Start Websessions via USC
Last adaptation to the version: Portal v1.30 (09.2024) / UTM v12.5.2 (10.2023)
New:
- Layout slightly adapted
- It is possible to memorise the PIN for the current session
Last updated:
- 06.2025
- Arrangement of the web session adapted
- All versions older than v12.5.1 are classified as significantly outdated. 02.2025
- Note on VPN configurations with an upcoming portal version 02.2025
This article refers to a Beta version
Requirements
USC after update
The Unified Security Console must be enabled in the UTM
UTM Settings and permissions for the Unified Security Report
| The Unified Security Report provides a good overview of battery devices directly on the Unified Security Portal. For a UTM to be included there, the function must be activated on the UTM. To activate the Unified Security Report on a UTM, the USR must first be activated for the selected license. More information can be found in the Article on the Unified Security Reporting | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdn 
|
|---|---|---|---|
| Status: | Service is synchronized | Synchronization status with the Unified Security Portal | |
| Privacy policy: | Yes | Consent to the privacy policy of Unified Security Reports | |
| Activated: | Yes | Activating the connection to the Unified Security Portal | |
| Interval: | WeeklyMonthly | Interval at which emails are sent in the report and thus also the reporting period in each case | |
| Recipient: | »support@anyideas.de»geschaeftsfuehrung@ttt-point.de | Email address for reports | |
Settings and authorizations of the UTM for the Unified Security Console
|
notempty Note for cluster licenses In order for both cluster members to be assigned to each other, special new licenses must be registered on both devices. Menu Button To do this, two licenses must be downloaded from the reseller portal. If no license is marked as xynnnnn-SPARE in the reseller portal (matching licenses have an identical color marking on the left side of the table), please send an email to lizenzen@securepoint.de with customer name, customer number and the serial numbers of the devices or, in the case of VMs, with the license ID. Access by then Unified Security Console must first be enabled in the UTM itself in the menu . Attention: It usually takes a few minutes, in unfavorable cases up to an hour, before the menu is displayed for the first time. The process can be shortened by executing the command on the CLI after a few minutes of runtime (the UTM must have had the opportunity to report to the license server!). system restrictions update |
UTMuser@firewall.name.fqdn 
| ||
| Caption | Value | Description |  |
|---|---|---|---|
| Privacy Policy: | Yes | The privacy policy must be accepted | |
| Activated: | Yes | This activates the Unified Security Console - and thus the display, configuration and access via the Securepoint Unified Security portal. | |
| Authentication method: | Authentication method for a web session | ||
| PIN: | •••••••• | As authentication for a web session, a 6-digit PIN can be selected instead of the login mask with access data.
| |
| Displays the Websession PIN | |||
| Creates a new PIN | |||
| The entered PIN is incorrect | After 5 (default value value can be changed in the CLI with the extc variable SESSIONAUTH_MAXRETRY extc value set application ‘spcloudpuppet’ variable ‘SESSIONAUTH_MAXRETRY’ value ‘5’ The PIN can be unblocked again when logging in to the UTM itself. | ||
Actions that can only be executed with a PIN:
| |||
Detailed authorizations
| On the UTM under Authorizations, the authorizations of the Unified Security Console for the UTM can be activated On or deactivated Off in detail: | ||
| USC authorization | Description |  |
|---|---|---|
| Status | Allow insight into system and memory utilization via the USC | |
| PIN-protected actions | Allow PIN-protected actions from the USC. These include:
| |
| One-time update | Allow configuration of one-off updates from the USC | |
| Websession | Allow opening a web session to access the UTM configuration interface from the USC | |
| Security Scan | Security Scan zur Aufdeckung von Fehlkonfigurationen aus der USC zulassen | |
| UTM profiles | Allow the use of UTM profiles from the USC. Can be configured more precisely using the following authorizations: | |
| Open | This icon next to UTM-Profile displays the individual UTM profiles tabs, which can then be activated On or deactivated Off
| |
| Cloud-Backup | Allow configuration of cloud backups via the USC | |
| Systemmeldungen | Festlegung des Empfängers von Systemmeldungen über die USC zulassen | |
| DNS-Server | Konfiguration der externen DNS-Server über die USC zulassen | |
| Zeit-Einstellungen | Einstellung von NTP-Server und Zeitzone über die USC zulassen | |
| Administration | Allow aconfiguration of dministrative access via the USC Host name, IP addresses or networks from which the admin station interface of the UTM may be accessed. Configuration on the UTM in the menu Area Adminstration | |
| Systemweite GeoIP Sperrungen | Blockierung von IPs auf Länderbasis über die USC zulassen | |
| Firmware-Updates | Konfiguration von regelmäßigen automatischen Updates über die USC zulassen | |
| TIF (Cyber Defense Cloud) | IP-Zugriffe auf potentiell gefährliche Gegenstelle protokollieren oder blocken über die USC zulassen | |
| Data protection | Allow configuration of the anonymization of UTM applications via the USC | |
| Fail2Ban | Allow configuration of Fail2Ban via the USC | |
| Cloud Shield | Allow configuration of Cloud Shield via the USC | |
Deletes the local Cloud Shield configuration The configuration is normally carried out via the USC to ensure synchronization and should only be carried out here in exceptional cases. If Cloud Shield is to be reactivated, it must be ensured that the authorization is set on the UTM side. A new transfer of the configuration to the UTM must then be triggered in the USC by changing the Cloud Shield or UTM profile. | ||
| VPN configuration (ASC) | Allow the use of VPN configuration profiles from the USC | |
| All VPN configurations for this UTM can be deleted using this button | ||
IP address
notempty
Note
Section Other IPv6 routers in the home network
Also allow IPv6 prefixes to be advertised by other IPv6 routers on the home network ➏
Section DHCPv6 server in home network
Enable DHCPv6 server in FRITZ!Box for the home network: ➐
Save details with button OK ➒ 
Choose option Port sharing
Application Other application
Description Meaningful name
Protocol TCP
Port to device 11115 through Port 11115
Adjust port if necessary under Area Server Settings section web server Administration Web Interface Port: a different port has been configured.
In the Enable sharing section, select the
Internet access via IPv6 option
Finish input with
In the overview confirm entries with OK (see Fig.4 No.⓮) 
The UTM can now be reached via a public IPv6.
After a few minutes, this address is displayed in the selection box for IP addresses in the USC.
An update is strongly recommended for these versions, as they are significantly outdated.
- UTM up to v.12.2.2.8: Update required
The UTM uses an older procedure for the Websession, which is only available until 30.11.2023- The UTM is directly accessible via a local network
- Access data (user name and password) are required
or - The UTM has a public IP If no public IPv4 is available because the UTM is behind a NAT router, a public IPv6 can be assigned via IPv6 prefix delegation.
- UTM up to v12.4.4.1 An update to the latest version is recommended
- The UTM is directly accessible via a local network
- Access data (user name and password) are required
or - The UTM has a public IP If no public IPv4 is available because the UTM is behind a NAT router, a public IPv6 can be assigned via IPv6 prefix delegation.
- UTM v12.5.0
- The UTM is directly accessible via a local network
- Access data (user name and password) are required
or - The UTM has a public IP If no public IPv4 is available because the UTM is behind a NAT router, a public IPv6 can be assigned via IPv6 prefix delegation.
- A PIN is additionally required Deposited on the UTM in the menu USC / box Unified Security Console
Example configuration with a Fritzbox
This section includes descriptions of third-party software and is based on the status at the time this page was created.
Changes to the user interface on the part of the manufacturer are possible at any time and must be taken into account accordingly in the implementation.
All information without warranty.
- Login to the configuration interface (in the default settings at https://192.168.178.1)
- In the network settings for IPv6, the option Enable DHCPv6 server in FRITZ!Box for home network must be selected
- Select suboption Assign DNS server, prefix (IA_PD) and IPv6 address (IA_NA)
Fig.1
USC reaches the UTM with IPv6 via the Fritzbox on LAN1
Fig.2
- Menu Home network ➊ / Network ➋ / Tab Network settings ➍
- at the bottom of the page dropdown menu: More Settings ➍
- Section IP addresses / Button IPv6 settings ➎ (not in picture)
or also IPv6 configuration
Fig.3
Also allow IPv6 prefixes to be advertised by other IPv6 routers on the home network ➏
Enable DHCPv6 server in FRITZ!Box for the home network: ➐
- Activate Assign DNS server, prefix (IA_PD) and IPv6 address (IA_NA). ➑
Fig.4
Required if the UTM and, if necessary, other devices in the local network are to be accessible from outside via IPv6Select device from dropdown menu ➓
Select 'Enter IP address manually' if it is not assigned via DHCP
If desired: enable ping for IPv6 ⓫
Enable Open firewall for delegated IPv6 prefixes of this device option ⓬
Click on the button ⓭
Another dialog opens
Menu 
drPermit AccessPort sharing
Select 'Enter IP address manually' if it is not assigned via DHCP
Another dialog opens
Fig.5
Adjust port if necessary under Area Server Settings section web server Administration Web Interface Port: a different port has been configured.
