- CheckMates
- :
- Products
- :
- Quantum
- :
- Security Gateways
- :
- Re: Identity Awareness on Remote Gateway
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Identity Awareness on Remote Gateway
Hi,
I have an issue with Identity Awareness where I want to configure IDA on a remote gateway.
the topology is
AD --> Corporate GW <---S2S VPN---> Remote GW
IDA is working well in the main office where the AD is and the corporate GW has direct access to the AD. when I try to connect the remote Gateway with the AD I get the following error:
"An error was detected while trying to authenticate against the AD server. It may be a problem of bad configuration or connectivity. Please refer to the troubleshooting guide for more help"
There are no instructions in the IDA manual or SK on how to work in such a configuration.
Does anyone have experience with it or can help troubleshoot?
( I have already contacted support but they aren't very helpful)
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Shahar,
We had a similar issue in the past. We noticed LDAP queries did not go trough the tunnel because LDAP traffic is accepted by implied rules and is not encrypted. Used workaround was the procedure in sk26059 and create specific rules for that traffic.
HTH.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shahar,
maybee it‘s something with the vpn tunnel. Check for connections from your remote gateway to your AD servers. This connections will be initiated with the external IP of your remote gateway. Maybee they are not encrypted or blocked not going the through the tunnel.
Another way... use identity sharing, you can configure your central gateway to share identities with other gateway and your remote gateway should get the identities from the central gateway.
The error is shown if you run the IA wizard for the remote gateway ?
Wolfgang
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I checked all communication and it looks like it is going through the VPN tunnel. We checked ports block with support, we didn't see any drop. We also to allow any service between AD and GW. maybe the back connections from the AD to the GW are blocked. we are still checking but didn't see anything.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would recommend the same - identity sharing. Else I stumbled across this one, sounds like yours:
and this might help too
We use Identity Collector instead of direct connection to AD which seems much soother from our experience 🙂
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Shahar,
We had a similar issue in the past. We noticed LDAP queries did not go trough the tunnel because LDAP traffic is accepted by implied rules and is not encrypted. Used workaround was the procedure in sk26059 and create specific rules for that traffic.
HTH.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the gateways in question are clusters be careful with identity sharing, because we saw identity sharing causing IPSEC replay attacks because of standby members!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
