Firebox Mobile VPN with IPSec Integration with Microsoft Entra ID Users

This document describes how to set up Microsoft Entra ID authentication for Mobile VPN with IPSec.

Integration Summary

The hardware and software used in this guide include:

  • Microsoft Azure
  • Firebox with Fireware v12.10.2

Topology

This topology diagram shows the data flow for Microsoft Entra ID authentication with a WatchGuard Firebox and Microsoft Entra Domain Services.

Topology diagram

Before You Begin

Before you begin these procedures, make sure that:

  • You have a Microsoft Azure global administrator account within the Microsoft Entra ID tenant.
  • You have an active Microsoft Azure subscription.
  • You have created and configured Microsoft Entra Domain Services.

Additional charges might apply for the use of Microsoft Azure. To learn more about Microsoft Azure, go to What is Microsoft Entra Domain Services.

Configure Microsoft Azure

To configure a Microsoft Entra Domain Services managed domain, complete these steps:

  1. Configure Secure LDAP
  2. Configure a Security Rule in Microsoft Azure
  3. Add a Microsoft Entra ID Group and User

Configure Secure LDAP

To configure Secure LDAP:

  1. Log in to the Microsoft Azure portal with your Microsoft Azure account credentials.
  2. Click Resource Groups.
  3. Select your Microsoft Entra Domain Services resource group. The resource group is connected with the Microsoft Entra Domain Services managed domain you created.
  4. From the Resources list, click a resource with the Microsoft Entra Domain Services resource type.
    The Microsoft Entra Domain Services page opens for the domain name you created.

Screenshot of Azure, picture1

  5. Select Settings > Secure LDAP.
    The Secure LDAP settings page opens.

Screenshot of Azure, picture2

  6. Enable the Secure LDAP toggle.
  7. Enable the Allow Secure LDAP Access Over the Internet toggle.
  8. Next to the .PFX File with Secure LDAP Certificate text box, click the folder icon and upload your certificate. For information about how to create and export the certificate, go to Configure Secure LDAP in the Microsoft documentation.
  9. In the Password To Decrypt .PFX File text box, type the password.
  10. Click Save. It might take some time to save the changes.
    The status of the Secure LDAP parameter changes to Enabled.

Screenshot of Azure, picture3

  11. Select Properties.
    The Properties page opens.

Screenshot of Azure, picture4

  12. Copy the value of the Secure LDAP External IP Addresses parameter. You need this information when you configure the Firebox.

Configure a Security Rule in Microsoft Azure

To configure a security rule in Microsoft Azure:

  1. In the Microsoft Azure portal, click Resource Groups.
  2. Select your Microsoft Entra Domain Services resource group.
    The Resource Group page opens.

Screenshot of Azure, picture5

  3. From the Resources list, click a resource with the Network Security Group resource type.
    The Network Security Group page opens.
  4. Select Settings > Inbound Security Rules > Add.
    The Add Inbound Security Rules page opens.

Screenshot of Azure, picture6

  5. From the Source drop-down list, select IP Addresses.
  6. In the Source IP Addresses/CIDR Ranges text box, type the public IP address or range for your environment.
  7. From the Destination drop-down list, select Any.
  8. From the Service drop-down list, select Custom.
  9. In the Destination Port Ranges text box, type 636.
  10. For Protocol, select TCP.
  11. In the Priority text box, type a number from 100 through 4096. In our example, we type 311.
  12. In the Name text box, type a name.
  13. Keep the default values for all other settings.
  14. Click Add.
    The new security rule saves in Microsoft Azure.
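The security rule above is what keeps the managed domain's Secure LDAP endpoint (TCP 636) reachable only from your own public IP address or range; a rule whose source is Any or Internet exposes the directory's LDAPS port to everyone. The following Python check is an added example, not part of the WatchGuard guide: it audits rules in the JSON shape Azure returns for a security rule (for example from `az network nsg rule show`) and flags an open source, a non-TCP protocol, or an out-of-range priority. The two sample rules are constructed.

```python
"""Audit Azure NSG inbound rules for Secure LDAP (TCP 636) exposure. Added
example, not from the WatchGuard guide; rule JSON follows Azure's security-rule
resource shape (as returned by `az network nsg rule show`)."""
import ipaddress
import json

LDAPS_PORT = 636
OPEN_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}

def port_matches(spec: str, port: int) -> bool:
    """True if an Azure port spec ('636', '*' or '600-700') covers the port."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port

def audit_ldaps_rule(rule: dict) -> list:
    """Findings for one rule; empty unless it allows inbound traffic to 636."""
    p = rule["properties"]
    ports = p.get("destinationPortRanges") or [p.get("destinationPortRange", "")]
    if (p.get("direction"), p.get("access")) != ("Inbound", "Allow") \
            or not any(port_matches(s, LDAPS_PORT) for s in ports):
        return []
    findings = []
    if p.get("protocol") != "Tcp":  # the guide selects TCP only
        findings.append(f"protocol is {p.get('protocol')!r}, expected 'Tcp'")
    for src in p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "*")]:
        if src in OPEN_SOURCES:
            findings.append(f"LDAPS reachable from any source ({src})")
        else:
            try:
                ipaddress.ip_network(src, strict=False)  # a specific IP or CIDR
            except ValueError:
                findings.append(f"source {src!r} is not an IP address or CIDR")
    if not 100 <= p.get("priority", 0) <= 4096:
        findings.append(f"priority {p.get('priority')} outside 100-4096")
    return findings

# Constructed sample: the guide's rule scoped to one office IP, and a mis-scoped
# variant that exposes the managed domain's LDAPS endpoint to the whole Internet.
SAMPLE_RULES = json.loads("""[
 {"name": "AllowLDAPS-Office", "properties": {"priority": 311, "direction": "Inbound",
  "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.10/32",
  "destinationAddressPrefix": "*", "destinationPortRange": "636"}},
 {"name": "AllowLDAPS-Any", "properties": {"priority": 312, "direction": "Inbound",
  "access": "Allow", "protocol": "*", "sourceAddressPrefix": "Internet",
  "destinationAddressPrefix": "*", "destinationPortRange": "636"}}]""")
```

Run `audit_ldaps_rule` over each rule exported from the NSG; the first sample rule yields no findings, the second yields two.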

Add a Microsoft Entra ID Group and User

To add a Microsoft Entra ID group and user:

  1. On the Microsoft Azure Home page, in the search box, type Microsoft Entra ID.
  2. Select Microsoft Entra ID.
  3. Select Manage > Groups.
  4. Click + New Group.
    The New Group page opens.

Screenshot of Azure, picture7

  5. From the Group Type drop-down list, select Security.
  6. In the Group Name text box, type a group name.
  7. From the Membership Type drop-down list, select Assigned.
  8. Click Create.
  9. To add a user, select Manage > Users.
  10. Click + New user.
    The Create New User page opens.

Screenshot of Azure, picture8

  11. Enter the user details.

    The user you create must be a member of the Microsoft Entra ID group that you created.

  12. Click Create.

For cloud-only user accounts, users must change their passwords before they can use Microsoft Entra Domain Services. The password change process generates the password hashes for Kerberos and NTLM authentication and stores them in Microsoft Entra ID. The account is not synced from Microsoft Entra ID to Microsoft Entra Domain Services until the user changes the password. It might take a few minutes after the password change before the new password can be used in Microsoft Entra Domain Services.

Configure the Firebox

To configure the Firebox, complete these steps:

  1. Configure Active Directory Authentication
  2. Configure Mobile VPN with IPSec

Configure Active Directory Authentication

To configure Active Directory authentication, from Fireware Web UI:

  1. Log in to Fireware Web UI (https://<your Firebox IP address>:8080).
  2. Select Authentication > Servers.
    The Authentication Servers page opens.

Screenshot of Firebox, diagram1

  3. From the Authentication Servers list, click Active Directory.
    The Active Directory page opens.
  4. Click Add.
  5. Click Next.
    The Domain Name page opens.

Screenshot of Firebox, diagram2

  6. In the Domain Name text box, type the domain name for this Active Directory server. You cannot change the domain name after you save the settings.
  7. Click Next.
    The Active Directory Server page opens.

Screenshot of Firebox, diagram3

  8. In the Server Address text box, type or paste the Secure LDAP external IP address you copied in the Configure Secure LDAP section.
  9. Select the Enable Secure SSL Connections to Your Active Directory Server (LDAPS) check box.
  10. Click Next.
  11. Click Finish.

Configure Mobile VPN with IPSec

To configure Mobile VPN with IPSec, from Fireware Web UI:

  1. Select VPN > Mobile VPN.
  2. From the IPSec section, click Configure.

Screenshot of Firebox, diagram4

  3. To add a new group, click Add.
    The Add Mobile VPN with IPSec page opens.

Screenshot of Firebox, diagram5

  4. In the Name text box, type a group name that matches the name of the Microsoft Entra ID group you configured in the Add a Microsoft Entra ID Group and User section.
  5. From the Authentication Server drop-down list, select your authentication server. In this example, we select ecocdc.solutions.
  6. In the Passphrase and Confirm text boxes, type a passphrase to encrypt the mobile VPN profile (.wgx file) you distribute to users in this group. The passphrase can only use standard ASCII characters. If you use a certificate for authentication, this passphrase is also used to encrypt the exported certificate file you send to users.
  7. In the Primary text box, type the external IP address of the Firebox that the VPN client connects to.
  8. Select the Resources tab.
    The Resources page opens.

Screenshot of Firebox, diagram6

  9. Select the Allow All Traffic Through Tunnel check box.
  10. From the Virtual IP Address Pool section, click Add.
    The Add Address Pool page opens.

Screenshot of Firebox, diagram7

  11. From the Choose Type drop-down list, select Host Range IPv4.
  12. In the From and To text boxes, type a range for your virtual IP addresses. The range must not overlap your interface ranges, and the IP addresses in the virtual IP address pool cannot be used for anything else on your network.
  13. Click OK.
  14. Click Save.
    The Mobile VPN with IPSec page opens.

Screenshot of Firebox, diagram8

  15. From the Groups list, select your group.
  16. From the Client drop-down list, select WatchGuard Mobile VPN.
  17. Click Generate, then save the <group name>.ini file.
  18. Click Save.

Test the Integration

To test the integration of Microsoft Entra ID users with the WatchGuard Mobile VPN with IPSec client:

  1. Open your WatchGuard Mobile VPN with IPSec client.
  2. Select Configuration > Profiles.
  3. Click Add / Import.
  4. Select Profile Import.
  5. Click Next.
  6. Browse to the <group name>.ini file you generated in the Configure Mobile VPN with IPSec section.
  7. Click Next twice.
  8. Type your Microsoft Entra ID user name and password.
  9. Click Next.
  10. Click Finish.
  11. To close the profile page, click Cancel.
  12. Click the Connection toggle.
    You are connected successfully.

Screenshot of WatchGuard IPSec client