Can you migrate from internal User database to external (MS AD)
Management and Gateways are running R81.20.
Currently users are created locally in SmartConsole, for each user a certificate is created. This is only used for RemoteAccess.
A few years ago it was only for a few users. Since everybody is more or less working remotely now we need to do this for every user.
We’d like to investigate the possibility of going from that model to using accounts from Microsoft AD. There wouldn’t be a need to create an account a second time in Check Point.
We’re using Identity Awareness, so an LDAP account unit already exists.
Is it only a matter of enabling User Directory components in the properties of the management server?
I thought I had seen somewhere that you couldn’t have an internal user db and an external one at the same time. I can’t find that reference anymore so maybe it doesn’t matter.
Thanks
Francis
So in the Admin guide they say this:
"Enabling User Directory
In SmartConsole, enable the Security Management Server to manage users in the Account Unit. See Working with LDAP Account Units.
Note - You cannot use the SmartConsole User Database when the User Directory LDAP server is enabled."
Does this mean there is no migration possible if we are using local checkpoint accounts to move to LDAP accounts?
That's the way I understand that statement as well.
Andy
Correct, there is no migration path to move users in bulk. Most probably, you need to recreate them manually.
Thanks that's what I thought. So does it mean as soon as I enable User Directory existing users (local) won't be able to connect?
Of course not. Both locally defined users and those from LDAP can be used in parallel.
Thanks. Glad to hear that. It's not that clear when reading this note from the manual:
"Note - You cannot use the SmartConsole User Database when the User Directory LDAP server is enabled."
That's odd. Where do you see it? Can you provide me with an exact reference, please?
Never mind, I see the link. User Directory is a special feature allowing you to manage (create, edit, assign to groups, etc.) LDAP users from SmartConsole. The limitation is valid: if you enable User Directory, you won't be able to use local users anymore. However, if you manage your LDAP users via other means, such as AD management tools, you do not need User Directory in the first place.
I read your question as "can I use both local and LDAP user accounts for authentication purposes". The answer is still yes IF you DON'T enable User Directory, which, by the way, requires an additional license.
This is great info. That's correct, I'd like to use both for remote VPN access authentication but only for a transition period going from local to LDAP (MS AD). I thought I needed to enable User Directory for that.
No, you really don't want to do that. Also, you quoted user management from the SmartCenter admin guide. I would suggest looking into the RAS VPN admin guide instead.
