
Couple SSL VPN questions

Hi,


I've got an XG3100 on SFOS 19.0.0 GA-Build317

I'm a little confused on two things on SSL VPN users and it would be brilliant to have clarification, as no doubt I'm being a numpty.

Some information I've changed for security, like domain.local isn't the real value.

OVERVIEW

1) Users on SSL VPN can't RDP to LAN - Partially sorted but don't get the rule handling - more below

2) Users on SSL VPN RDP to a computer name fails - Partially sorted by entering the full domain of the computer - more below


DETAILED

1) In Remote Access VPN -> SSL VPN (Tab), created new object, permitted network resources added the local network.
In Rules and Policies I have two rules, top one is number 2 and the bottom is number 7 in the list

Rule #9 (top): VPN, NAME OF SSL VPN POOL -> LAN, NAME OF LAN, Any service, Accept
Rule #8 (bottom): VPN, Any host -> WAN, Any host, Any service, Accept

I can see the top rule has 0B both ways and the 2nd has all of it

SSL VPN can access shares, https and http in the LAN but RDP doesn't.

I then changed the 2nd rule to be:

Rule #8: VPN, Any host -> LAN, WAN, Any host, Any service, Accept

So any traffic from VPN can access anything in LAN and WAN - RDP starts working.

I don't understand why the first rule isn't being used. Is it because the 2nd rule says any host in VPN zone and therefore overrides all despite the ordering?

2) If an SSL VPN user RDPs to a computer name of "bob", it fails, if they do the full domain name "bob.domain.local" then it works.

So in Network -> DNS, primary DNS is the DC of that domain so my thought was any query would first query that DC and resolve "bob.domain.local". I also have DNS Request route domain.local going to that DC.

In Remote Access VPN -> SSL VPN -> SSL VPN global settings, I have the DNS as the same DC but Domain Name is blank.

My betting is if I put in the domain name "domain.local" then it will fix the issue, but ideally I don't want to do that as it would mean rolling out SSL VPN config again. If there is no option then by any chance does anyone know where the SSL config file resides on Windows and what value I would enter into it? It'd be great to test it before making changes to the live system.

Question is though, why? Surely the above should work, but also it's a limitation: if the customer has more than one domain then specifying a domain would make other domains fail. Perhaps it would point to your forest DCs and then work downwards? I don't recall ever needing to do this on UTMs.

Thanks in advance to everyone who reads this, I'm still fairly new to XGS but like it
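A constructed model of the second issue, added here and not code from the post or from Sophos: it assumes the client appends search suffixes (what a pushed Domain Name would supply) to single-label names, and that the firewall's DNS request routes match only the name as it was actually queried, so a bare "bob" never hits the domain.local route. Hostnames, addresses and the separate primary resolver are invented for the example.

```python
from typing import Optional

# Constructed records, not real hosts: what each upstream resolver knows.
UPSTREAMS = {
    "DC1": {"bob.domain.local": "10.10.0.25", "dc1.domain.local": "10.10.0.10"},
    "RESOLVER": {"www.example.com": "192.0.2.10"},
}
# In the post the primary DNS is DC1 itself; a separate primary is assumed here so
# the request route has a visible effect.
PRIMARY_UPSTREAM = "RESOLVER"
REQUEST_ROUTES = {"domain.local": "DC1"}   # DNS request route: domain -> upstream


def candidate_names(query: str, search_domains: list[str], ndots: int = 1) -> list[str]:
    """Client-side search list: a name with fewer than `ndots` dots is tried with
    each search suffix appended first, then as typed."""
    query = query.rstrip(".")
    names = []
    if query.count(".") < ndots:
        names.extend(f"{query}.{d.strip('.')}" for d in search_domains)
    names.append(query)
    return names


def choose_upstream(fqdn: str) -> str:
    """Firewall side: forward to the longest matching request-route domain,
    otherwise to the primary upstream. Nothing is appended to the name here."""
    best: Optional[str] = None
    for domain in REQUEST_ROUTES:
        if fqdn == domain or fqdn.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return REQUEST_ROUTES[best] if best else PRIMARY_UPSTREAM


def resolve(query: str, search_domains: list[str]) -> Optional[tuple[str, str, str]]:
    """Return (name actually queried, upstream used, address), or None on NXDOMAIN."""
    for name in candidate_names(query, search_domains):
        upstream = choose_upstream(name)
        addr = UPSTREAMS[upstream].get(name)
        if addr:
            return name, upstream, addr
    return None


if __name__ == "__main__":
    print(resolve("bob", []))                  # None: single label, no suffix
    print(resolve("bob.domain.local", []))     # routed to DC1 and answered
    print(resolve("bob", ["domain.local"]))    # suffix makes the short name work
```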



  • Thanks LuCar,

    The RDP works OK because the 2nd rule is allowing it, I just can't get my head around why the top rule isn't being used by the firewall for VPN traffic.

    The second issue: the customer had a UTM and that worked great without putting domain.local, since upgrading they do. It's as if the firewall isn't doing DNS routing for VPN traffic, as I've put domain.local go to DC1, which is a DC for that domain.
