Salom_Idhogela
Collaborator
Using LDAPS 636 for AD query Identity Awareness

Hi All,

I want to enable LDAPS (port 636) for Identity Awareness for my gateways in a cluster; currently it works with LDAP. Is it possible in Check Point?

Regards,

Salom

6 Replies
M_Soler
Contributor

Yes you can: go to Object Categories > Users/Identities > LDAP Account Units, choose your LDAP server and go to Servers (like in the screenshot), choose your host server and configure the Encryption.
LDAP Account Unit Properties.png
Note: you need to have LDAPS activated in your LDAP server.

Regards,
M_Soler

Salom_Idhogela
Collaborator

A cert might be required on the CP, how do I do that?

Regards,

Salom

M_Soler
Contributor

No certificate needed, Check Point firewall validates the certificate of Microsoft DCs using the fingerprint.

Regards,
M_Soler

Salom_Idhogela
Collaborator

Thanks, I managed to fetch the fingerprints; however, if I remove LDAP 389, leaving only 636, I am getting the attached error. Do I need to have all the protocols allowed on the FW rule?

Regards,

Salom

IA.png

Salom_Idhogela
Collaborator

I have found out that for LDAPS to work, LDAP 389 should also be allowed on the FW rule.

Follow this article to understand how it works.

https://www.tec-bite.ch/the-pain-with-check-point-and-ldaps-and-some-medicine-against-it/

Regards,

Salom

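The two points raised in this thread (the accepted finding that TCP/389 still has to be allowed in the rulebase alongside TCP/636, and M_Soler's note that the gateway trusts the DC by certificate fingerprint rather than by a CA) can be checked from any host with Python before touching the Account Unit. The script below is an added example, not code from the thread or from Check Point; the DC hostname, the expected fingerprint and the choice of SHA-1 as the digest are placeholders/assumptions to replace with the values your Account Unit actually shows.

```python
"""Added example (not from the thread): pre-flight checks for an LDAP Account
Unit being switched to LDAPS.

  1. Confirm both TCP/389 (LDAP) and TCP/636 (LDAPS) are reachable from the
     querying host, because the accepted solution found that blocking 389
     breaks Identity Awareness even with SSL enabled.
  2. Observe the certificate the DC presents on 636 and compare its
     fingerprint with the one the Account Unit fetched, which is how the
     gateway decides whether to trust the DC (no CA certificate involved).

Hostnames, ports other than 389/636, and the digest algorithm are assumptions.
"""
import hashlib
import socket
import ssl

LDAP_PORT = 389
LDAPS_PORT = 636


def fingerprint_hex(der_bytes: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of a DER certificate.
    SHA-1 is assumed here; pass whatever algorithm the Account Unit displays."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_equal(a: str, b: str) -> bool:
    """Compare fingerprints regardless of colons, spaces or letter case,
    so a value copied from the GUI matches one computed here."""
    norm = lambda s: "".join(ch for ch in s if ch.isalnum()).lower()
    return norm(a) == norm(b)


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect test. False on 389 or 636 points at the firewall
    rule or the DC service, not at the Account Unit's encryption settings."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_ldaps_fingerprint(host: str, port: int = LDAPS_PORT,
                            timeout: float = 5.0) -> str:
    """Open a TLS session to the DC and return the leaf certificate's
    fingerprint. Chain verification is disabled on purpose: the goal is to
    observe the certificate so it can be pinned by fingerprint, exactly as
    the gateway does; trust is decided by the comparison afterwards."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint_hex(der)


def ldaps_preflight(host: str, expected_fingerprint: str) -> dict:
    """Run both checks; expected_fingerprint is the value shown in the
    Account Unit's server Encryption tab after 'Fetch'."""
    report = {
        "ldap_389_reachable": port_open(host, LDAP_PORT),
        "ldaps_636_reachable": port_open(host, LDAPS_PORT),
        "fingerprint_matches": None,
    }
    if report["ldaps_636_reachable"]:
        seen = fetch_ldaps_fingerprint(host)
        report["observed_fingerprint"] = seen
        report["fingerprint_matches"] = fingerprints_equal(seen, expected_fingerprint)
    return report


if __name__ == "__main__":
    # Placeholder DC name and fingerprint (constructed); substitute your own.
    result = ldaps_preflight(
        "dc01.example.internal",
        "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33")
    for key, value in result.items():
        print(f"{key}: {value}")
```

A mismatch in `fingerprint_matches` after a DC certificate renewal is the usual reason an Account Unit that worked yesterday stops binding today; re-fetching the fingerprint in the Account Unit is the fix, and comparing the observed value against a known-good one is also a cheap way to notice an unexpected certificate on the path.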
Chris_Atkinson
Employee

Yes LDAPS is supported.

Start by reviewing SSL Encryption options in the LDAP Account unit.

Select 'Manage -> Servers and OPSEC Applications -> LDAP Account Unit'.

Under the Servers tab for your DC object, select Encryption tab.

See the setting "Use Encryption (SSL)". Port will be 636.

CCSM R77/R80/ELITE