Earlier I posted my steps for getting the Watchguard SSL VPN Client to work on Vista Business x64. Now we have a few test users upgraded to Windows 7 Professional 64-bit and once again SSL VPN is a problem child. Actually, that’s a little unfair – the problems with installation are a result of Microsoft’s increased “security measures” in Win7. As you might guess, this article outlines and advocates disabling some of these measures, so think about it before you try it. And if you do try it, be sure to go all the way to the bottom of the article to see some of the other “fixes” you need to do. (**UPDATED 11/25/09 – check it out…)
For the most part, the steps are the same as those required for Vista. You need the latest RC release of OpenVPN (currently 2.1 RC 20), and you need to NOT install the Tap driver that comes with the WG SSL VPN. The changes in the process are the changes to Windows 7 that you need to make because the OpenVPN Tap driver is not digitally signed. Windows 7 x64, by default, does not allow the installation of unsigned drivers. Now, there are a couple ways to disable this limitation – one is provided by MS at boot time, another is more “permanent” and the one I chose. Here we go:
- Turn off User Account Control: From the Start Menu type “UAC Control” in the search bar and select “Change User Account Control settings”. Take the slider to the bottom, click OK, and then restart your computer.
- Disable Driver Signing: Once you are back in, from the Start Menu, select All Programs, then Accessories. Right click on the Command Prompt and select ‘Run as administrator’. At the command prompt, type the following and reboot your computer afterward:
bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING ON
- Install the OpenVPN Tap Driver: If you haven’t already, download the latest OpenVPN from here: http://www.openvpn.net/index.php/open-source/downloads.html (currently 2.1_RC20). Run the installer as Administrator (by right clicking the OpenVPN executable and selecting “Run as administrator”), but UNCHECK all items except the Tap Driver and complete the installation. Note: I rebooted here, but you may not need to.
- Install the Watchguard SSL VPN Client: Download and run the SSL VPN installer (as administrator).
At this point, it should work. You can go back and turn UAC back on if you need to, and while I think it’s a complete pain in the butt, I have to recommend that you do. Leaving it off can cause unexpected problems with other programs (such as GotoAssist Express, which is a service I used to use but will be ditching as soon as the contract is up).
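To see afterwards which of the two boot settings from the “Disable Driver Signing” step are still active on a machine, and how to put them back, here is an added example (not part of the original article). It parses saved `bcdedit /enum` output; the sample text is constructed, and English-language output is assumed.

```python
import re
import sys

# Constructed sample of `bcdedit /enum {current}` output on an English-language
# Windows 7 install after the two commands from the article have been run.
SAMPLE = r"""
Windows Boot Loader
-------------------
identifier              {current}
path                    \Windows\system32\winload.exe
description             Windows 7
loadoptions             DDISABLE_INTEGRITY_CHECKS
testsigning             Yes
nx                      OptIn
"""

def parse_entries(text):
    """Return one {element: value} dict per boot entry in bcdedit output."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        # Each entry is a title line, a row of dashes, then "name  value" rows.
        if len(lines) < 3 or set(lines[1].strip()) != {"-"}:
            continue
        elems = {}
        for line in lines[2:]:
            parts = line.split(None, 1)
            if len(parts) == 2 and not line[0].isspace():  # skip continuation rows
                elems[parts[0].lower()] = parts[1].strip()
        entries.append(elems)
    return entries

def signing_findings(text):
    """List (entry id, element, revert command) for each weakened setting."""
    findings = []
    for e in parse_entries(text):
        ident = e.get("identifier", "{current}")
        if e.get("testsigning", "No").lower() == "yes":
            findings.append((ident, "testsigning",
                             f"bcdedit.exe -set {ident} TESTSIGNING OFF"))
        if "DISABLE_INTEGRITY_CHECKS" in e.get("loadoptions", "").upper():
            # Removes the whole loadoptions value, including any other options in it.
            findings.append((ident, "loadoptions",
                             f"bcdedit.exe -deletevalue {ident} loadoptions"))
    return findings

if __name__ == "__main__":
    # Pass a file holding saved bcdedit output, or run with no argument for SAMPLE.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for ident, element, revert in signing_findings(text):
        print(f"{ident}: {element} weakens driver signing; revert with: {revert}")
```

The revert commands need an elevated command prompt and a reboot, and with enforcement back on the unsigned Tap driver will no longer load.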
If you are still having problems connecting, here are some other tips based on my experience. These are in no particular order:
- Turn off Windows Firewall completely and reboot. With version 10.2.9 of the SSL VPN client, you still need access to ports 4100 and 443.
- If you already tried to install the Tap driver without first disabling the driver signing, Windows will permanently tag it as having an unsigned driver. So you need to open the Device Manager, look under Network Adapters, and uninstall the Tap driver and reboot. If you have disabled the driver signing, go ahead and reinstall the OpenVPN Tap driver.
- If you don’t want to permanently disable driver signing, you can TRY temporarily disabling it by pressing F8 at boot time (like you are booting to Safe Mode) and selecting ‘Disable Driver Signing Enforcement’. **UPDATE 11/25/09** I had a few opportunities recently to try this one and it works like a charm. So if you just have to install the VPN client on someone else’s computer, this method is the quickest.
Once you have all that squared away, you may notice that you have a watermark in the lower left of your screen stating “Test Mode Windows 7 Build 7600”. Since you have turned off Driver Signing, Windows has decided you are obviously in some temporary “test mode”. To rid yourself of the watermark, go HERE and download the RemoveWatermark patch.
Since I wrote this article originally, I found this website which offers more information on bypassing Driver Signing and links to some cool free tools for managing it on the fly. Swing by and take a look.
Good luck and feel free to log into the Watchguard forums and request that they fix this!