-
Watchguard V10.0 - page 1
W atchGuard®Mobile VPN with IPSec Administrator Guide W atchGuard Mobile VPN v10.0 R evised: November 28, 2007 ...
-
Watchguard V10.0 - page 2
ii Mobile User VPN ADDRESS: 505 Fifth Avenue South Suite 500 Seattle, W A 98104 SUPPORT : www .w atchguard.com/suppor t U.S. and Canada +877.232.3531 All Other Countries +1.206.521.3575 SALES: U.S. and Canada +1.800.734.9905 All Other Countries +1.206.613.0895 ABOUT WA TCHGUARD WatchGuard is a leading provider of networ k security solutions for sma ...
-
Watchguard V10.0 - page 3
Administrator Guide 1 1 Configure the Firebox X Edge to use Mobile VPN with IPSec The W atchGuard® Mobi le VPN with IPSec clien t is a software applica tion that is ins talled on a r emote computer . The client makes a secur e connection from the remote c omputer to your pr otected network through an unsecured network. The Mobile VPN client uses I ...
-
Watchguard V10.0 - page 4
Enabling Mobil e VPN for a Firebox User Account 2 Mobile User VPN The F irebox X Edge creates a .wgx file for a user when a Fir ebox user ’ s account is configured for Mobile VPN, as described in this chapter . If you want to lock the profiles for mobile users by making them read- only , see “C onfiguring Global Mobile VPN Client Settings” on ...
-
Watchguard V10.0 - page 5
Administrator Guide 3 Configur ing Global Mobi le VPN Client Settings 10 Set MUVPN key exp iration in kilobytes and/or ho urs. The default val ues are 8192 KB and 24 hours. T o remov e a size and/or time ex piration, set the v alue to zer o (0). 11 Make su re the VPN Client T ype drop- down list i s set to Mobile User . This is true whether you use ...
-
Watchguard V10.0 - page 6
Distributing the Software and Profiles 4 Mobile User VPN 1 Y ou can choose to make the .wgx file read-only so that t he user cannot change the secu rity polic y file. T o do this, select the Make the MUVPN client security policy read- only check box. 2 Mobile VPN clients use shared Windows Internet Naming Service ( WINS) and Domain Name Syst em (DN ...
-
Watchguard V10.0 - page 7
Administrator Guide 5 Distributing the Softwar e and Profiles • The end-user p rofile This file contains the user name, shared key , and settings that enable a remote comput er to connect securely over the Internet to a protected, private computer network . F or information on how to get the profile fr om the Edge, see “ Get the user’ s .wgx ...
-
Watchguard V10.0 - page 8
Distributing the Software and Profiles 6 Mobile User VPN ...
-
Watchguard V10.0 - page 9
Administrator Guide 7 2 Using Fireware Policy Manager to Configure Mobile VPN with IPSec The W atchGuard® Mobi le VPN with IPSec clien t is a software applica tion that is ins talled on a r emote computer . The client makes a secur e connection from the remote c omputer to your pr otected network through an unsecured network. The Mobile VPN client ...
-
Watchguard V10.0 - page 10
About Mobile VPN Client Configuration Files 8 Mobile User VPN About Mobile VPN Client Configuration Files With Mobile VPN with IPSec, the network security administrator contr ols end-user profiles. P olicy Man- ager is used to set the name of the end user and create a client c onfiguration f ile, or pr ofile, with the file extension .wgx. The .wgx ...
-
Watchguard V10.0 - page 11
Administrator Guide 9 Configuring the Firebox for Mobile VPN 3 Use the instruc tions provided here to go through each screen of the wizard. Click Ne xt after each step . 4 Select a user aut hentica tion server Select an authentication ser ver from the Authentication Server drop-d own list. Y ou can authenticat e users with the internal F irebo x da ...
-
Watchguard V10.0 - page 12
Configuring the Firebox for Mobile VPN 10 Mobile User VPN 6 Direct the flow of Internet traffic: Select an option for Internet tr affic . Y ou can allow all Internet traffic between th e Mobile VPN client and the I nte rnet to use the ISP of the client, or you can make all Internet traffic use th e VPN tunnel. If you choose to force all Internet tr ...
-
Watchguard V10.0 - page 13
Administrator Guide 11 Configuring the Firebox for Mobile VPN 8 Create the virtual IP address pool: Click Add to add one IP address or an IP address r ange. Repeat this step to add more virtua l IP addresses. Mobile VPN users will be assigned one of these IP a d d re ss e s wh e n th e y co n n ec t to y ou r n et w o rk . The number of IP addresse ...
