SSL/TLS Settings Precedence and Inheritance
Several Firebox features use SSL/TLS for secure communication and share the same OpenVPN server. The features that share the OpenVPN server, in order of precedence from highest to lowest, are:
- Management Tunnel over SSL on hub devices
- BOVPN over TLS in Server mode
- Mobile VPN with SSL
- Access Portal
Features with lower precedence inherit some SSL/TLS settings from enabled features with higher precedence. The shared settings are not configurable for the features with lower precedence.
When you enable more than one of these features, informational messages appear that explain some settings are inherited from another feature.
The VPN Portal settings include shared settings for Mobile VPN with SSL and the Access Portal. In Fireware v12.1, the Configuration Data Channel for Mobile VPN with SSL was renamed the VPN Portal port. The VPN Portal port appears in the VPN Portal settings and is also used by the Access Portal. For more information about VPN Portal settings, see Configure the VPN Portal Settings.
Shared Policy
When you enable Management Tunnel over SSL, BOVPN over TLS, Mobile VPN with SSL, or the Access Portal, the WatchGuard SSLVPN policy is created automatically. In Fireware v12.1 and higher, this policy includes the alias WG-VPN-Portal. By default, the alias WG-VPN-Portal includes only the Any-External interface.
The WatchGuard SSLVPN policy is shared by Management Tunnel over SSL, BOVPN over TLS, Mobile VPN with SSL, and the Access Portal.
Upgrade to Fireware v12.1
If the WatchGuard SSLVPN policy is part of your configuration in Fireware v12.0.2 or lower, and you upgrade to Fireware v12.1, the WatchGuard SSLVPN policy does not immediately change. However, if you save the settings for BOVPN over TLS or Mobile VPN with SSL, even if you make no changes, the WatchGuard SSLVPN policy changes:
- The alias WG-VPN-Portal appears in the From field of the WatchGuard SSLVPN policy.
- Interfaces in the WatchGuard SSLVPN policy are moved to the WG-VPN-Portal alias.
- Aliases that are not interfaces, such as IP addresses or users, are not moved to the WG-VPN-Portal alias, but remain in the From field.
To edit the interfaces in the WG-VPN-Portal alias, you must edit the Interfaces setting in the VPN Portal settings. For more information about VPN Portal settings, see Configure the VPN Portal Settings.
In Fireware v12.1 or higher, if you delete the WatchGuard SSLVPN policy and create a custom policy with a different name, Mobile VPN with SSL does not function if the Data Channel protocol is configured for TCP.
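The following is an added example, not WatchGuard's own code or tooling, that models the two things an administrator should check before the first post-upgrade save: how the From field of the policy is rewritten (interfaces move into WG-VPN-Portal, everything else stays), and the one combination the preceding paragraph says breaks Mobile VPN with SSL (a renamed policy with a TCP Data Channel). The interface names and the From-field entries are constructed sample data; the function names are assumptions for illustration.

```python
SHARED_POLICY = "WatchGuard SSLVPN"   # the auto-created shared policy name
PORTAL_ALIAS = "WG-VPN-Portal"        # alias added to its From field in v12.1+


def migrate_from_field(from_entries, interface_names):
    """Model the first save of BOVPN over TLS or Mobile VPN with SSL after the v12.1 upgrade.

    Entries that name an interface move into the WG-VPN-Portal alias; other entries
    (IP addresses, users, other aliases) stay in From unchanged.
    Returns (new_from_field, entries_moved_into_alias).
    """
    moved = [e for e in from_entries if e in interface_names]
    kept = [e for e in from_entries if e not in interface_names]
    return [PORTAL_ALIAS] + kept, moved


def preflight(policy_name, from_entries, interface_names, mobile_ssl_data_proto):
    """Return (findings, new_from_field) for an upgrade review.

    policy_name: name of the policy that currently carries the SSL VPN ports.
    mobile_ssl_data_proto: "TCP" or "UDP", the Mobile VPN with SSL Data Channel protocol.
    """
    findings = []
    if policy_name != SHARED_POLICY and mobile_ssl_data_proto == "TCP":
        # Custom-named policy plus a TCP Data Channel: Mobile VPN with SSL does not function.
        findings.append(
            f"Mobile VPN with SSL will not work: policy '{policy_name}' is not "
            f"'{SHARED_POLICY}' and the Data Channel is TCP"
        )
    new_from, moved = migrate_from_field(from_entries, interface_names)
    if moved:
        findings.append(
            f"On save, {', '.join(moved)} move into the {PORTAL_ALIAS} alias; "
            "edit them under Interfaces in the VPN Portal settings, not in the policy"
        )
    return findings, new_from


if __name__ == "__main__":
    # Constructed sample configuration (not from a real Firebox).
    interfaces = {"Any-External", "External-2", "Trusted"}
    from_field = ["Any-External", "External-2", "10.1.1.0/24", "SSLVPN-Users"]
    for finding in preflight("Custom-SSLVPN", from_field, interfaces, "TCP")[0]:
        print(finding)
```

Run with a real interface list and the policy's From entries; an empty findings list means the save changes nothing that needs attention.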
Example Configurations
The example configurations in this topic show how settings for these features are related and how the WatchGuard SSLVPN policy is affected. These examples also show the messages that appear when a feature takes precedence over another feature.
Example: Management Tunnel over SSL, BOVPN over TLS, Mobile VPN with SSL, and Access Portal
In this example, these features are enabled on your Firebox:
- Management Tunnel over SSL on a hub device
- BOVPN over TLS in Server mode
- Mobile VPN with SSL
- Access Portal
These settings are not configurable:
- BOVPN over TLS in Server mode — Firebox IP addresses, virtual IP address pool, data channel protocol and port, and renegotiate data channel
- Mobile VPN with SSL — Firebox IP addresses, networking method, virtual IP address pool, VPN resources, data channel, authentication, encryption, and timers
- Access Portal — VPN Portal port
These messages appear for BOVPN over TLS in Server mode, Mobile VPN with SSL, and the Access Portal:
Example: BOVPN over TLS, Mobile VPN with SSL, and Access Portal
In this example, these features are enabled on your Firebox:
- BOVPN over TLS in Server mode
- Mobile VPN with SSL
- Access Portal
These settings are not configurable:
- Mobile VPN with SSL — Firebox IP addresses, networking method, virtual IP address pool, VPN resources, data channel, authentication, encryption, and timers
- Access Portal — VPN Portal port
In the BOVPN over TLS settings, you can configure the Data Channel for TCP or UDP. The Data Channel setting for BOVPN over TLS affects the Data Channel setting for Mobile VPN with SSL.
TCP Data Channel
When TCP is selected in the BOVPN over TLS settings, you cannot specify a port other than 443. The Data Channel for Mobile VPN with SSL is TCP 443 and cannot be configured. The VPN Portal port is 443 and cannot be configured.
These messages appear for Mobile VPN with SSL and the Access Portal:
UDP Data Channel
When UDP is selected in the BOVPN over TLS Data Channel settings, you can specify a port other than 443. The Data Channel for Mobile VPN with SSL changes to UDP, and the port changes to the port you specified for the BOVPN over TLS Data Channel.
If you enable BOVPN over TLS in Server mode and Mobile VPN with SSL is already enabled, this message appears if UDP is selected for the BOVPN over TLS Data Channel:
Example: Mobile VPN with SSL and Access Portal
In this example, these features are enabled on your Firebox:
- Mobile VPN with SSL
- Access Portal
In the Mobile VPN with SSL settings, you can configure the Data Channel for TCP or UDP. The Data Channel setting affects the VPN Portal port.
TCP Data Channel
In the Mobile VPN with SSL settings, if the Data Channel setting is set to TCP, the VPN Portal port setting changes to the specified port and is not configurable. For example, if you specify TCP 444 for the Data Channel, the VPN Portal port becomes 444 and is not configurable.
This message appears on the VPN Portal page:
UDP Data Channel
In the Mobile VPN with SSL settings, if the Data Channel setting is configured for UDP, the VPN Portal port setting does not change and can be configured.
For example, if the Data Channel is configured for UDP 444, you can specify port 443 or another port for the VPN Portal. The WatchGuard SSLVPN policy includes the UDP and TCP ports:
Example: BOVPN over TLS and Access Portal
In this example, these features are enabled on your Firebox:
- BOVPN over TLS in Server mode
- Access Portal
TCP Data Channel
If the Data Channel setting for BOVPN over TLS is configured for TCP, you cannot specify a port other than 443. The VPN Portal port remains 443 and cannot be configured.
This message appears for the VPN Portal:
UDP Data Channel
If the Data Channel setting for BOVPN over TLS is configured for UDP, you can specify a port other than 443. The VPN Portal port remains 443 and cannot be configured.
For example, if the BOVPN over TLS Data Channel is configured for UDP 444, the WatchGuard SSLVPN policy includes UDP 444 and TCP 443:
Example: BOVPN over TLS and Mobile VPN with SSL
In this example, these features are enabled on your Firebox:
- BOVPN over TLS in Server mode
- Mobile VPN with SSL
These settings are not configurable:
- Mobile VPN with SSL — Firebox IP addresses, networking method, virtual IP address pool, VPN resources, data channel, authentication, encryption, and timers
- VPN Portal port
The VPN Portal port is the configuration channel for Mobile VPN with SSL.
TCP Data Channel
If the Data Channel setting for BOVPN over TLS is configured for TCP, you cannot specify a port other than 443. The VPN Portal port is 443 and cannot be configured.
These messages appear for Mobile VPN with SSL and the VPN Portal settings:
UDP Data Channel
If the Data Channel setting for BOVPN over TLS is configured for UDP, you can specify a port other than 443. The Data Channel for Mobile VPN with SSL changes to the port you specified for BOVPN over TLS and cannot be configured. The VPN Portal port remains 443 and cannot be configured.
For example, if the Data Channel for BOVPN over TLS is configured for UDP 444:
- The Data Channel for Mobile VPN with SSL changes to 444 and cannot be configured.
- The VPN Portal port remains 443 and cannot be configured.
Example: Management Tunnel over SSL and BOVPN over TLS
In this example, these features are enabled on your Firebox:
- Management Tunnel over SSL on a hub device
- BOVPN over TLS in Server mode
These settings for BOVPN over TLS are not configurable:
- Firebox IP addresses
- Virtual IP address pool
- Data channel protocol and port
- Renegotiate data channel
This message appears for BOVPN over TLS:
Example: Management Tunnel over SSL and Mobile VPN with SSL
In this example, these features are enabled on your Firebox:
- Management Tunnel over SSL on a hub device
- Mobile VPN with SSL
These settings for Mobile VPN with SSL are not configurable:
- Firebox IP addresses
- Networking method
- Virtual IP address pool
- VPN resources
- Data channel
- Configuration channel
This message appears for Mobile VPN with SSL:
Example: Management Tunnel over SSL and Access Portal
In this example, these features are enabled on your Firebox:
- Management Tunnel over SSL on a hub device
- Access Portal
The VPN Portal port setting cannot be configured.
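The rules spread across the example configurations above can be collapsed into one resolver. The following is an added example, not WatchGuard code, that takes which features are enabled and what the administrator configured, and returns the effective Data Channel for each feature, the effective VPN Portal port, which of those are locked (inherited), and the protocol/port pairs the WatchGuard SSLVPN policy must carry. It encodes exactly the cases the examples state: BOVPN over TLS in Server mode on TCP is pinned to 443 and pins the VPN Portal port to 443; on UDP it pushes its port onto the Mobile VPN with SSL Data Channel while the VPN Portal port stays 443; a TCP Mobile VPN with SSL Data Channel pulls the VPN Portal port onto its own port, a UDP one leaves it configurable. For a hub with Management Tunnel over SSL the page only states which settings become non-configurable, not their values, so the resolver marks them locked without a value. The function and field names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_PORTAL_PORT = 443   # default VPN Portal port (also used by the Access Portal)


@dataclass(frozen=True)
class Channel:
    proto: str   # "TCP" or "UDP"
    port: int


@dataclass
class Resolved:
    """Effective values, plus whether each setting is locked (inherited) in the UI."""
    bovpn_data: Optional[Channel] = None
    bovpn_locked: bool = False
    mobile_data: Optional[Channel] = None
    mobile_locked: bool = False
    portal_port: Optional[int] = None
    portal_locked: bool = False
    policy_ports: set = field(default_factory=set)   # (proto, port) pairs in WatchGuard SSLVPN
    messages: list = field(default_factory=list)     # the "inherited from" notices


def bovpn_tcp_port_allowed(port):
    """BOVPN over TLS with a TCP Data Channel cannot use a port other than 443."""
    return port == 443


def resolve(mgmt_tunnel_hub=False, bovpn=None, mobile=None,
            access_portal=False, portal_port=DEFAULT_PORTAL_PORT):
    """Apply the precedence rules.

    bovpn / mobile: the Channel the administrator configured, or None if the feature is off.
    portal_port: the VPN Portal port the administrator configured; used only when nothing locks it.
    """
    r = Resolved()
    needs_portal = mobile is not None or access_portal   # both use the VPN Portal port

    if mgmt_tunnel_hub:
        # Highest precedence: everything below becomes non-configurable. The page does not
        # state the resulting values, so only the locked flags are set here (assumption).
        r.bovpn_locked = bovpn is not None
        r.mobile_locked = mobile is not None
        r.portal_locked = needs_portal
        r.messages.append("Settings are inherited from Management Tunnel over SSL")
        return r

    if bovpn is not None:
        if bovpn.proto == "TCP" and not bovpn_tcp_port_allowed(bovpn.port):
            raise ValueError("BOVPN over TLS TCP Data Channel must use port 443")
        r.bovpn_data = bovpn
        r.policy_ports.add((bovpn.proto, bovpn.port))
        if mobile is not None:
            # Mobile VPN with SSL Data Channel follows BOVPN over TLS (TCP 443 or UDP <port>).
            r.mobile_data, r.mobile_locked = bovpn, True
            r.messages.append("Mobile VPN with SSL: Data Channel inherited from BOVPN over TLS")
        if needs_portal:
            # VPN Portal port stays 443 and is locked whether BOVPN uses TCP or UDP.
            r.portal_port, r.portal_locked = 443, True
            r.policy_ports.add(("TCP", 443))
            r.messages.append("VPN Portal port inherited from BOVPN over TLS")
        return r

    if mobile is not None:
        r.mobile_data = mobile
        r.policy_ports.add((mobile.proto, mobile.port))
        if mobile.proto == "TCP":
            # A TCP Data Channel pulls the VPN Portal (configuration channel) onto its port.
            r.portal_port, r.portal_locked = mobile.port, True
            r.messages.append("VPN Portal port inherited from Mobile VPN with SSL")
        else:
            # UDP Data Channel: the VPN Portal port remains configurable (TCP).
            r.portal_port = portal_port
            r.policy_ports.add(("TCP", portal_port))
        return r

    if access_portal:
        r.portal_port = portal_port
        r.policy_ports.add(("TCP", portal_port))
    return r


if __name__ == "__main__":
    # Constructed scenario: BOVPN over TLS on UDP 444 with Mobile VPN with SSL and Access Portal.
    print(resolve(bovpn=Channel("UDP", 444), mobile=Channel("TCP", 443), access_portal=True))
```

The `policy_ports` set is the part worth checking against the firewall: when BOVPN over TLS runs on UDP 444, the policy must carry both UDP 444 and TCP 443, and an external scan of the Firebox should show exactly those two listeners for the shared OpenVPN server.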
See Also
Configure BOVPN over TLS in Server Mode