ADS Integration Guide



Similar documents
CORPORATE HEADQUARTERS Elitecore Technologies Ltd. 904 Silicon Tower, Off. C.G. Road, Ahmedabad , INDIA

Radius Integration Guide Version 9

CYBEROAM WINDOWS DOMAIN CONTROLLER INTEGRATION GUIDE VERSION:

HTTP Client Installation Guide Version 9

High Availability Configuration Guide Version 9

CORPORATE HEADQUARTERS Elitecore Technologies Ltd. 904 Silicon Tower, Off. C.G. Road, Ahmedabad , INDIA

Cyberoam Multi link Implementation Guide Version 9

Virtual LAN Configuration Guide Version 9

Cyberoam Anti Spam Implementation Guide Version 9

IPSec VPN Client Installation Guide. Version 4

Cyberoam IPSec VPN Client Configuration Guide Version 4

SSL VPN Client Installation Guide Version 9

SOFTWARE LICENSE LIMITED WARRANTY

Cyberoam Anti Virus Implementation Guide Version 9

Cyberoam Anti Spam Configuration Guide Version 9

Cyberoam Configuration Guide for VPNC Interoperability Testing using DES Encryption Algorithm

User Guide Version 9 Document version /03/2007

Cyberoam Anti Spam Implementation Guide Version 9

SSL VPN Management Guide Version 10

Version: 4.10 Build 010 Date: April, 2008

Cyberoam Virtual Security Appliance - Installation Guide for XenServer. Version 10

Thin Client Solution Installation Guide Version

User Guide Version 9.5.8

Cyberoam Virtual Security Appliance - Installation Guide for VMware ESX/ESXi. Version 10

How To - Implement Single Sign On Authentication with Active Directory

Deploying Virtual Cyberoam Appliance in the Amazon Cloud Version 10

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

Application Note. Intelligent Application Gateway with SA server using AD password and OTP

Svn.spamsvn110. QuickStart Guide to Authentication. WebTitan Version 5

Unified Threat Management

Self Help Guides. Create a New User in a Domain

empower Authentication Manual, Version 3.7

axsguard Gatekeeper Internet Redundancy How To v1.2

4.0. Offline Folder Wizard. User Guide

Setup Guide Access Manager 3.2 SP3

Defender Delegated Administration. User Guide

EMC Data Domain Management Center

Ektron CMS400.NET Virtual Staging Server Manual Version 7.5, Revision 1

HP Device Manager 4.7

Installing Policy Patrol on a separate machine

Dell One Identity Cloud Access Manager How to Configure for High Availability

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

Quest ChangeAuditor 5.1 FOR ACTIVE DIRECTORY. User Guide

Dell One Identity Cloud Access Manager How to Configure Microsoft Office 365

formerly Help Desk Authority Upgrade Guide

Active Directory Change Notifier Quick Start Guide

SSL VPN User Guide Version 10

Quick Start Guide for VMware and Windows 7

DameWare Server. Administrator Guide

Installation Guide Supplement

Quick Connect Express for Active Directory

Sample Configuration: Cisco UCS, LDAP and Active Directory

Application Note. Gemalto s SA Server and OpenLDAP

Internet Redundancy How To. Version 8.0.0

Dell One Identity Cloud Access Manager How to Configure vworkspace Integration

VCCC Appliance VMware Server Installation Guide

Installing the IPSecuritas IPSec Client

MiSync Personal for Beams

Nexio Connectus with Nexio G-Scribe

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

Application Note. SA Server and ADAM

Dell Statistica Document Management System (SDMS) Installation Instructions

Defender 5.7. Remote Access User Guide

Dell One Identity Cloud Access Manager Installation Guide

DIGIPASS Authentication for Citrix Access Gateway VPN Connections

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

By the Citrix Publications Department. Citrix Systems, Inc.

