Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Subscribers 40 subscribers
  • Views 1921 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to exclude tightvnc from Risk or High Risk application list

Søren Jensen

Hello All,

I have added the "Block high risk (Risk level 4 and 5) apps" to the "Identify and control applications (App control)" part of Lan-To-Wan Firewall rule.

With this in the La-To-Wan firewall rule, I can not connect to a remote computer, using TightVnc and a specifik IP no. As soon as I remove "Block high risk (.." from the firewall rule, I can access the external computer with TightVnc.

I have tried to create an Application Filter, based on the "Block high risk (Risk Level 4 and 5) apps" application list, and wanted to add an exclusion for TightVnc to allow that, but TightVnc do not exist as a named application, and consequently have not succeded.

Could anybody help me with this ? How do I create an Application list, blocking all Risk and High Risk applications, but allowing only TightVnc ?

Best regards

Soren Jensen



This thread was automatically locked due to age.
Parents
  • +1

    Hi  ,

    Thank you for reaching out to the community, you can try adding an exception - ^https?://([A-Za-z0-9.-]*\.)?www\.tightvnc\.com/

    tightvnc  runs on ports 5900 and 5800 by default. verify with the command in the client machine:
    netstat -an | find "ESTABLISHED" | find ":5900 " 

    If this two ports are open and not filtered, you'll be able to make it work. 

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Vivek Jagad

    Hi Vivek Jagad,

    Thanks for your reply and suggestion. I've tried the solution you suggest, but it do not work. Maybe because I'm not doing it correctly or maybe because TightVnc, as I use it, is an EXE file local to my workstation, and I'm trying to connect to an IP no nnn.nnn.nnn.nnn:5902, where the nnn's is the external IP no of a firewall allowing request to port 5902 come in, when it is coming from my fixed external Ip no. 

    Anyway, I have changed the "Block high risk (Risk Level 4 and 5) apps" application filter and added a category "Remote Access", using smart filter to only include "VNC Remote Access" (filtering out VNC WEB Remote Access), allowing it, all the time. It means I can now use TightVnc to access the external computer I want, but I guess it also means any of the internal  workstations can use any application categorized as VNC Remote Access, to connect to any IP no in the world. 

    So to allow me to connect with TightVnc to a specific IP no., I have had to open up for a lot of other VNC programs connecting to an unlimited number of Ip adresses. How do I limit the VNC Remote Access category further ? If possible I would like to limit only to TightVnc, and further, only to a fixed number of IP adresses.

    I can't see any further options under Application Filter (or Application Lists for that matter), so where should I look ?

    Best Regards

    Soren

  • +1 in reply to Søren Jensen

    Hello,

    You may create the destination-based rule to with the destination FQDN/IP addresses of TightVNC and the ports used and keep the existing rule to block the High Risk application.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

Reply Children
No Data
Unfiltered HTML