Identity Agent for a User Endpoint Computer

This section describes how to configure an Identity AgentClosed Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are two types of Identity Agents - Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal - 'https://<Gateway_IP_Address>/connect' or from Support Center. (a type of Identity Client) for a user endpoint computer.

Introduction

An administrator installs these Identity Agents on user endpoint computers that acquire and report user identities to the Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway.

The administrator, not the users, configures these Identity Agents.

The Capabilities of Identity Agents

Item

Description

User identification

SSO transparently authenticates users that log in to the Active Directory domain, and then an Identity Agent identifies them as they use the Identity Agent.

If you do not configure SSO, or you disable it, the Identity Agent uses username and password authentication with a standard LDAP server.

The system opens a window for you to enter credentials.

Computer identification

You get computer identification only when you use the Full Identity Agent, because it requires a service installation.

Seamless connectivity

Transparent authentication when users use KerberosClosed An authentication server for Microsoft Windows Active Directory Federation Services (ADFS). Single Sign-On (SSO), when they are logged in to the domain.

Users who do not want to use SSO enter their credentials manually. You can let users keep these credentials.

Detection of IP address change

When an endpoint IP address changes (interface roaming, or DHCP assigns a new IP address), the Identity Agent automatically detects the change and reconnects.

Added security

You can use the patented packet tagging technology to prevent IP Spoofing.

Packet tagging is available only for the Full Identity Agent, because it requires a driver.

In addition, Identity Agent gives you strong (Kerberos-based) user and computer authentication.

Packet tagging

Packet Tagging for Anti-Spoofing is a technology that prevents IP Spoofing.

Note - Available only for the Full Identity Agent, because it requires installation of a driver.

IP Spoofing occurs when a user who is not approved assigns an IP address of an authenticated user to an endpoint computer. In this procedure, the user bypasses identity access enforcement rules.

To protect packets from IP Spoofing attempts, enable Packet Tagging. Packet Tagging is a technology that forbids spoofed connections to go through the Identity Awareness Gateway. In packet tagging, the Identity Agent and the Identity Awareness Gateway sign packets with a shared key.

Types of Identity Agents for a User Endpoint Computer

Important - For more information, see sk134312.

Type of Identity Agent

Description

Full

This is a predefined client that includes packet tagging and computer authentication.

The Windows administrator installs this client one time on a computer, and it applies to all users who log on to this computer.

Windows administrator permissions are required to use the Full Identity Agent.

The Full Identity Agent supports:

Light

This is a predefined client that does not include packet tagging and computer authentication.

The Windows administrator installs this client for each user who logs on to this computer.

Windows administrator permissions are not required to use the Light Identity Agent.

Comparison of the Light and Full Identity Agent Types

Category

Item

Full Identity Agent

Light Identity Agent

Installation Elements

Installed component

Application,

Windows Service,

Windows Driver

Application only

Required installation permissions

Administrator

None

Required upgrade permissions

None

None

Security Features

User identification

Single Sign-On

Single Sign-On

Computer identification

Yes

No

Detection of an IP address change on the client computer

Yes

Yes

Packet Tagging for Anti-Spoofing

Yes

No

Downloading Identity Agents

It is a Best Practice to download the latest Identity Agents to endpoint computers from sk134312.

An administrator of an Identity Awareness Gateway can require end users to download an Identity Agent from the Identity Awareness Captive PortalClosed A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication. so that they can access the Identity Awareness Gateway.

By default, the version of the Identity Agent that end users download from the Identity Awareness Captive Portal is current to the General Availability release date of the Identity Awareness Gateway. Identity Agent is not updated in Jumbo HotfixClosed Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Accumulators. An administrator can replace the default Identity Agent file on the Identity Awareness Gateway with a newer version of Identity Agent.

Authentication with an Identity Agent

Item

Description

1

User that is trying to connect to the internal network

2

Identity Awareness Gateway

3

Active Directory domain controller

4

Internal network

High-level overview of the Identity Awareness authentication process

  1. A user logs in to a computer with credentials and requests access to the Internal Data Center.

  2. The Identity Agent connects to the Identity Awareness Gateway:

    • If the Identity Agent is already installed, then it connects to the Identity Awareness Gateway.

    • If the Identity Agent is not installed yet:

      1. The Identity Awareness Gateway does not recognize the user and redirects the user to the Identity Awareness Captive Portal.

      2. The user logs in to Captive Portal.

      3. The Captive Portal shows a link to download the Identity Agent (if the Identity Awareness Gateway administrator configured so).

      4. The user downloads the Identity Agent from the Captive Portal and installs it.

      5. The Identity Agent connects to the Identity Awareness Gateway.

    Note - If SSO with Kerberos is configured, the user is automatically connected.

  3. The Identity Awareness Gateway authenticates the user.

  4. The Identity Awareness Gateway sends the connection to its destination, based on the Access Control Policy.