topic Re: Limited Remote VPN access in Endpoint

Limited Remote VPN access

Sergo89 — Tue, 19 Apr 2022 14:39:05 GMT

Hi Everybody,

I need to configure a limited remote access via Endpoint client, for example Group A (windows group) has Full access to all internal network and Group B just to one subnet. I configured like that (still not sure does it work properly or not)

Source: Access Role with LDAP group (here i use Group A or B)

Dest: All internal networks for Group A or another rule - one subnet for group B

VPN: RemoteAccess Community

Services: all

It works for my Primary firewall, i had problem before - we have to use OfficeMode (i know its requirements for Full Endpoint Client), and sometimes its stop working, because OfficeMode means all remote clients have IP addresses and technically its standard network, and has to following standard firewall rules (add OfficeMode network to rules like source). But for my second firewall this schema doesnt work, i havet create rule - source OfficeMode Net - Dest - Internal networks, but with this rule, all my previous rules (Access Roles etc) totally useless, Group A and B have same full access.

Any idea how to configure it properly?

thanks

Re: Limited Remote VPN access

Danny — Wed, 20 Apr 2022 06:19:00 GMT

I'd start with something like this on your primary firewall:

As you can see this doesn't allow a separation of OfficeMode IPs for RAS Group A and B.
Solution (also for your second firewall) : sk33422 - Office Mode IP and ipassignment.conf file

This allows you to assign specific IP addresses of your Office Mode Pool to users of RAS VPN Group B.
Then you can create two new subnet objects 'OfficeMode1' and 'OfficeMode2' and use them in your rulebase (leave the original OfficeMode object as it is).

Result:

Re: Limited Remote VPN access

Sergo89 — Tue, 19 Apr 2022 23:32:20 GMT

Wow Danny! it works! unbelievable!