
Firewall Rules - Match Known Users

Hi,

How does this actually work?

What is this authenticating against? The Firewall or AD?

These are my scenarios.

1. Site to Site VPN between 'Site A' and 'Site B'. Firewall rule grants access to known user 'User A' to File Servers at 'Site B' but restricted to all other users. User is part of the same Domain that is synced across both sites.

a. 'User A' connects remotely from home via VPN client connected to 'Site A' but accessing File Server over at 'Site B' (comes in remotely at 'Site A' and then over the site to site VPN from 'Site A' to 'Site B').

b. Same user sitting on internal LAN at 'Site A' accessing file servers at 'Site B'.

2. Site to Site VPN between 'Site B' and 'Site C'. Firewall rule grants access to known user 'User B' to File Servers at 'Site B' but restricted to all other users. User is part of an entirely different Domain that is not visible at 'Site B' but is added manually within Sophos Firewall Users.

a. 'User B' connects remotely from home via VPN client connected to 'Site C' but accessing File Server over at 'Site B' (comes in remotely at 'Site C' and then over the site to site VPN from 'Site C' to 'Site B').

b. Same user sitting on internal LAN at 'Site C' accessing file servers at 'Site B'.

Then how does the option "Use web authentication for unknown users" work for both users connecting remotely over the VPN and coming in over the Site to Site VPN on the local LAN?

Thanks



This thread was automatically locked due to age.
FormerMember

    Hi,

    VPN to VPN rule: A firewall rule configured with source and destination zone both as VPN
    VPN to LAN: A firewall rule configured with source zone as VPN and destination zone as LAN
    LAN to VPN: A firewall rule configured with source zone as LAN and destination zone as VPN

    (Use filter option under Rules and policies > Firewall rules to find a rule with a specific source/destination zone.)

    When 'User A' accesses the file server of SiteB from the internal LAN, traffic will be forwarded by the LAN to VPN rule over the IPsec tunnel. You might have applied a user restriction on this LAN to VPN rule; that's the reason other users can't access the SiteB server.

    When 'User A' connects remotely to SiteA and accesses the file server of SiteB, the traffic will be forwarded by the VPN to VPN rule, as the traffic comes from the remote VPN and gets forwarded over the IPsec tunnel. If you'd like to apply user-based restriction for remote users, then turn on Match known users in the VPN to VPN firewall rule.

    The same applies to 'User B', who remotely connects to SiteC and then accesses the file server located at SiteB.
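As an added illustration (not code from the thread or from Sophos), the following Python model shows first-match rule evaluation by zone pair with a per-rule "match known users" restriction, and why a user restriction on the LAN to VPN rule alone leaves the remote-access path (VPN to VPN) open to every authenticated remote user; the rule names, zone labels and user names are constructed.

```python
# Toy model of zone-pair firewall rule evaluation with "Match known users".
# This is an added example, not Sophos firmware logic; names are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                      # "accept" or "drop"
    match_known_users: bool = False  # the "Match known users" toggle
    users: frozenset = field(default_factory=frozenset)  # identities allowed when toggled on

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    user: Optional[str] = None       # None = identity unknown to the firewall

def evaluate(rules, flow):
    """Return (rule name, action) for the first rule matching the flow's zone pair
    and, where enabled, its user identity; fall back to an implicit drop."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (flow.src_zone, flow.dst_zone):
            continue
        if r.match_known_users:
            # An unknown user, or a known user not in the list, skips this rule.
            if flow.user is None or flow.user not in r.users:
                continue
        return r.name, r.action
    return "implicit", "drop"

# Constructed rule base mirroring the thread: LAN->VPN is user-restricted,
# VPN->VPN is not (the gap the reply points out).
RULES_BEFORE = [
    Rule("LAN to VPN (User A only)", "LAN", "VPN", "accept", True, frozenset({"User A"})),
    Rule("VPN to VPN (anyone)", "VPN", "VPN", "accept"),
]
# Same rule base with "Match known users" turned on for the VPN->VPN rule.
RULES_AFTER = [
    RULES_BEFORE[0],
    Rule("VPN to VPN (User A only)", "VPN", "VPN", "accept", True, frozenset({"User A"})),
]

if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for flow in (Flow("LAN", "VPN", "User A"), Flow("LAN", "VPN", "Other"),
                     Flow("VPN", "VPN", "User A"), Flow("VPN", "VPN", "Other"),
                     Flow("VPN", "VPN", None)):
            print(label, flow, "->", evaluate(rules, flow))
```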