Domain Verification
End user identification is required in Harmony Connect Agent for secure internet access. Harmony Connect Agent uses the end user domain and maps it to the Infinity Portal account that owns this domain. For details on how the end user domain is retrieved, see sk172550.
When you connect an Identity Provider, one of the steps is Identity Provider Settings. In this step, administrators must prove ownership of their company domain. This check prevents a possible security issue:
- An attacker maps the domain of a company he would like to attack to an Infinity Portal account that he created.
- The attacker sends a phishing email to end users of the company with a request to install Harmony Connect Agent.
- Harmony Connect Agent maps the domain name of the end users' computers to the attacker's Infinity Portal account.
- The attacker can see all traffic logs of the end users, including their emails, the various internet-facing applications that they use, and the types of files that they upload or download. The attacker can allow these users to access malicious websites or download malicious files.
How Harmony Connect verifies your Domain
- The Administrator adds the company domain name (or names) in the corresponding field of the Identity Provider wizard.
- The Administrator logs into the company DNS server that matches this domain and adds a DNS record with the value that appears in the Identity Provider Settings.
- When the Administrator clicks Next, Harmony Connect attempts to make a DNS call to this domain and verifies that the correct value is retrieved.
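An administrator-side check that the record is visible from outside before clicking Next, as an added example that is not part of the Check Point documentation. It assumes the value is published as a TXT record (the page does not name the record type) and that `dig` is installed; the domain, the value and all function names are constructed for illustration.

```python
import re
import subprocess
import time

# Constructed `dig +short TXT example.com` output: an unrelated SPF record plus
# the verification value, which the DNS server returned split into two strings.
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:_spf.example.com ~all"
"PLACEHOLDER-VALUE-" "FROM-WIZARD"
'''
EXPECTED = "PLACEHOLDER-VALUE-FROM-WIZARD"  # placeholder, not a real value


def parse_txt_answers(dig_short_output):
    """Return one string per TXT record, joining multi-string records."""
    records = []
    for line in dig_short_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:  # lines without quoted strings (e.g. CNAME targets) are skipped
            records.append("".join(chunks))
    return records


def domain_is_verified(dig_short_output, expected_value):
    """Exact match against a whole record; a partial value does not count."""
    return expected_value in parse_txt_answers(dig_short_output)


def lookup_txt(domain, resolver="1.1.1.1"):
    """Ask a public resolver (assumed choice): the real check comes from outside."""
    cmd = ["dig", "@" + resolver, "+short", domain, "TXT"]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout


def wait_until_published(domain, expected_value, attempts=6, delay=30,
                         lookup=lookup_txt):
    """Poll until the record is visible; DNS updates can take over a minute."""
    for attempt in range(attempts):
        if domain_is_verified(lookup(domain), expected_value):
            return True
        if attempt < attempts - 1:
            time.sleep(delay)
    return False


if __name__ == "__main__":
    print(parse_txt_answers(SAMPLE_DIG_OUTPUT))
    print(domain_is_verified(SAMPLE_DIG_OUTPUT, EXPECTED))
```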
Internal Domain Names
Some companies use internal domain names in their managed devices' settings. If the company domain has a private domain name, Harmony Connect cannot verify the domain because it is not reachable from the cloud. In this case, you need approval from Check Point Harmony Connect. Submit a support request to Check Point based on sk154712. Make sure you mention your Infinity Portal Account ID (as it appears in Global Settings > Account Settings) and the domain name that you want to map to your account.
Additional Information
- Harmony Connect Agent retrieves the username and company domain name from the end user device. For more details on the process, refer to sk172550.
- You can map more than one domain name to your company Infinity Portal account. Harmony Connect Agent attempts to verify each of these domains.
- Some DNS servers take more than one minute to update their DNS records. During this time, the administrator cannot proceed to the next step.
- The value of the DNS record is preserved in this Infinity Portal account even if the administrator cancels the Identity Provider wizard or logs out of Infinity Portal. The DNS record value changes only if another administrator completes the connection of an Identity Provider, then deletes that integration and starts again. In all other cases, the administrator can open this Identity Provider wizard later and verify the domain.