Identity Awareness

R75
Administration Guide

30 December 2010

© 2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11662 For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date 30 December 2010 15 December 2010 Description Improved documentation, formatting and document layout First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Identity Awareness R75 Administration Guide).

.............................46 Non-English Language Support ...............................................31 Access Settings ...........................................................30 Negate and Block ............................................................46 Performance ......49 Customizing Text Strings ...........................47 Advanced Captive Portal Configuration ..............................................................33 Agent Deployment from the Portal ..............................................46 Troubleshooting ........................................................................11 Deployment .......................40 Identity Sources .........................................23 Enabling Identity Awareness on the Security Gateway .............................12 Identity Awareness Scenarios ..............................................................34 Configuring Identity Agents..........41 Advanced AD Query Configuration ....................................56 ..34 Identity Agent Types .........................................................29 Source and Destination Fields .....................................................13 Acquiring Identities for Active Directory Users ...................................41 Choosing Identity Sources .......36 Server Discovery and Trust..........................................................................................................................................................................................................................................................................................................................45 Multiple Gateway Environments .............................................................41 Specifying Domain Controllers per Security Gateway .................................................................................................29 Negate and Drop .................31 Configuring Captive Portal in SmartDashboard ............................. 9 Identity Agents ..................................................................................................28 Access Role Objects .............................................49 Adding a New Language...........................................................................................32 Customize Appearance................................................................................................................................................................................................37 Configuring Identity Agents in SmartDashboard.....................................................................................56 Customizing Parameters ...............................................................................................................................................31 Authentication Settings ...................................................................................................................26 Creating Access Roles ........................................................................................................................................... 6 AD Query ........................................................................................................................................................34 Identity Agent Deployment Methods .............13 Acquiring Identities with the Captive Portal .6 Introduction .........................................................................................................................23 Results of the Wizard ..........................................................................................................20 Configuring Identity Awareness ......15 Acquiring Identities with Identity Agents ..........32 User Access .................................54 Advanced Identity Agents Configuration ................................18 Acquiring Identities in Application Control ...........................................................41 Configuring Identity Awareness for a Domain Forest (Subdomains) .................................................................................................................................................................................................................................................3 Getting Started With Identity Awareness ..................................................................29 Using Identity Awareness in the Application Control Rule Base ........52 Server Certificates .38 Configuring Identity Awareness for a Log Server .......................................................................................................42 Permissions and Timeout ............Contents Important Information ....................................................................................................................26 Using Identity Awareness in the Firewall Rule Base ..................................40 Enabling Identity Awareness on the Log Server ............................................................................................................................................................................................................................................................................................................. 8 Captive Portal .................................................................................31 Portal Network Location ...........................................................................................................

......................................................................................................77 Background ...................................................71 Overview .......................................................................................................................................................77 Custom Identity Agent msi .......................71 References .........................................61 Testing Identity Sources .......................................................62 Data Center Protection ............................................78 Configuring Installed Features .....................61 Testing Identity Agents .............................................83 Server Discovery and Trust Options ...................................59 Checking the Bridge Configuration...........................73 SmartDashboard Configuration .........................................................................................................................................................69 Kerberos SSO Configuration .......77 Using the cpmsi_tool.................63 Large Scale Enterprise Deployment ....................................................................................................................................................................................................................................................................................................................................................................83 Introduction ....................60 Configuring the Cluster ..................................................72 SSO Configuration.....86 DNS Based Configuration .......................................66 Distributed Enterprise with Branch Offices ..............................[Features] Section ..................................................56 Advanced Deployment ...................................................................................................................84 Option Comparison........................62 Perimeter Security Gateway with Identity Awareness ....62 Deployment Scenarios .......................................................................................................................................71 How SSO Operates .....................................82 Server Discovery and Trust .......................84 File Name Based Server Discovery ...............................................................57 Deployment Options ........................................................................57 Introduction ...........................................81 Sample INI File .................................................................................................................................................................................................................................[Properties] Section ..............58 Configuring Clusters in Bridge Mode ......................90 Index ...................................................................88 Remote Registry ..................................................................................................................................Prepackaging Identity Agent Installation ...............................................................................................................................................................................................................................................[AddFiles] Section ......................77 Configuring Installation ...................................................................................60 Configuring the External Identity Awareness Gateway .......................................................................................................................................................................................................................61 Deploying a Test Environment ..........................................................................exe.................................................93 .85 AD Based Configuration .......................................................................58 Preparing Clusters with a Bridge ...........................................................................................................................................................................75 Prepackaging Identity Agents ...................................................................60 Configuring Cluster and Bridge Support ..........................................73 AD Configuration ......................................................................64 Network Segregation ......89 Prepackaging Identity Agents .................................................................79 Configuring Deployed Identity Agents ...................................66 Wireless Campus............68 Dedicated Identity Acquisition Gateway .........................................

Identity Awareness lets you easily configure network access and auditing based on network location and:   The identity of a user The identity of a machine When Identity Awareness identifies a source or destination. It is applicable for both Active Directory and non-Active Directory based networks as well as for employees and guest users.Chapter 1 Getting Started With Identity Awareness In This Chapter Introduction Deployment Identity Awareness Scenarios 6 12 13 Introduction Traditionally. You can define a firewall rule for specific users when they send traffic from specific machines or a firewall rule for a specific user regardless of which machine they send traffic from. It is currently available on the Firewall blade and Application Control blade and will operate with other blades in the future. Identity Awareness removes this notion of anonymity since it maps users and machine identities. firewalls use IP addresses to monitor traffic and are unaware of the user and machine identities behind those IP addresses. Page 6 . it shows the IP address of the user or machine with a name. Identity Awareness is an easy to deploy and scalable solution. this lets you create firewall rules with any of these properties. This lets you enforce access and audit data based on identity. For example.

you use Access Role objects to define users. Identity Awareness also lets you see user activity in SmartView Tracker and SmartEvent based on user and machine name and not just IP addresses. Identity Awareness gets identities from these acquisition sources:    AD Query Captive Portal Identity Agent The table below shows how identity sources are different in terms of usage and deployment considerations. you can configure Identity Awareness to use one identity source or a combination of identity sources ("Choosing Identity Sources" on page 41). Getting Started With Identity Awareness Page 7 . machines and network locations as one object. Depending on those considerations.Introduction In SmartDashboard.

The Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. It is based on Active Directory integration and it is completely transparent to the user. a standard Microsoft protocol. users that need to pass through several enforcement points are only identified once. It is based on Windows Management Instrumentation (WMI).Firewall Rule Base Example The steps listed in the example align with the numbers in the image below. 2. AD Query AD Query is an easy to deploy.  The technology is based on querying the Active Directory Security Event Logs and extracting the user and machine mapping to the network address from them. How AD Query Operates . reads emails through Exchange. clientless identity acquisition method. when a user logs in. In this way. 1. See Advanced Deployment (on page 57) for more information. AD Query is selected as a way to acquire identities.Introduction Source AD Query Description Gets identity data seamlessly from Microsoft Active Directory (AD) Recommended Usage  Identity based auditing and logging Leveraging identity in Internet application control Basic identity enforcement in the internal network Identity based enforcement for non-AD users (non-Windows and guest users) For deployment of Identity Agents Leveraging identity for Data Center protection Protecting highly sensitive servers When accuracy in detecting identity is crucial Deployment Considerations  Easy configuration (requires AD administrator credentials) Preferred for desktop users Only detects AD users and machines     Captive Portal Sends unidentified users to a Web portal for authentication   Used for identity enforcement (not intended for logging purposes)  Identity Agent A lightweight endpoint  agent that authenticates securely with Single Sign-On  (SSO)   See Choosing Identity Sources (on page 41). or accesses an Intranet portal. A user logs in to a desktop computer using his Active Directory credentials. The AD Query option operates when:  An identified asset (user or machine) tries to access an Intranet resource that creates an authentication request. No installation is necessary on the clients or on the Active Directory server. Identity aware gateways can share the identity information that they acquire with other identity aware gateways. Getting Started With Identity Awareness Page 8 . The Security Gateway registers to receive security event logs from the Active Directory domain controllers. unlocks a screen. For example. shares a network drive.

But if users are identified. For guest users. The Active Directory DC sends the security event log to the Security Gateway. 5. they get a web page that must fill out to continue. Captive Portal The Captive Portal is a tool that acquires identities from unidentified users. Unidentified users cannot access that resource because of rules with access roles in the Firewall / Application Rule Base. Figure 1-1 Captive Portal Login The Captive Portal option operates when a user tries to access a web resource and all of these apply:   The Captive Portal is selected as a way to acquire identities. enter required credentials. The Security Gateway confirms that the user has been identified and lets him access the Internet based on the policy. they might be able to access the resource. 4. Configure what is required in the Portal Settings. When users try to access a protected resource. Getting Started With Identity Awareness Page 9 . The Security Gateway extracts the user and IP information (user name@domain. Captive Portal acquires the identities of users. It is a simple method that authenticates users through a web interface before granting them access to Intranet resources. machine name and source IP address).Introduction 3. When these criteria are true. The user initiates a connection to the Internet. From the Captive Portal users can:   Enter an existing user name and password if they have them.

Check Point internal credentials. The credentials are verified. 1. such as LDAP. or RADIUS. Getting Started With Identity Awareness Page 10 . In this example they are verified with the AD server. Configure this in the Portal Settings. 4.Introduction  Click a link to download an Identity Awareness agent. The user can now go to the originally requested URL. The user enters his regular office credentials. 2. Identity Awareness does not recognize him and redirects the browser to the Captive Portal. The credentials can be AD or other Check Point supported authentication methods. 3. How Captive Portal Operates .Firewall Rule Base The steps listed in the example align with the numbers in the image below. 5. A user wants to access the Internal Data Center.

does not require administrator permissions for installation. 3. as the client detects the movement and reconnects. A user logs in to his PC with his credentials and wants to access the Internal Data Center. users enter their credentials manually. The Security Gateway enabled with Identity Awareness does not recognize him and sends him to the Captive Portal. Identity Agents also gives you strong (Kerberos based) user and machine authentication. Added security .transparent authentication using Kerberos Single Sign-On (SSO) when users are logged in to the domain. How You Download an Identity Agent .   For more information.requires administrator permissions for installation. it will automatically revert to installing the Light agent. Cannot be configured with packet tagging or machine authentication.users stay automatically identified when they move between networks. 2.Introduction Identity Agents Identity Agents are dedicated client agents installed on users' computers that acquire and report identities to the Security Gateway. Using Identity Agents gives you:    User and machine identity Minimal user intervention . Users can download and install Identity Agents from the Captive Portal or you can distribute MSI files to computers with distribution software or any other method (such as telling them where to download the client from).Example This is how a user downloads the Identity Agent from the Captive Portal: 1.all necessary configuration is done by administrators and does not require user input. Connectivity through roaming .a customized installation package.you can use the patented packet tagging technology to prevent IP Spoofing. Light . The Full agent performs packet tagging and machine authentication. If you do not want to use SSO. If installed by a user without administrator permissions. The Security Gateway sends a page that shows the Captive Portal to the user. Getting Started With Identity Awareness Page 11 . You can let them save these credentials. see the Prepackaging Identity Agents (on page 77).   There are 3 types of Identity Agents:  Full . Custom . It contains a link that he can use to download the Identity Agent. Seamless connectivity .

the user is automatically connected. Deploy on branch office gateways and central gateways. 6. Identity awareness supports ClusterXL HA and LS modes. Deployment Identity Awareness is commonly enabled on the perimeter gateway of the organization. If SSO with Kerberos is configured. Identity Awareness can be deployed in Bridge mode or Route mode. If you deploy Identity Awareness on more than one gateway. In Route mode the gateway acts as a router with different subnets connected to its network interfaces. 5.   In Bridge mode it can use an existing subnet with no change to the hosts' IP addresses.Deployment 4. The user is authenticated and the Security Gateway sends the connection to its destination according to the Firewall Rule Base. This can be in addition to on the perimeter gateway but does not require a perimeter gateway. Deploy on several data center gateways. you can configure the gateways to share identity information. For redundancy. such as data centers. You can also share identities between gateways managed in different Multi-Domain Servers. To protect internal data centers. Common scenarios include:    Deploy on your perimeter gateway and data center gateway. The Identity Agent client connects to the Security Gateway. The user downloads the Identity Agent from the Captive Portal and installs it on his PC. Identity Awareness can be enabled on an internal gateway in front of internal servers. You can have one or more gateways acquire identities and share them with the other gateways. It is frequently used in conjunction with Application Control. Getting Started With Identity Awareness Page 12 . you can deploy a gateway cluster in Active-Standby (HA) or Active-Active (LS) modes.

Identity Awareness Scenarios Identity Awareness Scenarios This section describes scenarios in which you can use Identity Awareness to let users access network resources. An access role object defines users.217. you are configuring clientless employee access for all Active Directory users.3. selects AD Query as one of the Identity Sources and installs the policy. The first 3 scenarios describe different situations of acquiring identities in a Firewall Rule Base environment. The IT department gave the laptop a static IP address. 4.168.3. To enforce access options. He wants to move around the organization and continue to have access to the HR Web Server. He received a laptop and wants to access the HR Web Server from anywhere in the organization. ACME IT wants to limit access to HR servers to designated IP addresses to minimize malware infection and unauthorized access risks. 2.168. To make this scenario work. Thus. Enables Identity Awareness on a gateway. the gateway policy permits access only from John's desktop which is assigned a status IP address 192. The last scenario describes the use of Identity Awareness in an Application Control environment.217). Checks SmartView Tracker to make sure the system identifies John Adams in the logs. machines and network locations as one object. make rules in the Firewall Rule Base that contain access role objects. Active Directory users that log in and are authenticated will have seamless access to resources based on Firewall Rule Base rules. When you set the AD Query option to get identities. Sees how the system tracks the actions of the access role in SmartView Tracker. 3. Acquiring Identities for Active Directory Users Organizations that use Microsoft Active Directory as a central user repository for employee data can use AD Query to acquire identities. Scenario: Laptop Access John Adams is an HR partner in the ACME organization. but that limits him to operating it only from his desk. Let's examine a scenario to understand what AD Query does. Adds an access role object to the Firewall Rule Base that lets John Adams access the HR Web Server from any machine and from any location. The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop with a static IP (192. Getting Started With Identity Awareness Page 13 . the IT administrator does these steps: 1.

ACME. he should lock and unlock the computer. Note .Identity Awareness Scenarios User Identification in the Logs The SmartView Tracker log below shows how the system recognizes John Adams as the user behind IP 192. This uses the identity acquired from AD Query. This log entry shows that the system maps the source IP to the user John Adams from CORP.168.AD Query maps the users based on AD activity.COM. If John Adams is not identified (the IT administrator does not see the log). Getting Started With Identity Awareness Page 14 .3. This can take some time and depends on user activity.217.

she cannot identify seamlessly with AD Query. However. Scenario: Recognized User from Unmanaged Device The CEO of ACME recently bought her own personal iPad. Her access to resources is based on rules in the Firewall Rule Base. Because the iPad is not a member of the Active Directory domain.Identity Awareness Scenarios Using Access Roles To let John Adams access the HR Web Server from any machine. Acquiring Identities with the Captive Portal The Captive Portal lets you acquire identities from unidentified users such as:   Managed users connecting to the network from unknown devices such as Linux computers or iPhones. If unidentified users try to connect to resources in the network that are restricted to identified users. Unmanaged. The Security Gateway lets the user John Adams access the HR Web server from his laptop with a dynamic IP as the HR_Partner access role tells it that the user John Adams from any machine and any network is permitted access. Then the IT administrator replaces the source object of the current rule with the HR_Partner access role object and installs the policy for the changes to be updated. it is necessary for the administrator to change the current rule in the Rule Base. Let's examine some scenarios to understand what the Captive Portal does and the configuration required for each scenario. they are automatically sent to the Captive Portal. guest users such as partners or contractors. she can enter her AD credentials in the Captive Portal and then get the same access as on her office computer. She wants to access the internal Finance Web server from her iPad. To do this. The IT administrator can then remove the static IP from John Adam's laptop and give it a dynamic IP. it is necessary to create an access role ("Creating Access Roles" on page 26) for John Adams that includes the specific user John Adams from any network and any machine. Getting Started With Identity Awareness Page 15 .

c) In the Machines tab make sure that Any machine is selected. the IT administrator must: 1. d) Click OK. User Experience Jennifer McHanry does these steps: 1. Right-click the Action column and select Edit Properties. 6. Note: redirection will not occur if the source IP is already mapped to a user checkbox. 7. Select accept as the Action. Click OK. In the Portal Settings window in the User Access section. Create a new rule in the Firewall Rule Base to let Jennifer McHanry access network destinations. Browses to the Finance server from her iPad. make sure that Name and password login is selected. 3. The Action Properties window opens.Identity Awareness Scenarios Required SmartDashboard Configuration To make this scenario work. A Welcome to the network window opens. From the Source of the rule. She enters her usual system credentials in the Captive Portal. b) In the Users tab. select Specific users and choose Jennifer McHanry. 5. 3. 2. Select the Redirect http connections to an authentication (captive) portal. Enable Identity Awareness on a gateway and select Captive Portal as one of the Identity Sources. She can successfully browse to the Finance server. 2. The Captive Portal opens because she is not identified and therefore cannot access the Finance Server. right-click to create an Access Role. 4. a) Enter a Name for the Access Role. The Access Role is added to the rule. Getting Started With Identity Awareness Page 16 .

