WatchGuard


Watchguard SSL 100 / SSL 560 - SSL VPN
How to configure a Mac client to access the VPN through the SSL 100 / SSL 560


WatchGuard has still not published an access client for Mac operating systems such as Snow Leopard or later versions. For Windows, WatchGuard provides a separate access client for each main application, but for the Mac there is no proper equivalent.
Mac users can access the VPN through the Java platform. We have confirmed that RDP and the other major access clients can be used through the Java platform, but when we tested with a Lotus Domino server this did not work. As you know from the configuration, the SSL box provides resources to its clients. To give Mac users the relevant features, you can create resources as follows.

Creating an RDP resource for Mac users

Basically, Mac users access the VPN through the Java platform, so what we can do is create a static tunnel as follows.
Step 1 - Log in as the administrator
Step 2 - Select the Resource Access tab
Step 3 - Select Add Resource from the icons at the bottom
Step 4 - Select Tunnel Resource and click Next >
Step 5 - Enter a name that matches the service
Step 6 - Insert an image for the icon
Step 7 - Select Static Tunnel
Step 8 - Click Add Static Tunnel

Step 9 - Fill in the relevant fields

Step 10 - Configure the loopback IP address and port that the RDP client on the Mac will connect to; connections to that loopback address and port are carried through the tunnel to the internal RDP service
Step 11 - Grant access to the appropriate users or user groups according to their privileges
Step 12 - Save
Step 13 - Publish
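What the static tunnel of steps 9 and 10 gives the Mac user is a loopback address and port that the RDP client connects to, with the SSL access client carrying that connection to the internal RDP host. The following Python relay is an added illustration of that idea, not WatchGuard code: it listens on 127.0.0.1, relays every connection to a target host and port, and a constructed echo server stands in for the internal RDP host (port 3389 in real use). Addresses, ports and names are assumptions for the example.

```python
"""Loopback relay that models what the static tunnel does for the Mac user.

Added example, not WatchGuard code. The SSL access client listens on a
loopback address/port on the Mac and carries every connection to the internal
RDP host; here a plain TCP relay plays the client and a constructed echo
server stands in for the RDP host (port 3389 in real life). All addresses and
ports are assumptions for illustration.
"""
import socket
import socketserver
import threading

LOOPBACK = "127.0.0.1"


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class TunnelHandler(socketserver.BaseRequestHandler):
    """One accepted loopback connection, relayed to the tunnel's target."""

    def handle(self) -> None:
        with socket.create_connection(self.server.target, timeout=5) as remote:
            back = threading.Thread(target=_pump, args=(remote, self.request), daemon=True)
            back.start()
            _pump(self.request, remote)
            back.join()


class StaticTunnel(socketserver.ThreadingTCPServer):
    """Listen on LOOPBACK:loopback_port and relay to target=(host, port)."""
    daemon_threads = True
    allow_reuse_address = True

    def __init__(self, loopback_port: int, target):
        self.target = target
        super().__init__((LOOPBACK, loopback_port), TunnelHandler)


class EchoHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for the internal RDP host: echoes what it receives."""

    def handle(self) -> None:
        while True:
            data = self.request.recv(4096)
            if not data:
                break
            self.request.sendall(data)


def serve_in_background(server: socketserver.BaseServer) -> int:
    """Run serve_forever on a daemon thread and return the bound port."""
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def demo(payload: bytes = b"RDP-hello") -> bytes:
    """Send payload through the loopback tunnel; return what the internal host sent back."""
    internal = socketserver.ThreadingTCPServer((LOOPBACK, 0), EchoHandler)
    internal.daemon_threads = True
    internal_port = serve_in_background(internal)
    tunnel = StaticTunnel(0, (LOOPBACK, internal_port))   # port 0: let the OS pick one
    tunnel_port = serve_in_background(tunnel)             # the Mac's RDP client would connect here
    try:
        with socket.create_connection((LOOPBACK, tunnel_port), timeout=5) as client:
            client.sendall(payload)
            client.shutdown(socket.SHUT_WR)       # tell the tunnel we are done sending
            chunks = []
            while True:
                data = client.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        tunnel.shutdown()
        tunnel.server_close()
        internal.shutdown()
        internal.server_close()


if __name__ == "__main__":
    print(demo())
```

Because the listener is bound to 127.0.0.1 only, nothing else on the network can use the Mac as a hop into the RDP server; that is the property the loopback address in step 10 gives you.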
------------------------------------------------------------------------------------------------------------------------------


How to add a user to the SSL VPN (XTM 5)


Most of the time you need to configure VPN tunnels for external users who need to access local resources. These external users can be anywhere, e.g. if the company director travels to another country and needs to access the company ERP solution. In such a scenario you have to configure a VPN tunnel between the company network and the external party.

  
1.  First of all, log in to the SSL box as the administrator.
2.  Select the User Management tab.
3.  Select the "Add User" icon from the bottom.
4.  Give the user name.
5.  If the user is in the AD, you can link the user with the AD; if not, you can create the user as an outside (non-AD) user.
6.  Enter the display name.
7.  Click "Next".
8.  Select the appropriate user authentication method from the available options.
9.  Enter the notification details here.
10. Give a valid email address and phone number.
11. Select "Finish Wizard".
12. Another menu appears, where you can give the PIN number.
13. Enter the PIN manually and then confirm it.
14. Then you need to generate a seed for the created user.
15. Select "Finish Wizard".

--------------------------------------------------------------------------

How it works

We already discussed how to create a resource on the WatchGuard SSL appliance. Two kinds of resource are available: Web resources and Tunnel resources (the static tunnel created above is one of the latter).

See also: http://firewalltip.blogspot.com/

First of all, you need to create a resource in the Resource Access tab. Once you have created a new resource, you can see a navigation menu on the left-hand side. There are a few options such as Client Firewall, Access Rules, Application Portal, SSO Domains and the log-off option.

When you create a user, you can add that user to a user group. Giving permissions according to user groups is the best practice. After you have created the new user and added the account to a user group, you can create an access rule, which gives you more control: an access rule maps each user group to the resources it may access.

After you complete this process you should save the configuration and then publish it. Only then do the changes appear on the dashboard.
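To show how the user -> group -> access rule -> resource chain and the save/publish step fit together, here is a small Python model, added as an example rather than taken from the appliance. It assumes that a resource is reachable only when a published access rule for one of the user's groups allows it, and that an explicit deny rule wins over an allow; the user, group and resource names are constructed.

```python
"""Model of group-based access rules for published resources.

Added example, not WatchGuard code. Assumptions (labelled here): a resource is
reachable only if a *published* access rule for one of the user's groups
allows it, and an explicit deny rule beats an allow. All names are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRule:
    group: str
    resource: str
    allow: bool = True          # False models an explicit deny rule


@dataclass
class SslPortal:
    users: dict = field(default_factory=dict)       # user -> set of groups
    resources: set = field(default_factory=set)     # names created in Resource Access
    pending: list = field(default_factory=list)     # saved but not yet published rules
    active: list = field(default_factory=list)      # rules in force after Publish

    def add_resource(self, name: str) -> None:
        self.resources.add(name)

    def add_user(self, user: str, *groups: str) -> None:
        # Permissions are granted via groups, so a user always carries a group set.
        self.users.setdefault(user, set()).update(groups)

    def add_access_rule(self, rule: AccessRule) -> None:
        if rule.resource not in self.resources:
            raise ValueError(f"unknown resource {rule.resource!r}")
        self.pending.append(rule)

    def publish(self) -> None:
        # Only published configuration is enforced (save alone is not enough).
        self.active = list(self.pending)

    def is_allowed(self, user: str, resource: str) -> bool:
        groups = self.users.get(user, set())
        decisions = [r.allow for r in self.active
                     if r.resource == resource and r.group in groups]
        if not decisions:
            return False        # default deny: no published rule, no access
        return all(decisions)   # any explicit deny for one of the user's groups wins


def demo() -> dict:
    """Walk through the procedure above and return who can reach what."""
    portal = SslPortal()
    portal.add_resource("RDP-ERP")                 # e.g. the static tunnel resource
    portal.add_resource("Intranet-Web")
    portal.add_user("director", "Management", "Staff")
    portal.add_user("intern", "Staff")
    portal.add_user("contractor")                  # created but placed in no group
    portal.add_access_rule(AccessRule("Management", "RDP-ERP"))
    portal.add_access_rule(AccessRule("Staff", "Intranet-Web"))
    results = {"director_rdp_before_publish": portal.is_allowed("director", "RDP-ERP")}
    portal.publish()
    results.update({
        "director_rdp": portal.is_allowed("director", "RDP-ERP"),
        "intern_rdp": portal.is_allowed("intern", "RDP-ERP"),
        "intern_web": portal.is_allowed("intern", "Intranet-Web"),
        "contractor_web": portal.is_allowed("contractor", "Intranet-Web"),
    })
    # An explicit deny for Staff also hits the director, who is in Staff too.
    portal.add_access_rule(AccessRule("Staff", "RDP-ERP", allow=False))
    portal.publish()
    results["director_rdp_after_staff_deny"] = portal.is_allowed("director", "RDP-ERP")
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The two checks worth keeping in mind from this model are the first and the last result: a saved-but-unpublished rule grants nothing, and a user who sits in several groups is subject to the rules of all of them.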


NAT (Network Address Translation)
NAT Types
1. Dynamic NAT
2. 1-to-1 NAT
3. Static NAT


Dynamic NAT (normally used for traffic that goes out to the Internet from the firewall)

Once Dynamic NAT is configured, the firewall changes the source IP address of each outgoing connection to match the IP address of the device interface that the connection goes out through. Normally that is the external interface. For traffic that goes to an external network, packets go out through the device's External interface, so Dynamic NAT changes the source IP address to the External interface IP address. The XTM device tracks the private source IP address and destination address, as well as other IP header information such as source and destination ports and protocol, so that replies can be translated back to the original host.


With Fireware XTM, Dynamic NAT is enabled by default in the NAT Setup dialog box. By default, Dynamic NAT is applied to any connection that starts from one of the three reserved private address ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and goes to an external network.

1-to-1 NAT

When you enable 1-to-1 NAT, the XTM device changes and routes all incoming and outgoing packets sent from one range of addresses to a different range of addresses. Each address in the first range maps to exactly one address in the second range, in both directions, so this is typically used to give an internal server its own public address.


Static NAT

Static NAT, also called port forwarding, is configured inside a policy. It lets the XTM device accept a connection to an External interface IP address on a given port and forward it to an internal host, so a single inbound service can be published without giving that host a public address of its own.
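To make the difference between the first two NAT types concrete, here is a small Python packet-rewriting model, added as an example and not Fireware code: Dynamic NAT rewrites outbound private-to-external connections to the external address and keeps a connection table so only replies to tracked connections get back in, while 1-to-1 NAT maps one address range onto another in both directions. The addresses, ports and the port-allocation scheme are constructed for illustration.

```python
"""Dynamic NAT and 1-to-1 NAT as a small packet-rewriting model.

Added example, not WatchGuard/Fireware code. It mirrors the two behaviours
described above: Dynamic NAT rewrites the source of private->external
connections to the external interface address and keeps a per-connection
table so replies can be mapped back; 1-to-1 NAT maps one address range to
another in both directions. All addresses and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

# The three reserved private ranges that Fireware's default Dynamic NAT entries cover.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class DynamicNAT:
    """Source NAT to one external address with connection tracking."""

    def __init__(self, external_ip: str, first_port: int = 10000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_table = {}   # (proto, src, sport, dst, dport) -> external port
        self.in_table = {}    # (proto, external port, remote, rport) -> (src, sport)

    def outbound(self, p: Packet):
        # Default policy: only private -> external connections are translated.
        if not (is_private(p.src) and not is_private(p.dst)):
            return p
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.out_table.get(key)
        if port is None:
            port = self.next_port          # allocate a fresh external port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.external_ip, sport=port)

    def inbound(self, p: Packet):
        """Translate a reply back; unsolicited inbound packets have no entry and are dropped."""
        entry = self.in_table.get((p.proto, p.dport, p.src, p.sport))
        if entry is None:
            return None
        orig_src, orig_sport = entry
        return replace(p, dst=orig_src, dport=orig_sport)


class OneToOneNAT:
    """Bidirectional mapping of `count` consecutive internal addresses to external ones."""

    def __init__(self, internal_first: str, external_first: str, count: int):
        self.int_base = int(ipaddress.ip_address(internal_first))
        self.ext_base = int(ipaddress.ip_address(external_first))
        self.count = count

    def _translate(self, ip: str, from_base: int, to_base: int) -> str:
        n = int(ipaddress.ip_address(ip))
        if from_base <= n < from_base + self.count:
            return str(ipaddress.ip_address(n - from_base + to_base))
        return ip   # outside the mapped range: untouched

    def outbound(self, p: Packet) -> Packet:
        return replace(p, src=self._translate(p.src, self.int_base, self.ext_base))

    def inbound(self, p: Packet) -> Packet:
        return replace(p, dst=self._translate(p.dst, self.ext_base, self.int_base))


if __name__ == "__main__":
    dyn = DynamicNAT("198.51.100.1")
    print(dyn.outbound(Packet("tcp", "192.168.1.10", 51515, "93.184.216.34", 443)))
    print(dyn.inbound(Packet("tcp", "93.184.216.34", 443, "198.51.100.1", 10000)))
    one = OneToOneNAT("10.0.1.10", "203.0.113.10", 10)
    print(one.inbound(Packet("tcp", "8.8.8.8", 1234, "203.0.113.12", 80)))
```

The security point the model makes visible: with Dynamic NAT alone, an inbound packet that matches no tracked connection has nowhere to go and is dropped, whereas a 1-to-1 mapped address is reachable from outside for every port, so the policies for that host must do the filtering.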
  

  How to reset a WatchGuard Firebox X550e?


In most cases we have seen, people are reluctant to use the box because the licenses have almost expired. They did not renew the licenses, and they no longer have the user name and password either.

You can reset the WatchGuard box as follows.
Step 1-
Switch on your WatchGuard Firebox.
Step 2-
Press and hold the down arrow button for 10 seconds while the box starts.
Step 3-
After it has booted, you can see "Safe mode" on the LCD panel.
Step 4-
Verify the firmware version installed on the box.
Step 5-
Use the Firebox Quick Setup Wizard that matches that firmware version to reset the Firebox.
Step 6-
Connect the Firebox to a notebook with a crossover cable.
Step 7-
Select "Yes, my Firebox is ready to be discovered".
Step 8-
Once connected to the Firebox, assign IP addresses to each port.
Step 9-
Then give the read-only password and the read/write password.
Step 10-
Save to the Firebox and restart it.

Note that this procedure needs nothing more than physical access to the box and a cable: anyone who can reach the front panel can set new passwords, so keep the appliance physically secured.
  
  
-------------------------------------------------------------------------------------------------------------------------

How to use a Dynamic IP Address for the External Interface

Most of the time I have seen this problem occur during Firebox installation, and therefore I have decided to discuss it here.
More: http://firewalltip.blogspot.com

Why do we need a dynamic IP address for the external interface?
               Some medium-sized companies use DHCP or Point-to-Point Protocol over Ethernet (PPPoE for short) for their external link. In such cases we need to configure the Firebox accordingly, so we have to use a dynamic IP address for the external interface of the Firebox.

Configure DHCP for the external interface
                 For this purpose we can use Policy Manager; the following steps are needed.

 1. Network -> Configuration

     Then you will get the following screen.
2. Select the external interface (Interface 0) from that screen and then click the Configure button at the top right.

3. Key in the necessary fields such as Interface Name and Interface Description, and make sure the interface type is "External".

4. Select Use DHCP Client.

5. Select Obtain an IP Automatically.

 6. Click OK.
 
 


   
VLAN (Virtual Local Area Network / Networks)

A VLAN is a group of devices, possibly spread across different physical switches, that are grouped together to work as a single broadcast domain, separate from the other VLANs carried on the same physical network.

Terms
VLAN trunk interface
 The physical interface (switch interface or XTM device interface) that connects a
VLAN device to another VLAN device. Some vendors use this term only for a
switch interface that carries traffic for more than one VLAN. We use this as a
general term to indicate an Ethernet interface on a VLAN-capable device that
connects the device to another VLAN-capable device.

VLAN ID
A number from 1 to 4094 associated with the VLAN. Every VLAN you use has a
unique number.
Tag
This term has two meanings: one for the verb usage, and one for the noun
usage.
[noun] Information that is added to the header of an Ethernet frame. The format
of the tag is defined by the IEEE 802.1Q standard.
[verb] To add a VLAN tag to a data frame’s Ethernet header. The tag is added by
an 802.1Q-compliant device such as an 802.1Q switch or router, or the XTM
device.
Because the physical segment between two 802.1Q devices normally carries
only tagged data packets, we call it the tagged data segment.
Untag
To remove a VLAN tag from a frame’s Ethernet header. When an 802.1Q device
sends data to a network device that cannot understand 802.1Q VLAN tags, the
device untags the data frames. 
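The tag, untag and VLAN ID definitions above map directly onto a few bytes of the frame. The Python below is an added example, not WatchGuard code: it builds a plain Ethernet frame, inserts an 802.1Q tag (TPID 0x8100 followed by the 16-bit TCI) after the source MAC, reads the 12-bit VLAN ID back, strips the tag, and shows the egress decision between a tagged (trunk) port and a port that leads to a device that cannot understand tags. The MAC addresses and payload are constructed; the egress helper is a simplification that assumes the frame already carries a tag.

```python
"""802.1Q tagging and untagging of Ethernet frames.

Added example, not WatchGuard code. It inserts a VLAN tag (TPID 0x8100 + TCI)
after the source MAC, reads the VLAN ID back, strips the tag, and decides what
leaves a trunk (tagged) port versus an access (untagged) port. MAC addresses
and payload are constructed; egress() assumes an already-tagged frame.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame: dst MAC (6) + src MAC (6) + EtherType (2) + payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag. VLAN IDs 0 and 4095 are reserved, so only 1..4094 are accepted."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= priority <= 7 or dei not in (0, 1):
        raise ValueError("bad priority/DEI")
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tci = (priority << 13) | (dei << 12) | vlan_id   # PCP(3) | DEI(1) | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def is_tagged(frame: bytes) -> bool:
    return len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def vlan_id_of(frame: bytes):
    """VLAN ID from the tag, or None for an untagged frame."""
    if not is_tagged(frame):
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def untag_frame(frame: bytes) -> bytes:
    """Remove the 4-byte tag so a device that cannot understand 802.1Q can read the frame."""
    if not is_tagged(frame):
        return frame
    return frame[:12] + frame[16:]


def egress(frame: bytes, port_vlans: set, port_tagged: bool):
    """What leaves a port: None if the port does not carry the frame's VLAN,
    the tagged frame on a trunk (tagged) port, the untagged frame on an access port."""
    vid = vlan_id_of(frame)
    if vid is None or vid not in port_vlans:
        return None
    return frame if port_tagged else untag_frame(frame)


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    t = tag_frame(f, 100, priority=5)
    print(t[12:16].hex(), vlan_id_of(t), untag_frame(t) == f)
```

Note what egress() refuses to do: a frame for VLAN 100 is never sent out of a port that only carries VLAN 200, which is the whole point of using VLANs as a segmentation boundary; a device that can send its own tagged frames into a trunk port (VLAN hopping) bypasses that, so trunk ports should face only other 802.1Q devices you control.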


 





Bandwidth Management for individual users or user groups - Web Access

Let's look at how to assign bandwidth to user groups or individual users. In most cases we use user groups to assign bandwidth to each user. We also use this feature to manage Internet access according to user privileges.

As the first step, you have to create HTTP and HTTPS proxy rules in your Policy Manager configuration. After you create the HTTP proxy rule, select the Advanced tab.

Then select Traffic Management.

The first time, you have to create a new rule.

Here you assign the link (interface) the rule applies to, the guaranteed bandwidth and the maximum bandwidth.



   



Single sign-on with the WatchGuard XTM Box


Most of the time users have problems with the firewall authentication process. Sometimes they have to enter their login credentials for authentication every time they browse the web. That is a real waste of time, and to overcome this disadvantage WatchGuard provides a brilliant feature called "Single Sign-On".


Basically, there is an agent running on the AD server that keeps track of the users' logon sessions. Once a user logs in to the domain, the agent records which user is logged on at which workstation address and supplies that information to the XTM device, so the firewall can apply that user's policies without asking for credentials again.
  

--------------------------------------------------------------------------------------------------------------

Application Control in WatchGuard

Another very important feature of the WatchGuard XTM is Application Control. In the early days most people did this kind of application blocking with their proxy servers, and that was not very efficient. This application blocker can block web pages by category, and it covers applications such as YouTube, Facebook applications and other bandwidth-hungry applications.

Not only that, you can easily block specific parts of an application portal, such as Facebook chat or dating-style sub-categories.
    

 

2 comments:

  1. Thank you. Awesome article about WatchGuard for application control and security. Check this link.
    top10-bestvpn.com

  2. Thanks a lot for the cool article.
    Nice application for control and security.
    Awesome configuration.
    Cool blog.
    10webhostingservice