Steve_Pearson
Participant

Endpoint Security Client with Access Role controlled security policy

We have R80.20 firewalls with R80.20 management and endpoint server.

The main security policy on the firewall uses inline rules for content security, which are controlled by Access Roles linked to LDAP groups in the AD. (Works nicely!)

All users have the Identity Agent installed, which provides their identity to the firewall, and hence their access role membership. Again this works nicely!

(We tried using AD Query to provide the identity, but this proved troublesome for laptop users that move around the LAN from wired to wireless connections, as it required a logon-type event to trigger the change to the firewall.)

We then deployed the Endpoint Security Client to all laptop users. This worked fine whilst they were on site and connected to the LAN (no VPN required), but when working remotely the VPN will connect but no LAN resources are available. This was traced to the identity agent, which connects to the firewall as soon as the VPN comes up, which in turn causes the firewall identity blade to recognise a secondary connection because the VPN has already identified the user. This causes the initial identity session to be dropped to allow the second one, but as soon as the first one drops the user has no identity with which to match any of the Access Roles to allow the reconnection. Result: VPN shows connected but no traffic allowed through the firewall.

Resolution: Close the Identity Agent before connecting the VPN. This means that the users have to remember to stop it off site and start it on site, which is far from ideal!

We were advised that the Identity Agent is not designed to run with the Endpoint VPN Client, and is not actually required, as the Endpoint Client provides the identity anyway. However, this does not appear to be the case unless the VPN is connected.

I can't believe we are the only people with this setup, so, has anyone else experienced these issues?

How is everyone else configuring this type of setup requirement?

Any advice gratefully received!


0 Replies