https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Security-VPN-on-Azure-AD-Joined-PC/m-p/169241#M5584 <P>Hi Daniel,</P><P>&nbsp;</P><P>as phoneboy said, you will need to setup SAML Authentication against Azure IDP for being able to do something there.&nbsp;</P><P>check out those videos - that helped me a lot in configuring something like that:</P><P><A href="https://www.youtube.com/watch?v=172xGxqQvhI" target="_blank">https://www.youtube.com/watch?v=172xGxqQvhI</A><BR /><A href="https://www.youtube.com/watch?v=yZVB3sJ3fZ8" target="_blank">https://www.youtube.com/watch?v=yZVB3sJ3fZ8</A><BR /><BR /></P><P>Basically your client check is than done by Azure within a conditional access ruleset. Gateway only receives a "OK" or "not OK" including some attributes (i.e. group memberships, maybe Machine attributes are possible too)</P><P>So there is nothing like an on prem AD on your site, where machine accounts are replicated to - so one could then go via ldap account unit...?</P> Thu, 26 Jan 2023 08:06:24 GMT Nüüül 2023-01-26T08:06:24Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Security-VPN-on-Azure-AD-Joined-PC/m-p/169146#M5581 <P>Good evening everyone, for the past few weeks I've been going crazy trying to get the VPN working on a PC deployed via Intune (so it's an Azure AD Joined PC), but the machine is in no way recognised by the firewall and therefore does not match any policy.</P><P>I believe that this malfunction is related to the fact that we use authentication via a certificate, but this is not loaded on the machine in Azure AD. Am I on the right way or is there something else to check?</P> Wed, 25 Jan 2023 15:52:09 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Security-VPN-on-Azure-AD-Joined-PC/m-p/169146#M5581 DanielVd 2023-01-25T15:52:09Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Security-VPN-on-Azure-AD-Joined-PC/m-p/169203#M5582 <P>If you're using Azure AD, the entire authentication must occur with Azure AD (i.e. via SAML) in order to get the group information.<BR />This applies regardless of the authentication method you specify in Azure AD.<BR />That also implies your certificates need to come from Azure AD.&nbsp;</P> Thu, 26 Jan 2023 02:38:20 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Security-VPN-on-Azure-AD-Joined-PC/m-p/169203#M5582 PhoneBoy 2023-01-26T02:38:20Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Security-VPN-on-Azure-AD-Joined-PC/m-p/169238#M5583 <P>Thanks PhoneBoy. Can you link me to any guides explaining how to configure the remote access section? I have found several, but I cannot get the desired result.</P> Thu, 26 Jan 2023 07:48:37 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Security-VPN-on-Azure-AD-Joined-PC/m-p/169238#M5583 DanielVd 2023-01-26T07:48:37Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Security-VPN-on-Azure-AD-Joined-PC/m-p/169241#M5584 <P>Hi Daniel,</P><P>&nbsp;</P><P>as phoneboy said, you will need to setup SAML Authentication against Azure IDP for being able to do something there.&nbsp;</P><P>check out those videos - that helped me a lot in configuring something like that:</P><P><A href="https://www.youtube.com/watch?v=172xGxqQvhI" target="_blank">https://www.youtube.com/watch?v=172xGxqQvhI</A><BR /><A href="https://www.youtube.com/watch?v=yZVB3sJ3fZ8" target="_blank">https://www.youtube.com/watch?v=yZVB3sJ3fZ8</A><BR /><BR /></P><P>Basically your client check is than done by Azure within a conditional access ruleset. Gateway only receives a "OK" or "not OK" including some attributes (i.e. group memberships, maybe Machine attributes are possible too)</P><P>So there is nothing like an on prem AD on your site, where machine accounts are replicated to - so one could then go via ldap account unit...?</P> Thu, 26 Jan 2023 08:06:24 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Security-VPN-on-Azure-AD-Joined-PC/m-p/169241#M5584 Nüüül 2023-01-26T08:06:24Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Security-VPN-on-Azure-AD-Joined-PC/m-p/169297#M5585 <P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk172909&amp;partition=Advanced&amp;product=Endpoint" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk172909&amp;partition=Advanced&amp;product=Endpoint</A></P> Thu, 26 Jan 2023 15:26:52 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Security-VPN-on-Azure-AD-Joined-PC/m-p/169297#M5585 PhoneBoy 2023-01-26T15:26:52Z