https://community.checkpoint.com/t5/Firewall-and-Security-Management/identity-logging-of-internet-browsing/m-p/141417#M26936 <P>Hello CheckMates,</P> <P>we had a use case getting reports for internet browsing with user identity.<BR />Normally this is no problem, but we have the requirement to install nothing in the customers directory service (ActiveDirectory).<BR />Meaning no Identity Collector, no TerminalServerIdentityAgent. We can do logins or requests to the ActiveDirectory but all has to be done via external software/processes.</P> <P>AD-Query will work, but this will be not more supported and does not work with the newest domain controller versions.</P> <P>I've a feeling maybe captive portal is a solution but does this work for 3000-5000 users?<BR />Does captive portal support authentication with SingleSignOn via ActiveDirectory ?<BR />Does captive portal support authentication for users of TerminalServer (CitrixVDI, Microsoft TerminalServer) environments ?<BR />Does captive portal support authentication if the connection seen on the gateway coming from a proxy with X_forwarding_for-flag set ?</P> <P>Any other ideas ?<BR />Identity Collector running on a server not member of this ActiveDirectory ?</P> <P>Wolfgang</P> Mon, 14 Feb 2022 12:22:40 GMT Wolfgang 2022-02-14T12:22:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/identity-logging-of-internet-browsing/m-p/141417#M26936 <P>Hello CheckMates,</P> <P>we had a use case getting reports for internet browsing with user identity.<BR />Normally this is no problem, but we have the requirement to install nothing in the customers directory service (ActiveDirectory).<BR />Meaning no Identity Collector, no TerminalServerIdentityAgent. We can do logins or requests to the ActiveDirectory but all has to be done via external software/processes.</P> <P>AD-Query will work, but this will be not more supported and does not work with the newest domain controller versions.</P> <P>I've a feeling maybe captive portal is a solution but does this work for 3000-5000 users?<BR />Does captive portal support authentication with SingleSignOn via ActiveDirectory ?<BR />Does captive portal support authentication for users of TerminalServer (CitrixVDI, Microsoft TerminalServer) environments ?<BR />Does captive portal support authentication if the connection seen on the gateway coming from a proxy with X_forwarding_for-flag set ?</P> <P>Any other ideas ?<BR />Identity Collector running on a server not member of this ActiveDirectory ?</P> <P>Wolfgang</P> Mon, 14 Feb 2022 12:22:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/identity-logging-of-internet-browsing/m-p/141417#M26936 Wolfgang 2022-02-14T12:22:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/identity-logging-of-internet-browsing/m-p/141484#M26937 <P>If I get your question right, you can not install IC on the AD but you could on another server.</P><P>It will work as long as you get a user member of Event Log Readers group and have connectivity to both AD and FW according to the relevant SK and the firewall can do the reverse lookup.</P><P>It's usually my preferred choice of deployment, as customers never give access to their AD but would give me a dedicated server on which I could manage the IC software which doesn't require a domain admin account.</P> Mon, 14 Feb 2022 21:46:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/identity-logging-of-internet-browsing/m-p/141484#M26937 Alex- 2022-02-14T21:46:30Z