SSL or IPSEC Mobile VPN... but WITHOUT Radius?

Is it possible to configure AuthPoint MFA for VPN access via my WatchGuard Firebox M370... without using any additional Gateway or server (such as a RADIUS server)?

We're currently using the Firebox SSL VPN with passwords... and I'd really like to upgrade to an MFA system. We don't have a local AD anymore (we exclusively use Azure AD)... and I don't want to set up a separate Gateway.

I'm happy to manage my users in AuthPoint or, as I do today, via the Firebox-DB.

Is this a potential configuration?

Thanks!

Peter

Comments

  • Bump?

  • No.

    You need to set up the AuthPoint Gateway somewhere (not necessarily on a DC; any Windows machine will work). The AuthPoint Gateway services will function as a RADIUS server and connect to the AuthPoint cloud services.

    You can manage all users in AuthPoint only, without having an AD, but WatchGuard will use the RADIUS component of the AuthPoint Gateway to authenticate. The Firebox will always use that RADIUS, and that RADIUS will always use AuthPoint as the user database.

    If you have an AD, the AD users may be synced to AuthPoint by an LDAP component of the AuthPoint Gateway, but this is not mandatory.

    The configuration of the AuthPoint Gateway is quite straightforward.

    Cheers
    Werner

  • Thanks for the reply.

    Sigh! It’s unfortunate that the Gateway is required, and the firewall can’t talk directly to Authpoint in the cloud. We’ve just spent the last year getting RID of on prem servers of all types, to the point where we have no critical infrastructure on prem at all. No ADs, no email, nothing.

    So, I’m unlikely to install a new server just to serve as a relay for Authpoint. It’d be the only server at our site!

    I sure wish there was some way to further lock-down our mobile VPN access that talks directly to the cloud, and that didn’t involve having to install a relay server.

    If anybody is aware of such a solution, I’d very much appreciate knowing about it.

    Thank you again,

    Peter

  • @PeterGV , We have the exact same scenario for us and a number of our customers. It's frustrating!

  • Yes it is possible - sort of - but not using the Firebox-DB as the source of the user/passwords.
    "SSLVPN would connect via RADIUS (The Authpoint Gateway acts as the local radius server.)"

    Review the replies from James, in this post:

    Utilize AuthPoint with Firebox-DB
    https://community.watchguard.com/watchguard-community/discussion/372/utilize-authpoint-with-firebox-db

    I’m confused. Can somebody PLEASE explain a bit more if this is possible or not, and if so how. And, yes... I DID read the thread cited and the doc page that thread cites. I still don’t get how this gets us 2FA on AuthPoint.

    I’m sure I’m being dumb... but I’m no expert on AuthPoint. I’d really appreciate the help. I’m stuck with SSL VPN using passwords alone at this point, and that’s terrible for security.

    Peter

  • MartijnN (WatchGuard Representative)

    At present, for IPSec and SSL VPN the Firebox has to be a RADIUS client and needs to talk to an AuthPoint Gateway acting as RADIUS server; it's best to have the AuthPoint Gateway local to the Firebox. If you have many Fireboxes, in theory you can do RADIUS over a BoVPN to a centralized AuthPoint Gateway, so you don't need to run the Gateway at every location. For the Access Portal with clientless VPN it's different: that implementation supports SAML and can therefore be integrated directly with the AuthPoint IdP, eliminating the need for the Gateway.
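An added example, not from this thread and not WatchGuard's or AuthPoint's code: a minimal RADIUS Access-Request / Access-Accept round trip in Python per RFC 2865, of the kind the Firebox performs as RADIUS client against the AuthPoint Gateway acting as RADIUS server. The shared secret, user name, password and NAS identifier are constructed values; the toy server only checks a static password list and does no MFA, so it stands in for the Gateway's RADIUS front end, not for AuthPoint itself.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used below (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

# Constructed for this example; in a deployment the same secret is configured on the
# Firebox (RADIUS client) and on the AuthPoint Gateway (RADIUS server).
SHARED_SECRET = b"example-shared-secret"


def obscure_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(obscured: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of obscure_password; trailing NUL padding is stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(obscured), 16):
        key = hashlib.md5(secret + prev).digest()
        block = obscured[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(payload: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        attr_type, length = payload[i], payload[i + 1]
        if length < 2:  # malformed attribute: stop rather than loop forever
            break
        attrs[attr_type] = payload[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier, secret, username, password, authenticator=None):
    """Client side: what the Firebox sends for a VPN login."""
    authenticator = authenticator or os.urandom(16)  # fresh 16 random bytes per request
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, obscure_password(password, secret, authenticator))
             + encode_attr(ATTR_NAS_IDENTIFIER, b"firebox-sslvpn"))  # constructed NAS name
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def handle_request(request, secret, users):
    """Toy RADIUS server standing in for the Gateway's RADIUS front end (no MFA here)."""
    code, _, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return build_response(ACCESS_REJECT, request, secret)
    attrs = parse_attrs(request[20:])
    username = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    ok = hmac.compare_digest(users.get(username, b"\x00"), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def verify_response(response, request, secret) -> bool:
    """Client side: accept a reply only if the ID matches and the authenticator verifies."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def login(username, password, users, client_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """Full round trip; returns (response code, whether the client verified the reply)."""
    request = build_access_request(7, client_secret, username, password)
    response = handle_request(request, server_secret, users)
    return response[0], verify_response(response, request, client_secret)


USERS = {b"peter": b"correct horse battery staple"}  # constructed user database

if __name__ == "__main__":
    print(login(b"peter", b"correct horse battery staple", USERS))
```

What the exchange shows about the "keep the Gateway local" advice: the only protection RADIUS gives the user's password on the wire is the MD5-keyed XOR above, and the only thing binding the Access-Accept to the request is an MD5 over the shared secret (the example omits the optional Message-Authenticator attribute of RFC 2869). Neither is modern cryptography, so the Firebox-to-Gateway leg belongs on a trusted local segment or inside a BoVPN, exactly as the reply above recommends, rather than across the open Internet to a remote Gateway.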

  • Sorry... what does that mean? My goal is 2FA VPN through my Firebox with no local server or relaying client.

    Is there a configuration that’ll let me do this? I’ve been in search of an answer for months, and was told “no”. But if the answer is “yes” I’ll be very happy.

    Peter

  • The Firebox will support AuthPoint directly from the box soon, stay tuned! You won't need the AuthPoint Gateway, unless you want to authenticate or synchronize your users with a local AD Server.

  • @Alexandre_Cagnoni Thank you! Yay! :D

    Exactly what I was hoping for.

    Peter
