In user objects, you can enter either X.509 certificate patterns or VPN user patterns to reference VPN users and groups. With the use of the VPN Client & Network Access Client 5.x, you can also reference users by policy role patterns.
Combining fields is also possible. For example, you can enforce a VPN connection, by entering the required VPN user patterns and requiring a matching X.509 certificate to be installed in the browser application by entering required X.509 certificate patterns.
Create a User Object for VPN Users
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
Click Lock.
In the left menu, select Users and Groups.
Right-click the table and select New.
In the Edit/Create User Object window, enter a Name for the user object. E.g.,
VPN Users
Click New to add a user condition. The User Condition window opens.
If you are using the VPN Client & Network Access Client 5.x, enter the policy roles patterns in the Policy Roles Patterns section.
Select the required condition from the list.
Click Add and select one or more patterns. If a condition must not apply, select the Negative Match check box.
To use a certificate, click Edit in the X509 Certificate Pattern section and specify the certificate conditions:
Subject/Issuer – The subject/issuer of the affected X.509 certificate.
Policy/AltName – The ISO number and the SubjectAltName according to the certificate.
If applicable, enter the required VPN login and group policy the object has to apply to in the VPN User Pattern section:
VPN Name – The required VPN login name. Using wildcards (?, *) is allowed. For example, enter
*username*
when using external authentication.VPN Group – The required VPN group policy that the object has to apply to.
Authentication Method – In this section, you can specify the following settings:
Origin – Defines the type of originator (see User Objects).
Service/Box – Allows enforcing authentication on a certain service/box.
Click OK.
After you specify the conditions for all of the users that you want to include in this object, click OK to create the user object.
Click Send Changes and Activate.
Apply a User Object to an Access Rule
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
Click Lock.
Edit the access rule that you want to apply to the user object.
From the Authenticated User list, select the user object.
Click OK.
Click Send Changes and Activate.