Nice! This was an outstanding SK! Thanks!

With pleasure!

Hi Royi,

Question, what is recommended for deployment of Identity Agents?

There are packages available on the UserCenter (thank you for the URL/SK btw!) and on the Security Gateway under the folder: /opt/CPNacPortal/htdocs/nac/nacclients/ ?

Is there a difference between those packages?

Thank you in advance!

Kind regards,

Sean

Hi Sean Van Loon‌,

That's a good question.

 sk134312will be updated from time to time with a newer version of our agents.

Every time a gateway version is released (e.g. R80.20) the newest version of each version will be included in it (the latest one from the SK).

It means that if you want to get the most updated agent it will be available on  sk134312

Since the agents are backward compatible, you can upgrade the agent even without upgrading the gateway.

I hope this is clear.

Royi Priov

Identity Awareness R&D.

An update - a new version was uploaded to the SK.

Thanks,

Royi.

I have a few follow up questions related to Identity Collector:

1. Is this the same agent that can be downloaded from the GW at https://<IP_of_Security Gateway>/_IA_IDC/download/CPIdentityCollector.msi ?

2. What is the recommended versioning?  Does the IDC version have to be greater than or equal to the highest version GW that has identity awareness enabled and tied to IDC?  For example, in an environment with R80.20 Mgmt, and mixed GWs of R80.10, and R77.30, would the IDC agent need to be R80.10 or greater?

3. Does the version of the IDC agent only tie to the version of the GWs of running IA?  Or does Security Management version matter?  Hypothetically, if my entire environment were R80.10, and I wanted to upgrade management to R80.20, would I have upgrade IDC to R80.20 at the same time management is upgraded?  Or only before we start upgrading GWs?

4. What is upgrade process for the IDC on the servers?  As long as there are redundant IDC servers, is it simply uninstall/reinstall of the .msi?

Thanks for your help!

Phil

---

@phlrnnr wrote:

I have a few follow up questions related to Identity Collector:

1. Is this the same agent that can be downloaded from the GW at https://<IP_of_Security Gateway>/_IA_IDC/download/CPIdentityCollector.msi ?

2. What is the recommended versioning?  Does the IDC version have to be greater than or equal to the highest version GW that has identity awareness enabled and tied to IDC?  For example, in an environment with R80.20 Mgmt, and mixed GWs of R80.10, and R77.30, would the IDC agent need to be R80.10 or greater?

3. Does the version of the IDC agent only tie to the version of the GWs of running IA?  Or does Security Management version matter?  Hypothetically, if my entire environment were R80.10, and I wanted to upgrade management to R80.20, would I have upgrade IDC to R80.20 at the same time management is upgraded?  Or only before we start upgrading GWs?

4. What is upgrade process for the IDC on the servers?  As long as there are redundant IDC servers, is it simply uninstall/reinstall of the .msi?

Thanks for your help!

Phil

---

1. The one on the SK is the most updated.

The IDC exists on the GW is the newest one available when the version (R80.10 / R80.20, etc) was released.

2. There is full BC of IDC version. However, the newest one is the most recommended.

3. Security MGMT is not relevant to this flow. The communication is IDC <-> GW.

4. Yes.

Good luck 🙂

Royi Priov

---

@phlrnnr wrote:
I tested uninstall/reinstall in our lab and the configuration was wiped in the process. Is there any way to preserve the IDC configuration from one version to the next?

---

Sorry, I forgot about the database wipe.

There are 2 options to save the config while upgrading:

1. perform in-place upgrade: install the newer version without uninstalling the current IDC. This will save everything.
2. perform "export" before removing the old IDC and "import" in the new IDC. the main issue with this method is that all passwords (AD password and shared secrets with GWs) are not saved due to security concerns.

I do recommend the first method. you can always export the configuration before staring the procedure to be on the safe side.

Thanks,

Royi Priov

if there are a mixed networks with R77.xx and R80.xx GWs, we can download IDC from the link you posted instead of from the GWs and installed on the windows, which could feed identities to either R77.xx and R80.xx PDPs, correct? thanks in advance!

Hi Royi,

I see that there is currently no agent for linux/unix. Is there a plan to create one?

Or is there an alternative for linux/unix users to authenticate with the Check Point?

Thanks in advance!

Kind regards,

Sean

---

@Sean_Van_Loon wrote:

Hi Royi,

 

I see that there is currently no agent for linux/unix. Is there a plan to create one?

Or is there an alternative for linux/unix users to authenticate with the Check Point?

 

Thanks in advance!

 

Kind regards,

 

Sean

---

Hi @Sean_Van_Loon ,

Indeed, there is no linux based agent and currently there is no plan to crewate one.

You can use captive portal for linux machines.

Thanks,

Royi.