topic Re: How to access remote site's LDPA server via VPN for Local site CheckPoint's identity awareness ? in Firewall and Security Management

How to access remote site's LDPA server via VPN for Local site CheckPoint's identity awareness ?

MTS — Wed, 11 Aug 2021 14:58:29 GMT

Hello and thank you in advance.

We got trouble that we have CheckPoint are now managed by the same cloud.

Let says we got CheckPoint A and B now.

The AD (LDAP) server is located on A site now.

A and B sites just had a VPN community connection and we did confirm no communication error between sites.

At least, those Site B hosts can access the Site A LDAP for Domain authentication at the moment.

We set up the "identity awareness" on Site A Checkpoint and nothing outstanding, everything works well.

We then try to use the same configuration for the Site B Checkpoint to connect to the same AD over the VPN.

And it reported a connectivity issue and said the Site B Checkpoint NO connection to the remote site Server.

Why?

Re: How to access remote site's LDPA server via VPN for Local site CheckPoint's identity awareness ?

PhoneBoy — Wed, 11 Aug 2021 22:59:27 GMT

Version/JHF level?
Do you have identity sharing enabled between the gateways?
How are identities acquired? (AQ Query, Identity Collector, or?)

Re: How to access remote site's LDPA server via VPN for Local site CheckPoint's identity awareness ?

MTS — Thu, 12 Aug 2021 01:01:21 GMT

Version/JHF level?

the latest

Do you have identity sharing enabled between the gateways?

Should be no.

How are identities acquired? (AQ Query, Identity Collector, or?)

Just want to find an AD user name from the log.

Below the error message FYI.

Re: How to access remote site's LDPA server via VPN for Local site CheckPoint's identity awareness ?

PhoneBoy — Thu, 12 Aug 2021 03:39:51 GMT

This requires configuring Identity Awareness, which you are apparently trying to do.
For this to work, you must be running R80.20 and above and configure one of the gateways as an Active Directory proxy.

See: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_IdentityAwareness_AdminGuide/Topics-IDAG/Identity-Awareness-Config-as-Active-Directory-Proxy.htm?Highlight=Ad%20proxy

Re: How to access remote site's LDPA server via VPN for Local site CheckPoint's identity awareness ?

MTS — Thu, 12 Aug 2021 12:38:58 GMT

The same AD and Identity Awareness are just working for my 192.168.1.1 site.

For the 192.168.10.X checkpoint is not working... I have no idea how to let the 192.168.10.X checkpoint using the right route and source interface to access back the AD...

Based on the route debug and traceroute, I find it go outside the internet but not VPN to the AD...

Re: How to access remote site's LDPA server via VPN for Local site CheckPoint's identity awareness ?

PhoneBoy — Thu, 12 Aug 2021 13:25:30 GMT

Note that even though you did not explicitly configure it, the gateway is always included in the Encryption Domain.
However, you need to ensure the rules permit this traffic.
The traffic will probably come from the gateway's external IP, which is expected.

Re: How to access remote site's LDPA server via VPN for Local site CheckPoint's identity awareness ?

MTS — Mon, 23 Aug 2021 01:02:04 GMT

I even try to have a rule any source to any destination permit and still not works for me.

I also check the KB seems the 1500 series not supports having local connection to AD.

But seems using another Gateway Managed by the same SMS (We are Smart 1- Cloud) to share the AD is ok.

Might I know if you manipulate it also? Would like to knows the steps on how to configure it.

Re: How to access remote site's LDPA server via VPN for Local site CheckPoint's identity awareness ?

PhoneBoy — Mon, 23 Aug 2021 01:10:39 GMT

You can't use an SMB gateway as an AD proxy.
That is an RFE.
If you have a non-SMB gateway that is managed by the same AD server that also has access, you configure it per the docs I linked above.

Re: How to access remote site's LDPA server via VPN for Local site CheckPoint's identity awareness ?

MTS — Mon, 23 Aug 2021 01:13:00 GMT

So, there is no way for 1570 to connect the AD via VPN / Proxy now?

Re: How to access remote site's LDPA server via VPN for Local site CheckPoint's identity awareness ?

PhoneBoy — Mon, 23 Aug 2021 01:16:32 GMT

Correct, there is no way to do it with just SMB gateways.

Re: How to access remote site's LDPA server via VPN for Local site CheckPoint's identity awareness ?

MTS — Mon, 23 Aug 2021 01:19:25 GMT

Sorry, seems I missing one thing.

We are using 6000 formal Gaia OS gateway for A site.

Only B site uses the 1570.

Any chance has AD connected for this case?

Re: How to access remote site's LDPA server via VPN for Local site CheckPoint's identity awareness ?

PhoneBoy — Mon, 23 Aug 2021 01:44:56 GMT

The AD proxy is needed so Smart-1 Cloud can query your on-premise AD server.
Like I said previously, you need to configure Identity Sharing between the two gateways.
Please review the documentation I linked above.

Can your AD server accept LDAP requests on port 389?
If not, that also is a known limitation: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk159772