Main Menu
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Events
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
SonicWall
  • Products
      All Products A–Z
      Free Trials
    • Network Security
      • Next-Generation Firewall (NGFW)
      • Network Security Services
      • Network Security Management
      • Secure SD-WAN
    • Threat Protection
      • Advanced Threat Protection Cloud
      • Advanced Threat Protection Appliance
      • Capture Labs
    • Secure Access Service Edge (SASE)
      • Zero-Trust Network Access (ZTNA)
    • Cloud Security
      • Cloud Firewall
      • Cloud App Security
    • Endpoint Security
      • Endpoint Detection & Response (EDR)
    • Email Security
      • Cloud Email Security
      • Hosted Email Security
      • On-Prem Email Security
    • Secure Access
      • Wireless Access Points
      • Network Switch
      • Virtual Private Network (VPN)
    • Wi-Fi 6 Access Points

      SonicWall SonicWave 600 series access points provide always-on, always-secure connectivity for complex, multi-device environments.

      Read More
  • Solutions
    • Industries
      • Distributed Enterprises
      • Retail & Hospitality
      • K-12 Education
      • Higher Education
      • State & Local
      • Federal
      • Healthcare
      • Financial Services
      • Carriers
    • Use Cases
      • Secure SD-Branch
      • Network Segmentation
      • Zero Trust Security
      • Secure SD-WAN
      • Office 365 Security
      • SaaS Security
      • Secure Wi-Fi
    • Solutions Widgets
      • Solutions Content Widgets
        Federal

        Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions

      • Solutions Image Widgets
  • Partners
    • SonicWall Partners
      • Partners Overview
      • Find a Partner
      • Authorized Distributors
      • Technology Partners
    • Partner Resources
      • Become a Partner
      • SonicWall University
      • Training & Certification
    • Partner Widgets
      • Custom HTML : Partners Content WIdgets
        Partner Portal

        Access to deal registration, MDF, sales and marketing tools, training and more

      • Partners Image Widgets
  • Support
    • Support
      • Support Portal
      • Knowledge Base
      • Technical Documentation
      • Community
      • Video Tutorials
      • Product Life Cycle Tables
      • Partner Enabled Services
      • Contact Support
    • Resources
      • Resource Center
      • Events
      • Free Trials
      • Blog
      • SonicWall University
      • MySonicWall
    • Capture Labs
      • Capture Labs
      • Security Center
      • Security News
      • PSIRT
      • Application Catalog
    • Support Widget
      • Custom HTML : Support Content WIdgets
        Support Portal

        Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials

      • Support Image Widgets
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Events
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
  • Contact Sales
  • English English English en
  • BLOG
  • CONTACT SALES
  • FREE TRIALS
  • English English English en
SonicWall
  • Products
      All Products A–Z
      Free Trials
    • Network Security
      • Next-Generation Firewall (NGFW)
      • Network Security Services
      • Network Security Management
      • Secure SD-WAN
    • Threat Protection
      • Advanced Threat Protection Cloud
      • Advanced Threat Protection Appliance
      • Capture Labs
    • Secure Access Service Edge (SASE)
      • Zero-Trust Network Access (ZTNA)
    • Cloud Security
      • Cloud Firewall
      • Cloud App Security
    • Endpoint Security
      • Endpoint Detection & Response (EDR)
    • Email Security
      • Cloud Email Security
      • Hosted Email Security
      • On-Prem Email Security
    • Secure Access
      • Wireless Access Points
      • Network Switch
      • Virtual Private Network (VPN)
    • Wi-Fi 6 Access Points

      SonicWall SonicWave 600 series access points provide always-on, always-secure connectivity for complex, multi-device environments.

