WatchGuard VPN Connection Setup

This question is a continuation of this question:

We created a group on our server, "VPN_AD", and assigned some users to it. We can authenticate just fine; however, even users outside this VPN_AD group and other Active Directory users can still authenticate as well.

Is there any way to limit access to only those users in the VPN_AD group?


smaguireAuthor Commented:
There must be something easy to let the Firebox know that if user XXX is not part of the VPN_AD group, then simply reject his/her connection and don't let them authenticate.
Anyone know?

If the user you have configured is not part of the VPN group, then he would not get authenticated; typically this is what should happen. Let's say on AD you have group VPN_AD with users a and b as the only members.
Now a third user c connects to the VPN; the Firebox sends the details for c to AD, and as c is not part of the VPN_AD group, AD sends a reject, and the Firebox would deny any further access to the user. The point to understand here is that if for some reason AD sends allow or accept, then the FB would allow user c.
Finally, in the policy which is created to allow access to remote users, again if AD says allow, that policy would be used to grant remote users access to the shared resources.

Please check what response is sent by AD to the FB; you can enable logging and you will be able to see the logs at runtime in Firebox System Manager.

As I already told you, I would not be able to assist you with AD configuration or settings.

Thank you.
smaguireAuthor Commented:
Thanks dpk_wal for your reply.
I understand your answer and it's logical, but the problem I am facing (I think) is within the Firebox itself and not with AD. The Firebox is authenticating against all users in AD and not a group within AD, so this makes me believe that I am either missing something like adding a MemberOf string or something like that.
It looks to us that every time we enter a user, the FB grabs its user name and password and passes them to AD saying "here is a user I have and I want to know if he/she is an Active Directory user or not?"
Checking the logs, everything is being granted access within Active Directory regardless of its group.
Thanks again

Did you upload the settings file on the client again after you made changes to the Firebox? Every time you make a change, the client either needs to be updated manually or you need to take the wgx file and reload it.

Normally, if the user is not part of the group (which should be the same on both AD and the Firebox), then AD sends a deny.

Thank you.
smaguireAuthor Commented:
Yes, I did, but the Firebox still authenticates it. I think I have to talk to WatchGuard and see what they think.
smaguireAuthor Commented:
It seems the AD authentication checks to see if the user exists in AD for a successful authentication. What we want to do is to check to see if a user is a member of a security group in AD not if they exist. I'm not sure if this is possible with the AD interface in the Watchguard. We realize we can search a specific directory location in AD but this does not help us as our users already have a structure which we cannot modify to place users in a VPN ALLOWED folder. The Group String is interesting because what we really want to query is something like memberOf = Mobile Users.

Have you ever seen this type of configuration done?
Sorry, but I'm not sure; I have never set up AD myself. I always had someone else who understood the workings of AD set it up; my job has always been to configure the firewall. Systems have always been taken care of by others.

Maybe some other expert with expertise in Windows AD would be able to comment and help you further.
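Added example, written for this page and not taken from the thread or from WatchGuard's product, to show in code the distinction smaguire draws above: "does this account exist in AD and is the password valid?" versus "is this account a member of VPN_AD?". Everything here is constructed: an in-memory stand-in for the directory (users a, b, c, d and the groups VPN_AD and Mobile Users, using AD-style sAMAccountName, memberOf and member attributes), a simulated bind in place of a real LDAP bind, and two policy functions. The first accepts any valid AD account, which is the behaviour reported in the thread; the second also requires group membership. The example goes one step beyond the thread by resolving nested group membership, since AD groups can contain other groups. Whether the Firebox Group String performs this membership check is not settled in the thread; the example only shows what the gateway's decision logic has to do.

```python
"""Authentication (valid AD credentials) is not authorization (member of VPN_AD).
Added example with a constructed in-memory directory; nothing here talks to a real AD."""
from typing import Dict, List, Optional, Set

# Constructed sample data shaped like AD attributes. Passwords are stored in
# plaintext here only so the simulated bind has something to compare against.
USERS: Dict[str, dict] = {
    "CN=a,OU=Staff,DC=example,DC=local": {
        "sAMAccountName": "a", "password": "pw-a",
        "memberOf": ["CN=VPN_AD,OU=Groups,DC=example,DC=local"]},
    "CN=b,OU=Staff,DC=example,DC=local": {
        "sAMAccountName": "b", "password": "pw-b",
        "memberOf": ["CN=VPN_AD,OU=Groups,DC=example,DC=local"]},
    "CN=c,OU=Staff,DC=example,DC=local": {
        "sAMAccountName": "c", "password": "pw-c", "memberOf": []},
    "CN=d,OU=Staff,DC=example,DC=local": {
        "sAMAccountName": "d", "password": "pw-d",
        "memberOf": ["CN=Mobile Users,OU=Groups,DC=example,DC=local"]},
}
# Group objects. VPN_AD is itself a member of Mobile Users (nested group).
GROUPS: Dict[str, dict] = {
    "CN=VPN_AD,OU=Groups,DC=example,DC=local": {
        "memberOf": ["CN=Mobile Users,OU=Groups,DC=example,DC=local"]},
    "CN=Mobile Users,OU=Groups,DC=example,DC=local": {"memberOf": []},
}
VPN_AD = "CN=VPN_AD,OU=Groups,DC=example,DC=local"
MOBILE_USERS = "CN=Mobile Users,OU=Groups,DC=example,DC=local"


def find_user_dn(sam_account_name: str) -> Optional[str]:
    """Search step: map a login name to a DN, as a gateway does before binding."""
    for dn, attrs in USERS.items():
        if attrs["sAMAccountName"].lower() == sam_account_name.lower():
            return dn
    return None


def simulated_bind(dn: str, password: str) -> bool:
    """Stands in for an LDAP simple bind as that user; True means AD accepted the credentials."""
    return dn in USERS and USERS[dn]["password"] == password


def effective_groups(dn: str) -> Set[str]:
    """Resolve memberOf transitively so membership via a nested group counts."""
    seen: Set[str] = set()
    start = USERS.get(dn, GROUPS.get(dn, {}))
    stack: List[str] = list(start.get("memberOf", []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(GROUPS.get(group, {}).get("memberOf", []))
    return seen


def existence_only_policy(username: str, password: str) -> bool:
    """The behaviour reported in the thread: any AD account with a valid password gets in."""
    dn = find_user_dn(username)
    return dn is not None and simulated_bind(dn, password)


def group_restricted_policy(username: str, password: str, required_group_dn: str) -> bool:
    """The desired behaviour: valid credentials AND membership in the required group."""
    dn = find_user_dn(username)
    if dn is None or not simulated_bind(dn, password):
        return False  # authentication failed; never reach the group check
    return required_group_dn in effective_groups(dn)  # authorization decision


if __name__ == "__main__":
    for user in ("a", "c", "d", "z"):
        pw = f"pw-{user}"
        print(user,
              "exists-only:", existence_only_policy(user, pw),
              "VPN_AD-only:", group_restricted_policy(user, pw, VPN_AD))
```

Running it shows user c (a valid AD account outside VPN_AD) accepted by the existence-only policy and rejected by the group-restricted one, which is exactly the gap described in the thread; user a passes a check against Mobile Users as well, through the nested VPN_AD membership.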


smaguireAuthor Commented:
Thank you for trying to help me out