This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
Advisor
‎2025-01-28 05:00 AM

Identity Collector

Hi,

I am trying to use IDC (Windows AD) with remote access VPN.

IDC has green gateway and green AD server.

kort.png

kort.png

Whe using Checkpoint Endpoint Security App on Windows machine it connects well if users are locally created on SMS, but if users are on AD it logs:

kort.png

that user is created on AD and added in a policy rule using an Access role:

kort.png

kort.png

On the remote access community under Participats user groups = all users

Windows machine can reach SMS and gateway and vice versa.

Running pdp idc status:

pdp idc status
Identity Collector IP: 192.168.10.212
Identity Sources:
        No information about identity sources

and cpstat identityServer -f idc:

cpstat identityServer -f idc



Identity Collector Sources
-----------------------------------------------------------
|Type|Name|Host|Status|IDC IP|Events Recieved|Total Events|
-----------------------------------------------------------
-----------------------------------------------------------

 

I think IDC is not sending events to the gateway but why?

What do I miss here?

0 Kudos
19 Replies
G_W_Albrecht
Legend Legend
Legend
‎2025-01-28 05:31 AM

Did you follow https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Client... ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Moudar
Advisor
‎2025-01-28 06:08 AM
In response to G_W_Albrecht

i did follow that, plus and firewall on windows machine is disabled

IDC is installed on same machine as AD!? does that create problems?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2025-01-28 06:31 AM
In response to Moudar

Not at all - it is rather very usual to do that, as you need a Win Server for IC. Why not contact TAC ? Issues like yours are usually some config glitche(s) that can be resolved in a RAS quickly.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2025-01-28 06:33 AM
In response to Moudar

That would not create any issues, most clients I saw install IDC, they did on same machine, as long as communication is there.

Andy

0 Kudos
RS_Daniel
Advisor
‎2025-01-28 06:40 AM
In response to Moudar

Hello,

I have always deployed IDC on the AD server without problems. However once it did not work and TAC told us that is not recommended, we should install IDC on a different windows server. Tried moving the IDC to a different server and issue was fixed, so you can try and check. 

Regards

the_rock
Legend
Legend
‎2025-01-28 06:59 AM
In response to RS_Daniel

Its not bad idea at all. Personally, I always seee customers do it on same machine and works fine.

Andy

0 Kudos
Moudar
Advisor
‎2025-01-28 07:44 AM
In response to RS_Daniel

I have now tried on other server, and i get the same result:

 pdp idc status
Identity Collector IP: 192.168.10.212
Identity Sources:
        No information about identity sources

Identity Collector IP: 192.168.10.187
Identity Sources:
        No information about identity sources

 The new server with no AD is .187 

0 Kudos
the_rock
Legend
Legend
‎2025-01-28 07:47 AM
In response to Moudar

And you also disabled windows fw on that machine as well?

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-01-28 07:56 AM
In response to Moudar

I would do below.

https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Client....

Also, make sure you have latest version of IC as well:

sk113021 - Identity Collector fails to connect / add / edit a Security Gateway

I see customer I worked with few months ago had same issue and turned out to be certificate problem, but not sure which one exactly : - (

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-01-28 05:37 AM

Do you have proper LDAP account unit configured? The reason I asked that question is what Phoneboy said in a different post couple of years back:

Identity Collector changes how the gateways acquire users (using Security Logs instead of WMI).
The actual groups are still pulled the same way as with ADQuery: via LDAP queries from the relevant gateways.
Which means you should verify the information needed to perform these lookups is correct: https://support.checkpoint.com/results/sk/sk180392

Andy

0 Kudos
Moudar
Advisor
‎2025-01-28 06:07 AM
In response to the_rock

Running ldapsearch command shows that LDAP account Unit is correctly configured as of my knowledge!

 ldapsearch -h 192.168.10.212 -p 389 -D "CN=CP-User,CN=Users,DC=alpha,DC=cp" -w Admin123 -b "DC=alpha,D
C=cp" "(sAMAccountName=CP-User)"
CN=CP-User,CN=Users,DC=alpha,DC=cp
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=user
cn=CP-User
givenName=CP-User
distinguishedName=CN=CP-User,CN=Users,DC=alpha,DC=cp
instanceType=4
whenCreated=20250121161255.0Z
whenChanged=20250121161349.0Z
displayName=CP-User
uSNCreated=36933
memberOf=CN=Event Log Readers,CN=Builtin,DC=alpha,DC=cp
memberOf=CN=Distributed COM Users,CN=Builtin,DC=alpha,DC=cp
uSNChanged=36945
name=CP-User
objectGUID=NOT ASCII
userAccountControl=66048
badPwdCount=0
codePage=0
countryCode=0
badPasswordTime=0
lastLogoff=0
lastLogon=133825288336186747
pwdLastSet=133819495752215514
primaryGroupID=513
objectSid=NOT ASCII
accountExpires=9223372036854775807
logonCount=6
sAMAccountName=CP-User
sAMAccountType=805306368
userPrincipalName=CP-User@alpha.cp
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=alpha,DC=cp
dSCorePropagationData=16010101000000.0Z
lastLogonTimestamp=133819496297529642
1 match
0 Kudos
the_rock
Legend
Legend
‎2025-01-28 06:10 AM
In response to Moudar

Yea, that looks good to me. Just wondering, from the smart console, unless its S1C mgmt instance, if its on prem, can you fetch branches okay from the ldap unit?

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-01-28 06:30 AM
In response to Moudar

And when you click "fetch branches", what does it show?

Andy

Moudar
Advisor
‎2025-01-28 06:41 AM
In response to the_rock

it shows the same: DC=alpha,DC=cp

0 Kudos
AkosBakos
Leader Leader
Leader
‎2025-01-28 06:35 AM
In response to Moudar

Do you use LDAPs or Simple LDAP on port 389?

----------------
\m/_(>_<)_\m/
0 Kudos
Moudar
Advisor
‎2025-01-28 06:40 AM
In response to AkosBakos

This is a lab so yes 389 is used.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    Top