Conditional Firewall rules for remote access users/devices

Currently we use VPN SSL remote access with automatic firewall rules. The access is limited only to members of a certain AD (ActiveDirectory) group.

Now I would like to use two AD groups where members of the one group have firewall rules which give them full access (all services). Those users for example have a company notebook which has trustworthy security software, etc. Users of the other group should only be allowed to access RDP (Remote Desktop) because they connect from a private/home workstation where I cannot verify which security standards are used and I only want to allow them RDP.

The next level I could imagine would be conditional fw rules for certain devices. Is it possible to identify remotely accessing notebooks and giving them different fw rules?

  • Hi Chris,

    ChrisSoukup said:

    Now I would like to use two AD groups where members of the one group have firewall rules which give them full access (all services). Those users for example have a company notebook which has trustworthy security software, etc. Users of the other group should only be allowed to access RDP (Remote Desktop) because they connect from a private/home workstation where I cannot verify which security standards are used and I only want to allow them RDP.

    For this requirement you can use "User Network" objects or "User Group Network" objects.

    ChrisSoukup said:

    The next level I could imagine would be conditional fw rules for certain devices. Is it possible to identify remotely accessing notebooks and giving them different fw rules?

    One solution is to use Authentication Agents on those notebooks. You could create one local user account for every notebook. The "User Network" object for these accounts could identify the remote notebooks.

    regards

    mod

  • I like mod's suggestions, Chris, but wanted to add another, possible direction.

    This requires syncing the second group (call them "RDP Only") to the UTM and creating a second SSL VPN Profile without automatic firewall rules for the "RDP Only" Backend Group. You then make a firewall rule like 'RDP Only (User Group Network) -> RDP -> Internal (Network) : Allow'. You might instead have to create a separate Network group containing the "User Network" objects for the users, but try the User Group Network first and confirm here whether it worked in your firewall rule.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
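To make the two-profile design concrete, here is an added Python model of how the rule base Bob describes behaves once the groups are synced. This is example code written for this thread, not Sophos UTM code or anything from the product: the group names "Full Access" and "RDP Only", the VPN pool 10.242.2.0/24, the internal network 192.168.10.0/24 and the user names are all constructed assumptions. The useful detail it shows is that a "User Group Network" object resolves only to the VPN addresses of members who are currently logged in, and that anything the "RDP Only" rule does not explicitly allow falls through to the default drop.

```python
"""Model of a two-group SSL VPN policy with first-match firewall rules.

Constructed example (not Sophos UTM code). "User Group Network" objects
are modelled as the set of VPN addresses currently leased to members of
an AD group; a rule matches when the source address is in that set, the
destination is in the rule's network and the service is permitted.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, FrozenSet, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str                              # "User Group Network" the rule keys on
    dst_net: str                                # destination network in CIDR notation
    services: Optional[FrozenSet[Tuple[str, int]]]  # {(proto, port)}; None = any service
    action: str                                 # "allow" or "drop"


# Constructed AD group membership as it would be synced to the UTM.
GROUP_MEMBERS = {
    "Full Access": frozenset({"alice"}),
    "RDP Only": frozenset({"bob", "carol"}),
}

# Constructed SSL VPN leases: only users connected right now hold an address.
# carol is a member of "RDP Only" but is offline, so she has no lease.
ACTIVE_LEASES = {"alice": "10.242.2.10", "bob": "10.242.2.11"}

INTERNAL = "192.168.10.0/24"  # assumed internal network

# First-match rule base. The "Full Access" profile's automatic rules are
# represented by the any-service rule; the second profile has no automatic
# rules and relies on the explicit RDP-only rule. Unmatched traffic is dropped.
RULES = [
    Rule("Full Access -> Any -> Internal", "Full Access", INTERNAL, None, "allow"),
    Rule("RDP Only -> RDP -> Internal", "RDP Only", INTERNAL,
         frozenset({("tcp", 3389)}), "allow"),
]


def group_network(group: str) -> set:
    """Resolve a "User Group Network" object to the VPN addresses of the
    group's members that are logged in. Offline members contribute nothing,
    so the object can legitimately be empty."""
    return {ACTIVE_LEASES[u] for u in GROUP_MEMBERS.get(group, ()) if u in ACTIVE_LEASES}


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (action, rule_name) for one packet, walking RULES top to bottom."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in RULES:
        if src not in {ip_address(a) for a in group_network(rule.src_group)}:
            continue
        if dst not in ip_network(rule.dst_net):
            continue
        if rule.services is not None and (proto, port) not in rule.services:
            continue
        return rule.action, rule.name
    return "drop", "default"


if __name__ == "__main__":
    probes = [
        ("10.242.2.10", "192.168.10.5", "tcp", 22),    # alice, SSH: allowed
        ("10.242.2.11", "192.168.10.5", "tcp", 3389),  # bob, RDP: allowed
        ("10.242.2.11", "192.168.10.5", "tcp", 22),    # bob, SSH: dropped
        ("10.242.2.11", "192.168.20.5", "tcp", 3389),  # bob, RDP to other net: dropped
    ]
    for p in probes:
        print(p, "->", evaluate(*p))
```

Running the block prints one line per probe; the third and fourth probes land on the default drop, which is the check worth repeating in the real rule base after the second profile is in place (an "RDP Only" user trying anything other than TCP/3389 into the internal network should be logged as dropped).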
  • Also consider that the RDP users could be switched from SSL VPN to HTML5 VPN with an RDP resource option. The objection may be that it does not provide a print-to-session solution.