Configuring Identity Awareness Gateway as an Active Directory Proxy

If Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. is not currently connected to your Active Directory environment, Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway can act as Active Directory Proxy and let you use the Identity Awareness User Picker in the Access Role Access Role objects let you configure network access according to: Networks, Users and user groups, Computers and computer groups, Remote Access Clients. After you activate the Identity Awareness Software Blade, you can create Access Role objects and use them in the Source and Destination columns of Access Control Policy rules. object (see Working with Access Role Objects in the Rule Base).

Note - The Identity Awareness Gateway needs to be connected to your Active Directory server.

Configuring Identity Awareness Gateway in SmartConsole:

1. Create a new Host object for each Active Directory Domain Controller in your Active Directory environment.

   1. In the top left corner, click Objects > New Host.

   2. Configure the object name and IP address.

   3. Click OK.

2. Install the Access Control Policy on the Identity Awareness Gateway.

3. Configure an LDAP Account Unit object

   1. In the top left corner, click Objects > Object Explorer.

      The Object Explorer window opens.

   2. In the left navigation tree, click Servers.

   3. From the toolbar, click New > Server > LDAP Account Unit.

      The LDAP Account Unit Properties window opens:

      • Configure properties on the General tab.

        1. In the Name field, enter the applicable object name (for example, mycompany.com_LDAP_ACC_UNIT).

        2. In the Profile field, select Microsoft_AD.

        3. In the Prefix field, enter your domain name (for example, mycompany.com).

        4. In the Account Unit usage section, select all the options.

        5. In the Additional configuration section, select Enable Unicode support.

      • Configure properties on the Servers tab.

        1. Click Add.

        2. The LDAP Server Properties window opens.

        3. Go to the General tab.

        4. In the Host field, select the host object you created for this Domain Controller in Step 1.

        5. In the Username field, enter the username for this Domain Controller (for example, John.Smith).

        6. In the Login DN field, enter the user's distinguished name (DN) for this Domain Controller (see RFC 1779).

           Note - Refer to the official Microsoft documentation. For example, use the PowerShell Get-ADUser command.

        7. In the Password field, enter the password for this Domain Controller.

        8. In the Confirm password field, enter the password again.

        9. Click OK to close the LDAP Server Properties window.

           Note - The order, in which these LDAP Servers are displayed is also the default order, in which they will be queried. You can configure the applicable priority for these LDAP Servers..

      • Configure properties on the Objects Management tab.

        1. In the Server to connect field, select the host object you created for this Domain Controller in Step 1.

        2. Manually add the branch(es).

           Note - This feature does not support fetching on branches.

        3. The branch name is the suffix of the Login DN that begins with DC=.

        4. For example, if the Login DN is CN=John.Smith,CN=Users,DC=mycompany,DC=com

        5. then the branch name is DC=mycompany,DC=com

        6. Select Management Server needs proxy to reach AD server.

        7. In the Proxy through field, select the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Security Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. that has a route to your AD server.

        8. Configure other applicable settings.

      • (Optional) Configure properties on the Authentication tab.

        1. Clear Use common group path for queries.

        2. In the Allowed authentication schemes section, select all the options.

        3. In the Users' default values section:

           • Clear Use user template.

           • Select Default authentication scheme > Check Point Password.

   4. Click OK to complete the configuration of the new LDAP Account Unit object and to close the LDAP Account Unit Properties window.

4. (Optional) Configure the Security Gateway to encrypt the LDAP communication with your Domain Controller

   1. Open the LDAP Account Unit object you configured in Step 3.

   2. Go to the Servers tab.

   3. Select the LDAP Server object and click Edit.

   4. Go to the Encryption tab.

   5. Select Use Encryption (SSL).

   6. In the Verify that server has the following Fingerprints field, enter the Active Directory server fingerprint you get from the Identity Awareness Gateway.

      To get the Active Directory server fingerprint from the Security Gateway

      1. Open a plain-text editor on your computer.

      2. Copy and paste this single long command to the plain-text editor:

         cpopenssl s_client -connect 192.168.1.2:636 2>&1 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | cpopenssl x509 -noout -md5 -fingerprint

      3. In the text editor, replace the 192.168.1.2 with the IP address of your Active Directory Domain Controller.

      4. Connect to the command line on Security Gateway.

      5. Log in to the Expert mode.

      6. If this is a VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0., switch to the context of the relevant Virtual System that has connectivity to the Active Directory Domain Controller.

      7. Make sure there is connectivity between the Security Gateway, or Virtual System and the Active Directory Domain Controller.

      8. Copy and paste the modified command from the text editor on your computer to the Security Gateway console and press Enter.

         MD5 Fingerprint is displayed. For example:

         MD5 Fingerprint=0B:84:D1:28:A5:19:6A:4D:24:57:72:5A:32:9B:2D:4D

      9. Copy the displayed Active Directory fingerprint number (after the = sign) from the Security Gateway console.

      10. Paste the copied fingerprint number in the Verify that server has the following Fingerprints field.

      11. Click OK to close the LDAP Server Properties window.

   7. Click OK to close the LDAP Account Unit Properties window.

5. Enable the Identity Awareness Software Blade on the Security Gateway.

   1. In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., from the left Navigation Toolbar, click Gateways & Servers.

   2. Edit the Security Gateway object.

   3. Select Identity Awareness Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities..

   4. When Identity Awareness Configuration wizard opens, click Cancel.

   5. Make sure the Identity Awareness is selected.

   6. In the left navigation tree, go to Identity Awareness.

   7. In the Identity Sources section, select and configure the relevant options.

   8. Click OK.

   9. Install the Access Control Policy.

Important Notes about the Identity Awareness Gateway as Active Directory Proxy feature This feature works only with Microsoft Active Directory. This feature supports only the user picker in the Access Role object. Other settings, such as Identity Awareness Configuration wizard, Client certificate, Legacy user picker, Fetch branches, Fetch fingerprint, and LDAP tree are not supported. This feature works only with Security Gateway R80.20 and above running on Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. OS. This feature supports only Virtual Systems that belong to the same domain as the VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Gateway or VSX Cluster (context of VS0). This feature does not support Virtual Systems that belong to a different domain than the VSX Gateway or VSX Cluster (context of VS0). This feature does not support Centrally Managed Quantum Spark Appliances running Gaia Embedded OS (applies to all models). This feature does not support Scalable Platforms (41000 / 44000 / 61000 / 64000). This feature does not support DAIP gateways or Externally managed gateways. Available communication types: Clear - Communication between the Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. and the Security Gateway is encrypted by SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.. However, the communication from the Security Gateway to the Active Directory server is not encrypted. SSL - Active Directory domain controller needs to allow SSL. In a Multi-Domain Security Management environment, this feature is not available for Account Units that are configured in the Global SmartConsole. Required Active Directory permissions for the account used to configure the Account Unit: For user picker functionality, the account should have permission to perform LDAP queries. For Security Gateway functionality - depends on the identity sources that are used on the Security Gateway. To acquire identities using the AD Query Check Point clientless identity acquisition tool. It is based on Active Directory integration and it is completely transparent to the user. The technology is based on querying the Active Directory Security Event Logs and extracting the user and computer mapping to the network address from them. It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Check Point Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients, or on the Active Directory server., without using domain admin credentials, refer to sk93938.