Manually Configure the Firebox for Mobile VPN with SSL

Before you configure Mobile VPN with SSL, see Plan Your Mobile VPN with SSL Configuration.

In Fireware v12.3 or higher, you can use a wizard or manually configure Mobile VPN with SSL:

To configure Mobile VPN with SSL, you specify these settings:

In Fireware v12.2.1 or lower, you must manually configure Mobile VPN with SSL. A wizard is not available. To manually configure Mobile VPN with SSL in Fireware Web UI v12.2.1 or lower, select VPN > Mobile VPN with SSL. To manually configure Mobile VPN with SSL in Policy Manager v12.2.1 or lower, select VPN > Mobile VPN > SSL.

Configure Firebox IP Address or Domain Name Settings

Configure the IP address or domain name that users connect to.

Configure Networking Settings

Configure the network resources that Mobile VPN with SSL clients can use.

Configure the IP Address Pool Settings

You must configure the virtual IP address pool the Firebox assigns to Mobile VPN with SSL client connections. If FireCluster is enabled, the virtual IP address pool cannot be on the same subnet as a primary cluster IP address.

By default, the BOVPN over TLS server assigns addresses in the 192.168.113.0/24 pool to BOVPN over TLS clients. Mobile VPN with SSL also uses the 192.168.113.0/24 pool by default. If BOVPN over TLS in Client mode and Mobile VPN with SSL are both enabled on the same Firebox, you must specify a different IP address pool for one of these features. If both features use the same IP address pool, BOVPN over TLS traffic is not sent through the tunnel correctly.
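The two pool constraints above (no overlap with the BOVPN over TLS client pool when both features are enabled, and no placement on a primary FireCluster IP subnet) can be checked before a configuration is committed. The following is an added example, not WatchGuard code; the cluster check treats "same subnet" as any overlap with the cluster address's network, which is an assumption.

```python
from ipaddress import ip_interface, ip_network

# Defaults stated on the page: both features use this pool until one is changed.
BOVPN_TLS_DEFAULT_POOL = "192.168.113.0/24"
SSLVPN_DEFAULT_POOL = "192.168.113.0/24"


def check_sslvpn_pool(sslvpn_pool, bovpn_tls_client_enabled,
                      bovpn_tls_pool=BOVPN_TLS_DEFAULT_POOL, cluster_ips=()):
    """Return a list of problems with a proposed Mobile VPN with SSL address pool.

    sslvpn_pool: the virtual IP address pool in CIDR form.
    bovpn_tls_client_enabled: True when BOVPN over TLS runs in Client mode on this Firebox.
    bovpn_tls_pool: the BOVPN over TLS client pool (page default shown above).
    cluster_ips: primary FireCluster interface addresses with their masks, for example
        "10.0.1.1/24"; leave empty when FireCluster is not enabled.
    An empty list means the pool passes both checks described on the page.
    """
    pool = ip_network(sslvpn_pool, strict=False)
    problems = []

    # Check 1: BOVPN over TLS (Client mode) and Mobile VPN with SSL must not share a pool.
    tls_pool = ip_network(bovpn_tls_pool, strict=False)
    if bovpn_tls_client_enabled and pool.overlaps(tls_pool):
        problems.append(f"pool {pool} overlaps the BOVPN over TLS pool {tls_pool}; "
                        "BOVPN over TLS traffic would not be sent through the tunnel correctly")

    # Check 2: with FireCluster, the pool cannot be on the subnet of a primary cluster IP.
    # Assumption: "same subnet" is tested as any overlap with the cluster address's network.
    for cidr in cluster_ips:
        subnet = ip_interface(cidr).network
        if pool.overlaps(subnet):
            problems.append(f"pool {pool} is on the same subnet ({subnet}) "
                            f"as primary cluster IP {cidr}")
    return problems


if __name__ == "__main__":
    # Constructed examples: the defaults collide, a different pool does not.
    print(check_sslvpn_pool(SSLVPN_DEFAULT_POOL, bovpn_tls_client_enabled=True))
    print(check_sslvpn_pool("192.168.114.0/24", bovpn_tls_client_enabled=True))
```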

Configure Authentication Server Settings

Next, you must configure the authentication server settings. You can select one or more configured authentication servers to use. The server at the top of the list is the default server. The default server is used for authentication if users do not specify the authentication server or domain in the Mobile VPN with SSL client.

In Fireware v12.1.x, authentication server settings shared by the Access Portal and Mobile VPN with SSL appear on a page named VPN Portal. In Fireware v12.2, the VPN Portal settings were moved to the Access Portal and Mobile VPN with SSL configurations. For Mobile VPN with SSL configuration instructions that apply to Fireware v12.1.x, see Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.

Add Users and Groups

You can use the default SSLVPN-Users group for authentication, or you can add the names of users and groups that exist on your authentication server.

The SSLVPN-Users group is added by default. You can add the names of other groups and users that use Mobile VPN with SSL. For each group or user, you can select a specific authentication server where the group exists or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case-sensitive and must exactly match the name on your authentication server.

Make sure you create a group on the server that has the same name as the name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with SSL. For more information, see Configure the External Authentication Server.

When you save the Mobile VPN with SSL configuration, the Allow SSLVPN-Users policy is created or updated to apply to the groups and users you configured for authentication. The group and user names you added do not appear in the From list in the Allow SSLVPN-Users policy. Instead, the single group name SSLVPN-Users appears. However, this policy does apply to all users and groups you configured in the Mobile VPN with SSL authentication settings.

If you disable Mobile VPN with SSL, the Allow SSLVPN-Users policy and the SSLVPN-Users group are automatically removed.

Configure Advanced Settings for Mobile VPN with SSL

You can configure these settings on the Advanced tab:

  • Authentication and encryption
  • Ports
  • Timers
  • DNS and WINS

The authentication and encryption settings changed to stronger defaults in Fireware v12.0. Settings for Blowfish, MD5, and DES were removed.

Configure Policies to Control Mobile VPN with SSL Client Access

When you enable Mobile VPN with SSL, policies to allow Mobile VPN with SSL client access are automatically created. You can change these policies to control Mobile VPN with SSL client access.

WatchGuard SSLVPN policy

This SSLVPN policy allows connections from a Mobile VPN with SSL client to the Firebox. This policy allows traffic from any host on the specified interfaces to any configured primary or secondary interface IP address of your Firebox on TCP port 443 (the port and protocol the Firebox uses for Mobile VPN with SSL).

These interfaces are included in the WatchGuard SSLVPN policy by default:

  • In Fireware v12.1 and higher, the WatchGuard SSLVPN policy includes only the Any-External interface by default.
  • In Fireware v12.0.2 and lower, the WatchGuard SSLVPN policy includes the Any-External, Any-Optional, and Any-Trusted interfaces by default.

If you want this policy to allow TCP port 443 connections only to a specific interface IP address, edit the To section of the policy to remove the Firebox alias and add the external IP address that your Mobile VPN with SSL clients use to connect.

In Fireware v12.1.x, the WatchGuard SSLVPN policy includes the WG-VPN-Portal alias. If you upgrade from v12.1.x to v12.2 or higher, the WG-VPN-Portal alias is removed from the WatchGuard SSLVPN policy. Interfaces that appeared in the WG-VPN-Portal alias appear in the WatchGuard SSLVPN policy, which means the policy matches the same traffic. For more information, see WatchGuard SSLVPN policy changes and the WG-VPN-Portal alias in Fireware v12.1.x in the WatchGuard Knowledge Base.

In Fireware v12.1 or higher, if you delete the WatchGuard SSLVPN policy and create a custom policy with a different name, Mobile VPN with SSL does not function if the Data Channel protocol is configured for TCP.

Allow SSLVPN-Users policy

This Any policy allows the groups and users you configure for SSL authentication to access resources on your network. This policy automatically includes all users and groups in your Mobile VPN with SSL configuration. It has no restrictions on the traffic that it allows from SSL clients to network resources protected by the Firebox.

To restrict VPN user traffic by port and protocol, you can disable or delete the Allow SSLVPN-Users policy. Then, add new policies to your configuration or add the group with Mobile VPN with SSL access to the From section of your existing policies.

All Mobile VPN with SSL traffic is untrusted by default. Even if you assign Mobile VPN with SSL users IP addresses on the same subnet as a trusted network, the traffic from the Mobile VPN with SSL user is not considered trusted. Regardless of assigned IP address, you must create policies to allow Mobile VPN with SSL users access to network resources.
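The three points in this section (the auto-created Allow SSLVPN-Users policy has no port restriction, it can be replaced by narrower policies that name the group, and a VPN client's assigned address never makes its traffic trusted) can be seen in a small policy-matching model. This is an added example and a deliberate simplification, not the Firebox policy engine: it assumes first-match ordering, matches sources only by ingress alias or authenticated group, and uses constructed policy and flow values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    sources: frozenset          # interface aliases and/or authenticated group names
    destinations: frozenset     # aliases such as "Any-Trusted"; "Any" matches everything
    ports: Optional[frozenset]  # allowed TCP ports; None models an "Any" policy
    enabled: bool = True


@dataclass(frozen=True)
class Flow:
    ingress: str           # alias of the interface or tunnel the packet arrived on
    src_groups: frozenset  # groups of the authenticated VPN user (empty for a plain host)
    dst_alias: str
    port: int


def matching_policy(policies, flow):
    """Name of the first enabled policy that allows the flow, or None (denied).
    Simplified model: a source matches by ingress alias or group membership, never by IP,
    which is why a VPN client with a trusted-range address still needs its own policy."""
    for p in policies:
        if not p.enabled:
            continue
        src_ok = flow.ingress in p.sources or bool(flow.src_groups & p.sources)
        dst_ok = "Any" in p.destinations or flow.dst_alias in p.destinations
        port_ok = p.ports is None or flow.port in p.ports
        if src_ok and dst_ok and port_ok:
            return p.name
    return None


# Constructed policies: the auto-created Any policy, an ordinary LAN policy, and a
# port-restricted replacement for the Any policy as the page suggests.
DEFAULT_ANY = Policy("Allow SSLVPN-Users", frozenset({"SSLVPN-Users"}), frozenset({"Any"}), None)
LAN_RDP = Policy("Trusted-RDP", frozenset({"Any-Trusted"}), frozenset({"Any-Trusted"}), frozenset({3389}))
SSLVPN_RDP = Policy("SSLVPN-Users-RDP", frozenset({"SSLVPN-Users"}), frozenset({"Any-Trusted"}), frozenset({3389}))

# Constructed flows from a VPN user whose assigned address lies inside the trusted subnet.
VPN_RDP = Flow("SSLVPN", frozenset({"SSLVPN-Users"}), "Any-Trusted", 3389)
VPN_SMB = Flow("SSLVPN", frozenset({"SSLVPN-Users"}), "Any-Trusted", 445)


def outcomes():
    """(default Any policy, Any policy removed with no replacement, restricted replacement)."""
    return (
        matching_policy([DEFAULT_ANY, LAN_RDP], VPN_SMB),   # "Allow SSLVPN-Users": any port
        matching_policy([LAN_RDP], VPN_RDP),                # None: trusted-range IP does not help
        (matching_policy([SSLVPN_RDP, LAN_RDP], VPN_RDP),   # "SSLVPN-Users-RDP"
         matching_policy([SSLVPN_RDP, LAN_RDP], VPN_SMB)),  # None: SMB denied
    )
```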

WatchGuard Authentication policy

This policy is not created automatically when you enable Mobile VPN with SSL. For more information about this policy, see About the WatchGuard Authentication (WG-Auth) Policy.

To download the Mobile VPN with SSL client software, users authenticate with the Firebox on port 443, or on a custom port that you specify.

Allow Mobile VPN with SSL Users to Access a Trusted Network

In this example, you add an Any policy that allows members in the SSLVPN-Users group to get full access to resources on all trusted networks.

For more information on policies, see Add Policies to Your Configuration.

Use Other Groups or Users in a Mobile VPN with SSL Policy

To make a Mobile VPN with SSL connection, users must be members of the SSLVPN-Users group or any group you added to the Mobile VPN with SSL configuration. You can use policies with other groups to restrict access to resources after the user connects. If you added groups from a third-party authentication server in your Mobile VPN with SSL configuration, and you want to use those group names in policies to restrict access, you must also add those groups to the Users and Groups list in the Firebox configuration.

See Also

Install and Connect the Mobile VPN with SSL Client

Uninstall the Mobile VPN with SSL Client

Video tutorial — Mobile VPN with SSL

SSL/TLS Settings Precedence and Inheritance

DNS and Mobile VPNs
