Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 1 subscriber
  • Views 24975 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Restricting VPN access per device

itinfserv
Is it possible to restrict VPN access based on the device that is connecting to it? For example could we allow a device with a specific certificate full access to our network via the VPN while allowing a device without the certificate access only on port 3389?

We are running an SG210 with the firmware version 9.315-2


This thread was automatically locked due to age.
  • 0
    Yes and no.  You can choose to not have 'Automatic firewall rules' and you can differentiate between connections based on certificates for Site-to-Site and on users' certificates for Remote Access.  If that's not enough of an answer, please be more specific.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Yes and no.  You can choose to not have 'Automatic firewall rules' and you can differentiate between connections based on certificates for Site-to-Site and on users' certificates for Remote Access.  If that's not enough of an answer, please be more specific.

    Cheers - Bob


    Thanks, can this be done over SSL VPN?
  • 0
    Thanks, can this be done over SSL VPN
    Remote Access or Site2Site?  Please be specific.  [:)]
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • 0
    Agreed with Scott.  Please be specific about what you're trying to accomplish.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Sorry for the confusion, using the "Remote Access" SSL VPN.

    The goal is to allow users to use remote access SSL VPN to access the network. If they are using a personal computer they can only access RDP.

    If they are using a managed domain joined computer they can get standard access to the network.
  • 0
    You could limit based on the user, by using manual firewall rules instead of automatic, but not based on the client computer used.  For this, your best bet would be to control access to the VPN software and client profile packages, by not giving the users access to these.  This way they can't run a VPN from their personal computers and you do the installs on company owned computers.  Put this in writing as a company policy as well, to CYA.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • 0 in reply to Scott_Klassen
    Thanks Scott, in BAlfson's first post he mentions using user certificates for remote access. Is this not an option?

    With regards to your post, we do need users to be able to use the remote access from their personal devices, but want to limit what they can access.
  • 0
    You can regulate access per user, but not per machine.  I think there's a feature suggestion for this that you might vote for and comment on.

    Scott's approach is the only way at present with the UTM.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML