Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 39 subscribers
  • Views 1103 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN + WAF + Authentication

jamesharper

Hi,

I have an SSL VPN set up to the WAN IP address of my XG device, and WAF is also on that same WAN IP.

My WAF paths look like this:

/app1 -> server1 - only allowed from LAN network

/app2 -> server2 - only allowed from LAN network

/app3 -> server3 - allowed from internet

/OWA -> exchange server - allowed from internet

I want to allow access to /app1 and /app2 when the user is connected via VPN. This isn't working though, because I can't route the WAN IP through the VPN, or else the VPN wouldn't work.

I also tried doing split DNS for the fqdn of the external hostname and then publishing WAF on an internal IP but the SSL VPN connected devices don't resolve it.

I can add authentication to /app1 and /app2, but for the best user experience I would want to exclude authentication for LAN network and only require it when accessing from WAN, but there is no mechanism to exclude authentication either.

I could purchase another WAN IP, but that is additional work and ongoing cost.

Can anyone make any suggestions?

Thanks

James



This thread was automatically locked due to age.
Parents
  • 0

    Hi  

    /app1 -> server1 - only allowed from LAN network

    /app2 -> server2 - only allowed from LAN network

    if they are allowed from the LAN network then WAF rule/module will not be a part of the communication.

    You can add domain public IP to SSL VPN configuration and can push the route with the public IP for SSL VPN users by re-importing the SSL VPN configuration file to user system so users will be able to access the /app1 and /app2 and add VPN zone in the allow tab in WAF configuration.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

Reply
  • 0

    Hi  

    /app1 -> server1 - only allowed from LAN network

    /app2 -> server2 - only allowed from LAN network

    if they are allowed from the LAN network then WAF rule/module will not be a part of the communication.

    You can add domain public IP to SSL VPN configuration and can push the route with the public IP for SSL VPN users by re-importing the SSL VPN configuration file to user system so users will be able to access the /app1 and /app2 and add VPN zone in the allow tab in WAF configuration.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

Children
No Data
Unfiltered HTML