Contents

Related Topics

Configure the Access Portal

To configure the Access Portal, you must:

  • Enable the Access Portal
  • Add application groups
  • Add applications
  • Configure the user connection settings
  • Configure the VPN Portal settings — Interface, port, authentication server, portal design customization (optional), and SAML single sign-on (optional)

You can add custom icons for web applications, Remote Desktop Protocol (RDP) hosts, and Secure Shell (SSH) hosts. We recommend that image files for icons have a maximum size of 64 x 64 pixels.

When you activate the Access Portal, the WatchGuard SSLVPN policy is automatically created. This policy specifies the alias WG-VPN-Portal in the From field. By default, the alias WG-VPN-Portal includes only the Any-External interface.

The WatchGuard SSLVPN policy is shared by the Access Portal, BOVPN over TLS, and Mobile VPN with SSL. For more information about this policy, see SSL/TLS Settings Precedence and Inheritance.

Enable the Access Portal

To enable the Access Portal, from Fireware Web UI or Policy Manager:

  1. Select Subscription Services > Access Portal.
  2. Select Enable Access Portal.

Add an Application Group

To add an application group to the Access Portal, from Fireware Web UI:Closed
  1. Select Subscription Services > Access Portal.
  2. Select Add > Application Group.
    The Add Application Group dialog box appears.
  3. In the Name text box, type a name for the application group.

Screen shot of the Add Application Group dialog box

  1. Click OK.
  2. To add an application to the application group, select the application.

Screen shot of of the Access Portal page

  1. To move the application into an application group, click Move Up or Move Down to move the application into an application group.

Screen shot of the app move option

To add an application group to the Access Portal, from Policy Manager:Closed
  1. Select Add.
    The Web Application or Application Group dialog box appears.
  2. From the Type drop-down list, select Application Group.
  3. In the Name text box, type a name for the application group.
  4. Select applications to move into this application group.

Screen shot of the Web Application or Application Group dialog box

Add a Web Application

You can add external web applications to the Access Portal. Internal web applications are not supported.

To add a web application to the Access Portal, from Fireware Web UI:Closed
  1. Select Add > Web Application.
  2. In the Name text box, type a name for the web application.
  3. In the Description text box, type a description of the web application.
  4. To select a custom icon for the application, select Custom Icon > Choose File.
  5. To remove a custom image that you added, select Reset Image.
  6. In the URL text box, type the URL for the web application.

Screen shot of the Add Web Application page

To add a web application to the Access Portal, from Policy Manager:Closed
  1. Click Add.
    The Web Application or Application Group dialog box appears.
  2. In the Name text box, type a name for the web application.
  3. In the Description text box, type a description of the web application.
  4. To select a custom icon for the application, select Custom Icon > Upload Custom Icon.
  5. In the URL text box, type the URL for the web application.

Screen shot of the Web Application or Application Group tab

Add an RDP Host

The Access Portal supports the Any, NLA, TLS, and RDP security types for connections to RDP hosts. We recommend the default setting Any which works for most connections. When Any is selected, the Firebox negotiates the security protocol with the remote host.

If you change the security type to a setting other than Any, make sure the RDP host has the same security type configured.

Security Settings for Windows RDP Hosts

The guidelines in this section describe which Access Portal RDP security types are compatible with Remote Desktop and Security Layer settings on the Windows RDP host.

These guidelines assume the Windows operating system on the RDP host uses default Security Layer settings. The default Security Layer settings in Windows vary by operating system, and can only be changed through registry edits in some Windows operating systems. We do not support changes to Windows settings that require registry edits.

For all Windows operating systems:

  • We recommend that you select Trust Certificate in the Access Portal RDP settings.
  • If you do not select Trust Certificate, you must import the CA chain for the RDP host into the Firebox. For general certificate import instructions, see Manage Device Certificates (Web UI) or Manage Device Certificates (WSM). When you import the CA chain, you must select the IPSec, Web Server, other certificate function.
  • If the option Allows connections only from computers running Remote Desktop with Network Level Authentication is selected in the Remote Settings in Windows, that host only allows connections that use NLA. In the Access Portal RDP settings, you must select the NLA security type.
Windows 10 and Windows Server 2016 (without the Terminal Server role)Closed
  • You must select the Any, NLA, or TLS security types.
  • If you select TLS, you must change the Remote Settings in Windows so Allows connections only from computers running Remote Desktop with Network Level Authentication is not selected.
  • We do not support the RDP security type because it requires a registry edit to change the security layer value. In Windows 10 and Windows Server 2016 or higher, the default security layer value is TLS.
Windows Server 2016 (with the Terminal Server role)Closed
  • You can select the Any, NLA, TLS, or RDP security types.
  • If you select the RDP security type, you must change the security layer value. When the Terminal Server role is installed, you can change the security layer value in the Windows GUI.

