Webnoob
Explorer

different vpn access

I have a 1570 with remote access enabled. I also have RADIUS configured and use the NPS Azure MFA extension.
Is it possible to give the VPN users different VPN access? 

Ex. one group can RDP to one server, another group RDP to another server and a third group ssh to a specific device?

0 Kudos
5 Replies
PhoneBoy
Admin

This should be possible (at least on most recent firmware versions) by creating Inbound VPN rules in terms of users/groups.

0 Kudos
Webnoob
Explorer

I have just upgraded to R81.10.17.
Is there a step-by-step explanation?

0 Kudos
PhoneBoy
Admin

There are two ways to retrieve groups:

  • Via LDAP, which must be explicitly configured on each gateway to the relevant Active Directory server
  • Via the SAML Assertion used as part of SAML Authentication

As far as I know, with Azure, there IS no LDAP interface.
Which means you should be using SAML here.

Are you managing this device entirely through the WebUI or are you using external management?

0 Kudos
Webnoob
Explorer

Users are in an on-prem AD.
I use RADIUS to get user info when they use VPN.
The device is only managed locally through the WebUI.

0 Kudos
G_W_Albrecht
MVP Silver

That is the easiest way to implement - use the AD for the groups needed.

- Enable User Awareness Blade and configure AD query:

Working with User Awareness

- Add manual Incoming Rules for specified user groups and service/destination, followed by a Block all rule for all groups.

AFAIK, SAML Authentication is only supported on Managed SMBs - and DC is much easier...

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
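
The rule layout described in the last reply (per-group incoming rules, then a block-all rule), as an added example that is not part of the thread and not Check Point tooling: a small Python model that audits a rule list against the intended access matrix. Group, host and service names are constructed, and first-match rule ordering is an assumption of the model.

```python
from itertools import product

# Constructed rule base mirroring the thread's scenario (all names hypothetical).
# Each rule: (user group or "*", destination or "*", service or "*", action)
RULES = [
    ("vpn-rdp-a", "server-a", "rdp", "accept"),
    ("vpn-rdp-b", "server-b", "rdp", "accept"),
    ("vpn-ssh",   "device-c", "ssh", "accept"),
    ("*",         "*",        "*",   "block"),   # final block-all rule
]

# The access each group is meant to have, kept separate from the rules.
INTENDED = {
    ("vpn-rdp-a", "server-a", "rdp"),
    ("vpn-rdp-b", "server-b", "rdp"),
    ("vpn-ssh",   "device-c", "ssh"),
}

def first_match(rules, group, dest, service):
    """Return the action of the first matching rule, or None if none matches."""
    for r_group, r_dest, r_service, action in rules:
        if (r_group in ("*", group) and r_dest in ("*", dest)
                and r_service in ("*", service)):
            return action
    return None

def audit(rules, intended):
    """List every (group, dest, service) flow that deviates from the matrix."""
    groups = sorted({g for g, _, _ in intended})
    dests = sorted({d for _, d, _ in intended})
    services = sorted({s for _, _, s in intended})
    findings = []
    for flow in product(groups, dests, services):
        verdict = first_match(rules, *flow)
        if flow in intended and verdict != "accept":
            state = "unmatched" if verdict is None else "blocked"
            findings.append((flow, "intended access is " + state))
        elif flow not in intended and verdict == "accept":
            findings.append((flow, "over-permissive accept"))
        elif flow not in intended and verdict is None:
            findings.append((flow, "unmatched: depends on gateway default"))
    return findings

if __name__ == "__main__":
    for flow, problem in audit(RULES, INTENDED):
        print(flow, problem)
```

An empty result means every group reaches only its own target; dropping the block-all rule or moving it to the top of the list produces findings.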
