
Block SSL VPN user accessing internet

Hello,

Scenario: I have a number of users connecting via ssl vpn. I want to prevent them having internet access on my end. I just want to let them access my internal network.

I have scoured hard for an answer to this, and have found many topics discussing the reverse of this (allowing vpn to access the internet). I have tried to do the opposite of those instructions (deleting rules etc) but vpn members are still able to break out to the internet whilst on my vpn.

Please could you help me block all vpn users from accessing the internet?

  • Seems like you have two options:

    - Firewall rules with VPN pool, specific user object, or group object as source. First rule(s) grant Allow to some or all destination internal addresses and related ports. Final rule grants Deny to all addresses and ports for those sources. Transparent and Standard web proxy must not be enabled. (No filter profile for the VPN pool IP addresses.)

    - Transparent web proxy with a Filter Action that blocks all categories, including uncategorized, with an override inside the filter action to allow all internal IP addresses and DNS names.

    Transparent web proxy does not use VPN user information, so you would need a second authentication step if you need user-specific filtering.   Makes the firewall approach more attractive.  Web proxy is mostly to protect users from hostile websites, so it is not needed for your scenario.
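An added illustration of the first-match rule ordering the firewall option above depends on (this is example code written for this thread, not either poster's configuration and not vendor code). It models a top-down packet filter in Python: specific Allow rules for the VPN pool to internal hosts, then a catch-all Deny for the same pool, and it also shows what happens when the Deny is placed above the Allow. The pool 10.242.2.0/24, the internal subnets, the client address and the port list are all assumed values.

```python
# Added example: a toy first-match packet-filter evaluator showing why
# "allow VPN -> internal, then deny VPN -> anything" works and why reversing
# the order does not. Pool, subnets, ports and addresses are constructed
# assumptions, not the poster's configuration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

VPN_POOL = ip_network("10.242.2.0/24")                     # assumed SSL VPN pool
INTERNAL = (ip_network("192.168.10.0/24"),
            ip_network("192.168.20.0/24"))                 # assumed internal LANs
ANY = (ip_network("0.0.0.0/0"),)                           # matches every IPv4 address


@dataclass(frozen=True)
class Rule:
    name: str
    sources: Tuple[IPv4Network, ...]
    destinations: Tuple[IPv4Network, ...]
    ports: Optional[frozenset]      # None = any destination port
    action: str                     # "allow" or "deny"

    def matches(self, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
        return (any(src in n for n in self.sources)
                and any(dst in n for n in self.destinations)
                and (self.ports is None or port in self.ports))


def evaluate(rules, src: str, dst: str, port: int) -> Tuple[str, str]:
    """Walk the rule list top to bottom; the first match decides.
    Anything unmatched falls through to the implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, port):
            return rule.action, rule.name
    return "deny", "implicit-default"


# The ordering recommended in the reply: specific VPN allows first, the
# catch-all VPN deny directly below them, then the LAN's own rules.
RECOMMENDED = [
    Rule("vpn-to-internal", (VPN_POOL,), INTERNAL, frozenset({443, 445, 3389}), "allow"),
    Rule("vpn-deny-rest", (VPN_POOL,), ANY, None, "deny"),
    Rule("lan-to-internet", INTERNAL, ANY, None, "allow"),
]

# The common mistake: the catch-all deny sits above the allow and shadows it,
# so VPN users lose internal access as well as internet access.
MISORDERED = [RECOMMENDED[1], RECOMMENDED[0], RECOMMENDED[2]]


def vpn_can_reach(rules, dst: str, port: int) -> bool:
    """Convenience check from an assumed VPN client address in the pool."""
    return evaluate(rules, "10.242.2.15", dst, port)[0] == "allow"


if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        print(label)
        print("  vpn -> file server 445 :", evaluate(rules, "10.242.2.15", "192.168.10.20", 445))
        print("  vpn -> internet 443    :", evaluate(rules, "10.242.2.15", "203.0.113.10", 443))
        print("  lan -> internet 443    :", evaluate(rules, "192.168.10.50", "203.0.113.10", 443))
```

With the recommended order, a VPN client reaches the internal file server on 445 and is denied 203.0.113.10 on 443, while an internal host still reaches the internet through its own rule. With the misordered list the first VPN packet hits the catch-all deny before the allow is ever consulted, which is the same shadowing a real first-match firewall does, so the catch-all deny belongs directly below the VPN allow rules.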

  • Thanks for reply.

    Seems as though transparent filtering always causes some compromise with utm.

    Afraid these solutions are no good as I require Web filtering for internal hosts when accessing the Internet.

    Does anyone know if there is another way?

  • The third option is a split tunnel, where the VPN profile only accepts traffic for internal addresses. As Bob indicated, that has other risks to consider, since the user might browse the web with less protection using his home is.

    I do not understand your reply, though.  Internal users and VPN users can be configured independently in the web proxy.    The allowed networks parameter on the filter profile determines the rest of the configuration sequence.  For internal users, I recommend Standard Proxy as primary, and Transparent Proxy as backup for machines that do not receive, or do not honor, the standard proxy settings.