04-25-2018 07:12 AM
Greetings all,
I've been asked to set up a secure desktop for one of our departments. The desktop will need access to a few on-premises resources such as DHCP, DNS, and AD but, otherwise, it has to be restricted to allow connectivity only to a specific website.
I can do this simply with a VLAN setup but this leaves open the possibility of a mistake being made somewhere in our core that would allow other devices to route or access that VLAN.
Instead, I started to think about doing a Pre-Logon and Always-On VPN connection and just leave the device connected to the main building VLAN. This is something I've been meaning to implement anyways for a few other projects but I just haven't gotten around to it yet.
I'm trying to figure out the best way to go about this though and could use some input:
Thanks in advance.
04-25-2018 07:38 AM
Personally I think you are adding a lot of complexity when you don't actually need to. If you are worried that someone else could make a configuration change that could affect this VLAN, why not simply set up the interface with an access-group and be done with it? You could allow access to whatever is needed and wouldn't have to worry about anything on your cores affecting this port in any way at all.
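The access-group approach from the reply above, written out as an added example (not a configuration posted by anyone in this thread); it assumes Cisco IOS-style syntax, a port ACL on the access port, and constructed placeholder addresses for the DNS server, domain controller and the single permitted website:

```cisco
! Constructed example: 10.0.0.10 = DNS server, 10.0.0.20 = domain controller,
! 203.0.113.50 = the one website the desktop may reach. Adjust to your own addressing.
ip access-list extended SECURE-DESKTOP-IN
 remark DHCP client -> server (client has no address yet, so source must be any)
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any host 10.0.0.10 eq domain
 permit tcp any host 10.0.0.10 eq domain
 remark AD: Kerberos, LDAP/LDAPS, global catalog, SMB, RPC endpoint mapper + dynamic range, NTP
 permit udp any host 10.0.0.20 eq 88
 permit tcp any host 10.0.0.20 eq 88
 permit tcp any host 10.0.0.20 eq 389
 permit udp any host 10.0.0.20 eq 389
 permit tcp any host 10.0.0.20 eq 636
 permit tcp any host 10.0.0.20 eq 3268
 permit tcp any host 10.0.0.20 eq 445
 permit tcp any host 10.0.0.20 eq 135
 permit tcp any host 10.0.0.20 range 49152 65535
 permit udp any host 10.0.0.20 eq ntp
 remark The single permitted website, HTTPS only
 permit tcp any host 203.0.113.50 eq 443
 remark Everything else is dropped and logged so misrouting or misuse shows up in syslog
 deny ip any any log
!
interface GigabitEthernet1/0/5
 description Secure desktop - restricted by port ACL, independent of core routing
 switchport mode access
 switchport access vlan 10
 ip access-group SECURE-DESKTOP-IN in
```

Because the ACL is applied inbound on the desktop's own port, a routing or VLAN mistake elsewhere in the core cannot widen what this host can reach; the `log` keyword on the final deny gives you a record of anything the desktop tried that was outside the allow-list.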
04-25-2018 07:41 AM
@BPry it seemed like a good idea at first just from the security aspect of it... no matter what is done with this computer or upstream network config, it would always have encrypted traffic going directly to the firewall. They could even move it to another network and it would still just work and be secure.
I agree that it seems pretty complicated now that I've started diving into the config. I may revise this and look back at the VLAN option although I still need to figure out all of the pre-logon/always-on VPN stuff for some of the other projects I mentioned.
04-25-2018 07:44 AM
This would have been a great test for that until you mentioned that you didn't want the user to inherit their access while on this machine.
04-25-2018 07:57 AM
Yeah and I think the only way to do that is the separate portal. We have two other use cases:
With #1 a separate portal may not be necessary as the pre-logon connection is what is really important for the AD login. After login, the VPN could be always on with SSO or On-Demand.
With #2 a separate portal may also not be strictly necessary since we're primarily concerned here with transfer of sensitive data over the wireless segment.
That being said, it seems like having a second portal just for this kind of connectivity could really open some options for better control over the types of connectivity the same users have access to on other portals (i.e. one portal for general VPN client access, another one for pre-logon, etc.).
04-25-2018 03:27 PM
Hello,
Just a few ideas but first let me address this question from the original post:
For this I would have a separate account for the users needing to access this machine. So either a different portal and zone, or policies restricting traffic based on username would help here.
For:
Just have them VPN prior to transferring any data and then you are secure. One way I got around this problem was wireless users can only access internet resources. They need to VPN to access internal resources. However that solution is very politically charged.
I think you are on the correct path with multiple options.