This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dave
Contributor
‎2022-09-23 07:40 AM
Jump to solution

Identity Collector - Identity Sources configuration

So i'm preparing to move from AD query to Identity Collector.

Installed the software on 2 domain controllers for redundancy.

All working fine for the domain controller on which the software is installed, but the other one is not.

Identity Sources.jpg

 "Unable to connect, please check connectivity ....."

Actually, i added our 4 DC as identity sources but only planning to install IC on 2 of them since this is enough for redundancy purpose.

 

Are you supposed to only add the DC where Identity Collector has been installed on, as identity source?

 

0 Kudos
1 Solution

Accepted Solutions
Dave
Contributor
‎2022-09-27 12:48 AM
In response to the_rock
Jump to solution

Got it figured out 🙂

 

The issue was Windows Firewall blocking dynamic ports communication between DCs, once we opened that up, everything became green and connected.

 

Advice to Checkpoint: please add this in the documentation of Identity Collector as a note (Windows Firewall rule which needs to allow incoming DCOM ports communication between DCs) so people don't have to loose too much time troubleshooting this.

View solution in original post

(1)
13 Replies
the_rock
Legend
Legend
‎2022-09-23 07:51 AM
Jump to solution

You should be able to add all of them actually. Did you check connectivity with other 3?

Andy

0 Kudos
Dave
Contributor
‎2022-09-23 08:03 AM
In response to the_rock
Jump to solution

They are all in the same subnet so i would assume this would have been a no brainer. Seems not 😊

So on one DC, let's say DC4 in my case, i should be able to see events from all 4 DC, that's what you are saying?

Then i'm asking myself what is blocking this.....

0 Kudos
the_rock
Legend
Legend
‎2022-09-23 08:07 AM
In response to Dave
Jump to solution

Agree, specially if its same subnet : - ). How did you add them? Manually or option "fetch automatically"?

0 Kudos
Dave
Contributor
‎2022-09-23 08:15 AM
In response to the_rock
Jump to solution

"fetch automatically" is how i added them

If i double click on the identity source where IC is installed, it passes the test and connection is fine.

If i double click on any other identity source where IC is not installed on, it fails the test with the message "unable to connect, please check"

0 Kudos
the_rock
Legend
Legend
‎2022-09-23 08:19 AM
In response to Dave
Jump to solution

Let me confirm with client we did this for, as they also have 4 DCs I believe and all shows fine, but IC is only installed on one of them.

0 Kudos
the_rock
Legend
Legend
‎2022-09-23 08:28 AM
In response to Dave
Jump to solution

This is what customer told me as the answer to my question if he remembered if we did automatic or manual...

 

"I can’t recall but I think it found all of them.  I know it pulled the wrong info (site name) and I had to manually enter that."

0 Kudos
Dave
Contributor
‎2022-09-27 12:48 AM
In response to the_rock
Jump to solution

Got it figured out 🙂

 

The issue was Windows Firewall blocking dynamic ports communication between DCs, once we opened that up, everything became green and connected.

 

Advice to Checkpoint: please add this in the documentation of Identity Collector as a note (Windows Firewall rule which needs to allow incoming DCOM ports communication between DCs) so people don't have to loose too much time troubleshooting this.

(1)
_Val_
Admin
Admin
‎2022-09-27 01:38 AM
In response to Dave
Jump to solution

Thanks for sharing the solution, @Dave 

0 Kudos
the_rock
Legend
Legend
‎2022-09-27 05:30 AM
In response to Dave
Jump to solution

Good old Windows : - ). Thanks a lot for letting us know, it will help others, for sure!!

0 Kudos
Dave
Contributor
‎2022-09-28 08:14 AM
In response to the_rock
Jump to solution

Unfortunately, the story doesn't end here because another issue popped up.

So i had foreseen to run identity collector as a service under another service account, freshly created and with the domain user permissions, user is part of group 'Event Log Readers' group.

As soon as i run cpidc.exe as a service and under this new service account, everything stops working, all identity sources are yellow and no identities are collected anymore.

When i remove the service account and let the service run under my domain admin account, everthing changes instantly to green again and identities are collected.

This for sure has to do with user rights in Windows, but it seems like having a domain user with group membership of 'Event Log Readers' group is not enough?

Please help me understand what i'm missing 🙂

0 Kudos
_Val_
Admin
Admin
‎2022-09-28 11:48 PM
In response to Dave
Jump to solution

Most probably the permissions mismatch. If you looked through sk108235 and sk179544 and did not find the trigger for the issue, I would advise engaging with TAC to drill down.

Dave
Contributor
‎2022-09-29 12:51 AM
In response to _Val_
Jump to solution

Yes permission issue most probably, only hard to find what's missing...

This simple domain user account, should it also need to be part of the 'Distributed DCOM users' group?

Or the 'Event Log Readers' group should be enough?

 

 

0 Kudos
freeman91
Contributor
‎2025-02-27 06:38 AM
In response to Dave
Jump to solution

Hi, 

there are like 7 DCOM-In inbound rules with local port 135.

 

Screenshot_1.png

which of them needs to be allowed?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events