Hi there, I'm trying to build a VPN PoC solution for my employer using Sophos UTM (the latest production version, currently v9.006-5). So far, I'm quite excited about Sophos UTM, but before we go and buy it, the PoC must be 100% working. This is what I need to achieve: L2TP/IPsec VPN access (+ some other remote access protocols supported by Sophos UTM, but L2TP/IPsec is an essential requirement) Users stored in Active Directory (AD) Firewall rules based on a custom user list Firewall rules based on a User Group / AD Group Membership This is what I've successfully done so far, i.e. working for me without any problems: L2TP/IPsec VPN with RADIUS authentication: Microsoft NPS Server as a Radius server NPS server is an AD member server only members of AD Group "VPNTestUsers" are allowed to use VPN Different firewall rules applied to different users: UTM configured to prefetch members of AD Group "VPNTestUsers" from AD Prefetched user used in the "Sources" field for the firewall rule A list of prefetched users used in the "Sources" field for the firewall rule So that's the part I'm quite excited about, it's working, everything is OK. Now, here comes the problem, the part which is not working : Firewall does not match the rule if Sources is a User Group (group type: Static members), which contains prefetched users (but it matches the rule if the same users are in Sources as a separate list of users) Firewall does not match the rule if Sources is a User Group (group type: Backend membership, Backend: AD), which contains the same users that are being prefetched by UTM (but it matches the rule if the same users are in Sources as a separate list of users) I might be doing something wrong here. Maybe I've missed something and I'm approaching it from a bad angle, I don't know. I'm kind of stuck now. Could you please point out what I am doing wrong? Is there a better way to get this PoC working based on the requirements mentioned above? Thank you for any help or advice.

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall rules based on User Group membership

Hi there,

I'm trying to build a VPN PoC solution for my employer using Sophos UTM (the latest production version, currently v9.006-5). So far, I'm quite excited about Sophos UTM, but before we go and buy it, the PoC must be 100% working.

This is what I need to achieve:

L2TP/IPsec VPN access (+ some other remote access protocols supported by Sophos UTM, but L2TP/IPsec is an essential requirement)
Users stored in Active Directory (AD)
Firewall rules based on a custom user list
Firewall rules based on a User Group / AD Group Membership

This is what I've successfully done so far, i.e. working for me without any problems:

L2TP/IPsec VPN with RADIUS authentication:
- Microsoft NPS Server as a Radius server
- NPS server is an AD member server
- only members of AD Group "VPNTestUsers" are allowed to use VPN
Different firewall rules applied to different users:
UTM configured to prefetch members of AD Group "VPNTestUsers" from AD
Prefetched user used in the "Sources" field for the firewall rule
A list of prefetched users used in the "Sources" field for the firewall rule

So that's the part I'm quite excited about, it's working, everything is OK.

Now, here comes the problem, the part which is not working:

Firewall does not match the rule if Sources is a User Group (group type: Static members), which contains prefetched users (but it matches the rule if the same users are in Sources as a separate list of users)
Firewall does not match the rule if Sources is a User Group (group type: Backend membership, Backend: AD), which contains the same users that are being prefetched by UTM (but it matches the rule if the same users are in Sources as a separate list of users)

I might be doing something wrong here. Maybe I've missed something and I'm approaching it from a bad angle, I don't know. I'm kind of stuck now.

Could you please point out what I am doing wrong?
Is there a better way to get this PoC working based on the requirements mentioned above?

Thank you for any help or advice.

This thread was automatically locked due to age.

Parents

0 BAlfson over 12 years ago

•Firewall does not match the rule if Sources is a User Group (group type: Static members), which contains prefetched users (but it matches the rule if the same users are in Sources as a separate list of users)

I don't understand that.  What should work is a Network Group containing "(User Network)" objects created by WebAdmin when the user objects were synced to the UTM.

The other thing that might work (haven't tried it) would be the "(User Group Network)" object created by WebAdmin when you defined the RADIUS Backend Group.  If that works, I'd be interested to know if having local user objects is necessary.

Finally, the next version of UTM, V9.1, should be out soon.  The 9.1 SSL VPN will offer different profiles, and the clients are free.  I believe that this will be the solution that you will want eventually.  You should ask Sophos to hook you up with a strong Solution Partner that can help you get off on the right foot.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 12 years ago

•Firewall does not match the rule if Sources is a User Group (group type: Static members), which contains prefetched users (but it matches the rule if the same users are in Sources as a separate list of users)

I don't understand that.  What should work is a Network Group containing "(User Network)" objects created by WebAdmin when the user objects were synced to the UTM.

The other thing that might work (haven't tried it) would be the "(User Group Network)" object created by WebAdmin when you defined the RADIUS Backend Group.  If that works, I'd be interested to know if having local user objects is necessary.

Finally, the next version of UTM, V9.1, should be out soon.  The 9.1 SSL VPN will offer different profiles, and the clients are free.  I believe that this will be the solution that you will want eventually.  You should ask Sophos to hook you up with a strong Solution Partner that can help you get off on the right foot.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 timelord over 12 years ago in reply to BAlfson

Hi Bob,

Thank you for your advice

What should work is a Network Group containing "(User Network)" objects created by WebAdmin when the user objects were synced to the UTM.

Awesome! This actually works [[:)]]

I have to say I'm quite surprised I can add Users to a Network Group container. I was always adding them to a User Group container, and then using that User Group container as Sources in the firewall rule. That was not working.

Your advice to add Users to a Network Group container has solved one of my issues - Firewall rules based on a (Local) User Group Membership - thanks again! [[:)]]

The other thing that might work (haven't tried it) would be the "(User Group Network)" object created by WebAdmin when you defined the RADIUS Backend Group.

Unfortunately, this one doesn't work [:(] I have tried both, Radius Backend Group and AD Backend Group, but none of them works when added to a Network Group container.

That means, I still need to figure out how to apply firewall rules based on a backend (AD) Group Membership
Cancel
Vote Up 0 Vote Down

Cancel