Hello,
I'm currently setting up identity awareness with the agent on our clients. I've got everything working with Kerberos SSO, and the logs are filled with AD user names. So far so good! Now I wanted to package this into a .msi file that we can distribute with SCCM.
The issue I'm having is that the properties under Global Properties > Advanced > Identity Awareness > Agent are not applying. Maybe I've got this part wrong. But should these settings not be applied to the customagent.msi under $NACPORTAL_HOME/htdocs/nac/nacclients/customAgent.msi? I've a few clients installed in my pilot; should these settings be applied to these clients automatically or do I need to redistribute the updated client?
Thanks in advance
So after a few days of research, this is what I've gathered.
With the following knowledge I decided to make use of the client registry to make it work like I wanted to. This is documented in the R75.20 admin guide, if I remember correctly. It's not mentioned in the newer versions.
So what I ended up doing was to download the latest full client .msi file from supportcenter, and use the IAConfigTool to set it up the way I wanted it. To make the necessary changes to the client I deployed the following registry keys:
```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\IA]
"DisableSettings"=dword:00000001
"DisableQuit"=dword:00000001
"HideGui"=dword:00000001
"GlobalConfigEnabled"=dword:00000000
"PdpDiscoveryEnabled"=dword:00000001
"DefaultGatewayEnabled"=dword:00000001
```
Registry path might be different depending on 32/64 bit and if you install for all users or only current user.
The first three are pretty self-explanatory; the other three disable the client from getting the global policy pushed from the gateway, enable the client to use automatic discovery when trying to find the gateway (this must be configured in the Distributed Configuration tool installed with the local client, otherwise use the string value "DefaultGateway"="<gateway>"), and the last one I'm not sure about, but without it, it asks how to connect on each log on of the client. So I guess that is needed.
With my pre-configured .msi file and a .reg file I was able to deploy this with SCCM. It will restart the NICs on install, and you need to log out and back in if installed as SYSTEM, otherwise the logged on user won't be detected by the client.
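The registry deployment described in the post, written out as an added PowerShell example (not the poster's own script or anything shipped with the Identity Agent). It assumes a per-machine install of the 32-bit agent, so the key path quoted in the post is used on 64-bit Windows and the same path without WOW6432Node on 32-bit Windows; the `-GatewayFqdn` parameter is a hypothetical name for the optional "DefaultGateway" string value.

```powershell
# Added example, not from the original post: applies the Identity Agent
# registry values the thread describes, then verifies them so SCCM can
# report a failed deployment instead of silently leaving the GUI unlocked.
# Assumption: per-machine install of the 32-bit agent (HKLM, not HKCU).
param(
    [string]$GatewayFqdn  # hypothetical parameter: explicit IA gateway, optional
)

# 64-bit Windows keeps 32-bit software keys under WOW6432Node, as the post notes.
# The non-WOW6432Node path for 32-bit Windows is an assumption.
$base = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\WOW6432Node\CheckPoint\IA'
} else {
    'HKLM:\SOFTWARE\CheckPoint\IA'
}

# DWORD values from the post: lock the GUI (settings/quit/hide) and stop the
# gateway's global config from overriding the locally deployed settings.
$dwords = @{
    DisableSettings       = 1
    DisableQuit           = 1
    HideGui               = 1
    GlobalConfigEnabled   = 0
    PdpDiscoveryEnabled   = 1
    DefaultGatewayEnabled = 1
}

if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }

foreach ($name in $dwords.Keys) {
    New-ItemProperty -Path $base -Name $name -PropertyType DWord `
        -Value $dwords[$name] -Force | Out-Null
}

# Optional explicit gateway instead of AD-based discovery (the string value
# the post mentions as the alternative to the Distributed Configuration tool).
if ($GatewayFqdn) {
    New-ItemProperty -Path $base -Name 'DefaultGateway' -PropertyType String `
        -Value $GatewayFqdn -Force | Out-Null
}

# Verify: re-read the key and flag any value that is missing or differs.
$actual = Get-ItemProperty -Path $base
$bad = $dwords.Keys | Where-Object { $actual.$_ -ne $dwords[$_] }
if ($bad) {
    Write-Error "Identity Agent settings not applied: $($bad -join ', ')"
    exit 1
}
Write-Output "Identity Agent settings applied under $base"
```

Run it as the SCCM deployment's post-install step (it needs local administrator rights to write under HKLM); a non-zero exit code makes the deployment show as failed on that client.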
Everything you should need then is to run the Distributed Configuration tool. It should be located on a machine with the IA Agent installed, check under Start menu > All Programs > Check Point > Identity Agent.
Run it as domain admin or change the user inside the application to the domain admin account.
It's explained in the admin guide from page 160 and forward.
I'm trying to get the following settings to work:
nac_agent_hide_client
nac_agent_disable_quit
nac_agent_disable_settings
So I've ticked the checkbox next to them and pushed policy.
Is there a step I'm missing?
Please post your findings here when you'll get them resolved. I am battling with various IA issues in my lab as well.
I've yet to contact the TAC, as I've had some more pressing issues. I have, though, done some more testing on my own. When installing the light client, settings are applied almost instantly. So the issue seems to be with the full client. Hopefully I'll be able to raise a TAC case this week.
Applying these registry settings helped me in my environment, but I am also missing the TrustedGateways tree. I am okay with defining it myself but cannot find an example of what this would be though. Hopefully that is a legit strategy to begin with, but can you provide what you have there? You can cut out any environment specific info.
Good to hear you had help from my post!
Regarding the trusted gateways. We're using a Microsoft Active Directory (AD) in our deployment. There is a tool that comes with the installation of the identity agent, at least on Windows. It's called Distributed Configuration. What it does is that it pushes all settings you configure there to the AD, one of them being the trusted gateway. You need to have some form of domain admin rights to do this. I didn't test it out much, as I had access to the correct account needed. When this was done the agent found all the settings it needed when logged in to the Agent.
There are, though, a couple of ways to configure this. It's described in the R80.?? Identity Awareness Admin Guide (it's in R80.30, I just checked, and should behave the same on all R80) under Discovery and Trust Options.
I hope that sheds some light on it! If you have more questions, I'll answer them as soon as able!
If you are on Windows, and want a truly seamless experience, I would suggest including SSO with Kerberos.