
WatchGuard® Mobile VPN with IPSec Administrator Guide

WatchGuard Mobile VPN v10.0


Revised: November 28, 2007


Summary of Contents for Firebox Vclass V100

Page 1: ...WatchGuard Mobile VPN with IPSec Administrator Guide. WatchGuard Mobile VPN v10.0. Revised: November 28, 2007 ...

Page 2: ...s with an initial LiveSecurity Service subscription to help customers stay on top of the security landscape with vulnerability alerts, software updates, expert security instruction, and superior customer care. For more information, please call 206-613-6600 or visit www.watchguard.com. Notice to Users: Information in this guide is subject to change without notice. Companies, names, and data used in examples ...

Page 3: ...esktop firewall software other than Microsoft firewall software from each remote computer. If the Mobile VPN with IPsec client software is installed on a computer with Windows Vista and the Windows Vista Firewall is in use, you must add a firewall exception (Control Panel > Security > Windows Firewall > Change Settings > Exceptions) for UDP port 4500. This will enable Mobile VPN keep-alive packets from the Fir...

Page 4: ...Settings tab, type an Account Name for the user. Type the password for the user. This is different from the shared secret you type in step 7 below. The Full Name and Description fields are optional. 4. Select the Allow access to VPN check box. 5. Click the MUVPN tab. 6. Select the Enable MUVPN for this account check box. 7. Type a shared key in the related field. The .wgx file is encrypted with this shared key ...

Page 5: ... connect to: Networks on the other side of a Branch Office VPN tunnel that the Edge has connected; Computers on the Edge's optional network; Networks that are behind a static route on the trusted or optional interface. 13. Click Submit. Get the user's .wgx file: The Firebox X Edge makes an encrypted Mobile VPN with IPSec client configuration (.wgx) file for every Firebox User that you give access to. To downl...

Page 6: ...er settings on this dialog box. This setting applies only to Mobile User VPN versions prior to 10.0. For version 10.0 and later, it does not matter what you use for this setting, because the Mobile VPN with IPSec software version 10.0 and later always uses a virtual adapter. See the Mobile User VPN Administrator's Guide for information about how this setting affects earlier versions of the Mobile User ...

Page 7: ...lation and Connection chapter in this user guide. Shared key: To import the end user profile, the user is requested to type a shared key. This key decrypts the file and imports the security policy into the Mobile VPN client. The key is set when you enable the Firebox User account to use Mobile VPN with IPSec. The shared key, user name, and password are highly sensitive information. For security reasons, we ...

Page 8: ...Distributing the Software and Profiles 6 Mobile User VPN ...

Page 9: ...tion levels. You must make sure you download and use WatchGuard System Manager with strong encryption when you use Mobile VPN with IPSec, because the IPSec standard requires 56-bit (medium) encryption at a minimum. You can install the Mobile VPN with IPSec client software on any computer running Windows 2000 Professional, Windows XP (32-bit), or Windows Vista (32-bit and 64-bit). Before you install the client...

Page 10: ...re to use. After you use the Add Mobile User VPN wizard, you can create or re-create a .wgx file at any time. If you want to lock the profiles for mobile users by making them read-only, see Locking Down an End User Profile on page 18. Configuring the Firebox for Mobile VPN: Use this procedure to enable Mobile VPN for an existing group of users or a new group you want to create. The users that are part of...

Page 11: ... select Setup > Authentication > Authentication Servers. Type a group name in the Group Name field. You can type the name of an existing Mobile VPN group or enter a group name for a new Mobile VPN group. Make sure the name is unique among VPN group names as well as all interface and tunnel names. See the Authentication chapter in the WatchGuard System Manager User Guide for more information. 5. Select a tun...

Page 12: ... traffic use the VPN tunnel. If you choose to force all Internet traffic to go through the tunnel, more processing power and bandwidth on the Firebox is used. However, the configuration is more secure. 7. Identify the resources accessible through the tunnel. Enter the IP addresses that the Mobile VPN users need access to. Click Add to add a host IP address or a network IP address. Type an address and click...

Page 13: ...ox appears. Click OK to close. The Mobile VPN client profile is saved in Documents and Settings\All Users\Shared WatchGuard\muvpn\ip_address\config_name\wgx\config_name.wgx. Configuring the external authentication server: If you create a Mobile VPN user group that authenticates to a third-party server, make sure you create a group on the server that has the same name as the Mobile VPN group name entere...

