Controlling VPN Access with TDR

One of the questions we have gotten a lot over the years is how to control which devices are allowed to connect to mobile VPNs. Certain VPNs like IPSec and IKEv2 are a little easier to control, because they require a profile. The wide use of the SSLVPN, however, has presented a serious problem for many organizations: anyone can download the SSLVPN profile, and then they simply need to know the IP address and the credentials to connect. This means that a somewhat savvy user could easily set up their home computer with access to the organization's VPN. That of course presents a huge security risk, because personal devices cannot be properly controlled or monitored.

The good news is that firmware version 12.5.4 offers an easy solution: you can now set your mobile VPNs to require TDR Host Sensor Enforcement. This means that, in order to connect to your organization's mobile VPN, the TDR Host Sensor has to be installed on the device. Because the sensor has to be rolled out by a network administrator (it requires an agent and account information specific to your WatchGuard), you can now eliminate personal devices from VPN access.

Setting up TDR Host Sensor Enforcement is very simple, and you can apply it to any existing VPN instead of having to start from scratch.

1. First, make sure that you have set up TDR and rolled out host sensors. Once this is done, log in to your TDR portal at https://watchguard.com > My WatchGuard > Manage TDR.

If you need assistance with setting up TDR, contact us!

2. Select Settings > Host Sensor. Turn on Enable Host Sensor Enforcement for VPN connections.

[Screenshot: Host Sensor Enforcement for VPN connections status button]

3. Specify a TDR Authentication Key.

[Screenshot: TDR Authentication Key text box]

4. In Policy Manager, select Subscription Services > TDR. Check the box for Enable Host Sensor Enforcement and paste in the authentication key from step 3. You can also set the minimum OS versions for connected devices.

[Screenshot: Host Sensor Enforcement form]

5. Next, enable enforcement on the VPN. Select VPN > Mobile VPN > and the mobile VPN you would like to apply it to. For this example, we are setting the enforcement on the IKEv2 VPN. On the Authentication tab, check the box for the groups you would like to apply this to.

NOTE: This can only be applied to groups, not individual users.

[Screenshot: Mobile VPN with IKEv2 configuration with the Authentication tab selected]
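As an added illustration (this is not WatchGuard's code and not part of the original post), the following Python models the decision that steps 2 through 5 configure: the enforcement switch, the shared TDR authentication key, the minimum OS versions, and the groups the enforcement is applied to. The platform names, the key value, the sample logon attempts and the rule that enforcement applies when the user belongs to at least one enforced group are all assumptions made for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


# Constructed model of the settings from steps 2-5: enforcement switch,
# shared TDR authentication key, minimum OS version per platform, and the
# groups the enforcement is applied to (groups only, as the NOTE says).
@dataclass(frozen=True)
class EnforcementConfig:
    enabled: bool
    auth_key: str
    min_os_version: Dict[str, str]   # platform -> "major.minor[.patch]"
    enforced_groups: Set[str]


# One mobile VPN logon attempt as the policy check would see it.
# sensor_auth_key is None when no host sensor reports in at all.
@dataclass(frozen=True)
class ConnectionAttempt:
    user: str
    groups: Set[str]
    sensor_auth_key: Optional[str]
    platform: Optional[str] = None
    os_version: Optional[str] = None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.15.7' into (10, 15, 7) so versions compare numerically (assumes dotted integers)."""
    return tuple(int(part) for part in version.split("."))


def evaluate(config: EnforcementConfig, attempt: ConnectionAttempt) -> Tuple[bool, str]:
    """Return (allowed, reason). Assumed semantics: enforcement applies only when
    the user is a member of at least one group it was enabled for."""
    if not config.enabled or not (attempt.groups & config.enforced_groups):
        return True, "enforcement not applied to this connection"
    if attempt.sensor_auth_key is None:
        return False, "no TDR Host Sensor reported"
    # Constant-time comparison of the key the sensor presents with the configured one.
    if not hmac.compare_digest(attempt.sensor_auth_key.encode(), config.auth_key.encode()):
        return False, "host sensor authentication key mismatch"
    minimum = config.min_os_version.get(attempt.platform or "")
    if minimum is not None:
        if attempt.os_version is None or parse_version(attempt.os_version) < parse_version(minimum):
            return False, f"{attempt.platform} {attempt.os_version} is below the minimum {minimum}"
    return True, "host sensor verified"


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Evaluate five constructed logon attempts against one constructed config."""
    config = EnforcementConfig(
        enabled=True,
        auth_key="EXAMPLE-KEY-NOT-REAL",  # constructed placeholder, not a real key
        min_os_version={"Windows": "10.0", "macOS": "10.15"},
        enforced_groups={"VPN-Users"},
    )
    attempts = {
        "managed laptop": ConnectionAttempt("alice", {"VPN-Users"}, "EXAMPLE-KEY-NOT-REAL", "Windows", "10.0"),
        "home pc, no sensor": ConnectionAttempt("bob", {"VPN-Users"}, None, "Windows", "10.0"),
        "wrong key": ConnectionAttempt("carol", {"VPN-Users"}, "SOME-OTHER-KEY", "macOS", "11.2"),
        "old macOS": ConnectionAttempt("dave", {"VPN-Users"}, "EXAMPLE-KEY-NOT-REAL", "macOS", "10.14.6"),
        "unenforced group": ConnectionAttempt("eve", {"Contractors"}, None, "Windows", "10.0"),
    }
    return {name: evaluate(config, attempt) for name, attempt in attempts.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo().items():
        print(f"{name:20} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The last case is the one worth noticing: because enforcement is applied per group, a user in a group you did not tick on the Authentication tab still connects from a device with no host sensor. When you roll this out, check the box for every group the mobile VPN allows, not just the main one.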