Hi Chris,

The actual authentication of VPN users doesn't leverage Identity Collector. So this would be more about what you don't remove when decommissioning ADquery e.g. LDAP Account units or Radius servers etc.

Do you mean my remote users will be still authenticated using RADIUS against the AD and we don't need to touch anything for the remote access section?

Regards,

Julián

Hi again,

Still one doubt. My VPN users are authenticated with the AD server (LDAP Account units). According to the Identity Collector guide, we should disable LDAP Query in the LDAP Account Unit object:

And also, change the credentials with a non-admin user in this object:

In this LDAP Account Unit, which is my AD server, all my users who connect to VPN are stored.

- Then, will they be still authenticated through RADIUS against the AD if Active Directory Query is disabled?

- If so, if the credentials used are non-admin, isn't there a problem when contacting the AD? We are using Identity Collector because of the sk180232 (When AD Query is configured for a user who is not an admin on the Domain Controller (DC), AD Query cannot access the DC.)

- Or the VPN users will be authenticated not using "AD query" method but "Remote Access" method which is not affected by sk180232?

Regards,

Julián

Even with Identity Collector or Remote Access (with RADIUS auth), LDAP is used by the gateway to gather groups.
Not familiar with where the documentation states to change the Account Unit usage as you’ve shown, so an exact reference to the docs where this was suggested would be helpful. 

You should definitely change the credentials used to non-admin credentials, though.

Hi,

I saw about changing the Account Unit usage in this video from 3:45 on:

https://www.youtube.com/watch?v=SPF8BYYM1uY&list=PLBfjYlNj4w1tNYJk46ZlumprP0cKvHSS9&index=6

which makes sense, isn't it needed?

Anyway, do you mean that Remote Access clients authenticate directly against the AD through RADIUS and not through AD Query which uses WMI to look into Active Directory Security Event Logs?

Regards,

Julián

I trust @Peter_Elmer on these matters 🙂

Meanwhile, Remote Access clients are authenticated through RADIUS and their groups are looked up in LDAP.
The Remote Access checkbox in the Identity Awareness configuration for the relevant gateway objects is to ensure the users are given their correct Access Roles for Access Policy enforcement.

Hi PhoneBoy,

Then I will wait for @Peter_Elmer. My customer is concerned because the VPN users' usernames and passwords are stored in the same AD server. Then he is afraid if we disable the Active Directory Query in the LDAP Account Unit object, and change the credentials to non-admin user in it, the VPN users will not be able to authenticate. I think VPN users are authenticated through RADIUS, and for the group membership you don't need AD Query. But I don't know if for the group membership an admin user credential is needed to access the AD server or not, I am not sure.

Regards,

Julián

@Peter_Elmer actually did the video you linked.

Removing the Active Directory Query tickbox should have no effect on LDAP queries needed by the gateway 
Changing the credentials in the LDAP AU object to non-admin credentials is HIGHLY recommended.
Your users should still be able to authentication via VPN when you make these changes.

Hello @fjulianom , @PhoneBoy ,

It's hard making recommendations without seeing all the configuration of remote access SNX. There are options using 'legacy' objects in the Access Control Policy instead of the recommended Access Role Objects. It is my current recall, that for SNX remote access, no ID Awareness sessions are getting created. Authentication is performed based on the legacy settings, referencing the LDAP Account Unit object. Note, there is a Client Template setting in the 4th tab of the object. It's kind of impossible to say more by writing, as the complexity requires a remote session review. 

When you are using Access Role Objects to represent users, the setting in Gateway > ID Awareness is taken into account. It's been years I haven't configured SNX and don't have a lab running now to check quickly.  My lab is using Harmony SASE for Remote Access and have Quantum Gateways configured using dynamic route-based VPNs with Harmony SASE. In this way all Harmony SASE supported clients can connect via the SASE backbone to my 'data center' resources. On Harmony SASE and on Quantum I configured Microsoft Entra ID as authentication instance. In this video, you can see the user experience documented. You may want to explore such options with your local Check Point Sales Engineering contacts.

I documented how ID Collector and AD Query impact the creation of Identity Sessions in sk179544. Here you can find as well information about the UserID (a regular domain user - not an administrative account) that you configure in the LDAP Account Unit Object. 

I am sorry, that I can't provide a 100% proven answer here, but in respect of the complexity and your production environment, I recommend either a lab exercise matching your production environment, or to engage Professional Services.

Best regards

Pelmer 

Hi Peter_Elmer,

Many thanks for your answer. I think the point is to know if the Remote Access users uses AD Query to authenticate and get the role. If AD Query is not used, I think is sure to disable the AD Query checkbox in the LDAP Account Unit. My customer has SNX clients and regular VPN SSL clients. What do you think?

Regards,

Julián

Hello @fjulianom ,

to my understanding AD Query and Remote Access are not related. The legacy Remote Access configuration steps are referencing the LDAP Account Unit object. This object is as well referenced by AD Query. These are two different functionalities using the same object to know the answer to the question "how can I contact the Active Directory".

This leads to a complex environment and therefore I suggested to stage it or to call Professional Services to get on-site help.

best regards

peter

Hi guys,

As you said Peter, AD Query and Remote Access are not related. I engaged TAC and they confirmed that disabling AD Query will not affect the VPN users authentication, since the gateway authenticates the users and looks for the membership through LDAP, and not AD Query. Thank you very much @Peter_Elmer and @PhoneBoy for your interest.

Regards,

Julián