
Match Identity for network protection over SSL VPN

Hello, I would like to know if it is possible to set up a network policy to match the identity of the user connected through SSL VPN, to permit only a specific service and not the whole remote network nor full service on the remote server.



  • Hi Sachin,

    So can we only pull the layer 8 functionality into the XG from the SSL VPN users if they're using the tunnel in Full mode?

    Regards,
    Emile

  • Good question.

    When you connect to SSL VPN, you authenticate as a User already present in XG. If full tunnel mode is used, XG will see the User identity and provide him the customized access as per the configurations.

    So yes, layer 8 functionality will be applicable, as XG will see the SSL VPN connected user as a Live User.

    Thanks

    Sachin Gurung

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
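To make the answer above concrete, here is a small added model (constructed for this thread, not Sophos XG code or configuration) of how an identity-based rule set behaves once an SSL VPN user is treated as a Live User. It also goes slightly beyond the answer by modelling the split-tunnel case raised later in the thread: traffic that is not routed into the tunnel never reaches the firewall, so no identity rule can apply to it. All names, addresses, users and rules are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    users: frozenset       # identities the rule applies to; empty means "any user"
    dst_net: str           # destination network in CIDR form
    services: frozenset    # permitted (proto, port) pairs
    action: str            # "allow" or "deny"


class IdentityFirewall:
    """Hypothetical identity-aware policy engine (constructed example)."""

    def __init__(self, rules, tunnel_routes):
        self.rules = list(rules)
        # Routes pushed to a split-tunnel client; only traffic to these
        # networks enters the tunnel and therefore reaches the firewall.
        self.tunnel_routes = [ip_network(n) for n in tunnel_routes]
        # "Live users": VPN-assigned IP -> authenticated username.
        self.live_users = {}

    def vpn_login(self, username, assigned_ip):
        # The VPN login authenticates against an existing user account,
        # so from now on packets from assigned_ip carry that identity.
        self.live_users[assigned_ip] = username

    def vpn_logout(self, assigned_ip):
        self.live_users.pop(assigned_ip, None)

    def traverses_firewall(self, pkt, full_tunnel):
        # Full tunnel: every packet goes through the firewall.
        # Split tunnel: only packets for the pushed routes do.
        if full_tunnel:
            return True
        dst = ip_address(pkt.dst_ip)
        return any(dst in net for net in self.tunnel_routes)

    def evaluate(self, pkt, full_tunnel=True):
        if not self.traverses_firewall(pkt, full_tunnel):
            return "bypass"      # never seen, so identity policy cannot apply
        user = self.live_users.get(pkt.src_ip)
        dst = ip_address(pkt.dst_ip)
        for rule in self.rules:      # first match wins
            if rule.users and user not in rule.users:
                continue
            if dst not in ip_network(rule.dst_net):
                continue
            if (pkt.proto, pkt.dst_port) not in rule.services:
                continue
            return rule.action
        return "deny"            # implicit default deny


def build_demo_firewall():
    # Constructed rule set: one user may reach RDP on one subnet, nothing else.
    rules = [
        Rule("emile-rdp-only", frozenset({"emile"}), "10.10.1.0/24",
             frozenset({("tcp", 3389)}), "allow"),
    ]
    return IdentityFirewall(rules, tunnel_routes=["10.10.0.0/16"])


def run_scenarios():
    fw = build_demo_firewall()
    fw.vpn_login("emile", "10.81.234.5")            # constructed VPN pool address
    rdp = Packet("10.81.234.5", "10.10.1.20", 3389)
    ssh = Packet("10.81.234.5", "10.10.1.20", 22)
    web = Packet("10.81.234.5", "203.0.113.10", 443)
    stranger_rdp = Packet("10.81.234.9", "10.10.1.20", 3389)
    results = {
        "emile_rdp": fw.evaluate(rdp),                       # allow
        "emile_ssh": fw.evaluate(ssh),                       # deny: service not permitted
        "unauth_rdp": fw.evaluate(stranger_rdp),             # deny: no identity behind that IP
        "web_full_tunnel": fw.evaluate(web, full_tunnel=True),   # deny: no matching rule
        "web_split_tunnel": fw.evaluate(web, full_tunnel=False), # bypass: never reaches firewall
    }
    fw.vpn_logout("10.81.234.5")
    results["emile_rdp_after_logout"] = fw.evaluate(rdp)    # deny: identity gone
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The point for the original question is the first three results: a rule keyed on the user identity and a single service gives that user only that service, and the same packet from an address with no live user behind it is denied. The split-tunnel result shows why Emile's later concern is real: whatever is not routed into the tunnel is simply invisible to the firewall.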

  • Hi Sachin,

    That's a shame, so I technically can't do Security Heartbeat unless I route all of their traffic to the XG, but thank you for clarifying!

    Can this be a feature request or is it a technical issue of actually doing that with the way Sophos Cloud operates?

    Cheers,

    Emile

  • Hi Emile,

    Layer 8 and Security Heartbeat are two different Sophos features.

    User identity takes enforcement to a whole new layer with our patented Layer-8 identity based policy technology enabling user level controls over applications, bandwidth and other network resources regardless of IP-address, location, network or device. It literally takes firewall policy to a whole new layer.

    Our Security Heartbeat links your endpoints and your firewall to combine their intelligence and identify systems compromised by previously unknown threats. The Heartbeat status is integrated into security policy settings to instantly trigger actions at both endpoint and network levels to isolate or limit access until systems are healthy again. This feature requires Sophos Cloud Endpoint Protection Advanced or Sophos Cloud Enduser Protection.

    So your post confuses me; what exactly are you looking for?

    Thanks

    Sachin Gurung


  • Hi Sachin,

    Currently the Security Heartbeat, as you stated, only shows the user with heartbeat technology if they're connected in Full Tunnel mode, but in environments where doing full tunnel mode is not appropriate, i.e. a company which doesn't have a fast link, this can cause undue pressure on the internet connection. So in this case it would be better to run the SSL VPN client in Split Tunnel mode so only traffic destined for the Head Office site will be routed.

    In both cases the identity of the user is known if they are using Active Directory logon so I guess my question is this:

    How does the Security Heartbeat feature of Sophos Cloud tell the SFOS unit that it is live and on the network? Can this communication method also be implemented to tell an SFOS unit across the SSL VPN that it is connected remotely and to check from the cloud dashboard whether I'm healthy?

    Basically the use case is this:

    I'm infected, and on the remote network I can hook up to the Sophos Appliance via SSL VPN and gain access to privileged resources that, if I were on the network, I couldn't because my heartbeat status is amber or red.

    Additionally, I would like to use the SFOS appliance to be an onion layer between the wider network and the protected, sensitive resources, so it is not a gateway device at all, it is a gatekeeper. Will the Security Heartbeat still work, because this is a similar scenario as if I'm on the SSL VPN?

    Hope that makes sense :)

    Cheers,

    Emile