topic Re: Activating Identity Awareness to Intergrate AD in General Topics

Activating Identity Awareness to Intergrate AD

Sanjay_S — Tue, 30 Oct 2018 11:33:05 GMT

Hi All,

I need your suggestion on this, could you please let me know how to configure Identity awareness for 2 domains.

We have 2 domains and we need to configure Identity Awareness for both the domains. Is this possible?

Is yes can you please let me know how to achieve this? This is the first time i am implementing the Identity awareness, so let me know what all the best back-out plan if something goes wrong.

Re: Activating Identity Awareness to Intergrate AD

G_W_Albrecht — Tue, 30 Oct 2018 13:45:40 GMT

This is a very broad and complicated topic - please study the CP Identity Awareness Admin Guide (for R77 or R80 versions) first to be able to select the best configuration for the customer. A very good way to get information from several DCs is the Check Point Identity Collector, see sk108235 !

Re: Activating Identity Awareness to Intergrate AD

Sanjay_S — Wed, 31 Oct 2018 09:35:27 GMT

Thank you Gunther, i will go through the SK and will get back to you if any doubts.

Re: Activating Identity Awareness to Intergrate AD

Sanjay_S — Mon, 05 Nov 2018 11:53:42 GMT

Hi Gunther,

I went through multiple docs and the SK you shared and found that there is a possibility of configuring multiple domains. As per the adminisration guide. But no where i see the help to how we configure and where to configure.

Identity Awareness R80.10 Administration Guide

As per the note in the administration guide below:

Notes:

After completing this wizard, you can select additional Identity Sources.
When you enable Browser-Based Authentication on Security Gateway that runs on an IP Series appliance with IPSO OS, make sure to set the Voyager management application port to a number other than 443 or 80.

So that says we can configure additional AD, but not sure how to configure. Is there any who tried this? Any suggestions help please.

Re: Activating Identity Awareness to Intergrate AD

G_W_Albrecht — Mon, 05 Nov 2018 12:56:10 GMT

Identity Source does mean something else - here, you have to follow sk97837: How to add Multiple LDAP Servers into AD Query.

Re: Activating Identity Awareness to Intergrate AD

Sanjay_S — Mon, 05 Nov 2018 13:30:42 GMT

Thank you Gunther

I will check this and configure in the standby site first and then if any doubts will get back to you.

Re: Activating Identity Awareness to Intergrate AD

Sven_Glock — Mon, 05 Nov 2018 18:19:16 GMT

I have not tested it, but I would say that it should work like this:

When using the Identity Awareness wizzard you only have the possibility to add one AD/domain.

For the second AD/Domain you need to add a LDAP Account Unit manually.

After that go into your gateway's properties --> Identity Awareness

Select the settings of the identity sources you are using.

Go to the authentication settings and add the LDAP account unit you added before to the user directories:

Cheers

Sven

Re: Activating Identity Awareness to Intergrate AD

Sanjay_S — Mon, 26 Nov 2018 10:45:44 GMT

Hi Sven,

Could you please be more clear on this. I will add one AD/Domain from the Wizzard and the second one as below SK.

How to add Multiple LDAP Servers into AD Query

And then what should i do to proceed to get this working? Please give me steps or any SK that could help. Because today at 3PM UK i will be implementing it. As of now i am not seeing any Identity awareness settings hope it will be enabled only after i enable the blade.

Re: Activating Identity Awareness to Intergrate AD

Sanjay_S — Mon, 26 Nov 2018 17:58:58 GMT

Hi All,

I tried configuring the first domain, but during the first step it failed with the below error message.

SmartDashboard could not connect to 10.10.10.1 - Could not communicate with Server.

Re: Activating Identity Awareness to Intergrate AD

Sven_Glock — Mon, 26 Nov 2018 18:13:47 GMT

HI Sanjay,

for connection to the AD you need several open ports.
Please check R80.x Ports Used for Communication by Various Check Point Modules

Additinally you need users with specific rights in the AD.

Hope this will help.

Cheers

Sven

Re: Activating Identity Awareness to Intergrate AD

Sven_Glock — Mon, 26 Nov 2018 18:16:26 GMT

What the SK forget to tell is: If you want to add a second AD you need to an a new LDAP Account Unit.

The you can add the new LDAP Account Unit as described in the SK.

Cheers

Sven

Re: Activating Identity Awareness to Intergrate AD

Sanjay_S — Fri, 30 Nov 2018 13:18:27 GMT

Thank you Sven for the reply.

Could you please help me to know whether there should be access from Management server to the AD server for which we will enable the Identity awareness blade?

What all pre-requisites for getting this happen other than ports? Please help.

Re: Activating Identity Awareness to Intergrate AD

Sanjay_S — Fri, 30 Nov 2018 14:56:22 GMT

Just for clarification does the AD server needs to be reachable from both Management server and Gateways to get this working?

Re: Activating Identity Awareness to Intergrate AD

G_W_Albrecht — Mon, 03 Dec 2018 07:36:26 GMT

Yes.

Re: Activating Identity Awareness to Intergrate AD

Sven_Glock — Mon, 03 Dec 2018 08:59:08 GMT

For creating access-roles using the SmartConsole you have to select specific items from the AD tree.

For this operation you need to have access from the management server to the AD