Download, Install, and Connect the Mobile VPN with SSL Client
Applies To: Cloud-managed Fireboxes
Before you download the WatchGuard Mobile VPN with SSL client from WatchGuard Cloud, you must:
- Configure Mobile VPN with SSL for a Cloud-Managed Firebox
- Deploy the configuration to the Firebox. For more information, see Manage Device Configuration Deployment.
After you configure Mobile VPN with SSL in WatchGuard Cloud and deploy the configuration:
- Verify client computer requirements
- Download the client software
- Install the client software
- Connect to your private network
Verify Client Computer Requirements
For information about which operating systems are compatible with Mobile VPN with SSL, see the Operating System Compatibility list in the Fireware Release Notes. For information about changes to the WatchGuard Mobile VPN with SSL client, see the Enhancements and Resolved Issues section in the Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page.
TLS Requirements
SSL VPN clients must use TLS 1.2 or higher to connect to the Firebox.
Windows Requirements
To upgrade the Mobile VPN with SSL Windows client, you must have administrator privileges.
- If a minor version update is available, but you cannot update the client version, you can still connect to the VPN tunnel.
- If a major version update is available, but you cannot update the client version, you cannot connect to the VPN tunnel.
If the client automatically detects that an upgrade is available, but you do not have administrator privileges, a message appears that tells you to contact your system administrator for assistance. If a minor version update is available, you can select the Don't show this message again check box. This check box does not appear if a major version update is available.
macOS Requirements
To install the Mobile VPN with SSL client on macOS, you must have administrator privileges.
macOS Ventura 13.0 and higher no longer accepts SSL connections to untrusted self-signed certificates. macOS Ventura users who connect to WatchGuard Mobile VPN with SSL servers by IP address or who use a self-signed certificate receive a connection error and cannot connect. For more information and workarounds for the issue, see the WatchGuard Knowledge Base.
Download the Client Software
Administrators can download the WatchGuard Mobile VPN with SSL client from WatchGuard Cloud. Users can download the client from software.watchguard.com or from the Firebox.
In Fireware v12.11 and higher, the Mobile VPN with SSL client download page is removed from the Firebox. To download the Mobile VPN with SSL client, go to the Software Downloads page and select your Firebox model.
In Fireware v12.11 and higher, the Mobile VPN with SSL client no longer prompts users when an update is available.
To download the client from WatchGuard Cloud:
- Select Configure > Devices.
- Select the cloud-managed Firebox.
- Click Device Configuration.
- In the VPN section, click the Mobile VPN tile.
The Select Mobile VPN page opens.
- Click Mobile VPN with SSL.
- Click the Advanced tab.
- In the upper-right corner, click Download Client.
- From the Download Client list, select Apple OS or Windows.
The installation file downloads to your computer. The Apple OS installer is a .DMG file. The Windows installer is an .EXE file.
To download the client from software.watchguard.com:
- Go to software.watchguard.com.
- Do one of the following:
- From the Select a device drop-down list, select the hardware model of the Firebox.
- In the text box, type the first four digits of the Firebox serial number.
- In the WatchGuard Mobile VPN with SSL Software section, click the Mobile VPN with SSL for Windows link or the Mobile VPN with SSL for macOS link.
The installation file downloads to your computer.
To download the client from the Firebox:
- Authenticate to the Firebox with an HTTPS connection over the port specified in the Mobile VPN with SSL configuration. The default port is 443.
Over port 443
https://<Firebox IP address>/sslvpn.html
https://<Firebox host name>/sslvpn.html
Over a custom port number
https://<Firebox IP address>:<custom port number>/sslvpn.html
https://<Firebox host name>:<custom port number>/sslvpn.html
The authentication web page appears.
- Type your Username and Password.
- If Mobile VPN with SSL is configured to use more than one authentication method, select the authentication server from the Domain drop-down list.
The Mobile VPN with SSL download page appears.
- Click the Download button for the correct installer for your operating system: Windows (WG-MVPN-SSL.exe) or macOS (WG-MVPN-SSL.dmg).
- Save the file to your computer.
From this page, you can also download the Mobile VPN with SSL client profile for connections from any SSL VPN client that supports .OVPN configuration files. For more information about the Mobile VPN with SSL client profile, see Use Mobile VPN with SSL with an OpenVPN Client.
Install the Client Software
To install the client on Windows:
- Double-click WG-MVPN-SSL.exe.
The Mobile VPN with SSL client Setup Wizard starts.
- Accept the default settings on each screen of the wizard.
- (Optional) To add a desktop icon or a Quick Launch icon, select the check box in the wizard that matches the option.
- Finish and exit the wizard.
To install the client on macOS:
- Make sure that the System Preferences > Security and Privacy settings on your Mac allow apps downloaded from Mac App Store and identified developers. This is the default setting.
- Double-click WG-MVPN-SSL.dmg.
A volume named WatchGuard Mobile VPN is created on your desktop.
- In the WatchGuard Mobile VPN volume, double-click WatchGuard Mobile VPN with SSL Installer <version>.mpkg.
The client installer starts.
- Accept the default settings on each screen of the installer.
- Finish and exit the installer.
After you download and install the client software, the Mobile VPN client software automatically connects to the Firebox. Each time you connect to the Firebox, the client software verifies whether any configuration updates are available.
To perform a silent installation so users do not see message boxes or prompts, see Mobile VPN with SSL client silent installation in the WatchGuard Knowledge Base.
Connect to Your Private Network
To start the client on Windows:
- From the Start Menu, select All Programs > WatchGuard > Mobile VPN with SSL client > Mobile VPN with SSL client.
- Double-click the Mobile VPN with SSL shortcut on your desktop.
- Click the Mobile VPN with SSL icon in the Quick Launch toolbar.
To start the client on macOS:
- Open a Finder window.
- Select Applications > WatchGuard.
- Double-click the WatchGuard Mobile VPN with SSL application.
Specify the Client Connection Settings
After you start the Mobile VPN with SSL Client, to start the VPN connection, you must specify the authentication server and user account credentials.
In Fireware v12.11 and higher, Mobile VPN with SSL supports SAML Single Sign-On (SSO).
The Server is the IP address of the primary external interface of a Firebox, or an FQDN that resolves to that IP address. If Mobile VPN with SSL on the Firebox is configured to use a port other than the default port 443, in the Server text box, you must type the IP address or FQDN followed by a colon and the port number. For example, if Mobile VPN with SSL is configured to use port 444, and the primary external IP address is 203.0.113.2, the Server is 203.0.113.2:444.
The User name format depends on which authentication server the user authenticates to:
- If the Firebox configuration includes multiple authentication servers, and you want to authenticate to an authentication server that is not the default authentication server, you must specify the authentication server in the User name text box.
- If the Firebox configuration includes multiple authentication servers, and you want to authenticate to the default authentication server, you do not need to specify the authentication server in the User name text box.
For example, the User name must be formatted in one of these ways:
To use the default authentication server
Type the user name. Example: j_smith
To use another authentication server
Type the authentication server name or domain name, and then type a backslash (\) followed by the user name.
Active Directory or RADIUS example: server.example.com\j_smith
AuthPoint (Fireware v12.7 or higher) example: authpoint\jsmith
Firebox-DB example: Firebox-DB\j_smith
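The Server and User name formats above, together with the TLS 1.2 requirement and the macOS Ventura certificate behavior described earlier, can be checked before a rollout. This is an added example, not WatchGuard code: the function names are hypothetical, and it assumes the Server value is an IPv4 address or FQDN with an optional port.

```python
import ipaddress
import socket
import ssl

DEFAULT_PORT = 443  # default Mobile VPN with SSL port named on the page

def parse_server(server):
    """Split a Server value (IPv4 or FQDN, optional :port) into (host, port, is_ip)."""
    host, sep, port = server.strip().rpartition(":")
    if not sep:  # no colon: the whole value is the host, default port applies
        host, port = server.strip(), str(DEFAULT_PORT)
    if not host or ":" in host or not port.isdecimal() or not 0 < int(port) < 65536:
        raise ValueError(f"invalid Server value: {server!r}")
    try:
        ipaddress.ip_address(host)
        return host, int(port), True
    except ValueError:
        return host, int(port), False

def parse_user_name(user_name):
    """Split 'auth-server\\user' into (auth_server, user); None = default server."""
    auth_server, sep, user = user_name.partition("\\")
    if not sep:
        auth_server, user = None, user_name
    if auth_server == "" or not user:
        raise ValueError(f"invalid User name value: {user_name!r}")
    return auth_server, user

def strict_tls_context():
    """TLS 1.2 or higher, with certificate chain and host name verification on."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def preflight(server, timeout=5.0):
    """Return findings for one Server value; opens a TLS connection to it."""
    host, port, is_ip = parse_server(server)
    findings = []
    if is_ip:
        findings.append("server is an IP address: macOS Ventura 13.0+ clients may fail")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with strict_tls_context().wrap_socket(sock, server_hostname=host) as tls:
                findings.append(f"ok: negotiated {tls.version()}")
    except ssl.SSLCertVerificationError as exc:
        findings.append(f"certificate not trusted: {exc.verify_message}")
    except (ssl.SSLError, OSError) as exc:
        findings.append(f"connection failed: {exc}")
    return findings

if __name__ == "__main__":
    print(parse_server("203.0.113.2:444"), parse_user_name("server.example.com\\j_smith"))
```

Call `preflight()` with the same value users type in the Server text box; a "certificate not trusted" finding indicates the self-signed or mismatched certificate case that macOS Ventura rejects.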
To connect to your private network from the Mobile VPN with SSL client:
- In the Server text box, type or select the IP address or name of the Firebox to connect to.
The IP address or name of the server you most recently connected to is selected by default.
- In the User name text box, type the user name.
If Mobile VPN with SSL on the Firebox is configured to use multiple authentication methods, specify the authentication server or domain name before the user name. For example, ad1_example.com\j_smith.
- In the Password text box, type the password for your user account.
The client remembers the password if the administrator configured the authentication settings to allow it.
- Click Connect.
If the connection between the SSL client and the Firebox is temporarily lost, the SSL client tries to establish the connection again.
To troubleshoot connection issues, see Troubleshoot Mobile VPN with SSL.
Other Connection Options
Two other connection options are available in the client only if the administrator has enabled them on the device you connect to.
Automatically reconnect
Select the Automatically reconnect check box if you want the Mobile VPN with SSL client to automatically reconnect when the connection is lost.
Remember password
Select the Remember password check box if you want the Mobile VPN with SSL client to remember the password you typed for the next time you connect.
Mobile VPN with SSL Client Controls
When the Mobile VPN with SSL client runs, the WatchGuard Mobile VPN with SSL icon appears in the system tray (Windows) or on the right side of the menu bar (macOS). The type of magnifying glass icon that appears shows the VPN connection status.
Windows:
- The VPN connection is not established.
- The VPN connection is established. You can securely connect to resources behind the Firebox.
- The client is in the process of connecting or disconnecting. The "W" letter in the icon pulsates.
- The client cannot connect to the server. Verify that the server IP address, user name, and password are correct. To troubleshoot further, check the client logs for Mobile VPN with SSL.
macOS:
- The VPN connection is not established.
- The VPN connection is established. You can securely connect to resources behind the Firebox.
- The client is in the process of connecting or disconnecting. The "W" letter in the icon pulsates.
- The client cannot connect to the server. Verify that the server IP address, user name, and password are correct. To troubleshoot further, check the client logs for Mobile VPN with SSL.
macOS (Dark Mode):
- The VPN connection is not established.
- The VPN connection is established. You can securely connect to resources behind the Firebox.
- The client is in the process of connecting or disconnecting. The "W" letter in the icon pulsates.
- The client cannot connect to the server. Verify that the server IP address, user name, and password are correct. To troubleshoot further, check the client logs for Mobile VPN with SSL.
To see the client controls list, right-click the Mobile VPN with SSL icon in the system tray (Windows), or click the Mobile VPN with SSL icon in the menu bar (macOS). You can select from these actions:
Connect/Disconnect
Start or stop the Mobile VPN with SSL connection.
Status
See the status of the Mobile VPN with SSL connection.
View Logs
Open the connection log file.
Properties
Windows — Select Launch program on startup to start the client when Windows starts. Type a number for Log level to change the level of detail included in the logs.
macOS — Shows detailed information about the Mobile VPN with SSL connection. You can also set the log level.
Show Time Connected (macOS only)
Select to show the elapsed connection time on the macOS menu bar.
Show Status While Connecting (macOS only)
Select to show the connection status on the macOS menu bar.
About
The WatchGuard Mobile VPN dialog box opens with information about the client software.
Exit (Windows) or Quit (macOS)
Disconnect from the Firebox and shut down the client.
Uninstall the Mobile VPN with SSL Client
Microsoft Windows 10
To uninstall the Mobile VPN with SSL client, go to C:\Program Files (x86)\WatchGuard\WatchGuard Mobile VPN with SSL and run unins000.exe. This is the uninstaller for Mobile VPN with SSL.
After you run the uninstaller, some files and registry entries remain. To manually remove these items, see How Do I Uninstall Mobile VPN with SSL and Remove All Related Files? in the WatchGuard Knowledge Base.
macOS
- In a Finder window, go to the Applications > WatchGuard folder.
- Double-click the Uninstall WG SSL VPN application to start the uninstall program.
The Mobile VPN with SSL client uninstall program starts.
- Click OK on the Warning dialog box.
- Click OK on the Done dialog box.
- In a Finder window, go to the Applications folder.
- Drag the WatchGuard folder to the Trash.