
Terms

Access Role

Access Role objects let you configure network access according to:

After you activate the Identity Awareness Software Blade, you can create Access Role objects and use them in the Source and Destination columns of Access Control Policy rules.

Active Directory (AD)

Microsoft® directory information service. Stores data about user, computer, and service identities for authentication and access.

AD Query

Check Point clientless identity acquisition tool. It is based on Active Directory integration and it is completely transparent to the user.

The technology queries the Active Directory Security Event Logs and extracts from them the mapping between users, computers, and their network addresses. It uses Windows Management Instrumentation (WMI), a standard Microsoft protocol, to read the logs.

The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server.

No installation is necessary on the clients, or on the Active Directory server.
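What AD Query extracts, as an added PowerShell example that is illustration code and not Check Point's AD Query implementation: it reads a domain controller's Security Event Log over WMI (the Win32_NTLogEvent class), pulls the account name and source address out of the Windows logon and Kerberos ticket events (4624, 4768, 4769, 4770), and drops entries that would produce useless or misleading mappings (computer accounts, anonymous logons, missing or loopback addresses). The domain controller name dc01.example.com and the three sample events are constructed placeholders; a live run needs an account that is permitted to read the Security log remotely, for example a member of Event Log Readers with WMI/DCOM remote access.

```powershell
# Added example (illustration, not Check Point's AD Query code): extract
# user/computer-to-IP mappings from a domain controller's Security Event Log.
# Assumptions: dc01.example.com is a placeholder DC name; the account running
# the live query may read the Security log remotely (e.g. "Event Log Readers"
# membership plus WMI/DCOM remote access).

# Security event IDs that carry an identity-to-address mapping:
# 4624 logon, 4768 Kerberos TGT, 4769 Kerberos service ticket, 4770 renewal.
$LogonEventIds = 4624, 4768, 4769, 4770

function Get-SecurityLogonEvents {
    # Live path: read the log over WMI (Win32_NTLogEvent). Returns objects
    # with EventCode, Message and TimeGenerated, like the samples below.
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [int] $Minutes = 10
    )
    $since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime(
        (Get-Date).AddMinutes(-$Minutes))
    $idFilter = ($LogonEventIds | ForEach-Object { "EventCode=$_" }) -join ' OR '
    Get-CimInstance -ComputerName $DomainController -ClassName Win32_NTLogEvent `
        -Filter "Logfile='Security' AND ($idFilter) AND TimeGenerated >= '$since'"
}

function ConvertTo-IdentityMapping {
    # Extraction step: pull account and client address out of each event and
    # drop entries that would produce useless or misleading mappings.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $msg = $Event.Message
        switch ($Event.EventCode) {
            4624 {
                # 4624 lists two accounts; the one under "New Logon:" is the user who logged on.
                $acct = [regex]::Match($msg,
                    'New Logon:.*?Account Name:\s+(\S+).*?Account Domain:\s+(\S+)', 'Singleline')
                $ip = [regex]::Match($msg, 'Source Network Address:\s+(\S+)').Groups[1].Value
            }
            { $_ -in 4768, 4769, 4770 } {
                $acct = [regex]::Match($msg,
                    'Account Name:\s+(\S+).*?Account Domain:\s+(\S+)', 'Singleline')
                $ip = [regex]::Match($msg, 'Client Address:\s+(\S+)').Groups[1].Value
            }
            default { return }
        }
        if (-not $acct.Success) { return }
        $user   = $acct.Groups[1].Value -replace '@.*$', ''   # 4769 reports user@REALM
        $domain = $acct.Groups[2].Value
        $ip     = $ip -replace '^::ffff:', ''                 # Kerberos events use IPv4-mapped IPv6
        if ($user.EndsWith('$')) { return }                   # computer account, not a user
        if ($user -in '-', 'ANONYMOUS LOGON') { return }      # no identity to map
        if ($ip -in '', '-', '127.0.0.1', '::1') { return }   # no usable client address
        [pscustomobject]@{
            Time = $Event.TimeGenerated; EventId = $Event.EventCode
            User = "$domain\$user"; IP = $ip
        }
    }
}

# Constructed sample events (abbreviated copies of the real message layouts)
# so the parser runs offline. The third is a computer-account logon and is dropped.
$SampleEvents = @(
    [pscustomobject]@{ EventCode = 4624; TimeGenerated = Get-Date; Message = @'
An account was successfully logged on.
Subject:
    Account Name:       -
    Account Domain:     -
Logon Type:             3
New Logon:
    Account Name:       jdoe
    Account Domain:     EXAMPLE
Network Information:
    Workstation Name:   WS-042
    Source Network Address: 10.1.20.15
'@ }
    [pscustomobject]@{ EventCode = 4769; TimeGenerated = Get-Date; Message = @'
A Kerberos service ticket was requested.
Account Information:
    Account Name:       jdoe@EXAMPLE.COM
    Account Domain:     EXAMPLE.COM
Service Information:
    Service Name:       FS01$
Network Information:
    Client Address:     ::ffff:10.1.20.15
'@ }
    [pscustomobject]@{ EventCode = 4624; TimeGenerated = Get-Date; Message = @'
An account was successfully logged on.
New Logon:
    Account Name:       WS-042$
    Account Domain:     EXAMPLE
Network Information:
    Source Network Address: 10.1.20.15
'@ }
)

# Offline demo on the constructed events. Against a real DC:
#   Get-SecurityLogonEvents -DomainController dc01.example.com | ConvertTo-IdentityMapping
$SampleEvents | ConvertTo-IdentityMapping | Format-Table -AutoSize
```

The filters at the end of ConvertTo-IdentityMapping are where an AD Query deployment is usually tuned: a computer-account or service logon that is not dropped becomes a wrong user-to-IP binding on the gateway, and the Kerberos events are only useful after the ::ffff: prefix is stripped, because the address would otherwise never match an IPv4 rule.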

API

In computer programming, an application programming interface (API) is a set of subroutine definitions, protocols, and tools for building application software. In general terms, it is a set of clearly defined methods of communication between various software components.

Browser-Based Authentication

Authentication of users through the Check Point Identity Awareness web portal (Captive Portal), to which users connect with their web browser to log in and authenticate.

Captive Portal

A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication.

Distributed Configuration tool

Check Point Identity Agent control tool for Windows-based client computers that are members of an Active Directory domain.

The Distributed Configuration tool lets you configure connectivity and trust rules for Identity Agents - to which Identity Awareness Security Gateways the Identity Agent should connect, depending on its IPv4 / IPv6 address, or Active Directory Site.

This tool is installed as part of the Identity Agent: go to the Windows Start menu > All Programs > Check Point > Identity Agent.

For more information, see AD Based Configuration.

Identity Agent

Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway.

The administrator configures the Identity Agents (not the end users).

There are three types of Identity Agents: Full, Light and Custom.

You can download the Full, Light and Custom Identity Agent package from the Captive Portal:

https://<Gateway_IP_Address>/connect

You can transfer the Full and Light Identity Agent package from the Identity Awareness Gateway:

$NACPORTAL_HOME/htdocs/nac/nacclients/customAgent.msi

Identity Collector

Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. For more information, see sk108235.

You can download the Identity Collector package from the Identity Awareness Gateway:

https://<Gateway_IP_Address>/_IA_IDC/download/CPIdentityCollector.msi

Identity Collector Identity Sources

Identity Sources for Check Point Identity Collector - Microsoft Active Directory Domain Controllers, Cisco Identity Services Engine (ISE) Servers, or NetIQ eDirectory Servers.

Identity Collector Query Pool

A list of Identity Sources for Check Point Identity Collector.

Identity Server

Check Point Security Gateway with enabled Identity Awareness Software Blade.

Kerberos

A computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication.

LDAP

The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users.

NAC

Network Access Control. This is an approach to computer security that attempts to unify endpoint security technology (such as Anti-Virus, Intrusion Prevention, and Vulnerability Assessment), user or system authentication and network security enforcement. Check Point's Network Access Control solution is called Identity Awareness Software Blade.

PDP

Check Point Identity Awareness Security Gateway that acts as Policy Decision Point:

PEP

Check Point Identity Awareness Security Gateway that acts as Policy Enforcement Point:

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP as transport.

Rule

A set of traffic parameters and other conditions that cause specified actions to be taken for a communication session.

Rule Base

The database that contains the rules in a security policy and defines the sequence in which they are enforced.

Security Gateway

A computer that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.

Security Management Server

A computer that runs Check Point software to manage the objects and policies in a Check Point environment.

Service Account

In Microsoft® Active Directory, a user account created explicitly to provide a security context for services running on Microsoft® Windows® Server.

SmartConsole

A Check Point GUI application used to manage Security Policies, monitor products and events, install updates, provision new devices and appliances, and manage a multi-domain environment and each domain.

SSO

Single sign-on is a property of access control across multiple related, yet independent, software systems. With this property, a user logs in once with a single ID and password and gains access to the connected systems without entering different usernames or passwords, or, in some configurations, is signed on seamlessly at each system. This is typically backed by a central directory, such as an LDAP server, that stores the user accounts.

Terminal Server

Microsoft® Windows-based application server that hosts Microsoft Terminal Services (Remote Desktop Services), Citrix XenApp, or Citrix XenDesktop sessions.

Terminal Servers Identity Agent

Dedicated client agent installed on a Microsoft® Windows-based application server that hosts Microsoft Terminal Services (Remote Desktop Services), Citrix XenApp, or Citrix XenDesktop sessions. This client agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. In the past, this client agent was called Multi-User Host (MUH) Agent.

You can download the Terminal Servers Identity Agent from the Identity Awareness Gateway:

https://<Gateway_IP_Address>/_IA_MU_Agent/download/muhAgent.exe