Selecting Identity Sources

Identity sources have different security and environment considerations. Depending on your organization's requirements, you can configure them separately, or as combinations that supplement each other. For information about how Identity Awareness prioritizes information it receives from different identity sources, see Identity Conciliation - PDP and Identity Conciliation - PEP.

Here are examples of how to choose identity sources for different organizational requirements:

Requirement: Logging and auditing with basic enforcement
Recommended Identity Source: AD Query.

Requirement: Logging and auditing only
Recommended Identity Source: AD Query.

Requirement: Application Control
Recommended Identity Source: AD Query and Browser-Based Authentication.
AD Query finds all AD users and computers.
The Browser-Based Authentication identity source is necessary to include all non-Windows users. In addition, it serves as a fallback option if AD Query cannot identify a user.
If you configure Transparent Kerberos Authentication, the browser attempts to authenticate users transparently by getting identity information before the Captive Portal username/password page is shown to the user.

Requirement: Data Center, or internal server protection
Recommended Identity Source: The options are:

Requirement: Terminal Servers and Citrix environments
Recommended Identity Source: Terminal Servers.
You must install the Terminal Servers Identity Agent on each Terminal Server.

Requirement: Users that get access to the organization through VPN
Recommended Identity Source: Remote Access.
Lets you identify Mobile Access and IPsec VPN clients that work in Office Mode.

Requirement: Environments that use a RADIUS server for authentication
Recommended Identity Source: RADIUS Accounting.
Make sure that you configure the Security Gateway as a RADIUS Accounting client and give it access permissions and a shared secret.
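The RADIUS Accounting identity source learns user-to-address mappings from Accounting-Request messages, and the shared secret is what lets the receiver reject messages a NAS did not send. The following added example (not Check Point code; it models only the standard RFC 2866 packet layout, not how the Security Gateway processes it internally) builds a constructed Accounting-Request, verifies its Request Authenticator with the shared secret, and applies Start/Stop records to an identity map:

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 8, 40
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_accounting_request(identifier, attrs, secret):
    """Build a constructed Accounting-Request as a NAS sends it (authenticator per RFC 2866 s.3)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets + Attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def parse_accounting_request(packet, secret):
    """Return (status, user, ip) for a verified packet, else None (bad secret, tampering, malformed)."""
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # never learn an identity from a packet the shared secret does not vouch for
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            return None  # truncated or malformed attribute
        attrs[body[pos]] = body[pos + 2:pos + body[pos + 1]]
        pos += body[pos + 1]
    try:
        status = STATUS[struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]]
        user = attrs[USER_NAME].decode("utf-8")
        ip = str(IPv4Address(attrs[FRAMED_IP_ADDRESS]))
    except (KeyError, ValueError, struct.error):
        return None  # missing or invalid attribute: no user-to-address mapping
    return status, user, ip

def update_identity_map(id_map, record):
    """Start and Interim-Update bind the address to the user; Stop removes the binding."""
    status, user, ip = record
    if status == "Stop":
        id_map.pop(ip, None)
    else:
        id_map[ip] = user
    return id_map
```

A message that fails the authenticator check yields no identity at all, which is why a wrong or missing shared secret shows up as users simply never being identified rather than as an error in the mapping.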