Watchguard XTM PPTP VPN

I need to create a Firewall policy on a Watchguard VPN that allows access to an internal server.

There is a config right now that has users setup but there's a DC on the network I'd like to use for authentication.

Is there a step by step process I can use? I am familiar with older Watchguards but this one has a lot more to it and I'd like a little guidance.
Avatar of chris_cox11

I look after Watchguard Fireboxes across multiple sites from head offices to regional offices, so I have experience with the VPN options.

How do the current VPNs work and how are they configured?
What are they using for authentication at the moment?
Are the remote users all scattered about or from the same remote office?
Avatar of underIce


(This is an XTM23)

- There are no Mobile VPN policies set
- There's an SSLVPN which is set at any - any (I don't need this anymore)
- There's a BOVPN (in and out). It's set at BOVPN-Allow In [In: our company - any] and BOVPN Allow Out [out: any - our company]. I don't know what this does but I'm sure we don't need it.

The RADIUS is not enabled (in the firewall's authentication settings) but on the firewall there is a user group configured.

Let me know if there's anything else...Thanks!
Are you using the WebUI (web user interface) to see the Watchguard setup or WSM (Watchguard System Manager), and if WSM, what version are you running on both WSM and XTM?

How many users do you require the VPN for?
Are they all from the same remote office or do they all work from different locations?

This is definitely something that I can help you configure correctly once we have the information, as there are a couple of ways to achieve this.

I'm using the Web UI.

The firewall itself is a  XTM23 version 11.3.2

I'm guessing I'd need no more than 10 users; at the moment I bet we'd need less than 5. The users are basically spread out and aren't working in a remote office together.
OK, the first thing you need to do is log in with your details, go to the software downloads section, download WSM 11.3.2 and install it on the system you work from.

Once you have done this let me know and I can talk you through setting up access to the Watchguard. You will have a clearer view of the firewall policies and you will be able to follow it a lot easier.

As this is not a simple set of instructions like clicking a tick box, I may need to speak to you, but we can sort this at the time.
I'm not able to access that account right now (after hours and the account holder is gone). I find the Web UI fairly clear though. I've used the System Manager though and it does seem a little easier to use.

But I think the WebUI should be fine...and in any case it's the only tool I have at the moment.

Can I not configure a Mobile VPN Policy and use the Windows 2008 server for network authentication?

One question I have is if I need to delete the SSLVPN in the firewall policy in order to do this.
Ok, here's where I'm at:

-I've activated the Mobile VPN with PPTP
-I've created a user and put it into the PPTP-Users group
-I created a PPTP policy in the firewall policy section (any - any)

I'm using the firewall username to connect and it seems to connect OK. But the problem I'm having is that I don't seem to be picking up a gateway on the local VPN client connection. The IP is on the remote range but I can't access the network because I don't have a gateway...

Must be something simple....ideas?
Now it's back to not accepting my login. The login screen pops back up after a few moments.

I get an error 619 after a couple of attempts.

It worked once....
I don't use the WebUI as it is not as informative and it is harder to see what policy is doing what, but I will log into our WebUI and try to find the right config for you.

Are the clients using windows VPN software to connect in?
Just so that I can look at the right settings, can you please confirm the following:

1) you want users to use their network authentication (AD) to connect through the WG
2) with this authentication you want them to have access to the internal network and data

I have had a thought and we might be overthinking this slightly.

Do your users have accounts setup in AD?

If so, all we need is to make sure that your router is forwarding port 1723 to the external interface of the WG, and that there is a firewall policy on the WG with a packet filter for PPTP (1723) configured FROM=ANY TO=NAT x.x.x.x->x.x.x.x (WG external interface IP -> server internal IP).

This will then enable users to use the Windows VPN software to connect to your external IP address with their network username and password. Once connected, this will act the same as a VPN without the WG in place, so they will have access to company shares and the Exchange server.

does this sound like what you are wanting?
That's how I'd love to do it actually. It's how I've setup other VPNs into Windows networks.

Let me ask you this, do I need to enable routing and remote access on the Windows 2008 server? Or can they just login against the AD?
In order for the VPN to authenticate on the DC it will require the Routing and Remote Access service to be running.

On SBS 2008 there is a separate VPN setting that needs to be set, but you may have already done this.

Open the Windows SBS Console. Select NETWORK, Connectivity tab; the 3rd from bottom option is VPN.
If this is OFF then on the right hand panel click 'Configure a virtual private network' and select 'Allow users to connect to the server using a VPN'.
The wizard will complete and there may be a warning on the Internet Router stage, but you can ignore this as it is just because the server cannot re-configure the router. You don't have to worry about this if you have set port 1723 to forward.
Click Finish and Bob's your uncle!!

With this enabled, the only thing to check is in each user's properties, under the Remote Access section, that there is a tick in the box for 'Users can access VPN'.

let me know how this goes.

PS.  are you ok with adding the packet filter for this in the WG firewall policy as mentioned in the comment above?
My server will only allow that sort of config through the remote access wizard.

Yes, I'm fine with a packet filter.

I'd expect to enable Mobile VPN with PPTP and then add a Mobile VPN policy. When I try to do that I don't seem to be able to add any groups in the Mobile VPN policy properties box. It's blank or read only...not sure which. But I'm stopped there...

I can enable  Mobile VPN with PPTP ok so I have write access to the firewall. I'm hoping to get access to a system download manager but we'll see..
If you activate the Mobile VPN with PPTP then all you can specify here is the IP address pool and the MTU/MRU settings, and also whether you want to allow weaker encryption.

This is worth doing as you then know that your remote users will be using a specified range of addresses (max of 50 to a pool) and not getting mixed up with local users' IP addresses.
This also helps with the fault finding process if required.

The actual policy itself is controlled through the packet filter you created for PPTP (1723).
If you want to completely lock this policy down, you could create a security group in your AD called PPTPUSERS and add the users that you want to have access to this group.

Then add an Authorized Users/Groups entry (in the left panel, Authentication -> Users and Groups):
Select Group
NAME = *same as AD name ie PPTPUSERS*
DESCRIPTION = *optional*
AUTH SERVER = Active Directory

once this has been done, back in your packet filter for PPTP you could remove the FROM=ANY and make it FROM=PPTPUSERS (in the FROM field click ADD and then in the drop down list select group created)

is this the sort of security you need for the remote users?
If so give it a try and let me know what happens.
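An added example, not from this thread: a PowerShell audit of the AD security group the post suggests (assumed to be named PPTPUSERS, as above), listing each member's dial-in permission so that accounts that are disabled, or lack the 'Users can access VPN' permission, stand out. It assumes the RSAT ActiveDirectory module is installed on the machine where it runs.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module and
# that the group name matches the post (PPTPUSERS). Defender's view: show who can
# actually dial in through the PPTP packet filter, and warn on group members that are
# disabled or explicitly denied dial-in, since they should not remain in the group.
Import-Module ActiveDirectory

$GroupName = 'PPTPUSERS'   # same name as the AD group the post suggests creating

# -Recursive expands nested groups; keep only user accounts
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    # msNPAllowDialin is the attribute behind the 'Dial-in' tab:
    #   $true  = Allow access
    #   $false = Deny access
    #   $null  = Control access through NPS network policy
    $u = Get-ADUser -Identity $m.DistinguishedName `
                    -Properties msNPAllowDialin, Enabled, LastLogonDate

    if ($null -eq $u.msNPAllowDialin) { $dialIn = 'NPS policy' }
    elseif ($u.msNPAllowDialin)       { $dialIn = 'Allow' }
    else                              { $dialIn = 'Deny' }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        DialIn         = $dialIn
        LastLogonDate  = $u.LastLogonDate
    }
}

$report | Sort-Object SamAccountName | Format-Table -AutoSize

# Members that cannot connect, or that should be removed from the group
$report |
    Where-Object { -not $_.Enabled -or $_.DialIn -eq 'Deny' } |
    ForEach-Object {
        Write-Warning "$($_.SamAccountName): Enabled=$($_.Enabled) DialIn=$($_.DialIn)"
    }
```

Run it from an account that can read group membership; change $GroupName if the group was created under a different name.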
You mentioned that you are hoping to get access to a system download manager?

do you mean WSM?

if so tell me what version you need and I will try and get this for you and try to get you access to my FTP to pull it from until you get the details.
Yes, you had mentioned WSM as a much better way to manage the interface. I've tried the WEB UI and it's a little lacking. I'm in the process of trying to get the login info for the site account but they are not sure where it is.

If there's a way to download it from you that'd be great...this is a XTM 23 Watchguard. I'm not sure which version I'm looking for. The latest I assume, but I don't know what that is.

It'll run on a Windows 2008 file server.

Regarding your instructions above, I'm assuming that if I enable Mobile VPN and configure an address range, and then create a packet filter, those connecting will be able to access network resources (dependent upon an AD login once they are attempting to access a file share).

So the sequence as I understand it is that a user would connect to the PPTP VPN on the firewall and once authenticated there would have PPTP VPN established to the firewall.

Once that occurs, they would have access to network resources as long as they have a valid AD login. They would be prompted with a login box when accessing a share and once logged in they would have access.

So there's 2 authentication steps, one to the Mobile PPTP VPN and one to the AD.

That seems simpler than configuring remote access on the Windows server...but maybe I need to do that as well.

I'm going to try and get hold of WSM and do the config with that....the WebUI seems a little flaky to me...
I will sort this out for you ready for Tuesday as I am out of my office for a few days.

In the WebUI it will tell you what version you are running.
I would assume the XTM23 is on 11.3.2 or 11.4.
Thanks! It's 11.3.2
Thanks for the great help!