<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Identity Collector and Gateway certificates - which one? in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-Gateway-certificates-which-one/m-p/246365#M48004</link>
    <description>&lt;P&gt;You can control which certificate IDC uses.&lt;/P&gt;
&lt;P&gt;Example: you can associate your certificate signed by your CA to the user check portal.&lt;/P&gt;
&lt;P&gt;The user check portal will be associated to an IP and an FQDN to make the certificate work... so simply configure the usercheck IP in IDC and your own certificate will be prompted to be trusted.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;That IP/FQDN/certificate association needs to be unique on the FW to avoid overlapping with other portals.&lt;/P&gt;
&lt;P&gt;I have an environment with usercheck and captive portal associated to the same IP, FQDN and certificate... from IDC I configure the IP of them.&lt;/P&gt;</description>
    <pubDate>Mon, 14 Apr 2025 10:47:49 GMT</pubDate>
    <dc:creator>CheckPointerXL</dc:creator>
    <dc:date>2025-04-14T10:47:49Z</dc:date>
    <item>
      <title>Identity Collector and Gateway certificates - which one?</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-Gateway-certificates-which-one/m-p/246278#M47994</link>
      <description>&lt;P&gt;A question to which I think I know the answer, but thought I'd see if anyone knows of an "official answer".&amp;nbsp; We use Identity Collectors in our various environments: production, lab, etc. In our lab, the certificate used by the Identity Collector to validate the gateway is the platform portal certificate, issued by our internal Windows CA. Our lab gateways also have an IPSec certificate, issued by our SMS.&lt;/P&gt;
&lt;P&gt;In our production environment, the certificate used by the Identity Collector to validate the gateway is the IPSec certificate, issued by our SMS. These gateways do not have a platform portal certificate.&lt;/P&gt;
&lt;P&gt;So my question is - where a gateway has a certificate for the platform portal and for IPSec VPN, does the Identity Collector default to the platform portal? Or is there a way to choose what it uses?&lt;/P&gt;
&lt;P&gt;Dave&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 11 Apr 2025 19:33:52 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-Gateway-certificates-which-one/m-p/246278#M47994</guid>
      <dc:creator>David_C1</dc:creator>
      <dc:date>2025-04-11T19:33:52Z</dc:date>
    </item>
    <item>
      <title>Re: Identity Collector and Gateway certificates - which one?</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-Gateway-certificates-which-one/m-p/246365#M48004</link>
      <description>&lt;P&gt;You can control which certificate IDC uses.&lt;/P&gt;
&lt;P&gt;Example: you can associate your certificate signed by your CA to the user check portal.&lt;/P&gt;
&lt;P&gt;The user check portal will be associated to an IP and an FQDN to make the certificate work... so simply configure the usercheck IP in IDC and your own certificate will be prompted to be trusted.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;That IP/FQDN/certificate association needs to be unique on the FW to avoid overlapping with other portals.&lt;/P&gt;
&lt;P&gt;I have an environment with usercheck and captive portal associated to the same IP, FQDN and certificate... from IDC I configure the IP of them.&lt;/P&gt;</description>
      <pubDate>Mon, 14 Apr 2025 10:47:49 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-Gateway-certificates-which-one/m-p/246365#M48004</guid>
      <dc:creator>CheckPointerXL</dc:creator>
      <dc:date>2025-04-14T10:47:49Z</dc:date>
    </item>
    <item>
      <title>Re: Identity Collector and Gateway certificates - which one?</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-Gateway-certificates-which-one/m-p/246377#M48011</link>
      <description>&lt;P&gt;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/54489"&gt;@CheckPointerXL&lt;/a&gt;&amp;nbsp;explained it perfectly.&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
      <pubDate>Mon, 14 Apr 2025 11:58:29 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-Gateway-certificates-which-one/m-p/246377#M48011</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2025-04-14T11:58:29Z</dc:date>
    </item>
    <item>
      <title>Re: Identity Collector and Gateway certificates - which one?</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-Gateway-certificates-which-one/m-p/246403#M48023</link>
      <description>&lt;P&gt;Thanks for this information. Your explanation makes sense, but it does not match my configuration. I have a cert assigned to my captive portal (and the same cert assigned to my platform portal) with an IP of 10.1.1.1. This cert has a number of Subject Alternate Names, both DNS entries and IP addresses. The IP address I used in the IDC configuration to establish connection with this cluster is neither 10.1.1.1 nor any of the SAN entries - it is a different interface on the firewall (the interface for the network that the IDC is on). When I look at the Certificate Info on the gateway config on the IDC, it&amp;nbsp;&lt;STRONG&gt;is&lt;/STRONG&gt; using the usercheck/platform portal cert, but again the IP address used to configure the gateway is not 10.1.1.1 nor any of the addresses listed as a Subject Alternate Name.&lt;/P&gt;
&lt;P&gt;Still a bit stumped.&lt;/P&gt;
&lt;P&gt;Dave&lt;/P&gt;</description>
      <pubDate>Mon, 14 Apr 2025 13:12:05 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-Collector-and-Gateway-certificates-which-one/m-p/246403#M48023</guid>
      <dc:creator>David_C1</dc:creator>
      <dc:date>2025-04-14T13:12:05Z</dc:date>
    </item>
  </channel>
</rss>

