VPN Access Question
I am testing a SonicWall NSa 2650 firewall running firmware 6.5.x and would like some clarification regarding restricting VPN access.
The firewall currently has SSLVPN enabled only on the WAN zone. The Default Device Profile for SSLVPN is configured with Tunnel All Mode Enabled and has a single Client Routes entry: Firewalled Subnets.
Users are using the SonicWall NetExtender app on Windows workstations, which are domain computers that will be accessing network resources on a domain, to connect to the VPN and are logging in with local firewall accounts. These users are members of the Everyone, Trusted Users, and SSLVPN Services user groups. The VPN Access list is empty for the Everyone and Trusted Users groups. The VPN Access list for SSLVPN Services contains WAN RemoteAccess Networks and WLAN RemoteAccess Networks.
Two separate users have been created on the firewall with the following VPN Access: User A has LAN Subnets added to their VPN Access list and User B has their VPN Access list left empty.
Both users appear to have the same access to LAN resources once connected to the VPN -- they can ping the different servers on the LAN, access intranet webpages, access network shares on different file servers (assuming that appropriate domain credentials are provided), etc.
I understand that I can restrict the network access by creating new SSLVPN To LAN firewall Access Rules, but I would like to avoid this if possible.
Am I missing something obvious here? Why does the VPN Access list for the two users noted above appear to have no impact on their actual access to network resources? Shouldn't adding different Address Objects to the VPN Access lists of the users affect which resources they can access when connected to the VPN?
Thank you in advance for any assistance.