Configure Mobile VPN with SSL for a Cloud-Managed Firebox
Applies To: Cloud-managed Fireboxes
Your mobile users can connect to your company network through a secure WatchGuard VPN.
On a cloud-managed Firebox, you can configure Mobile VPN with SSL, which provides good performance and security. This VPN type uses Transport Layer Security (TLS) to secure the VPN connection and a default port (TCP 443) that is usually open on most networks.
To connect to the VPN, your users must have a VPN client. Users can download the WatchGuard SSL VPN client from software.watchguard.com or from the Firebox. As an administrator, you can also download the client from WatchGuard Cloud. The WatchGuard VPN client runs on Windows and macOS computers. To connect from Android or iOS, your users can download an OpenVPN client from an app store.
This topic explains how to:
- Enable Mobile VPN with SSL
- Add Firebox addresses
- Add authentication domains
- Add users and groups
- Edit the virtual IP address pool
- Configure advanced settings
- Deploy the configuration
- Download the VPN client
Before You Begin
Before you enable Mobile VPN with SSL in WatchGuard Cloud, make sure to configure a way for users to authenticate to the VPN. Mobile VPN with SSL supports these authentication methods:
- Firebox authentication database (Firebox-DB)
- RADIUS
- AuthPoint
- SAML
For information about how to configure authentication, see Authentication Methods for Mobile VPN.
Enable Mobile VPN with SSL
To enable Mobile VPN with SSL, from WatchGuard Cloud:
- Select Configure > Devices.
- Select your cloud-managed Firebox.
- Click Device Configuration.
- In the VPN section, click the Mobile VPN tile.
The Select VPN page opens.
- Click SSL.
The Mobile VPN with SSL page opens.
- Enable Mobile VPN with SSL.
Add Firebox Addresses
In the Firebox Addresses section, add an IP address or domain name for connections from SSL VPN clients to your Firebox.
If you enter an IP address, make sure it is one of these:
If your Firebox is located behind a NAT device, enter the public IP address or domain name of the NAT device. For information about NAT, see About Network Address Translation (NAT).
- In the Mobile VPN with SSL configuration, go to the Firebox Addresses section.
- In the Primary text box, enter the IP address or domain name.
- (Optional) If your Firebox has more than one external address, enter a Backup IP address or domain name.
If you enter a backup IP address or domain name, the VPN client automatically tries to connect to that IP address or domain after a failed connection attempt. To use these backup connection settings, you must also select Auto reconnect after a connection is lost on the Advanced tab.
Add Authentication Domains
By default, Mobile VPN with SSL uses the Firebox database (Firebox-DB) for user authentication. You can also use Active Directory, RADIUS, SAML, and AuthPoint.
Before you can add an authentication domain to the Mobile VPN with SSL configuration, you must first configure one or more user authentication methods. For more information about Mobile VPN authentication, see Authentication Methods for Mobile VPN.
To use AuthPoint for Mobile VPN user authentication on a cloud-managed Firebox, you must first add the Firebox as an AuthPoint resource, which requires Fireware v12.7 or higher.
- In the Mobile VPN with SSL configuration, go to the Authentication Domains section.
- Click Add Authentication Domains.
The Add Authentication Domains page opens.
- Select the authentication domains for user authentication.
The authentication domains that you select appear at the end of the Authentication Domains list.
- The first server in the list is the default authentication domain. To change the order, click the move handle and drag the domain up or down.
- Click Add.
Add Users and Groups
After you select the authentication domains, select users and groups that can use the VPN to connect to network resources protected by the Firebox. You can select these types of users and groups:
- Firebox Database (Firebox-DB) users and groups
- RADIUS authentication domain users and groups
- SAML authentication domain users and groups
- Active Directory authentication domain users and groups
- AuthPoint users and groups
When you enable Mobile VPN with SSL, the Firebox automatically creates a default user group named SSLVPN-Users. In the Mobile VPN with SSL configuration, you select from a list of users or groups on the authentication servers you previously added. Users and groups you select are automatically added to the SSLVPN-Users group.
When you save the Mobile VPN with SSL configuration, the Firebox creates or updates the Allow SSLVPN-Users policy to apply to the groups and users you configured for authentication. The group and user names you added do not appear in the From list in the Allow SSLVPN-Users policy. Instead, the single group name SSLVPN-Users appears. However, this policy does apply to all users and groups you added in the Mobile VPN with SSL configuration.
- In the Mobile VPN with SSL configuration, go to the Users and Groups section.
- To add a Firebox Database user:
- Click Add Users > Add Firebox Database Users.
The Add Users page opens.
- Enter the Name of the user.
- (Optional) Enter a Description for the user.
- Enter a Password for the user. The password length must be 8 to 32 characters.
- Enter the Timeout value, in seconds. The default value is 28880 seconds (8 hours). This is the maximum amount of time a user can remain connected to the VPN.
- Enter the Idle Timeout value, in seconds. The default value is 1800 seconds (30 minutes). This is the length of time a user can remain connected to the VPN when idle.
- Click Add Users > Add Firebox Database Users.
- To add authentication domain users, from the Users and Groups section:
- Click Add Users.
- Select the check box for each user to add to Mobile VPN with SSL.
- Click Add.
The users that you selected appear in the Users list.
- To add an authentication domain group, from the Users and Groups section:
- Click Add Groups.
- Select the check box for each group to add.
- To remove a user or group from the mobile VPN configuration, in the row for that user or group, click .
- Click Add.
The groups that you selected appear in the groups list.
Edit the Virtual IP Address Pool
The virtual IP address pool is the group of private IP addresses the Firebox assigns to Mobile VPN with SSL users. The default virtual IP address pool is 192.168.113.0/24. To add a different pool, you must first remove the default pool. You cannot configure more than one pool for Mobile VPN with SSL.
Follow these best practices:
- Make sure that the virtual IP address pool does not overlap with any other IP addresses in the Firebox configuration.
- Make sure that the virtual IP address pool does not overlap with networks protected by the Firebox, any network accessible through a route or BOVPN, or IP addresses assigned by DHCP to a device behind the Firebox.
- If your company has multiple sites with mobile VPN configurations, make sure each site has a virtual IP address pool for mobile VPN clients that does not overlap with pools at other sites.
- Do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 for mobile VPN virtual IP address pools. These ranges are often used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you migrate to a new local network range.
- A virtual IP address pool cannot be on the same subnet as a primary FireCluster IP address.
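The overlap rules above are easy to get wrong by hand once a site has several internal networks, routes, DHCP scopes and a FireCluster. The script below is an added example, not code from the WatchGuard documentation or from any WatchGuard tool: it takes a proposed virtual IP pool and checks it against every condition listed above. The internal networks, routed network, DHCP range, other-site pool and FireCluster address in `SAMPLE_ENVIRONMENT` are constructed sample values, and the page's default pool 192.168.113.0/24 is used as the first candidate.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Ranges the page advises against because home networks commonly use them.
HOME_NETWORK_RANGES = (ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24"))

# Constructed sample Firebox environment (hypothetical values, not from the page).
SAMPLE_ENVIRONMENT = {
    "internal_networks": ["10.0.1.0/24", "10.0.2.0/24"],   # networks protected by the Firebox
    "routed_networks": ["172.16.0.0/16"],                   # reachable through a route or BOVPN
    "dhcp_ranges": [("10.0.2.100", "10.0.2.200")],          # DHCP scopes served behind the Firebox
    "other_site_pools": ["192.168.114.0/24"],               # mobile VPN pools at other sites
    "firecluster_primary_ips": ["10.0.1.2/24"],             # primary FireCluster interface address
}


def _overlaps_range(net, start, end):
    """True if the network shares at least one address with the start-end range."""
    return net.network_address <= ip_address(end) and net.broadcast_address >= ip_address(start)


def check_virtual_ip_pool(pool, env):
    """Return the list of best-practice violations for a proposed pool; [] means it passes."""
    pool = ip_network(pool, strict=False)
    problems = []

    # Do not use the ranges that home networks commonly use.
    for home in HOME_NETWORK_RANGES:
        if pool.overlaps(home):
            problems.append(f"overlaps common home network range {home}")

    # No overlap with protected networks, routed/BOVPN networks, or other sites' pools.
    labelled = (
        ("internal network", env["internal_networks"]),
        ("routed or BOVPN network", env["routed_networks"]),
        ("another site's mobile VPN pool", env["other_site_pools"]),
    )
    for label, nets in labelled:
        for net in (ip_network(n, strict=False) for n in nets):
            if pool.overlaps(net):
                problems.append(f"overlaps {label} {net}")

    # No overlap with addresses handed out by DHCP behind the Firebox.
    for start, end in env["dhcp_ranges"]:
        if _overlaps_range(pool, start, end):
            problems.append(f"overlaps DHCP range {start}-{end}")

    # Not on the same subnet as a primary FireCluster IP address.
    for cidr in env["firecluster_primary_ips"]:
        iface = ip_interface(cidr)
        if pool.overlaps(iface.network):
            problems.append(f"on the same subnet as FireCluster primary IP {iface.ip}")

    return problems


if __name__ == "__main__":
    for candidate in ("192.168.113.0/24", "192.168.1.0/24", "10.0.1.128/25"):
        print(candidate, check_virtual_ip_pool(candidate, SAMPLE_ENVIRONMENT) or "OK")
```

Feed it the real networks from your Firebox configuration and from the other sites' mobile VPN settings; a non-empty result means the pool should be changed before you deploy.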
Configure Advanced Settings
On the Advanced tab, you can configure these settings:
- In the Networking section, select the method the Firebox uses to send traffic through the VPN tunnel.
Force all client traffic through the tunnel
Select this option to route all traffic from the VPN client to your private network and to the Internet through the tunnel. This option sends all external traffic through the Firebox policies you create and offers consistent security for mobile users. This option requires more Firebox processing power, which can affect performance. This is the default setting. This option is also known as full tunneling or default route.
Allow access to all Internal and Guest networks
This option routes only traffic to private network resources through the Firebox. Other traffic to the Internet does not go through the tunnel and is not restricted by the policies on your Firebox. This option is also known as split tunneling.
Specify allowed resources
Select this option to restrict Mobile VPN with SSL client access to only specified devices on your private network. This option is also known as split tunneling.
If you select this option, click Add Network, select the network, and click Add.
- In the Reconnection section, select one or more options.
Auto reconnect after a connection is lost
If you select this option, users can select a check box on the Mobile VPN with SSL client to control whether the client automatically reconnects. This option is selected by default.
Force users to authenticate after a connection is lost
We recommend that you select this option if you use a multi-factor authentication method with a one-time password. After a lost connection, auto reconnect might fail if users do not enter a new one-time password.
Allow the Mobile VPN with SSL client to remember the password
If you select this option, users can select a check box in the Mobile VPN with SSL client to control whether the client remembers the password. This option is selected by default.
- In the Data Channel section, configure the channel settings.
Data Channel
Mobile VPN with SSL uses the data channel to send data after the VPN connection establishes. The default protocol and port is TCP 443. If you enter a different port, users must manually type the port in the Mobile VPN with SSL connection dialog box (example: 203.0.113.2:444).
If you select TCP, the configuration channel automatically uses the same port and protocol. If you select UDP, you can set the configuration channel protocol to TCP or UDP, and you can use a different port than the data channel.
Configuration Channel
The Configuration Channel determines how users download the Mobile VPN with SSL client software from the Firebox.
The default Configuration Channel is TCP 443. If you keep the default setting, users download the Mobile VPN with SSL client software from https://[Firebox IP address or FQDN]/sslvpn.html. If you change the default Configuration Channel, users must specify the port number in the URL (for example, https://[Firebox IP address or FQDN]:444/sslvpn.html).
- (Optional) In the Tunnel Security section, select Use Custom Settings. You can configure these options:
Authentication method
Select the authentication method for the connection. Authentication settings specify the authentication algorithm and hash size. You can select SHA2-256 or SHA2-512. The default setting is SHA2-256.
Encryption method
Select an encryption method to encrypt the traffic. Encryption settings specify the encryption algorithm and key length. You can select AES-CBC or AES-GCM algorithms with 128-, 192-, or 256-bit keys.
We recommend AES-GCM algorithms, which typically provide the best performance for most Firebox models. GCM includes built-in authentication, which means a separate authentication algorithm does not have to be calculated. The default setting is AES-CBC (256-bit).
Keep-Alive Interval
Enter a Keep-Alive Interval value (in seconds). This setting controls how often the Firebox sends traffic through the tunnel to keep the tunnel active when no other tunnel traffic exists. The default value is 10 seconds.
Keep-Alive Timeout
Enter a Keep-Alive Timeout value (in seconds). This setting controls how long the Firebox waits for a response. If no response arrives before the timeout value, the Firebox closes the tunnel, and the VPN client must reconnect. The default value is 60 seconds.
Renegotiate Data Channel
Enter a Renegotiate Data Channel value (in minutes). If a Mobile VPN with SSL connection has been active for the amount of time specified in the Renegotiate Data Channel text box, the Mobile VPN with SSL client must create a new tunnel. The default value is 480 minutes (8 hours). The minimum value is 60 minutes.
Use Network DNS settings
If you select this option, mobile clients use the internal DNS server that you configured on your cloud-managed Firebox. For information about internal DNS servers, see Configure Firebox DNS Settings.
Assign Network DNS settings
If you select this option, mobile clients use the domain name suffix, DNS servers, and WINS servers that you enter in this section. For example, if you specify example.com as the domain name and 10.0.1.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.1.53 as the DNS server.
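The Data Channel, Configuration Channel and Tunnel Security sections above carry a few rules that interact (a TCP data channel ties the configuration channel to the same port, a non-default port changes what users type and where they download the client, and Renegotiate Data Channel has a floor of 60 minutes). The Python below is an added example, not code from the WatchGuard documentation or any WatchGuard product: it models the Advanced tab values with the page's defaults, validates a planned combination against those rules, and derives the connection address and download URL users would need. The Firebox address `vpn.example.com` and the IP 203.0.113.2 used in the usage section are constructed sample values, and the check that the Keep-Alive Timeout exceeds the Keep-Alive Interval is an added sanity check, not a rule stated on the page.

```python
from dataclasses import dataclass

# Allowed values the page lists for the Tunnel Security custom settings.
AUTH_METHODS = ("SHA2-256", "SHA2-512")
ENCRYPTION_METHODS = tuple(f"{alg}-{bits}" for alg in ("AES-CBC", "AES-GCM")
                           for bits in (128, 192, 256))
DEFAULT_PORT = 443
MIN_RENEGOTIATE_MINUTES = 60


@dataclass
class SslVpnAdvancedSettings:
    """Planned Advanced tab values; the defaults mirror the ones stated on the page."""
    firebox_address: str = "vpn.example.com"  # hypothetical Firebox FQDN (assumption)
    data_protocol: str = "TCP"
    data_port: int = DEFAULT_PORT
    config_protocol: str = "TCP"
    config_port: int = DEFAULT_PORT
    auth_method: str = "SHA2-256"
    encryption: str = "AES-CBC-256"
    keepalive_interval: int = 10      # seconds
    keepalive_timeout: int = 60       # seconds
    renegotiate_minutes: int = 480


def validate(s):
    """Return the rules the planned settings violate; [] means they are consistent."""
    problems = []
    if s.data_protocol not in ("TCP", "UDP") or s.config_protocol not in ("TCP", "UDP"):
        problems.append("channel protocol must be TCP or UDP")
    # A TCP data channel forces the configuration channel onto the same protocol and port;
    # only a UDP data channel lets the configuration channel differ.
    if s.data_protocol == "TCP" and (s.config_protocol, s.config_port) != ("TCP", s.data_port):
        problems.append("TCP data channel: configuration channel must use the same port and protocol")
    if s.auth_method not in AUTH_METHODS:
        problems.append(f"authentication method must be one of {AUTH_METHODS}")
    if s.encryption not in ENCRYPTION_METHODS:
        problems.append(f"encryption method must be one of {ENCRYPTION_METHODS}")
    if s.renegotiate_minutes < MIN_RENEGOTIATE_MINUTES:
        problems.append(f"Renegotiate Data Channel must be at least {MIN_RENEGOTIATE_MINUTES} minutes")
    # Added sanity check (assumption, not from the page): with timeout <= interval a single
    # unanswered keep-alive would already close the tunnel.
    if s.keepalive_timeout <= s.keepalive_interval:
        problems.append("Keep-Alive Timeout should be longer than the Keep-Alive Interval")
    return problems


def client_connect_address(s):
    """What users type in the client: the host alone on port 443, host:port otherwise."""
    if s.data_port == DEFAULT_PORT:
        return s.firebox_address
    return f"{s.firebox_address}:{s.data_port}"


def client_download_url(s):
    """Where users download the client from the Firebox, per the configuration channel port."""
    port = "" if s.config_port == DEFAULT_PORT else f":{s.config_port}"
    return f"https://{s.firebox_address}{port}/sslvpn.html"


def unanswered_keepalives_before_close(s):
    """Keep-alives the Firebox sends without a reply before the timeout closes the tunnel."""
    return s.keepalive_timeout // s.keepalive_interval


if __name__ == "__main__":
    defaults = SslVpnAdvancedSettings()
    print("defaults:", validate(defaults) or "OK", client_download_url(defaults))
    # Data channel moved to TCP 444 but configuration channel left on 443: inconsistent.
    print("port mismatch:", validate(SslVpnAdvancedSettings(data_port=444)))
    custom = SslVpnAdvancedSettings(firebox_address="203.0.113.2", data_port=444, config_port=444)
    print("custom port:", validate(custom) or "OK", client_connect_address(custom),
          client_download_url(custom))
```

Run it with your planned values before you deploy; the mismatch case shows why changing the data channel port on a TCP configuration also changes the download URL users must use.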
Deploy the Configuration
After you save changes to the Mobile VPN with SSL configuration, deploy the configuration. For more information, see Manage Device Configuration Deployment.
Download the VPN Client
After you deploy the configuration, download the WatchGuard Mobile VPN with SSL client. For more information, see Download, Install, and Connect the Mobile VPN with SSL Client.