References

For more about Kerberos SSO, see:

• http://web.mit.edu/Kerberos/
• http://technet.microsoft.com/en-us/library/bb742433.aspx

SSO Configuration

SSO configuration includes two steps:

• AD Configuration - Creating a user account and mapping it to a Kerberos principal name.
• SmartDashboard Configuration - Creating an LDAP Account Unit and configuring it with SSO.

AD Configuration

Server Discovery and Server Trust

Introduction

The Endpoint Identity Agent client needs to be connected to an Identity Awareness Gateway. For this to happen, it must discover the server and trust it.

Server discovery refers to the process of deciding, to which server the client should connect. We offer several methods for configuring server discovery – from a very basic method of simply configuring one server to a method of deploying a domain wide policy of connecting to a server based on your current location. This section describes these options.

Server trust refers to the process of validating that the server, to which the end user connects, is indeed a genuine one. It also makes sure that communication between the client and the server was not tampered with by a Man In The Middle (MITM) attack.

The trust process compares the server fingerprint calculated during the SSL handshake with the expected fingerprint. If the client does not have the expected fingerprint configured, it will ask the user to verify that it is correct manually. This section describes the methods that allow the expected fingerprint to be known, without user intervention.

Discovery and Trust Options

These are the options that the client has for discovering a server and creating trust with it:

• File name based server configuration – If no other method is configured (default, out-of-the-box situation), any Endpoint Identity Agent downloaded from the portal will be renamed to have the portal computer IP in it. During installation, the client uses this IP to represent the Identity Awareness Gateway. Note that the user has to trust the server by himself (the trust dialog box opens).
• AD based configuration – If client computers are members of an Active Directory domain, you can deploy the server addresses and trust data using a dedicated tool.
• DNS SRV record based server discovery – It is possible to configure the server addresses in the DNS server. Because the DNS is not secure, we recommend that you do not configure trust this way. Users can authorize the server manually in a trust dialog box that opens. This is the only server discovery method that is applicable for the MAC OS Endpoint Identity Agent.
• Remote registry – All client configuration, including the server addresses and trust data are in the registry. You can deploy the values before installing the client (by GPO, or any other system that lets you control the registry remotely). This lets you use the configuration from first run.
• Custom Endpoint Identity Agents – You can create a custom version of the Endpoint Identity Agent installation package that includes the server IP and trust data.

Comparing Options

	Requires AD	Manual User Trust Required?	Multi- Site	Client Remains Signed?	Allows Ongoing Changes	Level	Recommended for...
File name based	No	Yes	No	Yes	No	Very Simple	Single Security Gateway deployments
AD based	Yes	No	Yes	Yes	Yes	Simple	Deployments with AD that you can modify
DNS based	No	Yes	Partially (per DNS server)	Yes	Yes	Simple	Deployments without AD or with an AD you cannot modify, but the DNS can be changed
Remote registry	No	No	Yes	Yes	Yes	Moderate	Where remote registry is used for other purposes
Pre- packaging	No	No	Yes	No	No	Advanced	When both DNS and AD cannot be changed, and there is more than one Security Gateway

File Name Based Server Discovery

This option is the easiest to deploy, and works out-of-the-box if the Captive Portal is also the Identity Awareness Gateway. If your deployment consists of one Identity Awareness Gateway, and a Captive Portal is running on the same Security Gateway, and it is OK with you that the user needs to verify the server fingerprint and trust it once, then you can use this option, which works with no configuration.

How does it work?

When a user downloads the Endpoint Identity Agent client from the Captive Portal, the address of the Identity Awareness Gateway is added to the file name. During the installation sequence, the client checks if there is any other discovery method configured (Pre-packaged, AD based, DNS based or local registry). If no method is configured, and the Identity Awareness Gateway can be reached, the Endpoint Identity Agent will use it. You can make sure that this is the case by looking at the Endpoint Identity Agent settings and seeing that the Identity Awareness Gateway that is shown in the file name is present in the Endpoint Identity Agent dialog box.

Why can't we use this for trust data?

