WALLIX Bastion and Firebox Integration Guide

Deployment Overview

WALLIX offers privileged access management solutions for large and medium-sized enterprises, public organizations, and cloud service providers. WALLIX Bastion helps these customers to protect critical IT assets, such as data, servers, terminals and connected devices.

Integration Summary

The hardware and software used in this guide include:

  • WALLIX Bastion:
    • Version 8.0.1
  • WatchGuard Firebox:
    • Version 12.5.3.B616762
  • Windows Server:
    • 2016

Test Topology

This diagram shows the test topology for SSH:

[Topology diagram: SSH login]

This diagram shows the test topology for the Web UI:

[Topology diagram: Web UI login]

Before You Begin

Before you begin these procedures, make sure that you:

  • Install and complete the initial configuration of WALLIX Bastion
  • Install and complete the initial configuration of your WatchGuard Firebox
  • Install Chrome, Active Directory Domain Services (AD DS), and Remote Desktop Services on your Windows Server
  • Give the user who opens the RDP session on the jump server access to the Remote Desktop Services collection
  • Get the AppDriver.exe and WABChromeLogonUIA.lua files from WALLIX support and save them to your jump server. In this guide we use these file locations:
    • C:\AppDriver\AppDriver.exe
    • C:\AppDriver\WABChromeLogonUIA.lua
  • Publish cmd.exe as a RemoteApp program in Remote Desktop Services and, in the RemoteApp properties, select Allow any command-line parameters

Screen shot of the RDS

Screen shot of the RDS
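The last two prerequisites, done with the RemoteDesktop PowerShell module on the RD Connection Broker. This is an added example and not part of the WALLIX or WatchGuard guide; the broker FQDN, collection name and user group below are assumptions for the example. Because a cmd.exe RemoteApp that accepts any command-line parameters is a full shell on the jump server for anyone who can launch it, the example limits both the collection and the RemoteApp to one group.

```powershell
# Added example (not from the original guide): publish cmd.exe as a RemoteApp that
# accepts any command-line parameters, and limit who can launch it.
Import-Module RemoteDesktop

$Broker      = 'jumpserver.example.local'   # assumed RD Connection Broker FQDN
$Collection  = 'WallixJump'                 # assumed existing session collection
$LaunchGroup = 'EXAMPLE\WallixJumpUsers'    # assumed group that holds the jump server account

# Only members of $LaunchGroup may open sessions in the collection
# (the "access to the collection" prerequisite).
Set-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup $LaunchGroup `
    -ConnectionBroker $Broker

# Publish cmd.exe with "Allow any command-line parameters" (CommandLineSetting Allow).
# Restrict the RemoteApp to the same group and keep it out of RD Web Access.
$app = Get-RDRemoteApp -CollectionName $Collection -Alias 'cmd' -ConnectionBroker $Broker `
    -ErrorAction SilentlyContinue
if (-not $app) {
    New-RDRemoteApp -CollectionName $Collection -Alias 'cmd' -DisplayName 'cmd' `
        -FilePath 'C:\Windows\System32\cmd.exe' -CommandLineSetting Allow `
        -UserGroups $LaunchGroup -ShowInWebAccess $false -ConnectionBroker $Broker | Out-Null
} else {
    Set-RDRemoteApp -CollectionName $Collection -Alias 'cmd' -CommandLineSetting Allow `
        -UserGroups $LaunchGroup -ConnectionBroker $Broker
}

# Check the result: CommandLineSetting must be Allow and UserGroups must be the restricted group.
Get-RDRemoteApp -CollectionName $Collection -Alias 'cmd' -ConnectionBroker $Broker |
    Select-Object Alias, FilePath, CommandLineSetting, UserGroups
```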

Configure Your Firebox for WALLIX Bastion

Add two user accounts, clilogin and weblogin, to the Firebox with the Device Administrator role. For instructions on how to add users to the Firebox, see Fireware Help.

Configure WALLIX Bastion with SSH Login

In this guide, we log in to the Firebox via the Trusted or Optional port. The Firebox IP address must be the Trusted or Optional port IP address.

Add a User Group

  1. Log in to the WALLIX Bastion Web UI.
  2. Select User > Groups.
  3. Click Add a group.
  4. In the Group name text box, type the group name.
  5. From the Available Users list, select your user, then click the arrow to move the user to the Selected Users list. If you did not configure other users, only the WALLIX Bastion Web UI login user appears in the list.
  6. Do not change the other default settings.

Screen shot of the Add user group page

  7. Click Apply.

Screen shot of the User groups page

Add an SSH Login Device

  1. Select Targets > Devices.
  2. Click + Device.
  3. In the Name text box, type the device name.
  4. In the IP address or FQDN text box, type the Firebox IP address.

Screen shot of the General tab

  5. Click Apply.
  6. Select the Services tab.
  7. Click + Service.
  8. From the drop-down list, select SSH.
  9. In the Service name text box, type the service name SSH.
  10. In the Port text box, type 4118.
  11. Select all Proxy options check boxes.
  12. Do not change the other default settings.

Screen shot of the New service dialog box

  13. Click Apply and close.

Screen shot of the Services tab

On the Targets page, Devices tab, the Firebox appears in the list of devices.

Screen shot of the Devices tab

Add an SSH Login Account

  1. Select Targets > Accounts > Device accounts.
  2. Click + Account.
  3. From the Device drop-down list, select the device you created previously.
  4. From the New local domain drop-down list, select local.
  5. In the Account name text box, type the name of a Firebox user account. In this example, we use the clilogin user account. You can also use the default Firebox admin account.
  6. In the Account login text box, type the same text you typed in the Account name text box.
  7. Do not change the other default settings.

Screen shot of the General tab

  8. Click Apply.
  9. Select the Password tab.
  10. In the New password and New password confirmation text boxes, type the password.
  11. Do not change the other default settings.

Screen shot of the Password tab

  12. Click Apply.

Add an SSH Login Group

  1. Select Targets > Groups.
  2. Click + Group.
  3. In the Name text box, type the group name.

Screen shot of the General tab

  4. Click Apply.
  5. Select the Session management targets tab.
  6. Under Account, click + Target(s).
  7. From the From drop-down list, select A device and related local accounts.
  8. From the Device drop-down list, select the device you created in the Add an SSH Login Device section.
  9. From the Service drop-down list, select the service you created in Step 9 of the Add an SSH Login Device section.
  10. In the Local accounts section, select the name of the account you created in Step 5 of the Add an SSH Login Account section.

Screen shot of the Add Target Accounts for Session Management dialog box

  11. Click Add and close.
  12. Click Interactive login.
    Steps 12-17 are optional.
  13. Click + Target(s).
  14. From the From drop-down list, select A device and related services.
  15. From the Device drop-down list, select the device you created in the Add an SSH Login Device section.
  16. In the Services section, select the service you created in Step 9 of the Add an SSH Login Device section.

Screen shot of the Add Interactive Login Targets for Session Management dialog box

  17. Click Add and close.
  18. Select the Password management targets tab.
  19. Click + Target(s).
  20. From the From drop-down list, select A device and related local accounts.
  21. From the Device drop-down list, select the device you created in the Add an SSH Login Device section.
  22. In the Local accounts section, select the name of the account you created in Step 5 of the Add an SSH Login Account section.

Screen shot of the Add Target Accounts for Password Management dialog box

  23. Click Add and close.

Configure WALLIX Bastion with Web UI Login

In this guide, we log in to the Firebox via the Trusted or Optional port. The Firebox IP address must be the Trusted or Optional port IP address.

Add an RDP Jump Server Device

  1. Select Targets > Devices.
  2. Click + Device.
  3. In the Name text box, type the device name.
  4. In the IP address or FQDN text box, type the jump server IP address.

Screen shot of the RDP jump service device IP address

  5. Click Apply.
  6. Select the Services tab.
  7. Click + Service.
  8. From the drop-down list, select RDP.
  9. In the Service name text box, type RDP.
  10. In the Port text box, type 3389.
  11. Select all the Proxy options check boxes.
  12. Do not change the other default settings.

Screen shot of the New Service RDP dialog box

  13. Click Apply and close.

Add a Jump Server Device Account

  1. Select Targets > Accounts > Device accounts.
  2. Click + Account.
  3. From the Device drop-down list, select the device you created previously.
  4. From the New local domain drop-down list, select local.
  5. In the Account name text box, type the account name. This account must exist on your jump server.
  6. In the Account login text box, type the same text you typed in the Account name text box.
  7. Do not change the other default settings.

Screen shot of the General tab

  8. Click Apply.
  9. Select the Password tab.
  10. In the New password and New password confirmation text boxes, type the password.
  11. Do not change the other default settings.

Screen shot of the Password tab

  12. Click Apply.

Add Applications

  1. Select Targets > Applications.
  2. Click Add an application.
  3. In the Name text box, type the application name.
  4. In the Parameters text box, type /lua_file:C:\AppDriver\WABChromeLogonUIA.lua /e:URL=https://Firebox IP Address:8080/ /e:IgnoreCertificateErrors=Yes, where Firebox IP Address is the Trusted or Optional port IP address of your Firebox.
  5. From the Connection policy drop-down list, select RDP.
  6. From the Target/Cluster name drop-down list, select the jump server account you created in the Add a Jump Server Device Account section. In this example, the account is administrator@local@JumpServer:RDP.
  7. In the Application path text box, type C:\AppDriver\AppDriver.exe.
  8. In the Working directory text box, type C:\AppDriver.
  9. Do not change the other default settings.

Screen shot of the Applications tab

  10. Click Apply.

Add an Application Account

  1. Select Targets > Accounts > Application accounts.
  2. Click + Account.
  3. From the Application drop-down list, select the application you created previously.
  4. From the New local domain drop-down list, select local.
  5. In the Account name text box, type the name of a Firebox user account. In this example, we use the weblogin user account. You can also use the default Firebox admin user account.
  6. In the Account login text box, type the same text you typed in the Account name text box.
  7. Do not change the other default settings.

Screen shot of the application account

  8. Click Apply.
  9. Select the Password tab.
  10. In the New password and New password confirmation text boxes, type the password.
  11. Do not change the other default settings.

Screen shot of the Password tab

  12. Click Apply.

Add a Web UI Login Group

  1. Select Targets > Groups.
  2. Click + Group.
  3. In the Name text box, type the group name.

Screen shot of the General tab

  4. Click Apply.
  5. Select the Session management targets tab.
  6. Below Account, click + Target(s).
  7. From the From drop-down list, select An application and related local accounts.
  8. From the Application drop-down list, select the application you created in the Add Applications section.
    The Service drop-down list value is selected automatically.
  9. In the Local accounts section, select the name of the account you created in the Add an Application Account section.

Screen shot of the Add Target Accounts for Session Management dialog box

  10. Click Add and close.
  11. Click Interactive login.
    Steps 12-16 are optional.
  12. Click + Target(s).
  13. From the From drop-down list, select Applications.
  14. From the Applications drop-down list, select the application you created in the Add Applications section.

Screen shot of the Add Interactive Login Targets for Session Management dialog box

  15. Click Add and close.
  16. Select the Password management targets tab.
  17. Click + Target(s).
  18. From the From drop-down list, select An application and related local accounts.
  19. From the Application drop-down list, select the application you created in the Add Applications section.
  20. In the Local accounts section, select the name of the account you created in the Add an Application Account section.

Screen shot of the Add Target Accounts for Password Management dialog box

  21. Click Add and close.

Test the Integration

SSH Login

  1. Open PuTTY.
  2. In the Host Name (or IP Address) and Port text boxes, type the WALLIX Bastion IP address and port number.

Screen shot of PuTTY

  3. Click Open.

Screen shot of the SSH login

  4. Type your WALLIX Bastion Web UI login user name and password.
  5. Select 1.
    You are logged in to the Firebox Command Line Interface (CLI).

To manually enter the Firebox user name and password in Step 4, select 0.

Web UI Login

  1. RDP to WALLIX Bastion.
  2. Log in with your WALLIX Bastion Web UI user name and password.

Screen shot of the Web UI login

  3. Select weblogin@local@Application_WebLogin:APP. Click Connect.

Screen shot of the Web UI login

  4. Click OK.
    WALLIX Bastion starts Chrome, opens the Firebox Web UI, enters the user name and password, and logs in automatically.

Screen shot of the Fireware Web UI

To manually enter the Firebox user name and password in Step 3, select Interactive@Application_WebLogin:APP, and click Connect.

Screen shot of the Web UI login