
Is it possible to add MAC address filtering to SSL VPN authentication?

I've been asked to lock down the SSL VPN so only approved devices can connect in.

On the face of it, it appeared pretty straightforward and I tried to do so here under Authentication > Users:

But it doesn't work; I get error ID 17705: "Failed to login to SSLVPN through AD authentication mechanism because of..."

Does this not do what I hope it does? How can I get MAC address filtering to work with the SSL VPN?



  • Because of the fact that the XG Firewall's WAN port and the SSL-VPN client usually are not in the same broadcast domain, your XG Firewall doesn't know the MAC address of your SSL-VPN client, so this requirement doesn't make any sense.

    In UTM there is a workaround for how you can allow SSL-VPN connections from certain public IPs (for example only from certain countries), but on XG I'm not aware of something like that.

    You somehow could reach this with Security Heartbeat. If "approved devices" are all devices which have Cloud Endpoint installed, and they are linked to Security Heartbeat, you can create a firewall rule which says that traffic from SSL VPN to XG is only allowed if Security Heartbeat is green. All other devices trying to connect will be able to create the SSL-VPN tunnel, but won't be able to communicate through this tunnel.
