limiting devices for connecting to VPN

Hi all! Please tell me, is it possible to limit VPN connections to only trusted devices? Goal: Users should use only corporate equipment to connect to the VPN. Windows, Linux and MacOS computers available. Restrictions through SCV policies cost only a couple of steps.

0 Kudos
8 Replies
G_W_Albrecht
Legend

Question: How does a trusted device differ from another, untrusted device? Did you ever think of using Machine Authentication instead? SCV and Machine Authentication have originally only been usable for Win clients, now also support OS X, but not Linux afaik...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Corporal307
Explorer

A trusted device is a corporate computer. Operating systems used: Windows, MacOS, Linux. There are domain computers, as well as computers that are not part of a domain. After studying the forum, documentation and watching webinars, there is a feeling that this will not be possible.

0 Kudos
G_W_Albrecht
Legend

Only possible for Win and OS X, not for Linux, when using Enterprise Security VPN. If you use EPSS, that is Harmony Endpoint https://support.checkpoint.com/results/sk/sk117536 and available for Win, OS X and Linux, you can only use VPN blade on Win and OS X, so the same situation...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Corporal307
Explorer

If we talk about Windows and OS X, how can this be implemented? We tested using SCV and Harmony Endpoint policies, but in the end the entry in the registry can be done manually and then you can connect from any device.

0 Kudos
G_W_Albrecht
Legend

Using Endpoint Security - the VPN blade is only installed as part of the EPS client. As all is controlled in EPSS portal, EPS clients can not be installed and used on other devices...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
(1)
PhoneBoy
Admin

The only supported VPN client for Linux is SNX, which can be invoked through Mobile Access Blade, but that requires JDK to be installed on the clients.
It does have Endpoint Security on Demand, which can do some client-level checking (though not sure how much on Linux).

For Windows and macOS, you have SCV or Harmony Endpoint's compliance checks.
If your goal is only "corporate computers" I'd go with Harmony Endpoint, the client for which would only be installed on corporate computers.
Also, the Harmony Endpoint compliance checks are a bit easier to configure than SCV.

0 Kudos
(1)
Corporal307
Explorer
The problem is that only Endpoint Security was left in the VPN clients; using SCV policies we check the Harmony registry key. If we work honestly, then connection is only possible through Harmony. But you can install the Endpoint Security Standalone Client, manually specify the registry branch that is being checked, and I will also connect to the VPN through another client.
0 Kudos
PhoneBoy
Admin

Authentication with Machine Certificates (in addition to other methods) is the best way to go here.
Machine Certificates usually come from Active Directory and would be installed in the device’s certificate store and cannot be exported.

0 Kudos
(1)
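The machine-certificate approach above only binds a connection to a device if the private key really is non-exportable. The following PowerShell audit is an added example, not code from this thread or from Check Point; it lists client-authentication certificates in the LocalMachine store and reports whether each private key can be exported and whether the issuer matches an expected enterprise CA (the CA name is a placeholder).

```powershell
# Added example: audit LocalMachine\My for client-auth certificates whose
# private key is exportable. An exportable key can be copied to an unmanaged
# device and defeats the device-binding that machine authentication relies on.
$ExpectedIssuer = 'CN=CORP-ISSUING-CA'   # placeholder, replace with your CA's subject DN
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU OID

Get-ChildItem -Path Cert:\LocalMachine\My |
  Where-Object { $_.HasPrivateKey } |
  ForEach-Object {
    $cert = $_
    # Only consider certificates usable for client (VPN) authentication
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $isClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    if (-not $isClientAuth) { return }

    # Exportability lives in different places for CNG keys and legacy CSP keys
    $exportable = $null
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($key -is [System.Security.Cryptography.RSACng]) {
            $exportable = $key.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
        } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $exportable = $key.CspKeyContainerInfo.Exportable
        } else {
            $exportable = 'unknown (non-RSA key)'
        }
    } catch {
        $exportable = 'unknown (access denied)'
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        TrustedCA  = ($cert.Issuer -eq $ExpectedIssuer)
        Exportable = $exportable
    }
  } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a managed endpoint; any row with Exportable set to True or TrustedCA set to False is a certificate that should not be accepted for VPN machine authentication.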
