Tristan.Colo

About

Display Name: Tristan.Colo
Visits: 76
Roles: No Roles
Points: 19
Badges: 1

Comments

  • RD Web works with this. I advise using RD Web to authenticate and then just using Logon App to lock down the RDP files that the RD Web console downloads if they are using Chrome (if in Edge, have clients open this in IE mode and then the client won't download). Their RD Web integration is much more Geo friendly :-) This has…
  • Correct, OTP and QR Code are methods for offline MFA. QR Code is technically the "Preferred" method if you are to go "anti-OTP" one day (good luck with that mantra...)
  • > @TestingTester said: > We had put them into one of our staff members homes. He has four between the main house and one in a horse barn area. So far, I guess they are working great. I do worry a bit about Fast Roam without a WLC, not like the WG one ever worked very well. > > In smaller environments the MerakiGo APs seem…
  • It will not use Microsoft tokens. If you want it to be used as OTP for 365 you have to tell 365 to use a third-party (Usually they have Google as an option) and then you can scan with AuthPoint (or other MFA Tools). Microsoft tokens are usually managed by Microsoft and are not transferrable to 3rd party unless they are…
  • https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/Office365-AuthPoint.html
  • It can hold tokens but if you want it to do PUSH you need to use the SAML integration.
  • What issues have you run into with .local domains? All ".local" domains I have ever used have worked fine with fewer issues than ".com" ones or even sub-domains.
  • The cause is just a public DNS conflict. I never have issues with .local domains. There are 3 fixes: 1st fix (Recommended if you have bandwidth for it): Turn off split tunneling and fully route through VPN. This will force your users to use the internal servers before routing out. 2nd fix: is to manually update the…
  • Is there a roadmap showing what features ARE being worked on? Haven’t seen much changes to the portal other than giving us the ability to do basic troubleshooting lately…
  • I recommend MFAing a VPN connection that then will connect MFA to the term server and having the remote users do that, since their personal machines are more difficult to control. RD Web is a decent solution for this.
  • Requirements are in the documentation: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/logon-app_about.html
  • Nope. The only way around this is to add usernames to the bypass list in the config. Logon app will lock down all accounts with MFA and doesn't work fully with Azure login. It's not recommended for personal computers unless you want your users to go to you when they decide to add another profile (like their kids) to their…
  • I personally don't use TDR anymore. I use EDR (or better yet EPDR) since it is a nicer product and is not nearly as resource intensive.
  • It is cloud only. All new WG WAPs are cloud only and won't be managed by Gateway Wireless Controller. All new WAPs (Models that come out October 2021 and onward) are managed in cloud.watchguard.com. The GWC/ original wireless cloud WAPs are Arista models (Arista bought mojo networks)... the new models are made by WG and…
  • Sounds like something that you’d want an endpoint solution to do (especially as OneDrive and such don’t need vpn to sync )… but I’d be fascinated to see if WG can do this from a security edge appliance. EPDR can kind of do this… but it has a focus on Cybersecurity not productivity monitoring… but if it’s productivity…
  • I am hoping that soon they are going to enable "WatchGuard EndPoint" enforcement (which has agents that work fine on Linux!)
  • I will be surprised if WG will be able to do this... all vpn providers I am aware of don't have this as a feature so! I imagine it has to do with how the default route is programmed. Full tunnel sticks a default route to the VPN, whereas split tunneling as a list of routes to the VPN... to do the 365 piece would require…
  • You mean like this? I would also advise throttling your bandwidth (download/upload) to 95 % on your Inbound (Download speed, internal interface) and outbound (Upload speed, Outgoing interface) interfaces. This will allow you to use QoS markings to prioritize specific traffic like VOIP and such. Have used this trick for…
  • Idk what the use for this would be as you can disable the interface the way James Carson said... If you have management server you can make the change and then roll back after you confirm it is off...
  • I like how current policies work... LOL the easiest thing for this case would be to consolidate the Proxies to the TCP-UDP Proxy. I've begun switching to that myself and it helps consolidate a lot of rules while keeping Auto-Order mode intact so that policies aren't in the wrong place. The only thing that proxy doesn't…
  • If you are fully worried you can always switch AuthPoint to RADIUS and then shut down the cloud integration. That said your portal can be protected with MFA and all data sent there is over 443.... WatchGuard Cloud (specifically Visibility) was created so that servers didn't need to be spun up all the time for firewall logs…
  • It's also advised to open a ticket so that they have a bug/feature request on their official system too.
  • Apparently (according to a long-winded explanation here) if Static NAT works correctly then devices are supposed to receive packets from the firewall: https://serverfault.com/questions/55611/loopback-to-forwarded-public-ip-address-from-local-network-hairpin-nat I couldn't find a way on the firewall to bypass this... have…
  • For the RADIUS (For those who find this post and wonder what to do) you have to use the Authentication Domain. Use this article to understand what they are: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/authentication/auth_domains_manage.html?cshid=15061 Use this article to apply to firewall:…
  • That's why I usually use SSLVPN-Users in AD, and when I sync to AuthPoint I make an AuthPoint group called AuthPoint-Sync that doesn't do anything but Anchor my LDAP groups to AuthPoint and then I use the "Create Group" checkbox in the LDAP group sync configuration. Then you can use your old SSLVPN-Users group and it not…
  • My advice would be to make two groups in your LDAP sync, something like: AuthPoint-LogonApp, AuthPoint-NoLogonApp. Then you build two Authentication policies: One for "AuthPoint-NoLogonApp" that just has the password box checked (This tells AuthPoint to only require password). For the other policy (For AuthPoint-LogonApp) do…
  • All newer devices do the same thing (T40 and bigger, that is); it depends on the size you want. Use this tool to help: https://www.watchguard.com/wgrd-resource-center/watchguard-appliance-sizing-tool Once there you'll be able to open a ticket with WG where they will be able to actually do remote support since the device…
  • I would update to 12.7.2 U2 for all of the random bugs it fixes and to make sure the security hole that was recently disclosed is closed up: https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000SOCGSA4&lang=en_US