
Sophos UTM Remote Access SSL VPN for specific Services / specific Country

Hello,

I have set up remote SSL VPN on my Sophos UTM with Auto Firewall Rules activated.

When I check the Auto Firewall Rules, I see this created rule:

ssluser - Any - Internet IPv4


I would like to define specific services and not allow Any.

I would like the VPN user to be able to surf over the UTM's web proxy, email over the UTM, and use messaging, but not access the internal LAN devices.


Additionally, I would like to know if it's possible with the UTM to allow the remote SSL connection just from a specific country and not from everywhere?


Thanks a Lot!


Best regards

Sally



  • Do you have just one user that accesses via SSL VPN Remote Access?  How many will connect from home?

    You already unchecked 'Automatic firewall rules', so you can make a rule just allowing the services you want.

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version in German, initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,


    thanks for the update. I will have 2 different users connecting via SSL VPN Remote Access.

    In the VPN policy, Internet IPv4 is then correct? And only if a user needed to access the internal LAN would I change it there to Any?

    Can you please let me know if it's possible to allow the Remote Access SSL VPN just from specific countries? As you can see in the VPN settings, the interface address is Any as well. But if I have activated Country Blocking under Network Protection - Firewall - Country Blocking and set the value From, does this have the highest priority, meaning VPN remote SSL connections from the specified countries will not be possible anyway?

    Thanks

    Best regards

    Sally


  • Here's what I would do:

    1. Change the port from 443 to 1443.
    2. Create Host definitions for the users with their public IPs.  Put these objects in a Network Group named "SSL VPN Users."
    3. Create a NAT rule like 'NoNAT : SSL VPN Users -> {port 1443} -> External (Address)'.
    4. Create a "blackhole NAT" like 'DNAT : Internet IPv4 -> {port 1443} -> External (Address) : to {240.1.1.1}'.

    Does that do what you need?

    Another approach would be to configure One-Time Passwords for the users and that would prevent anyone else from gaining access.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
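To make the interaction between steps 3 and 4 above concrete, here is an added Python model of first-match NAT evaluation; it is example code written for this thread, not Sophos UTM code or anything Bob posted. The "SSL VPN Users" addresses are constructed sample values, and the rule names and helper functions are assumptions; it shows that only sources in the group keep their real destination, while any other source (including a known user whose public IP has since changed) is rewritten to the unroutable 240.1.1.1.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data (assumption): public IPs the admin registered as
# Host definitions and placed in the "SSL VPN Users" network group.
SSL_VPN_USERS = [ipaddress.ip_network("203.0.113.10/32"),
                 ipaddress.ip_network("198.51.100.0/24")]
SSL_VPN_PORT = 1443        # the non-default port recommended in step 1
BLACKHOLE = "240.1.1.1"    # unroutable target of the blackhole DNAT in step 4


@dataclass
class NatRule:
    name: str
    kind: str                      # "NoNAT" or "DNAT"
    sources: list = field(default_factory=list)  # empty list = "Internet IPv4" (any source)
    port: int = SSL_VPN_PORT
    target: str = ""               # DNAT destination; unused for NoNAT


# The NAT table in the order of steps 3 and 4: the exception first, the catch-all second.
NAT_TABLE = [
    NatRule("NoNAT : SSL VPN Users -> {port 1443} -> External (Address)",
            "NoNAT", SSL_VPN_USERS),
    NatRule("DNAT : Internet IPv4 -> {port 1443} -> External (Address) : to {240.1.1.1}",
            "DNAT", [], SSL_VPN_PORT, BLACKHOLE),
]


def first_match(src_ip: str, dst_port: int):
    """Return the first NAT rule whose source and port match (first-match evaluation)."""
    src = ipaddress.ip_address(src_ip)
    for rule in NAT_TABLE:
        if rule.port != dst_port:
            continue
        if not rule.sources or any(src in net for net in rule.sources):
            return rule
    return None


def vpn_connection_outcome(src_ip: str, dst_port: int = SSL_VPN_PORT) -> str:
    """'reaches-vpn' if the packet keeps its real destination (NoNAT matched),
    'blackholed' if the catch-all DNAT rewrote it, 'no-nat-rule' if nothing matched."""
    rule = first_match(src_ip, dst_port)
    if rule is None:
        return "no-nat-rule"
    return "blackholed" if rule.kind == "DNAT" else "reaches-vpn"
```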
  • Hello Bob,

    thanks a lot for the information. Regarding point 2, so I would have to create host definitions for every public IP or range? That's a lot, as the IPs of cell phone providers and public hotspots, for example, frequently change. Is there not somehow an option to say, for instance, just allow SSL connections from Germany?

    Best regards

    Sally


  • I thought this was a work-from-home situation, but, you're right, that approach wouldn't be practical for you.

    The way Country Blocking works, there's also no solution for you with it.

    The One-Time Password approach seems to be your best bet.

    Still, I would change the SSL VPN port to 1443.  I also like to set the User Portal to 2443.  Having those on 443 can create future difficulties with configuring.

    Cheers - Bob
    PS I worked for a year at IBM Deutschland in Berlin.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks a lot, Bob, for the update on this.

    I will test One-Time Passwords to see how it goes :)

    Thank You!

    Best regards

    Sally

    PS Well, Berlin is a super cool city :)
