Note: Current Watchguard firewalls, for example the XTM 21 and the XTM 505 using OS 11.4.2, render this article obsolete, unless you really want to do this for some reason. This article was created to solve a problem wherein creating a NAT translation using the PPTP filter in Watchguard Core series firewalls did not work for passing PPTP through to a Windows RRAS server behind the firewall. Newer versions of the Watchguard software can do the PPTP translation, which is much simpler than what is described below. If, however, you have a flaky RRAS server that drops PPTP connections a lot, you may still wish to do the steps below so that your firewall is the VPN endpoint, but your authentication still comes from Active Directory.
Additional Note: PPTP VPN is blocked at many hotels, airports, etc. SSL VPN is preferable. Recent Watchguard products such as the ones listed above include one license for Mobile User SSL VPN. Upgrading to the “Pro” software, which is reasonably priced, gets you additional SSL VPN licenses. For instructions on setting up SSL VPN with Active Directory authentication, please see this blog post.
If you still want to to the steps below, have at it, and good luck!
This article covers the steps to configure a Watchguard Firebox to pass authentication traffic for PPTP VPN connections to a RADIUS server running on Windows Server. The first part of the document covers Fireware 10.2 and Windows 2008. Legacy technologies can be found at the bottom of the article.
Usage Scenario: You wish to have the Firebox terminate the VPN connection, but still pass the authentication through to your Active Directory server instead of using static Firebox user accounts.
Note: Fireware has Active Directory and LDAP authentication methods, but these cannot be used for PPTP VPN authentication as of version 10.2.12. These can be used with MUVPN, which requires IPSEC Client software to be loaded on the connecting workstation.
Benefits of having the firewall terminate a PPTP VPN:
· It is not necessary to have more than one IP address on the Firebox’s external interface.
· It is not necessary to set up 1:1 NAT, which would put your server on a different outgoing IP address from the rest of the network (this is a good thing from a “keep it simple” perspective).
· You can reboot the server without dropping your VPN connection – you cannot authenticate while it is rebooting, but if you are already connected, you will stay connected.
· PPTP tunnels terminated by the Firebox are generally faster and more reliable than when terminated by a Windows server.
· It is not necessary to load any software on the connecting workstation; it’s built into Windows.
Configure the Firewall:
1. Open the Policy Manager.
2. Configure RADIUS Authentication:
a. Click Setup -> Authentication -> Authentication Servers.
b. Click the RADIUS tab.
c. Check to enable the RADIUS server.
d. Type the IP address of the Windows 2008 server and set the port to 1812.
e. Type a “secret” and confirm it. Take note of this in your network documentation, as you will need it later to configure Windows 2008, and possibly even later still, when you change things on the network. Try to use a secure secret here.
f. Click OK to close the Authentication Servers dialog.
3. Create the PPTP VPN Policy:
a. Click VPN -> Mobile VPN -> PPTP.
b. Check the box to Activate Mobile VPN with PPTP.
c. Check the box to use RADIUS authentication.
d. Require 128-bit Encryption (I think this is optional, but why would you?).
e. Add an IP address pool.
Note: It would be a very good idea to create a DHCP exclusion matching this IP address pool, both to avoid IP conflicts due to DHCP, and to remind you that you have assigned these addresses when you go looking for an available static IP address later. If you have an IP address spreadsheet (hopefully you do), add it there as well. Documentation is key to an organized network.
f. Click OK.
4. Create an Access Rule to allow VPN traffic:
a. Click Edit -> Add Policy.
b. Expand Packet Filters and double-click the “Any” filter.
c. Change the name to “Any-RUVPN” (or something else that is descriptive to you).
d. Remove “Any-Trusted” from the “From” area.
e. Click Add-> Add User, select type “PPTP” and “Group”, double-click PPTP-Users, and click OK.
f. Click Add-> Add other -> Network IP, add your internal network subnet, and click OK -> OK.
g. Remove “Any-External” from the “To” area.
h. Click Add-> Add other -> Network IP, add your internal network subnet, and click OK -> OK.
i. Click Add-> Add User, select type “PPTP” and “Group”, double-click PPTP-Users, and click OK.
