In This Section: |
When you enable Identity Awareness on a Security Gateway, a wizard opens. You can use the wizard to configure one Security Gateway that uses the AD Query, Browser-Based Authentication, and Terminal Servers for acquiring identities. You cannot use the wizard to configure a multiple Security Gateway environment or to configure Endpoint Identity Agent and Remote Access acquisition (other methods for acquiring identities).
When you complete the wizard and install a policy, the system is ready to monitor Identity Awareness. You can see the logs for user and computer identity in the Manage & Settings > Logs tab. You can see events in the Logs & Monitor Access Control views.
To enable Identity Awareness:
The Identity Awareness Configuration wizard opens.
These are the methods of acquiring identities you can choose in the wizard. However, other identity sources are supported.
Note - When you enable Browser-Based Authentication on an IPSO Security Gateway that is on an IP Series appliance, make sure to set the Voyager management application port to a port other than 443 or 80.
The Integration with Active Directory window opens.
When the R80 SmartConsole client computer is part of the AD domain, R80 SmartConsole suggests this domain automatically. If you select this domain, the system creates an LDAP Account Unit with all of the domain controllers in the organization's Active Directory.
Note - We highly recommend that you go to the LDAP Account Unit and make sure that only necessary domain controllers are in the list. If AD Query is not required to operate with some of the domain controllers, delete them from the LDAP Servers list.
With the Identity Awareness configuration wizard you can use existing LDAP Account units or create a new one for one AD domain.
If the R80 SmartConsole computer is part of the domain, the Wizard fetches all the domain controllers of the domain and all of the domain controllers are configured
If you create a new domain, and the R80 SmartConsole computer is not part of the domain, the LDAP account unit that the system creates contains only the domain controller you set manually. If it is necessary for AD Query to fetch data from other domain controllers, you must add them at a later time manually to the LDAP Servers list after you complete the wizard.
To view/edit the LDAP Account Unit object, open Object Explorer (Ctrl + E), and select Servers > LDAP Account units in the Categories tree.
The LDAP Account Unit name syntax is: <domain name>_ _ AD
For example, CORP.ACME.COM_ _ AD.
If you selected Browser-Based Authentication on the first page, the Browser-Based Authentication Settings page opens.
All IP addresses configured for the Security Gateway show in the list. The IP address selected by default is the Security Gateway main IP address. The same IP address can be used for other portals with different paths. For example:
If you selected Terminal Servers, the page includes a link to download the agent.
After you enable Identity Awareness, you create Access Role objects.
You can use Access Role objects as source and/or destination parameter in a rule. Access role objects can include one or more of these objects:
To create an Access Role object:
The New Access Role window opens.
For computers that use Full Endpoint Identity Agents, you can select (optional) Enforce IP Spoofing protection.
Identity Awareness automatically recognizes changes to LDAP group membership and updates identity information, including access roles.
When you:
The system recalculates LDAP group membership for ALL users in ALL Groups. Be very careful when you deactivate user-related notifications.
LDAP Group Update is activated by default. You can manually deactivate LDAP Group Update with the CLI.
Important - Automatic LDAP group update works only with Microsoft Active Directory when AD Query is activated. |
To deactivate automatic LDAP group update:
adlogconfig a
The adlog status screen and menu opens.
LDAP groups update notifications status changes to [ ] (not active). If you enter Turn LDAP groups update on/off when automatic LDAP group update is not active, LDAP groups update notifications status changes to [X] (active).
You can use adlogconfig
to set the time between LDAP change notifications and to send notifications only for user related changes.
To configure LDAP group notification options:
adlogconfig a
The adlog status screen and menu opens.
Be very careful when you deactivate only user-related notifications. This can cause excessive gateway CPU load.
Automatic LDAP Group Update does not occur immediately because Identity Awareness looks for users and groups in the LDAP cache first. The information in the cache does not contain the updated LDAP Groups. By default, the cache contains 1,000 users and cached user information is updated every 15 minutes.
You must deactivate the LDAP cache to get automatic LDAP Group Update assignments immediately. This action can cause Identity Awareness to work slower.
To deactivate the LDAP cache:
The Security Gateway examines packets and applies rules in a sequential manner. When a Security Gateway receives a packet from a connection, it examines the packet against the first rule in the Rule Base. If there is no match, it then goes on to the second rule and continues until it matches a rule.
