
Restricting SSL VPN

Hello Sophos-Community,

 

My problem is the following:

I am trying to set the following permissions for our SSL VPN:

access to 192.168.13.0

access to 192.168.13.11, but just a specific port.

It shouldn't be a firewall deny or discard rule, because the other traffic should be handled over the client's external internet connection and not over the VPN.

It has to be handled with our firewall and not via client-side routing.

 

To explain: we've got an Exchange server and published Autodiscover recently. Now I want my VPN users to still connect to their mailboxes via their own internet connection and not over the VPN; they should only use the VPN for network data exchange. Our Exchange is used as a mail server, but it also holds data our workers need to work with.

 

I hope someone can help me.

Thanks in advance.

 

Greetings

Marcel



  • Hi Marcel,

     

    you need to create firewall rules with the VPN users as source.

    Since the firewall rules are processed from top to bottom, you have to start with the
    specific port rule.

     

    Rule 1: access to 192.168.13.11 + port

    Rule 2: access to 192.168.13.0

     

    Regards

    Jason

    Sophos Certified Architect - UTM
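The rule ordering above can be checked with a small model of how the UTM walks its rule table (top to bottom, first match wins, anything unmatched hits the implicit default drop). This is an added example, not code from the thread or from Sophos. The VPN pool 10.242.2.0/24, the /24 mask on "192.168.13.0" and TCP/445 as "the specific port" are assumed placeholders; the thread does not state them. The third rule set (with an explicit drop) is my own addition, showing what the table needs if 192.168.13.11 is really to be reachable on one port only, since the host is inside the network that Rule 2 allows.

```python
"""Added example: first-match evaluation of the VPN firewall rules from the reply.

Not code from the thread or from Sophos. Models UTM rule processing: rules are
walked top to bottom, the first match decides, and an unmatched packet hits the
implicit default drop. Assumed values (not from the post): VPN pool 10.242.2.0/24,
a /24 mask for the LAN, and TCP/445 standing in for "the specific port".
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

VPN_POOL = ipaddress.ip_network("10.242.2.0/24")    # assumed SSL VPN pool
LAN = ipaddress.ip_network("192.168.13.0/24")        # assumed /24 for "192.168.13.0"
EXCHANGE = ipaddress.ip_network("192.168.13.11/32")
SPECIFIC_PORT = 445                                  # assumed placeholder port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                             # "allow" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[FrozenSet[int]] = None  # None means any destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.ports is None or dport in self.ports))

    def covers(self, other: "Rule") -> bool:
        """True if every flow matched by `other` is also matched by this rule."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.ports is None
                     or (other.ports is not None and other.ports <= self.ports)))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Top-down, first match wins; no match means the implicit default drop."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action, rule.name
    return "drop", "<default drop>"


def shadowed(rules: List[Rule]) -> List[str]:
    """Rules that can never fire because an earlier rule already matches
    every flow they would match (the ordering mistake the reply warns about)."""
    return [rule.name for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


def jason_rules() -> List[Rule]:
    """The two rules from the reply, in the order given."""
    return [
        Rule("Rule 1", "allow", VPN_POOL, EXCHANGE, frozenset({SPECIFIC_PORT})),
        Rule("Rule 2", "allow", VPN_POOL, LAN),
    ]


def port_restricted_rules() -> List[Rule]:
    """Added variant, not from the thread: 192.168.13.11 sits inside
    192.168.13.0/24, so Rule 2 still allows its other ports. Limiting the host
    to one port needs an explicit drop placed before the network rule."""
    return [
        Rule("Rule 1", "allow", VPN_POOL, EXCHANGE, frozenset({SPECIFIC_PORT})),
        Rule("Rule 1b", "drop", VPN_POOL, EXCHANGE),
        Rule("Rule 2", "allow", VPN_POOL, LAN),
    ]


if __name__ == "__main__":
    client = "10.242.2.6"                   # constructed VPN client address
    flows = [(client, "192.168.13.11", SPECIFIC_PORT),
             (client, "192.168.13.11", 25),
             (client, "192.168.13.20", 80),
             (client, "203.0.113.10", 443)]  # constructed destination outside the LAN
    for label, rules in (("as described", jason_rules()),
                         ("reversed", list(reversed(jason_rules()))),
                         ("with explicit drop", port_restricted_rules())):
        print(f"== {label}: shadowed={shadowed(rules)}")
        for flow in flows:
            print("   ", flow, "->", evaluate(rules, *flow))
```

Two things the run makes visible: with the rules reversed, `shadowed()` reports Rule 1, because the network rule already matches everything the host rule would; and the flow to a destination outside the LAN ends in the default drop in every variant. The firewall only decides allow or drop for packets that already arrived over the tunnel; no rule in this table can make the client send them elsewhere.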

  • Does that work? I mean, if I restrict the traffic, does the VPN client know that the remaining traffic that can't be forwarded via VPN has to be forwarded externally?

    My thoughts are that the client will still try to forward it over the VPN and the remaining traffic will get discarded.

  • Hi Marcel,

     

    I read your question again, now I get it ;=) I misunderstood, sorry. Since the client decides where the traffic goes, I don't know of any solution via firewall.

     

    Regards

     

    Jason

    Sophos Certified Architect - UTM

  • Thanks anyway, I don't think there is a possible solution for the way I want our VPN and Autodiscover to work without client-side routing.

  • Hi,

    Yeah, I'm almost certain it's not possible. The client just decides where the traffic needs to go; if the client sees your Exchange server, it will most likely forward the traffic over the VPN.

     

    Regards

    Jason

    Sophos Certified Architect - UTM
