NeilDavey
Contributor

Identity Awareness Assistance/Advice

Hi

I am in the process of testing Identity Awareness, as I want to look at using this to replace individual static IPs for accessing DMZs (using a user account would be much easier), and also to replace our 3rd-party proxy internet filtering and use the Check Point Application Control/URL Filtering blades.  For both of these, I need IA set up correctly.

So far, I have set up IA Active Directory Query, used "Assume that only one user is connected per computer", and under Identity Sharing I have "Share local identities with other gateways" ticked.

Generally speaking this is working.  I can search AD and add my security group to rules and I get internet access.  I have also replaced a static IP with a user and they can access the DMZ etc.

The one issue I get is that sometimes, all of a sudden, the internet stops working and I can't connect to the DMZ.  Looking at the logs against my local IP address, the Source User Name has changed from neildavey (which is allowed access) to serverneil (which is not allowed).  I have not done anything other than work normally.

It looks as though this is a known issue with ADQuery:

https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

It's a shame this happens, as this is an easy setup with nothing needing to be deployed, and it works straight away.

I am just wondering what the best method to get this working would be if anyone has done this same setup?

You have Identity Collector, but I think this does the same as Active Directory Query, just on a server, and sends the same data to the GW.

You have Identity Agents, which I think would be what I need, but I saw a section about "Users should reauthenticate every XXX minutes".  This sounds as though the user would need to reauthenticate at a certain time.

I am looking for the most straightforward and seamless way to get this working, so that my users don't have to do anything, as is the case with AD Query.

Any advice/suggestions appreciated.

Thanks

4 Replies
PhoneBoy
Admin

The load of ADQuery on the AD server and gateway may be problematic with thousands of users.
Identity Collector is significantly more efficient for everyone involved.

However, I think the issue you’re running into would be solved by excluding specific identities.
This is necessary to filter out accounts that aren’t real users.
You can configure this in the relevant gateway object under Identity Awareness > Active Directory Query > Settings > Advanced.

NeilDavey
Contributor

Thanks for the reply.

I am aware I can exclude accounts as you listed, but I don't think this would help in my situation.

As per my example, I am logged on as neildavey, but then somehow my IP address is associated with serverneil.  I don't want to exclude serverneil from ADQuery, as I would want to allow this account some kind of internet access in future.

G_W_Albrecht
Legend

So disable "Assume that only one user is connected per computer"!

NeilDavey
Contributor

That's how I originally had my AD Query set up, but I had other issues with multiple accounts being associated with my IP, causing other problems like RDP and mapping network drives against the correct account.

I had to tick this box, which mostly fixed the issue but not fully.  My other test user still gets issues where he can RDP into the DMZ one second, then the next he can't, as the user against his PC has changed, so he needs to do a PC lock/unlock to associate his account again.

This sounds like an AD issue to me.  So if I can't use AD Query to 100% guarantee the user logged against an IP, what would be the next best seamless method I could use?  Any recommendations?

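The symptom described throughout this thread (an IP whose Source User Name flips from neildavey to serverneil and back, with access dropped in between) is easiest to confirm from the logs rather than from user reports. The script below is an added example, not code from the thread or from Check Point: it walks log lines ordered per source IP and reports every point where the logged identity changed, how quickly it changed, and which accounts did the displacing, so you can see how often it happens and which accounts are involved before deciding whether exclusion (as PhoneBoy suggests) or a different identity source is the right fix. The sample lines are constructed, and the key=value field names (`src`, `src_user_name`, `action`) are an assumption chosen to mirror the columns Neil names; adapt `LINE_RE` to your actual log export.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (NOT real Check Point output). Field names are an
# assumption mirroring the columns mentioned in the thread: source IP and
# Source User Name. 10.1.2.50 shows the flap described by Neil; 10.1.2.77 is stable.
SAMPLE_LOG = """\
2024-05-06T09:00:01 src=10.1.2.50 src_user_name=neildavey action=Accept
2024-05-06T09:10:15 src=10.1.2.50 src_user_name=neildavey action=Accept
2024-05-06T09:12:40 src=10.1.2.50 src_user_name=serverneil action=Drop
2024-05-06T09:12:55 src=10.1.2.50 src_user_name=serverneil action=Drop
2024-05-06T09:30:02 src=10.1.2.50 src_user_name=neildavey action=Accept
2024-05-06T09:05:00 src=10.1.2.77 src_user_name=jsmith action=Accept
2024-05-06T09:45:00 src=10.1.2.77 src_user_name=jsmith action=Accept
this line is malformed and will be skipped
"""

# Assumed line layout; change this to match the real export format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) src_user_name=(?P<user>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Return (timestamp, src_ip, user, action) tuples, sorted by IP then time.

    Malformed lines are skipped rather than aborting the whole run.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["action"]))
    records.sort(key=lambda r: (r[1], r[0]))
    return records


def identity_flips(records):
    """List every point where the identity mapped to a source IP changed.

    Each entry is (src_ip, previous_user, new_user, timestamp, seconds_since_last_log).
    Because 'one user per computer' mode keeps only the latest identity, a flip
    is exactly the moment the previous user's rules stop matching that IP.
    """
    last = {}  # src_ip -> (user, timestamp) of the most recent record seen
    flips = []
    for ts, src, user, _action in records:
        prev = last.get(src)
        if prev is not None and prev[0] != user:
            gap = int((ts - prev[1]).total_seconds())
            flips.append((src, prev[0], user, ts, gap))
        last[src] = (user, ts)
    return flips


def displacing_accounts(flips):
    """Count how often each account took over an IP from a different user.

    Accounts that appear here but never legitimately log on interactively are
    the candidates for the ADQuery identity-exclusion list; accounts that do
    (like serverneil in Neil's case) point to an AD logon-event problem instead.
    """
    return Counter(new_user for _src, _old, new_user, _ts, _gap in flips)


def report(text):
    """Human-readable summary for one log export; returns the lines printed."""
    flips = identity_flips(parse_log(text))
    lines = [f"{src}: {old} -> {new} at {ts.isoformat()} ({gap}s after last log)"
             for src, old, new, ts, gap in flips]
    lines += [f"account {acct} displaced another user {n} time(s)"
              for acct, n in displacing_accounts(flips).most_common()]
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against an export filtered to the affected source IP; a flip whose new_user is an account that never logs on interactively is a straightforward exclusion candidate, whereas a flip to an account you still want to be able to grant access to (Neil's serverneil) tells you the identity source itself, not the exclusion list, is where to look.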