Identity Agent for a Terminal Server - Configuring as Identity Source
Configuring an Identity Agent for a Terminal Server
Install an Identity Agent for Terminal Servers
Install this agent on the application server that hosts the Terminal/Citrix services after you enable the Terminal Servers identity source in the Identity Awareness Gateway object and install the Access Control Policy.
Note - To install an Identity Agent for a Terminal Server, you must have administrator privileges for the Terminal Server.
After the agent is installed, non-admin users can access the Controller of the agent, but only in read-only mode.
- Download the Terminal Server Identity Agent from sk134312.
  Important - Terminal Server Identity Agent Version 2 (Multi-User Host (MUH) v2) is a new installation. It is not an upgrade.
  To uninstall Terminal Server Identity Agent Version 1 and install Terminal Server Identity Agent Version 2 (MUH v2):
  - Uninstall Terminal Server Identity Agent (Version 1).
  - Reboot your computer.
  - Enter the new preshared key for the new Terminal Server Identity Agent (Version 2).
  - Reboot your computer.
- Make sure you open the link from a location defined in the Accessibility section:
  Identity Awareness Gateway object properties > Identity Awareness page > near Terminal Servers, click Settings > in the Accessibility section, click Edit.
Configure the Shared Secret
You must configure the same password as a shared secret in the Terminal Servers Identity Agent in these places:
- The application server that hosts the Terminal/Citrix services
- The Identity Awareness Gateway
The shared secret enables a secure connection, so that the Identity Awareness Gateway trusts the application server with the Terminal Servers functionality.
The shared secret must be eight characters long and contain each of these:
- at least one digit
- at least one lowercase character
- at least one uppercase character
- no more than three consecutive digits
In SmartConsole, you can automatically generate a shared secret that matches these conditions.
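The rules above are easy to get wrong by hand, so the following Python script is added here as an example (it is not Check Point's own generator or validator). It checks a candidate shared secret against the four rules listed on this page and draws a compliant one from a CSPRNG. Two assumptions are built in: "eight characters long" is taken literally as exactly eight characters, as the page states (confirm in SmartConsole whether your version also accepts longer values), and the character set is restricted to ASCII letters and digits.

```python
import re
import secrets
import string

# Rules this page lists for the Terminal Servers Identity Agent shared secret.
# The page says "eight characters long", which is taken literally here (exactly
# eight); confirm in SmartConsole whether your version also accepts longer values.
LENGTH = 8
# A run of four digits is the smallest violation of "no more than three consecutive digits".
_DIGIT_RUN = re.compile(r"[0-9]{4}")

# Restricting the alphabet to ASCII letters and digits is an assumption of this
# example, not a rule stated on the page.
_ALPHABET = string.ascii_letters + string.digits


def validate_shared_secret(secret: str) -> list[str]:
    """Return the rules the secret violates; an empty list means it is acceptable."""
    problems = []
    if len(secret) != LENGTH:
        problems.append(f"must be exactly {LENGTH} characters long (got {len(secret)})")
    if not any(c in string.digits for c in secret):
        problems.append("must contain at least one digit")
    if not any(c in string.ascii_lowercase for c in secret):
        problems.append("must contain at least one lowercase character")
    if not any(c in string.ascii_uppercase for c in secret):
        problems.append("must contain at least one uppercase character")
    if _DIGIT_RUN.search(secret):
        problems.append("must not contain more than three consecutive digits")
    return problems


def generate_shared_secret() -> str:
    """Draw random candidates from a CSPRNG until one satisfies every rule.

    Roughly three out of four uniformly random eight-character candidates pass,
    so the loop ends almost immediately.
    """
    while True:
        candidate = "".join(secrets.choice(_ALPHABET) for _ in range(LENGTH))
        if not validate_shared_secret(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed samples: a valid secret, one with no uppercase, one with a six-digit run.
    for sample in ("Ab1cdefg", "abcdefg1", "Ab123456"):
        print(sample, validate_shared_secret(sample) or "OK")
    print("generated:", generate_shared_secret())
```

The same string must be entered in the Pre-shared secret field on the Identity Awareness Gateway and in Identity Server Shared Secret on the Terminal Server; it is what lets the gateway trust the identities the agent reports, so store and transfer it as you would any other credential rather than leaving it in a script or shell history.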
On the Identity Awareness Gateway:
- Connect with SmartConsole to the Management Server that manages this Identity Awareness Gateway.
- From the left navigation panel, click Gateways & Servers.
- Open the Identity Awareness Gateway object.
- In the left tree, click the Identity Awareness page.
- Select Terminal Servers and click Settings.
  The Terminal Servers window opens.
- Configure the shared secret automatically or manually.
  - To configure the shared secret automatically:
    Click Generate to get a shared secret automatically that matches the string conditions.
    The generated password appears in the Pre-shared secret field.
  - To configure the shared secret manually:
    Enter a password that matches the conditions in the Pre-shared secret field.
    Note the strength of the password in the Indicator.
On the Terminal Server:
- Open the Identity Agent.
- In the Overview section, click Multi User Host Settings.
- In Identity Server Shared Secret, enter the shared secret string.
- Click Save.
Configure Identity Agent Accessibility in the Identity Awareness Gateway object
- The Terminal Servers window is still open.
- In the Accessibility section, click Edit.
  The Accessibility window opens.
  Select to which interfaces on the Identity Awareness Gateway the Identity Agent can connect.
  Available options are based on the topology configured for the Identity Awareness Gateway interfaces:
  - Through all interfaces
    Identity Clients can connect to the Identity Awareness Gateway through all interfaces that an administrator configured in the Identity Awareness Gateway object (regardless of their Topology settings).
  - Through internal interfaces
    Identity Clients can connect to the Identity Awareness Gateway through internal interfaces only.
    - Including undefined internal interfaces
      Identity Clients can connect to the Identity Awareness Gateway through all interfaces that the administrator configured in this way in the Identity Awareness Gateway object:
      - From the left tree, click Network Management.
      - Right-click an interface and click Edit.
      - In the Topology section, click Modify.
      - In the Leads To section, select Override > select This Network (Internal) > select Not defined.
      - Click OK.
    - Including DMZ internal interfaces
      Identity Clients can connect to the Identity Awareness Gateway through interfaces that the administrator configured in this way in the Identity Awareness Gateway object:
      - From the left tree, click Network Management.
      - Right-click an interface and click Edit.
      - In the Topology section, click Modify.
      - In the Leads To section, select Override > select the applicable option > select Interface leads to DMZ.
      - Click OK.
    - Including VPN encrypted interfaces
      Identity Clients can connect to the Identity Awareness Gateway through interfaces used for establishing route-based VPN tunnels (VTIs).
  - According to the Firewall policy
    Select this option to control the access with Access Control rules.
- Click OK to close the Accessibility window.
Configure Identity Agent Authentication Settings
The Identity Awareness Gateway separately saves the authentication settings for different Identity Clients. This lets the administrator configure different authentication settings for different Identity Clients.
- In the Terminal Servers window > Authentication Settings section, click Edit.
  The User Directories window opens.
- Select the applicable option.
  Note - Terminal Server Identity Agent (MUH) works only with Microsoft Active Directory as a user-directory server.
  To work with all Active Directory servers:
  - Select All Gateway's Active Directories (Security Gateway > Other > User Directory).
  - Click OK to close the User Directories window.
  - Click OK to close the Terminal Servers window.
  - Click OK to close the Check Point Gateway window.
  - Configure the Account Units Query settings:
    - In the left tree of the Security Gateway object, click the [+] icon near the Other pane.
    - In the Account Units Query section, select All.
  - Configure the Account Units Query settings in the Identity Awareness Gateway object:
    - In the left tree, expand Other.
    - Click the User Directory page.
    - In the User Directories section, select All.
  To work with a specific Active Directory server:
  - Select Specific.
  - Click the green [+] icon > select the applicable existing LDAP Account Unit object.
  - Click OK to close the User Directories window.
  - Click OK to close the Terminal Servers window.
  - Configure the Account Units Query settings in the Identity Awareness Gateway object:
    - In the left tree, expand Other.
    - Click the User Directory page.
    - In the User Directories section, select Selected User Directories list.
    - Click Add.
    - Select the same LDAP Account Unit object that you selected earlier in the Terminal Servers > User Directories window.
- Click OK to close the Check Point Gateway window.
- Install the Access Control Policy on the Identity Awareness Gateway.
Best Practice - After you finish the configuration procedure, it is highly recommended to reboot the Terminal Server. After you finish installation, Identity Agent for a Terminal Server identifies and enforces policy for all new connections. When you reboot the Terminal Server, you terminate all connections that started before Identity Agent for a Terminal Server was installed. After the reboot, Identity Agent for a Terminal Server identifies and enforces policy for all connections.