|
|
|
In This Section: |
When you enable Identity Awareness on a Security Gateway, a wizard opens. You can use the wizard to configure one Security Gateway that uses the AD Query, Browser-Based Authentication, and Terminal Servers for acquiring identities. You cannot use the wizard to configure a multiple Security Gateway environment or to configure Endpoint Identity Agent and Remote Access acquisition (other methods for acquiring identities).
When you complete the wizard and install a Policy, the system is ready to monitor Identity Awareness. You can use SmartView Tracker and SmartEvent to see the logs for user and computer identity.
To enable Identity Awareness:
The Identity Awareness Configuration wizard opens.
See Choosing Identity Sources.
Note - When you enable Browser-Based Authentication on a Security Gateway that is on an IP Series appliance, make sure to set the Voyager management application port to a port other than 443 or 80.
The Integration With Active Directory window opens.
When SmartDashboard is part of the domain, SmartDashboard suggests this domain automatically. If you select this domain, the system creates an LDAP Account Unit with all of the domain controllers in the organization's Active Directory.
Note - We highly recommend that you go to the LDAP Account Unit and make sure that only necessary domain controllers are in the list. If AD Query is not required to operate with some of the domain controllers, delete them from the LDAP Servers list.
With the Identity Awareness configuration wizard you can use existing LDAP Account units or create a new one for one AD domain. If you create a new domain, the LDAP account unit that the system creates contains only the domain controller you set manually. If it is necessary for AD Query to fetch data from other domain controllers, you must add them at a later time manually to the LDAP Servers list after you complete the wizard.
To view/edit the LDAP Account Unit object, select Servers and OPSEC in the objects tree > LDAP Account Unit.
The LDAP Account Unit name syntax is: <domain name>_ _ AD
For example, CORP.ACME.COM_ _ AD.
If you selected Browser-Based Authentication on the first page, the Browser-Based Authentication Settings page opens.
All IP addresses configured for the Security Gateway show in the list. The IP address selected by default is the Security Gateway main IP address>. The same IP address can be used for other portals with different paths. For example:
If you selected Terminal Servers, the page includes a link to download the agent. See Terminal Servers Configuration.
These are the results of the wizard:
After you enable Identity Awareness, you create Access Role objects.
You can use Access Role objects as source and/or destination parameter in a rule. Access role objects can include one or more of these objects:
To create an Access Role object:
The Access Role window opens.
Your selection is shown in the Networks node in the Role Preview pane.
A window opens. You can search for Active Directory entries or select them from the list.
You can search for AD entries or select them from the list.
The access role is added to the Users and Administrators tree.
Identity Awareness automatically recognizes changes to LDAP group membership and updates identity information, including access roles.
When you:
The system recalculates LDAP group membership for ALL users in ALL Groups. Be very careful when you deactivate user-related notifications.
LDAP Group Update is activated by default. You can manually deactivate LDAP Group Update with the CLI.
|
Important - Automatic LDAP group update works only with Microsoft Active Directory when AD Query is activated. |
To deactivate automatic access role assignment:
adlogconfig a
The adlog status screen and menu opens.
LDAP groups update notifications status changes to [ ] (not active). If you enter 26 when automatic access role assignment is not active, LDAP groups update notifications status changes to [X ] (active).
You can use adlogconfig to set the time between LDAP change notifications and to send notifications only for user related changes.
To configure LDAP group notification options:
adlogconfig a
The adlog status screen and menu opens.
Be very careful when you deactivate user-related notifications. This can cause excessive gateway CPU load.
Automatic access role assignment does not occur immediately because Identity Awareness looks for users and groups in the LDAP cache first. The information in the cache does not contain the updated access role. By default, the cache contains 1,000 users and cached user information is updated every 15 minutes.
You must deactivate the LDAP cache to get automatic access role assignments immediately. This action can cause Identity Awareness to work slower.
To deactivate the LDAP cache:
The Security Gateway examines packets and applies rules in a sequential manner. When a Security Gateway receives a packet from a connection, it examines the packet against the first rule in the Rule Base. If there is no match, it then goes on to the second rule and continues until it matches a rule.