As the file name can be changed, we cannot be sure that the file name was not modified by an attacker along the way. Therefore, we cannot trust data passed in the file name as authentic, and we need to verify the trust data by another means.

AD Based Configuration

If your endpoint computers are members of an Active Directory domain, and you have administrative access to this domain, you can use the Distributed Configuration tool to configure connectivity and trust rules for the Endpoint Identity Agent.

This tool is installed a part of the Endpoint Identity Agent: go to the Start menu > All Programs > Check Point > Identity Agent.

Note - You must have administrative access to this Active Directory domain.

The Distributed Configuration tool has three panes:

• Welcome - This pane describes the tool and lets you enter alternate credentials that are used to access the AD.
• Server Configuration - This pane lets you configure, to which Identity Awareness Gateway the Endpoint Identity Agent should connect, depending on the IPv4 / IPv6 address that is configured on the endpoint computer, or its AD Site.
• Trusted Gateways - This pane lets you view and change the list of fingerprints of Identity Awareness Gateways, which the Endpoint Identity Agent considers secure.

Note - The complete configuration is written to Active Directory database - under the Program Data branch in a hive named Check Point. This hive is added in the first run of the tool. Adding this hive will not have any effect on other AD based applications or features.

Server Configuration Rules

The Endpoint Identity Agent fetches the configured rule lists from the Active Directory database. Each time the Endpoint Identity Agent needs to connect to an Identity Awareness Gateway, it tries to match itself against the rules, from top to bottom.

When the Endpoint Identity Agent matches a rule, it uses the Identity Awareness Gateways configured in this rule, according to the priority specified.

For example:

This configuration means:

• If the user's computer is configured with the IPv4 address 192.168.0.1 / 24, then the Endpoint Identity Agent needs to connect to the Identity Awareness Gateway "US-GW1".

  If the gateway "US-GW1" is not available, then the Endpoint Identity Agent needs to connect to the Identity Awareness Gateway "BAK-GS2" (it will be used only if gateway "US-GW1" is not available, as its priority is higher).

• If the user connects from the Active Directory site "UK-SITE", then the Endpoint Identity Agent needs to connect to either Identity Awareness Gateway "US-GW1", or Identity Awareness Gateway "UK-GW2" (Endpoint Identity Agent will choose between these gateways randomly, as they both have the same priority).

  If both of these gateways are not available, then the Endpoint Identity Agent needs to connect to the Identity Awareness Gateway "BAK-GS2".

• The default rule is that the Endpoint Identity Agent needs to connect to Identity Awareness Gateway "BAK-GS2" (the default rule is always matched when it is encountered).

Trusted Gateways

The Trusted Gateways pane shows the list of Identity Awareness Gateways considered trusted - no pop-ups will open when the Endpoint Identity Agent tries to connect to these Identity Awareness Gateways.

You can add, edit or delete a server. If you have connectivity to the Identity Awareness Gateway, you can get the name and fingerprint by entering its address and clicking Fetch Fingerprint. Otherwise, you should enter the same name and fingerprint that is shown when connecting to that Identity Awareness Gateway.

For example:

DNS Based Configuration

If you configure the client to ‘Automatic Discovery’ (the default), it looks for a server by issuing a DNS SRV query for the address ‘CHECKPOINT_NAC_SERVER._tcp’ (the DNS suffix is added automatically). You can configure the address in your DNS server.

To configure the automatic discovery address on the DNS server:

1. Go to Start > All Programs > Administrative Tools > DNS.
2. Go to Forward lookup zones and select the applicable domain.
3. Right click and select Other new record.
4. Select Service Location > Create Record.
5. In the Service field, enter CHECKPOINT_NAC_SERVER.
6. Set the Port number to 443.
7. In the Protocol field, select _tcp.
8. In the Host offering this service field, enter the Security Gateway (with Identity Awareness) IP address.
9. Click OK.

Note - Security Gateway with Identity Awareness Load Sharing can be achieved by creating several SRV records with the same priority and High Availability can be achieved by creating several SRV records with different priorities.

Note - If you configure AD based and DNS based configuration, the results are combined according to the specified priority (from the lowest to highest).

