WatchGuard Technologies V10.0 manual Additional Mobile VPN Topics


Distributing the Software and Profiles


WatchGuard® recommends distributing end-user profiles by encrypted email or with some other secure method. Each client computer must have:

Software installation package

The packages are located on the WatchGuard LiveSecurity® Service web site at: http://www.watchguard.com/support

Log in to the site using your LiveSecurity Service user name and password. Click the Latest Software link, click Add-ons/Upgrades on the left side, and then click the link for Mobile VPN with IPSec.

The end-user profile

This file contains the group name, shared key, and settings that enable a remote computer to connect securely over the Internet to a protected, private computer network. The end-user profile has the file name groupname.wgx.

Two certificate files—if you are authenticating with certificates

These are the .p12 file, which is an encrypted file containing the certificate; and cacert.pem, which contains the root (CA) certificate.

User documentation

Documentation to help the remote user install the Mobile VPN client and import their Mobile VPN configuration file can be found in the “Mobile VPN Client Installation and Connection” chapter in this user guide.

Shared key

To import the end-user profile, the user is requested to type a shared key. This key decrypts the file and imports the security policy into the MUVPN client. The key is set during the creation of the file in Policy Manager.

The shared key, user name, and password are highly sensitive information. For security reasons, we recommend that you do not provide this information by email message. Because email is not secure, an unauthorized user can get the information and gain access to your internal network.

Tell the user this information directly, or use some other method that does not allow an unauthorized person to intercept it.

Additional Mobile VPN Topics

This section describes special topics for Mobile VPN with IPSec.

Making outbound IPSec connections from behind a Firebox

A user might have to make IPSec connections to a Firebox® from behind another Firebox. For example, if a mobile employee travels to a customer site that has a Firebox, that user can make IPSec connections to their network. For the local Firebox to correctly handle the outgoing IPSec connection, you must set up an IPSec policy that includes the IPSec packet filter. For information on enabling policies, see the Policies chapter in the WatchGuard® System Manager User Guide.

Because the IPSec policy enables a tunnel to the IPSec server and does not do any security checks at the firewall, add to this policy only the users that you trust.
