This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Pierre_Bienaime
Participant
‎2019-11-26 12:50 PM

Check Point Endpoint Security VPN Service only on company-owned devices

Hi Fellow Checkmate Members 

Can anyone help me in achieving this for my company pretty please

Scenario:

We are using "Check Point Endpoint Security" as a remote access client for VPN users. It is working great with no problem. We are currently "Username+Password" as an authentication mechanism.  The problem we are having is the following:

Users can install the client on their own personal devices and connect to the VPN because they are allowed to. Now we want to limit Remove Access VPN connection ONLY using company-owned or company-assigned devices to the user. How do I go about achieving that? We are trying to prevent users from installing the Check Point Endpoint Security client to their personal devices, while not removing their Remote access VPN right on company-owned devices. Please help 😔 

 
 
0 Kudos
Reply
7 Replies
PhoneBoy
Admin
Admin
‎2019-11-26 09:36 PM

This is the kind of thing Endpoint Compliance should solve.
A thread that discusses this is here: https://community.checkpoint.com/t5/Remote-Access-Solutions/Restricting-access-to-corporate-devices/...
You can also achieve something similar with SCV.
See: https://community.checkpoint.com/t5/Remote-Access-Solutions/White-Paper-Check-Point-Compliance-Check...
Reply
Chris_Atkinson
Employee++
Employee++
‎2019-11-27 03:14 AM
In response to PhoneBoy

R80.40 may yield a feature of interest...

Remote Access VPN

Use machine certificate to distinguish between corporate and non-corporate assets and to set a policy  enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).

Reply
Pierre_Bienaime
Participant
‎2019-11-27 08:40 AM
In response to Chris_Atkinson

Thank you Chris,
This is the path that I am intending to take, but I want to know how to I go about the certificate registration process
0 Kudos
Reply
Pierre_Bienaime
Participant
‎2019-11-27 08:41 AM
In response to PhoneBoy

That is a very good approach PhoneBoy thank you. I will dive through the links to have a deeper understanding
0 Kudos
Reply
Tommy_Forrest
Advisor
‎2019-11-27 04:36 AM

Change your authentication method so that it is Username+Password+Certificate and only agree to allow them to register a corporate device with the generated Certificate.

While it isn't impossible to export certificates off of a Windows box, it takes some work to get it done and is beyond the capabilities of most users.

Reply
Pierre_Bienaime
Participant
‎2019-11-27 08:37 AM
In response to Tommy_Forrest

Hi Tommy ,
That is the route that I am currently exploring. I see that you have mentioned the Registration of a Corporate device. I am not familiar with how to process will go after enabling the use of "Username+Password+Certificate" on my perimeter Gateways. I do not have a sandbox environment to try, and I want a clear path as to what would follow to complete the process after enabling the setting. I am glad you have mentioned this process, and if I can get a follow up on that, it will be great, thank you in advance
0 Kudos
Reply
Di_Junior
Advisor
‎2020-05-15 07:35 AM
In response to Pierre_Bienaime

Hi Pierre

Did you perhaps found a solution for this?

Thanks in advance
0 Kudos
Reply