Velocy
Participant

Secure Domain Logon unreliable / users are too fast

Hello Community,

We are using Check Point Endpoint Security (currently E84.00, but we also had this with earlier versions). We are using Secure Domain Logon, which is working as it should most of the time: the logon prompt appears if the user is on an external network, no logon prompt if the user is on an internal network, and so on.

We now have Conditional Access in place for M365, which relies on trusted locations; it's essential that the user logs on to VPN before any M365 services can be used, since using the OneDrive and Teams applications is disallowed from untrusted locations (and OneDrive autostarts when the user logs on).

The issue with SDL, especially in the current pandemic scenario, is that some users are simply too fast and log on as soon as the credential window appears... that is faster than the VPN client/service starts. We already have "Always wait for network..." active via GPO, but that does not really improve the situation. Telling the users to just wait about 10 seconds and then log on is also not quite satisfying.

Does anyone have an idea how the Secure Domain Logon can be reliably started before a user logs on?

Kind regards

3 Replies
G_W_Albrecht
Champion

Did you configure it following the Remote Access VPN R80.40 Administration Guide, p. 139ff? Another possibility is to use Machine Authentication; see the Remote Access VPN R80.40 Administration Guide, p. 113.

Velocy
Participant

Thank you for the ideas.
About machine authentication: unfortunately compliance requires MFA with an RSA token, and no change to this is possible at the moment.
Also, yes, disabling cached credentials would actually prevent users from logging on at all without a domain connection, but it would also fully disable "offline usage" of the clients if no internet connection is available (especially problematic if, for example, the user needs to connect to a hotspot that requires additional steps)... so this is basically a no-go.

PhoneBoy
Admin

My understanding is this ties into specific Microsoft APIs that tie starting the VPN to logging in.
Sounds like it’s not, and it might be worth a TAC case to troubleshoot this.