In the Unregistered Guest Login Settings window. the Captive Portal opens. Afterwards they are given access to the Iinternet for a specified period of time. In the Portal Settings window in the User Access section. Guests enter their name. the IT administrator configures the Captive Portal to let unregistered guests log in to the portal to get network access.Identity Awareness Scenarios User Identification in the Logs The SmartView Tracker log below shows how the system recognizes Jennifer McHanry from her iPad. When guests browse to the Internet. 3. the CEO wants to let them access the Internet on their own laptops. and phone number in the portal.Settings. Click Unregistered guest login . Enable Identity Awareness on a gateway and select Captive Portal as one of the Identity Sources. For how long users can access the network resources. Getting Started With Identity Awareness Page 17 . Amy. Required SmartDashboard Configuration To make this scenario work. email address. If a user agreement is required and its text. This log entry shows that the system maps the source "Jennifer_McHanry" to the user name. She makes a rule in the Firewall Rule Base to let unauthenticated guests access the Internet only. make sure that Unregistered guest login is selected. 2. company. the IT administrator must: 1. Scenario: Guest Users from Unmanaged Device Guests frequently come to the ACME company. This uses the identity acquired from Captive Portal. 4. They then agree to the terms and conditions written in a network access agreement. configure:    The data guests must enter. While they visit.

create a rule that identified users can access the internet from the organization. The current Rule Base uses static IP addresses to define access for the Finance department. (ix) Click OK. (iii) In the Users tab.Identity Awareness Scenarios 5. Amy. She enters her identifying data in the Captive Portal and reads through and accepts a network access agreement. (iv) Click OK. right-click to create an Access Role. A Welcome to the network window opens. The Captive Portal opens because she is not identified and therefore cannot access the Internet. She can successfully browse to the Internet for a specified period of time. (v) The Access Role is added to the rule. User Identification in the Logs The SmartView Tracker log below shows how the system recognizes a guest. (i) From the Source of the rule. she does these steps: 1. User Experience From the perspective of a guest at ACME. (iv) In the Machines tab select Any machine if guests will access the network from their own machines or Specific machines to choose a computer that they will use. (viii) Select the Redirect http connections to an authentication (captive) portal. In this case. b) Create a rule to let Unauthorized Guests access only the internet. Acquiring Identities with Identity Agents Scenario: Identity Agent Deployment and User Group Access The ACME organization wants to make sure that only the Finance department can access the Finance Web server. (v) Click OK. the IT administrator wants to leverage the use of Identity Agents so: Getting Started With Identity Awareness Page 18 . select Specific users and choose Unauthenticated Guests. (ii) Enter a Name for the Access Role. 3. (ii) Enter a Name for the Access Role. (vi) Select accept as the Action. (iii) In the Users tab. The Access Role is added to the rule. select All identified users. This log entry shows that the system maps the source IP address with the user's identity. 2. (i) From the Source of the rule. The Action Properties window opens. Note: redirection will not occur if the source IP is already mapped to a user checkbox. (vii) Right-click the Action column and select Edit Properties. Browses to an internet site from her laptop. the identity is "guest" because that is how the user is identified in the Captive Portal. right-click to create an Access Role. Create two new rules in the Firewall Rule Base: a) If it is not already there.

right-click to create an Access Role. Browses to the Finance Web server. Amy wants Finance users to download the Identity Agent from the Captive Portal. Agent deployment for the Finance department group from the Captive Portal. e) In the Machines tab. Alternatively. 4. select All identified machines and select Enforce IP spoofing protection (requires Full Identity Agent). She needs to deploy the Full Identity Agent so she can set the IP spoofing protection. b) Enter a Name for the Access Role. In the Identity Agent Deployment from the Portal. Note . from all managed machines and from all locations with IP spoofing protection enabled. Required SmartDashboard Configuration To make this scenario work. g) The Access Role is added to the rule. c) In the Networks tab. No configuration is necessary on the client for IP spoofing protection. select Require users to download and select Identity Agent . Users that roam the organization will have continuous access to the Finance Web server. Click the Captive Portal Settings button. select Name and password login. A rule in the Rule Base with an access role for Finance users. Create a rule in the Firewall Rule Base that lets only Finance department users access the Finance Web server and install policy: a) From the Source of the rule. 5. She needs to configure: Identity Agents as an identity source for Identity Awareness.This configures Identity Agent for all users. 2. f) Click OK. you can set Identity Agent download for a specific group ("Configuring Agent Deployment for User Groups" on page 37).  After configuration and policy install. In the Portal Settings window in the Users Access section. User Experience A Finance department user does this: 1. 3. select All identified users.Full option. the IT administrator must: 1.Identity Awareness Scenarios      Finance users will automatically be authenticated one time with SSO when logging in (using Kerberos which is built-in into Microsoft Active Directory). 6. Enable Identity Awareness on a gateway and select Identity Agents and Captive Portal as Identity Sources. select Specific users and add the Active Directory Finance user group. 7. d) In the Users tab. Access to the Finance Web server will be more secure by preventing IP spoofing attempts. Getting Started With Identity Awareness Page 19 . Configure Kerberos SSO ("Kerberos SSO Configuration" on page 71). Install policy. users that browse to the Finance Web server will get the Captive Portal and can download the Identity Agent.

Note . The user automatically connects to the Finance Web server. 3. The user can successfully browse to the internet for a specified period of time. 2. Access roles ("Creating Access Roles" on page 26) to leverage machine awareness.Identity Awareness Scenarios The Captive Portal opens because the user is not identified and cannot access the server. End user interface protection so users cannot access the client settings. The user automatically connects to the gateway. machine awareness. In this scenario. See User Access (on page 33). A window opens asking the user to trust the server. and application awareness to the Check Point gateway. Click OK. the File Name server discovery method is used.    Acquiring Identities in Application Control Identity Awareness and Application Control can be used together to add user awareness. A link to download the Identity Agent is shown. See Server Discovery and Trust (on page 37) for more details on other server discovery methods that do not require user trust confirmation. See Server Discovery and Trust (on page 37)for more details. A Welcome to the network window opens.The trust window opens because the user connects to the Security Gateway with Identity Awareness using the File name based server discovery option. The user clicks the link to download the Identity Agent. What's Next Other options that can be configured for Identity Agents:  A method that determines how Identity Agents connect to a Security Gateway enabled with Identity Awareness and trusts it. Let users defer client installation for a set time and ask for user agreement confirmation. They work together in these procedures: Getting Started With Identity Awareness Page 20 .

the IT administrator must enable Application Control and Identity Awareness. Enables the Application Control blade on a gateway. 2. This adds a default rule to the Application Control Rule Base that allows traffic from known applications. The SmartView Tracker and SmartEvent logs will then show identity information for the traffic. Scenario: Identifying Users in Application Control Logs The ACME organization wants to use Identity Awareness to monitor outbound application traffic and learn what their employees are doing.Identity Awareness Scenarios    Use Identity Awareness Access Roles in Application Control rules as the source or destination of the rule. Next. the IT department can add rules to block specific applications or track them differently in the Application Control policy to make it even more effective. with the tracking set to Log. Required SmartDashboard Configuration To make this scenario work. 3.com/documentation_download?ID=11658). This SmartView Tracker log entry shows that the system maps the source IP address with the user's identity.checkpoint. Installs the policy. the IT administrator does these steps: 1. It also shows Application Control data. To do this. See the R75 Application Control Administration Guide (http://supportcontent. Enables Identity Awareness on a gateway. In SmartView Tracker logs and SmartEvent events. Getting Started With Identity Awareness Page 21 . selects AD Query as one of the Identity Sources. you can see which user and IP address accesses which applications. User identification in the Logs Logs related to application traffic in SmartView Tracker and SmartEvent show data for identified users. You can use all the types of identity sources to acquire identities of users who try to access applications.

Getting Started With Identity Awareness Page 22 .Identity Awareness Scenarios This SmartEvent Intro log entry shows details of an Application Control event with Identity Awareness user and machine identity.

On the General Properties page > Additional Features section. expand the Check Point branch. 4. Double-click the gateway on which to enable Identity Awareness. Log in to SmartDashboard. On the Identity Awareness page.Chapter 2 Configuring Identity Awareness In This Chapter Enabling Identity Awareness on the Security Gateway Creating Access Roles Using Identity Awareness in the Firewall Rule Base Using Identity Awareness in the Application Control Rule Base Configuring Captive Portal in SmartDashboard Configuring Identity Agents Configuring Identity Awareness for a Log Server 23 26 28 29 31 34 40 Enabling Identity Awareness on the Security Gateway When you enable Identity Awareness on a Security Gateway. From the Network Objects tree. You can use SmartView Tracker and SmartEvent to see the logs for user and machine identity. a wizard opens. To enable Identity Awareness: 1. You cannot use the wizard to configure a multiple gateway environment or to configure client acquisition (another method for acquiring identities). The Identity Awareness Configuration wizard opens. 2. select Identity Awareness. When you complete the wizard and install a policy. 3. You can use the wizard to configure one Security Gateway that uses the AD Query and Captive Portal for acquiring identities. select Enable Identity Awareness. select Identity Awareness. Or From the Gateway Properties tree. the system is ready to monitor Identity Awareness. Page 23 .

go to the Firewall tab > Servers and OPSEC Applications tab in the objects tree > LDAP Account Unit. Select one or both options.  Captive Portal . The Integration With Active Directory window opens. If AD Query is not required to operate with some of the domain controllers. Click Next. The LDAP Account Unit name syntax is: <domain name>_ _ AD Configuring Identity Awareness Page 24 . If you select this domain. See Choosing Identity Sources (on page 41). 6. you must add them at a later time manually to the LDAP Servers list.We highly recommend that you go to the LDAP Account Unit and make sure that only necessary domain controllers are in the list. These options set the methods for acquiring identities of managed and unmanaged assets.Sends users to a Web page to acquire identities from unidentified users. delete them from the LDAP Servers list.Lets the Security Gateway seamlessly identify Active Directory users and computers. SmartDashboard suggests this domain automatically. Note . If you create a new domain. To view/edit the LDAP Account Unit object. the LDAP account unit that the system creates contains only the domain controller you set manually. When SmartDashboard is part of the domain.Enabling Identity Awareness on the Security Gateway 5. the system creates an LDAP Account Unit with all of the domain controllers in the organization's Active Directory. If it is necessary for AD Query to fetch data from other domain controllers.  AD Query .

COM_ _ AD. Enter the Active Directory credentials and click Connect to verify the credentials.ACME. From the Select an Active Directory list. Important .For AD Query you must enter domain administrator credentials. the Captive Portal Settings page opens.2. 11. For Captive Portal standard credentials are sufficient. 10. where unidentified users will be directed.10.2. password and domain controller credentials.2/sslvpn Configuring Identity Awareness Page 25 .Enabling Identity Awareness on the Security Gateway For example. For example:    Identity Awareness Captive Portal . username. you need to enter a domain name. Click Next. The IP address selected by default is the <gateway's main IP address>/connect. select the Active Directory to configure from the list that shows configured LDAP account units or create a new domain.10. 8.2. In the Captive Portal Settings page. select I do not wish to configure Captive Portal at this time and click Next. All IP addresses configured for the gateway show in the list. The same IP address can be used for other portals with different paths. 9.2. CORP. select a URL for the portal. If you selected Captive Portal on the first page. If you selected to use Captive Portal and do not wish to configure Active Directory.2/DLP Mobile Access Portal .1/connect DLP Portal . 7.20. If you have not set up Active Directory.2.2.

click Edit. By default. CORP. click Access Roles > New Access Role. use these access role objects in the Rule Base.Creating Access Roles 12. Active Directory and / or Captive Portal become active. To enforce Identity Awareness. 15. the portal is accessible only through internal interfaces. You can select specific users. Access role objects define users. We do not recommend that you make the portal accessible through external interfaces on a perimeter gateway. The Access Role window opens. Creating Access Roles After you activate Identity Awareness. The Identity Awareness is Now Active page opens. To create an access role: 1. you can create access role objects. Configuring Identity Awareness Page 26 . When you set an Active Directory domain. Click Finish.COM_ _ AD. network and machine or be general for a certain user from any network or any machine. user groups or user branches. Select Policy > Install from the SmartDashboard menu. The access role can be specified for a certain user. The LDAP Account Unit name syntax is: <domain name>_ _ AD For example. To change this. From the Users and Administrators tree. go to the Firewall tab > Servers and OPSEC Applications tab in the objects tree > LDAP Account Unit. Results of the Wizard These are the results of the wizard:   Depending on the acquisition methods you set. Click Next to complete the wizard and see what is configured. machines and network locations as one object. 13. 14. the system creates an LDAP Account Unit object for the Active Directory domain.ACME. To view/edit the LDAP Account Unit object.

click and select a network.includes machines identified by a supported authentication method (Active Directory or LDAP machines). A window opens. 3. Your selections are shown in the Users node in the Role Preview pane. Specific machines. 7. Active Directory users or LDAP users).click . In the Networks tab. select one of these:    Any machine All identified machines . In the Machines tab. select one of these:   Any network Specific networks . You can search for Active Directory entries or select them from the list. Select a Color for the object (optional).Creating Access Roles 2. Your selections are shown in the Machines node in the Role Preview pane. Specific users -click . 5. Enter a Name and Comment (optional) for the access role. In the Users tab. Click OK. select Enforce IP spoofing protection (requires full identity agent) if you want to enable the packet tagging feature. You can search for Active Directory entries or select them from the list.includes any user identified by a supported authentication method (internal SmartDashboard users. 6. A window opens. Your selection is shown under the Networks node in the Role Preview pane. Configuring Identity Awareness Page 27 . The access role is added to the Users and Administrators tree. In the Machines tab. select one of these:    Any user All identified users . 4. 8.

After the system gets the credentials from the Captive Portal.If an unidentified Finance Dept user tries to access the Finance Web Server with http. it then goes on to the second rule and continues until it matches a rule. In rules with access roles. it can examine the rule for the next connection. In a rule that uses an access role in the Source column. Click OK. If it does not match an access role. 1 Source Finance_Dept (Access Role) Admin_IP Any Destination Service Action Accept (redirect to Captive Portal) Accept Drop Finance_Web_ Any Server Any Any Any Any 2 3 Example 1 . Important .You can only redirect http traffic to the Captive Portal. a redirect to the Captive Portal occurs. When identity data for an IP is unknown and: To redirect http traffic to the Captive Portal: 1. the traffic is redirected to the Captive Portal to get credentials and see if there is a match. Note: redirection will not occur if the source IP is already mapped to a user checkbox. If not all conditions apply. the rule is applied and the traffic is accepted/dropped based on the action. criteria matching operates like this:  When identity data for an IP is known:       If it matches an access role. When a Security Gateway receives a packet from a connection. If this property is added. right-click the Action column and select Edit Properties. If the source identity is known.Using Identity Awareness in the Firewall Rule Base Using Identity Awareness in the Firewall Rule Base The Security Gateway examines packets and applies rules in a sequential manner. 2. Below is an example of a Firewall Rule Base that describes how matching operates: No. the gateway allows access to the Configuring Identity Awareness Page 28 . there is no match and the next rule is examined. the user is redirected to the Captive Portal. The Action column shows that a redirect to the Captive Portal occurs. Select the Redirect http connections to an authentication (captive) portal. the Action in the rule (Allow or Block) is enforced immediately and the user is not sent to the Captive Portal. it goes on to examine the next rule. If all the conditions apply. If there is no match. when the source identity is unknown and traffic is HTTP. you can add a property in the Action field to redirect traffic to the Captive Portal. The Action Properties window opens. The connection is http. 3.When you set the option to redirect http traffic from unidentified IP addresses to the Captive Portal. All the rule’s fields match besides the source field with an access role. it examines the packet against the first rule in the Rule Base. Note . In rules with access role objects. After the user enters credentials. make sure to place the rule in the correct position in the Rule Base to avoid unwanted behavior. The action is set to redirect to the Captive Portal.

