Direct Authentication is an agentless solution that authenticates users by connecting directly to your Active Directory and synchronizing Active Directory users and groups with a limited set of attributes, which you configure in TMWS. Use this authentication method if you want a simplified solution that provides adequate security (see Direct Authentication Diagram). It does not require you to install any agent-supporting software on your network: TMWS connects directly to your Active Directory servers to synchronize and authenticate users and groups.
When you have multiple domains, all of them must use the same authentication method (Direct, AD FS, Agent, Okta, Azure AD, or Google). Each domain may have different settings under that shared authentication method.
Choosing this authentication method allows you to enable Transparent Authentication.

Procedure

  1. Go to Administration > USERS & AUTHENTICATION > Directory Services.
  2. Click the here link in the upper area of the Directory Services screen.
  3. On the screen that appears, select Direct and then click Save.
  4. Click the edit icon next to Disabled under AD Integration for the domain you want to configure.
  5. On the Edit AD Integration Settings screen that appears, configure the following parameters.
    Domain name: This field cannot be modified.
    Authentication method: This field cannot be modified.
    Enable AD Integration: Click On or Off as necessary.
    Allow non-synchronized users: Click On or Off to decide whether AD users in your organization whose data has not been synchronized to TMWS can still visit websites through TMWS.
    Note: This setting takes effect only when User authentication is set to Transparent authentication on a TMWS gateway.
  6. Configure the Cloud Settings section.
    Server host name or IP address: Type the host name or IP address of the primary Active Directory server. Change the port number only if your Active Directory server listens on a non-default port.
    Select the Secure check box to use LDAPS for communication.
    If you use a global catalog server or a trusting domain, set Port to 3268 (LDAP) or 3269 (LDAPS), depending on which protocol the corresponding server uses.
    Enable secondary Active Directory: Turn on to keep the service running if the primary Active Directory server becomes unavailable.
    Server host name or IP address (secondary): Type the host name or IP address of the secondary Active Directory server. Change the port number only if that server listens on a non-default port. Select the Secure check box to use LDAPS for communication.
    User name and Password: Type the credentials of the Active Directory account that TMWS uses to bind to the directory. A dedicated account with read-only directory access is sufficient for synchronization and limits the damage if the credential is exposed.
    Enable anonymous authentication: Turn on to let TMWS connect to Active Directory without supplying account credentials. For this feature to work, anonymous authentication must also be enabled on the Active Directory server. Anonymous LDAP binds are disabled by default in Active Directory Domain Services, and enabling them exposes directory data to any unauthenticated client that can reach the server, so prefer a dedicated synchronization account where possible.
    Base distinguished name: Type the distinguished name (for example, DC=example,DC=com) that the Active Directory server uses as the starting point for queries.
    Click Test Connection to verify that a connection can be established with the Active Directory server.
    Synchronization schedule: Synchronize with the Active Directory server manually or according to a schedule (daily, weekly, or monthly). If you choose Manually, remember to return to this screen and synchronize whenever Active Directory user information changes, so that the information in TMWS remains current.
    Note: If you choose a schedule (daily, weekly, or monthly), synchronization runs automatically during non-business hours (between 00:00 and 06:00 in the region hosting your TMWS data center).
  7. Click Advanced Settings.
  8. Configure the Attributes section.
    Important: To ensure successful user synchronization and authentication using Direct, the following attributes must match the configuration of your Active Directory server. Trend Micro strongly recommends keeping the default values for the attributes.
    Username attribute: The Active Directory user ID attribute. This field is fixed to sAMAccountName and cannot be modified.
    Email attribute: The Active Directory attribute that holds the user's email address (mail in a standard Active Directory schema). Configuring this field lets Active Directory users log on with their email address as their account name.
    User full name attribute: The attribute that holds the user's name. This parameter is fixed to name and is not editable.
    Department name attribute: Type the name of the attribute that holds the department to which the Active Directory user belongs (department in a standard Active Directory schema).
    Group attribute: The Active Directory attribute that records the relationship between a user and a group, or between a group and a parent group. This parameter is fixed to memberOf and is not editable.
    Group name attribute: The attribute that holds the group's name. This parameter is fixed to name and is not editable.
  9. Configure the Filters section.
    User search filter: The LDAP filter that selects which Active Directory user objects TMWS queries and synchronizes (for example, (&(objectCategory=person)(objectClass=user))).
    Group search filter: The LDAP filter that selects which Active Directory group objects TMWS queries and synchronizes (for example, (objectClass=group)).
  10. Click Save.
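The following PowerShell pre-flight check is an added example and is not part of TMWS or Trend Micro's documentation. Run it on a Windows host that can reach the domain controller before you click Test Connection: it performs an LDAPS bind on the configured port with the synchronization account, searches under the base distinguished name with the user and group filters, and reports which of the attributes TMWS maps (sAMAccountName, name, mail, department, memberOf) are present on the returned objects. The server name, port, base DN, account name and both filters are assumed placeholders; replace them with your own values.

```powershell
# Added pre-flight check; not part of TMWS or Trend Micro's documentation.
# Every value below is an assumed placeholder: replace it with your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server      = 'dc01.corp.example.com'                        # primary AD server (assumed)
$Port        = 636                                            # 636 = LDAPS; 3269 = global catalog over LDAPS
$BaseDn      = 'DC=corp,DC=example,DC=com'                    # base distinguished name (assumed)
$BindUser    = 'CORP\svc-tmws-sync'                           # dedicated read-only sync account (assumed)
$UserFilter  = '(&(objectCategory=person)(objectClass=user))' # user search filter (assumed)
$GroupFilter = '(objectClass=group)'                          # group search filter (assumed)

# Attributes TMWS maps: sAMAccountName, name and memberOf are fixed in TMWS;
# mail and department are the usual choices for the Email and Department name attributes.
$UserAttrs  = @('sAMAccountName', 'name', 'mail', 'department', 'memberOf')
$GroupAttrs = @('name', 'memberOf')

function New-LdapsConnection {
    param([string]$Server, [int]$Port, [System.Net.NetworkCredential]$Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true   # equivalent of the Secure check box in TMWS
    # A simple bind is acceptable only because the session is TLS-protected. Do not override
    # SessionOptions.VerifyServerCertificate to accept any certificate: a failed chain check
    # is a finding to fix on the domain controller, not something to suppress here.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Bind()   # throws LdapException on wrong credentials or a TLS handshake failure
    return $conn
}

function Get-DirectorySample {
    param($Conn, [string]$BaseDn, [string]$Filter, [string[]]$Attrs, [int]$Limit = 25)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $Attrs)
    $req.SizeLimit = $Limit   # a sample is enough to validate the filter and attribute names
    try {
        return $Conn.SendRequest($req).Entries
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # SizeLimitExceeded is raised as an exception but still carries the partial result set.
        # Anything else (for example NoSuchObject for a wrong base DN) is a real error.
        $resp = $_.Exception.Response
        if ($resp.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::SizeLimitExceeded) { throw }
        return $resp.Entries
    }
}

$cred = Get-Credential -UserName $BindUser -Message 'Password for the TMWS synchronization account'
$conn = New-LdapsConnection -Server $Server -Port $Port -Credential $cred.GetNetworkCredential()
try {
    $users = Get-DirectorySample -Conn $conn -BaseDn $BaseDn -Filter $UserFilter -Attrs $UserAttrs
    if ($users.Count -eq 0) { throw "User search filter '$UserFilter' matched nothing under $BaseDn" }
    foreach ($u in $users) {
        # sAMAccountName and name always exist on a user object; mail, department and memberOf
        # may legitimately be absent (service accounts, users in no group), so report, do not fail.
        $missing = $UserAttrs | Where-Object { -not $u.Attributes.Contains($_) }
        $id = $u.Attributes['sAMAccountName'][0]
        if ($missing) { Write-Warning "$id : missing $($missing -join ', ')" } else { Write-Host "$id : ok" }
    }

    $groups = Get-DirectorySample -Conn $conn -BaseDn $BaseDn -Filter $GroupFilter -Attrs $GroupAttrs
    if ($groups.Count -eq 0) { throw "Group search filter '$GroupFilter' matched nothing under $BaseDn" }
    Write-Host "$($users.Count) user(s) and $($groups.Count) group(s) returned from ${Server}:${Port} over LDAPS"
} finally {
    $conn.Dispose()
}
```

If the bind fails with a certificate error, the domain controller's LDAPS certificate is not trusted by the client, which TMWS will also reject; fix the certificate chain rather than disabling verification. Users reported as missing mail or department will synchronize but cannot log on by email address or be matched by department, which is usually acceptable for service accounts and worth investigating for ordinary users. For a global catalog check, change the port to 3269 and expect results from trusting domains as well.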