Quick Start Guide for Parallels Virtuozzo

Strong Authentication for Juniper Networks SSL VPN

TelePresence Migrating TelePresence Management Suite (TMS) to a New Server

RealPresence Platform Director

HP IMC Firewall Manager

Integrated Citrix Servers

Dell Recovery Manager for Active Directory 8.6. Quick Start Guide

HP A-IMC Firewall Manager

Installation Guide. Squid Web Proxy Cache. Websense Enterprise Websense Web Security Suite. v for use with

Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6

Application Note. Citrix Presentation Server through a Citrix Web Interface with OTP only

DC Agent Troubleshooting

Interworks. Interworks Cloud Platform Installation Guide

Copy Tool For Dynamics CRM 2013

Synology NAS Server Mail Station User Guide

Dell InTrust Preparing for Auditing and Monitoring Microsoft IIS

Symantec Managed PKI. Integration Guide for ActiveSync

Dell Spotlight on Active Directory Deployment Guide

Dell Statistica Statistica Enterprise Installation Instructions

SafeNet Cisco AnyConnect Client. Configuration Guide

Symantec Event Collector 4.3 for Microsoft Windows Quick Reference

Adeptia Suite LDAP Integration Guide

Using Logon Agent for Transparent User Identification

LDAP Synchronization Agent Configuration Guide for

Transparent Identification of Users

Microsoft Dynamics GP. Workflow Installation Guide Release 10.0

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Remote Filtering Software

Dell Unified Communications Command Suite - Diagnostics 8.0. Data Recorder User Guide

Transcription:

ADS Integration Guide Document version 9402-1.0-18/10/2006

Cyberoam ADS Integration Guide IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice. USER S LICENSE The Appliance described in this document is furnished under the terms of Elitecore s End User license agreement. Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund. LIMITED WARRANTY Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications except for the foregoing, the software is provided AS IS. This limited warranty extends only to the customer as the original licenses. Customers exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore or its service center s option, repair, replacement, or refund of the software if reported (or, upon, request, returned) to the party supplying the software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the software without problems or interruptions. Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and the performance thereof is under warranty provided by Kaspersky Labs. It is specified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus. Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and electrical components will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware. DISCLAIMER OF WARRANTY Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any implied warranty or merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade practice, and hereby excluded to the extent allowed by applicable law. In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such damages. In the event shall Elitecore s or its supplier s liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose. In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages. RESTRICTED RIGHTS Copyright 2000 Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Elitecore Technologies Ltd. Information supplies by Elitecore Technologies Ltd. Is believed to be accurate and reliable at the time of printing, but Elitecore Technologies assumes no responsibility for any errors that may appear in this documents. Elitecore Technologies reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice CORPORATE HEADQUARTERS Elitecore Technologies Ltd. 904 Silicon Tower, Off. C.G. Road, Ahmedabad 380015, INDIA Phone: +91-79-26405600 Fax: +91-79-26407640 Web site: www.elitecore.com, www.cyberoam.com

Cyberoam ADS Integration Guide Guide Sets Guide User Guide Console Guide Windows Client Guide Linux Client Guide HTTP Client Guide Analytical Tool Guide LDAP Integration Guide ADS Integration Guide PDC Integration Guide RADIUS Integration Guide High Availability Configuration Guide Data transfer Management Guide Multi Link Manager User Guide VPN Management Cyberoam IDP Implementation Guide Cyberoam Anti Virus Implementation Guide Cyberoam Anti Spam Implementation Guide Describes Console Management Installation & configuration of Cyberoam Windows Client Installation & configuration of Cyberoam Linux Client Installation & configuration of Cyberoam HTTP Client Using the Analytical tool for diagnosing and troubleshooting common problems Configuration for integrating LDAP with Cyberoam for external authentication Configuration for integrating ADS with Cyberoam for external authentication Configuration for integrating PDC with Cyberoam for authentication Configuration for integrating RADIUS with Cyberoam for external authentication Configuration of High Availability (HA) Configuration and Management of user based data transfer policy Configuration of Multiple Gateways, load balancing and failover Implementing and managing VPN Configuring, implementing and managing Intrusion Detection and Prevention Configuring and implementing anti virus solution Configuring and implementing anti spam solution

Cyberoam ADS Integration Guide Technical Support You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address: Corporate Office elitecore Technologies Ltd. 904, Silicon Tower Off C.G. Road Ahmedabad 380015 Gujarat, India. Phone: +91-79-26405600 Fax: +91-79-26407640 Web site: www.elitecore.com Cyberoam contact: Technical support (Corporate Office): +91-79-26400707 Email: support@cyberoam.com Web site: www.cyberoam.com Visit www.cyberoam.com for the regional and latest contact information.

