Watchguard For Mac Client

The WatchGuard Mobile VPN with SSL client is a software application that is installed on a remote computer. The client makes a secure connection from the remote computer to your protected network through an unsecured network, such as the Internet. The Mobile VPN client uses Transport Layer Security (TLS) to secure the connection. @Don't read #1 Shop for Low Price Watchguard Mobile Vpn With Ssl Client For Mac And Watchguard Open Ssl Vpn Client Mac. When the SA Life is set to 8 hours, WatchGuard IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the macOS or iOS device uses the smaller rekey value of 1 hour. From the Key Group drop-down list, select Diffie-Hellman Group 14 or Diffie-Hellman Group 2.

Apple iOS devices (iPhone, iPad, and iPod Touch) and macOS 10.6 and higher devices include a native Cisco IPSec VPN client. You can use this client to make an IPSec VPN connection to a Firebox. To use the native IPSec VPN client to make a connection to your Firebox, you must configure the VPN settings on your Firebox to match those on the iOS or macOS device.

For IPSec VPN connections from a macOS device, you can also use the WatchGuard IPSec VPN Client for macOS. For more information, see Install the IPSec Mobile VPN Client Software.

Supported Phase 1 and 2 Settings

For devices with iOS 9.3 and higher or macOS 10.11.4 and higher, these combinations of Phase 1 and 2 settings are supported.

If Diffie-Hellman Group 14 is selected in the Phase 1 settings:

Phase 1 Authentication — MD5, SHA1, SHA2-256, SHA2-512
Phase 1 Encryption — AES256
Phase 2 Authentication — MD5, SHA1
Phase 2 Encryption — 3DES, AES128, AES256
Perfect Forward Secrecy — No

If Diffie-Hellman Group 2 is selected in the Phase 1 settings:

Phase 1 Authentication — MD5, SHA1
Phase 1 Encryption — DES, 3DES, AES128, AES256
Phase 2 Authentication — SHA1, MD5
Phase 2 Encryption — 3DES, AES128, AES256
Phase 2 PFS — No

For devices with versions of iOS lower than 9.3, these Phase 1 and 2 settings are supported.

Diffie-Hellman Group 2
Phase 1 Authentication — MD5 , SHA1
Phase 1 Encryption — DES, 3DES, AES128, AES256
Phase 2 Authentication — MD5 , SHA1
Phase 2 Encryption — 3DES, AES128, AES256
Phase 2 PFS — No

Diffie-Hellman Group 5 is not supported on Apple devices for aggressive mode. Mobile VPN with IPSec only supports aggressive mode.

Configure the Firebox

Many of the VPN tunnel configuration settings in the VPN client on the macOS or iOS device are not configurable by the user. It is very important to configure the settings on your Firebox to match the settings required by the VPN client on the macOS or iOS device.

To configure the Firebox, from Fireware Web UI:

(Fireware v12.3 or higher) Select VPN > Mobile VPN.
In the IPSec section, select Configure.
The Mobile VPN with IPSec page appears.
(Fireware v12.2.1 or lower) Select VPN > Mobile VPN with IPSec.
The Mobile VPN with IPSec page appears.
Click Add.
The Mobile VPN with IPSec Settings page appears.

In the Name text box, type the name of the authentication group your macOS or iOS VPN users belong to.

You can type the name of an existing group, or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and VPN tunnel names.

From the Authentication Server drop-down list, select an authentication server.

You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you select is enabled.

If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.

Type and confirm the Passphrase to use for this tunnel.
In the Firebox IP Addresses section, type the primary external IP address or domain name to which Mobile VPN users in this group can connect.
Select the IPSec Tunnel tab.
The IPSec Tunnel settings appear.

Select Use the passphrase of the end user profile as the pre-shared key.
This is the default setting.
From the Authentication drop-down list, select an authentication method.
From the Encryption drop-down list, select an encryption method.
In the Phase 1 Settings section, click Advanced.
The Phase 1 Advanced Settings appear.

Set the SA Life to 1 hour.

The VPN client on the macOS or iOS device is configured to rekey after 1 hour. If this profile is only used for connections by VPN clients on macOS or iOS devices, set the SA Life to 1 hour to match the client setting.

To use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, WatchGuard IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the macOS or iOS device uses the smaller rekey value of 1 hour.

From the Key Group drop-down list, select Diffie-Hellman Group 14 or Diffie-Hellman Group 2.Tip!
Do not change any of the other Phase 1 advanced settings.
Click OK.
In the Phase 2 Settings section, clear the PFS check box.

In the Phase 2 Settings section, click Advanced.
The Phase 2 Advanced settings appear.

