Hello fellow forum users, I have currently set up a SSL VPN remote access in Sophos UTM9 and its working without any issues, i can access all the services on all ports in the local network without issues. The problem is i want to restrict port usage to specific users, so for example lets say users Tom and Jerry have access to all ports and all machines, but users Joe and John would have access only to RDP protocols and only for certain machines. Since i can't assign static IPs to users in SSL VPN, how can i restrict access to Joe and John with firewall rules (or some other way) if the SSL VPN IPs are dynamic only? If I use know IPs of a user for the firewall or NAT rules like proposed in the community.sophos.com/.../115930 I t doesn't work because IPs are assigned incrementally for users coming to the network so lets say Tom and Jerry logged in, got IPs 10.41.0.1 and 10.41.0.2, while they are logged in Joe would get 10.41.0.3, but if Tom or Jerry log out, Joe would get 10.41.0.2 which is a known IP of users Tom or Jerry so he would inherit their permissions (this is what happened to me where the test user inherited admin permissions because an admin was previously using the IP assigned to the test user) Any input is appreciated Regards, Edo

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Granular access for SSL VPN remote access

edo terzic over 7 years ago

Hello fellow forum users,

I have currently set up a SSL VPN remote access in Sophos UTM9 and its working without any issues, i can access all the services on all ports in the local network without issues.

The problem is i want to restrict port usage to specific users, so for example lets say users Tom and Jerry have access to all ports and all machines, but users Joe and John would have access only to RDP protocols and only for certain machines.

Since i can't assign static IPs to users in SSL VPN, how can i restrict access to Joe and John with firewall rules (or some other way) if the SSL VPN IPs are dynamic only?
If I use know IPs of a user for the firewall or NAT rules like proposed in the community.sophos.com/.../115930

It doesn't work because IPs are assigned incrementally for users coming to the network so lets say Tom and Jerry logged in, got IPs 10.41.0.1 and 10.41.0.2, while they are logged in Joe would get 10.41.0.3, but if Tom or Jerry log out, Joe would get 10.41.0.2 which is a known IP of users Tom or Jerry so he would inherit their permissions (this is what happened to me where the test user inherited admin permissions because an admin was previously using the IP assigned to the test user)

Any input is appreciated

Regards, Edo

This thread was automatically locked due to age.

Parents

0 dirkkotte over 7 years ago

tom, jerry and Joe have it's own "user network"-Object.

You can use these within FW Rules.

Also using a user-group is possible.

The "user network"-Object for the group contains all IP's used currently by members.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel
0 edo terzic over 7 years ago in reply to dirkkotte

Hey Dirk,

Ty for the input, I have tried using these network objects but for some reason while using the test_user network object he inherited all the permission of the user who was using his current IP before him.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 7 years ago in reply to edo terzic

Edo, see #2 in Rulz. This means that you can make two SSL VPN Profiles, one with automatic firewall rules and one with a manual firewall rule that Allows only limited access to "VPN Pool (SSL)." If you need to have more than two classes of remote users, you will need to use an additional Remote Access method.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 DouglasFoster over 7 years ago in reply to BAlfson

Bob, you helped and confused me at the same time.

The Help:

I checked my primary SSL VPN profile. It had automatic rules enabled, and I had tried to create a manual rule to restrict it to only a few protocols. It did not work, and is worth explaining for the benefit of others:

The "Automatic Firewall" rules created a simple rule that matched the profile definition. UserList allowed to NetworksList, all protocols, and it had a low sequence number, so it would take effect before my manual rule could do any restricting. I needed to turn off automatic firewall to allow the more restrictive rule to take effect.

The confusion:

However, I should be able to create any number of SSL VPN profiles for different user groups, with any level of granularity based on the firewall rules applied to that user or group. Why did you say that it would only work to make one automatic and one manual group?

Other thoughts:

We should be able to create a manual firewall rule based on the VPN Pool IP address as source, as an alternative to using the user network object.

I wanted a rule to limit the ability for an infected VPN client from attacking the internal network. To do this, it seemed reasonable to restrict all vpn users to only a few protocols, specifically RDP, HTTP(S), and ICMP. (RDP would need a separate policy on the server level to block client drive and usb mapping.) To make this apply to all SSL VPN Profiles, I added a manual rule of the form: "from VPN POOL IP object, using (specific protocols) to ANY". Any reason why this will not work? Now that the automatic firewall rules are off, I intend to test.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 DouglasFoster over 7 years ago in reply to BAlfson

Bob, you helped and confused me at the same time.

The Help:

I checked my primary SSL VPN profile. It had automatic rules enabled, and I had tried to create a manual rule to restrict it to only a few protocols. It did not work, and is worth explaining for the benefit of others:

The "Automatic Firewall" rules created a simple rule that matched the profile definition. UserList allowed to NetworksList, all protocols, and it had a low sequence number, so it would take effect before my manual rule could do any restricting. I needed to turn off automatic firewall to allow the more restrictive rule to take effect.

The confusion:

However, I should be able to create any number of SSL VPN profiles for different user groups, with any level of granularity based on the firewall rules applied to that user or group. Why did you say that it would only work to make one automatic and one manual group?

Other thoughts:

We should be able to create a manual firewall rule based on the VPN Pool IP address as source, as an alternative to using the user network object.

I wanted a rule to limit the ability for an infected VPN client from attacking the internal network. To do this, it seemed reasonable to restrict all vpn users to only a few protocols, specifically RDP, HTTP(S), and ICMP. (RDP would need a separate policy on the server level to block client drive and usb mapping.) To make this apply to all SSL VPN Profiles, I added a manual rule of the form: "from VPN POOL IP object, using (specific protocols) to ANY". Any reason why this will not work? Now that the automatic firewall rules are off, I intend to test.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data