Configure the XTM Device for Mobile VPN with SSL

Xavier Mustin

Administrator
Staff member
#1
When you activate Mobile VPN with SSL, an SSLVPN-Users user group and a WatchGuard SSLVPN policy are automatically created to allow SSL VPN connections from the Internet to your external interface. You can use this default group, or you can create new groups that match the user group names on your authentication servers.

Configure Connection Settings

  1. Select VPN > Mobile VPN > SSL.
    The Mobile VPN with SSL Configuration dialog box appears.
  2. Select the Activate Mobile VPN with SSL check box.
  3. In the Primary text box, type or select a public IP address or domain name.
    This is the IP address or domain name that Mobile VPN with SSL clients connect to by default. It can be an external IP address, a secondary external IP address, or an external VLAN. For a device in drop-in mode, use the IP address assigned to all interfaces.
  4. If your XTM device has more than one external address, in the Backup text box, type or select a different public IP address.
    This is the IP address that the Mobile VPN with SSL client connects to if it cannot establish a connection to the primary address. If you add a Backup IP address, make sure it is an IP address assigned to an XTM device external interface or VLAN.
Configure the Networking and IP Address Pool Settings

In the Networking and IP Address Pool section, you configure the network resources that Mobile VPN with SSL clients can use.
    1. In the Networking and IP Address Pool section, from the drop-down list, select the method the XTM device uses to send traffic through the VPN tunnel.
      • Select Bridge VPN Traffic to bridge SSL VPN traffic to a network you specify. When you select this option, you cannot filter traffic between the SSL VPN users and the network that the SSL VPN traffic is bridged to.
      • Select Routed VPN Traffic to route VPN traffic to specified networks and resources. This is the default for all WatchGuard XTM devices.
      If you select Routed VPN Traffic in the Mobile VPN with SSL configuration on an XTMv virtual machine, you must enable promiscuous mode on the attached virtual switch (vSwitch) in VMware.
    2. Select or clear the Force all client traffic through the tunnel check box.
      • To send all private network and Internet traffic through the tunnel, select Force all client traffic through tunnel.
        This option sends all external traffic through the XTM device policies you create and offers consistent security for mobile users. However, because it requires more processing power on the XTM device, access to Internet resources can be very slow for the mobile user.
        For information about how to allow clients to access the Internet when this option is selected, see Options for Internet Access Through a Mobile VPN with SSL Tunnel.
      • To send only private network information through the tunnel, clear the Force all client traffic through tunnel check box.
        This option gives your users better network speeds by routing only necessary traffic through the XTM device, but access to Internet resources is not restricted by the policies on your XTM device.
        1. To restrict Mobile VPN with SSL client access to only specified devices on your private network, select Specify allowed resources.
        2. Type the IP address of the network resource in slash notation and click Add.
    3. Configure the IP addresses the XTM device assigns to Mobile VPN with SSL client connections. The virtual IP addresses in this address pool cannot be part of a network protected by the XTM device, any network accessed through a route or BOVPN, assigned by DHCP to a device behind the XTM device, or used for Mobile VPN with IPSec or Mobile VPN with PPTP address pools. If FireCluster is enabled, the virtual IP address pool cannot be on the same subnet as a primary cluster IP address.
Routed VPN traffic
For the Virtual IP Address Pool, keep the default setting of 192.168.113.0/24, or enter a different range. Type the IP address of the subnet in slash notation. IP addresses from this subnet are automatically assigned to Mobile VPN with SSL client connections. You cannot assign an IP address to a user.
Bridge VPN traffic
From the Bridge to interface drop-down list, select the name of the interface to bridge to. In the Start and End text boxes, type the first and last IP addresses in the range that is assigned to the Mobile VPN with SSL client connections. The Start and End IP addresses must be on the same subnet as the bridged interface.
The Bridge to interface option does not bridge Mobile VPN with SSL traffic to any secondary networks on the selected interface.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
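The address-pool rules above are easy to get wrong on a device with several trusted networks, DHCP scopes and existing VPN pools. The following script is an added example, not code from the documentation or from WatchGuard: it checks a candidate routed-mode pool against each of the listed overlap rules (protected networks, routed or BOVPN networks, DHCP ranges, Mobile VPN with IPSec/PPTP pools, and the FireCluster primary-IP rule) and checks a bridge-mode Start/End range against the bridged interface. All networks in it are constructed sample values.

```python
# Added example, not from the original documentation: check a candidate Mobile
# VPN with SSL virtual IP pool against the overlap rules stated in the address
# pool step, and check a bridge-mode Start/End range against the bridged
# interface. All networks below are constructed sample values.
import ipaddress
from typing import Iterable, List


def pool_conflicts(pool: str,
                   protected: Iterable[str] = (),
                   routed_or_bovpn: Iterable[str] = (),
                   dhcp_ranges: Iterable[str] = (),
                   other_vpn_pools: Iterable[str] = (),
                   firecluster_primary_ips: Iterable[str] = ()) -> List[str]:
    """Return a list of conflicts for a routed-mode pool; an empty list means
    the pool is usable.

    pool, protected, routed_or_bovpn, other_vpn_pools: networks in slash notation.
    dhcp_ranges: "start-end" ranges the device's DHCP server hands out.
    firecluster_primary_ips: primary cluster interface addresses as "a.b.c.d/prefix".
    """
    cand = ipaddress.ip_network(pool, strict=False)
    problems = []
    for label, nets in (("protected network", protected),
                        ("routed/BOVPN network", routed_or_bovpn),
                        ("Mobile VPN with IPSec/PPTP pool", other_vpn_pools)):
        for n in nets:
            net = ipaddress.ip_network(n, strict=False)
            if cand.overlaps(net):
                problems.append(f"{cand} overlaps {label} {net}")
    for rng in dhcp_ranges:
        start, end = (ipaddress.ip_address(x.strip()) for x in rng.split("-", 1))
        # The ranges clash unless the DHCP range lies entirely below or above the pool.
        if not (end < cand.network_address or start > cand.broadcast_address):
            problems.append(f"{cand} overlaps DHCP range {rng}")
    for ip in firecluster_primary_ips:
        # FireCluster rule: the pool must not be on the same subnet as a primary cluster IP.
        if ipaddress.ip_interface(ip).network.overlaps(cand):
            problems.append(f"{cand} is on the same subnet as FireCluster primary IP {ip}")
    return problems


def bridge_range_ok(bridge_interface: str, start: str, end: str) -> bool:
    """Bridge mode: Start and End must both be host addresses on the subnet of
    the interface the VPN is bridged to, and Start must not be above End."""
    net = ipaddress.ip_interface(bridge_interface).network
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return (s <= e and s in net and e in net
            and s != net.network_address and e != net.broadcast_address)


if __name__ == "__main__":
    # Constructed configuration: trusted 10.0.1.0/24 with DHCP and a cluster IP,
    # a BOVPN to 10.20.0.0/16 and an existing IPSec pool on 192.168.114.0/24.
    print(pool_conflicts("192.168.113.0/24",            # the documented default pool
                         protected=["10.0.1.0/24"],
                         routed_or_bovpn=["10.20.0.0/16"],
                         dhcp_ranges=["10.0.1.100-10.0.1.200"],
                         other_vpn_pools=["192.168.114.0/24"],
                         firecluster_primary_ips=["10.0.1.2/24"]))
    print(pool_conflicts("10.0.1.0/25",                 # carved out of the trusted LAN: rejected
                         protected=["10.0.1.0/24"],
                         dhcp_ranges=["10.0.1.100-10.0.1.200"],
                         firecluster_primary_ips=["10.0.1.2/24"]))
    print(bridge_range_ok("10.0.1.1/24", "10.0.1.50", "10.0.1.60"))
```

Run it once with your own trusted networks, DHCP scopes and existing VPN pools before you save a non-default pool; the default 192.168.113.0/24 passes in the sample, while a pool carved out of the trusted LAN is reported three times (protected network, DHCP range, and FireCluster subnet).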
Configure Authentication Settings

Next, you must configure the authentication settings. You can select one or more configured authentication servers to use. The server at the top of the list is the default server. The default server is used for authentication if the user does not specify the authentication server or domain in the Mobile VPN with SSL client.
If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on that server with the same name as the group you add in the Mobile VPN with SSL configuration. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with SSL. For more information, see Configure the External Authentication Server.
Select Authentication Servers

From the Mobile VPN with SSL Configuration dialog box:
  1. Select the Authentication tab.
    A list of configured Authentication Servers appears.
  2. Select the check box for each authentication server you want to use for Mobile VPN with SSL user authentication. You can select any enabled authentication server: the internal XTM device database (Firebox-DB), or a RADIUS, VACMAN Middleware, SecurID, LDAP, or Active Directory server domain.
    Only enabled authentication servers and domains are listed. For information about supported authentication methods, see Authentication Server Types.
  3. If you selected more than one server, select the server you want to be the default server and click Make Default to move it to the top of the list.
    If a user does not specify the authentication server in the Username text box when they authenticate with the Mobile VPN with SSL client, Mobile VPN with SSL uses the default authentication server.
  4. You can select the Force users to authenticate after a connection is lost check box to require users to authenticate again after a Mobile VPN with SSL connection is disconnected. We recommend you select this check box if you use a two-factor authentication method with a one-time password, such as RADIUS, SecurID, or VASCO. If you do not force users to authenticate after a connection is lost, the automatic reconnection attempt can fail, because the Mobile VPN with SSL client tries to reconnect with the one-time password the user originally entered, which is no longer valid.
If you configure Mobile VPN with SSL to use more than one authentication server, users who do not use the default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Install and Connect the Mobile VPN with SSL Client.
Add Users and Groups

If you use the Firebox-DB for authentication you must use the default SSLVPN-Users group. If you use an authentication server other than Firebox-DB, you can use the default SSLVPN-Users group (if you also add that group on your authentication server) or you can add the name of users and groups that exist on your other authentication server.
The group SSLVPN-Users is created by default. You can add the names of other groups and users that use Mobile VPN with SSL. For each group or user, you can select a specific authentication server where the group exists, or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case sensitive and must exactly match the name on your authentication server.
To add the users and groups to the Mobile VPN with SSL configuration:
  1. Select Group or User to add a group or user.
  2. In the Name text box, type the name of the group or user. The name must match the name of a group or user on your authentication server.
  3. From the Authentication Server drop-down list, select the authentication server where the user or group exists. Or, select Any if the group can be used with all selected authentication servers.
  4. Click Add.
    The user or group is added to the Users and Groups list.
  5. Click OK to save the configuration settings.
To remove a user or group:
  1. Select the group or user in the list.
  2. Click Remove.
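Three of the rules above bite in practice: the top server is the default unless the user names another one, group names must match the authentication server exactly (case included), and a replayed one-time password fails on automatic reconnect. The script below is an added example, not the device's code or anything from the documentation; it models those rules on constructed data. The "domain\user" and "user@domain" syntaxes, the server names and the user and group data are this example's own assumptions.

```python
# Added example, not part of the original documentation: a small model of the
# authentication behaviour described above. The "domain\user" and "user@domain"
# forms, the server names and the user/group data are this example's own
# assumptions, constructed for the demonstration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AuthServer:
    name: str                         # as it appears in the server list, e.g. "Firebox-DB"
    groups: Dict[str, Set[str]]       # group name -> member user names, as stored on the server
    one_time_passwords: bool = False  # RADIUS/SecurID/VASCO-style OTP server
    used_otps: Set[str] = field(default_factory=set)

    def authenticate(self, user: str, password: str) -> bool:
        # Constructed rule: any non-empty password is accepted, but an OTP is
        # accepted once only, which is what makes a replayed OTP fail.
        if not password:
            return False
        if self.one_time_passwords:
            if password in self.used_otps:
                return False
            self.used_otps.add(password)
        return True


def split_username(raw: str) -> Tuple[str, Optional[str]]:
    """'ad.example.com\\bob' or 'bob@ad.example.com' -> ('bob', 'ad.example.com');
    a bare 'bob' -> ('bob', None). The two syntaxes are an assumption."""
    if "\\" in raw:
        domain, user = raw.split("\\", 1)
        return user, domain
    if "@" in raw:
        user, domain = raw.rsplit("@", 1)
        return user, domain
    return raw, None


def select_server(raw_username: str, servers: List[AuthServer]) -> Optional[AuthServer]:
    """The first server in the list is the default; a domain in the user name
    overrides it. A domain that matches no selected server selects nothing."""
    _, domain = split_username(raw_username)
    if domain is None:
        return servers[0] if servers else None
    return next((s for s in servers if s.name == domain), None)


def vpn_groups_for(raw_username: str, servers: List[AuthServer],
                   vpn_groups: Dict[str, Optional[str]]) -> List[str]:
    """vpn_groups maps each group in the Mobile VPN with SSL configuration to the
    server it is bound to (None means Any). Group names are compared exactly,
    so 'sslvpn-users' never matches 'SSLVPN-Users'."""
    user, _ = split_username(raw_username)
    server = select_server(raw_username, servers)
    if server is None:
        return []
    return [g for g, bound in vpn_groups.items()
            if bound in (None, server.name) and user in server.groups.get(g, set())]


def reconnect(server: AuthServer, user: str, cached_password: str,
              force_reauth: bool, fresh_password: str) -> bool:
    """Automatic reconnect after a dropped tunnel. Without the 'Force users to
    authenticate after a connection is lost' option the client replays the
    cached password; with it, the user is prompted and supplies a fresh one."""
    return server.authenticate(user, fresh_password if force_reauth else cached_password)


# Constructed sample: three selected servers, Firebox-DB at the top (default).
SERVERS = [
    AuthServer("Firebox-DB", {"SSLVPN-Users": {"alice"}}),
    AuthServer("ad.example.com", {"SSLVPN-Users": {"bob"}, "VPN-Admins": {"bob"}}),
    AuthServer("RADIUS", {"SSLVPN-Users": {"carol"}}, one_time_passwords=True),
]
VPN_GROUPS = {"SSLVPN-Users": None, "VPN-Admins": "ad.example.com"}

if __name__ == "__main__":
    print(select_server("bob", SERVERS).name)                     # Firebox-DB (the default)
    print(vpn_groups_for("bob", SERVERS, VPN_GROUPS))             # [] : bob is not in Firebox-DB
    print(vpn_groups_for("bob@ad.example.com", SERVERS, VPN_GROUPS))
    radius = SERVERS[2]
    radius.authenticate("carol", "482913")                        # first login with an OTP
    print(reconnect(radius, "carol", "482913", False, "771204"))  # replayed OTP: False
    print(reconnect(radius, "carol", "482913", True, "771204"))   # fresh OTP: True
```

The `bob` case is the one that generates help-desk tickets: a valid Active Directory user who types only the user name is authenticated against the default server, where the account does not exist, and is refused. Either put the server most users belong to at the top of the list or teach users the domain syntax.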
The Allow SSLVPN-Users Policy and Mobile VPN with SSL Groups and Users

When you save the Mobile VPN with SSL configuration, the Allow SSLVPN-Users policy is created or updated to apply to the groups and users you configured for authentication. The group and user names you added do not appear in the From list in the Allow SSLVPN-Users policy. Instead, the single group name SSLVPN-Users appears. Even though the group and user names you added do not appear in the From list, this policy does apply to all users and groups you configured in the Mobile VPN with SSL authentication settings.
Configure Advanced Settings for Mobile VPN with SSL

  1. Select VPN > Mobile VPN > SSL.
    The Mobile VPN with SSL Configuration dialog box appears.
  2. Select the Advanced tab.
  3. Configure the advanced settings:
Authentication
Select the authentication method used to establish the connection: MD5, SHA, SHA-1, SHA-256, or SHA-512.
Encryption
Select an algorithm to use to encrypt the traffic: Blowfish, DES, 3DES, AES (128 bit), AES (192 bit), or AES (256 bit). The algorithms appear in order from weakest to strongest, with the exception of Blowfish, which uses a 128-bit key.
For best performance with a high level of encryption, WatchGuard's guidance here is MD5 authentication with Blowfish encryption. Both are now legacy choices: MD5 is no longer collision resistant, and Blowfish's 64-bit block size limits how much data a single key should protect. Unless a measured performance problem forces the trade-off, select SHA-256 or SHA-512 with AES (256 bit).
Data channel
Select the protocol and port Mobile VPN with SSL uses to send data after a VPN connection is established. You can use the TCP or UDP protocol. Then, select a port. The default protocol and port for Mobile VPN with SSL is TCP port 443, which is also the standard protocol and port for HTTPS traffic. You can use port 443 for Mobile VPN with SSL as long as you do not use the same external IP address in an incoming HTTPS policy.
If you change the data channel to use a port other than 443, users must type this port in the Mobile VPN with SSL connection dialog box. For example, if you change the data channel to 444, and the XTM device IP address is 203.0.113.2, the user must type 203.0.113.2:444 instead of 203.0.113.2.
If the port is set to the default 443, the user only has to type the XTM device IP address. It is not necessary to type :443 after the IP address.
For more information, see Choose the Port and Protocol for Mobile VPN with SSL.
Configuration channel
Select the protocol and port Mobile VPN with SSL uses to negotiate the data channel and to download configuration files. If you set the data channel protocol to TCP, the configuration channel automatically uses the same port and protocol. If you set the data channel protocol to UDP, you can set the configuration channel protocol to TCP or UDP, and you can use a different port than the data channel.
Keep-alive
Specify how often the XTM device sends traffic through the tunnel to keep the tunnel active when there is no other traffic sent through the tunnel.
Timeout
Specify how long the XTM device waits for a response. If there is no response before the timeout value, the tunnel is closed and the client must reconnect.
Renegotiate Data Channel
If a Mobile VPN with SSL connection has been active for the amount of time specified in the Renegotiate Data Channel text box, the Mobile VPN with SSL client must create a new tunnel. The minimum value is 60 minutes.
DNS and WINS Servers
You can use DNS or WINS to resolve the IP addresses of resources that are protected by the XTM device. If you want the Mobile VPN with SSL clients to use a DNS or WINS server behind the XTM device instead of the servers assigned by the remote network they are connected to, type the domain name and IP addresses of the DNS and WINS servers on your network. For more information on DNS and WINS, see Name Resolution for Mobile VPN with SSL.
Restore Defaults
Click to reset the Advanced tab settings to their default values. All DNS and WINS server information on the Advanced tab is deleted.
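The data channel and configuration channel rules above interact with what users type into the client and with any HTTPS policy on the same external address. The script below is an added example, not part of the documentation or the device software: it parses the client target (using the text's 203.0.113.2 example), derives the configuration channel from the data channel, and flags the settings that conflict with the stated rules. The HTTPS-policy list and the "legacy algorithm" warning are this example's own constructed checks.

```python
# Added example, not from the original documentation: parse what a user types
# into the Mobile VPN with SSL client and sanity-check the data and
# configuration channel settings described above. 203.0.113.2 is the address
# used in the text; the HTTPS-policy list and the "legacy algorithm" warning are
# this example's own constructed checks.
from typing import List, Optional, Tuple

DEFAULT_PORT = 443
LEGACY_AUTH = {"MD5", "SHA", "SHA-1"}
LEGACY_CIPHERS = {"DES", "3DES", "BLOWFISH"}


def parse_client_target(text: str) -> Tuple[str, int]:
    """'203.0.113.2' -> ('203.0.113.2', 443); '203.0.113.2:444' -> ('203.0.113.2', 444).
    Assumes an IPv4 address or host name (an IPv6 literal would need brackets)."""
    text = text.strip()
    host, sep, port = text.rpartition(":")
    if not sep:
        return text, DEFAULT_PORT
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port in {text!r}")
    return host, int(port)


def client_target(external_ip: str, data_port: int) -> str:
    """What the user types: the bare address on the default port, address:port otherwise."""
    return external_ip if data_port == DEFAULT_PORT else f"{external_ip}:{data_port}"


def effective_config_channel(data_proto: str, data_port: int,
                             config_proto: Optional[str],
                             config_port: Optional[int]) -> Tuple[str, int]:
    """With a TCP data channel the configuration channel uses the same port and
    protocol; with a UDP data channel the configured channel (TCP or UDP, any
    port) is used and must be given."""
    if data_proto.upper() == "TCP":
        return "TCP", data_port
    if config_proto is None or config_port is None:
        raise ValueError("a UDP data channel needs an explicit configuration channel")
    return config_proto.upper(), config_port


def check_advanced(data_proto: str, data_port: int,
                   config_proto: Optional[str], config_port: Optional[int],
                   auth: str, cipher: str, renegotiate_minutes: int,
                   external_ip: str, https_policy_ips: List[str]) -> List[str]:
    """Return warnings for settings that conflict with the rules in the text."""
    warnings = []
    data_proto = data_proto.upper()
    # With TCP, the configuration channel cannot be set independently.
    if data_proto == "TCP" and config_proto is not None and \
            (config_proto.upper(), config_port) != ("TCP", data_port):
        warnings.append("TCP data channel: the configuration channel uses the same TCP port")
    # Port 443 may be shared with HTTPS only on a different external address.
    if data_proto == "TCP" and data_port == 443 and external_ip in https_policy_ips:
        warnings.append(f"TCP 443 on {external_ip} is already used by an incoming HTTPS policy")
    if renegotiate_minutes < 60:
        warnings.append("Renegotiate Data Channel: minimum value is 60 minutes")
    # This example's own judgement, not a device rule: see the Authentication/Encryption notes.
    if auth.upper() in LEGACY_AUTH or cipher.upper() in LEGACY_CIPHERS:
        warnings.append("legacy authentication or encryption algorithm selected")
    return warnings


if __name__ == "__main__":
    print(parse_client_target("203.0.113.2:444"))
    print(client_target("203.0.113.2", 444))
    print(effective_config_channel("TCP", 444, "UDP", 1194))     # ('TCP', 444): config follows data
    print(check_advanced("TCP", 443, None, None, "SHA-256", "AES (256 bit)", 480,
                         "203.0.113.2", []))                       # []
    print(check_advanced("TCP", 443, "UDP", 1194, "MD5", "Blowfish", 30,
                         "203.0.113.2", ["203.0.113.2"]))          # four warnings
```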
Configure Policies to Control Mobile VPN with SSL Client Access

When you enable Mobile VPN with SSL, an Allow SSLVPN-Users policy is added. It automatically includes all users and groups in your Mobile VPN with SSL configuration, and it has no restrictions on the traffic that it allows from SSL clients to network resources protected by the XTM device. To restrict Mobile VPN with SSL client access, disable the Allow SSLVPN-Users policy. Then, add new policies to your configuration or add the group with Mobile VPN with SSL access to the From section of your policies.
If you assign addresses from a trusted network to Mobile VPN with SSL users, the traffic from the Mobile VPN with SSL user is not considered trusted. All Mobile VPN with SSL traffic is untrusted by default. Regardless of assigned IP address, you must create policies to allow Mobile VPN with SSL users access to network resources.
Allow Mobile VPN with SSL Users to Access a Trusted Network

In this example, you use Policy Manager to add an Any policy which gives all members of the SSLVPN-Users group full access to resources on all trusted networks.
  1. Click the Add Policies icon, or select Edit > Add Policies.
    The Add Policies dialog box appears.
  2. Expand the Packet Filters folder.
    A list of templates for packet filters appears.
  3. Select Any.
  4. Click Add.
    The New Policy Properties dialog box opens.
  5. In the Name text box, type a name for the policy. Choose a name that will help you identify this policy in your configuration.
  6. On the Policy tab, in the From section, select Any-Trusted and click Remove.
  7. In the From section, click Add.
    The Add Address dialog box appears.
  8. Click Add User. From the two Type drop-down lists, select SSL VPN for the first and Group for the second.
  9. Select SSLVPN-Users and click Select.
    The name of the authentication method appears in parentheses after SSLVPN-Users.
  10. Click OK to close the Add Address dialog box.
  11. In the To section, select Any-External and click Remove.
  12. In the To section, click Add.
    The Add Address dialog box appears.
  13. From the Available Members list, select Any-Trusted and click Add.
  14. Click OK twice. Click Close.
  15. Save the changes to the XTM device.
For more information on policies, see Add Policies to Your Configuration.
Use Other Groups or Users in a Mobile VPN with SSL Policy

To make a Mobile VPN with SSL connection, users must be a member of the SSLVPN-Users group or of any group you added to the Mobile VPN with SSL configuration. You can use policies with other groups to restrict access to resources after the user connects. If you added groups from a third-party authentication server in your Mobile VPN with SSL configuration, and you want to use those group names in policies to restrict access, you must also add those groups to the Authorized Users and Groups list in the Fireware XTM device configuration. To do this, select Setup > Authentication > Authorized Users/Groups.
For more information, see Use Authorized Users and Groups in Policies.
After you add users or groups from the Mobile VPN with SSL configuration to the Authorized Users and Groups list, you can edit the automatically generated Allow SSLVPN-Users policy to apply to a specific group or user. For example, if you want the Allow SSLVPN-Users policy to apply to only the user group LDAP-Users1:
  1. Select Setup > Authentication > Authorized Users/Groups.
  2. Add the LDAP-Users1 group that you added to the Mobile VPN with SSL configuration. When you add the group, make sure you set the Auth Server to LDAP.
  3. Edit the Allow SSLVPN-Users policy.
  4. In the From section, remove the SSLVPN-Users group.
  5. In the From section, select Add.
    The Add Address dialog box appears.
  6. Select Add Other.
    The Add Member dialog box appears.
  7. From the Choose Type drop-down list, select Custom Address.
  8. From the User/Group drop-down list, select and add the LDAP-Users1 group.
  9. Click OK.
    The Allow SSLVPN-Users policy now applies only to the LDAP-Users1 group.
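Two points in the policy sections above are worth seeing in executable form: Mobile VPN with SSL traffic never matches Any-Trusted, whatever address the client was assigned, so it gets access only through its SSL VPN user or group; and the auto-generated Allow SSLVPN-Users policy can be narrowed to one group such as LDAP-Users1. The model below is an added example and not the XTM device's policy engine; the "<auth type>:<User|Group>:<name>" member strings, the flow fields and the sample policies are this example's own constructed representation.

```python
# Added example, not the XTM device's own policy engine: a simplified model of
# how a policy's From/To members match Mobile VPN with SSL traffic. Member
# strings of the form "<auth type>:<User|Group>:<name>" and the flow fields are
# this example's own representation. It illustrates two points from the text:
# VPN traffic is never "Any-Trusted" whatever address the client holds, and the
# Allow SSLVPN-Users policy can be narrowed to one group such as LDAP-Users1.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    ingress: str                      # "trusted", "external" or "sslvpn"
    dst_zone: str                     # "trusted" or "external"
    user: str = ""
    groups: Tuple[str, ...] = ()
    auth_types: Tuple[str, ...] = ()  # e.g. ("SSL VPN", "LDAP"): SSL VPN session, LDAP server


@dataclass
class Policy:
    name: str
    from_members: List[str]   # "Any", "Any-Trusted", "SSL VPN:Group:SSLVPN-Users", ...
    to_members: List[str]     # "Any", "Any-Trusted", "Any-External"
    enabled: bool = True


def alias_matches(member: str, zone: str) -> bool:
    return member == "Any" or (member.startswith("Any-") and member[4:].lower() == zone)


def from_matches(member: str, f: Flow) -> bool:
    if ":" not in member:
        # An SSL VPN flow has ingress "sslvpn", so Any-Trusted never matches it,
        # even when src_ip lies inside a trusted subnet.
        return alias_matches(member, f.ingress)
    auth_type, kind, name = member.split(":", 2)
    if auth_type not in f.auth_types:
        return False
    return f.user == name if kind == "User" else name in f.groups   # exact, case-sensitive


def first_allow(policies: List[Policy], f: Flow) -> Optional[str]:
    """Name of the first enabled policy whose From and To both match, else None."""
    for p in policies:
        if p.enabled and any(from_matches(m, f) for m in p.from_members) \
                and any(alias_matches(m, f.dst_zone) for m in p.to_members):
            return p.name
    return None


def sample_policies(restrict_to_ldap_group: bool = False) -> List[Policy]:
    """Constructed configuration: the auto-generated policy (optionally narrowed
    to LDAP-Users1 as in the procedure above), the SSLVPN-Users to Any-Trusted
    policy from the earlier procedure, and an ordinary outbound policy."""
    auto_from = ["LDAP:Group:LDAP-Users1"] if restrict_to_ldap_group \
        else ["SSL VPN:Group:SSLVPN-Users"]
    return [
        Policy("Allow SSLVPN-Users", auto_from, ["Any"]),
        Policy("SSLVPN-to-Trusted", ["SSL VPN:Group:SSLVPN-Users"], ["Any-Trusted"]),
        Policy("Outgoing", ["Any-Trusted"], ["Any-External"]),
    ]


if __name__ == "__main__":
    # alice's VPN address was taken from the trusted range, yet she is not "trusted".
    alice = Flow("10.0.1.77", "sslvpn", "trusted", "alice", ("SSLVPN-Users",), ("SSL VPN", "Firebox-DB"))
    print(first_allow(sample_policies(), alice))                               # Allow SSLVPN-Users
    print(first_allow([Policy("Trusted-only", ["Any-Trusted"], ["Any"])], alice))  # None
    narrowed = sample_policies()
    narrowed[0].enabled = False                                                 # as the text advises
    print(first_allow(narrowed, alice))                                         # SSLVPN-to-Trusted
    bob = Flow("192.168.113.5", "sslvpn", "trusted", "bob", ("SSLVPN-Users", "LDAP-Users1"), ("SSL VPN", "LDAP"))
    print(first_allow(sample_policies(True), alice), first_allow(sample_policies(True), bob))
```

Note the fourth check in the tests: once Allow SSLVPN-Users is disabled, a VPN client headed for the Internet matches nothing, which is exactly the situation the Force all client traffic through the tunnel option creates unless you add an outbound policy for the SSL VPN group.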