So, we tend to use Firebox (http://www.watchguard.com) firewall appliances quite a bit at the company I work for.  When I first started this job, I was very skeptical of their abilities, but I focused more on the server side of things and not routing or advanced firewalling.  Lately, though, I have been forced to become more familiar with them and I must say, I like them more and more all the time.  One of the most used features of the Watchguards is their Mobile User VPN.  Well, I never before messed with AD authentication in the Firebox; I always just set up users in the FireboxDB.  I also found out that licensing for SSL VPN users is 20:1 to MUVPN users… way more bang for your buck.  SSL VPN only works (to my knowledge) with 750 or higher models, basically anything using WSM.  Here’s a quick little tutorial:

Once connected to your Firebox, open the Policy Manager.

First, we need to set up AD authentication.  Go to Setup > Authentication > Authentication Servers.  Go to the Active Directory tab and check Enable Active Directory server.  Put in the IP of a domain controller in your environment.  This DC MUST be a global catalog server.  Set the port to 3286 (GC port).  Search Base must be in the format dc=business,dc=local (for AD domain business.local).  You should be done here; there are other optional settings and you can configure a secondary DC to use, but this will work for now.  Just copy these settings over for the secondary.  Click OK and go back to the Policy Manager.

[screenshot: ad]

At the top, go to the VPN menu > Mobile > SSL

Select the box to Activate SSL VPN, then choose authentication type.  For this snippet, I am only doing Active Directory authentication because I find it the most useful for my clients.

Next, put in your public IP/domain name in the box that says “Please type or select IP or domain name for SSL VPN users to connect to”.  If you have multiple external IPs assigned to this device, you can do a backup, but that’s personal preference and I don’t see too much of an advantage since they are most likely in the same WAN block from the same ISP.

Then, just select the resources they will have access to and the IPs they will be using.  The VPN users’ IPs should not be on the same subnet as your internal networks (trusted, optional, or any others).
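The subnet rule above is easy to get wrong when the client pool is carved out of an existing range, so here is a small overlap check as an added example (not code from the original post or from WatchGuard). All CIDR values in it are constructed sample data; substitute the pool you chose in the SSL VPN dialog and your trusted/optional networks.

```powershell
# Added example, not from the original post: a quick overlap check between the
# SSL VPN client address pool and the Firebox's internal networks. All CIDR
# values below are constructed sample data; substitute your own.

function ConvertTo-IpInteger {
    # Convert a dotted IPv4 address to its integer value (as [long] to avoid sign issues).
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                     # network byte order -> little-endian
    return [long][BitConverter]::ToUInt32($bytes, 0)
}

function Get-SubnetRange {
    # Return the first and last address of a CIDR block as integers.
    param([string]$Cidr)
    $address, $prefix = $Cidr -split '/'
    $prefix   = [int]$prefix
    $hostBits = 32 - $prefix
    $mask  = [long]4294967296 - [long][math]::Pow(2, $hostBits)   # e.g. /24 -> 0xFFFFFF00
    $first = (ConvertTo-IpInteger $address) -band $mask
    $last  = $first + ([long][math]::Pow(2, $hostBits) - 1)
    [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = $last }
}

function Test-SubnetOverlap {
    # True when the two CIDR blocks share at least one address.
    param([string]$A, [string]$B)
    $ra = Get-SubnetRange $A
    $rb = Get-SubnetRange $B
    return ($ra.First -le $rb.Last) -and ($rb.First -le $ra.Last)
}

# Constructed sample values: one VPN pool and three internal networks,
# the last of which deliberately overlaps the pool.
$VpnPool  = '192.168.113.0/24'
$Internal = @('192.168.1.0/24', '10.10.0.0/16', '192.168.113.128/25')

foreach ($net in $Internal) {
    if (Test-SubnetOverlap $VpnPool $net) {
        Write-Warning "VPN pool $VpnPool overlaps internal network $net - choose a different pool"
    } else {
        Write-Output "OK: $VpnPool does not overlap $net"
    }
}
```

Run it before committing the configuration; with the sample data it reports the first two networks as OK and warns on the third, which is exactly the situation that produces unreachable hosts and confusing routing once clients connect.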

[screenshot: vpn]

In the Advanced tab, choose your encryption (I use SHA1-3DES since it is the most secure, but a little lower speed).

Here is one thing to note.  I always change the Port to 444.  No matter where I go, port 443 (default SSL) is already in use.  Changing this helps prevent conflicts.  I can’t think of anything that uses 444 by default off the top of my head and I haven’t seen any conflicts, yet.

For DNS and WINS servers, be sure you use your AD domain name (i.e. business.local) and at least one DC for the DNS (preferably the same as the one from authentication).

[screenshot: ssl2]

Click OK.  Go ahead and save the configuration changes to the Firebox and you’re done as far as configuration goes.  For users to connect, they will need to download a small client (don’t worry, it’s tiny and it’s easier for an idiot to get than Google Toolbar) from https://yourpublicipordomain.com:4100/sslvpn.html.  They will need to use their AD information to log into this site.  They will be prompted to download a Windows client or Mac client.  Yes, this works with Windows 2000, XP, Vista, 7 beta, OS X 10.x.  At least, it has for me; I’m not sure what Watchguard is claiming.  Anyway, once it’s downloaded, the client sits in the task bar and, when clicked, will pop up a username/password screen.  AD information will log them in and you don’t have to worry.  If it ever starts having issues, or Watchguard updates the firmware for your Firebox (which they’re always doing) and it causes an issue, the fix is designed to be simple: go back and re-download/install the client.  No uninstalls or tweaks.

Hope this helps someone out there.

updated 4/16:  FYI, the SSL VPN client is not compatible with any 64-bit OSes.

updated 5/14 CRITICAL NOTE:

I forgot to put an absolutely critical key step into this and I apologize to all.  Watchguard, by default, looks for a security group in AD to approve users.  In AD, go to security groups and add a group “SSLVPN-Users”.  Then add whoever will be using the VPN to the group; if it is everyone, then just add Domain Users.
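Both the authentication-server step above (global catalog DC, dc=…,dc=… search base) and this group step are done by hand in the post, so here is the AD side as an added PowerShell example (not from the original post or from WatchGuard). It needs the ActiveDirectory module from RSAT and rights to create groups; the DC name dc01.business.local and the account names are assumed sample values.

```powershell
# Added example, not from the original post. Creates the security group the
# Firebox expects and sanity-checks the DC used for authentication. Requires the
# ActiveDirectory module (RSAT / AD DS tools) and rights to create groups.
# dc01.business.local and the account names are assumed sample values.
Import-Module ActiveDirectory

$GroupName = 'SSLVPN-Users'            # group name the Firebox looks for, per the post
$AuthDc    = 'dc01.business.local'     # DC entered under Authentication Servers (assumed)
$VpnUsers  = @('jsmith', 'adoe')       # constructed sample sAMAccountNames

# 1. The DC the Firebox queries must be a global catalog server.
$dc = Get-ADDomainController -Identity $AuthDc
if (-not $dc.IsGlobalCatalog) {
    throw "$($dc.HostName) is not a global catalog; point the Firebox at a DC that is."
}

# 2. The search base must be the domain's DN in dc=...,dc=... form; read it
#    from AD rather than typing it so it matches exactly.
$domain = Get-ADDomain
Write-Output "Search base for Policy Manager: $($domain.DistinguishedName)"

# 3. Create SSLVPN-Users as a global security group if it is missing.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path "CN=Users,$($domain.DistinguishedName)" `
                         -Description 'Members may authenticate to the Firebox SSL VPN' `
                         -PassThru
}

# 4. Add the VPN users. To let everyone in, as the post suggests, nest the
#    built-in group instead: Add-ADGroupMember -Identity $group -Members 'Domain Users'
Add-ADGroupMember -Identity $group -Members $VpnUsers

# 5. Verify membership before telling users to connect.
Get-ADGroupMember -Identity $group | Select-Object Name, SamAccountName, objectClass
```

Keeping the group narrow and reviewing its membership with the last line is the cheap control here: anyone in SSLVPN-Users with a valid AD password gets a tunnel into the trusted network, so treat changes to that group the way you would treat changes to Domain Admins.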

[screenshot: secgroupadd]