topic Re: Check Point Identity Awareness identity collector agent proxy bypass explicit proxy in Firewall and Security Management

Check Point Identity Awareness identity collector agent proxy bypass explicit proxy

dehaasm — Wed, 01 Mar 2023 18:13:01 GMT

Hi All,

I am trying to deploy a Identity Awareness identity collector agent on a server and to bypass the proxy server.

When we try to exclude the agent from the proxy traffic using command it does not work.

netsh winhttp set proxy proxy.company.com:80 "10.0.0.0/8"

Current WinHTTP proxy settings:

Proxy Server(s) : proxy.company.com:80
Bypass List : 10.0.0.0/8

Only when we configure netsh winhttp reset proxy to completely shutdown the proxy on OS level the agent connects successfully to the gateway.

I there any supported documented configuration possibly to exclude the only the IA identity collector agent from proxy traffic using netsh?

Re: Check Point Identity Awareness identity collector agent proxy bypass explicit proxy

Sorin_Gogean — Thu, 02 Mar 2023 10:47:14 GMT

Hello,

I don't remember seeing proxy options when I tested the Identity Client (still it was 1 year ago).
Anyway, is the FQDN that you are addressing your client covered by the 10.0.0.0/8 ? You might try to skip some domain or full FQDN, still I'm not convinced netsh supports that.

Thank you,

Re: Check Point Identity Awareness identity collector agent proxy bypass explicit proxy

dehaasm — Thu, 02 Mar 2023 10:59:52 GMT

Hi Sorin,

Yes it is covered with that, only disabling the explicit proxy completely works, hence the reason for the question. If it is not (yet) supported by Check Point I would like to hear that.

Re: Check Point Identity Awareness identity collector agent proxy bypass explicit proxy

Sorin_Gogean — Thu, 02 Mar 2023 11:11:28 GMT

And with that set-up, you are seeing the Client traffic in the proxy logs ?
Can you try and do that exception at the user level, same time with the machine level.

Could be that the Identity Client is started by user and not machine (just an ideea).

Ty,

Re: Check Point Identity Awareness identity collector agent proxy bypass explicit proxy

dehaasm — Thu, 02 Mar 2023 11:40:23 GMT

Yes with the netsh http proxy reset command we see the logs coming into the gateway and the trust is established.

Re: Check Point Identity Awareness identity collector agent proxy bypass explicit proxy

Sorin_Gogean — Thu, 02 Mar 2023 12:27:52 GMT

No, no, no, I was asking if you are seeing traffic towards the GW from Identity client in the proxy logs.

Also you did not tell me anything if you have set the proxy on User ?

Ty,

PS: according to some, the domains or FQDN can be also in the bypass list... 'could use this format. netsh winhttp set proxy proxy-server="192.168.2.2:8080" bypass-list="*.ourdomain.com;*.yourdomain.com*"'
So give that a try....

Re: Check Point Identity Awareness identity collector agent proxy bypass explicit proxy

PhoneBoy — Thu, 02 Mar 2023 20:21:37 GMT

@Royi_Priov can you have someone on your team comment on this?

Re: Check Point Identity Awareness identity collector agent proxy bypass explicit proxy

dehaasm — Fri, 17 Mar 2023 08:40:58 GMT

no answer from internally is it supported to have explicit proxy with IA agent installed?

Re: Check Point Identity Awareness identity collector agent proxy bypass explicit proxy

PhoneBoy — Fri, 17 Mar 2023 23:17:27 GMT

I tagged the wrong person.
@Liel_Shaish can you or someone on the team comment on this?

I would also ask the TAC if you haven't already.