This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Alexander_Urits
Contributor
‎2017-11-12 12:14 PM

VPN access restriction based on domain membership

Jump to solution

Hi.

I'm looking for an option to restrict VPN access only for laptops which are "domain members".

Is there a way to accomplish that? (All PCs/Part of them?)

Thanks,

Alex

0 Kudos
Reply
1 Solution

Accepted Solutions
Abdul_S
Participant
‎2020-05-05 08:59 AM
In response to Konstantinos_In

Jump to solution

Hi Konstantinos

I finally got this working with SCV by using the below option. Please note when we login to our machines, based on the GPO we are placed under Users Group which has a AD group for domain users called "ABC\Domain Users", where ABC is your company domain. Unfortunately there was not a lot of documentation and examples of groupmonitor in either the admin guides, endpoint guides etc, but is working fine with this option below. This is a pretty strong SCV check and hard to fake compared to reg keys or process monitor checks (my 2 cents...)

   : (groupmonitor

                        :type (plugin)

                        :parameters (

                                                :"builtin\Administrators" (false)

                                                :"builtin\Users=YOURCOMPANY\Domain Users" (true)

                                :begin_admin (admin)

                                        :send_log (alert)

                                        :mismatchmessage ("Make sure you are logged on as an authorized user.")

                                        :securely_configured_no_active_user (false)

                                :end (admin)

                        )

                )

 

Make sure to add this in the end for it to be effective,

       :SCVPolicy (

        : (groupmonitor)

        )

View solution in original post

Reply
16 Replies
PhoneBoy
Admin
Admin
‎2017-11-12 08:31 PM

Jump to solution

Yes, there's an option in the Endpoint Security VPN client called "Secure Configuration Verification" (SCV).

One of the checks you can configure is "Verifies that the user logged into the operating system and is a member of specified Domain User Groups."

That should meet your specific requirement.

Note this only applies to Windows PCs as the Mac VPN client does not support these checks.

Refer to: Remote Access VPN R80.10 (Part of Check Point Infinity) 

Reply
Alexander_Urits
Contributor
‎2017-11-12 09:21 PM
In response to PhoneBoy

Jump to solution

Thanks.

Two additional questions:

1. Does that require specific VPN client license/flavor?

2. How do I enforce that only this type of client can connect?

TIA

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2017-11-12 09:54 PM
In response to Alexander_Urits

Jump to solution

It requires the Endpoint Security VPN client, which requires a remote access VPN license for each user that connects.

In terms of our current Endpoint licenses, this includes:

  • Endpoint Access Control
  • Endpoint Complete

However, other legacy licenses may include this .

If you have questions about this, reach out to your Check Point account team or Partner.

The procedure for enforcing that only that client can connect includes:

  • Defining the SCV policy appropriately
  • Preventing clients that are NOT Endpoint Security VPN from connecting

This should be covered in the documentation I linked previously.

0 Kudos
Reply
Alexander_Urits
Contributor
‎2018-05-03 03:37 PM

Jump to solution

Apparently SCV policy is a global property, and if the customer has more than one gateway or more different policies for different type of users it's not possible, at least I couldn't find any documentation on this and support guys didn't also.

Anyone who has any field experience with the SCV policy, please comment.

Thanks

0 Kudos
Reply
Darran_Lebas
Participant
‎2018-11-21 12:52 PM
In response to Alexander_Urits

Jump to solution

Hi Alex,

Did you manage to accomplish this in the end?

0 Kudos
Reply
Alexander_Urits
Contributor
‎2018-11-22 06:44 AM
In response to Darran_Lebas

Jump to solution

Hi Darran. 

Unfortunately there was no workaround. 

I was forced to implement this for all the gateways. 

Regards,

Alex

0 Kudos
Reply
mahendran_B1
Explorer
‎2019-03-22 06:00 AM
In response to Alexander_Urits

Jump to solution

Hi 

can we restrict with windows domain member for example  : allow the only machine which is in abc.com & sampla.com

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2019-03-22 06:39 AM
In response to mahendran_B1

Jump to solution
Yes, please see the docs I linked previously.
0 Kudos
Reply
mahendran_B
Explorer
‎2019-03-30 04:46 AM
In response to PhoneBoy

Jump to solution

Hi

By group monitor, we can restrict allow only based on domain member.At endpoint side, the secure client is enough or i need to install endpoint security. 

