Use Mobile VPN with IPSec with Active Directory Groups

Many organizations want to allow different levels of access to internal network resources for different groups of remote users. To restrict network access for specific users or groups, you must first set up user authentication. You can then set up different Mobile VPN with IPSec profiles for each group of users. This example shows the steps to configure Mobile VPN with IPSec profiles for different groups that are defined on an Active Directory server.

At a high level, the steps are:

  • Enable and configure Active Directory authentication.
  • Create Mobile VPN with IPSec Group Profiles that match the user group names on your Active Directory server.

Example Scenario

To show how to set up this configuration, we use a school that wants to set different levels of web access for three groups:

  • Students (more restricted access)
  • Teachers (less restricted access)
  • IT team members (unrestricted access)

Configure User Authentication

Before you configure Mobile VPN with IPSec profiles, you must set up user authentication. You can use any supported authentication method, such as Active Directory, local Firebox authentication, RADIUS, or LDAP. For more information about the supported authentication methods, see Authentication Server Types. In this example, the school uses Active Directory authentication.

Enable Active Directory Authentication

You can use an Active Directory authentication server so that users can authenticate to your Firebox with their current network credentials. Before you configure your device to use Active Directory authentication, make sure your users can successfully authenticate to the Active Directory server.

When you enable Active Directory authentication, you must specify the search base. The search base limits the part of the directory tree that the Firebox searches for an authentication match. We recommend that you set the search base to the root of the domain, so that the Firebox can find all users and all groups to which those users belong; a user whose account or group object sits outside the search base is not found, and cannot be matched to a group profile. The standard format for a search base that starts at an organizational unit is: ou=<name of the organizational unit>,dc=<first label of the domain name>,dc=<each later label of the domain name>. A search base at the root of the domain omits the ou= component and consists only of the dc= components (for example, dc=example,dc=local for the domain example.local).

For more information about how to find your search base on the Active Directory server, see Find Your Active Directory Search Base.
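The following Python snippet is an added example and not WatchGuard's code. It derives a root-of-domain search base from a DNS domain name and then simulates the lookup the Firebox performs, so that the effect of a too-narrow search base is visible: the directory entries, user names, and group locations are constructed for this illustration, and the DN handling ignores escaped commas.

```python
"""Added example (not from the original page): search-base construction and a
simulated directory lookup showing why the search base should be the domain root.
All entries below are constructed; the code ignores RDN escaping."""
from dataclasses import dataclass, field
from typing import List, Optional


def search_base_from_domain(domain: str) -> str:
    """Turn 'school.local' into 'dc=school,dc=local' (root of the domain)."""
    labels = [lbl for lbl in domain.strip().strip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={lbl}" for lbl in labels)


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into lowercased RDNs: 'CN=A,OU=B,DC=c' -> ['cn=a','ou=b','dc=c']."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_under(dn: str, base: str) -> bool:
    """True when `dn` lies inside the subtree rooted at `base` (RDN suffix match)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


@dataclass
class Entry:
    dn: str
    sam: str = ""                                   # sAMAccountName
    member_of: List[str] = field(default_factory=list)


# Constructed directory: users live in their own OUs, groups live under ou=Groups.
DIRECTORY = [
    Entry("CN=Alice,OU=Students,DC=school,DC=local", "alice",
          ["CN=Students,OU=Groups,DC=school,DC=local"]),
    Entry("CN=Bob,OU=Staff,DC=school,DC=local", "bob",
          ["CN=Teachers,OU=Groups,DC=school,DC=local",
           "CN=IT,OU=Groups,DC=school,DC=local"]),
]


def group_name(group_dn: str) -> str:
    """Return the CN value of a group DN, preserving its case."""
    return group_dn.split(",")[0].split("=", 1)[1]


def groups_visible(username: str, base: str) -> Optional[List[str]]:
    """Simulated Firebox lookup: locate the user under `base`, then report only the
    user's groups that are also under `base`. Returns None if the user is not
    found at all; an empty list means the user authenticates but no group can be
    matched to a Mobile VPN group profile."""
    for e in DIRECTORY:
        if e.sam == username.lower() and is_under(e.dn, base):
            return [group_name(g) for g in e.member_of if is_under(g, base)]
    return None
```

With the search base at the domain root both users and all their groups are found; with the search base narrowed to ou=Students, Alice is found but her Students group (under ou=Groups) is not, so no group profile would match, and Bob is not found at all.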

For this example, the school's Active Directory server uses the IP address

Create a Group Profile for the Students

The school only wants the students to have access to the internal DNS, FTP, and web servers.

Create a Group Profile for the Teachers

The Teachers group needs to have access to both the trusted and optional networks.

Create a Group Profile for the IT Group

The IT group has unlimited access to the network, and also needs to connect to several remote sites that connect to the school network through Branch Office VPN tunnels.
The VPN profiles described in this example enable students, teachers, and IT team members to use the Mobile VPN with IPSec client to authenticate to the Active Directory server and connect to different resources on the school network. The IT team is set up with a default-route VPN. The teachers and students are set up with a split tunnel VPN. For more information about these two options, see Internet Access Options for Mobile VPN Users.
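The following Python model is an added example, not WatchGuard's code, and it does not reproduce how the Firebox evaluates policies. It makes the three profiles above concrete: a profile is selected by matching the user's Active Directory group names against the profile names, and a destination is then classified as allowed, denied, forwarded through a default-route tunnel, or bypassed by a split tunnel. The addresses, ports, the IT-first precedence when a user belongs to more than one group, and the exact-string group matching are all assumptions made for this illustration.

```python
"""Added example (not from the original page): a model of the Students, Teachers
and IT group profiles. Networks, ports, precedence and exact group matching are
assumptions for illustration, not Firebox behaviour documented on the page."""
import ipaddress
from typing import NamedTuple, Optional, Sequence, Tuple

# Constructed addressing for the example school.
TRUSTED = ipaddress.ip_network("10.0.1.0/24")
OPTIONAL = ipaddress.ip_network("10.0.2.0/24")
BOVPN_SITES = (ipaddress.ip_network("10.10.0.0/16"),
               ipaddress.ip_network("10.20.0.0/16"))
DNS_SERVER, FTP_SERVER, WEB_SERVER = "10.0.1.10", "10.0.1.20", "10.0.1.30"


class Rule(NamedTuple):
    dst: ipaddress.IPv4Network
    ports: Optional[frozenset]   # None = any port


class Profile(NamedTuple):
    name: str                    # must match the AD group name
    default_route: bool          # True: all client traffic enters the tunnel
    rules: Tuple[Rule, ...]      # resources reachable through the tunnel


def host(ip: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(ip + "/32")


PROFILES = (
    # Order = precedence (assumption: most privileged first).
    Profile("IT", True,
            (Rule(TRUSTED, None), Rule(OPTIONAL, None))
            + tuple(Rule(site, None) for site in BOVPN_SITES)),
    Profile("Teachers", False, (Rule(TRUSTED, None), Rule(OPTIONAL, None))),
    Profile("Students", False, (
        Rule(host(DNS_SERVER), frozenset({53})),
        Rule(host(FTP_SERVER), frozenset({21})),
        Rule(host(WEB_SERVER), frozenset({80, 443})),
    )),
)
PROFILE_BY_NAME = {p.name: p for p in PROFILES}


def select_profile(ad_groups: Sequence[str]) -> Optional[Profile]:
    """Return the first profile (in PROFILES order) whose name equals one of the
    user's AD group names. Exact-string matching is an assumption of this model;
    the page does not say whether the Firebox compares names case-insensitively."""
    names = set(ad_groups)
    for p in PROFILES:
        if p.name in names:
            return p
    return None   # no matching group: no profile, so no VPN access


def decide(profile: Profile, dst_ip: str, dst_port: int) -> str:
    """Classify one client flow under a profile:
    'allow'   - destination is a listed resource and the port is permitted
    'deny'    - destination is a listed resource but the port is not permitted
    'forward' - default-route tunnel carries it to the Firebox (e.g. Internet)
    'bypass'  - split tunnel sends it out the client's local interface"""
    ip = ipaddress.ip_address(dst_ip)
    matched = [r for r in profile.rules if ip in r.dst]
    if matched:
        ok = any(r.ports is None or dst_port in r.ports for r in matched)
        return "allow" if ok else "deny"
    return "forward" if profile.default_route else "bypass"
```

The model makes two caveats visible: a user in both Teachers and IT receives the IT profile only because IT is listed first, so profile precedence must be a deliberate decision, and a teacher's split tunnel never carries traffic for the Branch Office VPN sites, which is why the IT profile is the one configured with a default route.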

The administrator can now distribute the end-user configuration files to the students, teachers, and IT team members, along with the VPN client. If the configuration uses a tunnel passphrase, the users must also know the tunnel passphrase to install the end-user profile in the WatchGuard IPSec Mobile VPN client. To start a VPN connection, each user must specify their credentials as they are defined on the Active Directory server.

For more information about client setup see Install the IPSec Mobile VPN Client Software.

See Also

Configure the Firebox for Mobile VPN with IPSec