search

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

1 Jahrs vor
Kommentare: 0
Ansichten: 174

Before you configure Mobile VPN with SSL, see Plan Your Mobile VPN with SSL Configuration.

Show

In Fireware v12.3 or higher, you can use a wizard or manually configure Mobile VPN with SSL:

  • To use a wizard, see Use a Wizard to Configure the Firebox for Mobile VPN with SSL.
  • To configure Mobile VPN with SSL manually, follow the steps in this topic.

To configure Mobile VPN with SSL, you specify these settings:

  • Firebox IP address or domain name
  • Networking and IP address pool
  • Authentication servers
  • Users and groups
  • Advanced — Authentication, encryption, ports, timers, DNS, and WINS
  • Policies

In Fireware v12.2.1 or lower, you must manually configure Mobile VPN with SSL. A wizard is not available. To manually configure Mobile VPN with SSL in Fireware Web UI v12.2.1 or lower, select VPN > Mobile VPN with SSL. To manually configure Mobile VPN with SSL in Policy Manager v12.2.1 or lower, select VPN > Mobile VPN > SSL.

Configure Firebox IP Address or Domain Name Settings

Configure the IP address or domain name that users connect to.

To manually configure the connection settings, from Fireware Web UI:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Select VPN > Mobile VPN.

  2. To configure a new Mobile VPN with SSL configuration, in the SSL section, click Manually Configure.

  3. To edit an existing configuration, in the SSL section, click Configure.
    The Mobile VPN with SSL Configuration page appears.

  4. Select the Activate Mobile VPN with SSL check box.

  5. In the Primary text box, type a public IP address or domain name.
    This is the IP address or domain name that Mobile VPN with SSL clients connect to by default. This can be an external IP address, secondary external IP address, or external VLAN. For a device in drop-in mode, use the IP address assigned to all interfaces.

You do not have to regenerate the SSL VPN certificate if you change this IP address later. For more information about certificates, see Use Mobile VPN with SSL with an OpenVPN Client.

  1. If your Firebox has more than one external address, in the Backup text box, type a different public IP address.
    This is the IP address that the Mobile VPN with SSL client connects to if it is unable to establish a connection with the primary IP address. If you add a secondary IP address, make sure it is an IP address assigned to a Firebox external interface or VLAN. If you want the Mobile VPN with SSL client to use a secondary IP address, you must also select the Auto reconnect after a connection is lost check box in the Authentication settings, as described in the Authentication section.

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. To configure the networking and IP address pool settings, see the next section in this topic.

To manually configure the connection settings, from Policy Manager:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Select VPN > Mobile VPN > Get Started.

  2. In the SSL section, click Manually Configure.
    The Mobile VPN with SSL Configuration dialog box appears.

  3. Select the Activate Mobile VPN with SSL check box.

  4. In the Primary text box, type or select a public IP address or domain name. This is the IP address or domain name that Mobile VPN with SSL clients connect to by default. This can be an external IP address, secondary external IP address, or external VLAN. For a device in drop-in mode, use the IP address assigned to all interfaces.

You do not have to regenerate the SSL VPN certificate if you change this IP address later. For more information about certificates, see Use Mobile VPN with SSL with an OpenVPN Client.

  1. If your Firebox has more than one external address, in the Backup text box, type or select a different public IP address.
    This is the IP address that the Mobile VPN with SSL client connects to if it is unable to establish a connection with the primary IP address. If you add a backup IP address, make sure it is an IP address assigned to a Firebox external interface or VLAN. If you want the Mobile VPN with SSL client to use a backup IP address, you must also select the Auto reconnect after a connection is lost check box in the Authentication settings.

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

Configure Networking Settings

Configure the network resources that Mobile VPN with SSL clients can use.

To configure the networking settings, from Fireware Web UI:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. In the Networking and IP address pool section, from the drop-down list, select the method the Firebox uses to send traffic through the VPN tunnel:

    • Select Bridge VPN Traffic to bridge SSL VPN traffic to a network you specify. When you select this option, you cannot filter traffic between the SSL VPN users and the network that the SSL VPN traffic is bridged to.
    • Select Routed VPN Traffic to route VPN traffic to specified networks and resources. This is the default for all Fireboxes.

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Select or clear the Force all client traffic through the tunnel check box.

    • To route all traffic from the VPN client to your private network and to the Internet through the tunnel, select Force all client traffic through tunnel.
      This option sends all external traffic through the Firebox policies you create and offers consistent security for mobile users. However, because it requires more Firebox processing power, access to Internet resources can be very slow for mobile users.
      For information about how to allow clients to access the Internet when this option is selected, see Options for Internet Access Through a Mobile VPN with SSL Tunnel.

