Configuring eDirectory Agent

eDirectory Agent gathers user logon session information from Novell eDirectory, which authenticates users logging on to the network. The agent then:

  1. Associates each user with an IP address.
  2. Records user name-to-IP-address pairings to a local user map.
  3. Communicates the map to Filtering Service.

Filtering Service uses the information to apply policies to users, groups, or OUs.

Note: From a Novell client running Windows, multiple users can log on to a single Novell eDirectory server. This associates one IP address with multiple users. In this scenario, eDirectory Agent’s user map only retains the user name/IP address pairing for the last user logged on from a given IP address.

One instance of eDirectory Agent can support one Novell eDirectory master, plus any number of Novell eDirectory replicas.

Use the User Identification > eDirectory Agent page to configure a new instance of eDirectory Agent, as well as to configure the global settings that apply to all instances of eDirectory Agent.

For detailed information about eDirectory Agent deployment, including configuration options not available via the Forcepoint Security Manager, see the Using eDirectory Agent for Transparent User Identification technical paper.

To add a new instance of eDirectory Agent:

Steps

  1. Under Basic Agent Configuration, enter the IPv4 address or hostname of the eDirectory Agent machine.
    Note:

    Machine names must start with an alphabetical character (a-z), not a numeric or special character.

    Machine names containing certain extended ASCII characters may not resolve properly. In non-English environments, enter an IP address instead of a name.

  2. Enter the Port that eDirectory Agent should use to communicate with other web protection components (30700, by default).
  3. To establish an authenticated connection between Filtering Service and eDirectory Agent, select Enable authentication, and then enter a Password for the connection.

Next steps

Next, customize global eDirectory Agent communication settings:

  1. Under eDirectory Server, specify a Search base (root context) for eDirectory Agent to use as a starting point when searching for user information in the directory.
  2. Provide the administrative user account information that eDirectory Agent should use to communicate with the directory:
    1. Enter the Administrator distinguished name for a Novell eDirectory administrative user account.
    2. Enter the Password used by that account.
    3. Specify a User entry timeout interval to indicate how long entries remain in the agent’s user map.

      This interval should be approximately 30% longer than a typical user logon session. This helps prevent user entries from being removed from the map before the users are done browsing.

      Typically, the default value (24 hours) is recommended.

      Note: In some environments, instead of using the User entry timeout interval to determine how frequently eDirectory Agent updates its user map, it may be appropriate to query the eDirectory Server at regular intervals for user logon updates. See the Using eDirectory Agent for Transparent User Identification technical paper for details.
  3. Add the eDirectory Server master, as well as any replicas, to the eDirectory Replicas list. To add an eDirectory Server master or replica to the list, click Add, and then follow the instructions in Adding an eDirectory server replica.

    When you are finished making configuration changes, click OK to return to the User Identification page, then click OK again to cache your changes. Changes are not saved until you click Save and Deploy.
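The two behaviours above that matter for policy accuracy are the one-entry-per-IP rule (the last user logged on from a shared Novell client wins) and the User entry timeout interval (set roughly 30% longer than a typical session). The following model is an added example, not Forcepoint's code: it replays constructed logon events through a map with those rules, records every live overwrite so an administrator can see which IP addresses are applying policy to the wrong user, and assumes a typical session of 8 hours.

```python
from dataclasses import dataclass

# Assumed typical logon session (constructed); the page's rule of thumb is
# to set the User entry timeout about 30% longer than this.
TYPICAL_SESSION_SECONDS = 8 * 3600
USER_ENTRY_TIMEOUT = int(TYPICAL_SESSION_SECONDS * 1.3)


@dataclass
class Entry:
    user: str
    seen_at: int  # epoch seconds of the logon that produced this entry


class UserMap:
    """One entry per IP address, mirroring the agent's map on shared clients."""

    def __init__(self, timeout=USER_ENTRY_TIMEOUT):
        self.timeout = timeout
        self.entries = {}     # ip -> Entry
        self.overwrites = []  # (ip, previous_user, new_user) audit trail

    def _expired(self, entry, now):
        return now - entry.seen_at > self.timeout

    def record_logon(self, ts, user, ip):
        prev = self.entries.get(ip)
        if prev is not None and prev.user != user and not self._expired(prev, ts):
            # Two live users on one IP: policy now follows `user`, not prev.user.
            self.overwrites.append((ip, prev.user, user))
        self.entries[ip] = Entry(user, ts)

    def lookup(self, ip, now):
        """Return the user Filtering Service would apply policy to, or None."""
        entry = self.entries.get(ip)
        if entry is None or self._expired(entry, now):
            return None
        return entry.user


def replay(events, timeout=USER_ENTRY_TIMEOUT):
    """Feed (timestamp, user, ip) logon events through the map in time order."""
    user_map = UserMap(timeout)
    for ts, user, ip in sorted(events):
        user_map.record_logon(ts, user, ip)
    return user_map


# Constructed sample: alice and bob share the Windows Novell client at 10.0.0.5.
SAMPLE_LOGONS = [
    (0, "alice", "10.0.0.5"),
    (600, "bob", "10.0.0.5"),
    (0, "carol", "10.0.0.9"),
]
```

A non-empty `overwrites` list after a replay is the condition the Note describes: requests from that IP are being filtered under a user other than the one who generated them.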