In rules with access roles, you can add a property in the Action field to redirect traffic to the Captive Portal. If this property is added, when the source identity is unknown and traffic is HTTP, the user is redirected to the Captive Portal. If the source identity is known, the Action in the rule (Allow or Block) is enforced immediately and the user is not sent to the Captive Portal. After the system gets the credentials from the Captive Portal, it can examine the rule for the next connection.
|
Important - When you set the option to redirect http traffic from unidentified IP addresses to the Captive Portal, make sure to place the rule in the correct position in the Rule Base to avoid unwanted behavior. |
In rules with access role objects, criteria matching works like this:
If all the conditions apply, the traffic is redirected to the Captive Portal to get credentials and see if there is a match.
If not all conditions apply, there is no match and the next rule is examined.
|
Note - You can only redirect http traffic to the Captive Portal. |
To redirect http traffic to the Captive Portal:
The Action Properties window opens.
The Action column shows that a redirect to the Captive Portal occurs.
This is an example of a Firewall Rule Base that describes how matching operates:
No. |
Source |
Destination |
Service |
Action |
|---|---|---|---|---|
1 |
Finance_Dept (Access Role) |
Finance_Web_ Server |
Any |
Accept (display Captive Portal) |
2 |
Admin_IP |
Any |
Any |
Accept |
3 |
Any |
Any |
Any |
Drop |
Example 1 - If an unidentified Finance user tries to access the Finance Web Server with http, a redirect to the Captive Portal occurs. After the user enters credentials, the Security Gateway allows access to the Finance Web Server. Access is allowed based on rule number 1, which identifies the user through the Captive Portal as belonging to the Finance access role.
Example 2 - If an unidentified administrator tries to access the Finance Web Server with http, a redirect to the Captive Portal occurs despite rule number 2. After the administrator is identified, rule number 2 matches. To let the administrator access the Finance Web Server without redirection to the Captive Portal, switch the order of rules 1 and 2 or add a network restriction to the access role.
You can use Access Role objects as source and/or destination parameter in a rule. For example, a rule that allows file sharing between the IT department and the Sales department access roles.
Name |
Source |
Destination |
VPN |
Service |
Action |
|---|---|---|---|---|---|
IT and Sales File Sharing |
IT_dept |
Sales_dept |
Any Traffic |
ftp |
accept |
When you negate a source or destination parameter, it means that a given rule applies to all sources/destinations of the request except for the specified source/destination object. When the object is an access role, this includes all unidentified entities as well.
When you negate an access role, it means that the rule is applied to "all except for" the access role and unidentified entities. For example, let's say that the below rule is positioned above the Any, Any, Drop rule. The rule means that everyone (including unidentified users) can access the Intranet Web Server except for temporary employees. If a temporary employee is not identified when she accesses the system, she will have access to the Intranet Web Server. Right-click the cell with the access role and select Negate Cell. The icon that represents the access role object is shown crossed out.
Source |
Destination |
VPN |
Service |
Action |
|---|---|---|---|---|
Temp_employees |
Intranet_web_server |
Any Traffic |
http |
accept |
To prevent access to unidentified users, add another rule that ensures that only identified employees will be allowed access and that attempts by a temporary employee will be dropped.
Source |
Destination |
VPN |
Service |
Action |
|---|---|---|---|---|
Temp_employees |
Intranet_web_server |
Any Traffic |
http |
drop |
Any_identified_employee |
Intranet_web_server |
Any Traffic |
http |
accept |
The Security Gateway inspects Application Control and URL Filtering requests and applies rules in a sequential manner. When a Security Gateway receives a packet from a connection, it examines the packet against the first rule in the Rule Base. If there is no match, it goes on to the second rule and continues until it completes the Rule Base. If no rule matches, the packet is allowed.
