Access Control on Access Server
Access control is a core security tool: it grants users or groups access to the services and tools they need to do their job, and it restricts everything else so that other services and tools remain available only to specific users.
Access Control Levels and Patterns
Access Server is software developed by OpenVPN for configuring and managing network access over VPN. It provides encrypted access to your network across the untrusted Internet and lets you determine precisely which user can reach which resources.
Access control in Access Server works on three levels:
- Global level - general access for all VPN users.
- Group level - access for specific groups of users.
- User level - individual access for a specific user.
Let's say you need to grant access, as in this scenario:
- All VPN users need access to the print server. Grant global access to the print server at IP address 10.0.0.1.
- Only the web team should have access to the development server. Grant that team access to the development server at IP address 10.0.0.2.
- Only one member of the operations team needs access to the production server. Grant that user individual access to the production server at 10.0.0.3.
Implementing this scenario requires several servers, each performing its own function and each with a unique IP address.
Access control rules on the Access Server can be represented by the following points:
- A user can belong to one group or to none (in the latter case they have only the global access rights).
- If a user belongs to two groups, their access rights are the combination of both groups' access and the global level: the user inherits the access granted to each group they belong to, plus the access granted globally.
- A user can have additional access defined on their own account.
- Each user group automatically receives the access rights that are defined at the global level for all network users.
- A group can have additional access defined for the group.
- Global access applies to all groups and users.
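The rules above define how the three levels combine: a user's effective access is the union of the global grants, the grants of every group the user belongs to, and the user's own grants. The following Python model, added here as an example and not part of the article or of OpenVPN's software, applies those rules to the scenario's three servers so an administrator can review the resulting matrix before touching the Admin Web UI. The user names, the `AccessPolicy` class and the `access_matrix` helper are constructed for illustration.

```python
# Added example (not from the article or from OpenVPN): a model of how
# Access Server combines global, group and user-level access rules,
# applied to the three servers in the scenario above. User names and the
# AccessPolicy class are hypothetical; the merge rules are the article's.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AccessPolicy:
    global_rules: set = field(default_factory=set)   # subnets every VPN user may reach
    group_rules: dict = field(default_factory=dict)  # group name -> set of subnets
    user_rules: dict = field(default_factory=dict)   # user name -> set of subnets
    membership: dict = field(default_factory=dict)   # user name -> set of group names

    def effective_subnets(self, user):
        """Union of global access, every group the user belongs to, and the user's own grants."""
        allowed = set(self.global_rules)
        for group in self.membership.get(user, ()):
            allowed |= self.group_rules.get(group, set())
        allowed |= self.user_rules.get(user, set())
        return {ipaddress.ip_network(s, strict=False) for s in allowed}

    def can_reach(self, user, host):
        """True if any effective subnet contains the host address."""
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.effective_subnets(user))


# Constructed scenario matching the article: print server 10.0.0.1 for everyone,
# development server 10.0.0.2 for the web team, production 10.0.0.3 for one ops user.
POLICY = AccessPolicy(
    global_rules={"10.0.0.1/32"},
    group_rules={"web": {"10.0.0.2/32"}, "ops": set()},
    user_rules={"carol": {"10.0.0.3/32"}},
    membership={"alice": {"web"}, "bob": {"ops"}, "carol": {"ops"}, "dave": set()},
)

USERS = ["alice", "bob", "carol", "dave"]
HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]


def access_matrix(policy, users, hosts):
    """Rows of (user, host, allowed): the least-privilege review table."""
    return [(u, h, policy.can_reach(u, h)) for u in users for h in hosts]


if __name__ == "__main__":
    for user, host, ok in access_matrix(POLICY, USERS, HOSTS):
        print(f"{user:6} -> {host}: {'ALLOW' if ok else 'deny'}")
```

Running the script prints one row per user and server; the expected picture is that every user reaches 10.0.0.1, only the web-team member reaches 10.0.0.2, and only the single ops user with an individual grant reaches 10.0.0.3, while the other ops member does not, which is exactly the separation the scenario asks for.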
Types of access and their configuration
Configuring global access grants all VPN users access to a specific resource identified by its subnet. The steps are:
- Log in to the Admin Web UI.
- Go to Configuration > VPN Settings.
- In the Routing section, enable private-subnet access by selecting Yes, using NAT. NAT (Network Address Translation) rewrites the IP addresses in packet headers as they pass through a router or firewall, which lets multiple devices on a local network share one public IP address when reaching an external network. Here it ensures a correct return route for VPN traffic and masks the internal IP addresses.
- For private subnets, enter the subnet for the resource (for example, for a print server, enter "10.0.0.1/32").
Setting up group access involves the following steps:
- Log in to the Admin Web UI.
- Go to User Management > Group permissions.
- For the group that needs to be granted access, click Advanced settings.
- In the Access control section, set Use access control to Yes.
- Configure access to networks and services, groups, and users.
Steps for configuring access to networks and services:
- Click Advanced settings for the group that is being granted access privileges.
- Set Use access control to Yes.
- In the Allow access to section, enter subnets in network/netmask-bits (CIDR) format, or services in the network/netmask-bits:services format.
- Click Save settings and Update running server.
By default, groups are isolated from each other and from users within the group. To grant access to groups, you can follow these steps:
- Click Advanced settings for the group.
- Set Use access control to Yes.
- In the Allow access to section, select the group name from the list.
- Click Save settings and Update running server.
The algorithm for granting group access to specific users:
- Click Advanced settings for the group.
- Set Use access control to Yes.
- In the Allow access to section, select the user from the list.
- Click Save settings and Update running server.
Steps to grant a specific user access to a resource identified by its subnet:
- Log in to the Admin Web UI.
- Go to User Management > User Permissions.
- For the user you want to grant access to, click Advanced Settings.
- In the Access Management section, select Use NAT as the addressing method.
- In the Allow access to these networks section, enter the subnet for the resource (for example, for a production server, enter "10.0.0.3/32").
If you need to delete all global access control rules:
- Log in to the Admin Web UI.
- Go to Configuration > VPN Settings.
- In the Routing section, set the private-subnet access parameter (the one set to Yes, using NAT when enabling global access) to No.
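The three procedures above (global, group and user access) can also be expressed as a reviewable script for `sacli`, Access Server's command-line interface, which is useful when the policy must be reproducible or checked in to version control rather than clicked through. The Python below is an added example, not code from the article or from OpenVPN. It assumes `sacli` at its default install path, and that the `vpn.server.routing.private_access` / `vpn.server.routing.private_network.N` keys, the `type`, `group_declare` and `conn_group` properties, and the `access_to.N` values of the form `+SUBNET:`, `+GROUP:` and `+USER:` match the sacli conventions documented for your server version; the group and user names are constructed. By default it only renders the commands; `--apply` executes them.

```python
# Added example (not from the article or from OpenVPN): renders the scenario's
# global, group and user access rules as sacli command lines so the policy can
# be reviewed as text before it is applied. Assumptions: sacli lives at the
# default install path below, and the configuration keys / access_to value
# forms follow OpenVPN's documented sacli usage for the server version in use.
import shlex
import subprocess
import sys

SACLI = "/usr/local/openvpn_as/scripts/sacli"  # default install location (assumed)


def global_access_cmds(subnets, method="nat"):
    """Global level: private-subnet access for every VPN user (Configuration > VPN Settings)."""
    cmds = [[SACLI, "--key", "vpn.server.routing.private_access", "--value", method, "ConfigPut"]]
    for i, net in enumerate(subnets):
        cmds.append([SACLI, "--key", f"vpn.server.routing.private_network.{i}",
                     "--value", net, "ConfigPut"])
    return cmds


def group_cmds(group, subnets=(), groups=(), users=()):
    """Group level: declare the group, then list the subnets, groups and users it may reach."""
    cmds = [
        [SACLI, "--user", group, "--key", "type", "--value", "group", "UserPropPut"],
        [SACLI, "--user", group, "--key", "group_declare", "--value", "true", "UserPropPut"],
    ]
    targets = ([f"+SUBNET:{n}" for n in subnets]
               + [f"+GROUP:{g}" for g in groups]
               + [f"+USER:{u}" for u in users])
    for i, value in enumerate(targets):
        cmds.append([SACLI, "--user", group, "--key", f"access_to.{i}",
                     "--value", value, "UserPropPut"])
    return cmds


def user_cmds(user, group=None, subnets=()):
    """User level: place the user in a group and add individual subnet grants on top."""
    cmds = []
    if group:
        cmds.append([SACLI, "--user", user, "--key", "conn_group", "--value", group, "UserPropPut"])
    for i, net in enumerate(subnets):
        cmds.append([SACLI, "--user", user, "--key", f"access_to.{i}",
                     "--value", f"+SUBNET:{net}", "UserPropPut"])
    return cmds


def scenario_cmds():
    """The article's scenario: print server for all, dev server for the web team,
    production server for one ops user. Group and user names are constructed."""
    cmds = []
    cmds += global_access_cmds(["10.0.0.1/32"])
    cmds += group_cmds("web", subnets=["10.0.0.2/32"])
    cmds += group_cmds("ops")
    cmds += user_cmds("alice", group="web")
    cmds += user_cmds("carol", group="ops", subnets=["10.0.0.3/32"])
    cmds.append([SACLI, "start"])  # applies the change, like "Update running server"
    return cmds


def render(cmds):
    """Shell-quoted command lines for review or for committing to a repository."""
    return "\n".join(shlex.join(c) for c in cmds)


def apply_cmds(cmds):
    """Execute the commands in order, stopping on the first failure."""
    for c in cmds:
        subprocess.run(c, check=True)


if __name__ == "__main__":
    commands = scenario_cmds()
    if "--apply" in sys.argv:
        apply_cmds(commands)
    else:
        print(render(commands))
```

Reviewing the rendered output is the same check an administrator would do in the Admin Web UI: the only `/32` that appears under a user account is the production server for the single ops user, and the only one under a group is the development server for the web team, while the print server appears solely at the global level.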
Properly configured access control on Access Server gives you security and control over who reaches which resources. It lets you separate access between users and groups, limiting each to only the resources they need.
Private VPN server: an effective access control tool
Using a private VPN server allows you to flexibly manage access to resources, which is especially important in a corporate environment. A private VPN server can be configured to comply with all of the above principles and access control rules, providing an additional level of security and control.
You can rent or buy a private VPN server on favorable terms on the VPN.how website.