User guide

Migration Guide
Setting Up the Management Server
With WSM 8.0, we move the DVCP off the Firebox and onto a computer using the Windows operating
system. This gives increased scalability and flexibility for the network administrator. The Management
Server has the same functions as the DVCP/CA server from previous releases of WSM. These functions are:
- Centralized management of VPN tunnel configurations
- Certificate authority to make and to send out certificates for IPSec tunnels
The installation software can install the Management Server on the same computer as the management
station. You can also install it on a different computer. You must install the Management Server software
on a computer that is behind a Firebox with a static external IP address. The Management Server does not
operate correctly if it is behind a Firebox with a dynamic IP address on its external interface.
Use the Management Server to do these tasks:
- Start and stop the Management Server
- Set Management Server passphrases
- Enter a Management Server license key
- Configure diagnostic log messages from the Management Server
- Set the certificate authority properties such as domain name and publication period
- Start WatchGuard System Manager to manage Firebox clients, VPN tunnels, and security templates
- Start the Certificate Authority user interface
Passwords and the Key Files
The WatchGuard Management Server encrypts important information that it keeps on the Firebox and on
your local hard disk drive. It uses a number of passwords to protect sensitive information stored on disk or
to secure traffic with client systems. During configuration, you set two passwords and the system creates
system passwords:
Master password - The Management Server uses the master password to encrypt the password file.
This protects all of the other passwords. Select and save the master password carefully and safely.
Use best practices when you select the password. Do not use the same string for the master
password and the administrator password.
It is necessary to use the master password to:
- Migrate the Management Server data to a different computer
- Restore a lost or corrupt master key file
- Change the master password
Administrative password - You use the administrative password to connect to the WatchGuard
System Manager software. You use this password frequently. Use best practices when you select the
password.
System passwords - The Management Server automatically makes other passwords. It uses these
passwords to encrypt files, traffic on VPN tunnels, and for the Certificate Authority private keys.
You cannot see these passwords with the user interface.
The Management Server saves the administrative and system passwords in a password file. It encrypts the
data in the password file with the master password. The master password is not saved. The Management
Server makes an encryption key from the master password and the key is saved on the local disk of the
Management Server.
The default locations for the password file and the encryption key are:
C:\Documents and Settings\WatchGuard\wgauth\wgauth.ini
C:\Documents and Settings\WatchGuard\wgauth\wgauth.key
These files are only used by the Management Server software. It is not necessary to change these files.
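Because the encryption key made from the master password is saved on the same disk as the password file, it is useful to check which accounts can read or change the two files. The PowerShell below is an added example, not part of the WatchGuard guide or software. It uses the default paths given above. The function name `Get-UnexpectedAccess` and the allow-list of accounts (English account names) are assumptions to adjust for your installation.

```powershell
# Added example: report accounts outside an allow-list that can read or
# change the Management Server password file and key file.
# Paths are the defaults given in this guide.
$files = @(
    'C:\Documents and Settings\WatchGuard\wgauth\wgauth.ini',
    'C:\Documents and Settings\WatchGuard\wgauth\wgauth.key'
)

# Assumption: only these principals should have access. Add the account the
# Management Server runs as if it is different.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Rights that expose or alter the file contents or the file's ACL.
$sensitive = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-UnexpectedAccess {
    param(
        [string[]]$Path,
        [string[]]$AllowedIdentity
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Not found: $p"
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            # Deny entries and allow-listed principals are not findings.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($AllowedIdentity -contains $id) { continue }
            # Skip entries that grant none of the sensitive rights.
            if (([int]$ace.FileSystemRights -band [int]$sensitive) -eq 0) { continue }
            [pscustomobject]@{
                File      = $p
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# An empty result means no principal outside the allow-list has these rights.
Get-UnexpectedAccess -Path $files -AllowedIdentity $allowed |
    Format-Table -AutoSize
```

Entries marked as inherited come from the parent `wgauth` folder, so correct them on the folder and not on the individual files.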