      Read More
  • Solutions
    • Industries
      • Distributed Enterprises
      • Retail & Hospitality
      • K-12 Education
      • Higher Education
      • State & Local
      • Federal
      • Healthcare
      • Financial Services
      • Carriers
    • Use Cases
      • Secure SD-Branch
      • Network Segmentation
      • Zero Trust Security
      • Secure SD-WAN
      • Office 365 Security
      • SaaS Security
      • Secure Wi-Fi
    • Solutions Widgets
      • Solutions Content Widgets
        Federal

        Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions

      • Solutions Image Widgets
  • Partners
    • SonicWall Partners
      • Partners Overview
      • Find a Partner
      • Authorized Distributors
      • Technology Partners
    • Partner Resources
      • Become a Partner
      • SonicWall University
      • Training & Certification
    • Partner Widgets
      • Custom HTML : Partners Content WIdgets
        Partner Portal

        Access to deal registration, MDF, sales and marketing tools, training and more

      • Partners Image Widgets
  • Support
    • Support
      • Support Portal
      • Knowledge Base
      • Technical Documentation
      • Community
      • Video Tutorials
      • Product Life Cycle Tables
      • Partner Enabled Services
      • Contact Support
    • Resources
      • Resource Center
      • Events
      • Free Trials
      • Blog
      • SonicWall University
      • MySonicWall
    • Capture Labs
      • Capture Labs
      • Security Center
      • Security News
      • PSIRT
      • Application Catalog
    • Support Widget
      • Custom HTML : Support Content WIdgets
        Support Portal

        Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials

      • Support Image Widgets
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Events
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
  • Contact Sales
  • Menu

How to Restrict VPN Access to SSL VPN Client Based on User, Service & Destination

09/07/2022 184 People found this article helpful 204,763 Views

    Download
    Print
    Share
    • LinkedIn
    • Twitter
    • Facebook
    • Email
    • Copy URL The link has been copied to clipboard

    Description

    How to Restrict VPN Access to SSL VPN Client Based on User, Service & Destination

    Resolution

    Resolution for SonicOS 7.X

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

     1) Restrict Access to Network behind SonicWall based on Users

    While Configuring SSLVPN in SonicWall, the important step is to create a User and add them to SSLVPN service group. So the Users who is not a member of SSLVPN Services Group cannot be able to connect using SSLVPN. You have option to define access to that users for local network in VPN access Tab.

    When a user is created, the user automatically becomes a member of Trusted Users and Everyone under the Device| Users | Local Users & Groups | Local Groups page. To use that User for SSLVPN Service, you need to make them as member of SSLVPN Services Group.

    Adding Address Objects:
     
    Login to your SonicWall Management page
    Click Object in the top navigation menu.
    Navigate to Objects | Address Objects, under Address objects click Add to create an address object for the computer or computers to be accessed by Restricted Access group as below.

     Image
        

    Adding and Configuring User Groups:

    1) Login to your SonicWall Management Page
    2) Navigate to Device | Users | Local Users & Groups | Local Groups, Click the configure button of SSLVPN Services. Click the VPN Access tab and remove all Address Objects from the Access List.
    3) Navigate to Users | Local Users & Groups | Local Groups, Click Add to create two custom user groups such as "Full Access" and "Restricted Access". Also make them as member of SSLVPN Services Group.
     
    For the "Full Access" user group under the VPN Access tab, select LAN Subnets.

    Image  Image Image

    • For the "Restricted Access" user group under the VPN Access tab, select Server (address object that you had previously created for the restricted computers). 

    Image  ImageImage

    2) Restrict Access to Services (Example: Terminal Service) using Access rule

    • Login to your SonicWall Management page
    • Navigate to Policy|Rules and Policies|Access rules
    • Select From SSLVPN To LAN
    • Click Add to create a rule

     Create the following access rules.

    • Creating an access rule to block all traffic from SSLVPN users to the network with Priority 2.
    • Creating an access rule to allow only Terminal Services traffic from SSLVPN users to the network with Priority 1.

     Note: If you have other zones like DMZ, create similar rules From SSLVPN to DMZ.

