H2-F1
Participant

Connect Smart-1 Cloud to local Active Directory

Hi Guys,

 

I'm not able to connect my Smart-1 Cloud to local active directory. I followed the steps in 

https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Check-Point-SmartCloud-Admin-...

under the "How to Connect a Local Active Directory to Smart-1 Cloud". 

I have confirmed that the gateway can reach the DC. The MaaS tunnel state is up (I can push policies to the gateway). I also have another local management server, and this can successfully connect to the DC using the same credentials as the LDAP account unit configured in Smart-1 Cloud.

[screenshot attachment: Error-AD.JPG]

A packet capture on the DC shows no traffic from the Gateway when I try to fetch the branches from Smart-1 Cloud. I'm not sure if I need to turn on http/https Proxy on the gateway itself or if I'm missing some other configuration.

 

0 Kudos
28 Replies
PhoneBoy
Admin

What version/JHF of gateway?

0 Kudos
H2-F1
Participant

software version R80.40 - Build 106 - HOTFIX_R80_40_JUMBO_HF_MAIN Take: 83

0 Kudos
Amiad_Stern

Hi,

The fact that you fail to fetch branches shouldn't prevent you from creating an Access Role and accessing your AD. As far as I know, the 'Gateway as a Proxy' feature was developed for 'Access Roles' only. Please try to create an Access Role and access your AD; if you fail to do that as well, please let me know and I will address the relevant owner.

Regards,

Amiad.

0 Kudos
H2-F1
Participant

Thanks Amiad,

That is indeed correct, I was able to create an Access Role and browse through AD. Also, for anyone else facing the same issue: I also enabled Identity Awareness, and while I wasn't able to connect to AD during blade activation either, I ignored it and continued, then manually added my AD in the Active Directory Query settings section. When testing, I was able to see the machine hostname and user full name.

 

Thanks again.

0 Kudos
Fatihah
Participant

Hi @Amiad_Stern ,

I did follow as you mentioned.

However, when I try to create the Access Role, I am unable to access the AD, as below:

[screenshot attachment: Capture.PNG]

 

Is there anything that I'm missing?

 

Regards,

Fatihah

0 Kudos
Amiad_Stern

Hi @Fatihah ,

I'm no longer the owner of Smart-1 Cloud. I'll refer this thread to the relevant owners for them to address your issue.

 

Regards,

Amiad.

0 Kudos
Fatihah
Participant

Hi @Amiad_Stern,

 

Oh I see. Sure and thanks for your help.

Hopefully, they are able to assist me on this issue.

 

Regards,

Fatihah

0 Kudos
Stas_M
Employee

Hi @Fatihah
Apologies for the delay. Did you solve the above issue? Is it still relevant?

0 Kudos
dzianiss
Employee

Hi,

Please note that fetching branches is not supported:

https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Check-Point-SmartCloud-Admin-...


You should manually add the branch; after that you should be able to create the access role.

Kevin_Morris
Participant

Hi @dzianiss ,

 

According to the admin guide you linked the cloud server will use the gateway as a proxy, but it doesn't give me any options for a proxy on the LDAP account unit. Is there a setting that should make my gateway available as a proxy?

 

 

0 Kudos
dzianiss
Employee

Hi @Kevin_Morris ,

Which gateway platform/version are you using?

Also, please check the version of the management server and the SmartConsole build.

0 Kudos
Kevin_Morris
Participant

Quantum Spark 1600 on R81.10

0 Kudos
dzianiss
Employee

And which SmartConsole build and Smart-1 Cloud version?

0 Kudos
Kevin_Morris
Participant

SmartConsole 81.20.9700.451 / Smart-1 Cloud R81.20.

0 Kudos
PhoneBoy
Admin

You can only select gateways running R80.20 and above as the proxy.
This does not currently include Quantum Spark devices.

0 Kudos
Kevin_Morris
Participant

Actually it looks like you can select them if SmartConsole version is 81.20.9700.631. I was using .451 before. Now the question becomes does it actually work. So far I still can't get users and groups from AD.

0 Kudos
dzianiss
Employee

Quantum Spark 1500/1600/1800 were added to support the AD proxy feature with R81.20 security management.
Please check if you accurately configured:

  1. Host for AD DC Server
  2. LDAP account unit, all required tabs:
    1. General - Profile: Microsoft_AD, Domain, User Management and Enable unicode support checked
    2. Servers - added your AD DC Server and all required fields filled in LDAP Server Properties
    3. Objects Management - Manually added Branch, proxy through: your GW selected
 

 

0 Kudos
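Before adding the account unit with a manually entered branch, it helps to confirm from a host on the gateway's path that the DC accepts the exact bind DN and password the account unit will use. The script below is an added example (not Check Point's code and not from anyone in this thread): it performs a minimal LDAPv3 simple bind over a raw socket and reports the DC's result code, so a credential or DN problem can be separated from the "no traffic reaches the DC" symptom described earlier. The hostname, bind DN and password are placeholders.

```python
# Added example: minimal LDAPv3 simple bind (RFC 4511) to verify DC reachability and the
# account unit's bind DN/password. Hostname and credentials are placeholders.
import socket
import ssl

def _ber_len(n: int) -> bytes:
    """BER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def encode_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV starting at buf[pos]."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + ln

def parse_bind_response(buf: bytes):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    _, p, _ = _read_tlv(buf, 0)         # outer LDAPMessage SEQUENCE
    _, _, p = _read_tlv(buf, p)         # messageID, skipped
    tag, p, _ = _read_tlv(buf, p)       # protocolOp
    if tag != 0x61:
        raise ValueError(f"unexpected protocolOp tag {tag:#x}")
    _, s, e = _read_tlv(buf, p)         # resultCode (ENUMERATED); 0 = success, 49 = invalidCredentials
    code = int.from_bytes(buf[s:e], "big")
    _, s, e = _read_tlv(buf, e)         # matchedDN, skipped
    _, s, e = _read_tlv(buf, e)         # diagnosticMessage
    return code, buf[s:e].decode(errors="replace")

def check_ldap_bind(host: str, bind_dn: str, password: str, port: int = 636, use_tls: bool = True):
    """Bind to the DC and return (resultCode, message). Plain 389 sends the password in cleartext; prefer LDAPS."""
    with socket.create_connection((host, port), timeout=5.0) as raw:
        s = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if use_tls else raw
        s.sendall(encode_bind_request(1, bind_dn, password))
        return parse_bind_response(s.recv(4096))

if __name__ == "__main__":  # placeholder values
    print(check_ldap_bind("dc.example.com", "CN=svc-ldap,CN=Users,DC=example,DC=com", "password"))
```

A result code of 0 means the DN and password are accepted; 49 (invalidCredentials) points at the account unit's login settings rather than at the gateway proxy path.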
PhoneBoy
Admin

I'm curious when this was added since it's still listed as a known limitation in the relevant SK for R81.10.00: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
The bug ID is SMB-16255.
It's possible this may have been added to R81.10.05 (currently in EA), though I didn't see it mentioned in the feature list. 

 

0 Kudos
dzianiss
Employee

Hi, AFAIK it was added in R80.20.50. I've tested this version and R81.00. Probably it was not announced in the SMB project before R81.20 GA. From my side I can open a bug for SMB to include it in the resolved issues. I already opened a bug for the Management Guide - TP-10270.

0 Kudos
Kevin_Morris
Participant

I can finally confirm this works with the 1600 SMB on R81.10.00 Build 996000575 and SmartConsole version 81.20.9700.631 in Smart-1 Cloud. 

maddah87
Contributor

hi @Kevin_Morris ,

Trying to configure the same with an 1800. Would you please help with this: what to refer to, and the steps to be taken?

0 Kudos
Wolfgang
Authority

@maddah87 yes, this is possible. You have to follow "How to Connect a Local Active Directory to Smart-1 Cloud".

Your Smart-1 Cloud instance has to be on R81.20 and the firmware on the 1800 appliance on R81.xx.

0 Kudos
maddah87
Contributor

It worked, with identity collector and manually added branch.

 

Thanks all.

0 Kudos
Kevin_Morris
Participant

@maddah87 

 

  1. Host for AD DC Server
  2. LDAP account unit, all required tabs:
    1. General - Profile: Microsoft_AD, Domain, User Management and Enable unicode support checked
    2. Servers - added your AD DC Server and all required fields filled in LDAP Server Properties
    3. Objects Management - Manually added Branch, proxy through: your GW selected

If you don't see a gateway to select, then either the gateway or the management server is not on the correct version. See the attached screenshot for reference and the link Wolfgang posted.

0 Kudos
maddah87
Contributor

It was a success, on the same day. The branch was added manually and it worked.

Thanks all.

0 Kudos
maddah87
Contributor

Hi, 

Is this feature currently available for Spark gateways?

The admin guide says Embedded Gaia R80.20.xx and above is supported. I am struggling to configure the same.

 

0 Kudos
PhoneBoy
Admin

You need to be on R80.20.50 and R81.20 Management with the relevant JHF.
See: https://support.checkpoint.com/results/sk/sk159772

0 Kudos
maddah87
Contributor

It worked,

Thanks all

0 Kudos