If the source identity is known. Negate and Drop When you negate a source or destination parameter. In rules with access role objects. If this property is added. When the object is an access role. For example. After the administrator is identified. she will have access to the Intranet Web Server. a redirect to the Captive Portal occurs despite rule number 2.Using Identity Awareness in the Application Control Rule Base Finance Web Server. The rule means that everyone (including unidentified users) can access the Intranet Web Server except for temporary employees. Example 2 . this includes all unidentified entities as well. To prevent access to unidentified users. When you negate an access role. the Action in the rule (Allow or Block) is enforced immediately and the user is not sent to the Captive Portal.If an unidentified administrator tries to access the Finance Web Server with http. After the system gets the credentials from the Captive Portal. For example. it examines the packet against the first rule in the Rule Base. Access is allowed based on rule number 1. To let the administrator access the Finance Web Server without redirection to the Captive Portal. Any. it means that the rule is applied to "all except for" the access role and unidentified entities. the packet is allowed. If there is no match. In rules with access roles. you can add a property in the Action field to redirect traffic to the Captive Portal. it can examine the rule for the next connection. the rule is applied and the traffic is allowed/blocked based on the action. criteria matching operates like this:  When identity data for an IP is known:   If it matches an access role. If no rule matches. rule number 2 matches. a rule that allows file sharing between the IT department and the Sales department. the user is redirected to the Captive Portal. it goes on to examine the next rule. If it does not match an access role. If a temporary employee is not identified when she accesses the system. which identifies the user through the Captive Portal as belonging to the Finance Dept access role. add another rule that ensures that only identified employees will be allowed access and that attempts by a temporary employee will be dropped. Using Identity Awareness in the Application Control Rule Base The Security Gateway inspects Application Control requests and applies rules in a sequential manner. Drop rule. switch the order of rules 1 and 2 or add a network restriction to the access role. when the source identity is unknown and traffic is HTTP. When a Security Gateway receives a packet from a connection. let's say that the below rule is positioned above the Any. Configuring Identity Awareness Page 29 . it goes on to the second rule and continues until it completes the Rule Base. it means that a given rule applies to all sources/destinations of the request except for the specified source/destination object. Access Role Objects Access Role objects can be used as a source and/or destination parameter in a rule.

This happens because the action is set to redirect to the Captive Portal. This means you cannot have a rule that uses an access role in both the Source column and the Destination column. The Action column shows that a redirect to the Captive Portal occurs. 2.Using Identity Awareness in the Application Control Rule Base  When identity data for an IP is unknown and:    All the rule’s fields match besides the source field with an access role. but not the Source column. there is no match and the next rule is examined. traffic cannot be redirected to the Captive Portal. right-click the Action column and select Edit Properties. After entering credentials and being identified. the traffic is redirected to the Captive Portal to get credentials and see if there is a match. Since none of the rules match. you cannot use access roles in both the Source and Destination columns in the same Rule Base. Source and Destination Fields These issues are related to Source and Destination fields:  You can use access role objects in the Source column or the Destination column of a rule. Example 3 . Since none of the rules match. In the Source and Destination columns. To redirect HTTP traffic to the Captive Portal: 1. Below is an example of an Application Control Rule Base that shows how criteria matching operates: No. you can use a network object together with an access role object. the user is granted access to Gmail. the user is granted access to the Remote Administration Tool. The action is set to redirect to the Captive Portal. 3.  When the criteria does not match any of the rules in the Rule Base:  The traffic is allowed. In a rule that uses an access role in the Source column. Click OK. If all the conditions apply. different users experience different outcomes: Example 1 . Furthermore.An unidentified user that browses to Gmail does not match rules 1 and 2 because of the application. Because the application is not HTTP. 1 Source Finance_Dept (Access Role) Destination Service Application Internet Any Salesforce Action Allow (redirect to Captive Portal) 2 Any_identified_user Internet (Access Role) Any Remote Allow Administration Tool (nonHTTP category) Any recognized Block 3 Any_identified_user Internet (Access Role) Any When browsing the Internet.An unidentified user that attempts to access the Remote Administration Tool matches rule 2.An unidentified Finance user that attempts to access Salesforce is sent to the Captive Portal. Select Redirect HTTP connections. Example 2 . the user is granted access according to rule number 1. The Action Properties window opens. The connection protocol is HTTP.  Configuring Identity Awareness Page 30 . But the condition between them is "or" and not "and". In rule 3 there is also no match because the action is not set to redirect to the Captive Portal. If not all conditions apply.

If you already configured the portal in the Identity Awareness Wizard or SmartDashboard. A more advanced deployment is possible where the portal runs on a different gateway. Unlike the Firewall Rule Base.The primary URL that users are redirected to for the Captive Portal. configure:       Portal Network Location Access Settings Authentication Settings Customize Appearance Users Access Agent Deployment from the Portal Portal Network Location Select if the portal runs on this gateway or a different Identity Awareness enabled gateway. Aliases . ID. To make the alias work. 2. You might have already configured this in the Identity Awareness Wizard. Configuring Captive Portal in SmartDashboard In the Identity Sources section of the Identity Awareness page. its URL shows below Captive Portal. it must be resolved to the main URL on your DNS server. See the Deployment section for more details. The gateway thus redirects unidentified users to the portal on the same gateway. It is allowed. it is not automatically blocked. if a connection does not match any of the rules.yourcompany. Select Captive Portal and click Settings. This example shows rules that block temporary employees from accessing the Internet and allows access for identified employees. This rule makes sure that only identified users will be allowed access and attempts by unidentified users will be blocked.com can send users to the Captive Portal.Click the Aliases button to Add URL aliases that are redirected to the main portal URL. To prevent this you must include an access role that prevents access to unidentified users. Access Settings Click Edit to open the Portal Access Settings window. The default is that the Captive Portal is on the gateway. For example. To configure the Captive Portal settings: 1. when you use negate on an access role you allow all unidentified users and anyone who is not the access role access. select Captive Portal to send unidentified users to the Captive Portal. In this window you can configure:   Main URL . From the Portal Settings window. This is the basic configuration.Configuring Captive Portal in SmartDashboard Negate and Block Negate and block in the Application Control Rule Base operates similarly to Negate and drop (on page 29) in the Firewall Rule Base. Configuring Identity Awareness Page 31 . Thus.

Users from all LDAP servers. User Directories . Users are sent to the Captive Portal if they use networks connected to these interfaces. You might choose only one or two options if users are only from a specified directory or directories and you want to maximize gateway performance when users authenticate.A configured RADIUS server.Select one or more places where the gateway searches to find users when they try to authenticate. In this window you can configure:  Authentication Method .   Internal users . LDAP users .The directory of LDAP users. Select the server from the list.This can be configured internally or on an LDAP server.Users from an LDAP server that you select. External user profiles .Click Import to import a certificate for the portal website to use.The directory of internal users.   Through all interfaces Through internal interfaces  Including undefined internal interfaces  Including DMZ internal interfaces According to the Firewall policy . See Server Certificates (on page 54) for more details.Click Edit to select from where the portal can be accessed.The directory of users who have external user profiles. Either:  Any .  The default is that all user directory options are selected. This might cause browser warnings if the browser does not recognize Check Point as a trusted Certificate Authority. the portal uses a Check Point auto-generated certificate. The options are based on the topology configured for the gateway.    User name and password .  Specific .Select this if there is a rule that states who can access the portal. Accessibility . Configuring Identity Awareness Page 32 .   Authentication Settings Click Settings to open the Authentication Settings window.Configuring Captive Portal in SmartDashboard  Certificate . Users with identical user names must log in with domain\user. If you do not import a certificate.Select one method that known users must use to authenticate. Customize Appearance Click Edit to open the Portal Customization window and edit the images that users see in the Captive Portal. You might have already configured this in the Identity Awareness Wizard. RADIUS . Configure the labeled elements of the image below.

This name is used in the agreement. Customized agreement .You can add user groups and give them settings that are different from other users. The default title is Network Access Login.Configuring Captive Portal in SmartDashboard Label Number 1 Name Portal Title To do in GUI Enter the title of the portal. Select Use my company logo for mobiles and Browse to select a smaller logo image for users who access the portal from mobile devices. Replace Company Name with the name of your company.Paste the text of a customized agreement into the text box. Settings specified for a user group here override settings configured elsewhere in the Portal Settings.For how long can they access network resources before they have to authenticate again.For how long can they access network resources before they have to authenticate again. The options that you configure per user group are:   If they must accept a user agreement. Click Edit to upload an agreement.Let guests who are not known by the gateway access the network after they enter required data. Click Edit to choose an agreement and the End-user Agreement Settings page opens.   Login Fields .   Access will be granted for xxx minutes .You can require that users sign a user agreement. Adjust portal settings for specific user groups .   Name and password login. Unregistered guests login .Select this to use the standard agreement. See the text in the Agreement preview.Edit the table shown until it contains the fields that users complete in that sequence. This option is not selected by default because a user agreement is not usually necessary for known users. Unregistered Guest Login Settings Click Settings to configure settings for guests. If they must download the Identity Agent and which one.Makes users sign a user agreement. Name and Password Login Settings Click Settings to configure settings for known users after they enter their usernames and passwords successfully.Users are prompted to enter an existing username and password. 2 Company Logo 2 Company Logo for mobiles User Access Configure what users can do in the Captive Portal to become identified and access the network. This will only let known users authenticate.   If they can defer the Identity Agent installation and until when.   Access will be granted for xxx minutes . Select Use my company logo and Browse to select a logo image for the portal. Ask for user agreement . Ask for user agreement . Select Is Mandatory for each field that guests must complete before they can get access to the Configuring Identity Awareness Page 33 . You can only configure settings about Identity Agent deployment if Identity Agent is selected on the Identity Awareness page. You can use HTML code. Select an agreement to use:  Default agreement with this company name .

Configuring Identity Agents Identity Agents are dedicated client agents installed on users' computers that acquire and report identities to the Security Gateway. Light Identity Agent or Custom Identity Agent. Configuring Identity Awareness Page 34 . Before you configure Identity Agents. Server discovery and trust . Agent Deployment from the Portal If Identity Agents is selected as a method to acquire identities. Use the green arrows to change the sequence of the fields. Automatic authentication using Single Sign-On (SSO) . Select which Identity Agent they must install.Full Identity Agent . the Identity Agent must discover and trust the server that it connects to. see Prepackaging Identity Agents (on page 77). The Custom Identity Agent is a customized installation package. You get SSO with Kerberos. It is not necessary to have administrator permissions to install the Light Identity Agent. Installation deployment methods. The Identity Agent identity source uses SSO to authenticate users when they enter their login credentials (Active Directory or other authentication server). If you do not use SSO. The system securely gets authentication data one time without making users authenticate manually (as is necessary with Captive Portal). users enter credentials in another window.Full Identity Agent.Select this to make users install the Identity Agent.a customized installation package.    Identity Agent Types There are 3 Identity Agent types that you can install:    Identity Agent .  Require users to download . For the Full Identity Agent you can enforce IP spoofing protection. To set up Kerberos. Installation permissions .Custom .You can deploy the Identity Agent for installation through the Captive Portal or use other means you use to deploy software in your organization.Light Identity Agent .Configuring Identity Agents network. users will only be able to access the network if they install the identity agent. you can configure that users must download the Identity Agent from the Captive Portal. an inherent authentication and authorization protocol in Windows networks that is available by default on all Windows servers and workstations. All necessary configuration is done by administrators and does not require user input. The first field will show in the SmartView Tracker logs. If this option is selected and the defer option is not selected. For the Full Identity Agent you can also manage asset detection if you define machines in access roles. For more information. You can configure one of five methods. Select the date by which they must install it. see Kerberos SSO Configuration (on page 71). To add a new field.Identity Agents installed on endpoint computers authenticate users automatically when they log in to the domain using SSO.Select this if you want to give users flexibility to choose when they install the Identity Agent. you must think about these elements:  Identity Agent type .Before the Identity Agent can connect to a Security Gateway with Identity Awareness. Until that date a Skip Identity Agent installation option shows in the Captive Portal. You can also let users choose not to install the Identity Agent immediately and instead wait until a specified later date.To install the Full Identity Agent the computer must have administrator permissions.  Users may defer installation until . enter it in the empty field and then click Add.

The system opens a window for entering credentials. Packet Tagging for Anti-Spoofing IP Spoofing happens when an unauthorized user assigns an IP address of an authenticated user to an endpoint computer. This table shows the similarities and differences of the Identity Agent types.Users that log in to the Active Directory domain are transparently authenticated (with SSO) and identified when using an Identity Agent. Machine identification . Packet tagging . Configuring Identity Awareness Page 35 . This is done by a joint effort between the Identity Agent and the Security Gateway that uses a unique technology that sign packets with a shared key. IP change detection . Identity Agent Light Identity Agent Full Installation Elements Agent format Resident application Resident application + service + driver Administrator Installation permissions Upgrade permissions Security Features User identification Machine identification IP change detection Packet tagging None None None SSO No SSO Yes Yes Yes No Yes The installation file size is 7MB for both types and the installation takes less than a minute.When an endpoint IP address changes (interface roaming or DHCP assigns a new address). The Identity Agent tells the Security Gateway and you stay connected. the user bypasses identity access enforcement rules.Configuring Identity Agents User identification .You get machine identification when you use the Full Agent as it requires installing a service. you can enable Packet Tagging. To protect packets from IP spoofing attempts. By doing so. Packet Tagging is a patent pending technology that prevents spoofed connections from passing through the gateway. the Identity Agent uses username and password authentication with a standard LDAP server. the Identity Agent automatically detects the change. It is also possible to poison ARP tables that let users do ARP "man-in-the-middle attacks" that keep a continuous spoofed connectivity status. If you do not configure SSO or you disable it.A technology that prevents IP spoofing is available only for the Full Agent as it requires installing a driver.

The Success status indicates that a successful key exchange happened. In the Machines tab. During installation. the Identity Agent automatically knows if there are administrator permissions on the computer or not and installs itself accordingly. 4. Identity Agent Deployment Methods There are 2 Identity Agent deployment methods:  Using Captive Portal . Make sure users have the full Identity Agent installed.Configuring Identity Agents The Identity Awareness view in SmartView Tracker shows Packet Tagging logs.you can configure that users must download the Identity Agent from the Captive Portal. To enable IP Spoofing protection: 1. select Enforce IP spoofing protection (requires full identity agent). the Light Identity Agent is installed instead. If the user does not have administrator permissions.When you deploy the Full Identity Agent it is necessary for the user that installs the client to have administrator rights on the computer. 2. You can also let users choose not to install the Identity Agent immediately and instead wait until a specified later date. Create an Access Role ("Creating Access Roles" on page 26). Note .Packet Tagging can only be set on computers installed with the Full Identity Agent. 3. Click OK. Configuring Identity Awareness Page 36 . Note .

