Block SSL VPN user accessing internet

Hello,

Scenario: I have a number of users connecting via SSL VPN. I want to prevent them from having internet access on my end. I just want to let them access my internal network.

I have scoured hard for an answer to this, and have found many topics discussing the reverse of this (allowing VPN users to access the internet). I have tried to do the opposite of those instructions (deleting rules etc.), but VPN members are still able to break out to the internet whilst on my VPN.

Please could you help me block all VPN users from accessing the internet?

This thread was automatically locked due to age.
  • Seems like you have two options:

    - Firewall rules with VPN pool, specific user object, or group object as source. First rule(s) grant Allow to some or all destination internal addresses and related ports. Final rule grants Deny to all addresses and ports for those sources. Transparent and Standard web proxy must not be enabled. (No filter profile for the VPN pool IP addresses.)

    - Transparent web proxy with a Filter Action that blocks all categories, including uncategorized, with an override inside the filter action to allow all internal IP addresses and DNS names.

    Transparent web proxy does not use VPN user information, so you would need a second authentication step if you need user-specific filtering. Makes the firewall approach more attractive. Web proxy is mostly to protect users from hostile websites, so it is not needed for your scenario.

  • Thanks for reply.

    Seems as though transparent filtering always causes some compromise with UTM.

    Afraid these solutions are no good as I require Web filtering for internal hosts when accessing the Internet.

    Does anyone know if there is another way?

  • Hi and welcome to the UTM Community!

    I'd do this a little differently, but it's essentially the same answer as Doug's...

    SSL VPN Profiles are additive, so you can do the following with automatic firewall rules.  Make one with only "Internal (Networks)" in 'Local Networks' and have everyone in 'Users and Groups'.  In the second one, put "Internet" in 'Local Networks' and just the few users you want to connect to the Internet via the VPN.

    If you have anyone that should connect to the Internet via the VPN, I would add their "Username (User Network)" object to 'Allowed Networks' in your Web Filtering Profile and in DNS.

    I actually prefer having all remote users be forced through the tunnel to the Internet as it gives me the assurance that they won't simultaneously access internal resources and some possibly-infected site on the internet.  If you have Sophos Endpoint Protection (UTM or Cloud-based), you don't need to force internet access through the tunnel because their local EPP will enforce your policies and keep them safe.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The third option is a split tunnel, where the VPN profile only accepts traffic for internal addresses. As Bob indicated, that has other risks to consider, since the user might browse the web with less protection using his home ISP.

    I do not understand your reply, though. Internal users and VPN users can be configured independently in the web proxy. The allowed networks parameter on the filter profile determines the rest of the configuration sequence. For internal users, I recommend Standard Proxy as primary, and Transparent Proxy as backup for machines that do not receive, or do not honor, the standard proxy settings.
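The following is an added illustration, not Sophos code and not from any poster in the thread. It models the decision path the replies describe for a packet from an SSL VPN client: the transparent web proxy intercepts TCP 80/443 from its 'Allowed networks' before the packet filter ever sees it (which is why deleting firewall rules alone did not stop web access), the packet filter is first-match, and unmatched traffic is dropped. It then encodes Doug's two options, his later point that internal and VPN clients are handled independently through the proxy's allowed networks, and Bob's additive-profile approach with automatic firewall rules. All address objects, user names, profile names and hosts are constructed examples; the default pool 10.242.2.0/24 is the only value taken from a real UTM default.

```python
"""Model of how traffic from a Sophos UTM SSL VPN client is decided.

Added illustration for this thread, not Sophos code.  Address objects, users,
profiles and hosts below are constructed examples (assumptions)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed address objects.  The pool must not overlap 'Internal', or the
# pool would inherit every rule and proxy setting meant for the LAN.
INTERNAL = [ip_network("10.1.0.0/16"), ip_network("192.168.1.0/24")]
VPN_POOL = ip_network("10.242.2.0/24")          # UTM default 'VPN Pool (SSL)'
ANY = ip_network("0.0.0.0/0")
USER_NET = {"alice": ip_network("10.242.2.10/32"),   # 'alice (User Network)'
            "bob": ip_network("10.242.2.11/32")}     # 'bob (User Network)'
LAN_HOST = "10.1.5.20"          # constructed internal server
WEB_HOST = "93.184.216.34"      # any public address


def in_any(addr: IPv4Address, nets) -> bool:
    return any(addr in net for net in nets)


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: list
    dst: list
    ports: Optional[set] = None  # None = all ports


@dataclass
class Config:
    rules: list
    proxy_transparent: bool = False
    proxy_allowed: list = field(default_factory=list)   # web filter 'Allowed networks'
    proxy_block_all: bool = False                       # filter action blocking every category
    proxy_override: list = field(default_factory=list)  # override allowing internal destinations


def decide(cfg: Config, src: str, dst: str, port: int) -> str:
    s, d = ip_address(src), ip_address(dst)
    # 1. Transparent proxy: HTTP/HTTPS from an allowed network is answered by the
    #    proxy and never reaches the packet filter.
    if cfg.proxy_transparent and port in (80, 443) and in_any(s, cfg.proxy_allowed):
        if cfg.proxy_block_all and not in_any(d, cfg.proxy_override):
            return "proxy-block"
        return "proxy-allow"
    # 2. Packet filter: first matching rule wins.
    for r in cfg.rules:
        if in_any(s, r.src) and in_any(d, r.dst) and (r.ports is None or port in r.ports):
            return r.action
    return "drop"  # unmatched traffic is dropped


# The poster's symptom: no rule lets the pool out, but the proxy's allowed
# networks cover it ("Any"), so web traffic still leaves.
BROKEN = Config(rules=[Rule("allow", [VPN_POOL], INTERNAL)],
                proxy_transparent=True, proxy_allowed=[ANY])

# Doug's option 1: allow pool -> internal, final deny, pool kept out of the proxy.
# Internal hosts stay web-filtered because INTERNAL remains an allowed network.
FIREWALL_FIX = Config(rules=[Rule("allow", [VPN_POOL], INTERNAL),
                             Rule("deny", [VPN_POOL], [ANY])],
                      proxy_transparent=True, proxy_allowed=INTERNAL)

# Doug's option 2: pool stays in the proxy, filter action blocks everything except
# an override for internal addresses.  Non-web ports still rely on the packet
# filter having no allow rule for them.
PROXY_FIX = Config(rules=[Rule("allow", [VPN_POOL], INTERNAL)],
                   proxy_transparent=True, proxy_allowed=[ANY],
                   proxy_block_all=True, proxy_override=INTERNAL)


def bob_config(profiles: list, internet_users: set) -> Config:
    """Bob's approach: profiles are additive, so automatic firewall rules give each
    user an allow from their User Network to the 'Local Networks' of every profile
    listing them; users allowed out are also added to the proxy's allowed networks."""
    rules = [Rule("allow", [USER_NET[u]], p["local_networks"])
             for p in profiles for u in p["users"]]
    return Config(rules=rules, proxy_transparent=True,
                  proxy_allowed=INTERNAL + [USER_NET[u] for u in internet_users])


PROFILES = [{"name": "vpn-internal", "local_networks": INTERNAL, "users": ["alice", "bob"]},
            {"name": "vpn-internet", "local_networks": [ANY], "users": ["bob"]}]
BOB = bob_config(PROFILES, internet_users={"bob"})

if __name__ == "__main__":
    for name, cfg in [("broken", BROKEN), ("firewall", FIREWALL_FIX),
                      ("proxy", PROXY_FIX), ("bob", BOB)]:
        print(name, decide(cfg, "10.242.2.10", WEB_HOST, 443),
              decide(cfg, "10.242.2.10", LAN_HOST, 445))
```

Running it shows the broken configuration passing web traffic while dropping everything else for the same client, which is the signature of proxy interception rather than a firewall rule. The check to make on a real UTM is therefore the web filter's allowed networks (and any filter profile whose allowed networks include the pool), not only the firewall rule list; in the model, that one setting is what separates "broken" from "firewall". The bob_config case also shows the trade-off in Bob's reply: the user in the full-tunnel profile is routed and allowed everywhere, so he must be covered by web filtering, while the others simply have no path out.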