This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matt_Parfitt
Participant
‎2018-02-23 02:41 AM

Microsoft DirectAccess, Proxy & Identity Awareness

We are using Microsoft DirectAccess and we are trying to implement CheckPoint Proxy with HTTPS Inspection. We have managed to get Proxy & URL Filtering working via DirectAccess, however the logs do not show the originating computer/user, it just shows the VPN Server as the source.

This is obviously a problem when troubleshooting a specific user's problem or when we need to generate reports based on usage etc.

Does anyone have any ideas?

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2018-02-23 10:54 AM

Have you enabled this option, by chance?

Matt_Parfitt
Participant
‎2018-02-26 12:58 AM
In response to PhoneBoy

I have the first two checkboxes enabled on that Proxy Settings page.

0 Kudos
David_GOURANTON
Participant
‎2018-02-26 07:07 AM
In response to Matt_Parfitt

Unfortunately, you won't be able to identify your users when they are connected behind a Direct Access server. Indeed, the remote machines IP address is NATed by the DA server. As Checkpoint Identity Awareness maps a user to an IP address it won't work. Moreover, installing an IA agent doesn't help, as it cannot work through a DA server.

The only solution is to do NTLM/Kerberos authentication with an web proxy. This way, the user identity is carried by the browser request and not impacted by the IP address translation, allowing the proxy to identity the users.

Matt_Parfitt
Participant
‎2018-02-27 01:10 AM
In response to David_GOURANTON

Thanks David. That sounds like a viable solution, is it possible to only apply the browser request on computers that are accessing the Internet via DirectAccess?

0 Kudos
Labels