    • To route only traffic from the VPN client to your private networks through the tunnel, clear the Force all client traffic through tunnel check box.
      This option gives your users better network speeds by only routing traffic to private network resources through the Firebox. Other traffic to the Internet does not go through the tunnel and is not restricted by the policies on your Firebox.

      1. To allow access to all internal networks, select Allow access to all Trusted, Optional, and Custom networks.
      2. To restrict Mobile VPN with SSL client access to only specified devices on your private network, select Specify allowed resources. To specify an allowed resource, type the IP address of the network resource in slash notation and click Add.

To configure the networking settings, from Policy Manager:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. In the Networking and IP Address Pool section, from the drop-down list, select one of these options:

    1. Routed VPN Traffic — To route VPN traffic to specified networks and resources. This is the default option.
    2. Bridge VPN Traffic — To bridge SSL VPN traffic to a network you specify. Tip!

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Select one of these options:

    1. To route all traffic from the VPN client to your private network and to the Internet through the tunnel, select Force all client traffic through tunnel. Tip!
    2. To route only traffic from the VPN client to your private networks through the tunnel, clear the Force all client traffic through tunnel check box.

  2. If you cleared the Force all client traffic through tunnel check box, select one of these options:

    1. To allow access to all internal networks, select Allow access to all Trusted, Optional, and Custom networks.
    2. To restrict Mobile VPN with SSL client access to only specified devices on your private network, select Specify allowed resources. To specify an allowed resource, type the IP address of the network resource in slash notation and click Add.

Configure the Virtual IP Address Pool

When you configure Mobile VPN with SSL, you must specify a virtual IP address pool for VPN clients.

Follow these best practices:

  • Make sure that the virtual IP address pool does not overlap with any other IP addresses in the Firebox configuration.
  • Make that the virtual IP address pool does not overlap with networks protected by the Firebox, any network accessible through a route or BOVPN, or with IP addresses assigned by DHCP to a device behind the Firebox.
  • If your company has multiple sites with mobile VPN configurations, make sure each site has a virtual IP address pool for mobile VPN clients that does not overlap with pools at other sites.
  • Do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 for mobile VPN virtual IP address pools. These ranges are commonly used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you Migrate to a New Local Network Range.
  • If FireCluster is enabled, the virtual IP address pool cannot be on the same subnet as a primary cluster IP address.

By default, the BOVPN over TLS server assigns addresses in the 192.168.113.0/24 pool to BOVPN over TLS clients. Mobile VPN with SSL also uses the 192.168.113.0/24 pool by default. If BOVPN over TLS in Client mode and Mobile VPN with SSL are both enabled on the same Firebox, you must specify a different IP address pool for one of these features. If both features use the same IP address pool, BOVPN over TLS traffic is not sent through the tunnel correctly.

To configure the virtual IP address pool, from Fireware Web UI:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

Routed VPN traffic

  1. For the virtual IP address pool, keep the default setting of 192.168.113.0/24 or enter a different range.
  2. Type the IP address of the subnet in slash notation. IP addresses from this subnet are automatically assigned to Mobile VPN with SSL client connections. You cannot assign an IP address to a specific user.

Bridge VPN traffic

  1. From the Bridge to interface drop-down list, select the name of the interface to bridge to. You can bridge VPN traffic only to a LAN bridge.

For more information, see Plan Your Mobile VPN with SSL Configuration.

  1. In the Start and End text boxes, type the IP addresses in the range that you want to assign to Mobile VPN with SSL client connections. The Start and End IP addresses must be on the same subnet as the bridged interface.
    For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.

To configure the virtual IP address pool, from Policy Manager:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

Routed VPN traffic

For the Virtual IP Address Pool, keep the default setting of 192.168.113.0/24 or enter a different range.

Bridge VPN traffic

  1. From the Bridge to interface drop-down list, select the name of the interface to bridge to. You can bridge VPN traffic only to a LAN bridge.

For more information, see Plan Your Mobile VPN with SSL Configuration.

  1. In the Start and End text boxes, type the first and last IP addresses in the range that you want to assign to Mobile VPN with SSL client connections. When you bridge VPN traffic to a LAN bridge, the Start and End IP addresses must be on the same subnet as the bridged interface.

For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.

Configure Authentication Server Settings

Next, you must configure the authentication server settings. You can select one or more configured authentication servers to use. The server at the top of the list is the default server. The default server is used for authentication if users do not specify the authentication server or domain in the Mobile VPN with SSL client.

