Identity Agent for a Terminal Server

This section is an introduction to Identity Agent Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are two types of Identity Agents - Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal - 'https://<Gateway_IP_Address>/connect' or from sk134312. (a type of Identity Client) for a Microsoft Terminal Server (also known as Multi-User Host (MUH).

Identity Agent for a Terminal Server can identify user accounts that belong to an Active Directory domain, including service accounts. Identity Agent for a Terminal Server communicates with the Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway over SSL (by default, port 443).

Example Topology and Traffic Flow:

Item	Description
1	Windows Server with Identity Agent for a Terminal Server installed
2	User endpoint computers
3	Identity Awareness Gateway
4	Internal resources
5	Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.
A	Endpoint users authenticate on the Windows Server (1)
B	Endpoint user computers (2) communicate with the Identity Awareness Gateway (3)
C	Identity Agent for a Terminal Server on the Windows Server sends user and machine identities to the Identity Awareness Gateway (3)
D	Identity Awareness Gateway (3) grants or denies users access to internal resources according to the Access Control Policy
E	Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.(5) manages the Identity Awareness Gateway (3)

Comparing Terminal Server Identity Agent Versions

There are different versions of Identity Agent for Terminal Servers:

Terminal ServerIdentity Agent Version 1 (MUH v1) - Based on source ports. Supports older versions of Windows Server that MUH v2 does not support.
Terminal ServerIdentity Agent Version 2 (MUH v2) - Based on packet tagging. Supports more simultaneous users and more features than MUH v1. MUH v2 is a new installation, and is not an upgrade for MUH v1.

Aspect	Terminal Server Identity Agent Version 1 (MUH v1)	Terminal Server Identity Agent Version 2 (MUH v2)
How it Works	Based on source ports. Workflow: MUH v1 installs a TDI driver on the Terminal Server that intercepts all requests from any process that requests a new connection. When a request reaches the TDI driver, the TDI driver: Sends a query to the Terminal Server to fetch the requesting user behind this new connection Selects a source port from a pool of port ranges that MUH v1 allocates for this specific use MUH v1 communicates to the Identity Awareness Gateway how it controls the connections for each user. The Identity Awareness Gateway distinguishes between the different connection owners. Two different users have two different port range pools.	Based on packet tagging. Workflow: MUH v2 installs a WFP driver on the Terminal Server that intercepts all traffic originated by a user. When a request reaches the WFP driver, the WFP driver tags the packet from a pool of ID ranges that MUH v2 allocates this specific user. MUH v2 communicates to the Identity Awareness Gateway how it tags the packets for each user. The Identity Awareness Gateway distinguishes between the different packets. Two different users have two different packet tag pools.
Available Check Point Versions	R77 and higher	Check Point R80.40 and higher R80.30 with the R80.30 Jumbo Hotfix Accumulator starting from Take 210 (on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. and the Management Server / Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS.)
Supported Windows Server Versions (32-bit and 64-bit)	Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 Windows Server 2019 Windows Server 2022	Windows Server 2016 Windows Server 2019 Windows Server 2022 Windows 10 Windows 10 Enterprise multi-session (see sk177024)
Supported Windows Desktop Operating System Versions	Windows Vista Windows 7 Windows 8	Windows 10 Windows 10 Enterprise multi-session (see sk177024)
Supported Number of Simultaneous Users	Supports a maximum of 20 simultaneous users per MUH v1 instance	Supports a maximum of 256 simultaneous users per MUH v2 instance.
Support for Windows Secure Boot (Windows security feature)	Does not support Windows Secure Boot	Supports Windows Secure Boot.
SYSTEM and other local user accounts	Assigns source ports in a special port range to processes that run in SYSTEM and other local user account. Ports in this special range are not assigned to any user identity authentication.	Does not identity and does not assign an ID range to SYSTEM and other local user accounts. To enforce machine identities for these users, use Kerberos An authentication server for Microsoft Windows Active Directory Federation Services (ADFS). SSO authentication.

Best Practice - If you decide to use AD Query Check Point clientless identity acquisition tool. It is based on Active Directory integration and it is completely transparent to the user. The technology is based on querying the Active Directory Security Event Logs and extracting the user and computer mapping to the network address from them. It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients, or on the Active Directory server. for end user computers, exclude the IP addresses of the Terminal Servers from AD Query. This prevents unexpected disconnections of agents and high CPU utilization by the PDP Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways. daemon. See sk86560 for instructions.

Known Limitations

Terminal Server Identity Agent Version 2 (MUH v2) supports only TCP and UDP protocols. It does not support other protocols such as ICMP. For unsupported protocols, such as ICMP, the Terminal Server Identity Agent cannot control the network connections. The Identity Server Check Point Security Gateway with enabled Identity Awareness Software Blade. is not aware of the user that initiates these connections.
IPv6 is not supported.
A PDP Security Gateway can support a maximum of 1000 MUH v2 agents connected to it directly. Check Point QA certified this with 20 users per MUH v2 client.
Upgrade from Terminal Server Identity Agent Version 1 (MUH v1) to Terminal Server Identity Agent Version 2 (MUH v2) is not supported.
Terminal Server Identity Agent Version 1 (MUH v1) does not support applications that do port tunneling on the Terminal Server.
When Terminal Server Identity Agent Version 2 (MUH v2) is configured, it is not supported for an application to make decisions based on user context (example: Windows Firewall). This is because when MUH v2 tags traffic, it changes the user context to SYSTEM context.