SSL VPN UTM 9

Hi Justin,

Apijnappels' suggestion should have done what you needed.  Please show a picture of what you see that makes you think things aren't working as you wish.

Cheers - Bob

Hi Bob,

It's working now. So everytime they access the SSL VPN they will be blocked on some sites?

check my config : 

Ive putted the VPN SSL POOL Group to the policy i made.

First step:   ensure that the traffic flows to the web filter.   You indicate that this is working, as evidenced by the fact that you can block Facebook.   This can be verified or refuted by checking the webfilter logs.

Next step:  Configure filter rules  by user.   This is where you seem to be frustrated, and the reason is probably because the VPN User is not detected as a webfilter user.   

Your Filter Profile configuration is set to Authentication NONE.   Consequently, Web Filter will apply the same policy to every VPN user, because this is what you have told it to do.   

The web filter behavior will be determined by the Policy attached to the Filter Profile and the Filter Action attached to the Policy.   If you have neither, the default policy will apply.   

If you want to do user-specific filtering, you have to find out who the user is.   Active Directory is not likely to work -- the users would have to be on domain-joined work laptops using a domain account, but I doubt it would work even in that situation.   So you are stuck with the other options:   Client authentication, Basic Authentication, or Browser Authentication.  Browser Authentication is probably your best bet.

Of course, you can have two groups:   

• a base group of people that use your existing Authentication None profile, and receive a minimal set of allowed websites
• one or more specialized groups of people that use a different authentication method and receive an enhanced set of allowed websites.

Actually, Doug, since the User is authenticated by the SSL VPN, Justin can create separate Web Filtering Profiles for the users instead of using "SSL VPN (Pool)" in Allowed Networks.

Put, for example, "Justin (User Network)" in a Network Group with others that should be allowed similar sites and name it the "Remote Open" group.  Similarly, make a "Remote Restricted" group for those that should have less access.  Now, make a separate Web Filtering Profile with "Remote Open" in 'Allowed Networks'.  Etc.

Alternatively, put user "Justin" in a User Group with others that should be allowed similar sites and name it the "Remote Open" group.  Similarly, make a "Remote Restricted" group for those that should have less access.  Now, make a separate Web Filtering Profile with "Remote Open (User Group Network)" in 'Allowed Networks'.  Etc.

Cheers - Bob

Cool idea!

You still keep the webfilter profile set to Authentication None, but In the Filter Profile, you filter on the User Network object, which represents the IP address of the currently logged in user.

For auditing purposes, if you needed to match the webfilter logs to a user, it would be a little complicated, but surmountable:

• The webfilter logs will provide the source IP address and a timestamp
• Compare to the SSL VPN log which has id="2201" for login and id='2202" for logout.   Both entries contain a timestamp, username, VPN IP, and source IP.
• Match the two files on time and IP address

Or do you have an even simpler trick?

That looks good to me!

Cheers - Bob

Thanks Guys it's working now

Thanks Guys it's working now