Advanced Identity Awareness Environment

Configure a Check Point Security Gateway with enabled Identity Awareness Software Blade for better security for your network environment and corporate data. This section describes environment configuration with Identity Awareness that we recommend.

Important:

  • NAT between two Identity Awareness Security Gateways that share data with each other, is not supported.

  • Perimeter Identity Awareness Security Gateway is the most standard environment. Configure the Security Gateway at the perimeter where it protects an access to the DMZ and the internal network. The perimeter Security Gateway in addition controls and inspects internal traffic going to the Internet. In this environment, create an identity-based Access Control Policy .

  • Data Center protection - If you have a Data Center or server farm separately from the users' network, then protect the access to the servers with the Security Gateway. Configure the Security Gateway in front of the Data Center. The Security Gateway inspects all traffic. An identity-based Access Control Policy controls the access to resources and applications. Configure the Security Gateway in Bridge Mode to protect the Data Center without important changes to the current network infrastructure.

  • Large-scale enterprise environment - In large networks, configure multiple Security Gateway. For example: configure a perimeter Firewall and multiple Data Centers. Install an identity-based policy on all Identity Awareness Security Gateway. The Identity Awareness Gateways share user and computer data of the whole environment.

  • Network segregation - The Security Gateway helps you migrate or create internal network segregation. Identity Awareness lets you control access between different segments in the network with an identity-based policy. Configure the Security Gateway near to the network to prevent malware threats and access that is not approved to general resources in the global network.

  • Distributed enterprise with branch offices - For an enterprise with remote branch offices connected to the headquarters with VPN, configure the Security Gateway at the remote branch offices. When you enable Identity Awareness on the branch office Security Gateway, users are authenticated before they get to internal resources. The branch office Security Gateway shares the identity data with other Security Gateway to prevent authentication that is not necessary .

  • Wireless campus - Wireless networks have built-in security challenges. To give an access to wireless-enabled corporate devices and guests, configure Identity Awareness Security Gateway in front of the wireless switch. Install an Identity Awareness policy. The Security Gateway gives a guest access after authentication in the web Captive Portal, and then they inspect the traffic from WLAN users.

Advanced Configuration

There are more ways to configure an Identity Awareness Security Gateway:

  • IP routing mode

  • Transparent mode (Bridge Mode)

IP routing mode - This is a regular and standard method to configure Identity Awareness Gateways. Use this mode when you configure the Identity Awareness Security Gateway at the perimeter. In this case, the Identity Awareness Security Gateway behaves as an IP router that examines and forwards traffic between the internal interface and the external interface in both directions. Use different network subnets and ranges to locate both interfaces.

Transparent mode - Has an additional name "Bridge Mode". Use this configuration method to install the Identity Awareness Security Gateway as a Layer 2 device, rather than an IP router. The benefit of this method is that it is not necessary to make changes in the network infrastructure. It lets you configure the Identity Awareness Security Gateway inline in the same subnet. This configuration is mostly applicable when you must configure an Identity Awareness Gateway for network segregation and Data Center protection purposes.

Configuring a Test Environment

Best Practice - If you want to examine how Identity Awareness works in a Security Gateway, we recommend that you configure it in a simple environment. In this setup, you can examine all identity sources and create an identity-based policy.

We recommend to install these main components in the setup:

  1. User host (Windows)

  2. Check Point Security Gateway R75.20 or higher

  3. Microsoft Windows server with Active Directory, DNS and IIS (Web resource)

Put the Security Gateway in front of the protected resource, the Windows server that runs IIS (web server). The user host computer gets an access to the protected resource through the Security Gateway.

Testing Identity Agents

Enable and configure Identity Agents, and configure Identity Agents self-provisioning through Captive Portal (see Configuring an Identity Agent).

  1. Open a browser and connect to the web resource.

    The resource redirects you to the Captive Portal.

  2. Enter user credentials.

  3. Install the client as prompted by the Captive Portal.

  4. In the authentication window, enter the user credentials through the client.

  5. Examine the connection.