SSO-principle for Windows domain using VPN is not complete?

I have found out that the UTM does not fully support SSO in some situations for VPN connections from Windows 10.

The nearest I have come so far is using L2TP over IPsec, where the user on the Windows login screen can select to connect the VPN and log on simultaneously. STAS on the DC catches the logon event and reports it to the UTM, and you can then use user-based firewall rules.

One advantage of using L2TP is that the method is supported on the Windows logon screen, which means that the Windows logon procedure is a domain logon connected to the DC from the start.

The downside of using L2TP over IPsec is that it is not configurable which networks should use the tunnel; only routes for the UTM's local networks are forwarded to the client. I have found this thread where Sophos says that "PPTP and L2TP are not designed to be used in split tunnel setups." But later comments say that it is done elsewhere. So is it possible? If that worked, I would like to configure ANY networks.

Since L2TP is not working for me I started to look for other solutions, like SSL VPN, where you can configure local networks. Here it works using ANY networks.

The downside of using SSL VPN is that it does not support SSO. You have to use the authentication agent and enter your username and password a second time in order to use user-based firewall rules.

Is there a solution to achieve true SSO for VPN connections for Windows?

  • Erik, if the Windows 10 device is a member of the domain, and the user logs onto the device as a member of the domain, then SSO should work once the user connects via VPN to the UTM. Full/split tunnel should have nothing to do with it in Standard mode in Web Filtering, but will affect browsing in Transparent mode. PPTP and L2TP/IPsec can be used with Split or Full tunnels.

    Cheers - Bob

  • In reply to BAlfson:

    Yesterday I found that STAS(?) is catching the login using SSL VPN (without the authentication agent installed), which makes user-based firewall rules work. For comparison, this is not working when using the Sophos commercial IPsec client.

    The disadvantage of using the SSL VPN client is that it connects after the user has logged on locally. And you also have to pass your credentials again.

    Using IP over L2TP at the Windows logon screen means that the Windows domain logon process is made after the L2TP VPN has connected, letting the client talk to the DC and do the same things as when it is connected to the DC over the LAN. And you only need to pass your logon credentials once.

    My concern about L2TP is that you cannot specify which networks should be reachable over the VPN connection. The default, non-configurable setting is only routes for the UTM's local networks. So, for example, you cannot specify all networks for IPsec over L2TP (which I want to achieve). This works for SSL VPN, but as said earlier, it connects after the user has logged on.


  • In reply to ErikFranzén:

    One clarification:

    I have two UTMs connected via a site2site VPN. When I am L2TP connected I cannot ping any networks on the remote UTM. If I manually add a route on the Windows client computer for the remote networks, using the L2TP-connected UTM as gateway, it is working.

  • In reply to ErikFranzén:

    With L2TP/IPsec, the UTM should pass routes to the client for all subnets known to it (defined on an Interface). You determine which subnets are available with firewall rules. If the L2TP/IPsec client chooses to use the UTM as its default gateway, then there will be a full tunnel.

    Cheers - Bob

  • In reply to BAlfson:

    How do I define subnets on the interface for L2TP over IPSec? Using firewall rules???

    If the UTM A which I connect L2TP to has the following net:

    UTM A network:

    UTM B using has one VPN-site-2-site to UTM A

    How should I make one firewall rule to configure the L2TP connection to be full tunneled?

  • In reply to ErikFranzén:

    I found this thread: L2TP/IPsec: pushing routing table down to a VPN client which says that Sophos implementation of L2TP does not support what I want to achieve.

  • In reply to ErikFranzén:

    It wasn't clear initially that the other subnet wasn't "defined on an Interface" of the UTM serving L2TP/IPsec. You are correct that the UTM cannot push routes to L2TP/IPsec clients that WebAdmin does not know automatically.

    Cheers - Bob

  • In reply to BAlfson:

    It's a pity, because it seems possible according to this proposal, which Sophos rejected, but in the following discussion it seems technically possible.

  • In reply to ErikFranzén:

    Interesting, Erik!

    That led me to do a Google search where I found Pushing static routes to clients. It appears that you can use Windows DHCP to push static routes to PPTP and L2TP/IPsec clients.

    Let us know if that works for you and what "tricks" you had to use.

    Cheers - Bob
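Bob's last reply points at pushing static routes to the VPN clients from Windows DHCP. As an added example, not code from the thread or from Sophos, the following Python encodes and decodes the RFC 3442 classless static route payload that DHCP option 121 carries (Windows DHCP server offers the same wire format in its Microsoft-specific option 249), so you can build the blob for a split or full tunnel and check what a client would install. The subnets are constructed and the pool gateway 10.242.3.1 is an assumption, not a value from the thread.

```python
import ipaddress

# RFC 3442 classless static route payload (DHCP option 121; Windows DHCP
# server ships the same wire format as its Microsoft-specific option 249).
# Each entry: prefix length (1 byte), the significant destination octets
# (ceil(prefixlen / 8) bytes), then the 4-byte router address.
# Per RFC 3442 a client that understands option 121 ignores option 3
# (Router), so a 0.0.0.0/0 entry is what turns the tunnel into a full tunnel.

def encode_classless_routes(routes):
    """routes: iterable of (destination_cidr, router) -> option payload bytes."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # rejects host bits set
        sig = (net.prefixlen + 7) // 8                  # significant octets
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    if len(out) > 255:
        raise ValueError("payload exceeds a single DHCP option (255 bytes)")
    return bytes(out)

def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; raises ValueError on malformed data."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        sig = (plen + 7) // 8
        if len(payload) - i < 1 + sig + 4:
            raise ValueError(f"truncated route entry at offset {i}")
        dest = payload[i + 1:i + 1 + sig] + b"\x00" * (4 - sig)
        router = payload[i + 1 + sig:i + 5 + sig]
        routes.append((str(ipaddress.IPv4Network((dest, plen))),
                       str(ipaddress.IPv4Address(router))))
        i += 1 + sig + 4
    return routes

# Constructed sample: the UTM's own LAN, a subnet behind the remote UTM's
# site-to-site tunnel, and a default route to force a full tunnel. The VPN
# pool gateway 10.242.3.1 is an assumption, not a value from the thread.
SAMPLE_ROUTES = [
    ("10.10.0.0/16", "10.242.3.1"),
    ("172.16.5.0/24", "10.242.3.1"),
    ("0.0.0.0/0", "10.242.3.1"),
]
```

`encode_classless_routes(SAMPLE_ROUTES).hex()` gives the binary value to enter for the option; decoding it back is a quick way to confirm the routes the client will actually receive.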