
Restricting SSL VPN

Hello Sophos-Community,


My problem is the following:

I am trying to set the following permissions for our SSL VPN:

access to 192.168.13.0

access to 192.168.13.11, but just a specific port.

It shouldn't be a firewall deny or discard rule, because the other traffic should be handled over the client's external internet and not over the VPN.

It has to be handled with our Firewall and not via clientside routing.


To explain: we've got an exchange server and published autodiscover recently, now I want my vpn users to still connect their mail-postboxes via their internet and not over vpn, they should only use vpn for network data exchanging. Our Exchange is used as Mail Server but is also used for data our workers need to work with.


I hope someone can help me.

Thanks in advance.


Greetings

Marcel



  • Hello Marcel,

    If this is a site-to-site, this seems like a DNS issue.  If an FQDN resolves to an IP in 192.168.13.0/24, the traffic goes through the tunnel.  If it resolves to a public IP, the traffic goes out the interface with a default gateway (External).  Isn't this that simple?

    If this is remote access, then you would want to not select 'Automatic firewall rules' in the SSL VPN Profile and make three firewall rules, in order, like:

    1. VPN Pool (SSL) -> {special port} -> {192.168.13.11} : Allow
    2. VPN Pool (SSL) -> Any -> {192.168.13.11} : Drop
    3. VPN Pool (SSL) -> Any -> Any : Allow

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

     

    I think you've understood my question wrong.

    I want the traffic sent to the IP 192.168.13.11 (Exchange) on a specific port to be sent over VPN, and the traffic of the other ports to be sent over the client's connection of his/her internet provider (that was meant by external). The rest of the 192.168.13.0/24 network should be accessible as well on any port over the VPN.

  • It's still not clear if this is site-to-site or remote access, Marcel.  Assuming the latter, use my suggestion above with an SSL VPN Profile that only contains {192.168.13.0/24} in 'Local Networks'.  With that, all ports are open to all other local IPs and the caller will have all traffic to public IPs leave directly from his PC.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,


    well, what Balfson said is basically exactly what I said:


    1. VPN Pool (SSL) -> {special port} -> {192.168.13.11} : Allow
    2. VPN Pool (SSL) -> Any -> {192.168.13.11} : Drop
    3. VPN Pool (SSL) -> Any -> Any : Allow


    Yes, the client will know to push non-internal network traffic out via the WAN connection of the PC/Notebook and not via VPN. It is a split tunneling method.

    Regards

    Jason

    Sophos Certified Architect - UTM
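An added example, not code from the thread or from Sophos, that models first-match evaluation of the three ordered rules Bob proposed and Jason repeats above. The VPN pool address and the "special port" are assumptions (the thread names neither; SMB 445 is used since the Exchange host is also accessed as a file server), and the default action when no rule matches is assumed to be drop. It also shows why the order of rules 1 and 2 matters.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the thread does not give the SSL VPN pool or the port.
VPN_POOL = ip_network("10.242.2.0/24")    # assumed SSL VPN client pool
EXCHANGE = ip_network("192.168.13.11/32")  # the Exchange host from the thread
SPECIAL_PORT = 445                         # assumed stand-in for "{special port}"

# (name, source network, destination network or None for Any,
#  destination port or None for Any, action) -- evaluated top-down, first match wins
RULES = [
    ("1 VPN Pool -> special port -> 192.168.13.11", VPN_POOL, EXCHANGE, SPECIAL_PORT, "allow"),
    ("2 VPN Pool -> Any -> 192.168.13.11", VPN_POOL, EXCHANGE, None, "drop"),
    ("3 VPN Pool -> Any -> Any", VPN_POOL, None, None, "allow"),
]


def matches(rule, src, dst, dport):
    """True if the packet (src, dst, dport) satisfies every field of the rule."""
    _, src_net, dst_net, port, _ = rule
    if ip_address(src) not in src_net:
        return False
    if dst_net is not None and ip_address(dst) not in dst_net:
        return False
    return port is None or port == dport


def evaluate(rules, src, dst, dport, default="drop"):
    """Return (rule name, action) of the first matching rule, else the assumed default."""
    for rule in rules:
        if matches(rule, src, dst, dport):
            return rule[0], rule[4]
    return "implicit default", default


def ordering_is_safe(rules):
    """Special port reaches Exchange, other Exchange ports drop, other hosts stay open."""
    client = "10.242.2.10"  # constructed VPN client address inside the pool
    special_ok = evaluate(rules, client, "192.168.13.11", SPECIAL_PORT)[1] == "allow"
    https_blocked = evaluate(rules, client, "192.168.13.11", 443)[1] == "drop"
    file_server_ok = evaluate(rules, client, "192.168.13.20", 445)[1] == "allow"
    return special_ok and https_blocked and file_server_ok


if __name__ == "__main__":
    for dst, port in [("192.168.13.11", 445), ("192.168.13.11", 443), ("192.168.13.20", 445)]:
        print(dst, port, evaluate(RULES, "10.242.2.10", dst, port))
    # Rule 2 ahead of rule 1 would match the special port first and drop it.
    swapped = [RULES[1], RULES[0], RULES[2]]
    print("original order safe:", ordering_is_safe(RULES))
    print("swapped order safe:", ordering_is_safe(swapped))
```

Traffic to public IPs never appears here because, with only 192.168.13.0/24 in the profile's Local Networks, the client sends it out its own WAN link and it never reaches these rules.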

  • Bob Alfson is right.   Autodiscover looks up "Autodiscover.<yourdomain.com>" in DNS to get a number.   It either gets an internal address or an external address, depending on whether the DNS is resolved externally or internally.   If your DNS returns an address you don't want to allow, then the traffic will be blocked; it will not find another DNS result.

    This does raise some questions that I have about DNS split horizon with remote access.   Does the SSL VPN client do split DNS horizon at all, or does it send all DNS traffic through the VPN session?  If it supports split horizon, how do I predict and control where the split will occur?


  • Hello - Bob,


    it's not the site-to-site VPN. Well, I want to use the SSL VPN for file data servers; our users want to access them via \\hostname. The problem at the same time is that one of these servers is our Exchange Server. So I want them, even if they are connected to our VPN, to use our VPN for the file data and their own internet connection for everything else. Is it possible to realize that without client-based routing?
