You can configure Deep Discovery Web Inspector Active Directory Services to integrate with Active Directory for authentication services. With the integrated services, Deep Discovery Web Inspector can use Active Directory accounts for authentication.

Deep Discovery Web Inspector supports integration with the following Microsoft Active Directory servers:

- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
You can use Active Directory authentication for the following:

| Feature | Description |
|---|---|
| Account management | Create an account using an Active Directory user that can log into the web console, including a user with full administrative rights. |
| Notification templates | Deep Discovery Web Inspector can insert Active Directory user or group names into the %USER% and %USER_GROUP% tokens used in applicable notification templates. |
| Policy matching using traffic source | Use Active Directory users or groups to match policy traffic using the traffic source criteria. |
| HTTPS Inspection rule matching using traffic source | Use Active Directory users or groups to match HTTPS inspection policy traffic using the decryption source criteria. |
| Web access and Captive Portal authentication | Deep Discovery Web Inspector can use Active Directory users or groups for authentication when end-users access web resources. If Deep Discovery Web Inspector cannot transparently authenticate an end-user, then the user can use Active Directory credentials to log on through Captive Portal. |
When configuring Active Directory Services, keep the following in mind:

- The supported format for adding an Active Directory domain account is [DOMAIN]\[USERNAME].
- You can choose users and groups from multiple Active Directory domains.
- You can set one Active Directory domain as the default domain.

  Note
  NTLM authentication is only supported in the default domain.

- You can specify a list of domain controllers and global catalogs to use for each specified domain, or you can have Deep Discovery Web Inspector automatically discover them.

  Note
  Deep Discovery Web Inspector discovers Active Directory servers by querying DNS servers for service records (SRV). You must ensure that the DNS servers configured in Deep Discovery Web Inspector contain the appropriate "_gc._tcp" or "_ldap._tcp" records.

- Deep Discovery Web Inspector automatically synchronizes Active Directory information with the appliance's account information according to the configured settings. Alternatively, you can manually synchronize account information.
- You can customize the client IP ranges on which to apply Active Directory authentication.
- Deep Discovery Web Inspector records information in the detection log and access log (via syslog). If traffic is authenticated, the user name and domain information is recorded in these logs. If not authenticated, the user name is recorded as the IP address and the domain field is blank.
- Enabling IP user cache is strongly recommended (it is enabled by default). If IP user cache is disabled, some applications or browsers might not access the Internet successfully.
- When choosing domain controllers, the recommendation is to use the 'nearest/fastest/local' domain controllers. The 'far/slow/remote' domain controllers will slow down authentication and user/group synchronization.
- It is recommended that you use an administrator account as the Active Directory Services service account when configuring Active Directory domains.

  Important
  If the service account's password has expired, authentication will not work. Be sure to update the service account's password before it expires.

- The following operation restarts the scan daemon and the authentication daemon; therefore, execute it during non-working time:
  - Configure global authentication settings
- The following operations reload the scan daemon and restart the authentication daemon; therefore, execute them during non-working time:
  - Adding, modifying, or removing Active Directory domains
  - Operations on the default domain (disable/enable default domain)
- Captive Portal supports the following formats for the user name:
  - [NetBIOS Domain Name]\[sAMAccountName]
  - [sAMAccountName] (only supported for authentication on the default domain)
  - UPN
- NTLM authentication supports the following format for the user name: [DOMAIN]\[sAMAccountName] (only supported for authentication on the default domain)
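The user-name rules above (three Captive Portal formats, NTLM limited to DOMAIN\sAMAccountName on the default domain) and the logging rule (an unauthenticated record carries the client IP in the user field and a blank domain field) are easy to get wrong when building a login front-end or a SIEM rule. The following is an added example and not Deep Discovery Web Inspector code: the configured domain names, the sAMAccountName character check, and the key=value syslog layout are assumptions constructed for the example; only the format rules and the IP-as-user-name convention come from the page.

```python
"""Constructed example: apply the page's user-name format rules and triage
access-log records by authentication state. Not vendor code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed configuration: NetBIOS names of configured domains and the default one.
CONFIGURED_DOMAINS = frozenset({"CORP", "LAB"})
DEFAULT_DOMAIN = "CORP"

# Characters that Active Directory does not allow in a sAMAccountName (assumption
# taken from general AD naming rules, not from the page).
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


@dataclass(frozen=True)
class Principal:
    domain: Optional[str]  # NetBIOS domain, or None for a UPN
    user: str              # sAMAccountName, or the full UPN
    form: str              # "netbios", "bare" or "upn"


def parse_user_name(name: str) -> Principal:
    """Classify a submitted name into one of the three formats the page lists."""
    name = name.strip()
    if not name:
        raise ValueError("empty user name")
    if "\\" in name:                       # [DOMAIN]\[sAMAccountName]
        domain, _, user = name.partition("\\")
        if not domain or not user:
            raise ValueError("expected DOMAIN\\sAMAccountName")
        return Principal(domain.upper(), user, "netbios")
    if "@" in name:                        # UPN, resolved by AD as a whole
        local, _, realm = name.rpartition("@")
        if not local or "." not in realm:
            raise ValueError("malformed UPN")
        return Principal(None, name, "upn")
    return Principal(None, name, "bare")   # bare sAMAccountName


def _check_sam(user: str) -> None:
    if len(user) > 20 or _SAM_FORBIDDEN & set(user):
        raise ValueError(f"invalid sAMAccountName: {user!r}")


def resolve_captive_portal_name(name: str, configured=CONFIGURED_DOMAINS,
                                default: str = DEFAULT_DOMAIN) -> Principal:
    """Captive Portal accepts all three formats; a bare sAMAccountName is only
    valid on the default domain, so it is bound to that domain here."""
    p = parse_user_name(name)
    if p.form == "upn":
        return p
    _check_sam(p.user)
    if p.form == "bare":
        return Principal(default, p.user, "bare")
    if p.domain not in configured:
        raise ValueError(f"domain {p.domain} is not configured")
    return p


def resolve_ntlm_name(name: str, default: str = DEFAULT_DOMAIN) -> Principal:
    """NTLM accepts only DOMAIN\\sAMAccountName, and only for the default domain."""
    p = parse_user_name(name)
    if p.form != "netbios":
        raise ValueError("NTLM requires DOMAIN\\sAMAccountName")
    _check_sam(p.user)
    if p.domain != default:
        raise ValueError(f"NTLM is only supported in the default domain {default}")
    return p


# Constructed syslog-style records. The key=value layout is an ASSUMPTION for this
# example; the page only states that an unauthenticated record has the client IP
# as the user name and an empty domain field.
SAMPLE_LOG = """\
<14>Jun 01 10:00:01 ddwi access: src=10.1.2.3 user=alice domain=CORP url=https://example.com/ action=allow
<14>Jun 01 10:00:02 ddwi access: src=10.1.2.4 user=10.1.2.4 domain= url=https://example.org/ action=allow
<14>Jun 01 10:00:03 ddwi detection: src=10.1.2.5 user=10.1.2.5 domain= url=http://bad.example/ action=block
"""
_KV = re.compile(r"(\w+)=(\S*)")


def is_authenticated_record(line: str) -> bool:
    """True unless the user field is an IP address and the domain field is blank."""
    fields = dict(_KV.findall(line))
    user, domain = fields.get("user", ""), fields.get("domain", "")
    try:
        ipaddress.ip_address(user)
        user_is_ip = True
    except ValueError:
        user_is_ip = False
    return not (user_is_ip and domain == "")


def unauthenticated_sources(log_text: str) -> List[str]:
    """Client IPs whose traffic was logged without an Active Directory identity."""
    return [dict(_KV.findall(ln))["src"] for ln in log_text.splitlines()
            if ln.strip() and not is_authenticated_record(ln)]


if __name__ == "__main__":
    print(resolve_captive_portal_name("bob"))          # bound to the default domain
    print(resolve_ntlm_name("CORP\\alice"))
    print(unauthenticated_sources(SAMPLE_LOG))         # ['10.1.2.4', '10.1.2.5']
```

A practical use of `unauthenticated_sources` is to compare the returned IPs against the client IP ranges on which Active Directory authentication is configured: a steady stream of unauthenticated records from inside those ranges usually points at the IP user cache, the DNS SRV records, or an expired service-account password rather than at the clients.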
