Some of the features described in this section are only available to participants in the WatchGuard Beta program. If a feature described in this section is not available in your version of Fireware, it is a beta-only feature.
Before you configure Mobile VPN with SSL, it is important to understand these elements of the Mobile VPN with SSL configuration:
- Dynamic IP address
- Port and protocol
- Shared settings
- Tunnel traffic options — Routed or Bridged
- Name resolution
- Client downloads
To configure Mobile VPN with SSL, see Use a Wizard to Configure the Firebox for Mobile VPN with SSL or Manually Configure the Firebox for Mobile VPN with SSL.
If your Firebox has a dynamic IP address, you can specify a domain name for client connections instead of an IP address. To connect to the mobile VPN, users specify the domain name in the mobile VPN client settings. Make sure to register the external IP address of your Firebox with a dynamic DNS service provider. Optionally, you can enable dynamic DNS on the Firebox to automatically send IP address updates to a dynamic DNS service provider that the Firebox supports. For more information about dynamic DNS, see About the Dynamic DNS Service.
Mobile VPN with SSL supports every authentication type supported by the Firebox. For more information about supported authentication types, see Authentication Server Types. For information about external authentication servers for Mobile VPN with SSL, see Configure the External Authentication Server.
For information about how to specify the authentication server in the SSL VPN client, see Download, Install, and Connect the Mobile VPN with SSL Client.
Multi-Factor Authentication (MFA)
You can use AuthPoint, the cloud-based MFA solution from WatchGuard, to provide multi-factor authentication for SSL VPN users. You can use one of two methods:
- Fireware v12.7 or higher — You can configure the Firebox to forward authentication requests for SSL VPN users directly to AuthPoint. After you configure the required settings in AuthPoint, AuthPoint appears in the authentication server list on the Firebox. In the Mobile VPN with SSL configuration, you must select AuthPoint as an authentication server. For a configuration example, see the Firebox Mobile VPN with SSL Integration with AuthPoint integration guide.
- Fireware v12.6.4 or lower — On the Firebox, you must specify a RADIUS server in the Mobile VPN with SSL configuration. AuthPoint does not appear in the list of authentication servers on the Firebox. For a configuration example, see the Firebox Mobile VPN with SSL Integration with AuthPoint integration guide.
For general information about the AuthPoint MFA workflow for Mobile VPN with SSL, see Configure MFA for a Firebox.
You can also use third-party MFA solutions if your RADIUS server supports multi-factor or two-factor authentication. For information about third-party MFA implementation, see Use Multi-Factor Authentication (MFA) with Mobile VPNs.
When you configure Mobile VPN with SSL, the Firebox automatically creates an SSLVPN-Users user group. You can use the default group or you can create new groups that have the same names as the user group names on your authentication servers. For more information about user groups, see Manually Configure the Firebox for Mobile VPN with SSL.
When you activate Mobile VPN with SSL, the Firebox automatically creates two policies: WatchGuard SSLVPN and Allow SSLVPN-Users.
The Allow SSLVPN-Users policy allows the groups and users you configured for SSL authentication to get access to resources on your network. By default, the To list in the policy includes only the alias Any, which means this policy allows Mobile VPN with SSL users to access to all network resources.
We recommend that you limit which network resources that Mobile VPN with SSL users can access through the VPN. To do this, you can replace the Allow SSL-Users policy. For instructions that explain how to replace the SSL policy, and for more information about SSL policies, see About Mobile VPN with SSL Policies.
The default protocol and port for Mobile VPN with SSL is TCP port 443, which is usually open on most networks. To specify a different port or protocol, see Choose the Port and Protocol for Mobile VPN with SSL.
The WatchGuard SSLVPN policy is shared by Management Tunnel over SSL, BOVPN over TLS in Server mode, Mobile VPN with SSL, and the Access Portal. For more information about this policy, see SSL/TLS Settings Precedence and Inheritance.
Several Firebox features use SSL/TLS for secure communication and share the same OpenVPN server. The features that share the OpenVPN server, in order of precedence from highest to lowest, are:
- Management Tunnel over SSL on hub devices
- BOVPN over TLS in Server mode
- Mobile VPN with SSL
- Access Portal
Features with lower precedence inherit some SSL/TLS settings from enabled features with higher precedence. The shared settings are not configurable for the features with lower precedence.
Example — Management Tunnel and Mobile VPN with SSL enabled
When you enable a Management Tunnel over SSL on your WSM Management Server, some of the settings that are shared by the Mobile VPN with SSL tunnels become managed by your Management Server. You cannot change these settings in the Mobile VPN with SSL configuration. These settings include the Firebox IP addresses, networking method, virtual IP address pool, VPN resources, data channel, and configuration channel. You also cannot disable the Firebox-DB authentication server, which is required for Management Tunnel authentication. You must change these shared settings in the Device Properties on the Management Server.
