Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Henrik_Oersnes_
Explorer

Identity collector and MUH agent - Ignores more than 7 Logins

Hi all Checkmates,

This is my first post, so first of all thanks for all the great post and knowledge sharing.

This weekend I change my FW setup from identity sharing to identity collector, for a simpler identity sharing between my firewalls
On the firewall clusters I also disabled "Active directory query" as this would be done on the ID Collector.


Now FWCLUS01/DMZ ignores more than 7 logins
"x.x.x.x with machine: Termial-Server100@domain.xzy, was marked as a multi user host IP. user login events for that IP will be ignored from now on"

It is ingnored when it hit's the native Multi-user host Detection Threshold = 7 . I have tried to change this threshold by using the cli configuration tool "adlogconfig a" and change the "Multi-user host Detection Threshold" to "10" and install policy.
This does not change the behavior.

Do any of you know if this setting is an option when running with Identity collector ?

The Firewall (FWCLUS02/WAN) collecting user from terminal server via MUH Agent is accepting the the increasement of "Multi-user host Detection Threshold" but I guess this is because the MUH Agent config is this FWCLUS02/WAN and it looks at the parameter. 

My firewall setup:
The user on the terminal server environment is auth with MUH agent against FWCLUS02/WAN=Blue line
Identity sharing is used on both FWCLUS01/DMZ and FWCLUS02/WAN shown as the = Green line
VDA User A is connecting to the DMZapplicaiton = red
All FW/SMS is running R80.40 Take 118

CHK Identity collector.jpg

When the VDA user A connects to DMZapplication and FWCLUS01/DMZ looks up the amount of user on the terminal server from identity collector and if it is above 7 it will add into this state "x.x.x.x with machine: Termial-Server100@domain.xzy, was marked as a multi user host IP. user login events for that IP will be ignored from now on"

It looks like when Identity collector is used it looks like i'm missing the parameter to increase "Multi-user host Detection Threshold" to more than 7.  

Hope someone in the checkmates community have been through the same and have a solution for it. 

 

 

 

/Henrik 

0 Kudos
5 Replies
the_rock
Mentor
Mentor

Just a shot in the dark, but did you try pdp update all command?

0 Kudos
Henrik_Oersnes_
Explorer

Hi,

I just tried it this morning nothing changed.
When I did a test after your command I was able to see the connection to the "DMZapplication" showed up in the logs for FWCLUS01DMZ as a compleat different user.
This user was who ever loged into the Terminal server latest!

I might have a misconfiguration/design somware.
Atm. it looks like the Identity collector does not work well with in a MUH setup.

 

 

0 Kudos
Wolfgang
Leader
Leader

@Henrik_Oersnes_ 

another shot in the dark....Did you tried the new MUH v2 agent on your terminalserver

Terminal Server Agent v2 (MUH2) - FAQ 

0 Kudos
Benedikt_Weissl
Advisor

Are the terminal server IPs excluded in the identity collector config? Try to authenticate every user only via one mechanism, either via identity collector or MUHv2 agent.

0 Kudos
Henrik_Oersnes_
Explorer

Hi,
This is a design flaw from my side. I have misunderstood what the use case is for Identity collector.

I expected that the Firewall cluster/GW participated in the identity collector setup, also would send back info about users connected to them as MUH can't connect to the identity collector.

In my case I will need setup "Identity sharing" between the two cluster.
And as you write Benedik_Weissl exclude the server running with the MUH.
Hope to change my configuration this Friday and let you know if it works.

Hope Checkpoint would move MUH feature to Identity collector in a furture relase.

 

Thanks for your inputs.

 

 

0 Kudos