Configuring Different Encryption Domains for Different User Groups in SNX
Solution

The Authorized Locations (hosts or address ranges) of a Native application are defined in the Authorized Locations page of the Native Application. However, it is also possible to configure authorized locations per user group. Users who belong to two or more groups can access the union of the authorized locations of the groups.

User experience

The routing table on the user machine is changed according to the encryption domain defined for the user's group.

  1. If the user belongs to two or more groups, the user gets the union of the encryption domains defined for those groups.

  2. If this feature is enabled but no EDOM object is found for any of the user's groups, the user gets the default encryption domain.

Note: The user will NOT be able to manually add routing entries for destinations in the encryption domain of other groups and pass data to them.



Admin configuration

Enabling or disabling the feature is done through the command line on the Security Gateway:

[Expert@Hostname:0]# vpn set_snx_encdom_groups on/off

This command survives a reboot.

To check the current value of this property, run:

[Expert@Hostname:0]# ckp_regedit -p SOFTWARE/CheckPoint/VPN1 snx_enc_domain_per_user_group

The output will be either

SOFTWARE/CheckPoint/VPN1 : { CurrentVersion=[s]6.0 snx_enc_domain_per_user_group=[n]1 }.6.0 : { }

OR

SOFTWARE/CheckPoint/VPN1 : { CurrentVersion=[s]6.0 snx_enc_domain_per_user_group=[n]0 }.6.0 : { }

Another option to check the value is to run:

[Expert@Hostname:0]# cat /opt/CPshrd-R77/registry/HKLM_registry.data | grep snx

The output will be either

:snx_enc_domain_per_user_group ("[4]1")

OR

:snx_enc_domain_per_user_group ("[4]0")

Note: For the registry change to take effect, either run cpstop;cpstart or reboot the Security Gateway.


For IPSec SNX:

1. Define a Remote Access rule with the following details:

  • Source - users group
  • Destination - the encryption domain group, defined below
  • VPN - Remote Access
  • Service - Any (or the list of requested services)
  • Action - Accept

2. Define the encryption domains per group:
  Create a group of network objects for each user group on a specific gateway with the following naming convention:
  EDOM~[Users Group Name]~[Gateway name]

3. Install the Security Policy / Publish session.

     

For SNX in Mobile Access:

  1. Create a native application for each encryption domain group that was defined (the encryption domain group should be the "authorized locations").

  2. Create an access rule in the "Access to application" table for each user group with the matching Native application.

  3. Define the encryption domains per group:
    Create a group of network objects for each user group on a specific gateway with the following naming convention:
    EDOM~[Users Group Name]~[Gateway name]

  4. Install the Security Policy / Publish session.

Note: For AD groups, you must prepend "ad_group" to the name.

For example: EDOM~[ad_group_groupname]~[Gateway_name]
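As an added example (not part of this SK article and not a Check Point tool), the POSIX shell helpers below put the rules above into code: building the EDOM~ object name for local and AD groups, reading the feature state from the grep output of HKLM_registry.data shown above, and working out the union of encryption domains a user in several groups receives, falling back to the default domain when no group has an EDOM object. The gateway name gw1, the group names and the EDOM_OBJECTS table are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the SK article: helpers for auditing the per-group
# SNX encryption domain setup. EDOM_OBJECTS is constructed sample data.

# Name of the EDOM object the gateway looks up for a user group.
# Usage: edom_name GROUP GATEWAY [ad]   ("ad" adds the ad_group prefix AD groups need)
edom_name() {
    if [ "${3:-}" = ad ]; then
        printf 'EDOM~ad_group_%s~%s\n' "$1" "$2"
    else
        printf 'EDOM~%s~%s\n' "$1" "$2"
    fi
}

# Interpret the grep output from HKLM_registry.data shown in the article.
# Prints on/off, or "unset" when the key is absent from the text.
snx_encdom_state() {
    case "$1" in
        *'snx_enc_domain_per_user_group ("[4]1")'*) echo on ;;
        *'snx_enc_domain_per_user_group ("[4]0")'*) echo off ;;
        *) echo unset ;;
    esac
}

# Constructed sample: EDOM group objects on gateway gw1 (name, then members).
EDOM_OBJECTS='EDOM~Finance~gw1 10.1.0.0/16 10.9.0.0/24
EDOM~ad_group_Devs~gw1 10.2.0.0/16 10.9.0.0/24'

# Destinations a user should get routed: the union of the EDOM members of all
# the user's groups, or "default" when none of the groups has an EDOM object.
# Usage: user_encdom GATEWAY GROUP[:ad] ...
user_encdom() {
    gw=$1; shift
    found=''
    for g in "$@"; do
        case "$g" in
            *:ad) name=$(edom_name "${g%:ad}" "$gw" ad) ;;
            *)    name=$(edom_name "$g" "$gw") ;;
        esac
        # members of the matching object, space separated (empty if no object)
        members=$(printf '%s\n' "$EDOM_OBJECTS" | awk -v n="$name" '$1 == n { $1 = ""; print }')
        found="$found$members"
    done
    if [ -z "$found" ]; then
        echo default
    else
        printf '%s\n' $found | LC_ALL=C sort -u | paste -sd ' ' -   # word-split on purpose
    fi
}
```

Run `user_encdom gw1 Finance Devs:ad` to see the merged routes a member of both sample groups would receive; `user_encdom gw1 HR` prints default because no EDOM object exists for that group.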
