Frequently Asked Questions
Firebox® SSL Core™ VPN Gateway
Background
Q: What are the specific trends for the small and medium sized enterprise (SME) driving the need for an SSL VPN product?
A: As a new technology, SSL VPN has been primarily designed for larger organizations. Now with this product, SSL VPN technology can be utilized easily and cost effectively by SMEs. Workforces, including those in small businesses, are increasingly mobile and able to benefit from remote access solutions. SMEs will be investing more in their IT infrastructure, but will do so conservatively, focusing on products that are proven and reliable. Secure remote access over SSL is one such technology.
Q: How does the SSL VPN product tie into WatchGuard's Unified Threat Management security strategy?
A: In addition to providing its brand of simple and strong security through Unified Threat Management security appliances, WatchGuard has identified a need among its SME customer base for specialized security appliances. By quickly deploying software on the robust Firebox® X Core™ platform, WatchGuard is expanding the breadth of offerings for its install base, as well as reaching new customers with these stand-alone products. Now, you can enjoy the best secure remote access solutions including IPSec and SSL VPN from WatchGuard.
Functionality and Deployment
Q: What does the Firebox SSL Core do?
A: Firebox® SSL Core VPN Gateway ensures hassle-free, universal access to network applications and resources - with enterprise-class security and dependability. Its full-featured Secure Access client mode provides mobile users with an in-office experience. Your IT department gets the strong security and administrative control demanded by today's security conscious organizations, including built-in endpoint enforcement and two-factor authentication support. You'll be up and running fast with streamlined deployment and management. No application connectors, no network reconfiguration, no extras to buy. No client hassles.
Q: Is this a firewall appliance?
A: No, it's a VPN gateway appliance that facilitates secure access to a network utilizing SSL-encrypted tunnels. The Firebox SSL Core can work with a WatchGuard Unified Threat Management solution to provide the best security for the SME.
Q: What is the version number of the latest software release for the Firebox SSL Core?
A: The version number for the latest Firebox SSL Core software release is v 5.0. Our documentation and the software application should reflect this version number. Note that our technology partner, Citrix, has designated this software release as v 4.2. This 4.2 version number might also appear in the documentation and in the software application.
Q: How can current Firebox SSL Core customers get the latest software release?
A: Firebox SSL Core customers who have a current LiveSecurity® Service subscription can visit the LiveSecurity Service Software Downloads page at www.watchguard.com/archive/softwarecenter.asp to download this latest update.
Q: Where should this appliance be deployed on the network?
A: The Firebox SSL Core is ideally deployed in the following configurations:
- Connected to a LAN behind a firewall
- Straddling a firewall
- Connected to a LAN behind a server load balancer
Q: Can I deploy the Firebox SSL Core behind most firewalls?
A: The Firebox SSL Core can be deployed behind most firewalls, but ideally, it should be deployed behind a WatchGuard Firebox® X Unified Threat Management security appliance. When connected to the Firebox X through the DMZ, additional content filtering, behavioral analysis, intrusion prevention, and malware protection can be applied to traffic running through the Firebox X.
Q: What applications and network resources can be accessed using the Firebox SSL Core?
A: Most applications or network resources can be accessed through the Firebox SSL Core, without having to modify the application or DNS. Firebox SSL Core is application-agnostic, protocol-agnostic, and offers access to most resources on the network. These include:
- Distributed Windows® and UNIX® applications
- Network file shares
- Data and collaboration services
- SSH
- Telnet
Applications can be accessed in their native form; there's no need for any custom development or "webification."
Q: How can applications and network resources be accessed using the Firebox SSL Core?
A: Firebox SSL Core provides two powerful modes of access out of the box:
- Secure Access client mode utilizes a Web-deployed, auto-updated client that enables access to applications and information resources in their native interface over an SSL-encrypted tunnel.
- Kiosk mode offers one-click access from Microsoft® Windows® and Java™-enabled Web browsers to Web-based applications, an integrated Citrix® ICA client, Remote Desktop, SSH, Telnet 3270 emulator, VNC servers, and shared network drives over an SSL-encrypted tunnel.
Q: How many concurrent tunnels will be available?
A: Firebox SSL Core supports up to 205 concurrent tunnels, and ships with 5 tunnels enabled. Additional tunnels are available in packs of 5, 10, 20, and 50. 3 Kiosk mode tunnels are supported.
Q: Is a tunnel the same as a user?
A: Yes, a tunnel is a concurrent, end-to-end connection for a user. If a Firebox SSL Core has 10 activated tunnels, 10 users can access the network simultaneously. If the 11th user tries to access the Firebox SSL Core, that user will not be able to do so until one of the first 10 users disconnects.
If 100 users need access to 3 different networks behind the Firebox SSL Core, only 100 tunnel licenses are needed.
Q: What devices can be used to access the Firebox SSL Core?
A: When accessing the network using Secure Access client mode, devices must be running one of the following: Windows 2000, Windows 2000 Professional, Windows 2000 Server, Windows XP, XP Home, XP Professional, or any Linux 2.4 platform.
