Champion

Proper settings for Identity Awareness on vSEC?

I have been reading the R80.10 vSEC limitations (sk110519), and have encountered this:

To enforce security policy with imported Data Center objects, the following conditions must be met on every vSEC Gateway, on which such policy is installed:

  • vSEC Controller Enforcer Hotfix must be installed
  • Identity Awareness blade must be activated with Terminal Servers authentication

The R80.10 vSEC Controller Administration Guide describes the procedure for enabling this functionality.

But I do not recall seeing this requirement in actual vSEC deployment guides.

Can someone shed some light on what's what with the IA with Terminal Services for vSEC?

5 Replies
Admin

It may be that the "Terminal Server" option is required to ensure that Identity Awareness pulls the information sent via the Identity Awareness API, which the vSEC Controller uses.

However, that is merely a guess. 

Employee+

In R77.30, since the IDA Web API was not exposed through the management, the TS Agent was piggybacked. In R80.10 the setting is done properly via the Web API section.

Champion

So the TS setting is not required in R80.X for proper enforcement of policies containing data center objects?

If this is, indeed, the case, you may want to address it in sk110519.

Thank you,

Vladimir

Collaborator

Hi Vlad,

I want to share my experience.

I have vSEC R80.10 gateway with 'Identity Awareness' blade enabled with 'Terminal Services' option.

I have configured the 'DataCenter' object to have my Azure subscription in the management server. I can see the management server getting all the updates fine whenever there is a change to my Azure datacenter objects.

Whenever I add 'Tags' to my Azure VMs, the management server is able to recognize the Tags in security policies and updates them.

The 'TAGS' don't work when the 'Identity Awareness' blade is enabled. It works when I disable the 'Identity Awareness' blade; however, the vSEC gateways couldn't get any updated Tags. Other VMs without TAGS are also being allowed by security policies.

I checked with my SE; he says he could get his TAGS to work fine in his lab. I have a Support ticket open, and they have sent it to the DEV team for further research. I will update this thread once I have a resolution.

Does anyone face similar issues with TAGS in their setup?

Chandru

Champion

Thank you for sharing your experience.

Please ask your SE about TS options in R80.10 and let us know the outcome of your troubleshooting sessions.
