
Assigning a Static IP to a Specific User

We are new to NetExtender. It was installed at a location we acquired and we are looking at expanding its use in our company.

We have a couple of individuals that need customized connections. For increased security, access to specific internal processes is locked to a specific IP address assigned to the individual. The current NetExtender setup appears to be using DHCP. We don't want to open the processes to the whole NetExtender range, so we were wondering if it was possible to assign a static IP to a user. When they log into NetExtender, they are automatically given a static IP address specifically reserved for them. Then when they log in, they always have that specific IP address to access the processes.

The site is using a TZ400. Is this possible and if yes, can you point me to a resource I can use as a reference in attempting to modify our device?

Any assistance would be greatly appreciated.

Douglas

Category: SSL VPN
Answers

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @DMoody007

    you can't assign static IP addresses for the SSL-VPN connection on your Firewall, but you can restrict your SSLVPN -> LAN rules to specific users.

    I did this a while ago, can't remember exactly but I guess I left the SSLVPN access for the user empty and created a custom access rule bound to that user.

    Just give it a try, if it's not working I'll take all the blame.

    --Michael@BWC

  • If I understand correctly, the SSLVPN doesn't allow for a static assignment, but you basically created a rule that pigeonholed the specific user to a specific IP address through maybe an address object?

    It's an interesting idea. Never tried to create a rule based on a specific user.

    Do you get the beer on success?

  • BWC Cybersecurity Overlord ✭✭✭
    edited November 2020

    Hi @DMoody007

    time took its toll and I was not 100% correct. You have to put the destinations in the VPN Access tab of the user/group. Just have a look at the screenshot, I recreated the scenario for you on my TZ 400 at home.

    My SSLVPN Clients Network (SSLVPN_N) will not be able to access the LAN (N_CLIENTS), except for the user michael who can do the ping. The trick here is to have the priority of the rules in mind and put a drop all rule above the default rules which allow all access.

    Hope this helps a little.

    --Michael@BWC

  • Vanguard Newbie ✭

    We use NetExtender. On the client side, you can assign a Static IP address in the settings of the client.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @Vanguard

    but any user can assign a static IP and therefore should not be trusted, IMHO. But of course a valid technical possibility.

    --Michael@BWC

  • [Deleted User] Cybersecurity Overlord ✭✭✭

    Hi @DMoody007 ,

    Were we able to assist you in answering your question?

  • DMoody007 Newbie ✭

    Chris,

    Sorry - been out on medical leave and just got back yesterday. I didn't see the alerts for the other responses until your comment prompted a look. I want to try BWC's suggestion this week. We don't have GVC currently (Saravanan's comment) and I don't know what kind of rabbit hole I would go down to see if we want the additional cost/complexity of adding a product option.

    It sounds like in general not suggested but maybe possible, in the queue for possible add in the future, try at your own risk. If you agree, we can close this out and I will uptick BWC for his input.

    Douglas

  • DMoody007 Newbie ✭
    edited January 13

    For all concerned,

    I experimented with both proposed solutions.

    BWC's solution I was not able to get to work. I think there were some steps or parts I may have been missing and could not resolve.

    Saravanan's solution was interesting but I feared we did not have licensing. By chance, we had two that were not being used and I only had two users that needed this. I was able to find documentation that supported the solution and worked my way through the process and it worked.

    From a security standpoint, I think we are good. It is limited to a single MAC address assigned by the adapter on the workstation and requires a user ID and password (we made it complex). There was also the capability to prompt for the phase 1 passcode to ensure the individual attempt required more hoops to jump through and stop would-be hackers.

    So, I want to thank everyone for the input. You helped us solve our issue.

    Douglas

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @DMoody007

    sorry to hear that my approach did not work for you, I'm using it on several deployments, probably some minor thing that was missed here. If you ever feel the need to give it another shot just lemme know.

    Stay safe.

    --Michael@BWC

  • DMoody007 Newbie ✭

    Michael,

    Your choice was the one I was excited about trying. I'm sure there is some little thing buried someplace that is causing it to fail. Getting one option to work got me past the immediate need so I can breathe a little. Will keep your offer in mind when I have a few minutes to try again. I really do appreciate the input and offer. You stay safe as well.

    Douglas