In Fireware v12.7 or higher, you can configure the Firebox to forward authentication requests for SSL VPN users directly to AuthPoint. After you configure the required settings in AuthPoint, AuthPoint appears in the authentication server list on the Firebox. In the Mobile VPN with SSL configuration, you must select AuthPoint as an authentication server. This integration supports the WatchGuard Mobile VPN with SSL client (v12.7 or higher only) and the OpenVPN client. For more information, see Plan Your Mobile VPN with SSL Configuration and Firebox Mobile VPN with SSL Integration with AuthPoint.

In Fireware v12.1.x, authentication server settings shared by the Access Portal and Mobile VPN over SSL appear on a page named VPN Portal. In Fireware v12.2, the VPN Portal settings were moved to the Access Portal and Mobile VPN with SSL configurations. For Mobile VPN with SSL configuration instructions that apply to Fireware v12.1.x, see Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.

To select or add authentication servers, from Fireware Web UI:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. On the Mobile VPN with SSL page, select the Authentication tab.

  2. From the Authentication Server drop-down list, select an authentication server you want to use for Mobile VPN with SSL user authentication.
    Only enabled authentication method servers and domains are listed. For information about supported authentication methods, see Authentication Server Types.

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Click Add.

  2. Repeat Steps 2–3 to add more authentication servers.

  3. If you add multiple authentication servers, select the server you want to be the default server. Click Move Up to move that server to the top of the list.
    Mobile VPN with SSL uses the default authentication server unless a user specifies an authentication server in the Username text box on the Mobile VPN with SSL client.

  4. To add users and groups, see the next section in this topic.

If you configure Mobile VPN with SSL to use more than one authentication server, users who do not use the default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Download, Install, and Connect the Mobile VPN with SSL Client.

To select or add authentication servers, from Policy Manager:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. In the Mobile VPN with SSL Configuration dialog box, select the Authentication tab.

  2. Click Configure.
    For information about supported authentication methods, see Authentication Server Types.

  3. To select an authentication server that is already configured on your Firebox, select the check box for that server.

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. If you add multiple authentication servers, select the server you want to be the default server. Click Make Default to move that server to the top of the list.
    Mobile VPN with SSL uses the default authentication server unless a user specifies an authentication server in the Username text box on the Mobile VPN with SSL client.

  2. If you want the Mobile VPN with SSL client to be able to automatically reconnect, select Auto reconnect after a connection is lost.
    If you enable this option, mobile users can select a check box on the Mobile VPN with SSL client to control whether the client automatically reconnects. You must also enable this option if you want the client to automatically use the secondary IP address when it cannot connect to the primary IP address. By default, the keep-alive interval is 10 seconds, and the keep-alive timeout is 60 seconds.

  3. To require users to authenticate after a Mobile VPN with SSL connection is disconnected, select the Force users to authenticate after a connection is lost check box .
    We recommend that you select this check box if you use a two-factor authentication method with a one-time password, such as RADIUS or SecurID. If you do not force users to authenticate after a connection is lost, the automatic connection attempt can fail. This is because the Mobile VPN with SSL client tries to use the one-time password the user originally entered, which is no longer correct, to automatically reconnect after a connection is lost.

  4. If you want the Mobile VPN with SSL client to be able to remember the password, select the Allow the Mobile VPN with SSL client to remember password check box.
    If you enable this option, the mobile user can select a check box in the Mobile VPN with SSL client to control whether the client remembers the password.

  5. To add users and groups, see the next section in this topic.

If you configure Mobile VPN with SSL to use more than one authentication server, users who do not use the default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Download, Install, and Connect the Mobile VPN with SSL Client.

Add Users and Groups

You can use the default SSLVPN-Users group for authentication, or you can add the names of users and groups that exist on your authentication server.

The SSLVPN-Users group is added by default. You can add the names of other groups and users that use Mobile VPN with SSL. For each group or user, you can select a specific authentication server where the group exists or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case-sensitive and must exactly match the name on your authentication server.

Make sure you create a group on the server that has the same name as the name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with SSL. For more information, see Configure the External Authentication Server.

When you save the Mobile VPN with SSL configuration, the Allow SSLVPN-Users policy is created or updated to apply to the groups and users you configured for authentication. The group and user names you added do not appear in the From list in the Allow SSLVPN-Users policy. Instead, the single group name SSLVPN-Users appears. However, this policy does apply to all users and groups you configured in the Mobile VPN with SSL authentication settings.

If you disable Mobile VPN with SSL, the Allow SSLVPN-Users policy and the SSLVPN-Users group are automatically removed.

To add users and groups to the Mobile VPN with SSL configuration, from Fireware Web UI:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. In the Mobile VPN with SSL page, select the Authentication tab.
    The Authentication settings appear.

