EdwinSoh
New Member
July 19, 2010
Question

Restrict SSL VPN user to specific internal ip

  • 2 replies
  • 5425 views
Hi, could someone advise how to restrict the SSL VPN user to access only a specific internal IP address? When I set a firewall policy to limit the SSL VPN to an FQDN name, when I run the RDP Connection Tool for this SSL VPN user, there will be an SSL negotiation error, preventing the connection from getting through. I suspect, besides setting a firewall policy for this user to access that specific IP, I also need to set another policy to access the FortiGate for SSL negotiation? When I set the destination address to all, it would work.


    Carl_Wallmark
    New Member
    July 19, 2010
    Your policies should look like this:

    To activate the SSL: WAN1 -> Internal -> Action SSL
    To limit the SSL user to an IP: ssl.root -> Internal (Destination "your address") -> Action accept
    EdwinSoh (Author)
    New Member
    July 20, 2010
    Thanks for the info. So, if I have 1 user having full access to the LAN, and another user2 restricted to a specific internal IP, my policy should look like below?

    To activate the SSL: WAN1 -> Internal -> Action SSL
    To limit the SSL user to an IP: ssl.root -> Internal (Destination "your address") -> Action accept (Enable Identity Based policy for user2)
    To allow access to entire LAN: ssl.root -> Internal (all)
    ede_pfau
    SuperUser
    July 20, 2010
    Not quite. If you use an Identity Based policy it should be placed after a more general policy. The reason for this is that if the auth fails no further policies will be examined. This changed in v4.0 so please look it up in the Admin Guide. In your case this poses a dilemma, as with e.g.

    To allow access to entire LAN: ssl.root -> Internal (all) (Enable Identity Based policy for user1)
    To limit the SSL user to an IP: ssl.root -> Internal (Destination "your address") -> Action accept (Enable Identity Based policy for user2)

    no non-admin user will ever be allowed through the second policy. Will have to think about it again.
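For readers who want to see the three policies from this thread as CLI rather than as GUI descriptions, here is an added example; it is not configuration posted by anyone in the thread. It assumes FortiOS 4.0 MR2/MR3-style syntax for identity-based policies (the `identity-based-policy` sub-table and its exact keywords vary between 4.0 releases, so check the CLI Reference for your build), and the address object name, host IP, user group names and interface names are all constructed for the example.

```fortios
# Added example, not from the thread. Assumed FortiOS 4.0 MR2/MR3 CLI syntax.
# Constructed names: "rdp-host" (the single internal host user2 may reach),
# "grp_user1" (full LAN access), "grp_user2" (restricted access).

# The one host user2 is allowed to reach. A /32 mask limits it to that address.
config firewall address
    edit "rdp-host"
        set subnet 192.168.1.10 255.255.255.255
    next
end

config firewall policy
    # 1. Carl's first policy: activate SSL VPN, WAN1 -> Internal, action SSL.
    #    Both groups are listed here so both users can log in to the portal.
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "grp_user1" "grp_user2"
                set schedule "always"
                set service "ANY"
            next
        end
    next

    # 2. Carl's second policy for user2: ssl.root -> Internal, destination
    #    restricted to rdp-host, identity-based on grp_user2 only.
    edit 2
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "rdp-host"
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "grp_user2"
                set schedule "always"
                set service "ANY"
            next
        end
    next

    # 3. Edwin's third policy for user1: ssl.root -> Internal, whole LAN,
    #    identity-based on grp_user1 only.
    edit 3
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "grp_user1"
                set schedule "always"
                set service "ANY"
            next
        end
    next
end
```

Policy order is what ede_pfau's caveat is about. Policies are matched top to bottom on interface, address and service first, and the group check only happens once a policy has matched. With 3 above 2, a user2 session matches the "all" destination of policy 3, fails the grp_user1 check, and on the releases ede_pfau describes is not re-evaluated against policy 2, so user2 never gets through. With 2 above 3 as written here, user1 traffic aimed specifically at rdp-host matches policy 2 first and fails the grp_user2 check the same way, which is the dilemma the thread leaves open. The order can be changed afterwards without re-entering the policies with `config firewall policy` followed by `move 3 before 2`; whichever order you choose, test it with a user from each group, since whether a failed group check falls through to later policies depends on the firmware version.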