Identity Agent for a User Endpoint Computer

There are the ways to download Identity Agents for a user endpoint computer:

It is a Best Practice to download the latest Identity Agents from sk134312.

An administrator of an Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway can force the endpoint users to download an Identity Agent Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are two types of Identity Agents - Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal - 'https://<Gateway_IP_Address>/connect' or from sk134312. from the Identity Awareness Captive Portal A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication..

Note -To force endpoint users to download a newer version of the Identity Agent, an administrator can change the file path in the Identity Awareness Gateway to the path for the new version of the Identity Agent.

The version of the Identity Agent that end users download from the Identity Awareness Captive Portal is current to the General Availability release date of the Identity Awareness Gateway. This version is not updated.

To update the version of Identity Agent that end users download

Connect to the command line of the Identity Awareness Gateway.
Download the new version of Identity Agent from sk134312.
Use a file manager (example: WinSCP) to replace the file in this location:

/opt/CPNacPortal/htdocs/nac/nacclients
To make sure the file has permissions configured to allow end users to download it, run:

chmod 644 ‘filename
Make sure that users are required to download the same type of Identity Agent that you downloaded to the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.. For example, if you downloaded Identity Agent - Full Connect with SmartConsole to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. / Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. that manages the Identity Awareness Gateway.
1. Connect with SmartConsole to the Security Management Server / Multi-Domain Server that manages the Identity Awareness Gateway.
2. From the left navigation panel, click Gateways & Servers.
3. Double-click the Identity Awareness Gateway object.
4. From the left tree, click the Identity Awareness page.
5. Select Browser-Based Authentication and click Settings.
  
  The Portal Settings window opens.
6. In the Captive Portal Settings window, below Identity Agent Deployment from the Portal, select Require users to download to make users install the Identity Agent.
  
  Make sure the selected a type of Identity Agent matches the type of Identity Agent you downloaded to the Security Gateway:
  - Identity Agent - Full
  - Identity Agent - Custom
  - Identity Agent - Light
7. Optional: To give users flexibility to choose when they install the Identity Client, select Users may defer installation until and select the latest date before users must install the Identity Client to continue to connect to the Identity Awareness Gateway. Until the selected date, the user sees a Skip Identity Client installation option in the Captive Portal.
8. If you selected a new kind of Identity Agent or made changes to Users may defer installation until:
  1. Click OK.
  2. Install the Access Control Policy.

Authentication with an Identity Agent

Item	Description
1	User that is trying to connect to the internal network
2	Identity Awareness Gateway
3	Active Directory domain controller
4	Internal network

High-level overview of the Identity Awareness authentication process

A user logs in to a computer with credentials and requests access to the Internal Data Center.

The Identity Agent connects to the Identity Awareness Gateway:

If the Identity Agent is already installed, then it connects to the Identity Awareness Gateway.
If the Identity Agent is not installed yet:
1. The Identity Awareness Gateway does not recognize the user and redirects the user to the Identity AwarenessCaptive Portal.
2. The user logs in to Captive Portal.
3. The Captive Portal shows a link to download the Identity Agent (if the Identity Awareness Gateway administrator configured so).
4. The user downloads the Identity Agent from the Captive Portal and installs it.
5. The Identity Agent connects to the Identity Awareness Gateway.

Note - If SSO with Kerberos An authentication server for Microsoft Windows Active Directory Federation Services (ADFS). is configured, the user is automatically connected.

The Identity Awareness Gateway authenticates the user.
The Identity Awareness Gateway sends the connection to its destination, based on the Access Control Policy.

Identity Agent for a User Endpoint Computer - Downloading

Authentication with an Identity Agent