McAfee Directory Services Connector extension

Transcription

1 Setup Guide Revision B McAfee Directory Services Connector extension For use with epolicy Orchestrator and later

2 COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, epolicy Orchestrator, McAfee epo, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Directory Services Connector extension Setup Guide

3 Contents Preface 5 About this guide Audience Conventions What's in this guide Finding documentation Find product documentation Find McAfee SaaS service documentation Introducing the McAfee Directory Services Connector 7 Advantages of the Directory Services Connector Limitations of Directory Integration Using the Directory Services Connector Installing Directory Services Connector 9 Install the Directory Services Connector extension Update the Directory Services Connector extension to a newer version Remove the Directory Services Connector extension Configuring the Control Console 11 Assign a Customer Admin account Create an distribution list Set Logical Structure to AD Domain Configuring epo for Directory Services Connector 13 Set up the Directory Services Connector server as a registered server Set up Identity Bridge for McAfee Cloud Single Sign On Set up the server for exception notifications Configure the debug level and increase log file size Add permissions for Directory Services Connector access Configure a service principal user account in Active Directory for use with Identity Bridge 19 6 Configuring browsers for the Identity Bridge feature of Cloud Single Sign On 21 Configure Firefox for internal network SSO Configure Internet Explorer for internal network SSO Configure Google Chrome for internal network SSO Setting up Directory Services Connector 25 Set up AD domain synchronizations for the Directory Services Connector Add new synchronization tasks for the Directory Services Connector Important considerations for group synchronization Run a manual synchronization McAfee Directory Services Connector extension Setup Guide 3

4 Contents Enable automatic synchronization Index 33 4 McAfee Directory Services Connector extension Setup Guide

5 Preface This guide provides the information you need to quickly install and configure both the epolicy Orchestrator software as well as the Directory Services Connector extension. Contents About this guide Finding documentation About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized. Audience McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for: Administrators People who implement and enforce the company's security program. Conventions This guide uses these typographical conventions and icons. Book title, term, emphasis Bold User input, code, message Interface text Hypertext blue Title of a book, chapter, or topic; a new term; emphasis. Text that is strongly emphasized. Commands and other text that the user types; a code sample; a displayed message. Words from the product interface like options, menus, buttons, and dialog boxes. A link to a topic or to an external website. Note: Additional information, like an alternate method of accessing an option. Tip: Suggestions and recommendations. Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data. Warning: Critical advice to prevent bodily harm when using a hardware product. McAfee Directory Services Connector extension Setup Guide 5

6 Preface Finding documentation What's in this guide This guide is organized to help you find the information you need. It is organized into chapters that group relevant information together by task, so you can go directly to the topic you need to successfully complete your installation or configuration. In addition to first-time installation instructions for the Directory Services Connector extension, this guide covers: Configuring the connection to the Control Console. Setting up and scheduling the synchronization tasks for users and groups. Setting up Identity Bridge for McAfee Cloud Single Sign On. Configuring a service principal user account in Active Directory for Identity Bridge. Configuring browsers for Identity Bridge. Finding documentation If you have a grant, you should use the McAfee Technical Support ServicePortal to find product documentation and search the online KnowledgeBase. Otherwise, you should use the McAfee SaaS and Web Security Support site to find service documentation. Contents Find product documentation Find McAfee SaaS service documentation Find product documentation After a product is released, information about the product is entered into the McAfee online Knowledge Center. 1 Go to the McAfee ServicePortal at and click Knowledge Center. 2 Enter a product name, select a version, then click Search to display a list of documents. Find McAfee SaaS service documentation McAfee provides the information you need during each phase of service implementation, from setup to daily use and troubleshooting. After a service update is released, information is added to the McAfee SaaS and Web Security Support site. 1 Go to the McAfee SaaS and Web Security Support page at 2 Under Knowledge Base, click Reference Materials. 3 Under Reference Materials, scroll down to access information that you need: Service Enhancements and Release Notes Training Materials Service Reference Guides 6 McAfee Directory Services Connector extension Setup Guide

