https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101445#M10169 <P>It may be depending on how you've configured it.<BR />Screenshots of the relevant configuration would be helpful.</P> Mon, 09 Nov 2020 01:23:15 GMT PhoneBoy 2020-11-09T01:23:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101437#M10168 <P>Hi team,</P><P>I need your help on this matter.</P><P>&nbsp;</P><P>Here is the environment</P><UL><LI>R80.40</LI><LI>Dedicated Management</LI><LI>Cluster of 5600</LI></UL><P>We are using MS Active Directory Integration&nbsp;with Access Mobile Access and we defined access role.</P><P>But, AD users not belonging to an access role have access to mobile access portal, why&nbsp;? In the log we see in the usergroup_-"user do not belong to any group".</P><P>I want to know if this is an expected behaviour&nbsp;? from my understanding, an Access Role is how the firewall determines what users are allowed access and those that are not define will be dropped.</P><P>Regards</P> Sun, 08 Nov 2020 19:58:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101437#M10168 constant69 2020-11-08T19:58:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101445#M10169 <P>It may be depending on how you've configured it.<BR />Screenshots of the relevant configuration would be helpful.</P> Mon, 09 Nov 2020 01:23:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101445#M10169 PhoneBoy 2020-11-09T01:23:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101472#M10170 <P>Hi PhoneBoy,</P><P>Thank for your reply.</P><P>This is a basic configuration in R80.40 ( I have the same behavior in my lab R80.10)</P><P>- 2 Access roles</P><P>- 2 rules with the both access roles in the source and mobile access application</P><P>I have attached screenshots</P><P>&nbsp;</P><P>Regards</P> Mon, 09 Nov 2020 12:49:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101472#M10170 constant69 2020-11-09T12:49:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101478#M10171 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/43988">@constant69</a>&nbsp;</P> <P>are the users with no group-mebership able to login only and did not see any MOB-defined application ?</P> <P>Wolfgang</P> Mon, 09 Nov 2020 10:24:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101478#M10171 Wolfgang 2020-11-09T10:24:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101494#M10172 <P><SPAN>Hi,</SPAN></P><P><SPAN>The users with no group-membership are able to login only and they did not see any MOB-defined application,</SPAN></P><P><SPAN>Regards</SPAN></P> Mon, 09 Nov 2020 12:47:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101494#M10172 constant69 2020-11-09T12:47:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101508#M10173 <P>Ok, looks like expected behaviour.</P> <P>If the gateway is member of the remote access community and the "participant user groups" ist set to "all users" this is working as designed.</P> <P>The users can authenticate but have no access to any MOB application or VPN connection.</P> <P>If you want to limit to a specific usergroup you have to define them and replace the "all users". If you don't use any remote-access VPN on your gateway (SSL extender, checkpoint mobile etc.) you can remove the gateway from the remote access community.</P> <P>Wolfgang</P> <P>Wolfgang</P> Mon, 09 Nov 2020 13:40:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101508#M10173 Wolfgang 2020-11-09T13:40:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101514#M10174 <P>Thank for your help on this matter.</P><P>To sum up, as we cannot select Access Roles, the following procedure is relevant<BR />1) Create a ldap group that containt the AD users allowed<BR />2) Then, select the previous ldap group in the remote access community</P><P>Regards</P> Mon, 09 Nov 2020 13:48:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101514#M10174 constant69 2020-11-09T13:48:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101637#M10175 <P>Hi Wolfgang,</P><P>Thank for your help on this matter: that solved my issue!</P><P>Regards</P> Tue, 10 Nov 2020 15:02:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mobile-Access-AD-users-not-belonging-to-an-access-role-have/m-p/101637#M10175 constant69 2020-11-10T15:02:34Z