Identity Collector - Working with Active Directory

To configure the Identity Collector to work with Active Directory:

1. In Identity Collector Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. For more information, see sk108235. You can download the Identity Collector package from sk134312., add a new Active Directory Domain.

   To add a new Active Directory Domain

   1. Open the Identity Collector application.

   2. At the top, click Domains.

   3. From the top toolbar, click New Domain ().

   4. Enter the Domain name to show in the Identity Collector. The domain name must exactly match the actual domain name to ensure all features function correctly.

   5. (Optional) Enter the comment.

   6. Enter the Domain account credentials - Username and Password.

      Note - The account must be a member of the Event Log Readers group. To enable the Add Domain Controllers automatically by DNS and LDAP queries as well as the periodic AD discovery flows to function seamlessly with Kerberos An authentication server for Microsoft Windows Active Directory Federation Services (ADFS). authentication, it is imperative that domain credentials be formatted in the User Principal Name (UPN) format. It is crucial to note that the use of a combination of User Principal Name format and DC IP address is not compatible.

   7. DC Host name / IP Address - Enter the host name or the IP address of one of the Domain Controllers that you want to add.

   8. Click OK.

   To edit a current Active Directory Domain

   1. Open the Identity Collector application.

   2. At the top, click Domains.

   3. Select the applicable Domain.

   4. From the top toolbar, click Edit Domain ().

   5. Configure the Domain.

   6. Click OK.

   To delete a current Active Directory Domain

   1. Open the Identity Collector application.

   2. At the top, click Domains.

   3. Select the applicable Domain.

   4. From the top toolbar, click Delete Domain ().

   5. Click Yes to confirm.

   6. Click OK.

2. In Identity Collector, add new Active Directory Domain Controllers.

   Follow one of these procedures to add the necessary Domain Controllers.

   Add Domain Controllers automatically by DNS and LDAP queries

   1. Open the Identity Collector application.

   2. From the left navigation toolbar, click Identity Sources.

   3. From the top toolbar, click New Source > Active Directory > Fetch Automatically.

   4. Enter the Domain Controller information:

      • Domain - Select the Active Directory Domain, or configure a new one.

      • DC Host name / IP Address - Enter the host name or the IP address of one of the Domain Controllers you want to add.

        Note - To work with Kerberos authentication, you must use the host name.

   5. Optional: To configure the Identity Collector to fetch Active Directory Domain Controllers from LDAP over SSL, select LDAP over SSL.

   6. Click Fetch.

      A list of the Domain Controllers appears.

   7. Enable the Domain Controllers you want to add.

   8. Click OK.

      The enabled Domain Controllers are added.

   Add Domain Controllers manually one at a time

   1. Open the Identity Collector application.

   2. From the left navigation toolbar, click Identity Sources.

   3. From the top toolbar, click New Source > Active Directory > Add Manually.

   4. Enter the Domain Controller Name to appear in the Identity Collector.

   5. (Optional) Enter your comment.

   6. Enter the Domain Controller information:

      • Domain - Select the Active Directory Domain, or configure a new one.

      • DC Host name / IP Address - Enter the host name or the IP address of one of the Domain Controllers you want to add.

        Note - To work with Kerberos authentication, you must use the host name.

      • Site - (Optional) Enter the Domain Controller site name.

      • Is Forwarded Event Log Collector - Select this option, if this server is not a Domain Controller, but a server, to which the login events are forwarded.

   7. Click Test.

   8. Click OK.

      The Domain Controller is added.

3. In the Identity Collector, add a new Query Pool, or edit a current Query Pool.

   See Identity Collector - Query Pools.

4. In the Identity Collector, add a new Filter for the login events, or edit a current Filter.

   See Identity Collector - Filters for Login Events.

5. Connect the Identity Collector to the Check Point Identity Server Check Point Security Gateway with enabled Identity Awareness Software Blade. (Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway).

   See Identity Collector - Connecting to an Identity Awareness Gateway.

Notes: Identity Collector uses the Windows Event Log API for fetching the security logs from Domain Controllers. Identity Collector can communicate with up to 35 Active Directory servers. Identity Collector can process up to 1900 Active Directory events per second. Domain Controllers configured with IP address must be changed to FQDN to work with Kerberos authentication.