Configuring Endpoint Identity Agents

Endpoint Identity Agent Deployment Methods

There are different Endpoint Identity Agent deployment methods:

Using Captive Portal - You can require users to download the Endpoint Identity Agent from the Captive Portal. You can also let users install the Endpoint Identity Agent on a specified later date and not right away. During installation, the Endpoint Identity Agent automatically detects if there are administrator permissions on the computer or not and installs itself accordingly.
Notes:
- When you deploy the Full Endpoint Identity Agent, the user that installs the client must have administrator rights on the computer. If the user does not have administrator permissions, the Light Endpoint Identity Agent is installed instead.
- When users authenticate with the transparent portal, the download link does not show. They must install the agent from the distribution media.
Using distribution software - You can deploy the Endpoint Identity Agent with distribution software. You can find the MSI installation files (Light and Full) on the Identity Awareness Gateway: $NACPORTAL_HOME/htdocs/nac/nacclients/customAgent.msi

Configuring Endpoint Identity Agent Deployment from Captive Portal

To configure Endpoint Identity Agent deployment from Captive Portal:

From the Identity Awareness page, select the Endpoint Identity Agents checkbox.
Select Browser-Based Authentication and click Settings.
From the Portal Settings window, select the Require users to download checkbox to make users install the Endpoint Identity Agent. Select which Endpoint Identity Agent they must install. If you select this option and you do not select the defer option, users will can only access the network if they install the Endpoint Identity Agent.
To give users flexibility to choose when they install the Endpoint Identity Agent, select Users may defer installation until. Select the date by which they must install it. Until that date a Skip Endpoint Identity Agent installation option shows in the Captive Portal.
Click OK.

Configuring Endpoint Identity Agent Deployment for User Groups

When necessary, you can configure specific groups to download the Endpoint Identity Agent. For example, if you have a group of mobile users that roam and it is necessary for them to stay connected as they move between networks.

To configure Endpoint Identity Agent deployment for user groups:

From the Identity Awareness page, select the Endpoint Identity Agent checkbox.
Select Browser-Based Authentication and click Settings.
Select Name and password login and click Settings.
Select Adjust portal settings for specific user groups - You can add user groups and give them settings that are different from other users. Settings specified for a user group here override settings configured elsewhere in the Portal Settings. The options that you configure for each user group are:
- If they must accept a user agreement.
- If they must download the Endpoint Identity Agent and which one.
- If they can defer the Endpoint Identity Agent installation and until when.
Click OK.

Configuring Endpoint Identity Agents in SmartConsole

In the Identity Sources section of the Identity Awareness page, select Endpoint Identity Agents to configure Endpoint Identity Agent settings.

To configure the Endpoint Identity Agent settings:

