Creating Custom Identity Agents

Custom Identity Agents

You can use the Identity Awareness Configuration Utility to create custom Identity Agent installation packages (the Identity Awareness Configuration Utility - IAConfigTool.exe - is installed as part of Identity Agent). Identity Agents have many advanced configuration parameters. Some of these parameters are related to the installation process, while others are related to Identity Agent functionality. All of the configuration parameters have default values that are deployed with the product and can remain unchanged.

Identity Agent Type	Description
Full	Predefined Identity Agent that includes packet tagging and computer authentication. It applies to all users of the computer, on which it is installed. Administrator permissions are required to use the Full Identity Agent type.
Light	Predefined Identity Agent that does not include packet tagging and computer authentication. You can install this Identity Agent individually for each user on the target computer. Administrator permissions are not required.
Terminal Servers	Predefined Identity Agent that installs Managed Asset Detection (MAD) services and the Multi-user host driver on Citrix and Terminal Servers. This Identity Agent type cannot be used for endpoint computers.
Custom	Lets you configure custom features for all computers that use this agent, such as MAD services and packet tagging.

Installing Microsoft .NET Framework

You must install Microsoft .NET Runtime framework 4.0 or higher before you install and run the Identity Agent Configuration Tool.

To install the .NET Runtime Framework v4.0:

1. Download the .NET v4.0 installation package.
2. When prompted to start the installation immediately, click Run.
3. Follow the instructions on the screen.

Working with the Identity Agent Configuration Tool

Getting the source MSI File

To create a custom Identity Agent installation package, you must first copy the customizable MSI file from the Security Gateway to your management computer. This is the computer, on which you use the Identity Agent Configuration Tool.

To get the customizable MSI file:

1. Copy this file from the Security Gateway running on Gaia to your management computer:

   /opt/CPNacPortal/htdocs/nac/nacclients/customAgent.msi

2. Make a backup copy of this file on your management computer with a different name.

   You must use the original copy of the MSI file when you work with the Identity Agent Configuration Tool.

Running the Identity Agent Configuration Tool

You must install Identity Agent v2.0 or above (from Security Gateway R77 or above) on your management client computer. The Configuration Tool is installed in the Identity Agent installation directory.

To install the Identity Agent on your client computer:

1. Copy these agents from the Security Gateway to your management computer:
   • Full Identity Agent:
     /opt/CPNacPortal/htdocs/nac/nacclients/fullAgent.exe
   • Light Identity Agent:
     /opt/CPNacPortal/htdocs/nac/nacclients/lightAgent.exe
2. Run one of these executable files as applicable for your environment.
3. Follow the instructions on the screen.

To run the Identity Agent Configuration Tool:

1. Go to the Identity Agent installation directory.
   1. Click Start > All Programs > Check Point > Identity Agent.
   2. Right-click the Identity Agent shortcut and select Properties from the menu.
   3. Click Open File Location (Find Target in some Windows versions).
2. Double-click IAConfigTool.exe.

   The Identity Agent Configuration Tool opens.

Configuring the Identity Agent

You configure all features and options in the Identity Agent Configuration Tool window.

MSI Package Path

Enter or browse to the source installation package. You must use a Check Point customizable MSI file as the source for the configuration tool.

Installation Type

Select whether the Identity Agent applies to one user or to all users of the computer, on which it is installed.

• Per-User - Install the Light Identity Agent only for the user who does the installation. Administrator permissions are not required for this installation.
• Per Computer - Install any Identity Agent type for all users on the computer. Administrator permissions are required for this installation type, even for the Light Identity Agent type.

Installation UI

Select one of these end user interaction options:

• FULL (Default) - Interactive installation where the end user sees the full installation interface and can select options.
• BASIC - Non-interactive installation where the end user only sees a progress bar and a Cancel button.

Identity Agent Type

Select the type of Identity Agent to install:

• Full – Predefined Identity Agent includes packet tagging and computer authentication. It applies to all users of the computer that it is installed on. Administrator permissions are required to use the Full Identity Agent type.
• Light – Predefined Identity Agent that does not include packet tagging and computer authentication. You can install this Identity Agent individually for each user on the target computer. Administrator permissions are not required. You must select the Per-Computer installation type for this agent type.
• Terminal Servers - Predefined Identity Agent that installs MAD services and the Multi-user host driver on Citrix and Terminal Servers. This Identity Agent type cannot be used for endpoint computers.
• Custom - Configure custom features for all computers that use this agent, such as MAD services and packet tagging.

Custom Features

Select these features for the Custom Identity Agent type:

• MAD Service - Install MAD (Managed Asset Detection) services for Kerberos SSO and computer authentication.
• Packet Tagging - Install the packet tagging driver to enable anti-spoofing protection. The driver signs every packet that is sent from the computer. This setting is required if you have Firewall rules that use Access Roles and IP Spoofing is enabled.

