Download, Install, and Connect the Mobile VPN with SSL Client

Applies To: Locally-managed Fireboxes

The Mobile VPN with SSL software enables users to connect, disconnect, gather more information about the connection, and to exit or quit the client. The Mobile VPN with SSL client adds an icon to the system tray on the Windows operating system, or an icon in the menu bar on macOS. You can use this icon to control the client software.

To use Mobile VPN with SSL, you must:

  1. Verify system requirements
  2. Download the client software
  3. Install the client software
  4. Connect to your private network

The WatchGuard Mobile VPN with SSL client v11.10.4 or higher is a 64-bit application.

If you are unable to connect to the Firebox, or cannot download the installer from the Firebox, you can Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File.

Client Computer Requirements

For information about which operating systems are compatible with Mobile VPN with SSL, see the Operating System Compatibility list in the Fireware Release Notes. For information about changes to the WatchGuard Mobile VPN with SSL client, see the Enhancements and Resolved Issues section in the Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page.

TLS Requirements

The Firebox and SSL VPN clients negotiate which TLS version to use for tunnel security. In Fireware v12.5.4 or higher, the minimum accepted TLS version is TLS 1.2, which means SSL VPN clients must use TLS 1.2 or higher to connect to the Firebox.

Windows Requirements

To upgrade the Mobile VPN with SSL Windows client, you must have administrator privileges.

  • If a minor version update is available, but you cannot update the client version, you can still connect to the VPN tunnel.
  • If a major version update is available, but you cannot update the client version, you cannot connect to the VPN tunnel.

In Fireware v12.5.3 or higher, if the client automatically detects that an upgrade is available, but you do not have administrator privileges, a message appears that tells you to contact your system administrator for assistance. If a minor version update is available, you can select the Don't show this message again check box. This check box does not appear if a major version update is available.

In Fireware v12.5.2 or lower, if the client automatically detects that an upgrade is available, a message appears that asks you to upgrade. However, if you do not have administrator privileges, you cannot upgrade the client.

macOS Requirements

To install the Mobile VPN with SSL client on macOS, you must have administrator privileges.

macOS Ventura 13.0 and higher no longer accepts SSL connections to untrusted self-signed certificates. macOS Ventura users who connect to WatchGuard Mobile VPN with SSL servers by IP address or who use a self-signed certificate receive a connection error and cannot connect. For more information and workarounds for the issue, go to the WatchGuard Knowledge Base.

Download the Client Software

You can download the client from the WatchGuard Software Downloads page. If your Firebox is cloud-managed, you can download the client from WatchGuard Cloud.

In Fireware v12.11 and higher, the Mobile VPN with SSL client download page is removed from the Firebox. To download the Mobile VPN with SSL client, go to the Software Downloads page and select your Firebox model.

In Fireware v12.11 and higher, the Mobile VPN with SSL client no longer prompts users when an update is available.

In Fireware v12.5.5 or higher, your web browser must support TLS 1.2 or higher to download the client from the Firebox.

In Fireware v12.7 or higher, you can configure Mobile VPN with SSL to use AuthPoint as an authentication server. AuthPoint is the cloud-based multi-factor authentication solution from WatchGuard. If you configure Mobile VPN with SSL to use AuthPoint, users can authenticate through AuthPoint to log on to Mobile VPN with SSL software downloads page. For more information, go to Plan Your Mobile VPN with SSL Configuration.

In Fireware v12.11 or higher, you can configure Mobile VPN with SSL to use a Security Assertion Markup Language (SAML) identity provider as an authentication server. You can use SAML to authenticate users with your Firebox. With SAML, you can exchange data between an identity provider (IdP) and a service provider. For more information, go to Configure SAML Single Sign-On.

Install the Client Software

After you download and install the client software, the Mobile VPN client software automatically connects to the Firebox. Each time you connect to the Firebox, the client software verifies whether any configuration updates are available.

To perform a silent installation so users do not see message boxes or prompts, see Mobile VPN with SSL client silent installation in the WatchGuard Knowledge Base.

Connect to Your Private Network

Specify the Client Connection Settings

After you start the Mobile VPN with SSL Client, to start the VPN connection, you must specify the authentication server and user account credentials.

In Fireware v12.11 and higher, Mobile VPN with SSL supports SAML Single Sign-On (SSO).

The Server is the IP address of the primary external interface of a Firebox, or an FQDN that resolves to that IP address. If Mobile VPN with SSL on the Firebox is configured to use a port other than the default port 443, in the Server text box, you must type the IP address or FQDN followed by a colon and the port number. For example, if Mobile VPN with SSL is configured to use port 444, and the primary external IP address is 203.0.113.2, the Server is 203.0.113.2:444.

The User name format depends on which authentication server the user authenticates to:

  • If the Firebox configuration includes multiple authentication servers, and you want to authenticate to an authentication server that is not the default authentication server, you must specify the authentication server in the User name text box.
  • If the Firebox configuration includes multiple authentication servers, and you want to authenticate to the default authentication server, you do not need to specify the authentication server in the User name text box.

