How To Configure LDAP - Check Point


How To Configure LDAP
28 July 2011


© 2011 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.


Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12475
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date           Description
28 July 2011   First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on How To Configure LDAP).


Contents

Important Information ...... 3
How To Configure LDAP ...... 5
    Objective ...... 5
    Supported Versions ...... 5
    Supported OS ...... 5
    Supported Appliances ...... 5
Before You Start ...... 5
    Related Documentation and Assumed Knowledge ...... 5
    Impact on the Environment and Warnings ...... 5
Configuration Steps for LDAP ...... 6
    Create an Object for LDAP Server ...... 6
    Create a User Template to Represent the LDAP Users ...... 7
    Create an LDAP Account Unit ...... 8
    Create the Necessary LDAP Group ...... 11
    Create a Rule Using the Above LDAP Group ...... 11
Completing the Procedure ...... 12
Verifying ...... 12


How To Configure LDAP

Objective
This document explains the steps for setting up LDAP authentication for users connecting to Check Point gateways.

Supported Versions
• NGX R60 and up

Supported OS
• All

Supported Appliances
• All

Before You Start

Related Documentation and Assumed Knowledge
• Users need to be familiar with the settings they have to set up on their LDAP server and with their LDAP server architecture.

Impact on the Environment and Warnings
• None.

How To Configure LDAP Page 5


Configuration Steps for LDAP
Below are the steps used to set up LDAP authentication with a Microsoft Active Directory server.

Create an Object for LDAP Server
1. Manage --> Network Objects --> New --> Node --> Host
   a. In the Name field, enter a descriptive name for the new node.
   b. In the IP field, enter the IP address of the LDAP server.


Create a User Template to Represent the LDAP Users
1. Manage --> Users and Administrators --> New... --> Template
   a. Select the previously-defined name.
   b. From the Authentication pull-down menu, select "Check Point Password" and click OK.


Create an LDAP Account Unit
1. Manage --> Servers and OPSEC Applications --> LDAP Account Unit...
   1.1. Under the General tab, in the Name field, provide the name.
   1.2. Mark both check boxes: "CRL Retrieval" and "User Management".
   1.3. From the Profile pull-down menu, select the profile Microsoft AD, and click OK.


   1.4. Under the Servers tab, click "Add..." and specify the Node object created above from the Host pull-down menu. Leave the port at the default port 389, specify the Login DN (for example, cn=UserAccount,cn=users,DC=Testdomain,DC=org) and specify the password for the account named in the Login DN. "Read data from this server" and "Write data to this server" are both checked. Do not select any options on the Encryption tab, as these are for encrypted SSL. Click OK on the "Add..." window.
      1.4.1. The Login DN is used by the firewall, and it must have administrator privileges so that the firewall is able to fetch data about the users from the LDAP server.
      1.4.2. In R65 and lower, after you click OK on the "Add..." window, you must specify the 'Early Versions Compatibility server' from the pull-down menu. Use the same node object (as was created above).


   1.5. Under the Objects Management tab, 'Manage objects on:' should be set to the Node object defined above that represents the LDAP/MSAD server. Click Fetch branches. This MUST work before LDAP authentication will work. You should see the AD branches appear. The "Prompt for password..." checkbox is cleared, and "Return X entries" is at the default value of 500. You can also add branches manually if not all of the needed branches were added. If a user is listed under a branch that is not listed under the Objects Management tab, the firewall will not be able to validate credentials for that user.
   1.6. Under the Authentication tab, the "Use common group path for queries" checkbox is cleared. The "Allowed authentication schemes" selected MUST include the "Check Point Password" scheme (you can leave all the rest). The "Users' default template:" checkbox should be marked; select the user template that was created in a previous step. All other options are not marked.


Create the Necessary LDAP Group
1. Manage --> Servers and OPSEC Applications --> LDAP Group
   1.1. In the Name field, enter the group name.
   1.2. Specify the above-created LDAP Group.
   1.3. In the "Group's Scope" section, select the "All Account-Unit's Users" option button.

Create a Rule Using the Above LDAP Group
1. Right-click on the SOURCE column -> Add Users Access... The destination and service can be set to ANY. The VPN column is set to the Remote Access VPN community (SecureClient/SecuRemote), and the action is ACCEPT with Track set to LOG. You also need to make sure that this group is included in the Remote Access VPN community.
2. You can also use it for a client authentication rule; in that case you do not need to set up a community.


Completing the Procedure
To complete the configuration you need to install the policy on the security gateway.

Verifying
To verify the configuration, test in the following way:
Use a SecureClient host to connect to the firewall using a user that is created on the Microsoft Active Directory server. The client is able to authenticate.
If you are using client authentication rules, try to access the resource that should be allowed after the authentication.
To test gateway communication with the MSAD/LDAP server, from the gateway command line, run:

ldapsearch -h 198.148.18.245 -D "cn=Check Point,cn=users,dc=tapscanww,dc=com" -b "dc=tapscanww,dc=com" -w <password> "cn=*" > ldap.out

The above command gets the info about user Check Point from the 198.148.18.245 LDAP server and redirects the output to the file ldap.out. The password that you need to provide in the command (shown here as the placeholder <password>) is the password for the administrator that is allowed to fetch information about that user (it is the same password that is provided during the LDAP configuration process).
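As an added example (not part of the Check Point guide), the following Python script applies the caveat from step 1.5 to the ldap.out file written by the ldapsearch command above: it reads every DN in the LDIF output and reports any user that sits outside the branches configured under the Objects Management tab, which is exactly the case in which the gateway cannot validate that user's credentials. The sample LDIF, the branch list and the domain names are constructed for illustration and are not real output.

```python
import base64
import re

# Constructed sample of what "ldapsearch ... > ldap.out" writes for this guide's example
# domain (not real output): a plain "dn", one folded over two lines, and a base64 "dn::".
SAMPLE_LDIF = """\
dn: CN=Check Point,CN=Users,DC=Testdomain,DC=org
cn: Check Point

dn: CN=Alice Example,OU=Staff,DC=Testdomain,DC=org
cn: Alice Example

dn: CN=Bob Example,OU=Contractors,
 DC=Testdomain,DC=org
cn: Bob Example

dn:: Q049Q2FybCBFeGFtcGxlLE9VPVN0YWZmLERDPVRlc3Rkb21haW4sREM9b3Jn
cn: Carl Example
"""
# Constructed branches as fetched (or added manually) under Objects Management, step 1.5;
# the mixed case and spacing are deliberate: DN comparison must ignore both.
CONFIGURED_BRANCHES = ["cn=users,dc=testdomain,dc=org", "OU=Staff, DC=Testdomain, DC=org"]

def split_dn(dn):
    """Normalise a DN to lowercase RDNs; a backslash-escaped comma stays inside its value."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]

def dn_lines(ldif_text):
    """Yield each entry's DN, unfolding continuation lines and decoding base64 DNs."""
    unfolded = ldif_text.replace("\n ", "")  # LDIF folds long lines with a leading space
    for line in unfolded.splitlines():
        if line.startswith("dn:: "):
            yield base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            yield line[4:]

def is_under_branch(dn, branch):
    """True if dn sits below branch: the branch's RDNs form the tail of the DN's RDNs."""
    dn_rdns, branch_rdns = split_dn(dn), split_dn(branch)
    return len(dn_rdns) > len(branch_rdns) and dn_rdns[-len(branch_rdns):] == branch_rdns

def find_unreachable_users(ldif_text, branches):
    """Return DNs outside every configured branch: the gateway cannot validate those users."""
    return [dn for dn in dn_lines(ldif_text) if not any(is_under_branch(dn, b) for b in branches)]

if __name__ == "__main__":
    for dn in find_unreachable_users(SAMPLE_LDIF, CONFIGURED_BRANCHES):
        print("Not under any fetched branch; add its branch manually:", dn)
```

Run it against the real ldap.out by replacing SAMPLE_LDIF with the file contents and CONFIGURED_BRANCHES with the branches shown in SmartDashboard; every DN it prints belongs to a user who will fail authentication until that branch is added.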
