[Last Call] Learn how to a build a cloud-first strategyRegister Now


WatchGuard VPN Connection Setup

Posted on 2008-11-10
Medium Priority
Last Modified: 2013-11-16
This question is continuation of this question:

we created a group on our server "VPN_AD" and assigned some users to it, we can authenticate just fine however, even users outside this VPN_AD group and active directory users can still authenticate as well.

is there anyway to limit access to those users only in the VPN_AD group?

Question by:smaguire
  • 5
  • 3

Author Comment

ID: 22923786
There must be something easy to let the firebox know that if this user XXX is not part of VPN_AD group then simply reject him/her connection and don't let them authenticate
anyone knows?
LVL 32

Expert Comment

ID: 22929618

If the user you have configured is not part of the VPN group then he would not get authenticated; typically this is what should happen; let's say on AD you have group VPN_AD with users a and b as the only members.
Now a third user c connects to VPN; firebox sends details to AD for c'; and as c is not part of VPN_AD group, AD send reject, firebox would deny any more access to the user. The point here to understand is if for some reason AD sends allow or accept then FB would allow the user c.
Finally in the policy which is created to allow access to remote users, again if the AD says allow that policy would be used to grant access to remote users to the shared resources.

Please check what is the response sent by AD to FB; you can enable logging and you would be able to see the logs runtime in firebox system manager.

As already told to you, I would not be able to assist you with AD configuration or settings.

Thank you.

Author Comment

ID: 22930875
Thanks dpk_wal for your reply,
I understand your answer and its logical but the problem i am facing (I think) its within the firebox itself and not with the AD. The firebox is authenticating against all users in AD and not a group within AD, so this makes me to beleive that I am either missing something like adding a MemberOf string or something like that.
it looks to us that everytime we enter a user, the FB grabs its user name and password and passing them to AD saying "here is a user I have and I want to know if he/she is an active directory user or not?"
checking the logs, everything is being granted access within Active Directory regardless of its group.
Thanks again
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

LVL 32

Expert Comment

ID: 22930970
Did you upload the settings file on the client again after you made changes to firebox; please every time you make a change the client either needs to be updated manually or you need take the wgx file and reload it.

Normally if the user is not part of the group which should be same on both AD and firebox then the AD sends a deny.

Thank you.

Author Comment

ID: 22931209
yes, I did but the firebox still authenticate it, I think I have to talk to watch guard and see what they think

Author Comment

ID: 22931824
It seems the AD authentication checks to see if the user exists in AD for a successful authentication. What we want to do is to check to see if a user is a member of a security group in AD not if they exist. I'm not sure if this is possible with the AD interface in the Watchguard. We realize we can search a specific directory location in AD but this does not help us as our users already have a structure which we cannot modify to place users in a VPN ALLOWED folder. The Group String is interesting because what we really want to query is something like memberOf = Mobile Users.

Have you ever seen this type of configuration done?
LVL 32

Accepted Solution

dpk_wal earned 1500 total points
ID: 22932243
Sorry but not sure; I have never setup AD myself; I always had someone else who understood the working of AD set it up; my job always has been to configure the firewall. Systems have always been taken care by others.

May be some other expert with expertise in windows AD would be able to comment and help you further.


Author Closing Comment

ID: 31515117
Thank you for trying to help me out

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question