Is there a procedure similar to sk84620 for cloud-based EPS running on portal.checkpoint.com?
I can't realistically ask a customer to use LDAP for organization scanners in clear text over an Internet connection.
For those interested, I did a TAC case and the current procedure is to generate the LDAP certificate, open a TAC case with your cloud instance and an engineer will install it for you.
I understand it's a new offering but I hope this procedure will be streamlined in the future and integrated in the Cloud EPS Smart Console or the Portal instead of circulating LDAP certificates.
Did TAC explain how this works? sk84620 suggests the server certificate is being installed as a trusted certificate (imported into the CA certificate store).
I am a bit concerned that importing a certificate implies a static configuration as with Identity Awareness AD Query LDAPS fingerprints. We routinely have to help customers whose IA or VPN authentication breaks because the AD DC LDAPS certificates have been automatically renewed and the Check Point environment only knows the fingerprints for the old certificates.
Can someone clarify for Endpoint Security cloud? I'm guessing AD Scanner will break if the LDAPS certificate is renewed.
At a minimum this should import the CA certificate for the server certificate so that it will trust newly issued certificates signed by the same CA.
Is anyone else concerned about allowing Internet inbound connections to their AD DCs? Something like the IA identity gathering agent installed in the enterprise, collecting identities, and sharing them with the relevant cloud Endpoint Security Management Server would be a lot more appropriate from an architectural perspective.
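The renewal concern raised above, as an added example that is not code from the thread or from Check Point: a Go program that builds a constructed enterprise CA, issues a DC's LDAPS certificate, auto-renews it (new key, new serial, same CA), and checks the renewed certificate against a pinned fingerprint and against the imported issuing CA. The CA name, the DC hostname `dc1.corp.example` and the serial numbers are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs tmpl with the signer's key; pass the template itself as parent for a self-signed CA.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced, so parsing cannot fail
	return c
}

// Fingerprint is the SHA-256 of the DER certificate: the value a static fingerprint entry stores.
func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// CATrust accepts any certificate for dcName that chains to the imported issuing CA.
func CATrust(ca, presented *x509.Certificate, dcName string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: dcName})
	return err == nil
}

// Simulate issues and then auto-renews a DC LDAPS certificate from a constructed CA and reports whether a pinned fingerprint and an imported CA still accept the renewed one.
func Simulate() (pinnedOK, caOK bool) {
	const dc = "dc1.corp.example" // constructed DC hostname
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Corp Issuing CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	dcCert := func(serial int64) *x509.Certificate { // one issuance; a renewal is just another call
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		return issue(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: dc},
			DNSNames: []string{dc}, NotBefore: now, NotAfter: now.AddDate(1, 0, 0)}, ca, &k.PublicKey, caKey)
	}
	original, renewed := dcCert(100), dcCert(101)
	pinned := Fingerprint(original) // captured when the scanner was first configured
	return Fingerprint(renewed) == pinned, CATrust(ca, renewed, dc)
}
```

`Simulate` returns `false, true`: the pinned fingerprint stops matching as soon as the DC certificate is renewed, while trust in the issuing CA survives the renewal.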
An update on this: TAC have advised me that we cannot do LDAPS over the Internet, and have to use the client scanner and file-based scanner documented in the cloud admin guide (https://sc1.checkpoint.com/documents/Endpoint_MaaS/html_frameset.htm?topic=documents/Endpoint_MaaS/2...). It looks like that window has been slammed shut. For a customer with regular AD changes, manually updating via the file-based scanner will become another manual task.
Hopefully something similar to the Capsule Cloud agent is available soon.
Have there been any developments in this area, since these posts? I have not found anything in the docs, but could have missed something. Thx.
Hi @Mikel_Aucutt,
LDAPS is supported; follow the instructions here to learn how.