NikFal
Contributor

Identity Agent vs Identity Collector -- AD Query

Hello, 

I was trying to find out exactly how the Identity Agent sends the info to the ID Awareness Server.
I could not find an SK that tells me directly what happens on the Agent side.

I already installed and configured the ID Agent on the Gateway (Identity source). I see the Identity source when users connect with the Identity Agent. However, how does the Gateway learn the AD groups that the user is in?
Does the Agent collect this information from the user and send it to the PDP? In that case, would any change in AD have to be followed by gpupdate on the client side so that the agent learns those changes?

And at this scale of 3000 users, is it OK to keep the Agent, or is it recommended to move to the Collector?
Which one is better for AD traffic? I don't want to send many requests to AD. Although the Agent gets them from the user PC, which already makes the connection to AD. But the Collector is up-to-date.

I could not find much info regarding this subject on the Check Point site...

0 Kudos
12 Replies
AkosBakos
Advisor

Hi @NikFal 

First have a look at the best practices: https://support.checkpoint.com/results/sk/sk88520

I have experience with 2000 users and they use Identity Agent. No problem, works fine.

I would push you to the IA Collector way in a large environment. It is easier to keep the version up to date, and there is no need to change/update agents on the endpoints (where a lot of agents have already been installed on the machines).

It would be enough to handle the Terminal server agent on the jumphosts etc.

What is under the hood in IA? The answer: ATRG: Identity Awareness

Akos

PS: I will search for a detailed explanation of the IA agent.

Update i: https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics/Identity-...


----------------
\m/_(>_<)_\m/
NikFal
Contributor

Yes, I've gone through those articles before I posted my question, but none of them says exactly what or how the agent works.
If I update something in AD, should I do gpupdate on the client side so that the Agent knows the new changes, or does it connect to AD, take the info and give it to the PDP? Although the agent system does not even know that there are changes... how does it exactly work?!

0 Kudos
the_rock
Legend

Have a look at this discussion, I believe it will help you lots.

Andy

https://community.checkpoint.com/t5/Security-Gateways/New-IA-Implementation/m-p/185851#M34184

0 Kudos
NikFal
Contributor

Still does not explain how the Agent obtains the info about user groups!

0 Kudos
AkosBakos
Advisor

Hi @NikFal 

Just open a TAC case and ask them to give an explanation of how IA works.

They 100% have a detailed description of IA flow.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
Legend

Also, see below what TAC sent me a while back when I worked with a client that mostly had macOS in their company.

Andy

*********************

The MacOS identity agent would offer an alternative to AD Query, since the domain controller is not providing the proper events we need to do AD Query for the MacOS hosts. The agent would authenticate with the gateway, which would in turn authenticate against the AD. This should allow the gateway to enforce user-based identities for MacOS clients.

The captive portal may also be another option should they not wish to install the Identity Agent on the MacOS hosts but, unlike the Agent, has difficulty distinguishing between multiple users behind the same IP address.

******************************

0 Kudos
Lesley
Leader

On the gateway object I would recommend IDC. Two servers would be the best. It is not a 'cluster' then, but it helps if something happens on one server. You don't need to run a separate server specially for IDC; it can share the server with other stuff 😃

Most customers do not want IDC on their DC though. Also, do not enable AD Query on the gateway object, only IDC. Just make an LDAP Account Unit in SmartConsole.

-------
If you like this post please give a thumbs up (kudo)! 🙂
0 Kudos
PhoneBoy
Admin

The most accurate way to obtain identity is via the agent as it is closest to the user.
All identity methods (except SAML ones) get groups through an LDAP query to the relevant Active Directory server.

NikFal
Contributor

Who makes the query in the case of the Identity Agent setup? The ID agent? Does the gateway need to connect to AD after that?

0 Kudos
NikFal
Contributor

Thanks for the answers.
Although this still does not answer my question: how does the Gateway learn the AD groups that the user has in the Identity Agent setup?
Does the ID agent connect to AD, take the info and forward it to the Gateway/PDP?

0 Kudos
PhoneBoy
Admin

The gateway (the PDP specifically) makes the LDAP query based on the configured LDAP Account Unit(s). 

0 Kudos
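As an added illustration of the answer above (my own example, not Check Point code and not the PDP's actual implementation): a PDP-style lookup that takes only the login name reported by the agent and resolves the user's groups, nested ones included, entirely from the directory. A constructed in-memory snapshot stands in for the LDAP Account Unit; the domain, user and group names are hypothetical.

```python
from typing import Dict, List, Optional, Set

# memberOf is the attribute AD exposes for direct group membership; nested
# membership (a group inside a group) is only visible by walking the chain.
# CONSTRUCTED sample snapshot standing in for the LDAP Account Unit's directory;
# the domain and account names are hypothetical.
DIRECTORY: Dict[str, dict] = {
    "CN=jdoe,OU=Users,DC=corp,DC=example": {
        "sAMAccountName": "jdoe",
        "memberOf": ["CN=VPN-Users,OU=Groups,DC=corp,DC=example"],
    },
    "CN=VPN-Users,OU=Groups,DC=corp,DC=example": {
        "memberOf": ["CN=Remote-Staff,OU=Groups,DC=corp,DC=example"],
    },
    "CN=Remote-Staff,OU=Groups,DC=corp,DC=example": {"memberOf": []},
    "CN=Finance,OU=Groups,DC=corp,DC=example": {"memberOf": []},
}

def user_filter(sam: str) -> str:
    """LDAP filter a PDP-style lookup would send to locate the user object.
    Escapes the characters RFC 4515 reserves so a login name reported by an
    endpoint cannot inject extra filter terms."""
    esc = sam
    for ch, rep in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29")):
        esc = esc.replace(ch, rep)
    return f"(&(objectClass=user)(sAMAccountName={esc}))"

def find_user_dn(sam: str) -> Optional[str]:
    """Stand-in for the LDAP search; sAMAccountName is case-insensitive in AD."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("sAMAccountName", "").lower() == sam.lower():
            return dn
    return None

def effective_groups(user_dn: str) -> Set[str]:
    """Walk memberOf transitively, which is what AD's matching rule
    1.2.840.113556.1.4.1941 does server-side; 'seen' guards against loops."""
    seen: Set[str] = set()
    stack: List[str] = list(DIRECTORY.get(user_dn, {}).get("memberOf", []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(DIRECTORY.get(group, {}).get("memberOf", []))
    return seen

def groups_for_login(sam: str) -> Set[str]:
    """Only the login name comes from the endpoint; every group comes from AD."""
    dn = find_user_dn(sam)
    return effective_groups(dn) if dn else set()
```

Because the walk runs against the directory, a group change in AD shows up on the PDP's next query with nothing required on the endpoint.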
