Directory Connector SonicWALL Directory Services Connector 3.1.7 Contents Platform Compatibility... 1 New Features... 2 Known Issues... 3 Resolved Issues... 4 Overview... 7 About SonicWALL Single Sign-On and the Single Sign-On Agent... 9 About Active Directory and the SonicWALL ADConnector... 14 About Novell edirectory and the SonicWALL NDConnector... 17 Related Technical Documentation... 21 Platform Compatibility SonicWALL Directory Services Connector version 3.1.7 software is a supported release for use with the following SonicWALL platforms: NSA 240 / 2400 / 3500 / 4500 / 5000 running SonicOS Enhanced 5.0 and above NSA E-Class E5500 / E6500 / E7500 running SonicOS Enhanced 5.0 and above TZ 210 / 210W / 190 / 190W / 180 / 180W running SonicOS Enhanced 4.0 and above PRO 2040 / 3060 / 4060 / 4100 / 5060 running SonicOS Enhanced 4.0 and above CSM 2200 / 3200 running SonicOS CF 2.6 and above SonicWALL Directory Services Connector version 3.1.7 is supported for installation on the following operating systems: Windows 32-bit: o Windows Server 2008 o Windows Server 2003 o Windows Server 2000 Windows 64-bit: o Windows Server 2008 o Windows Server 2003 o Windows Server 2000 On all Windows 32-bit and 64-bit systems, a.net Framework must be installed. The following versions of.net Framework are supported:.net Framework 2.0.Net Framework 3.0.Net Framework 3.5 Note: The following Microsoft Windows operating systems and service packs are not supported with this version of SonicWALL Directory Connector: Windows Vista All versions Windows XP All versions Windows 2000 All versions P/N 232-001717-00 Rev A
New Features SonicWALL Directory Services Connector 3.1.7 supports the following new and upcoming features: The SonicWALL Single Sign-On Agent supports an enhanced protocol with features such as better optimized messaging and a new error recovery mechanism. This will provide for better scalability when used with SonicOS Enhanced 5.5 and higher. Note that the SSO Agent is fully backwards with older appliance firmware, but without these enhancements. SonicWALL NDConnector can be used with SonicWALL SSO to authenticate Novell users passing through SonicWALL UTM appliances beginning with SonicOS Enhanced 5.5. The Directory Connector Configurator Action menu provides access to the Diagnostic Tool for troubleshooting, and to the list of Windows Service Users that are configured on the SonicWALL appliance. Diagnostic Tool: Windows Service Users: The View Logs window in the SonicWALL SSO Agent Configurator now has a paging option. 2
Known Issues This section contains a list of known issues in the SonicWALL Directory Services Connector 3.1.7 release. Configurator Clicking the scrollbar when editing SonicWALL appliance settings causes any changes to revert to the previous values. Occurs when changes are made in the Edit SonicWALL Appliance window, and then the scrollbar is used before clicking the Apply button. 81575 The Help link is not enabled in the Directory Connector configuration tool. The Directory Connector Configurator tool cannot view or edit the configuration of a second appliance. Policies Occurs because no online help is available for the Directory Connector configuration tool. Occurs when the same friendly name is used when adding the second appliance. Workaround: Use a unique friendly name for each appliance. 81464 79426 There 3 different symptoms observed when viewing SonicWALL CSM policies: 1) Connector does not display any policies available on the CSM appliance. 2) Connector displays only some of the policies available on the CSM appliance. 3) Connector logs errors related to CSM policies Occurs when viewing the Policies tab just after installing ADC/NDC and configuring the SonicWALL CSM appliance settings. Workaround: Before attempting to view policies, synchronize policies through the CSM by visiting the Policy > Policy List tab. Once policies are synchronized, everything works as expected. 81156 Single Sign-On On Windows Server 2008, Single Sign-On does not start after the Directory Connector installation. Occurs when the Directory Connector installer prompts the user to install the.net framework, but fails to install it without informing the user of the failure. Workaround: Install.NET Framework 2.0 before installing SonicWALL Directory Connector or SSO. 81154 Upgrading The Directory Connector installer creates a separate installation instead of upgrading the existing ADConnector, resulting in two separate connectors on the system: ADConnector and Directory Connector. Occurs when upgrading from ADConnector 2.0.28 to Directory Connector 3.1.7. Workaround: Uninstall the old version of ADConnector before installing the new Directory Connector. 77574 The upgrade fails to complete because the installer cannot find the SonicWALL Directory Connector MSI file after the computer reboots. If found manually, allowing completion of the upgrade, the Directory Connector splash screen stays on top of the tool indefinitely when the tool is first started. Occurs when upgrading Directory Connector from the current web-posted version. Workaround: When the installer reports that the "SonicWALL Directory Connector.msi" file cannot be found, searching for the missing file and pointing the installer to it will allow the installation to finish. 77502 3