From the Identity Awareness page.msi For more information. There are several methods you can use to configure this.  If they can defer the Identity Agent installation and until when. 3. From the Portal Settings window. users will can only access the network if they install the Identity Agent. select the Require users to download checkbox to make users install the Identity Agent. Configuring Agent Deployment for User Groups When necessary. Click OK. Trust is verified by comparing the server fingerprint calculated during the SSL handshake with the expected fingerprint. There are 5 server discovery and trust methods: Configuring Identity Awareness Page 37 . Settings specified for a user group here override settings configured elsewhere in the Portal Settings. You can find a customizable msi version of the Identity Agent (for distribution via a software distribution tool) in these places:   Installed Security Gateway . The most basic method is to configure one server.in /opt/CPNacPortal/htdocs/nac/nacclients/customAgent. Select Captive Portal and click Settings. select the Enable Identity Agent checkbox. see Prepackaging Identity Agents (on page 77). 3. 5. To configure Identity Agent deployment for user groups: 1. 4. Click OK. if you have a group of mobile users that roam and it is necessary for them to stay connected as they move between networks. For example. select the Enable Identity Agent checkbox. Select Adjust portal settings for specific user groups . If they must download the Identity Agent and which one.msi Secure Platform installation CD . Another method is to deploy a domain wide policy of connecting to a Security Gateway with Identity Awareness based on the Identity Agent client's current location.You can add user groups and give them settings that are different from other users. you can configure specific groups to download the Identity Agent. Select the date by which they must install it.in /linux/windows/Check_Point_Custom_Nac_Client. Configuring Agent Deployment from Captive Portal To configure Identity Agent deployment from Captive Portal: 1. The msi installation files (Light and Full) can be found in the \linux\windows directory on the supplied DVD. Select which Identity Agent they must install. Server Trust refers to the procedure that:   Makes sure that the Identity Agent connects to a genuine Security Gateway with Identity Awareness.you can deploy the Identity Agent with distribution software. Until that date a Skip Identity Agent installation option shows in the Captive Portal. To give users flexibility to choose when they install the Identity Agent. 4. The options that you configure for each user group are:   If they must accept a user agreement. 2. If you select this option and you do not select the defer option. select Users may defer installation until. an attempt to launch a Man-in-the-middle attack. Select Captive Portal and click Settings. Server Discovery and Trust Server Discovery refers to the procedure the Identity Agent uses to find which Security Gateway with Identity Awareness to connect to.Configuring Identity Agents  Using distribution software . Select Name and password login and click Settings. 5. 2. For example. From the Identity Awareness page. Makes sure that the communication between the Identity Agent and the Security Gateway with Identity Awareness is not being tampered with.

2. configure:     Agent Access Authentication Settings Session details Agent Upgrades Agent Access Click Edit to select from where the Identity Agent can be accessed. users will have to manually trust the server (a trust window opens). Remote registry – All client configuration resides in the registry. The options are based on the topology configured for the gateway. This includes the Identity Server addresses and trust data. Configuring Identity Agents in SmartDashboard In the Identity Sources section of the Identity Awareness page. users will have to manually trust the server (a trust window opens). Configuring Identity Awareness Page 38 . or any other method that lets you control the registry remotely). Users can communicate with the servers if they use networks connected to these interfaces. Select Identity Agents and click Settings. You can deploy these values before installing the client (by GPO. AD based configuration – If the Identity Agent computers are members of an Active Directory domain. any Identity Agent downloaded from the Captive Portal is renamed to include the Captive Portal machine IP address in it. see Server Discovery and Server Trust ("Server Discovery and Trust" on page 83). PrePackaging – You can create a prepackaged version of the client installation that comes with the Security Gateway with Identity Awareness IP and trust data.If no other method is configured (out of the box situation). During installation. To configure the Identity Agent settings: 1. From the Identity Agents Settings window.   For more details. you can deploy the server addresses and trust data using a dedicated "Distributed Configuration" tool. When you use this method.Configuring Identity Agents  File name based server configuration . Because DNS is not secure. The Identity Agent can then use them immediately.   DNS SRV record based server discovery – You can configure the Security Gateway with Identity Awareness addresses in the DNS server. select Identity Agents to configure Identity Agent settings. the Identity Agent uses this IP for the Security Gateway with Identity Awareness.

Either:  Any . Upgrade only non-compatible versions .Users from an LDAP server that you select.the Identity Agent is automatically updated in the background without asking the user for upgrade confirmation. Allow user to save password .click the button to show the Identity Agent versions installed in the system. Select the server from the list. User Directories . Configuring Identity Awareness Page 39 .  The default is that all user directory options are selected.Select one method that known users must use to authenticate. Installed Agents Versions .A configured RADIUS server.Configuring Identity Agents   Through all interfaces Through internal interfaces   Including undefined internal interfaces Including DMZ internal interfaces  According to the Firewall policy .the system will only upgrade versions that are no longer compatible.The interval at which the Identity Agent sends a keepalive signal to the Security Gateway.For how long can users access network resources before they have to authenticate again. You might choose only one or two options if users are only from a specified directory or directories and you want to maximize gateway performance when users authenticate.You can select all users or select specific user groups that should be checked for agent upgrades.settings made by users before the upgrade are saved. Users with identical user names must log in with domain\user. Session Configure data for the logged in session using the Identity Agent. When using SSO. The keepalive is used as the server assumes the user logged out if it is not sent. this is irrelevant. External user profiles .The directory of internal users.Users from all LDAP servers.      Check agent upgrades for .The directory of LDAP users.When SSO is not enabled. Authentication Settings Click Settings to open the Authentication Settings window. RADIUS . LDAP users . Keep agent settings after upgrade . Users should reauthenticate every XXX minutes .the Identity Agent is accessible through interfaces associated with source networks that appear in access rules used in the Firewall policy. you can let users save the passwords they enter in the Identity Agent login window. Upgrade agents silently (without user intervention) .This can be configured internally or on an LDAP server.The directory of users who have external user profiles. Lower values affect bandwidth and network performance.Select one or more places where the gateway searches to find users when they try to authenticate. In this window you can configure:  Authentication Method .  Agents send keepalive every X minutes .  Specific .    User name and password .   Agent Upgrades Configure data for Identity Agent upgrades.   Internal users .

select the Active Directory to configure from the list that shows configured LDAP account units or create a new domain. If you select this domain.Configuring Identity Awareness for a Log Server Configuring Identity Awareness for a Log Server When you configure Identity Awareness for a Log Server. The LDAP Account Unit name syntax is: <domain name>_ _ AD For example. From the Network Objects tree. 7.COM_ _ AD. password and domain controller credentials. the system creates an LDAP Account Unit with all of the domain controllers in the organization's Active Directory. Note . When SmartDashboard is part of the domain. username.For AD Query you must enter domain administrator credentials. Enabling Identity Awareness on the Log Server Before you enable Identity Awareness on the Log Server:   Make sure there is network connectivity between the Log Server and the domain controller of your Active Directory environment. If it is necessary for AD Query to fetch data from other domain controllers. you are incorporating user and machine identification into Check Point logs. the LDAP account unit that the system creates contains only the domain controller you set manually. Configuring Identity Awareness Page 40 .We highly recommend that you go to the LDAP Account Unit and make sure that only necessary domain controllers are in the list. The data extracted from AD is stored in an association map on the Log Server. Important . When Security Gateways generate a Check Point log entry and send it to the Log Server. With Identity Awareness administrators can analyze network traffic and security-related events better. you need to enter a domain name. right-click Check Point and select the gateway with the Log Server. If AD Query is not required to operate with some of the domain controllers. On the Identity Awareness page. select Identity Awareness. 6. The Identity Awareness Configuration wizard opens.ACME. To enable Identity Awareness on the Log Server: 1. 5. Get the Active Directory administrator's credentials. 3. If you have not set up Active Directory. 2. you must add them at a later time manually to the LDAP Servers list. delete them from the LDAP Servers list. From the Select an Active Directory list. go to the Firewall tab > Servers and OPSEC Applications tab in the objects tree > LDAP Account Unit. CORP. 4. SmartDashboard suggests this domain automatically. Log in to SmartDashboard. It then adds this identity aware information to the log. If you create a new domain. To view/edit the LDAP Account Unit object. From the Gateway Properties tree. the server gets the user and machine name from the association map entry that corresponds to the source IP address. select Add Identity to logs received from non-identity aware gateways. The Log Server communicates with Active Directory servers and gets user and machine names along with the source IP address information from AD event logs. Enter the Active Directory credentials and click Connect to verify the credentials. Click Finish. The Integration With Active Directory window opens. Click Next.

   For logging and auditing with basic enforcement . IP spoofing protection can be set to prevent packets from being IP spoofed.these are some identity source options:  AD Query and Captive Portal . Depending on your organization's requirements. This automatically creates an LDAP Account Unit. The AD Query finds all AD users and machines. For logging and auditing only . but you then must make additional changes as listed below in the LDAP Account Unit. You must manually create all other domains you want Identity Awareness to relate to from Servers and OPSEC Applications > Servers > New > LDAP Account Unit. For Data Center protection .You can add Identity Agents if you have mobile users and also have users that are not identified by AD Query. The Captive Portal identity source is necessary to include all non-Windows users. Users that are not identified encounter redirects to the Captive Portal.e.select the Add identity to logs option on the Identity Awareness page.set the AD Query and Captive Portal identity sources.When most users are desktop users (not remote users) and easy deployment is important.enable Identity Awareness on the gateway and select AD Query as the identity source. It also serves as a fallback option if AD Query cannot identify a user. you can choose to set them separately or as combinations that supplement each other. Note . The Captive Portal is used for distributing the Identity Agent. For Application Control .Chapter 3 Identity Sources In This Chapter Choosing Identity Sources Advanced AD Query Configuration Advanced Captive Portal Configuration Advanced Identity Agents Configuration 41 41 49 56 Choosing Identity Sources Identity sources are different in terms of security and deployment considerations.  Advanced AD Query Configuration Configuring Identity Awareness for a Domain Forest (Subdomains) You need to create a separate LDAP Account Unit for each domain in the forest (i. subdomain).  Identity Agents and Captive Portal . You can use the Identity Awareness Configuration Wizard to define one of the subdomains.When a high level of security is necessary. Page 41 . This section presents some examples of how to choose identity sources for different organizational requirements. You cannot add domain controllers from two different subdomains into the same account unit.

This is configured in the SmartDirectory (LDAP) page of the Gateway Properties. then for the Enterprise administrator John_Doe enter in the Username field: ACME. where each site has its own domain controllers that are protected by a Security Gateway. In Objects Management tab > Branches in use . the default priority of the Account Unit must be set to a value higher than 1000.ACME. change DC=ACME. An Enterprise administrator account that is a member of the Enterprise Admins group in the domain. When AD Query is enabled on Security Gateways.Advanced AD Query Configuration When you create an LDAP Account Unit for each domain in the forest.COM and the subdomain is SUB. When all of the domain controllers belong to the same Active Directory.DC=DOMAIN_SUFFIX. Identity Sources Page 42 . For each domain controller that is to be ignored.add the login DN. Make sure the username is one of these:   A Domain administrator account that is a member of the Domain Admins group in the subdomain. For example.DC=ACME. a single LDAP Account Unit is created in SmartDashboard. In LDAP Server Properties tab > Add > Login DN .COM. in the LDAP Account Unit go to LDAP Server Properties tab > Add > Username.COM\John_Doe Note . note the instructions for these fields: 1.DC=local Specifying Domain Controllers per Security Gateway An organization's Active Directory may have several sites. if the domain is ACME. For example. enter the administrator's name as domain\user.In the wizard this is the Username field.DC=DOMAIN_SUFFIX to DC=SUB_DOMAIN_NAME.Edit the base DN from DC=DOMAIN_NAME. 2.DC=local to DC=SUB. 3. you may want to configure each Security Gateway to communicate with only some of the domain controllers.DC=DOMAIN_NAME. If you use an Enterprise administrator.

Identity Sources Page 43 . 2. This means that all other domain controllers must be set to a priority higher than 1000 in the gateway properties. Log in to SmartDashboard. select SmartDirectory (LDAP). right-click Check Point and select the Security Gateway. 5. 4.com has 5 domain controllers. To specify domain controllers per Security Gateway: 1. Create an environment variable named CP_SHOW_SMARTDIRECTORY=0 on the computer that runs SmartDashboard. Click Selected Account Units list and click Add.Advanced AD Query Configuration For example. let's say that the LDAP Account Unit ad. From the Gateway Properties tree. On the Security Gateway we want to enable AD Query only for domain controllers dc2 and dc3.mycompany. 3. From the Network Objects tree.

Select your Account Unit.Advanced AD Query Configuration 6. Identity Sources Page 44 . 7. Clear the Use default priorities checkbox and set the priority 1001 to dc1. dc4 and dc5.

For example. The system receives a security event log when a user or machine accesses a network resource. If necessary. a user sitting at the same computer with the same IP address originally authenticated. unlocks a screen. To prevent this you can exclude irrelevant accounts ("Excluding Users" on page 46) from being logged. etc. Install policy. usually this is not a problem. or shares a network drive.   Single User Assumption A solution for multiple accounts logging in with the same IP address is to assume that only one user is connected to each computer. You can see the domain controllers that the Security Gateway is set to communicate with as well as the domain controllers it ignores. When the administrator logs out. you can increase the default time (Check Point Gateway Properties > Identity Awareness > Active Directory Query Settings).Advanced AD Query Configuration 8. user B will be considered the user connected to the computer. Permissions and Timeout AD Query is based on querying the Active Directory Security Event Logs and extracting the user and machine mapping to the network address from them. AD Query does not distinguish between application service accounts on a user's machine and the actual user's account. it is necessary to exclude any service accounts used by user computers. a user logs in. Multiple accounts can be connected to the same IP address. When this happens. This happens because IP permissions are kept until the timeout value passes and Identity Awareness does not detect user logs out. you can exclude "dummy" user names used for automatic actions or services running on endpoint computers (anti-virus. if user A logs out before the timeout and user B logs in. Resulting logs show that multiple accounts are logged in on the same IP. when a Helpdesk administrator logs on to install a program for a user. 9. permissions are no longer applicable. Notifications are not sent when a user logs out as the Active Directory is not aware of this. users access resources every 30 minutes that create authentication requests. User B will then only have his permissions and not user A's permissions. If the user does not access an Intranet resource that requires authentication after logging in. backup. For example. For example. For example. the user will no longer have permissions after the timeout period. the user will get the Helpdesk administrator's permissions plus his own permissions until the timeout. Checking the Status of Domain Controllers You can make sure that the domain controllers are set properly by using the adlog CLI. Identity Sources Page 45 . To prevent this you must first filter service accounts and then enable single user assumption. For example. The CLI command is adlog a dc. Click OK. the user gets the Captive Portal for authentication purposes (if Captive Portal is set). When using AD Query you must be aware of its limitations:  When the defined timeout passes (12 hours by default). Before you can make this assumption. On average.).

If you do not exclude them. Exclude any service accounts. the AD server can become overloaded with WMI queries. Click Advanced. 4. Programs that have many authentication requests result in a larger amount of logs.). etc. 3.Another way to keep these issues to a minimum is to increase DHCP lease time. You can use the * and ? wildcard characters to specify multiple users in a list entry. All other gateways to get identities from the gateway that acquires identities from the given domain controller. Excluding Users You can distinguish between application service accounts on a user's machine and the actual user's account by excluding the service accounts. 4. See the Deployment Scenarios (on page 62) section for more details. Click Add. Use dbedit or GuiDBEdit tools to set the SupportUnicode attribute to true on the LDAP Account Unit object. 2. Multiple Gateway Environments In environments that use multiple gateways and AD Query. To set single user assumption: 1. Click OK. The observed bandwidth range varies between 0. The generated events include event logs and authentication events. The LDAP Account Unit object is found in the Servers table. 3. You do not need to set this attribute when Identity Awareness is enabled on the Security Management Server or Log Server. If more than one gateway gets identities from the same AD server. select Settings for Active Directory Query. select Settings for Active Directory Query. Performance Bandwidth between the Log server and Active Directory Domain Controllers The amount of data transferred between the Log server and domain controllers depends on the amount of events generated. backup. To distinguish between application server accounts and a user's account: 1. 2. You can also enter any regular expression via the syntax regexp:<regular expression>. In the Excluded Users / Machines section. Identity Sources Page 46 . From the Identity Awareness page. 5. they show up multiple times in logs. you must set an attribute. This is the gateway that gets identities from a given domain controller. Select Assume that only one user is connected per computer.25 Mbps per each 1000 users.Advanced AD Query Configuration Note . See Excluding Users (on page 46). we recommend that you set only one gateway to acquire identities from a given Active Directory domain controller per physical site. Click OK. type the name or name pattern of the Active Directory accounts to ignore. Set these options on the Identity Awareness page:   One gateway to share identities with other gateways.1 to 0. From the Identity Awareness page. The amounts vary according to the applications running in the network. These service accounts are used for automatic actions or services running on endpoint computers (anti-virus. Non-English Language Support To support non-English user names on a Security Gateway enabled with Identity Awareness.