Page 14: ...the Users list. The Setup Firebox User dialog box appears. 4. Type a user name and passphrase for the new user. Type the passphrase again to confirm it. Description is not required. Do not change the values for Session Timeout and Idle Timeout unless the change is necessary. 5. In the Firebox Authentication Groups area, use the horizontal arrows to make the new user a member of the group you created in the...

Page 15: ...nfirm: Type the passphrase again. Primary: Select or type the primary external IP address to which Mobile VPN users in this group can connect. Backup: Select or type a backup external IP address to which Mobile VPN users in this group can connect. This backup IP address is optional. If you add a backup IP address, make sure it is an IP address assigned to a Firebox external interface. Session: Type the maximum...

Page 16: ... Select this setting to use a certificate for tunnel authentication. You must start the WatchGuard Certificate Authority if you select certificate-based authentication. You must also use the WatchGuard Log Server for log messages, and the Firebox must be a managed client of a WatchGuard Management Server. The WatchGuard Certificate Authority is installed by default as part of the Management Server ins...

Page 17: ...VPN user Internet traffic is not sent safely, but users can browse the Internet more quickly. Allowed Resources list: This list shows the resources that users in the Mobile VPN authentication group can get access to on the network. Click Add to add an IP address or IP address range to the network resources list. Click Remove to clear the selected IP address or IP address range from the network resource...

Page 18: ... behind a NAT device, select the NAT Traversal check box. NAT Traversal, or UDP Encapsulation, allows traffic to get to the correct destinations. To set the Keep-alive interval, type the number of seconds or use the value control to select the number of seconds you want. 5. You must select the IKE Keep-alive check box to have the Firebox send messages to its IKE peer to keep the tunnel open. If you disable...

Page 19: ...piration time of 8 hours. You can set the time up to one year. 6. Click OK. Allowing Internet access through Mobile VPN tunnels: You can give remote users access to the Internet through a Mobile VPN tunnel when you use the MUVPN wizard and select the "Yes, force all Internet traffic to flow through the tunnel" radio button on the Direct the flow of Internet traffic screen. This option adds Any-External as ...

Page 20: ...own all profiles so that users cannot make changes to their profile. 1. On the Mobile User VPN tab, click Advanced. The Advanced Export File Preferences dialog box appears. 2. To give mobile users only read-only access to their profiles, select the "Make the security policy read-only in the MUVPN Client" check box. The Mobile VPN client always uses a virtual adapter, so you should not change the virtual adap...

Page 21: ...dd individual policies: 1. In Policy Manager, click the MUVPN tab. 2. From the Show drop-down list, select the name of the Mobile VPN group for which you are adding a policy. You must select a group before you add a policy. 3. Add, edit, and delete policies as described in the Policies chapter in the WatchGuard System Manager User Guide. Make sure you save your configuration file to the Firebox after you make...

Page 22: ...atchGuard Mobile VPN with IPSec configuration gives you the ability to re-create end user profiles for your existing Mobile VPN users. Use this procedure to create new end user profiles with the same settings for the current MUVPN users. Mobile VPN configuration files, or profiles, are located in Documents and Settings\All Users\Shared Watchguard\muvpn\ip_address\config_name\wgx\config_name.wgx. If th...

Page 23: ...hared key: To import the end user profile, the user is requested to type a shared key. This key decrypts the file and imports the security policy into the MUVPN client. The key is set during the creation of the file in Policy Manager. The shared key, user name, and password are highly sensitive information. For security reasons, we recommend that you do not provide this information by email message. Because...

Page 24: ...column. This is the number of installed Mobile VPN licenses. Purchasing additional Mobile VPN licenses: WatchGuard Mobile VPN with IPSec is an optional feature. Each Firebox X device includes a number of Mobile VPN licenses. You can purchase more licenses for Mobile VPN. Licenses are available through your local reseller or at http://www.watchguard.com/sales. Adding feature keys: For information on adding f...

Page 25: ...d these requirements and recommendations. You can install the Mobile VPN with IPSec client software on any computer running Windows 2000 Professional, Windows XP (32-bit), or Windows Vista (32-bit and 64-bit). Before you install the client software, make sure the remote computer does not have any other IPSec mobile user VPN client software installed. You must also uninstall any desktop firewall software oth...

