Republished with permission from WatchGuard Technologies, Inc.
Navigating WatchGuard's New MUVPN Client
by David M. Piscitello, President, Core Competence, Inc.
With WatchGuard Firebox System (WFS) version 5.0, WatchGuard released an entirely new mobile user VPN client, a customized version of the widely used and broadly compatible SoftRemote™ VPN client from SafeNet. This article gives you some background on, and a quick tour of, the new MUVPN client.
What's So Cool About SoftRemote™
I live in NASCAR country. Motor-heads here crack open the hood of a new car, then jabber about compression ratios, horsepower, overhead cams, gear ratios, and the like. I suppose networking software junkies obsess over features, too. New software? Kewl!
SoftRemote™ is chock full of useful features for administrators and end users. It runs on every Win32 platform (and will soon on the Palm OS). It supports virtually every IKE and IPSec security option. SafeNet has done a commendable job testing the software on every OS platform, against a long list of VPN products, so it's very stable. It's also the most widely used VPN client in the industry. This "ubiquity" is especially important if your work force engages in business-to-business activities over IPSec VPNs run by organizations other than your own, operating equipment other than Fireboxes and SOHOs. It's important to you as well: who needs the headache of supporting two VPN software packages, much less the helpdesk horror of teaching users how to use both? I've used a SoftRemote client since WFS version 4.6 because (a) it worked fine with Firebox MUVPN, and (b) I use so many IPSec products I can't afford down time from wrestling with software and adapters that won't play nice together.
SoftRemote also works well with all the personal firewall software I've used. If you haven't insisted on personal firewalls for remote access clients until now, I recommend when you download the MUVPN client from WatchGuard's site, you choose the version that comes bundled with ZoneAlarm from Zone Labs.
The new client has an outstanding logging facility and a connection monitor, invaluable tools for debugging IPSec configuration problems.
I can almost hear the skeptical network administrators ask, "New software? Ugh! How painful will this be to incorporate into my network?" After more than a year deploying SoftRemote at various locations, my experience is that it can be nearly antacid and pain reliever free.
WatchGuard's version feels familiar. You'll still use the Mobile User VPN Wizard from the Policy Manager to create new IPSec mobile users. How you configure Allowed Resources, Virtual IP address rules, and tunnel (IPSec) policy is unchanged. You can continue to use the same method to export the mobile user configuration files (.EXP and .WGX) and to distribute configuration files, client software and documentation to your mobile work force. You'll find that the information about planning, deploying, and debugging MUVPN from my earlier columns still applies.
The biggest changes (really, improvements) are on the client. I've had few problems installing the new MUVPN client on several desktops and laptops, including a laptop that has USB, PC card, and Sony iLink™ network adapters. (I mention this because my painful past experience was that the likelihood of a successful IPSec client installation seemed to decrease commensurately with each adapter previously installed.)
The SafeNet MUVPN client has many more bells and whistles than its predecessor. You should plan to introduce at least the following tools and features to your MUVPN users. These are accessed via the System Tray or the Start Menu:
Features to toy with…
You might find the MUVPN client's Certificate Manager helpful in pulling together the concepts of digital certificates, Certificate Authorities, and Registration Authorities (if these terms are unfamiliar to you, they're explained in my article on PKI). Use this application to request, import, and store certificates and certificate revocation lists. It's good practice for when you eventually incorporate digital certificates into your IPSec VPNs.
Clever MUVPN Tricks
Since the new MUVPN client supports so much of the IKE and IPSec standards, you can also experiment with more secure VPN tunnel policies for certain applications. The default MUVPN IKE policy uses Aggressive Mode with DES encryption and no Perfect Forward Secrecy (PFS). Using the new client's Security Policy Editor, if you have a DSL-based teleworker blessed with a permanent IP address, you can create a VPN tunnel that uses the stronger Main Mode authentication (which brings Triple DES encryption to Phase 1 of establishing your VPN tunnel), Perfect Forward Secrecy, and the Diffie-Hellman Group 2 that PFS requires. You'll have to manually create a Branch Office VPN tunnel at the Firebox for this unique application. Combined with the ZoneAlarm personal firewall, this configuration is far stronger than using one of those "thrown-in" Cable/DSL NAT boxes, and perfect for individual user sites where you simply can't afford a SOHO.
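To make the two policies above concrete, here is a small checker written for this article (not WatchGuard's or SafeNet's code) that rates an IKE Phase 1 proposal the way the paragraph does: the class, field names and the two constructed proposals are this example's own, and the static-address rule reflects the fact that Main Mode with a pre-shared key selects the key by the peer's address.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class IkeProposal:
    """IKE settings compared in the text (field names are this example's own)."""
    phase1_mode: str          # "aggressive" or "main"
    encryption: str           # Phase 1 cipher, e.g. "des" or "3des"
    pfs: bool                 # Perfect Forward Secrecy on Phase 2 rekeys
    dh_group: Optional[int]   # Diffie-Hellman group used for PFS, None if PFS is off

# Constructed proposals matching the two policies described above.
DEFAULT_MUVPN = IkeProposal("aggressive", "des", pfs=False, dh_group=None)
HARDENED_BOVPN = IkeProposal("main", "3des", pfs=True, dh_group=2)

WEAK_CIPHERS = {"des", "null"}

def evaluate(p: IkeProposal, peer_has_static_ip: bool) -> List[str]:
    """Return findings; an empty list means the proposal meets the stronger policy."""
    findings: List[str] = []
    if p.phase1_mode == "aggressive":
        findings.append("Aggressive Mode: peer identity and the PSK-based hash "
                        "are exchanged before Phase 1 encryption starts")
    elif p.phase1_mode == "main":
        if not peer_has_static_ip:
            # With pre-shared keys, Main Mode looks the key up by the peer's
            # source address, which is why the text requires a permanent IP.
            findings.append("Main Mode with a pre-shared key needs a fixed peer address")
    else:
        findings.append(f"unknown Phase 1 mode {p.phase1_mode!r}")
    if p.encryption.lower() in WEAK_CIPHERS:
        findings.append(f"{p.encryption} is too weak for Phase 1; use 3DES (or AES)")
    if not p.pfs:
        findings.append("no PFS: the Phase 1 secret protects every later Phase 2 key")
    elif p.dh_group is None or p.dh_group < 2:
        findings.append("PFS requires at least Diffie-Hellman Group 2")
    return findings

if __name__ == "__main__":
    for name, prop, static in [("default MUVPN", DEFAULT_MUVPN, False),
                               ("hardened BOVPN", HARDENED_BOVPN, True)]:
        print(name, evaluate(prop, static) or ["OK"])
```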
WatchGuard's new SafeNet client is quite an upgrade from the previous MUVPN client. It installs more cleanly, and has proven interoperable with just about every IPSec security gateway left on the market. It has many features that can help a busy administrator diagnose IPSec remote access problems quickly. You can even tinker with its configuration flexibility and advanced authentication features (certificates) in your copious spare time. I give it a nine.
Copyright© 2002, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.