Configure the Firebox for Mobile VPN with SSL

When you activate Mobile VPN with SSL, an SSLVPN-Users user group and a WatchGuard SSLVPN policy are automatically created to allow SSL VPN connections from the Internet to the external interface on your Firebox. You can use this group, or you can create new groups that have the same names as the user group names on your authentication servers.

When you enable a Management Tunnel over SSL on your WSM Management Server, some SSL configuration settings are shared with Mobile VPN with SSL, because both features use the same OpenVPN server on the Firebox. While a Management Tunnel is enabled, these shared settings are managed by your Management Server and you cannot change them in the Mobile VPN with SSL configuration; you must change them in the Device Properties on the Management Server. The shared settings include the Firebox IP addresses, networking method, virtual IP address pool, VPN resources, data channel, and configuration channel. You also cannot disable the Firebox-DB authentication server, which is required for Management Tunnel authentication.

Before You Begin

Before you configure Mobile VPN with SSL, decide how you want the Firebox to send traffic through the VPN tunnel. Based on the option you choose, you might have to make changes to your network configuration before you enable Mobile VPN with SSL.

You can configure Mobile VPN with SSL to handle VPN traffic to your network in one of two ways:

Routed VPN Traffic

This is the default selection. With this option, the Firebox sends traffic from the VPN tunnel to all local trusted, optional, and custom networks or to specific network resources you specify.

Bridge VPN Traffic

This option enables you to bridge SSL VPN traffic to a trusted, optional, or custom network. When you select this option, you cannot filter traffic between the SSL VPN users and the network that the SSL VPN traffic is bridged to. When you bridge VPN traffic to a network, the SSL VPN users are in the same security zone as other users on the network that you bridge to, and the traffic for those mobile users is managed by the same security policies as traffic for other users on the bridged network.

For example, if you bridge VPN traffic to a trusted interface, all policies that allow traffic for the Any-Trusted alias also allow traffic for the users who connect to the network with Mobile VPN with SSL. The Bridge VPN Traffic option does not bridge SSL VPN traffic to any secondary networks on the selected network bridge.

If you select Bridge VPN Traffic in the Mobile VPN with SSL configuration on a FireboxV or XTMv virtual machine, you must enable promiscuous mode on the attached virtual switch (vSwitch) in VMware.

The choice of interfaces you can bridge VPN traffic to depends on the version of Fireware installed on the device:

  • Fireware v11.8.x and lower — You can bridge VPN traffic to any interface that is not a LAN bridge.
  • Fireware v11.9 and higher — You can bridge VPN traffic only to a LAN bridge.

For information about how to configure a bridge interface, see Create a Network Bridge Configuration.

If you configure Mobile VPN with SSL from the Web UI, do not change the interface that you used to log in to the Web UI to a bridge interface. This causes you to immediately lose the management connection to the device. If this happens, you must use a different configured interface to reconnect.

If you want to change the interface that you use to manage the device to a bridge interface, we recommend that you make this change from Policy Manager. You can complete all interface configuration changes before you save the updated configuration file to the device.

To change the trusted or optional interface you use for management to a bridge interface, from Fireware Web UI:

  1. Configure another trusted or optional interface to use as a temporary management interface.
  2. Connect the management computer to the new interface, and log in to the Web UI.
  3. Change the original management interface to a bridge interface, and configure a LAN bridge that includes this interface.
  4. Connect the management computer to the original management interface.
  5. Disable the temporary management interface.

For detailed instructions, see Create a Network Bridge Configuration.

Configure Connection Settings

Configure the Networking and IP Address Pool Settings

In the Networking and IP Address Pool section, you configure the network resources that Mobile VPN with SSL clients can use.

Configure Authentication Settings

Next, you must configure the authentication settings. You can select one or more configured authentication servers to use. The server at the top of the list is the default server. The default server is used for authentication if the user does not specify the authentication server or domain in the Mobile VPN with SSL client.

Make sure you create a group on the server that has the same name as the name you added in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with SSL. For more information, see Configure the External Authentication Server.

Select Authentication Servers

Add Users and Groups

The SSLVPN-Users group is added by default. You can use this group for authentication, or add the names of other groups and users that exist on your authentication server and that should be allowed to use Mobile VPN with SSL. For each group or user, select the specific authentication server where the name exists, or select Any if the name exists on more than one authentication server. The group or user name you add must exist on the authentication server. Group and user names are case-sensitive and must exactly match the name on your authentication server; a name that differs only in case is not a match.
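The check below is an added example, not WatchGuard code. It encodes the matching rule stated above (a configured name must exist on the selected authentication server, the comparison is case-sensitive, and an entry set to Any resolves against every configured server) so that mismatches can be caught before users try to connect. The server inventory, the server names ad.example.com and ldap.example.com, and the group and user names are all constructed sample data; in practice the inventory would come from a directory query and the entries from the Firebox configuration.

```python
"""Pre-deployment check for Mobile VPN with SSL group and user names.

Added example, not WatchGuard code. Each configured (name, server) entry is
resolved against a constructed inventory of names per authentication server.
"""

from dataclasses import dataclass

# Constructed inventory: authentication server -> names that exist on it.
# Firebox-DB is the local database; the other two servers are hypothetical.
AUTH_SERVERS = {
    "Firebox-DB": {"SSLVPN-Users", "admin"},
    "ad.example.com": {"SSLVPN-Users", "VPN-Contractors", "Finance-VPN", "jsmith"},
    "ldap.example.com": {"vpn-contractors", "ops-vpn"},
}

# Constructed Mobile VPN with SSL entries: (name, selected server).
MVPN_SSL_ENTRIES = [
    ("SSLVPN-Users", "Any"),
    ("VPN-Contractors", "ldap.example.com"),  # exists there only as vpn-contractors
    ("Finance-VPN", "ad.example.com"),
    ("jsmith", "ad.example.com"),
    ("ops-vpn", "Any"),
    ("Sales-VPN", "Any"),                     # exists on no server
]


@dataclass(frozen=True)
class Finding:
    name: str
    server: str
    status: str   # "ok", "case-mismatch" or "missing"
    detail: str


def _match(name, names):
    """Exact, case-sensitive lookup. Returns (status, matched_name)."""
    if name in names:
        return "ok", name
    # A case-only difference is reported separately because it is the most
    # common reason a group that "exists" still does not match.
    for candidate in sorted(names):
        if candidate.casefold() == name.casefold():
            return "case-mismatch", candidate
    return "missing", None


def check_entries(entries, servers):
    """Return one Finding per configured entry."""
    findings = []
    for name, server in entries:
        # "Any" may resolve on any configured server; otherwise only the
        # selected one (an unknown server name simply yields no names).
        scope = servers if server == "Any" else {server: servers.get(server, set())}
        results = {s: _match(name, names) for s, names in scope.items()}
        exact = [s for s, (status, _) in results.items() if status == "ok"]
        if exact:
            findings.append(Finding(name, server, "ok",
                                    "exists on " + ", ".join(sorted(exact))))
            continue
        near = [f"{s} has {m}" for s, (status, m) in results.items()
                if status == "case-mismatch"]
        if near:
            findings.append(Finding(name, server, "case-mismatch", "; ".join(sorted(near))))
        else:
            findings.append(Finding(name, server, "missing",
                                    "not found on " + ", ".join(sorted(scope))))
    return findings


def problems(findings):
    """Entries that do not match any name on the server they are scoped to."""
    return [f for f in findings if f.status != "ok"]


if __name__ == "__main__":
    for f in check_entries(MVPN_SSL_ENTRIES, AUTH_SERVERS):
        print(f"{f.status:14} {f.name:18} server={f.server:18} {f.detail}")
```

Run against the constructed data, the check flags VPN-Contractors (the LDAP server only has vpn-contractors) and Sales-VPN (present on no server) and accepts the rest.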

The Allow SSLVPN-Users Policy and Mobile VPN with SSL Groups and Users

When you save the Mobile VPN with SSL configuration, the Allow SSLVPN-Users policy is created or updated to apply to the groups and users you configured for authentication. The group and user names you added do not appear in the From list of the policy; only the single group name SSLVPN-Users appears there. The policy nevertheless applies to all users and groups you configured in the Mobile VPN with SSL authentication settings.

If you disable Mobile VPN with SSL, the Allow SSLVPN-Users policy and the SSLVPN-Users group are automatically removed.

Configure Advanced Settings for Mobile VPN with SSL

Configure Policies to Control Mobile VPN with SSL Client Access

When you enable Mobile VPN with SSL, policies to allow Mobile VPN with SSL client access are automatically created. You can change these policies to control Mobile VPN with SSL client access.

WatchGuard SSLVPN

This policy allows connections from a Mobile VPN with SSL client to the Firebox. It allows traffic from any host on the external, trusted, or optional networks to any configured primary or secondary interface IP address of your Firebox on TCP port 443, the port and protocol the Firebox uses for Mobile VPN with SSL by default.

If you want this policy to allow TCP port 443 connections only to a specific interface IP address, edit the To section of the policy to remove the Firebox alias and add the external IP address that your Mobile VPN with SSL clients use to connect.

Allow SSLVPN-Users

This Any policy allows the groups and users you configure for SSL authentication to access resources on your network. This policy automatically includes all users and groups in your Mobile VPN with SSL configuration. It places no restrictions on the traffic it allows from SSL clients to network resources protected by the Firebox.

To restrict VPN user traffic by port and protocol, you can disable or delete the Allow SSLVPN-Users policy. Then, add new policies to your configuration or add the group with Mobile VPN with SSL access to the From section of your existing policies.

All Mobile VPN with SSL traffic is untrusted by default. Even if you assign Mobile VPN with SSL users IP addresses on the same subnet as a trusted network, the traffic from the Mobile VPN with SSL user is not considered trusted. Regardless of assigned IP address, you must create policies to allow Mobile VPN with SSL users access to network resources.
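The audit below is an added example, not WatchGuard code and not the Firebox configuration file format. It models policies as simple dictionaries (a constructed representation) and checks the three points made in this section and in the WatchGuard SSLVPN section above: a To list that still contains the Firebox alias accepts SSL VPN connections on every interface IP; an enabled Any policy from the VPN groups to Any places no restriction on client traffic; and, because VPN traffic is untrusted regardless of assigned IP address, a VPN group with no enabled policy that allows its traffic reaches nothing. It also honours the rule that the auto-created Allow SSLVPN-Users policy applies to every configured group even though only SSLVPN-Users appears in its From list. The policy names SSLVPN-RDP and SSLVPN-Finance-HTTPS, the group Finance-VPN, and the addresses 203.0.113.10, 10.0.1.0/24 and 10.0.2.15 are assumptions chosen for the illustration.

```python
"""Audit of the policies that govern Mobile VPN with SSL client traffic.

Added example, not WatchGuard code. Policies are constructed dictionaries
with From aliases/groups, To targets, a service and an enabled flag.
"""

# Groups in the Mobile VPN with SSL configuration (constructed). A group from a
# third-party server must also be in Authorized Users and Groups to be usable
# in a policy; that list is assumed to be in place here.
VPN_GROUPS = {"SSLVPN-Users", "Finance-VPN"}

# To targets that mean "no destination restriction".
UNRESTRICTED_TO = {"Any", "Any-Trusted", "Any-Optional"}


def policy(name, src, dst, service, enabled=True):
    """Constructed policy record; service is "Any" or "proto/port"."""
    return {"name": name, "from": set(src), "to": set(dst),
            "service": service, "enabled": enabled}


# Constructed "before": the two automatically created policies.
DEFAULT_POLICIES = [
    policy("WatchGuard SSLVPN", {"Any-External", "Any-Trusted", "Any-Optional"},
           {"Firebox"}, "tcp/443"),
    policy("Allow SSLVPN-Users", {"SSLVPN-Users"}, {"Any"}, "Any"),
]

# Constructed "after": WatchGuard SSLVPN narrowed to the external IP clients
# use (assumed 203.0.113.10), the Any policy disabled, and per-service
# policies added in its place (assumed names and addresses).
HARDENED_POLICIES = [
    policy("WatchGuard SSLVPN", {"Any-External"}, {"203.0.113.10"}, "tcp/443"),
    policy("Allow SSLVPN-Users", {"SSLVPN-Users"}, {"Any"}, "Any", enabled=False),
    policy("SSLVPN-RDP", {"SSLVPN-Users"}, {"10.0.1.0/24"}, "tcp/3389"),
    policy("SSLVPN-Finance-HTTPS", {"Finance-VPN"}, {"10.0.2.15"}, "tcp/443"),
]


def _subjects(p, vpn_groups):
    """VPN groups a policy applies to. The auto-created Allow SSLVPN-Users
    policy lists only SSLVPN-Users in From but applies to every group and
    user in the Mobile VPN with SSL configuration."""
    if p["name"] == "Allow SSLVPN-Users":
        return set(vpn_groups)
    return p["from"] & vpn_groups


def audit(policies, vpn_groups):
    """Return (severity, policy_or_group, message) findings."""
    findings = []
    covered = set()
    for p in policies:
        if not p["enabled"]:
            continue
        if p["name"] == "WatchGuard SSLVPN" and "Firebox" in p["to"]:
            findings.append(("info", p["name"],
                             "accepts SSL VPN connections on every interface IP; "
                             "replace the Firebox alias with the external IP clients use"))
        groups = _subjects(p, vpn_groups)
        if not groups:
            continue
        covered |= groups
        if p["service"] == "Any" and p["to"] & UNRESTRICTED_TO:
            findings.append(("high", p["name"],
                             f"allows any service from {sorted(groups)} to "
                             f"{sorted(p['to'])}; disable it and add per-service policies"))
    for g in sorted(vpn_groups - covered):
        findings.append(("warn", g, "no enabled policy allows this group's traffic; "
                                    "clients can connect but reach nothing"))
    return findings


def reachable(policies, group, vpn_groups):
    """(destination, service) pairs an enabled policy allows for a group."""
    return sorted((d, p["service"]) for p in policies
                  if p["enabled"] and group in _subjects(p, vpn_groups)
                  for d in p["to"])


if __name__ == "__main__":
    for label, pols in (("default", DEFAULT_POLICIES), ("hardened", HARDENED_POLICIES)):
        print(f"== {label}")
        for sev, subject, msg in audit(pols, VPN_GROUPS):
            print(f"[{sev}] {subject}: {msg}")
```

On the default set the audit reports the Firebox alias on WatchGuard SSLVPN and the unrestricted Allow SSLVPN-Users policy; on the hardened set it reports nothing, and removing the Finance-VPN policy from that set produces the "reaches nothing" warning for that group.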

WatchGuard Authentication

In Fireware v11.11.4 and lower, this WG-Auth policy allows users to authenticate with the Firebox on port 4100 to download the Mobile VPN with SSL client software. If the WatchGuard Authentication policy is not already included in your Firebox configuration, it is created automatically when you enable Mobile VPN with SSL. The WatchGuard Authentication policy must allow traffic from Any-External to the Firebox to enable users to connect to the Firebox from an external network.

For more information about this policy, see About the WatchGuard Authentication (WG-Auth) Policy.

In Fireware v11.12 and higher, this policy is not created automatically when you enable Mobile VPN with SSL. Users authenticate with the Firebox on port 443, or on a custom port that you specify, to download the Mobile VPN with SSL client software.

After you upgrade your Firebox to Fireware OS v11.12, if your configuration file includes a WatchGuard Authentication policy, the alias Any-External is automatically removed from that policy, regardless of whether you added the alias manually or whether Mobile VPN with SSL is enabled. If you upgrade with Policy Manager, reload the configuration from the Firebox after the upgrade completes; otherwise, the copy still open in Policy Manager adds the alias back the next time you save the configuration to the Firebox.

Allow Mobile VPN with SSL Users to Access a Trusted Network

In this example, you add an Any policy that allows members of the SSLVPN-Users group full access to resources on all trusted networks.

For more information on policies, see Add Policies to Your Configuration.

Use Other Groups or Users in a Mobile VPN with SSL Policy

To make a Mobile VPN with SSL connection, users must be members of the SSLVPN-Users group or any group you added to the Mobile VPN with SSL configuration. You can use policies with other groups to restrict access to resources after the user connects. If you added groups from a third-party authentication server in your Mobile VPN with SSL configuration, and you want to use those group names in policies to restrict access, you must also add those groups to the Authorized Users and Groups list in the Firebox configuration.

See Also

Install and Connect the Mobile VPN with SSL Client

Uninstall the Mobile VPN with SSL Client

Video tutorial — Mobile VPN with SSL
