topic Re: Identity Agent IP exclusion in Firewall and Security Management

Identity Agent IP exclusion

nmelay — Tue, 08 Mar 2022 18:47:16 GMT

Hi all,

One of my customers recently started using a new remote access solution (from another vendor), which terminates on two "connectors" inside the corporate network.
Some of these remote users are also running the Identity Agent on their computer.
From the gateways's perspective, all of them are sharing the same two internal IP addresses.
This group of Identity Agents are thus competing for these IP's ownership, and make IA go crazy on the gateway.

I know the Identity Collector can be configured to exclude/ignore some specific IPs.
As far as I can see, no such provision has been made for the Identity Agent.

I guess I could try to solve this by blocking the Identity Agent from connecting to the gateway.
Is there a cleaner and more elegant way to do it?

Re: Identity Agent IP exclusion

Chris_Atkinson — Wed, 09 Mar 2022 01:09:21 GMT

Consult with TAC if the workaround proposed in sk111374 is valid for your use case (or self test).

Re: Identity Agent IP exclusion

nmelay — Wed, 09 Mar 2022 01:56:17 GMT

Thanks Chris for checking on this.
This SK seems unrelated though: it's about AD Query conflicting with Identity Agent, and how to prevent it from doing so.
Here, only Identity Agents are in use.

In this setup, I actually want to disable any form of IA from occurring from the connectors IPs, as the user access policy security is handled by the third party product.
A few users just happen to be running the Identity Agent on their computers (so that they get correctly identified when they're actually on site, vs remotely connected).

Is seems like the only identity sources that allow any kind of filtering are AD Query and Identity Collector.

Then again, I guess I just need to prevent the Identity Agent from being able to reach the gateway in the first place.
I'll just try this before getting involved with TAC.

Re: Identity Agent IP exclusion

Tobias_Moritz — Fri, 11 Mar 2022 14:57:04 GMT

Not sure if this works, but have you tried setting gateway properties -> Identity Awareness -> Identity Agent Settings -> Agent Access -> Accessibility: "According to the Firewall policy" in combination with appropriate rules allowing your on-site client networks and denying these twoe remote access connector IPs?

If this does not work because of implied rules, maybe you can disable implied rule for "Accept Identity Awareness control connections" in Global Properties -> Firewall and configure all needed rules for your Identity Awareness setup manually (including rules for Identity Sharing if in use)?