To change the security layer value, from Windows Server 2016:

  1. Open Server Manager.
  2. Select Roles > Remote Desktop Services > RD Session Host Configuration > RDP-Tcp Properties.
  3. Select the General tab.
  4. From the Security layer drop-down list, select Negotiate.
Windows 7, 8, Server 2008 R2, Server 2012 R2 (without the Terminal Server role)Closed

You can select the Any, NLA, TLS, or RDP security types.

Certificate Requirements for macOS and iOS Devices

To connect to an RDP host from a macOS or iOS device with Safari, you must import a certificate on the macOS or iOS device. For information about certificate requirements and the import process, see Install a Certificate on a macOS or iOS Device for RDP or SSH.

To add an RDP host to the Access Portal, from Fireware Web UI:Closed
  1. Click Add.
    The Web Application or Application Group page appears.
  2. From the Type drop-down list, select Host Desktop Access (RDP).
  3. In the Name text box, type a name for the RDP connection.
  4. In the Description text box, type a description of the RDP connection.
  5. To select a custom icon for the application, select Custom Icon > Choose File.
  6. To remove a custom image that you added, select Reset Image.
  7. In the Host text box, type the IP address or domain name of the host to connect to.
  8. To use a port other than 3389, type the number in the Port text box.
  9. From the Security drop-down list, select Any, NLA, RDP, or TLS as the security protocol for the connection. Tip!When Any is selected, the Firebox negotiates the security protocol with the remote host.
  10. If you select RDP or TLS:
    • To require users to specify a user name and password on the RDP login page, select Require users to specify credentials.
    • To specify and save a user name and password for the RDP connection, select Use these credentials.
  11. If the RDP host has a self-signed certificate, and you trust the connection and the RDP host, select Trust certificate.
    For RDP connections to a computer with Windows 10 Enterprise, you must select Trust certificate.

Screen shot of the Add RDP Application page

  1. To require the Firebox to verify the certificate, clear the Trust Certificate check box. You must import the CA chain of the RDP server into the Firebox. For information about how to import CA certificates, see Import and Install a Third-Party Web Server Certificate.
  2. Click the Session tab.

  1. (Optional) Specify the name for the RDP host to use to identify the RDP client.
  2. (Optional) To automatically launch a program when Windows starts, type the file path in the Initial Program text box.
  3. To connect to the console session, select Console Session. You must log in with an account that is a member of the Administrators group.Tip!When you connect to a console session, you see what would appear on a physical monitor attached to the server. In most cases, a console session is not required.

Windows Server 2003

The Console Session option connects you to the physical console session (session 0) on the Windows server. This option is the same as the /console switch in Windows. You can only connect to one console session at a time.

For more information about console connections in Windows Server 2003, see How to Connect to and Shadow the Console Session with Windows Server 2003 Terminal Services.

Windows Server 2008 and higher

The Console Session option connects you to the physical console session on the server. This option is the same as the /admin switch in Windows which replaced the deprecated /console switch. A maximum of two console sessions are allowed at the same time unless you have a Terminal Service license that allows additional concurrent console sessions.

  • If Terminal Server is installed on your Windows server, but you do not have a valid Client Access license, you must select Console Session to remotely administer the server.
  • If Terminal Server is not installed, you do not need to select this option to remotely administer the server.

For more information about console connections in Windows Server 2008 and higher, see Changes to remote administration in Windows Server 2008.

  1. To change the keyboard language, select an option from the Keyboard Language drop-down list.
  2. Click the Display tab.

  1. To change the color depth settings, select an option from the Color Depth drop-down list.
  2. To change the resize method, select one of these options from the Resize Method drop-down list:

Display Update

The server automatically changes the session display size if the client display size changes.

Reconnect

Automatically disconnect if the client display size changes and reconnect with the new display size.

To add an RDP host to the Access Portal, from Policy Manager:Closed
  1. Click Add.
    The Web Application or Application Group page appears.
  2. From the Type drop-down list, select Host Desktop Access (RDP).
  3. In the Name text box, type a name for the RDP connection.
  4. In the Description text box, type a description of the RDP connection.
  5. To select a custom icon for the application, select Custom Icon > Upload Custom Icon.
  6. In the Host text box, type the IP address or domain name for the host to connect to.
  7. To use a port other than 3389, type the number in the Port text box.

