topic Re: Windows Always-ON VPN ( Device & User tunnel ) together with Identity Collector question in Firewall and Security Management

Windows Always-ON VPN ( Device & User tunnel ) together with Identity Collector question

NickDeGrootYama — Thu, 22 Dec 2022 18:29:21 GMT

Hi All,

I do have a question regarding the combination of Windows AO-VPN and IDC.

Our Windows AO-VPN solution on our Windows Endpoints consists of 2 tunnels.

1. Device Tunnel ( Is initiated when Windows boots and before user logs in )

2. User Tunnel ( is initiated after the user logs in into Windows )

The Device Tunnel is there purely for management purposes ( getting (AV)/Windows updates etc). The User Tunnel gets the corresponding routes which the user needs.

However in SmartConsole i see in the logs that the traffic which the user initiates does not has a source-username log entry.

Investigating it further , i see that the username of the corresponding user that has logged in to the endpoints is correlating with the Device-Tunnel IP address. However, that IP is not used for resources behind the VPN.

The IDC is working correctly for internal traffic , but as the remote endpoint gets 2 IP addresses , IDC only correlates the Device IP instead of the User-Tunnel IP.

Currently the traffic flow is as follows

Devices boots
Windows starts up and Device-Tunnel is initiated -> IP 10.10.10.1 is assigned.
User logs in into Windows before the User-Tunnel is initiated the IDC correlates the Device-Tunnel IP with the logged in user ( which is what gets into the AD Event logs ) so untill here everyhing works correctly
User-Tunnel is automatic initiated after user login and traffic to on-prem resources flows via User-Tunnel ( IP 10.10.10.2 )

So what we would actually like to establish is that the 10.10.10.2 is correlated in SmartConsole with the Windows Username. However , i doubt if that is possible as the real login on the Windows Endpoint happens before. Hopefully anybody here can point me in the right direction.

Re: Windows Always-ON VPN ( Device & User tunnel ) together with Identity Collector question

PhoneBoy — Thu, 22 Dec 2022 19:27:29 GMT

Identity Collector can only leverage information it gets from the Identity Source (in this case, Active Directory).
If there isn't a login event reported on the other IP address in the Windows Security Logs, we'll never know about it.

The only thing I can suggest trying is using an Identity Agent on systems with AO-VPN.

Re: Windows Always-ON VPN ( Device & User tunnel ) together with Identity Collector question

Chris_Atkinson — Thu, 22 Dec 2022 21:37:25 GMT

Just to confirm your identity awareness config has "remote access VPN" selected as an identity source correct?

If this VPN doesn't terminate on a CP gateway as such you can ignore the above however.

Re: Windows Always-ON VPN ( Device & User tunnel ) together with Identity Collector question

PhoneBoy — Thu, 22 Dec 2022 21:43:00 GMT

We're talking about Microsoft's Always-on VPN...which doesn't use our client or terminate on our gateway.

Re: Windows Always-ON VPN ( Device & User tunnel ) together with Identity Collector question

AaronCP — Thu, 22 Dec 2022 22:26:36 GMT

Hi @NickDeGrootYama,

My previous employer had the same set up. As @PhoneBoy mentioned, we used Identity Agent (transparent Kerberos SSO) with Windows AOVPN and it worked as you required i.e. presented the user tunnel IP along with the user & device credentials from the Kerberos ticket.

Re: Windows Always-ON VPN ( Device & User tunnel ) together with Identity Collector question

NickDeGrootYama — Fri, 23 Dec 2022 06:30:17 GMT

Tested this on my own machine , and indeed that works as expected.

Was hoping this could be done clientless , but if we need this Identity Agent then we should do that!

Thanks!

Re: Windows Always-ON VPN ( Device & User tunnel ) together with Identity Collector question

SimonSchreiber9 — Mon, 15 Jan 2024 14:09:48 GMT

Hi,

is there any possibility to establish an user AND machine tunnel during the session?

Terminal mode (in trac default) ist activated.
PC boots up. Machine tunnel will be established. User logs in, user tunnel will be established WITHOUT disconnecting the machine tunnel ?

Is this possible?

Thanks and kind regards,

Simon.

Re: Windows Always-ON VPN ( Device & User tunnel ) together with Identity Collector question

PhoneBoy — Wed, 17 Jan 2024 06:11:21 GMT

Not currently as it is operating as designed.
Please discuss your specific requirements with your Check Point SE.