This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Corporal307
Explorer
Tuesday
Jump to solution

limiting devices for connecting to VPN

Hi all! Please tell me, is it possible to limit VPN connections to only trusted devices? Goal: Users should use only corporate equipment to connect to the VPN. Windows, Linux and MacOS computers available. Restrictions through SCV policies cost only a couple of steps.

0 Kudos
3 Solutions

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
Tuesday
In response to Corporal307
Jump to solution

Using Endpoint Security - the VPN blade is only installed as part of the EPS client. As all is controlled in EPSS portal, EPS clients can not be installed and used on other devices...

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist

View solution in original post

0 Kudos
(1)
PhoneBoy
Admin
Admin
Tuesday
Jump to solution

The only supported VPN client for Linux is SNX, which can be invoked through Mobile Access Blade, but that requires JDK to be installed on the clients.
It does have Endpoint Security on Demand, which can do some client-level checking (though not sure how much on Linux).

For Windows and macOS, you have SCV or Harmony Endpoint's compliance checks.
If you goal is only "corporate computers" I'd go with Harmony Endpoint, the client for which would only be installed on corporate computers.
Also, the Harmony Endpoint compliance checks are a bit easier to configure than SCV.

View solution in original post

0 Kudos
(1)
PhoneBoy
Admin
Admin
Wednesday
In response to Corporal307
Jump to solution

Authentication with Machine Certificates (in addition to other methods) is the best way to go here.
Machine Certificates usually come from Active Directory and would be installed in the device’s certificate store and cannot be exported.

View solution in original post

0 Kudos
(1)
8 Replies
G_W_Albrecht
Legend Legend
Legend
Tuesday
Jump to solution

Question: How does a trusted device differ from another, untrusted device ? DId you ever4 think of using Machine Authentication instead ? SCV and Machine Authentication have originally only been usable for Win clients, now also support OS X, but not Linux afaik...

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist
0 Kudos
Corporal307
Explorer
Tuesday
In response to G_W_Albrecht
Jump to solution

A trusted device is a corporate computer. Operating systems used: Windows, MacOS, Linux. There are domain computers, as well as computers that are not part of a domain. After studying the forum, documentation and watching webinars, there is a feeling that this will not be possible.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
Tuesday
In response to Corporal307
Jump to solution

Only possible for Win and OS X, not for Linux, when using Enterprise Security VPN. If you use EPSS, that is Harmony Endpoint https://support.checkpoint.com/results/sk/sk117536 and available for Win, OS X and Linux, you can only use VPN blade on Win and OS X, so the same situation...

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist
0 Kudos
Corporal307
Explorer
Tuesday
In response to G_W_Albrecht
Jump to solution

If we talk about Windows and OS X, how can this be implemented? We tested using SCV and Harmony Endpoint policies, but in the end the entry in the registry can be done manually and then you can connect from any device.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
Tuesday
In response to Corporal307
Jump to solution

Using Endpoint Security - the VPN blade is only installed as part of the EPS client. As all is controlled in EPSS portal, EPS clients can not be installed and used on other devices...

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist
0 Kudos
(1)
PhoneBoy
Admin
Admin
Tuesday
Jump to solution

The only supported VPN client for Linux is SNX, which can be invoked through Mobile Access Blade, but that requires JDK to be installed on the clients.
It does have Endpoint Security on Demand, which can do some client-level checking (though not sure how much on Linux).

For Windows and macOS, you have SCV or Harmony Endpoint's compliance checks.
If you goal is only "corporate computers" I'd go with Harmony Endpoint, the client for which would only be installed on corporate computers.
Also, the Harmony Endpoint compliance checks are a bit easier to configure than SCV.

0 Kudos
(1)
Corporal307
Explorer
Tuesday
In response to PhoneBoy
Jump to solution 

The problem is that only Endpoint Seceruty was left in the vpn clients; using SCV policies we check the Harmony registry key. If we work honestly, then connection is only possible through Harmony. But you can install the Endpoint Security Standalone Client, manually specify the registry branch that is being checked, and I will also connect to the VPN through another client.
0 Kudos
PhoneBoy
Admin
Admin
Wednesday
In response to Corporal307
Jump to solution

Authentication with Machine Certificates (in addition to other methods) is the best way to go here.
Machine Certificates usually come from Active Directory and would be installed in the device’s certificate store and cannot be exported.

0 Kudos
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events