Identity Collector - Working with Active Directory

To configure the Identity Collector to work with Active Directory:

1. In Identity Collector Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses and sends it to the Check Point Security Gateways for identity enforcement, you can download the Identity Collector package from the Support Center., add a new Active Directory Domain.

   To add a new Active Directory Domain

   1. Open the Identity Collector application.

   2. At the top, click Domains.

   3. From the top toolbar, click New Domain ().

   4. Enter the Domain name to show in the Identity Collector.

      The domain name must exactly match the actual domain name to ensure all features function correctly.

   5. Optional: Enter the comment.

   6. In the Username and Password fields, enter the Domain account credentials.

      Important: The account must be a member of the Event Log Readers group. To enable the configuration of Domain Controllers automatically by DNS and LDAP queries, as well as the periodic AD discovery flows to function seamlessly with Kerberos An authentication server for Microsoft Windows Active Directory Federation Services (ADFS). authentication, it is imperative that domain credentials be formatted in the User Principal Name (UPN) format. It is crucial to note that the use of a combination of User Principal Name format and DC IP address is not compatible.

   7. In the DC Host name / IP Address field, enter the host name or the IP address of one of the Domain Controllers that you want to add.

   8. Click OK.

   To edit a current Active Directory Domain

   1. Open the Identity Collector application.

   2. At the top, click Domains.

   3. Select the applicable Domain.

   4. From the top toolbar, click Edit Domain ().

   5. Configure the Domain.

   6. Click OK.

   To delete a current Active Directory Domain

   1. Open the Identity Collector application.

   2. At the top, click Domains.

   3. Select the applicable Domain.

   4. From the top toolbar, click Delete Domain ().

   5. Click Yes to confirm.

   6. Click OK.

2. In Identity Collector, add new Active Directory Domain Controllers.

   Follow one of these procedures to add the necessary Domain Controllers.

   Add Domain Controllers automatically by DNS and LDAP queries

   1. Open the Identity Collector application.

   2. From the left navigation toolbar, click Identity Sources.

   3. From the top toolbar, click New Source > Active Directory > Fetch Automatically.

   4. Enter the Domain Controller information:

      • Domain - Select the Active Directory Domain, or configure a new one.

      • DC Host name / IP Address - Enter the host name or the IP address of one of the Domain Controllers you want to add.

        Note - To work with Kerberos authentication, you must use the host name.

   5. Optional: To configure the Identity Collector to fetch Active Directory Domain Controllers from LDAP over SSL, select LDAP over SSL.

   6. Click Fetch.

      A list of the Domain Controllers appears.

   7. Enable the Domain Controllers you want to add.

   8. Click OK.

      The enabled Domain Controllers are added.

   Add Domain Controllers manually one at a time

   1. Open the Identity Collector application.

   2. From the left navigation toolbar, click Identity Sources.

   3. From the top toolbar, click New Source > Active Directory > Add Manually.

   4. Enter the Domain Controller Name to appear in the Identity Collector.

   5. Optional: Enter your comment.

   6. Enter the Domain Controller information:

      • Domain

        Select the Active Directory Domain, or configure a new one.

      • DC Host name / IP Address

        Enter the host name or the IP address of one of the Domain Controllers you want to add.

        Note - To work with Kerberos authentication, you must use the host name.

      • Site

        Optional. Enter the Domain Controller site name.

      • Is Forwarded Event Log Collector

        Select this option, if this server is not a Domain Controller, but a server, to which the login events are forwarded.

   7. Click Test.

   8. Click OK.

      The Domain Controller is added.

3. In the Identity Collector, add a new Query Pool, or edit a current Query Pool.

   See Identity Collector - Query Pools.

4. In the Identity Collector, add a new Filter for the login events, or edit a current Filter.

   See Identity Collector - Filters for Login Events.

5. Connect the Identity Collector to the Check Point Identity Server Check Point Security Gateway with enabled Identity Awareness Software Blade..

   See Identity Collector - Connecting to an Identity Awareness Gateway

Notes: Identity Collector uses the Windows Event Log API for fetching the security logs from Domain Controllers. Identity Collector can communicate with up to 35 Active Directory servers. Identity Collector can process up to 1900 Active Directory events per second. Domain Controllers configured with IP address must be changed to FQDN to work with Kerberos authentication.