Matlu
Advisor

AD Integration with Checkpoint

Hello,

One question: for the integration of AD with the Check Point firewall, is it necessary to use the "domain admin" account? Or how many privileges must the service account have to be able to integrate AD with Check Point? My customer does not want to "provide" the main domain admin accounts.

Thanks for your comments.

0 Kudos
11 Replies
Wolfgang
Authority

Short answer: it's not necessary to use a domain admin account.

For Identity Collector you need a user that is a member of the "Event Log Readers" group.

To browse the Active Directory, getting identities and reading group memberships, you need a user with read rights in all OUs you want to read.

0 Kudos
PhoneBoy
Admin

For AD Query integration, you MUST use the Domain Admin account.
For Identity Collector, the account used must have the ability to read Security Event Logs. 
For LDAP group lookups (regardless of method), only an account that is able to read the directory is required.

0 Kudos
Wolfgang
Authority

@PhoneBoy for AD Query there's no need to use a domain admin account: Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Serve...

Because of the new security features in newer Windows releases, AD Query should not be used, and it does not work without lowering the security on the Windows server.

0 Kudos
PhoneBoy
Admin

I thought the recent changes Microsoft made broke all this?
Still, I agree: use Identity Collector.

Wolfgang
Authority

In "AD Query cannot access DC server when AD Query is configured for non-admin user", workaround 2 states to use a member of the Domain Admins group. But this does not work with the newest Windows releases.

@Matlu forget about AD Query. Identity Collector, Identity Agent and MUH agent are the working solutions.

0 Kudos
the_rock
Legend

I tried that sk with 4 different customers in the past; every time, even with TAC on the phone, we got it working once for about a day, then it broke and could not be fixed again, so we just gave up on it.

0 Kudos
Matlu
Advisor

Hello,

One question: for the Identity Collector, is it mandatory that the AD account used belongs to the "Event Log Readers" group?

Is it not possible to make this integration work with "any" AD user that is in "read only" mode?

Greetings.

0 Kudos
the_rock
Legend

It must be able to read security event logs.

0 Kudos
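Wolfgang's and PhoneBoy's answers above list the minimum rights per integration method, and the_rock confirms that the Identity Collector account must be able to read the Security event log. The following PowerShell is an added example, not code from this thread or from Check Point: it provisions such a least-privilege account, adds it only to the built-in "Event Log Readers" group, and verifies that the account can read the Security log on a domain controller and resolve group memberships over LDAP, which is what the customer's "precaution" needs to be weighed against. The domain corp.example, the DC name DC01, the account name svc-cp-idc and the test user jdoe are assumptions; the Security-log read in step 4 succeeds for this account and fails with "Access is denied" for a plain domain user that is not in the group.

```powershell
# Added example (not from the thread or from Check Point): provision a least-privilege
# AD account for Check Point Identity Collector and LDAP group lookups, then verify
# exactly what it can read. Run on a domain-joined admin workstation with the
# ActiveDirectory RSAT module. Names below are hypothetical.
Import-Module ActiveDirectory

$Domain   = 'corp.example'   # assumed domain
$DC       = 'DC01'           # assumed domain controller
$SvcName  = 'svc-cp-idc'     # assumed service account name
$TestUser = 'jdoe'           # assumed existing user for the LDAP lookup
$SvcUpn   = "$SvcName@$Domain"
$Password = Read-Host -AsSecureString -Prompt "Password for $SvcName"

# 1. An ordinary domain user: no membership in Domain Admins or any other admin group.
#    PasswordNeverExpires avoids a silent outage of identity acquisition; rotate the
#    password deliberately (AD + Identity Collector configuration) when policy requires.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcName'")) {
    New-ADUser -Name $SvcName -SamAccountName $SvcName -UserPrincipalName $SvcUpn `
        -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
        -Description 'Check Point Identity Collector: reads DC Security log and LDAP'
}

# 2. The only extra privilege Identity Collector needs: membership in the built-in
#    "Event Log Readers" group, which grants read access to the event logs on the DCs.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $SvcName

# 3. Evidence for the customer: the account's complete group list (no admin groups).
Get-ADPrincipalGroupMembership -Identity $SvcName | Select-Object -ExpandProperty Name

# 4. Verify as that account: read the Security log on the DC remotely, which is what
#    the Collector does. Without "Event Log Readers" membership this throws
#    "Access is denied", which answers the question whether "any" read-only user works.
$Cred = New-Object System.Management.Automation.PSCredential ($SvcUpn, $Password)
try {
    $events = Get-WinEvent -ComputerName $DC -LogName Security -MaxEvents 5 -Credential $Cred
    "OK: read {0} Security events from {1} as {2}" -f $events.Count, $DC, $SvcName
    # Logon events the Collector relies on (IDs 4624, 4768, 4769) should be among them.
    $events | Select-Object TimeCreated, Id | Format-Table -AutoSize
} catch {
    "FAIL: $SvcName cannot read the Security log on $DC : $($_.Exception.Message)"
}

# 5. LDAP side: default Authenticated Users read rights are sufficient to resolve a
#    user's group memberships; the OUs the gateway should see just need to be readable.
Get-ADUser -Identity $TestUser -Server $DC -Credential $Cred -Properties MemberOf |
    Select-Object -ExpandProperty MemberOf
```

Step 4 reads the log over RPC, so the "Remote Event Log Management" inbound firewall rule must be enabled on the DC for either this check or the Identity Collector to work; if step 4 fails with an RPC error rather than "Access is denied", the problem is the firewall rule, not the account's rights. If the customer will not grant "Event Log Readers" membership at all, step 4 is the demonstration that no other ordinary AD user can supply the Security events, which leaves the endpoint-based Identity Agent as the alternative.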
Matlu
Advisor

I will give that "option" to the client, because being a state entity, their policies are really a headache.
They don't want to provide a user from the "Event Log Readers" group, as a "precaution".
Hence my query.

the_rock
Legend

We all encounter clients like that, my friend :-)

0 Kudos
Wolfgang
Authority

@Matlu in a similar case we used the Identity Agent on the endpoint. You need local admin rights on the endpoint to install the agent, but only for the installation. The agent can be configured to use SSO with the user authenticated on the endpoint.

Identity Agent for a User Endpoint Computer - Configuring as Identity Source 

0 Kudos
