Lockdown NSX Edge SSL VPN to Specific IP Address

Issue:

I wanted to lock down my NSX Edge Gateway SSL VPN portal to a specific IP range. As you are not allowed to put a custom rule above a system-defined rule on the edge itself, I needed a workaround.


Resolution:

In the vCenter web client go to HOME -> Network & Security -> Firewall -> Add rule (green + sign)

Add an accept rule (SSL_VPN_EDGE) for the permitted source range and a deny rule (SSL_VPN_EDGE_BLOCK) beneath it, as highlighted in the screenshot below:

[Screenshot ssl_vpn_edge3: the SSL_VPN_EDGE accept rule and SSL_VPN_EDGE_BLOCK deny rule in the distributed firewall]

Note: ensure these rules are applied to the Edge only.

Then go back to your NSX Edge:

Go to HOME -> Network & Security -> NSX Edges -> {Select Edge in question} -> Firewall

You'll now see the rules applied above the system rules. Because the accept rule is matched first and the deny rule sits before the system-defined rule that permits the SSL VPN, only sources in the allowed range can reach the portal.

[Screenshot ssl_vpn_edge2: the custom rules listed above the system rules on the Edge firewall tab]
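As an added check (example code, not from the original post or from VMware), the following models top-down, first-match evaluation of the edge rule table so you can confirm the custom rules take effect before the system-defined SSL VPN rule, and what happens if they land below it instead. The rule names are the page's; the allowed source range 203.0.113.0/24, the portal port TCP/443 and the trailing implicit deny are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "accept" or "deny"
    source: str               # CIDR, or "any" to match every source
    dest_port: Optional[int]  # None matches any destination port

    def matches(self, src_ip: str, port: int) -> bool:
        if self.dest_port is not None and port != self.dest_port:
            return False
        if self.source == "any":
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)


SSL_VPN_PORT = 443  # assumption: the SSL VPN portal listens on TCP/443

# Rule table as it appears on the edge after the DFW rules are published:
# the custom accept and deny rules first, then the system-defined rule that
# permits the SSL VPN. The allowed range is a constructed sample value.
LOCKED_DOWN: List[Rule] = [
    Rule("SSL_VPN_EDGE", "accept", "203.0.113.0/24", SSL_VPN_PORT),
    Rule("SSL_VPN_EDGE_BLOCK", "deny", "any", SSL_VPN_PORT),
    Rule("system: SSL VPN", "accept", "any", SSL_VPN_PORT),
]

# Ordering you get when the custom rules are created on the edge itself and
# therefore cannot be placed above the system rule: the lockdown is bypassed.
CUSTOM_BELOW_SYSTEM: List[Rule] = [LOCKED_DOWN[2], LOCKED_DOWN[0], LOCKED_DOWN[1]]


def evaluate(rules: List[Rule], src_ip: str, port: int) -> Tuple[str, str]:
    """Return (rule name, action) of the first rule that matches the packet."""
    for rule in rules:
        if rule.matches(src_ip, port):
            return rule.name, rule.action
    return "default", "deny"  # assumption: implicit deny when nothing matches


if __name__ == "__main__":
    for label, table in (("custom above system", LOCKED_DOWN),
                         ("custom below system", CUSTOM_BELOW_SYSTEM)):
        for src in ("203.0.113.10", "198.51.100.7"):
            print(label, src, evaluate(table, src, SSL_VPN_PORT))
```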