Account Units

An Account Unit represents branches of user information on one or more LDAP servers. The Account Unit is the interface between the LDAP servers and the Security Management Server and Security Gateways.

You can have a number of Account Units representing one or more LDAP servers. Users are divided among the branches of one Account Unit, or between different Account Units.

Note - When you enable the Identity Awareness and Mobile Access Software Blades, SmartConsole opens a First Time Configuration Wizard. The Active Directory Integration window of this wizard lets you create a new AD Account Unit. After you complete the wizard, SmartConsole creates the AD object and Account Unit.

Working with LDAP Account Units

Use the LDAP Account Unit Properties window in SmartConsole to create a new Account Unit manually or to edit an existing one.

To create or edit an existing LDAP Account Unit:

    • Create: In the Objects tab, click New > More > User/Identity > LDAP Account unit.

    • Edit: In SmartConsole, open the Object Explorer (press the CTRL+E keys) > Users/Identities > LDAP Account Units > Right-click the LDAP Account Unit and select Edit.

    The LDAP Account Unit Properties window opens.

  1. Edit the settings in these tabs:

  2. Click OK.

  3. Install the Access Control Policy.

Configuring LDAP query parameters

  1. From the Manage objects on drop-down menu, select the LDAP server object.

  2. Click Fetch branches.

    The Security Management Server queries and shows the LDAP branches.

  3. Configure Branches in use:

    • To add a branch, click Add and in the LDAP Branch Definition window that opens, enter a new Branch Path

    • To edit a branch, click Edit and in the LDAP Branch Definition window that opens, modify the Branch Path

    • To delete a branch, select it and click Delete

  4. Select Prompt for password when opening this Account Unit, if necessary (optional).

  5. Configure the number of Return entries that are stored in the LDAP database (the default is 500).

Modifying the LDAP Server

  1. On the LDAP Account Unit Properties > Servers tab, double-click a server.

    The LDAP Server Properties window opens.

  2. On the General tab, you can change:

  3. On the Encryption tab, you can change the encryption settings between Security Management Server / Security Gateways and LDAP server.

    If the connections are encrypted, enter the encryption port and strength settings.

    Note - User Directory connections can be authenticated by client certificates from a Certificate Authority (CA). To use certificates, the LDAP server must be configured with SSL strong authentication. See Authenticating with Certificates.

Account Units and High Availability

With User Directory replications for High Availability, one Account Unit represents all the replicated User Directory servers. For example, two User Directory server replications can be defined on one Account Unit, and two Security Gateways can use the same Account Unit.

Item  Description

1     Security Management Server. Manages user data in User Directory. It has an Account Unit object, where the two servers are defined.

2     User Directory server replication.

3     Security Gateway. Queries user data and retrieves CRLs from the nearest User Directory server replication (2).

4     Internet

5     Security Gateway. Queries user data and retrieves CRLs from the nearest User Directory server replication (6).

6     User Directory server replication.

Setting High Availability Priority

With multiple replications, define the priority of each LDAP server in the Account Unit. Then you can define a server list on the Security Gateways.

Select one LDAP server for the Security Management Server to connect to. The Security Management Server can work with one LDAP server replication. All other replications must be synchronized for standby.
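The following is an added illustration, not Check Point code, of how the settings described above interact: the Branches in use restrict which parts of the directory a query may return, Return entries caps the result size, and the per-server priority decides which replication a Security Gateway queries first and which one it falls back to. The LDAP servers and the directory contents are constructed in-memory stand-ins so the example runs offline; the server names, DNs and the `query_users` helper are assumptions for this example only.

```python
"""Model of an Account Unit mapping LDAP branches to prioritised replicas.

Added example, not Check Point code: simulates "Branches in use",
"Return entries" and per-server High Availability priority with an
in-memory stand-in for the LDAP replications, so it runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class LdapServer:
    name: str
    priority: int            # 1 = preferred replication, higher = later fallback
    online: bool = True
    entries: dict = field(default_factory=dict)   # constructed directory: DN -> attributes


@dataclass
class AccountUnit:
    branches: list           # "Branches in use": base DNs a gateway may query
    return_entries: int      # cap on entries returned per query (page default: 500)
    servers: list            # replications in any order; sorted by priority at query time


class NoServerAvailable(Exception):
    """Raised when every replication defined in the Account Unit is down."""


def dn_in_branch(dn: str, branch: str) -> bool:
    """True if dn lies under branch (case-insensitive, RDN-by-RDN suffix match)."""
    dn_parts = [p.strip().lower() for p in dn.split(",")]
    br_parts = [p.strip().lower() for p in branch.split(",")]
    return len(dn_parts) >= len(br_parts) and dn_parts[-len(br_parts):] == br_parts


def query_users(unit: AccountUnit, uid: str):
    """Look up uid under the configured branches, trying replications by priority.

    Returns (server_name, matching_dns). Entries outside "Branches in use" are
    never returned even if the replication holds them, and the result is
    truncated to return_entries. Raises NoServerAvailable if all are offline.
    """
    for server in sorted(unit.servers, key=lambda s: s.priority):
        if not server.online:
            continue                                # fail over to the next priority
        matches = [
            dn for dn, attrs in server.entries.items()
            if attrs.get("uid") == uid and any(dn_in_branch(dn, b) for b in unit.branches)
        ]
        return server.name, matches[: unit.return_entries]
    raise NoServerAvailable("all replications in the Account Unit are unreachable")


# Constructed sample directory, identical on both replications (they are replicas).
SAMPLE = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob"},
    "uid=alice,ou=contractors,dc=example,dc=com": {"uid": "alice"},   # outside branch
    "uid=alice,ou=sub,ou=people,dc=example,dc=com": {"uid": "alice"},  # nested under branch
}


def build_unit(primary_online: bool = True) -> AccountUnit:
    """Assumed configuration: one branch, default Return entries, two replications."""
    return AccountUnit(
        branches=["ou=people,dc=example,dc=com"],
        return_entries=500,
        servers=[
            LdapServer("ldap-replica-2", priority=2, entries=dict(SAMPLE)),
            LdapServer("ldap-replica-1", priority=1, online=primary_online, entries=dict(SAMPLE)),
        ],
    )


if __name__ == "__main__":
    print(query_users(build_unit(), "alice"))                        # served by priority 1
    print(query_users(build_unit(primary_online=False), "alice"))    # falls back to priority 2
```

Two points worth checking in a real deployment follow from this model: an entry that exists on the server but outside Branches in use is invisible to the gateway, which is why a user who "is in LDAP" can still fail to match a rule; and with a small Return entries value a broad query is silently truncated, so queries against large branches should be narrowed rather than relying on the cap.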

Authenticating with Certificates

The Security Management Server and Security Gateways can use certificates to secure communication with LDAP servers. If you do not configure certificates, the management server, Security Gateways, and LDAP servers communicate without authentication.
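The Encryption tab settings and the certificate requirement above translate, on any LDAP client, into how the TLS session is configured. The added example below is not Check Point code; it uses only the Python standard library `ssl` module to contrast the two states the page describes: a connection with no certificates configured (encrypted, but neither side authenticated) and SSL strong authentication, where the client verifies the LDAP server against a trusted CA and presents its own certificate. The file paths and the `LDAPS_PORT` constant are placeholders to replace with the CA bundle and client certificate issued for the management server or gateway.

```python
"""TLS settings for an LDAP client with and without certificate authentication.

Added example, not Check Point code. The resulting SSLContext is what a
client hands to socket wrapping (or to an LDAP library that accepts one).
"""
import ssl
from typing import Optional

LDAPS_PORT = 636   # conventional LDAP-over-TLS port; set to the Encryption tab's port value


def unauthenticated_context() -> ssl.SSLContext:
    """No certificates configured: the channel is encrypted but neither peer
    proves its identity, so a spoofed LDAP server would be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before disabling verification
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strong_auth_context(ca_bundle: Optional[str] = None,
                        client_cert: Optional[str] = None,
                        client_key: Optional[str] = None) -> ssl.SSLContext:
    """SSL strong authentication: verify the LDAP server's certificate against
    the CA and present a client certificate the server can verify in turn.

    ca_bundle / client_cert / client_key are placeholder paths (assumed);
    when None, the system trust store is used and no client cert is loaded.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.check_hostname = True                       # server name must match its certificate
    ctx.verify_mode = ssl.CERT_REQUIRED             # reject servers without a trusted cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # "strength" setting: no legacy TLS
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the security properties of a context for review or logging."""
    return {
        "verifies_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("unauthenticated:", describe(unauthenticated_context()))
    print("strong auth:    ", describe(strong_auth_context()))
```

When reviewing an Account Unit, the properties in `describe` are the ones to confirm: server verification and hostname checking both enabled, the minimum protocol version matching the strength configured on the Encryption tab, and a client certificate loaded when the LDAP server is set to require it.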