Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Limit NON MFA ssl vpn access to specific public ip

Hello everyone,

I searched the forum if there is a way to limit SSL VPN access to a specific Public Ip Address but it seems to me that You cannot do it.

I see that when You create a Group or a User there is a section called "Limit access" that lets You specify from wich nodes that user (or group) can gain access but, correct me if I am wrong, this is only for administrative purposes and it's not regarding the Source Public IP Address.

My problem is this: actually all the Remote SSL VPN Users are forced to use MFA auth. There are few users that belong to a specific outsource Company that need rendomly to get access to customer's network for technical assistance on one of their softwares. The External Company cannot set MFA on their phones because technicians may change.

I Thought that limiting 2 or 3 non-mfa users to gain remote ssl vpn access (with sophos connect) to a specific public ip address (the external Company public ip) would be a compromise but Im starting to think I canno t acheive this...

Can Anybody help please?

Thanks in advance



This thread was automatically locked due to age.
Parents
  • Hi Matteo,

    Thank you for reaching out to Sophos Community.

    Let me ensure I understand you correctly.  Do you want to create a set of non-MFA users to access a specific external site while not compromising security?

    Also, "Limit access" for SSL VPN users is primarily for administrative purposes, such as segregating access per profile.

    Have you tried to create a Non-MFA user group and set the permitted network resource?

    After that, create a Firewall rule on top of the policy to allow the SSL VPN Traffic from the specific external organization's public IP.

    In the firewall rule, set the non-MFA to match known users. This way, you can separate and restrict the traffic from a different group.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi Erick, sort of but not exactly what I intended, let me explain my self better:

    My Customer (Company A) allready uses SSL VPN road warriors with MFA (Smart Working Employees).

    Then there is a Company B wich sold them a particular software and need to get access to their computers reandomly and we want to give them sophos connect as well (as all "anydesk like" software are blocked) but it is difficoult for them to have MFA

    so, in XGS, I have set OTP only for specific users/groups;

    I have then created then a new group wich is not included in OTP;

    I need to restrict access for this group only from the Company B public ip address.

    I hope I have explained better...

    Thanks

  • Hi Matteo,

    Thank you for the detailed explanation, please create a separate firewall rule to only allow Company B public IP address and set the match known user.

    You may also check this similar post 

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi Erick, unfortunately I think it is not what I need... My final goal is to NOT ask MFA for users coming from a certain Public Ip Address...

  • Hello Matteo,

    You can only select what users would need MFA to use or not. 

    This would be a Feature Request; I'd recommend you reach out to your Account Manager, Sales Engineer or Sales Representative so that they can enter this request into our system.
    Additionally, you can use the in-product feedback in the Sophos Firewall located in the Top Menu Bar.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • ok thanks, at least I know it is not possible to do it.... too bad :-(

Reply Children
No Data