SmartEndpoint isn't required here at all, but enabling Identity Awareness will definitely be a good idea.
You could actually create two different Access Roles here:
- One that just specifies the relevant networks/hosts (optionally tie it to specific AD groups)
- Another that is Remote Access users
![Screen Shot 2020-08-03 at 12.22.01 PM.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7461i6FFDBB11A5382D03/image-size/medium?v=v2&px=400)
Make sure Remote Access is a valid identity source in the gateway/cluster object:
![Screen Shot 2020-08-03 at 12.23.21 PM.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7462iD968864874C34842/image-size/medium?v=v2&px=400)
Note: the reason I am suggesting an Access Role for the networks, versus just using the network objects, is that you generally can't mix regular network objects and access roles in the source/destination field of a rule.
I believe this limitation is removed in R80.40.