topic Re: Identity Agent - Auto Detecting gateway in Firewall and Security Management

Identity Agent - Auto Detecting gateway

NorthernNetGuy — Tue, 22 Jan 2019 15:53:56 GMT

For some reason within the Identity Agent, when I auto detect the gateway to connect to, the correct IP address shows, but does not connect. If I edit this to the hostname, it does connect.

I'm not sure why this is occurring, but what have others done for setting this up. I'm working towards deploying the agent, but want to make sure it's as seamless as possible for my users. I'd rather get to the root of this than bundle a custom MSI that includes our host name in the field already.

Anyone see this situation before?

Re: Identity Agent - Auto Detecting gateway

Daniel_Taney — Tue, 22 Jan 2019 16:21:16 GMT

When you say it connects if you edit the hostname, do you mean that it works when you manually specify the Gateway? or that you manipulated the host file on the machine to make it connect?

Re: Identity Agent - Auto Detecting gateway

NorthernNetGuy — Tue, 22 Jan 2019 16:30:12 GMT

I mean that I manually specify the gateway in the agents settings.

I think I need to have the correct _tcp DNS record setup to get this working, however i'm having trouble creating the record, as CHECKPOINT_NAC_SERVER isn't accepted as a service.

Re: Identity Agent - Auto Detecting gateway

Daniel_Taney — Tue, 22 Jan 2019 16:42:12 GMT

Yes, you will need that service record to exist for the auto-discovery to complete. I asked our AD admin to set up this record for me, so I don't know if there was some trick to getting it to work. But, he didn't come back to me saying he had issues creating it.

I'm assuming you are doing this in Windows DNS? Do you already have an A record for the GW defined? Were you using the FQDN for the Gateway in the "Host offering this service" field?

Re: Identity Agent - Auto Detecting gateway

NorthernNetGuy — Tue, 22 Jan 2019 16:53:26 GMT

yup we are on windows DNS. the "Host offering this service" I put in the FQDN of the gateway.

whenever I choose the _https protocol, it creates a new subdomain in _tcp, which I don't think should be happening, it should just be the protocol for the srv record, not another subdomain

Re: Identity Agent - Auto Detecting gateway

Daniel_Taney — Tue, 22 Jan 2019 16:58:21 GMT

You are setting the protocol to "_https"? I think the protocol is supposed to be "_tcp" and just the port number specified as 443. At least, that's how the IA Admin Guide shows it:

Maybe that's your issue?

Re: Identity Agent - Auto Detecting gateway

NorthernNetGuy — Tue, 22 Jan 2019 17:06:00 GMT

Ah yea, thats what I had wrong. I was doing _https instead of _tcp.

I can create the entry now, however I'm realizing i have a problem with auto connecting still. My gateway is in the main domain, and the computers are in a subdomain, however the subdomain is defined as a separate domain. Our DNS is a little messy. Any idea on getting around this?

Re: Identity Agent - Auto Detecting gateway

Daniel_Taney — Tue, 22 Jan 2019 17:15:18 GMT

Which domain did you put this SRV record in? I think it should work if you create an A record in the "computers subdomain" that points to the IP of the Gateway running IA. It shouldn't matter that the Gateway's DNS registers in a different domain as long as the desktops can route to the IP of the Gateway.

With that A record in place, put the SRV record in the computers subdomain and point it at the FQDN computers domain hostname you just created for the GW. This way, the computers should be able to find this SRV record and resolve DNS to the Gateway.

Sorry if that got a little word-y! It made sense in my head, hopefully I translated the idea clear enough

Re: Identity Agent - Auto Detecting gateway

NorthernNetGuy — Tue, 22 Jan 2019 17:45:24 GMT

You got the idea through, no worries!

I deleted the srv record from the base domain, and created it in the subdomain instead, using the original FQDN for the "host offering this service", which resolved to the correct domain. No need to create pointers or additional records.

My test client then connected immediately

Re: Identity Agent - Auto Detecting gateway

Daniel_Taney — Tue, 22 Jan 2019 18:02:20 GMT

Cool! Glad that all worked out!

In your OP, you said you wanted it to be as seamless as possible for the users. From my experience, your users may have to manually accept the Check Point CA fingerprint when the client connects for the first time. Since we try to discourage users from just clicking YES to everything, we tried to communicate this to our users through email ahead of time.

