I'm looking for an option to restrict VPN access only for laptops which are "domain members".
Is there a way to accomplish that? (All PCs/Part of them?)
Yes, there's an option in the Endpoint Security VPN client called "Secure Configuration Verification" (SCV).
One of the checks you can configure is "Verifies that the user logged into the operating system and is a member of specified Domain User Groups."
That should meet your specific requirement.
Note this only applies to Windows PCs as the Mac VPN client does not support these checks.
Refer to: Remote Access VPN R80.10 (Part of Check Point Infinity)
Two additional questions:
1. Does that require specific VPN client license/flavor?
2. How do I enforce that only this type of client can connect?
It requires the Endpoint Security VPN client, which requires a remote access VPN license for each user that connects.
In terms of our current Endpoint licenses, this includes:
However, other legacy licenses may include this .
If you have questions about this, reach out to your Check Point account team or Partner.
The procedure for enforcing that only that client can connect includes:
This should be covered in the documentation I linked previously.
Apparently SCV policy is a global property, and if the customer has more than one gateway or more different policies for different type of users it's not possible, at least I couldn't find any documentation on this and support guys didn't also.
Anyone who has any field experience with the SCV policy, please comment.
Retrieving data ...