Answers
@VictorManzanares
Instead of giving the entire LAN Subnet access to the client VPN user, create an address object for the particular Server and provide the VPN client access to that Server.
For example, navigate to Local users & groups --> Select the user --> Edit --> VPN access, and add the created server address object.
To expand Ajishlal's input, keep your SSLVPN Client Settings \ Client Routes the same (include LAN subnet address object), but adjust the VPN Access settings per-user.
How can I restrict access to a service, for example RDP? I don't see the ACL from SSL to LAN, for example. Do I have to define this ACL manually and put it over the generic ACL from SSL to LAN?
Hi VictorManzanares, if you want more control and granularity you would be best trialing an SMA 500v.
Yes. You have to define the policy if you need it custom tailored.
Can SMA hardware check, for example, the status of Windows Update on a remote client?
@Ajishlal How can I achieve this when the user is a member of the SSLVPN services group, which has VPN access to all my networks? If I amend the user's VPN access to a single address object, will that take precedence over the SSLVPN services unrestricted VPN access?
Or will I have to remove all networks from SSLVPN services & separate into groups?
@rmrk Your last statement is what you'll need to do.
Change the SSLVPN Services group to contain object(s) that ALL users MUST have access to e.g. a domain controller / DNS server.
Then you can either adjust 'VPN Access' permissions per user, or use groups with the appropriate 'VPN Access' settings and add users to the groups.