Resolved Issues This section contains a list of issues that are resolved in the SonicWALL Directory Services Connector 3.1.7 release. ADConnector The ADConnector does not support.net framework 2.0. Occurs when the ADConnector is installed after installing.net framework 2.0. Workaround: Use.NET framework 1.1 with the ADConnector. 49966 SonicOS CF on the CSM logs frequent timeouts from the ADConnector regarding the ADConnector computer. Configurator Occurs when the CSM and the ADConnector computer are both under minimal load. 46239 The Directory Connector Configurator tool displays incorrect version information on the main screen. Occurs when using Help > About SonicWALL Directory Connector to view version information. Workaround: View the support information in the Control Panel > Add/Remove Programs window. 81449 The Diagnostic Tool (DCON) utility needs to be included in the Directory Connector Configurator for troubleshooting. Installation Needed to help SonicWALL Technical Support and customers find any latency, network-related, or Windows Firewall-related issues. This is now available as Actions > Diagnostic Tool. 79651 The words Configure and Privileges are misspelled in the installation wizard. Occurs when attempting to install SSO. The words in the User Configuration window are misspelled as cofigure and priviliges. 78854 Instructions in the installation wizard are difficult to read. Occurs when installing Directory Connector. The text is overlapped by lines, which make the instructions difficult to read. 77507 4
Log CPU usage spikes to between 50% and 100% when using the built-in log viewer in the Directory Connector console. Occurs when log levels are set to 2 or 3, or when log size is large. 81157 Directory Connector 3.1.3: Event log messages for System and Privileges are misspelled. The ViewLogs window is too small and is not resizable, and Users and Hosts window is too small and the data display does not adapt when the window is resized. More diagnostic log messages are needed. Event log gives an SSO Agent error. NDConnector Occurs when using SSO and App Logs; the two messages are misspelled as Syetms and Priviledges. Occurs when viewing the ViewLogs or Users and Hosts windows for a SonicWALL SSO Agent in the Directory Connector Configuation Tool. A paging option is now available for the ViewLogs window, and the other issues are corrected. Needed when using log levels of 2 or 3 in debug mode. Occurs when attempting to access the Internet as a user who is not part of the domain. 79488 79451 79450 53753 Upgrading from the NDConnector 1.0.03 causes the CSM and edirectory tree to become unavailable. Occurs when the NDC MMC loses its configuration after the upgrade. Workaround: Perform a fresh install of the NDConnector 1.0.05 instead of upgrading. 49281 Policies Console throws unhandled exception when Occurs when using policy search feature on 81807 using ADConnector. ADConnector running on Windows 2008. ADConnector does not display the last policy, preventing the administrator from assigning it to domain users. Occurs when at least six policies are created on a SonicWALL CSM, and then ADConnector is used to assign the policies to domain users. 67320 5
Single Sign-On Agent A user who is not logged into the domain is still authenticated by Single Sign-On. Occurs when the user is logged in as a local PC user to a computer on the LAN which has joined the domain, and then is able to access a WAN side IP address. 81477 SonicWALL SSO Agent service fails to start automatically after installation. Occurs when SonicWALL Directory Connector is installed on Windows Server 2008 with Windows XP SP2 compatibility, even when the user enters the correct domain user and password. The service will not start until the user manually reenters the domain password from the services.msc tool. 73671 The SonicWALL SSO Agent tool does not display the service and SonicWALL appliance configuration in the configuration tree. After installing SSO on Windows Server 2008, neither the installer nor the agent console is able to start the SSO service and the user is not able to change, remove, or repair SSO. Occurs when SonicWALL Directory Connector is installed on Windows Server 2008 64-bit with Windows XP SP2 compatibility. Occurs when SonicWALL SSO is installed on Windows Server 2008 without first modifying the installer properties to enable Windows XP SP2 compatibility. 73667 73512 Uninstalling Uninstalling Directory Connector fails to remove registry entries referencing the Directory Connector. Occurs when SonicWALL Directory Connector is installed on Windows Server 2008, and then uninstalled. 77509 Uninstalling Directory Connector fails to remove the Start menu program shortcuts in Windows Server 2008. Occurs when Directory Connector is uninstalled and the system is restarted. Workaround: Remove Start menu program shortcuts manually. If issue persists, run the uninstall option with "run as" administrator. 77508 6
