Identity Awareness Agents SK with direct links - published!
Hi CheckMates,
I have published a new SK for Identity Awareness agents with direct links and a list of resolved issues for your use.
The SK is sk134312.
It includes the following agents:
- Identity Collector
- Identity Agent – Full
- Identity Agent – light
- Identity Agent for MAC
- Terminal Server Agent.
We will update this SK from time to time with new versions after they have been QAed.
In case you have remarks or any clarification is needed - I'm here to answer.
Thanks,
Royi Priov
Team Leader, Identity Awareness R&D.
Royi Priov
R&D Group manager, Infinity Identity
Nice! This was an outstanding SK! Thanks!
With pleasure!
Royi Priov
R&D Group manager, Infinity Identity
Hi Royi,
Question, what is recommended for deployment of Identity Agents?
There are packages available on the UserCenter (thank you for the URL/SK btw!) and on the Security Gateway under the folder: /opt/CPNacPortal/htdocs/nac/nacclients/ ?
Is there a difference between those packages?
Thank you in advance!
Kind regards,
Sean
Hi Sean Van Loon,
That's a good question.
sk134312 will be updated from time to time with a newer version of our agents.
Every time a gateway version is released (e.g. R80.20) the newest version of each version will be included in it (the latest one from the SK).
It means that if you want to get the most updated agent it will be available on sk134312.
Since the agents are backward compatible, you can upgrade the agent even without upgrading the gateway.
I hope this is clear.
Royi Priov
Identity Awareness R&D.
Royi Priov
R&D Group manager, Infinity Identity
An update - a new version was uploaded to the SK.
Thanks,
Royi.
Royi Priov
R&D Group manager, Infinity Identity
I have a few follow up questions related to Identity Collector:
1. Is this the same agent that can be downloaded from the GW at https://<IP_of_Security Gateway>/_IA_IDC/download/CPIdentityCollector.msi ?
2. What is the recommended versioning? Does the IDC version have to be greater than or equal to the highest version GW that has identity awareness enabled and tied to IDC? For example, in an environment with R80.20 Mgmt, and mixed GWs of R80.10, and R77.30, would the IDC agent need to be R80.10 or greater?
3. Does the version of the IDC agent only tie to the version of the GWs running IA? Or does Security Management version matter? Hypothetically, if my entire environment were R80.10, and I wanted to upgrade management to R80.20, would I have to upgrade IDC to R80.20 at the same time management is upgraded? Or only before we start upgrading GWs?
4. What is the upgrade process for the IDC on the servers? As long as there are redundant IDC servers, is it simply uninstall/reinstall of the .msi?
Thanks for your help!
Phil
@phlrnnr wrote:
I have a few follow up questions related to Identity Collector:
1. Is this the same agent that can be downloaded from the GW at https://<IP_of_Security Gateway>/_IA_IDC/download/CPIdentityCollector.msi ?
2. What is the recommended versioning? Does the IDC version have to be greater than or equal to the highest version GW that has identity awareness enabled and tied to IDC? For example, in an environment with R80.20 Mgmt, and mixed GWs of R80.10, and R77.30, would the IDC agent need to be R80.10 or greater?
3. Does the version of the IDC agent only tie to the version of the GWs running IA? Or does Security Management version matter? Hypothetically, if my entire environment were R80.10, and I wanted to upgrade management to R80.20, would I have to upgrade IDC to R80.20 at the same time management is upgraded? Or only before we start upgrading GWs?
4. What is the upgrade process for the IDC on the servers? As long as there are redundant IDC servers, is it simply uninstall/reinstall of the .msi?
Thanks for your help!
Phil
1. The one on the SK is the most updated.
The IDC that exists on the GW is the newest one that was available when the version (R80.10 / R80.20, etc.) was released.
2. There is full BC of IDC version. However, the newest one is the most recommended.
3. Security MGMT is not relevant to this flow. The communication is IDC <-> GW.
4. Yes.
Good luck 🙂
Royi Priov
Royi Priov
R&D Group manager, Infinity Identity
@phlrnnr wrote:
I tested uninstall/reinstall in our lab and the configuration was wiped in the process. Is there any way to preserve the IDC configuration from one version to the next?
Sorry, I forgot about the database wipe.
There are 2 options to save the config while upgrading:
- Perform an in-place upgrade: install the newer version without uninstalling the current IDC. This will save everything.
- Perform "export" before removing the old IDC and "import" in the new IDC. The main issue with this method is that all passwords (AD password and shared secrets with GWs) are not saved due to security concerns.
I do recommend the first method. You can always export the configuration before starting the procedure to be on the safe side.
Thanks,
Royi Priov
Royi Priov
R&D Group manager, Infinity Identity
If there are mixed networks with R77.xx and R80.xx GWs, we can download IDC from the link you posted instead of from the GWs and install it on Windows, which could feed identities to either R77.xx or R80.xx PDPs, correct? Thanks in advance!
Hi Royi,
I see that there is currently no agent for linux/unix. Is there a plan to create one?
Or is there an alternative for linux/unix users to authenticate with the Check Point?
Thanks in advance!
Kind regards,
Sean
@Sean_Van_Loon wrote:
Hi Royi,
I see that there is currently no agent for linux/unix. Is there a plan to create one?
Or is there an alternative for linux/unix users to authenticate with the Check Point?
Thanks in advance!
Kind regards,
Sean
Hi @Sean_Van_Loon ,
Indeed, there is no Linux-based agent and currently there is no plan to create one.
You can use captive portal for linux machines.
Thanks,
Royi.
Royi Priov
R&D Group manager, Infinity Identity
Hello Royi
Is there a way to upgrade the Identity Agent without any action by the user? I can see Identity Agent upgrades in the administration guide 80.40, but does it work, and how?
If the agent is no longer compatible, can the PC client download and install it automatically from the gateway?
Thanks
Hi @remi0403 ,
Our agents are backward compatible. Therefore, there is no situation where the clients are not compatible with the gw version. They might not support new features, but they will keep the current functionality.
My personal recommendation is to use GPO, with a prepackaged msi. Please use sk134312 for the latest version.
Royi Priov
R&D Group manager, Infinity Identity
Thanks for your answer. How do we identify a Linux server without a browser? As soon as I activate the user awareness and remove the guest login, Linux servers no longer have update access.
Best regards, Brieuc.
Hi Royi!
May I ask what's the difference between light and full?
Also, the MSI seems to be the same for (mostly) everything now but the different versions point to different download links?
Many thanks
br
Vincent
Many Thanks!
Silly me, wasn't finding it in the admin guide 🙂
