AD Integration with Checkpoint
Hello,
One question: for the integration of AD with the Check Point firewall, is it necessary to use the "domain admin" account? Or what privileges must the server account have to be able to integrate AD with Check Point? My customer does not want to "provide" the main domain admin accounts.
Thanks for your comments.
Short answer: it's not necessary to use a domain admin account.
For Identity Collector you need a user with membership in the "Event Log Readers" group.
To browse the Active Directory, getting identities and reading group memberships, you need a user with read rights in all OUs you want to read.
For AD Query integration, you MUST use the Domain Admin account.
For Identity Collector, the account used must have the ability to read Security Event Logs.
For LDAP group lookups (regardless of method), only an account that is able to read the directory is required.
@PhoneBoy for AD Query there's no need to use a domain admin account: Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Serve...
Because of the new security features in newer Windows releases, AD Query should not be used, and it does not work without lowering the security on the Windows server.
I thought the recent changes Microsoft made broke all this?
Still, I agree: use Identity Collector.
From "AD Query cannot access DC server when AD Query is configured for non-admin user", workaround 2 states using a member of the domain admin group. But that does not work with the newest Windows releases.
@Matlu forget about AD Query. Identity Collector, Identity Agent and MUH agent are the working solutions.
I tried that sk with 4 different customers in the past; every time, even with TAC on the phone, we got it working once for like 1 day, then it broke and could not be fixed again, so we just gave up on it.
Hello,
One doubt: for the Identity Collector, is it mandatory that the AD account used belongs to the "Event Log Readers" group?
Is it not possible to make this integration work with "any" AD user that is in "read only" mode?
Greetings.
It must be able to read security event logs.
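As an added example (not code from any poster, from Check Point or from Microsoft), the following PowerShell script provisions an Identity Collector account with exactly the privilege level described in this thread: membership in "Event Log Readers", no administrative group membership, and a check that the account can actually read the Security log of a domain controller remotely. The account name `svc-idcollector`, the NetBIOS domain `CORP` and the DC name `dc01.corp.example` are assumptions.

```powershell
# Added example: provision a least-privilege account for Check Point Identity Collector.
# Assumptions (not from the thread): account 'svc-idcollector', NetBIOS domain 'CORP',
# domain controller 'dc01.corp.example'. Run as an account allowed to create users
# and edit group membership (this does not have to be a Domain Admin either).
Import-Module ActiveDirectory

$AccountName      = 'svc-idcollector'
$DomainNetbios    = 'CORP'
$DomainController = 'dc01.corp.example'
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"

# 1. Create the account as a plain domain user; it is never meant to log on interactively.
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -AccountPassword $Password -Enabled $true -CannotChangePassword $true `
    -Description 'Check Point Identity Collector - reads the Security event log only'

# 2. Grant only what the collector needs: read access to the event logs on the DCs.
#    'Event Log Readers' is a built-in domain group that gives this without admin rights.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $AccountName

# 3. Verify nobody "fixed" a permission problem by putting the account in a privileged group.
$adminGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                 'Schema Admins', 'Account Operators', 'Server Operators')
$memberOf = Get-ADPrincipalGroupMembership -Identity $AccountName |
            Select-Object -ExpandProperty Name
$violations = $memberOf | Where-Object { $adminGroups -contains $_ }
if ($violations) {
    throw "$AccountName is a member of privileged group(s): $($violations -join ', ')"
}
Write-Output "Group membership of ${AccountName}: $($memberOf -join ', ')"

# 4. Test the effective permission: read the latest successful-logon events (ID 4624)
#    from the DC's Security log as the new account, over the remote event log interface.
$cred = New-Object System.Management.Automation.PSCredential ("$DomainNetbios\$AccountName", $Password)
try {
    $events = Get-WinEvent -ComputerName $DomainController -Credential $cred `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5 -ErrorAction Stop
    Write-Output "OK: read $($events.Count) logon events from $DomainController as $AccountName"
} catch {
    # Typical causes: the 'Remote Event Log Management' firewall rules are disabled on the DC,
    # or the group change has not replicated yet to the DC being queried.
    Write-Warning "Could not read the Security log as ${AccountName}: $($_.Exception.Message)"
}
```

If step 4 fails while step 3 passes, the fix belongs on the DC (firewall rule or replication), not in adding the account to Domain Admins.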
I will give that "option" to the client, because, being a state entity, their policies are really a headache.
They don't want to provide a user from the "Event Log Readers" group, as a "precaution".
Hence my query.
We all encounter clients like that, my friend :-)
@Matlu in a similar case we used the Identity Agent on the endpoint. You need local admin rights on the endpoint to install the agent, but only for the install. The agent can be configured to use SSO with the user authenticated on the endpoint.
Identity Agent for a User Endpoint Computer - Configuring as Identity Source