topic Re: Identity Awareness on Remote Gateway in Firewall and Security Management

Identity Awareness on Remote Gateway

Shahar_Grober — Mon, 10 Feb 2020 19:27:25 GMT

Hi,

I have an issue with Identity Awareness where I want to configure IDA on a remote gateway.

the topology is

AD --> Corporate GW <---S2S VPN---> Remote GW

IDA is working well in the main office where the AD is and the corporate GW has direct access to the AD. when I try to connect the remote Gateway with the AD I get the following error:

"An error was detected while trying to authenticate against the AD server. It may be a problem of bad configuration or connectivity. Please refer to the troubleshooting guide for more help"

There are no instructions in the IDA manual or SK on how to work in such a configuration.

Does anyone have experience with it or can help troubleshoot?

( I have already contacted support but they aren't very helpful)

Re: Identity Awareness on Remote Gateway

Wolfgang — Mon, 10 Feb 2020 20:24:06 GMT

Shahar,

maybee it‘s something with the vpn tunnel. Check for connections from your remote gateway to your AD servers. This connections will be initiated with the external IP of your remote gateway. Maybee they are not encrypted or blocked not going the through the tunnel.

Another way... use identity sharing, you can configure your central gateway to share identities with other gateway and your remote gateway should get the identities from the central gateway.

The error is shown if you run the IA wizard for the remote gateway ?
Wolfgang

Re: Identity Awareness on Remote Gateway

Shahar_Grober — Mon, 10 Feb 2020 22:39:18 GMT

no error is shown during the creation of the IA wizard,
I checked all communication and it looks like it is going through the VPN tunnel. We checked ports block with support, we didn't see any drop. We also to allow any service between AD and GW. maybe the back connections from the AD to the GW are blocked. we are still checking but didn't see anything.

Re: Identity Awareness on Remote Gateway

Kaspars_Zibarts — Tue, 11 Feb 2020 08:33:09 GMT

I would recommend the same - identity sharing. Else I stumbled across this one, sounds like yours:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105950

and this might help too

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113747

We use Identity Collector instead of direct connection to AD which seems much soother from our experience 🙂

Re: Identity Awareness on Remote Gateway

RS_Daniel — Tue, 11 Feb 2020 12:39:52 GMT

Hello Shahar,

We had a similar issue in the past. We noticed LDAP queries did not go trough the tunnel because LDAP traffic is accepted by implied rules and is not encrypted. Used workaround was the procedure in sk26059 and create specific rules for that traffic.

HTH.

Re: Identity Awareness on Remote Gateway

Shahar_Grober — Wed, 12 Feb 2020 14:42:14 GMT

Thanks for the quick reply, indeed this is what CP says. It seems weird that LDAP is in an implied rule. I think that the best option, in this case, is Identity Sharing instead of modifying inspection rules. Let's see if this one works

Re: Identity Awareness on Remote Gateway

Norbert_Bohusch — Wed, 12 Feb 2020 18:51:41 GMT

If the gateways in question are clusters be careful with identity sharing, because we saw identity sharing causing IPSEC replay attacks because of standby members!

Re: Identity Awareness on Remote Gateway

Shahar_Grober — Thu, 13 Feb 2020 10:27:24 GMT

The main GW which do the identity sharing is a cluster. Is there a way to mitigate it?

Re: Identity Awareness on Remote Gateway

MikeB — Thu, 26 Mar 2020 19:26:05 GMT

Thank you RS_Daniel! you solve my problem too!