Configure the Cloud Identity Agent

After you download the agent and install it on a Windows server, configure the agent to connect to your Active Directory and to the Cloud Identity Engine.
Avoid configuring the agent for the first time during the daily certificate revocation list (CRL) reload time (9:00-10:00 PM/21:00-22:00 CDT for US or CEST for EU). If you configure the agent and the initial attribute sync occurs at this time but is not successful, wait a few minutes, then Synchronize All Attributes to ensure the attributes are synchronized with your instance.
After you download the agent from the Cloud Identity Engine app and Install the Cloud Identity Agent on a supported Windows server, configure the agent to establish a connection with your Active Directory and the Cloud Identity Engine so that it can collect all of the attributes from the Active Directory during the initial setup. By default, the Cloud Identity Engine app synchronizes the Active Directory attributes for all configured domains once every 24 hours, but you can optionally Synchronize Cloud Identity Engine Instances instantly or configure a shorter interval for the synchronization.
The minimum requirements for the service account are the ability to perform LDAP bind requests (which need the LDAP protocol version, the DN for the account, and the account credentials) and the IP address or domain name of the Active Directory.
  1. Install the certificate authority (CA) certificate used to sign the certificate used by the Active Directory in the Local Computer Trusted Root CA certificate store of the agent host.
    This step is required if the server that hosts the agent does not already have the CA certificate of the domain controller or the CA certificate from the issuer of the domain controller’s certificate.
  2. On the agent host, launch the Cloud Identity agent (Start > Palo Alto Networks > Cloud Identity Agent).
    Do not manually edit configuration files for the agent. Manually editing the agent configuration files may cause unexpected behavior.
  3. Select Cloud Identity Configuration and enter the regional agent configuration endpoint for the Cloud Identity Engine that matches the region that the corresponding Cloud Identity Engine instance uses.
    Region                        Agent Configuration
    United States (US)            agent-directory-sync.us.paloaltonetworks.com
    European Union (EU)           agent-directory-sync.eu.paloaltonetworks.com
    United Kingdom (UK)           agent-directory-sync.uk.paloaltonetworks.com
    Singapore (SG)                agent-directory-sync.sg.paloaltonetworks.com
    Canada (CA)                   agent-directory-sync.ca.apps.paloaltonetworks.com
    Japan (JP)                    agent-directory-sync.jp.apps.paloaltonetworks.com
    Australia (AU)                agent-directory-sync.au.apps.paloaltonetworks.com
    Germany (DE)                  agent-directory-sync.de.apps.paloaltonetworks.com
    United States - Government    agent-directory-sync.gov.apps.paloaltonetworks.com
    India (IN)                    agent-directory-sync.in.apps.paloaltonetworks.com
  4. Configure the LDAP Configuration to allow the agent to communicate with your Active Directory.
    To learn how to collect attributes from multiple domains, see Configure Domains for the Cloud Identity Engine.
    1. Enter the Bind DN for the service account you want to bind to your Active Directory (for example, CN=admin,OU=IT,DC=domain1,DC=example,DC=com).
      If you don’t know the DN of the service account, enter the following command in the command prompt on the Active Directory server: dsquery user -name username (where username is the service account login name). Be sure to delete the quotation marks if you copy the DN from the command output.
    2. Enter the Bind Password to authenticate the session.
      The Bind Password is saved in encrypted format in the Windows credential store, not the configuration file. If you delete the LDAP Configuration for the server and commit the changes, you must re-enter the password.
    3. Select a Protocol:
      • LDAP—Connect to the Active Directory using unencrypted LDAP on the default port 389.
      • LDAPS—(Default) Connect to the directory server using LDAP over SSL (LDAPS) on port 636. This option requires a CA certificate in the Local Computer certificate store on the agent host or in the Trusted Root CA store for your Active Directory.
      • LDAP with STARTTLS—Connect to the directory server using LDAPv3 Transport Layer Security (TLS) on port 389. This option requires a CA certificate in the Local Computer certificate store on the agent host or in the Trusted Root CA store for your Active Directory.
  5. Verify that the Bind Timeout value will allow enough time for the agent to connect to your Active Directory.
    The default is 30 seconds and the range is 1-60 seconds. When the timeout limit is reached, the agent attempts to connect to the next domain controller in the sequence for that domain.
  6. Verify that the Search Timeout value will allow enough time for the LDAP query to complete.
    The default is 15 seconds and the range is 1-120 seconds. If the timeout occurs, the search stops and the timeout error is included in the debug logs. If you Configure Cloud Identity Agent Logs to Information, any partial results retrieved by the Cloud Identity Engine are deleted. If the log level is set to Debug or higher, the results may not be deleted, but they are not used by the agent.
  7. Add your Active Directory.
    To ensure that the Cloud Identity Engine can calculate group membership correctly, if you must use a custom value for the MaxValRange attribute in your LDAP query policy, use a value that does not end in 65.
    1. Enter the Name for your Active Directory.
    2. Enter your Active Directory fully qualified Domain name.
      You can configure up to 20 domains for each agent.
    3. Enter the IP address or fully qualified domain name (FQDN) as the Network Address for your Active Directory.
      If you enter an FQDN, it must be the complete original FQDN for that IP address (for example, if the FQDN is example.hr.com, you must enter example.hr.com, not just example.com).
    4. (Optional) Enter the Port number for your Active Directory.
      Do not configure the agent to use the Global Catalog port (3268 for LDAP or 3269 for LDAPS).
      If you do not enter a port number, the agent uses the following default ports:
      • 636 for LDAPS
      • 389 for LDAP or LDAP with STARTTLS
    5. (Optional but recommended) To confirm the agent can successfully connect to your Active Directory, you can Test Connectivity to AD. The agent verifies that it can successfully connect to the domain and validates the NetBIOS name based on the domain.
    6. Click OK.
  8. Commit the changes to restart the agent and apply the configuration.
    The agent will connect to your Active Directory to collect the attributes and to the Cloud Identity Engine to share the attributes with the Palo Alto Networks cloud-based apps that you associate with your Cloud Identity Engine instance (see Associate the Cloud Identity Engine with Palo Alto Networks Apps).
  9. To confirm the agent is able to connect to your Active Directory and the Cloud Identity Engine, log in to the Cloud Identity Engine app, select the instance, then select Directories to verify the following information:
    • The domains currently monitored by the Cloud Identity Engine and each domain’s NetBIOS name.
    • The sync status of the most recent attribute collection update from the Active Directory (for example, In Progress or Successful).
    • When the last successful attribute collection update from the Active Directory occurred.
    • The number of users, computers, groups, containers, and organizational units (OUs) in the domains monitored by Cloud Identity Engine.
  10. (Optional but recommended) Configure an additional agent for high availability (HA).
    You can configure HA for the Cloud Identity Engine by configuring two or more agents to collect attributes from the same domain in the same instance. The configuration for each agent must be identical. We recommend this configuration to ensure that if an agent is temporarily unavailable, any in-progress syncs complete successfully and service is not interrupted. If the Cloud Identity Engine fails to connect to an agent, it searches for the next available agent. The Cloud Identity Engine communicates with only one agent at a time and the agents do not communicate with each other.
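Before you Commit, you can verify the prerequisites from steps 1, 4 and 7 directly on the agent host. The following PowerShell script is an added example and is not part of the Palo Alto Networks documentation or of the agent itself; the domain controller, port and bind DN are assumed placeholder values, and the CA-chain check covers the LDAPS case only.

```powershell
# Pre-flight check for a Cloud Identity Agent host (added example, not Palo Alto Networks code).
# Assumed values below: replace the domain controller, port and bind DN with your own.
param(
    [string]$DomainController = 'dc1.example.com',           # assumed AD Network Address (FQDN or IP)
    [int]$Port = 636,                                         # LDAPS default port from the steps above
    [string]$BindDn = 'CN=svc-cie,OU=IT,DC=example,DC=com'    # assumed service account DN
)

# The agent must not use the Global Catalog ports (3268 for LDAP, 3269 for LDAPS).
if ($Port -in @(3268, 3269)) { throw "Port $Port is a Global Catalog port; use 389 or 636 instead." }

# TCP reachability to the domain controller on the chosen port.
if (-not (Test-NetConnection -ComputerName $DomainController -Port $Port).TcpTestSucceeded) {
    throw "Cannot reach $DomainController on TCP/$Port"
}

# LDAPS only: fetch the domain controller's certificate and confirm its chain ends in a CA
# that is present in the Local Computer Trusted Root CA store (step 1 above).
if ($Port -eq 636) {
    $tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($DomainController)
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust-chain check only; CRL reachability is a separate concern
    if (-not $chain.Build($leaf)) { throw "Certificate for $DomainController does not chain to a trusted CA" }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint)) {
        throw "Root CA '$($root.Subject)' is not in the Local Computer Trusted Root CA store"
    }
    $ssl.Dispose(); $tcp.Dispose()
}

# Simple LDAPv3 bind with the service account, using the default Bind Timeout (30 s) from step 5.
# If you don't know the DN, run on the AD server:  dsquery user -name <username>  (strip the quotation marks).
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -UserName $BindDn -Message 'Bind Password for the service account'
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred.GetNetworkCredential(), 'Basic')
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)   # Windows validates the DC certificate against the machine store
$conn.Timeout = [TimeSpan]::FromSeconds(30)
$conn.Bind()   # throws LdapException on bad credentials, wrong DN, or TLS trust failure
Write-Output "Bind as $BindDn to ${DomainController}:$Port succeeded"
```

A bind failure here shows the same condition the agent's Test Connectivity to AD would report, but with the underlying LDAP or TLS error visible on the host.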
