Configure the Integrated User ID Service

You can use the Integrated User ID Service on the NGFW Engine to provide transparent user identification for access control by user. The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services.

Before you begin

  • You have created an Active Directory server element and added the Domain Controller servers and Microsoft Exchange Servers from which the Active Directory server receives information in the Active Directory Server properties.
  • You have created an External LDAP Domain element and bound the Active Directory Server element that you created to the External LDAP Domain element.
Note: The Integrated User ID Service requires that the external authentication method of the Active Directory Server and the authentication method of the External LDAP Domain are user password or LDAP authentication.

Note: You cannot use the Integrated User ID Service with Virtual NGFW Engines.

Steps

  1. Select Configuration.
  2. Browse to Other Elements > Engine Properties > User Identification Services.
  3. Right-click User Identification Services, then select New > Integrated User ID Service.
  4. Enter a name for the service.
  5. In the Active Directory Domain field, select the External LDAP Domain from which the Integrated User ID Service element receives information about users, groups, and IP addresses.
    Select the External LDAP Domain element to which you bound the Active Directory Server that you want to use in the Integrated User ID Service configuration. If several Active Directory Servers are bound to the External LDAP Domain element, the Integrated User ID Service uses the first Active Directory Server element that is listed in the External LDAP Domain element.
  6. Enter the time range for the first query of user, IP address, and group information from the NGFW Engine to the Active Directory Server.
    The time range for the first query defines how far back in time the NGFW Engine queries for the user, IP address, and group information. The time range for the first query must be between one minute and seven days.
    Note: The NGFW Engine uses the defined time range for the first query only when the Integrated User ID Service starts after it has first been configured or when the Integrated User ID Service starts after the NGFW Engine has been rebooted.
  7. Define how often the NGFW Engine polls for the user, group, and IP address information from the AD server.
  8. (Optional) Define user names and IP addresses that the Integrated User ID Service does not monitor.
    • User names to be ignored are typically user names that are associated with service accounts that do not represent actual users.
    • IP addresses to be ignored typically represent multi-user servers such as terminal servers.
    • If you define an entry that contains both a user name and an IP address, the entry matches only if both the user name and the IP address are detected.
  9. Click OK.
    The User ID Service element is created.
  10. Enable the Integrated User ID Service on the NGFW Engine.
    1. Select Configuration.
    2. Right-click an engine, then select Edit <element type>.
    3. Browse to Add-Ons > User Identification.
    4. In the User Identification Service list, select an Integrated User ID Service element.
      If the Integrated User ID Service element that you want to use is not listed, select Select, then select the Integrated User ID Service element.
    5. If the LDAP domain for the External LDAP Domain is not the default LDAP domain, browse to Advanced Settings > Authentication, then select Allow lookup from known User Domain matching to client email domain or UPN suffix to allow the Active Directory Server to query the user information from the external LDAP domain.
    6. Click Save and Refresh.
  11. On the Domain Controller servers and Exchange Servers that provide information about users' IP addresses to the Integrated User ID Service, configure permissions for the user accounts that are used to query the IP address information.
    Note: The NGFW Engine uses the BIND user that is configured in the Active Directory Server element properties to monitor logon events.
    1. Open the command prompt, type wmimgmt.msc, then press Enter.
    2. Right-click WMI Control, then click Properties.
    3. Switch to the Security tab.
    4. Browse to Root > CIMV2.
    5. Make sure that Execute Methods, Remote Enable, Read Security, and Enable Account are selected.
    6. Click OK.
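As an added example (not Forcepoint's code), the following Windows PowerShell check verifies step 11 without opening wmimgmt.msc: it reads the security descriptor of the Root\CIMV2 namespace on the Domain Controller or Exchange Server where it runs and reports which of the four required rights the BIND account is missing. The account name is a placeholder, and the check only inspects ACEs granted directly to that account's SID, not rights inherited through group membership.

```powershell
# Added example: audit Root\CIMV2 permissions for the BIND account used by the
# Integrated User ID Service. Run in Windows PowerShell (5.1) on each Domain
# Controller / Exchange Server that provides logon information.
param(
    # Placeholder: replace with the BIND user from the Active Directory Server element
    [string]$BindAccount = 'EXAMPLE\svc-ngfw-bind',
    [string]$Namespace   = 'root\cimv2'
)

# WMI namespace access-mask bits (wbemcli.h) for the four rights the procedure requires
$Required = [ordered]@{
    'Enable Account'  = 0x00001   # WBEM_ENABLE
    'Execute Methods' = 0x00002   # WBEM_METHOD_EXECUTE
    'Remote Enable'   = 0x00020   # WBEM_REMOTE_ACCESS
    'Read Security'   = 0x20000   # READ_CONTROL
}

# Resolve the account to its SID so it can be matched against the ACE trustees
$sid = (New-Object System.Security.Principal.NTAccount($BindAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# The __SystemSecurity singleton exposes the namespace's security descriptor
$result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with code $($result.ReturnValue)" }

# OR together the allow ACEs (AceType 0 = ACCESS_ALLOWED) for this SID only;
# rights granted via group membership are deliberately not resolved here
$granted = 0
foreach ($ace in $result.Descriptor.DACL) {
    if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $sid) {
        $granted = $granted -bor $ace.AccessMask
    }
}

$missing = @()
foreach ($right in $Required.Keys) {
    $bit = $Required[$right]
    $ok  = (($granted -band $bit) -eq $bit)
    '{0,-16} {1}' -f $right, $(if ($ok) { 'OK' } else { 'MISSING' })
    if (-not $ok) { $missing += $right }
}
if ($missing.Count -gt 0) {
    Write-Warning "$BindAccount lacks on ${Namespace}: $($missing -join ', '). Grant them via wmimgmt.msc (Security > Root > CIMV2)."
}
```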

Result

The Integrated User ID Service is enabled on the NGFW Engine.

Integrated User ID Service Properties dialog box

Use this dialog box to define the properties of the Integrated User ID Service element.

Option Definition
Name The unique name of the element.
Active Directory Domain The External LDAP Domain from which the Integrated User ID Service receives information about users, groups, and IP addresses.
Time Range for First Query The time range for how far back in time the NGFW Engine queries for the user, IP address, and group information from the Active Directory Server.
Polling Interval for Logon Information How often the NGFW Engine polls for the user, group, and IP address information from the Active Directory Server.
Ignored Users and IP Addresses User names and IP addresses that the Integrated User ID Service does not monitor.
Add Click Add to define a user name and IP address that the Active Directory Server does not monitor.
Remove Removes the selected row from the list of ignored user names and IP addresses.
Category Includes the Integrated User ID Service in predefined categories.
Comment An optional comment for your own reference.