7 1 Introducing 1 the McAfee Directory Services Connector Directory Services Connector is an extension for the epolicy Orchestrator (McAfee epo). Once installed, it allows you to synchronize the user accounts and groups in your active directory with those on the remote McAfee Control Console from your own network environment. With Identity Bridge enabled within Directory Services Connector and McAfee Cloud Single Sign On enabled on the Control Console, you can also allow users to access Cloud Single Sign On using their corporate network credentials as defined in your Active Directory. Contents Advantages of the Directory Services Connector Limitations of Directory Integration Using the Directory Services Connector Advantages of the Directory Services Connector The Directory Services Connector allows you to automatically add, remove, and update user information in the Control Console. Installing Directory Services Connector extension provides the following features: Simplifies the need to manually add, delete, or update users and groups Automatically assigns users to groups in the Control Console based on the group assignments in the Active Directory Runs locally in your own network and allows you to push changes as needed Schedules synchronization to run automatically one or more times per day With Identity Bridge, allows users to sign on to Cloud Single Sign On using corporate credentials stored in your company's Active Directory. Limitations of Directory Integration You should be aware of the limitations to Directory Integration that affect the Directory Services Connector. These limitations apply to both the push method used here as well as the pull method used in the Control Console. You must run separate synchronizations for each Active Directory domain. You cannot limit the number of synchronization changes. The Control Console limits group membership to 25,000. Group synchronizations fail if an Active Directory group contains more than 25,000 users. McAfee Directory Services Connector extension Setup Guide 7

8 1 Introducing the McAfee Directory Services Connector Using the Directory Services Connector You cannot run a synchronization that includes only the addresses that have changed. You must use Active Directory. Directory Services Connector does not run on epolicy Orchestrator version and requires version or a later version. Using the Directory Services Connector You should make all of the necessary modifications in the Control Console, McAfee epo, and the extension in order to use Directory Services Connector for push synchronization. To use Directory Services Connector, complete the necessary set up tasks: Configure the Control Console for push synchronization Connect to the remote Control Console from epo Connect to your Active Directory Domain server from epo Schedule synchronization tasks Push data from your Active Directory Domain server to the Control Console Enable Identity Bridge to authenticate Cloud Single Sign On users with Active Directory credentials. 8 McAfee Directory Services Connector extension Setup Guide

9 2 2 Installing Directory Services Connector The McAfee Directory Services Connector extension is installed using the software extension features of McAfee epo. When you install the Directory Services Connector version 3.2 on an epo that previously ran Versions 1.0 or 1.1 of the DSC, the DSC's server registration and all previously-configured DSC tasks are removed. You will have to reconfigure these items. Contents Install the Directory Services Connector extension Update the Directory Services Connector extension to a newer version Remove the Directory Services Connector extension Install the Directory Services Connector extension Use this task to install the Directory Services Connector extension (zip) file in epolicy Orchestrator and the online help that supports Directory Services Connector. Before you begin Download the Directory Services Connector extension from Directory Integration page in the Control Console. Sign into the Control Console, and select Account Management Configuration. Ensure the Logical Structure field shows AD Domain. Then, click the link labeled Directory Services Connector extension. For option definitions, click? in the interface. 1 Ensure that you have the extension file in an accessible location on the network. 2 Click Menu Software Extensions, then click Install Extension. 3 Browse to select the extension (zip) file, then click OK. 4 Verify that the Directory Services Connector name appears in the Extensions list. McAfee Directory Services Connector extension Setup Guide 9

10 2 Installing Directory Services Connector Update the Directory Services Connector extension to a newer version Update the Directory Services Connector extension to a newer version Use this task to update an existing install of the extension with a newer version. When you update the Directory Services Connector from Version 1.0 or 1.1 to version 3.2, the DSC's server registration and all previously-configured DSC tasks are removed. You will have to reconfigure these items. For option definitions, click? in the interface. 1 Ensure that you have the extension file in an accessible location on the network. 2 Click Menu Software Extensions, then click Install Extension. The Install Extension dialog box appears. 3 Browse to select the extension (zip) file, then click OK. The Install Extension page appears with information on the new version and a warning message that asks you if you want to replace the existing extension with the new version number. 4 Click OK. 5 Verify that the Directory Services Connector name appears in the Extensions list. Remove the Directory Services Connector extension Use this task to remove the Directory Services Connector extension (zip) file in epolicy Orchestrator. When you uninstall the Directory Services Connector extension, the DSC's server registration and all previously-configured DSC tasks are removed. You will have to reconfigure these items when you reinstall the extension. For option definitions, click? in the interface. 1 Click Menu Software Extensions. The Extensions page displays the list of currently installed extensions. 2 In the left-hand navigation under McAfee, select Directory Services Connector In the main section of the page, information for the Directory Services Connector extension appears. 3 To the right of the extension, Click Remove. A dialog box appears. 4 Click OK. The extension information disappears from the page. The extension is no longer running in epo. 10 McAfee Directory Services Connector extension Setup Guide

