This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rodrigo_Mezetti
Contributor
‎2021-02-15 10:48 AM

Do not view LDAP groups

Hey guys

I need to limit user authentication on vpn using endpoit security and even located in the community "remote access" and there is "all users" but there is no ldap groups for me to do this configuration, only the local group that I created and the local user appears .
In the environment I have several rules that are related to users in the ad, and I came across this situation.

Has anyone ever experienced this ?

 

 

0 Kudos
6 Replies
the_rock
Legend
Legend
‎2021-02-15 01:40 PM

For something like that, use accessroles, not remote access groups.

 

Andy

PhoneBoy
Admin
Admin
‎2021-02-15 04:03 PM
In response to the_rock

That doesn’t prevent you from authenticating to the VPN but it can be used to prevent you from going anywhere if you do connect.
Preventing you from authenticating at all using anything other than a locally defined group of locally defined users is an RFE, I believe.

Rodrigo_Mezetti
Contributor
‎2021-02-16 12:27 PM
In response to PhoneBoy

I made the configuration creating and users / ldap group, indicating the path of the group in the active directory that has the users inside and it worked. Now only those who are in this group are authenticated.

 

Tanks

Karan0587
Explorer
‎2021-06-01 04:31 PM
In response to Rodrigo_Mezetti

Hey  Mate,

 

I am trying to do the same, could you please share the config of AD and access policy as well.

 

Regards

Karan Sharma

0 Kudos
Rodrigo_Mezetti
Contributor
‎2021-06-01 05:49 PM
In response to Karan0587

hi man.. sorry my english..

I created an ldap group, on the right of the smartconsole in user - ldap group. I informed the full path of the OU that has the users who will be able to "authenticate in vpn"
example:
dn-prefix set box
CN=AUTH_VPN - ,OU=Client_vpn,OU=Group,OU=test,DC=testlocal,DC=com,DC=br which is the path you can take in active director via adsi editor

After that I created the rules on the blade firewall/app access rules with the access that each user can have after authenticating, and set vpn ( remote access).
Some accessing remote desktop, others ssh , all under different rules and stating .
Remember to inform the group in the VPN domain of the internal servers in the gateway or cluster properties,

0 Kudos
Karan0587
Explorer
‎2021-06-02 01:08 AM
In response to Rodrigo_Mezetti

Hi Rodrigo,

 

Thanks for your reply so authentication is fixed following your method although i am still confused as how to restrict the ports on the basis of some security groups only for eg i am attaching a rule  which has access roles in source of security group with RDP access only and allowing 3389 tcp port.Is this the way or i have to create an inline layer underneath the actual remote access policy, can u share ur config ( blur the org details).

Capture.JPG
Preview file
18 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top