Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Advisor

LDAPS and cloud-based Endpoint servers

Jump to solution

Is there a procedure similar to sk84620 for cloud-based EPS running on portal.checkpoint.com?

I can't realistically ask a customer to use LDAP for organization scanners in clear text over an Internet connection.

1 Solution

Accepted Solutions
Highlighted
Advisor

For those interested, I did a TAC case and the current procedure is to generate the LDAP certificate, open a TAC case with your cloud instance and an engineer will install it for you.

I understand it's a new offering but I hope this procedure will be streamlined in the future and integrated in the Cloud EPS Smart Console or the Portal instead of circulating LDAP certificates.

View solution in original post

7 Replies
Highlighted
Advisor

For those interested, I did a TAC case and the current procedure is to generate the LDAP certificate, open a TAC case with your cloud instance and an engineer will install it for you.

I understand it's a new offering but I hope this procedure will be streamlined in the future and integrated in the Cloud EPS Smart Console or the Portal instead of circulating LDAP certificates.

View solution in original post

Admin
Admin
I suspect once there is a web interface for managing the Endpoint policy (versus using SmartEndpoint as is the case today), this might be something that gets included.
0 Kudos
Highlighted
Contributor

Did TAC explain how this works? sk84620 suggests the server certificate is being installed as a trusted certificate (imported into the CA certificate store).

I am a bit concerned that importing a certificate implies a static configuration as with Identity Awareness AD Query LDAPS fingerprints. We routinely have to help customers whose IA or VPN authentication breaks because the AD DC LDAPS certificates have been automatically renewed and the Check Point environment only knows the fingerprints for the old certificates.

Can someone clarify for Endpoint Security cloud? I'm guessing AD Scanner will break if the LDAPS certificate is renewed.

At a minimum this should import the CA certificate for the server certificate so that it will trust newly issued certificates signed by the same CA.

Is anyone else concerned about allowing Internet inbound connections to their AD DCs? Something like the IA identity gathering agent installed in the enterprise, collecting identities, and sharing them with the relevant cloud Endpoint Security Management Server would be a lot more appropriate from an architectural perspective.

Highlighted
Advisor
Hi Paul,
I share your concerns, but for now this is the way to go according to TAC. Hopefully the upcoming releases of the EPS SmartConsole or a web-based one running directly on your instance will address this.
Highlighted
Contributor

An update on this: TAC have advised me that we cannot do LDAPS over the Internet, and have to use the client scanner and file-based scanner documented in the cloud admin guide (https://sc1.checkpoint.com/documents/Endpoint_MaaS/html_frameset.htm?topic=documents/Endpoint_MaaS/2...). It looks like that window has been slammed shut. For a customer with regular AD changes, manually updating via the file-based scanner will become another manual task.

Hopefully something similar to the Capsule Cloud agent is available soon.

0 Kudos
Highlighted
Explorer

Have there been any developments in this area, since these posts? I have not found anything in the docs, but could have missed something. Thx.

0 Kudos
Highlighted
Employee+
Employee+

Hi @Mikel_Aucutt,

LDAPs is supported, follow the instructions here to learn how.

0 Kudos