Is it possible to restrict SSL VPN logon page accessibility?

Hi guys,

Is it possible to restrict SSL VPN logon page (https://address/sslvpn_logon.shtml) accessibility to a certain number of IP addresses?

Regards,

Best Answers

  • james.carson, Moderator, WatchGuard Representative
    Answer ✓

    Hi @WatchDog
    You can turn the page completely off in v12.5.4+ by issuing the following command on the Fireware CLI:
    "no sslvpn web-download enable"

    It can't be set to specific IPs, but you can point the users to software.watchguard.com to download the client directly from our website. (It'll be listed as Mobile VPN w/SSL under each firewall for Windows and macOS.)

    -James Carson
    WatchGuard Customer Support

  • Hi @James_Carson,

    Thanks for your prompt reply.
    Would running the "no sslvpn web-download enable" command affect users' Mobile VPN?

  • james.carson, Moderator, WatchGuard Representative
    Answer ✓

    @WatchDog
    No, it just disables the download page itself.
    The "WatchGuard SSLVPN" and "Allow SSLVPN_Users" policies are what govern users' access in and out of the firewall.

    Note that the firewall still listens on the SSLVPN port (443 by default) since that's the socket the VPN users connect to. If a user tries to surf to that page after running that command, they won't get a page back.

    You can also revert the command by issuing "sslvpn web-download enable".

    -James Carson
    WatchGuard Customer Support
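
A way to confirm the state described in the answers above from a workstation, as an added example that is not part of the original thread or WatchGuard's own tooling: it checks that the SSLVPN port still accepts connections and whether the logon page is still returned. The function names, the result labels and the rule that an enabled page answers with HTTP 200 are assumptions of this example.

```python
import http.client
import socket
import ssl

LOGON_PATH = "/sslvpn_logon.shtml"  # path quoted in the question above

def port_listening(host, port=443, timeout=5.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def fetch_status(host, port=443, path=LOGON_PATH, timeout=5.0):
    """Return the HTTP status for path, or None if no HTTP response came back."""
    # Assumption: the firewall may present a self-signed certificate, so
    # verification is off; this check only looks at whether a page is returned.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None  # reset, empty reply, TLS failure or timeout
    finally:
        conn.close()

def classify(listening, status):
    """Map the two probe results to one of three labels."""
    if not listening:
        return "port-closed"    # VPN clients could not connect either
    # Assumption: an enabled download page answers with HTTP 200.
    if status == 200:
        return "page-served"
    return "page-disabled"      # port open, but no page comes back

def check(host, port=443):
    listening = port_listening(host, port)
    status = fetch_status(host, port) if listening else None
    return classify(listening, status)

if __name__ == "__main__":
    import sys
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(check(sys.argv[1], port))
```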
