Configuring Identity Awareness Gateway as an Active Directory Proxy
If a Security Management Server is not currently connected to your Active Directory environment, an Identity Awareness Gateway can work as an Active Directory Proxy. This lets you use the Identity Awareness User Picker in an Access Role object in SmartConsole (see Using Identity Awareness in the Firewall Rule Base). To work as an Active Directory Proxy, the Identity Awareness Gateway must be connected to your Active Directory server.
Known Limitations
- This feature works only with Microsoft Active Directory.
- This feature supports only the user picker in the Access Role object.
- This feature works only with Security Gateway R80.20 and above running on Gaia OS.
- This feature supports only Virtual Systems that belong to the same domain as the VSX Gateway or VSX Cluster (context of VS0). This feature does not support Virtual Systems that belong to a different domain than the VSX Gateway or VSX Cluster (context of VS0).
- This feature does not support Centrally Managed Quantum Spark Appliances running Gaia Embedded OS (applies to all models).
- This feature does not support Scalable Platforms (41000 / 44000 / 61000 / 64000).
- This feature does not support DAIP gateways or Externally managed gateways.
- Available connection types:
  - Clear - The connection between the Security Management Server and the Security Gateway is encrypted by SIC. The connection from the Security Gateway to the Active Directory server is not encrypted.
  - SSL - The Active Directory domain controller needs to allow SSL.
- In a Multi-Domain Security Management environment, this feature is not available for Account Units that are configured in the Global SmartConsole.
- Necessary Active Directory permissions for the account you use to configure the Account Unit:
  - For user picker functionality, the account should have permission to perform LDAP queries.
  - For Security Gateway functionality, the required permissions depend on the identity sources that are used on the Security Gateway.
  - To acquire identities through AD Query without domain admin credentials, refer to sk93938.
Configuring an Identity Awareness Gateway as an Active Directory Proxy
Procedure:
1. Create a new Host object for each Active Directory Domain Controller in your Active Directory environment:
   - In the top left corner, click Objects > New Host.
   - Configure the object name and IP address.
   - Click OK.
2. Install the Access Control Policy on the Identity Awareness Gateway.
3. Configure an LDAP Account Unit object:
   - In the top left corner, click Objects > Object Explorer. The Object Explorer window opens.
   - In the left navigation tree, click Servers.
   - From the toolbar, click New > More > User/Identity > LDAP Account Unit. The LDAP Account Unit Properties window opens.
   - Configure properties on each tab in the window:
     - General tab
       - In the Name field, enter the applicable object name (for example, mycompany.com_LDAP_ACC_UNIT).
       - In the Profile field, select Microsoft_AD.
       - In the Prefix field, enter your domain name (for example, mycompany.com).
       - In the Account Unit usage section, select all the options.
       - In the Additional configuration section, select Enable Unicode support.
     - Servers tab
       - Click Add. The LDAP Server Properties window opens.
       - Go to the General tab.
       - In the Host field, select the host object you created for this Domain Controller in Step 1.
       - In the Username field, enter the username for this Domain Controller (for example, John.Smith).
       - In the Login DN field, enter the user's distinguished name (DN) for this Domain Controller (see RFC 1779).
         Note - Refer to the official Microsoft documentation. For example, use the PowerShell Get-ADUser command.
       - In the Password field, enter the password for this Domain Controller.
       - In the Confirm password field, enter the password again.
       - Click OK to close the LDAP Server Properties window.
         Note - The order in which these LDAP Servers appear in the view is the default order in which they are queried. You can configure the applicable priority for these LDAP Servers.
     - Objects Management tab
       - In the Server to connect field, select the host object you created for this Domain Controller in Step 1.
       - Manually add the branch(es).
         Note - This feature does not support fetching branches.
         - The branch name is the suffix of the Login DN that begins with DC=.
         - For example, if the Login DN is CN=John.Smith,CN=Users,DC=mycompany,DC=com, then the branch name is DC=mycompany,DC=com.
       - Select Management Server needs proxy to reach AD server.
       - In the Proxy through field, select the Security Gateway / Security Cluster that has a route to your AD server.
       - Configure other applicable settings.
     - (Optional) Authentication tab
       - Clear Use common group path for queries.
       - In the Allowed authentication schemes section, select all the options.
       - In the Users' default values section:
         - Clear Use user template.
         - Select Default authentication scheme > Check Point Password.
4. Click OK to complete the configuration of the new LDAP Account Unit object and to close the LDAP Account Unit Properties window.
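The branch rule from the Objects Management tab (the branch is the suffix of the Login DN starting at the first DC= component) is easy to get wrong when a DN value itself contains a comma. The following is an added worked example, not Check Point code: it splits the DN on unescaped commas as RFC 4514 specifies, so an escaped comma inside a value (the `CN=Smith\, John` DN below is a constructed example) does not shift the branch, and it rejects a DN with no DC= component or with a non-DC component after the first DC=. The other sample DN is the one from the page.

```python
"""Derive the LDAP branch (the DC= suffix) from an Active Directory Login DN.

Added example, not Check Point code. Implements the rule from the Objects
Management tab: the branch name is the suffix of the Login DN that begins
with the first DC= component. DNs are split per RFC 4514, so a backslash-
escaped comma inside a value is not treated as a separator.
"""
from typing import List, Tuple


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes."""
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Escaped character (for example "\,"): part of the value, not a separator.
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))

    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError(f"malformed RDN (no '='): {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def branch_from_login_dn(login_dn: str) -> str:
    """Return the DC= suffix of login_dn, for example 'DC=mycompany,DC=com'."""
    pairs = split_rdns(login_dn)
    for idx, (attr, _) in enumerate(pairs):
        if attr.upper() == "DC":
            tail = pairs[idx:]
            # Everything after the first DC= must also be DC=, otherwise the DN is malformed.
            if any(a.upper() != "DC" for a, _ in tail):
                raise ValueError(f"non-DC component after first DC= in {login_dn!r}")
            return ",".join(f"DC={v}" for _, v in tail)
    raise ValueError(f"Login DN has no DC= component: {login_dn!r}")


if __name__ == "__main__":
    # Page example plus one constructed DN with an escaped comma in the CN value.
    for dn in ("CN=John.Smith,CN=Users,DC=mycompany,DC=com",
               r"CN=Smith\, John,OU=Sales,DC=example,DC=com"):
        print(dn, "->", branch_from_login_dn(dn))
```

Run it on the DistinguishedName value that Get-ADUser returns for the account before typing the branch into SmartConsole; the function raises instead of guessing when the DN does not end in DC= components.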
(Optional) Configuring the Security Gateway to Encrypt the LDAP Connection with your Domain Controller
Procedure:
1. Open the LDAP Account Unit object you configured in Step 3.
2. Go to the Servers tab.
3. Select the LDAP Server object and click Edit.
4. Go to the Encryption tab.
5. Select Use Encryption (SSL).
6. In the Verify that server has the following Fingerprints field, enter the Active Directory server fingerprint you get from the Identity Awareness Gateway.
   Getting the Active Directory server fingerprint from the Security Gateway:
   - Open a plain-text editor on your computer.
   - Copy and paste this single long command to the plain-text editor:
     cpopenssl s_client -connect 192.168.1.2:636 2>&1 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | cpopenssl x509 -noout -md5 -fingerprint
   - In the text editor, replace 192.168.1.2 with the IP address of your Active Directory Domain Controller.
   - Connect to the command line on the Security Gateway.
   - Log in to the Expert mode.
   - If this is a VSX Gateway, switch to the context of the applicable Virtual System that has connectivity to the Active Directory Domain Controller.
   - Make sure there is connectivity between the Security Gateway, or Virtual System, and the Active Directory Domain Controller.
   - Copy and paste the modified command from the text editor on your computer to the Security Gateway console and press Enter. The MD5 Fingerprint is displayed. For example:
     MD5 Fingerprint=0B:84:D1:28:A5:19:6A:4D:24:57:72:5A:32:9B:2D:4D
   - Copy the displayed Active Directory fingerprint (after the = sign) from the Security Gateway console.
   - Paste the copied fingerprint in the Verify that server has the following Fingerprints field.
   - Click OK to close the LDAP Server Properties window.
7. Click OK to close the LDAP Account Unit Properties window.
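The cpopenssl pipeline above does three things: it captures the certificate block from the s_client output, decodes it to DER, and hashes the DER. The following added example (not Check Point code) reproduces that in Python so the fingerprint can be recomputed and checked against the value entered in the Verify that server has the following Fingerprints field, including a tolerant comparison that ignores case and separators. The SAMPLE_OUTPUT is constructed: its certificate body is not a real certificate but the bytes b"abc" in base64, chosen so the expected digests are well known; on a real gateway the input would be the output of the s_client step. The page uses MD5, so MD5 is the default, and the same function also accepts sha256 for tooling that prints stronger fingerprints.

```python
"""Recompute and verify an LDAPS server certificate fingerprint.

Added example, not Check Point code. Mirrors the cpopenssl pipeline:
take the PEM certificate block out of s_client output, base64-decode it
to DER, digest the DER and print it the way 'cpopenssl x509 -fingerprint'
does (upper-case hex pairs separated by colons).
"""
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: the "certificate" body is just b"abc" in base64, NOT a real
# certificate. Real s_client output carries the Domain Controller's certificate here.
SAMPLE_OUTPUT = """CONNECTED(00000003)
depth=0 CN = dc1.mycompany.com
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = dc1.mycompany.com
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
---
"""


def extract_der(s_client_output: str) -> bytes:
    """Return the DER bytes of the first certificate in s_client output."""
    match = PEM_BLOCK.search(s_client_output)
    if not match:
        raise ValueError("no certificate block found in output")
    body = "".join(match.group(1).split())  # drop the line breaks inside the PEM body
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algorithm: str = "md5") -> str:
    """Digest of the DER certificate in cpopenssl display form, e.g. '0B:84:...'."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip colons, spaces and case so pasted fingerprints compare reliably."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprint_matches(der: bytes, expected: str, algorithm: str = "md5") -> bool:
    """Constant-time comparison of the computed fingerprint with the expected one."""
    return hmac.compare_digest(normalize(fingerprint(der, algorithm)), normalize(expected))


if __name__ == "__main__":
    der = extract_der(SAMPLE_OUTPUT)
    print("MD5 Fingerprint=" + fingerprint(der))
    print("SHA256 Fingerprint=" + fingerprint(der, "sha256"))
```

Feed it the saved s_client output from the gateway and the fingerprint that was typed into SmartConsole; a mismatch after a Domain Controller certificate renewal is the usual reason an LDAPS Account Unit stops working, and rechecking this way is faster than re-running the pipeline by hand.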