This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alex_Sykes
Participant
‎2020-11-28 02:06 AM

Identity Awareness and Dell Wyse Terminals

Hi everyone,

I have a situation where we have a number of Dell Wyse Terminals that are not being recognized by an Access Role I have created.  The Access Role is configured for 'Networks' and 'Machines', but the rule it is applied to is not being hit when in the policy.

The Network section is populated by a User LAN and the Machine section is pointing to an AD OU specifically created for Dell Wyse Terminals.

These terminals just have their standard OS and are configured to boot to a web page that has the look and feel of a standard Windows desktop.  This is a virtual desktop and then the users logs on to that.

The users do not authenticate when logging onto the Wyse client - only when they hit the VDI page.

The Wyse terminals are on various user networks (shared with other user machines) and are able to reach the DHCP and DNS servers, however, the user network and VDI network mentioned above are different.

Do you know why when the Wyse terminal traverses the FW policy it is not recognized by the IA role?  It is permitted if I allow the network the terminal is sitting on, just not being seen by IA.

What do machines, of any sort, need on them/be part of, to be recognized by IA?  It seems an OU in AD is not enough.

I should add, we have plenty of Access Roles working as expected, configured using Network, Users and Machines.

Also, do you have any suggestions of a way around this?

Many thanks

Alex

Labels
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2020-11-28 09:03 AM

Generally in Identity Awareness, we're tracking login actions from IP addresses via the identity source (usually AD).
I assume it's because we see the logins from the VDI IP, not from the IP of the terminal itself.
You said the terminal has a web browser, no?
You could trigger a Captive Portal login and get a direct user/IP association that way.

0 Kudos
Alex_Sykes
Participant
‎2020-11-30 07:42 AM
In response to PhoneBoy

Hi PhoneBoy,

Thanks for your response.

Unfortunately, even though it is a web browser the terminal boots into there are also other resources it needs to connect to.  And there are other devices that connect quite happily to the web page for the VDI session so if I did try captive portal other users would be impacted too.  It's not a deal breaker, but something I would prefer to avoid.

I was hoping that the Access Role would pick up the identity of the machine from the OU and then I would be able to apply policy specifically for these terminals.

Thanks again for your input.

Kind regards

Alex

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-11-30 02:18 PM
In response to Alex_Sykes

This does seem like an interesting use case.
@Royi_Priov any suggestions here?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events