Wednesday, January 3, 2018

WatchGuard FireBox Phone VPN Configuration

We recently migrated from a very old Cisco ASA firewall to a couple of WatchGuard FireBox M200 devices.  So far my assessment is that they are very capable devices with lots of features, but inadequately documented and the company has poor support.

Part of my negative experience in regards to support may be from buying through a third party re-seller.  WatchGuard does not want to talk to you directly, they want to talk to your re-seller.

Most of the configuration and setup went fairly smoothly.  Due to poor documentation there were some gotchas when setting up Active Directory authentication with regard to case sensitivity.  The little documentation WatchGuard does have is well formatted and reads nicely.  Unfortunately, because there is so little of it, you end up trying to reference the wrong documentation to fill in the blanks left by the missing documentation.  Many companies try to fill this gap by providing help forums that they monitor and respond to questions on, which then fills in all the missing information.  WatchGuard seems to be missing a good implementation of this, and they do not seem to respond when people reach out to them.

You can see a perfect example of all of WatchGuard's issues by looking at their Android VPN app in the Google Play store.  The app is poorly written, functions horribly, and they ignore all the people providing negative feedback who are essentially begging for help.

Towards the end of my own WatchGuard configuration I intended to set up an IPSec configuration for phones to connect to, as indicated in their documentation.  Unfortunately their own phone VPN client is utterly worthless, leaving you to try and find something else.

I did use WatchGuard's iPhone configuration instructions to get the native Android VPN client to connect.  Unfortunately it ended up having two major issues that caused me to dump it.  The first is that WatchGuard has a limitation, or perhaps a bug, in its IPSec implementation for Active Directory authentication.  As near as I can tell, either SSL or IPSec can authenticate via Active Directory but not both.  It is possible that by deleting the SSL config, setting up IPSec, then re-creating the SSL config I could get around this bug, but it was not worth attempting at the moment.  When using AD authentication in the configuration I had set up, it would connect for a few seconds, then disconnect, which tells me there must be some sort of timing mismatch.  You would think that would be simple to adjust and overcome, but again the lack of documentation means I either have to pay for support or just deal with it for now.

The second problem is that even when using WatchGuard's native database authentication, the native client on Android does not seem to hold a connection when the phone goes to sleep.  So if I set my phone down for a few minutes and come back to it, I have to re-connect every time.

Fortunately WatchGuard does support OpenVPN.  So I was able to download a third party client that works with the existing SSL configuration successfully.  Not ideal, but it works for now.

- 1: Download the client.ovpn attachment to your phone.  You can find this by going to the IP address of your firewall in a browser, authenticating, and downloading the "Mobile VPN with SSL client profile".
- 2: Open the app store on your respective device and find the app OpenVPN Connect (not just OpenVPN, it has to say Connect).
    o Install the app and open it.
- 3: Tap the menu in the upper right (the three dots).
- 4: Tap the menu item Import Profile from SD card.
- 5: Navigate to the folder containing the client.ovpn file that you downloaded in step 1.  For me it was in my Download folder.
- 6: Tap the client.ovpn file and tap the Select button.  It may be confusing because the client.ovpn line you selected will not highlight.
- 7: If you chose the correct file you should now see an IP address in the OpenVPN Profile area.
    o Enter your Active Directory username and password into the provided fields.
    o Click Connect.
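Before handing the client.ovpn from step 1 to OpenVPN Connect it is worth looking at what is actually in it, because that file tells the client which server to reach and which certificate authority to trust.  Below is an added example, not code from the original post and not anything WatchGuard ships: a small Python checker that parses an OpenVPN profile (directives plus inline `<ca>`-style blocks) and flags the settings a practitioner cares about: a missing CA, no `remote-cert-tls server` / `verify-x509-name` check on the server certificate, a weak data cipher, or an `auth-user-pass` that points at a credentials file on the phone.  The sample profile embedded in the script is constructed for the example; the exact directives in a real WatchGuard export may differ.

```python
"""Pre-import sanity check for an OpenVPN client profile (.ovpn).

Added example for this post, not WatchGuard code. SAMPLE_PROFILE is a
constructed stand-in for the "Mobile VPN with SSL client profile"; the
real export may carry different directives.
"""
import re
from typing import Dict, List, Tuple

# Data ciphers that should not appear in a profile written today.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}

# Constructed sample (NOT a real firewall export). The server address is
# from the TEST-NET-3 documentation range and the certificate is a placeholder.
SAMPLE_PROFILE = """\
client
dev tun
proto tcp-client
remote 203.0.113.10 443
auth-user-pass
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""


def parse_ovpn(text: str) -> Tuple[Dict[str, List[List[str]]], Dict[str, str]]:
    """Split a profile into top-level directives and inline <tag>...</tag> blocks.

    directives: name -> list of argument lists (a directive such as 'remote'
                may appear more than once, so every occurrence is kept)
    blocks:     tag  -> raw body of the inline block (usually PEM text)
    """
    directives: Dict[str, List[List[str]]] = {}
    blocks: Dict[str, str] = {}
    current_tag = None
    body: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if current_tag is not None:          # inside <tag> ... </tag>
            if line == f"</{current_tag}>":
                blocks[current_tag] = "\n".join(body)
                current_tag, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:                                # start of an inline block
            current_tag = m.group(1)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    if current_tag is not None:
        raise ValueError(f"unterminated <{current_tag}> block")
    return directives, blocks


def check_profile(text: str) -> Dict[str, object]:
    """Return the remotes named by the profile plus a list of warnings."""
    directives, blocks = parse_ovpn(text)
    warnings: List[str] = []
    remotes = [tuple(args[:2]) for args in directives.get("remote", [])]
    if not remotes:
        warnings.append("no 'remote' directive: profile does not name the firewall")
    if "ca" not in blocks and "ca" not in directives:
        warnings.append("no CA certificate: the client cannot verify the server it reaches")
    if "remote-cert-tls" not in directives and "verify-x509-name" not in directives:
        warnings.append("no 'remote-cert-tls server' or 'verify-x509-name': "
                        "any certificate issued by the CA would be accepted as the server")
    aup = directives.get("auth-user-pass")
    if aup is None:
        warnings.append("no 'auth-user-pass': the client will not prompt for the AD username and password")
    elif aup[0]:
        warnings.append("'auth-user-pass' names a file: credentials would sit on the phone in clear text")
    for args in directives.get("cipher", []):
        if args and args[0].upper() in WEAK_CIPHERS:
            warnings.append(f"weak data cipher {args[0]}")
    return {"remotes": remotes, "warnings": warnings}


if __name__ == "__main__":
    result = check_profile(SAMPLE_PROFILE)
    print("remotes:", result["remotes"])
    for w in result["warnings"]:
        print("WARNING:", w)
    if not result["warnings"]:
        print("profile looks sane; safe to import")
```

Run it against the downloaded file with `python check_ovpn.py < client.ovpn` after swapping `SAMPLE_PROFILE` for `sys.stdin.read()`; a warning about the server-certificate check is the one not to ignore, since without it a client will happily connect to anything holding a certificate from the same CA.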
