Options
SSLVPN TZ-x70 grant different services to user-groups
okortegast
Newbie ✭
in SSL VPN
Hi,
I struggle to configure our TZ-x70 firewall for SSLVPN. I created adress-objects and local user-groups and can assign the adress-objects to the user-groups - so far it works fine. I've created an service-group and restrict the access to the adress-objects with a policy from SSLVPN to LAN zone. That works fine too but now all users have same services available and I didnt find a way to assign different services to my user-groups. Searched the net for a long time but coulnt find out, how to setup. In the policy there are fields "User included" and "Users excluded" bat it doesnt work. Any advice is very welcome - thanks a lot in advance.
Regards, Ole
Category: SSL VPN
0
Answers
Create two rules, one each for your two sets of services+users, 'User included'.
Do you get hits on either of them?
Hi, thanks for your hint and sorry for the delay. As proposed I created 2 policies with following entries:
Source: SSLVPN / Adress: any / Ports: any
Destination: LAN (access to only some IP's is granted in user properties) / Adress: any / Ports: Group with allowed ports
Users: Included: Group with allowed users / Excluded: None
The Usergroups have access to different IP's setup in Adress-Group in User-Profile / VPN-Access
The Service-Groups are setup in the policy / Destination Port
If I connect with user 1 everything works as expected, If I disconnect and connect with user 2 on the same workstation - SSLVPN connects fine but no traffic. Reconnect user 1 works again. There are hits on the policies (your question). If I move the not working policy (user 2) to the top of policy-list, user 2 works fine but not user 1. So it seems the "Include Users" field has no effect.
Any ideas?
Thansk a lot in advance.
Regards,
Ole
@okortegast , this is expected behavior. When searching Access Rules, the firewall uses the five tuple parameters Source Address, Source Port, Destination Address, Destination Port and Protocol as a composite key to find the matching one. Once this is found, it will check the Users Included/Excluded. This is the reason of the behavior you are observing when moving/flipping the priorities of the Access Rules in question.
If you want to give different access to resource in your network, you need to use the VPN Access associated to the user/group.
Hi Mustafaa,
thanks a lot for your reply. I'm still unsure how I should change my configuration and rules. In the user/group configuration I have geven them access-rights to different adress-groups e.g. user1 -> addrgroup1, user2 -> addrgroup2.
About the policies:
Source: SSLVPN for both policies - same -> match for both
Source Adress: Any - same -> match for both
Destination: LAN - same -> match for both
Destination Adress: Any - same -> match for both
Destination Port: different service-groups -> should be used, if policy will match
User included: different user-groups -> should only match, if user is member of this group?
Where am I wrong?
Thanks, Ole
You need a single Access Rule with the Destination Ports you intend for both User Groups. Leave the Users Included/Excluded with default values and define the desired VPN Access for each group. In a nutshell, if you intention is to limit/control each user group differently with the Access Rule based on the Destination Ports, I am highly confident this is not possible.
Hi Mustafaa,
that sounds not so nice. Indeed the goal is to give different user-groups access to different adress-groups (VPN access in group) AND different service-groups. Do you think this is not possible in Sonicwall TZ configuration? We try to replace some 15 Year old Cisco ASAs where we have this confuration running without any issues. In case we can only have one service-group for all the users (admins, key-users, common users), we have to think about another solution to connect our 100+ remote users :-(
Thansk a lot for your hints.
Regards, Olaf
Hello, In the meantime we have been able to create a configuration that meets our requirements. The key is to bind the policies to different adress-groups - not user-groups - to setup different services to the users.
thanks a lot for your answers.
Regards,
Olaf