XCSv
Setup Guide
Notice to Users
Information in this guide is subject to change without notice. Updates to this guide are posted at:
http://www.watchguard.com/help/documentation/
Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be
reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written permission of WatchGuard Technologies, Inc.
ABOUT WATCHGUARD
WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.
For more information, please call 206.613.6600 or visit www.watchguard.com.
ADDRESS
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
SUPPORT
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
SALES
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
WatchGuard XCSv Setup
The WatchGuard XCS is an easy-to-use, all-inclusive email and web appliance that provides security and
privacy of inbound and outbound traffic. The WatchGuard XCS provides content security that enables data
loss prevention, encryption, and content filtering with integrated threat prevention for viruses, spam,
spyware, phishing, and malware attacks, all in a secured appliance.
WatchGuard XCSv is a new email and web security solution that provides all the security features of our
WatchGuard XCS technology optimized for a VMware or Microsoft Hyper-V virtual machine environment.
You can use the WatchGuard XCS Web UI to manage an XCSv device just as you manage any other
WatchGuard XCS device.
This guide introduces the WatchGuard XCSv and provides detailed information on how to configure your
virtual environment and install the XCSv software.
For a full description of the features and capabilities of each XCSv edition, see the Products & Services section
of the WatchGuard web site at www.watchguard.com.
Installation Prerequisites
These sections describe the installation prerequisites for XCSv on VMware and Microsoft Hyper-V.
VMware
You must install the XCSv virtual device in a VMware environment that meets these requirements.
VMware
To install an XCSv virtual device, you must have a VMware vSphere Hypervisor/ESXi v4.1 Update 2 (or
later version) host installed on any supported server hardware.
Note
Make sure your VMware vSphere/ESXi software is updated to the latest patch level.
You must also install the VMware vSphere Client on a supported Windows computer to manage the
virtual machines on your VMware host.
VMware Tools is installed by default with the XCSv virtual device. VMware Tools is a suite of utilities that
enhances and improves the performance and management of the virtual machine, and includes the
ability to cleanly power off or reset the guest operating system software from the host system.
Hardware
The hardware requirements for XCSv are the same as the hardware requirements for VMware vSphere
Hypervisor/ESXi. For information about VMware hardware compatibility, see the VMware
Compatibility Guide at: http://www.vmware.com/resources/compatibility/search.php
WatchGuard XCSv requires that your host hardware supports Intel Virtualization Technology (Intel VT)
or AMD Virtualization (AMD-V) and has these options enabled in the host system BIOS.
For more information about Intel VT compatibility, see the Intel Virtualization Technology List at:
http://ark.intel.com/VTList.aspx
AMD-V is supported in all K8 AMD (Athlon 64) processors from revision F, and all newer processors
support AMD-V technology.
Microsoft Hyper-V
You must install the XCSv virtual device in a Hyper-V environment that meets these requirements.
Hyper-V
Hyper-V role on Windows Server 2008 R2 or Windows Server 2012, or stand-alone version of Hyper-V
Server 2008 R2 or Hyper-V Server 2012.
Make sure your Windows Server or Hyper-V Server software is updated to the latest patch level.
You can use the Hyper-V Manager on Windows Server 2012 to deploy, configure, and provision the
XCSv virtual machine in the Hyper-V environment. You can also use the System Center Virtual Machine
Manager (VMM) interface, or a Hyper-V role on a client computer, instead of Hyper-V Manager.
Hardware
The hardware requirements for XCSv are the same as the hardware requirements for Hyper-V on
Windows Server 2008 R2 or Windows Server 2012.
Network
You can configure a maximum of 8 interfaces.
For information about how to add resources for a VMware virtual machine, see VMware Virtual Machine
Resource Allocation on page 12.
For information on monitoring VMware resource usage, see Resource Monitoring on VMware on page 43.
For information about how to add resources for a Hyper-V virtual machine, see Hyper-V Virtual Machine
Resource Allocation on page 20.
For information on monitoring Hyper-V resource usage, see Resource Monitoring on Hyper-V on page 45.
Deployment
The WatchGuard XCSv is designed to be situated between internal email servers and clients, and external
servers on the Internet so that there are no direct connections between external and internal systems.
The WatchGuard XCSv is typically installed in one of these locations:
On the DMZ (Demilitarized Zone) of a network firewall
Behind the existing firewall on the internal network
In parallel with a network firewall
Messaging traffic is redirected from either the external interface of the network firewall or from the external
router to the WatchGuard XCSv. When the WatchGuard XCSv accepts and processes a message, the device
initiates a connection to the internal mail servers to deliver the messages.
Cluster Support
Clustering provides a scalable, redundant messaging security infrastructure that enables two or more XCSv
devices to act as a single logical unit for processing messages for redundancy and high availability benefits.
You can use multiple instances of XCSv in a cluster.
To provide proper hardware redundancy, we recommend you run clustered XCSv devices on separate virtual
host systems. If you run multiple XCSv devices on the same virtual host hardware, you can provide software
redundancy in the event a specific XCSv device is unavailable, but this does not provide redundancy if the
virtual host hardware or software fails.
For more information on configuring XCSv clustering with a virtual host, see Cluster Configuration on
page 36.
VMware Installation
Installation Overview
To complete the initial installation, you must perform these procedures, which are described in the subsequent sections:
1. In the VMware vSphere client, deploy the XCSv OVF template file to the VMware host.
2. Perform any resource allocation (CPU, memory, disk, network) modifications on the VMware host
based on your XCSv edition.
3. Power on the XCSv virtual device.
4. Connect to the XCSv device to run the Setup Wizard.
Network Considerations
When you deploy the XCSv OVF template to the VMware virtual device, it is initially configured for the Medium
Office Edition with three active interfaces. You must map each of these interfaces to a physical destination
network on your VMware host. After you configure the XCSv device, you can enable and configure additional
XCSv device interfaces or remove interfaces if you need fewer interfaces. The maximum number of interfaces
you can enable in VMware is 10. For information about how to add resources to the device, see VMware
Virtual Machine Resource Allocation on page 12.
Installation
Perform the following steps to install WatchGuard XCSv on a VMware host:
1. Launch a web browser on your computer and type the IP address or host name of the VMware host
server as the URL in the location bar.
2. To download and install the vSphere Client, click Download vSphere Client.
2. Type the IP address, User name, and Password for the VMware host, then click Login.
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. In the vSphere client, select File > Deploy OVF Template.
3. Browse to the location where you saved the WatchGuard XCSv OVF template file, xcsv-<version>.ova.
Click Next.
The XCSv OVF Template Details page appears.
4. Click Next.
The End User License Agreement appears.
5. Review the End-User License Agreement. Click Accept. Click Next.
The Name and Location page appears.
6. In the Name text box, type a name for this virtual device.
7. Select a resource pool within which to deploy this template. Click Next.
The Disk Format page appears.
8. Select the format to store the virtual disks. We recommend that you select Thick provisioned format
to allocate all storage immediately.
9. Click Next.
The Network Mapping page appears.
10. In the Destination Networks column, select the networks to map to each network interface.
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware list, select CPUs.
6. From the Number of virtual sockets drop-down list, select the number of virtual processors
recommended for your XCSv edition.
7. Click OK.
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware list, select Memory.
6. In the Memory Size text box, type or select the memory size recommended for your XCSv edition.
7. Click OK.
Caution
Do not modify the Hard Disk 1. This disk is a fixed size and contains the OS for the XCSv.
To increase the size of the Hard Disk 2 data disk for other XCSv editions (160 GB Large and 256 GB Large XC):
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware list, select Hard disk 2.
6. In the Disk Provisioning section, modify the Provisioned Size setting to the required value (160 GB
Large or 256 GB Large XC).
7. Click OK.
To decrease the size of the Hard Disk 2 data disk for the XCSv Small Edition, you must remove Hard Disk 2 and
add a new hard disk with a recommended size of 40 GB.
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware list, select Hard disk 2.
6. Click Remove.
7. Select Remove from virtual machine and delete files from disk.
8. Click OK.
9. Right click the virtual machine, select Edit Settings.
10. Click Add.
11. Select Hard Disk and click Next.
12. Select Create a new virtual disk and click Next.
13. Set the Disk Size to 40 GB.
14. In the Disk Provisioning section, select Thick Provisioned Lazy Zeroed.
15. Select Store with the virtual machine and click Next.
16. In the Advanced Options, leave the default settings and click Next.
17. Click Finish.
18. Click OK.
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, right click the XCSv virtual machine.
4. Select Edit Settings.
5. In the Hardware tab, click Add.
6. Select Ethernet Adapter as the type of device you want to add. Click Next.
7. From the Type drop-down list, select the type of virtual network adapter to use. The recommended
type, E1000, is selected by default.
8. From the Network label drop-down list, select the name of the virtual network to add.
9. Click Next.
Installation Overview
To complete the initial installation, you must perform these procedures, which are described in the subsequent sections:
Network Considerations
When you deploy the XCSv software to the Hyper-V virtual device, it is initially configured with a single
network interface. You must add a network adapter for each XCSv network interface you require.
You must map each of these interfaces to a physical destination network on your Hyper-V virtual host.
After you configure the XCSv device, you can enable and configure additional XCSv device interfaces or
remove interfaces if you need fewer interfaces. The maximum number of interfaces you can enable in
Hyper-V is 8.
Installation
Perform the following steps to install WatchGuard XCSv on a Hyper-V host.
1. Extract the contents of the Hyper-V zip file to a suitable location on your Hyper-V host where your
virtual hard disks are stored.
2. In Hyper-V Manager, select Action > New > Virtual Machine.
3. Type a Name for your virtual machine and specify a Location.
You can use the default location, or select a new location for the virtual machine on your Hyper-V host.
Caution
Do not enable the Use Dynamic Memory for this virtual machine option. This option is not
supported for XCSv.
3. Select the IDE Controller 0 where the xcs-1.vhd hard drive is located.
5. If you want to use the default 80GB size as a data drive for XCSv Medium edition, select Virtual Hard
Disk, click Browse, then select the location of the xcs-2.vhd file.
You can also define a new drive with the proper size for your specific XCSv edition (Small - 40GB,
Medium - 80GB, Large - 160GB, Large XC - 256GB).
Caution
Do not adjust or delete the xcs-1.vhd hard drive as this is the system disk.
8. Add additional Network Adaptors connected to the required networks on your virtual host.
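The Hyper-V constraints stated in this guide (no Dynamic Memory, at most 8 interfaces, xcs-1.vhd kept as the system disk on IDE Controller 0, data drive sized for the edition) can be checked from the Hyper-V PowerShell module once the virtual machine is built. This is an added example, not WatchGuard code; the function name, the -Edition parameter values and the VM name are assumptions.

```powershell
#Requires -Modules Hyper-V
# Added example (not WatchGuard code): audit a Hyper-V XCSv VM against this guide's constraints.
# Assumptions: the function name, the -Edition parameter and the VM name are hypothetical;
# every virtual hard disk other than xcs-1.vhd is treated as the data drive.

function Test-XcsvHyperVConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [ValidateSet('Small', 'Medium', 'Large', 'LargeXC')] [string] $Edition
    )

    # Data drive sizes per edition, as listed in the guide (GB).
    $dataDiskGB = @{ Small = 40; Medium = 80; Large = 160; LargeXC = 256 }
    $findings = New-Object 'System.Collections.Generic.List[string]'

    $null = Get-VM -Name $VMName -ErrorAction Stop   # fail early if the VM does not exist

    # Dynamic Memory is not supported for XCSv.
    if ((Get-VMMemory -VMName $VMName).DynamicMemoryEnabled) {
        $findings.Add('Dynamic Memory is enabled; the guide says this option is not supported.')
    }

    # Hyper-V allows at most 8 XCSv interfaces, each mapped to a network on the host.
    $nics = @(Get-VMNetworkAdapter -VMName $VMName)
    if ($nics.Count -gt 8) {
        $findings.Add("$($nics.Count) network adapters attached; the Hyper-V maximum is 8.")
    }
    foreach ($nic in $nics) {
        if ([string]::IsNullOrEmpty($nic.SwitchName)) {
            $findings.Add("Network adapter '$($nic.Name)' is not connected to a virtual switch.")
        }
    }

    # xcs-1.vhd is the system disk and belongs on IDE Controller 0.
    $disks  = @(Get-VMHardDiskDrive -VMName $VMName)
    $system = @($disks | Where-Object { $_.Path -and (Split-Path -Leaf $_.Path) -eq 'xcs-1.vhd' })
    if ($system.Count -ne 1) {
        $findings.Add("Expected exactly one xcs-1.vhd system disk, found $($system.Count).")
    }
    elseif ($system[0].ControllerType -ne 'IDE' -or $system[0].ControllerNumber -ne 0) {
        $findings.Add('xcs-1.vhd is not attached to IDE Controller 0.')
    }

    # The data drive should match the size for the chosen edition.
    $data = @($disks | Where-Object { $_.Path -and (Split-Path -Leaf $_.Path) -ne 'xcs-1.vhd' })
    if ($data.Count -eq 0) {
        $findings.Add('No data drive is attached.')
    }
    foreach ($d in $data) {
        $sizeGB = (Get-VHD -Path $d.Path).Size / 1GB
        if ($sizeGB -ne $dataDiskGB[$Edition]) {
            $findings.Add("Data drive '$($d.Path)' is $sizeGB GB; $Edition edition expects $($dataDiskGB[$Edition]) GB.")
        }
    }

    # An empty result means the VM matches every constraint checked above.
    return $findings.ToArray()
}

# Usage (VM name is a placeholder):
# Test-XcsvHyperVConfig -VMName 'XCSv-01' -Edition Medium
```

Run it in an elevated PowerShell session on the Hyper-V host, because Get-VHD reads the disk files directly.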
To modify the default IP address of your XCSv before running the Setup Wizard:
1. In the vSphere Client Inventory tree, select the XCSv virtual device.
2. Click the Console tab.
3. Press Enter to display the login screen.
1. Launch a web browser on your computer and type the IP address of the WatchGuard XCSv as the URL
in the location bar. For example, http://10.0.0.1
The login page appears.
Note
A security certificate notification appears in the browser because the system uses a self-signed
certificate. It is safe to ignore the warning (Internet Explorer) or to add a certificate exception (Mozilla
Firefox).
3. The Setup Wizard introduction page appears. Click Continue to start the installation.
Make sure you register your device serial number with the WatchGuard LiveSecurity web site and
receive a feature key before you proceed with the installation process.
5. Click Continue.
8. On the Customer Information page, type the Organization Name and Server Admin Email.
Device alerts and notifications are sent to the Server Admin Email address.
9. Click Continue.
10. On the Change Password page, type and confirm a new admin password.
We recommend that you choose a secure password of at least 8 characters in length and include a mixture of
upper and lowercase letters, numbers, and special characters.
12. On the Product Serial page, type your XCSv serial number.
Note
The serial number cannot be changed after it has been entered and saved. If you enter the wrong
serial number or need to enter a different one, you must reinstall the XCSv from the OVF template file.
13. On the Feature Key page, select one of these options to add your feature key:
Click Manual Update to manually add a feature key. You must paste your feature key into the text
box and click Apply.
Click Download to automatically download and apply your feature key from the WatchGuard
LiveSecurity service. This option requires an Internet connection and an existing LiveSecurity
account. Make sure you can access the Internet if the device is installed behind a network firewall
or connects through an external proxy server.
Click Enter Feature Key Later to manually add the feature key after the installation. To enter the
feature key manually, from the Web UI, select Administration > System > Feature Key.
If you encounter errors when you add your feature key, check the following:
For Automatic Update:
Make sure you have a valid LiveSecurity account and you have registered your device serial
number
You must have an Internet connection to retrieve your feature key
Make sure communications are not blocked by a network firewall
For Manual Update:
Make sure you cut and paste the entire feature key text
The first line must be Serial Number: V2C9xxxxx-xxxx
The last line is a long line starting with Signature:
14. On the Mail Configuration page, enter your mail domain and server details, and the initial status of
the WatchGuard XCSv security scanning features.
In the Email Domain text box, type the domain for which the WatchGuard XCSv processes
messages. For example, example.com.
In the Internal Mail Server text box, type the IP address of the internal mail server that receives
and sends mail through the WatchGuard XCSv.
The WatchGuard XCSv automatically configures a mail route for the domain and internal mail server
you enter on this page. To configure additional domains for mail routing after the installation is
complete, from the Web UI, select Configuration > Mail > Routing.
The WatchGuard XCSv also automatically configures a Specific Access Pattern to trust your internal
mail server address to allow the mail server to relay mail outbound through the WatchGuard XCSv.
Mail originating from the internal mail server is also trusted for Anti-Spam processing. To configure
Specific Access Patterns after the installation is complete, from the Web UI, select Configuration >
Mail > Access.
15. Click Continue.
16. In the Security Settings section of the Mail Configuration page, you can enable or disable Intercept
Anti-Spam, Anti-Virus, and the Attachment Control features.
If you enable these features in the setup wizard, mail scanning is active when the installation is
complete and mail processing is started.
This table describes the default Intercept settings when you enable Intercept Anti-Spam:
This table describes the default settings for the Intercept Anti-Spam features:
18. If you have purchased the Web Scanning option, a Web Configuration page appears.
In the Security Settings section of the Web Configuration page, you can enable or disable URL
Categorization, Reputation Enabled Defense, and the Anti-Virus features.
If you enable these features in the Installation Wizard, web scanning is active when the installation is
complete and message processing is started.
If you enable URL Categorization, the feature will not be enabled until after the initial control list is
downloaded.
19. Click Continue.
20. From the Messaging System drop-down list, select Enabled to start message traffic processing after
the installation is complete.
If you select Disabled, you can start message processing manually from Activity > Status > Status/
Utility after the installation is complete.
Cluster Configuration
Clustering provides a highly scalable, redundant messaging security infrastructure that enables two or more
WatchGuard XCSv virtual devices to act as a single logical unit for processing messages for redundancy and
high availability benefits. When you configure multiple XCSv virtual devices in a cluster, message traffic flow
is never interrupted because of individual device failures.
Cluster Network
The XCSv virtual devices participating in the cluster communicate through a network interface connected to
a separate network called the Cluster Network. The Cluster Network is a dedicated, secure subnet, and the
devices communicate clustering information with each other through this network. You can add or remove
devices from the cluster network without interruption to message processing.
If your clustered XCSv devices are hosted on the same virtual host system, the virtual switch does not have to
be mapped to physical network interfaces and you can configure the switch as an internal logical switch.
Note
If you install clustered XCSv devices on the same virtual host, this configuration only provides software
redundancy in the event one of the XCSv virtual devices fails. If a hardware or software issue affects
the virtual host, your entire XCSv cluster will be affected.
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. In the vSphere inventory tree, select your XCSv virtual machine.
3. Select the Configuration tab.
4. In the Hardware section, click Networking.
5. Click Add Networking....
The Add Network wizard appears.
6. Select Virtual Machine, then click Next.
7. Select a physical network adapter to use with the virtual switch, or deselect all adapters to create a
logical virtual switch.
8. Click Next.
9. In the Network Label text box, type a name for this switch network.
For example, type Cluster Network.
10. Click Next, then click Finish.
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. Make sure your XCSv virtual machine is powered off.
3. In the vSphere inventory tree, select your XCSv virtual machine.
4. Select Edit Settings.
5. Select the Hardware tab.
6. Select the network adapter you want to use for the cluster.
7. From the Network Label: drop-down list, select Cluster Network, or the name you assigned to the
cluster network in the previous section.
Note
Make sure that an NTP time server is configured on each device, and add additional NTP servers for
redundancy. You cannot enable clustering until you configure an NTP server. The time server
synchronizes all cluster devices from a common time source.
5. Click Apply.
You must restart the system.
For more details on cluster configuration, see the current WatchGuard XCS Help or User Guide.
Resource Monitoring
Your virtual host system may host other virtual machines in addition to the WatchGuard XCSv. To ensure that
your virtual host resources are properly allocated, you must regularly monitor the resource usage and
performance of your virtual host system and your XCSv virtual machine.
1. Launch the vSphere client and log in to the VMware host with administrator credentials.
2. In the vSphere inventory tree, select your VMware host system at the top of the list.
3. Select the Virtual Machines tab.
You can view the disk space, CPU usage, and memory utilization of each virtual machine hosted on
your VMware system.
6. Select the Performance tab for a customized chart view of the VMware host performance.
9. Select the Performance tab for a customized chart view of the XCSv virtual machine performance.