SSL VPN DNS Settings for external employees

Hello,

We're using the SSL VPN Client for our employees, and in RemoteAccess -> Advanced Settings we have set our internal DNS / Active Directory servers (10.200.100.31 and .32).

The respective route and firewall rule are created accordingly:
PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.242.2.1,route-gateway 10.242.2.1,topology subnet,ping 10,ping-restart 120,route 10.200.100.0 255.255.255.0,dhcp-option DNS 10.200.100.31,dhcp-option DNS 10.200.100.32,dhcp-option DOMAIN myspecialcompany.local,ifconfig 10.242.2.14 255.255.255.0'
Firewall for DNS: employees (user group network) -> DNS -> 10.200.100.31 and 32

Now we have some external employees who should also use the SSL VPN client, but not our internal network (10.200.100.0/24), only some terminal servers in another network.
We created a new VLAN/Network like 10.0.10.0/24

Firewall: external employees (user group network) -> mstsc -> terminalservers
We pushed only the route to the new network to these users:

PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.242.2.1,route-gateway 10.242.2.1,topology subnet,ping 10,ping-restart 120,route 10.0.10.0 255.255.255.0,dhcp-option DNS 10.200.100.31,dhcp-option DNS 10.200.100.32,dhcp-option DOMAIN myspecialcompany.local,ifconfig 10.242.2.14 255.255.255.0'

The connection to the terminal servers is working fine, but the DNS lookup is not.
All external employees get the internal DNS servers pushed.

I tried to edit the config file with
pull-filter ignore "dhcp-option DNS"
but with this, the client does not connect.

What's the best way to solve our problem?
Push the IP of the UTM (and if yes, which one) to all users and add a request routing for our domain "myspecialcompany.local"?

Regards

Tobias
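The two PUSH_REPLY lines above show the problem directly: profile B pushes the internal DNS servers but only a route to 10.0.10.0/24, so the client has no path to them. The following script (an added example, not part of the thread or of Sophos UTM) parses a PUSH_REPLY message and lists every pushed DNS server that lies outside the pushed routes and the tunnel subnet; the sample messages are the two from this post plus a constructed variant that pushes the gateway address 10.242.2.1 as DNS.

```python
import ipaddress

# Constructed samples: the two PUSH_REPLY messages quoted in the post,
# and a variant where the tunnel gateway itself is pushed as DNS server.
PUSH_INTERNAL = ("PUSH_REPLY,route-gateway 10.242.2.1,route-gateway 10.242.2.1,"
                 "topology subnet,ping 10,ping-restart 120,"
                 "route 10.200.100.0 255.255.255.0,dhcp-option DNS 10.200.100.31,"
                 "dhcp-option DNS 10.200.100.32,dhcp-option DOMAIN myspecialcompany.local,"
                 "ifconfig 10.242.2.14 255.255.255.0")
PUSH_EXTERNAL = PUSH_INTERNAL.replace("route 10.200.100.0", "route 10.0.10.0")
PUSH_GATEWAY_DNS = (PUSH_EXTERNAL
                    .replace("dhcp-option DNS 10.200.100.31,", "dhcp-option DNS 10.242.2.1,")
                    .replace("dhcp-option DNS 10.200.100.32,", ""))


def parse_push_reply(msg):
    """Split an OpenVPN PUSH_REPLY control message into routes, DNS servers, domains."""
    opts = {"routes": [], "dns": [], "domains": [], "tunnel": None}
    for item in msg.split(","):
        parts = item.split()
        if not parts or parts[0] == "PUSH_REPLY":
            continue
        if parts[0] == "route" and len(parts) >= 3:
            # "route <network> <netmask>" -> pushed route
            opts["routes"].append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[0] == "ifconfig" and len(parts) == 3:
            # "ifconfig <client ip> <netmask>" -> the VPN tunnel subnet itself
            opts["tunnel"] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "dhcp-option" and len(parts) == 3:
            if parts[1] == "DNS":
                opts["dns"].append(ipaddress.ip_address(parts[2]))
            elif parts[1] == "DOMAIN":
                opts["domains"].append(parts[2])
    return opts


def unreachable_dns(msg):
    """Return pushed DNS servers (as strings) that no pushed route or the tunnel subnet covers."""
    opts = parse_push_reply(msg)
    reachable = list(opts["routes"])
    if opts["tunnel"] is not None:
        reachable.append(opts["tunnel"])
    return [str(d) for d in opts["dns"] if not any(d in net for net in reachable)]


if __name__ == "__main__":
    for name, msg in [("internal", PUSH_INTERNAL), ("external", PUSH_EXTERNAL),
                      ("gateway-dns", PUSH_GATEWAY_DNS)]:
        print(f"{name}: unreachable DNS servers = {unreachable_dns(msg)}")
```

The script only checks routing coverage; a DNS server inside a pushed route can still be blocked by a missing firewall rule, as the "Firewall for DNS" rule in the post illustrates.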




    Hi,

    Thank you for reaching out to the Community! 

    If I understand correctly, you're trying to limit external users' access to the internal network, i.e. allow only certain internal networks to a few users? Is that correct?

    If that is the case, you could try to create a new SSL VPN profile for those users and only specify the internal network they should have access to. 

    Thanks,

  • Hi H_Patel,

    Yes, correct, I want to limit the access for a specific user group to only a few services.

    I've already created an extra SSL VPN profile:

    Like:
    Profile A (Own employees)
    Users and Groups: employees (user group network)
    Local Networks: 10.200.100.0/24
    [ ] Automatic Firewall rule <-- off
    (I set the firewall rule manually)

    Profile B (external employees)
    Users and Groups: external employees (user group network)
    Local Networks: 10.0.10.0/24
    [ ] Automatic Firewall rule <-- off
    (I set the firewall rule manually)

    Both scenarios work, except for the DNS resolution for external employees.

    DNS settings are global for all SSL profiles, so that's a bit inconvenient. What you could do is push 10.242.2.1 as DNS server (which is the UTM itself at the gateway interface for the VPN clients). Your external workers will however get all DNS records your internal workers get; that might not be an issue, but maybe you don't want that.

    What also might work is to create a DNAT rule with traffic from: External (User group network) using Service DNS going to (your internal DNS servers), translate destination to 8.8.8.8, and tick automatic firewall rule for the DNAT.

    That way all DNS requests that go towards your internal DNS servers are being rerouted to Google's DNS server.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and enjoying helping others with their IT security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Hello Tobias,

    If this issue is not resolved, please show pictures of the Edits of the SSL VPN Profiles and of the relevant firewall rules.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA