Configure the Firebox or XTM Device for Mobile VPN with SSL

From Policy Manager, when you enable Mobile VPN with SSL, an "SSLVPN-Users" user group and a "WatchGuard SSLVPN" policy are created to allow SSL VPN connections from the Internet to your external interface.

Configure Authentication and Connection Settings

  1. Select VPN > Mobile VPN > SSL.
    The Mobile VPN with SSL Configuration dialog box appears.

Screenshot of the Mobile VPN with SSL Configuration dialog box

  2. Select the Activate Mobile VPN with SSL check box.
  3. Select an Authentication Server from the drop-down list. You can authenticate users with the internal Firebox or XTM device database (Firebox-DB) or with a RADIUS, VACMAN Middleware, SecurID, LDAP, or Active Directory server.
    Make sure that the method of authentication is enabled (select Setup > Authentication > Authentication Servers). For more information, see Configure user authentication for Mobile VPN with SSL.
  4. If you select RADIUS or SecurID as your authentication server, you can select the Force users to authenticate after a connection is lost check box to require users to authenticate after a Mobile VPN with SSL connection is disconnected. We recommend you select this check box if you use two-factor authentication that uses a one-time password, such as SecurID or Vasco.
    If you do not force users to authenticate after a connection is lost, the automatic connection attempt can fail. The Mobile VPN with SSL client automatically tries to reconnect after a connection is lost with the one-time password the user originally entered, which is no longer correct.
  5. From the Primary drop-down list, select or type a public IP address or domain name. Mobile VPN with SSL clients connect to this IP address or domain name by default.
  6. If your Firebox or XTM device has more than one WAN connection, select a different public IP address from the Backup drop-down list. A Mobile VPN with SSL client connects to the backup IP address when it is unable to establish a connection with the primary IP address.

Configure the Networking and IP Address Pool Settings

In the Networking and IP address pool section, you configure the network resources Mobile VPN with SSL clients can use.

  1. From the drop-down list in the Networking and IP Address Pool section, select the method the Firebox or XTM device uses to send traffic through the VPN tunnel.
  2. Select or clear the Force all client traffic through the tunnel check box.
  3. Configure the IP addresses the Firebox or XTM device assigns to Mobile VPN with SSL client connections.

    Routed VPN traffic

    For the Virtual IP Address Pool, keep the default setting of 192.168.113.0/24, or enter a different range. Type the IP address of the subnet in slash notation. IP addresses from this subnet are automatically assigned to Mobile VPN with SSL client connections. You cannot assign an IP address to a user.

    The virtual IP addresses in this address pool cannot be part of a network protected by the Firebox or XTM device, any network accessed through a route or BOVPN, assigned by DHCP to a device behind the Firebox or XTM device, or used for Mobile VPN with IPSec or Mobile VPN with PPTP address pools.

    Bridge VPN traffic

    From the Bridge to interface drop-down list, select the name of the interface to bridge to. In the Start and End fields, type the first and last IP addresses in the range that is assigned to the Mobile VPN with SSL client connections. The Start and End IP addresses must be on the same subnet as the bridged interface.

    The Bridge to interface option does not bridge SSL VPN traffic to any secondary networks on the selected interface.

  4. Click OK.

After you save the changes to your Firebox or XTM device, you must configure user authentication for Mobile VPN with SSL before users can download and install the software. Any changes you make are distributed to clients automatically the next time they connect using Mobile VPN with SSL.

For more information on using slash notation, see About Slash Notation.
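The two address rules above (a routed pool must not overlap any network the device already knows about, and a bridged Start/End range must sit inside the bridged interface's subnet) are easy to get wrong by hand. The following is an added Python check, not WatchGuard code; the network inventory and interface addresses in it are constructed sample values.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample inventory of everything the virtual IP pool must not
# overlap: protected networks, a network reached through a BOVPN, a DHCP
# scope behind the device, and the Mobile VPN with IPSec and PPTP pools.
SAMPLE_IN_USE = [
    "10.0.1.0/24",       # trusted network
    "10.0.2.0/24",       # optional network
    "172.16.0.0/16",     # reached through a BOVPN
    "10.0.1.128/25",     # DHCP scope behind the device, expressed as a network
    "192.168.114.0/24",  # Mobile VPN with IPSec pool
    "192.168.115.0/24",  # Mobile VPN with PPTP pool
]


def routed_pool_conflicts(pool: str, in_use: Iterable[str]) -> List[str]:
    """Return every network in `in_use` that overlaps the proposed routed pool.

    `pool` is given in slash notation, as in the Networking and IP Address
    Pool section; an empty result means the pool does not collide.
    """
    candidate = ipaddress.ip_network(pool, strict=True)
    return [n for n in in_use if ipaddress.ip_network(n).overlaps(candidate)]


def bridge_range_ok(iface_cidr: str, start: str, end: str) -> bool:
    """Check a Bridge VPN traffic Start..End range against the bridged interface.

    Both ends must lie in the interface's subnet and Start must not be after End.
    """
    iface = ipaddress.ip_interface(iface_cidr)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return lo in iface.network and hi in iface.network and lo <= hi


if __name__ == "__main__":
    # Default pool from the page: no conflicts with the sample inventory.
    print(routed_pool_conflicts("192.168.113.0/24", SAMPLE_IN_USE))      # []
    # A pool inside the BOVPN network is rejected.
    print(routed_pool_conflicts("172.16.5.0/24", SAMPLE_IN_USE))         # ['172.16.0.0/16']
    print(bridge_range_ok("10.0.1.1/24", "10.0.1.200", "10.0.1.220"))    # True
    print(bridge_range_ok("10.0.1.1/24", "10.0.1.200", "10.0.2.5"))      # False
```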

Configure Advanced Settings for Mobile VPN with SSL

  1. Select VPN > Mobile VPN > SSL.
    The Mobile VPN with SSL Configuration dialog box appears.

Screen shot of the Mobile VPN with SSL Configuration, Advanced tab

  2. Click the Advanced tab.
    The options you can configure on this tab include:

Authentication

Authentication method used to establish the connection. The options are MD5, SHA, SHA-1, SHA-256, and SHA-512.

Encryption

Algorithm that is used to encrypt the traffic. The options are Blowfish, DES, 3DES, AES (128 bit), AES (192 bit), or AES (256 bit). The algorithms are shown in order from weakest to strongest, with the exception of Blowfish, which uses a 128-bit key for strong encryption.

For best performance with a high level of encryption, we recommend that you choose MD5 authentication with Blowfish encryption.

Data channel

The protocol and port Mobile VPN with SSL uses to send data after a VPN connection is established. You can use the TCP or UDP protocol. Then, select a port. The default protocol and port for Mobile VPN with SSL is TCP port 443. This is also the standard protocol and port for HTTPS traffic. Mobile VPN with SSL can share port 443 with HTTPS.

If you change the data channel to use a port other than 443, users must manually type this port in the Mobile VPN with SSL connection dialog box. For example, if you change the data channel to 444, and the Firebox IP address is 50.50.50.50, the user must type 50.50.50.50:444 instead of 50.50.50.50.

If the port is set to the default 443, the user must type only the Firebox or XTM device’s IP address. It is not necessary to type :443 after the IP address.

For more information, see Choose the Port and Protocol for Mobile VPN with SSL.

Configuration channel

The protocol and port Mobile VPN with SSL uses to negotiate the data channel and to download configuration files. If you set the data channel protocol to TCP, the configuration channel automatically uses the same port and protocol. If you set the data channel protocol to UDP, you can set the configuration channel protocol to TCP or UDP, and you can use a different port than the data channel.

Keep-alive

Defines how often the Firebox or XTM device sends traffic through the tunnel to keep the tunnel active when no other traffic is being sent through the tunnel.

Timeout

Defines how long the Firebox or XTM device waits for a response. If there is no response before the timeout value, the tunnel is closed and the client must reconnect.

Renegotiate Data Channel

If a Mobile VPN with SSL connection has been active for the amount of time specified in the Renegotiate Data Channel text box, the Mobile VPN with SSL client must create a new tunnel. The minimum value is 60 minutes.

DNS and WINS Servers

You can use DNS or WINS to resolve the IP addresses of resources that are protected by the Firebox or XTM device. If you want the Mobile VPN with SSL clients to use a DNS or WINS server behind the Firebox or XTM device instead of the servers assigned by the remote network they are connected to, type the domain name and IP addresses of the DNS and WINS servers on your network. For more information on DNS and WINS, see Name Resolution for Mobile VPN with SSL.

Restore Defaults

Click to reset the Advanced tab settings to their default values. All DNS and WINS server information on the Advanced tab is deleted.

Configure User Authentication for Mobile VPN with SSL

To allow users to authenticate to the Firebox or XTM device and connect with Mobile VPN with SSL, you must configure user authentication on the Firebox or XTM device. You can configure your Firebox or XTM device as an authentication server or use a third-party authentication server. When you enable Mobile VPN with SSL, an SSLVPN-Users group is created automatically.

Users must be a member of the SSLVPN-Users group to make a Mobile VPN with SSL connection. Users cannot connect if they are a member of a group that is part of the SSLVPN-Users group. The user must be a direct member of the SSLVPN-Users group.

For more information, see Configure Your Firebox or XTM Device as an Authentication Server and About Using Third-Party Authentication Servers.

Configure Policies to Control Mobile VPN with SSL Client Access

When you enable Mobile VPN with SSL, an Allow SSLVPN-Users policy is added. It has no restrictions on the traffic that it allows from SSL clients to network resources protected by the Firebox or XTM device. To restrict Mobile VPN with SSL client access, disable the Allow SSLVPN-Users policy. Then, add new policies to your configuration or add the group with Mobile VPN with SSL access to the From section of existing policies.

If you assign addresses from a trusted network to Mobile VPN with SSL users, the traffic from the Mobile VPN with SSL user is not considered trusted. All Mobile VPN with SSL traffic is untrusted by default. Regardless of assigned IP address, policies must be created to allow Mobile VPN with SSL users access to network resources.

Allow Mobile VPN with SSL Users to Access a Trusted Network

In this example, you use Policy Manager to add an Any policy which gives all members of the SSLVPN-Users group full access to resources on all trusted networks.

  1. Click the Add Policy icon.
    Or, select Edit > Add Policies.
    The Add Policies dialog box appears.
  2. Expand the Packet Filters folder.
    A list of templates for packet filters appears.
  3. Select Any and click Add.
    The New Policy Properties dialog box opens.
  4. Type a name for the policy in the Name text box. Choose a name that will help you identify this policy in your configuration.
  5. On the Policy tab, in the From section, select Any-Trusted and click Remove.
  6. In the From section, click Add.
    The Add Address dialog box appears.
  7. Click Add User. From the two Type drop-down lists, select SSL VPN for the first and Group for the second.
  8. Select SSLVPN-Users and click Select.
    The name of the authentication method appears in parentheses after SSLVPN-Users.
  9. Click OK to close the Add Address dialog box.
  10. In the To section, select Any-External and click Remove.
  11. In the To section, click Add.
    The Add Address dialog box appears.
  12. In the Available Members list, select Any-Trusted and click Add.
  13. Click OK twice. Click Close.
  14. Save the changes to the Firebox or XTM device.

For more information on policies, see Add Policies to Your Configuration.

Use Other Groups or Users in a Mobile VPN with SSL Policy

Users must be a member of the SSLVPN-Users group to make a Mobile VPN with SSL connection. You can use policies with other groups to restrict access to resources after the user connects. You can use Policy Manager to select a user or group other than SSLVPN-Users.

  1. Double-click the policy to which you want to add the user or group.
  2. On the Policy tab, in the From section, click Add.
    The Add Address dialog box opens.
  3. Click Add User.
    The Add Authorized Users or Groups dialog box opens.
  4. For the two Type drop-down lists, select Firewall for the first and either User or Group for the second.
  5. Select the user or group you want to add, then click Select.
  6. Click OK twice.

For more information on how to use users and groups in policies, see Use Authorized Users and Groups in Policies.

See Also

Uninstall the Mobile VPN with SSL Client