This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cem82
Contributor
‎2021-12-01 02:54 AM
Jump to solution

Identity Awareness MUH agent queries

Hi

 

We are currently running IA collector and looking to install MUH agent on our terminal servers.  Something that concerns me in sk164998 is the below line.  Surely this doesn't mean that we should only have the agent installed on 50 term servers or what does this 50 relate to?  Is there a way for the MUH agent to feed into the IA collector and then send the identities that way to save opening up FW rules between all the TS to the GW?  I presume we don't need to update the gateway "allowed-client" list to include the TS as this connectivity is to the GW itself on https?

 

How many MUHv2 Agents are supported on one Security Gateway?

It is a recommended best practice to have a maximum of 50 MUHv2 agents on one Security Gateway.

0 Kudos
2 Solutions

Accepted Solutions
_Val_
Admin
Admin
‎2021-12-03 09:04 AM
Jump to solution

Each terminal server should have a MUH agent. SK is saying, a single PDP should not have more than 50 agents reporting to it.

View solution in original post

PhoneBoy
Admin
Admin
‎2021-12-03 11:00 AM
In response to _Val_
Jump to solution

And a PDP exists on a gateway, so yes, it means no more than 50 MUHv2 agents should be reporting to a single gateway.
You can, of course, have different MUHv2 agents reporting to different gateways which share identities.
You may also want to have dedicated Identity Awareness gateways in some configurations that merely exist to consume and share identities with other gateways.

View solution in original post

0 Kudos
9 Replies
_Val_
Admin
Admin
‎2021-12-03 09:04 AM
Jump to solution

Each terminal server should have a MUH agent. SK is saying, a single PDP should not have more than 50 agents reporting to it.

PhoneBoy
Admin
Admin
‎2021-12-03 11:00 AM
In response to _Val_
Jump to solution

And a PDP exists on a gateway, so yes, it means no more than 50 MUHv2 agents should be reporting to a single gateway.
You can, of course, have different MUHv2 agents reporting to different gateways which share identities.
You may also want to have dedicated Identity Awareness gateways in some configurations that merely exist to consume and share identities with other gateways.

0 Kudos
cem82
Contributor
‎2021-12-03 03:06 PM
In response to PhoneBoy
Jump to solution

Thanks for clarifying, I am surprised but does the number of expected users come into play on the recommendation of 50 agents?  EG if some TS are likely to only have a few users logged in at a time or is user count irrelevant and just the total number of TS should be less than 50?

0 Kudos
_Val_
Admin
Admin
‎2021-12-04 03:40 AM
In response to cem82
Jump to solution

Each agent can work with 256 users at the same terminal server, but you are correct, the amount of users connected is not in play here. One PDP - up to 50 MUHv2

 

0 Kudos
cem82
Contributor
‎2021-12-04 04:45 AM
In response to _Val_
Jump to solution

Awesome thanks for clarifying 🙂

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2022-03-15 01:50 PM
In response to _Val_
Jump to solution

@_Val_ @and @PhoneBoy  any changes about these limitation ?

How many MUHv2 Agents are supported on one Security Gateway?

It is a recommended best practice to have a maximum of 50 MUHv2 agents on one Security Gateway.

 

We have a use case for 10.000 users connecting from a larger Citrix environment. Each Citrix host will be used by around 50 users, 200 Citrix hosts with MUHv2 agents needed.

50 MUHv2 agents for one PDP needs 4 separate gateways and some more for redundancy.  They’re doing nothing then running PDP and sharing identities. 
Are there any changes upcoming to support more MUHv2 per PDP ?

0 Kudos
PhoneBoy
Admin
Admin
‎2022-03-15 03:07 PM
In response to Wolfgang
Jump to solution

In R81.20, there are some underlying infrastructure changes that should allow for better redundancy/resiliency/scalability.
What the final number are, not sure yet.

0 Kudos
Rafal_N
Contributor
‎2022-10-09 02:11 AM
In response to Wolfgang
Jump to solution

Can MUH information can be shared across gateways via IA sharing?? Or is it just to connected gateway??

MUH -> GW1 PDP (Internal GW) <-IA sharing-> GW2 PDP (Internet GW)

Does GW2 in that topology would understand packet tagging from MUH and we can build Access Role policy there??

How can we identify packet tag on pcap (wireshark)? Is it in readable format?

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-10 11:47 AM
In response to Rafal_N
Jump to solution

Any identity source can be shared with any other gateway--that includes MUH.
And yes, you can build the appropriate access policy (with Access Roles) on other gateways as a result.
The packet tagging we do is described here: https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&so... 
The tags aren't readable.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events