mobile vpn ssl - create firewall rule(s) for each user

hello and thanks,

i am super newbie so if i posted in the wrong location, please let me know.
and i know this must be a basic question but i had a hard enough time getting the
router working at all but a great router it is.

due to covid, we have employees at home, using mobile vpn ssl to remote into their office computer.

as of now, their home computer can access the entire office subnet, all ip addresses.
i need lock each user to one or more ip address in the office.

please help, thanks,
David

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @davidneltzon

    You can do this, however, I would suggest making each user into their own group, and using that to do this. Using accounts is possible, but users tend to type in their user names differently. The firebox treats James, james, and JAMES as different users, whereas the group will always return the same way.

    Check the article here:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/configure_fb_for_mvpn_ssl_c.html
    and scroll down to the section:
    Use Other Groups or Users in a Mobile VPN with SSL Policy

    What you'll need to do is disable the default SSLVPN policy, and create a policy for each user (or group.)
    The policy will be from the user/group, and to the specific resources they need to get to. Also make sure they're allowed to get to any other resources they may need (like DNS/WINS) in that policy.

    -James Carson
    WatchGuard Customer Support

  • thanks much, about the user/group, i am confused.
    at https://192.168.1.254:8080/vpn/ssl, under authentication, i can add user/groups, but if i add a group, there is no edit button, no way to add a user to that group.
    but my vpn users are no listed there, instead i created them at
    https://192.168.1.254:8080/authentication/usersgroups.

    as a test, i want to a new user, add the user to a new group and then add a policy to that group, without affecting all the users who are logged into the vpn now. can you help with that, is there a way for you to remote in, i have a gold level tech support plan.
    thanks,
    david

  • For Firebox users -
    . in the Web UI: Authentication -> Servers -> Firebox-DB - then select a user, and then select desired Groups for this user.
    . In WSM Policy Manager - Authentication -> -> Firebox-DB then the same

  • edited January 5

    i did the following, what now? thanks
    1. create a new group for that one user.
    2. create a new user
    3. assign that user to that group

  • If each SSLVPN user need different access than every other SSLVPN user, then you need a separate group for each user.
    If you have users that need the same access, then multiple users can be members of the same group.

      • only if this is a new SSLVPN user account that you are creating, otherwise you select an account for an existing SSLVPN user ID.
        Also make sure that SSLVPN-Users group is selected for that user.

    Then create a desired policy for each group with the accesses desired.

  • edited January 5

    for that new user, i created a new group and assigned that new user to that new group.
    so i still need to add that new user to the SSLVPN-Users group?
    i need that user/group to have it own policy.
    thanks

  • When you edit the Firebox-DB -> user. you can select all groups desired for that user.

  • edited January 5

    deleted post.

  • edited January 5

    i made a policy, but it does not seem to be active.
    from 'grpuser01 Firebox DB' to '192.168.1.9/32'
    policy type 'port tcp:3389`

    i am in using vpn as that user 'user01'

    do i need to move the new policy from the bottom of the list to above 'Allow SSLVPN-User' policy?

  • i tried to move that new policy above the SSLVPN-User but still seems that the policy did not take effect?

  • 1) there are predefined Packet Filters, including one for RDP. Whenever possible, I use the predefined ones.

    2) did you disable the SSLVPN-Users policy ? If not, please do so - so that it is not active and will not apply to any packets.

    3) you can turn on Logging on a policy to see what packets are allowed by that policy in Traffic Monitor. Use Traffic Monitor to help understand what is happening.

    4) policies are processed from the top to the bottom. The 1st one which matches the packet being inspected is used

  • edited January 5

    i did not disable the SSLVPN-Users policy as all the other users are using that to vpn in and i do not want that to change at all for now.

    as a test, i only want to create a new user and have that new user locked to one internal machine.
    once that is working, i will replicate for each existing user.
    thanks,

Sign In to comment.