Identity Agent for a User Endpoint Computer - Server Discovery and Server Trust

To connect to an Identity Awareness Gateway, the Identity Agent must discover it and trust it.

The discovery is the process the Identity Agent uses when it decides to connect to an Identity Awareness Gateway (server).

Server trust is the process the Identity Agent uses to validate that the end user connects to a genuine server. In addition, it makes sure that the connection between the client and the server is not breached by a Man-In-The-Middle (MITM) attack.

The trust process compares the server fingerprint calculated during the SSL handshake with the expected fingerprint. If the client does not have the expected fingerprint configured, the trust process asks the user to verify the fingerprint manually. This section describes how the trust process can recognize the fingerprint without user intervention.
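The decision the trust process makes can be written down as a small piece of logic. The following Python is an added example, not Check Point's client code: it computes a digest of a constructed byte string standing in for the server certificate (the page does not state which hash algorithm the product uses, so SHA-1 is only a stand-in), normalizes the fingerprint format an administrator might paste, compares in constant time, and returns one of three outcomes: trusted, mismatch, or ask-user when no expected fingerprint is configured for that server.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the DER-encoded certificate a server presents during the
# TLS handshake. It is not a real certificate; only its bytes matter here.
SAMPLE_SERVER_CERT_DER = b"constructed DER bytes standing in for the US-GW1 server certificate"


def fingerprint(cert_der: bytes, algorithm: str = "sha1") -> str:
    """Return the certificate fingerprint as upper-case, colon-separated hex.

    Assumption: the fingerprint is a digest of the DER certificate. The page does
    not state the algorithm; SHA-1 is a stand-in and any hashlib name is accepted.
    """
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonicalize a fingerprint that was pasted or typed by hand:
    drop colons, spaces and dashes, and fold to upper case."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprint_matches(cert_der: bytes, expected: str, algorithm: str = "sha1") -> bool:
    """Compare in constant time so the check does not leak how many leading
    characters matched through timing."""
    return hmac.compare_digest(normalize(fingerprint(cert_der, algorithm)), normalize(expected))


def trust_decision(server: str, cert_der: bytes, trusted: dict) -> str:
    """Reproduce the decision the text describes.

    trusted maps a server name or address to its expected fingerprint.
      expected fingerprint present and matching  -> "trusted"  (connect, no pop-up)
      expected fingerprint present but different -> "mismatch" (caller should refuse)
      no expected fingerprint for this server    -> "ask-user" (manual verification)
    """
    expected = trusted.get(server)
    if expected is None:
        return "ask-user"
    if fingerprint_matches(cert_der, expected):
        return "trusted"
    return "mismatch"


if __name__ == "__main__":
    trusted_gateways = {"US-GW1": fingerprint(SAMPLE_SERVER_CERT_DER)}
    print(trust_decision("US-GW1", SAMPLE_SERVER_CERT_DER, trusted_gateways))    # trusted
    print(trust_decision("US-GW1", b"a different certificate", trusted_gateways))  # mismatch
    print(trust_decision("UK-GW2", SAMPLE_SERVER_CERT_DER, trusted_gateways))    # ask-user
```

The "mismatch" outcome is the case the text's MITM remark is about: a configured fingerprint that does not match the one seen in the handshake should never fall back to a user prompt, because a user cannot tell a rotated certificate from an interposed one.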

Discovery and Trust Options

These are the configuration options for the client to discover and trust a server:

| Discovery and Trust Method | Description |
|---|---|
| Based on Identity Agent File Name | If no other method is configured (the out-of-the-box situation), the Identity Agent downloaded from the Captive Portal is renamed to include the Captive Portal computer IP address in its name. During installation, the Identity Agent uses this IP address for the Identity Awareness Gateway. Users manually accept the server in the Trust window. |
| Based on Active Directory Membership | If the Identity Agent computers are members of an Active Directory domain, configure the server IP addresses and trust data with the Identity Agent Distributed Configuration Tool (installed as a part of the Identity Agent). Note - You must have administrative access to this Active Directory domain to allow automatic creation of new LDAP keys and writing. |
| Based on DNS SRV record | Configure the Identity Awareness Gateway's addresses on the DNS server. Users manually accept the server in the Trust window. Note - This is the only server discovery method for the macOS Identity Agent. |
| Based on Remote Registry | All client configurations, including Identity Server IP addresses and trust data, are in the Windows OS Registry. Configure these values before installing the client (by GPO, or another method that lets you remotely control the Windows registry). The Identity Agent uses the data immediately. |
| Prepackaging Custom Identity Agents (see Creating Custom Identity Clients) | Create a custom version of the Identity Agent installation that comes with the Identity Awareness Gateway. |

General Overview

| Server Discovery | Must Have AD | Manual User Trust Necessary? | Multi-Site | Client Remains Signed? | Allows Ongoing Changes | Level | Recommended for... |
|---|---|---|---|---|---|---|---|
| Based on Identity Agent File Name | No | Yes | No | Yes | No | Very Simple | Environment with single Security Gateway |
| Based on Active Directory Membership | Yes | No | Yes | Yes | Yes | Simple | Environment where you can change AD settings |
| Based on DNS SRV record | No | Yes | Partially (per DNS server) | Yes | Yes | Simple | Environment with AD where you cannot change AD settings (or without AD), but can change the DNS settings |
| Based on Remote Registry | No | No | Yes | Yes | Yes | Moderate | Environment where remote registry is used for other purposes |
| Pre-packaging | No | No | Yes | No | No | Advanced | Environment where you cannot change AD and DNS settings, with more than one Security Gateway |

Server Discovery Based on an Identity Agent File Name

This option is the easiest to configure, and works by default if Captive Portal is configured in addition to the Identity Awareness Gateway. This configuration is suitable for an environment that meets these criteria:

  • There is one Identity Awareness Gateway.

  • Captive Portal and Identity Awareness run on the same Security Gateway.

  • It is acceptable for new users to verify the server fingerprint once to establish trust.

How does it work?

When a user downloads the Identity Agent client from the Captive Portal, the address of the Identity Awareness Gateway is added to the file name. During the installation sequence, the client checks if there is any other discovery method configured (Pre-packaged, AD-based, DNS-based or local registry). If no discovery method is configured, the Identity Agent connects to the Identity Awareness Gateway.

Why can't this method be used for trust data?

Because the file name can be changed, we cannot be sure that an attacker did not modify it along the way. Therefore, data passed in the file name cannot be treated as authentic, and the trust data must be verified by another means.

Server Discovery Based on Active Directory Membership

If endpoint computers are members of an Active Directory domain, and you have administrative access to this domain, you can use the Identity Agent Distributed Configuration Tool to configure connectivity and trust rules for the Identity Agent. This tool is installed as a part of the Identity Agent.

Notes:

The Identity Agent Distributed Configuration Tool has three panes:

  • Welcome - This pane describes the tool and lets you enter alternate credentials that you use to access the AD.

  • Server Configuration - This pane lets you configure to which Identity Awareness Gateway the Identity Agent should connect, depending on the IPv4 / IPv6 address that is configured on the endpoint computer, or on its AD Site.

  • Trusted Gateways - This pane lets you view and change the list of fingerprints of Identity Awareness Gateways, which the Identity Agent considers secure.

Note - The complete configuration is in the Active Directory database, under the Program Data branch in a hive named Check Point. The first run of the tool adds this hive. This hive has no effect on other AD-based applications or features.

Server Configuration Rules

The Identity Agent fetches the configured rule lists from the Active Directory database. When the Identity Agent connects to an Identity Awareness Gateway, it matches against the rules, from top to bottom.

When the Identity Agent matches a rule, it uses the Identity Awareness Gateways configured in this rule based on the specified priority.

For example, this configuration means:

  • If the user's computer is configured with the IPv4 address 192.168.0.1 / 24, then the Identity Agent needs to connect to the Identity Awareness Gateway "US-GW1".

    If the gateway "US-GW1" is not available, then the Identity Agent needs to connect to the Identity Awareness Gateway "BAK-GS2" (this applies only when "US-GW1" is not available, because "US-GW1" has the higher priority).

  • If the user connects from the Active Directory site "UK-SITE", then the Identity Agent needs to connect to Identity Awareness Gateway "US-GW1", or to Identity Awareness Gateway "UK-GW2". The Identity Agent selects between these gateways randomly, because they both have the same priority.

    If both of these gateways are not available, then the Identity Agent needs to connect to the Identity Awareness Gateway "BAK-GS2".

  • The default rule is that the Identity Agent needs to connect to Identity Awareness Gateway "BAK-GS2" (the default rule is always matched when it is encountered).
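The matching described above (top-to-bottom rule evaluation, gateways ordered by priority, random choice among equal priorities, fallback when a gateway is down) can be reproduced in a few lines. The following Python is an added example, not the Distributed Configuration Tool's logic: the rule list is constructed to mirror the example above, and it assumes that the IPv4 condition matches the client's subnet and that a lower priority number means the gateway is tried first.

```python
import ipaddress
import random

# Constructed rule list mirroring the example in the text. Rules are matched top to
# bottom; the last rule has no condition and acts as the default. Assumptions:
# the IPv4 condition matches the client's subnet, and a lower number means a
# higher priority (1 is tried before 2).
RULES = [
    {"match": {"ipv4": "192.168.0.1/24"},
     "gateways": [("US-GW1", 1), ("BAK-GS2", 2)]},
    {"match": {"ad_site": "UK-SITE"},
     "gateways": [("US-GW1", 1), ("UK-GW2", 1), ("BAK-GS2", 2)]},
    {"match": {},
     "gateways": [("BAK-GS2", 1)]},
]


def rule_matches(rule, client_ip, ad_site):
    """A rule with no condition always matches (the default rule)."""
    cond = rule["match"]
    if not cond:
        return True
    if "ipv4" in cond:
        network = ipaddress.ip_network(cond["ipv4"], strict=False)
        return ipaddress.ip_address(client_ip) in network
    if "ad_site" in cond:
        return cond["ad_site"] == ad_site
    return False


def first_matching_rule(rules, client_ip, ad_site):
    """Top-to-bottom evaluation: the first rule whose condition holds wins."""
    for rule in rules:
        if rule_matches(rule, client_ip, ad_site):
            return rule
    return None


def candidate_order(gateways, available, seed=None):
    """Order the rule's gateways as the text describes: best priority first,
    gateways sharing a priority in random order, unavailable gateways skipped."""
    rng = random.Random(seed)
    tiers = {}
    for name, prio in gateways:
        if name in available:
            tiers.setdefault(prio, []).append(name)
    order = []
    for prio in sorted(tiers):
        tier = list(tiers[prio])
        rng.shuffle(tier)
        order.extend(tier)
    return order


def select_gateway(rules, client_ip, ad_site, available, seed=None):
    """Return the gateway the agent should try first, or None if no configured
    gateway of the matching rule is reachable."""
    rule = first_matching_rule(rules, client_ip, ad_site)
    if rule is None:
        return None
    order = candidate_order(rule["gateways"], available, seed)
    return order[0] if order else None


if __name__ == "__main__":
    up = {"US-GW1", "UK-GW2", "BAK-GS2"}
    print(select_gateway(RULES, "192.168.0.77", "US-SITE", up))           # US-GW1
    print(select_gateway(RULES, "192.168.0.77", "US-SITE", {"BAK-GS2"}))  # BAK-GS2
    print(select_gateway(RULES, "10.1.1.1", "UK-SITE", up))               # US-GW1 or UK-GW2
    print(select_gateway(RULES, "10.1.1.1", "OTHER-SITE", up))            # BAK-GS2
```

Note that an IPv6 client address never matches the IPv4 rule (the `in` test is false across address families), so such a client falls through to the site rule or the default, which is the behaviour you want from a rule list that is read top to bottom.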

Trusted Gateways

The Trusted Gateways pane shows the list of Identity Awareness Security Gateways considered trusted. When the Identity Agent starts to connect to these Identity Awareness Security Gateways, no pop-up windows open.

You can add, edit or delete a server. If you have a connection to the Identity Awareness Security Gateway, enter its address and click Fetch Fingerprint to get the name and fingerprint. If not, enter the same name and fingerprint that appear when you connect to this Identity Awareness Security Gateway.

Server Discovery Based on a DNS SRV Record

If you configure the client to "Automatic Discovery" (the default), it looks for a server by issuing a DNS SRV query for the address "CHECKPOINT_NAC_SERVER._tcp" (the DNS suffix is added automatically). You can configure the address in the DNS server.

On the DNS server (the example is for Windows Server 2003; for more information, see the official Microsoft documentation):

  1. Go to Start > All Programs > Administrative Tools > DNS.

  2. Go to Forward lookup zones and select the applicable domain.

  3. Go to the _tcp subdomain.

  4. Right-click and select Other new record.

  5. Select Service Location, Create Record.

  6. In the Service field, enter CHECKPOINT_NAC_SERVER.

  7. Set the Port number to 443.

  8. In Host offering this service, enter the address of the Identity Awareness Gateway.

  9. Click OK.

Notes

  • To configure Identity Awareness Load Sharing, create several SRV records with the same priority. To configure Identity Awareness High Availability, create several SRV records with different priorities.

  • If you configure both the AD-based and the DNS-based configuration, the results are combined based on the specified priority (from the lowest to the highest).
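To see how the priority and weight fields of the SRV records translate into Load Sharing and High Availability, the following Python is an added example, not part of the Identity Agent: it parses a constructed answer to the CHECKPOINT_NAC_SERVER._tcp query (host names and the example.com suffix are placeholders), groups the records into priority tiers, and orders the targets within a tier by the weighted selection of RFC 2782. It generalizes the page's notes to weights as well as priorities.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed answer to the SRV query the text describes, in zone-file form:
# name TTL IN SRV priority weight port target. Host names and the example.com
# suffix are placeholders. Two records share priority 10 (Load Sharing); the
# third has priority 20 (High Availability fallback).
SRV_ANSWERS = """
CHECKPOINT_NAC_SERVER._tcp.example.com. 3600 IN SRV 10 50 443 us-gw1.example.com.
CHECKPOINT_NAC_SERVER._tcp.example.com. 3600 IN SRV 10 50 443 uk-gw2.example.com.
CHECKPOINT_NAC_SERVER._tcp.example.com. 3600 IN SRV 20 0 443 bak-gs2.example.com.
"""


def parse_srv_answers(text):
    """Parse zone-file style SRV lines into records; unrelated lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3].upper() != "SRV":
            continue
        priority, weight, port = (int(f) for f in fields[4:7])
        records.append(SrvRecord(priority, weight, port, fields[7].rstrip(".")))
    return records


def priority_tiers(records):
    """Group records by priority, lowest value first. Each tier is a Load Sharing
    group; the sequence of tiers is the High Availability fallback order."""
    tiers = {}
    for rec in records:
        tiers.setdefault(rec.priority, []).append(rec)
    return [tiers[p] for p in sorted(tiers)]


def weighted_order(tier, rng):
    """RFC 2782 weighted selection without replacement within one priority tier."""
    remaining = list(tier)
    order = []
    while remaining:
        total = sum(r.weight for r in remaining)
        pick = rng.randint(0, total) if total else 0
        running = 0
        for rec in remaining:
            running += rec.weight
            if running >= pick:
                order.append(rec)
                remaining.remove(rec)
                break
    return order


def connection_order(records, seed=None):
    """Targets in the order the client should try them: all of the best tier
    (weighted, random order) before any record of the next tier."""
    rng = random.Random(seed)
    return [rec.target for tier in priority_tiers(records) for rec in weighted_order(tier, rng)]


if __name__ == "__main__":
    recs = parse_srv_answers(SRV_ANSWERS)
    for tier in priority_tiers(recs):
        print([f"{r.target}:{r.port}" for r in tier])
    print(connection_order(recs))
```

Run this a few times without a seed and the first two targets swap order while bak-gs2 always stays last; that is exactly the Load Sharing inside a priority and the High Availability between priorities that the notes describe.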

Server Discovery Based on Remote Registry

If you have another way to configure registry entries to your client computers (such as Active Directory GPO updates), you can configure the Identity Awareness Gateway addresses and trust parameters before you install the clients. Clients use the new settings immediately after installation.

To use the remote registry option:

  1. Install the client on a computer. Make sure it is installed in the same mode on all computers.

    The full Identity Agent installs itself to your Program Files directory and saves its configuration to HKEY_LOCAL_MACHINE.

    The light Identity Agent installs itself to the Users directory and saves its configuration to HKEY_CURRENT_USER.

  2. Connect manually to all of the servers that are configured, verify their fingerprints, and click Trust in the fingerprint verification window.

  3. In the client Settings window, configure it to connect to the requested servers.

    If you let the client select a server depending on its location, click Advanced (see Server Discovery Based on Active Directory Membership).

  4. Export these registry keys (from HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER, based on the client type installed):

    1. The whole tree:

      SOFTWARE\CheckPoint\IA\TrustedGateway.

    2. The "IA" branch:

      • 32-bit:

        SOFTWARE\CheckPoint\IA\

      • 64-bit:

        SOFTWARE\Wow6432Node\Checkpoint\IA

      Parameters:

      • Default Gateway

      • DefaultGatewayEnabled

      • PredefinedPDPConnRBUsed

      • PredefinedPDPConnectRuleBase

  5. Configure the exported keys on the workstations before you install the client on them.
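Before the exported keys are pushed by GPO, it is worth checking that the export actually contains everything the procedure above produced, because a rollout that misses the TrustedGateway tree leaves every client prompting its user for trust. The following Python is an added example, not a Check Point tool: it parses a constructed .reg export and reports what would block a rollout. The key paths and value names are the ones listed above; the data types, the gateway host name and the "Fingerprint" value under the trusted gateway entry are assumptions made for the example, not the product's on-disk format.

```python
import re

# Value names under the "IA" branch, as listed in the procedure above.
REQUIRED_IA_VALUES = {
    "Default Gateway",
    "DefaultGatewayEnabled",
    "PredefinedPDPConnRBUsed",
    "PredefinedPDPConnectRuleBase",
}

# Constructed .reg export. Key paths follow the procedure; the value data types,
# the host name and the "Fingerprint" value name are assumptions for this example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA]
"Default Gateway"="us-gw1.example.com"
"DefaultGatewayEnabled"=dword:00000001
"PredefinedPDPConnRBUsed"=dword:00000000
"PredefinedPDPConnectRuleBase"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\TrustedGateway]

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\TrustedGateway\us-gw1.example.com]
"Fingerprint"="<fingerprint copied from the Trust window>"
"""


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} for a .reg file."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if match and current is not None:
            keys[current][match.group(1)] = match.group(2)
    return keys


def check_export(text, client_type):
    """Findings that should block a rollout. client_type is "full" (configuration
    in HKEY_LOCAL_MACHINE) or "light" (HKEY_CURRENT_USER), as step 1 states."""
    hive = {"full": "HKEY_LOCAL_MACHINE", "light": "HKEY_CURRENT_USER"}[client_type]
    keys = parse_reg(text)
    findings = []
    wrong_hive = [k for k in keys if not k.upper().startswith(hive + "\\")]
    if wrong_hive:
        findings.append(f"keys outside {hive}: {wrong_hive}")
    # Matches both SOFTWARE\CheckPoint\IA and SOFTWARE\Wow6432Node\Checkpoint\IA.
    ia_keys = [k for k in keys if re.search(r"\\CHECKPOINT\\IA$", k.upper())]
    if not ia_keys:
        findings.append("no IA branch in export")
    for key in ia_keys:
        missing = REQUIRED_IA_VALUES - set(keys[key])
        if missing:
            findings.append(f"{key} is missing {sorted(missing)}")
    if not any("\\IA\\TRUSTEDGATEWAY\\" in k.upper() for k in keys):
        findings.append("TrustedGateway tree has no entries: clients would prompt users")
    return findings


if __name__ == "__main__":
    print(check_export(SAMPLE_REG_EXPORT, "full"))   # [] when the export is complete
    print(check_export(SAMPLE_REG_EXPORT, "light"))  # hive mismatch for a Light agent
```

The hive check catches the mistake the procedure warns about in step 1: an export taken from a Full agent (HKEY_LOCAL_MACHINE) will not configure Light agents, whose settings live under HKEY_CURRENT_USER.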