Configure Mobile VPN with SSL for a Cloud-Managed Firebox

Applies To: Cloud-managed Fireboxes

Your mobile users can connect to your company network through a secure WatchGuard VPN.

On a cloud-managed Firebox, you can configure Mobile VPN with SSL, which provides good performance and security. This VPN type uses Transport Layer Security (TLS) to secure the VPN connection and a default port (TCP 443) that is usually open on most networks.

To connect to the VPN, your users must have a VPN client. Users can download the WatchGuard SSL VPN client from software.watchguard.com or from the Firebox. As an administrator, you can also download the client from WatchGuard Cloud. The WatchGuard VPN client runs on Windows and macOS computers. To connect from Android or iOS, your users can download an OpenVPN client from an app store.

This topic explains how to:

Before You Begin

Before you enable Mobile VPN with SSL in WatchGuard Cloud, make sure to configure a way for users to authenticate to the VPN. Mobile VPN with SSL supports these authentication methods:

  • Firebox authentication database (Firebox-DB)
  • RADIUS
  • AuthPoint

For information about how to configure authentication, see Authentication Methods for Mobile VPN.

Enable Mobile VPN with SSL

To enable Mobile VPN with SSL, from WatchGuard Cloud:

  1. Select Configure > Devices.
  2. Select your cloud-managed Firebox.
  3. Click Device Configuration.
  4. In the VPN section, click the Mobile VPN tile.
    The Select VPN page opens.

Screen shot of a page that describes each Mobile VPN type

  1. Click SSL.
    The Mobile VPN with SSL page opens.
  2. Enable Mobile VPN with SSL.

Screen shot of the toggle that enables Mobile VPN with SSL

Add Firebox Addresses

In the Firebox Addresses section, add an IP address or domain name for connections from SSL VPN clients to your Firebox.

If you enter an IP address, make sure it is one of these:

If your Firebox is located behind a NAT device, enter the public IP address or domain name of the NAT device. For information about NAT, see About Network Address Translation (NAT).

Add Authentication Domains

By default, Mobile VPN with SSL uses the Firebox database (Firebox-DB) for user authentication. You can also use Active Directory, RADIUS, and AuthPoint.

Before you can add an authentication domain to the Mobile VPN with SSL configuration, you must first configure one or more user authentication methods. For more information about Mobile VPN authentication, see Authentication Methods for Mobile VPN.

To use AuthPoint for Mobile VPN user authentication on a cloud-managed Firebox, you must first add the Firebox as an AuthPoint resource, which requires Fireware v12.7 or higher.

Add Users and Groups

After you select the authentication domains, select users and groups that can use the VPN to connect to network resources protected by the Firebox. You can select these types of users and groups:

  • Firebox Database (Firebox-DB) users and groups
  • RADIUS authentication domain users and groups
  • Active Directory authentication domain users and groups
  • AuthPoint users and groups

When you enable Mobile VPN with SSL, the Firebox automatically creates a default user group named SSLVPN-Users. In the Mobile VPN with SSL configuration, you select from a list of users or groups on the authentication servers you previously added. Users and groups you select are automatically added to the SSLVPN-Users group.

When you save the Mobile VPN with SSL configuration, the Firebox creates or updates the Allow SSLVPN-Users policy to apply to the groups and users you configured for authentication. The group and user names you added do not appear in the From list in the Allow SSLVPN-Users policy. Instead, the single group name SSLVPN-Users appears. However, this policy does apply to all users and groups you added in the Mobile VPN with SSL configuration.

Edit the Virtual IP Address Pool

The virtual IP address pool is the group of private IP address the Firebox assigns to Mobile VPN with SSL users. The default virtual IP address pool is 192.168.113.0/24. To add a different pool, you must first remove the default pool. You can cannot configure more than one pool for Mobile VPN with SSL.

Follow these best practices:

  • Make sure that the virtual IP address pool does not overlap with any other IP addresses in the Firebox configuration.
  • Make sure that the virtual IP address pool does not overlap with networks protected by the Firebox, any network accessible through a route or BOVPN, or IP addresses assigned by DHCP to a device behind the Firebox.
  • If your company has multiple sites with mobile VPN configurations, make sure each site has a virtual IP address pool for mobile VPN clients that does not overlap with pools at other sites.
  • Do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 for mobile VPN virtual IP address pools. These ranges are often used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you migrate to a new local network range.
  • A virtual IP address pool cannot be on the same subnet as a primary FireCluster IP address.

Configure Advanced Settings

On the Advanced tab, you can configure these settings:

Deploy the Configuration

After you save changes to the Mobile VPN with SSL configuration, deploy the configuration. For more information, see Manage Device Configuration Deployment

Download the VPN Client

After you deploy the configuration, download the WatchGuard Mobile VPN with SSL client. For more information, see Download, Install, and Connect the Mobile VPN with SSL Client.

Related Topics

Mobile VPN and Firewall Policies

About Mobile VPN for a Cloud-Managed Firebox

Manage Device Configuration Deployment