When you activate Mobile VPN with SSL, an SSLVPN-Users user group and a WatchGuard SSLVPN policy are automatically created to allow SSL VPN connections from the Internet to your external interface. You can use this group, or you can create new groups that match the user group names on your authentication servers.
When you enable a Management Tunnel over SSL on your WatchGuard Management Server, some of the SSL configuration settings are shared with Mobile VPN with SSL, because both features use the same OpenVPN server on the Firebox. While a Management Tunnel is enabled, these shared settings are managed by the Management Server and cannot be changed in the Mobile VPN with SSL configuration; change them in the device properties on the Management Server instead. The shared settings are the Firebox IP addresses, networking method, virtual IP address pool, VPN resources, data channel, and configuration channel. You also cannot disable the Firebox-DB authentication server, because Management Tunnel authentication requires it.
Before you configure Mobile VPN with SSL, decide how you want the XTM device to send traffic through the VPN tunnel. Based on the option you choose, you might need to make changes to your network configuration before you enable Mobile VPN with SSL.
You can configure Mobile VPN with SSL to use one of two methods to handle VPN traffic to your network:
Routed VPN Traffic
This is the default selection. With this option, the XTM device routes traffic from the VPN tunnel to all local networks or to specific network resources you specify.
If you select Routed VPN Traffic in the Mobile VPN with SSL configuration on an XTMv virtual machine, you must enable promiscuous mode on the attached virtual switch (vSwitch) in VMware.
Bridge VPN Traffic
This option enables you to bridge SSL VPN traffic to a trusted or optional network. When you select this option, you cannot filter traffic between the SSL VPN users and the network that the SSL VPN traffic is bridged to. When you bridge VPN traffic to a network, the SSL VPN users are in the same security zone as other users on the network that you bridge to, and the traffic for those mobile users is handled by the same security policies as traffic for other users on the bridged network. For example, if you bridge VPN traffic to a trusted interface, all policies that allow traffic for the "Any-Trusted" alias allow traffic for the users who connect to the network with Mobile VPN with SSL. The Bridge VPN Traffic option does not bridge SSL VPN traffic to any secondary networks on the selected network bridge.
The choice of interfaces you can bridge VPN traffic to depends on the version of Fireware XTM the device uses.
Do not change the interface that you used to log in to the Web UI to a bridge interface. This causes you to immediately lose the management connection to the device. If this happens, you must use a different configured interface to reconnect.
Use these steps to change the trusted or optional interface you use for management to a bridge interface:
For detailed instructions, see Create a Network Bridge Configuration.
In the Networking and IP Address Pool section, you configure the network resources that Mobile VPN with SSL clients can use.
Routed VPN traffic
For the Virtual IP Address Pool, keep the default setting of 192.168.113.0/24 or enter a different range. Type the IP address of the subnet in slash notation. IP addresses from this subnet are automatically assigned to Mobile VPN with SSL client connections. You cannot assign an IP address to a user.
The virtual IP addresses in this pool must not overlap any network protected by the XTM device, any network reachable through a static route or BOVPN, any address range the XTM device assigns by DHCP to devices behind it, or the address pools used for Mobile VPN with IPSec or Mobile VPN with PPTP.
Bridge VPN traffic
From the Bridge to interface drop-down list, select the name of the interface to bridge to. The choice of interfaces you can bridge VPN traffic to depends on the version of Fireware XTM the device uses.
For more information, see Before You Begin.
In the Start and End text boxes, type the first and last IP addresses in the range that you want to assign to Mobile VPN with SSL client connections. The Start and End IP addresses must be on the same subnet as the bridged interface.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
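The two address constraints above (a routed virtual IP pool must not overlap any network the XTM device already knows about; a bridged Start and End must lie on the bridged interface subnet) are easy to violate when a BOVPN or DHCP range is added later. The following Python script is an added example, not WatchGuard code and not anything the Firebox runs: it checks a proposed pool or range against an inventory of in-use networks with the standard ipaddress module. The network names, prefixes and pool values are constructed sample data.

```python
"""Added example (not WatchGuard code): validate a Mobile VPN with SSL
address pool against the networks the XTM device already uses.
All networks and pools here are constructed sample data."""
import ipaddress

# Constructed sample: address space already claimed behind or through the device.
# In routed mode the virtual IP pool must not overlap any of these.
IN_USE = {
    "trusted":      ipaddress.ip_network("10.0.1.0/24"),
    "optional":     ipaddress.ip_network("10.0.2.0/24"),
    "static-route": ipaddress.ip_network("10.10.0.0/16"),
    "bovpn-branch": ipaddress.ip_network("192.168.113.0/24"),  # collides with the default pool
    "dhcp-guest":   ipaddress.ip_network("172.16.50.0/24"),
    "ipsec-pool":   ipaddress.ip_network("192.168.114.0/24"),
}


def routed_pool_conflicts(pool, in_use=IN_USE):
    """Return the names of in-use networks that overlap the proposed virtual IP
    pool (given in slash notation). An empty list means the pool is usable."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    # overlaps() is symmetric: it catches a pool inside a route and a route inside the pool.
    return sorted(name for name, net in in_use.items() if pool_net.overlaps(net))


def bridge_range_ok(start, end, interface_subnet):
    """Bridge mode: Start and End must both lie on the bridged interface's subnet,
    and the range must not be inverted."""
    net = ipaddress.ip_network(interface_subnet, strict=False)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return first in net and last in net and first <= last


def check_pool(mode, **settings):
    """Dispatch on the networking method selected in the SSL VPN configuration.
    Returns (ok, reasons)."""
    if mode == "routed":
        conflicts = routed_pool_conflicts(settings["pool"])
        return (not conflicts, [f"overlaps {c}" for c in conflicts])
    if mode == "bridge":
        ok = bridge_range_ok(settings["start"], settings["end"], settings["interface_subnet"])
        return (ok, [] if ok else ["Start/End not on the bridged interface subnet"])
    raise ValueError("mode must be 'routed' or 'bridge'")


if __name__ == "__main__":
    # The default pool collides with the constructed BOVPN network above.
    print(check_pool("routed", pool="192.168.113.0/24"))
    print(check_pool("routed", pool="192.168.200.0/24"))
    print(check_pool("bridge", start="10.0.1.200", end="10.0.1.250", interface_subnet="10.0.1.0/24"))
    print(check_pool("bridge", start="10.0.1.200", end="10.0.2.10", interface_subnet="10.0.1.0/24"))
```

Feed IN_USE from whatever you consider authoritative for your network (the Firebox configuration export, your IPAM, the DHCP scopes) and run the routed check before changing the pool; the bridge check only confirms the range sits on the right subnet, it does not know whether those addresses are already handed out by DHCP on that interface.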
Next, you must configure the authentication settings. You can select one or more configured authentication servers to use. The server at the top of the list is the default server. The default server is used for authentication if the user does not specify the authentication server or domain in the Mobile VPN with SSL client.
Make sure you create a group on the server that has the same name as the name you added in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with SSL.
From the Mobile VPN with SSL
If you configure Mobile VPN with SSL to use more than one authentication server, users who do not use the default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Install and Connect the Mobile VPN with SSL Client.
The SSLVPN-Users group is added by default. You can also add the names of other groups and users that exist on your authentication server and that use Mobile VPN with SSL. For each group or user, select the authentication server where it exists, or select Any if the group exists on more than one authentication server. The group or user name you add must exist on the authentication server. Group and user names are case sensitive and must exactly match the name on your authentication server.
To add the users and groups to the Mobile VPN with SSL configuration:
To remove a user or group:
When you save the Mobile VPN with SSL configuration, the Allow SSLVPN-Users policy is created or updated to apply to the groups and users you configured for authentication. The group and user names you added do not appear in the From list in the Allow SSLVPN-Users policy. Instead, the single group name SSLVPN-Users appears. Even though the group and user names you added do not appear in the From list, this policy does apply to all users and groups you configured in the Mobile VPN with SSL authentication settings.
If you disable Mobile VPN with SSL, the Allow SSLVPN-Users policy and the SSLVPN-Users group are automatically removed.
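As an added check, not part of this page or of any WatchGuard tool, the following Python script compares the group and user entries configured for Mobile VPN with SSL against the group names exported from each authentication server. It separates an exact match from a case-only mismatch (which the device treats as a different name, so the fix is spelling rather than creating a group) and from a name that exists nowhere. The server names and group lists are constructed sample data, and the "Any" binding is modelled as "exists on at least one configured server".

```python
"""Added example (not WatchGuard code): audit the group and user entries in
the Mobile VPN with SSL authentication list against the names that actually
exist on each authentication server. Server names and group lists are
constructed sample data; in practice you would export them from Firebox-DB,
Active Directory or LDAP."""

# Constructed sample: groups as they exist on each configured server.
SERVER_GROUPS = {
    "Firebox-DB":       {"SSLVPN-Users", "vpn-admins"},
    "ad.example.com":   {"SSLVPN-Users", "Sales-VPN", "Engineering-VPN"},
    "ldap.example.com": {"sslvpn-users", "Engineering-VPN"},
}

# Constructed sample: (name, server) entries from the Mobile VPN with SSL
# authentication settings; server is a configured server name or "Any".
CONFIGURED = [
    ("SSLVPN-Users", "Any"),
    ("Sales-VPN", "ad.example.com"),
    ("sales-vpn", "ad.example.com"),        # differs only in case: a different name to the device
    ("Engineering-VPN", "ldap.example.com"),
    ("Contractors", "Any"),                 # exists on no server
]


def check_entry(name, server, server_groups=SERVER_GROUPS):
    """Classify one entry as 'ok', 'case-mismatch' or 'missing'.
    'Any' is modelled as: the name must exist on at least one server."""
    if server == "Any":
        candidates = server_groups
    else:
        candidates = {server: server_groups.get(server, set())}
    if any(name in groups for groups in candidates.values()):
        return "ok"
    # A case-only difference still fails on the device; report it separately so
    # the operator sees that the fix is spelling, not creating the group.
    folded = name.casefold()
    if any(folded in {g.casefold() for g in groups} for groups in candidates.values()):
        return "case-mismatch"
    return "missing"


def audit(configured=CONFIGURED, server_groups=SERVER_GROUPS):
    """Return {(name, server): status} for every configured entry."""
    return {(n, s): check_entry(n, s, server_groups) for n, s in configured}


def problems(configured=CONFIGURED, server_groups=SERVER_GROUPS):
    """Only the entries that would not match on the server they are bound to."""
    return {k: v for k, v in audit(configured, server_groups).items() if v != "ok"}


if __name__ == "__main__":
    for (name, server), status in audit().items():
        print(f"{name:<18} {server:<18} {status}")
```

Run this whenever a group is renamed on the directory side; the Mobile VPN with SSL entry is a string the device compares literally, so a rename in Active Directory silently breaks the binding until the configuration is updated.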
Select an authentication method to use to verify the integrity of tunnel traffic: MD5, SHA-1, SHA-256, or SHA-512. On a device that uses Fireware XTM v11.8.x or lower, SHA authentication is also available.
Select an algorithm to use to encrypt the traffic: Blowfish, DES, 3DES, AES (128 bit), AES (192 bit), or AES (256 bit). The algorithms appear in order from weakest to strongest, with the exception of Blowfish, which uses a 128-bit key.
For best performance, we recommend that you choose MD5 authentication with Blowfish encryption. Note, however, that MD5 is a deprecated hash and that DES, 3DES and Blowfish are 64-bit block ciphers; where the device and clients can afford it, SHA-256 authentication with AES (256 bit) encryption is the more conservative choice.
Select the protocol and port Mobile VPN with SSL uses to send data after a VPN connection is established. You can use the TCP or UDP protocol. Then, select a port. The default protocol and port for Mobile VPN with SSL is TCP port 443. This is also the standard protocol and port for HTTPS traffic. You can use port 443 for Mobile VPN with SSL as long as you do not use the same external IP address in an incoming HTTPS policy.
If you change the data channel to use a port other than 443, users must manually type this port in the Mobile VPN with SSL connection dialog box. For example, if you change the data channel to 444, and the XTM device IP address is 203.0.113.2, the user must type 203.0.113.2:444 instead of 203.0.113.2.
If the port is set to the default 443, the user must only type the XTM device’s IP address. It is not necessary to type :443 after the IP address.
For more information, see Choose the Port and Protocol for Mobile VPN with SSL.
Select the protocol and port Mobile VPN with SSL uses to negotiate the data channel and to download configuration files. If you set the data channel protocol to TCP, the configuration channel automatically uses the same port and protocol. If you set the data channel protocol to UDP, you can set the configuration channel protocol to TCP or UDP, and you can use a different port than the data channel.
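The following Python script is an added example, not WatchGuard code: it applies the channel rules above (a TCP data channel fixes the configuration channel to the same port and protocol; a UDP data channel leaves it free to be TCP or UDP on any port), checks both channels against a list of inbound policies that already listen on the external IP, and derives what users must type in the client. It generalizes the page's "port 443 versus an incoming HTTPS policy" case to any external IP, protocol and port combination already claimed by an inbound policy. The policy names and listeners are constructed sample data; the external addresses are the page's documentation addresses.

```python
"""Added example (not WatchGuard code): check the Mobile VPN with SSL data and
configuration channels against inbound policies that already listen on the
external IP, and work out what users must type in the client. Addresses and
policies are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    external_ip: str
    protocol: str  # "TCP" or "UDP"
    port: int


# Constructed sample: inbound policies already terminating on external IPs.
INBOUND_POLICIES = {
    "HTTPS-to-webserver": Listener("203.0.113.2", "TCP", 443),
    "SMTP-to-mailserver": Listener("203.0.113.2", "TCP", 25),
    "HTTPS-second-ip":    Listener("203.0.113.3", "TCP", 443),
}


def plan_channels(external_ip, data_proto, data_port,
                  config_proto=None, config_port=None, policies=INBOUND_POLICIES):
    """Apply the channel rules and report collisions.

    Returns a dict with the two Listener objects, the names of inbound policies
    that claim the same (ip, protocol, port) tuple for each channel, and the
    string a user types in the client (host only when the data port is 443,
    host:port otherwise)."""
    data_proto = data_proto.upper()
    config_proto = config_proto.upper() if config_proto else None
    if data_proto == "TCP":
        # TCP data channel: the configuration channel is fixed to the same port/protocol.
        if (config_proto, config_port) not in ((None, None), ("TCP", data_port)):
            raise ValueError("a TCP data channel forces the configuration channel to TCP on the same port")
        config_proto, config_port = "TCP", data_port
    elif data_proto == "UDP":
        # UDP data channel: the configuration channel may be TCP or UDP on any port.
        # Assumption for this example only: default to TCP on the data port if unspecified.
        config_proto = config_proto or "TCP"
        config_port = config_port or data_port
    else:
        raise ValueError("data channel protocol must be TCP or UDP")

    channels = {
        "data":   Listener(external_ip, data_proto, data_port),
        "config": Listener(external_ip, config_proto, config_port),
    }
    conflicts = {
        name: sorted(p for p, lst in policies.items() if lst == ch)
        for name, ch in channels.items()
    }
    client_target = external_ip if data_port == 443 else f"{external_ip}:{data_port}"
    return {"channels": channels, "conflicts": conflicts, "client_target": client_target}


if __name__ == "__main__":
    # Default TCP 443 on an IP that already has an HTTPS policy: collision.
    print(plan_channels("203.0.113.2", "TCP", 443))
    # Moving the data channel to 444 clears it; users must now type host:444.
    print(plan_channels("203.0.113.2", "TCP", 444))
    # UDP 443 does not collide with TCP HTTPS, but the config channel still needs a free port.
    print(plan_channels("203.0.113.2", "UDP", 443, "TCP", 4443))
```

The UDP case is the one that catches people: moving the data channel to UDP 443 does not collide with an HTTPS policy, but if the configuration channel is left on TCP 443 on the same external IP it still does, so check both listeners, not just the data channel.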
Specify the keep-alive interval: how often the XTM device sends traffic through the tunnel to keep it active when no other traffic is sent through the tunnel.
Specify the keep-alive timeout: how long the XTM device waits for a response to that traffic. If no response arrives before the timeout expires, the tunnel is closed and the client must reconnect.
Renegotiate Data Channel
If a Mobile VPN with SSL connection has been active for the amount of time specified in the Renegotiate Data Channel text box, the Mobile VPN with SSL client must create a new tunnel. The minimum value is 60 minutes.
DNS and WINS Servers
You can use DNS or WINS to resolve the IP addresses of resources that are protected by the XTM device. If you want the Mobile VPN with SSL clients to use a DNS or WINS server behind the XTM device instead of the servers assigned by the remote network they are connected to, type the domain name and IP addresses of the DNS and WINS servers on your network. For more information on DNS and WINS, see Name Resolution for Mobile VPN with SSL.
When you enable Mobile VPN with SSL, an Allow SSLVPN-Users policy is added. It automatically includes all users and groups in your Mobile VPN with SSL configuration, and it has no restrictions on the traffic that it allows from SSL clients to network resources protected by the XTM device. To restrict Mobile VPN with SSL client access, disable the Allow SSLVPN-Users policy. Then, add new policies to your configuration or add the group with Mobile VPN with SSL access to the From section of your policies.
If you assign addresses from a trusted network to Mobile VPN with SSL users, the traffic from the Mobile VPN with SSL user is not considered trusted. All Mobile VPN with SSL traffic is untrusted by default. Regardless of assigned IP address, you must create policies to allow Mobile VPN with SSL users access to network resources.
In this example, you use
For more information on policies, see Add Policies to Your Configuration.
To make a Mobile VPN with SSL connection, users must be members of the SSLVPN-Users group or any group you added to the Mobile VPN with SSL configuration. You can use policies with other groups to restrict access to resources after the user connects. If you added groups from a third-party authentication server in your Mobile VPN with SSL configuration, and you want to use those group names in policies to restrict access, you must also add those groups to the Authorized Users and Groups list in the Fireware XTM device configuration.
For more information, see Use Authorized Users and Groups in Policies.
After you add users or groups from the Mobile VPN with SSL configuration to the Authorized Users and Groups list, you can edit the automatically generated Allow SSLVPN-Users policy to apply to a specific group or user. For example, if you want the Allow SSLVPN-Users policy to apply to only the user group LDAP-Users1:
Install and Connect the Mobile VPN with SSL Client
Uninstall the Mobile VPN with SSL Client
Video tutorial — Mobile VPN with SSL