VPN Access Question
I am testing a SonicWall NSa 2650 firewall running firmware 6.5.x and would like some clarification regarding restricting VPN access.
The firewall currently has SSLVPN enabled only on the WAN zone. The Default Device Profile for SSLVPN is configured with Tunnel All Mode Enabled and has a single Client Routes entry: Firewalled Subnets.
Users are using the SonicWall NetExtender app on Windows workstations, which are domain computers that will be accessing network resources on a domain, to connect to the VPN and are logging in with local firewall accounts. These users are members of the Everyone, Trusted Users, and SSLVPN Services user groups. The VPN Access list is empty for the Everyone and Trusted Users groups. The VPN Access list for SSLVPN Services contains WAN RemoteAccess Networks and WLAN RemoteAccess Networks.
Two separate users have been created on the firewall with the following VPN Access: User A has LAN Subnets added to their VPN Access list and User B has their VPN Access list left empty.
Both users appear to have the same access to LAN resources once connected to the VPN -- they can ping the different servers on the LAN, access Intranet webpages, access network shares on different file servers (assuming that appropriate domain credentials are provided), etc.
I understand that I can restrict the network access by creating new SSLVPN To LAN firewall Access Rules, but I would like to avoid this if possible.
Am I missing something obvious here? Why does the VPN Access list for the two users noted above appear to have no impact on their actual access to network resources? Shouldn't adding different Address Objects to the VPN Access lists of the users affect which resources they can access when connected to the VPN?
Thank you in advance for any assistance.
TKWITS (Community Legend):
Think it through.
Tunnel All mode is enabled, which means all traffic destined to anywhere is routed through the SSLVPN client. This is essentially a route for 0.0.0.0/0.0.0.0.
SSLVPN Services group is allowed 'WAN RemoteAccess Networks' and 'WLAN RemoteAccess Networks'. Both of these address objects are 0.0.0.0/0.0.0.0 (Any address).
The users are inheriting their access rights from the SSLVPN Services group. So no matter what you allow per user, they will always have access to 0.0.0.0/0.0.0.0 (Any address).
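The inheritance TKWITS describes, as an added model (not SonicWall's code and not part of this thread): a user's effective VPN Access is the union of their own list and every group list they belong to, so an any-address object on the SSLVPN Services group makes the per-user entries irrelevant. The LAN Subnets value and the tightened group list are constructed assumptions used to show what scoping the group down would change.

```python
from ipaddress import ip_address, ip_network

# Address objects named in the thread. The two RemoteAccess objects are
# "Any address" per the answer; the LAN Subnets prefix is a constructed sample.
ADDRESS_OBJECTS = {
    "WAN RemoteAccess Networks": ["0.0.0.0/0"],
    "WLAN RemoteAccess Networks": ["0.0.0.0/0"],
    "LAN Subnets": ["192.168.168.0/24"],  # constructed placeholder value
}

# Group VPN Access lists as described in the question.
GROUP_VPN_ACCESS = {
    "Everyone": [],
    "Trusted Users": [],
    "SSLVPN Services": ["WAN RemoteAccess Networks", "WLAN RemoteAccess Networks"],
}

# Per-user settings from the question: User A lists LAN Subnets, User B lists nothing.
USERS = {
    "User A": {"groups": ["Everyone", "Trusted Users", "SSLVPN Services"],
               "vpn_access": ["LAN Subnets"]},
    "User B": {"groups": ["Everyone", "Trusted Users", "SSLVPN Services"],
               "vpn_access": []},
}

# Assumed least-privilege variant: the any-address objects removed from the group,
# so each user's own VPN Access list is what decides reachability.
TIGHTENED_GROUP_ACCESS = {**GROUP_VPN_ACCESS, "SSLVPN Services": []}


def effective_networks(user, group_access=GROUP_VPN_ACCESS):
    """Model of inheritance: the user's own objects unioned with all group objects."""
    names = set(USERS[user]["vpn_access"])
    for group in USERS[user]["groups"]:
        names.update(group_access.get(group, []))
    return sorted({ip_network(p) for n in names for p in ADDRESS_OBJECTS[n]}, key=str)


def can_reach(user, destination, group_access=GROUP_VPN_ACCESS):
    """True if the destination falls inside any network the user effectively has."""
    addr = ip_address(destination)
    return any(addr in net for net in effective_networks(user, group_access))


if __name__ == "__main__":
    for user in USERS:
        print(user, "current:", can_reach(user, "192.168.168.10"),
              "tightened:", can_reach(user, "192.168.168.10", TIGHTENED_GROUP_ACCESS))
```

With the group list as configured both users reach the sample LAN host; with the group scoped down only User A does, which is the behaviour the question expected from the per-user lists.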
Thank you @TKWITS. I knew that I was overthinking things and that it was going to be something obvious -- it's sometimes the most obvious things that are missed. I really appreciate the info.