https://community.checkpoint.com/t5/SASE-and-Remote-Access/Spliting-RA-VPN-access-between-domain-and-non-domain-PCs-fo/m-p/226349#M3233 <P>Hi there!</P><P>I would like to split access for remote users (MAB, RA VPN, 2FA) into domain and non-domain. All users have only MS AD accounts, but they can connect via VPN from a domain or non-domain PC. Depending on whether the PC is in the domain or not, different resource should be available.</P><P>For example, if John Doe connects from a domain PC, he can access the [LAN1] resource. But if the same John Doe connects from a non-domain PC, he can access [LAN2].</P><P>Can you please tell me if you have such an implementation? If so, how stable is it?</P><P>I think all RA resources will be announced into VPN for all users, regardless of whether the PC is in the domain or not. And access to [LAN1] or [LAN2] will be determined by the FW policy, but now I don't understand how to write it....</P> Thu, 12 Sep 2024 08:51:44 GMT EVSolovyev 2024-09-12T08:51:44Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Spliting-RA-VPN-access-between-domain-and-non-domain-PCs-fo/m-p/226349#M3233 <P>Hi there!</P><P>I would like to split access for remote users (MAB, RA VPN, 2FA) into domain and non-domain. All users have only MS AD accounts, but they can connect via VPN from a domain or non-domain PC. Depending on whether the PC is in the domain or not, different resource should be available.</P><P>For example, if John Doe connects from a domain PC, he can access the [LAN1] resource. But if the same John Doe connects from a non-domain PC, he can access [LAN2].</P><P>Can you please tell me if you have such an implementation? If so, how stable is it?</P><P>I think all RA resources will be announced into VPN for all users, regardless of whether the PC is in the domain or not. And access to [LAN1] or [LAN2] will be determined by the FW policy, but now I don't understand how to write it....</P> Thu, 12 Sep 2024 08:51:44 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Spliting-RA-VPN-access-between-domain-and-non-domain-PCs-fo/m-p/226349#M3233 EVSolovyev 2024-09-12T08:51:44Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Spliting-RA-VPN-access-between-domain-and-non-domain-PCs-fo/m-p/226390#M3234 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1629">@EVSolovyev</a>&nbsp;</P> <P>What is came into my mind: you are able to determine in the in the Access role the machine(s):</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="machines.png" style="width: 785px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/27581i8C0BE6CDEB5DEE8F/image-size/large?v=v2&amp;px=999" role="button" title="machines.png" alt="machines.png" /></span></P> <OL> <LI><EM>Choose a <STRONG>group of machines</STRONG>&nbsp;(this represents the domain machines)</EM></LI> <LI><EM> if the user connects from a machine what is not a domain member (not in the choosen group)</EM></LI> <LI><EM>the rule won't applies to it.</EM></LI> </OL> <P><EM>This kind of handling 100% stable, as the Access policy. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></EM></P> <P>There was a same kind of topic recently, have a look at on it:</P> <P><EM><A href="https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Checks/m-p/224806#M37429" target="_blank">https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Checks/m-p/224806#M37429</A></EM></P> <P>Maybe the&nbsp;<SPAN>&nbsp;</SPAN><A href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/Topics-VPNRG/Secure-Configuration-Verification-Advanced.htm" target="_self" rel="noopener noreferrer">Secure Configuration Verification - Advanced</A><SPAN>&nbsp;</SPAN>can be useful in this situation.</P> <P>What if you check the logged in user is a DOMAIN user in the companies AD?</P> <P><SPAN class="MCDropDownHead dropDownHead"><A class="MCDropDownHotSpot dropDownHotspot MCDropDownHotSpot_ MCHotSpotImage" role="button" href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/Topics-VPNRG/Secure-Configuration-Verification-Advanced.htm#" target="_blank" rel="noopener noreferrer" aria-expanded="true" aria-controls="mc-dropdown-body1bf28320-dc31-4e45-843f-16749a003d6b">"Groupmonitor"</A></SPAN></P> <DIV id="mc-dropdown-body1bf28320-dc31-4e45-843f-16749a003d6b" class="MCDropDownBody dropDownBody"> <P>This checks that the logged on user belongs to the expected domain user groups.</P> <TABLE class="TableStyle-TP_Table_Dark_Header_and_Pattern" cellspacing="0"><COLGROUP><COL class="TableStyle-TP_Table_Dark_Header_and_Pattern-Column-Column_Style" /><COL class="TableStyle-TP_Table_Dark_Header_and_Pattern-Column-Column_Style" /></COLGROUP> <THEAD> <TR class="TableStyle-TP_Table_Dark_Header_and_Pattern-Head-Header_Style"> <TH class="TableStyle-TP_Table_Dark_Header_and_Pattern-HeadE-Column_Style-Header_Style" scope="col"> <P>Parameter</P> </TH> <TH class="TableStyle-TP_Table_Dark_Header_and_Pattern-HeadD-Column_Style-Header_Style" scope="col"> <P>Description</P> </TH> </TR> </THEAD> <TBODY> <TR class="TableStyle-TP_Table_Dark_Header_and_Pattern-Body-White_Background"> <TD class="TableStyle-TP_Table_Dark_Header_and_Pattern-BodyB-Column_Style-White_Background"> <P><CODE>"builtin\<SPAN class="mc-variable Vars_Other.tp_admin variable">administrator</SPAN>" (false)</CODE></P> </TD> <TD class="TableStyle-TP_Table_Dark_Header_and_Pattern-BodyA-Column_Style-White_Background"> <P>A name of a user group. The user must belong to this group for the machine configuration to be verified.</P> </TD> </TR> </TBODY> </TABLE> </DIV> <P>&nbsp;</P> <P>Cheers,</P> <P>Akos</P> Thu, 12 Sep 2024 13:04:57 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Spliting-RA-VPN-access-between-domain-and-non-domain-PCs-fo/m-p/226390#M3234 AkosBakos 2024-09-12T13:04:57Z