HeikoAnkenbrand
Champion

Standalone Remote Access VPN Client + Posture Checks

Is it possible to perform posture checks with the latest ‘Standalone E88.50 Remote Access VPN Clients for Windows’?

Background to my question:

A customer wants to avoid using the ‘Remote Access VPN client’ on a private PC. The user could install the software on his private PC and then set up a VPN tunnel to the company.

Are there posture checks here so that you can check whether the “Remote Access VPN Client” software only works on company PCs?

I had thought of something like this:
- Certificate check whether a company certificate is available.
- Check whether a company registry key is set.
- and and and

Is this possible with ‘Inline Layer’ or ‘Order Layer’?
The idea is to query the user certificate first and then the machine certificate if necessary.

Or perhaps with an IA rule to use both certificates (user certificate and machine certificate).

Does anyone here have any ideas?

I have not found anything on this in the following documents:
- R81.20 Remote Access VPN Administration Guide
- Remote Access VPN Clients for Windows Admin Guide
- Remote Access TTM Configuration (sk75221)
- E88.x Remote Access VPN Clients
- E87.x Remote Access VPN Clients

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Accepted Solutions
AkosBakos
Leader

Hi @HeikoAnkenbrand,

Maybe the Secure Configuration Verification - Advanced can be useful in this situation.

What if you check that the logged-in user is a DOMAIN user in the company's AD?

"Groupmonitor"

 

Cheers,

Akos

----------------
\m/_(>_<)_\m/


4 Replies
D_W
Advisor

Proposal: Allow authentication only with password AND certificate. Only Company Devices receive the cert and you also include a second factor.

HeikoAnkenbrand
Champion

Hi @AkosBakos,

I was probably blind when reading the manuals 😉

Thank you very much, that's exactly what I was looking for.

Cheers,
Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
the_rock
Legend

Thought you could set it below, but guess not, has to be done through local.scv file...

Andy

 

Screenshot_1.png
