Restricting SSL VPN

Hello Sophos-Community,

My problem is the following:

I am trying to set the following permissions for our SSL VPN:

access to 192.168.13.0

access to 192.168.13.11, but just a specific port.

It shouldn't be a firewall deny or discard rule, because the other traffic should be handled over the client's external internet connection and not over the VPN.

It has to be handled with our firewall and not via client-side routing.

To explain: we've got an Exchange server and published Autodiscover recently. Now I want my VPN users to still connect to their mailboxes via their own internet connection and not over the VPN; they should only use the VPN for network data exchange. Our Exchange is used as a mail server but is also used for data our workers need to work with.

I hope someone can help me.

Thanks in advance.

Greetings

Marcel

  • I would question the wisdom of publishing an Autodiscover entry on the internet at all.

  • Hello Bob,

    it's not the site-to-site VPN. Well, I want to use the SSL VPN for file data servers; our users want to access them via \\hostname. The problem at the same time is that one of these servers is our Exchange server. So I want them, even if they are connected to our VPN, to use our VPN for the file data and their own internet connection for everything else. Is it possible to realize that without client-based routing?

  • It actually is, but if the client finds the entry locally via VPN it will use that one, am I right?

    We've got a .de for internal and external usage as well; it wasn't working here when this was done.

  • Hello Bob,

    I've tried the settings above, but my client keeps trying to connect via VPN to our Exchange, and now it fails because the traffic of the Exchange connection sent to 192.168.13.11 is dropped.

  • What application are we talking about? Outlook? Outlook Anywhere? Phone ActiveSync?

    Is there a WAF site in front of Exchange in any configuration?

    Autodiscover is used for setup of Outlook and ActiveSync. Once it is done, the hostname is stored. So we need to figure out which name is not resolving the way you want.

    But I also do not understand what security problem you are trying to solve, and why.

  • This is a DNS design issue, Marcel.  If you can't use a public name server as the first DNS server on the 'Advanced' tab of 'Remote Access' and you can't use a permanent entry in the Hosts list in the PC/client and you don't want to have the employee use a different host name when remoting in, then there's no solution.

    Just saw your PM. Instead of blocking access to an IP, you could leave it out of the tunnel by replacing "Internal (Network)" with a group of subnets that covers the entire network save the one IP. You would still have the same problem because it's a name resolution problem, not a networking problem.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
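Bob's suggestion of a group of subnets that covers the entire network save the one IP is easy to get wrong by hand, so here is an added example (not from this thread, Sophos, or MediaSoft) that computes that group with Python's standard ipaddress module. It assumes the network is 192.168.13.0/24 and the host to keep out of the tunnel is 192.168.13.11, as in the thread; the function and variable names are the example's own. The resulting list is what you would enter as the VPN's local networks instead of "Internal (Network)". As Bob notes, this only keeps the traffic out of the tunnel; which address the client resolves the Exchange hostname to is still decided by DNS.

```python
import ipaddress


def tunnel_networks(internal, excluded_hosts):
    """Return the smallest list of subnets that covers `internal` minus every
    address in `excluded_hosts`. Pushing this list as the VPN's local networks
    leaves the excluded hosts to the client's normal internet route."""
    remaining = [ipaddress.ip_network(internal)]
    for host in excluded_hosts:
        host_net = ipaddress.ip_network(f"{host}/32")
        carved = []
        for net in remaining:
            if host_net.subnet_of(net):
                # address_exclude splits `net` into the subnets that do not
                # contain the host (e.g. /25, /26, ... /32 for a /24 minus one IP)
                carved.extend(net.address_exclude(host_net))
            else:
                carved.append(net)
        remaining = sorted(carved)
    return [str(n) for n in remaining]


def is_tunneled(networks, address):
    """True if `address` falls inside any of the pushed tunnel networks."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def covered_addresses(networks):
    """Number of addresses the list covers; a sanity check that nothing
    besides the excluded hosts was dropped."""
    return sum(ipaddress.ip_network(n).num_addresses for n in networks)


if __name__ == "__main__":
    # Values from the thread: the internal /24 and the Exchange server's IP
    nets = tunnel_networks("192.168.13.0/24", ["192.168.13.11"])
    for n in nets:
        print(n)
    print("192.168.13.11 tunneled:", is_tunneled(nets, "192.168.13.11"))
    print("192.168.13.10 tunneled:", is_tunneled(nets, "192.168.13.10"))
    print("addresses covered:", covered_addresses(nets))
```

For a /24 minus one host the result is eight entries (a /25, /26, /27, /28, /29, /30, /31 and /32), which is the group you would build on the firewall. The function accepts several excluded hosts, so the same list can be produced if more servers need to stay on the client's own internet connection.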