Internet access via IPv6 option
Fig.6
Check all entries and confirm with .
Configuration on the UTM:
Edit interfaces
UTMuser@firewall.name.fqdnNetzwerkNetzwerkkonfiguration 
External interface
connected to the Internet via NAT router
Typically A0, LAN1 or eth0 - depending on the hardware used
connected to the Internet via NAT router
Menu Area Network Interfaces / Edit External Interface / Tab General
DHCP Client
Router Advertisement: Off
IPv6 Prefix Delegation On
UTMuser@firewall.name.fqdnNetzwerkNetzwerkkonfiguration 
Internal interface
(must be configured for all internal interfaces that are to distribute a public IPv6 address to clients (and thus also receive one themselves).
E.g. A1, LAN2 or eth1 - depending on the used hardware
(must be configured for all internal interfaces that are to distribute a public IPv6 address to clients (and thus also receive one themselves).
Menu Area Network Interfaces / Edit Internal Interface / Tab General
DHCP Client
Router Advertisement: On
IPv6-Adressen vergeben: Ja
IPv6 Prefix Delegation: Off
UTMuser@firewall.name.fqdnNetzwerkNetzwerkkonfiguration 
Add default route
Gateway Type:
Gateway: LAN1
IPv6: On
In order for the IPv6 addresses to be routed, a default route must be added under Area Routing button .
UTMuser@firewall.name.fqdnNetzwerk 
Network configuration with IPv6 prefix delegation
- The external interface should get a dynamic after a short moment. .../64 IPv6 address If there is a 128 address here, the settings in the Fritzbox must be verified
Create network objects and packet filter rules
UTMuser@firewall.name.fqdnFirewallNetzwerkobjekte 
Network object internal_v6
button
Name: internal_network_v6
Type:
Adresse:
Zone:
UTMuser@firewall.name.fqdnFirewallNetzwerkobjekte 
Network object Internet_v6
Name: Internet_v6
Type:
Adresse:
Zone:
For systems set up before v12.4:
UTMuser@firewall.name.fqdnFirewallPaketfilter 
Possible packet filter rule
Source: 
internal_network_v6
Target: internet_v6
Service: 
default-internet
Action:
NAT
After a few minutes, this address is displayed in the selection box for IP addresses in the USC.
- UTM from v.12.5.1:
- The UTM is directly accessible via a local network
- Access data (user name and password) are required
or - A Websession from remote networks is also possible if the UTM does not have a public IP
- The connection is established via the interface on which the default route of the UTM is set up.
- Login with PIN or access data possible Deposited on the UTM in the menu USC / box Unified Security Console
Websession
Websession
| Action: | Description | 
| |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Start new websession | Opens the dialog to start the administrative web interface of the UTM | ||||||||||||||
Websession with PINnotemptyWebsession with PIN (UTM from v12.5.1) | |||||||||||||||
| admin | If there is no user with the name admin, a user with admin rights can be selected here with whom the Websession connection is to be started. |  | |||||||||||||
| _ _ _ _ _ _ | Websession PIN (Configured on the UTM in the menu in the Unified Security Console section After entering the PIN, the Websession can be started directly using ↵ Enter. | ||||||||||||||
| notempty New as of: 1.27 | |||||||||||||||
| Remember PIN for the current session notempty New as of 1.30 |
In this dialogue window it is possible to remember the PIN for this session. If this is activated , the PIN is automatically entered in other dialogues and the slider is no longer displayed. If the PIN is entered incorrectly, it will not be saved. | ||||||||||||||
| The entered PIN is incorrect | After 5 (default value value can be changed in the CLI with the extc variable SESSIONAUTH_MAXRETRY extc value set application ‘spcloudpuppet’ variable ‘SESSIONAUTH_MAXRETRY’ value ‘5’ The PIN can be unblocked again when logging in to the UTM itself. | ||||||||||||||
| Start new websession | Opens the admin interface of the UTM in a new tab of the used browser | ||||||||||||||
Websession with login screennotemptyWebsession with login screen (UTM from v12.5.1) | |||||||||||||||
| The connection is established via the interface on which the default route of the UTM is set up. |  | ||||||||||||||
| As the Websession PIN is deactivated, no automatic login can take place. Access data (user name and password) are required. | |||||||||||||||
| Start new websession | Opens the admin interface of the UTM in a new tab of the used browser | ||||||||||||||
Websession with UTM up to v12.5.0notempty An update to the latest version is recommended
| |||||||||||||||