For example, the User name must be formatted in one of these ways:

To use the default authentication server

Type the user name. Example: j_smith

To use another authentication server

Type the authentication server name or domain name, and then type a backlash (\) followed by the user name.

Active Directory — ad1_example.com\j_smith

Firebox-DB —  Firebox-DB\j_smith

AuthPoint (Fireware v12.7 or higher) — AuthPoint\jsmith

RADIUS (Fireware v12.5 or higher) — rad1.example.com\j_smith or RADIUS\j_smith. You must type the domain name specified in the RADIUS settings on Firebox.

RADIUS (Fireware v12.4.1 or lower) — RADIUS\j_smith. You must always type RADIUS.

If your configuration includes a RADIUS server, and you upgrade from Fireware v12.4.1 or lower to Fireware v12.5 or higher, the Firebox automatically uses RADIUS as the domain name for that server. To authenticate to that server, you must type RADIUS as the domain name. In this case, if you type a domain name other than RADIUS, authentication fails.

To connect to your private network from the Mobile VPN with SSL client:

  1. In the Server text box, type or select the IP address or name of the Firebox to connect to.
    The IP address or name of the server you most recently connected to is selected by default.
  2. In the User name text box, type the user name.
    If Mobile VPN with SSL on the Firebox is configured to use multiple authentication methods, specify the authentication server or domain name before the user name. For example, ad1_example.com\j_smith.
  3. In the Password text box, type the password for your user account.
    The client remembers the password if the administrator configured the authentication settings to allow it.
  4. Click Connect.

If the connection between the SSL client and the Firebox is temporarily lost, the SSL client tries to establish the connection again.

To troubleshoot connection issues, see Troubleshoot Mobile VPN with SSL.

Other Connection Options

Two other connection options are available in the client only if the administrator has enabled them on the device you connect to.

Automatically reconnect

Select the Automatically reconnect check box if you want the Mobile VPN with SSL client to automatically reconnect when the connection is lost.

Remember password

Select the Remember password check box if you want the Mobile VPN with SSL client to remember the password you typed for the next time you connect.

Mobile VPN with SSL Client Controls

When the Mobile VPN with SSL client runs, the WatchGuard Mobile VPN with SSL icon appears in the system tray (Windows) or on the right side of the menu bar (macOS). The type of magnifying glass icon that appears shows the VPN connection status.

Windows:

  • — The VPN connection is not established.
  • — The VPN connection is established. You can securely connect to resources behind the Firebox.
  • — The client is in the process of connecting or disconnecting. The "W" letter in the icon pulsates.
  • Warning icon for Mobile VPN with SSL — The client cannot connect to the server. Verify that the server IP address, user name, and password are correct. To troubleshoot further, check the client logs for Mobile VPN with SSL.

macOS:

  • — The VPN connection is not established.
  • Connected icon for Mobile VPN with SSL (Mac OS X) — The VPN connection is established. You can securely connect to resources behind the Firebox.
  • Connecting icon for Mobile VPN with SSL (Mac OS X) — The client is in the process of connecting or disconnecting. The "W" letter in the icon pulsates.
  • Warning icon for Mobile VPN with SSL (Mac OS X) — The client cannot connect to the server. Verify that the server IP address, user name, and password are correct. To troubleshoot further, check the client logs for Mobile VPN with SSL.

macOS (Dark Mode):

  • Not connected icon for Mobile VPN with SSL (Mac OS X dark mode) — The VPN connection is not established.
  • Connected icon for Mobile VPN with SSL (Mac OS X dark mode) — The VPN connection is established. You can securely connect to resources behind the Firebox.
  • Connecting icon for Mobile VPN with SSL (Mac OS X dark mode) — The client is in the process of connecting or disconnecting. The "W" letter in the icon pulsates.
  • Warning icon for Mobile VPN with SSL (Mac OS X dark mode) — The client cannot connect to the server. Verify that the server IP address, user name, and password are correct. To troubleshoot further, check the client logs for Mobile VPN with SSL.

To see the client controls list, right-click the Mobile VPN with SSL icon in the system tray (Windows), or click the Mobile VPN with SSL icon in the menu bar (macOS). You can select from these actions:

Connect/Disconnect

Start or stop the Mobile VPN with SSL connection.

Status

See the status of the Mobile VPN with SSL connection.

View Logs

Open the connection log file.

Properties

Windows — Select Launch program on startup to start the client when Windows starts. Type a number for Log level to change the level of detail included in the logs.

macOS — Shows detailed information about the Mobile VPN with SSL connection. You can also set the log level.

Show Time Connected (macOS only)

Select to show the elapsed connection time on the macOS menu bar.

Screen shot of Mobile VPN with SSL client menu (Mac OS X)

Show Status While Connecting (macOS only)

Select to show the connection status on the macOS menu bar.

Screen shot of Connecting status Mac OS X tray

About

The WatchGuard Mobile VPN dialog box opens with information about the client software.

Exit (Windows) or Quit (macOS)

Disconnect from the Firebox and shut down the client.

Related Topics

Uninstall the Mobile VPN with SSL Client

Troubleshoot Mobile VPN with SSL

Mobile VPN with SSL client silent installation