https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/204885#M10214 <P>Only if there is a domain controller locally, as per&nbsp;sk178604.</P><TABLE border="1" cellspacing="2" cellpadding="4"><TBODY><TR><TD>SMBGWY-2486</TD><TD>An AD Domain Controller used for authenticating users that is located in the external zone of a device using Hide-NAT is not supported.<BR /><BR />Workaround: Install another Domain Controller in the internal zone of the device.</TD><TD>R81.10.00</TD></TR></TBODY></TABLE> Fri, 02 Feb 2024 13:18:01 GMT Steven_Sultana 2024-02-02T13:18:01Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/77861#M3204 <P>If we follow&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk123858&amp;partition=Basic&amp;product=Identity" target="_blank">sk123858: Identity Collector support on SMB Appliances</A>, Identity Collector is not supported with&nbsp;1100, 1200R, 1400, 600, 700&nbsp;Gaia Embedded&nbsp;R77.20, R75.20 Appliances and the same is declared in <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108235&amp;partition=General&amp;product=Identity" target="_blank">sk108235 - Identity Collector - Technical Overview</A>. <SPAN>sk105380&nbsp;</SPAN><SPAN>Features and Known Limitations for R77.20.xx does not mention it, but in&nbsp;sk159772&nbsp;Check Point R80.20 for 1500 Appliances Features and Known Limitations we find that&nbsp;Identity Collector is supported neither&nbsp;Locally nor&nbsp;Centrally&nbsp;managed !</SPAN></P> <P>The background for this limitation: The&nbsp;<SPAN>PDP of SMB Appliances has no API listening to tcp/443.</SPAN></P> <P><SPAN>But Identity Sharing between PDP on a Gaia GW and PEPs on SMB Appliances do work, see&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk106965&amp;partition=Advanced&amp;product=Identity" target="_blank">sk106965: <STRONG>Identity</STRONG> <STRONG>Sharing</STRONG> does not work with <STRONG>SMB</STRONG> appliance running</A>&nbsp;for details.</SPAN></P> <P><SPAN>So we have tested in lab a central GAiA GW with SMB star VPN topology. Identity Collector updates the GAiA GW and the GAiA GW performs&nbsp;Identity Sharing with the PEPs on the SMB Appliances! This does work, so sk123858 seems a little too narrow-minded...8)</img></SPAN></P> <P>&nbsp;</P> Tue, 10 Mar 2020 11:40:03 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/77861#M3204 G_W_Albrecht 2020-03-10T11:40:03Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/78015#M3223 You're correct, the underlying issue is the Identity Awareness API is not supported on SMB appliances.<BR />Any feature that relies on this API is therefore not supported…at least directly.<BR />If you have a regular gateway in the environment and implement identity sharing with the SMB appliances, that most definitely works.<BR />Not sure exactly how to best represent this in the SK, though. Wed, 11 Mar 2020 19:53:30 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/78015#M3223 PhoneBoy 2020-03-11T19:53:30Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/158183#M7466 <P>Hi,</P> <P>This is a very interesting solution that overcomes some of the limitations as described in the abovementioned sk.</P> <P>I have a customer who is only using SMB appliances and wants to deploy Identity Awareness using a dedicated Gaia FW as PDP.</P> <P>Question: as the management is only currently licensed to support SMB appliances, do we need to foresee a "full-Gaia" management license for this only firewall who will serve as PDP?&nbsp;</P> <P>Thanks and best regards</P> Tue, 27 Sep 2022 15:16:21 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/158183#M7466 rlopesdu 2022-09-27T15:16:21Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/158234#M7471 <P>Yes, you will need a license to manage that gateway.</P> Tue, 27 Sep 2022 21:05:08 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/158234#M7471 PhoneBoy 2022-09-27T21:05:08Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/158263#M7473 <P>Thanks for the clarification.&nbsp;</P> Wed, 28 Sep 2022 07:02:51 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/158263#M7473 rlopesdu 2022-09-28T07:02:51Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/158281#M7474 <P>In R81.10.00 for Quantum spark 1500\1600\1800, Identity collector is supported for centrally managed appliances.</P> Wed, 28 Sep 2022 08:53:25 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/158281#M7474 G_W_Albrecht 2022-09-28T08:53:25Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/204885#M10214 <P>Only if there is a domain controller locally, as per&nbsp;sk178604.</P><TABLE border="1" cellspacing="2" cellpadding="4"><TBODY><TR><TD>SMBGWY-2486</TD><TD>An AD Domain Controller used for authenticating users that is located in the external zone of a device using Hide-NAT is not supported.<BR /><BR />Workaround: Install another Domain Controller in the internal zone of the device.</TD><TD>R81.10.00</TD></TR></TBODY></TABLE> Fri, 02 Feb 2024 13:18:01 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Identity-Collector-Mystery/m-p/204885#M10214 Steven_Sultana 2024-02-02T13:18:01Z