Select Endpoint Identity Agents and click Settings.
From the Endpoint Identity Agents Settings window, configure:
- Endpoint Identity Agent Access Settings
  Click Edit to open the Portal Access Settings window. In this window, you can configure:
  - Main URL - The primary URL that users are redirected to for the Captive Portal. You might have already configured this in the Identity Awareness Configuration wizard.
  - Aliases - Click the Aliases button to Add URL aliases that are redirected to the main portal URL. For example, ID.yourcompany.com can send users to the Captive Portal. To make the alias work, it must be resolved to the main URL on your DNS server.
  - Certificate - Click Import to import a certificate for the portal website to use. If you do not import a certificate, the portal uses a Check Point auto-generated certificate. This can cause browser warnings if the browser does not recognize Check Point as a trusted Certificate Authority. See Server Certificates for more details.
  - Accessibility - Click Edit to select from where the portal can be accessed. You might have already configured this in the Identity Awareness Wizard. The options are based on the topology configured for the Security Gateway.
    Users are sent to the Captive Portal, if they use networks connected to these interfaces.
    - Through all interfaces
    - Through internal interfaces
      Including undefined internal interfaces
      Including DMZ internal interfaces
      Including VPN encrypted interfaces
    - According to the Firewall policy - Select this if there is a rule that states who can access the portal.
- Authentication Settings
  Click Settings to open the Authentication Settings window. In this window you can configure:
  - Browser transparent Single Sign-On - Select Automatically authenticate users from computers in the domain if Transparent Kerberos Authentication is used to identify users.
    - Main URL: The URL used to begin the SSO process. If transparent authentication fails, users are redirected to the configured Captive Portal. This URL contains the DNS name or IP address of Identity Awareness Gateway.
    Note - The Endpoint Identity Agent download link and the Automatic Logout option are ignored when Transparent Kerberos Authentication SSO is successful. This is so because users do not see the Captive Portal.
  - Authentication Method - Select one method that known users must use to authenticate.
    - Defined on user record (Legacy Authentication) - Takes the authentication method from Gateway Object Properties > Other > Legacy Authentication.
    - User name and password - This can be configured internally or on an LDAP server.
    - RADIUS - A configured RADIUS server. Select the server from the list.
  - User Directories - Select one or more places where the Security Gateway searches to find users when they try to authenticate.
    - Internal users - The directory of internal users.
    - LDAP users - The directory of LDAP users. Either:
      Any - Users from all LDAP servers.
      Specific - Users from an LDAP server that you select.
    - External user profiles - The directory of users who have external user profiles.
  The default is that all user directory options are selected. You might choose only one or two options if users are only from a specified directory or directories and you want to maximize Security Gateway performance when users authenticate. Users with identical user names must log in with domain\user.
- Session details
- Endpoint Identity Agent Upgrades

Endpoint Identity Agent Access

Click Edit to select from where the Endpoint Identity Agent can be accessed. The options are based on the topology configured for the Security Gateway.

Users can communicate with the servers if they use networks connected to these interfaces.

Through all interfaces
Through internal interfaces
- Including undefined internal interfaces
- Including DMZ internal interfaces
- Including VPN encrypted interfaces
According to the Firewall Policy - the Endpoint Identity Agent is accessible through interfaces associated with source networks that appear in access rules used in the Firewall Policy.

Session

Configure data for the logged in session using the Endpoint Identity Agent.

Agents send keepalive every X minutes - The interval, at which the Endpoint Identity Agent sends a keepalive signal to the Security Gateway. The keepalive is used as the server assumes the user logged out if it is not sent. Lower values affect bandwidth and network performance.
Users should re-authenticate every XXX minutes - For how long can users access network resources before they have to authenticate again. When using SSO, this is irrelevant.
Allow user to save password - When SSO is not enabled, you can let users save the passwords they enter in the Endpoint Identity Agent login window.

Endpoint Identity Agent Upgrades

Configure data for Endpoint Identity Agent upgrades.

Check agent upgrades for - You can select all users or select specific user groups that should be checked for Endpoint Identity Agent upgrades.
Upgrade only non-compatible versions - the system will only upgrade versions that are no longer compatible.
Keep agent settings after upgrade - settings made by users before the upgrade are saved.
Upgrade agents silently (without user intervention) - the Endpoint Identity Agent is automatically updated in the background without asking the user for upgrade confirmation.

Note - When you install or upgrade the Full Endpoint Identity Agent version, the user will experience a momentary loss of connectivity.

Troubleshooting Authentication Issues

Some users cannot authenticate with the Endpoint Identity Agent

This issue can occur in Kerberos environments with a very large Domain Controller database. The authentication failure occurs when the CCC message size is larger than the default maximum size. You can increase the maximum CCC message size to prevent this error.

To increase the maximum CCC message size, use the procedure in sk66087.

Transparent Portal Authentication fails for some users

This issue can occur for users that try to authenticate with Kerberos authentication with the transparent portal. The user sees a 400 Bad Request page with this message:

Your browser sent a request that this server could not understand.

Size of a request header field exceeds server limit.

The authentication failure occurs because the HTTP request header is larger than the default maximum size. You increase the maximum HTTP request header to prevent this error.

To increase the maximum HTTP request header size, use the procedure in sk92802.