Re: Identity Agent - Auto Detecting gateway

NorthernNetGuy — Tue, 22 Jan 2019 18:06:23 GMT

I've noticed some of my test clients see the fingerprint popup, and some trust right away. Both have received the same certificates from Group policy. I'm going to try and figure out why, but I'll likely still inform them prior to deployment, as we have lots of different devices and OS's deployed that may act differently.

Re: Identity Agent - Auto Detecting gateway

Mark_Mitchell — Thu, 24 Jan 2019 06:36:06 GMT

Hi David,

I don't know if it is of any use to you, but you could configure the configuration to be stored in Active Directory? This will store both the "Trusted Gateways" with their fingerprint and also the rule configuration that ties in a AD site or IP range to a particular gateway.

The Distributed configuration tool installs as part of the Identity Agent on the client machine.

To set it up is really easy, just open the distributed configuration tool with an account that has administrative permissions within the domain and it automatically creates the CheckPoint container in the default naming context in AD.

The client will then check AD each time to locate the best IA server to use.

This should resolve your fingerprint issue and removes the decision from the user to accept the fingerprint of the gateway.

Hope this helps.

Cheers

Mark

Re: Identity Agent - Auto Detecting gateway

NorthernNetGuy — Wed, 30 Jan 2019 13:14:33 GMT

Hi Mark,

Sorry for the late reply, I was away on break.

I've tried the distributed configuration tool without success, but I'll give it another attempt.

I'm unable to find the container it is supposed to create, Where in AD can I verify if the distributed configuration tool created the container properly?

Thanks,

David

Re: Identity Agent - Auto Detecting gateway

Mark_Mitchell — Wed, 30 Jan 2019 13:55:55 GMT

Hi David,

Not a problem at all. To view the container in Active Directory you will need to open ADSIEdit.msc and connect to your domains "Default naming Context". You should be able to browse the structure to dc=<domain>,<dc=local>,CN=Program Data,CN=Check Poiint.

When you ran the Distributed Configuration Tool, was it run with an account that has administrative permissions in the domain?

Regards

Mark

Re: Identity Agent - Auto Detecting gateway

NorthernNetGuy — Wed, 30 Jan 2019 14:00:58 GMT

Hey Mark,

I've found the program data entry for it now, however the two containers are empty. What would they normally contain?

I did the creation with an account that has admin permissions.

Re: Identity Agent - Auto Detecting gateway

Mark_Mitchell — Wed, 30 Jan 2019 14:04:19 GMT

Hi David,

That is great. That looks good. I wouldn't expect to see anything as such in these. Can you screenshot your Distributed Tool configuration output please? When you open the tool you should see any entries that you had entered before.

Regards

Mark

Re: Identity Agent - Auto Detecting gateway

NorthernNetGuy — Wed, 30 Jan 2019 14:19:09 GMT

Pretty simply, we just have the one server, it's fingerprint correctly shows in the trusted gateways

Re: Identity Agent - Auto Detecting gateway

Mark_Mitchell — Wed, 30 Jan 2019 14:23:33 GMT

Thanks David. That looks good to me. Is your identity agent on your client set to automatically detect the gateway?

Also, I am assuming that your Gateway also has the Identity Awareness blade enabled and the identity source set as Identity Agent on your gateway configuration? If you can share your gateways Identity Agent configuration as well please?

Regards

Mark

Re: Identity Agent - Auto Detecting gateway

NorthernNetGuy — Wed, 30 Jan 2019 14:34:52 GMT

After testing a few more clients, this seems to be working well for the identity agent.

I am noticing some problems with the terminal server agent running on windows 10 clients. We have some computers that multiple users sign on to, and use the fast user switching function, so we were going to use the MUH for them. They are connecting successfully, but no users are detected. This seems similar to sk113732, however this is windows 10 which is compatible with sha2.

Re: Identity Agent - Auto Detecting gateway

Mark_Mitchell — Wed, 30 Jan 2019 14:48:12 GMT

So just to review where we are at. The normal identity agent is working as expected on Windows 10 machines now, and the issue currently lies with the MUH Agent?

Is there any error displayed within the gateway logs? Filter search. "blade:Identity Awareness" that may relate to the issue?

Regards

Mark