Cyberoam ADS Integration Guide Typographic Conventions Material in this manual is presented in text, screen displays, or command-line notation. Item Convention Example Server Client User Username Part titles Bold and shaded font typefaces Machine where Cyberoam Software - Server component is installed Machine where Cyberoam Software - Client component is installed The end user Username uniquely identifies the user of the system Report Topic titles Shaded font typefaces Introduction Subtitles Bold & Black typefaces Notation conventions Navigation link Bold typeface Group Management Groups Create it means, to open the required page click on Group management then on Groups and finally click Create tab Name of a particular parameter / field / command button text Cross references Lowercase italic type Hyperlink in different color Enter policy name, replace policy name with the specific name of a policy Or Click Name to select where Name denotes command button text which is to be clicked refer to Customizing User database Clicking on the link will open the particular topic Notes & points to remember Prerequisites Bold typeface between the black borders Bold typefaces between the black borders Note Prerequisite Prerequisite details

Cyberoam ADS Integration Guide Overview Welcome to the Cyberoam s - ADS Integration Guide. Cyberoam is an Identity-based UTM Appliance. Cyberoam s solution is purpose-built to meet the security needs of corporates, government organizations, and educational institutions. Cyberoam s perfect blend of best-of-breed solutions includes User based Firewall, Content filtering, Anti Virus, Anti Spam, Intrusion Detection and Prevention (IDP), and VPN. Cyberoam provides increased LAN security by providing separate port for connecting to the publicly accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ which are visible the external world and still have firewall protection. Once you have installed and placed Cyberoam, default policy is automatically applied which will allow complete network traffic to pass through Cyberoam. This will allow you to monitor user activity in your Network based on default policy. As Cyberoam monitors and logs user activity based on IP address, all the reports are generated based on IP address. To monitor and log user activities based on User names or logon names, you have to configure Cyberoam for integrating user information and authentication process. Integration will identify access request based on User names and generate reports based on Usernames. When the user attempts to access, Cyberoam requests a user name and password and authenticates the user's credentials before giving access. User level authentication can be performed using the local user database on the Cyberoam, an External ADS server, Windows Domain Controller, or LDAP server. To set up user database 1. Integrate ADS, Domain Controller or LDAP if external authentication is required. If your Network uses Active Directory Services, configure Cyberoam to communicate your ADS. Refer to ADS Integration for more details. If your Network uses Windows Domain Controller, configure for Cyberoam to communicate with Windows Domain Controller. Refer to PDC Integration for more details. If your Network uses LDAP, configure for Cyberoam to communicate with LDAP server. Refer to LDAP Integration for more details. If your Network uses RADIUS server, configure for Cyberoam to communicate with RADIUS server. Refer to RADIUS Integration Guide for more details. 2. Configure for local authentication. 3. Register user Introduction to ADS Using Active Directory maximizes accuracy in identifying users as it identifies users in a realtime manner, as they log on to domains. This enables Cyberoam to accurately filter Internet access based on policies assigned to particular users or groups.

Cyberoam ADS Integration Guide Cyberoam ADS integration feature allows Cyberoam to map the users and groups from ADS for the purpose of authentication. This enables Cyberoam to transparently identify the network users. Cyberoam communicates with Windows Directory Services Active directory (AD) to authenticate user based on groups, domains and origanizational units. Whenever the exisiting user(s) in ADS logs on for the first time after configuration, user gets automatically created in Cyberoam and is assigned to the default group. If the Groups are already created in Cyberoam, User(s) will be created in the respective Groups i.e. the ADS User Groups will be mapped to Cyberoam User Groups. In case user is already created and there is change in expiry date or group name, user will be logged in with the changes. Administrator s task is just to configure Cyberoam to communicate with ADS. ADS Authentication Process User has to be authenticated by Cyberoam before accessing any resources controlled by Cyberoam. This authentication mechanism allows Users to access using their Windows authentication tokens (login/user name and password) in the Windows-based directory services. User sends the log on request/user authentication request to ADS and ADS authenticates user against the directory objects created in ADS. Once the user is authenticated, Cyberoam communicates with ADS to get the additional authorization data such as user name, password,user groups and expiry date as per the configuration and is used to control the access. Note If the ADS is down then the authentication request will always return Wrong username/password message It is necessary to have shared NETLOGON directory on ADS with the following permissions: Read, Read & Execute, List Folder Contents Note It is possible to authenticate Users of multiple ADS servers and multiple domains

