fjulianom
Advisor

Identity Collector and VPN SSL/SNX

Hi community,

 

My customer has a deployment with many security gateways that currently use AD Query to map users to IP addresses. He is moving to Identity Collector, and after installing and configuring it, the security gateways are right now learning login events from both AD Query and Identity Collector. Now, before migrating to Identity Collector only, we have a doubt. My customer also has a security gateway running VPN SSL and VPN SNX for remote users, and it validates the remote users against AD. Do we have to change anything in the configuration of VPN SSL/SNX?

 

Regards,

Julián

13 Replies
Chris_Atkinson
Employee

The actual authentication of VPN users doesn't leverage Identity Collector. So this would be more about what you don't remove when decommissioning AD Query, e.g. LDAP Account Units or RADIUS servers, etc.

There is also the ability to leverage "remote access" as an identity source for identity awareness enforcement in your security policy.

CCSM R77/R80/ELITE
fjulianom
Advisor

Hi Chris,

The actual authentication of VPN users doesn't leverage Identity Collector. So this would be more about what you don't remove when decommissioning AD Query, e.g. LDAP Account Units or RADIUS servers, etc.

 

Do you mean my remote users will still be authenticated using RADIUS against the AD, and we don't need to touch anything in the remote access section?

 

Regards,

Julián

PhoneBoy
Admin

Yes, it simply means making sure Remote Access is configured as an Identity Source on the relevant gateway object:

image.png

fjulianom
Advisor

Hi again,

 

Still one doubt. My VPN users are authenticated with the AD server (LDAP Account Unit). According to the Identity Collector guide, we should disable LDAP Query in the LDAP Account Unit object:

Imagen1.png

And also change the credentials in this object to a non-admin user:

Imagen2.png

In this LDAP Account Unit, which is my AD server, all my users who connect to the VPN are stored.

- Then, will they still be authenticated through RADIUS against the AD if Active Directory Query is disabled?

- If so, and if the credentials used are non-admin, isn't there a problem when contacting the AD? We are using Identity Collector because of sk180232 (When AD Query is configured with a user who is not an admin on the Domain Controller (DC), AD Query cannot access the DC.)

- Or will the VPN users be authenticated not using the "AD Query" method but the "Remote Access" method, which is not affected by sk180232?

 

Regards,

Julián

 

PhoneBoy
Admin

Even with Identity Collector or Remote Access (with RADIUS auth), LDAP is used by the gateway to gather groups.
I'm not familiar with where the documentation states to change the Account Unit usage as you've shown, so an exact reference to the docs where this was suggested would be helpful.

You should definitely change the credentials used to non-admin credentials, though.

fjulianom
Advisor

Hi,

 

I saw about changing the Account Unit usage in this video from 3:45 on:

https://www.youtube.com/watch?v=SPF8BYYM1uY&list=PLBfjYlNj4w1tNYJk46ZlumprP0cKvHSS9&index=6

which makes sense; isn't it needed?

Anyway, do you mean that Remote Access clients authenticate directly against the AD through RADIUS, and not through AD Query, which uses WMI to look into the Active Directory Security Event Logs?

 

Regards,

Julián

PhoneBoy
Admin

I trust @Peter_Elmer on these matters 🙂

Meanwhile, Remote Access clients are authenticated through RADIUS and their groups are looked up in LDAP.
The Remote Access checkbox in the Identity Awareness configuration for the relevant gateway objects is to ensure the users are given their correct Access Roles for Access Policy enforcement.

fjulianom
Advisor

Hi PhoneBoy,

 

Then I will wait for @Peter_Elmer. My customer is concerned because the VPN users' usernames and passwords are stored in the same AD server. So he is afraid that if we disable Active Directory Query in the LDAP Account Unit object, and change the credentials in it to a non-admin user, the VPN users will not be able to authenticate. I think VPN users are authenticated through RADIUS, and for the group membership you don't need AD Query. But I don't know whether admin user credentials are needed to access the AD server for the group membership lookup; I am not sure.

 

Regards,

Julián

PhoneBoy
Admin

@Peter_Elmer actually did the video you linked.

Removing the Active Directory Query tickbox should have no effect on the LDAP queries needed by the gateway.
Changing the credentials in the LDAP AU object to non-admin credentials is HIGHLY recommended.
Your users should still be able to authenticate via VPN when you make these changes.

Peter_Elmer
Employee

Hello @fjulianom , @PhoneBoy ,

It's hard making recommendations without seeing all the configuration of remote access SNX. There are options using 'legacy' objects in the Access Control Policy instead of the recommended Access Role objects. It is my current recall that for SNX remote access, no ID Awareness sessions are getting created. Authentication is performed based on the legacy settings, referencing the LDAP Account Unit object. Note, there is a Client Template setting in the 4th tab of the object. It's kind of impossible to say more in writing, as the complexity requires a remote session review.

When you are using Access Role objects to represent users, the setting in Gateway > ID Awareness is taken into account. It's been years since I configured SNX, and I don't have a lab running now to check quickly. My lab is using Harmony SASE for Remote Access and has Quantum Gateways configured using dynamic route-based VPNs with Harmony SASE. In this way all Harmony SASE supported clients can connect via the SASE backbone to my 'data center' resources. On Harmony SASE and on Quantum I configured Microsoft Entra ID as the authentication instance. In this video, you can see the user experience documented. You may want to explore such options with your local Check Point Sales Engineering contacts.

I documented how ID Collector and AD Query impact the creation of Identity Sessions in sk179544. Here you can also find information about the UserID (a regular domain user, not an administrative account) that you configure in the LDAP Account Unit object.

I am sorry that I can't provide a 100% proven answer here, but in respect of the complexity and your production environment, I recommend either a lab exercise matching your production environment, or engaging Professional Services.

Best regards

Pelmer

fjulianom
Advisor

Hi Peter_Elmer,

 

Many thanks for your answer. I think the point is to know whether the Remote Access users use AD Query to authenticate and get the role. If AD Query is not used, I think it is safe to disable the AD Query checkbox in the LDAP Account Unit. My customer has SNX clients and regular VPN SSL clients. What do you think?

 

Regards,

Julián

Peter_Elmer
Employee

Hello @fjulianom ,

To my understanding, AD Query and Remote Access are not related. The legacy Remote Access configuration steps reference the LDAP Account Unit object. This object is also referenced by AD Query. These are two different functionalities using the same object to know the answer to the question "how can I contact the Active Directory".

This leads to a complex environment, and therefore I suggested staging it or calling Professional Services to get on-site help.

Best regards

Peter

fjulianom
Advisor

Hi guys,

 

As you said, Peter, AD Query and Remote Access are not related. I engaged TAC and they confirmed that disabling AD Query will not affect the VPN users' authentication, since the gateway authenticates the users and looks up their group membership through LDAP, not AD Query. Thank you very much @Peter_Elmer and @PhoneBoy for your interest.

 

Regards,

Julián
