WatchGuard Firewall - Setting up VPN IPSec

hello,

Does anyone know how to set up a VPN IPSec connection with a WatchGuard X550e?
I've tried to call their tech support, but really they don't know how. They kept on telling me "do this, remove that", and they ended up locking me out of my own Firebox!

I think I am close. I am authenticating using Active Directory, and I can see the connection established just fine, but I can't browse anything on the network.

I am using SBS 2003 R2 and firmware 10.0.

Any ideas or step-by-step examples on how to set it up?
Thanks for your help
smaguireAsked:

dpk_walCommented:
So you wish to configure MUVPN, and you are locked out of the Firebox? Can you provide some details? If you are able to get to Policy Manager, fine; if not, then that is the first thing we would need to concentrate on. After that we can configure MUVPN for your remote clients.

Please update.

Thank you.
0
smaguireAuthor Commented:
I was able to reset the Firebox and get into my Policy Manager, and I was able to configure the VPN connection for Active Directory, but I don't think it's the proper way; you can correct me if I am wrong:
I can connect using VPN and browse my company folders ONLY if I add my user name as an Active Directory user to the Firebox!!! And this does NOT make sense to me.
If I remove my user name from the Firebox (from Authorized Users or Groups), then I can't establish a connection to the Firebox; if I add it back, I establish a connection. Why is this?
The whole point of AD authentication is that I should be able to authenticate any user in my AD without the need to re-add everyone in my AD to the Firebox! And that's why I don't think I am doing this right, because it does not make sense to me.
What do you think?
Thanks
0
dpk_walCommented:
That is the way authentication is configured: you need to add a user/group on the Firebox specifying the authentication server as AD. If you do not do this, there is no way the WG can know whether it needs to send the request for user/group x to AD or serve it itself.

Please let know if you need more details.

Thank you.
0

smaguireAuthor Commented:
Thanks dpk_wal for your reply.
I am really having a hard time digesting this idea. So if I were to add/remove a user from our AD, it means I have to update the Firebox with the same user? Which means redundancy?
I thought the Firebox would normally check with the AD and see if user XXX (which is being entered) exists in the AD, then grant permission, otherwise deny?
Thanks
0
dpk_walCommented:
There must be a way for the Firebox to know, for a certain user/group, whether it should contact AD [so we add a group on the Firebox and provide the authentication server as AD]. I would suggest you always use groups instead of users; you can have one single dedicated group, say muvpn-group-for-FB, on AD; this group can in turn have other groups/users. Now you would need to change anything on the Firebox configuration when you change access permissions for a single user/group; only on AD.

Hope this helps.

Thank you.
0
smaguireAuthor Commented:
Ok, so if I follow you correctly, then when I first made the Firebox VPN policy it was set up with a group, say VPN_AD. If I leave this group on the policy instead of adding users, then I need to add a group to AD on my server with the same name, VPN_AD? Then add this as a security group to those domain users I want to allow access to VPN? I'm sure when adding the security group on AD I will run into more issues with the specific settings and permissions of the group. Any chance a canned document exists with step-by-step instructions for doing this?
Thanks
0
dpk_walCommented:
You are correct, that is how you can implement it. Sorry, but I am not the best of experts with server-side configuration and would not be able to assist you with the same.

Here is one of the articles which can help with WG-relevant things on AD:
http://www.watchguard.com/support/faqs/fireware/90/howto_findadsearchbase.htm

Please note that to view the above document you must have an active WG website login.

Thank you.
0
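The decision logic dpk_wal describes (the Firebox only forwards a login to AD when the user, or a group the user is in, is listed on the Firebox with AD as its authentication server, and then AD alone decides who is in the group) can be modelled to see why per-user entries force duplication while one group entry does not. The following Python is an added illustration written for this thread, not WatchGuard code or an actual Fireware API; the directory, users, passwords and the group names VPN_AD and Sales are constructed sample data.

```python
"""Model of the two-step MUVPN authorization described in the thread.

Step 1 happens on the Firebox: is the user, or any group the user belongs
to, an Authorized Users/Groups entry whose authentication server is AD?
Step 2 happens on AD: are the credentials valid?
Access requires both, so membership can be managed purely in AD once a
single group entry exists on the Firebox.
"""
from dataclasses import dataclass, field

# Constructed sample directory (not a real domain): group -> direct members,
# where a member may itself be a group (nested membership).
AD_GROUPS = {
    "VPN_AD": {"Sales", "alice"},
    "Sales": {"bob", "carol"},
    "Domain Users": {"alice", "bob", "carol", "dave"},
}
# Constructed sample credentials.
AD_USERS = {"alice": "pw-a", "bob": "pw-b", "carol": "pw-c", "dave": "pw-d"}


def transitive_groups(user, groups=AD_GROUPS):
    """Return every group the user belongs to, following nested groups."""
    result = set()
    changed = True
    while changed:
        changed = False
        for name, members in groups.items():
            if name in result:
                continue
            # Direct member, or member of a group already resolved.
            if user in members or members & result:
                result.add(name)
                changed = True
    return result


def ad_authenticate(user, password, users=AD_USERS):
    """Stand-in for the credential check the Firebox forwards to AD."""
    return users.get(user) == password


@dataclass
class Firebox:
    # Authorized Users/Groups entries: name -> authentication server.
    authorized: dict = field(default_factory=dict)

    def vpn_login(self, user, password):
        """Return (allowed, reason) for a MUVPN login attempt."""
        candidates = {user} | transitive_groups(user)
        ad_entries = sorted(n for n in candidates
                            if self.authorized.get(n) == "AD")
        if not ad_entries:
            # Nothing tells the Firebox to ask AD about this user.
            return False, "no Firebox entry for user or group with AD as auth server"
        if not ad_authenticate(user, password):
            return False, "AD rejected credentials"
        return True, "authorized via " + ", ".join(ad_entries)


if __name__ == "__main__":
    per_user = Firebox({"alice": "AD"})         # the asker's original setup
    per_group = Firebox({"VPN_AD": "AD"})       # dpk_wal's recommendation
    for fb, label in ((per_user, "per-user"), (per_group, "per-group")):
        for u in ("alice", "bob", "dave"):
            print(label, u, fb.vpn_login(u, AD_USERS[u]))
```

With only "alice" on the Firebox, bob is refused before AD is ever consulted, which is the behaviour the asker saw. With the single VPN_AD entry, bob is admitted through the nested Sales group and dave, who is only in Domain Users, is still refused, so adding or removing VPN access is done by changing group membership in AD alone.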