Restricting SSL VPN

Hi Marcel,

you need to create Firewall rules for the VPN Users as Source.

Since the Firwall rules are processed from top to bottom you have to start with the

specific port rule.

Rule1. access to 192.168.13.11 + Port

Rule2  access to 192.168.13.0

Regards

Jason

Does that work? I mean if I restrict the traffic, does the vpn client know that the remaining traffic that cant be forwarded via vpn, has to be forwarded external?

My thoughts are that the client will still try to forward it over the vpn and the remaining traffic will get discarded.

Hi Marcel,

i read your question again now i get it ;=) i missunderstood sorry.Since the client is deciding where the traffic is going i dont know any solution via Firewall.

Regards

Jason

Thanks anyway, I don't think that there is a possible solution for the way I want our VPN and autodiscover to work without clientsided routing

Hi,

yeah im almost certain its not possible The Client just decides where the traffic needs to go, if the Client sees your Exchange Server he will forward the traffic most likely over VPN.

Regards

Jason

Hallo Marcel,

If this is a site-to-site, this seems like a DNS issue.  If an FQDN resolves to an IP in 192.168.13.0/24, the traffic goes through the tunnel.  If it resolves to a public IP, the traffic goes out the interface with a default gateway (External).  Isn't this that simple?

If this is remote access, then you would want to not select 'Automatic firewall rules' in the SSL VPN Profile and make three firewall rules, in order, like:

1. VPN Pool (SSL) -> {special port} -> {192.168.13.11} : Allow
2. VPN Pool (SSL) -> Any -> {192.168.13.11} : Drop
3. VPN Pool (SSL) -> Any -> Any : Allow

Cheers - Bob

Hello Bob,

I think you've understood my Question wrong.

I want the traffic sent to the IP 192.168.13.11 (exchange) on a specific port, to be sent over vpn and the traffic of the other ports to be sent over the clients connection of his/her internet provider (that was meant by external). The rest of the 192.168.13.0/24 network should be accessible as well on any port over the vpn.

It's still not clear if this is site-to-site or remote access, Marcel.  Assuming the latter, use my suggestion above with an SSL VPN Profile that only contains {192.168.13.0/24} in 'Local Networks'.  With that, all ports are open to all other local IPs and the caller will have all traffic to public IPs leave directly from his PC.

Cheers - Bob

Hi,

well what Balfson said is basicly exactly what i said:

1. VPN Pool (SSL) -> {special port} -> {192.168.13.11} : Allow
2. VPN Pool (SSL) -> Any -> {192.168.13.11} : Drop
3. VPN Pool (SSL) -> Any -> Any : Allow

Yes the client will know to push not internal network traffic out via the WAN connection of the PC/Notebook and not via VPN. It is a Split Tunneling method.

Bob Alfson is right.   Autodiscover looks up "Autodiscover.<yourdomain.com> in DNS to get a number.   It either gets an internal address or an external address, depending whether the DNS is resolved externally or internally.   If your DNS returns an address you don't want to allow, then the traffic will be blocked; it will not find another DNS result.

This does raise some questions that I have about DNS split horizon with remote access.   Does the SSL VPN client do split DNS horizon at all, or does it send all DNS traffic through the VPN session?  If it supports split horizon, how do I predict and control where the split will occur?