Watchguard For Mac Client

  



IPSec Mobile VPN Premium client powered by NCP Technology

I'm struggling to make the SSL VPN client work on a Mac. It's working for Windows users but I cannot get the connection to complete on a Mac. It just says it is connecting but never finishes. I'm on Fireware 12.5.2 (B606155) in an HA cluster. I've installed macOS client 12.5.2 (606431). I'm signed onto the Mac as an Administrator account.

Includes support for two-factor authentication, pre-login to Windows domains, FIPS 140-2 conformant IPsec algorithms, and a secure personal firewall
#WG019884
Our Price: $85.00
#WG019972
Our Price: $765.00
#WG019971
Our Price: $3,400.00
#WG019961
Our Price: $85.00
#WG019974
Our Price: $765.00
#WG019973
Our Price: $3,400.00

Overview:

Mobile VPN:


Secure connectivity to corporate headquarters is essential if your remote employees are going to achieve maximum productivity. Virtual Private Networks (VPNs) add a layer of security to private and public networks, allowing individuals and organizations to send and receive data safely over the Internet. A VPN creates secure connections between computers or networks in different locations back to the corporate network. Organizations rely on a VPN to offer secure connectivity to remote locations and users. Operating at the network layer, a client-based VPN provides users access to the entire network.

WatchGuard offers three choices for client-based VPN connectivity:

  • IPSec VPN client - A full-featured VPN client, powered by NCP, compatible with all versions of Fireware. Supports all WatchGuard Mobile VPNs with IPSec configuration settings.
  • Mobile VPN with IKEv2 - Mobile VPN with IKEv2 uses IPSec to provide superior encryption and authentication. Supports connections from a wide range of operating systems.
  • Mobile VPN with SSL - Mobile VPN with SSL uses Transport Layer Security (TLS) to secure connections between a remote computer and your protected network.

Features & Benefits:

While many VPN options are available on the market, not all offer the same level of protection and flexibility. The WatchGuard IPSec VPN Client is a premium service that gives both the organization and its remote employees a higher level of protection and a better VPN experience. Compatible with Windows and Mac OS X, the IPSec VPN is the ideal solution for employees who frequently work remotely or require remote access to sensitive resources.

  • Two-Factor Authentication – Fully compatible with WatchGuard AuthPoint, the IPSec VPN client adds another layer of security by requiring two types of credentials without the need for specialized hardware. Integration with other leading MFA vendors is also supported.
  • Always On – VPN client will reconnect automatically should a connection drop. Even when the user’s device goes to sleep, it will reconnect to the VPN once it’s back on.
  • Windows Pre-Logon – Users can log on to a Windows domain even if they are not in the network. For easy access, Windows and VPN login credentials can be configured to be the same.
  • Seamless Roaming – Users can change from one Internet communication medium (LAN/WLAN/3G/4G) to another without dropping the VPN connection. For example, connect with Wi-Fi at a coffee shop, then switch to an Ethernet connection at work, then switch to your Wi-Fi at home. The VPN connection does not drop.
  • Integrated Personal Firewall – Our Friendly Net Detection feature recognizes whether a network is secure or not and then applies the appropriate firewall settings. This is especially useful in businesses like retail stores and mall kiosks that want to offer their customers a specific application.

Features | IKEv2 | Mobile VPN with SSL | IPSec VPN Client
Windows 8.1, 10
Android*
Mac OS
iOS**
Cryptographic security | Best | Good | Better
Windows Pre-logon
Split Tunneling*
IPSec Port access required | Yes | HTTPS only | Yes
MFA, including AuthPoint
Seamless 4G Roaming
Integrated Personal Firewall
Customer Branding Option
Speed | Excellent | Good | Excellent
*Must be managed client side
**Requires OpenVPN client for SSL

Documentation:

Download the WatchGuard VPN Client Feature Brief (PDF).

Pricing Notes:

  • Pricing and product availability subject to change without notice.

Apple iOS devices (iPhone, iPad, and iPod Touch) and macOS 10.6 and higher devices include a native Cisco IPSec VPN client. You can use this client to make an IPSec VPN connection to a Firebox. To use the native IPSec VPN client to make a connection to your Firebox, you must configure the VPN settings on your Firebox to match those on the iOS or macOS device.

For IPSec VPN connections from a macOS device, you can also use the WatchGuard IPSec VPN Client for macOS. For more information, see Install the IPSec Mobile VPN Client Software.

Supported Phase 1 and 2 Settings

For devices with iOS 9.3 and higher or macOS 10.11.4 and higher, these combinations of Phase 1 and 2 settings are supported.

If Diffie-Hellman Group 14 is selected in the Phase 1 settings:

  • Phase 1 Authentication — MD5, SHA1, SHA2-256, SHA2-512
  • Phase 1 Encryption — AES256
  • Phase 2 Authentication — MD5, SHA1
  • Phase 2 Encryption — 3DES, AES128, AES256
  • Perfect Forward Secrecy — No

If Diffie-Hellman Group 2 is selected in the Phase 1 settings:

  • Phase 1 Authentication — MD5, SHA1
  • Phase 1 Encryption — DES, 3DES, AES128, AES256
  • Phase 2 Authentication — SHA1, MD5
  • Phase 2 Encryption — 3DES, AES128, AES256
  • Phase 2 PFS — No

For devices with versions of iOS lower than 9.3, these Phase 1 and 2 settings are supported.

  • Diffie-Hellman Group 2
  • Phase 1 Authentication — MD5, SHA1
  • Phase 1 Encryption — DES, 3DES, AES128, AES256
  • Phase 2 Authentication — MD5, SHA1
  • Phase 2 Encryption — 3DES, AES128, AES256
  • Phase 2 PFS — No

Diffie-Hellman Group 5 is not supported on Apple devices for aggressive mode. Mobile VPN with IPSec only supports aggressive mode.
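The compatibility lists above can be turned into a check to run before deploying a profile. This is an added example, not WatchGuard code: the profile field names are hypothetical, the sample profiles are constructed, and the legacy-algorithm warnings are an assumption drawn from general cryptographic guidance rather than from this page.

```python
# Added example: lint a Mobile VPN with IPSec profile against the settings
# listed above for the native macOS/iOS client. The dict field names are
# hypothetical; this is not a Fireware configuration format.

FIELDS = ("p1_auth", "p1_enc", "p2_auth", "p2_enc")

# Supported values for iOS 9.3+ / macOS 10.11.4+, keyed by Phase 1 DH group.
SUPPORTED = {
    14: {"p1_auth": {"MD5", "SHA1", "SHA2-256", "SHA2-512"},
         "p1_enc": {"AES256"},
         "p2_auth": {"MD5", "SHA1"},
         "p2_enc": {"3DES", "AES128", "AES256"}},
    2: {"p1_auth": {"MD5", "SHA1"},
        "p1_enc": {"DES", "3DES", "AES128", "AES256"},
        "p2_auth": {"MD5", "SHA1"},
        "p2_enc": {"3DES", "AES128", "AES256"}},
}

# Assumption (not from the page): algorithms and groups treated as legacy.
LEGACY_ALGS = {"MD5", "DES", "3DES"}
LEGACY_GROUPS = {2}


def check_profile(p, ios_below_9_3=False):
    """Return (errors, warnings) for one profile dict."""
    errors, warnings = [], []
    # iOS releases lower than 9.3 support Diffie-Hellman Group 2 only.
    groups = {2: SUPPORTED[2]} if ios_below_9_3 else SUPPORTED
    group = p["dh_group"]
    allowed = groups.get(group)
    if allowed is None:
        errors.append(f"dh_group={group}: client supports only {sorted(groups)}")
    else:
        for f in FIELDS:
            if p[f] not in allowed[f]:
                errors.append(f"{f}={p[f]}: not supported with DH group {group}")
    if p["pfs"]:
        errors.append("pfs: clear the PFS check box")
    if not p["all_traffic_through_tunnel"]:
        errors.append("all_traffic_through_tunnel: client cannot split tunnel")
    if p["p2_expire_hours"] != 1 or p["p2_expire_traffic"]:
        errors.append("phase 2 key expiration: Time 1 hour, Traffic cleared")
    if p["sa_life_hours"] not in (1, 8):
        warnings.append("sa_life_hours: use 1 (Apple only) or 8 (all clients)")
    for f in FIELDS:
        if p[f] in LEGACY_ALGS:
            warnings.append(f"{f}={p[f]}: legacy algorithm")
    if group in LEGACY_GROUPS:
        warnings.append(f"dh_group={group}: prefer group 14 where supported")
    return errors, warnings


# Constructed sample profiles.
GOOD = {"dh_group": 14, "p1_auth": "SHA2-256", "p1_enc": "AES256",
        "p2_auth": "SHA1", "p2_enc": "AES256", "pfs": False,
        "all_traffic_through_tunnel": True, "sa_life_hours": 1,
        "p2_expire_hours": 1, "p2_expire_traffic": False}
SHA2_PHASE2 = dict(GOOD, p2_auth="SHA2-256")
GROUP5_PFS = dict(GOOD, dh_group=5, pfs=True)
WEAK = dict(GOOD, dh_group=2, p1_auth="MD5", p1_enc="DES", p2_enc="3DES")

if __name__ == "__main__":
    for name in ("GOOD", "SHA2_PHASE2", "GROUP5_PFS", "WEAK"):
        errs, warns = check_profile(globals()[name])
        print(name, "errors:", errs, "warnings:", warns)
```

A profile can pass the compatibility check and still draw warnings: every Group 2 combination the client accepts relies on a 1024-bit key exchange, so Group 14 with AES256 is the strongest pairing the lists allow.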

Configure the Firebox

Many of the VPN tunnel configuration settings in the VPN client on the macOS or iOS device are not configurable by the user. It is very important to configure the settings on your Firebox to match the settings required by the VPN client on the macOS or iOS device.

To configure the Firebox, from Fireware Web UI:
  1. (Fireware v12.3 or higher) Select VPN > Mobile VPN.
  2. In the IPSec section, select Configure.
    The Mobile VPN with IPSec page appears.
  3. (Fireware v12.2.1 or lower) Select VPN > Mobile VPN with IPSec.
    The Mobile VPN with IPSec page appears.
  4. Click Add.
    The Mobile VPN with IPSec Settings page appears.
  5. In the Name text box, type the name of the authentication group your macOS or iOS VPN users belong to.

You can type the name of an existing group, or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and VPN tunnel names.

  6. From the Authentication Server drop-down list, select an authentication server.

You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you select is enabled.

If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.

  7. Type and confirm the Passphrase to use for this tunnel.
  8. In the Firebox IP Addresses section, type the primary external IP address or domain name to which Mobile VPN users in this group can connect.
  9. Select the IPSec Tunnel tab.
    The IPSec Tunnel settings appear.
  10. Select Use the passphrase of the end user profile as the pre-shared key.
    This is the default setting.
  11. From the Authentication drop-down list, select an authentication method.
  12. From the Encryption drop-down list, select an encryption method.
  13. In the Phase 1 Settings section, click Advanced.
    The Phase 1 Advanced Settings appear.
  14. Set the SA Life to 1 hour.

The VPN client on the macOS or iOS device is configured to rekey after 1 hour. If this profile is only used for connections by VPN clients on macOS or iOS devices, set the SA Life to 1 hour to match the client setting.

To use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, WatchGuard IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the macOS or iOS device uses the smaller rekey value of 1 hour.

  15. From the Key Group drop-down list, select Diffie-Hellman Group 14 or Diffie-Hellman Group 2.
  16. Do not change any of the other Phase 1 advanced settings.
  17. Click OK.
  18. In the Phase 2 Settings section, clear the PFS check box.
  19. In the Phase 2 Settings section, click Advanced.
    The Phase 2 Advanced settings appear.
  20. From the Authentication drop-down list, select SHA1.
    SHA2 is not supported for Phase 2 for Mobile VPN with IPSec connections from macOS and iOS devices.
  21. From the Encryption drop-down list, select an encryption method.
  22. In the Force Key Expiration settings, set the expiration Time to 1 hour.
  23. In the Force Key Expiration settings, clear the Traffic check box.
  24. Click OK.
  25. Select the Resources tab.
  26. Select the Allow All Traffic Through Tunnel check box.
    This configures the tunnel for default-route VPN. The VPN client on the macOS or iOS device does not support split tunneling.
  27. In the Virtual IP Address Pool list, add the internal IP addresses that are used by Mobile VPN users over the tunnel.
    To add an IP address or a network IP address to the virtual IP address pool, select Host IP or Network IP, type the address, and click Add.

The number of IP addresses should be the same as the number of Mobile VPN users. The virtual IP addresses do not need to be on the same subnet as the trusted network. If FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.

The IP addresses in the virtual IP address pool cannot be used for anything else on your network.

  28. Select the Advanced tab.
  29. (Fireware v12.2.1 or higher) Configure the DNS settings:

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53 in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53 as a DNS server.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, clients do not receive DNS or WINS settings from the Firebox.

Assign these settings to mobile clients

If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.

You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.

For more information about DNS and WINS server settings for Mobile VPN with IPSec users, see Configure DNS and WINS Servers for Mobile VPN with IPSec.

  30. Click Save.

Make sure that you add all VPN users to the authentication group you selected.

For information about how to add users to a Firebox user group, see Define a New User for Firebox Authentication.

To configure the Firebox, from Policy Manager:

First, use the Mobile VPN with IPSec Wizard to configure the basic settings:

  1. Select VPN > Mobile VPN > IPSec.
    The Mobile VPN with IPSec Configuration dialog box appears.
  2. Click Add.
    The Add Mobile VPN with IPSec Wizard appears.
  3. Click Next.
    The Select a user authentication server page appears.
  4. From the Authentication Server drop-down list, select an authentication server.

You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you select is enabled.

  5. In the Group Name text box, type the name of the authentication group your macOS or iOS device users belong to.

You can type the name of a Mobile VPN group you have already created, or type a group name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and tunnel names.

If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.

  6. Click Next.
    The Select a tunnel authentication method page appears.
  7. Select Use this passphrase. Type and confirm the passphrase.
  8. Click Next.
    The Direct the flow of Internet traffic page appears.
  9. Select Yes, force all Internet traffic to flow through the tunnel.
    This configures the tunnel for default-route VPN. The VPN client on the macOS or iOS device does not support split tunneling.
  10. Click Next.
    The Identify the resources accessible through the tunnel page appears.

For a default-route VPN configuration, the configuration automatically allows access to all network IP addresses and the Any-External alias.

  11. Click Next.
    The Create the virtual IP address pool page appears.
  12. To add one IP address or an IP address range, click Add.
    To add more virtual IP addresses, repeat this step.

Mobile VPN users are assigned an IP address from the virtual IP address pool when they connect to your network. The number of IP addresses in the virtual IP address pool should be the same as the number of Mobile VPN users. If a FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.

The virtual IP addresses must be on a different subnet than the local networks. The virtual IP addresses cannot be used for anything else on your network.

  13. Click Next.
  14. To add users to the new Mobile VPN with IPSec group, select the Add users check box.
  15. Click Finish.
    The Mobile VPN configuration you created appears in the Mobile VPN with IPSec Configuration dialog box.

Next, you must edit the VPN Phase 1 and Phase 2 settings to match the settings for the VPN client on the macOS or iOS device.

  1. In the Mobile VPN with IPSec Configuration dialog box, select the configuration you just added.
  2. Click Edit.
    The Edit Mobile VPN with IPSec dialog box appears.
  3. Select the IPsec Tunnel tab.
  4. From the Authentication drop-down list, select an authentication method.
  5. From the Encryption drop-down list, select an encryption method.
  6. Click the Advanced button in the Phase 1 Settings section.
    The Phase1 Advanced Settings dialog box appears.
  7. Set the SA Life to 1 hour.

The VPN client on the macOS or iOS device is configured to rekey after 1 hour. If this profile is only used for connections by VPN clients on macOS or iOS devices, set the SA Life to 1 hour to match the client setting.

To use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, WatchGuard IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the macOS or iOS device uses the smaller rekey value of 1 hour.

  8. From the Key Group drop-down list, select Diffie-Hellman Group 14 or Diffie-Hellman Group 2.
  9. Do not change any of the other Phase 1 Advanced Settings.
  10. Click OK.
  11. In the Phase 2 Settings section, click Proposal.
  12. From the Authentication drop-down list, select MD5 or SHA1.
    SHA2 is not supported for Phase 2 for Mobile VPN with IPSec connections from macOS and iOS devices.
  13. From the Encryption drop-down list, select an encryption method.
  14. Set the Force Key Expiration to 1 hour and 0 kilobytes.
  15. In the Force Key Expiration settings, set the expiration Time to 1 hour.
  16. In the Force Key Expiration settings, clear the Traffic check box.
  17. Click OK.
  18. In the Edit Mobile VPN with IPSec dialog box, clear the PFS check box.
    Perfect Forward Secrecy is not supported by the VPN client on the iOS device.
  19. Click the Advanced tab.
  20. (Fireware v12.2.1 or higher) Configure the DNS settings:

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53 in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53 as a DNS server.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, clients do not receive DNS or WINS settings from the Firebox.

Assign these settings to mobile clients

If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.

You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.

For more information about DNS and WINS server settings for Mobile VPN with IPSec users, see Configure DNS and WINS Servers for Mobile VPN with IPSec.

  21. Click OK.
  22. Save the configuration file to your Firebox.


Make sure that the macOS or iOS users are members of the authentication group you selected.

Next, you add the settings you configured on your Firebox to the VPN client settings on the macOS or iOS device.

Configure the VPN Client on an iOS Device

To manually configure the VPN client settings on the iOS device:

  1. Select Settings > General > VPN > Add VPN Configuration.
  2. Configure these settings in the VPN client:
    • Type — IPSec
    • Server — The external IP address of the Firebox
    • Account — The user name on the authentication server
      Specify the user name only. Do not preface the user name with a domain name and do not specify an email address.
    • Password — The password for the user on the authentication server
    • Use Certificate — Set this option to OFF
    • Group Name — The group name you chose in the Firebox Mobile VPN with IPSec configuration
    • Secret — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration

After you add the VPN configuration, a VPN switch appears in the Settings menu on the iOS device.

To enable or disable the VPN client, click the VPN switch. When a VPN connection is established, the VPN icon appears in the status bar.

The VPN client on the iOS device stays connected to the VPN only while the iOS device is in use. If the iOS device locks itself, the VPN client might disconnect. Users can manually reconnect their VPN clients. If users save their passwords, they do not have to retype the password each time the VPN client reconnects. If users do not save their passwords, they must type the password each time the client reconnects.

The WatchGuard Mobile VPN app for iOS is no longer available in the Apple Store.

Configure the VPN Client on a macOS Device

The Firebox does not generate a client configuration file for the VPN client on the macOS device. The user must manually configure the VPN client settings to match the settings configured on the Firebox.

To configure the VPN settings on the macOS device:

  1. Open System Preferences and select Network.
  2. Click + at the bottom of the list to add a new interface. Configure these settings:
    • Interface — VPN
    • VPN Type — Cisco IPSec
    • Service Name — Type the name to use for this connection
  3. Click Create.
    The new VPN interface appears in the list of network interfaces.
  4. Select the new interface in the list. Edit these settings:
    • Server Address — The external IP address of the Firebox
    • Account Name — The user name on the authentication server
      Specify the user name only. Do not preface the user name with a domain name and do not specify an email address.
    • Password — The password for the user on the authentication server
  5. Click Authentication Settings. Configure these settings:
    • Shared Secret — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration
    • Group Name — The group name you chose in the Firebox Mobile VPN with IPSec configuration
  6. To add the VPN status icon to the macOS menu bar, select the Show VPN status in menu bar check box.
  7. Click Connect to start the VPN tunnel.

After you apply these settings, a VPN status icon appears in the menu bar of the macOS device.

To start or stop the VPN client connection, click the VPN status icon.