Copy configuration

• Copy configuration from this computer - Copy Identity Agent configuration settings from this computer to other computers running a custom MSI file.

Save

Click to save this configuration to a custom MSI file. Enter a name for the MSI file.

Deploying a Custom Identity Agent with the Captive Portal

To deploy a custom Identity Agent with the Captive Portal:

1. Upload the custom customAgent.msi package to the /opt/CPNacPortal/htdocs/nacclients/ directory on the Security Gateway.
2. Configure the Captive Portal to distribute the custom Identity Agent:
   1. In SmartConsole, open the Identity Awareness Gateway object.
   2. Go to the Identity Awareness pane.
   3. Click on the Browser-Based Authentication Settings button.
   4. Change the Require users to download value to Identity Agent - Custom.
   5. Click OK.
3. Install the Access Policy.

Automatic Reconnection to Prioritized PDP Gateways

Identity Agent can now reconnect to the original PDP Security Gateway after it recovers.

To configure the automatic reconnection to a higher-priority PDP Security Gateway:

1. Configure the PDP Security Gateway:
   1. Connect to the command line on the PDP Security Gateway.
   2. Log in to the Expert mode.
   3. To show the recovery interval value, run:

      pdp auth recovery_interval show

   4. To set the recovery interval value, run:

      pdp auth recovery_interval set <interval between 1 and 864000 seconds>

2. Install the Access Policy on the PDP Security Gateway.

PDP CLI Reference

Syntax	Description
pdp auth recovery_interval show	Show the recovery interval
pdp auth recovery_interval set <value>	Set the recovery interval value between 1 and 864000 seconds
pdp auth recovery_interval enable	Enable the automatic reconnection to a higher-priority PDP Security Gateway
pdp auth recovery_interval disable	Disable the automatic reconnection to a higher-priority PDP Security Gateway

Notes:

• The value of the recovery_interval parameter controls the recovery interval, during which the Identity Agent searches for a higher priority PDP Security Gateway.
• The recovery interval value can be set between 1 and 864000 seconds. Default recovery interval value is 14400 seconds.
• On VSX Gateways, configure the recovery_interval parameter in the context of each Virtual System with Identity Awareness enabled.
• The Identity Agent fetches the value of the recovery_interval parameter when it connects to the PDP Security Gateway. Therefore, the value must be the same on all relevant PDP Security Gateways in your environment.
• Site priority is based only on the priority configured in the Distributed Configuration tool. Site priority does not rely on other methods, such as DNS resolving.
• When two or more sites are unreachable, the Identity Agent tries to reconnect to the primary site only one time. If the attempt fails, the Identity Agent reconnects to the primary site gradually.

Transparent Kerberos SSO Authentication for Identity Agent

Identity Awareness can now recognize Microsoft group membership data in the Kerberos tickets that are granted by any domain controller configured in SmartConsole.

The Transparent Kerberos SSO Authentication feature is disabled by default.

To configure the Transparent Kerberos SSO Authentication feature on Identity Awareness Gateway:

• To see if the feature is enabled or disabled, run:

  pdp auth fetch_by_sid status

• To enable the feature, run:

  pdp auth fetch_by_sid enable

• To disable the feature, run:

  pdp auth fetch_by_sid disable

  Note - On VSX Gateway, run the command in the context of the Virtual System with enabled Identity Awareness Software Blade.

To configure the Identity Agent to support domains, which are not configured in SmartConsole:

• To see if the feature is enabled or disabled, run:

  pdp auth kerberos_any_domain status

• To enable the feature, run:

  pdp auth kerberos_any_domain enable

• To disable the feature, run:

  pdp auth kerberos_any_domain disable

  Note - On VSX Gateway, run the command in the context of the Virtual System with enabled Identity Awareness Software Blade.

To configure the Identity Agent to send updated Kerberos tickets upon policy installation:

By default, Identity Agent fetches and sends a Kerberos ticket to the Identity Awareness Gateway only during a re-authentication (according to the Identity Agent settings).

You can force the Identity Agent to send an updated Kerberos ticket when you install Access Policy on the Identity Awareness Gateway.

• To see if the feature is enabled or disabled on the Identity Awareness Gateway, run:

  pdp auth reauth_agents_after_policy status

• To enable the feature, run:

  pdp auth reauth_agents_after_policy enable

• To disable the feature, run:

  pdp auth reauth_agents_after_policy disable

  Note - On VSX Gateway, run the command in the context of the Virtual System with enabled Identity Awareness Software Blade.

Active Directory cross-forest trust support for Identity Agent

Terminal Servers Identity Agent now supports Microsoft Active Directory cross-forest trust.

This lets you associate users from foreign domains, if these users are members of groups in the local domain.

This feature is enabled by default.

Note - The Terminal Servers Identity Agent works only with Microsoft Active Directory as a user-directory server.