We have a couple of SSGs in front of a small cluster of our servers and want to limit access to portions of the network a little more.
Specifically part of the software we use has a public side for our clients to access and then a staff side.
We want to leave the public portions available to anybody on the net (unless the SSG is blocking the IPs) and then have the /staff interface only accessible to those who are VPNd into the network.
Is this something we can do with a SSL VPN + SSG combo? Or is there another product to do this?
I know we can restrict access to any portion of the web server to specific IP addresses. But we aren't familiar with how the SSL VPN works. Essentially, we need our remote workers to be able to access those resoruces even though they have dynamic IPs at home. So we can't restrict it via the firewall or web server unless they are VPNed in.
So if we restrict access for /staff to the IP of the SA, only users who VPN in can access it? Is that correct?
I ask this because we have different answers from 2 people now and need confirmation one way or the other.
I might be totally missing your question. It does not really sound like a SSL-VPN issue. If you lock down your application to only accept input from the same IP as the inside I/F of the SSL box and you grant your staff WEB access to the application through the SSL then, YES you will accomplish your objective.
But the SSL is only allowing access to the resource. The deny has nothing to do with it unless you are talking about using the SSL for both staff and non-staff and using two different policies. Again in that case it will work fine.
Sorry if I am not understanding your question properly.
If your staff users are accessing the app via the SSL VPN, they will always connect to your internal web resource from the internal interface address of the SSL VPN box. So, if your non-staff users connect directly from the internet (through a NAT) to that same resourse, yes, they will be coming from a different source address than your staff users. If you also admin the firewalls, you should be able to track both guest and staff connections from outside, through your firewall, (into the sslvpn) and onto the web resource.
If not, your firewall admin needs to verify that the traffic reaching your web resource is distinguishable (guest/staff). If not, they would need to modify their nat policies.