Employee+

Identity Awareness Agents SK with direct links - published!

Hi CheckMates,

I have published a new SK for Identity Awareness agents with direct links and a list of resolved issues for your use.

The SK is sk134312.

It includes the following agents:

  • Identity Collector
  • Identity Agent – Full
  • Identity Agent – light
  • Identity Agent for MAC
  • Terminal Server Agent.

We will update this SK from time to time with new versions after they have been QAed.

In case you have remarks or any clarification is needed - I'm here to answer.

Thanks,

Royi Priov

Team Leader, Identity Awareness R&D.

11 Replies
Sven_Glock
Silver

Re: Identity Awareness Agents SK with direct links - published!

Nice! This was an outstanding SK! Thanks!

0 Kudos
Employee+

Re: Identity Awareness Agents SK with direct links - published!

With pleasure!

0 Kudos

Re: Identity Awareness Agents SK with direct links - published!

Hi Royi,

Question, what is recommended for deployment of Identity Agents?

There are packages available on the UserCenter (thank you for the URL/SK btw!) and on the Security Gateway under the folder: /opt/CPNacPortal/htdocs/nac/nacclients/ ?

Is there a difference between those packages?

Thank you in advance!

Kind regards,

Sean

0 Kudos
Employee+

Re: Identity Awareness Agents SK with direct links - published!

Hi Sean Van Loon‌,

That's a good question.

sk134312 will be updated from time to time with a newer version of our agents.

Every time a gateway version is released (e.g. R80.20) the newest version of each version will be included in it (the latest one from the SK).

It means that if you want to get the most updated agent it will be available on sk134312.

Since the agents are backward compatible, you can upgrade the agent even without upgrading the gateway.

I hope this is clear.

Royi Priov

Identity Awareness R&D.

Employee+

Re: Identity Awareness Agents SK with direct links - published!

An update - a new version was uploaded to the SK.

Thanks,

Royi.

0 Kudos
phlrnnr
Copper

Re: Identity Awareness Agents SK with direct links - published!

I have a few follow up questions related to Identity Collector:

1. Is this the same agent that can be downloaded from the GW at https://<IP_of_Security Gateway>/_IA_IDC/download/CPIdentityCollector.msi ?

2. What is the recommended versioning?  Does the IDC version have to be greater than or equal to the highest version GW that has identity awareness enabled and tied to IDC?  For example, in an environment with R80.20 Mgmt, and mixed GWs of R80.10, and R77.30, would the IDC agent need to be R80.10 or greater?

3. Does the version of the IDC agent only tie to the version of the GWs running IA?  Or does Security Management version matter?  Hypothetically, if my entire environment were R80.10, and I wanted to upgrade management to R80.20, would I have to upgrade IDC to R80.20 at the same time management is upgraded?  Or only before we start upgrading GWs?

4. What is the upgrade process for the IDC on the servers?  As long as there are redundant IDC servers, is it simply uninstall/reinstall of the .msi?

Thanks for your help!

Phil

0 Kudos
Employee+

Re: Identity Awareness Agents SK with direct links - published!


@phlrnnr wrote:

I have a few follow up questions related to Identity Collector:

1. Is this the same agent that can be downloaded from the GW at https://<IP_of_Security Gateway>/_IA_IDC/download/CPIdentityCollector.msi ?

2. What is the recommended versioning?  Does the IDC version have to be greater than or equal to the highest version GW that has identity awareness enabled and tied to IDC?  For example, in an environment with R80.20 Mgmt, and mixed GWs of R80.10, and R77.30, would the IDC agent need to be R80.10 or greater?

3. Does the version of the IDC agent only tie to the version of the GWs running IA?  Or does Security Management version matter?  Hypothetically, if my entire environment were R80.10, and I wanted to upgrade management to R80.20, would I have to upgrade IDC to R80.20 at the same time management is upgraded?  Or only before we start upgrading GWs?

4. What is the upgrade process for the IDC on the servers?  As long as there are redundant IDC servers, is it simply uninstall/reinstall of the .msi?

Thanks for your help!

Phil


 

1. The one on the SK is the most updated.

The IDC that exists on the GW is the newest one that was available when the version (R80.10 / R80.20, etc.) was released.

2. There is full BC of IDC version. However, the newest one is the most recommended.

3. Security MGMT is not relevant to this flow. The communication is IDC <-> GW.

4. Yes.

Good luck 🙂

Royi Priov

0 Kudos
phlrnnr
Copper

Re: Identity Awareness Agents SK with direct links - published!

I tested uninstall/reinstall in our lab and the configuration was wiped in the process. Is there any way to preserve the IDC configuration from one version to the next?
0 Kudos
Employee+

Re: Identity Awareness Agents SK with direct links - published!


@phlrnnr wrote:
I tested uninstall/reinstall in our lab and the configuration was wiped in the process. Is there any way to preserve the IDC configuration from one version to the next?

Sorry, I forgot about the database wipe.

There are 2 options to save the config while upgrading:

  1. Perform an in-place upgrade: install the newer version without uninstalling the current IDC. This will save everything.
  2. Perform "export" before removing the old IDC and "import" in the new IDC. The main issue with this method is that all passwords (AD password and shared secrets with GWs) are not saved due to security concerns.

I do recommend the first method. You can always export the configuration before starting the procedure to be on the safe side.

Thanks,

Royi Priov

0 Kudos

Re: Identity Awareness Agents SK with direct links - published!

Hi Royi,

I see that there is currently no agent for Linux/Unix. Is there a plan to create one?

Or is there an alternative for Linux/Unix users to authenticate with the Check Point?

Thanks in advance!

Kind regards,

Sean

0 Kudos
Employee+

Re: Identity Awareness Agents SK with direct links - published!


@Sean_Van_Loon wrote:

Hi Royi,

I see that there is currently no agent for Linux/Unix. Is there a plan to create one?

Or is there an alternative for Linux/Unix users to authenticate with the Check Point?

Thanks in advance!

Kind regards,

Sean


Hi @Sean_Van_Loon,

Indeed, there is no Linux-based agent and currently there is no plan to create one.

You can use captive portal for Linux machines.

Thanks,

Royi.

0 Kudos