
SSO-principle for Windows domain using VPN is not complete?

Have found out that UTM does not fully support SSO in some situations for VPN connections for Windows 10.

The nearest I have come so far is using L2TP over IPsec, where the user on the Windows login screen can select to connect VPN and log on simultaneously. STAS on the DC catches the logon event and reports it to the UTM, and you can then use user-based firewall rules.

One advantage using L2TP is that the method supports L2TP on the Windows log on screen which means that the Windows logon procedure is a domain logon connected to the DC from start.

The downside of using L2TP over IPsec is that it is not configurable which networks should use the tunnel; only routes for UTM local networks are forwarded to the client. Have found this thread where Sophos says that "PPTP and L2TP are not designed to be used in split tunnel setups." But later comments say that it is done elsewhere. So is it possible? If that worked I would like to configure ANY networks.

Since L2TP is not working for me I started to look for other solutions, like SSL VPN, where you can configure local networks. Here it works using ANY networks.

The downside of using SSL VPN is that it does not support SSO. You have to use the authentication agent and configure your username and password a second time in order to use user-based firewall rules.

Is there a solution to achieve true SSO for VPN connections for Windows?



  • Erik, if the Windows 10 device is a member of the domain, and the user logs onto the device as a member of the domain, then SSO should work once the user connects via VPN to the UTM.  Full/split tunnel should have nothing to do with it in Standard mode in Web Filtering, but will affect browsing in Transparent mode.  PPTP and L2TP/IPsec can be used with Split or Full tunnels.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yesterday I found that STAS(?) is catching the login using SSL VPN (without installed authentication agent), which makes user-based firewall rules work. For comparison, this is not working when using the Sophos commercial IPsec client.

    The disadvantage of using the SSL VPN client is that it connects after the user has logged on locally. And you also have to pass your credentials again.

    Using IP over L2TP at the Windows logon screen means that the Windows domain logon process is made after the L2TP VPN has connected, letting the client talk to the DC doing the same things as when LAN-connected to the DC. And you only need to pass your logon credentials once.

    My concern about L2TP is that you cannot specify which networks should be reachable over the VPN connection. The default non-configurable setting is only routes for UTM local networks. So for an example, you cannot specify all networks for IPsec over L2TP (which I want to achieve). This works for SSL VPN, but as said earlier, it connects after the user has logged on.

    BR
    /Erik

  • One clarification:

    I have two UTMs connected via site-to-site VPN. When I am L2TP connected I cannot ping any networks on the remote UTM. If I manually add a route in the Windows client computer for the remote networks using the L2TP-connected UTM as gateway, it is working.

  • With L2TP/IPsec, the UTM should pass routes to the client for all subnets known to it (defined on an Interface).  You determine which subnets are available with firewall rules.  If the L2TP/IPsec client chooses to use the UTM as its default gateway, then there will be a full tunnel.

    Cheers - Bob

  • Okay?

    How do I define subnets on the interface for L2TP over IPsec? Using firewall rules???

    If the UTM A which I connect L2TP to has the following net:

    UTM A network: 192.168.1.0/24

    UTM B using 192.168.2.0/24 has one VPN-site-2-site to UTM A

    How should I make one firewall rule to configure the L2TP connection to be full tunneled?
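The manual-route workaround from the clarification post above and the full-tunnel question here can both be expressed on the Windows side with the built-in VPN cmdlets. This is an added example, not code from the thread or from Sophos; the connection name, server address and PSK are placeholders, and the two subnets are the ones given in the question.

```powershell
# Added example (not from the thread or Sophos): configure the Windows
# built-in L2TP/IPsec client so that 192.168.2.0/24 behind UTM B is reachable
# through UTM A, either as a full tunnel or as a split tunnel with explicit
# routes bound to the profile. All names, addresses and the PSK are placeholders.
$Conn       = 'UTM-A L2TP'            # connection name (placeholder)
$Server     = 'vpn.example.invalid'   # UTM A public address (placeholder)
$Psk        = '<preshared-key>'       # L2TP/IPsec PSK (placeholder)
$FullTunnel = $false                  # $true = all traffic via UTM A

# -AllUserConnection stores the profile machine-wide, which is what makes it
# selectable from the Windows logon screen (the pre-logon flow described
# above). -RememberCredential is deliberately not set, so no credentials are
# cached on the client.
Add-VpnConnection -Name $Conn -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $Psk -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -AllUserConnection -Force

if ($FullTunnel) {
    # Full tunnel: the client uses UTM A as its default gateway, so the
    # site-to-site subnet needs no client-side route. Which subnets are
    # actually reachable is then decided by the UTM firewall rules.
    Set-VpnConnection -Name $Conn -SplitTunneling $false -AllUserConnection
}
else {
    # Split tunnel: only the listed prefixes go through the tunnel, the rest
    # stays on the local default gateway. Binding the routes to the profile
    # replaces adding them by hand after every connect.
    Set-VpnConnection -Name $Conn -SplitTunneling $true -AllUserConnection
    foreach ($prefix in '192.168.1.0/24', '192.168.2.0/24') {
        Add-VpnConnectionRoute -ConnectionName $Conn -DestinationPrefix $prefix `
            -AllUserConnection
    }
}

# Show what the profile will install when it connects.
Get-VpnConnection -Name $Conn -AllUserConnection |
    Format-List Name, TunnelType, SplitTunneling, Routes
```

The routes only take effect for the profile they are attached to, so `-AllUserConnection` must be given consistently on every cmdlet; a route added to a per-user profile of the same name will not be installed by the machine-wide one used at the logon screen.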
