
Identity Awareness Deployment

In This Section:

Identity Sharing

Configuring Identity Awareness for a Domain Forest (Subdomains)

Non-English Language Support

Nested Groups

Configuring Identity Awareness Gateway as Active Directory Proxy

Identity Sharing

Best Practice - In a distributed environment with multiple Identity Awareness Security Gateways and AD Query, we recommend that you consider the Identity Sharing configuration.

In this configuration, Identity Awareness Security Gateways can share the identity information that they acquire with other Identity Awareness Security Gateways. You can configure Identity Sharing across multiple Security Gateways if the gateways have Identity Awareness enabled.

Use-case scenario without Identity Sharing (sk149255):

Solution

Identity Awareness Security Gateways (configured as Policy Decision Points) acquire identity information and share it with other Identity Awareness Security Gateways (configured as Policy Enforcement Points). Traffic passes through many Security Gateways, but the User is only identified once. Only one Identity Awareness Security Gateway performs the group membership query and calculates the Access Role object. This reduces the load on the identity sources and/or on User Directory.

PDP - Policy Decision Point (Identity Server):

  1. Acquires user/machine identities from the designated identity sources
  2. Shares user/machine identities with other Security Gateways

PEP - Policy Enforcement Point (Identity Gateway):

  1. Provides the relevant Access Roles to the Rule Base matching process. It enforces the action as defined in the policy.
  2. Can receive identities through Identity Sharing
  3. Can redirect users to the Identity Awareness Captive Portal

Identity Sharing Configurations

There are multiple ways to deploy Identity Sharing:

To configure Identity Sharing, define:

  1. Which Identity Awareness Security Gateways will share their identities (Policy Decision Point).
  2. Which Identity Awareness Security Gateways will receive identities (Policy Enforcement Point).

Smart-Pull Sharing Method

In this method, identities are sent to the PEP only when the PEP needs them, i.e. requests or pulls them from the PDP. In larger deployments not all identities acquired by PDPs are needed by all of the PEPs. For instance, small branch offices with a small number of users do not require storing of all of the identities acquired by the PDP located in the headquarters site. Storing unnecessary identities will consume more space on the PEP and create more unnecessary transactions between the PDP and the PEP over the network.

The Smart-Pull sharing method works in the following three operation stages:

1. Identity Acquisition

  1. The PDP acquires identities and stores them in the PDP repository.
  2. The PDP notifies the relevant PEPs about the network (Class C), from which the user was identified.
  3. The pep show network pdp command on the PEP shows the PDPs and the networks they identify.
  4. The pdp network info command shows all the networks published by the PDP.

The PDP does not publish the identities to the PEPs yet.

2. Sub-Network Registration

When a user initiates a connection through the PEP, where the policy requires an identity element, the PEP searches for the identity in its local database.

If the identity is not found locally, the PEP checks whether a PDP has published the Class C network that contains the IP address, because that network is needed to resolve the identity.

If such a PDP is found, then:

  1. The PEP registers to the PDP for notification about a smaller network (subnet mask 255.255.255.240).
  2. The pep show network registration command on the PEP shows the 255.255.255.240 networks, to which the PEP is registered.
  3. The pdp network registered command on the PDP shows the distribution of the PEPs to 255.255.255.240 networks.
  4. The PDP publishes all the currently known identities from the 255.255.255.240 networks to the registering PEPs.

3. Identity Propagation

  1. The PDP acquires the identity of a user whose IP address is in an already registered 255.255.255.240 network.
  2. The PDP immediately publishes the identity to the registered PEPs.
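The three Smart-Pull stages, as a toy model added here for illustration (it is not Check Point code and does not reproduce the gateway's actual wire protocol): one headquarters PDP, one branch PEP, and constructed IP addresses and user names. The /24 and /28 prefixes stand for the Class C and 255.255.255.240 networks described above; the commented command names only indicate which CLI view would show the corresponding state.

```python
"""Toy model of Smart-Pull identity sharing (constructed example, not Check Point code)."""
import ipaddress
from collections import defaultdict


class PDP:
    """Policy Decision Point: acquires identities and publishes networks."""

    def __init__(self, name):
        self.name = name
        self.repository = {}                   # ip -> user (PDP repository)
        self.published_networks = set()        # /24 networks announced to PEPs
        self.registrations = defaultdict(set)  # /28 network -> registered PEPs
        self.peps = []

    def attach(self, pep):
        self.peps.append(pep)

    def acquire(self, ip, user):
        # Stage 1: store the identity, then announce only the Class C network.
        addr = ipaddress.ip_address(ip)
        self.repository[addr] = user
        net24 = ipaddress.ip_network(f"{addr}/24", strict=False)
        if net24 not in self.published_networks:
            self.published_networks.add(net24)
            for pep in self.peps:
                pep.learn_network(self, net24)
        # Stage 3: if the /28 is already registered, push the identity at once.
        net28 = ipaddress.ip_network(f"{addr}/28", strict=False)
        for pep in self.registrations.get(net28, ()):
            pep.receive(addr, user)

    def register(self, pep, net28):
        # Stage 2: remember the PEP and publish what is already known for that /28.
        self.registrations[net28].add(pep)
        for addr, user in self.repository.items():
            if addr in net28:
                pep.receive(addr, user)


class PEP:
    """Policy Enforcement Point: pulls identities only for subnets it needs."""

    def __init__(self, name):
        self.name = name
        self.identities = {}       # ip -> user (local database)
        self.known_networks = {}   # /24 network -> PDP (cf. 'pep show network pdp')
        self.registered = set()    # /28 networks (cf. 'pep show network registration')

    def learn_network(self, pdp, net24):
        self.known_networks[net24] = pdp

    def receive(self, addr, user):
        self.identities[addr] = user

    def resolve(self, ip):
        """Return the user for ip, registering with the owning PDP on a local miss."""
        addr = ipaddress.ip_address(ip)
        if addr in self.identities:
            return self.identities[addr]
        net24 = ipaddress.ip_network(f"{addr}/24", strict=False)
        pdp = self.known_networks.get(net24)
        if pdp is None:
            return None  # no PDP has announced this Class C network
        net28 = ipaddress.ip_network(f"{addr}/28", strict=False)
        if net28 not in self.registered:
            self.registered.add(net28)
            pdp.register(self, net28)
        return self.identities.get(addr)


def demo():
    """Run the three stages once; returns plain strings for easy inspection."""
    hq = PDP("hq-pdp")
    branch = PEP("branch-pep")
    hq.attach(branch)
    hq.acquire("10.1.1.5", "alice")      # stage 1: only 10.1.1.0/24 is announced
    before = dict(branch.identities)     # still empty: nothing has been pulled
    first = branch.resolve("10.1.1.5")   # stage 2: register 10.1.1.0/28, get alice
    hq.acquire("10.1.1.9", "bob")        # stage 3: same /28, pushed immediately
    hq.acquire("10.1.1.200", "carol")    # other /28, not registered, not pushed
    ids = {str(a): u for a, u in branch.identities.items()}
    regs = {str(n) for n in branch.registered}
    return before, first, ids, regs


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is the one the text describes: after stage 1 the branch PEP holds no identities at all, the first policy lookup for an address it cannot resolve triggers a registration for just that /28, and only identities inside registered /28 networks are pushed afterwards, so a small branch never stores the whole headquarters repository.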

Push Sharing Method

This method is straightforward: a PDP publishes each identity to the PEP as soon as it is acquired.

Note - It is the only sharing method for the Identity Awareness Security Gateway that runs both as PDP and PEP.

Monitoring Identity Sharing

With Identity Sharing, there is always a connection from PDP to PEP, presented below as 'Outgoing'.

The 'Outgoing' (2) is the local connection PDP -> PEP running on the same Security Gateway.

With the Smart-Pull sharing method, when Identity Sharing is used between a PDP and a remote PEP, there is an additional connection PEP -> PDP, presented below as 'Incoming' (1).

The Deployment Scenarios section has more details.

Configuring Identity Awareness for a Domain Forest (Subdomains)

Create a separate LDAP Account Unit for each domain in the forest (subdomain). You cannot add domain controllers from two different subdomains into the same LDAP Account Unit.

You can use the Identity Awareness Configuration Wizard to define one subdomain. This automatically creates an LDAP Account Unit that you can easily configure for more settings. You must manually create all other domains that you want Identity Awareness to relate to, from Servers and OPSEC in the Objects tree > Servers > New > LDAP Account Unit.

When you create an LDAP Account Unit for each domain in the forest:

  1. Make sure the username is one of these:
    • A Domain administrator account that is a member of the Domain Admins group in the subdomain. Enter the username as subdomain\user.
    • An Enterprise administrator account that is a member of the Enterprise Admins group in the domain. If you use an Enterprise administrator, enter the username as domain\user.

      For example, if the domain is ACME.COM, the subdomain is SUB.ACME.COM, and the administrator is John_Doe:

      If the admin is a Domain administrator, Username is: SUB.ACME.COM\John_Doe

      If the admin is an Enterprise administrator, Username is: ACME.COM\John_Doe

      Note - In the wizard, this is the Username field. In the LDAP Account Unit, go to LDAP Server Properties tab > Add > Username.

  2. In LDAP Server Properties tab > Add > Login DN, add the login DN.
  3. In Objects Management tab > Branches in use, edit the base DN
    from: DC=DOMAIN_NAME,DC=DOMAIN_SUFFIX
    to: DC=SUB_DOMAIN_NAME,DC=DOMAIN_NAME,DC=DOMAIN_SUFFIX
    For example, change DC=ACME,DC=local to DC=SUB,DC=ACME,DC=local

Non-English Language Support

To support non-English user names on an Identity Awareness Gateway, you must set a parameter in the LDAP Account Unit object in SmartConsole.

It is not necessary to set this parameter when you enable Identity Awareness on the Security Management Server or Log Server.

To set non-English language support:

  1. In SmartConsole, click Open Object Explorer (Ctrl+E).
  2. From the Categories tree, select Servers > LDAP Account Unit and select the LDAP Account Unit.
  3. In the General tab of the LDAP Account Unit, make sure Enable Unicode support is selected. It is selected by default.
  4. Click OK.

Nested Groups

Identity Awareness supports the use of LDAP nested groups. When a group is nested in another group, users in the nested group are identified as part of the parent group. For example, if you make Group_B a member of Group_A, Identity Awareness identifies members of Group_B as being part of Group_A.

There are three ways to configure nested group queries:

Configuring Nested Groups Query Options

You configure the nested group query options through the Security Gateway CLI:

Command                            Description

pdp nested_groups status           Shows status

pdp nested_groups __set_state 1    Sets recursive nested groups (as in R77.x)

pdp nested_groups __set_state 2    Sets per-user nested groups

pdp nested_groups __set_state 3    Sets multi per-group nested groups
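Nested-group resolution as described in the paragraph above, written as an added example (not Check Point code). It shows the two directions a lookup can take: expanding a group down to the users it contains, and expanding a user up to every group it belongs to through nesting; the page does not define how these correspond to the __set_state modes, so no such mapping is claimed. The directory snapshot is constructed and deliberately contains a nesting cycle, the failure mode a recursive expansion has to survive.

```python
"""Nested LDAP group expansion with cycle protection (constructed example)."""

# Constructed directory snapshot: group -> direct members (users or groups).
DIRECTORY = {
    "Group_A": {"Group_B", "dave"},
    "Group_B": {"Group_C", "alice"},
    "Group_C": {"bob", "Group_A"},   # cycle: A -> B -> C -> A
    "Group_D": {"carol"},
}


def members_of(group, directory=DIRECTORY):
    """Per-group expansion: every user reachable through nesting.
    The visited set makes a cyclic nesting terminate instead of looping."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in directory.get(g, ()):
            if member in directory:   # a nested group: expand it too
                stack.append(member)
            else:
                users.add(member)
    return users


def groups_of(user, directory=DIRECTORY):
    """Per-user expansion: walk the reverse (memberOf) relation upward from
    one user, which is all an Access Role match for that user needs."""
    parents = {}
    for g, members in directory.items():
        for m in members:
            parents.setdefault(m, set()).add(g)
    result, stack = set(), [user]
    while stack:
        node = stack.pop()
        for p in parents.get(node, ()):
            if p not in result:       # doubles as the cycle guard
                result.add(p)
                stack.append(p)
    return result


def matches_access_role(user, role_groups, directory=DIRECTORY):
    """True if the user belongs, directly or through nesting, to a role group."""
    return bool(groups_of(user, directory) & set(role_groups))


if __name__ == "__main__":
    print(sorted(members_of("Group_A")))   # alice, bob, dave
    print(sorted(groups_of("alice")))      # Group_A, Group_B, Group_C
```

With this data alice is a direct member of Group_B only, yet an Access Role built on Group_A matches her, which is exactly the behaviour the section describes; the per-user walk touches only the groups above one user, whereas the per-group walk has to enumerate every nested member, which is the cost difference to keep in mind when choosing a query mode.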

Configuring Identity Awareness Gateway as Active Directory Proxy

If Security Management Server is not currently connected to your Active Directory environment, Identity Awareness Gateway can act as Active Directory Proxy and let you use the Identity Awareness User Picker in the Access Role object.

Note - The Identity Awareness Gateway needs to be connected to your Active Directory server.

Workflow to configure this feature:

  1. In SmartConsole, create a new Host object for each Active Directory Domain Controller in your Active Directory environment.
  2. In SmartConsole, install the Access policy on the Identity Awareness Gateway.
  3. In SmartConsole, configure an LDAP Account Unit object.
  4. Enable the Identity Awareness Software Blade on the Security Gateway.

Step 1

In SmartConsole, create a new Host object for each Active Directory Domain Controller in your Active Directory environment:

  1. In the top left corner, click Objects > New Host.
  2. Configure the object name and IP address.
  3. Click OK.

Step 2

In SmartConsole, install the Access Policy on the Identity Awareness Gateway.

Step 3A

In SmartConsole, configure an LDAP Account Unit object:

  1. In the top left corner, click Objects > Object Explorer.

    The Object Explorer window opens.

  2. In the left navigation tree, click Servers.
  3. From the toolbar, click New > Server > LDAP Account Unit.

    The LDAP Account Unit Properties window opens.

Step 3B

Configure the LDAP Account Unit object.

Go to the General tab.

  1. In the Name field, enter the desired object name (for example, mycompany.com_LDAP_ACC_UNIT).
  2. In the Profile field, select Microsoft_AD.
  3. In the Prefix field, enter your domain name (for example, mycompany.com).
  4. In the Account Unit usage section, select all the options.
  5. In the Additional configuration section, select Enable Unicode support.

Step 3C

Continue configuring the LDAP Account Unit object.

Go to the Servers tab.

  1. Click Add.

    The LDAP Server Properties window opens.

  2. Go to the General tab.
  3. In the Host field, select the host object you created for this Domain Controller in Step 1.
  4. In the Username field, enter the username for this Domain Controller (for example, John.Smith).
  5. In the Login DN field, enter the user's distinguished name (DN) for this Domain Controller (see RFC1779). Note - Refer to the official Microsoft documentation. For example, use the PowerShell Get-ADUser command.
  6. In the Password field, enter the password for this Domain Controller.
  7. In the Confirm password field, enter the password again.
  8. Click OK to close the LDAP Server Properties window.

Note - The order in which these LDAP Servers are displayed is also the default order in which they are queried. You can configure the desired priority for these LDAP Servers.

Step 3D

Continue configuring the LDAP Account Unit object.

Go to the Objects Management tab.

  1. In the Server to connect field, select the host object you created for this Domain Controller in Step 1.
  2. Manually add the branch(es). Note - This feature does not support fetching on branches.

    The branch name is the suffix of the Login DN that begins with DC=. For example, if the Login DN is CN=John.Smith,CN=Users,DC=mycompany,DC=com, then the branch name is DC=mycompany,DC=com.

  3. Select Management Server needs proxy to reach AD server.
  4. In the Proxy through field, select the Security Gateway / Security Cluster that has a route to your AD server.
  5. Configure other desired settings.
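The two DN edits this page asks for, deriving the branch from the Login DN (this step) and prefixing a subdomain onto the forest base DN (the Domain Forest section above), as an added example that is not Check Point code. The DN strings are constructed; the splitter honours backslash escapes from RFC 1779/4514 so that an escaped comma inside a CN does not break the DC= suffix.

```python
"""DN helpers for LDAP Account Unit branches (constructed example, not Check Point code)."""


def split_rdns(dn):
    """Split a string DN into its RDN strings. A backslash escapes the next
    character, so 'CN=Smith\\, John' stays one RDN."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def branch_from_login_dn(login_dn):
    """Return the suffix of the Login DN that begins with DC=, i.e. the branch
    to add under Objects Management > Branches in use."""
    rdns = split_rdns(login_dn)
    for i, rdn in enumerate(rdns):
        if rdn.upper().startswith("DC="):
            tail = rdns[i:]
            # From the first DC= onward every component must be a DC= component.
            if all(r.upper().startswith("DC=") for r in tail):
                return ",".join(tail)
            break
    raise ValueError(f"no DC= suffix in Login DN: {login_dn!r}")


def subdomain_base_dn(forest_base_dn, subdomain_label):
    """Build the subdomain base DN, e.g. DC=ACME,DC=local with label SUB
    becomes DC=SUB,DC=ACME,DC=local."""
    for r in split_rdns(forest_base_dn):
        if not r.upper().startswith("DC="):
            raise ValueError(f"base DN must contain only DC= components: {forest_base_dn!r}")
    if "." in subdomain_label or not subdomain_label:
        raise ValueError("subdomain label must be a single DNS label")
    return f"DC={subdomain_label}," + forest_base_dn


if __name__ == "__main__":
    print(branch_from_login_dn("CN=John.Smith,CN=Users,DC=mycompany,DC=com"))
    print(subdomain_base_dn("DC=ACME,DC=local", "SUB"))
```

The check that every component after the first DC= is itself a DC= component matters because a CN or OU value can legitimately contain the text "DC=", and a naive string search would then return a branch that no domain controller serves.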

Step 3E

Continue configuring the LDAP Account Unit object.

(Optional) Go to the Authentication tab.

  1. Clear Use common group path for queries.
  2. In the Allowed authentication schemes section, select all the options.
  3. In the Users' default values section:
    • Clear Use user template.
    • Select Default authentication scheme > Check Point Password.

Step 3F

Complete the configuration of the new LDAP Account Unit object:

Click OK to close the LDAP Account Unit Properties window.

Step 4

(Optional) You can configure the Security Gateway to encrypt the LDAP communication with your Domain Controller:

  1. Open the LDAP Account Unit object you configured in Step 3.
  2. Go to the Servers tab.
  3. Select the LDAP Server object and click Edit.
  4. Go to the Encryption tab.
  5. Select Use Encryption (SSL).
  6. In the Verify that server has the following Fingerprints field, enter the Active Directory server fingerprint you get from the Identity Awareness Gateway.

    To get the Active Directory server fingerprint from the Security Gateway:

    1. Open a plain-text editor on your computer.
    2. Copy and paste this single long command to the plain-text editor:

      cpopenssl s_client -connect 192.168.1.2:636 2>&1 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | cpopenssl x509 -noout -md5 -fingerprint

    3. In the text editor, replace the 192.168.1.2 with the IP address of your Active Directory Domain Controller.
    4. Connect to the command line on Security Gateway.
    5. Log in to Expert mode.
    6. If this is a VSX Gateway, switch to the context of the relevant Virtual System that has connectivity to the Active Directory Domain Controller.
    7. Make sure there is connectivity between the Security Gateway (or Virtual System) and the Active Directory Domain Controller.
    8. Copy and paste the modified command from the text editor on your computer to the Security Gateway console and press Enter.

      The MD5 fingerprint is displayed. For example:

      MD5 Fingerprint=0B:84:D1:28:A5:19:6A:4D:24:57:72:5A:32:9B:2D:4D

    9. Copy the displayed Active Directory fingerprint number (after the = sign) from the Security Gateway console.
    10. Paste the copied fingerprint number in the Verify that server has the following Fingerprints field.
    11. Click OK to close the LDAP Server Properties window.
  7. Click OK to close the LDAP Account Unit Properties window.
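What the command pipeline above produces, and what the Verify that server has the following Fingerprints check then compares, reproduced offline as an added example (not Check Point code). The s_client-style output is a constructed stand-in whose PEM block carries base64("abc") instead of a real DER certificate, so the resulting digest is the well-known MD5 test vector rather than a fingerprint of any real server; the extraction mirrors the sed range in the command, which keeps the first certificate block, i.e. the server's leaf certificate.

```python
"""Offline model of the AD server fingerprint pin (constructed example, not Check Point code)."""
import base64
import hashlib
import hmac
import re

# Constructed stand-in for 'cpopenssl s_client' output; the PEM body is
# base64("abc"), not a real certificate, so the digest is predictable.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
depth=0 CN = dc01.example.invalid
---
Certificate chain
 0 s:CN = dc01.example.invalid
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
---
No client certificate CA names sent
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def extract_leaf_pem_der(s_client_output):
    """Select the first BEGIN/END CERTIFICATE block, like the sed range in the
    command, and decode it to DER bytes."""
    m = _PEM_BLOCK.search(s_client_output)
    if m is None:
        raise ValueError("no PEM certificate block in output")
    return base64.b64decode("".join(m.group(1).split()))


def md5_fingerprint(der):
    """Format like 'cpopenssl x509 -noout -md5 -fingerprint': upper-case hex
    octets separated by colons."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text):
    """Accept what an administrator might paste into the field: with or without
    the 'MD5 Fingerprint=' prefix, colons, spaces, or lower-case hex."""
    text = text.split("=", 1)[1] if "=" in text else text
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    if len(hexdigits) != 32:
        raise ValueError("an MD5 fingerprint must have 32 hex digits")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 32, 2))


def server_matches_pinned(s_client_output, pinned_fingerprint):
    """True only if the presented certificate's MD5 fingerprint equals the one
    configured on the LDAP Server object (whole digest, constant-time compare)."""
    actual = md5_fingerprint(extract_leaf_pem_der(s_client_output))
    expected = normalize_fingerprint(pinned_fingerprint)
    return hmac.compare_digest(actual.encode(), expected.encode())


if __name__ == "__main__":
    print("MD5 Fingerprint=" + md5_fingerprint(extract_leaf_pem_der(SAMPLE_S_CLIENT_OUTPUT)))
```

Two practical points follow from the model: the pin is only as good as the path on which the fingerprint was first obtained, which is why the procedure has you run the command from the Security Gateway that already has connectivity to the Domain Controller rather than from an arbitrary host; and because the pin is a digest of the exact DER bytes, it must be refreshed whenever the Domain Controller's LDAPS certificate is renewed, otherwise the LDAP connection fails closed.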

Step 5

Enable the Identity Awareness Software Blade on the Security Gateway.

  1. In SmartConsole, from the left Navigation Toolbar, click Gateways & Servers.
  2. Edit the Security Gateway object.
  3. Select Identity Awareness Software Blade.
  4. When the Identity Awareness Configuration Wizard opens, click Cancel.
  5. Make sure Identity Awareness is selected.
  6. In the left navigation tree, go to Identity Awareness.
  7. In the Identity Sources section, select and configure the relevant options.
  8. Click OK.
  9. Install the Access policy.

Notes about the Identity Awareness Gateway as Active Directory Proxy feature: