
How to Restrict VPN Access to GVC Users

10/14/2021

    Description

    There are multiple methods to restrict remote VPN users' access to network resources. This article lists three, namely:

    • Restrict access to hosts behind SonicWall based on Users.
    • Restrict access to a specific service (e.g. Terminal Services) using Access Rules.
    • Restrict access to a specific host behind the SonicWall using Access Rules.

    When a user is created, the user automatically becomes a member of the Trusted Users and Everyone groups under the Users | Local Groups page. If you click the Configure tab for either of these groups and LAN Subnets is selected, every user can access any resource on the LAN. The following steps restrict access based on user accounts.

    Resolution

    Resolution for SonicOS 7.X

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.



    Adding Address Objects:

    • Create an address object for the computers to which restricted users will be allowed. This can be done by selecting the Objects | Match Objects | Addresses page. Under Address Objects click Add.
    • Create an address object for the computer or computers to be accessed by Restricted Access group.

    For more information on creating Address Objects, refer to Understanding Address Objects in SonicOS.

    Adding and Configuring User Groups:

    1. Click Device | Users | Local Users & Groups | Local Groups. Click the Configure tab for the Everyone and Trusted Users groups. Click the VPN Access tab and remove all Address Objects from the Access List.
    2. Click Users | Local Users & Groups | Local Groups | Add Group and create two custom user groups, such as “Full Access” and “Restricted Access”.
      • For the “Full Access” user group under the VPN Access tab, select LAN Subnets. 
      • For the “Restricted Access” user group under the VPN Access tab, select the address object that you had previously created for the restricted computers.

                   Image                        Image

     

    Adding users to appropriate Groups:

    • Create users by clicking Users | Local Users & Groups | Local Users. For those users who need full access, include them under the Full Access user group by clicking the Groups tab and adding them under Member of. For those users who will be given restricted access, include them under the Restricted Access user group by clicking the Groups tab and adding them under Member of.

     

    Restrict access to a specific service (e.g. Terminal Services) using Access Rules:

    • In the SonicWall Management UI, navigate to the Policy | Rules and Policies | Access Rules page.
    • Select From VPN To LAN from the drop-down menu or use the matrix. Create a Deny rule.

      NOTE: If you have other zones like DMZ, create similar rules From VPN to DMZ.

                                  Image

    How to Test:

    Test by trying to ping an IP address on the LAN from a remote GVC PC. Since we have selected Terminal Services, the ping should fail. Then try a Remote Desktop Connection to the same host; it should succeed.


    Restrict access to a specific host behind the SonicWall using Access Rules:

    In this scenario, remote VPN users' access should be locked down to one host in the network, namely a Terminal Server on the LAN. It is assumed that WAN GroupVPN, DHCP over VPN and the user access list have already been configured.

    Creating an address object for the Terminal Server

    1. Log in to the SonicWall management interface.
    2. Navigate to Objects | Match Objects | Addresses.
    3. Create the following address object.

          Image

    Creating access rules to block all traffic to the network and allow traffic to the Terminal Server.

    1. Navigate to Policy | Rules and Policies | Access Rules.
    2. Go to the From VPN | To LAN page.
    3. Create the following access rules.
       

      NOTE: If you have other zones like DMZ, create similar deny rules From VPN to DMZ.

                          Image

           

                           Image

    How to Test:

    Test by trying to ping an IP address on the LAN or DMZ from a remote GVC PC. Since we have created a deny rule to block all traffic to the LAN or DMZ from remote GVC users, the ping should fail. Then try a ping or a Remote Desktop Connection to the Terminal Server on the LAN; it should succeed.

    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.



    Restrict access to hosts behind SonicWall based on Users:

    Adding Address Objects:

    • Create an address object for the computers to which restricted users will be allowed. This can be done by selecting the Manage | Objects | Address Objects page. Under Address Objects click Add.
    • Create an address object for the computer or computers to be accessed by Restricted Access group.

    For more information on creating Address Objects, refer to Understanding Address Objects in SonicOS.

    Adding and Configuring User Groups:

    1. Click Users | Local Users & Groups | Local Groups. Click the Configure tab for the Everyone and Trusted Users groups. Click the VPN Access tab and remove all Address Objects from the Access List.
    2. Click Users | Local Users & Groups | Local Groups | Add Group and create two custom user groups, such as “Full Access” and “Restricted Access”.
      • For the “Full Access” user group under the VPN Access tab, select LAN Subnets. 
      • For the “Restricted Access” user group under the VPN Access tab, select the address object that you had previously created for the restricted computers.

    Image

    Image


    Adding users to appropriate Groups:

    • Create users by clicking Users | Local Users & Groups | Local Users. For those users who need full access, include them under the Full Access user group by clicking the Groups tab and adding them under Member of. For those users who will be given restricted access, include them under the Restricted Access user group by clicking the Groups tab and adding them under Member of.

     

    Restrict access to a specific service (e.g. Terminal Services) using Access Rules:

    • In the SonicWall Management UI, navigate to the Manage | Rules | Access Rules page.
    • Select From VPN To LAN from the drop-down menu or use the matrix. Create a Deny rule.

    Image

    NOTE: If you have other zones like DMZ, create similar rules From VPN to DMZ.


    Image

     

    How to Test:

    Test by trying to ping an IP address on the LAN from a remote GVC PC. Since we have selected Terminal Services, the ping should fail. Then try a Remote Desktop Connection to the same host; it should succeed.


    Restrict access to a specific host behind the SonicWall using Access Rules:

    In this scenario, remote VPN users' access should be locked down to one host in the network, namely a Terminal Server on the LAN. It is assumed that WAN GroupVPN, DHCP over VPN and the user access list have already been configured.

    Creating an address object for the Terminal Server

    1. Log in to the SonicWall management interface.
    2. Navigate to Manage | Objects | Address Objects.
    3. Create the following address object.

    Image

    Creating access rules to block all traffic to the network and allow traffic to the Terminal Server.

    1. Navigate to Manage | Rules | Access Rules.
    2. Go to the From VPN | To LAN page.
    3. Create the following access rules.
       

      NOTE: If you have other zones like DMZ, create similar deny rules From VPN to DMZ.

     

    Image

    Image


    How to Test:

    Test by trying to ping an IP address on the LAN or DMZ from a remote GVC PC. Since we have created a deny rule to block all traffic to the LAN or DMZ from remote GVC users, the ping should fail. Then try a ping or a Remote Desktop Connection to the Terminal Server on the LAN; it should succeed.


    Resolution for SonicOS 6.2 and Below

    The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.






    Restrict access to hosts behind SonicWall based on Users:

    Adding Address Objects:

    • Create an address object for the computers to which restricted users will be allowed. This can be done by selecting the Network | Address Objects page. Under Address Objects click Add. Create an address object for the computer or computers to be accessed by Restricted Access group.

    For more information on creating Address Objects, refer to Understanding Address Objects in SonicOS.

    Adding and Configuring User Groups:

    1. Click Users | Local Groups. Click the Configure tab for the Everyone and Trusted Users groups. Click the VPN Access tab and remove all Address Objects from the Access List.
    2. Click Users | Local Groups | Add Group and create two custom user groups, such as “Full Access” and “Restricted Access”.
      • For the “Full Access” user group under the VPN Access tab, select LAN Subnets. 
      • For the “Restricted Access” user group under the VPN Access tab, select the address object that you had previously created for the restricted computers.

    Image

    Image


    Adding users to appropriate Groups:

    • Create users by clicking Users | Local Users. For those users who need full access, include them under the Full Access user group by clicking the Groups tab and adding them under Member of. For those users who will be given restricted access, include them under the Restricted Access user group by clicking the Groups tab and adding them under Member of.

    Restrict access to a specific service (e.g. Terminal Services) using Access Rules:

    • In the SonicWall Management UI, navigate to the Firewall | Access Rules page.
    • Select From VPN To LAN in the matrix.
    • Create the following access rules.
      Note: If you have other zones like DMZ, create similar rules From VPN to DMZ.

    Image

    Image

    How to Test:

    Test by trying to ping an IP address on the LAN from a remote GVC PC. Since we have selected Terminal Services, the ping should fail. Then try a Remote Desktop Connection to the same host; it should succeed.


    Restrict access to a specific host behind the SonicWall using Access Rules:

    In this scenario, remote VPN users' access should be locked down to one host in the network, namely a Terminal Server on the LAN. It is assumed that WAN GroupVPN, DHCP over VPN and the user access list have already been configured.

    Creating an address object for the Terminal Server

    1. Log in to the SonicWall management interface.
    2. Navigate to Network | Address Objects.
    3. Create the following address object.

    Image

    Creating access rules to block all traffic to the network and allow traffic to the Terminal Server.

    1. Navigate to Firewall | Access Rules.
    2. Go to the From VPN | To LAN page.
    3. Create the following access rules.
       

       NOTE: If you have other zones like DMZ, create similar deny rules From VPN to DMZ.

     

    Image

    Image


    How to Test:

    Test by trying to ping an IP address on the LAN or DMZ from a remote GVC PC. Since we have created a deny rule to block all traffic to the LAN or DMZ from remote GVC users, the ping should fail. Then try a ping or a Remote Desktop Connection to the Terminal Server on the LAN; it should succeed.
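
The "How to Test" steps can be scripted so they are re-run from a connected GVC client after every group or access-rule change, on any of the SonicOS versions covered. The following Python script is an added example, not part of the original article or any SonicWall tooling; the IP addresses are constructed placeholders and Terminal Services is assumed to listen on the default RDP port 3389.

```python
"""Re-run the article's "How to Test" checks from a connected GVC client."""
import platform
import socket
import subprocess

RDP_PORT = 3389  # assumption: Terminal Services on its default port

# Constructed placeholder addresses; replace with hosts on your LAN.
TERMINAL_SERVER = "192.168.168.10"
OTHER_LAN_HOST = "192.168.168.20"

# Each check: (description, kind, host, port, expected_reachable).
# "Specific host" scenario: only the Terminal Server may answer.
HOST_SCENARIO = [
    ("ping other LAN host", "icmp", OTHER_LAN_HOST, None, False),
    ("RDP to other LAN host", "tcp", OTHER_LAN_HOST, RDP_PORT, False),
    ("ping Terminal Server", "icmp", TERMINAL_SERVER, None, True),
    ("RDP to Terminal Server", "tcp", TERMINAL_SERVER, RDP_PORT, True),
]
# "Specific service" scenario: ping fails, RDP to the same host works.
SERVICE_SCENARIO = [
    ("ping LAN host", "icmp", TERMINAL_SERVER, None, False),
    ("RDP to same host", "tcp", TERMINAL_SERVER, RDP_PORT, True),
]


def live_probe(kind, host, port, timeout=3):
    """Return True if the host answers a TCP connect or a single ping."""
    if kind == "tcp":
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            return False
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        done = subprocess.run(["ping", count_flag, "1", host],
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout + 5)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return done.returncode == 0


def check_policy(scenario, probe=live_probe):
    """Return (description, expected, observed) for every mismatch."""
    mismatches = []
    for description, kind, host, port, expected in scenario:
        observed = probe(kind, host, port)
        if observed != expected:
            mismatches.append((description, expected, observed))
    return mismatches


if __name__ == "__main__":
    # Pick the scenario that matches the rules configured on the firewall.
    for description, expected, observed in check_policy(HOST_SCENARIO):
        print(f"MISMATCH {description}: "
              f"expected reachable={expected}, observed={observed}")
```

An empty result means the client sees exactly what the rules intend; a mismatch on a check expected to be unreachable usually means an address object such as LAN Subnets is still present in a group's VPN Access list.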
