Provisioning users from Active Directory

Active Directory (AD) integration supports automatic provisioning and deprovisioning of users as well as synchronization of user group membership changes made in AD.

To set up directory sync, deploy the Forcepoint Data Security Cloud | SSE AD Connector, then select the groups and organizational units (OUs) that will serve as the source for synchronizing users and group membership changes. The synced groups and OUs can also be used in policy rules for security enforcement.

Note: All users synced from AD into Forcepoint Data Security Cloud | SSE count against the user limit of the purchased license. To avoid licensing issues, Forcepoint Data Security Cloud | SSE recommends syncing by groups instead of selecting all users. This helps prevent syncing accounts that are not intended for use with Forcepoint Data Security Cloud | SSE (such as test accounts, room accounts, etc.). You may also consider creating Forcepoint Data Security Cloud | SSE-specific group(s) in AD to ensure that only the users you intend to use with Forcepoint Data Security Cloud | SSE are synced.
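Before committing to a sync scope, it helps to know how many enabled user accounts the selected groups actually contain compared with the whole domain. The following PowerShell is an added example, not Forcepoint tooling or documentation; it assumes the RSAT ActiveDirectory module is installed and uses placeholder group names.

```powershell
# Added example (not part of the Forcepoint documentation): size a group-scoped
# sync before enabling it, so the license count and stray accounts are visible
# up front. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder names for the AD groups you intend to select in the connector
$SyncGroups = @('SSE-Users', 'SSE-Contractors')

# Resolve nested membership and keep only user objects (drop nested groups, computers)
$members = foreach ($g in $SyncGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
}

# A user in several groups must only be counted once
$users = $members |
    Sort-Object -Property objectGUID -Unique |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName -Properties Enabled, mail, description
    }

$enabled  = $users   | Where-Object { $_.Enabled }
$disabled = $users   | Where-Object { -not $_.Enabled }
# Heuristic only: accounts without a mail attribute are often rooms, test or
# service accounts and are worth reviewing before they are synced.
$noMail   = $enabled | Where-Object { -not $_.mail }

# Baseline: what "select all users" would pull in
$allEnabled = @(Get-ADUser -Filter 'Enabled -eq $true').Count

"Distinct users in sync scope       : $(@($users).Count)"
"  enabled                          : $(@($enabled).Count)"
"  disabled                         : $(@($disabled).Count)"
"  enabled without mail (review)    : $(@($noMail).Count)"
"All enabled users in the domain    : $allEnabled"
""
"Enabled scope members without a mail attribute:"
$noMail | Select-Object SamAccountName, Name, description | Format-Table -AutoSize
```

Run it as an account with read access to the directory; the accounts it lists without a mail attribute are candidates to move out of the sync groups before the connector is configured.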

Agent authentication can be used once your User Source has been set to Active Directory. Forcepoint Data Security Cloud | SSE can cache a user's AD password hash so that authentication is performed inside Forcepoint Data Security Cloud | SSE instead of querying AD on every login. The cache expires every 24 hours.

If you are using AD agent authentication, you must set up redundant agents to ensure high availability. This ensures users can log in in the event of a failure, for example if the agent becomes unreachable, the agent loses connectivity to the AD server, or the machine running the agent goes down or reboots.