Identity Agent for a User Endpoint Computer - Downloading
These are the ways to download Identity Agents for a user endpoint computer:
It is a Best Practice to download the latest Identity Agents from sk134312.
An administrator of an Identity Awareness Gateway can force the endpoint users to download an Identity Agent from the Identity Awareness Captive Portal.

Terms used above:
- Identity Awareness (acronym: IDA): Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer.
- Identity Agent: Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are two types of Identity Agents - Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal - 'https://<Gateway_IP_Address>/connect' or from Support Center.
- Captive Portal: A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication.

Note - To force endpoint users to download a newer version of the Identity Agent, an administrator can change the file path in the Identity Awareness Gateway to the path for the new version of the Identity Agent.

1. Connect with SmartConsole (Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on) to the Management Server (Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) that manages the Identity Awareness Gateway.
2. From the left navigation panel, click Gateways & Servers.
3. Double-click the Identity Awareness Gateway object.
4. From the left, click the Identity Awareness page.
5. Enable the Browser-Based Authentication and click Settings.
6. In the section Identity Agent Deployment from the Portal:
   1. Select Require users to download.
   2. Select the required Identity Agent type:
      - Identity Agent - Light
      - Identity Agent - Full
      - Identity Agent - Custom
        This is a custom configuration created in the Identity Agent Configuration Utility (Check Point utility that creates custom Identity Agent installation packages. This utility is installed as a part of the Identity Agent: go to the Windows Start menu > All Programs > Check Point > Identity Agent > right-click the 'Identity Agent' shortcut > select 'Properties' > click 'Open File Location' ('Find Target' in some Windows versions) > double-click 'IAConfigTool.exe').
        For more information, see Creating Custom Identity Clients.
7. Click OK to close the Security Gateway (Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) object.
8. Install the Access Control Policy on the Identity Awareness Gateway.

The version of the Identity Agent that end users download from the Identity Awareness Captive Portal is current to the General Availability release date of the Identity Awareness Gateway.
This version is not updated.

1. Download the new version of Identity Agent from sk134312 to your computer.
2. Copy the downloaded Identity Agent from your computer to the Identity Awareness Gateway to this directory:
   /opt/CPNacPortal/htdocs/nac/nacclients
3. Connect to the command line of the Identity Awareness Gateway.
4. Log in to the Expert mode.
5. To make sure the file has permissions configured to allow end users to download it, run:
   chmod -v 644 /opt/CPNacPortal/htdocs/nac/nacclients/<Identity Agent Package>
6. Make sure that users are required to download the same type of Identity Agent that you downloaded to the Security Gateway.
   For example, if you downloaded the Full Identity Agent package, then:
   1. Connect with SmartConsole to the Security Management Server (Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server) / Domain Management Server that manages the Identity Awareness Gateway.
   2. From the left navigation panel, click Gateways & Servers.
   3. Double-click the Identity Awareness Gateway object.
   4. From the left tree, click the Identity Awareness page.
   5. Select Browser-Based Authentication and click Settings.
      The Portal Settings window opens.
   6. In the Captive Portal Settings window, below Identity Agent Deployment from the Portal, select Require users to download to make users install the Identity Agent.
      Make sure the selected type of Identity Agent matches the type of Identity Agent you downloaded to the Security Gateway:
      - Identity Agent - Full
      - Identity Agent - Custom
      - Identity Agent - Light
   7. Optional: To give users flexibility to choose when they install the Identity Client, select Users may defer installation until and select the latest date before users must install the Identity Client to continue to connect to the Identity Awareness Gateway. Until the selected date, the user sees a Skip Identity Client installation option in the Captive Portal.
   8. If you selected a new kind of Identity Agent or made changes to Users may defer installation until:
      1. Click OK to close the Security Gateway object.
      2. Install the Access Control Policy.

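A check to run before the new package goes live, as an added example (not Check Point tooling): it publishes a staged package into the portal directory only if it matches the SHA-256 you recorded on your workstation at download time, sets mode 644, and lists files in that directory that group or others can modify. The function names, the staging location, and the availability of sha256sum, install and GNU stat in Expert mode are assumptions.

```shell
#!/bin/sh
# Added example, not Check Point tooling. Function names are hypothetical.
# Portal download directory, taken from the procedure above.
NAC_DIR="/opt/CPNacPortal/htdocs/nac/nacclients"

# publish_agent <staged_package> <expected_sha256> [dest_dir]
# Copies the package into the portal directory only if its hash matches.
# Prints the published path. Returns 1 on hash mismatch, 2 on bad arguments.
# Usage: publish_agent /var/tmp/<Identity Agent Package> <sha256 recorded at download>
publish_agent() (
    pkg="$1"; expected="$2"; dest="${3:-$NAC_DIR}"
    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 2; }
    [ -d "$dest" ] || { echo "directory not found: $dest" >&2; return 2; }

    # Compare the copied file with the hash recorded on the workstation.
    actual=$(sha256sum "$pkg" | awk '{print $1}')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $pkg (got $actual), not published" >&2
        return 1
    fi

    target="$dest/$(basename "$pkg")"
    # install sets the mode explicitly, independent of the current umask.
    install -m 644 "$pkg" "$target" || return 3
    [ "$(stat -c '%a' "$target")" = "644" ] || return 4
    echo "$target"
)

# list_writable [dest_dir]
# Prints files that group or others can modify. A package served to every
# endpoint should be writable by its owner only.
list_writable() (
    dest="${1:-$NAC_DIR}"
    find "$dest" -type f \( -perm -020 -o -perm -002 \)
)
```

Stage the package outside the portal directory (for example under /var/tmp) so that a file that fails the hash check is never reachable from the Captive Portal.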
Authentication with an Identity Agent
Item | Description |
---|---|
1 | User that is trying to connect to the internal network |
2 | Identity Awareness Gateway |
3 | Active Directory domain controller |
4 | Internal network |

High-level overview of the Identity Awareness authentication process
1. A user logs in to a computer with credentials and requests access to the Internal Data Center.
2. The Identity Agent connects to the Identity Awareness Gateway:
   - If the Identity Agent is already installed, then it connects to the Identity Awareness Gateway.
   - If the Identity Agent is not installed yet:
     1. The Identity Awareness Gateway does not recognize the user and redirects the user to the Identity Awareness Captive Portal.
     2. The user logs in to Captive Portal.
     3. The Captive Portal shows a link to download the Identity Agent (if the Identity Awareness Gateway administrator configured so).
     4. The user downloads the Identity Agent from the Captive Portal and installs it.
     5. The Identity Agent connects to the Identity Awareness Gateway.

   Note - If SSO with Kerberos (An authentication server for Microsoft Windows Active Directory Federation Services (ADFS)) is configured, the user is connected automatically.
3. The Identity Awareness Gateway authenticates the user.
4. The Identity Awareness Gateway sends the connection to its destination, based on the Access Control Policy.