Hi there, I'm trying to build a VPN PoC solution for my employer using Sophos UTM (the latest production version, currently v9.006-5). So far, I'm quite excited about Sophos UTM, but before we go and buy it, the PoC must be 100% working. This is what I need to achieve: L2TP/IPsec VPN access (+ some other remote access protocols supported by Sophos UTM, but L2TP/IPsec is an essential requirement) Users stored in Active Directory (AD) Firewall rules based on a custom user list Firewall rules based on a User Group / AD Group Membership This is what I've successfully done so far, i.e. working for me without any problems: L2TP/IPsec VPN with RADIUS authentication: Microsoft NPS Server as a Radius server NPS server is an AD member server only members of AD Group "VPNTestUsers" are allowed to use VPN Different firewall rules applied to different users: UTM configured to prefetch members of AD Group "VPNTestUsers" from AD Prefetched user used in the "Sources" field for the firewall rule A list of prefetched users used in the "Sources" field for the firewall rule So that's the part I'm quite excited about, it's working, everything is OK. Now, here comes the problem, the part which is not working : Firewall does not match the rule if Sources is a User Group (group type: Static members), which contains prefetched users (but it matches the rule if the same users are in Sources as a separate list of users) Firewall does not match the rule if Sources is a User Group (group type: Backend membership, Backend: AD), which contains the same users that are being prefetched by UTM (but it matches the rule if the same users are in Sources as a separate list of users) I might be doing something wrong here. Maybe I've missed something and I'm approaching it from a bad angle, I don't know. I'm kind of stuck now. Could you please point out what I am doing wrong? Is there a better way to get this PoC working based on the requirements mentioned above? Thank you for any help or advice.

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall rules based on User Group membership

Hi there,

I'm trying to build a VPN PoC solution for my employer using Sophos UTM (the latest production version, currently v9.006-5). So far, I'm quite excited about Sophos UTM, but before we go and buy it, the PoC must be 100% working.

This is what I need to achieve:

L2TP/IPsec VPN access (+ some other remote access protocols supported by Sophos UTM, but L2TP/IPsec is an essential requirement)
Users stored in Active Directory (AD)
Firewall rules based on a custom user list
Firewall rules based on a User Group / AD Group Membership

This is what I've successfully done so far, i.e. working for me without any problems:

L2TP/IPsec VPN with RADIUS authentication:
- Microsoft NPS Server as a Radius server
- NPS server is an AD member server
- only members of AD Group "VPNTestUsers" are allowed to use VPN
Different firewall rules applied to different users:
UTM configured to prefetch members of AD Group "VPNTestUsers" from AD
Prefetched user used in the "Sources" field for the firewall rule
A list of prefetched users used in the "Sources" field for the firewall rule

So that's the part I'm quite excited about, it's working, everything is OK.

Now, here comes the problem, the part which is not working:

Firewall does not match the rule if Sources is a User Group (group type: Static members), which contains prefetched users (but it matches the rule if the same users are in Sources as a separate list of users)
Firewall does not match the rule if Sources is a User Group (group type: Backend membership, Backend: AD), which contains the same users that are being prefetched by UTM (but it matches the rule if the same users are in Sources as a separate list of users)

I might be doing something wrong here. Maybe I've missed something and I'm approaching it from a bad angle, I don't know. I'm kind of stuck now.

Could you please point out what I am doing wrong?
Is there a better way to get this PoC working based on the requirements mentioned above?

Thank you for any help or advice.

This thread was automatically locked due to age.

Parents

0 BAlfson over 12 years ago

Unfortunately, this one doesn't work I have tried both, Radius Backend Group and AD Backend Group, but none of them works when added to a Network Group container

First, don't get confused between the different objects:
Create a local user balfson
WebAdmin then creates a network definition balfson (User Network)

Configure L2TP/IPsec to authenicate by Local users
When balfson logs into the L2TP/IPsec VPN, balfson (Address) is populated with the IP address assigned by the VPN

Create a RADIUS backend group Radius
WebAdmin then creates a network definition Radius (User Group Network)

Configure L2TP/IPsec for RADIUS-authenication
When a RADIUS-authenticated user logs in, the question is whether the Radius (User Group Network) is populated with the IP assigned to the User; if so, then this object can be used in a Firewall rule

Since the SSL VPN allows the use of Active Directory Backend Groups, that may be a better solution for you if you want different groups to have different levels of access.

In V9.1, the advantage of the SSL VPN for your purposes will be increased. When you first configure the SSL VPN, set up a different port, like 2443, and select UDP instead of TCP.

For 100 simultaneous remote users, you'll want at least a 2GB dual core device for L2TP/IPsec and roughly twice that for SSL VPN.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 timelord over 12 years ago in reply to BAlfson

Thanks for the explanation, Bob. Now it makes sense to me.

When a RADIUS-authenticated user logs in, the question is whether the Radius (User Group Network) is populated with the IP assigned to the User; if so, then this object can be used in a Firewall rule

Unfortunately, no. That's the first thing I tried, it didn't work.

I will for sure take a look at SSL VPN. I would like to give the clients as many VPN options as possible, but the built-in L2TP/IPSec client in Windows/OSX/iOS makes L2TP/IPSec kind of a requirement in my manager's eyes.

If I can make all this work, or find a workaround, then we would most likely go with Sophos UTM appliances. For now, I'm testing it on some older IBM blade with Intel Xeon E5430 @ 2.66GHz and 10GB RAM.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 timelord over 12 years ago in reply to BAlfson

Thanks for the explanation, Bob. Now it makes sense to me.

When a RADIUS-authenticated user logs in, the question is whether the Radius (User Group Network) is populated with the IP assigned to the User; if so, then this object can be used in a Firewall rule

Unfortunately, no. That's the first thing I tried, it didn't work.

I will for sure take a look at SSL VPN. I would like to give the clients as many VPN options as possible, but the built-in L2TP/IPSec client in Windows/OSX/iOS makes L2TP/IPSec kind of a requirement in my manager's eyes.

If I can make all this work, or find a workaround, then we would most likely go with Sophos UTM appliances. For now, I'm testing it on some older IBM blade with Intel Xeon E5430 @ 2.66GHz and 10GB RAM.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data