Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Shahar_Grober
Advisor
Jump to solution

Identity Awareness on Remote Gateway

Hi, 

 

I have an issue with Identity Awareness where I want to configure IDA on a remote gateway.

the topology is 

AD --> Corporate GW <---S2S VPN---> Remote GW 

IDA is working well in the main office where the AD is and the corporate GW has direct access to the AD. when I try to connect the remote Gateway with the AD I get the following error:

"An error was detected while trying to authenticate against the AD server.  It may be a problem of bad configuration or connectivity.  Please refer to the troubleshooting guide for more help" 

There are no instructions in the IDA manual or SK on how to work in such a configuration.

 

Does anyone have experience with it or can help troubleshoot?

( I have already contacted support but they aren't very helpful) 

0 Kudos
1 Solution

Accepted Solutions
RS_Daniel
Advisor

Hello Shahar,

 

We had a similar issue in the past. We noticed LDAP queries did not go trough the tunnel because LDAP traffic is accepted by implied rules and is not encrypted. Used workaround was the procedure in sk26059 and create specific rules for that traffic. 

HTH.

View solution in original post

8 Replies
Wolfgang
Authority
Authority

Shahar,

maybee it‘s something with the vpn tunnel. Check for connections from your remote gateway to your AD servers. This connections will be initiated with the external IP of your remote gateway. Maybee they are not encrypted or blocked not going the through the tunnel.

Another way... use identity sharing, you can configure your central gateway to share identities with other gateway and your remote gateway should get the identities from the central gateway.

The error is shown if you run the IA wizard for the remote gateway ?
Wolfgang

0 Kudos
Shahar_Grober
Advisor
no error is shown during the creation of the IA wizard,
I checked all communication and it looks like it is going through the VPN tunnel. We checked ports block with support, we didn't see any drop. We also to allow any service between AD and GW. maybe the back connections from the AD to the GW are blocked. we are still checking but didn't see anything.
0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

I would recommend the same - identity sharing. Else I stumbled across this one, sounds like yours:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

and this might help too

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

We use Identity Collector instead of direct connection to AD which seems much soother from our experience 🙂

0 Kudos
RS_Daniel
Advisor

Hello Shahar,

 

We had a similar issue in the past. We noticed LDAP queries did not go trough the tunnel because LDAP traffic is accepted by implied rules and is not encrypted. Used workaround was the procedure in sk26059 and create specific rules for that traffic. 

HTH.

Shahar_Grober
Advisor
Thanks for the quick reply, indeed this is what CP says. It seems weird that LDAP is in an implied rule. I think that the best option, in this case, is Identity Sharing instead of modifying inspection rules. Let's see if this one works
0 Kudos
Norbert_Bohusch
Advisor

If the gateways in question are clusters be careful with identity sharing, because we saw identity sharing causing IPSEC replay attacks because of standby members!

0 Kudos
Shahar_Grober
Advisor
The main GW which do the identity sharing is a cluster. Is there a way to mitigate it?
0 Kudos
MikeB
Advisor
Thank you RS_Daniel! you solve my problem too!
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events