Cisco Web Security Appliance S680 User Guide
8-14
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 8 Identities
Identifying Users Transparently
AsyncOS for Web communicates with an Active Directory agent to maintain a local copy of the IP
address to user name mapping. When AsyncOS for Web needs to associate an IP address with a user
name, it first checks its local copy of the mapping. If no match is found, it queries an Active Directory
agent to find a match.
For more information on installing and configuring an Active Directory agent, see
.
Consider the following rules and guidelines when you identify users transparently using Active
Directory:
• Transparent user identification with Active Directory works with an NTLM authentication realm
only. You cannot use it with an LDAP authentication realm that corresponds to an Active Directory
instance.
• Transparent user identification works with the versions of Active Directory supported by an Active
Directory agent.
• Optionally, you can install a second instance of an Active Directory agent on a different machine to
achieve high availability. When you do this, each Active Directory agent maintains an IP address to
user name mapping independently of the other agent. AsyncOS for Web uses the backup Active
Directory agent after three unsuccessful ping attempts to the primary agent.
• The Active Directory agent uses on-demand mode when it communicates with the Web Security
appliance.
• The Active Directory agent pushes user logout information to the Web Security appliance. However,
some user logout information never gets recorded in the Active Directory server security logs. This
might happen if the client machine crashes or if the user shuts down the machine without logging
out. If there is no user logout information in the security logs, an Active Directory agent cannot
inform the appliance that the IP address is no longer assigned to that user. Because of this, you can
define the timeout value for how long AsyncOS caches the IP address to user mapping when there
are no updates from an Active Directory agent. For more information, see
.
• The Active Directory agent records the sAMAccountName for each user logging in from a particular
IP address to ensure the user name is unique.
• The client IP addresses that the client machines present to the Active Directory server and the Web
Security appliance must be the same.
• AsyncOS for Web only searches for the direct parent groups that the user belongs to. It does not search
nested groups.
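As an added illustration (not Cisco's code), the following Python sketches the behaviour described above: the local mapping is consulted first, an expired entry is never served, a miss is resolved by querying an agent, and the backup agent is used after three unsuccessful pings to the primary. The agent contents, addresses, the ping callable and the injectable clock are constructed assumptions.

```python
import time

# Constructed sample data: the IP address to user name mappings that two
# hypothetical Active Directory agents would return (added illustration,
# not Cisco's code).
PRIMARY_AGENT = {"10.0.0.5": "DOMAIN\\alice", "10.0.0.7": "DOMAIN\\bob"}
BACKUP_AGENT = {"10.0.0.5": "DOMAIN\\alice", "10.0.0.9": "DOMAIN\\carol"}
PING_FAILURE_THRESHOLD = 3  # backup agent is used after three failed pings


class MappingCache:
    """Local copy of the IP-to-user mapping with a timeout: an entry that
    receives no agent update for `ttl` seconds is discarded, which bounds
    how long a user whose logout never reached the security logs stays
    attributed to an IP address that may now belong to someone else."""

    def __init__(self, ttl, primary, backup, ping_primary, clock=time.time):
        self.ttl, self.primary, self.backup = ttl, primary, backup
        self.ping_primary = ping_primary    # callable: True if primary answers
        self.clock = clock
        self.failed_pings = 0
        self.cache = {}                     # ip -> (user, time of last update)

    def _agent(self):
        """Pick the agent to query; fall back after three unsuccessful pings."""
        if self.ping_primary():
            self.failed_pings = 0
            return self.primary
        self.failed_pings += 1
        return self.backup if self.failed_pings >= PING_FAILURE_THRESHOLD else None

    def update(self, ip, user):
        """Mapping pushed by the agent; user=None records a logout."""
        if user is None:
            self.cache.pop(ip, None)
        else:
            self.cache[ip] = (user, self.clock())

    def lookup(self, ip):
        """Check the local copy first; on a miss or expiry, ask an agent."""
        entry = self.cache.get(ip)
        if entry and self.clock() - entry[1] < self.ttl:
            return entry[0]
        self.cache.pop(ip, None)            # never serve an expired mapping
        agent = self._agent()
        user = agent.get(ip) if agent is not None else None
        if user is not None:
            self.cache[ip] = (user, self.clock())
        return user
```

A short timeout limits how long a stale mapping can misattribute traffic to the previous user of an address, at the cost of more agent queries.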
Setting Up the Active Directory Agent to Provide Information to the Web Security Appliance
Because AsyncOS for Web cannot obtain client IP addresses directly from Active Directory, it must
obtain IP address to user name mapping information from an Active Directory agent.
Install an Active Directory agent on a machine on the network that is accessible to the Web Security
appliance and can communicate with all Windows domain controllers in the forest. For best
performance, this machine should be as close as possible to the Web Security appliance on the network.
In smaller network environments, you may want to install an Active Directory agent directly on the
Active Directory server.
shows where an Active Directory agent is installed in the network.