Defining LDAP users and groups without browsing an LDAP server

You can include users and user groups in access policy rules for a managed engine even if SMC is not able to query an external LDAP or AD server.

Follow these steps to add users and user groups to an access policy when SMC cannot reach the directory server to browse it:
Note: The engine itself must still be able to reach the LDAP server for user authentication, even when the LDAP server is not accessible from SMC.

Steps

  1. Create an LDAP server. For more information, refer to the Create LDAP Server or Active Directory Server elements topic.
    Note: This step can be skipped if the LDAP Server element already exists.
  2. Create a new Authentication domain. For more information, refer to the Define Authentication domain elements topic.
    Important: Clear the SMC – Browse Users and Groups checkbox and select the Engine – Resolve Users and Groups checkbox. With these settings you define the users and user groups yourself and use them in access policy rules for authentication, even though SMC cannot communicate with the external LDAP or AD server; the engine resolves them against the directory when users authenticate.
  3. Do one of the following:
    • Create users or user groups manually for the newly created External LDAP domain. For more information:
      • On how to create a user, refer to Create External User elements topic.
      • On how to create a user group, refer to Create External User Group elements topic.
    • Import users and user groups by using an LDAP Data Interchange Format (LDIF) file. For more information, refer to Import user and user groups into an Authentication domain topic.
  4. Use the user or user group in the access policy. Below is an example access rule set:
    Table 1. Example access rules
    Source              Destination  Service         Action
    User or User Group  ANY          ANY             Allow
    User or User Group  Engine       Remote desktop  Deny
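Step 3 offers an LDIF file as the way to load users and groups into the External LDAP domain when SMC cannot browse the directory. The following script is an added example, not part of this documentation or of the product: it writes a small LDIF file with inetOrgPerson users and a groupOfNames group and parses it back, handling the two LDIF details that most often break imports, namely base64 encoding of values with non-ASCII or leading special characters and folding of lines longer than 76 characters (RFC 2849). The base DN, object classes, attribute choices and all user and group data are constructed for illustration; match the DNs to those your LDAP server actually holds, because the engine resolves the users against that server at authentication time.

```python
"""Build and parse a minimal LDIF file for importing users and groups.

Added example, not from the product documentation. Assumes the import
accepts standard RFC 2849 LDIF; the base DN, object classes and sample
users/groups below are constructed and purely illustrative.
"""
import base64

BASE_DN = "dc=example,dc=com"  # hypothetical base DN; use your directory's own


def _needs_base64(value: str) -> bool:
    # RFC 2849 safe-string rules: encode if the value starts with SPACE, ':'
    # or '<', or contains NUL, CR, LF or any non-ASCII character.
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(ord(c) > 127 or c in "\0\r\n" for c in value)


def _attr_line(name: str, value: str) -> str:
    # '::' marks a base64-encoded value, ':' a plain one.
    if _needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def _fold(line: str, width: int = 76) -> str:
    # Long lines are folded; each continuation line starts with one space.
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def _entry(attrs: list[tuple[str, str]]) -> str:
    return "\n".join(_fold(_attr_line(k, v)) for k, v in attrs) + "\n"


def user_entry(uid: str, cn: str, sn: str, mail: str) -> str:
    dn = f"uid={uid},ou=people,{BASE_DN}"
    return _entry([("dn", dn), ("objectClass", "top"), ("objectClass", "person"),
                   ("objectClass", "inetOrgPerson"), ("uid", uid), ("cn", cn),
                   ("sn", sn), ("mail", mail)])


def group_entry(cn: str, member_uids: list[str], description: str = "") -> str:
    dn = f"cn={cn},ou=groups,{BASE_DN}"
    attrs = [("dn", dn), ("objectClass", "top"), ("objectClass", "groupOfNames"),
             ("cn", cn)]
    attrs += [("member", f"uid={u},ou=people,{BASE_DN}") for u in member_uids]
    if description:
        attrs.append(("description", description))
    return _entry(attrs)


def build_ldif(users, groups) -> str:
    # Entries are separated by one blank line; "version: 1" heads the file.
    blocks = [user_entry(*u) for u in users] + [group_entry(*g) for g in groups]
    return "version: 1\n\n" + "\n".join(blocks)


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    # Unfold continuation lines, decode base64 values, split on blank lines.
    unfolded: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


# Constructed sample data: one ASCII user, one with non-ASCII names, one group
# whose description is long enough to require line folding.
SAMPLE_USERS = [("jdoe", "Jane Doe", "Doe", "jdoe@example.com"),
                ("mmuller", "Max Müller", "Müller", "mmuller@example.com")]
SAMPLE_GROUPS = [("rdp-admins", ["jdoe"],
                  "Users allowed Remote Desktop through the engine; maintained "
                  "by hand because SMC cannot browse the directory")]

if __name__ == "__main__":
    print(build_ldif(SAMPLE_USERS, SAMPLE_GROUPS))
```

Running the script prints the LDIF to standard output; redirect it to a file and import that file into the Authentication domain. The round trip through `parse_ldif` is a cheap pre-import check that every DN, `member` reference and non-ASCII name survives encoding and folding intact.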