https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-based-Access-Roles-with-Office-Mode-Remote-Access-VPN/m-p/112842#M9069 <P><BR />We have an R80.40 Gateway Cluster with Identity Awareness. The identity sources are AD Query and Remote Access. Mobile Access Office Mode is enabled. User-based access roles work fine for VPN users, but&nbsp;the same can't be said for an access&nbsp;role that defines the machines.&nbsp;</P><P>The AD Query is working fine for the other contexts, but it's not applied to VPN connection.</P><P>In PDPd and PEPd&nbsp;logs I can see the AD connection for the machine in the VPN, but I think it's not processed by the identity Awareness.</P><P><EM>[28237 4059047744]@CPFW01[25 Feb 14:01:17] [TRACKER]: #3326304 -&gt; INCOMING -&gt; ADQUERY_ASSOCIATION -&gt;</EM><BR /><EM>Association</EM><BR /><EM>ip: 10.18.172.130</EM><BR /><EM>user:</EM><BR /><EM>machine: dxx-55375</EM><BR /><EM>domain:&nbsp;xxx.jus.br</EM><BR /><EM>reason:&nbsp;</EM></P><P><BR />Is there a way for the Remote Access and AD Query to work together to get the machine identification? What I'm trying to achieve here is to have identified domain machines hit a different rule/layer compared to a machine that remotely connects and is not identified.</P><P>Thanks in advance!</P> Tue, 09 Mar 2021 13:28:06 GMT saulosouza 2021-03-09T13:28:06Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-based-Access-Roles-with-Office-Mode-Remote-Access-VPN/m-p/112842#M9069 <P><BR />We have an R80.40 Gateway Cluster with Identity Awareness. The identity sources are AD Query and Remote Access. Mobile Access Office Mode is enabled. User-based access roles work fine for VPN users, but&nbsp;the same can't be said for an access&nbsp;role that defines the machines.&nbsp;</P><P>The AD Query is working fine for the other contexts, but it's not applied to VPN connection.</P><P>In PDPd and PEPd&nbsp;logs I can see the AD connection for the machine in the VPN, but I think it's not processed by the identity Awareness.</P><P><EM>[28237 4059047744]@CPFW01[25 Feb 14:01:17] [TRACKER]: #3326304 -&gt; INCOMING -&gt; ADQUERY_ASSOCIATION -&gt;</EM><BR /><EM>Association</EM><BR /><EM>ip: 10.18.172.130</EM><BR /><EM>user:</EM><BR /><EM>machine: dxx-55375</EM><BR /><EM>domain:&nbsp;xxx.jus.br</EM><BR /><EM>reason:&nbsp;</EM></P><P><BR />Is there a way for the Remote Access and AD Query to work together to get the machine identification? What I'm trying to achieve here is to have identified domain machines hit a different rule/layer compared to a machine that remotely connects and is not identified.</P><P>Thanks in advance!</P> Tue, 09 Mar 2021 13:28:06 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-based-Access-Roles-with-Office-Mode-Remote-Access-VPN/m-p/112842#M9069 saulosouza 2021-03-09T13:28:06Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-based-Access-Roles-with-Office-Mode-Remote-Access-VPN/m-p/112857#M9070 <P><SPAN>The R80.40 release adds a new VPN authentication capability to Security Gateway. Authentication with a machine certificate as of Endpoint Security Client E80.71 is now available for gateways. Refer to&nbsp;</SPAN><A href="https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_RemoteAccessVPN_AdminGuide/Topics-VPNRG/Machine-Certificate.htm?tocpath=_____12" target="_blank" rel="noopener">Remote Access VPN R80.40 Administration Guide</A><BR /><BR />Also, highly recommended is&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk86240" target="_self"><SPAN>sk86240</SPAN></A></P> Tue, 09 Mar 2021 14:53:12 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-based-Access-Roles-with-Office-Mode-Remote-Access-VPN/m-p/112857#M9070 _Val_ 2021-03-09T14:53:12Z