SMA100: Access Policy to allow RDP but block all services over NetExtender/Mobile Connect

06/16/2020 4 1680

DESCRIPTION:

The Secure Mobile Access web-based management interface provides granular control of access to the SMA appliance. Access policies provide different levels of access to the various network resources that are accessible using the SMA appliance. There are three levels of access policies: global, groups, and users. You can block and permit access by creating access policies for an IP address, an IP address range, all addresses, or a network object.

RESOLUTION:

Access Policy Hierarchy:
An administrator can define user, group and global policies to predefined network objects, IP addresses, address ranges, or all IP addresses and to different Secure Mobile Access services. Certain policies take precedence.
The Secure Mobile Access policy hierarchy is:
• User policies take precedence over group policies
• Group policies take precedence over global policies
• If two or more user, group or global policies are configured, the most specific policy takes precedence

EXAMPLE: Let us consider that we have a user test connecting to the SMA using NetExtender and once connected would like to get access to IP: 172.27.64.194 which is present on X0. We want it to be able to only RDP to this client and allow no other services like Telnet, ping etc.

To achieve this, we can create two set of policies.

1.  A global deny rule that blocks all traffic to that IP address. You can also set this for the entire network at a global level and allow access on group and user level. In this example, we are creating these rules specific to one IP address.
   Navigate to Services | Policies and click on Add Policy. Select the following for the policy.
   Policy Owner: Global Policy
   Policy Name: Block all services
   Apply Policy To: IP address
   IP Address: 172.27.64.194
   Protocols: ALL
   Service: All Services
   Status: Deny
   Click on Accept.
   

   

2. A group level policy to allow RDP to the same IP address.
   Click on Add policy. Select the following for the policy.
   Policy Owner: Group policy (support)
   Policy Name: Allow only RDP
   Apply Policy To: IP address
   IP Address: 172.27.64.194
   Protocols: TCP
   Port Range/Port Number: 3389
   Service: All Services
   Status: Allow
   Click on Accept.
   

   

NOTE: It is highly important to select the Services as 'All Services' and explicitly mention the port number. There is also an option to select the service as 'Terminal Services RDP' but that will not trigger for connections made using NetExtender or Mobile Connect.

Both the policies will show up and it does not matter which one is on top of the list as the allow policy is created on group level and takes precedence over the deny rule at global level.

How to Test:
Connect using the user 'test' that belongs to the group 'support' and perform RDP and ping tests to 172.27.64.194 post connection.

The ping test fails due to the global policy:

The RDP connection succeeds due to the group policy: