: Configure the Cloud Identity Agent

Configure the Cloud Identity Agent

Table of Contents

Configure the Cloud Identity Agent

After you download the agent and install it on a Windows server, configure the agent to connect to your supported on-premises directory and to the Cloud Identity Engine.
Avoid configuring the agent for the first time during the daily certificate revocation list (CRL) reload time (9:00-10:00 PM/21:00-22:00 CDT for US or CEST for EU). If you configure the agent and the initial attribute sync occurs at this time but isn’t successful, wait a few minutes, then Synchronize All Attributes to ensure the attributes are synchronized with your tenant.
After you download the agent from the Cloud Identity Engine app and Install the Cloud Identity Agent on a supported Windows server, configure the agent to establish a connection with your Active Directory or OpenLDAP-based directory and the Cloud Identity Engine so that it can collect all of the attributes from the Active Directory during the initial setup. In the Cloud Identity Engine app, you can optionally Synchronize Cloud Identity Engine Tenants instantly to ensure attribute and other directory changes are available in the Cloud Identity Engine.
The minimum required permissions for the service account are the ability to create LDAP bind requests (LDAP protocol version, the DN for the account, and the account credentials) and the IP address or domain for the directory.
  1. Install the certificate authority (CA) certificate used to sign the certificate used by the directory in the Local Computer Trusted root CA certificate store of the agent host.
    You must complete this step if the server that hosts the agent doesn’t already have the CA certificate of the domain controller or the CA certificate from the issue of the domain controller’s certificate.
  2. On the agent host, launch the Cloud Identity agent (
    Palo Alto Networks
    Cloud Identity Agent
    Don’t manually edit configuration files for the agent. Manually editing the agent configuration files might cause unexpected behavior.
  3. Select
    Cloud Identity Configuration
    and enter the regional agent configuration endpoint for the
    Cloud Identity Engine
    that matches the region that the corresponding Cloud Identity Engine tenant uses.
    Agent Configuration
    United States (US)
    European Union (EU)
    United Kingdom (UK)
    Singapore (SG)
    Canada (CA)
    Japan (JP)
    Australia (AU)
    Germany (DE)
    United States - Government
    India (IN)
    Switzerland (CH)
    Spain (ES)
    Italy (IT)
    France (FR)
    China (CN)
    This region is only accessible in the Cloud Identity Engine within the specified region.
    Poland (PL)
    Qatar (QA)
    Taiwan (TW)
    Israel (IL)
    Indonesia (ID)
  4. (Optional) If your network configuration uses a proxy server, enter the
    Proxy IP Server and Port (optional)
    to allow the Cloud Identity agent to use a secure mTLS connection to tunnel the agent traffic through the proxy server.
    Enter the proxy server’s IP address in
    format, where
    represents the IP address of the proxy server and
    represents the port number.
  5. Configure the
    LDAP Configuration
    to allow the agent to communicate with your on-premises directory.
    To learn how to collect attributes from multiple domains, see Configure Domains for the Cloud Identity Engine.
    1. Enter the
      Bind DN
      for the service account you want to bind to your directory (for example,
      If you don’t know the DN of the service account, enter the following command in the command prompt on the Active Directory server:
      dsquery user -name
      is the service account login name). Be sure to delete the quotation marks if you copy the DN from the command output.
    2. Enter the
      Bind Password
      to authenticate the session.
      The Bind Password is saved in encrypted format in the Windows credential store, not the configuration file. If you delete the LDAP configuration for the server and commit the changes, you must re-enter the password.
    3. Select a
      • LDAP
        —Connect to the directory using the default unencrypted LDAP protocol on port 389.
      • LDAPS
        —(Default) Connect to the directory server using LDAP over SSL (LDAPS) on port 636. This option requires a CA certificate in the Local Computer certificate store on the agent host or in the Trusted Root CA store for your directory.
      • LDAP with STARTTLS
        —Connect to the directory server using LDAPv3 Transport Layer Security (TLS) on port 389. This option requires a CA certificate in the Local Computer certificate store on the agent host or in the Trusted Root CA store for your directory.
  6. Verify that the
    Bind Timeout
    value will allow enough time for the agent to connect to your on-premises directory.
