For Windows users within an Active Directory domain, there is one more authentication method available: using a dedicated authentication agent. The agent is a service that sends user information, including the username and IP address, to the NGFW server. This allows NGFW to uniquely identify all network connections of this user without having to use other authentication methods. To start working with user identification using the authorization agent, follow these steps:
Name |
Description |
---|---|
Step 1. Allow the Authentication agent service in the desired zone. |
In the Network ➜ Zones section, allow the Authentication agent service for the zone where the users are located. |
Step 2. Set a password for terminal server agents. |
In the NGFW console, go to the UserGate ➜ General settings ➜ Modules section, click the Configure button next to the Password for terminal server agent entry, and set a password for terminal server agents. |
Step 3. Install the authentication agent. |
Install the authentication agent on all computers that require user identification. Important! The authorization agent is compatible with all Windows versions except Windows XP. The authentication agent is supplied with an administrative template for distribution via Active Directory policies. The administrator can use this template to deploy a correctly configured agent to a large number of user computers. Using the administrative template, the administrator can specify the IP address and port of UserGate NGFW as well as the password set at the previous step. For more details on deploying software using Active Directory policies, see the Microsoft documentation. You can also install the agent without using Group Policies. To do this, you need to install the agent from the installer and specify the necessary parameters for connecting to UserGate NGFW in the following registry keys: [HKEY_CURRENT_USER\Software\Policies\Entensys\Auth Client] "ServerIP"="" "ServerPort"="1813" "SharedKey"="" |
NGFW will now receive user information. You can use user names as shown in Active Directory in your security policies; for that, you will need a configured LDAP connector. Absent a configured connector, you can use the Known and Unknown users.
The installed authentication agent sends information about all IP addresses assigned to the device interfaces. In some scenarios, you may need to exclude certain IP addresses from this information by specifying a network or range in the agent settings.
You can exclude the authentication agent from sending certain addresses and/or subnets using the ExcludeIP parameter. The ExcludeIP parameter can have the following settings:
-
IP addresses in the x.x.x.x format and/or subnet addresses in the x.x.x.x/n format are specified separated by semicolons (for example, ExcludeIP=x.x.x.x/n; x.x.x.x).
-
Spaces are allowed between addresses in the list, they are ignored (for example, ExcludeIP=x.x.x.x/n; x.x.x.x;y.y.y.y).
-
If there are spelling errors in the addresses in the line, they will be reflected in the logs when the agent starts. Only correctly specified addresses will be used. The number of used addresses from the list is written to the log when the agent starts.
-
If, as a result of filtering, all addresses are excluded from the distribution, then a log entry is made (once) in the form: GetIPAddressList: IP list is blocked by ExceptIP. If a non-empty distribution is later generated, a log entry is made in the form: GetIPAddressList: IP list is not blocked by ExceptIP anymore.
The ExcludeIP parameter can be enabled on the system in several ways:
-
Added to the agent configuration file tsagent.cfg, which is created in the section: \users\<username>..ApplicationData\Entensys. After making changes, the authentication agent must be restarted. In this case, the parameter settings will only apply to the user under whose account the file was created.
-
Added as a string parameter to the Windows registry key [HKEY_CURRENT_USER\Software\Policies\Entensys\Auth Client]. In this case, the parameter settings will only apply to this user.
-
Added as a string parameter to the Windows registry key [HKEY_LOCAL_MACHINE\Software\Policies\Entensys\Auth Client]. In this case, the parameter settings will apply to all users of this system.
The order of searching for ExcludeIP parameter settings in the system is as follows: first, the parameter is searched in the registry key [HKEY_LOCAL_MACHINE\Software\Policies\Entensys\Auth Client], then in the registry key [HKEY_CURRENT_USER\Software\Policies\Entensys\Auth Client], then in the tsagent.cfg file.