Issue
During the TDR to Endpoint Security upgrade process, previously configured TDR settings are not migrated to WatchGuard Endpoint Security. This includes network access enforcement settings. If Network Access Enforcement is not configured in your WatchGuard Endpoint Security product (Settings > Network Services) before you start the Upgrade TDR to Endpoint Security wizard, VPN enforcement fails with these error messages in the Firebox log:
2023-02-02 16:59:58 vpn_enforcer Failed to connect to 192.168.113.2 due to err=111:Connection refused Debug
2023-02-02 16:59:59 vpn_enforcer VPN (SSL) connection by user username@Firebox-DB failed to meet TDR Host Sensor Enforcement requirement: Host Sensor connection failed
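To see how widespread the failure is after an upgrade, the two vpn_enforcer messages above can be pulled out of exported Firebox log text and grouped by user. The following PowerShell is an added example, not a WatchGuard tool; the two sample lines are constructed to match the format shown in this article, and the function name Get-EnforcementFailure is an assumption.

```powershell
# Added example (not from WatchGuard): parse vpn_enforcer failures out of Firebox
# log text so you can see which endpoints and users are affected after the upgrade.
# The sample lines are constructed to match the format shown in the article.

$SampleLog = @'
2023-02-02 16:59:58 vpn_enforcer Failed to connect to 192.168.113.2 due to err=111:Connection refused Debug
2023-02-02 16:59:59 vpn_enforcer VPN (SSL) connection by user username@Firebox-DB failed to meet TDR Host Sensor Enforcement requirement: Host Sensor connection failed
'@

function Get-EnforcementFailure {
    # Returns one object per recognised vpn_enforcer failure line; other lines are ignored.
    param([string[]]$Lines)

    # "Failed to connect to <ip> due to err=<n>:<reason>" optionally followed by the log level.
    $connectPattern = '^(?<ts>\S+ \S+) vpn_enforcer Failed to connect to (?<ip>\S+) due to err=(?<err>\d+):(?<reason>.+?)(?: Debug)?$'
    # "VPN (<proto>) connection by user <user> failed to meet TDR Host Sensor Enforcement requirement: <reason>"
    $denyPattern    = '^(?<ts>\S+ \S+) vpn_enforcer VPN \((?<proto>[^)]+)\) connection by user (?<user>\S+) failed to meet TDR Host Sensor Enforcement requirement: (?<reason>.+)$'

    foreach ($line in $Lines) {
        if ($line -match $connectPattern) {
            [pscustomobject]@{
                Time     = $Matches.ts
                Kind     = 'HostSensorConnect'
                User     = $null
                Endpoint = $Matches.ip
                Reason   = "err=$($Matches.err): $($Matches.reason)"
            }
        }
        elseif ($line -match $denyPattern) {
            [pscustomobject]@{
                Time     = $Matches.ts
                Kind     = 'VpnDenied'
                User     = $Matches.user
                Endpoint = $null
                Reason   = $Matches.reason
            }
        }
    }
}

# Replace $SampleLog with Get-Content of an exported traffic log to run this on real data.
$events = Get-EnforcementFailure -Lines ($SampleLog -split '\r?\n')
$events | Format-Table -AutoSize

# Which users were denied VPN access, and how often: these are the endpoints to fix first.
$events | Where-Object Kind -eq 'VpnDenied' | Group-Object User | Select-Object Name, Count
```

The "Failed to connect" line carries the endpoint IP the Firebox tried to reach on the Host Sensor port, while the "failed to meet ... requirement" line carries the user; correlating the two by timestamp tells you which user sits on which unreachable endpoint.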
Workaround/Solution
Customers who use network access enforcement must manually configure the Network Access Enforcement feature in WatchGuard Endpoint Security to continue to use endpoint enforcement. You can generate a random Account UUID and authentication key. For information on how to configure network access enforcement, go to Configure Network Access Enforcement in Help Center.
We recommend you review your Windows Defender firewall rules. The TDR Host Sensor automatically added a rule to the Windows Defender firewall to allow the TCP port 33000 connection required to validate the endpoint. This rule is not recreated by the WatchGuard Endpoint Agent, so you must add the rule manually if the Windows Defender firewall is configured to deny incoming connections.
Open Windows Defender Firewall with Advanced Security and create a new inbound rule with these settings:
Rule Type: Port
Protocol and Ports: TCP, and add the specific local port 33000
Action: Allow the Connection
Profile: Domain, Private, and Public
Name: WatchGuard Secure VPN
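The same inbound rule can be created from an elevated PowerShell session, which is easier to roll out across many endpoints than the Advanced Security console. This script is an added example and is not provided by WatchGuard; the rule name and port come from the settings above, and the listener check at the end assumes the WatchGuard Endpoint Agent accepts the Firebox validation connection on the same TCP port.

```powershell
# Added example (not WatchGuard's own script): recreate the inbound rule the TDR
# Host Sensor used to add, confirm its port filter, and check that something is
# actually listening on the port. Run as Administrator.

$RuleName = 'WatchGuard Secure VPN'   # display name from the article
$Port     = 33000                     # endpoint validation port from the article

# Idempotent: only create the rule when no rule with this display name exists yet.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound `
        -Protocol  TCP `
        -LocalPort $Port `
        -Action    Allow `
        -Profile   Domain,Private,Public `
        -Enabled   True | Out-Null
    Write-Host "Created inbound rule '$RuleName' allowing TCP $Port."
}
else {
    Write-Host "Rule '$RuleName' already exists; leaving it unchanged."
}

# Verify the rule really covers TCP 33000 (a stale rule with the right name but the
# wrong port would still leave the Firebox with 'Connection refused').
$filter = Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter
if ($filter.Protocol -ne 'TCP' -or "$($filter.LocalPort)" -ne "$Port") {
    Write-Warning "Rule '$RuleName' exists but allows $($filter.Protocol)/$($filter.LocalPort), not TCP $Port."
}

# An allowed port with no listener still fails: err=111 'Connection refused' in the
# Firebox log means nothing answered, not that the firewall blocked the packet.
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $pid  = $listener[0].OwningProcess
    $proc = Get-Process -Id $pid -ErrorAction SilentlyContinue
    Write-Host "TCP $Port is listening (PID $pid, $($proc.ProcessName))."
}
else {
    Write-Warning "Nothing is listening on TCP $Port; check that the WatchGuard Endpoint Agent is running and Network Access Enforcement is configured in Settings > Network Services."
}
```

Keeping the rule creation idempotent matters if you push this through Group Policy or an RMM tool, because New-NetFirewallRule happily creates duplicate rules with the same display name on every run.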