Cyberoam ADS Integration Guide Configuring for ADS Integration For configuring Cyberoam to communicate with ADS, it is necessary to locate an Active Directory server (domain controller) for logging on to a domain and then finding the information that you need in Active Directory. Both processes use name resolution. Domain controller can be found by using DNS names or Network Basic Input/Output System (NetBIOS) names. When locating a domain controller, the Domain Name System (DNS) resolves a domain name or computer name to an Internet Protocol (IP) address. Every domain controller registers two types of names at startup: 4. A DNS domain name with the DNS service and IP Address 5. A NetBIOS name It is possible that registered DNS domain name and NetBIOS name are different. When a user logs on to a domain, the computer must do one of two things: 1. If the name of the logon domain is a DNS name, query is placed to DNS to find a domain controller with which to authenticate. 2. If the name of the logon domain is a NetBIOS name, the computer finds a domain controller for the specified domain. For this ensure that Users can connect to domain controller in your network. Connections to the domain controllers are enabled automatically during the Active Directory setup. Verify the connection from User machine using ping or a similar utility. Select User Authentication Settings to open configuration page

Cyberoam ADS Integration Guide Screen ADS Integration Screen Elements Description Configure Authentication & Integration parameters Integrate with Select Active directory as authentication server Default Group Update button Add button Cyberoam dynamically maps active directory groups to respective Cyberoam groups on each logon. Allows to select default group for users Click Default Group list to select Updates and saves the configuration Allows to add ADS server Refer Add ADS Server for details Table ADS Integration screen elements

Cyberoam ADS Integration User Guide Add ADS Server Add ADS Server Screen ADS Server configuration Screen Elements Add ADS Server Details ADS Server IP Port NetBIOS Domain ADS Username Password Test Connection button Add button Description Specify ADS Server IP Address Specify Port number over which ADS Server will communicate Default port is 389 Specify NetBIOS Domain name Specify Administrator Username Specify Password of Administrator Username Allows to check the connectivity of Cyberoam with ADS server Click to check Saves the server configuration and allows to add the Domain query for name resolution and authentication Click Add to add the domain query Cancel button Refer to Add Domain Query for more details Cancels the current operation Table ADS Server configuration screen elements

Cyberoam ADS Integration User Guide Add Domain Query Add Domain Query Screen Domain Query

Cyberoam ADS Integration User Guide Add Domain Query Screen Elements Domain Details Domain Name Search DN Add button Description Domain name to which the query is to be added Displays list of queries List order indicates preference of query for the name resolution. If more than one query exists, query will be resolved according to the order specified. Allows to add the query Click to add Opens a Search query dialog box and allows to enter the name resolution query Refer to How to build a Search DN Query for details Remove button Move Up button Click OK to save Click Cancel to cancel the current operation Allows to remove the query Click the query to be removed Click to remove Changes the order of query when more than one query is defined Moves the selected query one step up Move down button Click query which is to be moved up Click MoveUp Changes the order of query when more than one query is defined Moves the selected query one step down Save button Cancel button Click query which is to be moved down Click MoveUp Saves the configuration Click to save Cancels the current operation Table Domain Query screen elements How to build Search DN Query To search for the user in Active Directory, DN Query is placed. Query contains 3 components: domain component (dc), organizational unit (ou), common name (cn). For example, when for fully qualified domain name cyberoam.elitecore.com, user is created under ou support and cn administrator the query is written as: cn=administrator,ou=support, dc=cyberoam, dc=elitecore, dc=com

Cyberoam ADS Integration User Guide Single Sign on Client Configuration Connectivity check Connection to ADS is enabled automatically during Active Directory setup, but as ADS server is used for authenticating users it is necessary to check whether Cyberoam is able to connect to ADS or not. Connectivity can be checked: 1. At the time of adding ADS server details or 2. After adding ADS server details Select User External Authentication and click ADS Server IP which is to tested for connection. Click Test Connection button.

