https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-to-encrypt-LDAP-communication-for-Identity/m-p/162201#M28810 <P>Hello,</P><P>Make a packet capture while running on encrypted on port 389. You will see everything. This makes it vulnerable for men in the middle attacks. Attackers could steal or change data in the AD. I would strongly recommend to use 636 with fingerprint Check Point. The only downside for 636 in combination with Check Point is the random fingerprint changes. Please refer to this SK to get better understanding:&nbsp;</P><P>&nbsp;</P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk42905" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk42905</A></P><P><A href="https://community.checkpoint.com/t5/Security-Gateways/Check-Point-LDAPS-connection-breaks-everytime-AD-certificate-is/td-p/100671" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/Check-Point-LDAPS-connection-breaks-everytime-AD-certificate-is/td-p/100671&nbsp;</A></P><P>&nbsp;</P> Wed, 16 Nov 2022 09:32:57 GMT Lesley 2022-11-16T09:32:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-to-encrypt-LDAP-communication-for-Identity/m-p/162131#M28789 <P>&nbsp;</P><P>Hello Gents,</P><P>Just seeking an opinion on how risky it would be to stick with port 389 over 636 for communication with domain controller.</P><P>Cheers,</P><P>CPter</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 15 Nov 2022 13:17:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-to-encrypt-LDAP-communication-for-Identity/m-p/162131#M28789 checkpointer 2022-11-15T13:17:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-to-encrypt-LDAP-communication-for-Identity/m-p/162187#M28803 <P>Suggest researching the relevant Microsoft recommendations and what they're enforcing, for example:</P> <P><A href="https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a" target="_blank">https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a</A></P> <P>&nbsp;</P> Wed, 16 Nov 2022 01:53:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-to-encrypt-LDAP-communication-for-Identity/m-p/162187#M28803 Chris_Atkinson 2022-11-16T01:53:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-to-encrypt-LDAP-communication-for-Identity/m-p/162201#M28810 <P>Hello,</P><P>Make a packet capture while running on encrypted on port 389. You will see everything. This makes it vulnerable for men in the middle attacks. Attackers could steal or change data in the AD. I would strongly recommend to use 636 with fingerprint Check Point. The only downside for 636 in combination with Check Point is the random fingerprint changes. Please refer to this SK to get better understanding:&nbsp;</P><P>&nbsp;</P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk42905" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk42905</A></P><P><A href="https://community.checkpoint.com/t5/Security-Gateways/Check-Point-LDAPS-connection-breaks-everytime-AD-certificate-is/td-p/100671" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/Check-Point-LDAPS-connection-breaks-everytime-AD-certificate-is/td-p/100671&nbsp;</A></P><P>&nbsp;</P> Wed, 16 Nov 2022 09:32:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Gateway-to-encrypt-LDAP-communication-for-Identity/m-p/162201#M28810 Lesley 2022-11-16T09:32:57Z