When accessing the network using Kiosk mode, devices must be running a Windows browser or Java-enabled browser (JVM v1.4.2 or higher).
Q: With built-in endpoint security, what kinds of attributes can be verified on the access device before it is allowed to access the network?
A: Before a remote device can establish a connection to the network, its security posture can be verified using the integrated configurable host-checking capabilities. Device attributes that can be verified include:
- Registry checks
  - Check corporate asset tags
  - Confirm that key security software is installed
- File checks
  - Verify the proper antivirus definition files version/dates are present
  - Confirm appropriate OS patches and security updates are installed on the device
- Process checks
  - Verify that antivirus applications, personal firewalls, or other security software is running
  - Check for unwanted processes, such as keyloggers
If any process designated as required for access is disabled or stops during a VPN session, the VPN session will be suspended.
Q: What encryption and certificates are employed with the Firebox SSL Core?
A: The Firebox SSL Core supports most authorized SSL digital certificates and utilizes SSL v3 and TLS v1 for packet encryption. It supports 128- and 168-bit encryption based on the certificate in use. Firebox SSL supports most OpenSSL ciphers: CAST, CAST5, DES, 3DES, IDEA, RC2, RC4, and RC5, utilizing MD5 and SHA1 hashes.
Q: What authentication servers/processes are supported?
A: The Firebox SSL Core supports multiple authentication schemes including:
- HTTP 401 Basic
- Windows® Active Directory
- RADIUS - one or more
- LDAP
- Local user group authorization
- Two-factor authentication: RSA SecurID® (RSA ACE/Server) - one, Next Token Mode
- Double-source and realm-based authentication - multiple authentication servers
- Single sign-on: automatic drive mapping and installation scripts
Q: What advanced networking features are available with the Firebox SSL Core?
A: The Firebox SSL Core includes a variety of networking capabilities that offer flexibility for today's evolving networks. Some of these features include:
- Ability to enable/disable split tunneling
- Support for load balancers
- Dynamic routing using RIP/RIP2
- Static routing
- Split DNS for DNS failover
- Round robin client connection failover
- IP pooling
- Configurable session timeout
- License pooling
- Ability to manage multiple Firebox SSL VPN Gateways from the single Administration Tool
Purchasing
Q: How much does the Firebox SSL Core cost and what is delivered?
A: The Firebox SSL Core comes with a hardened Linux appliance - including a hard disk drive - SSL VPN software, five concurrent tunnels, and 90 days of LiveSecurity® Service.
Additional tunnels can be purchased in increments of 5, 10, 20 and 50 as your organization's secure access needs grow. Tunnel packs are stackable.
Pricing for the Firebox SSL Core and additional tunnels is available from your reseller.
Q: Where can the Firebox SSL Core be purchased?
A: The Firebox SSL Core is available through WatchGuard resellers.
Q: How are additional tunnels obtained?
A: Additional concurrent tunnels can be purchased in stackable tunnel packs via a license key.
LiveSecurity® Service
Q: Is any support included with this product?
A: Yes, 90 days of LiveSecurity will be included with this product, and you will then have the option to purchase a 12- or 24-month LiveSecurity Service subscription. This support subscription provides:
- Software maintenance - hot fixes, patches, and software upgrades - for the term of the subscription
- WatchGuard technical support - by phone and Web-based; plus access to the WatchGuard knowledge base
- Hardware warranty for the term of the subscription
- LiveSecurity email alerts, broadcasts, and other related editorial content
Note: WatchGuard provides technical support to its customers through its subscription-based LiveSecurity Service. Technical support services may also be provided by qualified WatchGuard Security Partners (WSPs).
Q: How is LiveSecurity Service renewed?
A: You must purchase and activate two separate license keys in order to renew LiveSecurity on your Firebox SSL Core. The first key is for the appliance itself and the second key is for the tunnels active on the appliance. You will need both renewal keys in order to renew LiveSecurity; otherwise the LiveSecurity activation cannot be completed.
Example: A Firebox SSL Core with 25 activated tunnel licenses needs to have its LiveSecurity subscription renewed. You will need two LiveSecurity renewal keys to complete your renewal activation.
The two keys needed in this example:
- Firebox SSL Core 1-Year LiveSecurity Renewal
- Firebox® SSL 25 Tunnel 1-Year LiveSecurity Renewal
Citrix® and WatchGuard® Partnership
Q: Why did WatchGuard® and Citrix® decide to form this OEM relationship? Why now? What are the benefits for each company?
A: WatchGuard has been providing mobile user VPN functionality using IPSec for years and was evaluating SSL technology to determine the best path into this market. The OEM agreement with Citrix was logical as it allowed WatchGuard to implement what the company has determined to be the best SSL VPN solution available on the market today. WatchGuard benefits by joining forces with the leader in access platform solutions to enter the SSL market, and Citrix benefits from WatchGuard's security expertise, go-to-market model, and support services for the SME market.