This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NickDeGrootYama
Explorer
‎2022-12-22 10:29 AM
Jump to solution

Windows Always-ON VPN ( Device & User tunnel ) together with Identity Collector question

Hi All,

 

I do have a question regarding the combination of Windows AO-VPN and IDC.

Our Windows AO-VPN solution on our Windows Endpoints consists of 2 tunnels.

1. Device Tunnel ( Is initiated when Windows boots and before user logs in )

2. User Tunnel ( is initiated after the user logs in into Windows )

The Device Tunnel is there purely for management purposes ( getting (AV)/Windows updates etc). The User Tunnel gets the corresponding routes which the user needs.

However in SmartConsole i see in the logs that the traffic which the user initiates does not has a source-username log entry.

Investigating it further , i see that the username of the corresponding user that has logged in to the endpoints is correlating with the Device-Tunnel IP address. However,  that IP is not used for resources behind the VPN.

The IDC is working correctly for internal traffic , but as the remote endpoint gets 2 IP addresses , IDC only correlates the Device IP instead of the User-Tunnel IP.

Currently the traffic flow is as follows

  1. Devices boots
  2. Windows starts up and Device-Tunnel is initiated -> IP 10.10.10.1 is assigned.
  3. User logs in into Windows before the User-Tunnel is initiated the IDC correlates the Device-Tunnel IP with the logged in user ( which is what gets into the AD Event logs ) so untill here everyhing works correctly
  4. User-Tunnel is automatic initiated after user login and traffic to on-prem resources flows via User-Tunnel ( IP 10.10.10.2 )

 

So what we would actually like to establish is that the 10.10.10.2 is correlated in SmartConsole with the Windows Username. However , i doubt if that is possible as the real login on the Windows Endpoint happens before. Hopefully anybody here can point me in the right direction.

0 Kudos
1 Solution

Accepted Solutions
AaronCP
Advisor
‎2022-12-22 02:26 PM
Jump to solution

Hi @NickDeGrootYama,

 

My previous employer had the same set up. As @PhoneBoy mentioned, we used Identity Agent (transparent Kerberos SSO) with Windows AOVPN and it worked as you required i.e. presented the user tunnel IP along with the user & device credentials from the Kerberos ticket.

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2022-12-22 11:27 AM
Jump to solution

Identity Collector can only leverage information it gets from the Identity Source (in this case, Active Directory).
If there isn't a login event reported on the other IP address in the Windows Security Logs, we'll never know about it.

The only thing I can suggest trying is using an Identity Agent on systems with AO-VPN.

Chris_Atkinson
Employee Employee
Employee
‎2022-12-22 01:34 PM
Jump to solution

Just to confirm your identity awareness config has "remote access VPN" selected as an identity source correct?

If this VPN doesn't terminate on a CP gateway as such you can ignore the above however.

CCSM R77/R80/ELITE
0 Kudos
PhoneBoy
Admin
Admin
‎2022-12-22 01:43 PM
In response to Chris_Atkinson
Jump to solution

We're talking about Microsoft's Always-on VPN...which doesn't use our client or terminate on our gateway.

AaronCP
Advisor
‎2022-12-22 02:26 PM
Jump to solution

Hi @NickDeGrootYama,

 

My previous employer had the same set up. As @PhoneBoy mentioned, we used Identity Agent (transparent Kerberos SSO) with Windows AOVPN and it worked as you required i.e. presented the user tunnel IP along with the user & device credentials from the Kerberos ticket.

NickDeGrootYama
Explorer
‎2022-12-22 10:30 PM
In response to AaronCP
Jump to solution

Tested this on my own machine , and indeed that works as expected.

Was hoping this could be done clientless , but if we need this Identity Agent then we should do that!

Thanks!

0 Kudos
SimonSchreiber9
Explorer
‎2024-01-15 06:09 AM
Jump to solution

Hi,

is there any possibility to establish an user AND machine tunnel during the session?

Terminal mode (in trac default) ist activated.
PC boots up. Machine tunnel will be established. User logs in, user tunnel will be established WITHOUT disconnecting the machine tunnel ?

 

Is this possible?

Thanks and kind regards,

Simon.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-01-16 10:11 PM
In response to SimonSchreiber9
Jump to solution

Not currently as it is operating as designed.
Please discuss your specific requirements with your Check Point SE.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 20 May 2025 @ 11:30 AM (PDT)

    Las Vegas: Check Point Hybrid Mesh
    In-Person

    Wed 21 May 2025 @ 11:30 AM (MST)

    Tempe, AZ: Check Point Hybrid Mesh
    In-Person

    Tue 03 Jun 2025 @ 09:00 AM (CEST)

    CheckMates LIve France - Workshop Check Point Quantum
    In-Person

    Tue 03 Jun 2025 @ 06:00 PM (EDT)

    Montreal: CPX Recap
    In-Person

    Tue 10 Jun 2025 @ 06:00 PM (EDT)

    Quebec City: CPX Recap
    CheckMates Events