WatchGuard SSL v3.2

What’s New in WatchGuard SSL v3.2

Windows 8 and 64-bit Internet Explorer Support
Outlook Anywhere Support
Nested Group Support
Access Client Settings Synchronization
Access Client History Menu
Optimized Assessment Scan
Confirmation for Startup Commands
DNS Suffix Assignment
Log File Rotation Deletion
WatchGuard Training
Windows 8 and 64-bit Internet Explorer Support
▪ The SSL device now fully supports the Windows 8 operating system (32-bit and 64-bit).
▪ 64-bit Internet Explorer is now supported with new ActiveX loaders for Assessment, Abolishment, and the Access Client.
Outlook Anywhere Support
▪ With Microsoft Outlook Anywhere (also known as RPC over HTTP), end users with the Outlook client can get access to corporate email and calendars over the Internet from outside the corporate domain without having to log into a VPN.
Outlook Anywhere Support
▪ The SSL device now supports Outlook Anywhere
  • The Exchange server does not need to be exposed externally.
  • The processing burden of SSL encryption/decryption is offloaded to the SSL device instead of the Exchange server.
  • Minimal impact on your current network topology.
  • Provides a web resource-based solution (no additional client) and has no impact on the end-user Outlook experience.
Outlook Anywhere Support — Configuration
▪ To enable Outlook Anywhere on your Exchange Server:
  • http://technet.microsoft.com/en-us/library/bb123542.aspx
▪ To enable Outlook Anywhere on the Outlook Client:
  • http://office.microsoft.com/en-us/outlook-help/use-outlook-anywhere-toconnect-to-your-exchange-server-without-vpn-HP010102444.aspx
Outlook Anywhere Support — Configuration
▪ Create a client definition for Outlook Anywhere
  • Select Manage System > Client Definition.
  • Add Client Definition.
▪ uri=*/rpc/*
Outlook Anywhere Support — Configuration
▪ Define Client Access settings
  • Select Resource Access > Manage Global Resource Settings > Client Access
▪ Enable these options:
    – The client does not support cookies
    – The client cannot authenticate using HTML or WML forms
Outlook Anywhere Support — Configuration
▪ Create an OWA Web Resource
  • Create a path “rpc/” for Outlook Anywhere
  • “Microsoft-Server-ActiveSync” for ActiveSync
▪ Create an Authentication Method access rule
  • Outlook cannot select an authentication method, so you must determine the authentication method.
  • Apply the access rule on the “rpc/” path
  • If there is only one enabled Authentication Method, this step is not necessary.
▪ Enable SSO
  • Create an SSO for Outlook Anywhere
  • Apply on the “rpc/” path
  • Enable the Authentication Method to save login credentials for the SSO
  • Outlook Anywhere and ActiveSync can share one SSO, but OWA cannot because it requires Domain\User name as user name by default.
Outlook Anywhere Support — Configuration
▪ Create a Listener (Optional)
  • This step is necessary only if you require separate services for Outlook Anywhere, ActiveSync, Outlook Web Access, and regular VPN access.
  • Import a certificate (Manage System > Certificates)
Outlook Anywhere Support — Configuration
▪ Create a Listener (Optional)
  • Create a listener (Manage System > Device Settings)
Outlook Anywhere Support — Configuration
▪ Create a Listener (Optional)
  • Apply NAT for the listener to the external Internet interface on your firewall
Outlook Anywhere Support — Configuration
▪ Create a DNS name for device
  • Link the DNS name to the OWA Web Resource
▪ In this example, the Access Point will load this web resource when the client request contains “owa2.watchguard.com”
Nested Group Support
▪ The SSL device now correctly supports nested groups (a ‘child’ user group that belongs to another group) within directory services.
▪ Nested groups are now processed correctly when:
  • Access rules are applied
  • Viewed within reports
  • Viewed in the group display in the admin Web UI
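
How nested membership changes the outcome of a group-based access rule, shown as an added Python example (not WatchGuard code; the directory data, group names and function names are constructed for illustration). It goes slightly beyond the slide by also handling circular nesting and by listing the users who pass a rule only through inheritance.

```python
from collections import deque

# Constructed sample directory (hypothetical names). Each group maps to the
# groups it is a direct member of; Contractors <-> Vendors is a deliberate cycle.
GROUP_PARENTS = {
    "Helpdesk": ["IT-Staff"],
    "IT-Staff": ["VPN-Users"],
    "Contractors": ["Vendors"],
    "Vendors": ["Contractors"],
}
USER_GROUPS = {"alice": ["Helpdesk"], "bob": ["Contractors"], "carol": ["VPN-Users"]}


def effective_groups(user):
    """Every group the user belongs to, directly or through nesting."""
    seen = set()
    queue = deque(USER_GROUPS.get(user, []))
    while queue:
        group = queue.popleft()
        if group in seen:  # already expanded; this also stops circular nesting
            continue
        seen.add(group)
        queue.extend(GROUP_PARENTS.get(group, []))
    return seen


def rule_allows(user, required_group, nested=True):
    """Group-based access rule, evaluated with or without nested membership."""
    if nested:
        return required_group in effective_groups(user)
    return required_group in USER_GROUPS.get(user, [])


def inherited_only(required_group):
    """Users who pass the rule only because of nesting (worth an access review)."""
    return sorted(
        user for user in USER_GROUPS
        if rule_allows(user, required_group)
        and not rule_allows(user, required_group, nested=False)
    )


if __name__ == "__main__":
    for name in USER_GROUPS:
        print(name, sorted(effective_groups(name)), rule_allows(name, "VPN-Users"))
    print("inherited only:", inherited_only("VPN-Users"))
```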
Access Client Settings Synchronization
▪ You can store and synchronize individual Access Client preferences, history, and favorite resources on the SSL device.
▪ Synchronization is enabled by default on the SSL device.
▪ On the SSL device, select User Management > Global User Account Settings, then select the new User Client Settings Sync tab.
Access Client — Synchronization Settings
▪ New Synchronization tab on the Access Client preferences page:
  • Sync Server — Enter or select your sync server, which is the address of the SSL device.
  • Enable automatic synchronization — Automatically perform a sync when you are connected to the SSL device through a VPN tunnel.
  • Synchronize Now — Perform a manual sync. If you are not connected to the SSL device through a VPN tunnel, you are prompted to authenticate.
Favorites — Add Favorite for All New Users
▪ You can add favorites globally for new users, or for a specific user, that can be synchronized to their Access Client settings.
▪ To add favorites that will be synchronized to new users:
  • Click User Management > Global User Account Settings.
  • Select the User Client Settings Sync tab.
  • Click Add Favorite Resource.
Favorites — Add Favorite for Specific User
▪ To manage favorites for a specific user:
  • Select User Management > User Accounts.
  • Select a specific user.
  • Select the Favorites tab.
▪ Click Add Favorite Resource.
Access Client — History Menu
▪ When a user loads a tunnel successfully, the details of the tunnel configuration are automatically saved in the Access Client History.
▪ Users can easily open a recently accessed tunnel resource.
▪ The History menu can contain a maximum of 15 items.
Optimized Assessment Scan
▪ Caches the results of assessment access rules to improve the efficiency of assessing connections where multiple access rules are applied globally or applied to many resources.
▪ To configure the behavior of assessment results caching:
  • Select Manage System > Assessment.
  • Select the General Settings tab.
Optimized Assessment Scan
▪ These options are enabled when you create a corresponding assessment access rule, and enable you to collect and cache this information:
  • Windows
  • Process
  • Network
  • Anti-virus
  • Firewall
  • Anti-spyware
▪ If you remove the original access rules, these options remain enabled for caching purposes.
▪ Disable these options to improve client scanning efficiency during assessment when you no longer require these assessment options.
Confirmation for Startup Commands
▪ A Confirm Command option has been added to the Startup tab of a tunnel resource.
  • When enabled, the end user is prompted to confirm the command before it is run.
  • If this option is disabled, the command is run automatically without confirmation.
  • By default, this option is enabled for all resource wizards except RDP Access and SSH Access, where the command text is not readable.
DNS Suffix Assignment
▪ The DNS suffix for a connection is now always applied, even if an IP address assignment fails.
▪ The DNS suffix is assigned automatically if DNS forwarding is enabled in the advanced settings of the Tunnel resource.
▪ The DNS suffix is assigned based on your configured DNS Search Order field on the Manage System > Network Configuration page.
Log File Rotation Deletion
▪ You can now configure how many log files to keep on the system before they are deleted.
▪ This prevents excessive log files from filling up your disk space.
▪ For each type of log, in the Log File Rotation section you can configure the Max Files in Rotation. The default is 90.
Thank You!