VPN: SSL VPN profiles
Like the IPSec RoadWarrior VPN, give the SSL VPN RoadWarrior configuration the ability to create different groups, so you can assign different settings to SSL VPN users. These differences can be: the IP range to distribute addresses from (or the Fixed Address option), DNS servers, policies, ...
I am looking for a method to filter SSL VPN access for each user separately. For example, I need to allow access only if a specified VPN client is connecting from a specified allowed source IP.
At the moment the remote access SSL VPN has a common pool of accessible routes/subnets for all remote access users, and all routes are pushed out. It would be good if you could configure remote access users/groups in the same way as a site-to-site SSL VPN and control which routes are pushed.
Now every user can see all local networks configured in the remote access settings. Sometimes it is useful to restrict a user/group to a particular network(s), but with v8 and v7 this is not possible. Using profiles could be a solution...
At the moment all configured SSL VPN users can access all the defined networks when automatic packet filter rules are enabled. If you want a more specific configuration, you have to disable it and make the packet filter rules yourself. It would be nice to have the possibility to map groups/users to different configured networks without the need to make all the packet filter rules yourself.
This feature has been released as part of UTM 9.1. Enjoy!
I need an option to allow login only from a specified source IP address for each user separately.
I guess the votes from http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/178371-remoteaccess-static-ip-for-ssl-vpn should be added to this request, because it's a subset.
Hi graspi, interesting but not practicable, because this violates the license and the configuration will be deleted (as you said).
For Angelo Comazzetto: what you are suggesting is just what we can do now, but if I have several networks behind my firewall and several OpenVPN users, and usually a user needs to access only one network, unfortunately (at this state of the art) every OpenVPN user can understand and see (by doing a route print) all the networks configured on the OpenVPN service, and this is not a good thing....
You can do this from the console in
Just create a file (e.g. vi admin) and insert the user's push configuration:
push "dhcp-option DOMAIN tld.local"
# DNS server address (placeholder; the original line used an out-of-range octet, 256)
push "dhcp-option DNS 192.168.1.1"
So now you have an individual SSL VPN configuration per user.
Beware: if you change something in the web interface Remote SSL configuration, you must reapply the user configuration. It will be deleted.
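The per-user file described above is an OpenVPN client-config-dir (ccd) profile. The script below is an added example, not code from this thread or from the UTM product; it generates such a profile for one user so that the client receives only the routes, DNS server and fixed tunnel address meant for that user, instead of every network defined server-wide. It assumes the server configuration contains `client-config-dir <dir>` and `topology subnet`, that the ccd file name equals the user's certificate common name (standard OpenVPN behaviour), and that `gen_ccd`, `ccd_route_count` and all addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the UTM product): write a per-user
# OpenVPN client-config-dir profile. POSIX sh.
#
# Usage: gen_ccd <ccd_dir> <user> <fixed_ip> <dns_ip> "<net> <mask>" ...
# Prints the path of the generated file on success.
gen_ccd() {
    ccd_dir=$1 user=$2 fixed_ip=$3 dns_ip=$4
    shift 4
    # Refuse names that could escape the ccd directory (e.g. "../server.conf");
    # the user name comes from a certificate CN, so treat it as untrusted input.
    case $user in
        ''|*/*|*..*) echo "gen_ccd: invalid user name '$user'" >&2; return 1 ;;
    esac
    # After push-reset the client gets no routes unless we push them here.
    [ $# -ge 1 ] || { echo "gen_ccd: no routes given for $user" >&2; return 1; }
    file="$ccd_dir/$user"
    {
        echo "# per-user OpenVPN profile for $user (generated)"
        # push-reset discards the server-wide push directives for this client,
        # so the global route list is not sent; everything the user needs
        # (DNS included) has to be pushed again below.
        echo "push-reset"
        # Fixed tunnel address in "address netmask" form (topology subnet).
        echo "ifconfig-push $fixed_ip 255.255.255.0"
        echo "push \"dhcp-option DNS $dns_ip\""
        for route in "$@"; do
            echo "push \"route $route\""
        done
    } > "$file" || return 1
    chmod 0644 "$file"
    echo "$file"
}

# Number of networks a profile pushes, for checking the generated result.
ccd_route_count() {
    grep -c '^push "route ' "$1"
}

# Demonstration with constructed sample data in a temporary directory.
demo_dir=$(mktemp -d)
gen_ccd "$demo_dir" alice 10.8.0.10 10.10.1.53 "10.10.20.0 255.255.255.0" >/dev/null
gen_ccd "$demo_dir" bob 10.8.0.11 10.10.1.53 "10.10.30.0 255.255.255.0" "10.10.31.0 255.255.255.0" >/dev/null
cat "$demo_dir/alice"
```

Two caveats for anyone trying this. First, the route list a client receives is convenience, not access control: a user who learns a subnet can still add the route locally, so the packet filter rules per user or group (as described further down in this thread) remain the thing that actually restricts access, and hiding routes only reduces what is disclosed. Second, `push-reset` also drops any server-wide options such as the DNS domain or redirect-gateway, so each profile must re-push everything that user needs; and on a UTM the hand-made files are overwritten when the remote access configuration is saved from the web interface, exactly as the comment above warns.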
Ray Lock commented
This is a very useful and ultimately sales winning function
Vivek Rajput commented
Yes... it is very good..!! Please add this feature..!!
Yes, and please make it possible to include autogenerated batch-files. I mean the ..._up.bat and ..._down.bat to connect net drives etc....
This must be based on backend membership groups (eDirectory).
Yes Gabriele, using FULL NAT could be a workaround, but it is not as elegant as a profile solution... I hope for some votes. Thanks for your interest.
Maybe I was not so clear, but the problem is not the possibility to create packet filter rules for each remote user (which is what I already did).
This feature request comes from my experience. My OpenVPN configuration has several remote users and several local networks, but not all local networks are needed by all users. Usually the relation between users and networks is N:1, but without profiles the relation is N:M. Obviously every remote user can only use the resources granted by packet filter rules, but the question here is another one: every remote user (usually external consultants) can see, understand and know my internal networks. IMHO introducing a profile configuration could solve the problem....
I do understand your concern.. While waiting for other comments and votes, let me suggest meanwhile that you use FULL NAT to hide from your remote users the real subnets you have in your network. I'm aware that it is a workaround, but at least it is something doable right now ;-)
Gabriele, I have already done what you are suggesting... it's the minimum I can do.
Instead, the problem is when a remote user connects to OpenVPN. The OpenVPN client creates a route for every network declared in the remote access settings.
The remote user can potentially know all my internal networks even if he needs only one... for me, this is a security issue.
You can achieve the same goal by configuring packet filter rules per user, since it's doable in this case because the middleware maps the user's IP address.
Jan Willem Heuver commented
And to assign a DHCP server, like the option in PPTP.
Francois Delpierre commented
The profile should be specified by the RADIUS server when using Radius.
Some of the comments here differ from the original request. It is already possible to specifically state what a user or group of users can access over the SSL VPN: simply disable the automatic packet filter rules, then make your own rules in the packet filter section using the appropriate user or group object to define which IPs they can visit, on what ports.
Mustafa Nasser commented
Same problem here. We are unable to use VPN because everybody gets the same rights. I need to be able to set different policies for different users or IPs and define what specific services one can access on the destination server.
This would be great! We cannot use SSL VPN because everybody gets the same rights, which is unwanted.