New IA Implementation
Hello,
One query, please.
Due to a customer need, we are required to implement the IA blade.
The customer has a quite large network (more than 2000 users).
I understand that there are 2 ways to integrate with the Windows Server AD: AD Query or Identity Collector (please correct me if I am wrong).
I understand that the viable method for us would be to install some application on the same AD Windows Server.
I understand that this application is called IDENTITY COLLECTOR, right?
If my comment is true, is downloading and installing this application free, or is a purchase from Check Point required?
Are end users going to be forced to install some application on their computers?
Greetings.
Identity Collector can be installed on a Windows machine in the same domain; it doesn't have to be the DC. No cost is involved specific to the collector.
Identity agents for the client PCs are not mandatory, but they will operate more effectively in some scenarios.
Hi Matlu,
Identity Collector is absolutely the way to go; AD Query is being deprecated, and in fact you have to jump through hoops to get it working nowadays.
You don't need to install it on a DC, a member server is fine. An active support contract will entitle you to the download, there is no separate charge.
There is a client that you can install on a client PC, but it should not be necessary from what I can see (in fact, it's not necessary for the vast majority of use cases in my experience).
Thanks,
Ruan
Hello,
Can you share with me the SK or web page from which I could download the Identity Collector, please?
In addition, I understand that this application does not need to be installed on the same Windows Server we have, but on any station with certain privileges, right?
When activating the IA blade in the Cluster object from my SmartConsole, in order to work with the Identity Collector, I must select the option that I show in the image, correct?
Cheers
Hey bro,
Once the IA blade is enabled, don't even bother going through the wizard; just cancel it, make sure the blade shows as on, and you can download the collector from the option below. Just make sure it's checked.
Andy
Hi, Bro.
The customer has serious doubts about implementing the agent.
Is it still feasible to use the AD Query mode for approx. 4k users?
Greetings.
Hey bro,
You can do that, but please show them the below. We had a few customers with the same concern, and now they are so happy they went with the collector; they are actually a bit upset they had not done it sooner.
Andy
These are the benefits of using Identity Collector instead of a standard AD Query:
- Reduced load on the Security Gateway - Identity Collector does the queries instead of the Security Gateway
- Reduced load on the Domain Controller (DC) - the native Windows API consumes fewer resources
- Lower permissions required - Identity Collector requires read-only access to the domain security logs
- No changes are required in the Active Directory (AD) schema.
- One Identity Collector can serve multiple Security Gateways, even from different Domain Management Servers on a Multi-Domain Server.
- Identity Collector can communicate with a maximum of 35 Active Directory (AD) servers.
- Identity Collector can process a maximum of 1900 Active Directory (AD) events per second.
Andy,
I will try to persuade the client, even if he is a bit "inane", and well, I have not implemented the agent before, so I am "reading the documentation".
Could you tell me which agent option should be downloaded in our case, for Windows Server 2019 or later, please?
What leaves me in doubt in the documentation is whether it is enough to install only the agent on the server, or whether I will have to install other agents separately on each user's machine...
The SK I referred to earlier explains what each agent is for.
Just install the collector (the first one in the list), though the one I gave you from the last screenshot works even on Windows 11 (tried it myself in the lab). Then, once installed, I attached some screenshots of what you need to do.
Andy
Btw, @PhoneBoy explained it PERFECTLY. And trust me, he's been around CP almost since the beginning, so if you should listen to anyone, it's him... just saying : - )
Andy
I would not do ANY new deployments with AD Query at this point.
First of all, AD Query causes additional load on the AD server.
With 4k users, this might be noticeable.
Second, due to various security vulnerabilities in WMI, Microsoft has and continues to make changes, some of which have broken AD Query.
Currently, using fully patched AD servers, AD Query can only be implemented using an account with Domain Admin credentials.
Meanwhile, Identity Collector:
- Is significantly more scalable
- Only requires an account that can read Security Logs from Active Directory
- Is the recommended solution
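The read-only Security log account that both the benefits list above and this post mention is the piece most deployments get wrong, usually by handing the collector a Domain Admin. The script below is an added example, not from this thread and not Check Point's own tooling: it provisions a dedicated service account, grants it Security log read access through the built-in Event Log Readers group, and then checks from the collector host that the account can actually pull logon events from a domain controller. The account name, OU path and DC name are placeholders, and using Event Log Readers as the read-only mechanism is an assumption to confirm against the Identity Collector admin guide for your version.

```powershell
# Added example (not from the thread or from Check Point). Run from a
# domain-joined admin workstation with the ActiveDirectory RSAT module.
#Requires -Modules ActiveDirectory
param(
    # Placeholders: adjust to your environment.
    [string]$AccountName      = 'svc-idcollector',
    [string]$OuPath           = 'OU=Service Accounts,DC=corp,DC=example',
    [string]$DomainController = 'DC01'
)

# 1. Generate a long random password (32 bytes from the OS CSPRNG, base64).
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# 2. Create the service account. It never needs an interactive session,
#    so keep it to the minimum: no password change, clear description.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountName'" -ErrorAction SilentlyContinue)) {
    New-ADUser -Name $AccountName `
               -SamAccountName $AccountName `
               -Path $OuPath `
               -AccountPassword $secure `
               -Enabled $true `
               -PasswordNeverExpires $true `
               -CannotChangePassword $true `
               -Description 'Check Point Identity Collector - read-only Security log access'
}

# 3. Grant read access to the Security event log on the DCs. The built-in
#    domain-local group "Event Log Readers" is the assumed mechanism here;
#    it is not Domain Admins and carries no write rights in AD.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $AccountName

# 4. Verify from the collector host: read recent logon events from the DC
#    as the service account over the Event Log RPC interface. This needs the
#    "Remote Event Log Management" firewall rule enabled on the DC.
#    4624 = successful logon, 4768 = Kerberos TGT request.
$cred = Get-Credential -UserName "$env:USERDOMAIN\$AccountName" `
                       -Message 'Service account password (from step 1)'

$events = Get-WinEvent -ComputerName $DomainController `
                       -Credential $cred `
                       -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768 } `
                       -MaxEvents 5

# The user field sits at a different index per event ID (4624: index 5,
# 4768: index 0), so pick it per event rather than hard-coding one position.
$events | ForEach-Object {
    $user = if ($_.Id -eq 4624) { $_.Properties[5].Value } else { $_.Properties[0].Value }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        EventId     = $_.Id
        Account     = $user
        DC          = $_.MachineName
    }
} | Format-Table -AutoSize

# If step 4 returns events, the account has exactly what the collector needs:
# it can read the Security log and nothing more. An "Access is denied" here
# means group membership has not replicated or the firewall rule is missing,
# not that the account needs to be promoted.
```

Store the generated password in a vault and enter it once into the Identity Collector's domain controller settings; the step 4 check is worth repeating after any DC hardening change, since that is the same access path the collector uses.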
Thank you for the clarification.
I think the best option is to make a lab for this.
I will try to replicate the scenario I need for our client.
Lab is always best bro 🙂
All the various Identity Awareness clients (including Collector) are linked here: https://support.checkpoint.com/results/sk/sk134312
