7 If you are using a backup server, enable the Specify backup SecurID server checkbox. Enter the IP address and port number for the backup server.
8 Click OK.
Using authentication to define remote user VPN access
WatchGuard uses two built-in groups:
• pptp_users – Names authorized to use Remote User VPN with PPTP
For more information, see “Adding remote access users” on page 134.
• ipsec_users – Names authorized to use Mobile User VPN with IPSec
When a user successfully connects to the Firebox using Remote User VPN, WatchGuard automatically adds the assigned IP address to one of these groups.
When a Remote User VPN connection is made to the Firebox, WatchGuard checks the client’s username and password against the Firebox domain. For this reason, Remote User VPN users must have an account in the Firebox domain and must be members of the appropriate VPN group (pptp_users or ipsec_users), regardless of any other authentication scheme in use.
When users authenticate using their account in the Firebox domain, WatchGuard automatically adds their IP address to all Firebox domain groups of which they are a member, including pptp_users or ipsec_users.
By default, Remote User VPN users (like any other users) have no access privileges through a Firebox. To allow Remote User VPN users to access machines on the Trusted network, you must add their usernames (or the group alias) to the service icons in the Services Arena that govern the traffic they need.
A typical use of
Example: Configuring a service for Remote User VPN
To allow outgoing Telnet from anywhere, but allow incoming Telnet only when the request comes from a Remote User VPN user, follow this procedure:
From Policy Manager:
1 Add a Telnet icon to the Services Arena if one does not already exist.
For information on how to add services, see “Adding an existing service” on page 47.
2 Configure the Outgoing tab to allow from Any to Any.
3 Configure the Incoming tab to allow from pptp_users to Any.
4 Click OK.
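The behaviour this procedure relies on (default deny, credentials checked against the Firebox domain, the assigned IP bound to the user's groups on success, and a service's Incoming tab matched against the pptp_users alias) can be modelled in a few lines. The following is an added illustration written for this page, not WatchGuard code; the class and function names, the sample accounts, passwords and IP addresses are all constructed for the example.

```python
"""Toy model of the Firebox group/alias evaluation described on this page.

This is an added illustration, not WatchGuard code. It models a Firebox domain
with the built-in pptp_users and ipsec_users groups, binds a client's assigned
IP address to every group the user belongs to after a successful Remote User
VPN authentication, and evaluates a Telnet service whose Incoming tab allows
only pptp_users. All usernames, passwords and addresses are constructed data.
"""
from dataclasses import dataclass, field
from hmac import compare_digest


@dataclass
class FireboxDomain:
    # username -> (password, set of group names); constructed sample accounts
    accounts: dict
    # alias name -> set of IP addresses currently bound to that alias
    bindings: dict = field(default_factory=dict)

    def authenticate_vpn(self, username, password, assigned_ip, vpn_group):
        """Check credentials against the Firebox domain.

        On success the assigned IP is added to every group the user is a
        member of (including the VPN group). A valid account that is not in
        the required VPN group is refused, as the page describes.
        Returns True on success, False otherwise.
        """
        acct = self.accounts.get(username)
        if acct is None or not compare_digest(acct[0], password):
            return False
        groups = acct[1]
        if vpn_group not in groups:
            return False  # authenticated, but not authorized for this VPN type
        for g in groups:
            self.bindings.setdefault(g, set()).add(assigned_ip)
        return True

    def members(self, alias):
        """IP addresses currently bound to an alias (empty if none)."""
        return self.bindings.get(alias, set())


@dataclass
class ServiceRule:
    name: str
    incoming_from: set  # aliases allowed on the Incoming tab, or {"Any"}
    outgoing_from: set  # aliases allowed on the Outgoing tab, or {"Any"}


def is_allowed(domain, rule, direction, src_ip):
    """Default deny: traffic passes only if an alias on the relevant tab
    is 'Any' or currently contains the source IP."""
    aliases = rule.incoming_from if direction == "incoming" else rule.outgoing_from
    if "Any" in aliases:
        return True
    return any(src_ip in domain.members(a) for a in aliases)


def demo():
    """Walk through the Telnet example: results keyed by scenario."""
    domain = FireboxDomain(accounts={
        "alice": ("s3cret-pw", {"pptp_users", "staff"}),  # VPN-authorized
        "bob": ("hunter2-pw", {"staff"}),                  # no VPN group
    })
    telnet = ServiceRule("Telnet", incoming_from={"pptp_users"},
                         outgoing_from={"Any"})
    results = {}
    # Incoming Telnet from an address nobody has authenticated from: denied.
    results["unauth_incoming"] = is_allowed(domain, telnet, "incoming", "10.0.0.5")
    # alice authenticates over PPTP; her assigned IP joins pptp_users.
    results["alice_auth"] = domain.authenticate_vpn("alice", "s3cret-pw",
                                                    "10.0.0.5", "pptp_users")
    results["alice_incoming"] = is_allowed(domain, telnet, "incoming", "10.0.0.5")
    # bob has a valid account but is not in pptp_users: refused, no binding.
    results["bob_auth"] = domain.authenticate_vpn("bob", "hunter2-pw",
                                                  "10.0.0.6", "pptp_users")
    results["bob_incoming"] = is_allowed(domain, telnet, "incoming", "10.0.0.6")
    # Wrong password for alice from a new address: refused.
    results["bad_pw"] = domain.authenticate_vpn("alice", "wrong", "10.0.0.7",
                                                "pptp_users")
    # Outgoing tab is Any to Any, so any source passes.
    results["outgoing"] = is_allowed(domain, telnet, "outgoing", "192.168.1.10")
    return results


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {allowed}")
```

The point to notice is that the alias is resolved at connection time against the IP bindings created by authentication, so a packet from the VPN address pool is still refused until its user has authenticated and landed in pptp_users.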