Active Directory Scanner
If your organization uses Microsoft Active Directory (AD), you can import users, groups, Organizational units (OUs) and computers from multiple AD domains into the Endpoint Security Management Server A Security Management Server that manages your Endpoint Security environment. Includes the Endpoint Security policy management and databases. It communicates with endpoint clients to update their components, policies, and protection data.. After the objects have been imported, you can assign policies.
When you first log in to SmartEndpoint A Check Point GUI application which connects to the Endpoint Security Management Server, to manage your Endpoint Security environment - to deploy, monitor and configure Endpoint Security clients and policies., the Users and Computers tree is empty. To populate the tree with users from the Active Directory, you must configure the Directory Scanner A component of Endpoint Security Management Server that scans the defined Active Directory and copies the existing Active Directory structure to the server database..
The Directory Scanner scans the defined Active Directory and fills the Directories node in the Users and Computers tab, copying the existing Active Directory structure to the server database.
Required Permissions to Active Directory
For the scan to succeed, the user account related to each Directory Scanner instance requires full read permissions to:
-
The Active Directory root.
-
All child containers and objects.
-
The deleted objects container.
An object deleted from the Active Directory is not immediately erased but moved to the Deleted Objects container. Comparing objects in the AD with those in the Deleted objects container gives a clear picture of network resources (computers, servers, users, groups) that have changed since the last scan.
The Active Directory Scanner does not scan Groups of type "Distribution".
Required Configuration for Domains
On the Active Directory server, set the Groups Scope to Domain Local only.
Configuring a Directory Scanner Instance
A scanner instance defines which path of the Active Directory will be scanned and the scan frequency. One scanner instance can include the full Active Directory domain, or a part of the domain, for example an OU.
If you want to scan more than one domain or different parts of the same domain, configure in SmartEndpoint more than one scanner. For example, if you want to scan the "HOME" domain and the "OFFICE" domain, configure one scanner instance for each.
Do not create a scanner instance for an OU that is included in a different scan. If you try to create a scan that conflicts with a different scan, an error message shows.
Note - If the scanner is for a specific OU in the domain, only the groups and group members in the OU are included in the scan. If your groups contain members from different OUs we highly recommend configuring the LDAP Path of the scan to the root of the domain, to avoid inconsistencies.
If the domains use DNS servers, make sure that:
-
The DNS server is configured on the Endpoint Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..
-
The DNS server can supply a list of domain controllers in its domain. We recommend that you configure the DNS server to supply a list of the domain controllers for all domains that the Directory Scanner will scan.
To create a scanner instance:
-
In SmartEndpoint, open the Deployment tab > Organization Scanners.
-
Click Add Directory Scanner.
-
In the Active Directory Scanner Settings window:
-
Domain Name -Enter the Domain Name in FQDN format, for example, example.com.
-
Username and Password -Enter the Username and Password of an administrator. The administrator must have read permissions to the scan path and the deleted objects container.
Note - xxx
-
@ -The UPN suffix for the administrator is filled in automatically. Change it if it is different than the FQDN.
-
-
In the Advanced area, select or enter the IP Address of the Domain Controller. If the domain has DNS, this is filled in automatically.
-
In LDAP Path, click the browse button to select an OU. If you do not select an OU, the full domain is scanned.
-
You can change the default values in the Advanced area:
-
Connection - Choose the type of connection for the Directory Scanner communication:
-
GSS Enabled - Uses DNS to create Kerberos An authentication server for Microsoft Windows Active Directory Federation Services (ADFS). ticket requests. If DNS is not configured correctly on the Endpoint Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server., the connection is not successful. By default, this is not selected.
-
SSL Enabled - Uses SSL Tunneling. You must have an SSL certificate installed on the Domain Controller. By default, this is not selected.
-
Port - The port over which the scan occurs.
-
Scan Interval - The Endpoint Security Management Server sends a request to the Domain Controller to see if changes were made to the domain. If changes were made, the Directory Scanner synchronizes Endpoint Security nodes in the Users and Computers tree with nodes in the Active Directory. The Scan Interval is the time, in minutes, between the requests.
-
-
Click OK.
The scan shows in the Organization Scanner window.
|
Note - Scanning the Active Directory takes time. AD objects show in the sequence they are discovered |
The Organization Scanners Page
In the Deployment tab > Organization Scanners page, you can see all configured scans and their statuses. You can also do these operations:
-
Add Directory Scan - Configure a scan of an Active Directory domain or OU.
-
Edit - Edit a configured scan.
-
Remove - Remove a scan from the list. It will not occur again.
-
Rescan - Run a selected scan on demand.
-
Start/Stop - Click the start or stop icon to start or stop a scan.
-
Smart Card certificate scanning setting > Configure - Configure if all user certificates are scanned for Smart Card information during a scanner instance, or only those with the Smart Card Logon OID.
Directory Synchronization
At the specified interval of a scanner instance, the Directory Scanner synchronizes Endpoint Security nodes in the Users and Computers tree with nodes in the Active Directory. When synchronization occurs:
-
New Active Directory objects are added to Endpoint Security and inherit a policy according to the Endpoint Security policy assignment.