-
Watchguard V10.0 - page 14
Modifying an Existing Mobile VPN Profile 12 Mobile User VPN Adding Users to a Firebox Mobile VPN Group T o create an Mobile VPN tunnel with the Firebo x, remote users type t heir user name and p assword to authenticate. W atchGuard® Sy stem Mana ger soft ware uses this information to authenticate the user to the Fir ebox®. T o authenticate, users ...
-
Watchguard V10.0 - page 15
Administrator Guide 13 Modifying an Existing Mobile VPN Profile 3 Click Edit . The Edit MUVPN Extended Authentication Group dialog box appears. Use the following fields to edit the gr oup profile: Authentication Server Select the authentication ser ver to use for this Mobile VPN group . T o configure y our authentication ser ver , selec t Setup > ...
-
Watchguard V10.0 - page 16
Modifying an Existing Mobile VPN Profile 14 Mobile User VPN timeouts for the Mobile VPN group are always ignored because you set timeouts in the individual F irebox user ac counts. The session and idle timeouts cannot be longer than the value in th e SA Life field. T o se t this field, from the IPSec T unnel tab of the Edit MUVPN Extended Authentic ...
-
Watchguard V10.0 - page 17
Administrator Guide 15 Modifying an Existing Mobile VPN Profile Phase2 Settings Select the proposal and key expiration sett ings for the Mobile VPN tunnel. Y o u can also enable P er fect Forward Secrecy (PFS) or set the Diffie -Hellman group. T o change other proposal settings, click the Proposal button, and see the procedure de scribed in “Defi ...
-
Watchguard V10.0 - page 18
Modifying an Existing Mobile VPN Profile 16 Mobile User VPN Defining advanced Phase 1 settings T o define advanced Phase 1 set tings for an Mobile VPN user profile: 1 Fro m t h e IPS ec T unnel ta b of the Edit MUVPN Ex tended Authent ication Group dialog box, select Adva nced . The Phase1 Advanced Settings dialog box appears. 2 T o change the SA ( ...
-
Watchguard V10.0 - page 19
Administrator Guide 17 Configuring WINS and DNS Servers 2 Fro m t h e Ty p e drop- down list, select ESP or AH as the proposal method. Only ESP is supported at this time. 3 Fro m t h e Authentication drop-down list, selec t SHA1 or MD5 for t he authentication method . 4 Fro m t h e Encr yption drop- down list, select the encryption method. The opti ...
-
Watchguard V10.0 - page 20
Locking Down an End-User Profile 18 Mobile User VPN Locking Down an End-User Profile Y ou can use the advanced se ttings to lock down th e end-user profile so that users can see some set- tings but not change them, and hide other settings so that users cannot change them. W e recommend that you lock down all pr ofiles so that users cannot make chan ...
-
Watchguard V10.0 - page 21
Administrator Guide 19 Configuring Policies to Filter Mobile VPN T raffic Configuring Policies to Filter Mobile VPN T raffic In a default configuration, Mobile VPN with I PSec users have full access privileges through a F irebox®, with the Any policy . T o put limits on Mobile VPN users, you must add policies to the MUVPN tab in Po l i c y M an a ...
-
Watchguard V10.0 - page 22
Re-creating E nd-User Profiles 20 Mobile User VPN Under MUVPN Group , Po lic y Manager display s the authentication se r ver , in parentheses , for the Mobil e VPN g roup . Using the Any Policy The Any policy i s added to all Mobi le VPN user groups by def ault. The Any polic y allows traffic on all por ts and protocols between the Mobile VPN user ...
-
Watchguard V10.0 - page 23
Administrator Guide 21 Distributing the Softwar e and Profiles Distributing the Sof tware and Profiles W atchGuard® r ecommends distrib uting end-user profiles by encrypted email or with som e other secure method. Each client computer must hav e: • Soft ware installation pack age The packages are locat ed on the W atchGuard LiveSecurity® Ser vi ...
-
Watchguard V10.0 - page 24
Additional Mobile VPN T opics 22 Mobile User VPN T erminating IPSec connections T o fully stop VPN connections, the F irebo x must be restarted. Removing the IPSec polic y does not stop current connections. Global VPN settings Global VPN settings on your F irebo x apply to al l manual BOVPN tunnels, managed tunnels, and Mobile VPN tunnels. Y ou can ...
-
Watchguard V10.0 - page 25
Administrator Guide 23 3 Mobile VPN Client Inst allation and Connection The W at chGuard® Mobile VPN with IPSec client is installed on an em ployee computer , whether the employee travels or works from home. The employee uses a standard Internet connectio n and acti- vates the Mobil e VPN client. The Mobile VP N client then creates an encr ypted t ...
