Identity Awareness Support for Terminal Servers - FAQ
Solution

Introduction

The Identity Awareness blade has the capability of associating an IP address and a user.

Terminal Servers / Citrix hosts communicate with the Security Gateway through a single IP address, yet they host multiple users. This feature gives the Security Gateway the capability of identifying the originating user behind each connection that comes from such multi-user hosts (MUH).

This page provides answers to frequently asked questions (FAQ) regarding installation and operation of Identity Awareness support for Terminal Servers/Citrix.

Also refer to sk107036 - Windows 10 Support Plan for Check Point Products.

Table of contents

  • Installation Questions
    • What operating systems are supported?
    • Does the feature require installing anything on the Terminal Server/Citrix?
    • Does the feature require installing anything on the endpoint clients that connect to the Terminal Server?
    • Where can the TS Identity Agent be downloaded from?
    • What is the size of the TS Identity Agent?
    • How much disk space is required?
    • What rights do I need to install the TS Identity Agent?
    • Can I install the TS Identity Agent using a terminal session?
    • I have installed the TS Identity Agent on the Terminal Server and configured it to connect to the Identity Server. Now what?
    • Is Citrix supported? What about other remote application server software?
    • If I install the software, will I have to reboot the Terminal Server?
    • Does the uninstall require a reboot?
    • Is the agent backward or forward compatible with different gateway versions?
    • Can the agent be packaged and deployed in a similar manner to the regular agent?
  • Operation Questions
    • How does the feature work, what is the magic?
    • What about protocols that are not port based, for example ICMP? How does the solution work?
    • What is the impact on protocols that are not supported (such as ICMP)?
    • The Endpoint Identity Agent does not require a "Shared Secret". Why is this required for the TS Identity Agent?
    • Once the TS Identity Agent is installed, will users be able to access it?
    • What are the known limitations?
    • Can I still use AD Query for users’ PCs when using TS/Citrix Identity Agents on Terminal Servers/Citrix?
    • Does the Terminal Services agent detect or handle local or service accounts on the server?
    • What can you do when you have multiple gateways and one MUH?
  • Configuration Questions
    • There is an option to configure the port ranges. When would this be useful?


Installation Questions

What operating systems are supported?

All Windows Server versions from Windows Server 2008 R2 and above (both 32-bit and 64-bit) are supported. From R77.20, Windows 8.1 is supported. In addition, the following desktop operating systems are supported: Windows Vista, Windows 7 and Windows 8.
Notes:
  • Windows Server 2016 R2 is not supported.
  • Windows Server 2016 is supported, but only with R80.10.

Does the feature require installing anything on the Terminal Server/Citrix?

Yes, an Identity Agent must be installed on the host. The Terminal Servers (TS) Identity Agent controls the connections leaving the TS/Citrix host in a way that lets the Identity Gateway identify the user behind each connection. The agent also installs a TDI driver.

Does the feature require installing anything on the endpoint clients that connect to the Terminal Server?

No, the agent installation is only required on the Terminal Server itself and not on the clients.

Where can the TS Identity Agent be downloaded from?

The TS Identity Agent can be downloaded from a link provided in the SmartDashboard. Open the gateway object of the Identity Server and you should be able to see the link.

What is the size of the TS Identity Agent?

The installation file size of the TS Identity Agent is about 8 MB.

How much disk space is required?

The required disk space for TS Identity Agent installation is ~14 MB.

What rights do I need to install the TS Identity Agent?

Installing the TS Identity Agent requires administrative privileges.

Can I install the TS Identity Agent using a terminal session?

Yes.

I have installed the TS Identity Agent on the Terminal Server and configured it to connect to the Identity Server. Now what?

Enable the TS/Citrix feature in SmartDashboard, from the 'Gateway Properties > Identity Awareness' tab. After the feature is enabled, configure the pre-shared secret there and set the same secret in the TS Identity Agent Controller on each terminal server. Detailed installation steps can be found in the R75.40 Identity Awareness Administration Guide.

Is Citrix supported? What about other remote application server software?

The solution works by identifying the user who owns the source process of each connection and controlling the connection in a way that reveals that user to the Identity Gateway. It does not depend on the remote-session software itself, so any remote application server software should work.

If I install the software, will I have to reboot the Terminal Server?

It is highly recommended to reboot the system, but it is not mandatory.

Once the installation of the TS Identity Agent is complete, all new connections are identified and properly enforced. Connections that were already open before the installation are not under the control of the TS Identity Agent, so it cannot detect which user they originated from.

Therefore:

  1. Rebooting ensures that the origins of all connections are detected, since the TDI driver is loaded before any of these connections are created.
  2. A user logout closes all of that user's connections and terminates their processes. The TDI driver then catches the user's connections upon the next login to the system.

Does the uninstall require a reboot?

It is highly recommended to reboot the system, but it is not mandatory.

After the uninstall process ends, the TDI driver remains resident, but functions as a pass-through driver so that the system keeps working without interruption. After a reboot, the TDI driver is removed.
If an installation is initiated before that reboot, the TS Identity Agent installer will refuse to complete and will request a reboot.

Is the agent backward or forward compatible with different gateway versions?

Agent compatibility: there is full compatibility between agents of version R76 or newer and gateways of version R76 or newer. For example: R77.20 agent will work with R76 gateway, and R77.20 gateway will work with R76 agent. In the same way, agents and gateways of R75.4x versions are compatible (e.g. R75.47 gateway with R75.40 agent).

Can the agent be packaged and deployed in a similar manner to the regular agent ?

The MUH agent can be installed either by using the prepackaged muhAgent.exe binary available on the gateway, or by using the MSI file with the "Terminal Server" flavor. Note that MUH agent installation requires an additional step of configuring the shared secret used to secure communication with the gateway.

Operation Questions

How does the feature work, what is the magic?

To explain it simply, the TS Identity Agent installed on the Terminal Server tells the Identity Server how it will control the connections of each user (explained below). The gateway uses this information later, when the traffic from the Terminal Server reaches it.

The TS Agent communicates with the gateway over SSL (port 443 by default, unless configured differently).

The solution is in fact based on source ports. The TS Identity Agent installs a TDI driver that intercepts every request from any process that opens a new connection. When the request reaches the TDI driver, the driver queries the system for the user that owns the requesting process and chooses a source port from the pool of port ranges allocated to that specific user.

Two different users have two different port range pools, so the Identity Gateway can distinguish between connection owners by looking at the source IP address and source port of each connection.
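The mapping described above, modelled as an added example (this is not Check Point code and the agent's real wire format is not documented on this page). It shows what the gateway-side lookup looks like once the agent has reported per-user source-port pools for one multi-user host, and how the cases discussed in the following questions fall out of it: ICMP and other non-port protocols cannot be identified, a connection whose source port lies outside every pool (for example one opened before the TDI driver loaded) stays untracked, and ports from the local/SYSTEM range carry no user identity. The host address, user names, port ranges and sample connections are all constructed for the example.

```python
# Added example (not Check Point code): a simplified model of the gateway-side
# lookup that the source-port mechanism makes possible. The MUH address, user
# names, port pools and sample connections below are constructed assumptions.

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MUH_IP = "10.1.2.50"  # constructed: the Terminal Server's single IP address

# Constructed: what the agent might report for this host once users log in.
# Keys are inclusive (low, high) source-port pools; the value None marks the
# range used by SYSTEM and local accounts, which carries no user identity.
REPORTED_POOLS: Dict[Tuple[int, int], Optional[str]] = {
    (10000, 10199): "CORP\\alice",
    (10200, 10399): "CORP\\bob",
    (10400, 10599): "CORP\\svc_backup",   # domain service account: identified like any user
    (9000, 9199): None,                   # SYSTEM / local accounts: no identity
}


@dataclass(frozen=True)
class Connection:
    src_ip: str
    proto: str                       # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None   # None for protocols without ports
    dst: str = ""


class MuhIdentityTable:
    """Per-host table (source-port range -> user) as the Identity Gateway would keep it."""

    def __init__(self, host_ip: str, pools: Dict[Tuple[int, int], Optional[str]]):
        self.host_ip = host_ip
        self.pools = sorted(pools.items())   # deterministic order of (range, user)

    def identify(self, conn: Connection) -> Tuple[str, Optional[str]]:
        """Return (status, user). status is one of:
        'identified'            a domain user owns the source port
        'no-identity'           port is in the SYSTEM/local range
        'unsupported-protocol'  no source port (ICMP etc.), the agent cannot tag it
        'untracked'             port outside every pool, e.g. opened before the driver loaded
        'not-muh'               the source address is not this host"""
        if conn.src_ip != self.host_ip:
            return "not-muh", None
        if conn.proto not in ("tcp", "udp"):
            return "unsupported-protocol", None
        for (low, high), user in self.pools:
            if conn.src_port is not None and low <= conn.src_port <= high:
                return ("identified", user) if user else ("no-identity", None)
        return "untracked", None


def classify(table: MuhIdentityTable, conns: List[Connection]):
    """Run a batch of connections through the table; returns [(conn, status, user), ...]."""
    return [(c, *table.identify(c)) for c in conns]


# Constructed sample traffic as the gateway would see it.
SAMPLE = [
    Connection(MUH_IP, "tcp", 10042, "intranet:443"),
    Connection(MUH_IP, "udp", 10310, "dns:53"),
    Connection(MUH_IP, "tcp", 9017, "wsus:8530"),
    Connection(MUH_IP, "icmp", None, "8.8.8.8"),
    Connection(MUH_IP, "tcp", 49152, "app:8080"),        # ephemeral port outside all pools
    Connection("10.9.9.9", "tcp", 51000, "intranet:443"),  # an ordinary (non-MUH) host
]

if __name__ == "__main__":
    table = MuhIdentityTable(MUH_IP, REPORTED_POOLS)
    for conn, status, user in classify(table, SAMPLE):
        print(f"{conn.proto:4} {conn.src_ip}:{conn.src_port} -> {conn.dst:13} {status:20} {user or '-'}")
```

The point of the table is that identity is keyed on (source IP, source port), not on source IP alone as it is for an ordinary PC. Anything that does not carry a source port, or whose port the agent never allocated, therefore has no user attached and is enforced only by rules that do not need one.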

What about protocols that are not port based, for example ICMP? How does the solution work?

Unfortunately, the solution does not support protocols that are not port based. It supports TCP and UDP only.

What is the impact on protocols that are not supported (such as ICMP)?

For unsupported protocols, the TS Identity Agent cannot control the network connections, so the Identity Server is not aware of which user initiated them; such traffic is enforced without a user identity.

The Endpoint Identity Agent does not require a "Shared Secret". Why is this required for the TS Identity Agent?

The Endpoint Identity Agent authenticates to the Identity Server either with a username and password or via a Kerberos ticket. The TS Identity Agent does not authenticate users the same way: it reports identities on behalf of other users. For the Identity Server to trust that end of the connection, a shared secret is therefore used. This removes the possibility that a user claims to be running a Terminal Server and reports a false identity.

Once the TS Identity Agent is installed, will users be able to access it?

Non-admin users can access the Controller of the TS Identity Agent, but only in read-only mode. Thus, they will be able to see the connection statistics and port assignment information, but won't be able to change anything.

What are the known limitations?

Known limitations are:

  1. The solution supports TCP and UDP only, so it does not support other protocols and services such as ICMP, file shares, etc.
  2. There is a limit on the number of users that can use the TS server at the same time and have network access. The number varies and depends on the maximum number of ports the system is configured to assign to each user. In any case, the upper boundary is 1024 users per Terminal Server.

Can I still use AD Query for users’ PCs when using TS/Citrix Identity Agents on Terminal Servers/Citrix?

Yes. If you decide to use AD Query for users' PCs, the best practice is to exclude the Terminal Servers' IP addresses from AD Query. This prevents unexpected agent disconnections and high CPU utilization of the pdpd daemon (see sk86560 for instructions).

Does the Terminal Services agent detect or handle local or service accounts on the server?

Processes running under SYSTEM and other local user accounts are all assigned source ports from a special port range that is not associated with any user identity. Enforcement for those accounts can be done through the machine identity (available through Kerberos SSO authentication).
Any user account that belongs to an Active Directory domain, including service accounts, can be identified by the TS agent.

What can you do when you have multiple gateways and one MUH? What if the gateways are managed by different management servers?

Configuration Questions

There is an option to configure the port ranges. When would this be useful?

If software on the Terminal Server uses a fixed range of ports, that range may conflict with the agent's port-allocation mechanism. Once you exclude those ports from the feature (and reboot the TS), the agent will not assign them to any user.
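As an added example (not Check Point code; the real agent's allocation policy is not documented on this page), the following models how per-user source-port pools can be carved out of a configured range while honouring an excluded application range, a separate no-identity range for SYSTEM and local accounts, and the 1024-users-per-Terminal-Server ceiling from the limitations above. It also shows the consequence of the limit: once every pool is taken, a further domain user gets no pool (and thus no identified network access) until someone logs out. The port numbers, the fixed-size-pool policy and the class and function names are assumptions for illustration.

```python
# Added example (not Check Point code): per-user source-port pool carving and
# allocation with excluded ranges, a no-identity local range and the 1024-user
# ceiling. All concrete numbers and the fixed-size-pool policy are assumptions.

from dataclasses import dataclass
from typing import Dict, List

MAX_USERS_PER_TS = 1024   # upper boundary stated in the FAQ's known limitations


@dataclass(frozen=True)
class PortRange:
    low: int
    high: int

    def __post_init__(self):
        if not (0 < self.low <= self.high <= 65535):
            raise ValueError(f"bad port range {self.low}-{self.high}")

    def overlaps(self, other: "PortRange") -> bool:
        return self.low <= other.high and other.low <= self.high


def carve_pools(usable: PortRange, ports_per_user: int,
                excluded: List[PortRange], local_range: PortRange) -> List[PortRange]:
    """Split `usable` into consecutive fixed-size pools, skipping any candidate that
    overlaps an excluded application range or the no-identity local range.
    Never returns more than MAX_USERS_PER_TS pools."""
    blocked = list(excluded) + [local_range]
    pools: List[PortRange] = []
    start = usable.low
    while start + ports_per_user - 1 <= usable.high and len(pools) < MAX_USERS_PER_TS:
        cand = PortRange(start, start + ports_per_user - 1)
        hit = next((b for b in blocked if cand.overlaps(b)), None)
        if hit is not None:
            start = hit.high + 1        # resume right after the conflicting range
            continue
        pools.append(cand)
        start = cand.high + 1
    return pools


class PortPoolAllocator:
    """Hands one pool to each domain user on first use and returns it on logout."""

    def __init__(self, pools: List[PortRange], local_range: PortRange):
        self.free = list(pools)
        self.local_range = local_range
        self.assigned: Dict[str, PortRange] = {}

    @property
    def capacity(self) -> int:
        """Number of domain users that can have network access at the same time."""
        return len(self.free) + len(self.assigned)

    def pool_for(self, user: str, domain_user: bool) -> PortRange:
        if not domain_user:                 # SYSTEM / local accounts: shared no-identity range
            return self.local_range
        if user not in self.assigned:
            if not self.free:
                raise RuntimeError(f"no free port pool for {user}: Terminal Server is at its "
                                   f"concurrent-user limit ({self.capacity})")
            self.assigned[user] = self.free.pop(0)
        return self.assigned[user]

    def release(self, user: str) -> None:
        """User logout: all of the user's connections close, the pool is reusable."""
        pool = self.assigned.pop(user, None)
        if pool is not None:
            self.free.append(pool)


# Constructed configuration for this example.
USABLE = PortRange(10000, 19999)
LOCAL = PortRange(9000, 9199)            # no-identity range for SYSTEM / local accounts
EXCLUDED = [PortRange(12000, 12500)]     # e.g. a local application pinned to these ports
PORTS_PER_USER = 200

if __name__ == "__main__":
    pools = carve_pools(USABLE, PORTS_PER_USER, EXCLUDED, LOCAL)
    alloc = PortPoolAllocator(pools, LOCAL)
    print(f"{alloc.capacity} concurrent domain users possible with {PORTS_PER_USER} ports each")
    print("alice  ->", alloc.pool_for("CORP\\alice", True))
    print("SYSTEM ->", alloc.pool_for("SYSTEM", False))
```

Two practical checks follow from the model: the number of concurrent users is the usable range divided by the ports-per-user setting, minus whatever the exclusions cost, so raising ports-per-user to satisfy a port-hungry application directly lowers the user ceiling; and a change to the excluded ranges only takes effect for pools carved after the reboot the FAQ mentions, which is why a reboot is part of the exclusion procedure.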
Applies To:
  • muhagent
  • Multi-User Host Agent
  • Multi User Host Agent
  • MUH Agent
  • Terminal Servers Identity Agent
