WatchGuard Technologies FireboxTM System 4.6 User Manual


7. If you are using a backup server, enable the Specify backup SecurID server checkbox. Enter the IP address and port number for the backup server.

8. Click OK.

Using authentication to define remote user VPN access

WatchGuard uses two built-in Firebox groups to identify currently active remote user virtual private network users:

- pptp_users – Names authorized to use Remote User VPN with PPTP. For more information, see “Adding remote access users” on page 134.

- ipsec_users – Names authorized to use Mobile User VPN with IPSec.

When a user successfully connects to the Firebox using Remote User VPN,
WatchGuard automatically adds the assigned IP address to one of these built-in
aliases (depending on the VPN method). When the user shuts down the VPN session,
WatchGuard automatically removes the address associated with that user from the
alias.

When a Remote User VPN connection is made to the Firebox, WatchGuard checks the
client’s username and password against the Firebox domain. For this reason, Remote
User VPN users must have an account in the Firebox domain and must be a member
of the appropriate VPN group for access, regardless of any other authentication
scheme in use.

When users authenticate using their account in the Firebox domain, WatchGuard
automatically adds their IP address to all Firebox domain groups of which they are a
member, including pptp_users or ipsec_users.

By default, Remote User VPN users (or any users) have no access privileges through a
Firebox. To allow Remote User VPN users to access machines on the Trusted
network, you must add their usernames (or the group alias) to service icons in the
Services Arena.

A typical use of built-in groups is to allow incoming connections to certain Trusted
servers from the pptp_users or ipsec_users group members. This is an easy way to
provide outside access to critical machines inside your network, without
compromising general security.

Example: Configuring a service for Remote User VPN

To allow outgoing Telnet but only allow incoming Telnet if the request comes from a Remote User VPN user, follow this procedure from Policy Manager:

1. Add a Telnet icon to the Services Arena if one does not already exist. For information on how to add services, see “Adding an existing service” on page 47.

2. Configure the Outgoing tab to allow from Any to Any.

3. Configure the Incoming tab to allow from pptp_users to Any.

4. Click OK.
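The behaviour described above, the built-in aliases being populated and emptied by VPN session events, the default-deny posture, and the Telnet service configured with Outgoing Any to Any and Incoming pptp_users to Any, can be modelled in a few lines. The following is an added illustration written for this page, not WatchGuard code and not how the Firebox implements it internally; the `AliasTable`, `Rule` and `evaluate` names, the rule representation, and the sample addresses (a constructed pool address 192.168.254.10 for the VPN client, 203.0.113.5 for an outside host, 10.0.1.20 for a Trusted server) are all assumptions made for the example.

```python
"""Model of Firebox-style dynamic VPN aliases and a default-deny service rule.

Added example, not WatchGuard's implementation. It models only what the
manual text states: the two built-in aliases gain an address when a
Remote User VPN session comes up and lose it when the session ends, and a
service allows traffic only where an Incoming/Outgoing rule names a source
alias the client address currently belongs to.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Set

# VPN method -> built-in alias that receives the client's assigned address.
METHOD_TO_ALIAS = {"pptp": "pptp_users", "ipsec": "ipsec_users"}


@dataclass
class AliasTable:
    """Group aliases keyed by name. A value of None means the wildcard 'Any'."""
    aliases: Dict[str, Optional[Set]] = field(default_factory=lambda: {
        "Any": None,
        "pptp_users": set(),
        "ipsec_users": set(),
    })

    def vpn_connect(self, method: str, assigned_ip: str) -> None:
        """Session established: the assigned address joins the method's alias."""
        self.aliases[METHOD_TO_ALIAS[method]].add(ip_address(assigned_ip))

    def vpn_disconnect(self, method: str, assigned_ip: str) -> None:
        """Session torn down: membership is removed immediately."""
        self.aliases[METHOD_TO_ALIAS[method]].discard(ip_address(assigned_ip))

    def contains(self, alias: str, ip: str) -> bool:
        """Fail closed: an alias that does not exist never matches."""
        if alias not in self.aliases:
            return False
        members = self.aliases[alias]
        return members is None or ip_address(ip) in members


@dataclass
class Rule:
    service: str    # e.g. "telnet"
    direction: str  # "incoming" or "outgoing"
    src: str        # source alias
    dst: str        # destination alias


def evaluate(rules: List[Rule], table: AliasTable, service: str,
             direction: str, src_ip: str, dst_ip: str) -> str:
    """Default deny: traffic is allowed only if some rule matches it."""
    for r in rules:
        if (r.service == service and r.direction == direction
                and table.contains(r.src, src_ip)
                and table.contains(r.dst, dst_ip)):
            return "allow"
    return "deny"


def telnet_policy() -> List[Rule]:
    """The example service from the manual: Outgoing Any->Any, Incoming pptp_users->Any."""
    return [Rule("telnet", "outgoing", "Any", "Any"),
            Rule("telnet", "incoming", "pptp_users", "Any")]


def demo() -> Dict[str, str]:
    """Walk one PPTP and one IPSec session through the policy; returns verdicts."""
    rules, table = telnet_policy(), AliasTable()
    outside, trusted = "203.0.113.5", "10.0.1.20"     # constructed sample hosts
    pptp_client, ipsec_client = "192.168.254.10", "192.168.254.11"  # constructed pool addresses
    out = {}
    out["outside_before"] = evaluate(rules, table, "telnet", "incoming", outside, trusted)
    table.vpn_connect("pptp", pptp_client)
    table.vpn_connect("ipsec", ipsec_client)
    out["pptp_connected"] = evaluate(rules, table, "telnet", "incoming", pptp_client, trusted)
    # Only pptp_users is named on the Incoming tab, so an IPSec user is still denied.
    out["ipsec_connected"] = evaluate(rules, table, "telnet", "incoming", ipsec_client, trusted)
    # No SSH service icon exists, so default deny applies even to a VPN member.
    out["pptp_ssh"] = evaluate(rules, table, "ssh", "incoming", pptp_client, trusted)
    out["trusted_outgoing"] = evaluate(rules, table, "telnet", "outgoing", trusted, outside)
    table.vpn_disconnect("pptp", pptp_client)
    out["pptp_after_disconnect"] = evaluate(rules, table, "telnet", "incoming", pptp_client, trusted)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

The point the model makes explicit is that membership is tied to the live session, not to the address: once the session ends the same address is denied again, and a user who connected by a method other than the one named on the Incoming tab gets no access even though they authenticated successfully.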