  2. In the Users and Groups section, from the Create new drop-down list, select an authentication server.

  3. From the adjacent drop-down list, select User or Group.

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Click Add.
    If you selected Firebox-DB, the Firebox User or Firebox Group dialog box appears.
    If you selected Any, the Add User or Group dialog box appears.

  2. To add a new Firebox-DB user, follow Steps 6–14 in the Define a New User for Firebox Authentication topic.

  3. To add a new Firebox-DB group, follow Steps 4–9 in the Define a New Group for Firebox Authentication topic.

  4. To add new users and groups for third-party authentication, follow Steps 4–9 in the Use Users and Groups in Policies topic.

  5. (Optional) In Fireware v12.5.4 or higher, to enable Host Sensor Enforcement for a group, select the check box for that group and then select Yes.
    To disable Host Sensor Enforcement for a group, select the check box for that group and then select No. For more information, see About TDR Host Sensor Enforcement.

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. If you want the Mobile VPN with SSL client to be able to automatically reconnect, select Auto reconnect after a connection is lost. If you enable this option, mobile users can select a check box on the Mobile VPN with SSL client to control whether the client automatically reconnects. You must also enable this option if you want the client to automatically use the secondary IP address when it cannot connect to the primary IP address.

  2. To require users to authenticate after a Mobile VPN with SSL connection is disconnected, select the Force users to authenticate after a connection is lost check box . We recommend that you select this check box if you use a two-factor authentication method with a one-time password, such as RADIUS or SecurID. If you do not force users to authenticate after a connection is lost, the automatic connection attempt can fail. This is because the Mobile VPN with SSL client tries to use the one-time password the user originally entered, which is no longer correct, to automatically reconnect after a connection is lost.

  3. If you want the Mobile VPN with SSL client to be able to remember the password, select the Allow the Mobile VPN with SSL client to remember password check box. If you enable this option, the mobile user can select a check box in the Mobile VPN with SSL client to control whether the client remembers the password.

To add users and groups to the Mobile VPN with SSL configuration, from Policy Manager:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Select Setup > Authentication >Users and Groups.

  2. Click New.

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Select Firebox-DB User/Group or External User/Group.
    If you selected Firebox-DB User/Group, the Authentication Servers dialog box Firebox-DB tab appears.
    If you selected External User/Group, the Add User or Group dialog box appears.

  2. To add a new Firebox-DB user, follow Steps 5–14 in the Define a New User for Firebox Authentication topic.

  3. To add a new Firebox-DB group, follow Steps 4–9 in the Define a New Group for Firebox Authentication topic.

  4. To add new users and groups for third-party authentication, follow Steps 4–11 in the Use Users and Groups in Policies topic.

  5. (Optional) In Fireware v12.5.4 or higher, to enable Host Sensor Enforcement for a group, select the check box for that group and then select the Host Sensor Enforcement check box. To disable Host Sensor Enforcement for a group, select the check box for that group and then clear the Host Sensor Enforcement check box. For more information, see About TDR Host Sensor Enforcement.

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

Configure Advanced Settings for Mobile VPN with SSL

You can configure these settings on the Advanced tab:

  • Authentication and encryption
  • Ports
  • Timers
  • DNS and WINS

The authentication and encryption settings changed to stronger defaults in Fireware v12.0. Settings for Blowfish, MD5, and DES were removed.

To configure the advanced settings, from Fireware Web UI:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Select VPN > Mobile VPN with SSL.
    The Mobile VPN with SSL Configuration page appears.

  2. Select the Advanced tab.

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Configure the authentication, encryption, port, and timeout settings:

Authentication

Select an authentication method for the connection: SHA-1, SHA-256, or SHA-512. We recommend the SHA-2 variants, SHA-256 and SHA-512, which are stronger than SHA-1.

Encryption

Select an algorithm to encrypt the traffic: 3DES, AES (128-bit), AES (192-bit), or AES (256-bit). In Fireware v12.2 or higher, you can also select AES-GCM (128-bit), AES-GCM (192-bit), or AES-GCM (256-bit). We recommend AES encryption. For the best performance, choose a 128-bit AES variant. For the strongest encryption, choose a 256-bit AES variant.

If you select 3DES, be aware of a potential, but unlikely, security attack. For more information, see Sweet32 Vulnerability in the WatchGuard Knowledge Base.

Data channel

Select the protocol and port that Mobile VPN with SSL uses to send data after a VPN connection is established. You can use the TCP or UDP protocol. The default protocol and port for Mobile VPN with SSL is TCP port 443. This is also the standard protocol and port for HTTPS traffic. You can use port 443 for Mobile VPN with SSL as long as you do not use the same external IP address in an incoming HTTPS policy.

