https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25345#M5131 <HTML><HEAD></HEAD><BODY><P class="">That’s a big problem of LDAPS configuration in Check Point Account Unit, as there is no check of when certificate expires and a warning upfront.&nbsp;</P><P class="">That’s why I prefer LDAP in this case (at least if everything is internal traffic), even though we send it in clear.</P></BODY></HTML> Mon, 10 Sep 2018 16:43:01 GMT Norbert_Bohusch 2018-09-10T16:43:01Z https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25340#M5126 <HTML><HEAD></HEAD><BODY><P>Hi</P><P>I was just wondering how domain controller redundancy works in Checpoint policy. You create LDAP Account Unit for a domain and add in your 2 ldap server objects (domain controllers).</P><P><IMG class="image-3 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/70119_pastedImage_1.png" /></P><P>Then on the "Objects Management" tab you can only choose 1 of these 2 servers</P><P><IMG class="jive-image image-4" src="https://community.checkpoint.com/legacyfs/online/checkpoint/70120_pastedImage_2.png" /></P><P></P><P>Today the cert on irbdc04 changed which meant ldaps queries stopped working until the fingerprint was fetched. The customer asked us, "why didnt the other domain controller take over serving authentication queries".&nbsp;</P><P>So I'm wondering even though I have 2 servers defined in the ldap account unit, but only 1 defined Objects management tab does this mean that if irbdc04 is not working there is no ldap server redundancy? At what point will phdc03 take over serving requests?</P><P></P><P>Thanks in advance</P><P></P><P>John</P></BODY></HTML> Fri, 07 Sep 2018 12:15:22 GMT https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25340#M5126 John_Colfer 2018-09-07T12:15:22Z https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25341#M5127 <HTML><HEAD></HEAD><BODY><P>i would use CP Identity Collector here - see&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108235&amp;partition=General&amp;product=Identity">sk108235 Identity Collector - Technical Overview</A> for details !</P></BODY></HTML> Fri, 07 Sep 2018 12:21:42 GMT https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25341#M5127 G_W_Albrecht 2018-09-07T12:21:42Z https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25342#M5128 <HTML><HEAD></HEAD><BODY><P>The question is about authentication, not about Identity Awareness.</P></BODY></HTML> Fri, 07 Sep 2018 12:28:49 GMT https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25342#M5128 _Val_ 2018-09-07T12:28:49Z https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25343#M5129 <HTML><HEAD></HEAD><BODY><P>We had EXACTLY the same issue like you a year ago and it looks that priority does nothing in this case because LDAP is reachable, but cannot fetch anything = no issue at all for Check Point.</P><P></P><P>in case first LDAP is not reachable (telnet 636 not possible), it will go to the other LDAP in priority list.</P><P></P><P>In your case first LDAP was reachable (can you confirm ?) and thats all fine accorrding Check Point design.</P></BODY></HTML> Fri, 07 Sep 2018 16:20:38 GMT https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25343#M5129 JozkoMrkvicka 2018-09-07T16:20:38Z https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25344#M5130 <HTML><HEAD></HEAD><BODY><P>Hi Jozko</P><P>Yeah the ldap server was reachable (the server was up), but the fingerprint on the cert had changed so it could not retrieve anything. So does that mean that if the server is up and reachable it will not use the next server in the list, even though it cannot query the directory?</P></BODY></HTML> Mon, 10 Sep 2018 14:36:20 GMT https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25344#M5130 John_Colfer 2018-09-10T14:36:20Z https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25345#M5131 <HTML><HEAD></HEAD><BODY><P class="">That’s a big problem of LDAPS configuration in Check Point Account Unit, as there is no check of when certificate expires and a warning upfront.&nbsp;</P><P class="">That’s why I prefer LDAP in this case (at least if everything is internal traffic), even though we send it in clear.</P></BODY></HTML> Mon, 10 Sep 2018 16:43:01 GMT https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25345#M5131 Norbert_Bohusch 2018-09-10T16:43:01Z https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25346#M5132 <HTML><HEAD></HEAD><BODY><P>Yes, exactly.</P></BODY></HTML> Mon, 10 Sep 2018 20:35:56 GMT https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25346#M5132 JozkoMrkvicka 2018-09-10T20:35:56Z https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25347#M5133 <HTML><HEAD></HEAD><BODY><P>Thanks Norbert. I suggested this to customer but they prefer not to send usernames/passwords in the clear. Is there any other way around this? Is this issue addressed in a subsequent version?</P><P></P><P>Thanks again</P><P></P><P>John</P></BODY></HTML> Wed, 12 Sep 2018 08:49:28 GMT https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/25347#M5133 John_Colfer 2018-09-12T08:49:28Z https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/96875#M19052 <P>Does anyone know if the fingerprint is cached for a period of time on the gateways?&nbsp; &nbsp; &nbsp;Our DC's are configured to auto-renew their certificates annually.&nbsp; &nbsp;But I don't know how much time(if any) we have after the certificates are renewed on the DC's to Fetch the new fingerprint and push policy?</P> Wed, 16 Sep 2020 16:07:42 GMT https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/96875#M19052 Scott_Bily 2020-09-16T16:07:42Z https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/97072#M19078 <P>This is indeed good question, I second that.</P> <P>The best would be to test it in LAB to see real world scenario. I suspect that fingerprint is not cached, it could depends how often you are downloading CRLs from DC, or what is requesting from gateway to DC.</P> Sun, 20 Sep 2020 05:54:36 GMT https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/97072#M19078 JozkoMrkvicka 2020-09-20T05:54:36Z https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/97099#M19082 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/14797">@Scott_Bily</a>&nbsp;</P> <P>The fingerprint is not cached on the gateway. Fingerprint will be installed on the gateway if you fetched from LDAPS-server and did a policy install. Until you change the policy nothing is changed on the gateway. If the fingerprint changes on the LDAP-server you have to refectory again and install policy.</P> <P>There is only one way to overcome the fingerprint problem following&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk42905&amp;partition=Advanced&amp;product=Security" target="_blank" rel="noopener"> LDAP failing with "SSL finger print does not match"</A>&nbsp;, but with a little bit lower security.</P> <P>As a security company Check Point should should solve such a small problem.</P> <P>Wolfgang</P> Sun, 20 Sep 2020 17:56:35 GMT https://community.checkpoint.com/t5/General-Topics/Domain-Controller-Redundancy/m-p/97099#M19082 Wolfgang 2020-09-20T17:56:35Z