Provisioning users from Active Directory

Active Directory (AD) integration supports automatic provisioning and deprovisioning of users as well as synchronization of user group membership changes made in AD.

To set up directory sync, you need to deploy the Forcepoint ONE SSE AD Connector. Select the groups and organizational units (OUs) that will be used as the source for synchronizing user and group membership changes. The synced groups/OUs can also be used in policy rules for security enforcement.

Note: All users synced from AD into Forcepoint ONE SSE count against the user limit of the purchased license. To avoid issues with user licensing, Forcepoint ONE SSE recommends syncing by groups instead of selecting all users. This helps prevent syncing accounts that are not intended to be used with Forcepoint ONE SSE (such as test accounts, rooms, etc.). You may also consider creating Forcepoint ONE SSE-specific group(s) in AD to ensure that only the users you intend to use with Forcepoint ONE SSE are synced.
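The following PowerShell script is an added example, not part of this page or of Forcepoint's tooling; it builds and maintains a dedicated AD group holding exactly the accounts meant to be synced, then compares the head count with the license limit before the AD Connector is pointed at it. It assumes the ActiveDirectory module, and the group name, OU paths, exclusion naming convention and seat count are placeholders for your environment.

```powershell
# Added example (not Forcepoint's own code): keep a dedicated AD group whose
# membership is exactly the set of accounts to sync, so only those accounts
# count against the Forcepoint ONE SSE user license.
# Assumptions (not from the page): group name, OU paths, naming convention and
# license limit below are placeholders for your environment.
Import-Module ActiveDirectory

$SyncGroup    = 'SG-ForcepointONE-Users'                 # assumed group name
$GroupPath    = 'OU=Groups,DC=example,DC=com'            # assumed OU for the group
$SourceOUs    = @('OU=Staff,DC=example,DC=com',
                  'OU=Contractors,DC=example,DC=com')    # assumed source OUs
$LicenseLimit = 500                                      # assumed purchased seats

# Create the dedicated group once; later runs simply reuse it.
if (-not (Get-ADGroup -Filter "Name -eq '$SyncGroup'")) {
    New-ADGroup -Name $SyncGroup -GroupScope Global -GroupCategory Security `
        -Path $GroupPath -Description 'Accounts synced to Forcepoint ONE SSE'
}

# Collect enabled users from the chosen OUs. Service, test and room accounts are
# excluded by an assumed naming convention (svc-*, test-*, room-*); adjust it
# to whatever convention your directory actually uses.
$Wanted = @(foreach ($ou in $SourceOUs) {
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ou -SearchScope Subtree |
        Where-Object { $_.SamAccountName -notmatch '^(svc|test|room)-' }
})
if ($Wanted.Count -eq 0) { throw 'No candidate users found; refusing to empty the group.' }

# Reconcile membership: add newcomers, drop accounts that no longer qualify, so
# that AD-side deprovisioning is reflected in the next Forcepoint ONE SSE sync.
$Current  = @(Get-ADGroupMember -Identity $SyncGroup | Where-Object { $_.objectClass -eq 'user' })
$ToAdd    = @($Wanted  | Where-Object { $_.DistinguishedName -notin $Current.DistinguishedName })
$ToRemove = @($Current | Where-Object { $_.DistinguishedName -notin $Wanted.DistinguishedName })

if ($ToAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $SyncGroup -Members $ToAdd }
if ($ToRemove.Count -gt 0) { Remove-ADGroupMember -Identity $SyncGroup -Members $ToRemove -Confirm:$false }

# Check the resulting head count against the license before selecting this
# group as a sync source in the AD Connector.
$Count = @(Get-ADGroupMember -Identity $SyncGroup -Recursive).Count
if ($Count -gt $LicenseLimit) {
    Write-Warning "$SyncGroup has $Count members, exceeding the $LicenseLimit licensed users."
} else {
    Write-Output "$SyncGroup has $Count members ($($LicenseLimit - $Count) licenses remaining)."
}
```

Run it on a schedule so that group membership, and therefore what the AD Connector syncs, tracks joiners and leavers in the source OUs.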

Agent authentication can be used once your User Source has been set to Active Directory. Forcepoint ONE SSE can cache a user's AD password hash so that authentication is handled inside Forcepoint ONE SSE instead of querying AD on every login. The cache expires every 24 hours.

If you are using AD agent authentication, you must set up redundant agents to ensure high availability. This ensures users can log in in the event of a failure, for example when the agent becomes unreachable, the agent loses connectivity to the AD server, or the machine running the agent goes down or reboots.