cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

(AD Query or IC Server) and IA Agent Deployments

Hi,

I was wondering if someone could advise on the below:

We have both Prod and Non Prod Checkpoint Domains, which uses AD Query:

  • AD Query sources are the same for Prod and Non Prod
  • Prod share identities to all other gateways but not to Non Prod as different domain.

Issues:

  • We have had logon issues where DC1 of 4 has required restarting and those users authenticated by it were not allowed via IA, potential issue with security logs being truncated and WMI issue (required restarting), have not been able to repeat
  • Our TS multi user agent can only connect Prod as preference is for Prod IA Gateway, until we change preference to Non Prod IA gateway. This is by design and could only be fixed by sharing identities between Prod/Non Prod (no possible as multidomain?) or we need TS servers for Prod and Non Prod and not combined for management.

I would like to deploy the IA Agent but users will have the above TS issue when connecting to Prod/Non Prod. Forcing them to select the required IA Gateway for each domain. IA Agent is preferred to allow transparent subnet roaming without creating a security event.  

I was wondering if anyone was deploying both (AD Query and IA Agents) or (IA Collector Server and IA Agents) as this would provide redundancy and fix our issue with different domains. 

Appreciate your help

Aaron

Tags (1)
1 Reply

Re: (AD Query or IC Server) and IA Agent Deployments

We run a flavour of all 3 (AD Query, IDC and Multi-Host Identitiy Agent).    The issue with the TS multi user agent is something that has been very frustrating for us as well.   And wish Check Point would give a better solution to this issue.   

   You can actually share the learned TS Identities across gateways managed by different domains under the multi-domain(I know it a mouthful).     We followed sk65404 and have cross domain identity sharing working for a few of our gateways..   But it is not a really user friendly solution.     Also a word of caution is that if you introduce clustered environments into this solution it makes it much more complex, and there is very little reference on how to resolve the cluster issues & identity sharing in the provided SK,

0 Kudos