This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Di_Junior
Advisor
Advisor
‎2018-12-09 02:57 PM

LDAP groups in Remote Access VPN Rules

Dear Mates

I have been searching around, and so far I was not able to find an answer to the issue that I am facing.

I have currently migrated our VPN solution to Check Point RA VPN, but I am having an issue when it comes to create rules for remote access users. Each group has permissions to access different machines remotely, so I have requested the creation of specific LDAP groups to be used for remote access.

Unfornatunately, when a use an LDAP group in the Source field of the policy, users are not being able to authenticate. The authentication only works when I select the option "All Account Unit´s Users".

Any idea on how this issue could be overcomed? or a workaround perhaps? 

Thanks in advance

8 Replies
Vladimir
Champion
Champion
‎2018-12-09 03:36 PM

Try using Access Roles instead of LDAP group and select the desired AD group under "Users" section of the role:

Di_Junior
Advisor
Advisor
‎2018-12-09 10:30 PM
In response to Vladimir

Hi Vladimir,

When I try that I get the following error during policy verification:

"

Firewall and Address Translation Policy Verification:
Verifier warnings: Rule 32: Only User Groups are allowed as Source in VPN and Client Authentication Rules

"

Note: I am still using R77.30.

Thanks

0 Kudos
Danny
MVP Platinum
MVP Platinum
‎2018-12-10 12:22 AM
In response to Di_Junior

Since you are still using R77.30, which you should have mentioned in your first post, you need to remove the RemoteAccess VPN group from the VPN column.

Di_Junior
Advisor
Advisor
‎2018-12-10 01:33 AM
In response to Danny

HI Danny

Thanks for your contribution, and sorry about not mentioning that I am using R77.30 later.

I would like to know why you suggested ti remove the RemoteAccess VPN group from the VPN Column since I want the users to connect using the Remote Access Community.

Thanks once again

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-12-10 07:42 AM
In response to Di_Junior

Have a look into sk64400: Policy Verification Error: "Only User Groups are allowed as Source in VPN and Client Authen...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Rick_Rodrix
Contributor
‎2019-07-18 01:32 PM
In response to G_W_Albrecht

Hi there!

I have the same issue. 

I´ve added a access role with a AD user in a firewall rule with "any traffic" in "VPN", but I can´t connect using "Endpoint Security".

In Smartlog I receive the message from blade Mobile Access,  "User does not belong to the Remote Access Community,"

System version R77.30

Endpoint Security E80.80.

 

 

0 Kudos
Andy_Van_Horn
Explorer
‎2020-03-16 12:45 PM
In response to Vladimir

Valdimir, Is this example for R80.30 ? I am on R80.10 and do not see the "+" option, only the manual input

 

Thanks,

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-16 06:02 PM
In response to Andy_Van_Horn

Looks like it's there in the R80.10 UI for me when I go to look.
A screenshot of what exactly you're seeing might help.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events