
Using LDAP for user authentication on Check Point VPN

Hello everyone!
Please help!
At the moment I'm using Check Point local users to connect to the client-to-site VPN.
But I want to improve this and change the whole VPN authentication method to LDAP.
For test purposes, I already have a group in AD that is shared with Check Point, so we are able to do that and it really works.
However, I don't want to ask the AD admin to create AD groups every time we are asked to provide VPN access.
Is there a way to add AD users to a VPN rule without using an AD group?
Let me explain better: we are a big organization, so we have different kinds of users with different needs, so we need to create different kinds of access groups. Since I know that VPN rules only accept legacy users in groups, I'd like to know if there's a way to designate some AD users directly in firewall rules, or a way to do this without contacting the AD admin to create the groups.

Thanks in advance!

Check Point R77.30

2 Replies

When you have Identity Awareness set up and connected to your AD, you can create access roles; within those roles you can add individual users and/or groups and/or machines to allow certain traffic. So, in other words, yes, this is possible.
Regards, Maarten

Well, I do know that. I'm having some success with this research. At this point I discovered that, as a first step, I need to allow AD users to connect via Remote Access, so I made this work by adding the AD group "Domain Users" to Remote Access. But right now every single account is able to log in to Remote Access. I created an individual-account access role, added it to a rule, and it is working now; I was able to access my host. But I was wondering whether enabling the whole AD group "Domain Users" to connect to Endpoint Security is a good idea from a security standpoint.
Is it a best practice to put this kind of rule at the top of the rule table?

I'm just wondering why no one has had this question before; I didn't find any message about it.

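Maarten's reply says an access role can list individual users, groups or machines, and the follow-up reply notes that putting "Domain Users" into Remote Access lets every account log in. The Python script below is added here as an illustration; it is not code from this thread or from Check Point. It models how an identity rule of that shape selects accounts against a small constructed AD snapshot, and it covers two details that matter when you audit how wide such a rule really is: nested groups are expanded transitively, and membership in "Domain Users" comes from each user's primaryGroupID (RID 513) rather than from the group's member attribute, so a naive query of member on that group returns almost nobody. The Rule class, the DIRECTORY snapshot, the DN constants and the function names are assumptions made for this example.

```python
"""Model of how an identity rule (users, groups, machines) selects AD accounts.

Added illustration, not Check Point code. The directory below is a constructed
snapshot of a few AD objects; Rule, expand_group and allowed_accounts are
hypothetical names chosen for the example.
"""
from dataclasses import dataclass, field

BASE = "DC=corp,DC=example"
DOMAIN_USERS_DN = f"CN=Domain Users,CN=Users,{BASE}"
VPN_FINANCE_DN = f"CN=VPN-Finance,OU=Groups,{BASE}"
FINANCE_LEADS_DN = f"CN=Finance-Leads,OU=Groups,{BASE}"
ALICE_DN = f"CN=alice,OU=Staff,{BASE}"
BOB_DN = f"CN=bob,OU=Staff,{BASE}"
DAVE_DN = f"CN=dave,OU=Staff,{BASE}"
SVC_DN = f"CN=svc-backup,OU=Service,{BASE}"
LAPTOP_DN = f"CN=LAPTOP-01,OU=Workstations,{BASE}"

# Constructed AD snapshot: DN -> attributes. 'member' holds direct members only,
# as AD stores it. Ordinary users are NOT listed under Domain Users; they belong
# to it through primaryGroupID == the group's primaryGroupToken (513).
DIRECTORY = {
    DOMAIN_USERS_DN: {"objectClass": "group", "primaryGroupToken": 513, "member": []},
    VPN_FINANCE_DN: {"objectClass": "group", "primaryGroupToken": 1106,
                     "member": [ALICE_DN, FINANCE_LEADS_DN]},      # nested group
    FINANCE_LEADS_DN: {"objectClass": "group", "primaryGroupToken": 1107,
                       "member": [DAVE_DN]},
    ALICE_DN: {"objectClass": "user", "sAMAccountName": "alice", "primaryGroupID": 513},
    BOB_DN: {"objectClass": "user", "sAMAccountName": "bob", "primaryGroupID": 513},
    DAVE_DN: {"objectClass": "user", "sAMAccountName": "dave", "primaryGroupID": 513},
    SVC_DN: {"objectClass": "user", "sAMAccountName": "svc-backup", "primaryGroupID": 513},
    # Computer accounts default to Domain Computers (515), not Domain Users.
    LAPTOP_DN: {"objectClass": "computer", "sAMAccountName": "LAPTOP-01$", "primaryGroupID": 515},
}


@dataclass
class Rule:
    """Identity rule listing users, groups and machines by DN (hypothetical shape)."""
    name: str
    users: list = field(default_factory=list)
    groups: list = field(default_factory=list)
    machines: list = field(default_factory=list)


def expand_group(group_dn, directory, seen=None):
    """DNs of all non-group members of group_dn, following nested groups and
    primary-group membership. `seen` guards against membership cycles."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    group = directory.get(group_dn)
    if group is None or group.get("objectClass") != "group":
        return set()
    members = set()
    for dn in group.get("member", []):
        entry = directory.get(dn)
        if entry is None:
            continue  # stale member DN (deleted object)
        if entry.get("objectClass") == "group":
            members |= expand_group(dn, directory, seen)
        else:
            members.add(dn)
    token = group.get("primaryGroupToken")
    if token is not None:  # primary-group members never appear in 'member'
        members |= {dn for dn, e in directory.items() if e.get("primaryGroupID") == token}
    return members


def allowed_accounts(rule, directory):
    """sAMAccountNames the rule matches: listed users and machines plus every
    account reachable through the listed groups."""
    dns = set(rule.users) | set(rule.machines)
    for g in rule.groups:
        dns |= expand_group(g, directory)
    return {directory[dn]["sAMAccountName"] for dn in dns if dn in directory}


def exposure_report(rules, directory):
    """Rule name -> sorted account list, to compare how wide each rule is."""
    return {r.name: sorted(allowed_accounts(r, directory)) for r in rules}


if __name__ == "__main__":
    rules = [
        Rule("domain-users", groups=[DOMAIN_USERS_DN]),
        Rule("alice-only", users=[ALICE_DN]),
        Rule("finance", groups=[VPN_FINANCE_DN], machines=[LAPTOP_DN]),
    ]
    for name, accounts in exposure_report(rules, DIRECTORY).items():
        print(f"{name}: {accounts}")
```

Running it prints the accounts each rule reaches: the "domain-users" rule matches every user object in the domain, service account included, while the per-user and per-group rules stay narrow. The script only models membership resolution so you can reason about a rule's scope before committing it; it does not reproduce the gateway's own matching, and a real audit would feed it an LDAP export of the same attributes (member, primaryGroupID, primaryGroupToken) instead of the constructed snapshot.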