How to Set Up WatchGuard AuthPoint with a Firebox without Using a Gateway
This document describes how to set up a Firebox with local users on AuthPoint for the SSL VPN client where no local Active Directory or RADIUS server is available. Both the SSL VPN and the IKEv2 client methods are included in the guide for user flexibility.
Prerequisites:
- The Firebox needs to be on at least 12.7 Fireware firmware.
- The device is enabled for WatchGuard Cloud for local admin.
- The AuthPoint licenses are registered in the same WatchGuard account as the Firebox.
- The SSL VPN is configured on the Firebox.
- You have downloaded and installed the AuthPoint App from the relevant App store to your mobile device.
- Hardware tokens will only work with the SSL VPN clients when using local users on AuthPoint.
Set Up the Firebox via the GUI Method for SSL VPN Clients
1. Go to Authentication/Users and Groups.
2. Click on the lock at the top of the page to enable changes. Next, select Add and enter details like below, then select OK. Back on the main page, click Save.
3. Go to VPN/Mobile VPN and select Configure in the SSL section.
4. Ensure ‘Activate Mobile VPN with SSL’ is already ticked.
5. Select the Authentication tab at the top.
6. Now select AuthPoint from the dropdown on the Authentication Server and select Add.
7. Now select AuthPoint in the Authentication Server menu to highlight it and select ‘Move Up’.
8. In the Users and Groups section further down the page, tick the group created earlier, then select Save at the bottom.
That completes the setup for SSL VPN.
Set Up the Firebox via the GUI Method for IKEv2 VPN Clients
N.B. When using AuthPoint for IKEv2 clients, the only authentication methods available are Password and Push Notification.
1. Go to Mobile VPN/IKEv2/ and select Launch Wizard.
2. Select Next and then enter your FQDN or IP address and then Add, then click Next.
3. In the Authentication Servers section, select and add AuthPoint from the dropdown list, move it to the top of the list, and then click Next.
4. In the Add Users and Groups section, tick the group you created earlier and then click Next.
5. Either leave Network as default or, if it conflicts with another assigned network, amend as necessary. Then click Next.
6. Select Finish.
7. From 12.9 Fireware onwards, you can now choose to use ‘Split Tunnelling’ rather than ‘Route All’ through the IKEv2 VPN Client. To configure this, go to Mobile VPN and select Configure on the IKEv2 settings.
8. Under the Networking section, change to Specify allowed networks and add your required networks. Then, if needed, also change the DNS settings at the bottom of the page and select Save.
9. Now, navigate back to Mobile VPN, and in the IKEv2 section, click on Client Profile to download the settings to use on your device.
10. You will need to extract these using your preferred archiving tool (e.g. 7-Zip). All instructions to install the VPN are in the Readme.txt file provided in the extracted folders.
AuthPoint Portal Setup
1. Log in to your WatchGuard Cloud portal and select Configure AuthPoint.
2. Select Resources and add the Firebox as a resource then select Save.
It should now show as below:
3. Now select Groups from the left menu and add a group. NOTE: This has to be the identical name as the group set up on the Firebox earlier.
4. Next, select Users from the left menu.
5. Now select Add to add a user and select the group as below, then click Save.
N.B. Usernames are case-sensitive.
6. You should now see the user added as below. Now check your email inbox; you should have received two emails. First, in the “Set Password” email, click to create your password. Then move on to the activation email and follow the prompts on screen to activate the token and add it to the AuthPoint app on your device.
7. Once you have activated the token and set your password, you should see your user changed from Pending to showing the Token ID as below:
8. Now we need to set up an Authentication Policy. Select Authentication Policies and add a new policy, selecting the required authentication options, the group and the resource as below, then click Save.
That’s it, all done! If you now log in to your SSL VPN portal or via the client, the login will be enforced with AuthPoint multi-factor authentication.
Copyright NetThreat Ltd
By Preston Keel