    Image Image

    Image

    3) Restrict Access to Destination host behind SonicWall using Access Rule

    In this scenario, SSLVPN users' access should be locked down to one host in the network, namely a Terminal Server on the LAN. It is assumed that SSLVPN service, User access list has already configured and further configuration involves:

    • Create an address object for the Terminal Server
    • Create 2 access rule from SSLVPN | LAN zone
     
    || Creating an address object for the Terminal Server

    • Login to the SonicWall management page.
    • Navigate to Object|Addresses, create the following address object.

    Image

    || Create 2 access rule from SSLVPN to LAN zone
     
    • Creating an access rule to block all traffic from remote VPN users to the network with Priority 2.
    • Creating an access rule to allow all traffic from remote VPN users to the Terminal Server with Priority 1.

    ImageImage

    Image


    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

     1) Restrict Access to Network behind SonicWall based on Users

    While Configuring SSLVPN in SonicWall, the important step is to create a User and add them to SSLVPN service group. So the Users who is not a member of SSLVPN Services Group cannot be able to connect using SSLVPN. You have option to define access to that users for local network in VPN access Tab.


    When a user is created, the user automatically becomes a member of Trusted Users and Everyone under the Manage | Users | Local Users & Groups | Local Groups page. To use that User for SSLVPN Service, you need to make them as member of SSLVPN Services Group.

    If you click on the configure tab for any one of the groups and if LAN Subnet is selected in VPN Access Tab, every user of that group can access any resource on the LAN. Following are the steps to restrict access based on user accounts.


    Adding Address Objects:

    Login to your SonicWall Management page

    Click Manage in the top navigation menu.
    Navigate to Objects | Address Objects, under Address objects click Add to create an address object for the computer or computers to be accessed by Restricted Access group as below.


    Image

    Adding and Configuring User Groups:

    1) Login to your SonicWall Management Page
    2) Navigate to Manage | Users | Local Users & Groups | Local Groups, Click the configure button of SSLVPN Services. Click the VPN Access tab and remove all Address Objects from the Access List.
    3) Navigate to Users | Local Users & Groups | Local Groups, Click Add to create two custom user groups such as "Full Access" and "Restricted Access". Also make them as member of SSLVPN Services Group.

    • For the "Full Access" user group under the VPN Access tab, select LAN Subnets.

     Image

    • For the "Restricted Access" user group under the VPN Access tab, select Server (address object that you had previously created for the restricted computers).

      Image



    2) Restrict Access to Services (Example: Terminal Service) using Access rule

    Login to your SonicWall Management page

    • Navigate to the Manage  |  Rules | Access Rules page.
    • Select From SSLVPN To LAN 
    • Click Add to create a rule

    Create the following access rules.

    • Creating an access rule to block all traffic from SSLVPN users to the network with Priority 2.
    • Creating an access rule to allow only Terminal Services traffic from SSLVPN users to the network with Priority 1.

    Note: If you have other zones like DMZ, create similar rules From SSLVPN to DMZ.
    Image
    Image



    3) Restrict Access to Destination host behind SonicWall using Access Rule

    In this scenario, SSLVPN users' access should be locked down to one host in the network, namely a Terminal Server on the LAN. It is assumed that SSLVPN service, User access list has already configured and further configuration involves:

    • Create an address object for the Terminal Server
    • Create 2 access rule from SSLVPN | LAN zone

    || Creating an address object for the Terminal Server

    • Login to the SonicWall management page.
    • Navigate to Manage | Objects | Address Objects, create the following address object.

    Image
    || Create 2 access rule from SSLVPN to LAN zone

    • Creating an access rule to block all traffic from remote VPN users to the network with Priority 2.
    • Creating an access rule to allow all traffic from remote VPN users to the Terminal Server with Priority 1.

