Did TAC explain how this works? sk84620 suggests the server certificate is being installed as a trusted certificate (imported into the CA certificate store).
I am a bit concerned that importing a certificate implies a static configuration, as with Identity Awareness AD Query LDAPS fingerprints. We routinely have to help customers whose IA or VPN authentication breaks because the AD DC LDAPS certificates have been automatically renewed and the Check Point environment only knows the fingerprints for the old certificates.
Can someone clarify for Endpoint Security cloud? I'm guessing AD Scanner will break if the LDAPS certificate is renewed.
At a minimum, this should import the CA certificate for the server certificate so that it will trust newly issued certificates signed by the same CA.
Is anyone else concerned about allowing Internet inbound connections to their AD DCs? Something like the IA identity gathering agent installed in the enterprise, collecting identities, and sharing them with the relevant cloud Endpoint Security Management Server would be a lot more appropriate from an architectural perspective.
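The renewal failure described in the post, shown as an added example that is not part of the original post and not Check Point's or Microsoft's code: a throwaway PKI built with the openssl CLI, with an assumed CA name ("Example Lab Root CA") and DC hostname (dc01.example.lab). The second leaf certificate stands in for what auto-enrollment hands the DC at renewal (same subject and issuer, new key and serial). A pin on the first certificate's SHA-256 fingerprint rejects the renewed certificate, while a check against the imported CA accepts both.

```shell
#!/bin/sh
# Added example (not from the original post or from Check Point): a throwaway
# PKI built with the openssl CLI to show why pinning an LDAPS server
# certificate by fingerprint breaks on renewal while trusting the issuing CA
# does not. Assumed names: "Example Lab Root CA" and dc01.example.lab.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a root CA, then issue two leaf certificates for the same DC name.
# dc2.pem stands in for the certificate auto-enrollment hands the DC at renewal:
# same subject, same issuer, new key and serial, hence a new fingerprint.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  for n in 1 2; do
    openssl req -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=dc01.example.lab" \
      -keyout "$WORK/dc$n.key" -out "$WORK/dc$n.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in "$WORK/dc$n.csr" \
      -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
      -out "$WORK/dc$n.pem" >/dev/null 2>&1
  done
}

# SHA-256 fingerprint of a certificate: the value a fingerprint pin stores.
fingerprint_of() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Static fingerprint check: succeeds only for the exact certificate pinned.
pin_check() {
  [ "$1" = "$(fingerprint_of "$2")" ]
}

# CA-based check: succeeds for any certificate chaining to the imported CA.
ca_check() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

make_pki
PIN=$(fingerprint_of "$WORK/dc1.pem")   # the pin recorded at setup time

for n in 1 2; do
  if pin_check "$PIN" "$WORK/dc$n.pem"; then pin=OK; else pin=FAIL; fi
  if ca_check "$WORK/dc$n.pem"; then ca=OK; else ca=FAIL; fi
  echo "dc$n.pem  pinned-fingerprint:$pin  ca-trust:$ca"
done
```

Run as-is; it needs only the openssl CLI and writes to a temporary directory that is removed on exit. The CA check still breaks if the renewed certificate comes from a different CA (for example after a PKI migration), which is why importing the CA rather than the leaf is the minimum, not the whole answer.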