Active Directory Services

You can configure Deep Discovery Web Inspector Active Directory Services to integrate with Active Directory for authentication. Once integrated, Deep Discovery Web Inspector can use Active Directory accounts for authentication.
Deep Discovery Web Inspector supports integration with the following Microsoft Active Directory servers:
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016
You can use Active Directory authentication for the following:
Account management
Create an account from an Active Directory user that can log on to the web console, including a user with full administrative rights.
Notification templates
Deep Discovery Web Inspector can insert Active Directory user or group names into the %USER% and %USER_GROUP% tokens used in applicable notification templates.
Policy matching using traffic source
Use Active Directory users or groups to match policy traffic using the traffic source criteria.
HTTPS Inspection rule matching using traffic source
Use Active Directory users or groups to match HTTPS inspection policy traffic using the decryption source criteria.
Web access and Captive Portal authentication
Deep Discovery Web Inspector can use Active Directory users or groups for authentication when end-users access web resources.
If Deep Discovery Web Inspector cannot transparently authenticate an end-user, then the user can use Active Directory credentials to log on through Captive Portal.
When configuring Active Directory Services, keep the following in mind:
  • The supported format for adding an Active Directory domain account is [DOMAIN]\[USERNAME].
  • You can choose users and groups from multiple Active Directory domains.
  • You can set one Active Directory domain as the default domain.
    Note
    NTLM authentication is only supported in the default domain.
  • You can specify a list of domain controllers and global catalogs to use for each specified domain or you can have Deep Discovery Web Inspector automatically discover them.
    Note
    Deep Discovery Web Inspector discovers Active Directory servers by querying DNS servers for SRV (service) records. You must ensure that the DNS servers configured in Deep Discovery Web Inspector contain the appropriate “_gc._tcp” or “_ldap._tcp” records.
  • Deep Discovery Web Inspector automatically synchronizes Active Directory information with the appliance's account information according to configured settings.
    Alternatively, you can manually synchronize account information.
  • You can customize the client IP ranges on which to apply Active Directory authentication.
  • Deep Discovery Web Inspector records information in the detection log and access log (via syslog). If traffic is authenticated, the user name and domain information is recorded in these logs. If not authenticated, the user name is recorded as the IP address and the domain field is blank.
  • Enabling IP user cache is strongly recommended (it is enabled by default). If IP user cache is disabled, some applications or browsers might not be able to access the Internet.
  • When choosing domain controllers, use the nearest, fastest, or local domain controllers. Far, slow, or remote domain controllers slow down authentication and user/group synchronization.
  • It is recommended that you use an administrator account as the Active Directory Services service account when configuring Active Directory domains.
    Important
    If the service account's password has expired, authentication will not work. Be sure to update the service account's password before it expires.
  • The following operation restarts the scan daemon and the authentication daemon; therefore, perform it outside working hours:
    Configuring global authentication settings
  • The following operations reload the scan daemon and restart the authentication daemon; therefore, perform them outside working hours:
    • Adding, modifying, or removing Active Directory domains
    • Operations on the default domain (disable/enable default domain)
  • Captive Portal supports the following formats for the user name:
    • [NetBIOS Domain Name]\[sAMAccountName]
    • [sAMAccountName] (only supported for authentication on the default domain)
    • UPN
  • NTLM authentication supports the following format for the user name: [DOMAIN]\[sAMAccountName] (only supported for authentication on the default domain)
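The DNS prerequisite in the note above (SRV records for “_ldap._tcp” and “_gc._tcp” on the DNS servers the appliance uses) can be verified from any host that can reach those DNS servers. The following is an added example written for this page, not code from Trend Micro or the product: it sends a raw SRV query using only the Python standard library, parses the answer, and rejects replies whose transaction ID or compression pointers are malformed; the domain name and DNS server address are assumed values you supply.

```python
import random, socket, struct

def build_query(name, txid):  # one recursive SRV (type 33) question, class IN
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 33, 1)

def read_name(msg, off):  # decode a possibly compressed name (RFC 1035 4.1.4); returns (name, next offset)
    labels = []
    while True:
        ln = msg[off]
        if ln >= 0xC0:  # compression pointer: rest of the name lives earlier in the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:  # forward/self pointers are invalid and could loop forever
                raise ValueError("bad compression pointer")
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln

def parse_srv(msg):  # -> [(priority, weight, port, target)] sorted by priority; [] on error RCODE
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # NXDOMAIN/SERVFAIL etc.: the record the appliance needs is not there
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    recs = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            recs.append((prio, weight, port, read_name(msg, off + 6)[0]))
        off += rdlen
    return sorted(recs)

def check_domain(domain, dns_server, timeout=3.0):  # query both discovery names against one DNS server
    found = {}
    for name in (f"_ldap._tcp.{domain}", f"_gc._tcp.{domain}"):
        txid = random.randrange(65536)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, txid), (dns_server, 53))
            resp = s.recv(4096)
        if struct.unpack("!H", resp[:2])[0] != txid:  # reject answers that do not match our query
            raise ValueError("DNS transaction id mismatch")
        found[name] = parse_srv(resp)
    return found
```

Run `check_domain("corp.example", "10.0.0.53")` against each DNS server entered in the appliance; an empty list for either name means automatic discovery will not find domain controllers or global catalogs for that domain.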