Is there a procedure similar to sk84620 for cloud-based EPS running on portal.checkpoint.com?
I can't realistically ask a customer to use LDAP for organization scanners in clear text over an Internet connection.
For those interested, I did a TAC case and the current procedure is to generate the LDAP certificate, open a TAC case with your cloud instance and an engineer will install it for you.
I understand it's a new offering but I hope this procedure will be streamlined in the future and integrated in the Cloud EPS Smart Console or the Portal instead of circulating LDAP certificates.
Did TAC explain how this works? sk84620 suggests the server certificate is being installed as a trusted certificate (imported into the CA certificate store).
I am a bit concerned that importing a certificate implies a static configuration as with Identity Awareness AD Query LDAPS fingerprints. We routinely have to help customers whose IA or VPN authentication breaks because the AD DC LDAPS certificates have been automatically renewed and the Check Point environment only knows the fingerprints for the old certificates.
Can someone clarify for Endpoint Security cloud? I'm guessing AD Scanner will break if the LDAPS certificate is renewed.
At a minimum this should import the CA certificate for the server certificate so that it will trust newly issued certificates signed by the same CA.
Is anyone else concerned about allowing Internet inbound connections to their AD DCs? Something like the IA identity gathering agent installed in the enterprise, collecting identities, and sharing them with the relevant cloud Endpoint Security Management Server would be a lot more appropriate from an architectural perspective.
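The renewal concern raised above (a pinned server certificate or fingerprint going stale when the DC auto-renews, versus trusting the issuing CA) can be reproduced locally. The script below is an added example written for this thread, not code from Check Point or from any post here; it only needs openssl on PATH. The CA name lab-ca, the DC name dc01.example.test, the key sizes and validity periods are constructed for the demo, and nothing in it contacts a real domain controller. A second issuance from the same CA stands in for the automatic renewal.

```sh
#!/bin/sh
# Added example, not code from the thread or from Check Point. It shows why
# trusting a pinned LDAPS server certificate (or its fingerprint) breaks when
# the DC auto-renews, while trusting the issuing CA keeps working.
# "lab-ca", "dc01.example.test", key sizes and lifetimes are constructed for
# the demo; nothing here talks to a real domain controller.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca: a throwaway self-signed CA standing in for the enterprise CA that
# issues the DCs' LDAPS certificates.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=lab-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# issue_server_cert NAME: issue a certificate for the DC's FQDN signed by the
# lab CA. Calling it a second time models auto-renewal: same CA, same subject,
# new key pair and serial, hence a new fingerprint.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dc01.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# fingerprint FILE: SHA-256 fingerprint of a certificate, i.e. the value a
# fingerprint-pinned configuration stores.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_pinned FILE PIN: the static model. Succeeds only if the presented
# certificate is the exact one whose fingerprint was recorded.
check_pinned() {
  [ "$(fingerprint "$1")" = "$2" ]
}

# check_ca FILE: the CA model. Succeeds if the presented certificate chains to
# the trusted CA, whichever leaf certificate the DC currently presents.
check_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# outcome CMD...: run a check and report pass/fail as a word, so the results
# can be compared without aborting the script.
outcome() {
  if "$@"; then echo pass; else echo fail; fi
}

make_ca
issue_server_cert old
PIN=$(fingerprint "$WORK/old.crt")   # what gets imported on the management side
issue_server_cert new                 # the DC's LDAPS certificate auto-renews

PIN_OLD=$(outcome check_pinned "$WORK/old.crt" "$PIN")   # pass
PIN_NEW=$(outcome check_pinned "$WORK/new.crt" "$PIN")   # fail: authentication breaks
CA_OLD=$(outcome check_ca "$WORK/old.crt")               # pass
CA_NEW=$(outcome check_ca "$WORK/new.crt")               # pass: renewal is transparent

printf 'pinned fingerprint: old=%s new=%s\n' "$PIN_OLD" "$PIN_NEW"
printf 'trusted issuing CA: old=%s new=%s\n' "$CA_OLD" "$CA_NEW"

# Against a real DC, the leaf and its issuer can be pulled for comparison with:
#   openssl s_client -connect dc01.example.test:636 -showcerts </dev/null
```

The practical check before importing anything is to compare what the DC presents on port 636 against what the management side holds: if it holds only the leaf (or its fingerprint), the next renewal on the DC reproduces the `fail` row above; if it holds the issuing CA, renewals pass as long as the CA itself does not change.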
An update on this: TAC have advised me that we cannot do LDAPS over the Internet, and have to use the client scanner and file-based scanner documented in the cloud admin guide (https://sc1.checkpoint.com/documents/Endpoint_MaaS/html_frameset.htm?topic=documents/Endpoint_MaaS/2...). It looks like that window has been slammed shut. For a customer with regular AD changes, manually updating via the file-based scanner will become another manual task.
Hopefully something similar to the Capsule Cloud agent is available soon.
Have there been any developments in this area, since these posts? I have not found anything in the docs, but could have missed something. Thx.
Hi @Mikel_Aucutt,
LDAPS is supported, follow the instructions here to learn how.