We have an SSL VPN "on-a-stick"...
We configured 2 IPs on an interface (physical and virtual).
Is there a way to restrict "/admin" access on the virtual interface?
Is there any KB or doc link on this?
Michael - Ron's post answered your question. If you go to Admin Realm / Auth Policy / Source IP - you can handle allowing or blocking based on IP ranges. It would be much easier to write a policy that only allowed access from internal IP addressing than to write one that blocked all public addresses, though.
Also - please note that the "admin" URL can also be changed. This is a cheap security measure that a lot of my clients implement. On the "Authentication / Signing In" page change the value of the word */admin to read something (anything) else. This will lock out or hide the admin page from the user who knows about the SSL box and is looking to try and hack.
I have been looking for a way to do this as well, but it does not look like there is a way. If you have application-layer firewalls, you can block access to the /admin page there. It looks like all /URLs are available from all interfaces, so you can lock it down by doing what Kevin said, but not even showing the page to the external user is not a built-in option.
Do you have a list of internal IPs/subnets you can allow on the admin realm?
If you have the actual external port configured, deny admin login on the external port.
I changed the URL but the following URL still allowed access
If you only change the string, rather than create a new URL, connecting to the default redirected URL will work, which is what you have there. To prevent access to /admin, you will need to create a new admin URL and then disable the default.
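The Source IP suggestion made earlier in the thread (allow internal ranges rather than block every public one), as an added example that is not part of any post or of the vendor's configuration. It assumes "internal IP addressing" means the three RFC 1918 ranges and that anything not allowed is denied; all function names are hypothetical.

```python
import ipaddress

# Assumption: "internal IP addressing" = the RFC 1918 private ranges.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def allowed_by_allow_list(src, allow=INTERNAL):
    """Allow-list policy: permit the listed ranges, deny everything else."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allow)

def public_deny_list(allow=INTERNAL):
    """Smallest set of CIDR blocks that denies every IPv4 address outside `allow`."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in allow:
        nxt = []
        for block in remaining:
            if net.subnet_of(block):
                # Carve the allowed range out of the block that contains it.
                nxt.extend(block.address_exclude(net))
            elif not block.subnet_of(net):
                nxt.append(block)  # unrelated block, keep it denied
        remaining = nxt
    return sorted(remaining)

def allowed_by_deny_list(src, deny):
    """Deny-list policy: block the listed ranges, permit everything else.
    A range missing from `deny` is silently permitted (fails open)."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in deny)

# Constructed sample source addresses (private, documentation and edge cases).
SAMPLES = ("10.1.2.3", "172.20.0.9", "192.168.1.50",
           "203.0.113.7", "172.32.0.1", "192.169.0.1")

if __name__ == "__main__":
    deny = public_deny_list()
    print(f"{len(INTERNAL)} allow rules vs {len(deny)} deny rules")
    for src in SAMPLES:
        print(f"{src:15} allow-list={allowed_by_allow_list(src)} "
              f"deny-list={allowed_by_deny_list(src, deny)}")
```

Both policies give the same decisions, but the deny-list form needs roughly ten times as many rules and permits any range that is left out by mistake.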