Mobile VPN Access with Active Directory

Mobile VPN SSL access with AD is being set up on a WG M370. AD was set up in WatchGuard and the setup was tested successfully via the Fireware Web UI. The VPN client was downloaded and installed, but the VPN connection failed. Logging was enabled for the VPN policy, but I don't see anything in the monitor. Why would the connection fail without being logged?

Comments

  • What AD group name have you set up in the firewall SSLVPN config?
    Have you added users to that AD group?

    You can turn on diagnostic logging for authentication which may show something to help:
    . Policy Manager: Setup -> Logging -> Diagnostic Log Level -> Authentication
    or
    . Web UI: System -> Diagnostic Log
    Set the slider to Information or higher

  • An AD group called Office VPN was created. I added myself to the group. Office VPN was added to the FROM in the SSLVPN policy. Additional logging was added for Authentication and the level was set to debug. The connection fails and no additional logging is occurring. The VPN client never gets past the message "contacting server". I am using the WG's external IP as the server.

  • edited February 2020

    If testing from behind the firewall:
    . Check the WatchGuard SSLVPN policy From: field - make sure that it includes the interface name or interface type (i.e. Any-trusted)
    . Try using the IP addr of the firewall interface to which the client is connected
    You can turn on Logging on this policy to see packets allowed by it in Traffic Monitor.

    You can also turn on diagnostic logging for SSLVPN which may show something to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> SSL
    In the Web UI: System -> Diagnostic Log
    Set the slider to Information or higher

    You can check the SSLVPN client logs - right click on the client icon in the Windows System Tray - select View Logs

  • The client reported "Failed to get domain name".

  • Nothing in Traffic Monitor to help?

  • The mobile VPN wizard must have set it up to use 8443 instead of 443. I added this to the client server name: IP:8443 and it worked. Thanks for your help.
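The thread ends with the client hanging at "contacting server" because it was talking to port 443 while the firewall's SSLVPN listener was on 8443. The script below is an added example, not from the thread or from WatchGuard: it splits a Server field value as typed into the client ("host" or "host:port", with 443 assumed when no port is given, which matches the default the wizard replaced), then probes each candidate port over TCP and reports open / refused / timeout so you can tell a wrong-port problem apart from a blocked one before digging through Traffic Monitor. The candidate port list (443, 8443) and the 3-second timeout are assumptions chosen for this example.

```python
import socket
import sys
from typing import Dict, Tuple

# Port the SSL VPN client assumes when the Server field carries no ":port"
# (the thread's fix was to append :8443 because the wizard had moved the
# listener off 443).
DEFAULT_SSLVPN_PORT = 443

# Candidate listener ports to probe; assumed for this example.
CANDIDATE_PORTS = (443, 8443)


def parse_server(spec: str, default_port: int = DEFAULT_SSLVPN_PORT) -> Tuple[str, int]:
    """Split a client Server field value into (host, port).

    Accepts 'host', 'host:port', 'ip', 'ip:port', bare IPv6 ('fe80::1')
    and bracketed IPv6 with a port ('[fe80::1]:8443').
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("empty server field")

    if spec.startswith("["):  # bracketed IPv6, optionally followed by :port
        host, sep, rest = spec[1:].partition("]")
        if not sep:
            raise ValueError(f"unterminated IPv6 literal: {spec!r}")
        port_text = rest[1:] if rest.startswith(":") else ""
        return host, _port_or_default(port_text, default_port)

    if spec.count(":") > 1:  # bare IPv6 address, no port possible
        return spec, default_port

    host, sep, port_text = spec.rpartition(":")
    if not sep:
        return spec, default_port
    return host, _port_or_default(port_text, default_port)


def _port_or_default(text: str, default_port: int) -> int:
    """Validate an explicit port string; fall back to the default if empty."""
    if text == "":
        return default_port
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP connect to host:port and classify the outcome.

    'open'    - something accepted the connection (not proof it is SSLVPN)
    'refused' - host answered with RST: reachable, nothing listening there
    'timeout' - no answer: filtered, wrong IP, or a routing problem
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:  # DNS failure, no route, etc.
        return f"error: {exc}"


def check_candidates(spec: str, candidates=CANDIDATE_PORTS) -> Dict[int, str]:
    """Probe the port the user typed plus every candidate port once each."""
    host, typed_port = parse_server(spec)
    ports = [typed_port] + [p for p in candidates if p != typed_port]
    return {port: probe(host, port) for port in ports}


if __name__ == "__main__":
    # usage: python sslvpn_port_check.py <firewall-ip-or-name[:port]>
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # TEST-NET-3 placeholder
    host, port = parse_server(target)
    print(f"Server field {target!r} -> host {host}, port {port}")
    for p, result in check_candidates(target).items():
        print(f"  tcp/{p}: {result}")
```

An "open" on 8443 and "refused" on 443 reproduces the situation in the thread: the firewall is reachable, but the client was knocking on a port with no SSLVPN listener, which is also why nothing showed in Traffic Monitor for the VPN policy. "open" only means a TCP handshake completed; confirm the service by browsing to https://host:port and checking for the SSLVPN login page.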