11 3 Configuring 3 the Control Console Before you can begin working with the Directory Services Connector, you will need to update settings in the Control Console. Contents Assign a Customer Admin account Create an distribution list Set Logical Structure to AD Domain Assign a Customer Admin account Directory synchronization requires that you have Customer Admin access or higher. McAfee recommends that you create a dedicated Customer Admin account in the Control Console for running Directory Services Connector. Create an distribution list Directory Services Connector requires that you have an distribution list set up in the Control Console for all notifications. Set Logical Structure to AD Domain Configure your Directory Integration settings in the Control Console by selecting AD Domain as your Logical Structure value. Before you begin You must be able to log on to the portal as a Customer Admin or higher. You will receive an error message in Directory Services Connector if you attempt to synchronize a domain that is not set to AD Domain. 1 Log on to the Control Console. 2 Select Account Management and then select Configuration. McAfee Directory Services Connector extension Setup Guide 11

12 3 Configuring the Control Console Set Logical Structure to AD Domain 3 From the Logical Structure drop-down list, select AD Domain. The Domain field as well as the Directory Settings and Automatic Synchronization Settings options are no longer displayed. 4 Click Save. 12 McAfee Directory Services Connector extension Setup Guide

13 4 Configuring 4 epo for Directory Services Connector Some standard epo settings should be configured for use with the Directory Services Connector. Contents Set up the Directory Services Connector server as a registered server Set up Identity Bridge for McAfee Cloud Single Sign On Set up the server for exception notifications Configure the debug level and increase log file size Add permissions for Directory Services Connector access Set up the Directory Services Connector server as a registered server Use this task to set up the Directory Services Connector server as a registered server in epo. This provides the Directory Services Connector with everything it needs to communicate with the Control Console. Before you begin You must be able to log on to the Control Console as a Customer Admin or higher. Additionally, McAfee recommends that you create a dedicated Customer Admin account for managing the Directory Services Connector. For option definitions, click? in the interface. 1 Select Menu Configuration Registered Servers, then click New Server. 2 From the Server type menu, select Directory Services Connector. 3 Enter a unique name, any additional information about the server, and then click Next. 4 In the Control Console Hostname field, enter one of the two valid host names. portal.saascontrol.com console.saascontrol.com The host name you choose depends on whether the URL you use to log on to the Control Console contains the word portal or console. McAfee Directory Services Connector extension Setup Guide 13

14 4 Configuring epo for Directory Services Connector Set up Identity Bridge for McAfee Cloud Single Sign On If your URL looks like this... portal.example.com console.example.com Enter this valid host name... portal.saascontrol.com console.saascontrol.com Do not enter any other value for the host name. Do not mismatch "portal" and "console" values. Do not include the protocol, for example: If you are not sure which value you should use, contact your admin or support representative. 5 Type the user name and password you use to log on to the Control Console. 6 In the DSC Server Nickname field, provide a name to identify this instance of the Directory Services Connector. By default, the DSC Server Nickname is the same as your epo server name. The UID (Unit Identifier) field is populated automatically for the server after a synchronization. The UID can also be viewed in the Control Console to confirm the current DSC Registered Server associated with Directory Integration configuration for the customer. 7 Select and enter the Active Directory Server Name. 8 Enter the Username and Password for your Active Directory account. 9 To verify that you have configured the server information correctly, click Test. The Test button is enabled when you complete all of the required fields. 10 In AD Synchronization Settings, complete the options to set up an Active Directory server. 11 Click Save to register the server. The added Directory Services Connector server appears on the Registered Server page. Set up Identity Bridge for McAfee Cloud Single Sign On Use this task to set up the Identity Bridge portion of the Directory Services Connector registered server. The Identity Bridge is available only if Cloud Single Sign On is enabled for your company on the Control Console. The Identity Bridge provides the ability to automatically authenticate users with corporate network credentials when they sign on to the Control Console and other applications in the cloud. Before you begin Identity Bridge uses the Integrated Windows Authentication (IWA) capability of Active Directory. Therefore, your company's Active Directory must have a security principal administered so that Identity Bridge can retrieve authentication credentials for your users. See "Configure a service principal user account in Active Directory" in the Directory Services Connector Setup Guide or Directory Services Connector online help. To access the Control Console over the Identity Bridge, users must also configure their browsers. See "Configuring browsers for the Identity Bridge feature of Cloud Single Sign On" in the Directory Services Connector Setup Guide or Directory Services Connector online help. 14 McAfee Directory Services Connector extension Setup Guide

