vsslvpn-client.wgssl for o365 saml authentication
Good morning,
I would like to create a vsslvpn-client.wgssl configuration file for my users to enable them to use Office 365 SAML authentication. Does anyone have an example file?
Thanks
Comments
Hi @asking_for_a_friend
Generally the SSLVPN client will download and cache profile information on first connection. The client.wgssl file is generally used for troubleshooting in situations where the client can't download the profile data from the firewall.
Using SAML requires we pull profile data from the SAML server (specifically group information and potentially an MFA challenge status).
Using the client.wgssl file doesn't copy the profile to the user's roaming profile -- preventing use of items like the SSLVPN checking/notifying for certificate changes as well as the use of a backup FQDN/IP.
What specifically are you trying to solve by using the client.wgssl file? If you are not actively troubleshooting a problem, I'd suggest having the users log in normally.
-James Carson
WatchGuard Customer Support
Good evening,
Thank you for your reply. I have 60 Windows 11 clients with Intune. I deploy the mobile SSL VPN application with Intune but would also like to deploy the connection profile via file. As long as it's about onboarding 1 device it's not a problem, but when the change affects 11 or 12 notebooks at the same time, which also work remotely, I would like to have the client ready with the VPN address already entered and the tick on SAML connection already selected.
@asking_for_a_friend
The client profile is downloaded when the user connects for the first time. There really isn't a need to deploy the profile separately. If you change something in the profile (like an SSLVPN setting), it automatically updates via that same mechanism.
The way you want to do this, you will need to re-deploy the client.wgssl file every time, manually (or via Intune). The client.wgssl file overrides the profile the user has, even if it has wrong info in it.
If you must do it this way, you can generate a new client.wgssl file here:
(Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_manual-distribution_c.html
With the new client.wgssl file, the user will need to check "Use SAML Authentication" each time they do this, since profile data is not being stored to the user's roaming profile.
Again, strongly recommend you don't do this. This feature is intended for troubleshooting, and will cause you issues when something in that profile inevitably changes.
-James Carson
WatchGuard Customer Support