LDAPS and cloud-based Endpoint servers

Is there a procedure similar to sk84620 for cloud-based EPS running on portal.checkpoint.com?

I can't realistically ask a customer to use LDAP for organization scanners in clear text over an Internet connection.

Accepted Solutions

Re: LDAPS and cloud-based Endpoint servers

For those interested, I did a TAC case and the current procedure is to generate the LDAP certificate, open a TAC case with your cloud instance and an engineer will install it for you.

I understand it's a new offering but I hope this procedure will be streamlined in the future and integrated in the Cloud EPS Smart Console or the Portal instead of circulating LDAP certificates.

5 Replies

Re: LDAPS and cloud-based Endpoint servers

I suspect once there is a web interface for managing the Endpoint policy (versus using SmartEndpoint as is the case today), this might be something that gets included.

Re: LDAPS and cloud-based Endpoint servers

Did TAC explain how this works? sk84620 suggests the server certificate is being installed as a trusted certificate (imported into the CA certificate store).

I am a bit concerned that importing a certificate implies a static configuration as with Identity Awareness AD Query LDAPS fingerprints. We routinely have to help customers whose IA or VPN authentication breaks because the AD DC LDAPS certificates have been automatically renewed and the Check Point environment only knows the fingerprints for the old certificates.

Can someone clarify for Endpoint Security cloud? I'm guessing AD Scanner will break if the LDAPS certificate is renewed.

At a minimum this should import the CA certificate for the server certificate so that it will trust newly issued certificates signed by the same CA.

Is anyone else concerned about allowing Internet inbound connections to their AD DCs? Something like the IA identity gathering agent installed in the enterprise, collecting identities, and sharing them with the relevant cloud Endpoint Security Management Server would be a lot more appropriate from an architectural perspective.
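
As an added illustration of the renewal point raised above (example code written for this page, not from the thread, sk84620 or Check Point): the shell script below uses openssl to build a throwaway lab CA and an LDAPS certificate for a DC, then "renews" that certificate the way AD auto-enrolment would (same subject, same issuing CA, new key and serial) and checks both the old and the renewed certificate two ways: against a pinned SHA-256 fingerprint of the original leaf certificate, and against the issuing CA. The CA and host names (Lab Issuing CA, dc1.lab.example) and the scratch directory are assumptions; no real domain controller or cloud instance is contacted.

```shell
#!/bin/sh
# Added example, not from the thread: pinned leaf fingerprint vs. trusted CA.
# Everything is generated locally with openssl in a scratch directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Hypothetical lab CA standing in for the customer's AD Certificate Services CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Lab Issuing CA" -keyout ca.key -out ca.pem >/dev/null 2>&1

# issue_cert NAME: issue an LDAPS server certificate for dc1.lab.example
# (assumed host name) signed by the lab CA. Calling it a second time
# simulates auto-enrolment renewal: same subject and CA, new key and serial.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dc1.lab.example" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out "$1.pem" >/dev/null 2>&1
}

# fingerprint CERT: SHA-256 fingerprint of the leaf certificate, i.e. the
# value a fingerprint-pinned configuration stores at setup time.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# pin_check CERT PIN: the brittle model: accept only this exact certificate.
pin_check() {
  [ "$(fingerprint "$1")" = "$2" ]
}

# ca_check CERT: the robust model: accept any certificate chaining to the CA.
ca_check() {
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
}

issue_cert dc1-old
PIN=$(fingerprint dc1-old.pem)   # "configured" when the LDAPS integration was set up

issue_cert dc1-new               # the DC auto-renews its LDAPS certificate

pin_check dc1-old.pem "$PIN" && echo "pin: original cert accepted"
pin_check dc1-new.pem "$PIN" || echo "pin: renewed cert REJECTED (LDAPS breaks)"
ca_check  dc1-old.pem && echo "ca:  original cert accepted"
ca_check  dc1-new.pem && echo "ca:  renewed cert accepted"
```

Run it in any shell with openssl on the PATH. The fingerprint check accepts only the certificate it was configured with and rejects the renewed one, while the CA check accepts both, which is the behaviour the post above asks for. Against a real DC the leaf certificate and its chain can be pulled for the same comparison with `openssl s_client -connect <dc>:636 -showcerts`.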


Re: LDAPS and cloud-based Endpoint servers

Hi Paul,
I share your concerns, but for now this is the way to go according to TAC. Hopefully the upcoming releases of the EPS SmartConsole or a web-based one running directly on your instance will address this.

Re: LDAPS and cloud-based Endpoint servers

An update on this: TAC have advised me that we cannot do LDAPS over the Internet, and have to use the client scanner and file-based scanner documented in the cloud admin guide (https://sc1.checkpoint.com/documents/Endpoint_MaaS/html_frameset.htm?topic=documents/Endpoint_MaaS/2...). It looks like that window has been slammed shut. For a customer with regular AD changes, manually updating via the file-based scanner will become another manual task.

Hopefully something similar to the Capsule Cloud agent is available soon.