From the Authentication drop-down list, select SHA1.
SHA2 is not supported for Phase 2 for Mobile VPN with IPSec connections from macOS and iOS devices.
From the Encryption drop-down list, select an encryption method.
In the Force Key Expiration settings, set the expiration Time to 1 hours.
In the Force Key Expiration settings, clear the Traffic check box.
Click OK.
Select the Resources tab.
Select the Allow All Traffic Through Tunnel check box.
This configures the tunnel for default-route VPN. The VPN client on the macOS or iOS device does not support split tunneling.
In the Virtual IP Address Pool list, add the internal IP addresses that are used by Mobile VPN users over the tunnel.
To add an IP address or a network IP address to the virtual IP address pool, select Host IP or Network IP, type the address, and click Add.

The number of IP addresses should be the same as the number of Mobile VPN users. The virtual IP addresses do not need to be on the same subnet as the trusted network. If FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.

Linux Debian (7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6), Linux Fedora (22, 23, 24), Linux Mint (17, 17.1, 17.2, 17.3, 18), Linux Red Hat Enterprise (6.0, 7.0), Linux SUSE (13.2, 42.1), Linux Ubuntu (12.04, 14.04, 15.10, 16.04, 16.10), OS Mac OS 10.12 Sierra, OS X 10.10 Yosemite, OS X 10.11 El Capitan, UNIX, Windows 10 all 32- & 64-bit editions (excluding RT OS for Tablets), Windows 7 all 32- & 64-bit editions, Windows 8/8.1 all 32- & 64-bit editions (excluding RT OS for Tablets), Windows XP all 32- & 64-bit editions (excluding RT OS for Tablets). Scanner for mac hp. 1 Scan speeds measured from ADF.

The IP addresses in the virtual IP address pool cannot be used for anything else on your network.

Select the Advanced tab.
(Fireware v12.2.1 or higher) Configure the DNS settings:

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53as a DNS server.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, clients do not receive DNS or WINS settings from the Firebox.

Assign these settings to mobile clients

If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.

You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.

For more information about DNS and WINS server settings for Mobile VPN with IPSec users, see Configure DNS and WINS Servers for Mobile VPN with IPSec.

Click Save.

Make sure that you add all VPN users to the authentication group you selected.

For information about how to add users to a Firebox user group, see Define a New User for Firebox Authentication.

To configure the Firebox, from Policy Manager:

First, use the Mobile VPN with IPSec Wizard to configure the basic settings:

Select VPN > Mobile VPN > IPSec.
The Mobile VPN with IPSec Configuration dialog box appears.
Click Add.
The Add Mobile VPN with IPSec Wizard appears.
Click Next.
The Select a user authentication server page appears.

From the Authentication Server drop-down list, select an authentication server.

You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you select is enabled.

In the Group Name text box, type the name of the authentication group your macOS or iOS device users belong to.

You can type the name of a Mobile VPN group you have already created, or type a group name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and tunnel names.

Click Next.
The Select a tunnel authentication method page appears.

Select Use this passphrase. Type and confirm the passphrase.
Click Next.
The Direct the flow of Internet traffic page appears.

Select Yes, force all Internet traffic to flow through the tunnel..
This configures the tunnel for default-route VPN. The VPN client on the macOS or iOS device does not support split tunneling.
Click Next.
The Identify the resources accessible through the tunnel page appears.

For a default-route VPN configuration, the configuration automatically allows access to all network IP addresses and the Any-External alias.

Click Next.
The Create the virtual IP address pool page appears.

To add one IP address or an IP address range, click Add.
To add more virtual IP addresses, repeat this step.

Mobile VPN users are assigned an IP address from the virtual IP address pool when they connect to your network. The number of IP addresses in the virtual IP address pool should be the same as the number of Mobile VPN users. If a FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.

The virtual IP addresses must be on a different subnet than the local networks. The virtual IP addresses cannot be used for anything else on your network.

Click Next.
To add users to the new Mobile VPN with IPSec group, select the Add users check box.
Click Finish.
The Mobile VPN configuration you created appears in the Mobile VPN with IPSec Configuration dialog box.

Next, you must edit the VPN Phase 1 and Phase 2 settings to match the settings for the VPN client on the macOS or iOS device.

In the Mobile VPN with IPSec Configuration dialog box, select the configuration you just added.
Click Edit.
The Edit Mobile VPN with IPSec dialog box appears.
Select the IPsec Tunnel tab.

From the Authentication drop-down list, select an authentication method.
From the Encryption drop-down list, select an encryption method.
Click the Advanced button in the Phase 1 Settings section.
The Phase1 Advanced Settings dialog box appears.

