This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN - w/o local access

Hi All,

UTM 9.414-2 Home License.

I use SSL VPN to provide secure access to the home network and external browsing.  Some of my kids are away from home now and I want to continue to provide the SSL tunnel for them but don't want them to have access to the local network (Who knows where those devices have been...;) 

The SSL Access Profile provides for allowed networks, but not denied networks.  

So the question is, how do I setup a profile to allow access to "the world" but not my local network?

Am I missing something stupid simple here?

Thanks in advance.



This thread was automatically locked due to age.
Parents
  • My experience is that SSL VPN and standard proxy do not work well together, since they both manipulare SSL.  VPN will not be active with enough consistency to achieve your goals anyway.

    It sounds like what you really want is standard web proxy.  It could be on all the time.  It requires you to have a static ip or dyndns for home so their PCs can find your UTM, but apparently hou already do so.

    To keep the proxy from giving accesz to stuff inside your house, you need a firewall between your home network and UTM, to block all web ports from the outside.

    To limit acccess to just your kids, you will want to put SAA on their PCs as well as configuring standard proxy script or proxy settings.  Then create a filter profile for some set of internet IPs with SAA as the authentication type and all unuathenticated traffic blocked.  Use UTM local accounts for this purpose and ensure that the accounts can only do web proxy, so it will not matter much if the passwords are guessed by bad guys.  The risk of bad guys is why you need the inside firewall.

    Use a different filter profile and ip range for your home network web browsing, especially since you may not want authentication enforced on the home network.

    You may have difficulty anticupating all of the source IPs that will need to be allowed, since laptops float from campus to off campus housing to coffee shops to cell phone hotspots etc.  

    They may find the delay objectionable, especially if your ISP connection has asymmetrical speeds.  Try itand see.

Reply
  • My experience is that SSL VPN and standard proxy do not work well together, since they both manipulare SSL.  VPN will not be active with enough consistency to achieve your goals anyway.

    It sounds like what you really want is standard web proxy.  It could be on all the time.  It requires you to have a static ip or dyndns for home so their PCs can find your UTM, but apparently hou already do so.

    To keep the proxy from giving accesz to stuff inside your house, you need a firewall between your home network and UTM, to block all web ports from the outside.

    To limit acccess to just your kids, you will want to put SAA on their PCs as well as configuring standard proxy script or proxy settings.  Then create a filter profile for some set of internet IPs with SAA as the authentication type and all unuathenticated traffic blocked.  Use UTM local accounts for this purpose and ensure that the accounts can only do web proxy, so it will not matter much if the passwords are guessed by bad guys.  The risk of bad guys is why you need the inside firewall.

    Use a different filter profile and ip range for your home network web browsing, especially since you may not want authentication enforced on the home network.

    You may have difficulty anticupating all of the source IPs that will need to be allowed, since laptops float from campus to off campus housing to coffee shops to cell phone hotspots etc.  

    They may find the delay objectionable, especially if your ISP connection has asymmetrical speeds.  Try itand see.

Children
  • I have not found an expllanafion if how SAA finds tj UTM, do I do not know for sure that it would work in this scenario,  what port it used, or whether this is a risk of credential disclosure.

    I do think that college kids will stream so much video and music that your configuration will have problems.   Your ISzp will object to the traffic volume, especially upstream .  The kids will probably find skips in tne video due to delays.  And all of this only works if the campus does not interfere with your connection

    For cell phones, I do like Sophos Moobile Security.  I use it on my cell phone instead of the one that came with my phone. Uou need to protect both phone and laptop.