Direct Authentication

Direct Authentication is an agentless solution that authenticates users by connecting directly to your Active Directory and synchronizing Active Directory users and groups having limited attributes, which are configured in TMWS. You can use this authentication method if you want a simplified solution that provides adequate security (see Direct Authentication Diagram). This method does not require you to install any agent-supporting software on your network. TMWS connects directly to your Active Directory servers to synchronize and authenticate users and groups.

When there are multiple domains, they have the same authentication method, that is, Direct, AD FS, Agent, Okta, Azure AD, or Google. Each domain may have different settings under the same authentication method.

Choosing this authentication method allows you to enable Transparent Authentication.

  1. Go to Administration > USERS & AUTHENTICATION > Directory Services.
  2. Click here on the upper area of the Directory Services screen.
  3. On the screen that appears, select Direct and then click Save.
  4. Click next to Disabled under AD Integration corresponding to the domain you want to configure.
  5. On the Edit AD Integration Settings screen that appears, configure the following parameters.

    Item

    Setting

    Domain name

    This field cannot be modified.

    Authentication method

    This field cannot be modified.

    Enable AD Integration

    Click On or Off as necessary.

    Allow non-synchronized users

    Click On or Off to decide whether to allow the AD users of your organization to visit websites through TMWS if their data is not synchronized to TMWS.

    Note:

    This setting takes effect only when User authentication is set to Transparent authentication on an TMWS gateway.

  6. Configure the Cloud Settings section.

    Item

    Setting

    Server host name or IP address

    Type the Active Directory host name or IP address. Change the port number only if you use a different port for the Active Directory server.

    Select the Secure check box if you want to use LDAPS for communication.

    If you use a global catalog server or a trusting domain, set Port to 3268 or 3269 based on whether the corresponding server uses LDAP or LDAPS.

    Enable secondary Active Directory

    Turn on to ensure the continuation of service in case the primary Active Directory server becomes unavailable.

    Server host name or IP address

    Type the Active Directory host name or IP address. Change the port number only if you use a different port for the Active Directory server.

    Select the Secure check box if you want to use LDAPS for communication.

    User name and Password

    Type the Active Directory authentication credentials.

    Enable anonymous authentication

    Turn on to allow the administrator to be authenticated without providing an Active Directory administrator's account. For this feature to work, also enable anonymous authentication on the Active Directory server.

    Base distinguished name

    Type the name used by the Active Directory server as a reference point when querying an Active Directory.

    Click Test Connection to verify that connection can be established with the Active Directory server.

    Synchronization schedule

    Synchronize with the Active Directory server manually or according to a schedule (daily, weekly, or monthly). If you choose Manually, whenever there are changes to Active Directory user information, remember to go back to this screen and perform manual synchronization so that information in TMWS remains current.

  7. Click Advanced Settings.
  8. Configure the Attributes section.
    Important:

    To ensure successful user synchronization and authentication using Direct, the following attributes must have the same configurations as those on your Active Directory server.

    Trend Micro strongly recommends keeping the default values for the attributes.

    Item

    Setting

    Username attribute

    The Active Directory user ID attribute name, "sAMAcountName", cannot be modified.

    This field is set to sAMAcountName, which cannot be modified.

    Email attribute

    Type the Active Directory user email address. Configuring this field enables Active Directory users to log on using their email address as their account name.

    User full name attribute

    Name of the Active Directory user. This parameter is fixed to name and not editable.

    Department name attribute

    Type the attribute name of the department to which the Active Directory user belongs.

    Group attribute

    Active Directory group attribute that is used in the relationship between a user and a group or a group and a group. This parameter is fixed to memberOf and not editable.

    Group name attribute

    Name of the Active Directory group attribute. This parameter is fixed to name and not editable.

  9. Configure the Filters section.

    Item

    Setting

    User search filter

    Query Active Directory by users.

    Group search filter

    Query Active Directory by groups.

  10. Click Save.