Overview SonicWALL Directory Services Connector allows SonicWALL NSA, TZ, PRO, and CSM appliances to achieve transparent, automated Single-Sign-On (SSO) integration with Active Directory and Novell edirectory. SonicWALL Directory Services Connector includes three installable agents: Single Sign-On Agent (SSO) ADConnector (ADC) NDConnector (NDC) SonicWALL SSO Agent identifies users by IP address using a SonicWALL ADConnector-compatible protocol and automatically determines when a user has logged out to prevent unauthorized access. The SonicWALL SSO Agent can be installed on any server with a Windows domain that can communicate with clients and the SonicWALL security appliance directly using the IP address or using a path, such as VPN. The SonicWALL SSO Agent is not supported in a Citrix or Terminal Services Environment, and only works in an Active Directory environment. SonicWALL ADConnector runs as a service on a Microsoft server that is part of the Active Directory network. SonicWALL NDConnector runs as a service on a Microsoft server that is part of the edirectory network, and can communicate with Windows, Linux, or MAC clients. With Directory Services Connector, the SonicWALL appliance can use Active Directory or Novell edirectory to authenticate users and determine the filtering policies to assign to each user or user group. A separate TSA agent is required when using a Citrix or Terminal Server Environment with a SonicWALL CSM appliance. In an example network using SonicWALL Directory Services Connector, a SonicWALL UTM security appliance, and an LDAP user authentication system such as Active Directory, or local user authentication on the appliance, the following process occurs: The Administrator creates policies applicable to users and groups on the SonicWALL UTM appliance. The user attempts to send traffic to the Internet through the SonicWALL UTM appliance. The SonicWALL UTM appliance sends the user's IP address to the SSO Agent with a user name request. Blocked packets are saved. The SSO Agent replies with the user name of the user who is logged into the workstation. The LDAP or Local Database is used to find the group membership for the user. Based on group membership and policy match, access is granted and the SonicWALL UTM appliance allows the user traffic to pass through to the Internet. If applicable, saved packets are reinstated and sent. The SonicWALL UTM appliance polls the SSO Agent to make sure the same user is still logged on. The polling interval can be configured in the SonicWALL UTM management interface. In an example network using SonicWALL Directory Services Connector, a SonicWALL CSM security appliance, and the Active Directory user authentication system, the following process occurs: Users on the network authenticate with Active Directory. Content filtering policies are created on the CSM appliance and communicated to the SonicWALL ADConnector agent. The Administrator applies policies to users through the ADConnector. The SonicWALL ADConnector synchronizes the user policy information with the Active Directory system (the domain controller), where it is stored in the database. When a user on a single-user workstation that is not connected to a Citrix server or Windows Terminal Services server makes an Internet request, only the host system IP address is sent to the SonicWALL CSM as part of the request. When the SonicWALL CSM security appliance intercepts a response to an Internet request, the CSM communicates with the ADConnector to determine the policy for the user making the request. o If the request originates from a user on a stand-alone workstation, the CSM passes the workstation IP address to the ADConnector. The ADConnector queries the workstation for the user information, and then uses that to query the Active Directory system for the policy information. The ADConnector returns the content filtering policies for the user to the CSM security appliance. Based on the policies, the CSM appliance either allows or blocks the Internet request. 7
In an example network using SonicWALL Directory Services Connector, a SonicWALL CSM security appliance, and the Novell edirectory user authentication system, the following process occurs: Users on the network authenticate with edirectory. Content filtering policies are created on the CSM appliance and communicated to the SonicWALL NDConnector agent. The Administrator applies policies to users through the NDConnector. The NDConnector synchronizes the user policy information with the edirectory system, where it is stored in the database. When a user makes an Internet request, only the host system IP address is sent to the SonicWALL CSM as part of the request. When the SonicWALL CSM security appliance intercepts a response to an Internet request, the CSM passes the workstation IP address to the NDConnector. The NDConnector queries the edirectory system for the user information and policy. The NDConnector returns the content filtering policies for the user to the CSM security appliance. Based on the policies, the CSM appliance either allows or blocks the Internet request. 8
About SonicWALL Single Sign-On and the Single Sign-On Agent Single Sign-On (SSO) is a transparent user authentication mechanism that provides privileged access to multiple network resources with a single workstation login. SonicWALL security appliances provide SSO functionality using the SonicWALL Single Sign-On Agent (SSO Agent) to identify user activity based on workstation IP address. SSO is configured in the Users > Settings page of the SonicOS management interface. SSO is separate from the authentication method for login settings, which can be used at the same time for authentication of VPN/L2TP client users or administrative users. SonicWALL SSO Agent identifies users by IP address using a protocol compatible with SonicWALL ADConnector and automatically determines when a user has logged out to prevent unauthorized access. Based on data from SonicWALL SSO Agent, the SonicWALL security