Identity Awareness R75.40
Administration Guide
7 March 2012
Classification: [Protected]

© 2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=13947
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the home page at the Check Point Support Center (http://supportcontent.checkpoint.com/solutions?id=sk67581).

Revision History
Date          Description
7 March 2012  First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Identity Awareness R75.40 Administration Guide).

Contents
Important Information  3
Getting Started With Identity Awareness  7
    Introduction  7
        AD Query  10
        Browser-Based Authentication  11
        Identity Agents  13
    Deployment  14
    Identity Awareness Scenarios  16
        Acquiring Identities for Active Directory Users  16
        Acquiring Identities with Browser-Based Authentication  18
        Acquiring Identities with Endpoint Identity Agents  21
        Acquiring Identities in a Terminal Server Environment  24
        Acquiring Identities in Application Control  24
Configuring Identity Awareness  26
    Enabling Identity Awareness on the Security Gateway  26
        Results of the Wizard  29
    Creating Access Roles  29
    Using Identity Awareness in the Firewall Rule Base  31
        Access Role Objects  32
        Negate and Drop  32
    Using Identity Awareness in the Application and URL Filtering Rule Base  32
        Source and Destination Fields  33
        Negate and Block  34
    Configuring Browser-Based Authentication in SmartDashboard  34
        Portal Network Location  34
        Access Settings  34
        Authentication Settings  35
        Customize Appearance  36
        User Access  36
        Agent Deployment from the Portal  37
    Configuring Endpoint Identity Agents  37
        Endpoint Identity Agent Types  38
        Endpoint Identity Agent Deployment Methods  40
        Server Discovery and Trust  41
        Configuring Endpoint Identity Agents in SmartDashboard  42
    Configuring Terminal Servers  43
        Deploying the Terminal Servers Identity Awareness Solution  43
        Terminal Servers - Users Tab  45
        Terminal Servers Advanced Settings  45
    Configuring Remote Access  46
    Configuring Identity Logging for a Log Server  46
        Enabling Identity Awareness on the Log Server for Identity Logging  46
Identity Sources  48
    Choosing Identity Sources  48
    Advanced AD Query Configuration  49
        Configuring Identity Awareness for a Domain Forest (Subdomains)  49
        Specifying Domain Controllers per Security Gateway  49
        Permissions and Timeout  51
        Multiple Gateway Environments  53
        Non-English Language Support  53
        Performance  53
        Nested Groups  53
        Troubleshooting  54
    Advanced Browser-Based Authentication Configuration  56
        Customizing Text Strings  56
        Adding a New Language  59
        Server Certificates  61
        Transparent Kerberos Authentication Configuration  64
    Advanced Endpoint Identity Agents Configuration  68
        Customizing Parameters  68
        Prepackaging Endpoint Identity Agent Installation  69
Advanced Deployment  70
    Introduction  70
        Deployment Options  71
    Deploying a Test Environment  71
        Testing Identity Sources  71
        Testing Endpoint Identity Agents  72
    Deployment Scenarios  72
        Perimeter Security Gateway with Identity Awareness  72
        Data Center Protection  73
        Large Scale Enterprise Deployment  74
        Network Segregation  76
        Distributed Enterprise with Branch Offices  76
        Wireless Campus  78
        Dedicated Identity Acquisition Gateway  79
Advanced Identity Agent Options  81
    Kerberos SSO Configuration  81
        Overview  81
        How SSO Operates  82
        References  82
        SSO Configuration  83
    Server Discovery and Trust  87
        Introduction  87
        Discovery and Trust Options  88
        Option Comparison  89
    Prepackaging Identity Agents  95
        Introduction  95
        Custom Endpoint Identity Agent msi  95
        Using the cpmsi_tool.exe  95
        Sample INI File  99
        Deploying a Prepackaged Agent via the Captive Portal  99
Identity Awareness Commands  101
    Introduction  101
    pdp  102
        pdp monitor  102
        pdp connections  103
        pdp control  104
        pdp network  104
        pdp debug  105
        pdp tracker  106
        pdp status  106
        pdp update  107
    pep  108
        pep show  108
        pep debug  110
    adlog  111
        adlog query  111
        adlog dc  112
        adlog statistics  112
        adlog debug  112
        adlog control  113
        adlog service_accounts  113
    test_ad_connectivity  114
Regular Expressions  115
    Metacharacters  115
        Square Brackets  116
        Parentheses  116
        Hyphen  116
        Dot  116
        Vertical Bar  116
        Backslash  116
        Escaping Symbols  116
        Encoding Non-Printable Characters  117
        Specifying Character Types  117
    Quantifiers  117
        Curly Brackets  118
        Question Marks  118
        Asterisk  118
        Plus  118
Index  119

Identity Awareness Administration Guide R75.40 | 7

Chapter 1
Getting Started With Identity Awareness

In This Chapter
Introduction  7
Deployment  14
Identity Awareness Scenarios  16

Introduction
Traditionally, firewalls use IP addresses to monitor traffic and are unaware of the user and machine identities behind those IP addresses. Identity Awareness removes this anonymity by mapping user and machine identities to the IP addresses they use, so that you can enforce access and audit data based on identity.

Identity Awareness is an easy to deploy and scalable solution. It applies to both Active Directory and non-Active Directory based networks, and to employees as well as guest users. It is currently available on the Firewall blade and the Application Control blade and will operate with other blades in the future.

Identity Awareness lets you configure network access and auditing based on network location and:
- The identity of a user
- The identity of a machine

When Identity Awareness identifies a source or destination, it shows the IP address of the user or machine together with a name. This lets you create firewall rules with any of these properties: for example, a rule for specific users only when they send traffic from specific machines, or a rule for a specific user regardless of which machine the traffic comes from.

In SmartDashboard, you use Access Role objects to define users, machines and network locations as one object. Identity Awareness also lets you see user activity in SmartView Tracker and SmartEvent by user and machine name, not just by IP address.

Identity Awareness gets identities from these acquisition sources:
- AD Query
- Browser-Based Authentication
- Endpoint Identity Agent
- Terminal Servers Identity Agent
- Remote Access

The table below shows how the identity sources differ in usage and deployment considerations.
Depending on those considerations, you can configure Identity Awareness to use one identity source or a combination of identity sources (see "Choosing Identity Sources" on page 48).

Source: AD Query
Description: Gets identity data seamlessly from Microsoft Active Directory (AD).
Recommended Usage:
- Identity based auditing and logging
- Leveraging identity in Internet application control
- Basic identity enforcement in the internal network
Deployment Considerations:
- Easy configuration (requires AD administrator credentials). For organizations that prefer not to allow administrator users to be used as service accounts on third party devices, there is an option to configure AD Query without AD administrator privileges; see sk43874 (http://supportcontent.checkpoint.com/solutions?id=sk43874).
- Preferred for desktop users
- Only detects AD users and machines

Source: Browser-Based Authentication
Description: Captive Portal sends unidentified users to a Web portal for authentication. If Transparent Kerberos Authentication is configured, the browser attempts to authenticate users transparently by getting identity information before the Captive Portal username/password page is shown to the user.
Recommended Usage:
- Captive Portal: identity based enforcement for non-AD users (non-Windows and guest users), and deployment of Endpoint Identity Agents
- Transparent Kerberos Authentication: in AD environments, when users are already logged in to the domain, the browser obtains identity information from the credentials used in the original login (SSO)
Deployment Considerations:
- Used for identity enforcement (not intended for logging purposes)

Source: Endpoint Identity Agent
Description: A lightweight endpoint agent that authenticates securely with Single Sign-On (SSO).
Recommended Usage:
- Leveraging identity for Data Center protection
- Protecting highly sensitive servers
- When accuracy in detecting identity is crucial
Deployment Considerations:
- See Choosing Identity Sources (on page 48).

Source: Terminal Servers Identity Agent
Description: To identify multiple users that connect from one IP address, a Terminal Servers Identity Agent is installed on the application server that hosts Terminal/Citrix services.
Recommended Usage:
- Identify users that use a Terminal Servers or Citrix environment
Deployment Considerations:
- See Choosing Identity Sources (on page 48).

Source: Remote Access
Description: Users that gain access through IPSec VPN Office Mode are seamlessly authenticated.
Recommended Usage:
- Identify and apply identity-based security policy to users that access the organization through VPN
Deployment Considerations:
- See Choosing Identity Sources (on page 48).

Identity aware gateways can share the identity information that they acquire with other identity aware gateways. In this way, users that need to pass through several enforcement points are only identified once. See Advanced Deployment (on page 70) for more information.

AD Query
AD Query is an easy to deploy, clientless identity acquisition method. It is based on Active Directory integration and is completely transparent to the user.

The AD Query option operates when:
- An identified asset (user or machine) tries to access an Intranet resource in a way that creates an authentication request. For example, when a user logs in, unlocks a screen, shares a network drive, reads emails through Exchange, or accesses an Intranet portal.
- AD Query is selected as a way to acquire identities.

The technology is based on querying the Active Directory Security Event Logs and extracting the user and machine mapping to the network address from them. It uses Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients or on the Active Directory server. Because the gateway reads the Security Event Log over WMI, the account it connects with must be permitted to do so; as the table above notes, this is an AD administrator account by default, and sk43874 describes the reduced-privilege alternative.
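The two things the guide has described so far, the extraction that AD Query performs on the domain controller's Security event log (user name@domain, machine name and source IP) and the Access Role that the introduction says combines users, machines and network locations into one object, are modelled below in Python. This is an added example, not Check Point code and not the gateway's actual implementation. The event records are constructed and modelled on Windows Server 2008 logon events (event ID 4624, which the guide itself does not name); the field names, the Identity and AccessRole classes, the logon types that are kept, the service-account exclusion (in the spirit of the adlog service_accounts command listed in the contents) and the rule base are all assumptions made for this illustration.

```python
"""Added example (not Check Point code): the user/machine-to-IP extraction that
AD Query performs on a DC's Security event log, and an Access Role matched against
the result. Events are constructed and modelled on Windows Server 2008 logon events
(ID 4624); field names, classes and the rule base are assumptions for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

LOGON_EVENT_ID = 4624
# Logon types behind the triggers the guide lists: interactive (2), network (3: share,
# Exchange), unlock (7), remote interactive (10), cached (11). Service (5) and batch
# (4) logons are not a person at a desk, so they are skipped.
USER_LOGON_TYPES = {2, 3, 7, 10, 11}


@dataclass
class Identity:
    user: Optional[str] = None     # "name@DOMAIN" from the newest logon seen
    machine: Optional[str] = None  # workstation name, if the event carried one


def build_identity_map(events: List[dict],
                       service_accounts: Set[str] = frozenset()) -> Dict[str, Identity]:
    """Source IP -> Identity, derived from logon events the way AD Query does."""
    identities: Dict[str, Identity] = {}
    for e in events:
        if e.get("EventID") != LOGON_EVENT_ID or e.get("LogonType") not in USER_LOGON_TYPES:
            continue
        try:
            ip = ip_address(e.get("IpAddress", "-"))
        except ValueError:
            continue                 # "-": the event carries no network address
        if ip.is_loopback or ip.is_unspecified:
            continue                 # console logon on the DC itself
        name, domain = e["TargetUserName"], e["TargetDomainName"]
        if name.endswith("$"):       # computer account: this is a machine identity
            identities.setdefault(str(ip), Identity()).machine = name[:-1]
            continue
        principal = f"{name}@{domain}"
        if principal in service_accounts:
            continue                 # a service logon must not overwrite the user
        entry = identities.setdefault(str(ip), Identity())
        entry.user = principal       # newest logon seen from this IP wins
        if e.get("WorkstationName") not in (None, "-"):
            entry.machine = e["WorkstationName"]
    return identities


@dataclass
class AccessRole:
    """Users, machines and network locations as one object; an empty set means any."""
    name: str
    users: Set[str] = field(default_factory=set)
    machines: Set[str] = field(default_factory=set)
    networks: List = field(default_factory=list)

    def matches(self, src_ip: str, ident: Optional[Identity]) -> bool:
        if self.networks and not any(ip_address(src_ip) in n for n in self.networks):
            return False
        if self.users and not (ident and ident.user in self.users):
            return False
        if self.machines and not (ident and ident.machine in self.machines):
            return False
        return True


@dataclass
class Rule:
    role: AccessRole
    action: str           # "accept" or "drop"
    negate: bool = False  # source column reads "NOT <role>"


def match_rule(rules: List[Rule], src_ip: str,
               identities: Dict[str, Identity]) -> Tuple[int, str]:
    """First match wins; index len(rules) is the implicit cleanup drop. A source with
    no identity never matches a role, so it always matches that role negated."""
    ident = identities.get(src_ip)
    for i, rule in enumerate(rules):
        if rule.role.matches(src_ip, ident) != rule.negate:
            return i, rule.action
    return len(rules), "drop"


def ev(user, ip, ws, ltype=2, eid=LOGON_EVENT_ID, domain="CORP") -> dict:
    return {"EventID": eid, "LogonType": ltype, "TargetUserName": user,
            "TargetDomainName": domain, "WorkstationName": ws, "IpAddress": ip}


SAMPLE_EVENTS = [                                       # constructed DC log, in order
    ev("alice", "10.1.1.10", "WS-ALICE"),               # interactive logon
    ev("WS-ALICE$", "10.1.1.10", "WS-ALICE", ltype=3),  # computer account
    ev("alice", "10.1.1.10", "WS-ALICE", eid=4672),     # privilege event, not a logon
    ev("svc_backup", "10.1.2.20", "FS01", ltype=3),     # service account mounting a share
    ev("bob", "-", "DC01"),                             # logon without a network address
    ev("carol", "10.1.3.30", "WS-SHARED", ltype=7),     # screen unlock
    ev("dave", "10.1.3.30", "WS-SHARED", ltype=10),     # later logon from the same IP
]
SERVICE_ACCOUNTS = {"svc_backup@CORP"}                  # cf. adlog service_accounts
ENGINEERS = AccessRole("Engineers_on_corp_PCs", users={"alice@CORP", "dave@CORP"},
                       machines={"WS-ALICE", "WS-SHARED"}, networks=[ip_network("10.1.0.0/16")])
RULEBASE = [Rule(ENGINEERS, "accept"),                  # named users on their own PCs
            Rule(ENGINEERS, "drop", negate=True)]       # "everyone else", identified or not


def demo() -> Dict[str, Tuple[int, str]]:
    ids = build_identity_map(SAMPLE_EVENTS, SERVICE_ACCOUNTS)
    return {ip: match_rule(RULEBASE, ip, ids) for ip in ("10.1.1.10", "10.1.3.30", "10.1.2.20")}


if __name__ == "__main__":
    print(build_identity_map(SAMPLE_EVENTS, SERVICE_ACCOUNTS))
    print(demo())
```

Two points worth checking in the output: 10.1.3.30 ends up as dave, because the newer logon from the same address replaces carol, and 10.1.2.20 has no identity at all, because its only logon came from an excluded service account. That second address is still matched by the negated rule. A source the gateway has not identified is "not in the role" just as much as a different user is, which is the behaviour to confirm before pairing a negated Access Role with a drop action.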
Identity Awareness supports connections to Microsoft Active Directory on Windows Server 2003 and 2008.

How AD Query Operates - Firewall Rule Base Example
The steps listed in the example align with the numbers in the image below.
1. The Security Gateway registers to receive security event logs from the Active Directory domain controllers.
2. A user logs in to a desktop computer using his Active Directory credentials.
3. The Active Directory DC sends the security event log to the Security Gateway. The Security Gateway extracts the user and IP information (user name@domain, machine name and source IP address).
4. The user initiates a connection to the Internet.
[...]

[...] with the user's identity. It also shows Application Control data. This SmartEvent Intro log entry shows details of an Application Control event with Identity Awareness user and machine identity.

Chapter 2
Configuring Identity Awareness

In This Chapter
Enabling Identity Awareness on the Security Gateway
Creating Access Roles
Using Identity Awareness in the [...]

[...] You can have one or more gateways acquire identities and share them with the other gateways. You can also share identities between gateways managed in different Multi-Domain Servers.

Identity Awareness Scenarios
This section describes scenarios in which you can use Identity Awareness [...]

[...] for some reason, Identity Awareness redirects the browser to the Captive Portal.

Identity Agents
There are two types of Identity Agents:
- Endpoint Identity Agents - dedicated client agents installed on users' computers that acquire and report identities to the Security Gateway
- Terminal Servers Identity Agent [...]
[...] the Network Objects tree, expand the Check Point branch.
Double-click the gateway on which to enable Identity Awareness.
In the Software Blades section, select Identity Awareness on the Network Security tab.
The Identity Awareness Configuration wizard opens.
5. Select one or more options. These options set the methods for [...]

[...] the client from).

How You Download an Endpoint Identity Agent - Example
This is how a user downloads the Endpoint Identity Agent from the Captive Portal:
1. A user logs in to his PC with his credentials and wants to access the Internal Data Center.
2. The Security Gateway enabled with Identity Awareness does not [...]

[...] Application Control Rule Base that allows traffic from known applications, with the tracking set to Log.
2. Enables Identity Awareness on a gateway and selects AD Query as one of the Identity Sources.
3. Installs the policy.

User identification in the Logs
Logs related to application traffic in SmartView Tracker and SmartEvent [...]

[...] modes. Identity Awareness supports ClusterXL HA and LS modes.
If you deploy Identity Awareness on more than one gateway, you can configure the gateways to share identity information. Common scenarios include:
- Deploy on your perimeter gateway and data center gateway
- Deploy on several data center gateways
- Deploy on branch office gateways and central gateways
[...]
[...] then get the same access as on her office computer. Her access to resources is based on rules in the Firewall Rule Base.

Required SmartDashboard Configuration
To make this scenario work, the IT administrator must:
1. Enable Identity Awareness on a gateway and select Browser-Based Authentication as one of the Identity [...]

[...] Preview pane.
7. In the Machines tab, select Enforce IP spoofing protection (requires full identity agent) if you want to enable the packet tagging feature.
8. Click OK. The access role is added to the Users and Administrators tree.

Using Identity Awareness in the Firewall Rule Base
The Security Gateway examines packets and applies [...]