-
Watchguard V10.0 - page 26
Installing the Mobile VPN with IPSec Client 24 Mobile User VPN > W indows F irewall > Change Settings > Exceptions ) for UDP port 4500. This will enable Mobile VPN keep -alive packets from the F irebo x® to reach your client and keep the VPN tunnel up. • W e recommend that you check to make sure all available ser vice packs are installe ...
-
Watchguard V10.0 - page 27
Administrator Guide 25 Installing the Mobile VPN with IPSec Client Importing the end-user profile When the co mputer restarts, the W at chGuard Mobile VPN C onnection Monitor dialog box opens. When the soft ware starts for the first time after you install it, you get this message: There is no profile for the VPN dial-up! Do you want to use the Conf ...
-
Watchguard V10.0 - page 28
Connecting the Mobile VPN Client 26 Mobile User VPN If the password you use is y our password on an Active Directory or LDAP server and you choose to store it, the password becomes inv alid when it changes on the authentic ation server . 7 Click Fin is h . The computer is now r eady to use Mobile VPN with IPSec. Selecting a certificate and entering ...
-
Watchguard V10.0 - page 29
Administrator Guide 27 Connecting the Mobile VPN Client Star t your connection to the I nternet through a Dial-Up Net working connection or LAN connection. Then, use the instructions below or select your prof ile, c onnect, and disconnec t by right-click ing the Mobile VPN icon on your W indows toolbar . 1 F rom your Wi ndows desktop , select Start ...
-
Watchguard V10.0 - page 30
Seeing Mobile VPN Log Messages 28 Mobile User VPN 4 Use the Connection Mode drop- down list to set the connec tion behavior you want f or this profile. - Manual - When you select manual connection mode, the cl ient does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. T o restart the VPN tunnel, you must click the Con n ...
-
Watchguard V10.0 - page 31
Administrator Guide 29 Securing Y our Computer with the Mobile VPN Firewall Securing Y our Computer with the Mobile VPN Firewall The W at chGuard® Mobile VPN with IPSec cl ient in cludes two fir ewall compone nts: Link firew all The link firewall is not enabled b y default. When the link firewall is enabled, your computer will discard any packets ...
-
Watchguard V10.0 - page 32
Securing Y our Computer with the Mobile VPN Firewall 30 Mobile User VPN 4 Fro m t h e Stateful Inspection drop-down list, select when connected or always . If y ou s ele ct when connected , the link fir ewall operat es only when the VPN tunnel is active f or this profile. If y ou s ele ct alway s , the link firewall is always active , whether the V ...
-
Watchguard V10.0 - page 33
Administrator Guide 31 Securing Y our Computer with the Mobile VPN Firewall 3 Define friendly net works and create firewall rules as descr ibed in the subse quent sec tions. Defining friendly networks Use the Friendly Netw orks tab to define sp ecific k nown networks for which you want to generate a firewall r ule set. For ex ample, if you want to ...
-
Watchguard V10.0 - page 34
Securing Y our Computer with the Mobile VPN Firewall 32 Mobile User VPN T o create a rule, click New . Use the four tabs in the Fir ew a l l R u l e En t r y dialog box to define the traffi c you want to control. Each tab is described below. General tab On the Gener al tab, you define the basic proper ties of your rule. Rule Name T ype a descriptiv ...
-
Watchguard V10.0 - page 35
Administrator Guide 33 Securing Y our Computer with the Mobile VPN Firewall Loc al t ab Use the Local tab to define the local IP address and ports that are controlled by this rule, if any . We rec- ommend that, in any rule, you configure the Local IP Addr esses setting to enable the Any IP address radio button. If you are configur ing an incoming p ...
-
Watchguard V10.0 - page 36
Securing Y our Computer with the Mobile VPN Firewall 34 Mobile User VPN Remote tab Use the Remote tab to define the remote IP address or addr esses and ports that are controlled by this rule, if any . For example, if your firewa ll is set to deny all traffic and you want to create a rule to allow outgoing POP3 con nections, you would add th e IP ad ...
-
Watchguard V10.0 - page 37
Administrator Guide 35 Securing Y our Computer with the Mobile VPN Firewall ...
-
Watchguard V10.0 - page 38
Securing Y our Computer with the Mobile VPN Firewall 36 Mobile User VPN ...
Watchguard V10.0についてご質問がありますか?
次のフォームを使用してください
見つけた説明書を読んでもWatchguard V10.0の問題を解決できない場合、下記のフォームを使用して質問をしましょう。ユーザーのどなたかがWatchguard V10.0で同様の問題を抱えていた場合、その解決方法を共有したいと考えるかもしれません。