topic Re: AD Query server connection in Firewall and Security Management

AD Query server connection

Ryan_Ryan — Thu, 27 Jun 2019 22:16:20 GMT

Hi all,

Wondering if anyone has ideas on this issue, I have 2 clusters (same policy). On one cluster it can successfully connect and receive login events from two domain controllers, on the other cluster I get the message "no connectivity, connection refused by remote host [ntstatus = 0xc0000236]"

Both clusters use the same login credentials, both clusters can telnet to the server IP's on port 389 and 636. I have also connected to the server and checked event viewer. I don't see any errors it all says success.

When I use the test_ad_connectivity tool I get the following:

:status (SUCCESS_LDAP_WMI_NO_CONNECTIVITY)
:err_msg ("ADLOG_ERROR_NETWORK_PROBLEM;LDAP_SUCCESS")
:ldap_status (LDAP_SUCCESS)
:wmi_status (ADLOG_ERROR_NETWORK_PROBLEM)
:timestamp ("Thu Jun 27 16:55:30 2019")

Any ideas what this could be?

thanks

Re: AD Query server connection

PhoneBoy — Thu, 27 Jun 2019 23:21:03 GMT

Can you check with ldapsearch instead?
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk55040

Re: AD Query server connection

Ryan_Ryan — Fri, 28 Jun 2019 02:03:48 GMT

Hi good idea,

I tried that and can confirm it has successfully queried and returns correct information from ldap.

Re: AD Query server connection

PhoneBoy — Fri, 28 Jun 2019 03:31:46 GMT

Unless @Royi_Priov or someone from R&D has an idea, I suggest opening a TAC case.

Re: AD Query server connection

Ryan_Ryan — Fri, 28 Jun 2019 04:13:08 GMT

I might have found the issue, if there is another f/w between the gateway and the domain controller it appears you need to open:

tcp/389 or tcp/636

tcp/135

tcp/1025-65535

For full connectivity. Will update once we have opened ports and confirmed.

Re: AD Query server connection

Sigbjorn — Fri, 28 Jun 2019 05:38:01 GMT

Hi Ryan,

You do need RPC communication for AD Query to work, but you don't need all "tcp-high-ports".

49152-65535 is the Microsoft specified range required, and it's what we use for our AD Query setups.

(In addtition to tcp/636 and tcp/135)

/Sigbjorn

Re: AD Query server connection

Gaurav_Pandya — Fri, 28 Jun 2019 09:54:02 GMT

Hi Ryan,

I am sure that firewall in between is the issue. You need to open required ports on that firewall

Re: AD Query server connection

Royi_Priov — Sun, 30 Jun 2019 07:01:52 GMT

Hi,

It looks like you are in the right direction with the DCE-RPC ports, I will explain why:

LDAP connectivity is not related to the WMI connection which should be open between GW to AD.

You can also see in the log:

:status (SUCCESS_LDAP_WMI_NO_CONNECTIVITY)
:err_msg ("ADLOG_ERROR_NETWORK_PROBLEM;LDAP_SUCCESS")
:ldap_status (LDAP_SUCCESS)
:wmi_status (ADLOG_ERROR_NETWORK_PROBLEM)
:timestamp ("Thu Jun 27 16:55:30 2019")

Thanks,

Royi.

Re: AD Query server connection

Ryan_Ryan — Thu, 04 Jul 2019 03:38:09 GMT

confirmed it was the f/w ports needing to be opened. working now!