sk134312 was updated with a new Identity Collector, Identity Agent (Windows and MacOS) and MUH Agent for the R80.40 release.
The new MUH Agent introduces a different approach for identifying users behind the same terminal server / Citrix server.
With this approach, we are resolving the current limitation on the number of users per server (will now be 256 users per server), and 3rd party application compatibility issues.
This solution is supported only with R80.40 (or later) Security Gateways.
You will have to uninstall and reinstall the new agent as they have a different implementation and driver.
The previous agent will continue to work with R80.40.
Good news!
Maybe I just overlooked it in the documentation, but can you tell me something about the new approach the MUHv2 is using?
sk134312 still links to sk66761 and this sk seems to describe the old MUHv1 behavior with reserved port ranges and manipulated tcp and udp source port numbers using a filter driver.
From page 69ff in CP_R80.40_IdentityAwareness_AdminGuide.pdf, it looks like there are no reserved tcp and udp port ranges anymore, but just "ID Range".
How does it work now?
Thanks in advance for any explanation (or link to the correct documentation).
@Royi_Priov can you explain?
Hi @Tobias_Moritz ,
Indeed our SKs are not yet updated with the new information about MUH2 (the new TS agent).
In a few words: this is an agent which will work only with R80.40 (and above) gateways. It is not using source ports for user identity, but tagging the packets with IDs in a different way.
We performed this change for a few reasons:
1. Scalability improvements on client side - it will allow having 256 users per TS machine.
2. 3rd party apps compatibility - other apps which also tunnel source port data (such as Anti-Viruses) will not collide with MUH anymore.
3. Scalability improvement on gateway side - the frequent update messages from MUH client to GW were really heavy. Since we are not sensitive to source ports anymore, the updates will be less frequent.
I hope it helps 🙂
You are welcome to tag me if any question is left unanswered.
Hi @Royi_Priov ,
thanks for the fast answer!
I guess when you say "tagging the packets with IDs in a different way" and "allow having 256 users per TS", you mean you add 8 bits to the option field of the IP packet header, inserted by a filter driver, right? This would explain the need for double reboots when upgrading from MUHv1 to MUHv2 (uninstall old driver which rewrites TCP and UDP source ports, reboot, install new driver which modifies IP header option field, reboot).
If I'm right, this approach should work for all layer 4 protocols, not only TCP and UDP like the old one.
Now the question: Am I right? 🤔
Hi @Tobias_Moritz ,
You are right in the high level details 😁
The implementation was done only for TCP and UDP in the driver.
If you need an implementation for another layer 4 protocol, you are welcome to explain the use case.
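The exchange above describes an 8-bit user ID carried in the IPv4 header options. As an added example (not Check Point's code, and not part of the original posts), this sketch builds and parses such a header; the option type `0x9E` (an RFC 3692 experimental value) and the 1-byte layout are assumptions, since the page does not document the real on-wire format.

```python
import struct

# Assumption for illustration: the page does not state which IPv4 option
# number or layout the MUH2 driver uses. 0x9E is an experimental option type.
HYPOTHETICAL_ID_OPTION = 0x9E
EOL, NOP = 0, 1  # the two single-byte IPv4 options

def build_header(src, dst, options=b""):
    """Build a minimal IPv4 header (checksum left 0), options padded to 32 bits."""
    options += bytes(-len(options) % 4)  # pad with EOL bytes
    ihl = 5 + len(options) // 4          # header length in 32-bit words
    if ihl > 15:
        raise ValueError("options exceed 40 bytes")
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4,
                        0, 0, 64, 6, 0, bytes(src), bytes(dst))
    return fixed + options

def parse_options(header):
    """Return [(type, data), ...] for the options in an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    end = (header[0] & 0x0F) * 4
    if end < 20 or end > len(header):
        raise ValueError("bad IHL")
    opts, i = [], 20
    while i < end:
        opt_type = header[i]
        if opt_type == EOL:
            break
        if opt_type == NOP:
            i += 1
            continue
        if i + 1 >= end:
            raise ValueError("truncated option")
        length = header[i + 1]           # covers type, length and data bytes
        if length < 2 or i + length > end:
            raise ValueError("bad option length")
        opts.append((opt_type, header[i + 2:i + length]))
        i += length
    return opts

def user_id_tag(header):
    """Return the 8-bit ID (0-255, hence 256 users) or None if untagged."""
    for opt_type, data in parse_options(header):
        if opt_type == HYPOTHETICAL_ID_OPTION and len(data) == 1:
            return data[0]
    return None
```

A tagged header has an IHL greater than 5, which is also the quickest way to spot such packets in a capture.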
Hi,
I'm sure I read it somewhere, that the MUHv2 agent can also work with an R80.30 gateway with a later JHF?
Can someone confirm if MUHv2 for terminal server requires to connect to R80.40 gateway only or can be supported on R80.30 JHF x?
thanks
Peter
It will be supported soon.
We are working on it.
We too had the requirement from some customers for support of the new agent with R80.30.
Is there any news or a timeline?
Wolfgang
Hi @Peter_Lyndley , @Wolfgang
It will be added as PRJ-11851 to R80.30 JHF. It is not in T195, but probably the one after.
Indeed, should be part of our upcoming R80.30 ongoing take, should be released by EOM.
Great news.
Wolfgang
8)
Hi @Wolfgang , @Peter_Lyndley , @Tobias_Moritz
MUH2 support for R80.30 was released.