In rules with access roles, you can add a property in the Action field to redirect traffic to the Captive Portal. If this property is added, when the source identity is unknown and traffic is HTTP, the user is redirected to the Captive Portal. If the source identity is known, the Action in the rule (Allow or Block) is enforced immediately and the user is not sent to the Captive Portal. When the system gets the credentials from the Captive Portal, it can examine the rule for the next connection.
In rules with access role objects, criteria matching works like this:
If all the conditions apply, the traffic is redirected to the Captive Portal to get credentials and see if there is a match.
If not all conditions apply, there is no match and the next rule is examined.
To redirect HTTP traffic to the Captive Portal:
The Action Properties window opens.
The Action column shows that a redirect to the Captive Portal occurs.
This is an example of an Application Control and URL Filtering Rule Base that shows how criteria matching operates:
No. |
Source |
Destination |
Service |
Applications/Sites |
Action |
|---|---|---|---|---|---|
1 |
Finance_Dept (Access Role) |
Internet |
Any |
Salesforce |
Allow |
2 |
Any_identified_user |
Internet |
Any |
Remote Administration Tool (non-HTTP category) |
Allow |
3 |
Any_identified_user |
Internet |
Any |
Any recognized |
Block |
When browsing the Internet, different users experience different outcomes:
Example 1 - An unidentified Finance user that attempts to access Salesforce is sent to the Captive Portal. This happens because the action is set to redirect to the Captive Portal. After entering credentials and being identified, the user is granted access according to rule number 1.
Example 2 - An unidentified user that attempts to access the Remote Administration Tool matches rule 2, but not the Source column. Because the application is not HTTP, traffic cannot be redirected to the Captive Portal. Since none of the rules match, the user is granted access to the Remote Administration Tool.
Example 3 - An unidentified user that browses to Gmail does not match rules 1 and 2 because of the application. In rule 3 there is also no match because the action is not set to redirect to the Captive Portal. Since none of the rules match, the user is granted access to Gmail.
These issues are related to Source and Destination fields:
Negate and block in the Application Control Rule Base operates similarly to Negate and drop in the Firewall Rule Base. Unlike the Firewall Rule Base, if a connection does not match any of the rules, it is not automatically blocked. It is allowed.
Thus, when you use negate on an access role you allow all unidentified users and anyone who is not the access role access. To prevent this you must include an access role that prevents access to unidentified users. This rule makes sure that only identified users will be allowed access and attempts by unidentified users will be blocked.
This example shows rules that block temporary employees from accessing the Internet and allows access for identified employees.
Source |
Destination |
Application |
Action |
|---|---|---|---|
Temp_employees |
Internet |
Any Recognized |
Block |
Any_identified_employee |
Internet |
Any Recognized |
Allow |
In the Identity Sources section of the Identity Awareness page, select Browser-Based Authentication to send unidentified users to the Captive Portal.
If you configure Transparent Kerberos Authentication, the browser tries to identify AD users before sending them to the Captive Portal. See Transparent Kerberos Authentication Configuration.
If you already configured the portal in the Identity Awareness Wizard or SmartDashboard, its URL shows below Browser-Based Authentication.
To configure the Browser-Based Authentication settings:
|
Note - When you enable Browser-Based Authentication on a Security Gateway that is on an IP Series appliance, make sure to set the Voyager management application port to a port other than 443 or 80. |
Select if the portal runs on this Security Gateway or a different Identity Awareness enabled Security Gateway. The default is that the Captive Portal is on the Security Gateway. The Security Gateway redirects unidentified users to the Captive Portal on the same Security Gateway. This is the basic configuration.
A more advanced deployment is possible where the portal runs on a different Security Gateway. See the Deployment section for more details.
Click Edit to open the Portal Access Settings window. In this window, you can configure:
ID.yourcompany.com can send users to the Captive Portal. To make the alias work, it must be resolved to the main URL on your DNS server.Users are sent to the Captive Portal, if they use networks connected to these interfaces.
Click Settings to open the Authentication Settings window. In this window you can configure:
Note - The Endpoint Identity Agent download link and the Automatic Logout option are ignored when Transparent Kerberos Authentication SSO is successful. This is so because users do not see the Captive Portal.
