LDAPS Fingerprints and Proxy
Our client has an SMS server in Azure in its own segregated network. It manages both on-site and Azure GWs with no issue (communicates via the Azure public IP). They were using LDAPS for VPN authentication, which was working fine. It appears that the fingerprints changed on the AD servers and we need to update them on the SMS. Normally the SMS does not need to communicate with AD, just the GWs, but apparently the SMS does have to communicate when updating the fingerprints. We tried to enable "Management Server needs proxy to reach AD server" but this did not help with the fingerprints. Does anyone know how you can update the fingerprints if the SMS cannot talk to AD directly? We turned off LDAPS, pushed policy, and the users could authenticate using AD. Turn on LDAPS and it fails.
I would think you could update the fingerprint manually with the correct value.
Might be worth a TAC case to ask if there's a way to do that.
Yes, you can update it manually. What Check Point expects here is the MD5 fingerprint of the LDAP server cert. You can query it manually from a client which can reach the LDAP server using openssl. When running from the gateway (Gaia Expert Shell), use cpopenssl instead of openssl:
LDAP with Start-TLS:
echo | openssl s_client -connect servername:389 -starttls ldap | openssl x509 -noout -fingerprint -md5
LDAPS:
echo | openssl s_client -connect servername:636 | openssl x509 -noout -fingerprint -md5
In case you don't want/need certificate pinning and want the gateways to just accept any LDAP server cert, you can leave the fingerprint string input field empty. Never tried it myself, but another CheckMate recently confirmed this is working.
If the fingerprint is empty (blank) the firewall will accept all fingerprints. It is like "any" in a rule 😄 and works perfectly. You don't need to fetch a new fingerprint once the cert on the LDAP server is changed.
Jozko Mrkvicka
I have attached a screenshot of the configuration for LDAPS. So to be clear, you are saying that I do not need anything in the Fingerprints area? I would enable "Use Encryption (SSL)", clear the information in the Fingerprints box, save and push policy?
You can leave the Fingerprint blank even when using SSL.
Thank you for this. We had written a script to check LDAPS cert fingerprints in policy to what the servers were presenting and then alert when there's a mismatch. Before we knew this was happening, we were down to 1 DC (out of 6) that didn't have a fingerprint mismatch. IA was on the brink of disaster. Good to know we can just *NOT* have a fingerprint in there.
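An added example, not the poster's script and not Check Point code: a small Python monitor that does what the post above describes, comparing the MD5 fingerprint each DC presents on 636 with the value pinned in the LDAP Account Unit, in the same colon-separated format the openssl commands earlier in the thread print. The hostnames and pins in it are constructed placeholders; an empty pin is reported as "ANY" to mirror the blank Fingerprints field discussed in this thread.

```python
import hashlib
import socket
import ssl

def fingerprint_from_der(der: bytes) -> str:
    """MD5 of the DER-encoded cert, formatted like `openssl x509 -fingerprint -md5`."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_ldaps_fingerprint(host: str, port: int = 636, timeout: float = 5.0) -> str:
    """Return the fingerprint of the cert an LDAPS server presents.
    Chain validation is deliberately off: like `openssl s_client` we only want
    to see what is presented; the pin comparison below is the trust decision."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint_from_der(tls.getpeercert(binary_form=True))

def _norm(fp: str) -> str:
    # Ignore case and colons so values pasted from SmartConsole or openssl compare equal.
    return fp.replace(":", "").strip().upper()

def check_pin(pinned: str, presented: str) -> str:
    """'ANY' if the Fingerprints field is blank (gateway accepts any cert, nothing to
    compare), else 'OK' or 'MISMATCH'."""
    if not _norm(pinned):
        return "ANY"
    return "OK" if _norm(pinned) == _norm(presented) else "MISMATCH"

def audit(account_units: dict) -> dict:
    """account_units: host -> pinned MD5 fingerprint ('' when the field is blank)."""
    report = {}
    for host, pinned in account_units.items():
        try:
            presented = fetch_ldaps_fingerprint(host)
        except OSError as exc:  # ssl.SSLError is an OSError too
            report[host] = f"ERROR {exc}"
            continue
        report[host] = f"{check_pin(pinned, presented)} presented={presented}"
    return report

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and pins); replace with your Account Unit values.
    SAMPLE = {"dc1.example.internal": "D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E",
              "dc2.example.internal": ""}
    for host, status in audit(SAMPLE).items():
        print(host, status)
```

Run it from a host that can reach the DCs on 636, as the SMS in the original question could not; an Account Unit that uses LDAP with StartTLS on 389 is not covered here, so for those use the `-starttls ldap` openssl command from the earlier reply.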
Yes.
Jozko Mrkvicka
So I was able to clear the fingerprint field and enable ldap-ssl. Users can now change their passwords using VPN. The odd thing is I see a few ldap-ssl connections using port 636 from the FW to the DC in the logs. Then I see users authenticating to VPN and the port is 389 (not 636). Is this normal, or is there a way to force the authentication to use ldap-ssl? Thanks
How many LDAP servers are you using for redundancy? You can configure many LDAP servers and every LDAP server can use a different LDAP port (636 or 389). Check your LDAP Account Units for this one.
If the LDAP server with the highest priority is not answering, the second one in the priority list is contacted.
Jozko Mrkvicka
All servers are set to use ldap-ssl and there are only 2 servers. I am meeting with CP on Monday to discuss and get more information. Will provide an update.
I finally met with an Identity Awareness expert on this. Basically using LDAP-SSL creates a tunnel back to AD and all auth goes over this tunnel. You will still see regular LDAP traffic. MS does claim that the fingerprint should rarely, if ever change. This is not what we see with our customers who use LDAP-SSL and Identity Awareness. Would be nice if Check Point would document "NOT" needing the fingerprint along with a good explanation as to why.
I'm trying to set up LDAPS; LDAP works fine. I got off the phone with CP support and they said not to do what everyone here is suggesting of accepting any fingerprint. But also my LDAPS isn't working and it won't fetch the settings. We are using a self-signed cert, so I'm not sure if that makes a difference.
