Creating Custom Endpoint Identity Agents

Custom Endpoint Identity Agents

You can use the Identity Awareness Configuration Utility (IAConfigTool.exe), which is installed as part of Endpoint Identity Agent, to create custom Endpoint Identity Agent installation packages. Endpoint Identity Agents have many advanced configuration parameters. Some of these parameters relate to the installation process, and others relate to Endpoint Identity Agent functionality. All configuration parameters have default values that are deployed with the product and can remain unchanged.

Endpoint Identity Agent types and their descriptions:

  • Full: Predefined Endpoint Identity Agent that includes packet tagging and computer authentication. It applies to all users of the computer on which it is installed. Administrator permissions are required to use the Full Endpoint Identity Agent type.
  • Light: Predefined Endpoint Identity Agent that does not include packet tagging and computer authentication. You can install this Endpoint Identity Agent individually for each user on the target computer. Administrator permissions are not required.
  • Terminal Servers: Predefined Endpoint Identity Agent that installs Managed Asset Detection (MAD) services and the Multi-user host driver on Citrix and Terminal Servers. This Endpoint Identity Agent type cannot be used for endpoint computers.
  • Custom: Lets you configure custom features for all computers that use this agent, such as MAD services and packet tagging.

Installing Microsoft .NET Framework

You must install Microsoft .NET Runtime framework 4.0 or higher before you install and run the Endpoint Identity Agent Configuration Tool.

To install the .NET Runtime Framework v4.0:

  1. Download the .NET v4.0 installation package.
  2. When prompted to start the installation immediately, click Run.
  3. Follow the instructions on the screen.

Working with the Endpoint Identity Agent Configuration Tool

Getting the source MSI File

To create a custom Endpoint Identity Agent installation package, you must first copy the customizable MSI file from the Security Gateway to your management computer. This is the computer on which you use the Endpoint Identity Agent Configuration Tool.

To get the customizable MSI file:

  1. Copy this file from the Security Gateway running on Gaia to your management computer:

    /opt/CPNacPortal/htdocs/nac/nacclients/customAgent.msi

  2. Make a backup copy of this file on your management computer with a different name.

    You must use the original copy of the MSI file when you work with the Endpoint Identity Agent Configuration Tool.

Running the Endpoint Identity Agent Configuration Tool

You must install Endpoint Identity Agent v2.0 or above (from Security Gateway R77 or above) on your management client computer. The Configuration Tool is installed in the Endpoint Identity Agent installation directory.

To install the Endpoint Identity Agent on your client computer:

  1. Copy these agents from the Security Gateway to your management computer:
    • Full Endpoint Identity Agent:
      /opt/CPNacPortal/htdocs/nac/nacclients/fullAgent.exe
    • Light Endpoint Identity Agent:
      /opt/CPNacPortal/htdocs/nac/nacclients/lightAgent.exe
  2. Run one of these executable files as applicable for your environment.
  3. Follow the instructions on the screen.

To run the Endpoint Identity Agent Configuration Tool:

  1. Go to the Endpoint Identity Agent installation directory.
    1. Click Start > All Programs > Check Point > Endpoint Identity Agent.
    2. Right-click the Endpoint Identity Agent shortcut and select Properties from the menu.
    3. Click Open File Location (Find Target in some Windows versions).
  2. Double-click IAConfigTool.exe.

    The Endpoint Identity Agent Configuration Tool opens.

Configuring the Endpoint Identity Agent

You configure all features and options in the Endpoint Identity Agent Configuration Tool window.

MSI Package Path

Enter or browse to the source installation package. You must use a Check Point customizable MSI file as the source for the configuration tool.

Installation Type

Select whether the Endpoint Identity Agent applies to one user or to all users of the computer on which it is installed.

Installation UI

Select one of these end user interaction options:

Endpoint Identity Agent Type

Select the type of Endpoint Identity Agent to install:

Custom Features

Select these features for the Custom Endpoint Identity Agent type:

Copy configuration

Save

Click to save this configuration to a custom MSI file. Enter a name for the MSI file.

Deploying a Custom Endpoint Identity Agent with the Captive Portal

To deploy a custom Endpoint Identity Agent with the Captive Portal:

  1. Upload the custom customAgent.msi package to the /opt/CPNacPortal/htdocs/nacclients/ directory on the Security Gateway.
  2. Configure the Captive Portal to distribute the custom Endpoint Identity Agent:
    1. In SmartConsole, open the Identity Awareness Gateway object.
    2. Go to the Identity Awareness pane.
    3. Click on the Browser-Based Authentication Settings button.
    4. Change the Require users to download value to Identity Agent - Custom.
    5. Click OK.
  3. Install the Access Policy.
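
Because the Captive Portal hands the uploaded package to every user who authenticates, it helps to keep a hash record of the source, backup and custom MSI files on the management computer. The script below is an added example, not Check Point code; the working folder, the backup and custom file names, and the manifest name msi-hashes.csv are assumptions.

```powershell
# Added example, not Check Point code. Assumed names: the working folder,
# the backup and custom file names, and the manifest file.
param(
    [string]$WorkDir   = 'C:\IA-Custom',           # assumed working folder
    [string]$SourceMsi = 'customAgent.msi',        # file copied from the gateway
    [string]$BackupMsi = 'customAgent.orig.msi',   # assumed backup name
    [string]$CustomMsi = 'customAgent.custom.msi'  # assumed name entered at Save
)
$ErrorActionPreference = 'Stop'

$source = Join-Path $WorkDir $SourceMsi
$backup = Join-Path $WorkDir $BackupMsi
$custom = Join-Path $WorkDir $CustomMsi

if (-not (Test-Path -LiteralPath $source)) { throw "Source MSI not found: $source" }

# Create the backup once and mark it read-only so later runs never overwrite it.
if (-not (Test-Path -LiteralPath $backup)) {
    Copy-Item -LiteralPath $source -Destination $backup
    Set-ItemProperty -LiteralPath $backup -Name IsReadOnly -Value $true
}

# Record SHA-256 and Authenticode status for every package that exists.
$records = foreach ($path in @($source, $backup, $custom)) {
    if (Test-Path -LiteralPath $path) {
        [pscustomobject]@{
            File      = Split-Path -Leaf $path
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Signature = (Get-AuthenticodeSignature -FilePath $path).Status
            Checked   = (Get-Date).ToString('s')
        }
    }
}
$manifest = Join-Path $WorkDir 'msi-hashes.csv'
$records | Export-Csv -LiteralPath $manifest -NoTypeInformation -Append

# The working copy should still match the backup; a mismatch means it was altered.
$src = $records | Where-Object File -eq $SourceMsi
$bak = $records | Where-Object File -eq $BackupMsi
if ($src.SHA256 -ne $bak.SHA256) {
    Write-Warning "$SourceMsi no longer matches its backup $BackupMsi."
}

$records | Format-Table -AutoSize
```

After the upload, compare the SHA256 value recorded for the custom package with a hash computed on the Security Gateway copy before you change the Captive Portal setting.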