
Migrating from TMG to Sophos auth question

Hi everyone. At present our company is using TMG as the primary solution and a standalone Sophos as a dummy VPN proxy to give non-domain computers access to specific internal resources. But as time goes on, TMG shows itself badly as a solution for a big company, and we understood that we need to migrate from TMG to Sophos. A new Sophos has already been installed, and now the authentication problem has occurred. We need to separate users into 2 groups:

1) Users who are using the company's Windows PCs have a domain certificate installed on the machine. We want to authenticate these users via a RADIUS server (to check the domain cert.). These users will further have access to most internal resources.

2) Users who are using Linux and Mac will be able to authenticate via the AD server using their domain login and password (they will be added to an ACL group). These users will have limited access to internal resources.

My question is: is it possible to achieve such a scheme with Sophos (especially dividing users into 2 groups and further dividing which resources they will have access to)? Maybe some further help and advice from colleagues can be given.

Thank you in advance.



  • Not as you've laid them out. UTM is not a NAC and cannot filter access from VPN to different authentication types based on the OS of the client system they are using.

    If you want to limit access to internal hosts for VPN users, here's how to do it simply with SSL VPN.

    Let's say we have two remote users, Fred and Barney. Fred should have remote access to a machine on the LAN with IP 192.168.50.7 only. Barney gets access to anything on the LAN.

    Go to Remote Access>>SSL>>Profiles, and create a new profile.

    In Users and Groups, add the account for Fred. In Local Networks, add a host definition for 192.168.50.7. Keep the auto firewall rule checked.

    Now create a new Profile for Barney. The only difference here is you'll add Internal (Network) to Local Networks.

    Done.

    For Win machines, the UTM comes with the SSL VPN client software, which users can download from the user portal, once they are added to a VPN profile. OSX and Linux users can get the config from the user portal and install an applicable OpenVPN client.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • But it will be a little difficult to make a user profile for each of the 1k users we have to join to the UTM. I just thought that it is possible to divide users by authentication method (something like making 2 pools, for those who joined via RADIUS and those who joined using AD) and then divide the resources each pool can access.
  • I would take a look at Network Policy Server on one of your DCs. I am using that now to filter which users can make a connection through the UTM VPN. Maybe there is something there that could address your specific scenario.
  • "But it will be a little difficult to make user profile for each 1k users we have to join UTM" You wouldn't need 1k profiles, unless all 1k employees had different parameters for what they get access to.
  • Scot, then how will users be automatically divided into 2 groups? Or will I have to put all the auto-created users into the needed security groups myself? Just trying to build an automated scheme where no assistance from the Administrator is needed on the UTM side.