SSL VPN
Visitor
mayash
Posts: 3
Registered: 01-05-2012
0

How to limit Network Connect to only company PCs

I am trying to set it up so they must be on a company machine to use Network Connect. I think limiting access to only machines connected to our domain would work, but when I go into Resource Policies / Network Connect and Detailed Rules, I add a rule for ntdomain = "PB_MT" and it saves but doesn't show up in the list and doesn't seem to work. Any suggestions or ideas?

Contributor
icmp
Posts: 14
Registered: 05-09-2010
0

Re: How to limit Network Connect to only company PCs

I think you can use the following with a Host Checker policy to check whether the device is joined to the domain, and I think the user has to log on with a domain account as well to get this value.

- For Windows 7

Key/Subkey: SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Domain
String: ABC.DEF.COM

- For Windows XP

Key/Subkey: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName
String: ABC

Contributor
Lilja
Posts: 85
Registered: 12-02-2009
0

Re: How to limit Network Connect to only company PCs

I think this key works on both Win XP and Win 7:

Registry Subkey: \SYSTEM\ControlSet001\Services\Tcpip\Parameters
Name: Domain
Type: String
Value: <domainname>

---------------------------------------------------
Please mark this post as 'accepted solution' if my input answers your question!
A kudo would be nice if you think I deserve it.
---------------------------------------------------
2 A/P clustered 6500, 7.4R9.1
2 A/P clustered 2500, 8.0R3.1 LAB
Trusted Contributor
Mrkool
Posts: 248
Registered: 02-28-2008
0

Re: How to limit Network Connect to only company PCs

This is what we are using, and it works for Windows XP, Vista and 7:

Key/Subkey: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NV Domain
String: domainnamehere

I would also make a fake file, name it something like mouse.dxp, put it in the Windows folder, hide it as a system file, and use an MD5 hash match to check for this file as well as the above.

SA-6500 (7.3R3) Production
MAG 4610 (7.4) Lab
Trusted Contributor
mattspierce
Posts: 104
Registered: 07-27-2010
0

Re: How to limit Network Connect to only company PCs

Have you thought about using client certs? That would tighten up authentication. Enforce client certificates in Configure/Security. AD can publish and maintain the certs. Mark the keys non-exportable in your template, and now only AD boxes can associate.
Moderator
zanyterp
Posts: 2,263
Registered: 11-19-2007
0

Re: How to limit Network Connect to only company PCs

If your detailed rule is ntdomain, that is an attribute from when users log in to the IVE; it will always be true since it is based on the AD/LDAP value.

The suggestions for use of Host Checker (any of the ideas posted will work great, singly or in combination) or certificates are the best ways to do this, as it relies solely on what is on the PC for access. And then require that policy on the role (making sure to enable the evaluate option on the realm).
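Added example (not posted by anyone in this thread, and not Juniper code): a PowerShell script that reads the registry values the Host Checker suggestions above rely on (icmp's Domain and DefaultDomainName values, Lilja's ControlSet001 path, Mrkool's NV Domain) and compares each with an expected domain, so you can confirm on a sample of company machines what the policy will actually see before you require it on the role as zanyterp describes. The expected domain `ABC.DEF.COM` is the placeholder from icmp's post; comparing DefaultDomainName against the first DNS label is an approximation of mine, since the NetBIOS name is not guaranteed to equal it. It assumes PowerShell 3 or later and a logged-on domain user.

```powershell
# Added example: report what the Host Checker registry rules from the thread
# would evaluate on this machine. $ExpectedDomain is a placeholder; set your own.
param(
    [string]$ExpectedDomain = 'ABC.DEF.COM'
)

# CurrentControlSet is a link to whichever ControlSet00N HKLM\SYSTEM\Select\Current
# names. A policy that hard-codes ControlSet001 will miss machines where it is not.
$current = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select').Current
'CurrentControlSet resolves to ControlSet{0:D3}' -f $current

# Approximation: treat the first DNS label as the NetBIOS domain name.
$netbiosGuess = $ExpectedDomain.Split('.')[0]

$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';       Name = 'Domain' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';       Name = 'NV Domain' },
    @{ Path = 'HKLM:\SYSTEM\ControlSet001\Services\Tcpip\Parameters';           Name = 'Domain' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';    Name = 'DefaultDomainName' }
)

foreach ($c in $checks) {
    # A missing value name is not an error here; it simply means the rule would fail.
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $value -or $value -eq '') {
        $status = 'MISSING'
    } elseif ($value -ieq $ExpectedDomain -or $value -ieq $netbiosGuess) {
        $status = 'MATCH'
    } else {
        $status = 'MISMATCH'
    }
    '{0,-9} {1,-18} {2} = {3}' -f $status, $c.Name, $c.Path, $value
}

# Cross-check against the machine's real join state, which the string values above
# only approximate (they are ordinary configuration data, not proof of membership).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$join = if ($cs.PartOfDomain) { 'JOINED' } else { 'NOTJOINED' }
'{0,-9} Win32_ComputerSystem: PartOfDomain={1} Domain={2}' -f $join, $cs.PartOfDomain, $cs.Domain
```

Run it as the logged-on user on a few known-good and known-bad machines and compare the MATCH/MISSING lines with the rule you intend to deploy; the first line tells you whether ControlSet001 really is the active control set on that box. The WMI line at the end is the value the registry strings are standing in for: they are plain settings an administrator on the machine can change, which is why the client-certificate approach with non-exportable keys that mattspierce suggests is the stronger control and worth layering on top of the Host Checker rule.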

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.