Special VPN User: Only allow access to an internal URL

Hello everyone,

For me this is unique, but I'm probably sure someone else has done this.     Sophos UTM 9

We have a software vendor that needs access to the software server they have provided.  The software is administered through an internal web browser connection.  We don't want to have to screenshare when ever this vendor needs to access the administrator account.

I would like to give them a VPN account, but restrict it to only the URL.

Is this possible or is there a more efficient way to do this?

 

Thank you for your help!

  • I forgot to mention, we do not want to make this URL published to the world.  Restrict only to the VPN user.

  • In reply to GoJoeGo:

    Hello,

    You can do this using HTML5 VPN Portal under Remote Access.

    Good Luck

  • In reply to PatrickLee:

    ... or you unselect "automatic packetfilter rules" within VPN configuration and creates some firewall rules using "XYZ (User Network)".

  • In reply to GoJoeGo:

    Agreed with PatrickLee - this is the ideal use case for the HTML5 VPN.  You can even use OTP with the User Portal with it required only for specific users.

    Cheers - Bob

  • I can think of multiple ways to handle this.   

    • All of the methods support 2-factor authentication with OTP (or third-party alternatives).  You should use 2-factor authentication on all remote access (Also, PCI DSS requires it)
    • All of the methods support source filtering using Country Blocking rules.

    HTML VPN to a Web Resource (as previously proposed)

    • Nothing to install on the client device
    • Uses a web session inside a web session, so you lose some screen space
    • Inside session uses a very old very of Firefox, so you may have compatibility issues or ciphersuite issues (if using https)
    • The entire HTML VPN subsystem seems to be frozen code.   I had a minor bug report in HTML VPN with an RDP object, and they forced me to put it in as a feature request.

    WAF

    • The normal way to handle external web traffic to an internal website
    • Nothing to install on client device
    • Can restrict on user with Reverse Authentication
    • Can restrict on source IP with Access Restrictions under Source Path Routing
    • Not included in some UTM licenses

    SSL VPN to Transparent Web Proxy

    • Requires SSL VPN Client code to be installed on client device.
    • Particularly attractive if user should only connect using a company-issued laptop.
    • Create a filter profile and add the User Network Object to the Allowed Networks list.
    • Link the Filter Profile to a Policy object that has "use for unauthenticated users" checked.
    • Link the Policy to a Filter Action that blocks everything except the desired URL.
    • In Firewall Rules, block all traffic with that User Network Object as the source (because Web Proxy traffic bypasses the Firewall Rules)
  • In reply to DouglasFoster:

    All,

    Thank you for the suggestions.  The HTML5 Portal sounds interesting.  I like the idea that the user does not have to install anything.  No history with it, but onward!

  • In reply to GoJoeGo:

    The HTML5 VPN Portal worked like a charm!

     

    thanks again!

  • In reply to GoJoeGo:

    Folks, our external client has access to the internal website. 

     

    However, when they click on a function to upload a file, it will not point to their local machine.  Is there an option somewhere to give that throughput?

  • In reply to GoJoeGo:

    Don't think so.  Remember that you are running a browser inside a browser.   That would be a reason to use one of the other configurations.