topic Re: different vpn access in Spark Firewall (SMB)

different vpn access

Webnoob — Tue, 01 Jul 2025 19:51:50 GMT

I have a 1570 with remote access enabled. I also have Radius configured and use NPS Azure MFA extension.
Is it possible to give the VPN users different VPN access?

Ex. one group can RDP to one server, another group RDP to another server and a third group ssh to a specific device?

Re: different vpn access

PhoneBoy — Tue, 01 Jul 2025 22:44:58 GMT

This should be possible (at least on most recent firmware versions) by creating Inbound VPN rules in terms of users/groups.

Re: different vpn access

Webnoob — Thu, 03 Jul 2025 19:30:30 GMT

I have just upgraded to R81.10.17
Is there a step by step explanation?

Re: different vpn access

PhoneBoy — Mon, 07 Jul 2025 17:15:40 GMT

There are two ways to retrieve groups:

Via LDAP, which must be explicitly configured on each gateway to the relevant Active Directory server
Via the SAML Assertion used as part of SAML Authentication

As far as I know, with Azure, there IS no LDAP interface.
Which means you should be using SAML here.

Are you managing this device entirely through the WebUI or are you using external management?

Re: different vpn access

Webnoob — Sun, 27 Jul 2025 13:23:20 GMT

Users are in an onprem AD
I use Radius to get user info when they use VPN.
The device is only managed locally through the webui.

Re: different vpn access

G_W_Albrecht — Mon, 28 Jul 2025 09:27:50 GMT

That is the most easy way to implement - Use the AD for the groups needed.

- Enable User Awareness Blade and configure AD query:

Working with User Awareness

- add manual Incoming Rules for specified user groups and service/destination, followed by a Block all rule for all groups.

Afaik SAML Authentication is only supported on Managed SMBs - and DC is much easier...