SSL VPN UTM 9

Hi Guys,

Recently we've set up the SSL VPN connection in our office. We just want to ask something, because right now we are completely puzzled by configuring the Sophos UTM9 for SSL VPN. We configured it successfully and were able to install the SSL VPN through the User Portal, but what we want to know is: is it possible to implement the Web Filtering inside the SSL VPN? We want some users to access the SSL VPN at home and at the same time be able to use the network in our office when they are connected to the VPN. Please see the screenshot below to help us.

Please help us understand and help us.

Thanks

-JSigz

  • Hi Justin,

    Apijnappels' suggestion should have done what you needed.  Please show a picture of what you see that makes you think things aren't working as you wish.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    It's working now. So every time they access the SSL VPN they will be blocked on some sites?

    Check my config:

    I've put the VPN SSL POOL group into the policy I made.

  • First step: ensure that the traffic flows to the web filter. You indicate that this is working, as evidenced by the fact that you can block Facebook. This can be verified or refuted by checking the webfilter logs.

    Next step: configure filter rules by user. This is where you seem to be frustrated, and the reason is probably because the VPN user is not detected as a webfilter user.

    Your Filter Profile configuration is set to Authentication NONE. Consequently, Web Filter will apply the same policy to every VPN user, because this is what you have told it to do.

    The web filter behavior will be determined by the Policy attached to the Filter Profile and the Filter Action attached to the Policy. If you have neither, the default policy will apply.

    If you want to do user-specific filtering, you have to find out who the user is. Active Directory is not likely to work -- the users would have to be on domain-joined work laptops using a domain account, but I doubt it would work even in that situation. So you are stuck with the other options: Client Authentication, Basic Authentication, or Browser Authentication. Browser Authentication is probably your best bet.

    Of course, you can have two groups:   

    • a base group of people that use your existing Authentication None profile, and receive a minimal set of allowed websites
    • one or more specialized groups of people that use a different authentication method and receive an enhanced set of allowed websites.


  • Actually, Doug, since the User is authenticated by the SSL VPN, Justin can create separate Web Filtering Profiles for the users instead of using "SSL VPN (Pool)" in Allowed Networks.

    Put, for example, "Justin (User Network)" in a Network Group with others that should be allowed similar sites and name it the "Remote Open" group.  Similarly, make a "Remote Restricted" group for those that should have less access.  Now, make a separate Web Filtering Profile with "Remote Open" in 'Allowed Networks'.  Etc.

    Alternatively, put user "Justin" in a User Group with others that should be allowed similar sites and name it the "Remote Open" group.  Similarly, make a "Remote Restricted" group for those that should have less access.  Now, make a separate Web Filtering Profile with "Remote Open (User Group Network)" in 'Allowed Networks'.  Etc.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Cool idea!

    You still keep the webfilter profile set to Authentication None, but in the Filter Profile you filter on the User Network object, which represents the IP address of the currently logged-in user.

    For auditing purposes, if you needed to match the webfilter logs to a user, it would be a little complicated, but surmountable:

    • The webfilter logs will provide the source IP address and a timestamp
    • Compare to the SSL VPN log, which has id="2201" for login and id="2202" for logout. Both entries contain a timestamp, username, VPN IP, and source IP.
    • Match the two files on time and IP address

    Or do you have an even simpler trick?
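The three-step correlation above, written out as a small Python script. This is an added example, not code from the thread or from Sophos: the log lines are constructed samples, and the timestamp layout and the `key="value"` field names (`username`, `virtual_ip`, `srcip`, `url`) are assumptions about the UTM log format that you should check against your own log files. Only the `id="2201"` / `id="2202"` event ids come from the post. The script builds one session interval per login/logout pair from the SSL VPN log and then attributes each webfilter line to the user who held that pool address at that moment; it deliberately includes a pool address that is reused by a second user, since that is the case where matching on IP alone would misattribute traffic.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample log lines (not real UTM output). The timestamp layout and
# the field names are assumptions; only id="2201"/"2202" come from the thread.
# Note that 10.242.2.6 is used by justin first and by alice later.
VPN_LOG = """\
2017:03:01-08:00:00 utm openvpn[1234]: id="2201" name="SSL VPN connection established" username="justin" srcip="203.0.113.5" virtual_ip="10.242.2.6"
2017:03:01-09:00:00 utm openvpn[1234]: id="2202" name="SSL VPN connection terminated" username="justin" srcip="203.0.113.5" virtual_ip="10.242.2.6"
2017:03:01-09:30:00 utm openvpn[1234]: id="2201" name="SSL VPN connection established" username="alice" srcip="198.51.100.7" virtual_ip="10.242.2.6"
"""

WEBFILTER_LOG = """\
2017:03:01-08:15:00 utm httpproxy[5678]: action="block" srcip="10.242.2.6" url="https://www.facebook.com/"
2017:03:01-09:10:00 utm httpproxy[5678]: action="pass" srcip="10.242.2.6" url="https://example.org/"
2017:03:01-09:45:00 utm httpproxy[5678]: action="pass" srcip="10.242.2.6" url="https://example.com/"
2017:03:01-08:20:00 utm httpproxy[5678]: action="pass" srcip="10.242.2.7" url="https://example.net/"
"""

TS_RE = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Session:
    vpn_ip: str
    username: str
    start: datetime
    end: Optional[datetime]  # None while the user is still logged in


def parse_line(line: str):
    """Split a log line into (timestamp, {field: value})."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"no timestamp in line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    return ts, dict(KV_RE.findall(line))


def vpn_sessions(lines: List[str]) -> List[Session]:
    """Pair id=2201 (login) with id=2202 (logout) events per pool address."""
    open_by_ip = {}  # virtual_ip -> Session still open
    sessions = []
    for line in lines:
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("id") == "2201":
            open_by_ip[f["virtual_ip"]] = Session(f["virtual_ip"], f["username"], ts, None)
        elif f.get("id") == "2202":
            s = open_by_ip.pop(f["virtual_ip"], None)
            if s is not None:  # ignore a logout with no matching login
                s.end = ts
                sessions.append(s)
    sessions.extend(open_by_ip.values())  # sessions without a logout yet
    return sessions


def attribute_webfilter(lines: List[str], sessions: List[Session]):
    """Return (timestamp, srcip, url, username-or-None) per webfilter line.

    A line is attributed only if its srcip matches a session's pool address
    AND its timestamp falls inside that session's [start, end] interval, so a
    reused pool address is credited to the right user, and traffic outside
    any session stays unattributed instead of being guessed."""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user = None
        for s in sessions:
            in_window = s.start <= ts and (s.end is None or ts <= s.end)
            if s.vpn_ip == f["srcip"] and in_window:
                user = s.username
                break
        rows.append((ts, f["srcip"], f.get("url"), user))
    return rows


if __name__ == "__main__":
    sess = vpn_sessions(VPN_LOG.splitlines())
    for ts, ip, url, user in attribute_webfilter(WEBFILTER_LOG.splitlines(), sess):
        print(f"{ts}  {ip:<12} {user or '<unattributed>':<15} {url}")
```

The 09:10 request from 10.242.2.6 is left unattributed on purpose: it falls between justin's logout and alice's login, so the VPN log cannot say who was behind it, and reporting "unknown" is safer than assigning it to whoever used the address last.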

  • That looks good to me!

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks guys, it's working now.