appliance queries LDAP or the local database to determine group membership. Memberships are optionally checked by firewall policies to control who is given access, and can be used in selecting policies for Content Filtering and Application Firewall to control what they are allowed to access. User names learned via SSO are reported in logs of traffic and events from the users. The configured inactivity timer applies with SSO but the session limit does not, though users who are logged out are automatically and transparently logged back in when they send further traffic. Users logged into a workstation directly but not logged into the domain will not be authenticated. For users that are not logged into the domain, an Authentication Required screen will display, indicating that a manual login is required for further authentication. Users that are identified but lack the group memberships required by the configured policy rules are redirected to an Access Barred page. To use SonicWALL SSO, it is required that the SonicWALL SSO Agent be installed on a server within your Windows domain that can reach clients and can be reached from the appliance, either directly or through a VPN path. The following requirements must be met in order to run the SSO Agent: Port 2258 must be open; the firewall uses UDP port 2258 by default to communicate with SonicWALL SSO Agent; if a custom port is configured instead of 2258, then this requirement applies to the custom port Windows Server, with latest service pack.net Framework 2.0 or above Net API or WMI The SSO Agent must run under Domain Admin privileges Note: Mac and Linux PCs do not support the Windows networking requests that are used by the SonicWALL SSO Agent, and hence do not work with SonicWALL SSO. MAC and Linux users can still get access, but will need to log in to do so. They can be redirected to the login prompt if policy rules are set to require authentication. Installing the SonicWALL SSO Agent Install the SonicWALL SSO Agent on a host on your network within the Windows domain that has access to the Active Directory server. To install the SonicWALL SSO Agent, perform the following steps: 1. Download one of the following installation programs, depending on your computer: SonicWALL Directory Connector (32-bit) 3.1.7.exe SonicWALL Directory Connector (64-bit) 3.1.7.exe You can find these on http://www.mysonicwall.com under Directory Services Connector. 2. Double-click the installation program to begin installation. 3. If prompted, install the Microsoft.NET framework. 4. In the Welcome screen, click Next to continue the installation. 5. In the License Agreement screen, accept the terms of the license agreement, and then click Next. 9
6. In the Customer Information screen, enter your username and the name of the company that owns the workstation where you are installing the Directory Connector, select the application use privileges, and then click Next. 7. Select the destination folder. To use the default folder, C:\Program Files\SonicWALL\DCON, click Next. To specify a custom location, click Change, select the folder, and click Next. 10
8. On the Custom Setup page, the installation icon is displayed by default next to the SonicWALL SSO Agent feature. Click Next. 9. In the next screen, click Install to install Directory Connector. The status bar displays while the SonicWALL SSO Agent installs. 11
10. To configure a common service account that the SSO Agent will use to log into a specified Windows domain, enter the username of an account with administrative privileges in the Username field, the password for the account in the Password field, and the domain name of the account in the Domain Name field. Click Next. 11. Enter the IP address of your SonicWALL security appliance in the SonicWALL Appliance IP field. Type the port number for the same appliance in the SonicWALL Appliance Port field. Enter a shared key (a hexadecimal number from 1 to 16 digits in length) in the Shared Key field. Click Next to continue. 12
12. When installation is complete, optionally select the Launch SonicWALL Directory Connector checkbox to launch the SonicWALL Directory Connector, and then click Finish. For more information about configuring and using the SonicWALL SSO Agent, see the SonicOS Administrator s Guide and the SonicWALL Single Sign-On Feature Module, available on http://www.sonicwall.com/us/support.html. 13
About Active Directory and the SonicWALL ADConnector The SonicWALL ADConnector provides a way for the SonicWALL CSM security appliance to reuse existing Microsoft Active Directory credentials for user authentication. The ADConnector also enables the administrator to assign content filtering policies to users in the Active Directory domain. When an Internet request is handled by the SonicWALL CSM appliance, the appliance queries the ADConnector to get the policy information for that user. Installing the SonicWALL ADConnector Install the SonicWALL ADConnector on a host on your network that has access to the Active Directory server. The host must be joined to the Active Directory domain prior to installing ADConnector. To install the ADConnector, perform the following steps: 1. Download one of the following installation programs, depending on your computer: SonicWALL Directory Connector (32-bit) 3.1.7.exe SonicWALL Directory Connector (64-bit) 3.1.7.exe You can find these on http://www.mysonicwall.com under Directory Services Connector. 2. Double-click the installation program to begin installation. 3. If prompted, install the Microsoft.NET framework. 4. In the Welcome screen, click Next to continue the installation. 5. In the License Agreement screen, accept the terms of the license agreement, and then click Next. 6. In the Customer Information screen, enter your username and the name of the company that owns the workstation where you are installing the ADConnector, select the application use privileges, and then click Next. 14
