This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Fzahinos
Participant
‎2020-04-01 09:34 AM

How to restrict the MS Active Directory Authentication for remote access VPN to specific AD Groups

Jump to solution

Hello everyone,

we are using AD users for remote access VPN. We have defined some Access Roles for serveral AD Groups, but,  we have observed every AD user can log in via VPN client (end point sercurity), regardless the user has a security policy associated or not. If the user is not included in a security policy, of course, they are not able to access to  some where, but, they still can do the log in successfully on the VPN client.

So, somehow, we would like to allow the AD authentication for remote access VPN  just for those users belonging to the Access Roles or for some specific AD Groups.

How could we do this configuration?

Thanks for your help.

0 Kudos
1 Solution

Accepted Solutions
Wolfgang
Mentor
Mentor
‎2020-04-02 05:25 AM
In response to Norbert_Bohusch

Jump to solution

@Norbert_Bohusch 

you're right, thanks for clarification 😀

With this configuration anyone can login via VPN client, regardless the configured access rules.

RemoteAccess_all.PNG

With this configuration the login via vpn client is failing if the user is not member of the shown group. This is to restrict the generally access to the remote access vpn.

RemoteAccess_group.PNG

View solution in original post

15 Replies
Wolfgang
Mentor
Mentor
‎2020-04-01 12:20 PM

Jump to solution
Fzahinos,

on the RemoteAccess community you can restrict the access to VPN via local or LDAP user group. Remove the normally shown „all users“ and add your own ldap group. Every user not being member of this group will be not allowed to connect.

Wolfgang
Fzahinos
Participant
‎2020-04-02 12:15 AM
In response to Wolfgang

Jump to solution

Thanks Wolfgang.

I have a doubt about this solution. In case an user is included in two LDAP or Users Local Groups, shoud I define the two LDAP  Groups as Participant User Groups?

BR,

Fzahinos.

0 Kudos
Wolfgang
Mentor
Mentor
‎2020-04-02 01:54 AM
In response to Fzahinos

Jump to solution
Fzahinos,
if the user is in more then one Group, one Group is enough to allow the remote Access.
We are using normal rules with access_roles as source for allowing the specific access to Destination and services inside the Network.
With the group on the remote access community we're allowing the generally access to VPN. For this we created a new group in ActiveDirectory and reference them there. Now we can regulate which users can generally connect via remote access, regardless the access_roles.
Wolfgang
Fabio_Curcio
Participant
‎2020-04-02 02:54 AM
In response to Wolfgang

Jump to solution

Hello

but in case you use access role on rules than you need to create ldap group to filter on the remote access community, bit annoying

Fabio

0 Kudos
Wolfgang
Mentor
Mentor
‎2020-04-02 04:48 AM
In response to Fabio_Curcio

Jump to solution

@Fabio_Curcio 

yes you are right, it's little bit confusing.

But you can add only local or ldap groups to the remote access community, it would be better with a normal access role but that's how it works. Maybe one day Check Point will allow access roles with all configurations, but at the moment some things can be done only with ldap-groups

We added there only one ldap-group named "remote_access_allow_general". This is configured in two minutes and then you can forget about ldap-groups 😉

Wolfgang

Fabio_Curcio
Participant
‎2020-04-02 04:59 AM
In response to Wolfgang

Jump to solution

what do you mean exaclty with "remote_access_allow_general"? anyway if you have different access role group you will need the matching one the remote access community, if not any user anyway will log in (even after without have access to resources)

0 Kudos
Norbert_Bohusch
Advisor
‎2020-04-02 05:10 AM
In response to Fabio_Curcio

Jump to solution
He means the LDAP group is specified only on first implementation and every VPN user is added to this group through AD.
Later on this group doesn't need to be changed configuration-wise in Check Point and only access roles need to be configured/modified to allow specific access on rules.
0 Kudos
Wolfgang
Mentor
Mentor
‎2020-04-02 05:25 AM
In response to Norbert_Bohusch

Jump to solution

@Norbert_Bohusch 

you're right, thanks for clarification 😀

With this configuration anyone can login via VPN client, regardless the configured access rules.

RemoteAccess_all.PNG

With this configuration the login via vpn client is failing if the user is not member of the shown group. This is to restrict the generally access to the remote access vpn.

RemoteAccess_group.PNG

Fabio_Curcio
Participant
‎2020-04-02 05:44 AM
In response to Wolfgang

Jump to solution

Ok got it what you mean!

 

Thank you
Fabio

0 Kudos
Rui_Gomes_PT
Contributor
‎2020-04-07 02:27 AM
In response to Wolfgang

Jump to solution
Hi,
Does this works with nested groups?
Thanks
0 Kudos
Wolfgang
Mentor
Mentor
‎2020-04-07 04:34 AM
In response to Rui_Gomes_PT

Jump to solution

Not sure, you have to try.

Following Mobile Access and Endpoint clients LDAP nested groups are not enforced correctly

it's not supported. But I think this article is meaning the access rules itself and not the group for the remote access community.

Wolfgang

Rajnesh_Chand
Explorer
‎2020-04-11 07:51 AM
In response to Wolfgang

Jump to solution

Hi,

 

I'm unable to either add custom ldap group or delete the default All Users group user Participant Users Group.  Am i missing something?

 

Thanks

Raj

PointOfChecking
Contributor
‎2021-03-19 04:07 AM
In response to Rajnesh_Chand

Jump to solution

me too

0 Kudos
PointOfChecking
Contributor
‎2021-03-19 08:59 AM
In response to Rajnesh_Chand

Jump to solution

You also need to create a new LDAP Group in the objects.  Not a User Access Group.

 

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2021-03-24 07:19 AM
In response to PointOfChecking

Jump to solution

Hi,

 

just updating the thread that the issue raised by @PointOfChecking , solved.

In order for VPN to work as an identity source  you must enable "Remote Access" checkbox under Identity Awareness properties.

it is also documented in Identity Awareness Admin Guide.

 

Thanks,

Ilya 

0 Kudos