Identity Collector - Working with NetIQ eDirectory LDAP Servers

Note - Check Point only supports user authentication for NetIQ eDirectory.

Configuration Procedure:

1. In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., configure the Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway to work with a NetIQ eDirectory LDAP server.

   1. Configure the Identity Awareness Gateway object.

      Procedure

      1. Open the Identity Awareness Gateway object.

      2. Enable the Identity Awareness Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities..

         The Identity Awareness Configuration Wizard opens.

      3. On the Methods For Acquiring Identity page, select Browser-Based Authentication or Terminal Servers and click Next.

         You can disable this Identity Source later.

      4. On the Integration With Active Directory page, select I do not wish to configure the Active Directory at this time and click Next.

      5. Click Finish.

         The Identity Awareness Configuration Wizard closes.

      6. From the left navigation tree, go to the Identity Awareness page.

      7. Select Identity Collector and click Settings.

      8. Configure these settings:

         • Client Access Permissions - though which interfaces Identity Collector Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses, and sends it to the Check Point Security Gateways for identity enforcement. For more information, see sk108235. You can download the Identity Collector package from sk134312. client can connect to Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.

         • Authorized Clients - which computers with installed Identity Collector can connect to Security Gateway

         • Selected Shared Secret - to configure in Identity Collector for this Security Gateway

         • Authentication Settings - how to authenticate users

      9. Click OK to close the Identity Collector Settings window.

      10. Click OK to close the Check Point Gateway window.

   2. Create a new Host object to represent your NetIQ eDirectory LDAP server.

      Procedure

      1. In the top left corner, click Objects > New Host.

      2. Configure the object name and IP address.

      3. Click OK.

   3. Create a new LDAP Account Unit object to represent the NetIQ eDirectory LDAP server, which manages the identities.

      Procedure

      1. In the top left corner, click Objects menu > Object Explorer.

      2. In the left navigation tree, click Servers.

      3. From the top toolbar, click New > More > User/Identity > LDAP Account Unit.

         The LDAP Account Unit Properties window opens.

   4. Configure the new LDAP Account Unit object that represents the NetIQ eDirectory LDAP server.

      • The 'General' tab

        1. In the Name field, enter the applicable object name (for example, mycompany.com_LDAP_ACC_UNIT).

        2. In the Profile field, select Novell_DS.

        3. In the Prefix field, enter your domain name (for example, mycompany.com).

        4. In the Account Unit usage section, select all the options.

        5. In the Additional configuration section, select Enable Unicode support.

      • The 'Servers' tab

        1. Click Add.

        2. The LDAP Server Properties window opens.

        3. Go to the General tab.

        4. In the Host field, select the host object you created for this LDAP server in Step 2 above.

        5. In the Username field, enter the username for this LDAP server (for example, John.Smith).

        6. In the Login DN field, enter the user's distinguished name (DN) for this LDAP server (see RFC1779).

           Note - Refer to the official NetIQ documentation. For example, use the ldapsearch command.

        7. In the Password field, enter the password for this LDAP server.

        8. In the Confirm password field, enter the password again.

        9. Click OK to close the LDAP Server Properties window.

           Note - The order in which these LDAP Servers come to the view, is the default order in which they are queried. You can configure the applicable priority for these LDAP Servers.

      • The 'Objects Management' tab

        1. In the Server to connect field, select the host object you created for this LDAP server in Step 2 above.

        2. Fetch or manually add the branch(es).

           The branch name is the suffix of the Login DN that begins with DC=.

           For example, if the Login DN is

           CN=John.Smith,CN=Users,DC=mycompany,DC=com

           then the branch name is

           DC=mycompany,DC=com

      • The 'Authentication' tab (Optional)

        1. Clear Use common group path for queries.

        2. In the Allowed authentication schemes section, select all the options.

        3. In the Users' default values section:

           • Clear Use user template.

           • Select Default authentication scheme > Check Point Password.

   5. Click OK to close the LDAP Account Unit Properties window.

   6. In SmartConsole, install the Access Control Policy on the Identity Awareness Gateway that works as Identity Server Check Point Security Gateway with enabled Identity Awareness Software Blade..

2. In the Identity Collector, add a new NetIQ eDirectory LDAP Server.

   Procedure

   1. Open the Identity Collector application.

   2. From the left navigation toolbar, click Identity Sources.

   3. From the top toolbar, click New Source > eDirectory.

   4. Enter the eDirectory Server information:

      • Object Name - Enter the NetIQ eDirectory Server name to show in the Identity Collector.

      • Domain - Select the NetIQ eDirectory domain, or click New Domain to configure a New Domain:

        1. Domain Name - Enter the NetIQ eDirectory Domain name to show in the Identity Collector.

        2. (Optional) Enter your comment.

        3. Username - Enter the NetIQ eDirectory username DN.

        4. Password - Enter the password for the given NetIQ eDirectory username.

        5. Click OK to close the New Domain window.

      • IP address - Enter the NetIQ eDirectory Server IP address.

      • Port - Enter the NetIQ eDirectory LDAP port (default is 389, SSL default is 636).

      • Site - (Optional) Enter the NetIQ eDirectory site.

      • Base DN - (Optional) Enter the queried base DN (for example, o=corp).

      • LDAP over SSL - (Optional) Select for using LDAP over SSL.

   5. Click OK to close the New eDirectory Server window.

3. In the Identity Collector, add a new Query Pool, or edit a current Query Pool

   See Identity Collector - Query Pools

4. In the Identity Collector, add a new Filter for the login events, or edit a current Filter

   See Identity Collector - Filters for Login Events.

5. Connect the Identity Collector to the Check Point Identity Server (Identity Awareness Gateway)

   See Identity Collector - Connecting to an Identity Awareness Gateway.