Comments
-
Check out the 12.5.4 Beta. It has a feature that may help.
-
Yes, you will need a switch. You can certainly use an existing switch and use VLANs. That's what I do and it works well (as long as you have enough open ports).
-
Right. I recently came across your Spiceworks Post (https://community.spiceworks.com/how_to/110660-watchguard-bovpn-tunnels-policies-explained) and am wondering why you use a BOVPN policy vs. a normal policy?
-
Automatically using the currently logged-on user's credentials would be for connecting to the VPN, not installing. Installing apps will also require admin permissions.
-
There already is a silent install option with the exe "/S" that works well enough. An option to specify the server would be nice. And automatically using the current Windows credentials would be even better! GUI updates are low priority (as they are never seen) IMHO.
-
I've thought about that but with 3x HTTPS Proxy Rules (Full Internet, Standard Internet, Servers Internet) per firewall and 3x firewalls, that's 9 changes instead of 3.
-
That's an expected problem to run into. The WatchGuard SSLVPN app does NOT have the ability to tunnel all with exceptions. You can either add routes on your clients or revert back to Split Tunnel. See this Microsoft Article: https://docs.microsoft.com/en-us/office365/enterprise/office-365-vpn-implement-split-tunnel
-
You should also be able to exclude all the VOIP traffic between your sites from the additional Security Services so they just pass through the firewalls.
-
Can you show the affected traffic logs and your policy? Make sure the to/from and packet/policy all match the affected traffic...
-
Will do. Thanks James!
-
@Juan_Nakasone, any update on this feature?
-
Good request. I do this now with PRTG and SNMP which works well.
-
Thanks for that info Ryan!
-
WG Support has created a bug for this and is investigating.
-
The current exclusions are limited to the Program Files (x86)\Webroot folder, not the user's temp folder.
-
When you ping the computer name withOUT the domain name, does it show it's pinging the computer name with the domain name?
-
Are you not using a public RootCA signed cert for your Firebox?
-
Saw that as well. TESTING is highly recommended if you are considering this change as outbound UDP 443 may (should) be blocked. The HTTPS Proxy does NOT include UDP. I'll be testing this change in my own environment this week.
-
Moving away from 3DES (to AES) should have previously been done for security reasons. Users can change from AES-128/192/256 to AES-GCM for performance reasons.
-
With your main network on the 192.168.1.x range and many home users on that range, you may need to implement some NAT. WatchGuard has some existing education material on how to do this in the BOVPN scenario. The SSL-VPN scenario may be similar. Recommend opening a WG Support ticket.
-
You are looking for reporting on the duration of your users' VPN sessions?
-
I'm on 12.5.2 Firebox and 12.2 SSLVPN client and it works for me as well. I am tunneling all traffic (not split-tunnel).
-
There is not... I have been wanting that for a while. No luck.
-
I wouldn't go lower than AES128.
-
I'm not aware of Azure AD being an option. You can use Active Directory (or any LDAP compatible directory) however.
-
Another simpler solution that WG could implement: Require Client side Certificate (where the CA cert needs to be loaded on the Firebox).
-
ACLs won't stop an authorized user from using their personal computer. Besides policy, I'm not aware of any current technical means of preventing that. Maybe 802.1x requiring Computer and User authentication over the VPN?
-
A better mitigation strategy would be to require MFA for user authentication and set up ACLs for the VPN network traffic.
-
So the SSLVPN software isn't specific to your firewall or company. You are using the same software that we are (and every WG SSLVPN user out there is). Limiting the software isn't feasible.
-
I'm not sure if you can disable that page AND use the SSLVPN. I would recommend opening a case with WG Support (or let them pipe in here). @Bruce_Briggs @Greggmh123 @James_Carson