Sophos UTM Remote Access SSL VPN for specific Services / specific Country

Hello,

I have set up remote SSL VPN on my Sophos UTM with Auto Firewall Rules activated.

When I check the Auto Firewall Rules, I see this created rule:

ssluser - Any - Internet IPv4

I would like to define specific services and not allow Any.

I would like the VPN users to be able to surf over the UTM's web proxy, use email over the UTM, and messaging, but not be able to access the internal LAN devices.

Additionally, I would like to know if it's possible with the UTM to allow the remote SSL connection just from a specific country and not from everywhere?

Thanks a lot!

Best regards

Sally

  • Hello Sally,

    Please show a picture of the Edit of your SSL VPN Profile.  Also, a picture of the 'Allowed Networks' in the Web Filtering Profile.

    Cheers - Bob

  • In reply to BAlfson:

    Hello Bob,

    thanks a lot for your reply. Please see the information here:

    Best regards

    Sally

  • Do you have just one user that accesses via SSL VPN Remote Access?  How many will connect from home?

    You already unchecked 'Automatic firewall rules', so you can make a rule just allowing the services you want.

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version in German, initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

  • In reply to BAlfson:

    Hello Bob,

    thanks for the update. I will have 2 different users connecting via SSL VPN Remote Access.

    In the VPN policy, is Internet IPv4 then correct? And only if a user would need to access the internal LAN, I would change it there to Any?

    Can you please let me know if it's possible to allow the Remote Access SSL VPN just from specific countries? As you can see in the VPN settings, the interface address is Any as well. But if I have activated Country Blocking under Network Protection - Firewall - Country Blocking and set the value From, does this have the highest priority, meaning VPN remote SSL connections from the specified countries will not be possible anyhow?

    Thanks

    Best regards

    Sally

  • In reply to Sally:

    Here's what I would do:

    1. Change the port from 443 to 1443.
    2. Create Host definitions for the users with their public IPs.  Put these objects in a Network Group named "SSL VPN Users."
    3. Create a NAT rule like 'NoNAT : SSL VPN Users -> {port 1443} -> External (Address)'.
    4. Create a "blackhole NAT" like 'DNAT : Internet IPv4 -> {port 1443} -> External (Address) : to {240.1.1.1}'.

    Does that do what you need?

    Another approach would be to configure One-Time Passwords for the users and that would prevent anyone else from gaining access.

    Cheers - Bob

  • In reply to BAlfson:

    Hello Bob,

    thanks a lot for the information. Regarding point 2: so I would have to create host definitions with every public IP or range? That's a lot, as the IPs of cell phone providers and public hotspots, for example, change frequently. Is there not somehow an option to say, for instance, just allow SSL connections from Germany?

    Best regards

    Sally

  • In reply to Sally:

    I thought this was a work-from-home situation, but, you're right, that approach wouldn't be practical for you.

    The way Country Blocking works, there's also no solution for you with it.

    The One-Time Password approach seems to be your best bet.

    Still, I would change the SSL VPN port to 1443.  I also like to set the User Portal to 2443.  Having those on 443 can create future difficulties with configuring.

    Cheers - Bob
    PS I worked for a year at IBM Deutschland in Berlin.

  • In reply to BAlfson:

    Thanks a lot Bob for the Update on this. 

    I will test One-Time Passwords to see how it goes :)

    Thank You!

    Best regards

    Sally

    PS Well, Berlin is a super cool city :)

  • In reply to BAlfson:

    Hello Bob,

    I have now created, for testing, the host definitions with the public IPs and added them to a Network Group.

    Created the NoNAT rule and the DNAT blackhole NAT rule.

    Please see here:

    When I enable both NAT rules and try to connect from the SSL client (checked the created host's IP), I don't get connected and get this in the firewall log:

    Default DROP TCP 84.x.x.x:18719 → 240.1.1.1:1443

    When I disable the DNAT blackhole NAT rule, the SSL connection works again, but other IPs can then connect again as well.

    I'm not sure if the action for the DNAT is correct? Or did I miss something else?

    Thanks

    Sally
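As an added illustration of Bob's four-step NoNAT/blackhole-DNAT procedure above and of the 'Default DROP ... → 240.1.1.1:1443' log line Sally then saw, here is a small model of how such a NAT rule list behaves. This is example code written for this page, not Sophos code and not taken from the thread; it assumes that NAT rules are evaluated top-down with first match winning, that a NoNAT match ends NAT processing, that the packet filter then sees the rewritten destination, and that nothing accepts traffic to 240.1.1.1, so it falls through to the default drop. The WAN address 203.0.113.10, the allowlisted client 198.51.100.23 and the stranger 192.0.2.99 are constructed documentation addresses.

```python
"""
Toy model of a NAT + packet-filter pass for an 'explicit NoNAT exception above a
catch-all blackhole DNAT' allowlist. Constructed example; all addresses are
documentation ranges and the rule semantics are stated assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SSL_VPN_PORT = 1443                                        # Bob's suggested port (moved off 443)
EXTERNAL = ipaddress.ip_address("203.0.113.10")            # assumed "External (Address)"
BLACKHOLE = ipaddress.ip_address("240.1.1.1")              # reserved 240/4 space, never routed
ALLOWED_USER = ipaddress.ip_network("198.51.100.23/32")    # one host definition in "SSL VPN Users"
INTERNET_IPV4 = ipaddress.ip_network("0.0.0.0/0")          # the "Internet IPv4" object


@dataclass
class NatRule:
    name: str
    action: str                                  # "nonat" or "dnat"
    src: List[ipaddress.IPv4Network]
    dport: int
    dst: ipaddress.IPv4Address
    to: Optional[ipaddress.IPv4Address] = None   # DNAT target; unused for nonat


def apply_nat(rules, src_ip, dst_ip, dport):
    """First matching NAT rule wins (assumption). Returns (new_dst, matched_rule_name)."""
    for r in rules:
        if dport != r.dport or dst_ip != r.dst:
            continue
        if not any(src_ip in net for net in r.src):
            continue
        if r.action == "nonat":
            return dst_ip, r.name          # explicit exception: leave the packet untouched
        return r.to, r.name                # dnat: rewrite the destination
    return dst_ip, None


def packet_filter(dst_ip, dport):
    """Only the UTM's own SSL VPN listener on External is allowed; everything else hits default drop."""
    if dst_ip == EXTERNAL and dport == SSL_VPN_PORT:
        return "ACCEPT"
    return "Default DROP"


def evaluate(rules, src, dport=SSL_VPN_PORT):
    """Run one inbound SYN from `src` to External:dport through NAT, then the filter."""
    src_ip = ipaddress.ip_address(src)
    new_dst, matched = apply_nat(rules, src_ip, EXTERNAL, dport)
    return packet_filter(new_dst, dport), str(new_dst), matched


def drop_log_line(src, sport, dst, dport):
    """Mirrors the shape of the firewall-log line quoted in the thread."""
    return f"Default DROP TCP {src}:{sport} -> {dst}:{dport}"


NONAT = NatRule("NoNAT SSL VPN Users", "nonat", [ALLOWED_USER], SSL_VPN_PORT, EXTERNAL)
BLACKHOLE_DNAT = NatRule("Blackhole DNAT", "dnat", [INTERNET_IPV4], SSL_VPN_PORT, EXTERNAL,
                         to=BLACKHOLE)

BOB_ORDER = [NONAT, BLACKHOLE_DNAT]        # exception sits above the catch-all
SWAPPED_ORDER = [BLACKHOLE_DNAT, NONAT]    # catch-all first: the NoNAT line is never reached

if __name__ == "__main__":
    for label, rules in (("Bob's order", BOB_ORDER), ("swapped", SWAPPED_ORDER)):
        for client in ("198.51.100.23", "192.0.2.99"):
            verdict, dst, rule = evaluate(rules, client)
            print(f"{label:12} {client:15} -> {verdict:12} dst={dst} via {rule}")
    print(drop_log_line("192.0.2.99", 18719, BLACKHOLE, SSL_VPN_PORT))
```

In the model, the allowlisted client connects only when the NoNAT exception is matched before the blackhole DNAT; with the order swapped, the exception is never consulted and even the allowlisted address ends up as a drop to 240.1.1.1:1443, which is the same shape of log line Sally reported. The same symptom appears whenever the NoNAT rule fails to match for any reason (wrong source object, wrong port, or too narrow an interface selection), so that log line says "the exception did not fire", not "the DNAT action is wrong".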

  • In reply to Sally:

    Those look good.  Do you have this?

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    Do I really need Any here, or could I also use the External WAN interface?

    Best regards

    Sally

  • In reply to Sally:

    I like "Any" here.

    Cheers - Bob

  • In reply to BAlfson:

    Any it is :) And working now!

     

    Thanks Bob

    Best regards

    Sally