This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Fzahinos
Participant
‎2020-04-01 09:34 AM
Jump to solution

How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Groups

Hello everyone,

we are using AD users for remote access VPN. We have defined some Access Roles for serveral AD Groups, but,  we have observed every AD user can log in via VPN client (end point sercurity), regardless the user has a security policy associated or not. If the user is not included in a security policy, of course, they are not able to access to  some where, but, they still can do the log in successfully on the VPN client.

So, somehow, we would like to allow the AD authentication for remote access VPN  just for those users belonging to the Access Roles or for some specific AD Groups.

How could we do this configuration?

Thanks for your help.

0 Kudos
1 Solution

Accepted Solutions
Wolfgang
MVP Gold
MVP Gold
‎2020-04-02 05:25 AM
In response to Norbert_Bohusch
Jump to solution

@Norbert_Bohusch 

you're right, thanks for clarification 😀

With this configuration anyone can login via VPN client, regardless the configured access rules.

RemoteAccess_all.PNG

With this configuration the login via vpn client is failing if the user is not member of the shown group. This is to restrict the generally access to the remote access vpn.

RemoteAccess_group.PNG

View solution in original post

15 Replies
Wolfgang
MVP Gold
MVP Gold
‎2020-04-01 12:20 PM
Jump to solution

Fzahinos,

on the RemoteAccess community you can restrict the access to VPN via local or LDAP user group. Remove the normally shown „all users“ and add your own ldap group. Every user not being member of this group will be not allowed to connect.

Wolfgang
Fzahinos
Participant
‎2020-04-02 12:15 AM
In response to Wolfgang
Jump to solution

Thanks Wolfgang.

I have a doubt about this solution. In case an user is included in two LDAP or Users Local Groups, shoud I define the two LDAP  Groups as Participant User Groups?

BR,

Fzahinos.

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2020-04-02 01:54 AM
In response to Fzahinos
Jump to solution

Fzahinos,
if the user is in more then one Group, one Group is enough to allow the remote Access.
We are using normal rules with access_roles as source for allowing the specific access to Destination and services inside the Network.
With the group on the remote access community we're allowing the generally access to VPN. For this we created a new group in ActiveDirectory and reference them there. Now we can regulate which users can generally connect via remote access, regardless the access_roles.
Wolfgang
Bac26
Contributor
‎2020-04-02 02:54 AM
In response to Wolfgang
Jump to solution

Hello

but in case you use access role on rules than you need to create ldap group to filter on the remote access community, bit annoying

Fabio

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2020-04-02 04:48 AM
In response to Bac26
Jump to solution

@Bac26 

yes you are right, it's little bit confusing.

But you can add only local or ldap groups to the remote access community, it would be better with a normal access role but that's how it works. Maybe one day Check Point will allow access roles with all configurations, but at the moment some things can be done only with ldap-groups

We added there only one ldap-group named "remote_access_allow_general". This is configured in two minutes and then you can forget about ldap-groups 😉

Wolfgang

Bac26
Contributor
‎2020-04-02 04:59 AM
In response to Wolfgang
Jump to solution

what do you mean exaclty with "remote_access_allow_general"? anyway if you have different access role group you will need the matching one the remote access community, if not any user anyway will log in (even after without have access to resources)

0 Kudos
Norbert_Bohusch
Advisor
‎2020-04-02 05:10 AM
In response to Bac26
Jump to solution

He means the LDAP group is specified only on first implementation and every VPN user is added to this group through AD.
Later on this group doesn't need to be changed configuration-wise in Check Point and only access roles need to be configured/modified to allow specific access on rules.
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2020-04-02 05:25 AM
In response to Norbert_Bohusch
Jump to solution

@Norbert_Bohusch 

you're right, thanks for clarification 😀

With this configuration anyone can login via VPN client, regardless the configured access rules.

RemoteAccess_all.PNG

With this configuration the login via vpn client is failing if the user is not member of the shown group. This is to restrict the generally access to the remote access vpn.

RemoteAccess_group.PNG

Bac26
Contributor
‎2020-04-02 05:44 AM
In response to Wolfgang
Jump to solution

Ok got it what you mean!

 

Thank you
Fabio

0 Kudos
Rui_Gomes_PT
Contributor
‎2020-04-07 02:27 AM
In response to Wolfgang
Jump to solution

Hi,
Does this works with nested groups?
Thanks
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2020-04-07 04:34 AM
In response to Rui_Gomes_PT
Jump to solution

Not sure, you have to try.

Following Mobile Access and Endpoint clients LDAP nested groups are not enforced correctly

it's not supported. But I think this article is meaning the access rules itself and not the group for the remote access community.

Wolfgang

Rajnesh_Chand
Explorer
‎2020-04-11 07:51 AM
In response to Wolfgang
Jump to solution

Hi,

 

I'm unable to either add custom ldap group or delete the default All Users group user Participant Users Group.  Am i missing something?

 

Thanks

Raj

PointOfChecking
Collaborator
‎2021-03-19 04:07 AM
In response to Rajnesh_Chand
Jump to solution

me too

0 Kudos
PointOfChecking
Collaborator
‎2021-03-19 08:59 AM
In response to Rajnesh_Chand
Jump to solution

You also need to create a new LDAP Group in the objects.  Not a User Access Group.

 

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2021-03-24 07:19 AM
In response to PointOfChecking
Jump to solution

Hi,

 

just updating the thread that the issue raised by @PointOfChecking , solved.

In order for VPN to work as an identity source  you must enable "Remote Access" checkbox under Identity Awareness properties.

it is also documented in Identity Awareness Admin Guide.

 

Thanks,

Ilya 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events