Connecting to Windows Active Directory (Native Mode)

Note:

If User Service resides on an appliance or Linux server, and you are using Logon Agent to identify users, use a text editor to edit authserver.ini (in C:\Program Files\Websense\Web Security\bin or /opt/Websense/bin/, by default) and add the following to the [ServerMap] section.

USER DOMAIN=pdc hostname=pdc ip address

where USER DOMAIN is the primary domain name, hostname is the hostname of the primary domain controller, and ip address is the IP address of the primary domain controller.

Windows Active Directory stores user information in one or more global catalogs. The global catalog lets individuals and applications find objects (users, groups, and so on) in an Active Directory domain.

In order for User Service to communicate with Active Directory in Native Mode, you must provide information about the global catalog servers in your network.

  1. Click Add, next to the Global catalog servers list. The Add Global Catalog Server page appears.
  2. Provide the IPv4 address or hostname of the global catalog server:
    • If you have multiple global catalog servers configured for failover, enter the DNS domain name.
    • If your global catalog servers are not configured for failover, enter the IPv4 address or hostname (if name resolution is enabled in your network) of the server to add.
  3. Enter the Port that User Service should use to communicate with the global catalog (by default, 3268).
  4. Optionally, enter the Root context for User Service to use when associating user and group information with Internet requests. Note that this context is used for policy enforcement, but not for adding clients in the Forcepoint Security Manager.
    • If you supply a value, it must be a valid context in your domain.
    • If you have specified a communications port of 3268 or 3269, you do not need to supply a root context. If there is no root context, User Service begins searching at the top level of the directory service.
    • If the specified port is 389 or 636, you must provide a root context.
      Note: Avoid having the same user name in multiple domains. If User Service finds duplicate account names for a user, the user cannot be identified transparently.
  5. Specify which administrative account User Service should use to retrieve user name and path information from the directory service. This account must be able to query and read from the directory service, but does not need to be able to make changes to the directory service, or be a domain administrator.

    Select Distinguished name by components or Full distinguished name to specify how you prefer to enter the account information.

    • If you selected Distinguished name by components, enter the Display name, account Password, Account folder, and DNS domain name for the administrative account. Use the common name (cn) form of the administrative user name, and not the user ID (uid) form.
      Note: The Account folder field does not support values with the organizational unit (ou) tag (for example, ou=Finance). If your administrative account name contains an ou tag, enter the full distinguished name for the administrative account.
    • If you selected Full distinguished name, enter the distinguished name as a single string in the User distinguished name field (for example, cn=Admin, cn=Users, ou=InfoSystems, dc=company, dc=net), and then supply the Password for that account.
  6. Click Test Connection to verify that User Service can connect to the directory using the account information provided.
  7. Click OK to return to the Directory Services page.
  8. Repeat the process above for each global catalog server.
  9. Click Advanced Directory Settings, and then go to Advanced directory settings.
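As an added example (not Forcepoint's own code), the following Python pre-flight check encodes three rules from the procedure above: the port/root-context rule from step 4, the composition of the administrative account's distinguished name from its components in step 5, and the duplicate-account caveat from the note under step 4. The sample entries and the assumption that the Account folder is given in cn= form (or as a bare container name) are constructed for illustration.

```python
"""Pre-flight checks for a global catalog server entry (constructed example)."""
from collections import defaultdict

GC_PORTS = {3268, 3269}      # global catalog (plain / LDAPS)
DOMAIN_PORTS = {389, 636}    # single-domain LDAP (plain / LDAPS)


def check_root_context(port: int, root_context: str = "") -> str:
    """Return the effective search base, enforcing the port rules of step 4."""
    if port in GC_PORTS:
        # Root context is optional; empty means search from the top of the directory.
        return root_context or ""
    if port in DOMAIN_PORTS:
        if not root_context:
            raise ValueError(f"port {port} requires a root context")
        return root_context
    raise ValueError(f"unexpected directory port {port}")


def dn_from_components(display_name: str, account_folder: str, dns_domain: str) -> str:
    """Build the full DN from the 'by components' fields of step 5.

    Assumption: account_folder is either 'Users' or 'cn=Users'; an ou= value is
    rejected, as the page says that field does not support the ou tag.
    """
    folder = account_folder.strip()
    if folder.lower().startswith("ou="):
        raise ValueError("Account folder cannot hold an ou= value; use the full DN form")
    if not folder.lower().startswith("cn="):
        folder = f"cn={folder}"
    dc_part = ",".join(f"dc={label}" for label in dns_domain.split("."))
    return f"cn={display_name},{folder},{dc_part}"


def duplicate_accounts(entries):
    """Return account names that appear in more than one domain (case-insensitive)."""
    domains = defaultdict(set)
    for name, domain in entries:
        domains[name.lower()].add(domain.lower())
    return sorted(n for n, d in domains.items() if len(d) > 1)


# Constructed sample of (account name, domain) pairs a catalog search might return.
SAMPLE = [("jsmith", "corp.example"), ("JSmith", "eu.corp.example"), ("alee", "corp.example")]

if __name__ == "__main__":
    print(repr(check_root_context(3268)))                    # '' -> top level
    print(dn_from_components("Admin", "Users", "company.net"))
    print(duplicate_accounts(SAMPLE))                         # ['jsmith']
```

Any name returned by duplicate_accounts is one that User Service cannot identify transparently, so resolve those before relying on the global catalog entry.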