
SSLVPN TZ-x70 grant different services to user-groups

okortegast Newbie ✭

Hi,

I struggle to configure our TZ-x70 firewall for SSLVPN. I created address-objects and local user-groups and can assign the address-objects to the user-groups - so far it works fine. I've created a service-group and restricted the access to the address-objects with a policy from the SSLVPN to the LAN zone. That works fine too, but now all users have the same services available and I didn't find a way to assign different services to my user-groups. Searched the net for a long time but couldn't find out how to set it up. In the policy there are fields "Users included" and "Users excluded", but it doesn't work. Any advice is very welcome - thanks a lot in advance.

Regards, Ole

Category: SSL VPN

Answers

  • Arkwright Community Legend ✭✭✭✭✭

    Create two rules, one each for your two sets of services+users, 'User included'.

    Do you get hits on either of them?

  • okortegast Newbie ✭

    Hi, thanks for your hint and sorry for the delay. As proposed I created 2 policies with the following entries:

    Source: SSLVPN / Address: any / Ports: any

    Destination: LAN (access to only some IPs is granted in user properties) / Address: any / Ports: Group with allowed ports

    Users: Included: Group with allowed users / Excluded: None

    The user-groups have access to different IPs set up in the Address-Group in User-Profile / VPN-Access

    The Service-Groups are set up in the policy / Destination Port

    If I connect with user 1, everything works as expected. If I disconnect and connect with user 2 on the same workstation, SSLVPN connects fine but there is no traffic. Reconnecting user 1 works again. There are hits on the policies (your question). If I move the not-working policy (user 2) to the top of the policy list, user 2 works fine but not user 1. So it seems the "Users included" field has no effect.

    Any ideas?

    Thanks a lot in advance.

    Regards,

    Ole

  • MustafaA SonicWall Employee

    @okortegast, this is expected behavior. When searching Access Rules, the firewall uses the five-tuple parameters Source Address, Source Port, Destination Address, Destination Port and Protocol as a composite key to find the matching one. Once this is found, it will check the Users Included/Excluded. This is the reason for the behavior you are observing when moving/flipping the priorities of the Access Rules in question.

    If you want to give different access to resources in your network, you need to use the VPN Access associated with the user/group.

  • okortegast Newbie ✭

    Hi Mustafaa,

    thanks a lot for your reply. I'm still unsure how I should change my configuration and rules. In the user/group configuration I have given them access rights to different address-groups, e.g. user1 -> addrgroup1, user2 -> addrgroup2.

    About the policies:

    Source: SSLVPN for both policies - same -> match for both

    Source Address: Any - same -> match for both

    Destination: LAN - same -> match for both

    Destination Address: Any - same -> match for both

    Destination Port: different service-groups -> should be used if the policy matches

    Users included: different user-groups -> should only match if the user is a member of this group?

    Where am I wrong?

    Thanks, Ole

  • MustafaA SonicWall Employee

    You need a single Access Rule with the Destination Ports you intend for both User Groups. Leave the Users Included/Excluded with default values and define the desired VPN Access for each group. In a nutshell, if your intention is to limit/control each user group differently with the Access Rule based on the Destination Ports, I am highly confident this is not possible.

  • okortegast Newbie ✭

    Hi Mustafaa,

    that doesn't sound so nice. Indeed the goal is to give different user-groups access to different address-groups (VPN Access in the group) AND different service-groups. Do you think this is not possible in a SonicWall TZ configuration? We are trying to replace some 15-year-old Cisco ASAs where we have this configuration running without any issues. In case we can only have one service-group for all the users (admins, key users, common users), we have to think about another solution to connect our 100+ remote users :-(

    Thanks a lot for your hints.

    Regards, Olaf

  • okortegast Newbie ✭

    Hello, in the meantime we have been able to create a configuration that meets our requirements. The key is to bind the policies to different address-groups - not user-groups - to set up different services for the users.

    thanks a lot for your answers.

    Regards,

    Olaf
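To make the lookup order MustafaA describes and the final address-group workaround concrete, here is an added toy model (not SonicWall code, and not the poster's configuration): the first rule whose five-tuple matches is selected, and Users Included is only checked afterwards, so a user mismatch drops the packet instead of falling through to the next rule. Group names, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Toy model of the Access Rule lookup from the thread: first five-tuple match
# wins, then Users Included is evaluated. No fall-through on a user mismatch.

@dataclass(frozen=True)
class Rule:
    name: str
    dst_addrs: Optional[FrozenSet[str]]       # None = Any
    dst_ports: FrozenSet[int]                 # the rule's service group
    users_included: Optional[FrozenSet[str]]  # None = default (all users)

def match_rule(rules: List[Rule], dst_ip: str, dst_port: int,
               user_groups: FrozenSet[str]) -> Tuple[Optional[str], bool]:
    """Return (name of the first five-tuple match or None, whether it allows the user)."""
    for r in rules:
        if (r.dst_addrs is None or dst_ip in r.dst_addrs) and dst_port in r.dst_ports:
            allowed = r.users_included is None or bool(r.users_included & user_groups)
            return r.name, allowed
    return None, False

# Constructed sample data (hypothetical groups, hosts and service groups).
GROUPS: Dict[str, FrozenSet[str]] = {"user1": frozenset({"admins"}), "user2": frozenset({"staff"})}
VPN_ACCESS: Dict[str, FrozenSet[str]] = {"admins": frozenset({"10.0.0.10"}),
                                         "staff": frozenset({"10.0.0.20"})}
ADMIN_PORTS, STAFF_PORTS = frozenset({22, 443, 3389}), frozenset({443})

# The first attempt in the thread: two rules that differ only in Users Included.
BROKEN = [Rule("admins-services", None, ADMIN_PORTS, frozenset({"admins"})),
          Rule("staff-services", None, STAFF_PORTS, frozenset({"staff"}))]
# The working layout from the last post: rules keyed on each group's address group.
FIXED = [Rule("admins-services", VPN_ACCESS["admins"], ADMIN_PORTS, None),
         Rule("staff-services", VPN_ACCESS["staff"], STAFF_PORTS, None)]

def check(rules: List[Rule], user: str, dst_ip: str, dst_port: int) -> Tuple[Optional[str], bool]:
    """Modelled as: VPN Access limits reachable destinations, then the rule lookup runs."""
    reachable = frozenset().union(*(VPN_ACCESS[g] for g in GROUPS[user]))
    if dst_ip not in reachable:
        return None, False
    return match_rule(rules, dst_ip, dst_port, GROUPS[user])

if __name__ == "__main__":
    print(check(BROKEN, "user1", "10.0.0.10", 443))  # ('admins-services', True)
    print(check(BROKEN, "user2", "10.0.0.20", 443))  # ('admins-services', False): wrong rule, dropped
    print(check(FIXED, "user2", "10.0.0.20", 443))   # ('staff-services', True)
    print(check(FIXED, "user2", "10.0.0.10", 22))    # (None, False): outside user2's VPN Access
```

Reordering BROKEN simply flips which user is dropped, which is exactly the symptom reported above; keying the rules on distinct destination address groups gives each group its own five-tuple and therefore its own service group.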
