https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Checks/m-p/224806#M37429 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/21670">@HeikoAnkenbrand</a>,</P> <P>Maybe the&nbsp; <A href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/Topics-VPNRG/Secure-Configuration-Verification-Advanced.htm" target="_self">Secure Configuration Verification - Advanced</A> can be useful in this situation.</P> <P>What if you check the logged in user is a DOMAIN user in the companies AD?</P> <P><SPAN class="MCDropDownHead dropDownHead"><A class="MCDropDownHotSpot dropDownHotspot MCDropDownHotSpot_ MCHotSpotImage" role="button" href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/Topics-VPNRG/Secure-Configuration-Verification-Advanced.htm#" aria-expanded="true" aria-controls="mc-dropdown-body1bf28320-dc31-4e45-843f-16749a003d6b" target="_blank">"Groupmonitor"</A></SPAN></P> <DIV id="mc-dropdown-body1bf28320-dc31-4e45-843f-16749a003d6b" class="MCDropDownBody dropDownBody"> <P>This checks that the logged on user belongs to the expected domain user groups.</P> <TABLE class="TableStyle-TP_Table_Dark_Header_and_Pattern" cellspacing="0"><COLGROUP><COL class="TableStyle-TP_Table_Dark_Header_and_Pattern-Column-Column_Style" /><COL class="TableStyle-TP_Table_Dark_Header_and_Pattern-Column-Column_Style" /></COLGROUP> <THEAD> <TR class="TableStyle-TP_Table_Dark_Header_and_Pattern-Head-Header_Style"> <TH class="TableStyle-TP_Table_Dark_Header_and_Pattern-HeadE-Column_Style-Header_Style" scope="col"> <P>Parameter</P> </TH> <TH class="TableStyle-TP_Table_Dark_Header_and_Pattern-HeadD-Column_Style-Header_Style" scope="col"> <P>Description</P> </TH> </TR> </THEAD> <TBODY> <TR class="TableStyle-TP_Table_Dark_Header_and_Pattern-Body-White_Background"> <TD class="TableStyle-TP_Table_Dark_Header_and_Pattern-BodyB-Column_Style-White_Background"> <P><CODE>"builtin\<SPAN class="mc-variable Vars_Other.tp_admin variable">administrator</SPAN>" (false)</CODE></P> </TD> <TD class="TableStyle-TP_Table_Dark_Header_and_Pattern-BodyA-Column_Style-White_Background"> <P>A name of a user group. The user must belong to this group for the machine configuration to be verified.</P> </TD> </TR> </TBODY> </TABLE> </DIV> <P>&nbsp;</P> <P>Cheers,</P> <P>Akos</P> Wed, 28 Aug 2024 11:33:32 GMT AkosBakos 2024-08-28T11:33:32Z https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Checks/m-p/224776#M37424 <P>Is it possible to perform posture checks with the latest ‘Standalone E88.50 Remote Access VPN Clients for Windows’?</P> <P>Background to my question:</P> <P>A customer wants to avoid using the ‘Remote Access VPN client’ on private PC. The user could install the software on his private PC and then set up a VPN tunnel to the company.<BR /><BR />Are there posture checks here so that you can check whether the “Remote Access VPN Client” &nbsp;software only works on company PCs?</P> <P>I had thought of something like this:<BR />- Certificate check whether a company certificate is available.<BR />- Check whether a company registry key is set.<BR />- and and and<BR /><BR />Is this possible with ‘Inline Layer’ or ‘Order Layer’?<BR />The idea is to query the user certificate first and then the machine certificate if necessary.</P> <P>Or perhaps with IA rule to use both certificates (user certificate and machine certificate).<BR /><BR />Does anyone here have any ideas?<BR /><BR />I have not found anything on this in the following documents:<BR /><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Office-Mode.htm?TocPath=Office%20Mode%7C_____0#Office_Mode" target="_blank" rel="noopener">- R81.20 Remote Access VPN Administration Guide</A><BR /><A href="https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN-for-Win/Introduction.htm?TocPath=Introduction%20to%20Remote%20Access%20Clients%7C_____0" target="_blank" rel="noopener">- Remote Access VPN Clients for Windows Admin Guide</A><BR /><A href="https://support.checkpoint.com/results/sk/sk75221" target="_blank" rel="noopener">- Remote Access TTM Configuration (sk75221)</A><BR /><A href="https://sc1.checkpoint.com/documents/E88.x/EN/Endpoint_Security_Clients_for_Windows_RN/Content/Topics-Endpoint_Security_Client_for_Windows_RN/Release-Map.htm?tocpath=_____5" target="_blank" rel="noopener">- E88.x