rockhead006
Explorer

Identity Awareness with Transparent Kerberos Authentication for multiple users on same machine

Hi,

I have a customer migrating from a webmarshal proxy to a Check Point (application control/URL filtering) solution.

Almost everything is working fine, except for one thing:

They have terminal servers (Citrix) using the MUH (terminal server) agent, which is working fine for most things. However, it is breaking traffic from a Java application going to internal servers (so the traffic doesn't even go through the Check Point firewalls). It seems the MUH agent is breaking the Java connection somehow (errors are like reuse of TCP ports). We have been unable to find any solution by making changes to the MUH agent config.

So I was wondering if it would be possible to use Identity Awareness with 'Transparent Kerberos Authentication' on the terminal servers instead (instead of the MUH agent).

Does anyone know if this would be possible? It would be multiple users logging in on the same machine/IP.

When using the Browser Based Transparent Kerberos Authentication, does it grab the user information from each HTTP packet (headers) and go through the rulebase based on that user name, OR does it do it per machine/IP? So once it sees userA's details from the Transparent Kerberos Authentication coming from IP1, does it assign that user only to that IP address?

Sorry if I'm not explaining this well. Basically I'm asking: can you have multiple users on the same machine/IP whose traffic will go through the Check Point policy individually? So userA's traffic will go through rule 1, and userB's traffic can go through rule 2.

Or is it that userA was identified, so all future traffic from this machine/IP will be assumed to be coming from userA?

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

MUH reserves ranges of source ports for a given user on the Terminal Service.
Based on the source port from the terminal server, we can determine reliably that it's user X making the connection and not user Y.
Without the agent, it would be impossible to tell which user is actually initiating connections.
0 Kudos
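To make the difference between the two identity models concrete, here is an added illustration (not Check Point code, and not the real MUH allocation scheme): two users on one terminal server address are resolved once by source IP, as transparent Kerberos does, and once by a reserved source-port range, as the MUH agent does. The address, port ranges and rulebase are constructed sample values.

```python
# Constructed illustration: identity per source IP (transparent Kerberos)
# versus identity per reserved source-port range (MUH-style) when two users
# share one terminal server address.
TERMINAL_SERVER = "10.0.0.5"  # constructed sample address

# Hypothetical port reservations; the real MUH allocation scheme differs.
PORT_RESERVATIONS = {
    (30000, 30999): "userA",
    (31000, 31999): "userB",
}

# Hypothetical identity-based rulebase, first match wins; anything that
# matches no rule falls through to an implicit cleanup rule (block).
RULES = [
    ("rule 1", "userA", "allow"),
    ("rule 2", "userB", "block"),
]


def identity_by_ip(src_ip, ip_identity_table):
    """Transparent Kerberos model: the IP is bound to whoever authenticated first."""
    return ip_identity_table.get(src_ip)


def identity_by_port(src_ip, src_port):
    """MUH model: the reserved source-port range identifies the user."""
    if src_ip != TERMINAL_SERVER:
        return None
    for (low, high), user in PORT_RESERVATIONS.items():
        if low <= src_port <= high:
            return user
    return None  # port outside every reservation: no identity known


def match_rule(user):
    """Return (rule name, action) for the first rule matching the identity."""
    for name, rule_user, action in RULES:
        if rule_user == user:
            return name, action
    return "cleanup", "block"


def evaluate(connections, ip_identity_table):
    """Map each (src_ip, src_port) to its decision under both models."""
    decisions = {}
    for src_ip, src_port in connections:
        by_ip = identity_by_ip(src_ip, ip_identity_table)
        by_port = identity_by_port(src_ip, src_port)
        decisions[(src_ip, src_port)] = {
            "ip_model": (by_ip,) + match_rule(by_ip),
            "port_model": (by_port,) + match_rule(by_port),
        }
    return decisions
```

With userA authenticated first, the IP model sends userB's connection (source port 31500) through rule 1 as userA, while the port model sends it through rule 2 as userB.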
rockhead006
Explorer

Unfortunately the MUH agent breaks the Java application, so it is not an option.


So you are saying that when using transparent Kerberos authentication, it is per IP. So once any user is authenticated by Kerberos, that IP is linked to that user only, and that authentication is NOT done per web browser session.

0 Kudos
PhoneBoy
Admin
Admin

When you do it with Kerberos, it authenticates the IP, not just the web session.
This is why the MUH Agent is required on terminal servers.
0 Kudos