In rules with access roles, you can add a property in the Action field to enable the Captive Portal. If this property is added, when the source identity is unknown and traffic is HTTP, the user is redirected to the Captive Portal. The packet is matched according to the other fields in the rule. After the system gets the credentials from the Captive Portal, it can examine the rule for the next connection.
In rules with access role objects, criteria matching works like this:
If all the conditions apply, the traffic is redirected to the Captive Portal to get credentials and see if there is a match.
If not all conditions apply, there is no match and the next rule is examined.
Note - When you set the option to redirect http traffic from unidentified IP addresses to the Captive Portal, make sure to place the rule in the correct position in the Rule Base to avoid unwanted behavior.
To redirect http traffic to the Captive Portal:
The Action Settings window opens.
The Action column shows that a redirect to the Captive Portal occurs.
This is an example of a Rule Base that describes how matching operates:
No. |
Source |
Destination |
Services & Applications |
Action |
---|---|---|---|---|
1 |
Finance_Dept (Access Role) |
Finance_Web_ Server |
Any |
Accept (display Captive Portal) |
2 |
Admin_IP |
Any |
Any |
Accept |
3 |
Any |
Any |
Any |
Drop |
Example 1 - If an unidentified Finance user tries to access the Finance Web Server with http, a redirect to the Captive Portal occurs. After the user enters credentials, the Security Gateway allows access to the Finance Web Server. Access is allowed based on rule number 1, which identifies the user through the Captive Portal as belonging to the Finance access role.
Example 2 - If an unidentified administrator tries to access the Finance Web Server with http, a redirect to the Captive Portal occurs despite rule number 2. After the administrator is identified, rule number 2 matches. To let the administrator access the Finance Web Server without redirection to the Captive Portal, switch the order of rules 1 and 2 or add a network restriction to the access role.
You can use Access Role objects as source and/or destination parameter in a rule. For example, a rule that allows file sharing between the IT department and the Sales department access roles.
Name |
Source |
Destination |
VPN |
Services & Applications |
Action |
---|---|---|---|---|---|
IT and Sales File Sharing |
IT_dept |
Sales_dept |
Any |
ftp |
accept |
When you negate a source or destination parameter, it means that a given rule applies to all sources/destinations of the request except for the specified source/destination object. When the object is an access role, this includes all unidentified entities as well.
When you negate an access role, it means that the rule is applied to "all except for" the access role and unidentified entities. For example, let's say that the below rule is positioned above the Any, Any, Drop rule. The rule means that everyone (including unidentified users) can access the Intranet Web Server except for temporary employees. If a temporary employee is not identified when she accesses the system, she will have access to the Intranet Web Server. Right-click the cell with the access role and select Negate Cell. The word [Negated] is added to the cell.
Source |
Destination |
VPN |
Services & Applications |
Action |
---|---|---|---|---|
Temp_employees [Negated] |
Intranet_web_server |
Any |
http |
accept |
To prevent access to unidentified users, add another rule that ensures that only identified employees are allowed access.
Source |
Destination |
VPN |
Services & Applications |
Action |
---|---|---|---|---|
Temp_employees |
Intranet_web_server |
Any |
http |
drop |
Any_identified_employee |
Intranet_web_server |
Any |
http |
accept |
In the Identity Sources section of the Identity Awareness page, select Browser-Based Authentication to send unidentified users to the Captive Portal.
If you configure Transparent Kerberos Authentication, the browser tries to identify AD users before sending them to the Captive Portal.
If you already configured the portal in the Identity Awareness Wizard or R80 SmartConsole, its URL shows below Browser-Based Authentication.
To configure the Browser-Based Authentication settings:
Note - When you enable Browser-Based Authentication on an IPSO Security Gateway that is on an IP Series appliance, make sure to set the Voyager management application port to a port other than 443 or 80. |
You must configure the same password as a shared secret in the Terminal Servers Endpoint Identity Agent on the application server that hosts the Terminal/Citrix services and on the Security Gateway enabled with Identity Awareness. The shared secret enables secure communication and lets the Security Gateway trust the application server with the Terminal Servers functionality.
The shared secret must contain at least 1 digit, 1 lowercase character, 1 uppercase character, no more than three consecutive digits, and must be eight characters long in length. In R80 SmartConsole, you can automatically generate a shared secret that matches these conditions.
To configure the shared secret on the Identity Server:
The generated password is shown in the Pre-shared secret field.
To configure the shared secret on the application server:
The Check Point Endpoint Identity Agent - Terminal Servers main window opens.