Cisco Web Security Appliance S170 User Guide
9-13
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 9 Identities
Identifying Users Transparently
• The Active Directory Agent uses on-demand mode when it communicates with the Web Security appliance.
• The Active Directory Agent pushes user logout information to the Web Security appliance. However, some user logout information never gets recorded in the Active Directory server security logs. This might happen if the client machine crashes or if the user shuts down the machine without logging out. If there is no user logout information in the security logs, the Active Directory Agent cannot inform the appliance that the IP address no longer is assigned to that user. Because of this, you can define the timeout value for how long AsyncOS caches the IP address to user mapping when there are no updates from the Active Directory Agent. For more information, see .
• The Active Directory Agent records the sAMAccountName for each user logging in from a particular IP address to ensure the user name is unique.
• The client IP addresses that the client machines present to the Active Directory server and the Web Security appliance must be the same.
• AsyncOS for Web only searches for direct parent groups that the user belongs to. It does not search nested groups.
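The two behaviours in the list above that most often surprise administrators are the cached IP-to-user mapping outliving a crashed client, and group matching that ignores nesting. The following Python model is an added example, not Cisco or AsyncOS code: it simulates the appliance-side cache fed by Active Directory Agent login/logout events, with the timeout applied when no agent update arrives, and contrasts direct-only group matching with a transitive walk. The class and function names, the IP address 10.1.1.25, the user alice, the group names and the timeout values are all constructed for illustration; the real timeout is an appliance setting, not code.

```python
"""Illustrative model of how the appliance consumes Active Directory Agent data.
Added example, not Cisco code: every name, address and value below is assumed."""
from dataclasses import dataclass


@dataclass
class Mapping:
    sam_account_name: str   # the agent records sAMAccountName so the name is unique
    last_update: float      # time of the last agent update for this IP (seconds)


class IpUserCache:
    """IP-address-to-user cache fed by login/logout events pushed by the AD Agent."""

    def __init__(self, timeout_seconds: float):
        # How long a mapping survives with no update from the agent (assumed setting).
        self.timeout = timeout_seconds
        self._map = {}  # ip -> Mapping

    def agent_login(self, ip: str, sam_account_name: str, now: float) -> None:
        # The agent saw a logon for this client IP in the DC security log.
        self._map[ip] = Mapping(sam_account_name, now)

    def agent_logout(self, ip: str) -> None:
        # The agent saw a logoff for this client IP and pushed it to the appliance.
        self._map.pop(ip, None)

    def lookup(self, ip: str, now: float):
        """Return the user attributed to ip, or None if unknown or expired."""
        m = self._map.get(ip)
        if m is None:
            return None
        if now - m.last_update > self.timeout:
            # No agent update within the timeout: stop trusting the mapping.
            del self._map[ip]
            return None
        return m.sam_account_name


def attribute_after_crash(timeout_seconds: float, query_time: float):
    """Constructed scenario: alice logs on at t=0; her machine later crashes, so no
    logoff reaches the security log and the agent never reports 10.1.1.25 as free.
    Returns who the appliance attributes traffic from that IP to at query_time."""
    cache = IpUserCache(timeout_seconds)
    cache.agent_login("10.1.1.25", "alice", now=0)
    return cache.lookup("10.1.1.25", now=query_time)


def attribute_after_logout(timeout_seconds: float, query_time: float):
    """Same scenario, but alice logs off cleanly and the agent pushes the logoff."""
    cache = IpUserCache(timeout_seconds)
    cache.agent_login("10.1.1.25", "alice", now=0)
    cache.agent_logout("10.1.1.25")
    return cache.lookup("10.1.1.25", now=query_time)


# Group membership: AsyncOS checks only groups the user is a direct member of.
# Constructed directory: alice is in Finance-Analysts, which is nested inside Finance.
PARENT_GROUPS = {"Finance-Analysts": {"Finance"}, "Finance": {"All-Staff"}}
ALICE_DIRECT_GROUPS = {"Finance-Analysts"}


def direct_group_match(user_direct_groups: set, policy_group: str) -> bool:
    """What the appliance does: the policy group must be a direct parent group."""
    return policy_group in user_direct_groups


def transitive_groups(user_direct_groups: set, parent_of: dict) -> set:
    """What the appliance does NOT do: walk nested (group-in-group) membership."""
    seen, stack = set(), list(user_direct_groups)
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(parent_of.get(g, ()))
    return seen


if __name__ == "__main__":
    print("no timeout, 1h after crash:", attribute_after_crash(float("inf"), 3600))  # alice (stale)
    print("30 min timeout, 1h after crash:", attribute_after_crash(1800, 3600))      # None
    print("policy on Finance matches alice directly?",
          direct_group_match(ALICE_DIRECT_GROUPS, "Finance"))                        # False
    print("...only via nested groups:",
          "Finance" in transitive_groups(ALICE_DIRECT_GROUPS, PARENT_GROUPS))        # True
```

The first two calls show why the timeout matters: with no expiry, whatever device next receives 10.1.1.25 is still treated as alice, so every policy decision and access log entry for that traffic is attributed to the wrong user. The group functions show the practical consequence of the last bullet: an identity that names a parent group such as Finance will not match a user whose only direct membership is in a nested child group, so policies must reference the groups users belong to directly.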
Setting Up the Active Directory Agent to Provide Information to the Web Security Appliance
Because AsyncOS for Web cannot obtain client IP addresses directly from Active Directory, it must obtain IP address to user name mapping information from the Cisco Active Directory Agent.
Install the Active Directory Agent on a machine on the network that is accessible to the Web Security appliance and can communicate with all Windows domain controllers in the forest. For best performance, this machine should be as close as possible to the Web Security appliance on the network. In smaller network environments, you may want to install the Active Directory Agent directly on the Active Directory server.
Figure 9-5 shows where the Active Directory Agent is installed in the network.
Figure 9-5 Active Directory Agent Workflow
[Figure 9-5 diagram; labeled components: Client, Active Directory Server, Web Security Appliance, Active Directory Agent Installation]
Note The Active Directory Agent instance used for communicating with the Web Security appliance can also support other products, such as the adaptive security appliance and other Web Security appliances.