Controlling Remote SSL Clients

Hi,


I am having an issue controlling remote SSL VPN clients with VNC or RDP. Users connect to our XG firewall (Version 17.5.8 MR 8) just fine and can access all services on the local LAN from home. I want to be able to VNC or RDP into their PCs from the local LAN, but it seems like there is a block between the local LAN going back to the SSL VPN client network. I have tried every kind of firewall rule to connect these two networks. I used to use the Sophos IPSec VPN clients on V9 and this process worked just fine. Since upgrading to XG and SSL VPN clients it does not work. Does anyone know if this is blocked by design or if I am doing something wrong? Any help would be appreciated. Thanks.


Jae

Local LAN 192.168.1.x
SSL VPN 10.10.10.x

  • Hi  

    Please enable "Use as default gateway" from SSL VPN remote access configuration and create VPN to VPN firewall rule and verify.

  • In reply to Keyur:

    Thank you for the info but this creates a full tunnel with all traffic going through our network. This does not work for us as the traffic is too much and slows our entire network down. We need a split tunnel to be productive. Is there another way to configure this? Thanks.

    Jae

  • In reply to Jae Lupo:

    Hi  

    Unfortunately, there is no alternative to this.

    You could create a separate SSL VPN policy for those specific users and enable full tunnel.

  • In reply to Keyur:

    Keyur,

    I tried your solution (enable "Use as default gateway") and the connected clients could not see any network resources, either by name or IP address. Does anyone else have a solution for this issue? I know there is a setting missing here, and I don't need a full tunnel for this to work as it worked on UTM 9 with an IPSec client with no problems. Thanks.

  • In reply to Jae Lupo:

    Hi,

    Define the host (IP subnet, because the IP range does not work), e.g. "sslVPN-IP IP subnet 10.10.10.0/255.255.255.0 IPv4". Add this subnet in the SSL VPN remote access definition as Permitted network resources (IPv4). Define the firewall network rule for VPN:
    Source zone: LAN + VPN, any, any. Destination zone: VPN + LAN, any, any.
    NAT & routing: do not select.
    It should work as you wanted.

    Regards
    Jan

  • In reply to JanSadlik:

    Jan,

    You are brilliant!! Thank you so much for this fix. This works perfectly and I still have a split tunnel SSL VPN and I can control and help all my remote users safely and securely. You are the best!

    Jae

  • In reply to Keyur:

    Keyur,

    I would read the solution to this thread so you can inform users properly in the future. I knew this was possible without a full tunnel (which didn't work, by the way); I just needed the right settings.

    Jae

  • In reply to Jae Lupo:

    Hi  

    Thank you for updating the thread with the solution.

    Thank you for sharing your expertise, much appreciated.

    I have tested the "Use Default Gateway" option in my local lab and was able to achieve your requirements, and suggested accordingly.

    Glad to know that the issue got resolved and community members are helping each other.