Sergo89
Contributor

Limited Remote VPN access

Hi Everybody,

I need to configure limited remote access via the Endpoint client. For example, Group A (a Windows group) has full access to the whole internal network and Group B only to one subnet. I configured it like this (still not sure whether it works properly or not):

Source: Access Role with LDAP group (here I use Group A or B)

Dest: All internal networks for Group A, or in another rule, one subnet for Group B

VPN: RemoteAccess Community

Services: all

It works on my primary firewall. I had a problem before: we have to use Office Mode (I know it's a requirement for the full Endpoint client), and sometimes it stops working, because Office Mode means all remote clients have IP addresses and technically it's a standard network, so it has to follow standard firewall rules (add the Office Mode network to rules as the source). But on my second firewall this schema doesn't work; I have to create a rule with source OfficeMode Net and destination Internal networks, but with this rule all my previous rules (Access Roles etc.) are totally useless: Group A and B have the same full access.

Any idea how to configure it properly?

Thanks

Accepted Solution
Danny
Champion

I'd start with something like this on your primary firewall:

image.png

As you can see, this doesn't allow a separation of OfficeMode IPs for RAS Group A and B.
Solution (also for your second firewall): sk33422 - Office Mode IP and ipassignment.conf file

This allows you to assign specific IP addresses of your Office Mode Pool to users of RAS VPN Group B.
Then you can create two new subnet objects 'OfficeMode1' and 'OfficeMode2' and use them in your rulebase (leave the original OfficeMode object as it is).

Result:

image.png

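The separation Danny describes only holds if every Group B user really lands inside the 'OfficeMode2' object and nobody else does. The following is an added example (not Check Point's code and not from the thread) of a small validator that reads ipassignment.conf-style lines and checks them against the two subnet objects. The column layout assumed here (gateway, entry type `addr` or `range`, address, user or DN) is my reading of the file described in sk33422 and should be checked against that article; the addresses, user names and the `GROUP_B_USERS` set are constructed sample values.

```python
"""Validate that Office Mode IP assignments keep RAS Group A and B apart.

Added example, not Check Point's own tooling. The ipassignment.conf column
layout assumed below (gateway, type, address, user) is an assumption taken
from sk33422 and should be verified against that article.
"""
import ipaddress
import re

# Constructed sample addressing (hypothetical): the original Office Mode pool
# and the two new subnet objects that replace it in the rulebase.
OFFICE_MODE_POOL = ipaddress.ip_network("10.99.0.0/23")
OFFICE_MODE_1 = ipaddress.ip_network("10.99.0.0/24")   # Group A: full access
OFFICE_MODE_2 = ipaddress.ip_network("10.99.1.0/24")   # Group B: one subnet

# Constructed sample ipassignment.conf content (hypothetical users/DNs).
SAMPLE_CONF = """\
# Gateway   Type    Address                      User
*           addr    10.99.1.10                   bob
*           addr    10.99.1.11                   carol
*           range   10.99.1.100-10.99.1.150/24   CN=Group B,OU=VPN,DC=example,DC=com
*           addr    10.99.0.5                    alice
"""

# Who is expected to be in RAS Group B (constructed; in practice export this
# from the directory group the Access Role points at).
GROUP_B_USERS = {"bob", "carol", "CN=Group B,OU=VPN,DC=example,DC=com"}


def parse_ipassignment(text):
    """Return a list of (user, [networks]) tuples from conf-style lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = re.split(r"\s+", line, maxsplit=3)  # user/DN may contain spaces
        if len(fields) != 4:
            raise ValueError(f"unexpected line: {raw!r}")
        _gateway, kind, address, user = fields
        address = address.split("/", 1)[0]       # ignore the client mask suffix
        if kind == "addr":
            nets = [ipaddress.ip_network(address)]          # single host, /32
        elif kind == "range":
            first, last = (ipaddress.ip_address(a) for a in address.split("-", 1))
            nets = list(ipaddress.summarize_address_range(first, last))
        else:
            raise ValueError(f"unexpected entry type {kind!r} in {raw!r}")
        entries.append((user, nets))
    return entries


def check_objects():
    """Both new objects must sit inside the pool and must not overlap."""
    problems = []
    for name, net in (("OfficeMode1", OFFICE_MODE_1), ("OfficeMode2", OFFICE_MODE_2)):
        if not net.subnet_of(OFFICE_MODE_POOL):
            problems.append(f"{name} {net} is not inside the Office Mode pool")
    if OFFICE_MODE_1.overlaps(OFFICE_MODE_2):
        problems.append("OfficeMode1 and OfficeMode2 overlap")
    return problems


def check_separation(entries, group_b_users):
    """Group B assignments must be inside OfficeMode2; nobody else may be."""
    problems = []
    for user, nets in entries:
        for net in nets:
            if not net.subnet_of(OFFICE_MODE_POOL):
                problems.append(f"{user}: {net} is outside the Office Mode pool")
            if user in group_b_users:
                if not net.subnet_of(OFFICE_MODE_2):
                    problems.append(f"{user}: {net} is not inside OfficeMode2")
            elif net.overlaps(OFFICE_MODE_2):
                problems.append(f"{user}: {net} overlaps OfficeMode2 but user is not in Group B")
    return problems


if __name__ == "__main__":
    found = check_objects() + check_separation(parse_ipassignment(SAMPLE_CONF), GROUP_B_USERS)
    print("\n".join(found) if found else "no problems found")
```

Run it against the real file and the real group membership after every change to either; a Group B user who is dropped from the file silently falls back to the dynamic pool, and a Group A user who is added with an address inside 'OfficeMode2' silently gains the restricted profile, so the check belongs in the same change process as the rulebase edit.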

2 Replies
Sergo89
Contributor

Wow Danny! It works! Unbelievable!