Getting Identities in a Terminal Server Environment
Scenario: Identifying Users who get an Access to the Internet through Terminal Servers
The ACME organization defined a new policy that allows users to get access to the Internet only through Terminal Servers. The ACME organization also wants to make sure that only the Sales department can get access to Facebook. The current Rule Base uses static IP addresses to give access to Facebook, but now all connections are initiated from Terminal Server IP addresses, so a source address no longer identifies a user or a department.
Amy, the IT administrator wants to leverage the use of the Terminal Servers solution so that:
- Sales users are automatically authenticated with Identity Awareness when they log in to the Terminal Servers.
- All connections to the Internet are identified and logged.
- Access to Facebook is restricted to the Sales department users.
To enable the Terminal Servers solution, Amy must:
- Configure Terminal Server/Citrix Identity Agents as an identity source for Identity Awareness.
- Install a Terminal Servers Identity Agent on each of the Terminal Servers.
- Configure a shared secret between the Terminal Servers Identity Agents and the gateway.

After configuration and installation of the policy, users that log in to Terminal Servers and browse to the Internet are identified, and only Sales department users get access to Facebook.