Use Authentication to Restrict Incoming Connections

One function of the authentication settings on your Firebox is to restrict outgoing connections. You can also use authentication to restrict incoming network connections. When you have a user account on the Firebox, and the Firebox has a public external IP address, you can authenticate to the Firebox from a computer external to the Firebox network. For example, you can type this address in your web browser to authenticate: https://<IP address of the Firebox external interface>:4100/.

For greater security, we recommend these settings in the WatchGuard Authentication policy:

After you authenticate, you can connect to the network behind the Firebox, based on the access rules defined in the policies that are configured on the Firebox. For more information about authenticated access, see the Use Authentication for Connections to Internal Resources section.

Use Authentication for Connections to Internal Resources

A VPN is the most secure way for users to connect to internal resources. If you cannot connect with a VPN, you can provide authenticated access to internal resources. For example, you can configure an RDP policy that applies only to authenticated users.

Before you begin, make sure the WatchGuard Authentication (WG-Auth) policy allows incoming connections from external users. To enable a remote user to authenticate from an external network, see the previous section.

You now have two policies:

  • A WatchGuard Authentication (WG-Auth) policy that allows users to authenticate to the Firebox at https://[external IP address or domain name]:4100
  • An RDP policy that allows only User1 to access the computer at 10.0.1.2 with RDP.

This is just one example of authenticated access. You can add more users, configure policies for different services, and configure access to different networks.

Use Authentication Through a Gateway Firebox

The gateway Firebox is the WatchGuard Firebox that you place in your network to protect your Management Server from the Internet.

For more information, go to About the Gateway Firebox.

To send an authentication request through a gateway Firebox to a different device, you must have a policy that allows the authentication connections on the gateway device. If authentication connections are denied on the gateway device, you can add the WG-Auth policy. This policy controls connections on TCP port 4100. You must configure the policy to allow connections to the IP address of the destination device.
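The following Python model is an added illustration, not WatchGuard code: it walks through the two policies from the previous section (WG-Auth on TCP 4100, RDP to 10.0.1.2 for User1 only) and the gateway rule described here. It assumes RDP on TCP 3389, that an authenticated session is bound to the client's source IP, and uses constructed addresses.

```python
from dataclasses import dataclass, field

AUTH_PORT = 4100        # WG-Auth policy controls TCP 4100 (from the page)
RDP_PORT = 3389         # standard RDP port (assumption; the page names no port)
RDP_HOST = "10.0.1.2"   # host named in the RDP policy

@dataclass
class Firebox:
    """First matching policy decides, default deny; sessions bound to source IP (assumption)."""
    external_ip: str
    sessions: dict = field(default_factory=dict)  # src_ip -> username

    def check(self, src_ip, dst_ip, dst_port):
        # WG-Auth policy: any external host may reach the portal on :4100.
        if dst_ip == self.external_ip and dst_port == AUTH_PORT:
            return "allow"
        # RDP policy: applies only to the authenticated user User1.
        if dst_ip == RDP_HOST and dst_port == RDP_PORT:
            return "allow" if self.sessions.get(src_ip) == "User1" else "deny"
        return "deny"  # no policy matched

    def authenticate(self, src_ip, user):
        # The portal itself must be reachable under the WG-Auth policy.
        if self.check(src_ip, self.external_ip, AUTH_PORT) != "allow":
            return False
        self.sessions[src_ip] = user
        return True

@dataclass
class GatewayFirebox:
    """Gateway device: its WG-Auth policy must allow TCP 4100 to the destination device's IP."""
    auth_targets: set

    def forward(self, dst_ip, dst_port):
        ok = dst_port == AUTH_PORT and dst_ip in self.auth_targets
        return "allow" if ok else "deny"

def scenario():
    fb = Firebox(external_ip="203.0.113.10")              # constructed external address
    client = "198.51.100.7"                                # constructed remote client
    r = {"rdp_before_auth": fb.check(client, RDP_HOST, RDP_PORT)}
    r["auth_user1"] = fb.authenticate(client, "User1")
    r["rdp_user1"] = fb.check(client, RDP_HOST, RDP_PORT)
    fb.authenticate("198.51.100.8", "User2")              # valid account, not in RDP policy
    r["rdp_user2"] = fb.check("198.51.100.8", RDP_HOST, RDP_PORT)
    gw = GatewayFirebox(auth_targets={"203.0.113.10"})
    r["gateway_ok"] = gw.forward("203.0.113.10", AUTH_PORT)
    r["gateway_other_dst"] = gw.forward("203.0.113.11", AUTH_PORT)
    return r
```

The model shows why a second valid account (User2) is still denied RDP, and why a gateway without a WG-Auth policy for the destination device silently drops authentication requests.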

Related Topics

About User Authentication

Add Policies to Your Configuration