How do I set up a branch office VPN tunnel with the Management Server?




Fireware How To VPN

Introduction

Using the WatchGuard Management Server, you can make fully authenticated and encrypted IPSec tunnels with a drag-and-drop or menu interface. The Management Server safely transmits IPSec VPN configuration information between Fireboxes and makes the task of creating IPSec VPN tunnels much easier.

With WatchGuard System Manager and a Management Server, you configure, manage, and monitor all WatchGuard devices across a company. You can create and manage VPN tunnels between Firebox X Peak, Firebox X Core, Firebox, Firebox III, Firebox X Edge, and Firebox SOHO devices, even if the devices have dynamic IP addresses. The remote Fireboxes connect to the Management Server when they come online and download the VPN configuration information they need to configure their end of the VPN tunnel. If you use certificates for tunnel authentication, you can configure the Management Server as a certificate authority to create certificates automatically.

Steps in creating a managed VPN

1. Set up a Management Server (and Certificate Authority if needed)
2. Add Fireboxes or Firebox X Edge or SOHO devices to the Management Server configuration
3. Make policy templates to determine which networks have access through VPN tunnels
4. Make security templates to set the encryption type and authentication type
5. Create tunnels between the devices

Is there anything I need to know before I start?

Before you create a managed branch office VPN tunnel, you must make sure you have configured a Management Server and have added the VPN endpoints to the Management Server configuration as managed devices. For more information about this procedure, see http://www.watchguard.com/support/fireware_howto/HowTo_SetupManagementServer.pdf.
Configuring a Firebox with a Dynamic IP Address as a Managed Client

To allow WatchGuard System Manager to manage a Firebox, Edge, or SOHO with a dynamic IP address, you must enable it as a managed Firebox client. There are separate instructions below to configure a Firebox III or Firebox X as a managed Firebox client, and to configure a Firebox X Edge or SOHO as a managed Firebox client. Make sure that the Management Server is configured and that you added the required devices. For more information, see http://www.watchguard.com/support/fireware_howto/howto_setupmanagementserver.pdf.

Caution: After you add a dynamically addressed Firebox to the Management Server, you must restart the Firebox so that it can connect to the Management Server to get its configuration.

Configuring a Firebox X Core or X Peak running Fireware as a managed VPN client

1. From Policy Manager, select VPN > Managed Client. The Managed Client Setup dialog box appears.
2. To set up a Firebox as a managed device, select the Enable this Firebox as a Managed Client check box.
3. In the Client Name box, type the name you want to give the Firebox.
4. To enable the managed client to send log messages to the log server, select the Enable diagnostic logs check box. (We recommend this option only to perform troubleshooting.)
5. In the Management Server address box, type the IP address of the Management Server if it has a public IP address. Or, type the public IP address of the Firebox that protects the Management Server. The Firebox protecting the Management Server automatically monitors all ports used by the Management Server and will forward any connection on these ports to the configured Management Server. The Firebox protecting the Management Server is configured to do this when you run the Management Server Setup Wizard. If you did not use the Management Server Setup Wizard on the Management Server, or if you skipped the Gateway Firebox step in the wizard, configure the gateway Firebox to forward TCP ports 4110, 4112, and 4113 to the private IP address of the Management Server.
6. In the Shared Secret box, type the shared secret.
7. Click OK.
8. Start the Firebox again. The Firebox connects to the Management Server.

Configuring a dynamic Firebox III or Firebox X Core running WFS as a managed client

1. From Policy Manager, select VPN > Managed Client.
2. Select the Enable this Firebox as a Managed Client check box.
3. In the Firebox Name field, type the name of the Firebox.
4. To log messages for the Managed Client, select the Enable diagnostic log messages for the Managed Client check box. (WatchGuard recommends this option only to do troubleshooting.)
5. To add management servers that the client can connect to, click Add.
6. Type the IP address. Type the shared secret. Click OK.
7. Start the Firebox again. The Firebox connects to the Management Server.
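The managed client only connects if the gateway Firebox in front of the Management Server really forwards TCP 4110, 4112 and 4113. The following script is an added example, not WatchGuard code, that tests those three ports from the network where a managed client sits and reports which ones do not complete a TCP handshake. The host name in it is a placeholder to replace with the Management Server's public address (or the gateway Firebox's); the loopback listener helper exists only so the check can be exercised offline.

```python
"""Added example (not WatchGuard code): check that the TCP ports a managed
Firebox client uses to reach the Management Server are open from where this
script runs. Ports 4110, 4112 and 4113 are the ones the how-to says the
gateway Firebox must forward; the target host below is a placeholder."""
import socket
import threading
from typing import Dict, Iterable, List, Tuple

# Ports named in the how-to for Management Server traffic.
MANAGEMENT_SERVER_PORTS = (4110, 4112, 4113)


def check_tcp_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, bool]:
    """Attempt a TCP connect to each port; True means the handshake completed.

    False means the SYN got no answer (filtered, or the gateway Firebox is not
    forwarding the port) or the connection was refused (nothing listening).
    """
    results: Dict[int, bool] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


def missing_ports(results: Dict[int, bool]) -> List[int]:
    """Return the ports that were not reachable, sorted, for a concise report."""
    return sorted(port for port, ok in results.items() if not ok)


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a loopback listener on an ephemeral port so the check can be run
    offline. Returns the socket and its port; close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop() -> None:
        # Accept and immediately close; the check only needs the handshake.
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def free_port() -> int:
    """Pick a loopback port with nothing listening on it (bind, read, close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Placeholder: the public IP of the Management Server, or of the gateway
    # Firebox that forwards these ports to it.
    target = "management-server.example.invalid"
    report = check_tcp_ports(target, MANAGEMENT_SERVER_PORTS)
    for port, ok in sorted(report.items()):
        print(f"{target}:{port} {'open' if ok else 'NOT reachable'}")
    if missing_ports(report):
        print("Check the gateway Firebox port forwarding for:", missing_ports(report))
```

Run it from the branch site before restarting the Firebox: a port that is reachable from the Management Server's own LAN but not from the branch almost always points at the forwarding rule on the gateway Firebox rather than at the Management Server itself.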

Configuring a Firebox X Edge as a managed client

1. To connect to the Firebox X Edge System Status page, type https:// followed by the IP address of the Edge trusted interface in the browser address bar. The default URL is https://192.168.111.1.
2. From the navigation bar, select Administration > WSM Access. The WatchGuard System Manager Access page appears.
3. Select the Enable remote management check box.
4. From the Management Type drop-down list, select WatchGuard Management System.
5. To put the Firebox X Edge under the control of WatchGuard System Manager centralized Edge management, select the Use Centralized Management check box. Do not select the Use Centralized Management check box if you are using WatchGuard System Manager only to manage VPN tunnels. When the Firebox X Edge is under centralized management, access to the Firebox X Edge configuration pages is set to read-only. The only exception is access to the WSM Access configuration page. If you disable the remote management feature, you get read-write access to the Firebox X Edge configuration pages again.
6. Type a status passphrase for your Firebox X Edge and then type it again to confirm it in the correct fields.
7. Type a configuration passphrase for your Firebox X Edge and then type it again to confirm it in the correct fields. Caution: These passphrases must match the passphrases you use when you add the device to WatchGuard System Manager, or the connection will fail.
8. In the Management Server Address text box, type the IP address of the Management Server if it has a public IP address. If the Management Server has a private IP address, type the public IP address of the Firebox protecting the Management Server. The Firebox protecting the Management Server automatically monitors all ports used by the Management Server and will forward any connection on these ports to the configured Management Server. No special configuration is necessary for this to occur.
9. Type the Client Name to give your Firebox X Edge. This is the name used to identify the Edge in the Management Server.
10. Type the Shared Key. The shared key is used to encrypt the connection between the Management Server and the Firebox X Edge. This shared key must be the same on the Edge and the Management Server. You must get the shared key from your VPN administrator.
11. Click Submit.
12. Start the Firebox again. The Firebox connects to the Management Server.

Configuring a dynamic Firebox SOHO6 as a managed client

1. Start your web browser. Type the IP address of the SOHO6.
2. If the SOHO6 requires a login and passphrase, type the login and passphrase.

3. Below Administration, click VPN Manager Access. The VPN Manager Access page appears.
4. Select the Enable VPN Manager Access check box.
5. Type the status passphrase for VPN Manager access. Type the status passphrase again to confirm the passphrase.
6. Type the configuration passphrase for VPN Manager access. Type the configuration passphrase again to confirm the passphrase.
7. Click Submit. The SOHO6 device is configured for management by the Management Server.
8. Start the Firebox again. The Firebox connects to the Management Server.

Adding Policy Templates

For a VPN, you can configure (and limit) the networks that have access through the tunnel. You can make a VPN between two hosts or between more networks. To configure the networks that are available through a given VPN device, you make policy templates. By default, WatchGuard System Manager (WSM) adds and applies a network policy template that gives access to the network behind the VPN device, if the device has a static IP address.

Get the current templates from a device

Before you add more policy templates, get the current templates from the device. This is most important for dynamic devices, because the Firebox automatically adds a network policy template only for static devices. Before you update a device, make sure that it is configured as a managed Firebox client.

1. In WatchGuard System Manager on the Device Management tab, select a managed client, and then select Edit > Update Device. The Update Device dialog box appears.
2. Select the Download Trusted and Optional Network Policies check box.
3. Click OK.

Make a new policy template

To make a policy template, on the Device Management tab:

1. Select the device for which you want to configure a policy template.

2. Right-click and select Insert VPN Resource, or click the Insert VPN Resource icon. The VPN Resource dialog box for that device appears.
3. In the Policy Name box, type the policy name you want.
4. Add, edit, or delete resources from the tunnel policy. Click Add to add an IP address or a network address to the tunnel policy. Click Edit to edit a resource that you have selected in the list. Select a resource in the Resources list and click Remove to delete a resource.
5. Click OK. The policy template is configured and is available in the VPN configuration area.

Adding resources to a policy template

1. From the VPN Resource dialog box, click Add. The Resource dialog box appears.
2. From the Allow to/from drop-down list, select the resource type, and then type the IP address or network address in the adjacent address box.
3. Click OK.

Adding Security Templates

A security template sets the encryption type and authentication type for a tunnel. Default security templates are supplied for the available encryption types. You can also make new templates. Security templates make it easy to set the encryption type and authentication type for the tunnel from the Configuration Wizard.

To make a security template, on the Device Management tab:

1. Right-click in the window and select Insert Security Template, or click the Insert Security Template icon. The Security Template dialog box appears.

2. In the Template Name box, type the template name you want to use. From the Authentication and Encryption drop-down lists, select the authentication method and encryption method.
3. To set an expiration for a key, select the Force key expiration check box, and then select the kilobytes or hours until the expiration. If you give both values, the key expires at whichever event comes first. The security template is configured. You can select it in the VPN Wizard when you make a VPN tunnel with that device.
4. Click OK.

Making Tunnels Between Devices

You can configure a tunnel with the drag-and-drop procedure or with the Add VPN wizard.

Using the drag-and-drop procedure

Before you can use the drag-and-drop tunnel procedure, dynamic Fireboxes and Firebox X Edge or SOHO devices must already have their networks configured. You must also get the policies from any new dynamic devices before you configure drag-and-drop tunnels. On the Device Management tab:

1. On one of the tunnel endpoints, click the device name. Drag and drop the name onto the device name at the other tunnel endpoint. The Add VPN wizard starts.
2. Click Next.
3. The gateway devices screen shows the two endpoint devices you selected with drag-and-drop, and the policy templates that the tunnel uses. If the endpoints are not shown, select them on this screen.
4. From the drop-down list, select a policy template for each device. The policy template configures the resources available through the tunnel. Resources can be a network or a host. The drop-down list shows the policy templates that you added to WatchGuard System Manager.
5. Click Next. The wizard shows the Security Policy dialog box.
6. Select the security template applicable for the type of security and type of authentication to use for this tunnel. The list shows the templates you added to the Management Server.
7. Click Next. The wizard shows the configuration.
8. Select the Restart devices now to download VPN configuration check box. Click Finish to start the devices again and deploy the VPN tunnel.

Using the Add VPN wizard without drag-and-drop

To create tunnels using the Add VPN wizard without drag-and-drop:

1. From the Device Management tab, select Edit > Create a new VPN, or click the Create New VPN icon. This starts the Add VPN wizard.
2. Click Next. The wizard shows two lists that each show all the devices registered in the Management Server.

3. Select a device from each list box to be the endpoints of the tunnel you make.
4. Select the policy templates for each device's end of the tunnel. The list shows the templates added to the Management Server.
5. Click Next. The wizard shows the Security Template dialog box.
6. Select the applicable security template for this VPN and click Next. The wizard shows the configuration.
7. Select the Restart devices now to download VPN configuration check box. Click Finish to start the devices again and deploy the VPN tunnel.

Frequently Asked Questions About This Procedure

Can I restrict the traffic through the managed VPN tunnel to allow only specified ports?

No. The Management Server automatically adds an Any service to the configuration of a Firebox III or Firebox X using WFS appliance software. It automatically adds an Any policy to the configuration of a Firebox X running Fireware appliance software. You cannot delete the Any service or policy when you use managed VPN tunnels. The Firebox X Edge and Firebox SOHO6 have a hidden policy that opens all ports through a managed VPN tunnel. You cannot change this hidden policy. If you want to restrict the ports that are open in a VPN tunnel, you must use a manual IPSec branch office VPN tunnel instead of a managed BOVPN tunnel.

SUPPORT: www.watchguard.com/support, support@watchguard.com, U.S. and Canada +877.232.3531
COPYRIGHT 2006 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, and Core are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.
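The policy templates, security templates and tunnel definition above are GUI objects, which makes it easy to lose track of what a tunnel will actually carry. The following Python model is an added example, not WatchGuard code: it represents a policy template as a list of host and network resources (validated the way the Resource dialog expects an IP or network address), a security template with the "whichever comes first" key-expiration rule, and a managed tunnel whose selectors are every local resource paired with every remote one, all ports allowed as the FAQ states. The overlap check is an added practitioner check that the how-to does not describe; the device names, template names, authentication and encryption labels, and addresses are constructed sample values, except the Edge default trusted network, which follows from the https://192.168.111.1 default given earlier.

```python
"""Added example (not WatchGuard code): a small model of the objects the how-to
has you create in WatchGuard System Manager (policy template, security template,
managed tunnel). Names, addresses and template labels are constructed samples."""
from dataclasses import dataclass, field
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class PolicyTemplate:
    """The resources (hosts and networks) reachable through a tunnel endpoint."""
    name: str
    resources: List[Network] = field(default_factory=list)

    def add_resource(self, address: str) -> None:
        """Accept a host ('10.0.1.5') or a network ('10.0.1.0/24'), as the Resource
        dialog does; anything else raises ValueError. strict=False normalises a
        network string with host bits set instead of rejecting it."""
        self.resources.append(ipaddress.ip_network(address, strict=False))


@dataclass
class SecurityTemplate:
    """Authentication, encryption and the Force key expiration limits."""
    name: str
    authentication: str
    encryption: str
    expire_kilobytes: Optional[int] = None  # expire by traffic volume
    expire_hours: Optional[int] = None      # expire by elapsed time

    def key_expired(self, kilobytes_used: int, hours_elapsed: float) -> bool:
        """With two limits set, the key expires at whichever event comes first."""
        by_traffic = self.expire_kilobytes is not None and kilobytes_used >= self.expire_kilobytes
        by_time = self.expire_hours is not None and hours_elapsed >= self.expire_hours
        return by_traffic or by_time


@dataclass
class ManagedTunnel:
    device_a: str
    policy_a: PolicyTemplate
    device_b: str
    policy_b: PolicyTemplate
    security: SecurityTemplate

    def selectors(self) -> List[Tuple[Network, Network]]:
        """Each local resource paired with each remote resource: the traffic the
        tunnel carries. Per the FAQ, every port is allowed on each pair."""
        return [(a, b) for a in self.policy_a.resources for b in self.policy_b.resources]

    def overlapping_resources(self) -> List[Tuple[Network, Network]]:
        """Added check (not in the how-to): pairs whose address ranges overlap.
        Traffic to such addresses is ambiguous (local or via the tunnel?), so
        flag it before the devices restart and deploy the configuration."""
        return [(a, b) for a, b in self.selectors()
                if a.version == b.version and a.overlaps(b)]

    def validate(self) -> List[str]:
        """Problems to fix before clicking Finish in the Add VPN wizard."""
        problems: List[str] = []
        if not self.policy_a.resources or not self.policy_b.resources:
            problems.append("each endpoint needs at least one resource")
        for a, b in self.overlapping_resources():
            problems.append(f"{self.device_a} {a} overlaps {self.device_b} {b}")
        return problems


def sample_tunnel(branch_net: str = "192.168.111.0/24") -> ManagedTunnel:
    """Constructed sample: a static head-office Firebox to a dynamic branch Edge.
    The default branch network is the Edge default trusted network (192.168.111.1)."""
    head = PolicyTemplate("HQ-Trusted")
    head.add_resource("192.168.10.0/24")        # constructed sample address
    branch = PolicyTemplate("Branch-Trusted")
    branch.add_resource(branch_net)
    sec = SecurityTemplate("Strong-Sample", authentication="sample-auth",
                           encryption="sample-enc", expire_kilobytes=128000, expire_hours=8)
    return ManagedTunnel("HQ-Firebox", head, "Branch-Edge", branch, sec)


if __name__ == "__main__":
    t = sample_tunnel()
    print(t.validate() or "tunnel definition OK")
    print("selectors:", t.selectors())
    print("key expired after 5 h and 200000 KB:", t.security.key_expired(200000, 5))
```

The value of the model is the two checks: an overlapping pair means the branch was left on the same subnet as head office (a common state for a freshly unboxed Edge), and the expiration rule makes explicit that a low kilobyte limit, not the hour limit, governs rekeying on a busy tunnel.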