The default is that all user directory options are selected. You might choose only one or two options if users are only from a specified directory or directories and you want to maximize Security Gateway performance when users authenticate. Users with identical user names must log in with domain\user.
Click Edit to open the Portal Customization window and edit the images that users see in the Captive Portal. Configure the labeled elements of the image below.
Label Number |
Name |
To do in GUI |
|---|---|---|
1 |
Portal Title |
Enter the title of the portal. The default title is Network Access Login. |
2 |
Company Logo |
Select Use my company logo and Browse to select a logo image for the portal. |
2 |
Company Logo for mobiles |
Select Use my company logo for mobiles and Browse to select a smaller logo image for users who access the portal from mobile devices. |
Configure what users can do in the Captive Portal to become identified and access the network.
Click Settings to configure settings for known users after they enter their usernames and passwords successfully.
You can only configure settings for Endpoint Identity Agent deployment if Endpoint Identity Agents is selected on the Identity Awareness page.
Click Settings to configure settings for guests.
If Endpoint Identity Agents is selected as a method to acquire identities, you can require users to download the Endpoint Identity Agent from the Captive Portal. You can also let users install the Endpoint Identity Agent on a specified later date and not right away.
Endpoint Identity Agents are dedicated client agents installed on user computers that acquire and report identities to the Security Gateway. As the administrator, you, not the users, configure the Agents.
Before you configure Endpoint Identity Agents, consider these elements:
The Endpoint Identity Agent identity source uses SSO to authenticate users when they enter their login credentials (Active Directory or other authentication server). The system securely gets authentication data one time without making users authenticate manually (as is necessary with Captive Portal).
You get SSO with Kerberos, an inherent authentication and authorization protocol in Windows networks that is available by default on all Windows servers and workstations. If you do not use SSO, users enter credentials in another window.
These are the Endpoint Identity Agent types that you can install:
For more information, see Prepackaging Endpoint Identity Agents.
User identification - Users that log in to the Active Directory domain are transparently authenticated (with SSO) and identified when using an Endpoint Identity Agent. If you do not configure SSO or you disable it, the Endpoint Identity Agent uses username and password authentication with a standard LDAP server. The system opens a window for entering credentials.
Computer identification - You get computer identification when you use the Full Endpoint Identity Agent as it requires installing a service.
IP change detection - When an endpoint IP address changes (interface roaming or DHCP assigns a new address), the Endpoint Identity Agent automatically detects the change. The Endpoint Identity Agent tells the Security Gateway and you stay connected.
Packet tagging - A technology that prevents IP spoofing is available only for the Full Endpoint Identity Agent as it requires installing a driver.
This table shows the similarities and differences of the Light and Full Endpoint Identity Agent types.
|
Endpoint Identity Agent Light |
Endpoint Identity Agent Full |
|
|---|---|---|---|
Installation Elements |
Endpoint Identity Agent format |
Resident application |
Resident application + service + driver |
Installation permissions |
None |
administrator |
|
Upgrade permissions |
None |
None |
|
Security Features |
User identification |
SSO |
SSO |
Computer identification |
No |
Yes |
|
IP change detection |
Yes |
Yes |
|
Packet tagging |
No |
Yes |
|
The installation file size is 7MB for both types and the installation takes less than a minute.
IP Spoofing happens when an unauthorized user assigns an IP address of an authenticated user to an endpoint computer. By doing so, the user bypasses identity access enforcement rules. It is also possible to poison ARP tables that let users do ARP "man-in-the-middle attacks" that keep a continuous spoofed connectivity status.
To protect packets from IP spoofing attempts, you can enable Packet Tagging. Packet Tagging is a patent pending technology that prevents spoofed connections from passing through the Security Gateway. This is done by a joint effort between the Endpoint Identity Agent and the Security Gateway that uses a unique technology that sign packets with a shared key.
