Starting with SSL Mobile VPN

Hello.
With actual Corona-pandemy we have the task to enable Mobile VPN. I want to use SSL here.
The basic config is ready for testing, but not enabled.
On our firebox (12.5.2) we use several IP-addresses. When I enable Mobile VPN SSL there comes a warning, that other policies are used before the MobileVPN was used
The autonumber function ist on.
Like many others I'm in homeoffice, using Citrix. I don't know, what's happens, when I activate the new policies. I not interested in, to drive to the office to revert this policy...

For the moment I started with authentifaction to an intern RADIUS service. With this I be able to add several groups. Admins and user should have different permissions here.
For using Citrix we have configured MFA with Authpoint. Is it possible to use several group here?

In the SSL Advanced settings, there are several options for encryption. Here want to start with the defaults first. In case of performance problems, what is a good combination of security and performance?

Thanks in advance for your answers.

Take care and stay healthy.

Regards from Homeoffice

Dirk Emmermacher.

Comments

  • Review this recent video:
    Optimize Mobile VPN with SSL
    https://www.watchguard.com/help/video-tutorials/Optimize_Mobile_VPN_with_SSL/index.html

    The warning will happen if you have an incoming policy which uses the same port as is used in SSLVPN. The default port is TCP 443 - which is HTTPS.
    If you have multiple public IP addrs and the one being used by SSLVPN is not also used for some other policy, you can ignore the warning.

  • Hello Bruce.
    Thanks for your answer. I sawn the video, its very interesting. So I will play around with settings, if necessary.

    Take care for you and stay healthy.

    Regards

    Dirk

  • Hello Bruce.
    I saved my config to the box. There are some things, that I must fix here.
    1. With my credentials I are not valid. In System Manager I can see traffic to my Radius server. I will search for the problem.

    1. My Citrix login page was replaced by Watchguard's login page. Horrible, when my users can't login. Here I use a packed filter using Snat.

    So I'll be back next week.

    Have a nice weekend and stay healthy.

    Dirk

  • "My Citrix login page was replaced by Watchguard's login page."

    You mentioned having several IPs, so I assume that you mean that you have the typical block of 5 usable static IPs (or more) from your ISP. If you have one of those IPs that is not in use, use that one for the SSLVPN. That will get rid of the SSL warning when saving and get rid of the SSLVPN login page answering where the Citrix should be answering, because they will both have their own IP now.

    Gregg Hill

  • Hello Greg.

    Thanks for your answer. My citrix ADC runs on another ip than SSL VPN.
    The address I used here, is not in use with https, but with SMTP and some other ports.
    The old http/https proxies are present in ruleset, but not active.

    Regards

    Dirk

  • If your Citrix ADC runs on another IP than SSL VPN and the SSLVPN page took over the Citrix login, then I am really confused! The only way the SSLVPN page should be able to answer where Citrix had been answering is if they use the SAME IP. I had this issue when I ran my own Exchange server with OWA and I had only one IP address.

    Gregg Hill

  • @Catweazle30169 are you sure that your incoming SSLVPN policy on port 443 does not say From: any external, and instead says from some other public IP address.

  • edited April 2020

    In this case, the From: IP addr should be the public IP addr of your SMTP server.

  • "The old http/https proxies are present in ruleset, but not active" may be why you are seeing the SSL warning if you are not using one IP with two targets with SSL.

    Gregg Hill

  • Hello.
    I'll check it tomorrow.

    Stay healthy :)

    Dirk

  • Hello.
    We found the problem and solved it. We modified the default Watchguard SSLVPN policy. The "To" was changed from Firebox to ip-address we're using for SSLVPN.

    Have a nice day and stay healthy ;)

    Dirk

  • edited April 2020

    I almost mentioned changing the To target but when I tried to remember a config from five years ago, I thought I had changed it to be the Firebox, so I didn't say anything. I am probably thinking of my own OLD config from my Core X550e. I am going to look for a copy of that config.

    EDIT: so far, all I have found is mine pointing To at Firebox.

    Gregg Hill

  • Hello Greg.
    Yesterday I made some changes on my config. Now the WG-SSL login page is back. For the moment I'll be back on the old config - without SSLVPN. I will search for a solution.

    Stay healthy

    Dirk

  • Firebox is an alias for all firewall interfaces
    Make sure that the SSLVPN policy is still your desired public IP addr and not Firebox

  • Hi Bruce.
    We corrected this. The WSM created a new Default policy for SSL-VPN after we renamed it. We didn't see see this. Now the default policy ist deactivated.
    The auto number function is also disabed.
    For the moment all looks fine.

    Have a nice day - and stay healthy in this crazy times :)

    Dirk

  • Disable is the way to deal with an auto-created policy that you want to not be used.
    As you found out, rename is not a good method for them - as the default policy will get auto-created again.

  • Hi Bruce.
    That's what I learned here.

    Stay healthy!

    Dirk

Sign In to comment.