
WSM User Guide - WatchGuard Technologies


Configuring the Firebox as an Authentication Server

• Virtual IP address on the user's computer if the user is connected with RUVPN.

Firewall authentication

To create a Firebox user account, from Policy Manager, select Setup > Authentication Servers. After you create the user account, you can make a Firebox group and put the user in that Firebox User group. Next, create a policy that allows traffic only to or from a list of Firebox user names or a list of Firebox groups. This policy is applied only if a packet comes from or goes to the authenticated user's IP address.

A user authenticates with an HTTPS connection to the Firebox over port 4100 by typing:

https://IP address of a Firebox interface:4100/

If the user name and password are valid, the user is authenticated. When a user is authenticated, the user credentials and the IP address of their computer are both used to find whether a policy applies to the traffic starting from or going to that user's computer.

PPTP connections

To configure the Firebox to host PPTP VPN sessions, select VPN > Remote Users and click the PPTP tab. If you do not select the check box Use RADIUS Authentication to authenticate remote users, then the Firebox authenticates the PPTP session. The Firebox checks whether the user name and password the user enters into the VPN connection box match the user name and password in the Firebox User database. If the credentials supplied by the user match an account in the Firebox User database, the user is authenticated for a PPTP session.

Next, create a policy that allows traffic only from or to a list of Firebox user names, or a list of Firebox groups. The Firebox does not look at this policy unless traffic comes from or goes to the authenticated user's virtual IP address.

The user makes the PPTP connection using the PPTP feature included in their computer operating system. Because the Firebox allows the PPTP connection from any Firebox user that gives the correct credentials, it is important that you make a policy for PPTP sessions that includes only the users you want to allow to send traffic over the PPTP session. Or, put these users into a Firebox User group and make a policy that allows traffic only from this group. The Firebox has a pre-configured group for this called "PPTP-Users".

MUVPN connections

You can configure the Firebox to host Mobile User VPN (MUVPN) IPSec sessions. To do this, select VPN > Remote Users and click the Mobile User VPN tab. You make the MUVPN group using the Add Mobile User VPN wizard. When the wizard is finished, Policy Manager does two things:

• Makes a client configuration profile (called a .wgx file) and puts it on the management station computer that created the MUVPN account. The user must have this .wgx file to configure the MUVPN client computer.
• Automatically adds an "Any" policy to the Mobile User VPN tab that allows traffic to pass to and from the authenticated MUVPN user.

When the user's computer is correctly configured, the user makes the MUVPN connection. If the user name and password the user enters into the MUVPN authentication dialog box match an entry in the Firebox User database, and if the user is in the MUVPN group you create, the MUVPN session is authenticated. Policy Manager automatically makes a policy that allows any traffic from the authenticated user. To restrict the ports the MUVPN client can access, delete the Any policy and add policies for those ports to the Mobile User VPN tab. To learn how to add policies, see "Adding Policies" on page 146.

124 WatchGuard System Manager
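The three sections above share one rule: authentication only records who is behind which IP address (the client IP for firewall authentication, the virtual IP for PPTP and MUVPN), and it is the user- or group-based policies that decide what that session may send. The toy model below, added here as an illustration and not WatchGuard's own code, shows that rule in working form: a valid PPTP user who is not in the pre-configured "PPTP-Users" group authenticates but gets no policy, and an MUVPN user whose wizard-generated "Any" policy has been replaced by per-port policies is allowed only on those ports. The user database, the "MUVPN-Sales" group, the IP addresses and the policy names are all constructed for the example.

```python
"""Toy model of Firebox user/group policy matching (added example, not WatchGuard code).

Assumptions (constructed for illustration): the user database, the group
"MUVPN-Sales", the IP addresses and the policy names are all made up. Only
"PPTP-Users" is the pre-configured group the guide mentions.
"""
from dataclasses import dataclass
from hashlib import sha256
from hmac import compare_digest
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Session:
    user: str
    ip: str     # address traffic is matched on: client IP, or virtual IP for PPTP/MUVPN
    kind: str   # "firewall", "pptp" or "muvpn"


@dataclass(frozen=True)
class Policy:
    name: str
    users: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    ports: FrozenSet[int] = frozenset()   # empty set means "Any" port


def _digest(password: str) -> bytes:
    return sha256(password.encode()).digest()


# Constructed Firebox User database: user name -> password digest.
USER_DB: Dict[str, bytes] = {
    "alice": _digest("alice-pw"),
    "bob": _digest("bob-pw"),
    "carol": _digest("carol-pw"),
}

# Constructed groups. Only alice is in PPTP-Users; carol is a valid user who is not.
GROUPS: Dict[str, FrozenSet[str]] = {
    "PPTP-Users": frozenset({"alice"}),
    "MUVPN-Sales": frozenset({"bob"}),
}

# Constructed policies in evaluation order. The MUVPN policies list explicit
# ports instead of the wizard's default "Any" policy.
POLICIES: List[Policy] = [
    Policy("PPTP-Allow", groups=frozenset({"PPTP-Users"})),
    Policy("MUVPN-HTTPS", groups=frozenset({"MUVPN-Sales"}), ports=frozenset({443})),
    Policy("MUVPN-DNS", groups=frozenset({"MUVPN-Sales"}), ports=frozenset({53})),
    Policy("Alice-RDP", users=frozenset({"alice"}), ports=frozenset({3389})),
]


class Firebox:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}   # keyed by the session's IP

    def authenticate(self, user: str, password: str, ip: str, kind: str) -> bool:
        """Check credentials against the User database and record the session.

        Like the Firebox, any valid user gets a PPTP session; the policies,
        not authentication, decide what that user may send.
        """
        stored = USER_DB.get(user)
        if stored is None or not compare_digest(stored, _digest(password)):
            return False
        self.sessions[ip] = Session(user, ip, kind)
        return True

    def _matches(self, policy: Policy, session: Session, port: int) -> bool:
        in_users = session.user in policy.users
        in_groups = any(session.user in GROUPS.get(g, frozenset()) for g in policy.groups)
        port_ok = not policy.ports or port in policy.ports
        return (in_users or in_groups) and port_ok

    def match(self, src_ip: str, dst_ip: str, dst_port: int) -> Optional[str]:
        """Return the first policy allowing this packet, or None.

        User policies are only consulted when one end of the packet is the
        IP address an authenticated session was recorded for.
        """
        session = self.sessions.get(src_ip) or self.sessions.get(dst_ip)
        if session is None:
            return None
        for policy in POLICIES:
            if self._matches(policy, session, dst_port):
                return policy.name
        return None


def demo() -> Dict[str, Optional[str]]:
    fb = Firebox()
    assert fb.authenticate("alice", "alice-pw", "192.0.2.10", "pptp")   # virtual IP
    assert fb.authenticate("carol", "carol-pw", "192.0.2.11", "pptp")   # valid, not in PPTP-Users
    assert fb.authenticate("bob", "bob-pw", "192.0.2.20", "muvpn")
    assert not fb.authenticate("bob", "wrong-pw", "192.0.2.21", "firewall")
    return {
        "alice_pptp": fb.match("192.0.2.10", "10.0.0.5", 22),        # PPTP-Allow (any port)
        "carol_pptp": fb.match("192.0.2.11", "10.0.0.5", 22),        # None: authenticated, no policy
        "bob_https": fb.match("192.0.2.20", "10.0.0.5", 443),        # MUVPN-HTTPS
        "bob_ssh": fb.match("192.0.2.20", "10.0.0.5", 22),           # None: port not in MUVPN policies
        "to_bob_https": fb.match("10.0.0.5", "192.0.2.20", 443),     # MUVPN-HTTPS (traffic to the user)
        "unauthenticated": fb.match("192.0.2.99", "10.0.0.5", 443),  # None: no session for that IP
    }


if __name__ == "__main__":
    for name, policy in demo().items():
        print(f"{name}: {policy or 'no user policy applies'}")
```

Two design points carry over to the real device: password comparison uses `hmac.compare_digest` rather than `==`, and a matching session is looked up by either endpoint, because the guide says the user policy applies to traffic going to the user's IP as well as coming from it.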
