Server Discovery and Server Trust

The Identity Agent client needs to be connected to an Identity Awareness Gateway. For this to happen, it must discover the server and trust it.

Server discovery refers to the process of deciding which server the client should connect to. We offer several methods to configure server discovery - from a very basic method in which you simply configure one server, to a method in which you configure a domain-wide policy and connect to a server depending on your current location. This section describes these options.

Server trust refers to the process of validating that the server to which the end user connects is indeed a genuine one. In addition, it makes sure that the connection between the client and the server was not tampered with by a Man-In-The-Middle (MITM) attack.

The trust process compares the server fingerprint calculated during the SSL handshake with the expected fingerprint. If the client does not have the expected fingerprint configured, it asks the user to verify the fingerprint manually. This section describes the methods that let the client know the expected fingerprint in advance, without user intervention.
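The comparison described above, written out as an added example (this is not the Identity Agent's code; the hash algorithm, the colon-separated presentation of the fingerprint and the `ask_user` callback are assumptions made for the example). Chain validation is deliberately turned off in `fetch_server_cert` because, in this model, trust rests on the pinned fingerprint and not on a CA; the pinned value must therefore reach the client through a channel an attacker cannot modify, which is what the rest of this section is about.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Callable, Optional


def fingerprint(cert_der: bytes, algorithm: str = "sha256") -> str:
    """Return the certificate fingerprint as colon-separated upper-case hex,
    the form a trust dialog typically shows the user (algorithm is an assumption)."""
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept fingerprints typed with or without separators, in any case."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(cert_der: bytes, expected: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison of the presented certificate against the
    pre-distributed (expected) fingerprint."""
    actual = normalize(fingerprint(cert_der, algorithm))
    return hmac.compare_digest(actual, normalize(expected))


def fetch_server_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Complete a TLS handshake and return the leaf certificate in DER form.
    CA validation is disabled on purpose: the caller pins the fingerprint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def decide_trust(cert_der: bytes, expected: Optional[str],
                 ask_user: Callable[[str], bool]) -> bool:
    """Trust decision as the text describes it: with a configured fingerprint
    the check is automatic; without one the user must confirm the fingerprint."""
    if expected is not None:
        return fingerprint_matches(cert_der, expected)
    return bool(ask_user(fingerprint(cert_der)))


# Constructed stand-in for a DER certificate, so the logic runs offline.
SAMPLE_CERT = b"constructed-der-bytes-not-a-real-certificate"
TAMPERED_CERT = SAMPLE_CERT + b"x"
```

In a real client the `expected` value comes from one of the distribution methods below (AD, registry or a pre-packaged installer), never from the server itself or from the installer's file name.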

Discovery and Trust Options

These are the options that the client has for discovering a server and creating trust with it:

  • File name based server configuration - If no other method is configured (default, out-of-the-box situation), any Identity Agent downloaded from the portal gets a name with the portal computer IP in it. During installation, the client uses this IP to represent the Identity Awareness Security Gateway. When the trust dialog box opens, the user must confirm the trust to the server.

  • AD based configuration - If client computers are members of an Active Directory domain, you can configure the server addresses and trust data with the Identity Agent Distributed Configuration Tool.

  • DNS SRV record based server discovery - It is possible to configure the server addresses in the DNS server. Because DNS is not secure, we recommend that you do not configure trust this way. Users can authorize the server manually in the trust dialog box that opens. This is the only server discovery method that is applicable for the macOS Identity Agent.

  • Remote registry - All client configuration, including the server addresses and trust data are in the registry. You can configure the values before installing the client (by GPO, or any other system that lets you control the registry remotely). This lets you use the configuration from first run.

  • Custom Identity Agents - You can use the Identity Agent Configuration Utility to create a custom version of the Identity Agent installation package that includes the server IP address and trust data.

Comparing Options

General Overview

| Option | Must Have AD | Manual User Trust Necessary? | Multi-Site | Client Remains Signed? | Allows Ongoing Changes | Level | Recommended for... |
|---|---|---|---|---|---|---|---|
| File name based | No | Yes | No | Yes | No | Very Simple | Environment with single Security Gateway |
| AD based | Yes | No | Yes | Yes | Yes | Simple | Environment in which you can change AD settings |
| DNS based | No | Yes | Partially (per DNS server) | Yes | Yes | Simple | Environment with AD in which you cannot change AD settings (or without AD), but can change the DNS settings |
| Remote registry | No | No | Yes | Yes | Yes | Moderate | Where remote registry is used for other purposes |
| Pre-packaging | No | No | Yes | No | No | Advanced | Environment in which you cannot change AD and DNS settings, with more than one Security Gateway |

File Name Based Server Discovery

This option is the easiest to configure, and works out-of-the-box if the Captive Portal runs on the Identity Awareness Gateway itself. If your configuration consists of one Identity Awareness Gateway, the Captive Portal runs on the same Security Gateway, and it is acceptable to you that the user must verify the server fingerprint and trust it once, then you can use this option, which requires no configuration.

How does it work?

When a user downloads the Identity Agent client from the Captive Portal, the address of the Identity Awareness Gateway is added to the file name. During the installation sequence, the client checks whether any other discovery method is configured (pre-packaged, AD based, DNS based or local registry). If no discovery method is configured, and the Identity Agent can connect to the Identity Awareness Gateway named in the file name, it does so. To confirm this, examine the Identity Agent settings: the Identity Awareness Gateway must be present in the Identity Agent dialog box.

Why can this not be used for trust data?

Because the file name can be changed, we cannot be sure that it was not modified by an attacker along the way. Therefore, we cannot treat data passed in the file name as authentic, and the trust data must be verified by another means.

AD Based Configuration

If your endpoint computers are members of an Active Directory domain, and you have administrative access to this domain, you can use the Identity Agent Distributed Configuration Tool to configure connectivity and trust rules for the Identity Agent.

This tool is installed as part of the Identity Agent: go to the Start menu > All Programs > Check Point > Identity Agent > click Distributed Configuration.

Notes:

  • You must have administrative access to this Active Directory domain, so that the tool can create the new LDAP keys and write to them.

  • The credentials are not saved anywhere. The access is only necessary to modify the distributed configuration. The Identity Agent Distributed Configuration Tool only writes to this Active Directory domain when it saves configuration.

  • All users must be allowed to view the configuration (otherwise, the Identity Agents cannot fetch it).

  • The LDAP keys are:

    LDAP://CN=PDP,CN=Check Point,CN=Program Data,DC=...< Domain Name>...

    LDAP://CN=PDPconnRB,CN=Check Point,CN=Program Data,DC=...< Domain Name>...

The Identity Agent Distributed Configuration Tool has three panes:

  • Welcome - This pane describes the tool and lets you enter alternate credentials that you use to get access to the AD.

  • Server Configuration - This pane lets you configure which Identity Awareness Gateway the Identity Agent should connect to, depending on the IPv4 / IPv6 address that is configured on the endpoint computer, or on its AD Site.

  • Trusted Gateways - This pane lets you view and change the list of fingerprints of Identity Awareness Gateways, which the Identity Agent considers secure.

Note - The complete configuration is in the Active Directory database, under the Program Data branch in a hive named Check Point. The first run of the tool adds this hive. This hive has no effect on other AD-based applications or features.

Server Configuration Rules

The Identity Agent fetches the configured rule lists from the Active Directory database. Each time the Identity Agent needs to connect to an Identity Awareness Gateway, it tries to match itself against the rules, from top to bottom.

When the Identity Agent matches a rule, it uses the Identity Awareness Gateways configured in this rule based on the specified priority.

For example, a configuration with three rules (one matching an IPv4 network, one matching an Active Directory site, and a default rule) means:

  • If the user's computer is configured with the IPv4 address 192.168.0.1 / 24, then the Identity Agent needs to connect to the Identity Awareness Gateway "US-GW1".

    If the gateway "US-GW1" is not available, then the Identity Agent needs to connect to the Identity Awareness Gateway "BAK-GS2" (applies only if gateway "US-GW1" is not available, because its priority is higher).

  • If the user connects from the Active Directory site "UK-SITE", then the Identity Agent needs to connect to Identity Awareness Gateway "US-GW1", or to Identity Awareness Gateway "UK-GW2". The Identity Agent selects between these gateways randomly, because they both have the same priority.

    If both of these gateways are not available, then the Identity Agent needs to connect to the Identity Awareness Gateway "BAK-GS2".

  • The default rule is that the Identity Agent needs to connect to Identity Awareness Gateway "BAK-GS2" (the default rule is always matched when it is encountered).
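The rule evaluation described above, as an added example that is not part of the original guide or the Identity Agent's code. The rule set is the one from the example (network "192.168.0.1 / 24", site "UK-SITE", default rule); the numeric representation of priority (lower number = preferred) and the data structures are assumptions made for the example.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A condition is ("network", "<cidr>"), ("site", "<AD site>") or ("default", None).
Condition = Tuple[str, Optional[str]]


@dataclass
class Rule:
    """One row of the Server Configuration pane: a match condition plus the
    gateways to use, each with a priority (assumption: lower number wins)."""
    condition: Condition
    gateways: List[Tuple[int, str]]

    def matches(self, client_ip: str, client_site: Optional[str]) -> bool:
        kind, value = self.condition
        if kind == "default":
            return True                       # the default rule always matches
        if kind == "network":
            # strict=False accepts a host address with a prefix, as the guide writes it
            net = ipaddress.ip_network(value, strict=False)
            return ipaddress.ip_address(client_ip) in net
        if kind == "site":
            return client_site == value
        raise ValueError(f"unknown condition kind {kind!r}")


def connection_order(rules: List[Rule], client_ip: str,
                     client_site: Optional[str], rng=random) -> List[str]:
    """Evaluate rules top to bottom, take the first match, and return the
    gateways in the order the client should try them: ascending priority,
    random order among gateways that share a priority."""
    for rule in rules:
        if not rule.matches(client_ip, client_site):
            continue
        by_priority: Dict[int, List[str]] = {}
        for prio, gw in rule.gateways:
            by_priority.setdefault(prio, []).append(gw)
        order: List[str] = []
        for prio in sorted(by_priority):
            group = list(by_priority[prio])
            rng.shuffle(group)                # equal priority: random choice
            order.extend(group)
        return order
    return []                                 # no rule matched, no default configured


# The example rule base from the text, in top-to-bottom order.
EXAMPLE_RULES = [
    Rule(("network", "192.168.0.1/24"), [(1, "US-GW1"), (2, "BAK-GS2")]),
    Rule(("site", "UK-SITE"), [(1, "US-GW1"), (1, "UK-GW2"), (2, "BAK-GS2")]),
    Rule(("default", None), [(1, "BAK-GS2")]),
]

if __name__ == "__main__":
    print(connection_order(EXAMPLE_RULES, "192.168.0.77", "UK-SITE"))
    print(connection_order(EXAMPLE_RULES, "10.0.0.5", "UK-SITE"))
    print(connection_order(EXAMPLE_RULES, "10.0.0.5", None))
```

Note that a client at 192.168.0.77 in site UK-SITE gets the first rule, not the second: evaluation stops at the first match, which is why rule order matters.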

Trusted Gateways

The Trusted Gateways pane shows the list of Identity Awareness Security Gateways considered trusted. When the Identity Agent starts to connect to these Identity Awareness Security Gateways, no pop-up windows open.

You can add, edit or delete a server. If you can connect to the Identity Awareness Security Gateway, enter its address and click Fetch Fingerprint to get the name and fingerprint. If not, enter the same name and fingerprint that appear when you connect to this Identity Awareness Security Gateway.

DNS Based Configuration

If you configure the client to "Automatic Discovery" (the default), it looks for a server by issuing a DNS SRV query for the name "CHECKPOINT_NAC_SERVER._tcp" (the DNS suffix is added automatically). You can configure the address in your DNS server.

On the DNS server (the example uses Windows Server 2003; for more information, see the official Microsoft documentation):

  1. Go to Start > All Programs > Administrative Tools > DNS.

  2. Go to Forward lookup zones and select the applicable domain.

  3. Go to the _tcp subdomain.

  4. Right-click and select Other new record.

  5. Select Service Location, Create Record.

  6. In the Service field, enter CHECKPOINT_NAC_SERVER.

  7. Set the Port number to 443.

  8. In Host offering this service, enter the address of the Identity Awareness Gateway.

  9. Click OK.

Notes

  • For Identity Awareness Load Sharing, create several SRV records with the same priority. For Identity Awareness High Availability, create several SRV records with different priorities.

  • If you configure both AD based and DNS based configuration, the results are combined in order of the specified priority (from the lowest to the highest).

Remote Registry

If you have another way to configure registry entries to your client computers (such as Active Directory GPO updates), you can configure the Identity Awareness Gateway addresses and trust parameters before you install the clients. Clients use the already installed settings immediately after installation.

To use the remote registry option:

  1. Install the client on a computer. Make sure it is installed in the same mode (full or light) as on all other computers.

    The full Identity Agent installs itself to your Program Files directory and saves its configuration to HKEY_LOCAL_MACHINE.

    The light Identity Agent installs itself to the Users directory and saves its configuration to HKEY_CURRENT_USER.

  2. Connect manually to all of the servers that are configured, verify their fingerprints, and click Trust in the fingerprint verification window.

  3. In the client Settings window, configure it to connect to the requested servers.

    If you want the client to select a server depending on its location, click Advanced (see AD Based Configuration).

  4. Export these registry keys (from HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER, based on the client type installed):

    1. SOFTWARE\CheckPoint\IA\TrustedGateway (the whole tree).

    2. SOFTWARE\CheckPoint\IA\ (on 32-bit), or

      SOFTWARE\Wow6432Node\Checkpoint\IA (on 64-bit)

      • Default Gateway

      • DefaultGatewayEnabled

      • PredefinedPDPConnRBUsed

      • PredefinedPDPConnectRuleBase

  5. Configure the exported keys on the workstations before you install the client on them.
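A pre-deployment check for step 4, as an added example that is not part of the original guide or the Identity Agent: before an exported .reg file is pushed out by GPO, it is parsed and checked for the hive, the 32-bit or 64-bit IA key, the four values listed in step 4 (names exactly as the guide lists them) and a non-empty TrustedGateway tree. The sample export, the value types in it and the layout of the TrustedGateway subkeys are constructed assumptions. Registry paths are compared case-insensitively, which also covers the "CheckPoint" versus "Checkpoint" spelling difference in the paths above.

```python
import re
from typing import Dict, List

# Key paths from the procedure, lower-cased because the registry is case-insensitive.
IA_KEYS = (
    r"software\checkpoint\ia",                 # 32-bit client
    r"software\wow6432node\checkpoint\ia",     # 64-bit client
)
HIVES = ("hkey_local_machine", "hkey_current_user")   # full agent / light agent
REQUIRED_VALUES = (
    "default gateway",                         # value names as listed in the guide
    "defaultgatewayenabled",
    "predefinedpdpconnrbused",
    "predefinedpdpconnectrulebase",
)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports.
    Returns {key path (lower-case): {value name (lower-case): raw data}}.
    Continuation lines of hex data are skipped; they are not needed here."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                keys[current][m.group(1).lower()] = m.group(2)
    return keys


def check_export(text: str) -> List[str]:
    """Return a list of problems; an empty list means the export holds
    everything step 4 asks for."""
    keys = parse_reg(text)
    ia_key = None
    for hive in HIVES:
        for rel in IA_KEYS:
            if f"{hive}\\{rel}" in keys:
                ia_key = f"{hive}\\{rel}"
    if ia_key is None:
        return ["no CheckPoint\\IA key found under HKLM or HKCU"]
    problems = [f"missing value {name!r} under {ia_key}"
                for name in REQUIRED_VALUES if name not in keys[ia_key]]
    trusted = ia_key + "\\trustedgateway"
    if trusted not in keys:
        problems.append("TrustedGateway tree not exported")
    elif not any(k.startswith(trusted + "\\") for k in keys):
        problems.append("TrustedGateway tree is empty: trust a server before exporting")
    return problems


# Constructed sample export (64-bit full agent); types and subkey layout are assumptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\IA]
"Default Gateway"="192.0.2.10"
"DefaultGatewayEnabled"=dword:00000001
"PredefinedPDPConnRBUsed"=dword:00000000
"PredefinedPDPConnectRuleBase"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\IA\TrustedGateway]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\IA\TrustedGateway\192.0.2.10]
"Fingerprint"="PLACEHOLDER:FINGERPRINT"
"""

if __name__ == "__main__":
    print(check_export(SAMPLE_REG) or "export OK")
```

regedit writes .reg files as UTF-16 with a BOM; read them with `open(path, encoding="utf-16")` before passing the text to `check_export`.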