Question from smaguire (Canada):
WatchGuard Firewall - Setting up VPN IPSec

Hello,

Does anyone know how to set up a VPN IPSec connection with a WatchGuard X550e?
I've tried to call their tech support, but really they don't know how. They kept telling me "do this, remove that", and they ended up locking me out of my own Firebox!

I think I am close: I am authenticating using Active Directory, and I can see the connection established just fine, but I can't browse anything on the network.

I am using SBS 2003 R2 and firmware 10.0.

Any ideas or step-by-step examples on how to set it up?
Thanks for your help.
dpk_wal (India) replied:

So you wish to configure MUVPN, and you are locked out of the Firebox? Can you provide some details: are you able to get to Policy Manager? If not, then that is the first thing we need to concentrate on; after that we can configure MUVPN for your remote clients.

Please update.

Thank you.
smaguire (asker) replied:

I was able to reset the Firebox and get into my Policy Manager, and I was able to configure the VPN connection for Active Directory, but I don't think it's the proper way; you can correct me if I am wrong:
I can connect using VPN and browse my company folders ONLY if I add my user name as an Active Directory user to the Firebox!!! And this does NOT make sense to me.
If I remove my user name from the Firebox (from Authorized Users or Groups), then I can't establish a connection to the Firebox; if I add it back, I establish a connection. Why is this?
The whole point of AD authentication is that I should be able to authenticate any user in my AD without the need to re-add everyone in my AD to the Firebox, and that's why I think I am doing this right, because it does not make sense to me.
What do you think?
Thanks
dpk_wal replied:

That is the way authentication is configured; you need to add a user/group on the Firebox, specifying the authentication server as AD. If you do not do this, there is no way the WG can know whether it needs to send the request for user/group X to AD or serve it itself.

Please let know if you need more details.

Thank you.
smaguire (asker) replied:

Thanks dpk_wal for your reply.
I am really having a hard time digesting this idea. So if I was to add/remove a user from our AD, it means I have to update the Firebox with the same user? Which means redundancy?
I thought the Firebox would normally check with the AD and see if user XXX (which is being entered) exists in the AD, then grant permission, otherwise deny?
Thanks
dpk_wal replied:

There must be a way for the Firebox to know whether, for a certain user/group, it should contact AD [so we add groups on the Firebox and provide the authentication server as AD]. I would suggest you always use groups instead of users; you can have one single dedicated group, say muvpn-group-for-FB, on AD, and this group can in turn have other groups/users. Now you would not need to change anything in the Firebox configuration when you change access permissions for a single user/group; only on AD.

Hope this helps.

Thank you.
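A worked example of the AD side of that arrangement, added here for illustration; it is not part of dpk_wal's reply or of any WatchGuard documentation. It assumes a domain named example.local, a dedicated group VPN_AD, a user "John Smith" and an existing group "Sales Staff" (all assumed names), and that the group configured on the Firebox with AD as its authentication server is matched against the AD group's sAMAccountName. The commands run on the SBS 2003 domain controller as a Domain Admin; dsadd, dsmod and dsget ship with Windows Server 2003.

```batch
@echo off
REM Added example, not from the original thread. Assumed names: example.local, VPN_AD,
REM "John Smith", "Sales Staff". Run on the SBS 2003 DC as a Domain Admin.

REM 1. Create ONE global security group for the Firebox to reference.
REM    -secgrp yes makes it a security group (a distribution group carries no token).
REM    -samid pins the logon name, which is what the Firebox group name must match.
dsadd group "CN=VPN_AD,CN=Users,DC=example,DC=local" -secgrp yes -scope g ^
    -samid VPN_AD -desc "May authenticate to the Firebox MUVPN"

REM 2. Grant a single user access by AD membership alone; nothing changes on the Firebox.
dsmod group "CN=VPN_AD,CN=Users,DC=example,DC=local" ^
    -addmbr "CN=John Smith,CN=Users,DC=example,DC=local"

REM 3. Nest an existing team group so its members inherit VPN access.
dsmod group "CN=VPN_AD,CN=Users,DC=example,DC=local" ^
    -addmbr "CN=Sales Staff,CN=Users,DC=example,DC=local"

REM 4. Check what a lookup will see for one user: -expand walks nested groups,
REM    without it only DIRECT membership (the memberOf attribute) is listed.
dsget user "CN=John Smith,CN=Users,DC=example,DC=local" -memberof -expand

REM 5. Revoke access: remove the member from the AD group; the Firebox policy is untouched.
dsmod group "CN=VPN_AD,CN=Users,DC=example,DC=local" ^
    -rmmbr "CN=John Smith,CN=Users,DC=example,DC=local"
```

One check worth doing before relying on nested groups: the AD memberOf attribute lists only direct membership, so an authentication server that evaluates memberOf rather than expanding groups will not see a user who reaches VPN_AD through "Sales Staff". Compare the output of step 4 with and without -expand, then test a login for a nested-only user; if it fails, add those users to VPN_AD directly.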
smaguire (asker) replied:

OK, so if I follow you correctly, then when I first made the Firebox VPN policy it was set up with a group, say VPN_AD. If I leave this group on the policy instead of adding users, then I need to add a group to AD on my server with the same name, VPN_AD? Then add this as a security group to those domain users I want to allow access to VPN? I'm sure when adding the security group on AD I will run into more issues with the specific settings and permissions of the group; any chance a canned document exists with step-by-step instructions for doing this?
Thanks
ASKER CERTIFIED SOLUTION
dpk_wal (India)