15 Configuring epo for Directory Services Connector Set up Identity Bridge for McAfee Cloud Single Sign On 4 1 Select Menu Configuration Registered Servers, then click the server name beginning with dsc. 2 From the Actions drop-down list, select Edit. The Registered Server Builder: Description page appears. 3 Click Next. The Registered Server Builder: Details page appears. 4 Scroll down to the Identity Bridge Settings section. 5 Check the Identity Bridge Authentication checkbox to enable Identity Bridge and to enable the remaining configuration fields. 6 In the Company IP Address Range field, enter a single range of IP addresses, using CIDR notation, for example, /24. The range of IP addresses should include all users that can access Cloud SSO from a corporate sign in. The CIDR value must meet the following requirements: The IP address is valid. The netmask is between 24 and 32, inclusive. The IP address and netmask are compatible with CIDR notation. 7 In the epo Hostname field, Directory Services Connector automatically enters the epo server name and port number on which you are running Directory Services Connector and Identity Bridge, for example denver1.acme.com:8443. You must verify that the host name and port number are correct. If not, you must change them. In some cases, perhaps for traffic load balancing, you might wish to use the host name of a different epo server, if any, in your corporate network. Do not change the host name and default port number in the epo Hostname field unless you are sure the host name and port number you want to substitute will work. 8 In the Active Directory Server Principal Name field, enter the security principal name to be used to connect with Active Directory for authentication of users accessing the Control Console. The format of the name should be HTTP/<server_name_for_ID_Bridge>@<AD_DOMAIN_NAME>, where HTTP and <AD_DOMAIN_NAME> are in all uppercase. For example, if you entered denver1.acme.com in Step 7 and the AD domain of your users is ADcorp1.int, you would enter HTTP/ denver1.acme.com@adcorp1.int. 9 In the Server Principal Password field, do one of the following:. If you created a Service Principal that authenticates with a password, select Server Principal Password, and enter the password for the security principal to be used when connecting to the Active Directory domain. If you created a Service Principal that authenticates with a keytab, select Server Principal Keytab File, and use the Browse button to find and upload the password keytab file. 10 Click Save. McAfee Directory Services Connector extension Setup Guide 15

16 4 Configuring epo for Directory Services Connector Set up the server for exception notifications Set up the server for exception notifications Edit the SMTP server settings for exception notifications. Directory Services Connector uses the epo Server from address to identify automatic messages originating from epo. The from address you configure in epo only affects exception notifications that originate from Directory Services Connector. If you have a different address configured in the Control Console, you will continue to receive notifications from that address for events that take place in the cloud. McAfee recommends configuring the same from address in both systems if this will cause confusion. For option definitions, click? in the interface. 1 Select Menu Configuration Server Settings to open the Server Settings window. 2 From the Setting Categories list on the left, select Server. 3 Click Edit. 4 Enter all of the necessary information for your server and click Save. The new server settings display on the page. Your settings are now ready for use with notifications. Configure the debug level and increase log file size Modify the log file configuration to assist with troubleshooting and to increase the file size since, with multiple epo applications, the file can fill up quickly. For option definitions, click? in the interface. 1 Navigate to C:\Program Files (x86)\mcafee\epolicy Orchestrator\Server\conf\orion and edit the log config.xml file. 2 Add the following: <logger name="com.mcafee.saasc"> <level value="info"/> </logger> You may also increase the information level to debug by using the following: <logger name="com.mcafee.saasc"> <level value="debug"/> </logger> To turn on debug log for the Identity Bridge components of Cloud Single Sign On, add the following: <logger name="com.mcafee.identitybridge"> <level value="debug"/> </logger> 3 To increase the file size to the recommended size of 50 MB, change the "2" in the MaxFileSize line to "50:" <param name="maxfilesize" value="50mb"/> 16 McAfee Directory Services Connector extension Setup Guide

17 Configuring epo for Directory Services Connector Add permissions for Directory Services Connector access 4 4 Save the file. 5 Restart the epo Web Application Server service. a Open the Administrative Tools list on the server, and select Services. b c From the Services window, select McAfee epolicy Orchestrator Server. Click Stop. This step will also stop the Event Parser entry. d e When the window enables the Start button, click Start. Click OK. You might also need to restart the epo Event Parser service. Check that it has started. 6 Navigate to C:\Program Files (x86)\mcafee\epolicy Orchestrator\Server\Logs\orion.log to view the log file. Add permissions for Directory Services Connector access You can set permissions for users of epolicy Orchestra for the use of Directory Services Connector. You can set a user's permissions for Directory Services Connector to one of the following: No permissions The user cannot access Directory Services Connector. View permissions The user can view settings withindirectory Services Connector but cannot make any changes. Edit permissions The user can create and edit settings withindirectory Services Connector. To add permissions, perform the following steps: For option definitions, click? in the interface. 1 Click Menu User Management Permission Sets. 2 On the Permission Sets page, select a user from the list. 3 Click Edit in the Directory Services Connector row. 4 Select the level of permissions you wish to give the user, and click Save. McAfee Directory Services Connector extension Setup Guide 17

