Sanjay_S
Advisor

Activating Identity Awareness to Integrate AD

Hi All,

I need your suggestion on this: could you please let me know how to configure Identity Awareness for 2 domains.

We have 2 domains and we need to configure Identity Awareness for both the domains. Is this possible?

If yes, can you please let me know how to achieve this? This is the first time I am implementing Identity Awareness, so let me know the best back-out plan if something goes wrong.

14 Replies
G_W_Albrecht
Legend

This is a very broad and complicated topic - please study the CP Identity Awareness Admin Guide (for R77 or R80 versions) first to be able to select the best configuration for the customer. A very good way to get information from several DCs is the Check Point Identity Collector, see sk108235 !

CCSE CCTE CCSM SMB Specialist
Sanjay_S
Advisor

Thank you Gunther, I will go through the SK and will get back to you if I have any doubts.

0 Kudos
Sanjay_S
Advisor

Hi Gunther,

I went through multiple docs and the SK you shared and found that there is a possibility of configuring multiple domains, as per the administration guide. But nowhere do I see help on how to configure it and where to configure it.

Identity Awareness R80.10 Administration Guide 

As per the note in the administration guide below:

Notes:

  • After completing this wizard, you can select additional Identity Sources.
  • When you enable Browser-Based Authentication on Security Gateway that runs on an IP Series appliance with IPSO OS, make sure to set the Voyager management application port to a number other than 443 or 80.

So that says we can configure additional AD, but I am not sure how to configure it. Is there anyone who has tried this? Any suggestions would help, please.

0 Kudos
G_W_Albrecht
Legend

Identity Source does mean something else - here, you have to follow sk97837: How to add Multiple LDAP Servers into AD Query.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Sanjay_S
Advisor

Thank you Gunther :)

I will check this and configure it in the standby site first, and then if I have any doubts I will get back to you.

0 Kudos
Sven_Glock
Advisor

I have not tested it, but I would say that it should work like this:

When using the Identity Awareness wizard you only have the possibility to add one AD/domain.

For the second AD/Domain you need to add a LDAP Account Unit manually.

After that go into your gateway's properties --> Identity Awareness

Select the settings of the identity sources you are using.

Go to the authentication settings and add the LDAP account unit you added before to the user directories:

Cheers

Sven

Sanjay_S
Advisor

Hi Sven,

Could you please be clearer on this. I will add one AD/Domain from the wizard and the second one as in the SK below.

How to add Multiple LDAP Servers into AD Query 

And then what should I do to proceed to get this working? Please give me steps or any SK that could help, because today at 3PM UK I will be implementing it. As of now I am not seeing any Identity Awareness settings; I hope they will be enabled only after I enable the blade.

0 Kudos
Sven_Glock
Advisor

What the SK forgets to tell is: if you want to add a second AD you need to add a new LDAP Account Unit.

Then you can add the new LDAP Account Unit as described in the SK.

Cheers

Sven

Sanjay_S
Advisor

Hi All,

I tried configuring the first domain, but during the first step it failed with the below error message.

SmartDashboard could not connect to 10.10.10.1 - Could not communicate with Server.

0 Kudos
Sven_Glock
Advisor

Hi Sanjay,

For connection to the AD you need several open ports.
Please check R80.x Ports Used for Communication by Various Check Point Modules.

Additionally you need users with specific rights in the AD.

Hope this will help.

Cheers

Sven

0 Kudos
Sanjay_S
Advisor

Thank you Sven for the reply.

Could you please help me to know whether there should be access from the Management server to the AD server for which we will enable the Identity Awareness blade?

What are all the prerequisites for getting this to happen, other than ports? Please help.

0 Kudos
Sanjay_S
Advisor

Just for clarification, does the AD server need to be reachable from both the Management server and the Gateways to get this working?

G_W_Albrecht
Legend

Yes.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Sven_Glock
Advisor

For creating access roles using the SmartConsole you have to select specific items from the AD tree.

For this operation you need to have access from the management server to the AD.
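The "Could not communicate with Server" error and the reachability questions above boil down to one pre-change check: can this node open the AD ports at all? The script below is an added example, not Check Point's tooling or anything posted in the thread; run it once on the management server and once on each gateway before the wizard. It only tests TCP reachability, and the port map is my assumption from the LDAP/WMI protocols (389/636 for the LDAP Account Unit, 135 as the RPC endpoint mapper AD Query's WMI session starts on); the authoritative list is the Check Point ports document Sven linked.

```python
"""Pre-change connectivity check for Identity Awareness / AD Query.

Added example, not Check Point code. Run from the management server and
from each gateway, since both must reach the AD server. Only TCP
reachability is tested; credentials, rights and dynamic RPC ports are not.
"""
import socket

# Assumed port map (see lead-in); override from the ports SK if it differs.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rpc-epm": 135}


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, DNS failure
        return False


def precheck(ad_hosts, ports=DEFAULT_PORTS, timeout=3.0):
    """Test every (host, service) pair; return a list of (host, port, name)
    that could not be reached. An empty list means this node can reach every
    listed AD server on every listed port."""
    failures = []
    for host in ad_hosts:
        for name, port in ports.items():
            if not check_tcp(host, port, timeout):
                failures.append((host, port, name))
    return failures


if __name__ == "__main__":
    import sys
    # Usage: python precheck.py <dc1> [<dc2> ...]; 10.10.10.1 is the address
    # from the thread and only a default for illustration.
    hosts = sys.argv[1:] or ["10.10.10.1"]
    failed = precheck(hosts)
    for host, port, name in failed:
        print(f"FAIL {host}:{port} ({name}) not reachable from this node")
    if not failed:
        print("OK: all AD servers reachable on all listed ports")
    sys.exit(1 if failed else 0)
```

A second domain means a second DC address on the command line; a failure on the management server explains the SmartDashboard error, while a failure on a gateway will only show up later as missing identities.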
