Re: Identity Collector

Moudar

Hi,

I am trying to use IDC (Windows AD) with remote access VPN.

IDC has green gateway and green AD server.

Whe using Checkpoint Endpoint Security App on Windows machine it connects well if users are locally created on SMS, but if users are on AD it logs:

that user is created on AD and added in a policy rule using an Access role:

On the remote access community under Participats user groups = all users

Windows machine can reach SMS and gateway and vice versa.

Running pdp idc status:

pdp idc status
Identity Collector IP: 192.168.10.212
Identity Sources:
        No information about identity sources

and cpstat identityServer -f idc:

cpstat identityServer -f idc



Identity Collector Sources
-----------------------------------------------------------
|Type|Name|Host|Status|IDC IP|Events Recieved|Total Events|
-----------------------------------------------------------
-----------------------------------------------------------

I think IDC is not sending events to the gateway but why?

What do I miss here?

G_W_Albrecht

Did you follow https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Client... ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Moudar

i did follow that, plus and firewall on windows machine is disabled

IDC is installed on same machine as AD!? does that create problems?

G_W_Albrecht

Not at all - it is rather very usual to do that, as you need a Win Server for IC. Why not contact TAC ? Issues like yours are usually some config glitche(s) that can be resolved in a RAS quickly.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

the_rock

That would not create any issues, most clients I saw install IDC, they did on same machine, as long as communication is there.

Andy

RS_Daniel

Hello,

I have always deployed IDC on the AD server without problems. However once it did not work and TAC told us that is not recommended, we should install IDC on a different windows server. Tried moving the IDC to a different server and issue was fixed, so you can try and check.

Regards

Moudar

I will try that!

the_rock

Its not bad idea at all. Personally, I always seee customers do it on same machine and works fine.

Andy

Moudar

I have now tried on other server, and i get the same result:

 pdp idc status
Identity Collector IP: 192.168.10.212
Identity Sources:
        No information about identity sources

Identity Collector IP: 192.168.10.187
Identity Sources:
        No information about identity sources

The new server with no AD is .187

the_rock

And you also disabled windows fw on that machine as well?

Andy

Moudar

Yes

the_rock

I would do below.

https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics-IA-Client....

Also, make sure you have latest version of IC as well:

sk113021 - Identity Collector fails to connect / add / edit a Security Gateway

I see customer I worked with few months ago had same issue and turned out to be certificate problem, but not sure which one exactly : - (

Andy

the_rock

Do you have proper LDAP account unit configured? The reason I asked that question is what Phoneboy said in a different post couple of years back:

Identity Collector changes how the gateways acquire users (using Security Logs instead of WMI).
The actual groups are still pulled the same way as with ADQuery: via LDAP queries from the relevant gateways.
Which means you should verify the information needed to perform these lookups is correct: https://support.checkpoint.com/results/sk/sk180392

Andy

Moudar

Running ldapsearch command shows that LDAP account Unit is correctly configured as of my knowledge!

 ldapsearch -h 192.168.10.212 -p 389 -D "CN=CP-User,CN=Users,DC=alpha,DC=cp" -w Admin123 -b "DC=alpha,D
C=cp" "(sAMAccountName=CP-User)"
CN=CP-User,CN=Users,DC=alpha,DC=cp
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=user
cn=CP-User
givenName=CP-User
distinguishedName=CN=CP-User,CN=Users,DC=alpha,DC=cp
instanceType=4
whenCreated=20250121161255.0Z
whenChanged=20250121161349.0Z
displayName=CP-User
uSNCreated=36933
memberOf=CN=Event Log Readers,CN=Builtin,DC=alpha,DC=cp
memberOf=CN=Distributed COM Users,CN=Builtin,DC=alpha,DC=cp
uSNChanged=36945
name=CP-User
objectGUID=NOT ASCII
userAccountControl=66048
badPwdCount=0
codePage=0
countryCode=0
badPasswordTime=0
lastLogoff=0
lastLogon=133825288336186747
pwdLastSet=133819495752215514
primaryGroupID=513
objectSid=NOT ASCII
accountExpires=9223372036854775807
logonCount=6
sAMAccountName=CP-User
sAMAccountType=805306368
userPrincipalName=CP-User@alpha.cp
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=alpha,DC=cp
dSCorePropagationData=16010101000000.0Z
lastLogonTimestamp=133819496297529642
1 match

the_rock

Yea, that looks good to me. Just wondering, from the smart console, unless its S1C mgmt instance, if its on prem, can you fetch branches okay from the ldap unit?

Andy

Moudar

the_rock

And when you click "fetch branches", what does it show?

Andy

Moudar

it shows the same: DC=alpha,DC=cp

AkosBakos

Do you use LDAPs or Simple LDAP on port 389?

----------------
\m/_(>_<)_\m/

Moudar

This is a lab so yes 389 is used.

Are you a member of CheckMates?

Identity Collector