Configure Active Directory Authentication

Xavier Mustin

Active Directory is the Microsoft® Windows-based application of an LDAP directory structure. Active Directory lets you expand the concept of domain hierarchy used in DNS to an organizational level. It keeps information and settings for an organization in a central, easy-to-access database. You can use an Active Directory authentication server to enable your users to authenticate to the XTM device with their current network credentials. You must configure both your XTM device and the Active Directory server for Active Directory authentication to work correctly.

When you configure Active Directory authentication, you can specify one or more Active Directory domains that your users can select when they authenticate. For each domain, you can add up to two Active Directory servers: one primary server and one backup server. If the first server you add fails, the second server is used to complete authentication requests. When you add an Active Directory server, you can select whether to specify the IP address or the DNS name of each server.
If you configure more than one Active Directory domain and you use Single Sign-On (SSO), to enable your users to select from the available Active Directory domains and authenticate, your users must install the SSO client. For more information, see About Single Sign-On (SSO) and Install the WatchGuard Single Sign-On (SSO) Client.
If your users authenticate with the Active Directory authentication method, their distinguished names (DN) and passwords are not encrypted. To use Active Directory authentication and encrypt user credentials, you can select the LDAPS (LDAP over SSL) option. When you use LDAPS, the traffic between the LDAPS client on your XTM device and your Active Directory server is secured by an SSL tunnel. When you enable this option, you can also choose whether to enable the LDAPS client to validate the Active Directory server certificate. If you choose to use LDAPS and you specify the DNS name of your server, make sure the search base you specify includes the DNS name of your server.
The Active Directory server can be located on any XTM device interface. You can also configure your XTM device to use an Active Directory server available through a VPN tunnel. For more information, see Authentication to an Active Directory Server Through a BOVPN Tunnel.
Before you begin, make sure your users can successfully authenticate to your Active Directory server. You can then use Policy Manager to configure your XTM device. You can add, edit, or delete the Active Directory domains and servers defined in your configuration.
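The primary/backup behaviour described above, together with the Dead Time setting from the procedure that follows, as an added Python illustration. This is not code from this post or from WatchGuard; the class and method names, the rule that one failed attempt marks a server inactive, and the sample addresses are all assumptions made for the example.

```python
"""Added illustration (not WatchGuard code): how a primary/backup
Active Directory server pair behaves with a Dead Time setting.
Assumptions: hypothetical class names; a server is marked inactive after
one failed attempt; timestamps are plain seconds so it runs offline."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class AdServer:
    """One Active Directory server entry: IP address or DNS name plus port."""
    value: str                 # IP address or DNS name
    port: int = 389            # default LDAP port; 636 when LDAPS is enabled
    dead_until: float = 0.0    # timestamp until which this server is skipped


class AdDomain:
    """Up to two servers per domain: the first is primary, the second backup."""

    def __init__(self, name: str, servers: List[AdServer], dead_time_s: float):
        if not 1 <= len(servers) <= 2:
            raise ValueError("a domain takes one primary and at most one backup server")
        self.name = name
        self.servers = servers
        self.dead_time_s = dead_time_s

    def active_servers(self, now: float) -> List[AdServer]:
        # Inactive servers are skipped until their dead time has elapsed.
        return [s for s in self.servers if s.dead_until <= now]

    def authenticate(self, now: float,
                     try_server: Callable[[AdServer], bool]) -> Optional[str]:
        """Try the primary first, then the backup. Return the value of the
        server that answered, or None if every server is inactive or failed."""
        for server in self.active_servers(now):
            if try_server(server):
                return server.value
            # No response: mark inactive for the configured Dead Time.
            server.dead_until = now + self.dead_time_s
        return None


def simulate_failover() -> List[Optional[str]]:
    """Constructed scenario: the primary stops responding at t=0 and the
    domain's Dead Time is 10 minutes. Returns which server answered at
    each probe time, in order."""
    primary = AdServer("10.0.0.10")            # constructed sample address
    backup = AdServer("ad2.example.com")       # constructed sample name
    domain = AdDomain("example.com", [primary, backup], dead_time_s=10 * 60)

    primary_up = {"state": False}

    def try_server(s: AdServer) -> bool:
        return True if s is backup else primary_up["state"]

    results = []
    results.append(domain.authenticate(0, try_server))        # primary fails, backup answers
    results.append(domain.authenticate(5 * 60, try_server))   # primary still marked inactive
    primary_up["state"] = True                                # primary recovers at t=9 min
    results.append(domain.authenticate(9 * 60, try_server))   # dead time not over yet
    results.append(domain.authenticate(11 * 60, try_server))  # primary is active again
    return results


if __name__ == "__main__":
    print(simulate_failover())
```

The point of the simulation is the third probe: even though the primary is reachable again at nine minutes, the device keeps using the backup until the full Dead Time has elapsed, so a short Dead Time shortens failback while a long one avoids hammering a server that is flapping.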
Add an Active Directory Authentication Domain and Server

  1. Click the toolbar icon, or select Setup > Authentication > Authentication Servers.
    The Authentication Servers dialog box appears.
  2. Select the Active Directory tab.
    The Active Directory settings appear.
  3. Click Add.
    The Add Active Directory Domain dialog box appears.
  4. In the Domain Name text box, type the domain name to use for this Active Directory server.
    The domain name must include a domain suffix. For example, type example.com, not example.
  5. Click Add.
    The Add IP/DNS Name dialog box appears.
  6. From the Choose Type drop-down list, select IP Address or DNS Name.
  7. In the Value text box, type the IP address or DNS name of this Active Directory server.
  8. In the Port text box, type or select the TCP port number for the device to use to connect to the Active Directory server.
    The default port number is 389. If you enable LDAPS, you must select port 636.
    If your Active Directory server is a global catalog server, it can be useful to change the default port. For more information, see Change the Default Port for the Active Directory Server.
  9. Click OK.
    The IP address or DNS name you added appears in the Add Active Directory Domain dialog box.
  10. To add another Active Directory server to this domain, repeat Steps 3–9. You can add up to two servers.
    Make sure the shared secret is the same on all the Active Directory servers you specify.
    For more information, see Use a Backup Authentication Server.
  11. In the Search Base text box, type the location in the directory to begin the search.
    The standard format for the search base setting is: ou=<name of organizational unit>,dc=<first part of the distinguished server name>,dc=<any part of the distinguished server name that appears after the dot>.
    To limit the directories on the authentication server where the XTM device can search for an authentication match, you can set a search base. We recommend that you set the search base to the root of the domain. This enables you to find all users and all groups to which those users belong.
    For more information, see Find Your Active Directory Search Base.
  12. In the Group String text box, type the attribute string that is used to hold user group information on the Active Directory server. If you have not changed your Active Directory schema, the group string is always memberOf.
  13. In the DN of Searching User text box, type the distinguished name (DN) for a search operation.
    If you keep the login attribute of sAMAccountName, you do not have to type anything in this text box.
    If you change the login attribute, you must add a value in the DN of Searching User text box. You can use any user DN with the privilege to search LDAP/Active Directory, such as an administrator. However, a weaker user DN with only the privilege to search is usually sufficient.
    For example, cn=Administrator,cn=Users,dc=example,dc=com.
  14. In the Password of Searching User text box, type the password associated with the distinguished name for a search operation.
  15. In the Login Attribute text box, type or select an Active Directory login attribute to use for authentication.
    The login attribute is the name used for the bind to the Active Directory database. The default login attribute is sAMAccountName. If you use sAMAccountName, you do not have to specify a value for the DN of Searching User and Password of Searching User settings.
  16. In the Dead Time text box, type or select a time after which an inactive server is marked as active again.
  17. From the Dead Time drop-down list, select minutes or hours to set the duration.
    After an authentication server has not responded for a period of time, it is marked as inactive. Subsequent authentication attempts do not try this server until it is marked as active again.
  18. To enable secure SSL connections to your Active Directory server, select the Enable LDAPS check box.
  19. If you enable LDAPS but did not set the Port value to the default port for LDAPS, a port message dialog box appears. To use the default port, click Yes. To use the port you specified, click No.
  20. To verify that the certificate of the Active Directory server is valid, select the Validate server certificate check box.
  21. To specify optional attributes for the primary LDAP server, click Optional Settings.
    For more information about how to configure optional settings, see the subsequent section.
  22. To add another Active Directory domain, repeat Steps 3–20. Make sure the shared secret is the same on all the Active Directory domains you specify.
  23. Click OK.
  24. Save the Configuration File.
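As an added example (not code from this post or from WatchGuard), the following Python script checks a domain entry against the rules the procedure above states before it is committed: the domain name needs a suffix, at most two servers, port 636 when LDAPS is enabled, the ou=…,dc=…,dc=… search base shape with the root of the domain as the recommended default, and a searching user when the login attribute is not sAMAccountName. The function and class names, and the sample values, are assumptions made for the example; it also flags the two weak settings the text warns about (no LDAPS, or LDAPS without certificate validation).

```python
"""Added illustration, not WatchGuard's own code: consistency checks for an
Active Directory domain entry. Names (AdDomainConfig, check_config, ...) and
sample values are hypothetical."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

LDAP_PORT, LDAPS_PORT = 389, 636
DEFAULT_LOGIN_ATTRIBUTE = "sAMAccountName"
DEFAULT_GROUP_STRING = "memberOf"


def search_base_for_domain(domain: str) -> str:
    """Root-of-domain search base, the recommended setting:
    example.com -> dc=example,dc=com."""
    return ",".join(f"dc={label}" for label in domain.lower().split("."))


def validate_search_base(search_base: str) -> bool:
    """Accept only the ou=<unit>,dc=<part>,dc=<part> shape described above
    (zero or more ou= components, then at least two dc= components)."""
    pattern = r"(ou=[^,]+,)*dc=[^,]+(,dc=[^,]+)+"
    return re.fullmatch(pattern, search_base, re.IGNORECASE) is not None


@dataclass
class AdDomainConfig:
    domain_name: str
    servers: List[Dict] = field(default_factory=list)  # each: {"value": ..., "port": ...}
    search_base: str = ""                              # empty -> root of the domain
    group_string: str = DEFAULT_GROUP_STRING
    login_attribute: str = DEFAULT_LOGIN_ATTRIBUTE
    searching_user_dn: str = ""
    searching_user_password: str = ""
    enable_ldaps: bool = False
    validate_server_certificate: bool = False


def effective_search_base(cfg: AdDomainConfig) -> str:
    return cfg.search_base or search_base_for_domain(cfg.domain_name)


def check_config(cfg: AdDomainConfig) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]}; empty lists mean the
    entry is consistent with the rules in the procedure."""
    errors: List[str] = []
    warnings: List[str] = []
    if "." not in cfg.domain_name:
        errors.append("domain name must include a suffix (example.com, not example)")
    if not 1 <= len(cfg.servers) <= 2:
        errors.append("a domain takes one primary server and at most one backup")
    for s in cfg.servers:
        if cfg.enable_ldaps and s["port"] != LDAPS_PORT:
            errors.append(f"{s['value']}: LDAPS requires port {LDAPS_PORT}, got {s['port']}")
    if not validate_search_base(effective_search_base(cfg)):
        errors.append(f"search base {effective_search_base(cfg)!r} is not ou=...,dc=...,dc=...")
    needs_search_user = cfg.login_attribute != DEFAULT_LOGIN_ATTRIBUTE
    if needs_search_user and not (cfg.searching_user_dn and cfg.searching_user_password):
        errors.append("a login attribute other than sAMAccountName needs the DN and "
                      "password of a searching user")
    # Weak-but-valid settings the text cautions about.
    if not cfg.enable_ldaps:
        warnings.append("DN and password cross the network unencrypted; enable LDAPS")
    elif not cfg.validate_server_certificate:
        warnings.append("LDAPS without certificate validation encrypts the session "
                        "but does not prove which server answered")
    return {"errors": errors, "warnings": warnings}


def sample_good() -> AdDomainConfig:
    """Constructed entry that follows every rule above."""
    return AdDomainConfig("example.com",
                          [{"value": "10.0.0.10", "port": 636},
                           {"value": "ad2.example.com", "port": 636}],
                          enable_ldaps=True, validate_server_certificate=True)


def sample_bad() -> AdDomainConfig:
    """Constructed entry with three rule violations and one weak setting."""
    return AdDomainConfig("example",                       # no suffix
                          [{"value": "10.0.0.10", "port": 389}],  # LDAPS on 389
                          search_base="dc=example,dc=com",
                          login_attribute="userPrincipalName",    # no searching user
                          enable_ldaps=True)                      # cert not validated


if __name__ == "__main__":
    for cfg in (sample_good(), sample_bad()):
        print(cfg.domain_name, check_config(cfg))
```

Running the script prints an empty result for the first entry and three errors plus one warning for the second; the same checks are easy to run over an exported configuration before it is loaded onto the device.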
About Active Directory Optional Settings

Fireware XTM can get additional information from the directory server (LDAP or Active Directory) when it reads the list of attributes in the server’s search response. This lets you use the directory server to assign extra parameters to the authenticated user sessions, such as timeouts and Mobile VPN with IPSec address assignments. Because the data comes from LDAP attributes associated with individual user objects, you are not limited to the global settings in Policy Manager. You can set these parameters for each individual user.
For more information, see Use Active Directory or LDAP Optional Settings.
Edit an Existing Active Directory Domain

When you edit an Active Directory domain, you cannot change the details of the Active Directory servers configured in the domain. Instead, you must add a new server. If there are two servers in the list, you must remove one of the servers before you can add a new one.
From the Authentication Servers dialog box:
  1. In the Active Directory domains list, select the server to change.
  2. Click Edit.
    The Edit Active Directory Domain dialog box appears.
  3. To add an IP address or DNS name to the server for this domain, click Add and follow the instructions in Steps 5–9 of the previous section.
  4. To remove an IP address or DNS name from the server for this domain, select the entry in the IP Address / DNS Name list and click Remove.
  5. Update the settings for your Active Directory server.
Delete an Active Directory Domain

From the Authentication Servers dialog box:
  1. In the Active Directory domains list, select the domain to delete.
  2. Click Remove.
    A confirmation message appears.
  3. Click Yes.