
Set up SSL VPN tunnel without access to internal servers - Possible?

Hello everyone,


I am using an SG210 with UTM9 and I have a problem regarding the SSL VPN remote access.

We have been using SSL VPN for many years in order to enable some employees to work from their own place. We set up full tunneling (Remote Access Profile --> "Any" for Local Networks). Everything's good in this case.


Apart from that, I would now love to create a new Remote Access Profile for another colleague so he can use our public IP address without being able to access our internal devices such as servers. I have tried a billion things but I could not figure out how to do that. For example, I tried to put "Internet" into the "Local networks" field in the Remote Access Profile settings. I also tried manual firewall rules that block access to the internal network. Nothing has helped so far.

I would be so grateful if one of you guys would help me.

Thank you very much in advance!

Best Regards,

Sebastian



  • The best way would be creating "manual firewall rules that block access to the internal network".

    But this rule must be placed before the automatic "permit any" rule from the VPN connection.

    Go to the VPN connection and uncheck "automatic firewall rules".

    Now you can create a "deny internal" rule and behind it the "permit any" rule.

  • Hello,

    thank you very much for your quick reply!

    I will try that later today.

    So, just to make sure, this is what I'm going to do. Please tell me if something's wrong.

    --> Create Remote Access Profile and put "Internet IPv4" into the "Local networks" field

    --> Uncheck "Automatic firewall rules"

    --> Go to Network Security --> Firewall --> "Show all" --> Create the following two rules:

    a) Source: SSL VPN User Group (User Group Network) / Service: Any / Destination: Internet / Action: Allow

    b) Source: SSL VPN User Group (User Group Network) / Service: Any / Destination: Internal (Network) / Action: Drop

    Is everything correct?

    Thank you very much.

  • The drop rule must be placed before the allow rule.

    If "Internet" is not working within the allow rule, you can use "Any", because you drop internal traffic before it.
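The whole thread comes down to rule ordering under first-match evaluation: a "deny internal" rule does nothing if an allow-everything rule (the automatic one, or a manually created allow placed above it) already matches the same traffic. The following script is an added example, not code from the thread or from Sophos; it models the UTM rule list as an ordered first-match list and compares the three orderings discussed above (drop then allow; allow then drop; automatic firewall rules still enabled). The address plan (VPN pool 10.242.2.0/24, internal 192.168.10.0/24, test hosts) is constructed for the example, and "Internet" is modelled as "Any" as the last reply suggests.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: these prefixes are assumptions for the example,
# not values from the thread or from any real UTM installation.
VPN_POOL = [ip_network("10.242.2.0/24")]     # SSL VPN "User Group Network"
INTERNAL = [ip_network("192.168.10.0/24")]   # the "Internal (Network)" object
ANY = [ip_network("0.0.0.0/0")]              # "Any", used instead of "Internet" per the last reply


@dataclass(frozen=True)
class Rule:
    name: str
    src: list
    dst: list
    action: str  # "allow" or "drop"


def _matches(nets, addr):
    return any(addr in net for net in nets)


def evaluate(rules, src, dst):
    """First-match evaluation: the first rule whose source and destination
    both contain the packet decides; nothing later is consulted.
    Returns (action, rule_name); unmatched traffic hits the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if _matches(rule.src, s) and _matches(rule.dst, d):
            return rule.action, rule.name
    return "drop", "implicit-deny"


def _covers(outer, inner):
    # Every prefix of `inner` lies inside some prefix of `outer`.
    return all(any(n.subnet_of(m) for m in outer) for n in inner)


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule already
    covers their whole source and destination. A shadowed "deny internal"
    rule is exactly the failure the thread describes."""
    out = []
    for i, rule in enumerate(rules):
        if any(_covers(e.src, rule.src) and _covers(e.dst, rule.dst) for e in rules[:i]):
            out.append(rule.name)
    return out


DENY_INTERNAL = Rule("deny-internal", VPN_POOL, INTERNAL, "drop")
ALLOW_ANY = Rule("allow-any", VPN_POOL, ANY, "allow")
# What "Automatic firewall rules" adds for the profile: permit everything, placed first.
AUTO_PERMIT = Rule("automatic-permit-any", VPN_POOL, ANY, "allow")

RECOMMENDED = [DENY_INTERNAL, ALLOW_ANY]                   # drop first, then allow
WRONG_ORDER = [ALLOW_ANY, DENY_INTERNAL]                   # allow first: deny never fires
WITH_AUTO_RULES = [AUTO_PERMIT, DENY_INTERNAL, ALLOW_ANY]  # automatic rule still enabled


if __name__ == "__main__":
    vpn_client, file_server, web_host = "10.242.2.7", "192.168.10.5", "203.0.113.9"
    for label, rules in [("recommended", RECOMMENDED),
                         ("wrong order", WRONG_ORDER),
                         ("automatic rules on", WITH_AUTO_RULES)]:
        print(f"{label}: internal -> {evaluate(rules, vpn_client, file_server)}, "
              f"internet -> {evaluate(rules, vpn_client, web_host)}, "
              f"shadowed = {shadowed(rules)}")
```

Running it shows that only the recommended order drops VPN-to-internal traffic while still allowing the rest; in the other two orderings the deny rule is reported as shadowed, which is the check to make after saving the rule set in the UTM firewall list.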
