  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1671

WatchGuard Firewall - Setting up VPN IPSec

Hello,

Does anyone know how to set up a VPN IPsec connection with a WatchGuard X550e?
I've tried to call their tech support, but really they don't know how. They kept on telling me "do this, remove that" and they ended up locking me out of my own Firebox!

I think I am close. I am authenticating using Active Directory, and I can see the connection established just fine, but I can't browse anything on the network.

I am using SBS 2003 R2 and firmware 10.0.

Any ideas or step-by-step examples on how to set it up?
Thanks for your help
Asked by: smaguire
dpk_wal Commented:
So you wish to configure MUVPN, and you are locked out of the Firebox? Can you provide some details on whether you are able to get to Policy Manager? If not, then that is the first thing we would need to concentrate on; after that we can configure MUVPN for your remote clients.

Please update.

Thank you.
 
smaguire Author Commented:
I was able to reset the Firebox and get into my Policy Manager, and I was able to configure the VPN connection for Active Directory, but I don't think it's the proper way. You can correct me if I am wrong:
I can connect using VPN and browse my company folders ONLY if I add my user name as an Active Directory user to the Firebox!!! And this does NOT make sense to me.
If I remove my user name from the Firebox (from Authorized User or Group) then I can't establish a connection to the Firebox; if I add it back on, I establish a connection. Why is this?
The whole point of AD authentication is that I should be able to authenticate any user in my AD without the need to re-add everyone in my AD to the Firebox! And that's why I think I am doing this right, because it does not make sense to me.
What do you think?
Thanks
 
dpk_wal Commented:
That is the way authentication is configured; you need to add a user/group on the Firebox specifying the authentication server as AD. If you do not do this, there is no way the WG can know whether it needs to send the request for user/group x to AD or serve it itself.

Please let me know if you need more details.

Thank you.
smaguire Author Commented:
Thanks dpk_wal for your reply,
I am really having a hard time digesting this idea. So if I were to add/remove a user from our AD, it means I have to update the Firebox with the same user? Which means redundancy?
I thought the Firebox would normally check with the AD and see if user XXX (which is being entered) exists in the AD, then grant permission, otherwise deny?
Thanks
 
dpk_wal Commented:
There must be a way for the Firebox to know if, for a certain user/group, it should contact AD [so we add a group on the Firebox and provide the authentication server as AD]. I would suggest you always use groups instead of users; you can have one single dedicated group, say muvpn-group-for-FB, on AD; this group can in turn have other groups/users. Now you would need to change anything on the Firebox configuration when you change access permissions for a single user/group; only on AD.

Hope this helps.

Thank you.
 
smaguire Author Commented:
Ok, so if I follow you correctly, then when I first made the Firebox VPN policy it was set up with a group, say VPN_AD. If I leave this group on the policy instead of adding users, then I need to add a group to AD on my server with the same name, VPN_AD? Then add this as a security group to those domain users I want to allow access to the VPN? I'm sure when adding the security group on AD I will run into more issues with the specific settings and permissions of the group. Any chance a canned document exists with step-by-step instructions for doing this?
Thanks
 
dpk_wal Commented:
You are correct, that is how you can implement it. Sorry, but I am not the best of experts with server-side configuration and would not be able to assist you with the same.

Here is one of the articles which can help with WG-relevant things on AD:
http://www.watchguard.com/support/faqs/fireware/90/howto_findadsearchbase.htm

Please note that to view the above document you must have an active WG website login.

Thank you.
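The server-side part that dpk_wal's answer and smaguire's follow-up describe (a dedicated AD security group that the Firebox policy references, with other groups nested inside it), as an added example that is not from the thread or from WatchGuard. It uses the dsadd/dsmod/dsget/dsquery tools that ship with Windows Server 2003; the domain DN, OU, nested group and user name are constructed placeholders, and the search-base line assumes the domain DN is what the Firebox AD server setting expects.

```batch
@echo off
REM Added example (not from the thread). Creates the AD group that the Firebox
REM MUVPN policy references, nests an existing group in it, and verifies the
REM expanded membership. All DNs and names below are constructed placeholders.
setlocal
set DOMAIN_DN=DC=example,DC=local
set GROUP_DN=CN=VPN_AD,OU=Security Groups,%DOMAIN_DN%
set NESTED_DN=CN=Sales,OU=Security Groups,%DOMAIN_DN%

REM 1. Create VPN_AD as a global security group. The name must match the
REM    group added on the Firebox whose authentication server is set to AD.
dsadd group "%GROUP_DN%" -secgrp yes -scope g -desc "Members may connect via Firebox MUVPN"

REM 2. Add members: one user looked up by logon name, plus an existing group,
REM    so day-to-day access changes happen only in AD, never on the Firebox.
for /f "delims=" %%U in ('dsquery user -samid smaguire') do dsmod group "%GROUP_DN%" -addmbr %%U
dsmod group "%GROUP_DN%" -addmbr "%NESTED_DN%"

REM 3. Verify the effective (expanded) membership; this is the membership the
REM    Firebox group check relies on when it queries AD.
dsget group "%GROUP_DN%" -members -expand

REM 4. Firebox side: the AD authentication server in Policy Manager needs the
REM    search base for this domain (assumed here to be the domain DN).
echo Search base for the Firebox AD server setting: %DOMAIN_DN%
endlocal
```

Run it once on the SBS domain controller as a domain admin; re-running step 1 fails harmlessly because the group already exists.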