WatchGuard uses two built-in Firebox groups, pptp_users and ipsec_users, to identify currently active Remote User VPN users.
When a user successfully connects to the Firebox using Remote User VPN, the Firebox automatically adds the IP address assigned to that user to the built-in alias for the VPN method in use (pptp_users for PPTP, ipsec_users for IPSec). When the user ends the VPN session, the Firebox automatically removes that address from the alias, so any rule that names the alias stops matching the user as soon as the session is down.
When a Remote User VPN connection is made to the Firebox, WatchGuard checks the client's username and password against the Firebox domain. For this reason, Remote User VPN users must have an account in the Firebox domain and must be a member of the appropriate VPN group for access, regardless of any other authentication scheme in use.
When users authenticate using their account in the Firebox domain, WatchGuard automatically adds their IP address to all Firebox domain groups of which they are a member, including pptp_users or ipsec_users.
By default, Remote User VPN users (like all other users) have no access privileges through the Firebox. To allow Remote User VPN users to reach machines on the Trusted network, you must add their usernames (or the pptp_users or ipsec_users group alias) to the appropriate service icons in the Services Arena.
A typical use of the built-in groups is to allow incoming connections to selected Trusted servers only from members of pptp_users or ipsec_users. This provides outside access to critical machines inside your network without opening those services to the Internet at large: only addresses that currently belong to an authenticated VPN session match the rule, and everything else is denied by default.
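The behaviour described above (alias membership that follows live VPN sessions, default deny, and service rules keyed on the built-in groups), worked through on the Telnet scenario this page goes on to configure, as an added Python model. This is illustration code written for this page, not WatchGuard's implementation or a Policy Manager configuration; the Trusted network, the addresses, and the service and selector names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address

# Hypothetical Trusted network for the model; not taken from any real configuration.
TRUSTED = IPv4Network("10.0.1.0/24")


@dataclass
class Firebox:
    """Minimal model of the Firebox alias and service-rule behaviour described on the page."""
    trusted: IPv4Network
    # The two built-in aliases start empty; membership tracks live VPN sessions.
    aliases: dict = field(
        default_factory=lambda: {"pptp_users": set(), "ipsec_users": set()}
    )
    # Each rule is (service, from_selectors, to_selectors). No matching rule means deny.
    rules: list = field(default_factory=list)

    def vpn_connect(self, method: str, assigned_ip: str) -> None:
        """Session up: add the assigned address to the alias for that VPN method."""
        alias = {"pptp": "pptp_users", "ipsec": "ipsec_users"}[method]
        self.aliases[alias].add(ip_address(assigned_ip))

    def vpn_disconnect(self, assigned_ip: str) -> None:
        """Session down: remove the address, so alias-based rules stop matching it."""
        ip = ip_address(assigned_ip)
        for members in self.aliases.values():
            members.discard(ip)

    def add_rule(self, service: str, from_sel: list, to_sel: list) -> None:
        self.rules.append((service, tuple(from_sel), tuple(to_sel)))

    def _matches(self, selectors: tuple, ip: IPv4Address) -> bool:
        """A selector is 'Any', 'Trusted', or the name of a built-in alias."""
        for sel in selectors:
            if sel == "Any":
                return True
            if sel == "Trusted" and ip in self.trusted:
                return True
            if sel in self.aliases and ip in self.aliases[sel]:
                return True
        return False

    def allowed(self, service: str, src: str, dst: str) -> bool:
        """Default deny: pass only if some rule for the service matches both endpoints."""
        s, d = ip_address(src), ip_address(dst)
        return any(
            svc == service and self._matches(f, s) and self._matches(t, d)
            for svc, f, t in self.rules
        )


def telnet_policy() -> Firebox:
    """The Telnet policy the page describes: outgoing from Trusted to anywhere,
    incoming to Trusted only from current Remote User VPN users."""
    fb = Firebox(TRUSTED)
    fb.add_rule("telnet", ["Trusted"], ["Any"])
    fb.add_rule("telnet", ["pptp_users", "ipsec_users"], ["Trusted"])
    return fb


def demo() -> dict:
    """Walk one VPN session through the policy; all addresses are constructed for the example."""
    fb = telnet_policy()
    server, vpn_ip, outsider = "10.0.1.20", "192.168.200.5", "203.0.113.9"
    results = {}
    results["outgoing"] = fb.allowed("telnet", "10.0.1.7", "198.51.100.4")
    results["before_vpn"] = fb.allowed("telnet", vpn_ip, server)   # not yet a member
    fb.vpn_connect("pptp", vpn_ip)
    results["during_vpn"] = fb.allowed("telnet", vpn_ip, server)   # now in pptp_users
    results["outsider"] = fb.allowed("telnet", outsider, server)   # never a member
    results["other_service"] = fb.allowed("ftp", vpn_ip, server)   # no FTP rule at all
    fb.vpn_disconnect(vpn_ip)
    results["after_vpn"] = fb.allowed("telnet", vpn_ip, server)    # membership withdrawn
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {'allow' if verdict else 'deny'}")
```

The point the model makes is that the alias, not the address, is what the rule trusts: the same source address is denied before the session, allowed during it, and denied again the moment the session ends, and a rule written for one service grants nothing for any other.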
To allow outgoing Telnet, but allow incoming Telnet only when the request comes from a Remote User VPN user, follow this procedure:
From Policy Manager: