topic Re: Identity Collector - Identity Sources configuration in Firewall and Security Management

Identity Collector - Identity Sources configuration

Dave — Fri, 23 Sep 2022 14:40:54 GMT

So i'm preparing to move from AD query to Identity Collector.

Installed the software on 2 domain controllers for redundancy.

All working fine for the domain controller on which the software is installed, but the other one is not.

"Unable to connect, please check connectivity ....."

Actually, i added our 4 DC as identity sources but only planning to install IC on 2 of them since this is enough for redundancy purpose.

Are you supposed to only add the DC where Identity Collector has been installed on, as identity source?

Re: Identity Collector - Identity Sources configuration

the_rock — Fri, 23 Sep 2022 14:51:40 GMT

You should be able to add all of them actually. Did you check connectivity with other 3?

Andy

Re: Identity Collector - Identity Sources configuration

Dave — Fri, 23 Sep 2022 15:03:07 GMT

They are all in the same subnet so i would assume this would have been a no brainer. Seems not 😊

So on one DC, let's say DC4 in my case, i should be able to see events from all 4 DC, that's what you are saying?

Then i'm asking myself what is blocking this.....

Re: Identity Collector - Identity Sources configuration

the_rock — Fri, 23 Sep 2022 15:07:37 GMT

Agree, specially if its same subnet : - ). How did you add them? Manually or option "fetch automatically"?

Re: Identity Collector - Identity Sources configuration

Dave — Fri, 23 Sep 2022 15:17:33 GMT

"fetch automatically" is how i added them

If i double click on the identity source where IC is installed, it passes the test and connection is fine.

If i double click on any other identity source where IC is not installed on, it fails the test with the message "unable to connect, please check"

Re: Identity Collector - Identity Sources configuration

the_rock — Fri, 23 Sep 2022 15:20:00 GMT

Let me confirm with client we did this for, as they also have 4 DCs I believe and all shows fine, but IC is only installed on one of them.

Re: Identity Collector - Identity Sources configuration

the_rock — Fri, 23 Sep 2022 15:28:00 GMT

This is what customer told me as the answer to my question if he remembered if we did automatic or manual...

"I can’t recall but I think it found all of them. I know it pulled the wrong info (site name) and I had to manually enter that."

Re: Identity Collector - Identity Sources configuration

Dave — Tue, 27 Sep 2022 07:50:06 GMT

Got it figured out 🙂

The issue was Windows Firewall blocking dynamic ports communication between DCs, once we opened that up, everything became green and connected.

Advice to Checkpoint: please add this in the documentation of Identity Collector as a note (Windows Firewall rule which needs to allow incoming DCOM ports communication between DCs) so people don't have to loose too much time troubleshooting this.

Re: Identity Collector - Identity Sources configuration

_Val_ — Tue, 27 Sep 2022 08:38:50 GMT

Thanks for sharing the solution, @Dave

Re: Identity Collector - Identity Sources configuration

the_rock — Tue, 27 Sep 2022 12:30:52 GMT

Good old Windows : - ). Thanks a lot for letting us know, it will help others, for sure!!

Re: Identity Collector - Identity Sources configuration

Dave — Wed, 28 Sep 2022 15:14:24 GMT

Unfortunately, the story doesn't end here because another issue popped up.

So i had foreseen to run identity collector as a service under another service account, freshly created and with the domain user permissions, user is part of group 'Event Log Readers' group.

As soon as i run cpidc.exe as a service and under this new service account, everything stops working, all identity sources are yellow and no identities are collected anymore.

When i remove the service account and let the service run under my domain admin account, everthing changes instantly to green again and identities are collected.

This for sure has to do with user rights in Windows, but it seems like having a domain user with group membership of 'Event Log Readers' group is not enough?

Please help me understand what i'm missing 🙂

Re: Identity Collector - Identity Sources configuration

_Val_ — Thu, 29 Sep 2022 06:48:03 GMT

Most probably the permissions mismatch. If you looked through sk108235 and sk179544 and did not find the trigger for the issue, I would advise engaging with TAC to drill down.

Re: Identity Collector - Identity Sources configuration

Dave — Thu, 29 Sep 2022 07:51:16 GMT

Yes permission issue most probably, only hard to find what's missing...

This simple domain user account, should it also need to be part of the 'Distributed DCOM users' group?

Or the 'Event Log Readers' group should be enough?

Re: Identity Collector - Identity Sources configuration

freeman91 — Thu, 27 Feb 2025 14:38:26 GMT

Hi,

there are like 7 DCOM-In inbound rules with local port 135.

which of them needs to be allowed?