Re: Restricting "/admin" access on SSL VPN

michael.saw_ · ‎04-28-2012

Hi all,

We have a SSL VPN "on-a-stick"...

we configured 2 IPs on an interface (physical and virtual).

Is there a way to restricting "/admin" access on the virtual interface?

Is there any kb or doc link on this?

ronf_ · ‎04-29-2012

On the admin realm, you can configure IP based restrictions to particular source IP address-ranges. We typically do this for one-armed setups like yours to restrict admin access to internal subnets only. Ron

michael.saw_ · ‎04-29-2012

Hi Ron,

Thanks for sharing.
Is there a way to block "/admin" access from external IP?

muttbarker_ · ‎04-30-2012

Michael - Ron's post answered your question. If you go to Admin Realm / Auth Policy / Source IP - you can handle allow or blocking based on IP ranges. It would be much easier to write a policy tha only allowed access from internal IP addressing than to write one that blocked all public address though

Also - please note that the "admin" URL can also be changed. This is a cheap security measure that a lof of my clients implement. On the "Authentication / Signing In" page change the value of the word */admin to read something (anything) else. This will lockout or hide the admin page from the user who knows about the SSL box and is looking to try and hack.

michael.saw_ · ‎05-01-2012

Thanks, Kevin.

I was looking for a way for the 'administrators' page to be blocked from external access(i.e admin page not to be accessible from external access)

Mrkool_ · ‎05-01-2012

Michael ,

I have been looking for a way to do this as well but does not look like there is a way. If you have Application layer firewalls you can block access to the /admin page in there. It looks like all /URLs are available from all interfaces so you can lock it down by doing what Kevin said but not even show the page to the external user is not something that is built in option.

RexPGP_ · ‎05-01-2012

I changed URL but the folliowing URL still allowed access

https://10.16.10.105/dana-na/auth/url_admin/welcome.cgi

zanyterp_ · ‎05-02-2012

Do you have a list of internal IPs/subnets you can allow on the admin realm?

If you have the actual external port configured, deny admin login on the external port.

zanyterp_ · ‎05-02-2012

@RexPGP wrote:

I changed URL but the folliowing URL still allowed access

https://10.16.10.105/dana-na/auth/url_admin/welcome.cgi

If you only change the string, rather than create a new URL, connecting to the default redirected URL will work, which is what you have there. To prevent access to /admin, you will need to create a new admin URL and then disable the default.