https://<Gateway_IP_Address>/connect
$NACPORTAL_HOME/htdocs/nac/nacclients/customAgent.msi
https://<Gateway_IP_Address>/_IA_IDC/download/CPIdentityCollector.msi
https://<Gateway_IP_Address>/_IA_MU_Agent/download/muhAgent.exe
Important - NAT between two Security Gateways with Identity Awareness that share information with each other is not supported.
Item | Description
---|---
A | User
B | Active Directory Domain Controller
C | Security Gateway that Endpoint Identity Agents connect to
D | Data Center servers
1 | a) A logs in to B. b) B sends an initial ticket (TGT) to A.
2 | a) The Endpoint Identity Agent connects to C. b) C asks A for user authentication.
3 | a) The Endpoint Identity Agent requests a service ticket (SR) for C and presents the TGT to B. b) B sends the SR (encrypting the user name with the shared secret between B and C).
4 | The Endpoint Identity Agent sends the service ticket to C.
5 | C decrypts the ticket with the shared secret and identifies A.
6 | A gets access to D based on identity.
```
C:> ktpass -princ ckp_pdp/domain_name@DOMAIN_NAME -mapuser username@domain_name -pass password -out unix.keytab -crypto RC4-HMAC-NT
```
Important - Make sure to enter the command exactly as shown. Mapping the username to the Kerberos principal name with ktpass is case-sensitive.
Parameter | Value
---|---
domain_name@DOMAIN_NAME | 
username@domain_name | 
password | qwe123@#
Important - If you have used the ktpass utility before for the same principal name (ckp_pdp/domain_name@DOMAIN_NAME) but with a different account, you must either delete that account beforehand or remove its association to the principal name with setspn -D ckp_pdp/domain_name old_account_name (for example: setspn -D ckp_pdp/corp.acme.com ckpsso). Failure to do this will cause the authentication to fail.
ktpass also accepts a slash '/' instead of a hyphen '-' before each parameter:
```
ktpass /princ ckp_pdp/domain_name@DOMAIN_NAME /mapuser username@domain_name /pass qweQWE!@# /out unix.keytab /crypto RC4-HMAC-NT
```
In this example the AD account mapped to the principal is ckpsso.
Method | Requires AD | Manual User Trust Required? | Multi-Site | Client Remains Signed? | Allows Ongoing Changes | Level | Recommended for...
---|---|---|---|---|---|---|---
File name based | No | Yes | No | Yes | No | Very Simple | Single Security Gateway deployments
AD based | Yes | No | Yes | Yes | Yes | Simple | Deployments with AD that you can modify
DNS based | No | Yes | Partially (per DNS server) | Yes | Yes | Simple | Deployments without AD or with an AD you cannot modify, but the DNS can be changed
Remote registry | No | No | Yes | Yes | Yes | Moderate | Where remote registry is used for other purposes
Pre-packaging | No | No | Yes | No | No | Advanced | When both DNS and AD cannot be changed, and there is more than one Security Gateway
Note - The entire configuration is written in a hive named 'Check Point' under the 'Program Data' branch in the AD database, which is added on the first run of the tool. Adding this hive has no effect on other AD based applications or features.
SRV record: service checkpoint_nac_server, protocol _tcp, port 443.
Note - Security Gateway with Identity Awareness Load Sharing can be achieved by creating several SRV records with the same priority, and High Availability can be achieved by creating several SRV records with different priorities.
Note - If you configure both AD based and DNS based configuration, the results are combined according to the specified priority (from the lowest to the highest).
```
C:> nslookup
> set type=srv
> checkpoint_nac_server._tcp
Server: dns.company.com
Address: 192.168.0.17
checkpoint_nac_server._tcp.ad.company.com SRV service location:
          priority       = 0
          weight         = 0
          port           = 443
          svr hostname   = idserver.company.com
idserver.company.com internet address = 192.168.1.212
>
```
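The two notes above describe how the agent should treat several SRV records: records that share a priority form a Load Sharing pool, and a record with a higher priority value is only used when every lower-priority gateway is unavailable. The following added example (not code from the Check Point agent or this guide) parses the nslookup output format shown above and produces the contact order those rules imply. The hosts idserver2.company.com and idserver-dr.company.com, and the weights, are constructed for the sample; the weighted ordering inside a priority group is this example's own choice and is not a claim about how the agent itself selects a host.

```python
import random
import re
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample in the format nslookup prints for checkpoint_nac_server._tcp.
# Only idserver.company.com appears in the guide; the other two hosts are made up.
SAMPLE_NSLOOKUP = """\
checkpoint_nac_server._tcp.ad.company.com SRV service location:
          priority       = 0
          weight         = 50
          port           = 443
          svr hostname   = idserver.company.com
checkpoint_nac_server._tcp.ad.company.com SRV service location:
          priority       = 0
          weight         = 50
          port           = 443
          svr hostname   = idserver2.company.com
checkpoint_nac_server._tcp.ad.company.com SRV service location:
          priority       = 10
          weight         = 0
          port           = 443
          svr hostname   = idserver-dr.company.com
"""

FIELD_RE = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$")


def _to_record(fields):
    """Build an SrvRecord from the four parsed fields; a missing field raises KeyError."""
    return SrvRecord(
        priority=int(fields["priority"]),
        weight=int(fields["weight"]),
        port=int(fields["port"]),
        target=fields["svr hostname"].rstrip("."),
    )


def parse_nslookup_srv(text):
    """Parse 'set type=srv' nslookup output into a list of SrvRecord."""
    records, current = [], {}
    for line in text.splitlines():
        if "SRV service location" in line:      # header line starts a new record
            if current:
                records.append(_to_record(current))
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        records.append(_to_record(current))
    return records


def _weighted_shuffle(group, rng):
    """Order one priority group so higher-weight hosts tend to come first."""
    pool, ordered = list(group), []
    while pool:
        total = sum(r.weight for r in pool)
        if total == 0:                          # all weights 0: plain random order
            rng.shuffle(pool)
            ordered.extend(pool)
            break
        pick, acc = rng.uniform(0, total), 0
        for rec in pool:
            acc += rec.weight
            if pick <= acc:                     # always true for the last record
                ordered.append(rec)
                pool.remove(rec)
                break
    return ordered


def failover_order(records, seed=None):
    """Contact order: lowest priority value first (High Availability); hosts that
    share a priority are spread by weight (Load Sharing)."""
    rng = random.Random(seed)
    by_priority = sorted(records, key=lambda r: r.priority)
    ordered = []
    for _, group in groupby(by_priority, key=lambda r: r.priority):
        ordered.extend(_weighted_shuffle(group, rng))
    return ordered


if __name__ == "__main__":
    for rec in failover_order(parse_nslookup_srv(SAMPLE_NSLOOKUP)):
        print(f"priority {rec.priority:>3}  weight {rec.weight:>3}  "
              f"https://{rec.target}:{rec.port}/connect")
```

Running the block prints the two priority-0 gateways first (in an order that varies with the weights) and the priority-10 host last, which is the behaviour to expect from an agent when checking an SRV-based deployment.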
Important - The Endpoint Identity Agents come digitally signed by Check Point Software Technologies Ltd. Any modification to the Endpoint Identity Agents, including prepackaging, will invalidate the signature and will result in security warnings displayed to the user downloading them from the Captive Portal.
/opt/CPNacPortal/htdocs/nac/nacclients/customAgent.msi
/linux/windows/Check_Point_Custom_Nac_Client.msi
cpmsi_tool <installation package name> readini <INI file name>
The defs.reg file is a simple registry file. The registry values are located in these branches:
Note - If the defs.reg file does not exist, the installation will fail.
# | Registry Key | Accepted Values | Description
---|---|---|---
1 | DisableSettings | DWORD: 1, 0 | If the value is set to 1, the settings button does not appear in the Identity Agent's tray menu. 0 is the default value.
2 | DisableQuit | DWORD: 1, 0 | If the value is set to 1, the quit button does not appear in the Identity Agent's tray menu. 0 is the default value.
3 | HideGui | DWORD: 1, 0 | If the value is set to 1, the Identity Agent's tray icon does not appear and there is no client GUI. 0 is the default value.
4 | SendLogsTO | String: <email addresses delimited by ";"> | Defines the default email addresses to send logs to if an error occurs or if a user chooses to send logs from the agent's status dialog box. For example, to send error logs to MYEmail and disable the agent's settings dialog box: [HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA] "SendLogsTO"="MYEmail" "DisableSettings"=dword:00000001
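Because a pre-packaged MSI carries whatever defs.reg was handed to cpmsi_tool, it is worth validating that file against the table above before packaging. The following added example (not a Check Point tool, and not code from this guide) parses a defs.reg in regedit export format, checks that the three DWORD flags under HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA are 0 or 1, checks that SendLogsTO is a ";"-delimited list of addresses, and reports a missing file as the installation failure the note above describes. The sample file contents and the example.com addresses are constructed for the demonstration.

```python
import os
import re

# Key from the SendLogsTO example in the table (single backslashes in the file)
IA_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA"
DWORD_FLAGS = ("DisableSettings", "DisableQuit", "HideGui")

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "Name"=dword:00000001   or   "Name"="text"
VALUE_RE = re.compile(r'^"([^"]+)"=(dword:([0-9A-Fa-f]{1,8})|"(.*)")$')
EMAIL_RE = re.compile(r"^[^@\s;]+@[^@\s;]+\.[^@\s;]+$")

# Constructed sample defs.reg with one deliberate mistake (HideGui = 2)
SAMPLE_DEFS_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\CheckPoint\\IA]
"SendLogsTO"="soc@example.com;helpdesk@example.com"
"DisableSettings"=dword:00000001
"HideGui"=dword:00000002
"""


def parse_reg(text):
    """Return {section: {value_name: (kind, value)}} for a .reg file's text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            if m.group(3) is not None:
                sections[current][name] = ("dword", int(m.group(3), 16))
            else:
                sections[current][name] = ("string", m.group(4))
    return sections


def check_defs_reg(text):
    """Return a list of problems found in defs.reg text; empty list means it is acceptable."""
    problems = []
    ia = parse_reg(text).get(IA_KEY)
    if ia is None:
        return [f"missing key {IA_KEY}"]
    for name in DWORD_FLAGS:
        if name in ia:
            kind, val = ia[name]
            if kind != "dword" or val not in (0, 1):
                problems.append(f"{name}: expected dword 0 or 1, got {kind} {val}")
    if "SendLogsTO" in ia:
        kind, val = ia["SendLogsTO"]
        if kind != "string":
            problems.append("SendLogsTO: expected a string value")
        else:
            for addr in val.split(";"):
                if not EMAIL_RE.match(addr.strip()):
                    problems.append(f"SendLogsTO: '{addr}' is not a valid address")
    return problems


def check_defs_reg_file(path):
    """Check a defs.reg on disk; a missing file is reported because the installer fails without it."""
    if not os.path.exists(path):
        return [f"{path} not found: the installation will fail without defs.reg"]
    with open(path, "rb") as fh:
        raw = fh.read()
    # regedit exports are UTF-16 with a BOM; hand-written files are usually UTF-8/ANSI
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8", errors="replace")
    return check_defs_reg(text)


if __name__ == "__main__":
    for problem in check_defs_reg(SAMPLE_DEFS_REG) or ["defs.reg OK"]:
        print(problem)
```

Run it against the real defs.reg with check_defs_reg_file before calling cpmsi_tool; an empty result means every value in the file is one the installer's table accepts.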
Note - If a default gateway is not defined and the automatic server discovery fails during installation, the user is asked to define the Security Gateway with Identity Awareness manually.