Security_Consul
Participant

Identity Awareness on VSX Virtual System environment

Hi 

I enabled Identity Awareness on a VSX Virtual System (Test2) under the VSX Gateway. I connected to my LDAP server without the wizard: when I used the ID wizard config I got the error "SmartDashboard could not connected Server", so I configured the LDAP server connection manually, and that can query the user database from the LDAP server; when I create an Access Role the user list appears. The problem is that when I test with an account under an Access Role (specific user/group to any destination, any service), the policy rule doesn't get any hit count.

I don't have any config on the VSX Gateway apart from DNS and MGT IP.

Q1: Why does the Identity Awareness wizard show "SmartDashboard could not connected Server"? I prefer to use the wizard rather than manual config.
Q2: Why do the Access Roles not have any hit count?

Q3: How do I configure Identity Awareness on a VSX Virtual System?

6 Replies
Maarten_Sjouw
Champion

First of all, it helps if you mention the version you are working with.
The second point you need to know is that the way the connections are set up differs per version.

  • R77.xx: during setup the connection is made between the Windows machine, running SmartDashboard, and the AD server
    • Once active, the Gateway and the AD server run the actual connection for checking group memberships, and also AD server to gateway for login entries to tie the user to an IP.
  • R80.10 and up: the initial connection is set up from the SMS to the AD server (since last month MS only accepts LDAPS connections!!!). For changing things in SmartConsole (adding roles) the management server directly connects to the AD server
  • R80.20 and up allow the gateway to act as a proxy for the connection between the Management server and the AD server

Also keep in mind that the gateway by default will try to login by means of NTLM v1, use 'adlogconfig a' to change this behavior to NTLM v2 (don't forget to push policy directly after changing the setting to take effect!!)

In a VSX environment the VS will have its own connection to the AD server; this is not done by the VSX gateway/cluster, like some other things are done on that level. This way each VS can be used in its own environment with its own AD server.

Regards, Maarten
Security_Consul
Participant

Hi Maarten

Thank for reply

I am running GAIA R80.30 with the 3.10 kernel.

About LDAPS, do you mean that since last month a Microsoft AD Server integrated with a Check Point version above 8.10 has to enable LDAPS? I tested in an offline LAB whether SSL is enabled or not; if it has to be enabled (SmartDashboard > LDAP Account Unit > Servers tab > AD Server > Encryption > Enable Use SSL > OK), right?

I actually tested enabling LDAPS: my Access Roles cannot query AD users; when I disable it, they can query.

Next, about the proxy: as I understood it, if the connection between the SMS and the AD server is not in the same environment (same network), should I use the proxy, selecting a VS that can route to the AD server? (SmartDashboard > LDAP Account Unit > Object Management tab > Management Server needs proxy to reach AD Server > Select VS > OK) Right?

Could you tell me why SmartDashboard shows an error when connecting to the AD server?

Maarten_Sjouw
Champion

The latest update from MS has been set to enforce LDAPS, so when that is installed you should not be able to connect anymore without LDAPS.
(SmartConsole > LDAP Account unit > Servers tab > AD Server > Encryption > Enable Use SSL > OK) Right!!

Proxy is only needed when the management server is NOT able to connect directly to the AD server. In your case, check the logs of your Palo for drops between SMS and AD server, AD server and gateway, and gateway to AD.
Regards, Maarten
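One way to narrow down the "could not connect" error discussed in the two replies above is to test, from the machine running SmartConsole (or from the management server itself), whether the AD server answers on plain LDAP (389) and LDAPS (636) and whether its LDAPS certificate is actually trusted. The Python 3 script below is an added example, not code from this thread or from Check Point; the hostname `dc01.example.test` and the optional CA-bundle path are placeholders, and the messages returned by `diagnose` are this example's own wording for the likely cause of each outcome.

```python
"""Added troubleshooting helper (not from the thread): check LDAP/LDAPS
reachability and LDAPS certificate trust for an AD domain controller, the
same path the LDAP account unit has to use. Hostnames are placeholders."""
import socket
import ssl
from typing import Dict, Optional

LDAP_PORT = 389
LDAPS_PORT = 636


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ldaps_tls(host: str, port: int = LDAPS_PORT,
                    cafile: Optional[str] = None,
                    timeout: float = 3.0) -> Dict[str, object]:
    """Do the TLS handshake an LDAPS client does (no LDAP bind) and report
    whether the DC certificate validates against `cafile` (or the system
    trust store when cafile is None)."""
    ctx = ssl.create_default_context(cafile=cafile)
    result: Dict[str, object] = {"tcp": False, "tls": False,
                                 "verified": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["tcp"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = True
                result["verified"] = True
                # Flatten the RDN tuples of the peer certificate subject.
                result["subject"] = dict(
                    rdn[0] for rdn in tls.getpeercert()["subject"])
    except ssl.SSLCertVerificationError as exc:
        # Handshake got as far as certificate validation, so LDAPS is served
        # but the certificate chain is not trusted here.
        result["tls"] = True
        result["error"] = f"certificate verification failed: {exc.verify_message}"
    except ssl.SSLError as exc:
        result["error"] = f"TLS handshake failed: {exc}"
    except OSError as exc:
        result["error"] = f"connection failed: {exc}"
    return result


def diagnose(ldap_open: bool, ldaps: Dict[str, object]) -> str:
    """Map the raw checks to the most likely cause of a
    'could not connect to server' error in the LDAP account unit."""
    if not ldap_open and not ldaps["tcp"]:
        return ("no TCP path to the AD server: check routing and firewall "
                "drops on 389/636 between this host and the DC")
    if ldap_open and not ldaps["tcp"]:
        return ("only plain LDAP is reachable: TCP 636 is blocked or LDAPS "
                "is not enabled on the DC")
    if ldaps["tcp"] and not ldaps["tls"]:
        return ("TCP 636 is open but no TLS handshake completed: the DC is "
                "not serving LDAPS on that port")
    if ldaps["tls"] and not ldaps["verified"]:
        return ("LDAPS answers but its certificate is not trusted: import "
                "the DC/CA certificate into the LDAP account unit")
    return ("LDAPS reachable and certificate trusted: connectivity is not "
            "the problem, check the bind DN and credentials")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.test"  # placeholder
    cafile = sys.argv[2] if len(sys.argv) > 2 else None  # exported AD CA cert (PEM)
    ldap_open = check_tcp(host, LDAP_PORT)
    ldaps = check_ldaps_tls(host, cafile=cafile)
    print(f"LDAP  {LDAP_PORT}: {'open' if ldap_open else 'closed'}")
    print(f"LDAPS {LDAPS_PORT}: {ldaps}")
    print(diagnose(ldap_open, ldaps))
```

Run it as `python3 ldaps_check.py <dc-host> [ca.pem]` from the SmartConsole PC and again from the management server (or the VS that proxies for it); a different result on the two hosts points at the network path rather than at the account unit settings.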
Security_Consul
Participant

The Palo side has an any/allow-all rule, same as Check Point.

Does the admin PC running SmartDashboard have to communicate with the AD server?

Security_Consul
Participant

The admin PC running SmartDashboard has to connect to the AD server. The admin PC connects to VS0, which can route to the AD server; that is why I connected successfully. Then VS0 shares to VS1 via (Virtual System object - Properties - Other - Legacy Authentication - section Authentication Servers Accessibility (including LDAP) - select "Shared"). VS1 also connected successfully.

It seems like a bug or cache: when I disable Identity Awareness on VS0 and VS1 and enable Identity Awareness again on only VS1, it still connects successfully. The first time I tested, VS1 could not connect.

Maarten_Sjouw
Champion

The Authentication part is a completely different thing from Identity Awareness.
The reason you probably need the access from your client to the AD server during setup is that the management server still needs everything added and set up; the wizard is just collecting all the information to put into the database when done.
Regards, Maarten