
Allow only the SSL client for Internet access, block the remaining traffic

Hello everyone,

I use two VPN solutions here: the PPTP client (built into Windows) and the Sophos SSL client.

With the PPTP client, the client automatically blocks all remaining traffic towards the Internet; with the SSL client it is allowed.

Is there a way to configure the SSL client so that this traffic is blocked the same way as with the PPTP client?

Regards

swirfel



  • Hello,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. :( )

    Please show a picture of the Edit of the SSL VPN Profile.

    Best regards - Bob (Please continue in German.)

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • If you want to completely block Internet traffic for the SSL VPN client, you can include Internet IPv4 and/or IPv6 in your VPN local networks configuration so that all traffic outside the local LAN from this VPN client is sent to the UTM. Then you can make a firewall rule to allow what needs to be accessed, and make sure the automatic firewall rule for the SSL VPN is not enabled. Also, you might not want to have a masquerading rule for SSL pool => External. You would also leave the SSL pool out of the web filtering allowed networks so they cannot use the proxy for web browsing either. In that case all traffic is sent to the UTM, but Internet traffic is dropped.

    If you do want Internet access but want it controlled and checked by the UTM, also include Internet IPv4 and/or IPv6 in the VPN local networks so that all traffic is again sent to the UTM. Then either add the VPN pool to the allowed networks for web filtering to allow usage of the web filter, and/or configure a masquerading rule for VPN pool => External for direct access to the Internet through the UTM.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
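    A way to verify on the client side that the advice above actually took effect: once the Internet network is part of the VPN local networks, the UTM hands the client a default route in the OpenVPN PUSH_REPLY, and at `verb 3` that message appears in the client log. The checker below is an added example, not something from this thread or from Sophos; the profile text and the two PUSH_REPLY log lines are constructed samples, and the exact set of options the UTM pushes is an assumption.

```python
import re

# Constructed sample profile, modelled on the one posted in this thread
# (certificate block and real server address omitted).
CLIENT_CONFIG = """\
client
dev tun
proto tcp
remote 203.0.113.10 43443
route remote_host 255.255.255.255 net_gateway
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-128-CBC
auth MD5
comp-lzo
route-delay 4
verb 3
reneg-sec 0
"""

# Constructed PUSH_REPLY lines as OpenVPN logs them at verb 3. The first one
# assumes the server was told to route the whole Internet through the tunnel,
# the second one only pushes the LAN route (split tunnel).
PUSH_REPLY_FULL = ("PUSH: Received control message: 'PUSH_REPLY,route 10.242.2.0 255.255.255.0,"
                   "route 0.0.0.0 0.0.0.0,dhcp-option DNS 10.242.2.1,ifconfig 10.242.2.6 10.242.2.5'")
PUSH_REPLY_SPLIT = ("PUSH: Received control message: 'PUSH_REPLY,route 10.242.2.0 255.255.255.0,"
                    "dhcp-option DNS 10.242.2.1,ifconfig 10.242.2.6 10.242.2.5'")


def pushed_options(log_line):
    """Return the comma-separated options carried by a PUSH_REPLY log line."""
    m = re.search(r"PUSH_REPLY,(.*)'", log_line)
    return [o.strip() for o in m.group(1).split(",")] if m else []


def full_tunnel(config_text, log_line):
    """True when all Internet traffic will go through the tunnel, i.e. the
    profile itself or the pushed options carry a default route or a
    redirect-gateway directive. The host route to the VPN server via
    net_gateway does not count."""
    opts = [l.strip() for l in config_text.splitlines() if l.strip() and not l.startswith("#")]
    opts += pushed_options(log_line)
    for o in opts:
        if o.startswith("redirect-gateway"):
            return True
        if re.match(r"route\s+0\.0\.0\.0\s+0\.0\.0\.0(\s|$)", o):
            return True
    return False
```

    Checking the log this way tells you only that the client received a default route; whether Internet traffic is then dropped or proxied still depends on the firewall, masquerading and web filter settings on the UTM described above.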

  • Hello,

    here is my configuration file:

    ip-win32 dynamic
    client
    dev tun
    proto tcp
    remote XXX.XXX.XXX.XXX 43443
    tls-remote "C=de, L=XXXX, O=XXXX, CN=XXXX, emailAddress=test@tester.de"
    route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    auth-user-pass
    cipher AES-128-CBC
    auth MD5
    comp-lzo
    route-delay 4
    verb 3
    reneg-sec 0
    <ca>
    Certificate:
        Data:

  • "you can include Internet IPv4 and/or IPv6 in your VPN local networks configuration"

    And how can I do that?

  • See this picture; you can do this from the UTM.

    In my case I use a group to determine who gets this.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Great it works.

    Thanks a lot.