I'm trying to set up Identity Awareness with Identity Collector in a fairly large organization.
Two Collectors have been installed to separate VMs, and they are connected to the Security Gateway (VS). I have defined the company domain in the Collector management software and credentials proved valid.
Now I'm struggling with adding the actual domain controllers. When trying to fetch them automatically, after entering one of the DC IPs as requested by the wizard I got a message in green saying "Sources fetching finished successfully" but the list doesn't get populated with any DCs. The details log is saying "Failed with this DNS, might try with another DNS", and then it says on the row beneath "Make DNS query with the following DNS: 10.22.*.*"
The suggested 10.22.*.* address belongs to the Infoblox cluster, which acts as the primary IPAM for the domain. If I try to connect to that address instead as suggested by the log, it says in red "Unable to connect".
I can add a DC manually, but it just ends up with a pending status and does nothing.
The account specified for the domain is a member of the Event Log Readers AD group.
Does anyone know if the Identity Collector requires the DNS to be running under the Active Directory, as sk108235 is mentioning that the DCs must be able to receive DNS traffic from the Collector server?
Thanks in advance.
Fredrik
I would look at the DNS queries generated to make sure the correct responses are coming back.
My guess is that the Infoblox server isn’t returning the records we expect.
Paging @Royi_Priov for other ideas.
Okay. This is the response I get back according to the details log within the Collector:
A Records:
<Empty>
SRV Records:
DC1
DC2
DC3
DC4
DC5
DC6
Should be the necessary information, right?
I will try to capture the queries as well. I've just got confirmation that the DCs' internal firewalls aren't blocking the required ports.
It's not about blocking the ports (though obviously that'd be problematic too) but comparing the equivalent queries with that on the AD server to see if the results are...different.
We have now captured queries between Identity Collector and Infoblox. The Identity Collector sends a standard DNS query for "_ldap._tcp.<site>._sites.dc._msdcs.<domain>" to Infoblox, which responds nicely with SRV records containing all the domain controllers. The Identity Collector doesn't seem to like it though.
No DNS services are running on the actual domain controllers, so not much to compare the queries against.
See attached screenshots from Identity Collector and Wireshark. I cannot find any information that points out exactly what the Identity Collector expects for an answer.
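Added example, not part of the thread and not Check Point code: a standard-library Python parser that takes a raw DNS response to the SRV query described above and lists the SRV targets together with any A records delivered in the same response. What the Identity Collector itself expects is not stated on this page, so this only shows what a response contains; the site, domain, host names and addresses are constructed.

```python
import struct

QNAME = "_ldap._tcp.Site1._sites.dc._msdcs.example.test"  # constructed, same form as above

def enc_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"

def rr(owner, rtype, rdata):
    return enc_name(owner) + struct.pack("!HHIH", rtype, 1, 600, len(rdata)) + rdata

def sample_response(targets, glue):  # constructed reply: SRV answers + optional A records
    msg = struct.pack("!6H", 1, 0x8580, 1, len(targets), 0, len(glue))
    msg += enc_name(QNAME) + struct.pack("!HH", 33, 1)
    msg += b"".join(rr(QNAME, 33, struct.pack("!3H", 0, 100, 389) + enc_name(t)) for t in targets)
    return msg + b"".join(rr(h, 1, bytes(map(int, ip.split(".")))) for h, ip in glue.items())

def read_name(msg, off):  # returns (name, offset after the name), follows compression pointers
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n

def parse_response(msg):
    """Return (srv_targets, a_records) found anywhere in a raw DNS response."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):                    # skip each question: name + type + class
        off = read_name(msg, off)[1] + 4
    srv, a = [], {}
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:                    # SRV rdata: priority, weight, port, target
            srv.append(read_name(msg, off + 6)[0])
        elif rtype == 1:                   # A rdata: four address bytes
            a[owner] = ".".join(map(str, msg[off:off + 4]))
        off += rdlen
    return srv, a

def targets_without_address(msg):  # SRV targets with no A record in this same response
    srv, a = parse_response(msg)
    return [t for t in srv if t not in a]
```

To check a real capture, pass the UDP payload of the DNS response to `targets_without_address`; every name it returns needs a separate A lookup before the host can be reached.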
That all seems reasonable.
A TAC case is definitely in order here.
It's working now. The problem was that no query pool had been defined. With a pool in place and the pending domain controllers added to it, the status went to "green" and event traffic started to flow.
I thought that connection must be established first, in order to group the controllers together for a specific site. Turned out it was the other way around. Case closed.