SSL/TLS Settings Precedence and Inheritance
Several Firebox features use SSL/TLS for secure communication. In order of precedence from highest to lowest, those features are:
- Management Tunnel over SSL on hub devices
- BOVPN over TLS in Server mode
- Mobile VPN with SSL
- Access Portal
Features with lower precedence inherit some SSL/TLS settings from enabled features with higher precedence. The shared settings are not configurable for the features with lower precedence.
When you enable more than one of these features, informational messages appear that explain some settings are inherited from another feature.
Shared Policy
When you enable Management Tunnel over SSL, BOVPN over TLS, Mobile VPN with SSL, or the Access Portal, the WatchGuard SSLVPN policy is created automatically. All of these features share the WatchGuard SSLVPN policy.
In Fireware v12.1 or higher, by default, the WatchGuard SSLVPN policy includes only the Any-External interface.
We recommend that you keep the WatchGuard SSLVPN policy in your configuration. In Fireware v12.1 or higher, if you delete the WatchGuard SSLVPN policy and create a custom policy with a different name, Mobile VPN with SSL does not function if the Data Channel protocol is configured for TCP.
In Fireware v12.1.x, the WatchGuard SSLVPN policy includes the WG-VPN-Portal alias. If you upgrade from v12.1.x to v12.2 or higher, the WG-VPN-Portal alias is removed from the WatchGuard SSLVPN policy. Interfaces that appeared in the WG-VPN-Portal alias appear in the WatchGuard SSLVPN policy, which means the policy matches the same traffic. For more information, go to WatchGuard SSLVPN policy changes and the WG-VPN-Portal alias in Fireware v12.1.x in the WatchGuard Knowledge Base.
Example Configurations
The example configurations in this topic show how settings for these features are related and how the WatchGuard SSLVPN policy is affected. These examples also show the messages that appear when a feature takes precedence over another feature.
In Fireware v12.1.x, settings shared by the Access Portal and Mobile VPN over SSL appear on a page named VPN Portal. The Configuration Data Channel for Mobile VPN with SSL was renamed as the VPN Portal port and appears in the VPN Portal settings. In Fireware v12.2, the VPN Portal settings moved to the Access Portal and Mobile VPN with SSL configurations. For configuration instructions that apply to Fireware v12.1.x, go to Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.
In this example, these features are enabled on your Firebox:
- Management Tunnel over SSL on a hub device
- BOVPN over TLS in Server mode
- Mobile VPN with SSL
- Access Portal
These settings are not configurable:
- BOVPN over TLS in Server mode — Firebox IP addresses, virtual IP address pool, data channel protocol and port, and renegotiate data channel
- Mobile VPN with SSL — Firebox IP addresses, networking method, virtual IP address pool, VPN resources, data channel, configuration channel, authentication, encryption, and timers
- Access Portal — Access Portal port
These messages appear for BOVPN over TLS in Server mode, Mobile VPN with SSL, and the Access Portal:
In this example, these features are enabled on your Firebox:
- BOVPN over TLS in Server mode
- Mobile VPN with SSL
- Access Portal
These settings are not configurable:
- Mobile VPN with SSL — Firebox IP addresses, networking method, virtual IP address pool, VPN resources, data channel, configuration channel, authentication, encryption, and timers
- Access Portal — Access Portal port
In the BOVPN over TLS settings, you can configure the Data Channel for TCP or UDP. The Data Channel setting for BOVPN over TLS affects the Data Channel setting for Mobile VPN with SSL.
TCP Data Channel
When TCP is selected in the BOVPN over TLS settings, you cannot specify a port other than 443. The Data Channel and Configuration Channel for Mobile VPN with SSL are TCP 443 and cannot be configured. The Access Portal port is 443 and cannot be configured.
These messages appear for Mobile VPN with SSL and the Access Portal:
UDP Data Channel
In the BOVPN over TLS Server mode configuration, when UDP is selected in the Data Channel settings, you can specify a port other than 443.
In the Mobile VPN with SSL configuration, the Data Channel changes to UDP, and the Data Channel port changes to the port you specified for the BOVPN over TLS Data Channel. The Configuration Channel is 443 and cannot be configured.
If you enable BOVPN over TLS in Server mode and Mobile VPN with SSL is already enabled, this message appears if you configured Mobile VPN with SSL to use UDP for the Data Channel:
In this example, these features are enabled on your Firebox:
- Mobile VPN with SSL
- Access Portal
In the Mobile VPN with SSL settings, you can configure the Data Channel for TCP or UDP. The Data Channel setting affects the Access Portal port.
TCP Data Channel
In the Mobile VPN with SSL settings, if the Data Channel setting is set to TCP, the Access Portal port setting changes to the specified port and is not configurable. For example, if you specify TCP 444 for the Data Channel, the Access Portal port becomes 444 and is not configurable.
This message appears in the Access Portal configuration:
UDP Data Channel
In the Mobile VPN with SSL settings, if the Data Channel setting is configured for UDP, the Access Portal port setting does not change and can be configured.
For example, if the Data Channel is configured for UDP 444, you can specify port 443 or another port for the Access Portal. The WatchGuard SSLVPN policy includes the UDP and TCP ports:
In this example, these features are enabled on your Firebox:
- BOVPN over TLS in Server mode
- Access Portal
TCP Data Channel
If the Data Channel setting for BOVPN over TLS is configured for TCP, you cannot specify a port other than 443. The Access Portal port remains 443 and cannot be configured.
This message appears in the Access Portal configuration:
UDP Data Channel
If the Data Channel setting for BOVPN over TLS is configured for UDP, you can specify a port other than 443. The Access Portal port remains 443 and cannot be configured.
For example, if the BOVPN over TLS Data Channel is configured for UDP 444, the WatchGuard SSLVPN policy includes UDP 444 and TCP 443:
In this example, these features are enabled on your Firebox:
- BOVPN over TLS in Server mode
- Mobile VPN with SSL
These Mobile VPN with SSL settings are not configurable: Firebox IP addresses, networking method, virtual IP address pool, VPN resources, data channel, configuration channel, authentication, encryption, and timers.
TCP Data Channel
If the Data Channel setting for BOVPN over TLS is configured for TCP, you cannot specify a port other than 443. The Configuration Channel port is 443 and cannot be configured.
This message appears in the Mobile VPN with SSL configuration:
UDP Data Channel
In the BOVPN over TLS Server mode configuration, if the Data Channel setting is configured for UDP, you can specify a port other than 443.
In the Mobile VPN with SSL configuration, the Data Channel changes to the port you specified for BOVPN over TLS and cannot be configured. The Configuration Channel remains 443 and cannot be configured.
For example, if the Data Channel for BOVPN over TLS is configured for UDP 444:
- The Data Channel for Mobile VPN with SSL changes to 444 and cannot be configured.
- The Configuration Channel remains 443 and cannot be configured.
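The port and inheritance rules from the examples above (BOVPN over TLS in Server mode, Mobile VPN with SSL, and the Access Portal in any combination) can be checked with a small model. This is an added example, not WatchGuard code; it omits Management Tunnel over SSL because the examples give no port values for it, and the `Channel` and `effective_settings` names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Channel:
    proto: str           # "TCP" or "UDP"
    port: int
    locked: bool = False  # True when inherited from a higher-precedence feature

def effective_settings(bovpn_tls: Optional[Channel] = None,
                       mvpn_ssl: Optional[Channel] = None,
                       access_portal_port: Optional[int] = None) -> Dict[str, object]:
    """Apply the precedence rules: BOVPN over TLS (Server mode) > Mobile VPN
    with SSL > Access Portal. An argument of None means that feature is
    disabled. Returns the effective channels and the proto/port pairs the
    WatchGuard SSLVPN policy must cover."""
    result: Dict[str, Channel] = {}
    if bovpn_tls is not None:
        # A TCP Data Channel for BOVPN over TLS cannot use a port other than 443.
        if bovpn_tls.proto == "TCP" and bovpn_tls.port != 443:
            raise ValueError("BOVPN over TLS TCP Data Channel must use port 443")
        result["bovpn_data"] = bovpn_tls
    if mvpn_ssl is not None:
        if bovpn_tls is not None:
            # Mobile VPN with SSL inherits the BOVPN Data Channel protocol and
            # port, and its Configuration Channel is fixed at TCP 443.
            mvpn_ssl = Channel(bovpn_tls.proto, bovpn_tls.port, locked=True)
            result["mvpn_config"] = Channel("TCP", 443, locked=True)
        result["mvpn_data"] = mvpn_ssl
    if access_portal_port is not None:
        portal = Channel("TCP", access_portal_port)
        if bovpn_tls is not None:
            # With BOVPN over TLS enabled the portal port stays 443.
            portal = Channel("TCP", 443, locked=True)
        elif mvpn_ssl is not None and mvpn_ssl.proto == "TCP":
            # A TCP Mobile VPN Data Channel forces the portal onto the same port.
            portal = Channel("TCP", mvpn_ssl.port, locked=True)
        result["access_portal"] = portal
    policy: Set[Tuple[str, int]] = {(c.proto, c.port) for c in result.values()}
    return {"channels": result, "policy_ports": sorted(policy)}
```

Use it to confirm that a change to one feature's Data Channel does not silently leave a locked port out of the WatchGuard SSLVPN policy.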
In this example, these features are enabled on your Firebox:
- Management Tunnel over SSL on a hub device
- BOVPN over TLS in Server mode
These settings for BOVPN over TLS are not configurable:
- Primary Server
- Backup Server
- Advanced settings — Virtual IP address pool, Authentication, Encryption, Data Channel, Keep-Alive Interval, Keep-Alive Timeout, Renegotiate Data Channel
This message appears for BOVPN over TLS:
In this example, these features are enabled on your Firebox:
- Management Tunnel over SSL on a hub device
- Mobile VPN with SSL
These settings for Mobile VPN with SSL are not configurable:
- Firebox IP addresses
- Networking method
- Virtual IP address pool
- VPN resources
- Advanced settings — Authentication, Encryption, Data channel, Configuration channel, Keep-alive, and Renegotiate data channel
This message appears for Mobile VPN with SSL:
In this example, these features are enabled on your Firebox:
- Management Tunnel over SSL on a hub device
- Access Portal
The Access Portal port setting cannot be configured.