
CYBEROAM - ADS INTEGRATION GUIDE VERSION: 7

7300-1.0-9/20/2005 2

IMPORTANT NOTICE
Elitecore has supplied this information believing it to be accurate and reliable at the time of printing, but it is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.

SOFTWARE LICENSE
The software described in this document is furnished under the terms of Elitecore's software license agreement. Please read these terms and conditions carefully before using the software. By using this software, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused software and manual (with proof of payment) to the place of purchase for a full refund.

LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications. Except for the foregoing, the software is provided AS IS. This limited warranty extends only to the customer as the original licensee. Customer's exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore's or its service center's option, repair, replacement, or refund of the software if reported (or, upon request, returned) to the party supplying the software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the software without problems or interruptions.

DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, noninfringement or arising from a course of dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law. In no event will Elitecore or its suppliers be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product, even if Elitecore or its suppliers have been advised of the possibility of such damages. In no event shall Elitecore's or its suppliers' liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose. In no event shall Elitecore or its suppliers be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages.

RESTRICTED RIGHTS
Copyright 2000 Elitecore Technologies Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Elitecore Technologies Ltd. Information supplied by Elitecore Technologies Ltd. is believed to be accurate and reliable at the time of printing, but Elitecore Technologies assumes no responsibility for any errors that may appear in this document. Elitecore Technologies reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.

CORPORATE HEADQUARTERS
Elitecore Technologies Ltd.
904 Silicon Tower, Off. C.G. Road, Ahmedabad 380015, INDIA
www.cyberoam.com

Elitecore Technologies Ltd.

Corporate Office
904 Silicon Tower, B/h Pariseema Building, Off. C.G. Road, Ahmedabad-380 006. INDIA
Telephone: +91-79-26405600 Fax: +91-79-26462200

Bangalore Office
3rd floor, 19/1 Infantry Road Cross, Behind Medinova Diagnostic Centre, Bangalore-560 001. INDIA
Telephone: +91-80-51517880/81 Fax: +91-80-51517883

U.S.A Office
600 Meadowland Parkway, Suite 270, Secaucus, New Jersey 07094 U.S.A.
Telephone: 201-484-7581 Fax: 201-422-9715

Australia Office
12 Peppercress Place, Old Toongabbie NSW 2146 Australia
Telephone: 61-413939862 Fax: 61-296319091

Delhi Office
606 Mahatta Tower, B Block Community Centre, Janakpuri, New Delhi-110058. INDIA
Telephone: +91-11-25529638/40, +91-11-51589761/62 Fax: +91-11-51589760

Mumbai Office
Office 4, B/65, Stanford Plaza, Off. New Link Road, Andheri (W) Mumbai-400 058. INDIA
Telephone: +91-22-56951280/380 Fax: +91-22-56923363

Guide Sets

Guide                                          Describes
Installation & Registration Guide              Installation & registration process
User Guide - Part I: Getting Started           How to start using Cyberoam
User Guide - Part II: Management               Management and Customization of Cyberoam
Detailed statistics Reports                    Detailed reports
Console Guide                                  Console Management
Windows Client Guide                           Installation & configuration of Cyberoam Windows Client
Linux Client Guide                             Installation & configuration of Cyberoam Linux Client
HTTP Client Guide                              Installation & configuration of Cyberoam HTTP Client
Analytical Tool Guide                          Using the Analytical tool for diagnosing and troubleshooting common problems
Cyberoam - LDAP Integration Guide              Configuration for integrating LDAP with Cyberoam for external authentication
Cyberoam ADS Integration Guide                 Configuration for integrating ADS with Cyberoam for external authentication
Data transfer Management Guide                 Configuration and Management of user based data transfer policy
Mail Management                                Configuration and Management of Mail server
Multi Link Manager User Guide                  Configuration of Multiple Gateways, load balancing and failover
VPN Management                                 Implementing and managing VPN
Printer Usage Management Guide                 Configuration and Management of user based printing quota policy
Printer Installation and Configuration Guide   Installation and Configuration of Elitecore Print Manager

Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to the Customer care/service department at the following address:

Corporate Office
Elitecore Technologies Ltd.
904, Silicon Tower, Off C.G. Road, Ahmedabad 380015, Gujarat, India.
Phone: +91-79-26405600
Fax: +91-79-26462200
Web site: www.elitecore.com

Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Email: support@cyberoam.com
Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.

Typographic Conventions

Material in this manual is presented in text, screen displays, or command-line notation.

Item          Convention
Server        Machine where Cyberoam Software - Server component is installed
Client        Machine where Cyberoam Software - Client component is installed
User          The end user
Username      Username uniquely identifies the user of the system

Item                              Convention                                 Example
Part titles                       Bold and shaded font typefaces             Report
Topic titles                      Shaded font typefaces                      Introduction
Subtitles                         Bold & Black typefaces                     Notation conventions
Navigation link                   Bold typeface                              Group Management > Groups > Create. It means: to open the required page click on Group Management, then on Groups and finally click the Create tab
Name of a particular parameter /  Lowercase italic type                      Enter policy name, replace policy name with the specific name of a policy. Or: Click Name to select, where Name denotes the command button text which is to be clicked
field / command button text
Cross references                  Hyperlink in different color               refer to Customizing User database. Clicking on the link will open the particular topic
Notes & points to remember        Bold typeface between the black borders    Note
Prerequisites                     Bold typefaces between the black borders   Prerequisite / Prerequisite details

Overview

Welcome to the Cyberoam ADS Integration Guide.

Cyberoam's integrated Internet security solution is purpose-built to meet the unified threat management needs of corporate, government organizations and educational institutions. It also provides assistance in improving bandwidth management, increasing employee productivity and reducing legal liability associated with undesirable Internet content access.

Once you have installed and placed Cyberoam, a default policy is automatically applied which allows all network traffic to pass through Cyberoam. This allows you to monitor user activity in your network based on the default policy. As Cyberoam monitors and logs user activity based on IP address, all the reports are generated based on IP address.

To monitor and log user activities based on user names or logon names, you have to configure Cyberoam to integrate user information and the authentication process. Integration identifies access requests based on user names and generates reports based on user names. When the user attempts to access, Cyberoam requests a user name and password and authenticates the user's credentials before giving access. User level authentication can be performed using the local user database on the Cyberoam, an external ADS server, Windows Domain Controller, or LDAP server.

To set up the user database:
1. Integrate ADS, Domain Controller or LDAP if external authentication is required.
   If your network uses Active Directory Services, configure Cyberoam to communicate with your ADS. Refer to Cyberoam ADS Integration for more details.
   If your network uses Windows Domain Controller, configure Cyberoam to communicate with the Windows Domain Controller. Refer to Cyberoam PDC Integration for more details.
   If your network uses LDAP, configure Cyberoam to communicate with the LDAP server. Refer to Cyberoam LDAP Integration for more details.
2. Configure for local authentication.
3. Register user.

Introduction to ADS

Using Active Directory maximizes accuracy in identifying users as it identifies users in real time, as they log on to domains. This enables Cyberoam to accurately filter Internet access based on policies assigned to particular users or groups.

The Cyberoam ADS integration feature allows Cyberoam to map the users and groups from ADS for the purpose of authentication. This enables Cyberoam to transparently identify the network users. Cyberoam communicates with Windows Directory Services Active Directory (AD) to authenticate users based on groups, domains and organizational units.

Whenever an existing ADS user logs on for the first time after configuration, the user is automatically created in Cyberoam and assigned to the default group. If the groups are already created in Cyberoam, users will be created in the respective groups, i.e. the ADS user groups will be mapped to Cyberoam user groups. In case the user is already created and there is a change in expiry date or group name, the user will be logged in with the changes. The administrator's task is just to configure Cyberoam to communicate with ADS.

ADS Authentication Process

A user has to be authenticated by Cyberoam before accessing any resources controlled by Cyberoam. This authentication mechanism allows users to access using their Windows authentication tokens (login/user name and password) in the Windows-based directory services.

The user sends the log on request/user authentication request to ADS, and ADS authenticates the user against the directory objects created in ADS. Once the user is authenticated, Cyberoam communicates with ADS to get the additional authorization data such as user name, password, user groups and expiry date as per the configuration, which is used to control access.

Note: If the ADS is down then the authentication request will always return the Wrong username/password message.

It is necessary to have a shared NETLOGON directory on ADS with the following permissions: Read, Read & Execute, List Folder Contents.

Note: It is possible to authenticate users of multiple ADS servers and multiple domains.

Configuring for ADS Integration

To configure Cyberoam to communicate with ADS, it is necessary to locate an Active Directory server (domain controller) for logging on to a domain and then find the information that you need in Active Directory. Both processes use name resolution. A domain controller can be found by using DNS names or Network Basic Input/Output System (NetBIOS) names. When locating a domain controller, the Domain Name System (DNS) resolves a domain name or computer name to an Internet Protocol (IP) address.

Every domain controller registers two types of names at startup:
1. A DNS domain name with the DNS service and IP address
2. A NetBIOS name

It is possible that the registered DNS domain name and NetBIOS name are different.

When a user logs on to a domain, the computer must do one of two things:
1. If the name of the logon domain is a DNS name, a query is placed to DNS to find a domain controller with which to authenticate.
2. If the name of the logon domain is a NetBIOS name, the computer finds a domain controller for the specified domain.

For this, ensure that users can connect to the domain controller in your network. Connections to the domain controllers are enabled automatically during the Active Directory setup. Verify the connection from the user machine using ping or a similar utility.

Select User > Authentication Settings to open the configuration page.

Screen - ADS Integration

Screen Elements       Description
Configure Authentication & Integration parameters
  Integrate with      Select Active Directory as authentication server. Cyberoam dynamically maps Active Directory groups to the respective Cyberoam groups on each logon.
  Default Group       Allows to select the default group for users. Click the Default Group list to select.
  Update button       Updates and saves the configuration.
  Add button          Allows to add an ADS server. Refer to Add ADS Server for details.
Table - ADS Integration screen elements

Add ADS Server

Screen - ADS Server configuration

Screen Elements            Description
Add ADS Server Details
  ADS Server IP            Specify ADS Server IP address
  Port                     Specify the port number over which the ADS Server will communicate. Default port is 389
  NetBIOS Domain           Specify NetBIOS Domain name
  ADS Username             Specify Administrator Username
  Password                 Specify Password of the Administrator Username
  Test Connection button   Allows to check the connectivity of Cyberoam with the ADS server. Click to check
  Add button               Saves the server configuration and allows to add the Domain query for name resolution and authentication. Click Add to add the domain query. Refer to Add Domain Query for more details
  Cancel button            Cancels the current operation
Table - ADS Server configuration screen elements

Add Domain Query

Screen - Domain Query

Screen Elements      Description
Domain Details
  Domain Name        Domain name to which the query is to be added
  Search DN          Displays the list of queries. List order indicates the preference of query for the name resolution. If more than one query exists, the query will be resolved according to the order specified.
  Add button         Allows to add the query. Click to add. Opens a Search query dialog box and allows to enter the name resolution query. Refer to How to build a Search DN Query for details. Click OK to save; click Cancel to cancel the current operation.
  Remove button      Allows to remove the query. Click the query to be removed, then click Remove.
  Move Up button     Changes the order of queries when more than one query is defined. Moves the selected query one step up. Click the query which is to be moved up, then click Move Up.
  Move Down button   Changes the order of queries when more than one query is defined. Moves the selected query one step down. Click the query which is to be moved down, then click Move Down.
  Save button        Saves the configuration. Click to save.
  Cancel button      Cancels the current operation.
Table - Domain Query screen elements

How to build a Search DN Query

To search for the user in Active Directory, a DN Query is placed. The query contains 3 components: domain component (dc), organizational unit (ou) and common name (cn). For example, for the fully qualified domain name cyberoam.elitecore.com, with the user created under ou support and cn administrator, the query is written as:

cn=administrator,ou=support,dc=cyberoam,dc=elitecore,dc=com
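To make the DN format concrete, here is an added Python example (not Cyberoam code) that builds a Search DN from the three components the guide names, escapes the values per RFC 4514 so a user or OU name containing a comma or equals sign cannot change the structure of the query, parses a DN back into its components, and tries an ordered list of queries in the way the Domain Query screen's list order is described. The directory contents and the second user (joe, ou sales) are constructed sample data.

```python
"""Build, escape and parse Cyberoam-style Search DN queries (cn=...,ou=...,dc=...)."""
import re
from typing import Dict, List, Optional, Tuple

# Characters that RFC 4514 requires to be escaped inside an attribute value.
_DN_SPECIAL = ',+"\\<>;='


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so the value cannot alter the DN structure."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:                    # a leading '#' would start a hex string
            out.append('\\#')
        elif ch == ' ' and i in (0, len(value) - 1):  # leading/trailing spaces are significant
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def build_search_dn(cn: str, ous: List[str], fqdn: str) -> str:
    """Compose the query the guide describes: cn, then the OU path, then one dc per domain label."""
    parts = ['cn=' + escape_rdn_value(cn)]
    parts += ['ou=' + escape_rdn_value(ou) for ou in ous]
    parts += ['dc=' + escape_rdn_value(label) for label in fqdn.split('.') if label]
    return ','.join(parts)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, decoding backslash and \\XX hex escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r'[0-9A-Fa-f]{2}', hexpair):
                buf.append(chr(int(hexpair, 16)))   # \2C style escape
                i += 3
            else:
                buf.append(dn[i + 1])               # \, \= \  style escape
                i += 2
            continue
        if ch == ',':                               # unescaped comma ends the RDN
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(''.join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, val = rdn.partition('=')
        if not sep or not attr.strip():
            raise ValueError(f'malformed RDN: {rdn!r}')
        pairs.append((attr.strip().lower(), val))
    return pairs


def resolve_user(queries: List[str], directory: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Try the Search DN queries in list order (as the Domain Query screen does); return the first hit."""
    for dn in queries:
        if dn in directory:
            return dn
    return None


# Constructed sample directory, not real ADS data: the guide's example user plus a second OU.
SAMPLE_DIRECTORY = {
    'cn=administrator,ou=support,dc=cyberoam,dc=elitecore,dc=com': {'group': 'Support'},
    'cn=joe,ou=sales,dc=cyberoam,dc=elitecore,dc=com': {'group': 'Sales'},
}


def demo() -> str:
    """Two queries for the same user; the second one (ou=sales) is the one that resolves."""
    queries = [build_search_dn('joe', ['support'], 'cyberoam.elitecore.com'),
               build_search_dn('joe', ['sales'], 'cyberoam.elitecore.com')]
    return resolve_user(queries, SAMPLE_DIRECTORY) or 'not found'
```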

Connectivity check

Connection to ADS is enabled automatically during Active Directory setup, but as the ADS server is used for authenticating users it is necessary to check whether Cyberoam is able to connect to ADS or not. Connectivity can be checked:
1. At the time of adding ADS server details, or
2. After adding ADS server details

Checking connectivity at the time of adding the ADS server
Refer to Add ADS Server for details on checking connectivity at the time of adding ADS server details.

Checking connectivity after the ADS server is added
Select User > External Authentication and click the ADS Server IP which is to be tested for connection. Click the Test Connection button.

Single Sign on Client Configuration

Single sign on provides password synchronization for Windows users using Active Directory services and Cyberoam: if the user is configured for Single sign on, whenever the user logs on to Windows, the user is automatically logged in to Cyberoam also. This will also enable users to check their My Account using their Windows password.

Follow the procedure to configure the Single Sign on login utility and ADS authentication.

Step 1
Download the Cyberoam Single Sign on client as shown in the screen shot below and save SSCyberoam.exe to the NETLOGON scripts directory on the domain controller, or as per your configuration. The logon scripts contain the configuration parameters for the initial user environment. The default location of the NETLOGON directory is as given below:

Server OS        NETLOGON default location
Windows 2000     %SYSTEMROOT%/SYSVOL/sysvol/%USERDNSDOMAIN%/Scripts
Windows 2003     %SYSTEMROOT%/SYSVOL/sysvol/%USERDNSDOMAIN%/Scripts
Table - Default NETLOGON directory location

Screen - Download Single sign on Client

Go to step 2 if logon scripts for the users are already created.

Go to step 3 if logon scripts for the users are not created.

Note: If logon scripts for all the users already exist, please do not download the Logon Script Updation Utility and execute the script defaultlogonscript.bat.

Step 2
If the logon scripts are already created, then update them. Edit the logon script using any of the available editors like Notepad, add the following line in the script and save the script:

start \\<ADS MachineName>\netlogon\SSCyberoam.exe <IP address of the Cyberoam Server> <Domain>
E.g., start \\adsmachinename\netlogon\sscyberoam.exe 192.168.1.100 elitecore

Whenever the user tries to log on to Windows, the logon script will be executed. The above statement in the logon script executes the Cyberoam logon program with the Windows username and automatically logs the user in to Cyberoam.

Step 3
If the logon scripts are not created:
1. Create a new script, defaultlogonscript.bat, using any of the available editors like Notepad and add the line:
   start \\<ADS MachineName>\netlogon\SSCyberoam.exe <IP address of the Cyberoam Server> <Domain>
   E.g., start \\adsmachine\netlogon\sscyberoam.exe 192.168.1.100 elitecore
2. Copy the script defaultlogonscript.bat to the NETLOGON scripts directory. Refer to step 1 to find the location of the NETLOGON scripts directory.
3. Download the Logon Script Updation Utility as shown in the screen shot below and save the script as updatelogonscript.bat in the root directory of the server.
4. Open the command prompt.

Screen - Download User Logon Script Updation utility

5. Execute updatelogonscript.bat at the command prompt as follows:
   updatelogonscript.bat defaultlogonscript.bat
   This will update/add the logon script of the users in the domain to defaultlogonscript.bat.

Whenever the user tries to log on to Windows, the script defaultlogonscript.bat will be executed, which in turn executes the Cyberoam logon program with the Windows username and automatically logs the user in to Cyberoam.

If the user has logged in successfully using the Single Sign on utility, then (S) will be shown next to the username, e.g. Joe (S), in the Live User list.

Logging in to Cyberoam using Client exe/HTTP client

Diagram - Authentication process when a user tries to log on to Cyberoam using the Client exe or HTTP client. Refer to the Cyberoam User Guide for details on downloading the clients.
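Returning to the logon-script steps above: once defaultlogonscript.bat has been pushed to every user, a practitioner wants a quick way to confirm that the scripts still carry the exact SSCyberoam.exe line for the configured Cyberoam IP and domain and launch nothing else. The Python audit below is an added example, not Cyberoam's utility; it assumes a plain batch file with one command per line, and the sample script content (including the mismatching 10.0.0.5 line and the unknownhost line) is constructed.

```python
"""Audit a NETLOGON logon script for the Single Sign on line the guide specifies."""
import re
from typing import Dict, List

# The form the guide gives: start \\<ADS MachineName>\netlogon\SSCyberoam.exe <Cyberoam IP> <Domain>
_SSO_LINE = re.compile(
    r'^\s*start\s+\\\\(?P<host>[^\\\s]+)\\netlogon\\sscyberoam\.exe\s+(?P<ip>\S+)\s+(?P<domain>\S+)\s*$',
    re.IGNORECASE)
# Any other program launched from the script is reported for review.
_ANY_LAUNCH = re.compile(r'^\s*(start|call)\s+(?P<target>\S+)', re.IGNORECASE)


def audit_logon_script(script_text: str, expected_ip: str, expected_domain: str) -> Dict[str, List[str]]:
    """Classify each command line: the expected SSO line, an SSO line pointing at another
    server/domain (configuration drift), or some other launched program."""
    report: Dict[str, List[str]] = {'sso_ok': [], 'sso_mismatch': [], 'other_launch': []}
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(('rem ', '::', '@echo')):
            continue                                    # blank, comment or echo control
        m = _SSO_LINE.match(line)
        if m:
            if m['ip'] == expected_ip and m['domain'].lower() == expected_domain.lower():
                report['sso_ok'].append(line)
            else:
                report['sso_mismatch'].append(line)
            continue
        if _ANY_LAUNCH.match(line):
            report['other_launch'].append(line)
    return report


def script_is_clean(report: Dict[str, List[str]]) -> bool:
    """Exactly one correct SSO line, nothing pointing elsewhere, nothing else launched."""
    return len(report['sso_ok']) == 1 and not report['sso_mismatch'] and not report['other_launch']


# Constructed sample logon script; the guide's own example values are 192.168.1.100 and elitecore.
SAMPLE_SCRIPT = r"""
@echo off
rem defaultlogonscript.bat (constructed sample)
net use H: \\fileserver\home
start \\adsmachine\netlogon\sscyberoam.exe 192.168.1.100 elitecore
start \\adsmachine\netlogon\sscyberoam.exe 10.0.0.5 elitecore
start \\unknownhost\share\tool.exe
"""

if __name__ == '__main__':
    result = audit_logon_script(SAMPLE_SCRIPT, '192.168.1.100', 'elitecore')
    for kind, lines in result.items():
        for entry in lines:
            print(f'{kind:13s} {entry}')
    print('clean' if script_is_clean(result) else 'needs review')
```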

Note
1. If Cyberoam is configured for multiple domains then at the time of login, the user has to provide the full username, i.e. <username>@<domainname>
2. If Cyberoam is configured for a single domain then at the time of login, the user can provide only the username. Cyberoam will append the domain if not provided.
3. If the user is not found in ADS then the message Not able to authenticate will be displayed.
4. If the user is already logged in at the time of updation of expiry date and/or group then the changes will be reflected only at the next login.

Some Exception Conditions
1. The logon script will not execute if ADS is down; the user will not be able to log on to Cyberoam and Internet access will not be available. Once ADS is up, users will have to re-logon.
2. If Cyberoam is down or not reachable, the Cyberoam Single Sign on client will continuously try to log on, and as soon as it is up Internet access will be available.

ADS authentication is an optional method for users to log in to Cyberoam. Using ADS enables you to have central configuration for user accounts.