topic Re: Identity Collector in General Topics

Identity Collector

Moudar — Tue, 28 Jan 2025 13:00:59 GMT

Hi,

I am trying to use IDC (Windows AD) with remote access VPN.

IDC has green gateway and green AD server.

Whe using Checkpoint Endpoint Security App on Windows machine it connects well if users are locally created on SMS, but if users are on AD it logs:

that user is created on AD and added in a policy rule using an Access role:

On the remote access community under Participats user groups = all users

Windows machine can reach SMS and gateway and vice versa.

Running pdp idc status:

pdp idc status Identity Collector IP: 192.168.10.212 Identity Sources: No information about identity sources

and cpstat identityServer -f idc:

cpstat identityServer -f idc Identity Collector Sources ----------------------------------------------------------- |Type|Name|Host|Status|IDC IP|Events Recieved|Total Events| ----------------------------------------------------------- -----------------------------------------------------------

I think IDC is not sending events to the gateway but why?

What do I miss here?

Re: Identity Collector

G_W_Albrecht — Tue, 28 Jan 2025 13:31:49 GMT

Did you follow https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Clients-AG/Identity-Collector-Requirements.htm?tocpath=Identity%20Collector%7C_____1 ?

Re: Identity Collector

the_rock — Tue, 28 Jan 2025 13:40:42 GMT

Do you have proper LDAP account unit configured? The reason I asked that question is what Phoneboy said in a different post couple of years back:

Identity Collector changes how the gateways acquire users (using Security Logs instead of WMI).
The actual groups are still pulled the same way as with ADQuery: via LDAP queries from the relevant gateways.
Which means you should verify the information needed to perform these lookups is correct: https://support.checkpoint.com/results/sk/sk180392

Andy

Re: Identity Collector

Moudar — Tue, 28 Jan 2025 14:07:06 GMT

Running ldapsearch command shows that LDAP account Unit is correctly configured as of my knowledge!

ldapsearch -h 192.168.10.212 -p 389 -D "CN=CP-User,CN=Users,DC=alpha,DC=cp" -w Admin123 -b "DC=alpha,D C=cp" "(sAMAccountName=CP-User)" CN=CP-User,CN=Users,DC=alpha,DC=cp objectClass=top objectClass=person objectClass=organizationalPerson objectClass=user cn=CP-User givenName=CP-User distinguishedName=CN=CP-User,CN=Users,DC=alpha,DC=cp instanceType=4 whenCreated=20250121161255.0Z whenChanged=20250121161349.0Z displayName=CP-User uSNCreated=36933 memberOf=CN=Event Log Readers,CN=Builtin,DC=alpha,DC=cp memberOf=CN=Distributed COM Users,CN=Builtin,DC=alpha,DC=cp uSNChanged=36945 name=CP-User objectGUID=NOT ASCII userAccountControl=66048 badPwdCount=0 codePage=0 countryCode=0 badPasswordTime=0 lastLogoff=0 lastLogon=133825288336186747 pwdLastSet=133819495752215514 primaryGroupID=513 objectSid=NOT ASCII accountExpires=9223372036854775807 logonCount=6 sAMAccountName=CP-User sAMAccountType=805306368 userPrincipalName=CP-User@alpha.cp objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=alpha,DC=cp dSCorePropagationData=16010101000000.0Z lastLogonTimestamp=133819496297529642 1 match

Re: Identity Collector

Moudar — Tue, 28 Jan 2025 14:09:38 GMT

i did follow that, plus and firewall on windows machine is disabled

IDC is installed on same machine as AD!? does that create problems?

Re: Identity Collector

the_rock — Tue, 28 Jan 2025 14:10:00 GMT

Yea, that looks good to me. Just wondering, from the smart console, unless its S1C mgmt instance, if its on prem, can you fetch branches okay from the ldap unit?

Andy

Re: Identity Collector

Moudar — Tue, 28 Jan 2025 14:28:40 GMT

Re: Identity Collector

the_rock — Tue, 28 Jan 2025 14:30:14 GMT

And when you click "fetch branches", what does it show?

Andy

Re: Identity Collector

G_W_Albrecht — Tue, 28 Jan 2025 14:31:29 GMT

Not at all - it is rather very usual to do that, as you need a Win Server for IC. Why not contact TAC ? Issues like yours are usually some config glitche(s) that can be resolved in a RAS quickly.

Re: Identity Collector

the_rock — Tue, 28 Jan 2025 14:33:22 GMT

That would not create any issues, most clients I saw install IDC, they did on same machine, as long as communication is there.

Andy

Re: Identity Collector

AkosBakos — Tue, 28 Jan 2025 14:35:33 GMT

Do you use LDAPs or Simple LDAP on port 389?

Re: Identity Collector

RS_Daniel — Tue, 28 Jan 2025 14:40:16 GMT

Hello,

I have always deployed IDC on the AD server without problems. However once it did not work and TAC told us that is not recommended, we should install IDC on a different windows server. Tried moving the IDC to a different server and issue was fixed, so you can try and check.

Regards

Re: Identity Collector

Moudar — Tue, 28 Jan 2025 14:40:45 GMT

This is a lab so yes 389 is used.

Re: Identity Collector

Moudar — Tue, 28 Jan 2025 14:41:26 GMT

it shows the same: DC=alpha,DC=cp

Re: Identity Collector

Moudar — Tue, 28 Jan 2025 14:52:13 GMT

I will try that!

Re: Identity Collector

the_rock — Tue, 28 Jan 2025 14:59:07 GMT

Its not bad idea at all. Personally, I always seee customers do it on same machine and works fine.

Andy

Re: Identity Collector

Moudar — Tue, 28 Jan 2025 15:44:43 GMT

I have now tried on other server, and i get the same result:

pdp idc status Identity Collector IP: 192.168.10.212 Identity Sources: No information about identity sources Identity Collector IP: 192.168.10.187 Identity Sources: No information about identity sources

The new server with no AD is .187

Re: Identity Collector

the_rock — Tue, 28 Jan 2025 15:47:47 GMT

And you also disabled windows fw on that machine as well?

Andy

Re: Identity Collector

Moudar — Tue, 28 Jan 2025 15:49:12 GMT

Yes

Re: Identity Collector

the_rock — Tue, 28 Jan 2025 15:56:45 GMT

I would do below.

https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Clients-AG/Identity-Collector-Debug.htm#:~:text=In%20most%20cases%2C%20the%20debugging,enabled%20on%20the%20service%20side.&text=The%20default%20debug%20level%20is,of%20logs%20in%20Identity%20Collector.

Also, make sure you have latest version of IC as well:

sk113021 - Identity Collector fails to connect / add / edit a Security Gateway

I see customer I worked with few months ago had same issue and turned out to be certificate problem, but not sure which one exactly : - (

Andy