Identity Agent for a User Endpoint Computer - Configuring as Identity Source
Configuring the Identity Agent Settings on the Identity Awareness Gateway
- Connect with SmartConsole to the Security Management Server / Multi-Domain Server that manages the Identity Awareness Gateway.
- From the left navigation panel, click Gateways & Servers.
- Double-click the Identity Awareness Gateway object.
- From the left tree, click the Identity Awareness page.
- In the Identity Sources section, select Identity Agents and click Settings.
  The Identity Agents Settings window opens.
- In the Identity Agents Settings window, configure the applicable settings:
Agent Access
In the Agent Access section, click Edit.
The Accessibility window opens.
Select to which interfaces on the Identity Awareness Gateway the Identity Agent can connect.
Available options are based on the topology configured for the Identity Awareness Gateway interfaces:
- Through all interfaces
  Identity Clients can connect to the Identity Awareness Gateway through all interfaces that an administrator configured in the Identity Awareness Gateway object (regardless of their Topology settings). This also exposes the agent connection point on external interfaces, so select it only when agents must connect from outside the internal networks.
- Through internal interfaces
  Identity Clients can connect to the Identity Awareness Gateway through internal interfaces only. You can extend this option with:
  - Including undefined internal interfaces
    Identity Clients can also connect through interfaces that the administrator configured in this way in the Identity Awareness Gateway object:
    - From the left tree, click Network Management.
    - Right-click an interface and click Edit.
    - In the Topology section, click Modify.
    - In the Leads To section, select Override > select This Network (Internal) > select Not defined.
    - Click OK.
  - Including DMZ internal interfaces
    Identity Clients can also connect through interfaces that the administrator configured in this way in the Identity Awareness Gateway object:
    - From the left tree, click Network Management.
    - Right-click an interface and click Edit.
    - In the Topology section, click Modify.
    - In the Leads To section, select Override > select the applicable option > select Interface leads to DMZ.
    - Click OK.
  - Including VPN encrypted interfaces
    Identity Clients can also connect through interfaces used for establishing route-based VPN tunnels (VTIs).
- According to the Firewall policy
  Select this option to control the access with Access Control rules.
Authentication Settings
In the Authentication Settings section, click Settings.
The Identity Awareness Gateway separately saves the authentication settings for different Identity Clients. This lets the administrator configure different authentication settings for different Identity Clients.
The configuration options are:
- Authentication Method
  This section controls how the Identity Awareness Gateway must authenticate users.
  - Defined on user record (Legacy Authentication)
    The Identity Awareness Gateway takes the authentication method from Gateway Object Properties > Other > Legacy Authentication.
  - Username and password
    You can configure this internally or on an LDAP server.
    To get usernames and passwords from a Terminal Server, see the Identity Awareness Administration Guide for your version > Chapter "Identity Awareness Use Cases" > Section "Getting Identities in a Terminal Server Environment".
    To get usernames and passwords from an LDAP server, see the Identity Awareness Administration Guide for your version > Chapter "Configuring Identity Sources" > Section "Configuring AD Query".
  - RADIUS
    The Identity Awareness Gateway gets the authentication information from a configured RADIUS server.
    Select the server from the list.
    To configure a RADIUS server, see the Identity Awareness Administration Guide for your version > Chapter "Configuring Identity Sources" > Section "Configuring RADIUS Accounting".
- Users Directories
  This section controls where the Identity Awareness Gateway searches for users when they begin to authenticate.
  All user directory options are selected by default. To improve Identity Awareness Gateway performance, select only those directories from which the users authenticate.
  Users with the same username in more than one directory must log in with domain\user.
  - Internal users - The directory of internal users.
  - Users from external directories
    - All Gateway's Directories - All external directories from which the Identity Awareness Gateway pulls identities.
    - Specific - Users from one or more external directories. To add an external directory, click the + button. In the window that opens, search for and select the external directory and click OK.
  - External user profiles - The directory of users who have external user profiles.
Session
This section controls the Identity Agent session.
- Agents send keepalive every X minutes
  The interval at which the Identity Client sends a keepalive signal to the Identity Awareness Gateway.
  The keepalive signal is a message to the server that the user is not logged out.
  Lower values increase the number of these keepalive packets on your network. Higher values make the gateway keep a user's identity longer after the endpoint stops sending keepalives (for example, after it is powered off or moves to another network), because the gateway learns of the missing keepalive only when the next one is due.
- Users should re-authenticate every X minutes
  The interval during which users have access to the network resources before they must authenticate again.
  Not applicable if you use SSO.
- Allow user to save password
  When SSO is disabled, you can let users save the passwords they enter in the Identity Agent login window. A saved password is stored on the endpoint, so enable this only where the endpoint is adequately protected.
Agent Upgrades
This section controls how the Identity Awareness Gateway enforces the upgrade of Identity Agents.
Note - When you install or upgrade the Full Identity Agent version, the user loses connectivity for a moment.
- Check agent upgrades for
  You can select All Users or select specific user groups.
  To select specific user groups, click the + button and select the specific group object. You can search for configured user groups.
- Upgrade only non-compatible versions
  The Identity Agent only checks for upgrades when its version is no longer compatible with the Identity Awareness Gateway.
- Keep agents settings after upgrade
  Keeps settings that users made in the Identity Agent before the upgrade.
- Upgrade agents silently (without user intervention)
  The Identity Agent automatically updates in the background, with no user confirmation for the upgrade.
- Click OK to close the Check Point Gateway window.
- Install the Access Control Policy on the Identity Awareness Gateway.
Configuring an Identity Agent Environment
It is possible to configure an Identity Agent environment in these ways:
- From Captive Portal
  You can tell users to download the Identity Agent from the Captive Portal. In addition, you can let users defer the installation until a specified later date. During installation, the Identity Agent automatically detects whether the installing user has administrator permissions on the computer, and installs itself accordingly.
  Notes
  - When you configure the Full Identity Agent, the user that installs the client must have administrator privileges on the computer. If the user does not have administrator privileges, the Light Identity Agent is installed instead.
  - When users authenticate with the transparent portal, the download link does not show. Users must install the agent from the distribution media.
Procedures:
Configuring an Identity Agent Environment from Captive Portal
- Connect with SmartConsole to the Security Management Server / Multi-Domain Server that manages the Identity Awareness Gateway.
- From the left navigation panel, click Gateways & Servers.
- Double-click the Identity Awareness Gateway object.
- From the left tree, click the Identity Awareness page.
- Select Browser-Based Authentication and click Settings.
  The Portal Settings window opens.
- In the Portal Settings window, below Identity Agent Deployment from the Portal, select Require users to download to make users install the Identity Agent.
  Select a type of Identity Agent for users to install:
  - Identity Agent - Full
  - Identity Agent - Custom
  - Identity Agent - Light
- Optional: To give users flexibility to choose when they install the Identity Client, select Users may defer installation until and select the latest date before which users must install the Identity Client to continue to connect to the Identity Awareness Gateway. Until the selected date, the user sees a Skip Identity Client installation option in the Captive Portal.
- Click OK.
- Install the Access Control Policy.
Configuring an Identity Agent Environment for a User Group
When necessary, you can configure specific groups of users to download the Identity Agent.
Use Case: A group of mobile users needs to stay connected as they move between mobile networks.
- Connect with SmartConsole to the Security Management Server / Multi-Domain Server that manages the Identity Awareness Gateway.
- From the left navigation panel, click Gateways & Servers.
- Double-click the Identity Awareness Gateway object.
- From the left tree, click the Identity Awareness page.
- Select Browser-Based Authentication and click Settings.
  The Portal Settings window opens.
- In the Users Access section, select Name and password login and click Settings.
  The Name And Password Login Settings window opens.
- Select Adjust portal settings for specific user groups.
  You can add user groups and configure settings for them that differ from the settings for other users.
  Settings you configure here for a user group override the settings you configure elsewhere in the Portal Settings window.
  You can configure these options for each user group:
  - Whether they must accept a user agreement.
  - Whether they must download the Identity Client, and which one.
  - Whether they can defer the Identity Client installation, and until when.
- Click OK.
- Install the Access Control Policy.
- With the Identity Agent Distributed Configuration Tool
  You can configure the Identity Agent with distribution software. You can download the Identity Agent (Full Agent and Light Agent) from sk134312.
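The following script is an added example, not part of this guide and not Check Point's own tooling. It shows the checks a practitioner would wrap around a push of the Identity Agent package through distribution software: verify the package's Authenticode signature and signer before installing anything, check whether the installing account has administrator rights (the Full Identity Agent needs them; without them the Light agent is installed instead, as noted above), and run the installer silently with a verbose log. The package file name and path, the log path, the expected signer name, and the assumption that the package is an MSI are all assumptions made for illustration; the installed agent type and any install-time parameters come from the package you downloaded from sk134312.

```powershell
# Added example (not Check Point code). Pre-deployment checks and a silent install
# of an Identity Agent package. All paths and the signer name below are assumptions.
param(
    [string]$PackagePath    = 'C:\Deploy\IdentityAgent.msi',                  # assumed file name
    [string]$ExpectedSigner = 'Check Point Software Technologies Ltd.',       # assumed certificate subject CN
    [string]$LogPath        = 'C:\Deploy\IdentityAgent-install.log'           # assumed log location
)

function Test-IsAdministrator {
    # The Full Identity Agent requires administrator rights; without them the
    # installer falls back to the Light agent.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-PackageSignature {
    param([string]$Path, [string]$Signer)
    # Refuse to deploy a package whose Authenticode signature is missing, broken,
    # or issued to a subject other than the one we expect.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Error "Signature status for $Path is $($sig.Status)"
        return $false
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*CN=$Signer*") {
        Write-Error "Unexpected signer for $Path : $subject"
        return $false
    }
    return $true
}

function Install-IdentityAgentPackage {
    param([string]$Path, [string]$Log)
    # /qn = no UI, /norestart = do not reboot on the installer's behalf, /l*v = verbose log.
    # msiexec exit codes: 0 = success, 3010 = success but a reboot is required.
    $msiArgs = "/i `"$Path`" /qn /norestart /l*v `"$Log`""
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

if (-not (Test-Path -Path $PackagePath)) { throw "Package not found: $PackagePath" }
if (-not (Test-PackageSignature -Path $PackagePath -Signer $ExpectedSigner)) { exit 1 }

if (-not (Test-IsAdministrator)) {
    Write-Warning 'Not running as administrator: a Full Identity Agent package would install the Light agent instead.'
}

$code = Install-IdentityAgentPackage -Path $PackagePath -Log $LogPath
switch ($code) {
    0       { Write-Output 'Identity Agent installed.' }
    3010    { Write-Output 'Identity Agent installed; a reboot is required.' }
    default { Write-Error "msiexec exited with code $code (see $LogPath)"; exit $code }
}
```

Run it from the distribution tool's deployment context (normally SYSTEM, which passes the administrator check) with the real package path and the signer name taken from the certificate on the package you downloaded. The signature check is the part worth keeping even if you discard the rest: a mass-deployed agent that reports identities to the gateway is an attractive thing to tamper with in transit. Remember that installing or upgrading the Full Identity Agent briefly interrupts the user's connectivity, so schedule the push accordingly.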