This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Magnus-Holmberg
Advisor
Advisor
‎2019-12-17 02:14 AM
Jump to solution

Identity Collector - LDAPS

Hi,

 

When checking SK108235 for ports.

Communication Protocols

DirectionPortProtocol
Identity Collector to Identity Awareness Gateway443Proprietary Check Point protocol, over HTTPS.
Used for ongoing communication between the Agent and the Security Gateway.
Identity Awareness Gateway to Domain Controller389 / 636LDAP / LDAPS
Identity Collector to Domain Controller53DNS
*Identity Collector to Domain Controller389LDAP 
Identity Collector to Domain Controller135,
and dynamically
allocated ports		DCOM protocol, which makes extensive use of DCE/RPC.
Identity Collector to Cisco ISE5222Session subscribe. Gets notifications of new login/logout events.
Identity Collector to Cisco ISE8910Bulk session download. Fetches all the active sessions from the ISE Server.

* Note: LDAPS is also optional (through port 636) when using "NetIQ eDirectory". For all other uses (which are the most common ones), we are using LDAP only. 



I dont see LDAPS, 636 for standard Microsoft AD. not sure what this NetIQ eDirectory is.
When is LDAPS 636 comming for IA if its not already present, (if so i dont see where to change it in the GUI)

 

Regards,

Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
1 Solution

Accepted Solutions
Royi_Priov
Employee
Employee
‎2019-12-17 11:11 PM
Jump to solution

Hi Magnus,

 

LDAP is used on Identity Collector in 2 ways:

 

  1. AD integration - only for discovering the AD servers in the environment. After this discovery, the entire communication is done securely with Microsoft API. The discovery itself is performed with LDAP (not LDAPS).
  2. NetIQ eDirectory - this is an LDAP server by NetIQ, which we are communicating over LDAP / LDAPS all the way for fetching logged in users.

 

Thanks,

Royi Priov.

Thanks,
Royi Priov
R&D Group manager, Infinity Identity

View solution in original post

11 Replies
PhoneBoy
Admin
Admin
‎2019-12-17 12:27 PM
Jump to solution

I believe it's configured on the relevant LDAP Account Unit object.
0 Kudos
Magnus-Holmberg
Advisor
Advisor
‎2019-12-17 12:39 PM
In response to PhoneBoy
Jump to solution

Within smartconsole, yes sure.
But the Identity collector you dont have any options like that.

And Microsoft is pushing pretty hard to remove LDAP for LDAPS, 

domain_ic.jpgad_server.jpg

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
PhoneBoy
Admin
Admin
‎2019-12-17 02:00 PM
In response to Magnus-Holmberg
Jump to solution

I'm guessing Identity Collector will try both LDAP and LDAPS but maybe @Royi_Priov can confirm.

0 Kudos
Royi_Priov
Employee
Employee
‎2019-12-17 11:11 PM
Jump to solution

Hi Magnus,

 

LDAP is used on Identity Collector in 2 ways:

 

  1. AD integration - only for discovering the AD servers in the environment. After this discovery, the entire communication is done securely with Microsoft API. The discovery itself is performed with LDAP (not LDAPS).
  2. NetIQ eDirectory - this is an LDAP server by NetIQ, which we are communicating over LDAP / LDAPS all the way for fetching logged in users.

 

Thanks,

Royi Priov.

Thanks,
Royi Priov
R&D Group manager, Infinity Identity
Val1976
Explorer
‎2023-01-31 03:59 AM
In response to Royi_Priov
Jump to solution

Hi Royi

I have a customer that is exactly in the same situation, trying to move away from AD query and use Identity Collector... As the AD environment is configured to allow only LDAPS connections, the initial test connection to and AD server, using plain LDAP is unsuccessful and the  migration cannot progress further...

Is there any way of forcing the initial test connection to use LDAPS instead of LDAP? The customer has downloaded and installed the latest version of the Identity Collector software - R81.040.0000 / 20 Sep 2022...

Thanks and best regards,

Valeriu

 

0 Kudos
Zolo
Contributor
Contributor
‎2023-02-08 05:32 AM
In response to Val1976
Jump to solution

Hi Valeriu,

You can connect to the "Active Directory" LDAPS server if the LDAPS certificate contains the IP address of the DC in the SAN field.

Click New Source > Active Directory > Fetch Automatically and choose LDAP over SSL.

The IC only accepts IP address and the DC IP address must be entered.

Br,

Zolo

0 Kudos
Jöran_Kaußel
Participant
‎2024-04-18 04:27 AM
In response to Zolo
Jump to solution

Hello Check Mates,

any tipps for those whose PKI does not support IPs in SAN field?

Any help appreciated,
Jöran

0 Kudos
PhoneBoy
Admin
Admin
‎2024-04-18 12:01 PM
In response to Jöran_Kaußel
Jump to solution

Upgrade to R82 when it's available as the validation mechanism for the LDAPS certificate will change.
Instead of validating the existing certificate, we'll ensure the certificate is valid and signed by a specific CA.

0 Kudos
Zolo
Contributor
Contributor
‎2024-04-18 11:54 PM
In response to Jöran_Kaußel
Jump to solution

Hello Jöran,

Good news 😀

As I checked, the latest IC version (R81.069.0000) finally supports FQDN.

Br,

Zoli

0 Kudos
Jöran_Kaußel
Participant
‎2024-04-19 03:30 AM
In response to Zolo
Jump to solution

Hello Zolo,

unfortunately I can't confirm. Using R81.069.0000 throughout the currently running DC migration to Windows Server 2022 I can only fetch them via the remaining 2016 DCs, not directly. And then I can't get them connected neither via IP, nor hostname or FQDN.

Fetching via IP works instantly while hostname and fqdn needs about 30 secs.

Error states "Unable to connect; please check connectivity with server and server firewall configuration". I can see tcp/udp 389 but no 636. Nothings getting dropped, tried debug options via regedit but got not significant more info other than "ErrCode (1722)" which seems to be a dead end.

Any tipps appreciated
Jöran

0 Kudos
Jöran_Kaußel
Participant
‎2024-04-23 10:42 AM
In response to Jöran_Kaußel
Jump to solution

Hello mates,

sorry for the noise. DCs local firewalls refuse to answer to RPC when freshly deployed. Problem solved from my side.

Thanks

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top