This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ryan_Ryan
Advisor
‎2019-06-27 03:16 PM
Jump to solution

AD Query server connection

Hi all,

 

Wondering if anyone has ideas on this issue, I have 2 clusters (same policy). On one cluster it can successfully connect and receive login events from two domain controllers, on the other cluster I get the message "no connectivity, connection refused by remote host [ntstatus = 0xc0000236]"

 

Both clusters use the same login credentials,  both clusters can telnet to the server IP's on port 389 and 636. I have also connected to the server and checked event viewer. I don't see any errors it all says success.

 

When I use the test_ad_connectivity tool I get the following:

 

:status (SUCCESS_LDAP_WMI_NO_CONNECTIVITY)
:err_msg ("ADLOG_ERROR_NETWORK_PROBLEM;LDAP_SUCCESS")
:ldap_status (LDAP_SUCCESS)
:wmi_status (ADLOG_ERROR_NETWORK_PROBLEM)
:timestamp ("Thu Jun 27 16:55:30 2019")

 

 

Any ideas what this could be?

thanks

0 Kudos
1 Solution

Accepted Solutions
Sigbjorn
Advisor
Advisor
‎2019-06-27 10:38 PM
In response to Ryan_Ryan
Jump to solution

Hi Ryan,

You do need RPC communication for AD Query to work, but you don't need all "tcp-high-ports".

49152-65535 is the Microsoft specified range required, and it's what we use for our AD Query setups.

(In addtition to tcp/636 and tcp/135)

/Sigbjorn

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
‎2019-06-27 04:21 PM
Jump to solution

Can you check with ldapsearch instead?
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Ryan_Ryan
Advisor
‎2019-06-27 07:03 PM
In response to PhoneBoy
Jump to solution

Hi good idea,

 

I tried that and can confirm it has successfully queried and returns correct information from ldap.

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-27 08:31 PM
In response to Ryan_Ryan
Jump to solution

Unless @Royi_Priov or someone from R&D has an idea, I suggest opening a TAC case.

0 Kudos
Ryan_Ryan
Advisor
‎2019-06-27 09:13 PM
In response to PhoneBoy
Jump to solution

I might have found the issue, if there is another f/w between the gateway and the domain controller it appears you need to open:

 

tcp/389 or tcp/636

tcp/135

tcp/1025-65535 

 

For full connectivity. Will update once we have opened ports and confirmed.

0 Kudos
Sigbjorn
Advisor
Advisor
‎2019-06-27 10:38 PM
In response to Ryan_Ryan
Jump to solution

Hi Ryan,

You do need RPC communication for AD Query to work, but you don't need all "tcp-high-ports".

49152-65535 is the Microsoft specified range required, and it's what we use for our AD Query setups.

(In addtition to tcp/636 and tcp/135)

/Sigbjorn

Gaurav_Pandya
Advisor
‎2019-06-28 02:54 AM
In response to Sigbjorn
Jump to solution

Hi Ryan,

I am sure that firewall in between is the issue. You need to open required ports on that firewall

0 Kudos
Royi_Priov
Employee
Employee
‎2019-06-30 12:01 AM
In response to Gaurav_Pandya
Jump to solution

Hi,

It looks like you are in the right direction with the DCE-RPC ports, I will explain why:

LDAP connectivity is not related to the WMI connection which should be open between GW to AD.

You can also see in the log:

:status (SUCCESS_LDAP_WMI_NO_CONNECTIVITY)
:err_msg ("ADLOG_ERROR_NETWORK_PROBLEM;LDAP_SUCCESS")
:ldap_status (LDAP_SUCCESS)
:wmi_status (ADLOG_ERROR_NETWORK_PROBLEM)
:timestamp ("Thu Jun 27 16:55:30 2019")

 

Thanks,

Royi.

Thanks,
Royi Priov
R&D Group manager, Infinity Identity
0 Kudos
Ryan_Ryan
Advisor
‎2019-07-03 08:38 PM
In response to Royi_Priov
Jump to solution

confirmed it was the f/w ports needing to be opened. working now!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events