SSL VPN SAML Rules

Hi everyone.

I'd like to ask your opinion on the scenario below. What would you do?

I use a mobile VPN with SAML. In the Entra ID app configuration, I use the "everyone" group, and my users can connect to the VPN. Currently, all users can access all internal networks on all ports, but I'd like to limit all users to accessing the internet on ports 443 and 80.

A small group of users should remain able to access some internal resources on ports 3389 and 22.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Amiranda01

    The default SSLVPN policy will allow any outbound traffic.

    You can disable the built-in Allow SSLVPN-Users policy and add the group you wish to use to policies.

    See:

    (About Mobile VPN with SSL Policies)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_policies.html

    Modifying the policies to only allow traffic out 80/443 and any other ports you need can be done via policy. I would suggest making a different group for the handful of users that need access to the other ports and making a policy for that too.

    -James Carson
    WatchGuard Customer Support
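    A first-match model of the policy layout James describes (built-in allow-all policy disabled, a web-only policy for all VPN users, a second policy for the small group that needs RDP and SSH internally), added here as an example and not code from the thread or from WatchGuard. Group names, subnets and the first-match evaluation order are assumptions; it is meant as a sanity check of the intended rules before editing the Firebox.

```python
# Added example: a first-match model of an SSLVPN policy set, used to check
# which flows each VPN group can reach. Group names, subnets and the
# first-match order are constructed assumptions, not Fireware internals.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    name: str
    groups: set      # VPN groups the policy applies to; {"*"} = any group
    to: list         # "any", "any-external", or ip_network destinations
    ports: set       # allowed TCP ports; {"*"} = any port
    enabled: bool = True

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

POLICIES = [
    # Built-in policy allowing everything: disabled, as the reply recommends.
    Policy("Allow SSLVPN-Users", {"*"}, ["any"], {"*"}, enabled=False),
    # Every VPN user: web only, and only to non-internal destinations.
    Policy("SSLVPN-Web", {"SSLVPN-Users"}, ["any-external"], {80, 443}),
    # Small group: RDP and SSH, restricted to internal networks.
    Policy("SSLVPN-Admin", {"SSLVPN-Admins"}, INTERNAL, {22, 3389}),
]

def _dest_matches(policy, dst):
    addr = ip_address(dst)
    internal = any(addr in net for net in INTERNAL)
    for target in policy.to:
        if target == "any" or (target == "any-external" and not internal):
            return True
        if not isinstance(target, str) and addr in target:
            return True
    return False

def evaluate(groups, dst, port, policies=POLICIES):
    """Return the name of the first enabled policy that allows the flow,
    or "DENY" when nothing matches (the firewall's implicit deny)."""
    for policy in policies:
        if not policy.enabled:
            continue
        if "*" not in policy.groups and not (policy.groups & set(groups)):
            continue
        if "*" not in policy.ports and port not in policy.ports:
            continue
        if _dest_matches(policy, dst):
            return policy.name
    return "DENY"
```

    With the built-in policy re-enabled, the same check shows a plain VPN user reaching internal RDP, which is the current state the question describes.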

  • I understand, the idea is good. I even reviewed the documentation, but since I use SAML, it was a bit complicated. I tried creating different groups, but I couldn't link them to users. I'll open a ticket about this. If anyone has any ideas on how to make this adjustment, please comment below.
