Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 38 subscribers
  • Views 2769 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Limit NON MFA ssl vpn access to specific public ip

Matteo Vinti

Hello everyone,

I searched the forum if there is a way to limit SSL VPN access to a specific Public Ip Address but it seems to me that You cannot do it.

I see that when You create a Group or a User there is a section called "Limit access" that lets You specify from wich nodes that user (or group) can gain access but, correct me if I am wrong, this is only for administrative purposes and it's not regarding the Source Public IP Address.

My problem is this: actually all the Remote SSL VPN Users are forced to use MFA auth. There are few users that belong to a specific outsource Company that need rendomly to get access to customer's network for technical assistance on one of their softwares. The External Company cannot set MFA on their phones because technicians may change.

I Thought that limiting 2 or 3 non-mfa users to gain remote ssl vpn access (with sophos connect) to a specific public ip address (the external Company public ip) would be a compromise but Im starting to think I canno t acheive this...

Can Anybody help please?

Thanks in advance



This thread was automatically locked due to age.
Parents
  • 0

    Hi Matteo,

    Thank you for reaching out to Sophos Community.

    Let me ensure I understand you correctly.  Do you want to create a set of non-MFA users to access a specific external site while not compromising security?

    Also, "Limit access" for SSL VPN users is primarily for administrative purposes, such as segregating access per profile.

    Have you tried to create a Non-MFA user group and set the permitted network resource?

    After that, create a Firewall rule on top of the policy to allow the SSL VPN Traffic from the specific external organization's public IP.

    In the firewall rule, set the non-MFA to match known users. This way, you can separate and restrict the traffic from a different group.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Erick Jan

    Hi Erick, sort of but not exactly what I intended, let me explain my self better:

    My Customer (Company A) allready uses SSL VPN road warriors with MFA (Smart Working Employees).

    Then there is a Company B wich sold them a particular software and need to get access to their computers reandomly and we want to give them sophos connect as well (as all "anydesk like" software are blocked) but it is difficoult for them to have MFA

    so, in XGS, I have set OTP only for specific users/groups;

    I have then created then a new group wich is not included in OTP;

    I need to restrict access for this group only from the Company B public ip address.

    I hope I have explained better...

    Thanks

Reply
  • 0 in reply to Erick Jan

    Hi Erick, sort of but not exactly what I intended, let me explain my self better:

    My Customer (Company A) allready uses SSL VPN road warriors with MFA (Smart Working Employees).

    Then there is a Company B wich sold them a particular software and need to get access to their computers reandomly and we want to give them sophos connect as well (as all "anydesk like" software are blocked) but it is difficoult for them to have MFA

    so, in XGS, I have set OTP only for specific users/groups;

    I have then created then a new group wich is not included in OTP;

    I need to restrict access for this group only from the Company B public ip address.

    I hope I have explained better...

    Thanks

Children
Unfiltered HTML