Deploy AP Devices over a BOVPN with Gateway Wireless Controller
Configuration files created with — Policy Manager v11.12
A company wants to deploy the same wireless networks for internal employees and guests at the headquarters location and remote branch office locations using WatchGuard Access Points (AP).
You can use a Gateway Wireless Controller on a WatchGuard Firebox at each branch office and use the same configuration as the Firebox at your headquarters. This is useful for small deployments with few branch offices, but in this example, the company wants to use one Gateway Wireless Controller on the Firebox from the headquarters location to discover and manage all AP devices at headquarters and remote branch office locations through branch office VPNs (BOVPN).
This solution is intended for use with AP devices managed locally on a Gateway Wireless Controller on a Firebox. WatchGuard also provides a Wi-Fi Cloud management solution that allows you to manage your enterprise wireless networks in all company locations with cloud-based management. For more information, see WatchGuard Wi-Fi Cloud.
This configuration example is provided as a basic guide. Your actual network environment may require additional configuration.
You can use a Gateway Wireless Controller on a Firebox at the headquarters location to manage AP devices installed locally and also at remote branch office locations over a branch office VPN.
How It Works
All AP devices must be paired to the Gateway Wireless Controller from your headquarters location and then assigned appropriate static IP addresses for installation at the remote branch offices. When the remote AP devices are installed at the branch offices, the Gateway Wireless Controller at the headquarters location will be able to communicate with and manage the AP devices through the branch office VPN.
Example Configuration Files
For your reference, we have included example configuration files with this document. To examine the details of the example configuration files, you can open them with Policy Manager.
- Firebox M200 with Single SSID over a BOVPN — M200_ADV_WIFI_BOVPN_SINGLE SSID.xml.
- Firebox T50-W with Single SSID over a BOVPN — T50W_BO_ADV_BOVPN_SINGLE SSID.xml.
- Firebox M200 with Two SSIDs over a BOVPN — M200_WIFI_BOVPN_TWO SSID.xml.
- Firebox T50-W with Two SSIDs over a BOVPN — T50W_WIFI_BOVPN_TWO SSID.xml.
This configuration example has these requirements:
- Perform a wireless survey to optimize channel use and provide sufficient wireless coverage at the remote branch office.
- Make sure that the Firebox that hosts the Gateway Wireless Controller is properly sized to manage the number of AP devices at the headquarters location and all branch offices.
- This configuration example is for a WatchGuard Firebox running Fireware v11.12 or higher. Remote branch offices may use third-party firewalls as BOVPN endpoints. The firewalls must allow TCP port 443 and UDP port 2829 over the VPN for AP device management.
- WatchGuard Fireboxes must have a valid Live Security subscription.
Configuration for a Single SSID and Two SSIDs
In this example, the company has a head office with a Firebox M200 and a remote branch office with a Firebox T50W linked together with a branch office VPN.
The first example uses a single SSID for guest users broadcast from the headquarters location and the remote branch office location. The second example uses two SSIDs, one for internal users, and one for guest users, broadcast from the headquarters location and remote branch office location.
The Gateway Wireless Controller on the Firebox M200 manages a single AP device on the wireless network at the headquarters location. All AP devices to be installed at the remote branch office are paired to the Gateway Wireless Controller and then assigned a static IP address so that they can be discovered when installed at the remote location.
If you change the IP address of an AP after pairing and the Trust Store is enabled, the Gateway Wireless Controller might consider the AP untrusted. We recommend that you temporarily disable the Trust Store feature while you deploy the remote APs with static IP addresses.
The Wi-Fi LAN zones across the offices use the scheme 10.x.y.0, where x identifies the site and y identifies the wireless zone.
Single SSID example:
- Headquarters trusted LAN: 10.220.1.0/24
- Headquarters Wi-Fi zone: 10.220.6.0/24
- Branch Office trusted LAN: 10.50.1.0/24
- Branch Office Wi-Fi zone: 10.50.6.0/24
Two SSIDs example:
- Headquarters trusted LAN: 10.220.1.0
- Headquarters Guest Wi-Fi network: 10.220.50.0
- Headquarters Internal Wi-Fi network: 10.220.55.0
- Branch Office trusted LAN: 10.50.1.0
- Branch Office Guest Wi-Fi network: 10.50.50.0
- Branch Office Internal Wi-Fi network: 10.50.55.0
All AP devices to be installed at the remote branch office are first paired to the Gateway Wireless Controller at your headquarters location. WatchGuard APs must be connected to a Trusted or Optional network on the Firebox that has DHCP enabled. For instructions on how to pair an AP to the Gateway Wireless Controller, see WatchGuard AP Discovery and Pairing.
After you discover and pair a WatchGuard AP with a Gateway Wireless Controller, you can then assign a static IP address instead of the default DHCP address to enable easier management of AP devices through the VPN. The static IP address must be configured in the same network defined at the remote branch office location.
In this example, we edit the paired AP device settings and change the name of the AP to reflect the new location, and change the network settings for the AP to use a static IP address for the remote wireless network.
When you save the configuration, you will lose connectivity to the AP device because the IP address assigned is for the remote branch office network.
You can now deliver the APs to their respective branch office locations for installation in their new network. When the APs are connected at the remote branch office network, you will be able to manage them from the Gateway Wireless Controller at the headquarters location.
If you use the Gateway Wireless Controller Trust Store feature, you can re-enable the Trust Store after the APs are successfully deployed to the remote locations.
If the AP has connectivity, it will appear as Online in the Gateway Wireless Controller on the Firebox at the headquarters location.
You can repeat these procedures for multiple APs that will be delivered to remote branch offices. You must deploy and pair the AP devices at the headquarters location, then assign static IP addresses for their intended destination networks.
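The procedure above hinges on three things being consistent before the APs ship: each AP's static IP must sit inside the Wi-Fi network of the branch where it will be installed, the BOVPN tunnel routes must cover the networks on both ends, and the VPN firewalls must permit TCP 443 and UDP 2829 as listed in the requirements. The following Python script is an added example (not WatchGuard code and not part of this guide) that checks a deployment plan against those rules using the 10.x.y.0/24 addressing scheme and the port numbers from this document. The AP records, tunnel routes, policy rules and the assumption that the controller sits on the headquarters trusted LAN are constructed sample data; the rule and plan formats are hypothetical rather than Policy Manager's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Addressing plan from the guide: 10.<site>.<zone>.0/24
SITES = {"hq": 220, "branch": 50}                                # x in 10.x.y.0
ZONES = {"trusted": 1, "wifi": 6, "guest": 50, "internal": 55}  # y in 10.x.y.0

# Ports the guide says the VPN firewalls must permit for AP management.
REQUIRED_PORTS = (("tcp", 443), ("udp", 2829))


def zone_network(site: str, zone: str) -> ipaddress.IPv4Network:
    """Return the /24 for a site/zone pair under the 10.<site>.<zone>.0 plan."""
    return ipaddress.ip_network(f"10.{SITES[site]}.{ZONES[zone]}.0/24")


@dataclass(frozen=True)
class APPlan:
    """One paired AP, renamed and re-addressed for its destination branch (hypothetical record)."""
    name: str
    site: str
    zone: str
    static_ip: str
    gateway: str


@dataclass(frozen=True)
class Rule:
    """A simplified allow rule in the BOVPN firewall policy (hypothetical format)."""
    proto: str
    port: int
    src: str   # CIDR
    dst: str   # CIDR


def check_ap(ap: APPlan) -> List[str]:
    """The static IP and gateway must both fit the destination Wi-Fi network."""
    problems = []
    net = zone_network(ap.site, ap.zone)
    ip = ipaddress.ip_address(ap.static_ip)
    gw = ipaddress.ip_address(ap.gateway)
    if ip not in net:
        problems.append(f"{ap.name}: {ip} is outside the {ap.site} {ap.zone} network {net}")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ap.name}: {ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"{ap.name}: gateway {gw} is outside {net}")
    elif gw == ip:
        problems.append(f"{ap.name}: gateway equals the AP address {ip}")
    return problems


def check_duplicates(plan: Iterable[APPlan]) -> List[str]:
    """Two APs shipped with the same static IP would conflict on arrival."""
    seen, problems = {}, []
    for ap in plan:
        if ap.static_ip in seen:
            problems.append(f"{ap.name}: {ap.static_ip} already assigned to {seen[ap.static_ip]}")
        else:
            seen[ap.static_ip] = ap.name
    return problems


def check_tunnel_routes(routes: Iterable[str], networks: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Every network the controller and the remote APs use must lie inside a BOVPN tunnel route."""
    route_nets = [ipaddress.ip_network(r) for r in routes]
    return [f"no BOVPN tunnel route covers {n}"
            for n in networks if not any(n.subnet_of(r) for r in route_nets)]


def check_policy(rules: Iterable[Rule], a: ipaddress.IPv4Network, b: ipaddress.IPv4Network) -> List[str]:
    """Each required proto/port must be allowed between networks a and b.
    The guide does not state the flow direction, so a rule in either direction is
    accepted here (assumption); tighten this once the real direction is known."""
    rules = list(rules)

    def covers(r: Rule, src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network) -> bool:
        return src.subnet_of(ipaddress.ip_network(r.src)) and dst.subnet_of(ipaddress.ip_network(r.dst))

    return [f"{proto.upper()} {port} not allowed between {a} and {b}"
            for proto, port in REQUIRED_PORTS
            if not any(r.proto == proto and r.port == port and (covers(r, a, b) or covers(r, b, a))
                       for r in rules)]


def validate(plan: List[APPlan], routes: List[str], rules: List[Rule],
             controller_net: ipaddress.IPv4Network) -> List[str]:
    """Run every check; an empty list means the plan is internally consistent."""
    problems = check_duplicates(plan)
    for ap in plan:
        problems += check_ap(ap)
    remote_nets = sorted({zone_network(ap.site, ap.zone) for ap in plan})
    problems += check_tunnel_routes(routes, remote_nets + [controller_net])
    for net in remote_nets:
        problems += check_policy(rules, controller_net, net)
    return problems


# Constructed sample: two APs for the branch in the single-SSID layout, one still
# carrying a headquarters address, and a policy that omits UDP 2829.
SAMPLE_PLAN = [
    APPlan("BranchOffice-AP1", "branch", "wifi", "10.50.6.10", "10.50.6.1"),
    APPlan("BranchOffice-AP2", "branch", "wifi", "10.220.6.11", "10.50.6.1"),
]
SAMPLE_ROUTES = ["10.220.0.0/16", "10.50.0.0/16"]
SAMPLE_RULES = [Rule("tcp", 443, "10.50.6.0/24", "10.220.1.0/24")]
CONTROLLER_NET = ipaddress.ip_network("10.220.1.0/24")  # assumed: HQ trusted LAN

if __name__ == "__main__":
    for problem in validate(SAMPLE_PLAN, SAMPLE_ROUTES, SAMPLE_RULES, CONTROLLER_NET):
        print("PROBLEM:", problem)
```

Running the script on the sample plan reports the mis-addressed second AP and the missing UDP 2829 rule; the same checks apply unchanged to the two-SSID layout by using the `guest` and `internal` zones, and extending the plan to more branches only requires adding their site number to `SITES`.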