Royi_Priov
Employee

Identity Awareness Agents SK with direct links - published!

Hi CheckMates,

I have published a new SK for Identity Awareness agents, with direct links and a list of resolved issues, for your use.

The SK is sk134312.

It includes the following agents:

  • Identity Collector
  • Identity Agent – Full
  • Identity Agent – light
  • Identity Agent for MAC
  • Terminal Server Agent.

We will update this SK from time to time with new versions after they have been QAed.

In case you have remarks or any clarification is needed - I'm here to answer.

Thanks,

Royi Priov

Team Leader, Identity Awareness R&D.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
18 Replies
Sven_Glock
Advisor

Nice! This was an outstanding SK! Thanks!

0 Kudos
Royi_Priov
Employee

With pleasure!

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
Sean_Van_Loon
Contributor

Hi Royi,

Question, what is recommended for deployment of Identity Agents?

There are packages available on the UserCenter (thank you for the URL/SK btw!) and on the Security Gateway under the folder: /opt/CPNacPortal/htdocs/nac/nacclients/ ?

Is there a difference between those packages?

Thank you in advance!

Kind regards,

Sean

0 Kudos
Royi_Priov
Employee

Hi Sean Van Loon‌,

That's a good question.

sk134312 will be updated from time to time with a newer version of our agents.

Every time a gateway version is released (e.g. R80.20) the newest version of each version will be included in it (the latest one from the SK).

It means that if you want to get the most updated agent, it will be available on sk134312.

Since the agents are backward compatible, you can upgrade the agent even without upgrading the gateway.

I hope this is clear.

Royi Priov

Identity Awareness R&D.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
Royi_Priov
Employee

An update - a new version was uploaded to the SK.

Thanks,

Royi.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
phlrnnr
Advisor

I have a few follow up questions related to Identity Collector:

1. Is this the same agent that can be downloaded from the GW at https://<IP_of_Security Gateway>/_IA_IDC/download/CPIdentityCollector.msi ?

2. What is the recommended versioning?  Does the IDC version have to be greater than or equal to the highest version GW that has identity awareness enabled and tied to IDC?  For example, in an environment with R80.20 Mgmt, and mixed GWs of R80.10, and R77.30, would the IDC agent need to be R80.10 or greater?

3. Does the version of the IDC agent only tie to the version of the GWs of running IA?  Or does Security Management version matter?  Hypothetically, if my entire environment were R80.10, and I wanted to upgrade management to R80.20, would I have to upgrade IDC to R80.20 at the same time management is upgraded?  Or only before we start upgrading GWs?

4. What is the upgrade process for the IDC on the servers?  As long as there are redundant IDC servers, is it simply uninstall/reinstall of the .msi?

Thanks for your help!

Phil

0 Kudos
Royi_Priov
Employee


@phlrnnr wrote:

I have a few follow up questions related to Identity Collector:

1. Is this the same agent that can be downloaded from the GW at https://<IP_of_Security Gateway>/_IA_IDC/download/CPIdentityCollector.msi ?

2. What is the recommended versioning?  Does the IDC version have to be greater than or equal to the highest version GW that has identity awareness enabled and tied to IDC?  For example, in an environment with R80.20 Mgmt, and mixed GWs of R80.10, and R77.30, would the IDC agent need to be R80.10 or greater?

3. Does the version of the IDC agent only tie to the version of the GWs of running IA?  Or does Security Management version matter?  Hypothetically, if my entire environment were R80.10, and I wanted to upgrade management to R80.20, would I have to upgrade IDC to R80.20 at the same time management is upgraded?  Or only before we start upgrading GWs?

4. What is the upgrade process for the IDC on the servers?  As long as there are redundant IDC servers, is it simply uninstall/reinstall of the .msi?

Thanks for your help!

Phil


 

1. The one on the SK is the most updated.

The IDC that exists on the GW is the newest one that was available when the version (R80.10 / R80.20, etc.) was released.

2. There is full BC of IDC version. However, the newest one is the most recommended.

3. Security MGMT is not relevant to this flow. The communication is IDC <-> GW.

4. Yes.

 

Good luck 🙂

Royi Priov

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
phlrnnr
Advisor

I tested uninstall/reinstall in our lab and the configuration was wiped in the process. Is there any way to preserve the IDC configuration from one version to the next?
0 Kudos
Royi_Priov
Employee


@phlrnnr wrote:
I tested uninstall/reinstall in our lab and the configuration was wiped in the process. Is there any way to preserve the IDC configuration from one version to the next?

Sorry, I forgot about the database wipe.

There are 2 options to save the config while upgrading:

  1. Perform an in-place upgrade: install the newer version without uninstalling the current IDC. This will save everything.
  2. Perform "export" before removing the old IDC and "import" in the new IDC. The main issue with this method is that all passwords (AD password and shared secrets with GWs) are not saved due to security concerns.

 

I do recommend the first method. You can always export the configuration before starting the procedure to be on the safe side.

 

Thanks,

Royi Priov

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
jk7
Explorer

If there is a mixed network with R77.xx and R80.xx GWs, we can download IDC from the link you posted instead of from the GWs and install it on Windows, which could feed identities to either R77.xx or R80.xx PDPs, correct? Thanks in advance!

0 Kudos
Sean_Van_Loon
Contributor

Hi Royi,

 

I see that there is currently no agent for linux/unix. Is there a plan to create one?

Or is there an alternative for linux/unix users to authenticate with the Check Point?

 

Thanks in advance!

 

Kind regards,

 

Sean

(1)
Royi_Priov
Employee


@Sean_Van_Loon wrote:

Hi Royi,

 

I see that there is currently no agent for linux/unix. Is there a plan to create one?

Or is there an alternative for linux/unix users to authenticate with the Check Point?

 

Thanks in advance!

 

Kind regards,

 

Sean


Hi @Sean_Van_Loon ,

Indeed, there is no Linux-based agent, and currently there is no plan to create one.

You can use captive portal for linux machines.

 

Thanks,

Royi.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
remi0403
Explorer

Hello Royi

Is there a way to upgrade the identity agent without any action by the user? I can see "identity agent upgrades" in the R80.40 administration guide, but does it work, and how?

If the agent is no longer compatible, can the client PC download and install it automatically from the gateway?

Thanks

 

0 Kudos
Royi_Priov
Employee

Hi @remi0403 ,

Our agents are backward compatible. Therefore, there is no situation where the clients are not compatible with the gw version. They might not support new features, but they will keep the current functionality.

My personal recommendation is to use GPO, with a prepackaged msi. Please use sk134312 for the latest version.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
nordom
Explorer

Thanks for your answer. How do we identify a Linux server without a browser? As soon as I activate user awareness and remove the guest login, Linux servers no longer have update access.

Best regards, Brieuc.

0 Kudos
Juan_
Collaborator

Hi Royi!

May I ask what's the difference between light and full?

Also, the MSI seems to be the same for (mostly) everything now but the different versions point to different download links?

Many thanks

0 Kudos
Vincent_Bacher
Advisor

ia-agents.png

br 
Vincent

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Juan_
Collaborator

Many Thanks!
Silly me, wasn't finding it in the admin guide 🙂

 

0 Kudos