If you change the data channel to use a port other than 443, users must manually type this port in the Mobile VPN with SSL connection dialog box. For example, if you change the data channel port to 444, and the Firebox IP address is 203.0.113.2, users must type 203.0.113.2:444 instead of 203.0.113.2.

If the port is set to the default 443, users must only type the IP address of the Firebox. It is not necessary to type :443 after the IP address.

For more information, see Choose the Port and Protocol for Mobile VPN with SSL.

Mobile VPN with SSL does not support a UDP data channel for VPN connections to a secondary external interface IP address.

Configuration channel

The Configuration Channel specifies the channel where Mobile VPN with SSL users can download SSL client software.

Select the protocol and port that Mobile VPN with SSL uses to negotiate the data channel and to download configuration files. If you set the data channel protocol to TCP, the configuration channel automatically uses the same port and protocol. If you set the data channel protocol to UDP, you can set the configuration channel protocol to TCP or UDP, and you can use a different port than the data channel.

In Fireware v12.1.x, the Configuration Channel appears in the VPN Portal settings and is named the VPN Portal port. For configuration instructions that apply to Fireware v12.1.x, see Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.

Keep-Alive Interval

Specify how often the Firebox sends traffic through the tunnel to keep the tunnel active when there is no other traffic sent through the tunnel. The default value is 10 seconds.

Keep-Alive Timeout

Specify how long the Firebox waits for a response. If there is no response before the timeout value, the tunnel is closed and the client must reconnect. The default value is 60 seconds.

Renegotiate Data Channel

If a Mobile VPN with SSL connection has been active for the amount of time specified in the Renegotiate Data Channel text box, the Mobile VPN with SSL client must create a new tunnel. The minimum value is 60 minutes. The default value is 480 minutes.

  1. Configure the DNS settings:

In Fireware v12.2.1 or higher, you can assign or not assign the Network (global) DNS/WINS settings to Mobile VPN with SSL clients.

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53 in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53 as a DNS server.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, mobile clients do not receive DNS or WINS settings from the Firebox.

If your Mobile VPN with SSL configuration does not specify DNS settings, when you upgrade to Fireware v12.2.1, the Do not assign DNS or WINS settings to mobile clients option is selected.

Assign these settings to mobile clients

If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.

You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.

For more information on DNS and WINS, see Name Resolution for Mobile VPN with SSL.

In Fireware v12.2 or lower, you can specify a domain name, DNS server settings, and WINS server settings, but you cannot select to assign or not assign the Network (global) DNS/WINS settings to Mobile VPN with SSL clients.

To configure the advanced settings, from Policy Manager:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Select VPN > Mobile VPN > SSL.

    The Mobile VPN with SSL Configuration dialog box appears.

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Select the Advanced tab.
  2. Configure the authentication, encryption, port, and timeout settings:

Authentication

Select an authentication method for the connection: SHA-1, SHA-256, and SHA-512. We recommend the SHA-2 variants, SHA-256 and SHA-512, which are stronger than SHA-1.

Encryption

Select an algorithm to encrypt the traffic: 3DES, AES (128-bit), AES (192-bit), or AES (256-bit). In Fireware v12.2 or higher, you can also select AES-GCM (128-bit), AES-GCM (192-bit), or AES-GCM (256-bit). We recommend AES encryption. For the best performance, choose a 128-bit AES variant. For the strongest encryption, choose a 256-bit AES variant.

If you select 3DES, be aware of a potential, but unlikely, security attack. For more information, see Sweet32 Vulnerability in the WatchGuard Knowledge Base.

Data channel

Select the protocol and port that Mobile VPN with SSL uses to send data after a VPN connection is established. You can use the TCP or UDP protocol. The default protocol and port for Mobile VPN with SSL is TCP port 443. This is also the standard protocol and port for HTTPS traffic. You can use port 443 for Mobile VPN with SSL as long as you do not use the same external IP address in an incoming HTTPS policy.

If you change the data channel to use a port other than 443, users must manually type this port in the Mobile VPN with SSL connection dialog box. For example, if you change the data channel port to 444, and the Firebox IP address is 203.0.113.2, users must type 203.0.113.2:444 instead of 203.0.113.2.

If the port is set to the default 443, users must only type the IP address of the Firebox. It is not necessary to type :443 after the IP address.

For more information, see Choose the Port and Protocol for Mobile VPN with SSL.

Mobile VPN with SSL does not support a UDP data channel for VPN connections to a secondary external interface IP address.

Configuration channel

The Configuration Channel specifies the channel where Mobile VPN with SSL users can download SSL client software.

