Example: authenticating VPN client users

This scenario shows an example of restricting VPN access so that only specific users can access the secure network.

Company A’s employees include several consultants who frequently work at customer locations, but also remotely access Company A’s secure network. All users are stored in the Management Server’s internal directory, and there is a separate User Group called Consultants for accounts belonging to the consultants. The administrators have set up a mobile VPN for remote access. They want to allow all users to establish a VPN tunnel to the office, but allow only users in the Consultants group to access the secure network.

The administrators:
  1. Create a rule that establishes a VPN tunnel and allows users in the Consultants group to access the Secure Network after successful authentication:
    Source                              Destination     Service         Action       Authentication
    DHCP address range for VPN clients  Secure Network  HTTP, SSH, FTP  Enforce VPN  Consultants User Group;
    Internal Networks                                                                User Password Authentication

    • This rule allows any users in any directory that is defined in the SMC to authenticate to a VPN client if their allowed authentication methods include User Password.
    • This rule allows any user whose account is stored in the internal directory to use a VPN client to establish a VPN tunnel to the office.
  2. Create a rule to allow users who have established VPN tunnels to access the company’s internal networks from the DHCP-assigned IP addresses for VPN clients:
    Source                              Destination        Service  Action  Authentication
    DHCP address range for VPN clients  Internal Networks  ANY      Allow
  3. Transfer the policy to the firewall.
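The two rules above, modelled as a small first-match policy evaluator so the effect of rule order and of the Authentication cell can be checked offline. This is an added illustration, not SMC code: the Rule/Request classes, the fall-through-to-Discard default and the "no match when the user is not in the group" behaviour are assumptions of this model, and the sample requests are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

ANY = "ANY"  # service wildcard, as in the second rule's Service cell

@dataclass
class Rule:
    name: str
    sources: Set[str]
    destinations: Set[str]
    services: Set[str]                 # {"ANY"} matches every service
    action: str                        # "Enforce VPN" or "Allow"
    required_group: Optional[str] = None          # Authentication: user group
    auth_methods: Set[str] = field(default_factory=set)  # empty = no auth required

@dataclass
class Request:
    source: str            # network element the connection arrives from
    destination: str
    service: str
    groups: Set[str] = field(default_factory=set)   # groups the authenticated user belongs to
    auth_method: Optional[str] = None               # method the user authenticated with, if any

# Constructed policy mirroring the two rules in the example, in the same order.
POLICY = [
    Rule("Consultants to Secure Network",
         {"DHCP address range for VPN clients", "Internal Networks"},
         {"Secure Network"}, {"HTTP", "SSH", "FTP"}, "Enforce VPN",
         required_group="Consultants", auth_methods={"User Password"}),
    Rule("VPN clients to Internal Networks",
         {"DHCP address range for VPN clients"}, {"Internal Networks"},
         {ANY}, "Allow"),
]

def evaluate(req: Request, policy=POLICY) -> str:
    """First-match evaluation. A rule whose Authentication requirement is not
    met is skipped (assumption), and no match at all ends in Discard."""
    for rule in policy:
        if req.source not in rule.sources or req.destination not in rule.destinations:
            continue
        if ANY not in rule.services and req.service not in rule.services:
            continue
        if rule.auth_methods and req.auth_method not in rule.auth_methods:
            continue
        if rule.required_group and rule.required_group not in req.groups:
            continue
        return rule.action
    return "Discard"
```

A non-consultant on the VPN address range can still reach Internal Networks through the second rule, but a request for the Secure Network matches neither rule and is discarded.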