Configuring Active Directory and LDAP for DLP
You can configure the DLP Gateway to access a Microsoft Active Directory or LDAP server to:
- Authenticate to the DLP Portal with Active Directory credentials
- Authenticate to UserCheck with Active Directory credentials
- Define Active Directory or LDAP groups to be used in the DLP policy
- Define the My Organization object
If you run the wizard from a computer in the Active Directory domain, the Data Loss Prevention Wizard asks for your Active Directory credentials and creates the LDAP account unit automatically. If you ran the wizard from a computer that is not in the domain, you can run it again from a computer in the Active Directory domain to create the LDAP account unit.

- From a computer that is a member of the Active Directory domain, create the DLP Gateway object.
- Enter your Active Directory credentials in the Active Directory page.
  You do not need credentials with administrator privileges; an account that can read users and groups in the directory is sufficient.
  Best Practice - Create an Active Directory account that is dedicated for use by Check Point products to connect to Active Directory, and give it no more rights than a standard domain user.
- When you complete the wizard, the LDAP account unit is created automatically.
If you have multiple Active Directory servers:
- Review the created account unit.
- Remove unnecessary servers.
- Assign applicable priorities to all the servers.

The DLP Wizard asks for Active Directory credentials only if no LDAP account unit exists. If an LDAP account unit already exists, the wizard does not ask for your credentials. To have the DLP Wizard create the LDAP account unit, delete the existing LDAP account unit and run the wizard again.

Note - If you configure the LDAP Account Unit manually with the username and password authentication method, you must set the Default Authentication Scheme to Check Point Password.

If you need more LDAP account units, create them manually. See the R81 Security Management Administration Guide.
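The best practice above asks for a dedicated Active Directory account. The following PowerShell is an added example, not part of the Check Point guide: it creates such an account as a plain domain user, confirms it carries no privileged group membership, and then performs the same kind of simple bind over LDAPS that the account unit will use, reading group objects the way the DLP policy and UserCheck need to. The domain, OU, domain controller name and account name are assumed values; adjust them for your environment.

```powershell
# Added example (not from the Check Point guide): create a dedicated, least-privilege
# AD account for the Check Point LDAP Account Unit and verify it can bind and read groups.
Import-Module ActiveDirectory

# Assumed values - change for your environment.
$domainDn = "DC=corp,DC=example,DC=com"
$upnSuffix = "corp.example.com"
$ouPath = "OU=ServiceAccounts,$domainDn"
$samName = "svc-checkpoint-ldap"
$dcFqdn = "dc01.corp.example.com"

# Long random password. Enter it in the wizard's Active Directory page and store it
# in your secret manager; do not keep it in a script.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# Plain domain user: enabled, cannot change its own password, no extra groups.
New-ADUser -Name $samName -SamAccountName $samName `
    -UserPrincipalName "$samName@$upnSuffix" `
    -Path $ouPath -AccountPassword $secure -Enabled $true `
    -CannotChangePassword $true `
    -Description "Check Point DLP/UserCheck LDAP bind account (read-only)" `
    -Server $dcFqdn

# Check 1: the account must not have picked up any privileged group membership.
$groups = (Get-ADPrincipalGroupMembership -Identity $samName -Server $dcFqdn).Name
$extra = $groups | Where-Object { $_ -ne 'Domain Users' }
if ($extra) { Write-Warning "Unexpected group membership: $($extra -join ', ')" }

# Check 2: simple bind over LDAPS (port 636) and read group objects, as the
# gateway's account unit will. Bind against the same DC so no replication lag.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcFqdn, 636)
$cred = New-Object System.Net.NetworkCredential("$samName@$upnSuffix", $plain)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, 'Basic')
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()   # throws LdapException if the credentials or TLS setup are wrong

$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $domainDn, "(objectClass=group)", 'Subtree', @("cn", "member"))
$res = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
"Bound as $samName over LDAPS; readable group objects: $($res.Entries.Count)"
$conn.Dispose()
```

Run this on a domain-joined machine with RSAT as an administrator that can create users in the target OU. The bind uses username and password (a simple bind) because that is the authentication method the account unit uses; doing it over LDAPS keeps the password off the wire. The account's password is subject to your domain expiry policy, so plan rotation together with updating the password stored in the account unit, or the gateway will lose its directory connection when the password expires.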
Rerunning the Data Loss Prevention Wizard
If you run the DLP Wizard from a computer that is not part of the Active Directory domain, you can run it again from a computer in the Active Directory domain to create the LDAP account unit.
To run the Data Loss Prevention Wizard again:
- In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
  The gateway window opens and shows the General Properties page.
- Clear the Data Loss Prevention Software Blade.
- Select the Data Loss Prevention Software Blade again.
  The Data Loss Prevention Wizard starts.