7. Select the destination folder. To use the default folder, C:\Program Files\SonicWALL\DCON, click Next. To specify a custom location, click Change, select the folder, and click Next. 8. On the Custom Setup page, select the SonicWALL ADC feature for installation and disable installation of the other features. Click Next. 9. In the Ready to Install the Program screen, click Install. 15
10. In the Directory Connector Service User Configuration screen, enter the username, password, and domain for the administrative account that ADConnector will use to access the Active Directory domain, and then click Next. 11. In the Default CSM Appliance Configuration screen, enter the IP address and port number for your CSM appliance and enter the 16 digit shared key for communicating securely with the CSM. Click Next. 12. When installation is complete, optionally select the Launch SonicWALL Directory Connector checkbox to launch the SonicWALL Directory Connector, and then click Finish. For more information about configuring and using the SonicWALL ADConnector, see the SonicOS CF 2.6 Administrator s Guide and the SonicWALL CSM Integrated Solutions Guide. 16
About Novell edirectory and the SonicWALL NDConnector Novell edirectory together with the SonicWALL NDConnector and SonicWALL CSM appliance provides a solution for user authentication and the management of access to network resources and online content. SonicWALL CSM Novell edirectory Solution Architecture The user logs into the network and authenticates with edirectory. The user initiates a request for an Internet resource (such as a Web page, an audio or video stream, or a chat program). The CSM detects the request. The CSM queries the NDConnector. The NDConnector queries the edirectory server about the user. The NDConnector communicates to the CSM the user s content filtering policies, based on the user s individually assigned policies and any policies inherited from groups and from organizational units. The CSM allows, logs, or blocks the user s request, based on the user s content filtering policies. The SonicWALL NDConnector includes the following features: Logging Debugging Search Service Management CSM Appliance configuration Policy management for o Computers o Users o Groups o Organizational Units 17
Installing the SonicWALL NDConnector Install the NDConnector on a host on your network that has access to the Novell edirectory server. To install the NDConnector, perform the following steps: 1. Download one of the following installation programs, depending on your computer: SonicWALL Directory Connector (32-bit) 3.1.7.exe SonicWALL Directory Connector (64-bit) 3.1.7.exe You can find these on http://www.mysonicwall.com under Directory Services Connector. 2. Double-click the installation program to begin installation. 3. If prompted, install the Microsoft.NET framework. 4. In the Welcome screen, click Next to continue the installation. 5. In the License Agreement screen, accept the terms of the license agreement, and then click Next. 6. In the Customer Information screen, enter your username and the name of the company that owns the workstation where you are installing the NDConnector, select the application use privileges, and then click Next. 18
7. Select the destination folder. To use the default folder, C:\Program Files\SonicWALL\DCON, click Next. To specify a custom location, click Change, select the folder, and click Next. 8. On the Custom Setup page, select the SonicWALL NDC feature for installation and disable installation of the other features. Click Next. 9. In the Ready to Install the Program screen, click Install. 19
10. In the Default CSM Appliance Configuration screen, enter the IP address and port number for your CSM appliance and enter the 16 digit shared key for communicating securely with the CSM. Click Next. 13. In the Novell edirectory Admin User Configuration screen, enter the information for the Novell edirectory server, and then click Next: edirectory Server IP Address edirectory Server Port (389 by default) Login username for the administrator account to access the edirectory server Password for the administrator account to access the edirectory server edirectory context in which the administrator account for the edirectory server resides 14. When installation is complete, optionally select the Launch SonicWALL Directory Connector checkbox to launch the SonicWALL Directory Connector, and then click Finish. For more information about configuring and using the SonicWALL NDConnector, see the SonicOS CF 2.6 Administrator s Guide and the SonicWALL CSM Integrated Solutions Guide. 20
Related Technical Documentation SonicWALL user guides and reference documentation is available at the SonicWALL Technical Documentation Online Library: http://www.sonicwall.com/us/support.html For basic and advanced deployment examples, refer to SonicOS Guides and SonicOS Technotes. Last updated: 8/5/2009 21