SSL VPN Client GUI Update/Modernization

The WatchGuard SSL VPN Client (Windows/Mac) desperately requires a GUI update/modernization. The GUI has remained unchanged for the 5 years I have been using WatchGuard hardware, and is extremely dated. The SSL VPN client is behind the market by a long shot in terms of UI and feature set compared to Juniper, Cisco, SonicWall, FortiGate, etc.

Additional Details:
-Dated Windows Forms UI
-Poor graphical rendering on modern high resolution/DPI displays
-No client customization possible
-No ability to add 3rd party 2FA/TFA
-No pre-deployment package/setting/configuration options

Comments

  • None of what you mention bothers me on my small networks, although I can see that pre-deployment package/setting/configuration options would be nice to have for bigger networks.

    I use Duo Security with RADIUS on my server for my SSLVPN 2FA.

    Gregg Hill

  • I agree the SSL VPN Client needs plenty of attention. Specifically:
    A silent install option, preferably with an MSI version for easier deployments in large environments.

  • There already is a silent install option with the exe "/S" that works well enough. An option to specify the server would be nice. And automatically using the current Windows credentials would be even better! GUI updates are low priority (as they are never seen) IMHO.

  • "And automatically using the current Windows credentials would be even better!" does not work for me. Unless I run the installer as admin, it won't install the TAP adapter properly.

    Gregg Hill

  • Automatically using the currently logged-on user's credentials would be for connecting to the VPN, not installing. Installing apps will also require admin permissions.

  • @BrianSteingraber said:
    Automatically using the currently logged-on user's credentials would be for connecting to the VPN, not installing. Installing apps will also require admin permissions.

    Ah, I see your point now.

    Gregg Hill

  • In addition to being able to specify the server at deployment time, I'd really like to see some support for pre-login connection so that group policies can be applied to the user. Although, knowing OpenVPN, I'm not sure that's realistic without compromising security.

    As far as deployments go, I use the following switches to install the client silently, with TAP driver, and a desktop icon:

    /silent /verysilent /Components=main,tapdriver /tasks=desktopicon

  • There is also a kind of pre-deployment option.
    It is a bit tricky to get the config file (which is somewhere in the support.tgz).
    (I don't mean the client.ovpn. I am referring to the client.wgssl file.)

    Using the client.wgssl file, you can just click on that file to start the VPN, without any need to enter the server name/IP.

    See the documentation for more:

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_manual-distribution_c.html

    --
    Werner

  • It would be useful for clients to detect that they are running an older client version and be forced to update as a policy setting from the Firebox.

  • james.carson Moderator, WatchGuard Representative

    Hi @HealthyPC
    This actually used to be an automatic option, but was removed because it required that the users be local admins on their machines in order for it to work.

    While ensuring the most up to date client can be helpful, causing it to force an install like that would get customers without admin rights stuck in a failed install loop.

    -James Carson
    WatchGuard Customer Support

  • Thanks James, can it be done as an option now, or could a consideration be made to just provide a notification that an upgrade should be run for some of those sites that have users with local admin?

  • james.carson Moderator, WatchGuard Representative

    Hi @HealthyPC
    I looked into this, and it was actually a bug that it wasn't asking. The bug was fixed in 12.5.3 client forward. The VPN client should pop up and ask /if/ the user is an admin and they connect to a firewall that hosts a higher version of the SSLVPN client.

    Keep in mind that the SSLVPN client version does not always rev with firmware versions. If there isn't, there won't be a prompt. The easiest way to check is to log into your firewall's SSLVPN page and download the installer there.

    -James Carson
    WatchGuard Customer Support
