marcinw
Participant

Identity Awareness secondary DC in remote location

Hi


I have a lab, diagram below. On both gateways Identity Awareness is configured; however, Checkpoint-GW-1 communicates only with siteA-DC-2 and Checkpoint-GW-2 communicates only with siteB-DC-1. I would like to add siteB-DC-1 to the Checkpoint-GW-1 LDAP Account Unit, but I see the message "at least one dc is disconnected". There is a VPN between the 2 sites and all traffic between internal subnets is allowed. I suppose both GWs are trying to reach the remote DC with the external IP addresses 10.0.1.1 and 10.0.2.1 that are NATed and can't reach the DC on the other site, or maybe it is something different? Is there any way to make it work?


0 Kudos
1 Reply

Hello, 


Well, if you configure IA and other built-in Check Point blades, they mostly work via implied rules.
In that case it could be that the communication to the remote AD server is NOT encrypted but sent in clear.
Did you check that?
Is that communication running in clear text or encrypted?

What you can do is to remove LDAP from the implied rules, or better said, remove it from running in clear text.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

This might help...
I have seen this pretty often when creating LDAP or RADIUS over VPNs... it always runs in clear, but it should be encrypted!


0 Kudos
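One way to check the suspicion raised in the reply (is the gateway's LDAP traffic leaving in clear text, outside the tunnel?) together with the one raised in the question (is it aimed at the NATed external address of the DC?) is to run the gateway's connection records through a small classifier. The script below is an added example, not code from the thread or from Check Point. It uses a constructed log format loosely modelled on accept/encrypt/drop actions; the internal subnets and DC addresses are assumptions, and only 10.0.1.1 and 10.0.2.1 come from the question.

```python
"""Flag LDAP flows that leave a gateway in clear text or target a NATed DC address.

Constructed log format (not Check Point's own), one flow per line:
    "<src_ip> <dst_ip> <dst_port> <action>"
action is accept (forwarded as-is), encrypt (sent into the VPN tunnel) or drop.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLEAR_LDAP_PORTS = {389, 3268}   # LDAP and Global Catalog without TLS
TLS_LDAP_PORTS = {636, 3269}     # LDAPS and Global Catalog over TLS

# Assumed lab addressing. Only the NATed external addresses are from the thread.
SITES = {ip_network("192.168.1.0/24"): "siteA", ip_network("192.168.2.0/24"): "siteB"}
NAT_EXTERNAL = {ip_address("10.0.1.1"), ip_address("10.0.2.1")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    action: str


def parse_line(line: str) -> Flow:
    src, dst, port, action = line.split()
    return Flow(src, dst, int(port), action.lower())


def site_of(addr: str):
    """Name of the internal site an address belongs to, or None if unknown/external."""
    ip = ip_address(addr)
    for net, name in SITES.items():
        if ip in net:
            return name
    return None


def is_directory(flow: Flow) -> bool:
    return flow.port in CLEAR_LDAP_PORTS | TLS_LDAP_PORTS


def problems(flow: Flow) -> list:
    """Issues an admin would want flagged for one directory flow."""
    issues = []
    remote = site_of(flow.src) != site_of(flow.dst)  # crosses sites or leaves the lab
    if flow.action == "drop":
        issues.append("dropped: DC unreachable from this gateway")
    if ip_address(flow.dst) in NAT_EXTERNAL:
        issues.append("DC addressed by NATed external IP; use its internal address over the VPN")
    if flow.port in CLEAR_LDAP_PORTS and remote and flow.action == "accept":
        issues.append("LDAP in clear text outside the VPN tunnel")
    return issues


def assess(lines) -> dict:
    """Map each directory-traffic log line to its problems (empty list = looks healthy)."""
    flows = (parse_line(l) for l in lines if l.strip())
    return {f"{f.src} {f.dst} {f.port} {f.action}": problems(f) for f in flows if is_directory(f)}


def summary(lines) -> dict:
    """Count flows per category, for a quick 'is anything in clear?' answer."""
    counts = {"clear_text": 0, "nat_address": 0, "dropped": 0, "ok": 0}
    for issues in assess(lines).values():
        if not issues:
            counts["ok"] += 1
        for issue in issues:
            if issue.startswith("LDAP in clear"):
                counts["clear_text"] += 1
            elif issue.startswith("DC addressed"):
                counts["nat_address"] += 1
            elif issue.startswith("dropped"):
                counts["dropped"] += 1
    return counts


# Constructed sample, not a real capture.
SAMPLE_LOG = [
    "192.168.1.10 192.168.1.5 389 accept",    # GW-1 to its local DC: plain LDAP on the LAN
    "192.168.1.10 192.168.2.5 636 encrypt",   # GW-1 to remote DC, LDAPS inside the tunnel
    "192.168.1.10 10.0.2.1 389 accept",       # remote DC via NATed address, in clear
    "192.168.2.10 192.168.1.5 389 encrypt",   # plain LDAP, but carried inside the tunnel
    "192.168.2.10 10.0.1.1 389 drop",         # NATed address, never gets through
    "192.168.1.10 192.168.2.5 389 accept",    # the symptom in the reply: clear LDAP across sites
    "192.168.1.10 192.168.2.5 88 encrypt",    # Kerberos, not directory traffic, ignored
]

if __name__ == "__main__":
    for line, issues in assess(SAMPLE_LOG).items():
        print(line, "->", issues or "ok")
    print(summary(SAMPLE_LOG))
```

A flow to the remote DC's internal address on 389 with action accept is the case the reply describes; a flow to 10.0.1.1 or 10.0.2.1 is the case the question suspects. Both can show up at once, and a dropped flow to the NATed address is flagged for the address rather than for clear text, since nothing was actually sent.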