Once you have defined the Domains and the elements that belong to them, you must also define which administrators are allowed to log in to the Domains and manage the elements.
Accounts with restricted privileges can be created within any Domain, but you cannot move administrator accounts from one Domain to another, so make sure that you are logged in to the right Domain before creating the accounts. Unrestricted accounts can only exist in the Shared Domain. To give an administrator account access to several Domains, you must define the Administrator element in the Shared Domain. Each Web Portal User account is always bound to a single Domain.
See Administrator Accounts (page 53) for more information.
64 Chapter 8 Domains
Examples of Domains
The examples in this section illustrate a common use for Domains in StoneGate and general steps on how each scenario is configured.
Creating Separate Domains for Different Customers
Company A is a well-known Managed Security Service Provider (MSSP) with a large number of customers. It is important that the networks of different customers are kept separate and that the administrators who manage the customer networks are only allowed to see the networks for which they are responsible. Most of the administrators only manage a single customer’s network, but some of the administrators are responsible for several customers’ networks.
The administrator at Company A decides to use Domain elements to group together the elements belonging to each customer and to make it easier to manage the different customer networks. The administrator also decides to use Category elements to tag the existing elements that will be included in each Domain. As the user database information must not be available across Domains, the administrator decides to use an external LDAP server in each Domain for user authentication.
Company A’s administrator:
1. Arranges a service break with the customers before introducing Domains into the system.
2. Logs in to the Shared Domain and creates the following elements:
• A separate Domain for each customer.
• The Administrator elements (the administrator accounts) for the administrators who manage several customers’ networks in several Domains.
3. Logs in to each customer’s Domain and creates the Administrator elements (the administrator accounts) for the administrators who manage only that particular customer’s network.
4. While logged in to each Domain, configures the elements for using an external LDAP server for authenticating the users in the Domain and for storing the Domain’s user database.
5. Logs in to the Shared Domain, creates a Category element for each customer, and selects the correct customer-specific Category for each customer’s elements.
6. Moves all the customer-specific elements from the Shared Domain to the correct customer-specific Domain.
• To make it easier to move the elements, the administrator first selects the customer-specific Category and then all the elements that belong to the Category.
7. When all the customers’ Domains and their elements have been configured and the service break is over, the administrators for each customer company log in to the Management Client.
• The administrators who are responsible for a single customer’s networks automatically log in to the Domain assigned to them when they log in to the Management Client. They only see the elements that belong to their own configuration as well as the elements in the Shared Domain.
• The administrators who have permissions in several Domains must select the Domain after they have logged in to the Management Client.
Creating Separate Domains for Different Sites
Company B is a large enterprise planning a new system. The system will include 12 different sites, each of which will contain 10 networks. The administrators at each site only need to be able to see the networks at their own sites. As all the sites belong to the same enterprise, the headquarters administrator decides to use the Management Server’s internal LDAP user database for user authentication in all the Domains, even though this means that all the administrators in each Domain will be able to view the user database information.
The headquarters administrator:
1. Logs in to the Shared Domain and creates Domains to represent each of the 12 sites.
2. Configures the user database and user authentication using StoneGate’s internal LDAP directory while logged in to the Shared Domain.
3. Logs in to each Domain that represents a site’s configuration and creates the elements for the Domain:
• The Administrator elements (the administrator accounts) for the administrators of each site.
• All the other elements that belong to each Domain.
4. When the administrators at each site log in to the Management Client, they also automatically log in to the Domain assigned to them. They only see the elements that belong to their own site’s configuration and also the elements in the Shared Domain.
Chapter 9
Categories
A Category is a label for grouping together related elements for the purpose of filtering elements that are displayed in the Management Client.
The following sections are included:
Overview to Categories (page 68)
Configuration of Categories (page 68)
Examples of Categories (page 69)
68 Chapter 9 Categories
Overview to Categories
In a large system, there can be hundreds of elements, but you usually do not need to work with all of the elements at the same time. Category elements allow you to group together related elements according to any criteria you want. Using Categories, you can quickly filter your Management Client view. Elements that do not belong to the selected Category are filtered out so that only the relevant elements are visible. This allows you to manage a large number of elements more efficiently by making it easier to find the elements you need.
Configuration of Categories
You can create as many Category elements as you need. You can modify the contents of the Categories by adding or removing elements. Each element can belong to several Categories.
Default Elements
There are two predefined Categories:
• The System Category is assigned to all the default elements in StoneGate. You can use it to find all the predefined elements in the system.
• The Not Categorized Category contains all the elements that have not yet been assigned a Category.
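The following Python model is an added illustration of the rules stated in the Domains example (Company A) and in the Category descriptions above; it is not StoneGate code and does not use the product’s API. The class names (ManagementServer, Element, Administrator), method names and the sample customers, administrators and elements are all assumptions constructed for the example. It enforces that unrestricted accounts and multi-Domain accounts can only be created in the Shared Domain, computes the two predefined Categories, performs the move-by-Category step, and shows that an administrator sees only their own Domain’s elements plus the Shared Domain’s.

```python
# Toy model of Domain/Category scoping as described in the text above.
# Added illustration, not product code: names and sample data are assumptions.
from dataclasses import dataclass, field

SHARED = "Shared Domain"
SYSTEM = "System"                    # predefined Category of all default elements
NOT_CATEGORIZED = "Not Categorized"  # predefined Category of elements with no Category


@dataclass
class Element:
    name: str
    domain: str = SHARED
    categories: set = field(default_factory=set)
    is_default: bool = False


@dataclass
class Administrator:
    name: str
    home: str            # Domain the account was created in; accounts cannot be moved
    domains: frozenset   # Domains the account is allowed to manage
    unrestricted: bool = False


class ManagementServer:
    def __init__(self):
        self.domains = {SHARED}
        self.elements = {}
        self.admins = {}

    def create_domain(self, name):
        self.domains.add(name)

    def create_administrator(self, name, home, domains=None, unrestricted=False):
        """Enforce the account placement rules stated in the text."""
        granted = frozenset(domains) if domains else frozenset({home})
        if unrestricted and home != SHARED:
            raise PermissionError("unrestricted accounts can only exist in the Shared Domain")
        if home != SHARED and granted != frozenset({home}):
            raise PermissionError("access to several Domains requires an account in the Shared Domain")
        self.admins[name] = Administrator(name, home, granted, unrestricted)

    def create_element(self, name, domain=SHARED, categories=(), is_default=False):
        if domain not in self.domains:
            raise KeyError(domain)
        self.elements[name] = Element(name, domain, set(categories), is_default)

    def categories_of(self, name):
        """Effective Categories of an element, including the two predefined ones."""
        e = self.elements[name]
        cats = set(e.categories)
        if e.is_default:
            cats.add(SYSTEM)
        if not cats:
            cats.add(NOT_CATEGORIZED)
        return cats

    def filter_view(self, category):
        """Element names shown when the Management Client view is filtered by a Category."""
        return sorted(n for n in self.elements if category in self.categories_of(n))

    def move_by_category(self, category, to_domain):
        """Step 6 of the MSSP example: select a customer Category, move its elements."""
        moved = []
        for n in self.filter_view(category):
            e = self.elements[n]
            if e.domain == SHARED and not e.is_default:
                e.domain = to_domain
                moved.append(n)
        return moved

    def login_domain(self, admin_name):
        """Domain entered at login: automatic only if the account has exactly one."""
        a = self.admins[admin_name]
        if a.unrestricted or len(a.domains) != 1:
            return None  # the administrator must select the Domain after logging in
        return next(iter(a.domains))

    def visible_elements(self, admin_name, active_domain):
        """What an administrator sees: the active Domain plus the Shared Domain."""
        a = self.admins[admin_name]
        if a.unrestricted:
            return sorted(self.elements)
        if active_domain not in a.domains:
            raise PermissionError(f"{admin_name} has no rights in {active_domain}")
        return sorted(n for n, e in self.elements.items()
                      if e.domain in (active_domain, SHARED))


def mssp_example():
    """Walk through Company A's steps with constructed sample data."""
    smc = ManagementServer()
    for cust in ("Customer X", "Customer Y"):
        smc.create_domain(cust)
    smc.create_administrator("alice", "Customer X")          # single-customer admin
    smc.create_administrator("bob", "Customer Y")            # single-customer admin
    smc.create_administrator("carol", SHARED, domains={"Customer X", "Customer Y"})
    smc.create_element("ANY network", is_default=True)       # predefined element
    smc.create_element("X-fw", categories={"Customer X"})
    smc.create_element("X-net", categories={"Customer X"})
    smc.create_element("Y-fw", categories={"Customer Y"})
    smc.create_element("misc-host")                          # left in the Shared Domain
    for cust in ("Customer X", "Customer Y"):
        smc.move_by_category(cust, cust)
    return smc
```

Running mssp_example() and then calling visible_elements("alice", "Customer X") returns Customer X’s elements plus the Shared Domain’s, while the same call for "Customer Y" raises PermissionError; carol, created in the Shared Domain, gets no automatic login Domain and must pick one.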
Configuration Workflow
The following sections provide an overview of the configuration tasks. Detailed step-by-step instructions can be found in the Online Help of the Management Client and the Administrator’s Guide PDF.