Enter wbemtest. Perform standard network diagnostics as required. see Configuring the firewall (on page 48) and sk58881 (http://supportcontent. perform the following troubleshooting steps: In this section: Check Connectivity Use wbemtest to Verify WMI Confirm that Security Event Logs are Recorded Install Database for a Log Server 47 47 49 49 Check Connectivity 1. Use wbemtest to Verify WMI To use the Microsoft wbemtest utility to verify that WMI is functional and accessible. Ping the Security Gateway with Identity Awareness/log server from your domain controller. the impact on the domain controller's CPU is less than 3%. click Connect.com\admin Identity Sources Page 47 . 2.44\root\cimv2 b) Fully qualified AD user name. 3. Troubleshooting If you experience connectivity problems between your domain controllers and Security Gateway with Identity Awareness/log servers. 4. If there are drops. 4.checkpoint.Advanced AD Query Configuration CPU Impact When using AD Query. Click Start > Run. 3.com/solutions?id=sk58881). Check SmartView Tracker and see if there are drops between a Security Gateway defined with AD Query (Source) and the domain controller (Destination).company. 2. In the Connect window.22. Ping the domain controller from the Security Gateway with Identity Awareness/log server. 1. enter the following information: a) Domain controller in the following format: \\<IP address>\root\cimv2 For example: \\11. In the Windows Management Instrumentation Tester window.exe in the Run window. For example: ad.33.

Locate the Windows Management Instrumentation service and verify that the service has started. If the domain controller root directory appears. If the connection fails. 3. Identity Sources Page 48 .33. Verify the WMI Service To verify if the WMI service is running: 1. Click Start > Run. 3.44\c$. configure the Firewall to allow WMI traffic. Check and retry. WMI is fully functional. right-click this service and select Start from the option menu. 4. Enter \\<domain controller IP>\c$ in the Run window. enter your domain administrator user name and password. 2. Check Domain Administrator Credentials To verify your domain administrator credentials: 1. In SmartDashboard > Firewall. For example: \\11. Save the policy and install it on Security Gateways. In the Logon window.Advanced AD Query Configuration c) Password 5. 2. If the Windows Management Instrumentation Tester window re-appears with its buttons enabled. this indicates that he is not defined as a domain administrator. Click Connect. If it has not started. check for the following conditions: a) Connectivity ("Check Connectivity" on page 47) problems b) Incorrect domain administrator credentials ("Check Domain Administrator Credentials" on page 48). Click Start > Run. 7. 6. or you receive an error message.msc in the Run window. b) You entered the incorrect user name or password. Configuring the Firewall If a Security Gateway is located between the Security Gateway with Identity Awareness/log server and the Active Directory controller. Enter services. create a rule that allows ALL_DCE_RPC traffic:     Source = Security Gateways that run AD Query Destination = Domain Controllers Service = ALL_DCE_RPC Action = Accept 2. To create firewall rules for WMI traffic: 1. this indicates that your domain administrator account has sufficient privileges. Obtain a domain administrator's credentials. An error message may indicate that: a) If the user does not have sufficient privileges.22. c) WMI service ("Verify the WMI Service" on page 48) is not running d) A firewall is blocking traffic ("Configuring the Firewall" on page 48) between the Security Gateway with Identity Awareness/log server and domain controller. c) The domain controller IP is incorrect or you are experiencing connectivity issues.

If you upgrade the Security Gateway. 2. but do not see identities in logs. you must configure language files.672. These language files are saved on the Security Gateway and cannot be upgraded. refer to Microsoft Active Directory documentation for instructions on how to configure these events. 3.If there are connectivity issues on DCE RPC traffic after this policy is installed. Select the machine(s) on which you would like to install the database and click OK. 4769. Select Policy > Install Database. AD Query reads these events from the Security Event log:   On Windows 2003 domain controllers . these files must be configured again. see sk37453 (http://supportcontent. To help you understand what each string ID means.com/solutions?id=sk37453) for a solution.4624. You can make changes to the default English language or edit files to show text strings in other languages. The Install Database script appears. 4768.. 674 On Windows 2008 domain controllers . Install Database for a Log Server If you have configured Identity Awareness for a log server. This includes changes to the text strings shown on the Captive Portal Network Login page. If the domain controller does not generate these events. To configure other languages to show text strings in a specified language on the Captive Portal. To install the database: 1. you can set the Captive Portal to String ID Help Mode.Advanced Captive Portal Configuration Note . make sure you installed the database. 673. Setting Captive Portal to String ID Help Mode To set the Captive Portal to String ID Help mode: 1.. You can change English text that is shown on the Captive Portal to different English text through the SmartDashboard. On the Security Gateway. Click Close when the script is complete. Advanced Captive Portal Configuration Customizing Text Strings You can customize some aspects of the web interface.php Identity Sources Page 49 . This mode lets you view the string IDs used for the text captions. 4770 Make sure you see the applicable events in the Event Viewer on the domain controller (My computer > Manage > Event Viewer > Security). The changes are saved in the database and can be upgraded..checkpoint. The Install Database window appears. Confirm that Security Event Logs are Recorded If you have checked connectivity ("Check Connectivity" on page 47) but still do not see identity information in logs. make sure that the necessary event logs are being recorded to the Security Event Log. open the file: /opt/CPNacPortal/phpincs/utils/L10N.

(delete the two backslashes that you see before the text return $stringID).php and put backslashes before the text return #stringID. Replace the line // return $stringID. with return $stringID. Changing Portal Text in SmartDashboard To change the text that shows in SmartDashboard: 1. Reload the Captive Portal in your web browser. To revert to regular viewing mode. Click Configure. 2. Identity Sources Page 50 . 3.Advanced Captive Portal Configuration 2. Go to Policy > Global Properties > SmartDashboard Customization. See the highlighted text in step number 2 above. 4. The Captive Portal opens showing the string IDs. open the file L10N.

Install the policy. Identity Sources Page 51 . Go to Identity Awareness > Portal Texts. Delete the word DEFAULT and type the new English text in the required field. Click OK.Advanced Captive Portal Configuration 3. 6. 5. 4.

users can choose the language they prefer to log in with from a list at the bottom of the page.Advanced Captive Portal Configuration Adding a New Language You can configure the Captive Portal to show the Network Login pages in different languages. Set the language selection list to show on the Network Login page. In the $arLanguages array. Use the English language file as a template to create new language files. 5. Save the files with UTF-8 encoding and move them to the correct location. add an entry to the supported languages file: 1. Edit the language array for the new language locale. Make sure the text strings are shown correctly. After you set the language selection list. By default. 3. you must create an entry in the supported languages file and create a new language file. Editing the Language Array The supported language file contains entries for languages that you can see in the list on the Captive Portal page. 2. For each new language. create a new locale entry with the syntax: "xx_XX" => "XName". To configure a language for Captive Portal you must: 1. To create a new language. It has a corresponding language file. Open the file: /opt/CPNacPortal/phpincs/conf/L10N/supported_languages. 4.php 2. Then translate the strings in the new language file. Identity Sources Page 52 . English is the only language entry in the list. For example: "de_DE" => "German".

If this is not possible.txt' file with UTF-8 as the encoding method and rename it to portal_xx_XX. When using Microsoft Word. Identity Sources Page 53 . On the Security Gateway. Use Notepad. 2. Move the file to /opt/CPNacPortal/phpincs/conf/L10N if it is not already there. To see the language list on the Network Login page: 1. Microsoft Word or a different editor to save the file with UTF-8 encoding. use the English language file (portal_en_US. Captive Portal users can then select the language with which to log in.Advanced Captive Portal Configuration To disable a language:  Comment out the line of the specific language or delete the line. Remove these lines: <?PHP /* */?> You can find the first line a few lines above the language_selection string.php. Showing the Language Selection List When you only use the English language. To revert back to not showing the language selection list. Translate the strings in the copied file. You cannot use HTML special character sequences such as &nbsp. 4. Rename it to the new language using the syntax portal_xx_XX. To save a file with UTF-8 encoding: 1. When you configure additional languages. Find the language_selection string which is part of <label for="language_selection">. For example. Copy the English language file: /opt/CPNacPortal/phpincs/conf/L10N/portal_en_US. 3. you must show the language selection list on the Network Login page. / &gt in the translated strings. The language selection list will show on the Network Login page. replace the current file with the backup of the original file. Saving New Language Files You must save the language file with UTF-8 encoding. but you must include all strings in the new language file. open the file: /opt/CPNacPortal/phpincs/view/html/Authentication. the language selection list does not show at the bottom of the Captive Portal Network Login page.php) as a template and refer to it for the source language.php 2. This is important to prevent breaks in the page layout. 5. It is not necessary to translate all strings. portal_de_DE. make sure that the string's length is almost the same in size as the initial English string. Creating New Language Files To create new language files.php. When you translate a string.php 2. To create a new language file: 1. / &lt. You can find the second line about 20 lines below the language_selection string. Back up the file (for possible future revert).php 3. The file contains the message strings. save the file as a '. 6. Save the file. consult with technical support.

Browse to the Captive Portal from a different browser and use a different font size. Identity Sources Page 54 . or be a chained certificate that has a certification path to a trusted root certificate authority (CA). 4. Make sure that the text is shown correctly on the Captive Portal pages.+++ writing new private key to 'server1. There are quite a few fields but you can leave some blank. The next sections describe how to get a certificate that is signed by a known certificate authority (CA) for a gateway. they are overwritten without warning.key' Enter PEM pass phrase: 3.. gateways must have a server certificate signed by a known certificate authority (such as Entrust. generate a Certificate Signing Request (CSR). Server Certificates For secure SSL communication. Browse to the Captive Portal and select the new language. From the gateway command line.This procedure creates private key files. by default. 2. Browsers do not trust this certificate.+++ . because the gateway acts as a server to the clients. The CSR is for a server certificate. use a certificate created by the Internal Certificate Authority on the Security Management Server as their server certificate. 5. What you are about to enter is what is called a Distinguished Name or a DN. 3. If you enter '. Obtaining and Installing a Trusted Server Certificate To be accepted by an endpoint computer without a warning. Fill in the data. the field will be left blank. You see this output: Generating a 2048 bit RSA private key . log in to expert mode.'. Note . 2. When an endpoint computer tries to connect to the gateway with the default certificate. Run: cpopenssl req -new -out <CSR file> -keyout <private key file> -config $CPDIR/conf/openssl.Advanced Captive Portal Configuration Making Sure the Strings Shows Correctly To make sure the strings show correctly: 1. Browse to the Captive Portal and select the English language. To prevent these warnings. the administrator must install a server certificate signed by a trusted certificate authority.cnf This command generates a private key. certificate warning messages open in the browser. gateways must establish trust with endpoint computers by showing a Server Certificate. Enter a password and confirm.. This section discusses the procedures necessary to generate and install server certificates. All portals on the same Security Gateway IP address use the same certificate. Check Point gateways. VeriSign or Thawte). Browse from different operating systems with different locale setups. You see this message: You are about to be asked to enter information that will be incorporated into your certificate request. This certificate can be issued directly to the gateway. For some fields there will be a default value. If private key files with the same names already exist on the machine. 1. Generating the Certificate Signing Request First.

Installing the Signed Certificate All portals on the same IP address use the same certificate. 1. convert these files to PEM (Base-64) format. click Import or Replace.example. From the gateway command line.crt file to install the certificate with the *.com. log in to expert mode. 2. This field must have the Fully Qualified Domain Name (FQDN). It does not affect the certificate installed manually using this procedure. 4. Import the new certificate to the gateway in SmartDashboard from a page that contains the Portal Settings for that blade. click the lock icon that is next to the address bar in most browsers. Note . Get the Signed Certificate for the gateway from the certificate authority.key private key file.crt file contains the full certificate chain up to a trusted CA. Sometimes it is in a separate file. Install the policy on the gateway.p12 -in server1. Send the CSR file to a trusted certificate authority. For example: portal. The certificate that users see depends on the actual IP address that they use to access the portal. Use the *. To see the certificate when you connect to the portal. 2.key b) Enter the certificate password when prompted. If the signed certificate is in P12 or P7B format. Identity Sources Page 55 . 3. If the signed certificate and the trust chain are in separate files. 4.not only the IP address configured for the portal in SmartDashboard. For example:    Gateway Properties > Mobile Access > Portal Settings Gateway Properties > SecurePlatform Settings Gateway Properties > Data Loss Prevention  Gateway Properties > Identity Awareness > Captive Portal > Settings > Access Settings In the Certificate section.key file that you generated in Generating the Certificate Signing Request (on page 54). a) Run: cpopenssl pkcs12 -export -out <output file> -in <signed cert chain file> -inkey <private key file> For example: cpopenssl pkcs12 -export -out server1. Keep the . Generating the P12 File After you get the Signed Certificate for the gateway from the certificate Authority. use a text editor to combine them into one file. Make sure to request a Signed Certificate in PEM format. Make sure that the . Viewing the Certificate To see the new certificate from a Web browser: The gateway uses the certificate when you connect with a browser to the portal. Usually you get the certificate chain from the signing CA.  All other fields are optional. 1. This is the site that users access. Define the IP address of the portal in the Portal Settings page for the blade.Advanced Captive Portal Configuration  The Common Name field is mandatory.crt -inkey server1.The Repository of Certificates on the IPSec VPN page of the SmartDashboard gateway object is only for self-signed certificates. generate a P12 file that contains the Signed Certificate and the private key.

prepackage the agent with the server address. Whether to hide the client (the umbrella icon does not show on users' desktops). the digital signature in the installer is invalidated. Whether to disable the packet tagging feature that prevents IP spoofing. Go to Identity Awareness > Agent.When you use prepackaging. Nac_agent_email_for_sending_logs Nac_agent_disable_quit Nac_agent_disable_tagging Nac_agent_hide_client 4. This lets you. 3. for example. Note . For more information. This is a sample list of parameters that you can change: Parameter Description Nac_agent_disable_settings Whether users can right click the Identity Agent client (umbrella icon on their desktops) and change settings. You can then have users download the Identity Agents from the Captive Portal or send them the installation through email. Prepackaging Identity Agent Installation Prepackaging refers to a procedure that lets you add configuration to the Identity Agents installation. The Agent parameters are shown. see Prepackaging Identity Agents (on page 77). Unless you resign the installation with your own software signing certificate. To change Identity Agents parameters in SmartDashboard: 1. You can add a default email address for to which to send client troubleshooting information. You can change some of the settings from SmartDashboard and some can be prepackaged with the agent. click the View button in the Certificate section. Go to Policy > Global Properties > SmartDashboard Customization. 2. Click Configure. Identity Sources Page 56 . Whether users can right click the Identity Agent client (umbrella icon on their desktops) and close the agent.Advanced Identity Agents Configuration To see the new certificate from SmartDashboard: From a page that contains the portal settings for that blade. Advanced Identity Agents Configuration Customizing Parameters You can change settings for Identity Agent parameters to control agent behavior. users that download the agent through the Captive Portal will receive a notification saying that the installer is not signed. Click OK.

You can distribute the identity-based policy to all identity aware security gateways in the network. provide an identity aware access policy and inspect the traffic that comes from WLAN users. Identity Awareness capability is centrally managed through the Security Management Server and SmartDashboard. deploy the security gateway inline in front of the Data Center. segregated from the users' network. however they are intensively used to provide access to wireless-enabled corporate devices and guests. Identity Awareness lets you control access between different segments in the network by creating an identity-based policy. The perimeter security gateway can also control and inspect outbound traffic.Chapter 4 Advanced Deployment In This Chapter Introduction Deployment Options Configuring Clusters in Bridge Mode Deploying a Test Environment Deployment Scenarios 57 58 58 61 62 Introduction You can deploy Check Point Security Gateways enabled with Identity Awareness in various scenarios that provide a maximum level of security for your network environment and corporate data. there is a need to deploy multiple security gateways at different network locations. Large scale enterprise deployment – In large scale enterprise networks. You can deploy the security gateway in transparent mode (bridge mode) to avoid significant changes in the existing network infrastructure. In this case. Identity Awareness gives guests access by authenticating guests with the web Captive Portal. you can create an identity-based firewall security Rule Base together with Application Control. This section describes recommended deployment scenarios and options available with Identity Awareness. Identity information about all users and machines obtained by each gateway is shared between all gateways in the network to provide a complete Identity Awareness infrastructure. Network segregation – The security gateway helps you migrate or design internal network segregation. All traffic that flows is then inspected by the gateway. targeted to the Internet. The identity information learned from the branch office gateways is shared between internal gateways to avoid unnecessary authentications. You can control access to resources and applications with an identity-based access policy. You can deploy the security gateway close to the access network to avoid malware threats and unauthorized access to general resources in the global network. Data Center protection – If you have a Data Center or server farm. To do this. Wireless campus – Wireless networks are not considered secure for network access. When you enable Identity Awareness at the branch office gateway you make sure that users are authenticated before they reach internal resources. You can deploy the security gateway at the remote branch offices to avoid malware threats and unauthorized access to the headquarters' internal network and Data Centers. where you deploy the Check Point security gateway at the perimeter where it protects access to the DMZ and the internal network. Distributed enterprise with branch offices – The distributed enterprise consists of remote branch offices connected to the headquarters through VPN lines.  Perimeter security gateway with Identity Awareness – This deployment scenario is the most common scenario. you can protect access to the servers with the security gateway. You can deploy a security gateway enabled with Identity Awareness inline in front of the wireless switch. such as the perimeter firewall and multiple Data Centers.      Page 57 .