The Identity Awareness view in SmartView Tracker shows Packet Tagging logs. The Success status indicates that a successful key exchange happened.
|
Note - Packet Tagging can only be set on computers installed with the Full Endpoint Identity Agent. |
For details, see Packet Tagging.
To enable IP Spoofing protection:
There are different Endpoint Identity Agent deployment methods:
Note - When you deploy the Full Endpoint Identity Agent, the user that installs the client must have administrator rights on the computer. If the user does not have administrator permissions, the Light Endpoint Identity Agent is installed instead.
Note - When users authenticate with the transparent portal, the download link does not show. They must install the agent from the distribution media.
$NACPORTAL_HOME/htdocs/nac/nacclients/customAgent.msi on the gateway.To configure Endpoint Identity Agent deployment from Captive Portal:
When necessary, you can configure specific groups to download the Endpoint Identity Agent. For example, if you have a group of mobile users that roam and it is necessary for them to stay connected as they move between networks.
To configure Endpoint Identity Agent deployment for user groups:
With Server Discovery, the Endpoint Identity Agent finds the Security Gateway with Identity Awareness to connect to. There are several methods to configure this. The basic method is to configure one server. Or, you can deploy a domain-wide Policy, to connect to a Security Gateway with Identity Awareness, based on the Endpoint Identity Agent client current location.
Server Trust makes sure that the Endpoint Identity Agent connects to a genuine Security Gateway with Identity Awareness. It makes sure that the communication between the Endpoint Identity Agent and the Security Gateway is secure. For example, Server Trust blocks man-in-the-middle attacks.
Trust is made with when the server fingerprint matches the expected fingerprint, as calculated during the SSL handshake.
There are different server discovery and trust methods:
Note - The only server discovery method for the MAC OS Endpoint Identity Agent.
In the Identity Sources section of the Identity Awareness page, select Endpoint Identity Agents to configure Endpoint Identity Agent settings.
To configure the Endpoint Identity Agent settings:
Click Edit to select from where the Endpoint Identity Agent can be accessed. The options are based on the topology configured for the Security Gateway.
Users can communicate with the servers if they use networks connected to these interfaces.
Configure data for the logged in session using the Endpoint Identity Agent.
Configure data for Endpoint Identity Agent upgrades.
|
Note - When you install or upgrade the Full Endpoint Identity Agent version, the user will experience a momentary loss of connectivity. |
Some users cannot authenticate with the Endpoint Identity Agent
This issue can occur in Kerberos environments with a very large Domain Controller database. The authentication failure occurs when the CCC message size is larger than the default maximum size. You can increase the maximum CCC message size to prevent this error.
To increase the maximum CCC message size, use the procedure in sk66087.
Transparent Portal Authentication fails for some users
This issue can occur for users that try to authenticate with Kerberos authentication with the transparent portal. The user sees a 400 Bad Request page with this message:
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
The authentication failure occurs because the HTTP request header is larger than the default maximum size. You increase the maximum HTTP request header to prevent this error.
To increase the maximum HTTP request header size, use the procedure in sk92802.
The Identity Awareness Terminal Servers solution lets the system enforce identity aware policies on multiple users that connect from one IP address. This functionality is necessary when an administrator must control traffic created by users of application servers that host Microsoft Terminal Servers, Citrix XenApp, and Citrix XenDesktop.
The Terminal Servers solution is based on reserving a set of TCP/UDP ports for each user. Each user that is actively connected to the application server that hosts the Terminal/Citrix services is dynamically assigned a set of port ranges. The Identity Server receives that information. Then, when a user attempts to access a resource, the packet is examined and the port information is mapped to the user.
For more information, see sk66761.
To deploy Terminal Servers Endpoint Identity Agent:
Go to the link https://<Gateway_IP_Address>/_IA_MU_Agent/download/muhAgent.exe
Make sure you open the link from a location defined in the Terminal Servers Accessibility setting (Identity Awareness Gateway properties > Identity Awareness > Terminal Servers > Settings > Edit).
The Terminal Servers Endpoint Identity Agent installation installs the Terminal Servers driver and features. A user with administrator rights must run the Terminal Servers installation.
