Hi,
I have a Quantum 1600 device which I need to authenticate against the new Windows Server 2025 AD server. But I can only enter an IP address, so it is not possible to successfully connect my appliance to the LDAPS Windows server. I get the error "Stronger authentication required". But I can enter only an IP address, no hostname or FQDN, and this is the reason the authentication fails against the AD server.
What can I do to solve this issue?
Thanks for the help
Rafael
Hi Everyone,
I am planning to build Windows Server 2025 for a new customer and set up authentication integration between the server and Quantum Spark for RA VPN.
However, based on this thread, it seems that this may not work properly yet.
I don’t have experience enabling the RADIUS server feature on Windows Server, so if authentication via RADIUS is possible as an alternative, I would like to consider that option.
Has anyone tried RADIUS authentication instead of LDAP?
Even if you use RADIUS for authentication, LDAP is still necessary to get information about user groups.
@G_W_Albrecht @LM-Rafael @Tom_Hinoue
Hi Guys,
Quick summary of the issue:
Starting with Windows Server 2025, Microsoft enforces LDAP signing and channel binding by default.
While earlier Windows Server versions allowed unsecured LDAP (simple bind without signing), Windows Server 2025 requires secure LDAP over SSL/TLS (LDAPS).
Since Quantum Spark appliances previously attempted LDAP communication without SSL, authentication failed due to missing certificate validation and channel binding enforcement.
We have now released a new Jumbo Hotfix (HFX) that adds support for LDAPS communication with Windows Server 2025.
This fix will also be included in our upcoming official release R82.x.
In the meantime, here are the Jumbo HFX download links:
After installation, run in clish:
set user-awareness ldaps true
On the Windows Server 2025 side, make sure a CA certificate is installed via Active Directory Certificate Services (AD CS).
Thank you all for your patience.
I’ll do my best to go back over the service requests from the past six months to make sure this fix reaches everyone who needs it.
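The fix described above comes down to one thing: a Windows Server 2025 DC that requires LDAP signing answers a clear-text simple bind on TCP/389 with LDAP resultCode 8 (strongAuthRequired), which the appliance surfaces as "Stronger authentication required", while the same bind over LDAPS on TCP/636 succeeds once the DC certificate chains to the AD CS CA. The following probe reproduces both cases from any host, so a practitioner can confirm the DC side before or after applying the HFX. It is an added example for this thread, not code from Check Point's firmware, the HFX or Microsoft; the host name, bind DN, password and CA file are placeholders, and it uses only the Python standard library with a minimal BER encoder/decoder for an LDAPv3 simple BindRequest/BindResponse (RFC 4511).

```python
"""Probe a DC for the LDAP signing requirement and verify an LDAPS simple bind.

Added example, not Check Point or Microsoft code. Host, bind DN, password and
CA file are placeholders; the sample BindResponse at the bottom is constructed.
"""
import socket
import ssl

LDAP_SUCCESS = 0
LDAP_STRONG_AUTH_REQUIRED = 8      # strongAuthRequired: DC wants signing or TLS for simple binds
LDAP_INVALID_CREDENTIALS = 49


def _ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def build_simple_bind(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind_req = _tlv(0x60,                                  # [APPLICATION 0] BindRequest
                    _tlv(0x02, b"\x03")                    # version INTEGER 3
                    + _tlv(0x04, bind_dn.encode())         # name LDAPDN
                    + _tlv(0x80, password.encode()))       # [0] simple OCTET STRING
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind_req)   # msg_id < 128


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                          # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def parse_bind_response(buf):
    """Return (resultCode, diagnosticMessage) from an LDAPMessage carrying a BindResponse."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = _read_tlv(body, 0)                         # messageID, not needed here
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x61:                                        # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(resp, 0)                      # resultCode ENUMERATED
    _, _, pos = _read_tlv(resp, pos)                       # matchedDN
    _, diag, _ = _read_tlv(resp, pos)                      # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")


def explain(code):
    return {
        LDAP_SUCCESS: "success: bind accepted",
        LDAP_STRONG_AUTH_REQUIRED: "strongAuthRequired: DC rejects clear-text simple binds, use LDAPS",
        LDAP_INVALID_CREDENTIALS: "invalidCredentials: transport is fine, check bind DN/password",
    }.get(code, f"resultCode {code}")


def _bind_over(sock, bind_dn, password):
    sock.sendall(build_simple_bind(1, bind_dn, password))
    return parse_bind_response(sock.recv(4096))           # a BindResponse fits in one read


def probe_plain_ldap(host, bind_dn, password, port=389, timeout=5):
    """Clear-text simple bind on 389. A DC that requires signing answers resultCode 8."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return _bind_over(s, bind_dn, password)


def probe_ldaps(host, bind_dn, password, cafile, port=636, timeout=5):
    """Simple bind over TLS, chain validated against the AD CS root in `cafile`.
    check_hostname means `host` must appear in the DC certificate's SAN: connect
    by FQDN, or by an IP only if the certificate carries that IP as an IP SAN."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as s:
        return _bind_over(s, bind_dn, password)


def sample_strong_auth_response():
    """Constructed (not captured) BindResponse: messageID 1, resultCode 8."""
    diag = b"The server requires binds to turn on integrity checking"
    resp = _tlv(0x61, _tlv(0x0A, b"\x08") + _tlv(0x04, b"") + _tlv(0x04, diag))
    return _tlv(0x30, _tlv(0x02, b"\x01") + resp)
```

Usage from a Python shell: `explain(probe_plain_ldap("dc01.example.com", "CN=svc-spark,OU=Service,DC=example,DC=com", "secret")[0])` should report strongAuthRequired against a signing-enforcing DC, and `explain(probe_ldaps(..., cafile="ad-cs-root.pem")[0])` should report success (or invalidCredentials, which still proves the TLS path works). If `probe_ldaps` raises an `ssl.SSLCertVerificationError` instead, the DC certificate does not chain to the CA file or its SAN does not cover the name you connected to, which is the same constraint behind the IP-versus-FQDN problem in the original post.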
Hi @itayravenna
Great news!
Is this fix only for the legacy AD Query, or does it also make Identity Collector work?
Hi @Tom
I haven't tested that yet.
Hi @itayravenna ,
The fix description (CLISH command) seems like it's only for the AD query... anyway, I will test both patterns.
Hi @itayravenna
I tested the provided fix and confirmed the Spark gateway can now connect to the AD server using LDAPS (TCP/636). We don't see the "Stronger Authentication Required" warning any more 🙂
Any chance the CLISH parameter could be added to Device -> Advanced Settings so it could be configured via the WebUI, or maybe a checkbox could be added when defining the AD server in IDA when we want to use LDAPS?
Also, we still have the issue where AD groups could not be read/fetched.
Does this occur on your side..? Related?
Hi @Tom_Hinoue
I think an advanced parameter will be added in the 82 official release; there will also be a UI agreement to fill in.
Not sure about the groups issue... it didn't happen on my end.
This firmware is currently not available in the Infinity SMP Portal. Can you please add it to the SMP or provide the Customer Hotfix Firmware ID?
And is the fix from sk183884 also included here?
You can add them yourself to your SMP account.
Go to Plan / GW Object -> Services -> Firmware -> Add Customer Hotfix Firmware
The firmware ID is in the link of the specific download, for example:
https://support.checkpoint.com/results/download/139514?fw1_vx_dep_R81_10_17_996004708.img
As for sk183884: since it's also a JHX, I don't think it's included, but I'm double-checking this internally with R&D.
Great! Thank you.
@itayravenna - any news about sk183884 ?
Seems to be included. In the SR# I asked whether R81_10_17 Build 996004708 (which adds support for LDAPS communication with Windows Server 2025) and R81.10.17 Build 996004654 (including the Update Required for VPN/Remote Access Security Gateways Using DigiCert/GeoTrust CA by Sep 8, 2025) are included in R81.10.17 build 996004710 (for the empty URLF Categories tab), and learned that previous fixes are already included in this jumbo hotfix (build 996004710) and that it also includes the DigiCert fix.
So the fix from sk183884 should be included here, too…
Some questions remain:
- What about IA on GAiA? According to R&D, this issue is present on all CP products using IA.
- What about the new 25x0 SMBs?
- Is there finally an SK to document the issue, or only a simple email and a CheckMates topic?