Assigning static IP to SSL VPN users

Hi!

Is there a way that Sophos XG firewall can give a specific IP for a specific SSL VPN client?

Sometimes when working with SSL VPN it is nice to have a way to tell the SSL VPN server that you’d like to get the same IP address each time you connect to it, or in other words you’d like to get a static IP address instead of a dynamic one from the IP pool.

One example is that I have an old ERP that must send documents to the VPN client's printer using an IP. (That ERP doesn't accept RDP printer redirection.)

I am moving from pfSense to Sophos.

In pfSense I just have to override the client setting ... like ifconfig-push 20.0.0.16 255.255.255.0;

Is that possible? Do I have to try another VPN solution in Sophos XG? (L2TP/IPsec?)

Why am I trying to use SSL VPN? It can use UDP. UDP connections are usually faster than TCP (my clients have poor links). Some of my clients are behind a 3rd firewall that I don't have control of (and UDP 8443 is open).

Best Regards

Romanek



    • One way would be possible quite easily. 

      SNAT via policy. Using a User in Zone VPN, SNAT to a specific IP. So the Client will always access all internal resources via IP X. (One Way). 

      Maybe that's enough for your setup?

      • Hi Lucar,

        Thanks for your reply.

        It must be an internal server accessing a VPN user IP.

        The internal server must know the VPN user IP, but the way that SSL VPN works, the VPN user IP changes a lot (DHCP pool), so the server can't send the document to the client.

        So I think it is not SNAT, but DNAT. I saw DNAT rules ... but the destination box is a static IP and not a VPN user.

        • My workaround only works with SNAT (from SSLVPN to Server). 

          Maybe you can rework the need for this access? Why does the server need a static IP to a certain user? What is the use case? Sometimes, there is a better solution for this? 

          Maybe you could move to Sophos Connect (IPsec). IPsec is able to use Static IPs.

          • LuCar Toni,

            The server needs a static IP because it is an old ERP system that uses a static IP to send some reports to that static-IP printer in the client VPN.

            If I use Sophos Connect (to have a static IP), what will happen when that VPN user uses a web browser to navigate to the Internet? Will that traffic go to the local link, or through the VPN and then to the Internet using the main office link? I would like that web browser traffic to go using the local link (in this case).

            Thank you

            • Since the SSL VPN is passing the configuration to the client, a static IP should not require so much effort from the Sophos team. This is another workaround on XG to deal with and, to be honest, customers are not happy with that.