Advanced Identity Awareness Deployment
Introduction
Deploy Check Point Identity Awareness enabled Security Gateways for better security for your network environment and corporate data. This section describes recommended deployments with Identity Awareness.
Important - NAT between two Identity Awareness Security Gateways that share data with each other is not supported.
- Perimeter Security Gateway with Identity Awareness – This deployment is the most common scenario. Deploy the Security Gateway at the perimeter where it protects access to the DMZ and the internal network. The perimeter Security Gateway also controls and inspects internal traffic going to the Internet. In this deployment, create an identity-based Firewall security Rule Base with Application Control.
- Data Center protection – If you have a Data Center or server farm separated from the users' network, protect access to the servers with the Security Gateway. Deploy the Security Gateway in front of the Data Center. All traffic is inspected by the Security Gateway. Control access to resources and applications with an identity-based access policy. Deploy the Security Gateway in bridge mode to protect the Data Center without significant changes to the existing network infrastructure.
- Large scale enterprise deployment – In large networks, deploy multiple Security Gateways. For example: deploy a perimeter Firewall and multiple Data Centers. Install an identity-based policy on all Identity Awareness Security Gateways. The Security Gateways share user and computer data of the complete environment.
- Network segregation – The Security Gateway helps you migrate or design internal network segregation. Identity Awareness lets you control access between different segments in the network with an identity-based policy. Deploy the Security Gateway close to the access network to avoid malware threats and unauthorized access to general resources in the global network.
- Distributed enterprise with branch offices – For an enterprise with remote branch offices connected to the headquarters with VPN, deploy the Security Gateway at the remote branch offices. When you enable Identity Awareness on the branch office Security Gateway, users are authenticated before they reach internal resources. The identity data on the branch office Security Gateway is shared with other Security Gateways to avoid unnecessary authentication.
- Wireless campus – Wireless networks have built-in security challenges. To give access to wireless-enabled corporate devices and guests, deploy Identity Awareness Security Gateways in front of the wireless switch. Install an Identity Awareness policy. The Security Gateways give guest access after authentication in the web Captive Portal, and then they inspect the traffic from WLAN users.
Deployment Options
You can deploy an Identity Awareness Gateway in two different network options:
- IP routing mode
- Transparent mode (bridge mode)
IP routing mode - This is the standard method for deploying Identity Awareness Gateways. You usually use this mode when you deploy the Identity Awareness Gateway at the perimeter. In this case, the Identity Awareness Gateway behaves as an IP router that inspects and forwards traffic from the internal interface to the external interface and vice versa. The internal and external interfaces must be configured on different network subnets.
Transparent mode - Also known as bridge mode. This deployment method lets you install the Identity Awareness Gateway as a Layer 2 device rather than an IP router. The benefit of this method is that it does not require any changes to the network infrastructure: the Identity Awareness Gateway is deployed inline, in the same subnet as the hosts it protects. This option is most suitable when you deploy an Identity Awareness Gateway for network segregation or Data Center protection.
Deploying a Test Environment
If you want to evaluate how Identity Awareness operates in a Security Gateway, we recommend that you deploy it in a simple environment. The recommended test setup below gives you the ability to test all identity sources and create an identity-based Policy.
The recommendation is to install 3 main components in the setup:
- User host (Windows)
- Check Point Security Gateway R75.20 or higher
- Microsoft Windows server with Active Directory, DNS and IIS (Web resource)
Deploy the Security Gateway in front of the protected resource, the Windows server that runs IIS (web server). The user host computer will access the protected resource via the Security Gateway.
Testing Identity Sources
To configure the test environment:
- Install the user host computer with Windows XP or 7 OS.
- Install Windows Server and configure Active Directory and DNS.
- Install IIS with a sample Web Server.
- Deploy a Security Gateway either in routing or bridge mode.
- Test connectivity between the host and the Windows server.
- Add the user host computer to the Active Directory domain.
- Enable Identity Awareness in the Security Gateway.
- Follow the wizard and enable the AD Query and Browser-Based Authentication identity sources.
- Create an Access Role and define access for all authenticated users or select users with the Users picker.
- Create 3 rules in the Firewall Rule Base (the Rule Base is matched top-down, first match wins):
  - Rule 1: Source Any, Destination Any, Service HTTP (negated), Action Accept, Track Log
  - Rule 2: Source Access Role, Destination Any, Service HTTP, Action Accept, Track Log
  - Rule 3: Source Any, Destination Any, Action Drop
- Install policy.
- Logout and login again from the user host computer.
- Open SmartView Tracker > Identity Awareness section and check whether the user is authenticated using the AD Query method.
- Use the user host computer to test connectivity to the Web Server.
- Check logs. The user and computer names show in the connections logs.
- From the Security Gateway CLI, revoke the authenticated user with: pdp control revoke_ip IP_ADDRESS
- On the user host computer open an Internet browser and try to connect to the web resource.
You should be redirected to the Captive Portal. Use the user credentials to authenticate and access the web resource.
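To make the first-match behaviour of the three test rules concrete, the following is an added Python model of the Rule Base and of the gateway's IP-to-identity map; it is not Check Point code. The Access Role name Authenticated_Users, the IP address and the service names are constructed values for the example, and the revoke_ip method only mimics the effect of pdp control revoke_ip on the model.

```python
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    source: str            # "Any" or an Access Role name
    destination: str       # "Any" in the test Rule Base
    service: str           # "Any" or a service name
    negate_service: bool   # True models the "Negate" cell on the service column
    action: str            # "Accept" or "Drop"


# The three rules from the test procedure, in Rule Base order (first match wins).
# Rule 1 passes everything that is NOT HTTP (DNS, AD, ...) without identity.
# Rule 2 admits HTTP only when the source IP is mapped to the Access Role.
# Rule 3 is the cleanup rule: unidentified HTTP lands here and is dropped.
RULE_BASE = [
    Rule("rule 1 (non-HTTP)", ANY, ANY, "HTTP", True, "Accept"),
    Rule("rule 2 (identified HTTP)", "Authenticated_Users", ANY, "HTTP", False, "Accept"),
    Rule("rule 3 (cleanup)", ANY, ANY, ANY, False, "Drop"),
]


class IdentityTable:
    """Constructed stand-in for the gateway's IP -> Access Roles map."""

    def __init__(self):
        self._roles = {}

    def learn(self, ip, roles):      # identity learned via AD Query or Captive Portal
        self._roles[ip] = set(roles)

    def revoke_ip(self, ip):         # models: pdp control revoke_ip IP_ADDRESS
        self._roles.pop(ip, None)

    def roles_for(self, ip):
        return self._roles.get(ip, set())


def _service_matches(rule, service):
    if rule.service == ANY:
        return True
    hit = rule.service == service
    return (not hit) if rule.negate_service else hit


def match(identities, src_ip, service):
    """Return (rule name, action) of the first rule that matches the connection."""
    for rule in RULE_BASE:
        src_ok = rule.source == ANY or rule.source in identities.roles_for(src_ip)
        if src_ok and _service_matches(rule, service):
            return rule.name, rule.action
    raise RuntimeError("unreachable: rule 3 matches everything")
```

Walking the test steps through the model: DNS from an unidentified host is accepted by rule 1, HTTP from the same host is dropped by rule 3 until AD Query maps the IP to the Access Role, and after revoke_ip the HTTP connection is dropped again.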
Testing Endpoint Identity Agents
Enable and configure Identity Agents, and configure Identity Agents self-provisioning through Captive Portal.
- Open a browser and connect to the web resource.
You are redirected to the Captive Portal.
- Enter user credentials.
- Install the client as requested by the Captive Portal.
When the client is installed, wait for an authentication pop-up and enter the user credentials through the client.
- Test connectivity.