Identity Collector - LDAPS

Jump to solution

Hi,

When checking SK108235 for ports:

Communication Protocols

Direction | Port | Protocol
Identity Collector to Identity Awareness Gateway | 443 | Proprietary Check Point protocol, over HTTPS. Used for ongoing communication between the Agent and the Security Gateway.
Identity Awareness Gateway to Domain Controller | 389 / 636 | LDAP / LDAPS
Identity Collector to Domain Controller | 53 | DNS
* Identity Collector to Domain Controller | 389 | LDAP
Identity Collector to Domain Controller | 135, and dynamically allocated ports | DCOM protocol, which makes extensive use of DCE/RPC.
Identity Collector to Cisco ISE | 5222 | Session subscribe. Gets notifications of new login/logout events.
Identity Collector to Cisco ISE | 8910 | Bulk session download. Fetches all the active sessions from the ISE Server.

* Note: LDAPS is also optional (through port 636) when using "NetIQ eDirectory". For all other uses (which are the most common ones), we are using LDAP only. 


I don't see LDAPS, 636 for standard Microsoft AD. Not sure what this NetIQ eDirectory is.
When is LDAPS 636 coming for IA if it's not already present? (If so, I don't see where to change it in the GUI.)

Regards,

Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
1 Solution

Accepted Solutions
Employee+

Hi Magnus,

LDAP is used on Identity Collector in 2 ways:

  1. AD integration - only for discovering the AD servers in the environment. After this discovery, the entire communication is done securely with the Microsoft API. The discovery itself is performed with LDAP (not LDAPS).
  2. NetIQ eDirectory - this is an LDAP server by NetIQ, with which we communicate over LDAP / LDAPS all the way for fetching logged-in users.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D

4 Replies
Admin
I believe it's configured on the relevant LDAP Account Unit object.
0 Kudos

Within SmartConsole, yes, sure.
But in the Identity Collector you don't have any options like that.

And Microsoft is pushing pretty hard to remove LDAP for LDAPS.

[Screenshots: domain_ic.jpg, ad_server.jpg]

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
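Before relying on the LDAPS setting of an LDAP Account Unit, an admin can confirm that the Domain Controller actually answers on 636 with a certificate that validates. The check below is an added example, not code from this thread or from Check Point; the DC name and CA file are assumptions, and the ports are the 389 / 636 values from the SK108235 matrix quoted above.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Ports as listed in the SK108235 matrix quoted in the thread.
LDAP_PORT = 389
LDAPS_PORT = 636


@dataclass
class LdapsCheck:
    host: str
    port: int
    tcp_reachable: bool = False
    tls_ok: bool = False
    cert_subject: Optional[str] = None
    cert_not_after: Optional[str] = None
    error: Optional[str] = None


def check_ldaps(host: str, port: int = LDAPS_PORT, ca_file: Optional[str] = None,
                timeout: float = 3.0) -> LdapsCheck:
    """Open a TCP connection and complete a TLS handshake with hostname
    verification, exactly as an LDAPS client would. No LDAP bind or
    search is sent, so nothing is authenticated or queried."""
    result = LdapsCheck(host=host, port=port)
    ctx = ssl.create_default_context(cafile=ca_file)  # system CA store when None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse legacy TLS versions
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result.tcp_reachable = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result.tls_ok = True
                subject = cert.get("subject", ())
                result.cert_subject = ", ".join("=".join(rdn[0]) for rdn in subject)
                result.cert_not_after = cert.get("notAfter")
    except ssl.SSLError as exc:          # port open but certificate/TLS rejected
        result.error = f"TLS: {exc}"
    except OSError as exc:               # refused, filtered, timed out, DNS failure
        result.error = f"TCP: {exc}"
    return result


if __name__ == "__main__":
    # Hypothetical DC name (assumption); replace with a real one.
    print(check_ldaps("dc01.example.local"))
```

A result with tcp_reachable True but tls_ok False and a "TLS:" error usually means the DC has LDAPS enabled but its certificate is not issued by a CA the client trusts, or does not match the DC's name.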
Admin

I'm guessing Identity Collector will try both LDAP and LDAPS but maybe @Royi_Priov can confirm.

0 Kudos