I've recently configured SSL VPN, and I've played around with some different policy settings. Right now I'm experiencing that a policy set for a user group fails to come into effect. I'll try and describe the scenario:
I have the default Domain SSLVPN, linked to the portal SSLVPN.
I have the default user group SSLVPN, and an additional user group called "SSL VPN User", both in the SSLVPN domain.
I have a user "admin" member of the SSLVPN group, and a user "am" member og the "SSL VPN User" group.
I have defined an SSL VPN Resource called "Web Resources" - this resource includes access to port 80 and some other ports I use for WebGUI access.
Furthermore I have imposed a global "Deny All" policy, denying access on all ports for all IP addresses.
Now the problem arise when I'm trying to apply the Web Resources policy to the different user groups.
I have permitted the "Web Resources" to the user group SSLVPN. This works, and when I log in with SSL VPN as "admin", I have access to the web resources.
Then I have permitted the "Web Resources" to the user group "SSL VPN User". This DOES NOT work, and when I log in with SSL VPN as the user "am" I DO NOT have access to the web resources, even though I should have this access. I have also tried to just give access to port 80 on my webserver (not using the Web Resource), this also doesn't work. It simply seems like the policies set for the "SSL VPN User" group do not apply at all.
Finally I assign permission to "Web Resources" for the user "am" specifically. This DOES work, and now I have SSL VPN access to the web resources again.
So the only thing not working is when I try to assign the resources to the user group I have created myself called "SSL VPN User". The problem is that I might well create more users in this group, and it would be nice to define a set of policies for this group only.
Can you please comment on this issue?
I just tried deleting the "Web Resources" rule from both the user "am" and the group "SSL VPN User", along with all other allowed resources for this group and user, so now the user "am" should not have access to anything on the network. But now it seems like the user rule for "am" (the Web Resources") is still in effect, because I can still access the webserver and the different WebGUI's. I know the global deny all is in effect, because I can't access FTP and SSH.