
SSL VPN - Set Access Time(s) for Group(s)?

I've looked almost everywhere I can think of in the console.  Is it possible to create time based restrictions for SSL VPN users/groups?

What would be really nice is everyone with a particular configuration/profile - say allow access between 7am and 7pm.

Create another profile that allows another group round the clock access.

Have I completely lost my mind?

Thanks,
Andy


This thread was automatically locked due to age.
  • IDK if you can restrict access to the VPN itself, but depending on the type of VPN connection, you should be able to put time limits on the Firewall rules that you create to allow access from the VPN network to anything else, so your VPN clients would be able to connect but not get anywhere outside the allowed hours.
  • +1 to jetkins' "solution".
    Make sure though not to tick "automatic firewall rules" but create them yourself.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Thanks for the suggestion!  Makes some sense - dumb question time.... What should the firewall rule be?  Can I make multiple firewall rules for the same service? (OpenVPN / 1194)

    As I try to noodle this out, I assume I need to create a different port for a work hours VPN and I can keep the default for "all day" access?
  • The trick here is to put the "username (User Network)" objects for the time-limited folks into a Network Group named "VPN Limited Users" and then create two firewall rules:

    VPN Limited Users -> Any -> Internal (Network) : Block during non-allowed period
    VPN Pool (SSL) -> Any -> Internal (Network) : Allow


    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm working on this during our snow days down here in Georgia :)

    The final Allow SSL for unrestricted access trumps the restricted access rule because it is last in the line, correct?  I did have the port/service definition correct, didn't I?  I also need to edit ALL other SSL VPN rules I had in place to remove the "Automatic Firewall Rules", correct?

    So when I create the rule it would go something like:
    Source: Any
    Service: 1194
    Destination: Internal Network
    Action: (Reject for Limited Users) (Allow for Unlimited users)
    Advanced - Time Period: (Rejected Hours definition)

    Where does the Network Group come into play?

    Thanks for the help as always Bob!
  • You should use Service: any (not 1194).
    What you're trying to do is restrict access to your LAN from the VPN clients. I don't think you can restrict the time the VPN-connection can be (or cannot be) made, but you can restrict the traffic flowing through the firewall.

    So basically your users can connect to the VPN but cannot do anything with it in the non-allowed hours.


  • Wouldn't that restrict ALL access that is granted by user ID?  Wouldn't it even block external access to the User Portal, or pass through to other sites from the HTML VPN?  (Consequently wouldn't it block all VPN activity?  SSL, IPSEC, PPTP)
  • No, the User network entries are only valid for VPN-connected users. And if in doubt you could always have these rules last in your chain so any other rule will be higher in the list.

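
The two-rule layout suggested in the thread, modeled as an added example (not code from any poster or from Sophos): a time-limited block rule placed above a general allow rule, with the 7am to 7pm window from the original question. It assumes top-down, first-match rule evaluation with a default drop; the addresses and names are constructed for illustration.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not taken from the thread).
VPN_POOL = ip_network("10.242.2.0/24")           # stands in for "VPN Pool (SSL)"
LIMITED = {ip_address("10.242.2.10")}            # members of "VPN Limited Users"
INTERNAL = ip_network("192.168.1.0/24")          # stands in for "Internal (Network)"
BLOCK_FROM, BLOCK_TO = time(19, 0), time(7, 0)   # non-allowed period, wraps midnight

def in_period(now, start, end):
    """True if now is inside [start, end); handles periods that wrap midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

# Each rule: (name, source matcher, time matcher, action). Service is Any.
RULES = [
    ("block-limited", lambda src: src in LIMITED,
     lambda now: in_period(now, BLOCK_FROM, BLOCK_TO), "block"),
    ("allow-pool", lambda src: src in VPN_POOL, lambda now: True, "allow"),
]

def evaluate(rules, src, dst, now):
    """First matching rule wins; traffic that matches nothing is dropped."""
    src, dst = ip_address(src), ip_address(dst)
    if dst not in INTERNAL:
        return "drop"
    for _name, src_ok, time_ok, action in rules:
        if src_ok(src) and time_ok(now):
            return action
    return "drop"

def demo():
    """Limited user at 10:00, 22:00 and 03:00, then an unlimited user at 22:00."""
    cases = [("10.242.2.10", time(10, 0)), ("10.242.2.10", time(22, 0)),
             ("10.242.2.10", time(3, 0)), ("10.242.2.20", time(22, 0))]
    return [evaluate(RULES, src, "192.168.1.5", now) for src, now in cases]

if __name__ == "__main__":
    print(demo())
    # With the order reversed, the allow rule matches first and the
    # time restriction never takes effect.
    print(evaluate(RULES[::-1], "10.242.2.10", "192.168.1.5", time(22, 0)))
```

In this model the tunnel itself stays up at all hours; only traffic from the limited group toward the internal network is refused during the blocked period.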