Solved: Re: AD Query server connection

Ryan_Ryan · ‎2019-06-27

Hi all,

Wondering if anyone has ideas on this issue, I have 2 clusters (same policy). On one cluster it can successfully connect and receive login events from two domain controllers, on the other cluster I get the message "no connectivity, connection refused by remote host [ntstatus = 0xc0000236]"

Both clusters use the same login credentials, both clusters can telnet to the server IP's on port 389 and 636. I have also connected to the server and checked event viewer. I don't see any errors it all says success.

When I use the test_ad_connectivity tool I get the following:

:status (SUCCESS_LDAP_WMI_NO_CONNECTIVITY)
:err_msg ("ADLOG_ERROR_NETWORK_PROBLEM;LDAP_SUCCESS")
:ldap_status (LDAP_SUCCESS)
:wmi_status (ADLOG_ERROR_NETWORK_PROBLEM)
:timestamp ("Thu Jun 27 16:55:30 2019")

Any ideas what this could be?

thanks

Sigbjorn · ‎2019-06-27

Hi Ryan,

You do need RPC communication for AD Query to work, but you don't need all "tcp-high-ports".

49152-65535 is the Microsoft specified range required, and it's what we use for our AD Query setups.

(In addtition to tcp/636 and tcp/135)

/Sigbjorn

View solution in original post

PhoneBoy · ‎2019-06-27

Can you check with ldapsearch instead?
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Ryan_Ryan · ‎2019-06-27

Hi good idea,

I tried that and can confirm it has successfully queried and returns correct information from ldap.

PhoneBoy · ‎2019-06-27

Unless @Royi_Priov or someone from R&D has an idea, I suggest opening a TAC case.

Ryan_Ryan · ‎2019-06-27

I might have found the issue, if there is another f/w between the gateway and the domain controller it appears you need to open:

tcp/389 or tcp/636

tcp/135

tcp/1025-65535

For full connectivity. Will update once we have opened ports and confirmed.

Sigbjorn · ‎2019-06-27

Hi Ryan,

You do need RPC communication for AD Query to work, but you don't need all "tcp-high-ports".

49152-65535 is the Microsoft specified range required, and it's what we use for our AD Query setups.

(In addtition to tcp/636 and tcp/135)

/Sigbjorn

Gaurav_Pandya · ‎2019-06-28

Hi Ryan,

I am sure that firewall in between is the issue. You need to open required ports on that firewall

Royi_Priov · ‎2019-06-30

Hi,

It looks like you are in the right direction with the DCE-RPC ports, I will explain why:

LDAP connectivity is not related to the WMI connection which should be open between GW to AD.

You can also see in the log:

:status (SUCCESS_LDAP_WMI_NO_CONNECTIVITY)
:err_msg ("ADLOG_ERROR_NETWORK_PROBLEM;LDAP_SUCCESS")
:ldap_status (LDAP_SUCCESS)
:wmi_status (ADLOG_ERROR_NETWORK_PROBLEM)
:timestamp ("Thu Jun 27 16:55:30 2019")

Thanks,

Royi.

Thanks,
Royi Priov
R&D Group manager, Identity and Trust (formerly known as Infinity Identity)

Ryan_Ryan · ‎2019-07-03

confirmed it was the f/w ports needing to be opened. working now!

Are you a member of CheckMates?

AD Query server connection