Watchguard M400 VPN Connection?

Hi
I have to enable TLS 1.0, 1.1 and 1.2 in Internet Explorer on my laptop before a VPN can connect? How can I change these settings so I don't have to enable these in IE?

Thanks
badabing1 Asked:

William Miller, IT Specialist, Commented:
Unfortunately these are security protocols and you're trying to connect to a secure VPN on a Firebox. You'll likely only need TLS 1.2 enabled, though, as that's the latest of the 3.
badabing1, Author, Commented:
So I have to have these enabled in IE to connect to the VPN? I am confused, as I use a VPN client to establish the VPN connection, so where does IE come into this?

Thanks
William Miller, IT Specialist, Commented:
You access the Watchguard via a web interface.
Jeremy Weisinger, Senior Network Consultant / Engineer, Commented:
Are you using the SSL VPN client or the IPSec client?

Regardless, IE (or any other browser) will only come into play when accessing the web interface and not when you're establishing a VPN connection.

1. Why do you think you need to configure IE settings for the VPN?
2. In general, why don't you want those TLS versions enabled in IE? Ideally you would stay away from SSL 3.0 and TLS 1.0. Whenever possible you would want to use 1.2 and now 1.3. But this is dependent on the sites you're trying to access and if they support it. In IE you should be able to turn on support for all those versions except 1.3.
serialband Commented:
I believe those are Internet Option settings, not solely IE settings. You need to enable those for SSL VPN connections. You really should stop using TLS 1.0 and 1.1. TLS 1.0 is over 18 years old and no longer acceptable for PCI compliance because of unpatched vulnerabilities. TLS 1.1 is also 11 years old now and should have been turned off soon after TLS 1.2 came out 9 years ago. Don't wait for hacks to happen as they did with SSL 2.0 and SSL 3.0 before turning them off.

badabing1, Author, Commented:
Hi All

Sorry, I should have made it clear I use SSL VPN and use the SSL VPN client to connect.

I didn't know you can connect to Watchguard via web interface for VPN?
Jeremy Weisinger, Senior Network Consultant / Engineer, Commented:
You can't use the web interface to establish a VPN.

There are 3 different "sites" on a Watchguard (depending on the version): Management interface (:8080), Authentication (:4100), and the SSL VPN client download portal (whatever port the SSL VPN is listening on).

Are you having any issues or do you just have questions about the SSL/TLS version support and how it interacts with the SSL VPN client? In short, the IE settings should not affect the SSL VPN client.
serialband Commented:
The VPN is not a website, but does use SSL to encrypt the traffic.
badabing1, Author, Commented:
Jeremy Weisinger - I need to know why I had to enable those TLS protocols for the SSL VPN Client to connect with Watchguard.

User was adding his credentials and it did not connect until I enabled TLS on his laptop in IE? You say IE settings should not affect the SSL VPN client but it did and enabling TLS 1.1...x allowed it to connect successfully?

This is confusing me.

Thanks
Jeremy Weisinger, Senior Network Consultant / Engineer, Commented:
Oh, interesting. It looks like the client does use Windows' TLS support and doesn't bring its own.

http://www.watchguard.com/help/docs/fireware/11/en-US/Content/en-US/mvpn/ssl/mvpn_ssl_client-install_c.html

So the reason is that the SSL VPN requires TLS 1.1 and 1.2 to make the connection more secure.
serialband Commented:
The Internet Options configuration dialog box is for all internet options. It isn't only for IE. You do need to enable TLS there for connection. If the Watchguard uses TLS 1.2, then only enable that. Disable TLS 1.0 and 1.1.
Jeremy Weisinger, Senior Network Consultant / Engineer, Commented:
I believe that it is just setting it for Windows Schannel so anything that uses that will get the settings. Programs like Firefox bring along their own crypto binaries and so Internet Options have no effect on Firefox.

My guess was that the SSL VPN client was doing the same but it looks like it uses schannel.
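
The Internet Options TLS checkboxes discussed in this thread are stored as a bitmask in the `SecureProtocols` registry value, so the state of a laptop can be checked without opening the dialog. The PowerShell below is an added example, not code from any post above or from WatchGuard; the registry paths and bit values are the standard Windows ones (not stated in the thread), and `ConvertFrom-SecureProtocols` is a hypothetical helper name.

```powershell
# Added example: decode the Internet Options "SecureProtocols" bitmask.
# Bit values are the standard Windows protocol flags (assumption: not from the thread).
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
    'TLS 1.3' = 0x2000
}
# Versions the thread recommends turning off when the firewall accepts TLS 1.2.
$Legacy = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

function ConvertFrom-SecureProtocols {
    param([Parameter(Mandatory)][int]$Value)
    foreach ($name in $ProtocolBits.Keys) {
        $enabled = ($Value -band $ProtocolBits[$name]) -ne 0
        [pscustomobject]@{
            Protocol = $name
            Enabled  = $enabled
            Note     = if ($enabled -and $Legacy -contains $name) { 'legacy, candidate to disable' } else { '' }
        }
    }
}

# Per-user setting first, then the locations Group Policy writes to.
$Paths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)
foreach ($path in $Paths) {
    $item = Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "$path : SecureProtocols not set"
        continue
    }
    Write-Output "$path : 0x$('{0:X}' -f $item.SecureProtocols)"
    ConvertFrom-SecureProtocols -Value $item.SecureProtocols | Format-Table -AutoSize
}

# Constructed sample value: 0x0A80 = TLS 1.0 + TLS 1.1 + TLS 1.2 enabled.
ConvertFrom-SecureProtocols -Value 0x0A80 | Format-Table -AutoSize
```

A value set under either Policies path means the checkboxes are being managed by Group Policy, so a change made in the dialog on one laptop will not stick.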