I have set up remote SSL VPN on my Sophos UTM with Auto Firewall Rules activated.
When I check the Auto Firewall Rules, I see this created rule:
ssluser - Any - Internet IPv4
I would like to define specific services and not allow Any.
I would like the VPN users to be able to surf over the UTM's Web Proxy, use email over the UTM, and messaging, but not be able to access the internal LAN devices.
Additionally, I would like to know if it's possible with the UTM to allow the remote SSL connection just from a specific country and not from everywhere?
Thanks a lot!
Please show a picture of the Edit of your SSL VPN Profile. Also, a picture of the 'Allowed Networks' in the Web Filtering Profile.
Cheers - Bob
In reply to BAlfson:
Thanks a lot for your reply. Please see the information here:
Do you have just one user that accesses via SSL VPN Remote Access? How many will connect from home?
You already unchecked 'Automatic firewall rules', so you can make a rule just allowing the services you want.
You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version in German, initially translated by fellow member hallowach when he and I did a major revision in 2013.
Thanks for the update. I will have 2 different users connecting via SSL VPN Remote Access.
In the VPN policy, is Internet IPv4 then correct? And only if a user needed to access the internal LAN would I change it there to Any?
Can you please let me know if it's possible to allow the Remote Access SSL VPN just from specific countries? As you can see in the VPN settings, the Interface Address is Any as well. But if I have activated Country Blocking under Network Protection - Firewall - Country Blocking and set the direction to From, does this have the highest priority, meaning VPN Remote SSL connections from the specified countries will not be possible anyway?
In reply to Sally:
Here's what I would do:
Does that do what you need?
Another approach would be to configure One-Time Passwords for the users and that would prevent anyone else from gaining access.
Thanks a lot for the information. Regarding point 2: so I would have to create host definitions for every public IP or range? That's a lot, as the IPs of cell phone providers and public hotspots, for example, change frequently. Is there not somehow an option to say, for instance, just allow SSL connections from Germany?
I thought this was a work-from-home situation, but, you're right, that approach wouldn't be practical for you.
The way Country Blocking works, there's also no solution for you with it.
The One-Time Password approach seems to be your best bet.
Still, I would change the SSL VPN port to 1443. I also like to set the User Portal to 2443. Having those on 443 can create future difficulties with configuring.
Cheers - Bob
PS I worked for a year at IBM Deutschland in Berlin.
Thanks a lot Bob for the Update on this.
I will test One-Time Passwords to see how it goes :)
PS Well, Berlin is a super cool city :)
For testing, I have now created the host definitions with the public IPs and added them to a network group.
Created NAT rules: NoNAT and DNAT blackhole NAT.
Please see here
When I enable both NAT rules and try to connect from the SSL client (I checked the created host's IP), I don't get connected and get this in the FW log:
Default DROP TCP
84.x.x.x:18719 → 240.1.1.1:1443
When I disable the DNAT blackhole NAT rule, the SSL connection works again, but other IPs can then connect again too.
I'm not sure if the Action for the DNAT is correct? Or did I miss something else?
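The post above describes the source-IP allow-list pattern for the SSL VPN port: a NoNAT rule exempts the known public IPs, and a DNAT blackhole rule redirects everyone else to an unroutable address (240.1.1.1) so the connection is dropped. The model below is an added example, not UTM code or anything posted in this thread, and it assumes NAT rules are evaluated top-down with the first match winning (true of the usual iptables-style implementation). Addresses, the allow list and the UTM's WAN IP are constructed from documentation ranges. It shows the intended outcome for an allowed and a non-allowed source, and also that swapping the two rules blackholes the allowed host too, which is one way a log line of the form "src → 240.1.1.1:1443 DROP" can arise in a first-match rule set; it is an illustration of the pattern, not a diagnosis of the poster's configuration.

```python
"""Model of the NoNAT + DNAT-blackhole allow-list pattern for an SSL VPN port.

Added example (not the UTM's code). Assumes ordered, first-match NAT
evaluation; all IP addresses below are constructed from documentation ranges.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

SSLVPN_PORT = 1443            # non-default port chosen in the thread
BLACKHOLE = "240.1.1.1"       # class E address: unroutable, so the packet is dropped
WAN_IP = "203.0.113.10"       # assumed public address of the UTM (constructed)

# Constructed allow list: the "host definitions" collected into a network group.
ALLOWED_SOURCES: Tuple[str, ...] = ("198.51.100.0/24", "203.0.113.200/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NatRule:
    name: str
    action: str                      # "nonat" leaves the packet alone, "dnat" rewrites dst
    sources: Tuple[str, ...]         # CIDRs; an empty tuple means "Any"
    dport: int
    proto: str = "tcp"
    to_dst: Optional[str] = None     # DNAT target

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or pkt.dport != self.dport:
            return False
        if not self.sources:          # "Any" source
            return True
        src = ip_address(pkt.src)
        return any(src in ip_network(cidr) for cidr in self.sources)


def apply_nat(rules: Sequence[NatRule], pkt: Packet) -> Tuple[Packet, Optional[str]]:
    """Walk the rule table top-down; the first matching rule decides the outcome."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "dnat":
                return replace(pkt, dst=rule.to_dst), rule.name
            return pkt, rule.name      # nonat: packet passes through untouched
    return pkt, None                   # no NAT rule matched at all


def outcome(rules: Sequence[NatRule], src: str, dport: int = SSLVPN_PORT) -> str:
    """'sslvpn' if the connection still targets the UTM, 'blackholed' if redirected."""
    out, _ = apply_nat(rules, Packet(src, WAN_IP, dport))
    return "sslvpn" if out.dst == WAN_IP else "blackholed"


NONAT = NatRule("NoNAT allowed sources -> UTM:1443", "nonat", ALLOWED_SOURCES, SSLVPN_PORT)
BLACKHOLE_DNAT = NatRule("DNAT Any -> UTM:1443 to 240.1.1.1", "dnat", (), SSLVPN_PORT,
                         to_dst=BLACKHOLE)

CORRECT_ORDER = (NONAT, BLACKHOLE_DNAT)   # exemption first, then the catch-all
WRONG_ORDER = (BLACKHOLE_DNAT, NONAT)     # catch-all first: NoNAT can never match


if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        for src in ("198.51.100.20", "192.0.2.77"):
            out, rule = apply_nat(rules, Packet(src, WAN_IP, SSLVPN_PORT))
            print(f"{label:13} {src:>15} -> {out.dst}:{out.dport}  ({rule})")
```

Traffic to any other port (443, for example) matches neither rule and is left for the ordinary firewall rules, which is why the blackhole pattern only gates the SSL VPN listener and not the User Portal or other services on the UTM.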
Those look good. Do you have this?
Do I really need Any here, or could I also use External WAN Interface?
I like "Any" here.
Any it is :) And working now!