CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: AD Query method not working for ad users

  1. #1
    Join Date
    2016-09-01
    Posts
    4
    Rep Power
    0

    Default AD Query method not working for ad users

    I have configured AD Query on a Check Point 4800. AD gets integrated successfully and users are also being fetched, but Single Sign On with AD Query is not working.

    We have the AD server in the DMZ (192.168.201.0/24 subnet), the LAN in the 192.168.200.0/24 subnet, and the WAN configured on one of the interfaces.

    In this scenario, when a user logs in as a domain user he is not able to access the internet, and the username is not shown in the logs either. Also, the Identity Awareness logs do not show a user login event.

    But when I put the client machine and the AD server in the same LAN, e.g. 192.168.200.0/24, then AD Query works, the username is shown in the logs, and the Identity Awareness user logs are also seen.

    In my network it is not possible to put the client machine and the AD server in the same LAN, so I am stuck here.

    So far I have performed all troubleshooting activities; Check Point TAC has also been working on it for 2 days, but no solution has been found.

    If anyone has faced the same issue and got a resolution, then please help us.

    Thanks, Harmesh Yadav

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,651
    Rep Power
    10

    Default Re: AD Query method not working for ad users

    So is there more than one AD controller, or just one in the DMZ? Are you sure the firewall is able to connect to the AD controller in the DMZ?

    The way AD Query works is that the firewall creates a WMI connection to all domain controllers listed. It then reads the event logs and reads the login events to create the user mapping. The reason I'm pointing this out is that there is no requirement for the user and the domain controller to be on the same network.

    sk99006 says these events must be logged on your domain controller for this to work. I think some versions of Windows don't enable these by default. Not sure which ones; maybe someone else will know. I do know this came up in a different posting on CPUG.

    Windows 2003 servers: 672, 673, 674
    Windows 2008 servers: 4624, 4768, 4769, 4770
    Windows 2012 servers: 4624, 4768, 4769, 4770

  3. #3
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,249
    Rep Power
    14

    Default Re: AD Query method not working for ad users

    Make sure the firewall knows about *all* AD controllers in your network: look at the Account Unit object created by the IA wizard and ensure all your AD controllers are in there. Security log entries are not replicated between the AD controllers.

    As another poster said, make sure the default logging config has not been tampered with on the AD controllers and that they are logging domain logons and ticket renewals.

    If the user is roaming around, they may be using cached credentials, which the firewall cannot detect without a successful Transparent Kerberos Auth or the Endpoint Identity Agent; try logging out of the domain explicitly before moving the client's workstation around.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  4. #4
    Join Date
    2016-09-01
    Posts
    4
    Rep Power
    0

    Default Re: AD Query method not working for ad users

    Quote Originally Posted by ShadowPeak.com
    Make sure the firewall knows about *all* AD controllers in your network: look at the Account Unit object created by the IA wizard and ensure all your AD controllers are in there. Security log entries are not replicated between the AD controllers.

    As another poster said, make sure the default logging config has not been tampered with on the AD controllers and that they are logging domain logons and ticket renewals.

    If the user is roaming around, they may be using cached credentials, which the firewall cannot detect without a successful Transparent Kerberos Auth or the Endpoint Identity Agent; try logging out of the domain explicitly before moving the client's workstation around.

    I am only asking why, with AD and the client user in different subnets, the internet is not working, and when AD and the client user are in the same subnet, the internet is working.

    We want the internet to work in the different-subnet scenario.

    The rest of the configuration is correct as per verification.

    Regards,
    Harmesh Yadav
    8511119037

  5. #5
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,249
    Rep Power
    14

    Default Re: AD Query method not working for ad users

    Quote Originally Posted by harmesh_88
    I am only asking why, with AD and the client user in different subnets, the internet is not working, and when AD and the client user are in the same subnet, the internet is working.

    We want the internet to work in the different-subnet scenario.

    The rest of the configuration is correct as per verification.

    Regards,
    Harmesh Yadav
    8511119037

    Please verify that the three things I mentioned in a prior post are correct. Also, as a test, you may want to try enabling captive portal in your IA setup and on the rule that is letting the client out, to see if the captive portal appears and they can authenticate explicitly to reach the Internet.
    Last edited by ShadowPeak.com; 2016-10-05 at 08:18.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  6. #6
    Join Date
    2007-06-04
    Posts
    3,303
    Rep Power
    17

    Default Re: AD Query method not working for ad users

    Quote Originally Posted by harmesh_88
    I am only asking why, with AD and the client user in different subnets, the internet is not working, and when AD and the client user are in the same subnet, the internet is working.

    We want the internet to work in the different-subnet scenario.

    The rest of the configuration is correct as per verification.

    Regards,
    Harmesh Yadav
    8511119037

    And that is what they are trying to answer for you.

    As it works when the user is on the same subnet as the AD Server in the DMZ, we can basically say that, providing you authenticate against that server, the identity is acquired, and that the Firewall is querying the AD Server in the DMZ correctly. As such, Firewall-to-AD-Server connectivity is working fine, and it would appear to be logging the necessary events.

    As such, I would be questioning whether the User Machine can actually authenticate against the AD Server, and isn't using a Cached Login or authenticating against a different AD Server that the Firewall isn't querying.

    IA works by simply reading the logs on the Servers that you tell it about. This information in the logs isn't synced between AD Servers, which is why you need to ensure that ALL AD Servers in a Domain are queried. A lot, and I mean a lot, of people fail to realise how IA works and think of it as AD Integration, which it isn't. IA isn't reading your AD; it is simply reading the various logs that are generated on the Server.

    User Directory and Authentication is different in that it sends the Username and Password to the AD Server, and any AD Server can authenticate any user in a Domain.

    Clearly the Firewall is querying the AD Server in the DMZ (otherwise it wouldn't work when the Client and Server are on the same subnet), so I would be looking at the Client-to-AD-Server connectivity rather than the Firewall-to-AD-Server connectivity as being the issue.

    Are the necessary ports open between the LAN and DMZ for the Client Machine to be able to authenticate against the AD Server directly? Are there other AD Servers on the Domain that are reachable from the LAN when the user fires up the machine and logs in? If the Client on the LAN cannot reach the AD Server in the DMZ, then it won't be able to authenticate against the AD Server and thus no log entry is generated.
    If the Client on the LAN is going to a different AD Server, then it won't generate a log entry on the DMZ AD Server. If the Client on the LAN is using a Cached Login, then it won't generate a login entry on the DMZ Server.

    For a Customer that has a dual-layer Firewall, the Outer Check Points are doing the Identity Awareness gathering from AD Servers on the Inside Network, which is on the far side of another Firewall, and it works fine.
    The Customer has multiple subnets for Users that don't have the AD Servers in them, and IA gathers them correctly, as the Client Machines can communicate with the AD Servers fine.

    Simply being in a different subnet for Servers and Clients is no obstacle to IA working, as long as the Client can communicate with the AD Server.

    Does the AD Server itself have an Entry for when the Client logs into the machine? I would suspect that you will find that you don't have any Log Entries for when the user machine is on the LAN, indicating that the LAN-to-AD-Server connectivity is the issue.

  7. #7
    Join Date
    2016-09-01
    Posts
    4
    Rep Power
    0

    Default Re: AD Query method not working for ad users

    Dear Team,

    Thank you all for posting replies on this post.

    We have found the solution and it's working now; see the solution below.

    Actually, when in the same subnet, the logged-in user's IP shows as the source, so in this scenario AD can identify the machine and the user, so the internet works and the login activity shows in the log.

    When in a different subnet, the logged-in user's IP is not shown as the source (packet source address); it shows the user's gateway, meaning the interface IP address, so in the log there is no activity shown for that user.

    After this understanding we created a NAT policy from that SOURCE SUBNET to the DESTINATION SUBNET keeping the packet source address original.

    After this configuration the user identity is found and proper authentication is working.

    Finally we got the solution.

    Regards,
    Harmesh Yadav (CCNP R&S, CCSA)
    Sr. Network Security Engineer
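As an added example (not code from any poster, nor Check Point's own implementation), the Python below does what #2 describes, building the IP-to-user map from the logon events in the DC Security log, and flags the failure mode #7 found, where the DC records the gateway's interface address instead of the client's. The event records and the gateway address 192.168.201.1 are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address
# Event IDs a collector treats as logons (the sk99006 list quoted in #2).
LOGON_EVENT_IDS = {4624, 4768, 4769, 4770}
# Constructed sample records with the fields a DC writes for these events;
# 192.168.201.1 is assumed (not from the thread) to be the gateway's DMZ interface.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "hyadav", "TargetDomainName": "CORP",
     "IpAddress": "::ffff:192.168.200.15"},  # 4624 often stores IPv4-mapped IPv6
    {"EventID": 4768, "TargetUserName": "hyadav", "TargetDomainName": "CORP",
     "IpAddress": "192.168.200.15"},
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "IpAddress": "192.168.201.1"},  # client hidden behind the gateway NAT
    {"EventID": 4624, "TargetUserName": "DC01$", "TargetDomainName": "CORP",
     "IpAddress": "-"},  # machine account, no client address
    {"EventID": 4672, "TargetUserName": "hyadav", "TargetDomainName": "CORP",
     "IpAddress": "192.168.200.15"},  # privilege assignment, not a logon
]

def normalize_ip(raw):
    """Clean address string, or None when the field has no usable client IP."""
    if raw in ("-", "", None):
        return None
    try:
        addr = ip_address(raw)
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return None if addr.is_loopback else str(addr)

def build_identity_map(events, gateway_ips):
    """Return (ip -> set of DOMAIN\\user, warnings for logons seen from a gateway IP)."""
    mapping, warnings = defaultdict(set), []
    for ev in events:
        if ev["EventID"] not in LOGON_EVENT_IDS:
            continue
        user = ev["TargetUserName"]
        if user.endswith("$"):  # computer accounts carry no user identity
            continue
        ip = normalize_ip(ev["IpAddress"])
        if ip is None:
            continue
        identity = f'{ev["TargetDomainName"]}\\{user}'
        if ip in gateway_ips:
            # DC saw the firewall's own address: the symptom in #7 before the NAT change.
            warnings.append(f"{identity} logged on from gateway address {ip}")
            continue
        mapping[ip].add(identity)
    return dict(mapping), warnings
```

Running it against a real DC would mean feeding records from the Security log (for example from Get-WinEvent) into build_identity_map with the gateway's interface addresses; a warning there is the same evidence #7 used to justify the no-NAT rule between the LAN and the DMZ.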
