This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
EVSolovyev
Collaborator
3 weeks ago

Spliting RA VPN access between domain and non-domain PCs fo domain users

Hi there!

I would like to split access for remote users (MAB, RA VPN, 2FA) into domain and non-domain. All users have only MS AD accounts, but they can connect via VPN from a domain or non-domain PC. Depending on whether the PC is in the domain or not, different resource should be available.

For example, if John Doe connects from a domain PC, he can access the [LAN1] resource. But if the same John Doe connects from a non-domain PC, he can access [LAN2].

Can you please tell me if you have such an implementation? If so, how stable is it?

I think all RA resources will be announced into VPN for all users, regardless of whether the PC is in the domain or not. And access to [LAN1] or [LAN2] will be determined by the FW policy, but now I don't understand how to write it....

Labels
0 Kudos
1 Reply
AkosBakos
Advisor
3 weeks ago

Hi @EVSolovyev 

What is came into my mind: you are able to determine in the in the Access role the machine(s):

machines.png

  1. Choose a group of machines (this represents the domain machines)
  2. if the user connects from a machine what is not a domain member (not in the choosen group)
  3. the rule won't applies to it.

This kind of handling 100% stable, as the Access policy. 🙂

There was a same kind of topic recently, have a look at on it:

https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Check...

Maybe the  Secure Configuration Verification - Advanced can be useful in this situation.

What if you check the logged in user is a DOMAIN user in the companies AD?

"Groupmonitor"

 

Cheers,

Akos

----------------
\m/_(>_<)_\m/

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events