Creating Custom Endpoint Identity Agents

Custom Endpoint Identity Agents

You can use the Identity Awareness Configuration Utility to create custom Endpoint Identity Agent installation packages (the Identity Awareness Configuration Utility - IAConfigTool.exe - is installed as part of Endpoint Identity Agent). Endpoint Identity Agents have many advanced configuration parameters. Some of these parameters are related to the installation process, while others are related to Endpoint Identity Agent functionality. All of the configuration parameters have default values that are deployed with the product and can remain unchanged.

Endpoint Identity Agent Type	Description
Full	Predefined Endpoint Identity Agent that includes packet tagging and computer authentication. It applies to all users of the computer, on which it is installed. Administrator permissions are required to use the Full Endpoint Identity Agent type.
Light	Predefined Endpoint Identity Agent that does not include packet tagging and computer authentication. You can install this Endpoint Identity Agent individually for each user on the target computer. Administrator permissions are not required.
Terminal Servers	Predefined Endpoint Identity Agent that installs Managed Asset Detection (MAD) services and the Multi-user host driver on Citrix and Terminal Servers. This Endpoint Identity Agent type cannot be used for endpoint computers.
Custom	Lets you configure custom features for all computers that use this agent, such as MAD services and packet tagging.

Installing Microsoft .NET Framework

You must install Microsoft .NET Runtime framework 4.0 or higher before you install and run the Endpoint Identity Agent Configuration Tool.

To install the .NET Runtime Framework v4.0:

1. Download the .NET v4.0 installation package.
2. When prompted to start the installation immediately, click Run.
3. Follow the instructions on the screen.

Working with the Endpoint Identity Agent Configuration Tool

Getting the source MSI File

To create a custom Endpoint Identity Agent installation package, you must first copy the customizable MSI file from the Security Gateway to your management computer. This is the computer, on which you use the Endpoint Identity Agent Configuration Tool.

To get the customizable MSI file:

1. Copy this file from the Security Gateway running on Gaia to your management computer:

   /opt/CPNacPortal/htdocs/nac/nacclients/customAgent.msi

2. Make a backup copy of this file on your management computer with a different name.

   You must use the original copy of the MSI file when you work with the Endpoint Identity Agent Configuration Tool.

Running the Endpoint Identity Agent Configuration Tool

You must install Endpoint Identity Agent v2.0 or above (from Security Gateway R77 or above) on your management client computer. The Configuration Tool is installed in the Endpoint Identity Agent installation directory.

To install the Endpoint Identity Agent on your client computer:

1. Copy these agents from the Security Gateway to your management computer:
   • Full Endpoint Identity Agent:
     /opt/CPNacPortal/htdocs/nac/nacclients/fullAgent.exe
   • Light Endpoint Identity Agent:
     /opt/CPNacPortal/htdocs/nac/nacclients/lightAgent.exe
2. Run one of these executable files as applicable for your environment.
3. Follow the instructions on the screen.

To run the Endpoint Identity Agent Configuration Tool:

1. Go to the Endpoint Identity Agent installation directory.
   1. Click Start > All Programs > Check Point > Endpoint Identity Agent.
   2. Right-click the Endpoint Identity Agent shortcut and select Properties from the menu.
   3. Click Open File Location (Find Target in some Windows versions).
2. Double-click IAConfigTool.exe.

   The Endpoint Identity Agent Configuration Tool opens.

Configuring the Endpoint Identity Agent

You configure all features and options in the Endpoint Identity Agent Configuration Tool window.

MSI Package Path

Enter or browse to the source installation package. You must use a Check Point customizable MSI file as the source for the configuration tool.

Installation Type

Select whether the Endpoint Identity Agent applies to one user or to all users of the computer, on which it is installed.

• Per-User - Install the Light Endpoint Identity Agent only for the user who does the installation. Administrator permissions are not required for this installation.
• Per Computer - Install any Endpoint Identity Agent type for all users on the computer. Administrator permissions are required for this installation type, even for the Light Endpoint Identity Agent type.

Installation UI

Select one of these end user interaction options:

• FULL (Default) - Interactive installation where the end user sees the full installation interface and can select options.
• BASIC - Non-interactive installation where the end user only sees a progress bar and a Cancel button.

Endpoint Identity Agent Type

Select the type of Endpoint Identity Agent to install:

• Full – Predefined Endpoint Identity Agent includes packet tagging and computer authentication. It applies to all users of the computer that it is installed on. Administrator permissions are required to use the Full Endpoint Identity Agent type.
• Light – Predefined Endpoint Identity Agent that does not include packet tagging and computer authentication. You can install this Endpoint Identity Agent individually for each user on the target computer. Administrator permissions are not required. You must select the Per-Computer installation type for this agent type.
• Terminal Servers - Predefined Endpoint Identity Agent that installs MAD services and the Multi-user host driver on Citrix and Terminal Servers. This Endpoint Identity Agent type cannot be used for endpoint computers.
• Custom - Configure custom features for all computers that use this agent, such as MAD services and packet tagging.

Custom Features

Select these features for the Custom Endpoint Identity Agent type:

• MAD Service - Install MAD (Managed Asset Detection) services for Kerberos SSO and computer authentication.
• Packet Tagging - Install the packet tagging driver to enable anti-spoofing protection. The driver signs every packet that is sent from the computer. This setting is required if you have Firewall rules that use Access Roles and IP Spoofing is enabled.

Copy configuration

• Copy configuration from this computer - Copy Endpoint Identity Agent configuration settings from this computer to other computers running a custom MSI file.

Save

Click to save this configuration to a custom MSI file. Enter a name for the MSI file.

Deploying a Custom Endpoint Identity Agent with the Captive Portal

To deploy a custom Endpoint Identity Agent with the Captive Portal:

1. Upload the custom customAgent.msi package to the /opt/CPNacPortal/htdocs/nacclients/ directory on the Security Gateway.
2. Configure the Captive Portal to distribute the custom Endpoint Identity Agent:
   1. In SmartConsole, open the Identity Awareness Gateway object.
   2. Go to the Identity Awareness pane.
   3. Click on the Browser-Based Authentication Settings button.
   4. Change the Require users to download value to Identity Agent - Custom.
   5. Click OK.
3. Install the Access Policy.