badabing1
asked on
Watchguard M400 VPN Connection?
Hi
I have to enable TLS 1.0, 1.1 and 1.2 in Internet Explorer on my laptop before a VPN can connect? how can I change this settings so I don't have to enable these in IE?
Thanks
I have to enable TLS 1.0, 1.1 and 1.2 in Internet Explorer on my laptop before a VPN can connect? how can I change this settings so I don't have to enable these in IE?
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You access the watchguard via a web interface.
Are you using the SSL VPN client or the IPSec client?
Regardless, IE (or any other browser) will only come into play when accessing the web interface and not when you're establishing a VPN connection.
1. Why do you think you need to configure IE settings for the VPN?
2. In general, why don't you want those TLS versions enabled in IE? Ideally you would stay away from SSL 3.0 and TLS 1.0. Whenever possible you would want to use 1.2 and now 1.3. But this is dependant on the sites you're trying to access and if they support it. In IE you should be able to turn on support for all those versions except 1.3.
Regardless, IE (or any other browser) will only come into play when accessing the web interface and not when you're establishing a VPN connection.
1. Why do you think you need to configure IE settings for the VPN?
2. In general, why don't you want those TLS versions enabled in IE? Ideally you would stay away from SSL 3.0 and TLS 1.0. Whenever possible you would want to use 1.2 and now 1.3. But this is dependant on the sites you're trying to access and if they support it. In IE you should be able to turn on support for all those versions except 1.3.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi All
sorry, I should have made it clear I use SSL VPN and use SSL VPN client to connect.
I didn't know you can connect to watchguard via web interface for VPN?
sorry, I should have made it clear I use SSL VPN and use SSL VPN client to connect.
I didn't know you can connect to watchguard via web interface for VPN?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The VPN is not a website, but does use SSL to encrypt the traffic.
ASKER
Jeremy Weisinger - I need to know why I had to enable those TLS protocols for the SSL VPN Client to connect with watchguard.
User was adding his credentials and it did not connect until I enabled TLS on his laptop in IE? You say IE settings should not affect the SSL VPN client but it did and enabling TLS 1.1...x allowed it to connect successfully?
This is confusing me.
Thanks
User was adding his credentials and it did not connect until I enabled TLS on his laptop in IE? You say IE settings should not affect the SSL VPN client but it did and enabling TLS 1.1...x allowed it to connect successfully?
This is confusing me.
Thanks
Oh, interesting. It looks like the client does use the Window's TLS support and doesn't bring its own.
http://www.watchguard.com/help/docs/fireware/11/en-US/Content/en-US/mvpn/ssl/mvpn_ssl_client-install_c.html
So the reason is that the SSL VPN requires TLS 1.1 and 1.2 to make the connection more secure.
http://www.watchguard.com/help/docs/fireware/11/en-US/Content/en-US/mvpn/ssl/mvpn_ssl_client-install_c.html
So the reason is that the SSL VPN requires TLS 1.1 and 1.2 to make the connection more secure.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I believe that it is just setting it for Windows Schannel so anything that uses that will get the settings. Programs like Firefox bring along their own crypto binaries and so Internet Options have no effect on Firefox.
My guess was that the SSL VPN client was doing the same but it looks like it uses schannel.
My guess was that the SSL VPN client was doing the same but it looks like it uses schannel.
ASKER
Thanks