    The default is 30 seconds and the range is from 1-60 seconds. When the timeout limit is reached, the agent attempts to connect to the next domain controller in the sequence for that domain.
  7. Verify that the
    Search Timeout
    value will allow enough time for the LDAP query to complete.
    The default is 15 seconds and the range is 1-120 seconds. If the timeout occurs, the search stops and the timeout error is included in the debug logs. If you Configure Cloud Identity Agent Logs to Information, any partial results retrieved by the Cloud Identity Engine are deleted. If the log level is set to Debug or higher, the results might not be deleted, but they aren’t used by the agent.
  8. Add
    your on-premises directory.
    To ensure that the Cloud Identity Engine can calculate group membership correctly, use a value that doesn’t end in
    if you must use a custom value for the
    attribute in your LDAP query policy rule.
    1. (Optional) Enter the
      Name (optional)
      for your directory.
    2. Enter the fully qualified
      name for your directory.
      You can configure up to 20 domains for each agent.
    3. Enter the IP address or fully qualified domain name (FQDN) as the
      Network Address
      for your directory.
      If you enter an FQDN, it must be the complete original FQDN for that IP address (for example, if the FQDN is
      , you must enter
      , not just
    4. (Optional) Enter the
      Port (optional)
      number for your directory.
      Don’t configure the agent to use the Global Catalog port (3268 for LDAP or 3269 for LDAPS).
      If you don’t enter a port number, the agent uses the following default ports:
      • 636 for LDAPS
      • 389 for LDAP or LDAP with STARTTLS
    5. (
      Required for OpenLDAP
      ) Enter the
      Base DN
      (base Distinguished Name) for your directory.
      OpenLDAP requires the Base DN; without the Base DN, directory searches can’t complete successfully.
      When you enter the Base DN, use the domainComponent format (for example,
      DC=example, DC=com
    6. Select your directory
      • OpenLDAP
        —Configure the agent to use an OpenLDAP-based directory server.
        The Cloud Identity Engine supports OpenLDAP groups with the following ObjectClass:
        . When configuring another application (for example, GlobalProtect) with the Cloud Identity Engine for an OpenLDAP-based directory, specify the
        as the Primary Name. By default, the Cloud Identity Engine uses the sAMAccountName.
      • Active Directory
        —Configure the agent to use an Active Directory directory server.
    7. (Optional but recommended) To confirm the agent can successfully connect to your Active Directory, you can
      Test Connectivity to Directory
      . The agent verifies that it can successfully connect to the domain and validates the NetBIOS name based on the domain.
    8. Click
      When you add an on-premises directory, the Cloud Identity agent automatically attempts to complete a full synchronization of all domains, including existing domains, so confirm the agents are active and all configured domains are active before adding a new domain to the agent. If an inactive domain is no longer necessary, delete the domain from your configuration.
  9. Commit
    the changes to restart the agent and apply the configuration.
    The agent will connect to your directory to collect the attributes and to the Cloud Identity Engine to share the attributes with the Palo Alto Networks cloud-based apps.
  10. To confirm the agent is able to connect to your on-premises directory and the Cloud Identity Engine, log in to the Cloud Identity Engine app, select the tenant, then select
    to verify the following information:
    • The domains currently monitored by the Cloud Identity Engine and each domain’s NetBIOS name.
    • The sync status of the most recent attribute collection update from the directory (for example, In Progress or Successful).
    • When the last successful attribute collection update from the directory occurred.
    • The number of users, computers, groups, containers, and organizational units (OUs) in the domains monitored by the Cloud Identity Engine.
  11. (Optional but recommended) Configure an additional agent for high availability (HA).
    You can configure HA for the Cloud Identity Engine by configuring two or more agents to collect attributes from the same domain in the same tenant. The configuration for each agent must be identical. We recommend this configuration to ensure that if an agent is temporarily unavailable, any in-progress syncs complete successfully and service isn’t interrupted. If the Cloud Identity Engine fails to connect to an agent, it searches for the next available agent. The Cloud Identity Engine communicates with only one agent at a time and the agents don’t communicate with each other.

Next Steps

Recommended For You