One component that is deployed on a different gateway that serves as an external Identity Awareness gateway. Configuring Clusters in Bridge Mode If you have clusters with a bridge in your environment. The benefit of this method is that it does not require any changes in the network infrastructure. cluster interfaces and all identity sources (users.Deployment Options Deployment Options You can deploy a security gateway enabled with Identity Awareness in two different network options:   IP routing mode Transparent mode (bridge mode) IP routing mode – This is a regular and standard method used to deploy Check Point security gateways. We recommend SecurePlatform for full feature support. the gateway behaves as an IP router that inspects and forwards traffic from the Internet interface to the external interface and vice versa. Important . You must configure these interfaces:     1 management (DMI) interface (with an IP address) 1 synchronization interface (with an IP address) 2 interfaces for the bridge (no IP addresses) 1 cluster interface (with a virtual IP address) . It lets you deploy the gateway inline in the same subnet. bridges. This deployment option is mostly suitable when you must deploy a gateway for network segregation and Data Center protection purposes.to communicate with the external Identity Awareness gateway. You usually use this mode when you deploy the gateway at the perimeter. machines and networks) must connect to the same switch. This deployment method lets you install the security gateway as a Layer 2 device. Advanced Deployment Page 58 . Transparent mode – Known also as a "bridge mode". you must configure Identity Awareness with these components:   One component that is deployed on the bridge's cluster member gateways. Both interfaces should be located and configured using different network subnets and ranges.Cluster members and bridges must be on SecurePlatform or IPSO. Due to bridge operations. you must configure the cluster members. In this case. and Identity Awareness differently. The external Identity Awareness gateway. The gateway members of a security cluster must have at least 5 interfaces. rather than an IP router.

Vlan Vlan-x Preparing Clusters with a Bridge To prepare clusters with a bridge for Identity Awareness: 1. eth2) for a synchronization IP address.  Each with an interface (for example.Configuring Clusters in Bridge Mode Item Firewalls 1 Description R75 or higher Security Gateway on SecurePlatform . where x is the Vlan number. Advanced Deployment Page 59 .enabled with Identity Awareness Bridge interfaces (without IP addresses) 2 Interfaces Eth0 Eth1 Eth2 Eth3 Eth4 Sync interface Dedicated Management interface (DMI) Cluster interface (with IP address) The Vlan in the network.enabled with Identity Awareness (serves as the external Identity Awareness gateway) R75 or higher cluster member gateways on SecurePlatform . Create the cluster members on SecurePlatform.

3.cancel 3. 2. Reboot the cluster members. Enable the firewall Software Blade. 2. Configuring the Cluster To configure the cluster: 1. run ifconfig. Continue with the sysconfig configurations and then reboot the cluster members. On each of the gateway members. Checking the Bridge Configuration To make sure the bridge was configured correctly: 1.Configuring Clusters in Bridge Mode  Each with an interface (for example. eth3) for a management IP address. 4. eth4) for a cluster IP address. Open SmartDashboard. On each of the gateway members. In sysconfig: a) Enter 5 . 6. run brctl show to see the interfaces attached to the bridge.next f) Enter c . 3. e) Enter n . In the Identity Awareness tab. type: a) cd $FWDIR/conf b) vi discntd. At the prompt.if c) Manually add br0 and the bridge interfaces (eth0 and eth1) to this file. 2.  Each with an interface (for example. select Enable Identity Awareness and select the relevant identity sources. Select Share local identities with other gateways. Open SmartDashboard. Configure the bridge interface on the cluster members. Click OK. 5. 4. make sure that the bridge interfaces are not monitored. Create a Security Gateway object.Add new connection c) Enter 3 . Make sure you see an entry equivalent to the below.Network Connections b) Enter 1 . Create a new cluster object: Advanced Deployment Page 60 . 2. Configuring the External Identity Awareness Gateway To configure the external Identity Awareness gateway: 1.Bridge d) Press spacebar to select the relevant interfaces (for example. eth0 and eth1). At the prompt.

You do not see the bridge interfaces in SmartDashboard. Select Get identities from other gateways and select the gateway configured for the external component. c) Open Topology > Edit Topology. Microsoft Windows server with Active Directory. f) Disable Anti-spoofing. Open Firewall-1 > General and select the cxl_is_bridge option. g) Make sure Network defined by the interface IP and net mask is selected. Open Policy > Global Properties. Select Enable Identity Awareness and keep all options cleared. Do not select Not Defined. Deploy a security gateway either in routing or bridge mode. The user host machine will access the protected resource via the security gateway. 3. 2. we recommend that you deploy it in a simple environment. d) Click Get all members' topology with Topology. open Identity Awareness. the Windows server that runs IIS (web server). Click OK. Install IIS with a sample Web Server. Deploying a Test Environment If you want to evaluate how Identity Awareness operates in a security gateway.Deploying a Test Environment a) Enable the Firewall Software Blade. The recommendation is to install 3 main components in the setup: 1. 4. Advanced Deployment Page 61 . 2. The recommended test setup below gives you the ability to test all identity sources and create an identity-based policy. 3. b) Add the cluster members. The IP address of each member must be the management IP address. e) Define a Cluster interface in the Network Objective column and give the cluster object a virtual IP address. Install the user host machine with Windows XP and 7 OS. You see the management interface. cancel it. Click OK. User host (Windows) 2. Configuring Cluster and Bridge Support To configure cluster and bridge support: 1. Check Point security gateway R75 3. In the cluster object. Install Windows Server and configure Active Directory and DNS. 5. DNS and IIS (Web resource) Deploy the gateway inline in front of the protected resource. 4. If the wizard opens. Testing Identity Sources To configure the test environment: 1. 3. 6. sync interface and the cluster members. Open SmartDashboard Customization and click Configure. 4.

Enter user credentials. On the user host machine open an Internet browser and try to connect to the web resource. Create 3 rules in the Firewall Rule Base: a) Any to Any Negate HTTP accept log b) Access Role to Any HTTP accept log c) Any to Any Drop 11. 13. 4. Install policy. 14. Controlling access to the allowed applications is possible through the Application Control blade. Logout and login again from the user host machine. Use the user host machine to test connectivity to the Web Server. use the user's credentials to authenticate and access the web resource. 9. Check logs. Access roles let you configure an identity aware policy together with Application Control to allow access only to specified user groups to the applications on the Internet. you may require a more granular access policy that is based also on user and machine identity – i. 6. Test connectivity. The SSO method using Kerberos authentication can be tested as well. 7. However. You are redirected to the Captive Portal. 10. Users located in the internal networks access the Internet resource and applications daily. 1. 2. Install the client as requested by the Captive Portal. Follow the wizard and enable the AD Query and Captive Portal identity sources. 8. Test connectivity between the host and the Windows server. access roles. Enable Identity Awareness in the gateway. From the gateway's CLI revoke the authenticated user by: pdp control revoke_ip IP_ADDRESS 17. Blocking all internal access may impact productivity of certain employees that must have access in the context of their daily work definition. Open SmartView Tracker > Identity Awareness section and check whether the user is authenticated using the AD Query method. The user and machine names show in the connections logs. Deployment Scenarios Perimeter Security Gateway with Identity Awareness Security Challenge The security gateway at the perimeter behaves as a main gate for all incoming and outgoing traffic to and from your corporate network. 16. Add the user host machine to the Active Directory domain. 12. 3. Create an Access Role and define access for all authenticated users or select users with the Users picker. Open a browser and connect to the web resource. When the client is installed wait for an authentication pop-up to enter the user's credentials via the client. You should be redirected to the Captive Portal.Deployment Scenarios 5. 15. Not all Internet applications and web sites are secure and some are restricted according to corporate policy.e. Advanced Deployment Page 62 . Testing Identity Agents Enable and configure Identity Agents and configure Identity Agents self provisioning via Captive Portal ("Configuring Agent Deployment from Captive Portal" on page 37). see Kerberos SSO Configuration (on page 71).

Deployment Scenarios

In this case Identity Awareness should be enabled on the perimeter security gateway.

Deployment scenario
1. Deploy the gateway at the perimeter in routing mode and define an external interface towards the ISP (the Internet) and an internal interface points to the internal corporate network LAN. Optional: you can define another internal interface which protects DMZ servers. 2. Make sure that NAT or Proxy devices do not exist between the gateway and LAN (the recommendation is to have proxy in the DMZ network). 3. Check that the gateway has connectivity to the internal AD domain controllers. 4. Make sure that users can reach the gateway’s internal interface. 5. Configure the Application Control blade. See the R75 Application Control Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11658). 6. If you have several perimeter gateways leading to the Internet, we recommend that you manage these gateways with one Security Management Server and SmartDashboard to deploy the relevant security policy.

Configuration
1. Enable Identity Awareness and select the appropriate identity sources. 2. Create access roles based on users and machines. You can create multiple access roles that represent different departments, user and machine groups and their location in the network. 3. Add the access roles to the source column of the relevant firewall and application control policies.

Data Center Protection
Security Challenge
The Data Center contains sensitive corporate resources and information that must be securely protected from unauthorized access. You must also protect it from malwares and viruses that can harm databases and steal corporate information. Access to the Data Center and particularly to certain applications must be granted only to compliant users and machines.

Deployment Scenario
1. Deploy the security gateway inline in front of the Date Center core switch, protecting access to the Data Center from the LAN. 2. We recommend that you deploy the gateway in the bridge mode, to avoid any changes in the network. However, IP routing mode is also supported. 3. Define at least two interfaces on the gateway and configure them to be internal or bridged. 4. Make sure that the gateway has connectivity to the Active Directory and all relevant internal domain controllers in the network (LAN).

Advanced Deployment

Page 63

Deployment Scenarios

5. Make sure that users from the LAN can connect to the Data Center through the security gateway with an ANY ANY accept policy. 6. Make sure that you do not have a proxy device between the gateway and users or the LAN.

Configuration
1. Enable Identity Awareness on the gateway and select identity sources. 2. Create access roles for users and apply the access roles to relevant Firewall security rules.

Large Scale Enterprise Deployment
Security Challenge
In complex large scale enterprise networks you must control access from the local network to the Internet and to multiple Data Center resources. Access should be granted only to compliant users and machines. The Data Center contains sensitive corporate resources and information that must be securely protected from unauthorized access. You must also protect it from malwares and viruses that can harm databases and steal corporate information. Users located in the internal networks access the Internet resource and applications daily. Not all Internet applications and web sites are secure and some are restricted according to corporate policy. Blocking all internal access may impact productivity of certain employees that must have access in the context of their daily work definition. Controlling access to the allowed applications is possible through the Application Control blade. However, you may require a more granular access policy that is based also on user and machine identity – i.e. access roles.

Deployment Scenario
1. Deploy or use existing security gateways at the perimeter and in front of the Data Center. 2. Install the gateway at the perimeter in routing mode, and use at least one external interface to the Internet and one to the internal network (define it as an internal interface). 3. Deploy the gateway as an inline device in front of the Data Center in bridge mode to avoid network changes. This is not required, but is recommended. Nonetheless, IP routing mode is also supported. 4. Make sure that all gateways in the Data Centers and perimeter can communicate directly with each other. 5. We recommend that you manage the gateway from one Security Management Server and SmartDashboard. 6. Make sure that there is connectivity from each gateway to the Active Directory internal domain controllers. 7. Make sure that in an "Any Any Accept" policy, users from the LAN can connect to the desired resources. 8. Make sure that there is no NAT or proxy devices installed between the gateways and LAN segment. If there are such devices, consider moving them to DMZ if possible.

Configuration
1. Enable Identity Awareness on the gateway and choose the appropriate identity source method for each gateway, at the perimeter and at the Data Center. 2. Create access roles for users and apply access roles to the relevant firewall security rules. 3. Use the Application Control policy in the perimeter gateway and add access roles to the policy.

Advanced Deployment

Page 64

Deployment Scenarios

4. In the Gateway properties > Identity Awareness tab, make sure to select Share local identities with other gateways.

AD Query Recommended Configuration
When you enable AD Query to obtain user and machine identity, we recommend that you enable the feature on all gateways that participate in the network environment. All gateways should have the Active Directory domain defined with the list of all relevant domain controllers in the internal network.

Identity Agents Recommended Configuration
If you choose to use Identity Agents to authenticate users and machines, you have to select the gateway that will be used to maintain identity agents. For a single Data Center and perimeter gateway it is recommended to define identity agents that connect to a single gateway. Then the identity obtained by the gateway is shared with the other gateways in the network. Select a high capacity / performance gateway, which can also behave as an authentication server, and configure this gateway’s IP / DNS on the Identity Agents (see Identity Agents section). For complex multi Data Center environments where there are several gateways that protect different Data Centers and the perimeter, we recommend that you balance Identity Agents authentication using different gateways. You can configure a list of gateways in the Identity Agent settings, where the agent will connect to different gateways. This provides load balancing across the gateways. Identities learned from the agents are shared between all gateways in the network.

Identity Sharing Advanced Settings
To define a list of gateways between which identity information is shared: 1. Go to Gateway properties > Identity Awareness tab and select Get identities from other gateways. 2. Select the gateways you want to obtain identities from.

Advanced Deployment

Page 65

Deployment Scenarios Network Segregation Security Challenge Networks consist of different network segments and subnets where your internal users reside. If you want to share identities with one gateway. keep this option selected and disable Get identities from other gateways in the segment gateway. 5. as well as authenticate users connecting to the servers and the Internet. Access between the segments is controlled by the gateway. If you want to use Identity Agents. the perimeter gateway. for example. Deploy gateways in each segment in bridge mode. Share identities learned from the segment gateways with the perimeter firewall to create an outgoing traffic firewall policy or use an Application Control policy as well. Enable Identity Awareness on each gateway and select an appropriate identity source method. make sure that all gateways can connect to this domain controller. Configuration 1. There is also a challenge of how to provide Advanced Deployment Page 66 . Make sure that there is no proxy or NAT device between the gateways and the LAN. Deployment scenario        We recommend that you deploy security gateways close to access networks before the core switch. clear the Share local identities with other gateways option. Access between the LAN and the Internet is controlled by the gateways either at each segment or at the perimeter gateway. Either AD Query. In the Identity Awareness tab. We recommend that you deploy the gateway in bridge mode to avoid network and routing changes. Captive Portal or Identity Agents. Then go to the perimeter gateway and select Get identities from other gateways. 3. Each gateway of a particular segment authenticates users with the selected method. then define the particular gateway’s DNS/IP in the agent gateway configuration per access segment. If there is a general domain controller that serves all users across the segments. Users that connect to the network can potentially spread viruses and malwares across the network that can infect other computers and servers on the network. Make sure that the gateways can communicate with the Active Directory domain controller deployed in each segment (replicated domain controllers). 6. Distributed Enterprise with Branch Offices Security Challenge In distributed enterprises there is a potential risk of malware and viruses spreading from remote branch offices over VPN links to the corporate's internal networks. You want to make sure that only compliant users and machines can pass and connect across multiple network segments. Access between the LAN and Data Center is controlled by the gateway. 2. 4.

We recommend using bridge mode. You can install the Data Center gateway in bridge mode to avoid changes to the existing network. 2. users from the branch office are identified by the local branch office gateway before connecting to the corporate network over VPN. We recommend that you deploy security gateways at the remote branch offices and at headquarters in front of the Data Center and at the perimeter. 4. as well as a perimeter gateway. 5. If you have Active Directory domain controllers replicated across your branch offices make sure that local gateways can communicate with the domain controller. 3. Advanced Deployment Page 67 . the user is identified by the gateway at the headquarters Data Center without the need for additional authentication. Create an access role and apply the roles in the security policy on the branch office gateways. Deploy gateways inline at the Data Center. 5. At remote branch offices. Configuration 1. perimeter and Data Center gateway. The perimeter gateway can serve as a VPN gateway for branch offices as well. Enable Identity Awareness and select the appropriate methods to get identity.Deployment Scenarios authorized access to users that come from remote branch offices that request and want to access the Data Center and the Internet. establishing a VPN link to the corporate gateways. 4. we recommend that you deploy Data Center gateways to protect access to Data Center resources and applications. 2. At the corporate headquarters. Deploy the gateways at the branch offices in routing mode. 6. In this scenario. Define VPN site-to-site if necessary. Deployment Scenario 1. Deploy a gateway at the perimeter that protects the internal network in routing mode. 3. Select a security gateway according to a performance guideline for your remote branch offices. 7. make sure that the gateways can access the headquarters' internal domain controller over VPN. When a user from a branch office attempts to connect to the Data Center. In case you do not have a local domain controller. The identities learned by the branch office gateways are then shared with the headquarters' internal and perimeter gateways. Deploy the remote branch gateways in IP routing mode and have them function as a perimeter firewall and VPN gateway. you can deploy low capacity gateways due to a relatively low number of users.

