NetExtender on SMA 500v - group/client routes can be manually extended by users?

tabbit Newbie ✭

Hi everybody,

We got a test with an SMA 500v on our site. In the network routes I opened up the routes to all necessary subnets with all machines which would be necessary for all teams.

Now we wanted to restrict the access to specific servers for specific teams (e.g. support / back office / development). I tried to configure this by using the client and group routes and this works so far.

Anyway, it's possible on the client to manually add a route by using the "route add" command, thus it would be possible to override the setting and allow myself access to systems to which I shouldn't have access using VPN.

Example: My user account should not have access to a server with the IP 10.10.10.10 - the route is properly configured for this in my group. Anyway, I can add access to all machines in the 10.10.10.0 subnet by running this command as an admin on my Windows machine: "route add 10.10.10.0 mask 255.255.255.0 0.0.0.0 IF <netextender interface card>".

Is it possible to prevent this behavior?

Thanks a lot for your help on this...

Category: Secure Mobile Access Appliances

Best Answer

  • CORRECT ANSWER
    preston All-Knowing Sage ✭✭✭✭
    edited August 2021 Answer ✓

    Hi @tabbit, you can set up policies per user domain / group etc. to only allow access to certain IP addresses or ranges, so even if they override the Windows routing table the access is denied.

    Just to be clear, when setting up policies you will not find IP Ranges as an option (not sure why), so you need to deny the whole subnet and allow the IP addresses which you want them to get to.
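
The deny-the-subnet, allow-the-hosts layout from the answer above, as an added example that is not part of the original thread and not SonicWall code: a Python model that builds the rule list for one group and audits every address in the subnet against the intent. The most-specific-match precedence, the function names and the 10.10.10.20/.21 hosts are assumptions for illustration; confirm the precedence against the appliance's documentation.

```python
import ipaddress

# Constructed sample policy set for one group: deny the whole subnet, then
# allow the individual hosts the team needs (.20 and .21 are made-up hosts).
SUPPORT_POLICIES = [
    ("deny", "10.10.10.0/24"),
    ("allow", "10.10.10.20/32"),
    ("allow", "10.10.10.21/32"),
]

def build_policies(subnet, allowed_hosts):
    """Expand 'only these hosts' into one subnet deny plus per-host allows."""
    net = ipaddress.ip_network(subnet)
    rules = [("deny", str(net))]
    for host in allowed_hosts:
        addr = ipaddress.ip_address(host)
        if addr not in net:
            raise ValueError(f"{host} is outside {net}")
        rules.append(("allow", f"{addr}/32"))
    return rules

def decide(policies, dest):
    """Gateway-side decision for one destination; None if no policy matches.

    Assumption: the most specific matching policy wins, and deny wins a tie.
    The client's routing table is deliberately not an input here.
    """
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(n), action) for action, n in policies
               if addr in ipaddress.ip_network(n)]
    if not matches:
        return None
    matches.sort(key=lambda m: (m[0].prefixlen, m[1] == "deny"))
    return matches[-1][1]

def audit(policies, subnet, allowed_hosts):
    """Return every address in the subnet whose decision differs from intent."""
    allowed = {ipaddress.ip_address(h) for h in allowed_hosts}
    wrong = []
    for addr in ipaddress.ip_network(subnet):
        expected = "allow" if addr in allowed else "deny"
        if decide(policies, str(addr)) != expected:
            wrong.append(str(addr))
    return wrong
```

An empty list from `audit()` means the rule set matches the intended access for that subnet; a non-empty list names the addresses to fix before rollout.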
