
Restrict User Portal Access to specific FQDN

Hey there,

 

Currently, I need to configure my XG to accept connections to the VPN User Portal over WAN only through the configured hostname. At the moment, the firewall accepts all connections from every possible subdomain on my registered address (like domain.com:Port / test.domain.com:port / xyz.domain.com:Port).

Is there any way to restrict the accessibility only to the FQDN which I have configured in the setup assistant (gateway.domain.com:Port)?

 

Thanks,

daxfox2172



This thread was automatically locked due to age.
  • Hi  

    Do you want to allow specific VPN users to connect to an FQDN/Domain/URL?

    You may configure a VPN rule for that domain/IP to allow specific VPN users to access it.

    Please share more information on the packet flow so we can understand the scenario.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • Hi,

     

    Well, I want to configure my firewall so that it won't answer on any accessible subdomain which I have enabled in my DNS zone file at my hosting provider. The allowed VPN users are not the problem, only that the firewall answers on every domain / subdomain to which I've assigned my public IP address. As mentioned before, the User Portal login comes up every time I access my domain and subdomain through port 443 or every other port I configure for User Portal access.

     

    My scenario:

    The clients must access the User Portal Page like this:

    Client -> gateway.domain.xyz -> User Portal Login

    The client should be able to login to the User Portal only over gateway.domain.xyz

     

    At the moment, the firewall responds to every possible address:

    Client -> *.domain.xyz -> User Portal Login

     

    I had the same situation with my Apache web server before I configured the server to block any access to "unconfigured" subdomains. On Apache, I was able to configure a "catchall" vhost which sends all "unwanted" connection attempts to some 403 page; only my configured domains / subdomains would allow access to my website.

    I want to realize the same solution on my XG User Portal, so when you access gateway.domain.xyz, the user portal shows up. When you connect to gateway2.domain.xyz, the browser shows something like:

    Forbidden
    You don't have permission to access / on this server.
    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

     

    I thought that maybe I can call the User Portal login through my Apache reverse proxy.

     

    Thanks,

    Lucas
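The reverse-proxy idea described in this post, written out as an added Apache 2.4 example (not configuration from the thread or from Sophos). All names are assumptions: the published FQDN is gateway.example.com, the User Portal is reached by the proxy at 203.0.113.10:4443, and the certificate paths are placeholders. The first vhost on a listener is Apache's default, so it acts as the catch-all for any Host header (or a bare IP) that matches no other ServerName.

```apache
# Added example, not from the thread: Apache 2.4 in front of the XG User Portal.
# Assumed (hypothetical) values: portal at https://203.0.113.10:4443, published name
# gateway.example.com. Requires mod_ssl, mod_proxy and mod_proxy_http to be loaded.

# 1) Catch-all vhost. Being the first <VirtualHost *:443>, it is the default for
#    every request whose Host/SNI matches no later ServerName, so test.example.com,
#    xyz.example.com and plain-IP requests all receive a 403 here.
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/gateway.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/gateway.example.com.key

    <Location "/">
        Require all denied
    </Location>
    # Inline message form of ErrorDocument; mirrors the Apache "Forbidden" page above.
    ErrorDocument 403 "Forbidden"
    # Separate log so unexpected hostnames are easy to review.
    CustomLog ${APACHE_LOG_DIR}/catchall_access.log combined
</VirtualHost>

# 2) Only the published FQDN is forwarded to the User Portal.
<VirtualHost *:443>
    ServerName gateway.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/gateway.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/gateway.example.com.key

    # TLS towards the portal: verify its certificate instead of switching checks off.
    # The portal's own certificate is trusted explicitly; the peer is addressed by IP,
    # so the name check is disabled while the chain check stays on.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/xg-user-portal.crt
    SSLProxyCheckPeerName off

    ProxyPreserveHost On
    ProxyPass        "/" "https://203.0.113.10:4443/"
    ProxyPassReverse "/" "https://203.0.113.10:4443/"
</VirtualHost>
```

Two points decide whether this actually restricts access. First, the XG itself still listens on every name that resolves to its IP (as the later reply in this thread states), so the portal's WAN ACL must stay disabled and the proxy must reach it over LAN or VPN; otherwise a client can simply bypass Apache. Second, both vhosts share one certificate, so a client that connects by the wrong name gets a clean 403 rather than a certificate mismatch; the separate catch-all log is where such attempts show up.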

  • Hi  

    As per my understanding of the provided details, you want to publish the User Portal on a specific URL so that no similar URL is able to access the user portal; please correct me if I am wrong or have misunderstood.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hi Keyur,

     

    Sorry for my late response, I was really busy the last few days.

    You have understood that correctly. Do you have any ideas how I can realize this? I haven't tried out my plan with the reverse proxy yet.

     

    Thanks,

    Lucas

  • Hi  

    Currently it is not possible to restrict the XG to listen on a certain URL/FQDN. The XG listens on all ports configured in the zone where the ACL has been enabled for that particular service.

    If you have FQDNs that all resolve to 1 IP address, then that won't be possible.

    Thanks.

    KingChris
    Community Support | Sophos Support


  • Hi KingChris,

     

    Thank you for your answer. Too bad that this does not work at the moment, but I think I will find another solution for provisioning my VPN profiles and allowing access to the user portal only from local clients or VPN.

     

    Thank you anyway ;)