Cisco Web Security Appliance S360 User Guide
5-15
AsyncOS 9.0 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Realms
Security appliance is managed by a Security Management appliance, be prepared to ensure that same-named authentication realms on different Web Security appliances have identical properties defined on each appliance. Be aware that once you commit the new realm, you cannot change a realm's authentication protocol.
• For NTLMSSP, single sign on (SSO) can be configured on client browsers. See .
Using Multiple NTLM Realms and Domains
The following rules apply in regard to using multiple NTLM realms and domains:
• You can create up to 10 NTLM authentication realms.
• The client IP addresses in one NTLM realm must not overlap with the client IP addresses in another NTLM realm.
• Each NTLM realm can join one Active Directory domain only but can authenticate users from any domains trusted by that domain. This trust applies to other domains in the same forest by default and to domains outside the forest to which at least a one-way trust exists.
• Create additional NTLM realms to authenticate users in domains that are not trusted by existing NTLM realms.
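A small validator, added here as an example and not part of the guide or of AsyncOS, that checks a proposed set of NTLM realms against the rules above (the 10-realm limit and the requirement that client IP ranges in different realms do not overlap) plus the realm-name restriction from the procedure below. The dictionary layout, the `check_ntlm_realms` function and the sample realms are assumptions for illustration.

```python
"""Validate a planned set of NTLM realms before entering them on the appliance."""
import ipaddress
from typing import Dict, List

MAX_NTLM_REALMS = 10  # limit stated in the guide


def _overlaps(a: str, b: str) -> bool:
    """True when two CIDR blocks share at least one address."""
    na = ipaddress.ip_network(a, strict=False)
    nb = ipaddress.ip_network(b, strict=False)
    return na.version == nb.version and (na.subnet_of(nb) or nb.subnet_of(na))


def check_ntlm_realms(realms: Dict[str, List[str]]) -> List[str]:
    """Return rule violations for {realm_name: [client CIDR, ...]}.

    Checks: realm count, realm names limited to alphanumerics and spaces,
    and no client range in one realm overlapping a range in another realm.
    An empty list means the planned set is consistent with the rules.
    """
    problems: List[str] = []
    if len(realms) > MAX_NTLM_REALMS:
        problems.append(f"{len(realms)} NTLM realms defined; limit is {MAX_NTLM_REALMS}")
    for name in realms:
        if not name.replace(" ", "").isalnum():
            problems.append(f"realm name {name!r} contains characters other than alphanumerics and spaces")
    names = list(realms)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            for ca in realms[first]:
                for cb in realms[second]:
                    if _overlaps(ca, cb):
                        problems.append(
                            f"client range {ca} in realm {first!r} overlaps {cb} in realm {second!r}")
    return problems


# Constructed sample (hypothetical realms): "Corp AD" and "Partner AD" collide on 10.1.0.0/16 vs 10.1.5.0/24.
SAMPLE_REALMS = {
    "Corp AD": ["10.1.0.0/16", "192.168.10.0/24"],
    "Partner AD": ["10.1.5.0/24"],
    "Lab AD": ["172.16.0.0/12"],
}

if __name__ == "__main__":
    for problem in check_ntlm_realms(SAMPLE_REALMS):
        print(problem)
```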
Step 1 Choose Network > Authentication.
Step 2 Click Add Realm.
Step 3 Assign a unique name to the authentication realm using only alphanumeric and space characters.
Step 4 Select Active Directory in the Authentication Protocol and Scheme(s) field.
Step 5 Enter up to three fully-qualified domain names or IP addresses for the Active Directory server(s).
Example: active.example.com.
An IP address is required only if the DNS servers configured on the appliance cannot resolve the Active Directory server hostname.
When multiple authentication servers are configured in the realm, the appliance attempts to authorize with up to three authentication servers before failing to authorize the transaction within this realm.
Step 6 Join the appliance to the domain:
a. Configure the Active Directory Account:
b. Click Join Domain.
Setting: Description
Active Directory Domain: The Active Directory server domain name. Also known as a DNS Domain or realm.
NetBIOS domain name: If the network uses NetBIOS, provide the domain name.
Computer Account: Specify a location within the Active Directory domain where AsyncOS will create an Active Directory computer account, also known as a "machine trust account", to uniquely identify the computer on the domain. If the Active Directory environment automatically deletes computer objects at particular intervals, specify a location for the computer account that is in a container, protected from automatic deletion.