Getting started with directory servers

A directory server is a server that contains a user database that is queried during the user authentication process.

You can store the user accounts in the Management Server’s internal user database, or on an external directory server. Different users can be stored in different directories. Authentication is based on the user information, but is a separate operation and is not necessarily done on the same server that stores the user information.

You can optionally use an integrated external Active Directory Server with the Forcepoint User ID Service or the Integrated User ID Service to provide transparent user identification for access control by user. Access control by user allows the use of Active Directory users as the source and destination of rules. The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services.

Note: For Forcepoint NGFW version 6.4 or higher, we recommend that you use the Forcepoint User ID Service.

To implement user authentication, you must define user accounts either in the internal user database or on an external directory server.

If you use an external third-party authentication server and do not need to define different access rights for different users, it is not necessary to integrate an external directory server with the SMC. You can create a special User element with the name *external* in the internal user database to represent any user that authenticates using the external authentication service.

Limitations

  • The internal LDAP user database does not allow external authentication servers to query user information.
  • The internal LDAP database limits the length of the User and User Group DN (distinguished name) to a maximum of 254 characters. Check the restrictions of external LDAP servers from the external server’s documentation.
  • If administrative Domains are configured, the internal user database is always in the Shared Domain. The user accounts stored in the internal database are also always in the Shared Domain. If you want to limit the visibility of end-user accounts, you must configure external LDAP databases separately for each Domain.
  • User authentication is only supported on Firewalls. User authentication is not supported on layer 2 physical interfaces on Firewalls.

What do I need to know before I begin?

  • The Management Server has an internal LDAP user database.
  • Alternatively, you can use external LDAP user databases (including Active Directory).
  • Different users can be stored in different databases.
Depending where user information is stored, different authentication options are available. The following table explains the possible combinations of internal and external directory servers and authentication servers:
Table 1. Combinations of internal and external directory servers and authentication servers
  Internal authentication server External authentication server
Internal directory server User and User group information are maintained in the Management Server’s internal user database. User and User Group information can be managed using the Management Client and can be used for creating rules. Authentication can be done with password, IPsec certificate, or preshared key. A second, external user database is required because the external authentication server has no access to the internal database. The same user information must be maintained separately in the Management Server’s internal user database and in the external user database. User and User Group information can be used for creating rules. Any authentication method supported by the external authentication server can be used.
External directory server The Management Server is defined as an LDAP client for the external directory server. User and User Group information is shown in the Management Client, and can be used for creating rules. Authentication can be done with password, IPsec certificate, or preshared key.

If you define NGFW Engines as LDAP clients for the external directory server, the NGFW Engine can send the user name and password to the external directory server for authentication. The external directory server checks the user name and password against the user’s credentials in the external directory server, then replies to the NGFW Engine whether authentication succeeded or failed.

You can optionally define the Management Server as an LDAP client for the external directory server. You can also duplicate and manually maintain the same user information separately in the Management Server’s internal user database and in the external user database.

Otherwise, you can create a single User element named *external* to represent all externally stored users. In this case, it is not possible to create different rules for different externally stored users. Each authentication rule includes all external users. There can be several rules, but any user that can authenticate in one rule can also authenticate when any of the other rules is triggered.

Any authentication method supported by the external authentication server can be used.