Several Firebox features use SSL/TLS for secure communication. In order of precedence from highest to lowest, those features are:
- Management Tunnel over SSL on hub devices
- BOVPN over TLS in Server mode
- Mobile VPN with SSL
- Access Portal
Features with lower precedence inherit some SSL/TLS settings from enabled features with higher precedence. The shared settings are not configurable for the features with lower precedence.
These elements of the Access Portal configuration are shared:
Access Portal Port
The Access Portal Port specifies the channel where the Access Portal listens for user connections.
If Management Tunnel over SSL or BOVPN over TLS in Server mode are enabled, the Access Portal Port is automatically set to 443 and cannot be configured.
The Data Channel setting in the Mobile VPN with SSL configuration and the Access Portal Port setting affect each other. In the Mobile VPN with SSL configuration:
- If the Data Channel uses TCP, the Configuration Channel is set to the same port as the Data Channel and cannot be configured. The Access Portal Port is set to the same port as the Configuration Channel and cannot be configured.
- If the Data Channel uses UDP, you can configure the Configuration Channel. The Access Portal Port is set to the same value as the Configuration Channel.
If you change the Access Portal Port, the Configuration Channel in the Mobile VPN with SSL configuration is changed to the same port. If you specify an Access Portal Port other than 443, users must specify the port number to connect to the Access Portal or Mobile VPN with SSL. For example, if you specify 444, and the Firebox IP address is 203.0.113.2:
- To connect to the Access Portal, users must connect to https://203.0.113.2:444.
- To start a Mobile VPN with SSL connection, users must manually type port 444 in the Mobile VPN with SSL connection dialog box. For example, users must type 203.0.113.2:444.
- To download Mobile VPN with SSL client software, users must connect to https://203.0.113.2:444/sslvpn.html.
WatchGuard SSLVPN policy
When you activate the Access Portal, the WatchGuard SSLVPN policy is automatically created. This policy is shared by Management Tunnels over SSL, BOVPN over TLS, Mobile VPN with SSL, and the Access Portal.
To add or remove interfaces for the Access Portal, edit the WatchGuard SSLVPN policy.
In Fireware v12.1.x, the WatchGuard SSLVPN policy includes the alias WG-VPN-Portal. If you upgrade from v12.1.x to v12.2 or higher, the WG-VPN-Portal alias is removed from the WatchGuard SSLVPN policy. Interfaces that appeared in the WG-VPN-Portal alias appear in the WatchGuard SSLVPN policy, which means the policy matches the same traffic.
Authentication servers you specify in the Access Portal configuration also apply to Mobile VPN with SSL.
In Fireware v12.1.x, settings shared by the Access Portal and Mobile VPN over SSL appear on a page named VPN Portal. In Fireware v12.2, VPN Portal settings moved to the Access Portal and Mobile VPN with SSL configurations. For Access Portal instructions that apply to Fireware v12.1.x, see Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.