Integrating external directory servers
You can use an external directory server to store user group and user information instead of or in addition to the internal user database.
The external directory server can be an LDAP server, or a Microsoft Active Directory server that provides LDAP services.
You can use an external directory server without integrating it with the Secure SD-WAN Manager components. You can view user information and use it for authentication against an external authentication service simply by allowing the Secure SD-WAN Manager components to connect to the LDAP database.
The Management Server and the Engines each use their own integrated LDAP client to query the external LDAP directory directly. The external LDAP directory is not replicated into the internal directory on the Management Server or into the local directory of the Engines. Instead, the Engines query the external LDAP directory separately each time a user attempts to authenticate. The Management Server likewise queries the external LDAP directory separately when you view the User elements in the Management Client.
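The paragraph above states that the external directory is queried live on every authentication attempt rather than replicated. The following is an added example, not Secure SD-WAN Manager code, that models the usual search-then-bind authentication an LDAP client performs and shows why the live-query model matters: a user disabled on the directory server is refused on the very next attempt, with no replication lag. The directory itself is an in-memory stand-in with constructed entries so the example runs offline; the `uid` attribute, the base DN `ou=people,dc=example,dc=com`, the user names and passwords are all assumptions, and the attribute and filter the Engines actually use are not described on this page. The filter escaping follows RFC 4515 and the rejection of empty passwords follows RFC 4513 section 5.1.2.

```python
"""Added example (not Forcepoint's code): search-then-bind LDAP authentication that
queries the directory on every attempt. The directory backend is an in-memory mock
(constructed data) so the example runs offline; a real deployment issues the same
search and bind through an LDAP client library against the external server."""

from dataclasses import dataclass, field
from typing import Dict, Optional


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3), so a
    user name containing '*', '(', ')', '\\' or NUL cannot change the filter's meaning."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


@dataclass
class Entry:
    uid: str
    password: str          # stored in clear only because this is an offline mock
    disabled: bool = False


@dataclass
class FakeDirectory:
    """In-memory stand-in for the external LDAP directory (constructed data, not a real
    server). It supports only what the authenticator needs: an equality search on uid
    and a simple bind."""
    entries: Dict[str, Entry] = field(default_factory=dict)   # dn -> entry

    def search(self, base_dn: str, ldap_filter: str) -> Optional[str]:
        """Return the DN of the entry under base_dn matching a '(uid=...)' filter, or None.
        The mock compares the filter against the escaped form of each stored uid, which
        is equivalent to a real server decoding the filter and comparing raw values."""
        for dn, entry in self.entries.items():
            if dn.endswith(base_dn) and ldap_filter == f'(uid={escape_filter_value(entry.uid)})':
                return dn
        return None

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: succeeds only for an enabled entry with a matching password."""
        entry = self.entries.get(dn)
        return entry is not None and not entry.disabled and entry.password == password


class LdapAuthenticator:
    """Search-then-bind authentication that queries the directory on every attempt;
    nothing is replicated or cached, so directory-side changes apply immediately."""

    def __init__(self, directory: FakeDirectory, base_dn: str) -> None:
        self.directory = directory
        self.base_dn = base_dn

    def authenticate(self, username: str, password: str) -> bool:
        # RFC 4513 section 5.1.2: a bind with a DN and an empty password is an
        # *unauthenticated* bind that many servers accept, so reject it up front.
        if not password:
            return False
        ldap_filter = f'(uid={escape_filter_value(username)})'
        dn = self.directory.search(self.base_dn, ldap_filter)   # fresh query, every time
        if dn is None:
            return False
        return self.directory.bind(dn, password)


def demo() -> Dict[str, bool]:
    """Constructed scenario: a user authenticates, is then disabled on the directory
    server, and is refused on the next attempt because the directory is queried live."""
    base_dn = 'ou=people,dc=example,dc=com'                     # assumed base DN
    directory = FakeDirectory({
        f'uid=alice,{base_dn}': Entry('alice', 'correct horse'),  # constructed entries
        f'uid=bob,{base_dn}': Entry('bob', 'battery staple'),
    })
    auth = LdapAuthenticator(directory, base_dn)
    results = {
        'alice_ok': auth.authenticate('alice', 'correct horse'),
        'alice_wrong_password': auth.authenticate('alice', 'nope'),
        'alice_empty_password': auth.authenticate('alice', ''),
        # a wildcard in the user name is escaped, so it matches no entry
        'wildcard_username': auth.authenticate('*', 'correct horse'),
    }
    directory.entries[f'uid=alice,{base_dn}'].disabled = True  # change made on the directory
    results['alice_after_disable'] = auth.authenticate('alice', 'correct horse')
    return results


if __name__ == '__main__':
    for name, ok in demo().items():
        print(f'{name}: {"allowed" if ok else "denied"}')
```

Because there is no local copy of the directory, each `authenticate` call round-trips to the directory server; that is what makes account disablement take effect at once, and also why the directory server's availability and the integrity of the connection to it are on the authentication path.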
You can configure access to the directory server for both the Management Server and the Engines, or for the Engines only. To take full advantage of user authentication features, we recommend configuring access to the directory server for both the Management Server and the Engines. If both the Management Server and the Engines can access the external directory server, the following benefits apply:
- There is no need to manually duplicate user account information. User and User Group elements are automatically added to the Secure SD-WAN Manager from the external directory.
- Externally stored user accounts are shown in the Management Client and can be used to create different rules for different users.
- In most cases, users can also be added, removed, and edited through the Management Client.
- Internal authentication methods can be used to authenticate externally stored users.
If only the Engines can access the external directory server, the following restrictions apply:
- You can authenticate externally stored users only against authentication methods provided by an external authentication server. Internal authentication methods are not available for externally stored users.
- A single element (User element named *external*) is used to represent all externally stored users in the Firewall Policy. It is not possible to create different rules for different externally stored users.