Screen shot of the Web Application page in the Access Portal

  1. Click the User Authentication tab.

Screen shot of the authentication settings for RDP

  1. From the Security drop-down list, select Any, RDP, TLS, or NLA as the security protocol for the connection. Tip!When Any is selected, the Firebox negotiates the security protocol with the remote host.
  2. To require users to specify a user name and password on the RDP login page, select Require users to specify credentials.
  3. To specify and save a user name and password for the RDP connection, select Use these credentials.
  4. If the RDP host has a self-signed certificate, and you trust the connection and the RDP host, you can select Trust Certificate.
  5. select View > Certificates > Import Certificate and select IPSec, Web Server, Other.
  6. Click the Session tab.

Screen shot of the RDP session settings

  1. (Optional) In the Client Name text box, specify the name for the RDP host to use to identify the RDP client.
  2. (Optional) To automatically launch a program when Windows starts, type the file path in the Initial Program text box.
  3. To connect to the console session, select Console Session. You must log in with an account that is a member of the Administrators group.Tip!When you connect to a console session, you see what would appear on a physical monitor attached to the server. In most cases, a console session is not required.

Windows Server 2003

The Console Session option connects you to the physical console session (session 0) on the Windows server. This option is the same as the /console switch in Windows. You can only connect to one console session at a time.

For more information about console connections in Windows Server 2003, see How to Connect to and Shadow the Console Session with Windows Server 2003 Terminal Services.

Windows Server 2008 and higher

The Console Session option connects you to the physical console session on the server. This option is the same as the /admin switch in Windows that replaced the deprecated /console switch. A maximum of two console sessions are allowed at the same time unless you have a Terminal Service license that allows additional concurrent console sessions.

  • If Terminal Server is installed on your Windows server, but you do not have a valid Client Access license, you must select Console Session to remotely administer the server.
  • If Terminal Server is not installed, you do not need to select this option to remotely administer the server.

For more information about console connections in Windows Server 2008 and higher, see Changes to remote administration in Windows Server 2008.

  1. To change the keyboard language, select an option from the Keyboard Language drop-down list.
  2. Click the Display tab.

Screen shot of the RDP display settings

  1. To change the color depth settings, select an option from the Color Depth drop-down list.
  2. To change the resize method, select one of these options from the Resize Method drop-down list:

Display Update

The server automatically changes the session display size if the client display size changes.

Reconnect

Automatically disconnect if the client display size changes and reconnect with the new display size.

Add an SSH host

To connect to an SSH host from a macOS or iOS device with Safari, you must import a certificate on the macOS or iOS device. For information about certificate requirements and the import process, see Install a Certificate on a macOS or iOS Device for RDP or SSH.

To add an SSH host to the Access Portal, from Fireware Web UI:Closed
  1. Click Add and select Host Shell Access (SSH).
    The Add SSH Application page appears.
  2. In the Name text box, type a name for the SSH connection.
  3. In the Description text box, type a description of the SSH connection.
  4. To select a custom icon for the application, select Custom Icon > Choose File.
  5. To remove a custom image that you added, select Reset Image.
  6. In the Host text box, type the IP address or domain name for the host you connect to.
  7. To use a port other than 22, type the number in the Port text box.
  8. To require users to specify a user name and password on the RDP login page, select Require users to specify credentials.

Screen shot of the Add SSH application page

  1. To specify and save user credentials for the RDP connection, select Use these credentials.
    1. In the User Name text box, type a user name.
    2. To specify a passphrase, select Use this passphrase.

    Screen shot of the passphrase option

    1. To specify a private key, select Use this private key.
    2. (Optional) In the Decryption Passphrase text box, type a decryption passphrase for the private key.

    Screen shot of the private key option

  2. To change the display settings, select the Display tab.
  3. From the Color Scheme drop-down list, select Black and white, Gray and black, Green and black, or White and black.
  4. To change the font size, type a number in the Font Size text box.
To add an SSH host to the Access Portal, from Policy Manager:Closed
  1. Click Add.

