Before you configure Mobile VPN with SSL, make sure you understand the elements of the Mobile VPN with SSL configuration described in this topic.
To configure Mobile VPN with SSL, see Use a Wizard to Configure the Firebox for Mobile VPN with SSL or Manually Configure the Firebox for Mobile VPN with SSL.
Dynamic IP Address
If your Firebox has a dynamic IP address, you can specify a domain name for client connections instead of an IP address. To connect to the mobile VPN, users specify the domain name in the mobile VPN client settings. Make sure to register the external IP address of your Firebox with a dynamic DNS service provider. Optionally, you can enable dynamic DNS on the Firebox to automatically send IP address updates to a dynamic DNS service provider that the Firebox supports. For more information about dynamic DNS, see About the Dynamic DNS Service.
When you configure Mobile VPN with SSL, the Firebox automatically creates an SSLVPN-Users user group and a WatchGuard SSLVPN policy to allow SSL VPN connections from the Internet to the Firebox. You can use the default group or you can create new groups that have the same names as the user group names on your authentication servers.
The WatchGuard SSLVPN policy is shared by Management Tunnel over SSL, BOVPN over TLS in Server mode, Mobile VPN with SSL, and the Access Portal. For more information about this policy, see SSL/TLS Settings Precedence and Inheritance.
Several Firebox features use SSL/TLS for secure communication and share the same OpenVPN server. The features that share the OpenVPN server, in order of precedence from highest to lowest, are:
- Management Tunnel over SSL on hub devices
- BOVPN over TLS in Server mode
- Mobile VPN with SSL
- Access Portal
Features with lower precedence inherit some SSL/TLS settings from enabled features with higher precedence. The shared settings are not configurable for the features with lower precedence.
Example — Management Tunnel and Mobile VPN with SSL enabled
When you enable a Management Tunnel over SSL on your WSM Management Server, some of the settings that are shared by the Mobile VPN with SSL tunnels become managed by your Management Server. You cannot change these settings in the Mobile VPN with SSL configuration. These settings include the Firebox IP addresses, networking method, virtual IP address pool, VPN resources, data channel, and configuration channel. You also cannot disable the Firebox-DB authentication server, which is required for Management Tunnel authentication. You must change these shared settings in the Device Properties on the Management Server.
Example — BOVPN over TLS Server and Mobile VPN with SSL enabled
When you enable your Firebox as a BOVPN over TLS server, some Mobile VPN with SSL settings are inherited from the BOVPN over TLS Server settings. You cannot change these settings in the Mobile VPN with SSL configuration. These settings include the Firebox IP addresses, networking method, virtual IP address pool, VPN resources, data channel, authentication and encryption settings, and timeout settings.
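The two examples above are instances of one rule: an enabled feature takes over the shared settings of every enabled feature below it in the precedence list. The following Python script, added here as an illustration and not WatchGuard code, models that rule so you can see which Mobile VPN with SSL settings become read-only for a given combination of enabled features. The settings lists are the ones stated in the two examples; the tie-break (when two higher features share a setting, the one with the highest precedence owns it) and the assumption that Mobile VPN with SSL imposes no settings on the Access Portal are modelling assumptions, since the page does not spell them out.

```python
"""Model of the shared-OpenVPN-server precedence on a Firebox.

Constructed example. The precedence order and the per-feature settings lists
are taken from this page; the resolution rule (highest enabled feature owns a
setting that several features share) is an assumption, and the page does not
say what Mobile VPN with SSL imposes on the Access Portal.
"""

# Highest precedence first, as listed on the page.
PRECEDENCE = [
    "Management Tunnel over SSL",
    "BOVPN over TLS Server",
    "Mobile VPN with SSL",
    "Access Portal",
]

# Settings each feature takes over from lower-precedence features when enabled.
MANAGED_SETTINGS = {
    "Management Tunnel over SSL": {
        "Firebox IP addresses", "networking method", "virtual IP address pool",
        "VPN resources", "data channel", "configuration channel",
        "Firebox-DB authentication server",
    },
    "BOVPN over TLS Server": {
        "Firebox IP addresses", "networking method", "virtual IP address pool",
        "VPN resources", "data channel",
        "authentication and encryption settings", "timeout settings",
    },
    "Mobile VPN with SSL": set(),   # assumption: nothing stated on the page
    "Access Portal": set(),         # lowest precedence, inherits only
}

# Where the locked settings must be changed instead (from the page's examples).
CHANGE_LOCATION = {
    "Management Tunnel over SSL": "Device Properties on the Management Server",
    "BOVPN over TLS Server": "BOVPN over TLS Server settings",
}


def locked_settings(feature, enabled):
    """Return {setting: owning_feature} for settings `feature` cannot edit.

    A setting is locked when an enabled feature with higher precedence manages
    it. Walking PRECEDENCE from the top and keeping the first owner seen gives
    the highest-precedence owner for settings that several features share.
    """
    if feature not in PRECEDENCE:
        raise ValueError(f"unknown feature: {feature}")
    locked = {}
    for higher in PRECEDENCE[: PRECEDENCE.index(feature)]:
        if higher not in enabled:
            continue
        for setting in MANAGED_SETTINGS[higher]:
            locked.setdefault(setting, higher)
    return locked


def editable_settings(feature, all_settings, enabled):
    """Subset of `all_settings` that can still be changed in `feature`'s own
    configuration for the given set of enabled features."""
    locked = locked_settings(feature, enabled)
    return sorted(s for s in all_settings if s not in locked)


def report(feature, enabled):
    """Human-readable summary: each locked setting and where to change it."""
    lines = []
    for setting, owner in sorted(locked_settings(feature, enabled).items()):
        where = CHANGE_LOCATION.get(owner, owner)
        lines.append(f"{setting}: locked by {owner}; change it in {where}")
    return "\n".join(lines) or f"{feature}: no settings are inherited"


if __name__ == "__main__":
    # Hub Firebox that is also a BOVPN over TLS server and serves mobile users.
    print(report("Mobile VPN with SSL", {
        "Management Tunnel over SSL", "BOVPN over TLS Server",
        "Mobile VPN with SSL",
    }))
```

Run it with different `enabled` sets to see the effect of turning a feature on or off. Note that in the combined case the Management Tunnel, not the BOVPN over TLS server, owns the settings both features share, so the fix for a wrong virtual IP pool is on the Management Server, even though the BOVPN over TLS Server settings also show it.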
In Fireware v12.1.x, settings shared by the Access Portal and Mobile VPN with SSL appear on a page named VPN Portal. The Configuration Data Channel for Mobile VPN with SSL was renamed the VPN Portal port and appears in the VPN Portal settings. In Fireware v12.2, the VPN Portal settings moved to the Access Portal and Mobile VPN with SSL configurations. For configuration instructions that apply to Fireware v12.1.x, see Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.
Before you configure Mobile VPN with SSL, decide how you want the Firebox to send traffic through the VPN tunnel. Based on the option you choose, you might have to change your network configuration before you enable Mobile VPN with SSL.
You can configure Mobile VPN with SSL to use one of these methods to handle VPN traffic to your network:
Routed VPN Traffic
This is the default selection. With this option, the Firebox sends traffic from the VPN tunnel to all local trusted, optional, and custom networks, or to the specific network resources you specify.
Bridge VPN Traffic
This option enables you to bridge SSL VPN traffic to a trusted, optional, or custom network. When you select this option, you cannot filter traffic between the SSL VPN users and the network that the SSL VPN traffic is bridged to. When you bridge VPN traffic to a network, the SSL VPN users are in the same security zone as other users on the network that you bridge to. The traffic for those mobile users is managed by the same security policies as traffic for other users on the bridged network.
For example, if you bridge VPN traffic to a trusted interface, all policies that allow traffic for the Any-Trusted alias also allow traffic for the users who connect to the network with Mobile VPN with SSL. The Bridge VPN Traffic option does not bridge SSL VPN traffic to any secondary networks on the selected network bridge.
For information about how to configure a bridge interface, see Create a Network Bridge Configuration.
If you select Bridge VPN Traffic in the Mobile VPN with SSL configuration on a FireboxV or XTMv virtual machine, you must enable promiscuous mode on the attached virtual switch (vSwitch) in VMware.
If you configure Mobile VPN with SSL from the Web UI, do not change the interface that you used to log in to the Web UI to a bridge interface. If you do, you immediately lose the management connection to the device, and you must use a different configured interface to reconnect to Fireware Web UI.
If you want to change the interface that you use to manage the device to a bridge interface, we recommend that you make this change from Policy Manager. You can complete all interface configuration changes before you save the updated configuration file to the device.
To change the trusted or optional interface you use for management to a bridge interface, from Fireware Web UI:
- Configure another trusted or optional interface to use as a temporary management interface.
- Connect the management computer to the new interface, and log in to the Web UI.
- Change the original management interface to a bridge interface, and configure a LAN bridge that includes this interface.
- Connect the management computer to the original management interface.
- Disable the temporary management interface.
For detailed instructions, see Create a Network Bridge Configuration.
For more information about how DNS is used for lookups over a mobile VPN connection, see DNS and Mobile VPNs.
Decide how your users should obtain the Mobile VPN with SSL client software.
Software downloads page hosted by the Firebox
By default, users can download the client from the Mobile VPN with SSL software downloads page at https://[Firebox IP address]:[port]/sslvpn.html. For more information about this page, see Download, Install, and Connect the Mobile VPN with SSL Client.
In Fireware v12.5.4 or higher, you can disable the Mobile VPN with SSL software downloads page. For example, you might disable this page to comply with a corporate security policy. To disable the software downloads page, you must use this CLI command:
WG(config/policy)#no sslvpn web-download enable
To enable the page, specify:
WG(config/policy)#sslvpn web-download enable
This option is not available in Fireware Web UI or Policy Manager.
For detailed information about how to enter commands in the CLI, see Fireware CLI Reference.
Software downloads page on the WatchGuard website
Users can download the latest version of the Mobile VPN with SSL software on the WatchGuard website.
You can manually install the client on a user's device. For more information, see Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File.