in the range 1 to 12.
Years | Entered value must be in the range 1 to 30.
From To dates: The time range to collect data is defined by a from and to date. For each day, the system calculates a 24-hour period starting at 00:00 and ending at 24:00.

All available: The time range depends on the available data stored in the database.

You specify a time range to be able to compare statistics over time, or to see progress over time, or to view status for specific events at an exact time. See the following for report types:
- Assessment Report settings
- Abolishment Report settings
- Access Report settings
- Authentication Report settings
- Authorization Report settings
- Account Statistics Report settings
- Session Trend Report settings
- Communications Report settings
- Alert Report settings
- System Report settings
- Performance Report settings
- Tunnel Report settings
All authentication requests for the time range are presented for each hour of the day (0..23). The value for each hour is divided by the number of days set in Time Range. The time range must be equal to or greater than one day for any values to be presented on the report.
Filter Settings
Label | Mandatory | Description
All | No | All registered filter data is displayed.
Selection | No | A search is performed and a selection can be made.
Available | No | List of available filter data.
Selected | No | Selected from the Available list.
User accounts
In the WatchGuard vernacular, users and user accounts are separate terms. WatchGuard Administrator user accounts are required for access to registered resources, and the accounts are connected to actual users. But not all users in your directory service need to have registered WatchGuard Administrator user accounts. WatchGuard Administrator user accounts are linked to user information already stored in your directory service. A user storage link establishes a connection to your local user information. User accounts are managed in the Manage User Accounts section. In the Global User Account Settings section, you manage global default settings used in authentication, for time-outs, when using user linking (described below), and to setup automatic repair of user links. Please refer to the Add User Account section for detailed information on different methods of creating user accounts.
User groups
There are three types of user groups available in WatchGuard Administrator:
- User groups defined in directory service
- User location groups
- User property groups
User groups are managed in the Manage User Groups section.
User storage
The user storage is the external location where users are stored and used by the Policy Service as part of the authorization process. To automatically add references (when authenticating a user, for example) to existing users and user groups in the directory service, you need to configure user storage. It is recommended that the user accounts are linked to the user storage, to enable reuse of user information. When configuring user storage, you specify the host for the directory service and define a set of search rules to find users and user groups. You can specify several user storage locations in directory services of different brands and different vendors. For information on supported directory services, please see the WatchGuard Administrator Release Notes. A user storage location was added to the system during the Setup System wizard. User storage locations are managed in the Manage User Storage section.
General settings
You configure the default number of maximum retries for user access for all accounts. You can, however, reconfigure this number for specific user accounts, using the Number of retries setting. When set to 0, the user account is never locked. This setting is used for both default account configuration and for WatchGuard authentication.

You specify the number of days a user account is valid. This is used as the default when a new user account is created. When set to 0, the user account never expires.

Optional default account settings for WatchGuard authentication include:
- Use groups: When selected, user group names are supported. If supported, a group name can be connected to a user when managing user accounts. This group information is sent to the RADIUS client. The RADIUS client can then be configured to use this attribute for authorization.
- Framed IP: When a framed IP address has been configured, this IP address is sent to a network access point from the Authentication Service upon successful authentication. This information can be used in authorization decisions made by the access point.
- Time-lock: You can set a time-out for the authentication time-lock, that is, the length of time users are locked out from attempting to log on after the number of failed logons set in Time-lock Interval.

Time-out settings are used as default values when a Web resource is created. To edit or specify any or all of these settings for a specific resource, go to the Web Resource Host Advanced Settings page. You set the maximum user inactivity time before re-authentication is required, the validity time for a session in the system, the time since the user was last authenticated with the required authentication method before re-authentication is required, and the time before users are warned and prompted to re-authenticate.
General Settings
Default Account Settings

Label | Mandatory | Description
Max Retries | Yes | Maximum number of invalid login attempts allowed (1-999) before the user account is locked for authentication. Set to 10 by default.
Account Expires In | No | Number of days a user account with enabled WatchGuard Mobile ID authentication is valid. Set to 0 by default.
Time-lock Interval | Yes |
Time-Out Settings
Label | Mandatory | Description
Max Inactivity Time | Yes | Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default.
Session Time-out | Yes | Validity time in minutes (0-1440) for a session in the system. Set to 30 by default.
Absolute Time-out | Yes | Time in minutes (0-1440) since the user was last authenticated with the required authentication method, before re-authentication is required, independent of user activity. Set to 720 by default.
Time-out Warning | Yes | Time in seconds (0-3600) before the user is warned and prompted to re-authenticate. Set to 60 by default.
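How the lockout and time-out settings on this page interact, as an added example (not WatchGuard code and not from the guide). It applies Max Retries with the "0 means never locked" rule, a time-lock after the retry limit, and the three session deadlines with the defaults above (15, 30 and 720 minutes) plus the 60-second warning. The time-lock length of 30 minutes is an assumed value, since no default for it survives on this page; treating a lock that has expired as a fresh counter is also an assumption.

```python
"""Account lockout and session time-out evaluation (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AccountPolicy:
    max_retries: int = 10            # guide default; 0 means the account is never locked
    time_lock_minutes: int = 30      # assumed value, not given on this page


@dataclass
class Account:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def is_locked(acct: Account, now: datetime) -> bool:
    return acct.locked_until is not None and now < acct.locked_until


def record_logon(acct: Account, policy: AccountPolicy, now: datetime, success: bool) -> bool:
    """Apply one logon attempt. Returns False if the account is time-locked.
    A successful logon resets the counter; reaching Max Retries starts the
    time-lock; an expired lock starts a fresh counter (assumption)."""
    if is_locked(acct, now):
        return False
    if acct.locked_until is not None:
        acct.locked_until, acct.failed_attempts = None, 0
    if success:
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if policy.max_retries and acct.failed_attempts >= policy.max_retries:
        acct.locked_until = now + timedelta(minutes=policy.time_lock_minutes)
    return True


@dataclass
class TimeoutSettings:
    max_inactivity_min: int = 15
    session_timeout_min: int = 30
    absolute_timeout_min: int = 720
    timeout_warning_s: int = 60


@dataclass
class Session:
    created: datetime
    last_activity: datetime
    last_authenticated: datetime


def evaluate_session(s: Session, cfg: TimeoutSettings, now: datetime) -> str:
    """Return 'ok', 'warn' (a deadline falls within Time-out Warning) or
    'reauth:<reason>' for the first deadline already passed. Absolute
    time-out is checked first because it ignores activity, then session
    validity, then inactivity."""
    deadlines = [
        ("absolute", s.last_authenticated + timedelta(minutes=cfg.absolute_timeout_min)),
        ("session", s.created + timedelta(minutes=cfg.session_timeout_min)),
        ("inactivity", s.last_activity + timedelta(minutes=cfg.max_inactivity_min)),
    ]
    for reason, deadline in deadlines:
        if now >= deadline:
            return f"reauth:{reason}"
    soonest = min(deadline for _, deadline in deadlines)
    if soonest - now <= timedelta(seconds=cfg.timeout_warning_s):
        return "warn"
    return "ok"
```

The absolute time-out is the one that bounds a stolen or shared session: a user who keeps a page active and refreshes the session indefinitely is still forced back through the configured authentication method after 720 minutes, which is why it is checked before the activity-based deadlines.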
Auto Repair
Label | Mandatory | Description
Auto repair user links when the users access the system | No | Selected by default.
User Linking
Label | Mandatory | Description
Enable WatchGuard Authentication when manually linking the user | No | Not selected by default.
Enable WatchGuard Authentication when automatically linking the user | No |
Notification | No |
WatchGuard Password
Label | Mandatory | Description
Enable authentication method after user linking | No | Not selected by default.
Generate password | No | Not selected by default.
Password never expires | No | Not selected by default.
User cannot change password | No | Not selected by default.
User must change password on next logon | No | Not selected by default.
Use password from directory service | No | Not selected by default.
User linking
About user linking
User Linking is used when you quickly want to create a basic user account based on an existing user in user storage. You add user accounts according to your default settings in Global User Account Settings with links to the appropriate user storage. To enable WatchGuard authentication with User Linking, you need to enable the User Linking option. This is done on the User Linking tab in the Manage global user account settings topic. WatchGuard authentication refers to the Authentication Service and the WatchGuard authentication methods Web, Mobile Text, Challenge, Synchronized, and Password. Default settings for WatchGuard authentication for user accounts are retrieved from the General Settings tab on the Global User Account Settings page. For more information on managing user linking, see Manage user linking.
User import
About User Import
Use User Import to create multiple user accounts simultaneously by importing an external file containing user information into the Administration Service. Fields in the import file are separated by a comma, semicolon, or tab. There can only be one entry per line in the import file. The file to import must be formatted according to specific rules, detailed in Manage User Import.
Heading | Value | Comment
PasswordEnabled | Boolean |
PasswordPwd | Password |
PasswordPwdNeverExpires | Boolean |
PasswordPwdCannotChange | Boolean |
PasswordPwdMustChange | Boolean |
PasswordPwdGenerate | Boolean |
PasswordPwdUseDirectory | Boolean |
MobileTextEnabled | Boolean |
MobileTextPwd | Password |
MobileTextPwdNeverExpires | Boolean |
MobileTextPwdCannotChange | Boolean |
MobileTextPwdMustChange | Boolean |
MobileTextPwdGenerate | Boolean |
MobileTextPwdUseDirectory | Boolean |
NotifyByMail | Boolean |
NotifyBySMS | Boolean |
NotifyToAddress | email address |
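A validator for the import file format described in this section, as an added example (not WatchGuard code). It detects the comma, semicolon or tab separator from the heading line, enforces one entry per line, converts the Boolean columns listed in the table above, and rejects a row that enables an authentication method without any password source (literal password, Generate, or Use Directory). The heading names UserId and DisplayName for the two required fields are assumed; the guide only states that user ID and display name are the minimum. The sample file at the bottom is constructed for this example.

```python
"""User import file validator (added example)."""
import csv
import io

BOOLEAN_HEADINGS = {
    "PasswordEnabled", "PasswordPwdNeverExpires", "PasswordPwdCannotChange",
    "PasswordPwdMustChange", "PasswordPwdGenerate", "PasswordPwdUseDirectory",
    "MobileTextEnabled", "MobileTextPwdNeverExpires", "MobileTextPwdCannotChange",
    "MobileTextPwdMustChange", "MobileTextPwdGenerate", "MobileTextPwdUseDirectory",
    "NotifyByMail", "NotifyBySMS",
}
PASSWORD_HEADINGS = {"PasswordPwd", "MobileTextPwd"}
EMAIL_HEADINGS = {"NotifyToAddress"}
REQUIRED_HEADINGS = ("UserId", "DisplayName")   # assumed heading names
TRUE, FALSE = {"true", "yes", "1"}, {"false", "no", "0", ""}


def detect_delimiter(heading_line: str) -> str:
    """Pick whichever of comma, semicolon or tab appears most in the heading."""
    return max((",", ";", "\t"), key=heading_line.count)


def parse_bool(raw: str):
    """True/False for a recognised Boolean spelling, None otherwise."""
    value = raw.strip().lower()
    if value in TRUE:
        return True
    if value in FALSE:
        return False
    return None


def parse_import_file(text: str):
    """Return (rows, errors, warnings). rows holds one dict per accepted line
    with Boolean columns converted; errors and warnings name line and column."""
    lines = text.splitlines()
    if not lines:
        return [], ["empty file"], []
    reader = csv.reader(io.StringIO(text), delimiter=detect_delimiter(lines[0]))
    headings = next(reader)
    rows, errors, warnings = [], [], []
    for lineno, values in enumerate(reader, start=2):
        if not any(values):
            continue
        if len(values) != len(headings):
            errors.append(f"line {lineno}: {len(values)} fields, heading has {len(headings)}")
            continue
        row, ok = dict(zip(headings, values)), True
        for h in REQUIRED_HEADINGS:
            if not row.get(h, "").strip():
                errors.append(f"line {lineno}: {h} is required")
                ok = False
        for h in BOOLEAN_HEADINGS.intersection(row):
            row[h] = parse_bool(row[h])
            if row[h] is None:
                errors.append(f"line {lineno}: {h} must be Boolean")
                ok = False
        for h in EMAIL_HEADINGS.intersection(row):
            if row[h] and "@" not in row[h]:
                errors.append(f"line {lineno}: {h} is not an email address")
                ok = False
        for h in PASSWORD_HEADINGS.intersection(row):
            if row[h]:   # the file itself must then be handled as a secret
                warnings.append(f"line {lineno}: {h} carries a plaintext password")
        for prefix in ("Password", "MobileText"):   # enabled method needs a password source
            if row.get(f"{prefix}Enabled") and not (
                    row.get(f"{prefix}Pwd") or row.get(f"{prefix}PwdGenerate")
                    or row.get(f"{prefix}PwdUseDirectory")):
                errors.append(f"line {lineno}: {prefix}Enabled set but no password source")
                ok = False
        if ok:
            rows.append(row)
    return rows, errors, warnings


# Constructed sample input: five entries, three of them deliberately faulty.
SAMPLE_FILE = """UserId;DisplayName;PasswordEnabled;PasswordPwd;PasswordPwdGenerate;PasswordPwdUseDirectory;NotifyByMail;NotifyToAddress
alice;Alice Example;true;;true;false;true;alice@example.com
bob;Bob Example;true;;false;false;false;
;No Id;false;;false;false;false;
carol;Carol Example;false;;false;false;maybe;
dave;Dave Example;true;placeholder-pw;false;false;false;
"""

if __name__ == "__main__":
    accepted, errs, warns = parse_import_file(SAMPLE_FILE)
    print(len(accepted), "rows accepted;", *errs, *warns, sep="\n")
```

Validating before the import matters because the Administration Service creates every account in the file in one pass; a row with a bad Boolean in a column such as PasswordPwdUseDirectory would otherwise be silently interpreted, and a file containing PasswordPwd values is itself a credential store that should be deleted once the import has run.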
User accounts
About user accounts
In WatchGuard Administrator, there are three different ways to create user accounts: Add User Account User Linking User Import These three options are designed to meet different administrative requirements, but all result in user accounts. The only difference in the end result can be the level of detail in account settings. In edit mode, applicable account settings are available for configuration regardless of how the user account was created. Using the Add User Account wizard is the standard way to create user accounts, and the way that presents you with the largest number of options. It is suitable when the majority of user accounts are already registered in the Administrator. User Linking is used when you quickly want to create a basic user account based on an existing user in user storage. If you want to create user accounts for users not stored in user storage, or if you want to create multiple user accounts simultaneously, use User Import to create user accounts by importing a file containing user information. For more information see, Add user account, User Linking, and User Import.
The following account settings can be specified during the wizard:
- Link to User Storage: You can link the user account to an existing user in user storage. A link to the correct location (DN) of the user in the user storage is created. The user's display name, email address, and cell phone number are retrieved when available.
- Custom-defined User Attributes: You can define attributes that are specific for the user account. These attributes can for example be used when creating user property groups.
- WatchGuard Authentication Settings: You can enable available WatchGuard authentication methods and enter corresponding password or PIN settings. Also included are user account specific notification settings, which refer to what email address and SMS to use, and message set. You have the option to specify a message set. A message set is a set of all WatchGuard authentication notification messages. The Default message set includes all messages specified on the Global Authentication Service Settings page.
- SSO Settings: You can connect the user account to available SSO domains and enter credentials for each domain attribute.
- User Certificates: You can connect specific user certificates to the user account. This option is only available when the authentication method User Certificate is configured.
User Linking
Creating a user account through User Linking requires a user storage location, since the user account is created by linking to an existing user in user storage. User linking can be performed manually or automatically. Manual user linking is performed on the Manage User Linking page. Automatic user linking is enabled on the User Linking tab in Manage Global User Account Settings. The accounts are then created automatically when users who are located in user storage but do not have corresponding user accounts in WatchGuard Administrator attempt to log on to the system. Regardless of whether the user linking is manual or automatic, the following settings are automatically created for the user account:
- Max Retries for Access (default value is set according to Manage Global User Account Settings)
- Max Retries for WatchGuard Authentication (default value is set according to Manage Global User Account Settings)
- Account Expires Within (default value is set according to Manage Global User Account Settings)
- Authentication methods enabled on the User Linking tab in Manage Global User Account Settings and their corresponding settings (only if Enable WatchGuard Authentication when manually linking the user on the same tab is selected)
User Import
Creating a user account through User Import on the Manage User Import page does not require user storage. Multiple user accounts are created simultaneously by importing a file containing user information separated by commas, semi-colons, or tabs. The minimum user information in the file required to create a user account is user ID and display name. The following settings are automatically created for the user accounts (only if the corresponding information is not specified in the imported file):
- Max Retries for Access (default value is set according to Manage Global User Account Settings)
- Max Retries for WatchGuard Authentication (default value is set according to Manage Global User Account Settings)
- Account Expires Within (default value is set according to Manage Global User Account Settings)
As opposed to User Linking, authentication methods enabled on the User Linking tab in Manage Global User Account Settings and their corresponding settings are not retrieved when creating user accounts through user import.
WatchGuard authentication
WatchGuard Authentication includes use of the WatchGuard authentication methods Web, Mobile Text, Challenge, Synchronized, and Password. To disable WatchGuard authentication for a user account, you need to disable all WatchGuard authentication methods for that user account.
User certificate
Certificates can be bound to specific users to be used for authentication with the authentication method User Certificate.
General settings
On the General Settings page, you specify general configuration settings for the user account. Display Name can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section. You can link the user account to an existing user in user storage. A link to the correct location (DN) of the user in the user storage is created. The user's display name, email address, and cell phone number are retrieved when available. You can also define attributes that are specific for the user account. These attributes can for example be used when creating user property groups. You can select to temporarily disable a user account, or to specify a time period for the user account's validity. The default value here is retrieved from the Global User Account Settings page.
Format complies with your browser's language settings.
When WatchGuard authentication has been enabled on the WatchGuard Authentication tab, you can specify the user's notification settings. Both email Address and SMS can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section.
General Settings
Label | Mandatory | Description
User ID | Yes | User ID connects the actual user with the user account.
Display Name | Yes | Name used in the system to identify the user account.
User Location in Directory | No | Distinguished Name for the user in the user storage. It is not possible to edit the link manually.
Last Logged In | No | This setting is only available when editing a user account.
You also select how the new password or PIN used for WatchGuard authentication will be distributed to the user when the user account has been created. Available options depend on the system configuration for notification and SMS distribution configuration. Available notification options are:
- By email
- By screen
- By SMS
- By email and screen
- By SMS and screen
Email is sent to the email address configured on the Global Authentication Service Settings page, on the Email Messages tab.

You have the option to specify a message set. A message set is a set of all WatchGuard authentication notification messages. The Default message set includes all messages specified on the Global Authentication Service Settings page.

Specify Group Name when Use Groups is selected as default for user accounts on the Global User Account Settings page. When a group name is entered, only that group can be associated with that specific user. The group information is then sent to the RADIUS client and the RADIUS client can be configured to use this information (managed as an attribute) for authentication. Group Name can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section.

Edit the setting Framed IP when Use Framed IP is selected as default for user accounts on the Global User Account Settings page. See that section for more information. Framed IP can be retrieved automatically if a user storage attribute has been specified on the Directory Mapping tab in the Manage User Storage section.
Message Set
WatchGuard Authentication
Label | Mandatory | Description
Number of Retries | No | Counter keeping track of the number of incorrect logon attempts. Default value is retrieved from the Global User Account General Settings page.
 | No | Used to manually reset Number of Retries. Not selected by default.
 | No | Not selected by default.
 | No | If locked, the user will not be able to log on until the time defined in Time Lock Time-out on the Global User Account General Settings page is reached, or until you unlock the user account.
Verify Password | (Yes) | Only displayed if the password has been manually entered or generated (not if the directory service password is used or if the password is set through directory mapping).
Verify PIN | (Yes) |
Other options in these tables: Not selected by default.
WatchGuard Password

Label | Mandatory | Description
Enable WatchGuard Password for the user account | No | Only available when editing a user account. Not selected by default.
Password | (Yes) | Mandatory when WatchGuard Password is enabled, Generate Password is not selected, and the user's linked password cannot be found in the directory service. Select Generate Password for an automatically created password. The password must contain a minimum of 2 letters.
Verify Password | (Yes) | Verification of Password. Only displayed if the password has been manually entered or generated (not if the directory service password is used or if the password is set through directory mapping).
 | No | Not selected by default.
 | No | Not selected by default.
Verify PIN | (Yes) |
Notification
Label | Mandatory | Description
Notification | No | The displayed options depend on the system notification configuration and the SMS distribution configuration. Set to Screen by default.
Group Name | No | This setting is only displayed when Use Groups is selected as default for user accounts on the Global User Account Settings page.
Framed IP | No | Framed IP is only displayed when Use Framed IP is selected as default for user accounts on the Global User Account Settings page.
User certificate
Certificates can be bound to specific users to be used for authentication with the authentication method User Certificate. You can replace or remove the certificate bound to the user account. To search for certificates, you can use one of two methods:
- Browse for the certificate in a file system, using the Browse button
- Enter the user attribute that holds the user's certificate and search for the certificate in the user storage location
User Certificate
Label | Mandatory | Description
Upload from File System | No | The file path to a user certificate to bind to the user.
Locate in Directory | No | The attribute in storage from which to get the user certificate to bind to the user.
User groups
About user groups
User groups are used to categorize users. This categorization controls what a user can access, or what actions users must perform to enable certain access rights.
General Settings
Label | Mandatory | Description
Display Name | Yes | Unique name used to identify the user group inside the system.
Attribute Value | Yes |
User storage
About user storage
User storage is the external location where users are stored and used by the Policy Service as part of the authorization process. It is recommended that user accounts are linked to the user storage, to enable reuse of user information. To automatically add references (when authenticating a user, for example) to existing users and user groups in the directory service, you need to configure user storage. To set up user storage you need to specify the host for the directory service and define a set of search rules that enables the system to find users and user groups. You can specify several user storage locations in directory services of different brands and different vendors.
Search rules
Define the search rules that your directory service uses to match users and user groups. Which rules are best for your organization depends on the directory structure your organization has selected and which user objects you want to use in your rules.
Directory mapping
Directory mapping is used to retrieve existing information in user storage using specified attributes. When used, you can reuse information such as passwords or email addresses without specifying them in the WatchGuard Administrator when creating or linking user accounts, for example. For more information, see Manage user storage.
Member attribute name: The member attribute name to use when searching for user groups. Example: member

Search Scope: Use the search scope when searching for users. Available options are:
- Object Level: Searches for objects located on base level only
- One Level: Searches for objects located directly below base, not including the base
- Sub-tree level: Searches for objects located below base, not including the base
Directory Mapping
Label | Mandatory | Description
Display Name | No | Set to the standard LDAP attribute displayName by default.
Group Name | No | Set to the standard LDAP attribute sn by default.
Framed IP | No |
Notification email Address | No | Set to the standard LDAP attribute mail by default.
Notification SMS | No | Set to the standard LDAP attribute mobile by default.
Mobile Text Authentication Password | No | Set to the standard LDAP attribute userPassword by default.
Web Authentication Password | No | Set to the standard LDAP attribute userPassword by default.
Challenge Authentication PIN | No | Set to the standard LDAP attribute userPassword by default.
Synchronized Authentication PIN | No | Set to the standard LDAP attribute userPassword by default.
Password Authentication password | No | Set to the standard LDAP attribute userPassword by default.
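The search rules (member attribute, search scope) and the directory mapping defaults above, worked through against a small in-memory directory as an added example (not WatchGuard code and not from the guide). It shows the three search scopes, how a user ID must be escaped before it is placed in an LDAP search filter (RFC 4515) so that an ID such as `*)(uid=*` cannot widen the search, how group membership is resolved through the member attribute, and how the default mapping attributes displayName, mail and mobile populate an account. The directory content is constructed; the objectClass values are assumed. Sub-tree scope here includes the base entry, as LDAP (RFC 4511) defines it, whereas the table above describes it as excluding the base.

```python
"""Search scope, filter escaping, group lookup and directory mapping (added example)."""

DIRECTORY = {   # constructed sample: DN -> attributes (values are lists, as in LDAP)
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["person"], "uid": ["alice"], "displayName": ["Alice Example"],
        "mail": ["alice@example.com"], "mobile": ["+15555550100"]},
    "uid=bob,ou=contractors,ou=people,dc=example,dc=com": {
        "objectClass": ["person"], "uid": ["bob"], "displayName": ["Bob Example"],
        "mail": ["bob@example.com"]},
    "cn=vpn-users,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "uid=bob,ou=contractors,ou=people,dc=example,dc=com"]},
}

DEFAULT_MAPPING = {   # defaults from the Directory Mapping table
    "Display Name": "displayName",
    "Notification email Address": "mail",
    "Notification SMS": "mobile",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the user-supplied ID becomes a literal value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(user_attr: str, user_id: str) -> str:
    """The filter a search rule would send to the directory server."""
    return f"(&(objectClass=person)({user_attr}={escape_filter_value(user_id)}))"


def _norm(dn: str) -> tuple:
    """Case-insensitive RDN tuple; assumes no escaped commas in the DN."""
    return tuple(part.strip().lower() for part in dn.split(","))


def in_scope(base: str, dn: str, scope: str) -> bool:
    """object: the base only; onelevel: direct children; subtree: base and below."""
    b, d = _norm(base), _norm(dn)
    if scope == "object":
        return d == b
    if scope == "onelevel":
        return len(d) == len(b) + 1 and d[1:] == b
    if scope == "subtree":
        return d[len(d) - len(b):] == b
    raise ValueError(f"unknown scope {scope!r}")


def find_users(directory: dict, base: str, scope: str, user_attr: str, user_id: str) -> list:
    """Entries in scope whose user_attr equals user_id literally, which is
    what a server returns for build_user_filter's escaped filter."""
    return [dn for dn, attrs in directory.items()
            if in_scope(base, dn, scope)
            and "person" in attrs.get("objectClass", [])
            and user_id in attrs.get(user_attr, [])]


def groups_of(directory: dict, user_dn: str, member_attr: str = "member") -> list:
    """Groups whose member attribute lists the user's DN."""
    target = _norm(user_dn)
    return [dn for dn, attrs in directory.items()
            if any(_norm(m) == target for m in attrs.get(member_attr, []))]


def map_attributes(entry: dict, mapping: dict = DEFAULT_MAPPING) -> dict:
    """Directory mapping: copy the first value of each mapped attribute
    that the entry actually carries."""
    return {label: entry[attr][0] for label, attr in mapping.items() if attr in entry}
```

The scope choice is what decides whether bob, who sits one level deeper under ou=contractors, is found at all; the escaping is what keeps a user ID typed at the logon page from turning the search rule into a wildcard query. Mapping userPassword, as the remaining rows of the table do, means the Administration Service reads the directory password attribute, so the bind account it uses needs read access to that attribute and nothing more.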
Access rules
Access rules consist of detailed requirements that users must conform to in order to be allowed access to resources. Available access rules range from authentication methods, user group membership, and date period, to client IP address, client assessment, and client device. You can specify general access rules available for all resources or SSO domains, access rules that apply to individual resources, as well as a global access rule that automatically applies to all resources and SSO domains.
Standard resources
In WatchGuard Administrator, a number of applications are available as pre-configured standard resources. The purpose of the standard resources is to facilitate registration. You create a standard resource using a wizard, which creates the applicable Web and/or tunnel resources for you.
When a user makes a request using a registered mapped DNS name, the Access Point looks up which server to connect to and which protocol to use and sends the request towards this server. WatchGuard Administrator supports three methods of DNS mapping:
- URL mapping: The resource is mapped to a path instead of using a mapped DNS name
- Reserved DNS mapping: The resource is mapped to a specific DNS name
- Pooled DNS mapping: The resource is assigned a DNS name on first Access Point request towards an internal server
You specify which method of DNS mapping to use when adding or editing a resource.
About filters
You can use filters to change content in specific pages or in requests for resources. You can apply a filter to a specific resource host or to all resource hosts. You apply the filter to requests or responses and to content or headers. For general filters, you can use variables instead of hard-coded values. You can add one or several variables, specified using name-value pairs, to each filter. The filters are written using scripts in a proprietary script language called WASCR and have the file suffix .wascr. Scripts are located in:
<WatchGuard installation folder>\Access Point\built-in files\scripts\
An example of how filters with variables can be used is displayed below.
Example:
All mapped DNS names are added to a DNS name pool. From there, you select to map Web hosts to DNS names using one of two methods:
- Reserved DNS mapping: When using Reserved DNS mapping, the Web resource is mapped to a specific DNS name in the DNS name pool.
- Pooled DNS mapping: When using Pooled DNS mapping, the Web resource is assigned the first available DNS name from the DNS name pool. This is performed once per session.
General settings
General settings include the addresses used for internal proxies. These are defined by specifying host and port. Internal proxies available for configuration are:
- Internal HTTP proxy
- HTTPS proxy
- TCP proxy
Filters
Define which script to use in the filter by specifying the applicable script name, excluding the file ending .wascr. Note that the file must be stored in one of the following folders:
<WatchGuard installation folder>/files/access-point/built-in-files/scripts
<WatchGuard installation folder>/files/access-point/custom-files/scripts
The filter can be applied to individual resources, or all resource hosts. Optionally, you can define if the filter should be applied to requests or responses, as well as if it should be applied to content or headers.

Path: When specifying the path to the files to be filtered, the wildcard character * can be used. Examples:
/exchange/*
/index.html
*

Content Type: When defining which content type to filter, the wildcard character * can be used. Examples:
text/html
application/x-javascript
text/*
*
General Settings

Label: Script Name
Mandatory: Yes
Description: The name of the filter file, stored in the folder files/built-in-files/scripts or files/custom-files/scripts.

Mandatory: No
Description: Available options are: Request and Response. Set to Request by default.

Mandatory: Yes
Description: Set to All Resource Hosts by default.

Label: Path
Mandatory: Yes
Description: Path to the files to be filtered. The wildcard character * is supported. Set to * by default.

Label: Content Type
Mandatory: Yes
Description: Filtered content type. The wildcard character * is supported.

Mandatory: No
Description: Available options are: Headers and Content. Set to Content by default.
Variables
Label: Name
Mandatory: Yes
Description: Name of the variable.

Label: Value
Mandatory: Yes
Description: Value of the variable.
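The filter selectors described above (resource host, request or response, content or headers, path and content type with the * wildcard, plus name-value variables) can be modelled as a small matching routine. The following Python is an added example and is not WatchGuard code; the field names, the use of "*" for All Resource Hosts, and the sample rules are assumptions made for the illustration. Content types are compared on their base type, so a header such as text/html; charset=utf-8 still matches text/*.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass
class FilterRule:
    """One filter as configured on the Filters tab (field names are assumed)."""
    script_name: str                  # name of the .wascr script, without the suffix
    resource_host: str = "*"          # "*" stands for All Resource Hosts (assumed notation)
    direction: str = "Request"        # Request or Response
    target: str = "Content"           # Content or Headers
    path: str = "*"                   # wildcard * supported, e.g. /exchange/*
    content_type: str = "*"           # wildcard * supported, e.g. text/*
    variables: dict = field(default_factory=dict)  # name-value pairs handed to the script


def _base_type(content_type):
    # "text/html; charset=utf-8" -> "text/html"; a missing header yields ""
    return (content_type or "").split(";")[0].strip().lower()


def rule_matches(rule, host, direction, target, path, content_type):
    """True when every selector of the rule applies to this request or response."""
    if rule.resource_host != "*" and rule.resource_host.lower() != host.lower():
        return False
    if rule.direction != direction or rule.target != target:
        return False
    # fnmatchcase gives shell-style "*" matching; "?" and "[...]" are also special,
    # which is acceptable for the path and type patterns used here.
    if not fnmatch.fnmatchcase(path, rule.path):
        return False
    return fnmatch.fnmatchcase(_base_type(content_type), rule.content_type.lower())


def select_scripts(rules, host, direction, target, path, content_type):
    """Return (script_name, variables) for every rule that applies, in configured order."""
    return [(r.script_name, dict(r.variables))
            for r in rules
            if rule_matches(r, host, direction, target, path, content_type)]


# Constructed sample rules: hide a logout link in Exchange responses, add a header on /index.html
SAMPLE_RULES = [
    FilterRule("hide_logout", direction="Response", target="Content",
               path="/exchange/*", content_type="text/*",
               variables={"linkText": "Log off"}),
    FilterRule("add_header", direction="Request", target="Headers", path="/index.html"),
]
```

A response for /exchange/inbox.aspx with content type text/html selects only hide_logout, a request for /index.html with no content type selects only add_header, and an image under /exchange/ selects nothing.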
Link translation
In the Link Translation section of the global resource settings, you specify which headers and content types will be filtered and checked for link translation. Available headers and content types are: Request headers, Response headers, Request content types, and Response content types.
Request Headers: Defines the request headers that should be filtered and checked for link translation before the request is sent to the internal host. Headers listed must be one-valued. If not, the first value is translated and the second is deleted. Set to the following headers by default: Destination, Referrer.
Response Headers: Defines the response headers that should be filtered and checked for link translation before the response is sent to the client. Headers listed must be one-valued. If not, the first value is translated and the second is deleted. Set to the following headers by default: Location, Content-Base, Content-Location.
Request Content Types: Specify request content types that should be link translated. The string NOT_DEFINED can be entered, meaning that if no content type is sent, the content should be translated anyway. Request content types are set to the following content types by default: text/html, application/x-javascript, text/vnd.wap.wml, text/xml, text/css.
Response Content Types: Specify response content types that should be link translated. The string NOT_DEFINED can be entered, meaning that if no content type is sent, the content should be URL translated anyway. Response content types are set to the following content types by default: text/html, application/x-javascript, text/vnd.wap.wml, text/xml, text/css.
Link Translation

Label: Request Headers
Mandatory: No
Description: Request headers that are filtered and checked for link translation if the destination host is configured to translate request headers. Set to Destination and Referrer by default.

Label: Response Headers
Mandatory: No
Description: Response headers that are filtered and checked for link translation if the host sending the response is configured to translate response headers. Set to Location, Content-Base, and Content-Location by default.

Label: Request Content Types
Mandatory: No
Description: Defines the content types filtered for requests. Set to text/html, application/x-javascript, text/vnd.wap.wml, text/wml, and text/css by default.

Label: Response Content Types
Mandatory: No
Description: Defines the content types filtered for responses. Set to text/html, application/x-javascript, text/vnd.wap.wml, text/xml, and text/css by default.
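The two link translation rules stated above, that a listed header must be one-valued (the first value is translated, any second value is deleted) and that NOT_DEFINED makes a body with no content type translatable, are illustrated by the following added Python example. It is not part of the guide or of the Access Point; the mapping from an internal server name to the published name is constructed, and the rewrite itself is a simple host substitution standing in for whichever mapping method the resource uses.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping: internal server name -> public name the Access Point publishes it under.
HOST_MAP = {"intranet.example.internal": "portal.example.com"}

# Defaults as listed in the guide for response headers and content types.
DEFAULT_RESPONSE_HEADERS = ("Location", "Content-Base", "Content-Location")
DEFAULT_CONTENT_TYPES = ("text/html", "application/x-javascript",
                         "text/vnd.wap.wml", "text/xml", "text/css")


def translate_url(value):
    """Rewrite an absolute URL that points at a known internal host; leave others as they are."""
    parts = urlsplit(value)
    if parts.hostname is None:
        return value                      # relative link: no host part to rewrite
    external = HOST_MAP.get(parts.hostname.lower())
    if external is None:
        return value                      # foreign host: not one of our resources
    # An internal port, if any, is dropped: the published host is reached on its default port.
    return urlunsplit((parts.scheme, external, parts.path, parts.query, parts.fragment))


def translate_headers(headers, configured=DEFAULT_RESPONSE_HEADERS):
    """Apply link translation to the configured headers of a (name, value) list.

    A configured header is treated as one-valued: its first value is translated and
    every further value is deleted, exactly as the guide describes.
    """
    wanted = {h.lower() for h in configured}
    seen = set()
    out = []
    for name, value in headers:
        key = name.lower()
        if key not in wanted:
            out.append((name, value))     # untouched, multi-valued headers allowed
            continue
        if key in seen:
            continue                      # second value of a listed header is deleted
        seen.add(key)
        out.append((name, translate_url(value)))
    return out


def content_needs_translation(content_type, configured=DEFAULT_CONTENT_TYPES):
    """Decide whether a body should be link translated from its Content-Type header."""
    if content_type is None:
        return "NOT_DEFINED" in configured  # no header sent: translate only if configured so
    base = content_type.split(";")[0].strip().lower()
    return base in {t.lower() for t in configured}
```

With the defaults, a body without a Content-Type header is not translated; adding the string NOT_DEFINED to the configured list changes that.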
The first DNS name in the example above is pre-configured in the system and available by default. It cannot be edited or deleted.
Standard resources
About standard resources
In WatchGuard Administrator, a number of commonly used applications are available as partly pre-configured standard resources. Standard resources are provided for your convenience, to facilitate registration. Instead of creating ordinary Web or tunnel resource hosts for these applications, you use a wizard to create the resources with a minimum of manual configuration. The applicable settings and Web and/or tunnel resources are created automatically when the wizard is completed. The following applications are available as standard resources:
File Sharing Resources: Microsoft Windows File Share, Access to Home Directory
Mail: IMAP/SMTP, POP3/SMTP, Outlook Web Access 5.5, Outlook Web Access 2000, Outlook Web Access 2003, Outlook Web Access 2007, MS Outlook Client 2000/2003/2007
Portal Resources: Citrix Metaframe Presentation Server, Microsoft SharePoint Portal Server 2003, ThinLinc
WatchGuard Resources: Secure Remote Access to Administrator
Remote Controlling Resources: Microsoft Terminal Server 2000, Microsoft Terminal Server 2003
Other Web Resources: SalesForce
For more information, see Manage standard resources.
Special Settings
These are the settings that differ between the Standard Resources. For information on how to define each Standard Resource Type, see Standard Resources Settings.
Access Rules
See Manage Access Rules.
Common Settings

Label: Enable Resource
Mandatory: No
Description: Selected by default.

Label: Make resource available in Application Portal
Mandatory: No
Description: Selected by default.

Label: Icon
Mandatory: (Yes)
Description: Path to the image file that symbolizes the standard resource in the Application Portal. Mandatory when Make resource available in Application Portal is selected.

Label: Link Text
Mandatory: (Yes)
Description: Text that represents the Standard Resource in the Application Portal. Mandatory when Make resource available in Application Portal is selected.
Label: HTTP Port
Mandatory: Yes

Label: Citrix MetaFrame Server 1
Mandatory: Yes

Label: Citrix MetaFrame Server 2
Mandatory: No

Label: Citrix MetaFrame Server 3
Mandatory: No
Label: HTTP Port
Mandatory: Yes

Label: Thinlinc Application Server 1
Mandatory: Yes

Label: Thinlinc Application Server 2
Mandatory: No

Label: Thinlinc Application Server 3
Mandatory: No
General Settings
You specify host and HTTP or HTTPS ports for Domino Web Access. Host defines the IP address or DNS name of the Domino Web Access host. HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the Web resource uses a non-default HTTP port (other than 80) or an HTTPS port other than 443, the port must be added to the registered alternative hosts. Example:
www.watchguard.com:8080
If the default port is used, make sure the alternative host contains the server name without port. Example:
www.watchguard.com
The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource Host page.
Special Settings
You specify host and port for the Terminal Server 2000 or 2003. Host defines the IP address or DNS name of the Terminal Server host. Port defines the port for Terminal Server TCP. Several port numbers or a range of port numbers can be entered, separated by commas. The default port is 3389. You can also select to use Dynamic or Static tunnels. See the Tunnel Configuration Settings for further information on the difference between Dynamic and Static Tunnels.
Special Settings
You specify host and HTTP or HTTPS ports for Outlook Web Access. Host defines the IP address or DNS name of the Outlook Web Access host. HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the Web resource uses a non-default HTTP port (other than 80) or an HTTPS port other than 443, the port must be added to the registered alternative hosts. Example:
mail.watchguard.com:8080
If the default port is used, make sure the alternative host contains the server name without port. Example:
mail.watchguard.com
The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource Host page.
Special Settings
You specify host and port for the Microsoft Outlook Client 2000/2003/2007. Host defines the IP address or DNS name of the Exchange Server host. Port defines the port for MAPI to Exchange. Several port numbers or a range of port numbers can be entered, separated by commas. Set to 1-65535 by default.
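The port field of the Terminal Server and Outlook Client resources above accepts single ports, ranges, and comma-separated combinations of both. The following added Python example, which is not WatchGuard code, parses that notation into validated, merged ranges and reports how many ports a specification opens; the function names are assumptions. Counting the ports makes the width of the Outlook Client default 1-65535 visible next to a narrow specification such as 3389.

```python
MIN_PORT, MAX_PORT = 1, 65535


def parse_port_spec(spec):
    """Parse "137-139,445"-style text into a sorted list of (low, high) tuples.

    Single ports become one-element ranges. Entries are validated against 1-65535,
    a reversed range is rejected, and overlapping or adjacent ranges are merged so
    the result is canonical regardless of the order they were typed in.
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry in %r" % spec)
        if "-" in item:
            low_text, high_text = item.split("-", 1)
            low, high = int(low_text), int(high_text)   # int() rejects non-numeric text
        else:
            low = high = int(item)
        if not (MIN_PORT <= low <= high <= MAX_PORT):
            raise ValueError("port range %r is out of order or outside %d-%d"
                             % (item, MIN_PORT, MAX_PORT))
        ranges.append((low, high))
    ranges.sort()
    merged = []
    for low, high in ranges:
        if merged and low <= merged[-1][1] + 1:           # overlaps or touches the previous range
            merged[-1] = (merged[-1][0], max(high, merged[-1][1]))
        else:
            merged.append((low, high))
    return merged


def port_in_spec(ranges, port):
    """True when a TCP port falls inside the parsed specification."""
    return any(low <= port <= high for low, high in ranges)


def port_count(ranges):
    """Number of distinct ports the specification exposes through the tunnel."""
    return sum(high - low + 1 for low, high in ranges)


# Constructed specifications taken from the defaults quoted in the guide
TERMINAL_SERVER_DEFAULT = "3389"
OUTLOOK_CLIENT_DEFAULT = "1-65535"
FILE_SHARE_PORTS = "137-139,445"
```

port_count(parse_port_spec(OUTLOOK_CLIENT_DEFAULT)) returns 65535, against 1 for the Terminal Server default and 4 for the file share set.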
POP3/SMTP
Configuration of a standard resource for a POP3/SMTP mail server includes the settings described below.
Special Settings
You specify host and port for the POP3/SMTP mail server. Mail Server Address defines the IP address or DNS name of the POP3/SMTP mail server. Startup Command is the command used to start the local mail client. You can also select to use Dynamic or Static tunnels. See the Tunnel Configuration Settings for further information on the difference between Dynamic and Static Tunnels.
POP3/SMTP
Label: Mail Server Address
Mandatory: Yes
Description: Host address of the Mail Server host.

Label: Startup Command
Mandatory: No
Description: Startup Command used to start the client.

Label: Tunnel Type
Mandatory: Yes
Description: Use Dynamic or Static tunnels, Dynamic by default.
IMAP/SMTP
Configuration of a standard resource for an IMAP/SMTP mail server includes the settings described below.
Special Settings
You specify host and port for the IMAP/SMTP mail server. Mail Server Address defines the IP address or DNS name of the IMAP/SMTP mail server. Startup Command is the command used to start the local mail client. You can also select to use Dynamic or Static tunnels. See the Tunnel Configuration Settings for further information on the difference between Dynamic and Static Tunnels.
IMAP/SMTP
Label: Mail Server Address
Mandatory: Yes
Description: Host address of the Mail Server host.

Label: Startup Command
Mandatory: No
Description: Startup Command used to start the client.

Label: Tunnel Type
Mandatory: Yes
Description: Use Dynamic or Static tunnels, Dynamic by default.
Special Settings
You specify host, share, and drive letter for the standard resource. Host defines the IP address or DNS name of the host. Share defines the share to connect to on the file server. Drive letter (optional) defines the preferred drive to map on to the client.
Special Settings
You specify the host for the standard resource. The host defines the IP address or DNS name of the host.
Special Settings
You specify host and HTTP or HTTPS ports for Secure Remote Access to Administrator. Host defines the IP address or DNS name of the Administration Service host. HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the Web resource uses a non-default HTTP port (other than 80) or an HTTPS port other than 443, the port must be added to the registered alternative hosts. Example:
www.watchguard.com:8080
If the default port is used, make sure the alternative host contains the server name without port. Example:
www.watchguard.com
The alternative host is registered as an IP address or DNS name on the General Settings tab on the Edit Resource Host page.
Label: Host
Description: IP address of the Administration Service host.

Label: HTTP Port
Description: Either HTTP Port or HTTPS Port is mandatory. Set to 80 by default.

Label: HTTPS Port
Description: Either HTTP Port or HTTPS Port is mandatory.
SalesForce
Configuration of a standard resource for SalesForce includes the settings described below.
Special Settings
No special settings are required for this Standard Resource. It will use the default HTTP connection towards the SalesForce servers.
SalesForce
Label: Host
Mandatory: Yes
Description: IP address of the Administration Service host.

Label: HTTP Port
Mandatory: (Yes)
Description: Either HTTP Port or HTTPS Port is mandatory. Set to 80 by default.

Label: HTTPS Port
Mandatory: (Yes)
Description: Either HTTP Port or HTTPS Port is mandatory.
Web Resources
About Web Resources
Web resources are applications with a Web interface, or any files accessible in a Web browser. A Web resource has a resource host (or root) which may have one or several paths connected to it. A resource host defines an HTTP or HTTPS server based on a URL. A resource path defines a subset of a Web server, for when you want to restrict user access to that subset only. Example:
Host: https://www.watchguard.com
Path: https://www.watchguard.com/securefolder/securepage.htm
When using Web resource paths, you can set your own security levels with access rules for specific applications and files. You can also choose to let a Web resource path derive its authorization settings (consisting of access rules and advanced settings) from the parent Web resource host or path.
Single Sign-On
When SSO is enabled and used, it performs a POST or a GET request to a URL. The form data usually contains a user name and a password together with some static fields. The variables [$username], [$password], and [$domain] are replaced by the stored user name, password, and NTLM domain from the SSO database. If the back-end server requires the logon request to contain specific headers, these can be supplied as additional headers. Example:
User-Agent: Mozilla/4.6 Enterprise Edition (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Accept: */*
General settings
Configuration of a Web resource host includes settings described below.
The Web resource host Display Name is also used for link translation in the Access Point, that is as part of the translated, or rewritten, link. Because of this, Display Name cannot contain characters such as commas or semi-colons, for example. Supported characters in display names are: A-Z, a-z, 0-9, and non-alphanumeric characters (for example: !, $, #, or %).
Single-Sign On
If you have registered Single Sign-On domains, you can enable SSO for the Web resource host. Depending on the domain types of the registered SSO domains, you can select SSO domain type text, cookie (text is selected by default) or Adaptive SSO, and then select which SSO domain to use. If you select Adaptive SSO, you can also select to create a new SSO Domain that will be used for this resource. See more information about Adaptive SSO below. If you select domain type text and will use form-based SSO, additional configuration regarding the logon form of the resource host and the form response message is required. The logon form is added to the resource host to enable form-based SSO. Configuration of the logon form includes whether SSO should perform POST or GET when triggered, the URL to GET or POST data to, and the form data sent to the server. A form response message can be used to determine whether a logon was successful or not. Configuration of the form response message, which appears when the user has logged on or failed to log on, includes a URL to which the response from the form should be sent, and a text string in the form response used to decide whether the authentication is successful or unsuccessful.
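The form-based SSO logon described in the Single Sign-On passage under About Web Resources and again here (POST or GET to a URL, form data with [$username], [$password] and [$domain] placeholders, optional extra headers, and a text string in the response that decides success) is shown end to end in the following added Python example. It is not WatchGuard code: the function names, the credential record, the logon URL and the sample form are constructed for the illustration, and nothing is sent over the network; the example only builds the request the Access Point would send and evaluates a response body.

```python
from urllib.parse import urlencode

SSO_VARIABLES = ("[$username]", "[$password]", "[$domain]")


def substitute(value, creds):
    """Replace the three SSO variables in one form field with the stored values."""
    return (value.replace("[$username]", creds["username"])
                 .replace("[$password]", creds["password"])
                 .replace("[$domain]", creds.get("domain", "")))


def build_logon_request(method, url, form_data, creds, extra_headers=None):
    """Build the logon request as a dict: method, url, headers, body.

    form_data keeps the configured field order; static fields (such as a submit
    button value) pass through unchanged, placeholders are filled from creds.
    """
    fields = {name: substitute(value, creds) for name, value in form_data.items()}
    encoded = urlencode(fields)                   # application/x-www-form-urlencoded
    headers = dict(extra_headers or {})
    if method.upper() == "GET":
        separator = "&" if "?" in url else "?"
        return {"method": "GET", "url": url + separator + encoded,
                "headers": headers, "body": ""}
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    return {"method": "POST", "url": url, "headers": headers, "body": encoded}


def logon_succeeded(response_body, success_string):
    """The form response check: the configured text string must appear in the reply."""
    return success_string in response_body


# Constructed sample configuration and stored credentials (not real values)
SAMPLE_FORM = {
    "username": "[$username]",
    "password": "[$password]",
    "domain": "[$domain]",
    "login": "Log on",            # static field
}
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/4.6 Enterprise Edition (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)",
    "Accept": "*/*",
}
SAMPLE_CREDS = {"username": "alice", "password": "s3cret", "domain": "CORP"}
SAMPLE_URL = "https://intranet.example.internal/login"
```

The POST variant carries the encoded fields in the body with a Content-Type header added; the GET variant appends them to the URL, which is why the guide lets you choose per resource.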
General Settings
Label: Enable resource
Mandatory: No
Description: Selected by default.

Label: Display Name
Mandatory: Yes
Description: Unique name used in the system to identify the Web resource host.

Label: Description
Mandatory: No
Description: Describes the Web resource host.

Label: Host
Mandatory: Yes
Description: IP address or DNS name for the host.

Label: HTTP Port
Mandatory: (Yes)
Description: Either HTTP Port or HTTPS Port is mandatory. Set to 80 by default.

Label: HTTPS Port
Mandatory: (Yes)
Description: Either HTTP Port or HTTPS Port is mandatory.
Adaptive Single-Sign On
Adaptive SSO does not need to be configured because it configures itself. You only need to apply it on a resource and choose an SSO domain to use, exactly the same way as you do with text based SSO. The functionality of Adaptive SSO differs from the old Form Based SSO in the following ways:
The first time a user accesses the resource, the system learns its configuration. The user is never presented with the WatchGuard standard form Additional Authentication Required, as with Text and old Form Based SSO. Instead, the user sees the original HTML form as if no SSO were configured.
The second time the same user accesses the resource, he or she does not see the login page but is forwarded directly, as if he or she had filled in the user name and password and pressed Submit.
When another user who lacks SSO credentials accesses the resource, he or she also sees the back end server's form, as if no SSO were configured, but once he or she has filled in the credentials on the page, they are stored in his or her SSO domain in the directory.
The first time a user is timed out or presented with a relogin page, the system learns the new URL that is likely to present a relogin page. The second time a user is timed out, he or she does not see it but is automatically logged in again.
The detailed configuration is automatically detected by the Access Point as the first user accesses the resource. This information is collected in a file located at the Access Point: config/FormBasedLearning.txt. In load balanced mode, this file is synchronized between the Access Points in the system, using the native load balancing protocol that the Access Point uses to mirror sessions. The file is not synchronized with the Administration Service.
If a user is timed out from the back end server, the Access Point hides the re-authentication form from the user and automatically logs the user in again. If the form contains hidden state parameters, the Access Point merges those state parameters into the POST request. This is not possible with the old Form Based SSO. For example, if a user tries to access a Perldesk URL targeting a specific PD ticket, Perldesk redirects the user to a login page with a hidden parameter telling where the user was about to go before login was requested. With Adaptive SSO, this information is carried in the auto-generated POST request so that the user is redirected to the requested PD ticket.
SSO Settings
Label: Enable Single Sign-On
Mandatory: No
Description: Not selected by default.

Label: SSO Type
Mandatory: (Yes)
Description: Available options are: Text, Cookie, Form Based, Adaptive SSO. Mandatory when Enable Single Sign-On is selected. Set to Text by default.

Label: SSO Domain
Mandatory: (Yes)
Description: Lists registered SSO Domains in the system. Mandatory when Enable Single Sign-On is selected. If Adaptive SSO is selected there is also an option, create new domain, which gives the opportunity to create a new domain.

Mandatory: (Yes)
Description: Name of the new SSO Domain created for Adaptive SSO.
Limitations
The Access Point makes a best effort to find out which parameter is the user name, which is the password and, where present, which is the domain, and stores the auto-configured parameters in the FormBasedLearning.txt file. However, some HTML pages use JavaScript to copy contents from one form to another, or from a password field into a hidden field, before the actual submit is performed. In those cases, the Access Point's auto-configured FormBasedLearning will be incorrect and SSO will only work for one single user, or for no user at all. It is therefore recommended to test SSO by logging in with two different accounts before being certain that the auto-configuration is correct. If it is not correct, the FormBasedLearning.txt file can be altered manually; see below how to do that. Sometimes a login form has hidden fields that are filled in by JavaScript with client-specific information such as screen resolution. These parameters are defined by the user who teaches the system the first time. So if the screen resolution of the first user is 1600x1200, all users will seem to have this resolution. There is no simple workaround for this; the old Form Based SSO has the same limitation. If the user has an empty password at the back end system, Adaptive SSO is unable to learn the credentials.
Troubleshooting (FAQ)
Q: I have enabled Adaptive SSO on a resource, but I don't get SSO to work.
A: When you test it with a browser, make sure that the resource is always accessed through WatchGuard Administrator, i.e. that your browser is never redirected outside WatchGuard Administrator while accessing the resource. If your browser is redirected, the resources are not correctly configured. You may have to add more resource hosts to the system, or you may add addresses to the additional host names. There is a debug log called hyperlinks.log under access-point/logs/debug, in which you can see which hosts are resolved and which are foreign. You may have to add a new resource host based on the information about a foreign host in hyperlinks.log. Make sure that the login page is part of the resource that you have enabled SSO for. If you are not certain, you may try to enable Adaptive SSO on the resource host (the root) rather than on the resource path.

Q: SSO works, but when I'm timed out from the resource I do not get re-authenticated automatically.
A: Make sure the relogin page is delivered from a URL whose resource is set to use Adaptive SSO. If not certain, use Adaptive SSO on the resource root rather than on the resource path.

Q: SSO works, but sometimes when I log out from the back end server I come to the login page, and sometimes the login page is hidden from me and I am just logged in again automatically directly after a logout.
A: This works as designed. However, you can hide the logout link using a filter script to prevent this behavior. Whether the relogin page is shown or not depends on the time between logging on to the resource and logging off. If you click the resource, wait for 30 seconds and then log out, you will automatically be logged in again. But if you wait less than 30 minutes, you will see the login page after logging out. The reason for this is to prevent the SSO from getting stuck in a loop: Adaptive SSO never knows whether your credentials are correct or not, so if they are not correct, the user must be able to see the login page and enter new valid credentials.

Q: I have manually changed the FormBasedLearning.txt file as described. It worked fine for a while, but after some time it seems to have forgotten my manual settings. Users no longer get access to the back end system.
A: The Access Point resets the learning for a resource if it stops working correctly. This happens in one of the following scenarios: the back end server responds with an HTTP 404 or an HTTP 405 to the POST, or the resource host pointed out by formActionURL has been removed from the resource list in RemoteConfiguration. Your manual changes therefore disappeared because of a change on the back end server or a change in the resource configuration. You will have to redo the manual changes in FormBasedLearning.txt.
Label: Link Text
Mandatory: Yes
Access rules
See Manage Access Rules.
Advanced settings
The following advanced settings are available for the Web resource host. All advanced settings are optional.
Access Settings
Link Translation: You set the link translation type used: URL mapping, Pooled DNS Mapping or Reserved DNS Mapping. By default, a Web resource is set not to use a mapped DNS name. You can only assign reserved mapped DNS names that are not used for any other Web resource. When selecting Pooled DNS Mapping, the resource is automatically assigned a DNS name when it is used. When selecting Reserved DNS Mapping, you select among the available DNS names displayed in a list to specify a DNS name for the resource.
Server DNS Name: You can specify a host header used in the communication with the internal server. If a specific server DNS name is not defined, the host address (the connect address) is used.
Cookies: You have the option to forward cookies between client and resource. When the option is selected, cookies are allowed to pass through from the client to the resource and back. When not selected, all cookies are stopped at the Access Point. When forwarding cookies, you need to specify a list of cookies to either allow or block (or use the wildcard character * to allow or block all). If allowed, the cookies pass through from the client to the resource and back. If blocked, the cookies are stopped at the Access Point.
NTLM v2: Use NTLM v2 if possible.
Label: Server DNS Name
Mandatory: No

Label: Forward cookies between client and resource
Mandatory: No

Label: Cookies to check
Mandatory: (Yes)
Description: Lists the names of the cookies that the system checks. Mandatory when Forward cookies between client and resource is selected.

Label: Action
Mandatory: No
Description: Available options are: Allow and Block. When set to Allow, only cookies listed in Cookies to check are allowed. Other cookies are blocked.

Label: Use NTLM v2
Mandatory: Yes
Description: Selected by default.
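The cookie handling described under Cookies above (nothing forwarded unless the option is selected; with Allow only listed cookies pass and all others are stopped; with Block the listed ones are stopped; * stands for all) is illustrated by the following added Python example. It is not WatchGuard code; the function names and the sample cookie headers are constructed. Both directions are covered: the Cookie header the client sends and the Set-Cookie headers the resource returns.

```python
def _parse_cookie_header(value):
    """Split a request Cookie header ("a=1; b=2") into (name, value) pairs."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        pairs.append((name.strip(), val.strip()))
    return pairs


def _listed(name, cookies_to_check):
    """A cookie is listed when named explicitly or when the list is the wildcard *."""
    return "*" in cookies_to_check or name in cookies_to_check


def _passes(name, cookies_to_check, action):
    listed = _listed(name, cookies_to_check)
    if action == "Allow":
        return listed            # only listed cookies pass, the rest are stopped
    if action == "Block":
        return not listed        # listed cookies are stopped, the rest pass
    raise ValueError("action must be Allow or Block, got %r" % action)


def filter_request_cookies(cookie_header, forward, cookies_to_check=(), action="Allow"):
    """Return the Cookie header value to send on to the resource ("" when nothing may pass)."""
    if not forward or not cookie_header:
        return ""                # option not selected: every cookie stops at the Access Point
    kept = ["%s=%s" % (name, val)
            for name, val in _parse_cookie_header(cookie_header)
            if _passes(name, cookies_to_check, action)]
    return "; ".join(kept)


def filter_response_set_cookies(set_cookie_values, forward, cookies_to_check=(), action="Allow"):
    """Return the Set-Cookie header values allowed back to the client.

    Each value is a full header such as "sid=abc; Path=/; HttpOnly"; only the
    cookie name before the first "=" decides whether it is listed.
    """
    if not forward:
        return []
    out = []
    for header in set_cookie_values:
        name = header.split(";", 1)[0].partition("=")[0].strip()
        if _passes(name, cookies_to_check, action):
            out.append(header)
    return out


# Constructed sample headers
SAMPLE_COOKIE = "sid=abc; track=1; theme=dark"
SAMPLE_SET_COOKIES = ["sid=abc; Path=/; HttpOnly", "track=1; Path=/"]
```

An Allow list naming only the session cookie lets nothing else reach the resource, while a Block list has to name every cookie you want stopped, so Allow is the more conservative configuration.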
Authorization Settings
There are a number of advanced authorization settings available, enabling you to specify in detail how a specific Web resource will be accessed.
Path Match: You have the option to require an exact path match. When enabled, the defined access rules for this Web resource path apply to this path only and not to all paths beginning with this one. When not selected, the access rules apply to this Web resource path and all paths beginning with this one, unless a more significant resource is found under this path.
Automatic Access: You can configure the Web resource path to be accessed automatically. For resources where automatic access is activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but the user is still regarded as inactive according to the time-out configuration.
Expression of Will: When expression of will is used, re-authentication is required for each request.
MIME Types: You can also define which MIME types should be allowed to be cached in the client browser. The required format is text/html.
Time-out: You can configure resource-specific time-out settings for max inactivity time and absolute time-out. These settings are specified globally for user accounts, to 15 by default for max inactivity time and to 720 by default for absolute time-out. By configuring time-out settings on the resource, you can ensure the security of the resource at a higher level, or the opposite: specific resources may not need the same level of security, or you may accept a longer time-out period.
The setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.
Label: Use Expression of Will
Mandatory: No

Label: Use Time-out
Mandatory: No

Label: Max Inactivity Time-out
Mandatory: No

Label: Absolute Time-out
Mandatory: No
Encryption Level
You have the option to specify the encryption level required for clients to be allowed access to the resource. By default, SSL is required in the traffic between the client and the system. Options for encryption level are:
Strong encryption level: 128 bits (default)
Weak encryption level: 56 bits
Other encryption level (specify the desired number of bits)
General settings
Configuration of a path to a Web resource host includes the settings described below.
Path: When configuring a Web resource path you specify its path, i.e. the path to the subset of the Web resource host. The path you specify is added to the path of the parent host or path to form the complete path. When registering a sub path, i.e. a path added to an existing Web resource path, the path to the parent Web resource path is displayed for your convenience.
Authorization: If you do not want to set specific authorization (Access Rules and advanced settings) for the Web resource path, you have the option to reuse the authorization specified for the parent Web resource host or path. Using this option, the authorization set for the parent host or path is inherited by the Web resource path, and the Access Rules and Advanced Settings sections of the configuration are not displayed.
Single-Sign On: If you have registered Single Sign-On domains, you can enable SSO for the Web resource host. Depending on the domain types of the registered SSO domains, you can select SSO domain type text or cookie (text is selected by default) and then select which SSO domain to use. If you select domain type text and will use form-based SSO, additional configuration regarding the logon form of the resource host and the form response message is required. The logon form is added to the resource host to enable form-based SSO. Configuration of the logon form includes whether SSO should perform POST or GET when triggered, the URL to GET or POST data to, and the form data sent to the server. A form response message can be used to determine whether a logon was successful or not. Configuration of the form response message, which appears when the user has logged on or failed to log on, includes a URL to which the response from the form should be sent, and a text string in the form response used to decide whether the authentication is successful or unsuccessful. For information about Adaptive SSO, see the Adaptive Single Sign-On section in Manage Web Resource Hosts.
Application Portal Settings: You can select to make the Web resource host available in the Application Portal. You then specify an icon to represent the resource. An icon library provides a range of icons to choose from, but you can also browse to a desired image file. The icon must be of the type .gif, .jpeg, or .png and must not exceed 10kB in size. In addition, you enter a link text accompanying the icon in the Application Portal. All link texts in the Application Portal are displayed alphabetically, which makes it possible to organize the order in which the resources are presented. For each Web resource specified to be displayed in the Application Portal, a corresponding Application Portal item is automatically created. The Application Portal item is displayed, and can be edited or deleted, on the Manage Application Portal page in the Manage Resource Access section.
General Settings
Label: Enable resource
Mandatory: No
Description: Selected by default.

Label: Parent Path
Mandatory: No
Description: Available when adding a child resource path (a sub-path to another resource path). Displays the path to the parent resource path. Not editable.

Label: Path
Mandatory: Yes
Description: Path to the resource. Available when adding a resource path.

Mandatory: No
Description: Selected by default.
SSO Settings
Label: Enable Single Sign-On
Mandatory: No
Description: Not selected by default.

Label: SSO Type
Mandatory: (Yes)
Description: Available options are: Text, Cookie, Form Based, Adaptive SSO. Mandatory when Enable Single Sign-On is selected. Set to Text by default.

Label: SSO Domain
Mandatory: (Yes)
Description: Lists registered SSO Domains in the system. Mandatory when Enable Single Sign-On is selected. If Adaptive SSO is selected there is also an option, create new domain, which gives the opportunity to create a new domain.

Mandatory: (Yes)
Description: Name of the new SSO Domain created for Adaptive SSO.
Label: Icon
Mandatory: Yes
Description: Path to the image file that symbolizes the Web resource path in the Application Portal. Mandatory when Make resource available in Application Portal is selected.

Label: Link Text
Mandatory: Yes
Description: Text that represents the Web resource path in the Application Portal. Mandatory when Make resource available in Application Portal is selected.
Access rules
See Manage Access Rules.
For resource paths, access rules are not available for configuration if you have selected to use the authorization of the parent path.
Advanced settings
The following advanced settings are available for the Web resource path. All advanced settings are optional.
Advanced settings are not available for configuration if you have selected to use the authorization of the parent path.
Authorization Settings
There are a number of authorization settings available, enabling you to specify in detail how the specific Web resource path will be accessed.
Path Match: You have the option to require an exact path match. When enabled, the defined access rules for this Web resource path apply to this path only and not to all paths beginning with this one. When not selected, the access rules apply to this Web resource path and all paths beginning with this one, unless a more significant resource is found under this path.
Automatic Access: You can configure the Web resource path to be accessed automatically. For resources where automatic access is activated, the user session time-outs are not affected. For example, a script can automatically request a resource, but the user is still regarded as inactive according to the time-out configuration.
MIME Types: You can also define which MIME types should be allowed to be cached in the client browser. The required format is text/html.
Expression of Will: When expression of will is used, re-authentication is required for each request.
Time-out: You can configure resource-specific time-out settings for max inactivity time and absolute time-out. These settings are specified globally for user accounts, to 15 by default for max inactivity time and to 720 by default for absolute time-out. By configuring time-out settings on the resource path, you can ensure the security of the resource path at a higher level, or the opposite: specific resource paths may not need the same level of security, or you may accept a longer time-out period.
The setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.
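The Authorization Settings for Web resource hosts and for Web resource paths both describe the same three mechanisms: path matching (exact match versus "all paths beginning with this one", with the most significant resource winning), automatic access that leaves the inactivity clock untouched, and per-resource time-outs that override the global defaults of 15 and 720. The following added Python example, which is not WatchGuard code, models all three together so the interaction can be seen on sample resources; the class and function names are assumptions, the time-out values are treated as minutes (the guide gives no unit), and "beginning with" is implemented as a literal string prefix as the text states it.

```python
from dataclasses import dataclass

# Global user-account defaults quoted in the guide; the unit (minutes) is an assumption.
GLOBAL_MAX_INACTIVITY = 15
GLOBAL_ABSOLUTE_TIMEOUT = 720


@dataclass
class WebResource:
    path: str
    exact_path_match: bool = False      # Path Match: apply to this path only
    automatic_access: bool = False      # Automatic Access: does not count as user activity
    use_timeout: bool = False           # Use Time-out: resource-specific values below apply
    max_inactivity: int = GLOBAL_MAX_INACTIVITY
    absolute_timeout: int = GLOBAL_ABSOLUTE_TIMEOUT


def resolve_resource(resources, request_path):
    """Pick the resource whose authorization applies to request_path.

    A resource with exact_path_match covers only its own path; any other resource
    covers every path beginning with its path (literal prefix, as the guide says).
    Of all covering resources the most significant one, i.e. the longest path, wins.
    """
    best = None
    for res in resources:
        if res.exact_path_match:
            covers = request_path == res.path
        else:
            covers = request_path.startswith(res.path)
        if covers and (best is None or len(res.path) > len(best.path)):
            best = res
    return best


@dataclass
class Session:
    started: int          # time the session was created
    last_activity: int    # time of the last request that counted as user activity


def effective_timeouts(resource):
    """Resource-specific values when Use Time-out is set, otherwise the global ones."""
    if resource is not None and resource.use_timeout:
        return resource.max_inactivity, resource.absolute_timeout
    return GLOBAL_MAX_INACTIVITY, GLOBAL_ABSOLUTE_TIMEOUT


def session_valid(session, resource, now):
    """A session survives only while both the inactivity and the absolute limits hold."""
    inactivity, absolute = effective_timeouts(resource)
    return (now - session.last_activity) <= inactivity and (now - session.started) <= absolute


def record_access(session, resource, now):
    """Update the inactivity clock unless the resource is accessed automatically."""
    if resource is None or not resource.automatic_access:
        session.last_activity = now
    return session


# Constructed sample: a root, a tighter application path, an exact-match admin page,
# and a polling endpoint fetched automatically by a script.
SAMPLE_RESOURCES = [
    WebResource("/"),
    WebResource("/app", use_timeout=True, max_inactivity=5),
    WebResource("/app/admin", exact_path_match=True, use_timeout=True, absolute_timeout=60),
    WebResource("/app/poll", automatic_access=True),
]
```

Note that /app/admin/users falls back to the /app resource because the admin resource requires an exact match, and that a script polling /app/poll never extends the session.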
Encryption Level
You have the option to specify the encryption level required for clients to be allowed access to the resource. By default, SSL is required in the traffic between the client and the system. Options for encryption level are:
Strong encryption level: 128 bits (default)
Weak encryption level: 56 bits
Other encryption level (specify the desired number of bits)
Tunnel resources
About tunnel resources
In WatchGuard Administrator, you configure tunnel resource hosts for client-server applications that are not Web enabled. An example of such an application is Remote Desktop. The tunnel allows any TCP/UDP traffic between the client and the server to be channeled over a protected SSL connection. A tunnel is an intermediary program acting as a blind relay between two connections. Once active, a tunnel is not considered a party to the HTTP communication, though the tunnel may have been initiated by an HTTP request. The tunnel ceases to exist when both ends of the relayed connections are closed. To make a tunnel resource accessible to the user, you configure a tunnel set that includes static and/or dynamic tunnels for the resource. When using tunnel resources, you can set your own security levels with access rules for specific client applications and servers. Use the Application Portal for tunnel resource access when authenticating with the authentication methods WatchGuard SSL Web and End-Point Security Client Scan, since the Access Client cannot be used stand-alone for tunnel resource access with Web based authentication. For more information, see Manage tunnel resources.
Examples of common TCP ports:
Application | TCP port(s)
File share | 137-139, 445
Remote Desktop | 3389
Citrix | 1494
Exchange | 1-65535 (*)
SSH | 22
SMTP | 25
Telnet | 23
POP3 | 110
IMAP | 143
The wildcard (*) for Exchange removes any port-level restriction for that host, so the access rules on the tunnel resource are then the only control over what users can reach there.
Examples of common UDP ports:
Alternative Hosts
Alternative hosts are used to map a tunnel resource to a Scripted Resource in the associated tunnel set. When Scripted Resource is selected, no registered resource is selected; instead, a filter on the Access Point decides which resource to use. One common example is the Citrix nFuse server, which sends a properties file through the Access Point specifying which Citrix MetaFrame server to use in the current session. You configure the filter script on the Filters tab of the Global Resource Settings page. The alternative host is specified as an IP address or a DNS name. When the resource uses a non-default HTTP port (other than 80) or an HTTPS port other than 443, the port must be included in the alternative host. Example: www.watchguard.com:8080. If the default port is used, the alternative host must contain the server name without a port. Example: www.watchguard.com
Access rules
See Manage Access Rules.
Advanced settings
Access Settings
You can select to connect via proxy, directing the connection to the tunnel resource through a proxy server.
Authorization Settings
There are a number of advanced authorization settings available, enabling you to specify in detail how a specific tunnel resource will be accessed.

Automatic Access
You can configure the tunnel resource to be accessed automatically. For resources where automatic access is activated, the user session time-outs are not affected: a script can request the resource automatically, but the user is still regarded as inactive according to the time-out configuration.

Time-out
You can configure resource-specific time-out settings for authentication time-out, max inactivity time and absolute time-out. These settings are also available, with default values, for user accounts. By configuring time-out settings on the resource you can protect the resource more strictly than the user-account settings do, or, conversely, relax them where a specific resource does not need the same level of security and a longer time-out period is acceptable.
The setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.
General Settings
Label | Mandatory | Description
Enable resource | No | Selected by default.
Display Name | Yes | Unique name used in the system to identify the tunnel resource.
Host | Yes | IP address or DNS name of the resource host.
TCP Port Set | (Yes) | Either a single port, a range of ports, or the wildcard character * for all ports (1-65535). Either TCP Port Set or UDP Port Set is mandatory.
UDP Port Set | (Yes) | Either a single port, a range of ports, or the wildcard character * for all ports. Either TCP Port Set or UDP Port Set is mandatory.
File Share SSO | No | Selected if Single Sign-On for File Shares should be enabled for this resource host. If selected, File Share SSO Domain is enabled and an SSO Domain must be selected. This checkbox is disabled if no SSO Domains have been registered in the system.
File Share SSO Domain | (Yes) | The SSO Domain that should be used for File Share SSO. Only available if File Share SSO is enabled for this tunnel resource.
Remote Desktop SSO | No | Selected if Single Sign-On for Remote Desktop (RDP protocol) should be enabled for this resource host. If selected, Remote Desktop SSO Domain is enabled and an SSO Domain must be selected. This checkbox is disabled if no SSO Domains have been registered in the system.
Remote Desktop SSO Domain | (Yes) | The SSO Domain that should be used for Remote Desktop SSO. Only available if Remote Desktop SSO is enabled for this tunnel resource.
Access Rules
See Manage access rules.
Advanced settings
Access Settings
You can select to connect via proxy, directing the connection to the tunnel resource network through a proxy server.
Authorization Settings
There are a number of advanced authorization settings available, enabling you to specify in detail how a specific tunnel resource network will be accessed.

Automatic Access
You can configure the tunnel resource network to be accessed automatically. For resources where automatic access is activated, the user session time-outs are not affected: a script can request the resource automatically, but the user is still regarded as inactive according to the time-out configuration.

Time-out
You can configure resource-specific time-out settings for authentication time-out, max inactivity time and absolute time-out. These settings are also available, with default values, for user accounts. By configuring time-out settings on the resource you can protect the resource more strictly than the user-account settings do, or, conversely, relax them where a specific resource does not need the same level of security and a longer time-out period is acceptable.
Note that the setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.
General Settings
Label | Mandatory | Description
Enable Resource | No | Not selected by default.
Display Name | Yes | Unique name used in the system to identify the tunnel resource network.
Description | No | Description of the tunnel resource network.
IP Range | Yes | IP address of the first and the last host in the range of tunnel resources in the network.
TCP Port Set | (Yes) | One, several, or a range of port numbers, separated by commas. Either TCP Port Set or UDP Port Set is mandatory.
UDP Port Set | (Yes) | One, several, or a range of port numbers, separated by commas. Either TCP Port Set or UDP Port Set is mandatory.
Access Settings
Label | Mandatory | Description
Connect via proxy | No | Not selected by default.
Authorization Settings
Label | Mandatory | Description
Automatic access | No | Not selected by default.
Use Time-out | No | Selected by default.
Max Inactivity Time | No | Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default.
Absolute Time-out | No | Time in minutes (0-1440) since the user was last authenticated with the required authentication method, before re-authentication is required, independent of user activity. Set to 720 by default.
Tunnel sets
About tunnel sets
In WatchGuard Administrator, you configure tunnel sets to enable users to access configured tunnel resources. A tunnel set can include one or several tunnel resources. It contains static and/or dynamic tunnels, at least one for each resource included in the set. The tunnel set is displayed as an icon in the Application Portal, providing users with access to all tunnel resources in the tunnel set through the WatchGuard Administrator Access Client. The Access Client is either a Win32 application or a Java application, loaded using either an ActiveX Web loader or a Java Applet Web loader.
The ActiveX loader requires administrator rights on the client the first time it is used. In addition, local lookups and DNS forwarding require administrator rights on the client every time they are used. When using the installable WatchGuard Administrator Access Client, administrator rights are not required on the client for local lookups.
Apart from configuring static and/or dynamic tunnels for the resources in the set, there are a number of advanced settings available for the tunnel set. The advanced settings include local lookups, used to define host addresses that should be resolvable on the client if no external DNS record is found. Local lookups are checked before any external DNS, so the external DNS can be overridden. Advanced settings also include mapped drives, and client configuration such as startup and shutdown commands.

Static tunnels
Static tunnels are configured to tunnel resources on the local interface using a single port, and can be used on all platforms.

Dynamic tunnels
Dynamic tunnels are configured to tunnel resources using any IP address on one or a range of ports, and can only be used on Windows platforms.

Access rules
The tunnel resources you collect in a tunnel set are normally protected by access rules. In addition, you can apply access rules to the tunnel set itself, to control how and when users should be able to access the tunnel set. A tunnel resource can be included in several tunnel sets. This enables you to associate tunnel sets with different levels of access control, for example for different user groups.
Access control of a specific tunnel resource is always done using the access rules configured for that tunnel resource. The only use of access rules on a tunnel set is to make the associated icon in the Application Portal subject to access control as well.
Access client
When a user clicks an icon for a tunnel set in the Application Portal, the Access Client is loaded using either the ActiveX Web loader or the Java applet loader. The order in which these loaders are tried is configured on the tab. For more information, see Manage tunnel sets, Advanced tunnel settings and Manage global tunnel set settings.
General Settings
Label | Mandatory | Description
Enable tunnel set | No | Selected by default.
Display Name | Yes | Unique name used in the system and by the Access Client to identify the tunnel set.
 | Yes | Path to the image file that symbolizes the tunnel set in the Application Portal. Mandatory when Make resource available in Application Portal is selected.
Link Text | Yes | Text that represents the tunnel set in the Application Portal. Mandatory when Make resource available in Application Portal is selected.
General Settings
Label | Mandatory | Description
Resource | Yes | List of available registered tunnel resources.
Protocol | No | Only available if both TCP ports and UDP ports have been set for the specified tunnel resource host. Set to TCP by default.
 | Yes | IP address; must be in the range 127.x.x.x. Set to 127.0.0.1 by default.
Client Port | Yes | Only one port number can be entered. If the entered port is occupied, the next available port is used. It is recommended that the same port as Resource Port is used.
Resource Port | Yes | Only one port number can be entered. If the entered port is occupied, the next available port is used. It is recommended that the same port as Client Port is used.
Confirm connections | No | Not selected by default.
Advanced Settings
Label | Mandatory | Description
No delay for TCP traffic | No | When selected, Nagle's algorithm is disabled (the TCP_NODELAY socket option is set). Selected by default.
Confirm Connections For both static and dynamic tunnels, you have the option to enable Confirm Connections. When enabled, the user must confirm all tunnel resource host connections before they are established, either in the Application Portal or in the Access Client.
General Settings
Label | Mandatory | Description
Resource | Yes | Tunneled resource host.
Virtual IP Address | Yes | This can be an arbitrary IP address; it is recommended not to use the selected resource host's real IP address.
Resource Port | Yes | Either a single port, a range of ports, or the wildcard character * for all ports (1-65535).
Confirm connections | No | Not selected by default.
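The port set syntax used by the TCP/UDP Port Set fields of tunnel resources and tunnel resource networks, and the way static and dynamic tunnels map a client-side address to a resource, are shown together below. This is an added example in Python, not code from the WatchGuard product: it parses a port set as the guide describes it (single port, range, comma-separated list, or * for all ports), models static tunnels on 127.x.x.x and dynamic tunnels on a virtual IP, and resolves where a client connection would be relayed. The resource names and addresses are constructed, and the check that a tunnel may only expose ports inside its resource's registered port set is an assumption of the example, not a documented product behaviour.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")   # static tunnels listen on 127.x.x.x


def parse_port_set(spec: str) -> List[Tuple[int, int]]:
    """Parse a port set in the guide's syntax: a single port, a range 'low-high',
    the wildcard '*' (all ports 1-65535), or several of these separated by commas.
    Returns sorted, merged inclusive ranges; raises ValueError on malformed input."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if item == "*":
            ranges.append((1, 65535))
            continue
        lo_s, sep, hi_s = item.partition("-")
        try:
            lo = int(lo_s)
            hi = int(hi_s) if sep else lo
        except ValueError:
            raise ValueError("bad port entry %r in %r" % (item, spec)) from None
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("port entry %r out of order or out of range" % item)
        ranges.append((lo, hi))
    ranges.sort()
    merged: List[Tuple[int, int]] = []
    for lo, hi in ranges:
        if merged and lo <= merged[-1][1] + 1:       # overlapping or adjacent: merge
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def port_in_set(port: int, ranges) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def subset(inner, outer) -> bool:
    """True if every range of inner lies inside one merged range of outer."""
    return all(any(olo <= lo and hi <= ohi for olo, ohi in outer) for lo, hi in inner)


class TunnelResource:
    """A registered tunnel resource host: host plus its TCP port set."""
    def __init__(self, name: str, host: str, tcp_port_set: str):
        self.name, self.host = name, host
        self.tcp_ports = parse_port_set(tcp_port_set)


class StaticTunnel:
    """Listens on one loopback address and port; relays to one resource port.
    The guide recommends the same port on both ends, so that is the default."""
    def __init__(self, resource: TunnelResource, resource_port: int,
                 local_ip: str = "127.0.0.1", client_port: Optional[int] = None):
        if ipaddress.ip_address(local_ip) not in LOOPBACK:
            raise ValueError("static tunnel address must be 127.x.x.x, got %s" % local_ip)
        if not port_in_set(resource_port, resource.tcp_ports):   # example's own sanity check
            raise ValueError("port %d is not in the port set of %s" % (resource_port, resource.name))
        self.resource, self.resource_port = resource, resource_port
        self.local_ip = local_ip
        self.client_port = resource_port if client_port is None else client_port


class DynamicTunnel:
    """Captures traffic to a virtual IP on a set of ports (Windows only per the guide)."""
    def __init__(self, resource: TunnelResource, virtual_ip: str, port_set: str):
        if virtual_ip == resource.host:
            raise ValueError("virtual IP should not be the resource host's real address")
        self.ports = parse_port_set(port_set)
        if not subset(self.ports, resource.tcp_ports):             # example's own sanity check
            raise ValueError("%s exposes ports outside the port set of %s" % (port_set, resource.name))
        self.resource, self.virtual_ip = resource, virtual_ip


def resolve(tunnels, dest_ip: str, dest_port: int) -> Optional[Tuple[str, int]]:
    """Where is a client connection to dest_ip:dest_port relayed? None means no tunnel
    claims it, so it is ordinary client traffic subject to the client firewall."""
    for t in tunnels:
        if isinstance(t, StaticTunnel) and (dest_ip, dest_port) == (t.local_ip, t.client_port):
            return t.resource.host, t.resource_port
        if isinstance(t, DynamicTunnel) and dest_ip == t.virtual_ip and port_in_set(dest_port, t.ports):
            return t.resource.host, dest_port
    return None


def raises(fn: Callable, *args, **kwargs) -> bool:
    """Helper so that misconfigurations can be checked as boolean results."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```

Feeding the common-port examples from the tunnel resources section through parse_port_set ("137-139,445" for file shares, "*" for Exchange) gives the ranges a tunnel or firewall rule actually covers, which is the number to review when deciding whether an access rule is the only remaining control on a host.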
Startup settings
You can specify startup commands to start a specific client to use the tunneled resource. You can also enter a URL that is displayed when the tunnel has been successfully started.

Local lookups
Local lookups are host name patterns that should be resolvable on the client (see Advanced settings above). Example of a host name pattern: mailserver.*
Use the virtual IP address entered for the dynamic tunnel, when applicable. For static tunnels, use 127.0.0.1.
Mapped Drives
You can add mapped drives to the tunnel set to map network resources (printers or drives) to drive letters on the client. Mapped drives are specified by entering the path to the mapped network resource (a UNC path).
You also have the option to specify a drive letter for the drive or printer that the resource host is mapped to. Example: M:
If the selected drive letter is occupied, the next available drive letter is used. You can specify a drive letter here and combine it with a Startup Command defined in the Advanced section. Another option is to use cached credentials. When enabled, cached credentials (Windows domain credentials) are used when mapping a drive. This option is selected by default.
Error Codes to Suppress
You can configure a list of specific error codes for which pop-up messages are suppressed. The error codes are entered as a comma-separated list of 7-digit error codes.

Redirect URL
URL opened in a browser window after the tunnel has started successfully. Example: /http/citrix/

Fallback Tunnel Set
The fallback tunnel set is used if the client computer is not able to load the ActiveX component. The fallback tunnel set is also used if the Windows native client with configured dynamic tunnels fails to load.
Specific Settings
When one of the applications tunneled with the tunnel set is MS Outlook, it is recommended that you enable support for the MS Outlook patch. The patch solves a problem with the Windows 2000 client authentication. When the option is selected, the patch is supported when the client is based on Windows 2000 and is part of a domain.
Provide IP Address
Select Provide IP Address to assign a unique IP address to the client from the IP Address Pool. You manage the IP Address Pool on the Manage Global Tunnel Set Settings page. This also enables configured resources to establish connections towards the client. If IP addresses from the IP Address Pool are added as a tunnel resource, connected clients can also reach each other. Because the client then becomes reachable from the internal network, pair this option with an Internet firewall configuration whose incoming rules accept only the connections you expect (see Client firewalls).
DNS Forwarding
Select Enable DNS Forwarding to temporarily redirect the client's DNS server to the DNS server specified on the Manage Global Tunnel Set page. When DNS Forwarding is selected, all DNS requests on the client are tunneled over the encrypted tunnel to the Access Point, where they are proxied to the DNS server configured on the Manage Global Tunnel Set page. Note that this affects all name resolution on the client for as long as the tunnel is up, not only lookups of tunneled resources.
Client Firewall
Select the Internet firewall configuration that should be associated with the tunnel set. Internet firewall configurations are managed on the Manage Client Firewall page.
Access Rules
See Manage access rules.
IP Address Pool
Specify a range of IP addresses in the IP address pool. The IP address pool defines a set of IP addresses that are assigned to connecting clients, enabling the Access Point to route traffic from the backend systems to the clients. You also configure a time-out in milliseconds, which defines how long the Access Point waits for responses while detecting possible IP conflicts on the internal network.

Label | Mandatory | Description
IP Address Pool | No | Range of IP addresses used in the IP address pool. Disabled if External DHCP is defined.
Time-out | No | Time-out in milliseconds, specifying how long the Access Client waits before giving up when failing to acquire an IP address from the IP address pool. Set to 100 by default.
DNS Server
Specify the IP address or DNS name of the DNS server used for DNS forwarding. When Enable DNS forwarding has been selected on the Advanced tab of the Manage Tunnel Set page, the client's DNS server is temporarily redirected to the DNS server specified here. Local lookups are checked before any external DNS, so the external DNS can be overridden.

Label | Mandatory | Description
DNS Server | (Yes) | IP address or DNS name of the DNS server used for DNS forwarding. Mandatory when DNS Forwarding has been enabled.
Client firewalls
About client firewalls
Client firewalls consist of Internet firewall configurations. An Internet firewall configuration is a collection of rules that control traffic to and from the Access Client. Each configuration is connected to a corresponding tunnel set. The WatchGuard client firewall solution has two parts:
Prevent other network connections from being routed
Check the integrity of the connecting application
When adding a new Internet Firewall Configuration, the rule lists will have default entries showing that all connections will be blocked unless you add a rule above the default rule that accepts a specific connection.
When active, the firewall checks each connection from and to the client computer against the client firewall configuration. For each connection going through the WatchGuard Access Client, information about the application path and checksum is added. This information is taken into consideration when making the authorization decision. Valid application information in WatchGuard Administrator is configured and maintained on the Device Definitions page in the Manage System section.

Incoming Rules
When a connection comes in to the computer, the firewall goes through the list of Incoming Firewall rules. Each rule is checked against the incoming connection to see if they match. If they do not match, the firewall continues with the next rule in the list. If they match, the connection is accepted or denied depending on the rule's configuration, and the firewall does not check further rules in the list. If the rule denies the connection, it is dropped. If the rule accepts the connection, it is let through to the client computer.

Outgoing Rules
When an application on the client computer tries to connect to the Internet, the firewall goes through the list of Outgoing Firewall rules. Each rule is checked in the same way as for incoming connections. If the rule denies the connection, it is rejected. If the rule accepts the connection, it is let through to the Internet.

Exceptions
The client firewall checks all TCP and UDP connections except the following:
Incoming connections from an IP address of a configured resource on the intranet (a connection through the tunnel).
Connections towards the Access Point.
Connections towards an IP address of a configured resource on the intranet through the tunnel. Instead of checking the firewall rules, the access rules of the configured resource apply.
To add Internet Explorer as a Device Definition, add a Device Definition with the following settings. Example:
A definition written this way is valid on all clients regardless of the operating system language. It is also possible to have a stricter rule based on the MD5 checksum of the executable. To define a device based on the checksum, use the hexadecimal representation of the MD5 checksum. Example:
clientfirewall-checksum=<checksum1> | clientfirewall-checksum=<checksum2> |
Note that all entries joined by the | (OR) operator must be on the same line. The Device Definitions made for Client Firewalls can also be used in Access Rules for tunnel resources. Please refer to the How To section in the Online Help for example configurations. For more information, see Manage client firewalls.
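The rule walk described above (first matching rule wins, the default rule at the bottom of each list denies everything else, the device check applies only to Accept rules, and the three exceptions bypass the lists) is implemented below as an added example in Python; it is not WatchGuard's client code. To keep the focus on evaluation, each rule carries one inclusive (low, high) port pair rather than the comma-separated port set syntax, the device check compares the application path and the hex MD5 digest of the executable as in the Device Definition syntax above, and the addresses, paths, rules and the sample "executable" bytes are constructed. Treating a non-matching device as "this rule does not match, continue" is the example's assumption. Bear in mind that both the path and the checksum are reported by the Access Client, so they are only as trustworthy as the client machine itself.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def md5_hex(data: bytes) -> str:
    """Hex MD5 of an executable's bytes, the form used in clientfirewall-checksum=..."""
    return hashlib.md5(data).hexdigest()


@dataclass(frozen=True)
class Device:
    """A Device Definition: accepted application paths and/or accepted checksums.
    Several checksums joined by '|' in the definition become several entries here."""
    name: str
    paths: Tuple[str, ...] = ()
    checksums: Tuple[str, ...] = ()

    def matches(self, app_path: str, app_md5: str) -> bool:
        path_ok = not self.paths or app_path.lower() in (p.lower() for p in self.paths)
        sum_ok = not self.checksums or app_md5.lower() in (c.lower() for c in self.checksums)
        return path_ok and sum_ok


@dataclass(frozen=True)
class Connection:
    direction: str      # "in" (towards the client) or "out" (from the client)
    protocol: str       # "TCP" or "UDP"
    remote_ip: str
    remote_port: int
    app_path: str = ""  # added by the Access Client for connections it sees
    app_md5: str = ""


@dataclass(frozen=True)
class Rule:
    ip_first: str
    ip_last: str
    ports: Tuple[int, int]          # inclusive low-high; comma lists are not parsed here
    protocol: str
    action: str                     # "Accept" or "Deny"
    device: Optional[Device] = None # only consulted when action is "Accept"

    def matches(self, c: Connection) -> bool:
        if c.protocol != self.protocol:
            return False
        ip = ipaddress.ip_address(c.remote_ip)
        if not ipaddress.ip_address(self.ip_first) <= ip <= ipaddress.ip_address(self.ip_last):
            return False
        if not self.ports[0] <= c.remote_port <= self.ports[1]:
            return False
        if self.action == "Accept" and self.device is not None:
            # Assumption: an Accept rule whose device does not match is skipped,
            # so evaluation continues with the next rule in the list.
            return self.device.matches(c.app_path, c.app_md5)
        return True


@dataclass
class ClientFirewall:
    incoming: List[Rule]
    outgoing: List[Rule]
    access_point_ip: str
    resource_ips: Tuple[str, ...]   # configured tunnel resources reached through the tunnel

    def decide(self, c: Connection) -> str:
        # Exceptions listed in the guide: not subject to the firewall rule lists.
        if c.remote_ip == self.access_point_ip:
            return "Accept (Access Point)"
        if c.remote_ip in self.resource_ips:
            return "Accept (resource access rules apply)"
        for rule in (self.incoming if c.direction == "in" else self.outgoing):
            if rule.matches(c):
                return rule.action          # first matching rule decides
        return "Deny"                       # the default rule at the bottom of each list


# Constructed sample: these bytes stand in for iexplore.exe on a client.
IE_BYTES = b"constructed sample executable, not a real binary"
IE = Device(
    "Internet Explorer",
    paths=(r"C:\Program Files\Internet Explorer\iexplore.exe",),
    checksums=(md5_hex(IE_BYTES), "0" * 32),   # two accepted builds, '|'-separated in the UI
)
ANY = ("0.0.0.0", "255.255.255.255")

SAMPLE_FIREWALL = ClientFirewall(
    incoming=[
        Rule("192.0.2.0", "192.0.2.255", (1, 65535), "TCP", "Deny"),  # placed above...
        Rule("192.0.2.0", "192.0.2.255", (22, 22), "TCP", "Accept"),  # ...so this never applies
    ],
    outgoing=[
        Rule(*ANY, (80, 80), "TCP", "Accept", device=IE),
        Rule(*ANY, (443, 443), "TCP", "Accept", device=IE),
    ],
    access_point_ip="203.0.113.10",
    resource_ips=("10.0.0.6",),
)
```

The incoming list illustrates why rule order matters: the broad Deny placed above the narrow Accept means port 22 from 192.0.2.0/24 is still dropped, which is the same ordering mistake as leaving an Accept rule below the default rule.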
General Settings
Label | Mandatory | Description
Display Name | Yes | Unique name used in the system to identify the Internet firewall configuration.
General Settings
Label | Mandatory | Description
IP Range | Yes | IP address of the first and the last host in the range the rule applies to.
Port Set | Yes | One, several, or a range of port numbers, separated by commas.
Protocol | Yes | Available options: TCP and UDP. Set to TCP by default.
Rule | Yes | Available options: Accept and Deny. Set to Deny by default.
Devices
Label | Mandatory | Description
Devices | No | When selected, the rule applies only to the selected device (when Rule is set to Accept). Devices are defined in Manage System, on the Device Definitions page.
Comment
Label | Mandatory | Description
Comment | No | Description of the incoming rule.
General Settings
Label | Mandatory | Description
IP Range | Yes | IP address of the first and the last host in the range the rule applies to.
Port Set | Yes | One, several, or a range of port numbers, separated by commas.
Protocol | Yes | Available options: TCP and UDP. Set to TCP by default.
Rule | Yes | Available options: Accept and Deny. Set to Deny by default.
Devices
Label | Mandatory | Description
Devices | No | When selected, the rule applies only to the selected device (when Rule is set to Accept). Devices are defined in Manage System, on the Device Definitions page.
Comment
Label | Mandatory | Description
Comment | No | Description of the outgoing rule.
Customized resources
About customized resources
You can register and perform access control on resources that do not belong to either of the categories Web resources or tunnel resources, and that are not displayed in the Application Portal. Such resources, for example bank accounts, are registered as customized resources. Use customized resources when you wish to protect resources outside the Application Portal using access rules. A customized resource has a resource host (or root) which may have one or several paths connected to it. When using customized resource paths, you can set your own security levels with access rules for specific applications and files. You can also choose to let a customized resource path derive its authorization settings (consisting of access rules and advanced settings) from the parent resource path.
Access rules
See Manage Access Rules.
Advanced settings
A number of advanced settings are available for configuration of the customized resource host.
Access Settings
You can select to connect via proxy, directing the connection to the customized resource host through a proxy server.
Authorization Settings
There are a number of authorization settings available, enabling you to specify in detail how the specific customized resource host will be accessed.

Path Match
You have the option to require an exact path match. When enabled, the access rules defined for this customized resource path apply to this path only, and not to all paths beginning with it. When not selected, the access rules apply to this customized resource path and to all paths beginning with it, unless a more specific (longer) resource path is found under this path, in which case that path's rules apply.

Automatic Access
You can configure the customized resource path to be accessed automatically. For resources where automatic access is activated, the user session time-outs are not affected: a script can request the resource automatically, but the user is still regarded as inactive according to the time-out configuration.

Expression of Will
When expression of will is used, re-authentication is required for each request.

Time-out
You can configure resource-specific time-out settings for max inactivity time and absolute time-out. The same settings are specified globally for user accounts, by default 15 minutes for max inactivity time and 720 minutes for absolute time-out. By configuring time-out settings on the resource path you can protect the resource path more strictly than the global settings do, or, conversely, relax them where a specific resource path does not need the same level of security and a longer time-out period is acceptable.
Note that the setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.
Advanced Settings
Label | Mandatory | Description
Connect via proxy | No | Not selected by default.
Require exact path match | No | Not selected by default.
Automatic access | No | Not selected by default. For resources where Automatic access is activated, the user session time-outs are not affected when the resource is requested automatically.
 | No | Not selected by default. Only available when editing a Web resource.
Expression of will | No | Not selected by default.
Use Time-out | No | Selected by default.
Max Inactivity Time | No | Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default.
Absolute Time-out | No | Time in minutes (0-1440) since the user was last authenticated with the required authentication method, before re-authentication is required, independent of user activity. Set to 720 by default.
Access rules
See Manage Access Rules.
For resource paths, access rules are not available for configuration if you have selected to use the authorization of the parent path.
Advanced settings
A number of advanced settings are available for configuration of the customized resource path.
Advanced settings are not available for configuration if you have selected to use the authorization of the parent path.
Access Settings
You can select to connect via proxy, directing the connection to the resource through a proxy server.

Authorization Settings
There are a number of authorization settings available, enabling you to specify in detail how the specific customized resource path will be accessed.

Path Match
You have the option to require an exact path match. When enabled, the access rules defined for this customized resource path apply to this path only, and not to all paths beginning with it. When not selected, the access rules apply to this customized resource path and to all paths beginning with it, unless a more specific (longer) resource path is found under this path, in which case that path's rules apply.

Automatic Access
You can configure the customized resource path to be accessed automatically. For resources where automatic access is activated, the user session time-outs are not affected: a script can request the resource automatically, but the user is still regarded as inactive according to the time-out configuration.

Expression of Will
When expression of will is used, re-authentication is required for each request.

Time-out
You can configure resource-specific time-out settings for max inactivity time and absolute time-out. The same settings are specified globally for user accounts, by default 15 minutes for max inactivity time and 720 minutes for absolute time-out. By configuring time-out settings on the resource path you can protect the resource path more strictly than the global settings do, or, conversely, relax them where a specific resource path does not need the same level of security and a longer time-out period is acceptable.
Note that the setting Session Time-Out (on the Global User Account Settings page) ultimately controls the validity time for a session.
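The path-matching rules described for Web resource paths and customized resource paths (exact match versus prefix match, the most specific prefix winning, and a child path deferring to its parent's authorization) decide which access rules a request is actually evaluated against, so they are worth testing against your own path list. The resolver below is an added example, not product code. The paths and rule-set names are constructed, and it assumes the request path has already been normalized (percent-decoding, dot-segment removal) before comparison, since that step is not described on this page. It also shows the consequence of literal prefix semantics: a prefix path without a trailing slash, such as /admin, also governs /administrator-help.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ResourcePath:
    path: str
    exact_match: bool = False       # "Require exact path match"
    use_parent_auth: bool = False   # "use the authorization of the parent path"
    rules: str = "default"          # name of the access rule set that applies


def _covers(p: ResourcePath, request_path: str) -> bool:
    if p.exact_match:
        return request_path == p.path
    return request_path.startswith(p.path)   # literally "all paths beginning with this one"


def _parent(paths: List[ResourcePath], child: ResourcePath) -> Optional[ResourcePath]:
    """Nearest configured ancestor: the longest prefix path that is a proper prefix of child.path."""
    best = None
    for p in paths:
        if p is child or p.exact_match or len(p.path) >= len(child.path):
            continue
        if child.path.startswith(p.path) and (best is None or len(p.path) > len(best.path)):
            best = p
    return best


def governing_path(paths: List[ResourcePath], request_path: str) -> Optional[ResourcePath]:
    """Return the configured path whose access rules govern request_path.
    The longest covering path wins (an exact-match entry beats a prefix entry of the
    same length); a path that uses its parent's authorization defers upward until a
    path with its own authorization is reached. None: no configured path covers it."""
    best = None
    for p in paths:
        if not _covers(p, request_path):
            continue
        if best is None or len(p.path) > len(best.path) or (len(p.path) == len(best.path) and p.exact_match):
            best = p
    while best is not None and best.use_parent_auth:
        parent = _parent(paths, best)
        if parent is None:
            break
        best = parent
    return best


# Constructed configuration for the example.
SAMPLE = [
    ResourcePath("/", rules="all-users"),
    ResourcePath("/intranet/", rules="staff"),
    ResourcePath("/intranet/hr/", rules="hr-only"),
    ResourcePath("/intranet/hr/public/", use_parent_auth=True),
    ResourcePath("/admin", exact_match=True, rules="admins"),
]

# A prefix entry without a trailing slash: note what it also covers.
PREFIX_PITFALL = [ResourcePath("/admin", rules="admins")]
```

If a sibling path that merely shares a prefix must not inherit the rules, define the prefix path with a trailing slash and, where the bare path itself must be reachable, add a separate exact-match entry for it; with the sample above, /admin/users is not covered by the exact-match /admin entry and falls back to the rules on /.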
General Settings
Label | Mandatory | Description
Enable resource | No | Selected by default.
Parent Path | No | Available when adding a child resource path (a sub-path to another resource path). Displays the path to the parent resource path. Not editable.
Path | Yes | Path to the resource. Available when adding a resource path (a path to another resource host, or a sub-path to another path).
Use authorization of parent path | No | Selected by default.
Advanced Settings
Label | Mandatory | Description
Connect via proxy | No | Not selected by default.
Require exact path match | No | Not selected by default.
Automatic access | No | Not selected by default. For resources where Automatic access is activated, the user session time-outs are not affected when the resource is requested automatically.
 | No | Not selected by default. Only available when editing a Web resource.
Expression of will | No | Not selected by default.
Use Time-out | No | Selected by default.
Max Inactivity Time | No | Maximum user inactivity time in minutes (0-1440) before re-authentication is required. Set to 15 by default.
Absolute Time-out | No | Time in minutes (0-1440) since the user was last authenticated with the required authentication method, before re-authentication is required, independent of user activity. Set to 720 by default.
SSO domains
About SSO domains
Single Sign-On (SSO) is a session/user authentication process that allows users to enter their user credentials once to access several resources. Single Sign-On authenticates users, offers instant access to applications, and eliminates further authentication prompts when the user switches applications. In WatchGuard Administrator, SSO domains are configured to enable Single Sign-On for resources that use the same user credentials. The SSO domain specifies how SSO is used for the resources included in the domain. When user credentials are modified, the changes are automatically applied to all resources in the SSO domain. The SSO functionality in WatchGuard Administrator is based on adaptive learning. When using SSO initially, the user is prompted for user credentials once for each SSO domain, when first accessing a resource in the SSO domain. The user credentials are then stored on the WatchGuard Administrator user account in the directory service, indefinitely or until changed. (You can also choose to cache user credentials, which are then only valid during the session.) Because stored credentials remain valid for every resource in the domain until they are changed, prefer session-only caching for the more sensitive domains. After authentication, the user can access different internal applications that are part of a Single Sign-On domain without the need for re-authentication. For more information, see Manage SSO domains. WatchGuard Administrator supports two methods of using SSO:
Persistent SSO: access to several resources without the need to re-authenticate for each resource.
Session-based SSO: enables one-time logon; users do not have to re-authenticate for each request.
Access rules
You define how and when Single Sign-On should be used by protecting the SSO domain with access rules. The access rules specified for the SSO domain apply to the SSO functionality only, not to the resources in the SSO domain. For example, if a user successfully accesses a resource in the SSO domain but the SSO access rule fails, the user is still free to access resources in the domain. The user is then required to enter credentials for each resource, as if SSO were not applied.
Domain types
In WatchGuard Administrator, SSO domains are available in two domain types:
Text (default)
Cookie
Depending on domain type, different domain attributes can be associated with the SSO domain.

Text
The domain type Text is used to send user credentials as text, with different attributes defining the information needed for authentication. Available domain attributes for the domain type Text are: User name, Password, Domain. Which domain attributes you add to the domain type depends on the authentication method used. The domain attributes normally used for the different authentication methods are described below.

NTLM
When using the Microsoft authentication method NTLM, all domain attributes for the domain type Text (user name, password, and domain) are added to the domain type.

Basic
When using the authentication method Basic, the attributes user name and password are added to the domain type. Basic is the most commonly used authentication method for Web environments.

Form-based
When using form-based logon for an SSO domain, the attributes user name and password are added to the domain type. To use form-based logon for an SSO domain, you need to design a Web form for access to each resource in the SSO domain. This is done when adding or editing a resource: selecting form-based SSO provides the logon form and form response configuration.

Cookie
Cookie authentication is used to send authentication information in HTTP headers. When the domain type Cookie is used, a cookie is set on the Access Point before proxying the request to the backend server. A common use of cookie SSO is when back-end applications only read the authentication information in the very first request. Available attributes are: Cookie name, Cookie value, Cookie secure, Cookie domain.
You have the option to enable a user inactivity check on the SSO domain. Specify a period of time (set in number of days, weeks, or months) during which users are allowed to be inactive, i.e. not access the domain. When the period has passed, credentials must be re-entered before access to the domain is granted. This option is not available when Cache on session only has been selected.

You also have the option to enable an absolute time limit check on the SSO domain. Specify a period of time (set in number of days, weeks, or months) during which users' SSO credentials are valid. When the period has passed, credentials must be re-entered before access to the domain is granted. This setting is independent of user inactivity. This option is not available when Cache on session only has been selected.
Domain attributes
The domain attributes you can add to the SSO domain differ depending on SSO domain type. The domain attributes refer to the user authentication settings, i.e. the settings that characterize the SSO domain. Domain attribute settings for both SSO domain types are described below.
Access Rules
See Manage Access Rules.
Settings
General Settings
Display Name (mandatory: Yes)
  Unique name used in the system to identify the SSO domain.

Domain Type (mandatory: No)
  Available options are: Text and Cookie. Set to Text by default, it is used for domains of the type NTLM, Basic, and Form-based.

(label missing) (mandatory: No)
  Not selected by default.
SSO Restrictions
Enable inactivity check (mandatory: No)
  Not selected by default.

User Inactivity (mandatory: No)
  Time (in days, weeks, or months) users can choose not to access a specific domain before they must provide credentials again for access to be granted.

(label missing) (mandatory: No)
  Not selected by default.

(label missing) (mandatory: No)
  Time in days, weeks, or months the users' SSO credentials are valid before re-authentication is required, independent of user activity regarding the SSO domain.
Attribute Restriction (mandatory: No)

Referenced By (mandatory: No)

Attribute Value (mandatory: (Yes))
Access rules
About access rules
Access rules are the basis of the WatchGuard Administrator access control. Access rules define the specific requirements for access control that you apply to a resource or SSO domain. You can create general access rules that can be applied for any resource or SSO domain, as well as access rules that are applied to specific resources or SSO domains only. In addition, you can define global access rules that are automatically applied to all resources and SSO domains. A number of different areas of requirements, or access rule types, are available in WatchGuard Administrator. You can use access rules of different types in combination. When adding access rules to a resource you can use the general access rules in combination with resource and SSO domain specific access rules, combined with AND. You can only use OR for resource and SSO domain specific access rules.
User Storage
An access rule of the type User storage allows access to a resource protected by the access rule if the user is stored in a specified user storage location. Note that the access rule is dependent on user authentication: the user must be authenticated for the Policy Service to be able to determine whether the user is located in the allowed user storage. As a result, the access rule must be combined with an access rule of the type Authentication method if it is to be used pre-authentication (for example in a global access rule). It can be used on its own, for example, when applied to resources accessed through the Application Portal.

Assessment
An access rule of the type Assessment can be plug-in-based or customized. It allows or denies access to a resource protected by the access rule if the result of a scan of the client computer matches specified client data requirements.

Abolishment
An access rule of the type Abolishment allows access to a resource protected by the access rule if the listener that will be collecting information about the client is active. When the session ends, abolishment as specified in the abolishment configuration is performed on the client.

Abolishment can be configured to allow the user to decide whether created, changed, or downloaded files should be deleted or not.

Access Point
An access rule of the type Access Point allows access to a resource protected by the access rule if the request comes through a specified Access Point.

Identity Provider
An access rule of the type Identity Provider allows access to a resource protected by the access rule

Custom-defined Access Rule
A custom-defined access rule is tailored to meet specific needs. The custom-defined access rules are specified in separate XML files. Custom-defined access rules can only be updated by editing the corresponding XML file.
Access rules included in the global access rule can be of different access rule types. For details regarding settings for the different access rule types, see Access Rule Settings below. Once access rules have been created for and/or included in the global access rule and the configuration has been published, these access rules are automatically applied to all resources and SSO domains in the system. All access rules included in the global access rule are displayed in the access rules step of the add resource and add SSO domain wizards, and on the Access Rules tab when editing a resource or SSO domain.

Selecting Registered Access Rules
Registered access rules are available for selection, but not for editing, when configuring the global access rule. When you select several registered access rules, they must all be fulfilled in order for access to be allowed, i.e. they are combined with an implicit AND statement.

If you select several registered access rules, they are used for authorization in the order they are selected.

Creating New Access Rules
The access rules you create for the global access rule are specific to the global access rule, and cannot be applied to individual resources or SSO domains. The access rules you create are by default separated by an OR statement, i.e. only one of the access rules must be fulfilled for access to be allowed. To require that several access rules be fulfilled for access to be allowed, you can select to combine the access rules with an AND statement.
Access rules applied to the resource or SSO domain can be of different access rule types. For details regarding settings for the different access rule types, see Access Rule Settings below.

Selecting Registered Access Rules
Registered access rules are available for selection, but not for editing, on the resource or SSO domain. When you select several registered access rules, they must all be fulfilled in order for access to be allowed, i.e. they are combined with an implicit AND statement.

If you select several registered access rules, they are used for authorization in the order they are selected.

Creating New Access Rules
The access rules you create for the resource or SSO domain are specific to the individual resource or SSO domain, and cannot be applied to other resources or SSO domains. The access rules you create are by default separated by an OR statement, i.e. only one of the access rules must be fulfilled for access to be allowed. To require that several access rules be fulfilled for access to be allowed, you can select to combine the access rules with an AND statement.

Global Access Rule
If a global access rule has been configured in the system, the access rules included in the global access rule are automatically applied to the resource or SSO domain and displayed for reference. It is not possible to edit or delete the access rules included in the global access rule on individual resources or SSO domains.
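The combination logic described above (registered rules with an implicit AND, created rules with OR unless AND is selected, and the global access rule ANDed with the resource's own rules) is easy to get wrong when reviewing a policy by hand. The following is an added example, not WatchGuard code: it models the combination rules in Python so the outcome for a given request can be checked. The rule types shown (Authentication method, User storage, Group membership, Access Point), the request fields and the sample policy are all constructed for illustration.

```python
"""Added example (not WatchGuard code): how registered, created and global access
rules combine. Rule types and request fields are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Context = Dict[str, object]   # what the Policy Service knows about a request


@dataclass
class AccessRule:
    """One access rule: its type and a predicate over the request context."""
    name: str
    rule_type: str
    check: Callable[[Context], bool]


@dataclass
class RuleSet:
    """Rules attached to one resource or SSO domain, or to the global access rule.

    Registered rules are always combined with an implicit AND. Rules created for
    this object are combined with OR by default, or with AND when
    combine_with_and is selected.
    """
    registered: List[AccessRule] = field(default_factory=list)
    created: List[AccessRule] = field(default_factory=list)
    combine_with_and: bool = False

    def allows(self, ctx: Context) -> bool:
        registered_ok = all(r.check(ctx) for r in self.registered)
        if not self.created:
            created_ok = True
        elif self.combine_with_and:
            created_ok = all(r.check(ctx) for r in self.created)
        else:
            created_ok = any(r.check(ctx) for r in self.created)
        return registered_ok and created_ok


def evaluate(global_rules: RuleSet, resource_rules: RuleSet, ctx: Context) -> bool:
    """The global access rule applies to every resource and is ANDed with the
    resource's own rules; either set failing denies access."""
    return global_rules.allows(ctx) and resource_rules.allows(ctx)


# Constructed rule factories for four of the rule types described in the guide.
def auth_method_rule(methods: set) -> AccessRule:
    return AccessRule("auth-method", "Authentication method",
                      lambda ctx: ctx.get("auth_method") in methods)


def user_storage_rule(storages: set) -> AccessRule:
    # Depends on authentication: an unauthenticated user cannot be located in
    # any storage, which is why the guide pairs this type with an
    # Authentication method rule when it is used pre-authentication.
    return AccessRule("user-storage", "User storage",
                      lambda ctx: bool(ctx.get("authenticated"))
                      and ctx.get("user_storage") in storages)


def group_rule(groups: set) -> AccessRule:
    return AccessRule("group", "Group membership",
                      lambda ctx: bool(set(ctx.get("groups", ())) & groups))


def access_point_rule(points: set) -> AccessRule:
    return AccessRule("access-point", "Access Point",
                      lambda ctx: ctx.get("access_point") in points)


def example_policy():
    """Constructed policy: global rule = auth method AND user storage;
    resource rule = registered Access Point rule AND (finance OR audit group)."""
    global_rules = RuleSet(registered=[auth_method_rule({"Basic", "Mobile ID"}),
                                       user_storage_rule({"corp-ldap"})])
    resource_rules = RuleSet(registered=[access_point_rule({"ap-dmz-1"})],
                             created=[group_rule({"finance"}), group_rule({"audit"})])
    return global_rules, resource_rules


def decide(ctx: Context) -> bool:
    global_rules, resource_rules = example_policy()
    return evaluate(global_rules, resource_rules, ctx)


if __name__ == "__main__":
    request = {"authenticated": True, "auth_method": "Basic", "user_storage": "corp-ldap",
               "groups": ["finance"], "access_point": "ap-dmz-1"}
    print("allowed:", decide(request))                       # True
    print("allowed:", decide(dict(request, groups=["hr"])))  # False: neither OR branch holds
```

Note that the evaluation order the guide mentions (registered rules are used in the order selected) does not change the result, since every registered rule must hold; it only affects which rule is reported as the reason for a denial.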
Date, Day, and/or Time
When creating an access rule of the type Date, day, and/or time, you specify during which date period, weekdays, and/or time the user is allowed to access a resource protected by the access rule. You can select whether to specify date period, weekdays, time period, or a combination.

The date period can be one specific date or a period between two given dates. You specify start date and end date for the period. Year, month, and date are formatted according to your browser's language settings (for example, m/d/yy). Example: 12/1/06 - 12/31/06

One or several weekdays can be specified by selecting Monday through Sunday.

You specify start time and end time for the time period (hour and minute formatted according to your browser's language settings). Example: 12:00 AM - 8:00 PM

User Storage
When creating an access rule of the type User storage, you specify in which user storage the user must be stored to be allowed to access a resource protected by the access rule. All registered user storages are available for selection.

Assessment
When creating an access rule of the type Assessment, you either specify a plug-in to use or manually specify assessment requirements. The client computer is assessed through a client scan performed to match the client data with specified requirements.

Plug-In
When using a plug-in, you select which plug-in to use and configure it according to its requirements. If the plug-in you would like to use is not available in the drop-down list, you can upload the plug-in.

Custom
When not using a plug-in, you specify one or several information paths and requirements for client data per operating system. Currently, you can create client data requirements for Windows only. Future versions of WatchGuard Administrator will support other operating systems. You also select whether an assessment result matching this client data should result in access to a resource protected by the access rule being allowed or denied.

You specify the requirements for client data by defining values to be matched on the client computer. Example: Allow access when a process name matches yourantivirussoftware.exe

Client data is collected in a number of information types, i.e. areas of client data. Available information types and corresponding client data that you can specify requirements for are listed below.
Directory information
  Note: An information path of the type Directory cannot be automatically created if Wildcard match is used.

  Note: An information path of the type Registry Sub Key cannot be automatically created if Wildcard match is used.
Example matching rules for the available client data (values as given in the guide):

Process name: *Mozilla.exe
Process digest: 84885f9b82f4d55c6146ebf6065d75d2
Process ID: 1184
Windows logon domain: WATCHGUARD
Windows logon server: SRV-EXCHANG
Windows alternative domains: WATCHGUARD1, WATCHGUARD 2
Windows user name: userid
Computer name: USERDEV
LAN group: WATCHGUARD
Major version: 3
Minor version: 1
Platform ID: 100
Physical address: 00502239056e
Name: N/A
Description: MS TCP Loopback interface
Local address: 127.0.0.1
Local port: 8300
Remote address: 127.0.0.1
Remote port: 3662
State: Established

Client data for UDP port information: Local address, Local port. Client data for TCP port information: Local address, Local port, Remote address, Remote port, State. Both port information types offer the option Enable collection of process information.
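How a custom assessment requirement is evaluated against the collected client data follows from the settings above: each requirement names an information type, a client data item, a matching rule, and whether the restriction is Match or Wildcard match; a matching result then allows access, or denies it when Deny access is selected. The following is an added example, not WatchGuard code, that implements that evaluation in Python. The scan records are constructed from the example values the guide lists; the record layout, the $NAME form for environment variables and the requirement that every rule hold for at least one record of its information type are assumptions of this example.

```python
"""Added example (not WatchGuard code): evaluating custom assessment requirements
against client scan data. The scan records below are constructed from the
example values in the guide; the record layout is an assumption."""
import os
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from string import Template
from typing import Dict, List, Mapping, Optional

# Constructed client scan result, keyed by information type. Each information
# type may yield several records (for example one per running process).
CLIENT_SCAN: Dict[str, List[Dict[str, str]]] = {
    "Process information": [
        {"Process name": "Mozilla.exe",
         "Process digest": "84885f9b82f4d55c6146ebf6065d75d2", "Process ID": "1184"},
        {"Process name": "yourantivirussoftware.exe",
         "Process digest": "0" * 32, "Process ID": "2048"},
    ],
    "Windows domain information": [
        {"Windows logon domain": "WATCHGUARD", "Windows logon server": "SRV-EXCHANG",
         "Windows alternative domains": "WATCHGUARD1, WATCHGUARD 2"},
    ],
    "TCP port information": [
        {"Local address": "127.0.0.1", "Local port": "8300",
         "Remote address": "127.0.0.1", "Remote port": "3662", "State": "Established"},
    ],
}


@dataclass
class Requirement:
    """One row of the Assessment Requirement table."""
    information_type: str   # e.g. "Process information"
    client_data: str        # e.g. "Process name"
    matching_rule: str      # value to match; may contain $NAME environment references
    wildcard: bool = False  # Matching Restriction: Match (False) or Wildcard match (True)

    def matches(self, record: Mapping[str, str],
                env: Optional[Mapping[str, str]] = None) -> bool:
        value = record.get(self.client_data)
        if value is None:
            return False
        # Environment variables are expanded with $NAME syntax (assumed form);
        # unknown names are left as they are rather than failing the rule.
        rule = Template(self.matching_rule).safe_substitute(os.environ if env is None else env)
        if self.wildcard:
            return fnmatchcase(value, rule)   # '*' and '?' wildcards, case-sensitive
        return value == rule                 # exact Match


@dataclass
class AssessmentRule:
    requirements: List[Requirement] = field(default_factory=list)
    deny_access: bool = False   # the Deny access option on the Assessment Criteria page

    def matched(self, scan: Mapping[str, List[Mapping[str, str]]],
                env: Optional[Mapping[str, str]] = None) -> bool:
        # Every requirement must be satisfied by at least one record of its type.
        return all(any(req.matches(rec, env) for rec in scan.get(req.information_type, []))
                   for req in self.requirements)

    def allows(self, scan, env=None) -> bool:
        hit = self.matched(scan, env)
        # A matching result allows access, or denies it when Deny access is selected.
        return (not hit) if self.deny_access else hit


if __name__ == "__main__":
    antivirus = AssessmentRule([Requirement("Process information", "Process name",
                                            "yourantivirussoftware.exe")])
    print("antivirus running, access allowed:", antivirus.allows(CLIENT_SCAN))   # True
    listener = AssessmentRule([Requirement("TCP port information", "Local port", "8300")],
                              deny_access=True)
    print("port 8300 listening, access allowed:", listener.allows(CLIENT_SCAN))  # False
```

Two details worth noticing when writing rules: Match is exact and case-sensitive here, so a rule written as mozilla.exe does not match the process Mozilla.exe, and a requirement for an information type that the scan did not collect never matches, which for an allow rule means denial.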
Settings
Authentication Methods
Available Authentication Methods (mandatory: No)
  Lists authentication methods enabled in the system.

Selected Authentication Methods (mandatory: Yes)
  Lists authentication methods selected to be included in the access rule.

Combine with OR (mandatory: No)
  Selected by default.

Combine with AND (mandatory: No)
  Not selected by default.
Group Membership
User Group Criteria (mandatory: No)
  The wildcard character * is supported, and can be entered anywhere in the search string.

Available User Groups (mandatory: No)
  Lists available user groups according to your configuration, or filtered after a search.

Selected User Groups (mandatory: Yes)
  Lists user groups selected in the Available User Groups list.

Combine with OR (mandatory: No)
  Selected by default.

Combine with AND (mandatory: No)
  Not selected by default.
Client Device
Available Devices (mandatory: No)
  Lists available supported devices.

Selected Devices (mandatory: Yes)
  To access the resource, the user must use one of the listed devices.
Time Period

(label missing) (mandatory: No)
User Storage
User Storage (mandatory: No)
  All registered user storage locations are available for selection.
Assessment Type
Plug-in (mandatory: No)
  The first plug-in in the list is selected by default.

Custom (mandatory: No)
  Not selected by default.
Assessment Criteria
Display Name (mandatory: Yes)
  Name used in the system to identify the access rule.

Operating System (mandatory: Yes)
  The operating system the access rule applies to. Available option is Windows.

Information Type (mandatory: Yes)
  Available options for Windows are: File information, Directory information, Registry information, Process information, Windows user information, Windows domain information, Network interface information, UDP port information, TCP port information. Set to File information by default.

Deny access (mandatory: No)
  Not selected by default.
Assessment Requirement
Client Data (mandatory: Yes)
  Lists available client data according to the information type defined on the Select Criteria page.

Matching Restriction (mandatory: Yes)
  Available options are: Match and Wildcard match. Set to Match by default.

Matching Rules (mandatory: Yes)
  Value matching Client Data according to the restriction set in Matching Restriction. Environment variables can be used.
Assessment Feedback
Feedback Message (mandatory: No)
  Feedback message displayed to users when access is denied due to failed assessment.
Access Point
Available Access Points (mandatory: No)
  Lists available registered access points.

Selected Access Points (mandatory: No)
  Lists access points selected in the Available Access Points box. To access the resource, the request must come through one of the listed Access Points.
Identity Provider
Identity Provider (mandatory: No)
  Lists registered identity providers.
Custom-defined
Available Access Rules (mandatory: No)
  Lists uploaded custom-defined access rules.

Selected Access Rules (mandatory: Yes)
  Lists uploaded custom-defined access rules selected to be included in the access rule.

Combine with OR (mandatory: No)
  Selected by default.

Combine with AND (mandatory: No)
  Not selected by default.

Custom-defined access rule (mandatory: No)
  Display name of the custom-defined access rule to be uploaded.
Application portal
About application portal
The Application Portal is the WatchGuard SSL Web portal that users log on to in order to access corporate applications from remote locations. In the Application Portal, the applications (registered resources) are displayed as icons with link texts. In WatchGuard Administrator, these icons and link texts that form the graphical representation of the resources are called Application Portal items. Application Portal items can be created for the following resource types:

Web resources
Tunnel sets
External sites

All Web resources and tunnel sets configured to be displayed in the Application Portal are automatically associated with an Application Portal item. Application Portal items can also be manually created for Web resources or tunnel sets. Note that for Web resources, it is possible to configure a shortcut. The shortcut enables users to access the resource directly in a Web browser, without the need to log on to the Application Portal. You can also create Application Portal items for external sites, i.e. external URLs not registered as Web resources.
Access Client
Users access the Application Portal through the use of WatchGuard Access Client. The Access Client is available as a Microsoft Windows executable (loaded over the Application Portal by either an ActiveX component or a Java applet) and as a pure Java applet. The Windows version of the Access Client is also available on an installation CD, for installations on client computers using Windows. When using the installable Access Client, users do not need to use the Application Portal but are able to access resources directly from their PC. They also have the opportunity to edit preferences in, as well as add favorites (frequently visited applications) to, their Access Client. For more information, see Manage application portal and Application Portal item settings.
Shortcut
For Web resources, you can define a shortcut allowing users to access the resource without accessing the Application Portal. The users enter the address to the Access Point and the shortcut in a browser window to access the resource directly. Example: http://www.AccessPoint.com/Shortcut

URL Query String
For Web resources, you can also define a URL query string. The string is added to the Web resource address when it is selected in the Application Portal. Use queries to retrieve data, or to ask for additional operations such as inserting, updating, or deleting data. Example: http://www.watchguard.com/index.php?id=2&page=1

Protocol
For Web resources, you can also configure what protocol to use between the Access Point and the Web resource back-end server. This setting is only available if both HTTP and HTTPS can be used to access the resource.
Tunnel Set

Make resource available in Application Portal (mandatory: No)
  Not selected by default.

Icon (mandatory: (Yes))
  Path to the image file that symbolizes the tunnel set in the Application Portal. Mandatory when Make resource available in Application Portal is selected.

Link Text (mandatory: (Yes))
  Link text that represents the tunnel set in the Application Portal.
Web Resource

Make resource available in Application Portal (mandatory: No)
  Not selected by default.

Icon (mandatory: (Yes))
  Path to the image file that symbolizes the Web resource in the Application Portal. Mandatory when Make resource available in Application Portal is selected.

Link Text (mandatory: (Yes))
  Link text that represents the Web resource in the Application Portal.

Query String (mandatory: No)
  Query string added to the Web resource address when the item is selected in the Application Portal.

Shortcut (mandatory: (Yes))
  Mandatory when Hide Resource in URL is selected.

Hide Resource in URL (mandatory: No)
  When selected, Shortcut is mandatory. Not selected by default.

Protocol (mandatory: No)
  This setting is only available if both HTTP and HTTPS can be used to access the resource, according to the Web resource configuration. Set to HTTP by default.
External Site

Make resource available in Application Portal (mandatory: No)
  Not selected by default.

Icon (mandatory: (Yes))
  Path to the image file that symbolizes the external site in the Application Portal. Mandatory when Make resource available in Application Portal is selected.

Link Text (mandatory: (Yes))
  Link text that represents the external site in the Application Portal.

Shortcut (mandatory: (Yes))
  Mandatory when Hide Resource in URL is selected.

Hide Resource in URL (mandatory: No)
  When selected, Shortcut is mandatory. Not selected by default.

URL (mandatory: No)
  URL to the external site the Application Portal item refers to.
Identity Federation
About Identity Federation
Here, you manage all Identity Federation settings, including the internal SAML 2.0 settings, which include selecting certificates to enable WatchGuard Administrator to act as a Service Provider or an Identity Provider. A federated environment involves at least three roles:

Service Provider: Decides what requests to allow
Identity Provider: Provides the security information
Subject: The user associated with the Identity Information

SAML 2.0 (Security Assertion Markup Language) is an XML standard for using SSO between online business partners, that is, between an identity provider and a service provider. SAML 2.0 relies on assertions and defines three kinds of statements that can be carried within an assertion:

Authentication statements: Authentication statements are issued by the identity provider. They define who issued the assertion, the authenticated subject, the validity period, plus other authentication-related information.
Attribute statements
Authorization decision statements: These identify what users are entitled to do (for example, permissions to buy a specified item).
Assertions
WatchGuard Administrator only exposes one assertion attribute per assertion. Attributes are mapped against existing attributes in user storage and the Directory service. The key concept of SAML 2.0 assertions is a subject (a principal, someone who can be authenticated, within the context of a particular security domain) about which something is being asserted. A trust is set up between the service provider and the identity provider using certificates. The Identity Provider uses server certificates to sign the SAML 2.0 responses, and the Service Providers use server certificates to validate their SAML 2.0 responses. WatchGuard Administrator can be configured to act as either a Service Provider or an Identity Provider.
Preconditions
Before starting to configure your Identity Federation settings, make sure you have completed the following tasks:

Server certificates used when creating service providers are added using the Add Server Certificate wizard in the Manage Certificates section
Hosts used as service providers are added using the Add Web Resource Host wizard in the Manage Resource Access section
CA certificates used when creating identity providers are added using the Add CA Certificate wizard in the Manage Certificates section

Depending on how you use WatchGuard Administrator, as identity or service provider, you select appropriate certificates, add Web resource hosts, and specify exact paths to these Web resources.
Providers
Service Provider
Typically there are a number of service providers that use assertions about users in order to control access and provide customized service; the party that issues these assertions is the asserting party, the identity provider. Service providers use this information, depending on their access policies, to grant access to local resources.

Identity Provider
Identity providers assert users' identities to relying parties, the service providers. For more information, see Manage Identity Federation settings.
Service Provider
Enable Service Provider (mandatory: No)
  Selected by default.

Display Name (mandatory: Yes)
  Unique name used in the system to identify the service provider.

Web Resource Host (mandatory: Yes)
  List of available Web resource hosts.

Path (mandatory: No)
  Exact path to the selected Web Resource Host used as service provider.

CA Certificate (mandatory: Yes)
  List of available CA certificates.
Assertion Settings
Validity (mandatory: No)
  Length of the SAML 2.0 session. Set to 15 by default.

Subject (mandatory: No)
  Available options are: User ID and email. Set to User ID by default.

Add Client IP (mandatory: No)
  Not selected by default.
Identity Provider
Enable Identity Provider (mandatory: No)
  Not selected by default.

Display Name (mandatory: Yes)
  Unique name used in the system to identify the identity provider.

CA Certificate (mandatory: Yes)
  List of available CA certificates.
Attribute Mapping
Attribute (mandatory: Yes)
  Directory service attribute name for a user that contains the SAML subject attribute value.
Manage providers
Service Providers
You specify a registered Web resource host as service provider. You can also specify an exact path to the Web resource. On the Assertion tab, you can edit the time in minutes to specify the length of the SAML 2.0 session. By default, the session time is set to 15 minutes. You specify which subject is being asserted by selecting either User ID or email as the unique identifier. SAML 2.0 attributes are mapped against existing user attributes in user storage and the directory service.

Identity Providers
When adding an identity provider, you select a CA certificate and specify an attribute to map against existing user attributes in user storage and the directory service.
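The Assertion Settings (Validity of 15 minutes by default, Subject as User ID or email, optional Add Client IP) determine what the issuing side writes into an assertion and what the consuming side has to check. The following is an added example, not WatchGuard code, showing both sides of that exchange in Python: build_assertion is the identity-provider step that produces the assertion, and check_assertion is the service-provider step that enforces issuer, validity window, audience, subject and client address. The issuer, audience, user, client IP and timestamps are constructed sample values, the NameID formats and $NAME-free attribute layout follow the SAML 2.0 core schema, and signature verification against the identity provider's certificate (which the guide says establishes the trust) is assumed to be done by an XML-DSig library before check_assertion is called.

```python
"""Added example (not WatchGuard code): the two sides of a SAML 2.0 assertion
exchange as the Assertion Settings describe it. Issuer, audience, user and
timestamps are constructed sample values; XML signature verification is
assumed to happen before check_assertion runs."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from xml.sax.saxutils import escape, quoteattr

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample data.
SAMPLE_NOW = datetime(2008, 8, 27, 10, 0, tzinfo=timezone.utc)
SAMPLE_USER = {"user_id": "alice", "email": "alice@example.test"}
IDP = "https://idp.example.test/saml"
SP = "https://sp.example.test"


@dataclass
class AssertionSettings:
    """Mirrors the Assertion Settings tab of a service provider entry."""
    audience: str                 # the service provider the assertion is issued for
    validity_minutes: int = 15    # Validity, guide default
    subject: str = "User ID"      # Subject: "User ID" or "email"
    add_client_ip: bool = False   # Add Client IP


def _fmt(ts: datetime) -> str:
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(settings: AssertionSettings, user: Dict[str, str], issuer: str,
                    now: datetime, client_ip: Optional[str] = None) -> str:
    """Identity-provider side: the assertion, before the response is signed."""
    if settings.subject == "email":
        name_id, fmt = user["email"], EMAIL_FORMAT
    else:
        name_id, fmt = user["user_id"], UNSPECIFIED_FORMAT
    not_after = now + timedelta(minutes=settings.validity_minutes)
    # Address ties the bearer assertion to the client IP when Add Client IP is selected.
    address = f" Address={quoteattr(client_ip)}" if settings.add_client_ip and client_ip else ""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_{int(now.timestamp())}" '
        f'Version="2.0" IssueInstant="{_fmt(now)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{fmt}">{escape(name_id)}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData NotOnOrAfter="{_fmt(not_after)}"{address}/>'
        f"</saml:SubjectConfirmation></saml:Subject>"
        f'<saml:Conditions NotBefore="{_fmt(now)}" NotOnOrAfter="{_fmt(not_after)}">'
        f"<saml:AudienceRestriction><saml:Audience>{escape(settings.audience)}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions>"
        f'<saml:AuthnStatement AuthnInstant="{_fmt(now)}"/></saml:Assertion>'
    )


def check_assertion(xml_text: str, expected_audience: str, expected_issuer: str, now: datetime,
                    client_ip: Optional[str] = None, require_client_ip: bool = False,
                    skew: timedelta = timedelta(seconds=60)) -> List[str]:
    """Service-provider side: the condition checks; an empty list means acceptable."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", default="", namespaces=NS) != expected_issuer:
        problems.append("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return problems + ["missing validity conditions"]
    if now + skew < _parse(cond.get("NotBefore")):
        problems.append("not yet valid")
    if now - skew >= _parse(cond.get("NotOnOrAfter")):
        problems.append("expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience mismatch")
    if not root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip():
        problems.append("missing subject")
    if require_client_ip:
        scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Address") != client_ip:
            problems.append("client address mismatch")
    return problems


def example_exchange(minutes_elapsed: int, client_ip_seen: str = "192.0.2.10",
                     expected_audience: str = SP) -> List[str]:
    """Issue an assertion for the sample user, then check it minutes_elapsed later."""
    settings = AssertionSettings(audience=SP, subject="email", add_client_ip=True)
    assertion = build_assertion(settings, SAMPLE_USER, IDP, SAMPLE_NOW, client_ip="192.0.2.10")
    return check_assertion(assertion, expected_audience, IDP,
                           SAMPLE_NOW + timedelta(minutes=minutes_elapsed),
                           client_ip_seen, require_client_ip=True)


if __name__ == "__main__":
    print("5 minutes later:", example_exchange(5))     # []
    print("16 minutes later:", example_exchange(16))   # ['expired']
```

The 60-second skew allowance is a design choice of this example: without it, a few seconds of clock drift between the two parties turns every fresh assertion into a "not yet valid" failure, and with a larger value a 15-minute validity window quietly grows. Tie the Address check to the source address the service provider actually observed for the request, not to a value the client supplied.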
10
Manage system
Abolishment
About Abolishment
The end-point protection solution in WatchGuard Administrator consists of the concept Abolishment, which focuses on client cleanup upon completion of the session. Web browsers leave traces such as browser history and browser cache after a session has ended. Abolishment simplifies the secure cleanup of a client computer by removing cached content on the client and browser history, as well as downloaded, created, or edited files.

Abolishment is used as a basis for access control. A resource is protected by an abolishment access rule based on abolishment settings specifying what should be cleaned on the client after the session is completed. When a user attempts to access the resource, access is allowed only if the abolishment client is running, ensuring that abolishment will be performed when the session is completed. When abolishment is performed, cache and Web browser history are deleted according to the abolishment configuration. As to files downloaded, created, or edited during the session, you can configure whether or not the user should be notified and able to choose which files to delete.
In the dialog box, the Abolishment client is called the End-Point Protection client.
Manage abolishment
Abolishment settings are managed on the Manage Abolishment page in the Manage System section of WatchGuard Administrator. Abolishment settings are available on three tabs: General Settings, Cache Cleaner, and Advanced.
General Settings
On this tab, you specify which file types should be monitored on the client. You also define whether a user should receive a notification message regarding downloaded, created, or edited files of these types upon completion of the session, allowing the user to decide which files, if any, should be deleted. If you select not to notify the user, downloaded, created, or edited files of the specified file types will be deleted automatically when the session is completed.

Monitor Files
Specify which file types should be monitored on the client, and deleted automatically when the session is ended or as a result of the notification message to the user. The file types are specified per operating system in comma-separated lists. The example below displays the file types specified for Windows by default. Example: htm, pdf, txt, doc, xls, ppt, exe, zip

Notification
When the options Enable delete and Notify user are selected, the WatchGuard Abolishment dialog will be displayed when users log off the Application Portal. The WatchGuard Abolishment dialog contains a list of downloaded and/or created files, with the option to select which files to delete. The user may select not to delete any files. You can customize the notify message displayed in the WatchGuard Abolishment dialog. The default message is: Abolishment is requested. Select the files you want to delete.

If the option to notify the user is not selected, all downloaded, created, or edited files of the specified file types will be deleted automatically when the session is completed.
General Settings
Windows (mandatory: (Yes))
  File types to be deleted when the session is ended.

Enable delete (mandatory: No)
  Selected by default.

Notify user (mandatory: No)
  Selected by default.

Notify message (mandatory: (Yes))
  Message used in the Abolishment dialog when users can select which files to delete. Set to "Abolishment is requested. Select the files you want to delete." by default.
Cache Cleaner
On this tab, you specify per operating system what the cache cleaning should include. Available options for Microsoft Windows are:

Internet Explorer history and typed URLs
Internet Explorer cache entries

When you select to clean cache entries, you specify a URL filter to define which cache entries to delete. The URL filter is matched to the cache entries. The wildcard character * is supported. When used alone, all cache entries are deleted. The URL filter is mapped to cache entries in the Windows folder Temporary Internet Files, in the Internet Address column. The cache cleaner removes all cached session information in this column from the start of the session until it is ended. Examples:

* removes all cache entries
https* removes all cache entries downloaded from a secure server
http://www.thesecurecompany.com/* removes all entries from that particular server

URL Filter is set to * by default.

Cache Cleaner settings

(label missing) (mandatory: No)

URL Filter (mandatory: (Yes))
  Set to * by default.
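The Monitor Files list and the Cache Cleaner URL filter together decide what an abolishment run removes, and the Enable delete and Notify user options decide whether the user gets a say. The following is an added example, not WatchGuard code, that works out that decision in Python for a constructed session: the file and cache records, their timestamps and the session window are sample data (a real client would read them from the file system and the Temporary Internet Files folder), and the session-window check for files is an assumption of this example, made so that files that predate the session are left alone.

```python
"""Added example (not WatchGuard code): deciding what an abolishment run would
remove, using the Monitor Files list and the Cache Cleaner URL filter from the
guide. File and cache records are constructed."""
import os
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Set

DEFAULT_MONITORED = "htm, pdf, txt, doc, xls, ppt, exe, zip"   # Windows default from the guide
DEFAULT_URL_FILTER = "*"


@dataclass
class SessionFile:
    path: str
    modified: float     # seconds since epoch (constructed values below)


@dataclass
class CacheEntry:
    url: str            # the Internet Address column
    cached_at: float


# Constructed sample session: it ran from t=1000 to t=2000.
SESSION_START, SESSION_END = 1000.0, 2000.0
SAMPLE_FILES = [
    SessionFile("C:/Users/alice/Downloads/q3-report.pdf", 1500.0),
    SessionFile("C:/Users/alice/Downloads/notes.txt", 1600.0),
    SessionFile("C:/Users/alice/Downloads/setup.msi", 1700.0),      # type not monitored
    SessionFile("C:/Users/alice/Documents/old.doc", 500.0),         # predates the session
]
SAMPLE_CACHE = [
    CacheEntry("https://portal.example.test/reports/q3.pdf", 1500.0),
    CacheEntry("http://www.thesecurecompany.com/news", 1550.0),
    CacheEntry("http://intranet.example.test/start", 1650.0),
    CacheEntry("https://portal.example.test/login", 900.0),         # predates the session
]


def parse_file_types(csv: str) -> Set[str]:
    """'htm, pdf, txt' -> {'htm', 'pdf', 'txt'}; tolerant of spaces, case and leading dots."""
    return {t.strip().lower().lstrip(".") for t in csv.split(",") if t.strip()}


def files_to_delete(files: List[SessionFile], start: float, end: float,
                    file_types: str = DEFAULT_MONITORED) -> List[str]:
    """Monitored file types written during the session window."""
    types = parse_file_types(file_types)
    return [f.path for f in files
            if start <= f.modified <= end
            and os.path.splitext(f.path)[1].lstrip(".").lower() in types]


def cache_entries_to_delete(entries: List[CacheEntry], url_filter: str,
                            start: float, end: float) -> List[str]:
    """Cache entries from the session whose address matches the URL filter ('*' = all)."""
    return [e.url for e in entries
            if start <= e.cached_at <= end and fnmatchcase(e.url, url_filter)]


def abolishment_plan(files, entries, start, end, enable_delete=True, notify_user=True,
                     file_types=DEFAULT_MONITORED, url_filter=DEFAULT_URL_FILTER) -> Dict[str, object]:
    """What the client would remove, and whether the user gets to choose files first."""
    candidates = files_to_delete(files, start, end, file_types) if enable_delete else []
    return {
        "files":  candidates,
        "user_chooses_files": enable_delete and notify_user,   # the Abolishment dialog
        "cache": cache_entries_to_delete(entries, url_filter, start, end),
    }


def example_plan(url_filter: str = DEFAULT_URL_FILTER, notify_user: bool = True,
                 enable_delete: bool = True) -> Dict[str, object]:
    return abolishment_plan(SAMPLE_FILES, SAMPLE_CACHE, SESSION_START, SESSION_END,
                            enable_delete, notify_user, DEFAULT_MONITORED, url_filter)


if __name__ == "__main__":
    for flt in ("*", "https*", "http://www.thesecurecompany.com/*"):
        print(flt, "->", example_plan(flt)["cache"])
```

The three filters from the guide's examples behave as described: * matches every session entry, https* keeps only entries fetched over TLS, and a host prefix ending in /* keeps only that server's entries. Note that a filter like https* also matches a hostname that merely begins with "https", so anchor server filters with the full scheme and host.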
Advanced
On this tab, you manage advanced abolishment settings.

Display Resources in Application Portal
Select this option to display resources protected by an abolishment access rule in the Application Portal prior to the client scan. When selected, resources are displayed even though the user may not have access to them. When not selected, only resources that the user is allowed access to are displayed.

Abolishment Client Loader
You specify which type of loader to use for the abolishment client. The options are:

ActiveX - Java Applet
ActiveX
Java Applet

When the ActiveX - Java Applet option is selected, the loader uses ActiveX when available. If not, it uses the Java Applet.
Advanced Settings
Display resources in Application Portal (mandatory: No)
  Resources protected by an Abolishment access rule are displayed in the Application Portal, regardless of whether the listener collecting information about the client is active or not. Selected by default.

Abolishment Client Loader (mandatory: Yes)
  Set to ActiveX - Java Applet by default.
Access Points
About Access Points
Access Points handle access between users connecting from external networks and the applications on the internal network, usually from the Internet to an intranet, both for corporate and commercial use. The Access Point functionality can be divided into Web access, WAP access, and access via the Access Client. The Web and WAP access supports a secure connection to information that is presented in HTML and WML formats in standard Web and WAP browsers. By using the Access Client, secure access is enabled from more advanced TCP/IP clients such as Telnet. See the sections Manage Tunnel Resources and Manage Tunnel Sets for more information.
WatchGuard Network
Web and WAP Access
Users can connect to the Access Point through any standard browser supporting SSL 3.0. WAP device users can connect to the Access Point via the WAP gateway and then receive WML pages.

Internet Channels
Access Points can operate in any network that supports TCP/IP with ports open for both HTTP and SSL. OpenSSL algorithms are supported, with no limitation of key lengths.

Authentication
The Access Point supports a number of authentication methods used to identify and verify the identity of users. Authentication methods range from static passwords to one-time passwords generated by WatchGuard SSL Mobile ID or by third-party products.
Access Control Advanced access control is implemented in the Access Point. Access control can be based on group membership, for example, and is performed on both incoming and outbound traffic. The Access Point provides access control in conjunction with a firewall and the access control in internal systems. The firewall access control is performed when users interact with the system. The access control is performed on the same level of security as the firewall, i.e. on both IP level and port level. Access control capabilities can be expanded by using the Policy Service, which adds advanced authorization rules to the solution. Encryption Encryption is supported from the client and when connecting to internal systems. The Access Point supports OpenSSL algorithms, with no limitations of key lengths. Digital Signatures Access Points provide for validation of digital signatures when integrated with a Public Key Infrastructure (PKI) solution. Session Handling The session to the client is handled by the use of cookies. The Access Point communicates with internal systems using normal HTTP or SSL session. Cookies generated from internal systems are never passed on from the Access Point to the client. Session handling is important for security reasons, as the normal Web client is a silent client. Using advanced security solutions, a security context will also exist apart from the cookie or variable. The Access Client The Access Client allows for tunneling of raw TCP and UDP data from and to an internal server. The traffic is encrypted with the same strength as used in the Web browser. The Access Client is available in two versions. One is a native Windows application that can be installed as a desktop application, or downloaded from the WatchGuard Application Portal using either an ActiveX component (Internet Explorer only) or a Java Applet. The other is a pure Java version, used for Mac and Linux. 
When using the ActiveX component to download the Access Client, the user must have administrator rights on the client. The native Windows Access Client tries to load a fallback tunnel set if a dynamic tunnel fails to load due to insufficient user rights.
User Guide
Additional listeners
It is possible to add one or several additional listeners to an Access Point, for Web traffic or for load balancing purposes. Additional listeners are additional ports or IP addresses that the Access Point listens on. The configuration is not distributed to other proxies in a load-balanced environment. You can specify a separate SSL certificate for each additional listener. When you set up an HTTPS listener, you must specify a server certificate.
Settings
Label | Mandatory | Description
Service ID | No | Identification number automatically assigned to the Access Point when it is created.
Display Name | Yes | Unique name used in the system to identify the Access Point.
Internal Host | Yes | IP address used in the internal communication between the Access Point and the Policy Service.
Application Portal Host | Yes | IP address or DNS name to which all incoming external traffic to the Application Portal is bound.
Application Portal Port | Yes | HTTPS port for incoming traffic to the Application Portal. Set to 443 by default.
Sandbox Port | No | Additional port for redirecting requests from the Application Portal Port. Set to 443 by default.
Server Certificate | Yes | List of server certificates that the Access Point uses in the external communication.
Listen on all interfaces | No | Specifies which interfaces the service listens on. Not selected by default.
Support crypto cards | No | Not selected by default.
Distribute key files automatically | No | Selected by default.
Additional Listener
Label | Mandatory | Description
Host | Yes | IP address or DNS name of the additional listener.
Port | Yes | Port for incoming HTTP or HTTPS traffic. Set to 80 by default.
Sandbox Port | No | Additional port for redirecting requests from the Application Portal Port.
Server Certificate | Yes if HTTPS is used | List of server certificates that the Access Point uses in the external communication.
Type | No | Available options are Web and Load Balance. Set to Web by default.
Listen on all interfaces | No | Not selected by default.
Bad URIs
Lists URIs to be handled as forbidden requests. The purpose of the list is to detect attempts to reach a URL that would normally be protected by access rules, typically by way of path traversal or alternative encodings of the path separators. It is strongly recommended to keep the default URIs. Example:

*\*  A URI cannot contain a backslash
*%5c*  A URI cannot contain the URL encoding of backslash
*%2f*  A URI cannot contain the URL encoding of slash
*/../*  A URI cannot contain /../
*/%2e%2e/*  A URI cannot contain /../ where both dots are URL encoded
*/.%2e/*  A URI cannot contain /../ where the second dot is URL encoded
*/%2e./*  A URI cannot contain /../ where the first dot is URL encoded
*/./*  A URI cannot contain /./
*/%2e/*  A URI cannot contain /./ where the dot is URL encoded
*//*  A URI cannot contain a double slash
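The following is an added example, not code from the guide or from the product, showing how the default Bad URI list behaves when applied as a set of "contains" patterns on the raw request-target. It assumes that each *X* entry means "the URI contains X", that the check runs on the still percent-encoded path (decoding first would turn %2e%2e into .. and defeat the encoded entries), and, as an assumption not stated on the page, that the percent escapes are compared case-insensitively so that %5C is caught as well as %5c. The request-targets are constructed for the demonstration.

```python
"""Bad-URI filtering in the style of the Access Point default list.

Added example, not WatchGuard code. Each entry is a glob of the form *X*,
meaning "the request URI contains X", applied to the raw (still
percent-encoded) request-target before any decoding. Matching the percent
escapes case-insensitively (%5C as well as %5c) is an assumption made here.
"""
from fnmatch import fnmatchcase

# The default list from the guide, each paired with the reason it is forbidden.
DEFAULT_BAD_URIS = [
    ("*\\*", "backslash"),
    ("*%5c*", "URL-encoded backslash"),
    ("*%2f*", "URL-encoded slash"),
    ("*/../*", "/../"),
    ("*/%2e%2e/*", "/../ with both dots URL-encoded"),
    ("*/.%2e/*", "/../ with the second dot URL-encoded"),
    ("*/%2e./*", "/../ with the first dot URL-encoded"),
    ("*/./*", "/./"),
    ("*/%2e/*", "/./ with the dot URL-encoded"),
    ("*//*", "double slash"),
]


def match_bad_uri(uri, patterns=DEFAULT_BAD_URIS):
    """Return the reason of the first matching pattern, or None when the URI is clean.

    The check runs on the raw request-target: decoding first would collapse
    %2e%2e into .., which is exactly what the encoded entries in the list
    are there to catch before a back end decodes them.
    """
    candidate = uri.lower()  # assumption: escapes compared case-insensitively
    for pattern, reason in patterns:
        if fnmatchcase(candidate, pattern.lower()):
            return reason
    return None


def classify(requests, patterns=DEFAULT_BAD_URIS):
    """Map each request-target to the reason it is forbidden, or None if allowed."""
    return {uri: match_bad_uri(uri, patterns) for uri in requests}


# Constructed request-targets for the demonstration (not taken from any log).
SAMPLE_REQUESTS = [
    "/wa/auth",
    "/wa/../internal/",
    "/wa/%2e%2e/internal/",
    "/wa/.%2E/internal/",
    "/files/a%5Cb",
    "/files//x",
    "/wa/_welcome.html",
]

if __name__ == "__main__":
    for uri, reason in classify(SAMPLE_REQUESTS).items():
        print(f"{uri:28} {'FORBIDDEN: ' + reason if reason else 'allowed'}")
```

Because every match is a rejection, the order of the list only affects which reason is reported. Note that the default patterns match the literal forms listed: a request-target that ends in /.. with no trailing slash, for instance, is not covered by */../*, so extend the list if a back end behind the Access Point treats that form as traversal.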
Cipher Suites
When an SSL connection is initialized, the client and server negotiate a common cipher suite to be used for key exchange and encryption. Different cipher suites offer different encryption algorithms and levels of security. You can select which protocols to support, as well as which types of cipher suites to support. Available protocols are TLS v1.0, SSL v3.0, and SSL v2.0. Note that SSL v2.0 and SSL v3.0 have since been prohibited and deprecated by the IETF (RFC 6176 and RFC 7568) because of known protocol weaknesses; of the protocols offered here, enable only TLS v1.0, and enable the older protocols only for as long as you still have clients that cannot negotiate TLS.
Client access
Client Access Settings/WAP Client Settings
Define the Web versus WAP default pages displayed when accessing the /root, as well as the welcome pages displayed after successful logon.
You can specify default and welcome pages for specific devices using device control.

Device Control
Specify stricter control over, for example, client browsers connecting to the Access Point using device access restrictions. You can warn users using a certain browser, or disallow others from entering. To exercise device control, you register device settings and device access restrictions. When registering device settings, you specify which type of session handling the Access Point will use for a specific device. This is useful for devices that, for example, cannot handle cookies. Available options are URL session, WAP agent, and/or Basic authentication. Use device access restrictions to map devices to the permissions Deny, Warn or Accept. Device access restrictions are evaluated in the order they are listed: the first matching restriction takes effect, whether it is a Deny, Warn or Accept restriction, and restrictions further down the list are not consulted. Order the list so that specific Deny restrictions come before broad Accept restrictions; a broad Accept listed above a Deny silently overrides it.
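The ordering rule above is easy to get wrong, so here is an added example, not code from the guide or the product, that evaluates a list of device access restrictions first-match-wins and contrasts two orderings of the same three restrictions. Matching each restriction against a substring of the User-Agent header is an assumption made for the demonstration; the guide does not say how a "device" is identified, nor what happens when no restriction matches, so the example returns None in that case rather than assuming a default. The policies and User-Agent strings are constructed.

```python
"""First-match evaluation of device access restrictions.

Added example, not WatchGuard code. The guide states that device access
restrictions are evaluated in the order listed and that the first match
takes effect whether it is Deny, Warn or Accept. Matching a restriction
against a substring of the User-Agent header is an assumption made here,
and the two policies and the User-Agent strings below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Restriction:
    pattern: str  # substring to look for in the User-Agent header (assumption)
    action: str   # "Deny", "Warn" or "Accept"


def evaluate(user_agent, restrictions):
    """Return (action, matched pattern) for the first matching restriction.

    Returns None when nothing matches; the guide does not state what the
    Access Point does in that case, so no default is assumed here.
    """
    ua = user_agent.lower()
    for r in restrictions:
        if r.pattern.lower() in ua:
            return r.action, r.pattern
    return None


# Intended policy: block one old browser, warn on the rest of that family,
# accept everything else that identifies itself as Mozilla-compatible.
STRICT = [
    Restriction("MSIE 5", "Deny"),
    Restriction("MSIE", "Warn"),
    Restriction("Mozilla", "Accept"),
]

# Same three restrictions with the broad Accept listed first. Because the
# first match wins, the Deny and Warn below it never take effect for any
# User-Agent that contains "Mozilla", which every MSIE string does.
LOOSE = [
    Restriction("Mozilla", "Accept"),
    Restriction("MSIE 5", "Deny"),
    Restriction("MSIE", "Warn"),
]

# Constructed User-Agent strings.
OLD_IE = "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0)"
NEWER_IE = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
OTHER = "Opera/9.50 (Windows NT 5.1)"


def compare(user_agent):
    """Show what each ordering decides for one User-Agent."""
    return {"strict": evaluate(user_agent, STRICT), "loose": evaluate(user_agent, LOOSE)}


if __name__ == "__main__":
    for ua in (OLD_IE, NEWER_IE, OTHER):
        print(ua, "->", compare(ua))
```

Reviewing a restriction list is therefore a matter of walking it top to bottom with each User-Agent you care about, exactly as evaluate() does, rather than reading the Deny entries in isolation.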
Performance
Performance Settings
Enhance the performance of your Access Points by configuring Access Point performance settings. Performance settings include time-outs for idle connections. You can also limit the number of TCP connections that the operating system is able to queue, and allow the Access Point to cache SSL sessions for communication with internal servers.

Data Compression Settings
Use data compression to represent dynamic and static Web files using the fewest possible bits. Dynamic files are Web files located on the Access Point that contain user variables. You can list which file types to compress, for example html/txt, or use the wildcard character * to compress all file types. Caution: compressing a dynamic page that carries a secret (such as a session token) together with content an attacker can influence exposes that secret to compression side-channel attacks over the encrypted connection (BREACH); limit compression to static file types if your portal pages have that shape.

Trusted Gateways
Register trusted IP addresses, for example WAP gateways or HTTP proxies, as trusted gateways. Trusted in this context means that even though a client connecting to the Access Point may not have a secure connection, incoming traffic from the specified IP address and port is automatically assumed to have the specified level of security (128-bit encryption). Users are not redirected to HTTPS when coming from a trusted gateway. Because that trust is granted to whatever arrives from the registered address and port, register only gateways whose own link to the Access Point is protected (for example on an isolated network segment), and never a general-purpose proxy that arbitrary clients can reach.
Settings
Internal Cookies
All of the following are optional (Mandatory: No) and not selected by default:
User ID
Client IP
Server Port
SSL Strength
Last used authentication method
Max inactivity time in seconds
Session ID cookie
System Session ID
Session Control
Label | Mandatory | Description
Web access authentication key (WAAK) is secure | No | Selected by default.
Strength of WAAK | Yes | Strength in bits of the secure authentication cookie. Set to 128 by default.
Random Value of WASID | Yes | Number of bits in the random value. Set to 64 by default.
Bind session to client IP | No | Not selected by default.
Allow duplicate user name logon | No | Selected by default.
Duplicate user name logon reverse action | No | Not selected by default.
Show shutdown message | No | Not selected by default.
Cookie Persistence
Label | Mandatory | Description
Enable secure use of persistent cookies | No | Not selected by default.
Cache Control
Label | Mandatory | Description
Use Cache-Control: no-store to disallow browser cache on HTTP/1.1 clients | No | Method for HTTP/1.1 clients to disallow browser caching. Selected by default.
Client Access
Label | Mandatory | Description
Show error on SSL v2.0 access | No | Not selected by default.
Hide server header | No | Selected by default.
Default authentication method | No | Authentication method used when a user accesses /wa/auth without the parameter authmech specified. Not selected by default.
Bad URI
Label | Mandatory | Description
Bad URIs | No | Important: It is recommended that you keep the listed URIs.
Client Access

Label | Mandatory | Description
Default Page | Yes | Path to the main page for the Application Portal where applicable authentication methods are listed. Set to /wa/auth by default.
Welcome Page | Yes | Path to the Application Portal or page configured as start page after a successful logon. Set to /wa/_welcome.html by default.
Device Settings
Label | Mandatory | Description
Device | No | Set to Any device by default.
Device does not support cookies | No | Not selected by default.
Device cannot authenticate using HTML or WML forms | No | Not selected by default.
File Extension | No | When no additional file extension is entered, only HTML is used.
Default Page | No | Main page for the device.
Welcome Page | No | Welcome page after a successful logon.
GUI Constant | No | Name of a constant that can be used in the HTML or WML pages.
GUI Constant Value | No | Value of the GUI constant.
Performance Settings
Label | Mandatory | Description
Max Working Threads | Yes | Number of threads handling requests. Set to 200 by default.
Connection time-out | Yes | Time, in seconds, a connection can be idle before it is closed. Set to 60 by default.
(label not extracted) | Yes | Time, in seconds, a UDP tunnel connection can be idle before it is closed. Set to 120 by default.
(label not extracted) | Yes | Time, in minutes, between Garbage Collection of session objects. Set to 1 by default.
(label not extracted) | Yes | Number of TCP connections that the operating system is able to queue. Set to 25 by default.
(label not extracted) | Yes | Maximum number of concurrent TCP tunnel connections towards the internal servers. Set to 1500 by default.
(label not extracted) | No | Selected by default.
(label not extracted) | No | Selected by default.
Trusted Gateways
Label | Mandatory | Description
IP Address | Yes | Trusted IP address of the gateway.
Port | Yes | Set to 80 by default.
Administrative Service
About Administrative Service
You manage all administration and configuration of WatchGuard Administrator on the Administration Service. It distributes your user account settings to the user storages and configuration changes to the WatchGuard network: the Access Point, Policy Service, and Authentication Service. The WatchGuard Administration Service is the hub of the WatchGuard network, and the WatchGuard Administrator its interface.
Only one Administration Service can be configured per WatchGuard network.
WatchGuard Network
Configuration
The main configuration file (RemoteConfiguration.xml) is stored on the Administration Service. Local configuration files stored on the different WatchGuard services are only used initially to contact the Administration Service. The current configuration is pushed to the different services at runtime through the publish functionality in the WatchGuard Administrator. The services do not need to be restarted to retrieve the configuration. A history of the ten latest configurations is saved. A previous configuration can be retrieved by using the restore functionality in the WatchGuard Administration Service. For more information see Manage Administrative Service.
Assessment
About Assessment
The end-point integrity solution in WatchGuard Administrator consists of the Assessment concept, which focuses on access control based on client restrictions. Assessment is used to define how a client must be constituted, and to allow or deny access to resources accordingly. A resource or SSO domain is protected by an assessment access rule, detailing client scan paths per operating system. Client scan paths define the information that will be scanned during the client scan. When a user attempts to access the resource, a client scan is performed and a subsequent assessment of the client constitutes the basis of the access decision.
The client scan is called the End-Point Integrity scan in the dialog box.
An alternative to registering client scan paths is to use the plug-ins available for specific client scans. WatchGuard Administrator supports assessment on Microsoft Windows. Future releases will support additional operating systems. Client data paths can be specified for the following areas:
File information
Registry information
Process information
Windows user information
Windows domain information
Network interface information
UDP port information
TCP port information
For more information see Manage Assessment.
Manage Assessment
You manage assessment settings on the Manage Assessment page in the Manage System section. Manage Assessment consists of three tabs:
General Settings
Advanced Settings
Plug-ins
General Settings
On this tab, you configure the client scan settings, which include settings for a real time scan as well as the client scan path. Note that you need to add an assessment access rule in order for these settings to take effect. Access rules are managed on the Manage Access Rules page in the Manage Resource Access section.

Real Time Scan
The client scan is performed the first time a resource protected by an assessment access rule is requested. To allow the client scan to continue to assess the client computer during the session, you can enable a real time scan. When the real time scan is enabled, the client is scanned at the specified interval (default 120 seconds) after the initial scan.
The real time scan is a global setting: when enabled, it applies to all resources protected by an assessment access rule.
Client Scan Paths
There are several plug-ins available for use in assessment access rules, defining the client data required. When not using a plug-in, you specify one or several client scan paths. Client scan paths specify paths to the information types to collect during client scans. You define the information paths per operating system. For Windows, you can define file, directory, registry key, or registry subkey paths.
The client scan paths you add when creating assessment access rules are added to the list on this tab.
You can select several check boxes to scan for different information, even if only part of the information is used as a basis for assessment in accordance with specified access rules.
If you create client scan paths (that require collection of information) when creating an assessment access rule, the corresponding check boxes are selected automatically on this page.
Available information types and corresponding client data that you can specify requirements for are displayed in the table below.
Information Path

Label | Mandatory | Description
Information path | Yes | A client scan path of one of the types listed under Client Scan Paths above: file, directory, registry key or registry subkey (the table lists the types Directory, Registry Key and Registry Subkey).

Windows

Label | Mandatory | Description
Enable collection of network information | No | Not selected by default.
Enable collection of process information | No | Not selected by default. Collects process information.
Enable collection of Windows information | No | Not selected by default.
Advanced Settings
On this tab, you manage advanced assessment settings.

Display Resources in Application Portal
Select this option to display resources protected by assessment access rules in the Application Portal before the client scan has been performed. Resources are then displayed even though the user may not have access to them. When the option is not selected, only resources that the user is allowed access to are displayed. This is applicable when an assessment access rule is included in the global access rule, resulting in the client scan being performed before the user enters the Application Portal.

Assessment Client Loader
You specify which type of loader to use for the assessment client. The options are:
ActiveX - Java Applet
ActiveX
Java Applet
When the ActiveX - Java Applet option is selected, the loader uses ActiveX when available. If not, it uses the Java Applet.
Advanced Settings
Label | Mandatory | Description
Display resources in Application Portal | No | Resources protected by an assessment access rule are displayed in the Application Portal before the client scan has been performed. Selected by default.
Assessment Client Loader | Yes | Set to ActiveX - Java Applet by default.
Plug-ins
On this tab, you add or delete plug-ins to be used in assessment access rules, as a basis for the client scan. The plug-ins displayed here are located in the following folder: <WatchGuard installation folder>/files/policyservice/ep/plugins. File names, version numbers, and descriptions of the plug-ins are displayed. You add a plug-in to this list by uploading it to that folder: use the Browse button to locate the plug-in; it is uploaded when you click Save. A plug-in is code that drives the scan of the end point, so upload only plug-ins obtained from a source you trust and verify the file's integrity before you save it.
Upload Plug-in
Label | Mandatory | Description
Plug-in | No | The name of the plug-in to upload.
Authentication methods
About authentication methods
Authentication methods are used as requirements in access rules for authentication. An access rule can combine several authentication methods and other requirements. Different authentication methods provide different levels of security. The rule of thumb is: the more complex an authentication method, the more certain the identification of the individual. When adding authentication methods, you can specify settings using extended properties. These include, for example, Save credentials for SSO domain, Allow user not listed in any User Storage, or Lock user ID for session, and many more depending on which authentication method you choose. The following authentication methods are supported:
WatchGuard SSL authentication: Web, Challenge, Synchronized, Mobile Text, and Password
RADIUS authentication: SecurID, SafeWord, and General RADIUS
User Certificate
LDAP authentication
Active Directory authentication
IBM authentication: Tivoli and RACF
Novell eDirectory authentication
Basic authentication
NTLM authentication
Extended User Bind authentication
E-ID authentication
E-ID Signer authentication
Form-based authentication
Windows integrated login
Custom-defined authentication method
You can configure a total of 15 authentication methods. For more information see Authentication methods, Additional authentication methods and Manage authentication methods.
Authentication methods
The WatchGuard authentication methods are Password, Web, Synchronized, Challenge, and Mobile Text. They are all based on the RADIUS protocol. All WatchGuard authentication methods can be used on a laptop or desktop computer. When using the Synchronized or Challenge methods, users install client applications on the device being used. When using the Web authentication method, the installed client is either an ActiveX component or a Java applet. Which authentication method to choose depends on your users' needs. Consider the importance of mobility, device flexibility, and level of security. Refer to each authentication method for more detailed information. The authentication methods provide different levels of security, based on their complexity. For information on additional authentication methods, see Additional Authentication methods.
You can configure several channels. Configure more than one SMS channel so that a secondary channel is used if the primary fails. All authentication and notification messages are sent via mobile text to the cell phone number or email address registered for that specific user account. This is done on the User Account WatchGuard Authentication Settings page. When Allow Two-step Authentication is selected, the authentication is distributed over two sessions: the first makes the server send the OTP to the mobile phone, and the second logs on with the OTP. The Mobile Text authentication method relies on the RADIUS protocol.
When a new WatchGuard Administrator user account is registered and the WatchGuard SSL Web authentication method is enabled, the password or PIN is created and distributed to the user.
The WatchGuard SSL Web authentication method can only be used with the Access Point.
WatchGuard SSL Web can be used for authentication on a laptop or desktop computer. The Web authentication method relies on the RADIUS protocol.
General settings
All authentication methods have a display name and the option to enable the authentication method. All authentication methods are enabled by default. For the WatchGuard authentication methods, the display name is used as display name in the Select Authentication Method dialog when logging on to the Application Portal. Some authentication methods (listed below) have a template specification, which defines the physical appearance of the authentication method logon dialog. The specified Template Name is sent to the Policy Service enabled application, which has a corresponding template file on the local server. All WatchGuard Mobile ID authentication methods, and most of the supported additional authentication methods (listed below), need one or several authentication method servers. The authentication method server settings include:
Host and port
Different search methods to locate users in the directory service structure for authentication
Basic Authentication

Label | Mandatory | Description
Template Name | No | Template presented to the user.
Template Specification | Yes | Set of values used by the template.

Challenge Authentication

Label | Mandatory | Description
Template Name | No | Template presented to the user.
Customer-defined Authentication

Label | Mandatory | Description
Template Name | No | Template presented to the user.
Template Specification | Yes | Set of values used by the template.
Class Name | Yes | Executable authentication method implementation.
Certificate Authority | No | CA used to validate the identity of the individual holding the user certificate.

Form-Based Authentication

Label | Mandatory | Description
Template Name | No | Template presented to the user.
Template Specification | Yes | Set of values used by the template.

LDAP Authentication

Label | Mandatory | Description
Template Name | No | Template presented to the user.
Template Specification | Yes | Set of values used by the template.

NTLM Authentication

Label | Mandatory | Description
Template Name | Yes | Template presented to the user.
Template Specification | Yes | Set of values used by the template.

Password Authentication

Label | Mandatory | Description
Template Name | Yes | Template presented to the user.

SafeWord Authentication

Label | Mandatory | Description
Template Name | Yes | Template presented to the user.
Template Specification | Yes | Set of values used by the template.
SecurID Authentication

Label | Mandatory | Description
Template Name | Yes | Template presented to the user.
Template Specification | Yes | Set of values used by the template.

Synchronized Authentication

Label | Mandatory | Description
Template Name | Yes | Template presented to the user.
Template Specification | Yes | Set of values used by the template.

Web Authentication

Label | Mandatory | Description
Template Name | Yes | Template presented to the user.
Label | Mandatory
Password | Yes
Root DN | Yes
E-ID Authentication
Label | Mandatory | Description
Port | Yes | Port for the authentication method server. Set to 8899 by default.
Time-out | Yes | Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default.
(label not extracted) | Yes | Parameter that is identical to the service identifier configured in the Nexus MultiID core server.
(label not extracted) | No | Maximum time for a server connection to be established. Set to 1000 by default.
(label not extracted) | No | Number of connection retries for servers which are not responding.
E-ID Signer
Label | Mandatory | Description
Port | Yes | Port for the authentication method server. Set to 8899 by default.
Time-out | Yes | Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default.
(label not extracted) | Yes | Parameter that is identical to the service identifier configured in the Nexus MultiID core server.
(label not extracted) | No | Maximum time for a server connection to be established. Set to 1000 by default.
(label not extracted) | No | Number of connection retries for servers which are not responding.
Basic Authentication
Label | Mandatory | Description
Port | Yes | Port for the authentication method server. Set to 8899 by default.
Time-out | Yes | Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default.
Path | Yes | Path to the logon page that is accessed by the authentication method server during the authentication process. The path must start with a /.
(label not extracted) | No | Protocol to use in the communication.
(label not extracted) | No | Server certificate used to validate the certificates presented by other servers.
Challenge Authentication
Label | Mandatory | Description
Enable authentication method | No | Selected by default.
Display Name | Yes | Lists Display Names of registered Authentication Services.
Port | Yes | Port for the authentication method server.
Time-out | Yes | Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default.
Listen to all interfaces | No | Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.
Customer-defined Authentication
Label | Mandatory | Description
Port | Yes | Port for the authentication method server.
Listen to all interfaces | No | Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.
Form-based Authentication
Label | Mandatory | Description
Port | Yes | Port for the authentication method server.
Time-out | Yes | Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default.
(label not extracted) | No | Protocol used in the communication.
(label not extracted) | No | Server certificate used to validate the certificates presented by other servers.
NTLM Authentication
Label | Mandatory | Description
Port | Yes | Port for the authentication method server.
Time-out | Yes | Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 5000 by default.
Path | Yes | Path to the logon page that is accessed by the authentication method server during the authentication process.
(label not extracted) | Yes | Domain the authentication method server belongs to.
(label not extracted) | No | Protocol used in the communication.
(label not extracted) | No | Server certificate used to validate the certificates presented by other servers.
Password Authentication
Label | Mandatory | Description
Enable authentication method | No | Selected by default.
Display Name | Yes | Lists Display Names of registered Authentication Services.
Port | Yes | Port for the authentication method server.
Time-out | Yes | Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default.
Listen to all interfaces | No | Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.
SafeWord Authentication
Label | Mandatory | Description
Port | Yes | Port for the authentication method server.
Time-out | Yes | Time the client waits for an authentication method server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default.
(label not extracted) | Yes | Secret shared between the RADIUS client and the RADIUS server.
Listen to all interfaces | No | Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.
Synchronized Authentication
Label | Mandatory | Description
Enable authentication method | No | Selected by default.
Display Name | Yes | Lists Display Names of registered Authentication Services.
Port | Yes | Port for the authentication method server.
Time-out | Yes | Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default.
Listen to all interfaces | No | Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.
Web Authentication
Label | Mandatory | Description
Enable authentication method | No | Selected by default.
Display Name | Yes | Lists Display Names of registered Authentication Services.
Port | Yes | Port for the authentication method server.
Time-out | Yes | Time the client waits for an authentication server reply before trying to connect to the next authentication method server in the list. Set to 15000 by default.
Listen to all interfaces | No | Refers to internal traffic between the Policy Service and the authentication method server. Not selected by default.
RADIUS replies
All authentication methods using RADIUS have a number of pre-configured RADIUS replies associated with them. These replies can be edited, and new ones can be added. Each RADIUS reply consists of a name and a so-called matching string, which is the actual reply text presented to users. When a reply matches the string, the authentication method responds using the appropriate template specification, set in Template Name on the General Settings page. Example:
Name: WebCurrentPwd
Matching String: Enter current password. Challenge %. Configuration %
Only WatchGuard Mobile ID authentication methods and General RADIUS, SafeWord, and SecurID support RADIUS replies.
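To make the name/matching-string mechanism concrete, here is an added example, not code from the guide or the product, that resolves the text of a RADIUS reply (the Reply-Message of an Access-Challenge, for instance) to the named reply whose matching string fits it. Treating each % in the matching string as a wildcard for any run of characters, with everything else matched literally, is an assumption: the guide shows % in its example but does not define it. The second reply entry and the sample reply texts are constructed for the demonstration.

```python
"""Resolving a RADIUS reply text to a named RADIUS reply.

Added example, not WatchGuard code. The guide's example matching string is
"Enter current password. Challenge %. Configuration %"; treating each '%' as
a wildcard standing for any run of characters, with everything else matched
literally, is an assumption made here. The second reply and the sample
reply texts are constructed for the demonstration.
"""
import re

RADIUS_REPLIES = {
    # Name and matching string from the guide's example.
    "WebCurrentPwd": "Enter current password. Challenge %. Configuration %",
    # Constructed entry, only to show that lookup walks the whole table.
    "ConstructedNextToken": "Wait for the code to change, then enter the next %",
}


def compile_matching_string(matching_string):
    """Compile a matching string to a regex: '%' -> (.*?), everything else literal."""
    literal_parts = [re.escape(part) for part in matching_string.split("%")]
    return re.compile("^" + "(.*?)".join(literal_parts) + "$", re.DOTALL)


def resolve_reply(reply_message, replies=RADIUS_REPLIES):
    """Return (reply name, tuple of wildcard values) for the first matching
    reply, or None when no configured matching string fits the message."""
    for name, matching_string in replies.items():
        m = compile_matching_string(matching_string).match(reply_message)
        if m:
            return name, m.groups()
    return None


# Constructed reply texts as a RADIUS server might send them in a challenge.
SAMPLE_REPLY_MESSAGES = [
    "Enter current password. Challenge 48213. Configuration 2",
    "Wait for the code to change, then enter the next token",
    "Access denied",
]

if __name__ == "__main__":
    for msg in SAMPLE_REPLY_MESSAGES:
        print(repr(msg), "->", resolve_reply(msg))
```

Anchoring the regex at both ends keeps a short matching string from matching inside a longer, unrelated reply, and the captured wildcard values are what a logon template would need in order to display the challenge to the user.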
SafeWord Authentication
Label | Mandatory | Description
Template Specification | Yes | Set of values used by the template.

SecurID Authentication

Label | Mandatory | Description
Template Specification | Yes | Set of values used by the template.
Extended properties
Authentication methods may also have a number of extended properties, allowing you to further customize how authentication should be handled. Some extended properties are used only by specific authentication methods; others are global Policy Service settings that do not affect the authentication method's own behavior. To simplify administration, however, they are managed on each applicable authentication method. The global Policy Service settings used as extended properties are:

User attribute
When specified, only users associated with the specified user ID attribute are allowed to authenticate. Applicable when the authentication method uses a different attribute name than the default attribute name for authentication. Example: mail (as opposed to the default attribute names cn or sAMAccountName).

User name may not change during session
This extended property is added to the authentication method by default. When set to true, only the user ID associated with a user account is allowed to authenticate. Before authentication, the Policy Service searches the directory service for the user ID using the specified search rules. If the user ID has a WatchGuard Administrator account (or a WatchGuard Administrator account can be created), and the user ID exactly matches the WatchGuard Administrator account, the user is allowed to authenticate. If the user ID cannot be found, or if the user ID used for authentication does not match the WatchGuard Administrator account, the user is not allowed to authenticate. Applicable when you want to restrict the use of different user IDs, to eliminate the possibility of several different users authenticating during one session. Set to true by default.

Allow user not listed in any User Storage
When set to true, users can be authenticated without a WatchGuard Administrator user account. All access rules of the type user group membership are then ignored. When using this extended property with the E-ID authentication method: when set to true and neither the BankID certificate attribute nor the BankID user attribute is specified, the user ID is set to the Subject DN from the certificate; when set to true and the BankID certificate attribute is specified as, for example, cn, the user ID is set to the certificate's cn. Set to false by default.
WatchGuard account required prior to authentication
When set to true, only user IDs associated with a user account are allowed to authenticate. Before authentication, the Policy Service searches the directory service for the user ID using the specified search rules. If the user ID has a WatchGuard Administrator account (or a WatchGuard Administrator account can be created), the user is allowed to authenticate. If the user ID cannot be found in the directory service, the user is not allowed to authenticate.
It is not recommended to add this extended property to authentication methods where only the user ID is entered in the first step of authentication. Rejecting unknown user IDs at that step lets anyone observing the responses tell which user IDs exist and which do not, i.e. it enables user enumeration, so keep the property off such methods or make sure known and unknown user IDs produce the same response.
Set to true by default.

Save credentials for SSO domain
When specified, the Policy Service performs an SSO credential update after successful authentication, using the credentials provided by the user.

Lock User ID to Session
When set to true, the user ID is locked to this session to ensure that the user ID is not used for several requests simultaneously. This results in a two-step challenge, performed for user ID and password respectively.

All extended properties for each authentication method are listed below.
Extended Properties

Each entry below gives the extended property, the authentication methods it is used in, and the comment from the original table. Where extraction dropped the property name, the entry is marked (property name not recoverable).

User attribute. Used in: All. This is a global Policy Service setting.
User attribute. Used in: User Certificate. User storage attribute that is mapped to the certificate attribute.
User name may not change during session. Used in: All. This is a global Policy Service setting, added to the authentication method by default. Set to true by default.
Allow user not listed in any User Storage. Used in: All. This is a global Policy Service setting. Set to false by default.
WatchGuard Administrator account required before authentication. Used in: All. This is a global Policy Service setting. Set to false by default.
Save credentials for SSO Domain. Used in: Active Directory, Basic, Customdefined, Form-based, LDAP, NTLM, Password, General RADIUS, SafeWord, SecurID. This is a global Policy Service setting.

(property name not recoverable). Used in: Active Directory, General RADIUS. This extended property is added to the Active Directory authentication method by default. Set to 7 by default.
Locale. Used in: Active Directory, General RADIUS. This extended property is added to the authentication method by default. Set to US (American English) by default.
(property name not recoverable). Used in: E-ID. Mandatory. LDAP user attribute used to map the user to a user in the directory service. Mandatory when BankID certificate attribute mapping is specified for mapping.
(property name not recoverable). Used in: E-ID. The IBM CBT client. This extended property is added to the E-ID authentication methods by default. Set to false by default.
(property name not recoverable). Used in: E-ID. The Nexus Personal client. This extended property is added to the E-ID authentication methods by default. Set to false by default.
(property name not recoverable). Used in: E-ID. The Netmaker NetID client. This extended property is added to the E-ID authentication methods by default. Set to false by default.
(property name not recoverable). Used in: E-ID. CA Certificate Display Name of the issuer of the user certificates used for the Nexus Personal client. If not specified, a list of all certificates available for the user is presented at logon.
(property name not recoverable). Used in: E-ID. CA Certificate Display Name of the issuer of the user certificates used for the Netmaker NetID client. If not specified, a list of all certificates available for the user is presented at logon.
(property name not recoverable). Used in: E-ID. LDAP certificate attribute used to map the user to the correct certificate. Mandatory when BankID user attribute is specified for mapping.
Return signature. Used in: E-ID Signer. When set to true, the signature is attached to the sign result sent to the resource.
Keys for additional extended properties. Used in: Customdefined. Mandatory. Additional extended properties.
User bind attribute. Used in: Extended User Bind. (UBA) Actual value of the user attribute to be bound to.
UBAX. Used in: Extended User Bind. Integer (0-4) that contains the user attributes used in the pattern below.
UBA pattern. Used in: Extended User Bind. One or several UBAX, concatenated by the sign + and any character within quotation marks.

Certificate bind attribute. Used in: Extended User Bind. (CBA) Actual certificate attribute to be bound to.
CBAX. Used in: Extended User Bind. Integer (0-4) that contains the user attributes used in the pattern below.
CBA pattern. Used in: Extended User Bind. One or several CBAX, concatenated by the sign + and any character within quotation marks.
Method. Used in: Form-based. Set to POST by default.
Form action. Used in: Form-based. Mandatory. Path that defines the URL to GET or POST data to.
Form data. Used in: Form-based. Mandatory. Definition of the data sent to the server. The variables [$username], [$password] and [$domain] can be used for dynamic replacement with the internal user name, password and NTLM domain.
Verification URL. Used in: Form-based. Mandatory. Path that defines the URL to which the response from the form action is sent to verify whether the logon has succeeded or not. Must be an absolute URL. If no path is entered, the response of the POST or GET is evaluated.
Form response. Used in: Form-based. Text string included in the response that is used to decide whether the authentication is successful or unsuccessful. Mandatory.
(property name not recoverable). Used in: Form-based. When set to Success, the authentication is treated as successful if the text specified in Form Response is included in the response. When set to another value, the authentication is treated as not successful if the text specified in Form Response is included in the response.
Additional headers. Used in: Form-based. Defines additional headers that are added to the internal request and sent to the resource. Several additional headers can be added, each containing a name and a value.
(property name not recoverable). Used in: User Certificate. Certificate attribute to map to the user attribute in user storage. Note that you need to enter both a certificate attribute and a user attribute for a successful mapping.
OCSP AIA. Used in: User Certificate. If this extended property is enabled, an OCSP request is performed to verify the revocation status of the client certificate. The OCSP Provider URL is retrieved from the Authority Information Access (AIA) extension in the client certificate. Set to false by default.

(property name not recoverable). Used in: User Certificate. Specifies the OCSP Responder URL. Set this extended property when client certificates do not have the AIA extension. If this extended property is specified, an OCSP request is performed to verify the revocation status of the client certificate. This setting overrides the OCSP AIA extended property. For example: http://ocsp.example.net:80
(property name not recoverable). Used in: User Certificate. Specifies the OCSP certificate to use when performing OCSP requests. If the OCSP server requires another certificate than the CA certificate associated with this method, set the value to that CA certificate's display name.
(property name not recoverable). Used in: User Certificate. If this extended property is enabled, the system logs to a dedicated certificate log file. The name of the method is used as the file name, and the log format is (all log elements separated by a space): Date (yyyy-mm-dd), Time (hh:mm:ss), Level (INFO|WARNING), Certificate method name, Issuer-DN, Subject-DN, Not before date (yyyy-mm-dd), Not after date (yyyy-mm-dd). Set to false by default.
(property name not recoverable). Used in: User Certificate. Specifies the folder in which to place the certificate log file. Set to logs by default.
Certificate log rotation max files. Used in: User Certificate. Specifies the maximum number of rotated certificate log files. Set to 3 by default.
Certificate log rotation max size (kB). Used in: User Certificate. Specifies the maximum size of each certificate log file. Set to 1000 by default.
Certificate logging on successful authentication only. Used in: User Certificate. If this extended property is disabled, the system also logs when certificate authentication fails. Set to true by default.
(property name and Used In not recoverable). Enable this extended property when using ActiveSync. When enabled, the system locks the device ID to the user. The device ID is registered automatically when performing the first sync. To register a new phone or PDA, remove the user's custom defined attribute DeviceID and re-sync. Set to false by default.

(property name not recoverable). Used in: All. If this extended property is enabled, the WatchGuard Administrator account is created on successful login. When disabled, the WatchGuard Administrator account is only created and linked if the user is found in any User Storage. Set to false by default.
(property name not recoverable). Used in: All. If this extended property is enabled, the WatchGuard Administrator account is created on failed logon. It is recommended to enable this when the back-end authentication service is unable to lock the user after a number of invalid authentication attempts. Set to false by default.
(property name not recoverable). Used in: Password, Web, Synchronized, Mobile Text, Challenge. If this extended property is enabled, the reject reason is displayed to the client. Set to false by default.
(property name not recoverable). Used in: Password, Web, Synchronized, Mobile Text, Challenge. Specifies the character encoding used when formatting all RADIUS attribute values. Set to UTF-8 by default.
(property name not recoverable). Used in: IBM RACF. If this extended property is enabled, the password change is performed using the administrator's credentials from the mechanism server. Set to false by default.
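The Form data, Form response and Method properties above define a request/response contract that is easy to get subtly wrong: a placeholder expanded into a raw body can break the form, and a Form response string that is too generic can turn an error page into a successful logon. The following Python is an added example, not code from the guide or from the WatchGuard product. It expands the placeholders, posts to a constructed stand-in for the back-end login form, and applies the Form response rule in both its Success and its failure-text variants. The class FakeLoginResource, the field names user and pass, and the application/x-www-form-urlencoded encoding of the body are assumptions of this example; the Verification URL step is not modelled.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders the Form data extended property recognizes (from the table above)
PLACEHOLDERS = {"[$username]": "username", "[$password]": "password", "[$domain]": "domain"}


def render_form_data(template, username, password, domain=""):
    """Expand a Form data template such as "user=[$username]&pass=[$password]".

    Assumption of this example (the guide does not say): the template is an
    application/x-www-form-urlencoded body. Each field value is percent-encoded
    after substitution, so an '&' or '=' inside a password stays inside its own
    field instead of creating extra form fields."""
    values = {"username": username, "password": password, "domain": domain}
    fields = []
    for pair in template.split("&"):
        name, _, value = pair.partition("=")
        for placeholder, key in PLACEHOLDERS.items():
            value = value.replace(placeholder, values[key])
        fields.append((name, value))
    return urlencode(fields)


def evaluate_response(page, form_response, response_type="Success"):
    """Apply the Form response rule: with type Success the text must be present for a
    successful logon; with any other type its presence means the logon failed."""
    present = form_response in page
    return present if response_type == "Success" else not present


class FakeLoginResource:
    """Constructed stand-in for the back-end web form; not a WatchGuard component."""

    def __init__(self, users):
        self.users = users  # user -> password, constructed sample data

    def post(self, path, body):
        form = parse_qs(body, keep_blank_values=True)
        user = form.get("user", [""])[0]
        password = form.get("pass", [""])[0]
        if path == "/login" and self.users.get(user) == password:
            return "<html><body>Welcome back, %s</body></html>" % user
        return "<html><body>Login failed: invalid user name or password</body></html>"


def form_based_login(resource, method, form_action, form_data, form_response,
                     response_type, username, password, domain=""):
    """Run one Form-based authentication: build the request from the extended
    properties, post it to the Form action path and judge the reply with the
    Form response rule. Only the default Method POST is modelled."""
    if method != "POST":
        raise NotImplementedError("only the default Method POST is modelled")
    body = render_form_data(form_data, username, password, domain)
    page = resource.post(urlsplit(form_action).path, body)
    return evaluate_response(page, form_response, response_type)
```

Choosing the failure text ("Login failed") with a non-Success response type is usually the more robust configuration, because a welcome banner may also appear on pages that are not a completed logon.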
Authentication services
About Authentication Service
The Authentication Service handles authentication of users accessing resources. The Authentication Service supports the WatchGuard RADIUS authentication methods: Mobile Text, Web, Challenge, Password, and Synchronized. You configure the Authentication Service to handle access requests through the available authentication methods using the RADIUS protocol. Depending on which authentication methods you use, the Authentication Service is set up to respond to the access requests accordingly: by accepting, rejecting, or challenging the request. The Authentication Service may also proxy authentication requests to an authentication server using third-party authentication methods, for example RSA SecurID or Secure Computing SafeWord. In this scenario, you configure a RADIUS back-end server as an authentication server. You can use one or several Authentication Services and RADIUS back-end servers simultaneously. For more information, see Manage Authentication Services.
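As an added illustration of the accept, reject and challenge outcomes (example code, not the WatchGuard Authentication Service's implementation), the following Python builds RFC 2865 RADIUS packets for a two-step OTP logon: the first Access-Request carries the password and is answered with Access-Challenge and a State attribute, the second carries the OTP together with that State and is answered with Access-Accept or Access-Reject. The client side verifies the Response Authenticator so that a reply from anyone who does not know the shared secret is discarded. The TwoStepOtpServer class, its in-memory user table and the delivered dictionary that stands in for the SMS gateway are constructed for this example.

```python
import hashlib
import os
import secrets
import struct

# RADIUS codes (RFC 2865) behind the accept / reject / challenge outcomes, and the attributes used
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)  # type/length/value

def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        length = blob[i + 1] if i + 1 < len(blob) else 0
        if length < 2 or i + length > len(blob):   # never trust the length octet
            raise ValueError("malformed attribute")
        attrs.append((blob[i], blob[i + 2:i + length]))
        i += length
    return attrs

def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def password_xor(data, secret, request_auth, hiding):
    """RFC 2865 section 5.2 User-Password hiding (hiding=True) and its inverse: 16-byte blocks, MD5 chain."""
    if hiding:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out if hiding else out.rstrip(b"\x00")

def build_request(ident, user, password, secret, state=None):
    """NAS side: Access-Request with a fresh random Request Authenticator; returns (packet, authenticator)."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, password_xor(password, secret, request_auth, True))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth

def parse_reply(reply, request_auth, secret):
    """NAS side: verify the Response Authenticator before acting on the reply code."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("length mismatch")
    if reply[4:20] != response_authenticator(code, ident, request_auth, reply[20:], secret):
        raise ValueError("bad Response Authenticator: not from our server, or tampered with")
    return code, dict(decode_attrs(reply[20:]))

class TwoStepOtpServer:
    """Toy stand-in for the Authentication Service running two-step Mobile Text: step 1 checks the
    password and answers Access-Challenge with a State and a fresh OTP; step 2 checks the OTP
    presented together with that State, which is accepted once only."""
    def __init__(self, secret, users):
        self.secret, self.users = secret, users   # users: name -> password, constructed sample data
        self.pending = {}                         # State -> (user, expected OTP)
        self.delivered = {}                       # user -> OTP, standing in for the SMS gateway

    def _reply(self, code, ident, request_auth, attrs):
        body = encode_attrs(attrs)
        auth = response_authenticator(code, ident, request_auth, body, self.secret)
        return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

    def handle(self, packet):
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length != len(packet):
            return None                           # RFC 2865: silently discard malformed requests
        request_auth = packet[4:20]
        attrs = dict(decode_attrs(packet[20:]))
        user = attrs.get(USER_NAME, b"")
        presented = password_xor(attrs.get(USER_PASSWORD, b""), self.secret, request_auth, False)
        state = attrs.get(STATE)
        if state is None:                         # step 1: password
            if self.users.get(user) != presented:
                return self._reply(ACCESS_REJECT, ident, request_auth, [(REPLY_MESSAGE, b"Invalid credentials")])
            state, otp = os.urandom(8), "%06d" % secrets.randbelow(10 ** 6)
            self.pending[state], self.delivered[user] = (user, otp), otp
            return self._reply(ACCESS_CHALLENGE, ident, request_auth,
                               [(STATE, state), (REPLY_MESSAGE, b"Enter the OTP sent to your phone")])
        expected = self.pending.pop(state, None)  # step 2: OTP; the State cannot be replayed
        if expected is None or expected[0] != user or not secrets.compare_digest(expected[1].encode(), presented):
            return self._reply(ACCESS_REJECT, ident, request_auth, [(REPLY_MESSAGE, b"Invalid OTP")])
        return self._reply(ACCESS_ACCEPT, ident, request_auth, [])

def run_two_step(server, user, password, read_sms, secret):
    """Drive both steps from the NAS side; read_sms(user) plays the user reading the OTP."""
    packet, auth = build_request(1, user, password, secret)
    code, attrs = parse_reply(server.handle(packet), auth, secret)
    if code != ACCESS_CHALLENGE:
        return code
    packet, auth = build_request(2, user, read_sms(user).encode(), secret, state=attrs[STATE])
    return parse_reply(server.handle(packet), auth, secret)[0]
```

The shared secret, the user table and the OTP delivery path are constructed; a deployment sends the OTP through the Mobile Text channel and, as shown, consumes the State on first use so that a captured challenge cannot be replayed.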
WatchGuard Network
General Settings
Service ID. Mandatory: No. Identification number automatically assigned to the Authentication Service when it is created.
Display Name. Mandatory: Yes. Unique name used in the system to identify the Authentication Service.
Internal Host. Mandatory: Yes. IP address or DNS name of the Authentication Service, used for communication in the WatchGuard Network.
Internal Communication Port. Mandatory: No. Port used for internal communication in the WatchGuard Network. Set to 8302 by default.
Listen on all interfaces. Mandatory: No. Specifies what interfaces the service listens to. Not selected by default.
Distribute key files automatically. Mandatory: No. Defines whether or not key files should be automatically distributed from the Administration Service to the Authentication Service after the Authentication Service has been installed. Selected by default.
Port. Mandatory: (Yes). Description not recoverable from extraction.
Define password/PIN
On this tab, you define global password and PIN restrictions for WatchGuard authentication methods.

WatchGuard SSL Mobile Text
Available global password settings for WatchGuard SSL Mobile Text are listed below. Default values are displayed in parentheses.
Minimum (6) and maximum (16) number of characters
Minimum number of letters (2) and numbers (2)
Password validity period in days (90). When set to 0, the password does not expire.
Password history size in number of saved passwords not eligible for reuse (5). The user cannot reuse any of the passwords saved in the password history when changing password.
OTP length in number of characters (6)
Alphabet base for OTP (23456789abcdefghjkmnpqrstuvxyzABCDEFGHJKMNPQRSTUVXYZ). Tip: exclude characters and numbers that can easily be confused, such as 0/o/O and 1/i/I/l/L.
Notification message (Your OTP is {0}. Enter it to login with Mobile Text)
Allow two-step authentication (off). When selected, authentication is split in two sessions: one to make the server send the OTP to the mobile phone, and one to login with the OTP.

WatchGuard SSL Web
Available global password settings for WatchGuard SSL Web are listed below. Default values are displayed in parentheses.
Minimum (6) and maximum (16) number of characters
Minimum number of letters (2) and numbers (2)
Password validity period in days (90). When set to 0, the password does not expire.
Password history size in number of saved passwords not eligible for reuse (5). The user cannot reuse any of the passwords saved in the password history when changing password.
Keyboard appearance: fixed, shift, or random (random)
Allow use of desktop keyboard for numbers (off)

WatchGuard SSL Challenge
Available global PIN settings for WatchGuard SSL Challenge are listed below. Default values are displayed in parentheses.
PIN validity period in days (90). When set to 0, the PIN does not expire.
PIN history size in number of PINs (5). The user cannot reuse any of the PINs saved in the PIN history when changing PIN.
Support value signing (off)
WatchGuard SSL Password
Available global password settings for WatchGuard SSL Password are listed below. Default values are displayed in parentheses.
Minimum (6) and maximum (16) number of characters
Minimum number of letters (2) and numbers (2)
Password validity period in days (90). When set to 0, the password does not expire.
Password history size in number of saved passwords not eligible for reuse (5). The user cannot reuse any of the passwords saved in the password history when changing password.

WatchGuard SSL Synchronized
Available global PIN settings for WatchGuard SSL Synchronized are listed below. Default values are displayed in parentheses.
PIN validity period in days (90). When set to 0, the PIN does not expire.
PIN history size in number of PINs (5). The user cannot reuse any of the PINs saved in the PIN history when changing PIN.
Number of logon attempts allowed before the user is prompted for a new OTP (3)
Number of logon attempts allowed before the user is denied access (10)
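To make the defaults above concrete, here is an added Python example (not code from the guide or from WatchGuard) that enforces the Mobile Text, Web and Password length, letter, digit, validity and history rules, draws an OTP from the default confusion-free alphabet with a cryptographically secure generator, formats the notification message, and counts Synchronized logon failures against the 3 and 10 thresholds. Storing the password history as SHA-256 fingerprints, and reading the "new OTP after 3 attempts" setting as repeating after every 3 failures, are assumptions of this example.

```python
import hashlib
import secrets
from datetime import date, timedelta

# Default OTP alphabet from the Mobile Text settings above: 0/o/O and 1/i/I/l/L are left out
OTP_ALPHABET = "23456789abcdefghjkmnpqrstuvxyzABCDEFGHJKMNPQRSTUVXYZ"


def _fingerprint(password):
    """History entries are stored hashed (an assumption; the guide does not say how)."""
    return hashlib.sha256(password.encode()).hexdigest()


class PasswordPolicy:
    """Global password restrictions with the guide's default values."""

    def __init__(self, min_len=6, max_len=16, min_letters=2, min_digits=2,
                 validity_days=90, history_size=5):
        self.min_len, self.max_len = min_len, max_len
        self.min_letters, self.min_digits = min_letters, min_digits
        self.validity_days, self.history_size = validity_days, history_size

    def violations(self, candidate, history=()):
        """Return the names of the rules a new password breaks (empty list = acceptable)."""
        problems = []
        if not self.min_len <= len(candidate) <= self.max_len:
            problems.append("length")
        if sum(c.isalpha() for c in candidate) < self.min_letters:
            problems.append("letters")
        if sum(c.isdigit() for c in candidate) < self.min_digits:
            problems.append("digits")
        # Only the most recent history_size entries are not eligible for reuse
        if _fingerprint(candidate) in list(history)[-self.history_size:]:
            problems.append("history")
        return problems

    def remember(self, history, password):
        """Append to the history list, keeping it no longer than history_size."""
        history.append(_fingerprint(password))
        del history[:-self.history_size]
        return history

    def expired(self, set_on, today):
        """Validity period 0 means the password never expires."""
        if self.validity_days == 0:
            return False
        return today > set_on + timedelta(days=self.validity_days)


def generate_otp(length=6, alphabet=OTP_ALPHABET):
    """Draw an OTP from the confusion-free alphabet with a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def notification(otp, template="Your OTP is {0}. Enter it to login with Mobile Text"):
    """Fill the Notification message default from the Mobile Text settings."""
    return template.format(otp)


class SynchronizedAttempts:
    """Logon-attempt counting for WatchGuard SSL Synchronized with the defaults above:
    prompt for a new OTP after 3 failures (read here as every 3 failures, this example's
    assumption) and deny access after 10."""

    def __init__(self, new_otp_after=3, deny_after=10):
        self.new_otp_after, self.deny_after = new_otp_after, deny_after
        self.failures = 0

    def record_failure(self):
        self.failures += 1
        if self.failures >= self.deny_after:
            return "denied"
        if self.failures % self.new_otp_after == 0:
            return "new-otp"
        return "retry"

    def record_success(self):
        self.failures = 0
```

The alphabet matters for the OTP's usefulness as much as its length: with 52 symbols a 6-character OTP has roughly 52^6 (about 2 x 10^10) possibilities, and the attempt counter is what keeps an online guess from ever getting near that space.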
Settings tables for the Define password/PIN tab (only the labels and the Mandatory column survived extraction; the defaults are given in the text above):
WatchGuard SSL Web: Maximum (mandatory), Minimum, Minimum, Password expires in, Keyboard Appearance.
WatchGuard SSL Mobile Text: Maximum (mandatory), Minimum, Minimum, Password expires in, OTP Length (mandatory), Generate OTP from, Notification Message, Allow two-step authentication.
WatchGuard SSL Password: Maximum (mandatory), Minimum, Minimum, Password expires in.
Email messages
On this tab, you define the email messages sent to users to notify them of new or changed passwords, PINs, or seeds.
There is no limitation as to allowed number of characters for email messages.
General settings include email recipients, as well as the message subject line, header, and footer. In addition, you can specify different password/PIN/seed messages per authentication method.

Email Addresses
In addition to sending email notifications to the users whose accounts have changed due to new or changed passwords, PINs, or seeds, you have the option to specify additional recipients. Enter email addresses for one or several recipients (use a semicolon to separate several addresses) who will receive email notifications of such events.

Email Messages
Specify the message subject line, header and footer. Default values are listed below:
Subject line: Your Authentication Service account has changed
Header: {0} your account {1} has changed (The variable {0} is replaced with the user's name, {1} with the user ID.)
Footer: Changed by {2}, WatchGuard Administrator (The variable {2} is replaced with the name of the administrator.)

New Password Entered/New PIN Entered
You can specify, per WatchGuard authentication method, the message used to notify users (and any additional recipients) of new passwords or PINs to use when authenticating. The message is available for all WatchGuard authentication methods. The default text is, according to the respective authentication method:
Your new PIN/password for Mobile Text/Web/Challenge/Synchronized/Password Authentication is {0}.
The {0} variable is replaced with the generated password or PIN.

Use Directory Password
For WatchGuard SSL Mobile Text and WatchGuard SSL Password, you can specify the message used to notify users (and any additional recipients) to use the password specified in the directory service when authenticating. The default text is:
Your password has changed.
If the directory service passwords are used instead of the password generated by WatchGuard Administrator, it is strongly recommended that you change the default text provided here to texts that describe which password should be used.
Use Mapped Password/Use Mapped PIN
You can specify, per authentication method, the message used to notify users (and any additional recipients) to use their mapped password or PIN when authenticating. The message is available for all WatchGuard authentication methods. The default text is:
Your password has changed.
If the directory service passwords, or mapped passwords, are used, it is strongly recommended that you change the default texts to texts that describe which password should be used.

Seed
For WatchGuard SSL Synchronized and WatchGuard SSL Challenge, you can specify the message used to notify users (and any additional recipients) of new seeds to use in the Mobile ID clients Synchronized and Challenge. The default text is, according to the respective authentication method:
Your new seed for Challenge/Synchronized Authentication is {0}.
The {0} variable is replaced with the generated seed. It is possible to distribute the mode Challenge or Synchronized together with the seed, resulting in a pre-configured Mobile ID Challenge or Synchronized client with the injected seed. To achieve this, use the variables mode=c for Challenge and mode=s for Synchronized. In the example below, the seed notification includes instructions for Mobile ID client download, a seed, and a variable which is used to pre-configure the client with WatchGuard SSL Challenge.

Example: Download your Mobile ID client from http://<distribution service host>:<distribution service port>/?seed={0}&mode=c

This renders a Mobile ID client with a pre-configured seed when using a supported mobile phone. Other devices receive the seed displayed on screen.
Settings table for the Email messages tab (only the labels Header, Footer and Seed and a Mandatory column of No survived extraction; the defaults are given in the text above).
SMS/Screen messages
On this tab, you define the SMS/Screen messages sent and displayed, respectively, to users to notify them of new or changed passwords, PINs, or seeds. General settings include the header and footer of the SMS/Screen message. In addition, you can specify different password/PIN/seed messages per authentication method.

New Password Entered/New PIN Entered
You can specify, per WatchGuard authentication method, the message used to notify users (and any additional recipients) of new passwords or PINs to use when authenticating. The message is available for all WatchGuard authentication methods. The default text is, according to the respective authentication method:
Mobile Text/Web/Challenge/Synchronized/Password PIN/password: {0}.
The {0} variable is replaced with the generated password or PIN.

Use Directory Password
For WatchGuard SSL Mobile Text and WatchGuard SSL Password, you can specify the message used to notify users (and any additional recipients) to use the password specified in the directory service when authenticating. The default text is:
Your password for Mobile Text/Web/Challenge/Synchronized/Password has changed
If the users will use their directory service passwords instead of the password generated by WatchGuard Administrator, it is strongly recommended that you change the default text provided here to texts that describe which password should be used.

Use Mapped Password/Use Mapped PIN
You can specify, per authentication method, the message used to notify users (and any additional recipients) to use their mapped password or PIN when authenticating. The message is available for all WatchGuard authentication methods. The default text is:
Your password for Mobile Text/Web/Challenge/Synchronized/Password has changed
If the users should use their directory service passwords, or mapped passwords, it is strongly recommended that you change the default texts to texts that describe which password should be used.
Seed
For WatchGuard SSL Synchronized and WatchGuard SSL Challenge, you can specify the message used to notify users (and any additional recipients) of new seeds to use in the Mobile ID clients Synchronized and Challenge. The default text is, according to the respective authentication method:
Your new seed for Challenge/Synchronized Authentication is {0}.
The {0} variable is replaced with the generated seed. It is possible to distribute the mode Challenge or Synchronized together with the seed, resulting in a pre-configured Mobile ID Challenge or Synchronized client with the injected seed. To achieve this, use the variables mode=c for Challenge and mode=s for Synchronized. In the example below, the seed notification includes instructions for Mobile ID client download, a seed, and a variable which is used to pre-configure the client with WatchGuard SSL Challenge.

Example: Download your Mobile ID client from http://<distribution service host>:<distribution service port>/?seed={0}&mode=c

This renders a Mobile ID client with a pre-configured seed when using a supported mobile phone. Other devices receive the seed displayed on screen.
Settings table for the SMS/Screen messages tab (only the label Seed and a Mandatory column of No survived extraction; the defaults are given in the text above).
Certificates
About certificates
A Certificate Authority (CA) issues the client certificates used in authentication. In order to authenticate a user, the CA certificate is needed.

Some client certificates issued by a CA may be stolen, or in some other way be subject to unintended usage. To cancel an already issued client certificate, the client certificate validation routine checks against a list of cancelled client certificates. This list is called the Certificate Revocation List (CRL). The CRL is distributed through a CRL Distribution Point (CDP). Supported CDP protocols are HTTP and LDAP.

Rooted at the root CA, every subordinate CA depends on a chain of trust between the issuers up to the root point. If a CA is compromised, the whole CA and its subordinate CAs are invalid. To check whether a CA is valid or not, the CA issuer produces an Authority Revocation List (ARL) stating which subordinate CAs are not to be trusted.

If you want to use PKI, you have to configure each CA you wish to use. You can then use the configured CA when you add authentication methods of the type User Certificate. Each CA requires a new authentication method, which makes it possible to have several CAs configured and enabled and then configure which CAs are valid for a specific resource. This is a powerful feature, since the trustworthiness of a CA can vary.

There are two prerequisites for managing Certificate Authorities:
An X.509 v3 certificate must be stored in some persistent form on the application host.
A CA Root in your user storage, in order to create CA objects.
Manage certificates
In WatchGuard Administrator, you manage three types of certificates:
Certificate authorities
Server certificates
Client certificates
You can specify server certificates for specific IP addresses and ports, which is useful when managing additional listeners. You specify a display name for the server certificate and connect a certificate to it. Use the View Certificate Details link for certificate details. You need to save a private key for the certificate. The key needs to be a PKCS#8 key in either DER or PEM format. You can also specify a password to be used if the information is encrypted. A CA is required to complete the entire certificate chain. A specific CA certificate for the server certificate can be selected if the browser does not have the root or intermediate CA used to verify the server certificate.
You specify a display name for the client certificate and connect a certificate to it. Use the View Certificate Details link for certificate details. You need to save a private key for the certificate. The key needs to be a PKCS#8 key in either DER or PEM format. You can also specify a password to be used if the information is encrypted.
Settings
Certificate Authority Settings
Enable Certificate Authority. Mandatory: No. Not selected by default.
Retry Interval. Mandatory: No. Description not recoverable from extraction.
(The remaining rows of this table did not survive extraction.)
You should use OCSP as certificate revocation control when possible. If you specify both CRL and OCSP, the CRL check is performed first and, if the certificate is not found in the CRL, an OCSP request is performed as a secondary control.
Device definitions
About device definitions
Devices are used in numerous settings, for example in access rules or in the global Access Point setting Device Control, which controls access for specific devices. Devices are defined using device definitions, which define how HTTP headers in requests are interpreted to identify specific devices. Access Points detect a device based on its HTTP headers. When creating access rules of the type Client Device, device definitions are used to protect a resource. Device definitions are also used for Client Firewalls when creating incoming firewall rules. For more information, see Manage device definitions.
Delegated management
About delegated management
WatchGuard Administrator supports delegated management enabling you to create different administrative roles with different privileges and responsibilities. Each role can be assigned to one or several users stored in the registered user storage location.
The roles Help Desk and Super Administrator are predefined roles, and they cannot be deleted. Roles are used as alert receivers in the Monitor System section, Manage Alerts page.
Selected roles receive notification messages about selected alert events. If you plan to use the new role for alerts, you need to ensure that the selected users have registered email addresses and/or cell phone numbers. A role can be assigned to Administrators. For more information, see Manage delegated management.
Role settings
Role settings are displayed in tabs representing the privileges selected. Each privilege has a separate set of settings available. The Add Role wizard is adjusted accordingly. The privileges View logs and Publish are not editable; they allow for use of the functionality View logs and Publish respectively. General settings and Administrators are common settings for all roles, and are described below.

Help Desk
Settings available for the predefined role Help Desk include:
General Settings: This tab includes the display name and description of the role as well as the option to add available privileges to the role.
User accounts: This tab includes the option to select user groups containing the specific user accounts which the role will be allowed to manage.
Administrators: This tab includes the option to assign the role to existing administrators in user storage. You search for administrators by entering a user ID; the wildcard character * is allowed for a complete search.

Super Administrator
Settings available for the predefined role Super Administrator also include:
General Settings: This tab includes the display name and description of the role as well as the option to add available privileges to the role.
Administrators: This tab includes the option to assign the role to existing administrators in user storage. You search for administrators by entering a user ID; the wildcard character * is allowed for a complete search.

User Account Management
Settings available for the role User Accounts include:
General Settings: This tab includes the display name and description of the role as well as the option to add available privileges to the role.
User accounts: This tab includes the option to select user groups containing the specific user accounts which the role will be allowed to manage.
Administrators: This tab includes the option to assign the role to existing administrators in user storage. You search for administrators by entering a user ID; the wildcard character * is allowed for a complete search.

Resources
General Settings: This tab includes the display name and description of the role as well as the option to add available privileges to the role.
Resources: This tab includes the option to select registered resources which the role will be allowed to manage.
Administrators: This tab includes the option to assign the role to existing administrators in user storage. You search for administrators by entering a user ID; the wildcard character * is allowed for a complete search.
270 WatchGuard SSL 500 & SSL 1000
General Settings
Display Name. Mandatory: Yes. Unique name used in the system to identify the role.
Description. Mandatory: No. Can be used to give a more detailed description of the role.
Privileges
Help desk administration. Mandatory: No. This privilege entitles the role to add, edit, and delete all settings saved for a user account. Not selected by default.
User account management. Mandatory: No. This privilege entitles the role access to all functionality available in the Manage Accounts and Storages section. Not selected by default.
Resource management. Mandatory: No. This privilege entitles the role to add, edit, and delete resources, both resource hosts and resource paths. Not selected by default.
Resource path management. Mandatory: No. This privilege entitles the role to add, edit, and delete resource paths for selected resource hosts. Not selected by default.
View logs. Mandatory: No. This privilege entitles the role to view logs using the Log Viewer for all servers in the WatchGuard Network. Not selected by default.
Publish. Mandatory: No. This privilege entitles the role to publish the updated configuration. Not selected by default.
User Accounts
Select User Group. Mandatory: Yes. Select a user group among the registered groups to make a selection of user accounts the role is entitled to manage.
Administrator
User ID. Mandatory: Yes. The wildcard character * is supported, representing any number of characters (including none). Select one or several users in the Search Result list.
Directory services
About directory services
WatchGuard Administrator supports these directory services:
Microsoft Active Directory
OpenLDAP
Sun Java System Directory Server
Novell eDirectory
Other or Customized configuration of listed directory services
You can choose not to use a directory service, but this eliminates user storage and user accounts features, and limits the functionality of WatchGuard Administrator.
WatchGuard Administrator uses the directory service for user account storage and credentials for authorization and authentication. A directory service supporting LDAP for storing for example user information is recommended when using WatchGuard Administrator. A directory service was initially configured during the Setup System wizard. Please refer to Manage Accounts and Storage for further information on how WatchGuard Administrator uses the directory service. For more information, see Manage directory services.
General Settings
You need to specify at least the IP address or DNS name of the primary host, but you also have the option to set up a secondary host. A listening port is also required; usually this is set to 389 for LDAP and 636 for secure LDAP. Directory service administrator credentials are also specified, for example as a DN, ID, or similar, for an account with read-and-write permissions on the directory service from the specified location. This enables WatchGuard Administrator to read and store user information in the directory service. To specify the Location DN, you can use the Show Tree functionality, which allows you to browse your directory service structure to the exact applicable locations. Furthermore, you specify the number of seconds (allowed range 1-300) the Authentication Service waits for a connection before the Secondary Host is connected. This is set to 15 seconds by default.
The number of allowed retries for the Primary Host is set to 0 by default. When set to 0, each failed connection attempt to the Primary Host results in the Secondary Host being connected, when a secondary host has been configured. You do not have to re-install or re-configure WatchGuard Administrator to change the directory service.

Label | Mandatory | Description
Primary Host | Yes | IP address or DNS name of the primary directory service.
Secondary Host | No | IP address or DNS name of the secondary directory service.
Port | Yes | Listening port for the directory service.
Account | Yes | DN, ID or similar (depending on type of directory service) for an administrative account with read and write permissions on the directory service.
Password | - | Password for Account.
Location DN | - | Location where WatchGuard Administrator users are stored.
Connection timeout | - | Number of seconds (1-300) the Authentication Service waits for a connection before the Secondary Host is connected. Set to 15 by default.
Retries | - | Number of retries for the Primary Host. Set to 0 by default.
(label not preserved) | - | Not selected by default.
Directory Type | - | It is strongly recommended that you do not change directory type if you have active accounts registered. Available options are: Microsoft Active Directory, OpenLDAP, Sun Java System Directory Server, Novell eDirectory, Other or Customized configuration of listed directory services.
Communication Settings
You set up the communication between the directory service and WatchGuard Administrator using the host and port specified in the General Settings section. To secure this communication, you have the option to use SSL with an associated CA certificate. When SSL is used, the CA certificate is required; it is used to validate the certificate presented by the directory server. This is not configured by default.

Label | Mandatory | Description
Use SSL | No | Protocol used for communication with user storage. Not selected by default.
CA Certificate | No | Available when Use SSL is selected, and required in that case.
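The host selection described in the General Settings and Communication Settings sections (primary host with a 1-300 second timeout and a retry count, fall-back to the secondary host, SSL only with a CA certificate) as an added illustration; this is not WatchGuard code, and the host names, the connector stand-in and the port consistency check are constructed assumptions.

```python
"""Directory service host selection: the Authentication Service tries the
Primary Host with a connection timeout (1-300 s, default 15) and a retry count
(default 0); when the retries are used up it connects to the Secondary Host, if
one is configured. Use SSL requires a CA certificate. Illustration only."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class DirectoryConfig:
    primary_host: str
    port: int = 389                 # 389 for LDAP, 636 for LDAP over SSL
    secondary_host: Optional[str] = None
    connection_timeout: int = 15    # seconds, allowed range 1-300
    primary_retries: int = 0        # 0 = fail over on the first failed attempt
    use_ssl: bool = False
    ca_certificate: Optional[str] = None  # required when use_ssl is set

    def validate(self) -> List[str]:
        """Return the list of configuration problems (empty list = valid)."""
        problems = []
        if not 1 <= self.connection_timeout <= 300:
            problems.append("connection_timeout must be 1-300 seconds")
        if self.primary_retries < 0:
            problems.append("primary_retries must be 0 or more")
        if self.use_ssl and not self.ca_certificate:
            problems.append("CA certificate is required when Use SSL is selected")
        # Assumed consistency check: the secure LDAP port without SSL is almost
        # always a misconfiguration that would send the bind password in clear.
        if not self.use_ssl and self.port == 636:
            problems.append("port 636 is the secure LDAP port but Use SSL is not selected")
        return problems


# A connector takes (host, port, timeout_seconds) and returns True on success.
Connector = Callable[[str, int, int], bool]


def choose_host(cfg: DirectoryConfig, connect: Connector,
                attempts: Optional[List[str]] = None) -> Optional[str]:
    """Return the host that accepted the connection, or None if all failed.

    The primary gets 1 + primary_retries attempts; with the default of 0 a
    single failure immediately moves on to the secondary host (when configured).
    The optional attempts list records the order of hosts tried.
    """
    if attempts is None:
        attempts = []
    for _ in range(1 + cfg.primary_retries):
        attempts.append(cfg.primary_host)
        if connect(cfg.primary_host, cfg.port, cfg.connection_timeout):
            return cfg.primary_host
    if cfg.secondary_host:
        attempts.append(cfg.secondary_host)
        if connect(cfg.secondary_host, cfg.port, cfg.connection_timeout):
            return cfg.secondary_host
    return None


def make_flaky_connector(failures_before_success: dict) -> Connector:
    """Constructed stand-in for a real LDAP bind: each host fails the given
    number of times and then succeeds; hosts not listed succeed at once."""
    remaining = dict(failures_before_success)

    def connect(host: str, port: int, timeout: int) -> bool:
        if remaining.get(host, 0) > 0:
            remaining[host] -= 1
            return False
        return True
    return connect


if __name__ == "__main__":
    cfg = DirectoryConfig("ldap1.example.com", 636, "ldap2.example.com",
                          use_ssl=True, ca_certificate="corp-root-ca.pem")
    print("problems:", cfg.validate())
    log: List[str] = []
    chosen = choose_host(cfg, make_flaky_connector({"ldap1.example.com": 1}), log)
    print("connected to", chosen, "after trying", log)
```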
Advanced Settings
Advanced settings are only available if you have selected Other or Customized configuration of listed directory services. You have the option to specify an Object Class, which is used to store user accounts. Object classes allow you to control which attributes are required and allowed in an entry. Example: organizationUnit

An Object Class has three attributes:

Naming: This attribute is the relative name of the object class; it holds the object ID that is automatically generated by the system.
Storing: This attribute is the common object class attribute name used to store the attributes of the storage objects. Example: searchGuide (for Active Directory). It specifies the attribute name used for storing all property data. It is recommended that the LDAP attribute size is at least 5 kB.
Unique name: This attribute is the common object class attribute name used to store the unique name (or a unique ID) of the storage object. Example: l (for locality)

Label | Mandatory | Description
Object Class | No | Name of the object class used to store WatchGuard Administrator users.
Naming Attribute | No | Relative name of the object class.
Storing Attribute | No | Common object class attribute name used to store the attributes of the storage objects.
Unique Name Attribute | No | Common object class attribute name used to store the unique name (or a unique ID) of the storage object.
Notification settings
About notification settings
Notification settings are the SMS and email configuration required to distribute messages and information. The notification settings are the communication channels used for alerts, OTP, password and PIN distribution, and seed notifications. You configure channels for SMS and email. For more information, see Manage Notification settings.
Connection Timeout (mandatory) and Message Class are set for each channel.

Mobile Number Format tab
Label | Mandatory | Description
Remove | No | Characters that should be removed from the mobile number, e.g. +().
Replace prefix | No | If the prefix of the mobile number is incorrect for the service, it can be replaced with a new prefix, e.g. replace 00 with +. In this case enter 00 as Replace prefix and + as New prefix.
New prefix | No | The new prefix that replaces the prefix entered in Replace prefix.

Response Parsing tab
Success Response Codes, Failure Response Codes, Success Response Body, Failure Response Body.

Message tab
To, To Personal, From, From Personal, Subject, Message Body (none mandatory).

SMPP connection fields
Keep Alive (not mandatory), System ID (mandatory), Password (mandatory), System Type, Interface Version, Address TON, Address NPI, Address Range.
Variables
The following variables can be used in all texts; each is replaced with the corresponding content from the user account. A variable is written in square brackets and preceded by a dollar sign, for example [$user-mobile].

Variable Name | Description
message | The notification message that should be sent.
user-id | The ID of the user.
user-display-name | The display name of the user.
user-mobile | The mobile number of the user (processed).
user-mobile-raw | The mobile number of the user (unprocessed).
user-mail-address | The mail address of the user.
administrator-id | The ID of the Administrator.
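The variable substitution above, together with the Mobile Number Format processing (Remove, Replace prefix, New prefix) that distinguishes user-mobile from user-mobile-raw, as an added illustration; this is not WatchGuard code, and the user record keys, the sample account and the decision to leave unknown variables untouched are constructed assumptions.

```python
"""Notification text rendering: [$name] tokens are replaced from the user
account; user-mobile is the number after the Mobile Number Format settings
(remove characters, then replace an incorrect prefix), user-mobile-raw is the
number as stored. Illustration only; field names are assumed."""
import re
from typing import Dict

# Variable syntax from the guide: a dollar sign and a lower-case name in brackets.
VARIABLE = re.compile(r"\[\$([a-z-]+)\]")


def format_mobile(raw: str, remove: str = "", replace_prefix: str = "",
                  new_prefix: str = "") -> str:
    """Apply the Mobile Number Format tab: strip the listed characters, then
    swap the leading prefix (e.g. 00 -> +) if the number starts with it."""
    number = "".join(ch for ch in raw if ch not in remove)
    if replace_prefix and number.startswith(replace_prefix):
        number = new_prefix + number[len(replace_prefix):]
    return number


def build_variables(message: str, user: Dict[str, str], administrator_id: str,
                    mobile_format: Dict[str, str]) -> Dict[str, str]:
    """Assemble exactly the variable table listed in the guide from a user
    account record (assumed keys: id, display_name, mobile, mail)."""
    raw_mobile = user.get("mobile", "")
    return {
        "message": message,
        "user-id": user.get("id", ""),
        "user-display-name": user.get("display_name", ""),
        "user-mobile": format_mobile(raw_mobile,
                                     mobile_format.get("remove", ""),
                                     mobile_format.get("replace_prefix", ""),
                                     mobile_format.get("new_prefix", "")),
        "user-mobile-raw": raw_mobile,
        "user-mail-address": user.get("mail", ""),
        "administrator-id": administrator_id,
    }


def render(template: str, variables: Dict[str, str]) -> str:
    """Replace every [$name] present in the table. Unknown names are left
    verbatim so a typo is visible in the delivered text, and only the listed
    variables can be expanded, never arbitrary account attributes."""
    return VARIABLE.sub(lambda m: variables.get(m.group(1), m.group(0)), template)


if __name__ == "__main__":
    # Constructed sample account and channel settings.
    user = {"id": "alice", "display_name": "Alice Example",
            "mobile": "00 46 (70) 1234567", "mail": "alice@example.com"}
    fmt = {"remove": " ()", "replace_prefix": "00", "new_prefix": "+"}
    table = build_variables("Your one-time password is 123456", user, "admin1", fmt)
    print(render("To [$user-display-name] at [$user-mobile]: [$message]", table))
```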
Policy Services
About Policy Services
The Policy Service makes access decisions, authenticates, audits, and validates certificates as well as digital signatures. Clients communicating with the Policy Service interact via different access channels such as the Web or WAP.
WatchGuard Network
The Policy Service makes the access decisions depending on access policies. These policies rely on who wants to have access, which resource or service the user is requesting, which communication channel the request comes through, and which authentication method is needed. These policies are called Access Rules.
Access rules protect resources by allowing or denying access, and by specifying the requirements for a particular user, resource, or communication channel. Additionally, business related conditions can be customized for different services. For example, only customers who are allowed credit are able to use the ordering function. The Policy Service provides complete control over authentication, and supports several authentication methods, such as static and dynamic passwords, PKI, and challenge-response. A number of systems for authentication can be integrated, and products not managed directly by the Policy Service can be integrated using the Extension Programming Interface (XPI). The Policy Service can connect to multiple authentication systems and CAs. By using caching technology, the solution can scale to serve a large number of users while sustaining high performance. In a traditional solution, the user is first authenticated and then the user information is connected, followed by the log information. The Policy Service instead works with the requested service or communication channel as a starting point. Thus, the resource and channel constitute the requirements for access, regarding authentication method and its associated roles for that particular resource or service. For more information, see Manage Policy Services and Manage global Policy Services settings.
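The access rule model described above (resource and channel as the starting point, requirements on authentication method and user group, rules combined with AND and OR, deny by default) as an added illustration; this is not WatchGuard code, and the policy table, resource names and group names are constructed assumptions.

```python
"""Access rule evaluation: the requested resource and channel select the
requirements (acceptable authentication methods and the required user group),
and rules combine with AND/OR. Illustration only; all names are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]   # user group memberships taken from user storage
    auth_method: str         # how the current session was authenticated
    resource: str
    channel: str             # access channel, e.g. "Web" or "WAP"


# An access rule is a predicate over the request; the combinators below build
# expressions such as (A AND B) AND (C OR D).
Rule = Callable[[Request], bool]


def requires_auth(*methods: str) -> Rule:
    """Satisfied when the session used any one of the listed authentication methods."""
    return lambda r: r.auth_method in methods


def requires_group(group: str) -> Rule:
    """Business condition expressed as group membership, e.g. customers allowed credit."""
    return lambda r: group in r.groups


def all_of(*rules: Rule) -> Rule:
    return lambda r: all(rule(r) for rule in rules)


def any_of(*rules: Rule) -> Rule:
    return lambda r: any(rule(r) for rule in rules)


# Constructed policy table keyed by (resource, channel): the pair selects the
# requirements, which is the evaluation order the guide describes.
POLICY: Dict[Tuple[str, str], Rule] = {
    # Ordering from the Web needs strong authentication AND the credit group.
    ("ordering", "Web"): all_of(
        any_of(requires_auth("PKI"), requires_auth("challenge-response")),
        requires_group("credit-approved")),
    # The same function over WAP is bound to the Mobile Text method.
    ("ordering", "WAP"): all_of(requires_auth("Mobile Text"),
                                requires_group("credit-approved")),
    # The catalogue only needs some authenticated session.
    ("catalog", "Web"): requires_auth("Password", "PKI", "challenge-response"),
}


def decide(req: Request, policy: Dict[Tuple[str, str], Rule] = POLICY) -> bool:
    """Deny by default: a resource/channel pair without a rule is never granted."""
    rule = policy.get((req.resource, req.channel))
    return rule is not None and rule(req)


if __name__ == "__main__":
    alice = Request("alice", frozenset({"customers", "credit-approved"}),
                    "PKI", "ordering", "Web")
    print("alice may order via Web:", decide(alice))
```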
General settings
Policy Service configuration includes the display name as well as the following general settings.

Service ID: When a Policy Service is added to the system, a service ID is automatically generated. The service ID is displayed for the Policy Service in the Registered Policy Services list on the Manage Policy Service page, as well as when editing the Policy Service. The service ID must be entered when the service is installed.
Internal Host: IP address or DNS name of the Policy Service, used for communication in the WatchGuard Network. Avoid using the IP address 0.0.0.0 to listen on all local IP addresses; instead, select the Listen on all interfaces check box.
Internal Port: Incoming port for the Policy Service. Set to 8301 by default.
Listen to All Interfaces: Specifies which interfaces the service listens on. When selected, the service listens on all local IP addresses. When not selected, the service only listens on the specified IP address. Not selected by default.
Distribute Key Files Automatically: Defines whether key files should be automatically distributed from the Administration Service to the Policy Service after the Policy Service has been installed. Deselecting this option keeps the system more secure, but the administrator is then required to copy the key files manually. Selected by default.
General Settings
Label | Mandatory | Description
Service ID | No | Identification number automatically assigned to the Policy Service when it is created.
Display Name | Yes | Unique name used in the system to identify the Policy Service.
Internal Host | Yes | IP address or DNS name of the Policy Service, used for communication in the WatchGuard Network.
Internal Port | Yes | Incoming port for the Policy Service. Set to 8301 by default.
Listen to all interfaces | No | Specifies what interfaces the service listens to. Not selected by default.
Distribute key files automatically | No | Selected by default.
XPI Settings
Label | Mandatory | Description
Enable XPI: Web Services | No | Not selected by default.
Host | Yes | IP address or DNS name of XPI: Web Services. Set to 127.0.0.1 by default.
Port | (Yes) | Defines the incoming port for XPI: Web Services. Set to 443 by default.
Server Certificate | (Yes) | Lists registered server certificates. Mandatory when Enable XPI: Web Services is selected.
Missing Heartbeat Limit: Limit for the number of missing heartbeats before the Policy Service re-connects to the network, if the server has not answered the status request. Missing Heartbeat Limit and Heartbeat Interval together give a default time of 2 minutes (12 x 10 seconds).
Cache specification: Option for the Policy Service to send a cache specification to the Access Point, so that the Access Point can cache authorization decisions.
RADIUS Configuration
About RADIUS configuration
The RADIUS protocol is supported by the WatchGuard authentication methods. Mobile ID authentication refers to the Authentication Service and the WatchGuard authentication methods Web, Mobile Text, Challenge, Synchronized, and Password. A RADIUS client is the client connecting to a RADIUS server for authentication. Usually, the RADIUS server is the Authentication Service, but it can proxy the access request to another authentication server, depending on which authentication method is used. A RADIUS client can be the Policy Service, a firewall, or the RADIUS plug-in for the Policy Service. The Policy Service is a RADIUS client with pre-configured settings. You can configure other RADIUS clients to connect to the Authentication Service for authentication. If the Authentication Service is used with the Policy Service as a RADIUS client, you need to configure WatchGuard authentication methods in the Policy Service. User groups are sent as a RADIUS attribute. Based on access rules of the type user group membership, the RADIUS client performs the access control.
RADIUS Back-end Servers
RADIUS back-end servers are authentication servers handling third-party authentication methods. The Authentication Service can proxy access requests to one or several back-end servers. A back-end server can be an RSA SecurID Server, for example. For more information, see Manage RADIUS configuration.
General Settings
Label | Mandatory | Description
Client IP | Yes | IP address for the RADIUS client.
Shared Secret | Yes | Shared secret between the RADIUS client and the Authentication Service.
Verify Shared Secret | Yes | Verification of Shared Secret.
Attributes
Label | Mandatory | Description
Accept Attributes | No | Attributes sent to the RADIUS client as a response together with Accept.
Challenge Attributes | No | Attributes sent to the RADIUS client as a response together with Challenge.
Reject Attributes | No | Attributes sent to the RADIUS client as a response together with Reject.
The RADIUS back-end server general settings include host (IP address or DNS name), port, and a display name for the back-end server. You are required to specify the time in milliseconds (1000-99000) the Authentication Service waits for a back-end server reply before trying to connect to the next back-end server in the list. You also need to specify a shared secret between the RADIUS back-end server and the Authentication Service.
General Settings
Label | Mandatory | Description
Display Name | Yes | Unique name used in the system to identify the back-end server.
Host | Yes | IP address or DNS name of the back-end server.
Port | Yes | Port for the back-end server. Set to 1812 by default.
Time-out | Yes | Time in milliseconds (1000-99000) the Authentication Service waits for a back-end server reply, before trying to connect to the next back-end server in the list. Set to 5000 by default.
Shared Secret | Yes | Secret shared between the Authentication Service and the back-end server.
Verify Shared Secret | Yes | Verification of Shared Secret.
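What the shared secret configured for a RADIUS client or back-end server above actually does on the wire, as an added illustration following RFC 2865: it hides the User-Password in the Access-Request and authenticates the server's reply, so a reply built without the secret is rejected. This is not WatchGuard code; the secret, user name, client IP and request authenticator in the test are constructed.

```python
"""RADIUS Access-Request / Access-Accept handling with the shared secret
(RFC 2865): password hiding in the request and the Response Authenticator that
lets the client verify a reply. Illustration only; values are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous block), the first block using the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does before checking the password."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length covers the two header octets."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def packet(code: int, identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def build_access_request(username: str, password: str, client_ip: str, secret: bytes,
                         identifier: int = 1,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Client side: fresh 16-octet Request Authenticator, hidden password, and
    NAS-IP-Address carrying the Client IP the server matches against its client list."""
    ra = request_authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in client_ip.split("."))))
    return packet(ACCESS_REQUEST, identifier, ra, attrs)


def response_authenticator(code: int, identifier: int, request_authenticator: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code: int, request: bytes, attributes: bytes, secret: bytes) -> bytes:
    """Server side: Accept/Reject/Challenge bound to the request's ID and authenticator."""
    identifier, ra = request[1], request[4:20]
    auth = response_authenticator(code, identifier, ra, attributes, secret)
    return packet(code, identifier, auth, attributes)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator does not match the outstanding
    request and the shared secret is discarded; this is what defeats a forged
    Access-Accept or a reply replayed against a different request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request("alice", "p@ssw0rd", "192.0.2.10", secret)
    accept = build_response(ACCESS_ACCEPT, req, b"", secret)
    print("genuine accept verifies:", verify_response(accept, req, secret))
    print("accept under wrong secret verifies:", verify_response(accept, req, b"other"))
```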
Glossary
A
Access Rules
Define specific requirements for access to resources and SSO domains. The access rules can be used in combination for more detailed access control. Example: (access rule A AND access rule B) AND (access rule C OR access rule D).
ASCII
American Standard Code for Information Interchange. Standard 8 bit code used in data communications. Many files interchanged from one software program to another and from IBM to Mac formats go through translation into ASCII.
ASN.1
Abbreviation for Abstract Syntax Notation one, a standard notation describing data structures for representing, encoding, transmitting, and decoding data. ASN.1 provides a set of formal rules for describing the structure of objects that are independent of machine-specific encoding techniques.
Authentication
The process of verifying the identity of an individual connecting to a system. Identities are verified through different authentication methods. See also: Authentication Method, Access Rules
Authentication Method
A procedure used to perform authentication. Different authentication methods provide different levels of proof when identifying a user connecting to a system: from verifying basic static passwords to handling complex combinations of challenges, encryption keys, and passwords. See also: Authentication
Authentication Server
A server used in application access control. For access to specific network resources, the server may itself store user permissions and company policies or provide access to directories that contain the information. Examples of authentication servers are WatchGuard Authentication Service, SecurID and SafeWord. See also: Authentication
Authorization
The process of granting or denying access to a system resource. See also: Authentication Method, Access Rules
B
BankID
BankID is a service that offers secure electronic identification and signature on the Internet, which is now legally binding in the EU. The service has been developed by a number of large banks for use by members of the public, authorities, companies, and other organizations.
Base64
A method of encoding binary data sent as an attachment through email. Base64 encoding divides three bytes of data into four bytes of ASCII text, making the resulting file size approximately 33% larger.
Base DN
Identifies the root node of the LDAP data store pointing to the directory containing user data.
C
CA
Abbreviation for Certificate Authority, a trusted third-party organization or company that issues digital certificates. The role of the CA is to validate the identity of the individual holding the certificate and to sign the certificate so that it cannot be forged.
CA Certificate
Abbreviation for Certificate Authority Certificate, a certificate that identifies a certification authority. CA certificates are used to decide whether to trust certificates issued by the CA, for example when a Web browser validates a server certificate.
Cipher
A cryptographic algorithm used to encrypt and decrypt files and messages.
Client Certificate
An attachment to an electronic message used for security purposes. The client certificates are associated with user accounts to authenticate users and give access to protected resources.
CDP
Abbreviation for Control Distribution Point.
Client Device
The software of a client that communicates with the server. The client device may include the operating system, plug-ins, specific configurations and the proxies/gateways that the client communicates through. Examples of client devices are: Netscape 7, Windows, Macintosh, Internet Explorer and WAP-phone. A client device may be a combination of entities. For example, this combination may be present for a single device: Windows, Internet Explorer and Internet Explorer 6.
CRC
Abbreviation for Certificate Revocation Control. A control performed by the system to make sure that the user certificate is not revoked.
CRL
Abbreviation for Certificate Revocation List. A document maintained and published by a certification authority that lists certificates that have been revoked.
CVC
Abbreviation for Certificate Authority Validity Control, a control performed by the system on the user certificate to verify that a trusted CA has issued the User Certificate.
D
Delegated Management
A feature used to delegate administration of user accounts and resources to multiple administrators with different privileges and responsibilities.
DER
Abbreviation for Distinguished Encoding Rules, used to encode ASN.1 objects for a consistent encoding using a binary format. Microsoft Internet Explorer understands certificates downloaded in this format. See also: ASN.1
Device
See Client Device
Digital Certificate
Digital certificates are used to identify people and resources over networks such as the Internet. Digital certificates enable secure communication between two parties. A trusted third-party organization or company, Certificate Authority, issues certificates. The certificate contains the public key and the name of its owner. The user certificate also carries the digital signature of a Certification Authority to verify its integrity. See also: CA
Directory Service
A directory of names, profile information and machine addresses of every user and resource on the network. It is used to manage user accounts and network permissions. When sent a user name, it returns the attributes of that individual, which may include a telephone number as well as an email address. Directory services use highly specialized databases that are typically hierarchical in design and provide fast lookups.
Display Name
Defines the unique name used in the system to identify an object.
Distribution Channel
The media channel through which information is sent. For example, MobileID can send information via SMS or SMTP.
DMZ
Abbreviation for Demilitarized Zone, a middle ground between an organization's trusted internal network and an untrusted, external network such as the Internet. It is recommended that the Access Point is placed in the DMZ.
DN
Abbreviation for Distinguished Name, used as primary key to entries in directory services. For example, a DN for where users reside in the directory service could be cn=users,dc=mycompany,dc=com.
DNS
Abbreviation for Domain Name System, a name resolution system that allows users to locate computers on a Unix network or the Internet (TCP/IP network) by domain name. The DNS server maintains a database of domain names (host names) and their corresponding IP addresses. For example, if www.mycompany.com was presented to a DNS server, the IP address 204.0.8.51 would be returned.
E
Encryption
Any procedure used in cryptography to convert plaintext into ciphertext in order to prevent anyone except the intended recipient from reading that data.
F
Firewall
A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. The firewall is normally installed at the point where network connections enter a site, normally named DMZ.
FTP
Abbreviation for File Transfer Protocol, a protocol used to transmit files between computers on the Internet. See also: TCP
H
Host
A computer, for example a server, that acts as a source of information or signals. It is connected to a TCP/IP network, including the Internet. A host has a specific local or host number that, together with the network number, forms its unique IP address.
HTTP
Abbreviation for Hypertext Transfer Protocol, a protocol used to transmit files over the World Wide Web.
HTTPS
Abbreviation for HTTP with SSL encryption for security. See also: HTTP, SSL
L
LDAP
Acronym for Lightweight Directory Access Protocol, a client-server protocol for accessing and managing directory information.
Log Levels
Indicate the severity of a message stored in a log: fatal, warning, info, or debug.
M
MIME
Abbreviation for Multipurpose Internet Mail Extensions. A protocol for Internet email that enables the transmission of non-text data such as graphics, audio, video and other binary types of files.
N
NTLM
Abbreviation for NT LAN Manager, a protocol used for authentication.
O
OpenSSL
An open source implementation of the SSL and TLS protocols. See also: SSL, TLS
OU
Abbreviation for Organizational Unit, a standard naming attribute used in LDAP. See also: LDAP
P
PEM
Acronym for Privacy Enhanced Mail, a standard for secure email on the Internet. It supports encryption, digital signatures and digital certificates as well as both private and public key methods.
PIN
Acronym for Personal Identification Number. A private code used for identification of an individual.
PKI
Abbreviation for Public Key Infrastructure, a framework for creating a secure method for exchanging information based on public key cryptography.
Port
A port is usually an interface through which data are sent and received.
Proxy
A server that is placed between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.
R
RADIUS
Acronym for Remote Authentication Dial-In User Service, the de facto standard protocol for authentication servers. RADIUS uses a challenge/response method for authentication.
Resource
A corporate application users can access from a remote location. Available resource types in WatchGuard Administrator are Web resources, tunnel resources, file share resources and customized resources.
Resource Host
Defines the computer where the resource is deployed. A resource host is identified through its unique IP address. A Web resource host or customized resource host can have one or several paths connected to it.
Resource Path
Defines the route to a specific part of the web resource host or customized resource host, for example http://www.resourcehost.com/path/, where the resource path defines a subset of the resource host. Resource paths are defined when user access should be restricted to that specific subset only.
S
SAML
Acronym for Security Assertion Markup Language, an XML standard for exchanging authentication and authorization data between an identity provider and a service provider. WatchGuard Administrator supports SAML 2.0.
Seed
An initial value used to generate pseudorandom numbers. Used when authenticating with WatchGuard SSL Challenge for example.
Server Certificate
Server certificates ensure that communication between clients and application servers is secure and private. The clients use the server certificate to authenticate the identity of the server and to encrypt information for the server, using SSL.
Shared Secret
A shared secret is used, for example, between the Authentication Service and a RADIUS client to mask passwords used in authentication. The shared secret is set manually by the Administrator.
SMS
Abbreviation for Short Message Service, a service for sending messages of up to 160 characters (224 characters if using a 5-bit mode) to cell phones that use Global System for Mobile (GSM) communication.
SMPP
Abbreviation for Short Message Peer-to-Peer protocol. SMPP is a telecommunications industry protocol for exchanging SMS messages between SMS peer entities such as short message service centers.
SSL
Acronym for Secure Sockets Layer, a commonly used protocol for managing the security of a message transmission on the Internet. SSL uses the public- and private-key encryption system, which includes the use of a digital certificate.
SSO
Abbreviation for Single Sign-On, the ability for users to log on once to a network and be able to access all authorized resources. A single sign-on program accepts the user's name and password and automatically logs on to all appropriate servers.
SSO Domain
A collection of resources that share the same logon credentials. A user can have logon credentials for several SSO domains.
T
TCP
Abbreviation for Transport Control Protocol, a transport layer protocol that moves multiple packet data between applications. See also: FTP
TLS
Abbreviation for Transport Layer Security, a protocol intended to secure and authenticate communications across public networks by using data encryption. See also: SSL
Tunneling
A technology that enables a network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. Tunnels are often used to transmit non-IP protocols across IP networks.
U
UDP
Abbreviation for User Datagram Protocol, a transport layer protocol for the Internet. It is a datagram protocol which adds a level of reliability and multiplexing to IP datagrams. It is defined in RFC 768.
URI
Abbreviation for Uniform Resource Identifier, a formatted string that serves as an identifier for a resource, typically on the Internet. URIs are used in HTML to identify the anchors of hyperlinks. URIs in common practice include URLs. See also: URL
URL
Abbreviation for Uniform Resource Locator, a unique, identifying address of any particular page on the Web. See also: URI
User Certificate
See Client Certificate
User Group
A collection of users which share the same properties regarding access rights. There are three types of user groups: User Location Group, User Property Group and Directory Service User Group.
User Storage
A directory service containing information about users, user groups, and user certificates
W
WAP
Acronym for Wireless Application Protocol. A set of communication protocol standards to enable access of online services from a cell phone.
X
X.509
A specification for digital certificates published by the ITU-T (International Telecommunications Union Telecommunication). It specifies information and attributes required for the identification of a person or system.