WatchGuard Technologies SSL VPN Denying Access to Groups without an ACL, Configuring User Groups

Denying Access to Groups without an ACL

When you enable split tunneling, you must enter a list of accessible networks on the Global Cluster Policies tab. The list of accessible networks must include all internal networks and subnetworks that the user may need to access with the Secure Access Client.

The Secure Access Client uses the list of accessible networks as a filter to determine whether or not packets transmitted from the client computer should be sent to the Firebox SSL VPN Gateway.

When the Secure Access Client starts, it obtains the list of accessible networks from the Firebox SSL VPN Gateway. The Secure Access Client examines all packets transmitted on the network from the cli- ent computer and compares the addresses within the packets to the list of accessible networks. If the destination address in the packet is within one of the accessible networks, the Secure Access Client sends the packet through the VPN tunnel to the Firebox SSL VPN Gateway. If the destination address is not in an accessible network, the packet is not encrypted and the client routes the packet appropri- ately.

To enable split tunneling

1Click the Global Cluster Policies tab.

2Under Access Options, click Enable Split Tunneling.

3In Accessible Networks, type the IP addresses. Use a space or carriage return to separate the list of networks.

4Click Submit.

Configuring User Groups

User groups define the resources the user has access to when connecting to the corporate network through the Firebox SSL VPN Gateway. Groups are associated with the local users list. After adding local users to a group, you can then define the resources they have access to on the Access Policy Manager tab. For more information about configuring local users, see “Configuring Properties for a User Group” on page 90.

When you enable authorization on the Firebox SSL VPN Gateway, user group information is obtained from the authentication server after a user is authenticated. If the group name that is obtained from the authentication server matches a group name created locally on the Firebox SSL VPN Gateway, the prop- erties of the local group are used for the matching group obtained from the authentication servers.

Note

Important: Group names on authentication servers and on the Firebox SSL VPN Gateway must be identical and they are case-sensitive

Denying Access to Groups without an ACL

Each user should belong to at least one group that is defined locally on the Firebox SSL VPN Gateway. If a user does not belong to a group, the overall access of the user is determined by using access control lists (ACLs) that are defined by the Deny access without access control list (ACL) setting as follows:

If the Deny Access option is enabled, the user cannot establish a connection If the Deny Access option is disabled, the user has full network access

In either case, the user can use kiosk mode, but network access within that session is determined by the Deny access without access control list (ACL) setting.