
Advanced Endpoint Identity Agents Configuration

In This Section:

Customizing Parameters

Advanced Endpoint Identity Agent Options

Customizing Parameters

You can change settings for Endpoint Identity Agent parameters to control Endpoint Identity Agent behavior. You can change some of the settings in SmartConsole and others using the Endpoint Identity Agent Configuration tool.

To change Endpoint Identity Agents parameters in SmartConsole:

  1. In SmartConsole, go to Menu > Global properties.

    The Global Properties window opens.

  2. In the left navigation tree, click Advanced > Configure.
  3. Go to Identity Awareness > Agent.
  4. Change the Endpoint Identity Agents parameters.
  5. Click OK.

This is a sample list of parameters that you can change:

Parameter - Description

nac_agent_disable_settings - Whether users can right-click the Endpoint Identity Agent client (umbrella icon on their desktops) and change settings.

nac_agent_email_for_sending_logs - A default email address to which client troubleshooting information is sent.

nac_agent_disable_quit - Whether users can right-click the Endpoint Identity Agent client (umbrella icon on their desktops) and close the agent.

nac_agent_disable_tagging - Whether to disable the packet tagging feature that prevents IP spoofing.

nac_agent_hide_client - Whether to hide the client (the umbrella icon does not show on users' desktops).

Advanced Endpoint Identity Agent Options

Kerberos SSO Compliance

The Identity Awareness Single Sign-On (SSO) solution for Endpoint Identity Agents lets you transparently authenticate users who are logged in to the domain. This means that a user authenticates to the domain one time and has access to all authorized network resources without additional authentication.

Endpoint Identity Agents give you SSO in Windows domains with the Kerberos authentication protocol. Kerberos is the default authentication protocol used in Windows 2000 and above.

The Kerberos protocol is based on the idea of tickets: encrypted data packets issued by a trusted authority, which in this case is the Active Directory (AD). When a user logs in, the user authenticates to a domain controller, which provides an initial ticket granting ticket (TGT). This ticket vouches for the user's identity. When the user needs to authenticate against the Identity Awareness Gateway, the Endpoint Identity Agent presents this ticket to the domain controller and requests a service ticket (SR) for a specific resource (the Security Gateway that Endpoint Identity Agents connect to). The Endpoint Identity Agent then presents this service ticket to the Security Gateway, which grants access.

How SSO Works

This is the workflow for SSO (Single Sign On):

  1. The user logs in to the computer and authenticates to the AD server.
  2. The AD sends an initial ticket (TGT) to the computer.
  3. The Endpoint Identity Agent connects to the Security Gateway, which then requests the identity.
  4. The Endpoint Identity Agent requests an SR (service ticket) for the Security Gateway and presents the TGT to the AD server.
  5. The AD server sends the SR to the computer.

    The user name is encrypted with the shared secret between the Security Gateway and the AD server.

  6. The Endpoint Identity Agent sends the SR to the Security Gateway.
  7. The Security Gateway uses the shared secret to decrypt the ticket and confirms the user identity.
  8. The user can access the Data Center.

Item - Description

1 - Computer for the user

2 - Active Directory Domain Controller server

3 - Identity Awareness Gateway

4 - Data Center servers

SSO Configuration

SSO configuration includes two steps:

AD Configuration

To use Kerberos with AD, create a Kerberos principal name for the Check Point Security Gateway service and map it to a new account in the domain.

Use the setspn.exe utility. Make sure you have the correct version.

Important - If you used the setspn utility before with the same principal name but with a different account, you must delete that account or remove its association to the principal name.
To remove the association, run:
setspn -D ckp_pdp/<domain_full_dns_name> <old_account name>

If you do not do this, authentication fails.

To configure AD for Kerberos:

  1. Make a new user account.
  2. Open the command line (Start > Run > cmd).
  3. Run:
    setspn -A ckp_pdp/<domain_full_dns_name> <username>

To see the accounts associated with the principal name, run: setspn -Q ckp_pdp*/*

When done, configure an Account Unit in SmartConsole to use this account.
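The stale-registration failure described above (the same ckp_pdp SPN left on a different account) is easy to miss with setspn alone. The following PowerShell script is an added example, not Check Point tooling: it assumes the RSAT ActiveDirectory module and an account allowed to edit the service account, checks which objects hold ckp_pdp/<domain_full_dns_name>, and only with -Fix removes the duplicate and registers the SPN on the intended account (the equivalents of the setspn -D and setspn -A commands above). $DomainFqdn and $ServiceAccount are placeholders for your own values.

```powershell
# Added example: verify the ckp_pdp/<domain> SPN is held only by the intended service account.
# Assumes the RSAT ActiveDirectory module; report-only unless -Fix is given.
param(
    [Parameter(Mandatory)][string]$DomainFqdn,      # the domain's full DNS name (placeholder)
    [Parameter(Mandatory)][string]$ServiceAccount,  # sAMAccountName of the new user account (placeholder)
    [switch]$Fix                                    # actually move the SPN; default only reports
)
Import-Module ActiveDirectory

$spn = "ckp_pdp/$DomainFqdn"

# Kerberos SPNs must be unique; find every directory object that currently carries this one.
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
$target  = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName

# Any holder other than the intended account is the situation the Important note warns about.
$others = @($holders | Where-Object { $_.DistinguishedName -ne $target.DistinguishedName })

if ($others.Count -eq 0 -and $target.servicePrincipalName -contains $spn) {
    Write-Output "OK: $spn is registered only on $ServiceAccount."
    return
}

foreach ($o in $others) {
    Write-Warning "$spn is also registered on $($o.DistinguishedName); gateway SSO fails until it is removed."
    if ($Fix) {
        # Same effect as: setspn -D ckp_pdp/<domain_full_dns_name> <old_account name>
        Set-ADObject -Identity $o.DistinguishedName -Remove @{servicePrincipalName = $spn}
    }
}

if ($target.servicePrincipalName -notcontains $spn) {
    if ($Fix) {
        # Same effect as: setspn -A ckp_pdp/<domain_full_dns_name> <username>
        Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{Add = $spn}
        Write-Output "Registered $spn on $ServiceAccount."
    } else {
        Write-Output "$spn is not yet on $ServiceAccount; rerun with -Fix to register it."
    }
}
```

Run it once without -Fix after the Account Unit is configured to confirm the SPN mapping before testing SSO from a client.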