Operational Defect Database

WatchGuard Technologies | kA10H000000g3SPSAY

Office 365 fails for Mobile VPN with SSL users

Last update date:

11/25/2020

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

11.x

11.1.x

11.10.x

11.10

11.10.1

11.10.2

11.10.3

11.10.4

11.10.5

11.10.6

Fixed releases:

v12.5.3

Description:

Issue

Users who connect to your network through Mobile VPN with SSL cannot connect to Office 365. This happens because the Mobile VPN with SSL TAP adapter does not set a default gateway when you connect to the VPN. Because Office 365 cannot detect a gateway on that adapter, Office 365 traffic does not go through the tunnel.

Workaround/Solution

To make sure that Office 365 traffic goes through the mobile VPN tunnel, use one of these options:

- Enable the default-route-client option in the Fireware CLI (Fireware v12.5.3 or higher)
- Manually configure a default gateway on the client
- Use a different Fireware mobile VPN method

Option 1—Enable the default-route-client CLI Option (Windows only)

If you select the Force all client traffic through tunnel option in the Mobile VPN with SSL configuration, the Firebox pushes the routes 0.0.0.0/1 and 128.0.0.0/1 to the Windows computer. These routes are added instead of a more general route to avoid replacing existing routes: together the two /1 prefixes cover the whole IPv4 space, and because each is more specific than the existing 0.0.0.0/0 default route, longest-prefix matching prefers them without overwriting that route.

In Fireware v12.5.3 or higher, you can enable the default-route-client option in the CLI. When you enable this option, the Firebox pushes the general route 0.0.0.0/0.0.0.0 to Windows computers, and the default gateway of the TAP interface on each Windows computer is set to the VPN gateway IP address.

The default-route-client command affects only Windows computers. Computers with other operating systems do not receive the 0.0.0.0/0.0.0.0 route.

To enable this option, specify these commands from the Firebox CLI:

    WG#config
    WG(config)#policy
    WG(config/policy)#sslvpn resource default-route-client

To disable this option, specify this command from the Firebox CLI:

    WG(config/policy)#no sslvpn resource default-route-client

By default, the default-route-client option is disabled.

Note: The default-route-client option is not included in the XML configuration file. If you enable this option, and you later reset your Firebox to factory-default settings or move the configuration to a new Firebox, you must enable this option again in the CLI. For more information about Firebox management through the command line interface, see the Fireware CLI Reference.

Option 2—Manually Configure a Default Gateway on a Windows Client

1. From Control Panel, open Network and Internet > View network status and tasks > Change adapter settings.
2. Find the network adapter with TAP-Windows Adapter V9 in the description.
3. Right-click the network adapter and select Properties.
4. Double-click Internet Protocol Version 4 (TCP/IPv4). The properties dialog box appears.
5. Click Advanced. The Advanced TCP/IP Settings dialog box appears.
6. Below Default gateways, click Add.
7. In the Gateway text box, type the Firebox IP address for the virtual IP address range. This is typically the first usable IP address of the virtual pool.
8. Click Add.
9. On each open dialog box, click OK.

Option 3—Use a Different Mobile VPN Method

This issue affects only Mobile VPN with SSL. If you do not want to enable the CLI option or manually configure a gateway on the client, you can avoid this issue by using a different mobile VPN method. Fireware supports three other mobile VPN methods: Mobile VPN with IKEv2, Mobile VPN with L2TP, and Mobile VPN with IPSec.
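A PowerShell check for the Windows client state that Options 1 and 2 describe, added here as an example and not WatchGuard's or BugZero's own code. It assumes the adapter description "TAP-Windows Adapter V9" given above, the function names are my own, and the gateway address passed to the second function must be your Firebox's virtual-pool address (the sample value is a placeholder):

```powershell
# Added example (not WatchGuard's or BugZero's code). Audits the Mobile VPN with SSL
# TAP adapter on a connected Windows client and, optionally, applies the equivalent
# of Option 2: a 0.0.0.0/0 route via the TAP adapter, which Windows reports as that
# adapter's default gateway. Assumes the adapter description "TAP-Windows Adapter V9".

function Get-SslVpnTapState {
    $tap = Get-NetAdapter |
           Where-Object { $_.InterfaceDescription -like 'TAP-Windows Adapter V9*' } |
           Select-Object -First 1
    if (-not $tap) { throw 'No TAP-Windows Adapter V9 found; connect the SSL VPN client first.' }

    $prefixes = (Get-NetRoute -InterfaceIndex $tap.ifIndex -AddressFamily IPv4).DestinationPrefix
    $gateway  = (Get-NetIPConfiguration -InterfaceIndex $tap.ifIndex).IPv4DefaultGateway.NextHop

    [pscustomobject]@{
        Adapter            = $tap.Name
        InterfaceIndex     = $tap.ifIndex
        # "Force all client traffic through tunnel" without the CLI option pushes two /1 routes
        SplitRoutesPushed  = ('0.0.0.0/1' -in $prefixes) -and ('128.0.0.0/1' -in $prefixes)
        # default-route-client enabled (Fireware v12.5.3 or higher) pushes the single /0 route
        DefaultRoutePushed = ('0.0.0.0/0' -in $prefixes)
        # $null here is the condition under which Office 365 traffic bypasses the tunnel
        TapDefaultGateway  = $gateway
    }
}

function Add-SslVpnTapDefaultGateway {
    param(
        # Firebox IP address for the virtual IP address range, typically the first
        # usable address of the virtual pool; take it from your own Firebox configuration
        [Parameter(Mandatory)][string]$Gateway
    )
    $state = Get-SslVpnTapState
    if ($state.TapDefaultGateway) {
        Write-Host "TAP adapter already has default gateway $($state.TapDefaultGateway); nothing to do."
        return $state
    }
    # Equivalent of Control Panel > Advanced TCP/IP Settings > Default gateways > Add
    New-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $state.InterfaceIndex `
                 -NextHop $Gateway -RouteMetric 1 | Out-Null
    Get-SslVpnTapState
}

# Usage (elevated PowerShell session, after the SSL VPN client connects):
#   Get-SslVpnTapState
#   Add-SslVpnTapDefaultGateway -Gateway 192.0.2.1   # placeholder: use your Firebox virtual-pool address
```

Run the first function before and after applying either option; TapDefaultGateway should change from $null to the Firebox virtual-pool address, and after Option 1 DefaultRoutePushed should also be True.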

Status

Resolved