It is not necessary to configure all domain controllers available in the network. Make sure that you share identities between the branch offices with the headquarter and Data Center gateways. select Unregistered guests login and in Settings. if you have a branch office gateway and a Data Center gateway.Deployment Scenarios 8. by selecting these settings on the Identity Awareness tab: AD Query Recommended Configuration When you use AD Query to authenticate users from the local and branch offices. guests and contractors. On the Data Center gateway. Deployment Scenario 1. 3. Furthermore. The agents connect to the local gateway and the user is authenticated. Wireless Campus Security Challenge You use wireless networks to grant access to employees that use Wi-Fi enabled devices. enable AD Query on all gateways. In the Gateway properties > Identity Awareness tab > Captive Portal Settings. 2. Advanced Deployment Page 68 . Make sure that the gateway can access the Internet or any other required resource in the network. On the branch office gateway. Select Log out users when they close the portal browser. Wireless networks do not give a desired level of security in terms of network access. Check that there is no NAT or proxy device between the gateway and the WLAN network. select the fields you want guests to fill when they register. configure a list of domain controllers installed in the internal headquarters network. Select Captive Portal as an identity source. since the identity information is shared between branch and internal gateways accordingly. 2. Enable Identity Awareness on the gateway. identities are shared with the internal headquarter gateways. Configuration 1. Guests and contractors in some cases cannot use the corporate wired network connection and must connect through WLAN. we recommend that you configure the local branch office gateway’s DNS/IP on the agent. 4. it is not intended for guests and contractors to install any endpoint agents on their devices. These devices are not part of the Active Directory domain. Deploy the security gateway in bridge mode in front of the Wireless Switch. For example. Identity Agents Recommended Configuration When using Identity Agents. Wireless access is also intensively used to connect mobile devices such as smart phones where agents can be installed. select the Active Directory domain controllers replications installed in the branch office only. Make sure that the gateway can communicate with the authentication server. we recommend that you only configure a local domain controller list per site in the relevant gateways. 4. 3. such as Active Directory or RADIUS.

3. the dedicated gateway should communicate with all Active Directory domain controllers over WMI. enable Identity Awareness and select Get identities from other gateways. Advanced Deployment Page 69 . To avoid an impact on performance of the gateways in terms of user identity acquisition and authentication. Make sure to configure the gateway to share identities with other gateways in the network. If you enable AD Query. it is recommended to offload this functionality to a separate Security Gateway.Deployment Scenarios Dedicated Identity Acquisition Gateway Security Challenge You have several Security Gateways that protect the Data Center or Internet access where access is based on identity acquisition. you have to choose an appropriate appliance to deploy as the dedicated Identity Awareness enabled gateway. On the dedicated identity acquisition gateway. Deployment Scenario In this deployment scenario. performance authentication and sharing learned identities with all enforcing gateways in the network. enable the Identity Awareness feature and select the identity method. The dedicated Security Gateway is responsible for acquiring user identity. The gateways run different blades and deal with heavy traffic inspection. On the enforcement gateways. All users authenticate with this gateway. 1. 2.

Deployment Scenarios Advanced Deployment Page 70 .

When a user logs in. How SSO Operates Item A B C Description Domain Controller Data Center Security Gateway that Identity Agents connect to Page 71 . When the user needs to authenticate against the Security Gateway with Identity Awareness. This ticket vouches for the user’s identity. You get SSO in Windows domains with the Kerberos authentication protocol. The Kerberos protocol is based on the idea of tickets. the Identity Agent presents this ticket to the domain controller and requests a service ticket (SR) for a specific resource (Security Gateway that Identity Agents connect to). Kerberos is the default authentication protocol used in Windows 2000 and above. encrypted data packets issued by a trusted authority which in this case is the Active Directory (AD).Chapter 5 Kerberos SSO Configuration In This Chapter Overview How SSO Operates References SSO Configuration 71 71 72 73 Overview The Identity Awareness Single Sign-On (SSO) solution gives the ability to transparently authenticate users that are logged in to the domain. This means that a user authenticates to the domain one time and has access to all authorized network resources without additional authentication. The Identity Agent then presents this service ticket to the gateway that grants access. the user authenticates to a domain controller that provides an initial ticket granting ticket (TGT).

edu/Kerberos/) http://technet. see these links:   http://web.mit.References Item 1 2 Description User logs in to the AD User gets an initial ticket (TGT) Item A B C 1 2 3 Description Domain Controller Data Center Security Gateway that Identity Agents connect to The Identity Agent connects to the Security Gateway The Security Gateway asks for user authentication The Identity Agent requests a service ticket (SR) for the Security Gateway that Identity Agents connect to and presents the TGT The AD sends a ticket (encrypting the user name with the shared secret between the AD and the Security Gateway that Identity Agents connect to) The Identity Agent sends the service ticket The Security Gateway that Identity Agents connect to decrypts the ticket with the shared secret and identifies the user The user gets access based on identity 4 5 6 7 References For detailed information on Kerberos SSO.edu/Kerberos/ (http://web.aspx) Kerberos SSO Configuration Page 72 .microsoft.com/enus/library/bb742433.com/en-us/library/bb742433.mit.aspx (http://technet.microsoft.

Creating an LDAP Account Unit and configuring it with SSO. 3. Add a new user account. SmartDashboard Configuration .SSO Configuration SSO Configuration SSO configuration includes two steps:   AD Configuration . Kerberos SSO Configuration Page 73 .acme. open Active Directory Users and Computers (Start->Run->dsa. Clear User must change password at next logon and select Password Never Expires. For example: a user account named ckpsso with the password 'qwe123!@#' to the domain corp.Creating a user account and mapping it to a Kerberos principal name. You can choose any username and password.msc) 2. In Active Directory.com. AD Configuration Creating a New User Account 1.

Kerberos SSO Configuration Page 74 . 2. If you’re using ActiveDirectory 2008. Ktpass is a command-line tool available in Windows 2000 and higher. Ktpass. 1.msi.aspx?familyid=96A35011-FD83-419D-939B9A772EA2DF90&displaylang=en (http://www.com/downloads/details.COM ckpsso qwe123@# The AD is ready to support Kerberos authentication for the Security Gateway.acme. Open a command line to run the ktpass tool (Start > Run > cmd).microsoft. Use Ktpass 1.com). For example. It is part of the Windows 2000/2003 support tools. At the command prompt.ACME.keytab –crypto RC4-HMAC-NT Below is an example of running ktpass with these parameters: Parameter Value domain_name@DOMAIN_NAME username@domain_name password corp.exe version on the AD. A Kerberos principal name consists of a service name (for the Security Gateway that Identity Agents connect to) and the domain name to which the service belongs (e.microsoft. 2. You need to open the command prompt as an administrator by right clicking it and selecting "run as an Administrator".qa. AD 2003 SP2 requires support tools for 2003 sp2: http://www.com@CORP.checkpoint. the ktpass utility is already installed on your server and you can run the command line.msi files to a new folder on your AD server.g.cab and suptools.com/downloads/details.microsoft. Retrieve the correct executable You must install the correct ktpass. c) Run the suptools.exe is not installed by default in Windows 2000/2003. If you are using Windows 2000/2003: a) Retrieve the correct executable from the Microsoft Support site (http://support. max.SSO Configuration Mapping the User Account to a Kerberos Principal Name This step uses the ktpass utility to create a Kerberos principal name that is used by both the gateway and the AD. run kptass with this syntax: C:> ktpass -princ ckp_pdp/domain_name@DOMAIN_NAME -mapuser username@domain_name -pass password -out unix.aspx?familyid=96A35011-FD83-419D-939B9A772EA2DF90&displaylang=en) b) Download the support.com/) prior to installation.

set_spn –D ckp_pdp/corp. Enter a name and IP address for the AD object and click OK. Failure to do this will cause the authentication to fail. Entering a value into this field will not affect existing LDAP Account Units. enter the domain name. 4. 2. For example. d) Select CRL retrieval and User management. 3. Add a new host to represent the AD domain controller.acme.If you have used the ktpass utility before for the same principal name (ckp_pdp/domain_name@DOMAIN_NAME) but with a different account. In the General tab of the LDAP Account Unit: a) Enter a name. Go to Servers and OPSEC Applications tab > Servers > New > LDAP Account Unit. Configuring an Account Unit 1. you must either delete the different account beforehand or remove its association to the principal name (by using set_spn –D ckp_pkp/domain_name old_account name – i. It is highly recommended to fill this field for existing account units that you want to use for Identity Awareness.SSO Configuration Important . ADServer. Go to Network Objects tab > Nodes > Node > Host. SmartDashboard Configuration This section describes how to configure an LDAP Account Unit to support SSO. Add a new LDAP Account Unit. 5.e. select Microsoft_AD. b) In the Profile field. Click Active Directory SSO configuration and configure the values (see example): Kerberos SSO Configuration Page 75 . c) In the Domain field.com ckpsso).

COM c) Enter the account username you created in Creating a New User Account (on page 73). 8. d) Enter the LDAP user password and confirm it. 6. select the AD object you configured in step 4 above. fetch the fingerprint and click OK. In the Servers tab: a) Click Add and enter the LDAP Server properties. enter the login DN of a predefined user (added in the AD) used for LDAP operations. c) Set the number of entries supported. b) Click Fetch Branches to configure the branches in use. e) In the Check Point Gateways are allowed to section. select Check Point Password in the Default authentication scheme and click OK. c) In the Login DN field. In the Authentication tab. select Read data from this server. either skip step f or configure your domain controller to support LDAP over SSL. For example.LDAP over SSL is not supported by default. ckpsso. b) In the Host field.ACME. Kerberos SSO Configuration Page 76 . For example. In the Objects Management tab: a) In the Manage objects on field. select the AD object you configured in step 4 above.SSO Configuration a) Select Use kerberos Single Sign On. f) Click OK. e) Leave the default settings for Ticket encryption method. select Use Encryption (SSL). If you have not configured your domain controller to support LDAP over SSL. f) In the Encryption tab. Note . d) Enter the account password for that user (the same password you configured for the account username in AD) and confirm it. 7. b) Enter the domain name. CORP.

The Features section controls the installed features. All of the configuration parameters have default values that are deployed with the product and can remain unchanged.exe Sample INI File 77 77 77 82 Background The Check Point Identity Agent has many advanced configuration parameters.exe is a shell tool.in /opt/CPNacPortal/htdocs/nac/nacclients/customAgent. Some of these parameters relate to the installation process and some relate to the actual operation of the agent. The AddFiles section controls the deployed Identity Agent configuration. Custom .Chapter 6 Prepackaging Identity Agents In This Chapter Background Custom Identity Agent msi Using the cpmsi_tool. with packet tagging and machine authentication. There are 3 types of Identity Agents:    Full agent – The Identity Agent is available for all users who use the computer. Custom Identity Agent msi You can find a customizable msi version of the Identity Agent (for distribution via a software distribution tool) in these places:   Installed Security Gateway . The customization tool is called cpmsi_tool.exe The cpmsi_tool.The installation process and the product configuration can be customized.exe and it is deployed with the agent (Program Files > Check Point > Identity Agent). Page 77 . Light agent – The Identity Agent is available for the single user that is running this installation and does not include packet tagging and machine authentication. You can use the template INI file for quick configuration. To use it.in /linux/windows/Check_Point_Custom_Nac_Client.msi Secure Platform installation CD . The INI file is divided into 3 sections:    The Properties section controls the installation process.msi Using the cpmsi_tool. store it in the same location as the installation package and type: cpmsi_tool <installation package name> readini <INI file name> From the INI file you can control the configuration.

the Custom Setup dialog box is shown (it is not hidden). By default. INSTALLTYPE This property lets you can choose one of these installation type values:    ALLUSERS . FULL .Only for the user who is installing the Identity Agent ASKUSER .exe /i <installation package name> SILENT=YES HIDEFEATURES=NO This command will start a silent installation where features are not hidden (even though for this type of installation this is irrelevant). you can type: msiexec. For example.[Properties] Section You can configure these Identity Agent installation properties in the INI file: INSTALLUITYPE There are 3 values for this property:    SILENT .exe The tool has some other options that are not used for Identity Awareness.The user sees a full installation user interface. Values for this property:   Yes No .Anyone who uses the computer SINGLEUSER . BASIC . Prepackaging Identity Agents Page 78 .An installation progress bar is shown while installation takes place. If this dialog box is hidden then the installation process behaves as if the user clicked Next without changing anything. This is the default value. Configuring Installation .No user interface is shown to the user. the Choose Installation orientation dialog box is shown. Note .Leaves the dialog box in the installation for the end user to decide. HIDEFEATURES This property determines the visibility of the Custom Setup (feature selection) dialog box in the installation process.Using the cpmsi_tool.By default.You can configure the Properties section properties using msiexec.exe.

For example. Prepackaging Identity Agents Page 79 . This is a service that gives you machine authentication and enables managed asset detection prior to logon authentication. or let users decide on their own. if you set MADService=Yes then the feature dialog box will force install the Managed Asset Detection service. This driver signs every packet that is sent from the machine. This property is required if you rules in the Rule Base that relate to machines. Values:    Yes No Ask .the dialog box is shown to the end user who can decide whether to install or not. PacketTagging This property relates to the Packet Tagging driver.[Features] Section You can configure the following properties and decide whether or not to install these features.Using the cpmsi_tool. MADService This property relates to the Managed Asset Detection service. This is the default value.exe Configuring Installed Features .

Values:    Yes No Ask .exe This setting is required if you have rules in the Rule Base that use Access Roles and are set to enforce IP spoofing protection on the Machines tab. Prepackaging Identity Agents Page 80 .Using the cpmsi_tool.the dialog box is shown to the end user who can decide whether to install or not. This is the default value.

2 DisableQuit DWORD:1. 0 is the default value.[AddFiles] Section You can add a defs.0 Automatic Server Discovery You can define a default gateway and trusted gateways by defining a defs. Registry file values: Registry Key 1 Accepted Values Description If the value is set to 1 then the settings button will not appear in the Identity Agent's tray menu. to send error logs to MYEmail and disable the agent's settings dialog box: [HKEY_LOCAL_MACHINE\SOFTWARE\C heckPoint\IA] "SendLogsTO"=MYEmail@checkpoint.0 If the value is set to 1 then the Identity Agent's tray icon will not appear and there will be no client GUI. you must: 1. Note .exe Configuring Deployed Identity Agents .”> user chooses to send logs in from the agent’s status dialog box. 3 HideGui DWORD:1.reg file does not exist the installation will fail.If the defs. For example.reg file to the installation that lets you change the deployed Identity Agent configuration.reg file with the relevant parameters.0 If the value is set to 1 then the quit button will not appear in the Identity Agent's tray menu. The registry values are stored in the branch HKEY_LOCAL_MACHINE > SOFTWARE > Checkpoint >IA or in HKEY_CURRENT_USER > SOFTWARE > Checkpoint > IA if the installation is for a single user. 4 SendLogsTO String: <email Allows defining the default email addresses addresses to send logs to if an error occurs or if a delimited by ”. After you create the defs. Prepackaging Identity Agents Page 81 . Uncomment the DEF_FILE_NAME line in the INI file. 2. 0 is the default value. Copy it to the same directory as the installation package and the cpmsi_tool. 0 is the default value.reg file.Using the cpmsi_tool.reg file is a simple registry file. The defs.com "DisableSettings"=dword:00000001 DisableSettings DWORD:1.

Prepackaging Identity Agents Page 82 . Sample INI File Below is a sample INI file with the default configuration.Sample INI File For example: Note . the user will be asked to define the Security Gateway with Identity Awareness manually.If a default gateway is not defined and the automatic server discovery fails during installation.

