Hi
I have a question regarding Identity Awareness; I'm not sure how to do that.
Basically, I have a nice setup running. I have a cluster which is my PDP gateway. All other firewalls (14 single gateways and 8 clusters) get all IA information from this gateway. The PDP is fed via 4 IDCs, a lot of MUH agents and a couple of client agents.
I have an internal PKI, which I used to create a certificate for the portal, so when a user accesses https://mypdpgateway.local/connect/PortalMain, they are not greeted by an error 🙂
Now, the certificate on my PDP will expire on 2023-12-20. And in order for everything to still work, I have to exchange it for a new one. Sadly all the IA agents use certificate pinning, instead of simply trusting my internal PKI (like Windows).
So my question is, how can I exchange the certificate without breaking my environment?
Reconfiguring the IDCs to the new certificate is easy. Just four machines where I can import it the moment the policy install is done. But the agents?
For the client agents I use the AD distributed config to control them, but I can only store one fingerprint per gateway, if I'm not mistaken.
For MUH agents, it's even worse. Most of them are on Citrix terminal servers, which are recreated from an image every night. So I have to update the fingerprint with my colleague, and then only on the next day it'll work again, not in between.
I see two ways that I can go now.
Either configure another cluster as PDP and have everything report there. All other gateways will have to query from both PDPs during the transition time.
Or I try switching to http instead of https. In the "Distributed Configuration" tool I can enter a port, so entering 80 may work, I've never tried. But disabling TLS is not my favorite way 😞
Does anyone know of a better way, which is not as complex and time-consuming? IMHO it would be best if all clients simply trusted the certificate chains that the OS trusts, instead of cert pinning. But Check Point apparently doesn't like that.
Here are a few statistics about my environment:
# pdp con ts | wc -l
77
# pdp mon sum a | wc -l
9255
# pdp mon all | grep "Client Type: Identity Agent" | wc -l
120
# pdp mon all | grep "Client Type: Terminal Server Identity Agent" | wc -l
628
The PDP is running on R81.10 JHF Take 110, the Manager on R81.20 JHF Take 26.
Thanks for any help.
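An added example, not part of the original post and not Check Point's own tooling: a small Python check for the certificate swap described above. It pulls the certificate the PDP portal currently presents, prints the fingerprint that the agents' pinned value has to match, and reports how many days remain before notAfter, so the value distributed to the client agents and baked into the MUH agent image can be verified before and after the swap. The host name comes from the question; port 443, the CA file path and the digest algorithm the agents pin (both SHA-1 and SHA-256 are shown) are assumptions.

```python
import hashlib
import socket
import ssl
import time
from typing import Optional

PDP_HOST = "mypdpgateway.local"  # host from the question; port below is assumed
PDP_PORT = 443

def fingerprint(der_bytes: bytes, algo: str = "sha1") -> str:
    """Colon-separated uppercase hex digest of a DER-encoded certificate."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pin_matches(pinned: str, der_bytes: bytes) -> bool:
    """Compare a stored fingerprint (any case, colons optional) against the
    certificate actually presented; the digest length selects SHA-1 or SHA-256."""
    wanted = pinned.replace(":", "").upper()
    algo = {40: "sha1", 64: "sha256"}.get(len(wanted))
    if algo is None:
        raise ValueError("pinned value must be a SHA-1 or SHA-256 hex digest")
    return fingerprint(der_bytes, algo).replace(":", "") == wanted

def cert_time_to_epoch(cert_time: str) -> int:
    """Parse the getpeercert() date format, e.g. 'Dec 20 12:00:00 2023 GMT'."""
    return ssl.cert_time_to_seconds(cert_time)

def days_until_expiry(not_after: str, now_epoch: Optional[int] = None) -> int:
    """Whole days left before notAfter; negative once the certificate has expired."""
    now_epoch = int(time.time()) if now_epoch is None else now_epoch
    return (cert_time_to_epoch(not_after) - now_epoch) // 86400

def fetch_portal_cert(host=PDP_HOST, port=PDP_PORT, cafile=None):
    """TLS-connect to the portal and return (parsed cert dict, DER bytes).
    Pass the internal PKI root as cafile so verification succeeds and the
    parsed dict (which carries notAfter) is populated."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    # Run against the live PDP before and after the swap: the printed fingerprint
    # is the value the pinned config has to carry (which digest is an assumption).
    info, der = fetch_portal_cert(cafile="internal-root-ca.pem")  # assumed path
    print("SHA-1  :", fingerprint(der))
    print("SHA-256:", fingerprint(der, "sha256"))
    print("days left:", days_until_expiry(info["notAfter"]))
```

Running it against each gateway that fronts the portal during the transition shows which of the two certificates a given member is still presenting.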