This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AaronCP
Advisor
‎2022-06-27 01:11 PM

Identity Awareness - Identity Agent & Browser Based Authentication

Good evening CheckMates,

 

I'm looking for some advice regarding the enabling of two authentication methods - namely Identity Agent & Browser Based Authentication.

 

We have been running Identity Agent using transparent Kerberos SSO for approximately 6 months and it has been working seamlessly. We've had a request from a 3rd party to access one of our internal systems that we don't want to expose over the internet. We considered a VPN, but they have an Azure tenancy that I'd like to configure using SAML2 via Browser Based Authentication. This is where I encountered issues.

 

The actual setup was straightforward and I was able to create the Identity Provider and connect it with the 3rd party enterprise application. I enabled the Browser Based Authentication on the SMS and configured two rules in the ruleset - first to allow my home public IP to connect to the gateway on port 443, the second using my access role & identity tag to access a host on the network. This worked as expected.

 

Shortly after setting up this test environment, our customers started reporting that they were unable to authenticate via their Identity Agent, preventing their access to core systems. They were receiving an error that they were required to trust a new certificate, which looked like a self-signed gateway certificate. Our Windows server team also reported that our Identity Collector server was being bombarded with traffic, even though the Identity Collector check box is no longer ticked/configured on the gateway. I noticed when I connected to the Gaia portal of the gateway that I was also being presented with this self-signed certificate.

 

When I was configuring the Browser Based Authentication, there was an area to install a certificate. I chose to use the self-signed certificate for this specific setup, so this is what would have been the cause of the certificate issue.

 

Can someone clarify why using the self-signed certificate purely for the Browser Based Authentication caused this behaviour for other Identity methods and the change in the gateway Gaia certificate, please? I assumed that I could use two different certificates for two different authentication methods.

 

Any advice on this would be greatly appreciated, as always!

 

Thanks,

 

Aaron.

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2022-06-27 05:13 PM

I believe Identity Agent (particularly with Kerberos SSO) ultimately connects to the same portal as the browser.
As such, I would expect both methods to use the same certificate.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events