cdooer
Participant

Check Point Mobile Access Compliance vs SCV

Hello everyone. Apologies if this is a stupid question, but we've got a requirement to lock down our Remote Access VPN solution a little more than it currently is, by checking that a user's machine is a domain member, and maybe looking for an embedded file. I was originally looking at using SCV for this, but ran across the compliance piece of the Mobile Access blade while doing some reading. Are there any advantages/disadvantages from one to the other?

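One way to see on a Windows client what a "domain member plus marker file" posture check would observe, as an added example written for this page (it is not Check Point SCV or Endpoint Compliance code, and does not replace either): it verifies that the machine is joined to the expected domain and that a marker file is present with the expected SHA-256. The domain name, marker path and hash are placeholder assumptions to be replaced.

```powershell
# Added example for this thread, not Check Point product code.
# Checks the two posture conditions the question describes:
#   1. the machine is joined to the expected AD domain
#   2. a marker file exists and its SHA-256 matches a pinned value
# The three defaults below are assumptions; replace them for your environment.
param(
    [string]$ExpectedDomain = 'corp.example.com',                   # assumption
    [string]$MarkerPath     = 'C:\ProgramData\Corp\vpn-marker.bin', # assumption
    [string]$MarkerSha256   = 'REPLACE_WITH_PINNED_SHA256'          # assumption
)

function Test-DomainMembership {
    param([string]$Expected)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # PartOfDomain is $false on workgroup machines. Also require the expected
    # domain name so a machine joined to some other domain does not pass.
    return ([bool]$cs.PartOfDomain -and ($cs.Domain -ieq $Expected))
}

function Test-MarkerFile {
    param([string]$Path, [string]$ExpectedHash)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    # Presence alone is trivially faked with an empty file of the right name;
    # compare the hash so only the distributed marker satisfies the check.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return ($actual -ieq $ExpectedHash)
}

$domainOk = Test-DomainMembership -Expected $ExpectedDomain
$markerOk = Test-MarkerFile -Path $MarkerPath -ExpectedHash $MarkerSha256

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    DomainMember = $domainOk
    MarkerValid  = $markerOk
    Compliant    = ($domainOk -and $markerOk)
} | Format-List

# Non-zero exit code so a wrapper or scheduled task can treat it as a failure.
if (-not ($domainOk -and $markerOk)) { exit 1 }
```

This is diagnostic only: a script on the client cannot deny a VPN connection by itself, and the actual enforcement has to come from the gateway (SCV) or from the Endpoint Compliance state policy discussed further down the thread. A file on a user-controlled machine is weak evidence on its own, so pin the hash and keep the marker in a location a standard user cannot write to.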
G_W_Albrecht
Legend

These are two different technologies, see sk67820:

- SCV is the legacy method for Windows RA clients (Endpoint / VPN, SNX, among others)

- The clientless Mobile Access Portal has its own Endpoint Security on Demand (ESOD)

To compare the configurable options you should consult the relevant admin guides.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin

There's also a third option: Endpoint Compliance.
However, this requires Harmony Endpoint licenses OR legacy CPEP-ACCESS licenses.
SCV will work with your existing Mobile Access license. 

Keep in mind that using MAB for this purpose will require logging in via the MAB portal and require the deployment of Java on client machines.
Unless you're already doing this, it's probably better to stick with SCV or Endpoint Compliance.

cdooer
Participant

I didn't realize that using the Mobile Access Blade for this posturing piece would require Java to be installed on client machines... this is a showstopper, since Java has recently been removed from all client machines due to security/licensing concerns.

When I look under my support portal on the Check Point site, I see that I've got enough Endpoint Total Security Package licenses to cover off all 2000 of my users. Would this license include the compliance piece I'm looking for?

PhoneBoy
Admin

Compliance Blade on Endpoint is included with all the modern Endpoint SKUs (even basic level).

cdooer
Participant

Hey folks. Struggling to get this working. We've got an open call with TAC, but they also seem to be confused on exactly how it works. Compliance will report the machine as not being compliant, but won't take any action. Our Endpoint server is different from our firewall management server (that manages the VPN gateways), and I'll admit, I'm confused on exactly how these two talk to each other. Any real-world guides on how these integrate?

All clients are running Endpoint Security, no need for any other method of connecting.  

PhoneBoy
Admin

The only real "integration" relates to licenses (some of which need to occur on the gateway) and Remote Access VPN.
If you expect actions to be taken based on compliance results, you need to configure remediation actions and/or a Restricted policy.
Refer to: https://support.checkpoint.com/results/sk/sk162635 

cdooer
Participant

Does there need to be a remediation action? Currently the client is showing as out of compliance, but they've got full access to the network, and the action is set to Restrict. Is there a way to cut off access if the client isn't compliant?

PhoneBoy
Admin

Did you configure a Restricted State policy at all?
This is described under the "Configuring Compliance States Enforcement" heading of the SK I previously linked.

cdooer
Participant

The Compliance blade doesn't seem to have the option to be Restricted... only Connected or Disconnected. This seems to be confirmed when I attempt to create the rule:

The following Policies can have different configurations for Restricted state:

  • Firewall
  • Access Zones
  • Application Control
  • Media Encryption & Port Protection