Note: We have just created a bi-directional rule that allow traffic both directions over the PPTP VPN. Your rule should have “PPTP-Users” and your internal subnet in both the “From” and the “To” areas.
j. Click OK to close the policy properties dialog.
5. (Important!) Configure DNS on the Firebox:
a. Click Network -> Configuration and go to the WINS/DNS tab.
b. Enter the DNS servers for your network.
Note: The DNS settings are important for your VPN client to obtain the DNS server automatically from the firewall when the VPN connects. Unfortunately, as of Fireware 10.2, the DNS suffix is not passed to the VPN client, so you will need to include that in the VPN connection’s advanced properties on the workstation.
6. Upload your config to your firewall.
Configure Windows 2008:
a. Network Policy and Access Services
b. Windows Firewall disabled or configured to allow RADIUS traffic on port 1812.
2. Ensure that NPS is installed and started.
3. Create a Security Group:
a. Create a security Group on your AD domain controller with a name that is descriptive to you (VPNUsers, for example) and populate it with users who will have VPN access.
4. Open the Server Manager.
5. Tell Windows about the RADIUS Client:
a. Expand Roles -> Network Policy and Access Services -> NPS (Local) -> RADIUS Clients and Servers, and select RADIUS Clients.
b. Right-Click RADIUS Clients and select New RADIUS Client.
c. Check the box to enable the RADIUS Client.
d. Type a friendly name (Firebox) for the RADIUS Client.
e. Add the IP address of the Firebox.
f. Select RADIUS Standard from the Vendor Name list.
g. Choose the “Manual” radio button.
h. Type and confirm the “secret” you entered into the Firebox config in the “Configure the Firebox” section.
i. Make sure both checkboxes at the bottom o the dialog are unchecked and click OK.
6. Configure a RADIUS Authentication Policy:
a. Expand Roles -> Network Policy and Access Services -> NPS (Local) -> Policies -> Network Policies.
b. Right-Click Network Policies and select New.
c. Type a Policy name that will be descriptive to you (RUVPN Connections, for example).
d. Leave the “Type of network access server” set to “Unspecified” and click Next.
e. Click the Add button and double-click “Windows Groups” in the Conditions list.
f. Click the Add Groups button and type or search for the VPN users group you created earlier.
g. Click OK -> OK, which should bring you back to the Specify Conditions dialog.
h. Click the Next button to get to the Specify Access Permission dialog.
i. Leave “Access granted” selected and click Next.
j. Ensure that MS-CHAP-v2 and MS-CHAP are selected, and click Next.
k. Click Next again without configuring any constraints.
l. In the left Windows pane, select Standard under RADIUS Attributes.
m. Remove any existing attributes and click Add.
n. Double-click Filter-ID.
o. Click the Add button.
p. Type “PPTP-Users” (case sensitive) into the “String” field and click OK.
q. Click OK and Close to get back to the Configure Settings dialog.
r. Select Encryption under Routing and Remote Access, and uncheck “No Encryption”.
s. Click Next -> Finish.
t. Right-click you new policy and select “Move Up” repeatedly until it is first in the list.
Test your configuration:
1. Set up a workstation outside the firewall with PPTP VPN.
2. Connect to the VPN with a user who exists in the VPN users group you created in AD.
3. Once the VPN is running, test access to network resources.
Note: It is possible to be connected to the VPN, but still have no resource access if you did not configure the access policy properly, so be sure to test this.
If you have an older Firebox running WSM 7.x, and wish to use PPTP terminated by the firewall, with RADIUS authenticated by a Windows 2008 server, use these instructions for the firewall side:
Note: You will need to adjust the policy in NPS on the Windows 2008 server to use “pptp_users” instead of “PPTP-Users”. This changed between WSM and Fireware.
Configure a legacy Firebox (WSM 7.x) for Remote User PPTP:
1. Open Policy Manager and select Setup -> Firewall Authentication.
2. Select the radio button for RADIUS Server -> OK -> OK.
3. Enter the IP address of the Windows 2000 server running IAS.
4. Change the Port number to 1812 and enter your shared secret -> OK
5. Click Network -> Remote User -> PPTP tab.
6. Check the checkboxes for Activate Remote User and Use Radius Authentication.
7. Click the Add button, select Host IP Address and enter the first IP address you allocated for use by the Firebox -> OK.