Select the protocol and port that Mobile VPN with SSL uses to negotiate the data channel and to download configuration files. If you set the data channel protocol to TCP, the configuration channel automatically uses the same port and protocol. If you set the data channel protocol to UDP, you can set the configuration channel protocol to TCP or UDP, and you can use a different port than the data channel.

In Fireware v12.1.x, the Configuration Channel appears in the VPN Portal settings and is named the VPN Portal port. For configuration instructions that apply to Fireware v12.1.x, see Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.

Keep-alive Interval

Specify how often the Firebox sends traffic through the tunnel to keep the tunnel active when there is no other traffic sent through the tunnel.

Keep-alive Timeout

Specify how long the Firebox waits for a response. If there is no response before the timeout value, the tunnel is closed and the client must reconnect.

Renegotiate Data Channel

If a Mobile VPN with SSL connection has been active for the amount of time specified in the Renegotiate Data Channel text box, the Mobile VPN with SSL client must create a new tunnel. The minimum value is 60 minutes.

Restore Defaults

Click to reset the Advanced tab settings to their default values. All DNS and WINS server information on the Advanced tab is deleted.

  1. Configure the DNS settings:

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53 in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53 as a DNS server.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, mobile clients do not receive DNS or WINS settings from the Firebox.

If your Mobile VPN with SSL configuration does not specify DNS settings, when you upgrade to Fireware v12.2.1, the Do not assign DNS or WINS settings to mobile clients option is selected.

Assign these settings to mobile clients

If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.

You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.

For more information on DNS and WINS, see Name Resolution for Mobile VPN with SSL.

In Fireware v12.2 or lower, you can specify a domain name, DNS server settings, and WINS server settings, but you cannot select to assign or not assign the Network (global) DNS/WINS settings to Mobile VPN with SSL clients.

Configure Policies to Control Mobile VPN with SSL Client Access

When you enable Mobile VPN with SSL, policies to allow Mobile VPN with SSL client access are automatically created. You can change these policies to control Mobile VPN with SSL client access.

WatchGuard SSLVPN policy

This SSLVPN policy allows connections from a Mobile VPN with SSL client to the Firebox. This policy allows traffic from any host on the specified interfaces to any configured primary or secondary interface IP address of your Firebox on TCP port 443 (the port and protocol the Firebox uses for Mobile VPN with SSL).

These interfaces are included in the WatchGuard SSLVPN policy by default:

  • In Fireware v12.1 and higher, the WatchGuard SSLVPN policy includes only the Any-External interface by default.
  • In Fireware v12.0.2 and lower, the WatchGuard SSLVPN policy includes the Any-External, Any-Optional, and Any-Trusted interfaces by default.

If you want this policy to allow TCP port 443 connections only to a specific interface IP address, edit the To section of the policy to remove the Firebox alias and add the external IP address that your Mobile VPN with SSL clients use to connect.

In Fireware v12.1.x, the WatchGuard SSLVPN policy includes the WG-VPN-Portal alias. If you upgrade from v12.1.x to v12.2 or higher, the WG-VPN-Portal alias is removed from the WatchGuard SSLVPN policy. Interfaces that appeared in the WG-VPN-Portal alias appear in the WatchGuard SSLVPN policy, which means the policy matches the same traffic. For more information, see WatchGuard SSLVPN policy changes and the WG-VPN-Portal alias in Fireware v12.1.x in the WatchGuard Knowledge Base.

In Fireware v12.1 or higher, if you delete the WatchGuard SSLVPN policy and create a custom policy with a different name, Mobile VPN with SSL does not function if the Data Channel protocol is configured for TCP.

Allow SSLVPN-Users policy

This Any policy allows the groups and users you configure for SSL authentication to access resources on your network. This policy automatically includes all users and groups in your Mobile VPN with SSL configuration. It has no restrictions on the traffic that it allows from SSL clients to network resources protected by the Firebox.

To restrict VPN user traffic by port and protocol, you can disable or delete the Allow SSLVPN-Users policy. Then, add new policies to your configuration or add the group with Mobile VPN with SSL access to the From section of your existing policies.

All Mobile VPN with SSL traffic is untrusted by default. Even if you assign Mobile VPN with SSL users IP addresses on the same subnet as a trusted network, the traffic from the Mobile VPN with SSL user is not considered trusted. Regardless of assigned IP address, you must create policies to allow Mobile VPN with SSL users access to network resources.

WatchGuard Authentication policy

This policy is not created automatically when you enable Mobile VPN with SSL. For more information about this policy, see About the WatchGuard Authentication (WG-Auth) Policy.

