You want to setup a mobile VPN on the WatchGuard Firebox XTM firewall. This will allow mobile users to connect with a VPN client.
You have 3 options for this: IPSEC, SSL, or PPTP. Let’s ignore PPTP completely since PPTP is not really secure. IPSEC and SSL are left. IPSEC works at the network layer and is generally considered to be fast. However, some firewalls still cause issues with IPSEC VPNs. SSL is going to be slower, but generally works everywhere. (This goes for any VPN, not just WatchGuard’s.)
For this article, we’ll go the SSL VPN route. This walk-through was done by actually performing these steps, but you can also read through the WatchGuard docs on the SSL VPN process.
- Log into the web admin UI for your XTM firewall. (I’m using a 5-series in this article.)
- Click on VPN.
- You’ll see several options below VPN. Choose Mobile VPN with SSL.
- SSL VPN will probably be disabled. Enable it by clicking on “Activate Mobile VPN with SSL”.
- Next, you need to set the Primary IP in the “Type a Firebox IP Address or domain name..” field. This is just the external (public) IP of the Firebox. So if your public IP was 188.8.131.52, then you would use that.
- Set the Virtual IP address pool to an unused subnet, 192.168.113.0/24 in this case.
- Click Save.
- Click on the Advanced tab. Here, we’ll set the information that the VPN gives the client for access to the local network (DHCP).
- For Domain Name, set the LAN domain name (e.g., example.com).
- For DNS Servers, set the IPs to be your primary and secondary internal DNS.
- For WINS, generally you’ll leave blank.
- Click Save.
Okay, the VPN is setup now. Next, ensure you have the right Firebox user group defined to have access to the VPN.
- In the Mobile VPN with SSL configuration screen, click on the Authentication tab.
- The default is to use the Firebox-DB (an internal DB of users). You can authenticate against a directory, etc., but the internal DB is fine generally.
Next, you’ll want to add users to the WatchGuard Firebox XTM SSLVPN-Users group.