Directory Connector FAQs

From Edge Threat Management Wiki - Arista
Latest revision as of 22:09, 14 September 2023

The UNLS never completes or isn't working. Why?

You'll need to make sure the Domain Controller has the following settings:

ComputerConf > Policies > Admin Templates > System > Scripts
- Run logon scripts synchronously = disabled
- Run startup scripts asynchronously = enabled

UserConf > Policies > Admin Templates > System > Scripts
- Run logon scripts synchronously = disabled

One user solved his issue by adding the script here:

UserConf > Policies > Administrative Templates > System > Logon > Run These Programs at System Logon


What about shared IP addresses, like with a Terminal Server? 💡

The Directory Connector works by mapping IP addresses to usernames; any IP address sharing will mean the Directory Connector will not be able to tell these users apart. After some testing, we've seen that a product called Virtual IP, when paired with Captive Portal, allows these users to be differentiated and become subject to policies and filtering. This has not been tested with the login script - we'll update this entry when we have more information. Virtual IP is only available as a part of the Thinomenon Access Suite (http://www.thinomenon.com/products/AccessSuite/default.aspx).


There is one other way to accomplish this if you are running Windows Server 2008 R2:

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open it, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
  2. In the Edit settings area, under RD IP Virtualization, double-click IP Virtualization.
  3. In the Properties dialog box, click the RD IP Virtualization tab.
  4. To enable Remote Desktop IP Virtualization, select the Enable IP virtualization check box.
  5. To select the network adapter to be used for Remote Desktop IP Virtualization, choose the appropriate adapter in the Select the network adapter to be used for IP virtualization list.
  6. To select the Remote Desktop IP Virtualization mode, under IP virtualization mode, click Per session to run Remote Desktop IP Virtualization in per-session mode.
  7. If you have more than one Ethernet adapter on the server you may need to change between them back in step 5. I rebooted the server after the first tests failed but it ended up needing the other adapter.

Why can I only see 1000 users?

NG Firewall can read more than 1000 users from Active Directory; however, your AD server must be configured to return more than 1000 users. Run these commands from the command prompt on the AD server to allow up to 5000 users:

ntdsutil.exe
LDAP policies
Connections
Connect to server addomainname.local
Quit
Set MaxPageSize to 5000
Commit Changes
Quit
Quit

The Active Directory Login Script is still not working - what can I do?

One way to check whether your logon script is working is to open the status page and view the current Username Map. If you are seeing no entries after running the script manually, edit the script and make sure the internal IP of NG Firewall is listed. If you're in bridge mode, make sure Administrator Alerts isn't telling you your bridge is backwards.

Does the GPMC (Group Policy Management Console) work with a 64bit OS?

Not officially - please check out this link or contact Microsoft for more information.


Why are my Security Groups not showing up?

Security Groups will not be displayed when using the Active Directory Users button in the settings, but they will be displayed when selecting users in the Policy Manager. Only Security Groups will be shown, not OUs.


I'm authenticating Captive Portal users against Active Directory, but no names show up in the Username Map. Why? 💡

Captive Portal must go into the rack after Directory Connector to work properly - this refers to the order in which they are installed into the rack, not the order they appear in the rack. If you're seeing this issue, simply remove Captive Portal from the rack, then add it back into the rack and reconfigure it. The next time a user logs in through it, they should correctly populate on the Username Map.

Can I use the UNLS with my OSX machines?

While NG Firewall does not directly support this, one of our users has adapted some existing scripts to provide the same functionality. You can find more information on our forums here.

Is this supported with all versions of Active Directory?

For clients running the UNLS, any version of Windows XP or newer should work. For servers, please see the table below. If you're running Windows Server 2008 and you've installed it with the strictest security settings, you must disable the signed LDAP security requirement. Microsoft has an article for enabling the feature here; for our purposes, however, it must be disabled. Here are the steps to disable this setting in Windows 2008.

How to disable the server LDAP signing requirement

  1. Click Start, click Run, type mmc.exe, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor, and then click Add.
  4. In the Select Group Policy Object dialog box, click Browse.
  5. In the Browse for a Group Policy Object dialog box, click Default Domain Policy under the Domains, OUs and linked Group Policy Objects area, and then click OK.
  6. Click Finish.
  7. Click OK.
  8. Expand Default Domain Controller Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
  9. Right-click Domain controller: LDAP server signing requirements, and then click Properties.
  10. In the Domain controller: LDAP server signing requirements Properties dialog box, enable Define this policy setting, click to select Require signing in the Define this policy setting drop-down list, and then click OK.
  11. In the Confirm Setting Change dialog box, click Yes.

You should then run gpupdate /force on the server to update the current group policy.

AD Server OS                          Support
Windows Server 2012                   Yes
Windows Server 2012 Essentials        Yes
Windows Server 2008                   Yes
Windows Small Business Server 2008    Yes
Windows Small Business Server 2003    No
Windows Server 2003, Standard SP2     No
Windows 2000 Server                   No
Windows NT 4.0 Server                 No

Can I use an LDAP Server other than Active Directory? 💡

Directory Connector is designed specifically for Active Directory or a RADIUS server. It does not support alternative LDAP servers such as OpenLDAP.

What do I enter in the fields for nested OUs? 💡

For nested OUs, the nested OU 'IT' needs to be specified like this in Directory Connector: OU=IT,OU=Users,OU=MyBusiness

Note: spaces are allowed.
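The nested-OU string above, as an added example that is not part of the original wiki page: a small Python helper that builds the comma-separated OU=... value from the tree path shown in Active Directory Users and Computers (top-level OU first), escaping the RFC 4514 special characters, and parses it back. It assumes only that Directory Connector wants exactly the OU-only string shown on this page, without the domain's DC= components.

```python
# Added example (not from the wiki page): build and parse the nested-OU string that
# Directory Connector expects, e.g. OU=IT,OU=Users,OU=MyBusiness. Names are escaped
# per RFC 4514 so an OU called "Acme, Inc" is not misread as two components.
import re

SPECIAL = set('"+,;<>\\')  # characters that must always be escaped in an RDN value

def escape_rdn_value(value: str) -> str:
    """Escape one OU name; interior spaces are left alone ("Sales Team")."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        # A leading '#' and leading/trailing spaces are only special at the edges.
        if ch in SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\")
        out.append(ch)
    return "".join(out)

def build_ou_dn(path: list[str]) -> str:
    """Tree path (top-level OU first, leaf last) -> Directory Connector string."""
    if not path:
        raise ValueError("path must contain at least one OU")
    # A DN lists the most specific component first, so the tree path is reversed.
    return ",".join(f"OU={escape_rdn_value(name)}" for name in reversed(path))

def _split_unescaped(dn: str, sep: str = ",") -> list[str]:
    """Split on sep while skipping escaped characters, so 'Acme\\, Inc' stays whole."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == sep:
            parts.append("".join(buf)); buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    return parts

def unescape_rdn_value(raw: str) -> str:
    # Handles backslash-char escapes ("\," -> ","); \XX hex escapes are not covered.
    return re.sub(r"\\(.)", r"\1", raw)

def parse_ou_dn(dn: str) -> list[str]:
    """Inverse of build_ou_dn: returns the tree path, top-level OU first."""
    names = []
    for rdn in _split_unescaped(dn):
        attr, eq, value = rdn.partition("=")
        if not eq or attr.strip().upper() != "OU":
            raise ValueError(f"expected an OU=... component, got {rdn!r}")
        names.append(unescape_rdn_value(value))
    return list(reversed(names))
```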