Cyberoam ADS Integration User Guide Single Sign on Client Configuration Single Sign on Client Configuration If user is configured for Single sign on, whenever User logs on to Windows, user is automatically logged to the Cyberoam also. Single sign on provides password synchronization for Windows users using Active Directory services and Cyberoam. i.e. if the user is configured for Single sign on, whenever User logs on to Windows, user is automatically logged to Cyberoam also. This will also enable Users to check their My Account using their windows password. Follow the procedure to configure for Single Sign on login utility and ADS authentication. Step 1 Download the Cyberoam Single Sign on client as shown in the below screen shot and save SSCyberoam.exe to the NETLOGON scripts directory on the domain controller or as per your configuration. The logon scripts contain the configuration parameters for the initial user environment. The default location of NETLOGON directory is as given below: Server OS Windows 2000 Windows 2003 NETLOGON default location %SYSTEMROOT%/SYSVOL/sysvol/%USERDNSDOMAIN%/Scripts %SYSTEMROOT%/SYSVOL/sysvol/%USERDNSDOMAIN%/Scripts Table - Default NETLOGON directory location

Cyberoam ADS Integration User Guide Single Sign on Client Configuration Screen - Download Single sign on Client Go to step 2 if logon scripts for the Users are already created Go to step 3 if logon scripts for the Users are not created Ok, Step 2 If the logon scripts are already created, then Update them. Edit the logon script using any of the available Editors like Notepad and add the following line in the script and save the script: start \\ADS MachineName\netlogon\SSCyberoam.exe IP address of the Cyberoam Server Domain E.g., start \\adsmachinename\netlogon\sscyberoam.exe 192.168.1.100 elitecore Whenever the User tries to logon in Windows, the logon script will be executed. The above statement in logon script executes the Cyberoam logon program with the Windows Username and automatically logs in User to the Cyberoam. Step 3 If the logon scripts are not created Create a new script - defaultlogonscript.bat using any of the available Editor like Notepad Add line start \\ADSMachineName\netlogon\SSCyberoam.exe IP address of the Cyberoam Server Domain E.g., start \\adsmachine\netlogon\sscyberoam.exe 192.168.1.100 elitecore Copy the script - defaultlogonscript.bat to NETLOGON scripts directory. Refer to step 1 to find location of the NETLOGON scripts directory Download Logon Script Updation Utility as shown in the below screen shot and save the script as updatelogonscript.bat in the root directory of the server Open the command prompt

Cyberoam ADS Integration User Guide Single Sign on Client Configuration Screen - Download User Logon Script Updation utility Execute updatelogonscript.bat at the command prompt as follows: updatelogonscript.bat defaultlogonscript.bat This will update/add the logon script of the Users in the domain to defaultlogonscript.bat Whenever the User tries to logon in Windows, the script defaultlogonscript.bat will be executed which in turn executes the Cyberoam logon program with the Windows Username and automatically logs in User to the Cyberoam. If the User has logged in successfully using Single Sign on utility, then (S) will be shown next to the Username e.g. Joe (S) in the Live User list Logging to Cyberoam using Client exe/http client Diagram shows authentication process when user tries to log on to Cyberoam using Client exe or http client. Refer to Cyberoam User Guide for details on downloading the clients.

Cyberoam ADS Integration User Guide Single Sign on Client Configuration Note 1. If Cyberoam is configured for multiple Domains then at the time of login, user has to provide full username i.e <username>@<domainname> 2. If Cyberoam is configured for single Domain then at the time of login, user can provide only the username. Cyberoam will append the domain if not provided. 3. If the user is not found in ADS then the message Not able to authenticate will be displayed 4. If user is already logged in at the time of updations of expiry date and/or group then the changes will be reflected only at the next login Some Exception Conditions 1. Logon script will not execute if ADS is down and User will not be able to log on to Cyberoam and Internet access will not be available Once ADS is up, Users will have to re-logon 2. If Cyberoam is down or not reachable, the Cyberoam Single Sign client will continuously try to logon, and as soon as it is up Internet access will be available ADS authentication is an optional method for users to log in to Cyber am. Using ADS enables you to have central configuration for user account.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information