Identity Collector - Configuring as Identity Source

To enable the Identity CollectorClosed Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. For more information, see sk108235. You can download the Identity Collector package from sk134312. solution, you must configure it in the Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway object in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.:

  1. From the left navigation panel, click Gateways & Servers.

  2. Open the Identity Awareness Gateway object.

  3. From the left tree, click the Identity Awareness pane.

  4. Select Identity Collector and click Settings.

  5. In the Identity Collector Settings window, configure these:

    Select to which interfaces on the Identity Awareness Gateway the Identity Collector can connect.

    Available options are based on the topology configured for the Identity Awareness Gateway interfaces:

    • Through all interfaces

      Identity Clients can connect to the Identity Awareness Gateway through all interfaces that an administrator configured in the Identity Awareness Gateway object (regardless of their Topology settings).

    • Through internal interfaces

      Identity Clients can connect to the Identity Awareness Gateway through internal interfaces only.

      • Including undefined internal interfaces

        Identity Clients can connect to the Identity Awareness Gateway through all interfaces that the administrator configured in this way in the Identity Awareness Gateway object:

        1. From the left tree, click Network Management.

        2. Right-click an interface and click Edit.

        3. In the Topology section, click Modify.

        4. In the Leads To section, select Override > select This Network (Internal) > select Not defined.

        5. Click OK.

      • Including DMZ internal interfaces

        Identity Clients can connect to the Identity Awareness Gateway through interfaces that the administrator configured in this way in the Identity Awareness Gateway object:

        1. From the left tree, click Network Management.

        2. Right-click an interface and click Edit.

        3. In the Topology section, click Modify.

        4. In the Leads To section, select Override > select the applicable option > select Interface leads to DMZ.

        5. Click OK.

      • Including VPN encrypted interfaces

        Identity Clients can connect to the Identity Awareness Gateway through interfaces used for establishing route-based VPN tunnels (VTIs).

    • According to the Firewall policy

      Select this option to control the access with Access Control rules.

    Important - The Through all interfaces and Through internal interfaces options have priority over Access Control Policy rules. If an Access Control ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. is configured to block connections from Identity Collector clients, the Identity Awareness Gateway continues to allow these connections.

    An Identity Awareness Gateway accepts connections only from authorized Identity Collector client computers.

    To configure authorized Identity Collector client computers:

    In the Authorized Clients section of the Identity Collector Settings window, click the green [+] icon and select an Identity Collector client from the list.

    Notes:

    • To create a specified new host object:

      1. Close the Identity Collector Settings window.

      2. Close the Identity Awareness Gateway Properties window.

      3. From the top toolbar, click the Objects menu > More > Network Object > New Host.

        Or from the right upper corner, click the Objects tab > New > Host.

    • To remove a current Identity Collector client from the list, select the client and click the red [-] icon.

    To create an authentication secret for a selected Identity Collector client:

    1. Select the Identity Collector client in the list.

    2. Click Generate, or enter the applicable secret manually.

    Notes:

    • Each client has its own client secret.

    • To change a client secret, change it manually.

    The Identity Awareness Gateway separately saves the authentication settings for different Identity Clients. This lets the administrator configure different authentication settings for different Identity Clients.

    1. In the Authentication Settings section, click Settings.

      The User Directories window opens.

    2. Configure where the Identity Awareness Gateway can search for users when they try to authenticate:

      • Internal users - The directory of configured internal users.

      • LDAP users - The directory of LDAP users:

        • All Gateway's Directories - Users from all configured LDAP servers.

        • Specific - Users from configured LDAP servers that you select.

      • External user profiles - The directory of users, who have external user profiles.

      By default, all User Directories options are selected. You can select only one or two options, if users are only from a specified directory, and you want to maximize Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. performance, when users authenticate. Users with identical user names must log in with domain\username.

    3. Click OK to close the User Directories window.

  6. Click OK to close the Identity Collector Settings window.

  7. Click OK to close the Check Point Gateway window.

  8. Optional: To enforce the Cisco Security Group Tags (SGTs) on the Identity Awareness Gateway:

    1. In SmartConsole, click the Objects menu > click Object Explorer.

    2. In the Object Explorer, click New > User > User Group.

    3. Name the new group: CSGT-<SGT_NAME>.

    4. Assign this group to an Access RoleClosed Access Role objects let you configure network access according to: Networks, Users and user groups, Computers and computer groups, Remote Access Clients. After you activate the Identity Awareness Software Blade, you can create Access Role objects and use them in the Source and Destination columns of Access Control Policy rules..

  9. Install the Access Control Policy.