You can download the Terminal Servers Endpoint Identity Agent from a link in SmartDashboard.
To download the Terminal Servers Endpoint Identity Agent:
There is no option to upgrade the Terminal Servers Endpoint Identity Agent when you upgrade a Security Gateway to a newer version. You must manually install the new version of the Terminal Servers Endpoint Identity Agent on the Citrix or Terminal Server.
You must configure the same password as a shared secret in the Terminal Servers Endpoint Identity Agent on the application server that hosts the Terminal/Citrix services and on the Security Gateway enabled with Identity Awareness. The shared secret enables secure communication and lets the Security Gateway trust the application server with the Terminal Servers functionality.
The shared secret must contain at least 1 digit, 1 lowercase character, 1 uppercase character, no more than three consecutive digits, and must be eight characters long in length. In SmartDashboard, you can automatically generate a shared secret that matches these conditions.
To configure the shared secret on the Identity Server:
The Identity Awareness page opens.
The generated password is shown in the Pre-shared secret field.
To configure the shared secret on the application server:
The Check Point Endpoint Identity Agent - Terminal Servers main window opens.
The options are based on the topology configured for the gateway:
Through all interfacesThrough internal interfacesIncluding undefined internal interfacesIncluding DMZ internal interfacesIncluding VPN encrypted interfacesAccording to the Firewall policy - Select this, if there is a rule that states who can access the portal. The Users tab in the Terminal Servers Endpoint Identity Agent shows a table with information about all users that are actively connected to the application server that hosts the Terminal/Citrix services.
Table Field |
Description |
|---|---|
ID |
The SID of the user. |
User |
The user and domain name. The format used: |
TCP Ports |
The ports allocated to the user for TCP traffic. |
UDP Ports |
The ports allocated to the user for TCP traffic. |
Authentication Status |
Indicates whether this user is authenticated on the gateway. |
The ID and User field information is automatically updated from processes running on the application server. The Terminal Servers Endpoint Identity Agent assigns TCP and UDP port ranges for each connected user.
From the Advanced section of the Multi User Host main window, you can access Terminal Servers Settings.
Advanced uses can change these settings when necessary. Best Practice - We highly recommend that you keep the default values if you are not an advanced user.
Changes are applied to new users that log in to the application server after the settings are saved. Users that are currently logged in, will stay with the older settings.
Advanced Setting |
Description |
|---|---|
Excluded TCP Ports |
Ports included in this range will not be assigned to any user for TCP traffic. This field accepts a port range or list of ranges (separated with a semicolon). |
Excluded UDP Ports |
Ports included in this range will not be assigned to any user for UDP traffic. This field accepts a port range or list of ranges (separated with a semicolon). |
Maximum Ports Per User |
The maximum number of ports that can be assigned to a user in each of the TCP and UDP port ranges. |
Ports Reuse Timeout (seconds) |
The number of seconds the system waits until it assigns a port to a new user after it has been released by another user. |
Errors History Size |
N/A |
Gateway Shared Secret |
The same password that is set on the gateway that enables trusted communication between the Security Gateway and the application server. |
You can configure a Security Gateway with Identity Awareness to use RADIUS Accounting to get user and computer identities directly from a RADIUS accounting client. Identity Awareness uses this information to apply access permissions to the connection.
RADIUS Accounting gets identity data from RADIUS Accounting Requests generated by the RADIUS accounting client. Identity Awareness uses the data from these requests to get user and device group information from the LDAP server. Firewall rules apply these permissions to users, computers and networks.
Item |
Description |
|---|---|
1 |
User devices |
2 |
Security Gateway with Identity Awareness configured as a RADIUS Accounting server |
3 |
RADIUS authentication server with RADIUS Accounting client enabled |
4 |
RADIUS Accounting request |
5 |
User identity information |
6 |
LDAP server |
7 |
Protected resources |
You must enable RADIUS Accounting on Security Gateways before they can work as a RADIUS Accounting server.
To enable RADIUS Accounting for a Security Gateway: