Identity Awareness secondary DC in remote location



I have a lab, diagram below. On both gateways Identity Awareness is configured; however, Checkpoint-GW-1 communicates only with siteA-DC-2 and Checkpoint-GW-2 communicates only with siteB-DC-1. I would like to add siteB-DC-1 to the Checkpoint-GW-1 LDAP Account Unit, but I see the message "at least one dc is disconnected". There is a VPN between the 2 sites and all traffic between internal subnets is allowed. I suppose both GWs are trying to reach the remote DC with the external IP address, and that is NATed and can't reach the DC on the other site, or maybe it is something different? Is there any way to make it work?



0 Kudos
1 Reply



Well, if you configure IA and other built-in Check Point blades, they mostly work via implied rules.
In that case it could be that the communication to the remote AD server is NOT encrypted but sent in clear.
Did you check that?
Is that communication running in clear text or encrypted ...

What you can do is to remove LDAP from the implied rules, or better said, remove it from running in clear text.

This might help ...
I have seen this pretty often when creating LDAP or RADIUS over VPNs ... it always runs in clear but it should be encrypted!

0 Kudos
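One way to check the point made in the reply (whether the gateway's LDAP traffic to the remote DC leaves in the clear instead of inside the VPN) is to capture on the gateway's external interface and look at what is addressed to the DC. This is an added example, not code from the thread or from Check Point; the DC address 10.2.0.5, the tcpdump-style lines and the function names are constructed assumptions. On the external interface, VPN-bound traffic should appear only as ESP, so any TCP packet to the DC's private address seen there has bypassed the tunnel.

```python
import re

# Constructed tcpdump -n style lines from a gateway's external interface (not from the post).
# 198.51.100.10 = local gateway external IP, 203.0.113.20 = peer gateway, 10.2.0.5 = remote DC.
SAMPLE_CAPTURE = """\
10:01:02.100 IP 198.51.100.10.51000 > 10.2.0.5.389: Flags [S], seq 1, win 64240, length 0
10:01:02.101 IP 198.51.100.10 > 203.0.113.20: ESP(spi=0x0000abcd,seq=0x1), length 132
10:01:02.102 IP 198.51.100.10.51001 > 10.2.0.5.636: Flags [S], seq 2, win 64240, length 0
10:01:02.103 IP 198.51.100.10.51002 > 10.2.0.5.389: Flags [P.], seq 3:67, ack 1, win 502, length 64
10:01:02.104 IP 198.51.100.10.40000 > 192.0.2.53.53: Flags [S], seq 4, win 64240, length 0
"""

TCP_LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags")
ESP_LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ESP\(")


def audit_ldap_capture(capture, dc_ip, ldap_port=389, ldaps_port=636):
    """Classify packets on the external interface that are addressed to the DC.

    ESP packets are the VPN tunnel and are only counted. A TCP packet to the DC's
    private address on this interface means the flow left outside the tunnel:
    port 389 is plaintext LDAP, port 636 is TLS-protected but still off-VPN.
    """
    report = {"esp_packets": 0, "cleartext_ldap": [], "ldaps_outside_vpn": []}
    for line in capture.splitlines():
        if ESP_LINE.search(line):
            report["esp_packets"] += 1
            continue
        m = TCP_LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if dst != dc_ip:
            continue  # unrelated traffic (DNS, web, ...)
        if dport == ldap_port:
            report["cleartext_ldap"].append(f"{src}:{sport}")
        elif dport == ldaps_port:
            report["ldaps_outside_vpn"].append(f"{src}:{sport}")
    return report


def ldap_bypasses_vpn(report):
    """True when any LDAP or LDAPS flow to the DC was seen outside the ESP tunnel."""
    return bool(report["cleartext_ldap"] or report["ldaps_outside_vpn"])


if __name__ == "__main__":
    result = audit_ldap_capture(SAMPLE_CAPTURE, "10.2.0.5")
    print(result, "bypasses VPN:", ldap_bypasses_vpn(result))
```

If the report lists flows sourced from the gateway's external address, that matches the reply's explanation: the implied-rule LDAP traffic is not being put through the VPN, which is what removing LDAP from the implied rules is meant to fix.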

