This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Restricting SSL VPN

mcepok over 6 years ago

Hello Sophos-Community,

my problem is the following:

I am trying to set the following permissions for our ssl vpn:

access to 192.168.13.0

access to 192.168.13.11, but just a specific port.

It shouldnt be a firewall deny or discard rule because the other traffic should be handled over the clients external internet and not over the vpn.

It has to be handled with our Firewall and not via clientside routing.

To explain: we've got an exchange server and published autodiscover recently, now I want my vpn users to still connect their mail-postboxes via their internet and not over vpn, they should only use vpn for network data exchanging. Our Exchange is used as Mail Server but is also used for data our workers need to work with.

I hope someone can help me.

Thanks in advance.

Greetings

Marcel

This thread was automatically locked due to age.

Parents

0 Jason Klein over 6 years ago

Hi Marcel,

you need to create Firewall rules for the VPN Users as Source.

Since the Firwall rules are processed from top to bottom you have to start with the

specific port rule.

Rule1. access to 192.168.13.11 + Port

Rule2 access to 192.168.13.0

Regards

Jason

Regards

Jason

Sophos Certified Architect - UTM
Cancel
Vote Up 0 Vote Down

Cancel
0 mcepok over 6 years ago in reply to Jason Klein

Does that work? I mean if I restrict the traffic, does the vpn client know that the remaining traffic that cant be forwarded via vpn, has to be forwarded external?

My thoughts are that the client will still try to forward it over the vpn and the remaining traffic will get discarded.
Cancel
Vote Up 0 Vote Down

Cancel
0 Jason Klein over 6 years ago in reply to mcepok

Hi Marcel,

i read your question again now i get it ;=) i missunderstood sorry.Since the client is deciding where the traffic is going i dont know any solution via Firewall.

Regards

Jason

Regards

Jason

Sophos Certified Architect - UTM
Cancel
Vote Up 0 Vote Down

Cancel
0 mcepok over 6 years ago in reply to Jason Klein

Thanks anyway, I don't think that there is a possible solution for the way I want our VPN and autodiscover to work without clientsided routing
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 mcepok over 6 years ago in reply to Jason Klein

Thanks anyway, I don't think that there is a possible solution for the way I want our VPN and autodiscover to work without clientsided routing
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Jason Klein over 6 years ago in reply to mcepok

Hi,

yeah im almost certain its not possible The Client just decides where the traffic needs to go, if the Client sees your Exchange Server he will forward the traffic most likely over VPN.

Regards

Jason

Regards

Jason

Sophos Certified Architect - UTM
Cancel
Vote Up 0 Vote Down

Cancel