    Image
    Image

    Resolution for SonicOS 6.2 and Below

    The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

     1) Restrict Access to Network behind SonicWall based on Users

    While Configuring SSLVPN in SonicWall, the important step is to create a User and add them to SSLVPN service group. So the Users who is not a member of SSLVPN Services Group cannot be able to connect using SSLVPN. You have option to define access to that users for local network in VPN access Tab.


    When a user is created, the user automatically becomes a member of Trusted Users and Everyone under the Users | Local Groups page. To use that User for SSLVPN Service, you need to make them as member of SSLVPN Services Group.

    If you click on the configure tab for any one of the groups and if LAN Subnet is selected in VPN Access Tab, every user of that group can access any resource on the LAN. Following are the steps to restrict access based on user accounts.


    Adding Address Objects:

    Login to your SonicWall Management page
    Navigate to Network | Address objects, under Address objects click Add to create an address object for the computer or computers to be accessed by Restricted Access group as below.?


    Image

    Adding and Configuring�User Groups:

    1) Login to your SonicWall Management Page
    2) Navigate to Users | Local Groups, Click the Configure button of SSLVPN Service Group. Click the VPN Access tab and remove all Address Objects from the Access List.
    3) Navigate to Users | Local Groups | Add Group, create two custom user groups such as "Full Access and Restricted Access". Also make them as member of SSLVPN Services Group.

    • For the "Full Access" user group under the VPN Access tab, select LAN Subnets.

    Image 

    • For the "Restricted Access" user group under the VPN Access tab, select Server (address object that you had previously created for the restricted computers).

      Image 



    2) Restrict Access to Services (Example: Terminal Service) using Access rule

    Login to your SonicWall Management page

    • Navigate to the Firewall | Access Rules page, on the right side click Matrix Radio Button
    • Select From SSLVPN To LAN in the matrix.

    Create the following access rules.

    • Creating an access rule to block all traffic from SSLVPN users to the network with Priority 2.
    • Creating an access rule to allow only Terminal Services traffic from SSLVPN users to the network with Priority 1.

    Note: If you have other zones like DMZ, create similar rules From SSLVPN to DMZ.
    Image
    Image



    3) Restrict Access to Destination host behind SonicWall using Access Rule

    In this scenario, SSLVPN users' access should be locked down to one host in the network, namely a Terminal Server on the LAN. It is assumed that SSLVPN service, User access list has already configured and further configuration involves:

    • Create an address object for the Terminal Server
    • Create 2 access rule from SSLVPN | LAN zone

    || Creating an address object for the Terminal Server

    • Login to the SonicWall management page.
    • Navigate to Network | Address Objects, create the following address object.

    Image
    || Create 2 access rule from SSLVPN | LAN zone

    • Creating an access rule to block all traffic from remote VPN users to the network with Priority 2.
    • Creating an access rule to allow all traffic from remote VPN users to the Terminal Server with Priority 1.

    Image
    Image

    Related Articles

    • How to Setup the SonicWave 600 series
    • Identical Access Rules for different users/user groups
    • Advanced Network Security eLearning Training Course

    Categories

    • Firewalls > SonicWall NSA Series
    • Firewalls > SonicWall SuperMassive 9000 Series
    • Firewalls > SonicWall SuperMassive E10000 Series
    • Firewalls > TZ Series

    Not Finding Your Answers?

    ASK THE COMMUNITY

    Was This Article Helpful?

    YESNO

    Article Helpful Form

    Article Not Helpful Form

    Company
    • Careers
    • News
    • Leadership
    • Awards
    • Press Kit
    • Contact Us
    Popular resources
    • Communities
    • Blog
    • SonicWall Capture Labs

    Stay In Touch

    • By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. You can unsubscribe at any time from the Preference Center.
    • This field is for validation purposes and should be left unchanged.
    • Facebook
    • Twitter
    • Linkedin
    • Youtube
    • Instagram

    © 2023 SonicWall. All Rights Reserved.

    • Legal
    • Privacy
    • English
    Scroll to top