EVSolovyev
Collaborator

Splitting RA VPN access between domain and non-domain PCs for domain users

Hi there!

I would like to split access for remote users (MAB, RA VPN, 2FA) into domain and non-domain. All users have only MS AD accounts, but they can connect via VPN from a domain or non-domain PC. Depending on whether the PC is in the domain or not, different resources should be available.

For example, if John Doe connects from a domain PC, he can access the [LAN1] resource. But if the same John Doe connects from a non-domain PC, he can access [LAN2].

Can you please tell me if you have such an implementation? If so, how stable is it?

I think all RA resources will be announced into VPN for all users, regardless of whether the PC is in the domain or not. And access to [LAN1] or [LAN2] will be determined by the FW policy, but now I don't understand how to write it....

0 Kudos
1 Reply
AkosBakos
Advisor

Hi @EVSolovyev 

What came into my mind: you are able to specify the machine(s) in the Access Role:

[Image: machines.png]

  1. Choose a group of machines (this represents the domain machines).
  2. If the user connects from a machine that is not a domain member (not in the chosen group),
  3. the rule won't apply to it.

This kind of handling is 100% stable, as is the Access policy. 🙂

There was a similar topic recently, have a look at it:

https://community.checkpoint.com/t5/General-Topics/Standalone-Remote-Access-VPN-Client-Posture-Check...

Maybe the Secure Configuration Verification - Advanced can be useful in this situation.

What if you check whether the logged-in user is a DOMAIN user in the company's AD?

"Groupmonitor"

Cheers,

Akos

----------------
\m/_(>_<)_\m/
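The rulebase logic described in the reply above, as an added example that is not part of this thread and not Check Point code: an Access Role is "user group AND (optionally) machine group", and the firewall evaluates rules top-down with first match. The names (`jdoe`, `PC-JDOE-01`, the role and network names) are constructed for the example. It also covers the edge case the reply implies: if the machine is not in the chosen group (or is not identified at all), the domain-PC rule simply does not match, so a lower rule for "any machine" decides. Whether a domain PC should also reach LAN2 is a design choice; this example keeps the two networks exclusive with an explicit drop rule placed above the "any machine" rule, which shows why rule order matters.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed sample directory data (hypothetical, not from the thread).
DOMAIN_MACHINES = frozenset({"PC-JDOE-01", "PC-FINANCE-07"})  # "group of machines" = domain PCs
VPN_USERS = frozenset({"jdoe", "asmith"})                      # AD group of remote-access users


@dataclass(frozen=True)
class Connection:
    """One identified VPN connection as the gateway sees it."""
    user: str
    machine: Optional[str]   # machine identity; None if the machine was not identified
    destination: str         # target network, e.g. "LAN1" or "LAN2"


@dataclass(frozen=True)
class AccessRole:
    """Identity source object: user group, optionally restricted to a machine group."""
    name: str
    users: frozenset
    machines: Optional[frozenset] = None   # None means "Any machine"

    def matches(self, conn: Connection) -> bool:
        if conn.user not in self.users:
            return False
        if self.machines is None:
            return True            # role does not care which machine the user is on
        # Unidentified machine (None) or machine outside the group: role does NOT apply
        return conn.machine in self.machines


@dataclass(frozen=True)
class Rule:
    number: int
    source: AccessRole
    destination: str
    action: str   # "Accept" or "Drop"


def evaluate(rulebase: List[Rule], conn: Connection) -> Tuple[Optional[int], str]:
    """First-match evaluation, top-down; the implicit cleanup rule drops everything else."""
    for rule in rulebase:
        if rule.destination == conn.destination and rule.source.matches(conn):
            return rule.number, rule.action
    return None, "Drop"


# Two Access Roles for the same AD users: one tied to the domain machine group, one not.
DOMAIN_USER_ON_DOMAIN_PC = AccessRole("RA_DomainUser_DomainPC", VPN_USERS, DOMAIN_MACHINES)
DOMAIN_USER_ANY_PC = AccessRole("RA_DomainUser_AnyPC", VPN_USERS)

# Order matters: rule 2 must sit above rule 3, otherwise domain PCs would also reach LAN2.
RULEBASE = [
    Rule(1, DOMAIN_USER_ON_DOMAIN_PC, "LAN1", "Accept"),   # domain PC -> LAN1
    Rule(2, DOMAIN_USER_ON_DOMAIN_PC, "LAN2", "Drop"),     # domain PC must not reach LAN2
    Rule(3, DOMAIN_USER_ANY_PC, "LAN2", "Accept"),         # everything else (non-domain PC) -> LAN2
]


def decide(user: str, machine: Optional[str], destination: str) -> Tuple[Optional[int], str]:
    """Convenience wrapper: which rule (if any) matched and what the action was."""
    return evaluate(RULEBASE, Connection(user, machine, destination))


if __name__ == "__main__":
    for who, pc, dst in [("jdoe", "PC-JDOE-01", "LAN1"),
                         ("jdoe", "PC-JDOE-01", "LAN2"),
                         ("jdoe", "HOME-LAPTOP", "LAN2"),
                         ("jdoe", "HOME-LAPTOP", "LAN1"),
                         ("jdoe", None, "LAN2")]:
        print(who, pc, "->", dst, decide(who, pc, dst))
```

Swapping rules 2 and 3 in `RULEBASE` is the mistake to watch for: `decide("jdoe", "PC-JDOE-01", "LAN2")` would then hit the "any machine" rule and accept, because the domain-PC role is a subset of the any-PC role, not disjoint from it.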
