Limit a single SSL VPN user to three servers

We need to give a contractor access to his three servers behind our UTM. If we allow him to connect using the SSL VPN, how do we limit his access to the three servers?

  • Hi Steven,

    Just create an SSL VPN profile for the specific user and put the three servers under allowed networks.
    Untick automatic firewall rule and create a firewall rule under Network Protection where you use the user network object, the three servers and the desired ports that are needed.

    Best Regards
    DKKDG

  • Agreed with apijnappels - I once checked with iptables and found that the automatic rules were limited as he says.  Today, you can check that by looking at "All" rules.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That is correct, but an automatic firewall rule opens all ports to the defined hosts/networks.

    If I want a user to have just web access, I cannot work with the automatic firewall rule alone.

    E.g. my server is a Linux server with an Apache where a CMS system runs, plus SSH access for the admin.

    With the automatic firewall rule the user has the opportunity to log in via SSH. I know he needs the credentials, but the access is there.

    If I use the manual firewall rule I can restrict this access to HTTP/S only.

    Best Regards
    DKKKDG
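To make the difference between the two rule styles concrete, here is a small policy evaluator that models the automatic rule (any protocol, any port to the three servers) next to the manual rule (TCP 80/443 only). It is an added example, not code from the thread or from Sophos UTM; the VPN pool, server addresses and client address are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    """One allow rule: source network -> set of destination hosts."""
    src: object                          # ip_network of the SSL VPN user pool
    dsts: FrozenSet[object]              # allowed destination addresses
    proto: Optional[str] = None          # None = any protocol
    ports: Optional[FrozenSet[int]] = None  # None = any port

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dsts
                and (self.proto is None or self.proto == proto)
                and (self.ports is None or port in self.ports))


def allowed(rules, src: str, dst: str, proto: str, port: int) -> bool:
    """Default deny: the flow passes only if some rule matches it."""
    return any(r.matches(src, dst, proto, port) for r in rules)


# Constructed sample values (assumptions, not from the thread).
VPN_POOL = ip_network("10.242.2.0/24")           # contractor's SSL VPN pool
SERVERS = frozenset(ip_address(a) for a in
                    ("192.168.10.11", "192.168.10.12", "192.168.10.13"))
CLIENT = "10.242.2.5"                            # contractor's VPN address

# "Automatic firewall rule": every port to the allowed networks.
AUTOMATIC = [Rule(VPN_POOL, SERVERS)]
# Manual rule under Network Protection: user network -> servers, HTTP/S only.
MANUAL = [Rule(VPN_POOL, SERVERS, "tcp", frozenset({80, 443}))]


def ssh_exposed(rules) -> bool:
    """True if the VPN user could reach SSH on any of the three servers."""
    return any(allowed(rules, CLIENT, str(s), "tcp", 22) for s in SERVERS)


def web_reachable(rules) -> bool:
    """True if the VPN user can reach HTTPS on all three servers."""
    return all(allowed(rules, CLIENT, str(s), "tcp", 443) for s in SERVERS)
```

Both rule sets let the contractor reach the web service, but only the manual one closes the SSH path that the automatic rule leaves open, and neither lets him reach a host outside the three servers.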
