
Special VPN User: Only allow access to an internal URL

Hello everyone,

For me this is unique, but I'm fairly sure someone else has done this.

Sophos UTM 9

We have a software vendor that needs access to the software server they have provided.  The software is administered through an internal web browser connection.  We don't want to have to screenshare whenever this vendor needs to access the administrator account.

I would like to give them a VPN account, but restrict it to only the URL.

Is this possible or is there a more efficient way to do this?


Thank you for your help!



  • I forgot to mention, we do not want to make this URL published to the world.  Restrict only to the VPN user.

  • Hello,

    You can do this using HTML5 VPN Portal under Remote Access.

    Good Luck

  • ... or you unselect "automatic packetfilter rules" within VPN configuration and create some firewall rules using "XYZ (User Network)".


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Agreed with PatrickLee - this is the ideal use case for the HTML5 VPN.  You can even use OTP with the User Portal with it required only for specific users.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I can think of multiple ways to handle this.   

    • All of the methods support 2-factor authentication with OTP (or third-party alternatives).  You should use 2-factor authentication on all remote access (Also, PCI DSS requires it)
    • All of the methods support source filtering using Country Blocking rules.

    HTML VPN to a Web Resource (as previously proposed)

    • Nothing to install on the client device
    • Uses a web session inside a web session, so you lose some screen space
    • Inside session uses a very old version of Firefox, so you may have compatibility issues or ciphersuite issues (if using https)
    • The entire HTML VPN subsystem seems to be frozen code.   I had a minor bug report in HTML VPN with an RDP object, and they forced me to put it in as a feature request.

    WAF

    • The normal way to handle external web traffic to an internal website
    • Nothing to install on client device
    • Can restrict on user with Reverse Authentication
    • Can restrict on source IP with Access Restrictions under Source Path Routing
    • Not included in some UTM licenses

    SSL VPN to Transparent Web Proxy

    • Requires SSL VPN Client code to be installed on client device.
    • Particularly attractive if user should only connect using a company-issued laptop.
    • Create a filter profile and add the User Network Object to the Allowed Networks list.
    • Link the Filter Profile to a Policy object that has "use for unauthenticated users" checked.
    • Link the Policy to a Filter Action that blocks everything except the desired URL.
    • In Firewall Rules, block all traffic with that User Network Object as the source (because Web Proxy traffic bypasses the Firewall Rules)
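    The following is an added, constructed model (not Sophos UTM code and not from anyone in this thread) of the two enforcement layers behind the "SSL VPN to Transparent Web Proxy" steps above and Dirk's "User Network" firewall rules: the web filter sees only the HTTP/HTTPS flows it intercepts and must allow exactly one URL, while an explicit deny-all firewall rule for the User Network is what stops everything the proxy never sees (SSH, RDP, SMB, ...). The VPN pool `10.242.2.0/24`, the host `appserver.internal.example` and the URL path `/admin/` are placeholders. It also shows two checks a practitioner wants: host and port are compared exactly rather than by substring, and path-level matching on HTTPS only works if the proxy decrypts TLS; otherwise it can match on hostname alone.

```python
import ipaddress
from urllib.parse import urlsplit

# Placeholder values (assumptions, not from the thread): the SSL VPN pool that
# becomes the "User Network" object, and the single admin URL the vendor may use.
VENDOR_USER_NETWORK = ipaddress.ip_network("10.242.2.0/24")
ALLOWED_URL = "https://appserver.internal.example/admin/"

DEFAULT_PORTS = {"http": 80, "https": 443}
PROXIED_PORTS = {80, 443}   # what the transparent web proxy intercepts


def normalize_url(url):
    """Split a URL into (scheme, host, port, path): lowercase host, trailing
    dot removed, default port filled in, empty path treated as '/'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    return scheme, host, port, path


def web_filter_decision(url, decrypt_tls=True):
    """Filter action for the vendor profile: allow only ALLOWED_URL, block the rest.
    Scheme, host and port are compared exactly (a substring match would also
    accept 'appserver.internal.example.evil'); the path is a prefix match.
    If the proxy does not decrypt HTTPS it only sees the hostname, so the path
    cannot be enforced and the whole host is effectively allowed."""
    a_scheme, a_host, a_port, a_path = normalize_url(ALLOWED_URL)
    scheme, host, port, path = normalize_url(url)
    if (scheme, host, port) != (a_scheme, a_host, a_port):
        return "block"
    if scheme == "https" and not decrypt_tls:
        return "allow"      # hostname-only match: the path is invisible to the proxy
    return "allow" if path.startswith(a_path) else "block"


def firewall_decision(src_ip, vendor_deny_rule=True):
    """Firewall rules for flows the proxy did not intercept. The explicit
    deny-all rule for the User Network is what stops non-web protocols;
    without it the flow falls through to whatever other rules exist."""
    if vendor_deny_rule and ipaddress.ip_address(src_ip) in VENDOR_USER_NETWORK:
        return "drop"
    return "no-match"


def evaluate_flow(src_ip, proto, dst_port, url=None, decrypt_tls=True, vendor_deny_rule=True):
    """Send a flow from a VPN client through the layer that actually sees it
    and return (layer, decision)."""
    src = ipaddress.ip_address(src_ip)
    if src not in VENDOR_USER_NETWORK:
        return ("other-profile", "n/a")   # not the vendor; other profiles/rules apply
    if proto == "tcp" and dst_port in PROXIED_PORTS and url is not None:
        return ("web-proxy", web_filter_decision(url, decrypt_tls))
    return ("firewall", firewall_decision(src_ip, vendor_deny_rule))


if __name__ == "__main__":
    # Constructed flows from a vendor VPN client at 10.242.2.10.
    cases = [
        ("tcp", 443, "https://appserver.internal.example/admin/login"),
        ("tcp", 443, "https://appserver.internal.example/"),
        ("tcp", 443, "https://appserver.internal.example.evil/admin/"),
        ("tcp", 80, "http://intranet.internal.example/"),
        ("tcp", 22, None),
    ]
    for proto, port, url in cases:
        print(proto, port, url, "->", evaluate_flow("10.242.2.10", proto, port, url))
```

    The `vendor_deny_rule=False` case is the one to keep in mind: removing the deny rule does not produce a block, it produces "no-match", meaning the flow is then governed by whatever other firewall rules apply to that source, which is exactly why the last step above says to block all traffic from the User Network object explicitly.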
  • All,

    Thank you for the suggestions.  The HTML5 Portal sounds interesting.  I like the idea that the user does not have to install anything.  No history with it, but onward!

  • The HTML5 VPN Portal worked like a charm!


    thanks again!

  • Folks, our external client has access to the internal website. 


    However, when they click on a function to upload a file, it will not point to their local machine.  Is there an option somewhere to give that throughput?

  • Don't think so.  Remember that you are running a browser inside a browser.   That would be a reason to use one of the other configurations.