WatchGuard Technologies V10.0 Cell Phone User Manual


 
Administrator Guide
Distributing the Software and Profiles
WatchGuard® recommends distributing end-user profiles by encrypted email or with some other
secure method. Each client computer must have:
Software installation package
The packages are located on the WatchGuard LiveSecurity® Service web site at:
http://www.watchguard.com/support
Log in to the site using your LiveSecurity Service user name and password. Click the
Latest Software link, click Add-ons/Upgrades on the left side, and then click the link for Mobile
VPN with IPSec.
The end-user profile
This file contains the group name, shared key, and settings that enable a remote computer to
connect securely over the Internet to a protected, private computer network. The end-user
profile has the file name groupname.wgx.
Two certificate files—if you are authenticating with certificates
These are the .p12 file, which is an encrypted file containing the certificate; and cacert.pem,
which contains the root (CA) certificate.
User documentation
Documentation to help the remote user install the Mobile VPN client and import their Mobile
VPN configuration file can be found in the “Mobile VPN Client Installation and Connection”
chapter in this user guide.
Shared key
To import the end-user profile, the user is requested to type a shared key. This key decrypts the
file and imports the security policy into the MUVPN client. The key is set during the creation of
the file in Policy Manager.
The shared key, user name, and password are highly sensitive information. For security reasons, we
recommend that you do not provide this information by email message. Because email is not
secure, an unauthorized user can get the information and gain access to your internal network.
Give the user this information verbally, or by some other method that does not allow an
unauthorized person to intercept it.
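
A check the administrator can run on the two certificate files before sending them out, given here as an added example that is not part of the WatchGuard guide. It assumes the OpenSSL command-line tool is available and that the .p12 passphrase is supplied in a P12_PASS environment variable; the function names, the sample data and the 7-day expiry margin are all constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-distribution check for the .p12 / cacert.pem pair.
# Assumptions: the OpenSSL CLI is installed, and the .p12 passphrase is in
# the P12_PASS environment variable (keeps it out of the process list).

# check_bundle <file.p12> <cacert.pem>
# 0 = client cert chains to the root and is valid for 7 more days (the 7-day
#     margin is an assumption), 1 = chain or expiry failure, 2 = cannot open.
check_bundle() {
    p12=$1; ca=$2
    tmp=$(mktemp) || return 2
    # Extract only the client certificate; the private key stays in the .p12.
    if ! openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts \
            -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "cannot open $p12 (wrong passphrase or damaged file)" >&2
        return 2
    fi
    rc=0
    openssl verify -CAfile "$ca" "$tmp" >/dev/null 2>&1 || rc=1
    openssl x509 -in "$tmp" -noout -checkend 604800 >/dev/null 2>&1 || rc=1
    rm -f "$tmp"
    return "$rc"
}

# make_sample <dir>: constructed test data so the check runs offline:
# a root CA, a user certificate it signs, and an unrelated second CA.
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$d/ca.key" -out "$d/cacert.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-user" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/user.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -days 30 \
        -out "$d/user.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" \
        -passout env:P12_PASS -out "$d/user.p12"
}

# Usage: P12_PASS=... sh check.sh user.p12 cacert.pem
if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```

A return value of 1 against the intended cacert.pem means the user would receive a certificate pair that cannot authenticate, so regenerate the files rather than distributing them.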
Additional Mobile VPN Topics
This section describes special topics for Mobile VPN with IPSec.
Making outbound IPSec connections from behind a Firebox
A user might have to make IPSec connections to a Firebox® from behind another Firebox. For example,
if a mobile employee travels to a customer site that has a Firebox, that user can connect to their
network using IPSec. For the local Firebox to correctly handle the outgoing IPSec connection,
you must set up an IPSec policy that includes the IPSec packet filter. For information on enabling
policies, see the Policies chapter in the WatchGuard® System Manager User Guide.
Because the IPSec policy enables a tunnel to the IPSec server and does not do any security checks at
the firewall, add to this policy only the users that you trust.