To deploy Terminal Servers Endpoint Identity Agent:
Go to sk134312 to download the Terminal Servers Endpoint Identity Agent.
Make sure you open the link from a location defined in the Terminal Servers Accessibility setting (Identity Awareness Gateway properties > Identity Awareness > Terminal Servers > Settings > Edit).
There is no option to upgrade the Terminal Servers Endpoint Identity Agent when you upgrade a Security Gateway to a newer version. You must manually install the new version of the Terminal Servers Endpoint Identity Agent on the Citrix or Terminal Server.
You must configure the same password as a shared secret in the Terminal Servers Endpoint Identity Agent on the application server that hosts the Terminal/Citrix services and on the Security Gateway enabled with Identity Awareness. The shared secret enables secure communication and lets the Security Gateway trust the application server with the Terminal Servers functionality.
The shared secret must contain at least 1 digit, 1 lowercase character, 1 uppercase character, no more than three consecutive digits, and must be eight characters long. In SmartConsole, you can automatically generate a shared secret that matches these conditions.
To configure the shared secret on the Identity Awareness gateway:
The generated password is shown in the Pre-shared secret field.
Note the strength of the password in the Indicator.
To configure the shared secret on the application server:
The Check Point Endpoint Identity Agent - Terminal Servers main window opens.
The options are based on the topology configured for the gateway:
- Through all interfaces
- Through internal interfaces
  - Including undefined internal interfaces
  - Including DMZ internal interfaces
  - Including VPN encrypted interfaces
- According to the Firewall policy - Select this if there is a rule that states who can access the portal.

The Users tab in the Terminal Servers Endpoint Identity Agent main window shows a table with information about all users that are actively connected to the application server that hosts the Terminal/Citrix services.
Table Field | Description
---|---
ID | The SID of the user.
User | The user and domain name. The format used:
TCP Ports | The ports allocated to the user for TCP traffic.
UDP Ports | The ports allocated to the user for UDP traffic.
Authentication Status | Indicates whether this user is authenticated on the gateway.
The ID and User field information is automatically updated from processes running on the application server. The Terminal Servers Endpoint Identity Agent assigns TCP and UDP port ranges for each connected user.
In the Terminal Servers Endpoint Identity Agent main window, click Advanced > Terminal Servers Settings.
Advanced users can change these settings when necessary.
Best Practice - We highly recommend that you keep the default values if you are not an advanced user.
Changes are applied to new users that log in to the application server after the settings are saved in the Terminal Servers Endpoint Identity Agent. Users that are currently logged in keep the older settings.
Advanced Setting | Description
---|---
Excluded TCP Ports | Ports included in this range will not be assigned to any user for TCP traffic. This field accepts a port range or list of ranges (separated with a semicolon).
Excluded UDP Ports | Ports included in this range will not be assigned to any user for UDP traffic. This field accepts a port range or list of ranges (separated with a semicolon).
Maximum Ports Per User | The maximum number of ports that can be assigned to a user in each of the TCP and UDP port ranges.
Ports Reuse Timeout (seconds) | The number of seconds the system waits until it assigns a port to a new user after it has been released by another user.
Errors History Size | N/A
Gateway Shared Secret | The same password that is set on the gateway that enables trusted communication between the Security Gateway and the application server.
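Added example (not Check Point code): a small Python model of how the Excluded Ports, Maximum Ports Per User and Ports Reuse Timeout settings interact when the agent hands a port range to a newly logged-in user and the gateway maps a source port back to that user. The PortAllocator class, its first-fit allocation order, the allocatable pool and the simulated clock passed as `now` are assumptions for illustration; the real agent's allocation algorithm is not described on this page.

```python
from typing import Dict, List, Optional, Tuple

def parse_port_ranges(spec: str) -> List[Tuple[int, int]]:
    """Parse an Excluded Ports value such as '1025-1030;3389' (ranges separated by ';')."""
    ranges = []
    for part in filter(None, (p.strip() for p in spec.split(";"))):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)   # a single port is a one-port range
        if not (1 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"invalid port range: {part!r}")
        ranges.append((lo_i, hi_i))
    return ranges

class PortAllocator:
    """Hypothetical per-user allocator for one protocol (TCP or UDP); times are seconds."""
    def __init__(self, excluded: str, max_ports_per_user: int, reuse_timeout: float,
                 pool: Tuple[int, int] = (1025, 65535)):
        self.excluded = parse_port_ranges(excluded)   # Excluded TCP/UDP Ports
        self.max_ports = max_ports_per_user            # Maximum Ports Per User
        self.reuse_timeout = reuse_timeout             # Ports Reuse Timeout (seconds)
        self.pool = pool                               # assumed allocatable range
        self.assigned: Dict[str, List[int]] = {}       # user SID -> ports held
        self.released: Dict[int, float] = {}           # port -> time it was released

    def owner(self, port: int) -> Optional[str]:
        """Map a source port back to the user SID, as the gateway must for identity."""
        return next((sid for sid, ports in self.assigned.items() if port in ports), None)

    def _usable(self, port: int, now: float) -> bool:
        if any(lo <= port <= hi for lo, hi in self.excluded) or self.owner(port) is not None:
            return False
        released_at = self.released.get(port)
        return released_at is None or now - released_at >= self.reuse_timeout

    def assign(self, sid: str, now: float) -> List[int]:
        """Give a newly logged-in user max_ports ports, first-fit, skipping unusable ones."""
        ports: List[int] = []
        for port in range(self.pool[0], self.pool[1] + 1):
            if len(ports) == self.max_ports:
                break
            if self._usable(port, now):
                ports.append(port)
        if len(ports) < self.max_ports:
            raise RuntimeError("port pool exhausted: lower Maximum Ports Per User")
        self.assigned[sid] = ports
        return ports

    def release(self, sid: str, now: float) -> None:
        """User logged off: ports become reusable only after the reuse timeout."""
        for port in self.assigned.pop(sid, []):
            self.released[port] = now
```

A port reused too early would let the gateway attribute a new session to the user who just logged off, which is why the reuse timeout matters for identity accuracy.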