WatchGuard VPN Round-Up


VPN Round-Up – Pros and Cons

Previously I have covered the different types of VPN technology and how to configure them. Today I will be weighing up the pros and cons of each and providing a use case for each one.

SSL VPN using WatchGuard Access Portal via a web browser for RDP or specific applications

Pros

  • Extremely quick and easy to set up, with no configuration required client-side
  • For those that need access to a high-compute workstation without needing to open RDP or rely on other screen-sharing services, this provides the most elegant solution without performance issues
  • Lightweight, so no performance issues, and full-featured through the use of HTML5, allowing you to publish specific applications to specific groups of users
  • Can be accessed from anywhere on any device without the risk of a virus or malware infecting the remote station from the user's own device
  • Integrates with Active Directory, RADIUS and Firebox-DB for authentication and can be further secured with the WatchGuard AuthPoint MFA service

Cons

  • Requires a Terminal Server, or each individual workstation to have a static / DHCP reservation
  • If you close your browser window you will be logged out of the remote session
  • Not compatible with all applications

Use Case

Perfect for those who need a high-compute workstation or access to a specific application on the go: you could work from a tablet without security or performance issues, and without needing to install or configure a VPN client.

To see how to configure the Access Portal click here.

IKEv2 VPN Using the inbuilt Windows, Mac and iOS VPN Client

Pros

  • By far the most robust VPN, utilising multi-layer security with IPSec and certificates to ensure the user is who they say they are
  • Lightweight, so performance is not compromised, resulting in low CPU usage
  • Widely supported by Windows, macOS, iOS and Windows Mobile, so there is no application to install client-side
  • Integrates with RADIUS and Firebox-DB for authentication and can be further secured with the WatchGuard AuthPoint MFA service

Cons

  • The configuration files cannot be pushed out by Group Policy yet
  • Doesn’t support Active Directory authentication, so requires a RADIUS server with Certificate Authority
  • Requires IPSec to be allowed outbound

Use Case

Perfect for any application, especially if voice is a requirement, due to the lightweight protocols in use. Although RADIUS can be a requirement, most enterprises are starting to shift towards RADIUS / 802.1x infrastructures.

To see how to configure IKEv2 click here.

SSL VPN Using the WatchGuard VPN Client

Pros

  • Uses TLS encryption on port 443, which is typically not restricted
  • The client can be pushed out via Group Policy without the end-user needing to install anything as such
  • Integrates with RADIUS, Active Directory and Firebox-DB for authentication and can be further secured with the WatchGuard AuthPoint MFA service

Cons

  • Relies on TCP, which gives it the most overhead and impacts performance
  • It is the most CPU-intensive of all three
  • Not suitable for latency-sensitive applications such as VoIP, or if you need to transfer large files in a hurry

Use Case

Perfect for those who need to push out a VPN client quickly without the user needing to do anything or those that do not have a RADIUS/Certificate authority.

To see how to configure SSL-VPN click here.

If you would like to get in touch with any further questions about this article or any other technical enquiry, please contact us on +44 (0) 1488 647 647

Author: Alex Claro – Solutions Architect Team Lead at Purdicom (CCNP, CWNA). To read this article and more by Alex on LinkedIn check here: