Karan0587
Explorer

Need help in understanding policy for mobile access users (based on security group)


We have a customer who wants the following setup with remote access:

 

1) Designated user groups in AD should be able to log in (no one else).

I created the attached policy for login, with the designated security group that is part of the Remote Access object as the participating group. Now whoever is not part of the group is not able to log in, so this works.

2) Then create policies on the basis of those groups: different sets of policies when connected through remote access.

I am not able to get the policy to work on specific applications, e.g. ANZ-VPN should only be able to access RDP services, and EMEA-VPN should only be able to access http/https services.

 

Will these access rules be created below the auth policy (for remote access)?

 

If someone can share snapshots of the policy showing how they achieved this, or a document, that would be awesome.

 

Setup

GAIA - R81

Smart Cloud Mgmt with a Cluster + Duo MFA setup

 

 

Any help would be appreciated.

PhoneBoy
Admin

You would create similar rules to the one you've attached with Access Roles that refer to the different groups of users, destinations, and applications.
What precisely did you try and what was the precise result?

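As an added illustration of the rules described above (not code from the thread or from Check Point), this script builds the two Access Roles and the two per-group rules with the Management API CLI, mgmt_cli. The AD domain object "CP_AD", destination groups "RDP_Servers" and "Web_Servers", the layer name "Network", package "Standard" and gateway "RA_Cluster" are assumed names; "Remote_Desktop_Protocol" is the predefined TCP/3389 service.

```shell
#!/usr/bin/env bash
# Hypothetical rule builder for the ANZ-VPN / EMEA-VPN setup.  Object names
# (CP_AD, RDP_Servers, Web_Servers, Standard, RA_Cluster) are assumptions.
# Set MGMT_CLI=echo to dry-run and only print the commands that would be sent.
set -eu
MGMT_CLI="${MGMT_CLI:-mgmt_cli -r true}"   # -r true: run as root on the Mgmt server
AD_DOMAIN="${AD_DOMAIN:-CP_AD}"            # assumed AD domain object name

# One Access Role per AD security group.  remote-access-clients "any" lets the
# role match identities learned from Remote Access logins, so the Office Mode
# pool IPs do not have to appear in the source column at all.
add_role() {   # add_role <role-name> <ad-group>
  $MGMT_CLI add access-role name "$1" \
    networks "any" machines "any" remote-access-clients "any" \
    users.1.source "$AD_DOMAIN" users.1.selection "$2"
}

# Per-group rule: Access Role in the source column, only the allowed services.
add_rule() {   # add_rule <rule-name> <role> <destination> <service>...
  name=$1; role=$2; dst=$3; shift 3
  i=1; svc_args=""
  for svc in "$@"; do svc_args="$svc_args service.$i $svc"; i=$((i+1)); done
  $MGMT_CLI add access-rule layer "Network" position top name "$name" \
    source "$role" destination "$dst" $svc_args action "Accept" track.type "Log"
}

apply_all() {
  add_role "Role_ANZ-VPN"  "ANZ-VPN"
  add_role "Role_EMEA-VPN" "EMEA-VPN"
  # ANZ users: RDP only.  Anything else they try falls to the Cleanup rule.
  add_rule "RA ANZ RDP"  "Role_ANZ-VPN"  "RDP_Servers" "Remote_Desktop_Protocol"
  # EMEA users: HTTP/HTTPS only.
  add_rule "RA EMEA Web" "Role_EMEA-VPN" "Web_Servers" "http" "https"
  $MGMT_CLI publish
  $MGMT_CLI install-policy policy-package "Standard" targets.1 "RA_Cluster"
}

# Only act when explicitly asked: ./ra_rules.sh apply
case "${1:-}" in apply) apply_all ;; esac
```

These rules only match once the gateway actually learns identities from Remote Access logins, which is a gateway-side setting (Identity Awareness identity source and, as the thread's final post found, a unified rather than legacy Remote Access policy), not something this script changes.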
Karan0587
Explorer

Hi,

 

Thanks for the reply. I tested the rule which has the Access Role as source and the allowed port, but it doesn't work.

I believe there is a rule underneath with Office Mode pool IP addresses included in one policy. The question is, do I remove the Office Mode as source when we are using Access Roles in the policies?

I will test the above scenario as well today and will let you know how it goes.

PhoneBoy
Admin

You should not need to use the Office Mode IPs directly in rules when using Access Roles (unless some Remote Access user isn't covered by an Access Role).

Karan0587
Explorer

Hi,

 

I just tried the above: I removed the Office Mode pool from the policy, defined the specific AD group as an Access Role in the source, and allowed some applications, but still no go. In the logs I am seeing it hit the Cleanup rule.

 

My question is: what happens if the user is part of multiple groups in AD? And am I missing something?

 

PhoneBoy
Admin

Multiple groups shouldn’t matter.
As long as it matches one of the groups defined in the Access Role it should be included.
Is Remote Access one of the identity sources configured for the relevant gateway in Identity Awareness?

Karan0587
Explorer

Thanks for your help, I tested again today and it is working as expected.

One thing I did: in Gateway Properties >> Remote Access >> Policy, "legacy" was selected instead of "unified"; I changed it to unified.
