<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Using ldap for user authentication on vpn checkpoint in General Topics</title>
    <link>https://community.checkpoint.com/t5/General-Topics/Using-ldap-for-user-authentication-on-vpn-checkpoint/m-p/58516#M11793</link>
    <description>&lt;P&gt;Hello everyone!&lt;BR /&gt;Please help!!&lt;BR /&gt;At this moment I'm using Checkpoint local users to connect to Client-to-site VPN.&lt;BR /&gt;But I want to improve this and change all the method of VPN authentication to LDAP.&lt;BR /&gt;For test purposes, I already have a group on AD that we share with Checkpoint, so we are able to do that and it really works.&lt;BR /&gt;By now, I don't want to ask the AD admin to create AD groups every time we are asked to provide VPN access.&lt;BR /&gt;Is there a way to add AD users to a VPN rule without using an AD group?&lt;BR /&gt;Let me explain better: we are a big organization, so we have different kinds of users with different needs, so we need to create different kinds of access groups. Since I know that VPN rules only accept legacy users in groups, I'd like to know if there's a way to designate some AD users directly in firewall rules, or a way to do this without contacting the AD admin to create the groups.&lt;/P&gt;&lt;P&gt;Thanks in advance!&lt;BR /&gt;&lt;BR /&gt;Checkpoint r77.30&lt;/P&gt;</description>
    <pubDate>Thu, 18 Jul 2019 20:14:57 GMT</pubDate>
    <dc:creator>Rick_Rodrix</dc:creator>
    <dc:date>2019-07-18T20:14:57Z</dc:date>
    <item>
      <title>Using ldap for user authentication on vpn checkpoint</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Using-ldap-for-user-authentication-on-vpn-checkpoint/m-p/58516#M11793</link>
      <description>&lt;P&gt;Hello everyone!&lt;BR /&gt;Please help!!&lt;BR /&gt;At this moment I'm using Checkpoint local users to connect to Client-to-site VPN.&lt;BR /&gt;But I want to improve this and change all the method of VPN authentication to LDAP.&lt;BR /&gt;For test purposes, I already have a group on AD that we share with Checkpoint, so we are able to do that and it really works.&lt;BR /&gt;By now, I don't want to ask the AD admin to create AD groups every time we are asked to provide VPN access.&lt;BR /&gt;Is there a way to add AD users to a VPN rule without using an AD group?&lt;BR /&gt;Let me explain better: we are a big organization, so we have different kinds of users with different needs, so we need to create different kinds of access groups. Since I know that VPN rules only accept legacy users in groups, I'd like to know if there's a way to designate some AD users directly in firewall rules, or a way to do this without contacting the AD admin to create the groups.&lt;/P&gt;&lt;P&gt;Thanks in advance!&lt;BR /&gt;&lt;BR /&gt;Checkpoint r77.30&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jul 2019 20:14:57 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Using-ldap-for-user-authentication-on-vpn-checkpoint/m-p/58516#M11793</guid>
      <dc:creator>Rick_Rodrix</dc:creator>
      <dc:date>2019-07-18T20:14:57Z</dc:date>
    </item>
    <item>
      <title>Re: Using ldap for user authentication on vpn checkpoint</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Using-ldap-for-user-authentication-on-vpn-checkpoint/m-p/58520#M11796</link>
      <description>When you have Identity Awareness set up and connected to your AD, you can create access roles; within those roles you can add individual users and/or groups and/or machines to allow certain traffic. So, in other words, yes, this is possible.</description>
      <pubDate>Thu, 18 Jul 2019 20:50:11 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Using-ldap-for-user-authentication-on-vpn-checkpoint/m-p/58520#M11796</guid>
      <dc:creator>Maarten_Sjouw</dc:creator>
      <dc:date>2019-07-18T20:50:11Z</dc:date>
    </item>
    <item>
      <title>Re: Using ldap for user authentication on vpn checkpoint</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Using-ldap-for-user-authentication-on-vpn-checkpoint/m-p/58522#M11797</link>
      <description>&lt;P&gt;Well, I do know that. I'm getting some success on this research. At this time, I discovered that for the first step, I need to allow AD users to connect in Remote Access, so I made this work by adding the AD group "Domain Users" in Remote Access. But right now, every single account is able to log in on Remote Access. I did an individual account role access and added it to a rule and it is working now; I was able to access my host. But I was wondering whether enabling the whole AD group "Domain Users" to connect to Endpoint Security is a good idea for security issues.&lt;BR /&gt;Is it a best practice to put this kind of rule at the top of the rule table?&lt;BR /&gt;&lt;BR /&gt;I'm just wondering why no one had this question before; I didn't find any message about this.&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jul 2019 21:40:07 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Using-ldap-for-user-authentication-on-vpn-checkpoint/m-p/58522#M11797</guid>
      <dc:creator>Rick_Rodrix</dc:creator>
      <dc:date>2019-07-18T21:40:07Z</dc:date>
    </item>
  </channel>
</rss>