Remote Access VPN Clients</A><BR /><A href="https://sc1.checkpoint.com/documents/E87.x/EN/Endpoint_Security_Clients_for_Windows_RN/Content/Topics-Endpoint_Security_Client_for_Windows_RN/Release-Map.htm?tocpath=_____5" target="_blank" rel="noopener">- E87.x Remote Access VPN Clients</A></P> Wed, 28 Aug 2024 10:05:22 GMT https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Checks/m-p/224776#M37424 HeikoAnkenbrand 2024-08-28T10:05:22Z https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Checks/m-p/224784#M37425 <P>Proposal: Allow authentication only with password AND certificate. Only Company Devices receive the cert and you also include a second factor.</P> Wed, 28 Aug 2024 10:33:09 GMT https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Checks/m-p/224784#M37425 D_W 2024-08-28T10:33:09Z https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Checks/m-p/224806#M37429 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/21670">@HeikoAnkenbrand</a>,</P> <P>Maybe the&nbsp; <A href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/Topics-VPNRG/Secure-Configuration-Verification-Advanced.htm" target="_self">Secure Configuration Verification - Advanced</A> can be useful in this situation.</P> <P>What if you check the logged in user is a DOMAIN user in the companies AD?</P> <P><SPAN class="MCDropDownHead dropDownHead"><A class="MCDropDownHotSpot dropDownHotspot MCDropDownHotSpot_ MCHotSpotImage" role="button" href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/Topics-VPNRG/Secure-Configuration-Verification-Advanced.htm#" aria-expanded="true" aria-controls="mc-dropdown-body1bf28320-dc31-4e45-843f-16749a003d6b" target="_blank">"Groupmonitor"</A></SPAN></P> <DIV id="mc-dropdown-body1bf28320-dc31-4e45-843f-16749a003d6b" class="MCDropDownBody dropDownBody"> <P>This checks that the logged on user belongs to the expected domain user groups.</P> <TABLE class="TableStyle-TP_Table_Dark_Header_and_Pattern" cellspacing="0"><COLGROUP><COL class="TableStyle-TP_Table_Dark_Header_and_Pattern-Column-Column_Style" /><COL class="TableStyle-TP_Table_Dark_Header_and_Pattern-Column-Column_Style" /></COLGROUP> <THEAD> <TR class="TableStyle-TP_Table_Dark_Header_and_Pattern-Head-Header_Style"> <TH class="TableStyle-TP_Table_Dark_Header_and_Pattern-HeadE-Column_Style-Header_Style" scope="col"> <P>Parameter</P> </TH> <TH class="TableStyle-TP_Table_Dark_Header_and_Pattern-HeadD-Column_Style-Header_Style" scope="col"> <P>Description</P> </TH> </TR> </THEAD> <TBODY> <TR class="TableStyle-TP_Table_Dark_Header_and_Pattern-Body-White_Background"> <TD class="TableStyle-TP_Table_Dark_Header_and_Pattern-BodyB-Column_Style-White_Background"> <P><CODE>"builtin\<SPAN class="mc-variable Vars_Other.tp_admin variable">administrator</SPAN>" (false)</CODE></P> </TD> <TD class="TableStyle-TP_Table_Dark_Header_and_Pattern-BodyA-Column_Style-White_Background"> <P>A name of a user group. The user must belong to this group for the machine configuration to be verified.</P> </TD> </TR> </TBODY> </TABLE> </DIV> <P>&nbsp;</P> <P>Cheers,</P> <P>Akos</P> Wed, 28 Aug 2024 11:33:32 GMT https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Checks/m-p/224806#M37429 AkosBakos 2024-08-28T11:33:32Z https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Checks/m-p/224823#M37435 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/28415">@AkosBakos</a>,<BR /><BR />I was probably blind when reading the manuals <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>Thank you very much, that's exactly what I was looking for.<BR /><BR />Cheers,<BR />Heiko</P> Wed, 28 Aug 2024 12:44:31 GMT https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Checks/m-p/224823#M37435 HeikoAnkenbrand 2024-08-28T12:44:31Z https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Checks/m-p/224825#M37436 <P>Thought you could set it below, but guess not, has to be done through local.scv file...</P> <P>Andy</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/27389i068703F137166EC3/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P> </P> Wed, 28 Aug 2024 12:53:21 GMT https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Checks/m-p/224825#M37436 the_rock 2024-08-28T12:53:21Z