8. Repeat this until all of your allocated IP addresses have been entered.
Note: You can copy/paste into the IP address field.
Note: You may wish to enable logging here if you have any difficulty getting this to work.
9. Click OK.
Configure a legacy Firebox Access Rule for RUVPN:
1. Add a service to allow traffic from VPN Users:
a. Click Edit -> Add Service. Expand Packet Filters and select “Any”.
b. Click the Add button. Change the name to “Any-RUVPN”.
Note: If you change this name, I recommend against using spaces.
c. On the Incoming tab, select “Enabled and Allowed” from the selection list.
d. Click the Add button in the “From” area and add the “pptp_users” group.
Note: If the “pptp_users” group is not available to be selected here, you can click “Add other”, drop down and select “Radius User or Group” and type pptp_users in. I had to do this with a Firebox. Once I had uploaded the config and firmware to the firebox, then pulled down a fresh config file from the firebox, the pptp_users that I had typed in became the special Firebox group and took on the icon with the two head with a red thing behind them, indicating that it recognized the special group. Your mileage may vary.
e. Click the Add button in the “To” area and add “Trusted”.
f. Go to the Outgoing tab.
g. Add “Trusted” to the “From” area and “pptp_users” to the “To” area.
h. Finish the rule and upload the configuration to the Firebox.
If you have a Windows 2003 server and wish to use IAS for RADIUS authentication for a Watchguard Firebox, here are the steps:
Install and Configure IAS on Windows 2003:
Note: You must either disable SMB Signing or use Firebox Software version 7.30-B2938 or later!
1. In Add/Remove programs -> Windows Components -> Networking Services, check “Internet Authentication Service” and finish the wizard.
2. Open the Services applet and stop, then restart the IAS service. Refresh the screen and ensure that the service continues to show “running” status. Some applications (the Symantec antivirus management console, for example) interfere with IAS by using port 1812. If this is the case you will need to configure IAS on a different server.
3. Open Administrative Tools -> Internet Authentication Service and select Radius Clients in the left pane.
4. Click Action -> New Radius Client. Enter “Firebox” for the friendly name.
Note: If you change this name, I recommend against using spaces or non-alpha characters.
5. Enter the Trusted IP address of the Firebox for the Client Address and click Next.
6. Verify that RADIUS Standard is the selected protocol.
7. Enter and confirm a “shared secret” of your choice.
Note: I recommend Uppercase, Lowercase, and Numbers – but not non-alpha characters.
8. Verify that RADIUS Standard is the selected Client-Vendor.
9. Verify that the box for “Request must contain the Message Authenticator attribute” is NOT checked, and click Finish.
10. Select Remote Access Policies and click Action -> New Remote Access Policy.
11. Select the option for “Set up a custom policy”.
12. Enter VPNUsers for the friendly name of the policy.
Note: If you change this name, I recommend against using spaces or non-alpha characters.
13. Click Next -> Add -> select Windows-Groups -> Add -> Add -> select your VPNUsers group -> OK -> OK -> Next.
14. Select the radio button for “Grant remote access permission” -> Next.
15. Click the Edit Profile button -> Authentication tab.
16. Verify that the checkboxes for “Microsoft Encrypted Authentication version 2 (MS-CHAP v2)” and MS-CHAP are checked.
17. Go to the Encryption Tab and clear the check box next to “No Encryption”.
18. Click the Advanced tab and remove “Framed-Protocol” and “Service-Type”.
19. Click Add -> Filter-Id -> Add -> verify that “string” is selected and type “pptp_users” into the attribute field.
Note: For Fireware Pro 8.2 the string must be set to “PPTP-Users” (case sensitive).
Note: Other documentation may suggest that you type something else here, like your group name. DON’T. The Firebox wants to see “pptp_users” or “PPTP-Users” in this attribute, just as it is typed here – lowercase, underscore or hyphen and all.
20. Click whatever combination of OK, Next, and/or Finish is required to complete the config. If it prompts you to view help topics, say no.