https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242664#M47142 <P>I can agree. Just bc it is internal communication between DC and IC, any any policy with specified source and destination will do a job.</P> Fri, 28 Feb 2025 14:05:06 GMT freeman91 2025-02-28T14:05:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242638#M47129 <P>Hi all,&nbsp;</P><P>I looked at all the threads related to Identity Collector, as well as the documentation for deploing Identity Collector and like other, I also have had a problem until I turned off firewall on windows server.</P><P>This is enough for me just to check if there is a connection issue to DC other then firewall. Now I want to turn on the firewall and allow only what is necessary.&nbsp;<BR />Are anyone here is willing to share setup of its windows firewall in case where its firewall is turned on, and connection with IC is green <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Far now, I allowed only those 7 DCOM 135 rules&nbsp;&nbsp;but it is not enough.</P><DIV class="">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29748i1DB33E4B54EC239C/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> Fri, 28 Feb 2025 10:11:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242638#M47129 freeman91 2025-02-28T10:11:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242644#M47131 <P>HTTPS, DCOM, RPC, LDAP, DNS are needed depending on the server role.&nbsp;<A href="https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Clients-AG/Identity-Collector-Requirements.htm?tocpath=Identity%20Collector%7C_____1" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Clients-AG/Identity-Collector-Requirements.htm?tocpath=Identity%20Collector%7C_____1</A></P> Fri, 28 Feb 2025 11:36:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242644#M47131 Chris_Atkinson 2025-02-28T11:36:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242656#M47137 <P>Can you assist me how does this rule looks like in firewall policy:</P><UL><LI><P>Add "Allow"<SPAN>&nbsp;</SPAN><A class="" href="https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Clients-AG/Identity-Collector-Requirements.htm?tocpath=Identity%20Collector%7C_____1#" target="_blank" rel="noopener">rule</A></P><SPAN>Remote Event Log Management &gt; Remote Event Log Management (RPC)</SPAN></LI></UL> Fri, 28 Feb 2025 13:10:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242656#M47137 freeman91 2025-02-28T13:10:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242659#M47138 <P>I just add a rule that says from fw to IC (bi-directionally), allow on any port, thats it.</P> <P>Andy</P> Fri, 28 Feb 2025 13:35:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242659#M47138 the_rock 2025-02-28T13:35:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242661#M47139 <P>Ok, I can accept that as a good workaround solution.&nbsp;</P><P>&nbsp;</P><P>Thank you!</P> Fri, 28 Feb 2025 13:59:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242661#M47139 freeman91 2025-02-28T13:59:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242663#M47141 <P>Glad we can help. Btw, since we all do IT security here, goes without saying ports should always be indicated whenever possible, but at the end of the day, this is just internal communication, so I dont find it would be a huge deal...just my 2 cents.</P> <P>Andy</P> Fri, 28 Feb 2025 14:01:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242663#M47141 the_rock 2025-02-28T14:01:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242664#M47142 <P>I can agree. Just bc it is internal communication between DC and IC, any any policy with specified source and destination will do a job.</P> Fri, 28 Feb 2025 14:05:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242664#M47142 freeman91 2025-02-28T14:05:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242665#M47143 <P>Though you can always follow what Chris gave, its an official reference.</P> <P>Andy</P> Fri, 28 Feb 2025 14:08:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Check-Point-Identity-Collector-Windows-Server-firewall/m-p/242665#M47143 the_rock 2025-02-28T14:08:19Z