18 4 Configuring epo for Directory Services Connector Add permissions for Directory Services Connector access 18 McAfee Directory Services Connector extension Setup Guide

19 5 Configure 5 a service principal user account in Active Directory for use with Identity Bridge Identity Bridge uses the Integrated Windows Authentication (IWA) capability of Active Directory. Therefore, your company's Active Directory must have a service principal so that Identity Bridge can authenticate users against Active Directory credentials when users access the Cloud Single Sign On Control Console. 1 Log on to your Active Directory. 2 Create a user in the AD domain to which Directory Services Connector communicates. 3 Open the Properties page for the user 4 Check the Member of tab to make sure the user is in the domain used by Directory Services Connector. 5 In the Account tab, check the entry in the User login name field. This name, plus the associated domain name must be entered into the Active Directory Server Principal Name field in the Registered Server page of Directory Services Connector. 6 You can create a Service Principal that authenticates a connection with either a text password or a keytab: To create a Service Principal that authenticates with a text password, open the command line on the Active Directory server, and enter the following command at the command prompt:ktpass -princ HTTP/<ePO server name>@<ad domain name> -mapuser <user_name>@<domain_name> -pass * -ptype KRB5_NT_PRINCIPAL, where <epo server name> is the name of the epo server running Identity Bridge, <AD domain name> is the AD domain used for authentication, and <user_name>@<domain_name> is the security principal user you just created and the domain of the user. To create a Service Principal that authenticates with a keytab file, open the command line on the Active Directory server, and enter the following command at the command prompt:ktpass -princ HTTP/<ePO server name>@<ad domain name> -mapuser <user_name>@<domain_name> -pass * -ptype KRB5_NT_PRINCIPAL -out c:\users \administrator\ktpass.out, where <epo server name> is the name of the epo server running Identity Bridge, <AD domain name> is the AD domain used for authentication, and <user_name>@<domain_name> is the security principal user you just created and the domain of the user. A prompt to enter a password and confirmation password is displayed. McAfee Directory Services Connector extension Setup Guide 19

20 5 Configure a service principal user account in Active Directory for use with Identity Bridge 7 Enter the password in both fields. If you created a text password, the password is saved in the Active Directory database. If you created a keytab file, the file is saved at c:\users\administrator\ktpass.out. 8 At the command line prompt, type setspn -A HTTP/ <epo server name>@<ad domain name> <user_name>@<domain_name>, where <user_name>@<domain_name> is the security principal user you just created. 9 On the Registered Server page in Directory Services Connector, in the Identity Bridge section, enter this security principal user name and domain in the Active Directory Server Principal Name field. For more information, see "Set up Identity Bridge for McAfee Cloud Single Sign On" in the Directory Services Connector Setup Guide or the Directory Services Connector online help. 20 McAfee Directory Services Connector extension Setup Guide

21 6 Configuring browsers for the Identity Bridge feature of Cloud Single Sign On If your company is enabled for Cloud Single Sign On and also uses the Identity Bridge feature, Cloud Single Sign On users must configure their browsers so that they can sign on to your company network and access Cloud Single Sign On without entering sign on credentials again. Supported browsers for use of the Identity Bridge feature are: Internet Explorer Firefox Chrome Contents Configure Firefox for internal network SSO Configure Internet Explorer for internal network SSO Configure Google Chrome for internal network SSO Configure Firefox for internal network SSO Configure the user's Firefox browser so that the user can use the Identity Bridge feature to access the Control Console from the company network without entering sign on credentials again. If Identity Bridge is enabled and a user fails to configure the Firefox browser for Identity Bridge, the user gets a blank page when tying to access the Control Console with Firefox. This is caused by an HTTP 401 authentication error. 1 In the Firefox browser url field, enter about:config. A warning page appears. 2 Accept the warning. 3 Scroll down the Preference Name column to network.negotiate-auth.trusted-uris, and doubleclick it. The Enter string value page appears. 4 In the Enter string value field, enter or *.<corporate_domain> and click OK. The value you enter appears in the Value column. You can also enter multiple values separated by commas. McAfee Directory Services Connector extension Setup Guide 21

22 6 Configuring browsers for the Identity Bridge feature of Cloud Single Sign On Configure Internet Explorer for internal network SSO 5 Scroll down the Preference Name column to network.automatic-ntlm-auth.trusted-uris, and doubleclick it. The Enter string value page appears. 6 In the Enter string value field, enter the corporate domain, for example corp.acme.org and click OK. The corporate domain appears in the Value column. Configure Internet Explorer for internal network SSO Configure the user's Internet Explorer browser so that the user can use the Identity Bridge feature to access the Control Console from the company network without entering sign on credentials again. If Identity Bridge is enabled and a user fails to configure the Internet Explorer browser for Identity Bridge, the user gets a Windows Security page each time the user accesses the Control Console. If a user has trouble properly configuring Internet Explorer for Identity Bridge, the user should contact the company IT department. 1 Open Internet Explorer, and select Tools Internet Options. 2 Select the Security tab. 3 Click Local Intranet in the Select a zone or change security settings box. 4 Click Sites. 5 On the Local Intranet page, select Advanced. 6 In the Add this website to the zone field, add your corporate domain in the form *.<corporate_domain> or *.<corporate_domain>. 7 Click Close, and return to the main Internet Options page. 8 Click the Advanced tab. 9 In the Settings list, scroll down to the Security settings, and select the Enable Integrated Windows Authentication checkbox. 10 Click OK, and exit the Internet Options page. Configure Google Chrome for internal network SSO Configure the user's Google Chrome browser so that the user can use the Identity Bridge feature to access the Control Console from the company network without entering sign on credentials again. If Identity Bridge is enabled and a user fails to configure the Chrome browser for Identity Bridge, the user gets a Authentication Required page each time the user accesses the Control Console. If a user has trouble properly configuring Chrome for Identity Bridge, the user should contact the company IT department. 1 Right-click the Google Chrome icon on your desktop, or, without actually opening Google Chrome, select Start All Programs Google Chrome 2 Select Properties from the pop-up menu. 22 McAfee Directory Services Connector extension Setup Guide

23 Configuring browsers for the Identity Bridge feature of Cloud Single Sign On Configure Google Chrome for internal network SSO 6 3 In the Target field, add the following to the existing entry in the field: --auth-server-whitelist="host.company.com", where host.company.com is your corporate domain. You can also enter multiple values separated by commas. 4 Click OK. McAfee Directory Services Connector extension Setup Guide 23

24 6 Configuring browsers for the Identity Bridge feature of Cloud Single Sign On Configure Google Chrome for internal network SSO 24 McAfee Directory Services Connector extension Setup Guide

25 7 7 Setting up Directory Services Connector You should set up and schedule a synchronization task to automatically run for each of your Active Directory domains. Contents Set up AD domain synchronizations for the Directory Services Connector Add new synchronization tasks for the Directory Services Connector Important considerations for group synchronization Run a manual synchronization Enable automatic synchronization Set up AD domain synchronizations for the Directory Services Connector By default, a synchronization is created for each Active Directory domain when you set up the Directory Services Connector server as a registered server. However, you must configure and schedule AD domain synchronizations and ensure that user information is automatically updated in the Control Console. Before you begin Complete the following in the Account Management tab of the Control Console before synchronizing users. Set Directory Integration to AD Domain. Create an distribution list for exception notifications in the Control Console. To view or create those lists, sign into the Control Console as a Customer Administrator and navigate to Account Management Customers Distribution Lists. Complete the following in epo. Under Configuration Server Settings, set up the Server for notifications. Under Configuration Registered Servers, set up the Directory Services Connector server type. McAfee Directory Services Connector extension Setup Guide 25

26 7 Setting up Directory Services Connector Set up AD domain synchronizations for the Directory Services Connector For option definitions, click? in the interface. 1 From the toolbar, select Menu Automation Directory Services Connector to open the Active Directory Domain Synchronization page. 2 Set up a synchronization using one of the following: Select the checkbox for a Domain and then click Actions Edit. Mouse over the row for a domain to highlight it. Under the Actions column, click Edit. The Directory Settings page appears. 3 Complete the options to set up the Active Directory server. 4 Enter valid values for Attribute and Search Filter. If you are using Exchange Servers with Active Directory, enter search values as follows. Required Field Attribute Search Filter Recommended value proxyaddresses (&(proxyaddresses=smtp:*)(name=*)) If you are not using Exchange Servers with Active Directory, enter other search values, commonly using the "mail" attribute as follows. Required Field Attribute Search Filter Recommended value mail (&(mail=*)(name=*)) 5 If necessary, select DSC Server Authorization to authorize this Directory Services Connector within the Control Console to synchronize this AD domain. Directory Services Connector authorization is required and you cannot continue or save without it. 6 Under Additional Attributes, select any or all of the following checkboxes if you want to collect the additional data from the Active Directory: First Name Mobile Phone Last Name Title Display Name Department This data can be useful if you use the Cloud SSO application and you automatically provision apps that user can access under the Cloud SSO umbrella. 7 To verify that the server information you entered is correct, click Test. 8 Click Next. The Group Synchronization page appears. 9 Select Enable to add group names for synchronization or to select existing groups for synchronization. 26 McAfee Directory Services Connector extension Setup Guide

