DA UAG user/group based TMG rules

  • Question

  • We are migrating from a Checkpoint VPN solution to a UAG DA solution and are trying to replicate some functionality we had in Checkpoint.

    For example, our Checkpoint is aware of our AD, and when a user logs in via VPN we can define access rules by user group membership: users with basic access can have only, say, Exchange and RDP to TS, while users with advanced access can have access to some internal resources.

    TMG underneath UAG also contains a "Users" field, which is set to "All Users" by default. As we prefer to have more control over what remote users can access via DA, I have tried to use the same AD groups I use in Checkpoint in the rules.

    However, I got the following message and TMG denied the access:

    

    And my question is: how can I filter on a per-user basis in TMG? It is a DA user, so to my understanding it is clearly authorized by the same server.

    Tuesday, May 15, 2012 2:59 PM

Answers

  • You have to think about DirectAccess as extending the network out to your user, not really as connecting individual users into the network. When a user is connected via DA, it really is like they are sitting on the internal network. They have access to the same things outside as they do inside. That can be both good and bad, depending on your perspective.

    I have seen companies enable DirectAccess to common resources (like your Exchange and Terminal Servers) for everyone, and then, just like Mylo was saying, when you have power users that need additional access (like to a PCI zone) they would have to launch an additional form of connectivity, such as a UAG portal.

    One important thing to keep in mind is that any restrictions you have in place on the internal network are also going to be in place for the DirectAccess connections. So if "Susie" has access to Server1 but not to Server22, she automatically will also have the same level of access while connected via DA. So you can use your existing security measures and restrictions at the application server level to manage access as well.

    Wednesday, May 16, 2012 12:46 PM

All replies

  • Hi Romans,

    The session is not being authenticated through TMG. You can provide DirectAccess to those users with advanced access requirements and then revert to the use of a UAG trunk to control access through the UAG portal, with access to Exchange and RDP to TS accordingly, for more limited use cases.

    Regards,

    Mylo

    Tuesday, May 15, 2012 5:03 PM
  • Thanks a lot for your answers, guys.


    Thursday, May 17, 2012 11:52 AM