Identity Collector
Hi,
I am trying to use IDC (Windows AD) with remote access VPN.
IDC has green gateway and green AD server.
When using the Check Point Endpoint Security App on a Windows machine it connects well if users are locally created on SMS, but if users are on AD it logs:
That user is created on AD and added in a policy rule using an Access Role:
On the remote access community under Participants, user groups = all users
Windows machine can reach SMS and gateway and vice versa.
Running pdp idc status:
pdp idc status
Identity Collector IP: 192.168.10.212
Identity Sources:
No information about identity sources
and cpstat identityServer -f idc:
cpstat identityServer -f idc
Identity Collector Sources
-----------------------------------------------------------
|Type|Name|Host|Status|IDC IP|Events Recieved|Total Events|
-----------------------------------------------------------
-----------------------------------------------------------
I think IDC is not sending events to the gateway but why?
What do I miss here?
Did you follow https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Client... ?
I did follow that, plus the firewall on the Windows machine is disabled.
IDC is installed on the same machine as AD!? Does that create problems?
Not at all - it is rather very usual to do that, as you need a Win Server for IC. Why not contact TAC? Issues like yours are usually some config glitch(es) that can be resolved in a RAS quickly.
That would not create any issues; most clients I saw install IDC did so on the same machine, as long as communication is there.
Andy
Hello,
I have always deployed IDC on the AD server without problems. However, once it did not work and TAC told us that it is not recommended; we should install IDC on a different Windows server. I tried moving the IDC to a different server and the issue was fixed, so you can try and check.
Regards
I will try that!
It's not a bad idea at all. Personally, I always see customers do it on the same machine and it works fine.
Andy
I have now tried on another server, and I get the same result:
pdp idc status
Identity Collector IP: 192.168.10.212
Identity Sources:
No information about identity sources
Identity Collector IP: 192.168.10.187
Identity Sources:
No information about identity sources
The new server with no AD is .187
And you also disabled the Windows firewall on that machine as well?
Andy
Yes
I would do below.
Also, make sure you have the latest version of IC as well:
sk113021 - Identity Collector fails to connect / add / edit a Security Gateway
I see a customer I worked with a few months ago had the same issue and it turned out to be a certificate problem, but I'm not sure which one exactly :-(
Andy
Do you have a proper LDAP Account Unit configured? The reason I asked that question is what Phoneboy said in a different post a couple of years back:
Identity Collector changes how the gateways acquire users (using Security Logs instead of WMI).
The actual groups are still pulled the same way as with ADQuery: via LDAP queries from the relevant gateways.
Which means you should verify the information needed to perform these lookups is correct: https://support.checkpoint.com/results/sk/sk180392
Andy
Running the ldapsearch command shows that the LDAP Account Unit is correctly configured, as far as I know!
ldapsearch -h 192.168.10.212 -p 389 -D "CN=CP-User,CN=Users,DC=alpha,DC=cp" -w Admin123 -b "DC=alpha,DC=cp" "(sAMAccountName=CP-User)"
CN=CP-User,CN=Users,DC=alpha,DC=cp
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=user
cn=CP-User
givenName=CP-User
distinguishedName=CN=CP-User,CN=Users,DC=alpha,DC=cp
instanceType=4
whenCreated=20250121161255.0Z
whenChanged=20250121161349.0Z
displayName=CP-User
uSNCreated=36933
memberOf=CN=Event Log Readers,CN=Builtin,DC=alpha,DC=cp
memberOf=CN=Distributed COM Users,CN=Builtin,DC=alpha,DC=cp
uSNChanged=36945
name=CP-User
objectGUID=NOT ASCII
userAccountControl=66048
badPwdCount=0
codePage=0
countryCode=0
badPasswordTime=0
lastLogoff=0
lastLogon=133825288336186747
pwdLastSet=133819495752215514
primaryGroupID=513
objectSid=NOT ASCII
accountExpires=9223372036854775807
logonCount=6
sAMAccountName=CP-User
sAMAccountType=805306368
userPrincipalName=CP-User@alpha.cp
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=alpha,DC=cp
dSCorePropagationData=16010101000000.0Z
lastLogonTimestamp=133819496297529642
1 match
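As an added example (not from the thread or from Check Point), a small Python script that parses ldapsearch output in the attribute=value form shown above and reports the things a collector service account is normally checked for: the account is enabled, the password does not expire (userAccountControl bits), and it is a member of the Event Log Readers and Distributed COM Users groups seen in the output. The required-group set and the abbreviated sample output are assumptions constructed from this thread.

```python
import re

# Constructed sample: an abbreviated copy of the ldapsearch output posted above,
# one "attribute=value" per line, DN on the first line, match count at the end.
SAMPLE_OUTPUT = """\
CN=CP-User,CN=Users,DC=alpha,DC=cp
objectClass=user
cn=CP-User
memberOf=CN=Event Log Readers,CN=Builtin,DC=alpha,DC=cp
memberOf=CN=Distributed COM Users,CN=Builtin,DC=alpha,DC=cp
userAccountControl=66048
sAMAccountName=CP-User
1 match
"""

# userAccountControl flag bits as documented by Microsoft.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Assumption: the groups a collector account needs for remote Security log reads,
# taken from the memberOf values in the thread's output.
REQUIRED_GROUPS = {"Event Log Readers", "Distributed COM Users"}


def parse_ldapsearch(text):
    """Return {attribute: [values]} from attr=value lines; skips the DN and '1 match'."""
    attrs = {}
    for line in text.splitlines():
        if line.startswith("CN="):  # entry DN, not an attribute
            continue
        m = re.match(r"^([A-Za-z][A-Za-z0-9]*)=(.*)$", line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs


def group_cns(member_of_values):
    """Extract the CN (first RDN) of each group DN listed in memberOf."""
    return {m.group(1) for dn in member_of_values
            if (m := re.match(r"CN=([^,]+)", dn))}


def check_collector_account(text):
    """Summarise enabled state, password expiry and missing groups for the account."""
    attrs = parse_ldapsearch(text)
    uac = int(attrs.get("userAccountControl", ["0"])[0])
    return {
        "sAMAccountName": attrs.get("sAMAccountName", [None])[0],
        "enabled": not (uac & ACCOUNTDISABLE),
        "normal_account": bool(uac & NORMAL_ACCOUNT),
        "password_never_expires": bool(uac & DONT_EXPIRE_PASSWORD),
        "missing_groups": sorted(REQUIRED_GROUPS - group_cns(attrs.get("memberOf", []))),
    }


if __name__ == "__main__":
    for key, value in check_collector_account(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```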
Yeah, that looks good to me. Just wondering, from SmartConsole, unless it's an S1C mgmt instance, if it's on prem, can you fetch branches okay from the LDAP unit?
Andy
And when you click "fetch branches", what does it show?
Andy
It shows the same: DC=alpha,DC=cp
Do you use LDAPs or Simple LDAP on port 389?
\m/_(>_<)_\m/
This is a lab so yes 389 is used.
