Simon_Macpherso
Advisor

AWS Identity Awareness Configuration

Hello,

We are configuring the identity awareness blade on an AWS CloudGuard gateway.

- The IA blade is enabled.
- The identity collector has been configured as an identity source in the blade configuration.
- The collector has been installed and configured on a Windows Server 2022 EC2 instance which resides on a network behind the CloudGuard gateway.
- The identity sources are Active Directory servers hosted on-premise.
- There is an active VPN between the AWS CloudGuard gateway and the on-premise site where the AD servers reside.
- An access rule has been created specifying an access role, which in turn specifies the relevant networks and users.

When trying to connect to a remote destination, the identity awareness blade shows a failure when trying to authenticate against the AD servers.

"An error was detected while trying to authenticate against the AD server. It may be a problem of bad configuration or connectivity"

There is LDAP traffic in the logs showing the security gateway sending LDAP queries to the LDAP server. The traffic is sent in the clear and accepted by an implied rule.

The problem appears to relate to sk26059, where authentication fails when the LDAP server is located behind a remote Security Gateway.

The solution outlined in sk26059 is to modify the implied_rules.def file by commenting out the `#define ENABLE_LDAP_SERVER` line and adding an explicit rule that allows LDAP traffic to/from the relevant Security Gateways to the LDAP and AD servers.

Are there any caveats to this solution? 

Regards,

Simon 


1 Reply
PhoneBoy
Admin

The caveat is that if the VPN goes down, so does Identity Awareness, effectively.