27 Setting up Directory Services Connector Set up AD domain synchronizations for the Directory Services Connector 7 10 In the Group Name field, type the initial letters of a group you want to add. Directory Services Connector searches your Active Directory for matching group names and a list based on the characters you enter. Directory Services Connector synchronizes only Active Directory security groups, not distribution groups. 11 Select the group name you want, and click Add The group is added to the list. 12 Add other groups as needed. 13 Select the checkbox next to each group name you want to synchronize. If you add a group to an AD domain in Directory Services Connector, the group is automatically included in the synchronization of any other AD domains you add in Directory Services Connector. 14 Click Next. The Exception Notifications and Automatic Synchronization page appears. 15 From the Exception Notification Distribution drop-down, select an distribution list. The distribution lists that appear in the drop-down menu are those lists that have been created in the Control Console. To view or create those lists, sign into the Control Console as a Customer Administrator and navigate to Account Management Customers Distribution Lists. The selected distribution list's recipients will receive the selected exception notifications. 16 Select the options for Exception Notification Content. 17 If necessary, enter a value to specify the User Deactivation Limit. 18 Under Automatic Synchronization leave Enable deselected for now. Run the synchronization manually first. If it works as you expect, return here, select Enable, and select: Enable automatic synchronization of Users Synchronizes users in the AD domain, without assigning them to groups in the Control Console. Enable automatic synchronization of Users and Groups Synchronizes users in the AD domain and assigns them to groups in the Control Console. 19 Under Schedule, select the frequency of how often you would like the task to run. 20 Click Save. The Directory Services Connector synchronization is set up and ready to run. McAfee recommends that you run the synchronization manually before enabling it to run automatically. Repeat this process for each of your Active Directory domains. McAfee Directory Services Connector extension Setup Guide 27

28 7 Setting up Directory Services Connector Add new synchronization tasks for the Directory Services Connector Add new synchronization tasks for the Directory Services Connector Use this task to add new synchronization tasks for the Directory Services Connector. Each Active Directory Domain is limited to one synchronization task. Before you begin Complete the following in the Account Management tab of the Control Console before synchronizing users. Set Directory Integration to AD Domain. Create an distribution list for exception notifications. Complete the following in epo. Under Configuration Server Settings, set up the Server for notifications. Under Configuration Registered Servers, set up the Directory Services Connector server type. For option definitions, click? in the interface. 1 From the toolbar, select Menu Automation Directory Services Connector to open the Directory Services Connector page. 2 Create a new AD domain synchronization using one of the following: Select Actions New. Click New. The Directory Settings page appears. 3 Complete the options to set up the Active Directory server. 4 Enter valid values for Attribute and Search Filter. Required Field Attribute Search Filter Recommended value proxyaddresses (&(proxyaddresses=smtp:*)(name=*)) 5 Select DSC Server Authorization to register this task with the Control Console. Directory Services Connector registration is required and you cannot continue or save without registering. 6 Under Additional Attributes, select the checkboxes for any additional attributes you want to include in the synchronization. 7 To verify that the server information you entered is correct, click Test. 8 Click Next. The Group Synchronization page appears. 9 Complete the options to set up group synchronizations, if desired. 28 McAfee Directory Services Connector extension Setup Guide

29 Setting up Directory Services Connector Important considerations for group synchronization 7 10 Click Next. The Exceptions Notifications and Automatic Synchronization page appears. 11 From the Exception Notification Distribution drop-down, select an distribution list. An active distribution list is required to save the task. You can create the list in the Control Console. 12 Select the options for Exception Notification ContentException Notification Distribution. 13 Under Automatic Synchronization leave Enable deselected for now. Run the task manually first. If it works as you expect, return here and select Enable. 14 If necessary, enter a value to specify the User Deactivation Limit. 15 Under Schedule, select the frequency of how often you would like the task to run. 16 Click Save. The Directory Services Connector task is set up and ready to run. McAfee recommends that you run the task manually before enabling it to run automatically. Important considerations for group synchronization Nested groups Active Directory allows administrators to add a group as a member of another group. When a group is a member of a parent group, Directory Services Connector synchronizes the users in the member group as well as users within the group explicitly identified within Directory Services Connector. The Control Console therefore includes all members of a parent group in its membership list, including those in any member groups. Group members in other AD domains Domain Local and Universal groups in Active Directory can contain members or groups who reside in other AD domains. In the case where group members reside in AD domains different from that of a group being synchronized, a synchronization includes only group members in that group's AD domain. To synchronize all members in a group when some members exist in different AD domains, you must synchronize all AD domains that contain members for the group. Groups that have migrated from one AD domain to another AD domain When a group is moved, or migrated, in Active Directory from one AD domain to another, the subsequent synchronization records this change in the Control Console. The migrated group retains the members that it previously had in the Control Console. However, the group's members continue to reside in the AD domain that they resided in prior to the migration. If you moved groups in Active Directory from one AD domain to another, first perform a synchronization on the AD domain to which you moved the groups, then perform a synchronization on the groups' old AD domain. This sequence avoids a temporary deactivation of those groups in the Control Console McAfee Directory Services Connector extension Setup Guide 29