Page 26: ...ke sure you have the following installation components, which you should get from your network administrator: The Mobile VPN installation file; An end user profile with a file extension of .wgx; Shared Key; A .p12 certificate file if you are connecting to a Firebox X Core or Peak and use certificates to authenticate; User name and password if you are connecting to a Firebox X Core or Peak and use Extended...

Page 27: ... User Profile screen, type the shared key or passphrase supplied by your network administrator. The shared key is case-sensitive. Click Next. 4. On the Overwrite or add Profile screen, you can select to overwrite a profile of the same name. This is useful if your network administrator gives you a new .wgx file and you must reimport it. Click Next. 5. If you connect to a Firebox X Edge, click Finish. If you con...

Page 28: ...ndows Add/Remove Programs tool to uninstall the Mobile VPN client. After the Mobile VPN client software is installed the first time, it is not necessary to uninstall the Mobile VPN client software before you apply any upgrades to the client software. Before you start, disconnect all tunnels and close the Mobile VPN Connection Monitor. Then, from the Windows desktop: 1. Click Start > Settings > Control Panel. T...

Page 29: ...st, select the name of the profile you created for your Mobile VPN connections to the Firebox. Click Connect. Disconnecting the Mobile VPN client: From the Mobile VPN Monitor, click Disconnect. Controlling connection behavior: For each profile you import, you can control the action the Mobile VPN client software takes when the VPN tunnel goes down for any reason. To set the behavior of the Mobile VPN clien...

Page 30: ...start the VPN tunnel automatically if the VPN tunnel goes down. Variable: When you select variable connection mode, the client tries to restart the VPN tunnel automatically until you click Disconnect. The client does not try to restart the VPN tunnel again until after the next time you click Connect. 5. Click OK. Mobile User VPN client icon: The Mobile User VPN icon, which is in the Windows desktop system ...

Page 31: ...ndly networks and set access rules separately for friendly and unknown networks. Enabling the link firewall: When the link firewall is enabled, the Mobile VPN client software drops any packets sent to your computer from other hosts. It allows only packets sent to your computer in response to packets your computer sends. For example, if you send a request to an HTTP server through the tunnel from your ...

Page 32: ...ed for the client in the client profile they import. Unknown networks: Any network not specified in the firewall. Friendly networks: Any network specified in the firewall as a known network. Enabling the desktop firewall: To enable the full-featured desktop firewall: 1. From the WatchGuard Mobile VPN Connection Monitor, select Configuration > Firewall Settings. The firewall is disabled by default. 2. When you e...

Page 33: ... rules you create for connections to the Internet and to remote VPN networks. 1. On the Firewall Settings dialog box, click the Friendly Networks tab. 2. Click New to add a new friendly network. The Automatic Friendly Network detection feature does not work in this release of the Mobile VPN with IPSec client software. Creating firewall rules: Use the Firewall Rules tab to create exceptions to the firewal...

Page 34: ... rule called "Web surfing" that includes traffic on TCP ports 80 (HTTP), 8080 (alternate HTTP), and 443 (HTTPS). State: To make a rule inactive, select Disabled. New rules are enabled by default. Direction: To apply the rule to traffic that comes from your computer, select outgoing. To apply the rule to traffic that is sent to your computer, select incoming. To apply the rule to all traffic, select bidirectional. Assig...

Page 35: ...ocal IP Addresses setting to enable the Any IP address radio button. If you are configuring an incoming policy, you can add the ports to control with this policy in the Local Ports settings. If you want to control more than one port in the same policy, select Several Ports or Ranges. Click New to add each port. If you select the Explicit IP Address radio button, make sure you specify an IP address. Do no...

Page 36: ...P3 server as an Explicit IP Address in the Remote IP Addresses section. Then, in the Remote Ports section, specify port 110 as an Explicit Port for this rule. If you select the Explicit IP Address radio button, make sure you specify an IP address. Do not keep the IP address set to 0.0.0.0. Applications tab: Use the Applications tab if you want to put a limit on your rule so it applies on the Firewall Sett...

Page 37: ...Administrator Guide 35 Securing Your Computer with the Mobile VPN Firewall ...

Page 38: ...Securing Your Computer with the Mobile VPN Firewall 36 Mobile User VPN ...
