VPN only for known devices
Hi there,
I have the following issue:
We have a NSA 6650. We use SSL VPN which works like a charm.
We want to restrict VPN access only for known devices (managed computers from our company).
The problem is that some of our users install the Netextender on their private machines illegally.
Does anybody have an idea how to manage that only "allowed" computers can use the SSL VPN connection?
I guess filtering via MAC address won't work because of routing (TCP/IP Layer 3).
Thanks in advance,
Best,
David
Best Answers
shiprasahu93 Moderator
Hello @SGIT,
Yes, you are right. We cannot check this using the MAC address, and it won't be the same by the time it reaches the firewall. We have an option called End Point Control available on our dedicated Secure Mobile Access devices, with which you can control the devices from which the SSLVPN connection can be made.
'End Point Control Scenarios' on page 333 of the administration guide will be a good read.
Unfortunately, we do not have those controls on the firewall. You can use TOTP for adding a second layer of authentication but if the users have the access to their phone/laptop with which they create the bind, it won't be that helpful.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Saravanan Moderator
Hi @SGIT,
There is already a feature enhancement request filed to "Add per-user SSLVPN Client static IP support". This request is still being worked on.
You could try restricting the SSLVPN users to connect to the SonicWall appliance for VPN access via their public IP addresses. You will have to get the public IP addresses of your VPN users, create address objects, group these objects using an address group, and call this group in the source field of the default WAN-to-WAN SSLVPN rule. The source field has "Any" set by default.
Note: This suggestion may not help if the SSLVPN user has both their official and personal PCs with them.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
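To make the source-IP restriction described in this answer concrete, here is an added example that is not part of the original thread or of any SonicWall software. It models SonicOS-style IPv4 address objects (host, network, range) and an address group, evaluates the source field of the WAN-to-WAN SSLVPN rule the way the firewall would, and renders the equivalent CLI. The object and group names, the IP addresses, and the CLI command syntax are assumptions for illustration; check the syntax against your firmware's CLI guide before pasting anything. The constructed scenario also shows the two caveats raised in this thread: a DSL user whose public IP changes after the forced reconnect is locked out, and a personal PC behind the same NAT as a managed PC is let through.

```python
"""Model of restricting the SSLVPN access rule by source address group.

Added example, not SonicWall code. Names, addresses and CLI syntax are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AddressObject:
    """One IPv4 address object of kind 'host', 'network' or 'range'."""
    name: str
    kind: str   # "host" | "network" | "range"
    value: str  # "203.0.113.10", "203.0.113.0/28" or "203.0.113.10-203.0.113.20"

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.kind == "host":
            return addr == ipaddress.ip_address(self.value)
        if self.kind == "network":
            return addr in ipaddress.ip_network(self.value, strict=False)
        if self.kind == "range":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            return lo <= addr <= hi
        raise ValueError(f"unknown address object kind: {self.kind}")


@dataclass
class AddressGroup:
    """An address group: a source matches if any member object contains it."""
    name: str
    members: List[AddressObject]

    def contains(self, ip: str) -> bool:
        return any(m.contains(ip) for m in self.members)


def sslvpn_rule_allows(src_ip: str, source_group: Optional[AddressGroup]) -> bool:
    """Evaluate the source field of the WAN->WAN SSLVPN rule.

    None models the default 'Any' source (every public IP may start a session);
    otherwise the connecting public IP must be inside the group.
    """
    if source_group is None:
        return True
    return source_group.contains(src_ip)


def render_sonicos_cli(group: AddressGroup) -> str:
    """Render the objects and group as CLI text.

    ASSUMPTION: the 'address-object ipv4 / host|network|range / zone WAN / exit'
    and 'address-group ipv4' forms follow the SonicOS CLI conventions; verify
    against the CLI guide for your firmware before use.
    """
    lines = []
    for obj in group.members:
        lines.append(f'address-object ipv4 "{obj.name}"')
        if obj.kind == "host":
            lines.append(f"    host {obj.value}")
        elif obj.kind == "network":
            net = ipaddress.ip_network(obj.value, strict=False)
            lines.append(f"    network {net.network_address} {net.netmask}")
        else:
            lo, hi = (p.strip() for p in obj.value.split("-"))
            lines.append(f"    range {lo} {hi}")
        lines.append("    zone WAN")
        lines.append("    exit")
    lines.append(f'address-group ipv4 "{group.name}"')
    for obj in group.members:
        lines.append(f'    address-object ipv4 "{obj.name}"')
    lines.append("    exit")
    return "\n".join(lines)


def build_allowed_sources() -> AddressGroup:
    """Constructed allowlist: one branch office network and one home user."""
    return AddressGroup("SSLVPN-Allowed-Sources", [
        AddressObject("VPN-Src-Branch-Office", "network", "203.0.113.0/28"),
        AddressObject("VPN-Src-David-Home", "host", "198.51.100.23"),
    ])


def demo() -> Dict[str, bool]:
    """Constructed scenario exercising the rule and both caveats from the thread."""
    group = build_allowed_sources()
    return {
        "branch_user": sslvpn_rule_allows("203.0.113.7", group),
        "david_day1": sslvpn_rule_allows("198.51.100.23", group),
        # DSL line reconnects after 24h and gets a new public IP: locked out.
        "david_day2_after_reconnect": sslvpn_rule_allows("198.51.100.77", group),
        # Unmanaged PC from an unknown network: blocked, as intended.
        "private_pc_unknown_ip": sslvpn_rule_allows("192.0.2.55", group),
        # Personal PC behind the same home NAT as the managed PC: still allowed.
        "private_pc_behind_davids_nat": sslvpn_rule_allows("198.51.100.23", group),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:32s} -> {'ALLOW' if allowed else 'DENY'}")
    print(render_sonicos_cli(build_allowed_sources()))
```

The rule only sees the public address the session arrives from, so it answers "which networks may start an SSLVPN session", not "which computers". That is exactly why the dynamic-IP and shared-NAT cases in the demo come out the way they do.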
shiprasahu93 Moderator
Hello @SGIT,
Yes, you are right. We also have SMA appliances for virtual platforms. Please contact your Sales representative to walk you through this.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Saravanan Moderator
@SGIT - Please take a look at the SMA appliance features and cross-check whether they can meet all your expectations.
Once you are all set for the purchase, please contact our Sales team for appropriate assistance.
Have a good one 😊
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Answers
Thank you for your answers.
Restricting to WAN IPs is not possible because lots of them use DSL connections at home, where the WAN IP changes every 24 hours (forced reconnect).
So I understand that I need an SMA, which has the features I need, is that right? An SMA in addition to the NSA?
Best,
David