Configure Mobile VPN with SSL for a Cloud-Managed Firebox

Applies To: Cloud-managed Fireboxes

This topic explains how to configure Mobile VPN with SSL in WatchGuard Cloud for a cloud-managed Firebox. For an overview of Mobile VPN, see About Mobile VPN for a Cloud-Managed Firebox.

Before You Begin

Before you enable Mobile VPN with SSL, you must configure one or more user authentication methods. For more information, see Authentication Methods for Mobile VPN.

Enable Mobile VPN with SSL

To enable Mobile VPN with SSL, from WatchGuard Cloud:

  1. Select Configure > Devices.
  2. Select your cloud-managed Firebox.
  3. Click Device Configuration.
  4. In the VPN section, click the Mobile VPN tile.
    The Select VPN page opens.

Screen shot of the Select VPN page

  5. Click SSL.
    The Mobile VPN with SSL Settings page opens. The Mobile VPN with SSL toggle is enabled by default.

Screen shot of the Mobile VPN with SSL toggle

  6. Configure the Settings and Advanced Settings.

Configure Settings

On the Settings tab, configure the general Mobile VPN with SSL settings:

Add Firebox Addresses

In the Firebox Addresses section, add an IP address or domain name for connections from SSL VPN clients to the Firebox. SSL VPN clients connect to this IP address or domain name by default.

Make sure the IP address is an external IP address, secondary external IP address, or external VLAN. If your Firebox is behind a NAT device, enter the public IP address or domain name of the NAT device.

Add Authentication Domains

By default, Mobile VPN with SSL uses the Firebox database (Firebox-DB) for user authentication. You can also use Active Directory, RADIUS, and AuthPoint.

Before you can add an authentication domain to the Mobile VPN with SSL configuration, you must first configure one or more user authentication methods. For more information about Mobile VPN authentication, see Authentication Methods for Mobile VPN.

To use AuthPoint for Mobile VPN user authentication on a cloud-managed Firebox, you must first add the Firebox as an AuthPoint resource, which requires Fireware v12.7 or higher.

Add Users and Groups

After you select the authentication domains, select users and groups that can use an SSL VPN client to connect to network resources protected by the Firebox. You can select these types of users and groups:

  • Firebox Database (Firebox-DB) users and groups
  • RADIUS authentication domain users and groups
  • Active Directory authentication domain users and groups
  • AuthPoint users and groups

When you enable Mobile VPN with SSL, the Firebox automatically creates a default user group named SSLVPN-Users. In the Mobile VPN with SSL configuration, you select from a list of users or groups on the authentication servers you previously added. Users and groups you select are automatically added to the SSLVPN-Users group.

When you save the Mobile VPN with SSL configuration, the Firebox creates or updates the Allow SSLVPN-Users policy to apply to the groups and users you configured for authentication. The group and user names you added do not appear in the From list in the Allow SSLVPN-Users policy. Instead, the single group name SSLVPN-Users appears. However, this policy does apply to all users and groups you added in the Mobile VPN with SSL configuration.

Edit the Virtual IP Address Pool

The virtual IP address pool is the group of private IP addresses the Firebox assigns to Mobile VPN with SSL users. The default virtual IP address pool is 192.168.113.0/24. To add a different pool, you must first remove the default pool. You cannot configure more than one pool for Mobile VPN with SSL.

Follow these best practices:

  • Make sure that the virtual IP address pool does not overlap with any other IP addresses in the Firebox configuration.
  • Make sure that the virtual IP address pool does not overlap with networks protected by the Firebox, any network accessible through a route or BOVPN, or IP addresses assigned by DHCP to a device behind the Firebox.
  • If your company has multiple sites with mobile VPN configurations, make sure each site has a virtual IP address pool for mobile VPN clients that does not overlap with pools at other sites.
  • Do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 for mobile VPN virtual IP address pools. These ranges are commonly used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you migrate to a new local network range.
  • If FireCluster is enabled, the virtual IP address pool cannot be on the same subnet as a primary cluster IP address.
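The overlap and address rules above (and the public-address requirement for the Firebox address in the Firebox Addresses section) can be checked before you save the configuration. The following script is an added example, not WatchGuard code, and uses only constructed sample networks; it takes the networks you already know the Firebox uses (trusted networks, routes, BOVPN remote networks, DHCP scopes) as plain CIDR strings.

```python
import ipaddress

# Common home-network ranges the topic says to avoid for a mobile VPN pool.
HOME_RANGES = [ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("192.168.1.0/24")]

def check_virtual_ip_pool(pool, configured_networks, cluster_ips=()):
    """Return a list of best-practice violations for a candidate Mobile VPN with SSL pool.

    pool: the virtual IP address pool as CIDR text, for example "192.168.113.0/24".
    configured_networks: CIDRs the Firebox already uses (trusted/optional networks,
        static routes, BOVPN remote networks, DHCP scopes).
    cluster_ips: primary FireCluster interface addresses with prefix (e.g. "10.0.50.1/24"),
        only if FireCluster is enabled.
    """
    pool_net = ipaddress.ip_network(pool, strict=False)
    problems = []
    for cidr in configured_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if pool_net.overlaps(net):
            problems.append(f"pool {pool_net} overlaps configured network {net}")
    for home in HOME_RANGES:
        if pool_net.overlaps(home):
            problems.append(f"pool {pool_net} overlaps common home range {home}")
    for ip in cluster_ips:
        iface = ipaddress.ip_interface(ip)
        if pool_net.overlaps(iface.network):
            problems.append(f"pool {pool_net} is on the same subnet as cluster IP {iface}")
    return problems

def check_firebox_address(address):
    """Flag a Firebox address that is not publicly reachable by SSL VPN clients.
    Domain names are returned as acceptable because they cannot be resolved offline."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return []  # a domain name; resolution is out of scope for this check
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return [f"{ip} is not a public address; use the external or NAT device public IP"]
    return []

if __name__ == "__main__":
    # Constructed example site: trusted network 10.0.1.0/24, BOVPN remote network 10.0.2.0/24.
    site_networks = ["10.0.1.0/24", "10.0.2.0/24"]
    for candidate in ("192.168.113.0/24", "10.0.2.0/24", "192.168.1.0/24"):
        print(candidate, check_virtual_ip_pool(candidate, site_networks) or "ok")
```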

Configure Advanced Settings

On the Advanced tab, you can configure these settings:

Deploy the Configuration

After you save changes to the Mobile VPN with SSL configuration, deploy the configuration. For more information, see Manage Device Configuration Deployment.

Download the VPN Client

After you deploy the configuration, download the WatchGuard Mobile VPN with SSL client. For more information, see Download, Install, and Connect the Mobile VPN with SSL Client.

See Also

Mobile VPN and Firewall Policies

About Mobile VPN for a Cloud-Managed Firebox

Manage Device Configuration Deployment