User-ID Configuration How to configure Active Directory for User-ID based internet access. Nick Pearce 5/11/2015
1 Install and configure the User-ID agent.
Download the .zip file from https://dl.sgcyp.org.uk/pan/user-id.zip to the Domain Controller. Extract the .msi file (UaInstall-6.0.7-10.msi) and launch it whilst logged in as the Domain Administrator. Click [Next, Next, Next], accept the UAC prompt if offered, then click [Close].
After installation, open the Services MMC, locate the User-ID Agent service and open its properties window. Select the Log On tab and change the "Log on as" account from Local System account to the Domain Administrator; see the image below for an example. You may be presented with a message box stating "The account DOMAIN\Administrator has been granted the Log On As A Service right"; this is expected, click [OK]. You will then see a message box stating "The new logon name will not take effect until you stop and restart the service"; this is also expected. Click [OK, OK] and then restart the service.
NB. Running the agent as Domain Administrator grants it far more privilege than it needs to read the Security event log. Palo Alto Networks' own documentation supports a dedicated service account that is a member of the Event Log Readers group (with further built-in group membership only if you enable client probing). If you follow this guide as written, remember that the Domain Administrator credentials are held in the service logon and, encrypted, in the agent's configuration file, so restrict who can read that file.
Launch the Palo Alto Networks User-ID Agent application; you will be presented with a window similar to the one below.
Select the [Setup] option on the left-hand side; the window will now show the Setup panel. Click [Edit] (highlighted in red in the image above) to launch the configuration window.
Enter the Domain Administrator's UPN, e.g. administrator@schooldomain.local, and type the password for that account. Select the Server Monitor tab and ensure the options are configured as shown. Select the Client Probing tab. You do not have to enable these options; if you do, the agent will attempt to connect to devices on the IP addresses it monitors to verify the logged-in users.
Select the Cache tab. Ensure the options are configured as shown. Select the Agent Service tab. Ensure the options are configured as shown.
eDirectory and Syslog are unlikely to be used; leave them at their defaults (shown below) and click [OK].
Select Discovery on the left-hand side and then click [Add] below the Servers area (red). In the window that appears, type the Name of your Domain Controller and its IP Address, and ensure Active Directory is selected as the Server Type. Click [OK]. NB. If there is more than one Domain Controller in the school's AD domain, repeat this step for each Domain Controller; the agent only collects logon events from the servers listed here, so a DC that is missing will leave the users who authenticate against it unmapped.
Click [Add] below the Include / Exclude list of configured networks area (yellow).
o Ensure the Include option is selected.
o Set Name to the school name (with the -31).
o Set the Network Address as above, changing the .x. to the subnet in use by the school.
o Click [OK].
Click [Add] below the Include / Exclude list of configured networks area (yellow) again.
o Ensure the Include option is selected.
o Set Name to the school name (with the -29).
o Set the Network Address as above, changing the .x. to the subnet in use by the school.
o Click [OK].
Click [Add] below the Include / Exclude list of configured networks area (yellow) again.
o Ensure the Exclude option is selected this time.
o Set Name to Domain Server (if you have multiple DCs, add a number to the end), or to the actual name of your Domain Controllers if you prefer.
o Set the Network Address to the exact IP address of the Domain Controller, changing the .x.x to the correct values.
o Click [OK].
Excluding the Domain Controllers stops the administrator and service logons that occur on the DCs themselves from being recorded as user-to-IP mappings.
You should now be back at the main window. Click [Commit] (you may have to wait a couple of seconds before [Commit] becomes available) to save and apply the settings; the service will reload and User-ID information will start to be collected. You can monitor this from the Monitoring option on the left-hand side of the main window.
2 Active Directory Configuration.
Add a new OU to your Active Directory (this is for cleanliness) called PAN-DOMAIN-Groups (where DOMAIN = the NETBIOS domain name). In the new OU, create a user called PAN-DOMAIN-Read (where DOMAIN = the NETBIOS domain name). This user account requires no special configuration; it should be a member of the Domain Users group only. Ensure that both "User cannot change password" and "Password never expires" are enabled. NB. Even though this account has no special privileges, I would recommend setting a complex password. This URL may help (Password Generator); it is configured to generate a password that is 16 characters long and contains numbers, upper-case letters, lower-case letters and allowable symbols (example password: !u=^2$f#=u-wqv^b).
Create two new AD groups (where DOMAIN = the NETBIOS domain name):
o PAN-DOMAIN-Admin-InternetAccess
o PAN-DOMAIN-Teacher-InternetAccess
Add the Admin Staff accounts to the PAN-DOMAIN-Admin-InternetAccess group. Add the Teaching Staff accounts to the PAN-DOMAIN-Teacher-InternetAccess group.
You will need to deploy the Root CA Certificate (included in the User-ID .zip file you downloaded originally) to the Trusted Root Certification Authorities container for the Local Computer on all machines in the school's AD domain. In addition, the certificate should also be deployed to any non-domain-joined devices (iPads, Android tablets, etc.).
Due to a limitation in the way Apple allows third-party apps to interact with iOS, and the way Google has chosen to implement the Chrome app for iOS, Google Chrome will not work correctly on Apple products running iOS (iPhones, iPads, iPods, etc.) when SSL decryption is being performed. It is fine on other Apple operating systems. In this situation the workaround is to use the built-in Safari browser or another iOS browser app that works within the boundaries set by Apple.
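The Active Directory steps above, and the per-machine Root CA import, as a PowerShell script. This is an added example, not part of the original guide: it assumes the RSAT ActiveDirectory and PKI modules are available on the Domain Controller, that the Root CA file extracted from user-id.zip has been saved as C:\Temp\PAN-RootCA.cer (the real file name is whatever is in the .zip), and the sample member names office.admin1 and teacher1 are placeholders for the real staff accounts.

```powershell
# Added example (not from the original guide): creates the OU, read-only bind
# account and the two InternetAccess groups from section 2, then imports the
# Root CA certificate into the local machine's Trusted Root store and checks it.
# Assumptions (not in the original): the Root CA file is C:\Temp\PAN-RootCA.cer,
# and office.admin1 / teacher1 are placeholder accounts.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName            # DOMAIN in PAN-DOMAIN-*
$ouName  = "PAN-$netbios-Groups"
$ouDN    = "OU=$ouName,$($domain.DistinguishedName)"

# 1. OU for cleanliness (idempotent: only create it if it does not exist)
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domain.DistinguishedName)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# 2. Read-only bind account: Domain Users only (the default primary group),
#    "User cannot change password" and "Password never expires" both set.
$readName = "PAN-$netbios-Read"
$password = Read-Host -AsSecureString "Password for $readName (16+ characters, mixed character classes)"
New-ADUser -Name $readName -SamAccountName $readName `
    -UserPrincipalName "$readName@$($domain.DNSRoot)" `
    -Path $ouDN -AccountPassword $password -Enabled $true `
    -CannotChangePassword $true -PasswordNeverExpires $true

# 3. The two groups the firewall policy will match on
$groups = @("PAN-$netbios-Admin-InternetAccess", "PAN-$netbios-Teacher-InternetAccess")
foreach ($g in $groups) {
    New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $ouDN
}
# Placeholder memberships; replace with the real Admin and Teaching staff accounts
Add-ADGroupMember -Identity $groups[0] -Members 'office.admin1'
Add-ADGroupMember -Identity $groups[1] -Members 'teacher1'

# 4. Root CA into the machine-wide Trusted Root store on this machine. For every
#    domain-joined machine, publish the same file via Group Policy instead:
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Public Key Policies > Trusted Root Certification Authorities.
$cert = Import-Certificate -FilePath 'C:\Temp\PAN-RootCA.cer' -CertStoreLocation Cert:\LocalMachine\Root

# 5. Check: the CA is present in the store and not yet expired
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint -and $_.NotAfter -gt (Get-Date) } |
    Select-Object Subject, Thumbprint, NotAfter
```

Run the script once as a domain administrator on the DC; the final Get-ChildItem line should print the CA's subject and expiry, and the same Where-Object check can be run on any workstation to confirm the GPO deployment has landed before SSL decryption is switched on.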
SSL decryption is being used to enable the filtering of certain search-engine requests and to catch attempts to access proxy-avoidance websites which would enable safeguarding policies to be bypassed. The traffic is decrypted on the Firewall and is not exported or accessible to any individual.
3 Information that needs to be provided to SG IT.
I will need the following information from you so I can configure the firewall to provide the granular filtering for Admin and Teaching staff. This should be emailed to servicedesk@sgcyp.org.uk with a meaningful subject line and marked for the attention of Nick Pearce.
o IP Address of the Domain Controller(s)
o AD Domain Name (FQDN)
o AD Domain Name (NETBIOS)
o AD OU Distinguished Name
o AD User Distinguished Name and Password
o AD Group Distinguished Names
o LDAP configuration: are you using LDAPS? If so, I will need a copy of the public certificate.
o Confirmation that the Root CA Certificate has been deployed to all machines/devices. If this is not done, it will result in a degraded experience for users (certificate warnings on every decrypted HTTPS site).
o A copy of the configuration file. By default (on a 64-bit server) this is "C:\Program Files (x86)\Palo Alto Networks\User-ID Agent\UserIDAgentConfig.xml".
NB. This file contains all of the configuration settings you have configured above, including the user account that the agent uses to obtain the User-ID/IP mappings; it is needed to aid any troubleshooting that may be required.
NB. If you open this file, you will see that there is an authentication entry just below the general-settings section. At the end of this line is an encrypted version of the password entered for the specified user account (the Domain Administrator). I want to confirm that I cannot reverse this encryption to discover the entered password, but if you would prefer to remove it anyway, please delete the password= ################### entry from that line and leave the rest of the file as-is.
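A PowerShell script that gathers the items listed in section 3, tests whether LDAPS is answering and saves its certificate, and makes a copy of the agent configuration with the encrypted password removed. This is an added example, not part of the original guide: it assumes the objects were created with the section 2 names, that the agent is installed at the default 64-bit path, and that the encrypted password appears in the XML as an attribute written password="..." (the guide only says the line ends with password= followed by the value; adjust the pattern if your file differs).

```powershell
# Added example (not from the original guide): collects the details SG IT asks
# for in section 3 into a text file on the desktop, checks LDAPS on port 636,
# exports the LDAPS certificate, and copies UserIDAgentConfig.xml with the
# encrypted Domain Administrator password stripped.
# Assumptions (not in the original): section 2 names, default agent path, and
# the password stored as an XML attribute of the form password="...".
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName
$desktop = "$env:USERPROFILE\Desktop"
$out     = "$desktop\PAN-UserID-info.txt"
$lines   = @()

$lines += "AD Domain Name FQDN    : $($domain.DNSRoot)"
$lines += "AD Domain Name NETBIOS : $netbios"
foreach ($dc in Get-ADDomainController -Filter *) {
    $lines += "Domain Controller      : $($dc.HostName) $($dc.IPv4Address)"
}
$ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=PAN-$netbios-Groups)" -SearchBase $domain.DistinguishedName
$lines += "AD OU DN               : $($ou.DistinguishedName)"
$lines += "AD User DN             : $((Get-ADUser "PAN-$netbios-Read").DistinguishedName)"
foreach ($g in "PAN-$netbios-Admin-InternetAccess", "PAN-$netbios-Teacher-InternetAccess") {
    $lines += "AD Group DN            : $((Get-ADGroup $g).DistinguishedName)"
}

# LDAPS check: open a TLS session to 636 on one DC and save the certificate it
# presents. The validation callback returns $true because we are exporting the
# certificate for the firewall to trust, not trusting it ourselves here.
$dcHost = (Get-ADDomainController).HostName
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($dcHost, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($dcHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $cerPath = "$desktop\ldaps-$dcHost.cer"
    [System.IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))   # DER, public part only
    $lines += "LDAPS                  : yes; certificate saved to $cerPath (subject $($cert.Subject), expires $($cert.NotAfter))"
    $ssl.Dispose(); $tcp.Close()
} catch {
    $lines += "LDAPS                  : not available on ${dcHost}:636 ($($_.Exception.Message))"
}

# Copy of the agent configuration with the encrypted password attribute removed
$cfg  = 'C:\Program Files (x86)\Palo Alto Networks\User-ID Agent\UserIDAgentConfig.xml'
$copy = "$desktop\UserIDAgentConfig.xml"
(Get-Content $cfg -Raw) -replace '\s*password="[^"]*"', '' | Set-Content $copy
$lines += "Config copy            : $copy (password attribute stripped)"

$lines | Set-Content $out
Get-Content $out
```

The script deliberately does not write the PAN-DOMAIN-Read password anywhere; add it to the email by hand. Before sending, open the copied UserIDAgentConfig.xml and confirm the authentication line no longer carries a password value, since the regular expression only matches the attribute form assumed above.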