Configure the Cloud Identity Agent
After you download the agent and install it on a Windows server, configure the agent to connect to your Active Directory and to the Cloud Identity Engine.
Avoid configuring the agent for the first time during the daily certificate revocation list (CRL) reload time (9:00-10:00 PM/21:00-22:00 CDT for US or CEST for EU). If you configure the agent and the initial attribute sync occurs at this time but is not successful, wait a few minutes, then Synchronize All Attributes to ensure the attributes are synchronized with your instance.
After you download the agent from the Cloud Identity Engine app and Install the Cloud Identity Agent on a supported Windows server, configure the agent to establish a connection with your Active Directory and the Cloud Identity Engine so that it can collect all of the attributes from the Active Directory during the initial setup. By default, the Cloud Identity Engine app synchronizes the Active Directory attributes for all configured domains once every 24 hours, but you can optionally Synchronize Cloud Identity Engine Instances instantly or configure a shorter interval for the synchronization.
The minimum required permissions for the service account are the ability to create LDAP bind requests (LDAP protocol version, the DN for the account, and the account credentials) and the IP address or domain for the Active Directory.
- If you have not already done so, Configure Your Network to Allow Cloud Identity Agent Traffic.
- Install the certificate authority (CA) certificate used to sign the certificate used by the Active Directory in the Local Computer Trusted Root CA certificate store of the agent host.This step is required if the server that hosts the agent does not already have the CA certificate of the domain controller or the CA certificate from the issue of the domain controller’s certificate.
- On the agent host, launch the Cloud Identity agent ()StartPalo Alto NetworksCloud Identity AgentDo not manually edit configuration files for the agent. Manually editing the agent configuration files may cause unexpected behavior.
- SelectCloud Identity Configurationand enter the regional agent configuration endpoint for theCloud Identity Enginethat matches the region that the corresponding Cloud Identity Engine instance uses.RegionAgent ConfigurationUnited States (US)agent-directory-sync.us.paloaltonetworks.comEuropean Union (EU)agent-directory-sync.eu.paloaltonetworks.comUnited Kingdom (UK)agent-directory-sync.uk.paloaltonetworks.comSingapore (SG)agent-directory-sync.sg.paloaltonetworks.comCanada (CA)agent-directory-sync.ca.apps.paloaltonetworks.comJapan (JP)agent-directory-sync.jp.apps.paloaltonetworks.comAustralia (AU)agent-directory-sync.au.apps.paloaltonetworks.comGermany (DE)agent-directory-sync.de.apps.paloaltonetworks.comUnited States - Governmentagent-directory-sync.gov.apps.paloaltonetworks.comIndia (IN)agent-directory-sync.in.apps.paloaltonetworks.com
- Configure theLDAP Configurationto allow the agent to communicate with your Active Directory.To learn how to collect attributes from multiple domains, see Configure Domains for the Cloud Identity Engine.
- Enter theBind DNfor the service account you want to bind to your Active Directory (for example,CN=admin,OU=IT,DC=domain1,DC=example,DC=com).If you don’t know the DN of the service account, enter the following command in the command prompt on the Active Directory server:dsquery user -name(whereusernameusernameis the service account login name). Be sure to delete the quotation marks if you copy the DN from the command output.
- Enter theBind Passwordto authenticate the session.The Bind Password is saved in encrypted format in the Windows credential store, not the configuration file. If you delete the LDAP Configuration for the server and commit the changes, you must re-enter the password.
- Select aProtocol:
- LDAP—Connect to the Active Directory using the default unencrypted LDAP protocol on port 389.
- LDAPS—(Default) Connect to the directory server using LDAP over SSL (LDAPS) on port 636. This option requires a CA certificate in the Local Computer certificate store on the agent host or in the Trusted Root CA store for your Active Directory.
- LDAP with STARTTLS—Connect to the directory server using LDAPv3 Transport Layer Security (TLS) on port 389. This option requires a CA certificate in the Local Computer certificate store on the agent host or in the Trusted Root CA store for your Active Directory.
- Verify that theBind Timeoutvalue will allow enough time for the agent to connect to your Active Directory.The default is 30 seconds and the range is from 1-60 seconds. When the timeout limit is reached, the agent attempts to connect to the next domain controller in the sequence for that domain.
- Verify that theSearch Timeoutvalue will allow enough time for the LDAP query to complete.The default is 15 seconds and the range is 1-120 seconds. If the timeout occurs, the search stops and the timeout error is included in the debug logs. If you Configure Cloud Identity Agent Logs to Information, any partial results retrieved by the Cloud Identity Engine are deleted. If the log level is set to Debug or higher, the results may not be deleted, but they are not used by the agent.
- Addyour Active Directory.To ensure that the Cloud Identity Engine can calculate group membership correctly, use a value that does not end in65if you must use a custom value for theMaxValRangeattribute in your LDAP query policy.
- Enter theNamefor your Active Directory.
- Enter your Active Directory fully qualifiedDomainname.You can configure up to 20 domains for each agent.
- Enter the IP address or fully qualified domain name (FQDN) as theNetwork Addressfor your Active Directory.If you enter an FQDN, it must be the complete original FQDN for that IP address (for example, if the FQDN isexample.hr.com, you must enterexample.hr.com, not justexample.com).
- (Optional) Enter thePortnumber for your Active Directory.Do not configure the agent to use the Global Catalog port (3268 for LDAP or 3269 for LDAPS).If you do not enter a port number, the agent uses the following default ports:
- 636 for LDAPS
- 389 for LDAP or LDAP with STARTTLS
- (Optional but recommended) To confirm the agent can successfully connect to your Active Directory, you canTest Connectivity to AD. The agent verifies that it can successfully connect to the domain and validates the NetBIOS name based on the domain.
- Committhe changes to restart the agent and apply the configuration.The agent will connect to your Active Directory to collect the attributes and to the Cloud Identity Engine to share the attributes with the Palo Alto Networks cloud-based apps you Associate the Cloud Identity Engine with Palo Alto Networks Apps with your Cloud Identity Engine instance.
- To confirm the agent is able to connect to your Active Directory and the Cloud Identity Engine, log in to the Cloud Identity Engine app, select the instance, then selectDirectoriesto verify the following information:
- The domains currently monitored by the Cloud Identity Engine and each domain’s NetBIOS name.
- The sync status of the most recent attribute collection update from the Active Directory (for example, In Progress or Successful).
- When the last successful attribute collection update from the Active Directory occurred.
- The number of users, computers, groups, containers, and organizational units (OUs) in the domains monitored by Cloud Identity Engine.
- (Optional but recommended) Configure an additional agent for high availability (HA).You can configure HA for the Cloud Identity Engine by configuring two or more agents to collect attributes from the same domain in the same instance. The configuration for each agent must be identical. We recommend this configuration to ensure that if an agent is temporarily unavailable, any in-progress syncs complete successfully and service is not interrupted. If the Cloud Identity Engine fails to connect to an agent, it searches for the next available agent. The Cloud Identity Engine communicates with only one agent at a time and the agents do not communicate with each other.
- After you have configured the agent, you can optionally Configure Cloud Identity Agent Logs to track the agent events you want to monitor.
- To allow other Palo Alto Networks apps to reference your Active Directory data, Associate the Cloud Identity Engine with Palo Alto Networks Apps.
- For a comprehensive user identity and authentication solution, learn how to Authenticate Users with the Cloud Identity Engine.
Recommended For You
Recommended videos not found.