This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rick_Rodrix
Contributor
‎2019-07-18 12:52 PM

Using ldap for user authentication on vpn checkpoint

Hello everyone!
Please Helllp!!
At this moment I´m using  Checkpoint local users to connect to Client-to-site VPN. 
But I want to improve this and change all the method of VPN authentication to LDAP.
For tests purposes, I´ve already a group on AD where we use shared with Checkpoint then we are able to do that and it realy works.
By now, I don´t want to ask AD admin to create AD groups everytime we are asked to provide an VPN access.
Is there a way to add AD users to a VPN rule without using a AD group?
Let me explain better: we are a big organization, so we have diferents kinds of users with different needs, so we need to create differents kinds of access groups. Since I know that VPN rules only accept legacy users on groups, I´d like to know if theres a way to designate some AD users directly on firewall rules, or a way to do this without to contact AD admin to create the groups.

Thanks in advance!

Checkpoint r77.30

0 Kudos
2 Replies
Maarten_Sjouw
Champion
Champion
‎2019-07-18 01:50 PM

When you have Identity Awareness setup and connected to your AD, you can create access roles, within those roles you can add individual users and/or groups and/or machines to allow certain traffic, so in other words yes this is possible.
Regards, Maarten
0 Kudos
Rick_Rodrix
Contributor
‎2019-07-18 02:38 PM
In response to Maarten_Sjouw

Well, I do know that. I´m getting some success on this research. At this time, I discovered that for the first step, I need to allow AD users to connect in Remote Access, so I made this work adding the AD group "Domain Users" in Remote Access. But right now, every single account is able to login on Remote Access. I did a individual account role access and added to a rule and it is working now, I was abble to access my host. But I was wondering if to enable all the AD group "Domain Users" to allow connect to Endpoint Security is a good idea for security issues. 
Is it a best practice to put this kind of rule at the top of the rule table?

I just wondering why no one had this question before, I didn´t find any message about this.

(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events