Troubleshooting - See SRV Record Stored in the DNS Server

1. In Windows Command Prompt, run:

   C:\> nslookup

2. Set query type to SERVER:

   > set type=SRV

3. Query for the checkpoint_nac_server:

   > checkpoint_nac_server._tcp

   Example output:

   Server: dns.company.com
Address: 192.168.0.17

   checkpoint_nac_server._tcp.ad.company.com SRV service location:
priority = 0
weight = 0
port = 443
svr hostname = idserver.company.com

   idserver.company.com internet address = 192.168.1.212

4. To exit, run:

   > exit

Remote Registry

If you have another way to deploy registry entries to your client computers (such as Active Directory GPO updates), you can deploy the Identity Awareness Gateway addresses and trust parameters before you install the clients. Clients will use the already-deployed settings immediately after installation.

To use the remote registry option:

1. Install the client on a computer. Make sure it is installed in the same mode that will be installed on the other computers.

   The full agent installs itself to your Program Files directory and saves its configuration to HKEY_LOCAL_MACHINE.

   The light Endpoint Identity Agent installs itself to the Users directory and saves its configuration to HKEY_CURRENT_USER.

2. Connect manually to all of the servers that are configured, verify their fingerprints, and click Trust in the fingerprint verification window.
3. In the client Settings window, configure it to connect to the requested servers.

   If let the client choose a server based on location, click Advanced.

4. Export these registry keys (from HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER, according to the client type installed):
   1. SOFTWARE\CheckPoint\IA\TrustedGateways (the whole tree)
   2. SOFTWARE\CheckPoint\IA\ (on 32-bit), or

      SOFTWARE\Wow6432Node\Checkpoint\IA (on 64-bit)

      • DefaultGateway
      • DefaultGatewayEnabled
      • PredefinedPDPConnRBUsed
      • PredefinedPDPConnectRuleBase
5. Deploy the exported keys to the workstations before you install the client on them.

Creating Custom Endpoint Identity Agents

Custom Endpoint Identity Agents

You can use the Identity Awareness Configuration Utility to create custom Endpoint Identity Agent installation packages. Endpoint Identity Agents have many advanced configuration parameters. Some of these parameters are related to the installation process, while others are related to Endpoint Identity Agent functionality. All of the configuration parameters have default values that are deployed with the product and can remain unchanged.

• Full – Predefined Endpoint Identity Agent includes packet tagging and computer authentication. It applies to all users of the computer, on which it is installed. Administrator permissions are required to use the Full Endpoint Identity Agent type.
• Light – Predefined Endpoint Identity Agent that does not include packet tagging and computer authentication. You can install this Endpoint Identity Agent individually for each user on the target computer. Administrator permissions are not required.
• Terminal Servers - Predefined Endpoint Identity Agent that installs MAD services and the Multi-user host driver on Citrix and Terminal Servers. This Endpoint Identity Agent type cannot be used for endpoint computers.
• Custom - Configure custom features for all computers that use this agent, such as MAD services and packet tagging.

Installing Microsoft .NET Framework

You must install Microsoft .NET Runtime framework 4.0 or higher before you install and run the Endpoint Identity Agent Configuration Tool.

To install the .NET Runtime Framework v4.0:

1. Download the .NET v4.0 installation package.
2. When prompted to start the installation immediately, click Run.
3. Follow the instructions on the screen.

Working with the Endpoint Identity Agent Configuration Tool

Getting the source MSI File

To create a custom Endpoint Identity Agent installation package, you must first copy the customizable MSI file from the Security Gateway to your management computer. This is the computer on which you use the Endpoint Identity Agent Configuration Tool.

To get the customizable MSI file:

1. Copy this file from the Security Gateway to your management computer:
   SecurePlatform, Gaia or Linux:
   /opt/CPNacPortal/htdocs/nac/nacclients/customAgent.msi
2. Make a backup copy of this file on your management computer with a different name.

   You must use the original copy of the MSI file when you work with the Endpoint Identity Agent Configuration Tool.

