Plan Your Mobile VPN with SSL Configuration
Before you configure Mobile VPN with SSL, it is important to understand these elements of the Mobile VPN with SSL configuration:
- Dynamic IP address
- Authentication
- Policies
- Port and protocol
- Shared settings
- Tunnel traffic options — Routed or Bridged
- Name resolution
- Client downloads
To configure Mobile VPN with SSL, go to Use a Wizard to Configure the Firebox for Mobile VPN with SSL or Manually Configure the Firebox for Mobile VPN with SSL.
Dynamic IP Address
If your Firebox has a dynamic IP address, you can specify a domain name for client connections instead of an IP address. To connect to the mobile VPN, users specify the domain name in the mobile VPN client settings. Make sure to register the external IP address of your Firebox with a dynamic DNS service provider. Optionally, you can enable dynamic DNS on the Firebox to automatically send IP address updates to a dynamic DNS service provider that the Firebox supports. For more information about dynamic DNS, go to About the Dynamic DNS Service.
Authentication
Mobile VPN with SSL supports every authentication type supported by the Firebox. For more information about supported authentication types, go to Authentication Server Types. For information about external authentication servers for Mobile VPN with SSL, go to Configure the External Authentication Server.
For information about how to specify the authentication server in the SSL VPN client, go to Download, Install, and Connect the Mobile VPN with SSL Client.
Multi-Factor Authentication (MFA)
You can use AuthPoint, the cloud-based MFA solution from WatchGuard, to provide multi-factor authentication for SSL VPN users. You can use one of two methods:
Fireware v12.7 or higher
You can configure the Firebox to forward authentication requests for SSL VPN users directly to AuthPoint. After you configure the required settings in AuthPoint, AuthPoint appears in the authentication server list on the Firebox. In the Mobile VPN with SSL configuration, you must select AuthPoint as an authentication server. This integration supports the WatchGuard Mobile VPN with SSL client (v12.7 or higher only) and the OpenVPN client.
For a configuration example, see the section for Fireware v12.7 or higher in the Firebox Mobile VPN with SSL Integration with AuthPoint integration guide.
If you configured Mobile VPN with SSL for AuthPoint MFA in Fireware v12.6.x or lower, you can keep that integration in place while you configure an updated integration in Fireware v12.7 or higher. For configuration conversion information, see the "Convert Configurations from Fireware 12.6.x or Lower" section in Configure MFA for a Firebox.
Fireware v12.6.4 or lower
On the Firebox, you must specify a RADIUS server in the Mobile VPN with SSL configuration. AuthPoint does not appear in the list of authentication servers on the Firebox.
For a configuration example, see the section for Fireware v12.6.x or lower in the Firebox Mobile VPN with SSL Integration with AuthPoint integration guide.
For general information about the AuthPoint MFA workflow for Mobile VPN with SSL, go to Configure MFA for a Firebox.
You can also use third-party MFA solutions if your RADIUS server supports multi-factor or two-factor authentication. For information about third-party MFA implementation, go to Use Multi-Factor Authentication (MFA) with Mobile VPNs.
User Groups
When you configure Mobile VPN with SSL, the Firebox automatically creates an SSLVPN-Users user group. You can use the default group or you can create new groups that have the same names as the user group names on your authentication servers. For more information about user groups, go to Manually Configure the Firebox for Mobile VPN with SSL.
Policies
When you activate Mobile VPN with SSL, the Firebox automatically creates two policies: WatchGuard SSLVPN and Allow SSLVPN-Users.
The Allow SSLVPN-Users policy allows the groups and users you configured for SSL authentication to access resources on your network. By default, the To list in the policy includes only the alias Any, which means this policy allows Mobile VPN with SSL users to access all network resources.
We recommend that you limit the network resources that Mobile VPN with SSL users can access through the VPN. To do this, you can replace the Allow SSLVPN-Users policy. For instructions that explain how to replace the SSL policy, and for more information about SSL policies, go to About Mobile VPN with SSL Policies.
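The recommendation above is a least-privilege check that can be automated. The script below is an added example, not WatchGuard code: it walks a list of policy records and flags any enabled policy that grants a Mobile VPN with SSL user group access to a broad To alias. The policy records are constructed for illustration and are not the Firebox configuration file format; the group name SSLVPN-Users and the Any alias come from this page, while the other broad aliases in BROAD_TO_ALIASES are assumptions.

```python
"""Audit policy records for an over-broad Mobile VPN with SSL user policy.

Added example. The records below are constructed to resemble the policies
this page describes; mapping a real exported configuration into this shape
is left to a hypothetical helper that is not shown.
"""

# Constructed sample: the automatically created "Allow SSLVPN-Users" policy
# has To = ["Any"], which is the default the page describes.
SAMPLE_POLICIES = [
    {"name": "WatchGuard SSLVPN", "from": ["Any-External"],
     "to": ["Firebox"], "enabled": True},
    {"name": "Allow SSLVPN-Users", "from": ["SSLVPN-Users"],
     "to": ["Any"], "enabled": True},
    {"name": "Allow SSLVPN-Users.restricted", "from": ["SSLVPN-Users"],
     "to": ["10.0.5.10", "10.0.5.0/24"], "enabled": False},
]

# "Any" is the alias named on the page; the others are assumed broad aliases
# included so the audit also catches a whole-zone grant.
BROAD_TO_ALIASES = {"Any", "Any-Trusted", "Any-Optional"}

# Groups whose members connect through Mobile VPN with SSL (default group name
# from the page; add your own groups here).
VPN_USER_GROUPS = {"SSLVPN-Users"}


def is_vpn_user_policy(policy):
    """True if the policy's From list contains a Mobile VPN with SSL user group."""
    return any(src in VPN_USER_GROUPS for src in policy["from"])


def audit_sslvpn_policies(policies):
    """Return one finding per enabled VPN-user policy whose To list is broad.

    A finding names the policy and the broad aliases that should be replaced
    with the specific hosts or networks VPN users actually need.
    """
    findings = []
    for policy in policies:
        if not policy["enabled"] or not is_vpn_user_policy(policy):
            continue
        broad = sorted(set(policy["to"]) & BROAD_TO_ALIASES)
        if broad:
            findings.append({
                "policy": policy["name"],
                "broad_to": broad,
                "advice": "replace with specific hosts or networks",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sslvpn_policies(SAMPLE_POLICIES):
        print(f"{f['policy']}: To includes {', '.join(f['broad_to'])}; "
              f"{f['advice']}")
```

Run against the constructed sample, the audit reports only the default Allow SSLVPN-Users policy; the disabled, restricted replacement is ignored because it is not yet in effect.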
Port and Protocol
The default protocol and port for Mobile VPN with SSL is TCP port 443, which is usually open on most networks. To specify a different port or protocol, go to Choose the Port and Protocol for Mobile VPN with SSL.
Shared Settings
The WatchGuard SSLVPN policy is shared by Management Tunnel over SSL, BOVPN over TLS in Server mode, Mobile VPN with SSL, and the Access Portal. For more information about this policy, go to SSL/TLS Settings Precedence and Inheritance.
Several Firebox features use SSL/TLS for secure communication. In order of precedence from highest to lowest, those features are:
- Management Tunnel over SSL on hub devices
- BOVPN over TLS in Server mode
- Mobile VPN with SSL
- Access Portal
Features with lower precedence inherit some SSL/TLS settings from enabled features with higher precedence. The shared settings are not configurable for the features with lower precedence.
Example — Management Tunnel and Mobile VPN with SSL enabled
When you enable a Management Tunnel over SSL on your WSM Management Server, some of the settings that are shared by the Mobile VPN with SSL tunnels become managed by your Management Server. You cannot change these settings in the Mobile VPN with SSL configuration. These settings include the Firebox IP addresses, networking method, virtual IP address pool, VPN resources, data channel, and configuration channel. You also cannot disable the Firebox-DB authentication server, which is required for Management Tunnel authentication. You must change these shared settings in the Device Properties on the Management Server.
Example — BOVPN over TLS Server and Mobile VPN with SSL enabled
When you enable your Firebox as a BOVPN over TLS server, some Mobile VPN with SSL settings are inherited from the BOVPN over TLS Server settings. You cannot change these settings in the Mobile VPN with SSL configuration. These settings include the Firebox IP addresses, networking method, virtual IP address pool, VPN resources, data channel, authentication and encryption settings, and timeout settings.
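The precedence list and the two examples above can be turned into a small model that answers "why can I not edit this field in the Mobile VPN with SSL configuration, and where do I change it". The script below is an added example, not WatchGuard code. It encodes only what this page states: the precedence order, the settings the Management Tunnel example locks, and the settings the BOVPN over TLS Server example locks. The Access Portal's own shared settings are not described on this page, so the model assumes it imposes none; the snake_case setting names are constructed labels for the settings the page lists.

```python
"""Model of SSL/TLS settings precedence and inheritance between Firebox features.

Added example. Encodes the precedence order and the two inheritance examples
from the page; the Access Portal is assumed to impose no shared settings.
"""

# Highest precedence first, as listed on the page.
PRECEDENCE = [
    "Management Tunnel over SSL",
    "BOVPN over TLS Server",
    "Mobile VPN with SSL",
    "Access Portal",
]

# Settings each feature imposes on lower-precedence features while enabled
# (constructed labels for the settings named in the two page examples).
IMPOSED_SETTINGS = {
    "Management Tunnel over SSL": {
        "firebox_ip_addresses", "networking_method", "virtual_ip_pool",
        "vpn_resources", "data_channel", "configuration_channel",
        # Firebox-DB cannot be disabled while the Management Tunnel needs it.
        "firebox_db_authentication",
    },
    "BOVPN over TLS Server": {
        "firebox_ip_addresses", "networking_method", "virtual_ip_pool",
        "vpn_resources", "data_channel", "authentication_and_encryption",
        "timeout_settings",
    },
    "Mobile VPN with SSL": set(),
    "Access Portal": set(),   # assumption: nothing documented on this page
}


def setting_owner(setting, feature, enabled):
    """Return the enabled feature that controls `setting` as seen from `feature`.

    The owner is the highest-precedence enabled feature above `feature` that
    imposes the setting; if there is none, `feature` controls it itself.
    """
    for higher in PRECEDENCE[:PRECEDENCE.index(feature)]:
        if higher in enabled and setting in IMPOSED_SETTINGS[higher]:
            return higher
    return feature


def locked_settings(feature, enabled):
    """Map each setting `feature` cannot edit to the feature that owns it."""
    if feature not in enabled:
        return {}
    candidates = set().union(*IMPOSED_SETTINGS.values())
    locked = {}
    for setting in sorted(candidates):
        owner = setting_owner(setting, feature, enabled)
        if owner != feature:
            locked[setting] = owner
    return locked


if __name__ == "__main__":
    enabled = {"Management Tunnel over SSL", "BOVPN over TLS Server",
               "Mobile VPN with SSL"}
    for setting, owner in locked_settings("Mobile VPN with SSL", enabled).items():
        print(f"{setting}: change in {owner}")
```

With both higher-precedence features enabled, the overlapping settings (IP addresses, networking method, virtual IP pool, VPN resources, data channel) resolve to the Management Tunnel, while authentication, encryption and timeout settings resolve to the BOVPN over TLS Server; with only Mobile VPN with SSL enabled, nothing is locked.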
In Fireware v12.1.x, settings shared by the Access Portal and Mobile VPN with SSL appear on a page named VPN Portal. The Configuration Data Channel for Mobile VPN with SSL was renamed as the VPN Portal port and appears in the VPN Portal settings. In Fireware v12.2, the VPN Portal settings moved to the Access Portal and Mobile VPN with SSL configurations. For configuration instructions that apply to Fireware v12.1.x, go to Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.
Tunnel Traffic Options
Before you configure Mobile VPN with SSL, decide how you want the Firebox to send traffic through the VPN tunnel. Based on the option you choose, you might have to change your network configuration before you enable Mobile VPN with SSL.
You can configure Mobile VPN with SSL to use one of these methods to handle VPN traffic to your network:
Routed VPN Traffic
This is the default selection. With this option, the Firebox sends traffic from the VPN tunnel to all local trusted, optional, and custom networks, or to the specific network resources you specify.
Bridge VPN Traffic
This option enables you to bridge SSL VPN traffic to a trusted, optional, or custom network. When you select this option, you cannot filter traffic between the SSL VPN users and the network that the SSL VPN traffic is bridged to. When you bridge VPN traffic to a network, the SSL VPN users are in the same security zone as other users on the network that you bridge to. The traffic for those mobile users is managed by the same security policies as traffic for other users on the bridged network.
For example, if you bridge VPN traffic to a trusted interface, all policies that allow traffic for the Any-Trusted alias also allow traffic for the users who connect to the network with Mobile VPN with SSL. The Bridge VPN Traffic option does not bridge SSL VPN traffic to any secondary networks on the selected network bridge.
For information about how to configure a bridge interface, go to Create a Network Bridge Configuration.
If you select Bridge VPN Traffic in the Mobile VPN with SSL configuration on a FireboxV virtual machine, you must enable promiscuous mode on the attached virtual switch (vSwitch) in VMware.
WARNING: If you configure Mobile VPN with SSL from the Web UI, do not change the interface that you used to log in to the Web UI to a bridge interface. This causes you to immediately lose the management connection to the device. If this happens, you must use a different configured interface to reconnect to Fireware Web UI.
If you want to change the interface that you use to manage the device to a bridge interface, we recommend that you make this change from Policy Manager. You can complete all interface configuration changes before you save the updated configuration file to the device.
To change the trusted or optional interface you use for management to a bridge interface, from Fireware Web UI:
- Configure another trusted or optional interface to use as a temporary management interface.
- Connect the management computer to the new interface, and log in to the Web UI.
- Change the original management interface to a bridge interface, and configure a LAN bridge that includes this interface.
- Connect the management computer to the original management interface.
- Disable the temporary management interface.
For detailed instructions, go to Create a Network Bridge Configuration.
For more information about how DNS is used for lookups over a mobile VPN connection, go to DNS and Mobile VPNs.
Name Resolution
You must decide how to provide name resolution for mobile VPN users. For more information, go to Name Resolution for Mobile VPN with SSL.
Client Downloads
Decide how your users should obtain the Mobile VPN with SSL client software:
- Software downloads page hosted by the Firebox
- Software downloads page on the WatchGuard website
- Manual distribution
Software Downloads Page Hosted by the Firebox
By default, users can download the client from the Mobile VPN with SSL software downloads page at https://[Firebox IP address]:[port]/sslvpn.html. For more information about this page, go to Download, Install, and Connect the Mobile VPN with SSL Client.
In Fireware v12.5.4 or higher, you can disable the Mobile VPN with SSL software downloads page. For example, you might disable this page to comply with a corporate security policy. To disable the software downloads page, you must specify these CLI commands:
WG#config
WG(config)#policy
WG(config/policy)#no sslvpn web-download enable
To enable the page, specify:
WG#config
WG(config)#policy
WG(config/policy)#sslvpn web-download enable
This option is not available in Fireware Web UI or Policy Manager. You must specify these commands again when you use a trade-up device or an RMA (Return Merchandise Authorization) replacement device.
For a FireCluster, you must independently specify the CLI commands for both Fireboxes configured as cluster members.
For detailed information about how to enter commands in the CLI, go to Fireware CLI Reference.
Software Downloads Page on the WatchGuard Website
Users can download the latest version of the Mobile VPN with SSL software on the WatchGuard website.
Manual Distribution
You can manually install the client on a user's device. For more information, go to Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File.
Use a Wizard to Configure the Firebox for Mobile VPN with SSL