Endpoint Security Software or Device Policies Block Mobile VPN with SSL Traffic

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

Third-party security software installed on the same computer as the Mobile VPN with SSL client can sometimes block or disrupt VPN traffic. Common examples of third-party security software include antivirus or endpoint protection software, zero‑trust agents, and web content filters.

Third-party security software might inspect, filter, or block encrypted VPN traffic or install network drivers into the system. This can prevent the Mobile VPN with SSL client from establishing or maintaining an SSL VPN tunnel, which can cause Mobile VPN with SSL connection attempts to fail.

Symptoms

When local security software interferes with Mobile VPN with SSL traffic, you might experience these symptoms:

  • Mobile VPN with SSL connection attempts fail until users disable or bypass the security software.
  • The same Mobile VPN with SSL user can connect successfully from another device.
  • Other users can connect to the VPN without any issues.

Diagnostic Steps

To diagnose the issue on the affected computer, perform these steps:

  1. Identify all installed third-party security software, including antivirus products, endpoint protection software, zero‑trust agents, and web content filters.
  2. Temporarily disable individual security components, then try to connect with the Mobile VPN with SSL client.
  3. Review any firewall rules, TLS inspection settings, intrusion prevention controls, and traffic control policies that the third-party security software enforces.
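
The following PowerShell sketch gathers evidence for steps 1 and 3 without changing any settings. It is an added example, not WatchGuard tooling. It assumes a Windows client, a placeholder Firebox address (vpn.example.com), the default TCP 443 port, and a configuration channel that answers a TLS handshake on that port.

```powershell
# Added example: read-only checks, run on the affected Windows computer.
# Assumptions: vpn.example.com is a placeholder for your Firebox address; the
# port is the default TCP 443; the configuration channel answers a TLS handshake.
param(
    [string]$VpnHost = 'vpn.example.com',
    [int]$Port = 443,
    [string]$ExpectedThumbprint = ''   # thumbprint recorded on a device that connects
)

# Step 1: antivirus products registered with Windows Security Center (client
# editions only). Zero-trust agents and web filters may not register here.
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, pathToSignedProductExe

# TAP adapter state: a missing or disabled adapter suggests a driver conflict.
Get-NetAdapter -IncludeHidden | Where-Object InterfaceDescription -like '*TAP*' |
    Select-Object Name, InterfaceDescription, Status

# System log errors and warnings from the last day that mention the TAP adapter.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2, 3; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object Message -match 'TAP' | Select-Object TimeCreated, ProviderName, Id

# Step 3: is the outbound port reachable through the endpoint firewall policy?
$tcp = Test-NetConnection -ComputerName $VpnHost -Port $Port -WarningAction SilentlyContinue
"TCP $Port reachable: $($tcp.TcpTestSucceeded)"

# Step 3: read the certificate this computer actually receives. An issuer or
# thumbprint that differs from a working device points to local TLS inspection.
if ($tcp.TcpTestSucceeded) {
    $client = [System.Net.Sockets.TcpClient]::new($VpnHost, $Port)
    try {
        # Accept any certificate: the goal is to read it, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($VpnHost)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        "Issuer:     $($cert.Issuer)"
        "Thumbprint: $($cert.Thumbprint)"
        if ($ExpectedThumbprint -and $cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
            'MISMATCH: certificate differs from the one seen on a working device.'
        }
    }
    finally { $client.Dispose() }
}
```

Run the same script on a device where the user connects successfully to record the thumbprint, then pass that value as -ExpectedThumbprint on the affected computer.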

Possible Causes and Solutions

Possible Cause: Some third-party endpoint security products inspect encrypted traffic or install network drivers that conflict with VPN adapters.

Solution: Configure the third-party endpoint security software to trust the Mobile VPN with SSL client:

  • Add exclusions for the Mobile VPN with SSL client executable.
  • Add exclusions for VPN services and TAP adapter drivers.
  • Temporarily disable TLS inspection and web content filter controls for VPN traffic.

Possible Cause: Third-party endpoint policy blocks VPN traffic.

Solution: Some third-party endpoint security products block outbound VPN traffic by default.

To allow Mobile VPN with SSL connections:

  • Allow outbound connections on the TCP port that the configuration channel uses (default: TCP 443).
  • Allow outbound connections on the TCP or UDP port that the data channel uses (default: TCP 443).

For more information, go to Choose the Port and Protocol for Mobile VPN with SSL.

Related Log Messages

These Mobile VPN with SSL client log entries might indicate that endpoint security software blocks Mobile VPN with SSL traffic:

  • Certificate validation errors.
  • VPN driver or adapter initialization errors.
  • Repeated VPN connection attempts after traffic blocks occur.

Windows Event Viewer can show additional evidence of interference, such as:

  • Errors related to the TAP adapter or VPN services.
  • Warnings from third‑party endpoint protection.
  • Network stack messages that report packet loss or blocked connections.

Related Topics

About Mobile VPN with SSL

Troubleshoot Mobile VPN with SSL