I’m scanning the help files and don’t see a way to assign / reserve an IP for an SSL VPN user.

Any thoughts?

Thanks

2 Spice ups

You can’t. The IP of an SSL VPN user is assigned from a pool of addresses you configure.

What do you need a ‘static’ IP for SSL VPN users for?

If it’s about firewall rules, then you can use the SSL VPN username in your rules.

A workaround could be to set the client address statically in the SSL VPN client config and use a large enough IP address pool, so the statically assigned IP in the config would never be used by other ‘dynamic’ clients. I never tested it, but it should be possible to configure on the client side. But the question is whether the firewall will then set up the correct routing.

If you need a static IP for a certain user, it would be better to use IPSec, where you can configure each user individually. The downside is that IPSec won’t work from any remote location.

I meant that IPSec VPN connections are often blocked at hotspots and hotels, so the only working option that remains is (too) often SSL VPN.

1 Spice up

I’ve found that most users don’t want to deal with updating the client if there is a need. I moved to SSL and the support needs are few. If I could reserve addresses, it would be nice.

It’s a bit difficult when you compare it to the classic DHCP reservations that bind to a MAC address.

Here you would have to bind to a username.

As long as it’s just a few users… but you might remember that different appliances allow a different count of SSL VPN users. Already when you define the IP address pool, you get a notification that you are overstepping the licensed count if you set the pool too large.

Adding reservations would take away addresses available from the pool and soon you could run out of available addresses for dynamic assignment.

So I guess that WGRD would have to change the way they handle the whole SSL VPN licensing to enable per-user address reservations.

I hear you. I’m just used to being able to create reservations. Easier to lock down and log.

Sure - on ‘MY’ networks I also work with reservations - even for IPv6, so I always know what IP address I will get with my mobile devices. But for the VPN part that is a problem, I agree.