Manually Configure the Firebox for Mobile VPN with SSL

Before you configure Mobile VPN with SSL, we recommend that you review the topic, Plan Your Mobile VPN with SSL Configuration.

In Fireware v12.3 or higher, you can use a wizard or manually configure Mobile VPN with SSL.

To configure Mobile VPN with SSL, you specify the settings described in the sections that follow.

In Fireware v12.2.1 or lower, you must manually configure Mobile VPN with SSL. A wizard is not available. To manually configure Mobile VPN with SSL in Fireware Web UI v12.2.1 or lower, select VPN > Mobile VPN with SSL. To manually configure Mobile VPN with SSL in Policy Manager v12.2.1 or lower, select VPN > Mobile VPN > SSL.

Configure Firebox IP Address or Domain Name Settings

Configure the IP address or domain name that users connect to.

Configure Networking Settings

Configure the network resources that Mobile VPN with SSL clients can use.

Configure the Virtual IP Address Pool

When you configure Mobile VPN with SSL, you must specify a virtual IP address pool for VPN clients.

Follow these best practices:

  • Make sure that the virtual IP address pool does not overlap with any other IP addresses in the Firebox configuration.
  • Make sure that the virtual IP address pool does not overlap with networks protected by the Firebox, any network accessible through a route or BOVPN, or with IP addresses assigned by DHCP to a device behind the Firebox.
  • If your company has multiple sites with mobile VPN configurations, make sure each site has a virtual IP address pool for mobile VPN clients that does not overlap with pools at other sites.
  • Do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 for mobile VPN virtual IP address pools. These ranges are commonly used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you Migrate to a New Local Network Range.
  • If FireCluster is enabled, the virtual IP address pool cannot be on the same subnet as a primary cluster IP address.

By default, the BOVPN over TLS server assigns addresses in the 192.168.113.0/24 pool to BOVPN over TLS clients. Mobile VPN with SSL also uses the 192.168.113.0/24 pool by default. If BOVPN over TLS in Client mode and Mobile VPN with SSL are both enabled on the same Firebox, you must specify a different IP address pool for one of these features. If both features use the same IP address pool, BOVPN over TLS traffic is not sent through the tunnel correctly.
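As an added example (not WatchGuard's own tooling), this Python check applies the pool rules above to a constructed inventory of networks known to a Firebox before the pool is committed to the configuration; the network names, address ranges and cluster interface used here are assumptions.

```python
import ipaddress

# Ranges the page names as common on home networks; never use them as a pool.
HOME_NETWORK_RANGES = (ipaddress.ip_network("192.168.0.0/24"),
                       ipaddress.ip_network("192.168.1.0/24"))
# Default pool shared by Mobile VPN with SSL and the BOVPN over TLS server.
BOVPN_TLS_DEFAULT_POOL = "192.168.113.0/24"


def check_virtual_pool(pool, firebox_networks, other_site_pools=(),
                       bovpn_tls_client_enabled=False,
                       bovpn_tls_pool=BOVPN_TLS_DEFAULT_POOL,
                       cluster_interfaces=()):
    """Return a list of findings; an empty list means the pool passes.

    firebox_networks   -- {name: cidr} for interface networks, routed and
                          BOVPN networks, and DHCP scopes behind the Firebox
    other_site_pools   -- mobile VPN pools used at other company sites
    cluster_interfaces -- primary FireCluster IPs with mask, e.g. "10.0.1.5/24"
    """
    pool = ipaddress.ip_network(pool, strict=False)
    findings = []
    for name, cidr in firebox_networks.items():
        if pool.overlaps(ipaddress.ip_network(cidr, strict=False)):
            findings.append(f"overlaps {name} ({cidr})")
    for other in other_site_pools:
        if pool.overlaps(ipaddress.ip_network(other, strict=False)):
            findings.append(f"overlaps pool at another site ({other})")
    for home in HOME_NETWORK_RANGES:
        if pool.overlaps(home):
            findings.append(f"uses common home network range {home}")
    tls_pool = ipaddress.ip_network(bovpn_tls_pool, strict=False)
    if bovpn_tls_client_enabled and pool.overlaps(tls_pool):
        findings.append(f"same pool as BOVPN over TLS ({tls_pool})")
    for iface in cluster_interfaces:
        if pool.overlaps(ipaddress.ip_interface(iface).network):
            findings.append(f"same subnet as primary cluster IP {iface}")
    return findings


if __name__ == "__main__":
    # Constructed inventory of networks known to the Firebox (not real data).
    nets = {"Trusted": "10.0.1.0/24", "Optional": "10.0.2.0/24",
            "BOVPN-to-branch": "10.10.0.0/16", "DHCP-guest": "172.16.5.0/24"}
    for candidate in ("192.168.113.0/24", "10.10.50.0/24", "10.200.0.0/24"):
        result = check_virtual_pool(candidate, nets,
                                    other_site_pools=["10.201.0.0/24"],
                                    bovpn_tls_client_enabled=True,
                                    cluster_interfaces=["10.0.1.5/24"])
        print(candidate, "OK" if not result else "; ".join(result))
```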

Configure Authentication Server Settings

Next, you must configure the authentication server settings. You can select one or more configured authentication servers to use. The server at the top of the list is the default server. The default server is used for authentication if users do not specify the authentication server or domain in the Mobile VPN with SSL client.

In Fireware v12.7 or higher, you can configure the Firebox to forward authentication requests for SSL VPN users directly to AuthPoint. After you configure the required settings in AuthPoint, AuthPoint shows in the authentication server list on the Firebox. In the Mobile VPN with SSL configuration, you must select AuthPoint as an authentication server. This integration supports the WatchGuard Mobile VPN with SSL client (v12.7 or higher only) and the OpenVPN client. For more information, go to Plan Your Mobile VPN with SSL Configuration and Firebox Mobile VPN with SSL Integration with AuthPoint.

Do not select the option to Auto reconnect after a connection is lost if you require multi-factor authentication for Mobile VPN with SSL.

In Fireware v12.1.x, authentication server settings shared by the Access Portal and Mobile VPN with SSL appear on a page named VPN Portal. In Fireware v12.2, the VPN Portal settings were moved to the Access Portal and Mobile VPN with SSL configurations. For Mobile VPN with SSL configuration instructions that apply to Fireware v12.1.x, go to Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.

Add Users and Groups

You can use the default SSLVPN-Users group for authentication, or you can add the names of users and groups that exist on your authentication server.

The SSLVPN-Users group is added by default. You can add the names of other groups and users that use Mobile VPN with SSL. For each group or user, you can select a specific authentication server where the group exists or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case-sensitive and must exactly match the name on your authentication server.

Make sure you create a group on the server that has the same name as the name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with SSL. For more information, go to Configure the External Authentication Server.

To limit mobile VPN connections to devices that follow corporate policy, you can use network access enforcement. Before you enable network access enforcement for groups specified in the Mobile VPN with SSL configuration, enable and configure Endpoint Enforcement at Subscription Services > Network Access Enforcement (Fireware v12.9 or higher). For more information, go to Network Access Enforcement Overview.

When you save the Mobile VPN with SSL configuration, the Allow SSLVPN-Users policy is created or updated to apply to the groups and users you configured for authentication. The group and user names you added do not appear in the From list in the Allow SSLVPN-Users policy. Instead, only the single group name SSLVPN-Users appears. However, this policy does apply to all users and groups you configured in the Mobile VPN with SSL authentication settings.

If you disable Mobile VPN with SSL, the Allow SSLVPN-Users policy and the SSLVPN-Users group are automatically removed.

Configure Advanced Settings for Mobile VPN with SSL

You can configure these settings on the Advanced tab:

  • Authentication and encryption
  • Ports
  • Timers
  • DNS and WINS

The authentication and encryption settings changed to stronger defaults in Fireware v12.0. Settings for Blowfish, MD5, and DES were removed.

Configure Policies to Control Mobile VPN with SSL Client Access

When you enable Mobile VPN with SSL, policies to allow Mobile VPN with SSL client access are automatically created. You can change these policies to control Mobile VPN with SSL client access.

WatchGuard SSLVPN policy

This SSLVPN policy allows connections from a Mobile VPN with SSL client to the Firebox. This policy allows traffic from any host on the specified interfaces to any configured primary or secondary interface IP address of your Firebox on TCP port 443 (the port and protocol the Firebox uses for Mobile VPN with SSL).

These interfaces are included in the WatchGuard SSLVPN policy by default:

  • In Fireware v12.1 and higher, the WatchGuard SSLVPN policy includes only the Any-External interface by default.
  • In Fireware v12.0.2 and lower, the WatchGuard SSLVPN policy includes the Any-External, Any-Optional, and Any-Trusted interfaces by default.

If you want this policy to allow TCP port 443 connections only to a specific interface IP address, edit the To section of the policy to remove the Firebox alias and add the external IP address that your Mobile VPN with SSL clients use to connect.

In Fireware v12.1.x, the WatchGuard SSLVPN policy includes the WG-VPN-Portal alias. If you upgrade from v12.1.x to v12.2 or higher, the WG-VPN-Portal alias is removed from the WatchGuard SSLVPN policy. Interfaces that appeared in the WG-VPN-Portal alias appear in the WatchGuard SSLVPN policy, which means the policy matches the same traffic. For more information, go to WatchGuard SSLVPN policy changes and the WG-VPN-Portal alias in Fireware v12.1.x in the WatchGuard Knowledge Base.

In Fireware v12.1 or higher, if you delete the WatchGuard SSLVPN policy and create a custom policy with a different name, Mobile VPN with SSL does not function if the Data Channel protocol is configured for TCP.

Allow SSLVPN-Users policy

This Any policy allows the groups and users you configure for SSL authentication to access resources on your network. This policy automatically includes all users and groups in your Mobile VPN with SSL configuration. It has no restrictions on the traffic that it allows from SSL clients to network resources protected by the Firebox.

To restrict VPN user traffic by port and protocol, you can disable or delete the Allow SSLVPN-Users policy. Then, add new policies to your configuration or add the group with Mobile VPN with SSL access to the From section of your existing policies.

All Mobile VPN with SSL traffic is untrusted by default. Even if you assign Mobile VPN with SSL users IP addresses on the same subnet as a trusted network, the traffic from the Mobile VPN with SSL user is not considered trusted. Regardless of assigned IP address, you must create policies to allow Mobile VPN with SSL users access to network resources.

WatchGuard Authentication policy

This policy is not created automatically when you enable Mobile VPN with SSL. For more information about this policy, go to About the WatchGuard Authentication (WG-Auth) Policy.

To download the Mobile VPN with SSL client software, users authenticate with the Firebox on port 443, or on a custom port that you specify.

Allow Mobile VPN with SSL Users to Access a Trusted Network

In this example, you add an Any policy that allows members in the SSLVPN-Users group to get full access to resources on all trusted networks.

For more information on policies, go to Add Policies to Your Configuration.

Use Other Groups or Users in a Mobile VPN with SSL Policy

To make a Mobile VPN with SSL connection, users must be members of the SSLVPN-Users group or any group you added to the Mobile VPN with SSL configuration. You can use policies with other groups to restrict access to resources after the user connects. If you added groups from a third-party authentication server in your Mobile VPN with SSL configuration, and you want to use those group names in policies to restrict access, you must also add those groups to the Users and Groups list in the Firebox configuration.

Related Topics

Download, Install, and Connect the Mobile VPN with SSL Client

Uninstall the Mobile VPN with SSL Client

Video tutorial — Mobile VPN with SSL

SSL/TLS Settings Precedence and Inheritance

DNS and Mobile VPNs

Troubleshoot Mobile VPN with SSL