Restricting access to corporate devices

We are evaluating Check Point VPN and one of the things it needs to do is control client access based on whether the device is corporate or non-corporate.

What we need it to do is the following:

  1. Corporate-owned devices (Windows, Mac, Linux, iOS, Android) need to be able to connect to the VPN and have access to all internal and DMZ-based systems. Authentication will be done with LDAP (Active Directory).
  2. Contractors need to be able to connect to the VPN and access certain systems in the DMZ. Authentication will be done with LDAP (Active Directory).

In an ideal world I would like to be able to push a certificate to the corporate machines and have it inspected at VPN connection time, and then based on this allow the machine into the internal network. For Windows we have Group Policy/SCCM and for Mac we have Jamf, so we can push whatever we need. The contractors would get access based on their username/password.

Basically I want to stop an employee from going to Aldi and buying a PC, then using it to connect to the internal network through the VPN with their username and password.

How can Check Point do this? Any ideas?

 

Re: Restricting access to corporate devices

I would suggest using ESOD (Endpoint Security on Demand) with SNX; see the Remote Access VPN Administration Guide R80.20, p. 132ff. This makes it possible to use, e.g., a Windows registry key deployed by GPO to differentiate between corporate and contractor PCs.

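As an added example (not code from the thread or from Check Point), the following PowerShell script deploys the kind of GPO-delivered registry marker the reply above describes, suitable for a GPO startup script or an SCCM package. The key path `HKLM:\SOFTWARE\Contoso\DevicePosture`, the value name `CorporateDevice` and the expected value `1` are assumptions; the matching ESOD registry check is configured in the policy described in the guide, not here.

```powershell
#Requires -RunAsAdministrator
# Added example: write a corporate-device marker that an ESOD registry check can
# look for, and lock the key so only SYSTEM and local Administrators can change it.
# Key path, value name and value are assumptions chosen for this example.
$KeyPath   = 'HKLM:\SOFTWARE\Contoso\DevicePosture'
$ValueName = 'CorporateDevice'
$Expected  = 1

# Create the key if it does not exist and set the marker as a DWORD.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected -Type DWord

# Replace inherited permissions with an explicit set: full control for SYSTEM and
# Administrators, read-only for Users, so a standard user cannot alter the marker.
$acl = Get-Acl -Path $KeyPath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited rules
$rules = @(
    New-Object System.Security.AccessControl.RegistryAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit', 'None', 'Allow'),
    New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow'),
    New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Users', 'ReadKey', 'ContainerInherit', 'None', 'Allow')
)
foreach ($rule in $rules) { $acl.SetAccessRule($rule) }
Set-Acl -Path $KeyPath -AclObject $acl

# Verify the same way a posture check will: read the value back and compare it.
$actual = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
if ($actual -eq $Expected) {
    Write-Output "Marker present at $KeyPath\$ValueName = $actual (corporate device)"
} else {
    Write-Output "Marker missing or wrong at $KeyPath\$ValueName (got '$actual')"
}
```

Writing the marker under HKLM with write access limited to SYSTEM and Administrators means a standard user on a managed PC cannot add or change it. A check like this only proves the value is present, though: on a PC the employee owns and administers, the same key can be created by hand. That is why the machine certificate the original question asks for, enrolled from the corporate CA and pushed by GPO or Jamf, is the harder marker to reproduce on an unmanaged device.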

Re: Restricting access to corporate devices

Great, thanks! How do I differentiate between Windows and non-Windows machines in the policies? I am more interested in stopping private Windows machines than Mac or Linux. Is it a case of looking at the client type, meaning having multiple lines for the internal employees, each with a different client version?

I have also seen that I can check if the machine is in a specific AD group. Has anyone had any success with this, and will it also work with Mac (if they are registered in the domain)?


Re: Restricting access to corporate devices

Please first have a good read through the R80.20 Remote Access VPN Administration Guide and afterwards, after digesting the contained information, ask the questions that have been left over!


Re: Restricting access to corporate devices

All you need is a one- to two-day PS consultant 🙂 and the job is done!
Jerry