prevent cascade connection by solo user account

colapig
Posts: 148
Joined: Tue Oct 14, 2014 5:36 am

prevent cascade connection by solo user account

Post by colapig » Mon Jan 05, 2015 2:24 am

I created a user account for an individual user. How can I prevent the user from using this account in a cascade connection?

dajhorn
Posts: 137
Joined: Mon Mar 24, 2014 3:59 am

Re: prevent cascade connection by solo user account

Post by dajhorn » Thu Jan 08, 2015 6:25 am

In the user properties dialog, enable "Set Security Policy" and try something like "Deny Bridge Operation".

colapig
Posts: 148
Joined: Tue Oct 14, 2014 5:36 am

Re: prevent cascade connection by solo user account

Post by colapig » Thu Jan 08, 2015 7:30 am

Thanks for your reply.
I tried the setting, but the cascade function can still be online. The cascade status is online (established) when I check Manage Cascade Connections.

dajhorn
Posts: 137
Joined: Mon Mar 24, 2014 3:59 am

Re: prevent cascade connection by solo user account

Post by dajhorn » Thu Jan 08, 2015 8:24 am

I don't know whether there is a way to actually block Cascade Connections, but restricting sessions with various security policies and ACLs should produce similar results.

In the SoftEther source code, there isn't much difference between a Cascade Connection and a regular Client Connection. Describe why you want to block Cascade Connections to get a better answer or perhaps motivate a software patch.

colapig
Posts: 148
Joined: Tue Oct 14, 2014 5:36 am

Re: prevent cascade connection by solo user account

Post by colapig » Thu Jan 08, 2015 1:07 pm

Good idea, I will do it later today.

colapig
Posts: 148
Joined: Tue Oct 14, 2014 5:36 am

Re: prevent cascade connection by solo user account

Post by colapig » Fri Jan 09, 2015 2:20 am

Sorry, I may have misunderstood your reply. I thought you wanted me to open a ticket for the patch. I think I can explain it here; I hope the function can be added in the next version.
Distinguishing the individual user account from the cascade connection account can help me manage connections better. If some user uses the individual account to make a cascade connection, that would increase the VPN server traffic (though I have limited the bandwidth for each account). I can't identify who is using the account either. This would put the network at risk, especially a VPN server with a local bridge connection.
I hope the administrator can have the ability to restrict how the user uses the account.
For the log, I hope the message can show which computer(s) is/are using the VPN connection in a cascade site.
Thank you for your effort.

BoredAus
Posts: 115
Joined: Sun Nov 23, 2014 3:29 am

Re: prevent cascade connection by solo user account

Post by BoredAus » Sat Jan 10, 2015 1:19 am

Here is a bit of out-of-the-box thinking: since the ability to create more than one VPN server isn't restricted, and is bounded only by the number of ports dedicated to it, why don't you create another SoftEther VPN server that has bridging functionality and holds the user accounts to which you want to grant cascade connection functionality?

I am aware this is probably not the ideal solution you are looking for, but at least you can prevent users whom you don't want to use cascade connection functionality from doing so, as the node for that VPN server isn't configured to have that capability.

SoftEther VPN can be configured to produce logs, probably as verbose as you want, right down to detailed packet logs. If you are unaware of who is using accounts that have cascade connection, that is a policy issue restricted to your network. At that point I would be issuing each and every user their own unique account, which would most likely track down where compromises are happening.

colapig
Posts: 148
Joined: Tue Oct 14, 2014 5:36 am

Re: prevent cascade connection by solo user account

Post by colapig » Sat Jan 10, 2015 6:14 am

I don't know how to restrict it even if I create one more server. If I can only identify the connection type by the log, then I have to write some code to do that.
I just hope there is a simple solution to do that.

Thanks for your suggestion.

dajhorn
Posts: 137
Joined: Mon Mar 24, 2014 3:59 am

Re: prevent cascade connection by solo user account

Post by dajhorn » Sat Jan 10, 2015 5:06 pm

First, open the virtual hub properties dialog, click the "Virtual Hub Admin Option" button, and try setting the deny_bridge and deny_routing options.

Second, open the user properties dialog, enable "Set Security Policy", click the "Security Policy" button, and enable "Enforce DHCP Allocated IP Addresses". (Other options in these lists could apply.)

This should make it difficult to establish a working Cascade Connection, but I wouldn't rely on such options for perfect enforcement without testing. Furthermore, SoftEther does not provide a logging mechanism that makes it easy to detect this kind of activity, so you must learn how to use the server_log and packet_log.
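
A sketch of the log analysis discussed above, as an added example that is not part of the original posts or of SoftEther's code: a Cascade Connection bridges a remote Layer 2 segment, so frames from several source MAC addresses arrive through one session, while a single-computer account normally shows one. The row layout, the `max_macs` threshold and the function names are assumptions; the sample rows are constructed and are not SoftEther's real packet_log format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: simplified "time,session,user,src_mac" rows, NOT the
# real SoftEther packet_log layout. Map your own log fields onto these columns.
SAMPLE = """\
2015-01-10 12:00:01,SID-ALICE-1,alice,00-AC-11-22-33-01
2015-01-10 12:00:02,SID-BOB-2,bob,00-AC-44-55-66-01
2015-01-10 12:00:03,SID-BOB-2,bob,00-1B-21-0A-0B-0C
2015-01-10 12:00:04,SID-BOB-2,bob,00-1B-21-0A-0B-0D
2015-01-10 12:00:05,SID-ALICE-1,alice,00:ac:11:22:33:01
2015-01-10 12:00:06,SID-BOB-2,bob,not-a-mac
"""

def normalize_mac(raw):
    """Return the MAC as 12 upper-case hex digits, or None if malformed."""
    digits = raw.strip().replace("-", "").replace(":", "").upper()
    if len(digits) == 12 and all(c in "0123456789ABCDEF" for c in digits):
        return digits
    return None

def macs_per_session(log_text):
    """Collect the distinct source MACs seen behind each (user, session)."""
    seen = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip truncated or foreign lines
        _time, session, user, raw_mac = row
        mac = normalize_mac(raw_mac)
        if mac:
            seen[(user.strip(), session.strip())].add(mac)
    return seen

def suspected_bridges(log_text, max_macs=1):
    """Flag sessions that exposed more than max_macs distinct source MACs.

    max_macs=1 is an assumed baseline for single-computer accounts; raise it
    if your clients legitimately run VMs or share a connection.
    """
    return {key: sorted(macs)
            for key, macs in macs_per_session(log_text).items()
            if len(macs) > max_macs}

if __name__ == "__main__":
    for (user, session), macs in suspected_bridges(SAMPLE).items():
        print(f"{user} {session}: {len(macs)} source MACs {macs}")
```

The flagged MAC list also answers which computers sit behind a bridged session, provided each account is issued to one person.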

colapig
Posts: 148
Joined: Tue Oct 14, 2014 5:36 am

Re: prevent cascade connection by solo user account

Post by colapig » Sun Jan 11, 2015 5:47 am

Thanks for your idea. I will try it.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: prevent cascade connection by solo user account

Post by thisjun » Wed Jan 21, 2015 8:13 am

Please change a value of 'max_session_client_bridge_apply' to 1 in 'Virtual Hub Admin Option'.
