About FireCloud Windows Server Gateways
Applies To: FireCloud Total Access
With FireCloud Total Access, you can set up a FireCloud Server Gateway to give users access to a specific Windows server and resources on that server. With a Windows Server Gateway, the server is the resource that you give users access to.
Unlike the FireCloud Virtual Gateway, the Server Gateway is deployed and managed with the WatchGuard Agent.
To deploy a FireCloud Server Gateway, you must:
- Install the WatchGuard Agent on a Windows Server (if it is not already installed)
- Add a Gateway in the FireCloud UI and get a verification code
- Use the verification code to complete the Windows Server Gateway installation on your server (the Gateway establishes a connection between FireCloud and your server)
- Configure a private resource for each local resource on the Windows server that you want remote FireCloud users to access
- Add your private resources to FireCloud access rules to give users access to those resources
When you deploy a FireCloud Gateway, you must have ports TCP 443 and UDP 4501 open for the Gateway to connect to FireCloud. The Gateway uses port 443 to authenticate to FireCloud and port 4501 to establish the tunnel that FireCloud uses to connect users to the private resources behind the Gateway.
If port 4501 is in use, you can change the port that the Gateway uses. For detailed information, go to Configure the Port Used for FireCloud Connections.
The FireCloud Windows Server Gateway supports Windows Server 2022 and Windows Server 2025.
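A pre-flight check for the OS and port requirements above, run on the server before you install the Gateway. This is an added example, not WatchGuard tooling or part of the original page. The `$FireCloudHost` value is a placeholder because the page does not name the FireCloud endpoint, and the script assumes that "in use" refers to a local UDP listener on the tunnel port.

```powershell
# Pre-flight check for a FireCloud Windows Server Gateway host (added example).
# $FireCloudHost is a PLACEHOLDER: substitute the FireCloud endpoint that your
# deployment actually connects to. The page does not list one.
param(
    [string]$FireCloudHost = 'firecloud-endpoint.example',
    [int]$TunnelPort = 4501   # default tunnel port named on the page
)

$results = [ordered]@{}

# 1. Supported OS: the page lists Windows Server 2022 and Windows Server 2025.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['OS'] = $os.Caption
$results['SupportedOS'] = $os.Caption -match 'Windows Server (2022|2025)'

# 2. Outbound TCP 443, which the Gateway uses to authenticate to FireCloud.
$tcp = Test-NetConnection -ComputerName $FireCloudHost -Port 443 `
    -WarningAction SilentlyContinue
$results['Tcp443Outbound'] = $tcp.TcpTestSucceeded

# 3. Is the tunnel port already bound by another local process?
#    Assumption: "in use" on the page means a local UDP listener on this port.
$udp = Get-NetUDPEndpoint -LocalPort $TunnelPort -ErrorAction SilentlyContinue
$results['UdpPortFree'] = -not $udp
foreach ($endpoint in $udp) {
    $proc = Get-Process -Id $endpoint.OwningProcess -ErrorAction SilentlyContinue
    Write-Warning ("UDP {0} on {1} is bound by PID {2} ({3})" -f `
        $TunnelPort, $endpoint.LocalAddress, $endpoint.OwningProcess, $proc.ProcessName)
}

# UDP is connectionless, so outbound reachability on the tunnel port cannot be
# confirmed from this host alone; verify it in the perimeter firewall policy.
[pscustomobject]$results
```

If `UdpPortFree` is False, either stop the conflicting process or change the port that the Gateway uses before you continue.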
Configure a Server Gateway
To deploy a Server Gateway, you must:
- Log in to WatchGuard Cloud.
- From the navigation menu, select Configure > FireCloud. If you have a Service Provider account, you must select an account from Account Manager.
- On the Configuration page, click the Private Resources widget.
- Click Add FireCloud Gateway.
- Select Server Gateway.
- Click Next.
- Enter a name for your Gateway.
- Enter an FQDN for your server.
- Select which endpoint to install the Windows Server Gateway on. This list only shows endpoints with the WatchGuard Agent installed. If you want to install the Server Gateway on a Windows server that does not already have the WatchGuard Agent installed, click Add Endpoint and then download and install the agent on your server.
- Click Next.
- Copy the Verification Code generated for your Gateway. This code is required to complete the installation of your Gateway, and is valid for three days. If you do not install the Gateway within three days, you must edit your Gateway and generate a new verification code.
- Click Finish.
- When prompted for the verification code on your server, enter the copied code.
The WatchGuard Agent installs the Server Gateway.
After you install the Gateway, you can click the icon in the system tray to see the Gateway menu. From the menu, you can view log messages or you can pause the Gateway tunnel. When you pause the Gateway tunnel, users cannot connect to resources behind this Gateway until you resume the tunnel.
For detailed steps to add private resources for this Windows Server Gateway, go to Add Private Resources in FireCloud. Make sure that you add your private resources to access rules.
After you set up private resources and add them to access rules, you can connect to those resources through the FireCloud tunnel. For example, if you have a shared folder on the server where the Windows Server Gateway is installed, you can open the folder by entering the FQDN you configured in the File Explorer address bar. You can also press Win+R and enter the FQDN in the Run window.