End-User Instructions for WatchGuard Mobile VPN with IPSec Client Installation
These instructions are written for Mobile VPN with IPSec client end users. They tell end users to contact their network administrator for instructions on how to install a desktop firewall or configure the firewall that is part of the client software, and for the settings to control the connection behavior if they do not use a .ini file. You can print these instructions or use them to create a set of instructions for your end users.
The WatchGuard Mobile VPN with IPSec client creates an encrypted connection between your computer and the Firebox with a standard Internet connection. The Mobile VPN client enables you to get access to protected network resources from any remote location with an Internet connection.
Before you install the client, make sure you understand these requirements and recommendations:
- You can install the Mobile VPN with IPSec client software on any computer with Windows 2000 Pro, Windows XP (32-bit and 64-bit), or Windows Vista (32-bit and 64-bit).
- Make sure the computer does not have any other IPSec mobile user VPN client software installed.
- Uninstall any desktop firewall software other than Microsoft firewall software from your computer.
- If the client computer uses Windows XP, to install the Mobile VPN client software and to import the .wgx configuration file, you must log on with an account that has administrator rights. Administrator rights are not required to connect after the client has been installed and configured.
- If the client computer uses Windows Vista, to install the Mobile VPN client software, you must log on with an account that has administrator rights. Administrator rights are not required to import a .wgx or .ini file or to connect after the client has been installed.
- We recommend that you check to make sure all available service packs are installed before you install the Mobile VPN client software.
- We recommend that you do not change the configuration of any Mobile VPN client setting not explicitly described in this documentation.
Before you start the installation, make sure you have the following installation components:
- Mobile VPN with IPSec software installation file
- End-user profile, with a .wgx or .ini file extension
- Passphrase (if the end-user profile is a .wgx file or the connection uses certificates for authentication)
- User name and password
- cacert.pem and .p12 certificate file (if the connection uses certificates for authentication)
Install the Client Software
- Copy the Mobile VPN .zip file to the remote computer and extract the contents of the file to the root directory on the remote (client or user) computer. Do not run the installation software from a CD or other external drive.
- Copy the end user profile (the .wgx or .ini file) to the root directory.
If you use certificates to authenticate, copy the cacert.pem and .p12 files to the root directory as well.
- Double-click the .exe file you extracted in Step 1. This starts the WatchGuard Mobile VPN Installation Wizard.
You must restart your computer when the installation wizard completes.
- Click through the wizard and accept all the default settings.
- Restart your computer when the installation wizard completes.
- When the computer restarts, the WatchGuard Mobile VPN Connection Monitor dialog box appears. When the software starts for the first time after you install it, you see this message:
There is no profile for the VPN dial-up!
Do you want to use the configuration wizard for creating a profile now?
- Click No.
- Select View > Autostart > No Autostart so that the program does not run automatically.
After you install the client software, reinstall the original desktop firewall software or configure the firewall that is part of the client software. If you use a third-party desktop firewall, make sure you configure it to allow traffic to establish the VPN tunnel and the traffic that goes through the tunnel. Contact your network administrator for instructions.
Import the End User Profile
The end user profile file configures the Mobile VPN client with the settings required to create a VPN tunnel.
To import a Mobile VPN configuration .wgx or .ini file:
- From your Windows desktop, select Start > All Programs > WatchGuard Mobile VPN > Mobile VPN Monitor.
- From the WatchGuard Mobile VPN Connection Monitor, select Configuration > Profile Import.
The Profile Import Wizard starts.
- On the Select User Profile screen, browse to the location of the .wgx or .ini configuration file.
- Click Next.
- If you use a .wgx file, on the Decrypt User Profile screen, type the passphrase. The passphrase is case-sensitive.
- Click Next.
- On the Overwrite or add Profile screen, you can select to overwrite a profile of the same name. This is useful if your network administrator gives you a new .wgx file to import.
- Click Next.
- On the Authentication screen, you can select whether to type the user name and password that you use to authenticate the VPN tunnel.
If you keep these fields empty, you must enter your user name and password each time you connect.
If you type your user name and password, the Firebox stores them and you do not have to enter this information each time you connect. However, this is a security risk. You can also type just your user name and keep the Password field empty.
- Click Next.
- Click Finish.
Select a Certificate and Enter the Passphrase
Complete this section only if you have a cacert.pem and a .p12 file.
- Select Configuration > Certificates.
- Click Add.
- On the User Certificate tab, select from PKS#12 file from the Certificate drop-down list.
- Adjacent to the PKS#12 Filename text box, click the button and browse to the location of the .p12 file.
- Click OK. Click Close.
- Select Configuration > Profiles.
- Select the profile name. Click Edit.
- Click Identities.
- From the Certificate configuration drop-down box, select the certificate configuration you added.
- Select Connection > Enter PIN.
- Type the passphrase and click OK.
Connect and Disconnect the Mobile VPN Client
Connect to the Internet through a Dial-Up Networking connection or a LAN connection. Then, use the instructions below to select your profile, connect, and disconnect.
To select your profile and connect the Mobile VPN client:
- From your Windows desktop, select Start > All Programs > WatchGuard Mobile VPN > Mobile VPN Monitor.
The WatchGuard Mobile VPN dialog box appears.
- From the Profile drop-down list, select the name of the profile you imported.
- Click the Connect button to connect.
The Mobile User VPN client icon appears in the Windows system tray when you are connected.
To disconnect the Mobile VPN client:
- Restore the Mobile VPN Monitor dialog box.
- Click the Disconnect button to disconnect.
Control the Connection Behavior
The connection behavior controls the action the Mobile VPN client software takes when the VPN tunnel becomes unavailable for any reason. By default, you must manually reconnect. You are not required to change the connection behavior, but you can select to automatically or variably reconnect. Contact your network administrator for the suggested setting.
If you import a .ini file to configure the client software, do not change any of the Line Management settings. The .ini file configures these settings for you.
To set the behavior of the Mobile VPN client when the VPN tunnel becomes unavailable:
- From the WatchGuard Mobile VPN Connection Monitor, select Configuration > Profiles.
- Select the name of the profile and click Edit.
- From the left pane, select Line Management.
- Use the Connection Mode drop-down list to set a connection behavior for this profile.
- Manual — When you select manual connection mode, the client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. To restart the VPN tunnel, you must click the Connect button in Connection Monitor or right-click the Mobile VPN icon on your Windows desktop toolbar and click Connect.
- Automatic — When you select automatic connection mode, the client tries to start the connection when your computer sends traffic to a destination that you can reach through the VPN. The client also tries to restart the VPN tunnel automatically if the VPN tunnel goes down.
- Variable — When you select variable connection mode, the client tries to restart the VPN tunnel automatically until you click Disconnect. After you disconnect, the client does not try to restart the VPN tunnel again until after the next time you click Connect.
- Click OK.
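The three Connection Mode settings can be read as a small state machine. The following is an added illustration, not WatchGuard code: it replays a sequence of events for each mode and reports whether the tunnel is up after each one. The event names, the rule that an attempt succeeds whenever the gateway is reachable, and the client staying idle after Disconnect until the next trigger are assumptions of this model.

```python
# Added illustration: toy model of the Manual / Automatic / Variable modes.
# Event names and the "attempt succeeds if reachable" rule are assumptions.
MODES = ("Manual", "Automatic", "Variable")
EVENTS = ("connect", "disconnect", "drop", "restore", "traffic")


def replay(mode, events):
    """Return the tunnel state (True = up) after each event.

    connect / disconnect : the user clicks Connect / Disconnect
    drop / restore       : the tunnel becomes unavailable / reachable again
    traffic              : the computer sends traffic to a VPN destination
    """
    if mode not in MODES:
        raise ValueError(f"unknown connection mode: {mode!r}")
    reachable, up, want = True, False, False  # want: client keeps trying
    states = []
    for event in events:
        if event not in EVENTS:
            raise ValueError(f"unknown event: {event!r}")
        if event == "connect":
            want = True
        elif event == "disconnect":
            up = want = False            # Variable stops retrying here
        elif event == "drop":
            reachable = up = False
            if mode == "Manual":
                want = False             # user must click Connect again
        elif event == "restore":
            reachable = True
        elif event == "traffic" and mode == "Automatic":
            want = True                  # only Automatic starts on demand
        # One connection attempt per event, if the client still wants a tunnel.
        if want and reachable:
            up = True
        elif want and mode == "Manual":
            want = False                 # Manual does not retry a failed attempt
        states.append(up)
    return states


if __name__ == "__main__":
    sequence = ["connect", "drop", "restore", "disconnect", "traffic"]
    print("events   ", sequence)
    for m in MODES:
        print(f"{m:<9}", replay(m, sequence))
```

In the printed sequence, only Automatic brings the tunnel back after Disconnect (on the next traffic event), while Manual stays down from the first drop onward.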
Mobile User VPN Client Icon
The Mobile User VPN icon appears in the Windows system tray to show the VPN connection status. You can right-click the icon to reconnect and disconnect your Mobile VPN, and to see the profile in use.