I mean that I manually specify the gateway in the agents settings.

I think I need to have the correct _tcp DNS record setup to get this working, however i'm having trouble creating the record, as CHECKPOINT_NAC_SERVER isn't accepted as a service.

Yes, you will need that service record to exist for the auto-discovery to complete. I asked our AD admin to set up this record for me, so I don't know if there was some trick to getting it to work. But, he didn't come back to me saying he had issues creating it. 

I'm assuming you are doing this in Windows DNS? Do you already have an A record for the GW defined? Were you using the FQDN for the Gateway in the "Host offering this service" field? 

yup we are on windows DNS. the "Host offering this service" I put in the FQDN of the gateway.

whenever I choose the _https protocol, it creates a new subdomain in _tcp, which I don't think should be happening, it should just be the protocol for the srv record, not another subdomain

Ah yea, thats what I had wrong. I was doing _https instead of _tcp.

I can create the entry now, however I'm realizing i have a problem with auto connecting still. My gateway is in the main domain, and the computers are in a subdomain, however the subdomain is defined as a separate domain. Our DNS is a little messy. Any idea on getting around this?

Which domain did you put this SRV record in? I think it should work if you create an A record in the "computers subdomain" that points to the IP of the Gateway running IA. It shouldn't matter that the Gateway's DNS registers in a different domain as long as the desktops can route to the IP of the Gateway.

With that A record in place, put the SRV record in the computers subdomain and point it at the FQDN computers domain hostname you just created for the GW. This way, the computers should be able to find this SRV record and resolve DNS to the Gateway. 

Sorry if that got a little word-y! It made sense in my head, hopefully I translated the idea clear enough  

You got the idea through, no worries!

I deleted the srv record from the base domain, and created it in the subdomain instead, using the original FQDN for the "host offering this service", which resolved to the correct domain. No need to create pointers or additional records.

My test client then connected immediately 

Cool! Glad that all worked out! 

In your OP, you said you wanted it to be as seamless as possible for the users. From my experience, your users may have to manually accept the Check Point CA fingerprint when the client connects for the first time. Since we try to discourage users from just clicking YES to everything, we tried to communicate this to our users through email ahead of time.

I've noticed some of my test clients see the fingerprint popup, and some trust right away. Both have received the same certificates from Group policy. I'm going to try and figure out why, but I'll likely still inform them prior to deployment, as we have lots of different devices and OS's deployed that may act differently.

Hi David, 

I don't know if it is of any use to you, but you could configure the configuration to be stored in Active Directory? This will store both the "Trusted Gateways" with their fingerprint and also the rule configuration that ties in a AD site or IP range to a particular gateway. 

The Distributed configuration tool installs as part of the Identity Agent on the client machine. 

To set it up is really easy, just open the distributed configuration tool with an account that has administrative permissions within the domain and it automatically creates the CheckPoint container in the default naming context in AD. 

The client will then check AD each time to locate the best IA server to use. 

This should resolve your fingerprint issue and removes the decision from the user to accept the fingerprint of the gateway. 

Hope this helps. 

Cheers

Mark

Hi Mark,

Sorry for the late reply, I was away on break.

I've tried the distributed configuration tool without success, but I'll give it another attempt.

I'm unable to find the container it is supposed to create, Where in AD can I verify if the distributed configuration tool created the container properly?

Thanks,

David

Hi David, 

Not a problem at all. To view the container in Active Directory you will need to open ADSIEdit.msc and connect to your domains "Default naming Context". You should be able to browse the structure to dc=<domain>,<dc=local>,CN=Program Data,CN=Check Poiint.

When you ran the Distributed Configuration Tool, was it run with an account that has administrative permissions in the domain? 

Regards

Mark

Hey Mark,

I've found the program data entry for it now, however the two containers are empty. What would they normally contain?

I did the creation with an account that has admin permissions.

Hi David, 

That is great. That looks good. I wouldn't expect to see anything as such in these. Can you screenshot your Distributed Tool configuration output please? When you open the tool you should see any entries that you had entered before. 

Regards

Mark

Pretty simply, we just have the one server, it's fingerprint correctly shows in the trusted gateways

Thanks David. That looks good to me.  Is your identity agent on your client set to automatically detect the gateway?

Also, I am assuming that your Gateway also has the Identity Awareness blade enabled and the identity source set as Identity Agent on your gateway configuration? If you can share your gateways Identity Agent configuration as well please?

Regards

Mark

After testing a few more clients, this seems to be working well for the identity agent.

I am noticing some problems with the terminal server agent running on windows 10 clients. We have some computers that multiple users sign on to, and use the fast user switching function, so we were going to use the MUH for them. They are connecting successfully, but no users are detected. This seems similar to sk113732, however this is windows 10 which is compatible with sha2.

So just to review where we are at. The normal identity agent is working as expected on Windows 10 machines now, and the issue currently lies with the MUH Agent?

Is there any error displayed within the gateway logs? Filter search. "blade:Identity Awareness" that may relate to the issue?

Regards

Mark

You've got the current state of things correct

no errors are displaying. I see the successful machine authentication logs, but no user logins show up.

In the MUH log files on the endpoint, I see the same error as referenced in sk113732 "[UIPLib (NAC::IS::TD::Surprise)] UIP::UserIdentificationByPort::startDriver: StartService failed error code = 0x241"

Windows 10 has built in sha2 support, so the articles solution doesn't seem valid for this scenario. 

Fantastic thank you. 

I have an identity awareness lab I've used recently so I will have a go at re-creating the error you are getting on a vanilla platform. It sounds like it is an Windows issue rather than a Check Point one at the minute. 

Do you have any restrictive group policies that would do anything that would stop services running or any other security related configurations? Also is the Windows 10 client fully patched and up to date?

Thank you for helping dig into this!

No restrictive policies are in place, nothign that would stop the services from running, no real security related configurations in place, I've put it into an open group for testing.

The client is fully up to date on patches.

So I think I found the problem.

sk138252 - MUH does not correctly work with Windows 10 computers with Secure Boot enabled.

So for me to deploy this, I would have to update the BIOS settings on all my windows 10 machines to disable secure boot.

Is the only option at this point to move with an RFE?

Hi David, 

I am more than happy to help.

I believe you are 100% spot on with the find. I have just tested this in a vanilla setup in a virtual machine running Windows 10. Secure boot enabled the agent is not able to collect identities. With Secure Boot disabled the agent works flawlessly.

Long term I think it would be beneficial to raise the RFE so that this is a supported feature in future releases of the agent. In the meantime, as a workaround for this specific scenario could you do the following?

1. Configure the captive portal on the gateway
   1. Kerberos SSO as well
2. Create an AD group for the users/machines that use quick switching.
3. Create a group policy that will start IE and browse the captive portal where SSO will be performed and target the group you just created. Group policy will also need to contain the certificate of the captive portal so that the machines trust it and don't display a certificate error page. 

Once the SSO within the captive portal has completed your identity based rules should apply as normal. I believe that this may be a viable workaround?

Regards

Mark

Hi Mark,

Sorry for the late reply again.

I think we are instead going to opt for a different path with our agents.Our approach will be to install the full Identity Agent, and perform the following:

1. Known shared computers will only be auto logged in to a shared account, no other accounts will be allowed to log in to those computer. They are meant for checking webmail, health & safety, internal websites, and other needs for the workers, that do not require individual user logins

2. Individual computers will be reviewed, and we may possibly remove fast user switching across the domain, as there isn't too big of a need for it, just QoL for some cases.

I like your SSO captive portal idea, I'll see if i'm able to demo it out on a test group, although I tend to be met with resistance when I bring up captive portals.