
Special VPN User: Only allow access to an internal URL

Hello everyone,

For me this is unique, but I'm probably sure someone else has done this.

Sophos UTM 9

We have a software vendor that needs access to the software server they have provided.  The software is administered through an internal web browser connection.  We don't want to have to screenshare whenever this vendor needs to access the administrator account.

I would like to give them a VPN account, but restrict it to only the URL.

Is this possible or is there a more efficient way to do this?

Thank you for your help!

This thread was automatically locked due to age.
  • I can think of multiple ways to handle this.   

    • All of the methods support 2-factor authentication with OTP (or third-party alternatives).  You should use 2-factor authentication on all remote access (Also, PCI DSS requires it)
    • All of the methods support source filtering using Country Blocking rules.

    HTML VPN to a Web Resource (as previously proposed)

    • Nothing to install on the client device
    • Uses a web session inside a web session, so you lose some screen space
    • Inside session uses a very old version of Firefox, so you may have compatibility issues or ciphersuite issues (if using https)
    • The entire HTML VPN subsystem seems to be frozen code.   I had a minor bug report in HTML VPN with an RDP object, and they forced me to put it in as a feature request.

    WAF

    • The normal way to handle external web traffic to an internal website
    • Nothing to install on client device
    • Can restrict on user with Reverse Authentication
    • Can restrict on source IP with Access Restrictions under Source Path Routing
    • Not included in some UTM licenses

    SSL VPN to Transparent Web Proxy

    • Requires SSL VPN Client code to be installed on client device.
    • Particularly attractive if user should only connect using a company-issued laptop.
    • Create a filter profile and add the User Network Object to the Allowed Networks list.
    • Link the Filter Profile to a Policy object that has "use for unauthenticated users" checked.
    • Link the Policy to a Filter Action that blocks everything except the desired URL.
    • In Firewall Rules, block all traffic with that User Network Object as the source (because Web Proxy traffic bypasses the Firewall Rules)
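    As an added illustration (not from the thread or from Sophos) of the last three steps, a model of the filter action as a default-deny allow-list matched against the requested URL, showing why the single permitted URL should be anchored: the hostname, paths and patterns are constructed, and the regex semantics are an assumption about how such a rule is expressed, not documented UTM behaviour.

```python
import re
from urllib.parse import urlsplit

# Constructed (hypothetical) vendor console and two ways of writing the
# single allow rule; the loose one is the kind of pattern that creeps in.
ALLOW_SLOPPY = [r"vendor-console\.corp\.example/admin"]
ALLOW_STRICT = [r"^https://vendor-console\.corp\.example/admin(/.*)?$"]

def filter_action(url: str, allow_patterns) -> str:
    """Default-deny filter action: the only allow rule is the URL allow-list;
    a request matching none of the patterns is blocked."""
    return "allow" if any(re.search(p, url) for p in allow_patterns) else "block"

def is_intended(url: str) -> bool:
    """Ground truth for the test: exactly the console over HTTPS, nothing else."""
    p = urlsplit(url)
    return (p.scheme == "https" and p.hostname == "vendor-console.corp.example"
            and (p.path == "/admin" or p.path.startswith("/admin/")))

# Constructed probe URLs a tester would send from the VPN user's session.
PROBES = [
    "https://vendor-console.corp.example/admin/login",          # intended console
    "https://vendor-console.corp.example/other",                # same host, other app
    "https://vendor-console.corp.example/administrator",        # prefix collision
    "http://vendor-console.corp.example/admin/",                # cleartext variant
    "https://evil.test/?next=vendor-console.corp.example/admin",  # substring elsewhere
]

def evaluate(allow_patterns) -> dict:
    """Decision per probe URL under the given allow-list."""
    return {u: filter_action(u, allow_patterns) for u in PROBES}

def over_permits(allow_patterns) -> list:
    """URLs the rule lets through that are outside the intended console."""
    return [u for u, d in evaluate(allow_patterns).items()
            if d == "allow" and not is_intended(u)]

if __name__ == "__main__":
    for name, pats in (("sloppy", ALLOW_SLOPPY), ("strict", ALLOW_STRICT)):
        print(f"{name}: unintended allows = {over_permits(pats)}")
```

Running the strict list should leave the unintended-allow list empty while the sloppy one lets the cleartext, prefix-collision and look-alike URLs through; the same probe set is worth replaying through the real SSL VPN plus proxy path after configuring the filter action.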
  • All,

    Thank you for the suggestions.  The HTML5 Portal sounds interesting.  I like the idea that the user does not have to install anything.  No history with it, but onward!

  • The HTML5 VPN Portal worked like a charm!


    thanks again!
