Identity Agent for a User Endpoint Computer - Parameters in Windows Registry

You can add attributes to the Identity Agent on a Windows endpoint computer to control its behavior.

Identity Agent: the Check Point dedicated client agent installed on Windows-based user endpoint computers. It acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator, not the end user, configures the Identity Agents. There are two types of Identity Agents, Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal at 'https://<Gateway_IP_Address>/connect' or from the Support Center.

To add a new attribute to Identity Agent:

  1. On the Windows endpoint computer:

    1. Click Start.

    2. Enter "Run" and press the Enter key.

    3. Enter "regedit" and press the Enter key.

      Windows Registry Editor opens.

  2. In the top address bar, go to the registry path that matches the Identity Agent type and the Windows OS type:

| Identity Agent Type | Windows OS Type | Registry Path |
|---|---|---|
| Full Identity Agent or MUH Identity Agent | 32-bit Windows | Computer\HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA |
| Full Identity Agent or MUH Identity Agent | 64-bit Windows | Computer\HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA |
| Light Identity Agent | 32-bit Windows or 64-bit Windows | Computer\HKEY_CURRENT_USER\SOFTWARE\CheckPoint\IA |

Identity Agent Attributes

You can control the behavior of an Identity Agent with different attributes in the Windows Registry.

| Attribute Name | Description | Branch in Registry | Attribute Type | Default Value | Comments |
|---|---|---|---|---|---|
| DelayBetweenConnAttempts | Configures the delay time between failures: how much time (in milliseconds) to wait between failures. | IA | REG_DWORD | 10000 milliseconds | See sk88520. |
| DelayFactorBetweenConnAttempts | Configures the delay factor: the multiplication factor for the delay time between failures. To activate this parameter, assign it a value greater than or equal to 2. | IA | REG_DWORD | 1 | See sk88520. |
| MaxDelayBetweenConnAttempts | Configures the maximum delay time between failures (in milliseconds). | IA | REG_DWORD | 900000 milliseconds (15 minutes) | See sk88520. |
| ConnectionNumRetries | Configures the maximum number of connection attempts before the client resets the connection. | IA | REG_DWORD | 2 | See sk88520. |
| NumberOfAttemptsDiscoverPdp | Configures the maximum number of failed attempts to discover the PDP (the Identity Awareness Security Gateway acting as Policy Decision Point) in Discovery Mode before the client resets the connection. | IA | REG_DWORD | 6 | Added in R81.004.0000 (see sk170756). |
| DelayTimeToDiscoverPdp | After the Identity Agent reaches the configured number of failed attempts, how much time (in milliseconds) it waits before the next attempt. | IA | REG_DWORD | 300000 milliseconds | Added in R81.004.0000 (see sk170756). |
| PdpDNSDiscoveryEnabled | Enables (1) or disables (0) the search in the DNS Server in Discovery Mode. | IA | REG_DWORD | 1 | Added in R81.004.0000 (see sk170756). |
| CabDir | Configures the path where the Cab file is created after the "collect logs" operation (looked up by priority, from the global to the user context). | IA | REG_SZ | %temp% | Added in R80.234.000. |
| LogsEnabled | Enables (1) or disables (0) logs. | IA | REG_DWORD | 1 | Added in R80.234.000. |
| InterfaceNameToExclude | Configures an interface that the Identity Agent excludes in Discovery Mode when it matches the configured rule lists from the Active Directory database. | IA | REG_SZ | [NAME OF INTERFACE] | Only one interface can be selected. Added in R81.018.0000. |
| InterfaceNameToUse | Configures an interface that the Identity Agent uses in Discovery Mode when it matches the configured rule lists from the Active Directory database. | IA | REG_SZ | -- | Only one interface can be selected. Added in R81.018.0000. |
| EventLogsEnabled | Enables (1) or disables (0) writing of Identity Agent logs to the Windows Event Viewer. | IA | REG_DWORD | 0 | Added in R81.018.0000. |
| FilteredEventLogs | Configures the list of states for which no event log is created. | IA | REG_SZ | For MUH: "16". For Identity Agent for Windows: [EMPTY] | See sk103682. |
| UserKerberosAuthDisabled | Enables (0) or disables (1) user authentication with Kerberos. | IA | REG_DWORD | 0 | Added in R80.234.000. |
| MachineReportEnabled | Enables (1) or disables (0) collection of a machine report during the "collect logs" operation. | IA | REG_DWORD | 0 | Added in R81.005.0000. |
| AgentGlobalPropsBuffer | Global properties downloaded from the Management Server and the Security Gateway. | IA | REG_BINARY | None | |
| DisableBalloonNotifications | Enables (0) or disables (1) balloon notifications. | IA | REG_DWORD | 0 | See sk163577. |
| DisableDisconnect | Allows (0) or prevents (1) the user disconnecting from the server. | IA | REG_DWORD | 0 | Added in R80.234.000. |
| HideGui | Shows (0) or hides (1) the client GUI from the end user. | IA | REG_DWORD | 0 | See sk121335. |
| DisableSettings | Allows (0) or prevents (1) the user changing the Identity Agent settings from the user interface. | IA | REG_DWORD | 0 | Added in R80.234.000. |
| DisableQuit | Allows (0) or prevents (1) the user closing the Identity Agent. | IA | REG_DWORD | 0 | Added in R80.234.000. |
| IsFirstTimeActivation | Enables (1) or disables (0) a balloon message that asks users whether this is the first time they are using the Identity Agent. | IA | REG_DWORD | 1 | Added in R80.234.000. |
| DefaultGateway | Enables (1) or disables (0) manual configuration of the IP address and DNS name of the Default Gateway. | IA | REG_SZ | "" | Added in R80.234.000. |
| Fingerprint | Configures the server's certificate fingerprint string. | IA\TrustedGateways\SERVER_CN | REG_SZ | None | Added in R80.234.000. |
| PdpDiscoveryEnabled | Enables (1) or disables (0) the PDP Discovery Mode. | IA | REG_DWORD | 1 | Added in R80.234.000. |
| DefaultGatewayEnabled | Enables (1) or disables (0) manual configuration of a PDP Gateway. Manual configuration includes the predefined advanced rule base. | IA | REG_BINARY | 0 | Added in R80.234.000. |
| PredefinedPDPConnRUBUsed | Enables (1) or disables (0) the predefined advanced rule base. | IA | REG_DWORD | 0 | Added in R80.234.000. |
| PredefinedPDPConnectRuleBase | The name of the manually predefined advanced rule base. | IA | REG_BINARY | None | Added in R80.234.000. |
| ResolveFQDN | Enables (1) or disables (0) the user connecting in FQDN format. | IA | REG_DWORD | 0 | See sk87200. |
| ResolveUPN | Enables (1) or disables (0) the user connecting in UPN format. | IA | REG_DWORD | 0 | See sk110858. |
| DisableTagging | Enables (0) or disables (1) packet tagging. | IA | REG_DWORD | 0 | Added in R80.234.000. |
| IsHandleSessionEventEnabledMuh2 | Enables (1) or disables (0) user identification through the running process or session events with MUH2. | IA | REG_DWORD | 1 | Added in R81.004.0000. See sk170635. |
| SharedSecret | Configures the MUH agent's shared secret. | IA | REG_SZ | "" | Added in R80.234.000. |
| MUHMonitoringEnabled | Enables (1) or disables (0) MUH monitoring. | IA | REG_DWORD | 0 | See sk164998 (Operation Questions > "Can I monitor the status of connected TS Identity Agents"). |
| MUHMonitoringInterval | If MUH monitoring is enabled, configures the interval (in seconds) at which the MUH Agent sends monitoring information to the Security Gateway. | IA | REG_DWORD | 15 seconds | See sk164998 (Operation Questions > "Can I monitor the status of connected TS Identity Agents"). |
| MUHCollectLogsForAllUsersEnabled | Determines who can collect logs in the MUH agents: administrators only (0) or all users (1). | IA | REG_DWORD | 0 | Added in R80.234.000. |
| EnablePortProbing | Enables (1) or disables (0) verification that the ports (source or destination) used for a connection are available. | UIP | REG_DWORD | 0 | See sk117089. |
| ExcludedTCPPorts | Configures MUH1 to exclude the specified TCP ports. | UIP | REG_SZ | 1-9999 | Added in R80.234.000. |
| ExcludedUDPPorts | Configures MUH1 to exclude the specified UDP ports. | UIP | REG_SZ | 1-9999 | Added in R80.234.000. |
| MaxNumOfPortsPerUser | Configures the maximum number of ports that MUH1 can allocate per user. | UIP | REG_DWORD | 900 | Added in R80.234.000. |
| PortsMinPerUser | Configures the minimum number of ports that MUH1 can allocate per user. | UIP | REG_DWORD | 20 | Added in R80.234.000. |
| IAConfigToolPath | Configures the path of the Identity Agent configuration tool. | IA | REG_SZ | "" | Added in R81.004.0000. |
| AdvancedDistributedConfigurationEnabled | Enables (1) or disables (0) the use of the Advanced Distributed Configuration tool (which supports multiple domain controllers). | IA | REG_DWORD | 1 | Added in R81.018.0000. |
| UserAuthMethods | Determines which authentication methods to use for user authentication. The value 1 enables all user authentication; the value 0 disables all user authentication. Use the value 0 for an Identity Agent that only requires authentication by machine identity. | IA | REG_DWORD | 1 | Added in R80.234.000. |
| MachineAuthMethods | Determines which authentication methods to use for machine authentication. The value 1 enables all machine authentication; the value 0 disables all machine authentication. Use the value 0 for an Identity Agent that only requires authentication by user identity. | IA | REG_DWORD | 1 | Added in R80.234.000. |
| KerberosGetUserNameRetries | Configures the number of times the Identity Agent tries to fetch the logged-on username for user authentication with Kerberos. | IA | REG_DWORD | 15 | Added in R81.022.0000. |
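The procedure above is a manual Registry Editor walkthrough; on a managed fleet an administrator would normally read and set the same attributes from PowerShell, so that the value type (REG_DWORD versus REG_SZ) is always correct and the current state can be audited. The following script is an added example, not Check Point's own code or tooling. The registry paths (HKLM for Full/MUH, HKCU for Light) and the attribute names and types are taken from the tables on this page; the `$Baseline` values are an assumed hardening choice for the example (keep Windows Event Log output on so the SOC sees agent state changes, and stop users from quitting, disconnecting or reconfiguring the agent), not product defaults.

```powershell
# Added example (not Check Point code): audit and set Identity Agent registry
# attributes with the value kind the documentation specifies for each one.

function Get-IAKeyPath {
    param([ValidateSet('Full', 'MUH', 'Light')][string]$AgentType)
    # Full and MUH agents keep their attributes under HKLM; the Light agent under HKCU.
    switch ($AgentType) {
        'Light' { 'HKCU:\SOFTWARE\CheckPoint\IA' }
        default { 'HKLM:\SOFTWARE\CheckPoint\IA' }
    }
}

# Attribute name -> registry value kind, from the attribute table above.
# Extend this map before setting any attribute not listed here.
$AttributeType = @{
    DelayBetweenConnAttempts    = 'DWord'
    MaxDelayBetweenConnAttempts = 'DWord'
    ConnectionNumRetries        = 'DWord'
    EventLogsEnabled            = 'DWord'
    LogsEnabled                 = 'DWord'
    HideGui                     = 'DWord'
    DisableQuit                 = 'DWord'
    DisableSettings             = 'DWord'
    DisableDisconnect           = 'DWord'
    PdpDiscoveryEnabled         = 'DWord'
    CabDir                      = 'String'
    DefaultGateway              = 'String'
}

# Assumed baseline for a managed endpoint (example values chosen for this
# demonstration, not product defaults).
$Baseline = @{
    EventLogsEnabled  = 1
    LogsEnabled       = 1
    DisableQuit       = 1
    DisableDisconnect = 1
    DisableSettings   = 1
}

function Test-IABaseline {
    [CmdletBinding()]
    param([ValidateSet('Full', 'MUH', 'Light')][string]$AgentType = 'Full')
    $key = Get-IAKeyPath -AgentType $AgentType
    if (-not (Test-Path $key)) {
        throw "Registry key $key not found; is the $AgentType Identity Agent installed?"
    }
    $current = Get-ItemProperty -Path $key
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $prop   = $current.PSObject.Properties[$name]
        $actual = if ($null -ne $prop) { $prop.Value } else { $null }
        # An absent value means the product default from the table applies,
        # which for the attributes in this baseline is 0 (not compliant).
        $shown  = if ($null -eq $actual) { '(absent, product default applies)' } else { $actual }
        [pscustomobject]@{
            Attribute = $name
            Expected  = $Baseline[$name]
            Actual    = $shown
            Compliant = ($actual -eq $Baseline[$name])
        }
    }
}

function Set-IAAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value,
        [ValidateSet('Full', 'MUH', 'Light')][string]$AgentType = 'Full'
    )
    if (-not $AttributeType.ContainsKey($Name)) {
        throw "Unknown attribute '$Name'; add it to `$AttributeType with its REG_ type first."
    }
    $key = Get-IAKeyPath -AgentType $AgentType
    if ($PSCmdlet.ShouldProcess("$key\$Name", "Set to $Value ($($AttributeType[$Name]))")) {
        # -Force creates the value if it is missing and overwrites it otherwise;
        # -PropertyType makes the stored kind match the documented REG_ type.
        New-ItemProperty -Path $key -Name $Name -Value $Value `
            -PropertyType $AttributeType[$Name] -Force | Out-Null
    }
}

# Usage (run elevated for the HKLM-based Full and MUH agents):
#   Test-IABaseline -AgentType Full | Format-Table
#   Set-IAAttribute -Name DisableQuit -Value 1 -WhatIf   # preview only
#   Set-IAAttribute -Name DisableQuit -Value 1
```

`Test-IABaseline` reports an absent value separately from a wrong one, because for the attributes in this baseline an absent value falls back to the product default of 0 listed in the table, which is the non-hardened state. `Set-IAAttribute` refuses names that are not in the type map rather than guessing a kind, since writing a REG_SZ where the agent expects a REG_DWORD silently leaves the setting unapplied.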