Block SSL VPN user accessing internet

Hello,

Scenario: I have a number of users connecting via SSL VPN. I want to prevent them from having internet access on my end. I just want to let them access my internal network.

I have scoured hard for an answer to this, and have found many topics discussing the reverse of this (allowing VPN to access the internet). I have tried to do the opposite of those instructions (deleting rules etc.) but VPN members are still able to break out to the internet whilst on my VPN.

Please could you help me block all VPN users from accessing the internet?



  • Hi and welcome to the UTM Community!

    I'd do this a little differently, but it's essentially the same answer as Doug's...

    SSL VPN Profiles are additive, so you can do the following with automatic firewall rules.  Make one with only "Internal (Networks)" in 'Local Networks' and have everyone in 'Users and Groups'.  In the second one, put "Internet" in 'Local Networks' and just the few users you want to connect to the Internet via the VPN.

    If you have anyone that should connect to the Internet via the VPN, I would add their "Username (User Network)" object to 'Allowed Networks' in your Web Filtering Profile and in DNS.

    I actually prefer having all remote users be forced through the tunnel to the Internet as it gives me the assurance that they won't simultaneously access internal resources and some possibly-infected site on the internet.  If you have Sophos Endpoint Protection (UTM or Cloud-based), you don't need to force internet access through the tunnel because their local EPP will enforce your policies and keep them safe.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
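The scheme in the reply above, written out as a small policy model so the resulting access can be checked per user and destination. This is an added example, not code from the thread or from Sophos UTM: the profile objects, the user names, the internal ranges and the "Internet" definition (modelled here as any globally routable address that is not one of the internal networks, a simplification of the UTM network object) are all constructed assumptions. It evaluates the two additive SSL VPN profiles (everyone with "Internal (Networks)", a few users with "Internet") and, for Internet-bound traffic, also the DNS and Web Filtering 'Allowed Networks' memberships that the reply says must be granted separately.

```python
# Added example (not from the original thread): a model of the additive
# SSL VPN profile scheme described in the reply above.  Every network,
# user and object name below is constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the UTM "Internal (Networks)" object resolves to these ranges.
INTERNAL_NETWORKS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))


def is_internal(dest) -> bool:
    return any(dest in net for net in INTERNAL_NETWORKS)


def is_internet(dest) -> bool:
    # Assumption: the UTM "Internet" object is modelled as any globally
    # routable address that is not one of our own internal networks.
    return dest.is_global and not is_internal(dest)


@dataclass(frozen=True)
class SslVpnProfile:
    name: str
    users: frozenset          # 'Users and Groups', expanded to usernames
    internal: bool = False    # "Internal (Networks)" in 'Local Networks'
    internet: bool = False    # "Internet" in 'Local Networks'


# Profile 1: everyone, internal networks only.
# Profile 2: only the few users allowed to reach the Internet via the VPN.
PROFILES = (
    SslVpnProfile("vpn-internal-only",
                  frozenset({"alice", "bob", "carol"}), internal=True),
    SslVpnProfile("vpn-with-internet", frozenset({"bob"}), internet=True),
)

# "Username (User Network)" objects placed in 'Allowed Networks' of the
# Web Filtering profile and of DNS.  Constructed to match profile 2.
DNS_ALLOWED = frozenset({"bob"})
WEBFILTER_ALLOWED = frozenset({"bob"})


def firewall_allows(user: str, destination: str, profiles=PROFILES) -> bool:
    """Profiles are additive: the automatic firewall rules of every profile
    the user belongs to are ORed, so a packet passes if any one of the
    user's profiles covers its destination."""
    dest = ip_address(destination)
    for profile in profiles:
        if user not in profile.users:
            continue
        if profile.internal and is_internal(dest):
            return True
        if profile.internet and is_internet(dest):
            return True
    return False


def internet_access(user: str, destination: str, profiles=PROFILES,
                    dns_allowed=DNS_ALLOWED,
                    webfilter_allowed=WEBFILTER_ALLOWED) -> dict:
    """Break an Internet-bound web request into the three places the reply
    names: the firewall (profile membership), DNS 'Allowed Networks' and the
    Web Filtering profile's 'Allowed Networks'.  Each check is returned so
    a failure can be attributed to a single setting."""
    dest = ip_address(destination)
    fw = firewall_allows(user, destination, profiles)
    dns = user in dns_allowed
    wf = user in webfilter_allowed
    return {"firewall": fw, "dns": dns, "web_filter": wf,
            "ok": is_internet(dest) and fw and dns and wf}


if __name__ == "__main__":
    # "mallory" is in no profile at all, so nothing is allowed for her.
    for user in ("alice", "bob", "mallory"):
        for dest in ("10.0.0.5", "8.8.8.8"):
            print(f"{user:8} -> {dest:10} firewall={firewall_allows(user, dest)}")
        print(f"{user:8} internet web access: {internet_access(user, '8.8.8.8')}")
```

The check to take away is that `firewall_allows` is a union over the user's profiles: whether someone can leave to the Internet is decided by which profiles list them, and a user who is only in the internal-only profile is blocked without any manual firewall rule. The `internet_access` breakdown shows the second half of the reply: being in the Internet profile is necessary but, on its own, leaves DNS and web filtering still refusing the user's network.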