CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Active Directory/Check Point expected behavior?

  1. #1
    Join Date
    2006-06-29
    Posts
    6
    Rep Power
    0

    Default Active Directory/Check Point expected behavior?

    Hello,

    I'm trying to determine if an issue I'm having with Active Directory based VPN authentication is expected behavior or not. I'm currently deploying an R75.20 cluster (in the testing phase right now), running on Splat (management on Splat as well), and am attempting to manage VPN accounts and groups via AD. The MS domain controllers are 2003 servers, two of which I am pointing at for the LDAP Account Unit.

    I have followed the documents that I have found via this site and other resources to set up AD based user/group management and authentication. What I have done so far is:

    - Set up a group in AD, into which we place users who are allowed VPN access.
    - In the firewall I have set up the LDAP Account Unit (which successfully connects, as I am able to open the AD tree), an LDAP group (pointing to the AD group for VPN users), a template (Default) set to use Checkpoint auth, a remote access community (containing the LDAP group), and the appropriate rule in the rule base.
    - If I put a user in the AD group and install the policy, they're able to authenticate to the VPN.
    - If I then remove the user from the AD group, or change their password via AD, they are still able to authenticate to the VPN.
    - It's only when I install the policy that their access is denied (because of the password change or group membership removal). The same thing happens in the opposite direction: if I put the user back into the AD group (or change their password back), it's not until I install the policy that the user is able to authenticate.

    What I'm trying to figure out is if this is expected behavior or not. My goal is to be able to manage users/groups in AD and not in the firewall (and of course also to allow a user to change their password and then be able to use the new password for VPN authentication without having us install the policy). If anyone has any ideas I would really appreciate the help!

    Thanks!
    Last edited by phreakyphish; 2012-03-01 at 14:18.

  2. #2
    Join Date
    2008-07-07
    Posts
    97
    Rep Power
    13

    Default Re: Active Directory/Check Point expected behavior?

    Quote Originally Posted by phreakyphish
    Hi,

    This is expected behavior. Under Global Properties / SmartDirectory (LDAP) there is a timeout on cached users. This defaults to 900 seconds, or 15 min. This cache is cleared and updated when a policy is pushed. In essence it will refresh every 15 min, so once a user is removed from the AD group it will take that amount of time or less for Check Point to update its LDAP cache.

    Regards
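The revocation lag described in the answer above is easy to model. The following is an added example written for this page, not Check Point code and not the SmartDirectory implementation: it assumes, as the answer states, that the gateway caches what it learned from the directory about a user (group membership and password) for a fixed timeout, serves authentication decisions from that cache until the entry expires, and drops the whole cache on policy install. The user name, passwords, directory contents and timings are constructed for illustration.

```python
"""Model of a TTL-cached LDAP user lookup and the revocation lag it causes.

Constructed example for illustration; not Check Point's implementation.
"""
from dataclasses import dataclass, field

# Default per the answer above: Global Properties > SmartDirectory (LDAP) timeout on cached users.
CACHE_TIMEOUT_SECONDS = 900


@dataclass
class Directory:
    """Stand-in for Active Directory: the VPN group and each user's current password."""
    vpn_group: set = field(default_factory=set)
    passwords: dict = field(default_factory=dict)

    def lookup(self, user):
        # What the directory says about the user right now (membership, password).
        return (user in self.vpn_group, self.passwords.get(user))


@dataclass
class Gateway:
    """Stand-in for the gateway: answers from its user cache until entries expire."""
    directory: Directory
    cache_timeout: int = CACHE_TIMEOUT_SECONDS
    # user -> (fetched_at, is_member, password); built lazily on first lookup
    _cache: dict = field(default_factory=dict, init=False)

    def install_policy(self):
        """Policy install clears the user cache, as described in the thread."""
        self._cache.clear()

    def _entry(self, user, now):
        hit = self._cache.get(user)
        if hit is None or now - hit[0] >= self.cache_timeout:
            # Cache miss or expired entry: consult the directory and refresh.
            is_member, password = self.directory.lookup(user)
            hit = (now, is_member, password)
            self._cache[user] = hit
        return hit

    def authenticate(self, user, password, now):
        """Allow only if the cached view says the user is a group member with this password."""
        _, is_member, cached_pw = self._entry(user, now)
        return is_member and cached_pw is not None and cached_pw == password


def scenario(cache_timeout=CACHE_TIMEOUT_SECONDS):
    """Replay the thread's sequence: remove from group, re-add with a new password, install policy."""
    ad = Directory({"alice"}, {"alice": "old-pw"})      # constructed sample directory
    gw = Gateway(ad, cache_timeout)
    gw.install_policy()
    results = {}
    results["t0_member"] = gw.authenticate("alice", "old-pw", now=0)             # True: fresh lookup
    ad.vpn_group.discard("alice")                                                # removed in AD
    results["t10_after_removal"] = gw.authenticate("alice", "old-pw", now=10)   # True: stale cache
    results["t900_after_removal"] = gw.authenticate("alice", "old-pw", now=900) # False: entry expired
    ad.vpn_group.add("alice")                                                    # re-added in AD
    ad.passwords["alice"] = "new-pw"                                             # password changed in AD
    results["t910_new_pw"] = gw.authenticate("alice", "new-pw", now=910)        # False: cached "not member"
    gw.install_policy()                                                          # cache flushed
    results["t911_after_install"] = gw.authenticate("alice", "new-pw", now=911) # True: fresh lookup
    return results


def seconds_until_revoked(cache_timeout, removed_at=10):
    """How long a removed user keeps authenticating, polling once per second after removal."""
    ad = Directory({"alice"}, {"alice": "pw"})
    gw = Gateway(ad, cache_timeout)
    gw.authenticate("alice", "pw", now=0)   # populate the cache at t=0
    ad.vpn_group.discard("alice")
    for t in range(removed_at, removed_at + cache_timeout + 1):
        if not gw.authenticate("alice", "pw", now=t):
            return t - removed_at
    return None


if __name__ == "__main__":
    for step, allowed in scenario().items():
        print(f"{step}: {'allowed' if allowed else 'denied'}")
    for timeout in (CACHE_TIMEOUT_SECONDS, 60):
        print(f"timeout {timeout}s: revoked {seconds_until_revoked(timeout)}s after removal")
```

The `seconds_until_revoked` values show the "that amount of time or less" part of the answer: the lag depends on where in the cache lifetime the change lands, and it shrinks with a shorter timeout at the cost of more directory queries, while a policy install is the only way in this model to force an immediate refresh.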