Screen shot of the SSH settings dialog box

  1. From the Type drop-down list, select Host Shell Access (SSH).
  2. In the Name text box, type a name for the SSH connection.
  3. In the Description text box, type a description of the SSH connection.
  4. To select a custom icon for the application, select Custom Icon > Upload Custom Icon.
  5. In the Host text box, type the IP address or domain name for the host to connect to.
  6. To use a port other than 22, type the number in the Port text box.
  7. Click the User Authentication tab.
  8. To require users to specify a user name and password on the RDP login page, select Require users to specify credentials.

Screen shot of the SSH authentication tab

  1. To specify and save user credentials for the RDP connection, select Use these credentials.
    1. In the User Name text box, type a user name. 
    2. To specify a passphrase, select Use this passphrase
    3. To specify a private key, select Use this private key.  
    4. (Optional) In the Decryption Passphrase text box, type a decryption passphrase for the private key. 
  2. To change the display settings, click the Display tab.
  3. From the Color Scheme drop-down list, select Black and white, Gray and black, Green and black, or White and black.
  4. To change the font size, type a number in the Font Size text box.

Screen shot of the Display tab

Install a Certificate on a macOS or iOS Device for RDP or SSH

To connect to an RDP or SSH host from a macOS or iOS device with the Safari web browser, you must configure one of these certificates on the Firebox:

  • Trusted third-party web server certificate signed by a trusted CA
  • Custom web server certificate that specifies the domain name or IP address of the Access Portal

If you install a trusted third-party web server certificate on your Firebox, you do not have to install the certificate on your macOS or iOS device.

If you install a custom web server certificate on the Firebox, you must install the certificate on the macOS or iOS device. The RDP or SSH connection does not work if you only accept the certificate in the Safari web browser.

To install the certificate on an iOS device:Closed
  1. On the Firebox, install a custom web server certificate.
  2. Send the certificate file to the iOS device.
  3. To install the certificate, open the file on the iOS device.
  4. Select Settings > General > About > Certificate Trust Settings to make sure the certificate was installed.
  5. Enable the certificate as a trusted root certificate.

To install the certificate on a macOS device, see Keychain for Mac: Add certificates to a keychain on the Apple website.

Configure the User Connection Settings

You can specify the users and groups that can connect to applications or application groups.

To configure the user connection settings, from Fireware Web UI:Closed
  1. On the Access Portal page, click the User Connection Settings tab.
  2. To give all users and groups permission to connect to all applications, keep the default option selected, All applications are available to all users and groups authenticated with the VPN Portal.
  3. To specify which users and groups can access which applications, select Specify the applications available to each user and group.
  4. Click Add.
    The Add User or Group page appears.
  5. In the Authentication Server drop-down list, select the authentication server where the user or group exists. Tip!You can specify a user defined in the local Firebox-DB authentication server on the Firebox. Or, you can specify a user that already exists on your third-party authentication server.
  6. In the Type drop-down list, specify User or Group.
  7. To specify a user or group that already exists, type the name of the user or group in the Name text box.
  8. To add a new user or group, click Add.
    The Add User or Group dialog box appears.
    1. To add the user or group, follow the instructions in the Use Authorized Users and Groups in Policies topic.
    2. On the Access Portal, on the Add User or Group page, type the name of the user or group in the Name text box.
  9. Select one or more application groups or applications.

Screen shot of the Add User or Group page in the Access Portal

  1. Click OK.
    The User Connection Settings tab appears.

Screen shot of the User Connection Settings page

To configure the user connection settings, from Policy Manager:Closed
  1. In the Access Portal settings, click the User Connection Settings tab.
  2. To give all users and groups permission to connect to all applications, keep the default option selected, All applications are available to all users and groups authenticated with the VPN Portal.
  3. To specify which users and groups can access which applications, select Specify the applications available to each user and group.
  4. Click Add.
    The Add User or Group dialog box appears.
  5. To add a new user or group, click Add and follow the instructions in the Use Authorized Users and Groups in Policies topic.
  6. On the Access Portal, on the Add a User or Group page, select a user or group name from the Name drop-down list.
  7. Select one or more application groups or applications.

Screen shot of the Add a User or Group dialog box

  1. Click OK.

Screen shot of the User Connection Settings tab

To complete the Access Portal setup, you must specify the interface, port, and authentication servers for user connections to the Access Portal. These settings are in the VPN Portal settings on your Firebox. To configure the VPN Portal settings, see Configure the VPN Portal Settings.

See Also

About the Access Portal

Configure the VPN Portal Settings

Customize the Access Portal Design

Customize Access Portal Page Elements with CSS

Give Us Feedback     Get Support     All Product Documentation     Technical Search

© 2018 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.