Hello Community,
we are using Checkpoint Endpoint Security (currently E84.00, but we also had this with earlier versions). We are using Secure Domain Logon, which is working as it should most of the time: the logon prompt appears if the user is on an external network, no logon prompt if the user is on an internal network, and so on.
We now have Conditional Access in place for M365 which relies on trusted locations, so it's essential that the user logs on to VPN before any M365 services can be used, since using the OneDrive and Teams applications is disallowed from untrusted locations (and OneDrive autostarts if the user logs on).
The issue with SDL is, especially in the current pandemic scenario, that some users are simply too fast and log on as soon as the credential window appears... that's faster than the VPN client / service starts. We already have "Always wait for network..." active via GPO, but that does not really improve the situation. Telling the users to just wait about 10 seconds and then log on is also not quite satisfying.
Does anyone have an idea how Secure Domain Logon can be reliably started before a user logs on?
Kind regards
Did you configure it following the Remote Access VPN R80.40 Administration Guide, p. 139ff? Another possibility is to use Machine Authentication; see the Remote Access VPN R80.40 Administration Guide, p. 113.
Thank you for the ideas.
About machine authentication: unfortunately, compliance requires MFA with RSA Token, and no change to this is possible at the moment.
Also yes, disabling cached credentials would actually prevent users from logging on at all without domain connections, but it would also fully disable "offline usage" of the clients if there is no internet connection available (especially problematic if, for example, the user needs to connect to a hotspot that requires additional steps)... so this is basically a no-go.
My understanding is this ties into specific Microsoft APIs that tie starting the VPN to logging in.
Sounds like it’s not and it might be worth a TAC case to troubleshoot this.