Couple SSL VPN questions

Hi,


I've got an XG3100 on SFOS 19.0.0 GA-Build317.

I'm a little confused about two things with SSL VPN users, and it would be brilliant to have clarification, as no doubt I'm being a numpty.

Some information I've changed for security, e.g. domain.local isn't the real value.

OVERVIEW

1) Users on SSL VPN can't RDP to LAN - partially sorted, but I don't get the rule handling - more below

2) RDP from SSL VPN users to a computer name fails - partially sorted by entering the full domain name of the computer - more below


DETAILED

1) In Remote Access VPN -> SSL VPN (tab), I created a new object and under permitted network resources added the local network.
In Rules and Policies I have two rules; the top one is number 2 and the bottom is number 7 in the list:

Rule #9 (top, position 2):
Source: VPN, NAME OF SSL VPN POOL
Destination: LAN, NAME OF LAN
Service: Any service
Action: Accept

Rule #8 (bottom, position 7):
Source: VPN, Any host
Destination: WAN, Any host
Service: Any service
Action: Accept

I can see the top rule has 0B both ways and the 2nd has all of it.

SSL VPN can access shares, HTTPS and HTTP in the LAN, but RDP doesn't work.

I then changed the 2nd rule to be:

Rule #8:
Source: VPN, Any host
Destination: LAN, WAN, Any host
Service: Any service
Action: Accept

So any traffic from VPN can access anything in LAN and WAN - RDP starts working.

I don't understand why the first rule isn't being used. Is it because the 2nd rule says any host in the VPN zone and therefore overrides everything despite the ordering?

2) If an SSL VPN user RDPs to a computer name of "bob", it fails; if they use the full domain name "bob.domain.local" then it works.

So in Network -> DNS, the primary DNS is the DC of that domain, so my thought was any query would first query that DC and resolve "bob.domain.local". I also have a DNS request route for domain.local going to that DC.

In Remote Access VPN -> SSL VPN -> SSL VPN global settings, I have the DNS set to the same DC, but Domain Name is blank.

My bet is that if I put in the domain name "domain.local" it will fix the issue, but ideally I don't want to do that as it would mean rolling out the SSL VPN config again. If there is no other option, does anyone by any chance know where the SSL config file resides on Windows and what value I would enter into it? It would be great to test it before making changes to the live system.

The question though is why? Surely the above should work, but it's also a limitation: if the customer has more than one domain then specifying a domain would make the other domains fail. Perhaps it would point to your forest DCs and then work downwards? I don't recall ever needing to do this on UTMs.

Thanks in advance to everyone who reads this; still fairly new to XGS but I like it.



  • Hi again, so I've played around a bit more and need to get clarification that I'm doing this right.

    I've got 1 SSL VPN pool/object with all the users and permitted network access of just LAN, nothing else.

    They can access anything in that LAN, great.

    I've then created a rule

    Source: VPN, Any host
    Destination: WAN, Any host
    Any service

    They get internet access, great

    My questions

    1) If I create a firewall rule

    Source: VPN, Any host
    Destination: LAN, Any host
    Any service

    No traffic passes through that rule, it states 0B in and out.

    So it's ignoring that rule because I've permitted the LAN for access in the SSL VPN pool/object, I guess.

    However, let's say I just wanted to permit RDP over SSL VPN; I can't this way, as it's permitted network access and there's no way of locking it down.

    Should I remove that permitted LAN access in the SSL VPN pool, so that it'll then use the firewall rule I created instead to handle VPN to LAN with RDP only?

    2) I don't get how DNS works on SSL VPN.

    I have 2 DNS servers on the LAN, 192.168.1.5 and 192.168.1.6 and they are set as the primary and secondary in SSL VPN global settings.

    I connect with Sophos Connect, run ipconfig /all and see the VPN adapter has those DNS servers.

    Now if I ping a local server just by its name it fails. If I do it by the full server domain name, so server1.domain.local, then it works.

    However, I shouldn't need to add the domain; surely by setting the DNS primary and secondary to the domain's DNS servers it should work. This is how it behaved on UTMs anyway.

    Just to add, if I go onto a computer on the LAN and type in "server1" then it does resolve, with the same DNS servers/settings, so it's definitely something to do with how Sophos Firewall v19 handles the query.

    Edited: I've added a DNS host entry on the firewall for server1 pointing to the IP and tried the SSL VPN, and it still doesn't work, so SSL VPN seems to ignore certain elements of DNS. So odd.

  • You need to use Permitted Networks first. Permitted Networks actually means it will create the routes. Without the routes, it will not work.

    About the DNS: check with Wireshark on the client. It is most likely my link above. The client is not calling the name you are seeing. Instead it is doing suffix addition, which will not match your SSL VPN config. You will see this in Wireshark.

    __________________________________________________________________________________________________________________
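To make the suffix-addition point above concrete, here is a small simulation of a client stub resolver, added for this page and not code from the thread or from Sophos. It assumes a simplified model of Windows name qualification (single-label names are only sent with a search suffix appended; names containing a dot are tried as given first) and a constructed zone table using the thread's placeholder names; the helpers `candidate_names` and `resolve` are hypothetical. It also covers the multi-domain case raised in the original post by giving the adapter two search suffixes.

```python
# Simulation of client-side DNS suffix search (illustrative model, not
# Windows's exact algorithm and not Sophos code). The zone table is
# constructed from the thread's placeholder names; domain.local is not real.

from typing import Dict, List, Optional, Tuple

# Constructed records: what the internal DC would answer for qualified names.
ZONE: Dict[str, str] = {
    "bob.domain.local": "10.0.0.20",
    "server1.domain.local": "10.0.0.5",
    "app.other.local": "10.0.1.9",  # second domain, for the multi-domain question
}


def candidate_names(name: str, search_list: List[str]) -> List[str]:
    """Query names the stub resolver actually puts on the wire, in order.

    search_list models the adapter's DNS suffix list, which on the VPN
    adapter comes from the SSL VPN global 'Domain Name' setting. With that
    blank, a bare label such as 'bob' goes out unqualified and the DC, which
    only knows bob.domain.local, answers NXDOMAIN.
    """
    if name.endswith("."):            # absolute name: sent as-is, no suffixes
        return [name.rstrip(".")]
    tried: List[str] = []
    if "." in name:                   # multi-label: try exactly as typed first
        tried.append(name)
    tried.extend(f"{name}.{suffix.strip('.')}" for suffix in search_list)
    if "." not in name and not search_list:
        tried.append(name)            # nothing to append: bare label goes out alone
    return tried


def resolve(name: str, search_list: List[str],
            zone: Dict[str, str] = ZONE) -> Tuple[Optional[str], List[str]]:
    """Return (address or None, list of query names sent) for a lookup."""
    sent: List[str] = []
    for fqdn in candidate_names(name, search_list):
        sent.append(fqdn)
        if fqdn in zone:
            return zone[fqdn], sent
    return None, sent


if __name__ == "__main__":
    # Blank Domain Name (the original post's setup) versus domain.local configured.
    print("blank suffix:      ", resolve("bob", []))
    print("domain.local set:  ", resolve("bob", ["domain.local"]))
    print("two search domains:", resolve("app", ["domain.local", "other.local"]))
```

The query list returned is what a packet capture on the client would show, which is the check the reply above recommends.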

  • Thank you LuCar, that's been really helpful.

    Just to confirm, adding the domain to SSL VPN Global settings fixed it, but I'll fire up my test XGS and look at Wireshark.

    So with the permitted network, I've only added LAN, not WAN, but the internet works, which is puzzling if you need to permit it.

    How do you go about locking down the SSL VPN traffic in that case? If it's a permitted network then it allows all protocols to the LAN from the SSL VPN.

    I presume if I add LAN as permitted, and then a firewall rule that says VPN, Any -> LAN, DataNetwork, RDP, then even if the entire network is permitted the firewall restricts it to just RDP?

  • Permitted does not allow the traffic. You need a firewall rule to allow it.

    Essentially you can put your networks into permitted networks. Then restrict/allow it via Firewall rule. 

    __________________________________________________________________________________________________________________

  • Thank you, but that doesn't explain the behaviour I'm seeing. I've got only LAN in permitted, no firewall rules, and yet SSL VPN can see and access all LAN devices. If I add a rule to the firewall, VPN, ANY -> LAN, DataNetwork, ANY, the rule isn't being used; it's just 0B both in and out. I've even tried VPN, ANY -> LAN, ANY, ANY and still 0B in and out.

    I thought I was going mad, but originally that is how I thought permitted and firewall worked, as you described.

  • I really can't explain the behaviour of this at all, but I've resolved it, with no explanation of how.

    I have 1 permitted network in the SSL VPN object, just the internal data network, 10.0.0.0/24.

    I have 2 firewall rules that allow ANY VPN to Internal data network and WAN; there's only 1 WAN connection.

    SSL VPN users can get full-blown LAN and WAN access.

    In the firewall section, you can see the counter has values for inbound and outbound for VPN ANY TO WAN, so the firewall is seeing it. However, the LAN rule is 0B in and out.

    The firewall rule for ANY VPN to Internal data network was in the Traffic to Internal Zone group; this is where it was 0B in and out.

    I've just moved that rule outside of any groups and suddenly I'm seeing the counters increase, so that firewall rule is now live.

    To me this just doesn't make any sense.

    On our development XGS firewall, v19, we have an identical rule where ANY VPN to Internal data is in the Traffic to Internal zone group, and we see the counter has values, i.e. not 0B.

    I also don't get it: if Permitted networks set up the routes but I've only specified the internal data network, then how can SSL VPN users be routing out to the internet when I've not permitted that network?
