Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
John_Richards
Contributor

LDAPS Fingerprints and Proxy

Our client has a SMS server in Azure in it's own segregated network. It manages both on-site and Azure GW's with no issue (communicates via the Azure public IP). They were using LDAPS for VPN authentication which was working fine. It appears that the fingerprints changed on the AD servers and we need to update them on the SMS. Normally the SMS does not need to communicate with AD, just the GW's, but apparently the SMS does have to communicate when updating the Fingerprints. We tried to enable "Management Server needs proxy to reach AD server" but this did not help with the Fingerprints. Does anyone know how you can update the Fingerprints if the SMS cannot talk to AD directly? We turned off LDAPS, pushed policy, and the users could authenticate using AD. Turn on LDAPS and it fails.

 
 

 

 

11 Replies
PhoneBoy
Admin
Admin

I would think you could update the fingerprint manually with the correct value.
Might be worth a TAC case to ask if there's a way to do that.

0 Kudos
Tobias_Moritz
Advisor

Yes, you can update it manually. What Check Point expects here, is the MD5 fingerprint of the LDAP server cert. You can query it manually from a client which can reach the LDAP server using openssl. When running from the gateway (Gaia Expert Shell), use cpopenssl instead of openssl:

LDAP with Start-TLS:

echo | openssl s_client -connect servername:389 -starttls ldap | openssl x509 -noout -fingerprint -md5

LDAPS:

echo | openssl s_client -connect servername:636 | openssl x509 -noout -fingerprint -md5

 

In case you don't want/need certificate pinning and let the gateways just accept any LDAP server cert, you can leave the fingerprint string input field empty. Never tried it myself, but another CheckMate recently confirmed this is working.

JozkoMrkvicka
Mentor
Mentor

If the fingerprint is empty (blank) the firewall will accept all fingerprints. It is like "any" in rule 😄 and works perfectly. You dont need to fetch new fingerprint once cert on LDAP is changed.

Kind regards,
Jozko Mrkvicka
John_Richards
Contributor

I have attached a screen shot of the configuration for LDAPS. So to be clear, you are saying the I do not need anything in the Fingerprints area? I would enable "Use Encryption (SSL), clear the information in the Fingerprints box, save and push policy?

0 Kudos
Piet_vd_Maas
Contributor

You can leave the Fingerprint blank even using SSL

CCSM - CCTE - CCVS - CCMS
(1)
Matt_Taber
Contributor

Thank you for this.   We had written a script to check LDAPS cert fingerprints in policy to what the servers were presenting and then alert when there's a mismatch.  Before we knew this was happening, we were down to 1 DC (out of 6) that didn't have a fingerprint mismatch.   IA was on the brink of disaster.   Good to know we can just *NOT* have a fingerprint in there.

0 Kudos
JozkoMrkvicka
Mentor
Mentor

Yes.

Kind regards,
Jozko Mrkvicka
0 Kudos
John_Richards
Contributor

So I was able to clear the fingerprint field and enabled ldap-ssl. Users can now change their passwords using VPN. The odd thing is I see a few ldap-ssl connections using port 636 from the FW to the DC in the logs. Then I see users authenticating to VPN and the port is 389 (not 636). Is this normal or is there a way to force the authentication to use ldap-ssl? Thanks

0 Kudos
JozkoMrkvicka
Mentor
Mentor

How many LDAP servers are you using for redundancy ? You can configure many LDAP servers and every LDAP server can use different LDAP port (636 or 389). Check your LDAP Account Units for this one.

If LDAP with highest priority is not answering, second one in priority list is contacted.

Kind regards,
Jozko Mrkvicka
0 Kudos
John_Richards
Contributor

All servers are set to use ldap-ssl and there are only 2 servers. I am meeting with CP on Monday to discuss and get more information. Will provide an update.

0 Kudos
John_Richards
Contributor

I finally met with an Identity Awareness expert on this. Basically using LDAP-SSL creates a tunnel back to AD and all auth goes over this tunnel. You will still see regular LDAP traffic. MS does claim that the fingerprint should rarely, if ever change. This is not what we see with our customers who use LDAP-SSL and Identity Awareness. Would be nice if Check Point would document "NOT" needing the fingerprint along with a good explanation as to why.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events