This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Shahar_Grober
Advisor
‎2020-02-10 11:27 AM
Jump to solution

Identity Awareness on Remote Gateway

Hi, 

 

I have an issue with Identity Awareness where I want to configure IDA on a remote gateway.

the topology is 

AD --> Corporate GW <---S2S VPN---> Remote GW 

IDA is working well in the main office where the AD is and the corporate GW has direct access to the AD. when I try to connect the remote Gateway with the AD I get the following error:

"An error was detected while trying to authenticate against the AD server.  It may be a problem of bad configuration or connectivity.  Please refer to the troubleshooting guide for more help" 

There are no instructions in the IDA manual or SK on how to work in such a configuration.

 

Does anyone have experience with it or can help troubleshoot?

( I have already contacted support but they aren't very helpful) 

0 Kudos
1 Solution

Accepted Solutions
RS_Daniel
Advisor
Advisor
‎2020-02-11 04:39 AM
In response to Kaspars_Zibarts
Jump to solution

Hello Shahar,

 

We had a similar issue in the past. We noticed LDAP queries did not go trough the tunnel because LDAP traffic is accepted by implied rules and is not encrypted. Used workaround was the procedure in sk26059 and create specific rules for that traffic. 

HTH.

View solution in original post

8 Replies
Wolfgang
MVP Gold
MVP Gold
‎2020-02-10 12:24 PM
Jump to solution

Shahar,

maybee it‘s something with the vpn tunnel. Check for connections from your remote gateway to your AD servers. This connections will be initiated with the external IP of your remote gateway. Maybee they are not encrypted or blocked not going the through the tunnel.

Another way... use identity sharing, you can configure your central gateway to share identities with other gateway and your remote gateway should get the identities from the central gateway.

The error is shown if you run the IA wizard for the remote gateway ?
Wolfgang

0 Kudos
Shahar_Grober
Advisor
‎2020-02-10 02:39 PM
In response to Wolfgang
Jump to solution

no error is shown during the creation of the IA wizard,
I checked all communication and it looks like it is going through the VPN tunnel. We checked ports block with support, we didn't see any drop. We also to allow any service between AD and GW. maybe the back connections from the AD to the GW are blocked. we are still checking but didn't see anything.
0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2020-02-11 12:33 AM
In response to Shahar_Grober
Jump to solution

I would recommend the same - identity sharing. Else I stumbled across this one, sounds like yours:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

and this might help too

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

We use Identity Collector instead of direct connection to AD which seems much soother from our experience 🙂

0 Kudos
RS_Daniel
Advisor
Advisor
‎2020-02-11 04:39 AM
In response to Kaspars_Zibarts
Jump to solution

Hello Shahar,

 

We had a similar issue in the past. We noticed LDAP queries did not go trough the tunnel because LDAP traffic is accepted by implied rules and is not encrypted. Used workaround was the procedure in sk26059 and create specific rules for that traffic. 

HTH.

Shahar_Grober
Advisor
‎2020-02-12 06:42 AM
In response to RS_Daniel
Jump to solution

Thanks for the quick reply, indeed this is what CP says. It seems weird that LDAP is in an implied rule. I think that the best option, in this case, is Identity Sharing instead of modifying inspection rules. Let's see if this one works
0 Kudos
Norbert_Bohusch
Advisor
‎2020-02-12 10:51 AM
In response to Shahar_Grober
Jump to solution

If the gateways in question are clusters be careful with identity sharing, because we saw identity sharing causing IPSEC replay attacks because of standby members!

0 Kudos
Shahar_Grober
Advisor
‎2020-02-13 02:27 AM
In response to Norbert_Bohusch
Jump to solution

The main GW which do the identity sharing is a cluster. Is there a way to mitigate it?
0 Kudos
MikeB
Advisor
‎2020-03-26 12:26 PM
In response to RS_Daniel
Jump to solution

Thank you RS_Daniel! you solve my problem too!
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events