"Client Isolation" Mobile VPN with SSL

Is there a way to do some kind of client isolation with the Mobile VPN SSL?
In our case, VPN devices are not allowed to communicate with each other.

Or is there a opportunity to add a second ip adress pool?

Tanks for help!

Comments

  • edited March 2023

    You would simply add an Any-Deny rule that denies traffic from SSLVPN-Users that goes to SSLVPN Subnet (By default the SSLVPN Subnet is 192.168.113.0/24)

    Make sure that rule is on top of the Default SSLVPN traffic rule and you should be golden. (If in auto-order mode it should automagically add it above the Default SSLVPN traffic rule since it is more specific and it is a deny).

  • Great, works. That was easy, thank you.

    But I have also another question.
    I have added the SSL users (Firebox DB) to an SSL group. When I create the rules based on the group, they do not take effect. When I add the VPN users individually to the rules, they work. I can't explain it to myself. Do you have any idea?

  • edited March 2023

    @Bastixko said:
    Great, works. That was easy, thank you.

    But I have also another question.
    I have added the SSL users (Firebox DB) to an SSL group. When I create the rules based on the group, they do not take effect. When I add the VPN users individually to the rules, they work. I can't explain it to myself. Do you have any idea?

    Are your users assigned to the group?

    You would need to check this by going to:

    Setup > Authentication > Authentication Servers

    After this you would need to double-click on the user (Or click user once and click _edit__), and make sure that SSLVPN-Users is in the Member: column:

    If that doesn't work I would see what happens if you do SSLVPN-Users (Any).

    If push comes to shove you can also just add SSLVPN Network as the source and it will do the same thing you want (Possibly even better since it won't matter what your users authenticate as)

  • edited March 2023

    Redacted Message

  • edited March 2023

    Is this only possible via the System Manager?
    Edit:
    Yes, the user is member of the group "SSLVPN-Users" and my created group.

  • The user must always be a member of "SSLVPN-Users" or the group name that you specify on the SSLVPN setup, and can be members of other groups, such as SSLVPN-Users-A, which are used in policies.
    If policies which use a group such as SSLVPN-Users-A should work as long as the user is also a member of "SSLVPN-Users"

    Manually Configure the Firebox for Mobile VPN with SSL
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/configure_fb_for_mvpn_ssl_c.html

Sign In to comment.