StevePearson
Contributor

Identity Awareness across multiple sites and AD domains

I'm currently exploring how to roll out Identity Awareness and am looking for any tips and advice!

I have ID awareness running on one site using ID agents on the endpoints, which works just fine. Now I have deployed 1500 series devices to other sites, all managed from the same SMS, and need to look at rolling out ID awareness on these. The remote sites are on different AD domains, so these will need to be created as objects and configured accordingly, then I should be able to share the identities between the gateways. The problem here is the inter-site communication: it is not traditional S2S VPNs, it's Harmony SASE. On top of that, domain controllers are only accessible at the sites that they serve.

So whilst the identity will work fine on the user's home site using access roles linked to the local AD, when the user goes to a different site they will log into their laptop using cached credentials, and I don't think the ID agent will connect as it won't see its expected gateway. I'm not sure, but I thought there was a way to define multiple gateways for the ID agent to use, which may have been an option, but I can't find any details on this.

Has anyone else tried to do anything like this at all?

1 Reply
PhoneBoy
Admin

I would think Harmony SASE (possibly with additional configuration) would enable the Identity Agent to connect to the right gateway successfully (i.e. to authenticate to the end user's home AD).
This is configured by using a specific FQDN in the Identity Agent config and relevant DNS entries.

Not sure one Identity Agent installation will support multiple gateways managed by different domains, at least without some sort of trust prompt.