30 7 Setting up Directory Services Connector Run a manual synchronization Run a manual synchronization Run Directory Services Connector manually to review and approve results. Running the task manually helps to ensure that the synchronization process is providing the desired results before enabling scheduled syncs. Before you begin Be sure to configure the Directory Services Connector synchronization task first. If you moved user accounts or groups in Active Directory from one AD domain to another, first perform a synchronization on the AD domain to which you moved the users or groups, then perform a synchronization on the users' or groups' old AD domain. This sequence avoids a temporary deactivation of those users or groups in the Control Console For option definitions, click? in the interface. 1 From the toolbar, select Menu Automation Directory Services Connector to open the Directory Services Connector page. 2 From the Active Directory Domain Synchronization task list, select the row of the task you want to run. 3 Run the sync by doing one of the following: From the Actions column, click Sync Now. Select Actions Sync. A Sync Now window appears. 4 Select one of the following options: Review sync result You must approve the synchronization on the Directory Services Connector Review page before the changes take effect in the Control Console. Auto approve sync result The changes take effect immediately in the Control Console after the synchronization is complete. A message displays: Directory Services Connector manual task synchronization has been successfully submitted. Submitting manual sync task: taskname The sync task can take time to complete. 5 When the system is ready, review the results of the manual sync task by doing one of the following: From the Actions column, click Review. Select Actions Review. The Directory Services Connector Review page appears. If your session expires, click your browser's refresh button or close and re-open the Directory Services Connector Review window. 6 In the upper right corner, click Review. The page refreshes with the User Synchronization Details page. The synchronization might take awhile to complete. 30 McAfee Directory Services Connector extension Setup Guide

31 Setting up Directory Services Connector Enable automatic synchronization 7 When the synchronization is completed and you previously selected Auto approve sync result, the Approved synchronization is listed. When the synchronization is completed and you previously selected Review sync result, use the following steps to review and approve the synchronization. 1 Click Approve. A confirmation message is displayed. 2 Click OK. The synchronization approval continues in the background. You can check the status dynamically in the Sync History window if the approval takes too long. The Control Console now includes all of the most recent changes in your Active Directory. Enable automatic synchronization Enable the Directory Services Connector task to run automatically based on the schedule you set previously. Before you begin Be sure to configure the Directory Services Connector task first. If you move user accounts in Active Directory from one AD domain to another, immediately perform a manual synchronization on the AD domain to which you moved the users. Synchronizing the new AD domain of the users prior to a synchronization of their old AD domain prevents a temporary deactivation of those users in the Control Console. To minimize synchronization use of both AD resources and network resources, select the least frequent schedule option that still meets your business need. Also, a synchronization might take significantly longer to finish than a normally scheduled synchronization if you make certain configuration changes, such as: You add domains to your Control Console. You make certain changes to the synchronization task, such as enabling or disabling group synchronizations. You reinstall Directory Services Connector. You change a large number of objects in the AD when those objects had been previously synchronized. For option definitions, click? in the interface. 1 From the toolbar, select Menu Automation Directory Services Connector to open the Directory Services Connector page. 2 From the Active Directory Domain Synchronization task list, select the row of the task you want to run. 3 Click Edit The Directory Setting window is displayed. 4 Click Next to display the Group Synchronization page. McAfee Directory Services Connector extension Setup Guide 31

32 7 Setting up Directory Services Connector Enable automatic synchronization 5 Click Next to display the Exceptions Notifications and Automatic Synchronization page. 6 Click Enable. 7 Select one of the following options: Enable automatic synchronization of users Enable automatic synchronization of users and groups This option is available only if you have enabled group synchronizations. 8 Click Save. The Active Directory Domain Synchronization page updates to show that the task is enabled, how often it will run, and the next time it will run. The sync task can take time to complete. The task will run based on its scheduled options. Automatic syncs do not need to be reviewed. You can disable the task at anytime by repeating the process and selecting Disable. 32 McAfee Directory Services Connector extension Setup Guide