This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Salom_Idhogela
Collaborator
‎2023-07-05 03:04 AM
Jump to solution

Using LDAPS 636 for AD query Identity Awareness

Hi All,

 

I want to enable LDAPS port 636 for Identity Awareness for may gateways in a cluster, current it works with LDAP. Is it possible in Checkpoint?

Regards,

Salom

0 Kudos
1 Solution

Accepted Solutions
Salom_Idhogela
Collaborator
‎2023-07-07 05:51 AM
In response to M_Soler
Jump to solution

I have found out that for LDAPS to work, LDAP 389 should also be allowed on the FW rule.

Follow this article to understand how it works.

https://www.tec-bite.ch/the-pain-with-check-point-and-ldaps-and-some-medicine-against-it/

Regards,

Salom

View solution in original post

0 Kudos
6 Replies
M_Soler
Contributor
‎2023-07-05 06:52 AM
Jump to solution

Yes you can, go to Object Catégories>Users/identities> LDAP Account Units chose your LDAP server and go to Servers (like in the screenshot) chose your host server and configure the Encryption.
LDAP Account Unit Properties.png
Note: you need to have LDAPS activated in your LDAP server.

Regards,
M_Soler

Salom_Idhogela
Collaborator
‎2023-07-06 06:48 AM
In response to M_Soler
Jump to solution

A cert might be required on the CP, how do I do that?

Regards,

Salom

0 Kudos
M_Soler
Contributor
‎2023-07-06 07:53 AM
In response to Salom_Idhogela
Jump to solution

No certificate needed, Check Point firewall validates the certificate of Microsoft DCs using the fingerprint.

Regards,
M_Soler

0 Kudos
Salom_Idhogela
Collaborator
‎2023-07-07 01:41 AM
In response to M_Soler
Jump to solution

Thanks, I managed to fetch the fingerprints however If I removed LDAP 389, leaving 636 I am getting the attached error. Do I need to have all the protocol allowed on the FW rule?

Regards,

Salom

 

IA.png

0 Kudos
Salom_Idhogela
Collaborator
‎2023-07-07 05:51 AM
In response to M_Soler
Jump to solution

I have found out that for LDAPS to work, LDAP 389 should also be allowed on the FW rule.

Follow this article to understand how it works.

https://www.tec-bite.ch/the-pain-with-check-point-and-ldaps-and-some-medicine-against-it/

Regards,

Salom

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-07-05 06:55 AM
Jump to solution

Yes LDAPS is supported.

Start by reviewing SSL Encryption options in the LDAP Account unit.

Select 'Manage -> Servers and OPSEC Applications -> LDAP Account Unit'.

Under the Servers tab for your DC object, select Encryption tab.

See the setting "Use Encryption (SSL)". Port will be 636.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events