A short follow up to my questions regarding the AD sync issues. The original thread MR3 was closed.
So I checked the behaviour at our XG once again, now with MR3. I can add a user in our AD group and i'm able to connect the ssl vpn. After that I removed the user from the group and tried to reconnect.
It was also possible. I checked the Users Group, it was now "Open Group" as mentioned from ddcool.
Checked the assigned remote access of "Open Group" --> no policy applied. So I checked the user configuration, were the vpn configuration of the AD group was still applied. That's nuts?
Next try, I set up a new default group where all settings are denied or not set. Not able to connect to ssl vpn but still able to login at the user portal. If I remove a user from their corresponding AD groups, there shouldn't be any further access to the systems.
What am I missing? Any Ideas? LuCar Toni Heinz Göth
Regards and thanks in advance,
User portal access should be possible, as the user is existing. SSLVPN should not be possible, if the certificate is removed. The certificate should be removed, if the user is removed from the configuration…
Am I the only one with this kind of issue / feature?
User portal access should be possible, as the user is existing. SSLVPN should not be possible, if the certificate is removed. The certificate should be removed, if the user is removed from the configuration.
Thanks for your explanation. A) I understand that a user are able to access the user portal as long as he is existing. But why? If I understand it correctly I have technically no chance to lock out a user from xg per group assignment until I delete him? A hard coded default group with "Deny all" would be great, or just an "active" checkbox ?B) What excatly do you mean with " is the user is removed from the configuration" ? Also delete him from the XG?
C) Can you please give me a best-practise how to setup the XG, that I'm able to control which user is allowed to connect with ssl vpn per AD group assignment and also if I remove the user from AD group that the user is not able to connect? Without any further configurations by hand. That would be awesome.
sorry that I'm askign again, but is it possible to disable a user completely by AD groups or not? In my opinion this is a really important security feature. I'm wondering that nobody else care about this.