Set the SA Life to 1 hour.

From the Key Group drop-down list, select Diffie-Hellman Group 14 or Diffie-Hellman Group 2.
Do not change any of the other Phase 1 Advanced Settings.
Click OK.
In the Phase 2 Settings section, click Proposal.

From the Authentication drop-down list, select MD5 or SHA1.
SHA2 is not supported for Phase 2 for Mobile VPN with IPSec connections from macOS and iOS devices.
From the Encryption drop-down list, select an encryption method.
Set the Force Key Expiration to 1 hour and 0 kilobytes.
In the Force Key Expiration settings, set the expiration Time to 1 hours.
In the Force Key Expiration settings, clear the Traffic check box.
Click OK.
In the Edit Mobile VPN with IPSec dialog box, clear the PFS check box.
Perfect Forward Secrecy is not supported by the VPN client on the iOS device.

Click the Advanced tab.
(Fireware v12.2.1 or higher) Configure the DNS settings:

Assign the network DNS/WINS settings to mobile clients

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, clients do not receive DNS or WINS settings from the Firebox.

Assign these settings to mobile clients

You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.

For more information about DNS and WINS server settings for Mobile VPN with IPSec users, see Configure DNS and WINS Servers for Mobile VPN with IPSec.

Click OK.
Save the configuration file to your Firebox.

Make sure that the macOS or iOS users are members of the authentication group you selected.

Next, you add the settings you configured on your Firebox to the VPN client settings on the macOS or iOS device.

Configure the VPN Client on an iOS Device

To manually configure the VPN client settings on the iOS device:

Select Settings > General > VPN > Add VPN Configuration.
Configure these settings in the VPN client:
- Type — IPSec
- Server — The external IP address of the Firebox
- Account — The user name on the authentication server
  Specify the user name only. Do not preface the user name with a domain name and do not specify an email address.
- Password — The password for the user on the authentication server
- Use Certificate — Set this option to OFF
- Group Name — The group name you chose in the Firebox Mobile VPN with IPSec configuration
- Secret — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration

After you add the VPN configuration, a VPN switch appears in the Settings menu on the iOS device.

To enable or disable the VPN client, click the VPN switch. When a VPN connection is established, the VPN icon appears in the status bar.

The VPN client on the iOS device stays connected to the VPN only while the iOS device is in use. If the iOS device locks itself, the VPN client might disconnect. Users can manually reconnect their VPN clients. If users save their passwords, they do not have to retype the password each time the VPN client reconnects. If users do not save their passwords, they must type the password each time the client reconnects.

The WatchGuard Mobile VPN app for iOS is no longer available in the Apple Store.

Configure the VPN Client on a macOS Device

The Firebox does not generate a client configuration file for the VPN client on the macOS device. The user must manually configure the VPN client settings to match the settings configured on the Firebox.

To configure the VPN settings on the macOS device:

Open System Preferences and select Network.
Click + at the bottom of the list to add a new interface. Configure these settings:
- Interface — VPN
- VPN Type — Cisco IPSec
- Service Name — Type the name to use for this connection
Click Create.
The new VPN interface appears in the list of network interfaces.
Select the new interface in the list. Edit these settings:
- Server Address — The external IP address of the Firebox
- Account Name — The user name on the authentication server
  Specify the user name only. Do not preface the user name with a domain name and do not specify an email address.
- Password — The password for the user on the authentication server
Click Authentication Settings. Configure these settings:
- Shared Secret — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration
- Group Name — The group name you chose in the Firebox Mobile VPN with IPSec configuration
To add the VPN status icon to the macOS menu bar, select the Show VPN status in menu bar check box .
Click Connect to start the VPN tunnel.

After you apply these settings, a VPN status icon appears in the menu bar of the macOS device.

To start or stop the VPN client connection, click the VPN status icon.

Client Computer Requirements

For information about which operating systems are compatible with your Mobile VPN with SSL Client, see the Operating System Compatibility list in the Fireware Release Notes.

In Fireware v12.5.4 or higher, the Firebox requires the SSL VPN client to support TLS 1.2 or higher. In Fireware v12.4.1 or lower, the Firebox requires the SSL VPN client to support TLS 1.1 or higher.

Windows Requirements

To upgrade the Mobile VPN with SSL Windows client, you must have administrator privileges.

If a minor version update is available, but you cannot update the client version, you can still connect to the VPN tunnel.
If a major version update is available, but you cannot update the client version, you cannot connect to the VPN tunnel.