This section describes these options. Server discovery refers to the process of deciding which server the client should connect to. For this to happen. It also makes sure that communication between the client and the server was not tampered with by a Man In The Middle (MITM) attack. Page 83 . it must discover the server and trust it.Chapter 7 Server Discovery and Trust In This Chapter Introduction Server Discovery and Trust Options Option Comparison 83 84 84 Introduction The Identity Agent client needs to be connected to a Security Gateway with Identity Awareness. We offer several methods for configuring server discovery – from a very basic method of simply configuring one server to a method of deploying a domain wide policy of connecting to a server based on your current location. Server trust refers to the process of validating that the server the end user connects to is indeed a genuine one.

the trust data cannot be configured in that way and the user will have to authorize it manually. During installation. Remote registry – All of the client configuration. out-of-the-box situation). Note that as DNS isn’t secure. Note that the user has to trust the server by himself (the trust dialog box opens). Prepackaging – You can create a prepackaged version of the client installation that includes the with the server IP and trust data.. AD based configuration – If client computers are members of an Active directory domain. you can deploy the server addresses and trust data using a dedicated tool.     Option Comparison Requires Deploy AD Trust Data File name based No No MultiSite No Client Remains Signed? Yes Allows Ongoing Changes No Level Recommended for. This lets you use the configuration from first run. it will ask the user to verify that it is correct manually. This section describes the methods that allow the expected fingerprint to be known. If the client does not have the expected fingerprint configured.Server Discovery and Trust Options The trust process compares the server fingerprint calculated during the SSL handshake with the expected fingerprint.. Single gateway deployments Very Simple Server Discovery and Trust Page 84 . DNS SRV record based server discovery – It is possible to configure the server addresses in the DNS server. including the server addresses and trust data reside in the registry. Server Discovery and Trust Options These are the options that the client has for discovering a server and trusting it:  File name based server configuration – If no other method is configured (default. any Identity Agent downloaded from the portal will be renamed to have the portal machine IP in it. without user intervention. or any other system that lets you control the registry remotely). You can deploy the values before installing the client (by GPO. the client uses this IP to represent the Security Gateway with Identity Awareness.

Option Comparison Requires Deploy AD Trust Data AD based Yes Yes MultiSite Yes Client Remains Signed? Yes Allows Ongoing Changes Yes Level Recommended for. Deployments with AD that you can modify Deployments without AD or with an AD you cannot modify. If your deployment consists of one Security Gateway with Identity Awareness and a Captive Portal running on the same gateway and it is OK with you that the user needs to verify the server fingerprint and trust it once. which works with no configuration.. and works out-of-the-box if the Captive Portal is also the Security Gateway with Identity Awareness.. but the DNS can be changed Simple DNS based No No Partially Yes (per DNS server) Yes Simple Remote registry No Yes Yes Yes Yes Moderate Where remote registry is used for other purposes Advance d When both DNS and AD cannot be changed. Server Discovery and Trust Page 85 . and there is more than one gateway Prepackaging No Yes Yes No No File Name Based Server Discovery This option is the easiest to deploy. you can use this option.

Option Comparison

How does it work?
When a user downloads the Identity Agent client from the Captive Portal, the address of the Security Gateway with Identity Awareness is embedded into the file name. During the installation sequence, the client checks if there is any other discovery method configured (prepackaged, AD based, DNS based or local registry). If no method is configured and the server can be reached, it will be used as the Security Gateway with Identity Awareness. You can make sure that this is the case by looking at the client settings and seeing that the server that is shown in the file name is present in the Identity Agent dialog box.

Why can't we use this for trust data?
As the Captive Portal can be deployed in HTTP mode, we cannot be sure that the file name wasn’t modified by an attacker along the way. Therefore, we cannot trust data passed in the file name as authentic, and we need to verify the trust data by another means.

AD Based Configuration
If your client computers are members of an Active Directory domain and you have administrative access to this domain, you can use the Distributed Configuration tool to configure connectivity and trust rules. The Distributed Configuration tool consists of three windows:  Welcome - This window describes the tool and lets you to enter alternate credentials that are used to access the AD.

Server Discovery and Trust

Page 86

Option Comparison

 

Server configuration – This window lets you configure which Security Gateway with Identity Awareness the client should use, depending on its source location. Trusted gateways – This window lets you view and change the list of fingerprints that the Security Gateways with Identity Awareness consider secure.

Server Configuration Rules
If you use the Distributed Configuration tool and you configure ‘Automatically discover’ the server, the client fetches the rule lists and each time it needs to connect to a server, it tries to match itself against a rule, from top to bottom. When it matches a rule, it uses the servers shown in this rule, according to the priority specified. For example:

This configuration means: 1. If the user is coming from ‘192.168.0.1 – 192.168.0.255’, then try to connect to US-GW1. If it isn’t available, try BAK-GS2 (it will be used only if US-GW1 is not available, as its priority is higher). 2. Otherwise, if the user is connected from the Active Directory site ‘UK-SITE’, connect either to UK-GW1 or UK-GW2 (choose between them randomly, as they both have the same priority). If both of them are not available, connect to BAK-GS2. 3. Otherwise, connect to BAK-GS2 (the default rule is always matched when it is encountered).

Server Discovery and Trust

Page 87

Option Comparison

Trusted Gateways
The trusted gateways window shows the list of servers considered trusted – no popups will open when trying to connect to them. You can add, edit or delete a server. If you have connectivity to the server, you can get the name and fingerprint by entering its address and clicking ‘Fetch Fingerprint’. Otherwise, you should enter the same name and fingerprint that is shown when connecting to that server.

Note - The entire configuration is written under a hive named ‘Check Point’ under the ‘Program Data’ Branch in the AD database that is added in the first run of the tool. Adding this hive won’t have any affect on other AD based applications or features.

DNS Based Configuration
If you configure the client to ‘Automatic Discovery’ (the default), it looks for a server by issuing a DNS SRV query for the address ‘CHECKPOINT_NAC_SERVER._tcp’ (the DNS suffix is added automatically). You can configure the address in your DNS server. On the DNS server: 1. 2. 3. 4. 5. 6. 7. 8. 9. Go to Start > All Programs > Administrative Tools > DNS. Go to Forward lookup zones and select the applicable domain. Go to the _tcp subdomain. Right click and select Other new record. Select Service Location, Create Record. In the Service field, enter CHECKPOINT_NAC_SERVER. Set the Port number to 443. In Host offering this server, enter the address of the Security Gateway with Identity Awareness. Click OK. Note - Security Gateway with Identity Awareness load sharing can be achieved by creating several SRV records with the same priority and High Availability can be achieved by creating several SRV records with different priorities.

Server Discovery and Trust

Page 88

ad.com idserver. and saves its configuration to HKEY_CURRENT_USER._tcp. you can deploy the Security Gateway with Identity Awareness addresses and trust parameters before installing the clients. 2. and click ‘trust’ on the fingerprint verification dialog box. Active Directory GPO updates).212 > Remote Registry If you have another way to deploy registry entries to your client computers (i.e.com SRV service location: priority = 0 weight = 0 port = 443 svr hostname = idserver.Option Comparison Note . and saves its configuration to HKEY_LOCAL_MACHINE. That way.company.company.17 checkpoint_nac_server.com Address: 192. the results are combined according to the specified priority (from the lowest to highest). they will use the already deployed settings immediately after installation. Install the client on one of your computers._tcp Server: dns.Displaying SRV Record Stored in the DNS Server Run the following commands: C:\> nslookup > set type=srv > checkpoint_nac_server.1. Make sure it is installed in the same mode that will be installed on the other computers – the ‘full agent’ installs itself to your program files directory. Connect manually to all of the servers that are configured.168.company.0. To use the remote registry option: 1.com internet address = 192. while the light agent installs itself to the users directory. verify their fingerprints. Troubleshooting . Server Discovery and Trust Page 89 .168.If you configure AD based and DNS based configuration.company.

(ii) FULL – User will have dialog boxes describing the installation and can cancel. This section focuses mainly on server discover and trust aspects. 3. download the customAgent. 2. If you need the client to choose a server based on the client location. see Prepackaging Identity Agents (on page 77). will invalidate the signature. Export the following registry keys (from HKEY_LOCAL_MACHINE / HKEY_CURRENT_USER. If you do not have an Identity Agent installed. To create a prepackaged version of the Identity Agent: 1. For more information. Follow the instructions specified in Configuring Deployed Identity Agents . Any modification to the Identity Agents. according to the client type installed): a) SOFTWARE\CheckPoint\NAC\TrustedGateways (the entire tree) b) SOFTWARE\CheckPoint\NAC\ (i) DefaultGateway (ii) DefaultGatewayEnabled (iii) PredefinedPDPConnRBUsed (iv) PredefinedPDPConnectRuleBase 5. Prepackaging Identity Agents Prepackaging can be used to control client aspects other than server discovery and trust.msi from your Security Gateway with Identity Awareness. no other user interaction. finish. you can click ‘Advanced’ and configure it that way. Via SCP. (iii) SILENT – No UI will be shown. including prepackaging. 4. under /opt/CPNacPortal/htdocs/nacclients. You can use Identity Agent prepackaging feature to create a custom client version that comes bundled with the server addresses and trust data configured. 4.Option Comparison 3.reg containing the server addresses and trust data you want to deploy. Create a package INI file containing the following: You may want to change the following attributes: a) INSTALLUITYPE (i) BASIC [default] – only a progress bar is shown.The Identity Agents come digitally signed by Check Point Software Technologies Ltd. Configure it manually to connect to the requested servers (Use the settings dialog box). Important . Deploy the exported keys to the workstations before installing the client on your workstations. click next. See AD Based Configuration (on page 86) to understand how these rules are interpreted. b) INSTALLTYPE Server Discovery and Trust Page 90 . etc. install one (it does not necessarily need to be the custom agent).[AddFiles] Section (on page 81) to create a registry file named defs. and will result in security warnings displayed to the user downloading them from the Captive Portal.

No administrative privileges are needed. you can distribute the modified customAgent. d) Change the Require users to download value to Identity Agent .msi readini package. b) Go to the Identity Awareness page. (ii) SINGLEUSER – the client will be installed only for the installing user.msi to your identification portal at /opt/CPNacPortal/htdocs/nacclients. (Note: If you use another software distribution mechanism.Option Comparison (i) ALLUSERS – the client will be installed for any user running on the computer.ini 6. From the Identity Agent directory. run: cpmsi_tool customAgent. (ii) NO – Do not install the Managed Asset Detection Service. c) Click on the Captive Portal Settings button.Custom. Server Discovery and Trust Page 91 . c) MADService (i) YES – Install the Managed Asset Detection Service (Requires administrative privileges). d) PacketTagging (i) YES – Install the Packet Tagging driver (Requires administrative privileges) (ii) NO – Do not install the Packet Tagging driver. and you don’t have to upload it to your portal). and configure the Captive Portal to distribute the custom agent. 5. Upload the modified customAgent. Installation will require administrative privileges. go to the Security Gateway with Identity Awareness. a) Under the Smart Dashboard.

.

Firewall Rule Base • 10 How SSO Operates • 71 How You Download an Identity Agent Example • 11 I Identity Agent Deployment Methods • 36 Identity Agent Types • 34 Identity Agents • 11 Identity Awareness Scenarios • 13 Identity Sources • 41 Important Information • 3 Install Database for a Log Server • 49 Installing the Signed Certificate • 55 Introduction • 6. 57.Firewall Rule Base Example • 8 How Captive Portal Operates .[Properties] Section • 78 Configuring Installed Features .[Features] Section • 79 Configuring the Cluster • 60 Configuring the External Identity Awareness Gateway • 60 G Generating the Certificate Signing Request • 54 Generating the P12 File • 55 Getting Started With Identity Awareness • 6 H How AD Query Operates . 83 K Kerberos SSO Configuration • 71 L Large Scale Enterprise Deployment • 64 . 39 Automatic Server Discovery • 81 Configuring the Firewall • 48 Confirm that Security Event Logs are Recorded • 49 Creating a New User Account • 73 Creating Access Roles • 26 Creating New Language Files • 53 Custom Identity Agent msi • 77 Customize Appearance • 32 Customizing Parameters • 56 Customizing Text Strings • 49 D Data Center Protection • 63 Dedicated Identity Acquisition Gateway • 69 Deploying a Test Environment • 61 Deployment • 12 Deployment Options • 58 Deployment Scenarios • 62 Distributed Enterprise with Branch Offices • 66 DNS Based Configuration • 88 E Editing the Language Array • 52 Enabling Identity Awareness on the Log Server • 40 Enabling Identity Awareness on the Security Gateway • 23 Excluding Users • 46 B Background • 77 F File Name Based Server Discovery • 85 C Captive Portal • 9 Changing Portal Text in SmartDashboard • 50 Check Connectivity • 47 Check Domain Administrator Credentials • 48 Checking the Bridge Configuration • 60 Checking the Status of Domain Controllers • 45 Choosing Identity Sources • 41 Configuring Agent Deployment for User Groups • 37 Configuring Agent Deployment from Captive Portal • 37 Configuring an Account Unit • 75 Configuring Captive Portal in SmartDashboard • 31 Configuring Cluster and Bridge Support • 61 Configuring Clusters in Bridge Mode • 58 Configuring Deployed Identity Agents [AddFiles] Section • 81 Configuring Identity Agents • 34 Configuring Identity Agents in SmartDashboard • 38 Configuring Identity Awareness • 23 Configuring Identity Awareness for a Domain Forest (Subdomains) • 41 Configuring Identity Awareness for a Log Server • 40 Configuring Installation .Index A Access Role Objects • 29 Access Settings • 31 Acquiring Identities for Active Directory Users • 13 Acquiring Identities in Application Control • 20 Acquiring Identities with Identity Agents • 18 Acquiring Identities with the Captive Portal • 15 AD Based Configuration • 86 AD Configuration • 73 AD Query • 8 Adding a New Language • 52 Advanced AD Query Configuration • 41 Advanced Captive Portal Configuration • 49 Advanced Deployment • 57 Advanced Identity Agents Configuration • 56 Agent Access • 38 Agent Deployment from the Portal • 34 Agent Upgrades • 39 Authentication Settings • 32.

Displaying SRV Record Stored in the DNS Server • 89 N Name and Password Login Settings • 33 Negate and Block • 31 Negate and Drop • 29 Network Segregation • 66 Non-English Language Support • 46 U Unregistered Guest Login Settings • 33 Use wbemtest to Verify WMI • 47 User Access • 33 User Experience • 16. 90 Preparing Clusters with a Bridge • 59 V Verify the WMI Service • 48 Viewing the Certificate • 55 W What's Next • 20 Wireless Campus • 68 R References • 72 Remote Registry • 89 Required SmartDashboard Configuration • 16.exe • 77 O Obtaining and Installing a Trusted Server Certificate • 54 Option Comparison • 84 Overview • 71 P Packet Tagging for Anti-Spoofing • 35 Performance • 46 Perimeter Security Gateway with Identity Awareness • 62 Permissions and Timeout • 45 Portal Network Location • 31 Prepackaging Identity Agent Installation • 56 Prepackaging Identity Agents • 77.M Making Sure the Strings Shows Correctly • 53 Mapping the User Account to a Kerberos Principal Name • 74 Multiple Gateway Environments • 46 T Testing Identity Agents • 62 Testing Identity Sources • 61 Troubleshooting • 47 Troubleshooting . 21 Results of the Wizard • 26 S Sample INI File • 82 Saving New Language Files • 53 Scenario Guest Users from Unmanaged Device • 17 Identifying Users in Application Control Logs • 21 Identity Agent Deployment and User Group Access • 18 Laptop Access • 13 Recognized User from Unmanaged Device • 15 Server Certificates • 54 Server Discovery and Trust • 37. 18. 19 User identification in the Logs • 21 User Identification in the Logs • 14. 18 Using Access Roles • 15 Using Identity Awareness in the Application Control Rule Base • 29 Using Identity Awareness in the Firewall Rule Base • 28 Using the cpmsi_tool. 83 Server Discovery and Trust Options • 84 Session • 39 Setting Captive Portal to String ID Help Mode • 49 Showing the Language Selection List • 53 Single User Assumption • 45 SmartDashboard Configuration • 75 Source and Destination Fields • 30 Specifying Domain Controllers per Security Gateway • 42 SSO Configuration • 73 Page 94 . 19. 17. 17.

Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer: Get 4 months of Scribd and The New York Times for just $1.87 per week!

Master Your Semester with a Special Offer from Scribd & The New York Times