CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Identity Awareness for Terminal Servers R77.30

  1. #1
    Join Date
    2018-04-18
    Posts
    25
    Rep Power
    0

    Default Identity Awareness for Terminal Servers R77.30

    Hello,

    I am running R77.30 and am attempting to set up Identity Awareness for Terminal Servers. In SmartDashboard I went into the Check Point objects and enabled Identity Awareness for Terminal Servers and applied policy for the security gateways that I want this running on.

    I also downloaded the ID Awareness software from the link in SmartDashboard.

    When I go to install the endpoint client on our Windows 2016 Terminal Server, the connection state of the endpoint says "could not find server", and prompts me to enter a server before continuing with the install. I have attached a screenshot.

    I do not know what to enter for the server. I am under the impression that the security gateways with this feature enabled on them are the servers and they pull their ID information from our Active Directory.

    Has anyone configured this feature before or have any advice? All of the SK articles I have found don't indicate anything for the server for the installation of the endpoint.

    [Attached image: cp end point rds.jpg]

  2. #2
    Join Date
    2006-06-07
    Posts
    21
    Rep Power
    0

    Default Re: Identity Awareness for Terminal Servers R77.30

    https://supportcenter.checkpoint.com...nid=sk66761#Q1

    Identity Awareness Terminal Server FAQ.

    • Windows 2016 R2 is not supported.
    • Windows 2016 is supported, but only for R80.10

    This is relevant if you are on R77.30. You may find that using an R80.10 TS Agent gets this to work, but don't expect the pre-R80 Agents to work. You may find that you need to raise a case with Check Point to get a compatible Agent; certainly the one from SmartDashboard will be the R77.30 Agent, so no Windows 2016.

    You are correct in that the Server as defined is the Security Gateway. When you download the IA MUH Agent from the Gateway, it will populate the Agent with the Gateway IP. Depending upon the setting regarding accessibility, you may also need to define rules to permit the MUH agent to communicate with the Security Gateway as well.

    When you hook it up, you will also need to trust the Certificate from the VPN Gateway to get it to connect.

  3. #3
    Join Date
    2018-04-18
    Posts
    25
    Rep Power
    0

    Default Re: Identity Awareness for Terminal Servers R77.30

    Thank you for the information. Is it possible to define multiple security gateways as "the server" to pull ID information from? I would like to avoid only one security gateway answering all of the ID requests.

  4. #4
    Join Date
    2006-06-07
    Posts
    21
    Rep Power
    0

    Default Re: Identity Awareness for Terminal Servers R77.30

    The TS Agent can only connect to 1 Check Point Gateway.

    Different TS Agents can, however, connect to different Check Point Gateways in your environment. You can then use Identity Sharing to share that information with other Check Point Gateways.

    The TS Agent/Gateway communication is simply the passing of User Information to the Gateway about the User, the Groups they are in and the Source Port Range, so that it can be matched against Access Roles and logged against the User.

    There are no requests as such that the Gateway would be receiving from the TS Agent about User ID.

    The TS Agent simply intercepts traffic from the Session and manipulates the Source Port so that instead of being some random port it is the next available port in the Range associated with the User Session.

    That way, when the user traffic arrives at the Gateway, it will be seen coming from the TS Server IP, with a known Source Port that will identify the user to the Gateway.
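
The port-range identification described in post #4, sketched as an added example that is not part of the thread and is not Check Point's code: a hypothetical gateway-side table that resolves (terminal server IP, source port) to the reported user and returns nothing for traffic whose port falls outside every reported range. The class and function names, addresses, port ranges and user names are all assumptions made for illustration.

```python
from bisect import bisect_right
from typing import NamedTuple, Optional

class Session(NamedTuple):
    first_port: int
    last_port: int
    user: str
    groups: tuple

class PortIdentityTable:
    """Hypothetical gateway-side table: (TS server IP, source port) -> user session."""

    def __init__(self):
        self._sessions = {}  # TS server IP -> sessions sorted by first_port

    def report(self, ts_ip, first_port, last_port, user, groups=()):
        """Store one agent report; refuse a range that overlaps another session."""
        if not 0 < first_port <= last_port <= 65535:
            raise ValueError("invalid port range")
        sessions = self._sessions.setdefault(ts_ip, [])
        for s in sessions:
            if first_port <= s.last_port and s.first_port <= last_port:
                raise ValueError(f"range overlaps session of {s.user}")
        sessions.append(Session(first_port, last_port, user, tuple(groups)))
        sessions.sort()  # ranges never overlap, so first_port alone orders them

    def resolve(self, src_ip, src_port) -> Optional[Session]:
        """Return the session owning this source port, or None if unidentified."""
        sessions = self._sessions.get(src_ip, [])
        starts = [s.first_port for s in sessions]
        i = bisect_right(starts, src_port) - 1  # last range starting at or below the port
        if i >= 0 and sessions[i].last_port >= src_port:
            return sessions[i]
        return None

def attribute(table, connections):
    """Map each (src_ip, src_port) to a user name, or None when no range matches."""
    hits = (table.resolve(ip, port) for ip, port in connections)
    return [s.user if s else None for s in hits]

# Constructed sample data: addresses, port ranges and names are made up.
TABLE = PortIdentityTable()
TABLE.report("10.0.0.50", 20000, 20999, "alice", ["Finance"])
TABLE.report("10.0.0.50", 21000, 21999, "bob", ["IT"])
CONNECTIONS = [("10.0.0.50", 20017), ("10.0.0.50", 21999),
               ("10.0.0.50", 49152), ("10.0.0.51", 20017)]
print(attribute(TABLE, CONNECTIONS))
```

The two `None` results are the cases worth watching in logs: a source port on the terminal server that no session owns, and a port that would match a range but arrives from a different source IP.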
