Before you begin

Prepare a computer on which to install the Authentication Agent.
TMWS supports the following operating systems for the agent and the AD server:
  • Windows Server 2012 and 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
If you want to authenticate Active Directory users transparently:
  • Be sure that the computer has a public IP address or a publicly resolvable FQDN when you use the cloud proxy, because the redirected browsers must be able to reach the agent from outside your network.
  • Do not add the agent's IP address or FQDN to the PAC file's skiphosts section or to the browser's proxy bypass list; requests to the agent must still pass through the proxy.

Procedure

  1. Download the agent installation package.
  2. Copy the installation package to the computer that you prepared for the agent and then extract the content of the package.
  3. Execute the .msi file to launch the installation wizard and then follow the prompts to complete the installation.
  4. From the Trend Micro IWSaaS Authentication Agent dialog box, configure the following:
    Auth Agent Port
      Type the port on which the Authentication Agent listens. The default is 443. If you change it, also change the firewall settings so that incoming traffic can reach the new port.
    Transparent Authentication Port
      Type the port number used for transparent authentication.
      Be sure to configure the firewall settings so that incoming traffic from TMWS is allowed through the transparent authentication port.
    LDAP Server Address
      Type the Active Directory server address.
      If you use a global catalog server or a trusting domain, set the port number to 3268 (LDAP) or 3269 (LDAPS), depending on which protocol the corresponding server uses.
    Base DN
      Type the distinguished name that the agent uses as the starting point when it queries Active Directory (for example, DC=example,DC=com).
    LDAP Admin Account (Username and Password)
      Type the credentials of the Active Directory account that the agent uses to bind to the LDAP server.
  5. Follow these steps if you need to replace the currently installed Trend Micro self-signed root certificate with your organization's certificate (for example, to increase security or to prevent warning messages from showing on end users' browsers):
    1. Click Replace IWSaaS Certificate.
    2. In the new window that displays, specify your organization's public certificate, private key, and public certificate chain, and then click OK.
      Use a public certificate if you do not have a public certificate chain.
  6. Click Apply.
  7. Make sure that your AD server supports Opportunistic TLS (LDAP STARTTLS negotiated on the plain LDAP port).
    By default the Authentication Agent connects to the AD server over SSL/TLS and requires the AD server to support Opportunistic TLS. On Active Directory this means the domain controller must have a server certificate that it can present for LDAP.
    Note
    If your AD server does not support Opportunistic TLS, disable SSL/TLS for the Authentication Agent so that the agent can communicate with your AD server: open the configuration file <Installation path>\AuthenticationAgent\simplesamlphp\config\authsources.php and change the value of the parameter enable_tls to FALSE. With enable_tls set to FALSE, the LDAP bind credentials and query results travel in cleartext between the agent and the AD server, so treat this as a temporary workaround and enable TLS on the domain controller as soon as you can.
  8. On the TMWS management console, go to Administration > USERS & AUTHENTICATION > Directory Services and configure the settings. For details, see Agent Authentication.
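The following PowerShell script is an added pre-flight check for the agent host, written for this page; it is not part of the Trend Micro product or its documentation. It verifies the prerequisites and the step 4 and step 7 settings before you open the wizard: that the agent's FQDN resolves on a public resolver, that the LDAP server is reachable on the port you plan to enter, whether the directory server advertises the STARTTLS extended operation that the agent's default enable_tls = TRUE depends on, and that the two inbound agent ports are open in Windows Firewall. The hostnames, the public resolver address and the transparent authentication port are placeholders you must replace with your own values.

```powershell
# Added pre-flight check for a TMWS Authentication Agent host (example script,
# not Trend Micro's code). All parameter defaults are assumptions; replace them.
param(
    [string]$AgentFqdn       = 'authagent.example.com',   # assumption: your publicly resolvable FQDN
    [string]$LdapServer      = 'dc01.corp.example.com',   # assumption: AD DS or global catalog host
    [int]   $LdapPort        = 389,                       # use 3268 for a global catalog server
    [int]   $AgentPort       = 443,                       # wizard default for Auth Agent Port
    [int]   $TransparentPort = 8080,                      # assumption: the port you type into the wizard
    [string]$PublicResolver  = '8.8.8.8'                  # assumption: any resolver outside your network
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. The cloud proxy redirects browsers to the agent, so the name must resolve publicly.
$resolved = Resolve-DnsName -Name $AgentFqdn -Type A -Server $PublicResolver -ErrorAction SilentlyContinue
if (-not $resolved) {
    Write-Warning "$AgentFqdn does not resolve via $PublicResolver; transparent authentication will fail."
}

# 2. TCP reachability from the agent host to the directory server on the chosen port.
$tcp = Test-NetConnection -ComputerName $LdapServer -Port $LdapPort
if (-not $tcp.TcpTestSucceeded) { throw "Cannot reach $LdapServer on TCP port $LdapPort" }

# 3. Read rootDSE anonymously and check for the STARTTLS extended operation
#    (OID 1.3.6.1.4.1.1466.20037). This is what 'Opportunistic TLS' means here.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection("$($LdapServer):$LdapPort")
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
$rootDse = New-Object System.DirectoryServices.Protocols.SearchRequest(
    '', '(objectClass=*)', 'Base', 'supportedExtension', 'defaultNamingContext')
$resp = $conn.SendRequest($rootDse)
$entry = $resp.Entries[0]
$extensions = $entry.Attributes['supportedExtension'].GetValues([string])
$startTls = $extensions -contains '1.3.6.1.4.1.1466.20037'
Write-Host "STARTTLS advertised by ${LdapServer}: $startTls"
Write-Host "Base DN candidate (defaultNamingContext): $($entry.Attributes['defaultNamingContext'][0])"

# 4. Advertising STARTTLS is not the same as completing the handshake: a domain
#    controller without a usable server certificate fails here.
if ($startTls) {
    try {
        $conn.SessionOptions.StartTransportLayerSecurity($null)
        Write-Host 'STARTTLS handshake succeeded; keep enable_tls = TRUE in authsources.php.'
    } catch {
        Write-Warning ("STARTTLS advertised but the handshake failed, usually a missing or " +
                       "untrusted server certificate on the DC: $($_.Exception.Message)")
    }
} else {
    Write-Warning ('STARTTLS is not supported. Setting enable_tls = FALSE sends the LDAP bind ' +
                   'credentials in cleartext; install a server certificate on the DC instead.')
}

# 5. Open the two inbound ports the agent listens on (run from an elevated prompt).
foreach ($port in @($AgentPort, $TransparentPort)) {
    New-NetFirewallRule -DisplayName "TMWS Authentication Agent TCP $port" `
        -Direction Inbound -Protocol TCP -LocalPort $port -Action Allow | Out-Null
    Write-Host "Inbound firewall rule created for TCP $port"
}
```

Run the script on the prepared agent host before step 4 and again after changing the LDAP Server Address or ports. The rootDSE lookup also prints the domain's defaultNamingContext, which is the usual value for Base DN; if you pointed the script at a global catalog, remember to enter 3268 or 3269 in the wizard rather than 389.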