Before you configure Mobile VPN with SSL, see Plan Your Mobile VPN with SSL Configuration.
In Fireware v12.3 or higher, you can use a wizard or manually configure Mobile VPN with SSL:
To configure Mobile VPN with SSL, you specify these settings:
In Fireware v12.2.1 or lower, you must manually configure Mobile VPN with SSL. A wizard is not available. To manually configure Mobile VPN with SSL in Fireware Web UI v12.2.1 or lower, select VPN > Mobile VPN with SSL. To manually configure Mobile VPN with SSL in Policy Manager v12.2.1 or lower, select VPN > Mobile VPN > SSL.
Configure Firebox IP Address or Domain Name Settings
Configure the IP address or domain name that users connect to. To manually configure the connection settings, from Fireware Web UI:
You do not have to regenerate the SSL VPN certificate if you change this IP address later. For more information about certificates, see Use Mobile VPN with SSL with an OpenVPN Client.
To manually configure the connection settings, from Policy Manager:
You do not have to regenerate the SSL VPN certificate if you change this IP address later. For more information about certificates, see Use Mobile VPN with SSL with an OpenVPN Client.
Configure Networking Settings
Configure the network resources that Mobile VPN with SSL clients can use. To configure the networking settings, from Fireware Web UI:
To configure the networking settings, from Policy Manager:
Configure the Virtual IP Address Pool
When you configure Mobile VPN with SSL, you must specify a virtual IP address pool for VPN clients. Follow these best practices:
By default, the BOVPN over TLS server assigns addresses in the 192.168.113.0/24 pool to BOVPN over TLS clients. Mobile VPN with SSL also uses the 192.168.113.0/24 pool by default. If BOVPN over TLS in Client mode and Mobile VPN with SSL are both enabled on the same Firebox, you must specify a different IP address pool for one of these features. If both features use the same IP address pool, BOVPN over TLS traffic is not sent through the tunnel correctly.
To configure the virtual IP address pool, from Fireware Web UI:
Routed VPN traffic
Bridge VPN traffic
For more information, see Plan Your Mobile VPN with SSL Configuration.
To configure the virtual IP address pool, from Policy Manager:
Routed VPN traffic
For the Virtual IP Address Pool, keep the default setting of 192.168.113.0/24 or enter a different range.
Bridge VPN traffic
For more information, see Plan Your Mobile VPN with SSL Configuration.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
Configure Authentication Server Settings
Next, you must configure the authentication server settings. You can select one or more configured authentication servers to use. The server at the top of the list is the default server. The default server is used for authentication if users do not specify the authentication server or domain in the Mobile VPN with SSL client.
In Fireware v12.7 or higher, you can configure the Firebox to forward authentication requests for SSL VPN users directly to AuthPoint. After you configure the required settings in AuthPoint, AuthPoint appears in the authentication server list on the Firebox. In the Mobile VPN with SSL configuration, you must select AuthPoint as an authentication server. This integration supports the WatchGuard Mobile VPN with SSL client (v12.7 or higher only) and the OpenVPN client. For more information, see Plan Your Mobile VPN with SSL Configuration and Firebox Mobile VPN with SSL Integration with AuthPoint.
In Fireware v12.1.x, authentication server settings shared by the Access Portal and Mobile VPN with SSL appear on a page named VPN Portal. In Fireware v12.2, the VPN Portal settings were moved to the Access Portal and Mobile VPN with SSL configurations. For Mobile VPN with SSL configuration instructions that apply to Fireware v12.1.x, see Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.
To select or add authentication servers, from Fireware Web UI:
If you configure Mobile VPN with SSL to use more than one authentication server, users who do not use the default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Download, Install, and Connect the Mobile VPN with SSL Client.
To select or add authentication servers, from Policy Manager:
If you configure Mobile VPN with SSL to use more than one authentication server, users who do not use the default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Download, Install, and Connect the Mobile VPN with SSL Client.
Add Users and Groups
You can use the default SSLVPN-Users group for authentication, or you can add the names of users and groups that exist on your authentication server. The SSLVPN-Users group is added by default. You can add the names of other groups and users that use Mobile VPN with SSL. For each group or user, you can select a specific authentication server where the group exists or select Any if that group exists on more than one authentication server.
The group or user name you add must exist on the authentication server. The group and user names are case-sensitive and must exactly match the name on your authentication server. Make sure you create a group on the server that has the same name as the name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with SSL. For more information, see Configure the External Authentication Server.
When you save the Mobile VPN with SSL configuration, the Allow SSLVPN-Users policy is created or updated to apply to the groups and users you configured for authentication. The group and user names you added do not appear in the From list in the Allow SSLVPN-Users policy. Instead, the single group name SSLVPN-Users appears. However, this policy does apply to all users and groups you configured in the Mobile VPN with SSL authentication settings. If you disable Mobile VPN with SSL, the Allow SSLVPN-Users policy and the SSLVPN-Users group are automatically removed.
To add users and groups to the Mobile VPN with SSL configuration, from Fireware Web UI:
To add users and groups to the Mobile VPN with SSL configuration, from Policy Manager:
Configure Advanced Settings for Mobile VPN with SSL
You can configure these settings on the Advanced tab:
The authentication and encryption settings changed to stronger defaults in Fireware v12.0. Settings for Blowfish, MD5, and DES were removed.
To configure the advanced settings, from Fireware Web UI:
Authentication
Select an authentication method for the connection: SHA-1, SHA-256, or SHA-512. We recommend the SHA-2 variants, SHA-256 and SHA-512, which are stronger than SHA-1.
Encryption
Select an algorithm to encrypt the traffic: 3DES, AES (128-bit), AES (192-bit), or AES (256-bit). In Fireware v12.2 or higher, you can also select AES-GCM (128-bit), AES-GCM (192-bit), or AES-GCM (256-bit). We recommend AES encryption. For the best performance, choose a 128-bit AES variant. For the strongest encryption, choose a 256-bit AES variant. If you select 3DES, be aware of a potential, but unlikely, security attack. For more information, see Sweet32 Vulnerability in the WatchGuard Knowledge Base.
Data channel
Select the protocol and port that Mobile VPN with SSL uses to send data after a VPN connection is established. You can use the TCP or UDP protocol. The default protocol and port for Mobile VPN with SSL is TCP port 443. This is also the standard protocol and port for HTTPS traffic. You can use port 443 for Mobile VPN with SSL as long as you do not use the same external IP address in an incoming HTTPS policy. If you change the data channel to use a port other than 443, users must manually type this port in the Mobile VPN with SSL connection dialog box. For example, if you change the data channel port to 444, and the Firebox IP address is 203.0.113.2, users must type 203.0.113.2:444 instead of 203.0.113.2. If the port is set to the default 443, users must only type the IP address of the Firebox. It is not necessary to type :443 after the IP address. For more information, see Choose the Port and Protocol for Mobile VPN with SSL. Mobile VPN with SSL does not support a UDP data channel for VPN connections to a secondary external interface IP address.
Configuration channel
The Configuration Channel specifies the channel where Mobile VPN with SSL users can download SSL client software. Select the protocol and port that Mobile VPN with SSL uses to negotiate the data channel and to download configuration files. If you set the data channel protocol to TCP, the configuration channel automatically uses the same port and protocol. If you set the data channel protocol to UDP, you can set the configuration channel protocol to TCP or UDP, and you can use a different port than the data channel. In Fireware v12.1.x, the Configuration Channel appears in the VPN Portal settings and is named the VPN Portal port. For configuration instructions that apply to Fireware v12.1.x, see Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.
Keep-Alive Interval
Specify how often the Firebox sends traffic through the tunnel to keep the tunnel active when there is no other traffic sent through the tunnel. The default value is 10 seconds.
Keep-Alive Timeout
Specify how long the Firebox waits for a response. If there is no response before the timeout value, the tunnel is closed and the client must reconnect. The default value is 60 seconds.
Renegotiate Data Channel
If a Mobile VPN with SSL connection has been active for the amount of time specified in the Renegotiate Data Channel text box, the Mobile VPN with SSL client must create a new tunnel. The minimum value is 60 minutes. The default value is 480 minutes.
In Fireware v12.2.1 or higher, you can assign or not assign the Network (global) DNS/WINS settings to Mobile VPN with SSL clients.
Assign the network DNS/WINS settings to mobile clients
If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53 in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53 as a DNS server. By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.
Do not assign DNS or WINS settings to mobile clients
If you select this option, mobile clients do not receive DNS or WINS settings from the Firebox. If your Mobile VPN with SSL configuration does not specify DNS settings, when you upgrade to Fireware v12.2.1, the Do not assign DNS or WINS settings to mobile clients option is selected.
Assign these settings to mobile clients
If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server. You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses. For more information on DNS and WINS, see Name Resolution for Mobile VPN with SSL.
In Fireware v12.2 or lower, you can specify a domain name, DNS server settings, and WINS server settings, but you cannot select to assign or not assign the Network (global) DNS/WINS settings to Mobile VPN with SSL clients.
To configure the advanced settings, from Policy Manager:
Authentication
Select an authentication method for the connection: SHA-1, SHA-256, or SHA-512. We recommend the SHA-2 variants, SHA-256 and SHA-512, which are stronger than SHA-1.
Encryption
Select an algorithm to encrypt the traffic: 3DES, AES (128-bit), AES (192-bit), or AES (256-bit). In Fireware v12.2 or higher, you can also select AES-GCM (128-bit), AES-GCM (192-bit), or AES-GCM (256-bit). We recommend AES encryption. For the best performance, choose a 128-bit AES variant. For the strongest encryption, choose a 256-bit AES variant. If you select 3DES, be aware of a potential, but unlikely, security attack. For more information, see Sweet32 Vulnerability in the WatchGuard Knowledge Base.
Data channel
Select the protocol and port that Mobile VPN with SSL uses to send data after a VPN connection is established. You can use the TCP or UDP protocol. The default protocol and port for Mobile VPN with SSL is TCP port 443. This is also the standard protocol and port for HTTPS traffic. You can use port 443 for Mobile VPN with SSL as long as you do not use the same external IP address in an incoming HTTPS policy. If you change the data channel to use a port other than 443, users must manually type this port in the Mobile VPN with SSL connection dialog box. For example, if you change the data channel port to 444, and the Firebox IP address is 203.0.113.2, users must type 203.0.113.2:444 instead of 203.0.113.2. If the port is set to the default 443, users must only type the IP address of the Firebox. It is not necessary to type :443 after the IP address. For more information, see Choose the Port and Protocol for Mobile VPN with SSL. Mobile VPN with SSL does not support a UDP data channel for VPN connections to a secondary external interface IP address.
Configuration channel
The Configuration Channel specifies the channel where Mobile VPN with SSL users can download SSL client software. Select the protocol and port that Mobile VPN with SSL uses to negotiate the data channel and to download configuration files. If you set the data channel protocol to TCP, the configuration channel automatically uses the same port and protocol. If you set the data channel protocol to UDP, you can set the configuration channel protocol to TCP or UDP, and you can use a different port than the data channel. In Fireware v12.1.x, the Configuration Channel appears in the VPN Portal settings and is named the VPN Portal port. For configuration instructions that apply to Fireware v12.1.x, see Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.
Keep-alive Interval
Specify how often the Firebox sends traffic through the tunnel to keep the tunnel active when there is no other traffic sent through the tunnel.
Keep-alive Timeout
Specify how long the Firebox waits for a response. If there is no response before the timeout value, the tunnel is closed and the client must reconnect.
Renegotiate Data Channel
If a Mobile VPN with SSL connection has been active for the amount of time specified in the Renegotiate Data Channel text box, the Mobile VPN with SSL client must create a new tunnel. The minimum value is 60 minutes.
Restore Defaults
Click to reset the Advanced tab settings to their default values. All DNS and WINS server information on the Advanced tab is deleted.
Assign the network DNS/WINS settings to mobile clients
If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53 in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53 as a DNS server. By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.
Do not assign DNS or WINS settings to mobile clients
If you select this option, mobile clients do not receive DNS or WINS settings from the Firebox. If your Mobile VPN with SSL configuration does not specify DNS settings, when you upgrade to Fireware v12.2.1, the Do not assign DNS or WINS settings to mobile clients option is selected.
Assign these settings to mobile clients
If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server. You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses. For more information on DNS and WINS, see Name Resolution for Mobile VPN with SSL.
In Fireware v12.2 or lower, you can specify a domain name, DNS server settings, and WINS server settings, but you cannot select to assign or not assign the Network (global) DNS/WINS settings to Mobile VPN with SSL clients.
Configure Policies to Control Mobile VPN with SSL Client Access
When you enable Mobile VPN with SSL, policies to allow Mobile VPN with SSL client access are automatically created. You can change these policies to control Mobile VPN with SSL client access.
WatchGuard SSLVPN policy
This SSLVPN policy allows connections from a Mobile VPN with SSL client to the Firebox.
This policy allows traffic from any host on the specified interfaces to any configured primary or secondary interface IP address of your Firebox on TCP port 443 (the port and protocol the Firebox uses for Mobile VPN with SSL). These interfaces are included in the WatchGuard SSLVPN policy by default:
If you want this policy to allow TCP port 443 connections only to a specific interface IP address, edit the To section of the policy to remove the Firebox alias and add the external IP address that your Mobile VPN with SSL clients use to connect.
In Fireware v12.1.x, the WatchGuard SSLVPN policy includes the WG-VPN-Portal alias. If you upgrade from v12.1.x to v12.2 or higher, the WG-VPN-Portal alias is removed from the WatchGuard SSLVPN policy. Interfaces that appeared in the WG-VPN-Portal alias appear in the WatchGuard SSLVPN policy, which means the policy matches the same traffic. For more information, see WatchGuard SSLVPN policy changes and the WG-VPN-Portal alias in Fireware v12.1.x in the WatchGuard Knowledge Base.
In Fireware v12.1 or higher, if you delete the WatchGuard SSLVPN policy and create a custom policy with a different name, Mobile VPN with SSL does not function if the Data Channel protocol is configured for TCP.
Allow SSLVPN-Users policy
This Any policy allows the groups and users you configure for SSL authentication to access resources on your network. This policy automatically includes all users and groups in your Mobile VPN with SSL configuration. It has no restrictions on the traffic that it allows from SSL clients to network resources protected by the Firebox. To restrict VPN user traffic by port and protocol, you can disable or delete the Allow SSLVPN-Users policy. Then, add new policies to your configuration or add the group with Mobile VPN with SSL access to the From section of your existing policies.
All Mobile VPN with SSL traffic is untrusted by default. Even if you assign Mobile VPN with SSL users IP addresses on the same subnet as a trusted network, the traffic from the Mobile VPN with SSL user is not considered trusted. Regardless of assigned IP address, you must create policies to allow Mobile VPN with SSL users access to network resources.
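As an added example that is not WatchGuard's code, the following Python check applies the rules stated in the virtual IP pool, Advanced tab and policy sections above to a Mobile VPN with SSL configuration described as a plain dictionary. The dictionary layout, field names and sample values are assumptions made for the example; only the rules themselves come from the page.

```python
# Added example (not WatchGuard's code): lint a Mobile VPN with SSL configuration
# against the rules this page states. The dict layout and field names are assumptions.
import ipaddress

BOVPN_TLS_DEFAULT_POOL = "192.168.113.0/24"  # default pool shared by both features (from the page)

def lint_sslvpn(cfg, bovpn_tls_client_enabled=False, bovpn_tls_pool=BOVPN_TLS_DEFAULT_POOL,
                https_policy_external_ips=(), server_groups=()):
    """Return a list of (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    adv = cfg["advanced"]
    proto, port = adv["data_channel"]
    addr = cfg["firebox_address"]

    # Both features default to 192.168.113.0/24; when both are enabled the pools must differ.
    if bovpn_tls_client_enabled:
        pool = ipaddress.ip_network(cfg["virtual_ip_pool"], strict=False)
        other = ipaddress.ip_network(bovpn_tls_pool, strict=False)
        if pool.overlaps(other):
            findings.append(("error", f"virtual IP pool {pool} overlaps BOVPN over TLS pool {other}"))
    # TCP 443 is fine only if no incoming HTTPS policy already uses the same external IP.
    if proto == "TCP" and port == 443 and addr in https_policy_external_ips:
        findings.append(("error", f"TCP 443 on {addr} conflicts with an incoming HTTPS policy"))
    if port != 443:
        findings.append(("info", f"clients must enter {addr}:{port} in the connection dialog"))

    # A UDP data channel is not supported for connections to a secondary external interface IP.
    if proto == "UDP" and cfg.get("address_is_secondary_external", False):
        findings.append(("error", "UDP data channel not supported on a secondary external IP"))

    # With a TCP data channel the configuration channel uses the same port and protocol.
    if proto == "TCP" and tuple(adv["config_channel"]) != (proto, port):
        findings.append(("warning", "configuration channel must match the TCP data channel"))

    # Renegotiate Data Channel has a 60-minute minimum.
    if adv["renegotiate_minutes"] < 60:
        findings.append(("error", "Renegotiate Data Channel must be at least 60 minutes"))

    # Algorithm recommendations from the page: AES over 3DES (Sweet32), SHA-2 over SHA-1.
    if adv["encryption"] == "3DES":
        findings.append(("warning", "3DES is affected by Sweet32; prefer an AES variant"))
    if adv["authentication"] == "SHA-1":
        findings.append(("warning", "SHA-1 selected; prefer SHA-256 or SHA-512"))

    # Group names are case-sensitive and must exactly match the authentication server.
    for name in cfg["groups"]:
        if name not in server_groups:
            near = [g for g in server_groups if g.lower() == name.lower()]
            hint = f" (case mismatch with {near[0]!r})" if near else ""
            findings.append(("error", f"group {name!r} not found on authentication server{hint}"))

    # VPN traffic is untrusted by default: some policy must grant the configured groups access.
    if not cfg["allow_sslvpn_users_policy_enabled"] and not cfg["other_policies_with_vpn_groups"]:
        findings.append(("error", "no policy grants Mobile VPN with SSL users access to resources"))
    return findings

# Constructed sample configuration, not taken from a real Firebox.
SAMPLE_CFG = {
    "firebox_address": "203.0.113.2", "address_is_secondary_external": False,
    "virtual_ip_pool": "192.168.113.0/24", "groups": ["SSLVPN-Users", "ldap-users1"],
    "allow_sslvpn_users_policy_enabled": True, "other_policies_with_vpn_groups": [],
    "advanced": {"authentication": "SHA-256", "encryption": "3DES", "renegotiate_minutes": 480,
                 "data_channel": ("TCP", 444), "config_channel": ("TCP", 444)},
}

if __name__ == "__main__":
    for sev, msg in lint_sslvpn(SAMPLE_CFG, bovpn_tls_client_enabled=True,
                                https_policy_external_ips=["203.0.113.2"],
                                server_groups=["SSLVPN-Users", "LDAP-Users1"]):
        print(f"{sev}: {msg}")
```

The sample deliberately trips the pool overlap, the non-default port, 3DES and a group whose case does not match the server, so the output shows one finding of each kind.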
WatchGuard Authentication policy
This policy is not created automatically when you enable Mobile VPN with SSL. For more information about this policy, see About the WatchGuard Authentication (WG-Auth) Policy. To download the Mobile VPN with SSL client software, users authenticate with the Firebox on port 443, or on a custom port that you specify.
Allow Mobile VPN with SSL Users to Access a Trusted Network
In this example, you add an Any policy that allows members in the SSLVPN-Users group to get full access to resources on all trusted networks. From Fireware Web UI:
From Policy Manager:
For more information on policies, see Add Policies to Your Configuration.
Use Other Groups or Users in a Mobile VPN with SSL Policy
To make a Mobile VPN with SSL connection, users must be members of the SSLVPN-Users group or any group you added to the Mobile VPN with SSL configuration. You can use policies with other groups to restrict access to resources after the user connects. If you added groups from a third-party authentication server in your Mobile VPN with SSL configuration, and you want to use those group names in policies to restrict access, you must also add those groups to the Users and Groups list in the Firebox configuration. To set up Users and Groups, from Fireware Web UI:
After you add users or groups from the Mobile VPN with SSL configuration to the Users and Groups list, you can edit the automatically generated Allow SSLVPN-Users policy to apply to a specific group or user. In this example, we modify the Allow SSLVPN-Users policy to apply to only the user group LDAP-Users1:
To set up Users and Groups, from Policy Manager:
After you add users or groups from the Mobile VPN with SSL configuration to the Users and Groups list, you can edit the automatically generated Allow SSLVPN-Users policy to apply to a specific group or user. In this example, we modify the Allow SSLVPN-Users policy to apply to only the user group LDAP-Users1:
See Also
Download, Install, and Connect the Mobile VPN with SSL Client
Uninstall the Mobile VPN with SSL Client
Video tutorial — Mobile VPN with SSL
SSL/TLS Settings Precedence and Inheritance
DNS and Mobile VPNs
Troubleshoot Mobile VPN with SSL