January 11, 2011
Author: SWAT Team
Audience: Evaluator
Product: Cymphonix® Network Composer EX Series, XLi™ OS version 9
8871 Sandy Parkway | Salt Lake City, UT 84070 | 866.511.1155 | www.cymphonix.com
Active Directory Integration
The following steps will guide you through the process of directory integration. The goal of directory integration is to apply filtering and/or shaping rules to your existing Active Directory security group/OU structure and to report on and correlate all internet usage to a directory user. Once the integration is complete and groups have been built within Network Composer, all management of group membership can be performed from your directory server.
There are several ways to integrate your directory servers with Network Composer. You may have business policies or requirements that prohibit downloading and distributing a Client Agent to all nodes across the network. To fit all environments and scenarios, we also provide other options to authenticate users signing on to the network: the Cymphonix Client Agent (cymdir.exe), Web Authentication (web log-in or IP Lookup), and NTLM for Citrix or Terminal Server environments. Refer to the document “TC6 - Other Options to User Name Based Reporting” for specifics.
We recommend deploying the Cymphonix Client Agent to all network nodes associated with Network Composer and the directory server. This is the method described in this document. Alternatively, you can select one of the Web Authentication methods. The following scenarios describe how Network Composer can authenticate users logging in to their computers.
Two Step Process to accomplish Directory Integration
This is a two-step process that must be followed in order. First, Network Composer gains access to your directory structure when you configure it with a Directory Agent that connects to your directory server over a ‘Direct LDAP Connection’. Second, you deploy a statically compiled executable, cymdir.exe, to your test workstation(s); it collects the user, IP, and domain information.
Configure Network Composer to communicate with Active Directory Server
Requirements
The following fields are required information about your directory server or LDAP connection that you must have before you can create Directory Agents.
- Name
- IP Address
- Password
- Base DN
- Domain
To add a directory agent
1. From Network Composer, navigate to ‘Manage Tab -> Directory Users & Nodes -> Directory Agent’.
2. Click Create.
3. Choose ‘Direct LDAP Connection’ as the type of Directory Agent you want to create.
Note: Direct LDAP Connection: This type of directory agent does not require that the Directory
4. (Required) Enter the Name of the Directory Agent.
Use this name to identify which directory server the Directory Agent is associated with. The name you enter will appear in the Directory Agent drop-down list of the User Interface when you select a directory server to find members from the structure to add to the Directory Agent Group.
Tip: We recommend using your domain name.
5. Enter a Description to identify the Directory Agent Server.
6. (Required) Enter the IP Address of the directory server you want to integrate.
Network Composer must have access to communicate with the directory server's IP address on the network.
7. By default, the Port number is 389.
You can change this value if your LDAP server uses a different port to communicate.
8. (Required) Enter the Password used to access the directory server.
9. Enter the Domain name for the directory server.
10. Click Query Server to search for the Base DN.
11. Click Save.
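Before typing these values into the Directory Agent form it is worth proving, from a host on the same network segment, that the directory server answers on the chosen port, that the bind account and password work, and what the Base DN actually is. The script below is an added example written for this page, not Cymphonix code, and it uses the .NET System.DirectoryServices.Protocols classes directly so it needs no RSAT tooling. The server address 10.3.0.10 and the account CORP\svc-composer are placeholders. It reads RootDSE anonymously (which Active Directory permits by default) to obtain defaultNamingContext, the value the ‘Query Server’ button is looking for, then performs the same simple bind an appliance performs over port 389.

```powershell
# Added example (not Cymphonix code): pre-flight check of the Directory Agent
# inputs (IP, port, bind account, password, Base DN). Server and account are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-DirectoryAgentPrereqs {
    param(
        [Parameter(Mandatory)] [string] $Server,           # directory server IP, as entered in the form
        [int] $Port = 389,                                  # form default; use 636 with -UseSsl for LDAPS
        [Parameter(Mandatory)] [pscredential] $Credential,  # account Network Composer will bind as
        [switch] $UseSsl
    )

    $ldapId = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn   = [System.DirectoryServices.Protocols.LdapConnection]::new($ldapId)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseSsl) { $conn.SessionOptions.SecureSocketLayer = $true }

    # 1. RootDSE is readable anonymously on AD and carries defaultNamingContext,
    #    which is the Base DN that 'Query Server' discovers.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $rootReq = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $null, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base,
        [string[]]('defaultNamingContext', 'dnsHostName'))
    $rootDse = $conn.SendRequest($rootReq).Entries[0]
    $baseDn  = [string]$rootDse.Attributes['defaultNamingContext'][0]
    $dcName  = [string]$rootDse.Attributes['dnsHostName'][0]

    # 2. Simple bind with the password you will type into the form. Without SSL the
    #    password crosses the wire in the clear, and a domain controller configured to
    #    require LDAP signing refuses a simple bind on a plaintext connection.
    if (-not $UseSsl) {
        Write-Warning "Simple bind to $Server`:$Port is unencrypted; prefer LDAPS (636) with -UseSsl."
    }
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    $conn.Bind()   # throws LdapException on a bad password or a refused simple bind

    # 3. Confirm the bound account can read the domain head under the Base DN,
    #    the minimum needed for the later group, OU and attribute lookups.
    $headReq = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $baseDn, '(objectClass=domain)',
        [System.DirectoryServices.Protocols.SearchScope]::Base,
        [string[]]'name')
    $head = $conn.SendRequest($headReq)

    [pscustomobject]@{
        Server      = $Server
        DnsHostName = $dcName
        Port        = $Port
        BaseDN      = $baseDn      # paste this into the Base DN field
        BindOk      = $true
        ReadOk      = ($head.Entries.Count -eq 1)
    }
}

# Usage: IP and account below are assumptions for this example.
Test-DirectoryAgentPrereqs -Server '10.3.0.10' -Credential (Get-Credential 'CORP\svc-composer')
```

If the bind step throws while the RootDSE read succeeded, the network path and port are fine and the problem is the account, the password, or a signing policy on the domain controller; in the last case, change the Port field to 636 and re-run with -UseSsl before changing anything on the appliance.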
Identify when users authenticate to the network and their IP address
This is the final step of the directory integration process, in which you deploy cymdir.exe to the test workstation(s).
Deploying cymdir.exe allows Network Composer to immediately identify when users authenticate to the network while synchronizing with defined groups, OUs, or user attributes. This is accomplished by receiving definitive log-in and log-out events in “heartbeats” of information sent from the client executable once it is running on the workstation. cymdir.exe is not a program or application that has to be installed, so there are no changes to the file structure or registry on the workstation. Rather, it exists and runs only as a process in memory, which terminates at log-off.
This method is the most widely used because it gives you full functionality and obtains the most accurate reporting data while being completely seamless to the end user.
Note: When deploying cymdir.exe into your corporate environment you will use a GPO login script for ease of deployment instead of the manual method used here.
To Deploy Cymdir
1. From your workstation, download the cymdir.exe file from Network Composer. Log in to Network Composer and navigate to ‘Admin Tab -> Downloads -> Directory Agent Software -> Download 32-bit Windows Directory Client Agent’.
2. “Click here to download your file” and when given the choice save the file to the desktop of your
3. Click Save and choose your desktop as the destination to start the download.
4. Once the download is complete you may need to remove the security flag that Internet Explorer places on downloaded executable files (the Zone.Identifier “mark of the web”). Because unblocking tells Windows to trust the file, confirm it came from your own Network Composer before doing so. To unblock it, right-click the file and select Properties. If there is an ‘Unblock’ button available in the ‘Security’ section of the ‘General’ tab, click ‘Unblock’.
Note: If the file is already unblocked you will not see the ‘Unblock’ button at the bottom of the ‘General’ tab.
5. On your workstation click on the Start menu, then ‘Run’. Browse to the location of cymdir.exe, or simply drag the icon from your desktop into the Run box. Once the full path of the cymdir.exe file is in the ‘Run’ dialogue box, add a space to the very end of the path followed by the bridge IP address of your Network Composer. Then click ‘OK’.
Example: “C:\Documents and Settings\Administrator\Desktop\cymdir.exe” 10.3.0.50
Tip: If you launch Task Manager you should see a process called cymdir.exe running.
If cymdir.exe is running on the workstation Network Composer should be receiving your user information.
7. You can verify this within Network Composer by going to ‘Admin Tab -> Diagnostic Tools -> Directory Agent Users’. You should see your username listed.
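The manual Run step above is what a GPO logon script automates in production. The script below is an added example for this page, not a Cymphonix-supplied script, showing one way to do that safely: because every user executes the logon script, anything that can replace cymdir.exe on the distribution share runs on every workstation, so the script copies the binary locally, pins its SHA-256 against the hash of the copy you downloaded from Network Composer, and only then removes the mark of the web and launches it with the bridge IP, exactly as the Run dialogue did. The share path, bridge IP 10.3.0.50 and the expected hash are placeholders, and Get-FileHash and Unblock-File require PowerShell 4.0 or later.

```powershell
# Added example (not Cymphonix code): GPO logon script that starts cymdir.exe with the
# bridge IP as its only argument, after pinning the binary's hash. Paths/IP are placeholders.
function Start-CymdirAgent {
    param(
        [string] $SourcePath = '\\corp.example.com\NETLOGON\cymdir\cymdir.exe',  # assumption
        [string] $BridgeIp   = '10.3.0.50',                                      # assumption
        [Parameter(Mandatory)] [string] $ExpectedSha256   # SHA-256 of the cymdir.exe you downloaded from Network Composer
    )

    # Already running in this session (for example the script was re-run): nothing to do.
    if (Get-Process -Name 'cymdir' -ErrorAction SilentlyContinue) {
        return 'already-running'
    }

    # Copy to the user's temp directory so the agent is not executed straight off the share.
    $local = Join-Path $env:TEMP 'cymdir.exe'
    Copy-Item -Path $SourcePath -Destination $local -Force

    # Pin the binary. Hash the local copy, not the share, so a swap on the share between
    # the check and the launch cannot slip through.
    $actual = (Get-FileHash -Path $local -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        Remove-Item -Path $local -Force
        throw "cymdir.exe hash mismatch: expected $ExpectedSha256, got $actual"
    }

    # Only after the hash matches, clear the Zone.Identifier stream (mark of the web).
    # This is the scripted equivalent of the 'Unblock' button in step 4.
    Unblock-File -Path $local

    # Equivalent of typing:  "<path>\cymdir.exe" 10.3.0.50   into the Run dialogue.
    Start-Process -FilePath $local -ArgumentList $BridgeIp -WindowStyle Hidden
    return 'started'
}

# Usage: replace the placeholder with the hash of the file you downloaded in step 1.
Start-CymdirAgent -ExpectedSha256 '<sha256 of your downloaded cymdir.exe>'
```

After the script has run at logon, the same check as step 7 applies: the user should appear under ‘Admin Tab -> Diagnostic Tools -> Directory Agent Users’. A hash mismatch on one workstation is a reason to stop the rollout and inspect the share, not to update the pinned value.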
Creating a Directory Group
Within Network Composer you can create a ‘Composer Directory Group’, which allows you to incorporate Security Groups, OUs or individual members from your existing directory architecture and subsequently apply unique policies to these users. Besides granular policy control, the other advantage of creating groups is the ability to use the ‘Correlate by Group’ reporting option. This test case takes you through the steps needed to create a directory group.
1. Log in to Network Composer and navigate to ‘Manage Tab -> Policies & Rules -> Groups’ and click ‘Create’. When presented with ‘Choose a Group Type’, choose ‘Create a Directory Agent Group’ and click ‘OK’.
2. You will now be in the ‘Add/Edit Directory Agent Group Detail’ screen. Click ‘Add Members’, which brings you to the ‘Add Directory Group Members’ screen. You can populate a Directory Agent Group with members from your Active Directory server in three ways:
- Security group
- OU
- Attribute
Tip: The Attribute option is commonly used when you need to add individual users. This is easily accomplished by matching on the ‘sAMAccountName’ attribute.
For a test case we recommend adding just one OU or security group that you can comfortably subject to content filtering and/or shaping, such as your IT security group. Alternatively, create a group consisting of one or a few directory users by using the ‘Attribute’ option mentioned above.
Note: This must be a security group that is not set as any user’s ‘Primary Group’ (by default every user’s ‘Primary Group’ is ‘Domain Users’). Active Directory records primary-group membership only in the user’s primaryGroupID attribute, not in the group’s member attribute, so an LDAP lookup of the group will not return those users. In the ‘Name’ field enter something that relates to the users, such as ‘IT Group’; in the ‘Description’ field enter ‘Members contained within “description of group”’.
3. Check the box next to ‘IT Group’ (or a different group that you feel is appropriate for testing) and then click ‘OK’ at the bottom of the page.
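Checking the Primary Group condition from the note above by hand is awkward, because nothing in the group object itself reveals it. The function below is an added example for this page, not Cymphonix code, that does the check for a candidate group before you select it: it reads the group’s objectSid, takes the last sub-authority (the RID, which is exactly what a user’s primaryGroupID stores), and searches for users carrying that RID. It uses only the built-in ADSI accelerators, so it runs on any domain-joined Windows host without RSAT. ‘IT Group’ is the placeholder name from the test case.

```powershell
# Added example (not Cymphonix code): list users that have a given security group as
# their Primary Group. AD keeps that membership only in primaryGroupID (the group's RID),
# not in the group's member attribute, so group lookups miss these users.
function Get-PrimaryGroupMembers {
    param([Parameter(Mandatory)] [string] $GroupName)   # sAMAccountName of the candidate group

    $root = [adsi]'LDAP://RootDSE'
    $base = [adsi]"LDAP://$($root.defaultNamingContext)"

    # 1. Locate the group and read its binary objectSid plus its explicit member list.
    $gs = [adsisearcher]::new($base, "(&(objectCategory=group)(sAMAccountName=$GroupName))")
    $gs.PropertiesToLoad.AddRange([string[]]('objectSid', 'member')) | Out-Null
    $group = $gs.FindOne()
    if (-not $group) { throw "Group '$GroupName' not found" }

    # 2. The RID is the last sub-authority of the SID, e.g. 513 for Domain Users.
    $sid = [System.Security.Principal.SecurityIdentifier]::new(
        [byte[]]$group.Properties['objectsid'][0], 0)
    $rid = [int]($sid.Value.Split('-')[-1])

    # 3. Any user whose primaryGroupID equals that RID is a member the group object never lists.
    $us = [adsisearcher]::new($base, "(&(objectCategory=person)(objectClass=user)(primaryGroupID=$rid))")
    $us.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    $us.PageSize = 500
    $primary = @($us.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })

    [pscustomobject]@{
        Group              = $GroupName
        Rid                = $rid
        ListedMembers      = @($group.Properties['member']).Count   # what a plain group lookup sees
        PrimaryOnlyMembers = $primary                                # what it misses
        SafeForComposer    = ($primary.Count -eq 0)
    }
}

Get-PrimaryGroupMembers -GroupName 'IT Group'
```

Run it against ‘Domain Users’ once to see the effect: ListedMembers is typically empty while PrimaryOnlyMembers is the whole domain, which is why that group is unsuitable here. A candidate group is safe to select only when SafeForComposer is True.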
You have now successfully created a Directory Agent Group that allows you to accomplish two things.
You can run reports and correlate the results ‘by Group’, giving you aggregate reporting data for a specific directory group. For example, how much bandwidth a Domain Users group is using versus a Domain Admins group.