Frank, thx for the answer, but it doesn't help us in our situation.
The LDAP server queries are already working; we can see that in packet traces on the servers.
Furthermore, the LDAP traffic does not have to be encrypted. Of course we use LDAP-SSL, and all servers can be reached over an MPLS network, so there's no VPN communication between the enforcement modules and the Active Directories.
As already mentioned: client auth, session auth, etc. work; we can use all our directory servers for authentication.
But SecureClient only connects when the user is authenticated by Active Directory 1. The users of the other AD servers are unable to connect.
BTW, the Active Directories are totally independent, no trusts between them, and different domains.
Best regards,
Alex
Sommerfeld, Frank wrote:
You should disable the line
#define ENABLE_LDAP_SERVER
In %os%\FW1\R60\fw1\lib\implied_rules.def to make sure that the ldap traffic will be encrypted/decrypted by rulebase.
Best Regards
Frank
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Alex
Sent: Monday, June 26, 2006 4:40 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] SecureClient & LDAP
Hi,
we want to authenticate our SecureClient users via Active Directory and LDAP integration.
We have multiple Active Directory (AD) servers in different countries. We configured them the same way, but we experience different behavior.
SecureClient works when we log on with a user of AD1. But when we try to connect with a user of AD2, we get the error message "gateway not responding".
SmartView Tracker shows no drops/alerts or anything else. When we use a wrong password, we get an error message that the user or password is wrong.
We captured packets between the enforcement module and the LDAP server, and they look the same on the working and the non-working AD. First we see the search query and after that a bind request with the user credentials that succeeds.
Furthermore, when we create a client auth rule there's no problem authenticating a user of the 2nd AD server. So I'm pretty sure that LDAP is configured correctly.
When we look at SecureClient Diagnostics, we can see after Phase 1 Details (Main Mode completes) - XAuth: "Sending user authentication to VPN-1 Gateway" and after that "VPN-1 Gateway did not response to IKE key-exchange".
Gateway: Nokia IPSO 4.0 VRRP Cluster running NGX-R60-HFA02
SecureClient: NGX-R60-HFA1
Does anyone have an idea where to look?
Thanks in advance
Alex
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to LISTSERV AT
amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================