Running the Endpoint Identity Agent Configuration Tool

You must install Endpoint Identity Agent v2.0 or above (from Security Gateway R77 or above) on your management client computer. The Configuration Tool is installed in the Endpoint Identity Agent installation directory.

To install the Endpoint Identity Agent on your client computer:

1. Copy these agents from the Security Gateway to your management computer:
   • Full Endpoint Identity Agent:
     /opt/CPNacPortal/htdocs/nac/nacclients/fullAgent.exe
   • Light Endpoint Identity Agent:
     /opt/CPNacPortal/htdocs/nac/nacclients/lightAgent.exe
2. Run one of these executable files as applicable for your environment.
3. Follow the instructions on the screen.

To run the Endpoint Identity Agent Configuration Tool:

1. Go to the Endpoint Identity Agent installation directory.
   1. Click Start > All Programs > Check Point > Endpoint Identity Agent.
   2. Right-click the Endpoint Identity Agent shortcut and select Properties from the menu.
   3. Click Open File Location (Find Target in some Windows versions).
2. Double-click IAConfigTool.exe.

   The Endpoint Identity Agent Configuration Tool opens.

Configuring the Endpoint Identity Agent

You configure all features and options in the Endpoint Identity Agent Configuration Tool window.

MSI Package Path

Enter or browse to the source installation package. You must use a Check Point customizable MSI file as the source for the configuration tool.

Installation Type

Select whether the Endpoint Identity Agent applies to one user or to all users of the computer, on which it is installed.

• Per-User - Install the Light Endpoint Identity Agent only for the user who does the installation. Administrator permissions are not required for this installation.
• Per Computer - Install any Endpoint Identity Agent type for all users on the computer. Administrator permissions are required for this installation type, even for the Light Endpoint Identity Agent type.

Installation UI

Select one of these end user interaction options:

• FULL (Default) - Interactive installation where the end user sees the full installation interface and can select options.
• BASIC - Non-interactive installation where the end user only sees a progress bar and a Cancel button.

Endpoint Identity Agent Type

Select the type of Endpoint Identity Agent to install:

• Full – Predefined Endpoint Identity Agent includes packet tagging and computer authentication. It applies to all users of the computer that it is installed on. Administrator permissions are required to use the Full Endpoint Identity Agent type.
• Light – Predefined Endpoint Identity Agent that does not include packet tagging and computer authentication. You can install this Endpoint Identity Agent individually for each user on the target computer. Administrator permissions are not required. You must select the Per-Computer installation type for this agent type.
• Terminal Servers - Predefined Endpoint Identity Agent that installs MAD services and the Multi-user host driver on Citrix and Terminal Servers. This Endpoint Identity Agent type cannot be used for endpoint computers.
• Custom - Configure custom features for all computers that use this agent, such as MAD services and packet tagging.

Custom Features

Select these features for the Custom Endpoint Identity Agent type:

• MAD Service - Install MAD (Managed Asset Detection) services for Kerberos SSO and computer authentication.
• Packet Tagging - Install the packet tagging driver to enable anti-spoofing protection. The driver signs every packet that is sent from the computer. This setting is required if you have Firewall rules that use Access Roles and IP Spoofing is enabled.

Copy configuration

• Copy configuration from this computer - Copy Endpoint Identity Agent configuration settings from this computer to other computers running a custom MSI file.

Save

Click to save this configuration to a custom MSI file. Enter a name for the MSI file.

Deploying a Custom Endpoint Identity Agent with the Captive Portal

To deploy a custom Endpoint Identity Agent with the Captive Portal:

1. Upload the custom customAgent.msi package to the /opt/CPNacPortal/htdocs/nacclients/ directory on the Security Gateway.
2. Configure the Captive Portal to distribute the custom Endpoint Identity Agent:
   1. In SmartConsole, open the Identity Awareness Gateway object.
   2. Go to the Identity Awareness pane.
   3. Click on the Browser-Based Authentication Settings button.
   4. Change the Require users to download value to Identity Agent - Custom.
   5. Click OK.
3. Install the Access Policy.