This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
rockhead006
Explorer
‎2019-10-02 04:00 AM

Identity Awareness with Transparent Kerberos Authentication for multiple users on same machine

Hi,

I have a customer migrating from a webmarshal proxy to a Check Point (application control/URL filtering) solution.

Almost everything is working fine, except for one thing:

They have terminal servers (Citrix) using the MUH (terminal server) agent. Which is working fine for most things, however, it is breaking traffic from a Java application going to internal servers (so the traffic doesn't even go through the Check Point firewalls). It seems the MUH agent it breaking the Java connection some how (errors are like, reuse of TCP ports). We have been unable to find any solution by making changes to the MUH agent config.

So I was wondiner, if it would be possible to use Identity Awareness using 'Transparent Kerberos Authentication' instead on the terminal servers (instead of the MUH agent).

Does anyone know if this would be possible. It would be multiple users, logging in on the same machine/IP.

When using the Browser Based Transparent Kerberos Authentication, does it grab the user information from each HTTP packet (headers) and go through the rulebase based on that user name OR does it do it per machine/IP. So once it see's userA details from the Transparent Kerberos Authentication coming from IP1, does it assign that user only to that IP address.

Sorry if I'm not explaining this well. Basically I'm asking, can you have multiple users on the same machine/IP - which will have traffic go through the Check Point policy individually? So userA traffic will go through rule 1, and userB's traffic can go through rule 2.

Or is it, userA was identified, so all future traffic from this machine/IP will be assumed to be coming from userA.

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2019-10-02 02:14 PM

MUH reserves ranges of source ports for a given user on the Terminal Service.
Based on the source port from the terminal server, we can determine reliably that it's user X making the connection and not user Y.
Without the agent, it would be impossible to tell which user is actually initiating connections.
0 Kudos
rockhead006
Explorer
‎2019-10-03 12:48 AM
In response to PhoneBoy

Unfortunately the MUH agent breaks the Java application, so it is not an option.

 

So you are saying the when using transparent kerberos authentication, it is per IP. So once any user is authenticated by kerberos, that IP is linked to that user only.  And that authentication is NOT done per web browser session.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-03 09:36 AM
In response to rockhead006

When you do it with kerberos, it authenticates the IP, not just the web session.
This is why the MUH Agent is required on terminal servers.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events