mbh80
Employee

Remote Access (selective) Compliance

Hello all, I am requesting some assistance in confirming whether a specific solution exists within the Check Point products. Any help in confirming this is greatly appreciated.


I have a client requesting a Remote Access compliance solution as follows:

Scenario:

Users - Active Directory (some on the domain, and 3rd-party users and contractors off the domain). Of the users on the domain, there are 2 OUs which users will be in.


Remote Access setup:

  • Endpoint Security VPN, with most users on the Windows desktop client (some Mac users)
  • Desktop Policy and SCV checks are applied


Requirements:

  • Perform compliance checks on AD users in the 2 OU groups, consisting of (check whether a process is running) and (whether they are using a corporate asset, i.e. a domain check). These checks can easily be done via the SCV file. No issue there.
  • Perform different compliance checks on users not on the domain
  • Allow each type of user to connect based on the success of their different compliance requirements


Constraints:

  • All users must use the same method to connect (desktop client)
  • All users must use the same gateway to connect


Problem(s):

  • The SCV checks apply to all users non-discriminatorily.
  • A user must pass all checks or they are non-compliant
  • If a user fails one check, they are non-compliant
  • The SCV file does not allow IF statements (if the user is in this OU, then check if the process is running, else allow connection)


What I've tried:

  • ScriptRun monitor pushed down to members of the two OUs. The PowerShell script would accomplish the process and domain check. However, the ScriptRun check would still try to execute for all users, not just the OU users, so in the end the non-domain users would still fail the compliance check and be unable to connect.


Conclusions:

  • There is a lot of granularity with regard to protection of applications once the user has connected to the VPN, but not any options for enforcing different compliance requirements depending on the user in order to connect to the VPN. Maybe I am wrong, and that’s why I am here looking for possible solutions I have missed.


Summary:

I'm hoping I'm missing something and there is a way to enforce different compliance requirements depending on the user, and to allow the user to connect to the VPN depending on the success of their individual compliance requirements, with all users connecting to the same gateway via the same method (desktop client).

Many thanks in advance.

2 Replies
PhoneBoy
Admin

SCV doesn't apply to Mac endpoints currently, so you'd have to bypass that check on Mac computers.
For that, you'd need to use Compliance checks as that's the only thing currently supported.
(SCV support for Mac is on the roadmap)

I assume you could write the script pushed via ScriptRun to check whether the computer is in the domain or not and return a different result based on that.
Seems like the cleanest solution for this since SCV otherwise applies to all users.

Yuber_Sierra_av
Participant

Hello, 

I have a similar situation:

We are restricting VPN access to only computers belonging to our corporate domain with an SCV RegMonitor.

The problem I have now is how to make exclusions to that check, to allow connections from supplier computers which don't belong to the domain. I was thinking about installing software on those PCs and configuring a Process Monitor SCV check, but the problem is that a user must pass all checks or they are non-compliant.

Is there any way or hotfix to let SCV checks allow connections if one of several conditions is met (i.e. computer belongs to domain OR computer is running a process)?

Thank you.
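As an added example (not code from this thread, from Check Point, or from either poster), the script below is the kind of thing PhoneBoy's reply describes: a single ScriptRun script that first decides whether the endpoint is joined to the corporate domain and then applies a different requirement to each group, so domain-joined hosts must be running the corporate agent while non-domain contractor hosts must be running a supplier agent instead. The `-DomainAlone` switch turns it into the "domain OR process" condition Yuber_Sierra_av asks about. It assumes that the ScriptRun check reads the script's exit code and treats 0 as pass and non-zero as fail; `corp.example`, `CorpAgent`, `SupplierAgent` and the log path are placeholders.

```powershell
<#
  Added example, not code from the thread or from Check Point.
  One ScriptRun-style compliance script that branches on domain membership
  and reports a single pass/fail verdict through its exit code.

  Assumptions (placeholders, not confirmed by the thread):
    - ScriptRun treats exit code 0 as "check passed", non-zero as "failed".
    - corp.example, CorpAgent and SupplierAgent are made-up names.
    - The log file is an arbitrary location for troubleshooting on the endpoint.
#>
param(
    [string]$CorporateDomain  = 'corp.example',
    [string]$CorporateProcess = 'CorpAgent',
    [string]$SupplierProcess  = 'SupplierAgent',
    [string]$LogFile          = "$env:ProgramData\scv-compliance.log",
    # When set, domain membership alone is sufficient (the "domain OR process" case).
    [switch]$DomainAlone
)

function Write-ComplianceLog {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line -ErrorAction SilentlyContinue
}

function Test-ProcessRunning {
    param([string]$Name)
    # Get-Process errors when nothing matches; SilentlyContinue turns that into $null.
    return [bool](Get-Process -Name $Name -ErrorAction SilentlyContinue)
}

function Get-ComplianceVerdict {
    # Pure decision logic, kept separate from the WMI/process lookups so it can be
    # exercised with fixed inputs.
    param(
        [bool]$DomainJoined,
        [bool]$CorporateProcessRunning,
        [bool]$SupplierProcessRunning,
        [bool]$DomainIsSufficient
    )
    if ($DomainJoined) {
        # Corporate asset: domain check passed, now require the corporate agent
        # (unless domain membership alone has been declared sufficient).
        if ($DomainIsSufficient -or $CorporateProcessRunning) {
            return [pscustomobject]@{ ExitCode = 0; Reason = 'corporate asset, requirement met' }
        }
        return [pscustomobject]@{ ExitCode = 1; Reason = 'corporate asset, required process not running' }
    }
    # Not on the domain (contractor / supplier device): a different requirement applies.
    if ($SupplierProcessRunning) {
        return [pscustomobject]@{ ExitCode = 0; Reason = 'non-domain device, supplier agent running' }
    }
    return [pscustomobject]@{ ExitCode = 2; Reason = 'non-domain device, supplier agent not running' }
}

# Gather the facts from the endpoint.
$computer     = Get-CimInstance -ClassName Win32_ComputerSystem
$domainJoined = ([bool]$computer.PartOfDomain) -and ($computer.Domain -ieq $CorporateDomain)

$verdict = Get-ComplianceVerdict `
    -DomainJoined            $domainJoined `
    -CorporateProcessRunning (Test-ProcessRunning $CorporateProcess) `
    -SupplierProcessRunning  (Test-ProcessRunning $SupplierProcess) `
    -DomainIsSufficient      $DomainAlone.IsPresent

Write-ComplianceLog ('{0} host={1} domain={2} exit={3}' -f $verdict.Reason, $computer.Name, $computer.Domain, $verdict.ExitCode)
exit $verdict.ExitCode
```

Distinct non-zero exit codes (1 for a domain host missing its agent, 2 for a non-domain host missing the supplier agent) make the endpoint log useful when a user reports being blocked. Two things this does not do: it does not distinguish between the two OUs the original post mentions, which would need a directory lookup of the computer object, and it runs entirely on the endpoint, so its verdict is a compliance signal rather than proof of device identity; keep the existing RegMonitor/domain checks alongside it. As PhoneBoy notes, SCV does not currently run on Mac clients, so this only covers the Windows desktop client.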
