Proper settings for Identity Awareness on vSEC?
I have been reading the R80.10 vSEC limitations (sk110519), and have encountered this:
To enforce security policy with imported Data Center objects, the following conditions must be met on every vSEC Gateway, on which such policy is installed:
- vSEC Controller Enforcer Hotfix must be installed
- Identity Awareness blade must be activated with Terminal Servers authentication
The R80.10 vSEC Controller Administration Guide describes the procedure for enabling this functionality.
But I do not recall seeing this requirement in actual vSEC deployment guides.
Can someone shed some light on what's what with the IA with Terminal Services for vSEC?
It may be that the "Terminal Server" option is required to ensure that Identity Awareness pulls the information sent via the Identity Awareness API, which the vSEC Controller uses.
However, that is merely a guess.
In R77.30, since the IDA Web API was not exposed through the management, the TS Agent was piggybacked. In R80.10 the setting is done properly via the Web API section.
So the TS setting is not required in R80.X for proper enforcement of policies containing data center objects?
If this is, indeed, the case, you may want to address it in sk110519.
Thank you,
Vladimir
Hi Vlad,
I want to share my experience.
I have a vSEC R80.10 gateway with the 'Identity Awareness' blade enabled with the 'Terminal Services' option.
I have configured the 'DataCenter' object to have my Azure subscription in the management server. I can see the management server getting all the updates fine whenever there is a change to my Azure datacenter objects.
Whenever I add 'Tags' to my Azure VMs, the management server is able to recognize the Tags in security policies and updates them.
The 'TAGS' don't work when the 'Identity Awareness' blade is enabled. It works when I disable the 'Identity Awareness' blade; however, the vSEC gateways couldn't get any updated Tags. Other VMs without TAGS are also being allowed by security policies.
I checked with my SE; he says he could get his TAGS to work fine in his lab. I have a support ticket open, and they have sent it to the DEV team for further research. I will update this thread once I have a resolution.
Does anyone face similar issues with TAGS in their setup?
Chandru
Thank you for sharing your experience.
Please ask your SE about TS options in R80.10 and let us know the outcome of your troubleshooting sessions.