
Best method to allow only select computers access to SSLVPN?

I am setting up SSLVPN access and would like to restrict only select computers to allow VPN access. Would I be able to do this with an address object group of PC MAC addresses or does it need to be done differently than that?

Category: VPN Client

Answers

  • MitatOnge All-Knowing Sage ✭✭✭✭

    Hi @lostbackups

    If you are talking about internal source access over the SSL-VPN service with a firewall device, you should assign the VPN ACCESS list in the user settings.

    You can find the link below.

    On the other hand, if you want to block SSL VPN login access from a specific PC, I think you should try a MAC address object and assign it to a WAN to WAN zone access rule.

    Normally the SMA can block clients via endpoint control (registry keys, AV update status or version, OS version etc...)

    This link includes a step-by-step configuration. In the User VPN ACCESS config part, the assigned "LAN SUBNETS" you must change to the PC IP address.

  • I am talking about restricting access for the SSLVPN users to only the computers I give them. For example, say I give Bob access to SSLVPN access and I give him a computer with NetExtender installed. Now he can get remote access, which is good. However, what if Bob installs NetExtender on his home PC and then remotes in on that? His home PC is not managed by IT. I want to limit SSLVPN access so that users connect only on specific computers.

  • TKWITS Community Legend ✭✭✭✭✭

    AFAIK there is no way to prevent users from installing the NetExtender (or Mobile Connect) client on another PC and deny them the ability to log in through it. It pretty much defeats the purpose of having SSL VPN access.

    You could go through a very obfuscated process of setting up a Dynamic DNS service for the user's work-provided PC and only allow those FQDNs to access the SSLVPN portal. I've never done it, but in theory it would work.

  • preston All-Knowing Sage ✭✭✭✭
    edited January 2022

    @lostbackups, you need an SMA 100 series with Endpoint Control, or by using LDAP and Certificate Authentication, as only the domain-joined devices would have the certificate installed.

    This is not possible on the UTM appliances for SSL VPN, as TKWITS mentioned.

  • It actually doesn't defeat the purpose of SSLVPN at all. The idea is pretty simple. I only want employees accessing the company network on company managed devices, not personal ones. Imagine someone downloaded NetExtender on their home PC with Windows 7 and tons of malware and having that connect on our company network. That is the situation I want to prevent.

  • MitatOnge All-Knowing Sage ✭✭✭✭
    edited January 2022

    Hi @lostbackups

    This is my scenario:

    1) Install python3 on the file server. For example, this server's NetBIOS name is: filesrv

    NetBIOS name is: filesrv

    IP address: 192.168.1.10

    2) Create a folder for NetExtender

    3) Put NetExtender in the created folder

    4) Open the cmd prompt and go to the NetExtender folder via the "cd" command

    5) Type this command: python3 -m http.server 80 (this command creates a mini web server on this file server)

    6) Check the firewall on the file server. It must be accessible via outbound to local web port 80

    7) Publish this web server via WAN and create the subdomain name filesrv (not netextender)

    8) Edit the managed clients' hosts file and add the config below:

    Hosts file path: "c:\Windows\System32\Drivers\etc\hosts"

    netextendersrv.YOURCOMPANYDOMAIN.COM WANIP

    9) SSLVPN / Server Settings / SSL VPN Client Download URL / Use customer's HTTP server as downloading URL: enable and add the link below (for SonicOS 6)

    http://netextendersrv.YOURCOMPANYDOMAIN.COM/netextenderzipfilename.zip

    The scenario is basic: the managed computer has a different name for the file server, and if the user logs in via a managed PC they can access the file server.

    I hope this is useful for this case.
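The scheme in the post above only works if every managed client actually resolves the download host name through its local hosts file. The following is an added example, not the poster's or SonicWall's code: it parses a Windows-style hosts file with first-match-wins semantics and checks that the host in the configured download URL maps to the expected WAN IP (and is not shadowed by an earlier entry). The host name, IP and file contents are constructed placeholders.

```python
"""Verify the managed-client hosts entry from step 8 (added example)."""
from urllib.parse import urlsplit

# Constructed sample of a managed client's hosts file (placeholder values).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
# entry pushed by IT for the NetExtender download server
203.0.113.10    netextendersrv.yourcompanydomain.com   filesrv
"""


def parse_hosts(text):
    """Return {hostname_lower: ip}; first match wins, like the OS resolver."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line (no host names), ignore it
        ip, names = fields[0], fields[1:]
        for name in names:
            # setdefault keeps the earliest mapping if a name repeats
            mapping.setdefault(name.lower(), ip)
    return mapping


def download_url_resolves_to(url, hosts_text, expected_ip):
    """True if the host in the client download URL maps to expected_ip."""
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if host is None:
        return False
    return parse_hosts(hosts_text).get(host) == expected_ip


if __name__ == "__main__":
    url = "http://netextendersrv.yourcompanydomain.com/netextender.zip"
    # Expected WAN IP is a placeholder; on a real client read the hosts
    # file from c:\Windows\System32\Drivers\etc\hosts instead of SAMPLE_HOSTS.
    print(download_url_resolves_to(url, SAMPLE_HOSTS, "203.0.113.10"))
```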

  • TKWITS Community Legend ✭✭✭✭✭

    @lostbackups Don't get me wrong, I understand what you are trying to do and why. As @preston agreed, this is not really doable with a UTM device, but is possible with an SMA.

    The reason I made that comment is in a scenario where the user's laptop is stolen, broken, etc. AND managed replacements are not available, you wouldn't be able to get the user functional.

  • preston All-Knowing Sage ✭✭✭✭

    Hi @lostbackups, I would recommend you get a trial of an SMA 500v appliance. You'll be amazed at the multitude of capabilities and granularity you have with the SMA compared to the SSL VPN on the UTM appliances.

    You can try and bodge it, but personally I would just use a device which is designed to do what you want it to do in the first place. It is much more secure using the Endpoint Control and other features of the SMA, for reasons like TKWITS mentioned in his replies.
