mbh80
Employee

Remote Access (selective) Compliance

Hello all, I am requesting some assistance in confirming whether a specific solution exists within the Check Point products. Any help in confirming this is greatly appreciated.

I have a client requesting a Remote Access compliance solution as follows:

Scenario:

Users - Active Directory (some on the domain, and 3rd-party users and contractors off the domain). Of the users on the domain, there are 2 OUs which users will be in.


Remote Access setup:

  • Endpoint Security VPN, with most users on the Windows desktop client (some Mac users)
  • Desktop Policy and SCV checks are applied


Requirements:

  • Perform compliance checks on AD users in the 2 OU groups, consisting of (check whether a process is running) and (whether they are using a corporate asset, i.e. a domain check). These checks can easily be done via the SCV file. No issue there.
  • Perform different compliance checks on users not on the domain
  • Allow each type of user to connect based on the success of their different compliance requirements


Constraints:

  • All users must use the same method to connect (desktop client)
  • All users must use the same gateway to connect


Problem(s):

  • The SCV checks apply to all users non-discriminatorily.
  • A user must pass all checks or they are non-compliant
  • If a user fails one check, they are non-compliant
  • The SCV file does not allow IF statements (if the user is in this OU, then check if the process is running, else allow connection)


What I've tried:

  • ScriptRun monitor pushed down to members of the two OUs. The PowerShell script would accomplish the process and domain check. However, the ScriptRun check would still try to execute for all users, not just the OU users, so in the end the non-domain users would still fail the compliance check and be unable to connect.


Conclusions:

  • There is a lot of granularity with regard to protection of applications once the user has connected to the VPN, but not any options for enforcing different compliance requirements depending on the user in order to connect to the VPN. Maybe I am wrong, and that's why I am here looking for possible solutions I have missed.


Summary:

I'm hoping I'm missing something and there is a way to enforce different compliance requirements depending on the user, allowing the user to connect to the VPN depending on the success of their individual compliance requirements, with all users connecting to the same gateway via the same method (desktop client).

Many thanks in advance.

1 Reply
PhoneBoy
Admin

SCV doesn't apply to Mac endpoints currently, so you'd have to bypass that check on Mac computers.
For that, you'd need to use Compliance checks as that's the only thing currently supported.
(SCV support for Mac is on the roadmap)

I assume you could write the script pushed via ScriptRun to check whether the computer is in the domain or not and return a different result based on that.
Seems like the cleanest solution for this since SCV otherwise applies to all users.
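The approach the reply suggests, as an added example that is not part of the original thread and not Check Point's code: one ScriptRun script that supplies the if/else the SCV syntax itself lacks. It decides from the local machine whether this is a corporate asset (joined to the client's AD domain) and then applies one set of required processes to corporate machines and a different set to everything else, so non-domain contractors are no longer failed by a check meant for the OU users. Everything below that the thread does not state is an assumption: the domain name `corp.example.com`, the placeholder process names `RequiredAgent` and `ThirdPartyAgent`, and that local.scv launches the script through a small .bat wrapper (`powershell.exe -NoProfile -ExecutionPolicy Bypass -File ...`) and treats exit code 0 as compliant.

```powershell
<#
  Added example, not from the thread or from Check Point: a single ScriptRun
  compliance script that branches on domain membership, giving SCV the
  "if domain-joined then ... else ..." decision the local.scv syntax lacks.

  Assumptions (none are stated on the page):
    - local.scv runs this through a .bat wrapper such as
        powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\...\vpn-compliance.ps1
      and is configured to treat exit code 0 as compliant.
    - corp.example.com is the client's AD DNS domain name.
    - RequiredAgent / ThirdPartyAgent are placeholder process names.
#>
param(
    [string]   $CorporateDomain         = 'corp.example.com',   # assumed domain
    [string[]] $DomainRequiredProcesses = @('RequiredAgent'),   # placeholder
    [string[]] $GuestRequiredProcesses  = @('ThirdPartyAgent')  # placeholder
)

$ExitCompliant    = 0   # the exit code local.scv is assumed to accept
$ExitNonCompliant = 1

function Get-DomainMembership {
    # Win32_ComputerSystem is read from the local machine, so this works with
    # no domain controller reachable, which is the situation before the VPN
    # tunnel exists. A workgroup machine reports PartOfDomain = $false and
    # Domain = 'WORKGROUP'.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        PartOfDomain = [bool]$cs.PartOfDomain
        Domain       = [string]$cs.Domain
    }
}

function Get-MissingProcesses {
    param([string[]] $Names)
    # Returns the names with no running instance; an empty array means all
    # required processes are present. The @() wrapper keeps the result an
    # array even when the pipeline yields nothing.
    return @($Names | Where-Object {
        -not (Get-Process -Name $_ -ErrorAction SilentlyContinue)
    })
}

function Get-ComplianceVerdict {
    param(
        [pscustomobject] $Membership,
        [string]         $Domain,
        [string[]]       $DomainRequired,
        [string[]]       $GuestRequired
    )
    # A corporate asset is a machine joined to the corporate domain. Anything
    # else (a workgroup laptop or a contractor's own domain) gets the guest
    # rules instead of failing the corporate check.
    $isCorporate = $Membership.PartOfDomain -and ($Membership.Domain -ieq $Domain)
    if ($isCorporate) {
        $profile  = 'corporate'
        $required = $DomainRequired
    } else {
        $profile  = 'non-domain'
        $required = $GuestRequired
    }

    $missing  = Get-MissingProcesses -Names $required
    $exitCode = if ($missing.Count -eq 0) { $ExitCompliant } else { $ExitNonCompliant }

    [pscustomobject]@{
        Profile  = $profile
        Missing  = $missing
        ExitCode = $exitCode
    }
}

$verdict = Get-ComplianceVerdict -Membership (Get-DomainMembership) `
    -Domain $CorporateDomain `
    -DomainRequired $DomainRequiredProcesses `
    -GuestRequired $GuestRequiredProcesses

# Stdout only helps when the script is run by hand; SCV sees just the exit code.
Write-Output ("profile={0} missing=[{1}] exit={2}" -f $verdict.Profile,
    ($verdict.Missing -join ','), $verdict.ExitCode)
exit $verdict.ExitCode
```

Two practical points. First, the script branches on domain membership rather than on the user's OU because an OU lookup needs a reachable domain controller, and a remote machine normally has no path to one until the tunnel is up; the domain check the post already relies on is local data and needs no connectivity. Second, SCV executes this on the endpoint, so the script and its wrapper must live in a directory only administrators can write to; a user who can edit the file can make it always exit 0. As the reply notes, SCV does not apply to the Mac client, so this only governs the Windows users.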