Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PhoneBoy
Admin
Admin
Jump to solution

New Identity Collector, Identity Agent (Windows and Mac) for R80.40

sk134312 was updated with a new Identity Collector, Identity Agent (Windows and MacOS) and MUH Agent for the R80.40 release.

The new MUH Agent introduces different approach for identifying users behind the same terminal server / Citrix server.
With this approach, we are resolving current limitation of number of users per server (will now be 256 users per server), and 3rd party applications compatibility issues.

This solution is supported only with R80.40 (or later) Security Gateways.
You will have to uninstall and reinstall the new agent as they have a different implementation and driver.
The previous agent will continue to work with R80.40.

1 Solution

Accepted Solutions
Royi_Priov
Employee
Employee

Hi @Peter_Lyndley 

 

It will be supported soon.

we are working on it.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D

View solution in original post

15 Replies
Tobias_Moritz
Advisor

Good news!

Maybe I just overlooked it in the documentation, but can you tell me something about the new approach, the MUHv2 is using?

sk134312 still links to sk66761 and this sk seems to describe the old MUHv1 behavior with reserved port ranges and manipulated tcp and udp source port numbers using a filter driver.

From page 69ff in CP_R80.40_IdentityAwareness_AdminGuide.pdf, it looks like there are no reserved tcp and udp port ranges anymore, but just "ID Range".

How does it work now?

Thanks in advance for any explanation (or link to the correct documentation).

0 Kudos
PhoneBoy
Admin
Admin

@Royi_Priov can you explain?

0 Kudos
Royi_Priov
Employee
Employee

Hi @Tobias_Moritz ,

 

Indeed our SKs are not yet updated with the new information about MUH2 (the new TS agent).

In few words: this is an agent which will work only with R80.40 (and above) gateways. It is not using source ports for user identity, but tagging the packets with IDs in a different way.

We performed this change for few reasons:

1. Scalability improvements on client side - it will allow having 256 users per TS machine.

2. 3rd party apps compatibility - other apps which also tunnel source port data (such as Anti-Viruses) will not collide with MUH anymore.

3.  Scalability improvement on gateway side - the frequent update messages from MUH client to GW were really heavy. Since we are not sensitive to source ports anymore, the updates will be less frequent.

 

I hope it helps 🙂

You are welcome to tag me if any question is left unanswered.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
Tobias_Moritz
Advisor

Hi @Royi_Priov ,

thanks for the fast answer!

I guess when you say "tagging the packets with IDs in a different way" and "allow having 256 users per TS", you mean you add 8 bits to the option field of the IP packet header, inserted by a filter driver, right? This would explain the need for double reboots when upgrading from MUHv1 to MUHv2 (uninstall old driver which rewrites TCP and UDP source ports, reboot, install new driver which modifies IP header option field, reboot).

If I'm right, this approach should work for all layer 4 protocols, not only TCP und UDP like the old one.

Now the question: Am I right? 🤔

Royi_Priov
Employee
Employee

Hi @Tobias_Moritz ,

You are right in the high level details 😁

The implementation was done only for TCP and UDP in the driver.

If you need an implementation to other layer 4 protocol, you are welcome to explain the use case.

 

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
Peter_Lyndley
Advisor
Advisor

Hi ,

I'm sure I read it somewhere, that the MUHv2 agent can also work with an r80.30 gateway with a later JHF ?

Can someone confirm if MUHv2 for terminal server requires to connect to R80.40 gateway only or can be supported on R80.30 JHF x?

 

thanks

Peter

0 Kudos
Royi_Priov
Employee
Employee

Hi @Peter_Lyndley 

 

It will be supported soon.

we are working on it.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
Peter_Lyndley
Advisor
Advisor
Hi Royi,

Customer is pushing me for this support in r80.30 JHF. Was it integrated into the latest ongoing release 195 ? or are we still awaiting release ?
thanks
Peter
0 Kudos
Wolfgang
Authority
Authority

@Royi_Priov ,

we too had the requirement from some customer for support of the new agent with R80.30.

Are there any news or a timeline ?

Wolfgang

0 Kudos
Peter_Lyndley
Advisor
Advisor
Hi Royi,

Customer is pushing me for this support in r80.30 JHF. Was it integrated into the latest ongoing release 195 ? or do we have any idea of time ? week/month ?

thanks
Peter
0 Kudos
Royi_Priov
Employee
Employee

Hi @Peter_Lyndley , @Wolfgang 

It will be added as PRJ-11851 to R80.30 JHF. It is not in T195, but probably the one after.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
Yifat_Chen
Employee Alumnus
Employee Alumnus

Indeed , should be part of our upcoming R80.30 ongoing take, should be released by EOM. 

Wolfgang
Authority
Authority

Great news.

Wolfgang

0 Kudos
Sabine_Mauser
Participant

😎

0 Kudos
Royi_Priov
Employee
Employee

Hi @Wolfgang , @Peter_Lyndley , @Tobias_Moritz 

 

MUH2 support for R80.30 was released.

https://community.checkpoint.com/t5/Access-Control-Products/MUH2-support-for-R80-30-available/m-p/86...

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events