Mobile VPN for Windows Mobile Setup
WatchGuard Mobile VPN for Windows Mobile uses the data connection on a device running the Windows Mobile operating system to establish a secure VPN connection to networks protected by a Firebox or XTM device that supports Mobile VPN with IPSec. Mobile VPN for Windows Mobile has two components:
- WatchGuard Mobile VPN WM Configurator runs on a computer that can establish a connection to the Windows Mobile device using Microsoft ActiveSync. The Configurator configures and uploads the client software to the Windows Mobile device.
- The WatchGuard Mobile VPN client software runs on the Windows Mobile device. The WatchGuard Mobile VPN Service must be running in order to establish a VPN connection. WatchGuard Mobile VPN Monitor allows you to select an uploaded end-user profile and connect the VPN.
Mobile VPN for Windows Mobile uses the same .wgx end-user profile files that are used to configure Mobile VPN with IPSec. To create the end-user profile, see Configure the Firebox or XTM Device for Mobile VPN with IPSec.
Mobile VPN WM Configurator and Windows Mobile IPSec Client Requirements
Before you install the client, make sure you understand these requirements and recommendations for working with Mobile VPN with IPSec. If you have not already done so, see the topics that describe how to configure your Firebox or XTM device to use Mobile VPN.
You must Configure the Firebox or XTM Device for Mobile VPN with IPSec. This process creates the end user profile used to configure the Windows Mobile client software.
The Mobile VPN WM Configurator system requirements are:
The Windows Mobile IPSec client device requirements are:
- Windows Mobile 5.0
- Windows Mobile 6.0
Supported devices include:
- Symbol MC70 (Windows Mobile 5 Premium Phone)
- T-Mobile Dash (Windows Mobile 6 Smartphone)
- Samsung Blackjack (Windows Mobile 5 Smartphone)
The devices in this list have been tested with WatchGuard Mobile VPN for Windows Mobile. A good way to learn whether other users have successfully configured other devices is to check the WatchGuard user forum, at http://forum.watchguard.com/.
To install the Windows Mobile VPN WM Configurator on some operating systems, you must log on to the computer with an account that has administrator rights and import the .wgx configuration file. Administrator rights are not required to upload the client and configuration to the Windows Mobile device.
Install the Mobile VPN WM Configurator Software
The Mobile VPN WM Configurator software must be installed on a computer that can connect to the Windows Mobile device through ActiveSync. Before you start the installation, make sure you have these installation components:
- The WatchGuard Mobile VPN WM Configurator installation file
- An end user profile, with a file extension of .wgx
- Shared Key
- A .p12 certificate file (if the VPN connects to a Firebox X Core or Peak and uses certificates to authenticate)
- User name and password (if the VPN connects to a Firebox X Core or Peak and uses Extended Authentication)
Write the shared key down and keep it in a secure location. You must use it when you import the end-user profile.
To install the Configurator:
- Copy the Mobile VPN WM Configurator .zip file to the computer and extract the contents of the file.
- Copy the end user profile (the .wgx file) to the root directory on the remote computer.
- Double-click the .exe file you extracted in the first step. This starts the WatchGuard Mobile VPN WM Installation Wizard.
- Follow the steps in the wizard. In the InstallShield Wizard Complete dialog box, keep the Start PDA Installation check box selected only if the Windows Mobile device is currently connected through ActiveSync.
Select a Certificate and Enter the PIN
If the VPN uses a certificate to authenticate, you must:
- Save the .p12 file to the \certs\ directory. The default location is C:\Program Files\WatchGuard\Mobile VPN WM\certs\.
- Select Start > All Programs > WatchGuard Mobile VPN > WatchGuard Mobile VPN WM to start the Configurator.
- Select Configuration > Certificates.
- On the User Certificate tab, select from PKS#12 file from the Certificate drop-down list.
- Adjacent to the PKS#12 Filename text box, type %installdir%\certs\mycert.p12. Replace mycert.p12 with the name of your .p12 file. Click OK.
- Select Connection > Enter PIN.
- Type the PIN and click OK.
The PIN is the shared key entered to encrypt the file in the Add Mobile User VPN Wizard.
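Before the .p12 file is saved to the \certs\ directory, you can confirm from PowerShell on the Configurator computer that it opens with the PIN, contains a private key, and is within its validity period. This script is an added example, not WatchGuard software; the parameter names are hypothetical, and it assumes Windows PowerShell with the .NET Framework.

```powershell
# Added example (not WatchGuard code): check a .p12 file before staging it.
param(
    [Parameter(Mandatory = $true)][string]$P12Path,
    # Default location from this page; change it if you installed elsewhere.
    [string]$CertsDir = 'C:\Program Files\WatchGuard\Mobile VPN WM\certs'
)
$ErrorActionPreference = 'Stop'

# .NET resolves relative paths against the process directory, not the
# PowerShell location, so resolve to a full path first.
$full = (Resolve-Path -LiteralPath $P12Path).Path

# Prompt for the PIN so it is not left in command history or a script file.
$pin = Read-Host -Prompt 'PIN for the .p12 file' -AsSecureString

try {
    # Fails if the PIN is wrong or the file is not a PKCS#12 bundle.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full, $pin
}
catch {
    throw "Cannot open '$full' with this PIN: $($_.Exception.Message)"
}

try {
    $now = Get-Date
    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in the file' }
    if ($cert.NotBefore -gt $now) { $problems += "not valid before $($cert.NotBefore)" }
    if ($cert.NotAfter -lt $now)  { $problems += "expired on $($cert.NotAfter)" }

    Write-Output "Subject    : $($cert.Subject)"
    Write-Output "Issuer     : $($cert.Issuer)"
    Write-Output "Thumbprint : $($cert.Thumbprint)"
    Write-Output "Valid until: $($cert.NotAfter)"

    if ($problems.Count -gt 0) {
        throw "Not staging the file: $($problems -join '; ')"
    }
    # Writing under Program Files may need an elevated PowerShell session.
    Copy-Item -LiteralPath $full -Destination $CertsDir
    Write-Output "Copied to $CertsDir"
}
finally {
    # Release the temporary key container created when the file was loaded.
    $cert.Reset()
}
```

Compare the thumbprint it prints with the value your network administrator gives you for the certificate.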
Import an End-User Profile
To import a Mobile VPN configuration .wgx file:
- Select Start > All Programs > WatchGuard Mobile VPN > WatchGuard Mobile VPN WM to start the Configurator.
- Select Configuration > Profile Import.
The Profile Import Wizard starts.
- On the Select User Profile screen, browse to the location of the .wgx configuration file supplied by your network administrator. Click Next.
- On the Decrypt User Profile screen, type the shared key or passphrase supplied by your network administrator. The shared key is case-sensitive. Click Next.
- On the Overwrite or add Profile screen, you can select to overwrite a profile of the same name. This is useful if your network administrator gives you a new .wgx file and you must reimport it. Click Next.
- On the Authentication screen, you can type the user name and password that you use to authenticate the VPN tunnel. If you type your user name and password here, the Firebox or XTM device stores them and you do not have to type this information each time you connect. However, storing the password is a security risk. You can type just your user name and keep the Password field empty. This can minimize the amount of data required for the VPN connection.
If you keep the fields empty, you must type your user name and password the first time you connect the VPN. The next time you connect, the user name field is automatically filled with the last user name entered.
- Click Next.
If the password you use is your password on an Active Directory or LDAP server and you choose to store it, the password becomes invalid when it changes on the authentication server.
- Click Finish.
Install the Windows Mobile Client Software on the Windows Mobile Device
After you import the end user profile to the Configurator, connect the Configurator to the Windows Mobile device. The computer and the Windows Mobile device must have an ActiveSync connection when you start the Configurator.
After the WatchGuard Mobile VPN software is installed on your Windows Mobile device, you must reboot the device.
- Connect your Windows Mobile device to your computer with Microsoft ActiveSync.
- To start the Configurator, select Start > All Programs > WatchGuard Mobile VPN > WatchGuard Mobile VPN WM.
- If the WatchGuard Mobile VPN WM software has not been installed on the Windows Mobile device, a Confirmation dialog box opens. Click Yes.
- An Information dialog box opens. Click OK.
- The WatchGuard Mobile VPN WM software is installed on the Windows Mobile device. Click OK.
- Reboot the Windows Mobile device.
Upload the End-User Profile to the Windows Mobile Device
After the Windows Mobile software is installed, you can upload the end-user profile to the Windows Mobile device.
- Connect your Windows Mobile device to your computer with Microsoft ActiveSync.
- Select Start > All Programs > WatchGuard Mobile VPN > WatchGuard Mobile VPN WM to start the Configurator.
- From the Profile drop-down list, select the profile you want to upload to the Windows Mobile device.
- Click Upload.
- When the upload is complete, the Configurator status area shows Upload completed successfully!
If the VPN uses a certificate to authenticate, you must upload the certificate to the Windows Mobile device. Before you upload the certificate, the Configurator must be set up to use the certificate.
For more information, see Select a Certificate and Enter the PIN.
To upload a certificate:
- In the Configurator, select Configuration > Upload PKS#12 File.
- Browse to the PKS#12 file and select it. Click Open.
Connect and Disconnect the Mobile VPN for Windows Mobile Client
The WatchGuard Mobile VPN for Windows Mobile client software uses the data connection of a Windows Mobile device to make a secure connection to networks protected by a Firebox or XTM device. The Windows Mobile device must be able to make a data connection to the Internet.
- On your Windows Mobile device, select Start > Programs > WatchGuard Mobile VPN Monitor.
If the WatchGuard Mobile VPN Service is not running, a dialog box opens. Click Yes to start the service.
- The WatchGuard Mobile VPN dialog box opens. Select the end user profile from the drop-down list at the top of the WatchGuard Mobile VPN dialog box.
- Click Connect and type your user name and password. Click OK.
After the first successful VPN connection, the client saves the user name and only asks for a password. To change the user name, click OK with the password area clear. A dialog box opens in which you can enter a different user name and password.
- A yellow line with the word Connecting appears between the phone and computer in the WatchGuard Mobile VPN dialog box. The line turns green when the VPN tunnel is ready.
To disconnect the Mobile VPN client:
- On your Windows Mobile device, select Start > Programs > WatchGuard Mobile VPN Monitor.
- Click Disconnect. The green line changes to yellow.
When there is no line between the phone and computer, the VPN is disconnected.
See Also
Secure Your Windows Mobile Device with the Mobile VPN Firewall
Stop the WatchGuard Mobile VPN Service
Uninstall the Configurator, Service, and Monitor