Test Case 3 Active Directory Integration

April 12, 2010
Author:
Audience: Joe Lowry and SWAT Team Evaluator

The following steps will guide you through the process of directory integration. The goal of directory integration is to be able to apply filtering and/or shaping rules to your existing Active Directory security group/OU structure and to report on and correlate all internet usage to a directory user. Once the integration is completed and groups have been built within Composer, all management of group membership can be performed from your directory server.

Three Step Process to accomplish Directory Integration

This is a three step process that needs to be followed in order. Network Composer will gain access to your directory structure by installing an agent, referred to as CDA (Cymphonix Directory Agent), on your server, followed by configuring Network Composer to communicate with the agent. Lastly you will choose one of three options available to identify user information.

Install the Directory Agent on your server

NOTE: This agent can be installed on any domain controller that is running the Active Directory Domain Services role; it does not have to be installed on the primary domain controller.

You will first log in to the server where you plan on installing the Active Directory Server Agent, then log in to Network Composer from there to download the agent, and finally install it. You must add Network Composer to your trusted zones within Internet Explorer to be able to log in to the GUI and to download files from Network Composer. Also, Flash must be installed in order to log in to the Network Composer. You can download the most recent version of Flash from http://get.adobe.com/flashplayer.

1. Once logged into the server where you'll be installing the Active Directory Server Agent, launch Internet Explorer (you must use IE 6.0 or better to manage the Network Composer). Locate the IE toolbar and go to Tools > Internet Options > Security tab > Trusted Sites > Sites. In the "Add this website to the zone" field, type http://ipaddressofyournetworkcomposer (type https://ipaddressofyournetworkcomposer if you have "Require server verification (https:) for all sites in this zone" checked), and then click Add.

2. Log into your Network Composer from your server, being careful to use the correct URL; it could be http or https depending on how you made your entry into the Trusted Sites. Then click on the Admin tab.
3. Click on Downloads. Then click on Directory Agent Software.
4. Click on Download 32-bit Active Directory Agent Server Agent.

5. A File Download box will open in a pop-up window. Click on "Click here to download your file" to initiate the download request.
6. Depending on whether you're installing this on a Windows 2003 server or a Windows 2008 server, you will need to install the Directory Agent in a specific way. Since Windows Server 2008 has more security, there is an extra step involved that requires you to run the .exe as an administrator.
   If installing from a Windows 2003 server:
   a. Click Run when the Download box opens.
   b. Proceed directly to step 7.

   If installing from a Windows 2008 server:
   a. Click Save when the download box opens.
   b. Save the file to your desktop.
   c. Right click on the adagent icon located on your desktop, adagent32.exe, and choose the Run as administrator option.

   d. If you receive the User Account Control dialogue, click Yes to allow the changes.
   e. Proceed to step 8.
7. Click on the Run button on the Security Warning box.
8. Click Next on the first screen.

9. On the next screen accept the license agreement and click Next.
10. Click Next on this screen (unless you want to choose a custom install location).

11. On this screen you can normally leave the default port number. (The only reason to change it is if you have another application that uses that port; otherwise it is fine to use the default port.)
12. Enter a password for use with the Network Composer (this does not need to be a password for any user in your domain; it is only used for secure communication between this agent and Network Composer). Then click Next.

13. Click the Install button to begin the install.
14. Click Finish when done.

15. If the Windows Firewall is turned on within this server where you installed the Active Directory Server Agent, you will need to make an exception for the directory agent to be able to communicate with Network Composer. The communication uses TCP port 3462 unless you changed the port during setup. To make the exception, launch your Windows Firewall from your Control Panel. Then go to the Exceptions tab and click on Add Port.

16. In the Name field enter Active Directory Server Agent. Enter 3462 for the Port Number, select TCP for the protocol, and then click OK.

Configure Network Composer to communicate with Active Directory Server Agent

This is the second step of the Directory Integration, where we configure Network Composer to communicate with the Directory Server Agent.

1. Log in to the Network Composer, from your workstation or server, and click on the Manage tab.
2. Click on Directory Users & Nodes, then Directory Agent.

3. Click on the Create button.
4. Enter a Name for the Directory Agent (normally the name of the domain).
5. You can enter a description in the Description field, but it is an optional field.
6. Enter the IP address of the Active Directory Server where you installed the Agent Utility.
7. Enter the Password you created when you installed the Agent.
8. Click on Save.

You have now set up your Network Composer to use Active Directory Integration.

Identify when users authenticate to the network and their IP address

This is the third and final step of the directory integration process. There are three options available, two of them clientless. Deploying cymdir.exe is the directory client method, while IP Lookup and the Web Login page are clientless web authentication options. Each option is listed below, including a quick synopsis.

Option 1 - Deploy statically compiled client executable cymdir.exe

This option allows Network Composer to immediately identify when users are accessing the network while synchronizing with defined groups, OUs, or user attributes, by receiving definitive login and logout events in heartbeats of information sent from this client executable once it is running on the workstation. The cymdir.exe is not a program or application install, thus there are no changes to the file structure or registry of the workstation. Rather, it only exists and runs as a process in memory and goes away at log off. This method is the most widely used because it gives you full functionality and obtains the most accurate reporting data. It is also completely seamless to the end user, requiring no interaction. We will deploy the statically compiled executable file (cymdir.exe) onto one or both of your test PCs using a manual method.

NOTE: When deploying cymdir.exe into your corporate environment you will use the GPO login script method for ease of deployment instead of the manual method used here.

1. From your workstation, download the cymdir.exe file from Composer. Log in to Composer and go to Admin > Downloads > Directory Agent Software > Download 32-bit Windows Directory Client Agent.
2. Click "Click here to download your file" and, when given the choice, save the file to the desktop of your workstation.

3. Click Save and choose your desktop as the destination to start the download.
4. Once the download is complete you may need to remove a security flag from the file that Internet Explorer places on executable files. To do this, right click on the file and select Properties. If there is an Unblock button available in the Security section on the General tab, click Unblock.
   NOTE: If the file is already unblocked you will not see the Unblock button at the bottom of the General tab.

5. On your workstation click on the Start menu, then Run. Browse to the location of cymdir.exe, or simply drag the icon from your desktop into the Run box. Once the full path of the cymdir.exe file is in the Run dialogue box, add a space to the very end of the path followed by the bridge IP address of your Composer. Then click OK.
   Example: "C:\Documents and Settings\Administrator\Desktop\cymdir.exe" 10.3.0.50
6. When prompted with the Security Warning dialogue box, click the Run button.

7. If you launch your Task Manager you should see a process called cymdir.exe running.
8. If cymdir.exe is running on the workstation, Network Composer should be receiving your user information. You can verify this within Network Composer by going to Admin > Diagnostic Tools > Directory Agent Users. You should see your username listed.
9. If you see your username in the list, this means all of your subsequent traffic will be associated to the directory username and you can continue with Test Case 3a.

Option 2 - IP Lookup

IP Lookup relies upon the directory server to query the workstation for user, domain and IP information, versus the information being sent directly to Network Composer from the workstation when using the directory client (cymdir). There are some dependencies that have to be in place to use this option to allow the native Windows API query to complete from server to workstation.

The main advantage of using this option is that it's clientless and all mechanics of the authentication in this mode are seamless to the end user. The main disadvantage of this method is the lack of a specific login and logout event. What this means is that any application traffic passed before we identify the user (we identify the user as soon as a browser session is launched) will only be associated to the IP address or network node.

Checklist (dependencies that must be in place) before implementing IP Lookup:
- File and Printer Sharing for Microsoft Networks installed on the workstation.
- Any HIDS (Host Intrusion Detection System) or firewall service running on the workstation(s) is allowing the File and Printer Sharing services.
- The workstations' primary DNS server is set to the IP address of the Active Directory server.
- Workstations are joined to the domain and use Windows 2000 SP4 or above.
- CDA (the Directory Agent service specifically) is configured on your directory server to log on with administrator rights.

1. NOTE: To verify or change this, go to the server where the CDA is installed and open your services (Start > Run > type Services.msc). Once within Services, locate the service named Directory Agent, right click on the service and select Properties. Click the Log On tab, and then change the "Log on as" setting from Local System account to an administrator account by selecting the radio button next to "This account" and specifying an account that has administrator privileges.
2. Technical Brief: Why does the Directory Agent service have to be configured to run with administrative privileges to use the IP Lookup option? We use NetWkstaUserEnum() to get the user name at the given IP address and then we pass that username to ADsOpenObject()/ADsGetObject() followed by ExecuteSearch(). It follows that anybody using any of these APIs needs admin rights. If they weren't controlled, this would mean that anybody could get Active Directory info on anybody else just for the asking.
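As an added example (not part of the Cymphonix guide), the PowerShell below turns the checklist and the service logon requirement above into automated checks: run Test-IpLookupWorkstation on a test workstation and Test-DirectoryAgentServer on the domain controller hosting the CDA. It assumes the service's display name is exactly "Directory Agent", the default agent port 3462 and the firewall exception name from step 16, and a Windows Server 2008-or-later host with English netsh output; the function names and the 10.0.0.1 address are placeholders of mine.

```powershell
# Added example (not from the Cymphonix guide): scripted checks for the IP Lookup
# checklist and the Directory Agent logon requirement described above.
# Assumptions: service display name "Directory Agent", default agent port 3462,
# firewall exception named as in step 16, Windows Server 2008+ with English netsh output.

function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

function Test-IpLookupWorkstation {
    param([Parameter(Mandatory = $true)][string]$AdServerIp)

    # Workstations must be joined to the domain.
    $cs = Get-WmiObject Win32_ComputerSystem
    New-Check 'Joined to domain' ([bool]$cs.PartOfDomain) $cs.Domain

    # Windows 2000 SP4 (NT 5.0 with SP4) or any newer version.
    $os  = Get-WmiObject Win32_OperatingSystem
    $ver = [version]$os.Version
    $osOk = ($ver -ge [version]'5.1') -or
            ($ver.Major -eq 5 -and $ver.Minor -eq 0 -and $os.ServicePackMajorVersion -ge 4)
    New-Check 'Windows 2000 SP4 or above' $osOk "$($os.Caption) SP$($os.ServicePackMajorVersion)"

    # The first DNS server in the search order must be the Active Directory server.
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
           Where-Object { $_.DNSServerSearchOrder } | Select-Object -First 1
    $primaryDns = if ($nic) { $nic.DNSServerSearchOrder[0] } else { '' }
    New-Check 'Primary DNS is the AD server' ($primaryDns -eq $AdServerIp) $primaryDns

    # The NetWkstaUserEnum() call from the directory server arrives over SMB, so the
    # Server service behind File and Printer Sharing must be running...
    $srv = Get-WmiObject Win32_Service -Filter "Name = 'LanmanServer'"
    New-Check 'Server service (File and Printer Sharing) running' ($srv.State -eq 'Running') $srv.State

    # ...and the Windows Firewall must have the File and Printer Sharing rules enabled.
    $fw = netsh advfirewall firewall show rule group="File and Printer Sharing" |
          Select-String '^Enabled:\s+Yes'
    New-Check 'Firewall allows File and Printer Sharing' (@($fw).Count -gt 0) "$(@($fw).Count) enabled rule(s)"
}

function Test-DirectoryAgentServer {
    param([string]$DisplayName = 'Directory Agent', [int]$Port = 3462,
          [string]$RuleName = 'Active Directory Server Agent')

    # Checklist item 5: the service must log on as an administrator account rather
    # than the default Local System account. The account shown in Detail still has
    # to be confirmed as a member of Administrators by hand.
    $svc = Get-WmiObject Win32_Service -Filter "DisplayName = '$DisplayName'"
    if ($svc) {
        $named = ($svc.StartName -ne 'LocalSystem') -and ($svc.StartName -notlike 'NT AUTHORITY\*')
        New-Check 'Agent service logs on as a named account' $named "$($svc.StartName) ($($svc.State))"
    } else {
        New-Check 'Agent service logs on as a named account' $false "service '$DisplayName' not found"
    }

    # Steps 15 and 16: Network Composer reaches the agent on TCP 3462 (unless changed),
    # so the agent must be listening and the firewall exception must be enabled.
    $listen = netstat -ano -p TCP | Select-String ":$Port\s+\S+\s+LISTENING"
    New-Check "Agent listening on TCP $Port" (@($listen).Count -gt 0) ("$listen".Trim())

    $rule = netsh advfirewall firewall show rule name="$RuleName" | Select-String '^Enabled:\s+Yes'
    New-Check "Firewall exception '$RuleName' enabled" (@($rule).Count -gt 0) "$(@($rule).Count) enabled rule(s)"
}

# Example invocations (10.0.0.1 is a placeholder for your directory server's IP):
# Test-IpLookupWorkstation -AdServerIp '10.0.0.1' | Format-Table Check, Pass, Detail -AutoSize
# Test-DirectoryAgentServer | Format-Table Check, Pass, Detail -AutoSize
```

On Windows 2003 or XP workstations the firewall check must use the older `netsh firewall` syntax instead; the WMI-based checks are unchanged.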
Configure Network Composer to use the IP Lookup web authentication/directory option mode and specify which workstation(s) will use this mode

IP Lookup is configured and required through IURs (Internet Usage Rules); subsequently the IUR is applied to a specific Network Composer Group that you want to use the IP Lookup method. The Network Composer group can contain the desired workstation(s) by using different choices of member types, whether that is by IP, VLAN, Subnet, etc.

Note: Network Composer can use one, or a combination, of the directory authentication options. If you were to use IP Lookup in combination with other available methods, you have to specify which workstations use IP Lookup by creating a Network Composer group containing those devices (using any of the available member types, e.g. IP, VLAN, subnet). Secondly, you must configure an Internet Usage Rule with IP Lookup as the web authentication mode and then associate the IUR to the previously created group through the Policy Manager.

Note: Implementing IP Lookup for all devices on the network is a much simpler process. You will configure the default IUR, which is associated to the catch-all default group, to use IP Lookup. Since this is the rule that everyone (all network nodes) is using by default, this will force IP Lookup for all devices. This "apply IP Lookup network wide" concept will be the approach behind the following steps.

1. Log in to Network Composer and go to Manage > Policies & Rules > Internet Usage Rules > click Default Usage Rules. Now that you're in the Add/Edit Internet Usage Rule Set screen, open the Web Authentication tab, check the boxes next to Require Web Based Authentication and Directory Agent IP Lookup, and finally click Save.
2. If you're using this option and completed the previous steps you can now go directly to Test Case 3a. Once a directory user is authenticated via the IP Lookup mode (seamless to the end user and happening as soon as the user initiates a browser session), their traffic is no longer subject to the rules applied to the network node; now their traffic is associated and subject to their Directory Group and associated IUR.

Option 3 - Login Page

When a user attempts to load a web page they will be presented with a credential challenge window where valid domain credentials must be entered to continue.
Once valid credentials are entered, the user is allowed to browse, and content filtering and/or shaping will be applied according to their directory user name and group information. Internet usage is also correlated to the authenticated directory user. The advantage of this option is that it's clientless and can be used where users have directory accounts but their devices are not members of the domain. For example, you may have a wireless network or Macintosh workstations where users don't authenticate to the domain but are able to browse the web. By implementing this option you will be able to force authentication for such users and report on their internet usage by user name.

The Login Page mode is configured and required through IURs (Internet Usage Rules); subsequently the IUR is applied to a specific Network Composer Group for which you want to force the login authentication. The Network Composer group can contain the desired workstation(s) by using different choices of member types, whether that is by IP, VLAN, Subnet, etc. You will first create a Network Composer group that contains your workstation and then apply an IUR (Internet Usage Rule) that has the login mode enabled to the group through Policy Manager.

1. Log in to Network Composer and go to Manage > Policies & Rules > Groups > Create. Choose Create a Network Composer Group. This will bring you to the Add/Edit Group Detail. In the Name field type Web Login Group. Locate your node according to the current IP address configured on your workstation, select it and Add it to the group, followed by Save.
2. Go to Manage > Policies & Rules > Internet Usage Rules > Create. This will bring you to the Add/Edit Internet Usage Rule Set. In the Rule Set Name field type Web Login Rule. Go to the Web Authentication tab, check the boxes next to Require Web Based Authentication and Enable Login Page, and finally click Save.

3. If you're using this option and completed the previous steps you can now go directly to Test Case 3a. Once a directory user is authenticated via the Login Page mode (user enters credentials), their traffic is no longer subject to the rules applied to the network node; now their traffic is associated and subject to their Directory Group and associated IUR.

Test Case 3a - Creating a Directory Group

Within the Network Composer you can create a Composer Directory Group which allows you to incorporate Security Groups, OUs or individual members from your existing directory architecture and subsequently apply unique policies. The other advantage to creating groups, outside of granular policy control, is the ability to use the Correlate by Group reporting option. This test case will take you through the necessary steps to create a directory group.

1. Log in to Network Composer and go to Manage > Policies & Rules > Groups > Create > Create a Directory Agent Group > click OK.

2. You will now be in the Add/Edit Directory Agent Group Detail. You can create a Directory Agent Group that contains members from your Active Directory server, either by security group, OU, or attribute. For a test case we recommend just adding one OU or security group that you can comfortably subject to content filtering and/or shaping, such as your IT group. (NOTE: This must be a security group that isn't set as any user's Primary Group. By default all users' Primary Group is set to Domain Users.) In the Name field enter something that relates to the users, such as IT Group; in the Description field enter a description of the members contained within the group.
   a. Click Add Members, which will bring you to the Add Directory Group Members screen.
   b. Check the box next to IT Group (or a different group that you feel is appropriate for testing) and then click OK at the bottom of the page.
   c. Now that you're back at the Add/Edit Directory Agent Group Detail, click the Save button.

3. You have now successfully created a Directory Agent Group that allows you to accomplish two things.
   a. You can run reports and correlate the results by Group, giving you aggregate reporting data for a specific directory group. For example, how much bandwidth a Domain Users group is using versus a Domain Admins group.
   b. You can apply content filtering (IURs, Internet Usage Rules) and/or shaping rules according to the directory user's OU or Security Group membership, or even by a specific user attribute. You would associate a unique IUR and/or shaping rule to the directory group through Policy Manager.

Test Case 3b - Real Time Reporting by Directory User

In this test case you will use the Real Time URL Monitor to view web hits generated by a directory user. As a user accesses URLs you will be able to monitor this in real time, as well as other useful pieces of information.

1. Log in to Network Composer and go to Report > Dashboards > Real Time URL Monitor.
2. Open a second browser window that will enable you to still view and monitor the Real Time URL Monitor. Then begin browsing to the following sites: www.cymphonix.com, www.cnn.com, www.espn.com, www.facebook.com, www.youtube.com.
   NOTE: If using Directory Option 3, you will be presented with a credential challenge window when entering the first URL. When prompted, enter your valid domain credentials and continue browsing to the other URLs.
3. As you pass traffic to the internet you should be able to see within the Real Time URL Monitor the specific URLs you're visiting and the Directory User information associated to each hit.

4. You can also view the current state of all directory agent users by going to Admin > Diagnostic Tools > Directory Agent Users. Users with recent activity will be displayed along with their IP Address, Group membership and mode (Client executable, IP Lookup, or Log In) information. If you want to verify that a user is being authenticated and that their traffic is subsequently being associated to a particular user name, you can use this tool to verify the user is showing with a Logged In status.

Test Case 3c - Historical Reporting by Directory User

In this test case you will use reports to view historical data collected specific to a directory user. Historical data is updated every 5 minutes, so ensure at least 5 minutes have passed since browsing to the aforementioned URLs. This will make sure the reporting data exists in the following reports before you go to view them.

View specific HTTP content (Host URLs) visited by a specific directory user:

1. Log in to Network Composer and go to Report > Web Usage > Overview/Hits.
2. Right click Allowed > highlight Report Correlations and select Correlate by Directory User.

3. Right click on your directory user name in the Details section, highlight Report Correlations and select Correlate by Host.
4. You should now be viewing the specific Hosts (web sites) that specific directory user visited.

View the application data correlated by directory user. This allows you to see how the data associated to any application set breaks down to per-user utilization.

1. Go to Report > Applications > Application Set Overview.
2. In the Details section, right click HTTP, highlight Report Correlations and select Correlate by Directory User. You are viewing the total HTTP application data used per directory user. You can correlate any of the other application sets by directory user as well.