Cisco Web Security Appliance S360 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 20      Authentication
  • When all Active Directory domains exist in the same forest, there must be a trust relationship among all domains in the forest.
  • When an Active Directory domain exists in a different forest, the domain that the Web Security appliance joins must have at least a one-way trust with the domain where the users belong.
AsyncOS allows you to create up to 10 NTLM authentication realms. You might want to create multiple NTLM realms when the Web Proxy must authenticate users in different Active Directory forests that do not trust one another.
Note
When you create multiple NTLM realms, the client IP addresses assigned to one NTLM realm must not overlap with the client IP addresses assigned to any other NTLM realm.
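The non-overlap requirement is easy to violate when realms are assigned subnets of different sizes. The following script, added here as an illustration and not part of the AsyncOS product or this guide, checks a planned set of realm-to-client-IP assignments for overlaps between different realms before they are configured. The realm names and address ranges are constructed sample data, and the script assumes the entries are written as single addresses or CIDR subnets; overlap within a single realm is not reported, because the guide only restricts overlap between realms.

```python
import ipaddress
from itertools import combinations

# Constructed sample: hypothetical NTLM realm names mapped to the client
# addresses/subnets planned for each. Entries are single IPs or CIDR subnets.
REALMS = {
    "corp-forest": ["10.1.0.0/16", "10.2.5.0/24"],
    "partner-forest": ["10.2.5.128/25", "192.168.10.0/24"],
    "lab-forest": ["172.16.0.0/12"],
}


def to_networks(entries):
    """Parse each entry (host address or CIDR subnet) into an ip_network.

    strict=False lets a host address such as 10.0.0.5 become a /32 and
    accepts subnets written with host bits set (10.2.5.130/25 -> 10.2.5.128/25).
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def find_overlaps(realms):
    """Return (realm_a, net_a, realm_b, net_b) for every pair of networks in
    *different* realms that share at least one address."""
    parsed = {name: to_networks(entries) for name, entries in realms.items()}
    conflicts = []
    for (name_a, nets_a), (name_b, nets_b) in combinations(parsed.items(), 2):
        for net_a in nets_a:
            for net_b in nets_b:
                if net_a.overlaps(net_b):
                    conflicts.append((name_a, str(net_a), name_b, str(net_b)))
    return conflicts


def realms_are_disjoint(realms):
    """True when no client address could be claimed by two NTLM realms."""
    return not find_overlaps(realms)


if __name__ == "__main__":
    for realm_a, net_a, realm_b, net_b in find_overlaps(REALMS):
        print(f"overlap: realm {realm_a!r} {net_a} vs realm {realm_b!r} {net_b}")
    if realms_are_disjoint(REALMS):
        print("client IP assignments are disjoint across realms")
    else:
        print("fix the overlapping client IP assignments before creating the realms")
```

In the sample data, 10.2.5.128/25 in the partner realm sits inside 10.2.5.0/24 in the corporate realm, so the script reports exactly that pair; shrinking or moving either range removes the conflict.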
When you define policy group membership by group name, the web interface only displays Active 
Directory groups in the domain where AsyncOS created a computer account when joining the domain. 
To create a policy group for users in a different domain, manually enter the domain and group name in 
the web interface.
Note
Cisco recommends creating as few NTLM realms as necessary. Creating multiple NTLM realms requires 
additional memory usage for authentication.
Supported Authentication Characters
This section lists the characters the Web Security appliance supports when it communicates with LDAP 
and Active Directory servers. For authentication to work properly, verify that your authentication servers 
only use the supported characters listed in this section.
For example, the appliance can validate users with the following Active Directory user name, because every character in it (including #) is supported in the User Name field:
jsmith#123

The appliance cannot validate users with the following Active Directory user name, because the + character is not supported in the User Name field:
jsmith+

Active Directory Server Supported Characters
The following table lists the characters the Web Security appliance supports for the User Name field for Active Directory servers.

Table 20-15    Supported Active Directory Server Characters — User Name Field

Supported Characters:
  A...Z a...z
  0 1 2 3 4 5 6 7 8 9
  ` ~ ! # $ % ^ & ( ) _ - { } ' . @
  space

Characters Not Supported:
  / \ [ ] : ; | = , + * ? < > "
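Auditing an existing directory against Table 20-15 by eye is error-prone, so the following script, added here as an illustration and not part of the AsyncOS product or this guide, transcribes the User Name field rules from the table and reports every user name that contains a character the appliance will not accept. The user names are constructed sample data; in practice the list would come from a directory export. One design choice is an assumption rather than something the table states: any character that appears in neither column (for example a non-ASCII letter) is treated as not supported, which is the conservative reading of the guide's instruction to use only the listed characters.

```python
# Characters the appliance supports in the Active Directory User Name field,
# transcribed from Table 20-15: letters, digits, the listed punctuation, space.
SUPPORTED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "`~!#$%^&()_-{}'.@"
    " "
)

# The "Characters Not Supported" column of the same table, kept for reference
# and for the sanity check below.
NOT_SUPPORTED = set('/\\[]:;|=,+*?<>"')


def unsupported_chars(user_name):
    """Return the sorted, de-duplicated characters in user_name that the
    appliance does not support.

    Assumption (not stated by the table): anything outside SUPPORTED is
    rejected, so non-ASCII letters are flagged as well as the listed symbols.
    """
    return sorted({c for c in user_name if c not in SUPPORTED})


def check_user_names(user_names):
    """Map each problematic user name to its offending characters; names that
    use only supported characters are omitted from the result."""
    problems = {}
    for name in user_names:
        bad = unsupported_chars(name)
        if bad:
            problems[name] = bad
    return problems


# Constructed sample of bare user names (no DOMAIN\ prefix: the backslash is
# itself unsupported in this field, so a prefixed name would be flagged).
SAMPLE = ["jsmith#123", "jsmith+", "a.lee", "o'neil", "ma ry", "DOMAIN\\bjones", "jürgen"]

if __name__ == "__main__":
    # The two columns of the table must not share a character.
    assert SUPPORTED.isdisjoint(NOT_SUPPORTED)
    for name, bad in check_user_names(SAMPLE).items():
        print(f"{name!r}: unsupported character(s) {bad}")
```

Running the script on the sample reports jsmith+, DOMAIN\bjones and jürgen; jsmith#123, a.lee, o'neil and "ma ry" pass because #, ., the apostrophe and the space are all in the supported column.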