Terminal Server Agent v2 (MUH2) - FAQ
Solution

Introduction

The Identity Awareness blade can associate an IP address with a user.

Terminal Servers / Citrix servers communicate with the Security Gateway through a single IP address, yet they host multiple users. This feature gives the Security Gateway the capability to identify the originating user behind each connection that comes from these multi-user hosts.

This page provides answers to frequently asked questions (FAQ) regarding installation and operation of Identity Awareness support for Terminal Servers/Citrix.

Also refer to sk66761 - Identity Awareness Support for Terminal Servers - FAQ.


Installation Questions

What operating systems are supported?

  • Windows Server 2016 for R80.40
  • Windows Server 2019 for R80.40
  • Windows Server 2016 for R80.30 (Jumbo Hotfix Accumulator for R80.30 (take 210 and above on both Gateway and Management))
  • Windows Server 2019 for R80.30 (Jumbo Hotfix Accumulator for R80.30 (take 210 and above on both Gateway and Management))
Note: MUH agents are tested only on Windows Servers, as they are intended for servers with multiple users.

Does the feature require installing anything on the Terminal Server/Citrix?

Yes, installation of an Identity Agent is required. The Terminal Server (TS) Identity Agent controls the connections from the TS/Citrix server in a way that allows the Identity Gateway to identify the user behind each connection. The agent also installs a WFP driver.

Does the feature require installing anything on the endpoint clients that connect to the Terminal Server?

No, the agent installation is only required on the Terminal Server itself and not on the clients.

Where can the TS Identity Agent be downloaded from?

The TS Identity Agent can be downloaded from the Identity Agents article [sk134312]. 

What rights do I need to install the TS Identity Agent?

Installing the TS Identity Agent requires administrative privileges.

Can I install the TS Identity Agent using a terminal session?

Yes.

I have installed the TS Identity Agent on the Terminal Server and configured it to connect to the Identity Server. Now what?

Enable the TS/Citrix feature in SmartDashboard, from the 'Gateway Properties > Identity Awareness' tab. After the feature is enabled, configure the pre-shared secret and also set it in the TS Identity Agent Controller on the terminal server[s]. Detailed installation steps can be found in the R80.40 Identity Awareness Administration Guide.

If I install the software, will I have to reboot the Terminal Server?

It is highly recommended to reboot the system, but it is not mandatory.


Once the installation of the TS Identity Agent is complete, all new connections are identified and properly enforced. Connections that were already open before the installation are not under the control of the TS Identity Agent, so it cannot detect which user they originated from.

Therefore:

  1. Rebooting ensures that the origin of every connection is detected, since the WFP driver exists before these connections are created.
  2. A user logout closes all of that user's connections and terminates their processes. The WFP driver then catches the user upon their next login to the system.

Does the uninstall require a reboot?

It is highly recommended to reboot the system, but it is not mandatory.

After the uninstall process ends, the WFP driver remains resident, but functions as a pass-through driver to allow the system to function properly without interruption. After rebooting, the WFP driver is removed.
If an installation is initiated before the reboot, the TS Identity Agent will refuse to complete and request a reboot.

Which gateway versions are compatible with this agent?

The Agent is compatible with the R80.40 gateway and the R80.30 gateway (Jumbo Hotfix Accumulator for R80.30 (take 210 and above)).

Can the agent be packaged and deployed in a similar manner to the regular agent?

The TS Identity Agent can be installed by using the MSI file with the “Terminal Server v2” flavor. Notice that TS Identity Agent installation requires an additional step of configuring a shared secret used for safe communication with the gateway.

Operation Questions

What is new in the new version?

The new version of the Terminal Server Agent introduces a different approach to identifying users behind the same Terminal Server / Citrix server: it replaces port-based user identification with tagging of user traffic.
This approach resolves the previous limitation on the number of users per server (now 256 users per server) and the compatibility issues with 3rd party applications.
In this version, users are identified by login/logoff events.
In addition, this version adds support for Windows Secure Boot (a Windows security feature).

How does the feature work, what is the magic?

The TS Identity Agent that is installed on the Terminal Server communicates to the Identity Server how it will control the connections for each user (explained below). This information is later used when the traffic reaches the Identity Gateway.

The TS Agent communicates with the gateway over SSL (usually port 443, unless configured differently).

The solution is in fact based on tagging packets. The TS Identity Agent installs a WFP driver that intercepts all traffic originated by a user. Once a packet reaches the WFP driver, the driver tags it with an ID taken from the range that is allocated to this specific user.

Two different users will have two different ranges, thus allowing the Identity Gateway to distinguish between the different connection owners.

What about protocols that are not port based, for example ICMP? How does the solution work?

Unfortunately, the solution does not support non-port-based protocols. The solution supports the TCP and UDP protocols only.

What is the impact on protocols that are not supported (such as ICMP)?

For unsupported protocols, the TS Identity Agent won't be able to control the network connections, and therefore the Identity Server will not be aware of the user that is initiating these connections.

The Endpoint Identity Agent does not require a "Shared Secret". Why is this required for the TS Identity Agent?

The Endpoint Identity Agent authenticates to the Identity Server either with a username and password, or via a Kerberos ticket. The TS Identity Agent does not authenticate users in the same way, so for the Identity Server to trust the other end, a shared secret is used. This removes the possibility that a user could claim to be running a Terminal Server and report a false user identity.

Once the TS Identity Agent is installed, will users be able to access it?

Non-admin users can access the Controller of the TS Identity Agent, but only in read-only mode. Thus, they will be able to see the connection statistics and port assignment information, but won't be able to change anything.

What are the known limitations?

Known limitations are:
  1. The solution supports the TCP and UDP protocols only. Therefore, it does not support other protocols such as ICMP.
  2. IPv6 is not supported.
  3. Upgrade from Terminal Server Agent v1 to Terminal Server Agent v2 is not supported.

Does the Terminal Services agent detect or handle local or service accounts on the server?

SYSTEM and other local user accounts are not assigned an ID range and are not identified. Enforcement for those users can be done through the machine identity (available through Kerberos SSO authentication). Any user account that belongs to an Active Directory domain, including service accounts, can be identified by the TS agent.

What can you do when you have multiple gateways and one MUH? What if the gateways are managed by different management servers?

The only option is identity sharing between the gateways. You can set up sharing across different CMAs using sk65404 - Establishing SIC trust between Identity Awareness entities managed by different Security Management Servers / Domain Management Servers, or using Identity Broker sharing (more details can be found in the R80.40 Identity Awareness Administration Guide).

Can I monitor the status of connected TS Identity Agents?

Monitoring information is sent from each TS Identity Agent to the gateway. The information includes the following: IP, Version, Next Keep Alive, number of Connected Users, number of Authenticated Users and Number Of Assigned Ranges.

Monitoring capability is not enabled by default. To enable it, add a registry value named "MUHMonitoringEnabled" and set it to "1" (DWORD). The default frequency of sending the data is 15 seconds. The frequency is configurable by a registry value named "MUHMonitoringInterval" (for example, set it to "60" to achieve a frequency of 1 minute). Both values are created under the following location:
  • For 32-bit machines: HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\
  • For 64-bit machines: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\IA\
To apply these changes, reboot the machine (or restart the 'Check Point Managed Asset Detection' service).
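The following PowerShell script applies the monitoring settings described above on the Terminal Server. It is an added example, not Check Point's own tooling; the registry location, value names and DWORD type come from this FAQ, and it assumes 'Check Point Managed Asset Detection' is the service's display name.

```powershell
# Enables MUH monitoring and sets its reporting interval (in seconds) on the TS agent host.
# Added example; registry path, value names and DWORD type are taken from the FAQ above.
# Run in an elevated (administrator) PowerShell session.
param(
    [int]$IntervalSeconds = 60   # the FAQ default is 15 seconds when the value is absent
)

if ($IntervalSeconds -lt 1) { throw "Interval must be a positive number of seconds." }

# The FAQ lists different hives for 32-bit and 64-bit machines.
$keyPath = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\CheckPoint\IA'
} else {
    'HKLM:\SOFTWARE\CheckPoint\IA'
}

if (-not (Test-Path $keyPath)) {
    throw "Registry key $keyPath not found; is the TS Identity Agent installed?"
}

# Both values are DWORDs, as the FAQ specifies.
Set-ItemProperty -Path $keyPath -Name 'MUHMonitoringEnabled'  -Value 1 -Type DWord
Set-ItemProperty -Path $keyPath -Name 'MUHMonitoringInterval' -Value $IntervalSeconds -Type DWord

# Read the values back so the change can be verified before the service restart.
Get-ItemProperty -Path $keyPath |
    Select-Object MUHMonitoringEnabled, MUHMonitoringInterval |
    Format-List

# The FAQ says a reboot or a restart of this service applies the change.
# Assumption: 'Check Point Managed Asset Detection' is the service display name.
$svc = Get-Service -DisplayName 'Check Point Managed Asset Detection' -ErrorAction SilentlyContinue
if ($svc) {
    Restart-Service -InputObject $svc -Force
    Write-Host "Restarted '$($svc.DisplayName)'; monitoring data is sent every $IntervalSeconds seconds."
} else {
    Write-Warning "Service not found; reboot the machine to apply the change."
}
```

After the restart, confirm on the gateway side with "cpstat identityServer -f muh" that the agent's monitoring entry appears.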

There are 2 options to query the data:
  • SNMP:
    The SNMP Object Identifiers (OIDs) that point to this information are found in $FWDIR/conf/identity_server.cps
  • Command Line:
    • Via the cpstat CLI: "cpstat identityServer -f muh"
    • Via the pdp CLI: "pdp muh status" - available only since R80.30.

How many users are supported on the MUHv2 Agent?

The MUHv2 agent supports up to 265 users per TS agent, and up to 50 MUHv2 agents can connect to one PDP instance. For larger deployments, apply a scalable design based on Identity Broker and share identities between the PDP instances.