This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
benko2
Participant
‎2024-05-24 03:39 AM
Jump to solution

Unable to connect to the account unit LDAP servers behind the IPSec tunnel

Hello,

I have problem accessing the LDAP account unit servers of the external company that is behind the IPSec tunnel.

This is my topology:

mgmt --> DCGW --> PerimGW ---IPsec--> Fortinet --> ExtLDAPs
           |
       IntLDAPs
  • mgmt: Check Point SMS server, R81.20 JHFA Take 53
  • DCGW: Check Point DataCenter gateway. Active-Standby cluster. R81.20 JHFA Take 53. Active Identity Awareness (both PDP and PEP). Open servers.
  • PerimGW: Check Point perimeter gateway. Active-Standby cluster. R81.20 JHFA Take 53. Active Identity Awareness (both PDP and PEP). Open servers.
  • IntLDAPs: Internal Active Directory servers used in 1st LDAP account unit
  • IPsec: domain based tunnel, NAT disabled inside the VPN community. IPsec works without any problems; a lot of communication in both directions.
  • Fortinet: VPN gateway of the external company
  • ExtLDAPs: Active Directory servers of the external company used in 2nd LDAP account unit

From two account units only the 1st one works as expected. Regarding the 2nd one which doesn't work at all I observe the following (strange) behavior:

  • When port 389 is used in LDAP account unit definition, it is not possible to make TCP connection to ExtLDAPs because TCP SYN packet is not sent by PerimGW to the IPSec tunnel (instead it is NATed by PerimGW to the public VIP address). Making the TCP connection to the port 636 (nc -v server 636) works without any problem (goes to the IPSec tunnel).
  • When port 636 is used in LDAP account unit definition, it is not possible to make TCP connection to ExtLDAPs because TCP SYN packet is not sent by PerimGW to the IPSec tunnel (instead it is NATed by PerimGW to the public VIP address). Making the TCP connection to the port 389 (nc -v server 389) works without any problem.
  • When I remove one of the LDAP servers from LDAP account unit definition, both 389 and 636 ports of the not-used server can be accessed by running the "nc -v server port" command.
  • When communication is NATed, no logs can be seen in SmartConsole. When communication goes to the IPSec tunnel, logs are there. Turning on implied rules logging doesn't change anything.

Why my perimeter gateway does NAT instead of sendnig the communication to the IPsec tunnel?
What can I do in order to change this behavior?

0 Kudos
1 Solution

Accepted Solutions
OliverBayerlein
Participant
‎2024-05-24 05:17 AM
Jump to solution

The outbound LDAP connects from the gateway to the Account Unit LDAP Server are handled by the implied rules by default.
The implicit rule takes effect before the access policy. Therefore, no logs are written and the VPN domains are not applied.

ImpliedRule.png

The implied rule does not apply to ports or servers that are not configured in the account unit. The explicit rules take effect and logging / VPN routing is applied.

You can deactivate the implied rule by commenting out the following line in the $FWDIR/lib/implied_rules.def file on the management server.
#define ENABLE_LDAP_SERVER

Please note that explicit rules must then exist for both the internal and external account units.

Oliver

 

View solution in original post

1 Reply
OliverBayerlein
Participant
‎2024-05-24 05:17 AM
Jump to solution

The outbound LDAP connects from the gateway to the Account Unit LDAP Server are handled by the implied rules by default.
The implicit rule takes effect before the access policy. Therefore, no logs are written and the VPN domains are not applied.

ImpliedRule.png

The implied rule does not apply to ports or servers that are not configured in the account unit. The explicit rules take effect and logging / VPN routing is applied.

You can deactivate the implied rule by commenting out the following line in the $FWDIR/lib/implied_rules.def file on the management server.
#define ENABLE_LDAP_SERVER

Please note that explicit rules must then exist for both the internal and external account units.

Oliver

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events