Virtual Private Networking Using SSL Connections
372
ProSecure Unified Threat Management (UTM) Appliance
For example, assume the following global policy configuration:
• Policy 1. A Deny rule has been configured to block all services to the IP address range
10.0.0.0–10.0.0.255.
• Policy 2. A Deny rule has been configured to block FTP access to 10.0.1.2–10.0.1.10.
• Policy 3. A Permit rule has been configured to allow FTP access to the predefined
network resource with the name FTP Servers. The FTP Servers network resource
includes the following addresses: 10.0.0.5–10.0.0.20 and the FQDN ftp.company.com,
which resolves to 10.0.1.3.
Assuming that no conflicting user or group policies have been configured, if a user attempted
to access FTP servers at the following addresses, the actions listed would occur:
• 10.0.0.1. The user would be blocked by Policy 1.
• 10.0.1.5. The user would be blocked by Policy 2.
• 10.0.0.10. The user would be granted access by Policy 3. The IP address range
10.0.0.5–10.0.0.20 is more specific than the IP address range that is defined in Policy 1.
• ftp.company.com. The user would be granted access by Policy 3. A single host name is
more specific than the IP address range that is configured in Policy 2.
Note: The user would not be able to access ftp.company.com using its IP
address 10.0.1.3. The UTM’s policy engine does not perform
reverse DNS lookups.
Note: When you use the SSL VPN Wizard to build a portal, a user policy
that permits access is automatically added for the user account that
you define with the SSL VPN Wizard.
Global Default Policy
The global default policy with destination 0.0.0.0/[0] and permission Deny prevents traffic
from any SSL VPN client to reach the LAN after an SSL VPN has been established. This is a
security measure. To provide access to the LAN, you would normally create new policies for
users or groups and permit restricted access to resources on the LAN.
If you want to provide global access to the LAN without restrictions, change the permission of
the global default policy to Permit. Alternately, you could provide global access to the LAN but
restrict access to a port or port range by specifying a port number or range of port numbers
for the global default policy and by changing the permission of the global default policy to
Permit.