This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Terri_Hawkins
Collaborator
‎2022-06-21 11:10 AM
Jump to solution

MUH and Identity Collector

Hi All,

I am running R81 gateways and have 2 Identity Collector Servers (version 81.035.0000).  We have a bunch of remote locations which connect to us via vpn. These are behind an assortment of 1430 and 1530 devices.  At these locations there are some kiosk type pc's for employees to log into, they are shared.  These pc's can get a lot of different users on them as the employees sometimes change from fire station to firestation or from park to park.  When we were using adquery I was able to set the MUH threshold to 25 which works well for us.  In Identity Collector I can not find a place to do that (I actually can't find any customizing options like I could using adlogconfig for adquery).  Does anyone know where I can find this threshold and change it from 7 to something else? These are not terminal servers, employees actually sign on, use it, then sign off one at a time thru the day. 

Any help is GREATLY appreciated. 

0 Kudos
1 Solution

Accepted Solutions
Peter_Elmer
Employee
Employee
‎2022-06-22 08:06 AM
In response to Terri_Hawkins
Jump to solution

Hello @Terri_Hawkins ,

I suggest you contact a Sales Engineer local to you. It is complicated (kind of impossible) supporting complex projects by writing.

If your use case is having 10 different users working on the same computer you need MUHv2 agent on it. This is the solution foreseen for this use case. 

There are other potential solutions:

  • have you thought about creating a logic using the ID Awareness API?
  • are you planning integrating to a NAC solution such as Cisco ISE or any other solutions supporting RADIUS ACCOUNTING?
  • would asking the users logging on the Captive Portal (Browser based authentication) be a potential solution?

As I said, you may want to brainstorm with a colleague local to you about this.

best regards

peter 

View solution in original post

5 Replies
Wolfgang
Authority
Authority
‎2022-06-21 01:46 PM
Jump to solution

@Terri_Hawkins „pdp conciliation idc_multiple_users enable“ will be you‘re needed command.

see @Peter_Elmer nice video Identity Awareness - Multiple users working on one machine 

Peter_Elmer
Employee
Employee
‎2022-06-21 11:08 PM
Jump to solution

Hello @Terri_Hawkins ,

you find guidelines about ID Collector scalable deployment in sk179544. Take your time walking through the material.

best regards

peter 

0 Kudos
Terri_Hawkins
Collaborator
‎2022-06-22 06:51 AM
In response to Peter_Elmer
Jump to solution

Thank you so much for the link. I watched the video and it is very helpful. However, I am unsure if this will fix the issue.  If I have 10 people signing in will changing the pdp concil idc to "enable" allow me to bypass the threshold of 7 for MUH?  I read the default threshold is 7, and what we are seeing in our environment is when the 8th person signs in their PC is marked as muh. The traffic in the logs show the ip of the pc but no user attached to it. Since all of our rules are based on user there is no internet for them.  Your thoughts are appreciated.

0 Kudos
Peter_Elmer
Employee
Employee
‎2022-06-22 08:06 AM
In response to Terri_Hawkins
Jump to solution

Hello @Terri_Hawkins ,

I suggest you contact a Sales Engineer local to you. It is complicated (kind of impossible) supporting complex projects by writing.

If your use case is having 10 different users working on the same computer you need MUHv2 agent on it. This is the solution foreseen for this use case. 

There are other potential solutions:

  • have you thought about creating a logic using the ID Awareness API?
  • are you planning integrating to a NAC solution such as Cisco ISE or any other solutions supporting RADIUS ACCOUNTING?
  • would asking the users logging on the Captive Portal (Browser based authentication) be a potential solution?

As I said, you may want to brainstorm with a colleague local to you about this.

best regards

peter 

Terri_Hawkins
Collaborator
‎2022-06-22 10:40 AM
In response to Peter_Elmer
Jump to solution

Thanks so much!  We are going to do the Captive Portal and put agents on the kiosk pc's, but in the meantime we took your advise and contacted our Sales Engineer and he gave us the article we were looking for.  There were two of us searching like crazy and could not find it but there it is.  We will be implementing this shortly and hopefully it will work well enough to get us thru the short run until we can do the agents/portal.

thanks again! Terri

Solution Title: How to increase the threshold for multiuser host (MUH) for Identity Collector associations?

Solution ID: sk136652

Solution Link:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...   

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top