
VPN user only allowed to reach a specific URL (which points to an internal IP)

My goal: have a user group in Windows Active Directory Users and Computers which can connect via SSL VPN but only access one specific (git) server we host via a URL, not via an IP.

What I have achieved so far: the user can connect via VPN and can access the server via the IP, but if the user pings the URL (subdomain.domain.com) it forwards to an external IP instead of the internal IP (192.168.1.4). I cannot ping any other server on the network.

For other network (and VPN) users we made a forward lookup zone (on the Windows server) so the URL works as desired, but for this new VPN group it somehow doesn't use this forward lookup zone.

I only want the URL to point to that internal IP when you are connected via VPN.
Attached are some pictures of the setup as it is now:

Remote Access SSL Profile:

Network Protection - Firewall: (only copied the relevant rule for this group)

Network Definition of GIT repo

Preferably we stick with SSL VPN since the user will be using the VPN connection for pushing/pulling of code.
So how can we make subdomain.domain.com point to 192.168.1.4 for the new VPN group?



  • See point 3 in Rule #2 in Rulz (last updated 2020-11-12). If you want the users in the AD group to only be able to ping 192.168.1.2, you will need a firewall rule for that. If you also needed a firewall rule to allow the AD users to get DNS from 192.168.1.2, please let us know.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Balfson, thanks for your support.
    The domain they need to reach is indeed defined in the DNS of the 192.168.1.2 server.
    The VPN user just needs access to the 192.168.1.2 server for the DNS, not for anything else.
    The 192.168.1.2 is a Windows server if it's relevant.

  • If I edit the firewall to allow access to 192.168.1.2, the DNS is picked up, but the user can also use Remote Desktop and access the server via Windows Explorer. This should not be the case; it should just use the DNS that is defined on 192.168.1.2 and have no other rights in our network, except reaching 192.168.1.4 via the URL.
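The last comment shows the risk of a host-wide allow rule: granting the VPN group "any service" to 192.168.1.2 for the sake of DNS also exposes RDP and file sharing. The following is an added Python model, not Sophos UTM code and not from any poster in this thread, that compares a host-wide rule with a service-restricted one using the thread's IPs; the service ports (DNS 53, HTTPS 443, SSH 22, RDP 3389, SMB 445) and the sample flows are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Toy model of an allow rule for the VPN group. Not a Sophos UTM object;
# it only exists to show what each rule variant lets through.
@dataclass(frozen=True)
class Rule:
    dst: str
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any port

def allowed(rules: List[Rule], dst: str, proto: str, port: int) -> bool:
    """First matching allow rule wins; no match means the implicit deny applies."""
    for r in rules:
        if r.dst == dst and r.proto in ("any", proto) and r.port in (None, port):
            return True
    return False

# Weak policy: whole-host access to the DNS server and the git server.
WEAK = [Rule("192.168.1.2", "any", None), Rule("192.168.1.4", "any", None)]

# Least-privilege policy: DNS only on 192.168.1.2, git services only on 192.168.1.4.
STRICT = [
    Rule("192.168.1.2", "udp", 53), Rule("192.168.1.2", "tcp", 53),
    Rule("192.168.1.4", "tcp", 443), Rule("192.168.1.4", "tcp", 22),
]

# Constructed sample flows from a VPN client (name, destination, protocol, port).
FLOWS = [
    ("dns query", "192.168.1.2", "udp", 53),
    ("rdp", "192.168.1.2", "tcp", 3389),
    ("smb share", "192.168.1.2", "tcp", 445),
    ("git over https", "192.168.1.4", "tcp", 443),
    ("git over ssh", "192.168.1.4", "tcp", 22),
    ("other host", "192.168.1.10", "tcp", 443),
]

def evaluate(rules: List[Rule]) -> dict:
    """Verdict for every sample flow under the given policy."""
    return {name: allowed(rules, dst, proto, port) for name, dst, proto, port in FLOWS}

def leaked_services(rules: List[Rule]) -> List[str]:
    """Flows the policy allows beyond DNS and the git server: the unintended exposure."""
    wanted = {"dns query", "git over https", "git over ssh"}
    return sorted(n for n, ok in evaluate(rules).items() if ok and n not in wanted)

if __name__ == "__main__":
    print("weak policy leaks:", leaked_services(WEAK))      # ['rdp', 'smb share']
    print("strict policy leaks:", leaked_services(STRICT))  # []
```

In the UTM the equivalent of STRICT is a rule whose service is the DNS service definition rather than "Any", with a second rule for the git server's services.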