AD Query traffic dropped by Check Point Security Gateway
Symptoms
  • AD Query is configured, but users are not identified in logs and cannot get access based on their identity.

  • The Identity Awareness wizard fails with the error message "WMI(DCE-RPC) test failed".

  • In SmartView Monitor, or in "adlog a dc" (using Expert mode), there are Domain Controllers to which the Security Gateway fails to connect.
Cause

AD Query relies on continuous communication between the Security Gateway running AD Query and the Active Directory Domain Controllers. This communication is DCE-RPC traffic, and it may be blocked by certain configuration settings on the Security Gateway. When the communication is blocked, the Identity Awareness First Time Configuration Wizard fails, and error logs are written to the Identity Awareness section in SmartView Tracker.


Solution

Use SmartView Tracker to identify what is blocking the traffic, and look for drop logs for traffic from the Security Gateway to the domain controller(s). If you find such logs, configure the Security Gateway as follows.

Scenario 1: A firewall is deployed between the Security Gateway and the Domain controller

If there is a firewall deployed between the Security Gateway running AD Query and the Domain Controller, you must add an explicit rule which allows the traffic. Add rules which allow services 'ALL_DCE_RPC' or 'AD_Dcerpc_Services' for traffic from the Security Gateway running AD Query to the Domain Controller(s).

If the Security Management is pre-R75, you must also select 'Allow DCE-RPC interfaces other than End-Point Mapper (such as DCOM) on Port 135'. This option is found under 'IPS Blade, DCOM - General Settings' on R70 and higher, and under 'Smart Defense, protection DCOM' on NGX R65 and below.

Scenario 2: Security Gateway - Domain Controller traffic is detected as another protocol and is blocked

Note: This issue can occur on the local Security Gateway (one running AD Query) or on a Security Gateway en route to the Domain Controller(s).

DCE-RPC traffic starts at port 135, but moves to a dynamically coordinated high port.

  • If this port is within the X11 port range (6000-6063), then the traffic may be blocked by the firewall, as X11 is not allowed by default and is not part of "Any". If this is the situation, manually add a rule which allows X11 between the Security Gateway and the Domain Controller(s).
  • If the Security Gateway is running IPS, and this port is a well-known port with an enabled protocol anomaly protection on it (for example, SOCKS on port 1080), IPS may block the traffic, because the traffic will fail the anomaly test (in this example, the traffic is DCE-RPC and not SOCKS). If this is the case, either add a network exception in the anomaly protection for the IP address of the Security Gateway running AD Query, or add a general (not protection specific) exception for this IP address.
  • Alternatively, you can configure a specific port range on your Domain Controller, using the following procedure:
    1. Run dcomcnfg ('Start > Run > dcomcnfg').
    2. Select Component Services > Computers, and right-click My Computer.
    3. Select My Computer Properties.
    4. Select the Default Protocols tab.
    5. In DCOM Protocols, double-click Connection Oriented TCP/IP.
    6. In Properties for COM Internet Services, add a high port range that does not include any well-known port number (for example: 10000-65000 is a good choice).
    7. Reboot your Domain Controller.
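
The triage described in the Solution section, as an added example (not Check Point code): it sorts gateway-to-DC drop records by destination port into the cases above and checks a proposed Domain Controller port range for collisions. The CSV layout, IP addresses, and function names are constructed for illustration and do not reflect a real SmartView Tracker export.

```python
import csv
import io

# Ports the article names as colliding with dynamic DCE-RPC ports.
X11_PORTS = range(6000, 6064)    # X11 range 6000-6063, not part of "Any"
ANOMALY_PORTS = {1080: "SOCKS"}  # extend with protections enabled in your IPS profile

# Constructed sample (action,src,dst,dst_port); not a real SmartView Tracker export format.
SAMPLE_LOG = """\
drop,10.0.0.1,10.0.0.10,135
drop,10.0.0.1,10.0.0.10,6012
drop,10.0.0.1,10.0.0.11,1080
accept,10.0.0.1,10.0.0.10,49155
drop,10.0.0.99,10.0.0.10,6001
drop,10.0.0.1,10.0.0.10,50211
"""

def classify(port):
    """Map a dropped destination port to the article's scenario and remedy."""
    if port == 135:
        return "endpoint-mapper", "allow ALL_DCE_RPC or AD_Dcerpc_Services (Scenario 1)"
    if port in X11_PORTS:
        return "x11-range", "add a rule allowing X11 from the gateway to the DC"
    if port in ANOMALY_PORTS:
        return "anomaly:" + ANOMALY_PORTS[port], "add an IPS exception for the gateway IP"
    return "other", "check the rule base for DCE-RPC on this path"

def triage(log_text, gateway_ip, dc_ips):
    """Return (dc, port, category, remedy) for each gateway-to-DC drop."""
    findings = []
    for action, src, dst, port in csv.reader(io.StringIO(log_text)):
        if action == "drop" and src == gateway_ip and dst in dc_ips:
            findings.append((dst, int(port)) + classify(int(port)))
    return findings

def range_conflicts(low, high):
    """Ports in a proposed DC port range low-high that hit X11 or an anomaly port."""
    hits = {p: "X11" for p in X11_PORTS if low <= p <= high}
    hits.update({p: n for p, n in ANOMALY_PORTS.items() if low <= p <= high})
    return hits

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, "10.0.0.1", {"10.0.0.10", "10.0.0.11"}):
        print(row)
    print(range_conflicts(10000, 65000))  # the article's suggested range
```
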

 


 

Related Solution: sk60301 (Identity Awareness AD Query)
