NickDeGrootYama
Explorer

Windows Always-ON VPN ( Device & User tunnel ) together with Identity Collector question

Hi All,


I do have a question regarding the combination of Windows AO-VPN and IDC.

Our Windows AO-VPN solution on our Windows Endpoints consists of 2 tunnels.

1. Device Tunnel (initiated when Windows boots, before the user logs in)

2. User Tunnel (initiated after the user logs in to Windows)

The Device Tunnel is there purely for management purposes ( getting (AV)/Windows updates etc). The User Tunnel gets the corresponding routes which the user needs.

However, in SmartConsole I see in the logs that the traffic the user initiates does not have a source-username log entry.

Investigating it further, I see that the username of the corresponding user that has logged in to the endpoint is correlated with the Device-Tunnel IP address. However, that IP is not used for resources behind the VPN.

The IDC is working correctly for internal traffic, but as the remote endpoint gets 2 IP addresses, IDC only correlates the Device IP instead of the User-Tunnel IP.

Currently the traffic flow is as follows:

  1. Device boots
  2. Windows starts up and the Device-Tunnel is initiated -> IP 10.10.10.1 is assigned.
  3. User logs in to Windows before the User-Tunnel is initiated; the IDC correlates the Device-Tunnel IP with the logged-in user (which is what gets into the AD event logs), so until here everything works correctly.
  4. User-Tunnel is automatically initiated after user login and traffic to on-prem resources flows via the User-Tunnel (IP 10.10.10.2).


So what we would actually like to establish is that 10.10.10.2 is correlated in SmartConsole with the Windows username. However, I doubt if that is possible, as the real login on the Windows endpoint happens before. Hopefully anybody here can point me in the right direction.

PhoneBoy
Admin

Identity Collector can only leverage information it gets from the Identity Source (in this case, Active Directory).
If there isn't a login event reported on the other IP address in the Windows Security Logs, we'll never know about it.

The only thing I can suggest trying is using an Identity Agent on systems with AO-VPN.
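
A way to verify the point above before deploying an agent, as an added example that is not part of this thread: query the domain controller's Security log for logon events (ID 4624) and report which of the two tunnel addresses quoted in the question ever appear as the logon source. Identity Collector can only build an IP-to-user mapping from such events, so an address with no hits has nothing to correlate. It assumes it is run on, or pointed at, a DC with read access to the Security log.

```powershell
# Added example: list 4624 logon events whose source IP is one of the VPN tunnel
# addresses. The two addresses are the ones from the question; the DC name and
# the time window are assumptions.
param(
    [string[]]$VpnAddresses = @('10.10.10.1', '10.10.10.2'),  # device / user tunnel IPs
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME                 # assumption: a DC
)

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction Stop

# first logon time seen per "ip|DOMAIN\user" pair
$seen = @{}
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $ip   = $data['IpAddress']
    $user = $data['TargetUserName']
    # skip computer-account logons; IDC maps users, not machine accounts
    if ($user -like '*$') { continue }

    if ($VpnAddresses -contains $ip) {
        $key = "$ip|$($data['TargetDomainName'])\$user"
        if (-not $seen.ContainsKey($key)) { $seen[$key] = $e.TimeCreated }
    }
}

foreach ($ip in $VpnAddresses) {
    $hits = $seen.Keys | Where-Object { $_.StartsWith("$ip|") }
    if ($hits) {
        foreach ($h in $hits) {
            '{0,-15} logon by {1} at {2}' -f $ip, $h.Split('|')[1], $seen[$h]
        }
    } else {
        '{0,-15} no 4624 event in the last {1} h: nothing for IDC to correlate' -f $ip, $Hours
    }
}
```

If only 10.10.10.1 shows up, that confirms the user-tunnel address is invisible to the collector and an agent-based identity source is the remaining option.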

Chris_Atkinson
Employee

Just to confirm, your Identity Awareness config has "Remote Access VPN" selected as an identity source, correct?

If this VPN doesn't terminate on a CP gateway as such, you can ignore the above, however.

PhoneBoy
Admin

We're talking about Microsoft's Always-on VPN...which doesn't use our client or terminate on our gateway.

AaronCP
Advisor

Hi @NickDeGrootYama,


My previous employer had the same setup. As @PhoneBoy mentioned, we used Identity Agent (transparent Kerberos SSO) with Windows AOVPN and it worked as you required, i.e., it presented the user tunnel IP along with the user & device credentials from the Kerberos ticket.

NickDeGrootYama
Explorer

Tested this on my own machine, and indeed that works as expected.

Was hoping this could be done clientless, but if we need this Identity Agent then we should do that!

Thanks!