To download the Mobile VPN with SSL client software, users authenticate with the Firebox on port 443, or on a custom port that you specify.

Allow Mobile VPN with SSL Users to Access a Trusted Network

In this example, you add an Any policy that allows members in the SSLVPN-Users group to get full access to resources on all trusted networks.

From Fireware Web UI:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Select Firewall > Firewall Policies.
    The Policies page appears.

  2. Click Add Policy.

  3. From the Packet Filter drop-down list, select Any.

  4. In the Name text box, type a descriptive name for the policy.

  5. Click Add Policy.

  6. On the Settings tab, in the From section, select Any-Trusted. Click Remove.

  7. In the From section, click Add.
    The Add Member dialog box appears.

  8. From the Member Type drop-down list, select SSLVPN Group.

  9. Select SSLVPN-Users.

  10. To close the Add Member dialog box, click OK.

  11. In the To section, select Any-External. Click Remove.

  12. In the To section, click Add.
    The Add Member dialog box appears.

  13. From the member list, select Any-Trusted.

  14. Click OK.

  15. Click Save.

From Policy Manager:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Click

    For domain-joined computers, what is the simplest way to configure vpn connections automatically?
    .
    Or, select Edit > Add Policies.
    The Add Policies dialog box appears.

  2. Expand the Packet Filters folder.
    A list of templates for packet filters appears.

  3. Select Any.

  4. Click Add.
    The New Policy Properties dialog box opens.

  5. In the Name text box, type a descriptive name for the policy.

  6. On the Policy tab, in the From section, select Any-Trusted. Click Remove.

  7. In the From section, click Add.
    The Add Address dialog box appears.

  8. Click Add User.

  9. From the two Type drop-down lists, select SSL VPN for the first list and Group for the second list.

  10. Select SSLVPN-Users. Click Select.
    The name of the authentication method appears in parentheses after SSLVPN-Users.

  11. To close the Add Address dialog box, click OK.

  12. In the To section, select Any-External. Click Remove.

  13. In the To section, click Add.
    The Add Address dialog box appears.

  14. From the Available Members list, select Any-Trusted. Click Add.

  15. Click OK twice. Click Close.

  16. Save the changes to the Firebox.

For more information on policies, see Add Policies to Your Configuration.

Use Other Groups or Users in a Mobile VPN with SSL Policy

To make a Mobile VPN with SSL connection, users must be members of the SSLVPN-Users group or any group you added to the Mobile VPN with SSL configuration. You can use policies with other groups to restrict access to resources after the user connects. If you added groups from a third-party authentication server in your Mobile VPN with SSL configuration, and you want to use those group names in policies to restrict access, you must also add those groups to the Users and Groups list in the Firebox configuration.

To set up Users and Groups, from Fireware Web UI:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Select Authentication > Users and Groups.
  2. Add users and groups, as described in Use Users and Groups in Policies.

After you add users or groups from the Mobile VPN with SSL configuration to the Users and Groups list, you can edit the automatically generated Allow SSLVPN-Users policy to apply to a specific group or user.

In this example, we modify the Allow SSLVPN-Users policy to apply to only the user group LDAP-Users1:

  1. Select Authentication > Users and Groups.

  2. Add the LDAP-Users1 group that you added to the Mobile VPN with SSL configuration.
    Make sure to set the Auth Server to LDAP.

  3. Edit the Allow SSLVPN-Users policy.

  4. In the From section, select the SSLVPN-Users group. Click Remove.

  5. In the From section, click Add.
    The Add Member dialog box appears.

  6. From the Member Type drop-down list, select SSLVPN Group.
    A list of groups appears.

  7. Select the LDAP-Users1 group. Click OK.
    The LDAP-Users1 group appears in the From list.

  8. Click OK.
    The Allow SSLVPN-Users policy now applies only to the LDAP-Users1 group.

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

To set up Users and Groups, from Policy Manager:

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. Select Setup > Authentication > Users and Groups.
  2. Add users and groups, as described in Use Users and Groups in Policies.

After you add users or groups from the Mobile VPN with SSL configuration to the Users and Groups list, you can edit the automatically generated Allow SSLVPN-Users policy to apply to a specific group or user.

In this example, we modify the Allow SSLVPN-Users policy to apply to only the user group LDAP-Users1:

  1. Select Setup > Authentication > Users and Groups.

  2. Add the LDAP-Users1 group that you added to the Mobile VPN with SSL configuration.
    Make sure you set the Auth Server to LDAP.