-
Deleted users are removed from the Users and Computers tree, but only if they had no encrypted removable media devices. Deleted users with encrypted removable media devices move to the Deleted Users/Computers folder. The user no longer exists in the Active Directory, but the server keeps the encryption keys for possible recovery.
You can delete these users manually using SmartEndpoint.
-
Computers deleted from the Active Directory that do not have Endpoint Security are deleted from Users and Computers.
-
Computers deleted from the Active Directory that do have Endpoint Security move to the Deleted Users/Computers folder because they might require recovery. You can delete these computers manually from the Management Console.
-
Objects updated in the Active Directory are also updated on the server.
-
Unchanged records stay unchanged.
Troubleshooting the Directory Scanner
Issue |
Solution |
---|---|
The account of the Directory Scanner instance does not have the required read permissions to the Active Directory or to the deleted objects container. |
Supply the required permissions. |
A corrupted object exists in the Active Directory. |
Remove the object or deny the account used by the Directory Scanner read permission to that object. If the corrupt object is a container object, permission is denied for all objects in the container. |
SSL Troubleshooting
If you use an SSL connection for the Directory Scanner communication, you might see a message that is related to SSL configuration. Find the problem and solution here.
Configuring DNS for GSS Connections
GSSAPI, Generic Security Service API, is an interface used to access security services. Kerberos is the implementation of GSSAPI used in Microsoft's Windows platform and is supported by Active Directory authentication protocols. During Kerberos authentication, a domain's KDC (Key Distribution Center) must be found through a DNS request.
The DNS server configured on the Endpoint Security Management Server must be able to resolve IP address by name and name by IP address for all domains that are scanned by the Directory Scanner. If DNS is not configured properly, the authentication fails.
Make sure that:
-
The DNS server is configured on the Endpoint Security Management Server.
-
The DNS server can recognize the DNS servers of all domains that the Directory Scanner will scan.
To make sure the DNS server is configured correctly for GSSAPI authentication:
-
On the Endpoint Security Management Server, run:
nslookup
. -
Test the name to IP resolving for all domain controllers that are used by the Directory Scanner.
-
Test the IP to name resolving or all domain controllers that are used by the Directory Scanner.
Strengthening Active Directory Authentication to use LDAPS
By default Active Directory authentication uses the LDAP protocol and a simple authentication method. You can make the authentication more secure by changing the authentication protocol to LDAPS, with or without GSSAPI authentication. GSSAPI authentication is based on Kerberos v5.
To change the authentication protocol to LDAPS, GSSAPI, or the two of them:
-
Edit the
$UEPMDIR/engine/conf/ldap.utils.properties
file. -
Configure the protocol or protocols to use.
-
To configure LDAPS - Change
use.ssl=false
touse.ssl=true
-
To configure GSSAPI - Change
use.gssapi=false
touse.gssapi=true
You can set LDAPS and GSSAPI to true.
-
-
Save the file.
For GSSAPI, no additional configuration is necessary.
Additional steps for LDAPS:
-
Configure the Domain Controller to use LDAPS.
-
Import all Domain Controller certificates to the Endpoint Security Management Server keystores.
To import a certificate to the keystores on the Endpoint Security Management Server:
-
On a domain controller which is configured to support LDAPS, run:
certutil -store -v MY
The output of this command is a list of certificates. The certificates are separated by a line like this:
================ Certificate 0 ================
where 0 is the index number of the certificate.
-
Find a certificate:
-
That has a subject that is the FQDN of the Domain Controller. In the example below:
DC.mulberry.com
-
In which one of certificate extensions has the OID Server Authentication (1.3.6.1.5.5.7.3.1).
-
-
Get the index number of the certificate.
This is the number which appears in the separation header before each certificate. In this example it is 0.
================ Certificate 0 ================
X509 Certificate:
Version: 3
Serial Number: 610206fb000000000002
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Issuer:
CN=mulberry-DC-CA
DC=mulberry
DC=com
NotBefore: 23/06/2014 13:12
NotAfter: 23/06/2015 13:12
Subject:
CN=DC.mulberry.comPublic Key Algorithm:
?
Certificate Extensions: 9
1.3.6.1.4.1.311.20.2: Flags = 0, Length = 22
Certificate Template Name (Certificate Type)
DomainController
2.5.29.37: Flags = 0, Length = 16
Enhanced Key Usage
Client Authentication (1.3.6.1.5.5.7.3.2)
Server Authentication (1.3.6.1.5.5.7.3.1)
-
Download a certificate from the domain controller. Run:
certutil -store MY <certificate index> <path_to>\<file name>
For example:
certutil -store MY 0 C:\certificates\DCCert.cer
-
Copy the certificate file to the Endpoint Security server. In a High Availability environment, copy the file to the Primary and Secondary servers.
-
Import a certificate to Endpoint Security server keystore. Run:
cd $CPDIR/jre_64
./bin/keytool -import -keystore ./lib/security/cacerts -file <file_name> -alias <alias>
For example:
./bin/keytool -import -keystore ./lib/security/cacerts -file /home/admin/ServerCert.cer -alias SSLCert
-
Enter the default password changeit.
-
Click YES on Trust this Certificate.
A confirmation message Certificate was added to the keystore appears.
-
Restart the Endpoint Security servers. Run:
uepm_stop
uepm_start