Assigning a Static IP to a Specific User
We are new to NetExtender. It was installed at a location we acquired and we are looking at expanding its use in our company.
We have a couple of individuals that need customized connections. For increased security, access to specific internal processes is locked to access from a specific IP address assigned to the individual. The current NetExtender setup appears to be using DHCP. We don't want to open the processes to the whole NetExtender range, so we were wondering if it was possible to assign a static IP to a user. When they log into NetExtender, they are automatically given a static IP address specifically reserved for them. Then when they log in, they always have that specific IP address to access the processes.
The site is using a TZ400. Is this possible and if yes, can you point me to a resource I can use as a reference in attempting to modify our device?
Any assistance would be greatly appreciated.
Douglas
Best Answer
Saravanan Moderator
Hi @DMOODY007,
Unfortunately, SSLVPN users cannot be assigned static IP addresses, and there is an existing RFE reported for this. The static IP assignment feature is available for GVC clients.
Hope this helps if you have sufficient GVC licenses.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Answers
Hi @DMoody007
You can't assign static IP addresses for the SSL-VPN connection on your firewall, but you can restrict your SSLVPN -> LAN rules to specific users.
I did this a while ago, can't remember exactly, but I guess I left the SSLVPN access for the user empty and created a custom access rule bound to that user.
Just give it a try; if it's not working I'll take all the blame.
--Michael@BWC
If I understand correctly, the SSLVPN doesn't allow for a static assignment, but you basically created a rule that pigeonholed the specific user to a specific IP address through maybe an address object?
It's an interesting idea. Never tried to create a rule based on a specific user.
Do you get the beer on success?
Hi @DMoody007
Time took its toll and I was not 100% correct. You have to put the destinations in the VPN Access tab of the user/group. Just have a look at the screenshot; I recreated the scenario for you on my TZ 400 at home.
My SSLVPN Clients Network (SSLVPN_N) will not be able to access the LAN (N_CLIENTS), except for the user michael who can do the ping. The trick here is to have the priority of the rules in mind and put a drop all rule above the default rules which allow all access.
Hope this helps a little.
--Michael@BWC
We use NetExtender. On the client side, you can assign a Static IP address in the settings of the client.
Hi @Vanguard
But any user can assign a static IP and therefore should not be trusted, IMHO. But of course a valid technical possibility.
--Michael@BWC
Hi @DMoody007 ,
Were we able to assist you in answering your question?
Chris,
Sorry, I've been out on medical leave and just got back yesterday. I didn't see the alerts for the other responses until your comment prompted a look. I want to try BWC's suggestion this week. We don't have GVC currently (Saravanan's comment) and I don't know what kind of rabbit hole I would go down to see if we want the additional cost/complexity of adding a product option.
It sounds like in general not suggested but maybe possible, in the queue for possible add in the future, try at your own risk. If you agree, we can close this out and I will uptick BWC for his input.
Douglas
For all concerned,
I experimented with both proposed solutions.
BWC's solution I was not able to get to work. I think there were some steps or parts I may have been missing and could not resolve.
Saravanan's solution was interesting but I feared we did not have licensing. By chance, we had two that were not being used and I only had two users that needed this. I was able to find documentation that supported the solution and worked my way through the process and it worked.
From a security standpoint, I think we are good. It is limited to a single MAC address assigned by the adapter on the workstation and requires a user ID and password (we made it complex). There was also the capability to prompt for the phase 1 passcode to ensure the individual attempt required more hoops to jump through and stop would-be hackers.
So, I want to thank everyone for the input. You helped us solve our issue.
Douglas
Hi @DMoody007
Sorry to hear that my approach did not work for you. I'm using it on several deployments; probably some minor thing was missed here. If you ever feel the need to give it another shot, just lemme know.
Stay safe.
--Michael@BWC
Michael,
Your choice was the one I was excited about trying. I'm sure there is some little thing buried someplace that is causing it to fail. Getting one option to work got me past the immediate need so I can breathe a little. Will keep your offer in mind when I have a few minutes to try again. I really do appreciate the input and offer. You stay safe as well.
Douglas
Michael, I have this exact situation as well. I am very interested in your solution.
@edtrumbull did you follow the steps I pointed out above already? Douglas did not have any luck on this in the past, but after reviewing it I couldn't see why it shouldn't work.
It was pretty straight forward, but priority of the Access Rules is key here if you wanna restrict single users/groups to specific resources.
--Michael@BWC
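As an added example (not SonicWall's configuration and not Michael's own), a small Python model of the first-match rule ordering described in Michael's two posts above: the drop-all rule must sit above the default allow, otherwise the default allow fires first and the restriction is silently ineffective. The network names SSLVPN_N and N_CLIENTS and the user michael come from the thread; the CIDRs, rule names and sample addresses are constructed.

```python
# Added example: first-match model of SSLVPN -> LAN access-rule priority.
# Names SSLVPN_N, N_CLIENTS and user "michael" come from the thread; the
# CIDRs, rule names and test addresses below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                    # source network (CIDR)
    dst: str                    # destination network (CIDR)
    users: Optional[frozenset]  # None means the rule applies to any user
    action: str                 # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, user: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.users is None or user in self.users))


def evaluate(rules, src_ip, dst_ip, user):
    """Return (action, rule name) of the first matching rule; implicit deny otherwise."""
    for r in rules:
        if r.matches(src_ip, dst_ip, user):
            return r.action, r.name
    return "deny", "implicit"


# Constructed address objects: SSLVPN client pool and the LAN clients network.
SSLVPN_N = "10.10.10.0/24"
N_CLIENTS = "192.168.1.0/24"

USER_RULE = Rule("michael-to-LAN", SSLVPN_N, N_CLIENTS, frozenset({"michael"}), "allow")
DROP_ALL = Rule("drop SSLVPN->LAN", SSLVPN_N, N_CLIENTS, None, "deny")
DEFAULT = Rule("default SSLVPN->LAN allow", SSLVPN_N, N_CLIENTS, None, "allow")

# Correct priority: user rule, then drop-all, then the default allow.
GOOD_ORDER = [USER_RULE, DROP_ALL, DEFAULT]
# Mistaken priority: the default allow sits above the drop-all, which never fires.
BAD_ORDER = [USER_RULE, DEFAULT, DROP_ALL]


def check_policy(rules) -> bool:
    """True only if michael reaches the LAN from the SSLVPN pool and nobody else does."""
    michael = evaluate(rules, "10.10.10.5", "192.168.1.20", "michael")[0]
    other = evaluate(rules, "10.10.10.6", "192.168.1.20", "someone")[0]
    return michael == "allow" and other == "deny"


if __name__ == "__main__":
    print("correct order enforces restriction:", check_policy(GOOD_ORDER))
    print("bad order enforces restriction:", check_policy(BAD_ORDER))
```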
Sorry about the late response.
The resolution for us was to use GVC for those few users who had to have this function.