
VPN + WAF + Authentication

Hi,

I have an SSL VPN set up to the WAN IP address of my XG device, and WAF is also on that same WAN IP.

My WAF paths look like this:

/app1 -> server1 - only allowed from LAN network

/app2 -> server2 - only allowed from LAN network

/app3 -> server3 - allowed from internet

/OWA -> exchange server - allowed from internet

I want to allow access to /app1 and /app2 when the user is connected via VPN. This isn't working though, because I can't route the WAN IP through the VPN, or else the VPN wouldn't work.

I also tried doing split DNS for the FQDN of the external hostname and then publishing WAF on an internal IP, but the SSL VPN-connected devices don't resolve it.

I can add authentication to /app1 and /app2, but for the best user experience I would want to exclude authentication for LAN network and only require it when accessing from WAN, but there is no mechanism to exclude authentication either.

I could purchase another WAN IP, but that is additional work and ongoing cost.

Can anyone make any suggestions?

Thanks

James



Hi,

/app1 -> server1 - only allowed from LAN network

/app2 -> server2 - only allowed from LAN network

If they are allowed from the LAN network, then the WAF rule/module will not be a part of the communication.

You can add the domain's public IP to the SSL VPN configuration and push the route for the public IP to SSL VPN users by re-importing the SSL VPN configuration file on the user's system. Users will then be able to access /app1 and /app2. Also add the VPN zone in the Allow tab of the WAF configuration.

Regards,

Keyur
Community Support Engineer | Sophos Support
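As an added check (not from the thread, and not Sophos's own tooling): before re-importing a client profile that pushes the WAF's public IP, this Python lints the OpenVPN-style `remote` and `route` directives and flags any pushed route that covers the tunnel endpoint itself, which is the failure James describes when the WAN IP is routed through the VPN. The profile text and the 203.0.113.10 address are constructed for the example.

```python
import ipaddress

# Constructed sample client profile (not a real Sophos export). 203.0.113.10 is a
# documentation-range address standing in for the WAN IP that is both the SSL VPN
# endpoint and the WAF listener, which is the situation in the thread above.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote 203.0.113.10 8443
route 10.0.0.0 255.255.255.0          # LAN behind the firewall
route 203.0.113.10 255.255.255.255    # WAF public IP pushed into the tunnel
"""


def parse_config(text):
    """Return (remote endpoints, route networks) from OpenVPN-style directives.

    Only IP-literal 'remote' lines and 'route network [netmask]' lines are
    handled; hostnames must be resolved before checking.
    """
    remotes, routes = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # strip trailing comments
        if not parts:
            continue
        if parts[0] == "remote" and len(parts) >= 2:
            try:
                remotes.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass  # hostname remote: not checked here
        elif parts[0] == "route" and len(parts) >= 2:
            # OpenVPN treats a missing or 'default' netmask as a /32 host route
            mask = parts[2] if len(parts) >= 3 and parts[2] != "default" else "255.255.255.255"
            routes.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return remotes, routes


def endpoint_routes(text):
    """Routes that cover the tunnel's own endpoint.

    Any such route sends the encrypted tunnel packets into the tunnel itself,
    which is how the SSL VPN stops working once the WAF's public IP (the same
    address as the VPN endpoint) is routed through the VPN.
    """
    remotes, routes = parse_config(text)
    return sorted({str(r) for r in routes for ep in remotes if ep in r})


def profile_is_safe(text):
    """True when no pushed route swallows the VPN endpoint."""
    return not endpoint_routes(text)
```

A profile that fails this check needs a more specific bypass for the endpoint (or a different address for the published applications) before it is handed to users.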
