How Directory Agent works with User Service

Although Directory Agent collects directory information independently, it has one important dependency on User Service. At installation, Directory Agent must connect to a Policy Server instance that has a User Service associated with it. Directory Agent can be configured to communicate only with the directory that this User Service instance is configured to use.

In other words, in a distributed deployment, if you have multiple Policy Servers, each with an associated User Service, and the User Service instances connect to different directory servers, you must associate Directory Agent with the Policy Server whose User Service connects to the directory that you want to use for hybrid user identification.

  • You can have multiple Directory Agent instances.
  • Each Directory Agent instance must be associated with a different Policy Server.
  • All Directory Agent instances must connect to a single Sync Service. (A deployment can have only one Sync Service instance.)

You must configure the Sync Service connection manually for all supplemental Directory Agent instances. (Communication is configured automatically for the Directory Agent instance that connects to the same Policy Server as Sync Service.)

To do this:

Steps

  1. When you log on to the Forcepoint Security Manager, select the appropriate Policy Server instance for the Directory Agent that you want to configure.
  2. Go to the Settings > Hybrid Configuration > Shared User Data page.
  3. Under Synchronize User Data, verify the Name or IP address of the Sync Service machine and the Port used for Sync Service communication (by default, 55832).
  4. Click Test Connection to verify that Directory Agent can send data to Sync Service. The test may take a minute or more.
    • If the connection is made, a success message is displayed.
    • If the connection cannot be made, verify the IP address or hostname of the Sync Service machine and the communication port. Also verify that the Sync Service machine is on, that Sync Service is running, and that your network firewall permits connections on the Sync Service port.
  5. Click OK to cache your changes, and then click Save and Deploy to implement them.

Next steps

Directory Agent configuration cannot be performed until there is a supported User Service configuration. Changes to the User Service configuration may also require you to update your Directory Agent configuration.

  • User Service configuration is performed on the Settings > General > Directory Services page (see Working with users and groups).
  • Directory Agent configuration is performed on the Settings > Hybrid Configuration > Shared User Data page (see Send user and group data to the hybrid service).

You can configure Directory Agent to use a different root context than User Service, and to process its directory data differently from User Service. Also, with Windows Active Directory, if User Service is configured to communicate with multiple global catalog servers, Directory Agent can communicate with all of them.

Note that if you have multiple Directory Agent instances, each instance must use a unique, non-overlapping root context.
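The non-overlapping requirement above is easy to violate when one instance is given a parent container of another. The following is an added example (not Forcepoint code) that checks a set of Directory Agent root contexts for such overlap, assuming each root context is written as an LDAP distinguished name; the instance names and DNs are constructed sample data.

```python
"""Check that Directory Agent root contexts do not overlap.

Two LDAP root contexts overlap when they are equal or one is an ancestor
of the other: "dc=example,dc=com" contains "ou=sales,dc=example,dc=com".
Example added to this page; not Forcepoint's own implementation. Assumes
root contexts are written as LDAP distinguished names.
"""
from typing import Dict, List, Tuple


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalized RDNs, most specific first.

    Simplified parser: splits on commas (escaped commas and multi-valued
    RDNs are not handled), lowercases types and values, trims whitespace.
    """
    out = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def contexts_overlap(a: str, b: str) -> bool:
    """True if DN a equals, contains, or is contained in DN b."""
    ca, cb = dn_components(a), dn_components(b)
    shorter, longer = (ca, cb) if len(ca) <= len(cb) else (cb, ca)
    # The ancestor's RDNs must be exactly the trailing RDNs of the descendant.
    return longer[len(longer) - len(shorter):] == shorter


def find_overlaps(instances: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of instance names whose root contexts overlap."""
    names = sorted(instances)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if contexts_overlap(instances[x], instances[y])]


# Constructed sample: three agents; "da-all" collides with both others.
SAMPLE_INSTANCES = {
    "da-emea": "OU=EMEA,DC=example,DC=com",
    "da-amer": "ou=Americas, dc=example, dc=com",
    "da-all": "dc=example,dc=com",
}

if __name__ == "__main__":
    for x, y in find_overlaps(SAMPLE_INSTANCES):
        print(f"overlap: {x} <{SAMPLE_INSTANCES[x]}> vs {y} <{SAMPLE_INSTANCES[y]}>")
```

Run it against the root contexts you plan to assign before deploying a second Directory Agent instance; any pair it reports must be changed so that neither context contains the other.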