
Restricting SSL VPN

Hello Sophos-Community,

 

my problem is the following:

I am trying to set the following permissions for our ssl vpn:

access to 192.168.13.0

access to 192.168.13.11, but just a specific port.

It shouldn't be a firewall deny or discard rule because the other traffic should be handled over the client's external internet and not over the VPN.

It has to be handled with our Firewall and not via clientside routing.

 

To explain: we've got an exchange server and published autodiscover recently, now I want my vpn users to still connect their mail-postboxes via their internet and not over vpn, they should only use vpn for network data exchanging. Our Exchange is used as Mail Server but is also used for data our workers need to work with.

 

I hope someone can help me.

Thanks in advance.

 

Greetings

Marcel



  • Hallo Marcel,

    If this is a site-to-site, this seems like a DNS issue.  If an FQDN resolves to an IP in 192.168.13.0/24, the traffic goes through the tunnel.  If it resolves to a public IP, the traffic goes out the interface with a default gateway (External).  Isn't this that simple?

    If this is remote access, then you would want to not select 'Automatic firewall rules' in the SSL VPN Profile and make three firewall rules, in order, like:

    1. VPN Pool (SSL) -> {special port} -> {192.168.13.11} : Allow
    2. VPN Pool (SSL) -> Any -> {192.168.13.11} : Drop
    3. VPN Pool (SSL) -> Any -> Any : Allow

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
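The two points in Bob's answer are that the UTM rule table is evaluated top-down with first match winning (so the port-specific Allow must sit above the host-wide Drop), and that whether a connection enters the tunnel at all is decided by the IP the name resolves to. The following is an added illustration written for this thread, not Sophos code and not something posted by Bob or Marcel; the VPN pool 10.242.2.0/24, the "special port" 443 and the sample addresses are constructed assumptions.

```python
"""Added example: a first-match rule evaluator modelling the three ordered
firewall rules from the answer above, plus the split-tunnel routing decision
that name resolution drives. Pool, port and addresses are assumed values."""
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source network in CIDR notation, or ANY
    dport: object  # destination port (int) or ANY
    dst: str      # destination network/host in CIDR notation, or ANY
    action: str   # "allow" or "drop"


def _in_net(net: str, ip: str) -> bool:
    """True if ip falls inside net, or if net is the ANY wildcard."""
    return net == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def evaluate(rules, src_ip: str, dst_ip: str, dport: int):
    """Walk the rule table top-down; the first matching rule decides.
    No match falls through to the implicit default drop of the firewall."""
    for r in rules:
        if _in_net(r.src, src_ip) and _in_net(r.dst, dst_ip) and r.dport in (ANY, dport):
            return r.action, r.name
    return "drop", "implicit-default"


VPN_POOL = "10.242.2.0/24"   # assumed SSL VPN address pool
SPECIAL_PORT = 443           # assumed "special port" on the Exchange host
RULES = [
    Rule("1-allow-special-port", VPN_POOL, SPECIAL_PORT, "192.168.13.11/32", "allow"),
    Rule("2-drop-rest-of-host", VPN_POOL, ANY, "192.168.13.11/32", "drop"),
    Rule("3-allow-network", VPN_POOL, ANY, ANY, "allow"),
]


def goes_through_tunnel(resolved_ip: str, tunnel_networks) -> bool:
    """Split-tunnel decision on the client: only destinations inside the
    networks pushed by the VPN profile enter the tunnel; everything else
    leaves via the client's own default gateway."""
    ip = ipaddress.ip_address(resolved_ip)
    return any(ip in ipaddress.ip_network(n) for n in tunnel_networks)


if __name__ == "__main__":
    for dst, port in (("192.168.13.11", 443), ("192.168.13.11", 25), ("192.168.13.20", 445)):
        print(dst, port, evaluate(RULES, "10.242.2.5", dst, port))
    # Same rules, drop moved above the allow: the special port is now blocked too.
    misordered = [RULES[1], RULES[0], RULES[2]]
    print("misordered", evaluate(misordered, "10.242.2.5", "192.168.13.11", 443))
    # Autodiscover resolving to a public IP never reaches the rule table.
    print("public IP in tunnel?", goes_through_tunnel("203.0.113.10", ["192.168.13.0/24"]))
```

The misordered case is the one to watch in a real rule table: because the Drop rule matches every port on the host, placing it above the Allow silently blocks the service the rules were meant to expose. The last line reflects Bob's DNS point: if the client resolves the Exchange name to its public address, the packet never enters the tunnel and the UTM rules are irrelevant to it.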
  • Hello Bob,

     

    I've tried the settings above, but my client keeps trying to connect via VPN to our Exchange, and now it fails because the traffic of the Exchange connection sent to 192.168.13.11 is dropped.

  • This is a DNS design issue, Marcel.  If you can't use a public name server as the first DNS server on the 'Advanced' tab of 'Remote Access' and you can't use a permanent entry in the Hosts list in the PC/client and you don't want to have the employee use a different host name when remoting in, then there's no solution.

    Just saw your PM.  Instead of blocking access to an IP, you could leave it out of the tunnel, replacing "Internal (Network)" with a group of subnets that covers the entire network save the one IP.  You would still have the same problem because it's a name resolution problem, not a networking problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA