Controlling SSLVPN Traffic

When setting up a mobile VPN, it’s important that the configuration be set to only allow traffic to the necessary resources.  This could include internal devices as well as Internet access.  If you follow the setup wizard for the SSLVPN, all user traffic is forced through the VPN connection.  This method is considered more secure as it allows the firewall to process all of the user’s traffic, giving more visibility and control.  However, this default option also includes a policy that allows the user to access all internal and external resources without restriction.

In order to best secure your SSLVPN, it is recommended that you first reconfigure the default policy that is created.  You will be able to control the user’s access based on the authentication group or account they are connected to the VPN with.


Dictating Access by Group

The first step in securing SSLVPN access is understanding how your authentication is configured.  When you configure the SSLVPN, a default authentication group called SSLVPN-Users is created.  In order for a user to authenticate, they must be a member of this group.  Whether the group uses local Firebox accounts or domain accounts, such as those from Active Directory, membership in the group dictates access.

Add users and groups screen image

You can also add additional security groups or users.  For example, if there is a particular security group that exists in your Active Directory environment, you can add it for authentication to the SSLVPN.

WatchGuard Mobile VPN with SSL Setup Wizard screen image

Understanding the Default SSLVPN Policy

If you add additional groups or users, it is important to understand that these do not automatically get added to the VPN policy.  It is only the SSLVPN-Users group that is included initially.

SSLVPN-User policy checkbox

It is also important to understand that this policy allows users authenticated through the SSLVPN-Users group to access ANY internal or external resource, on ANY port.  At a minimum, we recommend enabling logging on this policy so that the traffic can be properly monitored.

Restricting Access Through Authentication and Policy

To fully control your SSLVPN traffic, it is recommended that you create policies based on the groups or users that are connecting.  As an example, the SSLVPN-Users group might include your sales staff who need to connect remotely.  They need some access to the internal network, but not full access.  Additionally, you may want to restrict their web access.

You can start by editing the default Allow SSLVPN-Users policy to allow access to internal resources.  As an example, you can allow them access just to the Active Directory server so that they can gain access to file shares.

Edit Policy Properties Screen image

If you would like to then restrict their web traffic, you simply need to build HTTP and HTTPS proxies that reference the SSLVPN-Users security group.

HTTP and HTTPS proxies portal screen image

You can then grant different access across the VPN to the IT_Department group that has been added.  For this group, you can grant access to all internal resources for troubleshooting purposes.  You can also implement web filtering to ensure traffic is restricted to just trusted sites.

HTTP and HTTPS proxies portal screen image
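To make the difference between the wizard's default policy and the group-based policies described above concrete, here is an added example (not WatchGuard code or Firebox configuration syntax) that models both policy sets as a first-match rule list and evaluates sample connections against them.  The addresses, the SMB port for file shares and the HTTP/HTTPS ports are assumptions chosen for illustration; the article names none of them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Constructed sample networks; the article gives no addresses.
INTERNAL = ip_network("10.0.0.0/8")          # assumed trusted network
AD_SERVER = ip_network("10.0.0.10/32")       # assumed Active Directory / file server
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Policy:
    name: str
    groups: FrozenSet[str]          # authentication groups the policy applies to
    to: object                      # destination network (ip_network)
    ports: Optional[FrozenSet[int]] # None means any port
    action: str                     # "allow", "deny" or "proxy" (HTTP/HTTPS proxy)

def evaluate(policies, group, dst, port):
    """First matching policy wins; a connection no policy matches is denied."""
    dst = ip_address(dst)
    for p in policies:
        if group in p.groups and dst in p.to and (p.ports is None or port in p.ports):
            return p.action, p.name
    return "deny", "implicit-deny"

# What the setup wizard creates: SSLVPN-Users to any destination on any port.
# Note that a group added later (e.g. IT_Department) matches nothing here.
DEFAULT = [Policy("Allow SSLVPN-Users", frozenset({"SSLVPN-Users"}), ANY, None, "allow")]

# Policies modelled on the article: sales staff in SSLVPN-Users reach only the
# AD server's file shares (SMB, port 445 assumed) and browse through the proxy;
# IT_Department reaches every internal resource, with web traffic still proxied.
HARDENED = [
    Policy("SSLVPN-Users to AD file shares", frozenset({"SSLVPN-Users"}), AD_SERVER, frozenset({445}), "allow"),
    Policy("HTTP/HTTPS proxy SSLVPN-Users", frozenset({"SSLVPN-Users"}), ANY, frozenset({80, 443}), "proxy"),
    Policy("Allow IT_Department internal", frozenset({"IT_Department"}), INTERNAL, None, "allow"),
    Policy("HTTP/HTTPS proxy IT_Department", frozenset({"IT_Department"}), ANY, frozenset({80, 443}), "proxy"),
]

if __name__ == "__main__":
    for group, dst, port in [("SSLVPN-Users", "203.0.113.5", 22), ("SSLVPN-Users", "10.0.0.10", 445),
                             ("SSLVPN-Users", "10.0.0.50", 445), ("IT_Department", "10.0.0.50", 3389)]:
        print(group, dst, port, "default:", evaluate(DEFAULT, group, dst, port),
              "hardened:", evaluate(HARDENED, group, dst, port))
```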

Summary

To ensure proper control of user access through the SSLVPN, make sure to build policies based on the authentication group they are connected to.  If you would like assistance in making sure your policies are properly configured, Contact Us!