AkiYa
Contributor

How to allow Remote Access VPN from domain computers AND specific external computers?

Hi all,

We use the Endpoint Security client for the Remote Access VPN, and I'm working on tightening access, since I'd like to completely avoid the possibility that an unauthorized external user/device could install the client and connect from anywhere.

The connection is configured with Azure SAML. I know that with the conditional access rules I can limit authentication to domain-registered machines only, but in my case I also need to allow the connection from some external devices (i.e. partners and a couple of admins with their personal PCs).

Is there a way to configure something like an Access Role that matches, for example, a machine ID?
When a user connects with a personal device I can see a specific ID in the Host/Device section of the log; would it be possible to filter on such an ID?

Or is there any other way to allow the connection only for specific, known devices?

Thanks!

5 Replies
PhoneBoy
Admin

Access Roles do support the use of Machine Identities, which usually come from AD.
I believe this information should show in the logs if it's being gathered.
Not sure if it works for external (non-AD-attached) machines.

AkiYa
Contributor

Hi PhoneBoy,

Yes, I know about the Machine Identity, but as you wrote it can be used for domain computers / Kerberos-authenticated machines, whereas I need another type of ID, not related to any domain I manage.

I tried working with Identity Tags, but I didn't quite understand which sources are compatible.

When I connect with a personal computer I can see a specific ID for the machine. The best would be to use this ID in an Access Role, so that external partners could connect only with their specific machines, or, in the case of credential theft, a hacker wouldn't be able to just install the Check Point client and use those credentials to connect:

[Screenshot: aaa.png]

Any other option would be OK, but it must allow only a specific device to connect; I was trying to configure Compliance rules as well, but if, for example, they check for a registry key or file on the device, these could be replicated to any other device.

the_rock
Legend

Not sure this would give you much of a posture check... that's what most companies now offer as a SASE solution.

Andy

PhoneBoy
Admin

Identity Tags are based on information that either comes from the Identity Awareness API or through SAML.
Which suggests that if Entra ID can identify the "authorized machines" and the SAML assertion includes this information... we can use it.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_IdentityAwareness_AdminGuide... 

Not sure we can use the contents of the "ID" field that you show in the log to match specific machines.

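To make the point in the reply above concrete, the following is an added example (not Check Point code, not part of the original thread) showing what a SAML assertion would have to carry for a device-based tag to be derivable from it, and how a relying party would read it. Everything in it is constructed: the attribute name `http://example.org/claims/device-id` is hypothetical (the real claim name is whatever the Entra ID enterprise application is configured to emit), the device identifiers and the tag names are invented, and the sample response is not captured from a real IdP. It deliberately skips XML signature verification; a real consumer must verify the assertion signature first, otherwise any attribute value in it can be forged.

```python
"""Read a device-identifier attribute from a SAML assertion and map it to a tag.

Added example for the thread; not Check Point code. The gateway-side mapping of
SAML attributes to Identity Tags is configured in the product, this only shows
the assertion content and the checks a consumer would apply before trusting it.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical claim name carrying the device identifier (assumption).
DEVICE_ATTR = "http://example.org/claims/device-id"

# Constructed allow-list: device identifier -> identity tag to grant.
KNOWN_DEVICES = {
    "DEV-PARTNER-0001": "partner-devices",
    "DEV-ADMIN-0007": "admin-personal-devices",
}

# Constructed SAML response for the demo (not from a real IdP). No Signature
# element is present; a real consumer must verify the signature before use.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_r1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
    <saml2:Issuer>https://sts.windows.net/example-tenant/</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID>alice@example.org</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2024-01-01T09:55:00Z" NotOnOrAfter="2024-01-01T10:05:00Z"/>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="http://example.org/claims/device-id">
        <saml2:AttributeValue>DEV-PARTNER-0001</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml2:AttributeValue>alice@example.org</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def _parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T10:00:00Z."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Return the first Assertion element of a SAML Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("response contains no Assertion")
    return assertion


def assertion_attributes(assertion):
    """Collect AttributeStatement attributes as {name: [values]}."""
    attrs = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def assertion_is_current(assertion, now):
    """Check the Conditions validity window against the supplied time."""
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        return False
    not_before = _parse_ts(cond.get("NotBefore"))
    not_on_or_after = _parse_ts(cond.get("NotOnOrAfter"))
    return (not_before is None or not_before <= now) and (
        not_on_or_after is None or now < not_on_or_after
    )


def identity_tag_for(xml_text, now, known_devices=KNOWN_DEVICES):
    """Return the tag for the asserted device, or None if it must not be trusted.

    `now` is a SAML-style UTC timestamp string so the check is deterministic.
    A missing, empty or multi-valued device claim is rejected rather than
    guessed at; an unknown device identifier yields no tag.
    """
    assertion = parse_assertion(xml_text)
    if not assertion_is_current(assertion, _parse_ts(now)):
        return None
    values = assertion_attributes(assertion).get(DEVICE_ATTR, [])
    if len(values) != 1 or not values[0]:
        return None
    return known_devices.get(values[0])


if __name__ == "__main__":
    print(identity_tag_for(SAMPLE_RESPONSE, "2024-01-01T10:00:30Z"))
```

Run stand-alone it prints `partner-devices` for the constructed response; change the device value, drop the attribute, or move the clock past `NotOnOrAfter` and it returns `None`. The structure is the point: the tag is only as trustworthy as the IdP's decision to emit that attribute for that device, which is why the Entra ID side (conditional access, device registration) still has to be what binds the user to a known machine.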
the_rock
Legend

Access roles came to my mind as well when I read your post.

Andy
