topic Re: Identity Agent Untrusted Gateway in Firewall and Security Management

Identity Agent Untrusted Gateway

sukruozdemir — Fri, 10 Jul 2020 11:34:41 GMT

Hello
I am using R80.10 on 23500 appliances.
I want use Identity Awareness Blade, actually almost everything working good expect Identity Agent SSL Certificate.
When I install identity agent on a Windows there is a Warning Message on status of agent.

My SSL certificate is looks like OK. If I click Trust everything working perfect. But while the installation like VPN is not sending any message to user for this trust relationship. It is just waiting in here, every user have to open up the status of agent and click Review after that click Trust. The users are do not know what is mouse so they can not do this clicking steps and we are talking about 20k active users.
Browser-Based Authentication works fine with same certificate.
My certificate is validated but I am still having this issue.

Re: Identity Agent Untrusted Gateway

_Val_ — Fri, 10 Jul 2020 11:59:05 GMT

This is normal. Just press "Trust" and move on. Browser based CA trust is using a different repository. Agent's trust is relying on registry entry, which will be created when you press "Trust"

Re: Identity Agent Untrusted Gateway

sukruozdemir — Fri, 10 Jul 2020 12:06:57 GMT

Hello Val
But my users are really bad using computer so thousands of them can not right click on agent, open up satus, click Review and click Trust.
Why it is not showing me a pop up while connecting or installing the agent for this trust relationship like Endpoint Security VPN.
Does every user in the world using Identity Agent have to click Trust?

Re: Identity Agent Untrusted Gateway

Tobias_Moritz — Fri, 10 Jul 2020 13:02:48 GMT

You can prevent this problem for your users by predeploying the trust.

There are multiple ways to do so and Identity Awareness Admin Guide is showing you how.

For a very quick workaround for your 20k users: Deploy the following registry key using you client software management plattform (SCCM or something like that):

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\IA\TrustedGateways\...

Just copy the needed content of this hive key from a client, where the trust button is already pressed.

For the future, just bundle the needed registry keys with the agent installer. You can manipulate the agent installer msi file do include this trust. Just patch it using the IA config tool. See Identity Awareness Admin Guide for details.

Re: Identity Agent Untrusted Gateway

sukruozdemir — Mon, 13 Jul 2020 06:13:10 GMT

This one is perfect.
I have learned lots of things , thanks to you.

Re: Identity Agent Untrusted Gateway

CP-NDA — Tue, 13 Jun 2023 14:58:36 GMT

Hi,

I'm interested to get more feedback about this process.

We are also familiar with the Distributed Configuration which basically stored this info in the AD and avoid this Trust message

However when it's time to renew the certificate how do you proceed ?

We have about 65 GW where we need to change the certificate manually (no automation / api or script if I'm not wrong) ?

Also not able to add in advance the new Fingerprint (Not possible to have 2 registry key with same name) and same issue with the Distributed Configuratin. It doesn't allow to add a second certificate with the same FQDN and a different Fingerprint

Any idea ?

Thank you