In Fireware v12.5.3 or higher, if the client automatically detects that an upgrade is available, but you do not have administrator privileges, a message appears that tells you to contact your system administrator for assistance. If a minor version update is available, you can select the Don't show this message again check box. This check box does not appear if a major version update is available.

In Fireware v12.5.2 or lower, if the client automatically detects that an upgrade is available, a message appears that asks you to upgrade. However, if you do not have administrator privileges, you cannot upgrade the client.

macOS Requirements

To install the Mobile VPN with SSL client on macOS, you must have administrator privileges.

In macOS 10.15 (Catalina) or higher, you must install v12.5.2 or higher of the WatchGuard Mobile VPN with SSL client. For more compatibility information, see the Fireware Release Notes.

Download the Client Software

You can download the client from the WatchGuard Software Downloads page or from the Firebox.

In Fireware v12.5.5 or higher, your web browser must support TLS 1.2 or higher to download the client from the Firebox. In Fireware v12.4.1 or lower, your web browser must support TLS 1.1 or higher to download the client from the Firebox.

To download the client from the Software Downloads page:

Go to the Software Downloads page.
Do one of the following:
1. From the Select a device drop-down list, select the hardware model of the Firebox.
2. In the text box, type the first four digits of the Firebox serial number.
In the WatchGuard Mobile VPN with SSL Software section, click the Mobile VPN with SSL for Windows link or the Mobile VPN with SSL for macOS link.
The installation file downloads to your computer.

To download the client from the Firebox:

Authenticate to the Firebox with an HTTPS connection over the port specified by the administrator. The default port is 443.

Over port 443

To share your Mac with someone else, download a remote Virtual Network Computing (VNC) app like Jump Desktop. With full remote access and Mac remote control, the other person — or yourself connecting to another Mac — can have the same level of control as the person using that device. Except for Admin level access, since it's password protected. Use Remote Management in Sharing preferences to allow others to access your computer using Apple Remote Desktop. On your Mac, choose Apple menu System Preferences, click Sharing, then select the Remote Management checkbox. Manage Mac computers on your network with Apple Remote Desktop (ARD). Learn more with these resources. Mac for remote desktop.

https://<Firebox interface IP address>/sslvpn.html

https://<Firebox host name>/sslvpn.html

Over a custom port number

https://<Firebox interface IP address>:<custom port number>/sslvpn.html

https://<Firebox host name>:<custom port number>/sslvpn.html

The authentication web page appears.

Type your Username and Password.
If Mobile VPN with SSL is configured to use more than one authentication method, select the authentication server from the Domain drop-down list.
The Mobile VPN with SSL download page appears.

Click the Download button for the correct installer for your operating system: Windows (WG-MVPN-SSL.exe) or macOS (WG-MVPN-SSL.dmg).
Save the file to your computer.

From this page, you can also download the Mobile VPN with SSL client profile for connections from any SSL VPN client that supports .OVPN configuration files. For more information about the Mobile VPN with SSL client profile, see Use Mobile VPN with SSL with an OpenVPN Client.

In Fireware v12.5.4 or higher, you can disable the software downloads page hosted by the Firebox. If you disable this page, users cannot download the Mobile VPN with SSL client from the Firebox. Users can download the client from the WatchGuard website, or you can manually distribute the client to your users. For more information, see Plan Your Mobile VPN with SSL Configuration.

Install the Client Software

To install the client in Windows:

Double-click WG-MVPN-SSL.exe.
The Mobile VPN with SSL client Setup Wizard starts.
Accept the default settings on each screen of the wizard.
(Optional) To add a desktop icon or a Quick Launch icon, select the check box in the wizard that matches the option.
Finish and exit the wizard.

To install the client in macOS:

Make sure that the System Preferences > Security and Privacy settings on your Mac allow apps downloaded from Mac App Store and identified developers. This is the default setting.
Double-click WG-MVPN-SSL.dmg.
A volume named WatchGuard Mobile VPN is created on your desktop.
In the WatchGuard Mobile VPN volume, double-click WatchGuard Mobile VPN with SSL Installer <version>.mpkg.
The client installer starts.
Accept the default settings on each screen of the installer.
Finish and exit the installer.

After you download and install the client software, the Mobile VPN client software automatically connects to the Firebox. Each time you connect to the Firebox, the client software verifies whether any configuration updates are available.

Connect to Your Private Network

To start the Mobile VPN with SSL client in Windows, do one of the following:

From the Start Menu, select All Programs > WatchGuard > Mobile VPN with SSL client > Mobile VPN with SSL client.
Double-click the Mobile VPN with SSL shortcut on your desktop.
Click the Mobile VPN with SSL icon in the Quick Launch toolbar.

