Update the Management Server with a New Gateway Firebox Address
When you use the WatchGuard Server Center Setup Wizard to set up your Management Server, you specify the IP address of the gateway Firebox that protects the Management Server from the Internet. When the Management Server Setup Wizard is complete, your managed devices connect to the Management Server at the gateway Firebox IP address. This IP address is also the Certificate Revocation List (CRL) Distribution IP address. If you change the IP address of your gateway Firebox, to enable your managed devices to connect to the Management Server at the new gateway Firebox IP address, you must change the CRL Distribution IP address on your Management Server, and update all managed devices with this information. If you do not do this, your managed devices cannot connect to the Management Server.
If you have managed Branch Office VPN (BOVPN) tunnels configured on your Management Server, and the gateway Firebox is the endpoint in any of these tunnels, you must remove those VPN tunnels before you start this procedure. When you complete this procedure, you must create the VPN tunnels again.
When you add a Firebox to your Management Server as a managed device, the WG-Mgmt-Server policy is automatically added to the configuration of the Firebox. This policy includes the IP address of the Management Server. The managed Firebox can then connect to the Management Server at this IP address.
If your Management Server has a private IP address, it is behind a gateway Firebox. The gateway Firebox also includes the WG-Mgmt-Server policy. This policy includes a WG-Mgmt-Server SNAT action to make sure that any connection from a managed Firebox to the Management Server is sent correctly through the external interface of the gateway Firebox. To change the IP address on your Management Server, you must edit the WG-Mgmt-Server SNAT action configuration from the WG-Mgmt-Server policy on the gateway Firebox, update your Management Server configuration, and update each managed Firebox.
The WG-Mgmt-Server policy must include an SNAT action with the name WG-Mgmt-Server. If you manually add the WG-Mgmt-Server policy to your gateway Firebox configuration, you must also manually create the WG-Mgmt-Server SNAT action and add it to the To list in the WG-Mgmt-Server policy.
If you change the IP address of your Management Server computer, you must also update the gateway Firebox and your managed devices with the new address. For instructions to complete this process, go to Change the IP Address of a Management Server.
Change the Gateway Firebox Configuration
To enable connections through your gateway Firebox to your Management Server, after you change the IP address of the gateway Firebox, you must edit the WG-Mgmt-Server SNAT action configuration from the WG-Mgmt-Server policy on the gateway Firebox to specify the new IP address.
- Start Policy Manager for the gateway Firebox.
- Select Network > Configuration and change the IP address of the external interface of the gateway Firebox to the new IP address.
- Double-click the WG-Mgmt-Server policy.
The Edit Policy Properties dialog box appears.
- In the To section of the WG-Mgmt-Server policy, select WG-Mgmt-Server (Static NAT) and click Edit.
The Edit SNAT dialog box appears. - From the SNAT Members list, select the static NAT member and click Edit.
The Edit Static NAT dialog box appears. - From the External/Optional IP Address drop-down list, select the new IP address for your gateway Firebox.
- In the Internal IP Address text box, make sure the correct IP address of your Management Server appears.
- Click OK to close each dialog box.
- Save the Configuration File.
Update the Management Server Configuration
From the Management Server computer:
- Right-click and select Open WatchGuard Server Center.
WatchGuard Server Center appears. - From the Servers tree, select Management Server.
The Management Server page appears.
- Select the Certificates tab.
- In the Certificate Revocation List section, in the Distribution IP Address list, remove the old IP address of the gateway Firebox and add the new IP address.
- Click Apply.
Update Your Managed Devices
After you change the IP address of the gateway Firebox in the gateway Firebox configuration and in the Management Server configuration, you must update each managed device to make sure they can connect to the Management Server at the new address.
From the Management Server computer:
- Open WatchGuard System Manager and connect to your Management Server.
- Select the Device Management tab.
- Right-click a managed device and select Update Device.
- In the Update Client Settings section, select these options:
- Reset Server Configuration
- Expire Lease
- Click OK.
- Repeat Steps 3–5 for each Firebox managed by your Management Server.
When the Fireboxes restart, connections between the Management Server and the managed Fireboxes start again. You can now create again any BOVPN tunnels for which the gateway Firebox is a VPN endpoint.