Is there a way to restrict SSLVPN access BY DEVICE and not just by user?

The situation is that I can control who has remote VPN access but I cannot control what device they access it with. Someone could easily install NetExtender on their non-company managed device and have access to our network.

I am just trying to figure out if there is some way I can enforce access controls at both the user and device level.

The SonicWall Firewall’s built-in SSLVPN service does not have this functionality. You’d have to look into an SMA for this capability.

There is somewhat of a way around this. To lock down VPN via GeoIP, we’ve set up DDNS clients on approved devices and the users do not have the credentials to the DDNS client. On the SonicWall side of things, we’ve added those devices by FQDN. Anything else is not approved.

Create address objects for each MAC address you want to allow, or create DHCP reservations for each using a contiguous range.

Then add all the address objects to a group, or create a range that covers the allowed IP range.

Create an SSLVPN to LAN rule that allows the address objects. Then create another rule with priority +1 that denies all traffic.

Allowed devices will hit the first rule and be allowed while everything else will hit the second rule and be blocked.

Would also like to know this, something I’ve wanted for a while but never found an answer for.

I wonder if the SonicWall SMA devices (as opposed to NSA / TZ firewalls) support device authentication or something?

This is my scenario:

  1. Install python3 on the file server; for example, this server's NetBIOS name is: filesrv
    NetBIOS name is: filesrv
    IP address: 192.168.1.10
    2) Create a folder for the netextender folder
    3) Put the netextender created folder
  2. Open the cmd prompt and go to the netextender folder via the “cd” command
  3. Type this command: python3 -m http.server 80 (this command creates a mini web server on this file server).
  4. Check the firewall on the file server. It must be accessible via outbound to local web port 80
  5. Publish this web server via WAN and create subdomain name filesrv (not netextender)
  6. Edit the managed clients' hosts file and add the below config:
    Hosts file path: “c:\Windows\System32\Drivers\etc\hosts”
    netextendersrv.YOURCOMPANYDOMAIN.COM WANIP
  7. SSLVPN / Server Settings / SSL VPN Client Download URL / Use customer’s HTTP server as downloading URL: enable and add the below link (for SonicOS 6)
    http://netextendersrv.YOURCOMPANYDOMAIN.COM/netextenderzipfilename.zip
    The scenario is basic: the managed computer has a different name for the file server, and if the user logs in via a managed PC, they can access the file server.
    I hope this is useful for this case

I didn’t think so, thanks.

Can you please help on how I can do this?
I am a newbie and need some instructions.
We are also trying to set up our SSLVPN in a way that unapproved devices on the SSLVPN should not be able to communicate with the LAN.

So ssl vpn to LAN = deny (unless coming from an approved device).

Nice. I was thinking about doing this but I forget why I thought it wouldn’t work… give it another try

But how would the firewall read the MAC addresses which are on SSL VPN?
Is SonicWall able to read MAC addresses of devices which are on the SSL VPN zone?