Proper settings for Identity Awareness on vSEC?
I have been reading the R80.10 vSEC limitations (sk110519), and have encountered this:
To enforce security policy with imported Data Center objects, the following conditions must be met on every vSEC Gateway, on which such policy is installed:
- vSEC Controller Enforcer Hotfix must be installed
- Identity Awareness blade must be activated with Terminal Servers authentication
The R80.10 vSEC Controller Administration Guide describes the procedure for enabling this functionality.
But I do not recall seeing this requirement in actual vSEC deployment guides.
Can someone shed some light on what's what with the IA with Terminal Services for vSEC?
It may be that the "Terminal Server" option is required to ensure that Identity Awareness pulls the information sent via the Identity Awareness API, which the vSEC Controller uses.
However, that is merely a guess.
So the TS setting is not required in R80.X for proper enforcement of policies containing data center objects?
If this is, indeed, the case, you may want to address it in sk110519.
I want to share my experience.
I have a vSEC R80.10 gateway with the 'Identity Awareness' blade enabled with the 'Terminal Services' option.
I have configured the 'DataCenter' object to have my Azure subscription in the management server. I can see the management server getting all the updates fine whenever there is a change to my Azure datacenter objects.
Whenever I add 'Tags' to my Azure VMs, the management server is able to recognize the Tags in security policies and updates them.
The 'TAGS' don't work when the 'Identity Awareness' blade is enabled. It works when I disable the 'Identity Awareness' blade; however, the vSEC gateways couldn't get any updated Tags. Other VMs without TAGS are also being allowed by security policies.
I checked with my SE; he says he could get his TAGS to work fine in his lab. I have a support ticket open, and they have sent it to the DEV team for further research. I will update this thread once I have a resolution.
Does anyone face similar issues with TAGS in their setup?