topic Re: Identity Awareness MUH agent queries in Firewall and Security Management

Identity Awareness MUH agent queries

cem82 — Wed, 01 Dec 2021 10:54:07 GMT

We are currently running IA collector and looking to install MUH agent on our terminal servers. Something that concerns me in sk164998 is the below line. Surely this doesn't mean that we should only have the agent installed on 50 term servers or what does this 50 relate to? Is there a way for the MUH agent to feed into the IA collector and then send the identities that way to save opening up FW rules between all the TS to the GW? I presume we don't need to update the gateway "allowed-client" list to include the TS as this connectivity is to the GW itself on https?

How many MUHv2 Agents are supported on one Security Gateway?

It is a recommended best practice to have a maximum of 50 MUHv2 agents on one Security Gateway.

Re: Identity Awareness MUH agent queries

_Val_ — Fri, 03 Dec 2021 17:04:58 GMT

Each terminal server should have a MUH agent. SK is saying, a single PDP should not have more than 50 agents reporting to it.

Re: Identity Awareness MUH agent queries

PhoneBoy — Fri, 03 Dec 2021 19:00:43 GMT

And a PDP exists on a gateway, so yes, it means no more than 50 MUHv2 agents should be reporting to a single gateway.
You can, of course, have different MUHv2 agents reporting to different gateways which share identities.
You may also want to have dedicated Identity Awareness gateways in some configurations that merely exist to consume and share identities with other gateways.

Re: Identity Awareness MUH agent queries

cem82 — Fri, 03 Dec 2021 23:06:34 GMT

Thanks for clarifying, I am surprised but does the number of expected users come into play on the recommendation of 50 agents? EG if some TS are likely to only have a few users logged in at a time or is user count irrelevant and just the total number of TS should be less than 50?

Re: Identity Awareness MUH agent queries

_Val_ — Sat, 04 Dec 2021 11:40:53 GMT

Each agent can work with 256 users at the same terminal server, but you are correct, the amount of users connected is not in play here. One PDP - up to 50 MUHv2

Re: Identity Awareness MUH agent queries

cem82 — Sat, 04 Dec 2021 12:45:37 GMT

Awesome thanks for clarifying 🙂

Re: Identity Awareness MUH agent queries

Wolfgang — Tue, 15 Mar 2022 20:50:18 GMT

@_Val_ @and @PhoneBoy any changes about these limitation ?

How many MUHv2 Agents are supported on one Security Gateway?

It is a recommended best practice to have a maximum of 50 MUHv2 agents on one Security Gateway.

We have a use case for 10.000 users connecting from a larger Citrix environment. Each Citrix host will be used by around 50 users, 200 Citrix hosts with MUHv2 agents needed.

50 MUHv2 agents for one PDP needs 4 separate gateways and some more for redundancy. They’re doing nothing then running PDP and sharing identities.
Are there any changes upcoming to support more MUHv2 per PDP ?

Re: Identity Awareness MUH agent queries

PhoneBoy — Tue, 15 Mar 2022 22:07:28 GMT

In R81.20, there are some underlying infrastructure changes that should allow for better redundancy/resiliency/scalability.
What the final number are, not sure yet.

Re: Identity Awareness MUH agent queries

Rafal_N — Sun, 09 Oct 2022 09:23:48 GMT

Can MUH information can be shared across gateways via IA sharing?? Or is it just to connected gateway??

MUH -> GW1 PDP (Internal GW) <-IA sharing-> GW2 PDP (Internet GW)

Does GW2 in that topology would understand packet tagging from MUH and we can build Access Role policy there??

How can we identify packet tag on pcap (wireshark)? Is it in readable format?

Re: Identity Awareness MUH agent queries

PhoneBoy — Mon, 10 Oct 2022 18:47:18 GMT

Any identity source can be shared with any other gateway--that includes MUH.
And yes, you can build the appropriate access policy (with Access Roles) on other gateways as a result.
The packet tagging we do is described here: https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk60221&partition=Advanced&product=Identity
The tags aren't readable.