This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mahipal_Singh
Employee
Employee
‎2018-10-21 11:45 PM

SSL VPN user binding with MAC Address for Secure Workspace

Hello CheckMates,

I am have a customer who is using SSL VPN (Mobile Access Blade) solution with Secure Workspace functionality for external 3rd party vendor users (Around 20K users), now customer is asking for device binding with user for restricting the access for designated users to avoid misuse of their data. (It is basically a Bank and having Loan application accessed by their 3rd party loan distributor or retailer and they are keeping their data safe using  secure workspace but due to flexibility of login from anywhere users can login from any machine and leak the data to competitors)

Client machine are mostly Windows 7, 8. 10 desktop & laptops. 

Customer is looking for user binding with MAC Address to restrict the access from allowed/designated  machines only.

Regards,

Mahi

4 Replies
PhoneBoy
Admin
Admin
‎2018-10-22 02:56 PM

You could configure ESOD to ensure the machine people are connecting to meets some basic set of requirements.

I suppose that could include MAC address, but with 20k+ users, managing that could be a nightmare.

Mapping a specific user to a specific MAC would be an even bigger nightmare.

Another option would be to restrict access to the MAB portal to only come from specific IP addresses.

0 Kudos
Mahipal_Singh
Employee
Employee
‎2018-10-23 12:12 AM
In response to PhoneBoy

can you have explain how we can bind MAC or IP address. Is there detail document for ESOD configuration.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-10-23 06:38 AM
In response to Mahipal_Singh

A simple Access Policy rule (in the firewall) should be able to limit access to the MAB portal from unauthorized IP addresses.

The MAC address is in the Windows registry (assuming these are Windows machines) and it would be somewhere under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318} (Depending on the adapter).

0 Kudos
Mahipal_Singh
Employee
Employee
‎2018-10-23 10:40 AM
In response to PhoneBoy

Ip addresses are public IPs and not fixed hence not applicable and in ESOD we can not apply more than 1 profile which have OR condition applied on that.

0 Kudos