SSL VPN Client - locate and block

Hello all.

Hopefully there is a simple answer to this question.  We are on v9.351-3 and using SSL VPN for remote access into our file servers.  Our "remote access" users have work-issued laptops.  All users are non-local admins, so the IT shop is responsible for installation of the SSL VPN clients.  Somewhere along the way, a user's VPN installer was used to install on their personal home machine (we have no control over the non-domain machine and we became aware of this when Sophos started reporting a virus via "Advanced Threat Protection").

Is it possible, and what would be the process (which logs), to locate this machine in UTM and then block it from being able to VPN in?  I tried finding MAC address with the mentioned IP from "ATP", but unsure if I am looking in the correct logs (thought maybe the firewall logs).  Also created a MAC address definition for this MAC address and then created a new firewall rule to deny/reject for the specific user using MAC filter.  Was not successful.

Unfortunately, it is not an option to remove the user from the "VPN user group", since this person still needs access from their domain laptop.

Tony



  • Thank you Scott_Klassen for your quick response. I was afraid that there might not be an elegant "IT" solution to this. I totally agree with your point, and my boss is handling that end of things. Another question though. I notice that a user's "X509 User Cert" has a "Fingerprint" that matches the local machine certificate's "Thumbprint" (c:\program files (x86)\sophos\sophos ssl vpn client\config\username@companyemailaddress\utmhostname.user.crt). I do not like to presume anything, but I am guessing that if I delete the UTM's "X509 User Cert" for that individual, and then recreate, a new different "Fingerprint/Thumbprint" will exist, and this would hopefully break all current VPN client connections for this user. Then I would only need to reinstall on the domain laptop and make sure there is no lingering installer to be "hijacked". Does this sound like a successful plan, or am I again losing IQ points? :)
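The fingerprint/thumbprint relationship described in the post can be checked directly: a certificate fingerprint is a hash of the certificate's DER bytes, and the value Windows calls the thumbprint is the SHA-1 of those bytes. The script below is an added example (not from this thread, not Sophos code) that reads a client's `.user.crt` PEM file, computes its SHA-1 and SHA-256 fingerprints, and compares them with the fingerprint the UTM lists for that user, so an admin can confirm which cert a given install carries before and after the user cert is recreated. The sample PEM it embeds is a constructed blob, not a real certificate.

```python
"""Compare a Sophos SSL VPN client's .user.crt with the fingerprint shown in UTM.

Added example, not Sophos code. After the UTM user cert is deleted and
recreated, the old install's cert no longer matches the new fingerprint.
"""
import base64
import hashlib
import re
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprints(der: bytes) -> dict:
    """Fingerprints are hashes of the DER encoding; the Windows thumbprint is SHA-1."""
    return {"sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}


def normalize(fp: str) -> str:
    """UTM and Windows display 'AB:CD:..' or 'ab cd ..'; compare hex digits only."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def cert_matches_utm(pem_text: str, utm_fingerprint: str) -> bool:
    """True if the UTM-listed fingerprint (SHA-1 or SHA-256) matches this cert."""
    fps = fingerprints(pem_to_der(pem_text))
    return normalize(utm_fingerprint) in (fps["sha1"], fps["sha256"])


def check_file(path: str, utm_fingerprint: str) -> bool:
    """Check an on-disk cert, e.g. the <utmhostname>.user.crt under the client's config dir."""
    return cert_matches_utm(Path(path).read_text(), utm_fingerprint)


# Constructed sample: arbitrary bytes wrapped as PEM to exercise parsing and hashing offline.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    fp = fingerprints(pem_to_der(SAMPLE_PEM))["sha1"]
    print("SHA-1 fingerprint:", ":".join(fp[i:i + 2] for i in range(0, 40, 2)).upper())
    print("matches UTM listing:", cert_matches_utm(SAMPLE_PEM, fp.upper()))
```

On a live client, point `check_file` at the `.user.crt` path and pass the fingerprint from the user's X509 cert entry in WebAdmin; a mismatch after reissuing the cert confirms that install can no longer authenticate.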