Support User Manuals

NETGEAR UTM5EW-100NAS Router User Manual

Open as PDF

of 704

Virtual Private Networking Using SSL Connections

372

ProSecure Unified Threat Management (UTM) Appliance

For example, assume the following global policy configuration:

• Policy 1. A Deny rule has been configured to block all services to the IP address range

10.0.0.0–10.0.0.255.

• Policy 2. A Deny rule has been configured to block FTP access to 10.0.1.2–10.0.1.10.

• Policy 3. A Permit rule has been configured to allow FTP access to the predefined

network resource with the name FTP Servers. The FTP Servers network resource

includes the following addresses: 10.0.0.5–10.0.0.20 and the FQDN ftp.company.com,

which resolves to 10.0.1.3.

Assuming that no conflicting user or group policies have been configured, if a user attempted

to access FTP servers at the following addresses, the actions listed would occur:

• 10.0.0.1. The user would be blocked by Policy 1.

• 10.0.1.5. The user would be blocked by Policy 2.

• 10.0.0.10. The user would be granted access by Policy 3. The IP address range

10.0.0.5–10.0.0.20 is more specific than the IP address range that is defined in Policy 1.

• ftp.company.com. The user would be granted access by Policy 3. A single host name is

more specific than the IP address range that is configured in Policy 2.

Note: The user would not be able to access ftp.company.com using its IP

address 10.0.1.3. The UTM’s policy engine does not perform

reverse DNS lookups.

Note: When you use the SSL VPN Wizard to build a portal, a user policy

that permits access is automatically added for the user account that

you define with the SSL VPN Wizard.

Global Default Policy

The global default policy with destination 0.0.0.0/[0] and permission Deny prevents traffic

from any SSL VPN client to reach the LAN after an SSL VPN has been established. This is a

security measure. To provide access to the LAN, you would normally create new policies for

users or groups and permit restricted access to resources on the LAN.

If you want to provide global access to the LAN without restrictions, change the permission of

the global default policy to Permit. Alternately, you could provide global access to the LAN but

restrict access to a port or port range by specifying a port number or range of port numbers

for the global default policy and by changing the permission of the global default policy to

Permit.

previous next