When working with a User Directory (LDAP) server, the Check Point Security Management Server (SmartCenter Server) and Security Gateways function as User Directory (LDAP) clients. An Account Unit is the interface through which these entities interact with the User Directory (LDAP) server(s).
In order to work with User Directory (LDAP) servers, the administrator needs to:
- define the Account Unit(s) that represent the organization.
- enter the access information required to connect to the relevant User Directory (LDAP) server.
After this is done, the Security Management Server (SmartCenter Server) or the Security Gateways can connect to that User Directory (LDAP) server to retrieve users or to make queries.
Note: Retrieving users from a User Directory (LDAP) server requires a special license. Once the license has been obtained, define an Account Unit that represents the User Directory (LDAP) server.
Proceed as follows:
- In SmartDashboard, select "Policy > Global Properties > User Directory" and enable "Use User Directory".
In R80, open the upper-left menu, select "Policy > Global Properties > User Directory" and enable "Use User Directory".
- Create a node object. (In SmartDashboard, select 'Manage > Network Objects > New > Node > Host'.) Type in a descriptive name and the IP address of the LDAP Server.
In R80, go to Objects and select 'Manage > Network Objects > New > Host'.
- Create a user template to represent the LDAP users. (Select 'Manage > Users and Administrators > New > Template'.) You need to enter the name and configure the authentication method to "Check Point Password". (No other modification is mandatory here.)
In R80, go to New > More > User > User Template.
- Create an LDAP Account Unit. (Select 'Manage > Servers and OPSEC applications > New > LDAP Account Unit'.)
In R80, go to Objects > Servers > LDAP Account Units, right-click and select New LDAP Account Unit.
- In the General Tab: Enter the LDAP Account Unit name, set the profile to Microsoft_AD, and select both the 'CRL Retrieval' and the 'User management' options.
- In the Servers Tab: Click 'Add' and select the node object created previously from the drop-down list. Leave the port as "389", specify the login DN (e.g. cn=useraccount, cn=users, DC=Domain, DC=org) and the password for that login. (Leave the Encryption tab alone; it is only relevant when the connection to the LDAP server uses SSL.) Click 'OK'.
To find the DN of a user, run the following command in a Windows Server command prompt:
>dsquery user -name <username>
- In the Objects Management tab: 'Manage objects on' is set to the node object defined previously (which represents the LDAP/MSAD server). Click 'Fetch branches'. (This must succeed before LDAP authentication can work.) The AD branches should appear.
- In the Authentication tab: Leave 'Use common group path for queries' unselected. 'Allowed authentication schemes' must include the 'Check Point Password' scheme. Select 'Users default template' and choose the user template created previously. Leave all other options unselected.
- Create the necessary LDAP group. (Select 'Manage > Users and Administrators > New > LDAP Group'.) Enter the LDAP group name, and specify the previously created LDAP Account Unit. The "Group's scope" is set to "All Account-Unit's Users".
In R80, select 'Objects > More > User > LDAP Group'.
- Create a rule with the above LDAP group as the source. (Right-click the 'SOURCE' column and select 'Add Users Access'.) In this example the destination and service are set to "ANY", the VPN column is set to the Remote Access VPN community (SecureClient/SecuRemote), the Action is "ACCEPT" and Track is set to "LOG".
- Install the policy.
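As an added example (not from the original article or from Check Point), a stdlib-only Python script that checks the login DN and password against the LDAP server from the gateway's network before 'Fetch branches' is attempted; it builds the LDAPv3 simple bind by hand, which also shows why the port 389 setting above, without the Encryption tab, sends the login DN and its password over the network in the clear. Host, DN and password are placeholders supplied by the caller.

```python
import socket

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV: tag byte, length, payload."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPv3 simple BindRequest (RFC 4511 section 4.2); msg_id below 128 assumed.
    The DN and the password are plain OCTET STRINGs: on port 389 without LDAPS
    or StartTLS they cross the network exactly as encoded here."""
    bind = (ber(0x02, b"\x03")                # version INTEGER 3
            + ber(0x04, dn.encode())          # name LDAPDN
            + ber(0x80, password.encode()))   # authentication: simple [0]
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, bind))  # [APPLICATION 0]

def read_tlv(buf: bytes, pos: int):
    """Read the BER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def bind_result_code(msg: bytes) -> int:
    """resultCode of a BindResponse: 0 = success, 49 = invalidCredentials."""
    tag, body, _ = read_tlv(msg, 0)            # LDAPMessage SEQUENCE
    _, _, p = read_tlv(body, 0)                # messageID
    op_tag, op, _ = read_tlv(body, p)          # BindResponse [APPLICATION 1]
    if tag != 0x30 or op_tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = read_tlv(op, 0)               # resultCode ENUMERATED
    return int.from_bytes(code, "big")

def check_login_dn(host: str, dn: str, password: str, port: int = 389) -> int:
    """Bind with the Account Unit's login DN (placeholder values from the caller);
    returns the server's resultCode so a wrong DN or password is caught early."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(bind_request(1, dn, password))
        return bind_result_code(s.recv(4096))
```

A non-zero result from check_login_dn means the Account Unit's Servers tab entry will not bind either, so fix it before clicking 'Fetch branches'.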
For more information, refer to the R77 Security Management Server Administration Guide.
Note: When using remote access VPN fat clients or SNX, keep the number of branches used in the LDAP Account Unit as low as possible. With many branches, each connecting user is checked against the Active Directory server and the number of queries equals the number of branches. This can overload the vpnd process, causing connected users to be disconnected and preventing new users from connecting for a while.