Limit NON MFA ssl vpn access to specific public ip

Hi Matteo,

Thank you for reaching out to Sophos Community.

Let me ensure I understand you correctly.  Do you want to create a set of non-MFA users to access a specific external site while not compromising security?

Also, "Limit access" for SSL VPN users is primarily for administrative purposes, such as segregating access per profile.

Have you tried to create a Non-MFA user group and set the permitted network resource?

After that, create a Firewall rule on top of the policy to allow the SSL VPN Traffic from the specific external organization's public IP.

In the firewall rule, set the non-MFA to match known users. This way, you can separate and restrict the traffic from a different group.

Hi Erick, sort of but not exactly what I intended, let me explain my self better:

My Customer (Company A) allready uses SSL VPN road warriors with MFA (Smart Working Employees).

Then there is a Company B wich sold them a particular software and need to get access to their computers reandomly and we want to give them sophos connect as well (as all "anydesk like" software are blocked) but it is difficoult for them to have MFA

so, in XGS, I have set OTP only for specific users/groups;

I have then created then a new group wich is not included in OTP;

I need to restrict access for this group only from the Company B public ip address.

I hope I have explained better...

Thanks

Hi Matteo,

Thank you for the detailed explanation, please create a separate firewall rule to only allow Company B public IP address and set the match known user.

You may also check this similar post 

•  SSL VPN - Different Groups 

Hi Erick, unfortunately I think it is not what I need... My final goal is to NOT ask MFA for users coming from a certain Public Ip Address...

Hello Matteo,

You can only select what users would need MFA to use or not. 

This would be a Feature Request; I'd recommend you reach out to your Account Manager, Sales Engineer or Sales Representative so that they can enter this request into our system.
Additionally, you can use the in-product feedback in the Sophos Firewall located in the Top Menu Bar.

Regards,

ok thanks, at least I know it is not possible to do it.... too bad :-(

Just another Question: is it right to say that, at this point, my only solution could be setting up ZTNA ?

Just another Question: is it right to say that, at this point, my only solution could be setting up ZTNA ?