0 Kudos
Reply
mahendran_B
Explorer
‎2019-04-08 11:12 PM
In response to PhoneBoy

Jump to solution

HI

 

Can you please confirm below configuration for domain monitor in local.scv file.

 

: (groupmonitor
:type (plugin)
:parameters (
:begin_or (or1)
:begin_and (1)
:mydomian.com (true)
:end (1)
:end (or1)
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("You are using SecureClient with a non-authorized user.\nMake sure you are logged on as an authorized user.")
:securely_configured_no_active_user (false)
:end (admin)
)
)

 

0 Kudos
Reply
Konstantinos_In
Contributor
‎2020-04-28 03:56 AM
In response to mahendran_B

Jump to solution
Hello mahendran_B

The options you have are the below. Did you finally configured it?

: (groupmonitor
:type (plugin)
:parameters (
:begin_or (or1)
:begin_and (1)
:"builtin\administrator" (false)
:"BUILTIN\Users" (true)
:end (1)
:begin_and (2)
:"builtin\administrator" (true)
:"BUILTIN\Users" (false)
:end (and2)
:end (or1)
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("You are using SecureClient with a non-authorized user.\nMake sure you are logged on as an authorized user.")
:securely_configured_no_active_user (false)
:end (admin)
)
)
0 Kudos
Reply
Abdul_S
Participant
‎2020-05-05 08:59 AM
In response to Konstantinos_In

Jump to solution

Hi Konstantinos

I finally got this working with SCV by using the below option. Please note when we login to our machines, based on the GPO we are placed under Users Group which has a AD group for domain users called "ABC\Domain Users", where ABC is your company domain. Unfortunately there was not a lot of documentation and examples of groupmonitor in either the admin guides, endpoint guides etc, but is working fine with this option below. This is a pretty strong SCV check and hard to fake compared to reg keys or process monitor checks (my 2 cents...)

   : (groupmonitor

                        :type (plugin)

                        :parameters (

                                                :"builtin\Administrators" (false)

                                                :"builtin\Users=YOURCOMPANY\Domain Users" (true)

                                :begin_admin (admin)

                                        :send_log (alert)

                                        :mismatchmessage ("Make sure you are logged on as an authorized user.")

                                        :securely_configured_no_active_user (false)

                                :end (admin)

                        )

                )

 

Make sure to add this in the end for it to be effective,

       :SCVPolicy (

        : (groupmonitor)

        )

View solution in original post

Reply
Konstantinos_In
Contributor
‎2020-05-15 07:15 AM
In response to Abdul_S

Jump to solution

Hello

Thank you for your response 🙂 .We are in the same page.

It is not very hard to fake the domain if you create a domain controller and a same domain name with the corporate you want to "attack".

As concerns processes just a rename does the bypass..

As concerns registry key i don't know if there is a way to find somehow the "required" keys in order to connect and pass compliance "client side"

 

BR,

Kostas

 

0 Kudos
Reply
Gaurav_Pandya
Advisor
‎2018-11-23 01:24 AM

Jump to solution

Hi,

Other way of achieving your requirement (Only Domain users can connect remote VPN) is that you can enable Mobile access blade and create Native application for Domain check.

You need to enable Endpoint security scan check in Mobile access blade and create Native application for Domain check.

This is long process but it is very stable. I have enabled this scenario for one customer and it is working fine.

Reply
shenderson
Participant
‎2019-04-09 06:43 AM
In response to Gaurav_Pandya

Jump to solution

What I need to is to only allow domain users to connect to VPN who are using corporate machines. Mac and Linux machines would be great but I at least need to check the Windows machines which will be joined to our corporate domain. 

0 Kudos
Reply
Sanjay_S
Advisor
‎2019-06-07 06:11 AM
In response to Gaurav_Pandya

Jump to solution
Hi Gaurav,
I have the same issue, i am not able to create Native Application for Domain Check. Can i have the steps to do it? Can you guide me from Native Applications step because i can see this option but not sure how to create Domain Check.
Many thanks in advance.
0 Kudos
Reply