Restricting "/admin" access on SSL VPN

Regular Contributor

Restricting "/admin" access on SSL VPN

Hi all,

We have an SSL VPN "on-a-stick"...

We configured 2 IPs on an interface (physical and virtual).

Is there a way to restrict "/admin" access on the virtual interface?

Is there any KB or doc link on this?

8 REPLIES
Occasional Contributor

Re: Restricting "/admin" access on SSL VPN

On the admin realm, you can configure IP based restrictions to particular source IP address-ranges. We typically do this for one-armed setups like yours to restrict admin access to internal subnets only.

Ron

Regular Contributor

Re: Restricting "/admin" access on SSL VPN

Hi Ron,

Thanks for sharing.
Is there a way to block "/admin" access from external IP?
Valued Contributor

Re: Restricting "/admin" access on SSL VPN

Michael - Ron's post answered your question. If you go to Admin Realm / Auth Policy / Source IP - you can handle allowing or blocking based on IP ranges. It would be much easier to write a policy that only allowed access from internal IP addressing than to write one that blocked all public addresses, though :)

Also - please note that the "admin" URL can also be changed. This is a cheap security measure that a lot of my clients implement. On the "Authentication / Signing In" page change the value of the word */admin to read something (anything) else. This will lock out or hide the admin page from the user who knows about the SSL box and is looking to try and hack.

Regular Contributor

Re: Restricting "/admin" access on SSL VPN

Thanks, Kevin.

I was looking for a way for the 'administrators' page to be blocked from external access (i.e. admin page not to be accessible from external access).

Super Contributor

Re: Restricting "/admin" access on SSL VPN

Michael,

I have been looking for a way to do this as well, but it does not look like there is a way. If you have application layer firewalls, you can block access to the /admin page in there. It looks like all /URLs are available from all interfaces, so you can lock it down by doing what Kevin said, but not even showing the page to the external user is not a built-in option.

Frequent Contributor

Re: Restricting "/admin" access on SSL VPN

I changed URL but the following URL still allowed access

https://10.16.10.105/dana-na/auth/url_admin/welcome.cgi

Respected Contributor

Re: Restricting "/admin" access on SSL VPN

Do you have a list of internal IPs/subnets you can allow on the admin realm?

If you have the actual external port configured, deny admin login on the external port.

Respected Contributor

Re: Restricting "/admin" access on SSL VPN


@RexPGP wrote:

I changed URL but the following URL still allowed access

https://10.16.10.105/dana-na/auth/url_admin/welcome.cgi

If you only change the string, rather than create a new URL, connecting to the default redirected URL will work, which is what you have there. To prevent access to /admin, you will need to create a new admin URL and then disable the default.
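
A check to run against your own appliance from an external address after making the change discussed in this thread, added here as an example and not posted by any participant: it probes the two admin paths quoted above and reports which still serve a page. The verdict names, the host `vpn.example.invalid`, the constructed responses, and the assumption that an HTTP 200 at an admin path means the sign-in page is still served are all illustrative.

```python
import urllib.error
import urllib.request

# Paths quoted in the thread: the default admin sign-in URL and the
# redirected form that still answered after only the string was edited.
ADMIN_PATHS = ["/admin", "/dana-na/auth/url_admin/welcome.cgi"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx itself instead of following it


def fetch_status(base, path, timeout=5):
    """Return (status, Location) for base+path; status 0 means no HTTP answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base + path, timeout=timeout) as resp:
            return resp.status, ""
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx land here
        return err.code, err.headers.get("Location", "")
    except OSError:                         # refused, timeout, TLS failure
        return 0, ""


def classify(status, location=""):
    """Map one probe result to a verdict for the audit report."""
    if status == 200:
        return "exposed"                    # assumption: a page was served here
    if 300 <= status < 400:
        return "redirect -> " + location    # review where the device sends you
    if status == 0:
        return "unreachable"
    return "blocked"                        # 4xx/5xx: nothing served here


def audit(base, fetch=fetch_status, paths=ADMIN_PATHS):
    """Probe every admin path and return {path: verdict}."""
    return {p: classify(*fetch(base, p)) for p in paths}


def constructed_fetch(base, path):
    # Constructed responses modelling the thread: the /admin string was
    # edited, but the default redirected URL still serves the sign-in page.
    return {"/admin": (404, "")}.get(path, (200, ""))


if __name__ == "__main__":
    print(audit("https://vpn.example.invalid", fetch=constructed_fetch))
```

Calling `audit("https://<your appliance>")` without the `fetch` argument performs the real requests; a certificate the client does not trust is reported as `unreachable`, not as `blocked`.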