To start the Mobile VPN with SSL client on macOS:

Open a Finder window.
Select Applications > WatchGuard.
Double-click the WatchGuard Mobile VPN with SSL application.

Specify the Client Connection Settings

After you start the Mobile VPN with SSL Client, to start the VPN connection, you must specify the authentication server and user account credentials. Mobile VPN with SSL does not support Single Sign-On (SSO).

The Server is the IP address of the primary external interface of a Firebox, or an FQDN that resolves to that IP address. If Mobile VPN with SSL on the Firebox is configured to use a port other than the default port 443, in the Server text box, you must type the IP address or FQDN followed by a colon and the port number. For example, if Mobile VPN with SSL is configured to use port 444, and the primary external IP address is 203.0.113.2, the Server is 203.0.113.2:444.

The User name format depends on which authentication server the user authenticates to. For example, if the Firebox configuration includes multiple authentication servers, you must specify the authentication server in the User name text box. The User name must be formatted in one of these ways:

To use the default authentication server

Type the user name. Example: j_smith

To use another authentication server

Type the authentication server name or domain name, and then type a backlash () followed by the user name. Example: <server.example.com><j_smith>.

Active Directory — ad1_example.comj_smith

Firebox-DB — Firebox-DBj_smith

RADIUS (Fireware v12.5 or higher) — rad1.example.comj_smith or RADIUSj_smith. You must type the domain name specified in the RADIUS settings on Firebox.

Watchguard Ssl Client For Mac

RADIUS (Fireware v12.4.1 or lower) — RADIUSj_smith. You must always type RADIUS.

If your configuration includes a RADIUS server, and you upgrade from Fireware v12.4.1 or lower to Fireware v12.5 or higher, the Firebox automatically uses RADIUS as the domain name for that server. To authenticate to that server, you must type RADIUS as the domain name. In this case, if you type a domain name other than RADIUS, authentication fails.

To connect to your private network from the Mobile VPN with SSL client:

In the Server text box, type or select the IP address or name of the Firebox to connect to.
The IP address or name of the server you most recently connected to is selected by default.
In the User name text box, type the user name.
If Mobile VPN with SSL on the Firebox is configured to use multiple authentication methods, specify the authentication server or domain name before the user name. For example, ad1_example.comj_smith.
In the Password text box, type the password for your user account.
The client remembers the password if the administrator configured the authentication settings to allow it.
Click Connect.

If the connection between the SSL client and the Firebox is temporarily lost, the SSL client tries to establish the connection again.

To troubleshoot connection issues, see Troubleshoot Mobile VPN with SSL.

Other Connection Options

Two other connection options are available in the client only if the administrator has enabled them on the device you connect to.

Automatically reconnect

Select the Automatically reconnect check box if you want the Mobile VPN with SSL client to automatically reconnect when the connection is lost.

Remember password

Select the Remember password check box if you want the Mobile VPN with SSL client to remember the password you typed for the next time you connect.

Mobile VPN with SSL Client Controls

When the Mobile VPN with SSL client runs, the WatchGuard Mobile VPN with SSL icon appears in the system tray (Windows) or on the right side of the menu bar (macOS). The type of magnifying glass icon that appears shows the VPN connection status.

Windows:

— The VPN connection is not established.
— The VPN connection is established. You can securely connect to resources behind the Firebox.
— The client is in the process of connecting or disconnecting. The 'W' letter in the icon pulsates.
— The client cannot connect to the server. Verify that the server IP address, user name, and password are correct. To troubleshoot further, check the client logs for Mobile VPN with SSL.

macOS:

— The VPN connection is not established.
— The VPN connection is established. You can securely connect to resources behind the Firebox.
— The client is in the process of connecting or disconnecting. The 'W' letter in the icon pulsates.
— The client cannot connect to the server. Verify that the server IP address, user name, and password are correct. To troubleshoot further, check the client logs for Mobile VPN with SSL.

macOS (Dark Mode):

— The VPN connection is not established.
— The VPN connection is established. You can securely connect to resources behind the Firebox.
— The client is in the process of connecting or disconnecting. The 'W' letter in the icon pulsates.
— The client cannot connect to the server. Verify that the server IP address, user name, and password are correct. To troubleshoot further, check the client logs for Mobile VPN with SSL.

To see the client controls list, right-click the Mobile VPN with SSL icon in the system tray (Windows), or click the Mobile VPN with SSL icon in the menu bar (macOS). You can select from these actions:

Connect/Disconnect

Start or stop the Mobile VPN with SSL connection.

Status

See the status of the Mobile VPN with SSL connection.

View Logs