SSL or IPSEC Mobile VPN... but WITHOUT Radius?

Is it possible to configure Authpoint MFA for VPN access via my Watchguard Firebox M370... without using any additional Gateway or server (such as a Radius server)?

We're currently using the Firebox SSL VPN with passwords... and I'd really like to upgrade to a MFA system. We don't have a local AD anymore (we exclusively use Azure AD)... and I don't want to setup a separate Gateway.

I'm happy to manage my users in Authpoint or as I do today via the Firebox-DB.

Is this a potential configuration?




  • No.

    You need to setup the authpoint gateway somewhere (not necessarily on a DC, any windows will work). the authpoint gateway services will function as a radius server and connect to the authpoint cloud services.

    you can manage all users in authpoint only without having an AD, but watchGuard will use the radius component of the authpoint gateway to authenticate. the firebox will always use that radius, and whether that radius will always use authpoint as a user database.

    if you have an AD, the ad users may be synced to auhtpoint by an ldap component of the authpoint gateway. but this is not mandatory.

    the configuration of the authpoint gateway is quite straight forward.


  • Thanks for the reply.

    Sigh! It’s unfortunate that the Gateway is required, and the firewall can’t talk directly to Authpoint in the cloud. We’ve just spent the last year getting RID of on prem servers of all types, to the point where we have no critical infrastructure on prem at all. No ADs, no email, nothing.

    So, I’m unlikely to install a new server just to serve as a relay for Authpoint. It’d be the only server at our site!

    I sure wish there was some way to further lock-down our mobile VPN access that talks directly to the cloud, and that didn’t involve having to install a relay server.

    If anybody is aware of such a solution, I’d very much appreciate knowing about it.

    Thank you again,


  • @PeterGV , We have the exact same scenario for us and a number of our customers. It's frustrating!

  • Yes it is possible - sort of - but not using the Firebox-DB as the source of the user/passwords.
    "SSLVPN would connect via RADIUS (The Authpoint Gateway acts as the local radius server.)"

    Review the replies from James, in this post:

    Utilize AuthPoint with Firebox-DB

  • I’m confused. Can somebody PLEASE explain a bit more if this is possible or not, and if so how. And, yes... I DID read the thread cited and the doc page that thread cites. I still don’t get how this gets us 2FA on Authpoint.

    I’m sure I’m being dumb... but I’m no expert on Authpoint. I’d really appreciate the help. I’m stuck with SSL VPN using passwords alone at this point, and that’s terrible for security.


  • MartijnNMartijnN WatchGuard Representative

    At present for IPSec and SSL VPN the Firebox has to be a RADIUS client and needs to talk to an AuthPoint Gateway acting as RADIUS server, it's best to have the AuthPoint Gateway locally to the Firebox. If you have many Fireboxes in theory you can do RADIUS over a BoVPN to a centralized AuthPoint Gateway, preventing you need to run the Gateway on every location. For the Access Portal with clientless VPN, it's different, that implementation supports SAML and can therefore be integrated directly with AuthPoint IdP eliminating the need for the Gateway.

  • Sorry... what does that mean? My goal is 2FA VPN through my Firebox with no local server or relaying client.

    Is there a configuration that’ll let me do this? I’ve been in search of an answer for months, and was told “no”. But if the answer is “yes” I’ll be very happy.


  • The Firebox will support AuthPoint directly from the box soon, stay tuned! You won't need the AuthPoint Gateway, unless you want to authenticate or synchronize your users with a local AD Server.

  • @Alexandre_Cagnoni Thank you! Yay! :D

    Exactly what I was hoping for.


  • I see the comment from Alexandre_Cagnoni. Did this get implemented?

  • Not as far as I've been able to tell... and I've been eagerly awaiting this.


  • It's already under work, planned for Q4

  • Will somebody post something here, please... when this feature ships?

    I’ve been looking for a long while....


  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @PeterGV

    We don't have a system to run notifications like that in the forums, but if you create a case and mention that you'd like a notification when an feature is ready, a case can be set up that way, and you'll be contacted when your feature is available.

    If you'd like to open a case, I'd suggest mentioning "AAAS-1450" somewhere in the description. (it'll help the tech find the issue much more quickly.)

    -James Carson
    WatchGuard Customer Support

  • Thank you, Mr. Carson.


  • @PeterGV Has this feature been released or have you identified a solution to this configuration?

  • Has this feature been released or have you identified a solution to this configuration?

    Not the best of my knowledge. And no... no solution so far.



  • @PeterGV this feature will be on Fireware 12.7 and is entering Beta in the next couple of weeks, please keep an eye on that!

  • @Alexandre_Cagnoni ... that's great news, thanks.


  • To close the loop on this: We finally configured and got this working a couple of weeks back... "this" being AuthPoint 2FA and our VPNs, with users specified in the cloud.

    Not only does it work, but it works GREAT.

    Not to winge too much, but it'd be even greatER if you could use a "standard Authenticator" (like Google Authenticator or Microsoft Authenticator). But even using the required Authpoint App is "just fine" at this point.

    Yay and thank you WatchGuard.

  • Hello, Peter!

    How does "with users specified in the cloud" work with user passwords? Are the passwords different than any other password they use? Or do they have to match an Azure AD password?

    Gregg Hill

  • @greggmh123 said:
    Hello, Peter!

    How does "with users specified in the cloud" work with user passwords? Are the passwords different than any other password they use? Or do they have to match an Azure AD password?

    That is a great question.

  • I would just sync users with AD or Azure AD, the password authentication request is sent to AD/Azure AD, and if it works, a Push is sent to the user. This is the easiest way to do it.

  • Hello, Peter!

    How does "with users specified in the cloud" work

    I apologize for not answering sooner... I was sick the past couple of days.

    Unfortunately, in my case I'm not synch'ing my VPN users with AAD... JUST to WatchGuard Cloud. So, I've issued unique username/password pairs to users in WatchGuard Cloud (who may or may not have an account in AAD) and then require the second factor using "push".

    Sorry for not being more clear in my initial post.


  • Thank you for the clarification.

    Gregg Hill

Sign In to comment.