Identity Awareness - Comparison of Acquisition Sources

These tables show how identity sources are different in terms of usage and environment considerations. Based on these considerations, you can configure Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. to use one or more identity of these identity sources (see Selecting Identity Sources).

Browser-Based Authentication - Captive Portal

Unidentified users log in with a user name and password in a Captive Portal A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication.. After authentication, the user clicks a link to go to the destination address.

Recommended Usage	Environment Considerations
Identity based enforcement for non-AD users (non-Windows and guest users). You can demand environment of Identity Agents.	Use it for identity enforcement (not intended for logging purposes).

Browser-Based Authentication - Transparent Kerberos Authentication

The Transparent Kerberos An authentication server for Microsoft Windows Active Directory Federation Services (ADFS). Authentication Single-Sign On (SSO) solution transparently authenticates users already logged into the AD. When users authenticate to the domain, they can access all authorized network resources, and do not have to enter credentials again. If Transparent Kerberos Authentication fails, the user is redirected to the Captive Portal for manual authentication.

Note - The Identity Agent Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are two types of Identity Agents - Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal - 'https://<Gateway_IP_Address>/connect' or from Support Center. download link and the Automatic Logout option are ignored when Transparent Kerberos Authentication SSO is successful. This is because users do not see the Captive Portal.

Recommended Usage	Environment Considerations
In AD environments, when known users are already logged in to the domain.	Used for identity enforcement only (not intended for logging purposes). Transparent Kerberos Authentication does not use Identity Agents or the Keep Alive feature.

AD Query

Gets identity data seamlessly from Active Directory (AD).

Recommended Usage	Environment Considerations
Identity-based auditing and logging. Leveraging identity in Internet application control. Basic identity enforcement in the internal network.	Easy configuration (AD administrator credentials are necessary). For organizations that prefer not to allow administrator users to be used as service accounts on third party devices, there is an option to configure AD Query Check Point clientless identity acquisition tool. It is based on Active Directory integration and it is completely transparent to the user. The technology is based on querying the Active Directory Security Event Logs and extracting the user and computer mapping to the network address from them. It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients, or on the Active Directory server. without AD administrator privileges, see sk43874. Preferred for Desktop users. Only detects AD users and computers.

Recommended Usage

Environment Considerations

Identity-based auditing and logging.
Leveraging identity in Internet application control.
Basic identity enforcement in the internal network.

Easy configuration (AD administrator credentials are necessary). For organizations that prefer not to allow administrator users to be used as service accounts on third party devices, there is an option to configure AD Query Check Point clientless identity acquisition tool. It is based on Active Directory integration and it is completely transparent to the user. The technology is based on querying the Active Directory Security Event Logs and extracting the user and computer mapping to the network address from them. It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients, or on the Active Directory server. without AD administrator privileges, see sk43874.
Preferred for Desktop users.
Only detects AD users and computers.

Identity Agent

A lightweight Identity Agent authenticates users securely with Single Sign-On (SSO).

Recommended Usage	Environment Considerations
Identity enforcement for Data Centers. Protecting highly sensitive servers. When accuracy in detecting identity is crucial.	See Selecting Identity Sources.

Terminal Servers Identity Agent

Identifies multiple users, who connect from one IP address. A Terminal Server Identity Agent is installed on the application server, which hosts the terminal/Citrix services.

Recommended Usage	Environment Considerations
Identify users who use Terminal Servers or a Citrix environment.	See Selecting Identity Sources.

RADIUS Accounting

You can configure an Identity Awareness Gateway to use RADIUS Accounting to get user and computer identities directly from a RADIUS accounting client. Identity Awareness Gateway uses this information to apply access permissions to the connection.

RADIUS Accounting gets identity data from RADIUS Accounting Requests generated by the RADIUS accounting client. Identity Awareness Gateway uses the data from these requests to get user and device group information from the LDAP server. Firewall rules apply these permissions to users, computers and networks.

Recommended Usage	Environment Considerations
In environments, where authentication is handled by a RADIUS server.	You must configure the RADIUS accounting client to send RADIUS accounting requests to the Identity Awareness Gateway. You must give the RADIUS client access permissions and create a shared secret.

Identity Collector

The Identity Collector Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. You can download the Identity Collector package from Support Center. See sk134312. is a Windows-based application, which collects identity information and sends it to the Identity Awareness Gateways for identity enforcement.

Recommended Usage	Environment Considerations
Works with Microsoft Active Directory Domain Controller in large-scale environments. Integrates with Cisco Identity Services Engine (ISE). Works with NetIQ eDirectory Servers. Asks for Event Log Readers permission credentials.	Windows application with prerequisites. Locally managed.

Identity Web API

The Web API is a flexible identity source that you can use for simple integration with 3rd party security and identity products.

Recommended Usage	Environment Considerations
Integrates with 3rd party security products, such as ForeScout CounterACT and Aruba Networks ClearPass. Integrates Identity Awareness with authentication systems that Check Point does not regularly support. Does system administration tasks such as quick checks of users' IP address.	You must properly configure the accessibility and the list of authorized API clients. You must create a separate shared secret for each API client.

Remote Access

Users who get access using IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. Office Mode can authenticate seamlessly.

Recommended Usage	Environment Considerations
Identify and apply identity-based security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. on users that get an access to the organization through VPN.	See Selecting Identity Sources.