Example — BOVPN over TLS Server and Mobile VPN with SSL enabled
When you enable your Firebox as a BOVPN over TLS server, some Mobile VPN with SSL settings are inherited from the BOVPN over TLS Server settings. You cannot change these settings in the Mobile VPN with SSL configuration. These settings include the Firebox IP addresses, networking method, virtual IP address pool, VPN resources, data channel, authentication and encryption settings, and timeout settings.
In Fireware v12.1.x, settings shared by the Access Portal and Mobile VPN over SSL appear on a page named VPN Portal. The Configuration Data Channel for Mobile VPN with SSL was renamed as the VPN Portal port and appears in the VPN Portal settings. In Fireware v12.2, the VPN Portal settings moved to the Access Portal and Mobile VPN with SSL configurations. For configuration instructions that apply to Fireware v12.1.x, see Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.
Before you configure Mobile VPN with SSL, decide how you want the Firebox to send traffic through the VPN tunnel. Based on the option you choose, you might have to change your network configuration before you enable Mobile VPN with SSL.
You can configure Mobile VPN with SSL to use one of these methods to handle VPN traffic to your network:
Routed VPN Traffic
This is the default selection. With this option, the Firebox sends traffic from the VPN tunnel to all local trusted, optional, and custom networks, or to the specific network resources you specify.
Bridge VPN Traffic
This option enables you to bridge SSL VPN traffic to a trusted, optional, or custom network. When you select this option, you cannot filter traffic between the SSL VPN users and the network that the SSL VPN traffic is bridged to. When you bridge VPN traffic to a network, the SSL VPN users are in the same security zone as other users on the network that you bridge to. The traffic for those mobile users is managed by the same security policies as traffic for other users on the bridged network.
For example, if you bridge VPN traffic to a trusted interface, all policies that allow traffic for the Any-Trusted alias also allow traffic for the users who connect to the network with Mobile VPN with SSL. The Bridge VPN Traffic option does not bridge SSL VPN traffic to any secondary networks on the selected network bridge.
For information about how to configure a bridge interface, see Create a Network Bridge Configuration.
If you select Bridge VPN Traffic in the Mobile VPN with SSL configuration on a FireboxV or XTMv virtual machine, you must enable promiscuous mode on the attached virtual switch (vSwitch) in VMware.
If you configure Mobile VPN with SSL from the Web UI, do not change the interface that you used to log in to the Web UI to a bridge interface. This causes you to immediately lose the management connection to the device. If this happens, you must use a different configured interface to reconnect to Fireware Web UI.
If you want to change the interface that you use to manage the device to a bridge interface, we recommend that you make this change from Policy Manager. You can complete all interface configuration changes before you save the updated configuration file to the device.
To change the trusted or optional interface you use for management to a bridge interface, from Fireware Web UI:
- Configure another trusted or optional interface to use as a temporary management interface.
- Connect the management computer to the new interface, and log in to the Web UI.
- Change the original management interface to a bridge interface, and configure a LAN bridge that includes this interface.
- Connect the management computer to the original management interface.
- Disable the temporary management interface.
For detailed instructions, see Create a Network Bridge Configuration.
For more information about how DNS is used for lookups over a mobile VPN connection, see DNS and Mobile VPNs.
You must decide how to provide name resolution for mobile VPN users. For more information, see Name Resolution for Mobile VPN with SSL.
Decide how your users should obtain the Mobile VPN with SSL client software:
- Software downloads page hosted by the Firebox
- Software downloads page on the WatchGuard website
- Manual distribution
Software Downloads Page Hosted by the Firebox
By default, users can download the client from the Mobile VPN with SSL software downloads page at https://[Firebox IP address]:[port]/sslvpn.html. For more information about this page, see Download, Install, and Connect the Mobile VPN with SSL Client.
In Fireware v12.5.4 or higher, you can disable the Mobile VPN with SSL software downloads page. For example, you might disable this page to comply with a corporate security policy. To disable the software downloads page, you must specify these CLI commands:
WG(config/policy)#no sslvpn web-download enable
To enable the page, specify:
WG(config/policy)#sslvpn web-download enable
This option is not available in Fireware Web UI or Policy Manager.
For detailed information about how to enter commands in the CLI, see Fireware CLI Reference.
Software Downloads Page on the WatchGuard Website
Users can download the latest version of the Mobile VPN with SSL software on the WatchGuard website.
You can manually install the client on a user's device. For more information, see Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File.