Remote Access (selective) Compliance

mbh80 — Thu, 04 Mar 2021 15:34:42 GMT

Hello all, I am requesting some assistance in confirming whether a specific solution exists within the checkpoint products. Any help in confirming this is greatly appreciated.

I have a client requesting a Remote Access compliance solution as follows:

Scenario:

Users - Active directory (some on the domain, and 3rd party users and contractors off the domain). Of the users on the domain, there are 2 OUs which users will be in.

Remote Access setup:

Endpoint Security VPN, with most users on windows desktop client (some mac users)
Desktop Policy, and SCV checks are applied

Requirements:

Perform compliance checks on AD users in the 2 OU groups, consisting of (check whether a process is running) and (whether they are using a corporate asses - IE. Domain check). These checks can easily be done via the SCV file. No issue there.
Perform different compliance checks on users not on the domain
Allow each type of user to connect based on success of their different compliance requirements

Constraints:

All users must use the same method to connect (desktop client)
All users must use the same gateway to connect

Problem(s):

The SCV checks apply to all users non-discriminatorily.
A user must pass all checks or they are non-compliant
If a user fails one check, they are non-compliant
The SCV file does not allow IF statements (If the user is in this OU, then check if the process is running, else allow connection)

What I've tried:

ScriptRun monitor push down to members in the two OU's. The powershell script would accomplish the process and domain check. However the ScriptRun check would still try to execute for all users, not just the OU users, so in the end the non-domain users would still fail the compliance and be unable to connect.

Conclusions:

There is a lot of granularity with regard to protection of applications once the user has connected to the VPN, but not any options for enforcing different compliance requirements depending on the user, in order to connect to the VPN. Maybe I am wrong, and that’s why I am here looking for possible solutions I have missed.

Summary:

I'm hoping I'm missing something and there is a way to enforce different compliance requirements depending on the user, and allowing the user to connect to the VPN depending on the success of their individual compliance requirements. With all users connecting to the same gateway via the same method - desktop client.

Many thanks in advance.

Re: Remote Access (selective) Compliance

PhoneBoy — Fri, 05 Mar 2021 20:15:47 GMT

SCV doesn't apply to Mac endpoints currently, so you'd have to bypass that check on Mac computers.
For that, you'd need to use Compliance checks as that's the only thing currently supported.
(SCV support for Mac is on the roadmap)

I assume you could write the script pushed via ScriptRun to check whether the computer is in the domain or not and return a different result based on that.
Seems like the cleanest solution for this since SCV otherwise applies to all users.

Re: Remote Access (selective) Compliance

Yuber_Sierra_av — Wed, 28 Dec 2022 23:05:16 GMT

Hello,

I have a similar situation:

We are restricting VPN access to only computers belonging to our corporate domain with a SCV RegMonitor.

The problem I have now is how make exclusions to that check, to allow connections from supplier computers which don't belong to the domain. I was thinking about install a software on those PCs and configure a Process Monitor SCV Check, but the problem is that a user must pass all checks or they are non-compliant.

Is there any way or hotfix to let SCV Checks to allow conections if one of several conditions are met (i.e. computer belongs to domain OR computer is running a process) ?

Thank you.

topic Re: Remote Access (selective) Compliance in SASE and Remote Access

Remote Access (selective) Compliance

Re: Remote Access (selective) Compliance

Re: Remote Access (selective) Compliance