Identity Agent for a Terminal Server - Configuring as Identity Source

Configuring an Identity Agent for a Terminal Server

Install an Identity Agent Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are two types of Identity Agents - Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal - 'https://<Gateway_IP_Address>/connect' or from Support Center. for Terminal Servers.

Steps

Install this agent on the application server that hosts the Terminal/Citrix services after you enable the Terminal Servers identity source in the Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway object and install the Access Control Policy.

Note - To install an Identity Agent for a Terminal Server, you must have administrator privileges for the Terminal Server.

After the agent is installed, non-admin users can access the Controller of the agent, but only in read-only mode.

Download the Terminal Server Identity Agent from sk134312.

Important - Terminal Server Identity Agent Version 2 (Multi-User Host (MUH) v2) is a new installation. It is not an upgrade.

To uninstall Terminal Server Identity Agent Version 1 and install Terminal Server Identity Agent Version 2 (MUH v2):

Uninstall Terminal Server Identity Agent (Version 1).
Reboot your computer.
Enter the new preshared key for the new Terminal Server Identity Agent (Version 2).
Reboot your computer.

Make sure you open the link from a location defined in the Accessibility section:

Identity Awareness Gateway object properties > Identity Awareness page > near Terminal Servers, click Settings > in the Accessibility section, click Edit.

Configure the Shared Secret.
Steps
You must configure the same password as a shared secret in the Terminal Servers Identity Agent in these places:
- The application server that hosts the Terminal/Citrix services
- The Identity Awareness Gateway
The shared secret enables secure connection, so that the Identity Awareness Gateway trusts the application server with the Terminal Servers functionality.

The shared secret must be eight characters long and contain each of these:
- at least one digit
- at least one lowercase character
- at least one uppercase character
- no more than three consecutive digits
In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., you can automatically generate a shared secret that matches these conditions.
On the Identity Awareness Gateway
Connect with SmartConsole to the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that manages this Identity Awareness Gateway.

From the left navigation panel, click Gateways & Servers.

Double-click the Identity Awareness Gateway object.

In the left tree, click the Identity Awareness page.

Select Terminal Servers and click Settings.

The Terminal Servers window opens.

Configure the shared secret automatically or manually.

To configure the shared secret automatically:

Click Generate to get a shared secret automatically that matches the string conditions.

The generated password appears in the Pre-shared secret file.

To configure the shared secret manually:

Enter a password that matches the conditions in the Pre-shared secret field.

Note the strength of the password in the Indicator.
On the Terminal Server
Open the Identity Agent.

In the Overview section, click Multi User Host Settings.

In Identity Server Shared Secret, enter the shared secret string.

Click Save.
Configure Identity Agent Accessibility in the Identity Awareness Gateway object.
Steps
1. The Terminal Servers window is still open.
2. In the Accessibility section, click Edit.
  
  The Accessibility window opens.
  
  Select to which interfaces on the Identity Awareness Gateway the Identity Agent can connect.
  
  Available options are based on the topology configured for the Identity Awareness Gateway interfaces:
  
  Available options are based on the topology configured for the Identity Awareness Gateway interfaces:
  - Through all interfaces
    
    Identity Clients can connect to the Identity Awareness Gateway through all interfaces that an administrator configured in the Identity Awareness Gateway object (regardless of their Topology settings).
  - Through internal interfaces
    
    Identity Clients can connect to the Identity Awareness Gateway through internal interfaces only.
    
    Including undefined internal interfaces
    
    Identity Clients can connect to the Identity Awareness Gateway through all interfaces that the administrator configured in this way in the Identity Awareness Gateway object:
    
    From the left tree, click Network Management.
    
    Right-click an interface and click Edit.
    
    In the Topology section, click Modify.
    
    In the Leads To section, select Override > select This Network (Internal) > select Not defined.
    
    Click OK.
    
    Including DMZ internal interfaces
    
    Identity Clients can connect to the Identity Awareness Gateway through interfaces that the administrator configured in this way in the Identity Awareness Gateway object:
    
    From the left tree, click Network Management.
    
    Right-click an interface and click Edit.
    
    In the Topology section, click Modify.
    
    In the Leads To section, select Override > select the applicable option > select Interface leads to DMZ.
    
    Click OK.
    
    Including VPN encrypted interfaces
    
    Identity Clients can connect to the Identity Awareness Gateway through interfaces used for establishing route-based VPN tunnels (VTIs).
  - According to the Firewall policy
    
    Select this option to control the access with Access Control rules.
3. Click OK to close the Accessibility window.

Configure Identity Agent Authentication Settings.

Steps

The Identity Awareness Gateway separately saves the authentication settings for different Identity Clients. This lets the administrator configure different authentication settings for different Identity Clients.

In the Terminal Servers window > Authentication Settings section, click Edit.

The User Directories window opens.

Select the applicable option.

Note - Terminal Server Identity Agent (MUH) works only with Microsoft Active Directory as a user-directory server.

To work with a specific Active Directory server

Select Specific.
Click the green [+] icon > select the applicable existing LDAP Account Unit object.
Click OK to close the User Directories window.
Click OK to close the Terminal Servers window.
Configure the Account Units Query settings in the Identity Awareness Gateway object:
1. In the left tree, expand Other.
2. Click the User Directory page.
3. In the User Directories section, select Selected User Directories list.
4. Click Add.
5. Select the same LDAP Account Unit object that you selected earlier the Terminal Servers > User Directories window.

Click OK to close the Check Point Gateway window.

Install the Access Control Policy on the Identity Awareness Gateway.

Best Practice - After you finish the configuration procedure, it is highly recommended to reboot the Terminal Server. After you finish installation, Identity Agent for a Terminal Server identifies and enforces policy for all new connections. When you reboot the Terminal Server, you terminate all connections that started before Identity Agent for a Terminal Server was installed. After the reboot, Identity Agent for a Terminal Server identifies and enforces policy for all connections.