  3. Edit the Allow SSLVPN-Users policy.

  4. In the From section, select the SSLVPN-Users group. Click Remove.

  5. In the From section, click Add.
    The Add Address dialog box appears.

  6. Select Add Other.
    The Add Member dialog box appears.

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

  1. From the Choose Type drop-down list, select Custom Address.

  2. From the User/Group drop-down list, select the LDAP-Users1 group. Click OK.
    The LDAP-Users1 group appears in the Selected Members and Addresses list.

  3. Click OK.
    The Allow SSLVPN-Users policy now applies only to the LDAP-Users1 group.

For domain-joined computers, what is the simplest way to configure vpn connections automatically?

See Also

Download, Install, and Connect the Mobile VPN with SSL Client

Uninstall the Mobile VPN with SSL Client

Video tutorial — Mobile VPN with SSL

SSL/TLS Settings Precedence and Inheritance

DNS and Mobile VPNs

Troubleshoot Mobile VPN with SSL

Which automated method for VPN connection deployment would work best for users who are not domain joined?

Which automated method for VPN connection deployment would work best for users that are not domain joined? EAP is a framework for implementing authentication protocols rather than an authentication protocol.

What is the preferred method to configure clients to use work folders?

There are several ways to configure clients for accessing Work Folders. Automatic discovery is the most preferred method because it supports devices that are not domain joined. Automatic discovery of the Work Folders URL is based on the email address of the user.

What is used to prevent users to connecting to remote desktop?

Restrict access using firewalls Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389). Using an RDP Gateway is highly recommended for restricting RDP access to desktops and servers (see discussion below).

Which VPN protocol supports the VPN Reconnect feature?

VPN Reconnect works by using the following protocols: IPsec tunnel mode using Encapsulating Security Payload (ESP) for secure transmission. IKEv2 for key negotiation and MOBIKE for switching the tunnel endpoints when interfaces change.

domain-joined computers simplest configure vpn connections automatically

zusammenhängende Posts

Organizations are typically joined because of some tangible benefit which people expect to receive.
Organizations are typically joined because of some tangible benefit which people expect to receive.

Which part of the computers IP address configuration indicates the portion of the address that specifies the network ID?
Which part of the computers IP address configuration indicates the portion of the address that specifies the network ID?

What is designed to connect a group of computers and proximity to each other such as an office building a school or home quizlet?
What is designed to connect a group of computers and proximity to each other such as an office building a school or home quizlet?

What is designed to connect a group of computers in close proximity to each other such as in an office building a school or a home?
What is designed to connect a group of computers in close proximity to each other such as in an office building a school or a home?

In the context of domain theory, moral rules are widely accepted, somewhat impersonal, and
In the context of domain theory, moral rules are widely accepted, somewhat impersonal, and

Which of the following is a Windows programming interface that allows computers to communicate across a local area network?
Which of the following is a Windows programming interface that allows computers to communicate across a local area network?

In the dns hierarchy, which portion of the web address below denotes the top-level domain?
In the dns hierarchy, which portion of the web address below denotes the top-level domain?

What type of network is defined by two computers that can both send and receive requests for resources Enterprise peer
What type of network is defined by two computers that can both send and receive requests for resources Enterprise peer

What is the name given to hardware devices that can be connected to the computer but are not essential to a computers function?
What is the name given to hardware devices that can be connected to the computer but are not essential to a computers function?

How would the demand for computer software be affected by an increase in price of computers?
How would the demand for computer software be affected by an increase in price of computers?

Werbung

NEUESTEN NACHRICHTEN

What delivers applications over the cloud using a pay-per-use revenue model?
1 Jahrs vor . durch AsceticTranslation
What processes convert data into information and information into knowledge?
1 Jahrs vor . durch CorruptSolicitation
Fuß umgeknickt keine Schwellung aber Schmerzen was tun
1 Jahrs vor . durch TraceableMeasurement
What can decrease the effectiveness of an mbo (management by objectives) system?
1 Jahrs vor . durch HomesickDumps
Wie viel kostet ein normales Ohrloch stechen?
1 Jahrs vor . durch PitchedContents
Ein Colt für alle Fälle Klingelton Android
1 Jahrs vor . durch MonumentalShaving
Gemeinschaft entwässerung wer ist für zuständig
1 Jahrs vor . durch BarbaricCorrelation
Was ist der unterschied zwischen einem boot und einem schiff
1 Jahrs vor . durch HelluvaNuisance
Wann geht es weiter mit Outpost?
1 Jahrs vor . durch TumblingVariation
Wer ist bei lets danz faisal
1 Jahrs vor . durch SkilledStoryteller

Werbung

Populer

Werbung

Um

Legal

Hilfe

Sozial

homeendefrkoptzhitthjphi
Urheberrechte © © 2024 nguoilontuoi Inc.