Acquiring Identities in a Terminal Server Environment
Scenario: Identifying Users Accessing the Internet through Terminal Servers
The ACME organization defined a new policy that only allows users to access the internet through Terminal Servers. The ACME organization also wants to make sure that only the Sales department is able to access Facebook. The current Rule Base (all rules configured in a given Security Policy; synonym: Rulebase) uses static IP addresses to define access to Facebook, but now all connections are initiated from Terminal Server IP addresses, so a static-IP rule can no longer distinguish one user from another.
Amy, the IT administrator, wants to leverage the Terminal Servers solution so that:

- Sales users are automatically authenticated with Identity Awareness (the Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer; acronym: IDA) when logging in to the Terminal Servers.
- All connections to the internet are identified and logged.
- Access to Facebook is restricted to the Sales department users.
To enable the Terminal Servers solution, Amy must:

- Configure Terminal Server/Citrix Identity Agents as an identity source for Identity Awareness.
- Install a Terminal Servers Identity Agent on each of the Terminal Servers. (An Identity Agent is a Check Point dedicated client agent installed on Windows-based user endpoint computers. It acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents, not the end users. There are two types of Identity Agents, Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal at 'https://<Gateway_IP_Address>/connect' or from the Support Center.)
- Configure a shared secret between the Terminal Servers Identity Agents and the gateway.

After the configuration is complete and the policy is installed, users that log in to Terminal Servers and browse to the internet are identified, and only Sales department users are able to access Facebook.
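The following is an added illustration, not code from the Check Point documentation or product, of why the scenario needs identity-based rules: once every user's traffic leaves the Terminal Server from the same source IP, a rule keyed on that IP either lets every user reach Facebook or none of them. The model assumes (an assumption for this example, not something this page states) that the identity agent reports each logged-in user together with the source ports of that user's session, so the gateway can map a connection back to a user and an Access Role. All addresses, users and port ranges are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values for this example.
TERMINAL_SERVER_IP = "10.1.1.50"
FACEBOOK = "facebook.com"


@dataclass
class Connection:
    src_ip: str
    src_port: int
    dst: str


@dataclass
class Rule:
    source: str       # "any", an IP address, or "role:<group>" (identity-based)
    destination: str  # "any" or a destination name
    action: str       # "accept" or "drop"


@dataclass
class IdentitySession:
    user: str
    group: str
    port_range: range  # ports the agent associated with this user's session (assumption)


# Identity information the Terminal Servers Identity Agent is assumed to report
# to the gateway: one entry per logged-in user on the shared IP (constructed data).
IDENTITY_TABLE = [
    IdentitySession("alice", "Sales", range(20000, 21000)),
    IdentitySession("bob", "Engineering", range(21000, 22000)),
]


def identify(conn: Connection, sessions) -> Optional[IdentitySession]:
    """Map a connection from the Terminal Server to the user who opened it."""
    if conn.src_ip != TERMINAL_SERVER_IP:
        return None
    for session in sessions:
        if conn.src_port in session.port_range:
            return session
    return None


def rule_matches(rule: Rule, conn: Connection, identity: Optional[IdentitySession]) -> bool:
    if rule.destination not in ("any", conn.dst):
        return False
    if rule.source == "any":
        return True
    if rule.source.startswith("role:"):
        # Identity-based source: matches only when the user is known and in the group.
        return identity is not None and identity.group == rule.source[len("role:"):]
    return rule.source == conn.src_ip


def evaluate(conn: Connection, rulebase, sessions=IDENTITY_TABLE):
    """First-match evaluation of the rule base; returns (action, log record)."""
    identity = identify(conn, sessions)
    user = identity.user if identity else "unknown"
    for rule in rulebase:
        if rule_matches(rule, conn, identity):
            return rule.action, f"{rule.action} {user}@{conn.src_ip}:{conn.src_port} -> {conn.dst}"
    # Implicit cleanup rule: nothing matched, so the connection is dropped.
    return "drop", f"drop {user}@{conn.src_ip}:{conn.src_port} -> {conn.dst}"


# Before: the static-IP rule written for the old setup. Every user now shares this IP.
IP_RULEBASE = [
    Rule(TERMINAL_SERVER_IP, FACEBOOK, "accept"),
    Rule("any", "any", "accept"),
]

# After: an identity-based rule that restricts Facebook to the Sales Access Role.
IDENTITY_RULEBASE = [
    Rule("role:Sales", FACEBOOK, "accept"),
    Rule("any", FACEBOOK, "drop"),
    Rule("any", "any", "accept"),
]

ALICE_FB = Connection(TERMINAL_SERVER_IP, 20123, FACEBOOK)
BOB_FB = Connection(TERMINAL_SERVER_IP, 21555, FACEBOOK)
BOB_OTHER = Connection(TERMINAL_SERVER_IP, 21556, "example.com")

if __name__ == "__main__":
    for name, rulebase in (("static IP", IP_RULEBASE), ("identity", IDENTITY_RULEBASE)):
        print(f"--- {name} rule base ---")
        for conn in (ALICE_FB, BOB_FB, BOB_OTHER):
            print(evaluate(conn, rulebase)[1])
```

With the static-IP rule base both alice and bob reach Facebook, because the gateway only sees the Terminal Server address. With the identity rule base, alice (Sales) is accepted, bob (Engineering) is dropped, and bob's other browsing is still accepted and logged under his user name, which is the logging outcome the scenario asks for. A connection from a port no session claims is logged as "unknown" and hits the drop rule, so a gap in the identity table fails closed for Facebook.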